2 Forgetting Passwords
2.1 Recovering the Console Port Login Password
- Method 1: Log in to the device using STelnet/Telnet and change the console port login password.
- Method 2: Clear the console port login password in BootROM and change the console port login password.
- Method 3: Clear the startup configuration file in BootROM, start the device with no configuration, and change the console port login password.

- Method 1 is recommended. If method 1 cannot be used, use method 2.
If you forget the STelnet/Telnet password, use method 2 or 3. You are advised to log in to the device using STelnet V2 because using Telnet poses security risks.
- Enter the BootROM menu on the S1720GFR, S2720, S2750, S5700LI, S5700S-LI, S5720S-12TP-PWR-LI-AC and S5700S-28P-PWR-LI-AC, and enter the BootLoad menu on the S5710-X-LI, S5700S-28X-LI-AC, S5700S-52X-LI-AC, S5720SI, S5720S-SI, S5720EI, S5720HI, S6720EI, S5720LI, S5720S-LI and S6720S-EI. The following command outputs are used as an example.
- The command outputs for different versions of different device models may differ. Therefore, the command outputs on your device may differ from those provided in this document.
Logging In to the Device Using STelnet/Telnet and Changing the Console Port Login Password
The following uses the command lines and outputs of logging in to the device using STelnet as an example.
If you have an STelnet account and your user right is level 3 or higher, log in to the device using STelnet, change the console port login password, and save the configuration.
Log in to the device using STelnet. Ensure that your user right is level 3 or higher.
Run the display users command to display all the users who have logged in to the device. The item with a "+" mark indicates your user account on user interface VTY1.
<HUAWEI> display users
  User-Intf    Delay    Type   Network Address     AuthenStatus    AuthorcmdFlag
  129 VTY 0   00:23:36  TEL    10.135.18.67            pass              no
  Username : Unspecified
+ 130 VTY 1   01:20:36  TEL    10.135.18.91            pass              no
  Username : Unspecified
  131 VTY 2   00:00:00  TEL    10.135.18.54            pass              no
  Username : Unspecified
Run the display user-interface command to display the user rights of all users. The output shows that VTY1 has user right 15. Therefore, you have the right to change the console port login password.
<HUAWEI> display user-interface
  Idx  Type     Tx/Rx      Modem Privi ActualPrivi Auth  Int
  0    CON 0    9600       -     15    -           P     -
+ 129  VTY 0               -     15    15          P     -
+ 130  VTY 1               -     15    15          P     -
+ 131  VTY 2               -     15    -           P     -
  132  VTY 3               -     15    15          P     -
  ......
Change the console port login password. In this example, set the authentication mode to password authentication and the password to huawei@123.
<HUAWEI> system-view
[HUAWEI] user-interface console 0
[HUAWEI-ui-console0] authentication-mode password
[HUAWEI-ui-console0] set authentication password cipher huawei@123
[HUAWEI-ui-console0] return
Save the configuration.
<HUAWEI> save
The current configuration will be written to the device.
Are you sure to continue?[Y/N]y
Now saving the current configuration to the slot 0.
Save the configuration successfully.
Clearing the Console Port Login Password in BootROM and Changing the Console Port Login Password
The BootROM allows you to clear the console port login password so that the device does not check the password when you log in through the console port. When the device starts, you do not need to enter the console port login password and all configurations are loaded normally. After the device starts, reconfigure the authentication mode and console port login password, and save the configuration.

You must restart the device to display the BootROM menu, which results in service interruptions. Migrate services to a backup device and perform this operation during off-peak hours.
Set a new password immediately after clearing the console port login password in BootROM and logging in to the device.
Do not power off the device during the operation.
Connect a PC to the device through a serial cable and restart the device. When the message "Press Ctrl+B to enter BootROM menu..." (V200R002 and V200R003) or "Press Ctrl+B or Ctrl+E to enter BootROM menu..." (V200R005 and later versions) is displayed, press Ctrl+B (or Ctrl+E in later versions) and enter the password (Admin@huawei.com by default and possibly huawei on a device running versions earlier than V100R006C03). The BootROM main menu is displayed.
Clear the console port login password.
BootROM MENU

1. Boot with default mode
2. Enter serial submenu
3. Enter startup submenu
4. Enter ethernet submenu
5. Enter filesystem submenu
6. Modify BootROM password //V200R006 and earlier versions: Modify BootROM password; V200R007 and later versions: Enter password submenu
7. Clear password for console user
8. Reboot
(Press Ctrl+E to enter diag menu)

Enter your choice(1-8): 7
Note: Clear password for console user? Yes or No(Y/N): y
Clear password for console user successfully. Choose "1" to boot, then set a new password.
Note: Do not choose "8. Reboot" or power off the device, otherwise this operation will not take effect.
- Enter 1 in the BootROM main menu to start the device.
Log in to the device through the console port. Authentication is not required when you log in. Change the console port login password. In this example, set the authentication mode to password authentication and the password to huawei@123.
<HUAWEI> system-view
[HUAWEI] user-interface console 0
[HUAWEI-ui-console0] authentication-mode password
[HUAWEI-ui-console0] set authentication password cipher huawei@123
[HUAWEI-ui-console0] return
Save the configuration.
<HUAWEI> save
The current configuration will be written to the device.
Are you sure to continue?[Y/N]y
Now saving the current configuration to the slot 0.
Save the configuration successfully.
Clearing the Startup Configuration File in BootROM, Starting the Device with No Configuration, and Changing the Console Port Login Password
If you clear the startup configuration file in BootROM, the device restarts with no configurations (factory settings). After the device starts, export the configuration file and change the console port login configuration. Upload the changed configuration to the device and specify the new configuration file as the next startup configuration file. After the device restarts, you do not need to enter the console port login password.
In the following example, the authentication mode for console port login is password authentication. In other authentication modes, the output varies according to the device model and configuration.

You must restart the device to display the BootROM menu, which results in service interruptions. Migrate services to a backup device and perform this operation during off-peak hours.
Do not power off the device during the operation.
In V200R010 and later versions, the default authentication mode for console port login is AAA authentication. If the authentication mode is not changed after the device starts with no configurations, and the device is configured to start with the configuration file from which the authentication mode is deleted, you must enter the default user name admin and password admin@huawei.com after the device restarts. The output varies according to the device model and configuration.
Connect a PC to the device through a serial cable and restart the device. When the message "Press Ctrl+B to enter BootROM menu..." (V200R002 and V200R003) or "Press Ctrl+B or Ctrl+E to enter BootROM menu..." (V200R005 and later versions) is displayed, press Ctrl+B or Ctrl+E and enter the password (Admin@huawei.com by default and possibly huawei on a device running versions earlier than V100R006C03). The BootROM main menu is displayed.
- Clear the startup configuration file so that the device starts with no configurations.
NOTE:
Record the name of the current configuration file so that you can restore the previous configuration.
BootROM MENU

1. Boot with default mode
2. Enter serial submenu
3. Enter startup submenu
4. Enter ethernet submenu
5. Enter filesystem submenu
6. Modify BootROM password //V200R006 and earlier versions: Modify BootROM password; V200R007 and later versions: Enter password submenu
7. Clear password for console user
8. Reboot
(Press Ctrl+E to enter diag menu)

Enter your choice(1-8): 3

Startup Configuration Submenu

1. Display startup configuration
2. Modify startup configuration
3. Return to main menu

Enter your choice(1-3): 2

Note: startup file field can not be cleared
'.'=clear field; 'Ctrl+D'=quit; Enter=use current configuration

startup type(1: Flash)
current: 1
new :
Flash startup file (can not be cleared)
current: HUAWEI-v200r008c00.cc
new :
saved-configuration file
current: vrpcfg.zip
new : . //Clear the current value.
patch package
current:
new :

Startup Configuration Submenu

1. Display startup configuration
2. Modify startup configuration
3. Return to main menu

Enter your choice(1-3): 3
- Enter 1 in the BootROM main menu to start the device.
After the device starts, factory settings are restored. When you log in to a device running V200R009 or an earlier version through the console port, the system asks you to set the console port login password. The following uses the password huawei@123 as an example.
An initial password is required for the first login via the console.
Continue to set it? [Y/N]:y
Set a password and keep it safe. Otherwise you will not be able to login via the console.
Please configure the login password (8-16)
Enter Password: //Enter huawei@123.
Confirm Password: //Enter huawei@123 again.
When you log in to a device running V200R010 or a later version through the console port, the system asks you to enter the default user name and password for console port login, and then asks you to change the password. You must change the password. The following uses the password huawei@123 as an example.
Login authentication

Username:admin
Password: //Enter admin@huawei.com.
Warning: The default password poses security risks.
The password needs to be changed. Change now? [Y/N]: y
Please enter old password: //Enter admin@huawei.com.
Please enter new password: //Enter huawei@123.
Please confirm new password: //Enter huawei@123 again.
The password has been changed successfully.
- Restore the original configuration. To restore the original configuration without retaining the console port login password from the original configuration file, download the original configuration file to the PC and delete the console configuration. Then upload this configuration file to the device and specify it as the startup configuration file. Restart the device to make this configuration file take effect.
- Configure the device as the FTP server.
<HUAWEI> system-view
[HUAWEI] ftp server enable
Info: The FTP server is already enabled.
[HUAWEI] vlan 10
[HUAWEI-vlan10] interface vlanif 10 //Configure VLANIF 10 as the management interface.
[HUAWEI-Vlanif10] ip address 10.110.24.254 24
[HUAWEI-Vlanif10] quit
[HUAWEI] interface gigabitethernet 0/0/10 //GE0/0/10 is the physical interface used for logging in to the switch through the web system on a PC. Select an interface based on actual networking requirements.
[HUAWEI-GigabitEthernet0/0/10] port link-type access
[HUAWEI-GigabitEthernet0/0/10] port default vlan 10
[HUAWEI-GigabitEthernet0/0/10] quit
[HUAWEI] aaa
[HUAWEI-aaa] local-user huawei password irreversible-cipher huawei@123
[HUAWEI-aaa] local-user huawei ftp-directory flash:
[HUAWEI-aaa] local-user huawei service-type ftp
[HUAWEI-aaa] local-user huawei privilege level 15
Download the original configuration file vrpcfg.zip to the PC.
C:\Documents and Setting\Administrator> ftp 10.110.24.254
Connected to 10.110.24.254.
220 FTP service ready.
User (10.110.24.254:(none)): huawei
331 Password required for huawei.
Password:
230 User logged in.
ftp> get vrpcfg.zip
200 Port command okay.
150 Opening ASCII mode data connection for directory list.
226 Transfer complete.
ftp: receive 981 bytes in 0.01 seconds 981000.00Kbytes/sec
Decompress the downloaded file on the PC and open it using a text editing tool (a system-provided text editing tool is recommended). Delete the console authentication configuration and compress the file into the file vrpcfg.zip. The following configuration needs to be deleted:
#
user-interface maximum-vty 15
user-interface con 0
 authentication-mode password // Manual deletion is required.
 set authentication password cipher %@%@:*IB+w7j~""GlU$0-;\#m@Jw%@%@ // Manual deletion is required.
#
user-interface con 0
 authentication-mode aaa // Manual deletion is required.
 user privilege level 15 // Manual deletion is required.
Save the modified configuration file and upload it to the device to replace the original configuration file.
ftp> put vrpcfg.zip
200 Port command okay.
150 Opening ASCII mode data connection for directory list.
226 Transfer complete.
ftp: 981 bytes are sent and the transmission time is 0.00 Seconds. The speed is 978000.00Kbytes/sec.
Configure the uploaded configuration file as the startup configuration file. Restart the device without saving the configuration.
<HUAWEI> startup saved-configuration vrpcfg.zip
Info: Succeeded in setting the configuration for booting system.
<HUAWEI> reboot fast
System will reboot! Continue ? [y/n]:y
After the device restarts, you are prompted to enter the console port login password. Enter a password and press Enter to display the command line interface.
2.2 Recovering the Telnet Login Password
You can use Telnet to remotely maintain and manage a device. If you forget the Telnet login password, log in to the device using another method, such as the Console port, and set a new password.
- AAA authentication: To log in to the device, you must have a user name and a password.
- Password authentication: To log in to the device, you must have a password.
In this example, the configurations for VTY0 to VTY4 are the same.
Configuring AAA Authentication
If the user remembers the original login user name, a new password can be configured. For example, if the user name is huawei, configure a new password huawei@123 and set the user level to level 2.
<HUAWEI> system-view
[HUAWEI] user-interface vty 0 4
[HUAWEI-ui-vty0-4] protocol inbound telnet //By default, Telnet is configured on devices running V200R006 and earlier versions. SSH is configured by default on devices running V200R007 and later versions, in which case this command is mandatory.
[HUAWEI-ui-vty0-4] authentication-mode aaa
[HUAWEI-ui-vty0-4] quit
[HUAWEI] aaa
[HUAWEI-aaa] local-user huawei password irreversible-cipher huawei@123
[HUAWEI-aaa] local-user huawei service-type telnet
[HUAWEI-aaa] local-user huawei privilege level 2
After the configuration is complete, you can use the user name huawei and password huawei@123 to log in to the device.
If the user forgets the original login user name, configure a new user named huawei and password huawei@123 using the same method.
Configuring Password Authentication
Configure password authentication for VTYs 0-4 and configure a password huawei@123.
<HUAWEI> system-view
[HUAWEI] user-interface vty 0 4
[HUAWEI-ui-vty0-4] protocol inbound telnet //By default, switches in V200R006 and earlier versions support Telnet, and switches in V200R007 and later versions support SSH.
[HUAWEI-ui-vty0-4] authentication-mode password
[HUAWEI-ui-vty0-4] set authentication password cipher huawei@123
[HUAWEI-ui-vty0-4] return
After the configuration is complete, you can use the password huawei@123 to log in to the device.

After you log in to the device through VTY0 to VTY4, you can run the display current-configuration configuration user-interface command to view the authentication mode of the VTY user.
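The authentication mode and inbound protocol of each user interface can also be reviewed offline from a saved configuration file once recovery is complete. The following Python sketch is an added example, not Huawei code: it assumes the plain-text layout shown in the configuration excerpts above, the sample configuration is constructed, and the finding names are hypothetical labels.

```python
import re

# Constructed sample (not from a real device); cipher strings are placeholders.
SAMPLE_CONFIG = """\
#
ftp server enable
#
aaa
 local-user huawei password irreversible-cipher <placeholder>
 local-user huawei service-type ftp
#
user-interface maximum-vty 15
user-interface con 0
 authentication-mode password
 set authentication password cipher <placeholder>
user-interface vty 0 4
 authentication-mode password
 protocol inbound telnet
user-interface vty 5 14
 authentication-mode aaa
 protocol inbound ssh
#
"""

def parse_user_interfaces(config):
    """Map each 'user-interface <type> <range>' header to its indented lines."""
    blocks, current = {}, None
    for line in config.splitlines():
        m = re.match(r"user-interface (con|vty) ([\d ]+)$", line.rstrip())
        if m:
            current = f"{m.group(1)} {m.group(2).strip()}"
            blocks[current] = []
        elif line.startswith(" ") and current:
            blocks[current].append(line.strip())
        else:
            current = None  # any other unindented line ends the block
    return blocks

def audit(config):
    """Return (scope, finding) pairs for settings to review after recovery."""
    findings = []
    for name, lines in parse_user_interfaces(config).items():
        # Telnet on a VTY: the page advises STelnet because Telnet is a risk.
        if name.startswith("vty") and any(
                re.match(r"protocol inbound (telnet|all)$", l) for l in lines):
            findings.append((name, "telnet-inbound"))
        # Password mode has no user name, so logins are not tied to an account.
        if "authentication-mode password" in lines:
            findings.append((name, "password-only-auth"))
    # FTP server and FTP/Telnet local users left over from the file transfer.
    if re.search(r"^ ?ftp server enable\s*$", config, re.M | re.I):
        findings.append(("global", "ftp-server-enabled"))
    for user, svc in re.findall(r"^ local-user (\S+) service-type (.+)$", config, re.M):
        findings += [(f"local-user {user}", f"cleartext-service-{s}")
                     for s in svc.split() if s in ("telnet", "ftp")]
    return findings

if __name__ == "__main__":
    for scope, finding in audit(SAMPLE_CONFIG):
        print(f"{scope}: {finding}")
```

Run it against the decompressed text of the configuration file; the saved file stores passwords as cipher text, so the sample passwords used in this document cannot be detected this way and must be changed by hand.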
2.3 Recovering the BootROM Password
The BootROM is the basis for device security and maintenance, and provides functions such as configuration recovery and system software upgrade. You must keep the BootROM password secure. If the BootROM password is lost, you can run the reset boot password command to restore the default password and reset the password.
To reset the BootROM password through the BootROM menu, you must connect to the console port and log in to the device through the console port.
In any view, restore the default BootROM password Admin@huawei.com.
<HUAWEI> reset boot password
The password used to enter the boot menu by clicking Ctrl+B or Ctrl+E will be restored to the default password, continue? [Y/N]y
Info: Succeeded in setting password of boot to "Admin@huawei.com".
NOTE:
The reset boot password command is only supported after V100R006C03. The default password for versions earlier than V100R006C03 is huawei, and the default password for V100R006C03 and later versions is Admin@huawei.com.
For security, change the default password.
Change the BootROM password using the following methods:
- Run the bootrom password change command in the system view and change the BootROM password.
<HUAWEI> system-view
[HUAWEI] bootrom password change
Old Password: //Enter the old password.
New Password(6 to 79 chars): //Enter the new password.
Confirm Password(6 to 79 chars): //Confirm the new password.
NOTICE:
To downgrade the system software to V200R008 or an earlier version, you must run the reset boot password command to restore the default BootROM password first and then specify the system software. Otherwise, the BootROM password may not be used or a fault occurs on the switch. If the BootROM password cannot be used after the downgrade, run the reset boot password command to restore the default BootROM password again.
- Change the BootROM password in the BootROM menu. Run the reboot command to restart the device. When the message "Press Ctrl+B to enter BootROM menu..." (in V200R002 and V200R003) or "Press Ctrl+B or Ctrl+E to enter BootROM menu..." (in V200R005 and later versions) is displayed, press Ctrl+B or Ctrl+E and enter the default password to enter the BootROM main menu.
In V200R006 and earlier versions, select 6 in the BootROM main menu and change the BootROM password. The display is as follows:
BOOTROM MENU

1. Boot with default mode
2. Enter serial submenu
3. Enter startup submenu
4. Enter ethernet submenu
5. Enter filesystem submenu
6. Modify BOOTROM password
7. Clear password for console user
8. Reboot

Enter your choice(1-8):6 //Select 6 and change the BootROM password.
Old password: //Enter the old BootROM password. The default password is Admin@huawei.com.
New password: //Enter the new BootROM password.
Verify: //Confirm the new BootROM password.
Save password to Flash...OK!
Save backup password to Flash...OK!
In V200R007 and later versions, select 1 in the password submenu and change the BootROM password. The display is as follows:
BootROM MENU

1. Boot with default mode
2. Enter serial submenu
3. Enter startup submenu
4. Enter ethernet submenu
5. Enter filesystem submenu
6. Enter password submenu
7. Clear password for console user
8. Reboot
(Press Ctrl+E to enter diag menu)

Enter your choice(1-8): 6 //Select 6 to enter the password submenu.

PASSWORD SUBMENU

1. Modify BootROM password
2. Reset BootROM password
3. Return to main menu

Enter your choice(1-3): 1 //Select 1 and change the BootROM password.
Old password: //Enter the old BootROM password. The default password is Admin@huawei.com.
New password: //Enter the new BootROM password.
Verify: //Confirm the new BootROM password.
Save password to Flash...OK!
Save backup password to Flash...OK!