Cisco CSPC 2.10.0 admin user expiration?

michiel.van.t.erve · ‎07-15-2022

hi,
i have upgraded quite a few of the CSPC data collectors to the 2.10 main stream.
however, as these servers have been online for a while i was working on installing the patch towards 2.10.0.3

so i tried to login into the CLI, the admin account seems expired. starting a session returns:
"your account has expired; please contact your system administrator"

the password is ok, but we can't login using the CLI admin-account or the CLI collectorlogin userids we had saved and changed the expiration policies to not expire. is there a way to fix this ?

The CSPC GUI at port 8001 can still be reached: the server itself is available?

this looks like a change in the CSPC server configuration/security rules?
anyone here who knows how i can prevent this server to expire the admin-account?
During install it's stated that if i loose the password i need to reinstall, but i havem't lost the password, somewhere the account got expired. This seems a change from the <2.10.X.X versions?

madhushr · ‎07-15-2022

Hi,

If the account is expired, then you can Log in directly as root user using console through ESXi. Once you successfully log in as root user, then you can reset the password for admin and collectorlogin. By doing this, you would not get the account expiration error while logging in as admin and collectorlogin via putty (CLI).

For security reason, if you do not log into CSPC CLI as admin or collectorlogin user for more than 3 months, then your account will be inactive and you will encounter with this error.

However, we will get back to you with an update to confirm if we can make any changes in password expiration policy.

Regards,

Madhusha R

michiel.van.t.erve · ‎07-15-2022

Thanks,

That does clarify this.
this is a change from the previous versions.
as setting the root password isn’t in the standard documentation issued and loosing cli admin password is warned that you need to
Thanks for the help! I’m happy to have set and changed the root password here. this makes the recovery possible.
might be a good thing to add the root password procedure in the standard installation procedure?

madhushr · ‎07-18-2022

Hi,

Thanks for the update and we will look into it and we are happy to assist you. Please let us know if any further assistance required.

Regards,

Madhusha R

suneel.waqas · ‎08-03-2022

Hi,

can you please guide how to login via console ESXI? I mean what is the root password by default? However, i have the access via GUI. is there any way to change password via GUI?

madhushr · ‎08-03-2022

Hi Suneel,

Please not that there is no default root password. You can log into the console ESXi as admin and then you can reset the root password using the command-

# pwdreset root 90

This will generate the random password for the root and you note down the password, then exit from the admin and log in as root with the new password.

Also, you cannot change the CLI password via GUI.

Regards,

Madhusha R

suneel.waqas · ‎08-03-2022

Hi,
Problem is that I don't have admin password. That seems expired due to not login 3 months. So I am trying to get back CLI access.
However, I have GUI access.

madhushr · ‎08-03-2022

Hi Suneel,

In that case, we can reset the root password using single user mode. Please confirm if you have Grub password and also confirm the CSPC version.

Else, you will have to redeploy the CSPC.

Regards,

Madhusha R

suneel.waqas · ‎08-03-2022

I don't know what is GRUB password and don't have.
We have Version 2.10

madhushr · ‎08-03-2022

Hi Suneel,

Grub password helps us to log in as single user mode where you can reset the root password. Since you do not have the Grub password, root and admin password, it is not possible to get access to the CLI. Hence you will have to redeploy the CSPC.

Regards,

Madhusha R

suneel.waqas · ‎08-03-2022

Hi,
Thanks for your help on this. Really helpful.
Last thing, since I don't have any password to get enter into CLI but at least I have GUI access. So I hope that is enough to run the CSPC, is that correct?

michiel.van.t.erve · ‎08-04-2022

@suneel.waqas that would work for a while. but i would advise to fix this: updates and so on are often only successful with access to the cli

@madhushr could you please take this to the teams and discuss the changed procedure? this will lock quite a lot of users out of their servers? i would suggest to add the root/admin password change to the advised installation document?

suneel.waqas · ‎08-04-2022

Yes correct. During installation only admin CLI password has been asked. Don't know where it asked to set root/colltorlogin password. Secondly this feature should also disable or remove that if not login in CLI locked your account. so most of the time we login via GUI.

michiel.van.t.erve · ‎08-04-2022

hi @suneel.waqas effectively there are TWO admin users: the one in the GUI and the CLI version. they share the same name but can have different passwords!

my tip for you: make a backup from the GUI and reinstall the CSPC server. than you can have all settings fixed.

madhushr · ‎08-05-2022

Hi Suneel,

As informed by Michiel, you should better fix this or redeploy CSPC. Because, in future if you want to upgrade the CSPC or if the GUI access does not work, then you would need to have CLI access.

Due to security reason, the collectorlogin and admin will get expired in 90 days and goes inactive in few days by default.

However, you can use the below command where the users will not get expired in future if required.

# chage -m 0 -M 99999 -I -1 -E -1 collectorlogin (or admin or any users)

To check the status:

# chage -l collectorlogin (or admin or any users)

Thanks and regards,

Madhusha R