Controlling Switch Access with Passwords and Privilege Levels
- Finding Feature Information
- Restrictions for Controlling Switch Access with Passwords and Privileges
- Information About Passwords and Privilege Levels
- How to Control Switch Access with Passwords and Privilege Levels
- Setting or Changing a Static Enable Password
- Protecting Enable and Enable Secret Passwords with Encryption
- Disabling Password Recovery
- Setting a Telnet Password for a Terminal Line
- Configuring Username and Password Pairs
- Setting the Privilege Level for a Command
- Changing the Default Privilege Level for Lines
- Logging into and Exiting a Privilege Level
- Monitoring Switch Access
- Configuration Examples for Setting Passwords and Privilege Levels
- Additional References
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Restrictions for Controlling Switch Access with Passwords and Privileges
The following are the restrictions for controlling switch access with passwords and privileges:
Information About Passwords and Privilege Levels
Default Password and Privilege Level Configuration
A simple way of providing terminal access control in your network is to use passwords and assign privilege levels. Password protection restricts access to a network or network device. Privilege levels define what commands users can enter after they have logged into a network device.
Feature | Default Setting
---|---
Enable password and privilege level | No password is defined. The default is level 15 (privileged EXEC level). The password is not encrypted in the configuration file.
Enable secret password and privilege level | No password is defined. The default is level 15 (privileged EXEC level). The password is encrypted before it is written to the configuration file.
Line password | No password is defined.
Additional Password Security
To provide an additional layer of security, particularly for passwords that cross the network or that are stored on a Trivial File Transfer Protocol (TFTP) server, you can use either the enable password or enable secret global configuration commands. Both commands accomplish the same thing; that is, you can establish an encrypted password that users must enter to access privileged EXEC mode (the default) or any privilege level you specify.
We recommend that you use the enable secret command because it uses an improved encryption algorithm.
If you configure the enable secret command, it takes precedence over the enable password command; the two commands cannot be in effect simultaneously.
If you enable password encryption, it applies to all passwords including username passwords, authentication key passwords, the privileged command password, and console and virtual terminal line passwords.
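The conditions this section describes can be checked offline against a saved running-config. The following Python script is an added example, not code from this chapter and not a Cisco tool: it parses an IOS-style configuration and reports an enable password that an enable secret at the same level has made redundant, passwords stored in clear text, type 7 passwords (a reversible encoding rather than a hash), and lines whose login method has no password behind it. The configuration text is constructed for the example; its enable passwords and the $1$ hash are reused from this chapter's own configuration examples, while the usernames, the type 7 strings and the netops hash are made up. The rule applied to line blocks (login local passes, login needs a line password, anything else is unauthenticated) is the script's own assumption, not a statement from the page.

```python
import re
from collections import namedtuple

# Constructed sample running-config (added example, not from the page). The enable
# passwords and the $1$ hash reuse values from this chapter's examples; the
# usernames, type 7 strings and the netops hash are made up.
SAMPLE_CONFIG = """\
enable password l1u2c3k4y5
enable secret 5 $1$FaD0$Xyti5Rkls3LoyxzS8
enable password level 14 SecretPswd14
username adamsample privilege 1 password 7 045802150C2E
username operator privilege 15 password 0 Plain123
username netops privilege 15 secret 5 $1$zzzz$CONSTRUCTEDHASHVALUE
line con 0
 login local
line vty 0 4
 login
line vty 5 15
 password 7 104D000A0618
 login local
"""

# enable {password|secret} [level N] [type] string
ENABLE_RE = re.compile(r"^enable (password|secret)(?: level (\d+))?(?: (\d))? (\S+)$")
# username NAME [privilege N] {password|secret} [type] string
USER_RE = re.compile(r"^username (\S+)(?: privilege (\d+))? (password|secret)(?: (\d))? (\S+)$")

# severity is "high", "medium" or "info"; where names the statement or line block
Finding = namedtuple("Finding", "severity where message")


def parse_config(text):
    """Return (global statements, {'line ...': [indented sub-commands]})."""
    statements, blocks, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):  # sub-command of the current line block
            if current is not None:
                blocks[current].append(raw.strip())
            continue
        stmt = raw.strip()
        statements.append(stmt)
        current = stmt if stmt.startswith("line ") else None
        if current is not None:
            blocks.setdefault(current, [])
    return statements, blocks


def audit(text):
    """Return the Findings for one running-config."""
    statements, blocks = parse_config(text)
    findings, plaintext_seen = [], False
    enable_pw, enable_secret = {}, {}  # privilege level -> encryption type

    for stmt in statements:
        m = ENABLE_RE.match(stmt)
        if m:
            kind, level, enc = m.group(1), int(m.group(2) or 15), int(m.group(3) or 0)
            (enable_secret if kind == "secret" else enable_pw)[level] = enc
            continue
        m = USER_RE.match(stmt)
        if m and m.group(3) == "password":  # the 'secret' form is hashed: nothing to flag
            if int(m.group(4) or 0) == 0:
                plaintext_seen = True
                findings.append(Finding("high", stmt, "username password stored in clear text"))
            else:
                findings.append(Finding("medium", stmt, "type 7 is a reversible encoding, not a hash; use 'secret'"))

    for level, enc in sorted(enable_pw.items()):
        where = f"enable password level {level}"
        if level in enable_secret:  # the text: enable secret takes precedence
            findings.append(Finding("info", where, "ignored because an enable secret exists at this level; remove it"))
        if enc == 0:
            plaintext_seen = True
            findings.append(Finding("high", where, "enable password stored in clear text"))
        elif enc == 7:
            findings.append(Finding("medium", where, "type 7 is reversible; replace with enable secret"))

    # Line heuristic (this script's assumption): 'login local' defers to the username
    # pairs, plain 'login' needs a line password, anything else asks for no password.
    for block, body in blocks.items():
        pw = [b.split() for b in body if b.startswith("password ")]
        if pw and not (len(pw[0]) == 3 and pw[0][1] == "7"):
            plaintext_seen = True
            findings.append(Finding("high", block, "line password stored in clear text"))
        if "login local" in body:
            continue
        if "login" in body and not pw:
            findings.append(Finding("medium", block, "'login' requires a line password, but none is set"))
        elif "login" not in body:
            findings.append(Finding("high", block, "no 'login' or 'login local': line is not password protected"))

    if plaintext_seen and "service password-encryption" not in statements:
        findings.append(Finding("medium", "service password-encryption",
                                "not enabled: clear-text passwords stay readable in the configuration file"))
    return findings
```

Run `audit(SAMPLE_CONFIG)` to see the seven findings for the constructed config, or pass it the text of `show running-config` captured from a switch. Because an enable secret at level 15 exists, the clear-text `enable password` at that level is reported twice: once as ignored, once as a clear-text value that should not stay in the file.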
Password Recovery
By default, any end user with physical access to the switch can recover from a lost password by interrupting the boot process while the switch is powering on and then by entering a new password.
The password-recovery disable feature protects access to the switch password by disabling part of this functionality. When this feature is enabled, the end user can interrupt the boot process only by agreeing to set the system back to the default configuration. With password recovery disabled, you can still interrupt the boot process and change the password, but the configuration file (config.text) and the VLAN database file (vlan.dat) are deleted.
If you disable password recovery, we recommend that you keep a backup copy of the configuration file on a secure server in case the end user interrupts the boot process and sets the system back to default values. Do not keep a backup copy of the configuration file on the switch. If the switch is operating in VTP transparent mode, we recommend that you also keep a backup copy of the VLAN database file on a secure server. When the switch is returned to the default system configuration, you can download the saved files to the switch by using the Xmodem protocol.
To re-enable password recovery, use the service password-recovery global configuration command.
Terminal Line Telnet Configuration
When you power up your switch for the first time, an automatic setup program runs to assign IP information and to create a default configuration for continued use. The setup program also prompts you to configure your switch for Telnet access through a password. If you did not configure this password during the setup program, you can configure it when you set a Telnet password for a terminal line.
Username and Password Pairs
You can configure username and password pairs, which are locally stored on the switch. These pairs are assigned to lines or ports and authenticate each user before that user can access the switch. If you have defined privilege levels, you can also assign a specific privilege level (with associated rights and privileges) to each username and password pair.
Privilege Levels
Cisco switches (and other devices) use privilege levels to provide password security for different levels of switch operation. By default, the Cisco IOS software operates in two modes (privilege levels) of password security: user EXEC (Level 1) and privileged EXEC (Level 15). You can configure up to 16 hierarchical levels of commands for each mode. By configuring multiple passwords, you can allow different sets of users to have access to specified commands.
Privilege Levels on Lines
Users can override the privilege level you set using the privilege level line configuration command by logging in to the line and enabling a different privilege level. They can lower the privilege level by using the disable command. If users know the password to a higher privilege level, they can use that password to enable the higher privilege level. You might specify a high privilege level for your console line to restrict line usage.
For example, if you want many users to have access to the clear line command, you can assign it level 2 security and distribute the level 2 password fairly widely. But if you want more restricted access to the configure command, you can assign it level 3 security and distribute that password to a more restricted group of users.
Command Privilege Levels
When you set a command to a privilege level, all commands whose syntax is a subset of that command are also set to that level. For example, if you set the show ip traffic command to level 15, the show commands and show ip commands are automatically set to privilege level 15 unless you set them individually to different levels.
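The subset rule has a side effect worth seeing concretely: raising one long command also raises every shorter command that is a prefix of it, so level-1 users can lose commands you never meant to restrict. The following Python model is an added example, not code from the page or from Cisco IOS. It applies the rule as the text states it to the two assignments used in this chapter's examples (show ip traffic at level 15, configure at level 14), then shows how setting the prefixes individually restores them for user EXEC. Two details are assumptions of the model rather than statements from the page: prefixes implied at different levels keep the lowest level, and the level a command needs is that of its longest configured prefix. Confirm the effective levels on your own platform before relying on them.

```python
# Added example (not code from the page or from Cisco IOS): a model of the rule
# that 'privilege MODE level N COMMAND' also sets every shorter command whose
# syntax is a prefix of COMMAND to N unless that shorter command is set itself.
# Model assumptions: prefixes implied at different levels keep the lowest level,
# and the level a command needs is that of its longest configured prefix.


def effective_levels(assignments):
    """Compute {command: level} from (level, command) pairs in configuration order."""
    explicit, implied = {}, {}
    for level, command in assignments:
        words = command.split()
        explicit[" ".join(words)] = level
        for n in range(1, len(words)):  # 'show', 'show ip' for 'show ip traffic'
            prefix = " ".join(words[:n])
            implied[prefix] = min(level, implied.get(prefix, level))
    levels = dict(implied)
    levels.update(explicit)  # an individually set command wins over an implied level
    return levels


def required_level(levels, command, mode_default=1):
    """Level needed to enter COMMAND: its longest configured prefix, else the mode default."""
    words = command.split()
    for n in range(len(words), 0, -1):
        key = " ".join(words[:n])
        if key in levels:
            return levels[key]
    return mode_default


def can_run(levels, user_level, command):
    """True if a user who has enabled user_level may enter COMMAND."""
    return user_level >= required_level(levels, command)


def locked_out(levels, user_level, commands):
    """The commands a user at user_level can no longer enter."""
    return [c for c in commands if not can_run(levels, user_level, c)]


# The two assignments from this chapter's examples: 'show ip traffic' at level 15
# and 'configure' at level 14.
PAGE_ASSIGNMENTS = [(15, "show ip traffic"), (14, "configure")]

# Setting the prefixes individually gives user EXEC its 'show' commands back while
# 'show ip traffic' itself stays at level 15.
FIXED_ASSIGNMENTS = PAGE_ASSIGNMENTS + [(1, "show"), (1, "show ip")]

# Constructed list of commands a level-1 operator would expect to use.
USER_EXEC_COMMANDS = ["show version", "show ip route", "show ip traffic", "configure terminal"]

if __name__ == "__main__":
    for name, assigns in (("page assignments", PAGE_ASSIGNMENTS), ("with prefixes set", FIXED_ASSIGNMENTS)):
        levels = effective_levels(assigns)
        print(f"{name}: {levels}")
        print("  level 1 is locked out of:", locked_out(levels, 1, USER_EXEC_COMMANDS))
```

With only the page's two assignments, a level-1 user is locked out of every show command, including show version, because show itself has been pulled up to level 15. Adding the two explicit level-1 assignments leaves only show ip traffic and configure restricted, which is the intent the examples describe.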
How to Control Switch Access with Passwords and Privilege Levels
Setting or Changing a Static Enable Password
The enable password controls access to the privileged EXEC mode. Follow these steps to set or change a static enable password:
1. enable
2. configure terminal
3. enable password password
4. end
5. show running-config
6. copy running-config startup-config
DETAILED STEPS
Protecting Enable and Enable Secret Passwords with Encryption
Follow these steps to establish an encrypted password that users must enter to access privileged EXEC mode (the default) or any privilege level you specify:
1. enable
2. configure terminal
3. Use one of the following: enable password or enable secret
4. service password-encryption
5. end
6. show running-config
7. copy running-config startup-config
DETAILED STEPS
Disabling Password Recovery
Follow these steps to disable password recovery to protect the security of your switch:
If you disable password recovery, we recommend that you keep a backup copy of the configuration file on a secure server in case the end user interrupts the boot process and sets the system back to default values. Do not keep a backup copy of the configuration file on the switch. If the switch is operating in VTP transparent mode, we recommend that you also keep a backup copy of the VLAN database file on a secure server. When the switch is returned to the default system configuration, you can download the saved files to the switch by using the Xmodem protocol.
DETAILED STEPS
Step | Command or Action | Purpose
---|---|---
Step 1 | enable (Example: Switch> enable) | Enables privileged EXEC mode. Enter your password if prompted.
Step 2 | configure terminal (Example: Switch# configure terminal) | Enters global configuration mode.
Step 3 | system disable password recovery switch {all \| <1-9>} (Example: Switch(config)# system disable password recovery switch all) | Disables password recovery. This setting is saved in an area of the flash memory that is accessible by the boot loader and the Cisco IOS image, but it is not part of the file system and is not accessible by any user.
Step 4 | end (Example: Switch(config)# end) | Returns to privileged EXEC mode.
To re-enable password recovery (that is, to remove the disable setting), use the no system disable password recovery switch all global configuration command.
Setting a Telnet Password for a Terminal Line
Beginning in user EXEC mode, follow these steps to set a Telnet password for the connected terminal line:
1. enable
2. configure terminal
3. line vty 0 15
4. password password
5. end
6. show running-config
7. copy running-config startup-config
DETAILED STEPS
Step | Command or Action | Purpose
---|---|---
Step 1 | enable (Example: Switch> enable) | Enters privileged EXEC mode.
Step 2 | configure terminal (Example: Switch# configure terminal) | Enters global configuration mode.
Step 3 | line vty 0 15 (Example: Switch(config)# line vty 0 15) | Configures the number of Telnet sessions (lines), and enters line configuration mode. There are 16 possible sessions on a command-capable switch. The 0 and 15 mean that you are configuring all 16 possible Telnet sessions.
Step 4 | password password (Example: Switch(config-line)# password abcxyz543) | Sets a Telnet password for the line or lines. For password, specify a string from 1 to 25 alphanumeric characters. The string cannot start with a number, is case sensitive, and allows spaces but ignores leading spaces. By default, no password is defined.
Step 5 | end (Example: Switch(config-line)# end) | Returns to privileged EXEC mode.
Step 6 | show running-config (Example: Switch# show running-config) | Verifies your entries.
Step 7 | copy running-config startup-config (Example: Switch# copy running-config startup-config) | (Optional) Saves your entries in the configuration file.
Configuring Username and Password Pairs
Follow these steps to configure username and password pairs:
1. enable
2. configure terminal
3. username name [privilege level] {password encryption-type password}
4. Use one of the following: line console 0 or line vty 0 15
5. login local
6. end
7. show running-config
8. copy running-config startup-config
DETAILED STEPS
Step | Command or Action | Purpose
---|---|---
Step 1 | enable (Example: Switch> enable) | Enables privileged EXEC mode. Enter your password if prompted.
Step 2 | configure terminal (Example: Switch# configure terminal) | Enters global configuration mode.
Step 3 | username name [privilege level] {password encryption-type password} (Examples: Switch(config)# username adamsample privilege 1 password secret456 and Switch(config)# username 111111111111 mac attribute) | Sets the username, privilege level, and password for each user.
Step 4 | Use one of the following: line console 0 or line vty 0 15 (Example: Switch(config)# line console 0 or Switch(config)# line vty 15) | Enters line configuration mode, and configures the console port (line 0) or the VTY lines (line 0 to 15).
Step 5 | login local (Example: Switch(config-line)# login local) | Enables local password checking at login time. Authentication is based on the username specified in Step 3.
Step 6 | end (Example: Switch(config)# end) | Returns to privileged EXEC mode.
Step 7 | show running-config (Example: Switch# show running-config) | Verifies your entries.
Step 8 | copy running-config startup-config (Example: Switch# copy running-config startup-config) | (Optional) Saves your entries in the configuration file.
Setting the Privilege Level for a Command
Follow these steps to set the privilege level for a command:
1. enable
2. configure terminal
3. privilege mode level level command
4. enable password level level password
5. end
6. copy running-config startup-config
DETAILED STEPS
Step | Command or Action | Purpose
---|---|---
Step 1 | enable (Example: Switch> enable) | Enables privileged EXEC mode. Enter your password if prompted.
Step 2 | configure terminal (Example: Switch# configure terminal) | Enters global configuration mode.
Step 3 | privilege mode level level command (Example: Switch(config)# privilege exec level 14 configure) | Sets the privilege level for a command.
Step 4 | enable password level level password (Example: Switch(config)# enable password level 14 SecretPswd14) | Specifies the password to enable the privilege level.
Step 5 | end (Example: Switch(config)# end) | Returns to privileged EXEC mode.
Step 6 | copy running-config startup-config (Example: Switch# copy running-config startup-config) | (Optional) Saves your entries in the configuration file.
Changing the Default Privilege Level for Lines
Follow these steps to change the default privilege level for the specified line:
1. enable
2. configure terminal
3. line vty line
4. privilege level level
5. end
6. copy running-config startup-config
DETAILED STEPS
Step | Command or Action | Purpose
---|---|---
Step 1 | enable (Example: Switch> enable) | Enables privileged EXEC mode. Enter your password if prompted.
Step 2 | configure terminal (Example: Switch# configure terminal) | Enters global configuration mode.
Step 3 | line vty line (Example: Switch(config)# line vty 10) | Selects the virtual terminal line on which to restrict access.
Step 4 | privilege level level (Example: Switch(config)# privilege level 15) | Changes the default privilege level for the line. For level, the range is from 0 to 15. Level 1 is for normal user EXEC mode privileges. Level 15 is the level of access permitted by the enable password.
Step 5 | end (Example: Switch(config)# end) | Returns to privileged EXEC mode.
Step 6 | copy running-config startup-config (Example: Switch# copy running-config startup-config) | (Optional) Saves your entries in the configuration file.
Users can override the privilege level you set using the privilege level line configuration command by logging in to the line and enabling a different privilege level. They can lower the privilege level by using the disable command. If users know the password to a higher privilege level, they can use that password to enable the higher privilege level. You might specify a high privilege level for your console line to restrict line usage.
Logging into and Exiting a Privilege Level
Beginning in user EXEC mode, follow these steps to log into a specified privilege level and exit a specified privilege level.
1. enable level
2. disable level
DETAILED STEPS
Step | Command or Action | Purpose
---|---|---
Step 1 | enable level (Example: Switch> enable 15) | Logs in to a specified privilege level. Following the example, Level 15 is privileged EXEC mode. For level, the range is 0 to 15.
Step 2 | disable level (Example: Switch# disable 1) | Exits to a specified privilege level. Following the example, Level 1 is user EXEC mode. For level, the range is 0 to 15.
Monitoring Switch Access
Configuration Examples for Setting Passwords and Privilege Levels
- Example: Setting or Changing a Static Enable Password
- Example: Protecting Enable and Enable Secret Passwords with Encryption
- Example: Setting a Telnet Password for a Terminal Line
- Example: Setting the Privilege Level for a Command
Example: Setting or Changing a Static Enable Password
This example shows how to change the enable password to l1u2c3k4y5. The password is not encrypted and provides access to level 15 (traditional privileged EXEC mode access):
Switch(config)# enable password l1u2c3k4y5
Example: Protecting Enable and Enable Secret Passwords with Encryption
This example shows how to configure the encrypted password $1$FaD0$Xyti5Rkls3LoyxzS8 for privilege level 2:
Switch(config)# enable secret level 2 5 $1$FaD0$Xyti5Rkls3LoyxzS8
Example: Setting a Telnet Password for a Terminal Line
This example shows how to set the Telnet password to let45me67in89:
Switch(config)# line vty 10
Switch(config-line)# password let45me67in89
Example: Setting the Privilege Level for a Command
This example shows how to set the configure command to privilege level 14 and define SecretPswd14 as the password users must enter to use level 14 commands:
Switch(config)# privilege exec level 14 configure
Switch(config)# enable password level 14 SecretPswd14
Additional References
Error Message Decoder
Description | Link
---|---
To help you research and resolve system error messages in this release, use the Error Message Decoder tool. | https://www.cisco.com/cgi-bin/Support/Errordecoder/index.cgi
MIBs
MIB | MIBs Link
---|---
 | To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL:
Technical Assistance
Description | Link
---|---
The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies. To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds. Access to most tools on the Cisco Support website requires a Cisco.com user ID and password. | 