There are mainly two ways to authenticate to a Cisco router (and to other networking devices in general): using an external authentication service (such as an AAA server speaking RADIUS or TACACS+), or using local usernames and passwords stored on the device itself.
In this article we will discuss how to setup a local username and password on a Cisco router in order to authenticate when connecting to the device for management purposes. The same principles apply also to other Cisco devices such as switches, firewalls etc.
By default, when you access a Cisco router for management purposes (using Console, Telnet or SSH) there is no username/password authentication required.
You only need to supply the “privileged EXEC” password (i.e. the “enable” password) in order to gain access to the full configuration mode of the router (read below about the different password levels and types).
Employing an additional level of authentication (i.e. requiring the user to supply a username/password credential in addition to the “enable” password) makes the router more resistant to unauthorized access.
Moreover, configuring local usernames on the device gives you the flexibility to add granularity regarding the levels of management privileges for different users (although using an external AAA server for authentication and authorization purposes is better compared to local accounts).
For example, you can configure a username on the router with full privileges (privilege level 15) who can configure anything on the router, or you can configure a username with unprivileged access (privilege level 1) who can only see a few things on the router and nothing else.
There are two steps involved to configure local usernames. The first one is to create the username/password and assign it a privilege level (from 1 to 15, with 15 being the most privileged level).
If you don’t specify a privilege level number, it gets the full privilege 15 by default. The second step is to configure your VTY lines (0 to 4) to require local login (i.e. only a configured user with a valid password can access the router).
Configuration of Local Account
Router# config t
Router(config)# username Mynetworkadmin privilege 15 secret <strong-password-placeholder>
Router(config)# username Onlymonitoring privilege 1 secret An0ther!Pass34
! After creating the above local accounts, you then apply the “local” authentication type to the lines
Router(config)# line vty 0 4
Router(config-line)# login local
Router(config-line)# exit
Router(config)# line console 0
Router(config-line)# login local
Router(config-line)# exit
Router(config)# line aux 0
Router(config-line)# login local
Router(config-line)# exit
Router(config)# wr
A security tip here: for the username, select something difficult to guess and not found in common wordlists. For example, names like “admin”, “administrator” or “cisco” are not good usernames; a simple dictionary attack will find those easily.
Moreover, if you have more than one administrator connecting to your routers, it’s better to configure a separate, personalized username for each administrator. This makes tracking and auditing possible, so you know what each user did on the device and when each user connected to it.
Router Password Types:
Passwords are the first line of defense for securing Cisco Routers.
There are five password types that can be configured on a Cisco Router:
- Privileged Level Passwords (Privilege EXEC):
  - Enable Password (not encrypted)
  - Enable Secret Password (encrypted password)
- Console Line Password
- VTY Lines Password
- Auxiliary (AUX) Line Password
Configuring Privileged Level Passwords:
Above we have configured local accounts and also applied the “local” authentication type to all router lines (VTY, console, aux). Now, we will configure the “privileged EXEC” password which is used to enter into “full configuration mode” on the router.
! Configure non-encrypted password (avoid this type)
Router(config)# enable password somepassword
! Configure encrypted password (recommended)
Router(config)# enable secret strongpassword
NOTES:
To specify an additional layer of security it’s important to use the enable secret command in global configuration mode as shown above.
The enable secret command provides better security by storing the configured enable secret password using a non-reversible cryptographic hash function, whereas the enable password command stores the configured password in clear text or in an easily reversible encrypted format.
Storing the password as a cryptographic hash helps to minimize the risk of password sniffing if the router configuration file is transferred across the network, such as to and from a TFTP server.
It is also useful if an unauthorized user obtains a copy of your configuration file. Note that if neither the enable password command nor the enable secret command is configured, and a line password is configured for the console port, the console line password will serve as the enable password for all VTY lines, which includes Telnet, rlogin, and SSH connections.
The enable secret command is widely available within IOS.
Encrypting Passwords:
By default, only the enable secret password is encrypted. In order to encrypt the other password types, you need to enable the “password encryption” service globally on the router as follows:
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# service password-encryption
NOTES:
To encrypt local router passwords, use the service password-encryption command in global configuration mode as shown above.
This command applies to line passwords, username passwords, enable passwords, and authentication key passwords, including routing authentication passwords and key strings.
By default, IOS does not encrypt passwords. Encrypting passwords in this way helps to minimize the risk of password sniffing if the router configuration file is transferred across the network, such as to or from a TFTP server.
It is also useful if an unauthorized user obtains a copy of your configuration file. This command is widely available within IOS.
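As an added example (not part of the original article), a small Python auditor that checks a saved running-config excerpt for the weaknesses discussed in the local-account, enable-secret and password-encryption sections above: an enable password with no enable secret, service password-encryption left off, usernames stored with password instead of secret, easily guessed usernames, and lines without login local. The sample config text is constructed, and the secret hash and type 7 string in it are placeholders.

```python
import re

# Constructed running-config excerpt (not from a real device); hash and type 7 values are placeholders.
SAMPLE_CONFIG = """\
hostname Router
!
enable password somepassword
username Mynetworkadmin privilege 15 secret 5 $1$EXAMPLE$placeholderhash0000000000
username admin password 7 00PLACEHOLDER7
!
line con 0
 login local
line aux 0
 password cisco
 login
line vty 0 4
 login local
"""

WEAK_USERNAMES = {"admin", "administrator", "cisco", "root"}
USERNAME_RE = re.compile(
    r"^username (\S+)(?: privilege (\d+))? (password|secret)(?: (\d))? (\S+)$", re.M)

def audit_config(config: str) -> list:
    """Return findings for the password weaknesses the article warns about."""
    findings = []
    if re.search(r"^enable password ", config, re.M) and not re.search(r"^enable secret ", config, re.M):
        findings.append("enable password configured without enable secret")
    if not re.search(r"^service password-encryption$", config, re.M):
        findings.append("service password-encryption not enabled")
    for name, _priv, kind, ptype, _value in USERNAME_RE.findall(config):
        if name.lower() in WEAK_USERNAMES:
            findings.append(f"username {name}: easily guessed name")
        if kind == "password":  # only 'secret' stores a non-reversible hash
            how = "type 7 (reversible)" if ptype == "7" else "clear text"
            findings.append(f"username {name}: password stored as {how}, use secret")
    # Group indented line-mode commands under the 'line ...' header they belong to.
    sections, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw[5:].strip()
            sections[current] = []
        elif raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        else:
            current = None
    for line_name, cmds in sections.items():
        if "login local" not in cmds:
            findings.append(f"line {line_name}: 'login local' missing")
    return findings
```

Run it against the text of `show running-config` saved to a file; an empty result means none of the checks above fired.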