Password 6 setup for cisco 9200l

randy-reed
Level 1

Hello Cisco community,

I have a Cisco 9200L. For some reason, we have had no luck migrating from password 7 to password 6. Each time I attempt the config, it gives me an error. I even tried a new switch for additional testing, but it still gives the same result. I'm running IOS version 17.09.05. When I put the old password in, it never prompts me to confirm, etc. I have seen many reports on this issue but no fix yet (issue below). Please advise.

key config-key password-encrypt Friday321!!
Old key:
Switch(config)#
Switch(config)#service password-encryption
Switch(config)#password encryption aes
Master key change notification called without new or old key


9 Replies

marce1000
Hall of Fame

@randy-reed FYI: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvs52230

M.

-- Each morning when I wake up and look into the mirror I always say 'Why am I so brilliant?'
When the mirror will then always respond to me with 'The only thing that exceeds your brilliance is your beauty!'

Hello, I greatly appreciate the response, but still no luck completing setup for Password 6. It appears to take the encryption password, but I still get an error when trying to create the user account. I've seen many posts regarding this issue and some known bugs were reported. Please advise.

Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#key config-key password-encrypt
New key:
Confirm key:
Switch(config)#service password-encryption
Switch(config)#username admin secret 6 Monday123!!
Invalid encryption type: 6. Password not set.

The option "6" means that you will provide the encrypted password next. Besides that, type "6" is not used for user passwords. The correct syntax is:

switch(config)#username Your-User algorithm-type scrypt secret The-Cleartext-Password

With that, you end up with a scrypt-hashed password, which gives you great protection.

Jens Albrecht
Level 7

Hello @randy-reed,

I just tested type 6 passwords on a Catalyst 9200 switch running 17.9.7 and the good news is that everything works just fine as expected.

This also means that the message 'Master key change notification called without new or old key' is indeed what Cisco calls a 'cosmetic issue' and does not affect the functionality at all.

It is important to understand that there is a HUGE difference between encryption and hashing.

Encrypting a password will result in ciphertext that can be decrypted if the key is known.
Hashing a password will result in a fixed-length checksum and there is no way to recover the original password.

Cisco devices can use both methods to secure passwords, although in general hashing is more secure and therefore recommended. Nevertheless, there are cases where you have to use encryption, i.e. the good old CHAP authentication on PPP links.

When configuring new users you can choose the method by using either the 'password' or the 'secret' keyword and the available options depend on your choice.

SW_B(config)#username NEW_USERNAME secret ?
  0      Specifies an UNENCRYPTED secret will follow
  5      Specifies a MD5 HASHED secret will follow
  8      Specifies a PBKDF2 HASHED secret will follow
  9      Specifies a SCRYPT HASHED secret will follow
  <0-9>  Encryption types not explicitly specified
  LINE   The UNENCRYPTED (cleartext) user secret

As you can see the 'secret' keyword uses hashing to secure the password of the user, hence there is no option to use type 6 encryption.

SW_B(config)#username NEW_USERNAME password ?
  0     Specifies an UNENCRYPTED password will follow
  6     Specifies an ENCRYPTED password will follow
  7     Specifies a HIDDEN password will follow
  LINE  The UNENCRYPTED (cleartext) user password

The 'password' keyword uses encryption and offers the possibility to use type 6 encryption to secure the password.

When you configure a new user via the CLI you enter the password for this user in cleartext and the device will then either encrypt or hash the password.

If you use the command

  • username NEW_USER password C1sco1234!

the result will be

  • username NEW_USER password 6 Th[OHPKXZeTiG^ZbT]^BXdV^Y^fNcDSdRVA\

If you use the command

  • username NEW_USER2 algorithm-type scrypt secret C1sco1234!

the result will be

  • username NEW_USER2 secret 9 $9$TBFsppylajYbbk$631.Kfnynsk6CfGu1SJeq7DBFxpiMxNdezhrAEgBOCc

As a summary, you can use type 6 encryption for user passwords but this is only recommended if the router needs the password in cleartext for any reason (e.g. CHAP authentication as mentioned before).

It is also important to note that your config backups do not contain the Master key that is used for password encryption. This means that you have to configure the Master key on any new device before you can use your configuration backup. Otherwise the new device is not able to decrypt the passwords.

HTH!
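The password/secret type table Jens lays out above, turned into a small audit of a saved running-config (an added example, not code from the thread or from Cisco): it classifies each local credential line by keyword and type digit and reports whether the backup can be restored without first re-entering the master key. The type 7 and type 5 sample values are constructed; the type 6 and type 9 values are the ones quoted in the post.

```python
import re
from dataclasses import dataclass
# Storage form per (keyword, type digit): 'password' types are reversible, 'secret' types are hashes.
TYPE_INFO = {
    ("password", "0"): ("cleartext", "high"),
    ("password", "7"): ("type 7 obfuscation (HIDDEN, trivially reversible)", "high"),
    ("password", "6"): ("AES encrypted, reversible with the master key", "medium"),
    ("secret", "5"): ("MD5 hash (legacy)", "medium"),
    ("secret", "8"): ("PBKDF2 hash", "low"),
    ("secret", "9"): ("scrypt hash", "low"),
}
# username <name> [privilege N] password|secret [type] <value>, or enable password|secret ...
LINE_RE = re.compile(
    r"^(?:username\s+(?P<user>\S+)(?:\s+privilege\s+\d+)?|enable)\s+"
    r"(?P<kw>password|secret)(?:\s+(?P<type>\d))?\s+(?P<value>\S+)$"
)
@dataclass
class Finding:
    user: str
    keyword: str
    ptype: str
    description: str
    risk: str
def audit_config(config_text: str) -> list:
    """Classify each local credential line of a running-config backup."""
    findings = []
    for raw in config_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ptype = m.group("type") or "0"  # no type digit: the value is still cleartext
        desc, risk = TYPE_INFO.get((m.group("kw"), ptype), ("unknown or invalid type", "review"))
        findings.append(Finding(m.group("user") or "enable", m.group("kw"), ptype, desc, risk))
    return findings
def needs_master_key(findings) -> bool:
    """True if restoring this backup needs 'key config-key password-encrypt' set first."""
    return any(f.keyword == "password" and f.ptype == "6" for f in findings)

# Constructed sample backup: type 6 / type 9 values are from the thread, type 7 / type 5 are made up.
SAMPLE_CONFIG = "\n".join([
    "username legacy password OldPlaintext1",
    "username ops password 7 0A1B2C3D4E5F6071",
    "username admin privilege 15 password 6 Th[OHPKXZeTiG^ZbT]^BXdV^Y^fNcDSdRVA\\",
    "username NEW_USER2 secret 9 $9$TBFsppylajYbbk$631.Kfnynsk6CfGu1SJeq7DBFxpiMxNdezhrAEgBOCc",
    "enable secret 5 $1$abcd$ConstructedMd5Value0000000",
])
if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print(f"{f.user:<10} {f.keyword:<8} type {f.ptype}: {f.description} [{f.risk}]")
```

Run it against `show running-config` output saved from a device; any type 0 or type 7 line is a candidate for the `algorithm-type scrypt secret` form shown above.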

Hey Jens,

thanks for your help and sharing this info.  I have successfully configured it for password 6.

You're welcome. Glad to hear that it's working now.

Hello Cisco community,

So I was able to get the 9200L configured for Password 6, but I get errors when trying to create the local user acct. I can log in with the account via the console, but I cannot log into the CLI using the local account. Per some research it's because the local user is not set for password 6. Any ideas?

key config-key password-encrypt
New Password:
Confirm Password:

password encryption aes

username admin privilege 15 password FinallyFriday321!  (This works for console login)

Switch(config)#username mdhsadmin secret 6 Monday123!!
Invalid encryption type: 6. Password not set. (error received when trying to create local account using password 6)

Hello @randy-reed,

as explained in my previous post, you cannot directly enter the type 6 password when creating a new user.

You create the new user with a cleartext password and the Cisco switch will then encrypt it and store it as type 6 password.

So you use the command

  • username NEW_USER password C1sco1234! - NOT password 6 !!!

and the switch encrypts the password for you and stores it in the config as

  • username NEW_USER password 6 Th[OHPKXZeTiG^ZbT]^BXdV^Y^fNcDSdRVA\

So if you do a "show run | include username" the admin that you successfully created will also be displayed with an encrypted type 6 password because you created this user with a cleartext password.

HTH!

Perfect! I will give it a try and see what happens. Thanks for your help.