Password Types - Cisco IOS XR Configuration Manual

System security configuration guide

Configuring AAA Services on Cisco IOS XR Software
Ksh authentication cannot be turned off or bypassed after the card is booted. To bypass
authentication, a user needs a reload of the card. (See the "Bypassing ksh Authentication" section
for details.)
The ksh run from the console (using the run command) is not authenticated because the run command
needs the root-system task ID. Because the user is already root-system, the user is not authenticated
again.

Bypassing ksh Authentication
Although the authentication to ksh is lightweight and depends on very few processes, there are cases
when ksh authentication needs to be bypassed, including the following:
- dSC (ACTIVE RP) disk0 corruption
- Loss of Qnet connectivity
- Inability to determine the node ID of the dSC (ACTIVE RP)
To bypass ksh authentication, the user has to set the ROMMON variable AUX_AUTHEN_LEVEL to 0
and then reload the image. A reboot is required only on the card that has to bypass authentication.
The ROMMON variable AUX_AUTHEN_LEVEL can have one of the following values:
0—Authentication will be bypassed on the card.
1—Loose authentication. Authentication is performed on a best-effort basis and permits the user to
access ksh if the system cannot access authentication information successfully.
2—Strict authentication. This is the default state. Under no circumstances is authentication
bypassed. Even if the authentication infrastructure is down, the system simply denies access.
For example, to bypass authentication on the card, enter the following:
rommon1> AUX_AUTHEN_LEVEL=0
rommon2> sync
rommon2> boot tftp:/ ...

Password Types

In configuring a user and that user's group membership, you can specify two types of passwords:
encrypted or clear text.
The router supports both two-way and one-way (secret) encrypted user passwords. Secret passwords are
ideal for user login accounts because the original unencrypted password string cannot be deduced on the
basis of the encrypted secret. Some applications (PPP, for example) require only two-way passwords
because they must decrypt the stored password for their own function, such as sending the password in
a packet. For a login user, both types of passwords may be configured, but a warning message is
displayed if one type of password is configured while the other is already present.
If both secret and password are configured for a user, the secret takes precedence for all operations that
do not require a decryptable password, such as login. For applications such as PPP, the two-way
encrypted password is used even if a secret is present.
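The following is an added example, not taken from the Cisco guide, that applies the precedence rule from the Password Types section as a configuration audit: it reports which users depend on a two-way (decryptable) password for login and which carry both credential types. The function names parse_users and audit are hypothetical, the sample configuration is constructed, and the stanza layout (a username line followed by indented secret and password lines, closed by "!") is an assumption about the saved configuration.

```python
import re

# Constructed sample in the style of a running-config; credential strings are
# placeholders. The stanza layout and the numeric type field are assumptions.
SAMPLE_CONFIG = """\
username netops
 group root-system
 secret 5 <placeholder-hash>
!
username pppdial
 group operator
 password 7 <placeholder-ciphertext>
!
username legacy
 group sysadmin
 secret 5 <placeholder-hash>
 password 7 <placeholder-ciphertext>
!
"""

def parse_users(config):
    """Map each username to the set of credential keywords in its stanza."""
    users, current = {}, None
    for line in config.splitlines():
        m = re.match(r"username\s+(\S+)\s*$", line)
        if m:
            current = m.group(1)
            users[current] = set()
        elif current is not None and line.startswith(" "):
            words = line.split()
            if words and words[0] in ("secret", "password"):
                users[current].add(words[0])
        else:
            current = None  # "!" or any unindented line closes the stanza
    return users

def audit(config):
    """Classify each user by the credential that login and PPP would rely on."""
    report = {}
    for user, creds in parse_users(config).items():
        if creds == {"secret", "password"}:
            report[user] = "both: secret used for login, two-way password for PPP"
        elif creds == {"secret"}:
            report[user] = "secret-only: login uses one-way secret"
        elif creds == {"password"}:
            report[user] = "password-only: login relies on decryptable password"
        else:
            report[user] = "none: no credential in stanza"
    return report
```

Calling audit(SAMPLE_CONFIG) returns one status string per user; the password-only and both entries are the accounts to review, since a decryptable password is stored for them.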


This manual is also suitable for:

Ios xr 3.5
