Managing user Accounts and passwords in Cisco IOS Devices is very important task. With several different user accounts, you can also set different privilege level for each one of them. Different privilege means different available commands that can be executed per user account. In this article, we will go deep on creating users accounts and all its features including privilege, encryption, and automation that we can implement in Cisco IOS devices. This article shows how you can manage user accounts and passwords in Cisco IOS devices.
Manage User Accounts and Passwords in Cisco IOS Devices
Basically you will need to create at least a user account in your Cisco router or switch if:
- You want to secure the console command line
- You want to enable virtual terminal line such as telnet or SSH
- You want to restrict some commands to a specific user
- You want to enable automation to some IOS commands
The standard command to create user account and password in Cisco IOS is shown in the example below, and it must be executed in global configuration mode.
GeekRtr(config)#username admin password letmein123
With above configuration you have successfully created username Cisco IOS device. However, there is one major weakness in this configuration and it will be explained in this sub-section below.
Securing your Cisco IOS password with encryption
When you define a password, it is stored with clear-text format in your running-configuration. In the show running-config output, the password will be shown as it is:
GeekRtr#show running-config | include username username admin password 0 letmein123 GeekRtr#
Notice that your password phrase is explicitly written there. Also notice the number “0” before the passphrase indicates it is unencrypted. It’s never a good idea to leave your password in a readable condition like this.
To solve this issue, we can apply encryption to the password and hide the exact passphrase. There are two types of encryption:
Encryption type 7
With the command service password-encryption, all existing and future added passwords will be automatically encrypted.
GeekRtr(config)#service password-encryption GeekRtr(config)#do show running-config | include username username admin password 7 10420C0D08121B055D5679
As you can see above, password phrase in the show running-config output has been masked by a random numbers and letters. Also notice that the number “0” before the passphrase has been changed to “7”, indicating it has been encrypted using type 7 hash. However, this encryption is no longer secure in today’s network as it can be easily reversed to reveal the original passphrase.
Encryption type 5
Instead of type 7, it is highly advised to use encryption type 5. It using MD5 algorithm to hide your original passphrase.
MD5 algorithm is a complex one-way operation and it’s nearly impossible to reverse the process. It’s far stronger than encryption type 7 and the only way to reveal the original password is by using brute force (and of course it would take a lot of time and resources just to do that — depends on the original passphrase length).
To use type 5 encryption to secure passwords in Cisco IOS devices we can simply create username followed by a secret instead of password. The configuration will be demonstrated in the next example but first we will delete the username and password created earlier:
GeekRtr(config)#no username admin
And with this configuration we will re-create username using a secret:
GeekRtr(config)#username admin secret letmein123 GeekRtr(config)#do show running-config | include username username admin secret 5 $1$rszA$h4AZMOUECxMMoBg/BVnm//
Now you can see that by specifying a secret instead of password, it will automatically replace the phrase with random characters combined with random uppercase and lowercase letters, making it totally non-readable to human’s eyes. Notice the number “5” before the encrypted passphrase in the show running-config output above — indicates that you have secured your password using type 5 encryption (MD5).
Applying user accounts to console command line
The user account we created before is basically useless if we don’t enforce login process. In this section we will enforce login to the console command line.
GeekRtr(config)#line con 0 GeekRtr(config-line)#login local
By issuing command login above, we told the device to always ask credential to any attempt of accessing the console command line. The word local is telling the device to look up its internal user account database for authentication, which means the device will refer to the list of username we created before. Now the device will ask for login credential on the next attempt of accessing CLI via console line.
GeekRtr con0 is now available Press RETURN to get started. User Access Verification Username:
Securing privileged EXEC mode
By default after login you will be prompted with the device hostname followed by a “>” sign, indicating that you are inside the user EXEC mode. You cannot enter configuration mode except from privileged EXEC mode. To enter privileged EXEC mode from user EXEC mode, simply use command enable. The “#” sign next to the device name indicates you are in privileged EXEC mode.
Now of course we don’t want anybody to easily enter the privileged EXEC mode. With the configuration below we will set authentication on any attempt to enter privileged EXEC mode using the enable command:
GeekRtr(config)#enable secret letmeconfig123
Note: remember that by specifying secret instead of password will encrypt the passphrase in configuration file using type 5 encryption, so always use secret whenever possible.
As the result of this configuration, now a passphrase will be asked before we entering the privileged EXEC mode.
Applying username to virtual terminal line (Telnet/SSH)
We can enforce login on the remote access with similar configuration as the one we applied in the console line (anyway, it is mandatory to have username and password in terminal line if we want to enable SSH) With this configuration below we will enforce login to virtual terminal line:
GeekRtr(config)#line vty 0 4 GeekRtr(config-line)#login local
An enable-password might also be required in order for virtual terminal access to work, you can refer to the previous sub-section titled “Securing privileged EXEC mode” to create an enable-password.
Assigning privilege to specific user accounts
By default all user accounts are created using privilege level 1 and it is equivalent with user EXEC mode. When we use the command enable, we will be granted with privilege level 15 by default, and privilege level 15 has access to all configurations and commands. We can create custom privilege level between 1 and 15. By default if we assign any privilege level to a user account it will bypass the user EXEC mode.
In this example we are going to create a new user account with privilege level 7.
GeekRtr(config)#username junior_admin secret letmetry123 GeekRtr(config)#username junior_admin privilege 7
In this case, if we try login using junior_admin we will be brought directly to privileged EXEC mode. But as you can see in the screenshot below, the command configure terminal that we use to enter global configuration mode is not recognized.
This is because we haven’t define what commands are allowed to be executed using privilege level 7. Now in this example we will allow everybody with privilege level 7 to do something at the interface level, which is giving a description. We’ll be back to login using our standard admin account (the one with privilege level 15) and configure it this way:
GeekRtr(config)#privilege exec level 7 configure terminal GeekRtr(config)#privilege configure level 7 interface GeekRtr(config)#privilege interface level 7 description
In the first line of the above config, we’re allowing users with privilege level 7 to use command configure terminal in the privileged EXEC mode and enter the global configuration mode. Then the second line will allow them to enter interface configuration mode from global configuration mode by issuing command interface interface_name. Then finally the third line will allow them to configure the interface description. Below is the result:
Notice that junior_admin can now enter global configuration mode and interface configuration mode consecutively. But also notice that the other interface level commands except description are not shown in the help context, and that means junior_admin cannot modify anything except the interface description; because we configured it that way!
Applying automated command to a specific user account
Basically we apply automated command to a specific user account because we want a dedicated user account to execute a command. In this example we are going to create a user account named view_ip. Just like the name says, this user account is dedicated to see IP address of the device interfaces. We will configure it to automatically execute command show ip interface brief after logon.
GeekRtr(config)#username view_ip secret v13w_1p! GeekRtr(config)#username view_ip autocommand show ip interface brief GeekRtr(config)#username view_ip nohangup
Note: we also added the parameter nohangup to prevent session disconnected after autocommand executed
Below is screenshot of the result:
In this way you can manage user accounts and passwords in Cisco IOS Devices.