Cisco ACS 4.x Password Recovery

I inherited an ACS server, but I don't have the admin password. Does anyone know of a password recovery technique?

If it is running ACS ver 4.0 on Windows, then it is not possible. With ACS v4.0 all the configuration has been shifted from the registry to a database file, thus increasing the security in ACS. So as of now there is no way to recover the lost Admin password in ACS v4.0, because no setting is in the registry; all settings are in the SQL database.
So you need to reimage it ...
If it is ACS Windows 3.3.4 or below, then you need to make a registry change:
Log in to the ACS machine as administrator.
Go to Start ===> Run ===> regedit
Click on HKEY_LOCAL_MACHINE ===> software ===> cisco ===> CiscoAAAv3.2 ===> CSAdmin ===> and delete all administrative users defined by right-clicking into the administrator folder.
Now log in locally to ACS and it should not prompt you for a password.
As a best practice, make sure that "Allow automatic login" is checked.
This will not prompt you for a password if you are logging in locally from the ACS machine.
If it is an appliance, then you need to use the recovery CD to reset the admin password.
Regards,
~JG
Do rate helpful posts

Similar Messages

  • Cisco ACS 4.2 1113 Recovery DVD

    Good day!
    We have a CSACSE-1113-k9 Cisco ACS 4.2 1113 appliance, and we need to reimage it (restore the appliance to its original state). Could anyone help me with the proper link to the recovery DVD image on software.cisco.com?
    I'm trying to find it, but I can't see the recovery DVD under:
    Downloads Home > Products > Cloud and Systems Management > Security and Identity Management > Cisco Secure Access Control Server Products > Cisco Secure Access Control Server Solution Engine > Cisco Secure Access Control Server Solution Engine 4.2

    Hi,
    AFAIK you do not have the option to download ACS Recovery DVD from cisco.com. You can contact Cisco TAC and they can publish the software for you.
    Do rate if Helpful....
    Regards,
    Kush

  • Cisco 878 "priv" command password recovery in Rommon mode

    Hi,
    There was a "Cookie information corrupt" error on a Cisco 878 and I entered the cookie information with the cookie command. The priv command password is "0000" when all cookies are zero, but I inserted the wrong cookies. I want to edit the cookie information. The priv command password changed and I can't edit the cookie information.
    How can I recover the priv command password in rommon?
    Thanks for help,

    Hi friends,
    I solved the problem. You must add the first five numbers in 16-bit hex in cookies:
    Sample:
    0001 + 0030 + 85d7 + e060 + 0aff = 17167
    The password is only four characters, so remove the most significant bit and the password is 7167.

  • Cisco 3560-G Username/password recovery

    Evening all,
    Whilst configuring a 3560-G I was interrupted whilst setting a username and password; unfortunately, when I turned back around I was kicked out. It is now asking for a username even though I haven't set one fully. I was vty into the device and am unable to console in at the moment. Is there anything I can do to get past this except get physical access and reboot the device? I haven't saved the config at any point, so if I reset I assume the username/password mistake wouldn't exist any more. Any help is greatly appreciated.
    Cheers
    Neil,

    I haven't saved the config at any point, so if I reset I assume the username/password mistake wouldn't exist any more.
    Rebooting the switch is one option. You can have physical access to the appliance or you can use SNMP to remotely reboot the appliance. For this method to work, the command "snmp-server system-shutdown" needs to be enabled.
    Another option is to pull down or upload the config using SNMP. This method depends on whether the SNMP RW community string is disabled or not.

  • Cisco VXC 6215: bios password recovery

    hi
    I have a unit of VXC 6215, once rebooting "DEL" is pressed, brings us to the BIOS password input. Black & Blue screen
    Passwword/Unlock Key: [???????????]
    Unlock Key Hint Number: 35629588
    What is the password/unlock key? Could not find it in any of the admin guide.
    Please advise

    while the VXC6215 is booting up, Press & Hold the "DELETE" key. This will take you into BIOS MODE of the VXC6215.  Note: you may have to do this a couple of times to get it to work.
    The PASSWORD to get into BIOS mode is "Fireport"

  • Cisco ISE 1.2 vm cli admin password recovery

    I'm having trouble getting this to work. I was under the impression that by mounting the ISO (connect at power on) I could perform the password recovery as stated for the hardware appliance. However, if I mount the 1.2.0.899 ISO image (connect at power on) I don't seem to get any options in my VM console. At most, I have an <enter> at the very beginning that will take me to the Grub or ADE boot menu... but I don't see anything about options to change the password.

    Make sure you are following the steps in the following link:
    http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/installation_guide/ise_ig/ise_postins.html#38674
    Also, make sure that the VM Guest is set to boot from DVD/CD first before trying the HDD. 
    Thank you for rating helpful posts!

  • Enable password recovery in cisco 2950 with AAA

    Hello friends,
    I need to recover the switch enable password. I have already configured AAA as well; when I try to follow the procedure below, it finally says Authorization failed. How can I recover the enable password?
    Regards,
    Haris
    If I try to recover password like this description says
    http://www.cisco.com/en/US/docs/switches/lan/catalyst2960/software/release/12.2_25_see/configuration/guide/swtrbl.html#wp1090048
    Step 1 Connect a terminal or PC with terminal-emulation software to the switch console port.
    Step 2 Set the line speed on the emulation software to 9600 baud.
    Step  3 Power off the switch. Reconnect the power cord to the switch and,  within 15 seconds, press the Mode button while the System LED is still  flashing green.
    Base ethernet MAC Address: 00:0x:xx:xx:xx:xx
    Xmodem file system is available.
    The password-recovery mechanism is enabled.
    The system has been interrupted prior to initializing the
    flash filesystem. The following commands will initialize
    the flash filesystem, and finish loading the operating
    system software:
    flash_init
    load_helper
    boot
    switch:
    Step 4 switch: flash_init
    Initializing Flash...
    flashfs[0]: 600 files, 19 directories
    flashfs[0]: 0 orphaned files, 0 orphaned directories
    flashfs[0]: Total bytes: 32514048
    flashfs[0]: Bytes used: 7713792
    flashfs[0]: Bytes available: 24800256
    flashfs[0]: flashfs fsck took 10 seconds.
    ...done Initializing Flash.
    Boot Sector Filesystem (bs) installed, fsid: 3
    Setting console baud rate to 9600...
    Step5 switch:load_helper
    Step6 switch: dir flash:
    Directory of flash:/
    2 -rwx 916 <date> vlan.dat
    5 drwx 192 <date> c2960-lanbase-mz.122-25.SEE1
    620 -rwx 5488 <date> config.text
    621 -rwx 5 <date> private-config.text
    24800256 bytes available (7713792 bytes used)
    Step7 switch: rename flash:config.text flash:config.text.old
    Step8 switch: boot
    Loading "flash:c2960-lanbase-mz.122-25.SEE1/c2960-lanbase-mz.122-25.SEE1.bin"...
    Initializing flashfs...
    flashfs[1]: 600 files, 19 directories
    flashfs[1]: 0 orphaned files, 0 orphaned directories
    flashfs[1]: Total bytes: 32514048
    flashfs[1]: Bytes used: 7713792
    flashfs[1]: Bytes available: 24800256
    flashfs[1]: flashfs fsck took 1 seconds.
    flashfs[1]: Initialization complete....done Initializing flashfs.
    64K bytes of flash-simulated non-volatile configuration memory.
    Base ethernet MAC Address : 00:0x:xx:xx:xx:xx
    Motherboard assembly number : xxxxxxxxxx
    Power supply part number : xxxxxxxxxxx
    Motherboard serial number : xxxxxxxxxxx
    Power supply serial number : xxxxxxxxxxx
    Model revision number : B0
    Motherboard revision number : B0
    Model number : WS-C2960G-24TC-L
    System serial number : xxxxxxxxxxxx
    Top Assembly Part Number : xxxxxxxxxxxx
    Top Assembly Revision Number : B0
    Version ID : V02
    CLEI Code Number : xxxxxxxxxxxxx
    Hardware Board Revision Number : 0x01
    Switch Ports Model SW Version SW Image
    * 1 24 WS-C2960G-24TC-L 12.2(25)SEE1 C2960-LANBASE-M
    Press RETURN to get started!
    Step9 Hit <Enter>
    Would you like to terminate autoinstall? [yes]: yes
    Step10
    --- System Configuration Dialog ---
    Would you like to enter the initial configuration dialog? [yes/no]no
    Switch>
    Step11 Switch> enable
    Step12 Switch# rename flash:config.text.old flash:config.text
    Destination filename [config.text]? <Enter>
    Step13 Switch# copy flash:config.text system:running-config
    Destination filename [running-config]?<Enter>
    5488 bytes copied in 0.940 secs (5838 bytes/sec)
    Step14 NewSwitchName#conf t
    % Authorization failed.
    Doesn't this procedure work any more ?

    The password recovery worked, but you copied your problematic config back to the switch. Skip Step 13 and paste only the working part of the config to the switch.
    You can see your renamed config with "more flash:config.text.old".

  • Cisco ACS 5.4 + Anyconnect 3.1 NAM with 802.1x, problem with changing ACS Radius user password

    Dear all,
    Presently, we are testing 802.1x using Cisco ACS 5.4 and Cisco Anyconnect v3.1 as the 802.1x supplicant. We have created predefined NAM profiles (with Cisco Profile Editor) and applied them as default on our test machine. We are using PEAP (MsCHAPv2) and ACS local user credentials for the authentication process. We have noticed that when we try to authenticate to the network with the predefined profile (the network profile has Administrator Network privileges) and the Windows user on the test machine has no Admin privileges, we are not able to change the ACS user password (checked "Change password on next login" in the ACS user profile). In the Monitoring and Report View we get Failure Reason "24203 User need to change password" but no popup window appears in Anyconnect. When we change the Windows local user privileges to Admin or create the Anyconnect network profile locally (privileges User Network), then we are able to finish the process.
    Have you ever faced the problem described above? Is it an Anyconnect bug? How can we fix it?
    Best regards,
    Piotr

    If this happens with all machines, then maybe a Microsoft guy can look at the app logs/privileges. It seems the app is requesting a privilege that it is not authorized for, and that's why the prompt window fails to appear. If we know what that privilege is we can probably fix it. If that privilege is not even required for smooth work, Cisco probably needs to fix this behavior.
    I am sorry if I am not able to help but I am not using the anyconnect for production.
    Regards,
    Amjad
    Rating useful replies is more useful than saying "Thank you"

  • Cisco NCS admin password recovery.

    Hi All
    In the Cisco NCS shell I incorrectly entered the following command in order to change the admin password and saved it
    username admin password hash <password> role admin
    and hence lost access to the shell (ssh). Is there a way to retrieve or reset the admin password? I tried to log in as single user (as in any other Red Hat distribution) but it didn't work. In the worst case scenario I have to rebuild the server (VM) from the .ova image, however the licenses won't work.
    Any advice would be greatly appreciated.
    Regards

    Hello,
    The only way to recover the admin password for NCS would be to use the recovery image (iso). The recovery image is not available for download from CCO. Please open a TAC case & they can special publish the image for you.
    For the CLI admin password, the recovery method is the same as the physical appliance.  Attach the recovery ISO, and reboot the machine.  You may have to force the virtual machine to boot from the cd drive.  Once it does, you will get the  menu that contains the password recovery option.
    Hope this helps.
    Ram

  • Password recovery on Cisco AP 1232

    Hi all.
    I have a Cisco 1232 AP at a remote location. It was configured by somebody no longer with the company and I have no passwords for it, nor do I have a backup config.
    It is using local authentication.
    Is there a way to do a password recovery without losing the current configuration?

    Check this out:
    http://www.cisco.com/en/US/products/hw/wireless/ps430/products_password_recovery09186a00800949d0.shtml#resios
    There is another similar post on this board for using a password cracker.
    Here's a link to the thread:
    http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Wireless%20-%20Mobility&topic=Getting%20Started%20with%20Wireless&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40%5E1%40%40.1dddb082/1#selected_message
    Good Luck
    Scott

  • Cisco Password Recovery

    Hello,
    How can I block anybody from changing the password using Cisco password recovery? I am facing a problem where a few of our clients are rebooting the router, changing the config register, and changing the password.
    Please give me a few suggestions.
    Thanks

    Try the "no service password-recovery" command in global config mode.
    Please read the information contained in the following URL before you use this command:
    http://www.cisco.com/en/US/partner/products/sw/iosswrel/ps5413/products_feature_guide09186a00802a1e76.html
    Hope this helps,

  • Password Recovery Cisco WLAN Controllers

    Hi,
    I would like to know the procedure for recovering passwords on Cisco 2000/4000 series controllers.
    Please Help!
    Thanks and Regards,
    Mohan

    Sorry, you have to reset to factory defaults. Then reconfigure. Here's the TAC Case
    Solution # K52826052
    Title How to recover a password on the Cisco Wireless LAN Controller
    Core Issue
    Resolution
    There is no password recovery option on the Wireless LAN Controller (WLC). You need to set the WLC to factory defaults and reconfigure it.
    In order to set the WLC to factory defaults, power cycle the WLC, press the ESC key during the boot-up process from the console, and select the last option (5) to clear the configuration and reboot the Wireless LAN Controller.
    Note: The new default username and password is "admin".

  • No service password recovery command on cisco 2801 router

    HI,
    We have a Cisco 2801 router in class which has password recovery disabled. We tried almost everything; we cannot get into ROMmon and the break sequence doesn't work in any program (HyperTerminal, PuTTY, Tera Term Pro). We don't have any idea how to solve this problem.
    Here is the log from hyperterminal:
    System Bootstrap, Version 12.3(8r)T9, RELEASE SOFTWARE (fc1)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 2004 by cisco Systems, Inc.
    PLD version 0x10
    GIO ASIC version 0x127
    c2801 processor with 131072 Kbytes of main memory
    Main memory is configured to 64 bit mode with parity disabled
    Readonly ROMMON initialized
    PASSWORD RECOVERY FUNCTIONALITY IS DISABLED
    program load complete, entry point: 0x8000f000, size: 0xc100
    Initializing ATA monitor library.......
    program load complete, entry point: 0x8000f000, size: 0xc100
    Initializing ATA monitor library.......
    program load complete, entry point: 0x8000f000, size: 0xd49718
    Self decompressing the image : #################################################
    ######## [OK]
    --- TRIED BREAK SEQUENCE HERE but nothing happens ---
    Smart Init is enabled
    smart init is sizing iomem
      ID            MEMORY_REQ         TYPE
                    0X003AA110 public buffer pools
                    0X00211000 public particle pools
    0X0013          0X00035000 Card in slot 1
                    0X000021B8 Onboard USB
    If any of the above Memory Requirements are
    "UNKNOWN", you may be using an unsupported
    configuration or there is a software problem and
    system operation may be compromised.
    Allocating additional 7692663 bytes to IO Memory.
    PMem allocated: 117440512 bytes; IOMem allocated: 16777216 bytes
                  Restricted Rights Legend
    Use, duplication, or disclosure by the Government is
    subject to restrictions as set forth in subparagraph
    (c) of the Commercial Computer Software - Restricted
    Rights clause at FAR sec. 52.227-19 and subparagraph
    (c) (1) (ii) of the Rights in Technical Data and Computer
    Software clause at DFARS sec. 252.227-7013.
               cisco Systems, Inc.
               170 West Tasman Drive
               San Jose, California 95134-1706
    Cisco IOS Software, 2801 Software (C2801-IPBASE-M), Version 12.4(1c), RELEASE SO
    FTWARE (fc1)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2005 by Cisco Systems, Inc.
    Compiled Wed 26-Oct-05 08:42 by evmiller
    Image text-base: 0x6007ECA0, data-base: 0x61480000 
    --- TRIED BREAK SEQUENCE HERE but nothing happens too ---
    Port Statistics for unclassified packets is not turned on.
    Cisco 2801 (revision 6.0) with 114688K/16384K bytes of memory.
    Processor board ID FCZ102422KK
    2 FastEthernet interfaces
    2 Low-speed serial(sync/async) interfaces
    DRAM configuration is 64 bits wide with parity disabled.
    191K bytes of NVRAM.
    62720K bytes of ATA CompactFlash (Read/Write)
    Press RETURN to get started!
    Thanks for help!

    I usually suffer from the same issue, but what works for me every time is the other method that simulates the break sequence. I can't find the documentation for it, but this is how it goes:
    Set the serial connection as follows in Putty:
    Baud rate 1200
    1 stop bit
    8 data bits
    no parity
    no flow control
    Turn off your router, then turn it back on and immediately press the spacebar for about 10-15 seconds. All you'll see is gibberish. After that, reset your console connection settings to the usual 9600 baud rate, and you'll find yourself in rommon mode.

  • Cisco 3945 password recovery

    I observed two cisco 3945 routers lose IOS during password recovery. Router was rebooted, break sequence ctrl-break, then boot(instead of reset) issued. The router booted to its existing configuration or password recovery failed and router was power cycled again then ctrl-break issued. However this time the IOS was gone and all flash file systems were blank! It happened on two routers. Anyone know why such an anomaly would occur or has anyone witnessed such?

    config register was set to confreg 0X2142 first time password recovery was attempted. It took but only after the power cycle(not when I simply typed boot) but by then the IOS images were gone. I found that very disturbing when it happened on two different routers and I never saw such a thing happen to a router before. 

  • VPN client and Cisco ACS

    hi,
    I'm trying to setup a VPN solution, connecting to a 800 series router and authenticating off a Cisco ACS tacacs server.
    I've basically followed the suggested config at http://www.cisco.com/en/US/customer/tech/tk59/technologies_configuration_example09186a00800a393b.shtml and the setup works fine if I use local authentication, but as soon as I switch to using TACACS the client authentication fails.
    Debugging tacacs on the router I can see the requests being sent to the server, and the replies coming back - the login details are definitely correct, so I'm guessing that TACACS isn't authorising me to use VPN or IPSEC or something. But there is nothing in the ACS logs to suggest why I'm not getting through - no failed attempts are shown.
    Any ideas?

    here is some debug from the router:
    Feb 24 12:28:58.973 UTC: TPLUS: processing authentication start request id 129
    Feb 24 12:28:58.973 UTC: TPLUS: Authentication start packet created for 129(vpngroup)
    Feb 24 12:28:58.973 UTC: TPLUS: Using server 10.10.10.10
    Feb 24 12:28:58.973 UTC: TPLUS(00000081)/0/NB_WAIT/823A9F04: Started 5 sec timeout
    Feb 24 12:28:58.989 UTC: TPLUS(00000081)/0/NB_WAIT: socket event 2
    Feb 24 12:28:58.989 UTC: T+: Version 192 (0xC0), type 1, seq 1, encryption 1
    Feb 24 12:28:58.989 UTC: T+: session_id 1729330768 (0x67137E50), dlen 16 (0x10)
    Feb 24 12:28:58.989 UTC: T+: type:AUTHEN/START, priv_lvl:1 action:LOGIN ascii
    Feb 24 12:28:58.989 UTC: T+: svc:LOGIN user_len:8 port_len:0 (0x0) raddr_len:0 (0x0) data_len:0
    Feb 24 12:28:58.989 UTC: T+: user: vpntest
    Feb 24 12:28:58.989 UTC: T+: port:
    Feb 24 12:28:58.989 UTC: T+: rem_addr:
    Feb 24 12:28:58.989 UTC: T+: data:
    Feb 24 12:28:58.989 UTC: T+: End Packet
    Feb 24 12:28:58.989 UTC: TPLUS(00000081)/0/NB_WAIT: wrote entire 28 bytes request
    Feb 24 12:28:58.993 UTC: TPLUS(00000081)/0/READ: socket event 1
    Feb 24 12:28:58.993 UTC: TPLUS(00000081)/0/READ: Would block while reading
    Feb 24 12:28:59.009 UTC: TPLUS(00000081)/0/READ: socket event 1
    Feb 24 12:28:59.009 UTC: TPLUS(00000081)/0/READ: read entire 12 header bytes (expect 16 bytes data)
    Feb 24 12:28:59.009 UTC: TPLUS(00000081)/0/READ: socket event 1
    Feb 24 12:28:59.009 UTC: TPLUS(00000081)/0/READ: read entire 28 bytes response
    Feb 24 12:28:59.009 UTC: T+: Version 192 (0xC0), type 1, seq 2, encryption 1
    Feb 24 12:28:59.009 UTC: T+: session_id 1729330768 (0x67137E50), dlen 16 (0x10)
    Feb 24 12:28:59.009 UTC: T+: AUTHEN/REPLY status:5 flags:0x1 msg_len:10, data_len:0
    Feb 24 12:28:59.009 UTC: T+: msg: Password:
    Feb 24 12:28:59.009 UTC: T+: data:
    Feb 24 12:28:59.009 UTC: T+: End Packet
    s9990-cr#
    Feb 24 12:28:59.009 UTC: TPLUS(00000081)/0/823A9F04: Processing the reply packet
    Feb 24 12:28:59.009 UTC: TPLUS: Received authen response status GET_PASSWORD (8)
    "AUTHEN/REPLY status:5" is a permanent fail according to the TACACS RFC
    In the VPN Client log it says "User does not provide any authentication data"
    So to summarise:
    -Same ACS server\router\username combination works fine for telnet access.
    -VPN works fine with local authentication.
    -No login failures showing in the ACS logs.
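
Added example, not part of the original thread: a small parser for the `T+:` debug lines quoted in the post above. It decodes the authentication REPLY status using the code table in RFC 8907 (section 5.4.1) and checks that each packet's declared `dlen` matches its length fields. The function names are hypothetical, and the line format is assumed to be the one shown in the post.

```python
import re

# Authentication REPLY status codes, RFC 8907 section 5.4.1.
AUTHEN_STATUS = {0x01: "PASS", 0x02: "FAIL", 0x03: "GETDATA", 0x04: "GETUSER",
                 0x05: "GETPASS", 0x06: "RESTART", 0x07: "ERROR", 0x21: "FOLLOW"}
# These statuses are prompts: the server expects a CONTINUE packet from the client.
NEEDS_INPUT = {"GETDATA", "GETUSER", "GETPASS"}
REPLY_FLAG_NOECHO = 0x01  # client should not echo what the user types

# Excerpt of the "T+:" debug lines quoted in the post above.
SAMPLE = """\
Feb 24 12:28:58.989 UTC: T+: Version 192 (0xC0), type 1, seq 1, encryption 1
Feb 24 12:28:58.989 UTC: T+: session_id 1729330768 (0x67137E50), dlen 16 (0x10)
Feb 24 12:28:58.989 UTC: T+: type:AUTHEN/START, priv_lvl:1 action:LOGIN ascii
Feb 24 12:28:58.989 UTC: T+: svc:LOGIN user_len:8 port_len:0 (0x0) raddr_len:0 (0x0) data_len:0
Feb 24 12:28:58.989 UTC: T+: End Packet
Feb 24 12:28:59.009 UTC: T+: Version 192 (0xC0), type 1, seq 2, encryption 1
Feb 24 12:28:59.009 UTC: T+: session_id 1729330768 (0x67137E50), dlen 16 (0x10)
Feb 24 12:28:59.009 UTC: T+: AUTHEN/REPLY status:5 flags:0x1 msg_len:10, data_len:0
Feb 24 12:28:59.009 UTC: T+: End Packet
"""

# Matches "name:123", "name 123" and "name:0x1f" style numeric fields.
FIELD = re.compile(r"(\w+)[: ](0x[0-9A-Fa-f]+|\d+)")

def parse_packets(text):
    """Return one dict of numeric fields per packet (delimited by 'End Packet')."""
    packets, cur = [], {}
    for line in text.splitlines():
        if "T+:" not in line:
            continue                      # skip TPLUS socket/state lines
        body = line.split("T+:", 1)[1].strip()
        if body == "End Packet":
            if cur:
                packets.append(cur)
            cur = {}
            continue
        if "AUTHEN/START" in body:
            cur["kind"] = "START"
        elif "AUTHEN/REPLY" in body:
            cur["kind"] = "REPLY"
        for key, val in FIELD.findall(body):
            num = int(val, 16) if val.lower().startswith("0x") else int(val)
            cur.setdefault(key.lower(), num)
    return packets

def expected_body_len(p):
    """Body length implied by the length fields (RFC 8907 packet layouts)."""
    if p.get("kind") == "START":   # 8 fixed bytes + user, port, rem_addr, data
        return 8 + p["user_len"] + p["port_len"] + p["raddr_len"] + p["data_len"]
    if p.get("kind") == "REPLY":   # 6 fixed bytes + server_msg, data
        return 6 + p["msg_len"] + p["data_len"]
    return None

def summarize(text):
    rows = []
    for p in parse_packets(text):
        row = {"session": p.get("session_id"), "seq": p.get("seq"),
               "kind": p.get("kind"), "dlen_ok": expected_body_len(p) == p.get("dlen")}
        if p.get("kind") == "REPLY":
            name = AUTHEN_STATUS.get(p.get("status"), "UNKNOWN")
            row.update(status=name, awaits_client=name in NEEDS_INPUT,
                       noecho=bool(p.get("flags", 0) & REPLY_FLAG_NOECHO))
        rows.append(row)
    return rows

if __name__ == "__main__":
    for row in summarize(SAMPLE):
        print(row)
```

On the excerpt, the seq 2 reply decodes to GETPASS with the no-echo flag set, which matches the `GET_PASSWORD` line in the same debug output: the server is prompting for a password and the exchange is waiting on the client's next packet.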
