5.3 Device Access and Local Passwords Flashcards
Configure and verify device access control using local passwords. (21 cards)
Define:
local authentication
A method where users log in using credentials stored on the device.
Local authentication is used when no external authentication servers (AAA) are configured.
What command sets a local username and password on a Cisco device?
username <user> secret <password>
The secret keyword encrypts the password, unlike password, which is stored in plain text.
What happens when no local password is set on a console or VTY line?
VTY access is denied without a password, while console access is open unless login is enforced.
By default, Cisco devices allow console access without a password unless explicitly configured with the login command.
List three types of passwords used to secure access on Cisco devices.
- Console password
- VTY (Telnet/SSH) password
- Enable secret password
Console password – Secures access to the device via the physical console port.
VTY (Telnet/SSH) password – Controls remote access through Telnet or SSH sessions.
Enable secret password – Protects privileged EXEC mode with an encrypted password.
True or False:
The ‘enable password’ command is more secure than ‘enable secret’.
False
‘enable secret’ encrypts the password with MD5, while enable password stores it in plain text.
Fill in the blank:
The command to encrypt plain-text passwords in a Cisco configuration is ______ ______.
service password-encryption
This command prevents casual viewing of passwords in the configuration file but uses weak encryption (Type 7).
What command enables password authentication for console access?
line console 0 → password <password> → login
Without the login command, the password is ignored.
What happens if both enable password and enable secret are configured?
The device prioritizes enable secret over enable password.
‘enable password’ is ignored when ‘enable secret’ is set.
Why use an enable secret password over enable password?
It provides better security through encryption.
MD5 hashing protects enable secret passwords, whereas enable password is stored in plaintext.
List two ways to strengthen password security on Cisco devices.
- Use enable secret instead of enable password
- Enforce password complexity with minimum length, uppercase, lowercase, numbers, and special characters.
Implementing enable secret ensures that the password is stored using a more secure hashing algorithm. Additionally, enforcing password complexity rules enhances security by making passwords more resistant to brute-force attacks.
True or False:
The enable secret password can be decrypted by default.
False
It is hashed with MD5, making it non-reversible.
Why should Telnet be disabled on production devices?
It transmits credentials in plaintext.
SSH is recommended since it encrypts login credentials, preventing eavesdropping attacks.
What command restricts remote access to only SSH connections?
transport input ssh
This is configured under line vty mode to block insecure Telnet access.
What does show running-config | include password display?
It filters and displays all configured passwords.
This command helps administrators review password configurations while troubleshooting.
What command verifies user login attempts and authentication methods?
show login
This command tracks failed and successful login attempts, along with the authentication methods used.
Fill in the blank:
The command ______ ______ ______ allows the device to display login failure messages.
login on-failure log
This feature helps track failed login attempts to detect potential security threats.
What command logs failed login attempts and temporarily locks accounts?
login block-for <time> attempts <number> within <seconds>
This protects against brute-force attacks by locking accounts after repeated failures.
List two commands to remove passwords from a Cisco device.
- no enable secret
- no username <user>
These commands delete passwords but should be used with caution.
True or False:
The show version command displays password settings.
False
Passwords are visible in show running-config, not show version.
What command removes all user-configured passwords?
‘write erase’ followed by ‘reload’
This resets the device to factory defaults, erasing all configurations.
List two commands to verify password configurations.
- show running-config
- show startup-config
These commands display stored passwords and security configurations.