Solved: Re: Enable, Secret, Privilege Password

Joy3 · ‎07-29-2021

Hallo All,

I have configured my router with an enable secret 5 password and also added some usernames+privilege level+secret 5 password. However, when I reload the router, I am not prompted for any username or password. I have the aaa enabled to authenticate with TACACS, which I understand could be a problem. However, is there a solution without disabling aaa.

This will probably be the most basic question but I will go ahead and ask because I have dwelt on it all morning without success. I had deleted the configs from my router and would want to reconfigure with the exact same configs (maybe add a few usernames and change passwords). However, I am getting the following error messages:

R1(config)#enable secret 5 xyz
ERROR: The secret you entered is not a valid encrypted secret.
To enter an UNENCRYPTED secret, do not specify type 5 encryption.

It is clear, after reading, that secret 5 passwords are hashed, so, plain text will definitely not work. So, how do I generate an encrypted secret while maintaining the secret 5 level password? If I configure with secret password without specifying 5, the secret level is set to secret 9 in 'sh run' but I want to maintain it at secret 5.

Then this is also giving me the same problem when I enter a plain text secret 5 password:

R1(config)#username xyz privilege 15 secret 5 xyz
ERROR: The secret you entered is not a valid encrypted secret.
To enter an UNENCRYPTED secret, do not specify type 5 encryption.
When you properly enter an UNENCRYPTED secret, it will be encrypted.

To add context to my issue, I had the running configs before erasing them from the router. When I directly paste it into my terminal, it works (with a warning) but unfortunately, I can't decrypt the MD5 passwords andy anyway, I am not even prompted to enter username or password on reboot.

R1(config)#username xyz privilege 15 secret 5 $1$H5hX$mxxxxxxx
WARNING: Command has been added to the configuration using a type 5 password. However, type 5 passwords will soon be deprecated. Migrate to a supported password type
R1(config)#
*Jul 29 2021 14:49:25.157 CEST: %AAAA-4-CLI_DEPRECATED: WARNING: Command has been added to the configuration using a type 5 password. However, type 5 passwords will soon be deprecated. Migrate to a supported password

I will really appreciate your help on this. Thanks.

Regards,

Joyce

Richard Burts · ‎07-30-2021

Joyce

Thank you for the additional information. First let me comment on the issue of type 5 vs type 9. If there is a request to use type 5 then there is a way to achieve it - as long as you have a copy of the type 5 encrypted password. Which is what you did here

username xyz privilege 15 secret 5 $1$H5hX$mxxxxxxx

Do this on additional devices (changing user name and privilege level as appropriate but keeping the crypto text) and it should work. The down side is that if there are multiple user names then all of the configured user names would be using the same password. Since the username is being set up as a backup for times when authentication with tacacs is not working this might not be a big deal. But it is something to be aware of.

Let me also say that I appreciate that as a junior member of the team you do not want to challenge the members of the team who have so much experience. Perhaps you could ask some of those senior members of the team a question saying I am getting this warning message - is it something that I should be concerned about? If they continue to insist on type 5 then do it their way.

As far as why you are not prompted for user name when logging in the config snippet does give me what I wanted to see. Focus on this line

login authentication !

what I would expect to see is

login authentication CONSOLE

Make the change and let me know if the behavior changes.

HTH

Rick

View solution in original post

Richard Burts · ‎08-02-2021

Joyce

I am glad that my explanations and suggestion were helpful. Most Cisco commands are pretty good about not being case sensitive. In this particular command CONSOLE is a name for an authentication method and for names (as you have learned) CONSOLE is not the same as console.

As far as using type 5 encryption for passwords you have done what you can do. You have pointed out that Cisco is changing things and is encouraging customers to change the encryption type that they use. If the senior member of the team still wants to continue using type 5 you have the ability to do that (be careful that you do not lose the encrypted value of the password). At some point the type 5 passwords will stop working and it is difficult to know when that will be. I would suggest that as you are assigned tasks to do code upgrades on the Cisco network equipment that you read the release notes for the new release carefully. When Cisco does implement the change to stop using type 5 encrypted passwords there will be mention of that in the release notes. Some customers have been known to implement code upgrades without carefully reading the release notes and get surprised when the way things work changes.

As you work on this project it is likely that you will have additional questions. Feel free to post in the community about your questions. This community is an excellent place to ask questions and to learn about networking. I hope to see you continue to be active in the community.

HTH

Rick

View solution in original post

Richard Burts · ‎07-29-2021

Joyce

There are at least 2 issues in the situation that you describe.

When I first read the post I thought that the issue was about configuring passwords using plain text vs using crypto text. But reading it again I realize that the question is really about the versions of crypto text. Some history might help. When Cisco inItially introduced encryption of the enable password it used MD5 encryption. (That is where the 5 in the enable secret command comes from). But over time issues developed and better forms of encryption were developed. And Cisco is advising that at some point use of MD5 encrypted passwords will no longer be supported. That is why you are getting the messages about "However, type 5 passwords will soon be deprecated. Migrate to a supported password type"

You say "the secret level is set to secret 9 in 'sh run' but I want to maintain it at secret 5" As long as you have access to the MD5 hashed version of the password you can continue to maintain secret 5 passwords. But Cisco is warning you that at some future point that will no longer be supported. I suggest that you should change your mind about keeping level 5 passwords. Remember that type 5 provides much weaker protection for your routers while type 9 is much more secure.

The other issue is why you are not prompted for a user ID or password. We do not have enough information at this point to be able to provide answers. Can you tell us whether this is happening when logging in on console or when logging in using SSH/telnet? It would be helpful if we could see the complete config but if you do not want to provide the complete config then please provide these

show run section aaa

show run | begin cons

HTH

Rick

Joy3 · ‎07-30-2021

Hi Rick,

Thanks for the response. I had suggested the use of type 9 but the request is that we leave it as type 5. I am also relatively new in the networking field so, I wouldn't like to be the know-it-all of the team of people with years upon years of experience in the field

At the moment, I am only accessing via console because the LTE connection is yet to work (I will probably be back with more questions on this, lol; but first things first). As requested, here are the configs:

R1-1#sh run | section aaa
aaa new-model
aaa group server tacacs+ TACACS-ISE
server name SUS-ISE-01-LP
server name SUS-ISE-02-LP
aaa group server radius RADIUS-ISE
server name SUS-ISE-01-LP
server name SUS-ISE-02-LP
aaa authentication login VTY group TACACS-ISE local
aaa authentication login CONSOLE group TACACS-ISE local
aaa authentication enable default group TACACS-ISE none
aaa authentication dot1x default group RADIUS-ISE
aaa authorization console
aaa authorization config-commands
aaa authorization exec VTY group TACACS-ISE local if-authenticated
aaa authorization exec CONSOLE group TACACS-ISE local
aaa authorization commands 15 VTY group TACACS-ISE local if-authenticated
aaa authorization commands 15 CONSOLE group TACACS-ISE local
aaa authorization network default group RADIUS-ISE
aaa accounting update periodic 15
aaa accounting identity default start-stop group RADIUS-ISE
aaa accounting exec default start-stop group TACACS-ISE
aaa accounting commands 15 default start-stop group TACACS-ISE
aaa server radius dynamic-author
client x.x.x.x server-key 7 xyz
client x.x.x.x server-key 7 abc

aaa session-id common

match result-type aaa-timeout

The configs for begin cons are so long so I've only sent a snippet. Not sure if this will be helpful.

R1-1# show run | begin cons

!
line con 0
password 7 094F471A1A0A
login authentication !
transport input none
stopbits 1
line vty 0 4
access-class SSH-MGMT in vrf-also
exec-timeout 30 0
authorization commands 15 VTY
authorization exec VTY
login authentication VTY
transport input ssh
!
ntp source Loopback0
ntp server 172.30.7.2

Thanks and good day.

Joyce

Richard Burts · ‎07-30-2021

Joyce

Thank you for the additional information. First let me comment on the issue of type 5 vs type 9. If there is a request to use type 5 then there is a way to achieve it - as long as you have a copy of the type 5 encrypted password. Which is what you did here

username xyz privilege 15 secret 5 $1$H5hX$mxxxxxxx

Do this on additional devices (changing user name and privilege level as appropriate but keeping the crypto text) and it should work. The down side is that if there are multiple user names then all of the configured user names would be using the same password. Since the username is being set up as a backup for times when authentication with tacacs is not working this might not be a big deal. But it is something to be aware of.

Let me also say that I appreciate that as a junior member of the team you do not want to challenge the members of the team who have so much experience. Perhaps you could ask some of those senior members of the team a question saying I am getting this warning message - is it something that I should be concerned about? If they continue to insist on type 5 then do it their way.

As far as why you are not prompted for user name when logging in the config snippet does give me what I wanted to see. Focus on this line

login authentication !

what I would expect to see is

login authentication CONSOLE

Make the change and let me know if the behavior changes.

HTH

Rick

Joy3 · ‎08-02-2021

Hallo Rick,

You are a life saver (or should I say a network saver ;)) That worked like magic. At first when I entered the command in small letters, I received an error message (AAA: Warning authentication list "console" is not defined for LOGIN.) and tried to find a solution online to no avail. Then I just tried it with capital letters and there was no error and after a reload of the router, I was prompted for both a username and password. That is a big win for me, thanks to you I didn't know that commands are case sensitive. But thanks again.

As for the type 5 message, I had earlier informed the my senior team member about it being soon deprecated and he still insisted on us using it. So, for now, we shall maintain it like that until further notice

I will now try the LTE connection and hopefully it works smoothly.

Have a good day and thanks again.

Regards,

Joyce

Richard Burts · ‎08-02-2021

Joyce

I am glad that my explanations and suggestion were helpful. Most Cisco commands are pretty good about not being case sensitive. In this particular command CONSOLE is a name for an authentication method and for names (as you have learned) CONSOLE is not the same as console.

As far as using type 5 encryption for passwords you have done what you can do. You have pointed out that Cisco is changing things and is encouraging customers to change the encryption type that they use. If the senior member of the team still wants to continue using type 5 you have the ability to do that (be careful that you do not lose the encrypted value of the password). At some point the type 5 passwords will stop working and it is difficult to know when that will be. I would suggest that as you are assigned tasks to do code upgrades on the Cisco network equipment that you read the release notes for the new release carefully. When Cisco does implement the change to stop using type 5 encrypted passwords there will be mention of that in the release notes. Some customers have been known to implement code upgrades without carefully reading the release notes and get surprised when the way things work changes.

As you work on this project it is likely that you will have additional questions. Feel free to post in the community about your questions. This community is an excellent place to ask questions and to learn about networking. I hope to see you continue to be active in the community.

HTH

Rick

Joy3 · ‎08-03-2021

Hallo Rick,

About the names of methods being case sensitive was not known to me but now I know and now the config I am working on is making more sense now Thanks again and I will be sure to bring any questions for the future.

Regards,

Joyce

Richard Burts · ‎08-03-2021

Joyce

You are welcome. You are making progress. I look forward to your next question.

HTH

Rick

Joy3 · ‎08-04-2021

Hallo Rick,

I am not sure whether I should create another question, althought it still has to do with my current project. If it okay to answer it here, well and good, if not I can always create another question.

I have configured a cellular interface on an ISR LTE router to negotiate an ip address and the status and protocol are now up. Unfortunately, I am unable to SSH to the router (I assume it has to do with the IP addresses but I am not sure really). How is it possible to SSH?

R1-1#sh ip int brief
Interface IP-Address OK? Method Status Protocol
GigabitEthernet0/0/0 unassigned YES NVRAM down down
GigabitEthernet0/1/0 unassigned YES unset up up
GigabitEthernet0/1/1 unassigned YES unset down down
GigabitEthernet0/1/2 unassigned YES unset down down
GigabitEthernet0/1/3 unassigned YES unset down down
Wl0/1/4 unassigned YES unset administratively down down
Cellular0/2/0 10.118.207.83 YES IPCP up up
Cellular0/2/1 unassigned YES NVRAM down down
ATM0/3/0 unassigned YES NVRAM down down
Ethernet0/3/0 unassigned YES NVRAM down down
Loopback0 172.30.255.99 YES NVRAM up up
Tunnel100 172.30.254.99 YES NVRAM up down
Tunnel200 172.30.253.99 YES NVRAM up down
Vlan1 unassigned YES unset administratively down down
Vlan100 10.201.185.1 YES NVRAM up up
Vlan251 192.168.185.1 YES NVRAM up up
Vlan300 10.201.167.33 YES NVRAM up up
Vlan804 172.30.153.241 YES NVRAM up up
Vlan805 172.30.101.249 YES NVRAM up up
Vlan806 172.30.201.249 YES NVRAM up up

R1-1#ping 8.8.8.8 source loopback 0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 172.30.255.99
.....
Success rate is 0 percent (0/5)
999VT01CI11-1#

I have checked and I see SSH is enabled.

Additionally, I have plugged in a cisco phone in port gi0/1/0 that I would like to access via a VPN tunnel. I can't find a proper way to configure it and I would really appreciate direction on how to go about it. Let me know if any additional info will help.

Thanks and regards,

Joyce

Richard Burts · ‎08-04-2021

Joyce

There is not any absolute answer about whether or not you should start a new discussion for this question. One way of looking at it is that a different question might benefit from having a new discussion (when a post has no response or only a few responses some people are more likely to read it and possibly respond while they might not pay as much attention to a post that already has multiple responses). Another way to look at it is that if the new question is part of the same project that there may be context in the discussion that would help understand the new question and posting in the same discussion might be helpful. (and one benefit of posting in the same discussion is that I should get a notification of the new post) Certainly for this question there is no need for a new discussion. For your next question you will make a new decision.

For your question about using a phone over a vpn I would suggest that we deal with that after we have dealt with the issue about SSH access.

For the issue about SSH access I have some questions and suggestions:

- where are you attempting the SSH access from? (what is the source address of the SSH request and is that request coming from inside your network or from outside of your network)

- which IP address on your router is the SSH to?

- can the device on which you attempt SSH ping to the IP address that is the destination for SSH?

- as a starting point in investigating this would you post the output of show ip ssh

HTH

Rick

Joy3 · ‎08-05-2021

Hallo Rick,

Thanks for the clarification. I will do as you suggested with my next question.

Here is the output of sh ip ssh.

R1-1#sh ip ssh
SSH Enabled - version 2.0
Authentication methods:publickey,keyboard-interactive,password
Authentication Publickey Algorithms:x509v3-ssh-rsa,ssh-rsa
Hostkey Algorithms:x509v3-ssh-rsa,ssh-rsa
Encryption Algorithms:aes128-ctr,aes192-ctr,aes256-ctr
MAC Algorithms:hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-sha1-96
KEX Algorithms:diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
Authentication timeout: 120 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 4096 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded): R-1.xxx.lan
Modulus Size : 4096 bits
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCqHihvVmRUxxH5CUcDPjYhuRJOEhkVWIiEVENHyuCi
/RNjHWDksrt9mbrfcyS/mcilr9F+U73OAFAm6AOPOA61GREFT9b5ZszbscnQ++s3lEjwrj9pr1TgHwmC
+qR0ofiJjxQBfkjFaZwc2M9ExlZgSYzpdsi7vQG7ZqI5HCQBWEsnvMQvbg3Xkst2jrxG0ABX2xExI9UY
esEWy91WDJ3oiWFXZmRbzn7kvz7lo4/bgNt2WIxixRf1CZpfjRxJmVyTKW/sjwCGFsAKmXJ/**bleep**Lrlcg
aCrvMxTUJdZaY9jn0QoD54SZpWn7wN9fmaZdWB4bfnIq7lKk+QNjAz4Ia/s+rv7yUloRXF2DyMp1/ANs
+y6ybhkQBwPG3cEiyQJ7E8mWbS9p3oQ8o2LJjLHTw86V+6cuCQajLmWbhIUadvHAc56SLV6HkvFKtR8m
GF+FGPTOG061NGDQ8QTQ0QqhN2jjdC0FQA/4QsMs018Aeu4lK1y/pmq1FzQqVHEGO8ZKmK/Ts6vEnFM7
PgL5y20Bmfbh7P6yScGrRx53rtIRpU5A2afyu4XFm1/0BhD21JiKuYRwSSloTUzAfq/ph7asWCUsAFAE
mQvbp0RRf1A6tO3bWPxkJ+swRJ3faKJx6ONjnDOgGjz7ugBqY1wYl1vDuY/MdQo1kqmgaCc7EkBSn2vj
R1-1#

- where are you attempting the SSH access from? (what is the source address of the SSH request and is that request coming from inside your network or from outside of your network)

The source address of the SSH request is from inside my network. 10.201.144.201/26

- which IP address on your router is the SSH to?

The router's management IP is 172.30.255.99

- can the device on which you attempt SSH ping to the IP address that is the destination for SSH?

I am getting 100% packet loss when I ping from my PC to the destination IP (172.30.255.99)

The router is a "Cisco C1116-4PLTEEAWE Chassis".

Thank you.

Regards,

Joyce

Richard Burts · ‎08-05-2021

Joyce

Thanks for the information. It is good to confirm that SSH is enabled (and forces use of SSH version 2). At some point we may need to verify that your SSH client is using version 2. But first we have a different problem to solve.

If your PC can not ping the router address it suggests that there is an IP connectivity problem. I see that the address that you attempt SSH to is up/up - that is good. I see that the subnet that you SSH from is not a connected subnet on the router. So one question is whether this router has a route to that subnet. Please post the output of show ip route on the router. Another question is whether the router/switch where your PC is connected has a route to the subnet that you attempt to SSH to. Do you have access to the router/switch the PC is connected to and could check its routing table? It might be helpful if you do traceroute/tracert (depending on OS of your PC) and see how far it gets.

HTH

Rick

Joy3 · ‎08-06-2021

Hallo Rick,

I have seen that the subnet of my PC (where I SSH from) is not in the router's routing table. Here is the sh ip route output:

R1-1#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, m - OMP
n - NAT, Ni - NAT inside, No - NAT outside, Nd - NAT DIA
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
H - NHRP, G - NHRP registered, g - NHRP registration summary
o - ODR, P - periodic downloaded static route, l - LISP
a - application route
+ - replicated route, % - next hop override, p - overrides from PfR

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

S* 0.0.0.0/0 is directly connected, Cellular0/2/0
10.0.0.0/8 is variably subnetted, 5 subnets, 2 masks
C 10.117.130.111/32 is directly connected, Cellular0/2/0
C 10.201.167.32/28 is directly connected, Vlan300
L 10.201.167.33/32 is directly connected, Vlan300
C 10.201.185.0/28 is directly connected, Vlan100
L 10.201.185.1/32 is directly connected, Vlan100
172.30.0.0/16 is variably subnetted, 7 subnets, 3 masks
C 172.30.101.248/29 is directly connected, Vlan805
L 172.30.101.249/32 is directly connected, Vlan805
C 172.30.153.240/28 is directly connected, Vlan804
L 172.30.153.241/32 is directly connected, Vlan804
C 172.30.201.248/29 is directly connected, Vlan806
L 172.30.201.249/32 is directly connected, Vlan806
C 172.30.255.99/32 is directly connected, Loopback0
192.168.185.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.185.0/28 is directly connected, Vlan251
L 192.168.185.1/32 is directly connected, Vlan251
R1-1#

I see that there is no subnet here and for that I would prefer dynamic routing (I have seen that I can manually configure the routes but I would rather not, unless it is all that is needed for the connection to work).

I have also tracerouted from my PC and here is the output:

C:\Users\xyz>tracert 172.30.255.99

Routenverfolgung zu 172.30.255.99 über maximal 30 Hops

1 2 ms 2 ms 2 ms 10.201.114.65
2 2 ms 1 ms 1 ms 172.30.50.153
3 2 ms 2 ms 1 ms 172.30.20.153
4 4 ms 2 ms 1 ms 10.201.106.10
5 * * * Zeitüberschreitung der Anforderung. //request timed out
6 * * * Zeitüberschreitung der Anforderung.
7 * * * Zeitüberschreitung der Anforderung.
8 * * ^C
C:\Users\xyz>

I have had a discussion with my colleague and he assumes that after connecting via LTE, then a tunnel should be created so that we can ssh to the router and then the phone can come on. Could this be the case?

Regards,

Joyce

Richard Burts · ‎08-06-2021

Joyce

We are making progress. We have established that your PC does not have basic IP connectivity to the new router. And that the new router does not have any route to the subnet where your PC is located. There are multiple possible solutions for this and choosing which solution is best requires knowledge of your environment that I do not have. Possible solutions include:

- dynamic routing protocol. If this router is part of your Enterprise network and if at least one of the subnets on this router is also configured on some other device in the Enterprise network then a dynamic routing protocol is a possible solution. But I have the impression that none of the subnets on this router are also present on other devices in the Enterprise network. Is this correct?

- static routes on the new router. You might be able to configure static routes on the new router to route to the subnets of the Enterprise network. But as with the dynamic routing option this depends on having at least one subnet on the new router that is also present on some device in the Enterprise network. I have the impression that this is not the case. Is this correct?

- routing over the LTE. I generally associate LTE with connections to ISP and to Public IP. But in this case the LTE seems to be getting an IP in the Private IP network. It would seem possible that this might work. But since the new router does already have a default route using the LTE and you do not have connectivity I suspect that this option will not work.

- some tunneling implementation (perhaps even some vpn tunnel implementation). Especially if this new router is to be deployed in some other/remote site then a tunnel solution might be the solution that works.

What can you tell me about the environment in which this new router will operate?

In a previous post the output of show ip interface brief shows that you have 2 tunnel interfaces. What can you tell me about those tunnel interfaces?

HTH

Rick

Joy3 · ‎08-09-2021

Hallo Rick,

Thanks for the detailed info.

The router needs to be tunnelled to 2-DMVPN hubs which is why the last solution of implementing a vpn tunnel seems viable. I have configured the tunnels and compared it to a working router operating similarly and so far, it looks the same. However, the line protocols of both tunnels are still down. The following are the show run for the 2 tunnels:

R1-1#sh run int tunnel 100
Building configuration...

Current configuration : 534 bytes
!
interface Tunnel100
description TUNNEL-TO-DMVPN-HUB-MUC13
ip address 172.30.254.99 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication DMVPN-I1
ip nhrp network-id 100
ip nhrp nhs 172.30.254.254 nbma 109.70.192.4 multicast
ip nhrp registration timeout 60
ip nhrp redirect
zone-member security DMVPN
ip tcp adjust-mss 1360
delay 1000
cdp enable
if-state nhrp
tunnel source Cellular0/2/0
tunnel mode gre multipoint
tunnel key 100
tunnel vrf INTERNET
tunnel protection ipsec profile DMVPN-PROFILE-1
end

R1-1#sh run int tunnel 200
Building configuration...

Current configuration : 532 bytes
!
interface Tunnel200
description TUNNEL-TO-DMVPN-HUB-RTH
ip address 172.30.253.99 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication DMVPN-I2
ip nhrp network-id 200
ip nhrp nhs 172.30.253.254 nbma 109.70.192.5 multicast
ip nhrp registration timeout 60
ip nhrp redirect
zone-member security DMVPN
ip tcp adjust-mss 1360
delay 1000
cdp enable
if-state nhrp
tunnel source Cellular0/2/0
tunnel mode gre multipoint
tunnel key 200
tunnel vrf INTERNET
tunnel protection ipsec profile DMVPN-PROFILE-2
end

I have a wild unfounded guess that there could be a firewall blocking traffic. Could this be the case?

Thanks.

Regards,

Joyce