easamoah1
Beginner

Configure a Cisco router with Username and Password.

Hello Guys,

I am quite new to Cisco and I need to configure an 891 Cisco router. Can someone please show me step-by-step configuration commands for configuring Username and Secret Password? I would like the router to ask for "Username" and "Password" anytime I want to log in to the router through Telnet. I also want to know if I have to erase the default configurations on the router first, before I start the configuration, and how it should be done in order not to lose the router while working on it. Thanks for your usual quick responses.

 

Regards,

Eben.

 

Accepted Solutions
Peter Paluch
Hall of Fame Cisco Employee

Hello Reza,

Your configuration would work, and is rated accordingly :) At the same time, however, using the AAA new model, things get more complicated and more complex, and in simple deployment scenarios, it is not worth the effort. Because Eben is just starting to play with Cisco devices and is new to them, I suggest using the classic authentication configuration that is simpler, even if perhaps more chatty to configure, and it would look as follows:

 

enable
configure terminal
! This is a normal user
username mylogin secret mypassword
! This is an administrator
username admin privilege 15 secret S3cr3tP4ssw0rd
! A password to protect the enable command
enable secret S0m30therP4ssw0rd
line con 0
 ! Authenticate console users using the local username/pw database
 login local
line aux 0
 ! Authenticate AUX port users using the local username/pw database
 login local
line vty 0 15
 ! Authenticate Telnet/SSH users using the local username/pw database
 login local
end

 

Also, instead of Telnet, I suggest starting SSH service on the router to provide for SSH access:

 

enable
configure terminal
! Just about any non-default host name of the router
hostname MyRouter
! Just about any DNS domain here
ip domain-name eben.name
! Generates RSA keys to start the SSH
crypto key generate rsa modulus 1024
! Permit SSHv2 only
ip ssh version 2
end

 

After testing the SSH connection to the router successfully, deactivate the Telnet access:

 

enable
configure terminal
line vty 0 15
 ! Allow SSH access only
 transport input ssh
end

 

Best regards,
Peter
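
An added example, not part of the original posts and not Cisco tooling: a small Python check that reads a saved running-config and flags where it departs from the settings in the answer above (`username ... secret`, `enable secret`, `login local` on every line, `transport input ssh` on the VTYs, `ip ssh version 2`). The function name and the sample config are constructed for illustration.

```python
import re

# Constructed running-config excerpt (not from the thread) with deliberate gaps.
SAMPLE_CONFIG = """\
enable secret 5 $1$EXAMPLE$constructedhash
username admin privilege 15 secret 5 $1$EXAMPLE$constructedhash
username legacy password 7 0000000000
ip ssh version 2
line con 0
 login local
line aux 0
line vty 0 4
 login local
 transport input ssh
line vty 5 15
 login local
 transport input telnet ssh
"""

def audit_ios_config(text):
    """Return a list of findings for the login settings discussed above."""
    findings, sections, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("!"):
            continue                        # skip blanks and comment lines
        if not line.startswith(" "):        # top-level command opens a new scope
            current = line
            sections[current] = []
        elif current is not None:           # indented: sub-command of that scope
            sections[current].append(line.strip())
    top = list(sections)
    for cmd in top:
        m = re.match(r"username (\S+)(?: privilege \d+)? password\b", cmd)
        if m:
            findings.append(f"username {m.group(1)}: 'password' used instead of 'secret'")
    if not any(c.startswith("enable secret") for c in top):
        findings.append("no 'enable secret' configured")
    if "ip ssh version 2" not in top:
        findings.append("SSHv2-only ('ip ssh version 2') not configured")
    aaa = "aaa new-model" in top            # AAA replaces per-line 'login local'
    for cmd in (c for c in top if c.startswith("line ")):
        sub = sections[cmd]
        if not aaa and "login local" not in sub:
            findings.append(f"{cmd}: missing 'login local'")
        if cmd.startswith("line vty") and "transport input ssh" not in sub:
            findings.append(f"{cmd}: Telnet not disabled (want 'transport input ssh')")
    return findings
```

Run it over the output of `show running-config` saved from each router; an empty list means every checked setting matches.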


5 REPLIES 5
Reza Zand
Beginner

Hi

 

>enable
#conf t
(config)#aaa new-model
(config)#username yourusername password yourpassword
(config)#enable secret yoursecret

easamoah1
Beginner

Thank you very much, Peter, for your quick response. I tried it and it's perfect. I have a few questions: I would like to know why you suggest SSH instead of Telnet; is it for security reasons? And secondly, why the "ip domain-name eben.name"?

Thank You once again.

Best Regards,

Eben.

Hello Eben,

Peter has suggested to use SSH because of the fact that telnet data is sent in clear text, so someone with the right tools could easily find your password and your device could/would be compromised. It is security best practice. SSH is encrypted.

Technically speaking, you do not need to change the hostname / domain name. But the majority of Cisco documentation follows this method.

In case you are interested in how to do this without the change... see below.

Router(config)#
Router(config)#crypto key generate rsa modulus 1024
% Please define a hostname other than Router.
Router(config)#crypto key generate rsa modulus 1024 label CISCO
The name for the keys will be: CISCO

 

% The key modulus size is 1024 bits
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]

 

Router(config)#
*Jul 11 13:27:51.431: %SSH-5-ENABLED: SSH 1.99 has been enabled
Router(config)#

 

In the normal case, just as shown in Cisco documentation, the parser (without a label on the crypto key) would force us to change the hostname and create a domain name. I think the domain name is there to put a label on the keys.

 

Router(config)#crypto key generate rsa general-keys modulus 1024
% Please define a hostname other than Router.
Router(config)#crypto key generate rsa
% Please define a hostname other than Router.
Router(config)#hos
Router(config)#hostname ISR
lexnetISR(config)#crypto key generate rsa general-keys modulus 1024
% Please define a domain-name first.
ISR(config)#ip domain name net.com
ISR(config)#exit
ISR(config)#crypto key generate rsa general-keys modulus 1024
The name for the keys will be: ISR.net.com

 

% The key modulus size is 1024 bits
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]

Please rate useful posts & remember to mark any solved questions as answered. Thank you.

Hello Reza,

Thanks to all you guys for your support. I really appreciate your quick responses. I have about six (6) different branches with a Cisco 891 router, but all of them are on Telnet, so I will take your advice and change them to SSH very soon for more security.

Kind Regards,

Eben.