You are here: Home > Configuring ArubaOS Features > Management Access > Resetting Admin or Enable Password

Resetting Admin Password

This section describes how to reset the password for the default administrator user account (admin) on the managed device. Use this procedure if the administrator user account password is lost or forgotten.

1. Connect a local console to the serial port on the managed device.

2. From the console, login into the managed device as a password recovery user. For information, read Password Recovery user.

3. Enter configuration mode by typing in configure terminal.

4. To reset the administrator user account password, use the mgmt-user admin root command.

5. Enter a new password for this account and retype the same to confirm.

6. Exit from the configuration mode and the user mode.

If you have defined a management user password policy, make sure that the new password conforms to this policy. For details, see Implementing Specific Management Password Policy.

The following is an example of how to reset the admin password as a default password recovery user. If you have configured an alternate password recovery user, use its credentials to login to the controller. The commands in bold type are what you enter:

User: password

Password: forgetme!

(host) #configure terminal

Enter Configuration commands, one per line. End with CNTL/Z

(host) (config) #mgmt-user admin root

Password:********

Re-Type password:********

(host) (config) #exit

(host) #exit

Password Recovery user

A password recovery user is a management user with root rights that is used to reset the admin password in the event of a lost or forgotten password. Starting with ArubaOS 8.4.0.0, a configurable alternate password recovery user can be created in addition to the default password recovery feature.

 

Password recovery access using either the default password recovery user or the alternate password recovery user is allowed only through the serial console of a controller.

 

Password recovery users can be configured only through SSHSecure Shell. SSH is a network protocol that provides secure access to a remote device. sessions and serial console sessions with a controller and not through WebUI.

 

Aruba recommends to enable the default password recovery user before generating and sharing the tech-support logs or configuration files with customer support.

 

It is recommended that either the default password recovery user is disabled or the alternate password recovery user is configured when setting up the network to ensure. This is to ensure that there are no vulnerabilities.

Default password recovery user

In the event of a lost/forgotten password, the administrator can login to the controller and reset the admin password as the default password recovery user using the username password and the password forgetme!. The default password recovery user is defined and is enabled by default . Disabling the Default password recovery user is recommended if the network uses a TACACSTerminal Access Controller Access Control System. TACACS is a family of protocols that handles remote authentication and related services for network access control through a centralized server. server to authenticate its management users.

To disable the default password recovery user, execute the following command in the configuration mode:

(host) (config) #password-recovery-disable

To enable the default password recovery user, execute the following command in the configuration mode:

(host) (config) #no password-recovery-disable

Alternate password recovery user

Starting with ArubaOS 8.4.0.0, an alternate password recovery user with a username and password can be created to reset the admin password. The alternate user’s username can be 16 characters long and the password can be 32 characters long. Configuring the alternate password recovery user automatically disables the default password recovery user. Configuring the alternate password recovery user is highly recommended if the network is managed locally.

 

The alternate password recovery user will not be shown in the management user section of the WebUI. This user role cannot be configured through the WebUI.

To configure the alternate password recovery user, execute the following command in the configuration mode:

(host) (config) #password-recovery-user <username>

Password:******

Re-Type password:******

To disable the alternate password recovery user, execute the following command in the configuration mode:

(host) (config) #no password-recovery-user

The following is an example to configure the alternate password recovery user:

(host) #configure terminal

Enter Configuration commands, one per line. End with CNTL/Z

(host) (config) #password-recovery-user recadmin

Password:******

Re-Type password:******

(host) (config) #exit

Use the show mgmt-user command to view the configured management users and the status of the default password recovery user.

The following is an example of the show mgmt-user command with the default password recovery user enabled.

(host) #show mgmt-user

Default password recovery user: Enabled

Management User Table

---------------------

USER PASSWD ROLE STATUS

---- ------ ---- ------

admin ***** root ACTIVE

The following is an example of the show mgmt-user command when the alternate password recovery user is configured.

(host) #show mgmt-user

Default password recovery user: Disabled

Management User Table

---------------------

USER PASSWD ROLE STATUS

---- ------ ---- ------

admin ***** root ACTIVE

recadmin ***** passR ACTIVE

/*]]>*/