
Locked out of 3850 password recovery

I was setting up a new 3850 and entered the following line

 

username security privilege 15 password XXXXXXX 

 

omitting the 0 between password and the actual password.

 

I am now unable to access the switch. Upon boot I am asked for username which I supply and then immediately get kicked out.  Other relevant commands

 

aaa new-model
aaa session-id common
aaa authentication login default local enable
aaa authorization exec default local

 

line con 0
exec-timeout 15 0
transport output all
stopbits 1
line aux 0
stopbits 1
line vty 0 4
exec-timeout 15 0
privilege level 15
logging synchronous
transport input ssh
transport output all
line vty 5 15
exec-timeout 15 0
privilege level 15
logging synchronous
transport input ssh
transport output all

 

 

I cannot rename the packages.conf file from ROMMON as it is read only. I cannot format the flash either. I attempted booting from TFTP server via emergency-install but am still presented with a username prompt.

 

I have tried this as well

 

https://community.cisco.com/t5/networking-documents/password-recovery-on-cisco-catalyst-3850/ta-p/3154378

 

Any suggestions on how to wipe either the password or the device back to factory? It is not in production and I have the setup script so starting from scratch is not an issue.

 

 

1 Accepted Solution

Here are the steps I used to return the switch to factory defaults.

 


7 Replies 7

Jaderson Pessoa
VIP Alumni
Guy, try entering ROMMON: during the boot process, press the small button close to the LEDs on the front of the switch, and you will have access to ROMMON.
Try some commands like:
flash enable
ren flash:config.txt flash:configold.txt
reload
Jaderson Pessoa
*** Rate All Helpful Responses ***

I have tried this via ROMMON and continue to get access denied or read-only depending on the file or file system I am working with. You can only access emergency-recovery from ROMMON mode.

 

Thank you though

luis_cordova
VIP Alumni

Hi @idratherbesurfin,

 

Having entered this command should not have blocked access:

 

username security privilege 15 password XXXXXXX 

 

Omitting 0 only indicates that the key that follows will be in plain text:

 

SWITCH1(config)#username security privilege 15 password ?

  0     Specifies an UNENCRYPTED password will follow

  7     Specifies a HIDDEN password will follow

  LINE  The UNENCRYPTED (cleartext) user password

 

 

You should be able to access with the user security and the password that you entered.

If this is not the case, there should be another reason for the blockade (if I'm not wrong).

 

Regards
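
Added example, not part of any post in this thread: a pre-deployment check for a setup script that reads `username ... password` lines the way the CLI help quoted above describes them (0, 7, or LINE) and confirms the account you plan to log in with is actually defined. The function names, the `expected_user` parameter and the type 7 format check are assumptions of this sketch.

```python
import re

# Constructed sample input: the setup-script lines quoted in the thread,
# with a placeholder where the real password was.
SAMPLE_SCRIPT = """\
aaa new-model
aaa authentication login default local enable
aaa authorization exec default local
username security privilege 15 password PLACEHOLDER
"""

USER_RE = re.compile(r"^username\s+(\S+)(?:\s+privilege\s+(\d+))?\s+password\s+(.+)$")
LOCAL_LOGIN_RE = re.compile(r"^aaa authentication login \S+ .*\blocal\b")

def parse_username(line):
    """Return (name, privilege, encoding, value), or None for other lines."""
    m = USER_RE.match(line.strip())
    if not m:
        return None
    name, priv, rest = m.group(1), m.group(2), m.group(3)
    tokens = rest.split(None, 1)
    # CLI help in the thread: 0 = UNENCRYPTED follows, 7 = HIDDEN follows,
    # anything else is LINE, i.e. the cleartext password itself.
    if len(tokens) == 2 and tokens[0] in ("0", "7"):
        encoding = "unencrypted" if tokens[0] == "0" else "hidden"
        value = tokens[1]
    else:
        encoding, value = "unencrypted", rest
    return name, int(priv) if priv else None, encoding, value

def check_script(text, expected_user=None):
    """List findings worth fixing before the script is pasted into a switch."""
    lines = [l.strip() for l in text.splitlines()]
    users = [u for u in map(parse_username, lines) if u]
    findings = []
    if any(LOCAL_LOGIN_RE.match(l) for l in lines) and not users:
        findings.append("login method list uses 'local' but no username line parsed")
    if expected_user and expected_user not in [u[0] for u in users]:
        findings.append(f"expected account '{expected_user}' is not defined")
    for name, _priv, encoding, value in users:
        # Assumption from general IOS behaviour, not from the thread: a type 7
        # string is two decimal digits followed by hex pairs.
        if encoding == "hidden" and not re.fullmatch(r"\d{2}(?:[0-9A-Fa-f]{2})+", value):
            findings.append(f"{name}: marker 7 but value does not look like a type 7 string")
    return findings

if __name__ == "__main__":
    print(check_script(SAMPLE_SCRIPT, expected_user="security"))
```
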

I must have typed the username incorrectly. I have been searching for a way to reset the username from ROMMON but everything leads to a password recovery. 

I must have typed the username incorrectly. I am setting up another 3850 with the same script and have not had any issues. So how do I go about clearing out the username or resetting the switch to factory defaults?

Thank you!

I attempted to SSH to the machine and the credentials were still rejected. Unless the username is wrong I am stumped. I cannot see the config to verify this. Additional configuration info

 

line con 0
exec-timeout 15 0
transport output all
stopbits 1
line aux 0
stopbits 1
line vty 0 4
exec-timeout 15 0
privilege level 15
logging synchronous
transport input ssh
transport output all
line vty 5 15
exec-timeout 15 0
privilege level 15
logging synchronous
transport input ssh
transport output all

 

aaa new-model
aaa session-id common
aaa authentication login default local enable
aaa authorization exec default local

Here are the steps I used to return the switch to factory defaults.