26576 Views | 30 Helpful | 19 Replies

How can I remove the enable secret type 9 and set it to type 5?

jhoncas
Level 1

I have been trying to remove the enable secret 9 and set the enable secret 5 on a Cisco 9300, but after I removed it with the command "no enable secret", added the command "enable secret 5 PASSWORD" and verified with "show run", the type 9 is still there.

You will wonder why I want to change type 9 to type 5, and the answer is because my authentication is through a tacacs-server, and when I log in to this switch it doesn't accept the password (Password authentication fail). This is because type 9 works with a different hashing algorithm (SHA256) and type 5 works with MD5.

Another thing: when I added the command "enable secret 5 PASSWORD" I received the warning (ERROR: The secret you entered is not a valid encrypted secret. To enter an UNENCRYPTED secret, do not specify type 5 encryption. When you properly enter an UNENCRYPTED secret, it will be encrypted). Then I added the command "enable secret PASSWORD" again, this time without the number 5, and when I checked the configuration the type of the enable secret is again 9.

The question is: how can I remove the enable secret type 9 and set type 5?

Thank you in advance.

19 Replies

Hi,

Thanks for the further explanation. Now we understand that this is a different issue.

Can you change your command to:

aaa authentication login default tacacs+ enable

and try again.

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment helps you!

Hello Kumar,

Following your advice, I did the process below.

Process:
no aaa new-model
aaa new-model
aaa authentication login default tacacs+ enable
aaa session-id common

Then when I check the configuration, the command line (aaa authentication login default group tacacs+ enable) is still there.

Anyway, I ran the debug and I got the results below. I am posting two debugs, the first one with my regular network password and the second one with the local enable password.

Debug with a local password

Jun 13 11:59:58 EDT: AAA/BIND(00001069): Bind i/f
Jun 13 11:59:58 EDT: AAA/AUTHEN/LOGIN (00001069): Pick method list 'default'
Jun 13 11:59:58 EDT: TPLUS: Queuing AAA Authentication request 4201 for processing
Jun 13 11:59:58 EDT: TPLUS(00001069) login timer started 1020 sec timeout
Jun 13 11:59:58 EDT: TPLUS: processing authentication start request id 4201
Jun 13 11:59:58 EDT: TPLUS: Authentication start packet created for 4201(usertest)
Jun 13 11:59:58 EDT: AAA/AUTHEN/ENABLE(00001069): Processing request action LOGIN
Jun 13 11:59:58 EDT: AAA/AUTHEN/ENABLE(00001069): Done status GET_PASSWORD
Jun 13 11:59:58 EDT: AAA/AUTHEN/ENABLE(00001069): Processing request action LOGIN
Jun 13 11:59:58 EDT: AAA/AUTHEN/ENABLE(00001069): Done status PASS
Jun 13 11:59:58 EDT: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: usertest] [Source: X.X.X.X] [localport: 22] at 11:59:58 EDT Sat Jun 13 2020
Jun 13 12:00:00 EDT: AAA: parse name=tty3 idb type=-1 tty=-1
Jun 13 12:00:00 EDT: AAA: name=tty3 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=3 channel=0
Jun 13 12:00:00 EDT: AAA/MEMORY: create_user (0x7F954AC08BF8) user='usertest' ruser='NULL' ds0=0 port='tty3' rem_addr='X.X.X.X' authen_type=ASCII service=ENABLE priv=15 initial_task_id='0', vrf= (id=0)
Jun 13 12:00:00 EDT: AAA/AUTHEN/START (2375611669): port='tty3' list='' action=LOGIN service=ENABLE
Jun 13 12:00:00 EDT: AAA/AUTHEN/START (2375611669): non-console enable - default to enable password
Jun 13 12:00:00 EDT: AAA/AUTHEN/START (2375611669): Method=ENABLE
Jun 13 12:00:00 EDT: AAA/AUTHEN (2375611669): status = GETPASS
Jun 13 12:00:02 EDT: AAA/AUTHEN/CONT (2375611669): continue_login (user='(undef)')
Jun 13 12:00:02 EDT: AAA/AUTHEN (2375611669): status = GETPASS
Jun 13 12:00:02 EDT: AAA/AUTHEN/CONT (2375611669): Method=ENABLE
Jun 13 12:00:02 EDT: AAA/AUTHEN (2375611669): status = PASS

Debug with my regular password

Jun 13 12:03:59 EDT: AAA/BIND(0000106A): Bind i/f
Jun 13 12:03:59 EDT: AAA/AUTHEN/LOGIN (0000106A): Pick method list 'default'
Jun 13 12:03:59 EDT: TPLUS: Queuing AAA Authentication request 4202 for processing
Jun 13 12:03:59 EDT: TPLUS(0000106A) login timer started 1020 sec timeout
Jun 13 12:03:59 EDT: TPLUS: processing authentication start request id 4202
Jun 13 12:03:59 EDT: TPLUS: Authentication start packet created for 4202(usertest)
Jun 13 12:03:59 EDT: AAA/AUTHEN/ENABLE(0000106A): Processing request action LOGIN
Jun 13 12:03:59 EDT: AAA/AUTHEN/ENABLE(0000106A): Done status GET_PASSWORD
Jun 13 12:03:59 EDT: AAA/AUTHEN/ENABLE(0000106A): Processing request action LOGIN
Jun 13 12:03:59 EDT: AAA/AUTHEN/ENABLE(0000106A): Done status FAIL - bad password

Thank you for the additional debug output. You describe it this way: "the first one with my regular network password and the second one with the local enable password". If I am understanding correctly, it shows that using your regular network password is successful but using the local enable password fails. And that is pretty much what I would expect to happen if tacacs is working.

Perhaps we need to ask about what you expect to happen when you attempt to login. Your configuration addresses 2 conditions: 1) if tacacs is working 2) if tacacs is not working.

1) if tacacs is working then authentication would use your regular network password and would fail if you use the enable password.

2) if tacacs is not working then authentication would use the enable password and would fail if you use your regular network password.

Is that what is happening? Or is something different happening?


HTH

Rick
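To make the two-condition logic Rick describes visible in the debug output, here is an added example (not code from the thread or from Cisco): a small Python parser that groups IOS AAA debug lines like those quoted above by session id and reports, per session, whether TACACS+ was contacted, whether the enable-password method was selected, and the final status. The sample lines are constructed from the excerpts in the thread, and the record field names are this example's own.

```python
import re

# Constructed sample, trimmed from the IOS debug lines quoted in the thread: a login
# that passes, the enable-mode step that follows it, and a login that fails.
SAMPLE_DEBUG = """\
Jun 13 11:59:58 EDT: AAA/AUTHEN/LOGIN (00001069): Pick method list 'default'
Jun 13 11:59:58 EDT: TPLUS: Queuing AAA Authentication request 4201 for processing
Jun 13 11:59:58 EDT: TPLUS(00001069) login timer started 1020 sec timeout
Jun 13 11:59:58 EDT: AAA/AUTHEN/ENABLE(00001069): Done status PASS
Jun 13 12:00:00 EDT: AAA/AUTHEN/START (2375611669): port='tty3' list='' action=LOGIN service=ENABLE
Jun 13 12:00:00 EDT: AAA/AUTHEN/START (2375611669): non-console enable - default to enable password
Jun 13 12:00:02 EDT: AAA/AUTHEN (2375611669): status = PASS
Jun 13 12:03:59 EDT: AAA/AUTHEN/LOGIN (0000106A): Pick method list 'default'
Jun 13 12:03:59 EDT: TPLUS(0000106A) login timer started 1020 sec timeout
Jun 13 12:03:59 EDT: AAA/AUTHEN/ENABLE(0000106A): Done status FAIL - bad password
"""

# Subsystem label plus session id, e.g. "TPLUS(00001069)" or "AAA/AUTHEN/START (2375611669)".
SESSION_RE = re.compile(r'\b(?P<src>AAA/[A-Z/]+|TPLUS) ?\((?P<id>[0-9A-Fa-f]+)\)')
STATUS_RE = re.compile(r'(?:Done status|status =) (?P<st>PASS|FAIL)')

def summarize(debug_text):
    """One record per AAA session id, in order of first appearance (field names are this example's own)."""
    sessions = {}
    for line in debug_text.splitlines():
        m = SESSION_RE.search(line)
        if not m:
            continue  # e.g. "TPLUS: Queuing ..." carries no session id
        s = sessions.setdefault(m.group('id'), {
            'id': m.group('id'), 'service': 'LOGIN', 'tacacs_contacted': False,
            'enable_method_used': False, 'result': 'UNKNOWN', 'decided_by': None})
        if 'service=ENABLE' in line:
            s['service'] = 'ENABLE'          # privilege-level step, not the login itself
        if m.group('src') == 'TPLUS':
            s['tacacs_contacted'] = True     # a TACACS+ request was started for this session
        if 'default to enable password' in line or 'Method=ENABLE' in line:
            s['enable_method_used'] = True   # the local enable secret is what gets checked
        st = STATUS_RE.search(line)
        if st:
            s['result'] = st.group('st')     # PASS or FAIL, last status line wins
            s['decided_by'] = m.group('src') # which subsystem reported the verdict
    return list(sessions.values())

def report(debug_text):
    """One human-readable line per session."""
    return ['%s %s: tacacs=%s enable-method=%s result=%s (%s)' % (
        s['service'], s['id'], s['tacacs_contacted'], s['enable_method_used'],
        s['result'], s['decided_by']) for s in summarize(debug_text)]
```

Run `report()` over a full `debug aaa authentication` / `debug tacacs` capture to see, per session, whether a FAIL came back while TACACS+ was in play (wrong credential for the server) or after the enable method was selected (wrong local enable secret).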

Hi,

What is meant by "my regular network password"? Is it a tacacs+ user account? If so, then it is correct. If the Tacacs server is responding and working properly, then the device's local user account will not work.

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!


Yes, it's my tacacs+ user account.