IOS Switch Password Reset

Cisco - Enterprise


tl;dr

  1. Interrupt the boot sequence by powering the switch on with the Mode button held down.
  2. Rename config.text so the switch can't find it on boot.
  3. Boot the switch.
  4. Copy the renamed file into the running config.
  5. Reset the secrets/passwords as needed.
  6. Save the config.
  7. Delete the renamed file.
  8. Test you still have access.

What's this for?

IOS Switch Password Reset is for when a colleague who is now happily retired set a password on a device but forgot to put it in the password management software. It's also useful for those new to the land of networking who have picked up a second-hand switch from a popular online auction site only to find it has a password set on it.

Demo Environment

The outputs below come from the following setup...

  • Hardware: Cisco WS-C2960G-8TC-L
  • OS: IOS
  • Version: 12.2(53)SE2
  • Bootstrap: 12.2(35r)SE2
  • Date: 09-08-2019

IOS Switch Password Reset

So what we're going to do in this rambling is run through the steps needed to get back into your Cisco switch.

Warning: if you do not own the switch you're about to attempt this on, you will probably be breaking some sort of company policy or the law of the land you live in. If in doubt, seek legal advice and/or permission from the person who owns the switch. Please also read the disclaimer on the About page of this website.

The first step is to get physically consoled into the switch. In this rambling I will use PuTTY, however any terminal emulator will do. Note: you cannot use SSH or Telnet for this procedure; the boot loader prompt we need is only reachable over the console port, and the switch has no IP configuration at that stage anyway.

Once you're connected up you might as well have one last stab at that password. The failed attempts will look something like this...

Note: there is a bit of good practice here; failed login attempts are being logged (login on-failure log), and the [Source: 0.0.0.0] [localport: 0] in the messages tells you the attempts came over the console rather than a network session. There is also a bit of bad practice here; log messages are being sent to the console port.
User Access Verification 
  
Username: AdmPri 
Password:  
  
% Authentication failed 
  
Username: Adm 
*Mar  1 00:05:17.408: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: AdmPri] [Source: 0.0.0.0] [localport: 0] [Reason: Login Authentication Failed] at 00:05:17 BST Mon Mar 1 1993 
Username: AdmPri 
Password:  
  
% Authentication failed 
  
Username:  
*Mar  1 00:05:27.264: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: AdmPri] [Source: 0.0.0.0] [localport: 0] [Reason: Login Authentication Failed] at 00:05:27 BST Mon Mar 1 1993 
Username:

Once you get to the point where the swearing is starting to disturb your colleagues and/or the switch is about to break some kind of record for the longest flight without wings, it's time to get the switch rebooted. Whilst holding down the Mode button on the front, pull out the power cable and plug it back in. Exactly how long you need to hold the button down seems to depend on the switch; normally the status light will flash orange when you have held it down long enough, sometimes it will just stay orange.

Note: if the switch is a stack member, it's really important at this point that all other stack members are powered down, and that you only console into and boot up the member with the highest priority. If you don't, you will do all this work on one member, it will rejoin the stack, and the stack will push its config straight back!

Using driver version 1 for media type 1 
Base ethernet MAC Address: 3c:ce:73:69:80:00 
Xmodem file system is available. 
The password-recovery mechanism is enabled. 
  
The system has been interrupted prior to initializing the 
flash filesystem.  The following commands will initialize 
the flash filesystem, and finish loading the operating  
system software: 
  
    flash_init 
    boot 


switch:  

If all has gone to plan we should be confronted with a "switch: " prompt on the console. When you're sat at this prompt, consider it to be the switch's version of a BIOS. The line "The password-recovery mechanism is enabled." in the output above is worth checking before going any further: if someone has configured no service password-recovery on the switch, the boot loader will not let you keep the configuration, and the only option it offers from this point is to wipe the config back to defaults. From here we want to check the file system and look for a file called "config.text". Before we can do this we need to initialise the flash.

switch: flash_init 
Initializing Flash... 
mifs[2]: 0 files, 1 directories 
mifs[2]: Total bytes     :    3870720 
mifs[2]: Bytes used      :       1024 
mifs[2]: Bytes available :    3869696 
mifs[2]: mifs fsck took 0 seconds. 
mifs[3]: 539 files, 19 directories 
mifs[3]: Total bytes     :   27998208 
mifs[3]: Bytes used      :   12654080 
mifs[3]: Bytes available :   15344128 
mifs[3]: mifs fsck took 7 seconds. 
...done Initializing Flash. 
switch: 

Now we have the flash initialised we can hunt around for that "config.text" file.

Note: 'config.text' is the real name of the file behind 'startup-config', the one you write the 'running-config' to when you save. The 'vlan.dat' next to it is the VLAN database.


switch: dir flash:/ 
Directory of flash:// 
  
    2  -rwx  3096                     multiple-fs 
    3  drwx  512                      c2960-lanbasek9-mz.122-53.SE2 
  556  -rwx  924                      vlan.dat 
  557  -rwx  5495                     private-config.text 
  558  -rwx  4197                     config.text 
  
15344128 bytes available (12654080 bytes used) 
  
switch:   

Once we have confirmed the file is there we can rename it so the switch does not load this configuration on boot.

Note: if you don't care about what's on the switch you can just delete the file (delete flash:/config.text) instead of renaming it. If you're going down this route it would also be a good idea to delete the VLAN database (delete flash:/vlan.dat). After that just tell the switch to boot up as in the next step and you're done.

switch: rename flash:/config.text flash:/config.old 

switch:  

We can now tell the switch to boot back up.

switch: boot 
Loading "flash:/c2960-lanbasek9-mz.122-53.SE2/c2960-lanbasek9-mz.122-53.SE2.bin"...@@@@@@@@@@ [progress output trimmed] @@@@@@@@@@ 
File "flash:/c2960-lanbasek9-mz.122-53.SE2/c2960-lanbasek9-mz.122-53.SE2.bin" uncompressed and installed, entry point: 0x3000 
executing... 
  
              Restricted Rights Legend 
  
Use, duplication, or disclosure by the Government is 
subject to restrictions as set forth in subparagraph 
(c) of the Commercial Computer Software - Restricted 
Rights clause at FAR sec. 52.227-19 and subparagraph 
(c) (1) (ii) of the Rights in Technical Data and Computer 
Software clause at DFARS sec. 252.227-7013. 
  
           cisco Systems, Inc. 
           170 West Tasman Drive 
           San Jose, California 95134-1706  
  
  
Cisco IOS Software, C2960 Software (C2960-LANBASEK9-M), Version 12.2(53)SE2, RELEASE SOFTWARE (fc3) 
Technical Support: http://www.cisco.com/techsupport 
Copyright (c) 1986-2010 by Cisco Systems, Inc. 
Compiled Wed 21-Apr-10 05:52 by prod_rel_team 
Image text-base: 0x00003000, data-base: 0x01500000 
  
Initializing flashfs... 
Using driver version 1 for media type 1 
mifs[3]: 0 files, 1 directories 
mifs[3]: Total bytes     : 3870720    
mifs[3]: Bytes used      : 1024       
mifs[3]: Bytes available : 3869696    
mifs[3]: mifs fsck took 0 seconds. 
mifs[3]: Initialization complete. 
  
mifs[4]: 539 files, 19 directories 
mifs[4]: Total bytes     : 27998208   
mifs[4]: Bytes used      : 12654080   
mifs[4]: Bytes available : 15344128   
mifs[4]: mifs fsck took 1 seconds. 
mifs[4]: Initialization complete. 
  
...done Initializing flashfs. 
Checking for Bootloader upgrade.. not needed 
  
POST: CPU MIC register Tests : Begin 
POST: CPU MIC register Tests : End, Status Passed 
  
POST: PortASIC Memory Tests : Begin 
POST: PortASIC Memory Tests : End, Status Passed 
  
POST: CPU MIC interface Loopback Tests : Begin 
POST: CPU MIC interface Loopback Tests : End, Status Passed 
  
POST: PortASIC RingLoopback Tests : Begin 
POST: PortASIC RingLoopback Tests : End, Status Passed 
  
POST: PortASIC Port Loopback Tests : Begin 
POST: PortASIC Port Loopback Tests : End, Status Passed 
  
Waiting for Port download...Complete 
  
  
This product contains cryptographic features and is subject to United 
States and local country laws governing import, export, transfer and 
use. Delivery of Cisco cryptographic products does not imply 
third-party authority to import, export, distribute or use encryption. 
Importers, exporters, distributors and users are responsible for 
compliance with U.S. and local country laws. By using this product you 
agree to comply with applicable laws and regulations. If you are unable 
to comply with U.S. and local laws, return this product immediately. 
  
A summary of U.S. laws governing Cisco cryptographic products may be found at: 
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html 
  
If you require further assistance please contact us by sending email to 
export@cisco.com. 
  
cisco WS-C2960G-8TC-L (PowerPC405) processor (revision D0) with 65536K bytes of memory. 
Processor board ID ###########
Last reset from power-on 
1 Virtual Ethernet interface 
8 Gigabit Ethernet interfaces 
The password-recovery mechanism is enabled. 
  
64K bytes of flash-simulated non-volatile configuration memory. 
Base ethernet MAC Address       : 3C:CE:73:##:80:00 
Motherboard assembly number     : 73-10613-08 
Power supply part number        : 341-0208-02 
Motherboard serial number       : ########### 
Power supply serial number      : ###########
Model revision number           : D0 
Motherboard revision number     : B0 
Model number                    : WS-C2960G-8TC-L 
System serial number            : ########### 
Top Assembly Part Number        : 800-28133-02 
Top Assembly Revision Number    : F0 
Version ID                      : V02 
CLEI Code Number                : COM7S00ARB 
Hardware Board Revision Number  : 0x01 
  
  
Switch Ports Model              SW Version            SW Image                  
------ ----- -----              ----------            ----------                
*    1 8     WS-C2960G-8TC-L    12.2(53)SE2           C2960-LANBASEK9-M         
  
 
Press RETURN to get started! 
  
  
*Mar  1 00:00:35.030: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to down 
*Mar  1 00:00:36.188: %SPANTREE-5-EXTENDED_SYSID: Extended SysId enabled for type vlan 
*Mar  1 00:00:57.034: %SYS-5-RESTART: System restarted -- 
Cisco IOS Software, C2960 Software (C2960-LANBASEK9-M), Version 12.2(53)SE2, RELEASE SOFTWARE (fc3) 
Technical Support: http://www.cisco.com/techsupport 
Copyright (c) 1986-2010 by Cisco Systems, Inc. 
Compiled Wed 21-Apr-10 05:52 by prod_rel_team 
  

Once the switch has booted you will get output like this. We will answer "no" because we're real network engineers.

          --- System Configuration Dialog --- 
  
Enable secret warning 
---------------------------------- 
In order to access the device manager, an enable secret is required 
If you enter the initial configuration dialog, you will be prompted for the enable secret 
If you choose not to enter the intial configuration dialog, or if you exit setup without setting the enable secret, 
please set an enable secret using the following CLI in configuration mode- 
enable secret 0 <cleartext password> 
---------------------------------- 
Would you like to enter the initial configuration dialog? [yes/no]: no
Switch> 
Switch> 

After this it's the moment of truth! If we now try to move into privileged exec mode we should go straight in with no password prompt. If not, scroll up and start again!

Switch>en
Switch#

At this point we can copy the renamed configuration file into the running configuration. This is a merge onto the empty default config rather than a replacement, which is exactly what we want here. After the copy has completed your switch should be pretty much back to how it was before, hostname included, which is why the prompt changes below.

Warning: Do not get this the wrong way around otherwise bye bye configuration, hello bad day.
Note how it starts logging sessions out to 10.2.11.71 and 10.2.11.72 as the config is applied; this is another bit of good practice, as we should really record log messages centrally.

Switch#copy flash:/config.old running-config 
Destination filename [running-config]?  
  
4197 bytes copied in 0.772 secs (5437 bytes/sec) 
nafra-asw01# 
*Mar  1 00:04:58.156: %SYS-6-CLOCKUPDATE: System clock has been updated from 00:04:58 UTC Mon Mar 1 1993 to 00:04:58 BST Mon Mar 1 1993, configured from console by console. 
*Mar  1 00:04:58.164: %SYS-6-CLOCKUPDATE: System clock has been updated from 00:04:58 BST Mon Mar 1 1993 to 00:04:58 BST Mon Mar 1 1993, configured from console by console. 
*Mar  1 00:04:59.162: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 10.2.11.71 Port 514 started - CLI initiated 
nafra-asw01# 
*Mar  1 00:04:59.599: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan100, changed state to down 
*Mar  1 00:05:00.588: %LINK-5-CHANGED: Interface Vlan1, changed state to administratively down 
nafra-asw01# 
*Mar  1 00:05:02.182: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 10.2.11.72 Port 514 started - CLI initiated 
nafra-asw01# 

If at this point you get distracted and let the CLI session time out (the restored config brings its exec-timeout on the console line with it), you will be back to square one and need to run through the procedure again. So let's quickly get the secrets updated on the switch. First, use the command below to find any secrets configured on the box.

Note: if you use passwords on your equipment instead of secrets, first consider moving to secrets, and second change the command below to "show run | include password". If you have both an enable password and an enable secret, don't worry too much about the password as the secret overrides it.

nafra-asw01#show run | i secret 
enable secret 5 $1$n7os$1k5tq7VSYgQZV3KMofWmg1 
username AdmPri privilege 15 secret 5 $1$k0q0$mLkYtu9.OVxp.UvLlHdSI0 
username AdmSec privilege 15 secret 5 $1$1sfJ$sD081/GXAA3K83dgiHBpV/ 

Now we know what we need to update, let's move into danger mode / configure terminal and get them updated. One caveat: the "5" in those lines means the secrets are stored as salted MD5 hashes, which is all this 12.2 image offers, so anyone holding a copy of the old config (including the config.old we left in flash) can attack them offline. That is a good reason to set genuinely new passwords here rather than reuse ones in service elsewhere.

Note in this output how every command we type gets logged, with the secret itself masked as *****, so it doesn't end up in plain text on the syslog server. Combine this with the fact that it goes off to a central logging server and it's really useful: it acts as a bit of a black box for when you crash your network.

nafra-asw01#conf t
Enter configuration commands, one per line.  End with CNTL/Z. 
nafra-asw01(config)#username AdmPri privilege 15 secret PasswordICanRemember 
*Mar  1 00:08:02.781: %PARSER-5-CFGLOG_LOGGEDCMD: User:console  logged command:username AdmPri privilege 15 secret ***** 
nafra-asw01(config)#username AdmSec privilege 15 secret PasswordICanRemember 
nafra-asw01(config)# 
*Mar  1 00:08:08.258: %PARSER-5-CFGLOG_LOGGEDCMD: User:console  logged command:username AdmSec privilege 15 secret ***** 
nafra-asw01(config)#enable secret PasswordICanRemember 
nafra-asw01(config)# 
*Mar  1 00:08:17.385: %PARSER-5-CFGLOG_LOGGEDCMD: User:console  logged command:enable secret ***** 
nafra-asw01(config)# 
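Those logged commands are worth more than a black-box recording: a central syslog server can raise an alert on exactly this pattern. Below is an added example of my own (not part of the original procedure, and not anything shipped by Cisco) that reads the switch-side messages from the session above, constructed here as a sample with one invented later line, and flags credential changes typed on the console within 15 minutes of the device's syslog session starting. That combination is what a password recovery looks like from the outside; a secret change by a named user hours later is ignored. The 15-minute window and the command regex are assumptions to tune.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: the switch-side messages from the session above, in the
# order a central syslog server would receive them. Nothing arrives before the
# first LOGGINGHOST_STARTSTOP because the switch has no syslog configuration
# until config.old is merged. The final line is invented: a later secret change
# by a named user, included so the detector has something to ignore.
SAMPLE_LOG = """\
*Mar  1 00:04:59.162: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 10.2.11.71 Port 514 started - CLI initiated
*Mar  1 00:05:00.588: %LINK-5-CHANGED: Interface Vlan1, changed state to administratively down
*Mar  1 00:05:02.182: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 10.2.11.72 Port 514 started - CLI initiated
*Mar  1 00:08:02.781: %PARSER-5-CFGLOG_LOGGEDCMD: User:console  logged command:username AdmPri privilege 15 secret *****
*Mar  1 00:08:08.258: %PARSER-5-CFGLOG_LOGGEDCMD: User:console  logged command:username AdmSec privilege 15 secret *****
*Mar  1 00:08:17.385: %PARSER-5-CFGLOG_LOGGEDCMD: User:console  logged command:enable secret *****
*Mar  1 02:30:00.000: %PARSER-5-CFGLOG_LOGGEDCMD: User:AdmPri  logged command:username AdmSec privilege 15 secret *****
"""

# IOS message shape: "<timestamp>: %FACILITY-SEVERITY-MNEMONIC: text". The
# leading "*" means the clock is not authoritative (no NTP), as on this switch.
LINE_RE = re.compile(
    r"^\*?(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+"
    r"(?P<time>\d{2}:\d{2}:\d{2})\.(?P<ms>\d{3}):\s+"
    r"%(?P<msg_id>[A-Z0-9_]+-\d-[A-Z0-9_]+):\s+(?P<text>.*)$"
)
CMD_RE = re.compile(r"User:(?P<user>\S+)\s+logged command:(?P<cmd>.*)$")
# Config commands that set or replace a credential (assumed list; extend as needed).
CRED_RE = re.compile(r"^(enable (secret|password)\b|username \S+ .*\b(secret|password)\b)")


def parse_line(line, year=1993):
    """Return (timestamp, msg_id, text) for an IOS log line, or None if it isn't one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    return ts + timedelta(milliseconds=int(m["ms"])), m["msg_id"], m["text"]


def find_console_credential_resets(log_text, window=timedelta(minutes=15)):
    """Flag credential changes typed on the console within `window` of a
    'Logging to host ... started' message, the footprint of a password recovery."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    logging_starts = [ts for ts, msg_id, text in events
                      if msg_id == "SYS-6-LOGGINGHOST_STARTSTOP" and " started" in text]
    hits = []
    for ts, msg_id, text in events:
        if msg_id != "PARSER-5-CFGLOG_LOGGEDCMD":
            continue
        cm = CMD_RE.search(text)
        if not cm:
            continue
        cmd = cm["cmd"].strip()
        if cm["user"] != "console" or not CRED_RE.match(cmd):
            continue
        if any(timedelta(0) <= ts - start <= window for start in logging_starts):
            hits.append({"time": ts.strftime("%H:%M:%S"), "user": cm["user"], "command": cmd})
    return hits


if __name__ == "__main__":
    for hit in find_console_credential_resets(SAMPLE_LOG):
        print(f"ALERT {hit['time']} console credential change: {hit['command']}")
```

The parser expects the device-side text; a real syslog server prepends its own priority, timestamp and hostname fields, so strip or extend the pattern to match your collector. A normal reboot also emits LOGGINGHOST_STARTSTOP as the startup config is applied, so that message alone means little; it's the console-sourced secret change shortly afterwards that is the signal.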

If we were to reboot the switch now it still wouldn't find a startup file. To make sure it can, we need to copy the running-config to startup-config. Then, because we leave things nice and tidy, we can also delete flash:/config.old as we no longer need it. This isn't only tidiness: that file still holds the old enable and username hashes and everything else in the old config, so it shouldn't be left lying around in flash.

nafra-asw01(config)#end
nafra-asw01#copy running-config startup-config
Building configuration... 
[OK] 
nafra-asw01# delete flash:/config.old 
Delete filename [config.old]?  [Enter]
Delete flash:/config.old? [confirm] [Enter]
nafra-asw01# 

Finally, I would ALWAYS recommend you run three tests:

  1. First, reboot the switch to make sure you really do have a startup config that works! It's worth taking a backup to an FTP server before doing this, just in case. If you have just driven for a few hours to reset this switch, the last thing you want is to drive all the way back in a week's time to work out why the switch didn't come back up after that power cut.
  2. Second, after the switch reboots, log in using every username and password you have just reset. If the device is configured for TACACS, disconnect the uplink cables to ensure it fails back to the local credentials. Note: if your device has a load of uplink cables, this is why labelling cables is important. To label cables like a Pro see this article for more information.
  3. Third, make sure you can access the switch remotely. If you're currently working at a remote site, call your office and get someone there to check.