
26. How can I handle the enable password?

There are generally two possibilities. Either you always use the password defined locally on the router, or you forward the enable request to the TACACS+ daemon and have it verify the request.

I wouldn't recommend the latter method as it introduces some additional complication at a critical place and hardly gains you anything.

As it's possible to assign a privilege level to users by the priv-lvl attribute, it's not necessary to use enable at all. IMHO, this is a better way to cope with privileges in a multi-user environment.

With "aaa authentication enable default enable", the local enable password is always used. In contrast, "aaa authentication enable default TACACS+ enable" tells the NAS to ask the TACACS+ server to verify the enable password first, and to fall back to the local enable password only if no answer is received.
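
The priv-lvl approach mentioned above, as an added example that is not part of the original FAQ: daemon entries that return a privilege level at login, and the NAS lines that make the router request it while enable stays local. The user names, the levels and the `group tacacs+` method-list form are assumptions (the FAQ's own commands use the form without `group`), and the hash is a placeholder.

```text
# --- TACACS+ daemon: tac_plus configuration file (constructed entries) ---

# Administrator: lands directly at level 15, never types "enable".
user = alice {
    login = des <DES-CRYPT-HASH-PLACEHOLDER>
    service = exec {
        priv-lvl = 15
    }
}

# Operator: stays at level 1; the daemon grants nothing higher.
user = bob {
    login = des <DES-CRYPT-HASH-PLACEHOLDER>
    service = exec {
        priv-lvl = 1
    }
}

! --- NAS: Cisco IOS ---
aaa new-model
! Log in against the daemon, fall back to local users if it does not answer.
aaa authentication login default group tacacs+ local
! priv-lvl arrives in the exec authorization reply, so exec authorization
! must be enabled or the attribute is never requested.
aaa authorization exec default group tacacs+ if-authenticated
! Enable is checked against the local enable password only.
aaa authentication enable default enable
```

With this split, per-user privilege is decided centrally by the daemon, while the enable password remains a local, daemon-independent way to raise privileges.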

