Catalyst 6500 Series Software Configuration Guide, 8.7
Configuring Switch Access Using AAA

Table Of Contents

Configuring Switch Access Using AAA

Understanding How Authentication Works

Authentication Overview

Understanding How Login Authentication Works

Understanding How Local Authentication Works

Understanding How Local User Authentication Works

Understanding How TACACS+ Authentication Works

Understanding How RADIUS Authentication Works

Understanding How Kerberos Authentication Works

Using a Kerberized Login Procedure

Using a Non-Kerberized Login Procedure

Configuring Authentication on the Switch

Authentication Default Configuration

Authentication Configuration Guidelines

Configuring Login Authentication

Setting Authentication Login Attempts on the Switch

Setting Authentication Login Attempts for the Privileged Mode

Configuring Local Authentication

Enabling Local Authentication

Setting the Login Password

Setting the Enable Password

Disabling Local Authentication

Recovering a Lost Password

Configuring Local User Authentication

Creating a Local User Account

Enabling Local User Authentication

Disabling Local User Authentication

Deleting a Local User Account

Configuring TACACS+ Authentication

Specifying TACACS+ Servers

Enabling TACACS+ Authentication

Specifying the TACACS+ Key

Specifying the TACACS+ Timeout Interval

Specifying the TACACS+ Login Attempts

Enabling TACACS+ Directed Request

Disabling TACACS+ Directed Request

Clearing TACACS+ Servers

Clearing the TACACS+ Key

Disabling TACACS+ Authentication

Configuring RADIUS Authentication

Specifying RADIUS Servers

Specifying the RADIUS Key

Enabling RADIUS Authentication

Specifying the RADIUS Timeout Interval

Specifying the RADIUS Retransmit Count

Specifying the RADIUS Dead Time

Specifying Optional Attributes for RADIUS Servers

Clearing RADIUS Servers

Clearing the RADIUS Key

Disabling RADIUS Authentication

Configuring Kerberos Authentication

Configuring a Kerberos Server

Enabling Kerberos

Defining the Kerberos Local Realm

Specifying a Kerberos Server

Mapping a Kerberos Realm to a Host Name or DNS Domain

Copying SRVTAB Files

Deleting an SRVTAB Entry

Enabling Credentials Forwarding

Disabling Credentials Forwarding

Defining and Clearing a Private DES Key

Encrypting a Telnet Session

Displaying and Clearing Kerberos Configurations

Authentication Example

Understanding How Authorization Works

Authorization Overview

Authorization Events

TACACS+ Primary Options and Fallback Options

TACACS+ Command Authorization

RADIUS Authorization

Configuring Authorization on the Switch

TACACS+ Authorization Default Configuration

TACACS+ Authorization Configuration Guidelines

Configuring TACACS+ Authorization

Enabling TACACS+ Authorization

Disabling TACACS+ Authorization

Configuring RADIUS Authorization

Enabling RADIUS Authorization

Disabling RADIUS Authorization

Authorization Example

Understanding How Accounting Works

Accounting Overview

Accounting Events

Specifying When to Create Accounting Records

Specifying RADIUS Servers

Updating the Server

Suppressing Accounting

Configuring Accounting on the Switch

Accounting Default Configuration

Accounting Configuration Guidelines

Configuring Accounting

Enabling Accounting

Disabling Accounting

Accounting Example


Configuring Switch Access Using AAA


This chapter describes how to configure authentication, authorization, and accounting (AAA) to monitor and control access to the command-line interface (CLI) on the Catalyst 6500 series switches.


Note For complete syntax and usage information for the commands that are used in this chapter, refer to the Catalyst 6500 Series Switch Command Reference publication.



Note For information on configuring 802.1X authentication to restrict unauthorized devices from connecting to a LAN through publicly accessible ports, see Chapter 40, "Configuring 802.1X Authentication."



Note For information on configuring MAC address authentication bypass, see Chapter 41, "Configuring MAC Authentication Bypass."



Note For information on configuring ports to allow or restrict traffic based on host MAC addresses, see Chapter 38, "Configuring Port Security."



Note For information on configuring network admission control, see Chapter 44, "Configuring Network Admission Control."


This chapter consists of these sections:

Understanding How Authentication Works

Configuring Authentication on the Switch

Understanding How Authorization Works

Configuring Authorization on the Switch

Understanding How Accounting Works

Configuring Accounting on the Switch

Understanding How Authentication Works

These sections describe how the different authentication methods work:

Authentication Overview

Understanding How Login Authentication Works

Understanding How Local Authentication Works

Understanding How Local User Authentication Works

Understanding How TACACS+ Authentication Works

Understanding How RADIUS Authentication Works

Understanding How Kerberos Authentication Works

Authentication Overview

You can configure any combination of these authentication methods to control access to the switch:

Login authentication

Local authentication

RADIUS authentication

TACACS+ authentication

Kerberos authentication


Note Kerberos authentication does not work if TACACS+ is used as the authentication method.


When you enable local authentication with one or more other authentication methods, local authentication is always attempted last. However, you can specify different authentication methods for the console and Telnet connections. For example, you might use local authentication for the console connections and RADIUS authentication for the Telnet connections.

Understanding How Login Authentication Works

Login authentication increases the security of the system by keeping unauthorized users from guessing the password. A user is limited to a specific number of attempts to log in to the switch successfully. If the user exceeds that number without entering the correct password, the system delays further access and records the user ID and the IP address of the station in the syslog and in an SNMP trap.

The maximum number of login attempts is configurable from the CLI and SNMP through the set authentication login attempt count command. Enter the set authentication enable attempt count command to set the login limits for accessing enable mode. The configurable range is three (default) to ten tries. Setting the login authentication limit to zero (0) disables this function.

All authentication methods are supported (RADIUS, TACACS+, Kerberos, or local).

You can configure the lockout (delay) time from the CLI and SNMP through the set authentication login lockout time command. Use the set authentication enable lockout time command to set a delay time for accessing enable mode. The configurable range is 30-43200 seconds. Setting the lockout time to zero (0) disables this function.

If you are locked out at the console, the console does not allow you to log in during that lockout time. If you are locked out with a Telnet session, the connection closes when the time limit is reached. The switch closes any subsequent access from that station during the lockout time and provides an appropriate notice.
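The attempt-limit and lockout behaviour described above, written as an added Python model for illustration (this is not the switch's code). The range checks follow the values stated in this section; the result strings and the AUTH-* record format are constructed, and the per-station counter is an assumption about how the switch tracks attempts.

```python
import time
from dataclasses import dataclass, field

# Ranges stated in the guide: attempt limit 3 (default) to 10, 0 disables the
# limit; lockout time 30 to 43200 seconds, 0 disables the lockout.
ATTEMPT_DEFAULT, ATTEMPT_MIN, ATTEMPT_MAX = 3, 3, 10
LOCKOUT_MIN, LOCKOUT_MAX = 30, 43200


@dataclass
class LoginGuard:
    """Counts consecutive failed logins per station and enforces a lockout window."""
    attempt_limit: int = ATTEMPT_DEFAULT
    lockout_time: int = 0
    failures: dict = field(default_factory=dict)      # station -> consecutive failures
    locked_until: dict = field(default_factory=dict)  # station -> time the lockout ends
    events: list = field(default_factory=list)        # syslog-style records (constructed format)

    def __post_init__(self):
        if self.attempt_limit and not ATTEMPT_MIN <= self.attempt_limit <= ATTEMPT_MAX:
            raise ValueError("attempt limit must be 0 or 3..10")
        if self.lockout_time and not LOCKOUT_MIN <= self.lockout_time <= LOCKOUT_MAX:
            raise ValueError("lockout time must be 0 or 30..43200 seconds")

    def is_locked(self, station, now):
        return self.locked_until.get(station, 0) > now

    def attempt(self, station, user, password_ok, session="telnet", now=None):
        """Process one login attempt; returns 'ok', 'denied', 'locked' or 'closed'.

        'locked' models the console refusing logins during the window;
        'closed' models the switch closing a Telnet connection from a
        locked-out station.
        """
        now = time.time() if now is None else now
        if self.is_locked(station, now):
            self.events.append(f"AUTH-LOCKED user={user} station={station}")
            return "closed" if session == "telnet" else "locked"
        if password_ok:
            self.failures.pop(station, None)   # a successful login resets the counter
            return "ok"
        count = self.failures.get(station, 0) + 1
        self.failures[station] = count
        self.events.append(f"AUTH-FAIL user={user} station={station} attempt={count}")
        if self.attempt_limit and count >= self.attempt_limit and self.lockout_time:
            self.failures.pop(station, None)
            self.locked_until[station] = now + self.lockout_time
            self.events.append(
                f"AUTH-LOCKOUT user={user} station={station} for={self.lockout_time}s")
            return "closed" if session == "telnet" else "locked"
        return "denied"
```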

Understanding How Local Authentication Works

Local authentication uses locally configured login and enable passwords to authenticate login attempts. The login and enable passwords are local to each switch and are not mapped to the individual usernames.

By default, local authentication is enabled. You can disable local authentication only after enabling one or more of the other authentication methods. However, when local authentication is disabled, if you disable all other authentication methods, local authentication is reenabled automatically.

You can enable local authentication and one or more of the other authentication methods at the same time. The switch attempts local authentication only if the other authentication methods fail.

Understanding How Local User Authentication Works

Local user authentication uses local user accounts and passwords that you create to validate the login attempts of local users. Each switch can have a maximum of 25 local user accounts. Before you can enable local user authentication, you must define at least one local user account.

You set up local user accounts by creating a unique username and password combination for each local user. Each username must be fewer than 65 characters, can consist of any alphanumeric characters, and must contain at least one alphabetic character.

You configure each local user account with a privilege level; the valid privilege levels are 0 or 15. The privilege level assigned to a username and password combination designates whether a user will be logged in to normal or privileged mode after successful authentication. A user with a privilege level of 0 is automatically logged in to normal mode, and a user with a privilege level of 15 is logged in to privileged mode. A user with a privilege level of 0 can still access privileged mode by entering the enable command and password combination. Once a local user is logged in, only the commands that are available for that privilege level can be displayed.


Note If you are running a CiscoView image or are logging in using an HTTP login, the system completes its initial authentication using the username and password combination. You can enter privileged mode by either providing the privilege password or using the username and password combination if the local user has a privilege level of 15.


Understanding How TACACS+ Authentication Works

TACACS+ controls access to network devices by exchanging Network Access Server (NAS) information between a network device and a centralized database to determine the identity of a user or an entity. TACACS+ is an enhanced version of TACACS, a User Datagram Protocol (UDP)-based access-control protocol that is specified by RFC 1492. TACACS+ uses TCP to ensure reliable delivery and encrypts all traffic between the TACACS+ daemon on the server and the TACACS+ client on the network device.

TACACS+ works with many authentication types, including fixed password, one-time password, and challenge-response authentication. TACACS+ authentication usually occurs in these instances:

When you first log on to a machine

When you send a service request that requires privileged access

When you request privileged or restricted services, TACACS+ encrypts your user password information using an MD5-based algorithm and adds a TACACS+ packet header. This header identifies the packet type that is being sent (for example, an authentication packet), the packet sequence number, the encryption type that is used, and the total packet length. The TACACS+ protocol then forwards the packet to the TACACS+ server.

A TACACS+ server can provide authentication, authorization, and accounting functions. These services, while all part of TACACS+, are independent of one another, so a given TACACS+ configuration can use any or all of the three services.

When the TACACS+ server receives the packet, it does the following:

Authenticates the user information and notifies the client that authentication has either passed or failed.

Notifies the client that authentication will continue and that the client must provide additional information. This challenge-response process can continue through multiple iterations until authentication either passes or fails.

You can configure a TACACS+ key on the client and server. If you configure a key on the switch, it must be the same as the one that is configured on the TACACS+ servers. The TACACS+ clients and servers use the key to encrypt all the transmitted TACACS+ packets. If you do not configure a TACACS+ key, the packets are not encrypted.
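The header fields and the key-dependent body encryption described above, as an added Python example (not Cisco's code) that follows the TACACS+ packet layout and MD5 pseudo-pad defined in RFC 8907. The shared key, session ID and the authentication START body are constructed values; with no key, the header flag marks the body as cleartext, which is the case the last sentence above warns about.

```python
import hashlib
import struct

# TACACS+ header (RFC 8907): version, type, seq_no, flags, session_id, length.
HEADER = struct.Struct("!BBBBII")
TAC_PLUS_VERSION = 0xC0            # major version 0xC, minor version 0
TAC_PLUS_AUTHEN = 0x01             # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01   # flag bit: body is sent in the clear


def pseudo_pad(session_id, key, version, seq_no, length):
    """MD5 keystream: MD5_1 = MD5(session_id|key|version|seq_no),
    MD5_n = MD5(session_id|key|version|seq_no|MD5_{n-1}), cut to the body length."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def xor_body(session_id, seq_no, body, key, version=TAC_PLUS_VERSION):
    """Apply (or remove) the pad; the same operation encrypts and decrypts."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def authen_start_body(user, priv_lvl=1):
    """Constructed authentication START body (ASCII login) carrying the username."""
    user = user.encode()
    action, authen_type, service = 0x01, 0x01, 0x01   # LOGIN, ASCII, LOGIN
    return struct.pack("!BBBBBBBB", action, priv_lvl, authen_type, service,
                       len(user), 0, 0, 0) + user


def build_packet(session_id, seq_no, body, key=None, pkt_type=TAC_PLUS_AUTHEN):
    """With a key the body is XORed with the pad; without one the flag marks it cleartext."""
    if key:
        flags, wire_body = 0, xor_body(session_id, seq_no, body, key)
    else:
        flags, wire_body = TAC_PLUS_UNENCRYPTED_FLAG, body
    return HEADER.pack(TAC_PLUS_VERSION, pkt_type, seq_no, flags,
                       session_id, len(body)) + wire_body


def parse_packet(packet, key=None):
    """Decode a packet; returns the header fields and the recovered body."""
    version, pkt_type, seq_no, flags, session_id, length = HEADER.unpack_from(packet)
    wire_body = packet[HEADER.size:HEADER.size + length]
    if len(wire_body) != length:
        raise ValueError("truncated body")
    cleartext = bool(flags & TAC_PLUS_UNENCRYPTED_FLAG)
    if cleartext:
        body = wire_body
    elif key is None:
        raise ValueError("obfuscated body but no shared key configured")
    else:
        body = xor_body(session_id, seq_no, wire_body, key, version)
    return {"version": version, "type": pkt_type, "seq_no": seq_no,
            "session_id": session_id, "cleartext": cleartext, "body": body}
```

A server configured with a different key recovers garbage rather than an error, which is why the guide insists the key be identical on switch and server.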

You can configure the following TACACS+ parameters on the switch:

Enable or disable TACACS+ authentication to determine if a user has permission to access the switch

Enable or disable TACACS+ authentication to determine if a user has permission to enter privileged mode

Specify a key that is used to encrypt the protocol packets

Specify the server on which the TACACS+ server daemon resides

Set the number of login attempts that are allowed

Set the timeout interval for a server daemon response

Enable or disable the directed-request option

TACACS+ authentication is disabled by default. You can enable TACACS+ authentication and local authentication at the same time.

When local authentication is disabled, if you disable all other authentication methods, local authentication is reenabled automatically.

Understanding How RADIUS Authentication Works

RADIUS is a client-server authentication and authorization access protocol that is used by the NAS to authenticate the users attempting to connect to a network device. The NAS functions as a client, passing user information to one or more RADIUS servers. The NAS permits or denies network access to a user based on the response it receives from one or more RADIUS servers. RADIUS uses UDP for transport between the RADIUS client and server.

You can configure a RADIUS key on the client and server. If you configure a key on the client, it must be the same as the one that is configured on the RADIUS servers. The RADIUS clients and servers use the key to encrypt all the transmitted RADIUS packets. If you do not configure a RADIUS key, the packets are not encrypted. The key itself is never transmitted over the network.


Note For more information about how the RADIUS protocol operates, refer to RFC 2138, "Remote Authentication Dial In User Service (RADIUS)."


You can configure the following RADIUS parameters on the switch:

Enable or disable RADIUS authentication to control login access

Enable or disable RADIUS authentication to control enable access

Specify the IP addresses and UDP ports of the RADIUS servers

Specify the RADIUS key that is used to encrypt the RADIUS packets

Specify the RADIUS server timeout interval

Specify the RADIUS retransmit count

Specify the RADIUS server dead time interval

RADIUS authentication is disabled by default. You can enable RADIUS authentication and other authentication methods at the same time. You can specify which method to use first using the primary keyword.

When local authentication is disabled, if you disable all other authentication methods, local authentication is reenabled automatically.

Understanding How Kerberos Authentication Works

Kerberos is a client-server based secret-key network authentication method that uses a trusted Kerberos server to verify secure access to both services and users. In Kerberos, this trusted server is called the key distribution center (KDC). The KDC issues a ticket to validate users and services. A ticket is a temporary set of electronic credentials that verifies the identity of a client for a particular service.

These tickets have a limited life span and can be used in place of the standard username and password authentication mechanism if a service trusts the Kerberos server that issued the ticket. If the standard username and password method is used, Kerberos encrypts the user passwords into the tickets, ensuring that the passwords are not sent over the network in clear text. When you use Kerberos, the passwords are not stored on any machine, other than the Kerberos server, for more than a few seconds. Kerberos also guards against intruders who might pick up the encrypted tickets from the network.

Table 39-1 defines the Kerberos terms.

Table 39-1 Kerberos Terminology

Kerberized: Applications and services that have been modified to support the Kerberos credential infrastructure.

Kerberos credential: Authentication tickets, such as ticket granting tickets (TGTs), and service credentials. Kerberos credentials verify the ticket of a user or service. If a network service decides to trust the Kerberos server that issued the ticket, the Kerberos credential can be used in place of retyping in a username and password. Credentials have a default life span of eight hours.

Kerberos identity: (See Kerberos principal.)

Kerberos principal: The Kerberos principal is who you are or what a service is according to the Kerberos server. (Also known as a Kerberos identity.)

Kerberos realm: A domain consisting of users, hosts, and network services that are registered to a Kerberos server. The Kerberos server is trusted to verify the identity of a user or network service to another user or network service. Kerberos realms must always be in uppercase characters.

Kerberos server: A daemon running on a network host. Users and network services register their identity with the Kerberos server. Network services query the Kerberos server to authenticate to other network services.

Key distribution center (KDC): A Kerberos server and database program running on a network host that allocates the Kerberos credentials to different users or network services.

Service credential: A credential for a network service. When issued from the KDC, this credential is encrypted with the password that is shared by the network service and the KDC and with the user's TGT.

SRVTAB: A password that a network service shares with the KDC. The network service authenticates an encrypted service credential by using the SRVTAB (also known as a KEYTAB) to decrypt it.

Ticket granting ticket (TGT): A credential that the KDC issues to authenticated users. When users receive a TGT, they can authenticate to network services within the Kerberos realm that is represented by the KDC.


In the Catalyst 6500 series switches, the Telnet clients and servers through both the console and in-band management port can be Kerberized.


Note Kerberos authentication does not work if TACACS+ is used as the authentication mechanism.



Note If you are logged in to the console through a modem or a terminal server, you cannot use a Kerberized login procedure.


Using a Kerberized Login Procedure

You can use a Kerberized Telnet session if you are logging in through the in-band management port. When the Telnet client and services have been Kerberized, you follow this process when attempting to access the switch through Telnet:

1. The Telnet client asks you for the username and issues a request for a TGT to the KDC on the Kerberos server.

2. The KDC creates the TGT, which contains the user's identity, the KDC's identity, and the TGT's expiration time. The KDC then encrypts the TGT with your password and sends the TGT to the client.

3. When the Telnet client receives the encrypted TGT, it prompts you for the password. If the Telnet client can decrypt the TGT with the entered password, you are successfully authenticated to the KDC. The client then builds a service credential request and sends it to the KDC. This request contains your user identity and a message saying that it wants to access the switch through Telnet. This request is encrypted using the TGT.

4. When the KDC successfully decrypts the service credential request with the TGT that it issued to the client, it builds a service credential for the switch. The service credential has the client's identity and the identity of the desired Telnet server. The KDC then encrypts the credential with the password that it shares with the switch's Telnet server, encrypts the resulting packet with the Telnet client's TGT, and sends this packet to the client.

5. The Telnet client decrypts the packet first with its TGT. If the decryption is successful, the client then sends the resulting packet to the switch's Telnet server. At this point, the packet is still encrypted with the password that the switch's Telnet server and the KDC share.

6. If the Telnet client has been instructed to do so, it forwards the TGT to the switch. This step ensures that you do not need to get another TGT in order to use another network service from the switch.

Figure 39-1 shows the Kerberos Telnet connection process.

Figure 39-1 Kerberized Telnet Connection

Using a Non-Kerberized Login Procedure

If you use a non-Kerberized login procedure to log in to the switch, the switch takes care of the authentication to the KDC on behalf of the login client. However, the user password is now transferred in clear text from the login client to the switch.


Note A non-Kerberized login can be performed through a modem or terminal server through the in-band management port. Telnet does not support non-Kerberized login.


If you launch a non-Kerberized login, the following process takes place:

1. The switch prompts you for a username and password.

2. The switch requests a TGT from the KDC so that you can be authenticated to the switch.

3. The KDC sends an encrypted TGT to the switch, which contains your identity, KDC's identity, and TGT's expiration time.

4. The switch tries to decrypt the TGT with the password that you entered. If the decryption is successful, you are authenticated to the switch.

5. If you want to access the other network services, the KDC must be contacted directly for authentication. To obtain the TGT, you can run the program "kinit," which is the client software that is provided with the Kerberos package.

Figure 39-2 shows the non-Kerberized login process.

Figure 39-2 Non-Kerberized Telnet Connection

Configuring Authentication on the Switch

These sections describe how to configure the different authentication methods:

Authentication Default Configuration

Authentication Configuration Guidelines

Configuring Login Authentication

Configuring Local Authentication

Configuring Local User Authentication

Configuring TACACS+ Authentication

Configuring RADIUS Authentication

Configuring Kerberos Authentication

Authentication Example

Authentication Default Configuration

Table 39-2 shows the default authentication configuration.

Table 39-2 Authentication Default Configuration

Feature                                              Default Value
---------------------------------------------------  ---------------------------
Login authentication (console and Telnet)            Enabled
Local authentication (console and Telnet)            Enabled
Local user authentication                            Disabled
TACACS+ login authentication (console and Telnet)    Disabled
TACACS+ enable authentication (console and Telnet)   Disabled
TACACS+ key                                          None specified
TACACS+ login attempts                               3
TACACS+ server timeout                               5 seconds
TACACS+ directed request                             Disabled
RADIUS login authentication (console and Telnet)     Disabled
RADIUS enable authentication (console and Telnet)    Disabled
RADIUS server IP address                             None specified
RADIUS server UDP auth-port                          Port 1812
RADIUS key                                           None specified
RADIUS server timeout                                5 seconds
RADIUS server dead time                              0 (servers not marked dead)
RADIUS retransmit attempts                           2 times
Kerberos login authentication (console and Telnet)   Disabled
Kerberos enable authentication (console and Telnet)  Disabled
Kerberos server IP address                           None specified
Kerberos DES key                                     None specified
Kerberos server auth-port                            Port 750
Kerberos local-realm name                            NULL string
Kerberos credentials forwarding                      Disabled
Kerberos clients mandatory                           Not mandatory
Kerberos preauthentication                           Disabled


Authentication Configuration Guidelines

This section describes the guidelines for configuring authentication on the switch:

Authentication configuration applies to both console and Telnet connection attempts unless you use the console and telnet keywords to specify the authentication methods to use for each connection type individually.

If you configure a RADIUS or TACACS+ key on the switch, make sure that you configure an identical key on the RADIUS or TACACS+ server.

You must specify a RADIUS or TACACS+ server before enabling RADIUS or TACACS+ on the switch.

If you configure multiple RADIUS or TACACS+ servers, the first server that is configured is the primary server and authentication requests are sent to this server first. You can specify a server as primary by using the primary keyword.

RADIUS and TACACS+ support one privileged mode only (level 1).

Kerberos authentication does not work if TACACS+ is also used as an authentication mechanism.

Before you can enable local user authentication, you must define at least one username.

Local user accounts and passwords must be fewer than 65 characters and can consist of any alphanumeric characters. Local user accounts must contain at least one alphabetic character.

Configuring Login Authentication

These sections describe how to configure login authentication on the switch:

Setting Authentication Login Attempts on the Switch

Setting Authentication Login Attempts for the Privileged Mode

Setting Authentication Login Attempts on the Switch

To set up login authentication on the switch, perform this task in privileged mode:

 
Task
Command

Step 1 

Enable login attempt limits on the switch. Enter the console or telnet keyword if you want to apply the limit only to console port or Telnet connection attempts.

set authentication login attempt {count} [console | telnet]

Step 2 

Enable the login lockout time on the switch. Enter the console or telnet keyword if you want to apply the lockout time only to console port or Telnet connection attempts.

set authentication login lockout {time} [console | telnet]

Step 3 

Verify the local authentication configuration.

show authentication

This example shows how to limit login attempts to 5, set the lockout time for both console and Telnet connections to 50 seconds, and verify the configuration:

Console> (enable) set authentication login attempt 5
Login authentication attempts for console and telnet logins set to 5.
Console> (enable) set authentication login lockout 50
Login lockout time for console and telnet logins set to 50.
Console> (enable) show authentication

Login Authentication:  Console Session   Telnet Session    Http Session
---------------------  ----------------  ----------------  ----------------
tacacs                 disabled          disabled          disabled
radius                 disabled          disabled          disabled
kerberos               disabled          disabled          disabled
local                  enabled(primary)  enabled(primary)  enabled(primary)
attempt limit          5                 5                 -
lockout timeout (sec)  50                50                -

Enable Authentication: Console Session   Telnet Session    Http Session
---------------------- ----------------- ----------------  ----------------
tacacs                 disabled          disabled          disabled
radius                 disabled          disabled          disabled
kerberos               disabled          disabled          disabled
local                  enabled(primary)  enabled(primary)  enabled(primary)
attempt limit          3                 3                 -
lockout timeout (sec)  disabled          disabled          -
Console> (enable)

Setting Authentication Login Attempts for the Privileged Mode

To set up login authentication for privileged mode, perform this task in privileged mode:

 
Task
Command

Step 1 

Enable the login attempt limits for privileged mode. Enter the console or telnet keyword if you want to apply the limit only to console port or Telnet connection attempts.

set authentication enable attempt {count} [console | telnet]

Step 2 

Enable the login lockout time for privileged mode. Enter the console or telnet keyword if you want to apply the lockout time only to console port or Telnet connection attempts.

set authentication enable lockout {time} [console | telnet]

Step 3 

Verify the local authentication configuration.

show authentication

This example shows how to limit enable mode login attempts to 5, set the enable mode lockout time for both console and Telnet connections to 50 seconds, and verify the configuration:

Console> (enable) set authentication enable attempt 5
Enable mode authentication attempts for console and telnet logins set to 5.
Console> (enable) set authentication enable lockout 50
Enable mode lockout time for console and telnet logins set to 50.
Console> (enable) show authentication 

Login Authentication:  Console Session   Telnet Session    Http Session
---------------------  ----------------  ----------------  ----------------
tacacs                 disabled          disabled          disabled
radius                 disabled          disabled          disabled
kerberos               disabled          disabled          disabled
local                  enabled(primary)  enabled(primary)  enabled(primary)
attempt limit          5                 5                 -
lockout timeout (sec)  50                50                -

Enable Authentication: Console Session   Telnet Session    Http Session
---------------------- ----------------- ----------------  ----------------
tacacs                 disabled          disabled          disabled
radius                 disabled          disabled          disabled
kerberos               disabled          disabled          disabled
local                  enabled(primary)  enabled(primary)  enabled(primary)
attempt limit          5                 5                 -
lockout timeout (sec)  50                50                -
Console> (enable)
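A way to check the settings from the two show authentication examples above without reading the table by eye: an added Python parser and audit (not a Cisco tool) that takes the output shown above as its embedded sample, splits columns on runs of two or more spaces as in that output, and flags console or Telnet sessions that rely on local passwords only, have the attempt limit disabled, or have no lockout time.

```python
import re

# The "show authentication" output from the example above, embedded as sample input.
SAMPLE = """\
Login Authentication:  Console Session   Telnet Session    Http Session
---------------------  ----------------  ----------------  ----------------
tacacs                 disabled          disabled          disabled
radius                 disabled          disabled          disabled
kerberos               disabled          disabled          disabled
local                  enabled(primary)  enabled(primary)  enabled(primary)
attempt limit          5                 5                 -
lockout timeout (sec)  50                50                -

Enable Authentication: Console Session   Telnet Session    Http Session
---------------------- ----------------- ----------------  ----------------
tacacs                 disabled          disabled          disabled
radius                 disabled          disabled          disabled
kerberos               disabled          disabled          disabled
local                  enabled(primary)  enabled(primary)  enabled(primary)
attempt limit          5                 5                 -
lockout timeout (sec)  50                50                -
"""

COLUMN_GAP = re.compile(r"\s{2,}")
CENTRAL_METHODS = ("tacacs", "radius", "kerberos")


def parse_show_authentication(text):
    """Return {table: {row_name: {session: value}}}, e.g. tables['login']['local']['telnet']."""
    tables, current, sessions = {}, None, []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("-"):
            continue                                   # blank or separator line
        if "Authentication:" in line:
            head, rest = line.split("Authentication:", 1)
            current = head.strip().lower()             # 'login' or 'enable'
            sessions = [c.replace(" Session", "").lower()
                        for c in COLUMN_GAP.split(rest.strip())]
            tables[current] = {}
            continue
        cols = COLUMN_GAP.split(line.strip())
        if current is None or len(cols) < 2:
            continue                                   # prompt or unrelated text
        tables[current][cols[0]] = dict(zip(sessions, cols[1:]))
    return tables


def audit(tables):
    """Flag console/Telnet settings that leave only local passwords or no lockout."""
    findings = []
    for table, rows in tables.items():
        for session in ("console", "telnet"):
            central = [m for m in CENTRAL_METHODS
                       if rows.get(m, {}).get(session, "").startswith("enabled")]
            if not central:
                findings.append(f"{table}/{session}: no TACACS+, RADIUS or Kerberos "
                                "method enabled (local passwords only)")
            if rows.get("attempt limit", {}).get(session) in (None, "-", "0"):
                findings.append(f"{table}/{session}: login attempt limit disabled")
            if rows.get("lockout timeout (sec)", {}).get(session) in (None, "-", "0", "disabled"):
                findings.append(f"{table}/{session}: lockout time disabled")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_show_authentication(SAMPLE)):
        print(finding)
```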

Configuring Local Authentication

These sections describe how to configure local authentication on the switch:

Enabling Local Authentication

Setting the Login Password

Setting the Enable Password

Disabling Local Authentication

Recovering a Lost Password

Enabling Local Authentication


Note Local login and enable authentication are enabled for both console and Telnet connections by default. You do not need to perform this task unless you want to modify the default configuration or you have disabled local authentication.


To enable local authentication on the switch, perform this task in privileged mode:

 
Task
Command

Step 1 

Enable local login authentication on the switch. Enter the console or telnet keyword if you want to enable local authentication only for the console port or Telnet connection attempts.

set authentication login local enable [all | console | http | telnet]

Step 2 

Enable local enable authentication on the switch. Enter the console or telnet keyword if you want to enable local authentication only for the console port or Telnet connection attempts.

set authentication enable local enable [all | console | http | telnet]

Step 3 

Verify the local authentication configuration.

show authentication

This example shows how to enable local login and enable authentication for both console and Telnet connections and verify the configuration:

Console> (enable) set authentication login local enable
local login authentication set to enable for console and telnet session.
Console> (enable) set authentication enable local enable
local enable authentication set to enable for console and telnet session.
Console> (enable) show authentication

Login Authentication:  Console Session   Telnet Session
---------------------  ----------------  ----------------
tacacs                 disabled          disabled
radius                 disabled          disabled
kerberos               disabled          disabled
local                  enabled(primary)  enabled(primary)

Enable Authentication: Console Session   Telnet Session
---------------------- ----------------- ----------------
tacacs                 disabled          disabled
radius                 disabled          disabled
kerberos               disabled          disabled
local                  enabled(primary)  enabled(primary)
Console> (enable)

Setting the Login Password

The login password controls access to the user mode CLI. The passwords are case sensitive, contain up to 19 characters, and use any printable character including a space.


Note The passwords that were set in releases prior to software release 5.4 remain non-case sensitive. You must reset the password after installing software release 5.4 to activate case sensitivity.


To set the login password for local authentication, perform this task in privileged mode:

Task
Command

Set the login password for access. Enter your old password (press Return on a switch with no password configured), enter your new password, and reenter your new password.

set password


This example shows how to set the login password on the switch:

Console> (enable) set password
Enter old password: <old_password>
Enter new password: <new_password>
Retype new password: <new_password>
Password changed.
Console> (enable)

Setting the Enable Password

The enable password controls access to the privileged mode CLI. The passwords are case sensitive, contain up to 19 characters, and use any printable character including a space.


Note The passwords that were set in releases prior to software release 5.4 remain non-case sensitive. You must reset the password after installing software release 5.4 to activate case sensitivity.


To set the enable password for local authentication, perform this task in privileged mode:

Task
Command

Set the password for privileged mode. Enter your old password (press Return on a switch with no password configured), enter your new password, and reenter your new password.

set enablepass


This example shows how to set the enable password on the switch:

Console> (enable) set enablepass
Enter old password: <old_password>
Enter new password: <new_password>
Retype new password: <new_password>
Password changed.
Console> (enable)

Disabling Local Authentication


Caution Make sure that RADIUS or TACACS+ authentication is configured and operating correctly before disabling local login or enable authentication. If you disable local authentication and RADIUS or TACACS+ is not configured correctly, or if the RADIUS or TACACS+ server is not online, you may be unable to log in to the switch.

To disable local authentication on the switch, perform this task in privileged mode:

Task
Command

Step 1 

Disable local login authentication on the switch. Enter the console or telnet keyword if you want to disable local authentication only for the console port or Telnet connection attempts.

set authentication login local disable [all | console | http | telnet]

Step 2 

Disable local enable authentication on the switch. Enter the console or telnet keyword if you want to disable local authentication only for the console port or Telnet connection attempts.

set authentication enable local disable [all | console | http | telnet]

Step 3 

Verify the local authentication configuration.

show authentication


Note You must have either RADIUS or TACACS+ authentication enabled before you disable local authentication.


This example shows how to disable local login authentication and local enable authentication for both console and Telnet connections, and then verify the configuration:

Console> (enable) set authentication login local disable
local login authentication set to disable for console and telnet session.
Console> (enable) set authentication enable local disable
local enable authentication set to disable for console and telnet session.
Console> (enable) show authentication

Login Authentication:  Console Session   Telnet Session
---------------------  ----------------  ----------------
tacacs                 disabled          disabled        
radius                 enabled(primary)  enabled(primary)
kerberos               disabled          disabled
local                  disabled          disabled        

Enable Authentication: Console Session   Telnet Session
---------------------- ----------------- ----------------
tacacs                 disabled          disabled        
radius                 enabled(primary)  enabled(primary)
kerberos               disabled          disabled
local                  disabled          disabled        
Console> (enable) 
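The Caution above asks you to confirm that RADIUS or TACACS+ is enabled before local authentication is disabled. As an added illustration that is not part of this guide, the following Python parses a show authentication display and lists the sessions where neither tacacs nor radius is enabled; the sample output is constructed and the function names are my own.

```python
import re

# Constructed sample, modelled on this guide's show authentication display
# (RADIUS enabled for console and Telnet sessions, but not for HTTP).
SAMPLE = """\
Login Authentication:  Console Session   Telnet Session    Http Session
---------------------  ----------------  ----------------  ----------------
tacacs                 disabled          disabled          disabled
radius                 enabled(primary)  enabled(primary)  disabled
kerberos               disabled          disabled          disabled
local  *               enabled(primary)  enabled(primary)  enabled(primary)

Enable Authentication: Console Session   Telnet Session    Http Session
---------------------- ----------------- ----------------  ----------------
tacacs                 disabled          disabled          disabled
radius                 enabled(primary)  enabled(primary)  disabled
kerberos               disabled          disabled          disabled
local  *               enabled(primary)  enabled(primary)  enabled(primary)
"""

METHODS = ("tacacs", "radius", "kerberos", "local")

def parse_show_authentication(text):
    """Return {"login"|"enable": {method: {session: state}}} from the display."""
    auth, section, sessions = {}, None, []
    for line in text.splitlines():
        head = re.match(r"(Login|Enable) Authentication:\s+(.*)", line)
        if head:
            section = head.group(1).lower()
            # "Console Session   Telnet Session ..." -> ["console", "telnet", ...]
            sessions = [c.split()[0].lower() for c in re.split(r"\s{2,}", head.group(2).strip())]
            auth[section] = {}
            continue
        # Columns are separated by two or more spaces; "*" marks local user auth
        cells = [c for c in re.split(r"\s{2,}", line.strip()) if c != "*"]
        if section and cells and cells[0] in METHODS:
            auth[section][cells[0]] = dict(zip(sessions, cells[1:]))
    return auth

def missing_remote_aaa(auth, sessions=None):
    """List (section, session) pairs where neither tacacs nor radius is enabled.
    An empty list means a remote login path exists for every checked session;
    it does not prove the server answers, so test a live login as well."""
    gaps = []
    for section in ("login", "enable"):
        methods = auth.get(section, {})
        for s in sessions or list(methods.get("local", {})):
            if not any(methods.get(m, {}).get(s, "").startswith("enabled")
                       for m in ("tacacs", "radius")):
                gaps.append((section, s))
    return gaps
```

With the sample above, the check reports a gap only for Http sessions, so local authentication could be disabled for console and telnet but not for http.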

Recovering a Lost Password

Use the following procedure to recover a lost local authentication password. You must complete Steps 3 through 7 within 30 seconds of a power cycle or the recovery will fail. If you lost both the login and enable passwords, repeat the process for each password.

To recover a lost password, perform these steps in privileged mode:


Step 1 Connect to the switch through the supervisor engine console port. You cannot recover the password if you are connected through a Telnet connection.

Step 2 Enter the reset system command to reboot the switch.

Step 3 At the "Enter Password" prompt, press Return. The login password is null for 30 seconds when you are connected to the console port.

Step 4 Enter privileged mode using the enable command.

Step 5 At the "Enter Password" prompt, press Return. (The enable password is null for 30 seconds when you are connected to the console port.)

Step 6 Enter the set password or set enablepass command, as appropriate.

Step 7 When prompted for your old password, press Return.

Step 8 Enter and confirm your new password.


Configuring Local User Authentication

These sections describe how to configure local user authentication on the switch:

Creating a Local User Account

Enabling Local User Authentication

Disabling Local User Authentication

Deleting a Local User Account

Creating a Local User Account

A local user account and password must be fewer than 65 characters and can consist of any alphanumeric characters. A local user account must also contain at least one alphabetic character.

To create a local user account on the switch, perform this task in privileged mode:

Task
Command

Step 1 

Create a new local user account.

set localuser user username password pwd privilege privilege_level

Step 2 

Verify the local user account.

show localusers

This example shows how to create a local user account and password, set the privilege level, and verify the configuration:

Console> (enable) set localuser user picard password captain privilege 15
Added local user picard.
Console> (enable) show localusers
Local User Authentication: disabled
Username                        Privilege Level
---------                        -------------
picard                             15
Console> (enable)

Enabling Local User Authentication

To enable local user authentication on the switch, perform this task in privileged mode:

Task
Command

Step 1 

Enable local user authentication.

set localuser authentication enable

Step 2 

Verify the local user authentication configuration.

show authentication

This example shows how to enable local user authentication and verify the configuration:

Console> (enable) set localuser authentication enable 
Local User Authentication enabled.
Console> (enable) show authentication
Login Authentication:  Console Session   Telnet Session    Http Session
---------------------  ----------------  ----------------  ----------------
tacacs                 disabled          disabled          disabled        
radius                 disabled          disabled          disabled        
kerberos               disabled          disabled          disabled        
local  *               enabled(primary)  enabled(primary)  enabled(primary)
attempt limit          3                 3                 -
lockout timeout (sec)  disabled          disabled          -

Enable Authentication: Console Session   Telnet Session    Http Session
---------------------- ----------------- ----------------  ----------------
tacacs                 disabled          disabled          disabled        
radius                 disabled          disabled          disabled        
kerberos               disabled          disabled          disabled        
local  *               enabled(primary)  enabled(primary)  enabled(primary)
attempt limit          3                 3                 -
lockout timeout (sec)  disabled          disabled          -
* Local User Authentication enabled.
Console> (enable)

Disabling Local User Authentication

To disable local user authentication on the switch, perform this task in privileged mode:

Task
Command

Step 1 

Disable local user authentication.

set localuser authentication disable

Step 2 

Verify the local authentication configuration.

show authentication

This example shows how to disable local user authentication for the switch and how to verify the configuration:

Console> (enable) set localuser authentication disable
local user authentication set to disable.
Console> (enable) show authentication
Login Authentication:  Console Session   Telnet Session    Http Session
---------------------  ----------------  ----------------  ----------------
tacacs                 disabled          disabled          disabled        
radius                 disabled          disabled          disabled        
kerberos               disabled          disabled          disabled        
local  *               enabled(primary)  enabled(primary)  enabled(primary)
attempt limit          3                 3                 -
lockout timeout (sec)  disabled          disabled          -

Enable Authentication: Console Session   Telnet Session    Http Session
---------------------- ----------------- ----------------  ----------------
tacacs                 disabled          disabled          disabled        
radius                 disabled          disabled          disabled        
kerberos               disabled          disabled          disabled        
local  *               enabled(primary)  enabled(primary)  enabled(primary)
attempt limit          3                 3                 -
lockout timeout (sec)  disabled          disabled          -
* Local User Authentication disabled.
Console> (enable) 

Deleting a Local User Account

To delete a local user account on the switch, perform this task in privileged mode:

Task
Command

Step 1 

Delete a local user account.

clear localuser picard

Step 2 

Verify that the local user account has been deleted.