VTY scrypt password

Moudar
VIP Alumni

Hi 

I have got switches 9200l. How to use a scrypt 9 password on VTY lines?

Switch(config-line)#password ?
  0      Specifies an UNENCRYPTED password will follow
  7      Specifies a HIDDEN password will follow
  <0-9>  Encryption types not explicitly specified
  LINE   The UNENCRYPTED (cleartext) line password
  LINE   The UNENCRYPTED (cleartext) line password

Switch(config-line)#password 9
Switch(config-line)#password 9 ?
  LINE  The UNENCRYPTED (cleartext) line password

Switch(config-line)#password 9 moudar
Invalid encryption type: 9

There is no choice like "algorithm-type scrypt" here; what to do? The switch is complaining about 7 passwords! But I can't see how to make that password a scrypt 9 password!

Any ideas!

15 Replies

Check this command friend 

Enable algorithm-type scrypt secret <your clear text>

Note: don't write the config until you are sure you can still access the device; if it fails, reboot to return to the point before the new command was added.

MHM

M02@rt37
VIP

Hello @Moudar 

Follow : https://learningnetwork.cisco.com/s/article/cisco-routers-password-types


Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

Walston5119
Level 1

@Moudar wrote:

Hi 

I have got switches 9200l. How to use a scrypt 9 password on VTY lines?

Switch(config-line)#password ?
  0      Specifies an UNENCRYPTED password will follow
  7      Specifies a HIDDEN password will follow
  <0-9>  Encryption types not explicitly specified
  LINE   The UNENCRYPTED (cleartext) line password
  LINE   The UNENCRYPTED (cleartext) line password

Switch(config-line)#password 9
Switch(config-line)#password 9 ?
  LINE  The UNENCRYPTED (cleartext) line password

Switch(config-line)#password 9 moudar
Invalid encryption type: 9

There is no choice like "algorithm-type scrypt" here; what to do? The switch is complaining about 7 passwords! But I can't see how to make that password a scrypt 9 password!

Any ideas!


It seems that you are trying to configure a Scrypt 9 password on VTY lines for your Cisco switch, but you are getting an error message. According to the web search results, there are a few possible reasons and solutions for this issue:

The Scrypt 9 password encryption is only supported on certain IOS versions and devices. You may need to check if your switch model and IOS version support this feature.
The Scrypt 9 password encryption is only available for the enable secret command, not for the line password command. You may need to use a different encryption type for the line password, such as type 5 (MD5) or type 8 (SHA256).
The scrypt 9 password encryption requires you to specify the algorithm-type scrypt option before the secret keyword. You may need to use the following syntax: enable algorithm-type scrypt secret password.

MHM

It is not helping using ChatGPT!!

Moudar
VIP Alumni

The scrypt algorithm is supported on my switch, as I am already using it for the enable secret password.

My question is about VTY lines!!

Please read my post !

There is a workaround, but I don't know if it works or not.

Use 

Line vty 0 4

Login local

Then

Username xxx algorithm-type scrypt secret xxxx

Try this way.

Note: if you want to try it on only one line, use the rotary feature of vty.

MHM

I have aaa active so no local login available!

If you have AAA active, why the need to configure a local VTY password instead of your AAA server(-group)?

You have got a very good point !

My config looks like this now and it is working:

line con 0
 logging synchronous
 stopbits 1
line vty 0 4
 logging synchronous
 transport input ssh
line vty 5 15
 logging synchronous
 transport input ssh
!

The vty will try AAA first, and if the server is not available or dead, then the vty uses local (if you use local with aaa authentication login).

Now

The local credentials must be secured with encryption type 9 or another.

So whether you add a password under vty or use aaa with local, it needs the same security.

Use encryption to protect the password you use when aaa is dead or when you log in directly.

MHM

I got this config for aaa:

aaa authentication login default group RADIUS_AUTH local line
aaa authentication dot1x default group RADIUS_AUTH
aaa authorization network default group RADIUS_AUTH
aaa accounting exec default start-stop group RADIUS_AUTH

I did some tests and it is working without any password under the vty lines. The important thing here is to have a locally defined user and password!

Yes, it works since you use the local fallback method.

The SW looks up usernames and passwords in the local database.

This phase is finished (auth).

Now authz: authz without local is an issue as well. If you auth with local, that means the server is dead, so how do you then authz without local?

You need to add privilege level 15 to the username and password.

And you need to use local with aaa authorization exec.

MHM

Hello


@Moudar wrote:

The switch is complainnig about 7 passwords! but i cant see how to make that password a scrypt 9 password!
I have aaa active so no local login available


Can you elaborate on "switch is complaining about type 7"... do you mean you do not use any local authentication, or is it just that at present you are logged into the device via tacacs/radius?

For example, when AAA is enabled it is usually applied with fallback local credentials in case the remote authentication becomes unavailable; as such, if/when local credentials are used they could incorporate type 6 or type 9 locally. Either way, all passwords (inclusive of tacacs/radius) should be stored with the new security level when you apply that level to it.

example:
type 6
password encryption aes 
key config-key password-encrypt xxxxx

type 9
enable algorithm-type scrypt secret xxxx
username xxx privilege xx algorithm-type scrypt secret xx 


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
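The thread's underlying point is that a vty line `password` only accepts type 0/7, so the defensible path is AAA or login local with `username ... algorithm-type scrypt secret` (type 9), plus type 6 for RADIUS/TACACS keys. Below is an added audit script (my own example, not code from the thread or from Cisco) that scans an IOS running-config and flags every stored credential by password type; the sample config and all hash values in it are constructed placeholders.

```python
import re
from typing import List, Tuple

# Cisco IOS password/secret type numbers. "weak" = cleartext, reversible or fast to
# crack; "ok" = one-way KDF; type 6 is reversible but keyed (config-key), so flagged apart.
PASSWORD_TYPES = {
    "0": ("cleartext", "weak"),
    "7": ("Vigenere-obfuscated, trivially reversible", "weak"),
    "5": ("MD5 crypt, fast to brute-force", "weak"),
    "6": ("AES with config-key, reversible on box", "ok-reversible"),
    "8": ("PBKDF2-SHA256", "ok"),
    "9": ("scrypt", "ok"),
}

# Matches "<secret|password|key> <type digit> <value>" in a config statement.
_CRED_RE = re.compile(r"\b(secret|password|key)\s+(\d)\s+(\S+)")

# Constructed sample running-config (hashes are placeholders, not real digests).
SAMPLE_CONFIG = """\
enable secret 9 $9$CONSTRUCTEDSALT$CONSTRUCTEDSCRYPTHASH000000000000000000
username admin privilege 15 secret 9 $9$CONSTRUCTEDSALT$CONSTRUCTEDSCRYPTHASH1111111
username backup privilege 15 secret 5 $1$CONST$RUCTEDMD5HASH0000000000
aaa new-model
aaa authentication login default group RADIUS_AUTH local line
radius server RAD1
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key 7 0123456789ABCDEF
line vty 0 4
 password 7 FEDCBA9876543210
 transport input ssh
line vty 5 15
 transport input ssh
"""

def audit_ios_config(config: str) -> List[Tuple[str, str, str, str]]:
    """Return (section, keyword, type, severity) for every stored credential, in order."""
    findings = []
    section = "global"
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if not raw.startswith(" "):  # top-level statement: may open a new section
            section = "global"
            if raw.startswith(("line ", "radius server ", "tacacs server ")):
                section = raw.strip()
                continue
        m = _CRED_RE.search(raw.strip())
        if m:
            keyword, ptype, _value = m.groups()
            findings.append((section, keyword, ptype, PASSWORD_TYPES.get(ptype, ("?", "unknown"))[1]))
    return findings

def weak_findings(config: str) -> List[Tuple[str, str, str, str]]:
    """Only the credentials that should be re-entered with a stronger type."""
    return [f for f in audit_ios_config(config) if f[3] == "weak"]

def remediation(section: str, keyword: str) -> str:
    """Fix suggested by the thread for each kind of weak credential."""
    if section.startswith("line "):  # line passwords cannot be type 9 at all
        return "drop the line password; authenticate via AAA/login local with 'username ... algorithm-type scrypt secret'"
    if keyword == "key":  # RADIUS/TACACS shared secrets: only type 6 is available
        return "enable type 6: 'key config-key password-encrypt <key>' then 'password encryption aes'"
    return "re-enter with 'algorithm-type scrypt secret' (type 9)"
```

Running `weak_findings(SAMPLE_CONFIG)` on the sample lists the MD5 username, the type 7 RADIUS key and the type 7 vty password; the type 9 enable secret and admin user pass.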