Update: what follows applies to IOS as well, but apparently I had never tried making the mistake described below until now. Yay me?!
Okay regular readers, don’t freak out, but this post has absolutely nothing to do with voice. Not even a little. But I suggest you go with it because change happens and we love it. (No, we really don’t love it, that’s just more of my charming sarcasm you’ve grown to know and *actually* love…)
So, changing a password on a Nexus 7K, sounds simple enough, right? Not something I’ve had to do before (remember, voice engineer last three years), but not something I expected to give me any push back doing. Yes, well, it seems I was wrong about that.
See, I logged into the shiny N7K and typed:
MYSHINY7K(config)#show run | in sec username
and got back something like:
username AMYENGINEER password 5 MYAWESOMEPASSWORDHASHVALUE role network-admin
Prompting me to type in something like:
MYSHINY7K(config)#username AMYENGINEER password 5 HEREISMYNEWAWESOMEPASSWORD role network-admin
And press Enter. And then I got totally sassed by the switch with a message that looked like this:
%String failed to match token pattern at '^' marker.
Huh? Well, fast forward a few minutes of Googling, and I land on this helpful gem from the Cisco Support Forums. It was just enough information to clue me in to the fact that the switch didn't much care for the 5 after the password keyword in my command string. Oh well, pardon me, let me just try that again, Mr. Switch.
MYSHINY7K(config)#username AMYENGINEER password HEREISMYAWESOMEPASSWORD role network-admin
And sure enough, without the 5 in the command string, my syntax was perfectly acceptable. Note that the 5 does show up in the running-config afterwards: the switch hashes the cleartext you gave it and writes the result back as "password 5" followed by the hash. That is what the 5 means. It tells the parser that the value which follows is already a type-5 (MD5) hash, in the $1$salt$hash form the switch itself generates, so a cleartext string after a 5 fails the pattern check, which is exactly the error above. Type "password <cleartext>" (or "password 0 <cleartext>") and let the switch do the hashing; only use "password 5" when you are restoring a hash copied from another config. One caveat worth remembering: the type-5 value in the running-config is the real password hash, and MD5-crypt is cheap to attack offline, so a pasted "show run" in a ticket or forum thread hands that hash to anyone who reads it.
Now for those of you Nexus gurus who already know this and have known it for ages, please feel free to pat yourselves on the back, as for this Nexus newbie, I’ll be over in the corner wondering what hazing fun the switch has planned for me next.
Published 7/18/2013
I also found this support forum post helpful
But did you learn what the '5' indicates? That's the real question.
I already knew, but in case someone doesn’t, here is a good link to the explanation: http://www.cisco.com/en/US/docs/switches/datacenter/sw/4_1/nx-os/security/configuration/guide/sec_rbac.html
It's the same in adding a password to a VTY line or set of lines, I believe, on most if not all Cisco devices? I'm a wannabe NE, and not even in the Cisco world, so I may be wrong.
CcnaRack1TS(config-line)#password ?
0 Specifies an UNENCRYPTED password will follow
7 Specifies a HIDDEN password will follow
LINE The UNENCRYPTED (cleartext) line password
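The help text above calls a type 7 value "HIDDEN", and that word is doing a lot of work: type 7 is a fixed-key XOR, so anyone with the running-config can recover the cleartext. Here is an added example (not the commenter's code, not Cisco's) that decodes and re-encodes type 7 values and scans a constructed config snippet for them. The XOR key is the long-published one; the sample value "0822455D0A16" is the commonly circulated encoding of "cisco".

```python
import re
from typing import List, Tuple

# Fixed XOR key behind Cisco's type-7 encoding. It is public, so type 7 is obfuscation, not encryption.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"

# Matches "password 7 <hex>" anywhere on a line (line passwords, username passwords, etc.).
PASSWORD7_RE = re.compile(r"\bpassword 7 ([0-9A-Fa-f]+)\b")


def type7_decode(encoded: str) -> str:
    """Recover the cleartext from a `password 7` value."""
    if len(encoded) < 4 or len(encoded) % 2 or not encoded.isalnum():
        raise ValueError("type-7 value is two decimal seed digits followed by hex pairs")
    seed = int(encoded[:2])  # starting offset into the key
    data = bytes.fromhex(encoded[2:])
    clear = bytes(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)] for i, b in enumerate(data))
    return clear.decode()


def type7_encode(clear: str, seed: int = 8) -> str:
    """Produce a type-7 value; the seed only picks where in the key the XOR stream starts."""
    if not 0 <= seed <= 15:
        raise ValueError("seed must be 0..15")
    data = bytes(c ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)] for i, c in enumerate(clear.encode()))
    return f"{seed:02d}{data.hex().upper()}"


def find_type7_secrets(config: str) -> List[Tuple[str, str]]:
    """Return (config line, recovered cleartext) for every `password 7` in a config dump."""
    hits = []
    for line in config.splitlines():
        m = PASSWORD7_RE.search(line)
        if m:
            hits.append((line.strip(), type7_decode(m.group(1))))
    return hits


# Constructed sample config for this example (not from a real device).
SAMPLE_CONFIG = """\
line vty 0 4
 password 7 0822455D0A16
 login
"""

if __name__ == "__main__":
    for line, clear in find_type7_secrets(SAMPLE_CONFIG):
        print(f"{line!r} -> {clear!r}")
    print(type7_encode("cisco", seed=8))
```

Point this at any saved config before it goes into a ticket, a wiki, or version control; every hit is effectively a cleartext credential. The fix on the device side is to use a type-5 (or, where the platform offers it, a stronger) hash for secrets rather than "password 7", and to treat config backups as sensitive regardless.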
Yes, this is true of regular IOS as well. If you include the 5 in the command then the IOS expects the password to be an MD5 hash. If you are entering plaintext use 0 (or leave it out completely and it defaults to 0). When you check the running config you will find that the IOS automatically changes it to a 5 with the appropriate hash rather than the plain text you typed in.
Thanks guys! This was a case of my expecting it might be different and using the question mark key to be prompted for the next bit to fill in. I did a test on IOS as well and indeed it does the same thing, I had just never tried making that mistake before! 🙂
Neat little blog, I just stumbled on it doing some research re: city of l***ville. There's also a complexity check, which is what I thought you were talking about when I first read the headline. For those who aren't familiar with it, check out the "password strength-check" command; it got me for a minute or two the first time I set up a Nexus box. NX-OS also requires some additional TLVs if you want to integrate it with ACS. If anyone needs info on that feel free to contact.
Amy, the Nexus has soooo many “fun” features. I myself have experienced many sleepless nights/cutovers trying to get everything to work. You are in for such a treat! Just wait until you start playing around with vPC+, 🙂