Enhanced Password Security - Phase I



Similar documents
Enhanced Password Security - Phase I

Per-Packet Load Balancing

Router Security Audit Logs

Encrypted Preshared Key

Encrypted Preshared Key

Supported Platforms. Supported Standards, MIBs, and RFCs. Prerequisites. Related Features and Technologies. Related Documents. Improved Server Access

NetFlow Subinterface Support

GLBP - Gateway Load Balancing Protocol

Domain Name System Server Round-Robin Functionality for the Cisco AS5800

Transferring Files Using HTTP or HTTPS

Image Verification. Finding Feature Information. Restrictions for Image Verification

DHCP Server Port-Based Address Allocation

L2TP Dial-Out Load Balancing and Redundancy

Connecting to the Firewall Services Module and Managing the Configuration

Controlling Access to a Virtual Terminal Line

Configuring a Load-Balancing Scheme

Configuring Access Service Security

Firewall Stateful Inspection of ICMP

Telnet, Console and AUX Port Passwords on Cisco Routers Configuration Example

Lab Configure Syslog on AP

Flow-Based per Port-Channel Load Balancing

HTTP 1.1 Web Server and Client

Note: This case study utilizes Packet Tracer. Please see the Chapter 5 Packet Tracer file located in Supplemental Materials.

RADIUS Server Load Balancing

Configuring SNMP and using the NetFlow MIB to Monitor NetFlow Data

Configuring a Load-Balancing Scheme

Management, Logging and Troubleshooting

Backing Up and Restoring Data

Configuring the Cisco Secure PIX Firewall with a Single Intern

Cisco Routers and Switches

Configuring Secure Socket Layer HTTP

USB Disable for Cisco ISRs Feature Module

You can specify IPv4 and IPv6 addresses while performing various tasks in this feature. The resource

NetFlow v9 Export Format

Configuring a Cisco 2509-RJ Terminal Router

Configuring System Message Logging

Lab 5.5 Configuring Logging

Lab Load Balancing Across Multiple Paths Instructor Version 2500

Configuring Timeout, Retransmission, and Key Values Per RADIUS Server

Firewall Authentication Proxy for FTP and Telnet Sessions

Chapter 1: Planning Maintenance for Complex Networks. TSHOOT v6 Chapter , Cisco Systems, Inc. All rights reserved.

Lab Configure Basic AP Security through IOS CLI

Lab Creating a Network Map using CDP Instructor Version 2500

LAN-Cell to Cisco Tunneling

Virtual Fragmentation Reassembly

Configuring SIP Support for SRTP

Lab Configure Local AAA on Cisco Router

Configuring Role-Based Access Control

Lab 4.4.8a Configure a Cisco GRE over IPSec Tunnel using SDM

NetFlow Aggregation. Feature Overview. Aggregation Cache Schemes

Sophos UTM. Remote Access via PPTP. Configuring UTM and Client

QoS: Color-Aware Policer

Configuring SSH and Telnet

SNMP Version 3. Finding Feature Information. Information About SNMP Version 3. Security Features in SNMP Version 3

Reverse Proxy Caching

Configuring a Load-Balancing Scheme

Configuring VoIP Call Setup Monitoring

Configuring and Monitoring Citrix Branch Repeater

Lab Review of Basic Router Configuration with RIP. Objective. Background / Preparation. General Configuration Tips

Using Link Layer Discovery Protocol in Multivendor Networks

- The PIX OS Command-Line Interface -

VRRPv3: Object Tracking Integration

ROLE-BASED COMMAND-LINE INTERFACE ACCESS

Configuring a Leased Line

Basic Configuration of the Cisco Series Internet Router

Configuring the Content Routing Software

Lab Advanced Telnet Operations

Configuring Basic Settings

This feature was introduced. This feature was integrated in Cisco IOS Release 12.2(11)T.

Question How do I access the router s web-based setup page? Answer

Managing and Monitoring Network Management Features

Network Security and AAA

StarWind iscsi SAN Software: Challenge-Handshake Authentication Protocol (CHAP) for Authentication of Users

Configuring Password Encryption

Configuring Single Sign-on for WebVPN

Planning Maintenance for Complex Networks

Configuring Enhanced Object Tracking

Lab Load Balancing Across Multiple Paths

Configuring Password Encryption

BRI to PRI Connection Using Data Over Voice

How To Configure A Bomgar.Com To Authenticate To A Rdius Server For Multi Factor Authentication

Upgrading Software Using the Online Installer

Security Provider Integration RADIUS Server

Implementing Secure Shell

SNMP SECURITY A CLOSER LOOK JEFFERY E. HAMMONDS EAST CAROLINA UNIVERSITY ICTN 6865

How To Configure A Cisco Router With A Cio Router

Configuring CSS Remote Access Methods

Configuring Basic Settings

Dynamic DNS Support for Cisco IOS Software

VERALAB LDAP Configuration Guide

Using LiveAction with Cisco Secure ACS (TACACS+ Server)

Configuring Devices for Use with Cisco Configuration Professional (CCP) 2.5

Table of Contents. Cisco Configuring IPSec Cisco Secure VPN Client to Central Router Controlling Access

Configuring the MNLB Forwarding Agent

Lab 2.5.2a Configure SSH

Enabling Management Protocols: NTP, SNMP, and Syslog

Configuring and Monitoring Bluecoat AntiVirus

Monitoring DoubleTake Availability

Configuring Port Security

Transcription:

Enhanced Password Security - Phase I Feature History 120(18)S 121(8a)E 122(14)S This feature was introduced Support for this feature was integrated into Cisco IOS Release 121(8a)E This feature was integrated into Cisco IOS Release 122(14)S This document describes the Enhanced Password Security feature in Cisco IOS Release 121(8a)E It includes the following sections: Feature Overview, page 1 Supported Platforms, page 2 Supported Standards, MIBs, and RFCs, page 3 Configuration Tasks, page 3 Monitoring and Maintaining Enhanced Password Security, page 4 Configuration Examples, page 4 Command Reference, page 6 Glossary, page 9 Feature Overview Using the Enhanced Password Security feature, you can configure MD5 encryption for username passwords Before the introduction of this feature there were two types of passwords associated with usernames Type 0 is a clear text password visible to any user who has access to privileged mode on the router Type 7 is a password with a weak, exclusive-or type encryption Type 7 passwords can be retrieved from the encrypted text by using publicly available tools MD5 encryption is a one-way hash function that makes reversal of an encrypted password impossible, providing strong encryption protection Using MD5 encryption, you cannot retrieve clear text passwords MD5 encrypted passwords cannot be used with protocols that require that the clear text password be retrievable, such as Challenge Handshake Authentication Protocol (CHAP) Use the username (secret) command to configure a user name and an associated MD5 encrypted secret 1

Supported Platforms Enhanced Password Security - Phase I Benefits Enhanced Password Security provides a strong method of encryption for user passwords Restrictions Protocols which require the retrieval of clear text passwords, such as CHAP, cannot be used with MD5 encrypted passwords You can specify a username password, or a username secret, but not both Related Features and Technologies To establish a username-based authentication system, use the username command in global configuration mode See Passwords and Privileges Commands for more details Related Documents Cisco IOS Security Configuration Guide, Release 121 Cisco IOS Security Command Reference, Release 121 Improving Security on Cisco Routers Passwords and Privileges Commands Supported Platforms Cisco 7100 series Cisco 7200 routers Cisco 7500 series Cisco 7600 OSR Catalyst 6000 Determining Platform Support Through Cisco Feature Navigator Cisco IOS software is packaged in feature sets that are supported on specific platforms To get updated information regarding platform support for this feature, access Cisco Feature Navigator Cisco Feature Navigator dynamically updates the list of supported platforms as new platform support is added for the feature Cisco Feature Navigator is a web-based tool that enables you to determine which Cisco IOS software images support a specific set of features and which features are supported in a specific Cisco IOS image You can search by feature or release Under the release section, you can compare releases side by side to display both the features unique to each software release and the features in common 2

Enhanced Password Security - Phase I Supported Standards, MIBs, and RFCs To access Cisco Feature Navigator, you must have an account on Ciscocom If you have forgotten or lost your account information, send a blank e-mail to cco-locksmith@ciscocom An automatic check will verify that your e-mail address is registered with Ciscocom If the check is successful, account details with a new random password will be e-mailed to you Qualified users can establish an account on Ciscocom by following the directions found at this URL: http://wwwciscocom/register Cisco Feature Navigator is updated regularly when major Cisco IOS software releases and technology releases occur For the most current information, go to the Cisco Feature Navigator home page at the following URL: http://wwwciscocom/go/fn Availability of Cisco IOS Software Images Platform support for particular Cisco IOS software releases is dependent on the availability of the software images for those platforms Software images for some platforms may be deferred, delayed, or changed without prior notice For updated information about platform support and availability of software images for each Cisco IOS software release, refer to the online release notes or, if supported, Cisco Feature Navigator Supported Standards, MIBs, and RFCs Standards No new or modified standards are supported by this feature To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL: http://toolsciscocom/itdit/mibs/servlet/index If Cisco MIB Locator does not support the MIB information that you need, you can also obtain a list of supported MIBs and download MIBs from the Cisco MIBs page at the following URL: http://wwwciscocom/public/sw-center/netmgmt/cmtk/mibsshtml To access Cisco MIB Locator, you must have an account on Ciscocom If you have forgotten or lost your account information, send a blank e-mail to cco-locksmith@ciscocom An automatic check will verify that your e-mail address is registered with Ciscocom If the check is successful, account details with a new random password will be e-mailed to you Qualified users can establish an account on Ciscocom by following the directions found at this URL: http://wwwciscocom/register RFCs No new or modified RFCs are supported by this feature Configuration Tasks The following section details the configuration task necessary for the Enhanced Password Security feature Configuring Enhanced Security Password, page 4 (required) 3

Monitoring and Maintaining Enhanced Password Security Enhanced Password Security - Phase I Configuring Enhanced Security Password Step 1 Command Router(config)# username name secret 0 password or Router(config)# username name secret 5 encrypted-secret Purpose Configures a username and encrypts a clear text password with MD5 encryption Configures a username and enters an MD5 encrypted text string which is stored as themd5 encrypted password for the specified username Verifying MD5 Password Encryption Follow the steps below to verify MD5 encryption on a username password: Step 1 Step 2 Step 3 Configure an encrypted MD5 user password in global configuration mode Exit configuration mode and enter the login local command Verify that a valid user is able to log in through the console Monitoring and Maintaining Enhanced Password Security Use the following command to monitor and maintain Enhanced Password Security Command Router# show running-config Purpose Enter the show running-config command to verify that MD5 password encryption has been enabled If the username name secret 5 line appears in the command output, the Enhanced Password Security feature is enabled Configuration Examples This section provides the following configuration example: Configuring MD5 Encryption on a Clear Text Password Example, page 5 4

Enhanced Password Security - Phase I Configuration Examples Configuring MD5 Encryption on a Clear Text Password Example The following example configures username abc with the MD5 encrypted password xyz Output from the show running-config confirms that the MD5 encrypted password has been configured Note that the password itself is not displayed Router# configure terminal Router(config)# username abc secret 0 xyz Router(config)# exit Router# show running-config version 121 no service single-slot-reload-enable service timestamps debug uptime service timestamps log uptime no service password-encryption hostname CE logging rate-limit console 10 except errors no logging console enable secret 0 $1$53Ew$Dp8E4JGpg7rKxQa49BF9/ username abc secret 5 $1$fBYK$rH5/OChyx/ --Note that password xyz is not displayed ip subnet-zero Configuring MD5 Encryption on a MD5 Encrypted Text String Example The following example configures username cde and enters an MD5 encryption text string as the user password Output from the show running-config confirms that the MD5 encrypted password has been configured Note that the password itself is not displayed Router# configure terminal Router(config)# username cde secret 5 $1$feb0$a104Qd9UZ/Ak00KTggPD0 Router(config)# exit Router# show running-config version 121 no service single-slot-reload-enable service timestamps debug uptime service timestamps log uptime no service password-encryption hostname CE logging rate-limit console 10 except errors no logging console enable secret 5 $1$feb0$a104Qd9UZ/Ak00KTggPD0 username cde secret 5 ip subnet-zero 5

Command Reference Enhanced Password Security - Phase I Command Reference This section documents the modified command that configures the Enhanced Password Security feature All other commands used with this feature are documented in the Cisco IOS Release 121 command reference publications username (secret) 6

Enhanced Password Security - Phase I username (secret) username (secret) To encrypt a user password with MD5 encryption, use the username secret command in global configuration mode username name secret {0 password 5 encrypted-secret} Syntax Description name Specifies the user name 0 password Specifies a clear text password, which will be MD5 encrypted 5 encrypted-secret Specifies an MD5 encrypted text string, which will be stored as the encrypted user password Defaults No default behavior or values Command Modes Global configuration Command History Release Modification 100 This command was introduced 111 The following keywords and arguments were added: username name [callback-dialstring telephone-number] 120(18)S 121(8a)E 122(14)S username name [callback-rotary rotary-group-number] username name [callback-line [tty] line-number [ending-line-number]] username name [nocallback-verify] The following keywords were added: secret 0 secret 5 This command was integrated into Cisco IOS Release 121(8a)E This command was integrated into Cisco IOS Release 122(14)S Usage Guidelines Use the username secret command to configure a user name and MD5 encrypted user passworduse the 0 keyword to enable MD5 encryption on a clear text password Use the 5 keyword to enter an MD5 encryption string and save it as the usermd5 encrypted secret MD5 encryption is a strong encryption method which is not retrievable You cannot use MD5 encryption with protocols such as CHAP that require clear-text passwords Use the username secret command to provide an additional layer of security over the username password The username secret command provides better security by encrypting the password using non-reversible MD5 encryption, and storing the encrypted text The added layer of MD5 encryption is useful in environments where the password crosses the network or is stored on a TFTP server 7

username (secret) Enhanced Password Security - Phase I Use MD5 as the encryption type if you paste into this command an encrypted password that you copied from a router configuration file Caution If you specify MD5 encryption and then enter a clear text password, you will not be able to reenter enable mode You cannot recover a lost password that has been encrypted by any method If you use the same password for the enable password and username secret commands, you receive an error message warning that this practice is not recommended, but the password will be accepted By using the same password, however, you undermine the additional security the username secret command provides Examples The following example configures username abc and enables MD5 encryption on the clear text password xyz : username abc secret 0 xyz The following example configures username cde and enters an MD5 encrypted text string that is stored as the user name password: username cde secret 5 $1$feb0$a104Qd9UZ/Ak00KTggPD0 Related Commands Command Description enable password Sets a local password to control access to various privilege levels enable secret Specifies an additional layer of security over the enable password command username Establishes a username-based authentication system 8

Enhanced Password Security - Phase I Glossary Glossary CHAP Challenge-Handshake Authentication Protocol MD5 Message Digest 5 Algorithm used for message authentication in SNMP v2 MD5 verifies the integrity of the communication, authenticates the origin, and checks for timeliness 9

Glossary Enhanced Password Security - Phase I 10

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information