5.2 Device Access Control and Password Policies
Key Takeaways
- Use 'enable secret' (Type 5/8/9 hash) rather than 'enable password' (Type 0/7); if both exist, enable secret wins.
- 'service password-encryption' only applies weak, reversible Type 7 encryption — it stops shoulder-surfing, not attackers.
- Configure SSHv2 on the VTY lines and set 'transport input ssh' to block clear-text Telnet credentials.
- AAA splits into Authentication (who), Authorization (what you can do), and Accounting (what you did).
- TACACS+ (TCP 49, full-packet encryption, command authorization) suits device admin; RADIUS (UDP 1812/1813) suits network access like 802.1X and Wi-Fi.
Securing the Privileged-EXEC Password
The single most-tested device-access fact: use enable secret, never enable password. The secret form stores a one-way hash; the password form stores clear text or trivially reversible Type 7.
| Command | Storage | Verdict |
|---|---|---|
| enable password Cisco123 | Type 0 (clear) or Type 7 | Weak — avoid |
| enable secret Cisco123 | Type 5 (MD5), Type 8, or Type 9 (scrypt) | Strong — always use |
If both are configured, the enable secret value always takes priority and the enable password is effectively dead.
Cisco Password Types
Know the type numbers — the exam shows a hash prefix and asks how strong it is.
| Type | Algorithm | Strength | Prefix/example |
|---|---|---|---|
| Type 0 | Plain text | None | Cisco123 |
| Type 4 | SHA-256 (deprecated, flawed) | Removed | n/a |
| Type 5 | Salted MD5 | Medium | $1$mERr$... |
| Type 7 | Vigenere (reversible) | Weak — obfuscation only | 070C285F4D06 |
| Type 8 | PBKDF2-SHA-256 | Strong | $8$dsYG... |
| Type 9 | scrypt | Strongest | $9$nhEmQ... |
service password-encryption upgrades clear Type 0 entries to Type 7 in the running config. Because Type 7 is reversible (free decoders exist online), treat it as a screen against casual shoulder-surfing — not real protection.
Router(config)# enable secret StrongP@ss123 ! Type 9 on modern IOS
Router(config)# service password-encryption ! Masks remaining Type 0 passwords
Router(config)# username admin secret StrongP@ss123 ! Local user, hashed
Securing the Console Line
Router(config)# line console 0
Router(config-line)# password ConsolePass123
Router(config-line)# login ! Require the line password
Router(config-line)# exec-timeout 5 0 ! Logout after 5 min idle
Router(config-line)# logging synchronous ! Stop log msgs from scrambling input
Securing the VTY Lines (Remote Access)
VTY lines handle Telnet/SSH. The exam wants SSH-only with a local or AAA login.
Router(config)# ip domain-name example.com
Router(config)# crypto key generate rsa modulus 2048 ! Required before SSH
Router(config)# ip ssh version 2
Router(config)# line vty 0 15
Router(config-line)# transport input ssh ! Blocks clear-text Telnet
Router(config-line)# login local ! Use local username database
Router(config-line)# exec-timeout 10 0
Router(config-line)# access-class 10 in ! ACL restricts source IPs
Key requirements for SSH to even start: a hostname, an IP domain name, and an RSA key (≥768-bit modulus, 2048 recommended). Forgetting the domain name or key is the classic "SSH won't work" troubleshooting trap.
Throttling Brute-Force Logins
Router(config)# login block-for 120 attempts 3 within 60
This blocks all logins for 120 seconds after 3 failed attempts within 60 seconds, defeating dictionary attacks against the VTY lines.
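To make the semantics of login block-for concrete, here is an added Python model (not Cisco code) of the sliding window and quiet period it configures, plus the optional exemption that login quiet-mode access-class provides for a management host. The attempt log, the source addresses and the exempt host 10.0.0.2 are constructed for the example.

```python
from collections import deque

# Constructed attempt log: (seconds since start, source IP, credentials ok?).
# Three failures from one host inside 60 s, then traffic during and after
# the resulting 120 s quiet period.
ATTEMPTS = [
    (0,   "203.0.113.5", False),
    (15,  "203.0.113.5", False),
    (40,  "203.0.113.5", False),   # third failure within 60 s -> quiet mode
    (45,  "203.0.113.5", False),   # blocked regardless of credentials
    (50,  "192.0.2.10",  True),    # valid credentials, still blocked
    (55,  "10.0.0.2",    True),    # exempt management host, allowed
    (165, "192.0.2.10",  True),    # quiet period (40 + 120 = 160) has ended
]


class LoginBlocker:
    """Model of 'login block-for BLOCK attempts N within WINDOW' plus the
    'login quiet-mode access-class' exemption list (assumed semantics)."""

    def __init__(self, block_for, attempts, within, exempt=()):
        self.block_for = block_for
        self.attempts = attempts
        self.within = within
        self.exempt = set(exempt)
        self.failures = deque()     # timestamps of recent failures
        self.quiet_until = None     # end of the current quiet period, if any

    def in_quiet_mode(self, now):
        return self.quiet_until is not None and now < self.quiet_until

    def attempt(self, now, src, ok):
        """Return 'allowed', 'denied' (bad credentials) or 'blocked' (quiet mode)."""
        if self.in_quiet_mode(now) and src not in self.exempt:
            return "blocked"
        if ok:
            return "allowed"
        # Failed login: keep only the failures inside the sliding window.
        self.failures.append(now)
        while self.failures and now - self.failures[0] > self.within:
            self.failures.popleft()
        if len(self.failures) >= self.attempts:
            self.quiet_until = now + self.block_for
            self.failures.clear()
        return "denied"


def replay(attempts, block_for=120, max_attempts=3, within=60, exempt=("10.0.0.2",)):
    """Replay an attempt log through the blocker and return the decision per attempt."""
    blocker = LoginBlocker(block_for, max_attempts, within, exempt)
    return [(t, src, blocker.attempt(t, src, ok)) for t, src, ok in attempts]


if __name__ == "__main__":
    for t, src, decision in replay(ATTEMPTS):
        print("t=%3ds %-13s %s" % (t, src, decision))
```

The replay shows why the exemption matters: without it, the 192.0.2.10 operator with correct credentials is locked out for the whole quiet period just like the attacker, which is the availability cost of the feature.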
AAA: Authentication, Authorization, Accounting
| Component | Question it answers | Example |
|---|---|---|
| Authentication | "Who are you?" | Username/password, certificate, token |
| Authorization | "What can you do?" | Per-command rights, privilege levels |
| Accounting | "What did you do?" | Command logs, session time, byte counts |
Authentication Methods, Not Just Passwords
Authentication can rest on three broad evidence types, and AAA can chain them. Passwords (something you know) are the baseline but the weakest alone. Certificates and tokens (something you have) bind the login to a device or hardware key. Biometrics (something you are) tie it to the person. Strong device-access designs combine a hashed local credential with a centralized AAA server and, increasingly, a second factor. This is where AAA authentication meets the multi-factor concept covered later in this chapter.
TACACS+ vs. RADIUS
This comparison is almost guaranteed on the exam.
| Feature | TACACS+ | RADIUS |
|---|---|---|
| Standard | Cisco-developed | Open (RFC 2865) |
| Transport | TCP port 49 | UDP 1812 (auth) / 1813 (acct) |
| Encryption | Entire packet | Password field only |
| AAA separation | Separates all three | Combines authN and authZ |
| Command authorization | Yes, granular | No |
| Best fit | Device administration | Network access (802.1X, Wi-Fi, VPN) |
On the Exam: Pick TACACS+ when the scenario is controlling which commands an admin can run (full-packet encryption + per-command authZ). Pick RADIUS when it is user network access such as 802.1X or wireless. Memorize ports: TACACS+ = TCP 49; RADIUS = UDP 1812/1813.
Privilege Levels and Local Fallback
IOS supports sixteen privilege levels, 0 through 15. Level 1 is normal user EXEC (the > prompt), level 15 is full privileged EXEC (the # prompt), and levels 2 through 14 are custom tiers you assign specific commands to. A read-only help-desk role typically lives at level 1, while a senior engineer needs level 15.
When you deploy centralized AAA, always keep a local fallback so a RADIUS/TACACS+ outage does not lock everyone out. The classic pattern tries the server group first and the local database second:
Router(config)# aaa new-model
Router(config)# aaa authentication login default group tacacs+ local
Router(config)# username admin privilege 15 secret StrongP@ss123
If the TACACS+ servers are unreachable, the router falls back to the local admin account. Omitting the local keyword is an outage waiting to happen and a tempting wrong answer on the exam. Remember that aaa new-model must be enabled before any AAA command takes effect, and that turning it on immediately changes the default login behavior on every line.
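The fallback behaviour described above has a subtlety worth seeing in code: IOS moves to the next method in a login method list only when the previous method returns an error (server unreachable), not when it returns a failure (credentials rejected). The added Python model below (not Cisco or TACACS+ implementation code) evaluates a list such as group tacacs+ local under both conditions. The server user database and the local users are constructed; the local store uses salted PBKDF2 as a Type 8-like stand-in, not Cisco's on-box format.

```python
import hashlib
import hmac
import os

PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"


class TacacsGroup:
    """Stand-in for 'group tacacs+': answers PASS/FAIL when reachable and
    ERROR when every server in the group is down."""
    name = "tacacs+"

    def __init__(self, users, reachable=True):
        self.users = dict(users)      # constructed user -> password table
        self.reachable = reachable

    def authenticate(self, user, password):
        if not self.reachable:
            return ERROR
        return PASS if self.users.get(user) == password else FAIL


class LocalDatabase:
    """Stand-in for the 'local' method: usernames with salted PBKDF2 hashes
    (a Type 8-like scheme, not Cisco's exact on-box format)."""
    name = "local"

    def __init__(self):
        self.users = {}

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 20000)

    def add_user(self, user, password):
        salt = os.urandom(16)
        self.users[user] = (salt, self._hash(password, salt))

    def authenticate(self, user, password):
        entry = self.users.get(user)
        if entry is None:
            return FAIL
        salt, digest = entry
        # The local database is never "unreachable": it only returns PASS or FAIL.
        return PASS if hmac.compare_digest(self._hash(password, salt), digest) else FAIL


def aaa_login(method_list, user, password):
    """Evaluate an 'aaa authentication login' method list the way IOS does:
    the next method is consulted only when the previous one returns ERROR;
    a FAIL ends the evaluation with the login denied."""
    for method in method_list:
        result = method.authenticate(user, password)
        if result in (PASS, FAIL):
            return result, method.name
    return FAIL, None   # every method errored and there is no 'none' keyword


if __name__ == "__main__":
    tacacs = TacacsGroup({"jsmith": "Srv3rPass!"})
    local = LocalDatabase()
    local.add_user("admin", "StrongP@ss123")
    print(aaa_login([tacacs, local], "jsmith", "Srv3rPass!"))    # PASS via tacacs+
    print(aaa_login([tacacs, local], "admin", "StrongP@ss123"))  # FAIL: server rejects, no fallback
    tacacs.reachable = False
    print(aaa_login([tacacs, local], "admin", "StrongP@ss123"))  # PASS via local
    print(aaa_login([tacacs], "admin", "StrongP@ss123"))         # FAIL: nothing left to try
```

Two consequences follow directly: the local admin account is unusable while the TACACS+ servers are up unless the same user also exists on the server, and a method list that ends with group tacacs+ and no local keyword denies every login during an outage.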
An administrator needs centralized control over exactly which IOS commands each network engineer may run, with the entire authentication packet encrypted. Which protocol fits best?
Both 'enable password Cisco1' and 'enable secret Cisco2' are configured on a router. What password grants privileged EXEC access?
Which prerequisite is REQUIRED before a Cisco router can accept SSH connections?
What does the command 'service password-encryption' actually accomplish?