
Migration 2960 to 9200 (17.06.05) password type

abtt-39
Level 1

Hello,

I want to migrate from 2960 to 9200 with IOS 17.06.05.

In the previous configuration, I had this:

enable secret 5 XXXXXXXX....
enable password 7 XXXXXX.......

So I do this:

#enable secret 9 $9$..

If I understand correctly, I no longer need to put enable password....
only enable secret 9....?

 

Because, when I copy / paste the old conf, I got this kind of message:

WARNING: Command has been added to the configuration using a type 7 password. However, recommended to migrate to strong type-6 encryption

So I try this:

https://community.cisco.com/t5/networking-knowledge-base/configuring-type-6-passwords-in-ios-xe/ta-p/4438495 

configure terminal
password encryption aes
key config-key password-encrypt My_password
end

I see that it automatically changed the type of password to 6:

server-private 10.X.X.X acct-port 1812 key 6 a[xxxxxxxxxxxxxx...........   

username admin privilege 15 password 6 X_Dxxxxxxxxxxxx

radius server Server_Name
address ipv4 10.X.X.X auth-port 1812 acct-port 1812
key 6 xxxxx/x///xxxxx


Except for:

line con 0
password 7 xxxxxxxx

AND

enable secret 9 $9$XXXXX (that I had done before "type 6 configuration")

Does this configuration seem correct to you?

I'm not very comfortable with all these password and security levels, and I would like to start on a good basis, because I will then have other 9200s to configure, to gradually replace our 2960s.


balaji.bandi
Hall of Fame

Syntax changed from IOS to IOS XE (you cannot just copy the old config to the new Cat 9200; several things changed: QoS, security, and so on), so before migrating make sure to check the command syntax and test it. If not, this will have a different outcome than expected.

Look at the Cisco hardening guide:

https://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/ios-xe-16/220270-use-cisco-ios-xe-hardening-guide.html

BB


abtt-39
Level 1

OK, thanks,

 

And what is the best type of password, in good practice? I put 6 because that's what the alert generated by the switch advised me, but reading some sources, some say to apply type 8?

CSI_CISCO_PASSWORD_TYPES_BEST_PRACTICES_20220217.PDF (defense.gov)
This paper is one of many papers published by the NSA; check it and check the recommendation for password type.

abtt-39
Level 1

I replaced with type 8 password, however, it is not possible for radius authentication.

 

TEST(config-radius-server)#key ?
0 Specifies an UNENCRYPTED key will follow
6 Specifies ENCRYPTED key will follow
7 Specifies HIDDEN key will follow
LINE The UNCRYPTED (cleartext) shared key


*Apr 17 08:47:07.364: %AAAA-4-CLI_DEPRECATED: WARNING: Command has been added to the configuration using a type 0 password. However, recommended to migrate to strong type-6 encryption

 


It does not offer type 8 for the radius part?


If I don't specify, it automatically applies type 7 for the radius.

 

Some servers do not accept strong password types.

 Configuring Type 6 Passwords in IOS XE - Cisco Community

abtt-39
Level 1

OK, thanks @MHM Cisco World

So I configured type 8 for enable secret, and type 6 for radius authentication.

I will have to test if the radius authentication is functional like that.
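
An added example, not part of any post in this thread and not Cisco code: a small Python audit that lists every typed credential in a saved configuration and flags weak types, following the split the thread arrives at (type 8 or 9 for enable secret, type 6 for RADIUS keys). The sample configuration, its placeholder values and the ok/review/weak policy are assumptions made for illustration.

```python
import re

# Cisco password/key types and what protects them.
TYPES = {"0": "cleartext", "4": "SHA-256, deprecated", "5": "MD5-based hash",
         "6": "AES, reversible with the config-key",
         "7": "obfuscation, trivially reversible",
         "8": "PBKDF2-SHA-256 hash", "9": "scrypt hash"}
CRED = re.compile(r"\b(secret|password|key)\s+([0-9])\s+\S+")

# Constructed sample config; every credential value is a placeholder.
SAMPLE = """\
enable secret 9 $9$CONSTRUCTED
enable password 7 0000000000
username admin privilege 15 password 6 CONSTRUCTED
radius server Server_Name
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1812
 key 6 CONSTRUCTED
line con 0
 password 7 0000000000
"""

def verdict(keyword, ptype):
    """Assumed policy: hashes 8/9 for logins, type 6 for shared keys."""
    if keyword == "key":          # device must recover the key: 0, 6 or 7 only
        return "ok" if ptype == "6" else "weak"
    if ptype in ("8", "9"):
        return "ok"
    return "review" if ptype == "6" else "weak"   # 6 is encrypted but reversible

def audit(config):
    """Return (line_no, context, keyword, type, verdict) per typed credential."""
    findings, parent = [], "global"
    for n, line in enumerate(config.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("!"):
            continue
        indented = line[0].isspace()
        if not indented:
            parent = line.strip()   # remember the section header for sub-commands
        m = CRED.search(line)
        if m:
            kw, ptype = m.groups()
            context = parent if indented else "global"
            findings.append((n, context, kw, ptype, verdict(kw, ptype)))
    return findings

if __name__ == "__main__":
    for n, ctx, kw, ptype, v in audit(SAMPLE):
        print(f"{n:>3} [{ctx}] {kw} type {ptype} ({TYPES.get(ptype, 'unknown')}): {v}")
```

The report prints only line numbers, section names and type digits, never the credential values, so it can be shared in a change ticket.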