Some time ago, I made a video training course on the CCNA Security certification, and one of the students had a couple of questions for me after going through it. One of them was confusion about enable passwords, enable secrets, privilege levels and related issues. Therefore, in today's article in the 'CCNA Security - Solutions to Frequently Asked Challenges (FACs)' series, we will clear up any doubts you may have about these. You can read the first article in this series for an explanation of what the series is about. As always, this article is hands-on and you will also have access to the GNS3 files.
A note about privilege levels
To begin our discussion, we first need to familiarize ourselves with the privilege levels on a Cisco device. An analogy I like to use is an organization: a janitor is not permitted to see some of the information the CEO has access to, because the CEO is at a higher privilege level than the janitor. It is the same with privilege levels on a Cisco device: the higher the privilege level, the more commands you have access to.
Privilege levels on a Cisco device range from 0 to 15 (16 privilege levels). There are two EXEC modes in Cisco IOS: User EXEC mode and Privileged EXEC mode. User EXEC mode is at privilege level 1 by default, while Privileged EXEC mode is at privilege level 15. Level 0 also exists, but it allows only a handful of commands (disable, enable, exit, help and logout), and levels 2 to 14 are empty until you assign commands to them. Let's see this in action.
We will be using a very simple network diagram for demonstration purposes as shown below:
I am using GNS3, so I will explain what happens from a GNS3 perspective and hint at what may happen on real routers. When you open the console of a router in GNS3, you will be presented with a prompt similar to "Router_Name#".
Opening a console connection like this in GNS3 is similar to connecting a console cable to a real Cisco device. You will notice that we are automatically placed in Privileged EXEC mode. How do I know this? The '#' sign is a good indication of being in Privileged EXEC mode, while the '>' sign tells you that you are in User EXEC mode. However, I can confirm which privilege level I am on using the command "show privilege".
However, if we were to telnet into this device (assuming that I have set a line password), we would be placed at privilege level 1, i.e. User EXEC mode.
Why this difference? The answer is revealed in the (default) configuration of the router, specifically the line configurations.
Notice from the configuration above that the console line has the 'privilege level 15' command under it while the VTY lines do not. This tells us that if we were to put that command under the VTY lines, we should also be placed at privilege level 15 by default after we open a telnet connection (which is exactly why you should not do this on a production device: anyone who gets past the line password is immediately a full administrator).
<CODE>
line vty 0 4
 privilege level 15
</CODE>
So we have seen the default commands and how they affect the different connection methods. Now, let's move on to how to change between EXEC modes.
Changing EXEC modes
We saw that, by default, a telnet connection is placed in User EXEC mode, but how does such a user reach Privileged EXEC mode? You guessed right: enable passwords/secrets. This is basic CCNA knowledge. Let me remove the privilege command I have under the VTY lines.
<CODE>
line vty 0 4
 no privilege level 15
</CODE>
Now, if I open a telnet connection to my router and then try to enter Privileged EXEC mode, notice what happens.
I have no enable password or secret set on this router, so I cannot gain access to Privileged EXEC mode remotely (by default, IOS refuses the enable command on a remote line when no enable password or secret is configured; the console is trusted and does not have this restriction). I assume you know that the enable password and enable secret commands do the same job, but the secret is the more secure of the two: enable password is stored in cleartext (or as a reversible type 7 string if service password-encryption is on), while enable secret is stored as a salted hash. If both are configured, IOS uses the secret and ignores the password. Let's look at the command structure for enable secret and see where the student I mentioned at the beginning of this article got confused.
His confusion was with the numbers 0 and 5 shown above. He knew very well that enable secret uses an MD5 hash, and that if you look at a hashed secret in the configuration you will see a '5' before the hash (you will see a '7' instead if service password-encryption is enabled and you have the enable password configured). His confusion was then: enable secret (MD5) is always hashed, so what does "0 UNENCRYPTED" mean? Also, does the '5' mean you are specifying a secret for privilege level 5?
When you enter "enable secret 0" followed by a password, it means the password you type is in plain text, e.g. "cisco" or "c1sc0", and the router will hash it for you. However, when you enter "enable secret 5" followed by a value, the Cisco device expects an already computed MD5 hash (the "$1$salt$hash" string) to follow and stores it as-is. In both cases, the secret ends up in the configuration in its hashed form only. Let's see this in reality:
Notice that in the configuration, the secret "cisco" has been hashed to become the string highlighted above. The four characters between the second and third '$' are a random salt the router generated, so re-entering the same secret would produce a different-looking hash. Now, let's try to use the '5' option with a normal plain text password and see what happens.
As you can see from the output above, the router expects a hash to follow when you specify the '5' option. To demonstrate this, I will copy the hash we already have, remove the enable secret, and then add it back using the '5' option.
<CODE>
no enable secret
enable secret 5 $1$tZdd$RedGVdYEyUK2j.c60wz3k0
</CODE>
The command was accepted as shown below.
To see if it works, I will open my telnet connection and try to enter the Privileged EXEC mode using the password of cisco.
Cool. So that settles the '0' and '5' options of the enable secret command. If you specify neither option, the router assumes that a plain text (unencrypted) password follows, exactly as '0' does. Let's look at one more thing that has to do with numbers when discussing privilege levels.
Remember we said above that there are 16 privilege levels in Cisco IOS; however, we deal mostly with 1 and 15. Imagine you had several network administrators at different skill and professional levels in your organization and you wanted them to access your devices at different privilege levels. This is possible with the 'privilege' keyword on the username command and, as we will see now, the 'level' keyword on the enable secret/password command. Let me show you what I mean:
The enable command itself also takes options, as shown below:
When we type the enable command without any options, the router interprets it as "enable 15", so it expects the privilege level 15 password/secret. Let's try to go into privilege level 3, for example.
As you can see, even though we have an enable secret configured, that secret applies only to level 15; every other level needs its own secret before "enable <level>" will work from a remote line.
To set an enable secret for a particular privilege level, we use the “level” option in the enable secret command. For example:
<CODE>enable secret level 3 cisco3</CODE>
From our configuration above, "cisco3" is the secret for privilege level 3, and we can now use it with "enable 3" from our telnet session.
Looking at our running configuration, the line now reads "enable secret level 3 5" followed by the hash: the 3 is the privilege level and the 5 after it is the encryption type, exactly as with the level-15 secret. I hope this article has been able to explain what those numbers signify.
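Putting the pieces together, here is an added configuration example (not the lab configuration from the article; the usernames and passwords are made up) that gives a junior operator tier its own level-3 secret and a small set of commands, while administrators keep level 15:

```cisco
! Added example: two operator tiers on one router.
! A level-15 secret for administrators and a level-3 secret for operators.
! Both are stored as type-5 (salted MD5) hashes once entered.
enable secret Full4dm1nS3cret
enable secret level 3 Op3ratorS3cret
!
! Commands that level 3 may run; everything else stays at level 15.
! Note: a level-3 user running show running-config sees only the lines
! at or below their own level.
privilege exec level 3 show running-config
privilege exec level 3 show ip interface brief
privilege exec level 3 ping
!
! Remote lines authenticate against local usernames and accept SSH only.
! "operator" lands at level 1 and must type "enable 3" with the level-3
! secret; "admin" lands at level 15 directly.
username operator secret Op3ratorL0gin
username admin privilege 15 secret Adm1nL0gin
line vty 0 4
 login local
 transport input ssh
```

After saving, show running-config shows both enable lines with the type column filled in, e.g. "enable secret level 3 5 $1$<salt>$<hash>", which is the same "level, then type" ordering discussed above. Leaving "privilege level 15" off the VTY lines, as the article does, is what makes the per-level secrets meaningful: if the line itself granted level 15, no enable secret would ever be asked for.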
This brings us to the end of this article, in which we have taken an in-depth look at the enable secret command. We have clarified what the numbers mean: on the IOS release used here, every enable secret line carries a '5' when you look at the router's configuration, and that '5' means the value is an MD5 (md5crypt, "$1$") hash. When typing the command in the CLI, however, the '5' option means that an already hashed value will follow (not a plain text password), and '0' means plain text. Newer IOS releases also offer stronger types through "enable algorithm-type sha256 secret" (shown as type 8, PBKDF2-SHA256) and "enable algorithm-type scrypt secret" (type 9), which you should prefer where available. Finally, we saw that different privilege levels can be given their own individual enable secrets by specifying the 'level' option.
I hope you have found this article insightful, and I look forward to answering another frequently asked challenge in the next article. Remember to drop your comments for the topics you would like answered.