Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
Bookmark
|
Subscribe
|
6039
Views
5
Helpful
3
Replies

IOS Password Encryption Algorithm

Go to solution
avilt
Level 3
Level 3

‎06-16-2018 11:43 PM - edited ‎02-21-2020 07:53 AM

I need to implement strong encryption algorithm for Cisco IOS and ASA firewalls. How do I achieve this?

0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame

‎06-17-2018 12:25 AM

It sounds like, from this question and the other one you posted, that you've been audited or are preparing for an audit. It would be better if you learned some of the fundamentals and best practices rather than asking specific questions out of context.

 

In any event, ASA passwords since 9.7 can use a stronger pbkdf2 algorithm for hashing local passwords. Details are here:

 

https://www.cisco.com/c/en/us/td/docs/security/asa/asa99/configuration/general/asa-99-general-config/aaa-local.html#ID-2114-00000076

 

IOS devices should be setup to use type 9 (where possible - vs. type 5 or 7) user passwords and "enable secret" passwords. If type 8/9 are not supported on your IOS then type 5 is the next-preferred method.

 

https://learningnetwork.cisco.com/thread/86911

View solution in original post

Go to solution
Rob Ingram
VIP
VIP
In response to avilt

‎06-18-2018 05:14 AM

Hi, I don't believe it's possible to hide/encrypt a local user account in the running configuration.

What a lot of organizations do is implement an external aaa server (tacacs+ or radius) which stores the user accounts/passwords in a remote database (therefore not stored on the local router/switch).

View solution in original post

0 Helpful
3 Replies 3

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame

‎06-17-2018 12:25 AM

It sounds like, from this question and the other one you posted, that you've been audited or are preparing for an audit. It would be better if you learned some of the fundamentals and best practices rather than asking specific questions out of context.

 

In any event, ASA passwords since 9.7 can use a stronger pbkdf2 algorithm for hashing local passwords. Details are here:

 

https://www.cisco.com/c/en/us/td/docs/security/asa/asa99/configuration/general/asa-99-general-config/aaa-local.html#ID-2114-00000076

 

IOS devices should be setup to use type 9 (where possible - vs. type 5 or 7) user passwords and "enable secret" passwords. If type 8/9 are not supported on your IOS then type 5 is the next-preferred method.

 

https://learningnetwork.cisco.com/thread/86911

Go to solution
avilt
Level 3
Level 3
In response to Marvin Rhoads

‎06-17-2018 11:04 PM

When I define users on IOS/ASA, is it possible to hide/encrypt the username in the running config?

 

username Abc privilege 15 secret 5 $XXXXXXXXXXXXXXXXXXXXXXXXX

0 Helpful

Go to solution
Rob Ingram
VIP
VIP
In response to avilt

‎06-18-2018 05:14 AM

Hi, I don't believe it's possible to hide/encrypt a local user account in the running configuration.

What a lot of organizations do is implement an external aaa server (tacacs+ or radius) which stores the user accounts/passwords in a remote database (therefore not stored on the local router/switch).
0 Helpful
Review Cisco Networking for a $25 gift card
Top