How to set passwords from the CLI?

There have been quite a few comments posted to the Factory Reset Nortel Ethernet Switch article. One of those comments requested some help with setting the passwords from the CLI (command line interface). You’ll obviously need the read-write password in order to log in to the switch and reset the passwords. Without the read-write password you’ll need to factory reset the switch.

Note: I’m still trying to figure out the best way to display the CLI stuff… if I use the PRE HTML tag the font is really too small, if I don’t use the PRE HTML tag the formatting (spacing) gets lost making it difficult to compare the post with the real world output from a CLI interface.

Nortel Ethernet Routing Switch 5500 Series (v5.1)

Here’s how to set the passwords on the Nortel Ethernet Routing Switch 5500 Series (v5.1 software).

5520-48T-PWR>enable
5520-48T-PWR#config term
Enter configuration commands, one per line.  End with CNTL/Z.

What’s the syntax to set the read-only and read-write passwords?

5520-48T-PWR(config)#cli password ?
read-only   Modify read-only password
read-write  Modify read-write password
serial      Enable/disable serial port password.
telnet      Enable/disable telnet and web password.

We’ll use the commands below to set the read-only (RO) password to “readonlypassword” and the read-write (RW) password to “readwritepassword”:

5520-48T-PWR(config)#cli password read-only readonlypassword
5520-48T-PWR(config)#cli password read-write readwritepassword

What is the syntax to enable the passwords on the serial and telnet interfaces?

5520-48T-PWR(config)#cli password serial ?
local   Use local password.
none    Disable password.
radius  Use RADIUS password authentication.
tacacs  Use TACACS+ AAA services

5520-48T-PWR(config)#cli password telnet ?
local   Use local password.
none    Disable password.
radius  Use RADIUS password authentication.
tacacs  Use TACACS+ AAA services

We’ll use the commands below to set the serial and telnet interface to use the local passwords we’ve just configured above. You could also use RADIUS and TACACS authentication if you set it up.

5520-48T-PWR(config)#cli password serial local
5520-48T-PWR(config)#cli password telnet local

And let’s not forget to save the configuration file (even though the switch should auto-save it).

5520-48T-PWR(config)#copy config nvram
5520-48T-PWR(config)#exit
5520-48T-PWR#disable
5520-48T-PWR>

Nortel Ethernet Routing Switch 4500 Series (v5.0)

The Nortel Ethernet Routing Switch 4500 Series (v5.0 software) is practically identical to the 5500 series except that it does not yet support TACACS authentication.

4548GT-PWR(config)#cli password ?
read-only   Modify read-only password
read-write  Modify read-write password
serial      Enable/disable serial port password.
telnet      Enable/disable telnet and web password.

4548GT-PWR(config)#cli password serial ?
local   Use local password.
none    Disable password.
radius  Use RADIUS password authentication.

4548GT-PWR(config)#cli password telnet ?
local   Use local password.
none    Disable password.
radius  Use RADIUS password authentication.

Nortel Ethernet Switch 460/470 (v3.7.2)

The Nortel Ethernet Switch 460/470 (v3.7.2 software) is identical to the ERS 4500 series.

470-48T>enable
470-48T#config term
Enter configuration commands, one per line.  End with CNTL/Z.

470-48T(config)#cli password ?
read-only   Modify read-only password
read-write  Modify read-write password
serial      Enable/disable serial port password.
telnet      Enable/disable telnet and web password.

470-48T(config)#cli password serial ?
local   Use local password.
none    Disable password.
radius  Use RADIUS password authentication.

470-48T(config)#cli password telnet ?
local   Use local password.
none    Disable password.
radius  Use RADIUS password authentication.
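A small offline check for the settings covered above, added here as an example and not part of the original post or any Nortel tooling: it reads `cli password` commands in the syntax shown in this article and flags interfaces left at `none`, a mode the model family's help output does not list, and identical read-only/read-write passwords. The function name `audit`, the family labels and the sample input are assumptions made for the example.

```python
import re

# Modes each family accepts for "cli password serial|telnet", copied from the
# "?" help output in the article (only the 5500 listing includes tacacs).
SUPPORTED_MODES = {
    "5500": {"local", "none", "radius", "tacacs"},
    "4500": {"local", "none", "radius"},
    "460/470": {"local", "none", "radius"},
}
# Optional "<prompt>(config)#" prefix, then "cli password <key> <value>";
# the value may not start with "?", so help requests are ignored.
CMD = re.compile(r"^(?:\S+\(config\)#)?\s*cli password (\S+)\s+([^?\s]\S*)$")

def audit(commands, family):
    """Return findings for the 'cli password' commands in a block of text."""
    modes, secrets, findings = {}, {}, []
    for line in commands.splitlines():
        m = CMD.match(line.strip())
        if m and m.group(1) in ("serial", "telnet"):
            modes[m.group(1)] = m.group(2)
        elif m and m.group(1) in ("read-only", "read-write"):
            secrets[m.group(1)] = m.group(2)
    for iface in ("serial", "telnet"):
        mode = modes.get(iface)
        if mode is None:
            findings.append(f"{iface}: no authentication mode set")
        elif mode not in SUPPORTED_MODES[family]:
            findings.append(f"{iface}: mode '{mode}' not offered on {family}")
        elif mode == "none":
            findings.append(f"{iface}: password checking disabled")
    if "local" in modes.values():
        for level in ("read-only", "read-write"):
            if level not in secrets:
                findings.append(f"{level}: password not set in these commands")
    ro = secrets.get("read-only")
    if ro is not None and ro == secrets.get("read-write"):
        findings.append("read-only and read-write passwords are identical")
    return findings

# Constructed sample input (not taken from a real switch).
SAMPLE = """\
4548GT-PWR(config)#cli password read-only s3cret-A
4548GT-PWR(config)#cli password read-write s3cret-A
4548GT-PWR(config)#cli password serial none
4548GT-PWR(config)#cli password telnet tacacs
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE, "4500"):
        print(finding)
```
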

Hopefully this should help a few folks out.

Cheers!

9 thoughts on “How to set passwords from the CLI?”

  1. Gabriel Palafox

    Hi Mike.

    I’m trying to implement RADIUS authentication on 5520 and 460 switches. I have Cisco routers too, and it’s working on them. But I don’t know what I need to make it work on Nortel switches. I’m trying with the users rw, RW, rwa, bsrw, and when I look at the log on the RADIUS server it shows a successful authentication, but the switch gives me the message “access denied … radius”. There is a document from Nortel with the configuration, but I’m missing something and I can’t figure out what I’m missing.

    Do you have any experience with Radius authentication on 5520 and 460 switches?

    Thanks.

  2. Gabriel Palafox

    Thanks, I already saw that document, but I didn’t know what I was missing. At this moment it is working; the problem was with a RADIUS attribute that I had to configure on the RADIUS server.

    Just to share:
    If you want read-only access, you need to configure by user:
    You need to add attribute “User name” (in conditions for the policy that you are configuring) with a value of the username that you have, eg. gabrielpalafox
    Add to this you need the Attribute of “Service-Type” with the value of NAS prompt.

    If you want read-write access, you need to configure by user:
    You need to add attribute “User name” (in conditions for the policy that you are configuring)
    Add to this you need the Attribute of “Service-Type” with the value of Administrative.

    Hope this helps your community.

    Thanks.

  3. Fernando

    How do I configure Device Manager? My 1612 doesn’t connect to Device Manager using SNMP v1, v2.
    Thanks for your help

    1. Michael McNamara Post author

      Hi Fernando,

      You should have a look at this post.

      You need to configure the SNMP community strings. You can try these commands (depending on the software release you are running on the switch);

      ERS-1648T:1# config snmp-v3 community commname first new-commname readme123
      ERS-1648T:1# config snmp-v3 community commname second new-commname writeme123

      Good Luck!

  4. Fernando

    Hi Michael, thanks for your help.
    The DVM returns the error message
    172.16.X.X time out. This could be due to:
    1. No route to device.
    2. Network is busy.
    3. SNMP service disable on device.
    4. Invalid read community.
    5. Try to access a device through standby CPU.

    Thanks

    Fernando

    1. Michael McNamara Post author

      Hi Fernando,

      You’ll need to troubleshoot the problem.

      Has this ever worked? Is SNMP disabled on the switch? Are there any access policies restricting/blocking SNMP access?

      Assuming you have basic connectivity, out of the box the read and write SNMP community strings are public and private respectively. You should only need to change the SNMP community strings – commands provided above.

      If someone else has performed additional configurations beyond ‘out of the box’ you’ll need to troubleshoot further.

      Good Luck!

  5. Gus

    Hi Michael,
    Do you have experience with ERS8600 and tacacs +?
    I configured ERS8600 v5.1.3.1 with TACACS+ but when the tacacs is down I can not authenticate using local users (RWA,RW,RO…), such as ERS5520 usually do.

    Has anyone checked?

    Thanks
    Gus
