
5.3 - Configuring Local Password Access Control

Tor's Tech Talk

Greetings, Tech Talkers!


This is Tor, your trusted network engineering uplink! Today, we're focusing on a fundamental aspect of network security—Configuring Local Password Access Control on Cisco devices. Controlling access to network devices is crucial to prevent unauthorized changes and protect your network infrastructure.


In this article, we'll explore how to set up local user accounts, secure access lines, and implement password policies on Cisco routers and switches. By the end, you'll have the knowledge to enhance the security of your devices through proper password configuration.


Let's get started!


Understanding Local Password Access Control


Local Password Access Control involves configuring passwords directly on the device to authenticate users who attempt to access it. This includes securing:


  • Console Access: Physical connection to the device.

  • Auxiliary (AUX) Port Access: Often used for modem connections.

  • Virtual Terminal (VTY) Access: Remote connections via Telnet or SSH.


Implementing strong password controls helps protect devices from unauthorized access, both locally and remotely.


Configuring Passwords on Cisco Devices


  1. Setting the Enable Password


The enable password protects access to privileged EXEC mode (also known as enable mode), where configuration changes can be made.


Using 'enable password' (unencrypted):

Router(config)# enable password [password]

Using 'enable secret' (encrypted and recommended):

Router(config)# enable secret [password]

Example:

Router(config)# enable secret StrongEnableP@ssw0rd

Note: The `enable secret` password is stored in the configuration as an MD5 hash (Type 5) rather than in clear text, making it more secure than `enable password`.


  2. Securing Console Access


Configure a password for console access and enable login authentication.

Router(config)# line console 0
Router(config-line)# password [password]
Router(config-line)# login
Router(config-line)# exit

Example:

Router(config)# line console 0
Router(config-line)# password ConsoleP@ssw0rd
Router(config-line)# login
Router(config-line)# exit

  3. Securing VTY (Telnet/SSH) Access


Configure passwords for VTY lines to control remote access.

Router(config)# line vty 0 4
Router(config-line)# password [password]
Router(config-line)# login
Router(config-line)# exit

Example:

Router(config)# line vty 0 4
Router(config-line)# password VtyP@ssw0rd
Router(config-line)# login
Router(config-line)# exit

Note: For SSH access, it's recommended to use local user accounts instead of line passwords (covered later).


  4. Securing AUX Port Access


If the device has an auxiliary port:

Router(config)# line aux 0
Router(config-line)# password [password]
Router(config-line)# login
Router(config-line)# exit

Example:

Router(config)# line aux 0
Router(config-line)# password AuxP@ssw0rd
Router(config-line)# login
Router(config-line)# exit

Using Local User Accounts for Authentication


Creating local user accounts provides better control and allows for individual user credentials.


Creating a Local User Account:

Router(config)# username [username] privilege [level] secret [password]

Example:

Router(config)# username admin privilege 15 secret UserP@ssw0rd

privilege 15: Grants full access to privileged EXEC mode.
secret: Stores the password as a hash rather than in clear text (the same protection as `enable secret`).

Configuring VTY Lines to Use Local Authentication:

Router(config)# line vty 0 4
Router(config-line)# login local
Router(config-line)# transport input ssh
Router(config-line)# exit

login local: Uses the local user database for authentication.
transport input ssh: Restricts access to SSH only (recommended for security, since Telnet sends credentials in clear text).

Configuring Console Line to Use Local Authentication (Optional):

Router(config)# line console 0
Router(config-line)# login local
Router(config-line)# exit

Implementing Password Policies


To enhance security, implement password policies such as minimum length, password encryption, and login failure penalties.


  1. Setting Minimum Password Length

Router(config)# security passwords min-length [length]

Example:

Router(config)# security passwords min-length 8

  2. Encrypting Plain Text Passwords


Enable password encryption to prevent passwords from appearing in plain text in the configuration file.


Router(config)# service password-encryption

Note: This uses a weak, reversible encoding (Type 7) that only hides passwords from casual viewing of the configuration. Use `enable secret` and `username ... secret`, which store a hash instead, for real protection.


  3. Configuring Login Failure Penalties


Set login parameters to protect against brute-force attacks.


Router(config)# login block-for [seconds] attempts [number] within [seconds]

Example:


Router(config)# login block-for 60 attempts 3 within 120

Explanation:


Blocks all further login attempts for 60 seconds once 3 failed attempts occur within a 120-second window.
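To see how those three numbers interact, here is an added Python model of the quiet-mode behaviour described above (illustration code, not Cisco IOS). It assumes failures are counted in a sliding `within` window, that reaching `attempts` failures starts a `block-for` quiet period in which every login, even with correct credentials, is refused, and that the counter is cleared when the quiet period ends; hosts exempted by a quiet-mode ACL are not modelled.

```python
class LoginWatchdog:
    """Model of `login block-for <block_for> attempts <attempts> within <within>`."""

    def __init__(self, block_for, attempts, within):
        self.block_for = block_for
        self.attempts = attempts
        self.within = within
        self.failures = []        # timestamps of recent failed logins
        self.quiet_until = None   # end of the current quiet period, if any

    def in_quiet_mode(self, now):
        return self.quiet_until is not None and now < self.quiet_until

    def attempt(self, now, credentials_ok):
        """Return 'ok', 'denied' or 'blocked' for a login attempt at time `now`."""
        if self.in_quiet_mode(now):
            return "blocked"          # refused even when the password is right
        if self.quiet_until is not None:
            self.quiet_until = None   # quiet period is over: start counting afresh
            self.failures = []
        if credentials_ok:
            return "ok"
        self.failures.append(now)
        # keep only the failures that fall inside the sliding window (assumption)
        self.failures = [t for t in self.failures if now - t < self.within]
        if len(self.failures) >= self.attempts:
            self.quiet_until = now + self.block_for
        return "denied"


def demo():
    """Run the article's `login block-for 60 attempts 3 within 120` over a timeline.

    Constructed timeline of (seconds, credentials_ok): three failures spread over
    130 s do not trip the penalty, a fourth at 140 s does, a correct password at
    190 s is still blocked, and the device accepts logins again at 201 s.
    """
    w = LoginWatchdog(block_for=60, attempts=3, within=120)
    timeline = [(0, False), (50, False), (130, False), (140, False), (190, True), (201, True)]
    return [(t, w.attempt(t, ok)) for t, ok in timeline]
```

Call `demo()` to get the decision for each attempt; the third failure at 130 s does not trigger the block because the first failure at 0 s has already aged out of the 120-second window.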


  4. Displaying a Login Banner


Display a message to unauthorized users (e.g., legal warning).


Router(config)# banner login #
Unauthorized access is prohibited. All activities are monitored.
#

The `#` after `banner login` is the delimiting character; the banner text ends at the next `#`, so the closing delimiter is required.

Verifying Password Configuration


Show Commands:


View User Accounts:

Router# show running-config | include username

Check Password Encryption Status:

Router# show running-config | include service password-encryption

View Line Configurations:

Router# show running-config | section line

Test Login Authentication:


Attempt to log in via console or SSH to verify that authentication is working as intended.
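As an added example (not part of the article), a small Python audit that applies the checks from this article to saved `show running-config` output, so the verification above can be repeated across many devices. The sample configuration is constructed for the demonstration and the finding wording is my own.

```python
import re

# Constructed sample of a `show running-config` excerpt (not a real device)
# that contains several of the weaknesses this article warns about.
SAMPLE_CONFIG = """\
hostname R1
enable password Cisco123
username admin privilege 15 password 0 UserP@ssw0rd
username ops privilege 15 secret 5 $1$placeholder$hashgoeshere
line con 0
 password ConsoleP@ssw0rd
 login
line aux 0
line vty 0 4
 password VtyP@ssw0rd
 login
 transport input telnet ssh
"""

def audit_config(text):
    """Return a list of findings for the password controls covered above."""
    findings = []
    flags = re.M
    if re.search(r"^enable password ", text, flags) and not re.search(r"^enable secret ", text, flags):
        findings.append("enable password configured without enable secret")
    for m in re.finditer(r"^username (\S+)(?: privilege \d+)? password\b", text, flags):
        findings.append(f"username {m.group(1)} uses 'password' instead of 'secret'")
    if not re.search(r"^service password-encryption", text, flags):
        findings.append("service password-encryption is not enabled")
    if not re.search(r"^login block-for ", text, flags):
        findings.append("no login block-for penalty configured")
    if not re.search(r"^security passwords min-length ", text, flags):
        findings.append("no minimum password length configured")
    # Each `line ...` stanza is followed by its indented settings; IOS prints
    # `line console 0` as `line con 0` in the running configuration.
    for m in re.finditer(r"^line (\S+ [\d ]+)\n((?: .*\n?)*)", text, flags):
        name, body = m.group(1).strip(), m.group(2)
        if not re.search(r"^ login", body, flags):
            findings.append(f"line {name}: no 'login' or 'login local', so no password is asked for")
        elif not re.search(r"^ login local", body, flags):
            findings.append(f"line {name}: uses a shared line password rather than local user accounts")
        if name.startswith("vty"):
            t = re.search(r"^ transport input (.+)$", body, flags)
            if t is None or "telnet" in t.group(1) or t.group(1).strip() == "all":
                findings.append(f"line {name}: transport input not restricted to ssh")
    return findings
```

Running `audit_config(SAMPLE_CONFIG)` lists nine findings for the sample, and an empty list means every check in this article passed.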


Best Practices for Password Access Control


Use Strong Passwords:


  • Combine uppercase and lowercase letters, numbers, and special characters.

  • Avoid common words and personal information.


Implement AAA with External Servers:


  • For larger networks, consider using RADIUS or TACACS+ servers for centralized authentication.


Regularly Update Passwords:


  • Enforce password expiration policies and encourage users to change passwords periodically.


Disable Unused Services and Interfaces:


  • Limit access points to the device to reduce potential attack vectors.


Limit Login Attempts:


  • Configure login penalties to prevent brute-force attacks.


Backup Configurations Securely:


  • Ensure backups are stored securely to prevent unauthorized access to configuration files.


Troubleshooting Access Issues


Common Problems:


Unable to Log In:


  • Verify that passwords and usernames are correctly configured.

  • Ensure that `login` or `login local` is set on the appropriate lines.


Passwords Not Encrypted:


  • Confirm that `service password-encryption` is enabled.

  • Remember that only certain passwords are affected by this command.


Access Denied Errors:


  • Check for typos in passwords.

  • Ensure that the user has the correct privilege level.


Useful Commands:


Show Users Logged In:

Router# show users

Debug Authentication Issues:

Router# debug aaa authentication

(Use debug commands with caution in production environments.)


Wrapping It Up


Configuring local password access control is a fundamental step in securing your network devices. By implementing strong passwords, local user accounts, and enforcing password policies, you enhance the overall security posture of your network infrastructure.


Until next time, Tech Talkers, keep your access controlled and your networks secure!


Thanks,


Tor – Your trusted network engineering uplink
