Enable secret

fdharris1956
Level 1

I am a newbie, having just recently acquired my CCNA. I have a new 2811 that I am configuring and the login process is not working as I am used to seeing it work. During the initial setup of the router, I followed the instructions in the banner that indicated I should configure a user and password using the following command:

username router privilege 15 secret 5 password

The privilege keyword is not something I have seen before. I have since researched it and understand it but I think this command is getting in the way of the "standard" login procedure I am used to seeing; in other words, entering a console or vty password followed by using the "enable" command and entering the enable password to get into privileged mode. As it stands now, I can telnet to the router, enter the username and password and get right into privileged mode. I can't decide if this is a security issue or not. The password that is associated with this login method is encrypted just like the enable password I am used to so it seems as though it should be OK. I also configured vty and console passwords on this router but I am now wondering if they are necessary. Will this "privileged" command suffice for both vty and console access? Can anybody shed any light on this for me?

Thank you.

Dan Harris

2 Replies

Farrukh Haroon
VIP Alumni

Dan, if you enter the privilege 15 command this will take you directly to the enabled mode. This is the 'expected' behavior. If you don't want this to happen, change it to:

no username router privilege 15 secret 5 password

username router secret 5 password

Making CLI users log in 'directly' into the enable/privileged mode is considered 'less' secure. But that is relative to your security policy and usability requirements. However, you will require a privilege 15 user if you plan to use the web interface to manage the box.

Regards

Farrukh

Farrukh,

Thanks for the help.

Dan Harris
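
Added example (not part of the thread and not Cisco tooling): a small Python audit that reads a running-config and reports which local users carry privilege 15, and so reach enable mode at login, and which lines authenticate with `login local` rather than the line password. The sample config is constructed, the function names are hypothetical, and it assumes `aaa new-model` is not configured.

```python
import re

# Constructed sample running-config (not from the thread); secrets are placeholders.
SAMPLE_CONFIG = """\
enable secret 5 <placeholder-hash>
username router privilege 15 secret 5 <placeholder-hash>
username operator secret 5 <placeholder-hash>
line con 0
 password 7 <placeholder-string>
 login
line vty 0 4
 password 7 <placeholder-string>
 login local
"""

USER_RE = re.compile(
    r"^username\s+(?P<name>\S+)"
    r"(?:\s+privilege\s+(?P<priv>\d+))?"
    r"\s+(?P<kind>secret|password)\s"
)

def audit_local_users(config):
    """One record per local user; privilege 15 users land in enable mode at login."""
    users = []
    for line in config.splitlines():
        m = USER_RE.match(line)
        if m:
            priv = int(m.group("priv") or 1)  # IOS default when no privilege keyword is given
            users.append({"user": m.group("name"), "privilege": priv,
                          "skips_enable": priv == 15, "stored_as": m.group("kind")})
    return users

def audit_line_logins(config):
    """Map each 'line ...' block to 'local', 'line-password' or 'no-login-statement'."""
    methods, current = {}, None
    for line in config.splitlines():
        if line.startswith("line "):
            current = line.strip()
            methods[current] = "no-login-statement"
        elif current and line.startswith(" "):
            stmt = line.strip()
            if stmt == "login local":      # authenticates against the username database
                methods[current] = "local"
            elif stmt == "login":          # authenticates against the line password
                methods[current] = "line-password"
        else:
            current = None                 # left the line block
    return methods

if __name__ == "__main__":
    for user in audit_local_users(SAMPLE_CONFIG):
        print(user)
    print(audit_line_logins(SAMPLE_CONFIG))
```

On the constructed sample, the vty line uses the local user database, so its line password is never consulted, while the console still uses its line password.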