Passwords and Privileges Commands

This chapter explains the function and syntax of the passwords and privileges commands. For more information about defaults and usage guidelines, see the corresponding chapter of the Cisco IOS Security Command Reference, Release 12.1.

enable password

To set a local password to control access to various privilege levels, use the enable password command in global configuration mode. Use the no form of this command to remove the password requirement.

enable password [level level] {password | [encryption-type] encrypted-password}

no enable password [level level]

Syntax Description

level level

(Optional) Level for which the password applies. You can specify up to 16 privilege levels, using numbers 0 through 15. Level 1 is normal EXEC-mode user privileges. If this argument is not specified in the command or the no form of the command, the privilege level defaults to 15 (traditional enable privileges).

password

Password users type to enter enable mode.

encryption-type

(Optional) Cisco-proprietary algorithm used to encrypt the password. Currently the only encryption type available is 7. If you specify encryption-type, the next argument you supply must be an encrypted password (a password already encrypted by a Cisco router).

encrypted-password

Encrypted password you enter, copied from another router configuration.

enable secret

To specify an additional layer of security over the enable password command, use the enable secret command in global configuration mode. Use the no form of this command to turn off the enable secret function.

enable secret [level level] {password | [encryption-type] encrypted-password}

no enable secret [level level]

Syntax Description

level level

(Optional) Level for which the password applies. You can specify up to 16 privilege levels, using numbers 0 through 15. Level 1 is normal EXEC-mode user privileges. If this argument is not specified in the command or in the no form of the command, the privilege level defaults to 15 (traditional enable privileges).

password

Password for users to enter enable mode. This password should be different from the password created with the enable password command.

encryption-type

(Optional) Cisco-proprietary algorithm used to encrypt the password. Currently the only encryption type available for this command is 5. If you specify encryption-type, the next argument you supply must be an encrypted password (a password encrypted by a Cisco router).

encrypted-password

Encrypted password you enter, copied from another router configuration.

password

To specify a password on a line, use the password command in line configuration mode. Use the no form of this command to remove the password.

password password

no password

Syntax Description

password

Character string that specifies the line password. The first character cannot be a number. The string can contain any alphanumeric characters, including spaces, up to 80 characters. You cannot specify the password in the format number-space-anything, because the space after the number causes problems. For example, hello 21 is a legal password, but 21 hello is not. Password checking is case sensitive. For example, the password Secret is different from the password secret.

privilege level (global)

To set the privilege level for a command, use the privilege level (global) command in global configuration mode. Use the no form of this command to revert to the default privilege level for a given command.

privilege mode [level level command | reset command]

no privilege mode level level command

Syntax Description

mode

Configuration mode in which the specified command is entered.

level

Assigns a privilege level to the specified command.

level

Specifies the privilege level associated with a command. You can specify up to sixteen privilege levels, using numbers 0 through 15.

command

Command to which the privilege level is associated.

reset

Resets the privilege level of a command.

command

Specifies the command for which you want to reset the privilege level.

privilege level (line)

To set the default privilege level for a line, use the privilege level (line) command in line configuration mode. Use the no form of this command to restore the default user privilege level to the line.

privilege level level

no privilege level

Syntax Description

level

Privilege level associated with the specified line.
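The two privilege level commands above, together with the privilege keyword of the username command, decide which commands a session can run: a command is executable when the session's level is greater than or equal to the command's level. The following Python model is an added example, not Cisco code. It replays privilege MODE level N COMMAND and privilege MODE reset COMMAND lines over a default table, reads the per-line privilege level N and per-user privilege N settings, and answers which modelled commands a given level can reach. The default table, the sample configuration and the rule that a reset of an unlisted command yields level 15 are assumptions for the example; it models only the whole command strings listed and does not model how IOS treats the parent keywords of a multi-word command.

```python
"""Replay IOS privilege-level configuration into a lookup model (added example)."""
from typing import Dict, List, Optional, Tuple

CommandKey = Tuple[str, str]   # (configuration mode, command string)

# Constructed defaults for the commands used below (assumption; real
# defaults come from the IOS image, not from this table).
DEFAULT_COMMAND_LEVELS: Dict[CommandKey, int] = {
    ("exec", "show version"): 1,
    ("exec", "ping"): 1,
    ("exec", "show running-config"): 15,
    ("exec", "clear line"): 15,
    ("configure", "interface"): 15,
}


def replay_privilege(config: str, defaults: Dict[CommandKey, int]) -> Dict[CommandKey, int]:
    """Apply global `privilege MODE level N CMD` / `privilege MODE reset CMD` lines in order."""
    levels = dict(defaults)
    for raw in config.splitlines():
        t = raw.split()
        if raw.startswith(" ") or t[:1] != ["privilege"] or len(t) < 4:
            continue   # indented `privilege level N` belongs to a line block, handled below
        mode = t[1]
        if t[2] == "level" and len(t) >= 5:
            levels[(mode, " ".join(t[4:]))] = int(t[3])
        elif t[2] == "reset":
            key = (mode, " ".join(t[3:]))
            levels[key] = defaults.get(key, 15)   # assumption: unlisted commands default to 15
    return levels


def line_default_levels(config: str) -> Dict[str, int]:
    """`privilege level N` under each `line ...` block; lines without it stay at level 1."""
    levels: Dict[str, int] = {}
    current: Optional[str] = None
    for raw in config.splitlines():
        t = raw.split()
        if not t:
            continue
        if not raw.startswith(" "):
            current = " ".join(t[1:]) if t[0] == "line" else None
            if current is not None:
                levels.setdefault(current, 1)
        elif current and t[:2] == ["privilege", "level"] and len(t) == 3:
            levels[current] = int(t[2])
    return levels


def user_levels(config: str) -> Dict[str, int]:
    """`username NAME ... privilege N ...`; users without the keyword get level 1."""
    levels: Dict[str, int] = {}
    for raw in config.splitlines():
        t = raw.split()
        if t[:1] == ["username"] and len(t) >= 2:
            levels.setdefault(t[1], 1)
            if "privilege" in t:
                i = t.index("privilege")
                if i + 1 < len(t) and t[i + 1].isdigit():
                    levels[t[1]] = int(t[i + 1])
    return levels


def can_run(session_level: int, levels: Dict[CommandKey, int], mode: str, command: str) -> bool:
    """A session may execute a command when its level is >= the command's level."""
    return session_level >= levels[(mode, command)]


def reachable(session_level: int, levels: Dict[CommandKey, int]) -> List[CommandKey]:
    """Every modelled command a session at this level may execute, sorted."""
    return sorted(k for k, lvl in levels.items() if session_level >= lvl)


# Constructed sample configuration (type-7 strings are made-up values).
SAMPLE_CONFIG = """\
privilege exec level 5 show running-config
privilege exec level 5 clear line
privilege exec level 15 ping
privilege exec reset clear line
privilege configure level 10 interface
username helpdesk privilege 5 password 7 0510060C1D2D
username netadmin privilege 15 password 7 1C0F1D0A2E3B
line con 0
 privilege level 15
line vty 0 4
 privilege level 5
 login local
"""

if __name__ == "__main__":
    levels = replay_privilege(SAMPLE_CONFIG, DEFAULT_COMMAND_LEVELS)
    for line_name, lvl in line_default_levels(SAMPLE_CONFIG).items():
        print(f"line {line_name} (level {lvl}): {reachable(lvl, levels)}")
```

Replaying the sample shows the ordering rule in action: clear line is lowered to level 5 and then returned to its default by the later reset, so a vty session at level 5 reaches show running-config and show version but not clear line, while the console at level 15 reaches everything.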

service password-encryption

To encrypt passwords, use the service password-encryption command in global configuration mode. Use the no form of this command to restore the default.

service password-encryption

no service password-encryption

Syntax Description

This command has no arguments or keywords.

show privilege

To display your current level of privilege, use the show privilege command in EXEC mode.

show privilege

Syntax Description

This command has no arguments or keywords.

username

To establish a username-based authentication system, use the username command in global configuration mode.

username name {nopassword | password password | password encryption-type encrypted-password}

username name password secret

username name [access-class number]

username name [autocommand command]

username name [callback-dialstring telephone-number]

username name [callback-rotary rotary-group-number]

username name [callback-line [tty] line-number [ending-line-number]]

username name dnis

username name [nocallback-verify]

username name [noescape] [nohangup]

username name [privilege level]

username name user-maxlinks number

Syntax Description

name

Host name, server name, user ID, or command name. The name argument can be only one word. White spaces and quotation marks are not allowed.

nopassword

No password is required for this user to log in. This is most useful in combination with the autocommand keyword.

password

Specifies a possibly encrypted password for this username.

password

Password a user enters.

encryption-type

(Optional) Single-digit number that defines whether the text immediately following is encrypted, and, if so, what type of encryption is used. Currently defined encryption types are 0, which means that the text immediately following is not encrypted, and 7, which means that the text is encrypted using a Cisco-defined encryption algorithm.

encrypted-password

(Optional) Encrypted password a user enters.

password

Password to access the name argument. A password must be from 1 to 25 characters, can contain embedded spaces, and must be the last option specified in the username command.

secret

For CHAP authentication: specifies the secret for the local router or the remote device. The secret is encrypted when it is stored on the local router. The secret can consist of any string of up to 11 ASCII characters. There is no limit to the number of username and password combinations that can be specified, allowing any number of remote devices to be authenticated.

access-class

(Optional) Specifies an outgoing access list that overrides the access list specified in the access-class line configuration command. It is used for the duration of the user's session.

number

(Optional) Access list number.

autocommand

(Optional) Causes the specified command to be issued automatically after the user logs in. When the command is complete, the session is terminated.

command

(Optional) The command string. Because the command can be any length and contain embedded spaces, commands using the autocommand keyword must be the last option on the line.

callback-dialstring

(Optional) For asynchronous callback only: permits you to specify a telephone number to pass to the DCE device.

telephone-number

(Optional) For asynchronous callback only: telephone number to pass to the DCE device.

callback-rotary

(Optional) For asynchronous callback only: permits you to specify a rotary group number. The next available line in the rotary group is selected.

rotary-group-number

(Optional) For asynchronous callback only: integer between 1 and 100 that identifies the group of lines on which you want to enable a specific username for callback.

callback-line

(Optional) For asynchronous callback only: specific line on which you enable a specific username for callback.

tty

(Optional) For asynchronous callback only: standard asynchronous line.

line-number

(Optional) For asynchronous callback only: relative number of the terminal line (or the first line in a contiguous group) on which you want to enable a specific username for callback. Numbering begins with zero.

ending-line-number

(Optional) Relative number of the last line in a contiguous group on which you want to enable a specific username for callback. If you omit the keyword (such as tty), then line-number and ending-line-number are absolute rather than relative line numbers.

dnis

Does not require a password when the username is obtained through DNIS.

nocallback-verify

(Optional) Authentication not required for EXEC callback on the specified line.

noescape

(Optional) Prevents a user from using an escape character on the host to which that user is connected.

nohangup

(Optional) Prevents Cisco IOS software from disconnecting the user after an automatic command (set up with the autocommand keyword) has completed. Instead, the user gets another EXEC prompt.

privilege

(Optional) Sets the privilege level for the user.

level

(Optional) Number between 0 and 15 that specifies the privilege level for the user.

user-maxlinks

Limits the user's number of inbound links.

number

Maximum number of inbound links allowed for the user.
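The enable password, enable secret, password, service password-encryption and username commands above all decide how a credential is written into the configuration, and the encryption-type digits they define (0 for cleartext, 7 for the Cisco-proprietary algorithm, 5 for the enable secret hash) are what a reviewer reads off a saved running-config. The following Python audit is an added example, not Cisco code: it walks a constructed running-config and flags enable passwords that are cleartext or that exist without an enable secret, username and line passwords stored as cleartext or as type 7 (a reversible encoding, unlike the type-5 hash), nopassword users, and a missing service password-encryption. The sample configuration, its made-up hash and type-7 strings, and the severity labels are assumptions for the example.

```python
"""Audit how a Cisco IOS running-config stores credentials (added example)."""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

CLEARTEXT, MD5, TYPE7 = "0", "5", "7"   # encryption-type digits from this chapter


@dataclass(frozen=True)
class Finding:
    line_no: int     # 1-based line in the config text; 0 = whole-config finding
    severity: str    # "high" or "medium"
    message: str


def password_type(rest: List[str]) -> str:
    """Tokens after 'password'/'secret': optional type digit, then the value.
    Only 0, 5 and 7 count as type digits, so a value like '21 hello' is not misread."""
    if len(rest) >= 2 and rest[0] in (CLEARTEXT, MD5, TYPE7):
        return rest[0]
    return CLEARTEXT   # no digit: the operator typed a cleartext value


def enable_fields(tokens: List[str]) -> Tuple[str, int, str]:
    """'enable password|secret [level N] [type] value' -> (kind, level, type); level defaults to 15."""
    kind, rest, level = tokens[1], tokens[2:], 15
    if rest[:1] == ["level"] and len(rest) >= 2:
        level, rest = int(rest[1]), rest[2:]
    return kind, level, password_type(rest)


def audit_config(config: str) -> List[Finding]:
    lines = config.splitlines()
    findings: List[Finding] = []

    # Pass 1: facts that later checks depend on.
    secret_levels: Set[int] = set()
    autocommand_users: Set[str] = set()
    has_pw_encryption = False
    for raw in lines:
        t = raw.split()
        if t[:2] == ["service", "password-encryption"]:
            has_pw_encryption = True
        elif t[:2] == ["enable", "secret"] and len(t) >= 3:
            secret_levels.add(enable_fields(t)[1])
        elif t[:1] == ["username"] and "autocommand" in t:
            autocommand_users.add(t[1])

    # Pass 2: one finding per weak credential, in config order.
    current_line: Optional[str] = None   # the `line ...` block we are inside, if any
    for no, raw in enumerate(lines, 1):
        t = raw.split()
        if not t:
            continue
        indented = raw.startswith(" ")   # IOS indents line sub-commands by one space
        if not indented:
            current_line = " ".join(t[1:]) if t[0] == "line" else None

        if t[:1] == ["enable"] and t[1:2] in (["password"], ["secret"]) and len(t) >= 3:
            kind, level, enc = enable_fields(t)
            if kind == "secret":
                continue   # always stored as a type-5 hash; nothing to flag
            if enc == CLEARTEXT:
                findings.append(Finding(no, "high", f"enable password (level {level}) is stored in cleartext"))
            elif level in secret_levels:
                findings.append(Finding(no, "medium", f"enable password (level {level}) is shadowed by enable secret but remains as reversible type 7"))
            else:
                findings.append(Finding(no, "high", f"enable password (level {level}) is the only enable credential and is reversible type 7; add enable secret"))
        elif t[:1] == ["username"] and len(t) >= 3:
            user = t[1]
            if "nopassword" in t:
                sev = "medium" if user in autocommand_users else "high"
                findings.append(Finding(no, sev, f"username {user} requires no password"))
            elif "password" in t:
                enc = password_type(t[t.index("password") + 1:])
                if enc == CLEARTEXT:
                    findings.append(Finding(no, "high", f"username {user} password is stored in cleartext"))
                elif enc == TYPE7:
                    findings.append(Finding(no, "medium", f"username {user} password is reversible type 7"))
        elif indented and current_line and t[0] == "password":
            enc = password_type(t[1:])
            if enc == CLEARTEXT:
                findings.append(Finding(no, "high", f"line {current_line}: password is stored in cleartext"))
            elif enc == TYPE7:
                findings.append(Finding(no, "medium", f"line {current_line}: password is reversible type 7"))

    if not has_pw_encryption:
        findings.append(Finding(0, "medium", "service password-encryption is off: line and username passwords are written in cleartext"))
    return findings


# Constructed sample running-config (the hash and type-7 strings are made-up values).
SAMPLE_CONFIG = """\
!
hostname edge-rtr-example
!
enable secret 5 $1$XXXX$constructedhash0000000000000000
enable password 7 0822455D0A16
enable password level 5 operator-cleartext
!
username netops privilege 15 password 7 0510060C1D2D
username audit privilege 1 password 0 readonly-cleartext
username guest nopassword
username guest autocommand show users
!
line con 0
 password 7 030752180500
line vty 0 4
 password ttypassw0rd
 login
!
"""

if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print(f"[{f.severity}] line {f.line_no}: {f.message}")
```

Against the sample the audit reports the level-15 enable password as redundant next to the enable secret, the level-5 enable password and the audit user as cleartext, the guest user as passwordless (downgraded to medium because an autocommand is set for it), both line passwords, and the absent service password-encryption; a configuration that keeps only enable secret and type-7 line passwords under service password-encryption produces a single medium finding.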


Posted: Wed Jul 26 16:29:37 PDT 2000
Copyright © 1989-2000 Cisco Systems Inc.