CCNA RSE Lab: 10.3.1.11 Lab – Configure and Verify Password Recovery

CCNA RSE Lab: 10.3.1.11 Lab – Configure and Verify Password Recovery

Topology

ccna-rse-lab-configure-verify-password-recovery

Objectives
Part 1: Configure Basic Device Settings
Part 2: Reboot Router and Enter ROMMON
Part 3: Reset Password and Save New Configuration
Part 4: Verify the Router is Loading Correctly

Background / Scenario
The purpose of this lab is to reset the enable password on a specific Cisco router. The enable password protects access to privileged EXEC and configuration mode on Cisco devices. The enable password can be recovered, but the enable secret password is encrypted and will need to be replaced with a new password.

In order to bypass a password, a user must be familiar with the ROM monitor (ROMMON) mode, as well as the configuration register setting for Cisco routers. ROMMON is basic CLI software stored in ROM that can be used to troubleshoot boot errors and recover a router when an IOS is not found.

In this lab, you will change the configuration register in order to reset the enable password on a Cisco router.

Required Resources

  • 1 Router (Cisco 1941 with Cisco IOS Release 15.2(4)M3 universal image or comparable)
  • 1 PC (Windows 7, Vista, or XP with terminal emulation program, such as Tera Term)
  • Console cable to connect to the Cisco IOS device via the console port

Part 1: Configure Basic Device Settings

In Part 1, you will set up the network topology and copy the basic configuration into R1. The password is encrypted to setup the scenario of needing to recover from an unknown enabled password.

Step 1: Cable the network as shown in the topology.

Step 2: Initialize and reload the routers as necessary.

Step 3: Configure basic settings on the router.

Instructor note: The encrypted password is NoRecovery123.
a. Console into the router and enter global configuration mode.
b. Copy the following basic configuration and paste it to the running-configuration on the router.

c. Press Enter and try to enable Privileged Exec mode.
As you can see, access to a Cisco IOS device is very limited if the enable password is unknown. It is important for a network engineer to be able to recover from an unknown enable password issue on a Cisco IOS device.

Part 2: Reboot Router and Enter ROMMON

Step 1: Reboot the router.
a. While still consoled into R1, remove the power cord from the back of R1.

Note: If you are working in a NETLAB pod, ask your instructor how to power cycle the router.

b. From the console session on PC-A, issue a hard break to interrupt the routers normal boot process and enter ROMMON mode.

Note: To issue a hard break in Tera Term, press the Alt and the B keys simultaneously.

Step 2: Reset the configuration register.
a. From the ROMMON prompt, type a ?, then press Enter. This will display a list of available ROMMON commands. Look for the confreg command in this list.

Note: The number at the end of the ROMMON prompt will increment by one each time a command is entered.

b. Type confreg 0x2142 and press Enter. Changing the register to Hex 2142 tells the router not to automatically load the startup configuration when booting. The router will need to be rebooted for the configuration register change to take effect.

rommon 2 > confreg 0x2142
You must reset or power cycle for new config to take effect
rommon 3 >

c. Issue the reset ROMON command to reboot the router.

d. When asked if you would like to enter the initial configuration dialog, type no and press Enter. Would you like to enter the initial configuration dialog? [yes/no]: no
e. The router will complete its boot process and display the User Exec prompt. Enter Privileged Exec mode.

Part 3: Reset Password and Save New Configuration

a. While in Privileged Exec mode, copy the startup configuration to the running configuration.

b. Enter global configuration mode.

c. Reset the enable secret password to cisco.

d. Reset the configuration register back to 0x2102 to allow the startup configuration to automatically load the next time the router is rebooted.

e. Exit global configuration mode.

f. Copy the running configuration to the startup configuration.

You have successfully reset the enable password on a router.

Part 4: Verify the Router is Loading Correctly

Step 1: Reboot R1.

Step 2: Verify that the startup configuration loaded automatically.

Step 3: Enter Privileged Exec mode.

The new enable secret password should be cisco. If you are able to enter Privileged Exec mode, then you have successfully completed this lab.

Reflection

Why is it of critical importance that a router be physically secured to prevent unauthorized access?
Because the password recovery procedure is based on a console connection, which requires direct physical access to the device, preventing unauthorized users access to the physical device is an imperative part of an overall security plan.

Device Configs

Router R1

More Resources

About the author

Scott

Leave a Comment