How to disable default password recovery?

MVP Expert
Requirement:

The controller allows WLAN administrators to reset their password through the console using the default password recovery method, which is enabled by default. Earlier versions had no option to disable it, even when needed. A new feature has been introduced to disable or enable it according to the administrator's needs. The default recovery credentials are:

 

username: password
password: forgetme!

 



Solution:

Starting with ArubaOS 6.5.4.8, the password-recovery-disable and password-recovery-user <username> commands were introduced.

 

  • Use the password-recovery-disable command to disable the default password recovery user.
  • Use the no password-recovery-disable command to enable the default password recovery user.
  • Use the password-recovery-user <username> command to create an alternate recovery user. The alternate recovery user has a username and a password. The username can be 16 characters long and the password can be 32 characters long.
  • Use the no password-recovery-user command to disable the alternate recovery user.


Configuration:

 

Password recovery disable:

 

(Aruba7240-164.10) (config) #show mgmt-user

Default password recovery user: Enabled                                    

Management User Table
---------------------
USER    PASSWD  ROLE   STATUS
----    ------  ----   ------
admin   *****   root   ACTIVE

 

(Aruba7240-164.10) (config) #password-recovery-disable
Warning: Default admin password recovery user is now disabled. Please use password-recovery-user to create an alternate user.


(Aruba7240-164.10) (config) #show mgmt-user

Default password recovery user: Disabled                                    

Management User Table
---------------------
USER    PASSWD  ROLE   STATUS
----    ------  ----   ------
admin   *****   root   ACTIVE

 

Creating password recovery user:

 

(Aruba7240-164.10) (config) #password-recovery-user recover
Password:********
Re-Type password:********

 

(Aruba7240-164.10) (config) #show mgmt-user

Default password recovery user: Disabled

Management User Table
---------------------
USER      PASSWD  ROLE    STATUS
----      ------  ----    ------
admin     *****   root    ACTIVE
recover   *****   passR   ACTIVE                                    <<<<< Password recovery user is created and role is 'passR'

 

(Aruba7240-164.10) (config) #no password-recovery-user
(Aruba7240-164.10) (config) #show mgmt-user

Default password recovery user: Disabled

Management User Table
---------------------
USER    PASSWD  ROLE   STATUS
----    ------  ----   ------
admin   *****   root   ACTIVE


Verification
  • With default password recovery disabled, we are unable to log in to the controller using password/forgetme!
(Aruba7240-164.10)
User: password
Password: *********
User:

 

  • However, we are able to log in using the recovery user.
User: aruba
Password: ********

(Aruba7240-164.10) #
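
To check this setting across many controllers, the `show mgmt-user` output can be parsed offline. The following is an added example, not Aruba's code and not part of the original article; it assumes the output has been captured as text in the format shown above, and the function names and sample captures are constructed for illustration.

```python
import re

# Constructed captures of 'show mgmt-user', in the format shown on this page.
DEFAULT_ON = """\
Default password recovery user: Enabled

Management User Table
---------------------
USER    PASSWD  ROLE   STATUS
----    ------  ----   ------
admin   *****   root   ACTIVE
"""

ALT_USER = """\
Default password recovery user: Disabled

Management User Table
---------------------
USER      PASSWD  ROLE    STATUS
----      ------  ----    ------
admin     *****   root    ACTIVE
recover   *****   passR   ACTIVE
"""

STATE_RE = re.compile(r"^Default password recovery user:\s*(Enabled|Disabled)\s*$", re.M)

def parse_mgmt_user(output):
    """Return (recovery_state or None, list of {user, role, status} rows)."""
    m = STATE_RE.search(output)
    state = m.group(1) if m else None
    users, in_table = [], False
    for line in output.splitlines():
        cols = line.split()
        if cols[:4] == ["USER", "PASSWD", "ROLE", "STATUS"]:
            in_table = True                      # header row found
        elif in_table and not cols:
            in_table = False                     # blank line ends the table
        elif in_table and len(cols) >= 4 and not set(cols[0]) <= {"-"}:
            users.append({"user": cols[0], "role": cols[2], "status": cols[3]})
    return state, users

def audit(output):
    """Return findings for one capture; an empty list means the check passed."""
    state, users = parse_mgmt_user(output)
    findings = []
    if state != "Disabled":                      # Enabled, or state line absent
        findings.append(f"default password recovery user not disabled (state: {state})")
    elif not any(u["role"] == "passR" for u in users):
        findings.append("no alternate recovery user (role passR) configured")
    return findings
```

The second finding mirrors the CLI warning that asks for an alternate user once the default one is disabled; a missing state line is reported as not disabled because releases before 6.5.4.8 do not have the command.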
Version history
Revision #:
2 of 2
Last update:
‎01-24-2019 12:25 PM