In the last video in this series, we looked at the basic configuration tasks on a Cisco router such as setting hostnames and banners.
In this video, we will discuss password management on the Cisco IOS, especially as it relates to securing access to the console using the login and password commands. We will also secure access to the privileged EXEC mode using the enable password and enable secret commands.
For more information on Cisco IOS, please consult our article titled “Evolution of Cisco IOS.”
New tutorial videos are posted every Monday, so keep checking back!
If you have any questions, or would like to suggest topics for future videos, please leave them in the comments section below.
- CCNA Exam: Security Topics Hands-on: http://resources.intenseschool.com/ccna-exam-security-topics-hands-on/
Welcome back to the CCNA prep video series, where we have been looking at the configuration and verification objectives of the 200-120 exam.
In this video we will discuss password management on the Cisco IOS, especially as it relates to securing access to the console and also to the privileged EXEC mode. By default, when we log out of the console and log back in (so, log out and then log back in), no password is required; as you can see, I have been placed in the privileged EXEC mode already. This means that if anybody gains physical access to your router and connects a console cable to it, they can at least gain user EXEC mode access to your router. To remedy this we can configure the router to require a password before granting access to the console.

So I will go to the global configuration mode. There is only one console port on the Cisco router, and it is accessed with the ‘line console 0’ command. This brings us into line configuration mode. By accessing the help content we can see the ‘password’ command; I am just going to press ‘more’, ‘more’, right, and then we have this ‘password’ command here. This allows us to set a password. Let us go ahead and configure a password and then log out. Now let’s bring it back. So what happened? It didn’t ask me for a password. The reason is that, by default, the console line does not check for authentication. We can enable authentication. So let’s go back onto that line, ‘line console 0’. We enable authentication on the terminal line by configuring the ‘login’ command on that line. So I just type ‘login’, then ‘logout’, and then come back. Now you can see it says “User Access Verification” and it requires me to enter the password. So ‘Cisco’, and I am given access to the console again.

Keep in mind that if you type the ‘login’ command before setting a password, the ‘login’ command will be accepted but it won’t be enforced. So let’s go back: ‘config t’, ‘line con 0’. Let’s remove the password that we set. Now let’s also remove the ‘login’ command. Now if I put ‘login’ back, look at what happens.
It tells me that login is disabled on line 0 until the password is set. The reason it does this is that if you enable authentication but don’t set a password, you can effectively lock yourself out of your router. So that is just something to keep in mind when you are using the ‘login’ and ‘password’ commands.
Furthermore, you don’t want just anyone who has access to your router to be given the highest privilege available. Therefore it is recommended that you secure access to the privileged EXEC mode. There are two basic ways this can be done: the first is to set an enable password, and the second is to set an enable secret. One is superior to the other security-wise, as we are going to see later. Keep in mind that I said basic ways to secure access to the privileged EXEC mode, because there are more advanced methods that we will consider later on in this series.
To set the enable password I am just going to go to global configuration mode and type ‘enable password’ followed by the password. So for this let’s just say ‘cisco123’. Now if I log out and log back in, notice that the console does not ask me for the enable password. To see why, let’s view the console configuration with ‘show run | section line con 0’. There is something that I did here that I want you to understand: I used the pipe (|) to view only the part of the configuration that deals with line 0. The ‘se’ stands for section. Actually, let me just show you: ‘show run | ?’ lists what you can use. You can use ‘append’, ‘begin’, ‘exclude’, ‘include’, ‘redirect’, ‘section’ and ‘tee’. I used ‘section’ because I wanted to view only the line sections. So I press enter and now I can see line console, line aux and line vty. I am concerned with line console for now.

Now, the reason it doesn’t ask me for the enable password is this ‘privilege level 15’. In another video I explain privilege levels, but for now let’s just take that out: ‘line console 0’, ‘no privilege level 15’. If I log out now, you can see that I am placed in user EXEC mode. So if I type ‘enable’ it asks me for the password, and this is the enable password that we configured. So I am just going to type ‘cisco123’. As you can see, the CLI doesn’t show the password as I type it, but if I press enter, that password is good.

However, there is a problem with the enable password. Let’s look at the running configuration with ‘show run’. Notice the enable password, ‘enable password cisco123’: it is in plain text. That means anybody looking over your shoulder, or anybody who gets access to this configuration, already knows what your enable password is. That is why Cisco has something called service password-encryption, which you can enable on Cisco IOS to encrypt all of our plain-text passwords.
Not just the enable password, but also the login password and things like that. It uses a Vigenère cipher for encryption. To enable service password-encryption, let’s go back to the global configuration mode. I type ‘service password-encryption’ and press enter. Now let’s check our running config again. Notice that I did something else here: I ran ‘show run’ even though I was in global configuration mode. That’s because I used the ‘do’ command. The ‘do’ command allows us to run privileged EXEC mode commands from anywhere, so as long as you use ‘do’ you are fine. That saves you a lot of stress: rather than going all the way back to privileged EXEC mode and typing your show command there, you can just use ‘do’ followed by the show command.

Now notice that the enable password is encrypted. We have all this ‘050…’; it’s no longer in plain text, and you can see this ‘7’ here. ‘7’ means that it is using the type 7 algorithm for encryption, which is the Vigenère cipher. However, there is still a problem with this. This form of encryption is very easy to crack. If I bring up a web browser and search for ‘crack Cisco password online’, you can see the number of results that come up. Let’s just use any of them: ‘Open in new tab’. Then I am going to copy that password, that’s this one, paste it here, and click ‘crack password’. As you can see, very easy: ‘cisco123’.
This brings us to the second method of securing access to the privileged EXEC mode. Cisco doesn’t actually recommend using the enable password command anymore, unless your Cisco IOS does not support the newer enable secret command. The enable secret command uses the MD5 hash algorithm, which is more difficult to crack, although it’s still possible with brute force. So if I type ‘enable secret cisco123’, one thing you should notice is that you cannot use the same value for the enable secret and the enable password. You get an error: ‘the enable secret you have chosen is the same as your enable password’. So ‘enable secret cisco1234’, right. Now when we check the running configuration, we see that the enable secret is hashed, and notice this ‘5’ in front of it, meaning it’s using MD5; ‘7’ means that it is using the type 7 algorithm, which is the Vigenère cipher.
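The two problems walked through above (console lines with ‘login’ but no ‘password’, and enable/line passwords stored in plain text or as reversible type 7 strings) are easy to miss by eye in a long running-config. As an added example that is not part of the original video or of Cisco’s own tooling, the following Python audit script parses a ‘show running-config’ excerpt and reports those conditions. The sample configuration embedded in it is constructed for illustration, including the type 7 string, and the finding texts are this example’s own wording.

```python
import re

# Constructed sample excerpt of 'show running-config' output (not from a real
# device); the password values, including the type 7 string, are illustrative.
SAMPLE_CONFIG = """\
!
hostname R1
!
enable password cisco123
!
line con 0
 login
!
line aux 0
!
line vty 0 4
 password 7 0822455D0A16
 login
!
"""


def parse_config(config):
    """Split a running-config into top-level commands and per-'line' sections.

    Returns (global_cmds, line_sections), where line_sections maps a header
    such as 'line con 0' to the list of its indented sub-commands.
    """
    global_cmds = []
    line_sections = {}
    current = None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue  # comment / separator lines carry no configuration
        if raw.startswith(" "):
            # Indented command belongs to the most recent 'line' header
            if current is not None:
                line_sections[current].append(raw.strip())
            continue
        cmd = raw.strip()
        if cmd.startswith("line "):
            current = cmd
            line_sections[current] = []
        else:
            current = None
            global_cmds.append(cmd)
    return global_cmds, line_sections


def audit_passwords(config):
    """Return a list of findings about how the config protects EXEC access."""
    findings = []
    global_cmds, line_sections = parse_config(config)

    has_secret = any(c.startswith("enable secret ") for c in global_cmds)
    has_enable_pw = any(c.startswith("enable password ") for c in global_cmds)
    if has_enable_pw:
        findings.append("global: 'enable password' is set; replace it with 'enable secret'")
    if not has_secret:
        findings.append("global: no 'enable secret'; privileged EXEC is not protected by a hashed secret")
    if "service password-encryption" not in global_cmds:
        findings.append("global: 'service password-encryption' is off; line passwords are stored in plain text")

    for name, cmds in line_sections.items():
        # 'login' checks the line password; 'login local' / 'login authentication'
        # use usernames or AAA instead, so they do not need a line password.
        uses_line_pw = any(c == "login" for c in cmds)
        uses_other = any(c.startswith("login ") for c in cmds)
        passwords = [c for c in cmds if c.startswith("password ")]
        if not uses_line_pw and not uses_other:
            findings.append(f"{name}: no 'login'; the line does not ask for a password")
        elif uses_line_pw and not passwords and not uses_other:
            findings.append(f"{name}: 'login' without 'password'; IOS keeps login disabled until one is set")
        for pw in passwords:
            m = re.match(r"password (\d+) ", pw)
            if m is None or m.group(1) == "0":
                findings.append(f"{name}: plain-text password in the running-config")
            elif m.group(1) == "7":
                findings.append(f"{name}: type 7 password; trivially reversible, so do not rely on it")
        if "privilege level 15" in cmds:
            findings.append(f"{name}: 'privilege level 15' bypasses the enable prompt")
    return findings


if __name__ == "__main__":
    for finding in audit_passwords(SAMPLE_CONFIG):
        print(finding)
```

Run it against the output of ‘show running-config’ saved to a file; a configuration with ‘enable secret’, ‘service password-encryption’ and ‘login local’ on every line produces no findings, whereas the sample above produces six.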
This brings us to the end of this video, where we have used the login and password commands to secure access to the console. We have also used the enable password and enable secret commands to secure access to the privileged EXEC mode. I hope you have found this video insightful, and I look forward to the next video in the series.