The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
To set a local password to control access to various privilege levels, use the enable password command in global configuration mode. To remove the password requirement, use the noform of this command.
enable password [ level level ] { password | [encryption-type] encrypted-password }
no enable password [ level level ]
level level |
(Optional) Level for which the password applies. You can specify up to 16 privilege levels, using numbers 0 through 15. Level 1 is normal EXEC-mode user privileges. If this argument is not specified in the command or the no form of the command, the privilege level defaults to 15 (traditional enable privileges). |
password |
Password users type to enter enable mode. |
encryption-type |
(Optional) Cisco-proprietary algorithm used to encrypt the password. Currently the only encryption type available is 5. If you specify encryption-type, the next argument you supply must be an encrypted password (a password already encrypted by a Cisco router). |
encrypted-password |
Encrypted password you enter, copied from another router configuration. |
No password is defined. The default is level 15.
Global configuration
Release |
Modification |
---|---|
10.0 |
This command was introduced. |
12.2(33)SRA |
This command was integrated into Cisco IOS release 12.(33)SRA. |
12.2SX |
This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware. |
Caution |
If neither the enable password command nor the enable secret command is configured, and if there is a line password configured for the console, the console line password will serve as the enable password for all VTY (Telnet and Secure Shell [SSH]) sessions. |
Use this command with the level option to define a password for a specific privilege level. After you specify the level and the password, give the password to the users who need to access this level. Use the privilege level configuration command to specify commands accessible at various levels.
You will not ordinarily enter an encryption type. Typically you enter an encryption type only if you copy and paste into this command a password that has already been encrypted by a Cisco router.
Caution |
If you specify an encryption type and then enter a clear text password, you will not be able to reenter enable mode. You cannot recover a lost password that has been encrypted by any method. |
If the service password-encryption command is set, the encrypted form of the password you create with the enable password command is displayed when a more nvram:startup-configcommand is entered.
You can enable or disable password encryption with the service password-encryptioncommand.
An enable password is defined as follows:
When the system prompts you to enter the enable password, you need not precede the question mark with the Ctrl-v; you can simply enter abc?123 at the password prompt.
The following example enables the password “ pswd2” for privilege level 2:
enable password level 2 pswd2
The following example sets the encrypted password “$1$i5Rkls3LoyxzS8t9”, which has been copied from a router configuration file, for privilege level 2 using encryption type 7:
enable password level 2 5 $1$i5Rkls3LoyxzS8t9
Command |
Description |
---|---|
disable |
Exits privileged EXEC mode and returns to user EXEC mode. |
enable |
Enters privileged EXEC mode. |
enable secret |
Specifies an additional layer of security over the enable password command. |
privilege |
Configures a new privilege level for users and associate commands with that privilege level. |
service password-encryption |
Encrypts passwords. |
show privilege |
Displays your current level of privilege. |
To specify an additional layer of security over the enable password command, use the enable secret command in global configuration mode. To turn off the enable secret function, use the no form of this command.
enable secret [ level level ] { [0] unencrypted-password | encryption-type encrypted-password }
no enable secret [ level level ] [ encryption-type encrypted-password ]
No password is defined. The default level is 15.
Global configuration (config)
Release |
Modification |
---|---|
11.0 |
This command was introduced. |
12.2(33)SRA |
This command was integrated into Cisco IOS Release 12.2(33)SRA. |
12.2SX |
This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware. |
15.0(1)S |
This command was integrated into Cisco IOS Release 15.0(1)S. Support for the encryption type 4 was added. |
Cisco IOS XE Release 3.1S |
This command was integrated into Cisco IOS XE Release 3.1S. Support for the encryption type 4 was added. |
15.1(4)M |
This command was modified. Support for the encryption type 4 was added. |
Cisco IOS Release 3.3.0SG |
This command was modified. Support for the encryption type 5 was removed. |
15.1(1)SY |
This command was integrated into Cisco IOS Release 15.1(1)SY. |
Cisco IOS XE Release 3.2SE |
This command was modified. The warning message for removal of support for the encryption type 5 was modified. |
Caution |
If neither the enable password command or the enable secret command is configured, and if a line password is configured for the console, the console line password will serve as the enable password for all vty (Telnet and Secure Shell [SSH]) sessions. |
Use the enable secret command to provide an additional layer of security over the enable password. The enable secret command provides better security by storing the enable secret password using a nonreversible cryptographic function. The added layer of security encryption provides is useful in environments where the password crosses the network or is stored on a TFTP server.
Typically you enter an encryption type only when you paste an encrypted password that you copied from a router configuration file into this command.
Caution |
If you specify an encryption type and then enter a clear-text password, you will not be able to reenter enable mode. You cannot recover a lost password that has been encrypted by any method. |
If you use the same password for the enable password and enable secret commands, you receive an error message warning that this practice is not recommended, but the password will be accepted. By using the same password, however, you undermine the additional security the enable secret command provides.
Note |
After you set a password using the enable secret command, a password set using the enable password command works only if the enable secret is disabled or an older version of Cisco IOS software is being used, such as when running an older rxboot image. Additionally, you cannot recover a lost password that has been encrypted by any method. |
If the service password-encryption command is set, the encrypted form of the password you create is displayed when the more nvram:startup-config command is entered.
You can enable or disable password encryption with the service password-encryption command.
An enable password is defined as follows:
When the system prompts you to enter the enable password, you need not precede the question mark with the Ctrl-v; you can enter abc?123 at the password prompt.
Note |
During a downgrade from 3.3.0SG to 3.2.0SG, if a SHA256-encrypted enable password is configured, then the SHA256-encrypted password will be lost without any warning, and the secret password will have to be reconfigured. |
The following example shows how to specify the password with the enable secret command:
Device> enable Device# configure terminal Device(config)# enable secret password
After specifying a password with the enable secret command, users must enter this password to gain access. Any passwords set through enable password command will no longer work.
Password: password
The following example shows how to enable the encrypted password “$1$FaD0$Xyti5Rkls3LoyxzS8”, which has been copied from a router configuration file, for privilege level 2 using the encryption type 4:
Device> enable Device# configure terminal Device(config)# enable password level 2 4 $1$FaD0$Xyti5Rkls3LoyxzS8
The following example is a sample warning message that is displayed when a user enters the enable secret 5 encrypted-password command:
Device(config)# enable secret 5 $1$FaD0$Xyti5Rkls3LoyxzS8 Warning: The CLI will be deprecated soon 'enable secret 5 <password>' Please move to 'enable secret <password>' CLI
Command |
Description |
---|---|
enable |
Enters privileged EXEC mode. |
enable password |
Sets a local password to control access to various privilege levels. |
service password-encryption |
Encrypt passwords. |
To access the certification authority (CA) by HTTP through the proxy server, use the enrollment http-proxy command in ca-trustpoint configuration mode.
enrollment http-proxy host-name port-num
host-name |
Defines the proxy server used to get the CA. |
port-num |
Specifies the port number used to access the CA. |
If this command is not enabled, the CA will not be accessed via HTTP.
Ca-trustpoint configuration
Release |
Modification |
---|---|
12.2(8)T |
This command was introduced. |
12.2(18)SXD |
This command was integrated into Cisco IOS Release 12.2(18)SXD. |
The enrollment http-proxy command must be used in conjunction with the enrollment command, which specifies the enrollment parameters for the CA.
The following example shows how to access the CA named “ka” by HTTP through the bomborra proxy server:
crypto ca trustpoint ka enrollment url http://kahului enrollment http-proxy bomborra 8080 crl optional
Command |
Description |
---|---|
crypto ca trustpoint |
Declares the CA that your router should use. |
enrollment |
Specifies the enrollment parameters of your CA. |
To specify the URL of the certification authority (CA) server to which to send enrollment requests, use the enrollment urlcommand in ca-profile-enroll configuration mode. To delete the enrollment URL from your enrollment profile, use the no form of this command.
enrollment url url
no enrollment url url
url |
URL of the CA server to which your router should send certificate requests. If you are using Simple Certificate Enrollment Protocol (SCEP) for enrollment, the url argument must be in the form http://CA_name, where CA_name is the host Domain Name System (DNS) name or IP address of the CA. If you are using TFTP for enrollment, the url argument must be in the form tftp://certserver/file_specification. (If the URL does not include a file specification, the fully qualified domain name [FQDN] of the router will be used.) |
Your router does not recognize the CA URL until you specify it using this command.
Ca-profile-enroll configuration
Release |
Modification |
---|---|
12.2(13)ZH |
This command was introduced. |
12.3(4)T |
This command was integrated into Cisco IOS Release 12.3(4)T. |
This command allows the user to specify a different URL or a different method for authenticating a certificate and enrolling a certificate; for example, manual authentication and TFTP enrollment.
The following example shows how to enable certificate enrollment via HTTP for the profile name “E” :
crypto pki trustpoint Entrust enrollment profile E serial crypto pki profile enrollment E authentication url http://entrust:81 authentication command GET /certs/cacert.der enrollment url http://entrust:81/cda-cgi/clientcgi.exe enrollment command POST reference_number=$P2&authcode=$P1 &retrievedAs=rawDER&action=getServerCert&pkcs10Request=$REQ parameter 1 value aaaa-bbbb-cccc parameter 2 value 5001
Command |
Description |
---|---|
crypto pki profile enrollment |
Defines an enrollment profile. |