2025-07-08
On This Page
- User Accounts
- AAA Methods
- aaa accounting
- aaa authentication login
- aaa authentication attempts fail-delay
- aaa authentication attempts track
- aaa authentication attempts lockout
- aaa authentication attempts class-override
- aaa authentication attempts reset
- clear aaa authentication attempts
- aaa authorization
- show aaa
- show aaa authentication attempts
- RADIUS
- TACACS+
- LDAP
- ldap enable
- ldap base-dn
- ldap bind-dn/bind-password
- ldap group-attribute/group-dn
- ldap nested-group-search
- ldap nested-group-depth
- ldap nested-group-count
- ldap host
- ldap hostname-check enable
- ldap login-attribute
- ldap port
- ldap referrals
- ldap scope
- ldap ssl
- ldap timeout
- ldap version
- show ldap
- show ldap crl
- System Secure Mode
User Management and Security Commands
username
username <username> [capability <cap> | disable [login | password] | disconnect | full-name <name> | nopassword | password [0 | 7] <password>]
no username <username> [capability | disable [login | password] | full-name]
Creates a user and sets its capabilities, password and name.
The no form of the command deletes the user configuration.
Syntax Description
username
Specifies a username and creates a user account. New users are created initially with admin privileges but are disabled.
Allowed characters for the username:
Any single character or combination of characters from the above is allowed, except for a period "." on its own.
capability <cap>
Defines user capabilities.
disable [login | password]
disconnect
Logs out the specified user from the system.
name
Full name of the user.
nopassword
The next login of the user will not require password.
0 | 7
password
Specifies a password for the user in string form. If [0 | 7] was not specified then the password is in cleartext.
Default
The following usernames are available by default:
Configuration Mode
config
History
Example
switch (config) # username monitor full-name smith
Related Commands
show usernames
show users
Notes
show usernames
show usernames
Displays list of users and their capabilities.
Syntax Description
N/A
Default
N/A
Configuration Mode
Any command mode
History
Example
switch (config) # show usernames
USERNAME FULL NAME CAPABILITY ACCOUNT STATUS
Related Commands
username
show users
Notes
show users
show users [history]
Displays logged in users and related information such as idle time and what host they have connected from.
Syntax Description
history
Displays current and historical sessions.
Default
N/A
Configuration Mode
Any command mode
History
3.1.0000
Example
switch (config) # show users
USERNAME FULL NAME LINE HOST IDLE
admin System Administrator pts/0 172.22.237.174 0d0h34m4s
switch (config) # show users history
Related Commands
username
show usernames
Notes
show whoami
show whoami
Displays username and capabilities of user currently logged in.
Syntax Description
N/A
Default
N/A
Configuration Mode
Any command mode
History
3.1.0000
Example
switch (config) # show whoami
Related Commands
username
show usernames
show users
Notes
password
password [age expiration <days> | age warning <days> | history <length> | length minimal <length> | length maximal <length> | username-password-match enable | complexity-class <char class> | hardening enable]
Configures restrictions for new passwords.
Syntax Description
age expiration <days>
Specifies validity period of any password configured.
Range: 0-365 days (0=password will not expire)
Default: 365 days
age warning <days>
Specifies how many days before expiration a warning message should be printed while logging in.
Range: 0-30 days (0 indicates that a warning message will not be printed)
Default: 15 days
history <length>
Specifies how many previous passwords are saved per user. A new password is compared against the saved ones and rejected if it matches any of them.
Range: 0-20 passwords
Default: 5 passwords
length minimal <length>
Specifies minimal length of allowed password.
Range: 1-32 characters
Default: 8 characters
length maximal <length>
Specifies maximal length of allowed password.
Range: 64-80 characters
Default: 64 characters
username-password-match enable
Prevents a user from setting a password identical to the username.
Default: enabled
The no form of the command allows it.
complexity-class <char class>
Specifies what characters must be used while configuring password.
Special characters allowed are: `~!@#$%^&*()-_=+[{}];:',<.>
Default: lower-upper-digit
hardening enable
Enables password restrictions. When enabled, all of the above rules are checked against every new password being configured, and a password that does not meet the requirements is rejected.
The no form disables all password restrictions, so every password is allowed.
Default
Enabled. After upgrade, the feature will be disabled by default.
Configuration Mode
Config
History
3.9.2000
Example
switch (config) # password hardening enable
Related Commands
show password hardening
Notes
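The rules the "password" command enforces (length limits, history, username match, complexity class, age expiration and warning) are easy to get subtly wrong when reproduced in a provisioning or audit script, so the following added example models them in Python. It is not the switch's own code. The policy field names, the "hardening disabled means everything is accepted" shortcut and the reading of a complexity class as a hyphen-joined list of required character classes (with "special" mapped to the page's list of special characters) are assumptions; only "lower-upper-digit" and the ranges and defaults come from the page.

```python
import string
from datetime import date, timedelta

# Special characters the page lists as allowed in passwords.
SPECIAL_CHARS = set("`~!@#$%^&*()-_=+[{}];:',<.>")

# Defaults as stated on the page. The dictionary keys are assumed names,
# not the switch's own identifiers.
DEFAULT_POLICY = {
    "hardening": True,
    "length_minimal": 8,                      # range 1-32, default 8
    "length_maximal": 64,                     # range 64-80, default 64
    "history": 5,                             # range 0-20, default 5
    "username_password_match": True,          # reject password == username
    "complexity_class": "lower-upper-digit",  # page default
}

# Assumption: a class name is a hyphen-joined list of required character classes.
CLASS_CHECKS = {
    "lower": lambda p: any(c in string.ascii_lowercase for c in p),
    "upper": lambda p: any(c in string.ascii_uppercase for c in p),
    "digit": lambda p: any(c in string.digits for c in p),
    "special": lambda p: any(c in SPECIAL_CHARS for c in p),   # assumed extension
}


def check_new_password(username, candidate, previous_passwords, policy=DEFAULT_POLICY):
    """Return the list of violated rules; an empty list means the password is accepted.

    previous_passwords is the user's saved history, most recent first; only the
    first policy["history"] entries are compared, mirroring "history <length>".
    A real system stores and compares password hashes; plaintext is used here
    only to keep the illustration short.
    """
    if not policy["hardening"]:
        return []   # page: with hardening disabled every password is allowed
    violations = []
    if len(candidate) < policy["length_minimal"]:
        violations.append("shorter than length minimal")
    if len(candidate) > policy["length_maximal"]:
        violations.append("longer than length maximal")
    if policy["username_password_match"] and candidate == username:
        violations.append("password identical to username")
    if candidate in previous_passwords[: policy["history"]]:
        violations.append("password reused from history")
    for cls in policy["complexity_class"].split("-"):
        check = CLASS_CHECKS.get(cls)
        if check is None:
            raise ValueError(f"unknown complexity class component: {cls}")
        if not check(candidate):
            violations.append(f"missing required character class: {cls}")
    return violations


def password_age_status(set_on_iso, today_iso, age_expiration=365, age_warning=15):
    """Classify a password's age per "age expiration" and "age warning".

    Dates are ISO strings (YYYY-MM-DD). age_expiration 0 means the password
    never expires; age_warning 0 means no warning is printed.
    """
    if age_expiration == 0:
        return "ok"
    expires_on = date.fromisoformat(set_on_iso) + timedelta(days=age_expiration)
    today = date.fromisoformat(today_iso)
    if today >= expires_on:
        return "expired"
    if age_warning and (expires_on - today).days <= age_warning:
        return "warning"
    return "ok"
```

Run against a weak candidate such as the username itself, the function returns every rule it breaks at once, which is the behaviour you want from an audit script: one pass reports everything, rather than stopping at the first failure the way an interactive prompt does.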
show password hardening
show password hardening
Displays all the configured password restrictions settings.
Syntax Description
N/A
Default
N/A
Configuration Mode
Any command mode
History
3.9.2000
Example
switch (config) # show password hardening
Related Commands
password
Notes
aaa accounting
aaa accounting changes default stop-only tacacs+
no aaa accounting changes default stop-only tacacs+
Enables logging of system changes to an AAA accounting server.
The no form of the command disables the accounting.
Syntax Description
N/A
Default
N/A
Configuration Mode
config
History
3.1.0000
Example
switch (config) # aaa accounting changes default stop-only tacacs+
Related Commands
show aaa
Notes
aaa authentication login
aaa authentication login default <auth method> [<auth method> [<auth method> [<auth method> [<auth method>]]]]
no aaa authentication login
Sets a sequence of authentication methods. Up to four methods can be configured.
The no form of the command resets the configuration to its default.
Syntax Description
auth-method
Default
local
Configuration Mode
Any command mode
History
3.1.0000
3.7.1102—Updated notes
Example
switch (config) # aaa authentication login default radius tacacs+ ldap local
Related Commands
show aaa
Notes
aaa authentication attempts fail-delay
aaa authentication attempts fail-delay <time>
no aaa authentication attempts fail-delay
Configures delay for a specific period of time after every authentication failure.
The no form of the command resets the fail-delay to its default value.
Syntax Description
time
Range: 0-60 seconds
Default
0
Configuration Mode
config
History
3.5.0200
Example
switch (config) # aaa authentication attempts fail-delay 1
Related Commands
Notes
aaa authentication attempts track
aaa authentication attempts track {downcase | enable}
no aaa authentication attempts track {downcase | enable}
Configure tracking for failed authentication attempts.
The no form of the command clears configuration for tracking authentication failures.
Syntax Description
downcase
Does not convert all usernames to lowercase (for authentication failure tracking purposes only).
enable
Disables tracking of failed authentication attempts.
Default
N/A
Configuration Mode
config
History
3.5.0200
Example
switch (config) # aaa authentication attempts track enable
Related Commands
Notes
aaa authentication attempts lockout
aaa authentication attempts lockout {enable | lock-time | max-fail | unlock-time}
no aaa authentication attempts lockout {enable | lock-time | max-fail | unlock-time}
Configures lockout of accounts based on failed authentication attempts.
The no form of the command clears configuration for lockout of accounts based on failed authentication attempts.
Syntax Description
enable
Enables locking out of user accounts based on authentication failures.
The no form both suspends enforcement of any existing lockouts and prevents any new lockouts from being recorded. If lockouts are later re-enabled, any lockouts that had been recorded previously resume being enforced, but accounts which have passed the max-fail limit in the meantime are NOT automatically locked at that time. They are permitted one more attempt and then locked, because of how locking is done: a lockout is applied after an authentication failure, if the user has surpassed the threshold at that time.
Lockouts only work if tracking is enabled. Enabling lockouts automatically enables tracking. Disabling tracking automatically disables lockouts.
lock-time
Sets maximum permitted consecutive authentication failures before locking out users.
Unlike the “max-fail” setting, this does take effect immediately for all accounts.
If both unlock-time and lock-time are set, the unlock-time must be greater than the lock-time.
This is not based on the number of consecutive failures, and is therefore divorced from most of the rest of the tally feature, except for the tracking of the last login failure.
max-fail
Sets maximum permitted consecutive authentication failures before locking out users.
This setting only impacts what lockouts are imposed while the setting is active; it is not retroactive to previous logins. So if max-fail is disabled or changed, this does not immediately cause any users to be changed from locked to unlocked or vice versa.
unlock-time
Enables the auto-unlock of an account after a specified number of seconds if a user account is locked due to authentication failures, counting from the last valid login attempt.
Unlike the “max-fail” setting, this does take effect immediately for all accounts.
If both unlock-time and lock-time are set, the unlock-time must be greater than the lock-time.
Be careful when disabling the unlock-time, particularly if max-fail is set and the behavior has not been overridden for the admin account (i.e. it is subject to lockouts as well). If the admin account gets locked out and there are no other administrators who can help, the user may be forced to boot single-user and use the pam_tallybyname command-line utility to unlock the account manually. Even if one is careful not to incur this many authentication failures, it makes the system more susceptible to DoS attacks.
Default
N/A
Configuration Mode
config
History
3.2.3000
Example
switch (config) # aaa authentication attempts lockout enable
Related Commands
Notes
aaa authentication attempts class-override
aaa authentication attempts class-override {admin [no-lockout] | unknown {no-track | hash-username}}
no aaa authentication attempts class-override {admin | unknown {no-track | hash-username}}
Overrides the global settings for tracking and lockouts for a type of account.
The no form of the command removes this override and lets the admin be handled according to the global settings.
Syntax Description
admin
Overrides the global settings for tracking and lockouts for the admin account. This applies only to the single account with the username “admin”. It does not apply to any other users with administrative privileges.
no-lockout
Prevents the admin user from being locked out though authentication failure history is still tracked (if tracking is enabled overall).
unknown
Overrides the global settings for tracking and lockouts for unknown accounts. The “unknown” class here contains the following categories:
hash-username
Applies a hash function to the username and stores the hashed result in lieu of the original.
no-track
Does not track authentication for such users (which of course also implies no-lockout).
Default
N/A
Configuration Mode
config
History
3.2.3000
Example
switch (config) # aaa authentication attempts class-override admin no-lockout
Related Commands
Notes
aaa authentication attempts reset
aaa authentication attempts reset {all | user <username>} [{no-clear-history | no-unlock}]
Clears the authentication history for and/or unlocks specified users.
Syntax Description
all
Applies the function to all users.
user
Applies the function to a specific user.
no-clear-history
Leaves the history of login failures but unlocks the account.
no-unlock
Leaves the account locked but clears the history of login failures.
Default
N/A
Configuration Mode
config
History
3.2.3000
Example
switch (config) # aaa authentication attempts reset user admin all
Related Commands
Notes
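The interaction between the "track", "lockout", "class-override" and "reset" commands above is the part of this feature most often misunderstood, in particular that a lock is applied only after a failure that exceeds max-fail, that enabling lockout implies tracking, and that the admin override exempts only the literal "admin" account. The following added Python model walks through those rules; it is an illustration written for this page, not the switch's implementation. The class and method names are assumptions, timestamps are passed in explicitly so the logic can be exercised without waiting, "downcase" is modelled as folding usernames to lowercase for tally purposes, a successful login is assumed to clear the consecutive-failure count, and the unlock timer is assumed to count from the last recorded failure.

```python
import hashlib


class AuthAttemptTracker:
    """Model of 'aaa authentication attempts' tracking and lockout (assumed names)."""

    def __init__(self, track=True, downcase=True, lockout=False, max_fail=None,
                 unlock_time=None, admin_no_lockout=False, unknown_mode=None,
                 known_users=()):
        self.track = track or lockout          # enabling lockout enables tracking
        self.lockout = lockout and self.track  # disabling tracking disables lockout
        self.downcase = downcase
        self.max_fail = max_fail               # max permitted consecutive failures
        self.unlock_time = unlock_time         # seconds; None = no auto-unlock
        self.admin_no_lockout = admin_no_lockout
        self.unknown_mode = unknown_mode       # None, "no-track" or "hash-username"
        self.known_users = set(known_users)
        # tally key -> {"failures": n, "last_failure": t, "locked": bool}
        self.records = {}

    def _key(self, username):
        """Tally key for a username, applying downcase and the 'unknown' override."""
        name = username.lower() if self.downcase else username
        if name not in self.known_users:
            if self.unknown_mode == "no-track":
                return None                     # not tracked, so never locked
            if self.unknown_mode == "hash-username":
                digest = hashlib.sha256(name.encode()).hexdigest()[:16]
                return "unknown:" + digest      # store a hash, not the typed name
        return name

    def is_locked(self, username, now):
        """Enforced only while lockout is enabled; unlock-time expires a lock."""
        if not self.lockout:
            return False
        key = self._key(username)
        rec = self.records.get(key)
        if rec is None:
            return False
        if rec["locked"] and self.unlock_time is not None \
                and now - rec["last_failure"] >= self.unlock_time:
            rec["locked"] = False               # auto-unlock after unlock-time
        return rec["locked"]

    def record_failure(self, username, now):
        """Record a failed attempt; returns True if the account is now locked.

        The lock is applied after the failure, once the tally exceeds max-fail,
        which is why an account over the limit while lockout was disabled gets
        one more attempt after lockout is re-enabled.
        """
        if not self.track:
            return False
        key = self._key(username)
        if key is None:
            return False
        rec = self.records.setdefault(key, {"failures": 0, "last_failure": None, "locked": False})
        rec["failures"] += 1
        rec["last_failure"] = now
        exempt = self.admin_no_lockout and key == "admin"   # only the literal admin account
        if self.lockout and self.max_fail is not None and not exempt \
                and rec["failures"] > self.max_fail:
            rec["locked"] = True
        return rec["locked"]

    def record_success(self, username):
        """A successful login ends the run of consecutive failures (assumption)."""
        rec = self.records.get(self._key(username))
        if rec is not None:
            rec["failures"] = 0

    def reset(self, username=None, no_clear_history=False, no_unlock=False):
        """'aaa authentication attempts reset {all | user}' with its two modifiers."""
        keys = list(self.records) if username is None else [self._key(username)]
        for key in keys:
            rec = self.records.get(key)
            if rec is None:
                continue
            if not no_clear_history:
                rec["failures"] = 0
            if not no_unlock:
                rec["locked"] = False
```

Note what the model makes visible: with max-fail 3 the fourth failure locks the account, not the third; an unlock-time expiry clears the lock but not the failure count, so the very next failure re-locks; and hash-username keeps unknown names out of the tally store while still allowing those attempts to be counted and locked, which is the reason to prefer it over no-track when the switch faces password guessing against non-existent accounts.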
clear aaa authentication attempts
clear aaa authentication attempts {all | user <username>} [no-clear-history | no-unlock]
Clears the authentication history for and/or unlocks specified users.
Syntax Description
all
Applies function to all users.
user
Applies function to a specific user.
no-clear-history
Clears the history of login failures.
no-unlock
Unlocks the account.
Default
N/A
Configuration Mode
config
History
3.2.3000
Example
switch (config) # aaa authentication attempts reset user admin no-clear-history
Related Commands
Notes
aaa authorization
aaa authorization map [default-user <username> | order <policy> | fallback]
no aaa authorization map [default-user | order | fallback]
Sets the mapping permissions of a user in case a remote authentication is done.
The no form of the command resets the attributes to default.
Syntax Description
username
Specifies which local account the authenticated user is logged on as when a user is authenticated via RADIUS, TACACS+ or LDAP and does not have a local account. If the username is local, this mapping is ignored.
order <policy>
Sets the user mapping behavior when authenticating users via RADIUS, TACACS+ or LDAP. If the authenticated username is valid locally, no mapping is performed. The setting has the following three possible behaviors:
fallback
Sets the fallback behavior when authenticating via RADIUS, TACACS+ or LDAP: if a method returns an error, authentication is attempted with the next method in the list.
Default
Default user—admin
Map order—remote-first
Order fallback—server-err
Configuration Mode
config
History
3.1.0000
3.7.1000—Added “fallback” parameter
3.7.1000—Updated syntax
Example
switch (config) # aaa authorization map default-user admin
Related Commands
show aaa
username
Notes
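The "aaa authentication login" method list and the "aaa authorization map" default-user and fallback settings together decide what happens when a remote server is unreachable and which local account a remotely authenticated user ends up with. The following added Python example walks a method list with those two rules; it is written for this page, not taken from the switch. The back ends are constructed stand-ins, the function names are assumptions, and the rule that a definite reject ends the sequence while only a server error falls through to the next method is an assumption beyond the page's wording.

```python
class ServerError(Exception):
    """The remote AAA server did not respond or returned an error."""


def make_backend(name, users, available=True):
    """Constructed stand-in for RADIUS, TACACS+, LDAP or local authentication.

    The returned callable accepts (username, password) and returns True
    (accept) or False (reject), or raises ServerError when unavailable.
    """
    def backend(username, password):
        if not available:
            raise ServerError(f"{name}: no response")
        return users.get(username) == password
    backend.__name__ = name
    return backend


# Constructed local account database (username -> password).
LOCAL_ACCOUNTS = {"admin": "adminpw", "monitor": "monpw"}


def authenticate(username, password, methods, fallback=True,
                 local_accounts=LOCAL_ACCOUNTS, default_user="admin"):
    """Try each configured method in order.

    Returns (result, method_name, local_account) with result one of
    "accept", "reject" or "error". fallback=True mirrors 'aaa authorization
    map fallback' (default server-err): a server error moves on to the next
    method. A reject is assumed to end the sequence. On accept, a user with no
    local account is mapped to default_user, as 'map default-user' describes.
    """
    for method in methods:
        try:
            accepted = method(username, password)
        except ServerError:
            if fallback:
                continue                      # server-err: try the next method
            return ("error", method.__name__, None)
        if accepted:
            mapped = username if username in local_accounts else default_user
            return ("accept", method.__name__, mapped)
        return ("reject", method.__name__, None)
    return ("error", None, None)              # every method errored out
```

The page's default for default-user is admin, so in this model a TACACS+-authenticated user with no local account lands on the admin account with full privileges; a defender will normally point default-user at a restricted local account and rely on the remote server's group mapping to elevate the few users who need it. The fallback rule is equally worth noting: with fallback on and "local" last in the list, an unreachable remote server silently degrades to local password authentication, which is convenient for recovery but also means local credentials must be held to the same standard as the remote ones.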
show aaa
show aaa
Displays the AAA configuration.
Syntax Description
N/A
Default
N/A
Configuration Mode
Any command mode
History
3.1.0000
3.7.0020—Example updated
Example
switch (config) # show aaa
AAA authorization:
Related Commands
aaa accounting
aaa authentication
aaa authorization
show aaa
show usernames
username
Notes
show aaa authentication attempts
show aaa authentication attempts [configured | status user <username>]
Displays the current authentication, authorization and accounting settings.
Syntax Description
authentication attempts
Displays configuration and history of authentication failures.
configured
Displays configuration of authentication failure tracking.
status user
Displays status of authentication failure tracking and lockouts for specific user.
Default
N/A
Configuration Mode
Any command mode
History
3.2.1000
3.5.0200—Updated example
Example
switch (config) # show aaa authentication attempts
Configuration for authentication failure tracking and locking:
Track authentication failures: yes
Related Commands
Notes
radius-server
radius-server {key <secret> | retransmit <retries> | timeout <seconds>}
no radius-server {key | retransmit | timeout}
Sets global RADIUS server attributes.
The no form of the command resets the attributes to their default values.
Syntax Description
secret
Sets a secret key (shared hidden text string), known to the system and to the RADIUS server.
retries
Number of retries (0-5) before the authentication attempt is abandoned.
seconds
Timeout in seconds between each retry (1-60).
Default
3 seconds, 1 retry
Configuration Mode
config
History
3.1.0000
Example
switch (config) # radius-server retransmit 3
Related Commands
aaa authorization
radius-server host
show radius
Notes
Each RADIUS server can override those global parameters using the command “radius-server host”.
radius-server host
radius-server host <IP address> [enable | auth-port <port> | key <secret> | prompt-key | retransmit <retries> | timeout <seconds> | cipher <none | eap-peap>]
no radius-server host <IP address> [auth-port | enable | cipher]
Configures RADIUS server attributes.
The no form of the command resets the attributes to their default values and deletes the RADIUS server.
Syntax Description
IP address
RADIUS server IP address
enable
Administrative enable of the RADIUS server
auth-port
Configures authentication port to use with this RADIUS server
port
RADIUS server UDP port number
key
Configures shared secret to use with this RADIUS server
prompt-key
Prompt for key, rather than entering on command line
retransmit
Configures retransmit count to use with this RADIUS server
retries
Number of retries (0-5) before the authentication attempt is abandoned.
timeout
Configures timeout between each try
seconds
Timeout in seconds between each retry (1-60)
cipher
Configures the cipher used to encrypt communication with this RADIUS server: none or eap-peap.
Default
3 seconds, 1 retry
Default UDP port is 1812
Configuration Mode
config
History
3.1.0000
3.8.1000—Updated command description, syntax description & example
Example
switch (config) # radius-server host fe80::202:b3ff:fe1e:8329
Related Commands
aaa authorization
radius-server
show radius
Notes
show radius
show radius
Displays RADIUS configurations.
Syntax Description
N/A
Default
N/A
Configuration Mode
Any command mode
History
3.1.0000
3.6.6000—Updated example
3.8.1000—Updated command description, syntax description & example
Example
switch (config) # show radius
Related Commands
aaa authorization
radius-server
radius-server host
Notes
tacacs-server
tacacs-server {key <secret> | retransmit <retries> | timeout <seconds>}
no tacacs-server {key | retransmit | timeout}
Sets global TACACS+ server attributes.
The no form of the command resets the attributes to default values.
Syntax Description
secret
Set a secret key (shared hidden text string), known to the system and to the TACACS+ server.
retries
Number of retries (0-5) before the authentication attempt is abandoned.
seconds
Timeout in seconds between each retry.
Range: 1-60
Default
3 seconds, 1 retry
Configuration Mode
config
History
3.1.0000
Example
switch (config) # tacacs-server retransmit 3
Related Commands
aaa authorization
show radius
show tacacs
tacacs-server host
Notes
Each TACACS+ server can override those global parameters using the command “tacacs-server host”.
tacacs-server host
tacacs-server host <IP address> {enable | auth-port <port> | auth-type <type> | key <secret> | prompt-key | retransmit <retries> | timeout <seconds>}
no tacacs-server host <IP address> {enable | auth-port}
Configures TACACS+ server attributes.
The no form of the command resets the attributes to their default values and deletes the TACACS+ server.
Syntax Description
IP address
TACACS+ server IP address.
enable
Administrative enable for the TACACS+ server.
auth-port
Configures authentication port to use with this TACACS+ server.
port
TACACS+ server TCP port number.
auth-type
Configures authentication type to use with this TACACS+ server.
type
Authentication type. Possible values are:
key
Configures shared secret to use with this TACACS+ server.
secret
Sets a secret key (shared hidden text string), known to the system and to the TACACS+ server.
prompt-key
Prompts for key, rather than entering key on command line.
retransmit
Configures retransmit count to use with this TACACS+ server.
retries
Number of retries (0-5) before the authentication attempt is abandoned.
timeout
Configures timeout to use with this TACACS+ server.
seconds
Timeout in seconds between each retry.
Range: 1-60
Default
3 seconds, 1 retry
Default TCP port is 49
Default auth-type is PAP
Configuration Mode
config
History
3.1.0000
Example
switch (config) # tacacs-server host 40.40.40.40
switch (config) # tacacs-server host fe80::202:b3ff:fe1e:8329
Related Commands
aaa authorization
show tacacs
tacacs-server
Notes
show tacacs
show tacacs
Displays TACACS+ configurations.
Syntax Description
N/A
Default
N/A
Configuration Mode
Any command mode
History
3.1.0000
3.6.6000—Updated example
Example
TACACS+ servers:
Related Commands
aaa authorization
tacacs-server
tacacs-server host
Notes
ldap enable
ldap [vrf <vrf-name>] enable [force]
no ldap [vrf <vrf-name>] enable
Enables LDAP in the specified VRF.
The no form of the command disables LDAP in a specified VRF.
Syntax Description
force
Enables LDAP in the specified VRF while setting all relevant LDAP options to default.
Default
LDAP enabled
Configuration Mode
config
History
3.9.2000
Example
switch (config) # ldap vrf mgmt enable
Related Commands
Notes
If VRF mgmt exists, LDAP will be enabled on VRF mgmt. If there is no VRF mgmt, LDAP will be enabled on the "default" VRF.
ldap base-dn
ldap base-dn <string>
no ldap base-dn
Sets the base distinguished name (location) of the user information in the schema of the LDAP server.
The no form of the command resets the attribute to its default values.
Syntax Description
string
A case-sensitive string that specifies the location in the LDAP hierarchy where the server should begin searching when it receives an authorization request.
For example: “ou=users,dc=example,dc=com”, with no spaces.
Where:
Default
ou=users,dc=example,dc=com
Configuration Mode
config
History
3.1.1000
3.4.0000—Updated example
Example
switch (config) # ldap base-dn ou=department,dc=example,dc=com
Related Commands
show ldap
Notes
ldap bind-dn/bind-password
ldap {bind-dn | bind-password} <string>
no ldap {bind-dn | bind-password}
Gives the distinguished name or password to bind to on the LDAP server. This can be left empty for anonymous login (the default).
The no form of the command resets the attribute to its default values.
Syntax Description
string
A case-sensitive string that specifies distinguished name or password to bind to on the LDAP server.
Default
“”
Configuration Mode
config
History
3.1.1000
3.4.0000—Updated example
Example
switch (config) # ldap bind-dn my-dn
Related Commands
show ldap
Notes
For anonymous login, bind-dn and bind-password should be empty strings “”.
ldap group-attribute/group-dn
ldap {group-attribute {<group-att> | member | uniqueMember} | group-dn <group-dn>}
no ldap {group-attribute | group-dn}
Sets the distinguished name or attribute name of a group on the LDAP server.
The no form of the command resets the attribute to its default values.
Syntax Description
group-att
Specifies a custom attribute name.
member
groupOfNames or group membership attribute.
uniqueMember
groupOfUniqueNames membership attribute.
group-dn
DN of group required for authorization.
Default
group-att: member
group-dn: “”
Configuration Mode
config
History
3.1.1000
3.4.0000—Updated example
Example
switch (config) # ldap group-attribute member
Related Commands
show ldap
Notes
ldap nested-group-search
ldap nested-group-search
no ldap nested-group-search
Enables the LDAP nested-group search mechanism for user-authentication group matching.
The no form of the command resets the attribute to its default values.
Syntax Description
N/A
Default
Disabled
Configuration Mode
config
History
3.10.2000
Example
switch (config) # ldap nested-group-search
Related Commands
ldap nested-group-depth
ldap nested-group-count
show ldap
Notes
ldap nested-group-depth
ldap nested-group-depth <1-9>
no ldap nested-group-depth
Sets LDAP maximum depth for nested-group search.
The no form of the command resets search depth to default (3).
Syntax Description
N/A
Default
3
Configuration Mode
config
History
3.10.2000
Example
switch (config) # ldap nested-group-depth 6
Related Commands
ldap nested-group-search
ldap nested-group-count
show ldap
Notes
ldap nested-group-count
ldap nested-group-count <1-10000>
no ldap nested-group-count
Sets LDAP maximum number of queried nested-groups.
The no form of the command resets the maximum nested-group count to its default (1000).
Syntax Description
N/A
Default
1000
Configuration Mode
config
History
3.10.2000
Example
switch (config) # ldap nested-group-count 500
Related Commands
ldap nested-group-depth
ldap nested-group-search
show ldap
Notes
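The three nested-group commands above (search enable, depth limit, group-count limit) together with "ldap group-attribute" and "ldap group-dn" define a bounded graph search over group membership. The following added Python example implements that search over a small constructed directory so the effect of each limit can be seen; it is an illustration for this page, not the switch's LDAP client. The DNs and the directory contents are constructed, the function name is an assumption, and the exact counting conventions are assumptions too: level 0 is the required group itself, subgroups at nesting levels 1 through nested-group-depth are queried, and the group count includes the required group.

```python
from collections import deque

# Constructed DNs (sample values, not from the page).
BASE = "dc=example,dc=com"
NETADMINS = f"cn=netadmins,ou=groups,{BASE}"
OPS = f"cn=ops,ou=groups,{BASE}"
TIER2 = f"cn=tier2,ou=groups,{BASE}"
TIER3 = f"cn=tier3,ou=groups,{BASE}"
AUDITORS = f"cn=auditors,ou=groups,{BASE}"
ALICE, BOB, CAROL, DAVE = (f"uid={u},ou=users,{BASE}" for u in ("alice", "bob", "carol", "dave"))

# Constructed directory: group DN -> attributes. "member" is the groupOfNames
# attribute and "uniqueMember" the groupOfUniqueNames attribute named on the
# page. tier3 points back at netadmins to give the graph a cycle.
DIRECTORY = {
    NETADMINS: {"member": [OPS]},
    OPS:       {"member": [TIER2, ALICE]},
    TIER2:     {"member": [TIER3, BOB]},
    TIER3:     {"member": [CAROL, NETADMINS]},
    AUDITORS:  {"uniqueMember": [ALICE]},
}


def user_in_group(directory, user_dn, group_dn, group_attribute="member",
                  nested_group_search=False, nested_group_depth=3,
                  nested_group_count=1000):
    """Return (matched, groups_queried) for the 'ldap group-dn' check.

    Without nested_group_search only the direct members of group_dn count.
    With it, subgroups are expanded breadth-first down to nested_group_depth
    levels, and the search gives up once nested_group_count groups have been
    queried. A visited set keeps membership cycles from looping forever.
    """
    queue = deque([(group_dn, 0)])
    visited = set()
    queried = 0
    while queue:
        dn, level = queue.popleft()
        if dn in visited:
            continue
        visited.add(dn)
        if queried >= nested_group_count:
            return False, queried          # count limit reached: treat as no match
        queried += 1
        members = directory.get(dn, {}).get(group_attribute, [])
        if user_dn in members:
            return True, queried
        if not nested_group_search or level >= nested_group_depth:
            continue                       # depth limit: do not expand further
        for member in members:
            if member in directory:        # a member that is itself a group
                queue.append((member, level + 1))
    return False, queried
```

The two limits fail closed: when the depth or count budget runs out before the user is found, the result is "not a member", so a directory with deep nesting can silently lock out legitimate users. Checking the queried-group count returned here against the configured nested-group-count is a quick way to tell whether a denial came from the limit rather than from membership.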
ldap host
ldap host <ip-address> [order <number> last]
no ldap host <ip-address>
Adds an LDAP server to the set of servers used for authentication.
The no form of the command deletes the LDAP host.
Syntax Description
ip-address
IPv4 or IPv6 address.
number
The order of the LDAP server.
last
The LDAP server will be added in the last location.
Default
No hosts configured
Configuration Mode
config
History
3.1.1000
3.4.0000—Updated example
Example
switch (config) # ldap host 10.10.10.10
Related Commands
show aaa
show ldap
Notes
ldap hostname-check enable
ldap hostname-check enable
no ldap hostname-check enable
Enables LDAP hostname check.
The no form of the command disables LDAP hostname check.
Syntax Description
N/A
Default
No hosts configured
Configuration Mode
config
History
3.6.8008
Example
switch (config) # ldap hostname-check enable
Related Commands
show aaa
show ldap
Notes
ldap login-attribute
ldap login-attribute {<string> | uid | sAMAccountName}
no ldap login-attribute
Sets the attribute name which contains the login name of the user.
The no form of the command resets this attribute to its default.
Syntax Description
string
Custom attribute name.
uid
LDAP login name is taken from the user login username.
sAMAccountName
SAM Account name, active directory login name.
Default
sAMAccountName
Configuration Mode
config
History
3.1.1000
3.4.0000—Updated example
Example
switch (config) # ldap login-attribute uid
Related Commands
show aaa
show ldap
Notes
ldap port
ldap port <port>
no ldap port
Sets the TCP port on the LDAP server to connect to for authentication.
The no form of the command resets this attribute to its default value.
Syntax Description
port
TCP port number
Default
389
Configuration Mode
config
History
3.1.1000
3.4.0000—Updated example
Example
switch (config) # ldap port 1111
Related Commands
show aaa
show ldap
Notes
ldap referrals
ldap referrals
no ldap referrals
Enables LDAP referrals.
The no form of the command disables LDAP referrals.
Syntax Description
N/A
Default
LDAP referrals are enabled
Configuration Mode
config
History
3.1.1000
3.4.0000—Updated example
Example
switch (config) # no ldap referrals
Related Commands
show aaa
show ldap
Notes
Referral is the process by which an LDAP server, instead of returning a result, will return a referral (a reference) to another LDAP server which may contain further information.
ldap scope
ldap scope <scope>
no ldap scope
Specifies the extent of the search in the LDAP hierarchy that the server should make when it receives an authorization request.
The no form of the command resets the attribute to its default value.
Syntax Description
scope
Default
subtree
Configuration Mode
config
History
3.1.1000
3.4.0000—Updated example
Example
switch (config) # ldap scope subtree
Related Commands
show aaa
show ldap
Notes
ldap ssl
ldap ssl {ca-list <options> | cert-verify | ciphers {all | TLS1.2} | crl-check {enable | file fetch all [vrf <vrf-name>] <path>} | mode <mode> | port <port-number>}
no ldap ssl {cert-verify | ciphers | crl-check enable | mode | port}
Sets SSL parameter for LDAP.
The no form of the command resets the attribute to its default value.
Syntax Description
options
This command specifies the list of supplemental certificates of authority (CAs) from the certificate configuration database that is to be used by LDAP for authentication of servers when in TLS or SSL mode.
The options are:
CA certificates are ignored if “ldap ssl mode” is not configured as either “tls” or “ssl”, or if “no ldap ssl cert-verify” is configured.
The default-ca-list is empty in the factory default configuration. Use the command: “crypto certificate ca-list default-ca-list name” to add trusted certificates to that list.
The “default-ca-list” option requires LDAP to consult the system’s configured global default CA-list for supplemental certificates.
cert-verify
Enables verification of SSL/TLS server certificates. The no form disables verification, which may be required if the server's certificate is self-signed or does not match the name of the server.
ciphers {all | TLS1.2}
Sets the SSL/TLS ciphers to be used: all, or TLS 1.2 ciphers only.
crl-check enable
Enables LDAP CRL check
crl-check file fetch
Fetches the CRL from a remote server. The CRL must be a valid PEM file; otherwise an error message is shown. Supported protocols: SCP, HTTP, HTTPS, FTP, and FTPS.
mode
Sets the security mode for connections to the LDAP server.
vrf-name
VRF to be affected. If "vrf-name" parameter is not specified, "default" VRF will be used.
port-number
Sets the port on the LDAP server to connect to for authentication when the SSL security mode is enabled (LDAP over SSL)
Default
cert-verify—enabled
mode—none (LDAP SSL is not activated)
port-number—636
ciphers—all
Configuration Mode
config
History
3.1.1000
3.2.3000—Added ca-list argument
3.4.0000—Added “ssl ciphers” parameter and Updated example
3.6.8008—Added the parameter “crl-check”
3.9.2000—Added VRF option
3.10.6000—Added note
Example
switch (config) # ldap ssl crl-check file fetch scp://root:pass@1.1.1.1/etc/pki/crl.pem
Related Commands
show aaa
show ldap
Notes
ldap timeout
ldap {timeout-bind | timeout-search} <seconds>
no ldap {timeout-bind | timeout-search}
Sets a global communication timeout in seconds, for either the bind or the search phase, for all LDAP servers.
The no form of the command resets the attribute to its default value.
Syntax Description
timeout-bind
Sets the global LDAP bind timeout for all LDAP servers.
timeout-search
Sets the global LDAP search timeout for all LDAP servers.
seconds
Number of seconds.
Range: 1-60
Default
5 seconds
Configuration Mode
config
History
3.1.1000
3.4.0000—Updated example
Example
switch (config) # ldap timeout-bind 10
Related Commands
show aaa
show ldap
Notes
ldap version
ldap version <version>
no ldap version
Sets the LDAP version.
The no form of the command resets the attribute to its default value.
Syntax Description
version
Sets the LDAP version
Available values: 2, 3
Default
3
Configuration Mode
config
History
3.1.1000
3.4.0000—Updated example
Example
switch (config) # ldap version 3
Related Commands
show aaa
show ldap
Notes
show ldap
show ldap
Displays LDAP configurations.
Syntax Description
N/A
Default
N/A
Configuration Mode
Any command mode
History
3.1.1000
3.4.0000—Updated example
3.6.8008—Updated example
3.10.2000—Updated example to reflect the following added fields: "Nested-group search," "nested-group search depth," and "nested-search maximum group count"
Example
switch (config) # show ldap
Related Commands
show aaa
show ldap
Notes
show ldap crl
show ldap crl
Displays current CRL configured by the user.
Syntax Description
N/A
Default
N/A
Configuration Mode
Any command mode
History
3.6.8008
Example
switch (config) # show ldap crl
Related Commands
show aaa
show ldap
Notes
system secure-mode enable
system secure-mode enable
no system secure-mode enable
Enables secure mode on the switch.
The no form of the command disables secure mode.
Syntax Description
N/A
Default
Disabled
Configuration Mode
config
History
3.5.0200
3.10.2000—Added note
Example
switch (config) # system secure-mode enable
Related Commands
user <username> password <password>
ssh server min-version
ssh server security strict
snmp-server user
no neighbor <ip-address> password
ntp server disable
ntp server keyID
router bgp neighbor password
router bgp peer-group password
Notes
show system secure-mode
show system secure-mode
Displays the security mode of the switch system.
Syntax Description
N/A
Default
N/A
Configuration Mode
Any command mode
History
3.4.2300
Example
switch (config) # show system secure-mode
Related Commands
system secure-mode enable
Notes
show secure-boot-status
show secure-boot-status
Displays the state of the secure boot: enable or disable.
Syntax Description
N/A
Default
N/A
Configuration Mode
Any command mode
History
3.10.1000
Example
Switch # show secure-boot-status
Related Commands
Notes
This command is only available for NDR platforms and above.