User and Root Passwords with CP Redundancy

book

Article ID: 168129

calendar_today

Updated On:

Products

XOS

Issue/Introduction

Changes in User and Root Passwords on primary CPM in cp-redundancy environments require the running config to be saved to startup config using 'wr' otherwise the changes will be lost after the CPM failover.Unable to login after a CPM failover to the standby CPM

Cause

Problem: When changing the root password on a CPM that is configured for CP-Redundancy (unix prompt and type passwd), the changes are not applied to the Secondary CPM until you save the running config to startup config.  If the config is not saved, and a CPM failover occurs, then you will not be able to login using the new root password.

Root passwords on the APMs also have an important characteristic with respect to Primary CPM vs. Secondary CPM.  If the APM root password is set using the vap-group-password command, the APM's root password will be the password that was set on the Primary CPM at the time the vap-group-password command was run.  If a CP failover occurs after changing root password from Primary CPM, you will need to reset/update the root password again on the APMs using the " vap-group-password" command. 
 
When passwords are changed from the CLI for users by running "configure reset-password", and for admin password using "configure password" then the changes are immediately propagated to the secondary CPM. However, unless these changes are saved/written to the startup-config they will be lost in the event of a CPM failover.
 

Resolution

When changing the root password or a user password on a primary CPM with CP-Redundancy enabled, you must write the running config to startup config for these changes to be applied to the Secondary CPM. 

You can use the following commands:
1. CBS#  wr
2. CBS# copy running-config startup-config


 

Workaround

In case the root password is lost then perform the password recovery procedure.

#####

In case the admin password is lost, then reset the admin password using the command 'configure password'

######


In case the APM root password is lost, reset the root password on the APM's using the " vap-group-password" command 


From XOS 8.5.3 Command Reference Guide:

-----------------
vap-group-password:

Configures a user-defined Unix root password for the specified VAP group, assigns the CPM’s Unix root
password to all VAP groups configured on the X-Series Platform, or assigns the CPM’s Unix root password to
the specified VAP group. By default, VAP groups do not have Unix root passwords.

A VAP group’s Unix root password applies to every VAP in the group. To successfully log into a VAP using
SSH, you must supply the Unix root password assigned to that VAP.


NOTE: While you must use a VAP’s Unix root password to log into the VAP using SSH, you do not have to
supply a password to log into a VAP from the CPM using RSH.

You use a VAP’s Unix root password to access the Linux shell running on the VAP. To access and
manage the application running on the VAP, you use the application management password that
you specify when you install the application on the VAP group.

Command syntax that you use:
CBS# vap-group-password vap-group <VAP_group_name>

Assigns a user-defined password to the specified VAP group. When you issue this command, the CLI
prompts you twice to enter the password for the specified VAP group.

NOTE: A VAP group password must be at least six characters in length and must meet IT industry
standards for secure passwords. If you enter a password that does not meet these
requirements, the CLI issues an error message and prompts you to enter a different password..

CBS# vap-group-password source-cp

Assigns the CPM’s root password to all VAP groups configured on the X-Series Platform.

CBS# vap-group-password source-cp vap-group <VAP_group_name>

Assigns the CPM’s root password to the specified VAP group.

---------------------