
Set Username & Password on Cisco 3750 Switch

Hi Team,

I want to configure a "Username & Password" on a Cisco 3750 switch.

I need to configure it as "username xxxxxx  privilege 15 password 5 xxxxxxx".

Is it possible to create a password with level 5?

I want to know about level 5 "password" & level 7 "password".

When I tried, I was not able to configure with "password 5".

Please help me resolve the issue.

Regards,

Sen


Mark Potter
Level 1

Try:

username privilege 15 secret

e.g. name = mark , password = mypass

username mark privilege 15 secret mypass

Basically password is easily reversible, secret isn't.

Thanks Potterm,

But I want to use "Username privilege 15 password 5 $1$Z3fsOO.p$7alNAnUmVSd5ucARj7CsO0"

Is it possible?

regards,

Sen

Hi,

The options are 0 or 7.  There is no 5.

see below from a 3750

Switch(config)#username cisco privilege 15 password 5

% Incomplete command.

Switch(config)#username cisco privilege 15 password ?

  0     Specifies an UNENCRYPTED password will follow

  7     Specifies a HIDDEN password will follow

  LINE  The UNENCRYPTED (cleartext) user password

HTH

You can't use password with 5.

password only supports 0 and 7

secret supports 0 and 5

SWITCH1(config)#username mark privilege 15 password ?

  0     Specifies an UNENCRYPTED password will follow

  7     Specifies a HIDDEN password will follow

  LINE  The UNENCRYPTED (cleartext) user password

SWITCH1(config)#username mark privilege 15 secret ?

  0     Specifies an UNENCRYPTED secret will follow

  5     Specifies a HIDDEN secret will follow

  LINE  The UNENCRYPTED (cleartext) user secret

If you want 5 you need to use secret as in example below.

username privilege 15 secret 5

Best of luck.

Mark.

Thanks Potterm,

I try this.....

What is the difference between the two methods below? What is the enable password for this?

SWITCH1(config)#username mark privilege 15 password ?

  0     Specifies an UNENCRYPTED password will follow

  7     Specifies a HIDDEN password will follow

  LINE  The UNENCRYPTED (cleartext) user password

SWITCH1(config)#username mark privilege 15 secret ?

  0     Specifies an UNENCRYPTED secret will follow

  5     Specifies a HIDDEN secret will follow

  LINE  The UNENCRYPTED (cleartext) user secret

Regards,

Sen

secret I believe uses better password security/algorithm to store passwords in the config.

password is less secure, better off googling that.

The enable password is whatever you make it.

enable secret

e.g. enable password = mypass

enable secret mypass

Mark.

Thank you so much...

I will try and let you know....

Regards,

Sen

Hi,

Please find the below config. (This one is already configured on the switch.)

Config:

----------

enable secret 5 $1$UK0G$d4QXwakilHzVNyjZEjyXk.

!

username privilege 15 password 7 122050460A5809537D2808

aaa new-model

!

I want to configure like this.

Here someone has already configured secret 5 < password >. Can I create one more secret password?

Please, I want to use an encrypted password. Is it possible?

Error:

------

ERROR: The secret you entered is not a valid encrypted secret.
To enter an UNENCRYPTED secret, do not specify type 5 encryption.
When you properly enter an UNENCRYPTED secret, it will be encrypted.

Thanks.......

Regards,

Sen

Hello,

just do it like mentioned above.

For unencrypted password:

username superman privilege 15 password mypassword

Result in config:

!

username superman privilege 15 password 0 mypassword

!

You can also set the "service password-encryption" globally

then the config will look like this:

!

username superman privilege 15 password 09878419047

!

But that is just some kind of hash afaik! So you can easily "encrypt" it, google for that.

More Secure is:

username superman privilege 15 secret mypassword

Looks in config:

!

username superman privilege 15 secret 5 $1$hqMA$adgOgpNk91XnQPjwv6CgT.

!

This is more secure ..

So you have two choices,

username XY priv 15 password XY

username XY priv 15 secret XY

and optionally (I would always set this, it encrypts all PWs in the cfg)

service password-encryption

Greets

John Blakley
VIP Alumni

To change your password, do everything everyone else stated above. The differences between the passwords are:

The "password" attribute allows type 0 (unencrypted) and type 7 (Vigenère). The type 7 is easily decryptable and there are several utilities online that can reverse the password with ease.

The "secret" attribute allows type 0 (unencrypted) and type 5 (MD5) hash. The type 5 is a one-way hash that the router can compare your password to when logging in. If your password hash matches the local password, you're allowed in.

The reason that you have the choice of type 5 or type 7 "secret 5" or "password 7" is because when you have a running config, you can copy and paste the already "hashed" version of the password and the system knows how to deal with the password that you just pasted. In fact, if you were to put "username admin password 0 admin", IOS will change it to "username admin password 7 xxxxxx" if the "service password-encryption" is enabled. The "service password-encryption" doesn't need to be enabled for the "secret" attribute, but there are other passwords in the router that are only affected if the password encryption is on, so I still recommend having it enabled.

In short, if you don't know what the password hash is because you don't already have a running config in hand, then always use "0" as your password attribute and the system will change the attribute to either 7 or 5 depending on your use of "password" or "secret" respectively.

HTH,

John

***** Please rate all useful posts *****
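
Added example (not posted by any participant in this thread): a small Python check that applies the rules discussed above to config lines, namely which type digits "password" and "secret" accept and what a well-formed type 5 or type 7 string looks like. The function names and the username "sen" are assumptions made for the example; the hash strings are the ones quoted in the thread.

```python
import re

# Type digits each keyword accepts, per the CLI help output quoted in the thread.
ALLOWED = {"password": {"0", "7"}, "secret": {"0", "5"}}
# Type 5 is an MD5-crypt string: $1$<salt>$<22 characters>.
TYPE5_RE = re.compile(r"^\$1\$[./0-9A-Za-z]{1,8}\$[./0-9A-Za-z]{22}$")
# Type 7 is two decimal digits followed by hex byte pairs.
TYPE7_RE = re.compile(r"^\d{2}(?:[0-9A-Fa-f]{2})+$")
LINE_RE = re.compile(
    r"^(?:username\s+\S+\s+(?:privilege\s+\d+\s+)?|enable\s+)"
    r"(?P<kw>password|secret)\s+(?:(?P<type>\d)\s+)?(?P<value>\S+)$")

def audit_line(line):
    """Return (status, detail) for a credential line, None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    kw, typ, value = m["kw"], m["type"] or "0", m["value"]
    if typ not in ALLOWED[kw]:
        return ("rejected", f"'{kw}' has no type {typ}; use 'secret' for type 5")
    if typ == "5" and not TYPE5_RE.match(value):
        return ("rejected", "not a valid type 5 string; enter cleartext without the 5")
    if typ == "7" and not TYPE7_RE.match(value):
        return ("rejected", "not a valid type 7 string")
    if typ == "0" and kw == "secret":
        return ("ok", "cleartext input, stored as a type 5 hash")
    if typ == "5":
        return ("ok", "one-way MD5 hash")
    # Remaining cases: 'password' with type 0 or type 7.
    return ("weak", "cleartext or reversible type 7; prefer 'secret'")

def audit_config(text):
    """Audit every credential line in a config; returns [(line, status, detail)]."""
    checked = ((ln.strip(), audit_line(ln)) for ln in text.splitlines())
    return [(ln, *res) for ln, res in checked if res]

# Constructed sample config; the hash strings are the ones quoted in the thread.
SAMPLE = """\
enable secret 5 $1$UK0G$d4QXwakilHzVNyjZEjyXk.
username sen privilege 15 password 5 $1$Z3fsOO.p$7alNAnUmVSd5ucARj7CsO0
username sen privilege 15 secret 5 mypass
username sen privilege 15 password 7 023E077B07041D791C
username superman privilege 15 secret 5 $1$hqMA$adgOgpNk91XnQPjwv6CgT.
aaa new-model
"""

if __name__ == "__main__":
    for line, status, detail in audit_config(SAMPLE):
        print(f"{status:9} {line}\n          -> {detail}")
```

The third sample line is the case behind the "not a valid encrypted secret" error shown earlier in the thread: the 5 tells IOS to expect an existing hash, so cleartext after it is refused.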


Hi,

If I create a local account like "username xxxxxx privilege 15 password 7 023E077B07041D791C"

When can I use this local account? After configuring it I tried to log in, but I am not able to log in.

I think I can log in only if TACACS is not in use, am I correct?

Please confirm how to use this account. When can I log in?

Regards,

Sen

If you have tacacs or radius configured with aaa authentication, it's going to use one of those servers first. If the server responds at all, it won't fail over to the local database. If you're not using aaa authentication, and you only need to use the local database, you'll need to change your lines to use the local database:

line vty 0 4

login local

Then you'll be able to use the login. Since you mentioned tacacs though, you could do something like:

aaa authentication login default local group tacacs

If the user doesn't exist on the local database, it should roll over to the tacacs server.

HTH,
John

*** Please rate all useful posts ***
