Router Passwords

The router passwords on a Cisco router provide security against casual, unwanted users; Cisco IOS passwords were never intended to resist a determined, intelligent attack. Many programs exist (Cisco is aware of these programs) that instantly reverse the weak type 7 obfuscation applied by service password-encryption or run dictionary attacks against the MD5 hash that enable secret stores. Cisco therefore recommends that some type of user-authentication protocol be used to enhance the security of Cisco routers; RADIUS and TACACS+ are two of the more popular authentication methods that major corporations use today. Cisco routers utilize five different password types to provide security.

The enable password and enable secret Password Commands

The enable password and enable secret commands protect privileged EXEC (enable) mode: both set the password a user must supply after typing enable. The enable password command stores its value in cleartext unless service password-encryption is configured; the enable secret command was developed later and stores an MD5 hash of the password instead, so the password cannot be read back out of the configuration. When both are configured, the enable secret password overrides the enable password. An enable secret password is entered by issuing the following command:

 
 Router(config)#enable secret NFLD

The enable password and enable secret commands also accept privilege levels (the level keyword). Those options are not part of the objectives set by the CCNA exam and are not, therefore, presented in this book.

The console and auxiliary Password Commands

The console and auxiliary password commands restrict user mode access via the console or auxiliary ports on the router:

 
 Router(config)#line aux 0
 Router(config-line)#login
 Router(config-line)#password NFLD

The login command tells the router to prompt for the line password every time a user connects via the auxiliary port. The login command can be added to the console line to require a password there as well. The console password is set with the same command format as the aux password, except that the keyword aux is changed to con (line con 0). Set the password in the same session as login: a line configured with login but no password rejects every login attempt with the message "Password required, but none set."

The virtual terminal Password Command

The virtual terminal (or vty) password restricts user mode access via Telnet sessions. The virtual terminal password must be set; otherwise, a user will not be able to log in to the router with a Telnet session, because the router refuses the connection with "Password required, but none set." Multiple virtual terminal sessions can be active at one time. A separate password can be specified for each vty line, or, as in the following example, one password can be applied to a whole range of lines:

 
 Router(config)#line vty 0 4
 Router(config-line)#login
 Router(config-line)#password NFLD

By default a Cisco IOS router provides five vty lines, so it allows five simultaneous Telnet connections. Notice that the syntax is line, then the line type, then the line number or range. Cisco line and interface numbers always start at 0. In this example we specify all five lines, numbers 0 through 4, so all five virtual terminals use the password "NFLD."

Of the five different types of passwords, only the enable secret password is protected by default. For the remaining four, you must use the service password-encryption command. This command obfuscates the enable password, console, auxiliary, and virtual terminal passwords as they appear in the configuration file (the enable secret is already hashed and is left alone):

 
 Router(config)#service password-encryption 

Enabling the command converts the passwords already present in the configuration as well as any entered afterwards; removing it again with no service password-encryption does not restore already-converted passwords to cleartext. The service password-encryption command does not provide a high level of network security: it applies a reversible (type 7) encoding that freely available tools undo instantly, so it only keeps an unauthorized individual from reading a password off a configuration file at a glance. Treat any configuration containing type 7 passwords as if it contained the passwords in cleartext, and never reuse those passwords elsewhere.
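The following Python script is an added example, not code from the book, that shows concretely what "does not provide a high level of network security" means for the five password types above. It implements the publicly documented type 7 scheme (a fixed XOR key table, here named XLAT, indexed from a two-digit decimal seed) in both directions, then audits a constructed show running-config excerpt: every type 7 string is turned back into plaintext offline, cleartext passwords are flagged, and only the enable secret (type 5, a salted MD5 hash) survives as unrecoverable. The excerpt, the password values and the type 5 hash string in it are constructed for the demonstration and do not come from a real device.

```python
"""Audit password lines in a Cisco IOS running-config excerpt.

Demonstrates that `service password-encryption` (type 7) is obfuscation, not
encryption: the key table is public, so every type 7 value is reversible.
"""
import re

# Public key table of the IOS type 7 scheme (Vigenere-style XOR).
XLAT = "dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_decode(enc: str) -> str:
    """Reverse a `password 7` string: 2-digit decimal seed, then one XORed byte per hex pair."""
    if len(enc) < 4 or len(enc) % 2 or not enc[:2].isdigit() or not re.fullmatch(r"[0-9A-Fa-f]+", enc[2:]):
        raise ValueError(f"not a type 7 string: {enc!r}")
    seed = int(enc[:2], 10)
    plain = []
    for i, pos in enumerate(range(2, len(enc), 2)):
        byte = int(enc[pos:pos + 2], 16)
        plain.append(chr(byte ^ ord(XLAT[(seed + i) % len(XLAT)])))
    return "".join(plain)


def type7_encode(plain: str, seed: int = 0) -> str:
    """Produce the form IOS stores; included only to show the scheme is symmetric."""
    if not 0 <= seed <= 15:
        raise ValueError("IOS seeds are 00..15")
    body = "".join(f"{ord(ch) ^ ord(XLAT[(seed + i) % len(XLAT)]):02X}" for i, ch in enumerate(plain))
    return f"{seed:02d}{body}"


# Constructed `show running-config` excerpt covering all five password types.
# The type 5 hash is a constructed placeholder, not a hash of any known password.
SAMPLE_CONFIG = """\
service password-encryption
!
enable secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0
enable password 7 022822772F
!
line con 0
 password 7 0822455D0A16
 login
line aux 0
 password 7 022822772F
 login
line vty 0 4
 password NFLD
 login
"""

# Matches `enable secret [type] value`, `enable password [type] value`, `password [type] value`.
PASS_RE = re.compile(r"^\s*(enable secret|enable password|password)(?:\s+(\d+))?\s+(\S+)\s*$")


def audit_config(config: str) -> list[dict]:
    """One finding per password line: section, keyword, how it is stored, plaintext if recoverable."""
    findings = []
    section = "global"
    for line in config.splitlines():
        if line.startswith("line "):          # `line con 0`, `line aux 0`, `line vty 0 4`
            section = line.strip()
            continue
        m = PASS_RE.match(line)
        if not m:
            continue
        keyword, ptype, value = m.group(1), m.group(2) or "0", m.group(3)
        if ptype == "7":
            finding = dict(section=section, keyword=keyword,
                           storage="type 7 (reversible)", plaintext=type7_decode(value))
        elif ptype == "0":                     # no type, or explicit `0`: cleartext
            finding = dict(section=section, keyword=keyword,
                           storage="cleartext", plaintext=value)
        else:                                  # type 5 MD5-crypt (and newer 8/9): not reversible
            finding = dict(section=section, keyword=keyword,
                           storage=f"type {ptype} (hashed)", plaintext=None)
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print(f"{f['section']:<12} {f['keyword']:<16} {f['storage']:<22} {f['plaintext']}")
```

Running the script prints the four type 7 and cleartext line passwords in the clear next to the section they guard, while the enable secret line is reported as hashed with no plaintext; that is the whole difference between enable secret and the other four password types. The same audit can be pointed at a saved configuration to check that no line is still relying on a cleartext password.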



CCNA Exam Cram[tm] 2 (Exams 640-821, 640-811, 640-801)
ISBN: 0789730197
EAN: N/A
Year: 2005
Pages: 155

flylib.com © 2008-2017.