Saturday 3 October 2015

Router Passwords

Setting Passwords:- There are five passwords used to secure your Cisco routers: console, auxiliary, Telnet (VTY), enable password, and enable secret.

Enable Passwords
You set the enable passwords from global configuration mode like this:

Router(config)#enable ?
  last-resort  Define enable action if no TACACS servers respond
  password     Assign the privileged level password
  secret       Assign the privileged level secret
  use-tacacs   Use TACACS to check enable passwords

The following points describe the enable password parameters:

last-resort:- Allows you to still enter the router if you set up authentication through a TACACS server and it’s not available. It isn’t used if the TACACS server is working.

password:- Sets the enable password on older, pre-10.3 systems, and isn’t ever used if an enable secret is set.

secret:- Sets an encrypted password that overrides the enable password if it’s set.

use-tacacs:- Tells the router to authenticate through a TACACS server. It’s convenient if you have anywhere from a dozen to multitudes of routers, because, well, would you like to face the fun task of changing the password on all those routers? If you’re sane, no, you wouldn’t. So instead, just go through the TACACS server, and you only have to change the password.

Setting the enable secret:

Router(config)#enable secret cisco

User mode password:- User-mode passwords are assigned by using the line command:

Router(config)#line ?
  <0-70>   First Line number
  aux      Auxiliary line
  console  Primary terminal line
  tty      Terminal controller
  vty      Virtual terminal


Auxiliary Password

To configure the auxiliary password, go into global configuration mode and type line aux ?.

Router#config t

Enter configuration commands, one per line. End with CNTL/Z.

Router(config)#line aux ?
<0-0> First Line number

Router(config)#line aux 0

Router(config-line)#login

Router(config-line)#password cisco

It’s important to remember the login command, or the auxiliary port won’t prompt for authentication.


Console Password

To set the console password, use the line console 0 command.  

Router(config)#line console 0

Router(config-line)# password cisco1

Router(config-line)# login


Additional Commands

Router(config)#line con 0

Router(config-line)#exec-timeout ?
<0-35791> Timeout in minutes

Router(config-line)#exec-timeout 0 ?
<0-2147483> Timeout in seconds
<cr>

Router(config-line)#exec-timeout 0 0

Router(config-line)#logging synchronous

The exec-timeout 0 0 command sets the timeout for the console EXEC session to zero, which means the session never times out. The default timeout is 10 minutes.

Logging synchronous stops annoying console messages from popping up and disrupting the input you’re
trying to type. The messages still pop up, but you are returned to your router prompt without your input interrupted.


Telnet Password

To set the user-mode password for Telnet access into the router, use the following commands:

Router(config-line)#line vty 0 ?
<1-4> Last Line Number
<cr>

Router(config-line)#line vty 0 4

Router(config-line)# password cisco2

Router(config-line)# login


Encrypting Your Passwords

By default, only the secret password is encrypted; all other passwords are stored in plain text. To encrypt all passwords, use the following command:

Router(config)#service password-encryption
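
As an added example (not part of the original post), the Python script below audits a running-config excerpt for the settings covered on this page: a missing enable secret, plain-text or type 7 passwords, a line password without login, and exec-timeout 0 0. The sample config, the audit function and the finding strings are constructed for illustration; the script flags type 7, the encoding that service password-encryption applies, because it is reversible, unlike the one-way hash used for the enable secret.

```python
import re

# Constructed sample config (not from the post); PLACEHOLDER is not real data.
SAMPLE_CONFIG = """\
no service password-encryption
enable password cisco
line con 0
 exec-timeout 0 0
 password cisco1
 login
line aux 0
 password cisco
line vty 0 4
 password 7 PLACEHOLDER
 login
"""
PASSWORD_RE = re.compile(r"^(?:enable )?password (?:(\d) )?\S+")

def audit(config):
    """Return (section, finding) pairs for the password settings on this page."""
    sections, current = {"global": []}, None
    for raw in config.splitlines():
        cmd = raw.strip()
        if raw.startswith("line "):              # console/aux/vty block begins
            current = cmd
            sections[current] = []
        elif cmd and not raw.startswith(" "):    # any other top-level command
            current = None
            sections["global"].append(cmd)
        elif cmd and current:                    # sub-command of a line block
            sections[current].append(cmd)
    findings = []
    if not any(c.startswith("enable secret ") for c in sections["global"]):
        findings.append(("global", "no enable secret"))
    if "service password-encryption" not in sections["global"]:
        findings.append(("global", "service password-encryption is off"))
    for name, cmds in sections.items():
        for c in cmds:
            m = PASSWORD_RE.match(c)
            if m and m.group(1) is None:         # no type digit: stored as typed
                findings.append((name, "plain-text password"))
            elif m and m.group(1) == "7":
                findings.append((name, "type 7 password (reversible encoding)"))
            if c == "exec-timeout 0 0":
                findings.append((name, "session never times out"))
        has_pw = any(c.startswith("password ") for c in cmds)
        if has_pw and not any(c.startswith("login") for c in cmds):
            findings.append((name, "password set but no login"))
    return findings
```

Calling audit(SAMPLE_CONFIG) returns eight findings, including the auxiliary line that has a password but never prompts for it because login is missing.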


