aaa authentication enable

Use this command to set authentication for accessing higher privilege levels. The default enable list is enableList. It is used by the console and contains the enable method followed by none.

A separate default enable list, enableNetList, is used for Telnet and SSH users instead of enableList. This list is applied by default for Telnet and SSH and contains the enable method followed by deny. In 200 Series, the enable password is not configured by default. That means that, by default, Telnet and SSH users will not get access to Privileged EXEC mode. On the other hand, with default conditions, a console user always enters Privileged EXEC mode without entering the enable password.

The default and optional list names created with the aaa authentication enable command are used with the enable authentication command. Create a list by entering the aaa authentication enable list-name method command where list-name is any character string used to name this list. The method argument identifies the list of methods that the authentication algorithm tries in the given sequence.

The user manager returns ERROR (not PASS or FAIL) for enable and line methods if no password is configured, and moves to the next configured method in the authentication list. The method none reflects that there is no authentication needed.

The user will only be prompted for an enable password if one is required. The following authentication methods do not require passwords:

  1. none
  2. deny
  3. enable (if no enable password is configured)
  4. line (if no line password is configured)

See the following examples:

  1. aaa authentication enable default enable none
  2. aaa authentication enable default line none
  3. aaa authentication enable default enable radius none
  4. aaa authentication enable default line tacacs none

Examples 1 and 2 do not prompt for a password. Examples 3 and 4 contain the radius and tacacs methods, so the password prompt is displayed.

If the login methods include only enable, and there is no enable password configured, you are not prompted for a username – only for a password. 200 Series supports configuring methods after the local method in authentication and authorization lists. If the user is not present in the local database, then the next configured method is tried.

The additional methods of authentication are used only if the previous method returns an error, not if it fails. To ensure that the authentication succeeds even if all methods return an error, specify none as the final method in the command line.
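To make the fall-through rule concrete, the following is a small Python model of how an enable method list is evaluated, added here as an illustration and not code from the 200 Series software. The PASS/FAIL/ERROR results and the method names follow the text above; the password values, the dict-based configuration and the use of a missing server entry to represent an unreachable RADIUS/TACACS+ server are constructed assumptions.

```python
# Added model of method-list evaluation; not code from the switch. Inputs are constructed.
from typing import List, Optional

PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"

def run_method(method: str, supplied: Optional[str], cfg: dict) -> str:
    """Result of one method. ERROR means 'could not decide', so the list
    moves on; FAIL is a definite rejection and stops the list."""
    if method == "none":
        return PASS
    if method == "deny":
        return FAIL
    if method in ("enable", "line"):
        expected = cfg.get(method + "_password")
        if expected is None:          # no password configured -> ERROR
            return ERROR
        return PASS if supplied == expected else FAIL
    if method in ("radius", "tacacs"):
        server_pw = cfg.get(method)   # None models "no server reachable" (assumption)
        if server_pw is None:
            return ERROR
        return PASS if supplied == server_pw else FAIL
    raise ValueError(f"unknown method {method!r}")

def prompt_required(methods: List[str], cfg: dict) -> bool:
    """The enable-password prompt appears only if some method needs one."""
    return any(
        m in ("radius", "tacacs")
        or (m in ("enable", "line") and cfg.get(m + "_password") is not None)
        for m in methods)

def authenticate_enable(methods: List[str], supplied: Optional[str], cfg: dict):
    """Try methods in order: stop on PASS or FAIL, continue on ERROR.
    Returns (overall result, trace of (method, result) pairs)."""
    trace = []
    for m in methods:
        result = run_method(m, supplied, cfg)
        trace.append((m, result))
        if result != ERROR:
            return result, trace
    return ERROR, trace        # every method errored: access is not granted

if __name__ == "__main__":
    no_pw = {}    # constructed factory-default state: no enable password set
    print(authenticate_enable(["enable", "none"], None, no_pw))  # console default
    print(authenticate_enable(["enable", "deny"], None, no_pw))  # Telnet/SSH default
    # radius configured, wrong password: FAIL stops the list, "none" is never tried
    print(authenticate_enable(["enable", "radius", "none"], "bad", {"radius": "s3cret"}))
```

With the factory default of no enable password, the console list (enable none) ends in PASS while the Telnet/SSH list (enable deny) ends in FAIL, which is the behaviour the text describes.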

Use the command show authorization methods to display information about the authentication methods.

Note

Requests sent by the switch to a RADIUS (Remote Authentication Dial In User Service) server include the username $enabx$, where x is the requested privilege level. For enable to be authenticated on RADIUS servers, add $enabx$ users to them. The login user ID is now sent to TACACS+ servers for enable authentication.
Default
  default
Format
  aaa authentication enable {default | list-name} method1 [method2...]
Mode
  Global Config

Parameters

  default: Uses the listed authentication methods that follow this argument as the default list of methods when accessing higher privilege levels.
  list-name: Character string used to name the list of authentication methods activated when accessing higher privilege levels. Range: 1-15 characters.
  method1 [method2...]: Specify at least one of the following:
    • deny: Used to deny access.
    • enable: Uses the enable password for authentication.
    • line: Uses the line password for authentication.
    • none: Uses no authentication.
    • radius: Uses the list of all RADIUS servers for authentication.
    • tacacs: Uses the list of all TACACS+ servers for authentication.

The following example sets authentication when accessing higher privilege levels:

(Extreme 220) (Config)# aaa authentication enable default enable