CSPC 2.8.0.1 Access denied to CLI admin

Hi,

After 90 days I tried to change the admin, collectorlogin and root CLI password. I could change the collectorlogin and root password successfully.

But when I tried to access the admin cli I got "Account locked due to 152 failed logins".

Then from CLI root I performed:
root# service adminshell restart
root# service cspc restart

After that I cannot log in with the expired password and am thereby not able to change the password. See the outputs below:

-------------

login as: admin
****************************************************************************************************
----------------------------------------------------------------------------------------------------

CSP Collector

Please use below url to access CSP Collector appliance GUI
IPv4 URL : https://x.x.x.x:8001

----------------------------------------------------------------------------------------------------
****************************************************************************************************
Using keyboard-interactive authentication.
Account locked due to 151 failed logins
Password:
Access denied
Using keyboard-interactive authentication.
Account locked due to 152 failed logins

----------------
CSPC sw version 2.8.0.1

From CLI root performed:
root# service adminshell restart
root# service cspc restart


Then I tried with the last known 100% working password and got "Access denied"

login as: admin
****************************************************************************************************
----------------------------------------------------------------------------------------------------

CSP Collector

Please use below url to access CSP Collector appliance GUI
IPv4 URL : https://x.x.x.x:8001

----------------------------------------------------------------------------------------------------
****************************************************************************************************
Using keyboard-interactive authentication.
Password:
Access denied
Using keyboard-interactive authentication.
Password:
Access denied
Using keyboard-interactive authentication.
Password:

 

Highlighted
VIP Mentor

Do not try many times; give some time between failed logins. Use IE; I sometimes see this issue with Chrome.

The thread below may help you resolve the issue:

https://community.cisco.com/t5/smart-net-total-care-portal-and/cspc-collector-problem-with-adminshell-service/td-p/3954724

BB
Highlighted

The issue is not with GUI admin but CLI admin via SSH, so no web browser is involved in this, as I understand.

The thing is that I'm the only one who works with this CSPC and I accessed it successfully via SSH a couple of months ago, so I don't know where those 150 failed logins come from! It seems to be some intrusion attempts.

Highlighted
Cisco Employee

The number of login attempts is most likely from your security team doing pen testing on your servers; the root account has been known to be locked out due to this as well. If possible, please request that your CSPC be whitelisted, as there is no way to alter the admin or root account names to avoid this situation. The PAM rules only allow for 3 attempts before the account is locked. Please execute the following command as the root user.

# pam_tally2 -u admin -r
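
To trace where failed logins like the ones discussed in this thread come from, the following script (an added example, not part of the original posts and not Cisco tooling) tallies failed SSH logins per source address from sshd log lines. It assumes the standard OpenSSH syslog message format; the sample lines, host name, addresses and the `/var/log/secure` path are constructed or assumed, not taken from the thread.

```shell
#!/usr/bin/env bash
# Added example: summarise which hosts produce the failed SSH logins that
# push an account over the PAM deny threshold.

# Constructed sample in the usual OpenSSH syslog format (documentation
# address ranges, hypothetical host name "cspc").
sample_log() {
cat <<'EOF'
Sep 16 10:31:02 cspc sshd[4101]: Failed keyboard-interactive/pam for admin from 192.0.2.10 port 50112 ssh2
Sep 16 10:31:09 cspc sshd[4101]: Failed keyboard-interactive/pam for admin from 192.0.2.10 port 50112 ssh2
Sep 16 10:31:40 cspc sshd[4120]: Failed password for root from 192.0.2.10 port 50140 ssh2
Sep 16 10:32:23 cspc sshd[4133]: Failed keyboard-interactive/pam for admin from 198.51.100.7 port 41822 ssh2
Sep 16 10:33:01 cspc sshd[4150]: Failed password for invalid user test from 192.0.2.10 port 50200 ssh2
Sep 16 10:35:47 cspc sshd[4188]: Accepted keyboard-interactive/pam for admin from 198.51.100.7 port 41901 ssh2
EOF
}

# failed_by_source USER: read sshd log lines on stdin and print
# "COUNT SOURCE" for failed logins to USER, busiest source first.
failed_by_source() {
  awk -v user="$1" '
    / sshd\[[0-9]+\]: Failed / {
      for (i = 1; i < NF; i++)
        if ($i == "from" && $(i-1) == user) { n[$(i+1)]++; break }
    }
    END { for (s in n) print n[s], s }
  ' | sort -k1,1nr -k2,2
}

# noisy_sources THRESHOLD: sources with at least THRESHOLD failures across
# all accounts, the pattern a scanner or credential sweep leaves behind.
noisy_sources() {
  awk -v min="$1" '
    / sshd\[[0-9]+\]: Failed / {
      for (i = 1; i < NF; i++) if ($i == "from") { n[$(i+1)]++; break }
    }
    END { for (s in n) if (n[s] >= min) print n[s], s }
  ' | sort -k1,1nr -k2,2
}

# On a real host, feed the actual auth log instead of the sample, e.g.
#   failed_by_source admin < /var/log/secure   (path assumed, RHEL-style)
sample_log | failed_by_source admin
sample_log | noisy_sources 3
```

A single source failing against several account names (admin, root, nonexistent users) points to a scanner or sweep rather than one operator mistyping a password.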

 

Highlighted

[root@si030-p ~]# pam_tally2 -u admin -r
Login           Failures Latest failure     From
admin               3    09/16/20 10:32:23  x.x.x.x

 

Highlighted

As mentioned earlier, the admin account is not locked any more. But now it's "Access denied" instead; and I'm trying with the last known and working password before its expiration.

 

Using keyboard-interactive authentication.
Password:
Access denied
Using keyboard-interactive authentication.
Password:
Access denied
Using keyboard-interactive authentication.
Password:

Highlighted

 

 

What message do you get when, as root, you use the command below?

# su admin

Highlighted

It seems something happened to the last working password:

[root@si030-p ~]# su admin
Password has Expired. Please reset the password

Changing password for user admin.
Old password:
New password:
Retype new password:

Old password mismatch

Press any key to exit
[root@si030-p ~]#

Highlighted

From the root user you can attempt to reset the admin password using the command below:

# passwd admin

Highlighted

Is the "# passwd admin" a kind of password recovery and a supported one? I don't want to worsen the situation.

[root@si030-p ~]# passwd admin
************************PASSWORD POLICY****************************

> New Password must be minimum of 9 characters in length
> New password must contain at least one capital letter, one small letter, one special character and one numeric Example for new password : Cis@12cso
> User cannot set last previously used 10 passwords as new password


Changing password for user admin.
New password:

 

Highlighted

passwd is a Linux command to change a user's password. The output you are viewing is custom generated by the CSPC and is providing precautions regarding this particular user account. Please proceed with this passwd command, then attempt to log in to the admin account.

Highlighted

Now I know that CSPC cli admin password can be 'recovered' when having root access.

In the past, in a similar situation, TAC did a long procedure for the same; I'm wondering if this is something new?

---------

[root@si030-p ~]# whoami
root
[root@si030-p ~]# passwd admin
************************PASSWORD POLICY****************************

> New Password must be minimum of 9 characters in length
> New password must contain at least one capital letter, one small letter, one special character and one numeric Example for new password : Cis@12cso
> User cannot set last previously used 10 passwords as new password


Changing password for user admin.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
[root@si030-p ~]# su admin

===========================================================================
Cisco Network Appliance Administration
===========================================================================


To see the list of all the commands press '?'
admin#


Highlighted

This password reset for the admin user has always been implemented this way; the process you may be referring to was used if all CLI access was compromised. As long as root access is active you can reset the passwords.

Highlighted

Now I recall, TAC did a GUI admin password recovery, having CLI root access; sorry.
