Products Affected
Products Affected | Comments |
SDM Security Configuration 2.3.3 | Cisco 800, 1700, 1800, 2700, 2800, 3700, 3800 routers running 12.3(21), 12.3(22), 12.4(12), 12.4(12a), 12.4(13), 12.4(13a), 12.4(11)T, 12.4(11)T1, 12.4(11)SW, 12.4(11)SW1, 12.4(11)XV, 12.4(11)XJ |
Problem Description
Cisco 800, 1700, 1800, 2700, 2800, 3700, 3800 routers from the factory containing any of the following Cisco IOS images, with Cisco SDM 2.3.3 in flash and Cisco SDM factory default IOS configuration in start-up configuration.- 12.3(21), 12.3(22)
- 12.4(12), 12.4(12a), 12.4(13), 12.4(13a)
- 12.4(11)T, 12.4(11)T1
- 12.4(11)SW, 12.4(11)SW1, 12.4(11)XV, 12.4(11)XJ
Authentication will fail and the user will not be able to login to the router through HTTPS, HTTP, SSH, telnet, console, or any management application.
Background
If Cisco 800, 1700, 1800, 2700, 2800, 3700, 3800 routers are ordered with Cisco SDM software and Cisco SDM factory default IOS configuration, then manufacturing will load Cisco SDM default IOS configuration to the start-up configuration in NVRAM, so customers can quickly invoke and use Cisco SDM. The settings of this default IOS configuration will configure local authentication on HTTP, VTY and console lines and will configure a one-time credential (username = cisco and password = cisco) that can be used by the customer to login to the router through SDM or through HTTPS, HTTP, SSH, telnet, or console for the first time. This one-time credential will be removed from the running configuration after the user logs on to the router.Due to a bug in Cisco IOS versions 12.3(21), 12.3(22), 12.4(12), 12.4(12a), 12.4(13), 12.4(13a), 12.4(11)T, 12.4(11)T1, 12.4(11)SW, 12.4(11)SW1, 12.4(11)XV, 12.4(11)XJ (CSCsi13896), during the process of copying and verifying Cisco SDM factory default configuration in factory, the one-time credential is removed from the start-up configuration, resulting in customers getting a router with local authentication configured but without a user credential to login to the router. Consequently, the customer will be unable to log into the router.
Problem Symptoms
The customer will be asked to enter username and password for authentication when invoking SDM on a factory fresh router or when accessing the router through HTTPS, HTTP, SSH, telnet, or console. However, authentication will not succeed in spite of entering cisco/cisco, as said in Cisco SDM quick start guide, or any other user credential.Workaround/Solution
The workaround is to run the password recovery procedure.Follow these steps in order to recover your password:
1. Attach a terminal or PC with terminal emulation to the console port of the router.
Use these terminal settings:
o 9600 baud rate
o No parity
o 8 data bits
o 1 stop bit
o No flow control
2. If you can access the router, type show version at the prompt, and record the configuration register setting.
Note: The configuration register is usually set to 0x2102 or 0x102. If you can no longer access the router because of a lost login or TACACS password, you can safely assume that your configuration register is set to 0x2102.
3. Use the power switch in order to turn off the router, and then turn the router back on.
4. Press Break on the terminal keyboard within 60 seconds of power up in order to put the router into ROMMON. If the break sequence does not work, refer to Standard Break Key Sequence Combinations During Password Recovery for other key combinations.
5. Type confreg 0x2142 at the rommon 1> prompt in order to boot from flash.
This step bypasses the startup configuration where the passwords are stored.
6. Type reset at the rommon 2> prompt.
The router reboots, but ignores the saved configuration.
7. Type no after each setup question, or press Ctrl-C in order to skip the initial setup procedure.
8. Type enable at the Router> prompt. You are in enable mode and should see the Router# prompt.
9. Type configure memory or copy startup-config running-config in order to copy the nonvolatile RAM (NVRAM) into memory.
Important: Do not type copy running-config startup-config or write . These commands erase your startup configuration.
10. Type show running-config .
The show running-config command shows the configuration of the router. In this configuration, the shutdown command appears under all interfaces, which indicates all interfaces are currently shut down.
11. Type configure terminal .
The yourname(config)# prompt appears.
12. Type username privilege 15 password in order to create a new user account with privilege 15.
For example:
yourname(config)#username cisco privilege 15 password cisco
13. Issue the no shutdown command on every interface that you use.
If you issue a show ip interface brief command, every interface that you want to use should display up up.
14. Type config-register , where configuration_register_setting is either the value you recorded in step 2 or 0x2102 .
For example:
yourname(config)#config-register 0x2102
15. Press Ctrl-z or end in order to leave the configuration mode.
The yourname# prompt appears.
16. Type write memory or copy running-config startup-config in order to commit the changes.
DDTS
To follow the bug ID link below and see detailed bug information, you must be a registered user and you must be logged in.DDTS | Description |
CSCsi13896 (registered customers only) | Authentication fails and unable to login to a factory fresh router |
Affected Serial Number and Hardware Version
Below is a list of Serial Numbers/Products which may be affected by this Field Notice. The list may not be a complete list of all Serial Numbers affected and will be updated if new information supports adding or removing Serial Numbers from the list. The list is sorted by Serial Number in ascending order.
