Cisco Systems 0L-11350-01 Protecting Enable and Enable Secret Passwords with Encryption

5-6

Cisco IOS Software Configuration Guide for Cisco Aironet Access Points

OL-11350-01

Chapter5 Administering the Access PointW ireless Device Access

Protecting Access to Privileged EXEC Commands

Protecting Enable and Enable Secret Passwords with Encryption

To provide an additional layer of security, particularly for passwords that cross the network or that are

stored on a Trivial File Transfer Protocol (TFTP) server, you can use either the enable password or

enable secret global configuration commands. Both commands accomplish the same thing; that is, you

can establish an encrypted password that users must enter to access privileged EXEC mode (the default)

or any privilege level you specify.

Cisco recommends that you use the enable secret command because it uses an improved encryption

algorithm.

If you configure the enable secret command, it takes precedence over the enable password command;

the two commands cannot be in effect simultaneously.

Beginning in privileged EXEC mode, follow these steps to configure encryption for enable and enable

secret passwords:

Command Purpose

Step1 configure terminal Enter global configuration mode.

Step2 enable password [level level] {password |

encryption-type encrypted-password}

enable secret [level level] {password |

encryption-type encrypted-password}

Define a new password or change an existing password for

access to privileged EXEC mode.

Define a secret password, which is saved using a

nonreversible encryption method.

•(Optional) For level, the range is from 0 to 15. Level 1

is normal user EXEC mode privileges. The default level

is 15 (privileged EXEC mode privileges).

•For password, specify a string from 1 to 25

alphanumeric characters. The string cannot start with a

number, is case sensitive, and allows spaces but ignores

leading spaces. By default, no password is defined.

•(Optional) For encryption-type, only type 5, a Cisco

proprietary encryption algorithm, is available. If you

specify an encryption type, you must provide an

encrypted password—an encrypted password you copy

from another access pointwireless device configuration.

Note If you specify an encryption type and then enter a

clear text password, you can not re-enter privileged

EXEC mode. You cannot recover a lost encrypted

password by any method.

Step3 service password-encryption (Optional) Encrypt the password when the password is

defined or when the configuration is written.

Encryption prevents the password from being readable in the

configuration file.

Step4 end Return to privileged EXEC mode.

Step5 copy running-config startup-config (Optional) Save your entries in the configuration file.