
2960x secret not working with type 8 or 9 algorithm types

BVC
Level 1

I'm trying to update the hashing algorithm for both the enable secret and the secret for the username login. Every time I enter my enable secret with either the type 8 or 9 it just doesn't work. I will enter a simple secret like cisco and it won't let me on either through console or the vty lines. When I delete the type 8/9 secret and just use the normal type 5 secret, my enable secret works and I can get on.

The story is the same for configuring usernames. If I use a type 8/9 as the algorithm type it won't let me log in with the username and secret I just configured; if I delete that username and add it again but use the type 5 instead, it works and I can log in. I can't find anything about this being a bug so I'm unsure if I'm configuring it correctly. Does a type 8/9 secret need to be a certain length? (I've only tested it with passwords that are less than 10 characters.)

switch: 2960x-24PS-L

version: 15.2(4r)E3


Richard Burts
Hall of Fame

Could you post the exact syntax you are using when you attempt the type 8 or 9 secret?

HTH

Rick

enable algorithm-type scrypt secret cisco

username admin algorithm-type scrypt secret cisco

I'm using the local database so I have the no aaa new-model configured.

Hello,

Are you using the configuration as below?

Type 8

2960X(config)#enable algorithm-type sha256 secret cisco
2960X(config)#username admin algorithm-type sha256 secret cisco

Type 9

2960X(config)#ena algorithm-type scrypt secret cisco
2960X(config)#username admin algorithm-type scrypt secret cisco

Yes, I'm using all four of those commands. I have the no aaa new-model set, so would this impact this? As I can still log in when I set the username/secret and the enable secret to md5.

balaji.bandi
Hall of Fame

For now we are not sure what configuration you added with type 8 or type 9; it would be good to know, as @Richard Burts asked.

Also, once you log back in with a normal user, what logs do you see in the switch?

BB


I never really checked the logs tbh, I will check next time when I'm at the switch and I will also turn debug on so I can monitor from the console. 

Hello

As a test, increase the privilege level and see if you are able to access the device. Also, can you confirm if you are running AAA?

username xxx privilege 15 algorithm-type scrypt secret xxxxxxx


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

I'm pretty sure I set my privilege level to 15 when I was testing the username and secret but I will check again when I'm at the switch. Also, I'm using the local login database so I'm not using any aaa authentication servers. Is this required for type 8 and 9 hashing?

Hello

No, it isn't, but I was curious as to how you were accessing the switch. By the way, AAA also supports local database authentication; it isn't just used with a centralized ACS.



Kind Regards
Paul