cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
5804
Views
5
Helpful
3
Replies

IOS Password Encryption Algorithm

avilt
Level 3
Level 3

I need to implement strong encryption algorithm for Cisco IOS and ASA firewalls. How do I achieve this?

2 Accepted Solutions

Accepted Solutions

Marvin Rhoads
Hall of Fame
Hall of Fame

It sounds like, from this question and the other one you posted, that you've been audited or are preparing for an audit. It would be better if you learned some of the fundamentals and best practices rather than asking specific questions out of context.

 

In any event, ASA passwords since 9.7 can use a stronger pbkdf2 algorithm for hashing local passwords. Details are here:

 

https://www.cisco.com/c/en/us/td/docs/security/asa/asa99/configuration/general/asa-99-general-config/aaa-local.html#ID-2114-00000076

 

IOS devices should be setup to use type 9 (where possible - vs. type 5 or 7) user passwords and "enable secret" passwords. If type 8/9 are not supported on your IOS then type 5 is the next-preferred method.

 

https://learningnetwork.cisco.com/thread/86911

View solution in original post

Hi, I don't believe it's possible to hide/encrypt a local user account in the running configuration.

What a lot of organizations do is implement an external aaa server (tacacs+ or radius) which stores the user accounts/passwords in a remote database (therefore not stored on the local router/switch).

View solution in original post

3 Replies 3

Marvin Rhoads
Hall of Fame
Hall of Fame

It sounds like, from this question and the other one you posted, that you've been audited or are preparing for an audit. It would be better if you learned some of the fundamentals and best practices rather than asking specific questions out of context.

 

In any event, ASA passwords since 9.7 can use a stronger pbkdf2 algorithm for hashing local passwords. Details are here:

 

https://www.cisco.com/c/en/us/td/docs/security/asa/asa99/configuration/general/asa-99-general-config/aaa-local.html#ID-2114-00000076

 

IOS devices should be setup to use type 9 (where possible - vs. type 5 or 7) user passwords and "enable secret" passwords. If type 8/9 are not supported on your IOS then type 5 is the next-preferred method.

 

https://learningnetwork.cisco.com/thread/86911

When I define users on IOS/ASA, is it possible to hide/encrypt the username in the running config?

 

username Abc privilege 15 secret 5 $XXXXXXXXXXXXXXXXXXXXXXXXX

Hi, I don't believe it's possible to hide/encrypt a local user account in the running configuration.

What a lot of organizations do is implement an external aaa server (tacacs+ or radius) which stores the user accounts/passwords in a remote database (therefore not stored on the local router/switch).
Review Cisco Networking for a $25 gift card