[an error occurred while processing the directive]

Telnet Passwords and Privilege Levels


Your CCNA certification exam is likely going to contain questions about Telnet, an application-level protocol that allows remote communication between two networking devices. With Telnet use being as common as it is, you had better know the details of how to configure it in order to pass your CCNA exam and to work in real-world networks.

The basic concept is pretty simple - we want to configure R1, but we're at R2. If we telnet successfully to R1, we will be able to configure R1 if we've been given the proper permission levels. In this CCNA case study, R2 has an IP address of 172.12.123.2 and R1 an address of 172.12.123.1. Let's try to telnet from R2 to R1.

R2#telnet 172.12.123.1

Trying 172.12.123.1 ... Open

Password required, but none set

[Connection to 172.12.123.1 closed by foreign host]


This seems like a problem, but it's a problem we're happy to have. A Cisco router will not let any user telnet to it by default. That's a good thing, because we don't want just anyone connecting to our router! The "password required" message means that no password has been set on the VTY lines on R1. Let's do so now.

R1(config)#line vty 0 4

R1(config-line)#password baseball


A password of "baseball" has been set on the VTY lines, so we shouldn't have any trouble using Telnet to get from R2 to R1. Let's try that now.

R2#telnet 172.12.123.1

Trying 172.12.123.1 ... Open

User Access Verification

Password:

R1>


We're in, and placed into user exec mode. Let's say we want to configure a new IP address on the ethernet interface on R1. We'll now go into privileged exec mode....

R1>enable

% No password set

R1>


... or maybe we won't! The default behavior of Telnet on a Cisco router is to place the incoming user into user exec mode, and require an enable password to allow that user into privileged exec mode! Right now, we can't configure anything on this router and even the show commands we would use are limited at best.

If we wanted to allow all telnetting users to be put into privileged exec mode immediately without being prompted for an enable password, the command privilege level 15 placed on the VTY lines will accomplish this.

R1(config)#line vty 0 4

R1(config-line)#privilege level 15

From R2, we'll telnet into R1 again.

R2#telnet 172.12.123.1

Trying 172.12.123.1 ... Open

User Access Verification

Password:

R1#


We were able to telnet in from R2 with the original password of "baseball", and even better, we were placed into privileged exec mode immediately!

You may or may not want to do this in real-world networks, though. If you want to assign privilege levels on an individual user basis, configure usernames and passwords and use the privilege 15 command in the actual username/password command itself to give this privilege levels to some users but not all.

R1(config)#username heidi password klum

R1(config)#username tim privilege 15 password gunn
Both users can telnet into the router, but the first user will be placed into user exec and challenged for the enable password to enter privileged exec mode. If there is no enable password, the user literally cannot get into privileged exec. The second user will be placed into privileged exec immediately after successfully authenticating.

Passwords on a Cisco router or switch are vitally important, and you're not tied down to granting "all-or-nothing" access. Knowing the details like the ones shown here help you tie down network security while allowing people to do their jobs - and it doesn't hurt to know this stuff for the CCNA exam, either!

About the Author:
Chris Bryant, CCIE #12933, is the owner of The Bryant Advantage , home of free CCNA and CCNP tutorials! Pass the CCNA exam with Chris Bryant!