Chapter 9 Configuring Switch-Based Authentication

Protecting Access to Privileged EXEC Commands

Beginning in privileged EXEC mode, follow these steps to establish a username-based authentication system that requests a login username and a password:

Step 1   configure terminal
Enter global configuration mode.

Step 2   username name [privilege level] {password encryption-type password}
Enter the username, privilege level, and password for each user.
For name, specify the user ID as one word. Spaces and quotation marks are not allowed.
(Optional) For level, specify the privilege level the user has after gaining access. The range is 0 to 15. Level 15 gives privileged EXEC mode access. Level 1 gives user EXEC mode access.
For encryption-type, enter 0 to specify that an unencrypted password will follow. Enter 7 to specify that a hidden password will follow.
For password, specify the password the user must enter to gain access to the switch. The password must be from 1 to 25 characters, can contain embedded spaces, and must be the last option specified in the username command.

Step 3   line console 0
or
line vty 0 15
Enter line configuration mode, and configure the console port (line 0) or the VTY lines (line 0 to 15).

Step 4   login local
Enable local password checking at login time. Authentication is based on the username specified in Step 2.

Step 5   end
Return to privileged EXEC mode.

Step 6   show running-config
Verify your entries.

Step 7   copy running-config startup-config
(Optional) Save your entries in the configuration file.

To disable username authentication for a specific user, use the no username name global configuration command. To disable password checking and allow connections without a password, use the no login line configuration command.
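Added example, not from the Cisco guide: a Python audit that parses a constructed excerpt of show running-config output and flags what this procedure is meant to rule out: username entries with an unencrypted (type 0) password, users granted privilege 15, and console or VTY lines that do not end up with login local. The sample configuration and the function names are assumptions.

```python
import re

# Constructed excerpt of 'show running-config' output; not from a real switch.
SAMPLE_CONFIG = """\
username admin privilege 15 password 7 0822455D0A16
username helpdesk privilege 1 password 0 plaintextpw
username auditor password 7 104D000A0618
line con 0
 login local
line vty 0 4
 login local
line vty 5 15
 no login
"""

# username name [privilege level] password encryption-type password
USERNAME_RE = re.compile(r"^username (\S+)(?: privilege (\d+))? password (0|7) (.+)$")


def parse_config(text):
    """Return (users, lines): users maps name -> (privilege level, encryption type),
    lines maps a line id such as 'vty 5 15' -> the login command seen under it."""
    users, lines, current = {}, {}, None
    for raw in text.splitlines():
        m = USERNAME_RE.match(raw)
        if m:
            name, level, enc, _password = m.groups()
            # A username entered without a privilege level gets level 1 (user EXEC).
            users[name] = (int(level) if level else 1, int(enc))
        elif raw.startswith("line "):
            current = raw[5:].strip()
            lines[current] = "(no login command)"
        elif current and raw.strip() in ("login", "login local", "no login"):
            lines[current] = raw.strip()
    return users, lines


def audit(text):
    """Return the findings a reviewer of this configuration would want flagged."""
    users, lines = parse_config(text)
    findings = []
    for name, (level, enc) in users.items():
        if enc == 0:
            findings.append(f"user {name}: password stored unencrypted (type 0)")
        if level == 15:
            findings.append(f"user {name}: privilege 15 (full privileged EXEC)")
    for line_id, method in lines.items():
        # Step 4 of the procedure: every configured line should use 'login local'.
        if method != "login local":
            findings.append(f"line {line_id}: '{method}' instead of 'login local'")
    return findings
```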

Configuring Multiple Privilege Levels

By default, the Cisco IOS software has two modes of password security: user EXEC and privileged EXEC. You can configure up to 16 hierarchical levels of commands for each mode. By configuring multiple passwords, you can allow different sets of users to have access to specified commands.

For example, if you want many users to have access to the clear line command, you can assign it level 2 security and distribute the level 2 password fairly widely. But if you want more restricted access to the configure command, you can assign it level 3 security and distribute that password to a more restricted group of users.

These sections contain this configuration information:

Setting the Privilege Level for a Command, page 9-8

Changing the Default Privilege Level for Lines, page 9-9

Logging into and Exiting a Privilege Level, page 9-9

Catalyst 3750-E and 3560-E Switch Software Configuration Guide
OL-9775-02
9-7