Tuesday, September 28, 2010

Cisco Secure ACS password recovery

So today I got an ACS backup from a client to test some features on a lab setup and since I had never done it, instead of asking for the GUI password, I decided to do password recovery.

After some googling, I found a couple of ways, both on the official Cisco FAQ:

1. Setting allowAutoLocalLogin, so that the GUI does not prompt for a password when it is opened locally on the ACS server.
2. Removing the existing entries under:
   HKEY_LOCAL_MACHINE\SOFTWARE\Cisco\CiscoAAA##\CSAdmin\Administrators
Unfortunately, neither of those methods worked on my version of ACS (4.2(1) Build 15 Patch 2): the keys were not present in the Windows registry at all. After more searching I got the fabulous news that:

"On ACS 4.0 or later, reinstallation is the only way"

So, I'm supposed to reinstall? Come on, this makes no sense at all, especially considering that after reinstalling, the next logical step would be to load the last good backup, which will use the same administrator password that you don't know. Not only are you supposed to reinstall, you are also supposed to reconfigure the ACS again by hand?

Bad design, just bad.

I guess I'm going to take extra extra extra care of my production ACS passwords now ;)
