07-18-2023 06:05 AM
Hi All,
I have one enable password.
The command is:
(config)# enable password...
Is there any option to configure a second enable password on the switch?
Thanks for your help
07-19-2023 10:47 AM
No, you can configure only one enable password on the SW/R.
07-19-2023 11:32 AM
If you authenticate against a TACACS server like Cisco ISE, every admin can have a separate enable password.
07-19-2023 11:35 AM
Can I see an example for this case? I haven't seen such a config before.
thanks
MHM
07-19-2023 01:22 PM
aaa new-model
aaa authentication login default group tacacs
aaa authentication enable default group tacacs
07-19-2023 02:19 PM
First, thanks a lot for this new info.
So:
If we don't use TACACS there is only ONE enable password.
If we use TACACS there are two behaviors: if the user has privilege 15, then the login password is the same as the enable password; if the user does not have privilege 15, it needs an enable password, and we can configure it with the field you mention.
What I find more interesting is that, if you use TACACS, the user can change the enable password if auto-enable is configured.
Thanks again
Have a nice summer
MHM
07-19-2023 06:58 PM
hi,
if you're using AAA/TACACS then you don't need the 'enable' command.
you'll use it when AAA fails and as a fall back.
you also want to "standardize" the enable PW if you're managing several switches.
07-19-2023 11:48 PM
@johnlloyd_13 wrote:
hi,
if you're using AAA/TACACS then you don't need the 'enable' command.
This is not dependent on whether AAA/TACACS is used or not. Any form of AAA (local or centralized) can be done with or without an enable password. It's all about the defined requirement for the login process and which config fits the environment best.
07-19-2023 11:33 PM
Thanks A lot guys.
Can I configure Active Directory with C1000 Switch and AD will provide enable password for every user?
07-19-2023 11:45 PM
No, this is not possible if you authenticate directly against your Windows server (which is then typically done with RADIUS).
07-19-2023 11:49 PM
Ok.
Thanks
07-21-2023 03:22 PM
If you configure the switch to authenticate with Active Directory using the RADIUS services in AD (NPS), you can configure it in such a way that admins are put into enable/privilege level 15 after logging in, eliminating the requirement for them to know the enable password.
That way each admin has their own credentials when logging into the device, and no password needs to be shared between them.
Of course there are different security aspects between RADIUS and TACACS+ packets, including how much of the packet is encrypted.
This can also be achieved using local users on the device, for example with the following commands:
aaa authorization exec default local if-authenticated
username jimmy privilege 15 secret <...>
If you google "Authentication Authorization and Accounting Configuration Guide Cisco IOS" you can find guides for both IOS and IOS-XE which explain this in more detail.
Another thing I would like to point out is that you mention in the original post that the command you plan on using is:
"enable password <...>"
On IOS appliances this generates a password that can either be seen in the config in clear text or obfuscated in a way that's easily reversible.
A better approach is to use the following command:
"enable secret <...>"
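The points raised across this thread (delegating enable authentication to TACACS+, using local users with privilege 15, and preferring 'enable secret' over 'enable password') can be checked mechanically against a running-config. The following Python linter is an added example and is not from any poster in the thread or from Cisco; the config excerpt it scans is constructed for illustration, and every hostname, username, and type 7 / type 9 string in it is a placeholder, not a real credential.

```python
"""Lint an IOS/IOS-XE config excerpt for enable-password hygiene (added example)."""
import re
from dataclasses import dataclass

# Constructed sample running-config excerpt; all names and credential strings
# are placeholders invented for this example.
SAMPLE_CONFIG = """\
hostname C1000-LAB
!
enable password 7 PLACEHOLDER_TYPE7_STRING
!
username jimmy privilege 15 password 0 PLACEHOLDER_CLEARTEXT
username alice privilege 15 secret 9 $9$PLACEHOLDER_TYPE9_HASH
!
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ if-authenticated
"""


@dataclass
class Finding:
    severity: str   # HIGH, MEDIUM or INFO
    line: str       # the config line that triggered the finding
    message: str


def audit_enable_config(config_text: str) -> list[Finding]:
    """Return findings about enable/local credential handling, in config order."""
    findings: list[Finding] = []
    has_enable_password = has_enable_secret = has_new_model = False
    enable_via_tacacs = False

    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("enable password"):
            has_enable_password = True
            findings.append(Finding("HIGH", line,
                "'enable password' is stored in clear text or reversible type 7 "
                "encoding; replace it with 'enable secret'"))
        elif line.startswith("enable secret"):
            has_enable_secret = True
        elif line == "aaa new-model":
            has_new_model = True
        elif line.startswith("aaa authentication enable default"):
            # Method list follows 'aaa authentication enable default'
            methods = line.split()[4:]
            if any(m.startswith("tacacs") for m in methods):
                enable_via_tacacs = True
                findings.append(Finding("INFO", line,
                    "enable authentication is delegated to TACACS+, so each admin "
                    "can have an individual enable password on the AAA server"))
        else:
            m = re.match(r"username (\S+)(?: privilege (\d+))? (password|secret)\b", line)
            if m and m.group(3) == "password":
                who, priv = m.group(1), m.group(2) or "1"
                sev = "HIGH" if priv == "15" else "MEDIUM"
                findings.append(Finding(sev, line,
                    f"local user '{who}' (privilege {priv}) uses 'password'; "
                    "use 'username ... secret' so the stored hash is not reversible"))

    if has_enable_password and has_enable_secret:
        findings.append(Finding("MEDIUM", "enable password",
            "both 'enable password' and 'enable secret' are set; the secret is "
            "the one used, so the 'enable password' line only leaks a credential"))
    if enable_via_tacacs and not has_new_model:
        findings.append(Finding("HIGH", "aaa authentication enable",
            "AAA method lists have no effect without 'aaa new-model'"))
    return findings


if __name__ == "__main__":
    for f in audit_enable_config(SAMPLE_CONFIG):
        print(f"[{f.severity}] {f.line}\n    {f.message}")
```

Feed it a saved `show running-config` and it flags every `enable password` and every local `username ... password` line, while leaving `enable secret` and `username ... secret` alone; the INFO line confirms the per-admin enable path via TACACS+ that the thread describes.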