Admin credentials expired and unable to login and reset the password
Created On 09/17/19 19:49 PM - Last Modified 10/07/19 17:10 PM
Symptom
- The main Admin account with superuser privileges expired and there is no way to access the Panorama/Firewall via CLI or GUI.
- There are no other superuser accounts.
- There are no other admins that have a superuser account to log into the device.
- There is no way to export the snapshot due to permission limitations.
- There is an AD account (RADIUS/TACACS) with limited permissions, which allows us to log into the CLI and GUI.
Environment
- Panorama (HA) device
- PAN-OS device
Cause
- The Administrator's password has expired, preventing the user from accessing the Panorama management.
Resolution
If using an AD account authenticated through either RADIUS or TACACS, make sure that the Panorama or Firewall device is set to Active (only applies to HA configuration).
- Go to configuration mode and do the following steps:
  admin@pan-test(primary-active)> configure
  Entering configuration mode
  admin@pan-test(primary-active)# set mgt-config users
  admin@pan-test(primary-active)# set mgt-config users admin_temp
  admin@pan-test(primary-active)# set mgt-config users admin_temp password
  Enter password :
  Confirm password :
  [edit]
  admin@pan-test(primary-active)# commit
  admin@pan-test(primary-active)# set mgt-config users admin_temp permissions role-based superuser yes
- Log into the Panorama or Firewall as a local admin.
- Go to the Administrator section and check if there are other superuser accounts.
- Edit the superuser accounts as needed.
Additional Information
This solution requires the user to have access to their AD credentials via RADIUS or TACACS in order to gain limited GUI or CLI access.