APC AOS 5.1.3 NMC2 basic question

Anonymous user · ‎2021-06-30

Hello,

Regarding the syntax for local admin password resets, and the commands, how can I test and configure the local admin password? we have a RADIUS configured APC that is set to RADIUS then local. I tried to switch to local only after rotating the password using the user -ap command. The rotations appear to be successful, however I am unsure how to test this, as I can't login locally via PuTTy or with the local admin via the web interface. I know I'm missing something basic. We use Privileged Account Management software and I have been working with the dev group for over a year to build this out correctly and we're so close. How can I list local users via CLI and how can I verify access via SSH? with RADIUS configured and enabled, is the only option to kill RADIUS and connect via a Console cable to test the functionality of rotating the local admin account?

Thanks for any and all help.

-Chris

BillP · ‎2021-06-30

Hi Chris,

For checking in CLI for the admin name, you'll need some sort of administrator access and do user -an command (with no value to change) on AOS 5.1.3 and it will show you the current admin name. If you have no admin access, then you'd have to do the password reset procedure and/or gain access via console connection to get in.

I don't have RADIUS going to check this right this second but I believe when you're logged in via RADIUS, you should still be able to see the local accounts too via what I mentioned above. You could try that same command to see the local account name to check before you "hide" or disable the RADIUS servers to make them appear inaccessible or also look under Administration->Network->Local Users in web UI, and look at Administrator in the menu and that should show the local admin username.

Hope that makes sense and helps clarify.

See Answer In Context

BillP · ‎2021-06-30

Hi Chris,

Unfortunately, I think you already sort of figured out the answer.

"RADIUS, then local" authentication mode will only fall back to local if RADIUS is unreachable over the network, NOT in the case of a RADIUS auth failure or anything like that. So your options to bypass this would be to remove the RADIUS server from the network temporarily (so NMC can't reach it) or as you already did, move back to local authentication only to test the local credentials you have configured.

In 5.X.X firmware specifically, using a console cable connection via serial will bypass the RADIUS server I believe. This is is off by default in 6.X.X firmwares but can be disable to allow serial override, like 5.X.X allows.

Since SSH is a remote/network log in, it operates the same way as mentioned above. You can only test a local login with it if you hide the RADIUS server from the NMC over the network or switch to local only authentication.

P.S. AOS (APC OS) 5.1.3 is around 7 or 8 years old now and is a really old version. I just wanted to mention it because we are at version 6.X.X these days and is the firmware revs we actively fix any bugs on, add new features, etc. So if AOS 5.1.3 is what you're standardized on, I understand, but it is really old and effectively unsupported by us at this time. I am not sure if modern SSH clients work with the older SSH server on this rev to be honest.

But, just a note 6.X.X is radically different from v5. There are some similarities but a lot of differences, especially on CLI, web, and under the hood.

Anonymous user · ‎2021-06-30

Hi Angela,

Most of our stuff is 6.x, just a few stragglers with the 5.1.3. So essentially the best way to test is via local only and hide the RADIUS servers? How can I tell what the name of the local admin is? I believe I changed it to "admin" but even with local only enabled it says access denied. So I assume it's console only at that point. Just want to be sure I understand that portion. Is there a way via CLI to list local users in the local database?

BillP · ‎2021-06-30

Hi Chris,

For checking in CLI for the admin name, you'll need some sort of administrator access and do user -an command (with no value to change) on AOS 5.1.3 and it will show you the current admin name. If you have no admin access, then you'd have to do the password reset procedure and/or gain access via console connection to get in.

I don't have RADIUS going to check this right this second but I believe when you're logged in via RADIUS, you should still be able to see the local accounts too via what I mentioned above. You could try that same command to see the local account name to check before you "hide" or disable the RADIUS servers to make them appear inaccessible or also look under Administration->Network->Local Users in web UI, and look at Administrator in the menu and that should show the local admin username.

Hope that makes sense and helps clarify.