Setting passwords on a Cisco

router
By Todd Lammle May 1, 2001, 12:00 AM PST
Email Alert
RSS
Network security relies heavily on passwords. Cisco routers
use passwords to ensure that only "trusted" users
can perform certain services. In this Daily Drill Down, Todd
Lammle takes you on a journey through Cisco passwords.

In this Daily Drill Down, I will focus on a great way to ensure basic security on a
Cisco router: router passwords. Passwords are absolutely the best defense against
would-be hackers. Leaving no passwords on a Cisco router can cause major
problems. Keep in mind that using passwords is just the first line of defense, and
you should have other security features on your network as well.

Cisco has some defense against would-be hackers built into its router
Internetworking Operating System (IOS). For example, it is impossible to Telnet
into a Cisco router unless an administrator configures the router with a Telnet
password or uses the No Login command, which allows users to Telnet into a
router with no password. Either way, something has to be configured for Telnet to
work. Also, you cannot enter privileged mode (which is the IOS EXEC mode that
allows you to view or change the configuration on a router) from Telnet unless an
Enable password is set. These are very basic features of Cisco routers and allow
only some security.

Here, I will focus on the five basic Cisco router passwords you can use to protect
your network. However, first you must know the difference between user mode and
privileged mode. Both of these modes are called EXEC mode, and a prompt is
used to tell you which mode you are in.

User mode CLI
The user mode EXEC command-line interface (CLI) is sometimes referred to as
useless mode because it doesnt do a whole lot. User mode lets you view
interface statistics and is typically used by junior administrators to gather facts for
the senior staff. You dont want highly paid people sitting around gathering basic
network statistics when a junior administrator can be adequately trained to
document this information. To get into user mode, you can connect in one of three
ways:
Console: An RJ-45 connection on all Cisco routers allows full access to the
router if no passwords are set.
Aux: An RJ-45 connection on most routers allows you to connect a modem to
the port, dial in to the router, and make a console connection.
VTY: Virtual Teletype is used to allow a Telnet connection to the router, which
will then work like a console port. You must have an active interface on the
router for Telnet to connect to the router.

The most important thing to understand about the three connection modes is that
they get you into user mode only. To view and change the configuration, you need
to be in privileged mode.

Privileged mode CLI
The privileged EXEC mode allows full access to a Cisco router by default, and the
configuration can be both viewed and changed in this EXEC mode. You can enter
privileged mode by first entering user mode and then typing the command enable.

It is important to remember that to change the router configuration, you must be in
privileged EXEC mode. The console, aux, and VTY ports are used to get into user
mode only and have nothing to do with how the router is configured.

Here is an example of how to get into privileged mode on a Cisco router through
the console port:
Line con 0 now ready, press return to continue

At this point, you press Enter. Next, you will see:
Enter password:

This prompt is asking for the console user-mode password. Then, you will see:
Router>enable
Router#

The prompt at user mode is the greater-than sign (>). When you are in privileged
mode, the prompt changes to a pound sign (#).

Global configuration mode
Once you are in privileged mode, you enter global configuration mode to change
the configuration. You make changes by typing the command configure terminal.
However, I prefer to type the shortcut command config t. This allows you to change
the running-config, a file that is in DRAM and is the configuration the router is
using. You can save the running-config to what is called Non-Violate RAM
(NVRAM). The file that is copied into NVRAM is called startup-config and is the
configuration that is copied to RAM when the router is rebooted or powered up.

Once you type configure terminalfrom privileged mode, your prompt changes to the
following:
Router#configure terminal
Router(config)#

This prompt tells you that you are in global configuration mode. From here, you can
make changes to the router that affect the router in whole, hence the name global
configuration mode. For example, this is the location where you set the router
passwords.

If you want to change the configuration of an interface, you would have to enter
interface configuration mode from global configuration mode. Here is an example:
Router#configure terminal
Router(config)#interface fastethernet 0/0
Router(config-if)#

Notice the prompt is Router(config-if)#, which tells you that you are in interface
configuration mode. From here, you can enable or disable the interface, add IP and
IPX addresses, and more.

The five passwords
Now that you understand the difference between user mode, privileged mode, and
global and interface configuration modes, you can now set the passwords for each
level.

Here are the five passwords you can set on a Cisco router:
Console
Aux
VTY
Enable password
Enable Secret

We will discuss each of these passwords and how to configure them in the
following sections.

Console
This is the basic connection into every router. To initially set up a router, you need
to connect to the console port and at a minimum enable one interface and set the
VTY password. After one interface is enabled and the VTY lines are configured, an
administrator can then Telnet into the router and do the final configurations from
that connection. However, the console port can be used to configure the complete
configuration at any time. This makes it very important to protect the console port
with a password.

To configure a console user-mode password, use the Line command from global
configuration mode. There is only one console port on all routers, so the command
is
line console 0

Here is an example:
Router#config t
Router(config)#line console 0
Router(config-line)#

Notice the prompt changed to Router(config-line)#. This prompt tells you that you
are configuring the console, aux, or VTY lines.

To finish configuring the console port, you can use two more commands:
Login:This tells the router to look under the console line configuration for the
password. If you do not use this command, you will not be prompted for a
password when you connect to the routers console port.
Password: This sets the console user-mode password. It is case sensitive.

The complete command will look like this:
Router#config t
Router(config)#line console 0
Router(config-line)#login
Router(config-line)#password todd

Aux
On some routers, aux is called the auxiliary port, and on some it is called the aux
port. To find the complete command-line name on your router, use a question mark
with the Line command as shown:
Router(config)#line ?
< 0-4> First Line Number
aux Auxiliary line
console Primary terminal line
vty Virtual terminal

At this point, you can choose the correct command you need. Here is an example
of setting the aux port on a Cisco router to prompt for a user-mode password with a
console cable connected (this port can be used with or without a modem):
Router#config t
Router(config)#line aux 0
Router(config-line)#login
Router(config-line)#password cisco

VTY (Telnet)
The Virtual Teletype (VTY) lines are used to configure Telnet access to a Cisco
router. As I mentioned earlier, the VTY lines must be configured for Telnet to be
successful.

Here is an example of an administrators attempt to Telnet to a router that does not
have the VTY lines configured:
Password not set, connection refused

This is the default on every Cisco router.

To configure the VTY lines, you must use the question mark with the command
line 0

to determine the number of lines available on your router. The number varies with
the type of router and the IOS version. However, five is the most common number
of lines.
Router#config t
Router(config)#line vty 0 ?
<0-4> Last Line Number
<cr>
Router(config)#line vty 0 4
Router(config-line)#login
Router(config-line)#password cisco

Notice that you choose all the lines available for the most efficient configuration.
You can set each line individually, but because you cannot choose the line you
enter the router with when you Telnet, this can cause problems.

You can tell the router to allow Telnet connections without a password by using the
No Login command:
Router(config)#line vty 0 4
Router(config-line)#no login

Enable password
The Enable password is used to allow security on a Cisco router when an
administrator is trying to go from user mode to privileged mode. The Enable
password is an old, unencrypted password that will prompt for a password when
used from privileged mode. You set the Enable password from global configuration
EXEC mode and use the command
enable password password

Here is an example:
Router#config t
Router(config)#enable password lammle
Router(config)#exit
Router#disable (the disable command takes you from privilege mode back to user
mode)
Router>enable
Enter password:

Enable Secret
The Enable Secret password accomplishes the same thing as Enable. However, it
is encrypted by default and supercedes Enable if it is set. In other words, if you set
the Enable password and then set the Enable Secret password, the Enable
password will never be used.

You set the Enable Secret password from global configuration mode by using the
command:
enable secret password

Heres an example:
Router#config t
Router(config)#enable secret san jose

Encrypting your passwords
The Line command passwords (console, aux, and VTY) are not encrypted by
default and can be seen by going into privileged EXEC mode and typing the
command
show running-config

This displays the complete configuration that the router is running, including all the
passwords. Remember that the Enable Secret password is encrypted by default,
but the other four are not. To encrypt your passwords, use the global configuration
command
service password-encryption

Here is an example of how to perform manual password encryption (as well as an
example of how to set all five passwords):
Router#config t
Router(config)#service password-encryption
Router(config)#enable password todd
Router(config)#line vty 0 4
Router(config-line)#login
Router(config-line)#password todd
Router(config-line)#line con 0
Router(config-line)#login
Router(config-line)#password cisco
Router(config-line)#line aux 0
Router(config-line)#login
Router(config-line)#password sanjose
Router(config-line)#exit
Router(config)#no service password-encryption
Router(config)#enable secret lammle
Router(config)#^Z

All of the passwords can be the same except the Enable and the Enable Secret
passwords. You should make them different for security reasons, however.

Conclusion
It is extremely important to set your passwords on every Cisco router your company
has. If you are studying for your Cisco certification exams, be sure you understand
the passwords and how to set them. Remember the difference between the Enable
Secret and the Enable password and that the Enable Secret password supercedes
the Enable password if its set.
The authors and editors have taken care in preparation of the content contained
herein but make no expressed or implied warranty of any kind and assume no
responsibility for errors or omissions. No liability is assumed for any damages.
Always have a verified backup before making any changes.