hit counter script

Cisco ASR 1000 Series Common Criteria Operational User Guidance And Preparative Procedures page 29

Aggregation services router
Hide thumbs Also See for ASR 1000 Series:
Table of Contents

Advertisement

Whether or not "service password-encryption" has been enabled, a password for an individual
username can be entered in either plaintext or as a SHA-256 hash value, and be stored as a
SHA-256 hash value by using the following command:
router(config)#username name secret {0 password | 4 secret-string | 5 SHA256 secret-string}
To store the enable password in non-plaintext form, use the 'enable secret' command when
setting the enable password. The enable password can be entered as plaintext, or as an MD5
hash value. Example:
router(config)#enable secret [level level] {password | 0 | 4 | 5 [encryption-type] encrypted-
password }
level - (Optional) Specifies the level for which the password applies. You can specify up to
sixteen privilege levels, using the numerals 0 through 15.
password – password that will be entered
0 - Specifies an unencrypted clear-text password. The password is converted to a SHA256 secret
and gets stored in the router.
4 - Specifies an SHA256 encrypted secret string. The SHA256 secret string is copied from the
router configuration.
5 - Specifies a message digest alogrithm5 (MD5) encrypted secret.
encryption-type - (Optional) Cisco-proprietary algorithm used to encrypt the password. The
encryption types available for this command are 4 and 5. If you specify a value for encryption-
type argument, the next argument you supply must be an encrypted password (a password
encrypted by a Cisco router).
encrypted-password - Encrypted password that is copied from another router configuration.
Use of enable passwords are not necessary, so all administrative passwords can be stored as
SHA-256 if enable passwords are not used.
Note: Cisco requires that the 'enable password' command be used to configure a password for
privileged EXEC mode. The password that is entered with the 'enable password' command is
stored as plain text in the configuration file of the networking device. If passwords were created
with the 'enable password' command, it can be hashed by using the 'service password-
encryption' command. Instead of using the 'enable password' command, Cisco recommends
using the 'enable secret' command because it stores a SHA-256 hash value of the password.
To have IKE preshared keys stored in encrypted form, use the password encryption aes
command to enable the functionality and the key config-key password-encrypt command to set
the master password to be used to encrypt the preshared keys. The preshared keys will be stored
encrypted with symmetric cipher Advanced Encryption Standard [AES].
router(config)# password encryption aes
router(config)# key config-key password-encryption [text]
Page 29 of 72

Advertisement

Table of Contents
loading

Table of Contents