Here are 4 methods (CCNA/CCENT)
Here are two questions that a lot of new Cisco Engineers struggle with.
1) Are passwords required on vty lines?
2) How do you configure vty passwords?
Here we look at 4 options:
1) Line passwords
2) Local username passwords
3) No login
4) AAA
By default, when you telnet to the vty line of a router or switch, you will see the following output:
C:\>telnet 10.1.2.1
Password required, but none set
[Connection to 10.1.2.1 closed by foreign host]
The router/switch will drop your connection as a password is required for access to the router/switch. So by default you can see that a password is required to telnet to the vty lines of a router or switch.
Line passwords:
A password can be used on the line for access. This is easy to set up as there is only one password, but it is not very secure because everyone shares that single password and it is difficult to track who has made changes.
This is configured as follows:
Router>enable
Router#configure terminal
Router(config)#line vty 0 4
Router(config-line)#login
% Login disabled on line 2, until 'password' is set
% Login disabled on line 3, until 'password' is set
% Login disabled on line 4, until 'password' is set
% Login disabled on line 5, until 'password' is set
% Login disabled on line 6, until 'password' is set
Router(config-line)#password configureterminal.com
When a telnet connection is now made to the router, the router will prompt for a password:
C:\>telnet 10.1.2.1
User Access Verification
Password:
Enter your password and you are now in user mode:
Router>
Local usernames:
This is better than using a line password as different users have their own individual passwords. Each user is required to enter their own password rather than using a shared password. This helps with logging which user has made changes to the router.
Router>enable
Router#configure terminal
Router(config)#username david password configureterminal.com
Router(config)#line vty 0 4
Router(config-line)#login local
Testing:
C:\>telnet 10.1.2.1
User Access Verification
Username:david
Password:
Enter your password and you are now in user mode:
Router>
No password (not recommended):
It is possible to set up a router to allow vty connections without authentication. This is not a good idea for the real world, but in a lab environment it can save time.
Router>enable
Router#configure terminal
Router(config)#line vty 0 4
Router(config-line)#no login
Testing:
C:\>telnet 10.1.2.1
Router>
Notice that no authentication was required. You are taken directly to user mode.
AAA servers:
This is the most secure and scalable way of implementing authentication. This uses a central server where all usernames and passwords are stored. A Windows 2000/2003 server could be used, for example, so that users use the same passwords on Windows and routers/switches.
Router>enable
Router#configure terminal
Router(config)#aaa new-model
Router(config)#aaa authentication login default group tacacs+
Router(config)#line vty 0 4
Router(config-line)#login authentication default
Testing:
C:\>telnet 10.1.2.1
User Access Verification
Username: david
Password:
Router>
As you can see, there are various ways to secure the vty lines on routers & switches.
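To check which of the four methods a saved configuration actually uses on each vty block, the following added example (not part of the original article) classifies every "line vty" stanza. The sample configuration and the function names are constructed for illustration, and it assumes the "show running-config" layout in which sub-commands are indented under the line statement.

```python
import re

# Constructed sample in "show running-config" layout (sub-commands indented).
SAMPLE_CONFIG = """\
line vty 0 4
 password configureterminal.com
 login
line vty 5 9
 no login
line vty 10 12
 login local
line vty 13 14
 login
line vty 15
 login authentication default
end
"""

LOGIN_RE = re.compile(r"no login|login(?: local| authentication \S+)?")


def method(login, has_password):
    """Map a vty block's login statement to one of the article's methods."""
    if login == "no login":
        return "no authentication"
    if login == "login local":
        return "local usernames"
    if login.startswith("login authentication"):
        return "AAA (list '%s')" % login.split()[-1]
    # Plain 'login': the shared line password, or refusal if none is set.
    return "line password" if has_password else "refused: no password set"


def classify_vty(config):
    """Return {vty range: method} for each 'line vty' block in config."""
    results, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):  # unindented line: block boundary
            current = None
            if line.startswith("line vty "):
                # Assumption: 'login' is the default when no statement appears.
                current = results.setdefault(line[9:], ["login", False])
        elif current is not None:
            if LOGIN_RE.fullmatch(line):
                current[0] = line
            elif line.startswith("password "):
                current[1] = True
    return {rng: method(*state) for rng, state in results.items()}
```

Calling classify_vty(SAMPLE_CONFIG) returns one entry per vty range; any range reported as "no authentication" is the lab-only setup described above and should not appear on a production device.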