Types of Cisco Router Passwords

When it comes to basic password security, there are three basic types:

Line Passwords Privileged mode Passwords (enable mode) Username Passwords (optional)

Lets explore these. Line Passwords Line passwords are configured on router lines. Examples of lines are:

Console Line - The console is the main serial administrative port on a router. This is where you configure the router when it is new and has no network configuration. Aux Line The aux line is an auxiliary port. Like the console, it is a physical port on every router. You can think of it as a backup console port. Besides being a backup console port, the aux port is periodically used for administrative console dial up access to the router. VTY Lines Vty lines are virtual tty lines and are used when you connect to the router via telnet or ssh. These are not physical lines on the router but virtual inbound network lines. Async Lines Async lines are asynchronous serial lines and are optional. These async lines are created when you insert an async serial card in a router. You can use the async serial lines to connect dumb-terminals (text-based terminals), serial printers, or modems.

All of these different lines need a password configured on them. Lets find out how to configure Cisco router line passwords.

Configuring Cisco Router Line Passwords

There are two commands used to configure line passwords, no matter what kind of line you are using. The commands are password and login. The password command is used to set your line password. The login command, when entered by itself, is used to tell the router to use the password that is configured on the line. Here is an example of how this is configured on the console port:

As you can see in the graphic, we first set the password to cisco using password cisco, then enabled login using that password with the login command. We repeat this on the aux port, like this:

Finally, we configure the same commands on the VTY lines. The catch to doing this is that there is more than one VTY. Because you dont want to have to configure them one at a time, you use a VTY range when performing the configuration. Using a VTY range works by specifying your routers starting and ending VTY number. Inside the configuration mode for this range of VTYs is where you are configuring the password and login commands. In the past, router only had 0-4, or 5, VTY lines. Today, most routers have 0-15, or 16, VTY lines. Make sure that you know how many VTYs your router has so that there arent some lines that are left without a password. Here is what you do to tell how many lines your router has:

As you can see from the screenshot above, this router has 16 (actually 0 to 15) VTY lines. You know this because the last line number is 15. Here is how you would configure the password and login commands on the VTY lines using the range of VTYs:

Configuring Cisco Router Privileged mode Passwords

Another basic router security requirement is that you configure a password used to enter privileged mode (enable mode). The enable password is a well-known way to do this but it is not recommended anymore because it does not encrypt the password with a strong encryption mechanism. The enable secret command does encrypt the password with a strong encryption mechanism and it also sets a password to enter enable mode. Here is how you configure an enable secret password:

Testing Password Configuration

To test our new password configuration from the console port, exit out of all IOS modes. Once logged off, press enter to log back in. You will be prompted with the console login prompt. Enter your console line password, cisco. Once you are logged in, type enable and press enter. You will be prompted for your privilege mode password. Type Cisco! and press enter. You should now be logged in. Here is an example:

Username Passwords
Optionally, you can configure usernames and associated passwords on a Cisco router. This is a more advanced level of security than line passwords. Once configured on the lines, the line password is then ignored. You configure the usernames with the username command and can add their password on the same command line. Optionally, you can configure the privilege level of that user. Level 15 is the administrative user. Once you create the username, you need to tell each line to use the local username/password database, on the router. To do this, go back to each line and type login local. Here is an example:

Now lets test it out:

Notice that we were prompted for a username. We typed in one of the users we setup, admin. We were then prompted for admins password. Also, because we specified that admins privilege was 15, we were put directly into privileged mode, with full administrative privileges (and without having to type enable). If we log out, and log back in, notice that user1 doesnt have the # sign, telling us that we are already in privileged mode:

What you learned

In this article, you learned that there are line passwords and privileged mode passwords. The line passwords protect the console, aux, and vty lines. They are configured with the password and login command. The privileged mode password should be configured with enable secret. Optionally, you can configure usernames and use the login local command on the lines. All routers should be protected by a password, at minimum. Additionally, privileged mode (and configuration mode) should be controlled by an additional password. Your action: check each router for proper line and password security as this is the minimum level of security you should employ.