line console password vs privilege mode enable secret

SJ K
Level 5

Hi all,

Below is my running config ->
line con 0
exec-timeout 0 0
privilege level 15
password cisco
logging synchronous
login

Q1) How come I enter privileged mode every time once I enter the console password? Can I choose to enter normal user mode instead? Is it via setting the privilege level?

Q2) I understand that for enable (privileged) mode, I can set a secret/encrypted password for enabling.

R1#config t
R1(config)#enable secret cisco

Where does the encryption take place? Is it only to MD5 the password text in the configuration file? If I were to sniff the password over the network, would I still see the clear text "cisco"?

Q3) Why can't I do so (setting a secret/encrypted password) for line (vty, con etc.) login?

Q4) For Q3, after googling, I realised I need to issue service password-encryption.

a) Does this command "encrypt" again my current enable secret password? -- I think it's no, because I see no changes in show run.

b) Why do we have to issue this command to encrypt my line, vty etc. passwords? Why can't we use the "secret" command?

c) What is the difference between this "service password-encryption" and "secret"? Why do we need to have both?

Q5) Are all of service password-encryption, enable secret etc. just basically hashing or encrypting the actual text password in the config file? Is there any way of encryption over the network?

Thanks,
Noob

5 Replies

Aaron Harrison
VIP Alumni

Hi

We see your posts... sometimes there are delays before they appear. Don't sweat it.

Aaron

Aaron. Please remember to rate helpful posts to identify useful responses, and mark 'Answered' if appropriate!

devils_advocate
Level 7

In order to prevent the console going straight into enable mode, you need to remove the following line:

line con 0
exec-timeout 0 0
privilege level 15
password cisco
logging synchronous
login

Privilege level 15 takes you straight into enable mode.

In regards to the other questions. I would have a little read of this:

http://www.cisco.com/c/en/us/td/docs/ios/12_2/security/configuration/guide/fsecur_c/scfpass.html

Hi Devil,

Thanks for the reply.

I read through the documentation, but it still doesn't directly answer the following questions:

a) Why can't vty and console lines have a hashed password like enable secret? -- The only way to use secret is to have login local and create a local username with a secret password.

b) Are all of service password-encryption, enable secret etc. just basically hashing or encrypting the actual text password in the config file? Is there any way of encryption over the network?

I mean, with all this encryption and hashing, when I connect to the terminal using telnet and enter the clear text password, it isn't encrypted. What should we do?

Regards,

Noob

a) Why can't vty and console lines have a hashed password like enable secret? -- The only way to use secret is to have login local and create a local username with a secret password.

Because they can't, it's as simple as that really.
Like you said, the only way to protect the password using an MD5 hash is to create a username and password and ensure you use the secret command like:

username admin secret password

b) Are all of service password-encryption, enable secret etc. just basically hashing or encrypting the actual text password in the config file? Is there any way of encryption over the network?

It's just using an MD5 hash.
Whether it's encrypted or not over the network will depend on whether you use Telnet or SSH to connect to the switch.
Telnet is plain text, so even using an MD5 password will still be visible if someone were to packet capture your telnet session.
SSH is encrypted, so use this whenever possible.

Thank you Devil.

And thanks Aaron!