User Management and Security Commands
username
username <username> [capability <cap> | disable [login | password] | disconnect | full-name <name> | nopassword | password [0 | 7] <password>] Creates a user and sets its capabilities, password and name. |
||||||||||||||||
Syntax Description |
username |
Specifies a username and creates a user account. New users are created initially with admin privileges but is disabled. Allowed characters for the username:
Any single character or combination of characters from the above is allowed except for a period "." in a single form. |
||||||||||||||
capability <cap> |
Defines user capabilities.
|
|||||||||||||||
disable [login | password] |
|
|||||||||||||||
disconnect |
Logs out the specified user from the system. |
|||||||||||||||
name |
Full name of the user. |
|||||||||||||||
nopassword |
The next login of the user will not require password. |
|||||||||||||||
0 | 7 |
|
|||||||||||||||
password |
Specifies a password for the user in string form. If [0 | 7] was not specified then the password is in cleartext. |
|||||||||||||||
Default |
The following usernames are available by default:
|
|||||||||||||||
Configuration Mode |
config |
|||||||||||||||
History |
|
|||||||||||||||
Example |
switch (config) # username monitor full-name smith |
|||||||||||||||
Related Commands |
show usernames |
|||||||||||||||
Notes |
|
show usernames
show usernames Displays list of users and their capabilities. |
||||||||
Syntax Description |
N/A |
|||||||
Default |
N/A |
|||||||
Configuration Mode |
Any command mode |
|||||||
History |
|
|||||||
Example |
||||||||
switch (config) # show usernames USERNAME FULL NAME CAPABILITY ACCOUNT STATUS |
||||||||
Related Commands |
username |
|||||||
Notes |
show users
show users [history] Displays logged in users and related information such as idle time and what host they have connected from. |
||
Syntax Description |
history |
Displays current and historical sessions. |
Default |
N/A |
|
Configuration Mode |
Any command mode |
|
History |
3.1.0000 |
|
Example |
||
switch (config) # show users USERNAME FULL NAME LINE HOST IDLE admin System Administrator pts/0 172.22.237.174 0d0h34m4s switch (config) #s how users history |
||
Related Commands |
username |
|
Notes |
show whoami
show whoami Displays username and capabilities of user currently logged in. |
||
Syntax Description |
N/A |
|
Default |
N/A |
|
Configuration Mode |
Any command mode |
|
History |
3.1.0000 |
|
Example |
switch (config) # show whoami |
|
Related Commands |
username |
|
Notes |
password
password [age expiration <days> | age warning <days> | history < length > | length minimal <length> | length maximal < length > | username-password-match enable | complexity-class <char class> | hardening enable] Configures restrictions for new passwords. |
||
Syntax Description |
age expiration <days> |
Specifies validity period of any password configured. |
age warning <days> |
Specifies how many days before expiration a warning message should be printed while logging in. |
|
history < length > |
Specifies how many passwords are saved per user. New password will be compared to previous passwords and will not be allowed if it is the same as an old one. Range: 0-20 passwords |
|
length minimal <length> |
Specifies minimal length of allowed password. Range: 1-32 characters |
|
length maximal < length> |
Specifies maximal length of allowed password. Range: 64-80 characters |
|
username-password-match enable |
Restricts user from having password identical to its username. |
|
complexity-class <char class> |
Specifies what characters must be used while configuring password.
Special characters allowed are: `~!@#$%^&*()-_=+[{}];:',<.> |
|
hardening enable |
Enable password restrictions. If enabled, all the above will be checked upon every new password that is being configured. Password that does not meet the requirements will be rejected. |
|
Default |
Enabled. After upgrade, the feature will be disabled by default. |
|
Configuration Mode |
Config |
|
History |
3.9.2000 |
|
Example |
switch (config) # password hardening enable |
|
Related Commands |
show password hardening |
|
Notes |
show password hardening
show password hardening Displays all the configured password restrictions settings. |
||
Syntax Description |
N/A |
|
Default |
N/A |
|
Configuration Mode |
Any command mode |
|
History |
3.9.2000 |
|
Example |
|
|
Related Commands |
password |
|
Notes |
|
aaa accounting
aaa accounting changes default stop-only tacacs+ Enables logging of system changes to an AAA accounting server. |
||
Syntax Description |
N/A |
|
Default |
N/A |
|
Configuration Mode |
config |
|
History |
3.1.0000 |
|
Example |
switch (config) # aaa accounting changes default stop-only tacacs+ |
|
Related Commands |
show aaa |
|
Notes |
|
aaa authentication login
aaa authentication login default <auth method> [<auth method> [<auth method> [<auth method> [<auth method>]]]] Sets a sequence of authentication methods. Up to four methods can be configured. |
||
Syntax Description |
auth-method |
|
Default |
local |
|
Configuration Mode |
Any command mode |
|
History |
3.1.0000 |
|
Example |
switch (config) # aaa authentication login default radius tacacs+ ldap local |
|
Related Commands |
show aaa |
|
Notes |
|
aaa authentication attempts fail-delay
aaa authentication attempts fail-delay <time> Configures delay for a specific period of time after every authentication failure. |
||
Syntax Description |
time |
Range: 0-60 seconds |
Default |
0 |
|
Configuration Mode |
config |
|
History |
3.5.0200 |
|
Example |
switch (config) # aaa authentication attempts fail-delay 1 |
|
Related Commands |
||
Notes |
aaa authentication attempts track
aaa authentication attempts track {downcase | enable} Configure tracking for failed authentication attempts. |
||
Syntax Description |
downcase |
Does not convert all usernames to lowercase (for authentication failure tracking purposes only). |
enable |
Disables tracking of failed authentication attempts. |
|
Default |
N/A |
|
Configuration Mode |
config |
|
History |
3.5.0200 |
|
Example |
switch (config) # aaa authentication attempts track enable |
|
Related Commands |
||
Notes |
|
aaa authentication attempts lockout
aaa authentication attempts lockout {enable | lock-time | max-fail | unlock-time} Configures lockout of accounts based on failed authentication attempts. |
||
Syntax Description |
enable |
Enables locking out of user accounts based on authentication failures. |
lock-time |
Sets maximum permitted consecutive authentication failures before locking out users. |
|
max-fail |
Sets maximum permitted consecutive authentication failures before locking out users. |
|
unlock-time |
Enables the auto-unlock of an account after a specified number of seconds if a user account is locked due to authentication failures, counting from the last valid login attempt. |
|
Default |
N/A |
|
Configuration Mode |
config |
|
History |
3.2.3000 |
|
Example |
switch (config) # aaa authentication attempts lockout enable |
|
Related Commands |
||
Notes |
aaa authentication attempts class-override
aaa authentication attempts class-override {admin [no-lockout] | unknown {no-track | hash-username}} Overrides the global settings for tracking and lockouts for a type of account. |
||
Syntax Description |
admin |
Overrides the global settings for tracking and lockouts for the admin account. This applies only to the single account with the username “admin”. It does not apply to any other users with administrative privileges. |
no-lockout |
Prevents the admin user from being locked out though authentication failure history is still tracked (if tracking is enabled overall). |
|
unknown |
Overrides the global settings for tracking and lockouts for unknown accounts. The “unknown” class here contains the following categories:
|
|
hash-username |
Applies a hash function to the username and stores the hashed result in lieu of the original |
|
no-track |
Does not track authentication for such users (which of course also implies no-lockout) |
|
Default |
N/A |
|
Configuration Mode |
config |
|
History |
3.2.3000 |
|
Example |
switch (config) # aaa authentication attempts class-override admin no-lockout |
|
Related Commands |
||
Notes |
aaa authentication attempts reset
aaa authentication attempts reset {all | user <username>} [{no-clear-history | no-unlock}] Clears the authentication history for and/or unlocks specified users. |
||
Syntax Description |
all |
Applies function to all users |
user |
Applies function to a specific user |
|
no-clear-history |
Leaves the history of login failures but unlocks the account |
|
no-unlock |
Leaves the account locked but clears the history of login failures |
|
Default |
N/A |
|
Configuration Mode |
config |
|
History |
3.2.3000 |
|
Example |
switch (config) # aaa authentication attempts reset user admin all |
|
Related Commands |
||
Notes |
clear aaa authentication attempts
clear aaa authentication attempts {all | user <username>} [no-clear-history | no-unlock] Clears the authentication history for and/or unlocks specified users. |
||
Syntax Description |
all |
Applies function to all users. |
user |
Applies function to a specific user. |
|
no-clear-history |
Clears the history of login failures. |
|
no-unlock |
Unlocks the account. |
|
Default |
N/A |
|
Configuration Mode |
config |
|
History |
3.2.3000 |
|
Example |
switch (config) # aaa authentication attempts reset user admin no-clear-history |
|
Related Commands |
||
Notes |
aaa authorization
aaa authorization map [default-user <username> | order <policy> | fallback] Sets the mapping permissions of a user in case a remote authentication is done. |
||
Syntax Description |
username |
Specifies what local account the authenticated user will be logged on as when a user is authenticated (via RADIUS or TACACS+ or LDAP) and does not have a local account. If the username is local, this mapping is ignored. |
order <policy> |
Sets the user mapping behavior when authenticating users via RADIUS or TACACS+ or LDAP to one of three choices. The order determines how the remote user mapping behaves. If the authenticated username is valid locally, no mapping is performed. The setting has the following three possible behaviors:
|
|
fallback |
Sets the authenticating fallback behavior via RADIUS or TACACS+ or LDAP. This option attempts to authenticate username through the next authentication method listed in case of an error.
|
|
Default |
Default user—admin |
|
Configuration Mode |
config |
|
History |
3.1.0000 |
|
Example |
switch (config) # aaa authorization map default-user admin |
|
Related Commands |
show aaa |
|
Notes |
|
show aaa
show aaa Displays the AAA configuration. |
||
Syntax Description |
N/A |
|
Default |
N/A |
|
Configuration Mode |
Any command mode |
|
History |
3.1.0000 |
|
Example |
switch (config) # show aaa AAA authorization: |
|
Related Commands |
aaa accounting |
|
Notes |
show aaa authentication attempts
show aaa authentication attempts [configured | status user <username>]] Displays the current authentication, authorization and accounting settings. |
||
Syntax Description |
authentication attempts |
Displays configuration and history of authentication failures. |
configured |
Displays configuration of authentication failure tracking. |
|
status user |
Displays status of authentication failure tracking and lockouts for specific user. |
|
Default |
N/A |
|
Configuration Mode |
Any command mode |
|
History |
3.2.1000 |
|
Example |
||
switch (config) # show aaa authentication attempts Configuration for authentication failure tracking and locking:
|
||
Related Commands |
||
Notes |
radius-server
radius-server {key <secret>| retransmit <retries> | timeout <seconds>} Sets global RADIUS server attributes. |
||
Syntax Description |
secret |
Sets a secret key (shared hidden text string), known to the system and to the RADIUS server. |
retries |
Number of retries (0-5) before exhausting from the authentication. |
|
seconds |
Timeout in seconds between each retry (1-60). |
|
Default |
3 seconds, 1 retry |
|
Configuration Mode |
config |
|
History |
3.1.0000 |
|
Example |
switch (config) # radius-server retransmit 3 |
|
Related Commands |
aaa authorization |
|
Notes |
Each RADIUS server can override those global parameters using the command “radius-server host”. |
radius-server host
radius-server host <IP address> [enable | auth-port <port> | key <secret> | prompt-key | retransmit <retries> | timeout <seconds>| cipher <none | eap-peap> ] Configures RADIUS server attributes. |
||
Syntax Description |
IP address |
RADIUS server IP address |
enable |
Administrative enable of the RADIUS server |
|
auth-port |
Configures authentication port to use with this RADIUS server |
|
port |
RADIUS server UDP port number |
|
key |
Configures shared secret to use with this RADIUS server |
|
prompt-key |
Prompt for key, rather than entering on command line |
|
retransmit |
Configures retransmit count to use with this RADIUS server |
|
retries |
Number of retries (0-5) before exhausting from the authentication |
|
timeout |
Configures timeout between each try |
|
seconds |
Timeout in seconds between each retry (1-60) |
|
cipher |
Configures which cipher to use for communication encryption <none | eap-peap> |
|
Default |
3 seconds, 1 retry |
|
Configuration Mode |
config |
|
History |
3.1.0000 |
|
Example |
switch (config) # radius-server host fe80::202:b3ff:fe1e:8329 |
|
Related Commands |
aaa authorization |
|
Notes |
|
show radius
show radius Displays RADIUS configurations. |
||
Syntax Description |
N/A |
|
Default |
N/A |
|
Configuration Mode |
Any command mode |
|
History |
3.1.0000 |
|
Example |
|
|
Related Commands |
aaa authorization |
|
Notes |
tacacs-server
tacacs-server {key <secret>| retransmit <retries> | timeout <seconds>} Sets global TACACS+ server attributes. |
||
Syntax Description |
secret |
Set a secret key (shared hidden text string), known to the system and to the TACACS+ server. |
retries |
Number of retries (0-5) before exhausting from the authentication. |
|
seconds |
Timeout in seconds between each retry. |
|
Default |
3 seconds, 1 retry |
|
Configuration Mode |
config |
|
History |
3.1.0000 |
|
Example |
switch (config) # tacacs-server retransmit 3 |
|
Related Commands |
aaa authorization |
|
Notes |
Each TACACS+ server can override those global parameters using the command “tacacs-server host”. |
tacacs-server host
tacacs-server host <IP address> {enable | auth-port <port> | auth-type <type> | key <secret> | prompt-key | retransmit <retries> | timeout <seconds>} Configures TACACS+ server attributes. |
||
Syntax Description |
IP address |
TACACS+ server IP address. |
enable |
Administrative enable for the TACACS+ server. |
|
auth-port |
Configures authentication port to use with this TACACS+ server. |
|
port |
TACACS+ server UDP port number. |
|
auth-type |
Configures authentication type to use with this TACACS+ server. |
|
type |
Authentication type. Possible values are:
|
|
key |
Configures shared secret to use with this TACACS+ server. |
|
secret |
Sets a secret key (shared hidden text string), known to the system and to the TACACS+ server. |
|
prompt-key |
Prompts for key, rather than entering key on command line. |
|
retransmit |
Configures retransmit count to use with this TACACS+ server. |
|
retries |
Number of retries (0-5) before exhausting from the authentication. |
|
timeout |
Configures timeout to use with this TACACS+ server. |
|
seconds |
Timeout in seconds between each retry. |
|
Default |
3 seconds, 1 retry |
|
Configuration Mode |
config |
|
History |
3.1.0000 |
|
Example |
switch (config) # tacacs-server host 40.40.40.40 |
|
Related Commands |
aaa authorization |
|
Notes |
|
show tacacs
show tacacs Displays TACACS+ configurations. |
||
Syntax Description |
N/A |
|
Default |
N/A |
|
Configuration Mode |
Any command mode |
|
History |
3.1.0000 |
|
Example |
TACACS+ servers: |
|
Related Commands |
aaa authorization |
|
Notes |
ldap enable
ldap [vrf <vrf-name>] enable [force] Enables LDAP in VRF. |
||
Syntax Description |
force |
Enables LDAP in the specified VRF while setting all relevant LDAP options to default. |
Default |
LDAP enabled |
|
Configuration Mode |
config |
|
History |
3.9.2000 |
|
Example |
switch (config) # ldap vrf mgmt enable |
|
Related Commands |
|
|
Notes |
If VRF mgmt exists, LDAP will be enabled on VRF mgmt. If there is no VRF mgmt, LDAP will be enabled on the "default" VRF. |
ldap base-dn
ldap base-dn <string> Sets the base distinguished name (location) of the user information in the schema of the LDAP server. |
||
Syntax Description |
string |
A case-sensitive string that specifies the location in the LDAP hierarchy where the server should begin searching when it receives an authorization request.
|
Default |
ou=users,dc=example,dc=com |
|
Configuration Mode |
config |
|
History |
3.1.1000 |
|
Example |
switch (config) # ldap base-dn ou=department,dc=example,dc=com |
|
Related Commands |
show ldap |
|
Notes |
ldap bind-dn/bind-password
ldap {bind-dn | bind-password} <string> Gives the distinguished name or password to bind to on the LDAP server. This can be left empty for anonymous login (the default). |
||
Syntax Description |
string |
A case-sensitive string that specifies distinguished name or password to bind to on the LDAP server. |
Default |
“” |
|
Configuration Mode |
config |
|
History |
3.1.1000 |
|
Example |
switch (config) # ldap bind-dn my-dn |
|
Related Commands |
show ldap |
|
Notes |
For anonymous login, bind-dn and bind-password should be empty strings “”. |
ldap group-attribute/group-dn
ldap {group-attribute {<group-att> |member | uniqueMember} | group-dn <group-dn>} Sets the distinguished name or attribute name of a group on the LDAP server. |
||
Syntax Description |
group-att |
Specifies a custom attribute name. |
member |
groupOfNames or group membership attribute. |
|
uniqueMember |
groupOfUniqueNames membership attribute. |
|
group-dn |
DN of group required for authorization. |
|
Default |
group-att: member |
|
Configuration Mode |
config |
|
History |
3.1.1000 |
|
Example |
switch (config) # ldap group-attribute member |
|
Related Commands |
show ldap |
|
Notes |
|
ldap nested-group-search
ldap nested-group-search Enable LDAP nested-group search mechanism for user-authentication group matching. |
||
Syntax Description |
N/A |
|
Default |
Disabled |
|
Configuration Mode |
config |
|
History |
3.10.2000 |
|
Example |
switch (config) # ldap nested-group-search |
|
Related Commands |
ldap nested-group-depth |
|
Notes |
ldap nested-group-depth
ldap nested-group-depth <1-9> Sets LDAP maximum depth for nested-group search. |
||
Syntax Description |
N/A |
|
Default |
3 |
|
Configuration Mode |
config |
|
History |
3.10.2000 |
|
Example |
switch (config) # ldap nested-group-depth 6 |
|
Related Commands |
ldap nested-group-search |
|
Notes |
ldap nested-group-count
ldap nested-group-count <1-10000> Sets LDAP maximum number of queried nested-groups. |
||
Syntax Description |
N/A |
|
Default |
1000 |
|
Configuration Mode |
config |
|
History |
3.10.2000 |
|
Example |
switch (config) # ldap nested-group-count 500 |
|
Related Commands |
ldap nested-group-depth |
|
Notes |
ldap host
ldap host <ip-address> [order <number> last] Adds an LDAP server to the set of servers used for authentication. |
||
Syntax Description |
ip-address |
IPv4 or IPv6 address. |
number |
The order of the LDAP server. |
|
last |
The LDAP server will be added in the last location. |
|
Default |
No hosts configured |
|
Configuration Mode |
config |
|
History |
3.1.1000 |
|
Example |
switch (config) # ldap host 10.10.10.10 |
|
Related Commands |
show aaa |
|
Notes |
|
ldap hostname-check enable
ldap hostname-check enable Enables LDAP hostname check. |
||
Syntax Description |
N/A |
|
Default |
No hosts configured |
|
Configuration Mode |
config |
|
History |
3.6.8008 |
|
Example |
switch (config) # ldap hostname-check enable |
|
Related Commands |
show aaa |
|
Notes |
ldap login-attribute
ldap login-attribute {<string> | uid | sAMAccountName} Sets the attribute name which contains the login name of the user. |
||
Syntax Description |
string |
Custom attribute name. |
uid |
LDAP login name is taken from the user login username. |
|
sAMAccountName |
SAM Account name, active directory login name. |
|
Default |
sAMAccountName |
|
Configuration Mode |
config |
|
History |
3.1.1000 |
|
Example |
switch (config) # ldap login-attribute uid |
|
Related Commands |
show aaa |
|
Notes |
ldap port
ldap port <port> Sets the TCP port on the LDAP server to connect to for authentication. |
||
Syntax Description |
port |
TCP port number |
Default |
389 |
|
Configuration Mode |
config |
|
History |
3.1.1000 |
|
Example |
switch (config) # ldap port 1111 |
|
Related Commands |
show aaa |
|
Notes |
ldap referrals
ldap referrals Enables LDAP referrals. |
||
Syntax Description |
N/A |
|
Default |
LDAP referrals are enabled |
|
Configuration Mode |
config |
|
History |
3.1.1000 |
|
Example |
switch (config) # no ldap referrals |
|
Related Commands |
show aaa |
|
Notes |
Referral is the process by which an LDAP server, instead of returning a result, will return a referral (a reference) to another LDAP server which may contain further information. |
ldap scope
ldap scope <scope> Specifies the extent of the search in the LDAP hierarchy that the server should make when it receives an authorization request. |
||
Syntax Description |
scope |
|
Default |
subtree |
|
Configuration Mode |
config |
|
History |
3.1.1000 |
|
Example |
switch (config) # ldap scope subtree |
|
Related Commands |
show aaa |
|
Notes |
ldap ssl
ldap ssl {ca-list <options> | cert-verify | ciphers {all | TLS1.2} | crl-check {enable | file fetch all [vrf <vrf-name>] <path>} | mode <mode> | port <port-number>} Sets SSL parameter for LDAP. |
||
Syntax Description |
options |
This command specifies the list of supplemental certificates of authority (CAs) from the certificate configuration database that is to be used by LDAP for authentication of servers when in TLS or SSL mode.
CA certificates are ignored if “ldap ssl mode” is not configured as either “tls” or “ssl”, or if “no ldap ssl cert-verify” is configured. |
cert-verify |
Enables verification of SSL/TLS server certificates. This may be required if the server's certificate is self-signed, or does not match the name of the server. |
|
ciphers {all | TLS1.2} |
Sets SSL mode to be used |
|
crl-check enable |
Enables LDAP CRL check |
|
crl-check file fetch |
Fetches CRL from remote server. CRL must be a valid PEM file unless a proper message shown. Supported formats: SCP, HTTP, HTTPS, FTP, and FTPS. |
|
mode |
Sets the security mode for connections to the LDAP server.
|
|
vrf-name |
VRF to be affected. If "vrf-name" parameter is not specified, "default" VRF will be used. |
|
port-number |
Sets the port on the LDAP server to connect to for authentication when the SSL security mode is enabled (LDAP over SSL) |
|
Default |
cert-verify—enabled |
|
Configuration Mode |
config |
|
History |
3.1.1000 |
|
Example |
|
|
Related Commands |
show aaa |
|
Notes |
|
ldap timeout
ldap {timeout-bind | timeout-search} <seconds> Sets a global communication timeout in seconds for all LDAP servers to specify the extent of the search in the LDAP hierarchy that the server should make when it receives an authorization request. |
||
Syntax Description |
timeout-bind |
Sets the global LDAP bind timeout for all LDAP servers. |
timeout-search |
Sets the global LDAP search timeout for all LDAP servers. |
|
seconds |
Number of seconds. |
|
Default |
5 seconds |
|
Configuration Mode |
config |
|
History |
3.1.1000 |
|
Example |
switch (config) # ldap timeout-bind 10 |
|
Related Commands |
show aaa |
|
Notes |
ldap version
ldap version <version> Sets the LDAP version. |
||
Syntax Description |
version |
Sets the LDAP version |
Default |
3 |
|
Configuration Mode |
config |
|
History |
3.1.1000 |
|
Example |
switch (config) # ldap version 3 |
|
Related Commands |
show aaa |
|
Notes |
show ldap
show ldap Displays LDAP configurations. |
||
Syntax Description |
N/A |
|
Default |
N/A |
|
Configuration Mode |
Any command mode |
|
History |
3.1.1000 |
|
Example |
switch (config) # show ldap
|
|
Related Commands |
show aaa |
|
Notes |
show ldap crl
show ldap crl Displays current CRL configured by the user. |
||
Syntax Description |
N/A |
|
Default |
N/A |
|
Configuration Mode |
Any command mode |
|
History |
3.6.8008 |
|
Example |
switch (config) # show ldap crl |
|
Related Commands |
show aaa |
|
Notes |
system secure-mode enable
system secure-mode enable Enables secure mode on the switch. |
||
Syntax Description |
N/A |
|
Default |
Disabled |
|
Configuration Mode |
config |
|
History |
3.5.0200 |
|
Example |
|
|
Related Commands |
user <username> password <password> |
|
Notes |
|
show system secure-mode
show system secure-mode Displays the security mode of the switch system. |
||
Syntax Description |
N/A |
|
Default |
N/A |
|
Configuration Mode |
Any command mode |
|
History |
3.4.2300 |
|
Example |
|
|
Related Commands |
system secure-mode enable |
|
Notes |
|
show secure-boot-status
show secure-boot-status Displays the state of the secure boot: enable or disable. |
||
Syntax Description |
N/A |
|
Default |
N/A |
|
Configuration Mode |
Any command mode |
|
History |
3.10.1000 |
|
Example |
|
|
Related Commands |
||
Notes |
This command is only available for NDR platforms and above |