
Cisco Router Password in depth

2:27 AM Posted by Ahmad Waleed Khaliqi


Labels: CCNA, Cisco

Security is very important to keep your network from being hacked. You need
physical security for your devices as well, but passwords are absolutely the
best defense against would-be hackers. Before starting this lab, I suggest you
read "Different modes and prompts of a Cisco router IOS", where you can find a
complete drill-down of the Cisco router IOS prompts and modes used in this lab,
which will also help you understand upcoming labs easily. Cisco routers have some
defense against would-be hackers built into the Internetwork Operating System
(IOS). For example, it is impossible to telnet into a Cisco router unless an administrator
configures a telnet password or uses the no login command, which allows users to
telnet to the router without any password. You also won't be able to get into privileged
mode from telnet unless the enable password is set.
Five passwords are used to secure a Cisco router: console, auxiliary,
telnet (VTY), enable password and enable secret. The enable secret and enable
password are used to secure privileged mode. The other three are used when a
user wants to get into user mode through the console port, through the auxiliary port or
via telnet.
Now let's take a look at each of them.
Enable password
To set the enable password you should get into global configuration mode using the
following command.

Router>enable
Router#config t
Router(config)#

Once you get into global configuration mode you can set enable password using
enable password [your password] command.

Router(config)#enable password mynetworkinglabs

In the above example we set mynetworkinglabs as the enable password. Now if you
type enable from user mode you will see the following prompt:

Router>enable
Password:

Enable Secret
This is the newer, encrypted password, which overrides the enable password. To set
the enable secret, use the following commands:

Router>enable
Router#config t
Router(config)#enable password mynetworkinglabs
Router(config)#enable secret waleed

In the above lab we set the enable password to mynetworkinglabs, the same as
before, and the enable secret to waleed. If you try to set the enable secret and
enable password to the same value, the router will give you a nice and polite prompt asking
you to change the second password. If you don't have older legacy routers,
don't even bother to use the enable password. When entering privileged mode, the
router will first ask you to write the enable password and then the enable secret.

Console Password:
To configure a console user-mode password, use the line command from global
configuration mode. There is only one console port on all routers, so the command is
line console 0.
Here is an example:

Router#config t

Router(config)#line console 0
Router(config-line)#

Notice the prompt changes from Router(config)# to Router(config-line)#, which tells
you that you are configuring the console, aux or VTY line.
You can use two more commands to finish configuring the console user-mode
password.

Login: This tells the router to look under the console line configuration for the
password. If you do not use this command, the router will not prompt you for a
password when you connect to the router's console port.
Password: This sets the password for console user mode. It is case sensitive.

The complete command will look like this:

Router#config t
Router(config)#line console 0
Router(config-line)#login
Router(config-line)#password waleed

Aux or Auxiliary Password


On some routers, aux is called the auxiliary port, and on some it is called the aux port.
To find the complete command-line name on your router, use a question mark with the
Line command as shown:

Router(config)#line ?
  <0-4>    First Line Number
  aux      Auxiliary line
  console  Primary terminal line
  vty      Virtual terminal

At this point, you can choose the correct command you need. Here is an example of
setting the aux port on a Cisco router to prompt for a user-mode password with a
console cable connected (this port can be used with or without a modem):

Router#config t
Router(config)#line aux 0
Router(config-line)#login
Router(config-line)#password cisco

VTY (Telnet)
The Virtual Teletype (VTY) lines are used to configure Telnet access to a Cisco router.
As I mentioned earlier, the VTY lines must be configured for Telnet to be successful.
Here is an example of an administrator's attempt to Telnet to a router that does not
have the VTY lines configured:

Password not set, connection refused

This is the default on every Cisco router.


To configure the VTY lines, use the question mark with the command line vty 0
to determine the number of lines available on your router. The number varies with the
type of router and the IOS version. However, five is the most common number of lines.

Router#config t
Router(config)#line vty 0 ?
<0-4> Last Line Number
<cr>
Router(config)#line vty 0 4
Router(config-line)#login
Router(config-line)#password cisco

Notice that you choose all the lines available for the most efficient configuration. You
can set each line individually, but because you cannot choose the line you enter the
router with when you Telnet, this can cause problems.
You can tell the router to allow Telnet connections without a password by using the No
Login command:

Router(config)#line vty 0 4
Router(config-line)#no login

Encrypting your passwords


The line command passwords (console, aux, and VTY) are not encrypted by default
and can be seen by going into privileged EXEC mode and typing the command show
running-config.
The show running-config command displays the complete configuration that the router is
running, including all the passwords. Remember that the enable secret password is
encrypted by default, but the other four are not. To encrypt your passwords, use the
global configuration command service password-encryption.

Here is an example of how to perform manual password encryption (as well as an
example of how to set all five passwords):

Router#config t
Router(config)#service password-encryption
Router(config)#enable password waleed
Router(config)#line vty 0 4
Router(config-line)#login
Router(config-line)#password waleed
Router(config-line)#line con 0
Router(config-line)#login
Router(config-line)#password cisco
Router(config-line)#line aux 0
Router(config-line)#login
Router(config-line)#password khaliqi
Router(config-line)#exit
Router(config)#no service password-encryption
Router(config)#enable secret khaliqi
Router(config)#^Z

All of the passwords can be the same except the Enable Password and the Enable
Secret passwords. You should make them different for security reasons, however.
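
An added example, not part of the original post: a small Python audit of show running-config output that flags the password conditions described in this article (cleartext enable and line passwords, service password-encryption turned off, no login on a line, and an enable password overridden by the enable secret). The sample configuration is constructed, and the script additionally reports type 7 strings, because the encoding that service password-encryption produces is reversible obfuscation rather than a one-way hash.

```python
import re

# Constructed `show running-config` excerpt; hash and type 7 strings are placeholders.
SAMPLE_CONFIG = """\
no service password-encryption
enable secret 5 $1$PLACEHOLDER$PLACEHOLDERHASH
enable password mynetworkinglabs
line con 0
 password waleed
 login
line aux 0
 password 7 PLACEHOLDER7
line vty 0 4
 no login
"""

# Matches "enable password" or a line-level "password", with an optional type digit.
PASSWORD_RE = re.compile(r"^\s*(enable password|password)\s+(?:(\d)\s+)?\S+\s*$")

def audit(config):
    """Return (context, issue) pairs; password values are never echoed."""
    lines = config.splitlines()
    findings = []
    if not any(l.strip() == "service password-encryption" for l in lines):
        findings.append(("global", "service password-encryption is off"))
    has_secret = any(l.startswith("enable secret ") for l in lines)
    context = "global"
    for raw in lines:
        if raw.startswith("line "):
            context = raw.strip()           # entering a con/aux/vty block
        elif raw and not raw[0].isspace():
            context = "global"              # any other unindented line
        if raw.strip() == "no login" and context != "global":
            findings.append((context, "no login: no password prompt"))
        m = PASSWORD_RE.match(raw)
        if not m:
            continue
        kind, ptype = m.groups()
        if ptype in (None, "0"):
            findings.append((context, f"{kind} stored in cleartext"))
        elif ptype == "7":
            findings.append((context, f"{kind} is type 7 (reversible)"))
        if kind == "enable password" and has_secret:
            findings.append((context, "enable password is overridden by enable secret"))
    return findings

if __name__ == "__main__":
    for where, issue in audit(SAMPLE_CONFIG):
        print(f"{where:14} {issue}")
```
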
Conclusion
It is extremely important to set your passwords on every Cisco router your company
has. If you are studying for your Cisco certification exams, be sure you understand the
passwords and how to set them. Remember the difference between the Enable Secret
and the Enable password and that the Enable Secret password supersedes the Enable
password if it's set.

I have taken care in preparation of the content contained herein but make no
expressed or implied warranty of any kind and assume no responsibility for errors or
omissions. No liability is assumed for any damages. Always have a verified backup
before making any changes.
May peace be with you.
