CCNA Certification Exam Training: Passwords, Cisco Routers, And Network Security
by: Chris Bryant, CCIE #12933
CCNA certification is important, and so is securing our network's Cisco routers! To reflect the importance of network security, your CCNA certification exam is likely going to contain a few questions about the various passwords you can set on a Cisco router. Let's take a look at some of those passwords and when to apply them.
If the previous user has logged out of the router properly, you will see a prompt like this when you sit down at the router console:
R1 con0 is now available
Press RETURN to get started.
R1>
To get into enable mode, by default all I have to do is type "enable".
R1>enable
R1#
See how the prompt changed? By default, I can now run all the show and debug commands I want, not to mention entering global configuration mode and doing pretty much what I want. It just might be a good idea to password-protect this mode! We do so with either the enable password command or the enable secret command. Let's use the enable password command first.
R1(config)#enable password dolphins
Now when I log out and then go back to enable mode - or try to - I should be prompted for the password "dolphins". Let's see what happens.
R1>enable
Password:
R1#
I was indeed prompted for a password. Cisco routers will not show asterisks or any other character when you enter a password; in fact, the cursor doesn't even move.
The problem with the enable password command is that the password will show in the configuration in clear text, making it easy for someone to look over your shoulder and note the password for future use, as shown below:
hostname R1
!
enable password dolphins
We could use the "service password-encryption" command to encrypt the enable password, but that will also encrypt all the other passwords in the Cisco router config. That's not necessarily a bad thing! Here's the effect of this command on the enable password we set earlier.
enable password 7 110D1609071A020217
Pretty effective encryption! However, if we want to have the enable password automatically encrypted, we can use the enable secret command. I'll use that command here to set this password to "saints", and note that I'm not removing the previous enable password.
R1(config)#enable secret saints
After removing the "service password-encryption" command, we're left with two enable mode passwords, and they appear in the Cisco router config like this:
enable password dolphins
enable secret 5 $1$kJB6$fPuVebg7uMnoj5KV4GUKI/
If we have two enable passwords, which one should we use to log into the router? Let's try the first password, "dolphins":
R1>enable
Password:
Password:
When you're prompted for the password a second time, you know you got it wrong the first time! Let's try "saints":
R1>enable
Password:
Password:
R1#
When both the enable secret and enable password commands are in use on a Cisco router, the enable secret password always takes precedence. "dolphins" didn't get us in, but "saints" did. That's valuable information for both the CCNA certification exam and real-world networks, because there's no worse feeling than typing a password at a Cisco router prompt and then getting another password prompt!
This is just one way to perform basic Cisco router security with passwords. We'll take a look at other methods in a future CCNA certification exam training tutorial!
About The Author
Chris Bryant, CCIE #12933, is the owner of The Bryant Advantage (http://www.thebryantadvantage.com).
For his FREE seven-part course, “How To Pass The CCNA”, visit the website and sign up today! Daily free CCNA, CCNP, Network+, Security+, and A+ certification questions, too!
Friday, June 13, 2008
Cisco CCNA Certification Exam Training: Telnet, Passwords, and Privilege Levels
by: Chris Bryant, CCIE #12933
Your CCNA certification exam is likely going to contain questions about Telnet, an application-level protocol that allows remote communication between two networking devices. With Telnet use being as common as it is, you had better know the details of how to configure it in order to pass your CCNA exam and to work in real-world networks.
The basic concept is pretty simple - we want to configure R1, but we're at R2. If we telnet successfully to R1, we will be able to configure R1 if we've been given the proper permission levels. In this CCNA case study, R2 has an IP address of 172.12.123.2 and R1 an address of 172.12.123.1. Let's try to telnet from R2 to R1.
R2#telnet 172.12.123.1
Trying 172.12.123.1 ... Open
Password required, but none set
[Connection to 172.12.123.1 closed by foreign host]
This seems like a problem, but it's a problem we're happy to have. A Cisco router will not let any user telnet to it by default. That's a good thing, because we don't want just anyone connecting to our router! The "password required" message means that no password has been set on the VTY lines on R1. Let's do so now.
R1(config)#line vty 0 4
R1(config-line)#password baseball
A password of "baseball" has been set on the VTY lines, so we shouldn't have any trouble using Telnet to get from R2 to R1. Let's try that now.
R2#telnet 172.12.123.1
Trying 172.12.123.1 ... Open
User Access Verification
Password:
R1>
We're in, and placed into user exec mode. Let's say we want to configure a new IP address on the ethernet interface on R1. We'll now go into privileged exec mode...
R1>enable
% No password set
R1>
... or maybe we won't! The default behavior of Telnet on a Cisco router is to place the incoming user into user exec mode, and require an enable password to allow that user into privileged exec mode! Right now, we can't configure anything on this router and even the show commands we would use are limited at best.
If we wanted to allow all telnetting users to be put into privileged exec mode immediately without being prompted for an enable password, the command privilege level 15 placed on the VTY lines will accomplish this.
R1(config)#line vty 0 4
R1(config-line)#privilege level 15
From R2, we'll telnet into R1 again.
R2#telnet 172.12.123.1
Trying 172.12.123.1 ... Open
User Access Verification
Password:
R1#
We were able to telnet in from R2 with the original password of "baseball", and even better, we were placed into privileged exec mode immediately!
You may or may not want to do this in real-world networks, though. If you want to assign privilege levels on an individual user basis, configure usernames and passwords and use the privilege 15 keyword in the username/password command itself to give this privilege level to some users but not all.
R1(config)#username heidi password klum
R1(config)#username tim privilege 15 password gunn
Both users can telnet into the router, but the first user will be placed into user exec and challenged for the enable password to enter privileged exec mode. If there is no enable password, the user literally cannot get into privileged exec. The second user will be placed into privileged exec immediately after successfully authenticating.
Passwords on a Cisco router or switch are vitally important, and you're not tied down to granting "all-or-nothing" access. Knowing details like the ones shown here helps you tie down network security while allowing people to do their jobs - and it doesn't hurt to know this stuff for the CCNA exam, either!
CCNA Cisco Certification Training Case Study: How Multiple Passwords Affect Router Access
by: Chris Bryant, CCIE #12933
Your CCNA certification exam efforts must include practicing with different password types and knowing how to configure them on a Cisco router - but for CCNA exam success and to thrive in real-world networks, you also have to know how to examine a Cisco router configuration and determine the level of network security that is already present. After all, most routers you work with already have passwords set, and it's up to you to determine if those passwords are getting the job done.
Let's start with a telnet password. Telnet passwords are configured on the VTY lines, and no telnet access is enabled on a Cisco router by default. If you saw the following configuration, what would it mean?
line vty 0 4
privilege level 15
password baseball
login
That small Cisco router configuration means three things - first, Telnet access is enabled. Second, the password is baseball. Third, the "privilege level 15" command means that any user who attempts to Telnet to the router and knows the password will automatically be placed into privileged exec mode. (If that command were not present, the user would be placed into user exec and then prompted for the enable password before being allowed into privileged exec.)
You may not want to give that level of access to all incoming Telnet connections. If you walked into a client's router room and saw this configuration on a router, what would it mean to you?
username halas password 0 bears
username ewbank password 0 jets
username ed privilege 15 password 0 mcdaniel
line vty 0 4
login local
This configuration means three things as well. Each user attempting to telnet in will be prompted for both a username and password. Each individual user must enter the password that's been assigned to them. For example, the user "halas" would have to enter the password "bears" to successfully Telnet into this router. The command "login local" under the VTY lines means that this local database of usernames and passwords will be used for authentication.
Again, by default, users who are Telnetting in will be placed into user exec mode. Only users with "privilege 15" in the middle of their username / password definition will be placed into privileged exec immediately upon login.
Notice that zero in each of the username / password statements? I didn't enter that when I configured these statements. This number indicates the level of encryption the password is currently under; a zero is the lowest level of encryption, indicating that the passwords aren't encrypted at all. There's a single line near the top of a Cisco router configuration that tells you why. Which of these three is it?
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
Simple enough! The password encryption service is off by default. To turn it on, just run the command service password-encryption. Let's do so here and then take a look at the configuration.
R1(config)#service password-encryption
username halas password 7 1415170A1E17
username ewbank password 7 070524585D
username ed privilege 15 password 7 082C4F4A08170C121E
Now that's what I call encryption! Note that the zero has changed to a "7" - that's the highest level of encryption on a Cisco router, and as you can see, it's very effective.
Knowing how to read a Cisco router configuration is a valuable skill for both the CCNA certification exam and working with production networks. Keep practicing, keep studying, and you'll have the coveted letters "CCNA" behind your name soon!
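As an added example that is not part of these articles, the following Python script reads a running-config like the fragments shown above (enable password versus enable secret, local usernames with privilege 15, and vty lines with a shared password and privilege level 15) and reports what each line means for access, the way this article asks you to do by eye. The sample config, the severity labels and the function names are constructed for this example.

```python
import re

# Constructed sample running-config stitched from the fragments these articles show:
# enable password plus enable secret, local usernames, vty lines with a shared password.
SAMPLE_CONFIG = """\
no service password-encryption
enable password dolphins
enable secret 5 $1$kJB6$fPuVebg7uMnoj5KV4GUKI/
username halas password 0 bears
username ed privilege 15 password 0 mcdaniel
line vty 0 4
 privilege level 15
 password baseball
 login
!
"""

def vty_section(lines):
    """Sub-commands under 'line vty', stripped; works whether or not IOS indented them."""
    section, inside = [], False
    for line in lines:
        if line.startswith("line vty"):
            inside = True
        elif inside:
            if line in ("!", "", "end") or line.startswith("line "):
                break
            section.append(line.strip())
    return section

def audit_config(text):
    """Return (severity, finding) tuples describing the router's password posture."""
    lines = [l.rstrip() for l in text.splitlines()]
    vty, out = vty_section(lines), []
    if "no service password-encryption" in lines:
        out.append(("low", "service password-encryption is off: type 0 passwords are stored in clear text"))
    has_secret = any(l.startswith("enable secret ") for l in lines)
    has_plain = any(l.startswith("enable password ") for l in lines)
    if not has_secret:  # with neither command, 'enable' fails with '% No password set'
        out.append(("high", "no enable secret configured" + (" (enable password only)" if has_plain else "")))
    elif has_plain:  # enable secret always takes precedence, so the enable password is dead weight
        out.append(("medium", "enable password is redundant: enable secret takes precedence, so remove it"))
    for m in filter(None, (re.match(r"username (\S+)(?: privilege (\d+))? password (\d) ", l) for l in lines)):
        user, priv, ptype = m.groups()
        out.append(("medium", f"username {user}: 'password {ptype}' is clear text or reversible type 7, not a hash"))
        if priv == "15":
            out.append(("info", f"username {user}: lands in privileged exec on login"))
    if "privilege level 15" in vty:
        out.append(("high", "vty: privilege level 15 puts every Telnet user straight into privileged exec"))
    if "login local" in vty:
        out.append(("info", "vty: authenticates against the local username database"))
    elif "login" in vty and any(v.startswith("password ") for v in vty):
        out.append(("medium", "vty: single shared line password for all Telnet users"))
    elif "login" in vty:
        out.append(("info", "vty: 'login' but no password: Telnet refused (password required, but none set)"))
    return out
```

A type 7 string is a reversible encoding rather than a one-way hash, so the audit flags it alongside type 0 passwords; the type 5 enable secret is the only hashed password in these configs.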
Cisco CCNA Certification Exams Retiring In November - Get Certified Now!
by: Chris Bryant, CCIE #12933
If you’re working on the Cisco CCNA right now, or even thinking about it, there are changes coming to the CCNA program in November that you need to know about. No reason to worry: these changes are all good news for CCNA candidates.
And the first bit of good news is that you have plenty of time to take and pass the current CCNA exams. In this article, I will outline several advantages to taking the CCNA plunge now before these changes take effect.
The current CCNA exam (640-801) will not be phased out until November 6, which gives you more than enough time to get CCNA certified before then -- even if you haven’t started studying yet! Those of you who want to take the two-exam path to CCNA certification should know that the 640-811 ICND and 640-821 INTRO exams will be phased out on that same date.
Cisco’s taking the approach that the CCNA certification is no longer an entry-level certification, and this is a welcome change for CCNAs and CCNA candidates alike. I have been writing CCNA ebooks and teaching CCNA courses for several years, and I’ve always refused to call this an entry-level certification.
The new CCNA exam (640-802) looks to be even more demanding than the current exam, which is another reason to pick up the pace and get certified now! Here are just some of the new topics you’ll find on the 640-802 exam:
* Rapid Spanning Tree Protocol
* Switch security
* IP Version 6
* Router security
* Virtual Private Networks
* Wireless routing and more
Add these to the topics already found on the current CCNA exam, and you can see that the new CCNA exam will be even more demanding than the current version.
If you choose the two-exam path for the CCNA certification after November 6, you’ll need to take two ICND exams – ICND 1 (640-822) and ICND 2 (640-816). This is much tougher than the current path because the INTRO exam will be a thing of the past after November 6! (Passing the ICND 1 exam will earn you the new Cisco Certified Entry Networking Technician certification, Cisco’s new entry-level certification.)
The CCNA will be even more valuable with these changes, so again, even if you’ve just been thinking about earning the CCNA – now is the time!
The new CCNA exams will actually be available on August 1, but again, I want to emphasize that the current CCNA exams will be available through November 6. My advice to those who want to get CCNA certified before the change is to book your exam now, make sure you choose the right exam number – and get started studying!
Cisco CCNA Certification Exam FAQ: Discussing 640-801 And 640-802
by: Chris Bryant, CCIE #12933
The prestigious Cisco CCNA certification is going to become even more prestigious later this year - and from all accounts, even more difficult! The current 640-801 exam will be phased out on November 6, giving candidates plenty of time to prepare for that exam. The new 640-802 exam is actually being introduced August 1, giving CCNA candidates an option as to which exam to take.
Naturally, CCNA candidates have a lot of questions regarding these changes. I've prepared this FAQ to answer the most common questions arriving in my email inbox. If your question isn't answered here, send it to me and your question just might be in the next FAQ!
Q. Should I stop studying for the 640-801 exam?
A. Absolutely not. Actually, this should help you accelerate your efforts! Cisco has been kind enough to keep the current exam around through November 6, so you have more than enough time to pass the current version. Also, while I'm sure there will be some 640-802 study tools available soon, you won't have a wide selection until later this year. Never delay your career progress or your studies - hit those books and pass the 640-801!
On a personal note, I've taken Cisco certification exams for almost a decade as well as taking exams from other vendors for about 14 years, and I've never been big on taking a brand-new exam. Some people like to do so, though - it's all a matter of personal preference.
Q. What's this I hear about another Cisco certification being offered?
A. Cisco no longer views the CCNA as an entry-level exam, and I think that's a fantastic change. I have personally taught and written CCNA materials for several years, and I have never considered the CCNA to be entry-level. When you're troubleshooting OSPF virtual links, you are not working at entry level!
Cisco does recognize the need for an entry-level certification, and that's why they've developed the CCENT (Cisco Certified Entry Networking Technician) certification. I'll have more details on that in a future article, but earning the CCENT is not required to become a CCNA.
Q. Is there still going to be a one-exam path and a two-exam path to the CCNA?
A. Yes, and again, I expect it to be more difficult to earn either way. If you choose the two-exam path, you're actually going to take two ICND exams - ICND 1 (640-822) and ICND 2 (640-816). The INTRO exam for the current CCNA path will be phased out on November 6, along with the current ICND and CCNA exams. If you choose the two-exam path, passing the ICND 1 exam will make you a CCENT.
Q. Which topics will be dropped when the 640-801 exam is dropped?
A. Following the trend of other Cisco exams, the 640-802 exams will not test on ISDN. That's the only major topic I see so far that will be dropped. This exam isn’t getting any easier!
Q. Which topics will be added?
A. A *lot* of them. According to Cisco's CCNA exam blueprint, you can expect to see questions on Voice over IP, wireless, Rapid Spanning Tree Protocol (RSTP), SSH, and wireless security. This is an educated guess, but I'd expect to see even more on router and switch security as well.
Judging from that list, I expect the 640-802 CCNA exam to be even more challenging than the current version. Like I said, you have plenty of time to pass the current version! ;)
Don't see your question answered here? Send your CCNA question to chris@thebryantadvantage.com, and you just may see it answered in the next CCNA certification FAQ!
