
Sunday, November 23, 2014

Configuring Password on Cisco Router

There are mainly three types of passwords that can be set on Cisco routers, one for each kind of line. To see the lines available on a Cisco router we can use the following command.

sandesh#show line
   Tty Line Typ     Tx/Rx    A Roty AccO AccI   Uses   Noise  Overruns   Int
*    0    0 CTY              -    -    -    -      0       0     0/0       -
     1    1 AUX   9600/9600  -    -    -    -      0       0     0/0       -
   322  322 VTY              -    -    -    -      0       0     0/0       -
   323  323 VTY              -    -    -    -      0       0     0/0       -
   324  324 VTY              -    -    -    -      0       0     0/0       -
   325  325 VTY              -    -    -    -      0       0     0/0       -
   326  326 VTY              -    -    -    -      0       0     0/0       -
   327  327 VTY              -    -    -    -      0       0     0/0       -
   328  328 VTY              -    -    -    -      0       0     0/0       -
   329  329 VTY              -    -    -    -      0       0     0/0       -
   330  330 VTY              -    -    -    -      0       0     0/0       -
   331  331 VTY              -    -    -    -      0       0     0/0       -
   332  332 VTY              -    -    -    -      0       0     0/0       -
   333  333 VTY              -    -    -    -      0       0     0/0       -
   334  334 VTY              -    -    -    -      0       0     0/0       -
   335  335 VTY              -    -    -    -      0       0     0/0       -
   336  336 VTY              -    -    -    -      0       0     0/0       -
   337  337 VTY              -    -    -    -      0       0     0/0       -

The router I am using has an auxiliary port, a console port and 16 vty lines. Following are the passwords that can be set for these lines.

1. Auxiliary Password:
      This password is set for the auxiliary port of the router, which is located at the back of the router. The purpose of an auxiliary port is to connect an external modem to the router. This modem can be used to connect to the router for troubleshooting purposes should regular connectivity fail. Similarly to the console port, the auxiliary port is also an asynchronous serial port with an RJ-45 interface. A rollover cable is used for connections.

CLI Commands for configuration:

Router(config)#line aux 0
Router(config-line)#password auxiliary
Router(config-line)#login

2. Console Password: 
        Router console ports are meant to allow root access to the router via a dumb terminal interface, regardless of the state of the router (unless it is completely dead). By connecting to the console port you can get access to the root level of a router without using the network that the router is connected to. This creates a secondary path to the router, outside the network itself, which therefore needs to be secured in its own right rather than relying on the protections of the primary network. A rollover cable is used for connections.

More info about physical connection here : https://www.youtube.com/watch?v=_xA94N__uzk

CLI Commands for configuration:

Router(config)#line console 0
Router(config-line)#password console
Router(config-line)#login

3. VTY Password:
        This is used on the vty lines. Whenever there is a request to connect to one of these vty lines, the router asks for a password. A number of protocols can be used to connect to these vty lines, e.g. telnet and ssh. The protocols allowed depend on the Cisco router series.


CLI Commands for configuration:

The simplest commands include the following.

Router(config)#line vty 0 4
Router(config-line)#password remote
Router(config-line)#login

These commands set the password for telnet access. When we try to telnet to the management IP of the router, the router asks for the password.
Eg: C:> telnet 8.8.8.8
       Password:
Configuration to ask for username in telnet access:
Now, if we want the router to ask for the username as well, we need to use the following commands.

Router(config)#username cisco password cisco
Router(config)#line vty 0 4
Router(config-line)#login local

The command login local forces the router to ask for username.

SSH Protocol configuration for VTY lines:

We can also configure to use ssh protocol for remote connections as telnet is not secure. Telnet uses plain-text to transport data to and from the router.

Step 1: Configure the domain name:

Router(config)#ip domain-name sandeshshrestha.net

Step 2: Generate RSA key

Router(config)#crypto key generate rsa
% Please define a hostname other than Router.
Router(config)#hostname sandesh
sandesh(config)#crypto key generate rsa
The name for the keys will be: sandesh.sandeshshrestha.net
Choose the size of the key modulus in the range of 360 to 2048 for your
  General Purpose Keys. Choosing a key modulus greater than 512 may take
  a few minutes.

How many bits in the modulus [512]: 510
% Generating 510 bit RSA keys, keys will be non-exportable...[OK]
sandesh(config)#
*Mar 1 2:53:22.782:  RSA key size needs to be at least 768 bits for ssh version 2
*Mar 1 2:53:22.782:  %SSH-5-ENABLED: SSH 1.5 has been enabled

Two interesting things to note here:

1. It asks for a hostname other than Router.
2. The ssh version enabled is 1.5, but there is no version 1.5 of ssh. This basically means that version 2 is not being used here; instead it is version 1. To configure version 2 of ssh, use the following command. Also note that the RSA key should be at least 768 bits for version 2.

sandesh(config)#ip ssh version 2
Please create RSA keys (of at least 768 bits size) to enable SSH v2.

For the reason mentioned above (the key is only 510 bits), it gives the error.

Step 3: Configure vty line

Router(config)#line vty 0 4
Router(config-line)#transport input ssh telnet  (allows both ssh and telnet)
Router(config-line)#password ssh
Router(config-line)#login local

Step 4: Connect
To connect to vty line in router using ssh we do the following:

C:>ssh cisco@8.8.8.8
Password:
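As an added example that is not part of the original post, the following Python script audits a running-config fragment built from the commands shown above and flags the weak settings the post discusses: a shared line password instead of per-user login, telnet still permitted on the vty lines, a username stored with a reversible password, and SSH version 2 not enforced. The config text, function names and finding messages are all assumptions made for this example.

```python
import re

# Constructed running-config fragment modelled on the commands in this post
SAMPLE_CONFIG = """\
hostname sandesh
ip domain-name sandeshshrestha.net
username cisco password cisco
line con 0
 password console
 login
line aux 0
 password auxiliary
 login
line vty 0 4
 password ssh
 login local
 transport input ssh telnet
"""

def parse_lines(config):
    """Group each 'line ...' stanza with its indented sub-commands."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw[5:].strip()
            stanzas[current] = []
        elif raw.startswith(" ") and current is not None:
            stanzas[current].append(raw.strip())
        else:
            current = None          # any other top-level command ends the stanza
    return stanzas

def audit(config):
    """Return a list of findings for the weak settings discussed in the post."""
    findings = []
    if re.search(r"^username \S+ password ", config, re.M):
        findings.append("username stored with 'password' (reversible); prefer 'secret'")
    if not re.search(r"^ip ssh version 2$", config, re.M):
        findings.append("SSH version 2 not enforced ('ip ssh version 2' missing)")
    for name, cmds in parse_lines(config).items():
        if "login" in cmds:         # plain 'login' means the shared line password only
            findings.append(f"line {name}: shared line password, no per-user login")
        if name.startswith("vty"):  # only the remote-access lines carry a transport
            transport = [c for c in cmds if c.startswith("transport input")]
            if not transport or "telnet" in transport[-1] or "all" in transport[-1]:
                findings.append(f"line {name}: telnet permitted (plaintext credentials)")
    return findings
```

Running `audit(SAMPLE_CONFIG)` reports five findings; switching to `secret`, `login local` on every line, `transport input ssh` and `ip ssh version 2` brings it to zero.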
