topic Re: Local Password Policy with Encrypted password in Switching

Local Password Policy with Encrypted password

giridar — Tue, 02 Feb 2021 14:05:44 GMT

Hi All,

I have enabled local aaa authentication and added password policy

is there any way to encrypt the password created using the policy

tried using password 7 but it gives an error saying that password cannot be blank

Re: Local Password Policy with Encrypted password

Richard Burts — Wed, 03 Feb 2021 19:06:11 GMT

The part of the error message about the password can not be blank leads me to believe that the immediate issue is in how you attempted to configure the user name and password. Can you tell us exactly what you typed in when you attempted to configure this user?

I do not understand this part of your question "is there any way to encrypt the password created using the policy". Perhaps you can provide clarification about what policy you configured?

If you want to configure a user and encrypted password I would suggest that using the parameter "secret" rather than using password 7 would be more effective.

Re: Local Password Policy with Encrypted password

giridar — Thu, 04 Feb 2021 05:03:12 GMT

sorry about that,

i enabled aaa authentication and configured a password policy

aaa-new model
aaa authentication login default local
aaa authorization exec default local
aaa common-criteria policy policy1
char-changes 3
max-length 16
min-length 8
special-case 1
numeric-count 1
upper-count 1
lower-count 1

then tried to add user

user user1 privilege 15 common-criteria-policy policy1 password 7 password1

Re: Local Password Policy with Encrypted password

Richard Burts — Thu, 04 Feb 2021 14:07:11 GMT

Thanks for the additional information. I believe that there are at least 2 issues that caused your attempt to configure the user to fail.

1) When you specify password 7 IOS expects the password to be already encrypted text. You might get that, for example, if you are doing copy/paste from an existing configuration into a new device. If the existing configuration specified service password encryption then the passwords would already have type 7 encryption. But your attempt asks for password 7 but has a plain text password. I would suggest that it would be better if you used this

user user1 privilege 15 common-criteria-policy policy1 secret password1

2) Your policy specifies that there should be at least one capital and 1 special case but the password you used has lower case and 1 number. So you might want something like this

user user1 privilege 15 common-criteria-policy policy1 secret Password1#

Re: Local Password Policy with Encrypted password

giridar — Thu, 04 Feb 2021 14:20:05 GMT

thank you, when i run user user1 privilege 15 common-criteria-policy policy1 secret Password1#

it gives attached error

is there a way to generate a password 7

Re: Local Password Policy with Encrypted password

Richard Burts — Thu, 04 Feb 2021 14:32:37 GMT

I am surprised that the command to create a user does not accept the secret parameter. But your use of the help ? does show pretty clearly that it expects password and not secret. So use

user user1 privilege 15 common-criteria-policy policy1 password Password1#

If your configuration contains the service password-encryption then I would expect that the result would be in the config file the user password would have type 7 encryption.

Re: Local Password Policy with Encrypted password

giridar — Mon, 08 Feb 2021 05:34:57 GMT

thank you, currently there is no service password-encryption

Re: Local Password Policy with Encrypted password

Richard Burts — Mon, 08 Feb 2021 07:34:24 GMT

If currently your config does not contain service password-encryption can you add that? Have you been able to configure the user ID with a password? In show run what do you see for the user?

Re: Local Password Policy with Encrypted password

giridar — Mon, 08 Feb 2021 11:34:24 GMT

yes, i have configured service password-encryption and the password is now encrypted

thank you very much

Re: Local Password Policy with Encrypted password

Richard Burts — Mon, 08 Feb 2021 15:39:04 GMT

You are welcome. I am glad that my suggestions were helpful and that you have now achieved what you were trying to accomplish. Thank you for marking this question as solved. This will help other participants in the community to identify discussions which have helpful information. This community is an excellent place to ask questions and to learn about networking. I hope to see you continue to be active in the community.

Re: Local Password Policy with Encrypted password

savvas.ap — Tue, 24 May 2022 13:00:54 GMT

I have experienced the same issue. It does not allow me to set secret passwords like this username usertest common-criteria-policy TEST secret password123453a and accept only username usertest common-criteria-policy TEST password password123453a. I have already enabled the encryption service as well. any ideas why?