Catalyst 2950 Desktop Switch Software Configuration Guide
78-14982-01
Chapter 7 Administering the Switch
Protecting Access to Privileged EXEC Commands

Protecting Enable and Enable Secret Passwords with Encryption

To provide an additional layer of security, particularly for passwords that cross the network or that are
stored on a Trivial File Transfer Protocol (TFTP) server, you can use either the enable password or
enable secret global configuration commands. Both commands accomplish the same thing; that is, you
can establish an encrypted password that users must enter to access privileged EXEC mode (the default)
or any privilege level you specify.

We recommend that you use the enable secret command because it uses an improved encryption
algorithm.

If you configure the enable secret command, it takes precedence over the enable password command;
the two commands cannot be in effect simultaneously.

Beginning in privileged EXEC mode, follow these steps to configure encryption for enable and enable
secret passwords:

Step 1  Command: configure terminal
        Purpose: Enter global configuration mode.

Step 2  Command: enable password [level level] {password | encryption-type encrypted-password}
                 or
                 enable secret [level level] {password | encryption-type encrypted-password}
        Purpose: Define a new password or change an existing password for
                 access to privileged EXEC mode.
                 or
                 Define a secret password, which is saved using a
                 nonreversible encryption method.
                 - (Optional) For level, the range is from 0 to 15. Level 1
                   is normal user EXEC mode privileges. The default level
                   is 15 (privileged EXEC mode privileges).
                 - For password, specify a string from 1 to 25
                   alphanumeric characters. The string cannot start with a
                   number, is case sensitive, and allows spaces but ignores
                   leading spaces. By default, no password is defined.
                 - (Optional) For encryption-type, only type 5, a Cisco
                   proprietary encryption algorithm, is available. If you
                   specify an encryption type, you must provide an
                   encrypted password: an encrypted password you copy
                   from another Catalyst 2950 switch configuration.
                 Note: If you specify an encryption type and then enter a
                 clear text password, you cannot re-enter privileged
                 EXEC mode. You cannot recover a lost encrypted
                 password by any method.

Step 3  Command: service password-encryption
        Purpose: (Optional) Encrypt the password when the password is
                 defined or when the configuration is written.
                 Encryption prevents the password from being readable in the
                 configuration file.

Step 4  Command: end
        Purpose: Return to privileged EXEC mode.

Step 5  Command: copy running-config startup-config
        Purpose: (Optional) Save your entries in the configuration file.
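
The following Python script is an added example, not part of the Cisco guide: it audits a saved configuration file against the rules in this section (default level 15, enable secret taking precedence over enable password, clear-text enable password lines, service password-encryption). The function name, finding codes and sample configuration are constructed for illustration.

```python
import re

# Syntax from the steps above: enable {password | secret} [level N] [type] string
ENABLE_RE = re.compile(r"^enable (password|secret)(?: level (\d+))?(?: (\d+))? (.+)$")

def audit_enable(config_text):
    """Return a list of (level, finding) tuples for one configuration file."""
    levels = {}          # privilege level -> {"password": type, "secret": type}
    service_encryption = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "service password-encryption":   # "no service ..." does not match
            service_encryption = True
        m = ENABLE_RE.match(line)
        if not m:
            continue
        kind, level, etype, _value = m.groups()
        level = int(level) if level else 15          # default level is 15
        # A password cannot start with a number, so a leading numeric token
        # is the encryption type; no token means the string is clear text (0).
        levels.setdefault(level, {})[kind] = int(etype) if etype else 0

    findings = []
    for level, kinds in sorted(levels.items()):
        if "secret" not in kinds:
            findings.append((level, "NO_ENABLE_SECRET"))
        elif "password" in kinds:
            # enable secret takes precedence, so this line has no effect
            findings.append((level, "PASSWORD_SUPERSEDED"))
        if kinds.get("password") == 0:
            findings.append((level, "CLEARTEXT_PASSWORD"))
        if kinds.get("secret", 5) != 5:
            findings.append((level, "SECRET_NOT_TYPE_5"))
    if not service_encryption and any(k.get("password") == 0 for k in levels.values()):
        findings.append((None, "NO_SERVICE_PASSWORD_ENCRYPTION"))
    return findings

# Constructed sample configuration; the hash strings are placeholders, not real hashes.
SAMPLE = """\
no service password-encryption
enable secret 5 $1$EXMP$ConstructedPlaceholder0000
enable password level 2 lab pass
enable secret level 7 5 $1$EXMP$ConstructedPlaceholder1111
enable password level 7 oldpass
"""

if __name__ == "__main__":
    for level, finding in audit_enable(SAMPLE):
        print(level, finding)
```

A finding with level None applies to the whole file rather than to one privilege level.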