Resetting Admin Password
This section describes how to reset the password for the default administrator user account (admin) on the managed device. Use this procedure if the administrator user account password is lost or forgotten.
1. Connect a local console to the serial port on the managed device. 2. From the console, login into the managed device as a password recovery user. For information, read Password Recovery user. 3. Enter configuration mode by typing in configure terminal. 4. To reset the administrator user account password, use the mgmt-user admin root command. 5. Enter a new password for this account and retype the same to confirm. 6. Exit from the configuration mode and the user mode.
If you have defined a management user password policy, make sure that the new password conforms to this policy. For details, see Implementing Specific Management Password Policy.
The following is an example of how to reset the admin password as a default password recovery user. If you have configured an alternate password recovery user, use its credentials to login to the controller. The commands in bold type are what you enter:
User: password Password: forgetme! (host) #configure terminal Enter Configuration commands, one per line. End with CNTL/Z (host) (config) #mgmt-user admin root Password:******** Re-Type password:******** (host) (config) #exit (host) #exit
Password Recovery user
A password recovery user is a management user with root rights that is used to reset the admin password in the event of a lost or forgotten password. Starting with ArubaOS 8.4.0.0, a configurable alternate password recovery user can be created in addition to the default password recovery feature.
Note: Password recovery access using either the default password recovery user or the alternate password recovery user is allowed only through the serial console of a controller.
Note: Password recovery access using either the default password recovery user or the alternate password recovery user is allowed only through the serial console of a controller.
Note: Aruba recommends to enable the default password recovery user before generating and sharing the tech-support logs or configuration files with customer support.
Note: It is recommended that either the default password recovery user is disabled or the alternate password recovery user is configured when setting up the network to ensure. This is to ensure that there are no vulnerabilities.
Default password recovery user
In the event of a lost/forgotten password, the administrator can login to the controller and reset the admin password as the default password recovery user using the username password and the password forgetme!. The default password recovery user is defined and is enabled by default . Disabling the Default password recovery user is recommended if the network uses a TACACS server to authenticate its management users.
To disable the default password recovery user, execute the following command in the configuration mode:
(host) (config) #password-recovery-disable
To enable the default password recovery user, execute the following command in the configuration mode:
(host) (config) #no password-recovery-disable
Alternate password recovery user
Starting with ArubaOS 8.4.0.0, an alternate password recovery user with a username and password can be created to reset the admin password. The alternate user’s username can be 16 characters long and the password can be 32 characters long. Configuring the alternate password recovery user automatically disables the default password recovery user. Configuring the alternate password recovery user is highly recommended if the network is managed locally.
Note: The alternate password recovery user will not be shown in the management user section of the WebUI. This user role cannot be configured through the WebUI.
To configure the alternate password recovery user, execute the following command in the configuration mode:
(host) (config) #password-recovery-user <username> Password:****** Re-Type password:******
To disable the alternate password recovery user, execute the following command in the configuration mode:
(host) (config) #no password-recovery-user The following is an example to configure the alternate password recovery user: (host) #configure terminal Enter Configuration commands, one per line. End with CNTL/Z (host) (config) #password-recovery-user recadmin Password:****** Re-Type password:****** (host) (config) #exit
Use the show mgmt-user command to view the configured management users and the status of the default password recovery user.
The following is an example of the show mgmt-user command with the default password recovery user enabled.
(host) #show mgmt-user Default password recovery user: Enabled Management User Table --------------------- USER PASSWD ROLE STATUS ---- ------ ---- ------ admin ***** root ACTIVE The following is an example of the show mgmt-user command when the alternate password recovery user is configured. (host) #show mgmt-user Default password recovery user: Disabled Management User Table --------------------- USER PASSWD ROLE STATUS ---- ------ ---- ------ admin ***** root ACTIVE recadmin ***** passR ACTIVE