AAA - secret
sendalot
Member Posts: 328
Having an AAA crisis.
Please help me clarify some things.
"enable secret level 5 abc" means pw "abc" for level 5 access?
"enable secret 5 abc" means pw "abc" with md5 hashed form?
Some textbook examples show "enable secret 5 @38diL?1i2jfSS", but how can a human being enter it in hashed format?
Or does the CLI automatically convert the command input?
But then when I do "run config" after I hit the above command, would I see "enable secret 5 @38diL?1i2jfSS"?
Lastly, if I do a "debug" on local DB AAA later on, would only the password matter, since there is no username?
(If you could cite a published source when answering, I'd greatly appreciate it.)
Thanks.
Comments
-
RouteMyPacket Member Posts: 1,104
> Having an AAA crisis.
> Please help me clarify some things.
> "enable secret level 5 abc" means pw "abc" for level 5 access?
Correct
> "enable secret 5 abc" means pw "abc" with md5 hashed form?
> Some textbook examples show "enable secret 5 @38diL?1i2jfSS", but how can a human being enter it in hashed format? Or does the CLI automatically convert the command input?
If you are pasting in a hashed password from another device, per se, this is where the "5" comes in. Do an "enable secret ?" to learn more on this.
> But then when I do "run config" after I hit the above command, would I see "enable secret 5 @38diL?1i2jfSS"?
If you entered it hashed with the "5", yes. If you did a normal "enable secret password123", it would come back hashed in a "sh run" if you had service password-encryption enabled.
> Lastly, if I do a "debug" on local DB AAA later on, would only the password matter, since there is no username?
> (If you could cite a published source when answering, I'd greatly appreciate it.)
Published resource = my brain
> Thanks.
Modularity and Design Simplicity:
Think of the 2:00 a.m. test—if you were awakened in the middle of the night because of a network problem and had to figure out the traffic flows in your network while you were half asleep, could you do it?
-
sendalot Member Posts: 328
So does "enable secret" have a username tied to it?
I thought it had no username tied to it, and that's why when we do "enable," it doesn't ask for a username?
Thanks.
(PS: that's a great source!)
-
RouteMyPacket Member Posts: 1,104
No, enable secret and the local database are two separate things.
-
sendalot Member Posts: 328
I guess at ICND R&S scope, it's enable secret. But when we are talking AAA, there are always usernames tied to the pw?
-
RouteMyPacket Member Posts: 1,104
During AAA, we are leveraging... well... an AAA server. Say, for instance, ACS; should the TACACS server be unavailable, we would want to leverage the local database username/password so we could get into our gear.
enable secret password123
username sendalot privilege 15 secret password123
Also, when you want to log in to your gear, configure the vty line to allow local login.
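The thread touches two things a practitioner ends up checking on a real box: what form each credential takes in "show run" (a type 5 "enable secret" is an md5crypt hash that IOS verifies the typed password against, and it is stored that way whether or not service password-encryption is on; that command only obfuscates "enable password" and line passwords as type 7, which is trivially reversible), and whether the AAA login method list actually falls back to the local database when the TACACS+ server is unreachable. The following Python is an added example, not code from the thread or from Cisco: it parses a constructed running-config (embedded below and labelled as such), classifies every credential line, decodes any type 7 value, and reports which lines would lock you out if the AAA server were down. It goes a little beyond the thread by also handling the "level" keyword and types 8/9. Assumptions: the type 7 string in the sample is the widely published encoding of "cisco"; the type 5 value is only a placeholder in the $1$salt$hash shape (the example checks that shape, it does not implement md5crypt); the function names are the example's own.

```python
"""Added example: audit Cisco IOS credential lines and AAA login fallback."""
import re

# Well-known Cisco type 7 key stream; a public constant, not a secret.
_TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"

# Constructed sample config for this example. The type 7 value is the published
# encoding of "cisco"; the type 5 value is a placeholder in $1$salt$hash shape,
# not a real hash of any password.
SAMPLE_CONFIG = """\
service password-encryption
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login CONSOLE local
enable secret 5 $1$saltsalt$AAAAAAAAAAAAAAAAAAAAAA
enable password 7 0822455D0A16
username sendalot privilege 15 secret 5 $1$saltsalt$AAAAAAAAAAAAAAAAAAAAAA
username backup password 7 0822455D0A16
line con 0
 login authentication CONSOLE
line vty 0 4
 login authentication default
 transport input ssh
"""


def decode_type7(encoded: str) -> str:
    """Reverse a type 7 string: two decimal digits of key offset, then hex bytes
    XORed with the key stream. Obfuscation, not encryption."""
    if len(encoded) < 4 or len(encoded) % 2 or not encoded[:2].isdigit():
        raise ValueError("not a type 7 string")
    offset = int(encoded[:2])
    body = bytes.fromhex(encoded[2:])  # ValueError on non-hex input
    return bytes(
        b ^ _TYPE7_KEY[(offset + i) % len(_TYPE7_KEY)] for i, b in enumerate(body)
    ).decode("ascii")


_CRED_RE = re.compile(
    r"^(?P<cmd>enable secret|enable password|username \S+(?: privilege \d+)? (?:secret|password))"
    r"(?: level (?P<level>\d+))?(?: (?P<type>\d+))? (?P<value>\S+)$"
)
_MD5CRYPT_RE = re.compile(r"^\$1\$[./0-9A-Za-z]{1,8}\$[./0-9A-Za-z]{22}$")


def classify_credential(line: str):
    """Describe one credential line as IOS stores or shows it; None if not one."""
    m = _CRED_RE.match(line.strip())
    if not m:
        return None
    typ, value = m.group("type"), m.group("value")
    if typ == "5":  # must be a real $1$ hash; "enable secret 5 abc" is rejected by IOS
        form = "md5crypt hash, not reversible" if _MD5CRYPT_RE.match(value) else "type 5 but malformed hash"
    elif typ in ("8", "9"):
        form = "PBKDF2-SHA256 (8) / scrypt (9) hash, not reversible"
    elif typ == "7":
        form = "type 7, reversible: " + decode_type7(value)
    elif typ in (None, "0"):
        stored = "hashed" if "secret" in m.group("cmd") else "cleartext or type 7"
        form = "cleartext as typed; IOS stores it " + stored
    else:
        form = "unrecognised type " + typ
    return {"cmd": m.group("cmd"), "level": m.group("level"), "type": typ, "form": form}


def aaa_login_lists(config: str) -> dict:
    """Map each 'aaa authentication login' list to its methods and whether the
    local database is a fallback for when the TACACS+/RADIUS server is down."""
    lists = {}
    for m in re.finditer(r"^aaa authentication login (\S+) (.+)$", config, re.M):
        methods = m.group(2).split()
        lists[m.group(1)] = {"methods": methods,
                             "local_fallback": bool({"local", "local-case"} & set(methods))}
    return lists


def line_auth(config: str) -> dict:
    """Map each 'line ...' block to the login list it uses (unspecified means 'default')."""
    result, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw[5:].strip()
            result[current] = "default"
        elif current and raw.startswith(" "):
            m = re.match(r"\s+login authentication (\S+)", raw)
            if m:
                result[current] = m.group(1)
        else:
            current = None
    return result


def audit(config: str) -> dict:
    """Collect credential forms, method lists, line bindings and lockout/exposure findings."""
    creds = [c for c in map(classify_credential, config.splitlines()) if c]
    lists, lines = aaa_login_lists(config), line_auth(config)
    findings = [c["form"] for c in creds if "reversible:" in c["form"]]
    for name, auth in lines.items():
        if auth in lists and not lists[auth]["local_fallback"]:
            findings.append(f"{name}: list {auth} has no local fallback")
    return {"credentials": creds, "aaa_login": lists, "lines": lines, "findings": findings}


if __name__ == "__main__":
    for key, val in audit(SAMPLE_CONFIG).items():
        print(key, val)
```

Running it against the sample shows both type 7 lines decoding straight back to "cisco" while the "enable secret 5" line is only recognised as a hash; classify_credential("enable secret 5 abc") reports a malformed hash, which is the answer to the question of whether "abc" can be typed after the 5. Feed it your own "show run" output to check that every vty and console line is bound to a method list that ends in "local".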