01-06-2015 02:56 AM - edited 03-07-2019 10:06 PM
Hello Guys,
I am quite new to Cisco and I need to configure an 891 Cisco router. Can someone please show me step-by-step configuration commands for configuring a Username and Secret Password? I would like the router to ask for "Username" and "Password" anytime I want to log in to the router through telnet. I also want to know if I have to erase the default configurations on the router first, before I start the configuration, and how it should be done in order not to lose the router while working on it. Thanks for your usual quick responses.
Regards,
Eben.
01-06-2015 03:49 AM
Hi
>enable
#conf t
(config)#aaa new-model
(config)#username yourusername password yourpassword
(config)#enable secret yoursecret
01-06-2015 06:06 AM
Hello Reza,
Your configuration would work, and is rated accordingly :) At the same time, however, using the AAA new model, things get more complicated and more complex, and in simple deployment scenarios, it is not worth the effort. Because Eben is just starting to play with Cisco devices and is new to them, I suggest using the classic authentication configuration that is simpler, even if perhaps more chatty to configure, and it would look as follows:
enable
configure terminal
! This is a normal user
username mylogin secret mypassword
! This is an administrator
username admin privilege 15 secret S3cr3tP4ssw0rd
! A password to protect the enable command
enable secret S0m30therP4ssw0rd
line con 0
! Authenticate console users using the local username/pw database
login local
line aux 0
! Authenticate AUX port users using the local username/pw database
login local
line vty 0 15
! Authenticate Telnet/SSH users using the local username/pw database
login local
end
Also, instead of Telnet, I suggest starting SSH service on the router to provide for SSH access:
enable
configure terminal
! Just about any non-default host name of the router
hostname MyRouter
! Just about any DNS domain here
ip domain-name eben.name
! Generates RSA keys to start the SSH
crypto key generate rsa modulus 1024
! Permit SSHv2 only
ip ssh version 2
end
After testing the SSH connection to the router successfully, deactivate the Telnet access:
enable
configure terminal
line vty 0 15
! Allow SSH access only
transport input ssh
end
Best regards,
Peter
01-07-2015 03:12 AM
Thank you very much Peter for your quick response. I tried it and it's perfect. I have a few questions: I would like to know why you suggest SSH instead of telnet, is it for security reasons? And secondly, why the "ip domain-name eben.name"?
Thank You once again.
Best Regards,
Eben.
01-07-2015 03:41 AM
Hello Eben,
Peter has suggested using SSH because telnet data is sent in clear text, so someone with the right tools could easily find your password and your device could/would be compromised. It is security best practice. SSH is encrypted.
Technically speaking, you do not need to change the hostname / domain name. But the majority of Cisco documentation follows this method.
In case you are interested in how to do this without the change, see below.
Router(config)#
Router(config)#crypto key generate rsa modulus 1024
% Please define a hostname other than Router.
Router(config)#crypto key generate rsa modulus 1024 label CISCO
The name for the keys will be: CISCO
% The key modulus size is 1024 bits
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
Router(config)#
*Jul 11 13:27:51.431: %SSH-5-ENABLED: SSH 1.99 has been enabled
Router(config)#
In the normal case, just as shown in Cisco documentation, the parser (without a label on the crypto key) would force us to change the hostname and create a domain name. I think the domain name is there to put a label on the keys.
Router(config)#crypto key generate rsa general-keys modulus 1024
% Please define a hostname other than Router.
Router(config)#crypto key generate rsa
% Please define a hostname other than Router.
Router(config)#hos
Router(config)#hostname ISR
lexnetISR(config)#crypto key generate rsa general-keys modulus 1024
% Please define a domain-name first.
ISR(config)#ip domain name net.com
ISR(config)#exit
ISR(config)#crypto key generate rsa general-keys modulus 1024
The name for the keys will be: ISR.net.com
% The key modulus size is 1024 bits
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
01-07-2015 04:51 AM
Hello Reza,
Thanks to all you guys for your support, I really appreciate your quick responses. I have about six (6) different branches with a Cisco 891 router, but all of them are on telnet, so I will take your advice and change them to SSH very soon for more security.
Kind Regards,
Eben.
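For checking several saved router configurations against the settings recommended in this thread (local `secret` users, `login local` on every line, SSHv2, SSH-only vty lines), here is an added example that is not part of the original posts. It assumes the classic non-AAA configuration from Peter's reply; the function name `audit` and the sample config are constructed for illustration.

```python
import re

# Constructed sample running-config excerpt (not taken from the thread).
SAMPLE_CONFIG = """\
hostname Branch1
enable secret 5 $1$constructed$hash
username admin privilege 15 password 0 S3cr3t
username mylogin secret 5 $1$constructed$hash
ip ssh version 2
line con 0
 login local
line aux 0
line vty 0 4
 login local
 transport input telnet ssh
line vty 5 15
 login local
 transport input ssh
"""

def audit(config):
    """Return findings for the settings recommended in the thread."""
    findings, blocks, current = [], {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):            # start of a con/aux/vty block
            current = raw.strip()
            blocks[current] = []
        elif raw.startswith(" ") and current:  # sub-command of that block
            blocks[current].append(raw.strip())
        else:                                  # any other top-level command
            current = None
            m = re.match(r"username (\S+) (?:privilege \d+ )?password ", raw)
            if m:
                findings.append(f"user {m.group(1)}: 'password' instead of 'secret'")
    if not re.search(r"^enable secret ", config, re.M):
        findings.append("no 'enable secret'")
    if not re.search(r"^ip ssh version 2\s*$", config, re.M):
        findings.append("no 'ip ssh version 2'")
    for name, cmds in blocks.items():
        if "login local" not in cmds:
            findings.append(f"{name}: no 'login local'")
        if name.startswith("line vty"):
            transport = next((c for c in cmds if c.startswith("transport input")), "unset")
            if transport != "transport input ssh":
                findings.append(f"{name}: not SSH-only ({transport})")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Feed it the text of `show running-config` saved from each router; an empty result means the config matches the thread's recommendations for these specific settings only.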