H3C Series Ethernet Switches Login Password Recovery Manual (V1.01)


Introduction to H3C Switch Login Passwords

This document describes how to recover or change login passwords for the H3C switches listed in the table below.

 

Applicable products

S5820X series
S5810 series
S5800 series
S5600 series
S5510 series
S5500-EI series
S5500-SI series
S5120-SI series
S5120-EI series
S5100-EI series
S5100-SI series
S3610 series
S3600-EI series
S3600-SI series
S3100-EI series
S3100-SI series
S3100-52P

• For how to recover passwords for other H3C switches, refer to the corresponding installation manuals or contact your H3C agent.
• Support for the methods of recovering passwords depends on the device model.
• The application scope of this document is subject to change without notice.

 

Console Login Password

Console login is the most basic method to log in to a switch locally, and is also the prerequisite for other login methods. Connect the serial port of your PC to the console port of the H3C switch, and then you can use the terminal emulation program on your PC to configure and manage the switch.

By default, you can log in to the H3C switch locally through the console port only.

To protect the switch from unauthorized access through the console port, you can set a console login username and password.

The H3C switch supports three console login authentication methods:

• none: No authentication.
• password: Password authentication.
• scheme: Username and password authentication.

• The scheme authentication method comprises local authentication and RADIUS authentication. For details, refer to the AAA section in the corresponding operation manual.
• For details about the three authentication methods, refer to the operation manual and command manual of the specific device model.

 

With the password or scheme authentication method configured, the switch prompts you to enter the login authentication information when you log in through the console port.

• Login interface of the password authentication method

****************************************************************************
* Copyright (c) 2004-2010 Hangzhou H3C Tech. Co., Ltd. All rights reserved.*
* Without the owner's prior written consent,                               *
* no decompiling or reverse-engineering shall be allowed.                  *
****************************************************************************

User interface aux0 is available.

Press ENTER to get started.

Login authentication

Password:

• Login interface of the scheme authentication method (with the username admin)

****************************************************************************
* Copyright (c) 2004-2010 Hangzhou H3C Tech. Co., Ltd. All rights reserved.*
* Without the owner's prior written consent,                               *
* no decompiling or reverse-engineering shall be allowed.                  *
****************************************************************************

User interface aux0 is available.

Press ENTER to get started.

Login authentication

Username:admin
Password:

Telnet Login Password

Telnet offers a common method of remote login and management. You can telnet to a network device from any PC or terminal that can reach the device.

H3C switches support telnet. You can remotely manage an H3C switch via telnet, and prevent unauthorized access by setting the telnet username and password.

The H3C switch supports three telnet login authentication methods:

• none: No authentication.
• password: Password authentication.
• scheme: Username and password authentication.

• The scheme authentication method comprises local authentication and RADIUS authentication. For details, refer to the AAA section in the corresponding operation manual.
• For details about the three authentication methods, refer to the operation manual and command manual of the specific device model.

 

With the password or scheme authentication method configured, the switch prompts you to enter the login authentication information when you log in via telnet.

• Login interface of the password authentication method

******************************************************************************
* Copyright (c) 2004-2010 Hangzhou H3C Tech. Co., Ltd. All rights reserved.  *
* Without the owner's prior written consent,                                 *
* no decompiling or reverse-engineering shall be allowed.                    *
******************************************************************************

Login authentication

Password:

• Login interface of the scheme authentication method (with the username admin)

******************************************************************************
* Copyright (c) 2004-2010 Hangzhou H3C Tech. Co., Ltd. All rights reserved.  *
* Without the owner's prior written consent,                                 *
* no decompiling or reverse-engineering shall be allowed.                    *
******************************************************************************

Login authentication

Username:admin
Password:

User Level Switching Password

You can temporarily change the user level of the current login by entering the user level switching password, which lets you flexibly control the privileges of the current user. The change is effective for the current login only.

• To prevent inadvertent operations, you are recommended to log in as a low-level user, and switch to a higher user level for device maintenance.
• To protect the switch configuration, you can switch to a lower user level when you hand the switch over to someone else to manage.

Local or RADIUS authentication of the scheme authentication method can be used for switching between user levels. Thus, you must set the user level switching password on the local device or RADIUS server.

For example, a level 0 user can use the following commands only:

<H3C> ?
User view commands:
  cluster  Run cluster command
  display  Display current system information
  ping     Ping function
  quit     Exit from current command view
  ssh2     Establish a secure shell client connection
  super    Set the current user priority level
  telnet   Establish one TELNET connection
  tracert  Trace route function

Use the super command and enter the password to switch the current user level to 2.

<H3C> super 2
 Password:
User privilege level is 2, and only those commands can be used
whose level is equal or less than this.
Privilege note: 0-VISIT, 1-MONITOR, 2-SYSTEM, 3-MANAGE

Then you can use all commands except the management level commands.

<H3C> ?
User view commands:
  backup         Backup next startup-configuration file to TFTP server
  cluster        Run cluster command
  debugging      Enable system debugging functions
  display        Display current system information
  free           Clear user terminal interface
  mtracert       Trace route to multicast source
  ntdp           Run NTDP commands
  ping           Ping function
  quit           Exit from current command view
  refresh        Do soft reset
  reset          Reset operation
  save           Save current configuration
  screen-length  Specify the lines displayed on one screen
  send           Send information to other user terminal interface
  ssh2           Establish a secure shell client connection
  stack          Switch stack system
  super          Set the current user priority level
  system-view    Enter the System View
  telnet         Establish one TELNET connection
  terminal       Set the terminal line characteristics
  tracert        Trace route function
  undo           Cancel current setting
<H3C>

Boot ROM Password

Boot ROM is a power-on self test (POST) program that initializes hardware and displays hardware information. The Boot ROM menu is the interface for human-computer interactions. It provides functions such as software loading and file management.

Press Ctrl + B when the following output is displayed, and then you are prompted to enter the Boot ROM password.

Starting......

            ***********************************************************
            *                                                         *
            *        H3C S5500-28C-PWR-EI BOOTROM, Version 509        *
            *                                                         *
            ***********************************************************
            Copyright (c) 2004-2009 Hangzhou H3C Tech. Co., Ltd.
            Creation date   : Jan  9 2009, 10:44:09
            CPU Clock Speed : 533MHz
            BUS Clock Speed : 133MHz
            Memory Size     : 256MB
            Mac Address     : 002389294f70


Press Ctrl-B to enter Boot Menu... 1
Password:

By default, there is no Boot ROM password. After the correct password is provided, the Boot ROM menu is displayed as follows:

   BOOT  MENU

1. Download application file to flash
2. Select application file to boot
3. Display all files in flash
4. Delete file from flash
5. Modify bootrom password
6. Enter bootrom upgrade menu
7. Skip current configuration file
8. Set bootrom password recovery
9. Set switch startup mode
0. Reboot

Enter your choice(0-9):

You can select 5 to set the Boot ROM password.

Web NMS Login Password

The H3C switch has a built-in Web server. It enables you to log in to the switch from a web network management system (NMS) terminal (PC) to manage and maintain the switch through the web interface.

To control access to the switch, you are recommended to configure a login username and password.

Figure 1-1 shows the web NMS login page.

Figure 1-1 Web NMS login page

 

The web NMS login page varies with the device model.

 


H3C Switch Login Password Recovery

Console Login Password Recovery

 

• The password recovery method described in this section applies to the password authentication method and local authentication of the scheme authentication method. In RADIUS authentication of the scheme authentication method, login passwords are configured on the RADIUS server. If you fail to log in to the RADIUS server due to password loss or RADIUS server failure, you are recommended to contact the administrator to obtain a new login password.
• If the switch is enabled with the password control function, the console login password is not displayed in the configuration file. Disable this function before performing the following operations.

 

If the console login password is lost, you can select Skip current configuration file in the Boot ROM menu to recover the password. To do that, follow these steps:

1) Use a configuration cable to connect the serial port of your PC to the console port of the H3C switch, and then you can display the login interface through the terminal emulation program. Table 2-1 shows the default settings of the console port.

Table 2-1 Default setting of the console port

Item          Default setting
Baud rate     9600 bps
Flow control  None
Parity        None
Stop bits     1
Data bits     8

 

2) Restart the switch.

3) When the following output appears, press Ctrl + B and enter the Boot ROM password as prompted to enter the Boot ROM menu.

Starting......

            ***********************************************************
            *                                                         *
            *        H3C S5500-28C-PWR-EI BOOTROM, Version 509        *
            *                                                         *
            ***********************************************************
            Copyright (c) 2004-2009 Hangzhou H3C Tech. Co., Ltd.
            Creation date   : Jan  9 2009, 10:44:09
            CPU Clock Speed : 533MHz
            BUS Clock Speed : 133MHz
            Memory Size     : 256MB
            Mac Address     : 002389294f70


Press Ctrl-B to enter Boot Menu... 1
Password:

 

By default, the H3C switch does not have a Boot ROM password. If you have lost your Boot ROM password, recover the password as described in Boot ROM Password Recovery.

 

4) Select 7 in the Boot ROM menu and type y to confirm your operation.

         BOOT  MENU

1. Download application file to flash
2. Select application file to boot
3. Display all files in flash
4. Delete file from flash
5. Modify bootrom password
6. Enter bootrom upgrade menu
7. Skip current configuration file
8. Set bootrom password recovery
9. Set switch startup mode
0. Reboot

Enter your choice(0-9): 7
The current setting is running configuration file when reboot.
Are you sure to skip current configuration file when reboot? Yes or No(Y/N) y
Setting......done!

5) When you return to the Boot ROM menu, select 0 to restart the switch.

         BOOT  MENU

1. Download application file to flash
2. Select application file to boot
3. Display all files in flash
4. Delete file from flash
5. Modify bootrom password
6. Enter bootrom upgrade menu
7. Skip current configuration file
8. Set bootrom password recovery
9. Set switch startup mode
0. Reboot

Enter your choice(0-9): 0
^@System rebooting...

6) The switch skips the configuration file at the next startup and allows you to log in without providing the password.

****************************************************************************
* Copyright (c) 2004-2010 Hangzhou H3C Tech. Co., Ltd. All rights reserved.*
* Without the owner's prior written consent,                               *
* no decompiling or reverse-engineering shall be allowed.                  *
****************************************************************************

Configuration file is skipped.
User interface aux0 is available.



Press ENTER to get started.
<H3C>

7) At the command line interface (CLI), use the display startup command to view the startup configuration file, and use the more command to view the console login password in the configuration file.

<H3C> display startup
  Current startup saved-configuration file:          NULL
  Next startup saved-configuration file:             flash:/startup.cfg
<H3C> more startup.cfg

• If the password authentication method is used, pay attention to the console login password configuration commands, which are gray highlighted.

The password is displayed in plain text:

#
user-interface aux 0
 authentication-mode password
 set authentication password simple test

The password is displayed in cipher text:

#
user-interface aux 0
 authentication-mode password
 set authentication password cipher .]@USE=B,53Q=^Q`MAF4<1!!

A plain text password is directly displayed in the set authentication password simple command, and you can use or change it. A cipher text password is converted into cipher text characters, and you are recommended to change it.

 

• If the scheme authentication method is used, pay attention to the local username and password configuration commands, which are gray highlighted. The username is admin in this example.

The password is displayed in plain text:

#
local-user admin
 password simple 123
 service-type terminal

The password is displayed in cipher text:

#
local-user admin
 password cipher 7-CZB#/YX]KQ=^Q`MAF4<1!!
 service-type terminal

• If the switch has multiple local users, view the configuration of the terminal user configured with the service-type terminal command.
• A plain text password is directly displayed in the password simple command, and you can use or change it. A cipher text password is converted into cipher text characters, and you are recommended to change it.

 

8) Use the copy command to back up the configuration file. In this example, the backup file is named startup_bak.cfg.

<H3C> copy startup.cfg startup_bak.cfg
Copy flash:/startup.cfg to flash:/startup_bak.cfg?[Y/N]:y
.......
%Copy file flash:/startup.cfg to flash:/startup_bak.cfg...Done.

9) You can use File Transfer Protocol (FTP) or Trivial File Transfer Protocol (TFTP) to transfer the configuration file to your PC, and edit the file in a text editor such as Windows Notepad or WordPad by using any of the following methods:

• Change the keyword of the authentication-mode command to none.
• Change keyword cipher of the set authentication password command to simple, and type a new password (for the password authentication method).
• Change keyword cipher of the password command to simple, and type a new password (for the scheme authentication method).

The none authentication method is for temporary login only. To ensure device security, change the authentication method as soon as possible.

10) Upload the configuration file to the switch to replace the existing configuration file. Then the switch uses the new configuration file at the next startup, and allows you to log in with the new password. Meanwhile, other configurations are retained.

Telnet Login Password Recovery

 

• The password recovery method described in this section applies to the password authentication method and local authentication of the scheme authentication method. In RADIUS authentication of the scheme authentication method, login passwords are configured on the RADIUS server. If you fail to log in to the RADIUS server due to password loss or RADIUS server failure, you are recommended to contact the administrator to obtain a new login password.
• If the switch is enabled with the password control function, the telnet login password is not displayed in the configuration file. Disable this function before performing the following operations.

 

If the telnet login password is lost, you can log in to the console through the console port to display and change the telnet login password.

1) Use a configuration cable to connect the serial port of your PC to the console port of the H3C switch, configure the terminal emulation program, and log in to the console. For the settings of the terminal emulation program, refer to Table 2-1.

2) Use the display current-configuration command to view the telnet authentication configuration.

• If the password authentication method is used, pay attention to the telnet password configuration command, which is gray highlighted.

<H3C> display current-configuration | begin user-interface
user-interface aux 0
 set authentication password simple test
user-interface vty 0 4
 user privilege level 3
 set authentication password simple h3c
 idle-timeout 0 0
#

• With the | begin user-interface parameter specified, the display current-configuration command displays the line that matches the user-interface character string and all the subsequent lines. This parameter helps you quickly locate the user interface configuration in the configuration file. For detailed information about the regular expression in display commands, refer to the operation manuals of the switches.
• If the configuration file contains no authentication-mode information, the authentication method is password, which is the default authentication method of the telnet (VTY) user interface.
• For a plain text password, you can use or change it. For a cipher text password, you are recommended to change it.

 

• If the scheme authentication method is used, pay attention to the telnet password configuration commands, which are gray highlighted.

<H3C> display current-configuration | begin local-user
local-user abc
 password simple 123
 service-type telnet
local-user admin
 password cipher 7-CZB#/YX]KQ=^Q`MAF4<1!!
 service-type telnet terminal

• For a plain text password, you can use or change it. For a cipher text password, you are recommended to change it.
• If the switch has multiple local users, view the configuration of the telnet user configured with the service-type telnet or service-type telnet terminal command.

 

3) Change the authentication method and password.

• If the password is displayed in plain text, you can telnet to the device by entering the password (for the password authentication method) or username and password (for the scheme authentication method).

• If you want to change the telnet login authentication method, use the authentication-mode command in user interface view. For example, change the telnet authentication method to none as follows:

<H3C> system-view
[H3C] user-interface vty 0 4
[H3C-ui-vty0-4] authentication-mode none

• If you want to change the login password for the password authentication method, use the set authentication password command to change the password. For example, change the password to new as follows:

<H3C> system-view
[H3C] user-interface vty 0 4
[H3C-ui-vty0-4] set authentication password simple new

• If you want to change the login password of a user in the scheme authentication method, use the password command in local user view. For example, change the password of the user admin to new as follows:

<H3C> system-view
[H3C] local-user admin
[H3C-luser-admin] password simple new

When the preceding configuration is complete, you can use the new password and authentication method for the next telnet login.

• The none authentication method is for temporary login only. To ensure device security, change the authentication method as soon as possible.
• After the preceding configuration is complete, save the configuration with the save command. Otherwise, the switch may require you to use the former password and authentication method for login.
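A post-recovery check for the settings these procedures can leave behind, as an added example that is not part of the H3C manual: it scans a configuration file for authentication-mode none and for passwords stored with the simple keyword, and reports findings without echoing the password values. The sample configuration is constructed, the function and finding names are chosen here, and the VTY default of password is taken from the note above; the console default is not stated in this manual and is reported as unspecified.

```python
import re
from collections import namedtuple

Finding = namedtuple("Finding", "line section code")

# Constructed sample (not from a real device); it uses only commands shown in this manual.
SAMPLE_CFG = """\
#
 super password level 3 simple 123
#
local-user admin
 password simple 123
 service-type telnet terminal
local-user ops
 password cipher PLACEHOLDER-CIPHER-TEXT
 service-type telnet
#
user-interface aux 0
 authentication-mode password
 set authentication password cipher PLACEHOLDER-CIPHER-TEXT
user-interface vty 0 4
 authentication-mode none
 user privilege level 3
user-interface vty 5 15
 set authentication password simple h3c
#
"""

SECTION_RE = re.compile(r"^(user-interface|local-user)\s+\S")
MODE_RE = re.compile(r"^authentication-mode (\S+)$")
# (pattern on the stripped line, section type it must appear under, finding code)
RULES = [
    (re.compile(r"^set authentication password simple\s"), "user-interface",
     "plaintext-login-password"),
    (re.compile(r"^password simple\s"), "local-user",
     "plaintext-local-user-password"),
    (re.compile(r"^super password( level \d+)? simple\s"), None,
     "plaintext-super-password"),
    (re.compile(r"^authentication-mode none$"), "user-interface",
     "authentication-none"),
]


def audit_config(text):
    """Return (findings, modes) for an H3C configuration file given as text.

    findings: Finding tuples; the password value itself is never copied.
    modes: effective authentication mode per user-interface section.
    """
    findings, modes = [], {}
    section = None
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        if not raw[0].isspace():
            # "#" or any other unindented command closes the current section.
            section = line if SECTION_RE.match(line) else None
            if section:
                if section.startswith("user-interface"):
                    modes[section] = None
                continue
        mode = MODE_RE.match(line)
        if mode and section in modes:
            modes[section] = mode.group(1)
        for pattern, prefix, code in RULES:
            in_scope = prefix is None or (section or "").startswith(prefix)
            if in_scope and pattern.match(line):
                findings.append(Finding(number, section or "global", code))
    for name, mode in list(modes.items()):
        if mode is None:
            # Per the manual, a VTY interface without authentication-mode uses
            # password; the console default is not stated there.
            is_vty = name.startswith("user-interface vty")
            modes[name] = "password" if is_vty else "unspecified"
    return findings, modes


if __name__ == "__main__":
    found, effective = audit_config(SAMPLE_CFG)
    for item in found:
        print(f"line {item.line}: [{item.section}] {item.code}")
    for name, mode in effective.items():
        print(f"{name}: authentication-mode {mode}")
```

Run it against the file you are about to upload, and again against the saved configuration after the recovery, so a temporary none or simple setting does not stay in place.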

 

User Level Switching Password Recovery

 

If the switch is enabled with the password control function, the user level switching password is not displayed in the configuration file. Disable this function before performing the following operations.

 

1) The configuration procedure is similar to that of recovering the console login password. Configure the device to skip the configuration file at startup. For the detailed procedure, refer to Console Login Password Recovery.

2) After the configuration file is skipped, view the user level switching configuration in the startup configuration file.

• If local authentication is used for switching between user levels, pay attention to the commands for setting the user level switching password.

The password is displayed in plain text:

#
 super password level 2 simple 123
 super password level 3 simple 123

The password is displayed in cipher text:

#
 super password level 2 cipher 7-CZB#/YX]KQ=^Q`MAF4<1!!
 super password level 3 cipher AN$TBB7'VF3Q=^Q`MAF4<1!!

A plain text password is directly displayed in the super password command, and you can use or change it. A cipher text password is converted into cipher text characters, and you are recommended to change it.

• If the scheme authentication method is used, you are recommended to contact the RADIUS server administrator to obtain a new login password.

3) Use the copy command to back up the configuration file. In this example, the backup file is named startup_bak.cfg.

<H3C> copy startup.cfg startup_bak.cfg
Copy flash:/startup.cfg to flash:/startup_bak.cfg?[Y/N]:y
%Copy file flash:/startup.cfg to flash:/startup_bak.cfg...Done.

4) You can use FTP or TFTP to transfer the configuration file to your PC, and edit the file in a text editor such as Windows Notepad or WordPad by using any of the following methods:

• Change keyword cipher of the password command to simple, and type a new password (for the password authentication method).
• Delete the super authentication-mode scheme command to set local authentication for user level switching, and set a new password with the super password command (for the scheme authentication method, not recommended).

5) Upload the configuration file to the switch to replace the existing configuration file. Then the switch uses the new configuration file at the next startup, and allows you to switch between user levels with the new password. Meanwhile, other configurations are retained.

Boot ROM Password Recovery

 

Before performing the following operations, make sure that the Boot ROM password recovery function is enabled (default status). If you have disabled this function by selecting 8 in the Boot ROM menu, contact your H3C agent for password recovery.

 

Follow these steps to recover the Boot ROM password:

1) Use any of the following methods to obtain the MAC address of the switch:

• Use the display device manuinfo command.

<H3C> display device manuinfo
DEVICE_NAME          : S5500-28C-PWR-EI
DEVICE_SERIAL_NUMBER : 210235A254H096000016
MAC_ADDRESS          : 0023-8929-4F70
MANUFACTURING_DATE   : 2009-10-07
VENDOR_NAME          : H3C

• Reboot the switch and view its MAC address in the POST information.

            ***********************************************************
            *                                                         *
            *          H3C S5500-28C-EI BOOTROM, Version 510          *
            *                                                         *
            ***********************************************************
            Copyright (c) 2004-2009 Hangzhou H3C Tech. Co., Ltd.
            Creation date   : May 18 2009, 17:01:57
            CPU Clock Speed : 533MHz
            BUS Clock Speed : 133MHz
            Memory Size     : 256MB
            Mac Address     : 002389294F70

• Check the MAC address label on the chassis.

2) Contact the H3C customer service staff and provide the MAC address. Then you can obtain a Boot ROM super password.

3) Use this password to enter the Boot ROM menu, select 5 in the menu, and change the Boot ROM password.

   BOOT  MENU

1. Download application file to flash
2. Select application file to boot
3. Display all files in flash
4. Delete file from flash
5. Modify bootrom password
6. Enter bootrom upgrade menu
7. Skip current configuration file
8. Set bootrom password recovery
9. Set switch startup mode
0. Reboot

Enter your choice(0-9):5

Old password: ******(Type the super password.)
New password: ******
Confirm password: ******
Current password has been changed successfully!

Web NMS Login Password Recovery

 

If the switch is enabled with the password control function, the local user password is not displayed in the configuration file. Disable this function before performing the following operations.

 

Log in to the switch through the console port or telnet and then follow these steps to recover the web NMS login password:

1) Use the display current-configuration command to view the local username and password.

<H3C> display current-configuration | begin local-user
local-user abc
 password simple 123
 service-type telnet
local-user admin
 password cipher 7-CZB#/YX]KQ=^Q`MAF4<1!!
 service-type terminal telnet

• For a plain text password, you can use or change it. For a cipher text password, you are recommended to change it.
• If the switch has multiple local users, view the configuration of the telnet user configured with the service-type telnet or service-type terminal telnet command.

2) Change the password. In this example, the password of the user admin is changed to new.

<H3C> system-view
[H3C] local-user admin
[H3C-luser-admin] password simple new

Save the configuration. Then you can use the username admin and password new to log in to the switch through the web NMS.

 

 

 

Copyright © 2007-2010 Hangzhou H3C Technologies Co., Ltd. All rights reserved.
No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of Hangzhou H3C Technologies Co., Ltd.
The information in this document is subject to change without notice.