Reset Your Administrator Password and Unlock the Administrator User Account

Available Languages

Download Options

  • PDF     (34.7 KB)
    View with Adobe Reader on a variety of devices
  • ePub     (85.5 KB)
    View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
  • Mobi (Kindle)     (72.2 KB)
    View on Kindle device or Kindle app on multiple devices
Updated:August 31, 2023
Document ID:117866

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

    Introduction

    This document describes how to reset your lost administrator account password for a Cisco Email Security Appliance (ESA), Cisco Security Management Appliance (SMA), or a Cisco Web Security Appliance (WSA). This document applies to both hardware-based and virtual-based AsyncOS appliances.

    Reset Your Administrator Password

    The password for the admin account of an appliance can only be reset via the serial console, using a temporary password Cisco Technical Assistance Center (TAC) can generate. Complete these steps in order to reset your administrator (admin) password on your appliance:

    1. Contact Cisco Customer Support for a temporary admin password.

      Note: You must provide the full serial number of the appliance in your request or case notes.

    2. When you receive the temporary admin password:

      • For hardware-based appliances, access the appliance via a direct serial connection:

        Bits per second: 9600
        Data bits: 8
        Parity: None
        Stop bits: 1
        Flow control: Hardware
      • For virtual-based appliances, access the appliance from the ESXi console or another virtual host console.

    3. Log in as the user adminpassword.

      1. Enter the temporary admin password that you received from the Cisco Customer Support Engineer and press Return.

      2. Enter the new password for the admin user.

        AsyncOS myesa.local (ttyv0)

        login: adminpassword
        Password:  <<<WILL REMAIN BLANK AS YOU ENTER IN THE TEMP PASSWORD>>>
        Last login: Fri Feb 6 20:45 from 192.168.0.01
        Copyright (c) 2001-2013, Cisco Systems, Inc.

        AsyncOS 8.5.6 for Cisco C370 build 092
        Welcome to the Cisco C370 Email Security Appliance
        Chaning local password for admin
        New Password:  <<<WILL REMAIN BLANK AS YOU ENTER IN THE NEW PASSWORD>>>
        Retype New Password:  <<<WILL REMAIN BLANK AS YOU ENTER IN THE NEW PASSWORD>>>

        AsyncOS myesa.local (ttyv0)

        login: admin
        Password:  <<<USE NEW PASSWORD AS SET ABOVE>>>

    Steps to Unlock the Admin User Account

    The admin account can only be unlocked via direct physical access to the appliance. Now that you are logged in via the reset admin account on the appliance, confirm that the admin user has not been locked due to consecutive login failures. In order to confirm this, enter the userconfig command in the CLI:

    note-icon

    Note: Newer versions of code, 12.x and later, prompt for an existing administrator role password in order to make edits to users.

    > userconfig


    Users:
    1. admin - "Administrator" (admin) (locked)
    2. dlpuser - "DLP User" (dlpeval)

    External authentication: Disabled

    Choose the operation you want to perform:
    - NEW - Create a new account.
    - EDIT - Modify an account.
    - DELETE - Remove an account.
    - POLICY - Change password and account policy settings.
    - PASSWORD - Change the password for a user.
    - ROLE - Create/modify user roles.
    - STATUS - Change the account status.
    - EXTERNAL - Configure external authentication.
    - DLPTRACKING - Configure DLP tracking privileges.

    If the admin user is locked, it is noted with (locked), as shown in the output.

    Note: Only the admin account can change the status for the admin user. The admin user cannot be changed by any other local user account, regardless of the account's role on the appliance. Also, as previously mentioned, this must be completed via a serial/console connection.

    The only other option is to request that the admin user be unlocked by Cisco Customer Support. This assumes that you have an account that has an administrative role on the appliance and that you are able to log into the CLI or GUI with that account. This option also requires an open remote support tunnel to the appliance.

    In order to unlock the admin user, or any other user account in the locked status, enter the userconfig command and proceed from the start menu as shown here:

    note-icon

    Note: In newer versions of AsyncOS, you could be required to enter your passphrase after you enter the status command. When prompted, use the new password you set in the previous step.

    []> status

    Enter the username or number to edit.
    []> 1

    This account is locked due to consecutive log-in failures.

    Do you want to make this account available? [N]> y

    Account admin is now available.

    Users:
    1. admin - "Administrator" (admin)
    2. dlpuser - "DLP User" (dlpeval)

    Note: You are not required to commit the appliance configuration when you only change the status for the admin user.

    Related Information

    Revision History

    Revision Publish Date Comments
    2.0
    31-Aug-2023
    Added notes regarding the requirement to enter the newly reset password when unlocking the account.
    1.0
    27-Jun-2014
    Initial Release
    TAC Authored

    Contributed by Cisco Engineers

    • Robert Sherwin
      Technical Marketing Engineering Technical Leader
    • Alvaro J Gordon-Escobar
      Software Engineering Technical Leader

    Was this Document Helpful?

    FeedbackFeedback

    Contact Cisco

    This Document Applies to These Products