User Management and Security Commands
username
username <username> [capability <cap> | disable [login | password] | disconnect | full-name <name> | nopassword | password [0 | 7] <password>] no username <username> [capability | disable [login | password] | full-name] Creates a user and sets its capabilities, password and name. The no form of the command deletes the user configuration. |
||||||||||||||||
Syntax Description |
username |
Specifies a username and creates a user account. New users are created initially with admin privileges but is disabled. Allowed characters for the username:
Any single character or combination of characters from the above is allowed except for a period "." in a single form. |
||||||||||||||
capability <cap> |
Defines user capabilities.
|
|||||||||||||||
disable [login | password] |
|
|||||||||||||||
disconnect |
Logs out the specified user from the system. |
|||||||||||||||
name |
Full name of the user. |
|||||||||||||||
nopassword |
The next login of the user will not require password. |
|||||||||||||||
0 | 7 |
|
|||||||||||||||
password |
Specifies a password for the user in string form. If [0 | 7] was not specified then the password is in cleartext. |
|||||||||||||||
Default |
The following usernames are available by default:
|
|||||||||||||||
Configuration Mode |
config |
|||||||||||||||
History |
|
|||||||||||||||
Example |
switch (config) # username monitor full-name smith |
|||||||||||||||
Related Commands |
show usernames show users |
|||||||||||||||
Notes |
|
show usernames
show usernames Displays list of users and their capabilities. |
||||||||
Syntax Description |
N/A |
|||||||
Default |
N/A |
|||||||
Configuration Mode |
Any command mode |
|||||||
History |
|
|||||||
Example |
||||||||
switch (config) # show usernames USERNAME FULL NAME CAPABILITY ACCOUNT STATUS |
||||||||
Related Commands |
username show users |
|||||||
Notes |
show users
show users [history] Displays logged in users and related information such as idle time and what host they have connected from. |
||
Syntax Description |
history |
Displays current and historical sessions. |
Default |
N/A |
|
Configuration Mode |
Any command mode |
|
History |
3.1.0000 |
|
Example |
||
switch (config) # show users USERNAME FULL NAME LINE HOST IDLE admin System Administrator pts/0 172.22.237.174 0d0h34m4s switch (config) #s how users history |
||
Related Commands |
username show usernames |
|
Notes |
show whoami
show whoami Displays username and capabilities of user currently logged in. |
||
Syntax Description |
N/A |
|
Default |
N/A |
|
Configuration Mode |
Any command mode |
|
History |
3.1.0000 |
|
Example |
switch (config) # show whoami |
|
Related Commands |
username show usernames show users |
|
Notes |
password
password [age expiration <days> | age warning <days> | history < length > | length minimal <length> | length maximal < length > | username-password-match enable | complexity-class <char class> | hardening enable] Configures restrictions for new passwords. |
||
Syntax Description |
age expiration <days> |
Specifies validity period of any password configured. Range: 0-365 days (0=password will not expire) Default: 365 days |
age warning <days> |
Specifies how many days before expiration a warning message should be printed while logging in. Range: 0-30 days (0 indicates that a warning message will not be printed) Default: 15 days |
|
history < length > |
Specifies how many passwords are saved per user. New password will be compared to previous passwords and will not be allowed if it is the same as an old one. Range: 0-20 passwords Default: 5 passwords |
|
length minimal <length> |
Specifies minimal length of allowed password. Range: 1-32 characters Default: 8 characters |
|
length maximal < length> |
Specifies maximal length of allowed password. Range: 64-80 characters Default: 64 characters |
|
username-password-match enable |
Restricts user from having password identical to its username. Default: enabled The no form of this command will allow this. |
|
complexity-class <char class> |
Specifies what characters must be used while configuring password.
Special characters allowed are: `~!@#$%^&*()-_=+[{}];:',<.> Default: lower-upper-digit |
|
hardening enable |
Enable password restrictions. If enabled, all the above will be checked upon every new password that is being configured. Password that does not meet the requirements will be rejected. The no form will disable any password restrictions and every password will be allowed. |
|
Default |
Enabled. After upgrade, the feature will be disabled by default. |
|
Configuration Mode |
Config |
|
History |
3.9.2000 |
|
Example |
switch (config) # password hardening enable |
|
Related Commands |
show password hardening |
|
Notes |
show password hardening
show password hardening Displays all the configured password restrictions settings. |
||
Syntax Description |
N/A |
|
Default |
N/A |
|
Configuration Mode |
Any command mode |
|
History |
3.9.2000 |
|
Example |
switch (config) # show password hardening |
|
Related Commands |
password |
|
Notes |
|
aaa accounting
aaa accounting changes default stop-only tacacs+ no aaa accounting changes default stop-only tacacs+ Enables logging of system changes to an AAA accounting server. The no form of the command disables the accounting. |
||
Syntax Description |
N/A |
|
Default |
N/A |
|
Configuration Mode |
config |
|
History |
3.1.0000 |
|
Example |
switch (config) # aaa accounting changes default stop-only tacacs+ |
|
Related Commands |
show aaa |
|
Notes |
|
aaa authentication login
aaa authentication login default <auth method> [<auth method> [<auth method> [<auth method> [<auth method>]]]] no aaa authentication login Sets a sequence of authentication methods. Up to four methods can be configured. The no form of the command resets the configuration to its default. |
||
Syntax Description |
auth-method |
|
Default |
local |
|
Configuration Mode |
Any command mode |
|
History |
3.1.0000 3.7.1102—Updated notes |
|
Example |
switch (config) # aaa authentication login default radius tacacs+ ldap local |
|
Related Commands |
show aaa |
|
Notes |
|
aaa authentication attempts fail-delay
aaa authentication attempts fail-delay <time> no aaa authentication attempts fail-delay Configures delay for a specific period of time after every authentication failure. The no form of the command resets the fail-delay to its default value. |
||
Syntax Description |
time |
Range: 0-60 seconds |
Default |
0 |
|
Configuration Mode |
config |
|
History |
3.5.0200 |
|
Example |
switch (config) # aaa authentication attempts fail-delay 1 |
|
Related Commands |
||
Notes |
aaa authentication attempts track
aaa authentication attempts track {downcase | enable} no aaa authentication attempts track {downcase | enable} Configure tracking for failed authentication attempts. The no form of the command clears configuration for tracking authentication failures. |
||
Syntax Description |
downcase |
Does not convert all usernames to lowercase (for authentication failure tracking purposes only). |
enable |
Disables tracking of failed authentication attempts. |
|
Default |
N/A |
|
Configuration Mode |
config |
|
History |
3.5.0200 |
|
Example |
switch (config) # aaa authentication attempts track enable |
|
Related Commands |
||
Notes |
|
aaa authentication attempts lockout
aaa authentication attempts lockout {enable | lock-time | max-fail | unlock-time} no aaa authentication attempts lockout {enable | lock-time | max-fail | unlock-time} Configures lockout of accounts based on failed authentication attempts. The no form of the command clears configuration for lockout of accounts based on failed authentication attempts. |
||
Syntax Description |
enable |
Enables locking out of user accounts based on authentication failures. This both suspends enforcement of any existing lockouts, and prevents any new lockouts from being recorded. If lockouts are later re-enabled, any lockouts that had been recorded previously resume being enforced; but accounts which have passed the max-fail limit in the meantime are NOT automatically locked at this time. They would be permitted one more attempt, and then locked, because of how the locking is done: lockouts are applied after an authentication failure, if the user has surpassed the threshold at that time. Lockouts only work if tracking is enabled. Enabling lockouts automatically enables tracking. Disabling tracking automatically disables lockouts. |
lock-time |
Sets maximum permitted consecutive authentication failures before locking out users. Unlike the “max-fail” setting, this does take effect immediately for all accounts. If both unlock-time and lock-time are set, the unlock-time must be greater than the lock-time. This is not based on the number of consecutive failures, and is therefore divorced from most of the rest of the tally feature, except for the tracking of the last login failure. |
|
max-fail |
Sets maximum permitted consecutive authentication failures before locking out users. This setting only impacts what lockouts are imposed while the setting is active; it is not retroactive to previous logins. So if max-fail is disabled or changed, this does not immediately cause any users to be changed from locked to unlocked or vice versa. |
|
unlock-time |
Enables the auto-unlock of an account after a specified number of seconds if a user account is locked due to authentication failures, counting from the last valid login attempt. Unlike the “max-fail” setting, this does take effect immediately for all accounts. If both unlock-time and lock-time are set, the unlock-time must be greater than the lock-time. Careful with disabling the unlock-time, particularly if you have max-fail set to something, and have not overridden the behavior for the admin (i.e. they are subject to lockouts also). If the admin account gets locked out, and there are no other administrators who can aid, the user may be forced to boot single-user and use the pam_tallybyname command-line utility to unlock your account manually. Even if one is careful not to incur this many authentication failures, it makes the system more subject to DOS attacks. |
|
Default |
N/A |
|
Configuration Mode |
config |
|
History |
3.2.3000 |
|
Example |
switch (config) # aaa authentication attempts lockout enable |
|
Related Commands |
||
Notes |
aaa authentication attempts class-override
aaa authentication attempts class-override {admin [no-lockout] | unknown {no-track | hash-username}} no aaa authentication attempts class-override {admin | unknown {no-track | hash-username}} Overrides the global settings for tracking and lockouts for a type of account. The no form of the command removes this override and lets the admin be handled according to the global settings. |
||
Syntax Description |
admin |
Overrides the global settings for tracking and lockouts for the admin account. This applies only to the single account with the username “admin”. It does not apply to any other users with administrative privileges. |
no-lockout |
Prevents the admin user from being locked out though authentication failure history is still tracked (if tracking is enabled overall). |
|
unknown |
Overrides the global settings for tracking and lockouts for unknown accounts. The “unknown” class here contains the following categories:
|
|
hash-username |
Applies a hash function to the username and stores the hashed result in lieu of the original |
|
no-track |
Does not track authentication for such users (which of course also implies no-lockout) |
|
Default |
N/A |
|
Configuration Mode |
config |
|
History |
3.2.3000 |
|
Example |
switch (config) # aaa authentication attempts class-override admin no-lockout |
|
Related Commands |
||
Notes |
aaa authentication attempts reset
aaa authentication attempts reset {all | user <username>} [{no-clear-history | no-unlock}] Clears the authentication history for and/or unlocks specified users. |
||
Syntax Description |
all |
Applies function to all users |
user |
Applies function to a specific user |
|
no-clear-history |
Leaves the history of login failures but unlocks the account |
|
no-unlock |
Leaves the account locked but clears the history of login failures |
|
Default |
N/A |
|
Configuration Mode |
config |
|
History |
3.2.3000 |
|
Example |
switch (config) # aaa authentication attempts reset user admin all |
|
Related Commands |
||
Notes |
clear aaa authentication attempts
clear aaa authentication attempts {all | user <username>} [no-clear-history | no-unlock] Clears the authentication history for and/or unlocks specified users. |
||
Syntax Description |
all |
Applies function to all users. |
user |
Applies function to a specific user. |
|
no-clear-history |
Clears the history of login failures. |
|
no-unlock |
Unlocks the account. |
|
Default |
N/A |
|
Configuration Mode |
config |
|
History |
3.2.3000 |
|
Example |
switch (config) # aaa authentication attempts reset user admin no-clear-history |
|
Related Commands |
||
Notes |
aaa authorization
aaa authorization map [default-user <username> | order <policy> | fallback] no aaa authorization map [default-user | order | fallback] Sets the mapping permissions of a user in case a remote authentication is done. The no form of the command resets the attributes to default. |
||
Syntax Description |
username |
Specifies what local account the authenticated user will be logged on as when a user is authenticated (via RADIUS or TACACS+ or LDAP) and does not have a local account. If the username is local, this mapping is ignored. |
order <policy> |
Sets the user mapping behavior when authenticating users via RADIUS or TACACS+ or LDAP to one of three choices. The order determines how the remote user mapping behaves. If the authenticated username is valid locally, no mapping is performed. The setting has the following three possible behaviors:
|
|
fallback |
Sets the authenticating fallback behavior via RADIUS or TACACS+ or LDAP. This option attempts to authenticate username through the next authentication method listed in case of an error.
|
|
Default |
Default user—admin Map order—remote-first Order fallback—server-err |
|
Configuration Mode |
config |
|
History |
3.1.0000 3.7.1000—Added “fallback” parameter 3.7.1000—Updated syntax |
|
Example |
switch (config) # aaa authorization map default-user admin |
|
Related Commands |
show aaa username |
|
Notes |
|
show aaa
show aaa Displays the AAA configuration. |
||
Syntax Description |
N/A |
|
Default |
N/A |
|
Configuration Mode |
Any command mode |
|
History |
3.1.0000 3.7.0020—Example updated |
|
Example |
switch (config) # show aaa AAA authorization: |
|
Related Commands |
aaa accounting aaa authentication aaa authorization show aaa show usernames username |
|
Notes |
show aaa authentication attempts
show aaa authentication attempts [configured | status user <username>]] Displays the current authentication, authorization and accounting settings. |
||
Syntax Description |
authentication attempts |
Displays configuration and history of authentication failures. |
configured |
Displays configuration of authentication failure tracking. |
|
status user |
Displays status of authentication failure tracking and lockouts for specific user. |
|
Default |
N/A |
|
Configuration Mode |
Any command mode |
|
History |
3.2.1000 3.5.0200—Updated example |
|
Example |
||
switch (config) # show aaa authentication attempts Configuration for authentication failure tracking and locking: Track authentication failures: yes |
||
Related Commands |
||
Notes |
radius-server
radius-server {key <secret>| retransmit <retries> | timeout <seconds>} no radius-server {key | retransmit | timeout} Sets global RADIUS server attributes. The no form of the command resets the attributes to their default values. |
||
Syntax Description |
secret |
Sets a secret key (shared hidden text string), known to the system and to the RADIUS server. |
retries |
Number of retries (0-5) before exhausting from the authentication. |
|
seconds |
Timeout in seconds between each retry (1-60). |
|
Default |
3 seconds, 1 retry |
|
Configuration Mode |
config |
|
History |
3.1.0000 |
|
Example |
switch (config) # radius-server retransmit 3 |
|
Related Commands |
aaa authorization radius-server host show radius |
|
Notes |
Each RADIUS server can override those global parameters using the command “radius-server host”. |
radius-server enable
radius-server [vrf <vrf-name>] enable [force] no radius-server [vrf <vrf-name>] enable Enables RADIUS in VRF. The no form of the command disables RADIUS in a specified VRF. |
||
Syntax Description |
vrf-name |
VRF name |
force |
Enables RADIUS in the specified VRF and sets all relevan t RADIUS o ption to default |
|
Default |
RADIUS is enabled by default |
|
Configuration Mode |
config |
|
History |
3.9.2000 |
|
Example |
||
Related Commands |
switch (config) # radius-server vrf mgmt enable |
|
Notes |
If VRF management exists, RADIUS will be enabled on VRF management. If VRF management not does not exist, RADIUS will be enabled on VRF default. |
radius-server host
radius-server host <IP address> [enable | auth-port <port> | key <secret> | prompt-key | retransmit <retries> | timeout <seconds>| cipher <none | eap-peap> ] no radius-server host <IP address> [auth-port | enable | cipher] Configures RADIUS server attributes. The no form of the command resets the attributes to their default values and deletes the RADIUS server. |
||
Syntax Description |
IP address |
RADIUS server IP address |
enable |
Administrative enable of the RADIUS server |
|
auth-port |
Configures authentication port to use with this RADIUS server |
|
port |
RADIUS server UDP port number |
|
key |
Configures shared secret to use with this RADIUS server |
|
prompt-key |
Prompt for key, rather than entering on command line |
|
retransmit |
Configures retransmit count to use with this RADIUS server |
|
retries |
Number of retries (0-5) before exhausting from the authentication |
|
timeout |
Configures timeout between each try |
|
seconds |
Timeout in seconds between each retry (1-60) |
|
cipher |
Configures which cipher to use for communication encryption <none | eap-peap> |
|
Default |
3 seconds, 1 retry Default UDP port is 1812 |
|
Configuration Mode |
config |
|
History |
3.1.0000 3.8.1000—Updated command description, syntax description & example |
|
Example |
switch (config) # radius-server host fe80::202:b3ff:fe1e:8329 |
|
Related Commands |
aaa authorization radius-server show radius |
|
Notes |
|
show radius
show radius Displays RADIUS configurations. |
||
Syntax Description |
N/A |
|
Default |
N/A |
|
Configuration Mode |
Any command mode |
|
History |
3.1.0000 3.6.6000—Updated example 3.8.1000—Updated command description, syntax description & example 3.9.2000—Updated example , adding the "administratively" and "VRF name" fields |
|
Example |
switch (config) # show radius RADIUS defaults:
|
|
Related Commands |
aaa authorization radius-server radius-server host |
|
Notes |
tacacs-server
tacacs-server {key <secret>| retransmit <retries> | timeout <seconds>} no tacacs-server {key | retransmit | timeout} Sets global TACACS+ server attributes. The no form of the command resets the attributes to default values. |
||
Syntax Description |
secret |
Set a secret key (shared hidden text string), known to the system and to the TACACS+ server. |
retries |
Number of retries (0-5) before exhausting from the authentication. |
|
seconds |
Timeout in seconds between each retry. Reang: 1-60 |
|
Default |
3 seconds, 1 retry |
|
Configuration Mode |
config |
|
History |
3.1.0000 |
|
Example |
switch (config) # tacacs-server retransmit 3 |
|
Related Commands |
aaa authorization show radius show tacacs tacacs-server host |
|
Notes |
Each TACACS+ server can override those global parameters using the command “tacacs-server host”. |
tacacs-server enable
tacacs-server [vrf <vrf-name>] enable [force] no tacacs-server [vrf <vrf-name>] enable Enables TACACS in VRF. The no form of the command disables TACACS in a specified VRF. |
||
Syntax Description |
vrf-name |
VRF name |
force |
Enables TACACS in the specified VRF and sets all relevan t TACACS o ption to default |
|
Default |
TACACS is enabled by default |
|
Configuration Mode |
config |
|
History |
3.9.2000 |
|
Example |
switch (config) # tacacs-server vrf mgmt enable |
|
Related Commands |
|
|
Notes |
If VRF management exists, TACACS will be enabled on VRF management. If VRF management not does not exist, TACACS will be enabled on VRF default. |
tacacs-server host
tacacs-server host <IP address> {enable | auth-port <port> | auth-type <type> | key <secret> | prompt-key | retransmit <retries> | timeout <seconds>} no tacacs-server host <IP address> {enable | auth-port} Configures TACACS+ server attributes. The no form of the command resets the attributes to their default values and deletes the TACACS+ server. |
||
Syntax Description |
IP address |
TACACS+ server IP address. |
enable |
Administrative enable for the TACACS+ server. |
|
auth-port |
Configures authentication port to use with this TACACS+ server. |
|
port |
TACACS+ server UDP port number. |
|
auth-type |
Configures authentication type to use with this TACACS+ server. |
|
type |
Authentication type. Possible values are:
|
|
key |
Configures shared secret to use with this TACACS+ server. |
|
secret |
Sets a secret key (shared hidden text string), known to the system and to the TACACS+ server. |
|
prompt-key |
Prompts for key, rather than entering key on command line. |
|
retransmit |
Configures retransmit count to use with this TACACS+ server. |
|
retries |
Number of retries (0-5) before exhausting from the authentication. |
|
timeout |
Configures timeout to use with this TACACS+ server. |
|
seconds |
Timeout in seconds between each retry. Range: 1-60 |
|
Default |
3 seconds, 1 retry Default TCP port is 49 Default auth-type is PAP |
|
Configuration Mode |
config |
|
History |
3.1.0000 |
|
Example |
switch (config) # tacacs-server host 40.40.40.40 |
|
Related Commands |
aaa authorization show tacacs tacacs-server |
|
Notes |
|
show tacacs
show tacacs Displays TACACS+ configurations. |
||
Syntax Description |
N/A |
|
Default |
N/A |
|
Configuration Mode |
Any command mode |
|
History |
3.1.0000 3.6.6000—Updated example 3.9.2000—Updated example , adding the "administratively" and "VRF name" fields |
|
Example |
switch (config) # show tacacs TACACS+ defaults: Key : ******** Timeout : 3 Retransmit: 1 switch (config) # show tacacs TACACS+ defaults: TACACS+ servers: |
|
Related Commands |
aaa authorization tacacs-server tacacs-server host |
|
Notes |
ldap enable
ldap [vrf <vrf-name>] enable [force] no ldap [vrf <vrf-name>] enable Enables LDAP in VRF. The no form of the command disables LDAP in a specified VRF. |
||
Syntax Description |
force |
Enables LDAP in the specified VRF while setting all relevant LDAP options to default. |
Default |
LDAP enabled |
|
Configuration Mode |
config |
|
History |
3.9.2000 |
|
Example |
switch (config) # ldap vrf mgmt enable |
|
Related Commands |
|
|
Notes |
If VRF mgmt exists, LDAP will be enabled on VRF mgmt. If there is no VRF mgmt, LDAP will be enabled on the "default" VRF. |
ldap base-dn
ldap base-dn <string> no ldap base-dn Sets the base distinguished name (location) of the user information in the schema of the LDAP server. The no form of the command resets the attribute to its default values. |
||
Syntax Description |
string |
A case-sensitive string that specifies the location in the LDAP hierarchy where the server should begin searching when it receives an authorization request. For example: “ou=users,dc=example,dc=com”, with no spaces. Where:
|
Default |
ou=users,dc=example,dc=com |
|
Configuration Mode |
config |
|
History |
3.1.0000 |
|
3.4.0000 |
Updated example |
|
Example |
switch (config) # ldap base-dn ou=department,dc=example,dc=com |
|
Related Commands |
show ldap |
|
Notes |
ldap bind-dn/bind-password
ldap {bind-dn | bind-password} <string> no ldap {bind-dn | bind-password} Gives the distinguished name or password to bind to on the LDAP server. This can be left empty for anonymous login (the default). The no form of the command resets the attribute to its default values. |
||
Syntax Description |
string |
A case-sensitive string that specifies distinguished name or password to bind to on the LDAP server. |
Default |
“” |
|
Configuration Mode |
config |
|
History |
3.1.0000 |
|
3.4.0000 |
Updated example |
|
Example |
switch (config) # ldap bind-dn my-dn |
|
Related Commands |
show ldap |
|
Notes |
For anonymous login, bind-dn and bind-password should be empty strings “”. |
ldap group-attribute/group-dn
ldap {group-attribute {<group-att> |member | uniqueMember} | group-dn <group-dn>} no ldap {group-attribute | group-dn} Sets the distinguished name or attribute name of a group on the LDAP server. The no form of the command resets the attribute to its default values. |
||
Syntax Description |
group-att |
Specifies a custom attribute name. |
member |
groupOfNames or group membership attribute. |
|
uniqueMember |
groupOfUniqueNames membership attribute. |
|
group-dn |
DN of group required for authorization. |
|
Default |
group-att: member group-dn: “” |
|
Configuration Mode |
config |
|
History |
3.1.0000 |
|
3.4.0000 |
Updated example |
|
Example |
switch (config) # ldap group-attribute member |
|
Related Commands |
show ldap |
|
Notes |
|
ldap nested-group-search
ldap nested-group-search no ldap nested-group-search Enable LDAP nested-group search mechanism for user-authentication group matching. The no form of the command resets the attribute to its default values. |
||
Syntax Description |
N/A |
|
Default |
Disabled |
|
Configuration Mode |
config |
|
History |
3.10.2000 |
|
Example |
switch (config) # ldap nested-group-search |
|
Related Commands |
ldap nested-group-depth ldap nested-group-count show ldap |
|
Notes |
ldap nested-group-depth
ldap nested-group-depth <1-9> no ldap nested-group-depth Sets LDAP maximum depth for nested-group search. The no form of the command resets search depth to default (3). |
||
Syntax Description |
N/A |
|
Default |
3 |
|
Configuration Mode |
config |
|
History |
3.10.2000 |
|
Example |
switch (config) # ldap nested-group-depth 6 |
|
Related Commands |
ldap nested-group-search ldap nested-group-count show ldap |
|
Notes |
ldap nested-group-count
ldap nested-group-count <1-10000> no ldap nested-group-count Sets LDAP maximum number of queried nested-groups. The no form of the command resets search depth to default (1000). |
||
Syntax Description |
N/A |
|
Default |
1000 |
|
Configuration Mode |
config |
|
History |
3.10.2000 |
|
Example |
switch (config) # ldap nested-group-count 500 |
|
Related Commands |
ldap nested-group-depth ldap nested-group-search show ldap |
|
Notes |
ldap host
ldap host <ip-address> [order <number> last] no ldap host <ip-address> Adds an LDAP server to the set of servers used for authentication. The no form of the command deletes the LDAP host. |
||
Syntax Description |
ip-address |
IPv4 or IPv6 address. |
number |
The order of the LDAP server. |
|
last |
The LDAP server will be added in the last location. |
|
Default |
No hosts configured |
|
Configuration Mode |
config |
|
History |
3.1.0000 |
|
3.4.0000 |
Updated example |
|
Example |
switch (config) # ldap host 10.10.10.10 |
|
Related Commands |
show aaa show ldap |
|
Notes |
|
ldap hostname-check enable
ldap hostname-check enable no ldap hostname-check enable Enables LDAP hostname check. The no form of the command disables LDAP hostname check. |
||
Syntax Description |
N/A |
|
Default |
No hosts configured |
|
Configuration Mode |
config |
|
History |
3.6.8008 |
|
Example |
switch (config) # ldap hostname-check enable |
|
Related Commands |
show aaa show ldap |
|
Notes |
ldap login-attribute
ldap login-attribute {<string> | uid | sAMAccountName} no ldap login-attribute Sets the attribute name which contains the login name of the user. The no form of the command resets this attribute to its default. |
||
Syntax Description |
string |
Custom attribute name. |
uid |
LDAP login name is taken from the user login username. |
|
sAMAccountName |
SAM Account name, active directory login name. |
|
Default |
sAMAccountName |
|
Configuration Mode |
config |
|
History |
3.1.0000 |
|
3.4.0000 |
Updated example |
|
Example |
switch (config) # ldap login-attribute uid |
|
Related Commands |
show aaa show ldap |
|
Notes |
ldap port
ldap port <port> no ldap port Sets the TCP port on the LDAP server to connect to for authentication. The no form of the command resets this attribute to its default value. |
||
Syntax Description |
port |
TCP port number |
Default |
389 |
|
Configuration Mode |
config |
|
History |
3.1.0000 |
|
3.4.0000 |
Updated example |
|
Example |
switch (config) # ldap port 1111 |
|
Related Commands |
show aaa show ldap |
|
Notes |
ldap referrals
ldap referrals no ldap referrals Enables LDAP referrals. The no form of the command disables LDAP referrals. |
||
Syntax Description |
N/A |
|
Default |
LDAP referrals are enabled |
|
Configuration Mode |
config |
|
History |
3.1.0000 |
|
3.4.0000 |
Updated example |
|
Example |
switch (config) # no ldap referrals |
|
Related Commands |
show aaa show ldap |
|
Notes |
Referral is the process by which an LDAP server, instead of returning a result, will return a referral (a reference) to another LDAP server which may contain further information. |
ldap scope
ldap scope <scope> no ldap scope Specifies the extent of the search in the LDAP hierarchy that the server should make when it receives an authorization request. The no form of the command resets the attribute to its default value. |
||
Syntax Description |
scope |
|
Default |
subtree |
|
Configuration Mode |
config |
|
History |
3.1.0000 |
|
3.4.0000 |
Updated example |
|
Example |
switch (config) # ldap scope subtree |
|
Related Commands |
show aaa show ldap |
|
Notes |
ldap ssl
ldap ssl {ca-list <options> | cert-verify | ciphers {all | TLS1.2} | crl-check {enable | file fetch all [vrf <vrf-name>] <path>} | mode <mode> | port <port-number>} no ldap ssl {cert-verify | ciphers | crl-check enable | mode | port} Sets SSL parameter for LDAP. The no form of the command resets the attribute to its default value. |
||
Syntax Description |
options |
This command specifies the list of supplemental certificates of authority (CAs) from the certificate configuration database that is to be used by LDAP for authentication of servers when in TLS or SSL mode. The options are:
CA certificates are ignored if “ldap ssl mode” is not configured as either “tls” or “ssl”, or if “no ldap ssl cert-verify” is configured. The default-ca-list is empty in the factory default configuration. Use the command: “crypto certificate ca-list default-ca-list name” to add trusted certificates to that list. The “default-ca-list” option requires LDAP to consult the system’s configured global default CA-list for supplemental certificates. |
cert-verify |
Enables verification of SSL/TLS server certificates. This may be required if the server's certificate is self-signed, or does not match the name of the server. |
|
ciphers {all | TLS1.2} |
Sets SSL mode to be used |
|
crl-check enable |
Enables LDAP CRL check |
|
crl-check file fetch |
Fetches CRL from remote server. CRL must be a valid PEM file unless a proper message shown. Supported formats: SCP, HTTP, HTTPS, FTP, and FTPS. |
|
mode |
Sets the security mode for connections to the LDAP server.
|
|
vrf-name |
VRF to be affected. If "vrf-name" parameter is not specified, "default" VRF will be used. |
|
port-number |
Sets the port on the LDAP server to connect to for authentication when the SSL security mode is enabled (LDAP over SSL) |
|
Default |
cert-verify—enabled mode—none (LDAP SSL is not activated) port-number—636 ciphers—all |
|
Configuration Mode |
config |
|
History |
3.1.0000 |
|
3.2.3000 |
Added ca-list argument |
|
3.4.0000 |
Added “ssl ciphers” parameter and Updated example |
|
3.6.8008 |
Added the parameter “crl-check” |
|
3.9.2000 |
Addded VRF option |
|
Example |
switch (config) # ldap ssl crl-check file fetch scp://root:pass@1.1.1.1/etc/pki/crl.pem |
|
Related Commands |
show aaa show ldap |
|
Notes |
|
ldap timeout
ldap {timeout-bind | timeout-search} <seconds> no ldap {timeout-bind | timeout-search} Sets a global communication timeout in seconds for all LDAP servers to specify the extent of the search in the LDAP hierarchy that the server should make when it receives an authorization request. The no form of the command resets the attribute to its default value. |
||
Syntax Description |
timeout-bind |
Sets the global LDAP bind timeout for all LDAP servers. |
timeout-search |
Sets the global LDAP search timeout for all LDAP servers. |
|
seconds |
Number of seconds. Range: 1-60 |
|
Default |
5 seconds |
|
Configuration Mode |
config |
|
History |
3.1.0000 |
|
3.4.0000 |
Updated example |
|
Example |
switch (config) # ldap timeout-bind 10 |
|
Related Commands |
show aaa show ldap |
|
Notes |
ldap version
ldap version <version> no ldap version Sets the LDAP version. The no form of the command resets the attribute to its default value. |
||
Syntax Description |
version |
Sets the LDAP version Available values: 2, 3 |
Default |
3 |
|
Configuration Mode |
config |
|
History |
3.1.0000 |
|
3.4.0000 |
Updated example |
|
Example |
switch (config) # ldap version 3 |
|
Related Commands |
show aaa show ldap |
|
Notes |
show ldap
show ldap Displays LDAP configurations. |
||
Syntax Description |
N/A |
|
Default |
N/A |
|
Configuration Mode |
Any command mode |
|
History |
3.1.0000 |
|
3.4.0000 |
Updated example |
|
3.6.8008 |
Updated example |
|
3.10.2000 |
Updated example to reflect the following added fields: "Nested-group search," "nested-group search depth," and "nested-search maximum group count" |
|
Example |
switch (config) # show ldap |
|
Related Commands |
show aaa show ldap |
|
Notes |
show ldap crl
show ldap crl Displays current CRL configured by the user. |
||
Syntax Description |
N/A |
|
Default |
N/A |
|
Configuration Mode |
Any command mode |
|
History |
3.6.8008 |
|
Example |
switch (config) # show ldap crl |
|
Related Commands |
show aaa show ldap |
|
Notes |
system secure-mode enable
system secure-mode enable no system secure-mode enable Enables secure mode on the switch. The no form of the command disables secure mode. |
||
Syntax Description |
N/A |
|
Default |
Disabled |
|
Configuration Mode |
config |
|
History |
3.5.0200 3.10.2000: Added note |
|
Example |
switch (config) # system secure-mode enable |
|
Related Commands |
user <username> password <password> ssh server min-version ssh server security strict snmp-server user no neighbor <ip-address> password ntp server disable ntp server keyID router bgp neighbor password router bgp peer-group password |
|
Notes |
|
show system secure-mode
show system secure-mode Displays the security mode of the switch system. |
||
Syntax Description |
N/A |
|
Default |
N/A |
|
Configuration Mode |
Any command mode |
|
History |
3.4.2300 |
|
Example |
switch (config) # show system secure-mode |
|
Related Commands |
system secure-mode enable |
|
Notes |
|