Cisco: how to set a password on a router

Cisco routers are widely used in networks to provide secure data transfer. One important aspect of securing them is setting and changing the passwords used to access the router. This prevents unauthorized access to the device and its settings. This article gives detailed instructions for setting and changing passwords on Cisco routers.

Before setting passwords on Cisco routers, it is important to understand the different types of passwords that can be set. There are three main types of passwords on Cisco routers: the password for entering privileged mode, the password for entering configuration mode, and the password for logging in over SSH.

Setting a password for privileged mode restricts access to the router's main settings. A password for configuration mode prevents unauthorized changes to the router's settings. A password for SSH login provides a protected connection to the router.

So if you want to set or change passwords on Cisco routers, be ready to follow the detailed instructions given below.

Contents

  1. Preparing to set a password on a Cisco router
  2. Steps for setting a password on a Cisco router
  3. How to change the password on a Cisco router
  4. Recommendations for creating a secure password
  5. What to do if you forgot the password on a Cisco router

Preparing to set a password on a Cisco router

Before setting a password on a Cisco router, complete a few preliminary steps:

Step 1: Connect a computer to the Cisco router with an Ethernet cable.

Step 2: Open a web browser and enter the router's IP address in the address bar.

Step 3: Enter the username and password. If you are configuring the router for the first time, use the default credentials (for example, admin / admin) or the credentials supplied by your Internet service provider.

Step 4: Go to the security settings and find the password section.

Step 5: Choose the type of password you want to set (for example, the router access password, the wireless network password, and so on) and enter the new password.

Step 6: Save the changes and restart the router.

After completing these steps you will have set a password on the Cisco router and protected it from unauthorized access.

Steps for setting a password on a Cisco router

  1. Connect a computer to the Cisco router with an Ethernet cable.
  2. Open a web browser and enter the Cisco router's IP address in the address bar. The address of a Cisco router is usually 192.168.1.1, but it may differ depending on the network settings.
  3. In the login window that opens, enter the default username and password. These are usually "admin" and "password".
  4. After logging in, find the "Security" or "Security Settings" section.
  5. Choose the "Password" or "Change Password" option to change the current password.
  6. Enter the new password and confirm it. Make sure the password is complex and strong enough to keep the network secure.
  7. Save the changes and exit the router settings.

After completing these steps your Cisco router will be password protected, which helps prevent unauthorized access to your network.

How to change the password on a Cisco router

Step 1: Connect to the Cisco router with a terminal program or similar software.

Step 2: Enter privileged EXEC mode by entering the privileged (enable) password.

Step 3: Enter the configure terminal command to enter configuration mode.

Step 4: Enter the enable secret new_password command to set a new password for privileged mode.

Step 5: Enter the line vty 0 4 command to select the virtual terminal lines.

Step 6: Enter the password new_password command to set a new password for the virtual terminal lines.

Step 7: Enter the exit command to leave configuration mode.

Step 8: Enter the write memory command to save the new settings.

The new password is now set on your Cisco router. Remember to record it in a safe place so that you do not lose access to the router.

Recommendations for creating a secure password

  1. Use a combination of characters
  2. Create a long password
  3. Avoid simple words and phrases
  4. Vary the case of the characters
  5. Use special characters
  6. Do not use personal information
  7. Do not reuse the same password
  8. Change the password periodically

By following these recommendations you can create a secure password that is hard to guess and protects your Cisco router from unauthorized access.

What to do if you forgot the password on a Cisco router

If you forget the password on a Cisco router, you may lose access to its settings and to management of the devices on the network. Not all is lost, however: you can recover the password and regain access to the router. Here are several methods that can help:

1. Restoring the factory defaults: most Cisco router models have a "Reset" button on the back panel. You can press it with a pointed object, such as a ballpoint pen, to return the router's settings to the factory defaults, including the password. Keep in mind that this erases all settings and data on the router, so use this method only as a last resort.

2. Using the recover configure command: for this you need access to the device's command line. Reboot the router and press Ctrl+Break (or Ctrl+Pause on some models) during boot. This takes you into ROMMON mode. Enter the command "confreg 0x2142", then reboot the device with the "reset" command. The router boots without applying its current configuration, and you can then change the password with the "configure terminal" command and enter a new password.

3. Using a password recovery program: there are many software tools that can help recover the password on a Cisco router. Some of them are paid, but free options also exist, such as "Cisco Password Recovery Tool". Install the chosen program on a computer, connect the router to the computer with a console cable, and follow the program's instructions for recovering the password.

Remember that changing or recovering the password on a Cisco router must be done responsibly and with the owner's consent. These methods may require technical knowledge and carry a risk of data loss. If in doubt, seek help from networking professionals.

Configuring Security with Passwords, Privileges, and Logins

Cisco IOS based networking devices provide several features that can be used to implement basic security for CLI sessions using only the operating system running on the device. These features include the following:

  • Different levels of authorization for CLI sessions, to control access to commands that can modify the status of the networking device versus commands that are used to monitor the device

  • Assigning passwords to CLI sessions

  • Requiring users to log in to a networking device with a username

  • Changing the privilege levels of commands to create new authorization levels for CLI sessions

This module is a guide to implementing a baseline level of security for your networking devices. It focuses on the least complex options available for implementing a baseline level of security. If you have networking devices installed in your network with no security options configured, or you are about to install a networking device and need help understanding how to implement a baseline of security, this document will help you.

Restrictions for Configuring Security with Passwords, Privileges, and Logins

Your networking device must not be configured to use any local or remote authentication, authorization, and accounting (AAA) security features. This document describes only the non-AAA security features that can be configured locally on the networking device.

For information on how to configure AAA security features that can be run locally on a networking device, or on how to configure remote AAA security using TACACS+ or RADIUS servers, see the Securing User Services Configuration Guide Library.

Restrictions and Guidelines for Reversible Password Types

  • Password type 0 and type 7 are deprecated. Password type 0 and type 7, used for administrator login to Console, Telnet, SSH, webUI, and NETCONF, must be migrated to password type 8 or type 9.

  • No action is required if username and password are type 0 and type 7 for local authentication such as CHAP, EAP and so on for ISG and Dot1x.

  • Enable password type 0 and type 7 must be migrated to password type 8 or type 9.

Restrictions and Guidelines for Irreversible Password Types

  • Password type 5 is deprecated. Password type 5 must be migrated to the stronger password type 8 or type 9.

  • For username secret password type 5 and for enable secret password type 5, migrate to type 8 or type 9.

  • Secret password type 4 is not supported.
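As an added example (not Cisco's code or the article's), the following Python script audits a saved IOS/IOS XE configuration for the deprecated reversible and irreversible types listed above, so an operator can check which enable, username, console and VTY passwords still need migrating to type 8 or type 9. The sample configuration, its hashes and its type 7 strings are constructed placeholders.

```python
# Audit a Cisco IOS / IOS XE configuration for deprecated password types.
# Constructed example; it reports every password or secret still written as
# type 0 (plain text), type 7 (reversible), type 5 (MD5) or type 4 (unsupported).
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Finding:
    line_no: int   # 1-based line within the configuration text
    context: str   # "global" or the enclosing line section, e.g. "line vty 0 4"
    command: str   # the offending configuration command, stripped
    ptype: str     # type as written in the configuration: "0", "4", "5" or "7"
    advice: str


# Migration advice per stored type, following the restrictions above.
ADVICE = {
    "0": "stored in plain text; migrate to type 8 or type 9",
    "7": "type 7 is reversible and deprecated; migrate to type 8 or type 9",
    "5": "type 5 (MD5) is deprecated; migrate to type 8 or type 9",
    "4": "type 4 is not supported; reconfigure as type 8 or type 9",
}

# Global configuration commands that carry a password or secret.
GLOBAL_PATTERNS = [
    # enable password|secret [level N] [type] VALUE
    re.compile(r"^enable (?P<kw>password|secret)(?: level \d+)?(?: (?P<type>\d))? (?P<val>\S+)$"),
    # username NAME [privilege N] password|secret [type] VALUE
    re.compile(r"^username \S+(?: privilege \d+)? (?P<kw>password|secret)(?: (?P<type>\d))? (?P<val>\S+)$"),
]
# Line configuration command, indented one space under "line con 0", "line vty 0 4", ...
LINE_PASSWORD = re.compile(r"^ password(?: (?P<type>\d))? (?P<val>\S+)$")
LINE_HEADER = re.compile(r"^line \S")


def _weak_type(match) -> Optional[str]:
    """Return the stored type if it must be reported, else None."""
    ptype = match.group("type")
    # "password VALUE" with no type number is stored as type 0.  "secret VALUE"
    # with no number is hashed by the device on entry, so there is nothing to report.
    if ptype is None and match.groupdict().get("kw", "password") == "password":
        ptype = "0"
    return ptype if ptype in ADVICE else None


def audit_config(config_text: str) -> List[Finding]:
    """Return a Finding for every weak password or secret in the configuration."""
    findings = []
    context = "global"
    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        if not raw.strip() or raw.startswith("!"):
            continue
        if LINE_HEADER.match(raw):
            context = raw.strip()      # entering a "line ..." section
            continue
        if not raw.startswith(" "):
            context = "global"         # any other top-level command ends the section
        candidates = GLOBAL_PATTERNS if context == "global" else [LINE_PASSWORD]
        for pattern in candidates:
            match = pattern.match(raw)
            if match:
                ptype = _weak_type(match)
                if ptype is not None:
                    findings.append(Finding(line_no, context, raw.strip(), ptype, ADVICE[ptype]))
                break
    return findings


def report(findings: List[Finding]) -> List[str]:
    """One human-readable line per finding; the secret value itself is never echoed."""
    lines = []
    for f in findings:
        shown = f.command.rsplit(" ", 1)[0] + " <redacted>"
        lines.append(f"line {f.line_no:>3} [{f.context}] {shown}: {f.advice}")
    return lines


# Constructed sample running-config; the hash and type 7 strings are placeholders.
SAMPLE_CONFIG = """\
! constructed sample, not from a real device
hostname Device
enable password 7 0123456789ABCDEF
enable secret 5 $1$CONSTRUCTED$placeholderplaceholder
username admin privilege 15 password 0 cisco123
username ops secret 9 $9$CONSTRUCTED$placeholderplaceholderplaceholder
line con 0
 password 7 0123456789ABCDEF
 login
line vty 0 4
 password cisco
 login
 transport input ssh
"""

if __name__ == "__main__":
    for text in report(audit_config(SAMPLE_CONFIG)):
        print(text)
```

Running it against a real `show running-config` capture lists each line that still uses type 0, 4, 5 or 7; the type 9 secret for user ops is correctly left alone.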

Information About Configuring Security with Passwords, Privileges, and Logins

Benefits of Creating a Security Scheme

The foundation of a good security scheme in the network is the protection of the user interfaces of the networking devices
from unauthorized access. Protecting access to the user interfaces on your networking devices prevents unauthorized users
from making configuration changes that can disrupt the stability of your network or compromise your network security.

The Cisco IOS XE features described in this document can be combined in many different ways to create a unique security scheme for each of your networking devices. Here are some possible examples that you can configure:

  • You can enable non-administrative users to run a subset of the administrative commands available on the networking device by lowering the entitlement level for the commands to the non-administrative privilege level. This can be useful for the following scenarios:

    • ISPs that want their first-line technical support staff to perform tasks such as enabling new interfaces for new customers or resetting the connection for a customer whose connection has stopped passing traffic. See the Example: Configuring a Device to Allow Users to Shutdown and Enable Interfaces section for an example of how to do this.

    • When you want your first-line technical support staff to have the ability to clear console port sessions that were disconnected improperly from a terminal server. See the Example: Configuring a Device to Allow Users to Clear Remote Sessions section for an example of how to do this.

    • When you want your first-line technical support staff to have the ability to view, but not change, the configuration of a networking device to facilitate troubleshooting a networking problem. See the Example: Configuring a Device to Allow Users to View the Running Configuration section for an example of how to do this.

Cisco IOS XE CLI Modes

To aid in the configuration of Cisco devices, the Cisco IOS XE command-line interface is divided into different command modes. Each command mode has its own set of commands available for the configuration, maintenance, and monitoring of router and network operations. The commands available to you at any given time depend on the mode you are in. Entering a question mark (?) at the system prompt (device prompt) allows you to obtain a list of commands available for each command mode.

The use of specific commands allows you to navigate from one command mode to another. The standard order in which a user would access the modes is as follows: user EXEC mode; privileged EXEC mode; global configuration mode; specific configuration modes; configuration submodes; and configuration subsubmodes.

Note

The default configuration of a Cisco IOS XE software based networking device only allows you to configure passwords to protect access to user EXEC mode (for local and remote CLI sessions) and privileged EXEC mode. This document describes how you can provide additional levels of security by protecting access to other modes, and commands, using a combination of usernames, passwords and the privilege command.


Most EXEC mode commands are one-time commands, such as show or more commands, which show the current configuration status, and clear commands, which clear counters or interfaces. EXEC mode commands are not saved across reboots of the router.

From privileged EXEC mode, you can enter global configuration mode. In this mode, you can enter commands that configure general system characteristics. You also can use global configuration mode to enter specific configuration modes. Configuration modes, including global configuration mode, allow you to make changes to the running configuration. If you later save the configuration, these commands are stored across router reboots.

From global configuration mode you can enter a variety of protocol-specific or feature-specific configuration modes. The CLI hierarchy requires that you enter these specific configuration modes only through global configuration mode. For example, interface configuration mode is a commonly used configuration mode.

From configuration modes, you can enter configuration submodes. Configuration submodes are used for the configuration of specific features within the scope of a given configuration mode. As an example, this chapter describes the subinterface configuration mode, a submode of the interface configuration mode.

ROM monitor mode is a separate mode used when the router cannot boot properly. If your system (router, switch, or access server) does not find a valid system image to load when it is booting, the system will enter ROM monitor mode. ROM monitor (ROMMON) mode can also be accessed by interrupting the boot sequence during startup. ROMMON is not covered in this document because it does not have any security features available in it.

User EXEC Mode

When you start a session on a router, you generally begin in user EXEC mode, which is one of two access levels of the EXEC mode. For security purposes, only a limited subset of EXEC commands is available in user EXEC mode. This level of access is reserved for tasks that do not change the configuration of the router, such as determining the router status.

If your device is configured to require users to log in, the login process will require a username and a password. You may try three times to enter a password before the connection attempt is refused.

User EXEC mode is set by default to privilege level 1. Privileged EXEC mode is set by default to privilege level 15. When
you are logged into a networking device in user EXEC mode your session is running at privilege level 1. By default the EXEC
commands at privilege level 1 are a subset of those available at privilege level 15. When you are logged into a networking
device in privileged EXEC mode your session is running at privilege level 15. You can move commands to any privilege level
between 1 and 15 using the privilege command.

In general, the user EXEC commands allow you to connect to remote devices, change terminal line settings on a temporary basis, perform basic tests, and list system information.

To list the available user EXEC commands, use the following command:

Command: Device> ?
Purpose: Lists the user EXEC mode commands.

The user EXEC mode prompt consists of the host name of the device followed by an angle bracket (>), as shown in the following example:

Device>

The default host name is generally Router, unless it has been changed during initial configuration using the setup EXEC command. You can also change the host name using the hostname global configuration command.

Note

Examples in Cisco IOS XE documentation assume the use of the default name of “Device.” Different devices (for example, access servers) may use a different default name. If the device (router, access server, or switch) has been named with the hostname command, that name will appear as the prompt instead of the default name.

To list the commands available in user EXEC mode, enter a question mark (?) as shown in the following example:

Device> ?
 
Exec commands:
 <1-99>           Session number to resume
 connect          Open a terminal connection
 disconnect       Disconnect an existing telnet session
 enable           Turn on privileged commands
 exit             Exit from Exec mode
 help             Description of the interactive help system
 lat              Open a lat connection
 lock             Lock the terminal
 login            Log in as a particular user
 logout           Exit from Exec mode and log out
 menu             Start a menu-based user interface
 mbranch          Trace multicast route for branch of tree
 mrbranch         Trace reverse multicast route to branch of tree
 mtrace           Trace multicast route to group
 name-connection  Name an existing telnet connection
 pad              Open a X.29 PAD connection
 ping             Send echo messages
 resume           Resume an active telnet connection
 show             Show running system information
 systat           Display information about terminal lines
 telnet           Open a telnet connection
 terminal         Set terminal line parameters
 tn3270           Open a tn3270 connection
 trace            Trace route to destination
 where            List active telnet connections
 x3               Set X.3 parameters on PAD

The list of commands will vary depending on the software feature set and platform you are using.

Note

You can enter commands in uppercase, lowercase, or mixed case. Only passwords are case sensitive. However, Cisco IOS XE documentation convention is to always present commands in lowercase.


Privileged EXEC Mode

In order to have access to all commands, you must enter privileged EXEC mode, which is the second level of access for the EXEC mode. Normally, you must enter a password to enter privileged EXEC mode. In privileged EXEC mode, you can enter any EXEC command, because privileged EXEC mode is a superset of the user EXEC mode commands.

Because many privileged EXEC mode commands set operating parameters, privileged EXEC level access should be password protected to prevent unauthorized use. The privileged EXEC command set includes those commands contained in user EXEC mode. Privileged EXEC mode also provides access to configuration modes through the configure command, and includes advanced testing commands, such as debug.

Privileged EXEC mode is set by default to privilege level 15. User EXEC mode is set by default to privilege level 1. For
more information see the User EXEC Mode. When you are logged into a networking device in privileged EXEC mode your session is running at privilege level 15. When
you are logged into a networking device in user EXEC mode your session is running at privilege level 1. By default the EXEC
commands at privilege level 15 are a superset of those available at privilege level 1. You can move commands to any privilege
level between 1 and 15 using the privilege command. See the Cisco IOS XE Privilege Levels for more information on privilege levels and the privilege command.

The privileged EXEC mode prompt consists of the host name of the device followed by a pound sign (#), as shown in the following example:

Device#

To access privileged EXEC mode, use the following command:

Command:

Device> enable
Password
Device# exit
Device>

Purpose: Enables privileged EXEC mode.

  • If a privileged EXEC mode password has been configured, the system will prompt you for a password after you issue the enable command.

  • Use the exit command to leave privileged EXEC mode.

Note

Privileged EXEC mode is sometimes referred to as “enable mode,” because the enable command is used to enter the mode.

If a password has been configured on the system, you will be prompted to enter it before being allowed access to privileged EXEC mode. The password is not displayed on the screen and is case sensitive. If an enable password has not been set, privileged EXEC mode can be accessed only by a local CLI session (terminal connected to the console port).

If you attempt to access privileged EXEC mode on a router over a remote connection, such as a telnet connection, and you have not configured a password for privileged EXEC mode, you will see the % No password set error message. For more information on remote connections see Remote CLI Sessions. The system administrator uses the enable secret or enable password global configuration commands to set the password that restricts access to privileged EXEC mode. For information on configuring a password for privileged EXEC mode, see Protecting Access to Privileged EXEC Mode.

To return to user EXEC mode, use the following command:

Command: Device# disable
Purpose: Exits from privileged EXEC mode to user EXEC mode.

The following example shows the process of accessing privileged EXEC mode:

Device> enable
Password:<letmein>
Device#

Note that the password will not be displayed as you type, but is shown here for illustrational purposes. To list the commands available in privileged EXEC mode, issue the ? command at the prompt. From privileged EXEC mode you can access global configuration mode, which is described in the following section.

Note

Because the privileged EXEC command set contains all of the commands available in user EXEC mode, some commands can be entered in either mode. In Cisco IOS XE documentation, commands that can be entered in either user EXEC mode or privileged EXEC mode are referred to as EXEC mode commands. If user or privileged is not specified in the documentation, assume that you can enter the referenced commands in either mode.


Global Configuration Mode

The term “global” is used to indicate characteristics or features that affect the system as a whole. Global configuration mode is used to configure your system globally, or to enter specific configuration modes to configure specific elements such as interfaces or protocols. Use the configure terminal privileged EXEC command to enter global configuration mode.

To access global configuration mode, use the following command in privileged EXEC mode:

Command: Device# configure terminal
Purpose: From privileged EXEC mode, enters global configuration mode.

The following example shows the process of entering global configuration mode from privileged EXEC mode:

Device# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Device(config)#

Note that the system prompt changes to indicate that you are now in global configuration mode. The prompt for global configuration mode consists of the host name of the device followed by (config) and the pound sign (#). To list the commands available in privileged EXEC mode, issue the ? command at the prompt.

Commands entered in global configuration mode update the running configuration file as soon as they are entered. In other words, changes to the configuration take effect each time you press the Enter or Return key at the end of a valid command. However, these changes are not saved into the startup configuration file until you issue the copy running-config startup-config EXEC mode command. This behavior is explained in more detail later in this document.

As shown in the example above, the system dialogue prompts you to end your configuration session (exit configuration mode) by pressing the Control (Ctrl) and “z” keys simultaneously; when you press these keys, ^Z is printed to the screen. You can end your configuration session by entering the Ctrl-Z key combination, by using the end command, or by using the Ctrl-C key combination. The end command is the recommended way to indicate to the system that you are done with the current configuration session.

Caution

If you use Ctrl-Z at the end of a command line in which a valid command has been typed, that command will be added to the running configuration file. In other words, using Ctrl-Z is equivalent to hitting the Enter (Carriage Return) key before exiting. For this reason, it is safer to end your configuration session using the end command. Alternatively, you can use the Ctrl-C key combination to end your configuration session without sending a Carriage Return signal.

You can also use the exit command to return from global configuration mode to EXEC mode, but this only works in global configuration mode. Pressing Ctrl-Z or entering the end command will always take you back to EXEC mode regardless of which configuration mode or configuration submode you are in.

To exit global configuration command mode and return to privileged EXEC mode, use one of the following commands:

Command: Device(config)# end
or
Command: Device(config)# ^Z
Purpose: Ends the current configuration session and returns to privileged EXEC mode.

Command: Device(config)# exit
Purpose: Exits the current command mode and returns to the preceding mode. For example, exits from global configuration mode to privileged EXEC mode.

From global configuration mode, you can enter a number of protocol-specific, platform-specific, and feature-specific configuration modes.

Interface configuration mode, described in the following section, is an example of a configuration mode you can enter from global configuration mode.

Interface Configuration Mode

One example of a specific configuration mode you enter from global configuration mode is interface configuration mode.

Many features are enabled on a per-interface basis. Interface configuration commands modify the operation of an interface such as an Ethernet, FDDI, or serial port. Interface configuration commands always follow an interface global configuration command, which defines the interface type.

For details on interface configuration commands that affect general interface parameters, such as bandwidth or clock rate, refer to the Release 12.2 Cisco IOS Interface Configuration Guide. For protocol-specific commands, refer to the appropriate Cisco IOS XE software command reference.

To access and list the interface configuration commands, use the following command:

Command: Device(config)# interface type number
Purpose: Specifies the interface to be configured, and enters interface configuration mode.

In the following example, the user enters interface configuration mode for serial interface 0. The new prompt, hostname(config-if)#, indicates interface configuration mode.

Device(config)# interface serial 0
Device(config-if)#

To exit interface configuration mode and return to global configuration mode, enter the exit command.

Configuration submodes are configuration modes entered from other configuration modes (besides global configuration mode). Configuration submodes are for the configuration of specific elements within the configuration mode. One example of a configuration submode is subinterface configuration mode, described in the following section.

Subinterface Configuration Mode

From interface configuration mode, you can enter subinterface configuration mode. Subinterface configuration mode is a submode of interface configuration mode. In subinterface configuration mode you can configure multiple virtual interfaces (called subinterfaces) on a single physical interface. Subinterfaces appear to be distinct physical interfaces to the various protocols.

For detailed information on how to configure subinterfaces, refer to the appropriate documentation module for a specific protocol in the Cisco IOS XE software documentation set.

To access subinterface configuration mode, use the following command in interface configuration mode:

Command: Device(config-if)# interface type number
Purpose: Specifies the virtual interface to be configured and enters subinterface configuration mode.

In the following example, a subinterface is configured for serial line 2, which is configured for Frame Relay encapsulation. The subinterface is identified as “2.1” to indicate that it is subinterface 1 of serial interface 2. The new prompt hostname(config-subif)# indicates subinterface configuration mode. The subinterface can be configured to support one or more Frame Relay PVCs.

Device(config)# interface serial 2
Device(config-if)# encapsulation frame-relay
Device(config-if)# interface serial 2.1
Device(config-subif)#

To exit subinterface configuration mode and return to interface configuration mode, use the exit command. To end your configuration session and return to privileged EXEC mode, press Ctrl-Z or enter the end command.

Cisco IOS XE CLI Sessions

Local CLI Sessions

Local CLI sessions require direct access to the console port of the networking device. Local CLI sessions start in user EXEC mode. All of the tasks required to configure and manage a networking device can be done using a local CLI session. The most common method for establishing a local CLI session is to connect the serial port on a PC to the console port of the networking device and then to launch a terminal emulation application on the PC. The type of cable and connectors required and the settings for the terminal emulation application on the PC are dependent on the type of networking device that you are configuring. See the documentation for your networking device for more information on setting it up for a local CLI session.

Remote CLI Sessions

Remote CLI sessions are created between a host such as a PC and a networking device such as a router over a network using
a remote terminal access application such as Telnet and Secure Shell (SSH). Local CLI sessions start in user EXEC mode. Most
of the tasks required to configure and manage a networking device can be done using a remote CLI session. The exceptions are
tasks that interact directly with the console port (such as recovering from a corrupted operating system (OS) by uploading
a new OS image over the console port) and interacting with the networking device when it is in ROM Monitor Mode.

This document explains how to configure security for remote Telnet sessions. Telnet is the most common method for accessing
a remote CLI session on a networking device.

Note

SSH is a more secure alternative to Telnet. SSH provides encryption for the session traffic between your local management device such as a PC and the networking device that you are managing. Encrypting the session traffic with SSH prevents hackers that might intercept the traffic from being able to decode it. See the Secure Shell Version 2 Support feature module for more information on using SSH.


Terminal Lines are Used for Local and Remote CLI Sessions

Cisco networking devices use the word lines to refer to the software components that manage local and remote CLI sessions. You use the line console 0 global configuration command to enter line configuration mode to configure options, such as a password, for the console port.

Device# configure terminal
Device(config)# line console 0
Device(config-line)# password password-string

Remote CLI sessions use lines that are referred to as virtual teletypewriter (VTY) lines. You use the line vty line-number [ending-line-number] global configuration command to enter line configuration mode to configure options, such as a password, for remote CLI sessions.

Device# configure terminal
Device(config)# line vty 0 4
Device(config-line)# password password-string

Protect Access to Cisco IOS XE EXEC Modes

Cisco IOS XE provides the ability to configure passwords that protect access to the following:

Protecting Access to User EXEC Mode

The first step in creating a secure environment for your networking device is protecting access to user EXEC mode by configuring
passwords for local and remote CLI sessions.

You protect access to user EXEC mode for local CLI sessions by configuring a password on the console port. See Configuring and Verifying a Password for Local CLI Sessions for instructions on how to configure passwords for local CLI sessions.

You protect access to user EXEC mode for remote CLI sessions by configuring a password on the virtual terminal lines (VTYs). See Configuring and Verifying a Password for Remote CLI Sessions for instructions on how to configure passwords for remote CLI sessions.

Protecting Access to Privileged EXEC Mode

The second step in creating a secure environment for your networking device is protecting access to privileged EXEC mode with a password. The method for protecting access to privileged EXEC mode is the same for local and remote CLI sessions.

You protect access to privileged EXEC mode by configuring a password for it. This is sometimes referred to as the enable password because the command to enter privileged EXEC mode is enable.

Command Purpose

enable

Example:

Device> enable
Password:
Device#

Enables privileged EXEC mode.

  • Enter your password if prompted. The password will not be shown in the terminal window.

  • The “>” at the end of the prompt string is changed to a “#” to indicate that you are in privileged EXEC mode.

Cisco IOS XE Password Encryption Levels

Some of the passwords that you configure on your networking device are saved in the configuration in plain text. This means
that if you store a copy of the configuration file on a disk, anybody with access to the disk can discover the passwords by
reading the configuration file. The following password types are stored as plain text in the configuration by default:

  • Console passwords for local CLI sessions

  • Virtual terminal line passwords for remote CLI sessions

  • Username passwords using the default method for configuring the password

  • Privileged EXEC mode password when it is configured with the enable password password command

  • Authentication key chain passwords used by RIPv2 and EIGRP

  • BGP passwords for authenticating BGP neighbors

  • OSPF authentication keys for authenticating OSPF neighbors

  • ISIS passwords for authenticating ISIS neighbors

This excerpt from a router configuration file shows examples of passwords and authentication keys that are stored as clear
text.


!
enable password O9Jb6D
!
username username1 password 0 kV9sIj3
!
key chain trees
 key 1
  key-string willow
!
interface Ethernet1/0.1
 ip address 172.16.6.1 255.255.255.0
 ip router isis 
 ip rip authentication key-chain trees
 ip authentication key-chain eigrp 1 trees
 ip ospf authentication-key j7876
 no snmp trap link-status
 isis password u7865k
!
line vty 0 4
 password V9jA5M
!

You can encrypt these clear text passwords in the configuration file by using the service password-encryption command. This should be considered only a minimal level of security, because the encryption algorithm used by the service password-encryption command creates text strings that can be decrypted using tools that are publicly available. You should still protect access to any electronic or paper copies of your configuration files after you use the service password-encryption command.

The service password-encryption command does not encrypt the passwords when they are sent to the remote device. Anybody with a network traffic analyzer who has access to your network can capture these passwords from the packets as they are transmitted between the devices. See Configuring Password Encryption for Clear Text Passwords for more information on encrypting clear text passwords in configuration files.

Many of the Cisco IOS XE features that use clear text passwords can also be configured to use the more secure MD5 algorithm.
The MD5 algorithm creates a text string in the configuration file that is much more difficult to decrypt. The MD5 algorithm
does not send the password to the remote device. This prevents people using a traffic analyzer to capture traffic on your
network from being able to discover your passwords.

You can determine the type of password encryption that has been used by the number that is stored with the password string in the configuration file of the networking device. The number 5 in the configuration excerpt below indicates that the enable secret password has been encrypted using the MD5 algorithm.

enable secret 5 $1$fGCS$rkYbR6.Z8xo4qCl3vghWQ0

The number 7 in the excerpt below indicates that the enable password has been encrypted using the less secure algorithm used by the service password-encryption command.

!
enable password 7 00081204
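The storage markers described above are what an auditor looks for when reviewing an archived configuration. The following Python script is an added example and is not part of this Cisco document: it scans a saved configuration and reports every password or key line together with how it is stored (type 0 clear text, type 7 service password-encryption output, type 5 MD5 enable secret, type 6 AES), checks that a type 5 string has the $1$salt$hash shape, flags a vty line block with no password (the device refuses remote sessions in that case), and flags an enable password left in place beside an enable secret. The sample configuration is constructed from this section's own excerpts; the second username, the console line block and the second vty block are assumptions added for the demonstration, and any marker the page does not describe is reported as unknown rather than judged.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: lines from this section's excerpts plus, assumed for the
# demo, a second username, a console block and a vty block with no password.
SAMPLE_CONFIG = """\
enable password O9Jb6D
enable secret 5 $1$fGCS$rkYbR6.Z8xo4qCl3vghWQ0
!
username username1 password 0 kV9sIj3
username username2 password 7 00081204
!
key chain trees
 key 1
  key-string willow
!
interface Ethernet1/0.1
 ip ospf authentication-key j7876
 isis password u7865k
!
line con 0
 password Ji8F5Z
line vty 0 4
 password V9jA5M
line vty 5 15
 login
!
"""

# Storage marker -> (label, severity, detail), following the text above.
STORAGE = {
    "0": ("clear", "high", "stored as typed; readable by anyone with the file"),
    "7": ("type7", "high", "service password-encryption output is reversible"),
    "5": ("md5", "low", "MD5 secret; not reversible from the file"),
    "6": ("aes", "info", "type-6 AES; needs the master key to decrypt"),
}
# Shape of a type 5 string: $1$<salt>$<22 characters of the crypt alphabet>.
TYPE5_RE = re.compile(r"^\$1\$[^$]{1,8}\$[./0-9A-Za-z]{22}$")
# Lines that carry a secret: optional numeric marker, then the value.
PASSWORD_LINES = [
    (re.compile(r"^enable password(?: (\d+))? (\S.*)$"), "enable password"),
    (re.compile(r"^enable secret(?: (\d+))? (\S.*)$"), "enable secret"),
    (re.compile(r"^username \S+ password(?: (\d+))? (\S.*)$"), "username password"),
    (re.compile(r"^key-string(?: (\d+))? (\S.*)$"), "key chain key-string"),
    (re.compile(r"^ip ospf authentication-key(?: (\d+))? (\S.*)$"), "OSPF authentication key"),
    (re.compile(r"^isis password(?: (\d+))? (\S.*)$"), "IS-IS password"),
    (re.compile(r"^neighbor \S+ password(?: (\d+))? (\S.*)$"), "BGP neighbor password"),
    (re.compile(r"^password(?: (\d+))? (\S.*)$"), "line password"),
]

@dataclass
class Finding:
    line_no: int      # 0 for findings about the configuration as a whole
    what: str
    storage: str
    severity: str
    detail: str

def classify(marker: str | None, value: str) -> tuple[str, str, str]:
    """Map a storage marker (None = type 0) to (storage, severity, detail)."""
    storage, severity, detail = STORAGE.get(marker or "0", ("unknown", "info", f"marker {marker!r} not covered by this audit"))
    if storage == "md5" and not TYPE5_RE.match(value):
        return "md5", "medium", "type 5 marker but the string is not a $1$salt$hash value"
    return storage, severity, detail

def audit_config(text: str) -> list[Finding]:
    """Report every stored secret in an IOS XE configuration and how it is stored."""
    findings: list[Finding] = []
    current_line = None                  # (line_no, "line ...") block we are inside
    line_has_password: dict[tuple, bool] = {}
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if line.startswith("line "):
            current_line = (line_no, line)
            line_has_password[current_line] = False
        elif raw and not raw.startswith((" ", "!")):
            current_line = None          # a new top-level section
        for pattern, what in PASSWORD_LINES:
            match = pattern.match(line)
            if match:
                findings.append(Finding(line_no, what, *classify(match.group(1), match.group(2))))
                if what == "line password" and current_line is not None:
                    line_has_password[current_line] = True
                break
    # Remote CLI sessions are refused unless the vty line has a password.
    for (line_no, header), has_pw in line_has_password.items():
        if header.startswith("line vty") and not has_pw:
            findings.append(Finding(line_no, header, "none", "high", "vty line has no password; remote sessions will be refused"))
    # enable secret takes precedence over enable password, so a leftover enable
    # password is only one more recoverable string; having no enable secret is worse.
    kinds = {f.what for f in findings}
    if "enable password" in kinds and "enable secret" in kinds:
        findings.append(Finding(0, "enable password", "clear", "medium", "redundant: enable secret takes precedence; remove enable password"))
    elif "enable password" in kinds:
        findings.append(Finding(0, "enable secret", "none", "high", "privileged EXEC protected only by enable password; configure enable secret"))
    return findings

if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print(f"{f.severity:6} line {f.line_no:3} {f.what:24} [{f.storage}] {f.detail}")
```

Run against the sample, the script lists nine high-severity findings (every type 0 and type 7 string plus the password-less vty block), rates the MD5 enable secret low, and adds a whole-file note that the clear-text enable password is redundant once an enable secret exists. The type 7 line is reported as recoverable without attempting to reverse it; the point of the audit is to drive migration to enable secret, type 6, or the MD5 options the page describes for routing-protocol authentication.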

Cisco IOS XE CLI Session Usernames

After you have protected access to user EXEC mode and privileged EXEC mode by configuring passwords for them you can further
increase the level of security on your networking device by configuring usernames to limit access to CLI sessions to your
networking device to specific users.

Usernames that are intended to be used for managing a networking device can be modified with additional options such as:

See the Cisco IOS Security Command Reference (http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_book.html) for more information on how to configure the username command.

Cisco IOS XE Privilege Levels

The default configuration for Cisco IOS XE based networking devices uses privilege level 1 for user EXEC mode and privilege
level 15 for privileged EXEC. The commands that can be run in user EXEC mode at privilege level 1 are a subset of the commands
that can be run in privileged EXEC mode at privilege 15.

The privilege command is used to move commands from one privilege level to another. For example, some ISPs allow their first level technical
support staff to enable and disable interfaces to activate new customer connections or to restart a connection that has stopped
transmitting traffic. See the Example: Configuring a Device to Allow Users to Shutdown and Enable Interfaces for an example of how to configure this option.

The privilege command can also be used to assign a privilege level to a username so that when a user logs in with the username, the session will run at the privilege level specified by the privilege command. For example, if you want your technical support staff to view the configuration on a networking device to help them troubleshoot network problems without being able to modify the configuration, you can create a username, configure it with privilege level 15, and configure it to run the show running-config command automatically. When a user logs in with the username the running configuration will be displayed automatically. The user’s session will be logged out automatically after the user has viewed the last line of the configuration. See Example: Configuring a Device to Allow Users to View the Running Configuration for an example of how to configure this option.

These command privileges can also be implemented when using AAA with TACACS+ and RADIUS. For example, TACACS+ provides two
ways to control the authorization of router commands on a per-user or per-group basis. The first way is to assign privilege
levels to commands and have the router verify with the TACACS+ server whether or not the user is authorized at the specified
privilege level. The second way is to explicitly specify in the TACACS+ server, on a per-user or per-group basis, the commands
that are allowed. For more information about implementing AAA with TACACS+ and RADIUS, see the technical note How to Assign Privilege Levels with TACACS+ and RADIUS.

Cisco IOS XE Password Configuration

Cisco IOS XE software does not prompt you to repeat any passwords that you configure to verify that you have entered the passwords
exactly as you intended. New passwords, and changes to existing passwords, go into effect immediately after you press the
Enter key at the end of a password configuration command string. If you make a mistake when you enter a new password and have
saved the configuration on the networking device to its startup configuration file and exited privileged EXEC mode before
you realize that you made a mistake, you may find that you are no longer able to manage the device.

The following are common situations that can happen:

  • You make a mistake configuring a password for local CLI sessions on the console port.

    • If you have properly configured access to your networking device for remote CLI sessions, you can Telnet to it and reconfigure
      the password on the console port.
  • You make a mistake configuring a password for remote Telnet or SSH sessions.

    • If you have properly configured access to your networking device for local CLI sessions, you can connect a terminal to it
      and reconfigure the password for the remote CLI sessions.
  • You make a mistake configuring a password for privileged EXEC mode (enable password or enable secret password).

    • You will have to perform a lost password recovery procedure.
  • You make a mistake configuring your username password, and the networking device requires that you log into it with your username.

    • If you do not have access to another account name, you will have to perform a lost password recovery procedure.

To protect yourself from having to perform a lost password recovery procedure, open two CLI sessions to the networking device and keep one of them in privileged EXEC mode while you reset the passwords using the other session. You can use the same device (PC or terminal) to run the two CLI sessions or two different devices. You can use a local CLI session and a remote CLI session or two remote CLI sessions for this procedure. The CLI session that you use to configure the password can also be used to verify that the password was changed properly. The other CLI session that you keep in privileged EXEC mode can be used to change the password again if you made a mistake the first time you configured it.

You should not save password changes that you have made in the running configuration to the startup configuration until you
have verified that your password was changed successfully. If you discover that you made a mistake configuring a password,
and you were not able to correct the problem using the second CLI session technique described above, you can power cycle the
networking device so that it returns to the previous passwords that are stored in the startup configuration.

AES Password Encryption and Master Encryption Keys

You can enable strong, reversible 128-bit Advanced Encryption Standard (AES) password encryption, also known as type-6 encryption.
To start using type-6 encryption, you must enable the AES password encryption feature and configure a master encryption key,
which is used to encrypt and decrypt passwords. After you enable AES password encryption and configure a master key, all existing
and newly created clear-text passwords for supported applications are stored in type-6 encrypted format, unless you disable
type-6 password encryption. You can also configure the device to convert all existing weakly encrypted passwords to type-6
encrypted passwords.

Type 0 and type 7 passwords can be autoconverted to type 6 if the AES password encryption feature and master encryption key
are configured.

Note


Type 6 username and password are backward compatible to the Cisco IOS release 16.10.1 only. If you downgrade to any release
version lower than Cisco IOS release 16.10.1, type 6 username and password will be rejected. After autoconversion, to avoid
an administrator password getting rejected during a downgrade, migrate the passwords.


How To Configure Security with Passwords Privileges and Logins

Protecting Access to User Exec Mode

Configuring and Verifying a Password for Remote CLI Sessions

This task will assign a password for remote CLI sessions. After you have completed this task the networking device will prompt you for a password the next time that you start a remote CLI session with it.

Cisco IOS XE based networking devices require that you have a password configured for remote CLI sessions. If you attempt to start a remote CLI session with a device that doesn’t have a password configured for remote CLI sessions you will see a message that a password is required and has not been set. The remote CLI session will be terminated by the remote host.

Before you begin

If you have not previously configured a password for remote CLI sessions, you must perform this task over a local CLI session using a terminal or a PC running a terminal emulation application, attached to the console port.

Your terminal, or terminal emulation application, must be configured with the settings that are used by the console port on the networking device. The console ports on most Cisco networking devices require the following settings: 9600 baud, 8 data bits, 1 stop bit, no parity, and flow control set to "none". See the documentation for your networking device if these settings do not work for your terminal.

To perform the verification step (Step 6) for this task, your networking device must have an interface that is in an operational state. The interface must have a valid IP address.

Note


If you have not previously configured a password for remote CLI sessions, you must perform this task over a local CLI session using a terminal attached to the console port.


SUMMARY STEPS

  1. enable

  2. configure terminal

  3. line vty line-number [ending-line-number]

  4. password password

  5. end

  6. telnet ip-address

  7. exit

DETAILED STEPS

  Command or Action Purpose

Step 1

enable

Example:

Device> enable

Enables privileged EXEC mode.

  • Enter your password if prompted.

Step 2

configure terminal

Example:

Device# configure terminal

Enters global configuration mode.

Step 3

line vty line-number [ending-line-number]

Example:

Device(config)# line vty 0 4

Enters line configuration mode.

Step 4

password password

Example:

Device(config-line)# password H7x3U8

The argument password is a character string that specifies the line password. The following rules apply to the password argument:

  • The first character cannot be a number.

  • The string can contain any alphanumeric characters, including spaces, up to 80 characters. You cannot specify the password in the format number-space-anything.

  • Passwords are case sensitive.

Step 5

end

Example:

Device(config-line)# end

Exits the current configuration mode and returns to privileged EXEC mode.

Step 6

telnet ip-address

Example:

Device# telnet 172.16.1.1

Starts a remote CLI session with the networking device from your current CLI session using the IP address of an interface in the networking device that is in an operational state (interface up, line protocol up).

  • Enter the password that you configured in step 4 when prompted.

Note

This procedure is often referred to as starting a recursive Telnet session because you are initiating a remote Telnet session with the networking device from the networking device itself.

Step 7

exit

Example:

Device# exit

Terminates the remote CLI session (recursive Telnet session) with the networking device.

Troubleshooting Tips

To display information for all users who have access to a lawful intercept view, issue the show users lawful-intercept command. (This command is available only to authorized lawful intercept view users.)

What to Do Next

Proceed to Configuring and Verifying a Password for Local CLI Sessions.

Configuring and Verifying a Password for Local CLI Sessions

This task will assign a password for local CLI sessions over the console port. After you have completed this task, the networking device will prompt you for a password the next time that you start a local CLI session on the console port.

This task can be performed over a local CLI session using the console port or a remote CLI session. If you want to perform the optional step of verifying that you configured the password correctly, you should perform this task using a local CLI session over the console port.

Before you begin

If you want to perform the optional step of verifying the local CLI session password, you must perform this task using a local CLI session. You must have a terminal or a PC running a terminal emulation program, connected to the console port of the networking device. Your terminal must be configured with the settings that are used by the console port on the networking device. The console ports on most Cisco networking devices require the following settings: 9600 baud, 8 data bits, 1 stop bit, no parity, and flow control set to "none". See the documentation for your networking device if these settings do not work for your terminal.

SUMMARY STEPS

  1. enable

  2. configure terminal

  3. line console 0

  4. password password

  5. end

  6. exit

  7. Press the Enter key.

DETAILED STEPS

  Command or Action Purpose

Step 1

enable

Example:

Device> enable

Enables privileged EXEC mode.

  • Enter your password if prompted.

Step 2

configure terminal

Example:

Device# configure terminal

Enters global configuration mode.

Step 3

line console 0

Example:

Device(config)# line console 0

Enters line configuration mode and selects the console port as the line that you are configuring.

Step 4

password password

Example:

Device(config-line)# password Ji8F5Z

The argument password is a character string that specifies the line password. The following rules apply to the password argument:

  • The first character cannot be a number.

  • The string can contain any alphanumeric characters, including spaces, up to 80 characters. You cannot specify the password in the format number-space-anything.

  • Passwords are case sensitive.

Step 5

end

Example:

Device(config-line)# end

Exits the current configuration mode and returns to privileged EXEC mode.

Step 6

exit

Example:

Device# exit

Exits privileged EXEC mode.

Step 7

Press the Enter key.

(Optional) Initiates the local CLI session on the console port.

  • Enter the password that you configured in step 4 when prompted to verify that it was configured correctly.

Note

This step can be performed only if you are using a local CLI session to perform this task.

Troubleshooting Tips

If your new password is not accepted proceed to the Configuration Examples for Configuring Security with Passwords Privileges
and Logins for instructions on what to do next.

What to Do Next

Proceed to Protecting Access to Privileged EXEC Mode.

Protecting Access to Privileged EXEC Mode

Configuring and Verifying the Enable Password

Cisco no longer recommends that you use the enable password command to configure a password for privileged EXEC mode. The password that you enter with the enable password command is stored as plain text in the configuration file of the networking device. You can encrypt the password for the enable password command in the configuration file of the networking device using the service password-encryption command. However, the encryption level used by the service password-encryption command can be decrypted using tools available on the Internet.

Instead of using the enable password command, Cisco recommends using the enable secret command because it encrypts the password that you configure with it with strong encryption. For more information on password encryption issues see Cisco IOS XE Password Encryption Levels. For information on configuring the enable secret command see Configuring and Verifying the Enable Secret Password.

Note

The networking device must not have a password configured by the enable secret command in order to perform this task successfully. If you have already configured a password for privileged EXEC mode using the enable secret command, the password configured takes precedence over the password that you configure in this task using the enable password command.

You cannot use the same password for the enable secret command and the enable password command.


SUMMARY STEPS

  1. enable

  2. configure terminal

  3. enable password password

  4. end

  5. exit

  6. enable

DETAILED STEPS

  Command or Action Purpose

Step 1

enable

Example:

Device> enable

Enables privileged EXEC mode.

  • Enter your password if prompted.

Step 2

configure terminal

Example:

Device# configure terminal

Enters global configuration mode.

Step 3

enable password password

Example:

Device(config)# enable password t6D77CdKq

The argument password is a character string that specifies the enable password. The following rules apply to the password argument:

  • Must contain from 1 to 25 uppercase and lowercase alphanumeric characters.

  • Must not have a number as the first character.

  • Can have leading spaces, but they are ignored. However, intermediate and trailing spaces are recognized.

  • Can contain the question mark (?) character if you precede the question mark with the key combination Ctrl-v when you create the password; for example, to create the password abc?123, do the following:

    • Enter abc

    • Type Ctrl-v

    • Enter ?123

Step 4

end

Example:

Device(config)# end

Exits the current configuration mode and returns to privileged EXEC mode.

Step 5

exit

Example:

Device# exit

Exits privileged EXEC mode.

Step 6

enable

Example:

Device> enable

Enables privileged EXEC mode.

  • Enter the password you configured in step 3.

Troubleshooting Tips

If your new password is not accepted, proceed to the Recovering from Lost or Misconfigured Passwords for Privileged EXEC
Mode section for instructions on what to do next.

What to Do Next

Encrypt the clear text enable password in the configuration file of the networking device using the procedure described in
Configuring Password Encryption for Clear Text Passwords.

Configuring Password Encryption for Clear Text Passwords

Cisco IOS XE stores passwords in clear text in network device configuration files for several features such as passwords for local and remote CLI sessions, and passwords for neighbor authentication for routing protocols. Clear text passwords are a security risk because anybody with access to archived copies of the configuration files can discover the passwords that are stored as clear text. The service password-encryption command can be used to encrypt the clear text passwords in the configuration files of networking devices. See Cisco IOS XE Password Encryption Levels for more information.

Perform the following steps to configure password encryption for passwords that are stored as clear text in the configuration files of your networking device.

Before you begin

You must have at least one feature that uses clear text passwords configured on your networking device for this command to have any immediate effect.

SUMMARY STEPS

  1. enable

  2. configure terminal

  3. service password-encryption

  4. end

DETAILED STEPS

  Command or Action Purpose

Step 1

enable

Example:

Device> enable

Enables privileged EXEC mode.

  • Enter your password if prompted.

Step 2

configure terminal

Example:

Device# configure terminal

Enters global configuration mode.

Step 3

service password-encryption

Example:

Device(config)# service password-encryption

Enables password encryption for all clear text passwords, including username passwords, authentication key passwords, the privileged command password, console and virtual terminal line access passwords, and Border Gateway Protocol neighbor passwords.

Step 4

end

Example:

Device(config)# end

Exits the current configuration mode and returns to privileged EXEC mode.

Configuring and Verifying the Enable Secret Password

Cisco recommends that you use the enable secret command, instead of the enable password command, to configure a password for privileged EXEC mode. The password created by the enable secret command is encrypted with the more secure MD5 algorithm.

Note

You cannot use the same password for the enable secret command and the enable password command.


SUMMARY STEPS

  1. enable

  2. configure terminal

  3. Perform one of the following steps:

    • enable secret password

    • enable secret 5 previously-encrypted-password

  4. end

  5. exit

  6. enable

DETAILED STEPS

  Command or Action Purpose

Step 1

enable

Example:

Device> enable

Enables privileged EXEC mode.

  • Enter your password if prompted.

Step 2

configure terminal

Example:

Device# configure terminal

Enters global configuration mode.

Step 3

Perform one of the following steps:

  • enable secret password

  • enable secret 5 previously-encrypted-password

Example:

Device(config)# enable secret t6D77CdKq

Example:

Device(config)# enable secret 5 $1$/x6H$RhnDI3yLC4GA01aJnHLQ4/

The argument password is a character string that specifies the enable secret password. The following rules apply to the password argument:

  • Must contain from 1 to 25 uppercase and lowercase alphanumeric characters.

  • Must not have a number as the first character.

  • Can have leading spaces, but they are ignored. However, intermediate and trailing spaces are recognized.

  • Can contain the question mark (?) character if you precede the question mark with the key combination Ctrl-v when you create the password; for example, to create the password abc?123, do the following:

    • Enter abc

    • Type Ctrl-v

    • Enter ?123

or

Sets a previously encrypted password for privileged EXEC mode by entering the number 5 before the previously encrypted string. You must enter an exact copy of a password from a configuration file that was previously encrypted by the enable secret command to use this method.

Step 4

end

Example:

Device(config)# end

Exits the current configuration mode and returns to privileged EXEC mode.

Step 5

exit

Example:

Device# exit

Exits privileged EXEC mode.

Step 6

enable

Example:

Device> enable

Enables privileged EXEC mode.

  • Enter the password that you configured in Step 3.

Troubleshooting Tips

If your new password is not accepted proceed to the Configuration Examples for Configuring Security with Passwords Privileges
and Logins for instructions on what to do next.

What to Do Next

If you have finished configuring passwords for local and remote CLI sessions and you want to configure additional security features, such as usernames and privilege levels, proceed to Configuring Security Options to Manage Access to CLI Sessions and Commands.
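Cisco IOS XE does not ask you to confirm a password and applies a mistyped one as soon as you press Enter (see Cisco IOS XE Password Configuration above), so automation that pushes line passwords, enable passwords or enable secrets benefits from checking each candidate against the rules listed in the line password, enable password and enable secret steps before sending it. The following Python checker is an added example, not Cisco code; the kind names "line" and "enable" are its own convention, and the 80 and 25 character limits, the leading-digit rule, the number-space-anything rule, the leading-space and trailing-space behaviour and the Ctrl-v requirement for "?" are taken from the step descriptions on this page.

```python
from __future__ import annotations

import re

# Limits given in the steps above: line passwords up to 80 characters,
# enable password / enable secret from 1 to 25 characters.
MAX_LENGTH = {"line": 80, "enable": 25}
# A leading number followed by a space is read by the CLI as a storage
# type marker (as in "password 7 ..."), not as part of the password.
NUMBER_SPACE = re.compile(r"^\d+ ")


def check_password(kind: str, candidate: str) -> tuple[bool, list[str]]:
    """Check candidate against the rules for kind ("line" or "enable").

    Returns (accepted, messages). "error:" messages make the candidate
    unacceptable; "note:" messages describe behaviour worth knowing.
    """
    if kind not in MAX_LENGTH:
        raise ValueError(f"unknown password kind {kind!r}")
    messages: list[str] = []
    # Leading spaces are ignored for enable passwords but kept on line passwords.
    value = candidate.lstrip(" ") if kind == "enable" else candidate
    if value != candidate:
        messages.append("note: leading spaces are ignored for enable passwords")
    if not value:
        messages.append("error: password is empty")
        return False, messages
    if value[0].isdigit():
        messages.append("error: the first character cannot be a number")
    if NUMBER_SPACE.match(value):
        messages.append("error: number-space-anything would be parsed as a storage type marker")
    if len(value) > MAX_LENGTH[kind]:
        messages.append(f"error: {len(value)} characters exceeds the limit of {MAX_LENGTH[kind]}")
    if "?" in value:
        messages.append("note: each '?' must be preceded by Ctrl-v when typed at the CLI")
    odd = sorted({ch for ch in value if not (ch.isalnum() or ch in " ?")})
    if odd:
        messages.append("note: characters outside the documented alphanumeric set: " + "".join(odd))
    if value != value.rstrip(" "):
        messages.append("note: trailing spaces are kept as part of the password")
    return not any(m.startswith("error:") for m in messages), messages


if __name__ == "__main__":
    for kind, cand in [("line", "H7x3U8"), ("enable", "t6D77CdKq"),
                       ("line", "7 abc"), ("enable", "   abc?123"), ("enable", "a" * 26)]:
        ok, msgs = check_password(kind, cand)
        print(f"{kind:6} {cand!r:16} {'accepted' if ok else 'rejected'}", *msgs, sep="\n    ")
```

The two example passwords from the procedures above pass cleanly; "7 abc" is rejected twice over (leading digit and number-space form), "   abc?123" is accepted with notes that the leading spaces will be dropped and that the question mark needs Ctrl-v at the keyboard, and a 26-character enable password is rejected while the same string would be fine as a line password.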

Configuring a Device to Allow Users to View the Running Configuration

To access the running configuration of a device using the show running-config command at a privilege level lower than level 15, perform the following task.

SUMMARY STEPS

  1. enable

  2. configure terminal

  3. privilege exec all level level command-string

  4. file privilege level

  5. privilege configure all level level command-string

  6. end

  7. show privilege

  8. show running-config

DETAILED STEPS

  Command or Action Purpose

Step 1

enable

Example:

Device> enable

Enables privileged EXEC mode.

  • Enter your password if prompted.

Step 2

configure terminal

Example:

Device# configure terminal

Enters global configuration mode.

Step 3

privilege exec all level level command-string

Example:

Device(config)# privilege exec all level 5 show running-config

Changes the privilege level of the specified command from one privilege level to another.

Step 4

file privilege level

Example:

Device(config)# file privilege 5

Allows a user of the privilege level to execute commands that involve the file system on a device.

Step 5

privilege configure all level level command-string

Example:

Device(config)# privilege configure all level 5 logging

Allows a user of a privilege level to see specific configuration commands. For example, allows the user of privilege level 5 to see the logging configuration commands in the running configuration.

Step 6

end

Example:

Device(config)# end

Exits global configuration mode and returns to privileged EXEC mode.

Step 7

show privilege

Example:

Device# show privilege

Displays the current privilege level.

Step 8

show running-config

Example:

Device# show running-config

Displays the current running configuration for the specified privilege level.

Example

The following output for the show running-config command displays the logging configuration commands in the running configuration. Users with a privilege level below 15 can view the running configuration after configuring the privilege configure all level level command-string command.


Device# show running-config

Building configuration...
 
Current configuration : 128 bytes
!
boot-start-marker
boot-end-marker
!
no logging queue-limit
logging buffered 10000000
no logging rate-limit
!
!
!
end

Configuring Security Options to Manage Access to CLI Sessions and Commands

The tasks in this section describe how to configure your networking device to permit the use of a subset of privileged EXEC mode commands by users who should not have access to all of the commands available in privileged EXEC mode.

These tasks are beneficial for companies that have multiple levels of network support staff and the company wants the staff at each level to have access to a different subset of the privileged EXEC mode commands.

In this task the users who should not have access to all of the commands available in privileged EXEC mode are referred to as the first-line technical support staff.

This section contains the following procedures:

Configuring the Networking Device for the First-Line Technical Support Staff

This task describes how to configure the networking device for first-line technical support users. First-line technical support staff are usually not allowed to run all of the commands available in privileged EXEC mode (privilege level 15) on a networking device. They are prevented from running commands that they are not authorized for by not being granted access to the password assigned to privileged EXEC mode or to other roles that have been configured on the networking device.

The privilege command is used to move commands from one privilege level to another in order to create the additional levels of administration of a networking device that is required by companies that have different levels of network support staff with different skill levels.

The default configuration of a Cisco IOS XE device permits two types of users to access the CLI. The first type of user is a person who is only allowed to access user EXEC mode. The second type of user is a person who is allowed access to privileged EXEC mode. A user who is only allowed to access user EXEC mode is not allowed to view or change the configuration of the networking device, or to make any changes to the operational status of the networking device. On the other hand, a user who is allowed access to privileged EXEC mode can make any change to a networking device that is allowed by the CLI.

In this task the two commands that normally run at privilege level 15 are reset to privilege level 7 using the privilege command in order that first-line technical support users will be allowed to run the two commands. The two commands for which the privilege levels will be reset are the clear counters command and the reload command.

  • The clear counters command is used to reset the counter fields on interfaces for statistics such as packets received, packets transmitted, and errors. When a first-line technical support user is troubleshooting an interface related connectivity issue between networking devices, or with remote users connecting to the network, it is useful to reset the interface statistics to zero and then monitor the interfaces for a period of time to see if the values in the interface statistics counters change.

  • The reload command is used to initiate a reboot sequence for the networking device. One common use of the reload command by first-line technical support staff is to cause the networking device to reboot during a maintenance window so that it loads a new operating system that was previously copied onto the networking device’s file system by a user with a higher level of authority.

Any user that is permitted to know the enable secret password that is assigned to the first-line technical support user role privilege level can access the networking device as a first-line technical support user. You can add an additional level of security by configuring a username on the networking device and requiring that the users know the username and the password. Configuring a username as an additional level of security is described in the Configuring a Device to Require a Username for the First-Line Technical Support Staff task.

Note


You must not have the aaa new-model command enabled on the networking device. You must not have the login local command configured for the local CLI sessions over the console port or the remote CLI sessions.

Note


For clarity,
only the arguments and keywords that are relevant for each step are shown in
the syntax for the steps in this task. See the Cisco IOS command reference book
for your Cisco IOS release for further information on the additional arguments
and keywords that can be used with these commands.


Caution


Do not use the no form of the privilege command to reset the privilege level of a command to its default because it might not return the configuration to the correct default state. Use the reset keyword for the privilege command instead to return a command to its default privilege level. For example, to remove the privilege exec level reload command from the configuration and return the reload command to its default privilege of 15, use the privilege exec reset reload command.



SUMMARY STEPS

  1. enable

  2. configure terminal

  3. enable secret level level password

  4. privilege exec level level command-string

  5. end

DETAILED STEPS

  Command or Action Purpose

Step 1

enable

Example:

Device> enable

Enters privileged EXEC mode. Enter the password when prompted.

Step 2

configure terminal

Example:

Device# configure terminal

Enters global configuration mode.

Step 3

enable secret level level password

Example:

Device(config)# enable secret level 7 Zy72sKj

Configures a new enable secret password for privilege level 7.

Step 4

privilege exec level level command-string

Example:

Device(config)# privilege exec level 7 clear counters

Changes the privilege level of the clear counters command from privilege level 15 to privilege level 7.

Step 5

end

Example:

Device(config)# end

Exits global configuration mode.

Verifying the Configuration
for the First-Line Technical Support Staff

This task describes
how to verify that the network device is configured correctly for the
first-line technical support staff.

Before you begin

The following
commands must have been modified to run at privilege level 7 for this task:

  • clear counters

  • reload

SUMMARY STEPS

  1. enable level password

  2. show privilege

  3. clear counters

  4. clear ip route *

  5. reload in time

  6. reload cancel

  7. disable

  8. show privilege

DETAILED STEPS


Step 1

enable level password

Logs the user into the networking device at the privilege level specified for the level argument.

Example:

Device> enable 7 Zy72sKj

Step 2

show privilege

Displays the privilege level of the current CLI session.

Example:

Device# show privilege

Current privilege level is 7

Step 3

clear counters

The clear counters command clears the interface counters. This command has been changed from privilege level 15 to privilege level 7.

Example:

Device# clear counters 

Clear "show interface" counters on all interfaces [confirm]
Device#
02:41:37: %CLEAR-5-COUNTERS: Clear counter on all interfaces by console

Step 4

clear ip route *

The ip route argument string for the clear command should not be allowed because it was not changed from privilege level 15 to privilege level 7.

Example:

Device# clear ip route *
                                                                     ^
% Invalid input detected at '^' marker.

Step 5

reload in time

The reload in time command causes the networking device to reboot after the specified time.

Example:

Device# reload in 10
Reload scheduled in 10 minutes by console
Proceed with reload? [confirm]

Device#

***
*** --- SHUTDOWN in 0:10:00 ---
***
02:59:50: %SYS-5-SCHEDULED_RELOAD: Reload requested for 23:08:30 PST Sun Mar 20

Step 6

reload cancel

The reload cancel command terminates a reload that was previously set up with the reload in time command.

Example:

Device# reload cancel

***
*** --- SHUTDOWN ABORTED ---
***
04:34:08: %SYS-5-SCHEDULED_RELOAD_CANCELLED:  Scheduled reload cancelled at 15:38:46 PST Sun Mar 27 2005

Step 7

disable

Exits the
current privilege level and returns to privilege level 1.

Example:

Device# disable

Step 8

show privilege

Displays the privilege level of the current CLI session.

Example:

Device> show privilege

Current privilege level is 1


Troubleshooting Tips

If your configuration does not work the way that you want it to and you want to remove the privilege commands from the configuration, use the reset keyword for the privilege command to return the commands to their default privilege level. For example, to remove the privilege exec level reload command from the configuration and return the reload command to its default privilege of 15, use the privilege exec reset reload command.

What to Do Next

If you want to add an additional level of security by requiring that the first-line technical support staff use a login name, proceed to the Configuring a Device to Require a Username for the First-Line Technical Support Staff task.

Configuring a Device to
Require a Username for the First-Line Technical Support Staff

This task configures the networking device to require that the first-line technical support staff log in to the networking device with a login name of admin. The admin username configured in this task is assigned the privilege level of 7, which will allow users who log in with this name to run the commands that were reassigned to privilege level 7 in the previous task. When a user successfully logs in with the admin username, the CLI session will automatically enter privilege level 7.

Before Cisco IOS XE Release 2.3, two types of passwords were associated with usernames: type 0, which is a clear text password visible to any user who has access to privileged mode on the router, and type 7, which has a password encrypted by the service password-encryption command.

In Cisco IOS XE Release 2.3 and later releases, the new secret keyword for the username command allows you to configure Message Digest 5 (MD5) encryption for username passwords.

Before you begin

The following
commands must have been modified to run at privilege level 7 for this task:

  • clear counters

  • reload

See the Configuring the Networking Device for the First-Line Technical Support Staff task for instructions on how to change the privilege level for a command.

Note


MD5 encryption for the username command is not supported in versions of Cisco IOS software prior to Cisco IOS XE Release 2.3.

You must not have the aaa new-model command enabled on the networking device. You must not have the login local command configured for the local CLI sessions over the console port or the remote CLI sessions.

Note


For clarity,
only the arguments and keywords that are relevant for each step are shown in
the syntax for the steps in this task. Refer to the Cisco IOS command reference
book for your Cisco IOS XE release for further information on the additional
arguments and keywords that can be used with these commands.



SUMMARY STEPS

  1. enable

  2. configure terminal

  3. username username privilege level secret password

  4. end

  5. disable

  6. login username

  7. show privilege

  8. clear counters

  9. clear ip route *

  10. reload in time

  11. reload cancel

  12. disable

  13. show privilege

DETAILED STEPS

  Command or Action Purpose

Step 1

enable

Example:

Device> enable

Enters
privileged EXEC mode. Enter the password when prompted.

Step 2

configure terminal

Example:

Device# configure terminal

Enters global
configuration mode.

Step 3

username username privilege level secret password

Example:

Device(config)# username admin privilege 7 secret Kd65xZa

Creates a username and applies MD5 encryption to the password text string.

Step 4

end

Example:

Device(config)# end

Exits global
configuration mode.

Step 5

disable

Example:

Device# disable

Exits the
current privilege level and returns to user EXEC mode.

Step 6

login username

Example:

Device> login admin

Logs in the
user. Enter the username and password you configured in step 3 when prompted.

Step 7

show privilege

Example:

Device# show privilege

Current privilege level is 7

The show privilege command displays the privilege level of the CLI session.

Step 8

clear counters

Example:

Device# clear counters

Clear "show interface" counters on all interfaces [confirm]
Device#
02:41:37: %CLEAR-5-COUNTERS: Clear counter on all interfaces by console

The clear counters command clears the interface counters. This command has been changed from privilege level 15 to privilege level 7.

Step 9

clear ip route *

Example:

Device# clear ip route *
                                                                     ^
% Invalid input detected at '^' marker.

The ip route argument string for the clear command is not allowed because it was not changed from privilege level 15 to privilege level 7.

Step 10

reload in time

Example:

Device# reload in 10
Reload scheduled in 10 minutes by console
Proceed with reload? [confirm]
Device#
***
*** --- SHUTDOWN in 0:10:00 ---
***
02:59:50: %SYS-5-SCHEDULED_RELOAD: Reload requested for 23:08:30 PST Sun Mar 20

The reload
command causes the networking device to reboot.

Step 11

reload cancel

Example:

Device# reload cancel

***
*** --- SHUTDOWN ABORTED ---
***
04:34:08: %SYS-5-SCHEDULED_RELOAD_CANCELLED:  Scheduled reload cancelled at 15:38:46 PST Sun Mar 27 2005

The reload cancel command terminates a reload that was previously set up with the reload in time command.

Step 12

disable

Example:

Device# disable

Exits the
current privilege level and returns to user EXEC mode.

Step 13

show privilege

Example:

Device> show privilege

Current privilege level is 1

Displays the privilege level of the current CLI session.
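As an added example (not Cisco code), the following Python script audits a running-config excerpt against the preconditions of this task and the previous one: aaa new-model must be absent, login local must not be set on the console or vty lines, usernames should use the secret keyword rather than a type 0 or type 7 password, an enable secret should exist for the level, and clear counters and reload must have been moved to level 7. The configuration text is constructed for the demonstration, the type 5 hashes in it are placeholders, and the check wording and function names are this example's own.

```python
"""Audit a running-config excerpt for the username task's preconditions (added example)."""
import re

# Commands that the page's tasks require to have been moved to level 7.
REQUIRED_COMMANDS = ("clear counters", "reload")

# Constructed running-config excerpt with one deliberate problem per check.
# The type 5 hashes are placeholders, not real digests.
SAMPLE_CONFIG = """\
!
aaa new-model
!
enable secret level 7 5 $1$PLACEHOLDER$notarealhash
username admin privilege 7 secret 5 $1$PLACEHOLDER$notarealhash
username helpdesk privilege 7 password 0 Plaintext1
username oldadmin privilege 15 password 7 0123456789ABCDEF
!
privilege exec level 7 clear counters
privilege exec level 7 clear
!
line con 0
 login local
line vty 0 4
 password 7 0123456789ABCDEF
 login
!
"""

# The same excerpt with every finding fixed, to show a clean result.
CLEAN_CONFIG = """\
!
no aaa new-model
!
enable secret level 7 5 $1$PLACEHOLDER$notarealhash
username admin privilege 7 secret 5 $1$PLACEHOLDER$notarealhash
!
privilege exec level 7 clear counters
privilege exec level 7 clear
privilege exec level 7 reload
!
line con 0
 login
line vty 0 4
 login
!
"""

# 'username X [privilege N] password [type] text'; 'secret' lines do not match.
USERNAME_PASSWORD = re.compile(r"^username (\S+)(?: privilege \d+)? password(?: (\d))? \S+$")


def parse_line_blocks(config):
    """Return {'line con 0': [...], 'line vty 0 4': [...]} from indented sub-commands."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw.strip()
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = None  # '!' or any other top-level command ends the block
    return blocks


def audit(config, level=7):
    """Return a list of human-readable findings; an empty list means the config passes."""
    findings = []
    lines = [ln.rstrip() for ln in config.splitlines()]

    if "aaa new-model" in lines:
        findings.append("aaa new-model is enabled; this task requires it to be disabled")

    for name, subs in parse_line_blocks(config).items():
        if "login local" in subs:
            findings.append(f"{name}: 'login local' is configured; not supported by this task")

    for ln in lines:
        m = USERNAME_PASSWORD.match(ln)
        if m:
            ptype = m.group(2) or "0"  # 'password <text>' with no type number is type 0
            findings.append(f"username {m.group(1)}: type {ptype} password; use the secret keyword (MD5)")

    if not any(ln.startswith(f"enable secret level {level} ") for ln in lines):
        findings.append(f"no enable secret configured for privilege level {level}")

    for cmd in REQUIRED_COMMANDS:
        if f"privilege exec level {level} {cmd}" not in lines:
            findings.append(f"'{cmd}' has not been moved to privilege level {level}")

    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```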

Recovering from a Lost or Misconfigured Password for Local Sessions

There are three methods that can be used to recover from a lost or misconfigured password for local CLI sessions over the console port. The method that you will use depends on the current configuration of your networking device.

Networking Device Is Configured to Allow Remote CLI Sessions

The fastest method to recover from a lost or misconfigured password for local CLI sessions is to establish a remote CLI session with the networking device and repeat the Configuring and Verifying a Password for Local CLI Sessions task. Your networking device must be configured to allow remote CLI sessions and you must know the remote CLI session password to perform this procedure.

Networking Device Is Not Configured to Allow Remote CLI Sessions

  • If you cannot establish a remote session to your networking device, and you have not saved the misconfigured local CLI session
    password to the startup configuration, you can restart the networking device. When the networking device starts up again it
    will read the startup configuration file. The previous local CLI session password is restored.

Caution


Restarting a networking device will cause it to stop forwarding traffic. It will also cause any services that are running on the networking device, such as a DHCP server service, to stop. You should only restart a networking device during a period of time that has been allocated for network maintenance.


Recovering from a Lost or Misconfigured Password for Remote Sessions

There are three methods that can be used to recover from a lost or misconfigured remote CLI session password. The method that you will use depends on the current configuration of your networking device.

Networking Device Is Configured to Allow Local CLI Sessions

The fastest method to recover from a lost or misconfigured password for remote CLI sessions is to establish a local CLI session with the networking device and repeat the Configuring and Verifying a Password for Remote CLI Sessions task. Your networking device must be configured to allow local CLI sessions and you must know the local CLI session password to perform this procedure.

Networking Device Is Not Configured to Allow Local CLI Sessions

  • If you cannot establish a local CLI session to your networking device, and you have not saved the misconfigured remote CLI
    session password to the startup configuration, you can restart the networking device. When the networking device starts up
    again it will read the startup configuration file. The previous remote CLI session password is restored.

Caution


Restarting a networking device will cause it to stop forwarding traffic. It will also cause any services that are running on the networking device, such as a DHCP server service, to stop. You should only restart a networking device during a period of time that has been allocated for network maintenance.


Recovering from Lost or Misconfigured Passwords for Privileged EXEC Mode

There are two methods that can be used to recover from a lost or misconfigured privileged EXEC mode password. The method that you will use depends on the current configuration of your networking device.

A Misconfigured Privileged EXEC Mode Password Has Not Been Saved

  • If you have not saved the misconfigured privileged EXEC mode password to the startup configuration, you can restart the networking
    device. When the networking device starts up again it will read the startup configuration file. The previous privileged EXEC
    mode password is restored.

Caution


Restarting a networking device will cause it to stop forwarding traffic. It will also cause any services that are running on the networking device, such as a DHCP server service, to stop. You should only restart a networking device during a period of time that has been allocated for network maintenance.


Configuration Examples for Configuring Security with Passwords Privileges and Logins

Example: Configuring an Encrypted Preshared Key

The following is an example of a configuration for which a type 6 preshared key has been encrypted. It includes the prompts
and messages that a user might see.

Device(config)# password encryption aes
New key:
Confirm key:
Device (config)#
 
01:46:40: TYPE6_PASS: New Master key configured, encrypting the keys with
the new master key
Device (config)# exit

Example: Configuring a
Device to Allow Users to Clear Remote Sessions

The following example shows how to configure a networking device to allow a non-administrative user to clear remote CLI session virtual terminal (VTY) lines.

The first section
is an excerpt of the running configuration for this example. The following
sections show you how this example is used.

The following
section is an excerpt of the running-configuration:


!
privilege exec level 7 clear line
!
no aaa new-model
!
!
username admin privilege 7 secret 5 $1$tmIw$1aM7sadKhWMpkVTzxNw1J.
!         
privilege exec level 7 clear line
!
! the privilege exec level 7 clear command below is entered automatically 
! when you enter the privilege exec level 7 clear line command above, do
! not enter it again
!
privilege exec level 7 clear
!

The following section using the login command shows the user logging in to the networking device with the username of admin:


R1> login
Username: admin
Password: 

The following section using the show privilege command shows that the current privilege level is 7:


R1# show privilege
 
Current privilege level is 7
R1#

The following section using the show user command shows that two users (admin and root) are currently logged in to the networking device:


R1# show user
 
    Line       User       Host(s)              Idle       Location
*  0 con 0     admin      idle                 00:00:00   
   2 vty 0     root       idle                 00:00:17 172.16.6.2
  Interface    User               Mode         Idle     Peer Address

The following section using the clear line 2 command terminates the remote CLI session in use by the username root:


R1# clear line  2
   
[confirm]
 [OK]

The following section using the show user command shows that admin is the only user currently logged in to the networking device:


R1# show user       
    Line       User       Host(s)              Idle       Location
*  0 con 0     admin      idle                 00:00:00   
  Interface    User               Mode         Idle     Peer Address

Example: Configuring a Device
to Allow Users to View the Running Configuration

For Users With Privilege Level 15

The following example shows how to configure the networking device to allow a non-administrative user (no access to privileged EXEC mode) to view the running configuration automatically. This example requires that the username is configured for privilege level 15 because many of the commands in the configuration file can be viewed only by users who have access to privilege level 15.

The solution is to temporarily allow the user access to privilege level 15 while running the show running-config command and then terminate the CLI session when the end of the configuration file has been viewed. In this example the networking device will automatically terminate the CLI session when the end of the configuration file has been viewed. No further configuration steps are required.

Caution


You must include the noescape keyword for the username command to prevent the user from entering an escape character that will terminate viewing the configuration file and leave the session running at privilege level 15.



!
!
username viewconf privilege 15 noescape secret 5 $1$zA9C$TDWD/Q0zwp/5xRwRqdgc/.
username viewconf autocommand show running-config
!

For Users With Privilege Level Lower Than Level 15

The following example shows how to configure a networking device to
allow a user with privilege level lower than level 15 to view the running
configuration.


Device> enable
Device# configure terminal
Device(config)# privilege exec all level 5 show running-config
Device(config)# file privilege 5
Device(config)# privilege configure all level 5 logging
Device(config)# end
Device# show privilege
 
Current privilege level is 5

Device# show running-config
 
Building configuration...
 
Current configuration : 128 bytes
!
boot-start-marker
boot-end-marker
!
no logging queue-limit
logging buffered 10000000
no logging rate-limit
!
!
!
end

Example: Configuring a Device
to Allow Users to Shutdown and Enable Interfaces

The following example shows how to configure a networking device to allow non-administrative users to shut down and enable interfaces.

The first section is an excerpt of the running configuration for this example. The following sections show you how this example is used.

The following
section is an excerpt of the running-configuration:


!
no aaa new-model
!
username admin privilege 7 secret 5 $1$tmIw$1aM7sadKhWMpkVTzxNw1J.
!
privilege interface all level 7 shutdown
privilege interface all level 7 no shutdown
privilege configure level 7 interface
privilege exec level 7 configure terminal
!
! the privilege exec level 7 configure command below is entered automatically 
! when you enter the privilege exec level 7 configure terminal command above, do
! not enter it again
!
privilege exec level 7 configure 
!

The following section using the login command shows the user logging in to the networking device with the username of admin:


R1> login
Username: admin
Password: 

The following section using the show privilege command shows that the current privilege level is 7:


R1# show privilege
Current privilege level is 7

The following section using the show user command shows that admin is the only user currently logged in to the networking device:


R1# show user
    Line       User       Host(s)              Idle       Location
*  0 con 0     admin      idle                 00:00:00   
  Interface    User               Mode         Idle     Peer Address

The following section shows that the admin user is permitted to shut down and enable an interface:


R1# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)# interface ethernet 1/0
R1(config-if)# shutdown
R1(config-if)# no shutdown
R1(config-if)# exit
R1#

Where to Go Next

Once you have established a baseline of security for your networking devices you can consider more advanced options such
as:

  • Role-Based CLI Access—The role-based CLI access feature offers a more comprehensive set of options than the
    privilege command (described in this document) for network managers who want to allow different levels of technical support staff to
    have different levels of access to CLI commands.

  • AAA Security—Many Cisco networking devices offer an advanced level of security using authentication, authorization and accounting (AAA) features. All of the tasks described in this document, and other more advanced security features, can be implemented using AAA on the networking device in conjunction with a remote TACACS+ or RADIUS server. For information on how to configure AAA security features that can be run locally on a networking device, or for information on how to configure remote AAA security using TACACS+ or RADIUS servers, see the Cisco IOS XE Security Configuration Guide: Securing User Services, Release 2.

Additional References

The following sections provide references related to Configuring Security with Passwords and Login Usernames for CLI Sessions on Networking Devices.

Related Documents

Related Topic / Document Title

Managing user access to CLI commands and configuration information / “Role-Based CLI Access” in the Cisco IOS XE Security Configuration Guide: Securing User Services, Release 2

AAA Security Features / Cisco IOS XE Security Configuration Guide: Securing User Services, Release 2

Assigning privilege levels with TACACS+ and RADIUS / How to Assign Privilege Levels with TACACS+ and RADIUS

Standards

Standard

Title

No new or modified RFCs are supported by this functionality, and support for existing RFCs has not been modified.

MIBs

MIBs

MIBs Link

No new or modified MIBs are supported by this feature, and support for existing MIBs has not been modified by this feature.

To locate and download MIBs for selected platforms, Cisco IOS XE software releases, and feature sets, use Cisco MIB Locator
found at the following URL:

http://www.cisco.com/go/mibs

RFCs

RFC

Title

No new or modified RFCs are supported by this functionality, and support for existing RFCs has not been modified.

Technical Assistance

Description

Link

The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and
resolving technical issues with Cisco products and technologies.

To receive security and technical information about your products, you can subscribe to various services, such as the Product
Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds.

Access to most tools on the Cisco Support website requires a Cisco.com user ID and password.

http://www.cisco.com/techsupport

Feature Information for
Configuring Security with Passwords Privileges and Logins

The following table provides release information about the feature or features described in this module. This table lists
only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise,
subsequent releases of that software release train also support that feature.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco
Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Table 1. Feature Information for
Configuring Security with Passwords, Privilege Levels, and Login Usernames for
CLI Sessions on Networking Devices

Feature Name / Releases / Feature Configuration Information

Enhanced Password Security

Using the
Enhanced Password Security feature, you can configure MD5 encryption for
username passwords. MD5 encryption is a one-way hash function that makes
reversal of an encrypted password impossible, providing strong encryption
protection. Using MD5 encryption, you cannot retrieve clear text passwords. MD5
encrypted passwords cannot be used with protocols that require that the clear
text password be retrievable, such as Challenge Handshake Authentication
Protocol (CHAP).

When you go deeper into configuring line vty there is one danger.
There is this parameter:
access-class. Configuring it lets you restrict the IP addresses from which a connection is possible. And one day I, clever clogs that I am, decided to tackle security in the network and put these access lists on almost all of the equipment, so tight that not even a mosquito could get through. One fine day I had to go out into the field, and that day I cursed my own thoroughness: I could not reach anything, I had not left myself the slightest loophole. In short, be careful with this command, or leave yourself a way in.
When working with access-lists and other dangerous things whose misconfiguration can cost you access to the device, you can use the wonderful command
reload in min, where min is the time in minutes. This command reboots the device when the specified time elapses unless it is interrupted with the reload cancel command. So the workflow is this: you are remotely digging into something that could in theory (remember Murphy's law) cut your session with the device. Save the current (working) config to startup-config (it is used at boot), set reload in 15, enter the key command you have doubts about ;-), and the connection drops: the worst fears are confirmed. Wait 15 minutes, the device reboots with the working config, you connect, and voilà, the link is back. Or (if the connection did not drop) check that everything works and do reload cancel.

In today's conditions, when more and more people use the Internet, setting a password on a Cisco router is one of the most important tasks. It provides the necessary level of security and protects your network from attacks by unknown users.

To set a password on a Cisco router, follow these instructions:

1. To enter the router's management interface, open any browser on a computer connected to the router. In the address bar, enter the router's IP address. By default it is 192.168.1.1, but if you have a different IP address, you can enter that instead.

2. In the window that appears, enter your credentials. By default, the username and password are admin. But most importantly: never, ever use the default credentials! This is critically important for keeping the network secure. We advise you to set your own password and not forget it.

3. Switch the router interface to configuration mode.

4. Go to the Security section and select Passwords. Here you will find all the necessary password settings.

5. Select the Enable Password tab and enter a new password. It is recommended to use a password of at least 8 characters containing a mix of digits, letters and special characters.

6. Next, set the console password, just as in step 5. While you are working on the console settings, it is recommended to set passwords for Telnet and SNMP as well.

7. After you have configured all the passwords, save the changes, apply them and reboot the router. Now anyone who tries to access your network will have to know the correct credentials.

That is all; you now know how to set a password on a Cisco router. You can be confident that your network is reliably protected from any unwanted users. Take responsibility and secure your network now!

In this Daily Drill Down, I will focus on a great way to ensure basic security on a Cisco router: router passwords. Passwords are absolutely the best defense against would-be hackers. Leaving no passwords on a Cisco router can cause major problems. Keep in mind that using passwords is just the first line of defense, and you should have other security features on your network as well.

Cisco has some defense against would-be hackers built into its router Internetworking Operating System (IOS). For example, it is impossible to Telnet into a Cisco router unless an administrator configures the router with a Telnet password or uses the No Login command, which allows users to Telnet into a router with no password. Either way, something has to be configured for Telnet to work. Also, you cannot enter privileged mode (which is the IOS EXEC mode that allows you to view or change the configuration on a router) from Telnet unless an Enable password is set. These are very basic features of Cisco routers and allow only some security.

Here, I will focus on the five basic Cisco router passwords you can use to protect your network. However, first you must know the difference between user mode and privileged mode. Both of these modes are called EXEC mode, and a prompt is used to tell you which mode you are in.

User mode CLI
The user mode EXEC command-line interface (CLI) is sometimes referred to as “useless mode” because it doesn’t do a whole lot. User mode lets you view interface statistics and is typically used by junior administrators to gather facts for the senior staff. You don’t want highly paid people sitting around gathering basic network statistics when a junior administrator can be adequately trained to document this information. To get into user mode, you can connect in one of three ways:

  • Console: An RJ-45 connection on all Cisco routers allows full access to the router if no passwords are set.
  • Aux: An RJ-45 connection on most routers allows you to connect a modem to the port, dial in to the router, and make a console connection.
  • VTY: Virtual Teletype is used to allow a Telnet connection to the router, which will then work like a console port. You must have an active interface on the router for Telnet to connect to the router.

The most important thing to understand about the three connection modes is that they get you into user mode only. To view and change the configuration, you need to be in privileged mode.

Privileged mode CLI
The privileged EXEC mode allows full access to a Cisco router by default, and the configuration can be both viewed and changed in this EXEC mode. You can enter privileged mode by first entering user mode and then typing the command enable.

It is important to remember that to change the router configuration, you must be in privileged EXEC mode. The console, aux, and VTY ports are used to get into user mode only and have nothing to do with how the router is configured.

Here is an example of how to get into privileged mode on a Cisco router through the console port:
Line con 0 now ready, press return to continue

At this point, you press Enter. Next, you will see:
Enter password:

This prompt is asking for the console user-mode password. Then, you will see:
Router>enable
Router#

The prompt at user mode is the greater-than sign (>). When you are in privileged mode, the prompt changes to a pound sign (#).

Global configuration mode
Once you are in privileged mode, you enter global configuration mode to change the configuration. You make changes by typing the command configure terminal. However, I prefer to type the shortcut command config t. This allows you to change the running-config, a file that is in DRAM and is the configuration the router is using. You can save the running-config to what is called Non-Volatile RAM (NVRAM). The file that is copied into NVRAM is called startup-config and is the configuration that is copied to RAM when the router is rebooted or powered up.

Once you type configure terminal from privileged mode, your prompt changes to the following:
Router#configure terminal
Router(config)#

This prompt tells you that you are in global configuration mode. From here, you can make changes to the router that affect the router in whole, hence the name global configuration mode. For example, this is the location where you set the router passwords.

If you want to change the configuration of an interface, you would have to enter interface configuration mode from global configuration mode. Here is an example:
Router#configure terminal
Router(config)#interface fastethernet 0/0
Router(config-if)#

Notice the prompt is Router(config-if)#, which tells you that you are in interface configuration mode. From here, you can enable or disable the interface, add IP and IPX addresses, and more.

The five passwords
Now that you understand the difference between user mode, privileged mode, and global and interface configuration modes, you can now set the passwords for each level.

Here are the five passwords you can set on a Cisco router:

  • Console
  • Aux
  • VTY
  • Enable password
  • Enable Secret

We will discuss each of these passwords and how to configure them in the following sections.

Console
This is the basic connection into every router. To initially set up a router, you need to connect to the console port and at a minimum enable one interface and set the VTY password. After one interface is enabled and the VTY lines are configured, an administrator can then Telnet into the router and do the final configurations from that connection. However, the console port can be used to configure the complete configuration at any time. This makes it very important to protect the console port with a password.

To configure a console user-mode password, use the Line command from global configuration mode. There is only one console port on all routers, so the command is
line console 0

Here is an example:
Router#config t
Router(config)#line console 0
Router(config-line)#

Notice the prompt changed to Router(config-line)#. This prompt tells you that you are configuring the console, aux, or VTY lines.

To finish configuring the console port, you can use two more commands:

  • Login: This tells the router to look under the console line configuration for the password. If you do not use this command, you will not be prompted for a password when you connect to the router’s console port.
  • Password: This sets the console user-mode password. It is case sensitive.

The complete command will look like this:
Router#config t
Router(config)#line console 0
Router(config-line)#login
Router(config-line)#password todd

Aux
On some routers, aux is called the auxiliary port, and on some it is called the aux port. To find the complete command-line name on your router, use a question mark with the Line command as shown:
Router(config)#line ?
<0-4>         First Line Number
aux           Auxiliary line
console       Primary terminal line
vty           Virtual terminal

At this point, you can choose the correct command you need. Here is an example of setting the aux port on a Cisco router to prompt for a user-mode password with a console cable connected (this port can be used with or without a modem):
Router#config t
Router(config)#line aux 0
Router(config-line)#login
Router(config-line)#password cisco

VTY (Telnet)
The Virtual Teletype (VTY) lines are used to configure Telnet access to a Cisco router. As I mentioned earlier, the VTY lines must be configured for Telnet to be successful.

Here is an example of an administrator’s attempt to Telnet to a router that does not have the VTY lines configured:
Password not set, connection refused

This is the default on every Cisco router.

To configure the VTY lines, you must first use the question mark with the command
line vty 0 ?

to determine the number of lines available on your router. The number varies with the type of router and the IOS version. However, five is the most common number of lines.
Router#config t
Router(config)#line vty 0 ?
<0-4>  Last Line Number
<cr>
Router(config)#line vty 0 4
Router(config-line)#login
Router(config-line)#password cisco

Notice that you choose all the lines available for the most efficient configuration. You can set each line individually, but because you cannot choose the line you enter the router with when you Telnet, this can cause problems.

You can tell the router to allow Telnet connections without a password by using the No Login command:
Router(config)#line vty 0 4
Router(config-line)#no login

Enable password
The Enable password is used to allow security on a Cisco router when an administrator is trying to go from user mode to privileged mode. The Enable password is the old, unencrypted form; once it is set, the router prompts for it whenever you type enable to move into privileged mode. You set the Enable password from global configuration mode and use the command
enable password password

Here is an example:
Router#config t
Router(config)#enable password lammle
Router(config)#exit
Router#disable (the disable command takes you from privileged mode back to user mode)
Router>enable
Enter password:

Enable Secret
The Enable Secret password accomplishes the same thing as Enable. However, it is encrypted by default and supersedes Enable if it is set. In other words, if you set the Enable password and then set the Enable Secret password, the Enable password will never be used.

You set the Enable Secret password from global configuration mode by using the command:
enable secret password

Here’s an example:
Router#config t
Router(config)#enable secret san jose

Encrypting your passwords
The Line command passwords (console, aux, and VTY) are not encrypted by default and can be seen by going into privileged EXEC mode and typing the command
show running-config

This displays the complete configuration that the router is running, including all the passwords. Remember that the Enable Secret password is encrypted by default, but the other four are not. To encrypt your passwords, use the global configuration command
service password-encryption

Here is an example of how to perform manual password encryption (as well as an example of how to set all five passwords):
Router#config t
Router(config)#service password-encryption
Router(config)#enable password todd
Router(config)#line vty 0 4
Router(config-line)#login
Router(config-line)#password todd
Router(config-line)#line con 0
Router(config-line)#login
Router(config-line)#password cisco
Router(config-line)#line aux 0
Router(config-line)#login
Router(config-line)#password sanjose
Router(config-line)#exit
Router(config)#no service password-encryption
Router(config)#enable secret lammle
Router(config)#^Z

All of the passwords can be the same except the Enable and the Enable Secret passwords. You should make them different for security reasons, however.
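As an added check that is not part of the original article, the Python auditor below reads a saved running-config and reports the conditions covered above: an Enable password with no Enable Secret (or an Enable password left in place once the secret supersedes it), service password-encryption turned off, VTY lines set to no login, and line passwords stored as type 0 (clear text) or type 7. The sample configuration is constructed from the article's closing example, with placeholder strings in place of the secret hash and type 7 value; the type 7 form produced by service password-encryption is a reversible encoding, not real encryption, so the auditor reports it rather than treating it as safe.

```python
import re

# Constructed sample, not from the article: its closing example after the 'no service
# password-encryption' step, with the vty lines left at 'no login'. Hash/type 7 strings are placeholders.
SAMPLE_CONFIG = """\
no service password-encryption
enable password todd
enable secret 5 $1$PLACEHOLDER$PLACEHOLDERHASH
line con 0
 login
 password 7 PLACEHOLDERTYPE7
line vty 0 4
 no login
 password todd
"""
# 'password [0|7] value': no type or 0 is clear text, 7 is reversible obfuscation
PASSWORD_RE = re.compile(r"^password(?: (?P<type>0|7))? (?P<value>.+)$")

def parse_line_sections(config):  # map each 'line <name>' block to its indented sub-commands
    sections, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw[5:].strip()
            sections[current] = []
        elif raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        else:
            current = None  # back at the global configuration level
    return sections

def audit_config(config):  # findings about the five passwords and how each one is stored
    findings = []
    has_secret = re.search(r"^enable secret ", config, re.M) is not None
    has_enable_pw = re.search(r"^enable password ", config, re.M) is not None
    if not has_secret:
        findings.append("enable: no 'enable secret'; privileged mode relies on " + ("the plaintext 'enable password'" if has_enable_pw else "nothing"))
    elif has_enable_pw:
        findings.append("enable: 'enable password' is never used once 'enable secret' is set; remove it")
    if re.search(r"^no service password-encryption$", config, re.M):
        findings.append("global: 'service password-encryption' is off; line passwords are stored in clear")
    for name, cmds in parse_line_sections(config).items():
        match = next((m for c in cmds if (m := PASSWORD_RE.match(c))), None)
        if "no login" in cmds:
            findings.append(f"line {name}: 'no login' grants user mode without any password")
        elif "login" in cmds and match is None:
            findings.append(f"line {name}: 'login' but no password set; IOS refuses the connection")
        if match:
            kind = "type 7, reversible obfuscation" if match.group("type") == "7" else "type 0, clear text"
            findings.append(f"line {name}: password stored as {kind}")
    return findings
```

Run audit_config(SAMPLE_CONFIG) against the output of show running-config to get one finding per weak setting; an empty list means every line has login plus a password and only Enable Secret guards privileged mode.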

Conclusion
It is extremely important to set your passwords on every Cisco router your company has. If you are studying for your Cisco certification exams, be sure you understand the passwords and how to set them. Remember the difference between the Enable Secret and the Enable password and that the Enable Secret password supersedes the Enable password if it’s set.
The authors and editors have taken care in preparation of the content contained herein but make no expressed or implied warranty of any kind and assume no responsibility for errors or omissions. No liability is assumed for any damages. Always have a verified backup before making any changes.
