User Management and Security Commands
username
username <username> [capability <cap> | disable [login | password] | disconnect | full-name <name> | nopassword | password [0 | 7] <password>] no username <username> [capability | disable [login | password] | full-name] Creates a user and sets its capabilities, password and name. The no form of the command deletes the user configuration. |
||
Syntax Description |
username |
Specifies a username and creates a user account. New users are created initially with admin privileges but is disabled. Allowed characters for the username:
Any single character or combination of characters from the above is allowed except for a period "." in a single form. |
capability <cap> |
Defines user capabilities.
|
|
disable [login | password] |
|
|
disconnect |
Logs out the specified user from the system. |
|
name |
Full name of the user. |
|
nopassword |
The next login of the user will not require password. |
|
0 | 7 |
|
|
password |
Specifies a password for the user in string form. If [0 | 7] was not specified then the password is in cleartext. |
|
Default |
The following usernames are available by default:
|
|
Configuration Mode |
config |
|
History |
8.0.0100 |
|
Example |
gateway (config) # username monitor full-name smith |
|
Related Commands |
show usernames show users |
|
Notes |
|
show usernames
show usernames Displays list of users and their capabilities. |
||
Syntax Description |
N/A |
|
Default |
N/A |
|
Configuration Mode |
Any command mode |
|
History |
8.0.0100 |
|
Example |
||
gateway (config) # show usernames USERNAME FULL NAME CAPABILITY ACCOUNT STATUS |
||
Related Commands |
username show users |
|
Notes |
show users
show users [history] Displays logged in users and related information such as idle time and what host they have connected from. |
||
Syntax Description |
history |
Displays current and historical sessions. |
Default |
N/A |
|
Configuration Mode |
Any command mode |
|
History |
8.0.0100 |
|
Example |
||
gateway (config) # show users USERNAME FULL NAME LINE HOST IDLE admin System Administrator pts/0 172.22.237.174 0d0h34m4s gateway (config) #s how users history |
||
Related Commands |
username show usernames |
|
Notes |
show whoami
show whoami Displays username and capabilities of user currently logged in. |
||
Syntax Description |
N/A |
|
Default |
N/A |
|
Configuration Mode |
Any command mode |
|
History |
8.0.0100 |
|
Example |
gateway (config) # show whoami |
|
Related Commands |
username show usernames show users |
|
Notes |
password
password [age expiration <days> | age warning <days> | history < length > | length minimal <length> | length maximal < length > | username-password-match enable | complexity-class <char class> | hardening enable] Configures restrictions for new passwords. |
||
Syntax Description |
age expiration <days> |
Specifies validity period of any password configured. Range: 0-365 days (0=password will not expire) Default: 365 days |
age warning <days> |
Specifies how many days before expiration a warning message should be printed while logging in. Range: 0-30 days (0 indicates that a warning message will not be printed) Default: 15 days |
|
history < length > |
Specifies how many passwords are saved per user. New password will be compared to previous passwords and will not be allowed if it is the same as an old one. Range: 0-20 passwords Default: 5 passwords |
|
length minimal <length> |
Specifies minimal length of allowed password. Range: 1-32 characters Default: 8 characters |
|
length maximal < length> |
Specifies maximal length of allowed password. Range: 64-80 characters Default: 64 characters |
|
username-password-match enable |
Restricts user from having password identical to its username. Default: enabled The no form of this command will allow this. |
|
complexity-class <char class> |
Specifies what characters must be used while configuring password.
Special characters allowed are: `~!@#$%^&*()-_=+[{}];:',<.> Default: lower-upper-digit |
|
hardening enable |
Enable password restrictions. If enabled, all the above will be checked upon every new password that is being configured. Password that does not meet the requirements will be rejected. The no form will disable any password restrictions and every password will be allowed. |
|
Default |
Enabled. After upgrade, the feature will be disabled by default. |
|
Configuration Mode |
Config |
|
History |
8.1.1000 |
|
Example |
gateway (config) # password hardening enable |
|
Related Commands |
show password hardening |
|
Notes |
show password hardening
show password hardening Displays all the configured password restrictions settings. |
||
Syntax Description |
N/A |
|
Default |
N/A |
|
Configuration Mode |
Any command mode |
|
History |
8.1.1000 |
|
Example |
gateway (config) # show password hardening |
|
Related Commands |
password |
|
Notes |
|
aaa accounting
aaa accounting changes default stop-only tacacs+ no aaa accounting changes default stop-only tacacs+ Enables logging of system changes to an AAA accounting server. The no form of the command disables the accounting. |
||
Syntax Description |
N/A |
|
Default |
N/A |
|
Configuration Mode |
config |
|
History |
8.0.0100 |
|
Example |
gateway (config) # aaa accounting changes default stop-only tacacs+ |
|
Related Commands |
show aaa |
|
Notes |
|
aaa authentication login
aaa authentication login default <auth method> [<auth method> [<auth method> [<auth method> [<auth method>]]]] no aaa authentication login Sets a sequence of authentication methods. Up to four methods can be configured. The no form of the command resets the configuration to its default. |
||
Syntax Description |
auth-method |
|
Default |
local |
|
Configuration Mode |
Any command mode |
|
History |
8.0.0100 |
|
Example |
gateway (config) # aaa authentication login default radius tacacs+ ldap local |
|
Related Commands |
show aaa |
|
Notes |
|
aaa authentication attempts fail-delay
aaa authentication attempts fail-delay <time> no aaa authentication attempts fail-delay Configures delay for a specific period of time after every authentication failure. The no form of the command resets the fail-delay to its default value. |
||
Syntax Description |
time |
Range: 0-60 seconds |
Default |
0 |
|
Configuration Mode |
config |
|
History |
8.0.0100 |
|
Example |
gateway (config) # aaa authentication attempts fail-delay 1 |
|
Related Commands |
||
Notes |
aaa authentication attempts track
aaa authentication attempts track {downcase | enable} no aaa authentication attempts track {downcase | enable} Configure tracking for failed authentication attempts. The no form of the command clears configuration for tracking authentication failures. |
||
Syntax Description |
downcase |
Does not convert all usernames to lowercase (for authentication failure tracking purposes only). |
enable |
Disables tracking of failed authentication attempts. |
|
Default |
N/A |
|
Configuration Mode |
config |
|
History |
8.0.0100 |
|
Example |
gateway (config) # aaa authentication attempts track enable |
|
Related Commands |
||
Notes |
|
aaa authentication attempts lockout
aaa authentication attempts lockout {enable | lock-time | max-fail | unlock-time} no aaa authentication attempts lockout {enable | lock-time | max-fail | unlock-time} Configures lockout of accounts based on failed authentication attempts. The no form of the command clears configuration for lockout of accounts based on failed authentication attempts. |
||
Syntax Description |
enable |
Enables locking out of user accounts based on authentication failures. This both suspends enforcement of any existing lockouts, and prevents any new lockouts from being recorded. If lockouts are later re-enabled, any lockouts that had been recorded previously resume being enforced; but accounts which have passed the max-fail limit in the meantime are NOT automatically locked at this time. They would be permitted one more attempt, and then locked, because of how the locking is done: lockouts are applied after an authentication failure, if the user has surpassed the threshold at that time. Lockouts only work if tracking is enabled. Enabling lockouts automatically enables tracking. Disabling tracking automatically disables lockouts. |
lock-time |
Sets maximum permitted consecutive authentication failures before locking out users. Unlike the “max-fail” setting, this does take effect immediately for all accounts. If both unlock-time and lock-time are set, the unlock-time must be greater than the lock-time. This is not based on the number of consecutive failures, and is therefore divorced from most of the rest of the tally feature, except for the tracking of the last login failure. |
|
max-fail |
Sets maximum permitted consecutive authentication failures before locking out users. This setting only impacts what lockouts are imposed while the setting is active; it is not retroactive to previous logins. So if max-fail is disabled or changed, this does not immediately cause any users to be changed from locked to unlocked or vice versa. |
|
unlock-time |
Enables the auto-unlock of an account after a specified number of seconds if a user account is locked due to authentication failures, counting from the last valid login attempt. Unlike the “max-fail” setting, this does take effect immediately for all accounts. If both unlock-time and lock-time are set, the unlock-time must be greater than the lock-time. Careful with disabling the unlock-time, particularly if you have max-fail set to something, and have not overridden the behavior for the admin (i.e. they are subject to lockouts also). If the admin account gets locked out, and there are no other administrators who can aid, the user may be forced to boot single-user and use the pam_tallybyname command-line utility to unlock your account manually. Even if one is careful not to incur this many authentication failures, it makes the system more subject to DOS attacks. |
|
Default |
N/A |
|
Configuration Mode |
config |
|
History |
8.0.0100 |
|
Example |
gateway (config) # aaa authentication attempts lockout enable |
|
Related Commands |
||
Notes |
aaa authentication attempts class-override
aaa authentication attempts class-override {admin [no-lockout] | unknown {no-track | hash-username}} no aaa authentication attempts class-override {admin | unknown {no-track | hash-username}} Overrides the global settings for tracking and lockouts for a type of account. The no form of the command removes this override and lets the admin be handled according to the global settings. |
||
Syntax Description |
admin |
Overrides the global settings for tracking and lockouts for the admin account. This applies only to the single account with the username “admin”. It does not apply to any other users with administrative privileges. |
no-lockout |
Prevents the admin user from being locked out though authentication failure history is still tracked (if tracking is enabled overall). |
|
unknown |
Overrides the global settings for tracking and lockouts for unknown accounts. The “unknown” class here contains the following categories:
|
|
hash-username |
Applies a hash function to the username and stores the hashed result in lieu of the original |
|
no-track |
Does not track authentication for such users (which of course also implies no-lockout) |
|
Default |
N/A |
|
Configuration Mode |
config |
|
History |
8.0.0100 |
|
Example |
gateway (config) # aaa authentication attempts class-override admin no-lockout |
|
Related Commands |
||
Notes |
aaa authentication attempts reset
aaa authentication attempts reset {all | user <username>} [{no-clear-history | no-unlock}] Clears the authentication history for and/or unlocks specified users. |
||
Syntax Description |
all |
Applies function to all users |
user |
Applies function to a specific user |
|
no-clear-history |
Leaves the history of login failures but unlocks the account |
|
no-unlock |
Leaves the account locked but clears the history of login failures |
|
Default |
N/A |
|
Configuration Mode |
config |
|
History |
8.0.0100 |
|
Example |
gateway (config) # aaa authentication attempts reset user admin all |
|
Related Commands |
||
Notes |
clear aaa authentication attempts
clear aaa authentication attempts {all | user <username>} [no-clear-history | no-unlock] Clears the authentication history for and/or unlocks specified users. |
||
Syntax Description |
all |
Applies function to all users. |
user |
Applies function to a specific user. |
|
no-clear-history |
Clears the history of login failures. |
|
no-unlock |
Unlocks the account. |
|
Default |
N/A |
|
Configuration Mode |
config |
|
History |
8.0.0100 |
|
Example |
gateway (config) # aaa authentication attempts reset user admin no-clear-history |
|
Related Commands |
||
Notes |
aaa authorization
aaa authorization map [default-user <username> | order <policy> | fallback] no aaa authorization map [default-user | order | fallback] Sets the mapping permissions of a user in case a remote authentication is done. The no form of the command resets the attributes to default. |
||
Syntax Description |
username |
Specifies what local account the authenticated user will be logged on as when a user is authenticated (via RADIUS or TACACS+ or LDAP) and does not have a local account. If the username is local, this mapping is ignored. |
order <policy> |
Sets the user mapping behavior when authenticating users via RADIUS or TACACS+ or LDAP to one of three choices. The order determines how the remote user mapping behaves. If the authenticated username is valid locally, no mapping is performed. The setting has the following three possible behaviors:
|
|
fallback |
Sets the authenticating fallback behavior via RADIUS or TACACS+ or LDAP. This option attempts to authenticate username through the next authentication method listed in case of an error.
|
|
Default |
Default user—admin Map order—remote-first Order fallback—server-err |
|
Configuration Mode |
config |
|
History |
8.0.0100 |
|
Example |
gateway (config) # aaa authorization map default-user admin |
|
Related Commands |
show aaa username |
|
Notes |
|
show aaa
show aaa Displays the AAA configuration. |
||
Syntax Description |
N/A |
|
Default |
N/A |
|
Configuration Mode |
Any command mode |
|
History |
8.0.0100 |
|
Example |
gateway (config) # show aaa AAA authorization: |
|
Related Commands |
aaa accounting aaa authentication aaa authorization show aaa show usernames username |
|
Notes |
show aaa authentication attempts
show aaa authentication attempts [configured | status user <username>]] Displays the current authentication, authorization and accounting settings. |
||
Syntax Description |
authentication attempts |
Displays configuration and history of authentication failures. |
configured |
Displays configuration of authentication failure tracking. |
|
status user |
Displays status of authentication failure tracking and lockouts for specific user. |
|
Default |
N/A |
|
Configuration Mode |
Any command mode |
|
History |
8.0.0100 |
|
Example |
||
gateway (config) # show aaa authentication attempts Configuration for authentication failure tracking and locking: Track authentication failures: yes |
||
Related Commands |
||
Notes |
radius-server
radius-server {key <secret>| retransmit <retries> | timeout <seconds>} no radius-server {key | retransmit | timeout} Sets global RADIUS server attributes. The no form of the command resets the attributes to their default values. |
||
Syntax Description |
secret |
Sets a secret key (shared hidden text string), known to the system and to the RADIUS server. |
retries |
Number of retries (0-5) before exhausting from the authentication. |
|
seconds |
Timeout in seconds between each retry (1-60). |
|
Default |
3 seconds, 1 retry |
|
Configuration Mode |
config |
|
History |
8.0.0100 |
|
Example |
gateway (config) # radius-server retransmit 3 |
|
Related Commands |
aaa authorization radius-server host show radius |
|
Notes |
Each RADIUS server can override those global parameters using the command “radius-server host”. |
radius-server host
radius-server host <IP address> [enable | auth-port <port> | key <secret> | prompt-key | retransmit <retries> | timeout <seconds>| cipher <none | eap-peap> ] no radius-server host <IP address> [auth-port | enable | cipher] Configures RADIUS server attributes. The no form of the command resets the attributes to their default values and deletes the RADIUS server. |
||
Syntax Description |
IP address |
RADIUS server IP address |
enable |
Administrative enable of the RADIUS server |
|
auth-port |
Configures authentication port to use with this RADIUS server |
|
port |
RADIUS server UDP port number |
|
key |
Configures shared secret to use with this RADIUS server |
|
prompt-key |
Prompt for key, rather than entering on command line |
|
retransmit |
Configures retransmit count to use with this RADIUS server |
|
retries |
Number of retries (0-5) before exhausting from the authentication |
|
timeout |
Configures timeout between each try |
|
seconds |
Timeout in seconds between each retry (1-60) |
|
cipher |
Configures which cipher to use for communication encryption <none | eap-peap> |
|
Default |
3 seconds, 1 retry Default UDP port is 1812 |
|
Configuration Mode |
config |
|
History |
8.0.0100 |
|
Example |
gateway (config) # radius-server host fe80::202:b3ff:fe1e:8329 |
|
Related Commands |
aaa authorization radius-server show radius |
|
Notes |
|
show radius
show radius Displays RADIUS configurations. |
||
Syntax Description |
N/A |
|
Default |
N/A |
|
Configuration Mode |
Any command mode |
|
History |
8.0.0100 |
|
Example |
gateway (config) # show radius
|
|
Related Commands |
aaa authorization radius-server radius-server host |
|
Notes |
tacacs-server
tacacs-server {key <secret>| retransmit <retries> | timeout <seconds>} no tacacs-server {key | retransmit | timeout} Sets global TACACS+ server attributes. The no form of the command resets the attributes to default values. |
||
Syntax Description |
secret |
Set a secret key (shared hidden text string), known to the system and to the TACACS+ server. |
retries |
Number of retries (0-5) before exhausting from the authentication. |
|
seconds |
Timeout in seconds between each retry. Reang: 1-60 |
|
Default |
3 seconds, 1 retry |
|
Configuration Mode |
config |
|
History |
8.0.0100 |
|
Example |
gateway (config) # tacacs-server retransmit 3 |
|
Related Commands |
aaa authorization show radius show tacacs tacacs-server host |
|
Notes |
Each TACACS+ server can override those global parameters using the command “tacacs-server host”. |
tacacs-server host
tacacs-server host <IP address> {enable | auth-port <port> | auth-type <type> | key <secret> | prompt-key | retransmit <retries> | timeout <seconds>} no tacacs-server host <IP address> {enable | auth-port} Configures TACACS+ server attributes. The no form of the command resets the attributes to their default values and deletes the TACACS+ server. |
||
Syntax Description |
IP address |
TACACS+ server IP address. |
enable |
Administrative enable for the TACACS+ server. |
|
auth-port |
Configures authentication port to use with this TACACS+ server. |
|
port |
TACACS+ server UDP port number. |
|
auth-type |
Configures authentication type to use with this TACACS+ server. |
|
type |
Authentication type. Possible values are:
|
|
key |
Configures shared secret to use with this TACACS+ server. |
|
secret |
Sets a secret key (shared hidden text string), known to the system and to the TACACS+ server. |
|
prompt-key |
Prompts for key, rather than entering key on command line. |
|
retransmit |
Configures retransmit count to use with this TACACS+ server. |
|
retries |
Number of retries (0-5) before exhausting from the authentication. |
|
timeout |
Configures timeout to use with this TACACS+ server. |
|
seconds |
Timeout in seconds between each retry. Range: 1-60 |
|
Default |
3 seconds, 1 retry Default TCP port is 49 Default auth-type is PAP |
|
Configuration Mode |
config |
|
History |
8.0.0100 |
|
Example |
gateway (config) # tacacs-server host 40.40.40.40 |
|
Related Commands |
aaa authorization show tacacs tacacs-server |
|
Notes |
|
show tacacs
show tacacs Displays TACACS+ configurations. |
||
Syntax Description |
N/A |
|
Default |
N/A |
|
Configuration Mode |
Any command mode |
|
History |
8.0.0100 |
|
Example |
gateway (config) # show tacacs Key : ******** Timeout : 3 Retransmit: 1 TACACS+ servers: |
|
Related Commands |
aaa authorization tacacs-server tacacs-server host |
|
Notes |