
Password Recovery on Cisco Catalyst 3850


Power cycle the switch. Immediately press and hold the Mode button. Hold the button for approximately 12 seconds; the Status LED will go amber. On the console you should now be in Boot Loader.

Switch:

Add the following variables.

Switch: SWITCH_IGNORE_STARTUP_CFG=1

Switch: SWITCH_DISABLE_PASSWORD_RECOVERY=0

Then boot the switch.

Switch: boot

Once the switch has booted you can copy the saved config back into the running config.

Switch# copy start runn

Next set your password(s). Finally we want to remove the variables we set while in Boot Loader.

Switch# no system ignore startupconfig switch all

Switch# system disable password recovery switch all

Save your new config.

Switch# copy runn start

Since we are on the topic of passwords, I believe you should configure AAA even if you're using local credentials. Here's an example of how easy it is to set up.

Switch(config)# aaa new-model

Switch(config)# aaa authentication login default local

Switch(config)# username mmessier privilege 15 secret StAnLeYcUp

Switch(config)# line vty 0 4

Switch(config-line)# login authentication default

It's that easy! You can now remove the passwords from under the VTY. Those passwords are easily reversible and should not be used. Instead use AAA and the secret keyword in configuring the username. It encrypts the password and is not reversible (yet). For even more security use the service-password encrypt aes command.
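A way to check a saved configuration for the points made above (passwords left under the lines, `password` used where `secret` should be, AAA not enabled), as an added example that is not part of the original post. The config text is constructed, and the `audit` function and its severity labels are assumptions made for illustration.

```python
import re

# Constructed sample config (not from a real device); the type 7 and
# secret values are placeholders, not real encodings.
SAMPLE_CONFIG = """\
enable password 7 0000CONSTRUCTED
aaa new-model
aaa authentication login default local
username mmessier privilege 15 secret 5 $1$constructed$hashvalue
username backup privilege 15 password 7 0000CONSTRUCTED
system disable password recovery switch all
line vty 0 4
 password 7 0000CONSTRUCTED
 login
line vty 5 15
 login authentication default
"""

def audit(config_text):
    """Return (severity, message) findings for an IOS-style config dump."""
    findings = []
    lines = config_text.splitlines()
    # Global AAA statements from the post must be present.
    for required in ("aaa new-model", "aaa authentication login default"):
        if not any(l.strip().startswith(required) for l in lines):
            findings.append(("high", f"missing: {required}"))
    section = None  # name of the current 'line ...' block, else None
    for raw in lines:
        indented, text = raw.startswith(" "), raw.strip()
        if not text or text.startswith("!"):
            continue
        if not indented:
            section = text if text.startswith("line ") else None
        if section and indented:
            # Passwords stored under a line are the ones the post says to remove.
            if text.startswith("password"):
                findings.append(("high", f"{section}: line password configured"))
        elif re.match(r"username \S+ .*\bpassword\b", text):
            user = text.split()[1]
            findings.append(("high", f"{user}: username uses password, not secret"))
        elif text.startswith("enable password"):
            findings.append(("high", "enable password used instead of enable secret"))
        # Assumption: the command appears in the dump as it is typed on this page.
        elif text == "system disable password recovery switch all":
            findings.append(("warn", "password recovery is disabled"))
    return findings
```

Run it over the output of `show running-config` saved to a file; the `warn` finding corresponds to the command whose effect on later recovery is discussed in the comments.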

Comments
Shashank Singh
Cisco Employee

The following step is outdated and does not work on later releases. I tried on a 3850 running 3.3.4 and saw this:

switch: SWITCH_DISABLE_PASSWORD_RECOVERY=0
Can't set variable "SWITCH_DISABLE_PASSWORD_RECOVERY" -- is readonly.

Shashank Singh
Cisco Employee

Please be aware of this bug that causes the entire startup config to get wiped out when a user attempts pwd recovery.

 

start-up config is initialized after executing password recovery CSCum26261

 
Conditions:
cat3850, 3650
15.0(1)EZ and 15.0(1)EZ1

Workaround:
There is no workaround

Further Problem Description:
When we do password recovery, a new certificate is created by http component. After the certificate creation, the startup-config is overwritten with default running-config, so the startup-config is lost.

 

Fixed in 3.6.1 and 3.7.0

drefk2000
Beginner

So how do I recover password now?

mbecton
Beginner

idk what version of IOS the password recovery commands were used on but it doesn't work for v3.2 and above.  This doc needs to be removed.

edu290386
Beginner

I've had the same problem, but I solved it by doing this:

 

Switch: SWITCH_IGNORE_STARTUP_CFG=1

Switch: SWITCH_DISABLE_PASSWORD_RECOVERY=0 ---- Message Read Only

Switch: BOOT=flash:packages.conf

Switch: boot

 

Once the switch has booted you can copy the saved config back into the running config.

 

Switch# copy start runn

 

Next set your password(s). Finally we want to remove the variables we set while in Boot Loader.

 

Switch# no system ignore startupconfig switch all

Switch# system disable password recovery switch all

 

Save your new config.

 

Switch# copy runn start

rsevastianov
Beginner

Hello world (privet partizany)

 

I had this issue today. Glad I was able to find these instructions. The beauty is that I recovered the password and did not lose the config. It was exactly what I wanted == password recovery. Re-typed the username / password statement, then followed the steps. At the end I rebooted the 3850 just to have peace of mind. No issues. I am VERY happy.

However, I need to note that the instructions above are not 100% accurate. I figured it out ;)
You need to be in config mode, not in enabled mode, for the following commands:

 

Switch(config)# no system ignore startupconfig switch all

Switch(config)# system disable password recovery switch all

 

Thank you and good luck // vsem poka

Roman

Martin L
VIP Advocate

This password recovery seems to be dependent on your IOS version; there is no consistency on the c3850 models.

iroperto1
Beginner

The step from edu290386 actually works. I was able to get into the switch successfully, but to to 100%

 

Switch(config)# no system ignore startupconfig switch all

Switch(config)# system disable password recovery switch all 

 

Need to be in config mode. 

 

Great post. 

mohsiala
Cisco Employee

WARNING: please don't use:
Switch(config)# system disable password recovery switch all
You are basically disabling password recovery in the future, hence you won't be able to do it after doing it for the first time. Eventually, if you don't have configs as backup, you will lose everything.