In this lesson, we’ll take a look at how you can secure user mode and privileged (enable) mode. By default, there is no authentication required. If you connect a Cisco console cable to your switch or router, here’s what happens:
Switch con0 is now available Press RETURN to get started. Switch>
Once you press the enter button, we end up in user mode right away. There’s no password or anything. The same thing applies to the enable mode:
We have full access right away. This is something you might want to change, which is what I’ll explain in this lesson.
User Mode Security
Let’s start with user mode.
The most simple option to protect user mode is to add a password. Here’s how to do this:
Switch(config)#line console 0
First, we need to enter the console settings. Here’s where we have to add two commands:
Switch(config-line)#password cisco Switch(config-line)#login
We configure a password (cisco) and use the login command to tell Cisco IOS to prompt for this password. Next time you open the console, this will happen:
Switch con0 is now available Press RETURN to get started. User Access Verification Password: Switch>
The CLI will ask you for the password. At least we have some form of authentication but we can do better…
Username and Password
Instead of a single password, it’s also possible to use usernames and passwords instead. This is a better option if you have multiple people that need to access your router or switch. Here’s how to do this:
Switch(config)#line console 0 Switch(config-line)#login local Switch(config-line)#exit Switch(config)#username admin password cisco
Under the console settings, we use the login local command to tell the switch to refer to a local database of usernames and passwords for authentication. In the global config, we create a username “admin” with password “cisco”.
Next time you open the console, here’s what you see:
Switch con0 is now available Press RETURN to get started. User Access Verification Username: admin Password: Switch>
The switch asks for our username and password.
Enable Mode Security
What about enable mode / privileged mode? We can also add a password there. You need to do this from the configuration mode:
Now we can set a password for enable mode:
Switch(config)#enable password cisco
Let’s see if our password “cisco” works. Let’s get out of enable mode:
And jump right back in:
The switch now asks for the password.
In the examples above, we used passwords but there is one problem…they all show up in clear text in our configuration. Take a look below:
Switch#show running-config | include password no service password-encryption enable password cisco username admin password 0 cisco
It’s all clear text. If someone steals one of your switches or routers, they will have your passwords. If you ever backup your configuration and forget to remove the passwords, same problem.
Cisco IOS has a command that lets you encrypt all clear text passwords in your configuration. Here’s how:
The service password-encryption command will encrypt every password that is plain text. Here you can see the result:
Switch#show running-config | include password service password-encryption enable password 7 13061E010803 username admin password 7 110A1016141D
Now you might get a warm fuzzy feeling that everything is encrypted but in reality, this is a very poor (broken) encryption algorithm. There are websites that let you decrypt these encrypted strings on the fly. If you want to try this, here’s one of those websites.
We need something stronger…
Cisco IOS supports something called a secret as an alternative to the password. Let’s try this for the enable mode:
Switch(config)#enable secret ? 0 Specifies an UNENCRYPTED password will follow 5 Specifies a MD5 HASHED secret will follow 8 Specifies a PBKDF2 HASHED secret will follow 9 Specifies a SCRYPT HASHED secret will follow LINE The UNENCRYPTED (cleartext) 'enable' secret level Set exec level password
Above you can see this switch supports MD5, PBKDF2 and SCRYPT hashes. Older IOS devices only support MD5 authentication.
Let’s give this a try:
Switch(config)#enable secret cisco
Our secret will be “cisco”. Let’s see what we find in the configuration:
Switch#show running-config | include secret enable secret 5 $1$CANW$U9Y8O6KeFhrFR4l1Qo07h/
You now find an MD5 hash in the configuration. The “5” that you see behind “enable secret” is the algorithm that we use, 5 means MD5.
MD5 is not considered secure nowadays. It’s very easy to brute force simple passwords. For example, try this website for the MD5 hash that was created for my secret “cisco”. It will only take a few seconds to recover.
Let’s try one of the other algorithms that are considered secure nowadays. Here’s how you can select the algorithm for the enable mode:
Switch(config)#enable algorithm-type ? md5 Encode the password using the MD5 algorithm scrypt Encode the password using the SCRYPT hashing algorithm sha256 Encode the password using the PBKDF2 hashing algorithm
Let’s try the PBKDF2 (SHA256) hashing algorithm:
Switch(config)#enable algorithm-type sha256 secret cisco
When we look at our configuration, we’ll see the new hash:
Switch#show running-config | include secret enable secret 8 $8$dvX/fx/FJ0Snk2$HhqrOUaEtBgk4zJvG2IQuAJNUicZmmELelC/L6.Fcl2
The “8” behind “enable secret” refers to the PBKDF2 hashing algorithm that we used.
In the example above I changed the hashing algorithm for the enable mode but we can also do this for usernames. Here’s an example:
Switch(config)#username rene algorithm-type sha256 secret cisco
My username now uses SHA256 as well for password “cisco”. Here’s what it looks like:
Switch#show running-config | include rene username rene secret 8 $8$dyzsAmZjA3w.aY$YBZn8LBI6CK04ij5ZmqQ/88OrFdc3jzGb6v7SSQI0cw
External Authentication Servers
Configuring usernames and secrets on your Cisco IOS devices is a good practice but one issue we have is scalability. If you have a network with multiple devices, you will have to configure your usernames/secrets on all devices. If you change your password, you have to do it on all devices.
In larger networks, we typically use authentication servers called RADIUS or TACACS+ servers. On these servers, we configure our usernames. When someone tries to access the console or enable mode on one of your switches or routers, they check the credentials on the authentication server.
This allows you to keep your authentication centralized. This is something we will cover in other lessons.
You have now learned how to protect the user and enable mode of your Cisco IOS devices. Make sure you use “secret” instead of plain text passwords and if possible, use a stronger hashing algorithm than the default MD5.
In most of the switches 2960X I dont have the option of login lor login local.
It only appears the option login authentication default that requires a list for login
It seems they changed this a bit on IOS 15.x. You can find an example here:
Once aaa new-model is enabled, you can use the login command:
Try this on a test switch first, usually when you mess around with AAA it’s easy to lock yourself out
I’ve been looking into passwords/secrets on Cisco devices, and am a bit confused regarding how to configure the best practice (most secure) password type.
I’ve successfully configured type 7 passwords on devices, enabled password encryption (so they don’t show as plain text in the config) then have been able to SSH to the device using those credentials.
However I’ve read that type 7 passwords are not secure, and using an online crack tool was easily able to crack my encrypted type 7 passwords. When I search online regarding this everyone says to u... Continue reading in our forum
Currently, the most secure method for encrypting passwords in your Cisco IOS devices is using a type 8 or type 9 encryption which use PBKDF2-SHA-256 and scrypt respectively. These are currently the most secure types, but must be supported by the IOS you are using. For more info about the various types, take a look at the following post on Cisco’s learning network:
As for how to use one of these for SSH, I was able to create a user with a secret using type 5 like so:
... Continue reading in our forum
Thanks for the response!
I tried again configuring the secret 5 with a username using your instructions, and I can SSH successfully from another device now – not sure what went wrong last time.
I tried the stronger encryption method mentioned by Rene in the article, however the commands don’t exist on the router I’m using, so I assume it requires a newer IOS version.
According to the Cisco document you linked, the secret 5 can be cracked but would take a long time – therefore I assume it’s “good enough” to use in a production environment. Would that be... Continue reading in our forum