There are mainly three types of passwords that can be set on Cisco routers.
To see the lines available in a cisco router we can use the following command.
sandesh#show line
Tty Line Typ Tx/Rx A Roty AccO AccI Uses Noise Overruns Int
* 0 0 CTY - - - - 0 0 0/0 -
1 1 AUX 9600/9600 - - - - 0 0 0/0 -
322 322 VTY - - - - 0 0 0/0 -
323 323 VTY - - - - 0 0 0/0 -
324 324 VTY - - - - 0 0 0/0 -
325 325 VTY - - - - 0 0 0/0 -
326 326 VTY - - - - 0 0 0/0 -
327 327 VTY - - - - 0 0 0/0 -
328 328 VTY - - - - 0 0 0/0 -
329 329 VTY - - - - 0 0 0/0 -
330 330 VTY - - - - 0 0 0/0 -
331 331 VTY - - - - 0 0 0/0 -
332 332 VTY - - - - 0 0 0/0 -
333 333 VTY - - - - 0 0 0/0 -
334 334 VTY - - - - 0 0 0/0 -
335 335 VTY - - - - 0 0 0/0 -
336 336 VTY - - - - 0 0 0/0 -
337 337 VTY - - - - 0 0 0/0 -
The router I am using has an auxiliary port, a console port and 16 vty lines. Following are the passwords that can be set for these lines.
1. Auxiliary Password:
This password is set for the auxiliary port of the router, which is located at the back of the router. The purpose of an auxiliary port is to connect an external modem to the router. This modem can be used to connect to the router for troubleshooting purposes should regular connectivity fail. Similarly to the console port, the auxiliary port is also an asynchronous serial port with an RJ-45 interface. A rollover cable is used for connections.
CLI Commands for configuration:
Router(config)#line aux 0
Router(config-line)#password auxiliary
Router(config-line)#login
2. Console Password:
Router console ports are meant to allow root access to the router via a dumb terminal interface, regardless of the state of the router (unless it is completely dead). By connecting to the console port you can get remote access to the root level of a router without using the network that the router is connected to. This creates a secondary path to the router outside the bandwidth of the network which needs to be secured without relying on the primary network. A rollover cable is used for connections.
More info about physical connection here : https://www.youtube.com/watch?v=_xA94N__uzk
CLI Commands for configuration:
Router(config)#line console 0
Router(config-line)#password console
Router(config-line)#login
3. VTY Password:
This is used on the vty lines. Whenever there is a request to connect to these vty lines, the router asks for a password. A number of protocols can be used to connect to these vty lines, e.g. Telnet and SSH. The protocols allowed depend on the Cisco router series.
CLI Commands for configuration:
The simplest commands include the following.
Router(config)#line vty 0 4
Router(config-line)#password remote
Router(config-line)#login
These commands set a password for Telnet access. When we try to telnet to the management IP of the router, the router asks for the password.
Eg: C:> telnet 8.8.8.8
Password:
Configuration to ask for username in telnet access:
Now, if we want the router to ask for the username as well, we need to use the following commands.
Router(config)#username cisco password cisco
Router(config)#line vty 0 4
Router(config-line)#login local
The command login local forces the router to ask for a username as well as a password.
SSH Protocol configuration for VTY lines:
We can also configure the router to use the SSH protocol for remote connections, as Telnet is not secure: Telnet uses plain text to transport data to and from the router.
Step 1: Configure the domain name:
Router(config)#ip domain-name sandeshshrestha.net
Step 2: Generate RSA key
Router(config)#crypto key generate rsa
% Please define a hostname other than Router.
Router(config)#hostname sandesh
sandesh(config)#crypto key generate rsa
The name for the keys will be: sandesh.sandeshshrestha.net
Choose the size of the key modulus in the range of 360 to 2048 for your
General Purpose Keys. Choosing a key modulus greater than 512 may take
a few minutes.
How many bits in the modulus [512]: 510
% Generating 510 bit RSA keys, keys will be non-exportable...[OK]
sandesh(config)#
*Mar 1 2:53:22.782: RSA key size needs to be at least 768 bits for ssh version 2
*Mar 1 2:53:22.782: %SSH-5-ENABLED: SSH 1.5 has been enabled
Two interesting things to note here:
1. It asks for a hostname other than Router.
2. The SSH version enabled is 1.5, but there is no 1.5 version of SSH. This basically means that version 2 is not being used here; instead it is version 1. To configure version 2 of SSH, use the following command. Also note that the RSA key must be at least 768 bits for version 2.
sandesh(config)#ip ssh version 2
Please create RSA keys (of at least 768 bits size) to enable SSH v2.
For the reason mentioned above, it gives this error.
Step 3: Configure vty line
Router(config)#line vty 0 4
Router(config-line)#transport input ssh telnet (allows both ssh and telnet)
Router(config-line)#password ssh
Router(config-line)#login local
Step 4: Connect
To connect to vty line in router using ssh we do the following:
C:>ssh cisco@8.8.8.8
Password:
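As an added defender's example (not code from the post), here is a small Python audit that parses a constructed running-config fragment shaped like the commands above and flags the weaknesses the post discusses: a line with no login, Telnet still permitted on the vty lines, SSH not at version 2, and an RSA modulus under 768 bits. The config text, the SSH version and the key size are all assumed inputs.

```python
# Constructed running-config fragment mirroring the post's commands (not from a real device).
SAMPLE_CONFIG = """\
hostname sandesh
ip domain-name sandeshshrestha.net
username cisco password cisco
line aux 0
 password auxiliary
 login
line con 0
 password console
 login
line vty 0 4
 transport input ssh telnet
 password ssh
 login local
"""

def parse_lines(config):
    """Group the indented body of each 'line ...' stanza under its header."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw.strip()
            stanzas[current] = []
        elif raw.startswith(" ") and current is not None:
            stanzas[current].append(raw.strip())
        else:
            current = None  # any non-indented line ends the stanza
    return stanzas

def audit(config, ssh_version=None, rsa_bits=None):
    """Return (line, finding) pairs for the weaknesses discussed in the post."""
    findings = []
    for name, body in parse_lines(config).items():
        has_pw = any(c.startswith("password ") for c in body)
        login = next((c for c in body if c == "login" or c.startswith("login ")), None)
        transport = next((c for c in body if c.startswith("transport input")), None)
        if login is None:
            findings.append((name, "no 'login': the line never prompts for a password"))
        elif login == "login" and not has_pw:
            findings.append((name, "'login' set but no line password configured"))
        # Telnet is allowed explicitly, or by default when transport input is unrestricted.
        if name.startswith("line vty") and (transport is None or "telnet" in transport.split()):
            findings.append((name, "Telnet permitted: credentials cross the network in plain text"))
    if ssh_version != 2:
        findings.append(("ssh", "SSH version 2 not enabled (IOS reports 'SSH 1.5' for version 1)"))
    if rsa_bits is not None and rsa_bits < 768:
        findings.append(("ssh", "RSA modulus %d bits is below the 768 SSHv2 requires" % rsa_bits))
    return findings

if __name__ == "__main__":
    for line, msg in audit(SAMPLE_CONFIG, ssh_version=None, rsa_bits=510):
        print(f"{line}: {msg}")
```

Running it against the sample reproduces the three problems from the walkthrough; after changing the vty line to transport input ssh, enabling ip ssh version 2 and generating a 2048-bit key, the audit returns no findings.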