CIS Cisco Firewall ASA 9 L1 V4 1.0

Ensure ‘aaa authentication enable console’ is configured correctly

Details

Authenticates users trying to access the Enable mode (privileged EXEC mode) through the ‘enable’ command.

Rationale:

By default, access to enable mode is controlled by a password. AAA provides a primary method for authenticating users (a username/password database stored on a TACACS+ or RADIUS server or group of servers) and then specifies a backup method (a locally stored username/password database). The backup method is used if the primary method’s database cannot be accessed by the networking device.

Solution

Configure AAA authentication for enable access, using the TACACS+ server group as the primary method and the local database as the backup method:

hostname(config)# aaa authentication enable console <server-group_name> LOCAL
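
One way to audit a saved running-config for this control (an added example, not part of the CIS benchmark or the original page). The function name, the server-group name TAC-ADMIN and the sample configurations are constructed for illustration; the check assumes the server group is declared with an `aaa-server <name> protocol tacacs+` (or `radius`) line in the same file.

```python
import re

# Constructed sample running-config fragments (not taken from a real device).
COMPLIANT = """\
aaa-server TAC-ADMIN protocol tacacs+
aaa-server TAC-ADMIN (inside) host 192.0.2.10
aaa authentication ssh console TAC-ADMIN LOCAL
aaa authentication enable console TAC-ADMIN LOCAL
"""
NO_FALLBACK = "aaa-server TAC-ADMIN protocol tacacs+\naaa authentication enable console TAC-ADMIN\n"
LOCAL_ONLY = "aaa authentication enable console LOCAL\n"
UNDEFINED_GROUP = "aaa authentication enable console TAC-ADMIN LOCAL\n"
MISSING = "aaa authentication ssh console LOCAL\n"

# Group 1 is the primary method, group 2 the optional LOCAL fallback keyword.
ENABLE_RE = re.compile(r"^aaa authentication enable console (\S+)(?: (LOCAL))?\s*$", re.M)
# Server-group declarations: name and protocol.
GROUP_RE = re.compile(r"^aaa-server (\S+) protocol (\S+)\s*$", re.M)

def audit_enable_auth(config: str) -> tuple[bool, str]:
    """Return (compliant, reason) for the enable-console AAA control."""
    groups = {name: proto.lower() for name, proto in GROUP_RE.findall(config)}
    match = ENABLE_RE.search(config)
    if match is None:
        return False, "no 'aaa authentication enable console' line found"
    primary, fallback = match.group(1), match.group(2)
    if primary == "LOCAL":
        return False, "LOCAL is the only method; no server group is primary"
    if primary not in groups:
        return False, f"server group '{primary}' has no aaa-server declaration"
    if groups[primary] not in ("tacacs+", "radius"):
        return False, f"server group '{primary}' uses protocol {groups[primary]}"
    if fallback != "LOCAL":
        return False, "no LOCAL backup method after the server group"
    return True, f"{groups[primary]} group '{primary}' with LOCAL backup"

if __name__ == "__main__":
    samples = {"compliant": COMPLIANT, "no fallback": NO_FALLBACK,
               "local only": LOCAL_ONLY, "undefined group": UNDEFINED_GROUP,
               "missing": MISSING}
    for label, cfg in samples.items():
        ok, reason = audit_enable_auth(cfg)
        print(f"{'PASS' if ok else 'FAIL'}  {label}: {reason}")
```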

Supportive Information

This security hardening control applies to the following category of controls within NIST 800-53: Access Control. This control applies to the following type of system: Cisco.

Updated on July 16, 2022