You would never allow anyone in the world to access your email so why would you allow anyone to access your network hardware? This lab will discuss and demonstrate the configuration and verification of basic password authentication.
Security is of the uttermost importance in a production network, especially an internet facing production network. Having an insecure Cisco Router and/or switch is exposing your network to virtually unlimited number of risks. This lab will teach you the basics of password authentication in the Cisco IOS software to secure your Cisco router and/or switch.
Step 1. – To meet the first objective of protecting the console line with a console password you’ll need to navigate to the console line configuration mode as shown below;
--- System Configuration Dialog --- Would you like to enter the initial configuration dialog? [yes/no]: no Press RETURN to get started! Router>enable Router#configure terminal Router(config)#line console 0 Router(config-line)#
Once in console line configuration mode, you can set the password by executing the password passwordgoeshere As shown below, the password is being set to Cisco123;
Simply setting the password does not enable password authentication. You’ll need to tell the router to prompt incoming sessions on the console line to require a password. This is done by executing the login command from line configuration mode as shown below;
Now you can test your console line password but first you’ll have to end your exec session by typing end and exit then attempting to establish a new exec session via console as shown below;
Router(config-line)#end Router#exit Router con0 is now available Press RETURN to get started. User Access Verification Password: Router>
Step 2. Now its time to configure VTY (Virtual TeleType) lines. The VTY lines are virtual lines used for establishing an exec session via telnet or ssh. You apply the password to these lines in the same manner as you previously did the console line as shown below;
Router>enable Router#config terminal Router(config)#line vty 0 4 Router(config-line)#password Cisco321 Router(config-line)#login
Notice that in this example the password was set to Cisco321 just to demonstrate you can have different passwords per line. In order to verify this configuration; typically you’d need Ethernet connectivity to the device so as per that requirement you’ll need to assign an IP address to an interface. For example assign 10.1.1.1 255.255.255.255 to interface loopback0 as shown below;
Router(config-line)#interface lo0 Router(config-if)#ip add 10.1.1.1 255.255.255.255 Router(config-if)#end Router#
To verify your vty line password configuration you can telnet to your local interface to initiate a telnet exec session as shown below;
Router#telnet 10.1.1.1 Trying 10.1.1.1 ... Open User Access Verification Password: Password: Router>
As you can see you’re prompted for the VTY line password. If you enter the console line password, you will be denied access but upon entering the correct vty line password you’ll be authorized to start an exec session as shown above.
Once you’ve established a telnet session to the router, try to gain privileged level access. You’ll immediately notice that you’ll be prompted for an “enable” password in which case none is set so therefore you cannot gain privileged level access.
Router>enable Password: Password: Password: % Bad passwords Router>
Step 3. Configure an enable password and secret for the Cisco router to gain privileged level access to the device via telnet. This configuration is done in global configuration mode. If you still have a telnet session open from the previous objective verification, type exit. To configure an enable password execute the enable password passwordgoeshere command.
To configure an enable secret you simply execute the enable secret passwordgoeshere as shown below;
Router>exit [Connection to 10.1.1.1 closed by foreign host] Router#configure terminal Enter configuration commands, one per line. End with CNTL/Z. Router(config)#enable password Cisco1 Router(config)#enable secret Cisco2 Router(config)#end Router#
As shown above the enable password was set to Cisco1 and the enable secret was set to Cisco2
Once the enable passwords have been set verify the configuration by executing a reverse telnet to 10.1.1.1 and establishing a telnet session using the previously set vty lines password then escalate to privileged level access.
Router#telnet 10.1.1.1 Trying 10.1.1.1 ... Open User Access Verification Password: Router>enable Password: Password: Router#
If you typed in the enable password first you’ll be rejected as the router also has an enable secret set of Cisco2.
Step 4. The last objective only applies to Cisco devices that have an Auxiliary (AUX) port. The AUX port is very similar to the console port but has modem control pins where you can attach an external modem to the device and dial-in to the device via external 56k modem and remote manage the device using POTS dial-up service. This is commonly used in out of band management for single devices however when there are multiple devices per site and out of band management is required its common to have an access-server setup with a modem to allow console management of multiple devices through a single dial-in device.
To set the AUX line password you’ll execute the same commands as you’ve previously done in the console line password configuration as shown below;
Router#configure terminal Enter configuration commands, one per line. End with CNTL/Z. Router(config)#line aux 0 Router(config-line)#password AuxPassword123 Router(config-line)#login Router(config-line)#end Router#