DNA Center password encryption on network devices

martin.wisz
Level 1

This is a new deployment (ver 1.3.3.9) with only a handful of devices in inventory. I noticed there was no enable password listed in the device credentials. I went and entered a password and the DNA Center pushed an updated configuration via an EEM applet. Two problems with what it pushed: it configured sha256 encryption for the local admin user and for the enable password. We utilize scrypt or type 9 encryption. Is there a place where I can specify which algorithm to use when dealing with device passwords?

The other issue was that even though the action in the applet contained the CLI command "no event manager applet_NEW_CREDENTIAL", the applet was not deleted. I entered that exact command and the applet was deleted. Has anyone seen this issue before?

Any help is appreciated.

1 Reply

Mike.Cifelli
VIP Alumni

Two problems with what it pushed, it configured a sha256 encryption for the local admin user and for the enable password.  We utilize scrypt or type 9 encryption.  Is there a place where I can specify which algorithm to use when dealing with device passwords?  

-Was this ever resolved? AFAIK from within DNAC no.  I would recommend submitting a feature request to your Cisco reps and/or using the make-a-wish from within DNAC to possibly get some visibility on this.  The only thing I can think of to try is to attempt using the DNAC config template editor or have the necessary scrypt config as a part of your base config when deploying a node prior to adding to inventory via discovery etc.

enable algorithm-type scrypt secret <password>
username <user> privilege 15 algorithm-type scrypt secret <password>

If the default was sha256 I would suggest figuring out how to test to ensure there are no hiccups with DNAC.  Maybe try manually modifying via CLI on an EN, and then re-sync the device in inventory to see if DNAC complains.  Good luck & HTH!
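
One way to check the outcome of a push or re-sync is to audit a saved copy of the running-config for the hash type of each credential (on IOS XE, `algorithm-type sha256` is stored as type 8 and `algorithm-type scrypt` as type 9) and for EEM applets left behind. The Python script below is an added example, not part of the original thread or of any Cisco tooling; the function name `audit_config`, the sample config and the applet name `EXAMPLE_APPLET` are constructed for illustration.

```python
import re

# Cisco IOS / IOS XE secret type digits and the scheme each one denotes.
SECRET_TYPES = {
    "0": "cleartext",
    "4": "SHA-256, unsalted (deprecated)",
    "5": "MD5-crypt",
    "6": "AES, reversible",
    "7": "Vigenere obfuscation, reversible",
    "8": "PBKDF2-SHA256 (algorithm-type sha256)",
    "9": "scrypt (algorithm-type scrypt)",
}

# Matches "enable secret|password ..." and "username X ... secret|password ..."
CRED_RE = re.compile(
    r"^(?:enable +|username +(?P<user>\S+) +(?:.*? )?)"
    r"(?P<kind>secret|password) +(?:(?P<type>\d) +)?\S+", re.M)
APPLET_RE = re.compile(r"^event manager applet +(\S+)", re.M)

def audit_config(text, required="9"):
    """Return (findings, applets): credentials not stored as the required
    type, and the names of EEM applets still present in the config."""
    findings = []
    for m in CRED_RE.finditer(text):
        # A missing type digit means the value is stored in cleartext.
        stype = m.group("type") or "0"
        if stype != required:
            who = m.group("user") or "enable"
            findings.append((who, stype, SECRET_TYPES.get(stype, "unknown")))
    return findings, APPLET_RE.findall(text)

# Constructed sample running-config excerpt; hashes are placeholders.
SAMPLE = """\
enable secret 8 $8$PLACEHOLDER
username admin privilege 15 secret 8 $8$PLACEHOLDER
username netops privilege 15 secret 9 $9$PLACEHOLDER
event manager applet EXAMPLE_APPLET
 action 1.0 cli command "enable"
"""

if __name__ == "__main__":
    findings, applets = audit_config(SAMPLE)
    for who, stype, scheme in findings:
        print(f"{who}: type {stype} ({scheme}), expected type 9")
    for name in applets:
        print(f"EEM applet still configured: {name}")
```

Running it against configs captured before and after a re-sync shows whether a manually set type 9 secret was replaced with another type.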