Answers: CLI Passwords 2

certskills
By certskills November 7, 2015 12:05

 

Do you know how to configure local usernames, and enable their use for login security on a Cisco router? No more sharing the same login password among all the network engineers. If you want some quick practice, go back to the original lab post. Then come back here and check your answers.

 

Answers

Example: SW1 Config (the configuration figure is not reproduced in this text)


Commentary

Cisco switches allow different username and password pairs to be used for access to the console, and with Telnet or SSH, instead of a single all-users password.

The global command username name password password creates the username password pairs in one switch. To tell the switch to make use of these local username/password pairs, you must then configure the login local command in vty configuration mode (for Telnet/SSH) or console configuration mode (for console access).

Note that the answer shows the configuration of the VTY password (to support Telnet) with VTYs 0 through 4 as separate from the configuration of VTYs 5 through 15. This quirk of Cisco output has to do with the fact that older IOS versions support only VTYs 0 through 4. You could have used the commands literally shown in the answer example, or you could have used the command line vty 0 15, followed by those same password and login commands.

Finally, if you did happen to use the username name secret password command, that command also meets the requirements of the lab as stated.
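As an added illustration of the commands the commentary describes (this is not the lab's answer figure, which is not reproduced here), the following configuration puts the local username database to use for both console and VTY access. The usernames and passwords are the sample values that appear in Jonathan's comment below, and the line numbers assume a 16-VTY switch such as the 3750 he mentions.

```ios
! Added example, not the lab's answer figure.
! Usernames and passwords are the sample values from Jonathan's comment below;
! the console and VTY line numbers are assumed.
!
! Local username/password pairs. IOS stores these as "password 0 ..." where
! 0 is the encryption type (type 0 = clear text), whether or not you typed the 0.
username allison password hope
username danielle password love
username tyler password faith
!
! Alternative that also meets the lab as stated: "secret" instead of "password".
! IOS then stores a hash of the password rather than the clear text.
! username allison secret hope
!
! Console access: check the local username database instead of a line password.
line console 0
 login local
!
! Telnet/SSH access: "login local" replaces the shared line password with
! per-user logins. Older IOS supports only VTYs 0-4, so show run splits the
! range; "line vty 0 15" would apply the same commands to all 16 lines at once.
line vty 0 4
 login local
line vty 5 15
 login local
```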


10 Comments

  1. Bif December 11, 15:43

    Are the zeros between password and the actual password pertinent, e.g.:
    username allison password 0 hope

    • CCENTSkills December 12, 09:53

      Yep. That zero means that the password is unencoded and unencrypted.

      • Jonathan July 29, 11:32

        I guess my follow-up question is: if I omitted the 0’s from the username/password commands, does it mean I got the answer wrong?

        I ask this because I typed
        SW1(config)#username allison password hope
        SW1(config)#username danielle password love
        SW1(config)#username tyler password faith

        and then I did a show run on my 3750 switch and got this

        !
        !
        username allison password 0 hope
        username danielle password 0 love
        username tyler password 0 faith
        !
        !

        So is including the 0’s really necessary since the switch automatically included it in the show run anyway?

        • CCENTSkills August 3, 16:18

          Hi Jonathan,
          Short answer: No. That is, if you omitted the 0’s, I’d still grade your solution as correct if this were a class. 🙂

          What happens on real gear:
          We humans type the passwords in clear text when we configure, and omit the 0.
          For the commands with passwords, IOS injects the “encryption” type (a number).
          We humans *could* have configured using those same numbers, like 0, but there’s seldom a reason to do so.
          Wendell

  2. Mit March 6, 10:19

    Hi Mr. Wendell,

    One simple question. Sorry if you find it silly.

    As long as the ip address is known, can any host in the world telnet into any switch? If no, what prevents this happening?

    • Barbara November 3, 17:02

      Theoretically, yes. Extra security measures – such as ACLs, firewalls etc. – could prevent this, though.
      That’s my understanding anyway.

  3. Lester March 7, 09:40

    It’s a good security practice to enable a username/password combination to avoid having a shared password.

    An observation would be that IOS encrypts the plain text “password” that is entered, if the keyword ‘secret’ is used on the command. For example username allinson secret hope.

    However, if the “TELNET” protocol is used for a remote session, the client host will be sending plain text to the IOS device.

    What happens when this command is entered: ‘username allison password 7 hope’?

  4. Peter L. May 29, 16:24

    The usernames in the problem statement are capitalized, but in the solution they are lower case. I presume in a real exam this would be marked incorrect.

  5. Jeremy February 16, 16:15

    Hello Wendell,

    While going through this exercise, I used “username secret ”

    Will Cisco accept this on the CCNA exam? Or will they ask the test taker to use the least secure manner?

    • CCENTSkills March 7, 09:45

      Hi Jeremy,
      username secret would of course work fine on real devices as well.
      As for the exam, I can’t answer your question specifically. However, in general, Cisco does a good job of creating questions for which, if you truly understand all the factors that affect the question, the correct answer is clear. E.g., a question related to these two similar commands might say something about encrypting the password. In short, Cisco does not set about to trick you by being ambiguous. (We all might see a question and believe it’s ambiguous, but they do try to avoid making them ambiguous.)
      Wendell
