Enable secret

I am a newbie, having just recently acquired my CCNA. I have a new 2811 that I am configuring and the login process is not working as I am used to seeing it work. During the initial setup of the router, I followed the instructions in the banner that indicated I should configure a user and password using the following command:
username router privilege 15 secret 5 password
The privilege keyword is not something I have seen before. I have since researched it and understand it but I think this command is getting in the way of the "standard" login procedure I am used to seeing; in other words, entering a console or vty password followed by using the "enable" command and entering the enable password to get into privileged mode. As it stands now, I can telnet to the router, enter the username and password and get right into privileged mode. I can't decide if this is a security issue or not. The password that is associated with this login method is encrypted just like the enable password I am used to so it seems as though it should be OK. I also configured vty and console passwords on this router but I am now wondering if they are necessary. Will this "privileged" command suffice for both vty and console access? Can anybody shed any light on this for me?
Thank you.
Dan Harris

Dan, if you enter the privilege 15 command this will take you directly to the enabled mode. This is the 'expected' behavior. If you don't want this to happen, change it to:
no username router privilege 15 secret 5 password
username router secret 5 password
Making CLI users log in 'directly' into the enable/privileged mode is considered 'less' secure. But that is relative to your security policy and usability requirements. However, you will require a privilege 15 user if you plan to use the web interface to manage the box.
Regards
Farrukh

Similar Messages

  • How to find out when 'enable secret' and 'username secret' was set/changed

    Hi,
    I was wondering if it is possible to find out when 'enable secret' and 'username secret' was set or changed last time on an IOS based machine.
    Is there any show command or kind of timestamp or MIB which can be read out?
    tnx Ralf

    Probably your syslog server would give you that info.

  • Line console password vs privilege mode enable secret

    Hi all,
    Below is my running config ->
    line con 0
    exec-timeout 0 0
    privilege level 15
    password cisco
    logging synchronous
    login
    q1) How come I enter privileged mode every time once I enter the console password? Can I choose to enter normal user mode instead? Is it via setting the privilege level?
    q2) I understand that for enable privilege mode, I can set a secret/encrypted password for enabling.
    R1#config t
    R1(config)#enable secret cisco
    Where does the encryption take place? Is it only to MD5 the password text in the configuration file? If I were to sniff the password over the network, would I still see clear text "cisco"?
    q3) Why can't I set a secret/encrypted password for line (vty, con etc.) login?
    q4) For q3, after googling, I realize I need to issue service password-encryption
    a) Does this command "encrypt" my current enable secret password again? -- I think not, because I see no changes in show run
    b) Why do we have to issue this command to encrypt my line, vty etc. passwords? Why can't we use the "secret" command?
    c) What is the difference between this "service password-encryption" and "secret"? Why do we need to have both?
    q5) Are all of service password-encryption, enable secret etc. just basically hashing or encrypting the actual text password in the config file? Is there any way of encryption over the network?
    Thanks,
    Noob

    a) Why can't vty and console lines have a hashed password like enable secret? -- the only way to use secret is to have login local and create a local username with a secret password
    Because they can't, it's as simple as that really.
    Like you said, the only way to protect the password using an MD5 hash is to create a username and password and ensure you use the secret command like:
    username admin secret password
    b) Are all of service password-encryption, enable secret etc. just basically hashing or encrypting the actual text password in the config file? Is there any way of encryption over the network?
    It's just using an MD5 hash.
    Whether it's encrypted or not over the network will depend on whether you use Telnet or SSH to connect to the switch.
    Telnet is plain text so even using an MD5 password will still be visible if someone were to packet capture your telnet session.
    SSH is encrypted so use this whenever possible.

  • About Cat 3550 enable secret password

    Hello, everyone!
    Today I tried to change the password on my Catalyst 3550 L2/L3 switches.
    But I found a problem.
    Next is the process of my change of the enable password.
    1. conf t
    2. enable password xxx
    3. ^z
    4. conf t
    5. enable secret xxx
    6. ^Z
    the end
    I tried to enable with the password after disable.
    But I can't enter with the changed password.
    I don't know why I can't enter.
    Do you know this?
    And how to set the enable secret password?
    I would like to know how to set up the enable secret password on Catalyst 3550 switches.
    Thank you.
    I will wait for your answer.

    The enable secret will override any enable password that may be configured. Use one or the other and delete the one you aren't using. The enable secret is the preferred password due to MD5 encryption, which can't be cracked by those nice little Cisco password breakers that are out everywhere.
    CONF T
    no enable password
    enable secret XXXXX

  • Cisco AAA and Free Radius enable secret failure

    Hi,
    I am currently testing aaa authentication with free radius.
    I can authenticate users through the radius server, however i cannot authenticate the enable secret.
    Here is the router configurations
    aaa new-model
       aaa authentication login default group radius local
       aaa authentication login localauth local
       aaa authentication ppp default if-needed group radius local
       aaa authentication enable default group radius enable
       aaa authorization exec default group radius local
       aaa authorization network default group radius local
       aaa accounting delay-start
       aaa accounting exec default start-stop group radius
       aaa accounting network default start-stop group radius
    radius-server host 192.168.0.135 auth-port 1812 acct-port 1813 key cisco
    I have created a user for the enable secret as such:
    $enable15$   Auth-Type := local
            Service-Type = NAS-Prompt-User
    The router cannot authenticate when logging in for privileged mode. I cannot find any log on the radius server either.
    Please help.

    It should be $enab15$ as the user that IOS sends to the radius server.
    Sent from Cisco Technical Support iPhone App

  • ACS Appliance 1112 - Authentication Without Enable Secret

    Hello Everybody
    I have a ACS appliance 1112 to authenticate users by TACACS+ with Active Directory.
    The users can access the privileged mode on network devices just with the AD user, without typing an enable secret, but after a restart of the appliance the users are now asked to type an enable secret to access the privileged mode.
    Is it necessary to change something on the network devices, or maybe a configuration on ACS?
    Thanks

    Please go to the group that belongs to the user in question and make sure we have shell exec checked with priv 15
    Bring users/groups in at level 15
    1. Go to user or group setup in ACS
    2. Drop down to "TACACS+ Settings"
    3. Place a check in "Shell (Exec)"
    4. Place a check in "Privilege level" and enter "15" in the adjacent field
    Also check passed authentication logs and make sure that users are mapped to the right group in ACS.
    Regards,
    ~JG
    Do rate helpful posts

  • Info about setting enable and username secret lev.5 passwords

    Hi,
    it's the first time I write on this forum, so I hope it's the right section for my question... I need to replace the enable and username XXX level 7 passwords (defined with enable password PPP and username xxx password PPP commands) on a lot of devices and I'll do it through an automated script that will send commands to these devices. Since I would like to avoid sending the password in cleartext with enable secret PPP or username xxx secret PPP, I'd like to execute the commands on a test router and then directly send the level 5 encrypted password to the other routers (i.e. enable secret 5 hash-of-PPP and username xxx secret 5 hash-of-PPP). Since I know that the hashed value contains a salt that is used in some way to compute the hash value of a password, I wonder if a given level 5 enable or username password can work on all the IOS versions and router models that we have. Have you ever experienced any problems regarding the copy-and-paste of already-encrypted passwords?
    I know that this could lead to problems with level 7 passwords used for radius authentications (one of my colleagues experienced problems after a copy-and-paste of a password that did not work until he re-wrote the authentication command with the clear-text password, forcing the router to compute the level 7 password by itself), but I don't know if it was a bug of IOS and maybe only related to level 7 passwords..
    Thank you in advance for any help.
        Gianni

  • Enabling 802.11n on the 861-w ISR

    Hello,
    I'm attempting to configure 11n on the 861W router integrated access point. I've configured
    speed basic-1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0 m0. m1. m2. m3. m4. m8. m9. m10. m11. m12. m13. m14. m15.
    But still can't connect faster than 54Mb. Are there any comprehensive instructions for how this works?
    Any help surely appreciated.

    Thanks for your reply - much appreciated.
    What I was trying to say was my test client only had one antenna, since it's an old Dell 8200 with a newer "n" card in it. But I was able to rig two more antennas (antenni?). I was also able to set "channel width 40-above" on the 861-W. Now, on the client utility I get receive rates popping up to 300 Mbps and transmit rates in the 108 to 168 range.
    According to Table 2 on this page:
    http://www.cisco.com/en/US/products/ps6366/products_tech_note09186a0080a3443f.shtml
    that signifies a guard interval of 800ns on transmit, but 400ns on receive.
    Is there a command to explicitly set the guard interval?
    RRodichev, I am also wondering what leads you to believe that the 861-W is 2.4 GHz only? I don't see anything in the data sheet about frequency bands.
    Finally, is there anyone who knows what all of the codes in the
    #show dot11 statistics client-traffic
    command mean?
    Here's the AP config:
    Current configuration : 2270 bytes
    ! Last configuration change at 10:28:45 EDT Sun Apr 30 1905
    ! NVRAM config last updated at 13:15:04 EDT Tue May 5 2009
    version 12.4
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    hostname ap
    enable secret 5 $1$U4BR$hXHAUw3QwGBCNMYwAFD7B0
    no aaa new-model
    clock timezone EST -5
    clock summer-time EDT recurring
    dot11 ssid Public Assets
    vlan 1
    authentication open
    dot11 ssid Voices for Vermont Children
    vlan 2
    authentication open
    username Cisco password 7 05280F1C2243
    bridge irb
    interface Dot11Radio0
    no ip address
    no ip route-cache
    ssid
    ssid
    speed basic-1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0 m0. m1. m2. m3. m4. m8. m9. m10. m11. m12. m13. m14. m15.
    channel width 40-above
    station-role root access-point
    interface Dot11Radio0.1
    encapsulation dot1Q 1 native
    no ip route-cache
    bridge-group 1
    bridge-group 1 subscriber-loop-control
    bridge-group 1 block-unknown-source
    no bridge-group 1 source-learning
    no bridge-group 1 unicast-flooding
    bridge-group 1 spanning-disabled
    interface Dot11Radio0.2
    encapsulation dot1Q 2
    no ip route-cache
    bridge-group 2
    bridge-group 2 subscriber-loop-control
    bridge-group 2 block-unknown-source
    no bridge-group 2 source-learning
    no bridge-group 2 unicast-flooding
    bridge-group 2 spanning-disabled
    interface GigabitEthernet0
    description the embedded AP GigabitEthernet 0 is an internal interface connecting AP with the host router
    no ip address
    no ip route-cache
    interface GigabitEthernet0.1
    encapsulation dot1Q 1 native
    no ip route-cache
    bridge-group 1
    no bridge-group 1 source-learning
    bridge-group 1 spanning-disabled
    interface GigabitEthernet0.2
    encapsulation dot1Q 2
    no ip route-cache
    bridge-group 2
    no bridge-group 2 source-learning
    bridge-group 2 spanning-disabled
    interface BVI1
    ip address dhcp client-id GigabitEthernet0
    no ip route-cache
    ip http server
    no ip http secure-server
    ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
    bridge 1 protocol ieee
    bridge 1 route ip
    bridge 2 protocol ieee
    line con 0
    no activation-character
    line vty 0 4
    login local
    end

  • Secret 8 and 9 vs. secret 4

    Hi all
    Not a long time ago, Cisco introduced the secret 4 (for enable secret and username); now this secret 4 no longer seems to be an option (within the 3650 switch with IOS-XE 03.03.01SE). There are the hashes 8 (PBKDF2) and 9 (SCRYPT) instead. For me this is new; is there documentation which describes the function of these two options 8 and 9? Why is option 4 no longer available, are there any security concerns? It should be AES-256 and, as far as I know, this option is really secure.
    Thank you
    Markus

    Hi,
    while secret 4 was an attempt to implement something more secure than the classic MD5 hashes (secret 5), the implementation itself was severely flawed in multiple respects. It failed to actually implement most of the aspects that would have made that SHA256-based hash secure; first of all, it lacked salting. This was even obvious from the configuration: identical passwords led to identical encoded hash strings. It still took months and some external researchers to notify Cisco that something was wrong, and it ended with a PSIRT advisory roughly a year ago. And then, for the following several months, the latest IOS versions still bugged you to use secret 4 even when you insisted on old-but-at-least-salted MD5 secrets. I've even used an external generator to avoid this pitfall until fixed implementations finally made it to customers (which is what happened over the last weeks). Now secret 5 is again the default (when you just enter "enable secret bla", it will generate an MD5 hash again) and the new solutions are pushed a lot less aggressively than was the disaster of secret 4. Give them a year for some external cryptologists to seriously probe them before ever touching them.
    BTW, secret 4 had to go as it was unfixable - they could have implemented the method correctly, but it would have invalidated all the hashes existing in configurations out there. It's still getting an interesting transition period now, away again from busted secret 4...
    Sorry for the rant, but this has been a "pet peeve" of mine, I had to discuss this with a lot of customers over the last 9 months or so...
    HTH,
    Andre.
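    The two threads above (Gianni's question about pasting a level 5 hash between devices, and Andre's point that secret 4 strings for identical passwords were identical) both come down to whether the stored string carries its own salt. The following is an added illustration, not code from the forum or from Cisco: md5_crypt is the public md5-crypt algorithm that produces the '$1$<salt>$<hash>' form seen in 'enable secret 5' lines; unsalted_model is an assumed stand-in for an unsalted scheme like secret 4 (its exact encoding is not reproduced here), used only to show the property Andre describes; shared_secret_lines is a config check of my own.

```python
"""Salted vs unsalted secrets, added as an illustration (not Cisco code).
md5_crypt is the public md5-crypt algorithm behind '$1$<salt>$<hash>'
(IOS 'secret 5'); unsalted_model is an ASSUMED stand-in for secret 4's
missing salt and is not Cisco's exact encoding."""
import hashlib
import hmac
import secrets

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value: int, count: int) -> str:
    out = ""
    for _ in range(count):
        out += ITOA64[value & 0x3F]
        value >>= 6
    return out


def md5_crypt(password: str, salt: str) -> str:
    """Return '$1$<salt>$<22 chars>' for the given password and salt."""
    pw = password.encode()
    salt_b = salt.encode()[:8]                 # at most 8 salt characters
    ctx = hashlib.md5(pw + b"$1$" + salt_b)
    alt = hashlib.md5(pw + salt_b + pw).digest()
    for remaining in range(len(pw), 0, -16):
        ctx.update(alt[:min(16, remaining)])
    bit = len(pw)
    while bit:                                 # one byte per bit of len(pw)
        ctx.update(b"\0" if bit & 1 else pw[:1])
        bit >>= 1
    final = ctx.digest()
    for i in range(1000):                      # 1000 stretching rounds
        ctx1 = hashlib.md5()
        ctx1.update(pw if i & 1 else final)
        if i % 3:
            ctx1.update(salt_b)
        if i % 7:
            ctx1.update(pw)
        ctx1.update(final if i & 1 else pw)
        final = ctx1.digest()
    encoded = (
        _to64((final[0] << 16) | (final[6] << 8) | final[12], 4)
        + _to64((final[1] << 16) | (final[7] << 8) | final[13], 4)
        + _to64((final[2] << 16) | (final[8] << 8) | final[14], 4)
        + _to64((final[3] << 16) | (final[9] << 8) | final[15], 4)
        + _to64((final[4] << 16) | (final[10] << 8) | final[5], 4)
        + _to64(final[11], 2)
    )
    return "$1$" + salt_b.decode() + "$" + encoded


def new_secret5(password: str) -> str:
    """Hash with a fresh random 4-character salt, the salt length seen in
    IOS output (compare '$1$U4BR$...' in the AP config above)."""
    salt = "".join(secrets.choice(ITOA64) for _ in range(4))
    return md5_crypt(password, salt)


def verify_secret5(password: str, stored: str) -> bool:
    """The salt travels inside the string, which is why a secret 5 hash
    pasted from one device verifies on another running the same algorithm."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "" or parts[1] != "1":
        return False
    return hmac.compare_digest(md5_crypt(password, parts[2]), stored)


def unsalted_model(password: str) -> str:
    """ASSUMED model of an unsalted scheme: no per-secret input, so equal
    passwords give equal strings on every device."""
    return hashlib.sha256(password.encode()).hexdigest()


def shared_secret_lines(config_lines):
    """Group 'secret <type> <hash>' config lines by stored hash. Under an
    unsalted scheme a shared hash reveals a shared password from the config
    alone; under secret 5 it only happens when the same string was pasted."""
    by_hash = {}
    for line in config_lines:
        tokens = line.split()
        if "secret" in tokens and tokens.index("secret") + 2 < len(tokens):
            by_hash.setdefault(tokens[tokens.index("secret") + 2], []).append(line)
    return {h: ls for h, ls in by_hash.items() if len(ls) > 1}


if __name__ == "__main__":
    a, b = new_secret5("Pa55w0rd"), new_secret5("Pa55w0rd")
    print(a, b, a != b, verify_secret5("Pa55w0rd", b))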

  • 3750X Prompts for Device/Enable Password Instead of Local Username/Password

    I've got two 3750X switches that were built from a fairly basic template from my existing 3750/3560 switches. However, these new switches ONLY prompt for the device/enable passwords instead of the configured local username/password when connecting by console/telnet/ssh. Here's the config that I think is relevant, sans password strings. Only real difference is that the new switches are running an IOS 15.2 build, the 3750 switches are running 12.4, and the 3560 is currently running 15.0 (pending an update).
    enable secret 5 string
    username Administrator privilege 15 secret 5 string
    line con 0
     password 7 string
     login local
    line vty 0 4
     password 7 string
     login local
     length 0
    line vty 5 15
     password 7 string
     login
     length 0
    Any way to correct this?
    Thanks!

    Usually you need "login local" under all the vty lines in order to authenticate locally, unless you use an ACS server for authentication.
    HTH
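    The three login-mode problems raised on this page (a privilege 15 username that drops the user straight into enable, an enable password left beside an enable secret, and vty lines that use 'login' instead of 'login local') can all be spotted from the running config. The lint below is an added example, not Cisco code; the finding codes are my own, the sample config is a constructed excerpt modelled on the 3750X post with placeholder strings in place of hashes, and the parser assumes the indented 'show running-config' layout in which sub-commands under 'line ...' start with a space.

```python
"""Added lint for the login/enable issues in these threads (not Cisco code).
Assumes the indented running-config layout: sub-commands under a section
header such as 'line vty 0 4' begin with a space."""

# Constructed excerpt modelled on the 3750X post; hashes are placeholders.
SAMPLE_CONFIG = """\
enable password 7 PLACEHOLDER7
enable secret 5 $1$salt$PLACEHOLDERHASHPLACEHOL
username Administrator privilege 15 secret 5 $1$salt$PLACEHOLDERHASHPLACEHOL
line con 0
 password 7 PLACEHOLDER7
 login local
line vty 0 4
 password 7 PLACEHOLDER7
 login local
 transport input telnet
line vty 5 15
 password 7 PLACEHOLDER7
 login
 length 0
"""


def parse_config(config: str):
    """Split a config into top-level commands and the sub-commands of each
    section (a non-indented line followed by its indented lines)."""
    top, sections, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        else:
            current = raw.strip()
            top.append(current)
            sections[current] = []
    return top, sections


def lint(config: str):
    """Return (section, code, message) findings."""
    top, sections = parse_config(config)
    findings = []
    has_secret = any(c.startswith("enable secret") for c in top)
    has_local_users = any(c.startswith("username ") for c in top)
    for c in top:
        tokens = c.split()
        if c.startswith("enable password") and has_secret:
            findings.append(("global", "ENABLE_PASSWORD",
                             "enable password is overridden by enable secret; remove it"))
        if (c.startswith("username ") and "privilege" in tokens
                and tokens[tokens.index("privilege") + 1] == "15"):
            findings.append(("global", "PRIV15_USER",
                             f"user {tokens[1]} lands in privileged mode straight after login"))
    for name, cmds in sections.items():
        if not name.startswith("line "):
            continue
        if "login" in cmds and has_local_users:
            findings.append((name, "LINE_LOGIN",
                             "'login' checks the line password only; use 'login local'"))
        if "login local" in cmds and any(c.startswith("password ") for c in cmds):
            findings.append((name, "LINE_PASSWORD_UNUSED",
                             "line password is not consulted under 'login local'"))
        if any(c.startswith("transport input") and "telnet" in c.split() for c in cmds):
            findings.append((name, "TELNET",
                             "telnet accepted; credentials cross the network in clear text"))
    return findings


if __name__ == "__main__":
    for section, code, msg in lint(SAMPLE_CONFIG):
        print(f"{section:14} {code:22} {msg}")
```

    Run against the sample, the lint reports the redundant enable password, the privilege 15 user, the 'login'-only block on vty 5 15, the unused line passwords under 'login local', and the telnet transport on vty 0 4; changing the bare 'login' to 'login local' clears the LINE_LOGIN finding.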

  • Cisco enable password

    Try this:
    enable secret 0 cisco
    service password-encryption
    The 5 in the command above says the password that follows is an encrypted password. After the service command the passwords should get encrypted in the configuration.
    vel 5 with password ‘password’
    #enable secret level 5 ?
    0 Specifies an UNENCRYPTED password will follow
    4 Specifies an SHA256 ENCRYPTED secret will follow
    5 Specifies a MD5 ENCRYPTED secret will follow
    LINE The UNENCRYPTED (cleartext) ‘enable’ secret

    If I type in: switch# "enable secret 5 cisco"
    and I exit out of global config mode and priv exec mode and then I type in "enable" I get prompted for the password and I type in "cisco", it asks for the password again, until finally it says "bad secrets". What did I do wrong?
    However if I type in "enable password cisco" and go back into "enable" I type in the password and I can get into priv exec mode no problem.
    What's the problem?
    This topic first appeared in the Spiceworks Community

  • The Need for Enable Password

    Hi,
    If all users that have access to the network equipment will be given level 15, is there any reason to have an enable password?
    Just seems like another step to authenticate - and if we are using the same password for enable that we are for the login, I don't see the point.
    Thanks, Pat.

    Thanks Mauicio,
    This is the config. We are trying to authenticate via tacacs that is configured to query AD. And, it is working great. I just want to make it so we can go directly into priv mode after logging in with username and password. Also, the username and password prompts aren't taking. I still get the login prompt.
    aaa new-model
    aaa authentication password-prompt Password:
    aaa authentication username-prompt Username:
    aaa authentication login default group tacacs+ local
    aaa authentication login con group tacacs+ local
    aaa authentication enable default group tacacs+ enable
    tacacs-server host 10.10.40.50 key 7 XXXXXXXXXXXXXXX
    enable secret 5 XXXXXXXXXXXXXXXXXXXXXXXXXXX
    line con 0
    login authentication con
    no modem enable
    line aux 0
    line 2
    no activation-character
    no exec
    transport preferred none
    transport input all
    line 3
    no exec
    line vty 0 4
    length 0
    transport input ssh
    Thanks again.

  • Aaa authentication enable command

    Hi,
    If I configure the following command, how can I enter the enable user name and password to get into the enable prompt? Can someone explain to me how to enable tacacs authentication for enable access?
    "aaa authentication enable default group tacacs+ enable",
    TIA
    krishna

    Assuming that your IOS device is otherwise correctly configured for TACACS (has the proper TACACS server address, proper TACACS key) and that the TACACS server is configured to recognize and process this machine as a client for authentication, then using this command:
    aaa authentication enable default group tacacs+ enable
    will cause the IOS device to send an authentication request to the TACACS server when someone attempts to access privilege mode. If the TACACS server does not respond the IOS device will use the local enable secret (or password) to authenticate enable mode. This is the only thing that you must do on the IOS device. On the TACACS server you must be sure that the user ID is correctly configured for access to this device and the user is checked for level 15 access.
    HTH
    Rick

  • Tacac+ logins asking for enable password

    Hi,
    7609 with the following IOS version. 
    Cisco IOS Software, c7600s72033_rp Software (c7600s72033_rp-ADVIPSERVICES-M), Version 15.2(4)S4a, RELEASE SOFTWARE (fc1)
    Tacacs+ users can successfully login via telnet but it's asking for the enable password to go to privilege mode. I have tried everything I could but it keeps asking for the enable password. How do I get rid of the enable password for the tacacs+ users? The following is the current relevant config.
    enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    aaa new-model
    aaa group server tacacs+ TAC_PLUS
     server name AUTH
    aaa authentication login default group TAC_PLUS local
    aaa accounting exec default start-stop group tacacs+
    aaa accounting commands 0 default start-stop group tacacs+
    aaa accounting commands 1 default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    aaa accounting system default start-stop group tacacs+
    aaa session-id common
    tacacs server AUTH
     address ipv4 xx.xx.xx.xx
     key 7 xxxxxxxxxxxxxxxxxxxxx
    line con 0
    line vty 0 4
     session-timeout 15
     access-class 10 in
     exec-timeout 120 0
     timeout login response 15
     transport input telnet
    ip telnet source-interface Loopback1
    ip tacacs source-interface Loopback1

    Hi,
    I did not have aaa authentication and tacacs debugging enabled. I have enabled them all and this is what it shows when tacacs+ works but have to type the enable password.
    Nov 18 07:39:35: AAA/AUTHEN/LOGIN (00000000): Pick method list 'default'
    Nov 18 07:39:35: TPLUS: Queuing AAA Authentication request 0 for processing
    Nov 18 07:39:35: TPLUS: processing authentication start request id 0
    Nov 18 07:39:35: TPLUS: Authentication start packet created for 0()
    Nov 18 07:39:35: TPLUS: Using server xx.xxx.xxx.xxx
    Nov 18 07:39:35: TPLUS(00000000)/0/NB_WAIT/56CA2684: Started 5 sec timeout
    Nov 18 07:39:35: TPLUS(00000000)/0/NB_WAIT: socket event 2
    Nov 18 07:39:35: TPLUS(00000000)/0/NB_WAIT: wrote entire 20 bytes request
    Nov 18 07:39:35: TPLUS(00000000)/0/READ: socket event 1
    Nov 18 07:39:35: TPLUS(00000000)/0/READ: Would block while reading
    Nov 18 07:39:35: TPLUS(00000000)/0/READ: socket event 1
    Nov 18 07:39:35: TPLUS(00000000)/0/READ: read entire 12 header bytes (expect 43 bytes data)
    Nov 18 07:39:35: TPLUS(00000000)/0/READ: socket event 1
    Nov 18 07:39:35: TPLUS(00000000)/0/READ: read entire 55 bytes response
    Nov 18 07:39:35: TPLUS(00000000)/0/56CA2684: Processing the reply packet
    Nov 18 07:39:35: TPLUS: Received authen response status GET_USER (7)
    Nov 18 07:39:37: TPLUS: Queuing AAA Authentication request 0 for processing
    Nov 18 07:39:37: TPLUS: processing authentication continue request id 0
    Nov 18 07:39:37: TPLUS: Authentication continue packet generated for 0
    Nov 18 07:39:37: TPLUS(00000000)/0/WRITE/4752E370: Started 5 sec timeout
    Nov 18 07:39:37: TPLUS(00000000)/0/WRITE: wrote entire 24 bytes request
    Nov 18 07:39:37: TPLUS(00000000)/0/READ: socket event 1
    Nov 18 07:39:37: TPLUS(00000000)/0/READ: read entire 12 header bytes (expect 16 bytes data)
    Nov 18 07:39:37: TPLUS(00000000)/0/READ: socket event 1
    Nov 18 07:39:37: TPLUS(00000000)/0/READ: read entire 28 bytes response
    Nov 18 07:39:37: TPLUS(00000000)/0/4752E370: Processing the reply packet
    Nov 18 07:39:37: TPLUS: Received authen response status GET_PASSWORD (8)
    Nov 18 07:39:41: TPLUS: Queuing AAA Authentication request 0 for processing
    Nov 18 07:39:41: TPLUS: processing authentication continue request id 0
    Nov 18 07:39:41: TPLUS: Authentication continue packet generated for 0
    Nov 18 07:39:41: TPLUS(00000000)/0/WRITE/55F31F34: Started 5 sec timeout
    Nov 18 07:39:41: TPLUS(00000000)/0/WRITE: wrote entire 27 bytes request
    Nov 18 07:39:41: TPLUS(00000000)/0/READ: socket event 1
    Nov 18 07:39:41: TPLUS(00000000)/0/READ: read entire 12 header bytes (expect 6 bytes data)
    Nov 18 07:39:41: TPLUS(00000000)/0/READ: socket event 1
    Nov 18 07:39:41: TPLUS(00000000)/0/READ: read entire 18 bytes response
    Nov 18 07:39:41: TPLUS(00000000)/0/55F31F34: Processing the reply packet
    Nov 18 07:39:41: TPLUS: Received authen response status PASS (2)
    Nov 18 07:39:41: AAA/AUTHOR (00000000): Method list id=0 not configured. Skip author
    Nov 18 07:39:42: AAA/AUTHOR: auth_need : user= 'user1' ruser= 'r17609'rem_addr= 'xxx.xxx.xxx.xxx' priv= 0 list= '' AUTHOR-TYPE= 'commands'
    Nov 18 07:39:42: AAA: parse name=tty1 idb type=-1 tty=-1
    Nov 18 07:39:42: AAA: name=tty1 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=1 channel=0
    Nov 18 07:39:42: AAA/MEMORY: create_user (0x776722A4) user='user1' ruser='NULL' ds0=0 port='tty1' rem_addr='xxx.xxx.xxx.xxx' authen_type=ASCII service=ENABLE priv=15 initial_task_id='0', vrf= (id=0)
    Nov 18 07:39:42: AAA/AUTHEN/START (2568611223): port='tty1' list='' action=LOGIN service=ENABLE
    Nov 18 07:39:42: AAA/AUTHEN/START (2568611223): non-console enable - default to enable password
    Nov 18 07:39:42: AAA/AUTHEN/START (2568611223): Method=ENABLE
    Nov 18 07:39:42: AAA/AUTHEN (2568611223): status = GETPASS
    Nov 18 07:39:48: AAA/AUTHEN/CONT (2568611223): continue_login (user='(undef)')
    Nov 18 07:39:48: AAA/AUTHEN (2568611223): status = GETPASS
    Nov 18 07:39:48: AAA/AUTHEN/CONT (2568611223): Method=ENABLE
    Nov 18 07:39:48: AAA/AUTHEN (2568611223): status = PASS
    Nov 18 07:39:48: AAA/MEMORY: free_user (0x776722A4) user='NULL' ruser='NULL' port='tty1' rem_addr='xxx.xxx.xxx.xxx' authen_type=ASCII service=ENABLE priv=15 vrf= (id=0)
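    The debug output above already contains the answer to the question: the TACACS+ exchange passes the login, authorization is skipped because no exec authorization list is configured, and the enable request then falls back to the local enable method ("non-console enable - default to enable password"), exactly the fallback Rick describes a thread earlier. The parser below is an added example, not Cisco tooling: it reads 'debug aaa authentication' style lines and reports which method handled login, whether exec authorization ran, and which method answered the enable request. The sample log is a constructed subset of the lines in the post, with the server address replaced by a documentation address.

```python
"""Added example: summarise IOS 'debug aaa authentication' / 'debug tacacs'
output to explain why a TACACS+ user still gets an enable prompt.
Not Cisco code; the sample below is a constructed subset of the post's log."""
import re

SAMPLE_DEBUG = """\
Nov 18 07:39:35: AAA/AUTHEN/LOGIN (00000000): Pick method list 'default'
Nov 18 07:39:35: TPLUS: Queuing AAA Authentication request 0 for processing
Nov 18 07:39:35: TPLUS: Using server 192.0.2.10
Nov 18 07:39:35: TPLUS: Received authen response status GET_USER (7)
Nov 18 07:39:41: TPLUS: Received authen response status PASS (2)
Nov 18 07:39:41: AAA/AUTHOR (00000000): Method list id=0 not configured. Skip author
Nov 18 07:39:42: AAA/AUTHEN/START (2568611223): port='tty1' list='' action=LOGIN service=ENABLE
Nov 18 07:39:42: AAA/AUTHEN/START (2568611223): non-console enable - default to enable password
Nov 18 07:39:42: AAA/AUTHEN/START (2568611223): Method=ENABLE
Nov 18 07:39:42: AAA/AUTHEN (2568611223): status = GETPASS
Nov 18 07:39:48: AAA/AUTHEN/CONT (2568611223): Method=ENABLE
Nov 18 07:39:48: AAA/AUTHEN (2568611223): status = PASS
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ [\d:]+): (?P<body>.*)$")
SID_RE = re.compile(r"\((\d+)\)")          # AAA session id in parentheses


def parse_aaa_debug(text: str) -> dict:
    """Walk the log once and collect the login outcome, whether exec
    authorization ran, and per-session details of every ENABLE request."""
    st = {"login_list": None, "login_via": None, "login_result": None,
          "author_skipped": False, "enable_sessions": {}}
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        body = m.group("body")
        sid_m = SID_RE.search(body)
        sid = sid_m.group(1) if sid_m else None
        if body.startswith("AAA/AUTHEN/LOGIN") and "Pick method list" in body:
            st["login_list"] = body.split("'")[1]
        elif body.startswith("TPLUS:") and "Received authen response status" in body:
            st["login_via"] = "tacacs+"
            st["login_result"] = body.split("status ")[1].split()[0]   # last wins
        elif body.startswith("AAA/AUTHOR") and "Skip author" in body:
            st["author_skipped"] = True
        elif "service=ENABLE" in body and sid:
            st["enable_sessions"][sid] = {"method": None, "result": None,
                                          "fallback": False}
        elif sid in st["enable_sessions"]:
            sess = st["enable_sessions"][sid]
            if "default to enable password" in body:
                sess["fallback"] = True
            if "Method=" in body:
                sess["method"] = body.split("Method=")[1].strip()
            if "status = " in body:
                sess["result"] = body.split("status = ")[1].strip()
    return st


def diagnose(text: str) -> list:
    """Turn the parsed state into plain findings an operator can act on."""
    st = parse_aaa_debug(text)
    out = []
    if st["login_via"] == "tacacs+" and st["login_result"] == "PASS":
        out.append(f"login: authenticated by TACACS+ via method list '{st['login_list']}'")
    if st["author_skipped"]:
        out.append("authorization: no 'aaa authorization exec' list, so the server's "
                   "privilege level is never applied and the user starts at level 1")
    for sid, s in st["enable_sessions"].items():
        if s["method"] == "ENABLE":
            out.append(f"enable (session {sid}): no 'aaa authentication enable' list "
                       f"matched; the local enable secret was checked (result {s['result']})")
    return out


if __name__ == "__main__":
    for line in diagnose(SAMPLE_DEBUG):
        print(line)
```

    The three findings map directly onto the config in the post: 'aaa authentication login default group TAC_PLUS local' explains the first, and the absence of both 'aaa authorization exec' and 'aaa authentication enable' lines explains the other two.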

  • Logging directly into enable mode on a PIX using TACACS

    I have set up TACACS authentication on a PIX running 6.3(3). I can authenticate using TACACS just fine, but do not get put directly into enable mode. The ACS server is set up to do so, it works for routers and switches, but not the PIX box. If I put the "aaa authentication enable console TACACS" in the config I must enter the enable command and use the same password I logged in with to get into enable mode. Without the command, I have to use the configured enable secret password to get into the enable mode.
    Does anyone know if there is a way to configure the PIX to log someone directly into enable mode via TACACS?
    Thanks in advance

    Hi,
    PIX does not support exec authorization. Hence user cannot login to level 15 directly.
    Regards,
    Vivek
