Config Lab: CLI Passwords 2
The simplest way to protect the CLI uses passwords shared by all, rather than a per-user username and password. Using a per-user login method improves security. The easiest option for using per-user logins in a Cisco lab is configuring the username/password pairs in each Cisco router or switch. Today’s lab asks you to do just that: configure several username/password pairs, and enable their use.
The Lab Exercise
Requirements
Configure Switch SW1 with password security with a per-user username required for the three allowed users. The passwords and user names will be stored locally on the switch.
This lab begins with all the interfaces shown in Figure 1 working, with IPv4 addresses configured, and with all hosts able to ping other local hosts and hosts in the rest of the Enterprise.
The specific rules for this lab are as follows:
- Enable the use of local usernames for login from the console and when using Telnet.
- Create a user: Use password “hope” for user “allison”.
- Create a user: Use password “love” for user “danielle”.
- Create a user: Use password “faith” for user “tyler”.
Figure 1: Network for this Lab, with Console Access Switch SW1
Initial Configuration
Example 1 shows the non-default configuration added to switch SW1 before your work for this lab begins. Basically, the switch has already been configured with an IP address and a default gateway to allow telnet access.
ip default-gateway 10.1.1.1
!
interface vlan1
ip address 10.1.1.20 255.255.255.0
Example 1: SW1 Initial Configuration
* Note that the no shutdown command is likely unnecessary on real gear, but may be on some virtualization platforms, so we include it here in the initial configuration.
Answer Options - Click Tabs to Reveal
You can learn a lot and strengthen real learning of the topics by creating the configuration – even without a router or switch CLI. In fact, these labs were originally built to be used solely as a paper exercise!
To answer, just think about the lab. Refer to your primary learning material for CCNA, your notes, and create the configuration on paper or in a text editor. Then check your answer versus the answer post, which is linked at the bottom of the lab, just above the comments section.
You can also implement the lab using the Cisco Packet Tracer network simulator. With this option, you use Cisco’s free Packet Tracer simulator. You open a file that begins with the initial configuration already loaded. Then you implement your configuration and test to determine if it met the requirements of the lab.
(Use this link for more information about Cisco Packet Tracer.)
Use this workflow to do the labs in Cisco Packet Tracer:
- Download the .pkt file linked below.
- Open the .pkt file, creating a working lab with the same topology and interfaces as the lab exercise.
- Add your planned configuration to the lab.
- Test the configuration using some of the suggestions below.
You can also implement the lab using Cisco Modeling Labs – Personal (CML-P). CML-P (or simply CML) replaced Cisco Virtual Internet Routing Lab (VIRL) software in 2020, in effect serving as VIRL Version 2.
If you prefer to use CML, use a similar workflow as you would use if using Cisco Packet Tracer, as follows:
- Download the CML file (filetype .yaml) linked below.
- Import the lab’s CML file into CML and then start the lab.
- Compare the lab topology and interface IDs to this lab, as they may differ (more detail below).
- Add your planned configuration to the lab.
- Test the configuration using some of the suggestions below.
Network Device Info:
This table lists the interfaces listed in the lab exercise documentation versus those used in the sample CML file.
Device | Lab Port | CML Port |
SW1 | G0/1 | G0/1 |
SW1 | F0/1 | G0/2 |
SW1 | F0/2 | G0/3 |
Host device info:
This table lists host information pre-configured in CML, information that might not be required by the lab but may be useful to you.
Device | IP Address | Mac Address | User/password |
PC | 10.1.1.11 | 02:00:11:11:11:11 | cisco/cisco |
S | 10.1.1.22 | 02:00:22:22:22:22 | cisco/cisco |
Lab Answers Below: Spoiler Alert
Lab Answers: Configuration (Click Tab to Reveal)
Answers
username allison password hope
username danielle password love
username tyler password faith
!
line con 0
login local
!
line vty 0 4
login local
!
line vty 5 15
login local
Example: SW1 Config
Commentary, Issues, and Verification Tips (Click Tabs to Reveal)
Commentary
Cisco switches allow for different username and passsword pairs to be used for access to the console, and with Telnet or SSH, instead of a single all-users password.
The global command username name password password creates the username password pairs in one switch. To tell the switch to make use of these local username/password pairs, you must then configure the login local command in vty configuration mode (for Telnet/SSH) or console configuration mode (for console access).
Note that the answer shows the configuration of the VTY password (to support Telnet) with VTYs 0 through 4 as separate from the configuration of VTYs 5 through 15. This quirk of Cisco output has to do with the fact that older IOS versions support only VTYs 0 through 4. You could have used the commands literally shown in the answer example, or you could have used the command line vty 0 15, followed by those same password and login commands.
Finally, if you did happen to use the username name secret password command, that command also meets the requirements of the lab as stated.
Known Issues in this Lab
This section of each Config Lab Answers post hopes to help with those issues by listing any known issues with Packet Tracer related to this lab. In this case, the issues are:
# | Summary | Detail |
1 | PT adds extra configuration | When you configure the username command in PT, PT adds the privilege 1 parameters (meaning user mode) if you do not configure the privilege keyword. Real gear simply omits the privilege 1. |
Why Would Cisco Packet Tracer Have Issues?
(Note: The below text is the same in every Config Lab.)
Cisco Packet Tracer (CPT) simulates Cisco routers and switches. However, CPT does not run the same software that runs in real Cisco routers and switches. Instead, developers wrote CPT to predict the output a real router or switch would display given the same topology and configuration – but without performing all the same tasks, an actual device has to do. On a positive note, CPT requires far less CPU and RAM than a lab full of devices so that you can run CPT on your computer as an app. In addition, simulators like CPT help you learn about the Cisco router/switch user interface – the Command Line Interface (CLI) – without having to own real devices.
CPT can have issues compared to real devices because CPT does not run the same software as Cisco devices. CPT does not support all commands or parameters of a command. CPT may supply output from a command that differs in some ways from what an actual device would give. Those differences can be a problem for anyone learning networking technology because you may not have experience with that technology on real gear – so you may not notice the differences. So this section lists differences and issues that we have seen when using CPT to do this lab.
Beyond comparing your answers to this lab’s Answers post, you can test in Cisco Packet Tracer (CPT) or Cisco Modeling Labs (CML). In fact, you can and should explore the lab once configured. For this lab, once you have completed the configuration, try these verification steps.
- Connect to the console and try to login with the configured username/password combinations.
- Telnet into the switch and try the same username/password combinations there as well.
why you used “0” after the command “password”?
Hey Kevin,
Well, because I copied the config from the device when I made this post. I’ll remove the 0s to avoid confusion. Here’s the longer version:
In the command **username allison password 0 hope**, the zero refers to the level of password encryption, with 0 meaning “none”, which is the level used with this command. If you had instead typed **username allison password hope**, IOS would have chosen the encryption level of 0, and added the 0 into the command in the running-config.
Hope this helps…
Hi Wendell,
first of all thank you very much for these exercises. They are very instructive.
I have a question about the config-line command line vty 0 4 and line vty 0 15. I understand that the virtual teletype is about how many simultaneous virtual connections the device allows, which may be Telnet or SSH.
In your answers you have configured the device with the following command:
line vty 0 4
login local
!
line vty 5 15
login local
Wouldn’t it be sufficient to configure the device directly with only line vty 0 15 (allow 16 simultaneous virtual connections)?
Thank you for your clarification
Hi Daniel,
Short answer: Yes!
Longer answer: The answer page lists output from show run. When you configure line vty 0 15, and then add the subcommands, and do a show run, IOS splits it out as shown on the config page. It’s a throwback to ancient IOS history when IOS supports only vty’s 0 – 4. But yes, you can configure all 16 at once.
Wendell
Hi Wendell,
I have a question regarding the enable secret via telnet. I implemented my solution (below) on Cisco Packet Tracker, though I don’t know if this is a particularity of this piece of software only.
When connecting via console cable, I don’t need to provide an enable password. But I do need via telnet, which forced me to configure enable secret {ENABLE_SECRET}.
Without it, it just says: No password set. Is this normal?
Thank you in advance,
Italo.
My solution (Some lines omitted):
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Switch
!
enable secret 5 $1$mERr$853d9gYeIIYF1JA6KByqT0
!
username allison secret 5 $1$mERr$rjwRnHvQ0EQyg2ihZdL9F/
username danielle secret 5 $1$mERr$wgCxZNZPm.wN81mUI/lF7/
username tyler secret 5 $1$mERr$bgp9ZgzRNe04AJAPG2nry0
!
spanning-tree mode pvst
spanning-tree extend system-id
!
interface Vlan1
ip address 10.1.1.20 255.255.255.0
!
ip default-gateway 10.1.1.1
!
line con 0
login local
!
line vty 0 4
login local
transport input telnet
line vty 5 15
login local
transport input telnet
!
end
Hi Italo,
Sorry for the delay – got behind in my day job.
Anyway…
Short answer is yes, what you see in packet tracer is exactly what a real device does. If the enable password is not set, a user that connects to user mode via Telnet or SSH cannot move to enable mode, and is shown the message you listed. In short, an enable password (either enable password or enable secret command) must be configured for such a user to reach privileged mode.
Wendell
Hello Mr. Grand Master,
can you confirm –
Hi David,
My college roommate and best friend was a chess nut. Nice reference! 🙂
Yes, if you interpret the 1st requirement to mean “Telnet only”. If you interpret the words to imply nothing about SSH, then the default works. But… having you think through the options to review for the test and for real work is the best side effect.
Hi Wendell,
First time I saw the use of “username <username> password <password>” here. I’m working through the second edition of volume 1, chapter 6 where it talks about “username <username> secret <password>”
I suppose in the real world, it’s always sensible to use the “secret” parameter with the “username” command, since the “password” parameter appears to always leave the provided password stored as clear text in the running-config. In the exam, would it actually matter which one we used?
Regarding “transport input telnet” the official guide mentioned that newer switches usually default to “transport input ssh” while older ones default to “transport input all“. Again in the real world I suppose it makes sense to explicitly specify whether you need / want SSH and/or telnet enabled.
In packet tracer, show running-config does not appear to give a clue on the default configuration about whether telnet/ssh is enabled by default. For the exams, what’s the sensible way to approach similar questions when you’re required to enable telnet / ssh access?
I think I just found the answer to my second question.
In the next chapter (Chapter 7), it mentions that the show running-config all command will show all default settings as well.
So I suppose I’d run that EXEC command first for a lab based exam question to ascertain the current default transport input setting, then depending on the minimum requirement of the lab question, enable telnet and/or ssh accordingly
As for setting a local username/password pair, if the exam question doesn’t specifically demand a secure local username/password pair or to store the password in clear text, I suppose either one would be fine. i.e. either username <username> password <password> or username <username> secret <password> would be acceptable?
Hi YT,
So sorry for the delay in replying! Just got behind a bit.
I think the big message here is that if you understand the commands, I think you can relax about your concerns about “what if” kinds of questions. They try and make questions that have a clear answer if you understand the topic, but that might be difficult to answer if you don’t. And they don’t tend to ask about defaults so much because of all those differences. (I point them out in the book to be complete and to ease your progress when labbing.)
So, I’d say instead, if a question asks “SSH only”, and it’s a lab question, configure transport input ssh. Or to support both, transport input all. Use username secret unless there’s a reason not to. A common sense approach will serve you well.
Hope this helps…
Wendell
Also, to the question of how to know the current transport command settings, check out these two commands. If you look towards the bottom, you’ll see the line that identifies the transport setting.
Thank you Wendell for taking the time to respond
I think I allowed myself to get too caught up with the nitty gritty stuff
Sure thing, YJ!