Updated: August 31, 2023
This document describes how to reset your lost administrator account password for a Cisco Email Security Appliance (ESA), Cisco Security Management Appliance (SMA), or a Cisco Web Security Appliance (WSA). This document applies to both hardware-based and virtual-based AsyncOS appliances.
Reset Your Administrator Password
The password for the admin account of an appliance can only be reset via the serial console, using a temporary password that the Cisco Technical Assistance Center (TAC) can generate. Complete these steps in order to reset your administrator (admin) password on your appliance:
Contact Cisco Customer Support for a temporary admin password.
Note: You must provide the full serial number of the appliance in your request or case notes.
When you receive the temporary admin password:
For hardware-based appliances, access the appliance via a direct serial connection:
Bits per second: 9600
Data bits: 8
Parity: None
Stop bits: 1
Flow control: Hardware
For virtual-based appliances, access the appliance from the ESXi console or another virtual host console.
Log in as the user adminpassword.
Enter the temporary admin password that you received from the Cisco Customer Support Engineer and press Return.
Enter the new password for the admin user.
AsyncOS myesa.local (ttyv0)

login: adminpassword
Password: <<<WILL REMAIN BLANK AS YOU ENTER IN THE TEMP PASSWORD>>>
Last login: Fri Feb 6 20:45 from 192.168.0.01
Copyright (c) 2001-2013, Cisco Systems, Inc.
AsyncOS 8.5.6 for Cisco C370 build 092
Welcome to the Cisco C370 Email Security Appliance
Chaning local password for admin
New Password: <<<WILL REMAIN BLANK AS YOU ENTER IN THE NEW PASSWORD>>>
Retype New Password: <<<WILL REMAIN BLANK AS YOU ENTER IN THE NEW PASSWORD>>>

AsyncOS myesa.local (ttyv0)

login: admin
Password: <<<USE NEW PASSWORD AS SET ABOVE>>>
Steps to Unlock the Admin User Account
The admin account can only be unlocked via direct physical access to the appliance. Now that you are logged in via the reset admin account on the appliance, confirm that the admin user has not been locked due to consecutive login failures. In order to confirm this, enter the userconfig command in the CLI:
Note: Newer versions of code, 12.x and later, prompt for an existing administrator role password in order to make edits to users.
Choose the operation you want to perform:
- NEW - Create a new account.
- EDIT - Modify an account.
- DELETE - Remove an account.
- POLICY - Change password and account policy settings.
- PASSWORD - Change the password for a user.
- ROLE - Create/modify user roles.
- STATUS - Change the account status.
- EXTERNAL - Configure external authentication.
- DLPTRACKING - Configure DLP tracking privileges.
If the admin user is locked, it is noted with (locked), as shown in the output.
Note: Only the admin account can change the status for the admin user. The admin user cannot be changed by any other local user account, regardless of the account's role on the appliance. Also, as previously mentioned, this must be completed via a serial/console connection.
The only other option is to request that the admin user be unlocked by Cisco Customer Support. This assumes that you have an account that has an administrative role on the appliance and that you are able to log into the CLI or GUI with that account. This option also requires an open remote support tunnel to the appliance.
In order to unlock the admin user, or any other user account in the locked status, enter the userconfig command and proceed from the start menu as shown here:
Note: In newer versions of AsyncOS, you might be required to enter your passphrase after you enter the status command. When prompted, use the new password you set in the previous step.
Enter the username or number to edit. > 1
This account is locked due to consecutive log-in failures.
Do you want to make this account available? [N]> y