In this article you will learn why you cannot enter privileged exec mode over a Telnet session when no password has been set for that mode on the remote device, which produces the error “Privileged exec mode – % No password set”. You will also learn how to configure the virtual lines to put you into privileged exec mode as soon as you log in with the correct password through the vty lines.

Telnet is an application level protocol that allows networking devices to communicate remotely. This is mostly used by network administrators for configuring and troubleshooting network devices like routers and switches.

One thing you should know about Telnet compared to SSH (Secure Shell – another network protocol running at application level) is that it does not encrypt traffic at all. This means that all communication between, for example, a network administrator's computer and a switch or router virtual line crosses the network as plain text, while with SSH it is encrypted. This is a risk, especially because you have to use passwords to authenticate and they can be intercepted.

What we are trying to do is configure RTWO – for example an interface – or go into configure terminal mode on it, but we are stuck at RONE. If we could telnet into RTWO and had the correct access rights, this would be easy.

Let’s say we have two routers in the same LAN, RONE and RTWO and we are trying to telnet from RONE into RTWO.

The IP addresses are:

RONE – 10.0.0.1/24

RTWO – 10.0.0.2/24

I will assume you will follow the steps of the example and change the IPs to fit your case. If you get stuck and need help, send me a message with the details of what you want to do and I will provide you with a solution. You could also post a comment.

This example works the same way, and you will get almost the same messages (depending on the IOS version), whether you telnet from a computer with PuTTY to a switch or router, from switch to switch, from computer to router and so on.

When you try to telnet to RTWO with only a basic configuration (the interfaces inside the LAN have an IP address and subnet mask, but no vty lines or anything else are configured), you get a message like this:

RONE#telnet 10.0.0.2
Trying 10.0.0.2 …Open
[Connection to 10.0.0.2 closed by foreign host]

This is good, because if a Cisco device had telnet enabled by default, it would be a high security risk. The message says that the virtual lines are not enabled, so no telnet is possible. Now let’s change this.

You can enable telnet on RTWO by using the following commands, which enable the virtual lines:

RTWO>en
RTWO#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
RTWO(config)#line vty 0 4
RTWO(config-line)#password Cisco
RTWO(config-line)#end

Now when you try to telnet to RTWO it will work:

RONE#telnet 10.0.0.2
Trying 10.0.0.2 …Open

User Access Verification

Password:

After you enter the password you are placed in user exec mode:

RTWO>

Now if, for example, we want to configure a new interface on RTWO and try to go into configure terminal mode, we get this error:

RTWO>en
% No password set.
RTWO>

Cisco’s default behavior for telnet is to place you into user exec mode after you enter the password for the vty line. After this you have to provide another password to go into privileged exec mode. From user exec mode you can use a limited number of show-type commands, but you can’t make any change to the system configuration.

You will have to go to your RTWO router and configure the “enable secret” or “enable password” option to set the password for privileged exec mode, and then enter it when asked after the steps above. So the sequence is: telnet to RTWO, enter the password for the vty line, type “enable” in user exec mode, and give the password you set for privileged exec mode on RTWO.

There is another way, not as safe as the one above, which lets a user who connects through the virtual line (using telnet, for example) go directly into privilege level 15, by default the highest permission level on Cisco devices, without being asked for any further password.

You should think twice before doing this, but if you still want to do it, you have to go back on the RTWO router and modify the settings a bit:

RTWO>en
RTWO#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
RTWO(config)#line vty 0 4
RTWO(config-line)#privilege level 15
RTWO(config-line)#end
RTWO#

Now when you connect with telnet from RONE to RTWO, you have to enter the password you set for the vty line in the first settings, in our case “Cisco”, and you are then sent directly to privileged exec mode, as you can see in the example below:

RONE>telnet 10.0.0.2
Trying 10.0.0.2 …Open

User Access Verification

Password:
RTWO#

It is best to avoid this type of access, especially when it applies to everyone. It is better to create usernames for different people and assign privilege level 15 on a per-user basis, instead of granting it to all, which is a security risk a network administrator should never take in a live environment.

RTWO(config)#username Class password Cisco

RTWO(config)#username Class2 privilege 15 password Cisco2

In this example both users could telnet into the RTWO router. However, the Class user would be put into user exec mode by default as soon as he provides the password for his account, and would then also have to give the privileged exec password if he wants to access that mode. If there is no enable password, this user cannot access privileged exec mode.

The Class2 username would be sent to privileged exec mode as soon as he finishes the authentication requirement.

Privilege level 1 is user exec mode, while 15 is the highest level and the one the “enable” command takes you to by default.

You should also know that you are not forced to choose between granting full access rights and no access at all. You have the power and the knowledge to differentiate users based on the commands they need to do their jobs. The available commands differ from one privilege level to another.
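An added example (not part of the original article): a short Python check that reads a saved configuration and reports the settings discussed above, namely a missing enable password, vty lines that give every caller level 15, vty lines that rely on one shared line password, and the accounts that log in at level 15. The sample configuration and the finding codes are constructed for illustration; `login local` is the IOS line command that makes the vty lines authenticate against the local usernames.

```python
import re

# Constructed sample: the commands this article enters on RTWO, laid out the
# way a saved configuration lists them (not a capture from a real device).
SAMPLE_CONFIG = """\
hostname RTWO
username Class password Cisco
username Class2 privilege 15 password Cisco2
line con 0
line vty 0 4
 privilege level 15
 password Cisco
 login
end
"""

def audit(config):
    """Return (code, subject) findings for the access settings in the article."""
    findings = []
    lines = config.splitlines()
    # Without an enable secret/password, "enable" over a vty line is refused
    # with "% No password set." for anyone who logs in below level 15.
    if not any(re.match(r"enable (secret|password)\b", l) for l in lines):
        findings.append(("NO_ENABLE_PASSWORD", "global"))
    block = None  # the "line vty ..." block currently being read, if any
    vty = {}      # block header -> list of its sub-commands
    for line in lines:
        if line.startswith("line "):
            block = line if line.startswith("line vty") else None
            if block:
                vty[block] = []
        elif line.startswith(" ") and block:
            vty[block].append(line.strip())
        else:
            block = None
            # Inventory of accounts that land directly in privileged exec.
            m = re.match(r"username (\S+) privilege 15\b", line)
            if m:
                findings.append(("USER_PRIV15", m.group(1)))
    for name, cmds in vty.items():
        if "privilege level 15" in cmds:
            findings.append(("VTY_PRIV15_FOR_ALL", name))
        # A line password without "login local" is one secret shared by all.
        if any(c.startswith("password") for c in cmds) and "login local" not in cmds:
            findings.append(("VTY_SHARED_PASSWORD", name))
    return findings
```

Running `audit(SAMPLE_CONFIG)` flags all four conditions for the configuration built in this article; a configuration with an enable secret and `login local` on the vty lines leaves only the per-user level 15 inventory.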

 
