Terminal Access Security Commands

This chapter describes the function and displays the syntax of commands used to control access to the network. For more information about defaults and usage guidelines, see the corresponding chapter of the Security Command Reference.

enable

To log onto the router at a specified level, use the enable EXEC command.

enable [level]
level (Optional) Privilege level to log in to on the router. The default is level 15.

enable password

Use the enable password global configuration command to set a local password to control access to various privilege levels. Use the no form of this command to remove the password requirement.

enable password [level level] {password}
enable password [level level] {encryption-type encrypted-password}
no enable password [level level]
level level (Optional) Level for which the password applies. You can specify up to 16 privilege levels, using numbers 0 through 15. Level 1 is normal EXEC-mode user privileges. If this argument is not specified, the privilege level defaults to 15 (traditional enable privileges). The same holds true for the no form of the command.
password The enable password password as you would type it when enabling. This password should be different from the password created with the enable secret command. If you have the service password-encryption flag set, when the router displays the password for you later it will be displayed encrypted (an encrypted form of what you typed).
encryption-type (Optional) The Cisco proprietary algorithm used to encrypt the password. Currently the only encryption type available is 7. If you specify encryption-type, the next argument you supply must be an encrypted password (a password already encrypted by a Cisco router).
encrypted-password An encrypted password you enter, copied from another router configuration.

enable secret

Use the enable secret command to specify an additional layer of security over the enable password command. Use the no form of the command to turn off the enable secret function.

enable secret [level level] {password | encryption-type encrypted-password}
no enable secret [level level]
level level (Optional) Level for which the password applies. You can specify up to 16 privilege levels, using numbers 0 through 15. Level 1 is normal EXEC-mode user privileges. If this argument is not specified, the privilege level defaults to 15 (traditional enable privileges). The same holds true for the no form of the command.
password The enable secret password--the password you would type when enabling. This password should be different from the password created with the enable password command. When the router displays the password for you later, it will be displayed encrypted (an encrypted form of what you typed).
encryption-type (Optional) The Cisco proprietary algorithm used to encrypt the password. Currently the only encryption type available for this command is 5. If you specify encryption-type, the next argument you supply must be an encrypted password (a password encrypted by a Cisco router).
encrypted-password An encrypted password you enter, copied from another router configuration.

ip identd

To enable identification support, use the ip identd global configuration command. Use the no form of this command to disable this feature.

ip identd
no ip identd

login authentication

To enable TACACS+ authentication for logins, use the login authentication line configuration command. Use the no form of this command to either disable TACACS+ authentication for logins or to return to the default.

login authentication {default | list-name}
no login authentication {default | list-name}
default Uses the default list created with the aaa authentication login command.
list-name Uses the indicated list created with the aaa authentication login command.

privilege level (global)

To set the privilege level for a command, use the privilege level global configuration command. Use the no form of this command to revert to default privileges for a given command.

privilege mode level level command
no privilege mode level level command
mode Configuration mode.
level Privilege level to be associated with the specified command. You can specify up to 16 privilege levels, using numbers 0 through 15. Level 15 is the level of access permitted by the enable password. Level 1 is normal EXEC-mode user privileges.
command Command to which privilege level is associated.

privilege level (line)

To set the default privilege level for a line, use the privilege level line configuration command. Use the no form of this command to restore the default user privilege level to the line.

privilege level level
no privilege level
level Privilege level to be associated with the specified line. Level 15 is the level of access permitted by the enable password. Level 1 is normal EXEC-mode user privileges.

service password-encryption

To encrypt passwords, use the service password-encryption global configuration command. Use the no form of this command to disable this service.

service password-encryption
no service password-encryption
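Added example, not part of this Cisco reference: a small Python check, run over constructed configuration fragments, that flags the weak settings the enable password, enable secret and service password-encryption entries above address: an enable password or username password stored in clear text, and a privilege level protected by enable password with no enable secret. The sample configs and the $1$PLACEHOLDER strings are constructed for this example.

```python
import re
# Constructed sample configs for this example (not from the page or a real device).
WEAK_CONFIG = """\
hostname edge1
enable password level 5 Operator5
enable password Cisc0Rtr
username helpdesk password 0 Help1234
username netops password 7 0822455D0A16
line vty 0 4
 login authentication default
"""
# Hardened form: enable secret per level, service password-encryption on.
# The $1$PLACEHOLDER strings stand in for type 5 hashes; they are not real hashes.
HARDENED_CONFIG = """\
hostname edge1
service password-encryption
enable secret level 5 5 $1$PLACEHOLDER$level5hash
enable secret 5 $1$PLACEHOLDER$level15hash
username helpdesk password 7 0822455D0A16
line vty 0 4
 login authentication default
"""

# enable {password|secret} [level N] [encryption-type] value
ENABLE_RE = re.compile(r"^enable (password|secret)(?: level (\d+))?(?: (\d))? (\S+)$")
# username name password [encryption-type] value
USER_RE = re.compile(r"^username (\S+) password(?: (\d))? (\S+)$")

def audit(config: str) -> list:
    findings = []
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    encrypt_service = "service password-encryption" in lines
    enable = {}  # privilege level -> set of kinds seen ("password" / "secret")
    for line in lines:
        m = ENABLE_RE.match(line)
        if m:
            kind, level, enc_type, _ = m.groups()
            level = int(level) if level else 15  # level defaults to 15
            enable.setdefault(level, set()).add(kind)
            if kind == "password" and enc_type != "7" and not encrypt_service:
                findings.append(f"enable password for level {level} is stored in clear text")
            continue
        m = USER_RE.match(line)
        if m and m.group(2) in (None, "0") and not encrypt_service:
            findings.append(f"username {m.group(1)} password is stored in clear text")
    for level, kinds in sorted(enable.items()):
        if "password" in kinds and "secret" not in kinds:
            findings.append(f"level {level} relies on enable password only; no enable secret set")
    return findings
```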

show privilege

To display your current level of privilege, use the show privilege EXEC command.

show privilege

username

To establish a username-based authentication system, enter the username global configuration command.

username name [nopassword | password password [encryption-type encrypted-password]]
username name password secret
username name [access-class number]
username name [autocommand command]
username name [callback-dialstring telephone-number]
username name [callback-rotary rotary-group-number]
username name [callback-line [tty] line-number [ending-line-number]]
username name [nocallback-verify]
username name [noescape] [nohangup]
name Host name, server name, user ID, or command name. The name argument can only be one word. White spaces and quotation marks are not allowed.
nopassword No password is required for this user to log in. This is usually most useful in combination with the autocommand keyword.
password Specifies a possibly encrypted password for this username.
password Password a user enters.
encryption-type (Optional) A single-digit number that defines whether the text immediately following is encrypted, and, if so, what type of encryption is used. Currently defined encryption types are 0, which means that the text immediately following is not encrypted, and 7, which means that the text is encrypted using a Cisco defined encryption algorithm.
encrypted-password Encrypted password a user enters.
password (Optional) Password to access the name argument. A password must be from 1 to 25 characters, can contain embedded spaces, and must be the last option specified in the username command.
secret For CHAP authentication: specifies the secret for the local router or the remote device. The secret is encrypted when it is stored on the local router. This prevents the secret from being stolen. The secret can consist of any string of up to 11 printable ASCII characters. There is no limit to the number of username/password combinations that can be specified, allowing any number of remote devices to be authenticated.
access-class (Optional) Specifies an outgoing access list that overrides the access list specified in the access-class line configuration command. It is used for the duration of the user's session.
number (Optional) The access list number.
autocommand (Optional) Causes the specified command to be issued automatically after the user logs in. When the command is complete, the session is terminated. Because the command can be any length and contain embedded spaces, commands using the autocommand keyword must be the last option on the line.
command The command string.
callback-dialstring (Optional) For asynchronous callback only. Permits you to specify a telephone number to pass to the DCE device.
telephone-number For asynchronous callback only. The telephone number to pass to the DCE device.
callback-rotary (Optional) For asynchronous callback only. Permits you to specify a rotary group number. The next available line in the rotary group is selected.
rotary-group-number For asynchronous callback only. Integer between 1 and 100 that identifies the group of lines on which you want to enable a specific username for callback.
callback-line (Optional) For asynchronous callback only. Specific line on which you enable a specific username for callback.
tty (Optional) For asynchronous callback only. Standard asynchronous line.
line-number For asynchronous callback only. The relative number of the terminal line (or the first line in a contiguous group) on which you want to enable a specific username for callback. Numbering begins with zero.
ending-line-number (Optional) The relative number of the last line in a contiguous group on which you want to enable a specific username for callback. If you omit the keyword (such as tty), then line-number and ending-line-number are absolute rather than relative line numbers.
nocallback-verify (Optional) Authentication not required for exec callback on the specified line.
noescape (Optional) Prevents a user from using an escape character on the host to which that user is connected.
nohangup (Optional) Prevents the communication server from disconnecting the user after an automatic command (set up with the autocommand keyword) has completed. Instead, the user gets another login prompt.

Copyright 1989-1997 © Cisco Systems Inc.