NSX-T Prevent Password Lockout for AVI ALB and other automation with lockout_immune_addresses

Published by Jimmy Mankowitz on

In NSX-T when the admin account password expires and you have integrations with NSX-T that is using this account, and have not had time to update the administrator password in the integrations and in NSX-T. You will find that the admin account can get locked out.
After five consecutive failed login attempts, the administrator account is locked for 15 minutes. To prevent this, we can add the endpoints utilizing NSX-T with their IP addresses to the lockout_immune_addresses list.

This can be done by using the NSX API with for example Postman Client.

Begin with starting the Postman client and then on the Authorization tab enter the information for the admin and the password with Basic Auth.

Then on the Headers tab utilize Content-Type: application/json

Proceed with adding the request method as GET with the URL against the NSX-T manager with the API to retrieve the lockout_immune_addresses list. /api/v1/cluster/api-service

After a successful response copy the full body answer and edit it and add it as the new body in postman so we can continue with a update PUT.

I am adding my AVI ALB load balancer IPs and Controller VIP in my list. This should contain every other IP that connects against NSX-T aswell.

Add the IP addresses of all global NSX Managers (including the VIP addresses) between the brackets in the following format, leaving the quotes intact: 
“lockout_immune_addresses”:[“”, “”, “”, “”]

Send the new security configuration to the local manager using the Postman PUT method
Take the previous Postman HTTP request and change the HTTP request method from GET to PUT.
Send the new HTTP request and confirm a successful response (“status: 200 OK”).

This concludes the lockout_immune_addresses work.

Have a great time!


Leave a Reply

Avatar placeholder

Your email address will not be published. Required fields are marked *