Setting Tacacs+ Password Protection For Privileged Exec Mode; Encrypting Passwords - Cisco WS-SUP32-GE-3B - Supervisor Engine 32 Software Configuration Manual

Software configuration guide

Protecting Access to Privileged EXEC Commands

Setting TACACS+ Password Protection for Privileged EXEC Mode

For complete information about TACACS+, refer to these publications:

- Cisco IOS Security Configuration Guide, Release 12.2, "Authentication, Authorization, and Accounting (AAA)," at this URL:
  http://www.cisco.com/en/US/docs/ios/12_2/security/configuration/guide/scfaaa.html
- Cisco IOS Security Command Reference, Release 12.2, at this URL:
  http://www.cisco.com/en/US/docs/ios/12_2/configfun/command/reference/ffun_r.html

To set the TACACS+ protocol to determine whether or not a user can access privileged EXEC mode, perform this task:

Command: Router(config)# enable use-tacacs
Purpose: Sets the TACACS-style user ID and password-checking mechanism for the privileged EXEC mode.

When you set TACACS password protection at the privileged EXEC mode, the enable EXEC command prompts for both a new username and a password. This information is then sent to the TACACS+ server for authentication. If you are using the extended TACACS+, it also sends any existing UNIX user identification code to the TACACS+ server.

Caution: If you enter the enable use-tacacs command, you must also enter tacacs-server authenticate enable, or you are locked out of the privileged EXEC mode.

Note: When used without extended TACACS, the enable use-tacacs command allows anyone with a valid username and password to access the privileged EXEC mode, creating a potential security problem. This problem occurs because the switch cannot tell the difference between a query resulting from entering the enable command and an attempt to log in without extended TACACS.

Encrypting Passwords

Because protocol analyzers can examine packets (and read passwords), you can increase access security by configuring the Cisco IOS software to encrypt passwords. Encryption prevents the password from being readable in the configuration file.

To configure the Cisco IOS software to encrypt passwords, perform this task:

Command: Router(config)# service password-encryption
Purpose: Encrypts a password.

Encryption occurs when the current configuration is written or when a password is configured. Password encryption is applied to all passwords, including authentication key passwords, the privileged command password, console and virtual terminal line access passwords, and Border Gateway Protocol (BGP) neighbor passwords. The service password-encryption command keeps unauthorized individuals from viewing your password in your configuration file.

Catalyst Supervisor Engine 32 PISA Cisco IOS Software Configuration Guide, Release 12.2ZY
Chapter 3
Configuring the Switch for the First Time
OL-11439-03
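
The Caution and Note under "Setting TACACS+ Password Protection for Privileged EXEC Mode" and the "Encrypting Passwords" section can be checked against a saved configuration. The Python audit below is an added example, not part of the Cisco guide: the function name and both sample configurations are constructed here. It also assumes two pieces of IOS syntax that do not appear on this page: that extended TACACS is enabled with tacacs-server extended, and that encrypted passwords are stored with a leading type marker 7.

```python
import re

# Constructed sample configurations (not taken from a real device).
SAMPLE = """\
hostname Router
enable use-tacacs
enable password example-enable
router bgp 65000
 neighbor 192.0.2.1 password example-bgp
line vty 0 4
 password 7 0000000000
"""
FIXED = """\
service password-encryption
enable use-tacacs
tacacs-server authenticate enable
tacacs-server extended
line vty 0 4
 password 7 0000000000
"""

# 'password' followed by anything other than a type-7 marker (assumed syntax).
CLEARTEXT = re.compile(r"\bpassword\s+(?!7\s)\S.*")

def audit_ios_config(text):
    """Return (check_id, detail) findings for an IOS configuration string."""
    lines = [ln.strip() for ln in text.splitlines()]
    active = {ln for ln in lines if ln and not ln.startswith(("!", "no "))}
    findings = []
    if "enable use-tacacs" in active:
        # Caution in the guide: without this command, enable locks you out.
        if "tacacs-server authenticate enable" not in active:
            findings.append(("LOCKOUT", "tacacs-server authenticate enable is missing"))
        # Note in the guide: without extended TACACS any valid user can enable.
        if "tacacs-server extended" not in active:
            findings.append(("ANY_USER_ENABLE", "extended TACACS is not configured"))
    if "service password-encryption" not in active:
        findings.append(("NO_ENCRYPTION", "service password-encryption is not set"))
    for number, line in enumerate(lines, 1):
        if line in active and CLEARTEXT.search(line):
            # Report the location but never echo the secret itself.
            redacted = CLEARTEXT.sub("password <redacted>", line)
            findings.append(("CLEARTEXT", f"line {number}: {redacted}"))
    return findings

if __name__ == "__main__":
    for check_id, detail in audit_ios_config(SAMPLE):
        print(f"{check_id:16} {detail}")
```

Findings carry the line number and a redacted copy of the line, so the audit output can be shared without exposing the passwords it flags.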
