Saturday, December 3, 2011

Password Recovery Procedure for the Wireless LAN


Password Recovery Procedure for the Wireless LAN Controller Module (WLCM) and Wireless Services Module (WiSM)

Introduction

This document describes how to recover a password or to restore the default settings on a Cisco Wireless LAN Controller Module (WLCM) installed on a Cisco Integrated Services Router (ISR) and the Cisco Wireless Services Module (WiSM) installed on a Catalyst 6500 Series Switch with the Supervisor 720.
Note: If you use the Cisco Wireless Control System (WCS) in order to manage the WLCM or WiSM, you should be able to access the controller from the WCS and create a new admin user without logging into the controller itself. Or, if you did not save the configuration on the controller after you deleted the user, then a reboot (power cycling) of the controller should bring it back up with the deleted user still in the system. If you do not have the default admin account or another user account with which you can log in, your only option is to default the controller to factory settings and reconfigure it from scratch.


Prerequisites

Requirements

This document applies to WLC versions prior to version 5.1. If you forget your password in WLC version 5.1 and later, you can use the CLI from the serial console of the controller in order to configure a new user name and password. See the Password Recovery in WLC versions 5.1 and later section for more information on this procedure.

Conventions

Refer to Cisco Technical Tips Conventions for more information on document conventions.

Reset the WLCM to Default Settings

When the password to login to the WLCM is lost, the only way to get into the WLCM is to reset the WLCM back to default settings. This also means that the entire configuration on the WLCM is reset and has to be configured from scratch.
Complete these steps in order to reset the WLCM to factory default settings:
1.      Go to the CLI on the ISR and enter this command:
2811ISR#service-module wlan-controller slot/port reset 
This command performs a hardware reset on the WLCM. When this command is issued, the user is prompted to confirm the reset. When the user presses Enter, the reset begins.
This output shows an example:
2811ISR#service-module wlan-controller 2/0 reset
Use reset only to recover from shutdown or failed state
Warning: May lose data on the hard disc!
Do you want to reset?[confirm]
Trying to reset Service Module wlan-controller2/0.
[Resuming connection 1 to 192.168.11.1 ... ]
2.      When the reset begins, the console switches back to the ISR CLI. Press Enter in order to switch back to the WLCM CLI.
Note: The console switches back to the controller only if there is an open session that was previously established on the controller. If there is no open session on the controller, use the service-module wlan-controller 2/0 session command in order to open a new session on the controller.
When you session into the controller, the router might first prompt you for a username and password if a default login authentication is configured on the line. That prompt belongs to the router, not the controller: the Username prompt is the router VTY login, and the controller's User prompt appears only after you press <cr> following the correct router password. In other words, the first login is to the router, then <cr>, and the second login is to the controller.
Router#service-module wlan-controller 1/0 session
 
Username:myusername
Password:*********
<cr>
User:wlcuser
Password:*******
 
(Cisco Controller)>
Note: In order to check if the router is configured for any default login authentication, check if the running configuration has any of the aaa authentication commands, such as aaa new-model or aaa authentication login default. Refer to General AAA Configuration for more information on these commands.
This matters for the recover-config method described later in this document. The controller displays its one-time Recover-Config prompt as soon as it boots, but the router's login prompt holds the session until the router credentials are entered, so the one-time prompt is intercepted and by the time you reach the controller's User prompt the window has already closed. The workaround is to bind an authentication list that uses the none method to the line that fronts the controller module:
Router(config)#aaa authentication login wlc none
Router(config)#line 66
 
!--- Line 66 is meant for the controller module of the router and 
!--- might change based on the hardware/chassis used on the router.
 
Router(config-line)#login authentication wlc
Note: This removes router authentication from that line for the duration of the recovery. Once the controller has been recovered, re-apply the original login authentication to the line and remove the wlc list.
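The check described in the note above can be done mechanically. The following Python script is an added example, not part of the original Cisco document: it parses a constructed show running-config excerpt, decides whether the line that fronts the controller module falls under a login authentication list (aaa new-model with a named or default list, or legacy line login), and if so emits the same workaround the text shows, plus the lines to roll it back afterwards. Line 66 and the two sample configurations are assumptions for illustration; substitute the line number your chassis uses.

```python
"""Check whether router line authentication will intercept the WLCM console
session before the controller's prompt can be reached.

Added example, not part of the original Cisco document.  Line 66 and the
sample configurations are assumptions; the line number depends on the chassis.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample 1: aaa new-model is on and the module line inherits the
# default list, so sessioning in prompts for the router's Username/Password.
CONFIG_INTERCEPTS = """\
aaa new-model
aaa authentication login default local
username myusername privilege 15 secret 5 $1$abcd$0123456789abcdefghijk
line con 0
 logging synchronous
line 66
 no activation-character
 no exec
 transport preferred none
 transport input all
line vty 0 4
 transport input ssh
"""

# Constructed sample 2: the workaround from the text has been applied.
CONFIG_WORKAROUND = """\
aaa new-model
aaa authentication login default local
aaa authentication login wlc none
line 66
 login authentication wlc
 no exec
"""


@dataclass(frozen=True)
class LoginCheck:
    line_id: str
    intercepts: bool          # True if the router prompts before handing over the session
    methods: Tuple[str, ...]  # effective authentication methods for the line
    source: str               # which rule produced `methods`


def _method_lists(config: str) -> dict:
    """Map each `aaa authentication login <name> <methods...>` to its methods."""
    return {m.group(1): tuple(m.group(2).split())
            for m in re.finditer(r"^aaa authentication login (\S+) (.+)$", config, re.M)}


def _line_block(config: str, line_id: str) -> List[str]:
    """Return the indented body of `line <line_id>` (empty if the block is absent)."""
    body, inside = [], False
    for raw in config.splitlines():
        if not raw.startswith(" "):
            inside = raw.strip() == f"line {line_id}"
        elif inside:
            body.append(raw.strip())
    return body


def check_line_login(config: str, line_id: str) -> LoginCheck:
    lists = _method_lists(config)
    block = _line_block(config, line_id)
    if "aaa new-model" not in config.splitlines():
        # Legacy model: the line prompts only if `login` / `login local` is set on it.
        prompts = any(b == "login" or b.startswith("login ") for b in block)
        return LoginCheck(line_id, prompts, ("line",) if prompts else (), "line login")
    for b in block:
        m = re.match(r"login authentication (\S+)$", b)
        if m:
            methods = lists.get(m.group(1), ())
            return LoginCheck(line_id, methods != ("none",), methods, f"named list {m.group(1)}")
    # Under aaa new-model a line with no named list uses the default list; with no
    # default list defined, IOS falls back to the local user database.
    methods = lists.get("default", ("local",))
    return LoginCheck(line_id, methods != ("none",), methods, "default list")


def workaround(line_id: str, list_name: str = "wlc") -> List[str]:
    """Config lines that stop the router from prompting on the module line."""
    return [f"aaa authentication login {list_name} none",
            f"line {line_id}",
            f" login authentication {list_name}"]


def rollback(line_id: str, list_name: str = "wlc") -> List[str]:
    """Undo the workaround once recovery is done so the line is authenticated again."""
    return [f"line {line_id}",
            " no login authentication",
            "exit",
            f"no aaa authentication login {list_name}"]


if __name__ == "__main__":
    for cfg in (CONFIG_INTERCEPTS, CONFIG_WORKAROUND):
        result = check_line_login(cfg, "66")
        print(result)
        if result.intercepts:
            print("\n".join(workaround("66")))
```

Run it against the output of show running-config on the ISR before you issue the reset; if intercepts is True, paste the workaround lines, do the recovery, then paste the rollback lines so the module line is authenticated again.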
The boot process on the WLCM starts.
During the boot process on the WLCM, the user has to break into the boot loader by pressing Esc in order to see the additional options.
This output shows an example:
Initializing memory.  Please wait.  256 MB SDRAM detected
BIOS Version: SM 02.00
BIOS Build date: 09/17/02
System Now Booting ...
 
 
Booting from disk..., please wait.
 
Cisco Bootloader Loading stage2...
 
    Cisco Bootloader (Version 3.2.116.21)
 
Booting Primary Image...
Press <ESC> now for additional boot options...
 
    Boot Options
 
Please choose an option from below:
 
1. Run primary image (Version 3.2.116.21) (active)
2. Run backup image  (Version 3.2.116.21)
3. Manually upgrade primary image
4. Change active boot image
5. Clear Configuration
3.      Choose 5. Clear Configuration.
This is the only boot option that resets the password, and it does so by clearing the entire controller configuration, so the controller has to be reconfigured from scratch afterwards.
This output shows an example:
Please choose an option from below:
 
1. Run primary image (version 3.2.116.21) (active)
2. Run backup image (version 3.1.87.0)
3. Manually update images
4. Change active boot image
5. Clear Configuration
 
Please enter your choice: 5
4.      Once you choose this option, the WLCM is reset to factory default settings. After the reset, the WLCM automatically enters the CLI startup wizard, which prompts you for the startup configuration, including the administrative username and password. Complete the startup configuration wizard in order to access the WLCM.
This output shows an example:
Please enter your choice: 5
Detecting hardware . . . .
Clearing system configuration: done.
 
Configuration has been cleared.  Restarting...
 
 
Initializing memory.  Please wait.  256 MB SDRAM detected
BIOS Version: SM 02.00
BIOS Build date: 09/17/02
System Now Booting ...
 
Booting from disk..., please wait.
 
Cisco Bootloader Loading stage2...
 
    Cisco Bootloader (Version 3.2.116.21)
 
Booting Primary Image...
Press <ESC> now for additional boot options...
Detecting hardware . . . .
 
Generating Secure Shell DSA Host Key ...
Generating Secure Shell RSA Host Key ...
Generating Secure Shell version 1.5 RSA Host Key ...
Cisco is a trademark of Cisco Systems, Inc.
Software Copyright Cisco Systems, Inc. All rights reserved.
 
Cisco AireOS Version 3.2.116.21
Initializing OS Services: ok
Initializing Serial Services: ok
Initializing Network Services: ok
Starting ARP Services: ok
Starting Trap Manager: ok
Starting Network Interface Management Services: ok
Starting System Services: ok
Starting Fast Path Hardware Acceleration: ok
Starting Switching Services: ok
Starting QoS Services: ok
Starting FIPS Features: Not enabled
Starting Policy Manager: ok
Starting Data Transport Link Layer: ok
Starting Access Control List Services: ok
Starting System Interfaces: ok
Starting LWAPP: ok
Starting Crypto Accelerator: Not Present
Starting Certificate Database: ok
Starting VPN Services: ok
Starting Security Services: ok
Starting Policy Manager: ok
Starting Authentication Engine: ok
Starting Mobility Management: ok
Starting Virtual AP Services: ok
Starting AireWave Director: ok
Starting Network Time Services: ok
Starting Broadcast Services: ok
Starting Logging Services: ok
Starting DHCP Server: ok
Starting IDS Signature Manager: ok
Starting RFID Tag Tracking: ok
Starting RBCP: ok
Starting Management Services:
   Web Server: ok
   CLI: ok
   Secure Web: Web Authentication Certificate not found (error).
 
(Cisco Controller)
 
 
Welcome to the Cisco Wizard Configuration Tool
Use the '-' character to backup
System Name [Cisco_e8:38:c0]: WLCM
Enter Administrative User Name (24 characters max): admin
Enter Administrative Password (24 characters max): *****
 
Management Interface IP Address: 172.16.1.60
Management Interface Netmask: 255.255.0.0
Management Interface Default Router: 172.16.1.1
Management Interface VLAN Identifier (0 = untagged):
Management Interface Port Num [1]: 1
Management Interface DHCP Server IP Address: 172.16.1.1
 
AP Manager Interface IP Address: 172.16.1.61
 
AP-Manager is on Management subnet, using same values
AP Manager Interface DHCP Server (172.16.1.1):
 
Virtual Gateway IP Address: 1.1.1.1
 
Mobility/RF Group Name: WLCM-Group
 
Network Name (SSID): WLCM-Clients
Allow Static IP Addresses [YES][no]: no
 
Configure a RADIUS Server now? [YES][no]: no
Warning! The default WLAN security policy requires a RADIUS server.
Please see documentation for more details.
 
Enter Country Code (enter 'help' for a list of countries) [US]:
 
Enable 802.11b Network [YES][no]: yes
Enable 802.11a Network [YES][no]: yes
Enable 802.11g Network [YES][no]: yes
Enable Auto-RF [YES][no]: yes
 
Configure a NTP server now? [YES][no]: no
Configure the system time now? [YES][no]: no
 
Warning! No AP will come up unless the time is set.
Please see documentation for more details.
 
Configuration correct? If yes, system will save it and reset. [yes][NO]: yes
 
Configuration saved!
Resetting system with new configuration...
 
 
Initializing memory.  Please wait.  256 MB SDRAM detected
BIOS Version: SM 02.00
BIOS Build date: 09/17/02
System Now Booting ...
 
Booting from disk..., please wait.
 
Cisco Bootloader Loading stage2...
 
    Cisco Bootloader (Version 3.2.116.21)
 
Booting Primary Image...
Press <ESC> now for additional boot options...
Detecting hardware . . . .
 
Cisco is a trademark of Cisco Systems, Inc.
Software Copyright Cisco Systems, Inc. All rights reserved.
 
Cisco AireOS Version 3.2.116.21
Initializing OS Services: ok
Initializing Serial Services: ok
Initializing Network Services: ok
Starting ARP Services: ok
Starting Trap Manager: ok
Starting Network Interface Management Services: ok
Starting System Services: ok
Starting Fast Path Hardware Acceleration: ok
Starting Switching Services: ok
Starting QoS Services: ok
Starting FIPS Features: Not enabled
Starting Policy Manager: ok
Starting Data Transport Link Layer: ok
Starting Access Control List Services: ok
Starting System Interfaces: ok
Starting LWAPP: ok
Starting Crypto Accelerator: Not Present
Starting Certificate Database: ok
Starting VPN Services: ok
Starting Security Services: ok
Starting Policy Manager: ok
Starting Authentication Engine: ok
Starting Mobility Management: ok
Starting Virtual AP Services: ok
Starting AireWave Director: ok
Starting Network Time Services: ok
Starting Broadcast Services: ok
Starting Logging Services: ok
Starting DHCP Server: ok
Starting IDS Signature Manager: ok
Starting RFID Tag Tracking: ok
Starting RBCP: ok
Starting Management Services:
   Web Server: ok
   CLI: ok
   Secure Web: ok
 
(Cisco Controller)
 
Enter User Name (or 'Recover-Config' this one-time only to reset 
configuration to factory defaults)
 
User: admin
Password:*****
(Cisco Controller) >
Note: There is an alternate way to reset the WLCM to default settings that does not require breaking into the boot loader. Reset the WLCM with the command shown in step 1 and session into it as described in step 2, but let the controller boot normally instead of pressing Esc.
5.      After the boot process completes, the controller displays its User prompt. Enter recover-config at this first User prompt.
The WLCM is reset to factory defaults and the startup wizard prompts you to reconfigure it from scratch.
This output shows an example:
(Cisco Controller)
 
Enter User Name (or 'Recover-Config' this one-time only to reset 
configuration to factory defaults)
 
User:recover-config
 
!--- This command is accepted only at the first User prompt after boot.
!--- If you press Enter and try it at the second User prompt,
!--- it is not accepted.
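The sequence above is easy to get wrong by hand, because the router login comes first and the controller accepts Recover-Config only at its first User prompt after a boot. The following Python driver is an added example, not taken from the Cisco document: it models the session as a small state machine that answers the router's Username/Password prompts, sends the <cr> that hands the session over, and then either types recover-config at the first User prompt or, for the boot-loader method in steps 2 to 4, presses Esc and chooses option 5. It fails loudly if the controller re-prompts (the one-time window has passed) or the console closes. The Transport interface, FakeTransport and the transcripts are assumptions built from the prompts quoted on this page; on a real ISR you would back the transport with the serial or telnet session opened by service-module wlan-controller 2/0 session.

```python
"""Drive a WLCM console session through the router login and the one-time
Recover-Config prompt (or the boot-loader Clear Configuration option).

Added example, not part of the original Cisco document.  Transport,
FakeTransport and the transcripts are assumptions: a real Transport would
wrap the serial/telnet session to the ISR and send ESC as a raw byte.
"""
from typing import List, Optional, Protocol


class Transport(Protocol):
    def read_line(self) -> Optional[str]: ...   # None when the console closes
    def write_line(self, text: str) -> None: ...


class FakeTransport:
    """Replays a constructed transcript and records what the driver types."""
    def __init__(self, transcript: List[str]):
        self._lines = list(transcript)
        self.sent: List[str] = []

    def read_line(self) -> Optional[str]:
        return self._lines.pop(0) if self._lines else None

    def write_line(self, text: str) -> None:
        self.sent.append(text)


class RecoveryError(RuntimeError):
    """The console never reached a state where the configuration was cleared."""


# Lines that show the controller has cleared its configuration (from the text).
SUCCESS_MARKERS = ("Clearing system configuration",
                   "Configuration has been cleared",
                   "Welcome to the Cisco")


def reset_to_defaults(t: Transport, router_user: str, router_pass: str,
                      via: str = "recover-config", max_lines: int = 500) -> List[str]:
    """Answer the router VTY login, then clear the controller configuration.

    via="recover-config": type recover-config at the controller's FIRST User
    prompt, the only prompt that accepts it.
    via="bootloader": press ESC when the boot loader offers boot options and
    choose 5 (Clear Configuration).
    Returns the prompts handled, in order; raises RecoveryError on failure.
    """
    if via not in ("recover-config", "bootloader"):
        raise ValueError(f"unknown method {via!r}")
    handled: List[str] = []
    for _ in range(max_lines):
        line = t.read_line()
        if line is None:
            raise RecoveryError("console closed before the configuration was cleared")
        s = line.strip()
        if s.startswith("Username:"):
            # Router VTY login (AAA on the line), not the controller's login.
            t.write_line(router_user)
            handled.append("router-username")
        elif s.startswith("Password:") and handled[-1:] == ["router-username"]:
            t.write_line(router_pass)
            handled.append("router-password")
            t.write_line("")  # the <cr> that hands the session to the controller
        elif via == "recover-config" and s.startswith("User:"):
            if "recover-config" in handled:
                # The controller re-prompted instead of clearing: the one-time
                # window is gone and a second attempt will not be accepted.
                raise RecoveryError("Recover-Config rejected: not the first User prompt")
            t.write_line("recover-config")
            handled.append("recover-config")
        elif via == "bootloader" and s.startswith("Press <ESC> now"):
            t.write_line("\x1b")
            handled.append("esc")
        elif via == "bootloader" and s.startswith("Please enter your choice:"):
            t.write_line("5")
            handled.append("clear-config")
        elif s.startswith(SUCCESS_MARKERS):
            handled.append("cleared")
            return handled
    raise RecoveryError("line budget exhausted before the configuration was cleared")


# Constructed transcripts assembled from the prompts quoted in the document.
ROUTER_LOGIN = ["Username:", "Password:"]
TRANSCRIPT_RECOVER = ROUTER_LOGIN + [
    "(Cisco Controller)",
    "Enter User Name (or 'Recover-Config' this one-time only to reset ",
    "configuration to factory defaults)",
    "User:",
    "Welcome to the Cisco Wizard Configuration Tool",
]
TRANSCRIPT_BOOTLOADER = ROUTER_LOGIN + [
    "Cisco Bootloader (Version 3.2.116.21)",
    "Booting Primary Image...",
    "Press <ESC> now for additional boot options...",
    "5. Clear Configuration",
    "Please enter your choice:",
    "Clearing system configuration: done.",
]


def run(transcript: List[str], via: str):
    """Run the driver against a transcript; returns (prompts handled, keystrokes sent)."""
    t = FakeTransport(transcript)
    return reset_to_defaults(t, "myusername", "router-secret", via=via), t.sent


if __name__ == "__main__":
    print(run(TRANSCRIPT_RECOVER, "recover-config"))
    print(run(TRANSCRIPT_BOOTLOADER, "bootloader"))
```

The point of the RecoveryError on a second User prompt is the edge case the comment in the output above describes: once the first prompt has passed, typing recover-config again does nothing, so the driver stops rather than feeding the router password or the recovery keyword into the wrong prompt.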
 

Reset the WiSM to Default Settings

The procedure to reset the WiSM to its default settings is similar to the procedure to reset the WLCM.
Complete these steps in order to reset the WiSM to its default settings:
1.      In privileged mode at the Supervisor prompt (shown here as Router#), enter this command:
Router#hw-module module <module slot number> reset
This command reboots the WiSM module. This is an example:
Router#hw-module module 3 reset
Proceed with reload of module?[confirm]
2.      Access the console of the controllers using a serial connection.
3.      When you are prompted for a username, enter recover-config in order to restore the factory default configuration. As with the WLCM, this is accepted only at the first User prompt after the reboot.
Here is an example:
(Cisco Controller)
 
Enter User Name (or 'Recover-Config' this one-time only to reset 
configuration to factory defaults)
 
User:recover-config
For an alternative method, refer to WiSM Troubleshooting FAQ.
The controller reboots and displays this message:
Welcome to the Cisco WLAN Solution Wizard Configuration Tool
4.      Use the startup configuration wizard in order to enter new configuration settings, including the username and password.

Password Recovery in WLC versions 5.1 and later

If you forget your password in WLC version 5.1 and later, you can use the CLI from the serial console of the controller in order to configure a new user name and password.
After the controller boots up, enter the Restore-Password command at the User prompt. This command is accepted only at the initial login after boot and is disabled once any user has logged in. You are then prompted for a new username and password, which you can use to log in to the controller and modify its settings. Because this one-time login, like Recover-Config on older releases, is available to whoever is at the console after a reboot, physical access to the console port is the effective access control for the controller and should be restricted accordingly.
Before version 5.1, there is no password recovery option on the Wireless LAN Controller (WLC); the WLC has to be reset to factory defaults and reconfigured. In order to reset the WLC to factory defaults, power cycle the WLC, press the Esc key during boot up from the console, and choose the last option (5. Clear Configuration) in order to clear the configuration and reboot the WLC.
Note: The new default username and password are both admin.
Refer to the Clearing the Controller Configuration section of Managing Controller Software and Configurations for more information on how to clear the configuration on the WLC.
You can also view the Wireless LAN Password Recovery video, which illustrates how to recover passwords on WLCs that run the older firmware versions and on WLCs that run versions 5.1 and later.
