Cisco Support Community
New Member

"Secret" Passwords under VTY, CON, and AUX Line ports

I would like to set up MD5 passwords under the VTY, CON, and AUX line ports, but the IOS (c2951-universalk9-mz.SPA.151-4.M1.bin) only lets me set up a "7" hidden password. Is there any way to do this?

4 REPLIES
Hall of Fame Super Silver

If you want to use MD5 passwords, specify "login local" under the line commands. Then create local usernames with MD5 passwords, e.g.:

username gsanin privilege 15 secret <plaintext password>

The CLI parser will encrypt your plaintext entry after you enter the command, and the running-configuration will store the password in its encrypted form.

New Member

Marvin,

Thank you for your reply.

We are also using TACACS+. Will I still need to create a local username? I guess the point is to be able to access the device via out of band, so I would still need the local username. Is that an accurate assumption?

Thanks again.

Hall of Fame Super Silver

If you're using TACACS+ as your primary authentication method, then you don't need to put either a password or "login local" under your line configurations.

Instead, you use aaa new-model and set up an authentication method list that includes the TACACS server group as the primary method (and local as fallback). A local username is there for use if and only if the configured TACACS servers are unavailable.

Have a look at the Cisco Validated Design page at Campus Wired LAN Technology Design Guide - April 2014 (specifically steps 10 and 11 on pages 26-27) for more details.
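
The two answers above, shown as one before/after configuration. This is an added example, not part of the original thread or of Cisco's design guide; the server address 192.0.2.10, the group name TACACS-SERVERS, the user name fallback-admin and the bracketed placeholders are assumptions.

```cisco
! BEFORE: per-line passwords. Line passwords can only be stored as
! type 7, which is reversible obfuscation, not a hash.
service password-encryption
line con 0
 password 7 <type-7 string>
 login
line aux 0
 password 7 <type-7 string>
 login
line vty 0 4
 password 7 <type-7 string>
 login
!
! AFTER: AAA decides who may log in on every line.
aaa new-model
!
! TACACS+ server and server group (address and names are placeholders)
tacacs-server host 192.0.2.10 key <shared-key>
aaa group server tacacs+ TACACS-SERVERS
 server 192.0.2.10
!
! Default method list: try the TACACS+ group first; the local user
! database is consulted only when no TACACS+ server responds.
aaa authentication login default group TACACS-SERVERS local
!
! Fallback account. "secret" stores an MD5 hash (type 5) in the
! running-configuration instead of a type 7 string.
username fallback-admin privilege 15 secret <plaintext password>
!
! The default list applies to CON, AUX and VTY without any per-line
! login command, so the old type 7 line passwords can be removed.
line con 0
 no password
line aux 0
 no password
line vty 0 4
 no password
```

After applying it, `show running-config | include ^username|^aaa` should list the method list and the fallback user with `secret 5`, and no `password 7` entries should remain under the line sections.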

New Member

Thank you Marvin. I really appreciate your help on this.
