Cisco Systems IE3010 Protecting Access to Privileged EXEC Commands

9-2

Cisco IE 3010 Switch Software Configuration Guide

OL-23145-01

Chapter 9 Configuring Switch-Based Authentication

Protecting Access to Privileged EXEC Commands

To prevent unauthorized access into your switch, you should configure one or more of the se security

features:

• At a minimum, you should configure passwords and privileges at each switch port. These passwords

are locally stored on the switch. When users attempt to access the switch through a port or line, they

must enter the password specified for the port or line before they can access the switch. For more

information, see the “Protecting Access to Privileged EXEC Commands” section on page 9-2.

• For an additional layer of security, you can also configure username and password pairs, which are

locally stored on the switch. These pairs are assigned to lines or ports and authenticate each user

before that user can access the switch. If you have defined privilege levels, you can also assign a

specific privilege level (with associated rights and privileges) to each username and password pair.

For more information, see the “Configuring Username and Password Pairs” section on page 9-7.

• If you want to use username and password pairs, but you want to store them centrally on a server

instead of locally, you can store them in a database on a security server. Multiple networking devices

can then use the same database to obtain user authentic ation (and, if necessary, authorization)

information. For more information, see the “Controlling Switch Access with TACACS+” section on

page 9-10.

• You can also enable the login enhancements feature, which logs both failed and unsuccessful login

attempts. Login enhancements can also be configured to block future login attempts after a set

number of unsuccessful attempts are made. For more information, see t he Cisco IOS Login

Enhancements documentation at this URL:

http://www.cisco.com/en/US/docs/ios/12_3t/12_3t4/feature/guide/gt_login.html

Protecting Access to Privileged EXEC Commands

A simple way of providing terminal access control in your network is to use passwords and assign

privilege levels. Password protection restricts access to a network or network device. Privilege levels

define what commands users can enter after they have logged into a network device.

Note For complete syntax and usage information for the commands used in this section, see the Cisco IOS

Security Command Reference, Release 12.2 from the Cisco.com page u nder Documentation > Cisco

IOS Software > 12.2 Mainline > Command References.

These sections contain this configuration information:

• Default Password and Privilege Level Configuration, page 9-3

• Setting or Changing a Static Enable Password, page 9-3

• Protecting Enable and Enable Secret Passwords with Encryption, page 9-4

• Disabling Password Recovery, page 9-5

• Setting a Telnet Password for a Terminal Line, page 9-6

• Configuring Username and Password Pairs, page 9-7

• Configuring Multiple Privilege Levels, page 9-8