{"id":54611,"date":"2022-06-25T03:39:24","date_gmt":"2022-06-25T03:39:24","guid":{"rendered":"https:\/\/ded9.com\/?p=54611"},"modified":"2025-11-29T09:42:06","modified_gmt":"2025-11-29T09:42:06","slug":"key-points-about-cisco-equipment-how-to-set-passwords-on-cisco-devices","status":"publish","type":"post","link":"https:\/\/ded9.com\/de\/key-points-about-cisco-equipment-how-to-set-passwords-on-cisco-devices\/","title":{"rendered":"How to Set Passwords on Cisco Devices \u2014 Key Points &#038; Best Practices"},"content":{"rendered":"<p><span style=\"font-size: 12pt;\">One of the most important things to consider as a network expert is controlling and monitoring who has access to network equipment settings.\u00a0<\/span><\/p>\n<p>Cisco Devices: You need to know how to use <a href=\"https:\/\/en.wikipedia.org\/wiki\/Secure_Shell\" target=\"_blank\" rel=\"noopener\">Secure Shell (SSH)<\/a> with Cisco equipment and how to use access control lists to allow or block incoming or outgoing network traffic.<\/p>\n<h2>Configure equipment passwords<\/h2>\n<p>One of the first steps in securing your network equipment is properly configuring passwords on essential devices such as routers and switches. Two types of passwords can be configured here. The first is the password that an administrator enters when switching from user EXEC mode to privileged EXEC mode with the enable command.<\/p>\n<p>The enable password is stored unencrypted in the configuration file, whereas the enable secret is stored in encrypted form. 
If you set both, you must use the enable secret password to access privileged EXEC mode, as it takes precedence over the enable password.<\/p>\n<p>Use the enable password command to configure the unencrypted password and the enable secret command to configure the encrypted password (Figure 1).<\/p>\n<p><img decoding=\"async\" class=\"aligncenter wp-image-54614\" src=\"https:\/\/ded9.com\/wp-content\/uploads\/2022\/06\/word-image-54611-1.jpeg\" alt=\"Use the enable password command to configure the unencrypted password and the enable secret command to configure the encrypted password (Figure 1).\" width=\"399\" height=\"70\" srcset=\"https:\/\/ded9.com\/wp-content\/uploads\/2022\/06\/word-image-54611-1.jpeg 399w, https:\/\/ded9.com\/wp-content\/uploads\/2022\/06\/word-image-54611-1-300x53.jpeg 300w\" sizes=\"(max-width: 399px) 100vw, 399px\" \/><\/p>\n<p style=\"text-align: center;\">Figure 1<\/p>\n<p>To see the applied configuration, run the show running-config command. You will see that the enable password is not encrypted, while the enable secret is stored encrypted in the configuration file (Figure 2).<\/p>\n<p>When working with\u00a0<strong>Cisco<\/strong>\u00a0equipment, remember that you can usually remove a configuration command by prefixing it with no. For example, to remove the enable secret, use the no enable secret command, and to remove the enable password, use the no enable password command.<\/p>\n<p><img decoding=\"async\" class=\"aligncenter wp-image-54616\" src=\"https:\/\/ded9.com\/wp-content\/uploads\/2022\/06\/word-image-54611-2.jpeg\" alt=\"When working with\u00a0Cisco\u00a0equipment, remember that you can usually remove a configuration command by prefixing it with no. 
For example, to remove the enable secret, use the no enable secret command, and to remove the enable password, use the no enable password command.\" width=\"456\" height=\"90\" srcset=\"https:\/\/ded9.com\/wp-content\/uploads\/2022\/06\/word-image-54611-2.jpeg 456w, https:\/\/ded9.com\/wp-content\/uploads\/2022\/06\/word-image-54611-2-300x59.jpeg 300w\" sizes=\"(max-width: 456px) 100vw, 456px\" \/><\/p>\n<p style=\"text-align: center;\">Figure 2<\/p>\n<h2>Console Port and Auxiliary Port Security<\/h2>\n<p>The next password is the console password, which must be entered whenever someone connects to the device&#8217;s console port. The network administrator must enter the console password before they can go on to enter privileged EXEC mode; if an enable secret is configured, that secret is what must be used to reach privileged EXEC mode. To configure the console password, use the syntax shown in Figure 3:<\/p>\n<p><img decoding=\"async\" class=\"aligncenter wp-image-54618\" src=\"https:\/\/ded9.com\/wp-content\/uploads\/2022\/06\/word-image-54611-3.jpeg\" alt=\"The next password is the console password, which must be entered whenever someone connects to the device's console port. The network administrator must enter the console password before they can go on to enter privileged EXEC mode; if an enable secret is configured, that secret is what must be used to reach privileged EXEC mode. To configure the console password, use the syntax shown in Figure 3:\" width=\"359\" height=\"71\" srcset=\"https:\/\/ded9.com\/wp-content\/uploads\/2022\/06\/word-image-54611-3.jpeg 359w, https:\/\/ded9.com\/wp-content\/uploads\/2022\/06\/word-image-54611-3-300x59.jpeg 300w\" sizes=\"(max-width: 359px) 100vw, 359px\" \/><\/p>\n<p style=\"text-align: center;\">Figure 3<\/p>\n<p>Setting the password by itself is not enough. 
With only the previous commands applied, if you connect to the console port of your device, you will notice that you are not asked for the password. After setting the password, you must use the login command to tell the <strong>Cisco<\/strong>\u00a0device that authentication is required on this line and that the password must be entered.\u00a0To do this, run the following command:<\/p>\n<h3><span style=\"font-size: 12pt;\">VAN-R1(config-line)#login<\/span><\/h3>\n<p>Some\u00a0<strong>Cisco<\/strong> routers\u00a0have an auxiliary port (AUX) next to the console port.\u00a0The auxiliary port serves as a backup line: a modem is connected to it so that you can access the router remotely and make management changes.<\/p>\n<p>Usually, you manage the router remotely over SSH using the router&#8217;s IP address. If something goes wrong and you cannot reach the router that way, you can still connect a modem to the router&#8217;s auxiliary port and dial in. The point to note here is that you must set a password on this port; if you do not, someone else may be able to connect through it.<\/p>\n<p>To configure the password on the auxiliary port, enter global configuration mode, then line AUX mode, and set the password with the commands shown in Figure 4. As before, you still have to use the login command; if you do not, the configured password has no effect, because the device will not perform any authentication on this port (Figure 4).<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-54620\" src=\"https:\/\/ded9.com\/wp-content\/uploads\/2022\/06\/word-image-54611-4.jpeg\" alt=\"To configure the password on the auxiliary port, enter global configuration mode, then line AUX mode, and set the password with the commands shown in Figure 4. 
As before, you still have to use the login command; if you do not, the configured password has no effect, because the device will not perform any authentication on this port (Figure 4).\" width=\"359\" height=\"89\" srcset=\"https:\/\/ded9.com\/wp-content\/uploads\/2022\/06\/word-image-54611-4.jpeg 359w, https:\/\/ded9.com\/wp-content\/uploads\/2022\/06\/word-image-54611-4-300x74.jpeg 300w\" sizes=\"(max-width: 359px) 100vw, 359px\" \/><\/p>\n<p style=\"text-align: center;\">Figure 4<\/p>\n<h2>Securing VTY ports<\/h2>\n<p>To manage the device remotely with Telnet or SSH, you must configure a password on the VTY (virtual terminal) lines. To do this, enter line VTY configuration mode and set the password. As before, use the login command so that the device prompts for the password whenever someone connects to these lines (Figure 5).<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-54622\" src=\"https:\/\/ded9.com\/wp-content\/uploads\/2022\/06\/word-image-54611-5.jpeg\" alt=\"To manage the device remotely with Telnet or SSH, you must configure a password on the VTY (virtual terminal) lines. To do this, enter line VTY configuration mode and set the password. As before, use the login command so that the device prompts for the password whenever someone connects to these lines (Figure 5).\" width=\"389\" height=\"89\" srcset=\"https:\/\/ded9.com\/wp-content\/uploads\/2022\/06\/word-image-54611-5.jpeg 389w, https:\/\/ded9.com\/wp-content\/uploads\/2022\/06\/word-image-54611-5-300x69.jpeg 300w\" sizes=\"(max-width: 389px) 100vw, 389px\" \/><\/p>\n<p style=\"text-align: center;\">Figure 5<\/p>\n<p>The critical thing to note is that you should use SSH instead of Telnet, because Telnet provides a plain communication channel that sends everything exchanged with the device in clear text. 
This applies to authentication traffic as well, so anyone who can capture the traffic can read this information, including the username and password you entered to access the device. SSH, in contrast, encrypts all exchanged data.<\/p>\n<h2>User configuration<\/h2>\n<p>When setting up security for console ports, auxiliary ports, or VTY ports, it is best to require a combination of username and password rather than a single shared password, which improves the device&#8217;s security. To do that, you need to know how to manage the list of users on the <strong>Cisco<\/strong>\u00a0device and assign access levels.<\/p>\n<h2>Create user accounts<\/h2>\n<p>Network professionals create a list of usernames and passwords that is stored locally on the <strong>Cisco<\/strong> device.\u00a0To do this, use the username command with the username and password parameters as shown in Figure 6:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-54624\" src=\"https:\/\/ded9.com\/wp-content\/uploads\/2022\/06\/word-image-54611-6.jpeg\" alt=\"Network professionals create a list of usernames and passwords that is stored locally on the Cisco device.\u00a0To do this, use the username command with the username and password parameters as shown in Figure 6:\" width=\"519\" height=\"70\" srcset=\"https:\/\/ded9.com\/wp-content\/uploads\/2022\/06\/word-image-54611-6.jpeg 519w, https:\/\/ded9.com\/wp-content\/uploads\/2022\/06\/word-image-54611-6-300x40.jpeg 300w\" sizes=\"(max-width: 519px) 100vw, 519px\" \/><\/p>\n<p style=\"text-align: center;\">Figure 6<\/p>\n<p>Next, you need to run the login local command on each line that will use this list for authentication. In the login local command, the keyword login means that authentication is mandatory, while local means that the local database of usernames and passwords is used for authentication. 
For example, the commands below configure the console port to require a username and password whenever someone accesses the device locally (Figure 7).<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-54626\" src=\"https:\/\/ded9.com\/wp-content\/uploads\/2022\/06\/word-image-54611-7.jpeg\" alt=\"Next, you need to run the login local command on each line that will use this list for authentication. In the login local command, the keyword login means that authentication is mandatory, while local means that the local database of usernames and passwords is used for authentication. For example, the commands below configure the console port to require a username and password whenever someone accesses the device locally (Figure 7).\" width=\"309\" height=\"33\" srcset=\"https:\/\/ded9.com\/wp-content\/uploads\/2022\/06\/word-image-54611-7.jpeg 309w, https:\/\/ded9.com\/wp-content\/uploads\/2022\/06\/word-image-54611-7-300x32.jpeg 300w\" sizes=\"(max-width: 309px) 100vw, 309px\" \/><\/p>\n<p style=\"text-align: center;\">Figure 7<\/p>\n<h2>Privilege Levels<\/h2>\n<p><strong>Cisco<\/strong>\u00a0equipment\u00a0supports multiple privilege levels.\u00a0To be precise, there are 16 privilege levels on\u00a0<strong>Cisco<\/strong> devices, numbered 0 to 15; 0 is the lowest and 15 the highest. In user EXEC mode you have privilege level 1, which is why you cannot make changes to the device. When you enter privileged EXEC mode, your privilege level is raised to 15, which means full administrative access. You must switch to privileged EXEC mode to make changes to <strong>Cisco devices.<\/strong><\/p>\n<p>A useful feature of privilege levels is that you can assign a privilege level to a user and then assign that same level to a command, so that the user is allowed to execute the command. To assign a privilege level to a user, use the privilege parameter of the username command. 
The syntax is as follows:<\/p>\n<h3>VAN-R1(config)#username adminguy privilege 3 password adminpass<\/h3>\n<p>If you want a user to be able to execute a particular command, you must set the privilege level of that command to match. To do this, use the following syntax:<\/p>\n<p>VAN-R1(config)#privilege exec level 3 show running-config<\/p>\n<p>In this example, I assigned the show running-config command to level 3, so level 3 is the minimum privilege level a user needs to execute that command. If you are not sure what privilege level you currently have, run the show privilege command (Figure 8).<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-54628\" src=\"https:\/\/ded9.com\/wp-content\/uploads\/2022\/06\/word-image-54611-8.jpeg\" alt=\"In this example, I assigned the show running-config command to level 3, so level 3 is the minimum privilege level a user needs to execute that command. If you are not sure what privilege level you currently have, run the show privilege command (Figure 8).\" width=\"289\" height=\"90\" \/><\/p>\n<p style=\"text-align: center;\">Figure 8<\/p>\n<p>In this case, the user has privilege level 1 in user EXEC mode and privilege level 15 in privileged EXEC mode.<\/p>\n<h2>Encrypt passwords<\/h2>\n<p>Now that we know how to configure passwords on Cisco equipment, it&#8217;s time to look at how they are stored in the\u00a0startup-config and how to encrypt them. To view the configuration file&#8217;s contents, run the show startup-config command. You will see output similar to Figure 9.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-54630\" src=\"https:\/\/ded9.com\/wp-content\/uploads\/2022\/06\/word-image-54611-9.jpeg\" alt=\"Now that we know how to configure passwords on Cisco equipment, it's time to look at how they are stored in the\u00a0startup-config and how to encrypt them. 
To view the configuration file's contents, run the show startup-config command. You will see output similar to Figure 9.\" width=\"499\" height=\"369\" srcset=\"https:\/\/ded9.com\/wp-content\/uploads\/2022\/06\/word-image-54611-9.jpeg 499w, https:\/\/ded9.com\/wp-content\/uploads\/2022\/06\/word-image-54611-9-300x222.jpeg 300w\" sizes=\"(max-width: 499px) 100vw, 499px\" \/><\/p>\n<p style=\"text-align: center;\">Figure 9<\/p>\n<p>In the configuration file, you will see that all passwords except the enable secret are stored in plain text. Anyone who can physically access the router can view the configuration file and read those passwords. A single command is enough to encrypt all passwords in <strong>Cisco<\/strong>\u00a0configuration files (Figure 10).<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-54632\" src=\"https:\/\/ded9.com\/wp-content\/uploads\/2022\/06\/word-image-54611-10.jpeg\" alt=\"In the configuration file, you will see that all passwords except the enable secret are stored in plain text. Anyone who can physically access the router can view the configuration file and read those passwords. A single command is enough to encrypt all passwords in Cisco\u00a0configuration files (Figure 10).\" width=\"420\" height=\"52\" srcset=\"https:\/\/ded9.com\/wp-content\/uploads\/2022\/06\/word-image-54611-10.jpeg 420w, https:\/\/ded9.com\/wp-content\/uploads\/2022\/06\/word-image-54611-10-300x37.jpeg 300w\" sizes=\"(max-width: 420px) 100vw, 420px\" \/><\/p>\n<p style=\"text-align: center;\">Figure 10<\/p>\n<p>Once the command is executed, the plain-text passwords in the configuration file are encrypted, so someone who accesses the router will no longer be able to read them.<\/p>\n<h2>SSH configuration<\/h2>\n<p>Another essential security feature to set up on <strong>Cisco<\/strong> devices is configuring the device to use SSH instead of Telnet. 
SSH uses TCP port 22 and encrypts all information exchanged over the communication channel, including the usernames and passwords that administrators and users send to <strong>Cisco<\/strong> equipment. Telnet uses TCP port 23 and does not encrypt communications. SSH configuration is done in three steps:<\/p>\n<ol>\n<li>Configure a hostname on the router if one is not already set.<\/li>\n<li>Create a username and password that administrators will use to authenticate when connecting to the device via SSH.<\/li>\n<li>Configure a domain name on the device, as it is used when generating the encryption key.<\/li>\n<\/ol>\n<p>The commands you need to run to configure SSH are shown in Figure 11.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-54634\" src=\"https:\/\/ded9.com\/wp-content\/uploads\/2022\/06\/word-image-54611-11.jpeg\" alt=\"The commands you need to run to configure SSH are shown in Figure 11.\" width=\"519\" height=\"89\" srcset=\"https:\/\/ded9.com\/wp-content\/uploads\/2022\/06\/word-image-54611-11.jpeg 519w, https:\/\/ded9.com\/wp-content\/uploads\/2022\/06\/word-image-54611-11-300x51.jpeg 300w\" sizes=\"(max-width: 519px) 100vw, 519px\" \/><\/p>\n<p style=\"text-align: center;\">Figure 11<\/p>\n<p>Note that the <strong>Cisco<\/strong> device on which you configure SSH must run an IOS version that supports encryption. After completing the steps above, run the crypto key generate rsa command to create the encryption key (Figure 12).<\/p>\n<p>Note that the key name is derived from the hostname and domain name you configured. In Figure 12, when prompted for the number of bits for the key, accept the default value of 512. 
512-bit encryption is very secure, and hackers cannot easily break it.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-54636\" src=\"https:\/\/ded9.com\/wp-content\/uploads\/2022\/06\/word-image-54611-12.jpeg\" alt=\"Note that the key name is derived from the hostname and domain name you configured. In Figure 12, when prompted for the number of bits for the key, accept the default value of 512. 512-bit encryption is very secure, and hackers cannot easily break it.\" width=\"624\" height=\"127\" srcset=\"https:\/\/ded9.com\/wp-content\/uploads\/2022\/06\/word-image-54611-12.jpeg 624w, https:\/\/ded9.com\/wp-content\/uploads\/2022\/06\/word-image-54611-12-300x61.jpeg 300w\" sizes=\"(max-width: 624px) 100vw, 624px\" \/><\/p>\n<p style=\"text-align: center;\">Figure 12<\/p>\n<p style=\"text-align: center;\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-54638\" src=\"https:\/\/ded9.com\/wp-content\/uploads\/2022\/06\/word-image-54611-13.jpeg\" alt=\"Now that you have the encryption key ready, you can configure the VTY lines to accept connections only via SSH. In the example shown in Figure 13, note that we configure authentication using local usernames on the device, then run the transport input ssh command so that the device accepts only the SSH protocol on the configured lines.\" width=\"390\" height=\"52\" srcset=\"https:\/\/ded9.com\/wp-content\/uploads\/2022\/06\/word-image-54611-13.jpeg 390w, https:\/\/ded9.com\/wp-content\/uploads\/2022\/06\/word-image-54611-13-300x40.jpeg 300w\" sizes=\"(max-width: 390px) 100vw, 390px\" \/><\/p>\n<p style=\"text-align: center;\">Figure 13<\/p>\n<p>Now that you have the encryption key ready, you can configure the VTY lines to accept connections only via SSH. 
In the example shown in Figure 13, note that we configure authentication using local usernames on the device, then run the transport input ssh command so that the device accepts only the <a href=\"https:\/\/ded9.com\/how-to-use-port-knocking-to-secure-ssh-service-debian-ubuntu\/\">SSH<\/a> protocol on the configured lines.<\/p>\n<p>At this point, the\u00a0<strong>Cisco<\/strong> device will no longer accept Telnet connections for remote management.\u00a0To improve security further, use access control lists to restrict which IP addresses can reach the device over SSH.<\/p>\n<h2>FAQ<\/h2>\n<div id=\"rank-math-rich-snippet-wrapper\"><div id=\"rank-math-faq\" class=\"rank-math-block\">\n<div class=\"rank-math-list \">\n<div id=\"faq-1\" class=\"rank-math-list-item\">\n<h3 class=\"rank-math-question \">How do I secure privileged access on a Cisco device?<\/h3>\n<div class=\"rank-math-answer \">\n\n<p>Use the \u201cenable secret \u201d command \u2014 it stores the password encrypted and protects privileged EXEC mode.<\/p>\n\n<\/div>\n<\/div>\n<div id=\"faq-2\" class=\"rank-math-list-item\">\n<h3 class=\"rank-math-question \">How do I secure console or remote login to a Cisco switch or router?<\/h3>\n<div class=\"rank-math-answer \">\n\n<p>Under global config, use \u201cline console 0\u201d or \u201cline vty 0 15\u201d, then set \u201cpassword \u201d and \u201clogin\u201d to require login for console or remote access.<\/p>\n\n<\/div>\n<\/div>\n<div id=\"faq-3\" class=\"rank-math-list-item\">\n<h3 class=\"rank-math-question \">Why is password encryption important on Cisco devices?<\/h3>\n<div class=\"rank-math-answer \">\n\n<p>Because plain\u2011text passwords in config files can be exposed if the config is accessed; encrypted\/hashed passwords reduce risk of unauthorized access.<\/p>\n\n<\/div>\n<\/div>\n<\/div>\n<\/div><\/div>\n","protected":false},"excerpt":{"rendered":"<p>One Of The Most Important Things To Consider As A 
Network Expert Is The Issue Of Controlling And Monitoring People Who Have Access To Network Equipment Settings.\u00a0 Cisco Devices: You need to know how to use Secure Shell SSH in conjunction with Cisco equipment and how to use access control lists to allow or block [&hellip;]<\/p>\n","protected":false},"author":6,"featured_media":54612,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[96],"tags":[1245],"class_list":["post-54611","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-network","tag-ssh"],"acf":[],"amp_enabled":true,"_links":{"self":[{"href":"https:\/\/ded9.com\/de\/wp-json\/wp\/v2\/posts\/54611","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ded9.com\/de\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ded9.com\/de\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ded9.com\/de\/wp-json\/wp\/v2\/users\/6"}],"replies":[{"embeddable":true,"href":"https:\/\/ded9.com\/de\/wp-json\/wp\/v2\/comments?post=54611"}],"version-history":[{"count":3,"href":"https:\/\/ded9.com\/de\/wp-json\/wp\/v2\/posts\/54611\/revisions"}],"predecessor-version":[{"id":265709,"href":"https:\/\/ded9.com\/de\/wp-json\/wp\/v2\/posts\/54611\/revisions\/265709"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/ded9.com\/de\/wp-json\/wp\/v2\/media\/54612"}],"wp:attachment":[{"href":"https:\/\/ded9.com\/de\/wp-json\/wp\/v2\/media?parent=54611"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ded9.com\/de\/wp-json\/wp\/v2\/categories?post=54611"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ded9.com\/de\/wp-json\/wp\/v2\/tags?post=54611"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}