Configure Different Types of Passwords on the Cisco Router
Introduction
This document explains how to configure different types of passwords
(Console, Aux, VTY and Enable and Enable Secret) on Cisco routers.
Requirements
To perform the steps described in this document, you need to have these items:
Connect to the Router
Follow these steps to connect to the router command line interface:
- Connect a PC to the router with a console cable.
- Create a HyperTerminal connection to your router. For more information, refer to Create a HyperTerminal Connection.
- Log into the router with the login and password that you entered in fields B10 and B11 of the Router Worksheet.
Username:admin
Password:
Note: If you do not know the password for your router, refer to Reset the Password on the Router.
- Type enable and press Enter to access the privileged mode. Type the enable password that you entered in field B12 of the Router Worksheet and press Enter.
Router>enable
Password:
Router#
Note: If you have not configured the enable password earlier, just type enable and press Enter twice to get into the privileged EXEC mode.
Configure Line Passwords on the Router
Password protection is used to control or restrict access to the command line interface (CLI) of your router. It is one of the fundamental elements of an overall security plan.
Protecting the router from unauthorized remote access, typically Telnet, is the most common security measure that needs to be configured, but protecting the router from unauthorized local access must not be overlooked.
Note: Password protection is just one of the many steps that you must use in an effective defense-in-depth network security regimen. Firewalls, access lists, and control of physical access to the equipment are the other elements that must be considered when you implement your security plan.
There are four main types of TTY lines: the Console port (CTY), Asynchronous lines (TTY), the Auxiliary port (AUX), and Virtual terminal lines (VTY), as seen in this sample show line output:
2509#show line
Tty Typ Tx/Rx A Modem Roty AccO AccI Uses Noise Overruns Int
* 0 CTY - - - - - 0 0/0 -
1 TTY 9600/9600 - - - - - 0 0 0/0 -
2 TTY 9600/9600 - - - - - 0 0 0/0 -
3 TTY 9600/9600 - - - - - 0 0 0/0 -
4 TTY 9600/9600 - - - - - 0 0 0/0 -
5 TTY 9600/9600 - - - - - 0 0 0/0 -
6 TTY 9600/9600 - - - - - 0 0 0/0 -
7 TTY 9600/9600 - - - - - 0 0 0/0 -
8 TTY 9600/9600 - - - - - 0 0 0/0 -
9 AUX 9600/9600 - - - - - 0 0 0/0 -
10 VTY - - - - - 0 0 0/0 -
11 VTY - - - - - 0 0 0/0 -
12 VTY - - - - - 0 0 0/0 -
13 VTY - - - - - 0 0 0/0 -
14 VTY - - - - - 0 0 0/0 -
Configure Console line Password
It is important to remember that the console port of a Cisco IOS device has special privileges. In particular, if a BREAK signal is sent to the console port within the first few seconds after a reboot, the password recovery procedure can easily be used to take control of the system.
Follow these steps to configure passwords for all users attempting to use the console line:
- Type show running-config at the privileged EXEC prompt and press Enter to look for the passwords configured under line console 0. The output shows that there is no password configured for the console line.
Router#show running-config
Building configuration...
Current configuration : 2937 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
!--- Output is suppressed for brevity.
line con 0
line 1 8
line aux 0
line vty 0 4
- Type configure terminal and press Enter to enter the router configuration mode.
Router#configure terminal
Router(config)#
- Type line console 0 and press Enter.
Router(config)#line console 0
- Type password <password> and press Enter.
Router(config-line)#password Cisco123
- Type login and press Enter.
Router(config-line)#login
Note: To configure the console line to use the local username and password already configured on the router, use the login local command instead of the login command.
- Type exit and press Enter.
Router(config)#exit
Router#
- Type write memory and press Enter.
Router#write memory
- Type show running-config to verify the console line configuration of the router.
Router#show running-config
Building configuration...
Current configuration : 2937 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
!--- Output is suppressed for brevity.
line con 0
password Cisco123
login
line 1 8
line aux 0
line vty 0 4
!
!
end
Configure Auxiliary line Password
The purpose of the auxiliary port is to connect to an external modem. Once configured, this modem can be used as a backup demand-dial connection to another location, or as a way to dial in to the router for troubleshooting should the regular connectivity fail.
Follow these steps to configure passwords for all users attempting to use the auxiliary line:
- Type show running-config at the privileged EXEC prompt and press Enter to look for the passwords configured under line aux 0. The output shows that there is no password configured for the auxiliary line.
Router#show running-config
Building configuration...
Current configuration : 2937 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
!--- Output is suppressed for brevity.
line con 0
line 1 8
line aux 0
line vty 0 4
!
!
end
- Type configure terminal and press Enter to enter the router configuration mode.
Router#configure terminal
Router(config)#
- Type line aux 0 and press Enter.
Router(config)#line aux 0
- Type password <password> and press Enter.
Router(config-line)#password Cisco321
- Type login and press Enter.
Router(config-line)#login
Note: To configure the auxiliary line to use the local username and password already configured on the router, use the login local command instead of the login command.
- Type exit and press Enter.
Router(config)#exit
Router#
- Type write memory and press Enter.
Router#write memory
- Type show running-config to verify the auxiliary line configuration of the router.
Router#show running-config
Building configuration...
Current configuration: 2937 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
!--- Output is suppressed for brevity.
line con 0
line 1 8
line aux 0
password Cisco321
login
line vty 0 4
!
!
end
Configure Local User-Specific Passwords
Cisco IOS can have actual usernames and passwords assigned for access, rather than just the basic level of security you get when you use line passwords alone. When you do this, you have the real name of the person who accesses the device. If you choose to do so, this username can be logged so that you know when that user logged into the router and when they logged off.
Follow these steps to create two users with different privileges:
Note: The Admin user will have level 15 (Cisco administrator / super-user access). The user Bob will have level 7 access (moderate user access).
- From the privileged EXEC prompt, type configure terminal and press Enter to enter the router configuration mode.
Router#configure terminal
Router(config)#
- Type username <name> privilege 15 password <pwd> to create a level 15 administrator or super-user account.
Router(config)#username administrator privilege 15 password admin321
- Type username <name> privilege 7 password <pwd> to create a level 7 moderate user account.
Router(config)#username Bob privilege 7 password Bob789
- Type exit and press Enter.
Router(config)#exit
Router#
- Type write memory and press Enter.
Router#write memory
Configure VTY (Telnet) line Password
Any VTY must be configured to accept connections only with the
protocols actually needed. This is performed with the transport
input command. For example, a VTY that is expected to receive only
Telnet sessions is configured with the transport input telnet
command, while a VTY that permits both Telnet and SSH sessions has the
transport input telnet ssh command. If your software supports
an encrypted access protocol such as SSH, then enable only that protocol, and
disable cleartext Telnet.
Follow these steps to configure the passwords for users attempting to connect to the router on the VTY lines using Telnet:
- From the privileged EXEC prompt, type configure terminal and press Enter to enter the router configuration mode.
Router#configure terminal
Router(config)#
- Type line vty 0 4 and press Enter to enter the VTY line configuration mode.
Router(config)#line vty 0 4
- Type login local and press Enter.
Router(config-line)#login local
Note: The login local command prompts the user who tries to access the VTY line with Telnet for the username and password that were created in the section Configure Local User-Specific Passwords. This is different from the login command by itself: the login command alone only checks the line password configured on that line.
- Type exit and press Enter.
Router(config)#exit
Router#
- Type show running-config to verify the Telnet line configuration of the router.
Router#show running-config
Building configuration...
Current configuration: 2937 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
!--- Output is suppressed for brevity.
line con 0
line 1 8
line aux 0
password Cisco321
login
line vty 0 4
login local
!
!
end
- Type write memory and press Enter.
Router#write memory
Note: To test this configuration, a Telnet connection must be made to the router. This can be done when you connect from a different host on the network, but you can also test from the router itself by telnetting to the IP address of any interface on the router that is in an up/up state, as seen in the output of the show interfaces command.
Configure Enable Passwords
To set a local password to control access to various privilege levels,
enable and enable secret passwords can be used.
Follow these steps to configure an enable password on the router:
- From the privileged EXEC prompt, type configure terminal and press Enter to enter the router configuration mode.
Router#configure terminal
Router(config)#
- Type enable password <password> and press Enter.
Router(config)#enable password Cisco567
Note: The enable password command uses a weak encryption algorithm, so it is recommended to use enable secret, as shown in the section Configure Enable Secret Password, instead of enable password.
- Type exit and press Enter.
Router(config)#exit
Router#
- Type show running-config to verify the enable password configured on the router.
Router#show running-config
Building configuration...
Current configuration: 2937 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
boot-start-marker
boot-end-marker
enable password Cisco567
!--- Output is suppressed for brevity.
- Type write memory and press Enter.
Router#write memory
Configure Enable Secret Passwords
If no enable secret is set, and a password is configured for the
console TTY line, the console password can be used to receive privileged
access, even from a remote VTY session. This is almost certainly not what you
want, and is another reason to be certain to configure an enable secret.
Follow these steps to configure an enable secret password on the router:
- From the privileged EXEC prompt, type configure terminal and press Enter to enter the router configuration mode.
Router#configure terminal
Router(config)#
- Type enable secret <password> and press Enter.
Router(config)#enable secret Cisco567
- Type exit and press Enter.
Router(config)#exit
Router#
- Type show running-config to verify the enable secret password configured on the router.
Router#show running-config
Building configuration...
Current configuration: 2937 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
boot-start-marker
boot-end-marker
enable secret 5 $1$Va6v$ShxHYvqgkJLTIeIrhDVj71
!--- Output is suppressed for brevity.
Note: The enable secret password is stored as a hash (the 5 in the output marks the hash type), so the cleartext password does not show up in the show running-config output.
- Type write memory and press Enter.
Router#write memory
Encrypt the Passwords Using Service Password-Encryption Command
The service password-encryption command directs the IOS software to encrypt the passwords, CHAP secrets, and similar data that are saved in its configuration file. This is useful to prevent casual observers from reading passwords, such as when they look at the screen over the shoulder of an administrator. The encoding it applies (type 7) is reversible, so it deters casual observation only and is not a substitute for enable secret.
Follow these steps to encrypt the passwords configured on the router:
- From the privileged EXEC prompt, type configure terminal and press Enter to enter the router configuration mode.
Router#configure terminal
Router(config)#
- Type service password-encryption and press Enter.
Router(config)#service password-encryption
- Type exit and press Enter.
Router(config)#exit
Router#
- Type write memory and press Enter.
Router#write memory
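As an added example (not part of the Cisco document), the following Python script audits a saved running-config for the weaknesses covered in the sections above: no enable secret, a weak enable password, console/AUX/VTY lines without login, VTY lines that still accept Telnet, and service password-encryption not enabled. The sample configuration is constructed from this document's output, and the assumption that a VTY with no transport input line accepts Telnet is marked in a comment.

```python
import re

# Constructed sample modelled on this document's show running-config output (sub-commands indented as IOS prints them).
SAMPLE_CONFIG = """\
service password-encryption
enable password Cisco567
line con 0
 password Cisco123
 login
line aux 0
line vty 0 4
 login local
 transport input telnet ssh
end
"""

def parse_lines(config):
    """Map each 'line ...' stanza name to its list of sub-commands."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        text = raw.strip()
        if text.startswith("line "):
            current = text[5:]
            stanzas[current] = []
        elif raw.startswith(" ") and current is not None:
            stanzas[current].append(text)
        elif text and not text.startswith("!"):
            current = None  # any other top-level command ends the stanza
    return stanzas

def audit(config):
    """List the weaknesses this document warns about, in config order."""
    findings = []
    if not re.search(r"^enable secret ", config, re.M):
        findings.append("no enable secret configured")
    if re.search(r"^enable password ", config, re.M):
        findings.append("enable password present (weak; prefer enable secret)")
    if not re.search(r"^service password-encryption$", config, re.M):
        findings.append("service password-encryption not enabled")
    for name, cmds in parse_lines(config).items():
        if not name.startswith(("con", "aux", "vty")):
            continue  # async TTY stanzas such as 'line 1 8' are not checked
        if not any(c in ("login", "login local") for c in cmds):
            findings.append(f"line {name}: no login configured")
        elif "login" in cmds and not any(c.startswith("password ") for c in cmds):
            findings.append(f"line {name}: login set but no line password")
        # Assumption: a VTY with no transport input line permits Telnet by default.
        if name.startswith("vty") and not any(
                c.startswith("transport input") and "telnet" not in c for c in cmds):
            findings.append(f"line {name}: cleartext Telnet allowed")
    return findings
```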
Next Step
You have completed the procedure to configure the different types of passwords on Cisco routers. To make further changes to your router, refer to the Routers Support Page.
Troubleshoot the Procedure
This section provides information about common problems that you may encounter. If this information does not solve your problem, contact the SMB Technical Assistance Center (SMB TAC) for assistance.
Related Information