Reset Cisco DNA Center's Maglev User Password

Introduction

This document describes how to unlock and/or reset the password for the Maglev user.

Background Information

In the case where the Maglev account is locked out, you cannot log in to unlock it. To unlock and/or reset the password for the Maglev user, you must mount an image to the Cisco IMC vKVM. This allows you to access the shell and reset the user and/or password.

Prerequisites

Requirements

• You need to download an ISO image for Ubuntu 16.04 or newer from https://ubuntu.com/download/desktop.

• After the ISO has been downloaded to the local system you then need to mount the ISO to the Cisco Integrated Management Controller (CIMC) KVM.
• Once the ISO is mounted to the KVM you then need to boot from the ISO.
• Once you can access Ubuntu, mount the root and var directories to the system.
• After you have mounted the root and var directories, you can unlock and change the Maglev user account.
• Finally, you reboot the appliance, confirm you can login in with Maglev, and reset the password with the configuration wizard.

Components Used

This operation was run on Ubuntu 20.04 image; a different image produces different times and results. 

It has been seen in some environments to take up to 2 hours to reach the Ubuntu desktop.

This operation is not restricted strictly to the Ubuntu desktop version. All that is required is access to the shell. Any Ubuntu image that provides shell access works for this operation.

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.

Note: you can use the same procedure in a DR environment. However, note these points:

*** Ensure that disaster recovery is in a PAUSED state before attempting any password recovery/reset methods ***

In a 1+1+1 DR deployment, the corresponding site is down while this process is completed.

In a 3+3+3, If your passwords are to be updated on all three nodes, do it one node at a time to ensure that the two other nodes are available to avoid an unnecessary DR failover.

Step 1: Boot from Live CD

Log in to the Cisco IMC GUI, choose Launch KVM and then choose Virtual Media > Activate Devices.

Next, choose Map CD/DVD.

After that choose Browse and then select the Ubuntu ISO image you downloaded to your local system. After you have selected the Ubuntu image, choose the Map Drive button.

Next power cycle the appliance with Power > Reset System (warm boot).

After the system has rebooted, press F6 when the Cisco logo appears. Expect to see the message "Entering Boot Menu ...". 

When the boot menu pops up, choose the option that says Cisco vKVM-Mapped vDVD1.24. This causes the appliance to boot from the mapped Ubuntu image selected earlier.

*** NOTE: The screen shots illustrate how long it takes to reach the Ubuntu desktop. ***

You see a loading screen for Ubuntu that is mostly blank as the system starts to initialize.

After that the screen changes to display a wheel with the Ubuntu logo. (It could take up to 30 minutes for this transition).

Once the screen displays the message "Checking disks: 0% complete", you need to cancel this task Press Ctrl+C to cancel the disk check.

Once the disk check has been skipped you move back to a spinning wheel. Then you get a blank window with just the Ubuntu logo. (This can take another 30 - 45 minutes to process through).

You eventually start to see some messages appear as the system starts to boot Ubuntu for use. Please note that the failed messages are expected. This window remains for up to 20 minutes. After that, the window goes back to a blank screen. After another 10-20 minutes you see the cursor appear. The Ubuntu GUI loads a short time after that.

*** REMINDER: It has been seen in some environments to take up to 2 hours to get to this point ***

Step 2: Mount Required Partitions

Once you have access to the Ubuntu desktop GUI environment you need to open the terminal application and perform these steps

• Create a temporary mount point.
• Mount the root and var partitions to the system.
• Mount the pseudo filesystems to the temporary mount point.

First create the temporary mount point with the command:

sudo mkdir /altsys

Next find the root and var partitions to mount. You can use the lsblk -fm command to find a partition to mount for "/" (root) and "/var".

$ lsblk -fm 
NAME FSTYPE LABEL UUID MOUNTPOINT SIZE OWNER GROUP MODE
 sda 446.1G root disk brw-rw----
 |-sda1 1M root disk brw-rw----
 |-sda2 ext4 install1 1cac7f26-3b8b-43dd-838c-9970000cef3e 28.6G root disk brw-rw----
 |-sda3 vfat 52E8-2653 239M root disk brw-rw----
 |-sda4 ext4 var 0f0e3643-d4eb-46e8-af9f-756906c5f04a 9 .5G root disk brw-rw----
 |-sda5 swap 221b2f64-5a44-404f-b47d-8489fec47598 30.5G root disk brw-rw----
 |-sda6 ext4 data 8aff5ec4-924f-42f9-9ca0-705e5807859a 348.8G root disk brw-rw----
 |-sda7 ext4 a0e853e9-b2d6-4099-ac77-2f322c2a3a26 28.4G root disk brw-rw----
 sdb 1.8T root disk brw-rw----
 |-sdb1 ext4 9b5c4182-9e9d-4e8a-baf6-8a88232f8bcd 426.1G root disk brw-rw----
 |-sdb2 ext4 e918dda6-133b-44ee-b005-5e9707088198 1.3T root disk brw-rw----
 sdc 5.2T root disk brw-rw----
 |-sdc1 ext4 bea4d6d5-7750-4bac-b724-f18867e2029c 5.2T root disk brw-rw----

*** Please note that "install1" is root "/" and "var" is "/var" in the output. ***

Make a note of the partition for mount commands. If you do not see the labels, then:

• for /var: based on appliance profile, look for a 9.5G or 168GB partition
• for /: 28.66GB or 47.7GB. Note that there is /install-artifacts with similar size 28.46GB.

Once you have identified the var and root partitions mount them:

sudo mount /dev/sda2  /altsys   # use the disk with up to 5 or 6 partitions 
sudo mount /dev/sda4 /altsys/var       # use the disk with up to 5 or 6 partitions 

Once root and var have been mounted, mount the psuedo filesystems:

sudo mount --bind /proc /altsys/proc
sudo mount --bind /dev  /altsys/dev
sudo mount --bind /sys  /altsys/sys

The last step before you change the password or unlock the Maglev account is to change to the temporary mount environment:

sudo chroot /altsys

Use Case 1: Unlock Maglev Account

Step 1: Verify that maglev user is unlocked

grep maglev /etc/shadow

maglev:!$6$6jvRGoDihpcsr8Xl$RUFs.Lb.2AbbgvODfJsw4b2EnpSwiNUlwJ6NQIjEnvOtT5Svz4ePHZa4f0eUvLHl7VAFca46f2nHxqMWORYLm.:18176:0:99999:7:::

Check if there is an exclamation mark in front of the password hash or not. If there is, that indicates the account is locked. Type in the command to unlock the user:

Unlock the maglev user with the command:

usermod -U maglev

Step 2: Reset failed count

If the user does not have an escalation mark in front of the hash in the /etc/shadow file, then the login failure limit has been exceeded. Please use these steps to reset failed login attempts.

Find the failed login attempts for the maglev user:

$ sudo pam_tally2 -u maglev

Login           Failures Latest failure     From
maglev              454    11/25/20 20:24:05  x.x.x.x

As shown here, the login attempts are larger than the default 6 attempts. This denies that user the ability to log in until the failure count drops to less than six (6). You can reset the login failure count with the command:

sudo pam_tally2 -r -u maglev

You can confirm that the counter has been reset:

sudo pam_tally2 -u maglev

Login           Failures Latest failure     From
maglev                0    

Use Case 2: Reset Maglev User Password

Step 1: Reset the Maglev user password

# passwd maglev

Enter new UNIX password:   #Enter in the desired password

Retype new UNIX password: #Re-enter the same password previously applied

Password has been already used.

passwd: password updated successfully  #Indicates that the password was successfully changed

Step 2: Reboot normally to Cisco DNA Center environment

Click on Power in the KVM window and then Reset System (warm boot). This causes the system to reboot and boot with the RAID controller so that the Cisco DNA Center software boots up.

Step 3: Update Maglev User Password from Cisco DNA Center CLI

Once the Cisco DNA Center software boots and you have access to the CLI, you need to change the Maglev password with the command sudo maglev-config update. This step is required to ensure that the change takes affect across the whole system.

Once the config wizard has been launched, you need to navigate completely through the wizard to screen that allows us to set the Maglev password in step 6.

Once the password has been set for both fields Linux Password and Re-enter Linux Password, choose next and complete the wizard. When the wizard finishes the configuration push, the password is successfully changed. You can create a new SSH session or enter in the command sudo -i in the CLI to test that the password has been changed.