09-04-2020 03:52 AM - edited 09-04-2020 03:52 AM
I am trying to disable password recovery on a cisco 9300 switch, using the popular rommon method.
I use the command (config)#no service password-recovery
The following message then pops up:
"Password recovery disable mode is not supported by the current ROMMON.
Please upgrade the ROMMON if you want to use this feature".
Has anyone had any experience of this, or knows how to disable password recovery?
09-04-2020 06:52 AM - edited 09-04-2020 06:53 AM
I think the phrase about the ROMMON upgrade is misleading!
You may think it says a newer version will support the option, but it really says the current version does NOT support the command.
The Security Configuration Guide uses the command: system disable password recovery switch all
This link, Cisco – IOS XE Password Recovery on Catalyst 3850, mentions two boot variables (may work on 9300?):
Switch: SWITCH_DISABLE_PASSWORD_RECOVERY=1
Switch: SWITCH_IGNORE_STARTUP_CFG=0
09-04-2020 04:00 AM
@Ahoysoy wrote:
I am trying to disable password recovery on a cisco 9300 switch
Why would you want to do that?
What happens if you disable password recovery and then a disgruntled staff locks everyone out?
05-03-2023 04:24 AM
We routinely use it for fully managed CPE because if somebody (unauthorised) on the customer premises tries to access the device, we'd rather have the config wiped than let them get access to confidential information in the device configs (that can include VPN keys, SNMP communities, management IPs, etc.).
It's a required security feature.
09-04-2020 04:01 AM
What about the suggestion in the message? Are there more recent ROMMON versions available for your platform?
M.
09-04-2020 04:03 AM
What version of code are you running? Why would you like to disable it, and do you understand the implications?
09-04-2020 04:18 AM
We use RADIUS, so we don't need password recovery.
Using Cisco IOS-XE 16.12.03a.
Not sure how to check the ROMMON version or how to update it.
09-09-2020 03:42 AM
Thanks for this, I shall give this a try and report back!
09-04-2020 04:43 AM
If you are using RADIUS, fine, but what happens if RADIUS fails or the device is moved to a different network (where there is no RADIUS available)?
You can still restrict users while staying within widely accepted security boundaries.
Post "show version".
Here are the release notes and limitations:
05-03-2023 06:07 AM - edited 05-03-2023 06:15 AM
It's an old thread but this is now covered in https://www.cisco.com/c/en/us/support/docs/switches/catalyst-9300-series-switches/216850-configuration-register-equivalent-clis-i.html which recommends "system disable password recovery"
That works for a single switch and StackWise Virtual.
On a traditional stack the command is "system disable password recovery switch all"
Note that unlike "service password recovery" this setting does not appear in the config. The documentation says "This setting is saved in an area of the flash memory that is accessible by the boot loader and the Cisco IOS image, but is not a part of the file system and is not accessible by any user." but there doesn't seem to be any way to verify whether it's set or not (as far as I can tell anyway).