CNA and SHA256 usernames

Jim Jones · ‎05-27-2014

All of my devices with 12.2(55) and higher have the username secrets encrypted with SHA256 as opposed to MD5. You can see this in the show run output as:

username user secret 4 ......

as opposed to

username user secret 5....

Any of the older MD5 based devices are able to be managed via CNA and access via the web device manager, the newer with the SHA 256 cannot. Anybody know how to make the https connections recognize these users?

Richard Burts · ‎05-29-2014

I am surprised that CNA has a problem with the type 4 secret passwords and wonder if it is a version issue with CNA and if a more recent version of CNA would work better. But I believe that there is something that you can do to resolve the problem with the version of CNA that you are using. You can copy the line from the config of a device with the user name and the MD5 encrypted password and paste it into the config of your devices with the type 4 passwords. Even though the new code will prefer to create type 4 passwords it will understand and process a type 5 password in the config. I have done this kind of thing several times for customers and it works well.

Note that Cisco is moving away from the type 4 passwords because of a flaw in their implementation. You would wind up being more secure if you do replace the type 4 passwords with type 5 passwords.

HTH

Rick

HTH

Rick