Security Configuration
Configuring Authentication
To enter an encryption type with the enable secret command, perform the following steps:
Step 1 From within global configuration mode, enter the enable secret command, followed by
the cleartext password that you will use to gain access to privileged EXEC mode. Do not
specify an encryption type.
Step 2 Exit from global configuration mode and enter the command show running-config to
view the encrypted version of the password. The following example illustrates these first
two steps:
2511(config)# enable secret mypassword
2511(config)# exit
2511# show running-config
Building configuration...
Current configuration:
!
version 12.0
! some of the configuration skipped
enable secret 5 $1$h7dd$VTNs4.BAfQMUU0Lrvw6570
! the rest of the configuration skipped
Step 3 At this point, select and copy the encrypted password following enable secret 5 in the
configuration output ($1$h7dd$VTNs4.BAfQMUU0Lrvw6570).
Step 4 Enter global configuration mode and enter the enable secret command, followed by the
encryption type (5 is the only valid encryption type for enable secret), then paste in the
encrypted version of the password, as shown in the following example:
2511(config)# enable secret 5 $1$h7dd$VTNs4.BAfQMUU0Lrvw6570
Step 5 Exit from global configuration mode and copy the running configuration to NVRAM.
2511(config)# exit
2511# copy running-config startup-config
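The paste in Step 4 can go wrong when the copied string is truncated or when a cleartext password is typed after the 5. The following check is an added example, not part of the original Cisco procedure: it scans configuration text for enable secret lines and classifies each one. The function name, verdict labels, and all sample lines other than the password and hash shown above are assumptions made for illustration.

```python
import re

# Type 5 secrets are MD5-crypt strings: $1$<salt>$<22-character digest>,
# with salt and digest drawn from the crypt alphabet ./0-9A-Za-z.
TYPE5 = re.compile(r"\$1\$[./0-9A-Za-z]{1,8}\$[./0-9A-Za-z]{22}")
# Optional "hostname(config)# " prompt, then: enable secret [type] <value>
ENABLE = re.compile(r"(?:\S+\(config\)#\s*)?enable secret(?: (\d+))? (\S+)")


def audit_enable_secret(text):
    """Return (line_number, verdict) for each enable secret line in text."""
    findings = []
    for number, line in enumerate(text.splitlines(), 1):
        match = ENABLE.fullmatch(line.strip())
        if match is None:
            continue
        enc_type, value = match.groups()
        if enc_type is None:
            verdict = "cleartext"         # Step 1 form: password readable in the file
        elif enc_type != "5":
            verdict = "unsupported-type"  # the procedure accepts only type 5 here
        elif TYPE5.fullmatch(value):
            verdict = "ok"                # well-formed; does not prove it matches the password
        else:
            verdict = "malformed"         # truncated copy, or cleartext typed after "5"
        findings.append((number, verdict))
    return findings


# Constructed sample: lines 1 and 2 reuse the values from the steps above,
# lines 3 to 5 are made-up failure cases.
SAMPLE = """\
2511(config)# enable secret mypassword
enable secret 5 $1$h7dd$VTNs4.BAfQMUU0Lrvw6570
enable secret 5 $1$h7dd$VTNs4.BAfQMUU0Lrvw
enable secret 5 mypassword
enable secret 7 PLACEHOLDER
"""

if __name__ == "__main__":
    for number, verdict in audit_enable_secret(SAMPLE):
        print(number, verdict)
```

Run it over a change script before pasting into global configuration mode; any line not reported as ok should be corrected before Step 5 saves the configuration to NVRAM.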
You can also specify additional protection for privileged EXEC mode, including the following:
Privilege levels for Cisco IOS commands
Privileged EXEC passwords for different privilege levels
Privilege levels for specific lines on the access server
Password encryption using service password-encryption
For more information about these security tools, refer to the Security Configuration Guide in the
Cisco IOS configuration guides and command references documentation.
Enabling Communication between the Access Server and the Security Server
This section describes the Cisco IOS software commands that enable the access server to
communicate with a security server. This process is similar for communicating with TACACS+ and
RADIUS servers, and the following sections describe the process.
If you are using local authentication, you can refer to the section “Enabling AAA Globally on the
Access Server.”
If you are using a remote security server for authentication and authorization, you must configure
the security server before performing the tasks described in this chapter. The section “Security
Configuration Examples” at the end of this chapter shows some typical TACACS+ and RADIUS
server entries corresponding to the access server security configurations.