Contents
- Configuring Local Authentication
- Understanding Authentication
- NTP-J102 Configure Local Authentication Using Cisco IOS Commands
- NTP-J103 Protect Access to Privileged EXEC Commands Using Cisco IOS Commands
- DLP-J291 Set or Change a Static Enable Password Using Cisco IOS Commands
- DLP-J292 Protect Passwords with Enable Password and Enable Secret Using Cisco IOS Commands
- DLP-J293 Set or Change a Line Password Using Cisco IOS Commands
- DLP-J294 Encrypt Passwords Using Cisco IOS Commands
- Understanding Multiple Privilege Levels
- NTP-J104 Configure Privilege Levels Using Cisco IOS Commands
- DLP-J295 Set the Privilege Level for a Command Using Cisco IOS Commands
- DLP-J296 Change the Default Privilege Level for Lines Using Cisco IOS Commands
- DLP-J297 Display Current Privilege Levels Using Cisco IOS Commands
- DLP-J298 Log In to a Privilege Level Using Cisco IOS Commands
Configuring Local Authentication
This chapter describes local authentication and the procedures for configuring local authentication and privilege levels.
This chapter includes the following topics:
- Understanding Authentication
- NTP-J102 Configure Local Authentication Using Cisco IOS Commands
- NTP-J103 Protect Access to Privileged EXEC Commands Using Cisco IOS Commands
- Understanding Multiple Privilege Levels
- NTP-J104 Configure Privilege Levels Using Cisco IOS Commands
Understanding Authentication
Access control enables you to restrict access to the network server and its services to a specific group of users. The authentication, authorization, and accounting (AAA) network security services provide the primary framework through which you can set up access control on your router or access server.
Authentication is a way of identifying a user before permitting access to the network and network services. The Carrier Packet Transport (CPT) supports a local authentication mechanism to administer its security functions.
NTP-J102 Configure Local Authentication Using Cisco IOS Commands
| Purpose | This procedure configures local authentication using Cisco IOS commands. |
|---|---|
| Tools/Equipment | None |
| Prerequisite Procedures | None |
| Required/As Needed | As needed |
| Onsite/Remote | Onsite or remote |
| Security Level | Provisioning or higher |
The only supported login authentication method in CPT is local authentication.
Example: Configure Local Authentication
The following example shows how to configure local authentication using Cisco IOS commands (the `aaa authentication login` command is entered in global configuration mode, not interface configuration mode):

```
Router> enable
Router# configure terminal
Router(config)# aaa new-model
Router(config)# aaa authentication login default local
Router(config)# line vty 0 4
Router(config-line)# login authentication default
Router(config-line)# end
```
NTP-J103 Protect Access to Privileged EXEC Commands Using Cisco IOS Commands
| Purpose | This procedure provides a way to control access to the system configuration file and privileged EXEC (enable) commands, using Cisco IOS commands. |
|---|---|
| Tools/Equipment | None |
| Prerequisite Procedures | None |
| Required/As Needed | As needed |
| Onsite/Remote | Onsite or remote |
| Security Level | Provisioning or higher |

Stop. You have completed this procedure.
DLP-J291 Set or Change a Static Enable Password Using Cisco IOS Commands
| Purpose | This procedure sets or changes a static password that controls access to privileged EXEC (enable) mode, using Cisco IOS commands. |
|---|---|
| Tools/Equipment | None |
| Prerequisite Procedures | None |
| Required/As Needed | As needed |
| Onsite/Remote | Onsite or remote |
| Security Level | Provisioning or higher |
DLP-J292 Protect Passwords with Enable Password and Enable Secret Using Cisco IOS Commands
| Purpose | This procedure configures the router to require an enable password and an enable secret password using Cisco IOS commands. |
|---|---|
| Tools/Equipment | None |
| Prerequisite Procedures | None |
| Required/As Needed | As needed |
| Onsite/Remote | Onsite or remote |
| Security Level | Provisioning or higher |
To provide an additional layer of security, particularly for passwords that cross the network or are stored on a TFTP server, you can use either the enable password or the enable secret command. Both commands accomplish the same thing: they allow you to establish an encrypted password that users must enter to access enable mode (the default), or any privilege level you specify.
We recommend that you use the enable secret command because it uses an improved encryption algorithm.
If you configure the enable secret command, it takes precedence over the enable password command; the two commands cannot be in effect simultaneously.
Note: If neither the enable password command nor the enable secret command is configured, and if there is a line password configured for the console, the console line password serves as the enable password for all VTY sessions.
Use the enable password or enable secret commands with the level keyword to define a password for a specific privilege level. After you specify the level and set a password, give the password only to users who need to have access at this level. Use the privilege level configuration command to specify the commands accessible at various levels.
You can enable or disable password encryption with the service password-encryption command. If you have the service password-encryption command enabled, the password you enter is encrypted. When you display it with the more system:running-config command, it is displayed in encrypted form.
DLP-J293 Set or Change a Line Password Using Cisco IOS Commands
| Purpose | This procedure sets or changes a password on a line, using Cisco IOS commands. |
|---|---|
| Tools/Equipment | None |
| Prerequisite Procedures | None |
| Required/As Needed | As needed |
| Onsite/Remote | Onsite or remote |
| Security Level | Provisioning or higher |
DLP-J294 Encrypt Passwords Using Cisco IOS Commands
| Purpose | This procedure encrypts passwords using Cisco IOS commands. |
|---|---|
| Tools/Equipment | None |
| Prerequisite Procedures | None |
| Required/As Needed | As needed |
| Onsite/Remote | Onsite or remote |
| Security Level | Provisioning or higher |
Encryption prevents the password from being readable in clear text in the configuration file.
Understanding Multiple Privilege Levels
CPT supports multiple privilege levels, which provide access to commands. By default, there are two levels of access to commands:
You can configure additional levels of access to commands, called privilege levels, to meet the needs of users while protecting the system from unauthorized access. Up to 16 privilege levels can be configured from level 0, which is the most restricted level, to level 15, which is the least restricted level.
The access to each privilege level is enabled through separate passwords, which you can specify when configuring the privilege level.
For example, if you want a certain set of users to be able to configure only certain interfaces and configuration options, you could create a separate privilege level only for specific interface configuration commands and distribute the password for that level to those users.
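As an added example (not part of this chapter or the CPT software), the following Python audit reads a running-config and reports the settings this chapter covers: local AAA login, enable secret versus enable password (including the console-line-password note above), service password-encryption, and the per-command privilege levels set with `privilege exec level`. The sample configuration is constructed, and the `privilege_map` helper and severity labels are this example's own conventions.

```python
import re

# Constructed sample running-config for the audit (not captured from a real device).
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default local
enable password cisco123
privilege exec level 5 show running-config
privilege exec level 5 configure terminal
line vty 0 4
 login authentication default
"""

def parse_config(text):
    """Split an IOS config into global commands and the commands under each 'line' section."""
    global_cmds, sections, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:  # indented: inside the current line section
            sections[current].append(raw.strip())
        elif raw.startswith("line "):
            current = raw.strip()
            sections[current] = []
        else:
            current = None
            global_cmds.append(raw.strip())
    return global_cmds, sections

def privilege_map(text):
    """Return {command: level} for each 'privilege exec level N <command>' entry."""
    pairs = (re.match(r"privilege exec level (\d+) (.+)", c) for c in parse_config(text)[0])
    return {m.group(2): int(m.group(1)) for m in pairs if m}

def audit(text):
    """Return (severity, message) findings for the settings this chapter covers."""
    g, sections = parse_config(text)
    has = lambda prefix: any(c.startswith(prefix) for c in g)
    findings = []
    if not (has("aaa new-model") and has("aaa authentication login default local")):
        findings.append(("high", "local AAA login not configured (aaa new-model and aaa authentication login default local)"))
    if not has("enable secret") and not has("enable password"):
        # Chapter note: with no enable password/secret, a console line password serves as the enable password for VTY sessions.
        console_pw = any(c.startswith("password") for n, cmds in sections.items() if n.startswith("line con") for c in cmds)
        findings.append(("high", "no enable secret or enable password; " + ("console line password will act as the enable password for VTY sessions" if console_pw else "privileged EXEC mode has no password set")))
    elif not has("enable secret"):
        findings.append(("medium", "enable password in use; prefer enable secret, which uses an improved algorithm"))
    if not has("service password-encryption"):
        findings.append(("medium", "service password-encryption is off; line passwords appear in clear text in the configuration"))
    return findings
```

Run `audit(SAMPLE_CONFIG)` to see the two medium findings for the sample, and `privilege_map(SAMPLE_CONFIG)` to see which commands were moved to level 5.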
NTP-J104 Configure Privilege Levels Using Cisco IOS Commands
| Purpose | This procedure configures privilege levels using Cisco IOS commands. |
|---|---|
| Tools/Equipment | None |
| Prerequisite Procedures | None |
| Required/As Needed | As needed |
| Onsite/Remote | Onsite or remote |
| Security Level | Provisioning or higher |

Stop. You have completed this procedure.
DLP-J295 Set the Privilege Level for a Command Using Cisco IOS Commands
| Purpose | This procedure configures a new privilege level for users and associates commands with that privilege level, using Cisco IOS commands. |
|---|---|
| Tools/Equipment | None |
| Prerequisite Procedures | None |
| Required/As Needed | As needed |
| Onsite/Remote | Onsite or remote |
| Security Level | Provisioning or higher |
DLP-J296 Change the Default Privilege Level for Lines Using Cisco IOS Commands
| Purpose | This procedure changes the default privilege level for a given line or a group of lines, using Cisco IOS commands. |
|---|---|
| Tools/Equipment | None |
| Prerequisite Procedures | None |
| Required/As Needed | As needed |
| Onsite/Remote | Onsite or remote |
| Security Level | Provisioning or higher |
DLP-J297 Display Current Privilege Levels Using Cisco IOS Commands
| Purpose | This procedure displays the current privilege levels using Cisco IOS commands. |
|---|---|
| Tools/Equipment | None |
| Prerequisite Procedures | None |
| Required/As Needed | As needed |
| Onsite/Remote | Onsite or remote |
| Security Level | Provisioning or higher |
DLP-J298 Log In to a Privilege Level Using Cisco IOS Commands
| Purpose | This procedure logs in to a router at a specified privilege level, using Cisco IOS commands. |
|---|---|
| Tools/Equipment | None |
| Prerequisite Procedures | None |
| Required/As Needed | As needed |
| Onsite/Remote | Onsite or remote |
| Security Level | Provisioning or higher |