Skip to main content

No Service Password Recovery - It is not the end of the world

Myth


Having a chat with some people and this came up in conversation, "no service password recovery" and people seemed to be taking it quite literally. e.g. if you forget your password the devices it is dead and needs to go back to Cisco, not being a security guy I though ok, but it was bothering me. So a quick lookup on cisco http://www.cisco.com/en/US/docs/ios/12_3/12_3y/12_3ya8/gtnsvpwd.html

Fact


In fact what this feature does is prevent you from getting access to the startup configuration, you can recover the device to FACTORY DEFAULT - the config has gone. Of course will have a backup of the config so it should be no big deal to switch this feature on every device, assuming the device supports it.

 

Take Note of the comments : "

Before deploying this feature, TEST the password recovery. Some platforms (based on ROMMON version) are EXTREMELY hard to recover.

http://blog.ioshints.info/2007/12/recovering-from-disabled-password.html

"

Thanks Ivan

 

Comments

  1. Before deploying this feature, TEST the password recovery. Some platforms (based on ROMMON version) are EXTREMELY hard to recover.

    http://blog.ioshints.info/2007/12/recovering-from-disabled-password.html

    ReplyDelete
  2. Yep, we like to use this feature when deploying equipment into semi-trusted or untrusted environments. Gear residing at a vendor/partner's site, small ASAs/routers deployed to employee's homes for EasyVPN, etc. If someone wants to get clever and crack the device for fun, or it gets stolen, they will get nothing useful.

    Good post to clarify the feature!

    ReplyDelete

Post a Comment

Popular posts from this blog

ASR1006 Dual Route Processors Password Recovery - Tip

I recently ran into an issue when trying to perform dual route processors password recovery on a Cisco  ASR1006
Problem
After breaking into rommon mode and using confreg to ignore the startup configuration, during the rest the ASR1006 loaded the startup configuration!!!!!!!!
Solution
So quick and simple, I pulled one of the RP and preformed password recovery running on a single RP. All went according to the Cisco documentation

http://www.cisco.com/en/US/docs/routers/asr1000/install/guide/routers/asr1_hwc.html#wp1045971



After the system running on a single RP was recovered and fully booted I waiting for 5 minutes just to be sure; then I inserted the second RP and allowed everything to sync up.



All was well again :) phew



Note: The system was previously fully functioning with dual RPs; a configuration error was made during Tacacs+ configuration which resulted in lockout.


Summary
I hit an issue recovering and ASR with dual RPs, so rather that spending hour researching, I decided very quickly to go …

From IOS to Junos – JNCIA Result - PASS

I done the exam, and I am please to say I passed. So the lab-ing and the two PDFs

JNCIA-Junos_SG_part_1_09-16-2010.pdf
JNCIA-Junos_SG_part_2_09-16-2010.pdf

And a bit of surfing the web were enough. That is not to say everything in the exam was familiar, I did have to think seriously about some questions which puzzled me.
So the next step will be to go for specialist, but because of workload, it's going to take a little longer that 15 Days.

NetGuruSubnetCalc

This is a straightforward no nonsense Subnet Calculator. It does however allow you to pull up the subnet information you have been working on in the iPhone Todays Widget View. This means that the subnet information is just a slide away.




Developed my me. Now Available

http://itunes.apple.com/gb/app/id941632787