8-3
Catalyst 2928 Switch Software Configuration Guide
OL-23389-01
Chapter 8 Configuring Switch-Based Authentication
Protecting Access to Privileged EXEC Commands
Setting or Changing a Static Enable Password
The enable password controls access to the privileged EXEC mode. Beginning in privileged EXEC
mode, follow these steps to set or change a static enable password:
To remove the password, use the
no enable password
global configuration command.
This example shows how to change the enable password to
l1u2c3k4y5
. The password is not encrypted
and provides access to level 15 (traditional privileged EXEC mode access):
Switch(config)#
enable password l1u2c3k4y5
Protecting Enable and Enable Secret Passwords with Encryption
To provide an additional layer of security, particularly for passwords that cross the network or that are
stored on a Trivial File Transfer Protocol (TFTP) server, you can use either the
enable password
or
enable secret
global configuration commands. Both commands accomplish the same thing; that is, you
can establish an encrypted password that users must enter to access privileged EXEC mode (the default)
or any privilege level you specify.
We recommend that you use the
enable secret
command because it uses an improved encryption
algorithm.
If you configure the
enable secret
command, it takes precedence over the
enable password
command;
the two commands cannot be in effect simultaneously.
Command
Purpose
Step 1
configure terminal
Enter global configuration mode.
Step 2
enable password
password
Define a new password or change an existing password for access to
privileged EXEC mode.
By default, no password is defined.
For
password
, specify a string from 1 to 25 alphanumeric characters. The
string cannot start with a number, is case sensitive, and allows spaces but
ignores leading spaces. It can contain the question mark (?) character if
you precede the question mark with the key combination Crtl-v when you
create the password; for example, to create the password abc?123, do this:
Enter
abc
.
Enter
Crtl-v
.
Enter
?123
.
When the system prompts you to enter the enable password, you need not
precede the question mark with the Ctrl-v; you can simply enter abc?123
at the password prompt.
Step 3
end
Return to privileged EXEC mode.
Step 4
show running-config
Verify your entries.
Step 5
copy running-config startup-config
(Optional) Save your entries in the configuration file.
The enable password is not encrypted and can be read in the switch
configuration file.