There are five passwords used to secure your Cisco routers: console, auxiliary, telnet (VTY), enable password, and enable secret. Just as you learned earlier in the chapter, the enable password and enable secret are used to secure privileged mode. This will prompt a user for a password when the enable command is used. The other three are used to configure a password when user mode is accessed either through the console port, through the auxiliary port, or via Telnet.
Setup Enable Passwords
You set the enable passwords from global configuration mode like this:
last-resort – Define enable action if no TACACS servers respond
password – Assign the privileged level password
secret – Assign the privileged level secret
use-tacacs – Use TACACS to check enable passwords
The following points describe the enable password parameters:
Last-resort – Allows you to still enter the router if you set up authentication through a TACACS server and it’s not available. But it isn’t used if the TACACS server is working.
Password – Sets the enable password on older, pre-10.3 systems, and isn’t ever used if an enable secret is set.
Secret – Is the newer, encrypted password that overrides the enable password if it’s set.
Use-tacacs – This tells the router to authenticate through a TACACS server. It’s convenient if you have anywhere from a dozen to multitudes of routers.
Here’s an example of setting the enable passwords:
Router(config)#enable secret admin
Router(config)#enable password admin
The enable password you have chosen is the same as your enable secret. This is not recommended. Re-enter the enable password.
If you try to set the enable secret and the enable password to the same value, the router will give you a nice, polite warning to change the second password. If you don’t have older legacy routers, don’t even bother to use the enable password.
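To check a saved configuration against the points above, the following added example (not part of the original text) scans an IOS-style config for the five passwords and reports a redundant or legacy enable password and any console, auxiliary, or VTY line without a password. The sample config, its placeholder hash, and the function name audit_passwords are constructed for illustration.

```python
import re

# Constructed sample running-config for illustration (not from the original page).
SAMPLE_CONFIG = """\
hostname Router
enable secret 5 $1$EXAMPLE$constructedhashplaceholder
enable password admin2
!
line con 0
 password console
 login
line aux 0
line vty 0 4
 password telnet
 login
!
end
"""

def audit_passwords(config):
    """Return findings about the five passwords in an IOS-style config text."""
    findings = []
    has_secret = re.search(r"^enable secret\b", config, re.M) is not None
    has_password = re.search(r"^enable password\b", config, re.M) is not None
    if has_password and has_secret:
        findings.append("enable password is set but unused: enable secret overrides it")
    elif has_password:
        findings.append("only the legacy enable password protects privileged mode")
    elif not has_secret:
        findings.append("no enable secret or enable password is set")

    line_has_password = {}  # e.g. {"line con 0": True}
    current = None
    for raw in config.splitlines():
        if re.match(r"line (con|aux|vty)\b", raw):
            current = raw.strip()
            line_has_password[current] = False
        elif current and raw.startswith(" "):
            # Sub-commands of a line block are indented in the running config.
            if raw.strip().startswith("password "):
                line_has_password[current] = True
        else:
            current = None  # any non-indented line ends the block
    for name, ok in line_has_password.items():
        if not ok:
            findings.append(f"{name}: no password configured")
    return findings

if __name__ == "__main__":
    for finding in audit_passwords(SAMPLE_CONFIG):
        print(finding)
```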