ASR 1001 line vty password encryption

akgupt89
Level 1

I have an ASR 1001, on which I want to encrypt the password for line vty login.

By default the password is encrypted as "password 7", and to hide password 7 I am trying to configure "login local", but it is not taking the command, and if I do not set any password in line vty and try remote login, I am not able to access the ASR.

Need suggestions on how to encrypt the password of line vty.

balaji.bandi
Hall of Fame

Can you post the commands you have used and what error you are getting?

Here is the reference guide in case you did not have it before:

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_cfg/configuration/xe-16-9/sec-usr-cfg-xe-16-9-book/sec-cfg-sec-4cli.html

BB


line vty 0 4
 privilege level 15
 password 7 (password)

But I have to encrypt the password using secret instead of password 7.

I tried to configure "login local" so that the SSH session authenticates via the local username, but the login local option is not available.

One way to achieve login local is to configure aaa new-model. When you activate aaa, the default is to authenticate using the locally configured user ID and password, which is the equivalent of login local. If you do this, be sure that you have configured at least one local user ID and password.

HTH

Rick

Thanks Richard for your suggestion.

I have done the below configuration on the ASR, along with a local username.

So, as per the below configuration, when anyone tries to log in to the device, the user will first authenticate from the AAA server (tacacs+), and if the server is not reachable then it will authenticate via the local username.

Kindly correct me if I am getting anything wrong.

aaa new-model
aaa authentication login default group tacacs+ local

line vty 0 4
 privilege level 15
 login authentication default

The partial config that you posted looks pretty much right. You do not really need the line

login authentication default

There are parts of the config that we do not know, such as the configuration for the tacacs server. But assuming that the other parts are right, you should achieve what you want: when someone attempts to access the router it will prompt for a user name and password, will attempt to authenticate with the tacacs server, and if the tacacs server is not reachable it will authenticate with the locally configured user name and password.

HTH

Rick
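
As an added example (not part of the original thread and not Cisco tooling): a small Python check that reads running-config style text and flags the conditions discussed above, namely a shared line password on the VTY, no per-user login, and a `local` fallback with no local username defined. It assumes sub-commands are indented as in running-config output; the finding names and sample configs are constructed for illustration.

```python
# Added example: audits VTY login handling in running-config style text.
# Sample configs below are constructed placeholders, not real device output.
WEAK = """\
line vty 0 4
 privilege level 15
 password 7 PLACEHOLDER
"""
FIXED = """\
aaa new-model
aaa authentication login default group tacacs+ local
username admin privilege 15 secret 9 PLACEHOLDER
line vty 0 4
 privilege level 15
"""
NO_FALLBACK_USER = FIXED.replace("username admin privilege 15 secret 9 PLACEHOLDER\n", "")

def parse_blocks(config):
    """Group indented sub-commands under their top-level command."""
    blocks = []
    for raw in config.splitlines():
        if not raw.strip() or raw.strip().startswith("!"):
            continue  # skip blank lines and IOS comment lines
        if raw[0].isspace() and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks

def audit(config):
    """Return finding codes (hypothetical names) for VTY login handling."""
    blocks = parse_blocks(config)
    top = [head for head, _ in blocks]
    aaa = "aaa new-model" in top
    users = [t for t in top if t.startswith("username ")]
    findings = []
    for head, subs in blocks:
        if head.startswith("line vty"):
            if any(s.startswith("password ") for s in subs):
                findings.append("VTY_LINE_PASSWORD")  # cleartext (0) or reversible (7)
            if not aaa and "login local" not in subs:
                findings.append("VTY_NO_PER_USER_LOGIN")
    if any(" password " in u for u in users):
        findings.append("USERNAME_NOT_SECRET")  # should be 'username ... secret'
    fallback = any(t.startswith("aaa authentication login ") and "local" in t.split()
                   for t in top)
    if fallback and not users:
        findings.append("LOCAL_FALLBACK_WITHOUT_USER")  # lockout if tacacs+ is down
    return findings
```

Run `audit()` on a saved copy of the running-config; an empty list means none of these conditions were found.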

I am very grateful for your suggestion and help.

Thank you very much.

You are welcome. I am glad that my suggestions have been helpful. Thank you for marking this question as solved. This will help other participants in the community to identify discussions which have helpful information. This community is an excellent place to ask questions and to learn about networking. I hope to see you continue to be active in the community.

HTH

Rick