ACS 5.8.0.32 CLI Password Recovery not working

James Montigny
Level 1

While conducting an emergency password change on my production SNS-3415 ACS 5.8.0.32 servers following an IT employee termination, I found myself having to recover the CLI password for my administrative accounts.

Using a bootable USB drive made from an ACS 5.8.0.32 .iso, I made my way through the menus, saw the list of accounts that I expected, entered new passwords, saved my changes then used the menu option (q) to reboot. When the system came up, the passwords had not been changed.

I've since attempted the same operation on two production ACS hosts and one lab host with the same result.

I obtained a Recovery.iso image from Cisco TAC, but it did not change the outcome.

The ACS servers are up and running and actively servicing TACACS requests as designed; I just can't get to the CLI.

Any advice? I can rebuild if needed, but there really should be an easier way to do this.

7 Replies

vthaluru
Cisco Employee

Hi James,

We have a bug (CSCuy45998) for it. Please install patch 4 and try the recovery.

Thanks

VenkataKrishna

Please rate helpful posts and mark correct answers.

This worked in the lab, thank you.

Is there any way to apply this patch from the GUI?

I can't get to the production CLI because I can't recover the password, which is where this whole problem started.

Hi James,

We can't apply patches for ACS via GUI. The only way to install the patch is via CLI.

If it is an SNS-3415, we can reset the password via CIMC:

http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-4/installation/guide/csacs_book/csacs_ins_acs_in_ucs.html#64650

Thanks and Regards,

Aekaansh

Hi James,

Further to what my colleagues suggested - I wanted to add that we introduced this feature in earlier versions of ACS 5 but it didn't work the way we expected and finally it had to go away. Please see the screenshot attached. CLI is the way to go :)

Rgds,

Jatin

~ Do rate helpful posts.

~Jatin

Sure, except that the whole reason I was trying to recover the CLI password is that I didn't have it and thus couldn't get to the CLI to run the patch which fixes the CLI password recovery tool.

It's over now, we rebuilt the ACS hosts then synced the databases.

Perfect! Have a good one!

~Jatin

I wanted to follow up on this so the next person is aware:

When attempting to use the password recovery tool on 5.8.0.32.2, the recovery tool not only fails to reset the password, it also strips the ACS host of password policy. We discovered this in reviewing configurations prior to rebuilding with patch 4. Unlikely to be a huge deal in most environments, but this happened to be a heavily regulated section of the network and the password policy was a documented security control, which is what raised the flag in our review.
