Mio Synchronization; Protection Of Passwords; Secure Password Encryption - Cisco ASR 5500 Administration Manual
Asr 5500 system administration guide, staros release 19
Hide thumbs
Also See for ASR 5500:
- System administration manual (430 pages) ,
- Installation manual (192 pages) ,
- Installation procedure overview (6 pages)
Table of Contents
Advertisement
MIO Synchronization
Important
The configuration file contains a one-way encrypted value of the chassis key (the chassis key identifier) and
the version number in a comment header line. These two pieces of data determine if the encrypted passwords
stored within the configuration will be properly decrypted.
While a configuration file is being loaded, the chassis key used to generate the configuration is compared
with the stored chassis key. If they do not match the configuration is not loaded.
The user can remove the chassis key identifier value and the version number header from the configuration
file. Also, the user may elect to create a configuration file manually. In both of these cases, the system will
assume that the same chassis key will be used to encrypt the encrypted passwords. If this is not the case, the
passwords will not be decrypted due to resulting non-printable characters or memory size checks. This situation
is only recoverable by setting the chassis key back to the previous value, editing the configuration to have the
encrypted values which match the current chassis key, or by moving the configuration header line lower in
the configuration file.
Beginning with Release 15.0, the chassis ID will be generated from an input chassis key using the SHA2-256
algorithm followed by base36 encoding. The resulting 44-character chassis ID will be stored in the same
chassisid file in flash.
Release 14 and Release 15 chassis IDs will be in different formats. Release 15 will recognize a Release 14
chassis ID and consider it as valid. Upgrading from 14.x to 15.0 will not require changing the chassis ID or
configuration file
However, if the chassis-key is reset in Release 15 through the setup wizard or chassis-key CLI command, a
new chassis ID will be generated in Release 15 format (44 instead of 16 characters). Release14 builds will
not recognize the 44-character chassis ID. If the chassis is subsequently downgraded to Release 14, a new
16-character chassis ID will be generated. To accommodate the old key format, you must save the configuration
file in pre-v12.2 format before the downgrade. If you attempt to load a v15 configuration file on the downgraded
chassis, StarOS will not be able to decrypt the password/secrets stored in the configuration file.
MIO Synchronization
On boot up both MIO/UMIOs automatically read the chassis key configured on the ASR 5500 midplane.
Protection of Passwords
Users with privilege levels of Inspector and Operator cannot display decrypted passwords in the configuration
file via the command line interface (CLI).
Secure Password Encryption
By default the system encrypts passwords using an MD5-based cipher (option A). These passwords also have
a random 64-bit (8-byte) salt added to the password. The chassis key is used as the encryption key.
Setting a chassis key supports an encryption method where the decryption requires the knowledge of a "shared
secret". Only a chassis with knowledge of this shared secret can access the passwords. To decipher passwords,
ASR 5500 System Administration Guide, StarOS Release 19
82
To make password configuration easier for administrators, the chassis key should be set during the initial
chassis set-up.
System Security
Advertisement
Table of Contents
Troubleshooting
