Your CCNA certification exam efforts must include practicing with different password types and knowing how to configure them on a Cisco router – but for CCNA exam success and to thrive in real-world networks, you also have to know how to examine a Cisco router configuration and determine the level of network security that is already present. After all, most routers you work with already have passwords set, and it's up to you to determine if those passwords are getting the job done.
Let's start with a telnet password. Telnet passwords are configured on the VTY lines, and no telnet access is enabled on a Cisco router by default. If you saw the following configuration, what would it mean?
line vty 0 4
privilege level 15
That small Cisco router configuration means three things – first, Telnet access is enabled. Second, the password is baseball. Third, the "privilege level 15" command means that any user who attempts to Telnet to the router and knows the password will automatically be placed into privileged exec mode. (If that command were not present, the user would be placed into user exec and then prompted for the enable password before being allowed into privileged exec.)
You may not want to give that level of access to all incoming Telnet connections. If you walked into a client's router room and saw this configuration on a router, what would it mean to you?
username halas password 0 bears
username ewbank password 0 jets
username ed privilege 15 password 0 mcdaniel
line vty 0 4
This configuration means three things as well. Each user attempting to telnet in will be prompted for both a username and password. Each individual user must enter the password that's been assigned to them. For example, the user "halas" would have to enter the password "bears" to successfully Telnet into this router. The command "login local" under the VTY lines means that this local database of usernames and passwords will be used for authentication.
Again, by default, users who are Telnetting in will be placed into user exec mode by default. Only users with "privilege 15" in the middle of their username / password definition will be placed into privileged exec immediately upon login.
Notice that zero in each of the username / password statements? I did not enter that when I configured these statements. This number indicates the level of encryption the password is currently under; a zero is the lowest level of encryption, indicating that the passwords aren't encrypted at all. There's a single line near the top of a Cisco router configuration that tells you why .. which of these three is it?
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
Simple enough! The password encryption service is off by default. To turn it on. just run the command service password-encryption. Let's do so here and then take a look at the configuration.
R1 (config) #service password-encryption
username halas password 7 1415170A1E17
username ewbank password 7 070524585D
username ed privilege 15 password 7 082C4F4A08170C121E
Now that's what I call encryption! Note that the zero has changed to a "7" – that's the highest level of encryption on a Cisco router, and as you can see, it's very effective.
Knowing how to read a Cisco router configuration is a valuable skill for both the CCNA certification exam and working with production networks. Keep practicing, keep studying, and you'll have the coveted letters "CCNA" behind your name soon!