UNCLASSIFIED
Implementing Security on Cisco Routers
Version 1.0g
UNCLASSIFIED
53
• Avoid dictionary words, names, or dates.
• Always include at least one of each of the following: lowercase letters, uppercase letters, digits, and special characters.
• Make all passwords at least eight characters long.
• Avoid more than 4 digits or same-case letters in a row.
See [4] for more detailed guidance on selecting good passwords. Note: enable secret and username passwords may be up to 25 characters long, including spaces.
Accounts
First, give each administrator their own login user name for the router. When an administrator logs in with a user name and changes the configuration, the log message that is generated will include the name of the login account that was used, so changes can be traced to an individual. The login accounts created with the username command should be assigned privilege level 1 (see Passwords, above). In addition, do not create any user accounts without passwords! When an administrator no longer needs access to the router, remove their account. The example below shows how to create accounts for users named rsmith and bjones, and remove the user named brian.
Central# config t
Enter configuration commands, one per line. End with CNTL/Z.
Central(config)# username rsmith password 3d-zirc0nia
Central(config)# username rsmith privilege 1
Central(config)# username bjones password 2B-or-3B
Central(config)# username bjones privilege 1
Central(config)# no username brian
Central(config)# end
Central#
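As an added example (my own script, not part of the guide), the following Python checks candidate passwords against the rules listed above and emits the username/privilege and no username lines in the same form as the session shown. The word list is a constructed stand-in for a real dictionary, and the 25-character limit is the one noted for enable secret and username passwords.

```python
import re

# Constructed stand-in for a real dictionary (assumption: a deployment would
# load a full word list instead of this handful of words).
DICTIONARY = {"password", "cisco", "router", "admin", "secret", "central"}

MIN_LEN = 8     # at least eight characters
MAX_LEN = 25    # enable secret and username passwords: up to 25 characters
MAX_RUN = 4     # no more than 4 digits or same-case letters in a row


def password_problems(pw):
    """Return the rule violations for a candidate password (empty list if it passes)."""
    problems = []
    if len(pw) < MIN_LEN:
        problems.append("shorter than %d characters" % MIN_LEN)
    if len(pw) > MAX_LEN:
        problems.append("longer than %d characters" % MAX_LEN)
    # At least one of each class: lowercase, uppercase, digit, special character.
    classes = {"lowercase letter": r"[a-z]", "uppercase letter": r"[A-Z]",
               "digit": r"[0-9]", "special character": r"[^A-Za-z0-9]"}
    for label, pattern in classes.items():
        if not re.search(pattern, pw):
            problems.append("no " + label)
    # Runs longer than MAX_RUN of digits or same-case letters.
    for label, pattern in (("digits", r"[0-9]"), ("lowercase letters", r"[a-z]"),
                           ("uppercase letters", r"[A-Z]")):
        if re.search("%s{%d}" % (pattern, MAX_RUN + 1), pw):
            problems.append("more than %d %s in a row" % (MAX_RUN, label))
    # Dictionary words embedded anywhere in the password (case-insensitive).
    for word in sorted(DICTIONARY):
        if word in pw.lower():
            problems.append("contains dictionary word '%s'" % word)
    return problems


def account_commands(add, remove):
    """Build the IOS lines for accounts to create (name -> password) and delete."""
    lines = []
    for name, pw in add.items():
        problems = password_problems(pw)
        if problems:
            raise ValueError("%s: %s" % (name, "; ".join(problems)))
        lines.append("username %s password %s" % (name, pw))
        lines.append("username %s privilege 1" % name)   # lowest privilege level
    for name in remove:
        lines.append("no username %s" % name)
    return lines
```

Under this check the guide's second example password, 2B-or-3B, passes, while the first, 3d-zirc0nia, is flagged for having no uppercase letter.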
Only allow accounts that are required on the router and minimize the number of users
with access to configuration mode on the router. See Section 4.6, which describes
AAA, for a preferred user account mechanism.
4.1.5. Remote Access
This document will discuss five connection schemes that can be used for router administration.
1. No Remote: administration is performed on the console only.
2. Remote Internal only with AAA: administration can be performed on the router from a trusted internal network only, and AAA is used for access control.