Cisco Support Community
New Member

Password Recovery on WLC not working

I have a 4404 running firmware 7.0 and something happened (don't think it was a hack), but all of a sudden I can't login to the box via web or ssh or even telnet.

In trying the recovery procedure, I get a lot of messages scrolling through and cannot do the Restore-Password command on the CLI.

I'm attaching the whole capture, but here's a truncated capture from the procedure:

*fp_main_task: Nov 21 10:39:46.501: sshpmGetCID: comparing to row 0, CA cert >bsnOldDefaultCaCert<

*fp_main_task: Nov 21 10:39:46.501: sshpmGetCID: comparing to row 1, CA cert >bsnDefaultRootCaCert<

*fp_main_task: Nov 21 10:39:46.501: sshpmGetCID: comparing to row 2, CA cert >bsnDefaultCaCert<

*fp_main_task: Nov 21 10:39:46.501: sshpmGetCID: called to evaluate <cscoDefaultIdCert>

*fp_main_task: Nov 21 10:39:46.501: sshpmGetCID: comparing to row 0, CA cert >bsnOldDefaultCaCert<

ok

Starting AireWave Director: ok

Starting Network Time Services: ok

Starting Cisco Discovery Protocol: ok

Starting Broadcast Services: ok

Starting Logging Services: ok

Starting DHCP Server: ok

Starting IDS Signature Manager: ok

Starting RFID Tag Tracking: ok

Starting Power Supply and Fan Status Monitoring Service: ok

Starting Mesh Services:  ok

Starting TSM: ok

Starting CIDS Services: ok

Starting Ethernet-over-IP: ok

Starting DTLS server:  enabled in CAPWAP

Starting CleanAir: ok

Starting WIPS: ok

Starting SSHPM LSC PROV LIST: ok

Starting RRC Services: ok

Starting FMC HS: ok

Starting Management Services:

   Web Server: ok

   CLI: ok

   Secure Web: ok

(Cisco Controller)

Enter User Name (or 'Recover-Config' this one-time only to reset configuration to factory defaults)

User:  *fp_main_task: Nov 21 10:39:46.501: sshpmGetCID: comparing to row 1, CA cert >bsnDefaultRootCaCert<

*fp_main_task: Nov 21 10:39:46.501: sshpmGetCID: comparing to row 2, CA cert >bsnDefaultCaCert<

*fp_main_task: Nov 21 10:39:46.501: sshpmGetCID: comparing to row 3, CA cert >bsnDefaultBuildCert<

*fp_main_task: Nov 21 10:39:46.501: sshpmGetCID: comparing to row 4, CA cert >cscoDefaultNewRootCaCert<

So as you can see, my prompt to enter the command is taken up by this fp_main message and it uses up the first and only time I can enter this in.

I'm trying everything I can to not have to go back to factory defaults. That would be a nightmare.

Is there a way to stop these messages? Thanks any and all for your help.

24 REPLIES
Hall of Fame Super Silver

Re: Password Recovery on WLC not working

During the boot up, you should see something that tells you to hit ESC to enter the boot menu. From there you can reset the WLC to factory default.

Thanks,

Scott F. Fella

Sr. Network Engineer

CDW Corporation

CDW Plaza - 120 S. Riverside

Ninth Floor

Chicago, IL 60606

Cell: 630-935-7333

e-Mail: scott.fella@cdw.com

From: rmazzagate

Date: Mon, 28 Nov 2011 08:04:42 -0700

Subject: Password Recovery on WLC not working

-Scott
*** Please rate helpful posts ***
New Member

Password Recovery on WLC not working

Thanks, but I'm not interested in factory defaults. That's my last option. I'm trying to just reset the username/password.

Password Recovery on WLC not working

I see you have already done a reboot. Can you disconnect the WLC from the network and see if you are still getting the messages on your console?

Thanks

NikhiL

New Member

Password Recovery on WLC not working

Good point. I'll give that a try

Hall of Fame Super Silver

Password Recovery on WLC not working

I didn't see that part:)  Sorry about that. 

-Scott
*** Please rate helpful posts ***
New Member

Password Recovery on WLC not working

No problem, Scott

New Member

Password Recovery on WLC not working

Hi Scott,

Please find the video for the password recovery

https://supportforums.cisco.com/docs/DOC-8038

Regards

Angus

Hall of Fame Super Silver

Re: Password Recovery on WLC not working

Yeah.. I have seen that, I just thought you were having an issue resetting the WLC to factory default using the recover-config.

Thanks,

Scott F. Fella

Sr. Network Engineer

CDW Corporation

CDW Plaza - 120 S. Riverside

Ninth Floor

Chicago, IL 60606

Cell: 630-935-7333

e-Mail: scott.fella@cdw.com

From: "Helena.Elizabeth"

Date: Mon, 28 Nov 2011 09:12:21 -0700

Subject: Re: Password Recovery on WLC not working

-Scott
*** Please rate helpful posts ***
Silver

Re: Password Recovery on WLC not working

All of that console output looks like certificate stuff for AP joins.

Does that output stop after your reboot (say 5-10 minutes later?) and all the APs are joined?

What about if you just type Restore-Password when the login prompt first appears, instead of hitting enter and getting the login prompt again? Are you sure the console log message is actually becoming text for the Login Prompt?

OR, what if you hit the backspace a thousand times (exaggeration) and then hit Restore-Password if you think that console output line is filling in the username field...?

By the way..... if you have a WCS or any other snmp device, you could probably just send snmp to create a new user....

New Member

Re: Password Recovery on WLC not working

Yeah, I've tried just putting in the Restore-Password after the login prompt finally comes up and it didn't work. That's what makes me think that, like you said, the message may be acting like text for the login. I'm going to try what one poster said and unplug it from the network and then try the procedure.

Silver

Re: Password Recovery on WLC not working

Yep, that makes a lot of sense. If those messages are because of AP joins, then it stands to reason that those messages will go away when disconnected and your prompt might return.

But more to my question, do you not have a WCS in play here?  Because it would be a lot less intrusive to just send a new user account with snmp....?

New Member

Re: Password Recovery on WLC not working

No, I don't have a WCS in place. Forgot to address that.

New Member

Re: Password Recovery on WLC not working

Well, unplugging from the network didn't work. Those messages still scroll and still can't reset the password. Not sure what next step should be. Really don't want to go back to factory defaults.

Re: Password Recovery on WLC not working

You can try a few more options.

When the device boots up, break down the boot menu and try to boot with the backup image, if it is something different.

You have mentioned that you don't have a WCS, but in case you have an SNMP community and you know the details, you can try with the Cisco MIBs to reset your password. You will have to download the Cisco MIBs corresponding to the software version you are running, identify the MIB corresponding to password and then try to change by MIB walk.

Thanks

NikhiL

New Member

Re: Password Recovery on WLC not working

Actually, I finally got the reset working. BUT, it's not working! I created a new username and password but I still can't log in with it. What in the world could be preventing this? It's like it's disabled or something. Web interface, ssh, telnet, it doesn't work. Any ideas? Thanks for all your time!

Silver

Re: Password Recovery on WLC not working

Is it possible that you managed to set login for tacacs/radius only?  That would explain why local username/passwords don't work for you.....

Have you tried to login with any tacacs/radius accounts? 

New Member

Re: Password Recovery on WLC not working

Great point, and I was wondering if I somehow accidentally chose that option when I was in there last. The only radius config I'm using is by computer authentication. For fun, I tried my Active Directory credentials but it didn't work. Any other ideas or thoughts are most welcomed. Thanks.

Silver

Re: Password Recovery on WLC not working

So.... do you know if you removed the default SNMP communities?

As suggested by others, you could get an snmp tool to try to fix this.

You might even could get a demo WCS?

WLCs have a default read/write community, so if you haven't changed it, you're open for that.....

New Member

Re: Password Recovery on WLC not working

No, the community strings are still in there. In fact, it's still generating logs to my syslog server. So do you think that the WCS could help even when what appears to be the local authentication could be turned off? Thanks for all your time.

New Member

Re: Password Recovery on WLC not working

Ok, I'm getting close. I can console in with the network cables unplugged. What I think is happening is the Local User is either low priority or disabled and it may be trying to find a TACACS server when plugged into the network.

Can someone tell me the CLI commands I need to make the Local User top priority when logging into the box? Note: not to be confused with Local EAP.

Thank you.

Hall of Fame Super Silver

Re: Password Recovery on WLC not working

Try this:

config aaa auth mgmt local radius

-Scott
*** Please rate helpful posts ***
New Member

Re: Password Recovery on WLC not working

Booyah!! Everything's fine now. So in summary, somehow the authentication priority got changed to a TACACS+ first then local. So I unplugged the WLC from the network, consoled in and put in my credentials and got in. From there, I did "config aaa auth mgmt local tacacs". That set local back to priority.

Thanks everyone for all your input and help!
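
Added example (not from the thread or from Cisco): a Python check that reads a saved configuration, finds the `config aaa auth mgmt` command discussed above and reports when the management login order differs from the intended one, which is the change that caused this lockout. It assumes the backup is plain text with one CLI command per line and that a later line overrides an earlier one; the function names and sample text are constructed.

```python
import re

# The command form quoted in the thread: "config aaa auth mgmt <method> [<method> ...]"
MGMT_AUTH = re.compile(r"^\s*config\s+aaa\s+auth\s+mgmt\s+(\S.*?)\s*$", re.IGNORECASE)


def mgmt_auth_order(config_text):
    """Return the order set by the last 'config aaa auth mgmt' line, or None."""
    order = None
    for line in config_text.splitlines():
        match = MGMT_AUTH.match(line)
        if match:  # assumption: a later line replaces an earlier one
            order = [token.lower() for token in match.group(1).split()]
    return order


def check_order(config_text, expected):
    """Compare the configured order with the intended one; return findings."""
    order = mgmt_auth_order(config_text)
    if order is None:
        return ["no 'config aaa auth mgmt' line found"]
    findings = []
    if order != expected:
        findings.append("order is %s, expected %s" % (" ".join(order), " ".join(expected)))
    if "local" not in order:
        findings.append("local is not in the order")
    elif order[0] != "local":
        findings.append("local is tried after %s" % order[0])
    return findings


# Constructed sample backups (assumption: plain text, one CLI command per line).
BASELINE = "config aaa auth mgmt local tacacs\n"
DRIFTED = "config aaa auth mgmt local tacacs\nconfig aaa auth mgmt tacacs local\n"

if __name__ == "__main__":
    for name, text in (("baseline", BASELINE), ("drifted", DRIFTED)):
        print(name, check_order(text, ["local", "tacacs"]) or "ok")
```

Run against each scheduled configuration backup, a non-empty result shows the order changed before anyone is locked out of web, SSH or telnet management.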

Re: Password Recovery on WLC not working

Thanks everyone for participating and helping out Roy.

Roy could you please mark this thread as Answered?

Vinay Sharma

Community Manager - Wireless

Thanks & Regards
New Member

Re: Password Recovery on WLC not working

I was going to yesterday, Vinay, but I can't find on the page where to do that.
