Cisco Systems DOC-7814982 Protecting Access to Privileged EXEC Command s

7-2

Catalyst 2950 Desktop Switch Software Configuration Guide

78-14982-01

Chapter 7 Administering the Switch

Protecting Access to Priv ileged EXEC Com m ands

•For an add iti o nal layer of security, you can also configure userna me and password pairs, which are

locally stored on the switch. These pairs are assigned to lines or interfaces and authenticate each

user before that user can access the switch. If you have defined privilege le v e ls, you can also assign

a spec ific pri vile ge lev el (with as soci ated rights and privi leges) to ea ch username an d passwo rd pair .

For more information, see the “Configur ing User na me a nd Password Pair s” sec tion on page 7-7.

•If you want to u se use rn ame and pa ssword p airs, but you wa nt to st ore t hem c e ntra lly o n a server

instead of locally , you can store them in a database on a security server . Multiple networking devices

can t hen u se t he sa me da taba se t o obt ai n u se r aut hent ic ation ( and , if n ece ssary, aut horiz at ion)

information . For more infor mation, see the “Controllin g Switch Access with TA CA CS+” section on

page 7-10.

Protecting Access to Privileged EXEC Command s

A simpl e way of p rovidin g te rmi nal acces s c ontr ol i n you r netwo rk i s to use p ass words a nd as sign

privilege levels. Pass word pr otec tion re stric ts a cce ss to a ne twork or n etwo rk device. Privilege levels

define what co mman ds users can en ter after they have log ged into a network device.

Note For comple te syntax an d usage infor mation for the commands us ed in this sectio n, refer t o the Cisco IOS

Securi ty Com mand R eference for R elease 1 2.1 .

This sec ti on d escrib es h ow to contro l ac c ess to the con figurati on file and pr ivileged EXEC com ma nds.

It contains this configuration information:

•Default Password and Privilege Level Configuratio n, page 7-2

•Setting or Changing a Static Enable Password, page 7-3

•Protectin g E nabl e a nd En abl e Sec ret Passwords wit h Encr ypti on, p ag e 7- 4

•Disabling Password Re covery, page 7-5

•Setting a Telnet Password for a Terminal Line, page 7-6

•Configuring U serna me an d Password Pai rs, pa ge 7 -7

•Configuring Multiple Privilege Levels, page 7-8

Table 7-1 shows the defaul t pa ssword and p rivilege level configuration.

Table 7-1 Default Password and Privilege Levels

Feature Default Setting

Enable p assword an d privilege l evel No password i s defined. The defau lt i s level 15 (privileged EXE C level).

The password is not encrypted in the configuration file.

Enable sec ret passwor d and p rivilege level No password i s defined. The defau lt is level 15 (privileged EXEC l evel).

The password is encrypted before it is written to the configuration file.

Line p assword No password is de fined.