aaa authentication enable

Use this command to set authentication for accessing higher privilege levels. The default enable list is enableList. It is used by the console and contains the method enable followed by none.

A separate default enable list, enableNetList, is used for Telnet and SSH users instead of enableList. This list is applied by default for Telnet and SSH, and contains the method enable followed by deny. In LCOS SX, the enable password is not configured by default. That means that, by default, Telnet and SSH users will not get access to Privileged EXEC mode. On the other hand, under default conditions a console user always enters Privileged EXEC mode without entering the enable password.

The default and optional list names created with the aaa authentication enable command are used with the enable authentication command. Create a list by entering the aaa authentication enable list-name method command where list-name is any character string used to name this list. The method argument identifies the list of methods that the authentication algorithm tries in the given sequence.

The user manager returns ERROR (not PASS or FAIL) for enable and line methods if no password is configured, and moves to the next configured method in the authentication list. The method none reflects that there is no authentication needed.

The user will only be prompted for an enable password if one is required. The following authentication methods do not require passwords:

  1. none
  2. deny
  3. enable (if no enable password is configured)
  4. line (if no line password is configured)

Example: See the examples below.
  4.a aaa authentication enable default enable none
  4.b aaa authentication enable default line none
  4.c aaa authentication enable default enable radius none
  4.d aaa authentication enable default line tacacs none

Examples 4.a and 4.b do not prompt for a password; however, because examples 4.c and 4.d contain the radius and tacacs methods, the password prompt is displayed.

If the login methods include only enable, and there is no enable password configured, then LCOS SX does not prompt for a username. In such cases, LCOS SX only prompts for a password. LCOS SX supports configuring methods after the local method in authentication and authorization lists. If the user is not present in the local database, then the next configured method is tried.

The additional methods of authentication are used only if the previous method returns an error, not if it fails. To ensure that the authentication succeeds even if all methods return an error, specify none as the final method in the command line.
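The list-walking rule above (move to the next method only on ERROR, stop on PASS or FAIL, prompt only when some method can actually require a password) is easy to get wrong when designing an enable list. The following Python model is an added illustration, not code from LCOS SX or LANCOM; the Device class, the server stand-ins and the password values are constructed for the example, and the ldap method is not modelled. It reproduces the behaviour the text describes: the default enableNetList (enable then deny) with no enable password configured never grants access, while enable followed by none always does.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Result(Enum):
    PASS = "PASS"
    FAIL = "FAIL"
    ERROR = "ERROR"   # method could not decide (e.g. no password configured, server down)


@dataclass
class Device:
    """Constructed model of the switch state an enable method list consults."""
    enable_password: Optional[str] = None   # None = no enable password configured
    line_password: Optional[str] = None     # None = no line password configured
    radius_up: bool = True                  # False = RADIUS servers unreachable
    tacacs_up: bool = True                  # False = TACACS+ servers unreachable
    radius_users: Dict[str, str] = field(default_factory=dict)  # constructed stand-in
    tacacs_users: Dict[str, str] = field(default_factory=dict)  # constructed stand-in


def m_enable(dev: Device, user: str, pw: str, level: int) -> Result:
    if dev.enable_password is None:
        return Result.ERROR            # user manager returns ERROR, not FAIL
    return Result.PASS if pw == dev.enable_password else Result.FAIL


def m_line(dev: Device, user: str, pw: str, level: int) -> Result:
    if dev.line_password is None:
        return Result.ERROR
    return Result.PASS if pw == dev.line_password else Result.FAIL


def m_radius(dev: Device, user: str, pw: str, level: int) -> Result:
    if not dev.radius_up:
        return Result.ERROR
    # RADIUS requests carry the synthetic user name $enabx$ (x = requested level)
    expected = dev.radius_users.get(f"$enab{level}$")
    return Result.PASS if expected is not None and expected == pw else Result.FAIL


def m_tacacs(dev: Device, user: str, pw: str, level: int) -> Result:
    if not dev.tacacs_up:
        return Result.ERROR
    # TACACS+ receives the login user ID for enable authentication
    expected = dev.tacacs_users.get(user)
    return Result.PASS if expected is not None and expected == pw else Result.FAIL


def m_none(dev: Device, user: str, pw: str, level: int) -> Result:
    return Result.PASS                 # no authentication needed


def m_deny(dev: Device, user: str, pw: str, level: int) -> Result:
    return Result.FAIL                 # always refuses


METHODS = {"enable": m_enable, "line": m_line, "radius": m_radius,
           "tacacs": m_tacacs, "none": m_none, "deny": m_deny}


def prompts_for_password(dev: Device, methods: List[str]) -> bool:
    """True if any method in the list can require a password (see the list above)."""
    for m in methods:
        if m in ("none", "deny"):
            continue
        if m == "enable" and dev.enable_password is None:
            continue
        if m == "line" and dev.line_password is None:
            continue
        return True
    return False


def authenticate_enable(dev: Device, methods: List[str], user: str,
                        password: str, level: int = 15) -> Tuple[bool, List[Tuple[str, Result]]]:
    """Walk the method list: ERROR moves on, PASS grants, FAIL denies immediately."""
    trace: List[Tuple[str, Result]] = []
    for m in methods:
        r = METHODS[m](dev, user, password, level)
        trace.append((m, r))
        if r is Result.PASS:
            return True, trace
        if r is Result.FAIL:
            return False, trace
    return False, trace                # every method returned ERROR: access denied


if __name__ == "__main__":
    factory = Device()                 # no enable password, as shipped
    print("console enableList:", authenticate_enable(factory, ["enable", "none"], "admin", ""))
    print("telnet enableNetList:", authenticate_enable(factory, ["enable", "deny"], "admin", ""))
```

Note that with enable radius none a wrong RADIUS password yields FAIL and stops the walk, so none is never reached; only an unreachable server (ERROR) falls through to none, which is exactly the fail-open behaviour the text warns about when none is placed last.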

Use the command show authorization methods to display information about the authentication methods.

Note:

Requests sent by the switch to a RADIUS server include the username $enabx$, where x is the requested privilege level. For enable to be authenticated on RADIUS servers, add $enabx$ users to them. The login user ID is now sent to TACACS+ servers for enable authentication.

Default: Uses the listed authentication methods that follow this argument as the default list of methods, when using higher privilege levels.
Format: aaa authentication enable {default | list-name} method1 [method2...]
Mode: Global Config

Parameter             Description
default               Uses the listed authentication methods that follow this argument as the default list of methods, when using higher privilege levels.
list-name             Character string used to name the list of authentication methods activated when accessing higher privilege levels. Range: 1-15 characters.
method1 [method2...]  Specify at least one of the following:
  • deny    Used to deny access.
  • enable  Uses the enable password for authentication.
  • ldap    Uses the list of all LDAP servers for authentication.
  • line    Uses the line password for authentication.
  • none    Uses no authentication.
  • radius  Uses the list of all RADIUS servers for authentication.
  • tacacs  Uses the list of all TACACS+ servers for authentication.

Example: The following example sets authentication when accessing higher privilege levels.

(switch)(config)# aaa authentication enable default enable

www.lancom-systems.com

LANCOM Systems GmbH | A Rohde & Schwarz Company | Adenauerstr. 20/B2 | 52146 Wuerselen | Germany | E‑Mail [email protected]
