Hello Kumar,

Thanks for your response. I saw this tutorial previously, before this post and I did it but the result is the same, the hashing algorithm type 9 is still there.

Thanks,

Hello Martin,

This is the version.

Cisco IOS XE Software, Version 16.12.02
Cisco IOS Software [Gibraltar], Catalyst L3 Switch Software (CAT9K_IOSXE), Version 16.12.02, RELEASE SOFTWARE (fc2)

cisco C9300-48U

Thanks,

Hi,

Note:  Password type 5 is deprecated. Password type 5 must be migrated to stronger password type 8 or type
9.

The command would be like: enable password [level level] {password encryption-type encrypted-password}

I suggest you visit on page 8 for more information: https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3650/software/release/16-12/configuration_guide/sec/b_1612_sec_3650_cg.pdf

https://community.cisco.com/t5/security-documents/why-you-should-be-using-scrypt-for-cisco-router-password-storage/ta-p/3157196

Cisco is making it difficult for you to use the type 5 password in this release. As you discovered when you attempted to do it the command enable secret 5 <some value> then Cisco expects the value that you enter to be the already encrypted word not the plain text word. It seems to me that you might have a solution if you have some other Cisco gear that does still use the type 5 password. If you do have a Cisco router or switch that uses type 5 then configure the password that you want to use, do show run on that device, copy the value of the enable secret (which will be the encrypted version of the password), and use that value for the enable secret 5 on the problem device.

Hello Richard,

Thank you for your assistance,

Your recommendation had already been made, but type 9 still appears. As you indicate like Kumar and Martin, type 5 is deprecated and after several tests, I think that type 9 has nothing to do with the authentication problem that I have, it seems to be something related to AAA and tacacs. I ran an aaa and tacacs debugging and I got the below capture.

Jun 12 18:11:18.829: %PLATFORM_STACKPOWER-3-INVALID_TOPOLOGY: Invalid power stack topology observed by switch 5. More than four switches are connected in ring topology

Jun 12 18:11:27.063: AAA/BIND(0000103E): Bind i/f 

Jun 12 18:11:27.063: AAA/AUTHEN/LOGIN (0000103E): Pick method list 'default'

Jun 12 18:11:27.063: TPLUS: Queuing AAA Authentication request 4158 for processing

Jun 12 18:11:27.063: TPLUS(0000103E) login timer started 1020 sec timeout

Jun 12 18:11:27.063: TPLUS: processing authentication start request id 4158

Jun 12 18:11:27.063: TPLUS: Authentication start packet created for 4158(johnc)

Jun 12 18:11:27.063: AAA/AUTHEN/ENABLE(0000103E): Processing request action LOGIN

Jun 12 18:11:27.063: AAA/AUTHEN/ENABLE(0000103E): Done status GET_PASSWORD

Jun 12 18:11:27.063: AAA/AUTHEN/ENABLE(0000103E): Processing request action LOGIN

Jun 12 18:11:27.097: AAA/AUTHEN/ENABLE(0000103E): Done status FAIL - bad password

Below is the aaa and tacacs configuration:

!
aaa new-model
!aaa authentication login default group tacacs+ enable
!aaa session-id common

tacacs-server host X.X.X.X
tacacs-server host B.B.B.B
tacacs-server directed-request
tacacs-server key 7 XXXXXXXX

Thanks for the additional information. Perhaps you can clarify something for me. The original post seems to think there was a problem with the enable password. This output clearly shows that tacacs is generating the fail response. The partial config that you posted has tacacs doing login authentication but not doing authentication for enable. So are the debug results generated when you attempt to login to the router or were already logged in and the debug was when you attempted to go to enable mode?

Hello Richard,

The debug is the results generated when I attempt to login to the switch in user mode with my regular network password but when I put the local enable password of the switch I can get into the switch in user mode and then in a privileged mode without issue.

Thanks for clarifying that the debug output corresponds to your attempt to login to the switch. I have a few things to follow up to investigate this issue:

- does this user ID and password work on other Cisco equipment in your network?

- do the logs on the tacacs server show the login attempt and failure to authenticate using tacacs?

- would you attempt to login, and then post the output of the command show tacacs?

Hey Richard,

Here you have the response.

1) - does this user ID and password work on other Cisco equipment in your network?

Yes, the user ID and password are working on other Cisco equipment in my network.

2) - do the logs on the tacacs server show the login attempt and failure to authenticate using tacacs?

The log on the Tacacs isn't showing up any attempt or failure from this device seems like the switch and the server are not talking to each other.

3) - would you attempt to login, and then post the output of the command show tacacs?

The Tacacs server is not showing up any attempt or failure from this device.

I think you may not have understood my request to run show tacacs. I was asking you to run this on the switch and post the output from the switch - not asking what the server shows.

Ok,  I got it.

aaa new-model
!
aaa authentication login default group tacacs+ enable
!
aaa session-id common

tacacs-server host X.X.X.X
tacacs-server host  Z.Z.Z.Z
tacacs-server directed-request
tacacs-server key 7 RRRRRRRRR