NSX-T Local Accounts and Password Expiration

Intro

By default, NSX-T passwords have a 90-day expiration that applies to the NSX-T managers as well as the Edge nodes.
Many people are not aware of this, and often when logging in, especially to the Edge nodes, you get a password expiry message.

Password expired

The message differs slightly depending on whether you connect via SSH or via the console. From the console it looks like this.

From an SSH session.

Last login: Mon Dec 21 14:06:15 2020 from 192.168.10.200
NSX CLI (Edge 3.1.0.0.0.17107177). Press ? for command list or enter: help
DCA-MulNSXT-ESG01> set user admin password-expiration 1
DCA-MulNSXT-ESG01> You are required to change your password immediately (password aged)

 * TIPS:  To reconfig management interface, please refer to these CLIs
     1) stop service dataplane
     2) set interface interface-name vlan vlan-id plane mgmt (for creating vlan sub-interface)
     3) set interface interface-name ip x.x.x.x/24 gateway x.x.x.x plane mgmt (for static ip)
        set interface interface-name dhcp plane mgmt (for dhcp)
     4) start service dataplane

     To config in-band management interface, please refer to these CLIs
     1) set interface mac mac-addr vlan vlan-id in-band plane mgmt
     2) set interface eth0.vlan ip x.x.x.x/24 gateway x.x.x.x plane mgmt (for static ip)
        set interface eth0.vlan dhcp plane mgmt (for dhcp)
 
Last login: Mon Dec 21 18:16:19 2020 from 192.168.10.200
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for admin.
(current) UNIX password: 

To reset the password, type in the current password and then enter a new password twice when prompted. If you are connected via SSH, it's likely that you will be disconnected after the password change.

Manually change a user's password

You can manually set the password for a user by running “set user admin/audit/root password”, then entering the user's current password followed by the new one twice when prompted.

DCA-MulNSXT-ESG01> set user admin password
Current password: 
New password: 
Confirm new password: 
DCA-MulNSXT-ESG01> 

Check password expiration

To check a user's password expiration setting, type “get user admin/audit/root password-expiration”.

DCA-MulNSXT-ESG01> get user admin password-expiration 
Wed Dec 23 2020 UTC 16:38:51.380
Password expires 90 days after last change. Current password will expire in 90 days.

Set password expiration

To set the password expiration time, type “set user admin/audit/root password-expiration 1-9999”. For instance, to set the admin user's password to expire after 10 days, type “set user admin password-expiration 10”.

DCA-MulNSXT-ESG01> set user admin password-expiration 10

Set no password expiration

To set passwords to never expire, type “clear user admin/audit/root password-expiration”.

DCA-MulNSXT-ESG01> clear user admin password-expiration 
DCA-MulNSXT-ESG01> get user admin password-expiration 
Wed Dec 23 2020 UTC 16:44:56.671
Password expiration not configured for this user
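
When many Edge nodes and managers need checking, the two output forms of “get user ... password-expiration” shown above can be parsed and turned into findings. The Python below is an added example, not part of the original post or of NSX-T itself; the function names, the 14-day warning threshold and the audit/root sample outputs are assumptions constructed for illustration, and collecting the CLI output from each node is left out.

```python
import re

# Matches the "expiration configured" form shown on this page.
# "days?" tolerates a singular "day" (assumption; not shown on the page).
_EXPIRY = re.compile(
    r"Password expires (\d+) days? after last change\. "
    r"Current password will expire in (\d+) days?\."
)
# The "expiration cleared" form shown on this page.
_DISABLED = "Password expiration not configured for this user"

def parse_expiration(output):
    """Parse one 'get user <name> password-expiration' output."""
    if _DISABLED in output:
        return {"enabled": False, "max_age_days": None, "days_left": None}
    match = _EXPIRY.search(output)
    if match is None:
        # Any wording other than the two forms on the page is not guessed at.
        raise ValueError("unrecognised password-expiration output")
    return {"enabled": True,
            "max_age_days": int(match.group(1)),
            "days_left": int(match.group(2))}

def audit(outputs, warn_days=14):
    """Map each user to 'ok', 'expiring-soon', 'no-expiration' or 'unparsed'."""
    findings = {}
    for user, text in outputs.items():
        try:
            info = parse_expiration(text)
        except ValueError:
            findings[user] = "unparsed"  # surface it, keep checking the rest
            continue
        if not info["enabled"]:
            findings[user] = "no-expiration"
        elif info["days_left"] <= warn_days:
            findings[user] = "expiring-soon"
        else:
            findings[user] = "ok"
    return findings

# admin: output copied from this page. audit and root: constructed samples.
SAMPLE_OUTPUTS = {
    "admin": "Wed Dec 23 2020 UTC 16:38:51.380\nPassword expires 90 days "
             "after last change. Current password will expire in 90 days.",
    "audit": "Wed Dec 23 2020 UTC 16:40:02.114\nPassword expires 10 days "
             "after last change. Current password will expire in 3 days.",
    "root": "Wed Dec 23 2020 UTC 16:44:56.671\n"
            "Password expiration not configured for this user",
}

if __name__ == "__main__":
    for user, finding in audit(SAMPLE_OUTPUTS).items():
        print(f"{user}: {finding}")
```

Accounts reported as “no-expiration” are the ones where “clear user ... password-expiration” has been run, so they need to be covered by some other rotation process.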

Change username

To change a user's username, type “set user admin/audit/root username xxxx”, for example “set user audit username audit1”.
