654
Views
10
Helpful
4
Replies
SJ K
Level 5

q1) How come I end up in privileged mode every time I enter the console password? Can I choose to enter normal user mode instead? Is it done by setting the privilege level?

q2) I understand that for enable (privileged) mode, I can set a secret/encrypted password for enabling.

R1#config t
R1(config)#enable secret XXXX

Where does the encryption take place? Is it only MD5-hashing the password text in the configuration file? If I were to sniff the password over the network, would I still see the clear text "XXXX"?

q3) Why can't I set a secret/encrypted password for line (vty, con, etc.) login?

q4) For q3, after googling, I realize I need to issue service password-encryption.

- Does this command "encrypt" my current enable secret password again? I think not, because I see no changes in show run.

- Why do we have to issue this command to encrypt my line, vty, etc. passwords? Why can't we use the "secret" command?

- What is the difference between this "service password-encryption" and "secret"? Why do we need to have both?

q5) Are service password-encryption, enable secret, etc. all basically just hashing or encrypting the actual text password in the config file? Is there any way of encrypting it over the network?

4 Replies

Mark Malone
VIP Alumni

Hi

This link answers your questions:

http://www.cisco.com/c/en/us/td/docs/ios/12_2/security/configuration/guide/fsecur_c/scfpass.html

The actual encryption process occurs when the current configuration is written or when a password is configured. Password encryption is applied to all passwords, including authentication key passwords, the privileged command password, console and virtual terminal line access passwords, and BGP neighbor passwords. The service password-encryption command is primarily useful for keeping unauthorized individuals from viewing your password in your configuration file.

Hi Mark,

Thanks for reverting; not sure why you are able to view this thread, it is supposed to be "lost".

Anyway, is there any reason why line (con, vty, etc.) passwords cannot be encrypted by the "secret" command?

Regards,

Noob

Hi

The enable secret (type 5, MD5) is only for global; you need to use service password-encryption to encrypt the type 7 passwords, which are the line vty/con or enable password. The option is just not available.

If you're unsure about the security of type 7 even when encrypted with service password-encryption, use login local underneath the line and then use username test priv 15 secret xxx; then anyone who accesses the device through any of the available ports will be forced to use the MD5 password. Other than that, you will need to use AAA + TACACS for stronger security again.
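The two replies above describe which credential lines a router stores as a one-way hash and which it stores in a recoverable form. The script below is an added example, not code from this thread or from Cisco: it walks a pasted running-config, classifies every password/secret line by its type prefix (service password-encryption only turns type 0 into reversible type 7 and leaves a type 5 enable secret alone; a line password under plain login is the only gate on that line, while login local with a username ... secret replaces it), and summarises what still needs attention. The sample config, its hash strings and its type 7 strings are constructed placeholders, and the meaning of each type number is assumed from Cisco's documentation rather than taken from the page.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Meaning of the type prefix IOS writes in front of a stored credential (assumed from
# Cisco's documentation): types 0 and 7 can be turned back into the original password,
# types 5, 8 and 9 are one-way hashes and cannot.
TYPE_INFO = {
    "0": ("type 0, plaintext", True),
    "7": ("type 7, reversible obfuscation written by service password-encryption", True),
    "5": ("type 5, salted MD5-crypt hash (enable secret / username ... secret)", False),
    "8": ("type 8, PBKDF2-SHA256 hash", False),
    "9": ("type 9, scrypt hash", False),
}


@dataclass
class Finding:
    scope: str          # "enable", "username admin", "line con 0", ...
    keyword: str        # "password" or "secret"
    ptype: str          # "0", "5", "7", ...
    recoverable: bool   # True if the original password can be recovered from the config
    note: str
    active: bool = True  # False when IOS ignores this credential for authentication


# Matches "enable secret 5 <hash>", "username bob privilege 15 secret 5 <hash>",
# "enable password 7 <obfuscated>" and a line-scoped " password <clear>".
CRED_RE = re.compile(
    r"^\s*(?:(?P<enable>enable)\s+|username\s+(?P<user>\S+)\s+(?:privilege\s+\d+\s+)?)?"
    r"(?P<kw>password|secret)\s+(?:(?P<type>\d)\s+)?(?P<value>\S+)\s*$"
)


def classify(keyword: str, ptype: Optional[str]):
    """Return (type, recoverable, description) for one credential line."""
    if ptype is None:
        # No prefix means the value is the password as typed: "secret" is hashed by IOS
        # when stored (type 5 on classic IOS), "password" is stored as type 0.
        ptype = "5" if keyword == "secret" else "0"
    desc, recoverable = TYPE_INFO.get(ptype, (f"type {ptype}, not classified", True))
    return ptype, recoverable, desc


def audit(config: str):
    findings = []
    scope = "global"
    has_spe = False
    login_mode = {}  # line scope -> "login" or "login local"
    for raw in config.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("!"):
            continue
        if not raw.startswith(" "):
            # Top-level command: "line ..." opens a new scope, anything else is global.
            scope = stripped if stripped.startswith("line ") else "global"
            if stripped == "service password-encryption":
                has_spe = True
                continue
        if scope.startswith("line ") and stripped in ("login", "login local"):
            login_mode[scope] = stripped
            continue
        m = CRED_RE.match(raw)
        if not m:
            continue
        ptype, recoverable, desc = classify(m["kw"], m["type"])
        where = "enable" if m["enable"] else (f"username {m['user']}" if m["user"] else scope)
        findings.append(Finding(where, m["kw"], ptype, recoverable, desc))

    has_enable_secret = any(f.scope == "enable" and f.keyword == "secret" for f in findings)
    for f in findings:
        if f.ptype == "0" and has_spe:
            f.note += "; service password-encryption will rewrite it as type 7, still recoverable"
        if f.scope == "enable" and f.keyword == "password" and has_enable_secret:
            f.note += "; ignored for enable authentication while enable secret is set"
            f.active = False
        if f.scope.startswith("line "):
            if login_mode.get(f.scope) == "login local":
                f.note += "; not used for authentication because the line has login local"
                f.active = False
            elif f.recoverable:
                f.note += "; sole gate on this line, prefer login local with username ... secret"
    return findings


def summarize(config: str):
    findings = audit(config)
    return {
        "recoverable": sum(f.recoverable for f in findings),
        "hashed": sum(not f.recoverable for f in findings),
        "lines_relying_on_line_password": sum(
            f.scope.startswith("line ") and f.recoverable and f.active for f in findings),
    }


# Constructed sample config; the hash and type 7 strings are placeholders, not real values.
SAMPLE_CONFIG = """\
service password-encryption
!
enable secret 5 $1$EXMP$constructedhashvalueNOTREAL
enable password 7 0123456789ABCDEF
username admin privilege 15 secret 5 $1$EXMP$anotherconstructedhashvalue
!
line con 0
 password 7 FEDCBA9876543210
 login
line vty 0 4
 password cisco
 login local
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f"{f.scope:16} {f.keyword:8} {f.note}")
    print(summarize(SAMPLE_CONFIG))
```

Run against the sample, the report shows only the two secret lines as hashed; the enable password, the console password (type 7 under plain login) and the vty password (type 0, about to become type 7) are all flagged as recoverable, and only the console line is counted as actually relying on such a password, since the vty line already authenticates through login local.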

Duly noted, and thanks, Mark.