60-14
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 60 Router Device Administration
User Accounts and Device Credentials on Cisco IOS Routers
Note: If you use this policy to define a password, do not later unassign the policy without assigning
a replacement policy before your next deployment. If you deploy a device access policy that removes
this password and the device contains a different type of password not known to Security Manager, such
as a line console password, you will not be able to configure this device in the future. This is because
the device reverts to this unknown password if Security Manager removes the enable password that it
had previously configured.
Related Topics
Defining Accounts and Credential Policies, page 60-14
Defining Accounts and Credential Policies
This procedure describes how to define a device access policy on a Cisco IOS router. If the username
that you configured on the Device Properties page to connect to the router (see Viewing or Changing
Device Properties, page 3-39) matches one of the user accounts you defined in this policy, Security
Manager updates the device credentials according to your policy definition.
If you change the password for the user defined in the device properties, which Security Manager uses
to deploy configurations to the device, or change the enable password, Security Manager uses the
existing credentials defined in the device properties to log into the device and deploy changes. After
successful deployment, the device properties are then changed to use your new settings. For more
information on credentials in device properties, see Device Credentials Page, page 3-44.
Note: You can discover encrypted passwords, but any password you enter must be in clear text. If you discover
an encrypted password and then modify it, the password is saved as clear text.
Related Topics
User Accounts and Device Credentials on Cisco IOS Routers, page 60-13
Step 1 Do one of the following:
- (Device view) Select Platform > Device Admin > Accounts and Credentials from the Policy
  selector.
- (Policy view) Select Router Platform > Device Admin > Accounts and Credentials from the
  Policy Type selector. Select an existing policy or create a new one.
The Accounts and Credentials page is displayed. See Table 60-7 on page 60-16 for a description of the
fields on this page.
Step 2 Enter the password for switching to privileged EXEC mode on the router:
a. Select Enable Password or Enable Secret Password. The Enable Secret Password option offers
better security than the Enable Password option by storing the password using MD5 encryption. This
option is useful in environments in which the password crosses the network or is stored on a TFTP
server.
Note: After you set an enable secret password, you can switch to an enable password only if the
enable secret is disabled or an older version of Cisco IOS software is being used, such as
when running an older rxboot image.
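An added example (not from the Cisco guide or from Security Manager): a pre-deployment check over an exported IOS running-config that flags the two conditions discussed above, an enable password with no enable secret, and a console line password that the device would fall back to if the enable credential were removed. The sample config, function name and finding codes are constructed for illustration.

```python
# Constructed sample running-config; all password strings are placeholders.
SAMPLE_CONFIG = """\
hostname edge-rtr-01
enable password 7 0000000000
line con 0
 password 7 1111111111
 login
line vty 0 4
 login local
"""


def audit_enable_credentials(config: str) -> list[str]:
    """Return finding codes (names are hypothetical) for an IOS config."""
    has_secret = has_enable_pw = console_pw = False
    section = ""  # top-level command that owns the current indented lines
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw[0].isspace():
            section = line
        if line.startswith("enable secret "):
            has_secret = True
        elif line.startswith("enable password "):
            has_enable_pw = True
        elif section.startswith("line con") and line.startswith("password "):
            # The line console password from the first Note above
            console_pw = True
    findings = []
    if has_enable_pw and not has_secret:
        findings.append("enable-password-without-secret")
    if not (has_enable_pw or has_secret):
        findings.append("no-enable-credential")
    if console_pw:
        findings.append("console-line-password-present")
    return findings


if __name__ == "__main__":
    for finding in audit_enable_credentials(SAMPLE_CONFIG):
        print(finding)
```

A `console-line-password-present` finding is the cue to confirm that the line password is known before deploying any policy change that removes the enable credential.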