08-01-2007 05:43 AM - edited 03-03-2019 06:07 PM
How can I turn on the enable password on a router?
I have tried; do I need a restart?
Current configuration : 3539 bytes
!
! Last configuration change at 13:39:20 UTC Wed Aug 1 2007 by itacc355
! NVRAM config last updated at 13:39:10 UTC Wed Aug 1 2007 by itacc355
!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname dfgdfgdg
!
logging buffered 8192 warnings
enable password 7 00124207070B06
!
username 1234 privilege 15 password 7 14441C1F5F162C272D
no aaa new-model
ip subnet-zero
ip tftp source-interface Ethernet0
ip dhcp excluded-address 172.19.3.1 172.19.3.10
!
ip dhcp pool client
network 172.19.3.0 255.255.255.0
default-router 172.19.3.1
dns-server 192.168.21.1 192.168.21.2
lease 0 2
!
!
ip inspect name outbound tcp
ip inspect name outbound udp
ip inspect name outbound ftp
ip inspect name outbound http
ip inspect name outbound icmp
ip audit notify log
ip audit po max-events 100
no ftp-server write-enable
!
!
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key 0 ********* address **********
!
!
crypto ipsec transform-set **** esp-3des esp-md5-hmac
!
crypto map **** 10 ipsec-isakmp
set peer *****
set transform-set ****
match address 101
!
!
!
!
interface Ethernet0
ip address 172.19.3.1 255.255.255.0
ip inspect outbound in
hold-queue 100 out
!
interface ATM0
no ip address
no ip unreachables
no atm ilmi-keepalive
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
dsl operating-mode auto
!
interface Dialer1
ip address negotiated
ip access-group inbound_acl in
no ip unreachables
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname ******
ppp chap password 7 080740471D0E0C1419240A0223282179
crypto map *****
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip http server
ip http authentication local
ip http secure-server
!
!
ip access-list extended inbound_acl
permit udp any any eq isakmp
permit esp any any
deny icmp any any timestamp-request
deny icmp any any timestamp-reply
permit icmp any any
permit udp any any eq ntp
permit tcp * 0.0.0.31 any eq telnet
permit tcp * 0.0.0.31 any eq 22
permit tcp * 0.0.0.31 any eq ftp-data
permit tcp * 0.0.0.31 any eq ftp
permit tcp * 0.0.0.31 any eq www
permit tcp * 0.0.0.31 any eq 443
permit ip 192.168.200.0 0.0.0.255 172.19.3.0 0.0.0.255
logging trap warnings
logging facility local4
logging source-interface Ethernet0
access-list 50 permit *****
access-list 101 permit ip 172.19.3.0 0.0.0.255 any
dialer-list 1 protocol ip permit
snmp-server community *** RO
snmp-server enable traps tty
snmp-server host **** RO
!
line con 0
no modem enable
line aux 0
line vty 0 4
access-class 50 in
privilege level 15
login local
length 0
!
scheduler max-task-time 5000
sntp server 158.43.128.33
!
end
08-01-2007 05:50 AM
Normally just configuring the enable password is good enough for the router to prompt for an enable password. Your existing configuration puts the user directly into privilege exec mode without having to enter the enable password.
Try this config.
line vty 0 15
no privilege level 15
no username 1234 privilege 15 password 7 14441C1F5F162C272D
username 1234 password 7 14441C1F5F162C272D
HTH
Sundar
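As an added example (not part of the original thread and not a Cisco tool), the Python check below looks for the two settings this answer removes: `privilege level 15` on a line, and a `privilege 15` username used with `login local`. The function name and sample configs are hypothetical and constructed, written unindented like the paste above, with secrets replaced by placeholders.

```python
import re

# Constructed sample modelled on the posted configuration (secrets replaced).
SAMPLE_BEFORE = """\
enable password 7 <redacted>
username 1234 privilege 15 password 7 <redacted>
line con 0
no modem enable
line vty 0 4
access-class 50 in
privilege level 15
login local
!
end
"""
# The same config after the change suggested in the answer.
SAMPLE_AFTER = (SAMPLE_BEFORE
                .replace("username 1234 privilege 15", "username 1234")
                .replace("privilege level 15\n", ""))

def find_enable_bypass(config):
    """Return (has_enable, findings) for IOS running-config text.

    Each finding is (kind, line_block, user) and names a setting that
    places a session at level 15 without the enable prompt.
    """
    priv_users, line_priv, local_lines = [], [], []
    has_enable, current = False, None
    for raw in config.splitlines():
        cmd = raw.strip()
        if not cmd or cmd.startswith("!") or cmd == "end":
            current = None              # separator closes a line block
            continue
        if cmd.startswith("no "):
            continue                    # negated commands grant nothing
        if cmd.startswith(("enable password ", "enable secret ")):
            has_enable = True
        m = re.match(r"username (\S+) privilege (\d+)\b", cmd)
        if m and int(m.group(2)) == 15:
            priv_users.append(m.group(1))
        if cmd.startswith("line "):
            current = cmd               # e.g. "line vty 0 4"
        elif current and cmd == "privilege level 15":
            line_priv.append(current)
        elif current and cmd == "login local":
            local_lines.append(current)
    findings = [("line-privilege-15", ln, None) for ln in line_priv]
    findings += [("user-privilege-15", ln, user)
                 for ln in local_lines for user in priv_users]
    return has_enable, findings
```

An empty findings list alongside `has_enable` being true corresponds to the state reached at the end of the thread, where the router prompts for the enable password.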
08-01-2007 05:54 AM
I will do. Is it normal to have a config like mine? I was trying to enable the SDM, which said I need this.
Also, if I do a show flash, why on line 2 is there a sdm.tar [delete]? Is this file still using the flash mem?
08-01-2007 06:01 AM
SDM probably is a tool geared towards people who have limited knowledge of Cisco gear. Hence, for simplicity sake they would have done this. But it's your router you should try and make it more secure as much as you can. I haven't used SDM myself and hence comment on the 2nd part of your question.
HTH
Sundar
08-01-2007 06:11 AM
No SDM means more secure, I take it?
I still don't get prompted for an enabled password:
line vty 0 4
access-class 50 in
login local
length 0
I have re-entered the username *** privilege 15 password ****
08-01-2007 06:15 AM
Try the username and password without the 'privilege 15 password' keyword. It should be like this.
username 1234 password 7 14441C1F5F162C272D
08-01-2007 06:25 AM
Thanks, that fixed it. So if there is no SDM it could be classed as more secure?
08-01-2007 06:32 AM
Glad it works now :-)
I am not saying SDM is insecure as a whole. But isn't having the router prompt for two logins (login + enable login) better than one? You would learn more by using the CLI method and you would have a wide range of configuration options with that.
HTH
Sundar
08-01-2007 06:35 AM
Thanks, CLI is the command line method?
08-01-2007 06:38 AM
Correct.