"Secret" Passwords under VTY, CON, and AUX Line ports

gsanin
Level 1

I would like to set up MD5 passwords under the VTY, CON, and AUX line ports, but the IOS (c2951-universalk9-mz.SPA.151-4.M1.bin) only lets me set up a "7" hidden password. Is there any way to do this?


4 Replies

Marvin Rhoads
Hall of Fame

If you want to use MD5 passwords, specify "login local" under the line commands. Then create local usernames with MD5 passwords, e.g.:

username gsanin privilege 15 secret <plaintext password>

The CLI parser will encrypt your plaintext entry after you enter the command, and the running configuration will store the password in its encrypted form.

Marvin,

Thank you for your reply.

We are also using TACACS+; will I still need to create a local username? I guess the point is to be able to access the device out-of-band, so I would still need the local username. Is that an accurate assumption?

Thanks again.

If you're using TACACS+ as your primary authentication method, then you don't need to put either a password or "login local" under your line configurations.

Instead, you use aaa new-model and set up an authentication method list that includes the TACACS server group as the primary method (and local as fallback). A local username is there for use if and only if the configured TACACS servers are unavailable.

Have a look at the Cisco Validated Design page at Campus Wired LAN Technology Design Guide - April 2014 (specifically steps 10 and 11 on pages 26-27) for more details.
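The two approaches side by side as an IOS configuration, added here as an example and not taken from the thread or the design guide; the server address, shared key, group name, username and password are constructed placeholders, and the legacy tacacs-server host syntax is assumed for this 15.1 release.

```cisco
! BEFORE (what the question describes): a per-line password that IOS can only
! store as type 7, which is reversible, so anyone with the config has the password.
line vty 0 4
 password 7 <type-7-string>
 login
!
! AFTER: AAA with TACACS+ as the primary method and the local database as fallback.
aaa new-model
!
! Constructed placeholder server address (documentation range) and key.
tacacs-server host 192.0.2.10
tacacs-server key <shared-secret>
!
aaa group server tacacs+ TACACS-GROUP
 server 192.0.2.10
!
! Method list: try the TACACS+ group first, fall back to local usernames only
! when no configured server answers. The "default" list applies to every line.
aaa authentication login default group TACACS-GROUP local
aaa authorization exec default group TACACS-GROUP local if-authenticated
!
! Out-of-band fallback account; "secret" is stored as a type 5 (MD5) hash
! on this release instead of a reversible type 7 string.
username oob-admin privilege 15 secret <strong-password>
!
! Remove the old type 7 line password; no "login local" is needed with aaa new-model.
line con 0
 login authentication default
line aux 0
 login authentication default
line vty 0 4
 no password
 login authentication default
 transport input ssh
```

To check the result, "show running-config | include secret|password" should list the local account as "secret 5" and no remaining "password 7" entries under the line sections.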

Thank you Marvin. I really appreciate your help on this.
