Wednesday, September 29, 2004

Handle basic password management on your Cisco router

Changing password defaults to boost security

By default, your Cisco router is set to use an Enable password. This password is unencrypted, however, so you should avoid using it. To tighten your router security, you can set an Enable Secret password, which is encrypted. When set, the Enable Secret password takes precedence over the Enable password. The router will use the latter only if the former hasn't been set.

To set an Enable Secret password, you'll need to switch to Privileged Exec mode. You can then go into Terminal Configuration mode (or Global Configuration mode) to change the router configuration, in this case to set or change the password. To enter Global Configuration mode, use this command:

Router#config t

Note that the "t" is short for "terminal." When you press [Enter], you'll see this prompt:

Router(config)#

Now you're ready to enter your Enable Secret password. (Remember that Cisco router passwords are case-sensitive.) Let's say you want to use the password BigSecret. Here's how to set it:

Router(config)#enable secret BigSecret

You should always end your configuration session by pressing [Ctrl]Z, so hit that key combination after entering the command. To test your new password, type disable at the router prompt to return to the User Exec prompt (>). Now go back into Privileged Exec mode by typing enable. This time, you'll be prompted for a password, the Enable Secret password you just set up:

Router>enable
Password:

Setting other key passwords

Another important password is the Virtual Terminal (vty) password. Unless this password is set, you can't telnet into the router. To set the password, go into Global Configuration mode again. Here are the commands to create the password alsosecret:

Router(config)#line vty 0 4
Router(config-line)#login
Router(config-line)#password alsosecret
Router(config-line)#^Z

The 0 and 4 in the first command line indicate that the password will apply to all five available vty lines, from 0 to 4. The ^Z in the last command line is what appears if you press [Ctrl]Z.

To gain access to the router via its console port, you'll have to set up a console password as follows (again in Global Configuration mode):

line con 0
login
password anothersecret

Use a 0 in the first command line and end your configuration session with [Ctrl]Z.

To save all these configuration changes so that they're still in effect the next time the router is restarted, you should copy the router's running configuration to its startup configuration. To do so, you must be in Privileged Exec mode. Using the abbreviated form for the commands running-configuration and startup-configuration, issue the following command:

RouterName#copy run start

Press [Enter], and it's done.

Working around forgotten passwords

What if you forget the encrypted Enable Secret password? Or maybe you don't have access to it to start with because the admin who configured the router has left the company or can't remember the password. That does happen.

The trick is to bypass the router's startup configuration, located in nonvolatile RAM (NVRAM), at boot time. To do that, you must connect to the router via its console port and get into what is known as ROM monitor mode (ROMMON mode). This is the key to the lost password kingdom.

The recovery procedure differs depending on router model. For details of the different procedures, check out Cisco's site. Be sure to find the correct procedure for your router model before attempting the recovery. To give you a general idea of how the process works, we'll look at how to recover the Enable Secret password for the 2500 and 4000 series routers.

First, turn off the router and connect a computer to the router's console port using the RJ-45-to-RJ-45 rollover cable and an RJ-45-to-DB-9 or RJ-45-to-DB-25 adapter, which is normally supplied with the router. Next, fire up terminal emulation software (such as HyperTerminal, which is usually shipped with Windows) and configure the settings like this:

9600 baud
8N1
No flow control
No parity

Turn on the router, and within 60 seconds, press the emulation software's [Break] key. In the case of HyperTerminal, it's [Ctrl][F6][Break].

If the Break command was successful, you should see the prompt:

rommon>

or just:

>

depending on your router model. You're now in ROMMON mode. If you're at the rommon> prompt, type the command:

confreg

If you're at the > prompt, type the command:

o/r 0x2142

After issuing the command confreg, you'll see the router's current settings and you'll be asked:

Do you wish to change the configuration? y/n [n]:

Press y to select yes. Choose the default answers to the other questions (press [Enter] or n, for no) until you're asked:

Ignore system config info? y/n [n]:

Press y. This is the crucial question, as you're actually being prompted about changing a configuration register bit, the key to what we're trying to achieve. Answering yes will set the bit to 1, which is what we want to do.

Accept the defaults for the rest of the prompts until you're asked whether you want to change the configuration. This time, press n. You'll now be told that you have to reset or power-cycle for the new configuration to take effect. Issue the command reload, or power off and back on again.

If you issued the command o/r 0x2142 instead of confreg, you'll go through a similar procedure and have to reboot. Do this with the command:

i

or:

initialize

At this point, you have access to the router without being prompted for the Enable Secret password. After restarting, the router will prompt you about entering Setup mode. Press n. Now you're ready to go into Privileged Exec mode by typing enable (or just en) at the prompt. Notice that you aren't prompted for the Enable Secret password.

You can copy the startup configuration to the running configuration if you still want to use the configuration that's in NVRAM. We'll run through the process so we can see that lost Enable Secret password. To load the configuration, use the command:

RouterName#copy start run

and then type:

RouterName#show run

All will be revealed (including some other information about your running configuration).

Now you can change your Enable Secret password, as described above. Then restore the configuration register to its original value using the following commands:

RouterName(config)#config-reg 0x2102
RouterName(config)#end

Save changes to the configuration with the command:

RouterName#copy run start

Finally, restart the router and your work is done.
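The checks this article walks through (an Enable Secret set rather than the unencrypted Enable password, login and password on the vty and console lines, and the configuration register restored to 0x2102 after a recovery) can be audited offline against saved command output. The script below is an added example, not code from the article or from Cisco; the running-config and "show version" text it reads are constructed samples, and the audit() function and its messages are my own.

```python
import re

# Constructed sample output, not taken from the article: a running-config
# with the weak settings the article warns about, plus the line of
# "show version" that reports a register still at 0x2142 after a recovery.
RUNNING_CONFIG = """\
hostname Router
enable password BigSecret
!
line con 0
 password anothersecret
 login
line vty 0 4
 login
!
end
"""
SHOW_VERSION_TAIL = "Configuration register is 0x2142"

def audit(running_config, show_version):
    """Return a list of findings about enable/line passwords and the register."""
    findings = []
    if not re.search(r"^enable secret ", running_config, re.M):
        findings.append("no enable secret: router falls back to the enable password")
    if re.search(r"^enable password ", running_config, re.M):
        findings.append("enable password present: unencrypted, remove it once enable secret is set")
    # Walk each 'line' stanza: indented commands belong to the preceding 'line'.
    stanza, lines = None, {}
    for text in running_config.splitlines():
        if m := re.match(r"^line (con|aux|vty)( [\d ]+)?$", text):
            stanza = m.group(0)[5:]
            lines[stanza] = set()
        elif text.startswith(" ") and stanza and text.strip():
            lines[stanza].add(text.split()[0])
        else:
            stanza = None
    for name, cmds in lines.items():
        if "login" not in cmds:
            findings.append(f"line {name}: no login, so the line password is never checked")
        elif "password" not in cmds:
            findings.append(f"line {name}: login set but no password, IOS refuses logins")
    # Bit 6 (0x40) of the register tells the router to ignore NVRAM at boot.
    m = re.search(r"Configuration register is (0x[0-9a-fA-F]+)", show_version)
    if m and int(m.group(1), 16) & 0x40:
        findings.append(f"config-register {m.group(1)}: startup config ignored, restore 0x2102")
    return findings
```

Call audit(RUNNING_CONFIG, SHOW_VERSION_TAIL) to list the findings for the sample; the register check tests the "ignore NVRAM" bit itself, so it also catches values other than 0x2142 that have it set.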
