Security is very important for protecting your network from being hacked. You need physical security for your devices as well, but passwords are absolutely the best defense against would-be hackers. Before starting this lab I suggest you read “Different modes and prompts of a cisco router ios”, where you can find a complete drill-down of the Cisco router IOS prompts and modes used in this lab; it will also help you understand the upcoming labs more easily. Cisco routers have some defense against would-be hackers built into their internetworking operating system (IOS). For example, it is impossible to telnet into a Cisco router unless an administrator configures a telnet password or uses the no login command, which allows users to telnet to the router without any password. You also won’t be able to get into privileged mode from telnet unless the enable password is set.
Part2: Cisco Router Password in depth
Now let’s take a look at each of them
Enable password
To set the enable password you first need to get into global
configuration mode using the following commands.
Router>enable
Router#config t
Router(config)#
Once you are in global configuration mode you can set the enable password using the enable password [your password] command.
Router(config)#enable password mynetworkinglabs
In the above example we set mynetworkinglabs as the enable password. Now if you type enable from user mode you will see the following prompt:
Router>enable
Password:
Enable Secret
This is the newer, encrypted password that overrides the enable
password. To set the enable secret use the following commands:
Router>enable
Router#config t
Router(config)#enable password mynetworkinglabs
Router(config)#enable secret waleed
In the above lab we kept the enable password as “mynetworkinglabs”, as it was before, and set the enable secret to “waleed”. If you try to set the enable secret and the enable password to the same value, the router will give you a nice and polite prompt asking you to change the second password. If you don’t have older legacy routers, don’t even bother to use the enable password. When entering privileged mode the router will first ask you to write the enable password and then the enable secret.
Console Password:
To configure a console user-mode password use the line
command from global configuration mode. There is only one console port on all
routers, so the command is line console 0.
Here is an example:
Router#config t
Router(config)#line console 0
Router(config-line)#
Notice the prompt changes from Router(config)# to
Router(config-line)# which tells you that you are configuring the Console, Aux
or VTY line.
You can use two more commands to finish configuring the
console user-mode password.
- Login: This tells the router to look under the console line configuration for the password. If you do not use this command the router will not prompt you for a password when you connect to the router’s console port.
- Password: This sets the password for console user mode. It is case sensitive.
The complete command will look like this:
Router#config t
Router(config)#line console 0
Router(config-line)#login
Router(config-line)#password waleed
Aux or Auxiliary Password
On some routers,
aux is called the auxiliary port, and on some it is called the aux port. To
find the complete command-line name on your router, use a question mark with
the Line command as shown:
Router(config)#line ?
<0-4> First Line Number
aux Auxiliary line
console Primary terminal line
vty Virtual terminal
At this point, you can choose the correct
command you need. Here is an example of setting the aux port on a Cisco router
to prompt for a user-mode password with a console cable connected (this port
can be used with or without a modem):
Router#config t
Router(config)#line aux 0
Router(config-line)#login
Router(config-line)#password cisco
VTY (Telnet)
The Virtual
Teletype (VTY) lines are used to configure Telnet access to a Cisco router. As
I mentioned earlier, the VTY lines must be configured for Telnet to be
successful.
Here is an example of an administrator’s attempt
to Telnet to a router that does not have the VTY lines configured:
Password not set, connection refused
This is the default on every Cisco router.
To configure the VTY lines, you must use the
question mark with the line vty 0 command
to determine the number of lines available on
your router. The number varies with the type of router and the IOS version.
However, five is the most common number of lines.
Router#config t
Router(config)#line vty 0 ?
<0-4> Last Line Number
<cr>
Router(config)#line vty 0 4
Router(config-line)#login
Router(config-line)#password cisco
Notice that you choose all the lines available for the most efficient configuration. You can set each line individually, but because you cannot choose the line you enter the router with when you Telnet, this can cause problems.
You can tell the router to allow Telnet
connections without a password by using the No Login command:
Router(config)#line vty 0 4
Router(config-line)#no login
Encrypting your passwords
The Line command passwords
(console, aux, and VTY) are not encrypted by default and can be seen by going
into privileged EXEC mode and typing the command show running-config.
This “show running-config” displays the complete
configuration that the router is running, including all the passwords. Remember
that the Enable Secret password is encrypted by default, but the other four are
not. To encrypt your passwords, use the global configuration command service password-encryption.
Here is an example of how to perform manual
password encryption (as well as an example of how to set all five passwords):
Router#config t
Router(config)#service password-encryption
Router(config)#enable password waleed
Router(config)#line vty 0 4
Router(config-line)#login
Router(config-line)#password waleed
Router(config-line)#line con 0
Router(config-line)#login
Router(config-line)#password cisco
Router(config-line)#line aux 0
Router(config-line)#login
Router(config-line)#password khaliqi
Router(config-line)#exit
Router(config)#no service password-encryption
Router(config)#enable secret khaliqi
Router(config)#^Z
All of the passwords can be the same except the
Enable Password and the Enable Secret passwords. You should make them different
for security reasons, however.
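The checks this lab walks through can be run against saved show running-config output. The following Python audit is an added example, not code from the original post; the sample configuration, the audit function and its finding strings are constructed for illustration.

```python
import re

# Constructed "show running-config" excerpt for illustration (not a real device).
SAMPLE_CONFIG = """\
enable password mynetworkinglabs
!
line con 0
 password cisco
 login
line aux 0
 password 7 0000000000
 login
line vty 0 4
 no login
"""

def audit(config):
    """Return sorted (section, finding) pairs for the password issues in this lab."""
    findings, seen, section = set(), set(), "global"
    for raw in config.splitlines():
        cmd = raw.strip()
        if not cmd or cmd == "!":
            continue
        if not raw.startswith(" "):      # unindented command opens a new section
            section = cmd if cmd.startswith("line ") else "global"
        if cmd.startswith("enable secret "):
            seen.add("secret")
        elif cmd.startswith("enable password "):
            seen.add("enable password")
        elif cmd == "service password-encryption":
            seen.add("encryption")
        # "password 7 ..." is the form written by service password-encryption;
        # anything else after "password" is stored as typed.
        if re.match(r"(?:enable )?password (?!7 )\S", cmd):
            findings.add((section, "cleartext password in config"))
        if section != "global" and cmd == "no login":
            findings.add((section, "no login: access without a password"))
    if "secret" not in seen:
        findings.add(("global", "enable secret not set"))
    elif "enable password" in seen:
        findings.add(("global", "legacy enable password still present"))
    if "encryption" not in seen:
        findings.add(("global", "service password-encryption is off"))
    return sorted(findings)

if __name__ == "__main__":
    for section, finding in audit(SAMPLE_CONFIG):
        print(f"{section}: {finding}")
```

An empty result means none of these conditions were found in the text supplied; it does not check password strength.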
Conclusion
It is extremely important to set your passwords on
every Cisco router your company has. If you are studying for your Cisco
certification exams, be sure you understand the passwords and how to set them.
Remember the difference between the Enable Secret and the Enable password and
that the Enable Secret password supersedes the Enable password if it’s set.
I have taken care in
preparation of the content contained herein but make no expressed or implied
warranty of any kind and assume no responsibility for errors or omissions. No
liability is assumed for any damages. Always have a verified backup before
making any changes.
May peace be with you.