Real World Application
Security is of the utmost importance in a production network, especially an internet-facing production network. Having an insecure Cisco router and/or switch exposes your network to a virtually unlimited number of risks. This lab will teach you the basics of password authentication in the Cisco IOS software to secure your Cisco router and/or switch.
Lab Prerequisites
- If you are using GNS3, load the Free CCNA Workbook topology and start R1.
- Establish a console session with Router 1.
Lab Objectives
- Configure a Console line password so that anyone attempting to establish a console session to the device will be prompted for a password. Once completed, verify your configuration.
- Configure the VTY line 0-4 password so that anyone attempting to establish a telnet/ssh session to the device will be prompted for a password. Once completed, verify your configuration.
- Configure an enable password and enable secret. Once completed, verify these configurations.
- Configure an Auxiliary line password so that anyone attempting to establish an auxiliary line session to the device (routers only) will be prompted for a password.
Lab Instruction
Step 1. To meet the first objective of protecting the console line with a console password you'll need to navigate to the console line configuration mode as shown below:
--- System Configuration Dialog ---
Would you like to enter the initial configuration dialog? [yes/no]: no
Press RETURN to get started!
Router>enable
Router#configure terminal
Router(config)#line console 0
Router(config-line)#
Once in console line configuration mode, you can set the password by executing the password passwordgoeshere command. As shown below, the password is being set to Cisco123:
Router(config-line)#password Cisco123
Simply setting the password does not enable password authentication. You'll need to tell the router to prompt incoming sessions on the console line for a password. This is done by executing the login command from line configuration mode as shown below:
Router(config-line)#login
Now you can test your console line password, but first you'll have to end your exec session by typing end and then exit, then attempt to establish a new exec session via the console as shown below:
Router(config-line)#end
Router#exit
Router con0 is now available
Press RETURN to get started.
User Access Verification
Password:
Router>
Step 2. Now it's time to configure the VTY (Virtual TeleType) lines. The VTY lines are virtual lines used for establishing an exec session via telnet or ssh. You apply the password to these lines in the same manner as you previously did for the console line, as shown below:
Router>enable
Router#config terminal
Router(config)#line vty 0 4
Router(config-line)#password Cisco321
Router(config-line)#login
Notice that in this example the password was set to Cisco321 just to demonstrate that you can have different passwords per line. To verify this configuration you'd typically need Ethernet connectivity to the device, so to satisfy that requirement you'll need to assign an IP address to an interface. For example, assign 10.1.1.1 255.255.255.255 to interface loopback0 as shown below:
Router(config-line)#interface lo0
Router(config-if)#ip add 10.1.1.1 255.255.255.255
Router(config-if)#end
Router#
To verify your VTY line password configuration you can telnet to your local interface to initiate a telnet exec session as shown below:
Router#telnet 10.1.1.1
Trying 10.1.1.1 ... Open
User Access Verification
Password:
Password:
Router>
As you can see, you're prompted for the VTY line password. If you enter the console line password you will be denied access, but upon entering the correct VTY line password you'll be authorized to start an exec session, as shown above.
Once you've established a telnet session to the router, try to gain privileged level access. You'll immediately notice that you're prompted for an "enable" password; since none is set, you cannot gain privileged level access.
Router>enable
Password:
Password:
Password:
% Bad passwords
Router>
Step 3. Configure an enable password and enable secret so that you can gain privileged level access to the Cisco router via telnet. This configuration is done in global configuration mode. If you still have a telnet session open from the previous objective's verification, type exit. To configure an enable password, execute the enable password passwordgoeshere command.
To configure an enable secret you simply execute the enable secret passwordgoeshere command as shown below:
Router>exit
[Connection to 10.1.1.1 closed by foreign host]
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#enable password Cisco1
Router(config)#enable secret Cisco2
Router(config)#end
Router#
As shown above, the enable password was set to Cisco1 and the enable secret was set to Cisco2.
Read Me
The enable password and enable secret are used for the same authentication, which is to gain access to privileged mode. However, if you have both an enable password and an enable secret set, the enable secret will override the enable password.
Once the enable passwords have been set, verify the configuration by executing a reverse telnet to 10.1.1.1, establishing a telnet session using the previously set VTY line password, and then escalating to privileged level access.
Router#telnet 10.1.1.1
Trying 10.1.1.1 ... Open
User Access Verification
Password:
Router>enable
Password:
Password:
Router#
If you typed in the enable password first you'll be rejected, as the router also has an enable secret of Cisco2 set.
Step 4. The last objective only applies to Cisco devices that have an Auxiliary (AUX) port. The AUX port is very similar to the console port but has modem control pins, so you can attach an external modem to the device, dial in via an external 56k modem and remotely manage the device over a POTS dial-up service. This is commonly used for out-of-band management of single devices; however, when there are multiple devices per site and out-of-band management is required, it's common to set up an access server with a modem to allow console management of multiple devices through a single dial-in device.
To set the AUX line password you'll execute the same commands as you previously did in the console line password configuration, as shown below:
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#line aux 0
Router(config-line)#password AuxPassword123
Router(config-line)#login
Router(config-line)#end
Router#
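As an added example that is not part of the lab or the Free CCNA Workbook, the following Python script audits a saved running-config against the four objectives above: console, VTY and AUX lines each carry a password enforced by login, and privileged mode is guarded by an enable secret. It assumes you have already exported the running-config to text; the config embedded below is constructed for the example and its type 5 hash is a labelled placeholder. It also flags a leftover enable password, because that value is stored in clear text (or reversible type 7 with service password-encryption) while enable secret is stored hashed and overrides it anyway.

```python
import re

# Constructed sample running-config (not from a real device): con 0, aux 0 and vty 0 4
# match the lab (password plus login); "line vty 5 15" deliberately lacks "login".
SAMPLE_CONFIG = """\
enable secret 5 $1$CONSTRUCTED$placeholder-not-a-real-hash
enable password Cisco1
line con 0
 password Cisco123
 login
line aux 0
 password AuxPassword123
 login
line vty 0 4
 password Cisco321
 login
line vty 5 15
 password Cisco321
"""

def parse_lines(config: str) -> dict:
    """Map each 'line ...' block to whether 'password' and 'login' appear in it."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw.strip()
            blocks[current] = {"password": False, "login": False}
        elif raw.startswith(" ") and current is not None:
            cmd = raw.strip()
            if cmd.startswith("password "):
                blocks[current]["password"] = True
            elif cmd == "login" or cmd.startswith("login "):
                blocks[current]["login"] = True
        else:
            current = None  # any top-level command ends the current line block
    return blocks

def audit(config: str) -> list:
    """Findings for the lab's objectives: lines need 'password' + 'login', privileged mode needs 'enable secret'."""
    findings = []
    for name, state in parse_lines(config).items():
        if not state["password"]:
            findings.append(f"{name}: no password configured")
        elif not state["login"]:
            findings.append(f"{name}: password set but not enforced (missing 'login')")
    if not re.search(r"^enable secret ", config, re.M):
        findings.append("enable secret not set")
    if re.search(r"^enable password ", config, re.M):
        findings.append("enable password present (clear text or reversible type 7); enable secret overrides it")
    return findings
```

Run audit(SAMPLE_CONFIG) to see the two findings the constructed config produces, or feed it the output of show running-config captured from your own lab device.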