How to configure all passwords to secure a Cisco Router

Follow the steps below to configure passwords on a new router, or to verify that the passwords on an existing Cisco router are configured properly. Passwords restrict access to the router, and a separate password can be set for each way in: the console line, the auxiliary line, the virtual terminal (VTY) lines and privileged EXEC mode. This post covers how to set each of them and how the passwords are stored in the configuration, including what encrypting them does and does not protect.

Types of Cisco Router Passwords

There are three basic types of router password:

  • Line Passwords(Console, Vty, Aux)
  • Privileged mode Passwords (enable mode)
  • Username Passwords (optional)

Configure Cisco Router Line Passwords

Line passwords are configured on the router's lines. The lines are the console, the auxiliary port, the VTY lines and any async lines, each described below.

Two commands configure a line password, whatever kind of line it is: password and login. The password command sets the password for the line. The login command, entered by itself, tells the router to prompt for and check the password configured on that line. Note that login without a matching password locks the line rather than opening it: IOS refuses connections on it with the message "Password required, but none set", so set the password before (or together with) login, and check every line for both.

Line Console – The console is the main serial administrative port on a router. It is used to configure the router when it is brand new and has no network configuration yet.

Here is an example of how this is configured on the console port:

Cisco-Router(config)#line console 0
Cisco-Router(config-line)#password <password>
Cisco-Router(config-line)#login  < cr | authentication | local >

Entering login by itself authenticates with the password configured on the line. login local checks the username and password against the router's local user database (see below). login authentication <list-name> hands authentication to an AAA method list, which is how TACACS+ or RADIUS is used; it requires aaa new-model to be configured first.

Line Aux – The aux line is the auxiliary port, a physical port found on most routers that can be thought of as a backup console. It is often connected to a dial-up modem so that an administrator can dial in from a remote location and log in to the router out of band, which makes it a remotely reachable entry point that must be protected like any other.

Here is an example of how this is configured on the Aux port:

Cisco-Router(config)#line aux 0
Cisco-Router(config-line)#password <password>
Cisco-Router(config-line)#login  < cr | authentication | local >

The login keyword choices are the same as for the console line. If the aux port is not used for dial-in access at all, disable the EXEC process on it with the no exec line command rather than relying on the password alone.

Line VTY – VTY lines are "virtual tty" lines used when you connect to the router over the network via Telnet or SSH. They are not physical ports but virtual inbound network lines.

The same commands are used on the VTY lines. Before configuring them, find out how many VTY lines your router supports, because any line left without a password is a gap in the configuration. Rather than configuring the lines one at a time, give line vty a range: the first and last VTY numbers. The password and login commands are then entered once inside that range and apply to every line in it. Older routers had five VTY lines (0-4); most routers today have sixteen (0-15), and some platforms allow far more. Here is how to find the range on a Cisco 2951:

Cisco-Router(config)#line vty ?
     <0-858>  First Line number
Cisco-Router(config)#line vty

Here is an example of how this is configured on the VTY lines:

Cisco-Router(config)#line vty 0 15
Cisco-Router(config-line)#password <password>
Cisco-Router(config-line)#login  < cr | authentication | local >

Because VTY sessions arrive over the network, also restrict them to SSH with the transport input ssh line command: over Telnet the line password, and every command typed afterwards, crosses the network in clear text.

Async Lines – Async lines are asynchronous serial lines and are optional. These async lines are created when you insert an async serial card in a router. You can use the async serial lines to connect dumb-terminals (text-based terminals), serial printers, or modems.

Configure Cisco Router Privileged mode Passwords

The other basic requirement is a password for privileged mode (enable mode). The enable password command is the well-known way to set one, but it is no longer recommended: the password is stored in clear text, or, with service password-encryption, as a reversible type 7 string, so anyone who can read the configuration can recover it.

The enable secret command also sets the privileged-mode password, but stores a salted hash instead of the password itself: MD5 (type 5) by default, and on current IOS and IOS XE releases SHA-256 (type 8) or scrypt (type 9) can be selected with the algorithm-type keyword. When both are configured the secret takes precedence, so set the secret and remove any old enable password with the no form of the command. Here is how you configure it:

Cisco-Router(config)#enable secret <password>

Username Passwords (Local Database)

Optionally, you can configure usernames and associated passwords in the router's local database. This is a stronger level of security than a shared line password, because each administrator has an individual account. Once a line is told to use the local database, the password configured on that line is ignored.

You configure the usernames with the username command and set the password on the same command line. Prefer the secret keyword to password: secret stores a hash (MD5 by default; type 8 or type 9 with algorithm-type on current releases), while password stores the clear text or, at best, a reversible type 7 string. Optionally, you can set the privilege level of the user; level 15 is full administrative access.

Once you have created the usernames, tell each line to use the local username/password database: go back to each line and enter login local.

Cisco-Router(config)#username <username> secret <password> or
Cisco-Router(config)#username <username> privilege 15 secret <password>

When you next connect to a line configured with login local, you are prompted for a username and then for that user's password. A user created with privilege 15 is placed directly into privileged mode, with full administrative rights and without having to type enable; a user at the default level 1 lands in user EXEC mode and must still enter enable and the enable secret.

How to encrypt the Cisco Router passwords?

By default the line passwords, the enable password and any username passwords are stored in clear text in the configuration, so anyone who can view the running-config, a backup copy of it or the output of a show command learns them. The global command service password-encryption stores them as type 7 strings instead. It applies to:

  • enable password
  • line console password
  • line aux password
  • line vty password
  • username passwords set with the password keyword

Cisco-Router(config)#service password-encryption
Cisco-Router(config)#
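Be clear about what this command buys you. Type 7 is a reversible XOR against a fixed key, not encryption: decoders are widely available and any type 7 string is turned back into the password instantly. It only stops a password being read off the screen over your shoulder. Passwords set with enable secret and with the secret keyword of username are hashed and are unaffected by this command, which is why those forms are preferred; once they are in place, service password-encryption is a last line of defence for whatever type 7 strings remain, not a substitute for them.

The checks described in this post, gathered into one script, as an added example that is not part of the original article: it parses a Cisco IOS running-config, flags lines with login but no password, enable password and username password where secret should be used, VTY lines that still accept Telnet, and then decodes every type 7 string to show how little service password-encryption protects. Both configurations in it are constructed for illustration (the type 5 and type 9 hashes are placeholders, not real hashes), and the function names are my own.

```python
"""Audit the password posture of a Cisco IOS running-config.
Added example, not part of the original post. Both configurations below are
constructed for illustration and the type 5/9 hashes in them are placeholders."""
import re

# Translation key of the reversible "type 7" scheme that `service password-encryption` applies.
XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"
TYPE7_RE = re.compile(r"\bpassword 7 ([0-9A-Fa-f]{4,})\b")

def type7_decode(encoded: str) -> str:
    """Recover the clear text of a type 7 string such as 060506324F41 (seed, then XOR bytes)."""
    seed, data = int(encoded[:2]), bytes.fromhex(encoded[2:])
    return bytes(b ^ XLAT[(seed + i) % len(XLAT)] for i, b in enumerate(data)).decode()

def parse_sections(config: str):
    """Split a config into global commands and the subcommands of each `line` block."""
    global_cmds, sections, current = [], {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw.strip()
            sections[current] = []
        elif raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        else:
            current = None
            if raw.strip() and raw.strip() != "!":
                global_cmds.append(raw.strip())
    return global_cmds, sections

def audit_passwords(config: str) -> list:
    """Return one finding per weak password setting; an empty list means the config is clean."""
    findings = []
    global_cmds, sections = parse_sections(config)
    if "service password-encryption" not in global_cmds:
        findings.append("global: service password-encryption is off, passwords are stored in clear text")
    if not any(c.startswith("enable secret") for c in global_cmds):
        findings.append("global: no enable secret configured")
    for cmd in global_cmds:
        if cmd.startswith("enable password"):
            findings.append("global: enable password is set, replace it with enable secret and remove it")
        elif cmd.startswith("username ") and " password " in cmd:
            findings.append(f"global: username {cmd.split()[1]} uses 'password', use 'secret' so only a hash is stored")
    for name, cmds in sections.items():
        has_login = any(c == "login" or c.startswith("login ") for c in cmds)
        has_password = any(c.startswith("password ") for c in cmds)
        if "no login" in cmds:
            findings.append(f"{name}: no login, connections are accepted without authentication")
        elif not has_login and not name.startswith("line vty"):
            findings.append(f"{name}: no login method, the line is unauthenticated")
        if "login" in cmds and not has_password:
            findings.append(f"{name}: login set but no password, IOS refuses logins ('Password required, but none set')")
        if name.startswith("line vty") and any("telnet" in c or c.endswith(" all") for c in cmds if c.startswith("transport input")):
            findings.append(f"{name}: Telnet allowed, passwords cross the network in clear text, use transport input ssh")
    for m in TYPE7_RE.finditer(config):  # every type 7 string is recoverable offline
        findings.append(f"type 7 string {m.group(1)} recovers to {type7_decode(m.group(1))!r}")
    return findings

# Constructed "before" configuration with every weakness this post warns about.
WEAK_CONFIG = """\
service password-encryption
enable password 7 060506324F41
username admin privilege 15 password 7 0822455D0A16
username ops secret 5 $1$abcd$placeholder
!
line con 0
 password 7 060506324F41
 login
line aux 0
 login
line vty 0 4
 password 7 122F110E405B5E50
 login local
 transport input telnet ssh
line vty 5 15
 login
 transport input telnet
"""

# Constructed "after" configuration: hashed secrets, login local on every line, SSH only.
HARDENED_CONFIG = """\
service password-encryption
enable secret 9 $9$placeholder$placeholder
username admin privilege 15 secret 9 $9$placeholder$placeholder
!
line con 0
 login local
line aux 0
 no exec
 login local
line vty 0 15
 login local
 transport input ssh
"""

if __name__ == "__main__":
    for finding in audit_passwords(WEAK_CONFIG):
        print(finding)
    print("hardened:", audit_passwords(HARDENED_CONFIG))
```

Run as is, the weak configuration yields eleven findings, among them the three type 7 strings that recover to cisco and the VTY password that recovers to Vty2024, while the hardened configuration yields none. To check a real device, pass the text of show running-config to audit_passwords instead of the constructed sample.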
