8-7
Catalyst 2928 Switch Software Configuration Guide
OL-23389-01
Chapter 8 Configuring Switch-Based Authentication
Protecting Access to Privileged EXEC Commands
Beginning in privileged EXEC mode, follow these steps to establish a username-based authentication
system that requests a login username and a password:
To disable username authentication for a specific user, use the
no username
name
global configuration
command. To disable password checking and allow connections without a password, use the
no login
line configuration command.
Configuring Multiple Privilege Levels
By default, the Cisco IOS software has two modes of password security: user EXEC and privileged
EXEC. You can configure up to 16 hierarchical levels of commands for each mode. By configuring
multiple passwords, you can allow different sets of users to have access to specified commands.
For example, if you want many users to have access to the
clear line
command, you can assign it
level 2 security and distribute the level 2 password fairly widely. But if you want more restricted access
to the
configure
command, you can assign it level 3 security and distribute that password to a more
restricted group of users.
These sections contain this configuration information:
•
Setting the Privilege Level for a Command, page 8-8
•
Changing the Default Privilege Level for Lines, page 8-9
•
Logging into and Exiting a Privilege Level, page 8-9
Command
Purpose
Step 1
configure terminal
Enter global configuration mode.
Step 2
username
name
[
privilege
level
]
{
password
encryption-type
password
}
Enter the username, privilege level, and password for each user.
•
For
name
, specify the user ID as one word. Spaces and quotation
marks are not allowed.
•
(Optional) For
level
, specify the privilege level the user has after
gaining access. The range is 0 to 15. Level 15 gives privileged EXEC
mode access. Level 1 gives user EXEC mode access.
•
For
encryption-type
, enter 0 to specify that an unencrypted password
will follow. Enter 7 to specify that a hidden password will follow.
•
For
password
, specify the password the user must enter to gain access
to the switch. The password must be from 1 to 25 characters, can
contain embedded spaces, and must be the last option specified in the
username
command.
Step 3
line console 0
or
line vty 0 15
Enter line configuration mode, and configure the console port (line 0) or
the VTY lines (line 0 to 15).
Step 4
login local
Enable local password checking at login time. Authentication is based on
the username specified in Step 2.
Step 5
end
Return to privileged EXEC mode.
Step 6
show running-config
Verify your entries.
Step 7
copy running-config startup-config
(Optional) Save your entries in the configuration file.