topic Re: 2 enable passwords - Cisco Catalyst 1000 in Network Security

2 enable passwords - Cisco Catalyst 1000

network_security — Tue, 18 Jul 2023 13:05:39 GMT

Hi All,

I have one password enable

The command is:

(config)# enable password...

There is any option to configure second enable password on the switch?

Thanks for help

Re: 2 enable passwords - Cisco Catalyst 1000

MHM Cisco World — Wed, 19 Jul 2023 17:47:19 GMT

no you can config only one password in SW/R for enable.

Re: 2 enable passwords - Cisco Catalyst 1000

Karsten Iwen — Wed, 19 Jul 2023 18:32:21 GMT

If you authenticate against a TACACS server like Cisco ISE, every admin can have a separate enable password.

Re: 2 enable passwords - Cisco Catalyst 1000

MHM Cisco World — Wed, 19 Jul 2023 18:35:32 GMT

Can I see example for this case, I dont see such config before

thanks
MHM

Re: 2 enable passwords - Cisco Catalyst 1000

Karsten Iwen — Wed, 19 Jul 2023 20:22:56 GMT

aaa new-model aaa authentication login default group tacacs aaa authentication enable default group tacacs

Re: 2 enable passwords - Cisco Catalyst 1000

MHM Cisco World — Wed, 19 Jul 2023 21:19:19 GMT

First thanks a lot for this new info

If we dont use tacacs there is only ONE enable password

If we use tacacs there is two behavior' if user have 15 privilege then login password is same as enable password' if the user not 15 privilege it need enable password and we can config with field you mention

What I find more interesting is user can if you use tacacs change enable password if auto-enable is config.

Thank again

Hace a nice summer

MHM

Re: 2 enable passwords - Cisco Catalyst 1000

johnlloyd_13 — Thu, 20 Jul 2023 01:58:54 GMT

hi,

if you're using AAA/TACACS then you don't need the 'enable' command.

you'll use it when AAA fails and as a fall back.

you also want to "standardize" the enable PW if you're managing several switches.

Re: 2 enable passwords - Cisco Catalyst 1000

network_security — Thu, 20 Jul 2023 06:33:53 GMT

Thanks A lot guys.

Can I configure Active Directory with C1000 Switch and AD will provide enable password for every user?

Re: 2 enable passwords - Cisco Catalyst 1000

Karsten Iwen — Thu, 20 Jul 2023 06:45:16 GMT

No, this is not possible if you authenticate directly to your Windows server (which is then typically done with RADIUS).

Re: 2 enable passwords - Cisco Catalyst 1000

Karsten Iwen — Thu, 20 Jul 2023 06:48:50 GMT

@johnlloyd_13 wrote:

hi,

if you're using AAA/TACACS then you don't need the 'enable' command.

This is not dependent on the usage of AAA/TACACS or not. Any way of AAA (local or centralized) can be done with or without enable password. It's all about the defined requirement for the login process and which config fits best for the environment.

Re: 2 enable passwords - Cisco Catalyst 1000

network_security — Thu, 20 Jul 2023 06:49:40 GMT

Ok.

Thanks

Re: 2 enable passwords - Cisco Catalyst 1000

Jonatan Jonasson — Fri, 21 Jul 2023 22:22:53 GMT

If you configure the switch to authenticate with Active Directory using the RADIUS services in AD (NPS), you can configure it in such a way that admins are put into enable/privilege level 15 after logging in, eliminating the requirement for them to know the enable password.

That way each admin has their own credentials when logging into the device, and no password needs to be shared between them.

Of course there are different security aspects between RADIUS and TACACS+ packets, including how much of the packet is encrypted.

This can also be achieved using local users on the device, for example with the following commands:
aaa authorization exec default local if-authenticated
username jimmy privilege 15 secret <...>

If you google for "Authentication Authorization and Accounting Configuration Guide Cisco IOS" you can find guides for both ios and ios-xe which explain this in more detail.

Another thing I would like to point out is that you mention in the original post that the command you plan on using is:
"enable password <...>"

On ios appliances this generates a password that can either be seen in the config in clear text or obfuscated in a way that's easily reversible.
A better approach is to use the following command:
"enable secret <...>"