User Mode and Privileged Mode Security

This topic is to discuss the following lesson:

Hi Rene,
In most of the 2960X switches I don't have the option of login or login local.

Only the option login authentication default appears, which requires a list for login.

Hello Helen,

It seems they changed this a bit on IOS 15.x. You can find an example here:

Once aaa new-model is enabled, you can use the login command:

Switch(config)# aaa new-model
Switch(config)# line vty 0 15
Switch(config-line)# login local
Switch(config-line)# exit

Try this on a test switch first; usually when you mess around with AAA it’s easy to lock yourself out :sweat_smile:

Rene

Hey everyone,

I’ve been looking into passwords/secrets on Cisco devices, and am a bit confused regarding how to configure the best practice (most secure) password type.

I’ve successfully configured type 7 passwords on devices, enabled password encryption (so they don’t show as plain text in the config), and then have been able to SSH to the device using those credentials.

However, I’ve read that type 7 passwords are not secure, and using an online crack tool I was easily able to crack my encrypted type 7 passwords. When I search online regarding this, everyone says to use type 5 secrets instead.

I have no trouble configuring a type 5 secret using the “enable secret” command to use for priv exec mode, which gives me this in the run config:

enable secret 5 $1$mERr$OKzfSUgIm9q.QG2WpAsx1/

However, when I try to configure a type 5 secret with a username (so it can be used for SSH) it shows up as plain text in the run config:

ip domain-name test.com
!
username josie secret 5 major

I also cannot SSH to the Cisco device using this username and password, it tells me the password is invalid.

So my question boils down to: What is the best practice for configuring usernames/passwords on Cisco devices which can be used for SSH etc, and how do I configure them?

Thanks for your help!

Hello Louis

Currently, the most secure method for encrypting passwords in your Cisco IOS devices is using a type 8 or type 9 encryption which use PBKDF2-SHA-256 and scrypt respectively. These are currently the most secure types, but must be supported by the IOS you are using. For more info about the various types, take a look at the following post on Cisco’s learning network:

As for how to use one of these for SSH, I was able to create a user with a secret using type 5 like so:

R2(config)#username my_name secret my_password

When viewing this in the configuration file, it looks like this:

username my_name secret 5 $1$wNNi$skihWOTQEs1u6w.AIJxMl0

I also made sure that within the vty configuration, I have the login local command and the transport input ssh command, so that SSH will be used as the protocol of choice, and the local user database will be used for SSH credentials, like so:

line vty 0 4
 login local
 transport input ssh
!

Now concerning the secret command for configuring a password: the command will, by default, encrypt the password using type 5. However, if you want to change the password type, you can do so by using the commands shown in the above link. Also note that if you try to change the encryption method using the number after the word secret, you will find it does not work:

R2(config)#username my_name secret ?
  0     Specifies an UNENCRYPTED secret will follow
  5     Specifies a MD5 HASHED secret will follow
  8     Specifies a PBKDF2 HASHED secret will follow
  9     Specifies a SCRYPT HASHED secret will follow
  LINE  The UNENCRYPTED (cleartext) user secret

R2(config)#username my_name secret 9 my_password
ERROR: The secret you entered is not a valid encrypted secret.
To enter an UNENCRYPTED secret, do not specify type 9 encryption.
When you properly enter an UNENCRYPTED secret, it will be encrypted.

This is because when you issue a number, the command expects the ENCRYPTED password, in the form of something like $9$nhEmQVczB7dqsO$X.HsgL6x1il0RxkOSSvyQYwucySCt7qFm4v7pqCxkKM depending on the algorithm chosen.

I hope this has been helpful!

Laz


Hey Laz,

Thanks for the response!

I tried again configuring the secret 5 with a username using your instructions, and I can SSH successfully from another device now – not sure what went wrong last time.

I tried the stronger encryption method mentioned by Rene in the article, however the commands don’t exist on the router I’m using, so I assume it requires a newer IOS version.

According to the Cisco document you linked, the secret 5 can be cracked but would take a long time – therefore I assume it’s “good enough” to use in a production environment. Would that be correct?

Also with the secret 5, I noticed we cannot set permissions levels (1-15) like we can with the old passwords. With the secret 5 are these permissions levels obsolete? Do we need to just use the “enable secret” as well to provide full permissions?

Cheers.

Hello Louis

Good to hear that it’s working!

Yes, both types 8 and 9 (SHA-256 and scrypt respectively) are supported starting from IOS 15.3(3).

When you choose the type of encryption you should take into account what other security measures are in place. Do you have an access list that limits connectivity on the management interfaces? Any Control Plane Policing? Management Plane Protection? Is the device accessible only from the local network or from the Internet? If there are other measures in place, then type 5 would most likely be “good enough” as you say. If your device is accessible via the Internet, or is in an environment where you don’t have absolute control over who is able to connect, then using a better encryption method may be beneficial.

The privilege level can be set using commands similar to the following:

R1(config)#username laz privilege 15 secret my_password

I was able to enter this command on a Cisco router and set the privilege level to 15. I then tried to connect to R1 using telnet, and I was able to log in with these credentials. When I did, I was put immediately into privileged executive mode, which is this prompt: R1#

If I didn’t set the privilege to 15, then it would give me user executive mode which is this prompt: R1>. In order to get to privileged executive mode, I would then need to issue the enable command and the corresponding password.

I hope this has been helpful!

Laz

Encryption is great for protection, but sometimes almost TOO great!
Remember to log your passwords somewhere. I have run into too many cases where AAA was broken and no one on my team had any recollection of the local login to SSH or even console into the device. Imagine how much fun that can be in an outage, having to ROMMON a device.
The other thing that has burned me already is keychains for DMVPN or dynamic routing. You change the password because you don’t know it and need to add a new device, and now you need to change all the peering devices as well.

So lessons have been learned to remind teammates to store passwords in another vault that everyone has access to via their Network accts or AAA logins.

Hello Pietro

Thanks for sharing that experience. It is so true that documentation is very important, especially for things like passwords. It too often happens that when we change a password, we think “I’ll remember it!” and then a few days later we end up forgetting… :crazy_face:

For organizations that have an ICT team, it’s important to keep documentation of all types up to date. It really saves time and a lot of headaches in the long run.

Thanks again for sharing!

Laz

Hello Rene,

I was wondering what happens if you just configure the following without specifying a username and password:

Switch(config)#line console 0
Switch(config-line)#login local

I simulated this in packet tracer (I know, not always realistic). There comes the query for username. What do you have to enter then? Or do you have to reset the device?

Cheers,

Hello Ma Kro

That’s a good question. Essentially, if you configure the above as you stated in your post, you instruct the switch to prompt the user for credentials whenever they connect using the console. Any credentials entered will be compared to those found in the local user database. However, if you have not created any users, your local user database is empty, thus you will never be able to login. The solution is to create a user in the local database that you can use to log in.

You don’t necessarily have to reset the device. If you haven’t issued a similar command in line vty configuration mode, you can always log in using Telnet or SSH (if configured). However, if those too are set up like this, then you must attempt a password recovery, or reset the device to its factory defaults…

I hope this has been helpful!

Laz

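Two points from this thread lend themselves to an automated check of a saved running-config: Laz’s ranking of the secret types (type 0/7 are effectively plaintext, type 5 is MD5, types 8 and 9 are PBKDF2-SHA-256 and scrypt), and Ma Kro’s lockout scenario where login local is applied with an empty local user database. The audit script below is an added example, not code from the thread or from Cisco; the sample config it scans is constructed, the type 9 hash in it is a placeholder, and the severity labels are this example’s own choice.

```python
import re

# Constructed sample running-config excerpt (not taken from the thread). It mixes the
# cases discussed above: a type 7 password, a type 5 secret, a type 9 secret (placeholder
# hash), and console/vty lines that authenticate against the local user database.
SAMPLE_CONFIG = """\
hostname R2
enable password 7 0822455D0A16
username josie password 7 104D000A0618
username my_name secret 5 $1$wNNi$skihWOTQEs1u6w.AIJxMl0
username ops privilege 15 secret 9 $9$placeholder$notarealhash
line con 0
 login local
line vty 0 4
 login local
 transport input ssh
"""

# Secret types as the thread describes them, with the severity this audit reports for each.
TYPE_INFO = {
    "0": ("HIGH", "plaintext"),
    "7": ("HIGH", "reversible encoding, treat as plaintext"),
    "5": ("MEDIUM", "MD5 hash, acceptable only with other controls in place"),
    "8": ("OK", "PBKDF2-SHA-256 hash"),
    "9": ("OK", "scrypt hash"),
}

# Matches 'username X [privilege N] password|secret <type> ...' and 'enable password|secret <type> ...'
CRED_RE = re.compile(r"^(?:username \S+(?: privilege \d+)? |enable )(password|secret) (\d) ")

def audit_config(text):
    """Return {"findings": [(severity, line, reason)], "lockout": bool}.
    A finding is any 'password' line (never hashed) or a 'secret' of type 0/5/7; 'lockout'
    is True when 'login local' is configured but no username exists in the config."""
    findings, users, login_local = [], 0, False
    for raw in text.splitlines():
        line = raw.strip()
        m = CRED_RE.match(line)
        if m:
            kind, ptype = m.groups()
            if line.startswith("username"):
                users += 1
            severity, reason = TYPE_INFO.get(ptype, ("HIGH", "unknown type"))
            if kind == "password":  # the 'password' keyword only ever stores type 0 or 7
                severity = "HIGH"
            if severity != "OK":
                findings.append((severity, line, reason))
        elif line == "login local":
            login_local = True
    return {"findings": findings, "lockout": login_local and users == 0}
```

Run `audit_config(open("running-config.txt").read())` over a config exported with `show running-config` to get the list of credential lines to migrate and whether the device would lock you out at the console.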