Solved: Re: CSPC 2.8.0.1 Access denied to CLI admin

danielbarri · ‎09-16-2020

Hi,

After 90 days I tried to change the admin, collectorlogin and root CLI password. I could change the collectorlogin and root password successfully.

But when I tried to access the admin cli I got "Account locked due to 152 failed logins".

Then from CLI root I performed:
root# service adminshell restart
root# service cspc restart

After that I cannot login with the expired password and thereby not able to change the password. See below outputs:

-------------

login as: admin
****************************************************************************************************
----------------------------------------------------------------------------------------------------

CSP Collector

Please use below url to access CSP Collector appliance GUI
IPv4 URL : https://x.x.x.x:8001

----------------------------------------------------------------------------------------------------
****************************************************************************************************
Using keyboard-interactive authentication.
Account locked due to 151 failed logins
Password:
Access denied
Using keyboard-interactive authentication.
Account locked due to 152 failed logins

----------------
CSPC sw version 2.8.0.1

From CLI root performed:
root# service adminshell restart
root# service cspc restart

Then I tried with the last known 100% working password and got "Access denied"

login as: admin
****************************************************************************************************
----------------------------------------------------------------------------------------------------

CSP Collector

Please use below url to access CSP Collector appliance GUI
IPv4 URL : https://x.x.x.x:8001

----------------------------------------------------------------------------------------------------
****************************************************************************************************
Using keyboard-interactive authentication.
Password:
Access denied
Using keyboard-interactive authentication.
Password:
Access denied
Using keyboard-interactive authentication.
Password:

danielbarri · ‎09-17-2020

Now I know that CSPC cli admin password can be 'recovered' when having root access.

In the past, in similar situation, TAC did a long procedure for the same; I'm wondering if this is something new?

---------

[root@si030-p ~]# whoami
root
[root@si030-p ~]# passwd admin
************************PASSWORD POLICY****************************

> New Password must be minimum of 9 characters in length
> New password must contain at least one capital letter, one small letter, one s pecial character and one numeric Example for new password : Cis@12cso
> User cannot set last previously used 10 passwords as new password

Changing password for user admin.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
[root@si030-p ~]# su admin

===========================================================================
Cisco Network Appliance Administration
===========================================================================

To see the list of all the commands press '?'
admin#

View solution in original post

balaji.bandi · ‎09-16-2020

Do not try many times, give some time between failure logins, use IE , i see some time has this issue with Chrome.

Follow below thread may help you to resolve the issue :

https://community.cisco.com/t5/smart-net-total-care-portal-and/cspc-collector-problem-with-adminshell-service/td-p/3954724

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

danielbarri · ‎09-16-2020

The issue is not with GUI admin but CLI admin via SSH, so no web browser involved in this, as I understand.

The thing is that I'm the only one who use to work with thi CSPC and I SSH accessed it successfully for a couple of months ago; so I don't know where it comes those 150 failed logins!! It seems to be some intrusion attempts.

jofrumki · ‎09-16-2020

The number of login attempts is most likely from your security team doing pen testing on your servers, the root account has been known to be lockout out due to this as well. If possible please request that your CSPC be whitelisted as there is no way to alter the admin or root account names to avoid this situation. The PAM rules only allow for 3 attempts before it locks the account, please execute the following command from the root user.

# pam_tally2 -u admin -r

danielbarri · ‎09-16-2020

[root@si030-p ~]# pam_tally2 -u admin -r
Login Failures Latest failure From
admin 3 09/16/20 10:32:23 x.x.x.x

danielbarri · ‎09-16-2020

As mentioned earlier, the admin account is not locked any more. But now it's "Access denied" instead; and I'm trying with the last known and working password before its expiration.

Using keyboard-interactive authentication.
Password:
Access denied
Using keyboard-interactive authentication.
Password:
Access denied
Using keyboard-interactive authentication.
Password:

adias · ‎09-16-2020

What message you get when you from root use the command below

# su admin

danielbarri · ‎09-17-2020

It seems something happened to the last working password:

[root@si030-p ~]# su admin
Password has Expired. Please reset the password

Changing password for user admin.
Old password:
New password:
Retype new password:

Old password mismatch

Press any key to exit
[root@si030-p ~]#

jofrumki · ‎09-16-2020

From the root user you can attempt to reset the admin password using the below command;

# passwd admin

danielbarri · ‎09-17-2020

Is the "# passwd admin" a kind of password recovery and a supported one? I don't want to worsen the situation.

[root@si030-p ~]# passwd admin
************************PASSWORD POLICY****************************

> New Password must be minimum of 9 characters in length
> New password must contain at least one capital letter, one small letter, one special character and one numeric Example for new password : Cis@12cso
> User cannot set last previously used 10 passwords as new password

Changing password for user admin.
New password:

jofrumki · ‎09-17-2020

passwd is a Linux command to change a user's password, the output you are viewing is custom generated by the CSPC and is providing precautions regarding this particular user account. Please proceed with this passwd command, then attempt to login to the admin account.

danielbarri · ‎09-17-2020

Now I know that CSPC cli admin password can be 'recovered' when having root access.

In the past, in similar situation, TAC did a long procedure for the same; I'm wondering if this is something new?

---------

[root@si030-p ~]# whoami
root
[root@si030-p ~]# passwd admin
************************PASSWORD POLICY****************************

> New Password must be minimum of 9 characters in length
> New password must contain at least one capital letter, one small letter, one s pecial character and one numeric Example for new password : Cis@12cso
> User cannot set last previously used 10 passwords as new password

Changing password for user admin.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
[root@si030-p ~]# su admin

===========================================================================
Cisco Network Appliance Administration
===========================================================================

To see the list of all the commands press '?'
admin#

jofrumki · ‎09-17-2020

This password reset for the admin user has always been implemented this way, the process you may be referring to was used if all CLI access was compromised. As long as root access is active you can reset the passwords.

danielbarri · ‎09-17-2020

Now I recall, TAC did a GUI admin password recovery, having CLI root access; sorry.

jjfaure · ‎04-05-2021

Hi Daniel, can you explain how TAC did that GUI admin user password recovery please?

Having SSH root access to appliance was enough to do it?

Regards

Juan