User Management and Security Commands
username
username <username> [capability <cap> | disable [login | password] | disconnect | full-name <name> | nopassword | password [0 | 7] <password>]
Creates a user and sets its capabilities, password and name.

Syntax Description
username
Specifies a username and creates a user account. New users are created initially with admin privileges but are disabled. Allowed characters for the username:
Any single character or combination of characters from the above is allowed except for a period "." in a single form.

capability <cap>
Defines user capabilities.

disable [login | password]

disconnect
Logs out the specified user from the system.

name
Full name of the user.

nopassword
The next login of the user will not require a password.

0 | 7

password
Specifies a password for the user in string form. If [0 | 7] was not specified, the password is in cleartext.

Default
The following usernames are available by default:

Configuration Mode
config

History
8.0.0100

Example
gateway (config) # username monitor full-name smith

Related Commands
show usernames

Notes
show usernames
show usernames
Displays the list of users and their capabilities.

Syntax Description
N/A

Default
N/A

Configuration Mode
Any command mode

History
8.0.0100

Example
gateway (config) # show usernames
USERNAME   FULL NAME   CAPABILITY   ACCOUNT STATUS

Related Commands
username

Notes
show users
show users [history]
Displays logged-in users and related information such as idle time and the host they have connected from.

Syntax Description
history
Displays current and historical sessions.

Default
N/A

Configuration Mode
Any command mode

History
8.0.0100

Example
gateway (config) # show users
USERNAME   FULL NAME              LINE    HOST             IDLE
admin      System Administrator   pts/0   172.22.237.174   0d0h34m4s
gateway (config) # show users history

Related Commands
username

Notes
show whoami
show whoami
Displays the username and capabilities of the user currently logged in.

Syntax Description
N/A

Default
N/A

Configuration Mode
Any command mode

History
8.0.0100

Example
gateway (config) # show whoami

Related Commands
username

Notes
password
password [age expiration <days> | age warning <days> | history <length> | length minimal <length> | length maximal <length> | username-password-match enable | complexity-class <char class> | hardening enable]
Configures restrictions for new passwords.

Syntax Description
age expiration <days>
Specifies the validity period of any configured password.

age warning <days>
Specifies how many days before expiration a warning message is printed at login.

history <length>
Specifies how many passwords are saved per user. A new password is compared to the previous passwords and is not allowed if it is the same as an old one. Range: 0-20 passwords

length minimal <length>
Specifies the minimal length of an allowed password. Range: 1-32 characters

length maximal <length>
Specifies the maximal length of an allowed password. Range: 64-80 characters

username-password-match enable
Restricts the user from having a password identical to its username.

complexity-class <char class>
Specifies which character classes must be used when configuring a password.
Special characters allowed are: `~!@#$%^&*()-_=+[{}];:',<.>

hardening enable
Enables password restrictions. If enabled, all of the above are checked for every new password that is configured. A password that does not meet the requirements is rejected.

Default
Enabled. After upgrade, the feature is disabled by default.

Configuration Mode
config

History
8.1.1000

Example
gateway (config) # password hardening enable

Related Commands
show password hardening

Notes
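The checks that "password hardening enable" switches on can be modelled as a small policy function. The code below is an added illustration, not the gateway's own implementation; the policy dictionary keys, the chosen values, and the character-class names (lower, upper, digit, special) are assumptions, while the special-character set and the ranges in the comments come from the command description above.

```python
# Special characters the command reference lists as allowed in passwords.
SPECIAL_CHARS = "`~!@#$%^&*()-_=+[{}];:',<.>"

# Hypothetical policy mirroring the "password" command keywords (values are
# constructed examples inside the ranges given for each keyword).
DEFAULT_POLICY = {
    "hardening_enable": True,
    "length_minimal": 8,      # length minimal: 1-32 characters
    "length_maximal": 64,     # length maximal: 64-80 characters
    "history": 5,             # history: 0-20 saved passwords
    "username_password_match": True,
    # character classes a new password must contain (names are an assumption)
    "complexity_class": {"lower", "upper", "digit", "special"},
}

CLASS_TESTS = {
    "lower": str.islower,
    "upper": str.isupper,
    "digit": str.isdigit,
    "special": lambda c: c in SPECIAL_CHARS,
}


def check_password(username, candidate, previous, policy=DEFAULT_POLICY):
    """Return the list of violated restrictions; an empty list means accepted.

    `previous` is the per-user password history (oldest first). A real device
    would compare stored hashes; plaintext is used here only to keep the demo short.
    """
    if not policy["hardening_enable"]:
        return []  # with hardening disabled nothing is enforced
    problems = []
    n = len(candidate)
    if n < policy["length_minimal"]:
        problems.append("length minimal")
    if n > policy["length_maximal"]:
        problems.append("length maximal")
    if policy["username_password_match"] and candidate == username:
        problems.append("username-password-match")
    missing = {cls for cls in policy["complexity_class"]
               if not any(CLASS_TESTS[cls](c) for c in candidate)}
    if missing:
        problems.append("complexity-class: missing " + ", ".join(sorted(missing)))
    # only the most recent <history> passwords are compared against
    recent = previous[-policy["history"]:] if policy["history"] else []
    if candidate in recent:
        problems.append("history")
    return problems
```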
show password hardening
show password hardening
Displays all the configured password restriction settings.

Syntax Description
N/A

Default
N/A

Configuration Mode
Any command mode

History
8.1.1000

Example

Related Commands
password

Notes
aaa accounting
aaa accounting changes default stop-only tacacs+
Enables logging of system changes to an AAA accounting server.

Syntax Description
N/A

Default
N/A

Configuration Mode
config

History
8.0.0100

Example
gateway (config) # aaa accounting changes default stop-only tacacs+

Related Commands
show aaa

Notes
aaa authentication login
aaa authentication login default <auth method> [<auth method> [<auth method> [<auth method> [<auth method>]]]]
Sets a sequence of authentication methods. Up to four methods can be configured.

Syntax Description
auth-method

Default
local

Configuration Mode
Any command mode

History
8.0.0100

Example
gateway (config) # aaa authentication login default local radius tacacs+ ldap

Related Commands
show aaa

Notes
The order in which the methods are specified is the order in which authentication is attempted. It is recommended that "local" is one of the methods selected.
aaa authentication attempts fail-delay
aaa authentication attempts fail-delay <time>
Configures a delay for a specific period of time after every authentication failure.

Syntax Description
time
Range: 0-60 seconds

Default
0

Configuration Mode
config

History
8.0.0100

Example
gateway (config) # aaa authentication attempts fail-delay 1

Related Commands

Notes
aaa authentication attempts track
aaa authentication attempts track {downcase | enable}
Configures tracking for failed authentication attempts.

Syntax Description
downcase
Does not convert all usernames to lowercase (for authentication failure tracking purposes only).

enable
Disables tracking of failed authentication attempts.

Default
N/A

Configuration Mode
config

History
8.0.0100

Example
gateway (config) # aaa authentication attempts track enable

Related Commands

Notes
aaa authentication attempts lockout
aaa authentication attempts lockout {enable | lock-time | max-fail | unlock-time}
Configures lockout of accounts based on failed authentication attempts.

Syntax Description
enable
Enables locking out of user accounts based on authentication failures.

lock-time
Sets maximum permitted consecutive authentication failures before locking out users.

max-fail
Sets maximum permitted consecutive authentication failures before locking out users.

unlock-time
Enables the auto-unlock of an account after a specified number of seconds if a user account is locked due to authentication failures, counting from the last valid login attempt.

Default
N/A

Configuration Mode
config

History
8.0.0100

Example
gateway (config) # aaa authentication attempts lockout enable

Related Commands

Notes
aaa authentication attempts class-override
aaa authentication attempts class-override {admin [no-lockout] | unknown {no-track | hash-username}}
Overrides the global settings for tracking and lockouts for a type of account.

Syntax Description
admin
Overrides the global settings for tracking and lockouts for the admin account. This applies only to the single account with the username "admin". It does not apply to any other users with administrative privileges.

no-lockout
Prevents the admin user from being locked out, though authentication failure history is still tracked (if tracking is enabled overall).

unknown
Overrides the global settings for tracking and lockouts for unknown accounts. The "unknown" class here contains the following categories:

hash-username
Applies a hash function to the username and stores the hashed result in lieu of the original.

no-track
Does not track authentication for such users (which also implies no-lockout).

Default
N/A

Configuration Mode
config

History
8.0.0100

Example
gateway (config) # aaa authentication attempts class-override admin no-lockout

Related Commands

Notes
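How the lockout settings, the admin no-lockout override and the unknown-account hash-username/no-track overrides interact is easier to see in a small state machine. This is an added model, not the gateway's code: the configuration keys, the sample values, the choice of SHA-256 for hash-username and starting the unlock-time timer at the moment of lockout are all assumptions.

```python
import hashlib

# Hypothetical settings mirroring the "aaa authentication attempts" keywords.
CONFIG = {
    "track_enable": True,
    "lockout_enable": True,
    "max_fail": 3,                 # consecutive failures before lockout
    "unlock_time": 300,            # seconds until a locked account auto-unlocks
    "admin_no_lockout": True,      # class-override admin no-lockout
    "unknown": "hash-username",    # class-override unknown {no-track | hash-username}
}


class AttemptTracker:
    def __init__(self, config, local_users):
        self.cfg = config
        self.local_users = set(local_users)
        self.state = {}  # tracking key -> {"fails": int, "locked_at": time or None}

    def _key(self, username):
        """Tracking key for a username; None means the unknown class is not tracked."""
        if username in self.local_users:
            return username
        if self.cfg["unknown"] == "no-track":
            return None
        # hash-username: keep a digest instead of the arbitrary string that was typed
        return "unknown:" + hashlib.sha256(username.encode()).hexdigest()[:16]

    def is_locked(self, username, now):
        rec = self.state.get(self._key(username))
        if not rec or rec["locked_at"] is None:
            return False
        if self.cfg["unlock_time"] and now - rec["locked_at"] >= self.cfg["unlock_time"]:
            rec["locked_at"], rec["fails"] = None, 0  # auto-unlock (timer from lock, assumed)
            return False
        return True

    def record(self, username, success, now):
        """Update state after one authentication result; returns True if it locked the account."""
        key = self._key(username)
        if key is None or not self.cfg["track_enable"]:
            return False
        rec = self.state.setdefault(key, {"fails": 0, "locked_at": None})
        if success:
            rec["fails"] = 0
            return False
        rec["fails"] += 1  # history is tracked even for the exempt admin account
        exempt = username == "admin" and self.cfg["admin_no_lockout"]
        if self.cfg["lockout_enable"] and not exempt and rec["fails"] >= self.cfg["max_fail"]:
            rec["locked_at"] = now
            return True
        return False
```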
aaa authentication attempts reset
aaa authentication attempts reset {all | user <username>} [{no-clear-history | no-unlock}]
Clears the authentication history for and/or unlocks the specified users.

Syntax Description
all
Applies the function to all users.

user
Applies the function to a specific user.

no-clear-history
Leaves the history of login failures but unlocks the account.

no-unlock
Leaves the account locked but clears the history of login failures.

Default
N/A

Configuration Mode
config

History
8.0.0100

Example
gateway (config) # aaa authentication attempts reset user admin all

Related Commands

Notes
clear aaa authentication attempts
clear aaa authentication attempts {all | user <username>} [no-clear-history | no-unlock]
Clears the authentication history for and/or unlocks the specified users.

Syntax Description
all
Applies the function to all users.

user
Applies the function to a specific user.

no-clear-history
Clears the history of login failures.

no-unlock
Unlocks the account.

Default
N/A

Configuration Mode
config

History
8.0.0100

Example
gateway (config) # aaa authentication attempts reset user admin no-clear-history

Related Commands

Notes
aaa authorization
aaa authorization map [default-user <username> | order <policy> | fallback]
Sets the mapping permissions of a user in case remote authentication is done.

Syntax Description
username
Specifies which local account the authenticated user is logged on as when the user is authenticated (via RADIUS, TACACS+ or LDAP) and does not have a local account. If the username is local, this mapping is ignored.

order <policy>
Sets the user mapping behavior when authenticating users via RADIUS, TACACS+ or LDAP to one of three choices. The order determines how the remote user mapping behaves. If the authenticated username is valid locally, no mapping is performed. The setting has the following three possible behaviors:

fallback
Sets the authentication fallback behavior via RADIUS, TACACS+ or LDAP. This option attempts to authenticate the username through the next listed authentication method in case of an error.

Default
Default user: admin

Configuration Mode
config

History
8.0.0100

Example
gateway (config) # aaa authorization map default-user admin

Related Commands
show aaa

Notes
show aaa
show aaa
Displays the AAA configuration.

Syntax Description
N/A

Default
N/A

Configuration Mode
Any command mode

History
8.0.0100

Example
gateway (config) # show aaa
AAA authorization:

Related Commands
aaa accounting

Notes
show aaa authentication attempts
show aaa authentication attempts [configured | status user <username>]
Displays the current authentication, authorization and accounting settings.

Syntax Description
authentication attempts
Displays the configuration and history of authentication failures.

configured
Displays the configuration of authentication failure tracking.

status user
Displays the status of authentication failure tracking and lockouts for a specific user.

Default
N/A

Configuration Mode
Any command mode

History
8.0.0100

Example
gateway (config) # show aaa authentication attempts
Configuration for authentication failure tracking and locking:

Related Commands

Notes
radius-server
radius-server {key <secret> | retransmit <retries> | timeout <seconds>}
Sets global RADIUS server attributes.

Syntax Description
secret
Sets a secret key (shared hidden text string), known to the system and to the RADIUS server.

retries
Number of retries (0-5) before giving up on the authentication.

seconds
Timeout in seconds between each retry (1-60).

Default
3 seconds, 1 retry

Configuration Mode
config

History
8.0.0100

Example
gateway (config) # radius-server retransmit 3

Related Commands
aaa authorization

Notes
Each RADIUS server can override these global parameters using the command "radius-server host".
radius-server host
radius-server host <IP address> [enable | auth-port <port> | key <secret> | prompt-key | retransmit <retries> | timeout <seconds> | cipher <none | eap-peap>]
Configures RADIUS server attributes.

Syntax Description
IP address
RADIUS server IP address.

enable
Administrative enable of the RADIUS server.

auth-port
Configures the authentication port to use with this RADIUS server.

port
RADIUS server UDP port number.

key
Configures the shared secret to use with this RADIUS server.

prompt-key
Prompts for the key rather than entering it on the command line.

retransmit
Configures the retransmit count to use with this RADIUS server.

retries
Number of retries (0-5) before giving up on the authentication.

timeout
Configures the timeout between each try.

seconds
Timeout in seconds between each retry (1-60).

cipher
Configures which cipher to use for communication encryption: <none | eap-peap>.

Default
3 seconds, 1 retry

Configuration Mode
config

History
8.0.0100

Example
gateway (config) # radius-server host fe80::202:b3ff:fe1e:8329

Related Commands
aaa authorization

Notes
show radius
show radius
Displays RADIUS configurations.

Syntax Description
N/A

Default
N/A

Configuration Mode
Any command mode

History
8.0.0100

Example

Related Commands
aaa authorization

Notes
tacacs-server
tacacs-server {key <secret> | retransmit <retries> | timeout <seconds>}
Sets global TACACS+ server attributes.

Syntax Description
secret
Sets a secret key (shared hidden text string), known to the system and to the TACACS+ server.

retries
Number of retries (0-5) before giving up on the authentication.

seconds
Timeout in seconds between each retry.

Default
3 seconds, 1 retry

Configuration Mode
config

History
8.0.0100

Example
gateway (config) # tacacs-server retransmit 3

Related Commands
aaa authorization

Notes
Each TACACS+ server can override these global parameters using the command "tacacs-server host".
tacacs-server host
tacacs-server host <IP address> {enable | auth-port <port> | auth-type <type> | key <secret> | prompt-key | retransmit <retries> | timeout <seconds>}
Configures TACACS+ server attributes.

Syntax Description
IP address
TACACS+ server IP address.

enable
Administrative enable for the TACACS+ server.

auth-port
Configures the authentication port to use with this TACACS+ server.

port
TACACS+ server UDP port number.

auth-type
Configures the authentication type to use with this TACACS+ server.

type
Authentication type. Possible values are:

key
Configures the shared secret to use with this TACACS+ server.

secret
Sets a secret key (shared hidden text string), known to the system and to the TACACS+ server.

prompt-key
Prompts for the key rather than entering it on the command line.

retransmit
Configures the retransmit count to use with this TACACS+ server.

retries
Number of retries (0-5) before giving up on the authentication.

timeout
Configures the timeout to use with this TACACS+ server.

seconds
Timeout in seconds between each retry.

Default
3 seconds, 1 retry

Configuration Mode
config

History
8.0.0100

Example
gateway (config) # tacacs-server host 40.40.40.40

Related Commands
aaa authorization

Notes
show tacacs
show tacacs
Displays TACACS+ configurations.

Syntax Description
N/A

Default
N/A

Configuration Mode
Any command mode

History
8.0.0100

Example
gateway (config) # show tacacs
Key       : ********
Timeout   : 3
Retransmit: 1
TACACS+ servers:

Related Commands
aaa authorization

Notes