Configuring Password Encryption



Similar documents
Configuring Password Encryption

Configuring ECMP for Host Routes

Configuring SSH and Telnet

Configuring System Message Logging

Send document comments to

Configuring NTP. Information About NTP. NTP Overview. Send document comments to CHAPTER

Configuring MAC ACLs

Configuring NetFlow. Information About NetFlow. NetFlow Overview. Send document comments to CHAPTER

Configuring NetFlow. Information About NetFlow. NetFlow Overview. Send document comments to CHAPTER

Configuring NTP. Information about NTP. NTP Overview. Send document comments to CHAPTER

Configuring Network QoS

Configuring the Scheduler

Encrypted Preshared Key

Connecting to the Firewall Services Module and Managing the Configuration

Encrypted Preshared Key

Configuring MPLS Hub-and-Spoke Layer 3 VPNs

Using LiveAction with Cisco Secure ACS (TACACS+ Server)

Configuring Basic Settings

Configuring iscsi Multipath

ISE TACACS+ Configuration Guide for Cisco NX-OS Based Network Devices. Secure Access How-to User Series

Configuring Auto-MDIX

Configuring Access Service Security

Configuring Static and Dynamic NAT Translation

Configuring Network Load Balancing for vethernet

Configuring System Message Logging

Configuring Role-Based Access Control

Basic Router and Switch Instructions (Cisco Devices)

Note: This case study utilizes Packet Tracer. Please see the Chapter 5 Packet Tracer file located in Supplemental Materials.

Enabling Remote Access to the ACE

Configuring CSS Remote Access Methods

Enhanced Password Security - Phase I

Lab Review of Basic Router Configuration with RIP. Objective. Background / Preparation. General Configuration Tips

Configuring Network Load Balancing for vethernet

Managing Storage Services Modules

Configuring Basic Settings

Lab Configuring Basic Router Settings with the Cisco IOS CLI

Network-Enabled Devices, AOS v.5.x.x. Content and Purpose of This Guide...1 User Management...2 Types of user accounts2

Enhanced Password Security - Phase I

Telnet, Console and AUX Port Passwords on Cisco Routers Configuration Example

How To Configure Rmon On Cisco Me 2600X On Ios 2.5A (Cisco) With A Network Monitor On A Network Device (Network) On A Pnet (Network Monitor) On An Ip

Lab Introductory Lab 1 - Getting Started and Building Start.txt

Lab Load Balancing Across Multiple Paths

Flow-Based per Port-Channel Load Balancing

Supported Platforms. Supported Standards, MIBs, and RFCs. Prerequisites. Related Features and Technologies. Related Documents. Improved Server Access

Backing Up and Restoring Data

CISCO CATALYST 3550 Series Switches

LAB Configuring NAT. Objective. Background/Preparation

Lab Configure Basic AP Security through IOS CLI

Configuring System Message Logging

Using the Command Line Interface (CLI)

Installation and Administration Guide

Configuring EtherChannels

Router Lab Reference Guide

How To Use Cmk On An Ipa (Intralinks) On A Pc Or Mac Mac (Apple) On An Iphone Or Ipa On A Mac Or Ipad (Apple Mac) On Pc Or Ipat (Apple

Configuring the Switch with the CLI Setup Program

Configuring Auto Policy-Based Routing

Configuring the Switch with the CLI-Based Setup Program

File Transfers. Contents

Applicazioni Telematiche

Lab Advanced Telnet Operations

Configuring DHCP Snooping

USB Disable for Cisco ISRs Feature Module

TACACS+ Authentication

Lab 8.3.3b Configuring a Remote Router Using SSH

Managing ACE Software Licenses

Configuring NetFlow. Information About NetFlow. Send document comments to CHAPTER

Lab: Basic Router Configuration

Configuring Secure Socket Layer (SSL)

3.1 Connecting to a Router and Basic Configuration

Table of Contents. Cisco Wi Fi Protected Access 2 (WPA 2) Configuration Example

Basic Configuration of the Cisco Series Internet Router

Network Security and AAA

Licensing Cisco NX-OS Software Features

Securing Networks with PIX and ASA

CCNA DATA CENTER BOOT CAMP: DCICN + DCICT

Chapter 6 Updating Software Images and Configuration Files

Configuring Basic Settings

Lab 4.4.8a Configure a Cisco GRE over IPSec Tunnel using SDM

Configuring PROFINET

Configuring LLDP, LLDP-MED, and Location Service

Introduction to Cisco router configuration

Lab 3 Routing Information Protocol (RIPv1) on a Cisco Router Network

Chapter 8 Lab B: Configuring a Remote Access VPN Server and Client

- The PIX OS Command-Line Interface -

School of Information Technology and Engineering (SITE) CEG 4395: Computer Network Management. Lab 4: Remote Monitoring (RMON) Operations

CISCO IOS NETWORK SECURITY (IINS)

Configuring Aggressive Load Balancing

Cisco ISE Command-Line Interface

Security. AAA Identity Management. Premdeep Banga, CCIE # Cisco Press. Vivek Santuka, CCIE # Brandon J. Carroll, CCIE #23837

Managing Cisco ISE Backup and Restore Operations

SmartWare Encrypted File Download HowTo

PT Activity: Configure Cisco Routers for Syslog, NTP, and SSH Operations

Lab Creating a Logical Network Diagram

Lab 3.5.1: Basic VLAN Configuration (Instructor Version)

Objectives. Background. Required Resources. CCNA Security

Configuring System Message Logging

Sample Configuration: Cisco UCS, LDAP and Active Directory

Managing Identities in Outlook Express

Administering Cisco ISE

Comware versus Cisco IOS Command Guide

Transcription:

This chapter describes how to configure password encryption on Cisco NX-OS devices. This chapter includes the following sections: Information About Password Encryption, page 1 Licensing Requirements for Password Encryption, page 2 Guidelines and Limitations for Password Encryption, page 2 Default Settings for Password Encryption, page 3, page 3 Verifying the Password Encryption Configuration, page 6 Configuration Examples for Password Encryption, page 6 Additional References for Password Encryption, page 6 Feature History for Password Encryption, page 7 Information About Password Encryption This section includes information about password encryption on Cisco NX-OS devices. AES Password Encryption and Master Encryption Keys You can enable strong, reversible 128-bit Advanced Encryption Standard (AES) password encryption, also known as type-6 encryption. To start using type-6 encryption, you must enable the AES password encryption feature and configure a master encryption key, which is used to encrypt and decrypt passwords. After you enable AES password encryption and configure a master key, all existing and newly created clear-text passwords for supported applications (currently RADIUS and TACACS+) are stored in type-6 encrypted format, unless you disable type-6 password encryption. You can also configure Cisco NX-OS to convert all existing weakly encrypted passwords to type-6 encrypted passwords. OL-20637-03 1

Virtualization Support for Password Encryption Virtualization Support for Password Encryption The master key used with the AES password encryption feature is unique for each VDC. Note For more information on VDCs, see the Cisco Nexus 7000 Series NX-OS Virtual Device Context Configuration Guide. Licensing Requirements for Password Encryption The following table shows the licensing requirements for this feature: Product Cisco NX-OS License Requirement Password encryption requires no license. Any feature not included in a license package is bundled with the Cisco NX-OS system images and is provided at no extra charge to you. For an explanation of the Cisco NX-OS licensing scheme, see the Cisco NX-OS Licensing Guide. Guidelines and Limitations for Password Encryption Password encryption has the following configuration guidelines and limitations: Only users with administrator privilege (network-admin or vdc-admin) can configure the AES password encryption feature, associated encryption and decryption commands, and master keys. RADIUS and TACACS+ are the only applications that can use the AES password encryption feature. Configurations containing type-6 encrypted passwords are not rollback compliant. You can enable the AES password encryption feature without a master key, but encryption starts only when a master key is present in the system. Deleting the master key stops type-6 encryption and causes all existing type-6 encrypted passwords to become unusable, unless the same master key is reconfigured. Before you downgrade from Cisco NX-OS Release 5.2 to an earlier release, decrypt all type-6 passwords, disable the AES password encryption feature, and delete the master key. To move the device configuration to another device, either decrypt the configuration before porting it to the other device or configure the same master key on the device to which the configuration will be applied. 2 OL-20637-03

Default Settings for Password Encryption Default Settings for Password Encryption This table lists the default settings for password encryption parameters. Table 1: Default Password Encryption Parameter Settings Parameters AES password encryption feature Master key Default Disabled Not configured This section describes the tasks for configuring password encryption on Cisco NX-OS devices. Note If you are familiar with the Cisco IOS CLI, be aware that the Cisco NX-OS commands for this feature might differ from the Cisco IOS commands that you would use. Configuring a Master Key and Enabling the AES Password Encryption Feature SUMMARY STEPS You can configure a master key for type-6 encryption and enable the Advanced Encryption Standard (AES) password encryption feature. 1. [no] key config-key ascii 2. configure terminal 3. [no] feature password encryption aes 4. (Optional) show encryption service stat 5. copy running-config startup-config DETAILED STEPS Step 1 [no] key config-key ascii switch# key config-key ascii New Master Key: Retype Master Key: Configures a master key to be used with the AES password encryption feature. The master key can contain between 16 and 32 alphanumeric characters. You can use the no form of this command to delete the master key at any time. OL-20637-03 3

Converting Existing Passwords to Type-6 Encrypted Passwords Step 2 configure terminal If you enable the AES password encryption feature before configuring a master key, a message appears stating that password encryption will not take place unless a master key is configured. If a master key is already configured, you are prompted to enter the current master key before entering a new master key. Enters global configuration mode. Step 3 switch# configure terminal switch(config)# [no] feature password encryption aes Enables or disables the AES password encryption feature. Step 4 Step 5 switch(config)# feature password encryption aes show encryption service stat switch(config)# show encryption service stat copy running-config startup-config switch(config)# copy running-config startup-config (Optional) Displays the configuration status of the AES password encryption feature and the master key. Copies the running configuration to the startup configuration. Note This command is necessary to synchronize the master key in the running configuration and the startup configuration. Converting Existing Passwords to Type-6 Encrypted Passwords You can convert existing plain or weakly encrypted passwords to type-6 encrypted passwords. Before You Begin Ensure that you have enabled the AES password encryption feature and configured a master key. SUMMARY STEPS 1. encryption re-encrypt obfuscated 4 OL-20637-03

Converting Type-6 Encrypted Passwords Back to Their Original States DETAILED STEPS Step 1 encryption re-encrypt obfuscated switch# encryption re-encrypt obfuscated Converts existing plain or weakly encrypted passwords to type-6 encrypted passwords. Converting Type-6 Encrypted Passwords Back to Their Original States You can convert type-6 encrypted passwords back to their original states. Before You Begin Ensure that you have configured a master key. SUMMARY STEPS 1. encryption decrypt type6 DETAILED STEPS Step 1 encryption decrypt type6 switch# encryption decrypt type6 Please enter current Master Key: Converts type-6 encrypted passwords back to their original states. Deleting Type-6 Encrypted Passwords You can delete all type-6 encrypted passwords from the Cisco NX-OS device. SUMMARY STEPS 1. encryption delete type6 OL-20637-03 5

Verifying the Password Encryption Configuration DETAILED STEPS Step 1 encryption delete type6 Deletes all type-6 encrypted passwords. switch# encryption delete type6 Verifying the Password Encryption Configuration To display password encryption configuration information, perform the following task: Command show encryption service stat Displays the configuration status of the AES password encryption feature and the master key. For detailed information about the fields in the output from these commands, see the Cisco Nexus 7000 Series NX-OS Security Command Reference. Configuration Examples for Password Encryption The following example shows how to create a master key, enable the AES password encryption feature, and configure a type-6 encrypted password for a TACACS+ application: key config-key ascii New Master Key: Retype Master Key: configure terminal feature password encryption aes show encryption service stat Encryption service is enabled. Master Encryption Key is configured. Type-6 encryption is being used. feature tacacs+ tacacs-server key Cisco123 show running-config tacacs+ feature tacacs+ logging level tacacs 5 tacacs-server key 6 "JDYkqyIFWeBvzpljSfWmRZrmRSRE8syxKlOSjP9RCCkFinZbJI3GD5c6rckJR/Qju2PKLmOewbheAA==" Additional References for Password Encryption This section includes additional information related to implementing password encryption. 6 OL-20637-03

Feature History for Password Encryption Related Documents Related Topic Cisco NX-OS Licensing Command reference Document Title Cisco NX-OS Licensing Guide Cisco Nexus 7000 Series NX-OS Security Command Reference Standards Standards No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature. Title Feature History for Password Encryption This table lists the release history for this feature. Table 2: Feature History for Password Encryption Feature Name Password encryption Releases 5.2(1) Feature Information This feature was introduced. OL-20637-03 7

Feature History for Password Encryption 8 OL-20637-03

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information