Cisco® CCNA Exam Cram Notes : Different types of router passwords

II. Cisco IOS

5. Different types of router passwords

1. Enable Password: A global command that restricts access to privileged EXEC mode. This password is stored unencrypted. To set or change the enable password, you use "enable password <password>".

2. Enable Secret: Assigns a one-way cryptographic (hashed) secret password, available in IOS versions 10.3 and up. When an enable secret exists it is used instead of the enable password; the enable secret always takes precedence over the enable password. To set or change the enable secret, you use "enable secret <password>". The enable secret is also the only password that is encrypted by default.

3. Virtual Terminal Password (vty password): The virtual terminal password is used for Telnet sessions into the router. The password can be changed at any time. It can be set up when you configure the router from the console. There can be five distinct passwords corresponding to each vty (vty0 to vty4) or there can be a single password for all vtys.

4. Auxiliary Password: Sets the password on the auxiliary (AUX) port. This port is used to access a router through a modem.

5. Console Password: Sets the password on the console port. With service password-encryption enabled, the actual encryption takes place when the current configuration is written or when a password is configured. Service password-encryption is applied to all passwords, including username passwords, authentication key passwords, the privileged command (enable) password, and the console and virtual terminal line passwords. This command is primarily useful for keeping unauthorized individuals from reading your passwords in the configuration file.

By default, all Cisco routers support 5 Telnet lines, line vty 0 4. You have to bring up the other 10 lines yourself by adding the line vty 5 15 command.

Example configurations are shown below (default):

line vty 0 4
access-class 147 in
exec-timeout 30 0
password 7 xxxxx

To bring up the additional 10 telnet lines, use the following config commands:

configure terminal
line vty 5 15
access-class 147 in
password 7 xxxxxx

Follow these steps to configure Auxiliary (AUX) port passwords.

Note: If you are trying to change the password on a real router, ensure that you have an alternate connection into the router, such as console or Telnet, in case there is a problem logging back in to the router.

1. From the privileged EXEC (or enable) prompt, enter configuration mode (config) and then switch to line configuration mode (config-line), by issuing the following commands:

Note: Notice that the prompt changes to reflect the current mode.

router#conf terminal
!--- Enter configuration commands, one per line. End with CNTL/Z.

router(config)#line aux 0
router(config-line)#

2. Configure the password, and enable password checking at login.

router(config-line)#password <password>
router(config-line)#login

3. Exit configuration mode.

router(config-line)#end
router#
%SYS-5-CONFIG_I: Configured from console by console

Note: Do not save your configuration changes until your ability to log in has been verified.

4. Verify the configuration. Examine the configuration of the router to make sure that the commands have been properly entered by issuing the “show running-config” command. Test the configuration by making an inbound or outbound connection to the line. For specific information on configuring async lines for modem connections, refer to the Modem-Router Connection Guide.

5. Save your configuration.

router#write memory

During password recovery on a Cisco 2501, the command initialize loads the IOS. The typical sequence of steps in password recovery (on a 2501 router) is:

  • Power cycle the router by turning it OFF and ON.

  • Press Break key (key configuration depends on the router type) within 60 seconds of power on.

  • Use the rommon command o/r 0X2142

  • Use the rommon command initialize to load the IOS.

  • Skip the setup mode (by choosing NO to configuration commands).

  • Enter privileged mode

  • After entering the privileged mode, you can view the passwords by issuing appropriate config commands.

The Cisco router can be configured from many locations.

  • Console port: During the initial installation, you configure the router from a console terminal connected to the "Console port" of the router.

  • Virtual Terminals (vty): A virtual terminal (vty) is typically accessed through Telnet. A router can be accessed through a vty after the initial installation in the network. By default there are five virtual terminals, namely vty0, vty1, vty2, vty3 and vty4.

  • Auxiliary Port: You can configure a router through the auxiliary port. Typically, a modem attached to the AUX port is used to reach the router for configuration.

  • TFTP Server: Configuration information can be downloaded from a TFTP server over the network.

  • NMS (Network Management Station): You can also manage router configuration through NMS such as CiscoWorks or HP OpenView.

It is important to know the difference between a collision domain and a broadcast domain. When you use Hubs, all the nodes connected to the hub will be in the same collision domain. However, when you use switches and implement VLANs, each VLAN will be in a separate broadcast domain. The packet forwarding between VLANs is achieved through the use of routing.

Configuring minimum password length:

If you want to ensure passwords adhere to a minimum length on a Cisco router, there is a simple command you can use to enable this feature: security passwords min-length <#>

To configure it, simply enter global configuration mode and type the following:

Router(config)#security passwords min-length <value>

<0-16> Minimum length of all user/enable passwords

Router(config)#security passwords min-length 10

Here's how the command works when you try to configure a password that is too short:

Router(config)#enable password testsim

% Password too short - must be at least 10 characters. Password configuration failed

How to encrypt all the Cisco router passwords?

By default, all the passwords of a Cisco router are readable in clear text in the configuration file. This is a serious security risk: anyone who can read the file can log in and change the router configuration. To keep the passwords from being displayed, the service password-encryption command is used to encrypt them. service password-encryption is a global command and encrypts the following passwords:

  • enable password

  • console password

  • vty password

  • aux password

Ex: router(config)#service password-encryption


The encryption algorithm used by service password-encryption (the "password 7" form shown in the configurations above) is a weak one and is easily reversed. The hashing algorithm used by enable secret (MD5) is not so easily broken.
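As an added example (not from the page or from Cisco), the following Python audits a captured running-config against the points above: an enable password with no enable secret, cleartext line passwords while service password-encryption is off, line passwords without login, a missing or short security passwords min-length, and type 7 passwords, which are only obfuscated. The sample configuration, the function names and the 10-character threshold are constructed assumptions.

```python
# Constructed running-config excerpt (not from a real device), modelled on the page's examples.
SAMPLE_CONFIG = """\
enable password cisco123
line vty 0 4
 exec-timeout 30 0
 password 7 xxxxxx
 login
line vty 5 15
 password letmein
"""

def parse_config(config):
    """Split a running-config into global commands and {'line vty 0 4': [sub-commands], ...}."""
    global_cmds, sections, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:  # indented sub-command of a line section
            sections[current].append(raw.strip())
            continue
        current = raw.strip() if raw.startswith("line ") else None
        if current is not None:
            sections[current] = []
        else:
            global_cmds.append(raw.strip())
    return global_cmds, sections

def audit_config(config, min_length=10):
    """Return a list of findings; an empty list means the page's password checklist is met."""
    global_cmds, sections = parse_config(config)
    has = lambda prefix: any(c.startswith(prefix) for c in global_cmds)
    findings = []
    if has("enable password ") and not has("enable secret "):
        findings.append("global: enable password set without enable secret")
    lengths = [int(c.split()[-1]) for c in global_cmds if c.startswith("security passwords min-length ")]
    if not lengths or lengths[-1] < min_length:
        findings.append(f"global: security passwords min-length below {min_length}")
    encrypted, type7 = "service password-encryption" in global_cmds, 0
    for name, cmds in sections.items():
        pw = [c for c in cmds if c.startswith("password ")]
        if pw and pw[-1].startswith("password 7 "):
            type7 += 1  # type 7 is what service password-encryption writes: obfuscated, not hashed
        elif pw and not encrypted:
            findings.append(f"{name}: cleartext password (service password-encryption is off)")
        if pw and not any(c.startswith("login") for c in cmds):
            findings.append(f"{name}: password set but 'login' missing, so it is never checked")
    if type7:
        findings.append(f"{type7} line password(s) use type 7, which is reversible, not a hash")
    return findings
```

Run against the output of "show running-config" copied from a console session; lines with only a type 7 password remain a finding even on a hardened device, because that obfuscation protects against shoulder-surfing of the config file, not against anyone who obtains the string.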
