This section describes the commands you use to add, manage, and delete system users. The software has two default users: admin and guest. The admin user can view and configure system settings, and the guest user can view settings.
NOTE: You cannot delete the admin user. There is only one user allowed with read/write privileges. You can configure up to five read-only users on the system.
Use this command to set authentication at login. The default and optional list names created with the command are used with the aaa authentication login command. Create a list by entering the aaa authentication login list-name method command for a particular protocol, where list-name is any character string used to name this list. The method argument identifies the list of methods that the authentication algorithm tries, in the given sequence.
The additional methods of authentication are used only if the previous method returns an error, not if there is an authentication failure. To ensure that the authentication succeeds even if all methods return an error, specify none as the final method in the command line. For example, if none is specified as an authentication method after radius, no authentication is used if the RADIUS server is down.
This command returns to the default.
Use this command to configure command and exec authorization method lists. This list is identified by default or a user-specified list-name. If tacacs is specified as the authorization method, authorization requests for commands are sent to a TACACS server. If none is specified as the authorization method, no command authorization is performed. A maximum of five authorization method lists can be created for the commands type.
When authorization is configured for a line mode, the user manager sends information about an entered command to the AAA server. The AAA server validates the received command and responds with either a PASS or FAIL response. If approved, the command is executed. Otherwise, the command is denied and an error message is shown to the user. The utility commands such as tftp, ping, and outbound telnet must also pass command authorization. Applying a script is treated as the single command apply script, which also goes through authorization. Startup-config commands applied on device boot-up are not subject to the authorization process.
The per-command authorization usage scenario is:
aaa authorization commands listname tacacs radius none
authorization commands listname
This command deletes the authorization method list.
Use this command to set authentication for accessing higher privilege levels. The default enable list is enableList. It is used by console, telnet, and SSH and only contains the method none. The default and optional list names created with the aaa authentication enable command are used with the enable authentication command. Create a list by entering the aaa authentication enable list-name method command where list-name is any character string used to name this list. The method argument identifies the list of methods that the authentication algorithm tries in the given sequence.
The additional methods of authentication are used only if the previous method returns an error, not if it fails. To ensure that the authentication succeeds even if all methods return an error, specify none as the final method in the command line.
NOTE 1: Enable will not succeed for a level one user if no authentication method is defined. A level one user must authenticate to get to privileged EXEC mode.
NOTE 2: Requests sent by the switch to a RADIUS server include the username $enabx$, where x is the requested privilege level. For enable to be authenticated on Radius servers, add $enabx$ users to them. The login user ID is now sent to TACACS servers for enable authentication.
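The fallback rule stated for both the login and the enable method lists (a later method is tried only when the previous one returns an error, never after an authentication failure) is easy to misread. The following added example, which is not part of the manual, simulates that evaluation; the method names and the outcome table are constructed for illustration.

```python
from enum import Enum

class Result(Enum):
    PASS = "pass"    # method authenticated the user
    FAIL = "fail"    # method rejected the user (wrong password, unknown user)
    ERROR = "error"  # method could not answer (server down, timeout)

def evaluate_method_list(methods, outcomes):
    """Return (final_result, methods_tried) for one login attempt.
    methods: method names in configured order, e.g. ["radius", "local", "none"].
    outcomes: constructed mapping method -> Result for this attempt; a method
              missing from the mapping is treated as unavailable (ERROR)."""
    tried = []
    for method in methods:
        tried.append(method)
        if method == "none":
            # "none" performs no authentication and always passes; placed last it
            # keeps logins working when every server is down, which is exactly
            # why it should only be used where that behaviour is intended.
            return Result.PASS, tried
        result = outcomes.get(method, Result.ERROR)
        if result is Result.ERROR:
            continue              # only an ERROR moves on to the next method
        return result, tried      # PASS or FAIL is final; no further fallback
    return Result.ERROR, tried    # every method errored and no "none" at the end

# Constructed scenarios: RADIUS unreachable vs. RADIUS actively rejecting the user
RADIUS_DOWN = {"radius": Result.ERROR, "local": Result.PASS}
RADIUS_REJECT = {"radius": Result.FAIL, "local": Result.PASS}

if __name__ == "__main__":
    print(evaluate_method_list(["radius", "local"], RADIUS_DOWN))    # falls through to local
    print(evaluate_method_list(["radius", "local"], RADIUS_REJECT))  # FAIL, local never tried
    print(evaluate_method_list(["radius", "none"], RADIUS_DOWN))     # PASS with no authentication
    print(evaluate_method_list(["radius"], RADIUS_DOWN))             # ERROR, login impossible
```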
Use this command to specify the authentication method list when accessing a higher privilege level from a remote telnet or console.
Use this command to return to the default specified by the enable authentication command.
Use the username command in Global Config mode to add a new user to the local user database. The default privilege level is 1. Using the encrypted keyword allows the administrator to transfer local user passwords between devices without having to know the passwords. When the password parameter is used along with encrypted parameter, the password must be exactly 128 hexadecimal characters in length. If the password strength feature is enabled, this command checks for password strength and returns an appropriate error if it fails to meet the password strength criteria. Giving the optional parameter override-complexity-check disables the validation of the password strength.
Use this command to remove a user name.
Use this command to remove an existing user's password (NULL password).
Use this command to unlock a locked user account. Only a user with read/write access can reactivate a locked user account.
This command specifies the snmpv3 access privileges for the specified login user. The valid accessmode values are readonly or readwrite. The <username> is the login user name for which the specified access mode applies. The default is readwrite for the “admin” user and readonly for all other users. You must enter the <username> in the same case you used when you added the user. To see the case of the <username>, enter the show users command.
This command sets the snmpv3 access privileges for the specified user as readwrite for the “admin” user and readonly for all other users. The <username> value is the user name for which the specified access mode will apply.
This command specifies the authentication protocol to be used for the specified user. The valid authentication protocols are none, md5 or sha. If you specify md5 or sha, the login password is also used as the snmpv3 authentication password and therefore must be at least eight characters in length. The <username> is the user name associated with the authentication protocol. You must enter the <username> in the same case you used when you added the user. To see the case of the <username>, enter the show users command.
This command sets the authentication protocol to be used for the specified user to none. The <username> is the user name for which the specified authentication protocol is used.
This command specifies the encryption protocol used for the specified user. The valid encryption protocols are des or none. If you select des, you can specify the required key on the command line. The encryption key must be 8 to 64 characters long. If you select the des protocol but do not provide a key, the user is prompted for the key. When you use the des protocol, the login password is also used as the snmpv3 encryption password, so it must be a minimum of eight characters. If you select none, you do not need to provide a key. The <username> value is the login user name associated with the specified encryption. You must enter the <username> in the same case you used when you added the user. To see the case of the <username>, enter the show users command.
This command sets the encryption protocol to none. The <username> is the login user name for which the specified encryption protocol will be used.
This command specifies the des encryption protocol and the required encryption key for the specified user. The encryption key must be 8 to 64 characters long.
This command displays the configured user names and their settings. This command is only available for users with Read/Write privileges. The SNMPv3 fields will only be displayed if SNMP is available on the system.
The display parameters for the above command are:
This command displays the complete usernames of the configured users on the switch.
This command displays the local user status with respect to user account lockout and password aging. This command displays truncated user names. Use the show users long command to display the complete usernames.
The display parameters for the above command are:
If the detail keyword is included, the following additional fields display.
Use this command to display information about the login history of users.
Use this command to specify the login authentication method list for a line (console, telnet, or SSH). The default configuration uses the default set with the command aaa authentication login.
Use this command to return to the default specified by the authentication login command.
This command allows the currently logged in user to change his or her password without having read/write privileges.
Use the password command in Line Configuration mode to specify a password on a line. The default configuration is no password is specified.
Use this command to remove the password on a line.
Use this command to allow a user to change the password for only that user. This command should be used after the password has aged. The user is prompted to enter the old password and the new password.
Use the enable password configuration command to set a local password to control access to the privileged EXEC mode.
Use the no enable password command to remove the password requirement.
Use the run bootrecovery command to recover the password.
NOTE: Issue the reboot before recovery.
After the switch boots up, open the UI page; the admin password can then be reset to a new one.
Use this command to enforce a minimum password length for local users. The value also applies to the enable password. The valid range is 8-64.
Use this command to set the minimum password length to the default value.
Use this command to set the number of previous passwords that are stored for each user account. When a local user changes his or her password, the user will not be able to reuse any password stored in the password history. This ensures that users do not reuse their passwords frequently. The valid range is 0-10.
Use this command to set the password history to the default value.
Use this command to implement aging on passwords for local users. When a user’s password expires, the user will be prompted to change it before logging in again. The valid range is 1-365. The default is 0, or no aging.
Use this command to set the password aging to the default value.
Use this command to strengthen the security of the switch by locking user accounts that have failed login due to wrong passwords. When a lockout count is configured, a user logging in must enter the correct password within that number of attempts. Otherwise the user will be locked out from further switch access. Only a user with read/write access can re-activate a locked user account. Password lockout does not apply to logins from the serial console. The valid range is 1-5. The default is 0, or no lockout count enforced.
Use this command to set the password lock-out count to the default value.
Use this command to enable the password strength feature. It is used to verify the strength of a password during configuration.
Use this command to set the password strength checking to the default value.
Use this command to set the maximum number of consecutive characters allowed in a password by the password strength check. The valid range is 0-15. The default is 0. A value of 0 means no restriction on that set of characters.
Use this command to set the maximum number of repeated characters allowed in a password by the password strength check. The valid range is 0-15. The default is 0. A value of 0 means no restriction on that set of characters.
Use this command to enforce a minimum number of uppercase letters that a password should contain. The valid range is 0-16. The default is 2. A minimum of 0 means no restriction on that set of characters.
Use this command to reset the minimum uppercase letters required in a password to the default value.
Use this command to enforce a minimum number of lowercase letters that a password should contain. The valid range is 0-16. The default is 2. A minimum of 0 means no restriction on that set of characters.
Use this command to reset the minimum lowercase letters required in a password to the default value.
Use this command to enforce a minimum number of numeric characters that a password should contain. The valid range is 0-16. The default is 2. A minimum of 0 means no restriction on that set of characters.
Use this command to reset the minimum numeric characters required in a password to the default value.
Use this command to enforce a minimum number of special characters that a password should contain. The valid range is 0-16. The default is 2. A minimum of 0 means no restriction on that set of characters.
Use this command to reset the minimum special characters required in a password to the default value.
Use this command to enforce a minimum number of character classes that a password should contain. The character classes are uppercase letters, lowercase letters, numeric characters and special characters. The valid range is 0-4. The default is 4.
Use this command to reset the minimum number of character classes required in a password to the default value.
Use this command to exclude the specified keyword while configuring the password. The password does not accept the keyword in any form (anywhere within the string, case-insensitive, or reversed) as a substring. Up to a maximum of 3 keywords can be configured.
Use this command to reset the restriction for the specified keyword or all the keywords configured.
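To make the interaction of the strength settings above concrete, the following added example (not part of the manual) checks a candidate password against a constructed policy that uses the manual's defaults plus one excluded keyword. It assumes "consecutive characters" means sequential code points such as "abc" or "123" and "repeated characters" means the same character several times in a row; the rule names it returns are invented labels.

```python
import string

# Constructed policy: the manual's defaults, one excluded keyword (up to 3 allowed).
POLICY = {
    "min_length": 8,             # passwords min-length, valid range 8-64
    "max_consecutive": 0,        # 0 = no restriction (assumed: sequential chars such as "abc")
    "max_repeated": 0,           # 0 = no restriction (same char in a row, such as "aaa")
    "min_uppercase": 2,
    "min_lowercase": 2,
    "min_numeric": 2,
    "min_special": 2,
    "min_classes": 4,
    "exclude_keywords": ["switch"],  # rejected as a substring, in any case, or reversed
}

def longest_run(pw, step):
    """Longest run where each char's code point is `step` above the previous (0 = repeats)."""
    best = run = 1
    for a, b in zip(pw, pw[1:]):
        run = run + 1 if ord(b) - ord(a) == step else 1
        best = max(best, run)
    return best

def check_password(pw, policy=POLICY):
    """Return the list of violated rules; an empty list means the password is accepted."""
    errors = []
    if len(pw) < policy["min_length"]:
        errors.append("min-length")
    if policy["max_consecutive"] and longest_run(pw, 1) > policy["max_consecutive"]:
        errors.append("max-consecutive")
    if policy["max_repeated"] and longest_run(pw, 0) > policy["max_repeated"]:
        errors.append("max-repeated")
    counts = {
        "uppercase": sum(c.isupper() for c in pw),
        "lowercase": sum(c.islower() for c in pw),
        "numeric": sum(c.isdigit() for c in pw),
        "special": sum(c in string.punctuation for c in pw),
    }
    for cls, n in counts.items():          # per-class minimums
        if n < policy["min_" + cls]:
            errors.append("min-" + cls)
    if sum(1 for n in counts.values() if n > 0) < policy["min_classes"]:
        errors.append("min-classes")       # number of distinct classes present
    low = pw.lower()
    for kw in policy["exclude_keywords"]:  # keyword forward or reversed, any case
        if kw.lower() in low or kw.lower()[::-1] in low:
            errors.append("exclude-keyword:" + kw)
    return errors
```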
Use this command to display the configured password management settings.
The display parameters for the above command are:
Use this command to display the last password set result information.
The display parameters for the above command are:
Use this command to save running configuration changes to NVRAM so that the changes you make will persist across a reboot. This command is the same as copy system:running-config nvram:startup-config.
The Internal Authentication Server (IAS) database is a dedicated internal database used for local authentication of users for network access through the IEEE 802.1X feature.
Use the aaa ias-user username command in Global Config mode to add the specified user to the internal user database. This command also changes the mode to AAA User Config mode.
Use this command to remove the specified user from the internal user database.
Use this command in Global Config mode to specify if the same session-id is used for Authentication, Authorization and Accounting service type within a session.
Use this command in Global Config mode to reset the aaa session-id behavior to the default.
Use this command in Global Config mode to create an accounting method list for either user EXEC sessions or for user-executed commands. This list is identified by default or a user-specified list-name. Accounting records, when enabled for a line mode, can be sent at both the beginning and at the end (start-stop) or only at the end (stop-only). If none is specified, then accounting is disabled for the specified list. If tacacs is specified as the accounting method, accounting records are sent to a TACACS server. If radius is the specified accounting method, accounting records are sent to a RADIUS server.
NOTE 1: A maximum of five Accounting Method lists can be created for each exec and commands type.
NOTE 2: The same list-name can be used for both exec and commands accounting type.
NOTE 3: AAA Accounting for commands with RADIUS as the accounting method is not supported.
This command deletes the accounting method list.
Use this command to specify a password for a user in the IAS database. The optional parameter encrypted indicates that the password given to the command is already encrypted.
Use this command to clear the password of a user.
Use this command to remove all users from the IAS database.
Use this command to display configured IAS users and their attributes. Passwords configured are not shown in the show command output.
Use this command in Line Configuration mode to apply the accounting method list to a line config (console/telnet/ssh).
Use this command to display ordered methods for accounting lists.
Use this command to display configured accounting method lists.