Cisco 9300 password recovery

Ahoysoy
Level 1

I am trying to disable password recovery on a Cisco 9300 switch, using the popular ROMMON method.

I use the command (config)#no service password-recovery

The following message then pops up:

"Password recovery disable mode is not supported by the current ROMMON.
Please upgrade the ROMMON if you want to use this feature".

Has anyone had any experience of this, or knows how to disable password recovery?


9 Replies

Leo Laohoo
Hall of Fame

@Ahoysoy wrote:

I am trying to disable password recovery on a cisco 9300 switch

Why would you want to do that?

What happens if you disable password recovery and then a disgruntled staff locks everyone out?  

We routinely use it for fully managed CPE because if somebody (unauthorised) on the customer premises tries to access the device we'd rather have the config wiped than let them get access to confidential information in the device configs (that can include VPN keys, SNMP communities, management IPs etc etc) 

It's a required security feature.

marce1000
VIP

 - What about the message's suggestion, and/or are there more recent ROMMON versions available for your platform?

 M.



-- Each morning when I wake up and look into the mirror I always say 'Why am I so brilliant?'
   When the mirror will then always respond to me with 'The only thing that exceeds your brilliance is your beauty!'

balaji.bandi
Hall of Fame

What is the version of code you are running, why would you like to disable it, and do you understand the implications?

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Ahoysoy
Level 1

We use RADIUS, so we don't need password recovery.

Using Cisco IOS-XE 16.12.03a.

Not sure how to check the ROMMON version or how to update it.

I think the phrase on ROMMON upgrade is misleading!
You may think it says a newer version will support the option, but it really says the current version does NOT support the command.

The Security Configuration Guide uses the command: system disable password recovery switch all
This link Cisco – IOS XE Password Recovery on Catalyst 3850 mentions two boot variables (may work on 9300?):
Switch: SWITCH_DISABLE_PASSWORD_RECOVERY=1
Switch: SWITCH_IGNORE_STARTUP_CFG=0

Thanks for this, I shall give this a try and report back!

balaji.bandi
Hall of Fame

If you are using RADIUS, fine, but what happens if RADIUS fails or the device is moved to a different network (where there is no RADIUS available)?

You can restrict users and still meet the security boundaries that are widely acceptable.

Post show version.

Here are the release notes and limitations:

 

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9400/software/release/16-12/release_notes/ol-16-12-9400.html

BB


Rich R
VIP

It's an old thread but this is now covered in https://www.cisco.com/c/en/us/support/docs/switches/catalyst-9300-series-switches/216850-configuration-register-equivalent-clis-i.html which recommends "system disable password recovery"
That works for a single switch and stackwise virtual.
On a traditional stack the command is "system disable password recovery switch all"

Note that unlike "service password recovery" this setting does not appear in the config. The documentation says "This setting is saved in an area of the flash memory that is accessible by the boot loader and the Cisco IOS image, but is not a part of the file system and is not accessible by any user." but there doesn't seem to be any way to verify whether it's set or not (as far as I can tell anyway).
