Showing results for 
Search instead for 
Did you mean: 

2 enable passwords - Cisco Catalyst 1000

Hi All,


I have one password enable

The command is:

(config)# enable password...


There is any option to configure second enable password on the switch?

Thanks for help

11 Replies 11

no you can config only one password in SW/R for enable.

If you authenticate against a TACACS server like Cisco ISE, every admin can have a separate enable password.

Can I see example for this case, I dont see such config before 



aaa new-model
aaa authentication login default group tacacs
aaa authentication enable default group tacacs

CleanShot 2023-07-19 at 22.21.15@2x.png

First thanks a lot for this new info


If we dont use tacacs there is only ONE enable password 

If we use tacacs there is two behavior' if user have 15 privilege then login password is same as enable password' if the user not 15 privilege it need enable password and we can config with field you mention

What I find more interesting is user can if you use tacacs change enable password if auto-enable is config.

Thank again 

Hace a nice summer 


Level 9
Level 9


if you're using AAA/TACACS then you don't need the 'enable' command.

you'll use it when AAA fails and as a fall back.

you also want to "standardize" the enable PW if you're managing several switches.

@johnlloyd_13 wrote:


if you're using AAA/TACACS then you don't need the 'enable' command.

This is not dependent on the usage of AAA/TACACS or not. Any way of AAA (local or centralized) can be done with or without enable password. It's all about the defined requirement for the login process and which config fits best for the environment.

Thanks A lot guys.

Can I configure Active Directory with C1000 Switch and AD will provide enable password for every user?

No, this is not possible if you authenticate directly to your Windows server (which is then typically done with RADIUS).



If you configure the switch to authenticate with Active Directory using the RADIUS services in AD (NPS), you can configure it in such a way that admins are put into enable/privilege level 15 after logging in, eliminating the requirement for them to know the enable password.

That way each admin has their own credentials when logging into the device, and no password needs to be shared between them.

Of course there are different security aspects between RADIUS and TACACS+ packets, including how much of the packet is encrypted.

This can also be achieved using local users on the device, for example with the following commands:
aaa authorization exec default local if-authenticated
username jimmy privilege 15 secret <...>

If you google for "Authentication Authorization and Accounting Configuration Guide Cisco IOS" you can find guides for both ios and ios-xe which explain this in more detail.

Another thing I would like to point out is that you mention in the original post that the command you plan on using is:
"enable password <...>"

On ios appliances this generates a password that can either be seen in the config in clear text or obfuscated in a way that's easily reversible.
A better approach is to use the following command:
"enable secret <...>"



Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Review Cisco Networking products for a $25 gift card