Tim Glen
Cisco Employee
Summary

Cisco IOS XE 17.3(2a) was released in November 2020 and with it came support for a new feature called Masked Secret. Originally the feature only hashed the secret with the SCRYPT algorithm.

Cisco IOS XE 17.10 was released in November 2022 and with it came support for an enhancement to Masked Secret that allows a user to hash the secret with SHA-256. I was excited to see this feature as SCRYPT is not NIST approved and SHA-256 is NIST Recommended!

In the past, when setting up the IOS XE local user database or enable secret (please do not use enable password), we entered the secret on the CLI and the secret was displayed on the terminal. This practice is insecure and goes against best practices. It allows someone watching over your shoulder to see the password on your screen, and if you log your CLI sessions, like I do, the password is kept in a text file.

This is the way we used to do it.

[Screenshot: 01-username-algo-sha256-secret-WEB.png]
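Before migrating to Masked Secret it helps to know which credentials in a configuration still use the legacy forms. The following audit script is an added example written for this article, not Cisco code and not part of the IOS XE feature: it reads a running-config, classifies every enable and username credential line by its Cisco type number (0 plaintext, 7 reversible, 5 MD5, 8 PBKDF2-SHA-256 from algorithm-type sha256, 9 scrypt from algorithm-type scrypt) and suggests the masked-secret command for anything that is not a one-way hash. The sample configuration and its hash values are constructed placeholders.

```python
import re

# Constructed sample running-config fragment (not from the article). The hash
# values are placeholders, not real digests.
SAMPLE_CONFIG = """\
!
enable password cisco123
enable secret 5 $1$SALT$PLACEHOLDERMD5HASH
username legacy password 7 0822455D0A16
username margaret privilege 15 secret 8 $8$PLACEHOLDERSALT$PLACEHOLDERPBKDF2HASH
username dan secret 9 $9$PLACEHOLDERSALT$PLACEHOLDERSCRYPTHASH
username olduser secret 0 plaintextsecret
!
"""

# Cisco credential type numbers: 0 plaintext, 7 reversible encoding, 5 MD5,
# 8 PBKDF2-SHA-256 (algorithm-type sha256), 9 scrypt (algorithm-type scrypt).
TYPE_INFO = {
    "0": ("plaintext", "critical"),
    "7": ("type 7 reversible encoding", "critical"),
    "5": ("type 5 MD5", "high"),
    "8": ("type 8 PBKDF2-SHA-256", "ok"),
    "9": ("type 9 scrypt", "ok"),
}

# Matches 'enable password|secret [type] value' and
# 'username NAME [privilege N] password|secret [type] value'.
LINE_RE = re.compile(
    r"^(?:(?P<enable>enable)|username\s+(?P<user>\S+)(?:\s+privilege\s+\d+)?)\s+"
    r"(?P<keyword>password|secret)\s+"
    r"(?:(?P<type>[0-9])\s+)?(?P<value>\S+)\s*$"
)


def audit_config(config_text):
    """Classify every enable/username credential line in a config.

    Returns a list of dicts with the principal, the command keyword, the
    Cisco type number, how the value is stored, a severity and a fix.
    """
    findings = []
    for raw in config_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        principal = "enable" if m.group("enable") else m.group("user")
        keyword = m.group("keyword")
        type_num = m.group("type") or "0"   # no type number means plaintext input
        label, severity = TYPE_INFO.get(type_num, ("unknown type %s" % type_num, "high"))
        if keyword == "password":
            # 'password' is the legacy command: the stored value is plaintext or
            # reversible, never a one-way hash, whatever the type number says.
            severity = "critical"
            target = "enable" if principal == "enable" else "username %s" % principal
            fix = "replace with '%s algorithm-type sha256 masked-secret'" % target
        elif severity == "ok":
            fix = "none"
        else:
            fix = "re-enter with 'algorithm-type sha256 masked-secret' so a type 8 hash is stored"
        findings.append({
            "principal": principal,
            "command": keyword,
            "type": type_num,
            "storage": label,
            "severity": severity,
            "fix": fix,
        })
    return findings


def count_by_severity(findings):
    """Tally findings per severity, e.g. {'critical': 3, 'high': 1, 'ok': 2}."""
    counts = {}
    for f in findings:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return counts


if __name__ == "__main__":
    results = audit_config(SAMPLE_CONFIG)
    for f in results:
        print("%-9s %-9s %-8s type %s (%s): %s" % (
            f["severity"], f["principal"], f["command"], f["type"], f["storage"], f["fix"]))
    print(count_by_severity(results))
```

Run it against the output of `show running-config` saved to a file. A `secret 0` line will not normally appear in a live running-config, because IOS XE hashes it on entry, but it does show up in configuration templates and backups, which is exactly where a plaintext secret should not sit.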

With IOS XE 17.3(2) there is a new and better way that defeats shoulder surfers.

With IOS XE 17.10(1) there is a more secure way to store the secrets.


Configuration

The Masked Secret feature enables administrators to enter the secret interactively on the CLI. As the administrator types the secret, the string is displayed only as asterisks; the actual secret is never displayed on the terminal.

Local Username

!
configure terminal
!
username margaret algorithm-type sha256 masked-secret
mysecretpassword123
mysecretpassword123
!
end
!
[Screenshot: 02-username-algo-sha256-mask-secret-WEB.png]


Enable Secret

!
configure terminal
!
enable algorithm-type sha256 masked-secret
mysecretpassword123
mysecretpassword123
!
end
!
[Screenshot: 03-enable-secret-masked-secret-WEB.png]


Verification \ Errors

Verify User Created

After we create the new user we can verify that her user account has been successfully created.

show running-config aaa username
[Screenshot: 04-show-runn-aaa-username-WEB.png]


Mismatched Secrets

Here we can see that the administrator entered secrets of different lengths. IOS XE throws an error that clearly indicates the secrets do not match.

[Screenshot: 05-enable-secret-wrong-WEB.png]


No Secret Entered

No secret has been entered but the Return key was pressed. IOS XE gives the administrator the ability to break out of the process. If the administrator does not break out, the process times out.

[Screenshot: 06-username-masked-secret-timeout-WEB.png]

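The three outcomes shown in this section (matching secrets, mismatched secrets, and nothing entered) can be modelled with a small masked-entry routine. This is an added example in Python, not Cisco code and not how IOS XE implements the feature internally. It assumes getpass for no-echo terminal input (getpass shows nothing at all, where IOS XE shows asterisks), models the IOS XE timeout as a bounded number of empty entries, and includes a PBKDF2-HMAC-SHA-256 step only to illustrate one-way storage; the output string format is this example's own, not Cisco's type 8 encoding.

```python
import getpass
import hashlib
import hmac
import os


class SecretMismatch(Exception):
    """Raised when the confirmation does not match the first entry."""


class SecretAborted(Exception):
    """Raised when no secret is entered within the allowed attempts."""


def collect_masked_secret(read_fn=getpass.getpass, max_empty_attempts=3):
    """Read a secret twice without echoing it; return it only if both match.

    read_fn is any callable taking a prompt string. The default, getpass.getpass,
    reads from the terminal with echo disabled, so nothing lands in a session
    log. An empty entry counts as "no secret entered"; after max_empty_attempts
    of those the routine gives up, which stands in for the IOS XE timeout
    (an assumption of this example, not documented Cisco behaviour).
    """
    empty_attempts = 0
    while True:
        first = read_fn("Enter secret: ")
        if first == "":
            empty_attempts += 1
            if empty_attempts >= max_empty_attempts:
                raise SecretAborted("no secret entered; aborting")
            continue
        second = read_fn("Confirm secret: ")
        # Constant-time comparison; inputs of different length compare unequal.
        if not hmac.compare_digest(first.encode("utf-8"), second.encode("utf-8")):
            raise SecretMismatch("secrets do not match")
        return first


def hash_secret_pbkdf2_sha256(secret, salt=None, iterations=20000):
    """Return (salt_hex, hash_hex) for the secret using PBKDF2-HMAC-SHA-256.

    Shows the secret being stored as a salted one-way hash rather than in the
    clear. The string layout is this example's own; it is not Cisco's type 8
    format (assumption stated in the lead-in).
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, iterations)
    return salt.hex(), digest.hex()


def make_scripted_reader(answers):
    """Build a read_fn that returns canned answers in order (constructed test input)."""
    queue = list(answers)

    def read_fn(prompt):
        if not queue:
            raise SecretAborted("reader ran out of scripted input")
        return queue.pop(0)

    return read_fn


if __name__ == "__main__":
    # Interactive use: nothing typed is echoed to the terminal or a session log.
    secret = collect_masked_secret()
    salt_hex, hash_hex = hash_secret_pbkdf2_sha256(secret)
    print("stored: $pbkdf2-sha256$%s$%s" % (salt_hex, hash_hex))
```

Using hmac.compare_digest for the confirmation check is deliberate: the mismatch error should reveal only that the two entries differ, not where they diverge.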

References

Cat 9300 IOS XE 17.10 Release Notes

Understanding the differences between Cisco Password \ Secret Types


Comments
khorram1998
Level 1

Hi @Tim Glen

It is important to note that the Masked Secret feature is only available in IOS XE 17.10 and later versions. It is not supported in earlier versions of IOS XE. Additionally, this feature is only available for local user database and enable secret configurations; it is not available for other types of secrets such as enable password or SNMP community strings.

Overall, the Masked Secret feature improves security by not displaying the secret on the terminal, helping to prevent shoulder surfing and keeping the secret out of log files. It also provides a clear indication when the secrets entered do not match and gives the administrator the ability to break out of the process if no secret is entered. This feature is a great addition to the IOS XE software and is worth implementing for enhanced security.

All the best,
AK

Tim Glen
Cisco Employee

Hi @khorram1998, next time you copy \ paste directly from ChatGPT you should probably cite the AI Language Model or when it becomes sentient it will become angry and tell the robots to come after you. 

[Screenshot: TimGlen_0-1674742247103.png]

With that out of the way, ChatGPT is correct!  

Masked Secret is only available in IOS XE 17.10 and later. Further, Masked Secret is not an option for 'enable password', which no one should be using, and it is not available for SNMP community strings, which no one should be using either; use SNMPv3 instead, as I've described here.

https://community.cisco.com/t5/networking-knowledge-base/configuration-template-for-snmpv3/ta-p/4666450

Thanks to both for the clarifying post.
