Creating Users on a Cisco Router

introduction

Having user accounts on a router makes life and logging much easier. We can assign different privilige levels to different users to restrict access to certain commands. You may want a junior admin to see a few things to help you troubleshoot but you don't want him to be able to change anything.
In the following example we are going to add 2 local user accounts, one with the default privilege level (0) and one with full privilege level (15).

The privilege word is optional. When left out the default level will be applied.

required steps

We need to be in global configuration mode in order to create user accounts. The command is pretty simple, only one line.
username username password password.
Creating user accounts is not enough though, we need to tell the router to use them too! We can accomplish this by selecting the line we want to apply it to and issue the login local command.

R1#conf terminal
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#line vty 0 ?
  <1-181>  Last Line number
  <cr>

R1(config)#line vty 0 181
R1(config-line)#login local
R1(config-line)#

optional commands

By default, user account passwords are stored in clear text in the configuration. We could use the service password-encryption command to apply a basic level of encryption on all clear text passwords. It is considered weak as it can be decrypted easily. You can test it yourself with this online decrypter.
It's better practice to use the secret when creating users instead of the password as it's encryption is much stronger. The syntax is:
username username secret secret password

configuration

Let's start by enabling service password-encryption and creating a user with the default privilege level of 0 and using the password command.

R1#conf terminal
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#service password-encryption
R1(config)#username JuniorAdmin password C1sc0
R1(config)#

Now create the second user but this time set the privilege level to 15 and use the secret to set the password.

R1(config)#username Admin ?
  aaa                  AAA directive
  access-class         Restrict access by access-class
  autocommand          Automatically issue a command after the user logs in
  callback-dialstring  Callback dialstring
  callback-line        Associate a specific line with this callback
  callback-rotary      Associate a rotary group with this callback
  dnis                 Do not require password when obtained via DNIS
  nocallback-verify    Do not require authentication after callback
  noescape             Prevent the user from using an escape character
  nohangup             Do not disconnect after an automatic command
  nopassword           No password is required for the user to log in
  password             Specify the password for the user
  privilege            Set user privilege level
  secret               Specify the secret for the user
  user-maxlinks        Limit the user's number of inbound links
  view                 Set view name
  <cr>

R1(config)#username Admin privilege ?
  <0-15>  User privilege level

R1(config)#username Admin privilege 15 ?
  aaa                  AAA directive
  access-class         Restrict access by access-class
  autocommand          Automatically issue a command after the user logs in
  callback-dialstring  Callback dialstring
  callback-line        Associate a specific line with this callback
  callback-rotary      Associate a rotary group with this callback
  dnis                 Do not require password when obtained via DNIS
  nocallback-verify    Do not require authentication after callback
  noescape             Prevent the user from using an escape character
  nohangup             Do not disconnect after an automatic command
  nopassword           No password is required for the user to log in
  password             Specify the password for the user
  privilege            Set user privilege level
  secret               Specify the secret for the user
  user-maxlinks        Limit the user's number of inbound links
  view                 Set view name
  <cr>

R1(config)#username Admin privilege 15 secret C1sc0
R1(config)#

All is left to do is to instruct the router to use the local database at logon on the desired line(s). Here is how to set it up on the console line only.

R1#conf terminal
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#line console 0
R1(config-line)#login local
R1(config-line)#

verification

Log out and log in as JuniorAdmin. His privilege level is 0.

R1 con0 is now available

Press RETURN to get started.





User Access Verification

Username: JuniorAdmin
Password:
R1>

Log out again and log in as Admin.

R1 con0 is now available

Press RETURN to get started.





User Access Verification

Username: Admin
Password:
R1#copy run start
Destination filename [startup-config]?
Building configuration...
[OK]
R1#

See the difference? Because JuniorAdmin has a privilege level of 0 he arrives to EXEC mode when he logs in. If he wants to see the running configuration or make changes he needs to enter the enable password or enable secret passwords (whichever is configured), while the user Admin arrives to Privileged mode directly and he can start fooling around without having to enter another password.

Instead of applying the login local command on specific lines, you could make it the default form of authentication on all lines by using the following global configuration commands:

R1(config)#aaa new-model
R1(config)#aaa authentication login default local

When this method is used all users arrive into EXEC mode regardless of their privilege level! If the enable password or enable secret is not set, they will not be able to enter into Privileged Mode!
Check the running configuration for usernames.

R1#show run | section username
username AUTH_R2 password 7 00364313100819
username JuniorAdmin password 7 08021D5D0A49
username Admin privilege 15 secret 5 $1$E9mL$mNFzh1/nqz4nhA.rLm8fp0
R1#

Note the difference between the encryption of the password and the secret! Secret looks -and it is- much more complicated!
Here is a little extra. Remember, I've started this tutorial by saying that having user accounts makes logging easier? Have a look at this snippet from the running configuration.

R1#show run
Building configuration...

Current configuration : 1013 bytes
!
! NVRAM config last updated at 21:30:19 UTC Sat Feb 5 2011 by Admin
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
 --More--

If the time and date is set on the router, the configuration file will store a timestamp and the name of the user who last saved it.

commands explained

Commands used with a brief explanation.
service password-encryption: Enables light encryption on all clear text passwords
username JuniorAdmin password C1sc0: Creates a user called JuniorAdmin with a password C1sc0
username Admin privilege 15 secret C1sc0: Creates a user called Admin with privilege level 15 and a strong password
line console 0: Selects the console line
login local: Instructs the router to use the local database to authenticate at log on instead of the line password (if there is one set)
copy run start: Saves the running cinfiguration to the NVRAM
show run | section username: Shows the username section from the running configuration

 Hire me for networking  call  +254 0710884144  or email me ericmutua44@gmail.com
Click here to order this paper @Essaybay.net. The Ultimate Custom Paper Writing Service

Enabling Telnet Client in Windows 7

Telnet Client is used to connect to remote machine by using the Telnet protocol. For example, I'm an old fashion IT guy, and I still like to configure Cisco Switches/Routers using telnet. If you started to use Windows 7, you will notice that telnet is not enabled by default !! Don't panic, it is just a matter of few clicks and telnet will be enabled again.

Telnet Client allows a computer to connect to a remote Telnet server and run applications on that server. Once logged on, a user is given a command prompt that can be used as if it had been opened locally on the Telnet server's console. Commands that you type at the Telnet client command prompt are sent to the Telnet Server and executed there, as though you were locally logged on to a command prompt session at the server. Output from the commands that you run are sent back to the Telnet client where they are displayed for you to view.

When you first try to run a telnet command, Windows will informs you that telnet is not recognized as a command



To enable Telnet Client on Windows 7, follow these steps :

1. Click on Start   then right click on Control Panel
   
   
2. From Control Panel, click on Programs
   
   
3. Under Programs and Features, click on Turn Windows Features on or off
   
4. From the Windows Features window, using the slider, scroll down till you reach Telnet Client, select the checkbox beside it, then click on OK
   
   
   
   The selected feature will be installed.
   
   
   
   Once it is installed, the Windows Features windows will be closed.
5. To confirm that Telnet is installed, open command prompt and type telnet /?
   
   

Summary
By default, Telnet Client is not enabled in Windows 7. To enable it, you have to add the Telnet Client Windows Feature.

Click here to order this paper @Essaybay.net. The Ultimate Custom Paper Writing Service