Solved

Cisco Router Enable Secret Issue

Posted on 2015-02-05
Last Modified: 2015-02-10
Hello..

I currently have a Cisco router that needs its enable secret password changed.
It's been a really long time since I've done any Cisco commands, so I'm a little lost.

I've logged onto the router, enabled, conf t, and now when I run the "enable secret <password>" command it accepts the new password, but it doesn't get changed when I disable and try to re-enable?

I remember something about needing to use the username parameter in the command in order to change a password for a user? I'm a little unsure why, though, as that is the only user that has access anyway?

Thanks!
Question by:dqnet
15 Comments
 
LVL 17

Expert Comment

by:Spartan_1337
ID: 40591800
Can you post the config of your router so we can take a closer look.
0
 
LVL 6

Expert Comment

by:Matt
ID: 40591807
try this:

no enable secret
enable secret your-new-password
0
 
LVL 24

Expert Comment

by:Ken Boone
ID: 40591841
So if the router is asking for a user login name, then it is using the local login instead of the secret password. So if you are signing in with a username, there will be a line in the config like this:

username jsmith secret password privilege 15

So you need to change it by re-entering that command with the new secret password for that user.

Hope that helps.
0
 

Author Comment

by:dqnet
ID: 40591859
@Ken, exactly what I thought, as that line is in fact there...! OK, I'll try it later.

But that line being there, does it mean there are other users? I just want one user only.
A little like one Windows Administrator, not multiple users who are Administrators.
Just one way to get in with one user and NO other way to get in...

??
0
 
LVL 24

Expert Comment

by:Ken Boone
ID: 40591861
So if you issue this command:

show run | i username

it will show you how many usernames are configured.

You can delete them with the
no username xxxxxx command
and just leave one.
0
 
LVL 6

Expert Comment

by:Matt
ID: 40591866
You can define "privilege" for users on Cisco.

Privilege 15 is the same as "domain admin" in the Windows AD world.

Enable secret is only for users who are not privileged, or if you try to log on via the console port with just the enable password. I don't recommend it; always use at least a locally defined user no matter how you access the box (console port, telnet or ssh).
0
 

Author Comment

by:dqnet
ID: 40591900
@Ken, perfect, it shows only that username. Now to confirm, nobody can enter this router except that user, right?

@Matt, yep, that's fine, but my objective is to allow all protocols, including console, but only with the username and password shown by the show run | i username command that Ken provided.
0
 
LVL 24

Expert Comment

by:Ken Boone
ID: 40591981
Yeah, so if you do a show run and look at the bottom:

line con 0

line vty 0 4

If you want to log in with a username, you need to add the command login local under both of those. You might need to specify under line con 0:
privilege level 15
0
 

Author Comment

by:dqnet
ID: 40592706
And that would guarantee no other login would work unless it was a password reset at the physical level?

Also, when I did run the line before, which was just enable secret <password>, and it accepted it, what did it actually change?

Finally, when changing the password, is the activity logged, like the IP address and when it was done? Can it be cleared?

Thanks Ken!!
0
 
LVL 24

Accepted Solution

by:Ken Boone (earned 500 total points)
ID: 40593689
So there are only a handful of ways to log in to the router:

1 - physical access through the console port
i.e.

line con 0

2 - virtual access via telnet or ssh or web browser

If you had it set up like this:

----
enable secret testing
line vty 0 4
  password test
-----
When you started a telnet session, it hits the vty (virtual ports) and it would ask you for a password. That would be the password defined under the line vty command.

That would put you into the first level of access, with a prompt like this: cisco-router>
Then you would have to enter the command enable to enter enable mode.
That would prompt you for an additional password. That password is the enable secret password.

Now if you set up username authentication on the line vty 0 4 ports, instead of password you would have a statement that says "login local".
That means you have to authenticate to the local username database.

You can't do both. The same applies to the console port. If you use login local, it forces authentication through the local user database.

There are more in-depth ways of handling the username; it doesn't have to be local, you can use third-party authentication with AAA, but the concept is still the same.

If you issue the command show log
that will show you the log. All you will see is that a configuration change was made by username, but it won't show the IP address of the user. clear log will clear it out.
0
 

Author Comment

by:dqnet
ID: 40598282
Hello Ken,

Sorry weekend rush and all that..!

Perfect, you summarized it so fantastically.

Just one last question: do I have to also add login local to the console in order to use the same username as the one used for "vty 0 4", or would it automatically make a login necessary without adding the command under "con"?

Ultimately I would like to make a single username with a single "enable secret" password that will work across con, vty, and ssh. So when one logs in, he would use the username created with a normal user password, and then when you try to "enable" it would ask for another password, which would be the enable secret password. I want to avoid having any other way in.

Presently, when I log in it asks for a username and the enable secret. If I try to use the enable password it will just say access denied, which is correct, as I believe the normal password is automatically not used when you use "enable secret"...?
0
 
LVL 24

Expert Comment

by:Ken Boone
ID: 40598370
Yes, you would need to do login local on the console if you wanted it to use the username. When you use the privilege 15 command, that puts the user in enable mode directly. So it's just a single username/password login and you are at enable mode. No need to enter enable at this point.

So remember:
username "username" privilege 15 secret "password"

That secret password is for that specific username. It is different from the one that was defined in the command: enable secret "password"

So when logging in with a username at privilege 15, the command enable secret has no effect.
0
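The two answers above (the accepted solution on vty/console passwords versus "login local", and the follow-up on "username ... privilege 15 secret") describe a single target state for the running config. The script below is an added example written for this thread, not Cisco code and not from any poster: it parses "show running-config" text and reports where that state is not met. Both configs it checks are constructed samples; the hostname, the user jsmith (taken from Ken's example), the hash strings and the "backup" user are made up for illustration.

```python
"""Audit a Cisco IOS 'show running-config' against the login model from
the thread: one local user with 'privilege 15 secret', 'login local' on
both the console and the vty lines, an 'enable secret' present, and no
leftover line passwords.  Added example; config text is constructed.
"""
import re
from typing import Dict, List

# Constructed "before" state: vty still uses a line password with plain
# 'login', and there is a second user whose credential is a reversible
# type-7 'password' rather than a 'secret'.  Hash strings are dummies.
WEAK_CONFIG = """\
hostname edge-rtr
enable secret 5 $1$SALT$XXXXXXXXXXXXXXXXXXXXXX
username jsmith privilege 15 secret 5 $1$SALT$YYYYYYYYYYYYYYYYYYYYYY
username backup password 7 0123456789ABCD
!
line con 0
 login local
line vty 0 4
 password test
 login
 transport input ssh
!
"""

# Constructed "after" state: the configuration the thread converges on.
HARDENED_CONFIG = """\
hostname edge-rtr
enable secret 5 $1$SALT$XXXXXXXXXXXXXXXXXXXXXX
username jsmith privilege 15 secret 5 $1$SALT$YYYYYYYYYYYYYYYYYYYYYY
!
line con 0
 login local
line vty 0 4
 login local
 transport input ssh
!
"""

USERNAME_RE = re.compile(r"^username (\S+)(.*)$")
LINE_RE = re.compile(r"^line (con \d+|aux \d+|vty \d+ \d+)$")


def parse_config(text: str) -> Dict:
    """Collect usernames, whether an enable secret exists, and the
    sub-commands under each 'line ...' section (indented lines)."""
    users: List[Dict] = []
    lines: Dict[str, List[str]] = {}
    enable_secret = False
    current = None
    for raw in text.splitlines():
        if raw.startswith(" ") and current is not None:
            lines[current].append(raw.strip())   # sub-command of a line section
            continue
        current = None                           # any top-level command ends a section
        cmd = raw.strip()
        m = LINE_RE.match(cmd)
        if m:
            current = m.group(1)
            lines[current] = []
            continue
        if cmd.startswith("enable secret "):
            enable_secret = True
            continue
        m = USERNAME_RE.match(cmd)
        if m:
            rest = m.group(2)
            priv = re.search(r"privilege (\d+)", rest)
            users.append({
                "name": m.group(1),
                "privilege": int(priv.group(1)) if priv else 1,  # IOS default level
                "secret": " secret " in rest,       # one-way hashed credential
                "password": " password " in rest,   # type 0/7, reversible
            })
    return {"users": users, "enable_secret": enable_secret, "lines": lines}


def audit(cfg: Dict) -> List[str]:
    """Return findings against the single-user, login-local model."""
    findings: List[str] = []
    if not cfg["enable_secret"]:
        findings.append("no 'enable secret' configured")
    users = cfg["users"]
    if not users:
        findings.append("no local username configured")
    if len(users) > 1:
        findings.append("more than one username: " + ", ".join(u["name"] for u in users))
    for u in users:
        if u["password"] and not u["secret"]:
            findings.append(f"username {u['name']} uses reversible 'password' instead of 'secret'")
    for name in ("con 0", "vty 0 4"):
        sub = cfg["lines"].get(name)
        if sub is None:
            findings.append(f"line {name} not found")
            continue
        if "login local" not in sub:
            findings.append(f"line {name}: missing 'login local'")
        if any(s.startswith("password ") for s in sub):
            findings.append(f"line {name}: line password still present")
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit(parse_config(text)) or "OK")
```

Run it against a saved "show run" by replacing the constructed strings with the file contents; the "weak" sample yields four findings (the extra user, its type-7 password, and the vty line still using a line password without "login local"), while the hardened sample yields none. The check deliberately treats a stray "password" under a line as a finding even when "login local" is also present, since the thread's goal is a single way in with nothing left over.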
 

Author Comment

by:dqnet
ID: 40600694
So when I am logged in with the username I want to be logged in as and type:
"enable secret password", it doesn't actually do anything, despite accepting the command?
0
 
LVL 24

Expert Comment

by:Ken Boone
ID: 40600702
That is correct. If you are using a local login with privilege 15, then the "enable secret" command has no effect.
0
 

Author Comment

by:dqnet
ID: 40600830
Thanks a million Ken! :)
0
