You would never allow anyone in the world to access your email, so why would you allow anyone to access your network hardware? This lab will discuss and demonstrate the configuration and verification of basic password authentication.
Security is of the utmost importance in a production network, especially an internet-facing production network. An insecure Cisco router and/or switch exposes your network to a virtually unlimited number of risks. This lab will teach you the basics of password authentication in the Cisco IOS software to secure your Cisco router and/or switch.
Step 1. – To meet the first objective of protecting the console line with a console password, you'll need to navigate to the console line configuration mode as shown below:
--- System Configuration Dialog ---
Would you like to enter the initial configuration dialog? [yes/no]: no
Press RETURN to get started!
Router>enable
Router#configure terminal
Router(config)#line console 0
Router(config-line)#
Once in console line configuration mode, you can set the password by executing the password passwordgoeshere command. As shown below, the password is being set to Cisco123:
Router(config-line)#password Cisco123
Simply setting the password does not enable password authentication. You'll need to tell the router to require a password from incoming sessions on the console line. This is done by executing the login command from line configuration mode as shown below:
Router(config-line)#login
Now you can test your console line password, but first you'll have to end your exec session by typing end and then exit, then attempt to establish a new exec session via the console as shown below:
Router(config-line)#end
Router#exit
Router con0 is now available
Press RETURN to get started.
User Access Verification
Password:
Router>
Step 2. Now it's time to configure the VTY (Virtual TeleType) lines. The VTY lines are virtual lines used for establishing an exec session via telnet or ssh. You apply the password to these lines in the same manner as you previously did for the console line, as shown below:
Router>enable
Router#config terminal
Router(config)#line vty 0 4
Router(config-line)#password Cisco321
Router(config-line)#login
Notice that in this example the password was set to Cisco321 just to demonstrate that you can have different passwords per line. To verify this configuration you'd typically need Ethernet connectivity to the device, so you'll need to assign an IP address to an interface. For example, assign 10.1.1.1 255.255.255.255 to interface loopback0 as shown below:
Router(config-line)#interface lo0
Router(config-if)#ip add 10.1.1.1 255.255.255.255
Router(config-if)#end
Router#
To verify your vty line password configuration you can telnet to your local interface to initiate a telnet exec session as shown below:
Router#telnet 10.1.1.1
Trying 10.1.1.1 ... Open
User Access Verification
Password:
Password:
Router>
As you can see, you're prompted for the VTY line password. If you enter the console line password you will be denied access, but upon entering the correct vty line password you'll be authorized to start an exec session as shown above.
Once you've established a telnet session to the router, try to gain privileged level access. You'll immediately notice that you're prompted for an "enable" password; since none is set, you cannot gain privileged level access.
Router>enable
Password:
Password:
Password:
% Bad passwords
Router>
Step 3. Configure an enable password and an enable secret on the Cisco router so that privileged level access can be gained via telnet. This configuration is done in global configuration mode. If you still have a telnet session open from the previous objective's verification, type exit. To configure an enable password, execute the enable password passwordgoeshere command.
To configure an enable secret you simply execute the enable secret passwordgoeshere command as shown below:
Router>exit
[Connection to 10.1.1.1 closed by foreign host]
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#enable password Cisco1
Router(config)#enable secret Cisco2
Router(config)#end
Router#
As shown above, the enable password was set to Cisco1 and the enable secret was set to Cisco2.
Once the enable passwords have been set, verify the configuration by executing a reverse telnet to 10.1.1.1, establishing a telnet session using the previously set vty line password, and then escalating to privileged level access.
Router#telnet 10.1.1.1
Trying 10.1.1.1 ... Open
User Access Verification
Password:
Router>enable
Password:
Password:
Router#
If you type in the enable password (Cisco1) first you'll be rejected, because the router also has an enable secret (Cisco2) set and the enable secret takes precedence.
Step 4. The last objective only applies to Cisco devices that have an Auxiliary (AUX) port. The AUX port is very similar to the console port but has modem control pins, so you can attach an external 56k modem to the device, dial in over a POTS dial-up service and remotely manage the device. This is commonly used for out-of-band management of single devices. When there are multiple devices per site and out-of-band management is required, it's common to set up an access server with a modem so that the consoles of multiple devices can be managed through a single dial-in device.
To set the AUX line password you'll execute the same commands as you previously did in the console line password configuration, as shown below:
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#line aux 0
Router(config-line)#password AuxPassword123
Router(config-line)#login
Router(config-line)#end
Router#
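As an added example that is not part of the lab, the Python script below audits a running-config fragment against the settings Steps 1 to 4 put in place: every line block (con 0, vty 0 4, aux 0) must carry both a password and login, and an enable secret must exist alongside any enable password. The config text is constructed for the example and the secret hash is a placeholder.

```python
import re

# Constructed running-config fragment (not captured from a real device) that
# reflects the lab's end state: con 0, aux 0 and vty 0 4 each carry a password
# and 'login', and both enable password and enable secret are set. On a real
# device 'show running-config' shows the secret hashed; <hash-placeholder> stands in.
LAB_CONFIG = """\
enable secret 5 <hash-placeholder>
enable password Cisco1
line con 0
 password Cisco123
 login
line aux 0
 password AuxPassword123
 login
line vty 0 4
 password Cisco321
 login
"""

def parse_lines(config: str) -> dict[str, dict[str, bool]]:
    """Map each 'line ...' block to whether it carries 'password' and 'login'."""
    blocks: dict[str, dict[str, bool]] = {}
    current = None
    for raw in config.splitlines():
        if not raw.startswith(" "):          # unindented: a new top-level statement
            m = re.match(r"^line (\S+ \d+(?: \d+)?)$", raw)
            current = m.group(1) if m else None
            if current:
                blocks[current] = {"password": False, "login": False}
        elif current is not None:
            stmt = raw.strip()
            if stmt.startswith("password "):  # 'password X' or 'password 7 X'
                blocks[current]["password"] = True
            elif stmt == "login":             # the bare 'login' the lab uses
                blocks[current]["login"] = True
    return blocks

def audit(config: str) -> list[str]:
    """Return findings for the checks the lab walks through; [] means all passed."""
    findings = []
    for name, st in parse_lines(config).items():
        if st["password"] and not st["login"]:
            findings.append(f"{name}: password set but 'login' missing, so no prompt")
        elif not st["password"]:
            findings.append(f"{name}: no password configured")
    if not re.search(r"^enable (secret|password) ", config, re.M):
        findings.append("no enable password or secret: privileged mode unreachable over telnet")
    elif not re.search(r"^enable secret ", config, re.M):
        findings.append("enable password set without an enable secret")
    return findings
```

Run audit() on the output of show running-config; a non-empty list names the line or enable setting that still needs attention.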