• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 252

Cisco Router Enable Secret Issue

Hello.

I currently have a Cisco router that needs its enable secret password changed.
It's been a really long time since I've done any Cisco commands so I'm a little lost.

I've logged onto the router, enabled, conf t, and now when I run the "enable secret <password>" command it accepts the new password but it doesn't get changed when I disable and try to re-enable?

I remember something about in order to change a password for a user you need to use the username parameter in the command? I'm a little unsure why though as that is the only user that has access anyway?

Thanks!
0
Asked: dqnet
1 Solution
 
James HIT DirectorCommented:
Can you post the config of your router so we can take a closer look.
0
 
MattCommented:
try this:

no enable secret
enable secret your-new-password
0
 
Ken BooneNetwork ConsultantCommented:
So if the router is asking for a user login name then it is using the local login instead of using the secret password.  So if you are singing in with a username there will be a line in the config like this:

username jsmith secret password privilege 15

So you need to change it by reentering that command with the new secret password for that user.

Hope that helps.
0
 
dqnetAuthor Commented:
@Ken, exactly what I thought as that line is in fact there...! OK, I'll try it later.

But that line being there, does it mean there are other users? I just want one user only.
A little like one Windows Administrator, not multiple users who are Administrators
Just one way to get in with one user and NO other way to get in...

??
0
 
Ken BooneNetwork ConsultantCommented:
so if you issue this command:

show run | i username

it will show you how many usernames are configured.

you can delete them with the
no username xxxxxx
command and just leave one.
0
 
MattCommented:
You can define "privilege" with users on CISCO.

Privilege 15 is the same as "domain admin" in Windows AD world.

Enable secret is only for users who are not privileged, or if you try to log on via the console port just with the enable password. I don't recommend it; always use at least a locally defined user no matter how you access the box (console port, telnet or ssh).
0
 
dqnetAuthor Commented:
@ken, perfect, it shows only that username - now to confirm, nobody can enter this router except that user right?

@matt, yep, that's fine but my objective is to allow all protocols including console but only with a username and password stated in the show run | i username command that Ken provided.
0
 
Ken BooneNetwork ConsultantCommented:
Yea so if you do a show run and look at the bottom:

line con 0

line vty 0 4

if you want to login with username you need to add the command login local under both of those.  You might need to specify under line con 0
privilege level 15
0
 
dqnetAuthor Commented:
And that would guarantee no other login would work unless it was to be a password reset at physical level?

Also, when I did do the line before which was just enable secret <password> and it accepted it, what did it actually change?

Finally, when changing the password is the activity logged, like IP address and when it was done? Can it be cleared?

Thanks Ken!!
0
 
Ken BooneNetwork ConsultantCommented:
so there are only a handful of ways to log in to the router:

1 - physical access through the console port
i.e.

line con 0

2 - virtual access via telnet or ssh or web browser

If you had it set up like this:

----
enable secret testing
line vty 0 4
  password test
-----
When you start a telnet session it hits the vty (virtual ports) and it would ask you for a password.  That would be the password defined under the line vty command.

That would put you into the first level access with a prompt like this cisco-router>
Then you would have to enter the command enable to enter enable mode.
That would prompt you for an additional password.  That password is the enable secret password.

Now if you set up username authentication,  on the line vty 0 4 ports instead of password you would have a statement that says "login local"
That means you have to authenticate to the local username database.

You can't do both.  Same applies to the console port.  If you use login local it forces authentication through the local user database.

There are more in-depth ways of handling the username; it doesn't have to be local, you can use 3rd party authentication with AAA, but the concept is still the same.

If you issue the command show log
That will show you the log.  All you will see is that a configuration change was made by username but it won't show the ip address of the user.  clear log will clear it out.
0
 
dqnetAuthor Commented:
Hello Ken,

Sorry weekend rush and all that..!

Perfect, you summarized it so fantastically.

Just one last question - do I have to also add login local to the console in order to use the same username as the one used for "vty 0 4" or would it automatically make that a login necessary without adding the command under "con"..?

Ultimately I would like to make a single username with a single "enable secret" password that will work across con, vty, and ssh. So when one logs in, he would use the username created with a normal user password and then when you try to "enable" it would ask for another password which would be the enable secret password.  I want to avoid having any other way in.

Presently when I log in it asks for a username and the enable secret. If I try to use the enable password it will just say access denied, which is correct as I believe the normal password is automatically not used when you use "enable secret"...?
0
 
Ken BooneNetwork ConsultantCommented:
Yes, you would need to do login local on the console if you wanted it to use the username.  When you use the privilege command level 15, that puts the user in enable mode directly.  So it's just a single username/password login and you are at enable mode.  No need to enter enable at this point.

So remember
username "username" privilege 15 secret "password"

That secret password is for that specific username - it is different than the one that was defined in the command:  enable secret "password"

So when logging in with username privilege 15 the command enable secret has no effect.
0
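As an added illustration (this script is not part of the thread and not vendor tooling): the Python below takes a "show run" excerpt, splits it into global lines and "line con" / "line vty" sections, lists the local usernames with their privilege levels, and flags the points Ken and Matt raise above: a leftover "enable password" next to the enable secret, a line "password" that is ignored once "login local" is set, con/vty lines without "login local", usernames defined with "password" instead of "secret", and more than one local user when only one is wanted. Both config texts and all hash strings are constructed placeholders, not a real device's output.

```python
"""Audit a Cisco IOS running-config for the local-login setup discussed in the thread."""
import re

# Constructed sample: one privilege-15 user, plus leftovers that the audit should flag.
SAMPLE_RUNNING_CONFIG = """\
!
hostname cisco-router
!
enable secret 5 $1$EXAMPLE$placeholderhashxxxxxxxxxxx
enable password cisco
!
username jsmith privilege 15 secret 5 $1$EXAMPLE$placeholderhashyyyyyyyyyyy
username oldadmin password 7 0822455D0A16
!
line con 0
 login local
line vty 0 4
 password test
 login local
line vty 5 15
 transport input ssh
!
end
"""

# Constructed target state: single privilege-15 user, login local on every line, no line passwords.
HARDENED_CONFIG = """\
enable secret 5 $1$EXAMPLE$placeholderhashxxxxxxxxxxx
username jsmith privilege 15 secret 5 $1$EXAMPLE$placeholderhashyyyyyyyyyyy
line con 0
 login local
line vty 0 4
 login local
 transport input ssh
"""

# username <name> [privilege N] (secret|password) [type] <value>
USERNAME_RE = re.compile(
    r"^username (\S+)(?: privilege (\d+))? (secret|password)(?: (\d))? (\S+)"
)


def parse_config(text):
    """Return (global_lines, sections); sections maps 'con 0' etc. to its indented children."""
    global_lines, sections, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if line.startswith("line "):
            current = line[len("line "):]
            sections[current] = []
        elif line.startswith(" ") and current is not None:
            sections[current].append(line.strip())
        else:
            current = None          # back at global config level
            global_lines.append(line)
    return global_lines, sections


def parse_usernames(global_lines):
    """Extract local users; IOS defaults a username without 'privilege' to level 1."""
    users = []
    for line in global_lines:
        m = USERNAME_RE.match(line)
        if m:
            name, priv, kind, enc_type, _ = m.groups()
            users.append({"name": name, "privilege": int(priv) if priv else 1,
                          "kind": kind, "type": enc_type})
    return users


def audit(text):
    """Return a list of human-readable findings; an empty list means the config matches the target."""
    global_lines, sections = parse_config(text)
    users = parse_usernames(global_lines)
    findings = []
    if not users:
        findings.append("no local usernames defined")
    for u in users:
        if u["kind"] == "password":
            findings.append(f"username {u['name']} uses 'password' (type {u['type']}); use 'secret'")
    if len(users) > 1:
        findings.append(f"{len(users)} local usernames defined; remove extras with 'no username <name>'")
    if any(l.startswith("enable password") for l in global_lines):
        findings.append("'enable password' present alongside 'enable secret'; remove it")
    for name, children in sections.items():
        if not (name.startswith("con") or name.startswith("vty")):
            continue
        if "login local" not in children:
            findings.append(f"line {name}: missing 'login local'")
        if any(c.startswith("password") for c in children):
            findings.append(f"line {name}: line password set; unused under 'login local', remove it")
    return findings


if __name__ == "__main__":
    for label, cfg in (("sample", SAMPLE_RUNNING_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {label} ==")
        for f in audit(cfg) or ["no findings"]:
            print(" -", f)
```

Run it against a saved "show run" by reading the file into audit(); the regex only understands the "username ... secret/password" form shown on a running config, so AAA-server users (Ken's 3rd-party case) are outside its scope.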
 
dqnetAuthor Commented:
So when running the command when I am logged in with the username I want to be logged in as and type:
"enable secret password" it doesn't actually do anything despite accepting the command?
0
 
Ken BooneNetwork ConsultantCommented:
that is correct.  If you are using a local login with privilege 15, then the "enable secret command" has no effect.
0
 
dqnetAuthor Commented:
Thanks a million Ken! :)
0