144
Configuring Switch-Based Authentication
Information About Configuring Switch-Based Authentication
You can also enable the login enhancements feature, which logs both failed and unsuccessful login attempts. Login
enhancements can also be configured to block future login attempts after a set number of unsuccessful attempts
are made.
Password Protection
A simple way of providing terminal access control in your network is to use passwords and assign privilege levels.
Password protection restricts access to a network or network device. Privilege levels define what commands users can
enter after they have logged into a network device.
Default Password and Privilege Level Configuration
Enable Secret Passwords with Encryption
To provide an additional layer of security, particularly for passwords that cross the network or that are stored on a Trivial
File Transfer Protocol (TFTP) server, you can use either the enable password or enable secret global configuration
commands. Both commands accomplish the same thing; that is, you can establish an encrypted password that users
must enter to access privileged EXEC mode (the default) or any privilege level you specify.
We recommend that you use the enable secret command because it uses an improved encryption algorithm.
If you configure the enable secret command, it takes precedence over the enable password command; the two
commands cannot be in effect simultaneously.
Use the level keyword to define a password for a specific privilege level. After you specify the level and set a password,
give the password only to users who need to have access at this level. Use the privilege level global configuration
command to specify commands accessible at various levels.
If you enable password encryption, it applies to all passwords including username passwords, authentication key
passwords, the privileged command password, and console and virtual terminal line passwords.
To remove a password and level, use the no enable password [level level] or no enable secret [level level] global
configuration command. To disable password encryption, use the no service password-encryption global configuration
command.
Password Recovery
Any end user with physical access to the switch can recover from a lost password by interrupting the boot process while
the switch is powering on and manually deleting the configuration of the switch.
Press and hold the factory default button when power is applied to the switch. You can release the button once you see
the password-recovery mechanism is enabled message. You will be at the boot loader prompt at this point and will be
able to delete the configuration file (which contains the forgotten password).
Table 25 Default Password and Privilege Levels
Feature Default Setting
Enable password and privilege level No password is defined. The default is level 15 (privileged EXEC level).
The password is not encrypted in the configuration file.
Enable secret password and privilege level No password is defined. The default is level 15 (privileged EXEC level).
The password is encrypted before it is written to the configuration file.
Line password No password is defined.
To Next Page
Loading...
Need help?
General