Set password for Router, Cisco Switch – Configure password on Cisco devices

TigerDao

Administrator
Staff member
Setting up a Local Account and Password on a Cisco Router

There are two main authentication methods on Cisco routers (and other network devices in general): using an external authentication service (such as an AAA server, RADIUS, TACACS, etc.) or keeping the username and password locally on the device itself.

In this article, we will discuss how to set up a local username and password on a Cisco Router for authentication when connecting to the device for management purposes. The same principles also apply to other Cisco devices such as switches (Cisco Switch), firewalls (Cisco Firewall), etc.


By default, when you access a Cisco router for management purposes (using Console, Telnet or SSH) no username/password authentication is required.

You just need to provide the “privileged EXEC” password (i.e. the “enable” password) to gain access to the router’s full configuration mode (different levels and types of passwords will be discussed below).

The use of an additional level of authentication (i.e., requiring the user to provide username/password credentials in addition to the “enable” password) will make the router more resistant to unauthorized access.

Furthermore, configuring a local username on the device gives you the flexibility to assign different management privilege levels to different users (although using an external AAA server for authentication and authorization is better than using local accounts).

For example: you can configure a username on a Cisco router with full privileges (privilege level 15): configure anything on the router. Or you can configure a username with unprivileged access (privilege level 1): can only see some things on the router and nothing else.

There are two steps involved to configure a local username. The first is to create a username/password and assign them a privilege level (from 1 to 15, with 15 being the highest privilege level).

If you do not specify a privilege level, the account will receive the full privilege level 15 by default. The second step is to configure your VTY lines (0 to 4) to require local login (i.e. only users configured with a valid password can access the router).

Configure local accounts

Router# config t
Router(config)# username admin-TGM privilege 15 secret $thegioimang$
Router(config)# username monitoring-TGM privilege 1 secret $thegioimang.vn
! After creating the local accounts above, apply “local” authentication to the lines
Router(config)# line vty 0 4
Router(config-line)# login local
Router(config-line)# exit
Router(config)# line console 0
Router(config-line)# login local
Router(config-line)# exit
Router(config)# line aux 0
Router(config-line)# login local
Router(config-line)# exit
Router(config)# end
! Save the running configuration from privileged EXEC mode
Router# wr

Just a security tip here: for the username, choose something that is hard to guess and that won’t be found in dictionary attacks. For example, words like “admin”, “administrator”, “cisco”, etc. are not good usernames. A simple attack from a hacker will easily find them.

Furthermore, if you have multiple admin users connecting to your router, it is better to configure a different personalized username for each admin. This will help ensure tracking and auditing of what each user did on the device and when the user connected to the device.

Types of router passwords:

Passwords are the first line of defense to protect your Cisco Router.
There are five types of passwords that can be configured on Cisco Routers:

  • Privileged EXEC password
      o Enable password (unencrypted)
      o Enable secret password (encrypted password)
  • Console line password
  • VTY lines password
  • Auxiliary line password (AUX)

Configure Privileged Password:

Above, we configured local accounts and also applied “local” authentication to all lines (VTY, console, aux). Now, we will configure the “privileged EXEC” password used to access “full configuration mode” on the Cisco router.

! Configure an unencrypted password (avoid this type)
Router(config)# enable password somepassword

! Configure an encrypted password (recommended)
Router(config)# enable secret strongpassword

Note:

To provide an additional layer of security, it is important to use the enable secret command in global configuration mode, as shown above.

The enable secret command provides better security by storing the configured enable secret password using an irreversible cryptographic hash function, whereas the enable password command saves the configured password in clear text or in an easily reversible encrypted format.

Storing passwords as cryptographic hashes helps minimize the risk of password leaks if the router configuration file is transmitted over the network, such as to and from a TFTP server.

It’s also useful if an unauthorized user gets a copy of your configuration files. Note: if neither the enable password command nor the enable secret command is configured, and there is a line password configured for the console port, the console line password will act as the enable password for all VTY lines, including Telnet, rlogin, and SSH connections.

The enable secret command is widely available in Cisco IOS.

Password encryption:

By default, only the enable secret password is encrypted. To encrypt other types of passwords, you need to enable the “password encryption” service on the entire router as follows:

Router# configure terminal
Router(config)# service password-encryption

Note:

To encrypt the local router passwords, use the service password-encryption command in global configuration mode, as shown above.

This command applies to line passwords, username passwords, enable passwords, and authentication key passwords, including routing authentication passwords and key chains.

By default, IOS does not encrypt passwords. Encrypting the passwords in this way helps minimize the risk of a password being intercepted if the Cisco router’s configuration file is transmitted over a network, such as to and/or from a TFTP server.

It is also useful if an unauthorized user obtains a copy of the Cisco Router’s configuration file.

Thank you for following the article! Good luck.
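To check a saved configuration against the settings covered above, here is an added example (not part of the original article) that audits an IOS-style config for the password issues discussed. The sample config, rule names and the audit_config function are constructed for illustration, and the line check assumes AAA (aaa new-model) is not in use.

```python
import re

GUESSABLE = {"admin", "administrator", "cisco"}  # usernames the article warns against

# Constructed sample running-config (not from a real device).
SAMPLE = """\
no service password-encryption
enable password somepassword
username admin privilege 15 password 0 changeme
username monitoring-TGM privilege 1 secret 5 $1$CONSTRUCTED$PLACEHOLDER
line con 0
 login local
line aux 0
line vty 0 4
 password letmein
 login
"""

def audit_config(text):
    """Return (rule, detail) findings for the password settings in an IOS config."""
    findings = []
    lines = text.splitlines()
    top = [l.strip() for l in lines if l and not l[0].isspace()]  # global commands
    if "service password-encryption" not in top:
        findings.append(("no-password-encryption", "line/username passwords stay in clear text"))
    if any(l.startswith("enable password") for l in top):
        findings.append(("enable-password", "use 'enable secret' instead"))
    if not any(l.startswith("enable secret") for l in top):
        findings.append(("no-enable-secret", "privileged EXEC has no hashed password"))
    for l in top:
        m = re.match(r"username (\S+)(.*)", l)
        if m and re.search(r"\bpassword\b", m.group(2)):
            findings.append(("username-password", m.group(1)))  # not hashed like 'secret'
        if m and m.group(1).lower() in GUESSABLE:
            findings.append(("guessable-username", m.group(1)))
    # Group the indented sub-commands under each "line ..." block.
    blocks, current = {}, None
    for l in lines:
        if l.startswith("line "):
            current = l.strip()
            blocks[current] = []
        elif l[:1].isspace() and current:
            blocks[current].append(l.strip())
        else:
            current = None
    for name, cmds in blocks.items():
        if "login local" not in cmds:  # assumes AAA (aaa new-model) is not in use
            findings.append(("line-not-local", name))
    return findings

if __name__ == "__main__":
    for rule, detail in audit_config(SAMPLE):
        print(f"{rule}: {detail}")
```

A configuration built exactly as in the article (enable secret, username ... secret, login local on console, aux and VTY, service password-encryption) produces no findings.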
