There are 5 types of passwords:
enable secret, enable, aux, console, vty (telnet)
to set an enable password: enable password password
to set an enable secret password: enable secret password
The “enable secret” password is encrypted by default – but the “enable” password is not
The three line passwords are also not encrypted by default
These two commands encrypt all four passwords at once. Oddly, you have to issue the command and then turn it off again. Go to config mode and type:
service password-encryption
no service password-encryption
Encrypted password (if you type “sh run” the password is shown as a bunch of encrypted text) that is set in config mode, and takes precedence over the enable password (if one is set).
To enable a password for Privileged Mode:
1) get into config mode
2) type: enable secret password - substitute in your own password
- for example, “enable secret midnight1”
At this point, once you log out, to re-enter privileged mode you will be prompted to enter the password.
To disable the Privileged EXEC mode password:
1) get into config mode
2) type: no enable secret (you do not need to enter the password to disable it)
Unencrypted password (if you type “sh run” the password is shown in the clear). The enable password is used when there is no enable secret password. It is only used with older IOS (pre 10.3), and can only be encrypted by issuing an additional “service password-encryption” command. This password can be set up in setup or config mode as follows:
enable password password
Aux (dial-up into the router via modem) is rarely used, while console is to grant access to a laptop with a serial cable connected to the router’s console port, and vty is to grant access to a remote user trying to telnet into the router. Three commands are needed to set up a password: line, login, and password. Two commands are needed to remove a password: line and no login. You do not need to re-enter the password when disabling it.
To see the options with the line command, as well as the numerical options, go to config mode and type: line ?
You will see the following response :
<0-6> First Line Number
aux Auxiliary Line
console Primary Terminal Line
vty virtual terminal
The <0-6> first line numbers correspond to seven “virtual lines”, which are needed as part of the other line commands (you need to tell the router which number you are assigning to a line). These lines are input lines that the user can access, and as such, can be protected with passwords.
NOTE: by default, console does not require a password, but both aux and vty do require a password to be set before access can be granted.
vty password (Telnet only)
This sets up a “user mode” password which will be necessary for anyone trying to telnet into the router (actually, you must set up a user mode password in order to enable the Telnet feature). Telnet is the ability to log in and configure the router from a remote dial-up Telnet connection. You need to protect this feature by setting a vty password, while in config mode. There are three steps:
1) assign virtual lines to the telnet feature using the line command. Within the command, you need to type in the range (enter the first and last line number) of lines that will be captured and assigned the same password. Only five of the seven lines can be used for Telnet. By assigning all five of them, when someone telnets into the router, all 5 lines will be available. For example: “line vty 0 4”
2) set the authentication ON which means the user will be presented with a prompt (enable the login by typing “login”) – you can disable the authentication by typing “no login”
3) set the password by typing “password password” (for example, “password onion”). You want to use the same password for all lines, because when someone telnets in they have no control over which line is offered to them.
line vty 0 4 (set up all 5 vty lines, 0 through 4, for a Telnet password)
login (tell the router to display a prompt)
password onion (assigns the password)
Now if anyone tries to telnet in, they will be asked to enter the password, “onion”.
NOTE: the reason you always want to configure all 5 telnet lines at once with the same password is that when someone telnets in, they never know which line they will be coming in on.
line vty 0 4
line aux 0
Console Password (must be in config mode to set – must use line 0)
Router(config)# line con 0
Router(config-line)# login
Router(config-line)# password onion
NOTE: notice how the prompt changes to an extended mode – this is one of the few extended modes that is not the “int” (interface) mode
To remove a password (line, then no login):
line aux 0
no login
or for the Console Password
line con 0
no login
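As an added example (not part of these notes), here is a small Python audit script that reads “sh run” text and reports the weak settings described above: an enable password left beside an enable secret, passwords stored in the clear, service password-encryption switched off, and a vty line with no login. The config text and passwords are constructed for the example; note that service password-encryption only obfuscates (type 7 is reversible), so enable secret is the one that is actually hashed.

```python
# Constructed "show run" excerpt (not from a real device); passwords are placeholders.
SAMPLE_RUN = """no service password-encryption
enable secret 5 $1$abcd$PLACEHOLDERHASH
enable password midnight1
line aux 0
 login
 password onion
line vty 0 4
 login
 password onion
"""
TYPE7 = "7 "  # prefix written by 'service password-encryption': reversible obfuscation, not a hash

def parse_config(text):
    cfg = {"encrypt": False, "secret": False, "enable_pw": None, "lines": {}}
    current = None
    for raw in text.splitlines():
        if not raw.startswith(" "):
            current = None                       # a non-indented line ends the 'line' sub-mode
        cmd = raw.strip()
        if cmd == "service password-encryption":
            cfg["encrypt"] = True
        elif cmd.startswith("enable secret "):
            cfg["secret"] = True
        elif cmd.startswith("enable password "):
            cfg["enable_pw"] = cmd[len("enable password "):]
        elif cmd.startswith("line "):
            current = cmd[5:]                    # e.g. "con 0", "aux 0", "vty 0 4"
            cfg["lines"][current] = {}
        elif current and cmd:
            key, _, val = cmd.partition(" ")     # "login" -> True, "password onion" -> "onion"
            cfg["lines"][current][key] = val or True
    return cfg

def audit(cfg):
    out = []
    if cfg["enable_pw"] is not None:
        if cfg["secret"]:
            out.append("enable password is ignored while enable secret is set; remove it")
        if not cfg["enable_pw"].startswith(TYPE7):
            out.append("enable password is stored in clear text")
    if not cfg["encrypt"]:
        out.append("service password-encryption is off: line passwords appear in clear in 'sh run'")
    for name, ln in cfg["lines"].items():
        if name.startswith("vty") and not ln.get("login"):
            out.append(f"line {name}: no login, so telnet users get in without any password")
        if (pw := ln.get("password")) and not pw.startswith(TYPE7):
            out.append(f"line {name}: password stored in clear text")
    return out
```

Run `audit(parse_config(open("running-config.txt").read()))` against a saved copy of your own “sh run” output to get the list of findings.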