Filter
Top Products
7-5
Cisco ME 3400 Ethernet Access Switch Software Configuration Guide
78-17058-01
Chapter 7 Configuring Switch-Based Authentication
Protecting Access to Privileged EXEC Commands
If both the enable and enable secret passwords are defined, users must enter the enable secret password.
Use the level keyword to define a password for a specific privilege level. After you specify the level and
set a password, give the password only to users who need to have access at this level. Use the privilege
level global configuration command to specify commands accessible at various levels. For more
information, see the “Configuring Multiple Privilege Levels” section on page 7-8.
If you enable password encryption, it applies to all passwords including username passwords,
authentication key passwords, the privileged command password, and console and virtual terminal line
passwords.
To remove a password and level, use the no enable password [level level] or no enable secret [level
level] global configuration command. To disable password encryption, use the no service
password-encryption global configuration command.
This example shows how to configure the encrypted password $1$FaD0$Xyti5Rkls3LoyxzS8 for
privilege level 2:
Switch(config)# enable secret level 2 5 $1$FaD0$Xyti5Rkls3LoyxzS8
Disabling Password Recovery
By default, any end user with physical access to the switch can recover from a lost password by
interrupting the boot process while the switch is powering on and then by entering a new password.
The password-recovery disable feature protects access to the switch password by disabling part of this
functionality. When this feature is enabled, the end user can interrupt the boot process only by agreeing
to set the system back to the default configuration. With password recovery disabled, you can still
interrupt the boot process and change the password, but the configuration file (config.text) and the
VLAN database file (vlan.dat) are deleted.
Note If you disable password recovery, we recommend that you keep a backup copy of the configuration file
on a secure server in case the end user interrupts the boot process and sets the system back to default
values. Do not keep a backup copy of the configuration file on the switch. We recommend that you also
keep a backup copy of the VLAN database file on a secure server. When the switch is returned to the
default system configuration, you can download the saved files to the switch by using the XMODEM
protocol. For more information, see the “Recovering from a Lost or Forgotten Password” section on
page 36-3.
Beginning in privileged EXEC mode, follow these steps to disable password recovery:
Command Purpose
Step 1
configure terminal Enter global configuration mode.
Step 2
no service password-recovery Disable password recovery.
This setting is saved in an area of the flash memory that is accessible by
the boot loader and the Cisco IOS image, but it is not part of the file
system and is not accessible by any user.
Step 3
end Return to privileged EXEC mode.
Step 4
show version Verify the configuration by checking the last few lines of the command
output.