Wireless Access

Hello,

I have tried to upgrade my Aruba 3200 controller to a new version and now it is completely blocked. I can't access it by IP, the only way is by the serial port.

When I want to login, my password isn't valid any more (I am sure of it). Support gave me a procedure to reset it and erase the configuration of the controller.

But when I try the procedure, I can't change the password. Every time I get the message "Error : Non-Compliant to Mgmt Password Policy Internal error occurred, Password validation failed". I am sure that no policy was configured and I can enter every possible password and still the same error.

Any idea to solve this ? No problem to get back "out of the bock", the controller is in the lab.

Thanks

Dimitri

Hi

Here you go:

Here is an example how to reset admin/enable password: *VIA CLI CONSOLE- SERIAL PORT - ONLY*

User: password
Password: forgetme!
(aruba) >enable
Password: enable
(aruba) #configure terminal
Enter Configuration commands, one per line. End with CNTL/Z
(aruba) (config) #mgmt-user admin root
Password:
Re-Type password:
(aruba) (config) #exit
(aruba) #exit
(aruba) >exit

User: admin
Password:
(aruba) >enable
Password: enable
(aruba) #configure terminal
Enter Configuration commands, one per line. End with CNTL/Z
(aruba) (config) #enable secret
Password:
Re-Type password:
(aruba) (config) #write memory

It will give u the ability to reset password via serial port.

have a nice day.

*after you will reset you pass/user - you will be able to run show interfaces... or change/delete the config.

me

Hi,

Thanks but my problem is at this point :

(aruba) (config) #mgmt-user admin root
Password:
Re-Type password:

I can't change the password. Here is the error message I have : Error : Non-Compliant to Mgmt Password Policy Internal error occurred, Password validation failed.

The point is that I haven't configure any password policy.

Dimitri

Tried, same issue even with a much more longer password.

Dimitri

Very Very wired - did u contact Aruba TAC regarding this issue?

Yes, at this time, they gave me the same procedure as you. Waiting for news...

Dimitri

Dont wait for news.

start to try all the options: (u dont have nothing to lose)  *say thanks to jfernyc*

You need a password that is compliant with the management password
policy as configured on the controller.

There are several parameters that can be set (and clearly are in your
case/controller), per below:

Enable password policy
Set minimum password length (6-32 characters)
Set/config minimum upper case characters required for passwd (0-10)
Set/config minimum lower case characters required for passwd (0-10)
Set/config minimum special case characters required for passwd (0-10)
Set/config the number of numerical digits required for passwd (0-10)
Set/config the # of times a single character can be repeated in a passwd
(0-10)
Deny the use of a known username, or the reverse of a username in a
passwd

If you can find out which of these are set you can then select a
compliant password.

BTW:

are u using FIPS or upgraded to FIPS? if so --> the following post - will solve your issue:

http://community.arubanetworks.com/t5/ArubaOS-and-Mobility-Controllers/locked-out-after-FIPS-upgrade/td-p/35541

Have a lovley day.

me

Thanks I will follow the post and try to solve this issue.

Dimitri

tell me if it worked for u :smileywink:

The thing is that I can only enter a username and password in the CLI. I don't now how to get in cpboot mode.

Dimitri

cpboot mode:

just reboot your controller. (while you console cable is connected and putty/securecrt are running)

and stop the controller few sec before he boots (you will see a counter saying 1-2-3-4 press enter to stop boot process..)

---

@Boxcar wrote:

The thing is that I can only enter a username and password in the CLI. I don't now how to get in cpboot mode.

 

Dimitri

---

Cpboot mode is ONLY to be used when there is a serious problem booting the controller code.  Did you enter enable mode after you put in the username and password?

Yes I did.

Okay, so you can get into the controller.  What is wrong?

I can't connect to the controller with its IP address and with the serial port, I can't make any changes because my username and password are not reconnized.

If I follow the procedure given in the last posts, I can't change the email of the admin. I get this error message : Error : Non-Compliant to Mgmt Password Policy Internal error occurred, Password validation failed. But no Policy was configured.

Dimitri

The password should by default have more than 6 characters.  I am assuming you already tried that...

Did you try creating a root user besides admin?

No I haven't try this.

And yes, I have tried password of 6 and more characters.

Dimitri

I want a step further.

Now I can configure the controller by the console but when I save it, it loops back to the Aruba 3200 setup dialog.

I can read this before the dialog setup :

Saving current config file default.cfg as default...

Generating new configuration

Configuration upgrade complete

Reading configuration from factory-default.cfg

Starting FIPS Aruba Cryptographic KAT test

But after, I am back to setup dialog and if I try again to configure it, still the setup dialog.

Any idea ?

Thanks

Dimitri

Last Step:

boot into cpboot and do this:

setenv cfgfile
save
boot

I works with your last step. Now it reboots on the controller and I can login with username and password.

Thanks

Dimitri

So now the controller is as out-of-the-box but I can't access to the webUI. The controller is not connected to the network, I have setup my IP address to 172.16.0.99 and connected directly to the controller.

But when entering 172.16.0.254, nothing happends. I can't go the webUI but if I open a terminal, I can see the setup dial ?

Any idea ?

Thanks

Dimitri

Problem solved with the help of support. It was about DHCP issue and FIPS update.

Edit : I have talked a bit too fast. A new issue has appeared, when using the webUI, the configuration doesn't save. Everytime, I am back to the basic config. It's like that nothing was saved.

Someone knows where the problem come from ?

Thanks for your help.

Dimitri

I have 2 brand new 7210 controllers and the exact same issue - cannot use the password I configured in the setup dialogue and cannot do a password recovery due to password policy.

Can anyone assist?

Please contact TAC.

For the next person with this issue, it seems to a bug with choosing the 'Disable all interfaces' option in the setup dialogue. Everything works fine if you don't choose that option.

Has this been resolved? Im having the same problem with a dell branded controler. Ive ran through the setup wizard a few times with different options with no luck. I can't reset the password with the password:forgetme! username and combination either. This is the second of 2 identical controllers im configuring only difference this is a "local" not "master"

User: password
Password: *********
(Dell PowerConnect W-7210 Controller) >en
Password:******
(Dell PowerConnect W-7210 Controller) #configure t
Enter Configuration commands, one per line. End with CNTL/Z

(Dell PowerConnect W-7210 Controller) (config) #mgmt-user admin root
Password:***********
Re-Type password:***********

Error : Non-Compliant to Mgmt Password Policy
Internal error occurred, Password validation failed

RichardG,

What version of Dell OS did it come with and what options did you choose for your steps?

It shipped with ArubaOS 6.3.1.5 (build 43118 / lable #43118)

The options I selected:

Enter System Name: xxxxxxxx.xxxxx

Enter Switch Role: local

Enter Master Switch IP address: 172.17.x.5

Enter Master Switch Mac address: xx:xx:xx:xx:xx:xx

Enter Redundant master switch mac: <none>

VLAN 1 interface IP address: 172.17.x.6

VLAN 1 interface subnet mask: 255.255.255.0

IP Default Gateway: 172.17.x.1

Country Code: AU

Timezone: <none (wouldnt let me enter UTC+10)>

Enter time in UTC: 05:16:30

Enter Date: 05/06/2015

Enter password for admin: xxxxxxxxxxxx

Re-type password for admin: xxxxxxxxxxxx

Enter password for enable: xxxxxxxxxxxx

Re-type password for enable: xxxxxxxxxxxx

Do you wish to shutdown all the ports: yes

I entered both the admin and enable passwords as the same. This config didnt work so i wiped the config and chose not to shutdown the ports with the same outcome. Both times i tried to go down the password restore path with no luck (all different passwords tried, short, long, complex, simple)

Error: Non-Compliant to Mgmt Password Policy

          Internal error occurred, Password validation failed

im thinking it could have something to do with local vs master? I didnt have trouble with the other controller I got which is identical.

How did you wipe the config?

To clear the configuration

cpboot> setenv cfgfile 1

cpboot> save

cpboot> reset

I reset instead of doing bootaos because for some reason that wouldn't work

After I ran the wizard again I did the following

cpboot> setenv cfgfile

cpboot> save

cpboot> reset

Looking at my logs I also selected master the first time along with shutdown all interfaces.

Then wiped the config, chose local and do not shutdown interfaces to get it working.

BGC IT,

Did you have a case# for your issue?  If so, please PM me so we can see how far it has progressed.

Hi CJ, No case for this. 

 I was able to get past the issue I was having by setting up my second controller as a master, then converting it after initial setup. :) thanks for all the help!

Richard

I agree that this process definitely works.  I have added some small text differences as of 6/2018 on firmware 6.5. 

I found that running the "minimal-setup" on bootup will get you stuck vs "full-setup".  I am not running the FIPS version of the firmware which is mentioned in many articles.

 "Non-compliant to management password policy"

######################

To clear the configuration

Hit any key to stop autoboot:  0
cpboot>
cpboot> setenv cfgfile default1.cfg
cpboot> saveenv
cpboot> bootf

After I ran the wizard and rebooted, I had to go into cpboot again and change the cfgfile back.

Hit any key to stop autoboot:  0
cpboot>
cpboot> setenv cfgfile
cpboot> saveenv
Saving Environment to Flash...

cpboot>bootf

CJ, for me it happened on 6.4.2.3 but it's clearly been around for a while.

Richard, do repair this you need to do the CPboot thing described earlier in the thread to get back to a default state, then redo the install without disabling interfaces.