04-27-2023 07:07 AM
Hi guys,
I'm a bit confused, what worked like a charm for many many years seems not to work for me anymore, actually the first time.
I put in a username/secret like follows:
username blabla privilege 15 secret <Cleartextpassword>
Afterwards I take the line from the running config
username blabla privilege 15 secret 9 fsfsfunnyhashedpasswordnln3452
and try to copy it to another routers config, which always worked for me.
Today: I end up in a line
% Incomplete command.
Or, when I use to generate that line which I want to copy using
username blabla privilege 15 algorithm-type scrypt secret <Cleartextpassword>
after pasting (the encrypted config line) to another router with THAT message:
ERROR: The secret you entered is not a valid encrypted secret.
To enter an UNENCRYPTED secret, do not specify type 9 encryption.
When you properly enter an UNENCRYPTED secret, it will be encrypted.
I'm aware of the concept of hashes and salts, but should it really be not possible anymore to generate such user/secret lines on one Cisco box next to you for the colleagues and paste these handful of lines to other Cisco devices? We cannot have an AAA server for this purpose, some of these customers don't even have more than a PC behind the routers. So, simply a local personalized login for us staff is the weapon of choice.
Does anybody know a workaround for this problem?
BTW:
I tried on various switches with 15.x and Cisco-routers ISR4k with IOS-XE 16.x and 17.x ...everywhere the same game.
Thanks in advance for any input!
Kind regards,
Andreas
05-07-2023 10:18 AM
I suggest moving your question to an IOS switch or router forum, not ISE, since this is clearly an IOS CLI-specific question.
05-08-2023 12:20 AM
Many thanks, Thomas, my fault when creating that post in sort of a hurry.
05-07-2023 11:32 AM
Hi
There are many similar posts here. It seems Cisco changed some security policy related to it. And if we think it through, it makes sense. Being able to replicate a password between devices is a security risk.
05-08-2023 12:27 AM
I agree with you and completely understand that concern, but not being able to simply copy and paste a pre-encrypted/hashed line with a secret is also not too helpful in certain cases.
Just think about it, I would have to let a certain colleague which should help us in monitoring, troubleshooting, or simply a new team member which needs access on a device locally (without using AAA, RADIUS or whatever, because sometimes routers and switches are deployed in a very small environment) on all the devices PER device.
This is a bit overcomplicated, instead of having a set of config lines as a (let's say) default when configuring a new device or simply add it via script runs with Ansible.
So, I am still searching a solution for this.
Not sure if it will do the trick, didn't try yet, but maybe I do the same on an old device (md5) and while pasting it on a new device it gets automatically "leveled up" as type 9.
Let's see
02-09-2024 07:07 AM
I had the same problem until I realized that the encrypted SCRYPT hash uses the $ sign as a separator, and if the "shell processing full" command exists then this creates an issue, as the $ sign is also used as a placeholder for variables.
Remove the command "shell processing full" and copy/paste of SCRYPT hash works as expected.
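An added example, not part of any post in this thread: a pre-flight check to run before pasting `username ... secret 9 ...` lines, which flags a target running config containing `shell processing full` and secrets that already look mangled. The function names, the sample data and the assumed type 9 layout (`$9$`, a 14-character salt, `$`, a 43-character hash) are assumptions of this example, not taken from the thread.

```python
import re

# Assumed layout of a type 9 secret: $9$<14-char salt>$<43-char hash>,
# using the alphabet ./0-9A-Za-z. This is an assumption, not from the thread.
TYPE9_RE = re.compile(r"^\$9\$[./0-9A-Za-z]{14}\$[./0-9A-Za-z]{43}$")
USER_RE = re.compile(r"^username\s+(\S+)\s+.*\bsecret\s+9\s+(\S+)\s*$")


def shell_processing_enabled(running_config: str) -> bool:
    """True if the target's running config contains 'shell processing full'."""
    lines = (ln.strip() for ln in running_config.splitlines())
    return any(ln == "shell processing full" for ln in lines)


def preflight(target_config: str, paste_lines: list[str]) -> list[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []
    shell_on = shell_processing_enabled(target_config)
    for line in paste_lines:
        m = USER_RE.match(line.strip())
        if not m:
            continue  # not a 'username ... secret 9 ...' line
        user, secret = m.groups()
        if not TYPE9_RE.match(secret):
            findings.append(f"{user}: type 9 secret is malformed or truncated")
        if shell_on and "$" in secret:
            findings.append(f"{user}: target has 'shell processing full'; "
                            "'$' in the hash may be read as a variable")
    return findings


# Constructed sample data (not real hashes or configs).
GOOD = "username blabla privilege 15 secret 9 $9$" + "a1B2c3D4e5F6g7" + "$" + "X" * 43
BAD = "username blabla privilege 15 secret 9 fsfsfunnyhashedpasswordnln3452"
TARGET_WITH_SHELL = "hostname R2\nshell processing full\n!"
TARGET_PLAIN = "hostname R3\n!"

if __name__ == "__main__":
    for cfg in (TARGET_WITH_SHELL, TARGET_PLAIN):
        print(preflight(cfg, [GOOD, BAD]))
```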
02-10-2024 03:25 PM
Thanks, I'll try it!
10-01-2024 01:44 AM
Thanks, you nailed it. This was my problem. And actually it makes sense, even there could be some hint from IOS.