Section 3-3. Passwords and Password Recovery



  • Passwords provide a layer of protection for the switch to prevent unauthorized use.

  • Catalyst switches have basically two levels of password protection (user level and privileged level).

  • Privileged passwords are encrypted for tighter security.

  • If a password is lost, each OS offers a password recovery process to gain access to the device.

Configuration of Passwords

1. (Optional; highly recommended) Configure a user-level password:

COS

 set password

IOS

 (line) login
 (line) password password


The user-level password prevents anyone who is not authorized from accessing the command-line interface (CLI) from Telnet or console sessions. For COS machines, the command set password enables an applet that queries the user for the current and new password. On IOS machines, the command login and a password must be configured on each line (con0 or vty 0 4). The command login is a default setting on the Telnet lines for an IOS switch, which prevents a user from logging in via Telnet until after a password has been configured.

NOTE

On an IOS switch, you can configure a different user-level password for any line, such as Telnet or console connections. For a COS switch, the user password is always the same regardless of how the switch is accessed (Telnet or console).

2. (Optional; highly recommended) Configure a privileged-level password:

COS

 set enablepass

IOS

 (global) enable secret password


The privileged password prevents anyone who is not authorized from gaining access to privileged level, where configuration changes can be made to the switch and other features. For COS machines, the command set enablepass enables an applet that queries the user for the current and new password. On IOS machines, the command enable secret followed by the password is used to configure the password.

NOTE

On a COS device, both passwords are encrypted. For the IOS machine, only the secret, privileged password is encrypted by default.


Feature Example

This example shows a typical configuration for setting the user and privileged passwords for COS and IOS switches.

An example of the Catalyst OS configuration follows:

 Console (enable)>
 Console (enable)>set enablepass
 Enter old password: oldenablepass
 Enter new password: san-fran
 Retype new password: san-fran
 Password changed
 Console (enable)> set password
 Enter old password: oldpass
 Enter new password: cisco
 Retype new password: cisco
 Password changed
 Console (enable)>

An example of the Supervisor IOS configuration follows:

 Switch(config)#enable secret san-fran
 Switch(config)#line vty 0 4
 Switch(config-line)#password cisco
 Switch(config-line)#line con 0
 Switch(config-line)#login
 Switch(config-line)#password cisco
 Switch(config-line)#end
 Switch#copy running-config startup-config
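A way to check a saved IOS configuration for the points made above (line passwords are not encrypted by default, and each line needs both login and a password). This is an added example, not part of the original text; the function name, finding strings and sample configuration are constructed for illustration, and it treats any `login` variant as enabling the password prompt.

```python
# Constructed sample in the style of the Supervisor IOS example above; the
# console line deliberately lacks "login" and the secret hash is a placeholder.
SAMPLE_CONFIG = """\
enable secret 5 $1$PLACEHOLDER$constructedhashvalue
!
line con 0
 password cisco
line vty 0 4
 password cisco
 login
!
end
"""

def audit_ios_passwords(config_text):
    """Return (scope, finding) tuples for password issues in an IOS config.

    A line password written as "password 7 <string>" is treated as encrypted
    by the service password-encryption feature; anything else as cleartext.
    """
    has_secret = False
    lines = {}       # line name -> {"password": None|"clear"|"type7", "login": bool}
    current = None
    for raw in config_text.splitlines():
        words = raw.split()
        if not words:
            continue
        if not raw.startswith(" "):          # a top-level command ends a line block
            current = None
            if words[:2] == ["enable", "secret"] and len(words) > 2:
                has_secret = True
            elif words[0] == "line" and len(words) > 1:
                current = " ".join(words[1:])
                lines[current] = {"password": None, "login": False}
        elif current:
            if words[0] == "password" and len(words) > 1:
                type7 = len(words) > 2 and words[1] == "7"
                lines[current]["password"] = "type7" if type7 else "clear"
            elif words[0] == "login":
                lines[current]["login"] = True
    findings = []
    if not has_secret:
        findings.append(("global", "no enable secret configured"))
    for name, state in lines.items():
        if state["password"] == "clear":
            findings.append((name, "line password stored unencrypted"))
        if state["password"] and not state["login"]:
            findings.append((name, "password set but login missing"))
        if state["login"] and not state["password"]:
            findings.append((name, "login set but no password"))
        if not state["login"] and not state["password"]:
            findings.append((name, "no password protection"))
    return findings
```

Calling `audit_ios_passwords(SAMPLE_CONFIG)` reports the unencrypted password on both lines and the missing `login` on the console line.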

Password Recovery on a COS Device

If you have lost or forgotten your passwords, you can use the COS password-recovery process to gain access to the device. The COS procedure is among the easiest of all the recovery procedures.

For the initial 30 or so seconds after the switch CLI becomes available, all passwords are null, so users only need to press Enter when prompted for a password (including prompts during password management). The following steps outline the procedure:

1. Attach a device to the console of the switch and power cycle the device.

2. As the switch comes up, press Enter to gain access to the user prompt.

NOTE

You should see a message about the device being available, but it might scroll by quickly. Because it is important to complete the next few steps in a timely fashion, you might want to press Enter every few seconds until you get the user prompt.

3. After accessing the user prompt, access privileged mode by typing the command enable and pressing Enter when prompted for a password.

4. In privileged mode, change the user password with the command set password. Press Enter for each of the prompts.

5. In privileged mode, change the privileged password with the command set enablepass. Press Enter for each of the prompts.

At this point, you have set all the passwords back to the default (which is null). Because timing is critical for Steps 2 through 5, it is best to set the passwords to null and then go back and change the passwords to the desired setting using the set password and set enablepass commands again after Step 5.

TIP

Because you have a limited time to complete this process, it is helpful to create a text file with the commands and carriage returns needed to complete the process. Then when you get the prompt to log in, you can paste in the text file to complete the password-recovery process.


Feature Example

This example shows a typical password-recovery process for a COS switch:

 System Bootstrap, Version 5.3(1)
 Copyright (c) 1994-1999 by Cisco Systems, Inc.
 c6k_sup1 processor with 65536 Kbytes of main memory
 Autoboot executing command: "boot bootflash:cat6000-sup9k.6-1-1c.bin"
 Uncompressing file: #####################################################
 #########################################################################
 #########################################################################
 System Power On Diagnostics
 DRAM Size ....................64 MB
 Testing DRAM..................Passed
 Verifying Text segment .......Passed
 NVRAM Size ...................512 KB
 Saving NVRAM .................Done
 Testing NVRAM ................Passed
 Restoring NVRAM ..............Done
 Level2 Cache .................Present
 Testing Level2 Cache .........Passed
 System Power On Diagnostics Complete
 Boot image: bootflash:cat6000-sup9k.6.1.1(c).bin
 Running System Diagnostics from this Supervisor (Module 1)
 This may take up to 2 minutes....please wait
 Cisco Systems Console
 Enter password: (press Enter)
 2000 Jan 09 23:09:27 %SYS-1-SYS_NORMPWRMGMT:System in normal power management operation
 2000 Jan 09 23:09:27 %SYS-5-MOD_PWRON:Module 3 powered up
 2000 Jan 09 23:09:34 %SYS-5-MOD_OK:Module 1 is online
 Console> enable
 Enter password: (press Enter)
 Console> (enable) set password
 Enter old password: (press Enter)
 Enter new password: (press Enter)
 Retype new password: (press Enter)
 Password changed.
 Console> (enable) set enablepass
 Enter old password: (press Enter)
 Enter new password: (press Enter)
 Retype new password: (press Enter)
 Password changed.
 Console> (enable)
 Console> (enable) set password
 Enter old password: (press Enter)
 Enter new password: (type your new password)
 Retype new password: (type your new password)
 Password changed.
 Console> (enable) set enablepass
 Enter old password: (press Enter)
 Enter new password: (type your new password)
 Retype new password: (type your new password)
 Password changed.

Password Recovery on IOS Devices: Procedure 1

Password-recovery procedure 1 covers the 2900/3500XL, 2950, and 3550. If you have lost or forgotten your passwords, or if you want to bypass the configuration file, you can use this recovery process to gain access to the device.

To recover from a lost IOS password, you have to stop the boot process and then direct the IOS switch to not use the configuration file. When the switch loads without a file, you have no passwords and can enter into privileged mode. From there, you can copy the configuration file into active memory and then change and save the passwords. To complete the recovery process, follow these steps:

1. Attach a device to the console of the switch. Make sure you have connectivity, and then unplug the power cord from the switch.

2. Press and hold the mode button and plug the switch back in. Release the mode button after the LED above port 1x has been on for at least 2 seconds.

3. You will receive some information indicating that the Flash initialization has been interrupted. After you receive this information, at the prompt type the command flash_init.

4. Next type the command load_helper.

5. You need to get a listing of the Flash with the command dir flash: (the colon [:] is required).

6. Rename the file config.text with the command rename flash:config.text flash:config.old.

7. Continue the boot process with the command boot.

8. Answer n to the question about entering setup mode.

9. Press Enter to access the user mode and enter into privileged mode with the command enable.

10. Rename the configuration file back to config.text with the command rename flash:config.old flash:config.text.

11. Copy the configuration file into active memory with the command copy flash:config.text system:running-config.

12. Enter configuration mode with the command configure terminal.

13. Change the line and secret passwords as covered earlier in this section.

14. Save the configuration.

Feature Example

This example shows a typical password-recovery procedure 1 for IOS switches.

The system has been interrupted prior to initializing the Flash file system. The following commands initialize the Flash file system and finish loading the operating system software:

 flash_init
 load_helper
 boot

 flash_init
 load_helper
 dir flash:
 Directory of flash:
  2 -rwx 843947 Mar 01 1993 00:02:18 C2900XL-ms-12.2.8.bin
  4 drwx   3776 Mar 01 1993 01:23:24 html
 66 -rwx    130 Jan 01 1970 00:01:19 env_vars
 68 -rwx   1296 Mar 01 1993 06:55:51 config.text
 1728000 bytes total (456704 bytes free)
 rename flash:config.text flash:config.old
 boot
 Continue with the configuration dialog? [yes/no] : N
 Switch>enable
 Switch#rename flash:config.old flash:config.text
 Switch# copy flash:config.text system:running-config
 Switch#configure terminal
 Switch(config)#enable secret newpassword
 Switch(config)#line vty 0 4
 Switch(config-line)#password newpassword
 Switch(config-line)#line con 0
 Switch(config-line)#password newpassword
 Switch(config-line)#end
 Switch#copy running-config startup-config

Password Recovery on IOS Devices: Procedure 2

Password-recovery procedure 2 covers the 6000 series switch running IOS. If you have lost or forgotten your passwords, or if you want to bypass the configuration file, you can use this recovery process.

To recover from a lost IOS password, you must stop the boot process of the route processor and then direct the IOS switch to not use the configuration file. When the switch loads without a file, you have no passwords and can enter into privileged mode. From there you can copy the configuration file into active memory and then change and save the passwords. To complete the recovery process, follow these steps:

1. Attach a device to the console of the switch and power cycle the device.

2. Watch the console output. When you see the message "%OIR-6-CONSOLE: Changing console ownership to route processor," initiate the break sequence from your terminal emulator (typically Ctrl-Break).

3. You should see a rommon1> prompt. At this prompt, type confreg 0x2142 to tell the switch to ignore the current configuration.

4. Now type reset at the rommon2> prompt to reset the switch and restart the boot process.

5. Answer no to the question about entering setup.

6. Press Enter to gain access to the Router> prompt and enter the command enable to access privileged mode.

7. At the Router# prompt, copy the startup configuration into the running configuration with the command copy startup-config running-config.

8. Enter global configuration mode with the command configure terminal.

9. Change the line and secret passwords as covered earlier in this section.

10. Reset the configuration register with the command config-register 0x2102.

11. Exit configuration mode with the command end.

12. Save the configuration with the command copy running-config startup-config.

Feature Example

This example shows a typical password-recovery procedure 2 for IOS switches:

 %OIR-6-CONSOLE: Changing console ownership to route processor
 issue break
 rommon1>confreg 0x2142
 rommon2>reset
 <switch output omitted>
 Continue with the configuration dialog? [yes/no] : N
 Router>enable
 Router# copy startup-config running-config
 Router#configure terminal
 Router(config)#enable secret newpassword
 Router(config)#line vty 0 4
 Router(config-line)#password newpassword
 Router(config-line)#line con 0
 Router(config-line)#password newpassword
 Router(config-line)#config-register 0x2102
 Router(config)#end
 Router#copy running-config startup-config
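If Step 10 is skipped, the register stays at 0x2142 and the switch ignores its saved configuration, passwords included, at every boot. The check below is an added example, not part of the original text: it reads the configuration register line of show version output and reports whether the bypass bit (0x0040, the difference between 0x2142 and 0x2102) is still set. The host names, status strings and sample lines are constructed.

```python
import re

IGNORE_CONFIG = 0x0040   # bit 6: ignore the startup configuration at boot

# Constructed "show version" register lines for three hypothetical switches.
SAMPLE_OUTPUT = {
    "sw-a": "Configuration register is 0x2102",
    "sw-b": "Configuration register is 0x2142",
    "sw-c": "Configuration register is 0x2142 (will be 0x2102 at next reload)",
}

CONFREG_RE = re.compile(
    r"Configuration register is (0x[0-9A-Fa-f]+)"
    r"(?: \(will be (0x[0-9A-Fa-f]+) at next reload\))?"
)

def check_confreg(show_version_text):
    """Classify the configuration register found in show version output."""
    match = CONFREG_RE.search(show_version_text)
    if not match:
        return "unknown"
    current = int(match.group(1), 16)
    # Without a "will be" clause the current value also applies at next boot.
    pending = int(match.group(2), 16) if match.group(2) else current
    if pending & IGNORE_CONFIG:
        return "bypass-persistent"          # next boot skips the saved passwords
    if current & IGNORE_CONFIG:
        return "bypass-cleared-at-reload"   # Step 10 done, takes effect on reload
    return "normal"

if __name__ == "__main__":
    for host, text in SAMPLE_OUTPUT.items():
        print(host, check_confreg(text))
```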



Cisco Field Manual. Catalyst Switch Configuration
ISBN: 1587050439
EAN: N/A
Year: 2001
Pages: 150
