There are five passwords you’ll need to secure your Cisco routers: console, auxiliary, telnet/SSH (VTY), enable password, and enable secret. The enable secret and enable password are the ones used to set the password for securing privileged mode. Once the enable commands are set, users will be prompted for a password. The other three are used to configure a password when user mode is accessed through the console port, through the auxiliary port, or via Telnet.
Let’s take a look at each of these now.
You set the enable passwords from global configuration mode like this:
tod (config)# enable ?
last-resort Define enable action if no TACACS servers
password Assign the privileged level password
secret Assign the privileged level secret
use-tacacs Use TACACS to check enable passwords
The following list describes the enable password parameters:
last-resort This allows you to still enter the device if you set up authentication through a TACACS server and it’s not available. It won’t be used if the TACACS server is working.
password This sets the enable password on older, pre-10.3 systems and isn’t ever used if an enable secret is set.
secret The newer, encrypted password that overrides the enable password if it has been set.
use-tacacs This tells the router or switch to authenticate through a TACACS server. It comes in really handy when you have lots of routers because changing the password on a multitude of them can be insanely tedious. It’s much easier to simply go through the TACACS server and change the password only once!
Here’s an example that shows how to set the enable passwords:
tod (config)# enable secret tod
tod (config)# enable password tod
The enable password you have chosen is the same as your
enable secret. This is not recommended. Re-enter the
If you try to set the enable secret and enable passwords the same, the device will give you a polite warning to change the second password. Make a note to yourself that if there aren’t any old legacy routers involved, you don’t even need to bother with the enable password!
User-mode passwords are assigned via the line command like this:
tod (config)# line ?
<0-16> First Line number
console Primary terminal line
vty Virtual terminal
And these two lines are especially important for the exam objectives:
console Sets a console user-mode password.
vty Sets a Telnet password on the device. If this password isn’t set, then by default, Telnet can’t be used.
To configure user-mode passwords, choose the line you want and configure it using the login command to make the switch prompt for authentication. Let’s focus in on the configuration of individual lines now.
We set the console password with the line console 0 command, but look at what happened when I tried to type line console ? from the (config-line)# prompt—I received an error! Here’s the example:
tod (config-line)# line console ?
% Unrecognized command
tod (config-line)# exit
tod (config)# line console ?
<0-0> First Line number
tod (config)# line console 0
tod (config-line)# password console
tod (config-line)# login
You can still type line console 0 and that will be accepted, but the help screens just don’t work from that prompt. Type exit to go back one level, and you’ll find that your help screens now work. This is a “feature.” Really.
Because there’s only one console port, I can only choose line console 0. You can set all your line passwords to the same password, but doing this isn’t exactly a brilliant security move!
And it’s also important to remember to apply the login command or the console port won’t prompt for authentication. The way Cisco has this process set up means you can’t set the login command before a password is set on a line because if you set it but don’t then set a password, that line won’t be usable. You’ll actually get prompted for a password that doesn’t exist, so Cisco’s method isn’t just a hassle; it makes sense and is a feature after all!
Definitely remember that although Cisco has this “password feature” on its routers starting with IOS 12.2 and above, it’s not included in older IOSs.
Okay, there are a few other important commands you need to know regarding the console port.
For one, the exec-timeout 0 0 command sets the time-out for the console EXEC session to zero, ensuring that it never times out. The default time-out is 10 minutes.
If you’re feeling mischievous, try this on people at work: Set the exec-timeout command to 0 1. This will make the console time out in 1 second, and to fix it, you have to continually press the down arrow key while changing the time-out time with your free hand!
Logging synchronous is such a cool command that it should be a default, but it’s not. It’s great because it’s the antidote for those annoying console messages that disrupt the input you’re trying to type. The messages will still pop up, but at least you get returned to your device prompt without your input being interrupted! This makes your input messages oh-so-much easier to read!
Here’s an example of how to configure both commands:
tod (config-line)# line con 0
tod (config-line)# exec-timeout ?
<0-35791> Timeout in minutes
tod (config-line)# exec-timeout 0 ?
<0-2147483> Timeout in seconds
tod (config-line)# exec-timeout 0 0
tod (config-line)# logging synchronous
You can set the console to go from never timing out (0 0) to timing out in 35,791 minutes and 2,147,483 seconds. Remember that the default is 10 minutes.
To set the user-mode password for Telnet access into the router or switch, use the line vty command. IOS switches typically have 16 lines, but routers running the Enterprise edition have considerably more. The best way to find out how many lines you have is to use that handy question mark like this:
tod (config-line)# line vty 0 ?
% Unrecognized command
tod (config-line)# exit
tod (config)# line vty 0 ?
<1-15> Last Line number
tod (config)# line vty 0 15
tod (config-line)# password telnet
tod (config-line)# login
This output clearly shows that you cannot get help from your (config-line)# prompt. You must go back to global config mode in order to use the question mark (?).
So what will happen if you try to telnet into a device that doesn’t have a VTY password set? You’ll receive an error saying the connection has been refused because the password isn’t set. So, if you telnet into a switch and receive a message like this one that I got from Switch B
tod # telnet SwitchB
Trying SwitchB (10.0.0.1)... Open
Password required, but none set
[Connection to SwitchB closed by foreign host]
it means the switch doesn’t have the VTY password set. But you can still get around this and tell the switch to allow Telnet connections without a password by using the no login command:
SwitchB(config-line)# line vty 0 15
SwitchB(config-line)# no login
I definitely do not recommend using the no login command to allow Telnet connections without a password, unless you’re in a testing or classroom environment. In a production network, always set your VTY password!
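The enable secret/enable password rule, the password-plus-login requirement on each line, the no login shortcut and the exec-timeout 0 0 setting are all things you can check mechanically before a configuration reaches a device. The script below is an added example for this chapter, not a Cisco tool and not part of the book: it parses a running-config-style script (IOS indents line sub-commands by one space), then reports the mistakes described above. The two sample configurations, the finding codes and the placeholder secret are constructed for illustration; the only assumption beyond the text is that the script is audited as typed, so both enable values are still in cleartext when compared.

```python
"""Audit an IOS configuration script for the password pitfalls described in the text.

Added example, not from the book or from Cisco. Sample configs and finding codes
are constructed; the IOS commands checked are the ones the chapter discusses.
"""
from typing import Dict, List, Optional, Tuple

Finding = Tuple[str, str, str]  # (code, scope, message)

# Exec-timeout limits as shown by IOS context-sensitive help in the text.
MAX_TIMEOUT_MINUTES = 35791
MAX_TIMEOUT_SECONDS = 2147483
DEFAULT_EXEC_TIMEOUT_SECONDS = 10 * 60  # IOS default is 10 minutes

# Constructed sample: the weak state the chapter's own examples would leave behind.
WEAK_CONFIG = """\
hostname tod
enable secret tod
enable password tod
line con 0
 password console
 login
 exec-timeout 0 0
 logging synchronous
line aux 0
 password aux
line vty 0 15
 password telnet
 no login
"""

# Constructed sample: the same device with every finding addressed.
HARDENED_CONFIG = """\
hostname tod
enable secret StrongSecretPlaceholder
line con 0
 password console
 login
 exec-timeout 5 0
 logging synchronous
line aux 0
 password aux
 login
line vty 0 15
 password telnet
 login
 exec-timeout 5 0
"""


def parse_sections(config_text: str) -> Dict[str, List[str]]:
    """Split config text into a 'global' command list plus one list per `line` header."""
    sections: Dict[str, List[str]] = {"global": []}
    current = "global"
    for raw in config_text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue  # blank lines and "!" separators carry no configuration
        if raw.startswith(" "):
            sections[current].append(raw.strip())  # indented: belongs to current line block
        elif raw.startswith("line "):
            current = raw.strip()  # e.g. "line vty 0 15"
            sections.setdefault(current, [])
        else:
            current = "global"
            sections["global"].append(raw.strip())
    return sections


def _arg(commands: List[str], keyword: str) -> Optional[str]:
    """Return the argument of the first command beginning with `keyword`, or None if absent."""
    for cmd in commands:
        if cmd == keyword:
            return ""
        if cmd.startswith(keyword + " "):
            return cmd[len(keyword) + 1:]
    return None


def parse_exec_timeout(arg: str) -> int:
    """Convert an `exec-timeout <minutes> [seconds]` argument to total seconds."""
    parts = arg.split()
    minutes = int(parts[0])
    seconds = int(parts[1]) if len(parts) > 1 else 0
    if not (0 <= minutes <= MAX_TIMEOUT_MINUTES and 0 <= seconds <= MAX_TIMEOUT_SECONDS):
        raise ValueError(f"exec-timeout out of range: {arg!r}")
    return minutes * 60 + seconds


def audit_ios_config(config_text: str) -> List[Finding]:
    """Return (code, scope, message) findings; an empty list means nothing was flagged."""
    sections = parse_sections(config_text)
    findings: List[Finding] = []

    g = sections["global"]
    secret, password = _arg(g, "enable secret"), _arg(g, "enable password")
    if secret is None:
        findings.append(("NO_ENABLE_SECRET", "global", "privileged mode has no enable secret"))
    elif password is not None:
        if password == secret:
            findings.append(("ENABLE_SAME_AS_SECRET", "global",
                             "enable password equals enable secret (IOS warns about this too)"))
        else:
            findings.append(("ENABLE_PASSWORD_UNUSED", "global",
                             "enable password is ignored while an enable secret is set"))

    for scope, cmds in sections.items():
        if scope == "global":
            continue
        has_password = _arg(cmds, "password") is not None
        has_login = _arg(cmds, "login") is not None  # matches `login` and `login local`
        if "no login" in cmds:
            findings.append(("NO_LOGIN", scope, "line accepts connections without any password"))
        elif has_password and not has_login:
            findings.append(("PASSWORD_WITHOUT_LOGIN", scope, "password set but no login; line will not prompt"))
        elif has_login and not has_password:
            findings.append(("LOGIN_WITHOUT_PASSWORD", scope, "login set with no password; line is unusable"))
        elif not has_login and not has_password:
            if scope.startswith("line vty"):
                findings.append(("VTY_NO_PASSWORD", scope, "Telnet refused: password required, but none set"))
            else:
                findings.append(("OPEN_LINE", scope, "no password and no login; user mode opens unauthenticated"))
        timeout = _arg(cmds, "exec-timeout")
        seconds = parse_exec_timeout(timeout) if timeout else DEFAULT_EXEC_TIMEOUT_SECONDS
        if seconds == 0:
            findings.append(("NO_EXEC_TIMEOUT", scope, "exec-timeout 0 0: session never times out"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {label} ==")
        for code, scope, message in audit_ios_config(cfg) or [("OK", "-", "no findings")]:
            print(f"{code:24} {scope:16} {message}")
```

Run against WEAK_CONFIG the auditor reports the identical enable values, the aux line that has a password but no login, the VTY range with no login, and the console that never times out; HARDENED_CONFIG produces no findings. The exec-timeout bounds are the ones IOS context help prints in the chapter, so an out-of-range value raises rather than being silently accepted.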
After your IOS devices are configured with an IP address, you can use the Telnet program to configure and check your routers instead of having to use a console cable. You can use the Telnet program by typing telnet from any command prompt (DOS or Cisco). I’ll cover all things Telnet more thoroughly in Chapter 7, “Managing a Cisco