Leaflet

100
OL-11615-01
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/sw_8_5/cmd_ref/ses_sete.htm#wp1052196
The set authentication enable Command
By default, privileged (enable) access to switches running Catalyst OS is controlled with the local enable
password. The set authentication enable command can be used to enable TACACS+, RADIUS, or
Kerberos as alternative authentication methods for enable (privileged) access.
In addition, the set authentication enable command allows you to limit the number of unsuccessful
attempts to enter enable mode. When a user fails to authenticate after the specified number of
attempts, the system delays further access and records the user ID and the IP address of the station in a
syslog message and an SNMP trap.
The maximum number of login attempts is configurable through the set authentication enable attempt
count command. The configurable range is three (default) to ten tries. Setting the login authentication
limit to zero (0) disables this function.
The lockout (delay) time can be configured through the set authentication enable lockout time
command. The configurable range is 30-43200 seconds. Setting the lockout time to zero (0) disables this
function.
This example shows how to limit enable mode login attempts to 5, set the lockout time for both console
and Telnet connections to 50 seconds, and verify the configuration:
Console> (enable) set authentication enable attempt 5
Enable mode authentication attempts for console and telnet logins set to 5.
Console> (enable) set authentication enable lockout 50
Enable mode lockout time for console and telnet logins set to 50.
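The attempt-limit and lockout behaviour described above, written out as a small Python model. This is an added example, not code from the Cisco documentation or from Catalyst OS: the range checks use the values the page gives (3-10 attempts, 30-43200 seconds, 0 disables each), and the assumption that failures are counted per user/source-IP pair is the example's own; the real switch may track them per session.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Ranges the page gives for the two set authentication enable parameters; 0 disables each.
ATTEMPT_RANGE = (3, 10)        # set authentication enable attempt <count>
LOCKOUT_RANGE = (30, 43200)    # set authentication enable lockout <seconds>


def validate_attempt_count(count: int) -> int:
    """Return count if it is 0 (disabled) or within 3-10, else raise ValueError."""
    if count == 0 or ATTEMPT_RANGE[0] <= count <= ATTEMPT_RANGE[1]:
        return count
    raise ValueError(f"attempt count must be 0 or {ATTEMPT_RANGE[0]}-{ATTEMPT_RANGE[1]}, got {count}")


def validate_lockout_time(seconds: int) -> int:
    """Return seconds if it is 0 (disabled) or within 30-43200, else raise ValueError."""
    if seconds == 0 or LOCKOUT_RANGE[0] <= seconds <= LOCKOUT_RANGE[1]:
        return seconds
    raise ValueError(f"lockout time must be 0 or {LOCKOUT_RANGE[0]}-{LOCKOUT_RANGE[1]}, got {seconds}")


@dataclass
class EnableAuthGuard:
    """Model of the enable-mode attempt limit and lockout delay.

    Assumption (ours, not the page's): failures are counted per user@source-IP key.
    Time is passed in explicitly so the logic can be exercised without sleeping.
    """
    attempt_limit: int = 3          # page default
    lockout_seconds: int = 0
    failures: Dict[str, int] = field(default_factory=dict)
    locked_until: Dict[str, float] = field(default_factory=dict)
    events: List[str] = field(default_factory=list)   # syslog-style audit trail

    def attempt(self, user: str, src_ip: str, password_ok: bool, now: float) -> str:
        """Return "ok", "denied" or "locked" for one enable-mode attempt."""
        key = f"{user}@{src_ip}"
        if now < self.locked_until.get(key, 0.0):
            return "locked"                      # still inside the delay window
        if password_ok:
            self.failures.pop(key, None)         # a success clears the failure counter
            return "ok"
        self.failures[key] = self.failures.get(key, 0) + 1
        if self.attempt_limit and self.failures[key] >= self.attempt_limit:
            # Threshold reached: record who and from where (the page says the user ID
            # and IP go to syslog and an SNMP trap), then start the lockout delay.
            self.events.append(f"enable auth failed {self.failures[key]} times: user={user} ip={src_ip}")
            self.failures.pop(key, None)
            if self.lockout_seconds:
                self.locked_until[key] = now + self.lockout_seconds
                return "locked"
        return "denied"


def demo() -> Tuple[List[str], List[str]]:
    """Replay the page's example settings (5 attempts, 50 s lockout) against a constructed
    run of bad passwords from one station, then a correct password inside and after the window."""
    guard = EnableAuthGuard(validate_attempt_count(5), validate_lockout_time(50))
    results = [guard.attempt("admin", "192.0.2.10", False, now=float(t)) for t in range(5)]
    results.append(guard.attempt("admin", "192.0.2.10", True, now=10.0))   # locked out until t=54
    results.append(guard.attempt("admin", "192.0.2.10", True, now=54.0))   # window over: succeeds
    return results, guard.events


if __name__ == "__main__":
    outcomes, log = demo()
    print(outcomes)
    print("\n".join(log))
```

The fifth failure at t=4 produces the audit event and a lock until t=54; the correct password at t=10 is still refused, and the one at t=54 is accepted. Setting attempt_limit to 0 turns the counter off entirely, matching the page's "disables this function".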
For more information about the set authentication login attempt command, refer to the following URL:
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/sw_8_5/cmd_ref/ses_sete.htm#wp1052090
Password Management in Cisco IOS
The following are the Cisco IOS commands that can be used to implement the above best practices:
service password-encryption
enable secret
security password min-length
security authentication failure rate
The service password-encryption Command
By default, some passwords and secrets are shown in clear text in a Cisco IOS software configuration
file or listing. The service password-encryption global configuration command instructs Cisco IOS
software to encrypt the passwords, CHAP secrets, and similar data that are saved in the configuration
file. This is shown in the following example:
Router(config)# service password-encryption
This command is primarily useful for keeping unauthorized individuals from viewing passwords in the
configuration file. However, it is important to note that the algorithm used by service
password-encryption is a simple Vigenère cipher that is easily reversed, and for that reason this
command should not be relied on to protect configuration files against serious attacks.
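A configuration audit that applies the points made in this section and the command list above it, as an added Python example that is not part of the Cisco document. It scans a constructed IOS running-config fragment, flags cleartext (type 0 or untyped) and Type 7 passwords (the reversible service password-encryption form), reports enable password used without enable secret, and notes which of the listed hardening commands are absent. The regular expressions and the sample configs are the example's own; the `security passwords min-length` spelling is the form IOS accepts, and the page's singular spelling is matched as well.

```python
import re
from typing import Dict, List, NamedTuple


class Finding(NamedTuple):
    line_no: int          # 0 means a config-wide finding
    severity: str         # "high", "medium" or "info"
    message: str


# Constructed sample running-config (not from a real device); Type 7 strings are made up.
SAMPLE_CONFIG = """\
!
service password-encryption
hostname edge-rtr-1
!
enable password 7 094F471A1A0A
!
username ops password 7 104D000A0618
username backup password 0 Summer2024
!
line vty 0 4
 password 7 13061E010803
 login
!
"""

# The same device with the page's recommendations applied (hash values are placeholders).
HARDENED_CONFIG = """\
!
service password-encryption
security passwords min-length 10
security authentication failure rate 3 log
hostname edge-rtr-1
!
enable secret 9 $9$PLACEHOLDER-hash
!
username ops secret 9 $9$PLACEHOLDER-hash
!
line vty 0 4
 login local
!
"""

# Lines that carry a password value; group 1 is the optional encryption-type digit.
PASSWORD_RE = re.compile(
    r"^\s*(?:enable\s+password|username\s+\S+\s+password|password)\s+(?:(\d+)\s+)?(\S+)\s*$"
)

# Global commands the page lists, plus enable secret as the replacement for enable password.
EXPECTED_GLOBALS: Dict[str, re.Pattern] = {
    "service password-encryption": re.compile(r"^service password-encryption$"),
    "enable secret": re.compile(r"^enable secret\b"),
    "security passwords min-length": re.compile(r"^security passwords? min-length\s+\d+"),
    "security authentication failure rate": re.compile(r"^security authentication failure rate\s+\d+"),
}


def audit_config(config_text: str) -> List[Finding]:
    """Flag reversible or cleartext credentials and missing hardening commands."""
    findings: List[Finding] = []
    lines = config_text.splitlines()
    seen = {name: False for name in EXPECTED_GLOBALS}

    for idx, raw in enumerate(lines, start=1):
        line = raw.strip()
        for name, pattern in EXPECTED_GLOBALS.items():
            if pattern.match(line):
                seen[name] = True
        m = PASSWORD_RE.match(raw)
        if not m:
            continue
        enc_type = m.group(1)
        if enc_type in (None, "0"):
            findings.append(Finding(idx, "high", "cleartext password (type 0 or no type)"))
        elif enc_type == "7":
            findings.append(Finding(idx, "medium",
                                    "Type 7 password: service password-encryption is reversible, not a hash"))
        # Types 5, 8 and 9 are one-way hashes and are not flagged here.

    if not seen["enable secret"]:
        if any(l.strip().startswith("enable password") for l in lines):
            findings.append(Finding(0, "high", "enable password configured without enable secret"))
        else:
            findings.append(Finding(0, "medium", "no enable secret configured"))
    for name in ("service password-encryption", "security passwords min-length",
                 "security authentication failure rate"):
        if not seen[name]:
            findings.append(Finding(0, "info", f"{name} not configured"))
    return findings


if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print(f"line {f.line_no:>2} [{f.severity}] {f.message}")
    print("hardened config findings:", audit_config(HARDENED_CONFIG))
```

On the sample config the audit reports three Type 7 passwords, one cleartext password, the enable password with no enable secret, and the two missing global commands; the hardened config produces no findings. The script deliberately never attempts to decode a Type 7 string, since the point of the audit is to locate and replace such credentials, not to recover them.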