In this lesson, we’ll take a look at how you can secure user mode and privileged (enable) mode. By default, there is no authentication required. If you connect a Cisco console cable to your switch or router, here’s what happens: Show
Once you press the enter button, we end up in user mode right away. There’s no password or anything. The same thing applies to the enable mode: We have full access right away. This is something you might want to change, which is what I’ll explain in this lesson. User Mode SecurityLet’s start with user mode. Simple PasswordThe most simple option to protect user mode is to add a password. Here’s how to do this: First, we need to enter the console settings. Here’s where we have to add two commands: We configure a password (cisco) and use the login command to tell Cisco IOS to prompt for this password. Next time you open the console, this will happen: The CLI will ask you for the password. At least we have some form of authentication but we can do better… Username and PasswordInstead of a single password, it’s also possible to use usernames and passwords instead. This is a better option if you have multiple people that need to access your router or switch. Here’s how to do this: Under the console settings, we use the login local command to tell the switch to refer to a local database of usernames and passwords for authentication. In the global config, we create a username “admin” with password “cisco”. Next time you open the console, here’s what you see: The switch asks for our username and password. Enable Mode SecurityWhat about enable mode / privileged mode? We can also add a password there. You need to do this from the configuration mode: Now we can set a password for enable mode: Let’s see if our password “cisco” works. Let’s get out of enable mode: And jump right back in: The switch now asks for the password. Password EncryptionIn the examples above, we used passwords but there is one problem…they all show up in clear text in our configuration. Take a look below: It’s all clear text. If someone steals one of your switches or routers, they will have your passwords. If you ever backup your configuration and forget to remove the passwords, same problem. Cisco IOS has a command that lets you encrypt all clear text passwords in your configuration. Here’s how: The service password-encryption command will encrypt every password that is plain text. Here you can see the result: Now you might get a warm fuzzy feeling that everything is encrypted but in reality, this is a very poor (broken) encryption algorithm. There are websites that let you decrypt these encrypted strings on the fly. If you want to try this, here’s one of those websites. We need something stronger… SecretCisco IOS supports something called a secret as an alternative to the password. Let’s try this for the enable mode: Above you can see this switch supports MD5, PBKDF2 and SCRYPT hashes. Older IOS devices only support MD5 authentication. Let’s give this a try: Our secret will be “cisco”. Let’s see what we find in the configuration: You now find an MD5 hash in the configuration. The “5” that you see behind “enable secret” is the algorithm that we use, 5 means MD5. MD5 is not considered secure nowadays. It’s very easy to brute force simple passwords. For example, try this website for the MD5 hash that was created for my secret “cisco”. It will only take a few seconds to recover. Let’s try one of the other algorithms that are considered secure nowadays. Here’s how you can select the algorithm for the enable mode: Let’s try the PBKDF2 (SHA256) hashing algorithm: When we look at our configuration, we’ll see the new hash: The “8” behind “enable secret” refers to the PBKDF2 hashing algorithm that we used. In the example above I changed the hashing algorithm for the enable mode but we can also do this for usernames. Here’s an example: My username now uses SHA256 as well for password “cisco”. Here’s what it looks like: Make sure you use strong passwords. No matter what hashing algorithm you use, weak passwords like “cisco” are easily recovered. External Authentication ServersConfiguring usernames and secrets on your Cisco IOS devices is a good practice but one issue we have is scalability. If you have a network with multiple devices, you will have to configure your usernames/secrets on all devices. If you change your password, you have to do it on all devices. In larger networks, we typically use authentication servers called RADIUS or TACACS+ servers. On these servers, we configure our usernames. When someone tries to access the console or enable mode on one of your switches or routers, they check the credentials on the authentication server. This allows you to keep your authentication centralized. This is something we will cover in other lessons. ConclusionYou have now learned how to protect the user and enable mode of your Cisco IOS devices. Make sure you use “secret” instead of plain text passwords and if possible, use a stronger hashing algorithm than the default MD5. Which command enables password authentication for user exec mode?Securing access to the EXEC mode on a Cisco switch is accomplished with the enable secret command followed by the password. In this example the command is Switch(config)# enable secret class.
What commands are required to install a password on a router console port?Put the command line console 0 to the router. Provide the password by using password command. For example, if you want to put password "cisco" then the command will be password cisco.
What is the enable password command in cisco?To set a local password to control access to various privilege levels, use the enable password command in global configuration mode. Use the no form of this command to remove the password requirement.
Why is the login command required after setting password?Login command is used in VTY for password that is specified to be checked at login. If you do not use login command you will not able to use the specified password for the vty to login.
|
