Security Configuration Guide, Cisco IOS XE Gibraltar 16.11.x (Catalyst 9500 Switches) - Controlling Switch Access with Passwords and Privilege Levels [Support] (2023)

Restrictions for Controlling Switch Access with Passwords and Privileges

The following are the restrictions for controlling switch access with passwords and privileges:

Disabling password recovery will not work if you have set the switch to boot up manually by using the boot manual global configuration command. This command produces the boot loader prompt (switch:) after the switch is power cycled.

Restrictions and Guidelines for Reversible Password Types

Password type 0 and 7 are replaced with password type 6. So password type 0 and 7, which were used for administrator login to the console, Telnet, SSH, webUI, and NETCONF must be migrated to password type 6. No action is required if username and password are type 0 and 7 for local authentication such as CHAP, EAP, and so on.
If the startup configuration has a type 6 password and you downgrade to a version in which type 6 password is not supported, you can/may be locked out of the device.

Restrictions and Guidelines for Irreversible Password Types

Username secret password type 5 and enable secret password type 5 must be migrated to the stronger password type 8 or 9. For more information, see Protecting Enable and Enable Secret Passwords with Encryption.
If the startup configuration of the device has convoluted type 9 secret (password that starts with $14$), then a downgrade can only be performed to a release in which the convoluted type 9 secret is supported. Convoluted type 9 secret is supported in Cisco IOS XE Gibraltar 16.11.2 and later releases. If the startup configuration has convoluted type 9 secret and you downgrade to any release earlier than Cisco IOS XE Gibraltar 16.11.2, you will be locked out of the device.

Before you downgrade to any release in which convoluted type 9 secret is not supported, ensure that the type 9 secret (password that starts with $9$) must be part of the startup configuration instead of convoluted type 9 secret (password that starts with $14$) or type 5 secret (password that starts with $1$).

If a device is upgraded from Cisco IOS XE Fuji 16.9.x, Cisco IOS XE Gibraltar 16.10.x, or Cisco IOS XE Gibraltar 16.11.x to Cisco IOS XE Gibraltar 16.12.x, the type 5 secret is auto-converted to convoluted type 9 secret (password that starts with $14$). For example: username user1 secret 5 $1$dNmW$7jWhqdtZ2qBVz2R4CSZZC0 is auto-converted to username user1 secret 9 $14$dNmW$QykGZEEGmiEGrE$C9D/fD0czicOtgaZAa1CTa2sgygi0Leyw3/cLqPY426. After the device is upgraded, run the write memory command in privileged EXEC mode for the convoluted type 9 secret to be permanently written into the startup configuration.
Plain text passwords are converted to nonreversible encrypted password type 9.

Note

This is supported in Cisco IOS XE Gibraltar 16.10.1 and later releases.
Secret password type 4 is not supported.

Information About Controlling Switch Access with Passwords and Privileges

This section provides information about controlling switch access with passwords and privileges.

Preventing Unauthorized Access

You can prevent unauthorized users from reconfiguring your switch and viewing configuration information. Typically, you want network administrators to have access to your switch while you restrict access to users who dial from outside the network through an asynchronous port, connect from outside the network through a serial port, or connect through a terminal or workstation from within the local network.

To prevent unauthorized access into your switch, you should configure one or more of these security features:

At a minimum, you should configure passwords and privileges at each switch port. These passwords are locally stored on the switch. When users attempt to access the switch through a port or line, they must enter the password specified for the port or line before they can access the switch.
See Also
Configure Password Settings on a Switch through the Command Line Interface (CLI)Configure Telnet, Console, and AUX Port Passwords on Routers Cisco Content Hub - Controlling Switch Access with Passwords and Privilege Levels User Security Configuration Guide, Cisco IOS Release 15MT - Configuring Security with Passwords, Privileges, and Logins [Support]
For an additional layer of security, you can also configure username and password pairs, which are locally stored on the switch. These pairs are assigned to lines or ports and authenticate each user before that user can access the switch. If you have defined privilege levels, you can also assign a specific privilege level (with associated rights and privileges) to each username and password pair.
If you want to use username and password pairs, but you want to store them centrally on a server instead of locally, you can store them in a database on a security server. Multiple networking devices can then use the same database to obtain user authentication (and, if necessary, authorization) information.
You can also enable the login enhancements feature, which logs both failed and unsuccessful login attempts. Login enhancements can also be configured to block future login attempts after a set number of unsuccessful attempts are made.

Default Password and Privilege Level Configuration

A simple way of providing terminal access control in your network is to use passwords and assign privilege levels. Password protection restricts access to a network or network device. Privilege levels define what commands users can enter after they have logged into a network device.

This table shows the default password and privilege level configuration.

Table 1. Default Password and Privilege Levels
Feature	Default Setting
Enable password and privilege level	No password is defined. The default is level 15 (privileged EXEC level). The password is not encrypted in the configuration file.
Enable secret password and privilege level	No password is defined. The default is level 15 (privileged EXEC level). The password is encrypted before it is written to the configuration file.
Line password	No password is defined.

Additional Password Security

To provide an additional layer of security, particularly for passwords that cross the network or that are stored on a Trivial File Transfer Protocol (TFTP) server, you can use either the enable password or enable secret global configuration commands. Both commands accomplish the same thing; that is, you can establish an encrypted password that users must enter to access privileged EXEC mode (the default) or any privilege level you specify.

We recommend that you use the enable secret command because it uses an improved encryption algorithm.

If you configure the enable secret command, it takes precedence over the enable password command; the two commands cannot be in effect simultaneously.

If you enable password encryption, it applies to all passwords including username passwords, authentication key passwords, the privileged command password, and console and virtual terminal line passwords.

Password Recovery

By default, any end user with physical access to the switch can recover from a lost password by interrupting the boot process while the switch is powering on and then by entering a new password.

The password-recovery disable feature protects access to the switch password by disabling part of this functionality. When this feature is enabled, the end user can interrupt the boot process only by agreeing to set the system back to the default configuration. With password recovery disabled, you can still interrupt the boot process and change the password, but the configuration file (config.text) and the VLAN database file (vlan.dat) are deleted.

If you disable password recovery, we recommend that you keep a backup copy of the configuration file on a secure server in case the end user interrupts the boot process and sets the system back to default values. Do not keep a backup copy of the configuration file on the switch. If the switch is operating in VTP transparent mode, we recommend that you also keep a backup copy of the VLAN database file on a secure server. When the switch is returned to the default system configuration, you can download the saved files to the switch by using the Xmodem protocol.

To re-enable password recovery, use the no system disable password recovery switch number| all global configuration command.

Terminal Line Telnet Configuration

When you power-up your switch for the first time, an automatic setup program runs to assign IP information and to create a default configuration for continued use. The setup program also prompts you to configure your switch for Telnet access through a password. If you did not configure this password during the setup program, you can configure it when you set a Telnet password for a terminal line.

Username and Password Pairs

You can configure username and password pairs, which are locally stored on the switch. These pairs are assigned to lines or ports and authenticate each user before that user can access the switch. If you have defined privilege levels, you can also assign a specific privilege level (with associated rights and privileges) to each username and password pair.

Privilege Levels

Cisco devices use privilege levels to provide password security for different levels of switch operation. By default, the Cisco IOS XE software operates in two modes (privilege levels) of password security: user EXEC (Level 1) and privileged EXEC (Level 15). You can configure up to 16 hierarchical levels of commands for each mode. By configuring multiple passwords, you can allow different sets of users to have access to specified commands.

Privilege Levels on Lines

Users can override the privilege level you set using the privilege level line configuration command by logging in to the line and enabling a different privilege level. They can lower the privilege level by using the disable command. If users know the password to a higher privilege level, they can use that password to enable the higher privilege level. You might specify a high level or privilege level for your console line to restrict line usage.

For example, if you want many users to have access to the clear line command, you can assign it level2security and distribute the level 2 password fairly widely. But if you want more restricted access to the configure command, you can assign it level 3 security and distribute that password to a more restricted group of users.

Command Privilege Levels

When you set a command to a privilege level, all commands whose syntax is a subset of that command are also set to that level. For example, if you set the show ip traffic command to level 15, the show commands and show ip commands are automatically set to privilege level 15 unless you set them individually to different levels.

AES Password Encryption and Master Encryption Keys

You can enable strong, reversible 128-bit Advanced Encryption Standard (AES) password encryption, also known as type 6 encryption. To start using type 6 encryption, enable the AES Password Encryption feature and configure a master encryption key to encrypt and decrypt passwords.

After you enable AES password encryption and configure a master key, all the existing and newly created cleartext passwords for the supported applications are stored in type 6 encrypted format, unless you disable type 6 password encryption. You can also configure the device to convert all the existing weakly encrypted passwords to type 6 encrypted passwords.

Type 0 and 7 passwords can be autoconverted to type 6 if the AES Password Encryption feature and master encryption key are configured.

Security Configuration Guide, Cisco IOS XE Gibraltar 16.11.x (Catalyst 9500 Switches) - Controlling Switch Access with Passwords and Privilege Levels [Support] (2)

Note

Type 6 encrypted password for the username password is supported from Cisco IOS XE Gibraltar 16.10.1 and later releases. Autoconversion to password type 6 is supported from Cisco IOS XE Gibraltar 16.11.1 and later releases.
Type 6 username and password are backward compatible to Cisco IOS XE Gibraltar 16.10.x. If you downgrade to any release earlier than Cisco IOS XE Gibraltar 16.10.1, the type 6 username and password are rejected. After autoconversion, to prevent an administrator password from getting rejected during a downgrade, migrate the passwords used for administrator logins (management access) to irreversible password types manually.

How to Configure Switch Access with Passwords and Privileges

Setting or Changing a Static Enable Password

The enable password controls access to the privileged EXEC mode. Follow these steps to set or change a static enable password:

SUMMARY STEPS

enable
configure terminal
enable password password
end

DETAILED STEPS

	Command or Action	Purpose
Step1	enable Example: `Device> enable`	Enables privileged EXEC mode. Enter your password, if prompted.
Step2	configure terminal Example: `Device# configure terminal`	Enters global configuration mode.
Step3	enable password `password` Example: `Device(config)# enable password secret321`	Defines a new password or changes an existing password for access to privileged EXEC mode. By default, no password is defined. For `password` , specify a string from 1 to 25 alphanumeric characters. The string cannot start with a number, is case sensitive, and allows spaces but ignores leading spaces. It can contain the question mark (?) character if you precede the question mark with the key combination Crtl-v when you create the password; for example, to create the password abc?123, do this: Enter abc. Enter Crtl-v. Enter ?123. When the system prompts you to enter the enable password, you need not precede the question mark with the Ctrl-v; you can simply enter abc?123 at the password prompt.
Step4	end Example: `Device(config)# end`	Exits global configuration mode and returns to privileged EXEC mode.

Protecting Enable and Enable Secret Passwords with Encryption

Follow these steps to establish an encrypted password that users must enter to access privileged EXEC mode (the default) or any privilege level you specify:

SUMMARY STEPS

enable
configure terminal
Use one of the following:

enable password [level level] {unencrypted-password | encryption-type encrypted-password}
enable secret [level level] {unencrypted-password | encryption-type encrypted-password}

service password-encryption

end

DETAILED STEPS

Command or Action Purpose

Step1

enable

Example:

Device> enable

Enables privileged EXEC mode. Enter your password, if prompted.

Step2

configure terminal

Example:

Device# configure terminal

Enters global configuration mode.

Step3

Use one of the following:

enable password [level level] {unencrypted-password | encryption-type encrypted-password}
enable secret [level level] {unencrypted-password | encryption-type encrypted-password}

Example:

Device(config)# enable password level 12 example123

Device(config)# enable secret 9 $9$sMLBsTFXLnnHTk$0L82

Defines a new password or changes an existing password for access to privileged EXEC mode.

Defines a secret password, which is saved using a nonreversible encryption method.

(Optional) For level , the range is from 0 to 15. Level 1 is normal user EXEC mode privileges. The default level is 15 (privileged EXEC mode privileges).
For unencrypted-password , specify a string from 1 to 25 alphanumeric characters. The string cannot start with a number, is case sensitive, and allows spaces but ignores leading spaces. By default, no password is defined.

For encryption-type , the available options for enable password are type 0 and 7, and type 0, 5, 8, and 9 for enable secret . If you specify an encryption type, you must provide an encrypted password—an encrypted password that you copy from another switch configuration. Secret encryption type 9 is more secure, so we recommend that you select type 9 to avoid any issues while upgrading or downgrading.

Note

If you do not specify an encryption type for the secret password, the password is auto converted to type 9. This is applicable in Cisco IOS XE Gibraltar 16.10.1 and later releases.
If you specify an encryption type and then enter a clear text password, it will result in an error.
You can also configure type 9 encryption for the secret password manually by using the algorithm-type scrypt command in global configuration mode. For example:
```
Device(config)# username user1 algorithm-type scrypt secret cisco
```
Or
```
Device(config)# enable algorithm-type scrypt secret cisco
```
Run the write memory command in privileged EXEC mode for the type 9 secret to be permanently written into the startup configuration.

Step4

service password-encryption

Example:

Device(config)# service password-encryption

(Optional) Encrypts the password when the password is defined or when the configuration is written.

Encryption prevents the password from being readable in the configuration file.

Step5

end

Example:

Device(config)# end

Exits global configuration mode and returns to privileged EXEC mode.

Disabling Password Recovery

Follow these steps to disable password recovery to protect the security of your switch:

Before you begin

SUMMARY STEPS

enable
configure terminal
system disable password recovery switch {all | <1-9> }
end

DETAILED STEPS

	Command or Action	Purpose
Step1	enable Example: `Device> enable`	Enables privileged EXEC mode. Enter your password, if prompted.
Step2	configure terminal Example: `Device# configure terminal`	Enters global configuration mode.
Step3	system disable password recovery switch {`all` \| `<1-9>` } Example: `Device(config)# system disable password recovery switch all`	Disables password recovery. `all` : Sets the configuration on switches in stack. `<1-9>` : Sets the configuration on the switch number selected. This setting is saved in an area of the flash memory that is accessible by the boot loader and the Cisco IOS image, but is not a part of the file system and is not accessible by any user.
Step4	end Example: `Device(config)# end`	Exits global configuration mode and returns to privileged EXEC mode.

What to do next

To remove disable password recovery , use the no system disable password recovery switch all global configuration command.

Setting a Telnet Password for a Terminal Line

Beginning in user EXEC mode, follow these steps to set a Telnet password for the connected terminal line:

Before you begin

Attach a PC or workstation with emulation software to the switch console port, or attach a PC to the Ethernet management port.
The default data characteristics of the console port are 9600, 8, 1, no parity. You might need to press the Return key several times to see the command-line prompt.

SUMMARY STEPS

enable
configure terminal
line vty 0 98
password password
end

DETAILED STEPS

	Command or Action	Purpose
Step1	enable Example: `Device> enable`	Enables privileged EXEC mode. Enter your password, if prompted.
Step2	configure terminal Example: `Device# configure terminal`	Enters global configuration mode.
Step3	line vty 0 98 Example: `Device(config)# line vty 0 98`	Configures the number of Telnet sessions (lines), and enters line configuration mode. There are 99 possible sessions on a command-capable device. The 0 and 98 mean that you are configuring all 99 possible Telnet sessions.
Step4	password `password` Example: `Device(config-line)# password abcxyz543`	Sets a Telnet password for the line or lines. For `password` , specify a string from 1 to 25 alphanumeric characters. The string cannot start with a number, is case sensitive, and allows spaces but ignores leading spaces. By default, no password is defined.
Step5	end Example: `Device(config-line)# end`	Returns to privileged EXEC mode.

Configuring Username and Password Pairs

Follow these steps to configure username and password pairs:

SUMMARY STEPS

enable
configure terminal
username name [privilege level] {password encryption-type password}
Use one of the following:

line console 0
line vty 0 98

end

DETAILED STEPS

	Command or Action	Purpose
Step1	enable Example: `Device> enable`	Enables privileged EXEC mode. Enter your password, if prompted.
Step2	configure terminal Example: `Device# configure terminal`	Enters global configuration mode.
Step3	username `name` [privilege `level`] {password `encryption-type` `password`} Example: `Device(config)# username adamsample privilege 1 password secret456` `Device(config)# username 111111111111 mac attribute`	Sets the username, privilege level, and password for each user. For `name` , specify the user ID as one word or the MAC address. Spaces and quotation marks are not allowed. You can configure a maximum of 12000 clients each, for both username and MAC filter. (Optional) For `level` , specify the privilege level the user has after gaining access. The range is 0 to 15. Level 15 gives privileged EXEC mode access. Level 1 gives user EXEC mode access. For `encryption-type` , enter 0 to specify that an unencrypted password will follow. Enter 7 to specify that a hidden password will follow. Enter 6 to specify that an encrypted password will follow. For `password` , specify the password the user must enter to gain access to the device. The password must be from 1 to 25 characters, can contain embedded spaces, and must be the last option specified in the username command.
Step4	Use one of the following: line console 0 line vty 0 98 Example: `Device(config)# line console 0` or `Device(config)# line vty 0 98`	Enters line configuration mode, and configures the console port (line 0) or the VTY lines (line 0 to 98).
Step5	end Example: `Device(config-line)# end`	Exits line configuration mode and returns to privileged EXEC mode.

Setting the Privilege Level for a Command

Follow these steps to set the privilege level for a command:

SUMMARY STEPS

enable
configure terminal
privilege mode level level command
enable password level level password
end

DETAILED STEPS

	Command or Action	Purpose
Step1	enable Example: `Device> enable`	Enables privileged EXEC mode. Enter your password, if prompted.
Step2	configure terminal Example: `Device# configure terminal`	Enters global configuration mode.
Step3	privilege `mode` level `level` `command` Example: `Device(config)# privilege exec level 14 configure`	Sets the privilege level for a command. For `mode` , enter configure for global configuration mode, exec for EXEC mode, interface for interface configuration mode, or line for line configuration mode. For `level` , the range is from 0 to 15. Level 1 is for normal user EXEC mode privileges. Level 15 is the level of access permitted by the enable password. For `command` , specify the command to which you want to restrict access.
Step4	enable password level `level` `password` Example: `Device(config)# enable password level 14 SecretPswd14`	Specifies the password to enable the privilege level. For `level` , the range is from 0 to 15. Level 1 is for normal user EXEC mode privileges. For `password` , specify a string from 1 to 25 alphanumeric characters. The string cannot start with a number, is case sensitive, and allows spaces but ignores leading spaces. By default, no password is defined.
Step5	end Example: `Device(config)# end`	Exits global configuration mode and returns to privileged EXEC mode.

Changing the Default Privilege Level for Lines

Follow these steps to change the default privilege level for the specified line:

SUMMARY STEPS

enable
configure terminal
line vty line
privilege exec level level
end

DETAILED STEPS

	Command or Action	Purpose
Step1	enable Example: `Device> enable`	Enables privileged EXEC mode. Enter your password if prompted.
Step2	configure terminal Example: `Device# configure terminal`	Enters global configuration mode.
Step3	line vty `line` Example: `Device(config)# line vty 10`	Selects the virtual terminal line on which to restrict access.
Step4	privilege exec level `level` Example: `Device(config-line)# privilege exec level 15`	Changes the default privilege level for the line. For `level` , the range is from 0 to 15. Level 1 is for normal user EXEC mode privileges. Level 15 is the level of access permitted by the enable password.
Step5	end Example: `Device(config-line)# end`	Exits line configuration mode and returns to privileged EXEC mode.

What to do next

Logging in to and Exiting a Privilege Level

Beginning in user EXEC mode, follow these steps to log into a specified privilege level and exit a specified privilege level.

SUMMARY STEPS

enable level
disable level

DETAILED STEPS

Command or Action Purpose

	Command or Action	Purpose
Step1	enable `level` Example: `Device> enable 15`	Logs in to a specified privilege level. InI the example, Level 15 is privileged EXEC mode. For `level` , the range is 0 to 15.
Step2	disable `level` Example: `Device# disable 1`	Exits to a specified privilege level. In the example, Level 1 is user EXEC mode. For `level` , the range is 0 to 15.

Step1

enable level

Example:

Device> enable 15

Logs in to a specified privilege level.

InI the example, Level 15 is privileged EXEC mode.

For level , the range is 0 to 15.

Step2

disable level

Example:

Device# disable 1

Exits to a specified privilege level.

In the example, Level 1 is user EXEC mode.

For level , the range is 0 to 15.

Configuring an Encrypted Preshared Key

To configure an encrypted preshared key, perform the following steps.

SUMMARY STEPS

enable
configure terminal
key config-key password-encrypt [text]
password encryption aes
end

DETAILED STEPS

	Command or Action	Purpose
Step1	enable Example: `Device> enable`	Enables privileged EXEC mode. Enter your password if prompted.
Step2	configure terminal Example: `Device# configure terminal`	Enters global configuration mode.
Step3	key config-key password-encrypt [`text`] Example: `Device(config)# key config-key password-encrypt`	Stores a type 6 encryption key in private NVRAM. To key in interactively (using the Enter key) and an encrypted key already exists, you will be prompted for the following: Old key, New key, and Confirm key. To key in interactively, but an encryption key is not present, you will be prompted for the following: New key and Confirm key. When removing the password that is already encrypted, you will see the following prompt: `WARNING: All type 6 encrypted keys will become unusable. Continue with master key deletion? [yes/no]:"`
Step4	password encryption aes Example: `Device(config)# password encryption aes`	Enables the encrypted preshared key.
Step5	end Example: `Device(config)# end`	Exits global configuration mode and returns to privileged EXEC mode.

Monitoring Switch Access with Passwords and Privileges

Table 2. Commands for Displaying Privilege-Level Information
Command	Information
show privilege	Displays the privilege level configuration.

Configuration Examples for Switch Access with Passwords and Privilege Levels

Example: Setting or Changing a Static Enable Password

This example shows how to change the enable password to l1u2c3k4y5. The password is not encrypted and provides access to level 15 (traditional privileged EXEC mode access):

Device> enableDevice# configure terminalDevice(config)# enable password l1u2c3k4y5Device(config)# end

Example: Protecting Enable and Enable Secret Passwords with Encryption

The following example shows how to configure the encrypted password $9$sMLBsTFXLnnHTk$0L82 for privilege level 2:

Device> enableDevice# configure terminalDevice(config)# enable secret level 2 9 $9$sMLBsTFXLnnHTk$0L82Device(config)# end

Example: Setting a Telnet Password for a Terminal Line

This example shows how to set the Telnet password to let45me67in89:

Device> enableDevice# configure terminalDevice(config)# line vty 10Device(config-line)# password let45me67in89Device(config-line)# end

Example: Setting the Privilege Level for a Command

This example shows how to set the configure command to privilege level 14 and define SecretPswd14 as the password users must enter to use level 14 commands:

Device> enableDevice# configure terminalDevice(config)# privilege exec level 14 configureDevice(config)# enable password level 14 SecretPswd14Device(config)# end

Example: Configuring an Encrypted Preshared Key

The following example shows a configuration for which a type 6 preshared key has been encrypted. It includes the prompts and messages that a user might see.

Device> enableDevice# configure terminalDevice(config)# password encryption aesDevice(config)# key config-key password-encryptNew key:Confirm key:Device(config)# 01:46:40: TYPE6_PASS: New Master key configured, encrypting the keys withthe new master keyDevice(config)# end

Feature History for Controlling Switch Access with Passwords and Privileges

This table provides release and related information for features explained in this module.

These features are available on all releases subsequent to the one they were introduced in, unless noted otherwise.


Release	Feature	Feature Information
Cisco IOS XE Everest 16.5.1a	Controlling Switch Access with Passwords and Privileges	Password protection restricts access to a network or network device. Privilege levels define what commands users can enter after they have logged into a network device. Support for this feature was introduced on all the models of the Cisco Catalyst 9500 Series Switches.
Cisco IOS XE Fuji 16.8.1a	Controlling Switch Access with Passwords and Privileges	Support for this feature was introduced on the C9500-32C, C9500-32QC, C9500-48Y4C, and C9500-24Y4C models of the Cisco Catalyst 9500 Series Switches.
Cisco IOS XE Gibraltar 16.11.1	Autoconversion of Type 0 and Type 7 Username and Password to Type 6	From this release, type 0 and 7 username and password can be autoconverted to type 6. Support for this feature was introduced on all the models of the Cisco Catalyst 9500 Series Switches. Support for this feature was introduced on the C9500-32C, C9500-32QC, C9500-48Y4C, and C9500-24Y4C models of the Cisco Catalyst 9500 Series Switches.

Use Cisco Feature Navigator to find information about platform and software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn.