This How To explains Passwords on Cisco platforms.
The question you might ask is: Doesn’t the router already have default passwords? The answer is NO, it doesn’t. There is no automatic password defense that comes with your router.
As a Cisco admin, you should take this very seriously. Setting passwords is both important and easy to do.
First, let’s discuss the different modes of the Cisco IOS. They are set up in a hierarchical manner, which means that the deeper the access, the more privilege you have and, hopefully, the more passwords you have set up for each level.
Before we can tell you how to secure your router with passwords, we need to first make sure you know the three modes of the Cisco IOS. They are:
- User: In User mode, basic interface information on the router is displayed. Well-known Cisco CCNA author, Todd Lammle, once called the user mode “useless mode” because no configuration changes can be made, nor can you view anything important at this level. It is also called user exec mode.
- Privileged: Sometimes called the privileged exec (or just priv mode), configuration views and changes are made at this level. In my opinion, this is the first point at which it is absolutely critical to have a password set (although you should have password access even at user mode). To move from user mode to priv mode, you just type enable while in user exec mode and press [Enter]:
Cell_Router> enable
Cell_Router#
- Global Configuration: From privileged exec mode, we can now access global configuration mode. This is where you make changes that affect the whole router. You will need to step a little deeper into the router’s commands to change its configuration. Here’s an example of how to access that mode:
Router# configure terminal
Router(config)#
Note: you can also just type conf t.
How to configure the five main passwords of the Cisco IOS
The five main passwords of the Cisco IOS are:
- Console
- Aux
- VTY
- Enable password
- Enable secret
Console
If you have no password set on the router’s console, by default, you can access user mode (and then on to the other modes if no passwords are set there either). The console port is where you would initially start to configure a new router. It is critical to set a password on the console port to prevent someone from physically walking up to the router, connecting, and gaining access to user mode (and, potentially, much more).
Because there is only one console port per router, you would use the command line console 0 in global configuration mode, and then use the login and password commands to finish up the configuration. The command, login, tells the router to look under the console line configuration for the password. The command, password, sets the actual password.
Here is what it looks like:
Cell_Router# config t
Cell_Router(config)# line console 0
Cell_Router(config-line)# password Secret!pass
Cell_Router(config-line)# login
Note: Complex passwords are important to keep someone from guessing your password.
Aux
This is short for auxiliary port. This is also a physical access port on the router. Not all routers have this port. As the aux port is a backup configuration port for the console, it is equally important to configure a password on it.
Cell_Router# config t
Cell_Router(config)# line aux 0
Cell_Router(config-line)# password Secret!pass
Cell_Router(config-line)# login
VTY
The “virtual tty” line is not a physical connection, but a virtual one. You would use this line to Telnet or SSH into the router (for SSH configuration, see my article “Configure SSH on Your Cisco Router”). Of course, you would need an active LAN or WAN interface set up on your router for Telnet to work. As different routers and switches can have a different number of vty ports, you should check how many you have before you configure them. To do this, just type line ? in privileged mode.
Here’s an example of configuring vty lines:
Cell_Router# config t
Cell_Router(config)# line vty 0 4
Cell_Router(config-line)# password Secret!pass
Cell_Router(config-line)# login
Enable password
The enable password prevents someone from getting full access to your router. The enable command is actually used to change between different security levels on the router (privilege levels 0 through 15). However, it is typically used to go from user mode (level 1) to privileged mode (level 15). In fact, if you are at user mode and you just type enable, it assumes you want to go to privileged mode.
To set a password to control access from user mode to privileged mode, go to the global configuration mode and use the enable password command, like this:
Cell_Router# config t
Cell_Router(config)# enable password Secret!pass
Cell_Router(config)# exit
The downside of the enable password is that anyone who can read the configuration can easily decrypt it, and that is why you should use enable secret instead.
Enable secret
The enable secret password has the same function as the enable password, but with enable secret, the password is stored in a much stronger form of encryption:
Cell_Router(config)# enable secret Secret!pass
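To check that all five passwords described above are actually in place, here is an added audit script (my own example, not part of the original article or Cisco's tooling). It parses the text of a saved show running-config, verifies that every con, aux and vty line has both password and login, that enable secret is set, and flags a lingering enable password as reversible. The running-config embedded in it is constructed for illustration.

```python
import re

# Constructed sample running-config (not from a real device): console and aux
# are protected, vty has a password but no "login", only "enable password" is set.
SAMPLE_CONFIG = """\
enable password Secret!pass
!
line con 0
 password Secret!pass
 login
line aux 0
 password Secret!pass
 login
line vty 0 4
 password Secret!pass
!
end
"""

def parse_line_blocks(config):
    """Map each 'line ...' header to the set of keywords configured under it."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw.strip()
            blocks[current] = set()
        elif raw.startswith(" ") and current is not None:
            blocks[current].add(raw.split()[0])  # keyword only: password, login, ...
        else:
            current = None                        # "!" or a top-level command ends the block
    return blocks

def audit(config):
    """Return findings for the five passwords; an empty list means all pass."""
    findings = []
    # Lines absent from the config (e.g. aux on a router without that port) are not checked.
    for name, keywords in parse_line_blocks(config).items():
        if name.startswith(("line con", "line aux", "line vty")):
            if "password" not in keywords:
                findings.append(f"{name}: no password set")
            if "login" not in keywords:
                findings.append(f"{name}: password never checked (missing 'login')")
    if not re.search(r"^enable secret ", config, re.M):
        findings.append("enable secret: not set")
    if re.search(r"^enable password ", config, re.M):
        findings.append("enable password: reversible; replace with enable secret")
    return findings

print(audit(SAMPLE_CONFIG))
```

Run it against a real device by pasting the output of show running-config into SAMPLE_CONFIG; the vty finding shows why login matters, since a password without login is never asked for.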