10-02-2013 08:59 AM
Here's my Cisco version
* Cisco IOS Software, Catalyst 4000 L3 Switch Software (cat4000-I9K91S-M), Version 12.2(25)EWA14, RELEASE SOFTWARE (fc1)
cisco WS-C4507R (MPC8245) processor (revision 10) with 262144K bytes of memory
Processor board ID FOX09160247
MPC8245 CPU at 266Mhz, Supervisor II+
Last reset from PowerUp
6 Virtual Ethernet interfaces
244 Gigabit Ethernet interfaces
511K bytes of non-volatile configuration memory.
Configuration register is 0x2
Brief description of the problem:
I added two users -
* username admin priv 15 password password1
* username admin2 secret secret1
* username admin2 priv 15
This made the total number of usernames 4, listed from the top in the order that could be seen from "sh run".
After this, I enabled secret by
#enable secret secret2 (password)
Now, when I try to telnet in (ssh never worked, not sure if supported on this version)
* I can't log in as admin or admin1 at all. I do not remember password for username cna. The only thing I can do that works is "webadmin" which takes me to the login prompt.
Now when I do "enable" (or "enable 15"), and try entering any/all passwords I remember, I get
% Access denied
Can someone please tell me how to get over this hump? I am trying to read "Password recovery" - I am just not sure what is the safest way to get back in "without having to reset the config". I can't wait for too long, we may need config changes very soon and without the Priv Exec mode, I am SOL.
Thank you for your efforts.
10-02-2013 10:05 AM
Is AAA configured to use the local users?
Is there a password configured on the line vty?
10-02-2013 10:11 AM
I don't think AAA is configured, frankly don't remember about the pwd on line vty.
I do know that when it was working fine -- only telnet worked, and when we used to log in, we were not asked username.
Only password to log in, and then enable password after that.
Then I added the username, and it all went downhill...
10-02-2013 10:16 AM
When you connect via telnet, does it prompt you for a username? (BTW, you have K9 version of code so SSH is possible)
Do you have physical access to the switch to connect via console?
10-02-2013 10:20 AM
With SSH I get "connection refused".
With serial console - I get the User mode "switch>"
With telnet I need to enter username to get to the User mode.
However, after that, it's the same - no matter what I try as my "enable" password - it keeps giving me
% Access Denied
10-02-2013 10:32 AM
Did you maybe typo the secret when you entered it?
Unfortunately, it sounds like you may need to do a password reset.
Or, if you didn't save the config after making the username changes, just reload the switch. The config will revert to the last saved copy.
Of course, either of these is a big impact on production.
There are a few easy steps that need to be taken to enable SSH. You can do a quick search after you regain control of the switch.
10-02-2013 10:44 AM
No, I just entered a username priv 15 password, and even then I could not log in as the username I entered. I could only enter as webadmin.
So I created another username with a secret password, set username priv 15, and set enable secret.
Then I tried again, but this time I couldn't log in as webadmin either! Well, I can in the User mode, but not in enable mode.
So I have a feeling it's the enable secret that must have screwed it up. The thing is saved, in fact I did "wr mem" a few times!!!
I have input telnet, I guess I can change it to ssh. I have always been worried if I do it, would it screw it up...
I think password recovery is the only thing, which means reboot
I have read about it, but never actually done it, so I just hope it won't blow off my config, else I am in deep trouble, with my 48 port x 7 modules...
10-02-2013 10:50 AM
I've done many password recoveries. As long as you follow the process for your switch type precisely it should be fine. Make sure to read each step closely and take your time.
You can initially make the input type 'any' so that telnet or SSH will work. You also need to make sure a domain name is configured, generate a crypto key and configure AAA. Usernames are needed for SSH.
10-02-2013 11:53 AM
Since you are more experienced in this matter -
Any one that sounds better?
10-02-2013 12:06 PM
It looks like you have a sup II+ so the second link would be the one to use.
Note the tip at the beginning:
Configuration of the switch is not lost if the procedure is followed as mentioned. As a best practice, Cisco recommends that you have a backup copy of the configuration of all Cisco devices at the TFTP server or a Network Management server.
Do you have Smartnet on this device? It's probably a good idea to call TAC and verify that you've done everything possible to recover the passwords. They can also guide you through a recover process if you want.
10-02-2013 12:13 PM
No I don't.
I am not sure about backup of the config. At this stage, without being able to get into the enable mode, is it possible for me to back this up?
10-02-2013 01:22 PM
I doubt it's possible if you don't have any credentials. You need enable to run the copy commands and external tools will need a logon.
10-02-2013 03:59 PM
OK so I am now able to get in, thanks to the CNA software!!!
I made a few changes, took away the usernames, and entered
username admin priv 15 secret xxxxx
I am able to get in - however I have a few bugs.
I still somehow get in on the User mode, and have to enter the enable password. I did enable secret - even then it keeps asking me about the enable password - so basically I am entering the password twice.
I also changed the line vty 0 4
line vty 0 4
transport input all
I did notice I have the following:
aaa session-id common
I also noticed that even though I changed the line vty - it still shows me (sh run) --
line vty 0 4
password 7 01170708521F15
I did manage to get the SSH turned on, however, it bugs me that I have to enter the password twice...
10-02-2013 04:13 PM
Are there any other AAA entries?
What is the configuration on the local console line?
If SSH is working, you can change the transport input to ssh instead of all. This will disable telnet access.
If you set up AAA correctly, you won't have to enter passwords more than once. You can do a search on AAA with a local database and it will provide the steps. Again, you need to be careful when doing this because it leads to a lot of lockouts.
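The following is an added example configuration, not the original poster's config and not taken from Cisco documentation. It pulls together the SSH prerequisites from the 10:50 AM reply (domain name, RSA key, usernames, transport input) and the AAA-with-local-database setup suggested in the reply above, so that a privilege-15 user is asked for a password exactly once. The hostname, domain name, account names and secrets are placeholders to replace; the RSA modulus size and `ip ssh version 2` depend on what the image supports.

```cisco
! Added example (hypothetical names). Keep a console session open while
! applying this, and test from a second SSH session BEFORE "write memory"
! so a mistake in the AAA lines cannot lock you out.
!
! Hostname and domain name must exist before the RSA key can be generated.
hostname cat4507
ip domain-name example.com
!
! Local accounts. Use "secret" (hashed) rather than "password" (type 7,
! which is trivially reversible). privilege 15 marks the admin account.
username admin privilege 15 secret REPLACE-ADMIN-SECRET
username viewer privilege 1 secret REPLACE-VIEWER-SECRET
enable secret REPLACE-ENABLE-SECRET
!
! AAA against the local user database.
!  - authentication login: who you are (username + secret)
!  - authorization exec:   which privilege level your EXEC session starts at
! The exec authorization line is what lands a privilege-15 user directly
! in privileged EXEC, so the enable secret is not asked for a second time.
aaa new-model
aaa authentication login default local
aaa authorization exec default local
!
! Console uses the same local login.
line con 0
 login authentication default
!
! RSA key for SSH (interactive command, run from configure terminal;
! it is not shown in the running-config). Modulus 2048 if the image allows.
crypto key generate rsa modulus 2048
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
!
! VTY lines: authenticate via the default AAA list, allow SSH only.
! "no password" drops the old "password 7 ..." line that no longer
! participates in authentication once AAA is in use.
line vty 0 4
 no password
 login authentication default
 transport input ssh
```

Usage note: apply `transport input ssh` last, only after an SSH login from another host has succeeded; until then `transport input all` (as in the poster's interim config) keeps telnet as a fallback. The `aaa authorization exec default local` line is the part most often left out, which is why people with a correct `username ... privilege 15 secret ...` still land in user EXEC and get asked for the enable secret.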
10-03-2013 09:25 AM
Thank you for your help. I did a "no aaa new-model" and then went to the vty to do a login local. THEN it allowed me to change the input to SSH.
I am finally good. As a bit of cleaning up and best practices, I have given a different username to another person who may want to log in to just see what/where everything is without configuring it.
Do you know how to have this person change his own password even if he is NOT priv 15?
username user2 privilege 2 password 7 03075218050061
privilege interface level 2 ip address
privilege interface level 2 sh run
privilege interface level 2 desc
privilege interface level 2 switchport
privilege configure level 2 interface
privilege configure level 2 username
privilege configure level 2 password
privilege exec level 2 show running-config
privilege exec level 2 sh run
privilege exec level 2 show interfaces
privilege exec level 2 username
privilege exec level 2 configure terminal
However he is unable to change his password. Any way to achieve this?