Summary
Cisco IOS XE 17.3(2a) was released in November 2020 and with it came support for a new feature called Masked Secret. Originally the feature only hashed the secret with the SCRYPT algorithm.
Cisco IOS XE 17.10 was released in November 2022 and with it came support for an enhancement to Masked Secret that allows the user to hash the secret with SHA-256. I was excited to see this feature, as SCRYPT is not NIST approved and SHA-256 is NIST recommended!
In the past, when setting up the IOS XE local user database or enable secret (please do not use enable password), we entered the secret on the CLI and it was displayed on the terminal. This practice is insecure and goes against best practices: it lets someone looking over your shoulder see the password on your screen, and if you log your CLI sessions, as I do, the password ends up in a text file.
This is the way we used to do it.
With IOS XE 17.3(2) there is a new and better way that keeps the secret away from shoulder surfers.
With IOS XE 17.10(1) there is a more secure way to store the secrets.
Configuration
The Masked Secret feature enables administrators to input the secret interactively on the CLI. As the administrator types the secret, it is displayed only as asterisks; the actual secret is never shown on the terminal.
Local Username
!
configure terminal
!
username margaret algorithm-type sha256 masked-secret
mysecretpassword123
mysecretpassword123
!
end
!
Enable Secret
!
configure terminal
!
enable algorithm-type sha256 masked-secret
mysecretpassword123
mysecretpassword123
!
end
!
Verification \ Errors
Verify User Created
After creating the new user, we can verify that her user account was successfully created.
show running-config aaa username
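The same running-config output is where you can audit what secret types are actually stored. Below is an added example, not code from the original post: a small Python checker that flags `password` lines and type 0/7 (recoverable) and type 5 (legacy MD5) secrets, and passes type 8 (PBKDF2-SHA256, what `algorithm-type sha256` stores) and type 9 (scrypt). The sample config and its hash strings are constructed placeholders.

```python
import re

# IOS XE secret/password type numbers as they appear in a running-config.
# Type 8 is what "algorithm-type sha256" produces; type 9 is "algorithm-type scrypt".
TYPE_NAMES = {"0": "cleartext", "5": "MD5 (legacy)", "8": "PBKDF2-SHA256",
              "7": "Vigenere-obfuscated (reversible, not a hash)", "9": "scrypt"}

# Matches "username <name> [privilege N] secret|password [type] <value>" and
# "enable secret|password [type] <value>"; a missing type number means type 0.
CRED_RE = re.compile(
    r"^(?:username\s+(?P<user>\S+)(?:\s+privilege\s+\d+)?|(?P<enable>enable))"
    r"\s+(?P<form>secret|password)(?:\s+(?P<type>\d+))?\s+(?P<value>\S+)\s*$"
)

def classify(form, type_):
    """Grade one credential: 'fail' (recoverable), 'warn' (legacy hash), 'ok'."""
    if form == "password" or type_ in ("0", "7"):
        return "fail"    # cleartext or reversibly obfuscated, never a one-way hash
    if type_ == "5":
        return "warn"    # one-way but legacy MD5; re-enter with algorithm-type sha256/scrypt
    if type_ in ("8", "9"):
        return "ok"
    return "review"      # unknown type number, inspect by hand

def audit_config(config_text):
    """Return (line, principal, form, type, algorithm, status) per credential line."""
    findings = []
    for lineno, raw in enumerate(config_text.splitlines(), start=1):
        m = CRED_RE.match(raw.strip())
        if not m:
            continue
        type_ = m.group("type") or "0"
        principal = "enable" if m.group("enable") else m.group("user")
        findings.append((lineno, principal, m.group("form"), type_,
                         TYPE_NAMES.get(type_, "unknown"), classify(m.group("form"), type_)))
    return findings

# Constructed sample config; the $1$/$8$/$9$ strings are placeholders, not real hashes.
SAMPLE_CONFIG = """\
hostname edge-1
enable password cisco123
username legacyadmin privilege 15 secret 5 $1$PLACEHOLDER$PLACEHOLDERHASH
username margaret secret 8 $8$PLACEHOLDERSALT$PLACEHOLDERHASH
username svc-backup password 7 PLACEHOLDER7
username ops secret 9 $9$PLACEHOLDERSALT$PLACEHOLDERHASH
"""
if __name__ == "__main__":
    for line, who, form, t, alg, status in audit_config(SAMPLE_CONFIG):
        print(f"line {line:>2}: {who:<12} {form:<8} type {t} ({alg}) -> {status}")
```

Feed it the saved output of `show running-config` (or `show running-config aaa username`) to get one graded line per local user plus the enable credential.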
Mismatched Secrets
Here we can see that the administrator entered secrets of different lengths. IOS XE throws an error that clearly indicates the secrets do not match.
No Secret Entered
No secret was entered but the Return key was pressed. IOS XE gives the administrator the ability to break out of the process; if the administrator does not break out, the whole process times out.
References
Cat 9300 IOS XE 17.10 Release Notes
Understanding the differences between Cisco Password \ Secret Types