Tuesday, October 26, 2010

Setting passwords on Cisco Routers and Switches

Passwords can be set on Cisco Routers and Switches to make the hardware and the network configuration in it secure. In this blog, I will show you how.

We can add a password for every user that wants to access to the device by entering "enable password " at the configuration terminal of the switch/hardware. In this way, every user will be asked for the password. However, this password is not fully secured since it can be seen on the show running-config command. To make it more secure and encrypted, we can use the "enable secret " command.

The enable secret password has a higher priority than the enable password command, meaning that if both of them are set, the password put in the secret password will be enabled. So, what is usage of the enable password command? Well, this command is used on devices that do not support enable secret password yet.

Cisco routers and switches can be accessed remotely and therefore passwords for this must be configured too. The command is "line vty 0 15" then "password " and then type login to put the command to work. If the password is not set yet, then the remote login will not be available. However, this password is still visible in the show running-config command on the bottom. Basically, a user that wants to login needs to enter the vty password first to get access to the router. After that, it needs to enter the password again to be able to go to the configuration mode of the router/switch (if this has been set before).

Privelege levels on each of the virtual lines can also be set entering the line desired in the configuration terminal mode e.g. "line vty 0 15" and then "privilege level <0-15>". 0 means that the user will be very limited to do operations on the router while 15 means that the user will have full access to configure the router/switch. Combining this with the password commands we can set different privileges based on the password that the user knows. e.g. for line vty 1 we set password line1 and the privilege level of 0, while line vty 2 we set the password line2 and the privelege level 15.

There is also the possibility for accessing the network using a username and password. To do that, we need to set up a database of users and password in the configure terminal mode. Insert then the following structure: "username privilege password ". We can do that for as many users as we want. Now, apply this feature to all of the lines of the router by entering the "line vty 0 15" command in the configure terminal mode. Then type the "login local" command to enable the router to check only for usernames and passwords stored in the local database. After this, the command will be put in play.





No comments:

Post a Comment