11-25-2012 06:09 PM - edited 03-07-2019 10:14 AM
Hi Team,
I want to configure "Username & Password" on a Cisco 3750 switch.
I need to configure as "username xxxxxx privilege 15 password 5 xxxxxxx"
Is it possible to create a password with level 5?
I want to know about level 5 "password" & level 7 "password".
When I tried, I was not able to configure with "password 5".
Please help me resolve the issue.
Regards,
Sen
11-25-2012 06:28 PM
Try:
username
e.g. name = mark , password = mypass
username mark privilege 15 secret mypass
Basically password is easily reversible, secret isn't.
11-25-2012 07:10 PM
Thanks Potterm,
But I want to use "Username privilege 15 password 5 $1$Z3fsOO.p$7alNAnUmVSd5ucARj7CsO0"
Is it possible?
Regards,
Sen
11-25-2012 07:14 PM
Hi,
The options are 0 or 7. There is no 5.
See below from a 3750:
Switch(config)#username cisco privilege 15 password 5
% Incomplete command.
Switch(config)#username cisco privilege 15 password ?
0 Specifies an UNENCRYPTED password will follow
7 Specifies a HIDDEN password will follow
LINE The UNENCRYPTED (cleartext) user password
HTH
11-25-2012 07:17 PM
You can't use password with 5.
password only supports 0 and 7
secret supports 0 and 5
SWITCH1(config)#username mark privilege 15 password ?
0 Specifies an UNENCRYPTED password will follow
7 Specifies a HIDDEN password will follow
LINE The UNENCRYPTED (cleartext) user password
SWITCH1(config)#username mark privilege 15 secret ?
0 Specifies an UNENCRYPTED secret will follow
5 Specifies a HIDDEN secret will follow
LINE The UNENCRYPTED (cleartext) user secret
If you want 5 you need to use secret as in the example below.
username
Best of luck.
Mark.
11-25-2012 07:32 PM
Thanks Potterm,
I try this.....
What is the difference between the two methods below? What is the enable password for this?
SWITCH1(config)#username mark privilege 15 password ?
0 Specifies an UNENCRYPTED password will follow
7 Specifies a HIDDEN password will follow
LINE The UNENCRYPTED (cleartext) user password
SWITCH1(config)#username mark privilege 15 secret ?
0 Specifies an UNENCRYPTED secret will follow
5 Specifies a HIDDEN secret will follow
LINE The UNENCRYPTED (cleartext) user secret
Regards,
Sen
11-25-2012 07:37 PM
secret, I believe, uses better password security/algorithm to store passwords in the config.
password is less secure; better off googling that.
The enable password is whatever you make it.
enable secret
e.g. enable password = mypass
enable secret mypass
Mark.
11-25-2012 08:14 PM
Thank you so much...
I will try and let you know....
Regards,
Sen
11-26-2012 12:11 AM
Hi,
Please find the config below. (This one is already configured on the switch.)
Config:
----------
enable secret 5 $1$UK0G$d4QXwakilHzVNyjZEjyXk.
!
username
aaa new-model
!
I want to configure like this.
Here someone has already configured secret 5 < password >. Can I create one more secret password?
Please, I want to use an encrypted password. Is it possible?
Error:
------
ERROR: The secret you entered is not a valid encrypted secret.
To enter an UNENCRYPTED secret, do not specify type 5 encryption.
When you properly enter an UNENCRYPTED secret, it will be encrypted.
Thanks.......
Regards,
Sen
11-26-2012 02:01 AM
Hello,
Just do it as mentioned above.
For unencrypted password:
username superman privilege 15 password mypassword
Result in config:
!
username superman privilege 15 password 0 mypassword
!
You can also set the "service password-encryption" globally,
then the config will look like this:
!
username superman privilege 15 password 09878419047
!
But that is just some kind of hash AFAIK! So you can easily "encrypt" it, google for that.
More secure is:
username superman privilege 15 secret mypassword
How it looks in the config:
!
username superman privilege 15 secret 5 $1$hqMA$adgOgpNk91XnQPjwv6CgT.
!
This is more secure.
So you have two choices:
username XY priv 15 password XY
username XY priv 15 secret XY
and optionally (I would always set this, it encrypts all PWs in the cfg)
service password-encryption
Greets
11-26-2012 04:09 AM
To change your password, do everything everyone else stated above. The differences between the passwords are:
The "password" attribute allows type 0 (unencrypted) and type 7 (Vigenère). The type 7 is easily decryptable and there are several utilities online that can reverse the password with ease.
The "secret" attribute allows type 0 (unencrypted) and type 5 (MD5) hash. The type 5 is a one-way hash that the router can compare your password to when logging in. If your password hash matches the local password, you're allowed in.
The reason that you have the choice of type 5 or type 7 ("secret 5" or "password 7") is that when you have a running config, you can copy and paste the already "hashed" version of the password and the system knows how to deal with the password that you just pasted. In fact, if you were to put "username admin password 0 admin", IOS will change it to "username admin password 7 xxxxxx" if the "service password-encryption" is enabled. The "service password-encryption" doesn't need to be enabled for the "secret" attribute, but there are other passwords in the router that are only affected if the password encryption is on, so I still recommend having it enabled.
In short, if you don't know what the password hash is because you don't already have a running config in hand, then always use "0" as your password attribute and the system will change the attribute to either 7 or 5 depending on your use of "password" or "secret" respectively.
HTH,
John
***** Please rate all useful posts *****
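Added example (not written by any poster in this thread, and not Cisco code): a small Python check that reads configuration lines and classifies each stored credential by the rules stated above (password takes 0 or 7, secret takes 0 or 5), including the malformed type 5 case behind the "not a valid encrypted secret" error. The usernames, severity labels and sample config are constructed, reusing strings quoted in the thread; any other type number is reported as unknown.

```python
import re

# Type 5 is md5crypt: $1$<salt of 1-8 chars>$<22-char digest>
TYPE5_RE = re.compile(r"^\$1\$[./0-9A-Za-z]{1,8}\$[./0-9A-Za-z]{22}$")
# Type 7 layout: two decimal digits followed by hex byte pairs
TYPE7_RE = re.compile(r"^\d{2}(?:[0-9A-Fa-f]{2})+$")
LINE_RE = re.compile(
    r"^\s*(enable|username\s+(?P<user>\S+)(?:\s+privilege\s+\d+)?)"
    r"\s+(?P<kw>password|secret)(?:\s+(?P<type>\d+))?\s+(?P<value>\S+)\s*$")

# Constructed sample config; usernames are made up, strings are quoted from the thread.
SAMPLE_CONFIG = """\
enable secret 5 $1$UK0G$d4QXwakilHzVNyjZEjyXk.
username superman privilege 15 password 0 mypassword
username sen privilege 15 password 7 023E077B07041D791C
username mark privilege 15 secret 5 $1$hqMA$adgOgpNk91XnQPjwv6CgT.
username typo privilege 15 secret 5 mypassword
username wrongkw privilege 15 password 5 $1$Z3fsOO.p$7alNAnUmVSd5ucARj7CsO0
aaa new-model
"""

def classify(kw, ptype, value):
    """Return (severity, reason) for one credential; labels are this example's own."""
    if ptype in (None, "0"):
        if kw == "secret":
            return "info", "cleartext input; IOS stores it as a type 5 hash"
        return "high", "cleartext password readable in the config"
    if kw == "password" and ptype == "7":
        ok = TYPE7_RE.match(value)
        return "high", ("type 7 is reversible" if ok else "malformed type 7")
    if kw == "secret" and ptype == "5":
        if TYPE5_RE.match(value):
            return "ok", "type 5 one-way MD5 hash"
        return "error", "not a valid type 5 string; IOS rejects it"
    if kw == "password" and ptype == "5":
        return "error", "password accepts only 0 or 7; use secret for type 5"
    return "unknown", "type not discussed in this thread"

def audit(config_text):
    """Classify every enable/username credential line; other lines are skipped."""
    findings = []
    for line in config_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            sev, why = classify(m.group("kw"), m.group("type"), m.group("value"))
            findings.append((m.group("user") or "enable", sev, why))
    return findings

if __name__ == "__main__":
    print("\n".join(f"{u:10} {s:8} {w}" for u, s, w in audit(SAMPLE_CONFIG)))
```

Passwords containing spaces are not matched by this example's line pattern, which expects a single token after the type.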
12-07-2012 01:03 AM
Hi,
If I create a local account like "username xxxxxx privilege 15 password 7 023E077B07041D791C",
when can I use this local account? After configuring it I tried to log in, but I am not able to log in.
I think I can log in only if there is no tacacs, am I correct?
Please clarify how to use this account. When can I log in?
Regards,
Sen
12-07-2012 03:56 AM
If you have tacacs or radius configured with aaa authentication, it's going to use one of those servers first. If the server responds at all, it won't fail over to the local database. If you're not using aaa authentication, and you only need to use the local database, you'll need to change your lines to use the local database:
line vty 0 4
login local
Then you'll be able to use the login. Since you mentioned tacacs though, you could do something like:
aaa authentication login default local group tacacs
If the user doesn't exist on the local database, it should roll over to the tacacs server.
HTH,
John
*** Please rate all useful posts ***