CCNA Cisco Certification Training Case Study: How Multiple Passwords Affect Router Access


by Chris Bryant - Date: 2006-11-21 - Word Count: 555 Share This!

Your CCNA certification exam efforts must include practicing with different password types and knowing how to configure them on a Cisco router - but for CCNA exam success and to thrive in real-world networks, you also have to know how to examine a Cisco router configuration and determine the level of network security that is already present. After all, most routers you work with already have passwords set, and it's up to you to determine if those passwords are getting the job done.


Let's start with a telnet password. Telnet passwords are configured on the VTY lines, and no telnet access is enabled on a Cisco router by default. If you saw the following configuration, what would it mean?


line vty 0 4

privilege level 15

password baseball

login


That small Cisco router configuration means three things - first, Telnet access is enabled. Second, the password is baseball. Third, the "privilege level 15" command means that any user who attempts to Telnet to the router and knows the password will automatically be placed into privileged exec mode. (If that command were not present, the user would be placed into user exec and then prompted for the enable password before being allowed into privileged exec.)


You may not want to give that level of access to all incoming Telnet connections. If you walked into a client's router room and saw this configuration on a router, what would it mean to you?


username halas password 0 bears

username ewbank password 0 jets

username ed privilege 15 password 0 mcdaniel


line vty 0 4

login local


This configuration means three things as well. Each user attempting to telnet in will be prompted for both a username and password. Each individual user must enter the password that's been assigned to them. For example, the user "halas"would have to enter the password "bears" to successfully Telnet into this router. The command "login local" under the VTY lines means that this local database of usernames and passwords will be used for authentication.


Again, by default, users who are Telnetting in will be placed into user exec mode by default. Only users with "privilege 15" in the middle of their username / password definition will be placed into privileged exec immediately upon login.


Notice that zero in each of the username / password statements? I didn't enter that when I configured these statements. This number indicates the level of encryption the password is currently under; a zero is the lowest level of encryption, indicating that the passwords aren't encrypted at all. There's a single line near the top of a Cisco router configuration that tells you why.. which of these three is it?


service timestamps debug uptime

service timestamps log uptime

no service password-encryption


Simple enough! The password encryption service is off by default. To turn it on. just run the command service password-encryption. Let's do so here and then take a look at the configuration.


R1(config)#service password-encryption


username halas password 7 1415170A1E17

username ewbank password 7 070524585D

username ed privilege 15 password 7 082C4F4A08170C121E


Now that's what I call encryption! Note that the zero has changed to a "7" - that's the highest level of encryption on a Cisco router, and as you can see, it's very effective.


Knowing how to read a Cisco router configuration is a valuable skill for both the CCNA certification exam and working with production networks. Keep practicing, keep studying, and you'll have the coveted letters "CCNA" behind your name soon!

Related Tags: certification, training, ccna, cisco, ccnp, access, router, telnet, vty, enable, passwords, username

Chris Bryant, CCIE #12933, is the owner of The Bryant Advantage, home of over 100 free certification exam tutorials, including Cisco CCNA certification test prep articles. His exclusive Cisco CCNA study guide and Cisco CCNA training is also available!Visit his blog and sign up for Cisco Certification Central, a daily newsletter packed with CCNA, Network+, Security+, A+, and CCNP certification exam practice questions! A free 7-part course, "How To Pass The CCNA", is also available, and you can attend an in-person or online CCNA boot camp with The Bryant Advantage! Your Article Search Directory : Find in Articles

© The article above is copyrighted by it's author. You're allowed to distribute this work according to the Creative Commons Attribution-NoDerivs license.
 

Recent articles in this category:



Most viewed articles in this category: