Cisco Router and Switch Password Protection

CCENT Router Passwords

One of the many skills that you must demonstrate as a CCENT candidate is your ability to configure basic password security on a Cisco router or switch. This blog post walks you through the configurations you must have mastered in order to succeed in this area of the exam and the real world.

While I will demonstrate the configurations required on a Cisco router, keep in mind that they are going to be identical on the model of switch you are presented with in the exam.

First, we enter user mode on the router, move to Privileged mode with the enable command, and then enter global configuration mode to set our first password.

Press RETURN to get started!
Router> enable
Router# configure terminal
Router(config)#

The first password we will set is the enable password. This is for backwards compatibility if you ever need to copy this configuration to a system that does not support password encryption. Note that this is highly unlikely to happen 🙂 Since our router does support password encryption, you will never actually use this password on the device. Again, it is there purely for backwards compatibility.

Router(config)# enable password S0ftBa11

Now that we have taken care of that, it is time to set the encrypted version of the enable password. It is the job of this password to protect Privileged mode on the device. Remember, Privileged mode allows us to make configuration changes to the device.

Router(config)# enable secret SanFr@n

What about protecting User mode, the mode that you enter from the console port before you enter Privileged mode? You can do this by setting a password on the Console Line. When setting a password on any of the lines on the router, you need to also use the login command. This command instructs the router or switch to check the locally configured password upon login.

Router(config)# line con 0
Router(config-line)# password V011eyBa11
Router(config-line)# login

Here is an example of setting the password for the default Telnet lines available on the Cisco device:

Router(config-line)# line vty 0 4
Router(config-line)# password T3nn1sBa11
Router(config-line)# login

Great. So pretty darn easy. Except there is one slight problem. The enable secret password is stored as an MD5 hash, so it is not readable to the naked eye when viewing the configuration, but all the other passwords above are stored in clear text by default. Here is proof:

Router#show running-config
Building configuration…
Current configuration : 772 bytes
!
enable secret 5 $1$3cho$p9t1k6BeP8iGFYtoY1kNS.
!
line con 0
password V011eyBa11
login
!

This is solved through the use of the handy service password-encryption command. This command places a weak encryption on the clear-text passwords in your configuration, as follows:

Router(config)#service password-encryption
Router(config)#end
Router#show running-config
Building configuration...
Current configuration : 772 bytes
!
enable secret 5 $1$3cho$p9t1k6BeP8iGFYtoY1kNS.
!
line con 0
password 7 113F49544641122E057B7A
login
!

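Which is stronger security? The MD5 hashing of the password done with the enable secret command, or the Cisco invention applied by service password-encryption? Well, you can see with your own eyes that it is the MD5 enable secret. Notice that it produces a longer string of characters, and even uses special characters in the hash. The underlying reason is that the enable secret is a one-way MD5 hash, while the type 7 string produced by service password-encryption is a reversible encoding that only keeps the password from being read at a glance.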

You should also be aware that if you turn off this feature with the command no service password-encryption, future passwords will not be encrypted, but the passwords that have already been encrypted will stay encrypted in the configuration.
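
The following Python script is an added example, not part of the original post: it reads running-config text and reports how each password is stored, so clear-text and type 7 entries stand out from the MD5 enable secret. The BEFORE and AFTER samples are constructed from the commands and output shown above, and the names audit and needs_attention are my own.

```python
import re

# An IOS credential line: command, optional type digit, then the stored value.
CRED = re.compile(r"^\s*(enable secret|enable password|password)\s+(?:(\d+)\s+)?(\S+)\s*$")
STORAGE = {None: "clear text", "0": "clear text", "5": "MD5 hash", "7": "type 7"}

# Constructed samples, assembled from the commands and output shown in this post.
BEFORE = """\
enable secret 5 $1$3cho$p9t1k6BeP8iGFYtoY1kNS.
enable password S0ftBa11
!
line con 0
password V011eyBa11
login
!
line vty 0 4
password T3nn1sBa11
login
"""
AFTER = """\
enable secret 5 $1$3cho$p9t1k6BeP8iGFYtoY1kNS.
!
line con 0
password 7 113F49544641122E057B7A
login
"""

def audit(config_text):
    """Return (section, command, storage) for each password in a running-config."""
    findings, section = [], "global"
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("line "):
            section = line              # e.g. "line con 0", "line vty 0 4"
        elif line == "!":
            section = "global"          # "!" separates sections in the output
        match = CRED.match(line)
        if match:
            command, type_digit, _value = match.groups()
            storage = STORAGE.get(type_digit, "type " + str(type_digit))
            findings.append((section, command, storage))
    return findings

def needs_attention(findings):
    """Clear-text and type 7 entries: anything weaker than the MD5 enable secret."""
    return [f for f in findings if f[2] != "MD5 hash"]

if __name__ == "__main__":
    for name, config in (("before", BEFORE), ("after", AFTER)):
        print(name, needs_attention(audit(config)))
```

Run against a saved copy of show running-config, the same audit function lists every line and the enable commands whose password is not protected by the MD5 hash.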
