Restrictions for Controlling Switch Access with Passwords and Privileges
The following are the restrictions for controlling switch access with passwords and privileges:
- Disabling password recovery will not work if you have set the switch to boot up manually by using the boot manual global configuration command. This command produces the boot loader prompt (switch:) after the switch is power cycled.
- Password validation for the enable password command against the common criteria policy does not happen during configuration or reconfiguration of the aaa common-criteria policy command. The password is validated against the common criteria policy only during configuration or reconfiguration of the enable common-criteria-policy command.
Restrictions and Guidelines for Reversible Password Types
- Password types 0 and 7 are replaced with password type 6. Password types 0 and 7 that were used for administrator login to the console, Telnet, SSH, webUI, and NETCONF must therefore be migrated to password type 6. No action is required if the username and password are type 0 and 7 for local authentication such as CHAP, EAP, and so on.
- If the startup configuration has a type 6 password and you downgrade to a version in which type 6 passwords are not supported, you can be locked out of the device.
Restrictions and Guidelines for Irreversible Password Types
- Username secret password type 5 and enable secret password type 5 must be migrated to the stronger password type 8 or 9. For more information, see Protecting Enable and Enable Secret Passwords with Encryption.
- If the startup configuration of the device has a convoluted type 9 secret (password that starts with $14$), then a downgrade can only be performed to a release in which the convoluted type 9 secret is supported.
  Before you downgrade to any release in which the convoluted type 9 secret is not supported, ensure that the type 9 secret (password that starts with $9$) is part of the startup configuration instead of a convoluted type 9 secret (password that starts with $14$) or a type 5 secret (password that starts with $1$).
- Plain text passwords are converted to nonreversible encrypted password type 9.
- Secret password type 4 is not supported.
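
The restrictions above can be checked against a saved configuration before a migration or downgrade. The following Python script is an added example, not part of the original documentation or any Cisco tool: it flags credential lines by password type and by the $14$ prefix. The audit function, the line pattern it matches, and the sample configuration are assumptions made for illustration.

```python
import re

# "enable secret|password <type> <value>" and
# "username <name> [privilege N] secret|password <type> <value>"
CRED_RE = re.compile(
    r"^(?:enable|username\s+(?P<user>\S+)(?:\s+privilege\s+\d+)?)\s+"
    r"(?P<kind>secret|password)\s+(?P<type>\d+)\s+(?P<value>\S+)$"
)

# Notes paraphrase the restrictions above, keyed by password type.
NOTES = {
    "0": "reversible; migrate to type 6 if used for administrator login",
    "7": "reversible; migrate to type 6 if used for administrator login",
    "4": "type 4 secrets are not supported",
    "5": "migrate to type 8 or 9",
    "6": "lockout risk on downgrade to a release without type 6",
}
CONVOLUTED = "convoluted type 9; downgrade only to releases that support it"

def audit(config_text):
    """Return (line_no, account, type, note) for each credential to review."""
    findings = []
    for line_no, raw in enumerate(config_text.splitlines(), 1):
        m = CRED_RE.match(raw.strip())
        if not m:
            continue
        account = m["user"] or "enable"
        if m["value"].startswith("$14$"):   # prefix given in the text above
            findings.append((line_no, account, m["type"], CONVOLUTED))
        elif m["type"] in NOTES:
            findings.append((line_no, account, m["type"], NOTES[m["type"]]))
    return findings

# Constructed sample configuration; the secret values are placeholders.
SAMPLE = """\
enable secret 9 $14$CONSTRUCTED
username admin privilege 15 secret 5 $1$CONSTRUCTED
username ops password 7 CONSTRUCTED
username netconf secret 9 $9$CONSTRUCTED
enable password 0 CONSTRUCTED
"""

if __name__ == "__main__":
    for line_no, account, ptype, note in audit(SAMPLE):
        print(f"line {line_no}: {account} (type {ptype}): {note}")
```

The script cannot tell whether a type 0 or 7 username is used for administrator login or for local authentication such as CHAP or EAP, so those findings need a manual check.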