ScreenOS Firewalls (NOT SRX)

ISG2000 Login LDAP admin user issue

05-10-2018 11:44 PM
Hi Friends,
We have two ISG2000 firewalls installed in active/passive mode. Yesterday, by mistake, while creating a new user, we changed the admin user from netscreen to the new user jams, and this is now the only admin user on the firewall, i.e. jams.
As our firewall authentication mode is TACACS/LDAP, and the name jams is the same on LDAP and locally, when we try to authenticate to the firewall it tries to authenticate via AAA instead of the local password. When we enter the LDAP password it works, but that user is not the admin.
 
If someone has faced this issue, kindly assist with how to force the firewall to authenticate locally with user jams instead of LDAP. We are afraid that if we change the TACACS configuration it will force a logout and no one will be able to log in again if the local user does not work 😞
 
Below are the configurations before and after the change.
 
----------------------------before change------------
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth-server "aruba-tacacs" id 1
set auth-server "aruba-tacacs" server-name "10.XX.XX.XX"
set auth-server "aruba-tacacs" backup1 "10.XX.XX.XX"
set auth-server "aruba-tacacs" account-type admin
set auth-server "aruba-tacacs" fail-over revert-interval 5
set auth-server "aruba-tacacs" type tacacs
set auth-server "aruba-tacacs" tacacs secret "abc-xyz"
set auth-server "aruba-tacacs" tacacs port 49
set auth default auth server "Local"
set auth radius accounting port 1646
set admin name "netscreen"
set admin password "abc-xyz"
set admin auth web timeout 0
set admin auth server "aruba-tacacs"
set admin auth remote root
set admin privilege get-external
set admin format dos
set user "netscreen" uid 2
set user "netscreen" type auth
set user "netscreen" remote ipaddr "10.xx.xx.xx"
set user "netscreen" hash-password "0abc-xyz"
----------------------------after change-------------------
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth-server "aruba-tacacs" id 1
set auth-server "aruba-tacacs" server-name "10.XX.XX.XX"
set auth-server "aruba-tacacs" backup1 "10.XX.XX.XX"
set auth-server "aruba-tacacs" account-type admin
set auth-server "aruba-tacacs" fail-over revert-interval 5
set auth-server "aruba-tacacs" type tacacs
set auth-server "aruba-tacacs" tacacs secret "abc-xyz"
set auth-server "aruba-tacacs" tacacs port 49
set auth default auth server "Local"
set auth radius accounting port 1646
set admin name "jams"
set admin password "abc-xyz"
set admin auth web timeout 0
set admin auth server "aruba-tacacs"
set admin auth remote root
set admin privilege get-external
set admin format dos
set user "netscreen" uid 2
set user "netscreen" type auth
set user "netscreen" remote ipaddr "10.xx.xx.xx"
set user "netscreen" hash-password "0abc-xyz"
set user "jams" uid 3
set user "jams" type auth
set user "jams" remote ipaddr "10.xx.xx.xx"
set user "jams" hash-password "0abc-xyz"
 

Re: ISG2000 Login LDAP admin user issue

05-11-2018 03:15 AM

You will need the authentication to go to local after LDAP; the options are not pretty.

Kill the network access path from the firewall to LDAP so it won't get a response and will proceed to local

Temporarily remove the ISG from LDAP

Temporarily disable LDAP in the configuration

Delete the user from LDAP

 

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home
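As an added example (not from this thread and not a Juniper tool): a small Python check that reads the "set admin ..." and "set user ..." lines of a ScreenOS config dump like the one posted in the question and flags the combination that produced this lockout: admin authentication pointed at an external server, "set admin auth remote root" enabled, and the admin name also defined as a "set user ... type auth" entry. It is meant to be run over a proposed config before renaming the admin, so the problem is caught before any of the options in the reply above become necessary. The first sample is constructed from the posted "after change" dump; the second is a hypothetical variant with admin auth left on the Local database and a name no auth-user shares. Treating a name shared between the admin and an auth-user as a collision follows what the thread describes, not Juniper documentation.

```python
import shlex

# Constructed sample: trimmed from the "after change" dump in the question.
SAMPLE_AFTER = """
set auth-server "Local" id 0
set auth-server "aruba-tacacs" id 1
set auth-server "aruba-tacacs" account-type admin
set auth-server "aruba-tacacs" type tacacs
set auth default auth server "Local"
set admin name "jams"
set admin password "abc-xyz"
set admin auth server "aruba-tacacs"
set admin auth remote root
set user "netscreen" uid 2
set user "netscreen" type auth
set  user "jams" uid 3
set user "jams" type auth
"""

# Constructed (hypothetical) variant: admin auth kept on the Local database and
# an admin name that no auth-user shares, so the checks below stay quiet.
SAMPLE_SEPARATED = """
set auth-server "Local" id 0
set auth-server "aruba-tacacs" id 1
set auth-server "aruba-tacacs" type tacacs
set auth default auth server "Local"
set admin name "fw-root"
set admin auth server "Local"
set user "jams" uid 3
set user "jams" type auth
"""


def parse_screenos(text):
    """Pull the admin/auth settings out of 'set ...' lines; everything else is ignored."""
    cfg = {
        "admin_name": None,
        "admin_auth_server": None,
        "remote_root": False,
        "default_auth_server": None,
        "auth_server_types": {},   # server name -> type (tacacs, radius, ...)
        "users": {},               # user name -> {"type": ...}
    }
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("set "):
            continue
        tok = shlex.split(line)    # drops the quotes around names, tolerates extra spaces
        if tok[1:3] == ["admin", "name"] and len(tok) > 3:
            cfg["admin_name"] = tok[3]
        elif tok[1:4] == ["admin", "auth", "server"] and len(tok) > 4:
            cfg["admin_auth_server"] = tok[4]
        elif tok[1:5] == ["admin", "auth", "remote", "root"]:
            cfg["remote_root"] = True
        elif tok[1:5] == ["auth", "default", "auth", "server"] and len(tok) > 5:
            cfg["default_auth_server"] = tok[5]
        elif tok[1] == "auth-server" and len(tok) > 4 and tok[3] == "type":
            cfg["auth_server_types"][tok[2]] = tok[4]
        elif tok[1] == "user" and len(tok) > 2:
            entry = cfg["users"].setdefault(tok[2], {})
            if len(tok) > 4 and tok[3] == "type":
                entry["type"] = tok[4]
    return cfg


def lint_admin_auth(cfg):
    """Return (code, message) findings for the admin-login trap seen in the thread."""
    findings = []
    server = cfg["admin_auth_server"]
    external = server is not None and server != "Local"
    if external:
        stype = cfg["auth_server_types"].get(server, "unknown type")
        findings.append(("EXTERNAL_ADMIN_AUTH",
                         f"admin logins are sent to {server!r} ({stype})"))
    if cfg["remote_root"]:
        findings.append(("REMOTE_ROOT",
                         "root admin may also be authenticated by the external server"))
    name = cfg["admin_name"]
    if name is not None and name in cfg["users"]:
        utype = cfg["users"][name].get("type", "unspecified")
        findings.append(("ADMIN_NAME_COLLISION",
                         f"admin name {name!r} is also a 'set user' entry (type {utype})"))
        if external:
            findings.append(("LOCKOUT_RISK",
                             "with external admin auth a same-named AAA account answers the "
                             "admin login (the situation in this thread); use a local-only "
                             "admin name or point admin auth at Local before renaming"))
    return findings


def lint_config(text):
    """Convenience wrapper: the finding codes for a config dump, in order."""
    return [code for code, _ in lint_admin_auth(parse_screenos(text))]


if __name__ == "__main__":
    for label, text in (("after change", SAMPLE_AFTER), ("separated", SAMPLE_SEPARATED)):
        print(f"== {label} ==")
        for code, msg in lint_admin_auth(parse_screenos(text)) or [("OK", "no findings")]:
            print(f"{code}: {msg}")
```

Paste the output of "get config" into the sample string (or read it from a file) and run the script; the collision finding is the one to clear before issuing "set admin name". The parser only keys off the statement prefixes, so a dump with redacted addresses or secrets, as above, works unchanged.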

Re: ISG2000 Login LDAP admin user issue

05-11-2018 05:50 AM

Thank you Mr Steve Puluka for your valuable comments. On the passive firewall we always use the netscreen password, as it is not communicating with LDAP, and it should work for local. Maybe I have made some misconfiguration; below are the exact changes I made, and only these.

 

set admin name jams

After this command I received this error:

Password has been restored to default "netscreen". For security reasons, please change password immediately.

Then I set the password:

set user jams password "abc-xyz"

 

Now when I try to log in with username jams and the password, it gives this error:

Password:
Password authentication failed.
Please verify that the username and password are correct


Re: ISG2000 Login LDAP admin user issue

05-13-2018 07:11 AM

When you view the configuration from other LDAP logins, does the jams user change seem to be in place?

 

I assume the old user/password does not work.

Does jams work on the secondary firewall with the default netscreen password?

 

After the CLI changes, was the configuration saved?

Perhaps you can revert with a reboot if not.

 

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home