1.1.3 Enable 'aaa authentication enable default'

Information

Authenticates users who access privileged EXEC mode when they use the enable command.

Rationale:

Using AAA authentication for interactive management access to the device provides consistent, centralized control of your network. The default under AAA (local or network) is to require users to log in using a valid user name and password. This rule applies for both local and network AAA.

Solution

Configure AAA authentication method(s) for enable authentication.

hostname(config)#aaa authentication enable default {method1} enable
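
An added example (not part of the benchmark or of Cisco's tooling): a Python check that reads saved running-config text and verifies the method list configured by the Solution above. The function names and sample configurations are constructed for illustration; treating a 'none' method or a missing trailing 'enable' as findings is this example's assumption.

```python
import re

# Matches the global-config line that sets the enable authentication method list.
ENABLE_AUTH = re.compile(r"^[ \t]*aaa authentication enable default[ \t]+(.+?)\s*$", re.M)

def parse_methods(tokens):
    """Group tokens into methods: 'group <name>' is one method, others are single words."""
    methods, i = [], 0
    while i < len(tokens):
        if tokens[i] == "group" and i + 1 < len(tokens):
            methods.append("group " + tokens[i + 1])
            i += 2
        else:
            methods.append(tokens[i])
            i += 1
    return methods

def audit_enable_auth(config_text):
    """Return (passed, methods, findings) for 'aaa authentication enable default'."""
    matches = ENABLE_AUTH.findall(config_text)
    if not matches:
        return False, [], ["'aaa authentication enable default' is not configured"]
    methods = parse_methods(matches[-1].split())
    findings = []
    # Assumption of this example: 'none' is flagged because, when reached,
    # it grants privileged EXEC access without any authentication.
    if "none" in methods:
        findings.append("method list contains 'none'")
    # Assumption of this example: require the trailing 'enable' shown in the Solution.
    if methods[-1] != "enable":
        findings.append("method list does not end with 'enable'")
    return not findings, methods, findings

# Constructed sample configurations (not taken from a real device).
SAMPLE_COMPLIANT = """aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
"""
SAMPLE_WEAK = "aaa new-model\r\naaa authentication enable default group radius none\r\n"
SAMPLE_MISSING = "aaa new-model\naaa authentication login default local\n"

if __name__ == "__main__":
    for name, cfg in [("compliant", SAMPLE_COMPLIANT), ("weak", SAMPLE_WEAK),
                      ("missing", SAMPLE_MISSING)]:
        passed, methods, findings = audit_enable_auth(cfg)
        print(name, "PASS" if passed else "FAIL", methods, findings)
```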

Impact:

Enabling Cisco AAA 'authentication enable' mode is significantly disruptive as former access methods are immediately disabled. Therefore, before enabling 'aaa authentication enable default' mode, the organization should plan and implement authentication logins and passwords, challenges and responses, and token technologies.

Default Value:

By default, fallback to the local database is disabled.

References:

http://www.cisco.com/en/US/docs/ios-xml/ios/security/a1/sec-cr-a1.html#GUID-4171D649-2973-4707-95F3-9D96971893D0

See Also

https://workbench.cisecurity.org/files/2585

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-6, CSCv6|16.9

Plugin: Cisco

Control ID: 15f6dbd806eff67d67a8c3c1d2fa79486b41d1c51d46063d852f6cf91a27395d