Solved: Configure password for "configure terminal" access

Gideon Goddard · ‎11-30-2015

Hello,

I know how to configure a password when a user try to connect on the router locally, the "enable password".

R1(config)#enable password mypassword

But I can't figure out how to do the same when a user want to configure the router..

Can you help me ?

Thanks :)

Peter Paluch · ‎11-30-2015

Hi Antoine,

There is no easy way of protecting the configure terminal command with a password. The basic Cisco command line only allows you to protect the router when logging in (accessing the command line), and when using the enable command to become a user with elevated privileges.

There are certain mechanisms using a centralized server or an approach called "views" that could be used to protect the access to the configure terminal command with additional authentication/authorization, but both of them are complex to set up and maintain. For the sake of simplicity, it is safe to assume that protecting the configure terminal command with an extra password is not possible.

Best regards,
Peter

View solution in original post

Peter Paluch · ‎11-30-2015

Hi Antoine,

There is no easy way of protecting the configure terminal command with a password. The basic Cisco command line only allows you to protect the router when logging in (accessing the command line), and when using the enable command to become a user with elevated privileges.

There are certain mechanisms using a centralized server or an approach called "views" that could be used to protect the access to the configure terminal command with additional authentication/authorization, but both of them are complex to set up and maintain. For the sake of simplicity, it is safe to assume that protecting the configure terminal command with an extra password is not possible.

Best regards,
Peter

Masoud Pourshabanian · ‎11-30-2015

Hello,

If I understood correctly, you are asking about configuration by telnet or SSH as opposed to console.

For Telnet,

Config terminal

line vty 0 15

password mypassword

login

***********************

Telnet is not secure so you should use SSH.

*******************

Config terminal

username cisco secret cisco [use your own user and password]

Ip domain-name cisco

Ip ssh version 2

crypto key generate RSA

line vty 0 15

login local

service-password encryption ( just protects password from over shoulder look)

Remember to config enable password

*******************************************

The configuration above was just a basic config for telnet and SSH connectivity.

As Peter mentioned, using centerized server gives you much better protection.

Hope it helps,

Masoud

Gideon Goddard · ‎12-02-2015

Sorry I was just asking how to check user with a password when he tries to go in configure mode :

R1#conf t

(ask for a password)

R1(config)#

Sorry if I wasn't meaningful.

elnekramer · ‎12-01-2015

Hi

The command R1(config)#enable password mypassword is the correct global configuration command for configuring a password for enable or configuration mode.

You can also use R1(config)#enable secret mypassword as this will encrypt the password.

To add password for connecting (tellnetting or ssh) to vty, you use

R1config t

R1(config)#line vty 0 4

R1(config-line)#password mypassword

in line configuration mode

and for the console password:

R1config t

R1(config)#line con 0

R1(config-line)#password mypassword

Hope this helps

Gideon Goddard · ‎12-02-2015

Sorry I was just asking how to check user with a password when he tries to go in configure mode :

R1#conf t

(ask for a password)

R1(config)#

Sorry if I wasn't meaningful.

Peter Paluch · ‎12-02-2015

Hi Antoine,

I was just asking how to check user with a password when he tries to go in configure mode

Unfortunately, this is not supported on Cisco IOS-based devices.

Best regards,
Peter