This chapter describes the commands used to control access to the router.
To log on to the router at a specified level, use the enable EXEC command.
enable [level]

| Keyword/argument | Description |
|---|---|
| level | (Optional) Defines the privilege level that a user logs in to on the router. |

Default: Level 15

Command mode: EXEC
This command first appeared in Cisco IOS Release 10.0.
In the following example, the user is logging on to privilege level 5 on a router:
enable 5
Related commands (a dagger (+) indicates that the command is documented outside this chapter):
disable +
privilege level (global)
privilege level (line)
Use the enable password global configuration command to set a local password to control access to various privilege levels. Use the no form of this command to remove the password requirement.
enable password [level level] {password | encryption-type encrypted-password}

| Keyword/argument | Description |
|---|---|
| level level | (Optional) Level for which the password applies. You can specify up to 16 privilege levels, using numbers 0 through 15. Level 1 is normal EXEC-mode user privileges. If this argument is not specified in the command or the no form of the command, the privilege level defaults to 15 (traditional enable privileges). |
| password | Password users type to enter enable mode. |
| encryption-type | (Optional) Cisco-proprietary algorithm used to encrypt the password. Currently the only encryption type available is 7. If you specify encryption-type, the next argument you supply must be an encrypted password (a password already encrypted by a Cisco router). |
| encrypted-password | Encrypted password you enter, copied from another router configuration. |

Default: No password is defined. The default level is 15.

Command mode: Global configuration
This command first appeared in Cisco IOS Release 10.0.
Use this command with the level option to define a password for a specific privilege level. After you specify the level and the password, give the password to the users who need to access this level. Use the privilege level (global) configuration command to specify commands accessible at various levels.
You will not ordinarily enter an encryption type. Typically you enter an encryption type only if you copy and paste into this command a password that has already been encrypted by a Cisco router.
Caution: If you specify an encryption type and then enter a cleartext password, you will not be able to reenter enable mode. You cannot recover a lost password that has been encrypted by any method.
If the service password-encryption command is set, the encrypted form of the password you create with the enable password command is displayed when a show startup-config command is entered.
You can enable or disable password encryption with the service password-encryption command.
In the following example, the password pswd2 is defined for privilege level 2:
enable password level 2 pswd2
In the following example, the encrypted password $1$i5Rkls3LoyxzS8t9, which has been copied from a router configuration file, is set for privilege level 2 using encryption type 7:
enable password level 2 7 $1$i5Rkls3LoyxzS8t9
Related commands (a dagger (+) indicates that the command is documented outside this chapter):
disable +
enable +
enable secret
privilege level (global)
service password-encryption
show privilege
show startup-config +
Use the enable secret global configuration command to specify an additional layer of security over the enable password command. Use the no form of the command to turn off the enable secret function.
enable secret [level level] {password | encryption-type encrypted-password}

| Keyword/argument | Description |
|---|---|
| level level | (Optional) Level for which the password applies. You can specify up to sixteen privilege levels, using numbers 0 through 15. Level 1 is normal EXEC-mode user privileges. If this argument is not specified in the command or in the no form of the command, the privilege level defaults to 15 (traditional enable privileges). |
| password | Password users type to enter enable mode. This password should be different from the password created with the enable password command. |
| encryption-type | (Optional) Cisco-proprietary algorithm used to encrypt the password. Currently the only encryption type available for this command is 5. If you specify encryption-type, the next argument you supply must be an encrypted password (a password encrypted by a Cisco router). |
| encrypted-password | Encrypted password you enter, copied from another router configuration. |

Default: No password is defined. The default level is 15.

Command mode: Global configuration
This command first appeared in Cisco IOS Release 11.0.
Use this command in conjunction with the enable password command to provide an additional layer of security over the enable password. The enable secret command provides better security by storing the enable secret password using a non-reversible cryptographic function. This added protection is useful in environments where the password crosses the network or is stored on a TFTP server.
You will not ordinarily enter an encryption type. Typically you enter an encryption type only if you paste into this command an encrypted password that you copied from a router configuration file.
Caution: If you specify an encryption-type and then enter a cleartext password, you will not be able to reenter enable mode. You cannot recover a lost password that has been encrypted by any method.
If you use the same password for the enable password and enable secret commands, you receive an error message warning that this practice is not recommended, but the password will be accepted. By using the same password, however, you undermine the additional security the enable secret command provides.
If service password-encryption is set, the encrypted form of the password you create here is displayed when a show startup-config command is entered.
You can enable or disable password encryption with the service password-encryption command.
The following example specifies the enable secret password gobbledegook:
enable secret gobbledegook
After specifying an enable secret password, users must enter this password to gain access. Any passwords set through enable password will no longer work.
Password: gobbledegook
In the following example, the encrypted password $1$FaD0$Xyti5Rkls3LoyxzS8, which has been copied from a router configuration file, is set as the enable secret for privilege level 2 using encryption type 5 (type 5 is accepted only by enable secret, not by enable password):
enable secret level 2 5 $1$FaD0$Xyti5Rkls3LoyxzS8
Related commands (a dagger (+) indicates that the command is documented outside this chapter):
enable +
enable password
To enable identification support, use the ip identd global configuration command. Use the no form of this command to disable this feature.
ip identd

This command has no arguments or keywords.

Default: Identification support is not enabled.

Command mode: Global configuration
This command first appeared in Cisco IOS Release 11.1.
The ip identd command returns accurate information about the host TCP port; however, no attempt is made to protect against unauthorized queries.
In the following example, identification support is enabled:
ip identd
To enable TACACS+ authentication for logins, use the login authentication line configuration command. Use the no form of this command to either disable TACACS+ authentication for logins or to return to the default.
login authentication {default | list-name}

| Keyword/argument | Description |
|---|---|
| default | Uses the default list created with the aaa authentication login command. |
| list-name | Uses the indicated list created with the aaa authentication login command. |

Default: Uses the default list set with aaa authentication login.

Command mode: Line configuration
This command first appeared in Cisco IOS Release 10.3.
This command is a per-line command used with AAA that specifies the name of a list of TACACS+ authentication methods to try at login. If no list is specified, the default list is used (whether or not it is specified in the command line).
Caution: If you use a list-name value that was not configured with the aaa authentication login command, you will disable login on this line.
Entering the no version of login authentication has the same effect as entering the command with the default argument.
Before issuing this command, create a list of authentication processes by using the global configuration aaa authentication login command.
The following example specifies that the default AAA authentication is to be used on line 4:
line 4
 login authentication default
The following example specifies that the AAA authentication list called list1 is to be used on line 7:
line 7
 login authentication list1
Related commands:
aaa authentication login
To set the privilege level for a command, use the privilege level global configuration command. Use the no form of this command to revert to default privileges for a given command.
privilege mode level level command

| Keyword/argument | Description |
|---|---|
| mode | Configuration mode. (See the alias command in the Configuration Fundamentals Command Reference for a description of mode.) |
| level | Privilege level associated with the specified command. You can specify up to sixteen privilege levels, using numbers 0 through 15. |
| command | Command to which the privilege level is associated. |

Default: Level 15 is the level of access permitted by the enable password. Level 1 is normal EXEC-mode user privileges.

Command mode: Global configuration
This command first appeared in Cisco IOS Release 10.3.
The description of the alias command, in the Configuration Fundamentals Command Reference, shows the options for the mode argument in the privilege level global configuration command.
The password for a privilege level defined using the privilege level global configuration command is configured using the enable password command.
Level 0 can be used to specify a more-limited subset of commands for specific users or lines. For example, you can allow user "guest" to use only the show users and exit commands.
When you set a command to a privilege level, all commands whose syntax is a subset of that command are also set to that level. For example, if you set the show ip route command to level 15, the show and show ip commands are automatically set to privilege level 15 as well, unless you set them individually to different levels.
The commands in the following example set the configure command to privilege level 14 and establish SecretPswd14 as the password users must enter to use level 14 commands.
privilege exec level 14 configure
enable secret level 14 SecretPswd14
Related commands:
enable password
enable secret
privilege level (line)
To set the default privilege level for a line, use the privilege level line configuration command. Use the no form of this command to restore the default user privilege level to the line.
privilege level level

| Keyword/argument | Description |
|---|---|
| level | Privilege level associated with the specified line. |

Default: Level 15 is the level of access permitted by the enable password. Level 1 is normal EXEC-mode user privileges.

Command mode: Line configuration
This command first appeared in Cisco IOS Release 10.3.
Users can override the privilege level you set using this command by logging in to the line and enabling a different privilege level. They can lower the privilege level by using the disable command. If users know the password to a higher privilege level, they can use that password to enable the higher privilege level.
You can use level 0 to specify a subset of commands for specific users or lines. For example, you can allow user "guest" to use only the show users and exit commands.
You might specify a high level of privilege for your console line to restrict who uses the line.
The commands in the following example configure the auxiliary line for privilege level 5. Anyone using the auxiliary line has privilege level 5 by default.
line aux 0
 privilege level 5
The command in the following example sets all show ip commands, which includes all show commands, to privilege level 7:
privilege exec level 7 show ip route
This is equivalent to the following command:
privilege exec level 7 show
The commands in the following example set show ip route to level 7 and the show and show ip commands to level 1:
privilege exec level 7 show ip route
privilege exec level 1 show ip
Related commands:
enable password
privilege level (line)
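The subset rule described for the privilege level command (a statement moves the command and every prefix of it, and a later statement can move a prefix back individually) is easy to get wrong when reviewing a configuration. The following Python model is an added example, not Cisco code; it applies `privilege <mode> level <n> <command>` statements in order and reports the level a user needs for a given command, taking level 1 (normal EXEC-mode user privileges) as the default for anything never moved.

```python
import re
from typing import Dict, Iterable, Tuple

# privilege <mode> level <n> <command ...>, as documented above.
PRIVILEGE_RE = re.compile(r"^privilege (\S+) level (\d+) (.+)$")

Levels = Dict[Tuple[str, str], int]


def apply_privilege_config(lines: Iterable[str]) -> Levels:
    """Return {(mode, command): level} after applying the statements in order.

    A statement moves its command and every prefix of it (the commands whose
    syntax is a subset of it) to the given level; a later statement can move
    any one of those prefixes to a different level individually.
    """
    levels: Levels = {}
    for ln in lines:
        m = PRIVILEGE_RE.match(ln.strip())
        if m is None:
            continue  # not a privilege statement; other config lines are ignored
        mode, level, words = m.group(1), int(m.group(2)), m.group(3).split()
        if not 0 <= level <= 15:
            raise ValueError(f"privilege level must be 0 through 15: {ln!r}")
        for n in range(1, len(words) + 1):
            levels[(mode, " ".join(words[:n]))] = level
    return levels


def required_level(levels: Levels, mode: str, command: str, default: int = 1) -> int:
    """Lowest privilege level that can enter `command` in `mode`.

    A command is reached through each of its prefixes, so the requirement is
    the highest level set on the command or on any prefix; anything never
    moved stays at the default (level 1, normal EXEC-mode user privileges).
    """
    words = command.split()
    prefixes = (" ".join(words[:n]) for n in range(1, len(words) + 1))
    return max([default] + [levels.get((mode, p), default) for p in prefixes])


if __name__ == "__main__":
    # The two examples from the text: a single statement, then an override.
    one = apply_privilege_config(["privilege exec level 7 show ip route"])
    two = apply_privilege_config(["privilege exec level 7 show ip route",
                                  "privilege exec level 1 show ip"])
    print(sorted(one.items()))  # show, show ip and show ip route all at 7
    print(sorted(two.items()))  # show and show ip back at 1, show ip route at 7
    print(required_level(two, "exec", "show ip route"))  # 7
    print(required_level(two, "exec", "show ip interface"))  # 1
```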
To encrypt passwords, use the service password-encryption global configuration command. Use the no form of this command to disable this service.
service password-encryption

This command has no arguments or keywords.

Default: No encryption

Command mode: Global configuration
This command first appeared in Cisco IOS Release 10.0.
The actual encryption process occurs when the current configuration is written or when a password is configured. Password encryption is applied to all passwords, including authentication key passwords, the privileged command password, console and virtual terminal line access passwords, and BGP neighbor passwords. This command is primarily useful for keeping unauthorized individuals from viewing your password in your configuration file.
When password encryption is enabled, the encrypted form of the passwords is displayed when a show startup-config command is entered.
Caution: This command does not provide a high level of network security. If you use this command, you should also take additional network security measures.
The following example causes password encryption to take place:
service password-encryption
Related commands (a dagger (+) indicates that the command is documented outside this chapter):
enable password
key-string +
neighbor password +
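The usage guidelines for enable password, enable secret, login authentication and service password-encryption each describe a configuration state that weakens access control: an enable password with no enable secret, a cleartext password while service password-encryption is not set, a type 7 enable password, or a login authentication list-name that no aaa authentication login statement defines (which disables login on that line). The following Python audit is an added example, not Cisco code; it reads a saved configuration and reports those states, using a constructed sample configuration that reuses values from this chapter's examples.

```python
import re
from typing import List, Tuple

# Password-bearing statements in the syntax given in this chapter.
ENABLE_RE = re.compile(r"^enable (password|secret)(?: level (\d+))?(?: (\d+))? (\S+)$")
USERNAME_RE = re.compile(r"^username (\S+) password(?: (\d+))? (\S+)$")
AAA_LOGIN_RE = re.compile(r"^aaa authentication login (\S+)")
LINE_LOGIN_RE = re.compile(r"^login authentication (\S+)$")


def audit_config(config: str) -> List[Tuple[str, str]]:
    """Return (offending line, finding) pairs for weak password handling."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    encryption_on = "service password-encryption" in lines
    has_secret = any(ln.startswith("enable secret") for ln in lines)
    aaa_lists = set()  # list names defined with aaa authentication login
    for ln in lines:
        m = AAA_LOGIN_RE.match(ln)
        if m:
            aaa_lists.add(m.group(1))
    findings: List[Tuple[str, str]] = []
    for ln in lines:
        m = ENABLE_RE.match(ln)
        if m:
            kind, _level, enc_type, _pw = m.groups()
            if kind == "password" and not has_secret:
                findings.append((ln, "enable password without enable secret; enable secret stores a non-reversible hash"))
            if kind == "password" and enc_type == "7":
                findings.append((ln, "type 7 enable password does not provide a high level of security; prefer enable secret"))
            if kind == "password" and enc_type is None and not encryption_on:
                findings.append((ln, "cleartext enable password and service password-encryption is not set"))
            continue
        m = USERNAME_RE.match(ln)
        if m and m.group(2) is None and not encryption_on:
            findings.append((ln, "cleartext username password and service password-encryption is not set"))
            continue
        m = LINE_LOGIN_RE.match(ln)
        if m and m.group(1) != "default" and m.group(1) not in aaa_lists:
            findings.append((ln, f"list {m.group(1)} is not defined with aaa authentication login; login on this line is disabled"))
    return findings


# Constructed sample configuration (reusing values from this chapter's examples).
SAMPLE_CONFIG = """\
hostname Adam
enable password level 2 pswd2
enable secret 5 $1$FaD0$Xyti5Rkls3LoyxzS8
username Eve password theirsystem
aaa authentication login list1 local
line vty 0 4
 login authentication list2
"""

if __name__ == "__main__":
    for line, finding in audit_config(SAMPLE_CONFIG):
        print(f"{line!r}: {finding}")
```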
To display your current level of privilege, use the show privilege EXEC command.
show privilege

This command has no arguments or keywords.

Command mode: EXEC
This command first appeared in Cisco IOS Release 10.3.
The following is sample output from the show privilege command. The current privilege level is 15.
Router# show privilege
Current privilege level is 15
Related commands:
enable password level
enable secret level
To establish a username-based authentication system, enter the username global configuration command.
username name {nopassword | password password [encryption-type encrypted-password]}

Default: None

Command mode: Global configuration
The following commands first appeared in Cisco IOS Release 10.0:
username name {nopassword | password password [encryption-type encrypted-password]}
username name password secret
username name [access-class number]
username name [autocommand command]
username name [noescape] [nohangup]
username name [privilege level]
The following commands first appeared in Cisco IOS Release 11.1:
username name [callback-dialstring telephone-number]
username name [callback-rotary rotary-group-number]
username name [callback-line [tty] line-number [ending-line-number]]
username name [nocallback-verify]
The username command provides username and/or password authentication for login purposes only. (Note that it does not provide username and/or password authentication for enable mode when the enable use-tacacs command is also configured.)
Multiple username commands can be used to specify options for a single user.
Add a username entry for each remote system that the local router communicates with and requires authentication from. The remote device must have a username entry for the local router. This entry must have the same password as the local router's entry for that remote device.
This command can be useful for defining usernames that get special treatment. For example, you can use this command to define an "info" username that does not require a password, but connects the user to a general purpose information service.
The username command is required as part of the configuration for the Challenge Handshake Authentication Protocol (CHAP). Add a username entry for each remote system the local router requires authentication from.
If there is no secret specified and the debug serial-interface command is enabled, an error is displayed when a link is established and the CHAP challenge is not implemented. CHAP debugging information is available using the debug serial-interface and debug serial-packet commands. For more information about debug commands, refer to the Debug Command Reference.
To implement a service similar to the UNIX who command, which can be entered at the login prompt and lists the current users of the router, the username command takes the following form:
username who nopassword nohangup autocommand show users
To implement an information service that does not require a password to be used, the command takes the following form:
username info nopassword noescape autocommand telnet nic.ddn.mil
To implement an ID that works even if the TACACS servers all break, the command takes the following form:
username superuser password superpassword
The following example configuration enables CHAP on interface serial 0. It also defines a password for the local server, Adam, and a remote server, Eve.
hostname Adam
interface serial 0
encapsulation ppp
ppp authentication chap
username Adam password oursystem
username Eve password theirsystem
When you look at your configuration file, the passwords will be encrypted and the display will look similar to the following:
hostname Adam
interface serial 0
encapsulation ppp
ppp authentication chap
username Adam password 7 1514040356
username Eve password 7 121F0A18
Related commands (a dagger (+) indicates that the command is documented outside this chapter; two daggers (++) indicate that the command is documented in the Debug Command Reference):
arap callback +
callback-forced-wait +
debug callback ++
ppp callback +