Passwords are an essential part of Cisco router access control. They are used to restrict access to a Cisco router; since a router ships with no automatic or default password protection, a separate password is configured for each way in: the console password protects the console port, the aux password protects the auxiliary port, the enable password and the enable secret protect privileged EXEC mode, and the VTY password protects Telnet or SSH sessions into the router.
Types of passwords:
There are five main types of passwords:
- Console Password
- Aux or Auxiliary Password
- Enable Password
- Enable Secret Password
- VTY password
These are explained below.
1. Console Password:
This sets the password on the console port. If no password has been set on the router's console, by default anyone who connects to it gets user mode without authentication. The password is encrypted when it is configured or when the existing configuration is written. Setting a console password is crucial because it stops anyone who can physically walk up to the router and plug into the console from gaining user mode access. Since a router has only one console port, it is selected with the command line console 0 in global configuration mode.
Router1# config t
Router1(config)# line console 0
Router1(config-line)# password MkcbDtGfRblw3#$577DF
Router1(config-line)# login
Router1(config-line)# exit
2. Aux or Auxiliary Password:
The aux password protects the auxiliary port, a physical access port on the router that is used to reach the router over a modem. Not every router has this port.
Router1# config t
Router1(config)# line aux 0
Router1(config-line)# password MkcbDtGfRblw3#$577DF
Router1(config-line)# login
Router1(config-line)# end
3. Enable Password:
enable password is a global configuration command that restricts access to privileged EXEC mode. The password is stored unencrypted. It is generally used to change the privilege level (from level 0 to level 15) on the router, most commonly to move from user mode to privileged mode.
Router1# config t
Router1(config)# enable password MkcbDtGfRblw3#$577DF
Router1(config)# exit
4. Enable Secret Password:
It serves the same purpose as the enable password, but the password is stored in a much more secure, one-way encrypted form. One-way encrypted secrets are available in IOS version 10.3 and later.
Router1(config)# enable secret MkcbDtGfRblw3#$577DF
5. VTY Password:
VTY lines are used for Telnet or SSH sessions into the router. The VTY password can be set while the router is being configured from the console, and it can be changed by the user at any time. There can be one password for all VTY lines, or a different password for each virtual terminal (vty 0 through vty 4).
Router1# config t
Router1(config)# line vty 0 4
Router1(config-line)# password MkcbDtGfRblw3#$577DF
Router1(config-line)# login
For example, encrypting all clear-text passwords with the service password-encryption command. The running configuration before the command:
Router1#show run
Building configuration...
Current configuration: 976 bytes
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Router1
enable secret 5 $5$eWMd$Qxl6RCoPutSnLoBaR047N/
enable password dSFsvr433
username smdh password 0 dSFsvr43345
username btcan password 0 linux
username mtcan secret 5 $5$eWMd$Qxl6RCoPutSnLoBaafdefR047Ncs
username mmlel password 0 68445
interface FastEthernet0/0
 ip address 1.0.0.1 255.0.0.0
 duplex auto
 speed auto
!
Interface FastEthernet0/1
 ip address 2.0.0.1 255.0.0.0
ip classless
ip route 0.0.0.0 0.0.0.0 2.0.0.2
 password mmlel684
 Login
line aux 0
 password 684
 login
!
line vty 0 4
 login local
Now run the service password-encryption command:
Router1# config t
Router1(config)# service password-encryption
Now check the configuration after running the service password-encryption command:
Router1#show run
Building configuration...
Current configuration: 926 bytes
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
service password-encryption
hostname Router1
enable secret 5 $5$eWMd$Qxl6RCoPutSnLoBaR047N/
enable password 7 54893F4571269843
username smdh password 7 54893F457126984365E
username btcan password 7 548D93F457C12
username mtcan secret 5 $5$eWMd$Qxl6RCoPutSnLoBaafdefR047Ncs
username mmlel password 7 59531E1D5D8C
interface FastEthernet0/0
 ip address 1.0.0.1 255.0.0.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 2.0.0.1 255.0.0.0
 duplex auto
 speed auto
ip classless
ip route 0.0.0.0 0.0.0.0 2.0.0.2
line con 0
 password 7 01863D9A110A0D494078
 login
line aux 0
 password 7 02803W1F
 login
line vty 0 4
 login local
Now configure Telnet access with username and password protection (login local on the VTY lines):
Router1(config)# username mmlel password 68445
Router1(config)# username smdh password dSFsvr43345
Router1(config)# line vty 0 4
Router1(config-line)# login local
Router1(config-line)# exit
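The before-and-after output above can be checked mechanically rather than by eye. The following Python script is an added example, not part of the original article, that scans show running-config text for the weaknesses this article discusses: service password-encryption not enabled, an enable password next to (or instead of) an enable secret, username passwords stored as type 0 or type 7, and con/aux/vty lines with no login, or with login but no line password. The sample configuration, the Finding class and every function name are constructed for this example; the parser assumes the one-space indentation that show run uses for line sub-commands.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample running-config (shaped like the "before" output above).
SAMPLE_CONFIG = """\
version 12.4
no service password-encryption
!
hostname Router1
enable secret 5 $5$eWMd$Qxl6RCoPutSnLoBaR047N/
enable password dSFsvr433
username smdh password 0 dSFsvr43345
username mtcan secret 5 $5$eWMd$Qxl6RCoPutSnLoBaafdefR047Ncs
!
line con 0
 password mmlel684
 login
line aux 0
 password 7 02803W1F
 login
line vty 0 4
 login local
"""

@dataclass
class Finding:
    severity: str   # "high" or "medium"
    line_no: int    # 0 for config-wide findings
    subject: str    # command or line section the finding concerns
    message: str

# enable/username/line-mode "password" or "secret", with an optional type digit
CRED_RE = re.compile(r"^(enable |username \S+ )?(password|secret)(?: (\d+))? (\S+)$")
LINE_RE = re.compile(r"^line (con|aux|vty) \d+(?: \d+)?$")

def classify_credential(keyword: str, enc_type: Optional[str]) -> Optional[Tuple[str, str]]:
    """(severity, message) for a password/secret statement, or None if acceptable."""
    if keyword == "secret":
        return None                      # one-way hash, as the article recommends
    if enc_type in (None, "0"):
        return "high", "clear-text password (type 0)"
    if enc_type == "7":
        # what service password-encryption produces: reversible obfuscation, not a hash
        return "medium", "type 7 password (obfuscated, not hashed)"
    return "medium", f"unrecognised password type {enc_type}"

def _close_line_section(name: str, start: int, seen: set, findings: list) -> None:
    """Report a con/aux/vty block that will not ask for, or cannot check, a password."""
    if "login" not in seen and "login local" not in seen:
        findings.append(Finding("high", start, name, "no login: line does not prompt for a password"))
    elif "login" in seen and "password" not in seen:
        findings.append(Finding("high", start, name, "login configured but no line password set"))

def audit_running_config(config: str) -> list:
    """Scan 'show running-config' text for the password weaknesses discussed above."""
    findings: list = []
    lines = config.splitlines()
    stripped = [l.strip() for l in lines]

    if "service password-encryption" not in stripped:
        findings.append(Finding("medium", 0, "service password-encryption",
                                "not enabled: line and username passwords stay in clear text"))
    if not any(s.startswith("enable secret ") for s in stripped):
        findings.append(Finding("high", 0, "enable secret",
                                "not configured: privileged EXEC relies on enable password or nothing"))

    section = None   # (section name, start line, sub-commands seen) for an open "line ..." block
    for no, (raw, text) in enumerate(zip(lines, stripped), 1):
        if section and not raw.startswith(" "):      # un-indented command ends the section
            _close_line_section(*section, findings)
            section = None
        if LINE_RE.match(text):
            section = (text, no, set())
            continue
        m = CRED_RE.match(text)
        if m:
            scope, keyword, enc_type, _value = m.groups()
            if section:
                section[2].add(keyword)
            subject = (scope or "line ").strip() + " " + keyword
            verdict = classify_credential(keyword, enc_type)
            if verdict:
                findings.append(Finding(verdict[0], no, subject, verdict[1]))
            if scope == "enable " and keyword == "password":
                findings.append(Finding("medium", no, "enable password",
                                        "in use: prefer enable secret, which stores a one-way hash"))
        elif section and text in ("login", "login local"):
            section[2].add(text)
    if section:
        _close_line_section(*section, findings)
    return findings

if __name__ == "__main__":
    for f in audit_running_config(SAMPLE_CONFIG):
        print(f"[{f.severity:6}] line {f.line_no:>2}  {f.subject}: {f.message}")
```

Feed it the saved output of show running-config. On the constructed sample it reports six findings: the missing service password-encryption, the clear-text enable password (twice: once as a clear-text value, once because enable secret should be used instead), the clear-text username, the clear-text console line password and the type 7 aux password; the VTY block, which uses login local, produces nothing. Running it on the "after" configuration above would still flag every password 7 line, which is the point of preferring secret over password where IOS allows it.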
Tips:
- Use service password-encryption on all routers.
- Make sure every password is strong.
- Give each router a distinct password.
- Always access the router from a secure system.