Question Regarding Enable Password..

I took the CCNA 640-607 exam and failed with an 839 due to what i believed was a test error. Prometric gave me a free retest and i had the same test the 2nd time around (simulation wise) and failed with an 847.

What's killing me is the password lab. Keep in mind when i took the CCNA classes at the University here i passed with flying colors (97 percent sustained average, highest in class) and router configuration was my forte.

VTY password- easy
Console0 Password- easy
Enable password- easy

Encrypting enable password- what's got me befuddled.

We did the lab in class after someone else took the exam and passed, but was confused on the encrypting of the enable password. The method we used was by using the "service password-encryption" command to encrypt the enable password.

Based on page 635 of Cisco Networking Academy Program (CNAP) First-year companion guide, second edition (the text given to me when I enrolled in the CNAP program by Southern Polytechnic) the following is true:

“The enable secret password from the system config dialog uses a cisco-proprietary encryption process to alter the password character string. Passwords can be further protected from display through the use of the service password-encryption command. The encryption algorithm does not match the Data Encryption Standard (DES).”

That's verbatim what's in cisco's textbook for this exam. The enable secret is encrypted by default, but router-config defaults to 'no service password-encryption' such that the enable password is visible in clear text.

On the exam, however, the service command is not supported. I felt this an error because the textbook offers no other recourse to encrypt an enable password, but according to Cisco (after 4 weeks of silence on their part and me pushing the issueat least once every 4 business days) the exam is 'working as intended' and obviously they weren't going to point me in the right direction.

Any help you can offer is appreciated. Granted, i could have just gotten another question right, but i dont feel i should have failed becasue of inconsistency within their own texts. Obviously there must be another method to encrypt the enable password because the service password-encryption command was not supported in Cisco's simulator.

Sincerely,

-Jon

P.S.- i'm one of those people with an **** retentive memory..i'm sure they were not asking for an enable secret password. nowhere in the question was the word 'secret'.

Find more posts tagged with

Save $250 on 2025 certification boot camps from Infosec!

Book now with code EOY2025

Button

Comments

Webmaster

Sorry to hear you failed...

Dokudorf wrote:

That's verbatim what's in cisco's textbook for this exam. The enable secret is encrypted by default, but router-config defaults to 'no service password-encryption' such that the enable password is visible in clear text.

I think this is where you go wrong, the enable password and the enable secret are two different lines in the configuration (should be different passwords as well*)
The 'enable secret' password is always encrypted even if 'no service password-encryption' is configured. This command offers encryption to passwords that would normally appear in clear text in the configuration file.

When 'enable secret' is set 'enable password' will be ingnored. (there's no need to set the 'enable password' when the 'enable secret' is set unless you boot from older IOS on rom or TFTP server that can't recognize the 'enable secret' password, then the 'enable password' will be used instead)

* The reason these two passwords should be different should be obvious by now... what's the use of using an 'enable secret' (encrypted in configuration) when you set and identical 'enable password' password which is stored as clear text in the config...

I hope this clears things up.

i'm sure they were not asking for an enable secret password. nowhere in the question was the word 'secret'

I'm positive they were, you might get something about the 'service password-encryption' command in classes or books and maybe even in a multiple choice question, but this command is definitely beyond the scope of the simulations... (and probably needless to say, but the word 'secret' does not need to be in the questions for the answer to contain it..)

Let us know if there's anything else. Did you plan your next retake?

Johan

Dokudorf

Thanks for your input... let's say you need to initialize a privileged exec mode with password of "frank". A telnet password needs to be enabled with password "bubba" and there needs to be a console password initiazled as "betty." Furthermore, the priviledged exec mode needs to be encrypted.

How would you go about this? I went and did the following:

enable password frank

line vty 0 4
login
password bubba

line console 0
login
password betty

After that i got stuck on the encryption part. Do you think they were really just looking for an enable secret? If so what would the password be?

If the enable password is frank and the enable secret then cant be frank and thus the password to go to priviledged mode would be something different (and not given by the simulator question)

Would you make the enable password something else and the enable secret frank?

Kinda confused as to how to go about this if the enable secret is what they were really asking for.

Thanks again,

-Jon

Btw, i'm prep'ing for my retake now after i got the unsatisfactory response from Cisco. Should be taking it in a week or two. I wanna get it done before May for sure. Wanna be 17 with some cert letters for my resume. That's the goal.

Webmaster

(I had to edit/reword your post a bit, please don't post actual questions, just the concept/topic.)

In your config you are setting an unencrypted enable password. Use the command 'enable secret frank' instead of 'enable password frank', not both... that's it. Like I said in my previous post, there's no need to set both.

Good luck on your retake!
(I'm going to add some new questions to our CCNA practice exam, be sure to check'm out)

Dokudorf

Thanks for your help..i'll be sure to check out those updated question's.

One more thing though-

Isn't there something regarding the telnet password that an enable password has to be set before you can set a VTY line password or is my memory flawed?

For some reason i didn't connect a mental A to B in that i didn't have to have both passwords to have a secret password.

Thanks again!

-Jon

Webmaster

Isn't there something regarding the telnet password that an enable password has to be set before you can set a VTY line password or is my memory flawed?

If you set the enable secret, you will have configured an enable password... but maybe you are referring to the fact that you have to set a VTY password before you can access through telnet, otherwise you'll get an error message something like 'no password set'. It can't be blank.

Johan

Dokudorf

That was what i was thinking about, thanks for the correction!

Webmaster

You're welcome

sikdogg

I'd also like to add the even if you wanted to, the IOS won't allow you to set the "enable secret" password the same as the "enable" password.