Configure Password Option


Configure Console Access
In this topic, you will learn how to configure passwords for the console access, virtual terminal, and EXEC mode. You will also learn how to encrypt and recover passwords on a switch.
Data is very valuable and must be zealously guarded and protected. The U.S. Federal Bureau of Investigation (FBI) estimates that businesses lose $67.2 billion annually because of computer-related crime. Personal customer data in particular sells for very high prices. The following are some current prices for stolen data:
Automatic teller machine (ATM) or debit card with personal identification number (PIN): $500
Driver's license number: $150
Social Security number: $100
Credit card number with expiration date: $15 to $20
Securing your switches starts with protecting them from unauthorized access.
You can perform all configuration options directly from the console. To access the console, you need to have local physical access to the device. If you do not secure the console port properly, a malicious user could compromise the switch configuration.
Secure the Console
To secure the console port from unauthorized access, set a password on the console port using the password line configuration mode command. Use the line console 0 command to switch from global configuration mode to line configuration mode for console 0, which is the console port on Cisco switches. The prompt changes to (config-line)#, indicating that the switch is now in line configuration mode. From line configuration mode, you can set the password for the console by entering the password command. To ensure that a user on the console port is required to enter the password, use the login command. Even when a password is defined, it is not required to be entered until the login command has been issued.
The figure shows the commands used to configure and require the password for console access. Recall that you can use the show running-config command to verify your configuration. Before you complete the switch configuration, remember to save the running configuration file to the startup configuration.
Remove Console Password
If you need to remove the password and requirement to enter the password at login, use the following steps:
Step 1. Switch from privileged EXEC mode to global configuration mode. Enter the configure terminal command.
Step 2. Switch from global configuration mode to line configuration mode for console 0. The command prompt (config-line)# indicates that you are in line configuration mode. Enter the command line console 0.
Step 3. Remove the password from the console line using the no password command.
Caution: If no password is defined and login is still enabled, there is no access to the console.
Step 4. Remove the requirement to enter the password at login to the console line using the no login command.

Step 5. Exit line configuration mode and return to privileged EXEC mode using the end command.

Secure the vty Ports
The vty ports on a Cisco switch allow you to access the device remotely. You can perform all configuration options using the vty terminal ports. You do not need physical access to the switch to access the vty ports, so it is very important to secure the vty ports. Any user with network access to the switch can establish a vty remote terminal connection. If the vty ports are not properly secured, a malicious user could compromise the switch configuration.
To secure the vty ports from unauthorized access, you can set a vty password that is required before access is granted.
To set the password on the vty ports, you must be in line configuration mode.
There can be many vty ports available on a Cisco switch. Multiple ports permit more than one administrator to connect to and manage the switch. To secure all vty lines, make sure that a password is set and login is enforced on all lines. Leaving some lines unsecured compromises security and allows unauthorized users access to the switch.
Use the line vty 0 4 command to switch from global configuration mode to line configuration mode for vty lines 0 through 4.
Note: If the switch has more vty lines available, adjust the range to secure them all. For example, a Cisco 2960 has lines 0 through 15 available.
The figure shows the commands used to configure and require the password for vty access. You can use the show running-config command to verify your configuration and the copy running-config startup-config command to save your work.
Remove the vty Password
If you need to remove the password and requirement to enter the password at login, use the following steps:
Step 1. Switch from privileged EXEC mode to global configuration mode. Enter the configure terminal command.
Step 2. Switch from global configuration mode to line configuration mode for vty terminals 0 through 4. The command prompt (config-line)# indicates that you are in line configuration mode. Enter the command line vty 0 4.
Step 3. Remove the password from the vty lines using the no password command.
Caution: If no password is defined and login is still enabled, there is no access to the vty lines.
Step 4. Remove the requirement to enter the password at login to the vty lines using the no login command.
Step 5. Exit line configuration mode and return to privileged EXEC mode using the end command.
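The console and vty sections above describe three states a line can be in: password set and login enforced (secured), login enforced with no password (locked out, the caution above), and login not enforced (open). The following Python script is an added example, not part of the original page or of Cisco IOS; it reads a saved show running-config and reports any line in one of the two bad states, and also reports vty numbers no line section covers, which is the situation the note about a 2960 having lines 0 through 15 warns about. The sample configuration is constructed for the example, and the script assumes the line sections appear in the indented form IOS prints them in.

```python
import re

# Constructed sample running-config (not from the page). The console and
# vty 0-4 follow the recipe in the text; vty 5-15 was never secured.
SAMPLE_CONFIG = """\
!
hostname S1
!
line con 0
 password cisco
 login
line vty 0 4
 password cisco
 login
line vty 5 15
 no login
!
end
"""

# 'line con 0', 'line vty 0 4', 'line vty 5 15' ...
LINE_RE = re.compile(r"^line (con|vty) (\d+)(?: (\d+))?$")


def parse_line_sections(config):
    """Map each 'line ...' section to its indented sub-commands.

    Returns {(kind, first, last): [commands]}; a single line such as
    'line con 0' is stored as ('con', 0, 0).
    """
    sections = {}
    current = None
    for raw in config.splitlines():
        m = LINE_RE.match(raw)
        if m:
            kind, first, last = m.group(1), int(m.group(2)), m.group(3)
            current = (kind, first, int(last) if last is not None else first)
            sections[current] = []
        elif raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        else:
            current = None  # any other top-level command ends the section
    return sections


def audit_lines(config, vty_count=16):
    """Return a list of findings; an empty list means every line is secured."""
    findings = []
    covered = set()
    for (kind, first, last), cmds in parse_line_sections(config).items():
        name = f"{kind} {first}" if first == last else f"{kind} {first} {last}"
        has_password = any(c.startswith("password ") for c in cmds)
        # Only an explicit 'login' (or 'login local') counts as enforcing the
        # password; 'no login', or no login command at all, is treated as open.
        has_login = any(c == "login" or c.startswith("login ") for c in cmds)
        if kind == "vty":
            covered.update(range(first, last + 1))
        if has_login and not has_password:
            findings.append(f"{name}: login required but no password set (locked out)")
        elif not has_login:
            findings.append(f"{name}: login not enforced (open access)")
    # vty numbers that no section mentions at all (assumes vty_count lines exist)
    missing = sorted(set(range(vty_count)) - covered)
    if missing:
        findings.append(f"vty lines not configured: {missing[0]}-{missing[-1]}")
    return findings


if __name__ == "__main__":
    for finding in audit_lines(SAMPLE_CONFIG):
        print(finding)
```

Run it against the output of show running-config saved to a file; the vty_count parameter should match the number of vty lines the platform provides (16 for the 2960 mentioned in the note).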

Configure EXEC Mode Passwords
Privileged EXEC mode allows any user enabling that mode on a Cisco switch to configure any option available on the switch. You can also view all the currently configured settings on the switch, including some of the unencrypted passwords! For these reasons, it is important to secure access to privileged EXEC mode.
The enable password global configuration command allows you to specify a password to restrict access to privileged EXEC mode. However, one problem with the enable password command is that it stores the password in readable text in the startup-config and running-config. If someone were to gain access to a stored startup-config file, or temporary access to a Telnet or console session that is logged in to privileged EXEC mode, they could see the password. As a result, Cisco introduced a new password option to control access to privileged EXEC mode that stores the password in an encrypted format.
You can assign an encrypted form of the enable password, called the enable secret password, by entering the enable secret command with the desired password at the global configuration mode prompt. If the enable secret password is configured, it is used instead of the enable password, not in addition to it. There is also a safeguard built into the Cisco IOS software that prevents you from setting the enable secret password to the same password that is used for the enable password.
Remove EXEC Mode Password
If you need to remove the password requirement to access privileged EXEC mode, you can use the no enable password and the no enable secret commands from global configuration mode.

Configure Encrypted Passwords
When configuring passwords in Cisco IOS CLI, by default all passwords, except for the enable secret password, are stored in clear text format within the startup-config and running-config. The figure shows an abbreviated screen output from the show running-config command on the S1 switch. The clear text passwords are highlighted in orange. It is universally accepted that passwords should be encrypted and not stored in clear text format. The Cisco IOS command service password-encryption enables service password encryption.
When the service password-encryption command is entered from global configuration mode, all system passwords are stored in an encrypted form. As soon as the command is entered, all the currently set passwords are converted to encrypted passwords. At the bottom of the figure, the encrypted passwords are highlighted in orange.
If you want to remove the requirement to store all system passwords in an encrypted format, enter the no service password-encryption command from global configuration mode. Removing password encryption does not convert currently encrypted passwords back into readable text. However, all newly set passwords are stored in clear text format.
Note: The encryption standard used by the service password-encryption command is referred to as type 7. This encryption standard is very weak and there are easily accessible tools on the Internet for decrypting passwords encrypted with this standard. Type 5 is more secure but must be invoked manually for each password configured.
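The EXEC mode and password encryption sections above distinguish three ways a password can sit in the configuration: clear text (type 0), the reversible type 7 encoding produced by service password-encryption, and the type 5 hash produced by enable secret. The following Python script is an added example, not part of the original page or of Cisco IOS; it scans a saved running-config for the password-bearing commands discussed above, classifies each by its type digit, and reports the conditions the text calls out: an enable password with no enable secret, both set at once (only the secret is used), clear-text or type 7 storage, and service password-encryption not enabled. The sample configuration is constructed, and the hash and type 7 values in it are placeholders rather than real encodings.

```python
import re

# Constructed sample running-config (not from the page). The type 5 and
# type 7 values are placeholders, not real hashes or encodings.
SAMPLE_CONFIG = """\
enable secret 5 $1$SALT$placeholderNotARealMD5hash
enable password 7 0123456789ABCDEF
username admin password cisco
line con 0
 password cisco
 login
line vty 0 4
 password 7 FEDCBA9876543210
 login
"""

# Password-bearing commands the text discusses. The optional digit before
# the value is the IOS storage type; when absent the value is clear text (0).
PW_RE = re.compile(
    r"^(?P<cmd>enable secret|enable password|username \S+ (?:secret|password)|password)"
    r"(?: (?P<type>\d))? (?P<value>\S+)$"
)


def classify(config):
    """Return [(command, type_digit, stored_value)] for each password line."""
    found = []
    for raw in config.splitlines():
        m = PW_RE.match(raw.strip())
        if m:
            found.append((m.group("cmd"), m.group("type") or "0", m.group("value")))
    return found


def audit_password_storage(config):
    """Return a list of findings about how passwords are stored."""
    findings = []
    entries = classify(config)
    cmds = {cmd for cmd, _, _ in entries}
    has_service_enc = any(
        line.strip() == "service password-encryption" for line in config.splitlines()
    )
    if "enable password" in cmds and "enable secret" not in cmds:
        findings.append(
            "enable password used without enable secret: privileged EXEC password readable in config"
        )
    elif "enable password" in cmds and "enable secret" in cmds:
        findings.append(
            "both enable password and enable secret set: only the secret is used; remove the enable password"
        )
    for cmd, ptype, _ in entries:
        if ptype == "0":
            findings.append(f"{cmd}: stored in clear text (type 0)")
        elif ptype == "7":
            findings.append(f"{cmd}: type 7 encoding is trivially reversible")
    # Clear-text line/user passwords would at least become type 7 with this on.
    if any(t == "0" for _, t, _ in entries) and not has_service_enc:
        findings.append("service password-encryption not enabled")
    return findings


if __name__ == "__main__":
    for finding in audit_password_storage(SAMPLE_CONFIG):
        print(finding)
```

The script never decodes anything; it only reads the type digit, which is enough to tell whether a stored value would survive disclosure of the configuration file.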
Enable Password Recovery
After you set passwords to control access to the Cisco IOS CLI, you need to make sure you remember them. In case you have lost or forgotten access passwords, Cisco has a password recovery mechanism that allows administrators to gain access to their Cisco devices. The password recovery process requires physical access to the device. The figure shows a screen capture of the console display indicating that password recovery has been enabled. You will see this display after Step 3 below.
Note that you may not be able to actually recover the passwords on the Cisco device, especially if password encryption has been enabled, but you are able to reset them to a new value.
For more information on the password procedure, visit: http://www.cisco.com/en/US/products/sw/iosswrel/ps1831/products_tech_note09186a00801746e6.shtml.
To recover the password on a Cisco 2960 switch, use the following steps:
Step 1. Connect a terminal or PC with terminal-emulation software to the switch console port.
Step 2. Set the line speed on the emulation software to 9600 baud.
Step 3. Power off the switch. Reconnect the power cord to the switch and within 15 seconds, press the Mode button while the System LED is still flashing green. Continue pressing the Mode button until the System LED turns briefly amber and then solid green. Then release the Mode button.
Step 4. Initialize the Flash file system using the flash_init command.
Step 5. Load any helper files using the load_helper command.
Step 6. Display the contents of Flash memory using the dir flash command:
The switch file system appears:
Directory of flash:
13 drwx 192 Mar 01 1993 22:30:48 c2960-lanbase-mz.122-25.FX
11 -rwx 5825 Mar 01 1993 22:31:59 config.text
18 -rwx 720 Mar 01 1993 02:21:30 vlan.dat
16128000 bytes total (10003456 bytes free)
Step 7. Rename the configuration file to config.text.old, which contains the password definition, using the rename flash:config.text flash:config.text.old command.
Step 8. Boot the system with the boot command.
Step 9. You are prompted to start the setup program. Enter N at the prompt, and then when the system prompts whether to continue with the configuration dialog, enter N.
Step 10. At the switch prompt, enter privileged EXEC mode using the enable command.
Step 11. Rename the configuration file to its original name using the rename flash:config.text.old flash:config.text command.
Step 12. Copy the configuration file into memory using the copy flash:config.text system:running-config command. After this command has been entered, the following is displayed on the console:
Source filename [config.text]?
Destination filename [running-config]?
Press Return in response to the confirmation prompts. The configuration file is now reloaded, and you can change the password.
Step 13. Enter global configuration mode using the configure terminal command.
Step 14. Change the password using the enable secret password command.
Step 15. Return to privileged EXEC mode using the exit command.
Step 16. Write the running configuration to the startup configuration file using the copy running-config startup-config command.
Step 17. Reload the switch using the reload command.
Note: The password recovery procedure can be different depending on the Cisco switch series, so you should refer to the product documentation before you attempt a password recovery.
