Device Security 1

Topology

Tasks:

A network administrator is tasked with securing the router and switch of a company's network. The company wants to implement the following security measures:

  1. Configure a local username and password to prevent unauthorized access.
    • Username: JohnDoe
    • Password: StrongPass#123
    • Privilege level: Exec mode
    • Encrypt the password instead of storing it in plain text.
  2. Secure console access by requiring authentication before granting access to configuration mode.
    • Use local username for authentication.
    • Automatically log out the user after 2 minutes of inactivity.
    • Prevent log messages from interrupting commands.
  3. Enable type 7 password encryption to prevent passwords from being stored in plain text.
  4. Secure the privileged EXEC mode with password "StrongEnable#123" using MD5 hashing encryption.

Solution:

Task 1: Configure a local username and password to prevent unauthorized access.

  • Username: JohnDoe
  • Password: StrongPass#123
  • Privilege level: Exec mode
  • Encrypt the password instead of storing it in plain text.

To ensure that only authorized personnel can access the network devices, we configure local users.

On Router:

Router# configure terminal
Router(config)# username JohnDoe privilege 15 secret StrongPass#123

On Switch:

Switch# configure terminal
Switch(config)# username JohnDoe privilege 15 secret StrongPass#123

The username JohnDoe privilege 15 secret StrongPass#123 command creates a user account with privilege level 15 (full administrative access). The secret keyword stores the password as an MD5 hash (Type 5) instead of in plain text.


Task 2: Secure console access by requiring authentication before granting access to configuration mode.

  • Use local username for authentication.
  • Automatically log out the user after 2 minutes of inactivity.
  • Prevent log messages from interrupting commands.

On Router:

Router(config)# line console 0
Router(config-line)# login local
Router(config-line)# exec-timeout 2 0
Router(config-line)# logging synchronous
Router(config-line)# exit

On Switch:

Switch(config)# line console 0
Switch(config-line)# login local
Switch(config-line)# exec-timeout 2 0
Switch(config-line)# logging synchronous
Switch(config-line)# exit

line console 0: configures the console line.
login local: Uses local users for authentication.
exec-timeout 2 0: Automatically logs out the user after 2 minutes of inactivity.
logging synchronous: Prevents log messages from interrupting commands.


Task 3: Enable type 7 password encryption to prevent passwords from being stored in plain text.

By default, passwords configured on Cisco devices (e.g., console, VTY, enable password) are stored in plain text in the device’s configuration files (running-config and startup-config). This is a major security risk because anyone with access to these files can read and steal passwords.

To prevent passwords from being stored in plain text, we use the following command:

On Router:

Router(config)# service password-encryption

On Switch:

Switch(config)# service password-encryption

service password-encryption: Encrypts passwords stored with the password keyword (Type 7 encryption). Passwords stored with the secret keyword are already stored as an MD5 hash (Type 5) and are not affected.


Task 4: Secure the privileged EXEC mode with password "StrongEnable#123" using MD5 hashing encryption.

We need to protect privileged EXEC mode (enable mode) from unauthorized access with a password that is stored as an MD5 hash.

On Router:

Router(config)# enable secret StrongEnable#123

On Switch:

Switch(config)# enable secret StrongEnable#123

enable secret StrongEnable#123: This command sets the enable password; the secret keyword stores it as an MD5 hash (Type 5) rather than in plain text.


Now exit configuration mode and save the configuration.

Router(config)# end
Router# write memory

Switch(config)# end
Switch# write memory

Important Note:

Cisco Type 7 encryption is not highly secure and can be easily cracked using online tools. It only prevents casual users from reading passwords in plain text.

The secret keyword stores the password as an MD5 hash (Type 5), which is much more secure than Type 7.

Best Practice Recommendations:

  • Always use service password-encryption to prevent casual viewing of passwords.
  • Avoid using enable password (plain text) and use enable secret instead for stronger encryption.
  • For maximum security, use AAA (Authentication, Authorization, and Accounting) with external authentication servers like RADIUS or TACACS+. These are high-level concepts and their configuration is not included in the current CCNA exam.
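As an added example (not part of this lab and not a Cisco tool), the following Python script audits a captured running-config for the four controls configured above: a local user stored with secret rather than password (Task 1), console-line login local, exec-timeout and logging synchronous (Task 2), service password-encryption (Task 3) and enable secret rather than enable password (Task 4). It also flags any credential still stored as reversible Type 7. The two sample configs, the hash strings and the Type 7 strings in them are constructed for the example; the script assumes the config text has already been captured with show running-config.

```python
"""Audit a captured Cisco IOS running-config for the lab's four controls.

Added example, not the lab's own material. Sample configs below are constructed.
"""
import re

# Constructed sample: Tasks 2 and 3 are done on the console, but a legacy
# user and the enable password still use reversible Type 7, and the VTY
# lines were never hardened. Hash/Type 7 strings are placeholders.
SAMPLE_CONFIG = """\
hostname Router
service password-encryption
!
username JohnDoe privilege 15 secret 5 $1$abcd$PLACEHOLDERMD5HASHxxxxxxxx
username backup privilege 15 password 7 0822455D0A16
!
enable password 7 082D4B4A0E
!
line con 0
 exec-timeout 2 0
 logging synchronous
 login local
line vty 0 4
 exec-timeout 0 0
 password 7 0822455D0A16
 login
!
"""

# Constructed sample of a device that completed all four tasks.
HARDENED_CONFIG = """\
hostname Router
service password-encryption
!
username JohnDoe privilege 15 secret 5 $1$abcd$PLACEHOLDERMD5HASHxxxxxxxx
enable secret 5 $1$wxyz$PLACEHOLDERMD5HASHyyyyyyyy
!
line con 0
 exec-timeout 2 0
 logging synchronous
 login local
!
"""

# Matches `username NAME [privilege N] secret|password [TYPE] VALUE` and
# `enable secret|password [TYPE] VALUE`; TYPE is absent or 0 for plain text.
CRED_RE = re.compile(
    r"^(?:username (\S+)(?: privilege \d+)?|enable) (secret|password)(?: (\d+))? \S+$"
)


def parse_sections(config):
    """Return (section, line) pairs. Indented lines belong to the preceding
    unindented line (e.g. `line con 0`); global lines have section None."""
    entries, section = [], None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw[0] == " ":
            entries.append((section, raw.strip()))
        else:
            section = raw.strip()
            entries.append((None, section))
    return entries


def credential_finding(line):
    """Classify one username/enable line by how its password is stored."""
    m = CRED_RE.match(line)
    if not m:
        return None
    name, keyword, ptype = m.groups()
    who = f"user {name}" if name else "enable"
    if keyword == "secret":
        return None  # Type 5 MD5 hash (or stronger): what the lab requires
    if ptype == "7":
        return f"WEAK: {who} uses reversible Type 7 encoding; use 'secret'"
    return f"PLAIN: {who} password stored in plain text; use 'secret'"


def audit(config):
    """Return a sorted list of findings; an empty list means all checks pass."""
    entries = parse_sections(config)
    global_lines = [text for sec, text in entries if sec is None]
    findings = []

    # Task 3: Type 7 encoding of any remaining `password` values must be on.
    if "service password-encryption" not in global_lines:
        findings.append("MISSING: service password-encryption")

    # Tasks 1 and 4: every username/enable credential should use `secret`.
    findings += [f for f in map(credential_finding, global_lines) if f]
    if not any(t.startswith("enable secret") for t in global_lines):
        findings.append("MISSING: enable secret")

    # Task 2: each line (console and VTY) needs local login, idle logout
    # and synchronous logging. `exec-timeout 0 0` disables the idle logout.
    for section in {sec for sec, _ in entries if sec and sec.startswith("line ")}:
        body = [text for sec, text in entries if sec == section]
        if "login local" not in body:
            findings.append(f"MISSING: {section} has no 'login local'")
        timeout = next((t for t in body if t.startswith("exec-timeout")), None)
        if timeout is None:
            findings.append(f"MISSING: {section} has no exec-timeout")
        elif timeout.split()[1:] == ["0", "0"]:
            findings.append(f"WEAK: {section} exec-timeout 0 0 disables the idle logout")
        if "logging synchronous" not in body:
            findings.append(f"MISSING: {section} has no 'logging synchronous'")
    return sorted(findings)


if __name__ == "__main__":
    for label, cfg in (("sample", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {label} ==")
        for finding in audit(cfg) or ["OK: no findings"]:
            print(" ", finding)
```

Run it against a saved show running-config capture to confirm that every credential line uses secret and that no line-level access path was left out; the VTY findings in the sample show why checking only the console line, as the lab does, is not enough on a real device.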

