Console Access
Every network device has a console interface, a serial port (usually RJ-45) on the device itself. You connect a computer running a terminal emulation program such as Tera Term or HyperTerminal to it with a rollover cable, and the command prompt appears in the terminal emulator. Console access does not go over the network, so it is the path of last resort when remote access is lost, and it should be protected with a password like any other line.
Configuring a password on the console line (the line ? command lists the line types that can be configured):
Router(config)#line ?
First Line number
aux Auxiliary line
console Primary terminal line
vty Virtual terminal
Router(config)#line console 0
Router(config-line)#login
% Login disabled on line 0, until 'password' is set
Router(config-line)#password cisco
Router(config-line)#exit
Auxiliary Access
The auxiliary port provides out-of-band access, and all routers come with this interface. An external modem is attached to it so you can dial into the router over a PSTN line, which means the AUX line also needs a password and a login requirement even if no modem is currently connected.
Virtual Line Interfaces
By default, Cisco routers come with 5 VTY lines, numbered 0 through 4. These are the virtual terminal lines used for remote sessions such as Telnet and SSH.
The VTY lines are configured as a group, as below:
Router(config)#line vty 0 4
Router(config-line)#login
% Login disabled on line 6, until 'password' is set
Router(config-line)#password cisco
Enable Password
The enable password protects access to privileged EXEC (enable) mode. It is stored in the configuration in clear text.
Configuring the enable password:
Router(config)#enable password cisco
Secret Password
If an enable secret is configured, it takes precedence and the enable password is ignored.
The following command sets an enable secret, which is stored as an MD5 hash (shown as type 5 in the configuration) rather than in clear text:
Router(config)#enable secret Cisco123
Service Password Encryption
To prevent accidental disclosure of the router's passwords (for example when the configuration is displayed or shared), service password-encryption is configured, which obfuscates all clear-text passwords in the configuration (line passwords, the enable password, and so on) as type 7 strings. Note that type 7 encoding is reversible and only guards against shoulder surfing, so it is not a substitute for an enable secret.
Router(config)#service password-encryption
Timeouts for Router Lines
To log out an inactive user on a console, auxiliary, or VTY line, configure a timeout on that line. The exec-timeout minutes seconds command terminates a connection that has been idle for the given time; the example below uses 5 minutes and 20 seconds on the console.
Router(config)#line console 0
Router(config-line)#exec-timeout 5 20
Configuring Minimum Password Length
This configurable feature enforces a minimum length for passwords configured on the router after the command is entered; the example below requires at least 18 characters.
Router(config)#security passwords min-length 18
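As an added example (not from the original page), the following Python audit parses a constructed IOS running-config and flags the gaps this page covers: a missing enable secret, service password-encryption or minimum password length, a line with login but no password, and an exec-timeout that is missing or disabled. The config text, line names and secret strings are constructed placeholders.

```python
# Constructed sample running-config (placeholders stand in for hashes and type-7 strings).
SAMPLE_CONFIG = """\
service password-encryption
security passwords min-length 18
enable secret 5 $1$PLACEHOLDER$PLACEHOLDERPLACEHOLDER
line con 0
 password 7 PLACEHOLDER
 login
 exec-timeout 5 20
line aux 0
 password 7 PLACEHOLDER
 login
line vty 0 4
 login
 exec-timeout 0 0
"""

def parse_line_blocks(config):
    """Map each 'line ...' section to its indented sub-commands."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw[5:].strip()
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = None  # any other global command ends the block
    return blocks

def audit(config):
    """Return findings for the hardening points covered on this page."""
    cfg = config.splitlines()
    findings = []
    if not any(c.startswith("enable secret ") for c in cfg):
        findings.append("global: no enable secret configured")
    if "service password-encryption" not in cfg:
        findings.append("global: service password-encryption not enabled")
    if not any(c.startswith("security passwords min-length ") for c in cfg):
        findings.append("global: no minimum password length enforced")
    for name, cmds in parse_line_blocks(config).items():
        if "login" in cmds and not any(c.startswith("password ") for c in cmds):
            findings.append(f"line {name}: login set but no password, logins stay disabled")
        timeout = next((c for c in cmds if c.startswith("exec-timeout ")), None)
        if timeout is None:
            findings.append(f"line {name}: exec-timeout not set (IOS default 10 min applies)")
        elif timeout.split()[1:] == ["0", "0"]:
            findings.append(f"line {name}: exec-timeout 0 0 disables the idle timeout")
    return findings
```

Running audit(SAMPLE_CONFIG) reports the AUX line with no explicit timeout and the VTY lines with a login but no password and a disabled timeout; the console line passes every check.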
Secure Administrative Access to Cisco Routers by Configuring Multiple Privilege Levels
By default, the Cisco IOS software command-line interface (CLI) has two levels of access to commands: user EXEC mode (level 1) and privileged EXEC mode (level 15). However, you can configure additional levels of access to commands, called privilege levels, to meet the needs of your users while protecting the system from unauthorized access. Up to 16 privilege levels can be configured, from level 0, which is the most restricted level, to level 15, which is the least restricted level.
Access to each privilege level is enabled through separate passwords, which you specify when configuring the privilege level.
For example, if you want a certain set of users to be able to configure only certain interfaces, without giving them access to other configuration options, you could create a separate privilege level containing only the specific interface configuration commands and distribute the password for that level to those users.
Setting the Privilege Level for a Command
To create a new privilege level and associate commands with it, use the following commands, beginning in global configuration mode:
Step | Command | Purpose
Step 1 | Router(config)# privilege mode level level command-string | Configures the specified privilege level to allow access to the specified command (mode is the command mode the command belongs to, such as exec, configure, or interface).
Step 2 | Router(config)# enable secret level level {0 | 5} password-string | Sets the password for the specified privilege level. This is the password users enter after the enable level command to access that level. 0 indicates an unencrypted password string follows; 5 indicates an encrypted password string follows.
Step 3 | Router(config)# exit | Exits global configuration mode and returns to EXEC mode.
Step 4 | Router# copy running-config startup-config | (Optional) Saves the configuration to the startup configuration file in NVRAM. Note: the do keyword allows EXEC commands to be run from configuration mode, so Router(config)# do copy running-config startup-config saves the configuration without leaving configuration mode first.
Changing the Default Privilege Level for Lines
To change the default privilege level for a given line or a group of lines, use the following command in line configuration mode:
Command | Purpose
Router(config-line)# privilege level level | Specifies a default privilege level for a line.
Displaying Current Privilege Levels
To display the current privilege level you can access based on the password you used, use the following command in EXEC mode:
Command | Purpose
Router# show privilege | Displays your current privilege level.
Logging In to a Privilege Level
To log into a router at a specified privilege level, use the following command in EXEC mode:
Command | Purpose
Router# enable level | Logs in to a specified privilege level.
To exit to a specified privilege level, use the following command in EXEC mode:
Command | Purpose
Router# disable level | Exits to a specified privilege level.