WLC Password Reset

Cisco - Enterprise


tl;dr

  1. Boot up your WLC and watch the serial console (directly, or via the CIMC's serial over LAN).
  2. At the first login prompt enter the username "Recover-Config". It has to be the very first username typed after boot; if anything else went in first, reboot and try again.
  3. Let the WLC reboot.
  4. Run through the initial configuration wizard.
  5. Connect to the web interface with the credentials you just set.

What's this for?

WLC Factory Reset is for when your colleague, now happily retired, set a password on a device but forgot to put it in the password management software. It's also useful for newbies to the land of networking who have received a second-hand WLC from a popular online auction site, only to find it still has a password set on it.

I'm afraid that, unlike routers and switches, you don't have the option of recovering the existing configuration: there is no equivalent of the IOS config-register trick that gets you in while keeping the startup config. Your only option is to factory reset the device and rebuild or restore the configuration afterwards. If this device is in production I hope you have a good backup policy!

Demo Environment

The outputs below come from the following setup...

  • Hardware: Cisco WLC 5520
  • OS: AireOS
  • Version: 8.5.135.0
  • Date: 10-08-2019

WLC Factory Reset

So what we're going to do in this ramble is run through the steps needed to get back into your Cisco WLC.

Warning: if you do not own the WLC you're about to attempt this on, you will probably be breaking some sort of company policy or law of the land you live in. If in doubt seek legal advice and/or permission from the person that owns the controller. Please also read the disclaimer on the About page of this website.

Before we start there is something important to understand. When a wireless LAN controller built on Cisco C-Series server hardware boots, it gets as far as 'Cisco Bootloader Loading Stage2...' and then stops sending output to the KVM. That is the point at which the AireOS software takes over. AireOS was originally written for the dedicated WLC appliances, which were configured over a serial port rather than a VGA console, and it has kept that behaviour. Dedicated WLC hardware doesn't make sense when you own a server business too (you'd be paying two hardware development teams), so the more versatile C-Series servers won the fight.

This is not really a problem, because you don't need the KVM: the WLC is designed to be configured from the serial port, exactly as the dedicated appliances were, so we just plug into the serial port as before. The serial port also shows you everything that comes before the 'Cisco Bootloader Loading Stage2...' line. For me, the real beauty of running the WLC on C-Series hardware is that you get a CIMC thrown in, and the CIMC lets you reach that serial port over SSH (serial over LAN) instead of standing next to the box.

Bear in mind what that means: anyone who can reach the serial port, the CIMC, or the front of the box can do everything in this guide, including wiping the configuration. Treat the CIMC's credentials and the network it sits on with the same care as the admin password you are about to set.

To illustrate the above point I have opened the KVM from the CIMC and taken a picture for you. If you were to plug a screen into the 'console' port on the front you would get exactly the same output.

Before starting this guide I would recommend configuring your CIMC card. I have a guide here on how to do a basic configuration on the CIMC version 4.0. If you are running a CIMC older than version 4.0 it's likely to look a bit different so there is a guide here on how to upgrade from older CIMC versions.

With the above in mind, let's SSH to the CIMC and tell the server to power on.

wlc001-oobm# show chassis detail 
Chassis: 
    Power: off 
    Serial Number: ########### 
    Product Name: 
    PID : AIR-CT5520-K9 
    UUID: ##########-####-####-####-############ 
    Locator LED: off 
    Description: 
    Asset Tag: Unknown 
wlc001-oobm# 
wlc001-oobm# scope chassis 
wlc001-oobm /chassis # power on 
This operation will change the server's power state. 
Do you want to continue?[y|N]y 
wlc001-oobm /chassis # exit

Once this is done we can connect to the serial port via the SSH session and watch the server boot up.

wlc001-oobm # connect host 
CISCO Serial Over LAN: 
Press Ctrl+x to Exit the session 
 Configuring platform hardware... 

Once the server has booted it will prompt you for a username. The first username we enter MUST be 'Recover-Config'; the controller only honours it as the very first login attempt after boot, so if anything else is typed first we have to reboot the server and start over. Notice in the output below that no password is asked for: possession of the console is the only credential, which is why console and CIMC access need protecting as carefully as the admin password itself.

Enter User Name (or 'Recover-Config' this one-time only to reset configuration to factory defaults) 

User: Recover-Config
Initiating system recovery process... please wait 

Rebooting system 

Updating license storage ...  Done. 

 Exiting SL process ! 
Terminated 
sh: can't kill pid 1872: No such process 

At this point the controller reboots into AireOS and eventually drops us into the setup wizard. The first thing we want to do is terminate autoinstall. Autoinstall is where the WLC goes out to the network looking for a configuration file to load, using details handed out by DHCP. Unless you have deliberately set that up, terminate it; otherwise the controller will take whatever configuration the network offers it.

Welcome to the Cisco Wizard Configuration Tool 
Use the '-' character to backup 

Would you like to terminate autoinstall? [yes]: yes

After this we are asked to give the WLC a hostname, plus the username and password for the local administrator account. This is the account that lets you back in, so give it a proper password and get it into the password manager this time.

System Name [Cisco_##:##:##] (31 characters max): wlc001 
Enter Administrative User Name (24 characters max): AdmPri 
Enter Administrative Password (3 to 24 characters): ********** 
Re-enter Administrative Password                 : ********** 

Next we are asked to configure the service interface IP address. This is the "Service" port on the back of the controller. It's not a routed interface, so you can't use it for out-of-band management across the network, but you can walk up to the back of the server, plug into the port and SSH / HTTPS to the WLC. It's not something you use often, but when you do need it you're normally glad it's there! When allocating an IP address for this, use a range that you don't use on the main production network. I normally reserve 192.168.0.0/16 for this sort of thing, as it's not practical to route it in a business network anyway: home networks use the same range, so when people VPN in from home strange things happen.

Service Interface IP Address Configuration [static][DHCP]: static 
Service Interface IP Address: 192.168.0.1 
Service Interface Netmask: 255.255.255.0 

Link Aggregation (LAG) is a bit of a no-brainer on WLCs if you ask me; it's something I just do. There might be some specialist deployments where you don't want it, but those are few and far between. If you're not familiar with link aggregation, it takes two or more physical interfaces (ideally in multiples of two) and creates one logical interface out of them. One caveat: the WLC side is a static bundle, it does not negotiate LACP or PAgP, so the switch-side port channel must be configured as a static EtherChannel (channel-group mode on) or the ports will not come up cleanly. For more information about link aggregation see the article here.

Enable Link Aggregation (LAG) [yes][NO]: yes 

Next we want to configure the management interface. This is the IP address we are going to use to administer the WLC. As a rule of thumb you don't want your wireless clients being spat out onto the same VLAN as your management traffic, so we're going to tag the management traffic with a VLAN ID reserved for management. Later on we can put the wireless clients on a different VLAN ID.

Management Interface IP Address: 192.168.193.1
Management Interface Netmask: 255.255.255.0 
Management Interface Default Router: 192.168.193.254 
Management Interface VLAN Identifier (0 = untagged): 193 

Even though we have told it we are using LAG, it will still want to know a physical port for the management interface. Resistance is futile, as you can see below: a blank answer is rejected, so just give it a number.

Management Interface Port Num [1 to 2]: 
Invalid response 
 
Management Interface Port Num [1 to 2]: 1

In my lab setup this is just a Cisco 5520 WLC, plugging into a 2960G switch that then plugs into a Cisco 2811 router. The Cisco 2811 and 2960G are configured in a router on a stick setup. For the purposes of this I'm just going to use my 2811 router as a DHCP server.

Management Interface DHCP Server IP Address: 192.168.193.254 

In this example I am not going to configure High Availability. If you want to see how to do this look at this guide here.

Enable HA [yes][NO]: no 

You will probably find lots of guides saying use 1.1.1.1 or 2.2.2.0/24 etc. for the virtual gateway IP address. Blunt answer: don't. These are not private IP addresses and can start being used on the internet. At the time of writing 1.1.1.1 has just become a public DNS server, and anyone using 1.1.1.1 in their network will be having issues reaching that online service. For this I wouldn't normally use an RFC 1918 address either; instead I go for one of the RFC 5737 documentation ranges (192.0.2.0/24, 198.51.100.0/24 or 203.0.113.0/24), which are guaranteed never to be routed on the internet.

Virtual Gateway IP Address: 192.0.2.1 

The multicast address is used by the controller to forward traffic more efficiently to your access points. In a small deployment where all your access points are on the same VLAN as the controller this is pretty simple to do. However, if you're routing between your controller and access points this becomes a bit more complicated, as you will need to do multicast routing. Pick a group in the administratively scoped range (239.0.0.0/8) so it never leaks beyond your own network. If you want to try this check out the article here.

Multicast IP Address: 239.239.239.239

For simplicity, unless you are going to start doing some more complex stuff with RF groups, just leave this as the controller's hostname.

Mobility/RF Group Name: wlc001 

If you already know what you want your SSID name to be, put it here. If not, don't worry too much as you can just delete this later.

Missing Output!

Let's quickly cover what the next two options mean:

Configure DHCP Bridging Mode [yes][NO]: no 

Without bursting into a rant: clients should use DHCP. Plus, in a large deployment the likelihood is you're also going to be using interface groups, and with those there is no way to guarantee the client will always end up on the same VLAN, so a static IP wouldn't work reliably anyway.

Allow Static IP Addresses [YES][no]: no 

I'm not going to set up RADIUS now, but watch this space, I will be doing lots of guides around this. Note the warning the wizard prints: the default WLAN's security policy (802.1X) needs a RADIUS server, so until one is configured that WLAN won't authenticate anyone. The fix is to add RADIUS, not to weaken the WLAN to get rid of the warning.

Configure a RADIUS Server now? [YES][no]: no
Warning! The default WLAN security policy requires a RADIUS server. 
Please see documentation for more details. 

Country code: self-explanatory. Get it wrong and your controller probably won't play nicely with your access points. The reason is that different countries license different radio frequencies and power levels for WiFi usage.

Enter Country Code list (enter 'help' for a list of countries) [US]: GB

This is one where ideally you only want to enable the latest and greatest protocols. If you enable the older ones (802.11b in particular) you won't get such good performance. However, you will have users who need to connect older devices, so in most cases you just have to suck it up and enable them all, especially if you have BYOD.

Enable 802.11b Network [YES][no]: yes
Enable 802.11a Network [YES][no]: yes 
Enable 802.11g Network [YES][no]: yes 

This just lets the controller make its own decisions on RF channel and power levels. Whether you want this really depends on your RF environment. I tend to find that if you're not sure, just enable it; you can always change your mind later.

Enable Auto-RF [YES][no]: yes 

This is a no-brainer: of course you should configure NTP, otherwise correlating log files across devices is going to be horrid. If you don't have an internal NTP server you can point this at something on the internet. In my lab I will just configure the Cisco 2811 to be the NTP server.

Configure a NTP server now? [YES][no]: yes 
Enter the NTP server's IP address: 192.168.193.254 
Enter a polling interval between 3600 and 604800 secs: 3600 

If you are IPv6 ready, good for you, you are the future. I don't have it in the lab so I'm not going to worry about it for now.

Would you like to configure IPv6 parameters[YES][no]: no

If you made a mistake part way through, now is your opportunity to go back through. If not, let's go for it.

Configuration correct? If yes, system will save it and reset. [yes][NO]: yes 
Updating LAG configuration...Done 
 
Updating license storage ...  Done. 
 
 Exiting SL process ! 
Terminated 
sh: can't kill pid 4328: No such process 
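Having walked through the wizard once by hand, the natural next step is to keep the answers somewhere so the next rebuild (or the restore after the next forgotten password) is a dry run rather than a guessing game. The script below is an added example, not code from the original post or from Cisco. It encodes the wizard prompts exactly as they appear in the transcript above (the SSID prompt is missing from that transcript, so it is not in the table) with the lab answers from the post, uses a placeholder for the masked password, and checks the addressing plan against the advice in the text: virtual gateway in RFC 5737 space, service port on a subnet that does not overlap management, default router inside the management subnet, and an administratively scoped multicast group. `replay` lets you test the plan against a captured console session before you go near a live box, and reports any prompt a different release adds that the table does not cover. All function and key names are my own.

```python
"""Answer plan and addressing checks for the AireOS setup wizard.

Added example (not from the post or Cisco). Prompts are the ones transcribed
in the post; answers are the post's lab values, password is a placeholder.
"""
import ipaddress
import re

# (regex for the console prompt, config key, lab answer) in the order asked.
PROMPTS = [
    (r"terminate autoinstall", "terminate_autoinstall", "yes"),
    (r"^System Name", "hostname", "wlc001"),
    (r"Administrative User Name", "admin_user", "AdmPri"),
    (r"^Enter Administrative Password", "admin_password", "CHANGE-ME"),  # masked in the post
    (r"^Re-enter Administrative Password", "admin_password", "CHANGE-ME"),
    (r"Service Interface IP Address Configuration", "service_mode", "static"),
    (r"^Service Interface IP Address:", "service_ip", "192.168.0.1"),
    (r"^Service Interface Netmask", "service_mask", "255.255.255.0"),
    (r"Link Aggregation", "lag", "yes"),
    (r"^Management Interface IP Address", "mgmt_ip", "192.168.193.1"),
    (r"^Management Interface Netmask", "mgmt_mask", "255.255.255.0"),
    (r"^Management Interface Default Router", "mgmt_gw", "192.168.193.254"),
    (r"^Management Interface VLAN Identifier", "mgmt_vlan", "193"),
    (r"^Management Interface Port Num", "mgmt_port", "1"),  # asked even with LAG; blank is rejected
    (r"^Management Interface DHCP Server", "dhcp_server", "192.168.193.254"),
    (r"^Enable HA", "ha", "no"),
    (r"^Virtual Gateway IP Address", "virtual_ip", "192.0.2.1"),
    (r"^Multicast IP Address", "multicast_ip", "239.239.239.239"),
    (r"^Mobility/RF Group Name", "rf_group", "wlc001"),
    (r"^Configure DHCP Bridging Mode", "dhcp_bridging", "no"),
    (r"^Allow Static IP Addresses", "allow_static", "no"),
    (r"^Configure a RADIUS Server now", "radius", "no"),
    (r"^Enter Country Code", "country", "GB"),
    (r"^Enable 802\.11b", "dot11b", "yes"),
    (r"^Enable 802\.11a", "dot11a", "yes"),
    (r"^Enable 802\.11g", "dot11g", "yes"),
    (r"^Enable Auto-RF", "auto_rf", "yes"),
    (r"^Configure a NTP server now", "ntp", "yes"),
    (r"^Enter the NTP server's IP address", "ntp_server", "192.168.193.254"),
    (r"^Enter a polling interval", "ntp_interval", "3600"),
    (r"IPv6 parameters", "ipv6", "no"),
    (r"^Configuration correct", "commit", "yes"),
]

LAB_CONFIG = {key: value for _, key, value in PROMPTS}

RFC5737_NETS = [ipaddress.ip_network(n) for n in
                ("192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24")]
ADMIN_SCOPED_MCAST = ipaddress.ip_network("239.0.0.0/8")  # RFC 2365


def check_addressing(cfg):
    """Return a list of findings; empty means the plan follows the advice in the post."""
    mgmt = ipaddress.ip_interface(f"{cfg['mgmt_ip']}/{cfg['mgmt_mask']}").network
    svc = ipaddress.ip_interface(f"{cfg['service_ip']}/{cfg['service_mask']}").network
    vip = ipaddress.ip_address(cfg["virtual_ip"])
    gw = ipaddress.ip_address(cfg["mgmt_gw"])
    mcast = ipaddress.ip_address(cfg["multicast_ip"])
    findings = []
    if not any(vip in net for net in RFC5737_NETS):
        findings.append(f"virtual gateway {vip} is not in RFC 5737 documentation space")
    if mgmt.overlaps(svc):
        findings.append(f"service subnet {svc} overlaps management subnet {mgmt}")
    if gw not in mgmt:
        findings.append(f"default router {gw} is outside management subnet {mgmt}")
    if mcast not in ADMIN_SCOPED_MCAST:
        findings.append(f"multicast group {mcast} is not administratively scoped (239/8)")
    if cfg["mgmt_vlan"] == "0":
        findings.append("management interface is untagged; use a dedicated management VLAN")
    return findings


def answer_for(line, cfg):
    """Map one console line to its planned reply, or None if it is not a wizard prompt."""
    text = line.strip()
    for pattern, key, _ in PROMPTS:
        if re.search(pattern, text):
            return cfg[key]
    return None


def replay(transcript, cfg):
    """Dry-run the plan against captured console output.

    Returns (replies, unanswered): replies are (prompt, answer) pairs in order;
    unanswered are lines that look like prompts (end with ':') but match nothing.
    """
    replies, unanswered = [], []
    for line in transcript.splitlines():
        text = line.strip()
        if not text:
            continue
        answer = answer_for(text, cfg)
        if answer is not None:
            replies.append((text, answer))
        elif text.endswith(":"):
            unanswered.append(text)
    return replies, unanswered
```

The plan is deliberately a static table rather than a live driver: matching the prompts is the easy part, and a real pexpect-style driver only needs `answer_for` plus a read-until loop on the serial-over-LAN session. Run `check_addressing` on the plan before every rebuild; swapping the virtual gateway for 1.1.1.1 or letting the service port land in the management subnet each produce a finding.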

After the controller has rebooted, browse to the management IP you have just configured. The controller ships with a self-signed certificate, so the browser will warn that the site is not trusted. It's your controller on your management VLAN, so you can click through for now, but plan to install a certificate from your own CA rather than training yourself to ignore the warning. You will then be presented with this screen.

After this hit Login and enter the username and password you have just configured. You should then be presented with the Network Summary page.

Note: if you want to do anything of use you will need to hit Advanced in the top right corner.