Chapter 9
Configuring Switch-Based Authentication
Setting or Changing a Static Enable Password
The enable password controls access to the privileged EXEC mode. Beginning in privileged EXEC
mode, follow these steps to set or change a static enable password:
Command
Step 1
configure terminal
Step 2
enable password password
Step 3
end
Step 4
show running-config
Step 5
copy running-config startup-config
To remove the password, use the no enable password global configuration command.
This example shows how to change the enable password to l1u2c3k4y5. The password is not encrypted
and provides access to level 15 (traditional privileged EXEC mode access):
Switch(config)# enable password l1u2c3k4y5
Protecting Enable and Enable Secret Passwords with Encryption
To provide an additional layer of security, particularly for passwords that cross the network or that are
stored on a Trivial File Transfer Protocol (TFTP) server, you can use either the enable password or
enable secret global configuration commands. Both commands accomplish the same thing; that is, you
can establish an encrypted password that users must enter to access privileged EXEC mode (the default)
or any privilege level you specify.
We recommend that you use the enable secret command because it uses an improved encryption
algorithm.
If you configure the enable secret command, it takes precedence over the enable password command;
the two commands cannot be in effect simultaneously.
OL-26520-01
Purpose
Enter global configuration mode.
Define a new password or change an existing password for access to
privileged EXEC mode.
By default, no password is defined.
For password, specify a string from 1 to 25 alphanumeric characters. The
string cannot start with a number, is case sensitive, and allows spaces but
ignores leading spaces. It can contain the question mark (?) character if
you precede the question mark with the key combination Crtl-v when you
create the password; for example, to create the password abc?123, do this:
Enter abc.
Enter Crtl-v.
Enter ?123.
When the system prompts you to enter the enable password, you need not
precede the question mark with the Ctrl-v; you can simply enter abc?123
at the password prompt.
Return to privileged EXEC mode.
Verify your entries.
(Optional) Save your entries in the configuration file.
The enable password is not encrypted and can be read in the switch
configuration file.
Catalyst 2960 and 2960-S Switches Software Configuration Guide, Release 15.0(1)SE
Protecting Access to Privileged EXEC Commands
9-3