Changes To Cisco ISR Initial Setup Could Leave You Out in The Cold

Last Updated on January 8, 2015 by Daniele Besana

Here we go again. Cisco has made a change to the way we do things in our day-to-day network engineering lives and has failed to get the word out.

What we found cost us quite a bit of time and man hours to correct.

We recently had an opportunity to configure a new 2900 series ISR router and experienced firsthand some new changes to the initial setup of these routers, as well as changes to the password recovery procedures, that really bit us in the butt.

While configuring a brand new, out-of-the-box 2900 ISR, we noticed (a little late) a slight change in the initial login banner. If you’re in a hurry when doing initial configurations, like most of us are, it probably flies by unnoticed.

In particular, the banner now includes a notice about Cisco Configuration Professional and, in ALL CAPS, the need to change the default password.

Snippet of the New Setup Banner

-----------------------------------------------------------------------
Cisco Configuration Professional (Cisco CP) is installed on this device.
This feature requires the one-time use of the username "cisco" with the
password "cisco". These default credentials have a privilege level of 15.

YOU MUST USE CISCO CP or the CISCO IOS CLI TO CHANGE THESE PUBLICLY-KNOWN
CREDENTIALS

Here are the Cisco IOS commands.

username <myuser> privilege 15 secret 0 <mypassword>
no username cisco

IF YOU DO NOT CHANGE THE PUBLICLY-KNOWN CREDENTIALS, YOU WILL NOT BE ABLE
TO LOG INTO THE DEVICE AGAIN AFTER YOU HAVE LOGGED OFF.

For more information about Cisco CP please follow the instructions in the
QUICK START GUIDE for your router or go to http://www.cisco.com/go/ciscocp
-----------------------------------------------------------------------

Here’s a quick link to Cisco Configuration Professional.

If you haven’t seen this before, don’t worry; many engineers haven’t noticed it either. But you may be surprised to find that the first thing Cisco requires new owners of its products to do is create, change or remove the default password. We’ve found out (the hard way) that if you don’t change the password you will be in for a big surprise.
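A pre-logoff check for the condition the banner describes, as an added example that is not part of the original post or any Cisco tool. It assumes the factory configuration defines the default account with the IOS `one-time` keyword; both sample configs, the user name `netadmin` and the hash are constructed.

```python
# Constructed sample configs (not captured from a real device).
FACTORY = """\
hostname yourname
username cisco privilege 15 one-time secret 0 cisco
line con 0
 login local
"""
FIXED = """\
hostname yourname
username netadmin privilege 15 secret 5 $1$CONSTRUCTED$notarealhash
line con 0
 login local
"""

def parse_users(config):
    """Map each 'username' line to its privilege, one-time flag and credential."""
    users = {}
    for line in config.splitlines():
        tokens = line.split()
        if len(tokens) < 2 or tokens[0] != "username":
            continue
        entry = users.setdefault(
            tokens[1], {"privilege": 1, "one_time": False, "has_cred": False})
        rest = tokens[2:]
        for i, tok in enumerate(rest):
            if tok == "privilege" and i + 1 < len(rest) and rest[i + 1].isdigit():
                entry["privilege"] = int(rest[i + 1])
            elif tok == "one-time":
                entry["one_time"] = True
            elif tok in ("secret", "password"):
                entry["has_cred"] = True
                break  # the remaining tokens are the credential itself
    return users

def logoff_findings(config):
    """Return reasons it is not yet safe to end the first console session."""
    users = parse_users(config)
    findings = []
    if "cisco" in users:
        findings.append("default user 'cisco' still present")
    findings += [f"user '{n}' is one-time" for n, u in users.items() if u["one_time"]]
    durable = [n for n, u in users.items() if n != "cisco"
               and u["privilege"] == 15 and u["has_cred"] and not u["one_time"]]
    if not durable:
        findings.append("no permanent privilege 15 user configured")
    return findings

if __name__ == "__main__":
    for name, cfg in (("factory", FACTORY), ("fixed", FIXED)):
        print(name, logoff_findings(cfg) or "safe to log off")
```

Run it against the output of `show running-config` before closing the console session; an empty result means a permanent privilege 15 account exists and the default one is gone.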

Here’s The Scenario – See If This Sounds Familiar To You

You received a new 2900 ISR router that needed to be configured in your local data center ASAP.  The router has been shipped to the data center and the local onsite folks have racked and stacked the new box and it’s ready for you to configure.

Given console access, you log into the new router while the onsite guy hits the power switch, and you watch as the router comes to life.

Suddenly the phone rings: a new network issue has occurred, and you turn your attention to fixing it.

45 minutes later, the emergency has been averted and you come back to your console session eager to begin configuration on your router. Your console session timed out and you need to log back in. This is when you realize you can’t. You are locked out!

User Access Verification

Username: ernet0/1, changed state to administratively down
Aug 7 22:27:12.847: %SYS-5-RESTART: System restarted --
Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.2(2)T1, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2012 by Cisco Systems, Inc.
Compiled Wed 29-Feb-12 20:40 by prod_rel_team
Aug 7 22:27:12.935: %SSH-5-ENABLED: SSH 1.99 has been enabled
Aug 7 22:27:12.939: %LINEPROTO-5-UPDOWN: Line protocol on Interface Embedded-Service-Engine0/0, changed state to down
Aug 7 22:27:12.939: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to down
Aug 7 22:27:13.035: %SNMP-5-COLDSTART: SNMP agent on host yourname is undergoing a cold start
% Username: timeout expired!
Username: cisco
Password:
% Login invalid

Username: admin
Password:
% Login invalid

To put it nicely – WTF!!!!

You have been locked out of the router and, what’s worse, a simple reboot won’t fix it. You have just been SLAPPED by Cisco’s new router security.

The New Cisco Password Recovery

Normally you might decide to do password recovery on the new router to try to break in. However, you may quickly learn that Cisco has changed the password recovery method also! See here for Cisco’s new password recovery procedures.

You can no longer simply hit “break” during boot-up to gain access to Rommon

No longer can you simply hit “break” during the boot up sequence to access rommon and type confreg to bypass the startup config.  You have to have physical access to the router or someone on site who has physical access to the router in order to do password recovery.

Here’s a breakdown of the steps you now need to take in order to do password recovery on a Cisco ISR router:

  1. Turn off the router
  2. Remove the compact flash card from the router
  3. Turn on the router
  4. Wait for router to boot to rommon
  5. Reinsert the compact flash card
  6. Type confreg 0x2142 at the rommon > prompt (this is standard password recovery stuff here)
  7. Type reset to reboot the router
  8. Either skip setup by pressing Ctrl-C or enter N to bypass setup
  9. Type enable at the Router> prompt to put you in privileged exec mode
  10. Type “copy start run” (DON’T ENTER COPY RUN START!! You will erase the startup config and turn your router into a brick)
  11. Type config t
  12. Type “enable secret <password>”
  13. Type config-register 0x2102
  14. Type show version (this is to verify that the router will boot up with 0x2102)

Router#show version
Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.0(1)M1,
     RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2009 by Cisco Systems, Inc.
Compiled Wed 02-Dec-09 15:23 by prod_rel_team

ROM: System Bootstrap, Version 15.0(1r)M1, RELEASE SOFTWARE (fc1)

c2921-CCP-1-xfr uptime is 2 weeks, 22 hours, 15 minutes
System returned to ROM by reload at 06:06:52 PCTime Mon Apr 2 1900
System restarted at 06:08:03 PCTime Mon Apr 2 1900
System image file is "flash:c2900-universalk9-mz.SPA.150-1.M1.bin"
Last reload reason: Reload Command

Cisco CISCO2921/K9 (revision 1.0) with 475136K/49152K bytes of memory.
Processor board ID FHH1230P04Y
1 DSL controller
3 Gigabit Ethernet interfaces
9 terminal lines
1 Virtual Private Network (VPN) Module
1 Cable Modem interface
1 cisco Integrated Service Engine-2(s)
   Cisco Foundation 2.2.1 in slot 1
DRAM configuration is 64 bits wide with parity enabled.
255K bytes of non-volatile configuration memory.
248472K bytes of ATA System CompactFlash 0 (Read/Write)
62720K bytes of ATA CompactFlash 1 (Read/Write)

Configuration register is 0x2142 (will be 0x2102 at next reload)

Router#

Finally, reload the router so it reboots and you can log in to it normally.
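The verification in step 14, as an added example that is not part of the original post: it reads the configuration register line from `show version` and checks bit 6 (0x0040), the "ignore startup-config" bit that separates 0x2142 from 0x2102. The bit meanings follow Cisco's configuration register documentation; the function names are illustrative.

```python
import re

IGNORE_NVRAM = 0x0040    # bit 6: boot without loading startup-config
BREAK_DISABLED = 0x0100  # bit 8: Break key ignored once the system is up
BOOT_FIELD = 0x000F      # bits 0-3: where the image is loaded from

# The register line as it appears in the show version output above.
SAMPLE = "Configuration register is 0x2142 (will be 0x2102 at next reload)"

_REG = re.compile(r"Configuration register is (0x[0-9A-Fa-f]+)"
                  r"(?: \(will be (0x[0-9A-Fa-f]+) at next reload\))?")

def parse_confreg(show_version):
    """Return (current, pending) register values from show version text."""
    m = _REG.search(show_version)
    if m is None:
        raise ValueError("no configuration register line found")
    current = int(m.group(1), 16)
    # Without a "will be" clause the register does not change on reload.
    pending = int(m.group(2), 16) if m.group(2) else current
    return current, pending

def describe(value):
    """Decode the fields that matter during password recovery."""
    return {
        "ignores_startup_config": bool(value & IGNORE_NVRAM),
        "break_disabled": bool(value & BREAK_DISABLED),
        "boot_field": value & BOOT_FIELD,
    }

def recovery_state(show_version):
    """Say whether the next reload returns the router to a normal boot."""
    current, pending = parse_confreg(show_version)
    if pending & IGNORE_NVRAM:
        return "UNSAFE: next reload still ignores startup-config"
    if current & IGNORE_NVRAM:
        return "OK: recovery boot now, normal boot after reload"
    return "OK: normal boot"

if __name__ == "__main__":
    current, pending = parse_confreg(SAMPLE)
    print(hex(current), describe(current))
    print(hex(pending), describe(pending))
    print(recovery_state(SAMPLE))
```

A router left at 0x2142 boots with an empty configuration on every reload, so the UNSAFE result is worth catching before the on-site person leaves.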

It’s Good and It’s Bad

If you ask me it’s a total pain in the ASS! But I understand where they’re going with it and the need for greater physical security. For lights-out data centers this can be a good thing and a bad thing. You have improved security on the router against any attempt to do a password recovery remotely, but on the other hand you now need to have someone on site in the event that you need to do a password recovery!

 

3 Responses

  1. It won’t be bricked if you “copy run start”.

    You will still have access to the configuration file.

    You’ll just need to add a username and password, and you will be safe.

    #username username privilege 15 password 0 password
    #end
    #wr

    That will do the trick.
