Enable Secret questions

dbarboza27
Level 1

Hi,

I have some questions about enable secret.

If there is a router that authenticates locally, you usually have a username/password to connect and an enable secret to allow ingress to global configuration mode.

In the case that the router uses a TACACS:

1. Is the enable secret required?

2. Could the authentication be done through the server?

3. Could a level 15 local credential substitute for the requirement of an enable secret?

Thanks for your comments,

6 Replies

robert.horrigan
Level 2

Always have enable secret configured.  You can use local authentication to log into your equipment as well:

username test privilege 15 password test

aaa new-model
aaa authentication login default local

Dear Douglas,

enable secret is to allow ingress to privilege 15 mode and not global configuration mode. So if you use TACACS,

1) Is the enable secret required?

Well, enable secret is not required to log in if you have a privilege 15 username/password configured.

username douglas privilege 15 password barboza

Because using the above username you will be placed directly into privilege mode.

2) Could the authentication be done through the server?

aaa new-model

aaa authentication login default group tacacs+ local

The above configuration means that in order to log in to the router, use TACACS for authentication, and if TACACS is not reachable, then use the local database to log in.

Some additional info for you. Look at the following command:

aaa authentication enable default group tacacs+ enable

This command is optional and means that in order to get into privilege mode from user EXEC mode, use TACACS for authentication, else use the local "enable password/secret".

But, since we have used a privilege 15 username/password in our local database, we don't need the enable password/secret.

3) Yes Douglas, you are right! A level 15 local credential substitutes for the requirement of an enable secret.

Hope this helps..

Narendrakumar B

Please do not forget to rate the useful posts.!!

I would offer this as a supplement to the very good response from Narendrakumar B.

1. Is the enable secret required?

There are several options to control access to privilege mode that do not depend on enable secret, so no, enable secret is not required. But I advocate that it is a best practice to always have an enable secret configured. Even if you use one of the alternatives to control access to privilege mode that do not require it, having enable secret gives you a backup option if the other method does not work for some reason (TACACS server down, etc.).

2. Could the authentication be done through the server?

You certainly can authenticate to privilege level using an authentication server, and if you do this it does not use the enable secret. But I would suggest that having enable secret configured is a good thing so that it can give you an alternative in situations in which your router cannot successfully authenticate with the TACACS server.

3. Could a level 15 local credential substitute for the requirement of an enable secret?

Yes, if you configure a local credential that specifies level 15 access then it could substitute for enable secret.

HTH

Rick

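Pulling the two answers above together, here is a complete IOS AAA configuration that authenticates against TACACS+ and keeps the local privilege 15 user and enable secret as the fallback path. This is an added illustration, not configuration from any post in this thread; the server name, group name, 192.0.2.10 address and every secret are placeholders.

```cisco
! Added example (placeholders throughout), not from any reply in this thread.
!
! Local safety net: a hashed enable secret (not 'enable password') and a
! privilege 15 local user. Both are consulted only when TACACS+ is unreachable.
enable secret <ENABLE-SECRET-PLACEHOLDER>
username admin privilege 15 secret <LOCAL-SECRET-PLACEHOLDER>
!
aaa new-model
!
! TACACS+ server definition (IOS 15.x syntax); address and key are placeholders.
tacacs server TAC1
 address ipv4 192.0.2.10
 key <TACACS-KEY-PLACEHOLDER>
!
aaa group server tacacs+ TACGROUP
 server name TAC1
!
! Login: ask TACACS+ first. 'local' is tried only when no server in the group
! answers; a password the server rejects does NOT fall through to the local user.
aaa authentication login default group TACGROUP local
!
! Enable: ask TACACS+ first, fall back to the enable secret if the group is
! unreachable. Optional when the login already lands the user at privilege 15.
aaa authentication enable default group TACGROUP enable
!
! EXEC authorization lets TACACS+ assign privilege 15 at login; the local user
! already carries privilege 15 when the fallback is used.
aaa authorization exec default group TACGROUP local if-authenticated
!
line vty 0 4
 login authentication default
 authorization exec default
```

With this in place, a TACACS+ outage still leaves two independent ways in (the local privilege 15 user, and the enable secret from user EXEC), which is the backup Rick describes.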

Hi Rick,

I'm just glad to see your statement "very good response from Narendrakumar B".

I say this because this is my first day that I have started posting in this/a community!!!

and I'm glad to see that it is appreciated by a Hall of Fame member.

Which inspires me a lot..

Not to mention, your supplemental info was valuable.. Thanks for that..

I would greatly appreciate if the actual poster of the question interacts with the posters

and lets us know whether our posts clarify your doubts..

Thanks for your time, and Happy Networking !!!

Rgds

Narendrakumar B

Narendrakumar B

If this was your first day of posting in the forum then I believe that you are to be especially congratulated

I hope that you will continue to actively participate in the forum and I look forward to seeing more good posts from you.

HTH

Rick

Thank you very much Rick

I too hope the same..

Happy Networking !!! 

Rgds,

Narendrakumar B
