Dec 18 2007
 


There are five passwords used to secure your Cisco routers: console, auxiliary, telnet (VTY), enable password, and enable secret. Just as you learned earlier in the chapter, the last two (enable password and enable secret) are used to set the password that secures privileged mode. This will prompt a user for a password when the enable command is used. The other three are used to configure a password when user mode is accessed either through the console port, through the auxiliary port, or via Telnet.

Cisco Router Auxiliary Password Setup

To configure the auxiliary password, go into global configuration mode and type line aux ?. You can see here that you only get a choice of 0–0 (that’s because there’s only one port).

Router#config t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#line aux ?
<0-0> First Line number
Router(config)#line aux 0
Router(config-line)#login
Router(config-line)#password admin

It’s important to remember the login command, or the auxiliary port won’t prompt for authentication. Now watch what happens when you try to set the Aux on the “newer” IOS that Cisco has released:

2600A#config t
Enter configuration commands, one per line. End with CNTL/Z.
2600A(config)#line aux 0
2600A(config-line)#login
% Login disabled on line 65, until ‘password' is set
2600A(config-line)#

Cisco has begun this process of not letting you set the “login” command before a password is set on a line because if you set the login command under a line, and then don’t set a password, the line won’t be usable. And it will prompt for a password that doesn’t exist. So this is a good thing—a feature, not a hassle!

Cisco Router Console Password Setup

To set the console password, use the line console 0 command. But look at what happened when I tried to type line console 0 ? from the aux line configuration: you should receive an error. You can still type line console 0 and it will accept it, but the help screens just don’t work from that prompt. Type exit to get back one level and you’ll find that your help screens now work. This is a “feature.” Really.

Example

Router(config-line)#line console ?
% Unrecognized command
Router(config-line)#exit
Router(config)#line console ?
<0-0> First Line number
Router(config)#line console 0
Router(config-line)# password admin1
Router(config-line)# login

Since there’s only one console port, you can only choose line console 0. You can set all your line passwords to the same password, but for security reasons, I’d recommend that you make them different.

There are a few other important commands to know for the console port.

For one, the exec-timeout 0 0 command sets the timeout for the console EXEC session to zero, which basically means to never time out. The default timeout is 10 minutes. (If you’re feeling mischievous, try this on people at work: Set it to 0 1. That will make the console time out in 1 second! And to fix it, you have to continually press the Down arrow key while changing the timeout time with your free hand!)

logging synchronous is a very cool command, and it should be a default command, but it’s not. It stops annoying console messages from popping up and disrupting the input you’re trying to type. The messages still pop up, but you are returned to your router prompt without your input interrupted. This makes your input messages oh-so-much easier to read.

Here’s an example of how to configure both commands:

Router(config)#line con 0
Router(config-line)#exec-timeout ?
<0-35791> Timeout in minutes
Router(config-line)#exec-timeout 0 ?
<0-2147483> Timeout in seconds

Router(config-line)#exec-timeout 0 0
Router(config-line)#logging synchronous

Cisco Router Telnet Password Setup

To set the user-mode password for Telnet access into the router, use the line vty command. Routers that aren’t running the Enterprise edition of the Cisco IOS default to five VTY lines, 0 through 4. But if you have the Enterprise edition, you’ll have significantly more. The best way to find out how many lines you have is to use that question mark:

Router(config-line)#line vty 0 ?
<1-4> Last Line Number

Router(config-line)#line vty 0 4
Router(config-line)# password admin2
Router(config-line)# login

You may or may not have to set the login command before the password on the VTY lines—depends on the IOS version. The result is the same either way.

So what will happen if you try to telnet into a router that doesn’t have a VTY password set? You’ll receive an error stating that the connection is refused because, well, the password isn’t set. So, if you telnet into a router and receive this message

Router#telnet SFRouter
Trying SFRouter (10.0.0.1)...Open
Password required, but none set
[Connection to SFRouter closed by foreign host]
Router#

then the remote router (SFRouter in this example) does not have the VTY (telnet) password set. But you can get around this and tell the router to allow Telnet connections without a password by using the no login command

Router(config-line)#line vty 0 4
Router(config-line)#no login

After your routers are configured with an IP address, you can use the Telnet program to configure and check your routers instead of having to use a console cable. You can use the Telnet program by typing telnet from any command prompt (DOS or Cisco).
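
An added example, not part of the original article: a small Python check that reads the line sections of a saved configuration and flags the situations described above (login without a password, no login, exec-timeout 0 0, and one password reused across lines). The sample configuration is constructed, and the check assumes passwords are stored as typed, as in the transcripts above.

```python
# Constructed sample of the "line" sections of a saved config (not from a real device).
SAMPLE_CONFIG = """\
line con 0
 exec-timeout 0 0
 password admin1
 logging synchronous
 login
line aux 0
 login
line vty 0 4
 password admin1
 no login
"""

def parse_lines(config):
    """Return {line header: [subcommands]} for every 'line ...' block."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw.strip()
            blocks[current] = []
        elif raw.startswith(" ") and current:
            blocks[current].append(raw.strip())
        else:
            current = None  # any unindented line ends the block
    return blocks

def audit(config):
    """Flag the line settings the article warns about; returns (header, issue) pairs."""
    findings, seen = [], {}
    for header, cmds in parse_lines(config).items():
        pw = next((c.split(None, 1)[1] for c in cmds if c.startswith("password ")), None)
        if "no login" in cmds:
            findings.append((header, "no login: access granted without a password"))
        elif "login" in cmds and pw is None:
            findings.append((header, "login without a password: line is unusable"))
        if "exec-timeout 0 0" in cmds:
            findings.append((header, "exec-timeout 0 0: session never times out"))
        if pw is not None and pw in seen:
            findings.append((header, "same password as " + seen[pw]))
        elif pw is not None:
            seen[pw] = header
    return findings

if __name__ == "__main__":
    for header, issue in audit(SAMPLE_CONFIG):
        print(header + ": " + issue)
```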


 Posted by at 8:56 am
  • francis

    this should be in this order:
    Router(config-line)#line vty 0 4
    Router(config-line)# login
    Router(config-line)# password admin2

  • noobiew

    I have a problem, can anyone tell me why my router can’t accept login command ?

    I am getting incomplete command error message.

    —————————————————————–
    Router(config)#line console 0
    Router(config-line)#password cisco
    Router(config-line)#login
    % Incomplete command.

    Router(config-line)#login ?
    authentication Authentication parameters.
    ctrlc-disable Disable CONTROL-C during login.
    —————————————————————–

    Can someone help me on this, thanks a lot

  • Thiyagu

    Hi, I know that you might have configured the password prior to doing this. If not, can you please try to configure “login” command after you set the password globally ?

    Thanks,
    G Thiyagu

  • tressor

    console:
    (config)#line con 0
    (config-line)#password cisco
    (config-line)#login
    (config-line)#

    telnet:
    (config)#line vty 0 4
    (config-line)#password cisco
    (config-line)#login
    (config-line)#

    (config)#int vlan1
    (config-if)#ip address 172.16.0.1 255.255.0.0
    (config-if)#no shutdown

    http://www.cisco.com/en/US/products/sw/iosswrel/ps1818/products_configuration_example09186a0080204528.shtml

  • Shadow

    For noobiew

    If the router will scream at you

    Router(config-line)#login ?
    authentication Authentication parameters.
    ctrlc-disable Disable CONTROL-C during login.

    you probably have AAA enabled (you have aaa new-model in your config)

    You need to create a method list, I’ll recommend sticking with the default;

    aaa authentication login default local

    On vty / console
    login authentication default

    Hope that was helpful.

  • http://www.gmail.com sumit

    how configure host name in router

  • Admin

    log in to config mode and use hostname command

    router#conf t
    Router(config)#hostname yourchoiceofhostname

    finally

    Router(config)#wr

  • alam

    I want to access my router remotely by name instead of IP address.
    So how to configure the router to take telnet by name.

    Please assist me.

    regards,
    Alam

  • Shawn

    Alam, the router does not care what your client tries to telnet to, be it an ip address or name. What you are trying to do is set up name resolution on your client. There are two ways to do this.

    The easiest way, if you use the same client machine to telnet into your router all the time, is to edit the hosts file on your client computer to associate the name of your router with the ip address of that same router. Once you do this, connecting to “Router-name” and the associated ip address will have the same effect.

    The other way, if you and a bunch of other people need access to this router, is to add an entry in your DNS server for the name of the router and any (or all) ip addresses that it should be reachable from. If you do not manage your own DNS server, you will have to ask the administrator to do this for you.

    Remember, you can have more than one ip address associated with a router, for instance an external and an internal. Make sure you specify all ip addresses you want to be reachable as separate host file entries or DNS aliases.

  • http://N/WEngg.ofNIC,Simdega MANISH SRIVASTAVA

    console:
    (config)#line con 0
    (config-line)#password cisco
    (config-line)#login
    (config-line)#

    telnet:
    (config)#line vty 0 4
    (config-line)#password cisco
    (config-line)#login
    (config-line)#

    (config)#int vlan1
    (config-if)#ip address 172.16.0.1 255.255.0.0
    (config-if)#no shutdown

  • mian iftikhar ahmad

    When I access my router’s global configuration mode via terminal it gives a message that this mode is blocked, so can anyone tell me what the problem is and how to remove it in order to access it
    thanks

  • http://www.buyatnectar.com Tushar

    These are used to configure a password when user mode is accessed either through the console port, through the auxiliary port, or via Telnet.

    Telnet – VTY 0 4

    (Config)#line vty 0 4
    (Config)#password cisco
    (Config)#login

    Console – Con 0

    (Config)#line con 0
    (Config)#password cisco
    (Config)#login

    Auxiliary – aux 0

    (Config)#line aux 0
    (Config)#password cisco
    (Config)#login

  • khaled

    Hi, how are you? Please, I want you to help me with networking and how to do subnetting for class A, B, E and router configuration commands for two or more than two routers, and explain how to do it

    so thank you for help

  • sonam dorji

    Please can anyone help me in this matter…

    i already have password on line vty 0 4
    but i want to change the password of that ….

    i have done like this
    config ter
    line vty 04
    password cisco
    login but here it is not working, it shows incomplete command

  • Kofi

    Hello Dear All,

    Through TELNET I can access my router, I can change the VTY 0 4 (Telnet) but cannot set the password for privileged mode

    Router# #enable password cisco
    Router# #do write to save the configuration

    Router accepted the command but the password will be not set to router,

    please coordinate me in this problem
    thanks

  • Sunny

    When conf. the console and vty what is the difference between “login” and “login local”?

    Cheers

  • Tina Brown

    hi people please help me with IGRIP configs

  • Oscar

    Hi guys,

    Nice post, you can see more options about security for telnet access here at http://n3networkweb.com/cisco-telnet-access-enhance-security-applying-acl/.

    See you

  • Kehowell1

    Thank you for your help!