Chapter 3
Configuring the Router for the First Time
When you set TACACS password protection at the privileged EXEC level, the enable EXEC command
prompts for both a new username and a password. This information is then sent to the TACACS+ server
for authentication. If you are using extended TACACS, it also sends any existing UNIX user
identification code to the TACACS+ server.
Caution: If you enter the enable use-tacacs command, you must also enter tacacs-server authenticate enable,
or you are locked out of privileged EXEC mode.
Note: When used without extended TACACS, the enable use-tacacs command allows anyone with a valid
username and password to access privileged EXEC mode, creating a potential security problem. This
problem occurs because the router cannot tell the difference between a query resulting from entering the
enable command and an attempt to log in without extended TACACS.
Encrypting Passwords
Because protocol analyzers can examine packets (and read passwords sent in clear text, for example when a
configuration is displayed over an unencrypted session or copied across the network), you can increase access
security by configuring the Cisco IOS software to encrypt passwords. Encryption prevents the password from
being readable in the configuration file.
To configure the Cisco IOS software to encrypt passwords, perform this task:

Command                                        Purpose
Router(config)# service password-encryption    Encrypts a password.
Encryption occurs when the current configuration is written or when a password is configured. Password
encryption is applied to all passwords, including authentication key passwords, the privileged command
password, console and virtual terminal line access passwords, and Border Gateway Protocol (BGP)
neighbor passwords. The service password-encryption command keeps anyone who views your configuration
file from reading the password directly (but see the caution that follows).
Caution: The service password-encryption command does not provide a high level of network security. The
scheme it applies (shown as type 7 in the configuration) is a reversible encoding, not a one-way hash, so the
original password can be recovered from the encoded string by anyone who obtains a copy of the configuration
file. If you use this command, you should also take additional network security measures: protect copies of the
configuration file, and use enable secret (which stores a one-way MD5 hash) rather than enable password for the
privileged EXEC password.
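The following script is an added example for this caution; it is not part of the Cisco guide and not Cisco's code. It implements the publicly documented type 7 scheme that service password-encryption applies (a two-digit seed followed by hex bytes, each plaintext byte XORed with one byte of a fixed, published key), and runs it over a constructed configuration fragment to show that the "encrypted" passwords are recoverable. The sample configuration, the password values in it, and the function names are assumptions made for this example.

```python
"""Decode and re-encode Cisco IOS type 7 passwords.

Added example, not from the Cisco guide. The key below is the published
constant of the type 7 scheme, not a secret. SAMPLE_CONFIG is constructed
for this example and is not a real device configuration.
"""
from __future__ import annotations

import re

# Fixed 40-byte key used by the type 7 scheme (published constant).
_TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"


def type7_decode(encoded: str) -> str:
    """Recover the clear-text password from a type 7 string such as '094F471A1A0A'.

    The first two characters are a decimal seed selecting the starting key
    byte; each following hex byte is XORed with the next key byte.
    """
    if len(encoded) < 4 or len(encoded) % 2 != 0:
        raise ValueError("type 7 string must be a 2-digit seed plus an even number of hex digits")
    seed = int(encoded[:2], 10)
    if not 0 <= seed < len(_TYPE7_KEY):
        raise ValueError("seed out of range")
    data = bytes.fromhex(encoded[2:])
    plain = bytes(b ^ _TYPE7_KEY[(seed + i) % len(_TYPE7_KEY)] for i, b in enumerate(data))
    return plain.decode("ascii")


def type7_encode(password: str, seed: int = 9) -> str:
    """Produce the type 7 string the router would store for `password` with the given seed.

    IOS itself picks a seed from 0 through 15; the seed is not secret, so it
    adds no strength to the encoding.
    """
    if not 0 <= seed < 16:
        raise ValueError("IOS uses seeds 0 through 15")
    raw = password.encode("ascii")
    data = bytes(b ^ _TYPE7_KEY[(seed + i) % len(_TYPE7_KEY)] for i, b in enumerate(raw))
    return f"{seed:02d}{data.hex().upper()}"


# Matches lines such as "enable password 7 094F471A1A0A" or " password 7 03170808140A35"
# (also "neighbor 10.0.0.1 password 7 ..." because of the lazy prefix).
_TYPE7_LINE = re.compile(r"^\s*(?P<prefix>.*?\bpassword) 7 (?P<hex>[0-9A-Fa-f]+)\s*$")


def recover_type7_passwords(config_text: str) -> list[tuple[str, str]]:
    """Return (configuration line, recovered clear text) for every type 7 password found."""
    found: list[tuple[str, str]] = []
    for line in config_text.splitlines():
        m = _TYPE7_LINE.match(line)
        if m:
            found.append((line.strip(), type7_decode(m.group("hex"))))
    return found


# Constructed sample (assumption for this example); the two type 7 strings
# encode "cisco" (seed 9) and "s3cret" (seed 3).
SAMPLE_CONFIG = """\
! constructed sample, not a real device configuration
service password-encryption
enable password 7 094F471A1A0A
line vty 0 4
 password 7 03170808140A35
 login
"""

if __name__ == "__main__":
    for line, clear in recover_type7_passwords(SAMPLE_CONFIG):
        print(f"{line:40} -> {clear}")
```

Running the script prints the clear-text password next to each type 7 line of the constructed sample, which is the whole point of the caution: anyone who can read the configuration file, or capture it while it is copied across the network, can do the same. A password stored with enable secret is a one-way hash and is not recoverable this way.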
Although you cannot recover a lost enable secret password (the configuration stores only a one-way hash, so
you cannot get the original password back), you can regain control of the router after you lose or forget it. See
the "Recovering a Lost Enable Password" section on page 3-19 if you lose or forget your password.
To display the password or access level configuration, see the "Displaying the Password, Access Level,
and Privilege Level Configuration" section on page 3-19.
Configuring Multiple Privilege Levels
By default, the Cisco IOS software has two modes of password security: user EXEC mode (privilege level 1)
and privileged EXEC mode (privilege level 15). You can configure up to 16 hierarchical privilege levels
(0 through 15) and assign commands to each level. By configuring a separate password for each level, you
can allow different sets of users to have access to specified commands.
Protecting Access to Privileged EXEC Commands
Cisco 7600 Series Router Cisco IOS Software Configuration Guide, Release 12.2SX
OL-4266-08
3-17