AAA Commands

This chapter describes the Authentication, Authorization, and Accounting (AAA) commands and contains the following sections:

aaa authentication enable

To set one or more authentication methods for accessing higher privilege levels, use the aaa authentication enable Global Configuration mode command.

To restore the default authentication method, use the no form of this command.

Syntax

aaa authentication enable {default | LISTNAME} method1 [method2 ...]

no aaa authentication enable {default | LISTNAME}

Parameters

default—Uses the default authentication method list when accessing higher privilege levels.

LISTNAME —Name of the authentication method list activated when users access higher privilege levels. (Length: 1 to 32 characters)

method1 [method2 ...]—A list of methods that the authentication algorithm tries, in the given sequence.

Default Configuration

The enable password command defines the default authentication login method. This command functions the same as the aaa authentication enable default enable command.

On a console, the enable password is used if a password exists. If no password is set, the authentication still succeeds. This command functions the same as entering the aaa authentication enable default enable none command.

Command Mode

Global Configuration mode

User Guidelines

A user who logs on with a lower privilege level must pass these authentication methods to access a higher level.

The additional authentication methods are used only if the previous method returns an error, not if it fails. Specify none as the final method in the command line to ensure that the authentication succeeds, even if all methods return an error.

Select one or more methods from the following list:

 Keyword  | Description
----------+----------------------------------------------------
 enable   | Uses the enable password for authentication.
 none     | Uses no authentication.
 radius   | Uses a list of RADIUS servers for authentication.
 tacacs+  | Uses a list of TACACS+ servers for authentication.

Create a list by entering the aaa authentication enable LISTNAME command where LISTNAME is any character string used to name this list. The method argument identifies the list of methods that the authentication algorithm tries in the given sequence.

All aaa authentication enable default requests sent by the switch to a RADIUS or a TACACS+ server include the username $enabx$, where x is the requested privilege level.

The no aaa authentication enable LISTNAME command deletes the list name if it has not been referenced.

Example

The following example defines an authentication method list for accessing higher privilege levels and applies it to the console line:

switchxxxxxx(config)# aaa authentication enable enable-list radius none
switchxxxxxx(config)# line console
switchxxxxxx(config-line)# enable authentication enable-list

aaa authentication login

To set one or more authentication methods to be applied during login, use the aaa authentication login Global Configuration mode command.

To restore the default authentication method, use the no form of this command.

Syntax

aaa authentication login {default | LISTNAME} method1 [method2...]

no aaa authentication login {default | LISTNAME}

Parameters

default—Uses the default authentication method list when a user logs in (this list is unnamed).

LISTNAME—Name of the authentication method list activated when a user logs in. (Length: 1 to 32 characters)

method1 [method2...]—A list of methods that the authentication algorithm tries (in the given sequence).

Default Configuration

If no authentication method is specified, the default is to use the locally-defined users and passwords. It is the same as entering the aaa authentication login local command.

Note

If no authentication method is defined, the console users can log in without any authentication verification.

Command Mode

Global Configuration mode

User Guidelines

A list of authentication methods may be assigned a list name, and this list name can be used in the aaa authentication enable command.

Create a list of authentication methods by entering this command with the LISTNAME parameter where LISTNAME is any character string. The method argument identifies the list of methods that the authentication algorithm tries in the given sequence.

Each additional authentication method is used only if the previous method returns an error, not if it fails. To ensure that the authentication succeeds even if all methods return an error, specify none as the final method in the command line.

Select one or more methods from the following list:

 Keyword  | Description
----------+----------------------------------------------------
 enable   | Uses the enable password for authentication.
 local    | Uses the locally defined usernames for authentication.
 none     | Uses no authentication.
 radius   | Uses a list of RADIUS servers for authentication.
 tacacs+  | Uses a list of TACACS+ servers for authentication.

The default and list names created with this command are used with the aaa authentication enable command.

The no aaa authentication login LISTNAME command deletes a list name only if it has not been referenced by another command.
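The fall-through rule stated for both the enable lists and the login lists (the next method is consulted only when the previous one returns an error, never when it fails) is easy to misread, so the following simulation walks a method list with exactly those semantics. It is an added example, not switch firmware or Cisco code; the method functions, the local user table and the two server registries are constructed stand-ins, and treating an unknown local user as a failure rather than an error is an assumption.

```python
from enum import Enum
from typing import Callable, Dict, List


class Result(Enum):
    """Outcome of one authentication method, as the command reference distinguishes them."""
    SUCCESS = "success"  # the method verified the credentials
    FAIL = "fail"        # the method reached a verdict and rejected the credentials
    ERROR = "error"      # the method could not be evaluated (e.g. no server answered)


# An authentication method is a function of (username, password) -> Result.
Method = Callable[[str, str], Result]


def run_method_list(methods: List[str], registry: Dict[str, Method],
                    username: str, password: str) -> List[str]:
    """Walk a method list the way the page describes it: the next method is
    consulted only when the previous one returned ERROR; a FAIL ends the attempt
    at once. Returns a trace such as ['radius:error', 'local:success', 'success'];
    the last element is the final verdict ('success' or 'fail')."""
    trace: List[str] = []
    for name in methods:
        outcome = registry[name](username, password)
        trace.append(f"{name}:{outcome.value}")
        if outcome is Result.SUCCESS:
            trace.append("success")
            return trace
        if outcome is Result.FAIL:
            trace.append("fail")
            return trace
        # Result.ERROR: fall through to the next method in the list
    # Every method returned ERROR and no 'none' terminated the list: access denied
    trace.append("fail")
    return trace


def verdict(methods: List[str], registry: Dict[str, Method],
            username: str, password: str) -> str:
    """Convenience wrapper returning only the final verdict."""
    return run_method_list(methods, registry, username, password)[-1]


# Constructed stand-ins for the method keywords (assumptions for illustration).
LOCAL_USERS = {"cisco": "cisco"}  # constructed local user database


def local(username: str, password: str) -> Result:
    # Assumption: an unknown user or a wrong password is a FAIL, not an ERROR.
    if LOCAL_USERS.get(username) == password:
        return Result.SUCCESS
    return Result.FAIL


def none(username: str, password: str) -> Result:
    # 'none' checks nothing, so it always succeeds.
    return Result.SUCCESS


def radius_unreachable(username: str, password: str) -> Result:
    # Simulates RADIUS servers that do not answer: an ERROR, so the list moves on.
    return Result.ERROR


def radius_rejecting(username: str, password: str) -> Result:
    # Simulates a reachable RADIUS server that rejects the credentials: a FAIL.
    return Result.FAIL


# Two constructed situations: servers down, and servers up but rejecting.
SERVERS_DOWN: Dict[str, Method] = {"radius": radius_unreachable, "local": local, "none": none}
SERVERS_UP: Dict[str, Method] = {"radius": radius_rejecting, "local": local, "none": none}


if __name__ == "__main__":
    for desc, reg in (("servers down", SERVERS_DOWN), ("servers up", SERVERS_UP)):
        print(desc, "radius local none, cisco/cisco:",
              run_method_list(["radius", "local", "none"], reg, "cisco", "cisco"))
    print("servers down, radius none, stranger/anything:",
          run_method_list(["radius", "none"], SERVERS_DOWN, "stranger", "anything"))
```

Two traces are worth reading side by side: with the servers up, `radius local none` stops at `radius:fail` and never consults the local database, while with the servers down the same list falls through to `local`. The last trace shows what a trailing `none` really buys: when every server is unreachable, any username with any password is accepted, which is the reason the page tells you to place `none` last only when that outcome is intended.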

Example

The following example sets the authentication login method for console sessions:

switchxxxxxx(config)# aaa authentication login authen-list radius local none
switchxxxxxx(config)# line console
switchxxxxxx(config-line)# login authentication authen-list

enable authentication

To specify the authentication method for accessing a higher privilege level from a remote Telnet or console, use the enable authentication Line Configuration mode command.

To restore the default authentication method, use the no form of this command.

Syntax

enable authentication LISTNAME

no enable authentication

Parameters

LISTNAME—Name of a specific authentication method list created with the aaa authentication enable command.

Command Mode

Line Configuration mode

Examples

Example 1—The following example uses the default authentication method when accessing a higher privilege level from a console:

switchxxxxxx(config)# line console
switchxxxxxx(config-line)# enable authentication default

Example 2—The following example sets a list of authentication methods for accessing higher privilege levels:

switchxxxxxx(config)# aaa authentication enable enable-list radius none
switchxxxxxx(config)# line console
switchxxxxxx(config-line)# enable authentication enable-list

enable

To set a local password to control access to normal and privilege levels, use the enable Global Configuration mode command.

To restore the default password, use the no form of this command.

Syntax

enable algorithm-type hash-method [level privilege-level] unencrypted-password

enable secret 8 [level privilege-level] encrypted-password

no enable [level privilege-level]

Parameters

algorithm-type hash-method—Specifies the method used for encrypting the clear-text password. Supported values:

  • sha256—PBKDF2 encryption with HMAC using SHA256 as the underlying hashing algorithm.

level privilege-level—(Optional) Specifies the level for which the password applies. If not specified, the level is 15. (Range: 1 to 15)

unencrypted-password—Password for this level. (Range: 0 to 32 characters)

8 encrypted-password—Specifies that the password is encrypted and hashed using a salt. Use this keyword to enter a password that is already encrypted (for instance, a password that was copied from the configuration file of another device). The encrypted-password is specified in the format $<type>$<salt>$<encrypted-password>, where:

  • $<type> is an integer value that indicates the type of hash algorithm used to generate the hash.

  • $<salt> is a random string. (Length: 16 bytes)

  • $<encrypted-password> is the base64 encoding of the encrypted hash output.

Default Configuration

The default level is 15.

The passwords are encrypted by default.

Command Mode

Global Configuration mode

User Guidelines

The unencrypted-password must comply with the password complexity requirements. When the administrator configures a new enable password, this password is encrypted automatically and saved to the configuration file. No matter how the password was entered, it appears in the configuration file with the keyword encrypted and the encrypted value.

If the administrator wants to manually copy a password that was configured on one switch (for instance, switch B) to another switch (for instance, switch A), the administrator must add encrypted in front of this encrypted password when entering the enable secret 8 command on switch A. In this way, the two switches will have the same password.

The passwords are encrypted by default. You are only required to use the encrypted keyword when you are actually entering an encrypted password.

Example

Example 1—The command sets an unencrypted password for level 15 (it will be encrypted in the configuration file).

switchxxxxxx(config)# enable algorithm-type sha256 level 15 secret Test123!

Example 2—The command sets a password that has already been encrypted. It will be copied to the configuration file just as it is entered. To log in to the device using this password, the user must know its unencrypted form.

switchxxxxxx(config)# enable secret 8 level 15 $8$GL6MPk5EYXHTYHOl$zHmAYrhnSDa7NfVEd+VGyQ==

ip http authentication

To specify one or more AAA methods for HTTP and HTTPS login authentications, use the ip http authentication Global Configuration mode command.

Syntax

ip http authentication aaa login-authentication [http | https] {default | LISTNAME}

no ip http authentication aaa login-authentication [http | https]

Parameters

http—(Optional) Binds a login authentication list to user access with the HTTP protocol.

https—(Optional) Binds a login authentication list to user access with the HTTPS protocol.

default—Uses the default login authentication method list.

LISTNAME—Name of the login authentication method list.

Default Configuration

The default login authentication list is used for HTTP and HTTPS sessions by default.

Command Mode

Global Configuration mode

Example

The following example creates two login authentication method lists and binds them to HTTP and HTTPS separately:

switchxxxxxx(config)# ip http authentication aaa login-authentication http test1
switchxxxxxx(config)# ip http authentication aaa login-authentication https test2

login authentication

To specify the login authentication method list for a remote Telnet or console session, use the login authentication Line Configuration mode command.

To restore the default authentication method, use the no form of this command.

Syntax

login authentication {default | LISTNAME}

no login authentication

Parameters

default—Uses the default login authentication list.

LISTNAME—Name of a specific authentication list created with the aaa authentication login command.

Default Configuration

The default login authentication list is used for each line.

Command Mode

Line Configuration mode

Examples

Example 1—The following example specifies the default login authentication method for a console session:

switchxxxxxx(config)# line console
switchxxxxxx(config-line)# login authentication default

Example 2—The following example sets an authentication login method list for the console:

switchxxxxxx(config)# aaa authentication login authen-list radius local none
switchxxxxxx(config)# line console
switchxxxxxx(config-line)# login authentication authen-list

passwords aging

To enforce the password aging, use the passwords aging Global Configuration mode command.

To revert to its default setting, use the no form of this command.

Syntax

passwords aging days

no passwords aging

Parameters

days—The number of days before a password change is forced. A value of zero disables aging. (Range: 0 to 365)

Default Configuration

The number of days is 180.

Command Mode

Global Configuration mode

User Guidelines

Aging is relevant only to local users with the privilege level 15.

To disable the password aging, use passwords aging 0. Using no passwords aging restores the aging time to its default setting.

Example

The following example configures the aging time to 24 days:

switchxxxxxx(config)# passwords aging 24

passwords complexity attributes

To configure the minimum password requirements when the password complexity is enabled, use the passwords complexity <attributes> Global Configuration mode commands.

To revert to its default setting, use the no form of these commands.

Syntax

passwords complexity min-length number

no passwords complexity min-length

passwords complexity min-classes number

no passwords complexity min-classes

passwords complexity not-current

no passwords complexity not-current

passwords complexity no-repeat number

no passwords complexity no-repeat

passwords complexity not-username

no passwords complexity not-username

Parameters

min-length number—Specifies the minimum length of the password. (Range: 0 to 64 characters)

min-classes number—Specifies the minimum character classes (uppercase letters, lowercase letters, numbers, and special characters available on a standard keyboard). (Range: 0 to 4)

not-current—Specifies that the new password cannot be the same as the current password.

no-repeat number—Specifies the maximum number of characters that can be repeated consecutively. Zero specifies that there is no limit on repeated characters. (Range: 0 to 16)

not-username—Specifies that the new password cannot be the same as the current username.

Default Configuration

The minimum length is 8.

The number of classes is 3.

The default for no-repeat is 3.

All other controls are enabled by default.

Command Mode

Global Configuration mode

Example

The following example changes the minimum required password length to 10 characters:

switchxxxxxx(config)# passwords complexity min-length 10

passwords complexity enable

To enforce the minimum password complexity, use the passwords complexity enable Global Configuration mode command.

To disable enforcing the password complexity, use the no form of this command.

Syntax

passwords complexity enable

no passwords complexity enable

Parameters

N/A

Default Configuration

Password complexity is enabled on the switch.

Command Mode

Global Configuration mode

User Guidelines

The password complexity is enabled by default. The user is required to enter a password that:

  • Has a minimum length of 8 characters.

  • Contains characters from at least 3 character classes (uppercase letters, lowercase letters, numbers, and special characters available on a standard keyboard).

  • Is different from the current password.

  • Contains no character that is repeated more than 3 times consecutively.

You can control these attributes of the password complexity with specific commands described in this section.

If you have previously configured other complexity settings, then those settings are used. This command does not eliminate the other settings. It works only as a toggle.
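The five complexity attributes (min-length, min-classes, not-current, no-repeat, not-username) described under passwords complexity attributes and summarized in the list above map onto a small rule set. The checker below is an added example, not the switch's own implementation: it encodes the page's defaults (length 8, 3 classes, at most 3 consecutive identical characters, and the two "must differ" rules) so that each rejection names the attribute that caused it. The set of "special characters available on a standard keyboard", the exact-match reading of not-username, and the interpretation of no-repeat as "a run longer than the limit is rejected" are assumptions; the sample passwords are constructed.

```python
from typing import List, NamedTuple, Optional

# Constructed set of "special characters available on a standard keyboard".
SPECIALS = frozenset("!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~")


class ComplexityPolicy(NamedTuple):
    """Mirror of the passwords complexity attributes, with the page's defaults."""
    min_length: int = 8        # passwords complexity min-length
    min_classes: int = 3       # passwords complexity min-classes
    not_current: bool = True   # passwords complexity not-current
    no_repeat: int = 3         # passwords complexity no-repeat (0 = no limit)
    not_username: bool = True  # passwords complexity not-username


def char_classes(password: str) -> int:
    """Count how many of the four classes (upper, lower, digit, special) appear."""
    return sum((
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(c in SPECIALS for c in password),
    ))


def longest_run(password: str) -> int:
    """Length of the longest run of one character repeated consecutively."""
    longest = run = 0
    prev: Optional[str] = None
    for c in password:
        run = run + 1 if c == prev else 1
        prev = c
        longest = max(longest, run)
    return longest


def check_password(new_password: str, username: str,
                   current_password: Optional[str] = None,
                   policy: ComplexityPolicy = ComplexityPolicy()) -> List[str]:
    """Return the names of the violated attributes; an empty list means accepted."""
    violations: List[str] = []
    if len(new_password) < policy.min_length:
        violations.append("min-length")
    if char_classes(new_password) < policy.min_classes:
        violations.append("min-classes")
    if policy.not_current and current_password is not None and new_password == current_password:
        violations.append("not-current")
    # no-repeat 0 means no limit, so only a positive limit is enforced
    if policy.no_repeat and longest_run(new_password) > policy.no_repeat:
        violations.append("no-repeat")
    if policy.not_username and new_password == username:
        violations.append("not-username")
    return violations


if __name__ == "__main__":
    # Constructed candidates checked against the default policy for user 'cisco'
    for candidate in ("Test123!", "cisco", "Aaaaa12!"):
        print(f"{candidate!r}: {check_password(candidate, 'cisco') or 'accepted'}")
    # The same candidates under 'passwords complexity min-length 10'
    strict = ComplexityPolicy(min_length=10)
    print("min-length 10:", check_password("Test123!", "cisco", policy=strict))
```

Passing a `ComplexityPolicy` with a changed field corresponds to one of the `passwords complexity <attribute>` commands; `ComplexityPolicy(no_repeat=0)` is the "no limit" setting the parameter description mentions, and `ComplexityPolicy(min_length=10)` is the page's own example command.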

Example

The following example enables enforcing the password complexity on the switch and shows the current password complexity settings:

switchxxxxxx(config)# passwords complexity enable
switchxxxxxx(config)# exit
switchxxxxxx# show passwords configuration
Passwords aging is enabled with aging time 180 days.
Passwords complexity is enabled with the following attributes:
Minimal length: 3 characters
Minimal classes: 3
New password must be different than the current: Enabled
Maximum consecutive same characters: 3
New password must be different than the user name: Enabled

show aaa authentication lists

To show information for the AAA authentication lists, use the show aaa authentication lists Privileged EXEC command.

Syntax

show aaa authentication {login | enable} lists

Parameters

login—Displays information for the AAA authentication login lists.

enable—Displays information for the AAA authentication enable lists.

Command Mode

Privileged EXEC mode

Example

The following examples show information for all existing login and enable authentication lists:

switchxxxxxx# show aaa authentication login lists
 Login List Name  | Authentication Method List
------------------+----------------------------
 default          | local
switchxxxxxx# show aaa authentication enable lists
 Enable List Name | Authentication Method List
------------------+----------------------------
 default          | enable

show line lists

To show all AAA method lists for different line types, use the show line lists Privileged EXEC mode command.

Syntax

show line lists

Parameters

N/A

Default Configuration

N/A

Command Mode

Privileged EXEC mode

Example

The following example displays all AAA method lists for different line types:

switchxxxxxx# show line lists
Line Type  |    AAA Type     |  List Name
-------------+-----------------+-----------------
     console |           login | default
             |          enable | default
      telnet |           login | default
             |          enable | default
         ssh |           login | default
             |          enable | default
        http |           login | default
       https |           login | default

show passwords configuration

To show the password management configuration, use the show passwords configuration Privileged EXEC mode command.

Syntax

show passwords configuration

Parameters

N/A

Default Configuration

N/A

Command Mode

Privileged EXEC mode

Example

switchxxxxxx# show passwords configuration
Passwords aging is enabled with aging time 180 days.
Passwords complexity is enabled with the following attributes:
Minimal length: 3 characters
Minimal classes: 3
New password must be different than the current: Enabled
Maximum consecutive same characters: 3
New password must be different than the user name: Enabled

show username

To show all user accounts in the local database, use the show username Privileged EXEC mode command.

Syntax

show username

Parameters

None

Default Configuration

None

Command Mode

Privileged EXEC mode

Example

The following example shows information for all user accounts defined on the switch:

switchxxxxxx# show username
 Priv  |  Type  |           User Name            |            Password
-------+--------+--------------------------------+--------------------------
 15    | sha256 |             cisco              | $8$pyPNGyJXC0omPAcx$c/zXxHLyY2H/ZDYmmxxKtQ==

The following table describes the significant fields shown in the display:

 Field      | Description
------------+-----------------------------
 Priv       | The specific user privilege
 Type       | The hash type
 User Name  | The username
 Password   | The encrypted password

username

To add a new user or edit an existing user, use the username Global Configuration mode command.

To delete a username, use the no form of this command.

Syntax

username USERNAME [privilege {1 | 15 | admin | user}] algorithm-type hash-method secret unencrypted-password

username USERNAME [privilege {1 | 15 | admin | user}] secret 8 encrypted-password

no username USERNAME

Parameters

USERNAME—Name of the user. (Range: 1 to 32 characters)

privilege 1—(Optional) Sets the privilege level to 1.

privilege 15—(Optional) Sets the privilege level to 15.

privilege admin—(Optional) Sets the privilege level to 15.

privilege user—(Optional) Sets the privilege level to 1.

algorithm-type hash-method—Specifies the method used for encrypting the clear-text password. Supported values:

  • sha256—PBKDF2 encryption with HMAC using SHA256 as the underlying hashing algorithm. This is the default method if the method parameter is not specified.

secret—Specifies the password for this username.

unencrypted-password—The authentication password for the user. (Range: 1 to 64 characters)

8 encrypted-password—Specifies that the password is encrypted and hashed using a salt. Use this keyword to enter a password that is already encrypted (for instance, a password that was copied from the configuration file of another device). The encrypted-password is specified in the format $<type>$<salt>$<encrypted-password>, where:

  • $<type> is an integer value that indicates the type of hash algorithm used to generate the hash.

  • $<salt> is a random string. (Length: 16 bytes)

  • $<encrypted-password> is the base64 encoding of the encrypted hash output.
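Both the enable command and the username command describe the stored form of a password as $<type>$<salt>$<encrypted-password>, produced by PBKDF2 with HMAC-SHA256 over a 16-byte salt and base64-encoded. The parser and round-trip below are an added example (not Cisco's implementation) that validates that layout against the sample string from the page's enable secret 8 example and shows the derivation shape. The page does not state the PBKDF2 iteration count or derived-key length, so `ASSUMED_ITERATIONS` and `ASSUMED_DKLEN` are assumptions (16 bytes is what the page's samples decode to); consequently `verify()` is expected to match only hashes this example generated itself, not the page's sample.

```python
import base64
import hashlib
import hmac
import re
import secrets
from typing import NamedTuple, Optional

# Layout described on the page: $<type>$<salt>$<encrypted-password>
_STORED_RE = re.compile(r"^\$(?P<type>\d+)\$(?P<salt>[^$]+)\$(?P<digest>[^$]+)$")

# ASSUMPTIONS for the illustrative derivation (the page does not state them):
# the PBKDF2 iteration count and the derived-key length. The page's own sample
# hashes decode to a 16-byte digest, which is why ASSUMED_DKLEN is 16.
ASSUMED_ITERATIONS = 1000
ASSUMED_DKLEN = 16

# Constructed alphabet for generated salts; the page only says "random string".
_SALT_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"

# Sample hash taken from the page's 'enable secret 8' example.
PAGE_SAMPLE = "$8$GL6MPk5EYXHTYHOl$zHmAYrhnSDa7NfVEd+VGyQ=="


class StoredHash(NamedTuple):
    hash_type: int   # the integer after the first '$' (8 in the page's examples)
    salt: str        # 16-byte random string
    digest: bytes    # decoded hash output


def parse_stored_hash(value: str) -> StoredHash:
    """Split and validate a $<type>$<salt>$<encrypted-password> string.
    Raises ValueError when the layout, the salt length or the base64 is wrong."""
    m = _STORED_RE.match(value)
    if m is None:
        raise ValueError("not in $<type>$<salt>$<encrypted-password> form")
    salt = m.group("salt")
    salt_len = len(salt.encode("utf-8"))
    if salt_len != 16:
        raise ValueError(f"salt must be 16 bytes, got {salt_len}")
    try:
        digest = base64.b64decode(m.group("digest"), validate=True)
    except ValueError as exc:  # binascii.Error is a subclass of ValueError
        raise ValueError("encrypted-password is not valid base64") from exc
    return StoredHash(int(m.group("type")), salt, digest)


def is_well_formed(value: str) -> bool:
    """True when parse_stored_hash() accepts the string."""
    try:
        parse_stored_hash(value)
        return True
    except ValueError:
        return False


def derive(password: str, salt: str, dklen: int = ASSUMED_DKLEN) -> bytes:
    """PBKDF2 with HMAC-SHA256, the method the page names for algorithm-type sha256."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                               salt.encode("utf-8"), ASSUMED_ITERATIONS, dklen)


def make_stored_hash(password: str, hash_type: int = 8,
                     salt: Optional[str] = None) -> str:
    """Produce a string in the page's layout from a clear-text password."""
    if salt is None:
        salt = "".join(secrets.choice(_SALT_ALPHABET) for _ in range(16))
    digest = derive(password, salt)
    return f"${hash_type}${salt}${base64.b64encode(digest).decode('ascii')}"


def verify(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    parsed = parse_stored_hash(stored)
    candidate = derive(password, parsed.salt, len(parsed.digest))
    return hmac.compare_digest(candidate, parsed.digest)


if __name__ == "__main__":
    print("page sample:", parse_stored_hash(PAGE_SAMPLE))
    generated = make_stored_hash("Test123!")  # constructed password
    print("generated:", generated, "verifies:", verify("Test123!", generated))
```

The parser is what an operator copying a `secret 8` value between switches would want first: it catches a truncated salt or a mangled base64 tail before the value is pasted into another device's configuration. The constant-time comparison in `verify()` is the standard way to compare a candidate digest with a stored one.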

Default Configuration

The privilege level of the default user cisco is 15. The default password of this user is cisco.

Command Mode

Global Configuration mode

User Guidelines

The unencrypted-password must comply with the password complexity requirements. The last level 15 user cannot be removed and cannot be a remote user.

Examples

Example 1—Sets an unencrypted password for user tom (level 15). It will be encrypted in the configuration file.

switchxxxxxx(config)# username cisco privilege admin algorithm-type sha256 secret 1234Ab$5678

Example 2—Sets a password for user tom (level 15) that has already been encrypted. It will be copied to the configuration file just as it is entered.

switchxxxxxx(config)# username cisco privilege admin secret 8 $8$pyPNGyJXC0omPAcx$c/zXxHLyY2H/ZDYmmxxKtQ==