📘 CCNA 200-301 v1.1
5.3 Configure and verify device access control using local passwords
Overview
In networking, device access control means controlling who can log in to a network device (like a router or switch) and what they can do once logged in.
In this section, we will focus on using local passwords to protect access to Cisco devices.
Local passwords are passwords stored directly on the device itself (not on an external server like RADIUS or TACACS+).
You must be able to:
- Configure these passwords
- Verify they work properly
- Understand their purpose and how to secure them
🔹 Types of Access on Cisco Devices
Cisco devices (routers, switches) can be accessed in different modes and through different methods.
Let’s understand both.
1. Access Methods
- Console Access:
Used for direct, physical access to the device using a console cable.
- VTY (Virtual Terminal) Access:
Used for remote access through Telnet or SSH.
- Auxiliary (AUX) Access:
A backup method used via modem connection (less common today).
2. Access Modes
When you connect to a Cisco device, there are multiple modes you can enter:
| Mode | Prompt Example | Description |
|---|---|---|
| User EXEC mode | Switch> | Basic mode; can view limited info only |
| Privileged EXEC mode | Switch# | Full access to device commands |
| Global Configuration mode | Switch(config)# | Used to make configuration changes |
| Line Configuration mode | Switch(config-line)# | Used to configure access lines (console, VTY, etc.) |
To protect these modes, we use passwords.
🔹 Types of Local Passwords
There are three main local passwords you should know for CCNA:
1. Console Password
- Used when accessing the device through the console port (physical connection).
- Protects direct local access.
2. VTY (Telnet/SSH) Password
- Used when accessing the device remotely.
- Protects remote login sessions.
3. Enable Password / Enable Secret
- Used to access Privileged EXEC mode (Switch# or Router#).
- Protects high-level administrative access.
🔹 Step-by-Step Configuration
Now let’s configure these passwords one by one on a Cisco switch or router.
1. Set the Console Password
Switch(config)# line console 0
Switch(config-line)# password cisco123
Switch(config-line)# login
Switch(config-line)# exit
Explanation:
- line console 0 → Enters console line configuration mode
- password cisco123 → Sets the password (you can choose any password)
- login → Tells the device to ask for this password during login
- exit → Returns to the previous mode
Now, if anyone connects via the console, they must enter the password.
2. Set the VTY (Telnet/SSH) Password
Switch(config)# line vty 0 4
Switch(config-line)# password remote123
Switch(config-line)# login
Switch(config-line)# exit
Explanation:
- line vty 0 4 → Configures the first 5 VTY lines (for remote access)
- password remote123 → Sets password for remote login
- login → Enables password checking for VTY logins
Caveats:
- If login is set but no password is configured on the line, IOS does not let anyone in; it refuses the session with "Password required, but none set". That is the default state of VTY lines on a fresh device, so a line with login and no password is locked, not open.
- Many platforms have more than five VTY lines (Catalyst switches have 0–15). Check with show line and secure every line (for example line vty 0 15); otherwise lines 5–15 keep their default settings.
Required for SSH:
An SSH session always authenticates with a username, so a line password on its own is not enough. If SSH is used, you must also create a local user account and use login local on the VTY lines (explained below), and the device needs a hostname, a domain name, and an RSA key pair (crypto key generate rsa), with transport input ssh on the lines.
3. Set Enable Password / Enable Secret
Switch(config)# enable secret admin123
Explanation:
- enable secret → Sets a hashed password for privileged EXEC mode.
- admin123 → The password.
Important:
There is also an older command:
Switch(config)# enable password admin123
But enable secret is preferred: it is stored as a one-way hash (type 5 MD5 by default; newer IOS releases can use type 9 scrypt), whereas enable password is stored in clear text, or as reversible type 7 once service password-encryption is on. If both are configured, the enable secret is the one that is checked, so remove the enable password rather than leaving the weaker value in the configuration.
🔹 Creating Local User Accounts (for SSH or Custom Access)
You can create local usernames and passwords stored on the device.
Switch(config)# username admin password admin123
Or, to make it more secure (recommended):
Switch(config)# username admin secret admin123
Explanation:
- username admin → Creates a local user named “admin”
- secret admin123 → Stores the password as a one-way hash (the password form stores it in clear text, or as reversible type 7 if service password-encryption is on)
This is needed if you want to:
- Use SSH login (instead of Telnet)
- Use local user authentication instead of line passwords
Use Local User Authentication on Lines
If you want the device to check usernames and passwords (not just a shared password), do this:
Switch(config)# line vty 0 4
Switch(config-line)# login local
Switch(config-line)# exit
Explanation:
- login local → Tells the device to use the local user database (username/secret) for authentication instead of the line password.
Now users must enter a username and password to log in.
🔹 Verifying Configuration
After configuration, you should always verify.
1. Show running configuration
Switch# show running-config
Check the lines for:
line console 0, line vty 0 4, enable secret, and any username entries.
Line passwords and username ... password entries appear in clear text unless service password-encryption is on; only enable secret and username ... secret are stored as hashes, which is why those are the ones to rely on.
2. Testing Access
- Console:
Disconnect and reconnect using the console cable — it should ask for a password.
- VTY:
Use Telnet or SSH from another device:
telnet 192.168.1.1
It should prompt for a password or username/password.
- Enable mode:
Type enable and check if it asks for the enable secret.
🔹 Securing Passwords
1. Encrypt all plain-text passwords
By default, line passwords (console, VTY), enable password and username ... password are stored in clear text in the configuration.
To hide them, use this command:
Switch(config)# service password-encryption
Now those passwords are shown as type 7 strings in the running configuration. Type 7 is reversible obfuscation (a fixed XOR key), not real encryption: anyone who can read the configuration can recover the original password with a freely available decoder. It only stops someone reading the password over your shoulder, so still prefer enable secret and username ... secret, which are hashed and are not affected by this command.
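As an added example (not code from the CCNA page or from Cisco), the following Python script serves both the verification step above and the type 7 point here: it parses the text of show running-config and reports the mistakes this section warns about, namely an enable password left in place, username ... password entries, clear-text or type 7 line passwords (it decodes type 7 to show why service password-encryption is only obfuscation), login with no password, lines with no authentication at all, and VTY lines that accept SSH without login local. The two configurations embedded in it are constructed samples, the $1$ strings are placeholders rather than real hashes, and the function names are this example's own.

```python
"""Audit 'show running-config' text for weak local-password settings.
Added example, not from the CCNA page or Cisco. The sample configs below are
constructed and their $1$ values are placeholders, not real hashes."""
import re

# Fixed key behind IOS type 7 obfuscation (public for decades): each password
# byte is XORed with one key character, so the config alone reverses it.
TYPE7_KEY = "dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"

def decode_type7(encoded: str) -> str:
    """Recover the plaintext behind 'password 7 <hex>'."""
    seed = int(encoded[:2])                      # first two digits: key offset
    pairs = [encoded[i:i + 2] for i in range(2, len(encoded), 2)]
    return "".join(chr(int(p, 16) ^ ord(TYPE7_KEY[(seed + n) % len(TYPE7_KEY)]))
                   for n, p in enumerate(pairs))

def encode_type7(plaintext: str, seed: int = 0) -> str:
    """Produce what service password-encryption would store (seed 0..15)."""
    body = "".join(f"{ord(c) ^ ord(TYPE7_KEY[(seed + n) % len(TYPE7_KEY)]):02X}"
                   for n, c in enumerate(plaintext))
    return f"{seed:02d}{body}"

def audit_config(config: str) -> list:
    """Return one finding string per weak or broken local-password setting."""
    findings, sections, current, has_enable_secret = [], {}, None, False
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if line.startswith(" "):                 # sub-command of a 'line' block
            if current is not None:
                sections[current].append(line.strip())
            continue
        current = None
        if line.startswith("line "):
            current, sections[line] = line, []
        elif line.startswith("enable secret"):
            has_enable_secret = True
        elif line.startswith("enable password"):
            findings.append("enable password is reversible; keep only enable secret")
        else:
            m = re.match(r"username (\S+) .*?password(?: (\d))? (\S+)", line)
            if m:
                user, ptype, value = m.groups()
                shown = decode_type7(value) if ptype == "7" else value
                findings.append(f"username {user}: password recoverable as "
                                f"{shown!r}; use 'username {user} secret'")
    if not has_enable_secret:
        findings.append("no enable secret: privileged EXEC is not protected by a hash")

    for name, cmds in sections.items():
        pw = next((c.split() for c in cmds if c.startswith("password ")), None)
        has_login, has_login_local = "login" in cmds, "login local" in cmds
        ssh_in = any(c.startswith("transport input") and "ssh" in c for c in cmds)
        if pw and len(pw) == 3 and pw[1] == "7":
            findings.append(f"{name}: type 7 password decodes to {decode_type7(pw[2])!r}")
        elif pw:                                  # 'password x' or 'password 0 x'
            findings.append(f"{name}: line password stored in clear text")
        if has_login and not pw:
            findings.append(f"{name}: 'login' with no password; IOS refuses logins here")
        if not has_login and not has_login_local:
            findings.append(f"{name}: no 'login' or 'login local'; no authentication")
        if ssh_in and not has_login_local:
            findings.append(f"{name}: SSH authenticates by username; needs 'login local'")
    return findings

# Constructed sample with the mistakes this section warns about.
WEAK_CONFIG = """\
enable password admin123
enable secret 5 $1$salt$placeholder.not.a.real
username admin password 0 admin123
username ops secret 5 $1$salt$placeholder.not.a.real
line con 0
 password 7 094F471A1A0A
 login
line vty 0 4
 password remote123
 login
 transport input ssh
line vty 5 15
 login
"""

# Constructed sample of the corrected config: hashed secrets, login local on every line.
HARDENED_CONFIG = """\
enable secret 5 $1$salt$placeholder.not.a.real
username admin secret 5 $1$salt$placeholder.not.a.real
line con 0
 login local
line vty 0 15
 login local
 transport input ssh
"""

if __name__ == "__main__":
    print(*audit_config(WEAK_CONFIG), sep="\n")
    print("hardened:", audit_config(HARDENED_CONFIG))
```

Run it against a saved copy of show running-config (paste the text into audit_config) to get the same list of findings; the weak sample produces six, including the decoded console password "cisco", and the hardened sample produces none. The decoder is the whole argument against relying on service password-encryption: the key is fixed and public, so type 7 protects nothing once the configuration leaves the device.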
2. Set a Login Banner (optional for security)
To display a warning message before login:
Switch(config)# banner motd #Unauthorized access is prohibited#
This helps in legal compliance and security awareness.
🔹 Summary Table
| Access Type | Command Mode | Example Command | Purpose |
|---|---|---|---|
| Console | line console 0 | password cisco123 + login | Local access protection |
| VTY (Telnet/SSH) | line vty 0 4 | password remote123 + login | Remote access protection |
| Privileged EXEC | global config | enable secret admin123 | Admin-level access |
| Local User | global config | username admin secret admin123 | Local account for SSH or login local |
| Encrypt all passwords | global config | service password-encryption | Hides plain-text passwords |
🔹 Key Points for the CCNA Exam
✅ Know the difference between enable password and enable secret
→ Use enable secret (stored as a one-way hash; enable password is clear text or reversible type 7, and the secret wins if both are set).
✅ Understand the login vs login local command
→ login = use the line password
→ login local = use local username/password
✅ Use service password-encryption to hide plain-text passwords from casual viewing (type 7 is reversible, so it is not a substitute for secret)
✅ Use show running-config to verify configuration
✅ Understand where each password is applied (console, VTY, enable)
