Cisco Support Community

Password Recovery on Cisco Catalyst 3850

Power cycle the switch. Immediately press and hold the Mode button. Hold the button for approximately 12 seconds; the Status LED will go amber. On the console you should now be in Boot Loader.

Switch:

Add the following variables.

Switch: SWITCH_IGNORE_STARTUP_CFG=1

Switch: SWITCH_DISABLE_PASSWORD_RECOVERY=0

Then boot the switch.

Switch: boot

Once the switch has booted you can copy the saved config back into the running config.

Switch# copy start runn

Next set your password(s). Finally we want to remove the variables we set while in Boot Loader.

Switch# no system ignore startupconfig switch all

Switch# system disable password recovery switch all

Save your new config.

Switch# copy runn start

Since we are on the topic of passwords, I believe you should configure AAA even if you're using local credentials. Here's an example of how easy it is to set up.

Switch(config)# aaa new-model

Switch(config)# aaa authentication login default local

Switch(config)# username mmessier privilege 15 secret StAnLeYcUp

Switch(config)# line vty 0 4

Switch(config-line)# login authentication default

It's that easy! You can now remove the passwords from under the VTY lines. Those passwords are easily reversible and should not be used. Instead, use AAA and the secret keyword when configuring the username. It encrypts the password and is not reversible (yet). For even more security use the service-password encrypt aes command.
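
An added example, not part of the original document and not Cisco tooling: a Python check that scans a saved running-config for the settings recommended above (AAA enabled, local usernames stored with secret, no passwords left under the VTY lines). The sample config and the function name audit are constructed for illustration.

```python
# Constructed sample running-config (illustrative, not from a real device).
SAMPLE_CONFIG = """\
hostname Switch
!
username admin privilege 15 secret 9 $9$CONSTRUCTED
username backup privilege 15 password 7 0000CONSTRUCTED
!
line con 0
line vty 0 4
 password 7 0000CONSTRUCTED
 login
line vty 5 15
 login authentication default
!
"""


def audit(config):
    """Return a list of findings for the settings the article recommends."""
    findings = []
    lines = config.splitlines()
    top = [l.strip() for l in lines if l and not l.startswith(" ")]

    if "aaa new-model" not in top:
        findings.append("aaa new-model is not configured")
    if not any(l.startswith("aaa authentication login ") for l in top):
        findings.append("no aaa authentication login method list")

    # Local users: the first credential keyword decides how it is stored.
    for l in top:
        tok = l.split()
        if tok[:1] == ["username"] and len(tok) > 2:
            kw = next((t for t in tok[2:] if t in ("password", "secret")), None)
            if kw == "password":
                findings.append(f"username {tok[1]}: uses password, not secret")

    # VTY blocks: sub-commands are the indented lines under "line vty ...".
    block = None
    for l in lines:
        if not l.startswith(" "):
            block = l.strip() if l.startswith("line vty") else None
        elif block and l.split()[:1] == ["password"]:
            findings.append(f"{block}: line password still configured")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Run it against a copy of the config saved off the switch after the recovery, before the new passwords are considered final.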

Version history
Revision #:
1 of 1
Last update:
‎12-05-2013 01:49 PM
Comments
Cisco Employee

The following step is outdated and does not work on later releases. I tried on a 3850 running 3.3.4 and saw this:

switch: SWITCH_DISABLE_PASSWORD_RECOVERY=0
Can't set variable "SWITCH_DISABLE_PASSWORD_RECOVERY" -- is readonly.

Cisco Employee

Please be aware of this bug that causes the entire startup config to get wiped out when a user attempts pwd recovery.

start-up config is initialized after executing password recovery CSCum26261

 
Conditions:
cat3850, 3650
15.0(1)EZ and 15.0(1)EZ1

Workaround:
There is no workaround

Further Problem Description:
When we do password recovery, a new certificate is created by the http component. After the certificate creation, the startup-config is overwritten with the default running-config, so the startup-config is lost.

Fixed in 3.6.1 and 3.7.0

New Member

So how do I recover password now?

New Member

idk what version of IOS the password recovery commands were used on but it doesn't work for v3.2 and above.  This doc needs to be removed.