Configuring Password Encryption




This chapter describes how to configure password encryption on Cisco NX-OS devices. This chapter includes the following sections:

- Finding Feature Information
- Information About Password Encryption
- Licensing Requirements for Password Encryption
- Guidelines and Limitations for Password Encryption
- Default Settings for Password Encryption
- Configuring Password Encryption
- Verifying the Password Encryption Configuration
- Configuration Examples for Password Encryption
- Additional References for Password Encryption
- Feature History for Password Encryption

Finding Feature Information

Your software release might not support all the features documented in this module. For the latest caveats and feature information, see the Bug Search Tool at https://tools.cisco.com/bugsearch/ and the release notes for your software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the New and Changed Information chapter or the Feature History table below.

Information About Password Encryption

This section includes information about password encryption on Cisco NX-OS devices.

AES Password Encryption and Master Encryption Keys

You can enable strong, reversible 128-bit Advanced Encryption Standard (AES) password encryption, also known as type-6 encryption. To start using type-6 encryption, you must enable the AES password encryption feature and configure a master encryption key, which is used to encrypt and decrypt passwords. After you enable AES password encryption and configure a master key, all existing and newly created clear-text passwords for supported applications (currently RADIUS and TACACS+) are stored in type-6 encrypted format, unless you disable type-6 password encryption. You can also configure Cisco NX-OS to convert all existing weakly encrypted passwords to type-6 encrypted passwords.

Related Topics
Configuring a Master Key and Enabling the AES Password Encryption Feature
Configuring Global RADIUS Keys
Configuring a Key for a Specific RADIUS Server
Configuring Global TACACS+ Keys
Configuring a Key for a Specific TACACS+ Server

Virtualization Support for Password Encryption

The master key used with the AES password encryption feature is unique for each VDC.

Note: For more information on VDCs, see the Cisco Nexus 7000 Series NX-OS Virtual Device Context Configuration Guide.

Licensing Requirements for Password Encryption

The following table shows the licensing requirements for this feature:

Product:             Cisco NX-OS
License Requirement: Password encryption requires no license. Any feature not included in a license package is bundled with the Cisco NX-OS system images and is provided at no extra charge to you. For an explanation of the Cisco NX-OS licensing scheme, see the Cisco NX-OS Licensing Guide.

Guidelines and Limitations for Password Encryption

Password encryption has the following configuration guidelines and limitations:

- Only users with administrator privilege (network-admin or vdc-admin) can configure the AES password encryption feature, associated encryption and decryption commands, and master keys.
- RADIUS and TACACS+ are the only applications that can use the AES password encryption feature.
- Configurations containing type-6 encrypted passwords are not rollback compliant.
- You can enable the AES password encryption feature without a master key, but encryption starts only when a master key is present in the system.
- Deleting the master key stops type-6 encryption and causes all existing type-6 encrypted passwords to become unusable, unless the same master key is reconfigured.
- Before you downgrade from Cisco NX-OS Release 5.2 to an earlier release, decrypt all type-6 passwords, disable the AES password encryption feature, and delete the master key.
- To move the device configuration to another device, either decrypt the configuration before porting it to the other device or configure the same master key on the device to which the configuration will be applied.

Default Settings for Password Encryption

This table lists the default settings for password encryption parameters.

Table 1: Default Password Encryption Parameter Settings

Parameters                       Default
AES password encryption feature  Disabled
Master key                       Not configured

Configuring Password Encryption

This section describes the tasks for configuring password encryption on Cisco NX-OS devices.

Note: If you are familiar with the Cisco IOS CLI, be aware that the Cisco NX-OS commands for this feature might differ from the Cisco IOS commands that you would use.

Configuring a Master Key and Enabling the AES Password Encryption Feature

You can configure a master key for type-6 encryption and enable the Advanced Encryption Standard (AES) password encryption feature.

SUMMARY STEPS

1. [no] key config-key ascii
2. configure terminal
3. [no] feature password encryption aes
4. (Optional) show encryption service stat
5. copy running-config startup-config

DETAILED STEPS

Step 1  [no] key config-key ascii

    switch# key config-key ascii
    New Master Key:
    Retype Master Key:

Configures a master key to be used with the AES password encryption feature. The master key can contain between 16 and 32 alphanumeric characters. You can use the no form of this command to delete the master key at any time. If you enable the AES password encryption feature before configuring a master key, a message appears stating that password encryption will not take place unless a master key is configured. If a master key is already configured, you are prompted to enter the current master key before entering a new master key.

Step 2  configure terminal

    switch# configure terminal

Enters global configuration mode.

Step 3  [no] feature password encryption aes

    switch(config)# feature password encryption aes

Enables or disables the AES password encryption feature.

Step 4  show encryption service stat

    switch(config)# show encryption service stat

(Optional) Displays the configuration status of the AES password encryption feature and the master key.

Step 5  copy running-config startup-config

    switch(config)# copy running-config startup-config

Copies the running configuration to the startup configuration.

Note: This command is necessary to synchronize the master key in the running configuration and the startup configuration.

Related Topics
AES Password Encryption and Master Encryption Keys
Configuring Text for a Key
Configuring Accept and Send Lifetimes for a Key

Converting Existing Passwords to Type-6 Encrypted Passwords

You can convert existing plain or weakly encrypted passwords to type-6 encrypted passwords.

Before You Begin

Ensure that you have enabled the AES password encryption feature and configured a master key.

SUMMARY STEPS

1. encryption re-encrypt obfuscated

DETAILED STEPS

Step 1  encryption re-encrypt obfuscated

    switch# encryption re-encrypt obfuscated

Converts existing plain or weakly encrypted passwords to type-6 encrypted passwords.

Converting Type-6 Encrypted Passwords Back to Their Original States

You can convert type-6 encrypted passwords back to their original states.

Before You Begin

Ensure that you have configured a master key.

SUMMARY STEPS

1. encryption decrypt type6

DETAILED STEPS

Step 1  encryption decrypt type6

    switch# encryption decrypt type6
    Please enter current Master Key:

Converts type-6 encrypted passwords back to their original states.

Deleting Type-6 Encrypted Passwords

You can delete all type-6 encrypted passwords from the Cisco NX-OS device.

SUMMARY STEPS

1. encryption delete type6

DETAILED STEPS

Step 1  encryption delete type6

    switch# encryption delete type6

Deletes all type-6 encrypted passwords.

Verifying the Password Encryption Configuration

To display password encryption configuration information, perform the following task:

Command: show encryption service stat
Displays the configuration status of the AES password encryption feature and the master key.

For detailed information about the fields in the output from these commands, see the Cisco Nexus 7000 Series NX-OS Security Command Reference.

Configuration Examples for Password Encryption

The following example shows how to create a master key, enable the AES password encryption feature, and configure a type-6 encrypted password for a TACACS+ application:

    key config-key ascii
    New Master Key:
    Retype Master Key:
    configure terminal
    feature password encryption aes
    show encryption service stat
    Encryption service is enabled.
    Master Encryption Key is configured.
    Type-6 encryption is being used.
    feature tacacs+
    tacacs-server key Cisco123
    show running-config tacacs+
    feature tacacs+
    logging level tacacs 5
    tacacs-server key 6 "JDYkqyIFWeBvzpljSfWmRZrmRSRE8syxKlOSjP9RCCkFinZbJI3GD5c6rckJR/Qju2PKLmOewbheAA=="

Additional References for Password Encryption

This section includes additional information related to implementing password encryption.

Related Documents

Related Topic           Document Title
Cisco NX-OS Licensing   Cisco NX-OS Licensing Guide
Command reference       Cisco Nexus 7000 Series NX-OS Security Command Reference

Standards

Standards: No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature.
Title: (none listed)

Feature History for Password Encryption

This table lists the release history for this feature.

Table 2: Feature History for Password Encryption

Feature Name          Releases   Feature Information
Password encryption   6.0(1)     No change from Release 5.2.
Password encryption   5.2(1)     This feature was introduced.
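The Guidelines section says that only RADIUS and TACACS+ keys are covered and that existing weakly encrypted passwords should be converted to type-6, and the Verifying section gives `show encryption service stat` as the status check. A practical complement is to audit saved `show running-config` output for keys that were never converted. The following Python script is an added example and is not part of the Cisco document. It matches the `radius-server key` and `tacacs-server key` line forms (global, or per server with `host <address>`, with an optional leading key-type digit where 0 is clear text, 7 is the weakly encrypted "obfuscated" form, and 6 is AES, as in the chapter's own example) and reports every key that is not type-6, plus whether `feature password encryption aes` is present. The two sample configurations, their addresses and their key strings are constructed for the example. The script only reads configuration text; it cannot tell whether a master key is actually configured, so `show encryption service stat` remains the authoritative check for that.

```python
"""Audit Cisco NX-OS running-config text for RADIUS/TACACS+ shared keys
that are still clear text (type 0) or weakly encrypted (type 7) instead
of type-6 (AES).  Added example for this chapter; not Cisco code.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Global and per-server key lines as they appear in 'show running-config':
#   tacacs-server key Cisco123
#   tacacs-server host 192.0.2.10 key 7 "wawy3125.krwqt"
#   radius-server key 6 "JDYk...=="
# The optional digit after 'key' is the key type: 0 clear text,
# 7 weakly encrypted ("obfuscated"), 6 AES (type-6).  No digit means 0.
KEY_LINE = re.compile(
    r"^\s*(?P<app>radius|tacacs)-server\s+"
    r"(?:host\s+(?P<host>\S+)\s+)?key\s+"
    r"(?:(?P<type>[067])\s+)?(?P<value>\S+)"
)
AES_FEATURE = re.compile(r"^\s*feature password encryption aes\s*$", re.M)

KEY_TYPE_NAMES = {"0": "clear text", "7": "type-7 (weakly encrypted)", "6": "type-6 (AES)"}


@dataclass
class Finding:
    line_no: int
    app: str        # "radius" or "tacacs"
    scope: str      # "global" or the server address from 'host'
    key_type: str   # "0" or "7" (type-6 keys are counted, not reported)

    def describe(self) -> str:
        return (f"line {self.line_no}: {self.app}-server key ({self.scope}) "
                f"is {KEY_TYPE_NAMES[self.key_type]}")


@dataclass
class AuditReport:
    aes_feature_enabled: bool
    findings: list[Finding] = field(default_factory=list)
    type6_count: int = 0

    def remediation(self) -> list[str]:
        """Steps from the chapter that the findings call for."""
        steps = []
        if not self.aes_feature_enabled:
            steps.append("Enable 'feature password encryption aes' and configure a "
                         "master key with 'key config-key ascii' (16-32 alphanumeric chars).")
        if self.findings:
            steps.append("Run 'encryption re-encrypt obfuscated' to convert the keys "
                         "above to type-6, then 'copy running-config startup-config'.")
        return steps


def audit_config(config_text: str) -> AuditReport:
    """Classify every RADIUS/TACACS+ key line in the config by key type."""
    report = AuditReport(aes_feature_enabled=bool(AES_FEATURE.search(config_text)))
    for line_no, line in enumerate(config_text.splitlines(), start=1):
        m = KEY_LINE.match(line)
        if not m:
            continue
        key_type = m.group("type") or "0"      # no digit: clear text
        scope = m.group("host") or "global"
        if key_type == "6":
            report.type6_count += 1
        else:
            report.findings.append(Finding(line_no, m.group("app"), scope, key_type))
    return report


# Constructed sample: a device before the feature is enabled.  Addresses
# and key strings are made up for this example, not real credentials.
SAMPLE_BEFORE = """\
version 6.0(1)
feature tacacs+
feature radius
logging level tacacs 5
tacacs-server key Cisco123
tacacs-server host 192.0.2.10 key 7 "wawy3125.krwqt"
radius-server key 0 radiusSharedSecret
radius-server host 192.0.2.20 key 6 "CONSTRUCTED_TYPE6_BLOB=="
"""

# Constructed sample: the same device after 'encryption re-encrypt obfuscated'.
SAMPLE_AFTER = """\
version 6.0(1)
feature password encryption aes
feature tacacs+
feature radius
tacacs-server key 6 "CONSTRUCTED_TYPE6_BLOB_A=="
tacacs-server host 192.0.2.10 key 6 "CONSTRUCTED_TYPE6_BLOB_B=="
radius-server key 6 "CONSTRUCTED_TYPE6_BLOB_C=="
radius-server host 192.0.2.20 key 6 "CONSTRUCTED_TYPE6_BLOB_D=="
"""


def main() -> None:
    for label, text in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        report = audit_config(text)
        print(f"[{label}] AES feature enabled: {report.aes_feature_enabled}, "
              f"type-6 keys: {report.type6_count}, non-type-6 keys: {len(report.findings)}")
        for finding in report.findings:
            print("  " + finding.describe())
        for step in report.remediation():
            print("  -> " + step)


if __name__ == "__main__":
    main()
```

On a real device, redirect `show running-config` to a file and pass its contents to `audit_config`. Keys the script does not see (the master key itself, which the chapter says is synchronized to startup-config with `copy running-config startup-config`) are outside its scope.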