Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

ClearPass in FIPS mode password issue

  • 1.  ClearPass in FIPS mode password issue

    Posted Apr 20, 2018 06:30 PM

    This is a fresh build. Through the CLI wizard, I enabled ClearPass for FIPS mode. I logged in with admin and the default password. When I changed the password for "admin", unless I typed the password wrong twice exactly the same, I cannot log in as admin. For staging I used the same password for appadmin, and I am now unable to log in as appadmin or admin. I don't know what I did wrong. The password I used is 12 characters long, with a symbol and some numbers.

    If I really messed this up, easy to factory reset without TAC?



  • 2.  RE: ClearPass in FIPS mode password issue

    Posted Apr 20, 2018 06:51 PM

    1. Enter the cpboot mode and change the default boot file:

        Hit any key to stop autoboot: 0
        cpboot>
        cpboot> setenv cfgfile default1.cfg
        cpboot> saveenv
        cpboot> reset

    2. This will cause the controller to present the initial config wizard on bootup. Configure the desired password:

        Reading configuration from factory-default.cfg
        ..
        ..
        Enter System name [Aruba650]: Testcontroller
        ..
        ..
        Enter Password for admin login (up to 32 chars): *********
        Re-type Password for admin login: *********
        Enter Password for enable mode (up to 15 chars): ******
        Re-type Password for enable mode: ******
        Do you wish to shutdown all the ports (yes|no)? [no]:

    3. Save the config and restart the controller:

        System name: Testcontroller
        ..
        ..
        If you accept the changes the switch will restart!
        Type to go back and change answer for any question
        Do you wish to accept the changes (yes|no)yes
        Creating configuration... Done.
        System will now restart!

    4. Enter the CP boot mode again and reset the config file:

        Hit any key to stop autoboot: 0
        cpboot>
        cpboot> setenv cfgfile
        cpboot> saveenv
        Saving Environment to Flash...
        Erasing # Erased 1 sectors
        Writing ########
        cpboot> boot

    5. Boot into the controller with the new password. Make sure we save the config for the new password to be saved:

        <<<<< Welcome to Aruba Networks - Aruba A650-US >>>>>
        Starting watchdog processes
        ..
        ..
        Completed FIPS OpenSSL KAT test successfully.
        (Testcontroller)
        User: admin
        Password: *********
        (Testcontroller) >en
        Password:******
        Password:******
        (Testcontroller) #
        (Testcontroller) #write memory
        Saving Configuration...
        Configuration Saved.
        (Testcontroller) #

    Answer: Sometimes, we cannot reset the password in FIPS code through the console using the default method. In that case, we must use an alternative method:

    1. Get into cpboot mode. Change the config file so the controller boots in the config wizard. Configure the new password.
    2. Reboot, enter cpboot mode, reset the config file again.
    3. Log in to the controller using the newly configured password.
    4. Save the config.



  • 3.  RE: ClearPass in FIPS mode password issue

    Posted Apr 21, 2018 03:07 PM
    Will this work for ClearPass?


  • 4.  RE: ClearPass in FIPS mode password issue

    Posted Apr 23, 2018 10:08 AM

    If this is a ClearPass VM, then I think rebuilding it would be the fastest way. Also, don't enable FIPS mode unless there's a very good reason to do so. TAC has advised me this mode is for high-security environments (like the government) and should not be used, otherwise it may bring you some trouble in the future.



  • 5.  RE: ClearPass in FIPS mode password issue

    Posted Jul 29, 2018 11:58 PM

    Thanks @



  • 6.  RE: ClearPass in FIPS mode password issue

    Posted Nov 17, 2018 12:18 PM

    Hi, I'm in the same situation. I only get into guest mode with user admin and password eTIPS123 in the GUI; through the CLI I cannot get in. It's very strange. Could you give a solution? Reset or reinstall in some way ALL of ClearPass?



  • 7.  RE: ClearPass in FIPS mode password issue

    Posted Nov 19, 2018 08:39 AM

    If you have access to the admin GUI, you can change the cluster password and it will change the CLI appadmin password.


