MDS 9124 -- Limited Command Set?

jon.armani
Level 1

I've got two MDS 9124 FiberChannel switches, and can SSH into them using RADIUS authentication with my domain admin user.

I'm trying to do things, like update the license file, but lots of "normal" commands, like "copy" which is documented in the license update procedure, are missing. Page 1-6 of this PDF [command reference for SAN-OS 3.x] lists many more commands that I don't seem to have: http://www.cisco.com/en/US/docs/storage/san_switches/mds9000/sw/rel_3_x/command/reference/CR03.pdf

The rest of this post will be (1) the output of "?" at the EXEC prompt, (2) the output of "?" at the Config prompt, (3) the output of "show version":


----------------------------------------------------------------------------------------------------------------

----------------------------------------------------------------------------------------------------------------

FCSwitch01# ?

Exec commands:

  attach      Connect to a specific linecard

  cd          Change current directory

  cfs         CFS parameters

  clear       Reset functions

  cli         CLI commands

  clock       Manage the system clock

  config      Enter configuration mode

  dir         List files in a directory

  discover    Discover information

  exit        Exit from the EXEC

  fcping      Ping an N-Port

  fctrace     Trace the route for an N-Port.

  find        Find a file below the current directory

  no          Disable debugging functions

  ping        Send echo messages

  pwd         View current directory

  send        Send message to open sessions

  show        Show running system information

  sleep       Sleep for the specified number of seconds

  ssh         SSH to another system

  tail        Display the last part of a file

  telnet      Telnet to another system

  terminal    Set terminal line parameters

  test        Test command

  traceroute  Trace route to destination

----------------------------------------------------------------------------------------------------------------

----------------------------------------------------------------------------------------------------------------

FCSwitch01(config)# ?

Configure commands:

  cli        CLI configuration commands

  do         EXEC command

  end        Exit from configure mode

  exit       Exit from configure mode

  hw-module  Enable/Disable OBFL information

  no         Negate a command or set its defaults

  username   Configure user information.

----------------------------------------------------------------------------------------------------------------

----------------------------------------------------------------------------------------------------------------

FCSwitch01# show version

[[[--- STANDARD GPL AND OTHER LICENSE JUNK REMOVED FROM THIS POST FOR READABILITY ---]]]

Software

  BIOS:      version 1.0.12

  kickstart: version 3.3(1c)

  system:    version 3.3(1c)

  BIOS compile time:       09/10/07

  kickstart image file is: bootflash:/m9100-s2ek9-kickstart-mz.3.3.1c.bin

  kickstart compile time:  5/23/2008 19:00:00 [06/20/2008 04:29:52]

  system image file is:    bootflash:/m9100-s2ek9-mz.3.3.1c.bin

  system compile time:     5/23/2008 19:00:00 [06/20/2008 04:51:10]

Hardware

  cisco MDS 9124 ("1/2/4 Gbps FC/Supervisor-2")

  Motorola, ppc8541 (e500) with 515032 kB of memory.

  Processor Board ID JAE1133U87Q

  bootflash: 250368 kB

FCSwitch01   kernel uptime is 2 days 0 hour 24 minute(s) 48 second(s)

----------------------------------------------------------------------------------------------------------------

----------------------------------------------------------------------------------------------------------------

1 Accepted Solution


Hi Jon,

Do you have access to the radius server?  Can you set the shell:roles="network-admin" attribute on your account?

Unfortunately if you don't remember the password of any accounts with network-admin you will need to do a password recovery which is a disruptive process.  Below are the instructions for the MDS:

Power Cycling the Switch

If you cannot start a session on the switch that has network-admin privileges, you must recover the administrator password by power cycling the switch.


Caution This procedure disrupts all traffic on the switch. All connections to the switch will be lost for 2 to 3 minutes.



Note You cannot recover the administrator password from a Telnet or SSH session. You must have access to the local console connection. See the "Starting a Switch in the Cisco MDS 9000 Family" section on page 5-2 for information on setting up the console connection.


To recover an administrator password by power cycling the switch, follow these steps:


Step 1 For Cisco MDS 9500 Series switches with two supervisor modules, remove the supervisor module in slot 6 from the chassis.


Note On the Cisco MDS 9500 Series, the password recovery procedure must be performed on the active supervisor module. Removing the supervisor module in slot 6 ensures that a switchover will not occur during the password recovery procedure.


Step 2 Power cycle the switch.

Step 3 Press the Ctrl-] key sequence when the switch begins its Cisco NX-OS software boot sequence to enter the switch(boot)# prompt mode.

Ctrl-] 

switch(boot)#


Step 4 Change to configuration mode.

switch(boot)# config terminal


Step 5 Issue the admin-password command to reset the administrator password.

switch(boot-config)# admin-password <new password>


For information on strong passwords, see the "Characteristics of Strong Passwords" section.

Step 6 Exit to the EXEC mode.

switch(boot-config)# exit

switch(boot)#


Step 7 Issue the load command to load the Cisco NX-OS software.

switch(boot)# load bootflash:m9500-sf1ek9-mz.2.1.1a.bin



Caution If you boot a system image that is older than the image you used to store the configuration and do not use the install all command to boot the system, the switch erases the binary configuration and uses the ASCII configuration. When this occurs, you must use the init system command to recover your password.

Step 8 Log in to the switch using the new administrator password.

switch login: admin

Password: <new password>


Step 9 Reset the new password to ensure that it is also the SNMP password for Fabric Manager.

switch# config t

switch(config)# username admin password <new password>

switch(config)# exit

switch#


Step 10 Save the software configuration.

switch# copy running-config startup-config


Step 11 Insert the previously removed supervisor module into slot 6 in the chassis.


4 Replies

Brian Morrissey
Cisco Employee

Hi Jon,

It seems like your radius account might not be mapped to the network-admin role which could explain the lack of commands that are available.  May want to take a look at the radius user config (http://www.cisco.com/en/US/docs/switches/datacenter/mds9000/sw/4_1/configuration/guides/cli_4_1/cradtac1.html).

That looks like the answer . . . My account is authenticated through RADIUS and shows up in Cisco's Device Manager for that switch as "Network Operator" and the "Admin" account is "Network-Admin."  Unfortunately, we don't know the password for the Admin account.  Is there a way to recover that password, or create a new user [wouldn't let me in my Network-Operator role] with admin credentials to be able to change things?

           


SECOND EDIT: It worked!  It just took a few minutes to sync with the RADIUS server across the network!

EDIT: Some digging around, and I found what you were talking about.  I see the existing attribute called Cisco-AV-Pair with value "shell:priv-lvl=15" . . . I added the additional value "shell:roles="network-admin"" as you had mentioned, and moved it to be the top attribute.  Nothing seems to have changed in the shell now, after reconnecting, like there is no "copy" command, and if I issue "username admin password SomePassword" I get told that I can't make changes to other users.  Maybe it takes time to refresh these settings across the network?

---END OF EDIT--- Original Post:

Brian,

I do have Domain Admin access to our RADIUS server, which is a Windows 2003 Standard server with Active Directory . . . I'm afraid I don't know what you're talking about as far as defining the shell role, or how to do that.  Is that something I do in the server, or in the FiberChannel Switch?

Jon
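
An added example, not part of the original posts and not Cisco code: a small audit of the Cisco-AV-Pair values configured per RADIUS account, showing which role each account ends up with and why `shell:priv-lvl=15` alone did not unlock the admin commands. The account names, the approved-admin list and the fallback to network-operator (taken from what the thread reports) are assumptions.

```python
import re

# Cisco AV-pair syntax: protocol:attribute=value (mandatory)
# or protocol:attribute*value (optional).
AV_PAIR = re.compile(r'^([\w-]+):([\w-]+)[=*](.*)$')

# Assumption: with no role in the Access-Accept the switch falls back to
# network-operator, which is what the thread observed.
DEFAULT_ROLE = "network-operator"


def effective_roles(av_pairs):
    """Roles carried by a list of Cisco-AV-Pair values, in order sent."""
    roles = []
    for raw in av_pairs:
        m = AV_PAIR.match(raw.strip())
        if not m or (m.group(1), m.group(2)) != ("shell", "roles"):
            continue  # shell:priv-lvl=15 names no role, so it is skipped
        for role in m.group(3).strip().strip('"').split():
            if role not in roles:
                roles.append(role)
    return roles or [DEFAULT_ROLE]


def audit(accounts, approved_admins):
    """Compare each account's effective role with the approved admin list."""
    findings = []
    for user in sorted(accounts):
        roles = effective_roles(accounts[user])
        is_admin = "network-admin" in roles
        if is_admin and user not in approved_admins:
            findings.append((user, "network-admin granted but not approved"))
        elif user in approved_admins and not is_admin:
            findings.append((user, "expected network-admin, gets " + ",".join(roles)))
    return findings


# Constructed sample data: account names and the approved list are hypothetical.
SAMPLE_ACCOUNTS = {
    "san-admin1": ["shell:priv-lvl=15"],
    "san-admin2": ['shell:roles="network-admin"', "shell:priv-lvl=15"],
    "helpdesk1": ['shell:roles*"network-operator network-admin"'],
}
APPROVED_ADMINS = {"san-admin1", "san-admin2"}

if __name__ == "__main__":
    for user, issue in audit(SAMPLE_ACCOUNTS, APPROVED_ADMINS):
        print(f"{user}: {issue}")
```

Run against an export of the RADIUS policy, this flags both directions of drift: accounts that silently fall back to the operator role, and accounts that carry network-admin without being on the approved list.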
