THE SCHOOL OF CISCO NETWORKING (SCN): CISCO - BASIC ENCRYPTING PASSWORDS CONFIGURATION:
Welcome to the IT knowledge-base sharing freeway "Study with zero fees / zero money". We believe that if we have knowledge, we should let others light their candles with it. Our motivation has brought us together to offer a helping hand to those in need; student expectations and satisfaction are always our highest priority.

'Love All, Serve All, Help Ever, Hurt Never'

Welcome to the "Zero Fees and Zero Money SCN Community Study Page".

We like to share our material with everyone and hope you will find something useful here. Enjoy the collection and come back again; we will do our best to keep it interesting. All our material is 100% free. Use it for non-commercial purposes only.

THE SCHOOL OF CISCO NETWORKING (SCN) is a community-based, non-profit volunteer IT support organization, offering assistance and support to all.

A large section of students in this world, especially in villages, are under-privileged and hope for equal opportunity in terms of money and education. We feel the suffering of talented students who lose their chance to shine because of their financial status, so we decided to provide professional education freely.

Our web site aims to give every student who is about to start Cisco lab practice an easy way to understand the material, without doubts. Our articles are always 100% free for everyone and belong to THE SCHOOL OF CISCO NETWORKING (SCN).

This guide also provides technical guidance intended to help network students, network administrators and security officers improve their demonstrated ability to achieve specific objectives within set time frames.

Hands-on experience is an invaluable part of preparing for the lab exam, so never pass up an opportunity to configure or troubleshoot a router (if you have access to lab facilities, take full advantage of them). There is no replacement for the experience you gain in a lab, where you can configure whatever you want and introduce whatever problems you want, without risk of disrupting a production network.


Yours sincerely, Premakumar Thevathasan.

CISCO - BASIC ENCRYPTING PASSWORDS CONFIGURATION:

ROUTER PASSWORD TYPES :

Passwords are the first line of defense for securing Cisco routers. A password must be configured for the virtual terminal lines (VTY lines) and for the console port. A classic IOS router exposes five VTY lines by default (numbered 0 to 4), which are used for remote access to the router over the network with Telnet or SSH. Many platforms support more (for example 0 to 15); check show line and apply the same protection to every VTY line the platform actually has.

PASSWORD TYPES THAT CAN BE CONFIGURED ON A CISCO ROUTER :

• Privileged level passwords

     Enable password (stored in clear text, or as a reversible type 7 string once service password-encryption is on)
     Enable secret password (stored as a one-way hash, type 5 MD5 by default)

• Console line password

• VTY lines password

• Auxiliary (AUX) line password

CONFIGURING PASSWORDS :

Configuring privileged level passwords. Configure a non-encrypted password (legacy, not recommended):

Router(config)# enable password anypassword

Configure a hashed password (recommended):

Router(config)# enable secret strongpassword

Configuring the console line password :

Router(config)# line console 0
Router(config-line)# password anypassword
Router(config-line)# login

Configuring the auxiliary line password :

Router(config)# line aux 0
Router(config-line)# password anypassword
Router(config-line)# login

Configuring the VTY line (Telnet/SSH) password :

Router(config)# line vty 0 4
Router(config-line)# password anypassword
Router(config-line)# login

Passwords are case-sensitive: IOS stores exactly what you type, so "Anypassword" and "anypassword" are different passwords.


ENCRYPTING PASSWORDS :

By default, only the enable secret is stored in protected (hashed) form. Every other password type is written to the configuration in clear text. To obscure them, enable the password-encryption service globally on the router as follows:

Router# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.

Router(config)# service password-encryption

This applies type 7 encoding, which is reversible (see the discussion of its weakness further down): it hides passwords from a casual glance at the configuration but does not protect them from anyone who obtains a copy of the file.


The following techniques enable you to control who is allowed access to the router and what IOS privilege levels they are granted once they gain access:

PASSWORD (LINE CONFIGURATION): To specify a password on a line, use the password command in line configuration mode. A line is a console port (CTY), auxiliary port (AUX), virtual terminal (VTY) or asynchronous (TTY) line.

After specifying a password on a line with the password command, you must activate password checking at login using the login command in line configuration mode. Without login the password is not checked (the console has no login by default; VTY lines have login on by default), and login with no password configured leaves the line unusable ("Password required, but none set").

THE PASSWORD AND LOGIN COMMANDS ARE :

Router(config)# line con 0
Router(config-line)# password pS3cr3t
Router(config-line)# login

Router(config-line)# line 1 8
Router(config-line)# password pS3cr3t
Router(config-line)# login

Router(config-line)# line aux 0
Router(config-line)# password pS3cr3t
Router(config-line)# login

Router(config-line)# line vty 0 4
Router(config-line)# password SPs3P1h6I1D
Router(config-line)# login

USERNAME PASSWORD : The password command described above specifies a password for a specific line. With the configuration in the example above, any user who connects to a line must enter the configured line password to be granted user EXEC mode access. Everyone shares that one password, so there is no accountability for who logged in.

To establish local username-based password authentication, use the username command in global configuration mode. After specifying a username and password (prefer username ... secret, described below), activate username-based checking on the lines with the login local command in line configuration mode.

ENABLE SECRET : To specify an additional layer of security, use the enable secret command in global configuration mode. It provides better security than enable password by storing the configured enable secret as a non-reversible cryptographic hash, whereas enable password stores the configured password in clear text or in an easily reversible encrypted format. Storing the password as a hash helps to minimize the risk of password sniffing if the router configuration file is transferred across the network, such as to and from a TFTP server, and it also helps if an unauthorized user obtains a copy of your configuration file.

Note: if neither the enable password command nor the enable secret command is configured, and a line password is configured for the console port, that console line password serves as the enable password for all VTY lines, which includes Telnet, rlogin and SSH connections.

The enable secret command is widely available within IOS. Username passwords may also be stored in the router configuration file in cryptographic hash format, similar to the enable secret. The associated command is username secret.

SERVICE PASSWORD-ENCRYPTION: To encrypt local router passwords, use the service password-encryption command in global configuration mode. It applies to line passwords, username passwords, enable passwords and authentication key passwords, including routing authentication passwords and key strings. By default, IOS does not encrypt these passwords. Encrypting them this way helps to minimize the risk of password sniffing if the router configuration file is transferred across the network, such as to and/or from a TFTP server, and if an unauthorized user obtains a copy of your configuration file, but only against a casual reader: the type 7 scheme is reversible. This command is widely available within IOS.

NOTE : To provide an additional layer of security, particularly for passwords that cross the network or are stored on a TFTP server, you can use either the enable password or the enable secret command. Both establish a password that users must enter to access enable mode (the default) or any privilege level you specify; only enable secret stores it as a hash.

We recommend that you use the enable secret command because it uses a one-way hash rather than a reversible encoding. Use the enable password command only if you boot an older image of the Cisco IOS software, or older boot ROMs, that do not recognize the enable secret command. Where the image supports it (IOS 15.3(3)M and later), prefer the stronger type 8 (PBKDF2-SHA-256) or type 9 (scrypt) hashes, configured with enable algorithm-type scrypt secret <password>.

If you configure the enable secret command, it takes precedence over the enable password command; both may remain in the configuration, but only the secret is checked, so the two cannot be in effect simultaneously.

Router(config)# enable password [level level] {password | encryption-type encrypted-password}

OR

Router(config)# enable secret [level level] {password | encryption-type encrypted-password}

The first establishes a password for a privileged command mode.

The second specifies a secret password, saved using a non-reversible hash. (If enable password and enable secret are both set, users must enter the enable secret password.)

Use either of these commands with the level option to define a password for a specific privilege level. After you specify the level and set a password, give the password only to users who need access at this level. Use the privilege level configuration command to specify the commands accessible at the various levels.

If you have the service password-encryption command enabled, the password you enter is encrypted (type 7). When you display it with the more system:running-config or show running-config command, it is displayed in encrypted form.

If you specify an encryption type, you must provide an already encrypted password, for example one you copy from another router's configuration (enable secret 5 $1$... or enable password 7 ...).

Note : You cannot recover a lost enable secret from the router: a type 7 password can be decoded, but a type 5 hash cannot be reversed. You must use the password recovery procedure (boot from ROMMON bypassing the startup configuration, or clear NVRAM) and set a new password.
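An audit of the points just described, as an added example that is not part of the original article: a small Python script reads a saved running-config and reports the weaknesses this section warns about (no enable secret, a redundant enable password, username ... password instead of secret, service password-encryption off, and lines where password and login do not match up). The weak and hardened sample configurations embedded in it are constructed for this example, and the checks assume explicit login statements as in the article's own examples.

```python
"""Audit a saved Cisco IOS running-config for the password-storage weaknesses
described above.  Added example; the sample configurations are constructed."""
import re

# Constructed weak configuration: several of the mistakes this article warns about.
WEAK_CONFIG = """\
version 12.2
no service password-encryption
hostname Router1
enable password cisco
username prem password 0 letmein
line con 0
 password cisco
 login
line aux 0
 login
line vty 0 4
 password 7 110A160A1C1004030F
 login
"""

# Constructed hardened counterpart: hashed secrets and per-user login on every line.
HARDENED_CONFIG = """\
version 12.2
service password-encryption
hostname Router1
enable secret 5 $1$Ahxf$4oiveqn0n0jnesobfrdsw0
username prem secret 5 $1$Ahxf$4oiveqn0n0jnesobfrdsw0
line con 0
 login local
line aux 0
 login local
line vty 0 4
 login local
"""

def parse_lines(config):
    """Return {line name: [sub-commands]} for every 'line ...' block."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw[5:].strip()
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = None          # any other global command ends the block
    return blocks

def audit(config):
    """Return [(severity, finding)], empty when the config passes every check."""
    findings = []
    if not re.search(r"^service password-encryption", config, re.M):
        findings.append(("medium", "service password-encryption is off: line and username passwords are clear text"))
    has_secret = re.search(r"^enable secret ", config, re.M) is not None
    has_enable_pw = re.search(r"^enable password ", config, re.M) is not None
    if not has_secret:
        findings.append(("high", "no enable secret: privileged access relies on "
                         + ("a reversible enable password" if has_enable_pw else "line passwords")))
    elif has_enable_pw:
        findings.append(("low", "enable password is redundant next to enable secret and leaks a second guessable value; remove it"))
    for m in re.finditer(r"^username (\S+) password (?:(\d) )?\S+", config, re.M):
        findings.append(("high", f"username {m.group(1)}: reversible type {m.group(2) or '0'} password; use 'secret'"))
    for name, cmds in parse_lines(config).items():
        has_pw = any(c.startswith("password ") for c in cmds)
        login = next((c for c in cmds if c.startswith("login")), None)
        if has_pw and login is None:
            findings.append(("high", f"line {name}: password set but no 'login', so it is never checked"))
        if login == "login" and not has_pw:
            findings.append(("medium", f"line {name}: 'login' without a password blocks all access"))
        if name.startswith("vty") and login != "login local":
            findings.append(("low", f"line {name}: shared line password; prefer 'login local' with per-user secrets"))
    return findings

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {label}: {len(audit(cfg))} finding(s)")
        for sev, msg in audit(cfg):
            print(f"  [{sev}] {msg}")
```

Point it at a file saved with copy running-config tftp or show running-config and treat every "high" as a finding to fix before the configuration is archived anywhere.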


ENCRYPTING PASSWORDS CONFIGURATION EXAMPLE

You want to encrypt passwords so that they do not appear in plain text in the router configuration file. To enable password encryption on a router, use the service password-encryption configuration command :

Router1# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.

Router1(config)# enable password P1r2e3m
Router1(config)# line vty 0 4
Router1(config-line)# password SCNbook
Router1(config-line)# line con 0
Router1(config-line)# password SCNbook
Router1(config-line)# line aux 0
Router1(config-line)# password SCNbook
Router1(config-line)# exit
Router1(config)# service password-encryption
Router1(config)# end
Router1#

DISCUSSION : By default, the router stores all passwords in clear text and presents them in a human-readable format when you look at the router's configuration. The service password-encryption command encodes the passwords with a Vigenère-style XOR against a fixed, publicly known key (shown as type 7 in the configuration). Decoders for it are freely available, so anyone holding a copy of the configuration can recover every type 7 password in seconds.

This functionality is nevertheless useful to prevent nosy neighbors from viewing passwords over your shoulder, so encrypting your passwords is still recommended in spite of the known weaknesses. Be aware of the inherent weakness of this scheme when storing or forwarding router configuration files: strip all password lines (encrypted or not) from configuration files before they are stored or forwarded, to keep them safe from prying eyes, and never reuse a type 7 line password anywhere that matters.

The following example shows what a configuration file looks like with password encryption enabled (a separate sample configuration; its passwords are not the ones entered above) :

Router1# show running-config
Building configuration...

Current configuration : 4385 bytes
!
! Last configuration change at 13:08:35 EDT Thu Jun 27 2002 by prem
! NVRAM config last updated at 13:01:45 EDT Thu Jun 27 2002 by kumar
!
version 12.2
service password-encryption
!
hostname Router1
!
enable password 7 06091D2445420500
!
username prem password 7 045802150C2E
username kumar password 7 070C285F4D06
!
line con 0
 password 7 0605002E474C06160E
line aux 0
 password 7 151104030F28242B23
line vty 0 4
 password 7 110A160A1C1004030F
!
end

You will notice that the router now stores all of the passwords as type 7 strings and no longer displays them in a human-readable format. Unreadable is not the same as unrecoverable, though: the 7 in front of each value marks a reversible encoding, whereas the 5 in front of an enable secret marks a one-way hash.
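The reversibility described above, demonstrated as an added example (not code from the original article): the type 7 scheme XORs each password byte with a fixed, publicly known 53-byte key string, starting at the offset given by the two leading decimal digits, so one routine both encodes and decodes. Run against the type 7 strings in the sample configuration just shown, it recovers every password, which is why a configuration file containing type 7 values must be handled as if it held clear-text passwords. The scrub function implements the advice above about stripping credential lines before a configuration is stored or forwarded. The configuration excerpt embedded in the code is copied from the sample above; the "<removed>" marker is this example's own choice.

```python
"""Cisco IOS type 7 ('service password-encryption') encode/decode and a config
scrubber.  Added example; the embedded config excerpt is the sample shown above."""
import random
import re

# Fixed key used by every IOS image for type 7; it has been public for decades.
XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"

def decode_type7(encoded):
    """'06091D2445420500' -> cleartext.  The first two digits are the key offset."""
    seed = int(encoded[:2])
    body = bytes.fromhex(encoded[2:])
    return bytes(b ^ XLAT[(seed + i) % len(XLAT)] for i, b in enumerate(body)).decode()

def encode_type7(plain, seed=None):
    """Produce what IOS would store; IOS itself picks a random offset 0-15."""
    if seed is None:
        seed = random.randrange(16)
    body = bytes(c ^ XLAT[(seed + i) % len(XLAT)] for i, c in enumerate(plain.encode()))
    return f"{seed:02d}{body.hex().upper()}"

# Credential lines carrying a type digit: 'password 7 ...', 'enable secret 5 ...', etc.
CRED_RE = re.compile(r"^(.*\b(?:password|secret) )(\d+) (\S+)$", re.M)

def recover_type7(config):
    """Return [(config line, cleartext)] for every type 7 value in the config."""
    return [(m.group(0).strip(), decode_type7(m.group(3)))
            for m in CRED_RE.finditer(config) if m.group(2) == "7"]

# Any credential line, with or without a type digit, e.g. 'enable password cisco'.
ANY_CRED_RE = re.compile(r"^(.*\b(?:password|secret|key-string) )(?:\d+ )?\S+$", re.M)

def scrub_config(config, marker="<removed>"):
    """Blank out every stored credential (type 0, 5 or 7) before the file leaves the router."""
    return ANY_CRED_RE.sub(lambda m: m.group(1) + marker, config)

# Excerpt of the sample running-config shown above.
SAMPLE_CONFIG = """\
enable password 7 06091D2445420500
username prem password 7 045802150C2E
username kumar password 7 070C285F4D06
line con 0
 password 7 0605002E474C06160E
line aux 0
 password 7 151104030F28242B23
line vty 0 4
 password 7 110A160A1C1004030F
"""

if __name__ == "__main__":
    for line, clear in recover_type7(SAMPLE_CONFIG):
        print(f"{line:45s} -> {clear}")
    print(scrub_config(SAMPLE_CONFIG))
```

Because the key is fixed and the offset is in the string itself, there is nothing secret in a type 7 value; the only defensible uses are shoulder-surfing resistance and protocols that need the router to hold a recoverable password.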


ENCRYPTING PASSWORDS CONFIGURATION EXAMPLE - 1 : USING BETTER PASSWORD-ENCRYPTION TECHNIQUES

You want to assign a privileged password with stronger protection than Cisco's trivial default encryption. To enable strong, non-reversible hashing of the privileged password, use the enable secret configuration command :

Router1# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.

Router1(config)# enable secret Orabooks
Router1(config)# end
Router1#

Beginning with IOS version 12.2(8)T, Cisco introduced strong hashing for its username command as well. To enable it for router usernames, use the username secret command:

Router# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.

Router(config)# username prem secret Oreilly
Router(config)# end
Router#

DISCUSSION : Cisco introduced the enable secret password to improve on the enable password command. It stores the password with a salted, iterated MD5-based hash (md5crypt, shown as type 5 in the configuration). There is no known way to reverse the hash back to the password, which is why it is called a non-reversible algorithm. The practical attack is guessing: because MD5 is fast, a weak or dictionary password still falls quickly to an offline attack on a stolen configuration, so the strength of an enable secret is the strength of the password you choose.

When you configure the router with an enable secret, it hashes the password whether or not you have the service password-encryption command. The service password-encryption command has no effect on the enable secret.

Configuring a non-reversible enable secret provides greater security than the traditional enable password command. It is useful in environments that store or transfer configuration files across the network. The enable secret takes precedence over the enable password, so if you have both configured, the router will only use the secret version. We highly recommend using enable secret on all routers.

The following command shows what the enable secret looks like in the router's configuration file (the value after 5 is $1$, a four-character salt, $, and the 22-character hash):

Router1# show running-config | include secret
enable secret 5 $1$Ahxf$4oiveqn0n0jnesobfrdsw0
Router1#
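The type 5 scheme, as an added example that is not part of the original article: the value after enable secret 5 is the classic md5crypt hash ($1$ + salt + $ + 22 characters), a salted construction with 1000 MD5 rounds. The code below reimplements it in pure Python (no crypt module, which is platform-dependent and removed from recent Python) so a candidate password can be checked against a stored secret, and it shows the consequence of "non-reversible but fast": the only attack left is guessing, and a short wordlist finds a weak secret instantly. The salt "Ahxf" is taken from the output above; the passwords and wordlist are constructed for this example. Newer IOS images also offer type 8 (PBKDF2-SHA-256) and type 9 (scrypt), which make guessing far more expensive and should be preferred where available.

```python
"""Cisco IOS type 5 enable secret = md5crypt ('$1$salt$hash').  Pure-Python
reimplementation to verify and dictionary-test stored secrets.  Added example."""
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def _to64(value, length):
    """md5crypt's own base64 variant: low 6 bits first, 'length' characters."""
    return "".join(ITOA64[(value >> (6 * i)) & 0x3F] for i in range(length))

def md5crypt(password, salt, magic="$1$"):
    """Return '$1$salt$hash' exactly as IOS stores an enable or username secret (type 5)."""
    pw, sl = password.encode(), salt[:8].encode()        # salt is at most 8 chars; IOS uses 4
    ctx = hashlib.md5(pw + magic.encode() + sl)
    alt = hashlib.md5(pw + sl + pw).digest()
    for i in range(len(pw)):                              # mix in alt, one byte per password byte
        ctx.update(alt[i % 16:i % 16 + 1])
    i = len(pw)
    while i:                                              # per bit of the length: NUL or first pw byte
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):                                 # 1000 rounds to slow down brute force
        rnd = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            rnd.update(sl)
        if i % 7:
            rnd.update(pw)
        rnd.update(final if i & 1 else pw)
        final = rnd.digest()
    out = "".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
                  for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)))
    out += _to64(final[11], 2)
    return f"{magic}{sl.decode()}${out}"

def verify_type5(stored, candidate):
    """stored is the value after 'enable secret 5 ', e.g. '$1$Ahxf$...'."""
    parts = stored.split("$")                              # ['', '1', salt, hash]
    if len(parts) != 4 or parts[1] != "1":
        raise ValueError("not a type 5 (md5crypt) secret")
    return hmac.compare_digest(md5crypt(candidate, parts[2]), stored)

def crack_type5(stored, wordlist):
    """Offline guessing, the only attack a one-way hash leaves; returns the match or None."""
    for word in wordlist:
        if verify_type5(stored, word):
            return word
    return None

if __name__ == "__main__":
    weak = md5crypt("cisco", "Ahxf")                         # constructed: a weak secret
    strong = md5crypt("N0t-In-Any-W0rdlist!", "Ahxf")        # constructed: a strong one
    wordlist = ["password", "cisco", "admin", "Orabooks"]   # constructed wordlist
    print("enable secret 5", weak, "->", crack_type5(weak, wordlist))
    print("enable secret 5", strong, "->", crack_type5(strong, wordlist))
```

The hash is one-way, so the router itself can only run the same verify step; the lesson for the operator is that a configuration backup with a type 5 secret is safe only to the extent that the secret would survive an offline wordlist.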


RESTRICTIONS FOR ENABLE SECRET PASSWORD

THE FOLLOWING IS A LIST OF ENABLE SECRET PASSWORD RESTRICTIONS :

• The password must contain between 1 and 25 alphanumeric characters (upper- or lowercase).

• Leading spaces are ignored, while intermediate and trailing spaces are permitted and recognized.

• You can use a question mark, "?", in the password, but only if you precede it with Ctrl-V (the Ctrl key and the letter V key); otherwise the CLI treats the question mark as a request for help.

NOTE : You should never use the same password for the enable password and enable secret commands. The router will warn you against doing this, but it will accept it:

Router1# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.

Router1(config)# enable password cisco
Router1(config)# enable secret cisco
The enable secret you have chosen is the same as your enable password.
This is not recommended.  Re-enter the enable secret.
Router1(config)# end
Router1#

Setting the same password for both commands defeats the purpose of using the enable secret command in the first place: the reversible enable password (type 0 or 7) gives away the very value the secret was hashed to protect. Avoid this problem by choosing a different password or, better, removing the enable password altogether (no enable password).

Cisco introduced the username secret command in version 12.2(8)T to provide an added layer of security over the username password command. It uses the same irreversible MD5-based hash as the enable secret command.

However, because the password is not retrievable, some protocols that require the router to hold a clear-text password, such as CHAP, will not work with the hashed form; those accounts must keep username ... password.



CONCLUSION:

The goal of this article is to give an easy way to understand the "CISCO – BASIC ENCRYPTING PASSWORDS CONFIGURATION". We hope it helps every beginner who is going to start Cisco lab practice without any doubts.

Some topics that you might want to pursue on your own, which we did not cover in this article, are listed here. Thank you and best of luck.

This article was written by: Premakumar Thevathasan. CCNA, CCNP, CCIP, MCSE, MCSA, MCSA - MSG, CIW Security Analyst, CompTIA Certified A+.

DISCLAIMER:

This document carries no explicit or implied warranty, nor is there any guarantee that the information contained in this document is accurate. Every effort has been made to make all articles as complete and as accurate as possible.

It is offered in the hope of helping others, but you use it at your own risk. The author will not be liable for any special, incidental, consequential or indirect damages due to loss of data or any other reason that occur as a result of using this document. No warranty or fitness is implied. The information is provided on an "as is" basis. All use is completely at your own risk.
