04-17-2020 07:05 AM
I have an ASR 1001, on which I want to encrypt the password for line vty login.
By default the password is encrypted as "password 7", and to hide password 7 I am trying to configure "login local", but it is not taking the command, and if I do not set any password in line vty and try remote login, I am not able to access the ASR.
I need a suggestion on how to encrypt the password of line vty.
04-17-2020 07:17 AM
Can you post the commands you have used and the error you are getting?
Here is the reference guide in case you did not have it before:
04-17-2020 07:48 AM
line vty 0 4
privilege level 15
password 7 (password)
But I have to encrypt the password using secret instead of password 7.
I tried to configure "login local" so that the SSH session authenticates via the local username, but the login local option is not available.
04-18-2020 11:29 AM
One way to achieve login local is to configure aaa new-model. When you activate aaa the default is to authenticate using local configured user ID and password, which is the equivalent of login local. If you do this be sure that you have configured at least one local user ID and password.
04-19-2020 10:28 AM
Thanks Richard for your suggestion.
I have done the below configuration on the ASR along with a local username.
So as per the below configuration, when anyone tries to log in to the device, the user will first authenticate against the AAA server (tacacs+), and if the server is not reachable then it will authenticate via the local username.
Kindly correct me if I am getting anything wrong.
aaa new-model
aaa authentication login default group tacacs+ local
line vty 0 4
privilege level 15
login authentication default
04-20-2020 08:04 AM
The partial config that you posted looks pretty much right. You do not really need the line
login authentication default
There are parts of the config that we do not know, such as the configuration for the tacacs server. But assuming that the other parts are right you should achieve what you want: when someone attempts to access the router it will prompt for a user name and password, will attempt to authenticate with the tacacs server, and if the tacacs server is not reachable it will authenticate with the locally configured user name and password.
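An offline check for the setup discussed in this thread, added here as an example and not posted by any participant: it reads an IOS-style config and reports a leftover type 7 vty password, a missing `aaa new-model`, a method list without local fallback, and a local fallback with no `username ... secret` account. The sample config, the user name `admin` and the `audit` function are constructed for illustration.

```python
import re

# Constructed sample running-config (not from the thread): the AAA lines
# discussed above, a local fallback user, and a leftover type 7 vty password.
SAMPLE = """\
aaa new-model
aaa authentication login default group tacacs+ local
username admin privilege 15 secret 9 CONSTRUCTED-HASH
line vty 0 4
 privilege level 15
 password 7 CONSTRUCTED
line vty 5 15
 privilege level 15
"""

def audit(config):
    """Return findings about vty login authentication in an IOS-style config."""
    findings, section = [], None
    lines = config.splitlines()
    aaa = "aaa new-model" in (l.strip() for l in lines)
    methods = None  # method list of 'aaa authentication login default'
    users_secret, users_password = [], []
    for raw in lines:
        line = raw.strip()
        if not raw.startswith(" "):  # a top-level line opens a new section
            section = line if line.startswith("line vty") else None
        m = re.match(r"aaa authentication login default (.+)", line)
        if m:
            methods = m.group(1).split()
        m = re.match(r"username (\S+) .*?\b(secret|password)\b", line)
        if m:
            (users_secret if m.group(2) == "secret" else users_password).append(m.group(1))
        if section and re.match(r"password 7 \S+", line):
            findings.append(f"{section}: type 7 line password is reversible encoding")
    if not aaa:
        findings.append("aaa new-model is not enabled")
    # With AAA on, 'local' is used either as the listed fallback or, when no
    # default list is configured, as the default described in the thread.
    uses_local = aaa and (methods is None or "local" in methods)
    if uses_local and not users_secret:
        findings.append("local authentication has no 'username ... secret' account")
    for user in users_password:
        findings.append(f"username {user}: uses 'password', not 'secret'")
    if methods and "group" in methods and "local" not in methods:
        findings.append("default method list has no local fallback after the server group")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```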
04-20-2020 08:10 AM
I am very grateful for your suggestion and help.
Thank you very much.
04-20-2020 08:14 AM
You are welcome. I am glad that my suggestions have been helpful. Thank you for marking this question as solved. This will help other participants in the community to identify discussions which have helpful information. This community is an excellent place to ask questions and to learn about networking. I hope to see you continue to be active in the community.