cc/td/doc/product/software/ios112/112cg_cr
hometocprevnextglossaryfeedbacksearchhelp
PDF

Table of Contents

Configuring Terminal Access Security

Configuring Terminal Access Security

This chapter describes how to prevent unauthenticated users from logging in to your router. As shown in Figure 7, users can log in to a router through the following ports:


Figure 7: Terminal Access Methods Requiring Security



The section "Configure Login Authentication" describes the different login authentication security mechanisms available in the Cisco IOS software.

This chapter also describes the following tasks:

Other chapters in the Cisco IOS software configuration guides and command references provide information about protocol-specific security features. The "Configuring Interfaces" chapter in the Configuration Fundamentals Configuration Guide provides information on Challange Handshake Authentication Protocol (CHAP), an additional authentication feature. Another example is the IP Security Option (IPSO) feature described in the "Configuring IP" chapter in the Network Protocols Configuration Guide, Part 1. Finally, see the separate protocol chapters in each publication for information about how to create access lists.

Configure Login Authentication

The three methods for controlling login access to terminal lines are described in the following sections:

If you configure static login and password protection, then configure TACACS or Extended TACACS, the TACACS username and password take precedence over static passwords. If you have not yet implemented a security policy, Cisco recommends that you use the AAA facility to configure terminal access security.

Configure Static Login and Password Protection

You can provide access control on a terminal line by entering the password and establishing password checking. To do so, perform the following tasks in line configuration mode:

Task Command
Step 1 Assign a password to a terminal or other device on a line. password password1
Step 2 Enable password checking at login. login1

1 This command is documented in the "Terminal Lines and Modem Support Commands" chapter in the Access Services Command Reference.

The password checker is case sensitive and can include spaces; for example, the password "Secret" is different than the password "secret," and "two words" is an acceptable password.

You can disable line password verification by disabling password checking. To do so, perform the following task in line configuration mode:

Task Command
Disable password checking or allow access to a line without password verification. no login1

1 This command is documented in the "Terminal Lines and Modem Support Commands" chapter in the Access Services Command Reference.

Configure TACACS and Extended TACACS Password Protection

You can use TACACS or Extended TACACS to control login access to the router. Perform the tasks in the following sections:

Before performing these tasks, you must have enabled communication with a TACACS host on the network. For more information, refer to the "Establish the TACACS Server Host" section in the "Network Access Security" chapter.

Set TACACS Password Protection at the User Level

You can enable password checking at login by performing the following task in line configuration mode:

Task Command
Set the TACACS-style user ID and password-checking mechanism. login tacacs1

1 This command is documented in the "Network Access Security" chapter of the Security Command Reference.

Disable Password Checking at the User Level

If a TACACS server does not respond to a login request, the Cisco IOS software denies the request by default. However, you can prevent login failure in one of two ways.

To specify one of these features, perform either of the following tasks in global configuration mode:

Task Command
Allow a user to access privileged EXEC mode, or set last resort options for logins. tacacs-server last-resort password
or
tacacs-server last-resort succeed

Configure Login Authentication Using AAA

This section describes how to control access to the router using the following security tools:

For information about controlling access to your network resources using these technologies, refer to the "Configuring Network Access Security" chapter.

Controlling Login by Using Local Authentication

To configure local login authentication by using the AAA facility in the Cisco IOS software, perform the following tasks, beginning in global configuration mode:

Task Command
Step 1 Enable AAA globally, aaa new-model 1
Step 2 Create a local authentication list. aaa authentication login {default | list-name} local
Step 3 Enter line configuration mode for the lines to which you want to apply the authentication list. line [aux | console | tty | vty] line-number [ending-line-number]
Step 4 Apply the authentication list to a line or set of lines. login authentication {default | list-name}
Step 5 Exit back to global configuration mode. exit
Step 6 Populate the local username database for all users who need to log in. username name [nopassword | password encryption-type password] 1

1 This command is described in the "Network Access Security Commands" chapter of the Security Command Reference.

For information about configuring local authentication for network access security, refer to the "Configuring Network Access Security" chapter in this publication.

Controlling Login by Using TACACS+ Authentication

To specify TACACS+ as the login authentication method, perform the following tasks, beginning in global configuration mode:

Task Command
Step 1 Enable AAA globally, aaa new-model 1
Step 2 Enable login authentication using TACACS+. aaa authentication login {default | list-name} tacacs+
Step 3 Enter line configuration mode for the lines to which you want to apply the authentication list. line [aux | console | tty | vty] line-number [ending-line-number]
Step 4 Apply the authentication list to a line or set of lines. login authentication {default | list-name}

1 This command is described in the "Network Access Security Commands" chapter of the Security Command Reference.

For information about configuring TACACS+ authentication for network access security, refer to the "Configuring Network Access Security" chapter in this publication.

Controlling Login by Using RADIUS Authentication

Before performing the tasks in this section, make sure you have enabled communication with the RADIUS server, as described in the "Configure Router to RADIUS Server Communication" section of the "Configuring Network Access Security" chapter.

To specify RADIUS as the login authentication method, perform the following steps in global configuration mode:

Task Command
Step 1 Configure the router to use RADIUS login authentication. aaa authentication login {default | list-name} radius1
Step 2 Enter line configuration mode for the lines to which you want to apply the authentication list. line [aux | console | tty | vty] line-number [ending-line-number]
Step 3 Apply the authentication list to a line or set of lines. login authentication {default | list-name}

1 This command is described in the "Network Access Security Commands" chapter of the Security Command Reference.

For information about configuring RADIUS authentication for network access security, refer to the "Configuring Network Access Security" chapter in this publication.

Controlling Login by Using Kerberos Authentication

Before you configure the router to use Kerberos as the login authentication method, make sure you have performed the tasks in the "Establish the Kerberos-Authenticated Server-Client System" section in the "Configuring Network Access Security" chapter of this publication.

To specify to the router to use Kerberos as the login authentication method, perform the following tasks, beginning in global configuration mode:

Task Command
Step 1 Set AAA authentication at login using Kerberos. aaa authentication login {default | list-name} krb51
Step 2 Enter line configuration mode for the lines to which you want to apply the authentication list. line [aux | console | tty | vty] line-number [ending-line-number]
Step 3 Apply the authentication list to a line or set of lines. login authentication {default | list-name}

1 This command is documented in the "Network Access Security Commands" chapter in the Security Command Reference.

Remote users logging in to the network are prompted for a username. If the key distribution center (KDC) has an entry for that user, it creates an encrypted ticket granting ticket (TGT) with the password for that user and sends it back to the router. The user is then prompted for a password, and the router attempts to decrypt the TGT with that password. If it succeeds, the user is authenticated and the TGT is stored in the user's credential cache on the router.

A user does not need to run the KINIT program to get a TGT to authenticate to the router. This is because KINIT has been integrated into the login procedure in the Cisco IOS implementation of Kerberos.

Protect Passwords

Complete the following tasks to establish password protection:

Protect Access to Privilege EXEC Commands

The Cisco IOS software provides two tools for controlling access to the system configuration file:

Set or Change a Static Enable Password

To set or change a static password that controls access to privilege EXEC (enable) mode, perform the following task in global configuration mode:

Task Command
Establish a new password or change an exitsing password for the privileged command level. enable password password

For examples of how to define enable passwords for different privilege levels, see the "Multiple Levels of Privileges Examples" section at the end of this chapter.

Protect Passwords with Enable Password and Enable Secret

To provide an additional layer of security, particularly for passwords that cross the network or are stored on a TFTP server, you can use either the enable password or enable secret commands. Both commands accomplish the same thing; that is, they allow you to establish an encrypted password that users must enter to access enable mode (the default), or any privilege level you specify.

Cisco recommends that you use the enable secret command because it uses an improved encryption algorithm. Use the enable password command only if you boot an older image of the Cisco IOS, or if you boot older boot ROMS that do not recognize the enable secret command.

If you configure the enable secret command, it is used instead of the enable password command, not in addition to it.

To configure the router to require an enable password, perform one of the following tasks in global configuration mode:

Task Command
Establish a password for a privilege command mode. enable password [level level] {password |
encryption-type encrypted-password}
Specify a secret password, saved using a non-reversible encryption method. (When enable password and enable secret are both set, users must enter the enable secret password.) enable secret [level level] {password | encryption-type encrypted-password}

Use either of these commands with the level option to define a password for a specific privilege level. After you specify the level and set a password, give the password only to users who need to have access at this level. Use the privilege level configuration command to specify commands accessible at various levels.

If you have service password-encryption set, the password you enter is encrypted. When you display it with the show startup-config command, it is displayed in encrypted form.

If you specify an encryption type, you must provide an encrypted password--an encrypted password you copy from another router configuration.

You cannot recover a lost encrypted password. You must clear NVRAM and set a new password. See the sections "Recover a Lost Enable Password" or "Recover a Lost Line Password" in this chapter if you have lost or forgotten your password.

Set or Change a Line Password

To set or change a password on a line, perform the following task in global configuration mode:

Task Command
Establish a new password or change an exitsing password for the privileged command level. password password

Enable TACACS+ Password Protection for Privilege EXEC Model

Use the aaa authentication enable default command to create a series of authentication methods (including TACACS+) that are used to determine whether a user can access privilege EXEC (enable) mode. You can specify up to four authentication methods. The additional methods of authentication are used only if the previous method returns an error, not if it fails. To specify that the authentication succeeds even if all methods return an error, specify none as the final method in the command line.

To create a series of authentication methods, perform the following task in global configuration mode:

Task Command
Create a series of authentication methods for users requesting privileged EXEC level. aaa authentication enable default tacacs+

Set TACACS Password Protection for Privilege EXEC Mode

You can set the TACACS protocol to determine whether a user can access privileged EXEC (enable) mode. To do so, perform the following task in global configuration mode:

Task Command
Set the TACACS-style user ID and password-checking mechanism at the privileged EXEC level. enable use-tacacs

When you set TACACS password protection at the privilege EXEC mode, the enable EXEC command prompts for both a new username and a password. This information is then passed to the TACACS server for authentication. If you are using the extended TACACS, it also passes any existing UNIX user identification code to the TACACS server.

Caution If you use the enable use-tacacs command, you must also specify tacacs-server authenticate enable, or you will be locked out of the privilege EXEC (enable) mode.
Note When used without extended TACACS, the enable use-tacacs command allows anyone with a valid username and password to access the privileged EXEC mode, creating a potential security problem. This occurs because the TACACS query resulting from entering the enable command is indistinguishable from an attempt to log in without extended TACACS.

Encrypt Passwords

Because protocol analyzers can examine packets (and read passwords), you can increase access security by configuring the Cisco IOS software to encrypt passwords. Encryption prevents the password from being readable in the configuration file.

Configure the Cisco IOS software to encrypt passwords by performing the following task in global configuration mode:

Task Command
Encrypt a password. service password-encryption

The actual encryption process occurs when the current configuration is written or when a password is configured. Password encryption is applied to all passwords, including authentication key passwords, the privileged command password, console and virtual terminal line access passwords, and BGP neighbor passwords. The service password-encryption command is primarily useful for keeping unauthorized individuals from viewing your password in your configuration file.

**before**The service password-encryption command does not provide a high level of network security. If you use this command, you should also take additional network security measures.@@before@@Caution **after**The service password-encryption command does not provide a high level of network security. If you use this command, you should also take additional network security measures.@@after@@

Although you cannot recover a lost encrypted password (that is, you cannot get the original password back), you can recover from a lost encrypted password. See the sections "Recover a Lost Enable Password" or "Recover a Lost Line Password" in this chapter if you have lost or forgotten your password.

Configure Multiple Privilege Levels

By default, the Cisco IOS software has two modes of password security: user mode (EXEC) and privilege mode (enable). You can configure up to 16 hierarchical levels of commands for each mode. By configuring multiple passwords, you can allow different sets of users to have access to specified commands.

For example, if you want the configure command to be available to a more restricted set of users than the clear line command, you can assign level 2 security to the clear line command and distribute the level 2 password fairly widely, and assign level 3 security to the configure command and distribute the password to level 3 commands to fewer users.

The following tasks describe how to configure additional levels of security:

Set the Privilege Level for a Command

To set the privilege level for a command, perform the following tasks in global configuration mode:

Task Command
Set the privilege level for a command. privilege mode level level command
Specify the enable password for a privilege level. enable password level level [encryption-type] password

Change the Default Privilege Level for Lines

To change the default privilege level for a given line or a group of lines, perform the following task in line configuration mode:

Task Command
Specify a default privilege level for a line. privilege level level

Display Current Privilege Levels

To display the current privilege level you can access based on the password you used, perform the following task in EXEC mode:

Task Command
Display your current privilege level. show privilege

Log In to a Privilege Level

To log in to a router at a specified privilege level, perform the following task in EXEC mode:

Task Command
Log in to a specified privilege level. enable level 1

1 This command is documented in the "User Interface Commands" chapter in the Configuration Fundamentals Command Reference.

To exit to a specified privilege level, perform the following task in EXEC mode:

Task Command
Exit to a specified privilege level. disable level 1

1 This command is documented in the "User Interface Commands" chapter in the Configuration Fundamentals Command Reference.

Recover a Lost Enable Password

You can restore access to enable mode on a router when the password is lost using one of the three procedures described in this section. The procedure you use depends on your router platform. Table 5 shows which password recovery procedure to use with each router platform.

You can perform password recovery on most of the platforms without changing hardware jumpers, but all platforms require the configuration to be reloaded. Password recovery can be done only from the console port on the router.


Table  5: Platform-specific Password Recovery Procedures
Password Recovery Procedure Router Platform
Password Recovery Procedure 1 Cisco 2000 series

Cisco 2500 series

Cisco 3000 series

Cisco 4000 series with 680x0 Motorola CPU

Cisco 7000 seies running Cisco IOS Release 10.0 or later in ROMs installed on the RP card

IGS series running Cisco IOS 9.1 or later in ROMs

Password Recovery Procedure 2 Cisco 1003

Cisco 4500 series

Cisco 7500 series

IDT Orion-based routers

Both password recovery procedures involve the following basic tasks:


  1. Configure the router to boot up without reading the configuration memory (NVRAM). This is sometimes called the test system mode.

  2. Reboot the system.

  3. Access enable mode (which can be done without a password if you are in test system mode).

  4. View or change the password, or erase the configuration.

  5. Reconfigure the router to boot up and read the NVRAM as it normally does.

  6. Reboot the system.
Note Some password recovery requires that a terminal issue a Break signal; you must be familiar with how your terminal or PC terminal emulator issues this signal. For example, in ProComm, the keys Alt-B by default generates the Break signal, and in a Windows terminal you press Break or CTRL-Break. A Windows terminal also allows you to define a function key as a BREAK signal. To do so, select function keys from the Terminal window and define one as Break by entering the characters ^$B (Shift 6, Shift 4, and uppercase B).

Password Recovery Procedure 1

Use this procedure to recover lost passwords on the following Cisco routers:

The router can be booting Cisco IOS Release 10.0 software in Flash memory, but it needs the actual ROMs on the processor card too.

To recover a password using Technique 1, perform the following steps:

Step 1 Attach a terminal or PC with terminal emulation software to the console port of the router.

Step 2 Enter the show version command and record the setting of the configuration register. It is usually 0x2102 or 0x102.

The configuration register value is on the last line of the display. Note whether the configuration register is set to enable Break or disable Break.


The factory-default configuration register value is 0x2102. Notice that the third digit from the left in this value is 1, which disables Break. If the third digit is not 1, Break is enabled.


Step 3 Turn off the router, then turn it on.

Step 4 Press the Break key on the terminal within 60 seconds of turning on the router.

The rommon> prompt with no router name appears. If it does not appear, the terminal is not sending the correct Break signal. In that case, check the terminal or terminal emulation setup.


Step 5 Enter o/r0x42 at the rommon> prompt to boot from Flash memory or o/r0x41 to boot from the boot ROMs.

Note that this is the letter o, not the numeral zero. If you have Flash memory and it is intact, 0x42 is the best setting. Use 0x41 only if the Flash memory is erased or not installed. If you use 0x41, you can only view or erase the configuration. You cannot change the password.


Step 6 At the rommon> prompt, enter the initialize command to initialize the router.

This causes the router to reboot but ignore its saved configuration and use the image in FLASH memory instead.


The system configuration display appears.


Step 7 Enter no in response to the System Configuration Dialog prompts until the following message appears:

Step 8 Press Return.

The Router> prompt appears.


Step 9 Enter the enable command.

This puts you in enable mode.


The Router# prompt appears.


Step 10 Choose one of the following options:

Router # configure terminal
Router(config)# enable password 1234abcd
Router(config)# ctrl-z
Router # write memory

Step 11 Enter the configure terminal command at the EXEC prompt to enter configuration mode.

Step 12 Enter the config-register command and whatever value you recorded in step 2.

Step 13 Press Ctrl-Z to quit from the configuration editor.

Step 14 Enter the reload command at the privileged EXEC prompt and issue the write memory command to save the configuration.

Password Recovery Procedure 2

Use this procedure to recover lost passwords on the following Cisco routers:

To recover a password using Procedure 2, perform the following steps:

Step 1 Attach a terminal or PC with terminal emulation software to the console port of the router.

Step 2 Enter the show version command and record the setting of the configuration register. It is usually 0x2102 or 0x102.

The configuration register value is on the last line of the display. Note whether the configuration register is set to enable Break or disable Break.


The factory-default configuration register value is 0x2102. Notice that the third digit from the left in this value is 1, which disables Break. If the third digit is not 1, Break is enabled.


Step 3 Turn off the router, then turn it on.

Step 4 Press the Break key on the terminal within 60 seconds of turning on the router.

The rommon> prompt appears. If it doesn't appear, the terminal is not sending the correct Break signal. In that case, check the terminal or terminal emulation setup.


Step 5 Enter the config-register command at the rommon> prompt.

The following prompt appears:


Step 6 Enter yes and press Return:

Step 7 Enter no to subsequent questions until the following prompt appears:

Step 8 Enter yes.

Step 9 Enter no to subsequent questions until the following prompt appears:

Step 10 Enter yes.

The following prompt appears:


Step 11 At this prompt, either enter 2 and press Return if Flash memory or, if Flash memory is erased, enter 1. If Flash memory is erased, the Cisco 4500 must be returned to Cisco for service. If you enter 1, you can only view or erase the configuration. You cannot change the password.

A configuration summary is displayed and the following prompt appears:


Step 12 Answer no and press Return.

The following prompt appears:


Step 13 Enter the reload command at the privileged EXEC prompt or, for Cisco 4500 series and Cisco 7500 series routers, power cycle the router.

Step 14 As the router boots, enter no to all the setup questions until the following prompt appears:

Step 15 Enter the enable command to enter enable mode.

The Router# prompt appears.


Step 16 Choose one of the following options:

Router # configure terminal
Router (config)# enable password 1234abcd
Router (config)# ctrl-z
Router # write memory

Step 17 Enter the configure terminal command at the prompt.

Step 18 Enter the config-register command and whatever value you recorded in step 2.

Step 19 Press Ctrl-Z to quit from the configuration editor.

Step 20 Enter the reload command at the prompt and issue the write memory command to save the configuration.

Recover a Lost Line Password

If your router has the nonvolatile memory option, you can accidentally lock yourself out of enable mode if you enable password checking on the console terminal line and then forget the line password. To recover a lost line password, perform following steps:

Step 1 Force the router into factory diagnostic mode.

See the hardware installation and maintenance publication for your product for specific information about setting the processor configuration register to factory diagnostic mode. Table 6 summarizes the hardware or software settings required by various products to set factory diagnostic mode.


Step 2 Enter Yes when asked if you want to set the manufacturers' addresses.

The following prompt appears:


Step 3 Issue the enable command to enter enable mode:

Step 4 Enter the show startup-config command to review the system configuration and find the password. Do not change anything in the factory diagnostic mode.

Step 5 To resume normal operation, restart the router or reset the configuration register.

Step 6 Log in to the router with the password that was shown in the configuration file.

Note All debugging capabilities are turned on during diagnostic mode.

See the hardware installation and maintenance publication for your product for specific information about configuring the processor configuration register for factory diagnostic mode. Table 6 summarizes the hardware or software settings required by the various products to set factory diagnostic mode.


Table  6: Factory Diagnostic Mode Settings for the Configuration Register
Platform Setting
Modular products Set jumper in bit 15 of the processor configuration register, then restart; remove the jumper when finished.
Cisco AS5100

Cisco 2500 series

Cisco 3000 series

Cisco 4000 series

Cisco 7000 series

 Use the config-register command to set the processor configuration register to 0x8000, then initialize and boot the system. Use the reload command to restart and set the processor configuration register to 0x2102 when finished.

Configure Identification Support

Identification support allows you to query a Transmission Control Protocol (TCP) port for identification. This feature enables an unsecure protocol, described in RFC 1413, to report the identity of a client initiating a TCP connection and a host responding to the connection. With identification support, you can connect a TCP port on a host, issue a simple text string to request information, and receive a simple text-string reply.

To configure identification support, perform the following task in global configuration mode:

Task Command
Enable identification support. ip identd

Authentication Examples

This section describes multiple privilege level and username authentication examples and contains the following sections:

Multiple Levels of Privileges Examples

This section provides examples of using multiple privilege levels to specify who can access different sets of commands.

Allow Users to Clear Lines Examples

If you want to allow users to clear lines, you can do either of the following:

privilege exec level 1 clear line

enable password level 2 pswd2
privilege exec level 2 clear line

Define an Enable Password for System Operators Examples

In the following example, you define an enable password for privilege level 10 for system operators and make clear and debug commands available to anyone with that privilege level enabled.

enable password level 10 pswd10
privilege exec level 10 clear line
privilege exec level 10 debug ppp chap
privilege exec level 10 debug ppp error
privilege exec level 10 debug ppp negotiation

The following example lowers the privilege level of the show running-config command and most configuration commands to operator level so that the configuration can be viewed by an operator. It leaves the privilege level of the configure command at 15. Individual configuration commands are displayed in the show running-config output only if the privilege level for a command has been lowered to 10. Users are allowed to see only those commands that have a privilege level less than or equal to their current privilege level. 

enable password level 15 pswd15
privilege exec level 15 configure
enable password level 10 pswd10
privilege exec level 10 show running-config

Disable a Privilege Level Example

In the following example, the show ip route command is set to privilege level 15. To keep all show ip and show commands from also being set to privilege level 15, these commands are specified to be privilege level 1.

privilege exec level 15 show ip route
privilege exec level 1 show ip
privilege exec level 1 show

Username Examples

The following sample configuration sets up secret passwords on Routers A, B, and C, to enable the three routers to connect to each other.

To authenticate connections between Routers A and B, enter the following commands:

On Router A: 

username B password a-b_secret

On Router B:

username A password a-b_secret

To authenticate connections between Routers A and C, enter the following commands:

On Router A: 

username C password a-c_secret

On Router C:

username A password a-c_secret

To authenticate connections between Routers B and C, enter the following commands:

On Router B: 

username C password b-c_secret

On Router C:

username B password b-c_secret

When you specify encryption type 0 to enter an unencrypted password, the system displays the encrypted version of the password. For example, suppose you enter the following command:

username bill password westward

The system displays this command as follows:

username bill password 7 21398211

The encrypted version of the password is 21398211. The password was encrypted by the Cisco-defined encryption algorithm, as indicated by the "7."

However, if you enter the following command, the system determines that the password is already encrypted and performs no encryption. Instead, it displays the command exactly as you entered it:

username bill password 7 21398211
username bill password 7 21398211


hometocprevnextglossaryfeedbacksearchhelp
Copyright 1989-1997 © Cisco Systems Inc.