01-31-2022 12:19 PM
I recently started to study CCNA. I am in Introduction to Networks, and there's a command I am a little bit confused about; I would like to see if anyone can help me clarify it.
So basically, when I am doing the configuration on a switch I have to configure 2 passwords, one for the User Mode and the other one for the Privileged Mode.
To enter the User Mode password I type
S1>enable
S1#config t
S1(config)#line console 0
S1(config-line)#password cisco
S1(config-line)#login
and then for the Privileged Mode I type
S1(config-line)#enable secret class
but then when I do the configuration for VTY I do this
S1(config)#Line vty 0 15
S1(config-line)#password cisco
S1(config-line)#login
S1(config-line)#end
S1#wr
Why do I have to enter the User Mode password AGAIN in this part? I saw some videos on YouTube and everyone is doing the same, but I don't really understand this part. Will it make a difference if I don't use the same password I set for the User Mode? What is the purpose of this other password?
Thanks in advance
01-31-2022 12:43 PM
A password is related to the way that you will access the switch. When you access the console you are using a physical cable that connects to the console port of the switch and it uses the configured console password. If you use telnet or SSH to access the switch they are accessing the vty lines and use the password configured on the vty. You need 2 passwords because there are 2 different ways to access the switch.
While it is common to use the same password for both console and vty there is no requirement that they be the same. It would be valid to use different passwords for console and for vty. (note that while it is advisable to use the same password for all the vty lines that is not a requirement. It would be valid to configure one password for vty 0 to 4, a second password for vty 5 to 9, and a third password for vty 10 to 15. The issue with this is that when using telnet or SSH you do not know which vty line you will get and so would have difficulty knowing which password to use.)
01-31-2022 04:22 PM - edited 01-31-2022 04:51 PM
Yes, 2 passwords for 2 levels of access: User Mode and Privileged Mode.
The 1st one is User Mode. This 1st-level password controls access, or controls the way you access the device, which is either via console or VTY (telnet/ssh). Without this one you will not be able to access the device at all (the CLI window says press enter key). In other words, you will not get to the 2nd password mode, which is Privileged Mode.
The Privileged Mode password (your enable secret class) is also called the enable mode password (enable secret xyz or enable xyz). This one controls what you can do with the device; in other words, it protects the configuration of the device. It is like protecting the 2nd level: configure or not. Without the Privileged Mode password, you will not be able to configure the device. This 2nd Privileged Mode password is the same for all methods of access by default.
In your case, password cisco is the 1st level and it is the same for console access as well as for VTY (Telnet/SSH).
enable secret class is the Privileged Mode password (aka enable mode).
Note: Routers may have a 3rd access method via the AUX port. It is an old and dying method of accessing a device via phone line.
Also note that enable secret class does not belong in LINE config mode (of console) but in Global config mode. The IOS CLI lets us enter the command but it will move it to the right place afterwards. Do show run to see where this command ends up. Also, use ? to see all commands and options.
Regards, ML
**Please Rate All Helpful Responses**
02-21-2024 01:41 PM
I know this is an old thread, but I'm wondering about the precedence when using local user accounts (not my preferred configuration, I'm cleaning up a client's old equipment).
Is the vty password ignored when there is a user present?
Is the vty password ignored when TACACS+ is in use?
Best Regards,
Martin
02-21-2024 06:28 PM
Hi,
Q1) Is the vty password ignored when there is a user present?
If you want to use a local user account on the device for the VTY lines, you then need the config to have "login local",
e.g.
!
username bob secret mypass
!
line vty 0 15
transport input telnet ssh
login local
!
Even if you have left in the password on the line vty 0 15 it will be ignored.
Q2) Is the vty password ignored when TACACS+ is in use?
As long as your TACACS+ is working correctly, then YES, the vty password is ignored.
Hope this helps
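The precedence described in the answer above, as an added example that is not part of the original posts: a Python sketch that reads an IOS-style configuration and reports which credential each line checks. The sample configuration, the function name and the verdict strings are constructed for illustration, and the AAA case is reduced to a single flag without evaluating method lists.

```python
import re

# Constructed sample configuration for illustration (not taken from the thread).
SAMPLE_CONFIG = """\
username bob secret mypass
!
line con 0
 password cisco
 login
line vty 0 4
 password cisco
 login local
 transport input ssh
line vty 5 15
 login
!
"""

def audit_lines(config):
    """Map each 'line ...' block to the credential its login setting checks."""
    # Simplification (assumption): with 'aaa new-model' present, report 'aaa'
    # for every line and do not evaluate the AAA method lists themselves.
    aaa = re.search(r"^aaa new-model\s*$", config, re.M) is not None
    has_user = re.search(r"^username \S+", config, re.M) is not None
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw.strip()
            blocks[current] = []
        elif current and raw.startswith(" "):
            blocks[current].append(raw.strip())
        else:
            current = None  # '!' or any global command ends the block
    report = {}
    for name, cmds in blocks.items():
        has_pw = any(c.startswith("password ") for c in cmds)
        if aaa:
            report[name] = "aaa"
        elif "login local" in cmds:
            if not has_user:
                report[name] = "login-local-but-no-username"
            else:
                report[name] = "local-user" + (", line password ignored" if has_pw else "")
        elif "login" in cmds:
            report[name] = "line-password" if has_pw else "login-but-no-password"
        else:
            report[name] = "no-login-command"
    return report

if __name__ == "__main__":
    for line_name, verdict in audit_lines(SAMPLE_CONFIG).items():
        print(f"{line_name}: {verdict}")
```

A leftover `password` under a line that uses `login local` shows up as "line password ignored", which is a useful cleanup signal when retiring old line passwords.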
02-22-2024 06:56 AM
Thank you Alex. Yes, that's the clarification I was looking for.
Best Regards,
Martin