Setting Password Protection
Note For security purposes, the EXEC has two levels of access to commands: user EXEC mode and privileged EXEC mode. The commands available at the user level are a subset of those available at the privileged level.
Tip Because many privileged-level EXEC commands are used to set operating parameters, password-protect these commands to prevent unauthorized use.
At the EXEC prompt, enter one of the following two commands to set password protection:
enable secret password (which is a very secure, encrypted password)
enable password password (which is a less secure, nonencrypted password)
To gain access to privileged-level commands, enter the desired password.
Note An enable secret password can contain from 1 to 25 uppercase and lowercase alphanumeric characters. An enable password can contain any number of uppercase and lowercase alphanumeric characters. A number cannot be the first character. Spaces are valid password characters; for example, “two words” is a valid password. Leading spaces are ignored. Trailing spaces are recognized. Alphanumeric characters are recognized as uppercase or lowercase.
Passwords should be different for maximum security. If you enter the same password for both during the setup script, the system accepts it, but you receive a warning message indicating that you should enter a different password.
Overview of the Password Recovery Process
Following is an overview of the general steps in the password recovery procedure:
Step 1 If you can log in to the router, enter the show version command to determine the existing configuration register value.
Step 2 Press the Break key to get to the bootstrap program prompt (ROM monitor). You might need to reload the system image by power cycling the router.
Step 3 Change the configuration register so that the following functions are enabled:
Ignore startup configuration
Boot from Flash memory
Note The key to recovering a lost password is to set the configuration register bit 6 (0x0040) so that the startup configuration (usually in NVRAM) is ignored. This allows you to log in without using a password and to display the startup configuration passwords. Cisco recommends setting the configuration register to 0x142.
Step 4 Power cycle the router by turning power off and then back on.
Step 5 Log in to the router and enter the privileged EXEC mode.
Step 6 Enter the show startup-config command to display the passwords.
Step 7 Recover or replace the displayed passwords.
Step 8 Change the configuration register back to its original setting.
Note To recover a lost password if Break is disabled on the router, you must have physical access to the router.
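The register change in Step 3 and its reversal in Step 8 can be checked from `show version` output. The following is an added example, not code from the original page or from Cisco; the meaning of bit 8 and of the boot field comes from the general IOS register layout rather than this page, and the sample lines are constructed.

```python
import re

IGNORE_STARTUP_CONFIG = 0x0040  # bit 6, as described in the note above
BREAK_DISABLED = 0x0100         # bit 8 (general IOS register layout, not stated on this page)
BOOT_FIELD_MASK = 0x000F        # bits 0-3; 0 stays in ROM monitor (same assumption)

# `show version` ends with this line; the "(will be ...)" part appears when a
# new value has been set but the router has not reloaded yet.
CONFREG_RE = re.compile(
    r"Configuration register is (0x[0-9A-Fa-f]+)"
    r"(?: \(will be (0x[0-9A-Fa-f]+) at next reload\))?"
)

def decode_confreg(value):
    """Split a register value into the fields that matter for password recovery."""
    return {
        "ignore_startup_config": bool(value & IGNORE_STARTUP_CONFIG),
        "break_disabled": bool(value & BREAK_DISABLED),
        "boot_field": value & BOOT_FIELD_MASK,
    }

def audit_show_version(text):
    """Flag a current or pending register value that bypasses the startup configuration."""
    m = CONFREG_RE.search(text)
    if m is None:
        return ["no configuration register line found"]
    findings = []
    for when, raw in (("current", m.group(1)), ("next reload", m.group(2))):
        if raw and decode_confreg(int(raw, 16))["ignore_startup_config"]:
            findings.append(f"{when} value {raw} ignores the startup configuration")
    return findings

# Constructed sample lines, not captured from a device.
RESTORED = "Configuration register is 0x2102"
LEFT_IN_RECOVERY = "Configuration register is 0x142"
PENDING = "Configuration register is 0x142 (will be 0x2102 at next reload)"

if __name__ == "__main__":
    for sample in (RESTORED, LEFT_IN_RECOVERY, PENDING):
        print(sample, "->", audit_show_version(sample) or "ok")
```

A router that still reports 0x142 after the procedure boots without its startup configuration, so its passwords are not applied until the register is restored and the router reloaded.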
Replacing or Recovering Passwords
Complete the following steps to recover or replace a lost enable, enable secret, or console login password:
Step 1 Attach an ASCII terminal to the console port on your Cisco RFGW-10.
Step 2 Configure the terminal to operate at 9600 baud, 8 data bits, no parity, and 2 stop bits.
Step 3 If you can log in to the router as a nonprivileged user, enter the show version command to display the existing configuration register value. Note the value for later use. If you cannot log in to the router at all, continue with the next step.
Step 4 Press the Break key or send a Break from the console terminal.
Step 5 Within 60 seconds of restoring the power to the router, press the Break key or send a Break. This action causes the router to enter the ROM monitor and display the ROM monitor prompt.
Step 6 To set the configuration register on a Cisco RFGW-10, use the configuration register utility by entering the
command at the ROM monitor prompt as follows:
Answer yes to the enable "ignore system config info?" prompt and note the current configuration register settings.
Step 7 Initialize the router by entering the reset command as follows:
The router initializes, the configuration register is set to 0x142, the router boots the system image from Flash memory and enters the System Configuration dialog (setup), as follows:
--- System Configuration Dialog --
Step 8 Enter
in response to the System Configuration dialog prompts until the following message appears:
Press RETURN to get started!
Step 9 Press Return.
The user EXEC prompt appears as follows:
Step 10 Enter the
command to enter privileged EXEC mode.
Step 11 Enter the show startup-config command to display the passwords in the configuration file as follows:
Router# show startup-config
Step 12 Scan the configuration file display looking for the passwords; the enable passwords are usually near the beginning of the file, and the console login or user EXEC password is near the end. The passwords displayed will look something like this:
enable secret 5 $1$ORPP$s9syZt4uKn3SnpuLDrhuei
enable password 23skiddoo
line con 0
Note The enable secret password is encrypted and cannot be recovered; it must be replaced. The enable and console passwords can be encrypted text or clear text.
Proceed to the next step to replace an enable secret, console login, or enable password. If there is no enable secret password, note the enable and console login passwords if they are not encrypted and proceed to Step 17.
Do not perform the next step unless you have determined that you must change or replace the enable, enable secret, or console login passwords. Failure to follow the steps as presented here could cause your router configuration to be erased.
Step 13 Enter the
command to load the startup configuration file into running memory. This action allows you to modify or replace passwords in the configuration.
Step 14 Enter the configure terminal command for configuration mode:
Router# configure terminal
Step 15 Enter the following commands to change the passwords:
Router(config)# enable secret newpassword1
Router(config)# enable password newpassword2
Router(config)# line con 0
Router(config-line)# password newpassword3
Change only the passwords necessary for your configuration. You can remove individual passwords by using the no form of the previous commands. For example, entering the no enable secret command removes the enable secret password.
Step 16 You must configure all interfaces to not be administratively shut down as follows:
Router(config)# interface GigabitEthernet 1/3
Router(config-if)# no shutdown
Enter the equivalent commands for all interfaces that were originally configured. If you omit this step, all interfaces are administratively shut down and unavailable when the router is restarted.
Step 17 Use the
r command to set the configuration register to the original value noted in Step 3 (the show version command) or Step 7 (the reset command).
Step 18 Press
or type end to exit configuration mode:
Do not perform the next step unless you have changed or replaced a password. If you skipped Step 13 through Step 16 previously, then proceed to Step 20. Failure to observe this sequence causes the system to erase your router configuration file.
Step 19 Enter the copy running-config startup-config command to save the new configuration to nonvolatile (NVRAM) memory:
Router# copy running-config startup-config
Step 20 Enter the
command to reboot the router:
Step 21 Log in to the router with the new or recovered passwords.
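The scan described in Step 12 can be automated once the configuration has been saved to a file. The following is an added example, not code from the original page or from Cisco; the type-7 and line vty entries in the sample are constructed, and the treatment of type 7 as reversible reflects general IOS behaviour rather than anything stated on this page.

```python
import re

# Constructed sample shaped like the excerpt in Step 12. The first two lines
# reuse the page's illustrative values; the line passwords are made up.
SAMPLE_CONFIG = """\
enable secret 5 $1$ORPP$s9syZt4uKn3SnpuLDrhuei
enable password 23skiddoo
line con 0
 password 7 0123456789AB
line vty 0 4
 password two words
"""

CRED_RE = re.compile(
    r"^\s*(enable secret|enable password|password)\s+(?:(\d+)\s+)?(\S.*)$")

def classify(type_code):
    """Map the optional type digit before the stored value to a storage class."""
    if type_code in (None, "0"):
        return "cleartext"
    if type_code == "7":
        return "reversible"   # obfuscated, not hashed
    return "hashed"           # e.g. type 5, the '$1$' form shown in Step 12

def inventory(config):
    """Return (scope, command, storage_class) for every credential line."""
    scope, found = "global", []
    for line in config.splitlines():
        if line.startswith("line "):
            scope = line.strip()          # following indented lines belong to this line
        elif line and not line[0].isspace():
            scope = "global"              # any other unindented line ends the block
        m = CRED_RE.match(line)
        if m:
            found.append((scope, m.group(1), classify(m.group(2))))
    return found

def findings(config):
    """Flag credentials that anyone able to read the file can use as-is."""
    items = inventory(config)
    out = [f"{scope}: {cmd} stored as {kind}"
           for scope, cmd, kind in items if kind != "hashed"]
    if {"enable secret", "enable password"} <= {cmd for _, cmd, _ in items}:
        out.append("global: enable secret takes precedence; review the weaker enable password")
    return out
```

Run `findings()` on the saved configuration after Step 19 to confirm that no cleartext or reversible entries remain where a hashed secret is available.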