Our previous article shows how to perform a password recovery on the Cisco Catalyst switches. This article will now explain how to disable or enable the Cisco password recovery service allowing network engineers and administrators to further secure their Cisco equipment.
The password recovery mechanism is enabled by default which means anyone with physical access to the switch is able to initiate the process and gain access to the switch or stack’s configuration. In some environments this might be a major security concern which is why Cisco provides the option to disable the password recovery mechanism.
In cases where the mechanism is disabled the only option available to gain access to the switch is to delete its startup configuration.
How to Disable or Enable the Password Recovery Service on Cisco Catalyst Switches
Disabling the password recovery mechanism is achieved by using the no service password-recovery command in global configuration mode as shown below:
3750-X-Stack1 (config) # no service password-recovery
Note: When applying the no service password-recovery command on the stack master, the command is propagated to all stack members, making it impossible to perform a password recovery on any switch part of a stack.
When trying to initiate the password recovery process on a switch or stack that has the mechanism disabled, the user will receive the following message:
The password-recovery mechanism has been triggered, but is currently disabled. Access to the boot loader prompt through the password-recovery mechanism is disallowed at this point. However, if you agree to let the system be reset back to the default system configuration, access to the boot loader prompt can still be allowed.
Would you like to reset the system back to the default configuration (y/n)?
Answering “y” at the prompt will wipe the current startup configuration from the switch.
To enable the password recovery mechanism, simply enter service password-recovery in global configuration mode:
3750-X-Stack1 (config) # service password-recovery
Once all configuration changes are complete, don’t forget to save the configuration.
This article explained the usage of the Cisco password recovery mechanism on Cisco Catalyst switches. We showed how network engineers and administrators can disable the recovery mechanism to increase their security and stop unauthorized people from gaining access to their configuration files and even user account credentials. More technical articles on Cisco Catalyst switches can be found in our Cisco Catalyst Switches section.