Password Recovery Procedure for Cisco NX-OS

This document describes how to recover a lost network administrator password from the console port of a device that operates with Cisco NX-OS.

The Cisco NX-OS software is a data center-class operating system that is based on the Cisco SAN-OS software. The Cisco NX-OS software fulfills the routing, switching, and storage networking requirements of data centers and provides an Extensible Markup Language (XML) interface and a command-line interface (CLI) that is similar to Cisco IOS software.

This document includes the following sections:

Prerequisites

This section describes the prerequisites to performing the recovery procedure and includes the following topics:

Requirements

On a device with two supervisor modules, you must perform the password recovery procedure on the supervisor module that will become the active module after you complete the recovery procedure. To ensure that the other supervisor module does not become active, perform one of the following tasks:

  • Remove the other supervisor module from the chassis.

  • Change the console prompt of the other supervisor module to one of the following two prompts until the recovery procedure completes:

    • loader >

    • switch(boot) #

For more information about these prompts, see the documentation for your device.

Conventions

For more information about document conventions, see the Cisco Technical Tips Conventions at http://www.cisco.com/application/pdf/paws/17016/techtip_conventions.pdf

Recovering the Administrator Password

You can recover the network administrator password using one of these methods:

  • From the CLI with a username that has network-admin privileges

  • By power cycling the device

  • By reloading the device

Using the CLI with Network-Admin Privileges to Recover the Administrator Password

SUMMARY STEPS

  1. switch# show user-account
  2. switch# config terminal
  3. switch(config)# username admin password new-password
  4. switch(config)# copy running-config startup-config

DETAILED STEPS

  Command or Action Purpose

Step 1

switch# show user-account

Example:

switch# show user-account 
user:admin
        this user account has no expiry date
        roles:network-admin
user:dbgusr
        this user account has no expiry date
        roles:network-admin network-operator

Shows that your username has network-admin privileges.

Step 2

switch# config terminal

Example:

switch# config terminal 
switch(config)# 

Enters global configuration mode.

Step 3

switch(config)# username admin password new-password

Example:

switch(config)# username admin password egBdf 

Assigns a new network administrator password if your username has network-admin privileges.

Note

 

The new password cannot contain the $ character.

Step 4

switch(config)# copy running-config startup-config

Example:

switch(config)# copy running-config startup-config 

Copies the running configuration to the startup configuration.
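
Added example (not part of the Cisco procedure): a Python sketch that parses show user-account output in the format shown in Step 1, lists every account that holds network-admin and can therefore run Steps 2 through 4 against admin, and checks a candidate password against the $ restriction noted in Step 3. The function names and the allow-list are assumptions for illustration; the sample text is constructed from the Step 1 example.

```python
# Constructed sample: the show user-account output from the Step 1 example.
SAMPLE_OUTPUT = """\
switch# show user-account
user:admin
        this user account has no expiry date
        roles:network-admin
user:dbgusr
        this user account has no expiry date
        roles:network-admin network-operator
"""

def parse_user_accounts(text):
    """Map each username to its roles and whether it never expires."""
    accounts, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("user:"):
            current = line[len("user:"):].strip()
            accounts[current] = {"roles": [], "no_expiry": False}
        elif current is None:
            continue  # prompt echo or blank line before the first account
        elif line.startswith("roles:"):
            accounts[current]["roles"] = line[len("roles:"):].split()
        elif line == "this user account has no expiry date":
            accounts[current]["no_expiry"] = True
    return accounts

def network_admins(accounts):
    """Accounts that can run Steps 2-4 and set the admin password."""
    return sorted(u for u, a in accounts.items() if "network-admin" in a["roles"])

def unexpected_admins(accounts, allowed):
    """network-admin accounts missing from a site allow-list (hypothetical)."""
    return [u for u in network_admins(accounts) if u not in allowed]

def password_problems(candidate):
    """Problems with a candidate value for new-password in Step 3."""
    problems = []
    if not candidate:
        problems.append("password is empty")
    if "$" in candidate:
        problems.append("contains '$', which new-password does not allow")
    return problems

if __name__ == "__main__":
    accts = parse_user_accounts(SAMPLE_OUTPUT)
    print("network-admin accounts:", network_admins(accts))
    print("not on allow-list:", unexpected_admins(accts, {"admin"}))
    print("egBdf:", password_problems("egBdf") or "ok")
```
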

Power Cycling the Device to Recover the Administrator Password

If you cannot start a session on the device that has network-admin privileges, you can recover the network administrator password by power cycling the device.


Caution


The password recovery procedure disrupts all traffic on the device. All connections to the device will be lost for 2 to 3 minutes.

Note


You cannot recover the administrator password from a Telnet or Secure Shell (SSH) session to the management interface. You must have access to the local console connection.

Note


Password recovery updates the new administrator password only in the local user database and not on the remote AAA servers. The new password works only if local authentication is enabled; it does not work for remote authentication. When a password is recovered, local authentication is enabled for logins through a console so that the admin user can log in with a new password from a console.

Note


If you need to recover the password because the username was not specified in the configuration file when you performed a copy configuration-file startup-config followed by the fast-reload or reload command, you will need to perform a write erase in Step 12 below.

Before you begin

On a device with two supervisor modules, you must perform the password recovery procedure on the supervisor module that will become the active module after you complete the recovery procedure. To ensure that the other supervisor module does not become active, perform one of the following tasks:

  • Remove the other supervisor module from the chassis.

  • Change the console prompt of the other supervisor module to one of the following two prompts until the recovery procedure completes:

    • loader >

    • switch(boot)#

Procedure

  Command or Action Purpose

Step 1

Establish a terminal session on the console port of the active supervisor module.

Note

 
If you are using a non-U.S. keymap, the key sequence that you press to generate the break sequence might not work. In this case, we recommend that you set your terminal to a U.S. keymap. Because of keyboard mapping, you can enter Ctrl-C instead of Ctrl-] (right square bracket).

Step 2

If you use SSH or a terminal emulator to access the console port, go to Step 6.

Step 3

If you use Telnet to access the console port, press Ctrl-] (right square bracket) to verify that it does not conflict with the Telnet escape sequence.

Example:

switch login: Ctrl-]

Note

 
If the Cisco NX-OS login prompt remains and the Telnet prompt does not appear, go to Step 6.

Step 4

If the Telnet prompt appears, change the Telnet escape sequence to a character sequence other than Ctrl-] (right square bracket).

Example:

telnet> set escape ^\
Escape Character is 'CTRL+\'

The example shows how to set Ctrl-\ as the escape key sequence in Microsoft Telnet.

Note

 
If the Cisco NX-OS login prompt remains and the Telnet prompt does not appear, go to Step 6.

Step 5

Press Enter one or more times to return to the Cisco NX-OS login prompt.

Example:

telnet> <Enter>
switch login:

Step 6

Power cycle the device.

Step 7

Press Ctrl-C to access the loader> prompt.

Example:

Ctrl-C
loader>

Step 8

loader> cmdline recoverymode=1

Example:


loader> cmdline recoverymode=1

Enters recovery mode.

Step 9

loader> boot n9000-dk9.x.x.x.bin

Example:

loader> boot n9000-dk9.x.x.x.bin 
Booting iash
Trying diskboot
 Filesystem type is ext2fs, partition type 0x83
Image valid
MD5Sum mismatch

INIT: Loading IGB driver ... Signature Envelope.(36)Invalid Tag in Signature Envelope
Installing SSE module ... done
Creating the sse device node ... done
Installing CCTRL driver for card_type 3 ...

Checking all filesystems.......
Installing SPROM driver ...
Installing default sprom values ...
 done.Configuring network ...
Installing psdev ...
Installing veobc ...
Installing OBFL driver ...
Starting portmap daemon...
creating NFS state directory: done
starting 8 nfsd kernel threads: done
starting mountd: done
starting statd: done
Loading system software
No system image is specified
INIT: Sending processes the TERM signal
INIT: Sending processes the KILL signal
Bad terminal type: "linux". Will assume vt100.
Cisco Nexus Operating System (NX-OS) Software
TAC support: http://www.cisco.com/tac
Copyright (c) 2002-2013, Cisco Systems, Inc. All
rights reserved.
The copyrights to certain works contained in this
software are owned by other third parties and used
and distributed under license. Certain components
of this software are licensed under the GNU General
Public License (GPL) version 2.0 or the GNU
Lesser General Public License (LGPL) Version 2.1.
A copy of each such license is available at
http://www.opensource.org/licenses/gpl-2.0.php and
http://www.opensource.org/licenses/lgpl-2.1.php
switch(boot)#

Restarts the device with the nx-os image to reach the switch(boot)# prompt.

Step 10

Press Enter one or more times to return to the Cisco NX-OS login prompt.

Example:

telnet> <Enter>
switch login:

Step 11

switch(boot)# config terminal

Example:

switch(boot)# config terminal 
Enter configuration commands, one per line.  End
with CNTL/Z.
switch(boot)(config)# 

Enters boot configuration mode.

Step 12

switch(boot)(config)# admin-password new-password

Example:

switch(boot)(config)# admin-password egBdf 
WARNING! Remote Authentication for login through console has been disabled

Resets the network administrator password.

Note

 

If you are performing this password recovery procedure because the username was not specified in the configuration file when you performed a copy configuration-file startup-config followed by the fast-reload or reload command, skip this step, enter the write erase command instead, and then go to the next step.

Step 13

switch(boot)(config)# exit

Example:

switch(boot)(config)# exit 
switch(boot)# 

Exits boot configuration mode.

Step 14

switch(boot)# load-nxos

Example:

switch(boot)# load-nxos 

Loads the nx-os image. You must enter the load-nxos command exactly as shown. Do not enter the image filename with this command.

Step 15

Log in to the device using the new administrator password.

Example:

switch login: admin 
Password: egBdf

The running configuration indicates that local authentication is enabled for logins through a console. Do not change the running configuration, so that the new password continues to work for future logins. You can enable remote authentication after you reset and remember the administrator password that is configured on the AAA servers.

switch# show running-config aaa
!Command: show running-config aaa
!Time: Fri Jun 7 02:39:23 2013
version 6.1(2)I1(1)
logging level aaa 5
aaa authentication login ascii-authentication

Step 16

switch# config terminal

Example:

switch# config terminal 
switch(config)# 

Enters global configuration mode.

Step 17

switch(config)# username admin password new-password

Example:

switch(config)# username admin password egBdf 

Resets the new password to ensure that it is also the Simple Network Management Protocol (SNMP) password.

Step 18

switch(config)# exit

Example:

switch(config)# exit 
switch# 

Exits global configuration mode.

Step 19

Insert the previously removed standby supervisor module into the chassis, if necessary.

Step 20

Boot the nx-os image on the standby supervisor module, if necessary.

Step 21

switch(config)# copy running-config startup-config

Example:

switch(config)# copy running-config startup-config 

Copies the running configuration to the startup configuration.

Reloading the Device to Recover the Administrator Password

You can reset the network administrator password by reloading the device.


Caution


This procedure disrupts all traffic on the device. All connections to the device will be lost for 2 to 3 minutes.

Note


You cannot recover the administrator password from a Telnet or Secure Shell (SSH) session to the management interface. You must have access to the local console connection.

Note


Password recovery updates the new administrator password only in the local user database and not on the remote AAA servers. The new password works only if local authentication is enabled; it does not work for remote authentication. When a password is recovered, local authentication is enabled for logins through a console so that the admin user can log in with a new password from a console.

SUMMARY STEPS

  1. Establish a terminal session on the console port of the active supervisor module.
  2. switch# reload
  3. loader> cmdline recoverymode=1
  4. loader> boot n9000-dk9.x.x.x.bin
  5. Reset the network administrator password by following Steps 6 through 20 in Power Cycling the Device to Recover the Administrator Password.

DETAILED STEPS

  Command or Action Purpose

Step 1

Establish a terminal session on the console port of the active supervisor module.

Step 2

switch# reload

Example:

switch# reload 
This command will reboot the system. (y/n)?  [n] Y
2013 Jun  7 13:09:56 switch %$ VDC-1 %$ %PLATFORM-2-PFM_SYSTEM_RESET:
Manual system restart from Command Line Interface
 writing reset reason 9,
..
..
              GNU GRUB  version 0.97
Autobooting bootflash:/n9000-dk9.x.x.x.bin bootflash:/n...
 Filesystem type is ext2fs, partition type 0x83
Booting nx-os image: bootflash:/n9000-dk9.x.x.x.bin....(---->
Press Ctrl + C)
....Aborting Image Boot    
              GNU GRUB  version 0.97
                Loader Version 3.22.0
loader>

Reloads the device to reach the loader prompt. You need to press Ctrl-C when the following appears:
Booting nx-os image: bootflash:/n9000-dk9.x.x.x.bin....

Step 3

loader> cmdline recoverymode=1

Example:

loader> cmdline recoverymode=1

Configure the boot process to stop at the switch(boot)# prompt.

Step 4

loader> boot n9000-dk9.x.x.x.bin

Example:

loader> boot n9000-dk9.x.x.x.bin 
Filesystem type is ext2fs, partition type 0x83
Booting nx-os image: n9000-dk9.6.1.2.I1.1.gbin....
................................................
.....................Image verification OK
..
..
Lesser General Public License (LGPL) Version 2.1.
A copy of each such license is available at
http://www.opensource.org/licenses/gpl-2.0.php and
http://www.opensource.org/licenses/lgpl-2.1.php
switch(boot)#

Restarts the device with only the nx-os image to reach the switch(boot)# prompt.

Step 5

Reset the network administrator password by following Steps 6 through 20 in Power Cycling the Device to Recover the Administrator Password.

Recovery from the loader> Prompt

Use the help command at the loader> prompt to display a list of commands available at this prompt or to obtain more information about a specific command in that list.

Before you begin

This procedure uses the init system command, which reformats the file system of the device. Be sure that you have made a backup of the configuration files before you begin this procedure.

The loader> prompt is different from the regular switch# or switch(boot)# prompt. The CLI command completion feature does not work at the loader> prompt and might result in undesired errors. You must type the command exactly as you want the command to appear.

If you boot over TFTP from the loader> prompt, you must supply the full path to the image on the remote server.

Procedure


Step 1

Specify the local IP address and the subnet mask for the system.

loader> set ip 172.21.55.213 255.255.255.224

Step 2

Specify the IP address of the default gateway.

loader> set gw 172.21.55.193

Step 3

Configure the boot process to stop at the switch(boot)# prompt.

loader> cmdline recoverymode=1

Step 4

Boot the NX-OS image file from the required server. The switch(boot)# prompt indicates that you have a usable nx-os image.

loader> boot tftp://172.28.255.18/tftpboot/n9000-dk9.6.1.2.I1.1.bin

Step 5

Enter the NX-OS system.

Caution

 

Be sure that you have made a backup of the configuration files before you enter this command.

switch(boot)# init system

Step 6

Complete the reload of the NX-OS image file.

switch(boot)# reload-nxos