User Management and Security Commands

username

username <username> [capability <cap> | disable [login | password] | disconnect | full-name <name> | nopassword | password [0 | 7] <password>]
no username <username> [capability | disable [login | password] | full-name]

Creates a user and sets its capabilities, password and name.
The no form of the command deletes the user configuration.

Syntax Description

username

Specifies a username and creates a user account. New users are created initially with admin privileges but is disabled.

Allowed characters for the username:

  • a-z

  • A-Z

  • 0-9

  • period (.), underscore (_), hyphen (-)

Any single character or combination of characters from the above is allowed except for a period "." in a single form.

capability <cap>

Defines user capabilities.

  • admin—full administrative capabilities

  • monitor—read only capabilities, can not change the running configuration

  • unpriv—can only query the most basic information, and cannot take any actions or change any configuration

  • v_admin—basic administrator capabilities

disable [login | password]

  • Disable—disable this account

  • Disable login—disable all logins to this account

  • Disable password—disable login to this account using a local password

disconnect

Logs out the specified user from the system.

name

Full name of the user.

nopassword

The next login of the user will not require password.

0 | 7

  • 0—specifies a login password in cleartext

  • 7—specifies a login password in encrypted text

password

Specifies a password for the user in string form. If [0 | 7] was not specified then the password is in cleartext.

Default

The following usernames are available by default:

  • admin

  • monitor

Configuration Mode

config

History

8.0.0100

Example

gateway (config) # username monitor full-name smith

Related Commands

show usernames
show users

Notes

  • To enable a user account, just set a password on it (or use the command “username <user> nopassword” to enable it with no password required for login)

  • Removing a user account does not terminate any current sessions that user has open; it just prevents new sessions from being established

  • Encrypted password is useful for the command “show configuration”, since the cleartext password cannot be recovered after it is set

  • The command "username <user> password <password>" or "username <user> password 0 <password>" are not security and will leave clear text in user's terminal (log and command history will be treated as sensitive information without clear text password). They are recommended to be replaced as "username <user> password" or "username <user> password" commands.

show usernames

show usernames

Displays list of users and their capabilities.

Syntax Description

N/A

Default

N/A

Configuration Mode

Any command mode

History

8.0.0100

Example

gateway (config) # show usernames
USERNAME    FULL NAME               CAPABILITY  ACCOUNT STATUS
USERID System Administrator admin Local password login disabled
admin System Administrator admin No password required for login
monitor System Monitor monitor Password set (SHA512)
root Root User admin No password required for login

Related Commands

username
show users

Notes

show users

show users [history]

Displays logged in users and related information such as idle time and what host they have connected from.

Syntax Description

history

Displays current and historical sessions.

Default

N/A

Configuration Mode

Any command mode

History

8.0.0100

Example

gateway (config) # show users
USERNAME   FULL NAME                LINE    HOST               IDLE
admin      System Administrator     pts/0   172.22.237.174     0d0h34m4s
admin System Administrator pts/1 172.30.0.127 1d3h30m49s
admin System Administrator pts/3 172.22.237.34 0d0h0m0s
gateway (config) #s how users history
admin pts/3 172.22.237.34 Wed Feb 1 11:56 still logged in
admin pts/3 172.22.237.34 Wed Feb 1 11:42 - 11:46 (00:04)
wtmp begins Wed Feb 1 11:38:10 2012

Related Commands

username
show usernames

Notes

show whoami

show whoami

Displays username and capabilities of user currently logged in.

Syntax Description

N/A

Default

N/A

Configuration Mode

Any command mode

History

8.0.0100

Example

gateway (config) # show whoami
Current user: admin
Capabilities: admin

Related Commands

username
show usernames
show users

Notes

password

password [age expiration <days> | age warning <days> | history < length > | length minimal <length> | length maximal < length > | username-password-match enable | complexity-class <char class> | hardening enable]

Configures restrictions for new passwords.

Syntax Description

age expiration <days>

Specifies validity period of any password configured.
Range: 0-365 days (0=password will not expire)
Default: 365 days

age warning <days>

Specifies how many days before expiration a warning message should be printed while logging in.
Range: 0-30 days (0 indicates that a warning message will not be printed)
Default: 15 days

history < length >

Specifies how many passwords are saved per user. New password will be compared to previous passwords and will not be allowed if it is the same as an old one.

Range: 0-20 passwords
Default: 5 passwords

length minimal <length>

Specifies minimal length of allowed password.

Range: 1-32 characters
Default: 8 characters

length maximal < length>

Specifies maximal length of allowed password.

Range: 64-80 characters
Default: 64 characters

username-password-match enable

Restricts user from having password identical to its username.
Default: enabled
The no form of this command will allow this.

complexity-class <char class>

Specifies what characters must be used while configuring password.

  1. none—no restrictions

  2. lower

  3. lower-upper

  4. lower-upper-digit

  5. lower-upper-digit-special

Special characters allowed are: `~!@#$%^&*()-_=+[{}];:',<.>
Default: lower-upper-digit

hardening enable

Enable password restrictions. If enabled, all the above will be checked upon every new password that is being configured. Password that does not meet the requirements will be rejected.
The no form will disable any password restrictions and every password will be allowed.

Default

Enabled. After upgrade, the feature will be disabled by default.

Configuration Mode

Config

History

8.1.1000

Example

gateway (config) # password hardening enable

Related Commands

show password hardening

Notes

show password hardening

show password hardening

Displays all the configured password restrictions settings.

Syntax Description

N/A

Default

N/A

Configuration Mode

Any command mode

History

8.1.1000

Example

gateway (config) # show password hardening

Password settings:
Password hardening : enabled
Min password length : 8 (characters)
Max password length : 64 (characters)
Character class : Lowercase, uppercase and digits
Password history length : 5
Different username and password: yes
Password aging : enabled
Expiration warning message : 15 (days)
Password age : 365 (days)

gateway(config) # show password hardening
Password settings:
Password hardening : disabled

Related Commands

password

Notes

  • Wizard will prompt for enabling/disabling password hardening

  • Configuring password 7 while password hardening is enabled, will disable it

aaa accounting

aaa accounting changes default stop-only tacacs+
no aaa accounting changes default stop-only tacacs+

Enables logging of system changes to an AAA accounting server.
The no form of the command disables the accounting.

Syntax Description

N/A

Default

N/A

Configuration Mode

config

History

8.0.0100

Example

gateway (config) # aaa accounting changes default stop-only tacacs+

Related Commands

show aaa

Notes

  • TACACS+ is presently the only accounting service method supported

  • Change accounting covers both configuration changes and system actions that are visible under audit logging, however this feature operates independently of audit logging, so it is unaffected by the commands “logging level audit mgmt” or “configuration audit”

  • Configured TACACS+ servers are contacted in the order in which they appear in the configuration until one accepts the accounting data, or the server list is exhausted

  • Despite the name of the “stop-only” keyword, which indicates that this feature logs a TACACS+ accounting “stop” message, and in contrast to configuration change accounting, which happens after configuration database changes, system actions are logged when the action is started, not when the action has completed

aaa authentication login

aaa authentication login default <auth method> [<auth method> [<auth method> [<auth method> [<auth method>]]]]
no aaa authentication login

Sets a sequence of authentication methods. Up to four methods can be configured.
The no form of the command resets the configuration to its default.

Syntax Description

auth-method

  • local

  • radius

  • tacacs+

  • ldap

Default

local

Configuration Mode

Any command mode

History

8.0.0100

Example

gateway (config) # aaa authentication login default local radius tacacs+ ldap

Related Commands

show aaa

Notes

The order in which the methods are specified is the order in which the authentication is attempted. It is recommended that “local” is one of the methods selected.

aaa authentication attempts fail-delay

aaa authentication attempts fail-delay <time>
no aaa authentication attempts fail-delay

Configures delay for a specific period of time after every authentication failure.
The no form of the command resets the fail-delay to its default value.

Syntax Description

time

Range: 0-60 seconds

Default

0

Configuration Mode

config

History

8.0.0100

Example

gateway (config) # aaa authentication attempts fail-delay 1

Related Commands

Notes

aaa authentication attempts track

aaa authentication attempts track {downcase | enable}
no aaa authentication attempts track {downcase | enable}

Configure tracking for failed authentication attempts.
The no form of the command clears configuration for tracking authentication failures.

Syntax Description

downcase

Does not convert all usernames to lowercase (for authentication failure tracking purposes only).

enable

Disables tracking of failed authentication attempts.

Default

N/A

Configuration Mode

config

History

8.0.0100

Example

gateway (config) # aaa authentication attempts track enable

Related Commands

Notes

  • This is required for the lockout functionality described below, but can also be used on its own for informational purposes.

  • Disabling tracking does not clear any records of past authentication failures, or the locks in the database. However, it does prevent any updates to this database from being made: no new failures are recorded. It also disables lockout, preventing new lockouts from being recorded and existing lockouts from being enforced.

aaa authentication attempts lockout

aaa authentication attempts lockout {enable | lock-time | max-fail | unlock-time}
no aaa authentication attempts lockout {enable | lock-time | max-fail | unlock-time}

Configures lockout of accounts based on failed authentication attempts.
The no form of the command clears configuration for lockout of accounts based on failed authentication attempts.

Syntax Description

enable

Enables locking out of user accounts based on authentication failures.
This both suspends enforcement of any existing lockouts, and prevents any new lockouts from being recorded. If lockouts are later re-enabled, any lockouts that had been recorded previously resume being enforced; but accounts which have passed the max-fail limit in the meantime are NOT automatically locked at this time. They would be permitted one more attempt, and then locked, because of how the locking is done: lockouts are applied after an authentication failure, if the user has surpassed the threshold at that time.
Lockouts only work if tracking is enabled. Enabling lockouts automatically enables tracking. Disabling tracking automatically disables lockouts.

lock-time

Sets maximum permitted consecutive authentication failures before locking out users.
Unlike the “max-fail” setting, this does take effect immediately for all accounts.
If both unlock-time and lock-time are set, the unlock-time must be greater than the lock-time.
This is not based on the number of consecutive failures, and is therefore divorced from most of the rest of the tally feature, except for the tracking of the last login failure.

max-fail

Sets maximum permitted consecutive authentication failures before locking out users.
This setting only impacts what lockouts are imposed while the setting is active; it is not retroactive to previous logins. So if max-fail is disabled or changed, this does not immediately cause any users to be changed from locked to unlocked or vice versa.

unlock-time

Enables the auto-unlock of an account after a specified number of seconds if a user account is locked due to authentication failures, counting from the last valid login attempt.
Unlike the “max-fail” setting, this does take effect immediately for all accounts.
If both unlock-time and lock-time are set, the unlock-time must be greater than the lock-time.
Careful with disabling the unlock-time, particularly if you have max-fail set to something, and have not overridden the behavior for the admin (i.e. they are subject to lockouts also). If the admin account gets locked out, and there are no other administrators who can aid, the user may be forced to boot single-user and use the pam_tallybyname command-line utility to unlock your account manually. Even if one is careful not to incur this many authentication failures, it makes the system more subject to DOS attacks.

Default

N/A

Configuration Mode

config

History

8.0.0100

Example

gateway (config) # aaa authentication attempts lockout enable

Related Commands

Notes

aaa authentication attempts class-override

aaa authentication attempts class-override {admin [no-lockout] | unknown {no-track | hash-username}}
no aaa authentication attempts class-override {admin | unknown {no-track | hash-username}}

Overrides the global settings for tracking and lockouts for a type of account.
The no form of the command removes this override and lets the admin be handled according to the global settings.

Syntax Description

admin

Overrides the global settings for tracking and lockouts for the admin account. This applies only to the single account with the username “admin”. It does not apply to any other users with administrative privileges.

no-lockout

Prevents the admin user from being locked out though authentication failure history is still tracked (if tracking is enabled overall).

unknown

Overrides the global settings for tracking and lockouts for unknown accounts. The “unknown” class here contains the following categories:

  • Real remote usernames which simply failed authentication

  • Mis-typed remote usernames

  • Passwords accidentally entered as usernames

  • Bogus usernames made up as part of an attack on the system

hash-username

Applies a hash function to the username and stores the hashed result in lieu of the original

no-track

Does not track authentication for such users (which of course also implies no-lockout)

Default

N/A

Configuration Mode

config

History

8.0.0100

Example

gateway (config) # aaa authentication attempts class-override admin no-lockout

Related Commands

Notes

aaa authentication attempts reset

aaa authentication attempts reset {all | user <username>} [{no-clear-history | no-unlock}]

Clears the authentication history for and/or unlocks specified users.

Syntax Description

all

Applies function to all users

user

Applies function to a specific user

no-clear-history

Leaves the history of login failures but unlocks the account

no-unlock

Leaves the account locked but clears the history of login failures

Default

N/A

Configuration Mode

config

History

8.0.0100

Example

gateway (config) # aaa authentication attempts reset user admin all

Related Commands

Notes

clear aaa authentication attempts

clear aaa authentication attempts {all | user <username>} [no-clear-history | no-unlock]

Clears the authentication history for and/or unlocks specified users.

Syntax Description

all

Applies function to all users.

user

Applies function to a specific user.

no-clear-history

Clears the history of login failures.

no-unlock

Unlocks the account.

Default

N/A

Configuration Mode

config

History

8.0.0100

Example

gateway (config) # aaa authentication attempts reset user admin no-clear-history

Related Commands

Notes

aaa authorization

aaa authorization map [default-user <username> | order <policy> | fallback]
no aaa authorization map [default-user | order | fallback]

Sets the mapping permissions of a user in case a remote authentication is done.
The no form of the command resets the attributes to default.

Syntax Description

username

Specifies what local account the authenticated user will be logged on as when a user is authenticated (via RADIUS or TACACS+ or LDAP) and does not have a local account. If the username is local, this mapping is ignored.

order <policy>

Sets the user mapping behavior when authenticating users via RADIUS or TACACS+ or LDAP to one of three choices. The order determines how the remote user mapping behaves. If the authenticated username is valid locally, no mapping is performed. The setting has the following three possible behaviors:

  • local-only—maps all remote users to the user specified by the command “aaa authorization map default-user <user name>”. Any vendor attributes received by an authentication server are ignored.

  • remote-first—if a local-user mapping attribute is returned and it is a valid local username, it maps the authenticated user to the local user specified in the attribute. Otherwise, it uses the user specified by the default-user command.

  • remote-only—maps a remote authenticated user if the authentication server sends a local-user mapping attribute. If the attribute does not specify a valid local user, no further mapping is tried.

fallback

Sets the authenticating fallback behavior via RADIUS or TACACS+ or LDAP. This option attempts to authenticate username through the next authentication method listed in case of an error.

  • server-err—performs fallback if an error occurs while connecting to remote AAA server (e.g., server is down, not responding, and so forth)

Default

Default user—admin
Map order—remote-first
Order fallback—server-err

Configuration Mode

config

History

8.0.0100

Example

gateway (config) # aaa authorization map default-user admin

Related Commands

show aaa
username

Notes

  • If, for example, the user is locally defined to have admin permission, but in a remote server such as RADIUS the user is authenticated as monitor and the order is remote-first, then the user is given monitor permissions.

  • The user must be careful when disabling AAA authorization map fallback server-err, because if the remote server stops working then the user may lock themselves out.

show aaa

show aaa

Displays the AAA configuration.

Syntax Description

N/A

Default

N/A

Configuration Mode

Any command mode

History

8.0.0100

Example

gateway (config) # show aaa
AAA authorization:
Default User: admin
Map Order: remote-first
Fallback on server-err: yes
Authentication method(s):
local
Accounting method(s):
tacacs+

Related Commands

aaa accounting
aaa authentication
aaa authorization
show aaa
show usernames
username

Notes

show aaa authentication attempts

show aaa authentication attempts [configured | status user <username>]]

Displays the current authentication, authorization and accounting settings.

Syntax Description

authentication attempts

Displays configuration and history of authentication failures.

configured

Displays configuration of authentication failure tracking.

status user

Displays status of authentication failure tracking and lockouts for specific user.

Default

N/A

Configuration Mode

Any command mode

History

8.0.0100

Example

gateway (config) # show aaa authentication attempts
Configuration for authentication failure tracking and locking:

Track authentication failures: yes
Lock accounts based on authentication failures: yes
Override treatment of 'admin' user: (none)
Override treatment of unknown usernames: hash-usernames
Convert usernames to lowercase for tracking: no
Delay after each auth failure (fail delay): none

Configuration for lockouts based on authentication failures:
Lock account after consecutive auth failures: 5
Allow retry on locked accounts (unlock time): after 15 second(s)
Temp lock after each auth failure (lock time): none

Username Known Locked Failures Last fail time Last fail from
-------- ----- ------ -------- -------------- --------------
0Q72B43EHBKT8CB5AF5PGRX3U3B3TUL4CYJP93N(*) no no 1 2020/05/20 14:29:19 ttyS0

(*) Hashed for security reasons

Related Commands

Notes

radius-server

radius-server {key <secret>| retransmit <retries> | timeout <seconds>}
no radius-server {key | retransmit | timeout}

Sets global RADIUS server attributes.
The no form of the command resets the attributes to their default values.

Syntax Description

secret

Sets a secret key (shared hidden text string), known to the system and to the RADIUS server.

retries

Number of retries (0-5) before exhausting from the authentication.

seconds

Timeout in seconds between each retry (1-60).

Default

3 seconds, 1 retry

Configuration Mode

config

History

8.0.0100

Example

gateway (config) # radius-server retransmit 3

Related Commands

aaa authorization
radius-server host
show radius

Notes

Each RADIUS server can override those global parameters using the command “radius-server host”.

radius-server host

radius-server host <IP address> [enable | auth-port <port> | key <secret> | prompt-key | retransmit <retries> | timeout <seconds>| cipher <none | eap-peap> ]
no radius-server host <IP address> [auth-port | enable | cipher]

Configures RADIUS server attributes.
The no form of the command resets the attributes to their default values and deletes the RADIUS server.

Syntax Description

IP address

RADIUS server IP address

enable

Administrative enable of the RADIUS server

auth-port

Configures authentication port to use with this RADIUS server

port

RADIUS server UDP port number

key

Configures shared secret to use with this RADIUS server

prompt-key

Prompt for key, rather than entering on command line

retransmit

Configures retransmit count to use with this RADIUS server

retries

Number of retries (0-5) before exhausting from the authentication

timeout

Configures timeout between each try

seconds

Timeout in seconds between each retry (1-60)

cipher

Configures which cipher to use for communication encryption <none | eap-peap>

Default

3 seconds, 1 retry
Default UDP port is 1812

Configuration Mode

config

History

8.0.0100

Example

gateway (config) # radius-server host fe80::202:b3ff:fe1e:8329
gateway (config) # radius-server host 40.40.40.40

Related Commands

aaa authorization
radius-server
show radius

Notes

  • RADIUS servers are tried in the order they are configured

  • If you do not specify a parameter for this configured RADIUS server, the configuration will be taken from the global RADIUS server configuration. Refer to the command “radius-server”.

show radius

show radius

Displays RADIUS configurations.

Syntax Description

N/A

Default

N/A

Configuration Mode

Any command mode

History

8.0.0100

Example

gateway (config) # show radius

RADIUS defaults:
Key : ********
Timeout : 3
Retransmit : 1

RADIUS servers:
1.1.1.1:1812 :
Enabled : yes
Key : ********
Timeout : 3 (default)
Retransmit : 1 (default)
Cipher : none

40.40.40.40:1812:
Enabled : yes
Key : ********
Timeout : 3 (default)
Retransmit : 1 (default)

Related Commands

aaa authorization
radius-server
radius-server host

Notes

tacacs-server

tacacs-server {key <secret>| retransmit <retries> | timeout <seconds>}
no tacacs-server {key | retransmit | timeout}

Sets global TACACS+ server attributes.
The no form of the command resets the attributes to default values.

Syntax Description

secret

Set a secret key (shared hidden text string), known to the system and to the TACACS+ server.

retries

Number of retries (0-5) before exhausting from the authentication.

seconds

Timeout in seconds between each retry.
Reang: 1-60

Default

3 seconds, 1 retry

Configuration Mode

config

History

8.0.0100

Example

gateway (config) # tacacs-server retransmit 3

Related Commands

aaa authorization
show radius
show tacacs
tacacs-server host

Notes

Each TACACS+ server can override those global parameters using the command “tacacs-server host”.

tacacs-server host

tacacs-server host <IP address> {enable | auth-port <port> | auth-type <type> | key <secret> | prompt-key | retransmit <retries> | timeout <seconds>}
no tacacs-server host <IP address> {enable | auth-port}

Configures TACACS+ server attributes.
The no form of the command resets the attributes to their default values and deletes the TACACS+ server.

Syntax Description

IP address

TACACS+ server IP address.

enable

Administrative enable for the TACACS+ server.

auth-port

Configures authentication port to use with this TACACS+ server.

port

TACACS+ server UDP port number.

auth-type

Configures authentication type to use with this TACACS+ server.

type

Authentication type. Possible values are:

  • ASCII

  • PAP (Password Authentication Protocol)

key

Configures shared secret to use with this TACACS+ server.

secret

Sets a secret key (shared hidden text string), known to the system and to the TACACS+ server.

prompt-key

Prompts for key, rather than entering key on command line.

retransmit

Configures retransmit count to use with this TACACS+ server.

retries

Number of retries (0-5) before exhausting from the authentication.

timeout

Configures timeout to use with this TACACS+ server.

seconds

Timeout in seconds between each retry.
Range: 1-60

Default

3 seconds, 1 retry
Default TCP port is 49
Default auth-type is PAP

Configuration Mode

config

History

8.0.0100

Example

gateway (config) # tacacs-server host 40.40.40.40

Related Commands

aaa authorization
show tacacs
tacacs-server

Notes

  • TACACS+ servers are tried in the order they are configured

  • A PAP auth-type similar to an ASCII login, except that the username and password arrive at the network access server in a PAP protocol packet instead of being typed in by the user, so the user is not prompted

  • If the user does not specify a parameter for this configured TACACS+ server, the configuration will be taken from the global TACACS+ server configuration. Refer to the command “tacacs-server”.

show tacacs

show tacacs

Displays TACACS+ configurations.

Syntax Description

N/A

Default

N/A

Configuration Mode

Any command mode

History

8.0.0100

Example

gateway (config) # show tacacs

TACACS+ defaults:

  Key : ******** 
  Timeout : 3 Retransmit: 1
TACACS+ servers:
1.1.1.1:49:
Enabled : yes
Auth Type : pap
Key : ********
Timeout : 3 (default)
Retransmit: 1 (default)

Related Commands

aaa authorization
tacacs-server
tacacs-server host

Notes

© Copyright 2023, NVIDIA. Last updated on May 23, 2023.