If the switch model and version are the same, and the command entered with the password is the same, and only 1 switch rejects the command, it's strange indeed.
I've found one case with a similar description, and there it seemed to be resolved after a reboot of the switch (which doesn't make sense to me). Maybe TAC can find the root cause.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your HPE Aruba Networking partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact HPE Aruba Networking TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or HPE Aruba Networking.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------
Original Message:
Sent: Jan 02, 2025 04:55 AM
From: MartinDoed
Subject: Invalid ciphertext. Password update failed when adding a user
Hi Herman,
thanks for your explanations - however my question was not answered with this.
I finally entered the password in cleartext but was curious to understand why the ciphertext is different with that only one switch while it worked for my other 60+ AOS-CX switches.
------------------------------
Regards
Martin
Original Message:
Sent: Jan 02, 2025 04:28 AM
From: Herman Robers
Subject: Invalid ciphertext. Password update failed when adding a user
Once you enter the password (in plaintext) into the switch, it's converted. One common method to protect such encrypted passwords is to add 'salts' to the password, which is a random value added before encryption to make the ciphertext different, even for the same password. This helps security as when you use the same password on multiple systems, you can't see from the ciphertext that it is the same password. As well, if the password has been cracked/leaked once, you can't easily detect from collected ciphertext where it has been used more.
Even better explanation of Password Salting here.
With that being said, if you have a ciphertext password from one CX switch, if I'm right, it should be possible to copy that into another switch. But the message says that the ciphertext that you used is invalid. Easiest is to re-enter the password in one switch (in plaintext), then copy out the encrypted value and try again with that one. Or use your network management system to enter the password in plaintext and let the switch do the conversion, with the benefit of some additional security as explained earlier.
------------------------------
Herman Robers
------------------------
Original Message:
Sent: Dec 27, 2024 06:47 AM
From: MartinDoed
Subject: Invalid ciphertext. Password update failed when adding a user
Hi,
I've 60+ AOS-CX switches where I recently added an additional user with the following command:
user test group administrators password ciphertext AQBapUWCdtDh...7OZ6NaMTuhF/w9ok58
All except one accepted it, one replied with the error message: Invalid ciphertext. Password update failed.
All switches have the same firmware (10.13.1020) and are 6000/6100 models.
When I add the user with plaintext password the cipher in the config differs on that switch to all others. I cannot really see a reason for this. Any ideas?
------------------------------
Regards
Martin
------------------------------
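The salting behaviour described in the Jan 02 reply, as an added example that is not part of the thread and not AOS-CX's own ciphertext format: a generic salted PBKDF2 record showing why the same password yields different stored values, why a record that carries its salt still verifies elsewhere, and how a damaged record is rejected. The record layout, function names and iteration count are assumptions made for illustration.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor, illustration only
SALT_LEN = 16         # bytes of random salt per record
HASH_LEN = 32         # SHA-256 output size

def make_record(password: str, salt: bytes | None = None) -> str:
    """Return 'b64(salt)$b64(hash)'. A fresh random salt is drawn unless one is given."""
    salt = os.urandom(SALT_LEN) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return base64.b64encode(salt).decode() + "$" + base64.b64encode(digest).decode()

def parse_record(record: str) -> tuple[bytes, bytes]:
    """Split a record into (salt, hash). Raise ValueError if it is malformed."""
    salt_b64, digest_b64 = record.split("$")  # ValueError on wrong field count
    salt = base64.b64decode(salt_b64, validate=True)      # binascii.Error is a ValueError
    digest = base64.b64decode(digest_b64, validate=True)
    if len(salt) != SALT_LEN or len(digest) != HASH_LEN:
        raise ValueError("invalid record: unexpected field length")
    return salt, digest

def verify(password: str, record: str) -> bool:
    """Recompute the hash with the salt stored in the record and compare in constant time."""
    salt, expected = parse_record(record)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(actual, expected)

if __name__ == "__main__":
    pw = "Example-Passw0rd"  # constructed sample value
    a, b = make_record(pw), make_record(pw)
    print("records differ:", a != b)              # different salts, same password
    print("both verify:", verify(pw, a), verify(pw, b))
    try:
        parse_record(a[:-6])                      # simulate a truncated copy/paste
    except ValueError as exc:
        print("rejected:", exc)
```
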