Set NSX-T 3.1.1 Password Expiration Policy for Home Labs

Posted on Updated on

If you run a home lab like I do then sometimes VM’s are powered off until you need them.  In my case I use NSX but not as frequently as I’d like to. So its not uncommon for my NSX manager passwords to expire.  VMware NSX-T has a preconfigured password expiration policy of 90 days. When the password expiration day is near, a notification is displayed in the Web interface OR in my case they already expired so you can’t login. There are 3 preconfigured local users: admin, audit, and root. All passwords have to be changed after 90 days. In this blog I’m going to cover how I set the policy to not expire.

First off a bit of warning — I wouldn’t recommend this for a production environment and I’d follow your best practices around password policies.

Environment:

There are 3 x ESXi 7u2d Hosts with 3 NSX-T 3.1.1 Manager Nodes in my enviroment.  The NSX-T Manager Nodes have a virtual IP (VIP) that allows me to access the NSX Web GUI.  No Edge Nodes are installed.

Pre-Steps:

  • Ensure your vSphere Hosts are in a health state and all NSX Manager VM’s are powered on
  • Ensure you can logon to the NSX-T Environment as Admin and Root on all Management nodes. Update Passwords if needed.
  • If your admin password has already expired then, logon via SSH to the NSX VIP as admin and update the password. If you logon as root it will not enable the NSX CLI commands.

Steps:

The following commands can be used to remove the password expiration policy. If you have multiple manager appliances, the commands only need to be executed on one node.

  • Connect directly to a NSX-T Manager or the VIP address with SSH
  • Login as admin  << this is key to enable the NSX CLI Command set
  • Enter clear user [username] password-expiration
    • NSXMGR220> clear user admin password-expiration
      NSXMGR220> clear user root password-expiration
      NSXMGR220> clear user audit password-expiration 
  • Validate the password expiration with get user [username] password-expiration
    • NSXMGR220> get user admin password-expiration
      Sat Nov 06 2021 UTC 18:52:00.552
      Password expiration not configured for this user

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.