Name: Cisco ISR 4000 series
Brand: Cisco
Rating: 5 (1 reviews)

To Next Page

To Previous Page

Cisco ISR 4000 Family Routers Administrator Guidance

Page 28 of 66

TOE-common-criteria(config)#username name secret {0 password | 4 secret-string | 5 SHA256

secret-string}

To store the enable password in non-plaintext form, use the ‘enable secret’ command when setting

the enable password. The enable password can be entered as plaintext, or as an MD5 hash value.

Example:

TOE-common-criteria(config)#enable secret [level level] {password | 0 | 4 | 5 [encryption-type]

encrypted-password }

level - (Optional) Specifies the level for which the password applies. You can specify up to sixteen

privilege levels, using the numerals 0 through 15.

password – password that will be entered

0 - Specifies an unencrypted clear-text password. The password is converted to a SHA256 secret

and gets stored in the router.

4 - Specifies an SHA256 encrypted secret string. The SHA256 secret string is copied from the

router configuration.

5 - Specifies a message digest alogrithm5 (MD5) encrypted secret.

encryption-type - (Optional) Cisco-proprietary algorithm used to encrypt the password. The

encryption types available for this command are 4 and 5. If you specify a value for encryption-

type argument, the next argument you supply must be an encrypted password (a password

encrypted by a Cisco router).

encrypted-password - Encrypted password that is copied from another router configuration.

Use of enable passwords are not necessary, so all administrative passwords can be stored as SHA-

256 if enable passwords are not used.

Note: Cisco no longer recommends that the ‘enable password’ command be used to configure a

password for privileged EXEC mode. The password that is entered with the ‘enable password’

command is stored as plain text in the configuration file of the networking device. If passwords

were created with the ‘enable password’ command, it can be hashed by using the ‘service

password-encryption’ command. Instead of using the ‘enable password’ command, Cisco

recommends using the ‘enable secret’ command because it stores a SHA-256 hash value of the

password.

To have IKE preshared keys stored in encrypted form, use the password encryption aes command

to enable the functionality and the key config-key password-encrypt command to set the master

password to be used to encrypt the preshared keys. The preshared keys will be stored encrypted

with symmetric cipher Advanced Encryption Standard [AES].

TOE-common-criteria (config)# password encryption aes

TOE-common-criteria (config)# key config-key password-encryption [text]

Note: Details for the password encryption aes command can be found in the: [8] Under

Reference Guides  Command References  Security and VPN  See manual Cisco IOS

Security Command Reference: Commands M to R.

Questions and Answers:

Need help?

Do you have a question about the Cisco ISR 4000 series and is the answer not in the manual?

Cisco ISR 4000 series Specifications

General

Routing Performance	Up to 2 Gbps
Switching Capacity	Varies by model
Operating System	Cisco IOS XE
Dimensions	Varies by model
Weight	Varies by model
Series	ISR 4000
WAN Ports	Varies by model
LAN Ports	Varies by model
Redundancy	Yes
Type	Modular
Routing Throughput	Up to 2 Gbps
Memory	Up to 16 GB
Modular Slots	Varies by model
Power Supply	AC or DC options
Product Family	ISR (Integrated Services Router)
Models	ISR 4321, ISR 4331, ISR 4351, ISR 4431, ISR 4451-X
Storage	SSD options
Network Interfaces	Gigabit Ethernet, SFP
Security Features	Firewall, VPN
Virtualization Support	Yes
Modularity	Yes
Operating Temperature	0 to 40°C
Humidity	5% to 95% noncondensing