hillcenter

Cisco 15 Privilege Reset - Not Resetting


Hello!

 

I've set up our Cisco Catalyst 3560G switches as hosts in Passwordstate. I've also set up a password list that allows for password resets and heartbeats. I'm able to get the validation to work with our current network credentials, and the green marker appears next to the password list that is tied to the host. I can use the remote session launcher with the credentials used for the positive heartbeat and access the switch.

 

I set up the Cisco - Privilege 15 Script to run, and then expired the password to have the system automatically reset the password. It successfully ran, updated the password state, and then showed green in the two boxes for both heartbeat and reset status.

 

However, when I attempt to run the remote session launcher or manually PuTTY into the device with the new credentials, I can't log in. When I attempt to log in with the old credentials that were used before the password reset, I can still log in. And after the next scheduled heartbeat, I now have a red circle in that column.

 

I've gone into the switch and checked the running configuration, compared them side by side, and as far as I can tell everything is exactly the same as before the script was run. But the audit history in the process seems to have completed without error.

 

The Passwordstate Windows Service successfully processed the Password Reset Script 'Reset Cisco Host Password - Priv 15' against Host 'XXXXXX' for the account 'XXXXX' (\XXXXXXXX\Network Equipment)

 

The Passwordstate Windows Service removed the account 'XXXXXXX' (Password List = \XXXXXXX\Network Equipment, UserName = XXXXXX, Description = Catalyst 3560G - School) from the Queue as the Process Reset Task is now complete. This account relates to the Host XXXXXXXX.

 

What am I missing here?


Hi Hillcenter,

 

What we think is happening here is that the reset process is throwing an error with an exception that we've never come across, and hence haven't built in proper error capturing for. So it's giving you a false positive result. To find out what the actual error is, we'll need to get you to run the script outside of Passwordstate, using the process below. Once we know what the error is, we can add it into the next version of Passwordstate, and provide you a workaround until we can do this.

 

1. Take a copy of the Priv 15 script from Resets -> Scripts - Password Reset, and paste it into PowerShell ISE on your web server.

2. Change line 58 where it has a variable called [PasswordstateBinFolderPath] to the actual path of your Passwordstate Bin folder.  By default it should be c:\inetpub\passwordstate\bin

3. Change line 95 which should read default { Write-Output "Success" } to be default { Write-Output $results.ToString() }

4. Change the parameters on the very last line of the script to be relevant to your environment, i.e. put in the correct Hostname, Port, Username and Privileged Account etc.

 

Now when running this script in PowerShell, it should give you a detailed error message. Could you copy this and report back here with your findings? If you need any help or have any questions about this, please let me know.

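The four steps above, scripted, as an added example that is not from the thread or from Click Studios: it takes your pasted copy of the reset script, makes the substitutions described (including the [OpenTimeout] token that the later reply mentions), and warns about any other bracketed token the Passwordstate service would normally fill in but that is still present. The file paths and the list of excluded type names are assumptions for this example.

```powershell
# Added example (not Click Studios' code): prepare an exported Passwordstate
# reset script for a stand-alone run in PowerShell ISE, following the steps in
# the reply above. Paths below are assumptions; adjust them to your install.
function Prepare-ResetScriptForDebug {
    param(
        [Parameter(Mandatory)] [string] $ScriptPath,                # your pasted copy of the Priv 15 script
        [string] $BinFolder   = 'C:\inetpub\passwordstate\bin',      # default Bin folder per the reply
        [int]    $OpenTimeout = 10                                   # seconds, as suggested later in the thread
    )

    $text = Get-Content -LiteralPath $ScriptPath -Raw

    # Step 2 (and the follow-up reply): fill in the tokens the Passwordstate
    # service normally substitutes at run time. String.Replace is an exact,
    # case-sensitive match, so only the literal tokens are touched.
    $text = $text.Replace('[PasswordstateBinFolderPath]', $BinFolder)
    $text = $text.Replace('[OpenTimeout]', [string]$OpenTimeout)

    # Step 3: make the default branch report the raw device output instead of
    # the hard-coded "Success" that produced the false positive.
    $text = $text.Replace('default { Write-Output "Success" }',
                          'default { Write-Output $results.ToString() }')

    # Heuristic check for any other [Token] the service would have filled in.
    # Common PowerShell type names in brackets are excluded so they are not
    # reported as placeholders; extend the list if your script uses others.
    $typeNames = 'String','Int','Int32','Bool','Regex','Void','Object','PSCustomObject'
    $leftover  = [regex]::Matches($text, '\[[A-Z][A-Za-z0-9]+\]') |
        ForEach-Object { $_.Value.Trim('[', ']') } |
        Where-Object { $typeNames -notcontains $_ } |
        Sort-Object -Unique

    if ($leftover) {
        Write-Warning ('Unreplaced placeholders remain: {0}' -f ($leftover -join ', '))
    }

    $outPath = [IO.Path]::ChangeExtension($ScriptPath, '.debug.ps1')
    Set-Content -LiteralPath $outPath -Value $text -Encoding UTF8
    Write-Host "Wrote $outPath. Edit the parameters on its last line (step 4) before running it."
    return $leftover
}

# Usage with the non-default install path mentioned in this thread (assumed file name):
Prepare-ResetScriptForDebug -ScriptPath 'C:\Temp\Reset Cisco Host Password - Priv 15.ps1' `
                            -BinFolder 'D:\PasswordState\bin'
```

Step 4 is left to you on purpose: the hostname, port, username and privileged account on the last line are real credentials, so they should be typed into the debug copy by hand and the copy deleted after the test rather than kept next to the web server's scripts.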

1. Pasted into the script side of ISE

2. Updated to the Passwordstate bin folder path. Note - we put our installation in a non-default location, so our path on line 58 was D:\PasswordState\bin

3. Updated line 95 with default { Write-Output $results.ToString() }

4. Input our relevant information

 

Failed to reset password for account 'XXXXX' on Host 'XXXXXX'. Error =
Cannot bind parameter 'Seconds'. Cannot convert value "[OpenTimeout]" to type "System.Int32". Error: "Input string was not in a correct format."

 

We are running Passwordstate on a Windows Server 2012 R2 box (PowerShell 4.0 native) with .NET Framework 4.6.1.


Hi Hillcenter,


Sorry, we forgot about this other variable in the script. Can you search for [OpenTimeout] and change it to 10 - that would be 10 seconds, and make sure you remove the brackets as well.

Regards

Click Studios


Aha. ERROR: Can not have both a user password and a user secret.

 

We were in the wrong. Our configuration was set up with an existing username XXXXX password XXXXX rather than secret XXXXX. I've updated our switches with the correct password type, and retested the script. Everything is working perfectly now, and more secure! Double bonus.

 

Thank you so much for your help!


Thanks very much for letting us know this - we will add this as an exception to our script as well, in case any other customers run into this issue.

 

Regards
Click Studios

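What the fail-open default in the script's result handling looks like, and a fail-closed alternative, as an added PowerShell example that is not Click Studios' script: it classifies constructed samples of device output, including the IOS message quoted earlier in this thread, and shows that the version whose default branch returns "Success" reports the unseen error as a successful reset, which is exactly the green reset status beside a password the switch never accepted. The known-error patterns and the sample outputs are assumptions for the example.

```powershell
# Added example, not Click Studios' code. Constructed samples of what a reset
# script might read back from the switch; the IOS error text is the one quoted
# in this thread, the other lines are assumptions.
$Samples = [ordered]@{
    Clean       = "sw(config)#username netadmin secret *****`r`nsw(config)#"
    BadCommand  = "sw(config)#username netadmin secret *****`r`n% Invalid input detected at '^' marker.`r`nsw(config)#"
    UnseenError = "sw(config)#username netadmin secret *****`r`nERROR: Can not have both a user password and a user secret.`r`nsw(config)#"
}

# Pattern described in the thread: only errors the author has already seen are
# matched, so an unseen error falls through to the default branch and is
# reported as success. The reset is then marked green while the device still
# has the old password.
function Get-FailOpenResult([string]$results) {
    switch -Regex ($results) {
        'Invalid input detected' { 'Failed: invalid command'; break }
        'Authentication failed'  { 'Failed: bad credentials'; break }
        default                  { 'Success' }
    }
}

# Fail-closed alternative: known errors get a specific message, anything that
# looks like an IOS error marker ("%" or "ERROR:" at the start of a line) is a
# failure that carries the raw output, and "Success" requires clean output.
function Get-FailClosedResult([string]$results) {
    switch -Regex ($results) {
        'Invalid input detected' { return 'Failed: invalid command' }
        'Can not have both a user password and a user secret' {
            return 'Failed: account is configured with "username ... password"; change it to "username ... secret" first'
        }
        '(^|\n)\s*(%|ERROR:)'    { return "Failed: unrecognised device error. Output: $results" }
        default                  { return 'Success' }
    }
}

foreach ($name in $Samples.Keys) {
    $open   = Get-FailOpenResult $Samples[$name]
    $closed = (Get-FailClosedResult $Samples[$name]) -split '\. Output:' | Select-Object -First 1
    '{0,-12} fail-open: {1,-26} fail-closed: {2}' -f $name, $open, $closed
}
# UnseenError is reported as "Success" by the fail-open version and as a
# failure by the fail-closed one.
```

The fail-closed version is the behaviour the second reply in this thread approximates by hand (printing $results.ToString() in the default branch); building it into the script means an unknown device response can never be recorded as a completed reset, and the heartbeat does not have to be the first thing that notices.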
