Cisco 3750G - how to reset or clear web login creds - AND DHCP question.

Still learning...
Some time ago I added web logon creds to this 3750G and I can't remember them. How can I clear those creds so they aren't needed or reset them to something I will write on the darn thing?
Switch>enable
Switch#show run
Building configuration...

Current configuration : 1486 bytes
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname Switch
boot-start-marker
boot-end-marker
no aaa new-model
switch 1 provision ws-c3750g-24ps
system mtu routing 1500
spanning-tree mode pvst
spanning-tree extend system-id
vlan internal allocation policy ascending
interface GigabitEthernet1/0/1
interface GigabitEthernet1/0/2
interface GigabitEthernet1/0/3
interface GigabitEthernet1/0/4
interface GigabitEthernet1/0/5
interface GigabitEthernet1/0/6
interface GigabitEthernet1/0/7
!...
interface GigabitEthernet1/0/28
!
interface Vlan1
 ip address 192.168.200.254 255.255.255.0
ip classless
ip http server
ip http secure-server
line con 0
line vty 5 15
end



Found a post that suggested a "Skinny" install meaning no GUI installed. If true - why a prompt? Can I add it?
Switch#dir
Directory of flash:/

    3  drwx         192   Mar 1 1993 00:19:54 +00:00  c3750-ipbasek9-mz.122-55.S         E11
  510  -rwx        1486  Mar 24 1993 20:55:35 +00:00  config.text
  511  -rwx          24  Mar 24 1993 20:55:35 +00:00  private-config.text
  512  -rwx        2072  Mar 24 1993 20:55:35 +00:00  multiple-fs

32514048 bytes total (16817152 bytes free)
Switch#



In addition, can this switch become a DHCP server? I don't believe so, as the docs mention considerations when the switch receives DHCP config - but nothing on creating them. But I need to ask. I will need a simple DHCP server for this assembly (SIP Phones using Free PBX) and using the switch would be ideal if it did work like that.
Salad-Dodger (Instrumentation) asked:
atlas_shuddered (Sr. Network Engineer) commented:
It looks like from your posts that you have CLI access.  If so, run the following:

show run | inc user



This will show you the list of usernames created on the switch. Assuming the user you want to change is different from the one you are using for CLI, run the following command (ex. user test):

config t
no username test
username test secret bilbobaggins
end
wr mem



Open an https session to the switch and test the new creds.

Regarding your DHCP question, the 3750 will run as a DHCP server but..., you have to have the DHCP service enabled on the switch and you will need an SVI on the switch to anchor the server to. You may also need a license version on the switch that permits layer three but I am not immediately sure on that one.
Salad-Dodger (Instrumentation, Author) commented:
no joy

inc user showed nothing - blank

using http I still get prompted for a password over and over
using https I get the following error message
192.168.200.254 uses an unsupported protocol.
ERR_SSL_VERSION_OR_CIPHER_MISMATCH



Is it possible that the GUI isn't installed at all?
JustInCase commented:
GUI access is possible on Cisco 3750 switch.
Generally http should be disabled, https should be used.

HTTP/HTTPs access is configured properly (you are missing authentication location, and you need privilege 15 account):

! configure user
!
username <username> privilege 15 secret <password>
!
! configure https access
!
ip http secure-server
ip http authentication local
!
! remove unsecured access
no ip http server
!
! to permit access only from specific location (in this case host 192.168.10.7)
!
access-list 54 permit 192.168.10.7
ip http access-class 54

 
3750 can be configured as DHCP server, however VoIP typically needs additional information, not just IP address, subnet mask and default gateway.


Salad-Dodger (Instrumentation, Author) commented:
Predrag, followed all but the last 2 lines. Didn't want to limit access just yet.
this is the result
Switch#show run
Building configuration...

Current configuration : 3220 bytes
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Switch
!
boot-start-marker
boot-end-marker
!
username MyName privilege 15 secret 5 $1$ewCx$YHhP16cM.Yb57yQh4C1VC/
!
no aaa new-model
switch 1 provision ws-c3750g-24ps
system mtu routing 1500
!
crypto pki trustpoint TP-self-signed-408...
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-408...
 revocation-check none
 rsakeypair TP-self-signed-408...
!
crypto pki certificate chain TP-self-signed-408...
 certificate self-signed 01
  3082023F 308201A8 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
 ...
  quit
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface GigabitEthernet1/0/1
...
interface GigabitEthernet1/0/28
!
interface Vlan1
 ip address 192.168.200.254 255.255.255.0
!
ip classless
no ip http server
ip http authentication local
ip http secure-server
!
line con 0
line vty 5 15


Now I don't get an authentication prompt from switch web page using HTTPS or HTTP. This is a change - but not the direction I hoped for :) Response says "uses an unsupported protocol" on https and refused to connect using http. Second one makes sense, that's what we told it to do.

DHCP - ALL I need is IP, Subnet and Gateway, if issuing OPTION 66 is available that would be icing on the cake, but I don't need anything else. These are just phones in a small office. I could configure the phones by hand if needed. I even considered using an old AP without a WAN connection to issue DHCP so my needs here are minimal. Can you show me how this is done? I have a sad feeling that I don't have the proper OS for this feature.
JustInCase commented:
Try to zeroize rsa key and recreate configuration - create hostname other than default. :)

crypto key zeroize rsa
!
! % All keys will be removed.
! % All router certs issued using these keys will also be removed.
! Do you really want to remove these keys? [yes/no]:
yes
!
no ip http server
no ip http authentication local
no ip http secure-server
!
! Then recreate configuration
!
hostname 3750
!
ip http server
ip http authentication local
ip http secure-server


atlas_shuddered (Sr. Network Engineer) commented:
Can you post the full config and contents of flash please?
Salad-Dodger (Instrumentation, Author) commented:
Got DHCP to work, and I can get to the switch GUI with HTTP (which will probably be fine once I add a PW to "enable" access) but still can't get HTTPS access and I would at least like to know why.

Maybe the SSL version in this switch is too old and the browser won't tolerate its use? The message is "ERR_SSL_VERSION_OR_CIPHER_MISMATCH" on the browser.

Current configuration : 2032 bytes
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname phoneswitch
!
boot-start-marker
boot-end-marker
!
username MyName privilege 15 secret 5 $1$...
!
no aaa new-model
switch 1 provision ws-c3750g-24ps
system mtu routing 1500
no ip dhcp conflict logging
ip dhcp excluded-address 192.168.200.1 192.168.200.200
ip dhcp excluded-address 192.168.200.250 192.168.200.254
ip dhcp pool Phones
   network 192.168.200.0 255.255.255.0
ip dhcp pool phones
   option 66 ip 192.168.200.200
!
crypto pki trustpoint TP-self-signed-4081810816
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-4081810816
 revocation-check none
 rsakeypair TP-self-signed-4081810816
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface GigabitEthernet1/0/1
...
interface GigabitEthernet1/0/28
!
interface Vlan1
 ip address 192.168.200.254 255.255.255.0
!
ip classless
ip http server
ip http authentication local
ip http secure-server
!
end



Flash DIR
Switch#dir
Directory of flash:/

    3  drwx         192   Mar 1 1993 00:19:54 +00:00  c3750-ipbasek9-mz.122-55.S         E11
  510  -rwx        1486  Mar 24 1993 20:55:35 +00:00  config.text
  511  -rwx          24  Mar 24 1993 20:55:35 +00:00  private-config.text
  512  -rwx        2072  Mar 24 1993 20:55:35 +00:00  multiple-fs

32514048 bytes total (16817152 bytes free)
Switch#


JustInCase commented:
ERR_SSL_VERSION_OR_CIPHER_MISMATCH could be a problem with the SSL from the switch being SSLv2.
Try the solutions from the article "ERR_SSL_VERSION_OR_CIPHER_MISMATCH – Explained With Solutions".

DHCP server options are typically configured under the same pool:
no ip dhcp pool phones
!
ip dhcp pool Phones
 network 192.168.200.0 255.255.255.0
 ! default gateway IP address
 default-router 192.168.200.254
 option 66 ip 192.168.200.200
 ! if you have multiple IP TFTP servers
 ! option 150 ip 192.168.200.200 192.168.200.199


• DHCP option 150 provides the IP addresses of a list of TFTP servers.

• DHCP option 66 gives the IP address or the hostname of a single TFTP server.
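
As an added example (not code from any poster in this thread or from Cisco), a small Python check that reads a saved `show run` and flags the two problems worked through above: the web-management settings JustInCase lists, and DHCP settings split across pools whose names differ only by case. The function name `audit_ios_config`, the finding codes and the sample text are assumptions made for illustration; the sample is constructed from the configs posted above.

```python
import re

def audit_ios_config(text):
    """Return sorted finding codes for a Cisco IOS running-config (added example)."""
    lines = [l.rstrip() for l in text.splitlines()]
    top = [l for l in lines if l and not l.startswith(" ")]  # global-mode commands
    findings = set()
    web = [l for l in top if l in ("ip http server", "ip http secure-server")]
    if "ip http server" in web:
        findings.add("http-cleartext-enabled")
    if web and "ip http authentication local" not in top:
        findings.add("http-auth-not-local")   # web login not tied to local usernames
    if web and not any(l.startswith("ip http access-class ") for l in top):
        findings.add("http-no-access-class")  # no source-address restriction
    if web and not any(re.match(r"username \S+ privilege 15 secret ", l) for l in top):
        findings.add("no-priv15-secret-user")
    # Collect DHCP pools with their indented sub-commands; pool names are case sensitive.
    pools, body = {}, None
    for l in lines:
        m = re.match(r"ip dhcp pool (\S+)$", l)
        if m:
            body = pools.setdefault(m.group(1), [])
        elif l.startswith(" ") and body is not None:
            body.append(l.strip())
        else:
            body = None  # any other global command ends the pool block
    names = [n.lower() for n in pools]
    if len(names) != len(set(names)):
        findings.add("dhcp-pool-name-case-collision")
    for cmds in pools.values():
        if not any(c.startswith("network ") for c in cmds):
            findings.add("dhcp-pool-without-network")
        elif not any(c.startswith("default-router ") for c in cmds):
            findings.add("dhcp-pool-without-default-router")
    return sorted(findings)

# Constructed sample, modelled on the intermediate config posted in the thread.
SAMPLE = """\
username MyName privilege 15 secret 5 $1$...
ip dhcp pool Phones
   network 192.168.200.0 255.255.255.0
ip dhcp pool phones
   option 66 ip 192.168.200.200
ip http server
ip http authentication local
ip http secure-server
"""

print(audit_ios_config(SAMPLE))
```
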
Salad-Dodger (Instrumentation, Author) commented:
Oh man, case sensitivity. When will I ever . . .
End result . . .

no ip dhcp conflict logging
ip dhcp excluded-address 192.168.200.1 192.168.200.200
ip dhcp excluded-address 192.168.200.250 192.168.200.254
!
ip dhcp pool Phones
   network 192.168.200.0 255.255.255.0
   default-router 192.168.200.254
   option 66 ip 192.168.200.200



As to your link on the error message - I tried this on IE, Chrome and Edge with the same result and your link suggests this is indeed a browser issue not a switch issue. I thought it might be however none of the info on that page suggests that the switch firmware is providing an SSL "flavor or version" that is deemed outdated/unreliable so is simply blocked by the browser- and you have not suggested that either.  Or are you?

If that is indeed the case I can just let it go and I can understand why this switch was for sale so reasonable. And I'm fine with that in this case, it's an isolated network anyway so little actual risk.  I'll follow up myself but if that's what you are suggesting I'd love to hear it.
JustInCase commented:
What is output from:
show version
atlas_shuddered (Sr. Network Engineer) commented:
Configure base aaa authentication
Salad-Dodger (Instrumentation, Author) commented:
Selecting SSL 3.0 in IE allowed access after 2 more warnings so I think my suspicion may be correct
Cisco IOS Software, C3750 Software (C3750-IPBASEK9-M), Version 12.2(55)SE11, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2016 by Cisco Systems, Inc.
Compiled Wed 17-Aug-16 13:28 by prod_rel_team
Image text-base: 0x01000000, data-base: 0x02D00000

ROM: Bootstrap program is C3750 boot loader
BOOTLDR: C3750 Boot Loader (C3750-HBOOT-M) Version 12.2(44)SE5, RELEASE SOFTWARE (fc1)

phoneswitch uptime is 3 weeks, 5 days, 5 hours, 20 minutes
System returned to ROM by power-on
System restarted at 19:04:32 UTC Mon Dec 4 2017
System image file is "flash:/c3750-ipbasek9-mz.122-55.SE11/c3750-ipbasek9-mz.122-55.SE11.bin"
cisco WS-C3750G-24PS (PowerPC405) processor (revision H0) with 131072K bytes of memory.
Processor board ID FOC1410Y21C
Last reset from power-on
1 Virtual Ethernet interface
28 Gigabit Ethernet interfaces
The password-recovery mechanism is enabled.
512K bytes of flash-simulated non-volatile configuration memory.
Motherboard assembly number     : 73-10217-08
Power supply part number        : 341-0108-04
Motherboard serial number       : FOC14102W2K
Power supply serial number      : DCA1408A59Y
Model revision number           : H0
Motherboard revision number     : C0
Model number                    : WS-C3750G-24PS-S
System serial number            : FOC1410Y21C
Top Assembly Part Number        : 800-26855-02
Top Assembly Revision Number    : E0
Version ID                      : V06
CLEI Code Number                : COMXD00ARA
Hardware Board Revision Number  : 0x09


Switch Ports Model              SW Version            SW Image
------ ----- -----              ----------            ----------
*    1 28    WS-C3750G-24PS     12.2(55)SE11          C3750-IPBASEK9-M
Configuration register is 0xF


JustInCase commented:
I am not sure why it is not working for you. I reset my home device to factory default settings and tested a minimum configuration on it, but my IOS version is 15.x and https is working as it should (I don't have a proper GUI but I can access what is there via https).

This was all that I configured on device:
Router(config)#ip dhcp pool POOL1
Router(dhcp-config)#network 192.168.1.0 255.255.255.0
Router(dhcp-config)#default-router 192.168.1.1
Router(dhcp-config)#interface vlan 1
Router(config-if)#ip add 192.168.1.1 255.255.255.0
Router(config-if)#no shut
Router(config-if)#ip http serv
Router(config)#ip http secure-server
% Generating 1024 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 1 seconds)
Router(config)#ip http authentication local
Router(config)#username home privilege 15 secret home


It was enough.

You can try to download a newer IOS image for your 3650 and upgrade it:
Cisco Download Center
Your device is 128/32 MB (RAM/FLASH).
In the case that you want to install IP BASE WITH WEB BASED DEV MGR - c3750-ipbasek9-tar.122-55.SE12.tar you will have to remove current IOS image before you can copy this one on flash ( flash on device: 32514048 bytes total (16817152 bytes free) - 32MB with 16MB free), but do not reload device until new IOS is on flash (otherwise you will have to copy image to flash from ROMMON). But, I would go for version without WEB BASED...
Salad-Dodger (Instrumentation, Author) commented:
Predrag,
I also suspect the old version is the issue here.  I looked at the DL page and the IPBASE... version is locked from me. I suspect that means they want money to DL it and it's not important enough in this case to spend more just to get an HTTPS gui.

Atlas_Shrugged,
What will AAA do here? My searching of AAA gives me the impression that AAA is mostly about connection with another server for accounting purposes and other forms of authentication.  I freely admit my ignorance on the subject, but this switch will be isolated with no other server connected to it. Just a FreePBX box and phones.
atlas_shuddered (Sr. Network Engineer) commented:
It defines three things: authentication, authorization and accounting. Authentication and authorization are what you are primarily concerned with. I'm thinking it may help you sidestep the default logon process and get you clear.
JustInCase commented:
Generally, AAA can be tested, but most likely it will not change anything, since it will actually be configured as local authentication or fall back to the local authentication method.
Salad-Dodger (Instrumentation, Author) commented:
Thank you very much for the help.
JustInCase commented:
You're welcome.