Password Recovery Procedure for Cisco NX-OS
Bias-Free Language
The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
- Updated:
- February 20, 2012
Chapter: Password Recovery Procedure for Cisco NX-OS
Password Recovery Procedure for Cisco NX-OS
This document describes how to recover a lost network administrator password from the console port of a device that operates with Cisco NX-OS.
The Cisco NX-OS software is a data center-class operating system that is based on the Cisco SAN-OS software. The Cisco NX-OS software fulfills the routing, switching, and storage networking requirements of data centers and provides an Extensible Markup Language (XML) interface and a command-line interface (CLI) that is similar to Cisco IOS software.
Contents
Prerequisites
This section describes the prerequisites to performing the recovery procedure and includes the following topics:
Requirements
On a device with two supervisor modules, you must perform the password recovery procedure on the supervisor module that will become the active module after you complete the recovery procedure. To ensure that the other supervisor module does not become active, perform one of the following tasks:
- Remove the other supervisor module from the chassis.
- Change the console prompt of the other supervisor module to one of the following two prompts until the recovery procedure completes:
Note
For more information about these prompts, see the documentation for your device.
Conventions
For more information about document conventions, see the Cisco Technical Tips Conventions at http://www.cisco.com/application/pdf/paws/17016/techtip_conventions.pdf
Recovering the Network Administrator Password
You can recover the network administrator password using one of these methods:
This section includes the following topics:
Using the CLI with Network-Admin Privileges
To use the command line-interface (CLI) with network-admin privileges, follow these steps:
Step 1 Verify that your username has network-admin privileges.
Step 2 Assign a new network administrator password if your username has network-admin privileges.
Step 3 Save the configuration.
Power Cycling the Device
If you cannot start a session on the device that has network-admin privileges, you must recover the network administrator password by power cycling the device by following these two methods:
The password recovery procedure disrupts all traffic on the device. All connections to the device will be lost for 2 to 3 minutes.
Note ● You cannot recover the administrator password from a Telnet or Secure Shell (SSH) session to the management interface. You must have access to the local console connection. Also, for Cisco NX-OS devices, such as the Cisco Nexus 7000 Series switches, that support Connectivity Management Processors (CMPs) on the supervisor modules, you cannot use the CMP management interface to recover the administrator password.
- Password recovery updates the new administrator password only in the local user database and not on the remote AAA servers. The new password works only if local authentication is enabled; it does not work for remote authentication. When a password is recovered, local authentication is enabled for logins through a console so that the admin user can log in with a new password from a console.
Method One
To recover the network administrator password by power cycling the device, follow these steps:
Step 1 Establish a terminal session on the console port of the active supervisor module.
Note If you are using a non-U.S. keymap, the key sequence that you need to press to generate the break sequence may not work. In this case, we recommend that you set your terminal to a U.S. keymap. You can enter Ctrl-C instead of Ctrl-] (right square bracket) due to keyboard mapping.
Step 2 If you use SSH or a terminal emulator to access the console port or you are recovering the password on a Cisco Nexus 5000 Series switch running Cisco NX-OS Release 4.0(0)N1(2a) or earlier releases, go to Step 6.
Step 3 If you use Telnet to access the console port, press Ctrl-] (right square bracket) to verify that it does not conflict with the Telnet escape sequence.
If the Cisco NX-OS login prompt remains and the Telnet prompt does not appear, go to Step 6.
Step 4 If the Telnet prompt appears, change the Telnet escape sequence to a character sequence other than Ctrl-] (right square bracket). The following example shows how to set the Ctrl-\ as the escape key sequence in Microsoft Telnet:
Step 5 Press Enter one or more times to return to the Cisco NX-OS login prompt.
Step 6 Power cycle the device.
Step 7 Press Ctrl-] (right square bracket) from the console port session when the device begins the Cisco NX-OS software boot sequence to enter the switch(boot)# prompt mode. You need to press Ctrl-] (right square bracket) when you see that the system image is getting loaded.
Note For Cisco Nexus 5000 Series switches that run Cisco NX-OS 4.0(0)N1(2a) or earlier releases, use Ctrl-B (Ctrl+Shift+B) instead of the Ctrl-] (right square bracket).
Step 8 Reset the network administrator password.
switch(boot)# configure terminal
Step 9 Display the bootflash: contents to locate the Cisco NX-OS software image file.
switch(boot)# dir bootflash:
Step 10 Load the Cisco NX-OS system software image.
In the following example, the system image filename is nx-os.bin:
Step 11 Log in to the device using the new administrator password.
The running configuration indicates that local authentication is enabled for logins through a console. You should not change the running configuration in order for the new password to work for the future logins. You can enable remote authentication after you reset and remember the administrator password that is configured on the AAA servers.
Step 12 Reset the new password to ensure that is it is also the Simple Network Management Protocol (SNMP) password.
Step 13 Insert the previously removed standby supervisor module into the chassis, if necessary.
Step 14 Boot the Cisco NX-OS kickstart image on the standby supervisor module, if necessary.
In the following example, the kickstart image filename is nx-os_kickstart.bin:
Step 15 Load the Cisco NX-OS system software on the standby supervisor module, if necessary.
In the following example, the system image filename is nx-os.bin:
Step 16 Save the configuration.
Method Two
You can reset the network administrator password by reloading the device.
This procedure disrupts all traffic on the device. All connections to the device will be lost for 2 to 3 minutes.
Note ● You cannot recover the administrator password from a Telnet or SSH session to the management interface. You must have access to the local console connection. Also, for Cisco NX-OS devices, such as the Cisco Nexus 7000 Series switches, that support Connectivity Management Processors (CMPs) on the supervisor modules, you cannot use the CMP management interface to recover the administrator password.
- Password recovery updates the new administrator password only in the local user database and not on the remote AAA servers. The new password works only if local authentication is enabled; it does not work for remote authentication. When a password is recovered, local authentication is enabled for logins through a console so that the admin user can log in with a new password from a console.
To reset the network administrator password by reloading the device, follow these steps:
Step 1 Establish a terminal session on the console port of the active supervisor module.
Step 2 Reload the device to reach the loader prompt by using the reload command. You need to press Ctrl-C when the following appears :
Note For Cisco Nexus 5000 Series switches that run Cisco NX-OS 4.0(0)N1(2a) or earlier releases, use Ctrl-R (Ctrl+Shift+R) instead of the Ctrl-C.
Booting kickstart image: bootflash:/n7000-s1-kickstart.x.x.x.bin....
Note For Cisco Nexus 7000 Series switches, you must press Ctrl-C to stop loading the kickstart image when the switch is booting. For Cisco Nexus 5000 Series switches, you must press Ctrl-R (Ctrl+Shift+R).
Step 3 Restart the device with only the kickstart image to reach the switch boot prompt.
Step 4 Reset the network administrator password by following Step 8 through Step 16 described in the “Method One” section.
Recovery from the loader> Prompt
Use the help command at the loader> prompt to display a list of commands available at this prompt or to obtain more information about a specific command in that list.
Before you begin
This procedure uses the init system command, which reformats the file system of the device. Be sure that you have made a backup of the configuration files before you begin this procedure.
The loader> prompt is different from the regular switch# or switch(boot)# prompt. The CLI command completion feature does not work at the loader> prompt and might result in undesired errors. You must type the command exactly as you want the command to appear.
If you boot over TFTP from the loader> prompt, you must supply the full path to the image on the remote server.
Step 1 Specify the local IP address and the subnet mask for the system.
Step 2 Specify the IP address of the default gateway.
Step 3 Configure the boot process to stop at the switch(boot)# prompt.
Step 4 Boot the NX-OS image file from the required server. The switch(boot)# prompt indicates that you have a usable nx-os image.
Step 5 Enter the NX-OS system.
Be sure that you have made a backup of the configuration files before you enter this command.
Step 6 Complete the reload of the NX-OS image file.
Related Documentation
You can find documentation for the Cisco NX-OS software on Cisco.com :
http://www.cisco.com/en/US/products/ps9372/tsd_products_support_series_home.html
Obtaining Documentation and Submitting a Service Request
For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What’s New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:
http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html
Subscribe to the What’s New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service and Cisco currently supports RSS version 2.0.
Feedback