blog
    CCENT: Providing Basic Pa ...
    29 January 09

    CCENT: Providing Basic Password Security for a Cisco Router or Switch

    Posted byINE
    facebooktwitterlinkedin
    news-featured

    One of the many skills that you must demonstrate as a CCENT candidate is your ability to configure basic password security on a Cisco router or switch. This blog post walks you through the configurations you must have mastered in order to succeed in this area of the exam.

    While I will demonstrate the configurations required on a Cisco router, keep in mind that they are going to be identical on the model of switch you are presented with in the exam.

    First, let us enter user mode on the router, and then enter global configuration mode to set our first password.

    Press RETURN to get started!
    Router> enable
    Router# configure terminal
    Router(config)#

    The first password we will set is the enable password. This is for backwards compatibility if you ever need to copy this configuration to a system that does not support password encryption. Since our router does support password encryption, note that you will never actually use this password on the device. Again, it is there for sheer backwards compatibility.

    Router(config)# enable password S0ftBa11

    Now that we have taken care of that, it is time to set the encrypted version of the enable password. It is the job of this password to protect Privileged mode on the device. Remember, Privileged mode allows us to make configuration changes to the device.

    Router(config)# enable secret SanFr@n

    What about protecting User mode, the mode that you enter from the console port before you enter Privileged mode? You can do this by setting a password on the Console Line. When setting a password on any of the lines on the router, you need to also use the login command. This command instructs the router or switch to check the locally configured password upon login.

    Router(config)# line con 0
    Router(config-line)# password V011eyBa11
    Router(config-line)# login

    Here is an example of setting the password for the default Telnet lines available on the Cisco device:

    Router(config-line)# line vty 0 4
    Router(config-line)# password T3nn1sBa11
    Router(config-line)# login

    Great. So pretty darn easy. Except there is one slight problem. The enable secret password does have a weak encryption used so that it is not readable to the naked eye when viewing the configuration, but all the other passwords above will not feature any encryption at all by default. Here is proof:

    Router#show running-config
    Building configuration...
    Current configuration : 772 bytes
    !
    enable secret 5 $1$3cho$p9t1k6BeP8iGFYtoY1kNS.
    !
    line con 0
    password V011eyBa11
    login
    !

    This is solved through the use of the handy service password-encryption command. This command places a weak encryption on the clear-text passwords in your configurations follows:

    Router(config)#service password-encryption
    Router(config)#end
    Router#show running-config
    Building configuration...
    Current configuration : 772 bytes
    !
    enable secret 5 $1$3cho$p9t1k6BeP8iGFYtoY1kNS.
    !
    line con 0
    password 7 113F49544641122E057B7A
    login
    !

    Which is stronger security? The MD5 hashing of the password done with the enable secret password, or the Cisco invention of password-encryption hashing? Well, you can see with your own eyes that it is the MD5 enable secret. Notice that it produces a longer string of characters, and even uses special characters in the hash.

    You should also be aware of the fact that if you turn off this feature with the command no service password-encryption, you will not hash future passwords, but you will also not undo the hashing you have already done.

    As always, thanks for reading, and enjoy your studies. If you have questions regarding this post, do not forget about our incredible forums at http://ieoc.com.

    Hey! Don’t miss anything - subscribe to our newsletter!

    © 2022 INE. All Rights Reserved. All logos, trademarks and registered trademarks are the property of their respective owners.
    instagram Logofacebook Logotwitter Logolinkedin Logoyoutube Logo