There are five passwords used to secure your Cisco routers: console, auxiliary, telnet (VTY), enable password, and enable secret. Just as you learned earlier in the chapter, the first two passwords are used to set your enable password that’s used to secure privileged mode. This will prompt a user for a password when the enable command is used. The other three are used to configure a password when user mode is accessed either through the console port, through the auxiliary port, or via Telnet.
Enable Passwords
You can set the enable passwords from global configuration mode like this:
Router(config)#enable ?
last-resort Define enable action if no TACACS servers respond
password Assign the privileged level password
secret Assign the privileged level secret
use-tacacs Use TACACS to check enable passwords
The following points describe the enable password parameters:
Last-resort Allows you to still enter the router if you set up authentication through a TACACS server and it’s not available. But it isn’t used if the TACACS server is working.
Password Sets the enable password on older, pre-10.3 systems, and isn’t ever used if an enable secret is set.
Secret Is the newer, encrypted password that overrides the enable password if it’s set.
Use-tacacs This tells the router to authenticate through a TACACS server. It’s convenient if you have anywhere from a dozen to multitudes of routers, because, well, would you like to face the fun task of changing the password on all those routers? If you’re sane, no, you wouldn’t. So instead, just go through the TACACS server, and you only have to change the password once—yeah!
Here’s an example of setting the enable passwords:
Router(config)#enable secret your-password
Router(config)#enable password your-password
The enable password you have chosen is the same as your enable secret. This is not recommended. Re-enter the enable password.
If you try to set the enable secret and enable passwords the same, the router will give you a nice, polite warning to change the second password. If you don’t have older legacy routers, don’t even bother to use the enable password.
User-mode passwords are assigned by using the line command:
Router(config)#line ?
<0-70> First Line number
aux Auxiliary line
console Primary terminal line
tty Terminal controller
vty Virtual terminal
x/y Slot/Port for Modems
Here are the lines to be concerned with:
aux Sets the user-mode password for the auxiliary port. It’s usually used for attaching a modem to the router, but it can be used as a console as well.
console Sets a console user-mode password.
vty Sets a Telnet password on the router. If this password isn’t set, then Telnet can’t be used by default.
To configure the user-mode passwords, you configure the line you want and use either the login or no login command to tell the router to prompt for authentication.
Auxiliary Password
To configure the auxiliary password, go into global configuration mode and type line aux ?.
You can see here that you only get a choice of 0–0 (that’s because there’s only one port):
Router#config t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#line aux ?
<0-0> First Line number
Router(config)#line aux 0
Router(config-line)#login
Router(config-line)#password your-password
Console Password
To set the console password, use the line console 0 command. But look at what happened when I tried to type line console 0 ? from the aux line configuration–I received an error. You can still type line console 0 and it will accept it, but the help screens just don’t work from that prompt. Type exit to get back one level and you’ll find that your help screens now work. This is a “feature.” Really.
Here’s the example:
Router(config-line)#line console ?
% Unrecognized command
Router(config-line)#exit
Router(config)#line console ?
<0-0> First Line number
Router(config)#line console 0
Router(config-line)# password your-password
Router(config-line)# login
For one, the exec-timeout 0 0 command sets the timeout for the console EXEC session to zero, which basically means to never time out. The default timeout is 10 minutes. (If you’re feeling mischievous, try this on people at work: Set it to 0 1. That will make the console time out in 1 second! And to fix it, you have to continually press the Down arrow key while changing the timeout time with your free hand!) logging synchronous is a very cool command, and it should be a default command, but it’s not. It stops annoying console messages from popping up and disrupting the input you’re trying to type. The messages still pop up, but you are returned to your router prompt without your input interrupted. This makes your input messages oh-so-much easier to read.
Here’s an example of how to configure both commands:
Router(config)#line con 0
Router(config-line)#exec-timeout ?
<0-35791> Timeout in minutes
Router(config-line)#exec-timeout 0 ?
<0-2147483> Timeout in seconds
Router(config-line)#exec-timeout 0 0
Router(config-line)#logging synchronous
Telnet Password
To set the user-mode password for Telnet access into the router, use the line vty command.
Routers that aren’t running the Enterprise edition of the Cisco IOS default to five VTY lines, 0 through 4. But if you have the Enterprise edition, you’ll have significantly more. The best way to find out how many lines you have is to use that question mark:
Router(config-line)#line vty 0 ?
<1-4> Last Line Number
Router(config-line)#line vty 0 4
Router(config-line)# password your-password
Router(config-line)# login
Encrypting Your Passwords
Because only the enable secret password is encrypted by default, you’ll need to manually configure the user-mode and enable passwords for encryption.
To manually encrypt your passwords, use the service password-encryption command. Here’s an example of how to do it:
Router#config t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#service password-encryption
Router(config)#^Z
Here is an example of how you might set and encrypt your Telnet password under the CCNA objectives:
1. Enter the mode to configure telnet access: line vty 0 4
2. Enable Telnet login: login
3. Set the password to cisco: password cisco
4. Return to global configuration mode: exit
5. Encrypt password in show run/start output: service password-encryption
Here are the commands in order:
Router(config)#line vty 0 4
Router(config-line)#login
Router(config-line)#password cisco
Router(config)#exit
Router#service password-encryption
Remember that the CCNA objectives may require that you use the login command before you set the VTY password, or you may just need to set it after the password.
0 comments:
Post a Comment