Turn on the enable password on router?

Answered Question
Aug 1st, 2007

How can I turn on the enable password on a router?

I have tried; do I need a restart?

Current configuration : 3539 bytes

!

! Last configuration change at 13:39:20 UTC Wed Aug 1 2007 by itacc355

! NVRAM config last updated at 13:39:10 UTC Wed Aug 1 2007 by itacc355

!

version 12.3

no service pad

service timestamps debug datetime msec

service timestamps log datetime msec

service password-encryption

!

hostname dfgdfgdg

!

logging buffered 8192 warnings

enable password 7 00124207070B06

!

username 1234 privilege 15 password 7 14441C1F5F162C272D

no aaa new-model

ip subnet-zero

ip tftp source-interface Ethernet0

ip dhcp excluded-address 172.19.3.1 172.19.3.10

!

ip dhcp pool client

network 172.19.3.0 255.255.255.0

default-router 172.19.3.1

dns-server 192.168.21.1 192.168.21.2

lease 0 2

!

!

ip inspect name outbound tcp

ip inspect name outbound udp

ip inspect name outbound ftp

ip inspect name outbound http

ip inspect name outbound icmp

ip audit notify log

ip audit po max-events 100

no ftp-server write-enable

!

!

!

!

crypto isakmp policy 1

encr 3des

hash md5

authentication pre-share

group 2

crypto isakmp key 0 ********* address **********

!

!

crypto ipsec transform-set **** esp-3des esp-md5-hmac

!

crypto map **** 10 ipsec-isakmp

set peer *****

set transform-set ****

match address 101

!

!

!

!

interface Ethernet0

ip address 172.19.3.1 255.255.255.0

ip inspect outbound in

hold-queue 100 out

!

interface ATM0

no ip address

no ip unreachables

no atm ilmi-keepalive

pvc 0/38

encapsulation aal5mux ppp dialer

dialer pool-member 1

!

dsl operating-mode auto

!

interface Dialer1

ip address negotiated

ip access-group inbound_acl in

no ip unreachables

encapsulation ppp

dialer pool 1

dialer-group 1

ppp authentication chap pap callin

ppp chap hostname ******

ppp chap password 7 080740471D0E0C1419240A0223282179

crypto map *****

!

ip classless

ip route 0.0.0.0 0.0.0.0 Dialer1

ip http server

ip http authentication local

ip http secure-server

!

!

ip access-list extended inbound_acl

permit udp any any eq isakmp

permit esp any any

deny icmp any any timestamp-request

deny icmp any any timestamp-reply

permit icmp any any

permit udp any any eq ntp

permit tcp * 0.0.0.31 any eq telnet

permit tcp * 0.0.0.31 any eq 22

permit tcp * 0.0.0.31 any eq ftp-data

permit tcp * 0.0.0.31 any eq ftp

permit tcp * 0.0.0.31 any eq www

permit tcp * 0.0.0.31 any eq 443

permit ip 192.168.200.0 0.0.0.255 172.19.3.0 0.0.0.255

logging trap warnings

logging facility local4

logging source-interface Ethernet0

access-list 50 permit *****

access-list 101 permit ip 172.19.3.0 0.0.0.255 any

dialer-list 1 protocol ip permit

snmp-server community *** RO

snmp-server enable traps tty

snmp-server host **** RO

!

line con 0

no modem enable

line aux 0

line vty 0 4

access-class 50 in

privilege level 15

login local

length 0

!

scheduler max-task-time 5000

sntp server 158.43.128.33

!

end

sundar.palaniappan Wed, 08/01/2007 - 05:50

Normally, just configuring the enable password is good enough for the router to prompt for an enable password. Your existing configuration puts the user directly into privilege exec mode without having to enter the enable password.

Try this config.

line vty 0 15

no privilege level 15

no username 1234 privilege 15 password 7 14441C1F5F162C272D

username 1234 password 7 14441C1F5F162C272D

HTH

Sundar

whiteford Wed, 08/01/2007 - 05:54

I will do. Is it normal to have a config like mine? I was trying to enable the SDM, which said I need this.

Also, if I do a show flash, why on line 2 is there an sdm.tar [delete]? Is this file still using the flash mem?

sundar.palaniappan Wed, 08/01/2007 - 06:01

SDM is probably a tool geared towards people who have limited knowledge of Cisco gear. Hence, for simplicity's sake, they would have done this. But it's your router; you should try and make it more secure as much as you can. I haven't used SDM myself and hence can't comment on the 2nd part of your question.

HTH

Sundar

whiteford Wed, 08/01/2007 - 06:11

No SDM means more secure, I take it?

I still don't get prompted for an enable password:

line vty 0 4

access-class 50 in

login local

length 0

I have re-entered the username *** privilege 15 password ****

Correct Answer
sundar.palaniappan Wed, 08/01/2007 - 06:15

Try the username and password without the 'privilege 15 password' keyword. It should be like this.

username 1234 password 7 14441C1F5F162C272D
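
An added example, not part of the original thread: a small Python check that flags the two statements the answers above remove, the `privilege 15` keyword on a `username` and `privilege level 15` under a `line`. The three sample configurations are constructed excerpts of the states the router goes through in this discussion, with password strings replaced by a placeholder; the function name is hypothetical.

```python
import re

# Constructed excerpts of the three states the router passes through in this
# thread; password strings are replaced by a placeholder.
ORIGINAL = """\
enable password 7 <redacted>
username 1234 privilege 15 password 7 <redacted>
line vty 0 4
 access-class 50 in
 privilege level 15
 login local
"""
SECOND_TRY = """\
enable password 7 <redacted>
username 1234 privilege 15 password 7 <redacted>
line vty 0 4
 access-class 50 in
 login local
"""
FIXED = SECOND_TRY.replace("username 1234 privilege 15", "username 1234")


def enable_bypass_findings(config):
    """List the statements that drop a login straight into privilege level 15."""
    findings = []
    line_block = None  # most recent "line ..." header seen
    for raw in config.splitlines():
        stmt = raw.strip()
        if stmt.startswith("line "):
            line_block = stmt
            continue
        user = re.match(r"username (\S+) privilege 15\b", stmt)
        if user:
            findings.append(f"username {user.group(1)} is created at privilege 15")
        # The bare form "privilege level N" is a line sub-command, so it is
        # attributed to the last line header even if a paste lost its indentation.
        if line_block and stmt == "privilege level 15":
            findings.append(f"{line_block} starts sessions at privilege level 15")
    return findings


if __name__ == "__main__":
    for name, cfg in (("original", ORIGINAL), ("second try", SECOND_TRY), ("fixed", FIXED)):
        print(name, "->", enable_bypass_findings(cfg) or "no bypass found")
```

The second sample matches the point in the thread where the line setting had been removed but the user was re-entered with `privilege 15`, which is why one finding remains.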

whiteford Wed, 08/01/2007 - 06:25

Thanks, that fixed it. So if there is no SDM, it could be classed as more secure?

sundar.palaniappan Wed, 08/01/2007 - 06:32

Glad it works now :-)

I am not saying SDM is insecure as a whole. But isn't having the router prompt for two logins (login + enable login) better than one? You would learn more by using the CLI method, and you would have a wide range of configuration options with that.

HTH

Sundar
