Date: 2023-09-08
User Management and Security Commands
username
username <username> [capability <cap> | disable [login | password] | disconnect | full-name <name> | nopassword | password [0 | 7] <password>]
Creates a user and sets its capabilities, password and name.
Syntax Description
username
Specifies a username and creates a user account. New users are created initially with admin privileges but are disabled.
Allowed characters for the username:
Any single character or combination of characters from the above is allowed, except for a period "." on its own.
capability <cap>
Defines user capabilities.
disable [login | password]
disconnect
Logs out the specified user from the system.
name
Full name of the user.
nopassword
The next login of the user will not require a password.
0 | 7
password
Specifies a password for the user in string form. If [0 | 7] is not specified, the password is in cleartext.
Default
The following usernames are available by default:
Configuration Mode
config
History
Example
switch (config) # username monitor full-name smith
Related Commands
show usernames
show usernames
show usernames
Displays the list of users and their capabilities.
Syntax Description
N/A
Default
N/A
Configuration Mode
Any command mode
History
Example
switch (config) # show usernames
USERNAME FULL NAME CAPABILITY ACCOUNT STATUS
Related Commands
username
show users
show users [history]
Displays logged-in users and related information such as idle time and the host they have connected from.
Syntax Description
history
Displays current and historical sessions.
History
3.1.0000
Example
switch (config) # show users
USERNAME FULL NAME LINE HOST IDLE
admin System Administrator pts/0 172.22.237.174 0d0h34m4s
switch (config) # show users history
Related Commands
username
show whoami
show whoami
Displays the username and capabilities of the user currently logged in.
Syntax Description
N/A
Default
N/A
Configuration Mode
Any command mode
History
3.1.0000
Example
switch (config) # show whoami
Related Commands
username
password
password [age expiration <days> | age warning <days> | history <length> | length minimal <length> | length maximal <length> | username-password-match enable | complexity-class <char class> | hardening enable]
Configures restrictions for new passwords.
Syntax Description
age expiration <days>
Specifies the validity period of any configured password.
age warning <days>
Specifies how many days before expiration a warning message is printed at login.
history <length>
Specifies how many passwords are saved per user. A new password is compared with the saved ones and rejected if it matches any of them.
Range: 0-20 passwords
length minimal <length>
Specifies the minimal length of an allowed password.
Range: 1-32 characters
length maximal <length>
Specifies the maximal length of an allowed password.
Range: 64-80 characters
username-password-match enable
Restricts the user from having a password identical to the username.
complexity-class <char class>
Specifies which character classes must be used when configuring a password.
Special characters allowed are: `~!@#$%^&*()-_=+[{}];:',<.>
hardening enable
Enables password restrictions. If enabled, all of the above are checked against every new password being configured, and a password that does not meet the requirements is rejected.
Default
Enabled. After an upgrade, the feature is disabled by default.
Configuration Mode
config
History
3.9.2000
Example
switch (config) # password hardening enable
Related Commands
show password hardening
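The checks that the password options above describe, as an added worked example that is not part of the original page or of the switch software: a small Python model of the rules applied to a new password when hardening is enabled, plus the age expiration/warning classification. The POLICY dictionary and its key names, the numeric reading of complexity-class (number of character classes required), and keeping the password history in plaintext are assumptions of this example only.

```python
import datetime as dt

# Added example (not switch code): the checks behind "password hardening enable".
# The POLICY keys are this example's own names for the command's options.
POLICY = {
    "hardening": True,                # password hardening enable
    "length_minimal": 8,              # password length minimal <length> (range 1-32)
    "length_maximal": 64,             # password length maximal <length> (range 64-80)
    "history": 5,                     # password history <length> (range 0-20)
    "username_password_match": True,  # password username-password-match enable
    "complexity_classes": 3,          # complexity-class, read here as "classes required" (assumption)
    "age_expiration_days": 90,        # password age expiration <days>
    "age_warning_days": 7,            # password age warning <days>
}

# Special characters listed on the page for complexity-class.
SPECIAL = "`~!@#$%^&*()-_=+[{}];:',<.>"


def char_classes(pw):
    """Count the character classes present in pw: lower, upper, digit, special."""
    checks = (str.islower, str.isupper, str.isdigit, lambda c: c in SPECIAL)
    return sum(1 for check in checks if any(check(c) for c in pw))


def check_new_password(policy, username, new_pw, previous):
    """Return the rule violations for new_pw; an empty list means it is accepted.

    `previous` holds the user's earlier passwords, newest last. They are kept as
    plaintext only to keep the example short; a real implementation compares
    salted hashes.
    """
    if not policy["hardening"]:
        return []                     # hardening disabled: nothing is checked
    problems = []
    if len(new_pw) < policy["length_minimal"]:
        problems.append("shorter than length minimal")
    if len(new_pw) > policy["length_maximal"]:
        problems.append("longer than length maximal")
    if policy["username_password_match"] and new_pw == username:
        problems.append("password identical to username")
    if char_classes(new_pw) < policy["complexity_classes"]:
        problems.append("too few character classes")
    # history 0 keeps no passwords; slicing with -0 would return the whole list
    if policy["history"] and new_pw in previous[-policy["history"]:]:
        problems.append("reused a password from history")
    return problems


def password_age_status(policy, set_on_iso, today_iso):
    """Classify a password by age: 'expired', 'warning' (inside the warning window) or 'ok'."""
    set_on = dt.date.fromisoformat(set_on_iso)
    today = dt.date.fromisoformat(today_iso)
    age_days = (today - set_on).days
    if age_days >= policy["age_expiration_days"]:
        return "expired"
    if age_days >= policy["age_expiration_days"] - policy["age_warning_days"]:
        return "warning"
    return "ok"


if __name__ == "__main__":
    print(check_new_password(POLICY, "smith", "smith", []))
    print(check_new_password(POLICY, "smith", "Corr3ct!Horse", ["Corr3ct!Horse"]))
    print(password_age_status(POLICY, "2023-01-01", "2023-03-27"))
```

Running the block shows the three violations for a password equal to the username, the history rejection of a reused password, and a "warning" verdict for a password 85 days old under a 90-day expiration with a 7-day warning window.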
show password hardening
show password hardening
Displays all the configured password restriction settings.
Syntax Description
N/A
Configuration Mode
Any command mode
History
3.9.2000
Related Commands
password
aaa accounting
aaa accounting changes default stop-only tacacs+
Enables logging of system changes to an AAA accounting server.
Syntax Description
N/A
Configuration Mode
config
History
3.1.0000
Example
switch (config) # aaa accounting changes default stop-only tacacs+
Related Commands
show aaa
aaa authentication login
aaa authentication login default <auth method> [<auth method> [<auth method> [<auth method> [<auth method>]]]]
Sets a sequence of authentication methods. Up to four methods can be configured.
Syntax Description
auth-method
Default
local
Configuration Mode
Any command mode
History
3.1.0000
Example
switch (config) # aaa authentication login default radius tacacs+ ldap local
Related Commands
show aaa
aaa authentication attempts fail-delay
aaa authentication attempts fail-delay <time>
Configures a delay of the specified period after every authentication failure.
Syntax Description
time
Range: 0-60 seconds
Default
0
Configuration Mode
config
History
3.5.0200
Example
switch (config) # aaa authentication attempts fail-delay 1
aaa authentication attempts track
aaa authentication attempts track {downcase | enable}
Configures tracking of failed authentication attempts.
Syntax Description
downcase
Does not convert all usernames to lowercase (for authentication failure tracking purposes only).
enable
Disables tracking of failed authentication attempts.
Default
N/A
Configuration Mode
config
History
3.5.0200
Example
switch (config) # aaa authentication attempts track enable
aaa authentication attempts lockout
aaa authentication attempts lockout {enable | lock-time | max-fail | unlock-time}
Configures lockout of accounts based on failed authentication attempts.
Syntax Description
enable
Enables locking out of user accounts based on authentication failures.
lock-time
Sets the maximum permitted consecutive authentication failures before locking out users.
max-fail
Sets the maximum permitted consecutive authentication failures before locking out users.
unlock-time
Enables auto-unlock of an account after a specified number of seconds if the account is locked due to authentication failures, counting from the last valid login attempt.
Default
N/A
Configuration Mode
config
History
3.2.3000
Example
switch (config) # aaa authentication attempts lockout enable
aaa authentication attempts class-override
aaa authentication attempts class-override {admin [no-lockout] | unknown {no-track | hash-username}}
Overrides the global settings for tracking and lockouts for a type of account.
Syntax Description
admin
Overrides the global tracking and lockout settings for the admin account. This applies only to the single account with the username "admin", not to other users with administrative privileges.
no-lockout
Prevents the admin user from being locked out; authentication failure history is still tracked (if tracking is enabled overall).
unknown
Overrides the global tracking and lockout settings for unknown accounts. The "unknown" class here contains the following categories:
hash-username
Applies a hash function to the username and stores the hashed result in place of the original.
no-track
Does not track authentication for such users (which also implies no-lockout).
Default
N/A
Configuration Mode
config
History
3.2.3000
Example
switch (config) # aaa authentication attempts class-override admin no-lockout
aaa authentication attempts reset
aaa authentication attempts reset {all | user <username>} [{no-clear-history | no-unlock}]
Clears the authentication history for, and/or unlocks, the specified users.
Syntax Description
all
Applies the function to all users.
user
Applies the function to a specific user.
no-clear-history
Leaves the history of login failures but unlocks the account.
no-unlock
Leaves the account locked but clears the history of login failures.
Default
N/A
Configuration Mode
config
History
3.2.3000
Example
switch (config) # aaa authentication attempts reset user admin all
clear aaa authentication attempts
clear aaa authentication attempts {all | user <username>} [no-clear-history | no-unlock]
Clears the authentication history for, and/or unlocks, the specified users.
Syntax Description
all
Applies the function to all users.
user
Applies the function to a specific user.
no-clear-history
Clears the history of login failures.
no-unlock
Unlocks the account.
Default
N/A
Configuration Mode
config
History
3.2.3000
Example
switch (config) # aaa authentication attempts reset user admin no-clear-history
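The tracking, lockout, class-override and reset behaviour described across the aaa authentication attempts entries above (track, lockout, class-override and reset), as an added Python model that is not part of the original page or of the switch software. The class name, the in-memory tables, counting unlock-time from the start of a lockout, and the truncated SHA-256 used for hash-username are this example's own choices; lock-time is left out because the page gives it the same description as max-fail.

```python
import hashlib

# Added example (not switch code): failed-login tracking with max-fail lockout,
# unlock-time auto-unlock, downcase folding, the admin no-lockout override, the
# unknown-user no-track / hash-username overrides, and reset with its two
# "no-" options. All state lives in two dictionaries kept by the class.


class LockoutTracker:
    def __init__(self, max_fail=5, unlock_time=300, downcase=True,
                 known_users=("admin", "monitor"), admin_no_lockout=False,
                 unknown_policy="track"):
        self.max_fail = max_fail                  # lockout max-fail
        self.unlock_time = unlock_time            # lockout unlock-time in seconds (0 = never)
        self.downcase = downcase                  # track downcase
        self.known_users = set(known_users)       # local accounts; anyone else is "unknown"
        self.admin_no_lockout = admin_no_lockout  # class-override admin no-lockout
        self.unknown_policy = unknown_policy      # "track", "no-track" or "hash-username"
        self.failures = {}                        # tracked name -> consecutive failure count
        self.locked_at = {}                       # tracked name -> time the lockout started

    def _key(self, username):
        """Name under which failures are recorded, or None if the user is not tracked."""
        name = username.lower() if self.downcase else username
        if name not in self.known_users:
            if self.unknown_policy == "no-track":
                return None
            if self.unknown_policy == "hash-username":
                # keep a hash of the unknown name instead of the name itself
                digest = hashlib.sha256(name.encode()).hexdigest()[:16]
                return "unknown:" + digest
        return name

    def is_locked(self, username, now):
        key = self._key(username)
        if key is None or key not in self.locked_at:
            return False
        # Simplification: unlock-time is counted from the start of the lockout.
        if self.unlock_time and now - self.locked_at[key] >= self.unlock_time:
            del self.locked_at[key]
            self.failures[key] = 0
            return False
        return True

    def record_failure(self, username, now):
        """Count one failed login; returns True if the account is locked afterwards."""
        key = self._key(username)
        if key is None:
            return False
        self.failures[key] = self.failures.get(key, 0) + 1
        exempt = self.admin_no_lockout and key == "admin"
        if not exempt and self.failures[key] >= self.max_fail:
            self.locked_at.setdefault(key, now)
        return key in self.locked_at

    def record_success(self, username):
        """A valid login clears the consecutive-failure counter."""
        key = self._key(username)
        if key is not None:
            self.failures[key] = 0

    def reset(self, username=None, clear_history=True, unlock=True):
        """reset {all | user <name>}; no-clear-history = clear_history=False, no-unlock = unlock=False."""
        if username is None:
            keys = set(self.failures) | set(self.locked_at)
        else:
            keys = {self._key(username)} - {None}
        for key in keys:
            if clear_history:
                self.failures.pop(key, None)
            if unlock:
                self.locked_at.pop(key, None)


if __name__ == "__main__":
    t = LockoutTracker(max_fail=3, unlock_time=60, admin_no_lockout=True,
                       unknown_policy="hash-username")
    for _ in range(3):
        t.record_failure("Monitor", now=100)
    print("monitor locked at t=110:", t.is_locked("monitor", 110))
    print("monitor locked at t=160:", t.is_locked("monitor", 160))
    for _ in range(5):
        t.record_failure("admin", now=100)
    print("admin locked:", t.is_locked("admin", 100), "failures:", t.failures["admin"])
    t.record_failure("nobody", now=100)
    print("tracked keys:", sorted(t.failures))
```

The run shows the three behaviours worth checking on a real box: the monitor account locks on the third failure and auto-unlocks once unlock-time has elapsed, the admin account keeps accumulating failures but never locks under the no-lockout override, and the unknown name appears in the table only as a hash.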
aaa authorization
aaa authorization map [default-user <username> | order <policy> | fallback]
Sets the mapping permissions of a user when remote authentication is performed.
Syntax Description
username
Specifies which local account the authenticated user is logged on as when the user is authenticated (via RADIUS, TACACS+ or LDAP) and has no local account. If the username is local, this mapping is ignored.
order <policy>
Sets the user mapping behavior when authenticating users via RADIUS, TACACS+ or LDAP to one of three choices. The order determines how remote user mapping behaves. If the authenticated username is valid locally, no mapping is performed. The setting has the following three possible behaviors:
fallback
Sets the authentication fallback behavior for RADIUS, TACACS+ or LDAP. This option attempts to authenticate the username through the next authentication method listed in case of an error.
Default
Default user: admin
Configuration Mode
config
History
3.1.0000
Example
switch (config) # aaa authorization map default-user admin
Related Commands
show aaa
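How the method sequence from aaa authentication login, the fallback option and the default-user mapping above interact, as an added Python simulation that is not part of the original page or of the switch software. It assumes that a remote method whose servers give no answer after their retries counts as an error (so with fallback the next method is tried), that an explicit reject ends the sequence, and that each server is tried once plus retransmit retries; the Server class, the callables standing in for RADIUS/TACACS+ servers and the addresses are constructed for the example.

```python
# Added example (not switch code): the "aaa authentication login default <methods>"
# sequence with "aaa authorization map fallback" and the retransmit/timeout
# attributes of radius-server / tacacs-server. Servers are plain callables here.

GLOBAL = {"retransmit": 1, "timeout": 3}   # the page's defaults: 3 seconds, 1 retry


class Server:
    def __init__(self, host, respond, **overrides):
        self.host = host
        self.respond = respond      # callable(user, pw) -> "accept" | "reject", or raises TimeoutError
        # per-host "radius-server host" / "tacacs-server host" values override the globals
        self.retransmit = overrides.get("retransmit", GLOBAL["retransmit"])
        self.timeout = overrides.get("timeout", GLOBAL["timeout"])


def query_server(server, user, pw, log):
    """One server: the initial try plus `retransmit` retries. None means no answer at all."""
    for attempt in range(server.retransmit + 1):
        try:
            verdict = server.respond(user, pw)
            log.append(f"{server.host}: {verdict} (try {attempt + 1})")
            return verdict
        except TimeoutError:
            log.append(f"{server.host}: no reply within {server.timeout}s (try {attempt + 1})")
    return None


def authenticate(methods, servers, local_users, user, pw, fallback=True, default_user="admin"):
    """Walk the method list; returns (result, local account used, log)."""
    log = []
    for method in methods:
        if method == "local":
            ok = local_users.get(user) == pw
            log.append(f"local: {'accept' if ok else 'reject'}")
            return ("accept" if ok else "reject", user if ok else None, log)
        verdict = None
        for server in servers.get(method, []):
            verdict = query_server(server, user, pw, log)
            if verdict is not None:
                break                              # the first server that answers decides
        if verdict is None:
            log.append(f"{method}: error, no server answered")
            if fallback:
                continue                           # fallback: move to the next method
            return ("error", None, log)
        if verdict == "accept":
            # authorization map: a remote user with no local account logs on as default-user
            return ("accept", user if user in local_users else default_user, log)
        return ("reject", None, log)               # assumption: an explicit reject ends the sequence
    return ("error", None, log)


# Constructed sample: an unreachable RADIUS server and a TACACS+ server that only knows jdoe.
def radius_dead(user, pw):
    raise TimeoutError


def tacacs_knows_jdoe(user, pw):
    return "accept" if (user, pw) == ("jdoe", "s3cret") else "reject"


SERVERS = {
    "radius": [Server("10.0.0.1", radius_dead, retransmit=2)],
    "tacacs+": [Server("10.0.0.2", tacacs_knows_jdoe)],
}
LOCAL_USERS = {"admin": "adminpw", "monitor": "monpw"}
METHODS = ["radius", "tacacs+", "local"]   # the page's example order, without ldap

if __name__ == "__main__":
    result, account, log = authenticate(METHODS, SERVERS, LOCAL_USERS, "jdoe", "s3cret")
    print(result, account)
    print("\n".join(log))
```

Two outcomes of the run matter operationally: jdoe is accepted by TACACS+ after three unanswered RADIUS tries and, having no local account, ends up in the admin account named by default-user; and with fallback off the same login stops at "error" as soon as RADIUS fails to answer. Under the stated assumptions, a local user listed after a reachable remote method is also only consulted locally when the remote method errors, not when it rejects.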
show aaa
show aaa
Displays the AAA configuration.
Syntax Description
N/A
Configuration Mode
Any command mode
History
3.1.0000
Example
switch (config) # show aaa
AAA authorization:
Related Commands
aaa accounting
show aaa authentication attempts
show aaa authentication attempts [configured | status user <username>]
Displays the current authentication, authorization and accounting settings.
Syntax Description
authentication attempts
Displays configuration and history of authentication failures.
configured
Displays the configuration of authentication failure tracking.
status user
Displays the status of authentication failure tracking and lockouts for a specific user.
Default
N/A
Configuration Mode
Any command mode
History
3.2.1000
Example
switch (config) # show aaa authentication attempts
Configuration for authentication failure tracking and locking:
radius-server
radius-server {key <secret> | retransmit <retries> | timeout <seconds>}
Sets global RADIUS server attributes.
Syntax Description
secret
Sets a secret key (shared hidden text string) known to the system and to the RADIUS server.
retries
Number of retries (0-5) before giving up on authentication.
seconds
Timeout in seconds between retries (1-60).
Default
3 seconds, 1 retry
Configuration Mode
config
History
3.1.0000
Example
switch (config) # radius-server retransmit 3
Related Commands
aaa authorization
Notes
Each RADIUS server can override these global parameters using the command "radius-server host".
radius-server host
radius-server host <IP address> [enable | auth-port <port> | key <secret> | prompt-key | retransmit <retries> | timeout <seconds> | cipher <none | eap-peap>]
Configures RADIUS server attributes.
Syntax Description
IP address
RADIUS server IP address.
enable
Administratively enables the RADIUS server.
auth-port
Configures the authentication port to use with this RADIUS server.
port
RADIUS server UDP port number.
key
Configures the shared secret to use with this RADIUS server.
prompt-key
Prompts for the key rather than taking it on the command line.
retransmit
Configures the retransmit count to use with this RADIUS server.
retries
Number of retries (0-5) before giving up on authentication.
timeout
Configures the timeout between tries.
seconds
Timeout in seconds between retries (1-60).
cipher
Configures which cipher to use for communication encryption: none or eap-peap.
Default
3 seconds, 1 retry
Configuration Mode
config
History
3.1.0000
Example
switch (config) # radius-server host fe80::202:b3ff:fe1e:8329
Related Commands
aaa authorization
show radius
show radius
Displays RADIUS configurations.
Syntax Description
N/A
Configuration Mode
Any command mode
History
3.1.0000
Related Commands
aaa authorization
tacacs-server
tacacs-server {key <secret> | retransmit <retries> | timeout <seconds>}
Sets global TACACS+ server attributes.
Syntax Description
secret
Sets a secret key (shared hidden text string) known to the system and to the TACACS+ server.
retries
Number of retries (0-5) before giving up on authentication.
seconds
Timeout in seconds between retries.
Default
3 seconds, 1 retry
Configuration Mode
config
History
3.1.0000
Example
switch (config) # tacacs-server retransmit 3
Related Commands
aaa authorization
Notes
Each TACACS+ server can override these global parameters using the command "tacacs-server host".
tacacs-server host
tacacs-server host <IP address> {enable | auth-port <port> | auth-type <type> | key <secret> | prompt-key | retransmit <retries> | timeout <seconds>}
Configures TACACS+ server attributes.
Syntax Description
IP address
TACACS+ server IP address.
enable
Administratively enables the TACACS+ server.
auth-port
Configures the authentication port to use with this TACACS+ server.
port
TACACS+ server UDP port number.
auth-type
Configures the authentication type to use with this TACACS+ server.
type
Authentication type. Possible values are:
key
Configures the shared secret to use with this TACACS+ server.
secret
Sets a secret key (shared hidden text string) known to the system and to the TACACS+ server.
prompt-key
Prompts for the key rather than taking it on the command line.
retransmit
Configures the retransmit count to use with this TACACS+ server.
retries
Number of retries (0-5) before giving up on authentication.
timeout
Configures the timeout to use with this TACACS+ server.
seconds
Timeout in seconds between retries.
Default
3 seconds, 1 retry
Configuration Mode
config
History
3.1.0000
Example
switch (config) # tacacs-server host 40.40.40.40
Related Commands
aaa authorization
show tacacs
show tacacs
Displays TACACS+ configurations.
Syntax Description
N/A
Configuration Mode
Any command mode
History
3.1.0000
Example
TACACS+ servers:
Related Commands
aaa authorization
ldap enable
ldap [vrf <vrf-name>] enable [force]
Enables LDAP in a VRF.
Syntax Description
force
Enables LDAP in the specified VRF while resetting all relevant LDAP options to their defaults.
Default
LDAP enabled
Configuration Mode
config
History
3.9.2000
Example
switch (config) # ldap vrf mgmt enable
Notes
If VRF mgmt exists, LDAP is enabled on VRF mgmt. If there is no VRF mgmt, LDAP is enabled on the "default" VRF.
ldap base-dn
ldap base-dn <string>
Sets the base distinguished name (location) of the user information in the schema of the LDAP server.
Syntax Description
string
A case-sensitive string that specifies the location in the LDAP hierarchy where the server should begin searching when it receives an authorization request.
Default
ou=users,dc=example,dc=com
Configuration Mode
config
History
3.1.1000
Example
switch (config) # ldap base-dn ou=department,dc=example,dc=com
Related Commands
show ldap
ldap bind-dn/bind-password
ldap {bind-dn | bind-password} <string>
Gives the distinguished name or password used to bind to the LDAP server. This can be left empty for anonymous login (the default).
Syntax Description
string
A case-sensitive string that specifies the distinguished name or password used to bind to the LDAP server.
Default
""
Configuration Mode
config
History
3.1.1000
Example
switch (config) # ldap bind-dn my-dn
Related Commands
show ldap
Notes
For anonymous login, bind-dn and bind-password should be empty strings "".
ldap group-attribute/group-dn
ldap {group-attribute {<group-att> | member | uniqueMember} | group-dn <group-dn>}
Sets the distinguished name or attribute name of a group on the LDAP server.
Syntax Description
group-att
Specifies a custom attribute name.
member
groupOfNames or group membership attribute.
uniqueMember
groupOfUniqueNames membership attribute.
group-dn
DN of the group required for authorization.
Default
group-att: member
Configuration Mode
config
History
3.1.1000
Example
switch (config) # ldap group-attribute member
Related Commands
show ldap
ldap nested-group-search
ldap nested-group-search
Enables the LDAP nested-group search mechanism for user-authentication group matching.
Syntax Description
N/A
Default
Disabled
Configuration Mode
config
History
3.10.2000
Example
switch (config) # ldap nested-group-search
Related Commands
ldap nested-group-depth
ldap nested-group-depth
ldap nested-group-depth <1-9>
Syntax Description
N/A
Default
3
Configuration Mode
config
History
3.10.2000
Example
switch (config) # ldap nested-group-depth 6
Related Commands
ldap nested-group-search
ldap nested-group-count
ldap nested-group-count <1-10000>
Sets the LDAP maximum number of queried nested groups.
Syntax Description
N/A
Default
1000
Configuration Mode
config
History
3.10.2000
Example
switch (config) # ldap nested-group-count 500
Related Commands
ldap nested-group-depth
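What the three nested-group commands above (nested-group-search, nested-group-depth and nested-group-count) bound, as an added Python example that is not part of the original page or of the switch software: a breadth-first membership search over a constructed in-memory directory that stops expanding at the configured depth and at the configured number of group lookups. Treating depth 1 as direct membership only, counting every group lookup against the count limit, the cycle check and the DNs used are this example's own assumptions.

```python
# Added example (not switch code): nested-group membership search bounded by
# nested-group-depth and nested-group-count. The directory below is constructed
# and maps each group DN to its member DNs (users or other groups); it contains
# a deliberate membership cycle (tier2 lists netops) to show why a seen-set is needed.

DIRECTORY = {
    "cn=netops,ou=groups,dc=example,dc=com": [
        "cn=oncall,ou=groups,dc=example,dc=com",
        "uid=alice,ou=users,dc=example,dc=com",
    ],
    "cn=oncall,ou=groups,dc=example,dc=com": [
        "cn=tier2,ou=groups,dc=example,dc=com",
    ],
    "cn=tier2,ou=groups,dc=example,dc=com": [
        "uid=bob,ou=users,dc=example,dc=com",
        "cn=netops,ou=groups,dc=example,dc=com",   # cycle back to netops
    ],
}

NETOPS = "cn=netops,ou=groups,dc=example,dc=com"   # the group-dn required for authorization


def member_of(directory, user_dn, group_dn, depth_limit=3, count_limit=1000):
    """Breadth-first search of group_dn and its nested groups for user_dn.

    Returns (verdict, groups_queried). verdict is True or False, or None when
    count_limit stopped the search before a verdict was reached. depth_limit 1
    checks only direct members of group_dn, which is how this example models
    nested-group-search being disabled.
    """
    queried = 0
    frontier = [(group_dn, 1)]     # (group still to expand, its nesting level)
    seen = set()                   # groups already expanded; breaks cycles
    while frontier:
        current, level = frontier.pop(0)
        if current in seen:
            continue
        seen.add(current)
        if queried >= count_limit:
            return None, queried   # nested-group-count reached: undecided
        queried += 1
        members = directory.get(current, [])
        if user_dn in members:
            return True, queried
        if level < depth_limit:    # nested-group-depth: allowed to go one level deeper
            for m in members:
                if m in directory: # a group rather than a user
                    frontier.append((m, level + 1))
    return False, queried


if __name__ == "__main__":
    bob = "uid=bob,ou=users,dc=example,dc=com"
    print(member_of(DIRECTORY, bob, NETOPS, depth_limit=3))   # reached via netops -> oncall -> tier2
    print(member_of(DIRECTORY, bob, NETOPS, depth_limit=2))   # one level short: not a member
    print(member_of(DIRECTORY, bob, NETOPS, count_limit=2))   # count limit hit: undecided
```

The three printed results show the practical effect of the two limits: bob is found only when the depth setting covers the whole chain, a depth one level too small denies him, and a count limit that is too small produces an undecided result rather than a denial, which is worth distinguishing in logs when tuning these values.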
ldap host
ldap host <ip-address> [order <number> last]
Adds an LDAP server to the set of servers used for authentication.
Syntax Description
ip-address
IPv4 or IPv6 address.
number
The order of the LDAP server.
last
The LDAP server is added in the last position.
Default
No hosts configured
Configuration Mode
config
History
3.1.1000
Example
switch (config) # ldap host 10.10.10.10
Related Commands
show aaa
ldap hostname-check enable
ldap hostname-check enable
Enables the LDAP hostname check.
Syntax Description
N/A
Default
No hosts configured
Configuration Mode
config
History
3.6.8008
Example
switch (config) # ldap hostname-check enable
Related Commands
show aaa
ldap login-attribute
ldap login-attribute {<string> | uid | sAMAccountName}
Sets the attribute name which contains the login name of the user.
Syntax Description
string
Custom attribute name.
uid
The LDAP login name is taken from the user's login username.
sAMAccountName
SAM account name, the Active Directory login name.
Default
sAMAccountName
Configuration Mode
config
History
3.1.1000
Example
switch (config) # ldap login-attribute uid
Related Commands
show aaa
ldap port
ldap port <port>
Sets the TCP port on the LDAP server to connect to for authentication.
Syntax Description
port
TCP port number.
Default
389
Configuration Mode
config
History
3.1.1000
Example
switch (config) # ldap port 1111
Related Commands
show aaa
ldap referrals
ldap referrals
Enables LDAP referrals.
Syntax Description
N/A
Default
LDAP referrals are enabled
Configuration Mode
config
History
3.1.1000
Example
switch (config) # no ldap referrals
Related Commands
show aaa
Notes
A referral is the process by which an LDAP server, instead of returning a result, returns a referral (a reference) to another LDAP server which may contain further information.
ldap scope
ldap scope <scope>
Specifies the extent of the search in the LDAP hierarchy that the server should make when it receives an authorization request.
Syntax Description
scope
Default
subtree
Configuration Mode
config
History
3.1.1000
Example
switch (config) # ldap scope subtree
Related Commands
show aaa
ldap ssl
ldap ssl {ca-list <options> | cert-verify | ciphers {all | TLS1.2} | crl-check {enable | file fetch all [vrf <vrf-name>] <path>} | mode <mode> | port <port-number>}
Sets SSL parameters for LDAP.
Syntax Description
options
Specifies the list of supplemental certificate authorities (CAs) from the certificate configuration database that LDAP uses to authenticate servers when in TLS or SSL mode.
CA certificates are ignored if "ldap ssl mode" is not configured as either "tls" or "ssl", or if "no ldap ssl cert-verify" is configured.
cert-verify
Enables verification of SSL/TLS server certificates. This may be required if the server's certificate is self-signed or does not match the name of the server.
ciphers {all | TLS1.2}
Sets the SSL mode to be used.
crl-check enable
Enables the LDAP CRL check.
crl-check file fetch
Fetches a CRL from a remote server. The CRL must be a valid PEM file; otherwise an error message is shown. Supported protocols: SCP, HTTP, HTTPS, FTP and FTPS.
mode
Sets the security mode for connections to the LDAP server.
vrf-name
VRF to be affected. If the "vrf-name" parameter is not specified, the "default" VRF is used.
port-number
Sets the port on the LDAP server to connect to for authentication when the SSL security mode is enabled (LDAP over SSL).
Default
cert-verify: enabled
Configuration Mode
config
History
3.1.1000
Related Commands
show aaa
ldap timeout
ldap {timeout-bind | timeout-search} <seconds>
Sets a global communication timeout in seconds for all LDAP servers.
Syntax Description
timeout-bind
Sets the global LDAP bind timeout for all LDAP servers.
timeout-search
Sets the global LDAP search timeout for all LDAP servers.
seconds
Number of seconds.
Default
5 seconds
Configuration Mode
config
History
3.1.1000
Example
switch (config) # ldap timeout-bind 10
Related Commands
show aaa
ldap version
ldap version <version>
Sets the LDAP version.
Syntax Description
version
Sets the LDAP version.
Default
3
Configuration Mode
config
History
3.1.1000
Example
switch (config) # ldap version 3
Related Commands
show aaa
show ldap
show ldap
Displays LDAP configurations.
Syntax Description
N/A
Default
N/A
Configuration Mode
Any command mode
History
3.1.1000
Example
switch (config) # show ldap
Related Commands
show aaa
show ldap crl
show ldap crl
Displays the current CRL configured by the user.
Syntax Description
N/A
Default
N/A
Configuration Mode
Any command mode
History
3.6.8008
Example
switch (config) # show ldap crl
Related Commands
show aaa
system secure-mode enable
system secure-mode enable
Enables secure mode on the switch.
Syntax Description
N/A
Default
Disabled
Configuration Mode
config
History
3.5.0200
Example
Related Commands
user <username> password <password>
show system secure-mode
show system secure-mode
Displays the security mode of the switch system.
Syntax Description
N/A
Default
N/A
Configuration Mode
Any command mode
History
3.4.2300
Example
Related Commands
system secure-mode enable
show secure-boot-status
show secure-boot-status
Displays the state of secure boot: enabled or disabled.
Syntax Description
N/A
Default
N/A
Configuration Mode
Any command mode
History
3.10.1000
Example
Related Commands
Notes
This command is only available for NDR platforms and above.