Mac
asked on
Cisco 3750G - how to reset or clear web login creds - AND DHCP question.
Still learning...
Some time ago I added web logon creds to this 3750G and I can't remember them. How can I clear those creds so they aren't needed or reset them to something I will write on the darn thing?
Switch>enable
Switch#show run
Building configuration...
Current configuration : 1486 bytes
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname Switch
boot-start-marker
boot-end-marker
no aaa new-model
switch 1 provision ws-c3750g-24ps
system mtu routing 1500
spanning-tree mode pvst
spanning-tree extend system-id
vlan internal allocation policy ascending
interface GigabitEthernet1/0/1
interface GigabitEthernet1/0/2
interface GigabitEthernet1/0/3
interface GigabitEthernet1/0/4
interface GigabitEthernet1/0/5
interface GigabitEthernet1/0/6
interface GigabitEthernet1/0/7
!...
interface GigabitEthernet1/0/28
!
interface Vlan1
ip address 192.168.200.254 255.255.255.0
ip classless
ip http server
ip http secure-server
line con 0
line vty 5 15
end
Found a post that suggested a "Skinny" install meaning no GUI installed. If true - why a prompt? Can I add it?
Switch#dir
Directory of flash:/
3 drwx 192 Mar 1 1993 00:19:54 +00:00 c3750-ipbasek9-mz.122-55.SE11
510 -rwx 1486 Mar 24 1993 20:55:35 +00:00 config.text
511 -rwx 24 Mar 24 1993 20:55:35 +00:00 private-config.text
512 -rwx 2072 Mar 24 1993 20:55:35 +00:00 multiple-fs
32514048 bytes total (16817152 bytes free)
Switch#
In addition, can this switch become a DHCP server? I don't believe so, as the docs mention considerations when the switch receives DHCP config - but nothing on creating them. But I need to ask. I will need a simple DHCP server for this assembly (SIP Phones using Free PBX) and using the switch would be ideal if it did work like that.
ASKER
no joy
inc user showed nothing - blank
using http I still get prompted for a password over and over
using https I get the following error message
192.168.200.254 uses an unsupported protocol.
ERR_SSL_VERSION_OR_CIPHER_MISMATCH
Is it possible that the GUI isn't installed at all?
ASKER
Predrag, followed all but the last 2 lines. Didn't want to limit access just yet.
this is the result
Switch#show run
Building configuration...
Current configuration : 3220 bytes
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Switch
!
boot-start-marker
boot-end-marker
!
username MyName privilege 15 secret 5 $1$ewCx$YHhP16cM.Yb57yQh4C1VC/
!
no aaa new-model
switch 1 provision ws-c3750g-24ps
system mtu routing 1500
!
crypto pki trustpoint TP-self-signed-408...
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-408...
revocation-check none
rsakeypair TP-self-signed-408...
!
crypto pki certificate chain TP-self-signed-408...
certificate self-signed 01
3082023F 308201A8 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
...
quit
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface GigabitEthernet1/0/1
...
interface GigabitEthernet1/0/28
!
interface Vlan1
ip address 192.168.200.254 255.255.255.0
!
ip classless
no ip http server
ip http authentication local
ip http secure-server
!
line con 0
line vty 5 15
Now I don't get an authentication prompt from the switch web page using HTTPS or HTTP. This is a change - but not the direction I hoped for :) Response says "uses an unsupported protocol" on https and refused to connect using http. Second one makes sense, that's what we told it to do.
DHCP - ALL I need is IP, Subnet and Gateway, if issuing OPTION 66 is available that would be icing on the cake, but I don't need anything else. These are just phones in a small office. I could configure the phones by hand if needed. I even considered using an old AP without a wan connection to issue DHCP so my needs here are minimal. Can you show me how this is done? I have a sad feeling that I don't have the proper OS for this feature.
Can you post the full config and contents of flash please?
ASKER
Got DHCP to work, and I can get to the switch GUI with HTTP (which will probably be fine once I add a PW to "enable" access) but still can't get HTTPS access and I would at least like to know why.
Maybe the SSL version in this switch is too old and the browser won't tolerate its use? The message is "ERR_SSL_VERSION_OR_CIPHER_MISMATCH" on the browser.
Current configuration : 2032 bytes
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname phoneswitch
!
boot-start-marker
boot-end-marker
!
username MyName privilege 15 secret 5 $1$...
!
no aaa new-model
switch 1 provision ws-c3750g-24ps
system mtu routing 1500
no ip dhcp conflict logging
ip dhcp excluded-address 192.168.200.1 192.168.200.200
ip dhcp excluded-address 192.168.200.250 192.168.200.254
ip dhcp pool Phones
network 192.168.200.0 255.255.255.0
ip dhcp pool phones
option 66 ip 192.168.200.200
!
crypto pki trustpoint TP-self-signed-4081810816
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-4081810816
revocation-check none
rsakeypair TP-self-signed-4081810816
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface GigabitEthernet1/0/1
...
interface GigabitEthernet1/0/28
!
interface Vlan1
ip address 192.168.200.254 255.255.255.0
!
ip classless
ip http server
ip http authentication local
ip http secure-server
!
end
Flash DIR
Switch#dir
Directory of flash:/
3 drwx 192 Mar 1 1993 00:19:54 +00:00 c3750-ipbasek9-mz.122-55.SE11
510 -rwx 1486 Mar 24 1993 20:55:35 +00:00 config.text
511 -rwx 24 Mar 24 1993 20:55:35 +00:00 private-config.text
512 -rwx 2072 Mar 24 1993 20:55:35 +00:00 multiple-fs
32514048 bytes total (16817152 bytes free)
Switch#
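The three running-configs posted in this thread differ in only a few `ip http` and `username` lines. The audit below is an added example, not code from the thread: it reports what each combination means for web-management access. The inputs are constructed excerpts with the hash replaced by a placeholder, and the default login method is an assumption noted in the code.

```python
import re

# Constructed excerpts: only the management-plane lines of the three
# running-configs posted in this thread, in the order they were posted.
FIRST = "ip http server\nip http secure-server\nline con 0\nline vty 5 15\n"
SECOND = ("username MyName privilege 15 secret 5 <hash>\n"
          "no ip http server\nip http authentication local\n"
          "ip http secure-server\n")
THIRD = ("username MyName privilege 15 secret 5 <hash>\n"
         "ip http server\nip http authentication local\n"
         "ip http secure-server\n")


def audit_http_mgmt(config):
    """Return findings about web-management access in an IOS config."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]

    def has(pattern):
        return any(re.fullmatch(pattern, l) for l in lines)

    http, https = has(r"ip http server"), has(r"ip http secure-server")
    if not (http or https):
        return ["web management is disabled"]
    findings = []
    if http:
        findings.append("cleartext HTTP management is enabled")
    # Assumption: with no 'ip http authentication' line, IOS checks the
    # enable password (the documented default method is 'enable').
    method = "enable"
    for l in lines:
        m = re.match(r"ip http authentication (\S+)", l)
        if m:
            method = m.group(1)
    if method == "enable" and not has(r"enable (secret|password) .+"):
        findings.append("login method is 'enable' but no enable secret or password is set")
    if method == "local":
        users = [l for l in lines if l.startswith("username ")]
        if not any(" privilege 15 " in u for u in users):
            findings.append("login method is 'local' but no privilege 15 user exists")
        if any(" password " in u for u in users):
            findings.append("local user stored with 'password' instead of 'secret'")
    return findings
```
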
ASKER
Oh man, case sensitivity. When will I ever . . .
End result . . .
no ip dhcp conflict logging
ip dhcp excluded-address 192.168.200.1 192.168.200.200
ip dhcp excluded-address 192.168.200.250 192.168.200.254
!
ip dhcp pool Phones
network 192.168.200.0 255.255.255.0
default-router 192.168.200.254
option 66 ip 192.168.200.200
As to your link on the error message - I tried this on IE, Chrome and Edge with the same result and your link suggests this is indeed a browser issue not a switch issue. I thought it might be; however, none of the info on that page suggests that the switch firmware is providing an SSL "flavor or version" that is deemed outdated/unreliable so is simply blocked by the browser - and you have not suggested that either. Or are you?
If that is indeed the case I can just let it go and I can understand why this switch was for sale so reasonable. And I'm fine with that in this case, it's an isolated network anyway so little actual risk. I'll follow up myself but if that's what you are suggesting I'd love to hear it.
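A lint for the case-sensitivity mistake acknowledged above, where `Phones` and `phones` became two separate pools. This is an added example, not code from the thread; the sample configs are constructed from the posted lines, and the set of recognised pool sub-commands is an assumption of the sketch.

```python
from collections import defaultdict

# Constructed input: the DHCP lines of the earlier running-config in this
# thread, re-indented the way "show running-config" prints them.
BROKEN = """\
ip dhcp excluded-address 192.168.200.1 192.168.200.200
ip dhcp pool Phones
 network 192.168.200.0 255.255.255.0
ip dhcp pool phones
 option 66 ip 192.168.200.200
!
"""
# Constructed input: the "End result" pool from the post above.
FIXED = """\
ip dhcp pool Phones
 network 192.168.200.0 255.255.255.0
 default-router 192.168.200.254
 option 66 ip 192.168.200.200
"""
# Pool sub-commands this sketch recognises (a subset, chosen for the example).
POOL_CMDS = {"network", "host", "default-router", "option", "dns-server", "lease"}

def parse_pools(config):
    """Map each pool name, case preserved, to the sub-commands under it."""
    pools, current = {}, None
    for line in config.splitlines():
        words = line.split()
        if words[:3] == ["ip", "dhcp", "pool"] and len(words) == 4:
            current = words[3]
            pools.setdefault(current, [])
        elif current is not None and words and words[0] in POOL_CMDS:
            pools[current].append(words[0])
        elif words:
            current = None  # any other top-level line ends the pool block
    return pools

def lint_pools(config):
    """Return findings for case-only name clashes and incomplete pools."""
    pools, findings, folded = parse_pools(config), [], defaultdict(list)
    for name in pools:
        folded[name.lower()].append(name)
    for names in folded.values():
        if len(names) > 1:
            findings.append("names differ only by case: " + ", ".join(sorted(names)))
    for name, cmds in pools.items():
        if "network" not in cmds and "host" not in cmds:
            findings.append(f"pool {name}: no network statement")
        elif "default-router" not in cmds:
            findings.append(f"pool {name}: no default-router")
    return findings
```
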
What is output from:
show version
Configure base aaa authentication
ASKER
Selecting SSL 3.0 in IE allowed access after 2 more warnings so I think my suspicion may be correct
Cisco IOS Software, C3750 Software (C3750-IPBASEK9-M), Version 12.2(55)SE11, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2016 by Cisco Systems, Inc.
Compiled Wed 17-Aug-16 13:28 by prod_rel_team
Image text-base: 0x01000000, data-base: 0x02D00000
ROM: Bootstrap program is C3750 boot loader
BOOTLDR: C3750 Boot Loader (C3750-HBOOT-M) Version 12.2(44)SE5, RELEASE SOFTWARE (fc1)
phoneswitch uptime is 3 weeks, 5 days, 5 hours, 20 minutes
System returned to ROM by power-on
System restarted at 19:04:32 UTC Mon Dec 4 2017
System image file is "flash:/c3750-ipbasek9-mz.122-55.SE11/c3750-ipbasek9-mz.122-55.SE11.bin"
cisco WS-C3750G-24PS (PowerPC405) processor (revision H0) with 131072K bytes of memory.
Processor board ID FOC1410Y21C
Last reset from power-on
1 Virtual Ethernet interface
28 Gigabit Ethernet interfaces
The password-recovery mechanism is enabled.
512K bytes of flash-simulated non-volatile configuration memory.
Motherboard assembly number : 73-10217-08
Power supply part number : 341-0108-04
Motherboard serial number : FOC14102W2K
Power supply serial number : DCA1408A59Y
Model revision number : H0
Motherboard revision number : C0
Model number : WS-C3750G-24PS-S
System serial number : FOC1410Y21C
Top Assembly Part Number : 800-26855-02
Top Assembly Revision Number : E0
Version ID : V06
CLEI Code Number : COMXD00ARA
Hardware Board Revision Number : 0x09
Switch Ports Model SW Version SW Image
------ ----- ----- ---------- ----------
* 1 28 WS-C3750G-24PS 12.2(55)SE11 C3750-IPBASEK9-M
Configuration register is 0xF
I am not sure why it is not working for you. I reset my home device to factory default settings and tested a minimum configuration on it, but my IOS version is 15.x and https is working as it should (I don't have the proper GUI but I can access what is there via https).
This was all that I configured on device:
Router(config)#ip dhcp pool POOL1
Router(dhcp-config)#network 192.168.1.0 255.255.255.0
Router(dhcp-config)#default-router 192.168.1.1
Router(dhcp-config)#interface vlan 1
Router(config-if)#ip add 192.168.1.1 255.255.255.0
Router(config-if)#no shut
Router(config-if)#ip http serv
Router(config)#ip http secure-server
% Generating 1024 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 1 seconds)
Router(config)#ip http authentication local
Router(config)#username home privilege 15 secret home
It was enough.
You can try to download newer IOS image for your 3650 and upgrade it:
Cisco Download Center
Your device is 128/32 MB (RAM/FLASH).
In the case that you want to install IP BASE WITH WEB BASED DEV MGR - c3750-ipbasek9-tar.122-55.SE12.tar you will have to remove current IOS image before you can copy this one on flash (flash on device: 32514048 bytes total (16817152 bytes free) - 32MB with 16MB free), but do not reload device until new IOS is on flash (otherwise you will have to copy image to flash from ROMMON). But, I would go for version without WEB BASED...
ASKER
Predrag,
I also suspect the old version is the issue here. I looked at the DL page and the IPBASE... version is locked from me. I suspect that means they want money to DL it and it's not important enough in this case to spend more just to get an HTTPS gui.
Atlas_Shrugged,
What will AAA do here? My searching of AAA gives me the impression that AAA is mostly about connection with another server for accounting purposes and other forms of authentication. I freely admit my ignorance on the subject, but this switch will be isolated with no other server connected to it. Just a FreePBX box and phones.
It defines three things. Authentication, authorization and accounting. Authentication and authorization is what you are primarily concerned with. I'm thinking it may help you sidestep the default logon process and get you clear.
Generally, AAA can be tested, but most likely it will not change anything since it will actually be configured as local authentication or fall back to the local authentication method.
ASKER
Thank you very much for the help.
You're welcome.
This will show you the list of usernames created on the switch. Assuming the user you want to change is different from the one you are using for CLI, run the following command (ex. user test):
Open an https session to the switch and test the new creds.
Regarding your DHCP question, the 3750 will run as a DHCP server, but you have to have the DHCP service enabled on the switch and you will need an SVI on the switch to anchor the server to. You may also need a license version on the switch that permits layer three, but I am not immediately sure on that one.