
Cisco 3800 Series Integrated Services Routers

Field Notice: FN - 62758 - Authentication Fails and Unable to Login to a Factory Fresh Router with Security Device Manager (SDM) 2.3.3


March 23, 2007

NOTICE:

THIS FIELD NOTICE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTY OF MERCHANTABILITY. YOUR USE OF THE INFORMATION ON THE FIELD NOTICE OR MATERIALS LINKED FROM THE FIELD NOTICE IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS FIELD NOTICE AT ANY TIME.


Products Affected

Products Affected: SDM Security Configuration 2.3.3

Comments: Cisco 800, 1700, 1800, 2700, 2800, 3700, 3800 routers running 12.3(21), 12.3(22), 12.4(12), 12.4(12a), 12.4(13), 12.4(13a), 12.4(11)T, 12.4(11)T1, 12.4(11)SW, 12.4(11)SW1, 12.4(11)XV, 12.4(11)XJ

Problem Description

This notice applies to Cisco 800, 1700, 1800, 2700, 2800, 3700, 3800 routers shipped from the factory with any of the following Cisco IOS images, with Cisco SDM 2.3.3 in flash, and with the Cisco SDM factory default IOS configuration in the start-up configuration:

- 12.3(21), 12.3(22)

- 12.4(12), 12.4(12a), 12.4(13), 12.4(13a)

- 12.4(11)T, 12.4(11)T1

- 12.4(11)SW, 12.4(11)SW1, 12.4(11)XV, 12.4(11)XJ

Authentication fails and the user is unable to log in to the router through HTTPS, HTTP, SSH, telnet, the console, or any management application.

Background

If Cisco 800, 1700, 1800, 2700, 2800, 3700, 3800 routers are ordered with Cisco SDM software and the Cisco SDM factory default IOS configuration, manufacturing loads the Cisco SDM default IOS configuration into the start-up configuration in NVRAM so that customers can invoke and use Cisco SDM right away. This default configuration enables local authentication on the HTTP server and on the VTY and console lines, and defines a one-time credential (username = cisco, password = cisco) that the customer uses to log in to the router for the first time through SDM or through HTTPS, HTTP, SSH, telnet, or the console. This one-time credential is removed from the running configuration after the user logs on to the router.

Due to a bug in Cisco IOS versions 12.3(21), 12.3(22), 12.4(12), 12.4(12a), 12.4(13), 12.4(13a), 12.4(11)T, 12.4(11)T1, 12.4(11)SW, 12.4(11)SW1, 12.4(11)XV, 12.4(11)XJ (CSCsi13896), the one-time credential is removed from the start-up configuration while the Cisco SDM factory default configuration is copied and verified in the factory. The customer therefore receives a router with local authentication configured but without any user credential, and is unable to log in to the router.
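The following is an added illustration and not part of the field notice or of any Cisco tool: a Python check that reads a saved IOS configuration and reports the condition described above, local authentication enforced (login local on the console or VTY lines, ip http authentication local, or an aaa authentication login method list that includes local) while no username entry is present. The sample configurations inside the block are constructed to mirror the notice, not copied from a router.

```python
"""Check an IOS startup configuration for the lockout condition this
field notice describes: local authentication enforced on the console,
VTY lines or HTTP server, with no `username` entry left to log in with.

Added illustrative code, not a Cisco tool; the sample configurations
below are constructed to mirror the notice, not copied from a real router."""
import re
from dataclasses import dataclass, field
from typing import List


@dataclass
class AuthSummary:
    usernames: List[str] = field(default_factory=list)
    local_lines: List[str] = field(default_factory=list)  # line blocks with `login local`
    http_local: bool = False        # `ip http authentication local` present
    aaa_login_local: bool = False   # `aaa authentication login ... local` present

    @property
    def local_auth_enforced(self) -> bool:
        return bool(self.local_lines) or self.http_local or self.aaa_login_local

    @property
    def locked_out(self) -> bool:
        # The notice's failure mode: local authentication with nobody to authenticate as.
        return self.local_auth_enforced and not self.usernames


def summarize_auth(config: str) -> AuthSummary:
    """Walk a running/startup config and collect the authentication facts."""
    summary = AuthSummary()
    current_block = None  # the `line ...` block we are inside, if any
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue  # blank line or comment
        text = raw.strip()
        if raw.startswith(" "):
            # indented sub-command: only `login local` under a line block matters here
            if current_block and text == "login local":
                summary.local_lines.append(current_block)
            continue
        # top-level command; remember line blocks so sub-commands can be attributed
        current_block = text if text.startswith("line ") else None
        m = re.match(r"username (\S+)", text)
        if m:
            summary.usernames.append(m.group(1))
        elif text == "ip http authentication local":
            summary.http_local = True
        elif re.match(r"aaa authentication login \S+ .*\blocal\b", text):
            summary.aaa_login_local = True
    return summary


def lockout_report(config: str) -> List[str]:
    """Human-readable findings; an empty list means no lockout risk detected."""
    s = summarize_auth(config)
    findings = []
    if s.locked_out:
        where = (s.local_lines
                 + (["ip http"] if s.http_local else [])
                 + (["aaa login"] if s.aaa_login_local else []))
        findings.append("local authentication enforced on " + ", ".join(where)
                        + " but no username is configured")
    return findings


# Constructed sample: the factory default as intended, with the one-time
# cisco/cisco credential from the notice present
INTACT_CONFIG = """\
!
username cisco privilege 15 password cisco
!
ip http server
ip http authentication local
!
line con 0
 login local
line vty 0 4
 login local
 transport input telnet ssh
!
end
"""

# Constructed sample: the same configuration after the username line was lost
STRIPPED_CONFIG = "\n".join(
    ln for ln in INTACT_CONFIG.splitlines() if not ln.startswith("username ")
) + "\n"

if __name__ == "__main__":
    for name, cfg in (("intact", INTACT_CONFIG), ("stripped", STRIPPED_CONFIG)):
        print(name, lockout_report(cfg) or ["ok"])
```

Running the block prints "ok" for the intact configuration and one finding for the stripped one; the same check can be pointed at a copy of the startup configuration (for example one taken with show startup-config) before the router is deployed.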

Problem Symptoms

When invoking SDM on a factory fresh router, or when accessing the router through HTTPS, HTTP, SSH, telnet, or the console, the customer is prompted for a username and password. Authentication does not succeed even when cisco/cisco is entered, as instructed in the Cisco SDM Quick Start Guide, or when any other user credential is tried.

Workaround/Solution

The workaround is to run the password recovery procedure.

Follow these steps in order to recover your password:

  1. Attach a terminal or PC with terminal emulation to the console port of the router.

    Use these terminal settings:

    • 9600 baud rate

    • No parity

    • 8 data bits

    • 1 stop bit

    • No flow control

    Refer to the Cabling Guide for Console and AUX Ports document for information on how to cable and connect a terminal to the console port or the AUX port.

  2. If you can access the router, type show version at the prompt, and record the configuration register setting. See Example of Password Recovery Procedure in order to view the output of a show version command.

    Note: The configuration register is usually set to 0x2102 or 0x102. If you can no longer access the router because of a lost login or TACACS password, you can safely assume that your configuration register is set to 0x2102.

  3. Use the power switch in order to turn off the router, and then turn the router back on.

  4. Press Break on the terminal keyboard within 60 seconds of power up in order to put the router into ROMMON. If the break sequence does not work, refer to Standard Break Key Sequence Combinations During Password Recovery for other key combinations.

  5. Type confreg 0x2142 at the rommon 1> prompt in order to boot from flash.

    This step bypasses the startup configuration where the passwords are stored.

  6. Type reset at the rommon 2> prompt.

    The router reboots, but ignores the saved configuration.

  7. Type no after each setup question, or press Ctrl-C in order to skip the initial setup procedure.

  8. Type enable at the Router> prompt. You are in enable mode and should see the Router# prompt.

  9. Type configure memory or copy startup-config running-config in order to copy the nonvolatile RAM (NVRAM) into memory.

    Important: Do not type copy running-config startup-config or write. These commands erase your startup configuration.

  10. Type show running-config.

    The show running-config command shows the configuration of the router. In this configuration, the shutdown command appears under all interfaces, which indicates all interfaces are currently shut down.

  11. Type configure terminal.

    The yourname(config)# prompt appears.

  12. Type username <username> privilege 15 password <password> in order to create a new user account with privilege 15.

    For example:

    yourname(config)#username cisco privilege 15 password cisco
    
  13. Issue the no shutdown command on every interface that you use.

    If you issue a show ip interface brief command, every interface that you want to use should display "up up".

  14. Type config-register <configuration_register_setting>, where configuration_register_setting is either the value you recorded in step 2 or 0x2102.

    For example:

    yourname(config)#config-register 0x2102
    

  15. Press Ctrl-z or type end in order to leave configuration mode.

    The yourname# prompt appears.

  16. Type write memory or copy running-config startup-config in order to commit the changes.
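As an added illustration, not part of the field notice and not a Cisco tool, the Python helper below supports steps 2, 5 and 14: it reads the configuration register from show version output, derives the value to set in ROMMON, and derives the value to restore afterwards. It assumes the documented configuration register layout in which bit 6 (0x0040) is the "ignore NVRAM contents" bit, which is exactly the difference between 0x2102 and 0x2142; the show version excerpt in the block is constructed.

```python
"""Configuration register helper for the password recovery steps above.

Added illustrative code, not Cisco tooling. Assumption, taken from the
documented configuration register layout: bit 6 (0x0040) is the
"ignore NVRAM contents" bit, so 0x2102 | 0x0040 == 0x2142. The
`show version` excerpt below is constructed."""
import re
from typing import Optional

IGNORE_NVRAM_BIT = 0x0040   # bit 6: boot without reading the startup configuration
DEFAULT_REGISTER = 0x2102   # value the procedure assumes when nothing was recorded


def parse_config_register(show_version_output: str) -> int:
    """Return the configuration register reported by `show version` (step 2).
    Raises ValueError when the line is absent."""
    m = re.search(r"Configuration register is 0x([0-9A-Fa-f]{1,4})", show_version_output)
    if not m:
        raise ValueError("no 'Configuration register is' line found in the output")
    return int(m.group(1), 16)


def recovery_register(recorded: int) -> int:
    """Value to set with confreg at the rommon prompt (step 5): the recorded
    value with the ignore-NVRAM bit set, so 0x2102 becomes 0x2142."""
    return recorded | IGNORE_NVRAM_BIT


def restore_register(recorded: Optional[int]) -> int:
    """Value for step 14: the value recorded in step 2, or 0x2102 when nothing
    was recorded, with the ignore-NVRAM bit cleared. Clearing it matters when
    the recorded value was itself 0x2142; writing that back would make the
    router keep ignoring its startup configuration on every reload."""
    base = DEFAULT_REGISTER if recorded is None else recorded
    return base & ~IGNORE_NVRAM_BIT & 0xFFFF


def fmt(register: int) -> str:
    """Format a register value the way it is typed at the prompt."""
    return f"0x{register:04x}"


# Constructed sample of the relevant `show version` line
SHOW_VERSION_SAMPLE = """\
Processor board ID PLACEHOLDER_SERIAL
Configuration register is 0x2102
"""

if __name__ == "__main__":
    recorded = parse_config_register(SHOW_VERSION_SAMPLE)
    print("recorded:", fmt(recorded))
    print("rommon 1> confreg", fmt(recovery_register(recorded)))
    print("(config)# config-register", fmt(restore_register(recorded)))
```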

DDTS

To follow the bug ID link below and see detailed bug information, you must be a registered user and you must be logged in.

DDTS: CSCsi13896 (registered customers only)

Description: Authentication fails and unable to login to a factory fresh router

Affected Serial Number and Hardware Version

Below is a list of Serial Numbers/Products which may be affected by this Field Notice. The list may not be a complete list of all Serial Numbers affected and will be updated if new information supports adding or removing Serial Numbers from the list. The list is sorted by Serial Number in ascending order.

[The serial number list is provided in the original notice as a set of images (fn62758_jf9u3k.jpg through fn62758_jfboka.jpg); the serial numbers themselves are not reproduced in this text.]

Revision History

Revision   Date          Comment
1.0        23-MAR-2007   Initial Public Release

For More Information

If you require further assistance, or if you have any further questions regarding this field notice, please contact the Cisco Systems Technical Assistance Center (TAC) by one of the following methods:

Receive Email Notification For New Field Notices

Product Alert Tool - Set up a profile to receive email updates about reliability, safety, network security, and end-of-sale issues for the Cisco products you specify.