|
|
This chapter describes the function and displays the syntax for password protection and privilege level commands. For more information about defaults and usage guidelines, see the corresponding chapter of the Security Command Reference.
To log on to the router at a specified level, use the enable EXEC command.
enable [level]| level | (Optional) Defines the privilege level that a user logs in to on the router. |
To set a local password to control access to various privilege levels, use the enable password global configuration command. Use the no form of this command to remove the password requirement.
enable password [level level] {password | encryption-type encrypted-password}| level level | (Optional) Level for which the password applies. You can specify up to 16 privilege levels, using numbers 0 through 15. Level 1 is normal EXEC-mode user privileges. If this argument is not specified in the command or the no form of the command, the privilege level defaults to 15 (traditional enable privileges). |
| password | Password users type to enter enable mode. |
| encryption-type | (Optional) Cisco-proprietary algorithm used to encrypt the password. Currently the only encryption type available is 7. If you specify encryption-type, the next argument you supply must be an encrypted password (a password already encrypted by a Cisco router). |
| encrypted-password | Encrypted password you enter, copied from another router configuration. |
To specify an additional layer of security over the enable password command, use the enable secret global configuration command. Use the no form of this command to turn off the enable secret function.
enable secret [level level] {password | encryption-type encrypted-password}| level level | (Optional) Level for which the password applies. You can specify up to sixteen privilege levels, using numbers 0 through 15. Level 1 is normal EXEC-mode user privileges. If this argument is not specified in the command or in the no form of the command, the privilege level defaults to 15 (traditional enable privileges). The same holds true for the no form of the command. |
| password | Password for users to enter enable mode. This password should be different from the password created with the enable password command. |
| encryption-type | (Optional) Cisco-proprietary algorithm used to encrypt the password. Currently the only encryption type available for this command is 5. If you specify encryption-type, the next argument you supply must be an encrypted password (a password encrypted by a Cisco router). |
| encrypted-password | Encrypted password you enter, copied from another router configuration. |
To enable identification support, use the ip identd global configuration command. Use the no form of this command to disable this feature.
ip identdTo specify a password on a line, use the password line configuration command. Use the no form of this command to remove the password.
password password| password | Character string that specifies the line password. The first character cannot be a number. The string can contain any alphanumeric characters, including spaces, up to 80 characters. You cannot specify the password in the format number-space-anything. The space after the number causes problems. For example, hello 21 is a legal password, but 21 hello is not. The password checking is case sensitive. For example, the password Secret is different than the password secret. |
To set the privilege level for a command, use the privilege level global configuration command. Use the no form of this command to revert to default privileges for a given command.
privilege mode level level command| mode | Configuration mode. |
| level | Privilege level associated with the specified command. You can specify up to sixteen privilege levels, using numbers 0 through 15. |
| command | Command to which privilege level is associated. |
To set the default privilege level for a line, use the privilege level line configuration command. Use the no form of this command to restore the default user privilege level to the line.
privilege level level| level | Privilege level associated with the specified line. |
To encrypt passwords, use the service password-encryption global configuration command. Use the no form of this command to disable this service.
service password-encryptionTo display your current level of privilege, use the show privilege EXEC command.
show privilegeTo establish a username-based authentication system, enter the username global configuration command.
username name {nopassword | password password [encryption-type encrypted-password]}| name | Host name, server name, user ID, or command name. The name argument can be only one word. White spaces and quotation marks are not allowed. |
| nopassword | No password is required for this user to log in. This is usually most useful in combination with the autocommand keyword. |
| password | Specifies a possibly encrypted password for this username. |
| password | Password a user enters. |
| encryption-type | (Optional) Single-digit number that defines whether the text immediately following is encrypted, and, if so, what type of encryption is used. Currently defined encryption types are 0, which means that the text immediately following is not encrypted, and 7, which means that the text is encrypted using a Cisco-defined encryption algorithm. |
| encrypted-password | Encrypted password a user enters. |
| password | (Optional) Password to access the name argument. A password must be from 1 to 25 characters, can contain embedded spaces, and must be the last option specified in the username command. |
| secret | For CHAP authentication: specifies the secret for the local router or the remote device. The secret is encrypted when it is stored on the local router. The secret can consist of any string of up to 11 ASCII characters. There is no limit to the number of username and password combinations that can be specified, allowing any number of remote devices to be authenticated. |
| access-class | (Optional) Specifies an outgoing access list that overrides the access list specified in the access-class line configuration command. It is used for the duration of the user's session. |
| number | Access list number. |
| autocommand | (Optional) Causes the specified command to be issued automatically after the user logs in. When the command is complete, the session is terminated. Because the command can be any length and contain embedded spaces, commands using the autocommand keyword must be the last option on the line. |
| command | The command string. Because the command can be any length and contain embedded spaces, commands using the autocommand keyword must be the last option on the line. |
| callback-dialstring | (Optional) For asynchronous callback only: permits you to specify a telephone number to pass to the DCE device. |
| telephone-number | For asynchronous callback only: telephone number to pass to the DCE device. |
| callback-rotary | (Optional) For asynchronous callback only: permits you to specify a rotary group number. The next available line in the rotary group is selected. |
| rotary-group-number | For asynchronous callback only: integer between 1 and 100 that identifies the group of lines on which you want to enable a specific username for callback. |
| callback-line | (Optional) For asynchronous callback only: specific line on which you enable a specific username for callback. |
| tty | (Optional) For asynchronous callback only: standard asynchronous line. |
| line-number | For asynchronous callback only: relative number of the terminal line (or the first line in a contiguous group) on which you want to enable a specific username for callback. Numbering begins with zero. |
| ending-line-number | (Optional) Relative number of the last line in a contiguous group on which you want to enable a specific username for callback. If you omit the keyword (such as tty), then line-number and ending-line-number are absolute rather than relative line numbers. |
| nocallback-verify | (Optional) Authentication not required for EXEC callback on the specified line. |
| noescape | (Optional) Prevents a user from using an escape character on the host to which that user is connected. |
| nohangup | (Optional) Prevents the security server from disconnecting the user after an automatic command (set up with the autocommand keyword) has completed. Instead, the user gets another login prompt. |
| privilege | (Optional) Sets the privilege level for the user. |
| level | (Optional) Number between 0 and 15 that specifies the privilege level for the user. |
|
|