
Howto Setup Cisco Router Auxiliary, Console and Telnet Passwords


Dec 18 2007

There are five passwords used to secure your Cisco routers: console, auxiliary, telnet
(VTY), enable password, and enable secret. Just as you learned earlier in the chapter, the last two
passwords (enable password and enable secret) are used to set your enable password that's used
to secure privileged mode. This will prompt a user for a password when the enable command is
used. The other three are used to configure a password when user mode is accessed either through
the console port, through the auxiliary port, or via Telnet.
Cisco Router Auxiliary Password Setup
To configure the auxiliary password, go into global configuration mode and type line aux ?. You
can see here that you only get a choice of 0-0 (that's because there's only one port):
Router#config t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#line aux ?
<0-0> First Line number
Router(config)#line aux 0
Router(config-line)#login
Router(config-line)#password admin
It's important to remember the login command, or the auxiliary port won't prompt for
authentication. Now watch what happens when you try to set the Aux on the newer IOS that
Cisco has released:
2600A#config t
Enter configuration commands, one per line. End with CNTL/Z.
2600A(config)#line aux 0
2600A(config-line)#login
% Login disabled on line 65, until 'password' is set
2600A(config-line)#
Cisco has begun this process of not letting you set the login command before a password is set
on a line because if you set the login command under a line, and then don't set a password, the
line won't be usable. And it will prompt for a password that doesn't exist. So this is a good thing:
a feature, not a hassle!
Cisco Router Console Password Setup

To set the console password, use the line console 0 command. But look at what happened when I
tried to type line console ? from the aux line configuration: you should receive an error. You
can still type line console 0 and it will accept it, but the help screens just don't work from that
prompt. Type exit to get back one level and you'll find that your help screens now work. This is a
feature. Really.
Example
Router(config-line)#line console ?
% Unrecognized command
Router(config-line)#exit
Router(config)#line console ?
<0-0> First Line number
Router(config)#line console 0
Router(config-line)#password admin1
Router(config-line)#login
Since there's only one console port, you can only choose line console 0. You can set all your line
passwords to the same password, but for security reasons, I'd recommend that you make them
different.
There are a few other important commands to know for the console port.
For one, the exec-timeout 0 0 command sets the timeout for the console EXEC session to zero,
which basically means to never time out. The default timeout is 10 minutes. (If you're feeling
mischievous, try this on people at work: Set it to 0 1. That will make the console time out in 1
second! And to fix it, you have to continually press the Down arrow key while changing the
timeout time with your free hand!)
logging synchronous is a very cool command, and it should be a default command, but it's not. It
stops annoying console messages from popping up and disrupting the input you're trying to type.
The messages still pop up, but you are returned to your router prompt without your input
interrupted. This makes your input messages oh-so-much easier to read.
Here's an example of how to configure both commands:
Router(config)#line con 0
Router(config-line)#exec-timeout ?
<0-35791> Timeout in minutes
Router(config-line)#exec-timeout 0 ?
<0-2147483> Timeout in seconds
Router(config-line)#exec-timeout 0 0
Router(config-line)#logging synchronous
Cisco Router Telnet Password Setup

To set the user-mode password for Telnet access into the router, use the line vty command.
Routers that aren't running the Enterprise edition of the Cisco IOS default to five VTY lines, 0
through 4. But if you have the Enterprise edition, you'll have significantly more. The best way to
find out how many lines you have is to use that question mark:
Router(config-line)#line vty 0 ?
<1-4> Last Line Number
Router(config-line)#line vty 0 4
Router(config-line)#password admin2
Router(config-line)#login
You may or may not have to set the login command before the password on the VTY lines; it
depends on the IOS version. The result is the same either way.
So what will happen if you try to telnet into a router that doesn't have a VTY password set?
You'll receive an error stating that the connection is refused because, well, the password isn't set.
So, if you telnet into a router and receive this message:
Router#telnet SFRouter
Trying SFRouter (10.0.0.1)...Open
Password required, but none set
[Connection to SFRouter closed by foreign host]
Router#
then the remote router (SFRouter in this example) does not have the VTY (telnet) password set.
But you can get around this and tell the router to allow Telnet connections without a password by
using the no login command:
Router(config-line)#line vty 0 4
Router(config-line)#no login
After your routers are configured with an IP address, you can use the Telnet program to
configure and check your routers instead of having to use a console cable. You can use the Telnet
program by typing telnet from any command prompt (DOS or Cisco).
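
An added example (not from the original post): a small Python audit that scans the line stanzas of a saved configuration for the pitfalls described above, namely no login on a line, login with no password, a password without login, exec-timeout 0 0, and one password reused across lines. The sample configuration is constructed, the function names are hypothetical, and it assumes plaintext password lines as shown on this page.

```python
import re

# Constructed sample configuration (not taken from the original page).
SAMPLE_CONFIG = """\
line con 0
 exec-timeout 0 0
 password admin1
 login
line aux 0
 login
line vty 0 4
 password admin1
 no login
"""

def parse_line_stanzas(config):
    """Map each 'line con|aux|vty ...' stanza to its list of sub-commands."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        m = re.match(r"line\s+(con(?:sole)?|aux|vty)\s+(\d+(?:\s+\d+)?)\s*$", raw)
        if m:
            current = f"{m.group(1)[:3]} {m.group(2)}"
            stanzas[current] = []
        elif raw.startswith(" ") and current:
            stanzas[current].append(raw.strip())
        else:
            current = None  # any other top-level command ends the stanza
    return stanzas

def audit(config):
    """Return (line, issue) findings; assumes plaintext 'password' lines."""
    findings, seen = [], {}
    for name, cmds in parse_line_stanzas(config).items():
        pw = next((c.split(None, 1)[1] for c in cmds if c.startswith("password ")), None)
        if "no login" in cmds:
            findings.append((name, "no login: access granted without a password"))
        elif "login" in cmds and pw is None:
            findings.append((name, "login without password: line is unusable"))
        elif pw is not None and "login" not in cmds:
            findings.append((name, "password without login: no prompt shown"))
        if "exec-timeout 0 0" in cmds:
            findings.append((name, "exec-timeout 0 0: session never times out"))
        if pw is not None and seen.setdefault(pw, name) != name:
            findings.append((name, f"password reused from line {seen[pw]}"))
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE_CONFIG), sep="\n")
```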
