This topic is to discuss the following lesson:
Hi Rene,
It’s a great article for beginners. Do you have similar topics for the Cisco switch?
Thank you
BR
Taslim
Hi Taslim,
The basic configuration of a Cisco catalyst switch is similar to this example. The only difference is that a switch has “switchports” and a router has “routed ports”. The difference is that on the router we configure IP addresses on the interfaces, on the switch you’ll need to use a VLAN interface.
Rene
Hi Rene
I have a question.
When I try to change the login local password from a plain-text password to an encrypted password, this message appears:
ERROR: Can not have both a user password and a user secret.
Please choose one or the other.
So how do I solve this?
And I have another question:
Why does the RSA key need ip domain-name to be generated?
I need to know the relation between them,
and what does ip domain-name exactly mean?
thanks Rene
Hi Rene
If I use the CLI to remotely access another router, how can I use SSH?
Hi Hussein,
Do you mean how to use SSH client on a Cisco router? You can use the SSH command to hop from one router to another.
Rene
Hi Hussein,
The RSA algorithm requires a domain name to generate the key pair. You’d have to look into the details of RSA to see how exactly they use it. The “ip domain-name” command sets the domain name.
Rene
On the VTY lines you can use the “login” command and the “login local” command. You probably already have the login command so try to remove it before you apply login local.
login = single password
login local = refers to a local database on the router or switch with usernames / passwords.
Thanks for the answer Rene
Yes, I mean that, but when I try to use the SSH command with the IP address of the router I want to access in Packet Tracer it does not work, while when I use telnet it works correctly.
This is exactly what appears to me:
SW1#ssh 192.168.1.2
^
% Invalid input detected at '^' marker.
SW1#tel 192.168.1.2
Trying 192.168.1.2 ...Open
User Access Verification
Username:
Thanks Rene
Where can I find the details of RSA?
Is there another use for the domain name apart from generating the RSA key pair? I mean, do we use the “ip domain-name” command only to set the domain name for generating the RSA key, or does it have other uses?
Thanks Rene
Thank you Rene, I understand the concept of “login” and “login local”, but my question is about password encryption. Let me explain my question in another way:
login local refers to a local database on the router or switch with usernames / passwords, as you said, but can the password be encrypted or not? If I configure it in plain text, how can I change it to encrypted text, or vice versa?
That is my question.
When I try to change it, this message appears:
SW3(config)#us hussein pa 121212
ERROR: Can not have both a user password and a user secret.
Please choose one or the other.
How can I change between them?
Hi Hussein,
Now I understand your question.
There are two methods:
- username hussein password cisco123
If you do it like this, then it will be saved in the configuration in clear text.
- username hussein secret cisco123
If you use “secret” then it will create an MD5 hash of your password.
You can’t have a “password” and “secret” at the same time for one user account so you are getting this error because you probably already configured a secret for your username. Remove it first and then you can set a password.
It’s also possible to encrypt all plaintext passwords in the configuration with the “service password-encryption” command. However, this is a very poor encryption type:
https://networklessons.com/security/decrypt-type-7-password-using-key-chain/
Rene
Hi Hussein,
SSH client requires a few more parameters than telnet:
R1#ssh ?
-c Select encryption algorithm
-l Log in using this user name
-m Select HMAC algorithm
-o Specify options
-p Connect to this port
-v Specify SSH Protocol Version
WORD IP address or hostname of a remote system
Try this:
R1#ssh -l admin 192.168.1.1
Hi Hussein,
I think the Wikipedia page is a good start:
The most common use for the “ip domain-name” command is probably SSH. However, it’s also used sometimes for certificates.
To give you an idea, here’s an example where I used certificates for the anyconnect VPN on an ASA firewall:
https://networklessons.com/security/cisco-asa-anyconnect-self-signed-certificate/
Rene
Thanks Rene, it works, but when I try to enter the correct password I didn’t get access. Why?
Thanks Rene, I understand now.
Let me give you a complete example:
R2(config)#ip domain-name networklessons.local
R2(config)#crypto key generate rsa
The name for the keys will be: R2.networklessons.local
Choose the size of the key modulus in the range of 360 to 2048 for your
General Purpose Keys. Choosing a key modulus greater than 512 may take
a few minutes.
How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys, keys will be non-exportable…[OK]
R2(config)#username rene secret mysecretkey
R2(config)#line vty 0 4
R2(config-line)#login local
R2(config-line)#transport input ssh
And then on another router:
R1#ssh -l rene 192.168.12.2
Password:
R2>
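Added example, not from the lesson or from anyone in this thread: a small Python audit script that reads an IOS-style running-config and flags the weak settings discussed above (a cleartext or type 7 “password” instead of “secret”, “login” instead of “login local”, telnet left enabled on the VTY lines, and a missing “ip domain-name”, without which the RSA keys for SSH cannot be generated). The config excerpt, usernames, and hash are constructed placeholders.

```python
import re

# Constructed sample running-config excerpt; the hash and passwords are
# placeholders, not taken from the thread or from any real device.
SAMPLE_CONFIG = """\
hostname R2
ip domain-name networklessons.local
username rene secret 5 $1$PLAC$EHOLDERhashNotReal0000000
username hussein password 0 cisco123
username ops password 7 0822455D0A16
enable password 0 enable123
line vty 0 4
 login local
 transport input ssh
line vty 5 15
 login
 password 0 letmein
 transport input telnet
"""

def audit_config(config: str) -> list:
    """Return (severity, message) findings for weak credential storage and
    remote-access settings in an IOS-style configuration."""
    findings = []
    vty = None            # the 'line vty' block we are currently inside, if any
    has_domain = False
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):        # top-level command: leave any line block
            vty = line if line.startswith("line vty") else None
        if line.startswith("ip domain-name "):
            has_domain = True
        m = re.match(r"username (\S+) password (?:(\d) )?\S+", line)
        if m:
            user, ptype = m.groups()
            how = "type 7 (reversible)" if ptype == "7" else "cleartext"
            findings.append(("HIGH", f"username {user}: {how} password; use 'secret'"))
        elif line.startswith("enable password "):
            findings.append(("HIGH", "enable password set; use 'enable secret'"))
        elif vty and line == "login":
            findings.append(("LOW", f"{vty}: 'login' uses one line password; prefer 'login local'"))
        elif vty and line.startswith("password "):
            findings.append(("LOW", f"{vty}: line password stored in the config"))
        elif vty and line.startswith("transport input") and "telnet" in line:
            findings.append(("MEDIUM", f"{vty}: telnet allowed; use 'transport input ssh'"))
    if not has_domain:
        findings.append(("INFO", "no 'ip domain-name': RSA keys for SSH cannot be generated"))
    return findings

if __name__ == "__main__":
    for sev, msg in audit_config(SAMPLE_CONFIG):
        print(f"[{sev}] {msg}")
```

Run it against the output of “show running-config” saved to a file; the hardened lines (secret, login local, transport input ssh) produce no findings.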
Thank you Rene for the clarification and the full explanation,
It works for me in Packet Tracer, but in GNS3 it doesn’t work. I think it is because of issues with the IOS that I used.
Hi Rene,
The router just routes, right? So what is the benefit of an interface VLAN on the router? Is it for management after assigning an IP address to it, or is there something else?