Use the aaa authentication login Global Configuration mode command to set one or more authentication methods to be applied during login. Use the no form of this command to restore the default authentication method.

Syntax

aaa authentication login [authorization] {default | list-name} method1 [method2...]

no aaa authentication login {default | list-name}

Parameters

• authorization—Specifies that authentication and authorization are applied to the given list. If the keyword is not configured, then only authentication is applied to the given list.

• default—Uses the authentication methods that follow this argument as the default method list when a user logs in (this list is unnamed).

• list-name—Specifies a name of a list of authentication methods activated when a user logs in. (Length: 1–12 characters)

• method1 [method2...]—Specifies a list of methods that the authentication algorithm tries (in the given sequence). Each additional authentication method is used only if the previous method returns an error, not if it fails. To ensure that the authentication succeeds even if all methods return an error, specify none as the final method in the command line. Select one or more methods from the following list::

Default Configuration

If no methods are specified, the default are the locally-defined users and passwords. This is the same as entering the command aaa authentication login local.

Command Mode

Global Configuration mode

User Guidelines

Create a list of authentication methods by entering this command with the list-name parameter where list-name is any character string. The method arguments identifies the list of methods that the authentication algorithm tries, in the given sequence.

Note	If authorization is enabled for login and the switch receives from a TACACS+ server user level 15, then the enable command is not required and if received level 1 the enable command is required.

The no aaa authentication login list-name command deletes a list-name only if it has not been referenced by another command.

Example

The following example sets the authentication login methods for the console.

switchxxxxxx(config)# aaa authentication login authen-list radius local none
switchxxxxxx(config)# line console
switchxxxxxx(config-line)# login authentication authen-list

The aaa authentication enable Global Configuration mode command sets one or more authentication methods for accessing higher privilege levels. To restore the default authentication method, use the no form of this command.

Syntax

aaa authentication enable [authorization] {default | list-name} method [method2...]}

no aaa authentication enable {default | list-name}

Parameters

• authorization—Specifies that authentication and authorization are applied to the given list. If the keyword is not configured, then only authentication is applied to the given list.

• default—Uses the listed authentication methods that follow this argument as the default method list, when accessing higher privilege levels.

• list-name —Specifies a name for the list of authentication methods activated when a user accesses higher privilege levels. (Length: 1–12 characters)

• method [method2...]—Specifies a list of methods that the authentication algorithm tries, in the given sequence. The additional authentication methods are used only if the previous method returns an error, not if it fails. Specify none as the final method in the command line to ensure that the authentication succeeds, even if all methods return an error. Select one or more methods from the following list:

Default Configuration

No Authentication lists exist by default.

Command Mode

Global Configuration mode

User Guidelines

Create a list by entering the aaa authentication enable list-name method1 [method2...] command where list-name is any character string used to name this list. The method argument identifies the list of methods that the authentication algorithm tries, in the given sequence.

All aaa authentication enable requests sent by the device to a RADIUS server include the username $enabx$, where x is the requested privilege level.

The additional methods of authentication are used only if the previous method returns an error, not if it fails. Specify none as the final method in the command line to ensure that the authentication succeeds even if all methods return an error.

no aaa authentication enable list-name deletes list-name if it has not been referenced.

Example

The following example sets the enable password for authentication for accessing higher privilege levels.

switchxxxxxx(config)# aaa authentication enable enable-list radius none
switchxxxxxx(config)# line console
switchxxxxxx(config-line)# enable authentication enable-list

The login authentication Line Configuration mode command specifies the login authentication method list for a remote Telnet or console session. Use the no form of this command to restore the default authentication method.

Syntax

login authentication {default | list-name}

no login authentication

Parameters

• default—Uses the default list created with the aaa authentication login command.

• list-name—Uses the specified list created with the aaa authentication login command.

Default Configuration

default

Command Mode

Line Configuration Mode

The enable authentication Line Configuration mode command specifies the authentication method for accessing a higher privilege level from a remote Telnet or console. Use the no form of this command to restore the default authentication method.

Syntax

enable authentication {default | list-name}

no enable authentication

Parameters

• default—Uses the default list created with the aaa authentication enable command.

• list-name—Uses the specified list created with the aaa authentication enable command.

Default Configuration

default.

Command Mode

Line Configuration Mode

The ip http authentication Global Configuration mode command specifies authentication methods for HTTP server access. Use the no form of this command to restore the default authentication method.

Syntax

ip http authentication aaa login-authentication [login-authorization] method1 [method2...]

no ip http authentication aaa login-authentication

Parameters

• login-authorization—Specifies that authentication and authorization are applied. If the keyword is not configured, then only authentication is applied.

• method [method2...]—Specifies a list of methods that the authentication algorithm tries, in the given sequence. The additional authentication methods are used only if the previous method returns an error, not if it fails. Specify none as the final method in the command line to ensure that the authentication succeeds, even if all methods return an error. Select one or more methods from the following list:

Default Configuration

The local user database is the default authentication login method. This is the same as entering the ip http authentication local command.

Command Mode

Global Configuration mode

User Guidelines

The command is relevant for HTTP and HTTPS server users.

Example

The following example specifies the HTTP access authentication methods.

switchxxxxxx(config)# ip http authentication aaa login-authentication radius local none

The show authentication methods Privileged EXEC mode command displays information about the authentication methods.

Syntax

show authentication methods

Command Mode

Privileged EXEC mode

Example

The following example displays the authentication configuration:

switchxxxxxx# show

authentication methods
Login Authentication Method Lists
---------------------------------
Default: Radius, Local, Line
Consl_Login(with authorization): Line, None
Enable Authentication Method Lists
----------------------------------
Default: Radius, Enable
Consl_Enable(with authorization): Enable, None

.

HTTP, HHTPS: Radius, local
Dot1x: Radius

Use the aaa authorization commands Global Configuration mode command to create a method list that can be used for command authorization, use the no command to delete a method list.

Syntax

aaa authorization commands {default | list-name} method [method2...]}

no aaa authorization commands {default | list-name}

Parameters

• privilege-level - specifies the privilege level of the commands that the authorization list will address:

  • 1 – Defines a commands authorization method list for level 1 commands.

  • 7 - Defines a commands authorization method list for level 7 commands.

  • 15 - Defines a commands authorization method list for level 15 commands.

• {default | Uses the listed commands authorization methods that follow this argument as the default method list.

• list-name: Specifies a name for the list of commands authorization methods. (Length:1–20 characters)

• method [method2...]—Specifies a list of methods that the commands authorization algorithm tries, in the given sequence. The additional authorization methods are used only if the previous method is not active, not if it rejected a command. Select one or more methods from the following list:

  Keyword	Description
  none	Commands authorization is not required.This method is usually used as a fall back if the previous methods are not reachable
  if-authenticated	Specifies that the commands of the specific level are authorized if the user has been authenticated to that level. This method is usually used as fall back if the previous methods are not reachable.
  local	Specifies that the local database should be used for commands authorization. This method is usually used as a fall back if the previous methods are not reachable.
  tacacs	Uses the list of all TACACS+ servers for commands authorization.

Default Configuration

The Default method list exists, using none as the only method

Command Mode

Global configuration mode

User Guidelines

Use the aaa authorization commands command to specify a method list for authorizing commands executed by the user. If the method list includes more than one method, then the methods are used in the order specified in the command. A secondary method will be used only if the previous method is un-reachable.

Command authorization will not be applied to a configuration mode command unless the aaa authorization config-commands is also configured on the device.

Use the no form of the command to return the default method list to its default (none is the only method), or to delete a named method list that was created by the user.

If local is defined as a method the commands will be authorized based on the credentials provided by the user and according to their privilege level. This means that a level 1 user will be able to execute all of the level 1 commands and a level 15 user will be able to execute all of the level 15 commands. If the credentials used for login are not part of the local database then execution for all of the commands will fail. This method is usually used as a backup in case the main method (for example tacacs) is not reachable. It prevents command execution lockout in this case.

The none and if-authenticated are also used usually as backup method. If none is defined as a method – then the commands will always be authorized. The if-authenticated method functionality is similar to the none method functionality. However if the user did not provide any credentials when login in (for example authentication and authorization method list were none), then if none is defined as a command authorization list all commands will be authorized, and if the if-authenticated method is used all commands will be denied (since the user was not authenticated).

In order to activate a method list it needs to be applied to a management interface (console, SSH or telnet) using the authorization commands line configuration mode command.

Example

The following example configures an authorization method list for level 15 commands. The authorization requests are sent to the list of the TACACS+ servers. If the TACACS+ servers do not respond, then the commands are still authorized (due to the none method).

switchxxxxxx(config)# aaa authorization commands 15 auth_commands15 tacacs
none

Use the aaa authorization config-commands to define that configuration commands require authorization. Use the no form of the command to return to default settings.

Syntax

aaa authorization config-commands

no aaa authorization config-commands

Parameters

N/A

Default

By default, configuration mode commands do not require authorization.

User Guidelines

This command is used to define that configuration commands require authorization. If the aaa authorization config-commands command is not configured then configuration commands do not require authorization, even if the aaa authorization commands command was defined.

If the aaa authorization config-commands command configured then also configuration commands require authorization. The configuration commands will be authorized using the active level 15 or level 7 method list.

Example

The following example enables command authorization for Configuration mode CLI commands.

switchxxxxxx(config)# aaa authorization config-commands

Use the aaa authorization console global mode command to activate Command Authorization method list that were applied to the console interface. Use the no form of the command to de-activate methods applied to the console interface.

Syntax

aaa authorization console

no aaa authorization console

Parameters

N/A

Default

Command Authorization method list that were applied to the console interface are not active.

Command Mode

Global Configuration mode

User Guidelines

Use the aaa authorization console command to activate Command Authorization method list that were applied to the console interface. Without this command methods that were applied to the console interface (command ) will be part of the device configuration but will not be active.

Use the no to de-activate Command Authorization method list that were applied to the console management interface.

Example

The following example enables commands authorization for commands that were configured in the console management interface.

switchxxxxxx(config)# aaa authorization console

The authorization commands Line Configuration Mode command enables a commands authorization method list for a management line. Use the no form of this command to restore the default commands authorization method list.

Syntax

authorization commands privilege-level {default| list-name}

no authorization commands

Parameters

• privilege-level - specifies the privilege level of the commands that the authorization list will address:

  • 1 – Defines a commands authorization method list for level 1 commands.

  • 7 - Defines a commands authorization method list for level 7 commands.

  • 15 - Defines a commands authorization method list for level 15 commands.

• {default | Applies the default list defined with the command aaa authorization commands.

• list-name: Applies the specified named list created with the commands aaa authorization methods.

Default Configuration

The default method list is applied to each of the command levels.

Command Mode

Line Configuration Mode

User Guidelines

Use the command authorization commands to enable a commands authorization method list to a management line (console, telnet or SSH). The commands authorization method list are enabled per command level. A named authorization list can be specified only if it was previously created using the command aaa authorization commands.

Use the command no authorization commands to remove a named method list and enable the default method list for the level that was specified in the command.

Command authorization method list applied to the console interface will be active only after the command aaa authorization console is configured. If a method list is applied to the console interface and the command aaa authorization console is not configured, the command will be accepted but the following notification will be displayed: “Authorization without the global command 'aaa authorization console' is useless”

Examples

Example 1 - The following example enables the defau

switchxxxxxx(config)# line console
switchxxxxxx(config-line)# authorization commands 1 default

Example 2 - The following example enables the auth_comm15 commands authorization named list for the level 15 command configured on the console interface.

switchxxxxxx(config)# line console
switchxxxxxx(config-line)# authorization commands 15 auth_comm15

Use the show authorization methods Privileged EXEC mode command to display the Command Authorization methods and the management interfaces to which they were applied.

Syntax

show authorization methods

Parameters

N/A

Default Configuration

N/A

Command Mode

Privileged EXEC mode

Example

The following example displays the commands authorization configuration:

switchxxxxxx# show authorization methods
commands level 1 Authorization Method Lists
----------------------------------
Default :  None
commands level 7 Authorization Method Lists
----------------------------------
Default : None
commands level 15 Authorization Method Lists
----------------------------------
Default :  None
comAuth15 : Tacacs none
Console Authorization: disabled
Configuration Authorization: disabled
Line Commands level 1 Commands level 7 Commands level 15
Method List Method List Method List
------- ----------------- ---------------- ------------------
Console Default comAuth7 Default
Telnet comAuth1 Default Default
SSH Default Default comAuth15

Use the login delay Global Configuration mode command to configure a delay in device response to a failed login attempts. Use the no form of this command to return to the default setting.

Syntax

login delay seconds

no login delay

Parameters

• seconds - The delay (in seconds) that is imposed between failed login attempts (range 1-10 seconds).

Default Configuration

By default, login delay is disabled.

Command Mode

By default, login delay is disabled.

User Guidelines

The login delay command introduces a delay in device response following a failed login attempt (HTTP, HTTPS, Telnet, SSH and SNMP). The delay provides better protection from possible dictionary attacks.

Examples

Example 1 - The following example sets a delay of 5 seconds following a failed login attempt:

switchxxxxxx(config)# login delay 5

Use the login quiet-mode access-class Global Configuration mode command to to specify a management access control list (MACL) that will be applied when the device transitions to the login quiet-mode. Use the no form of this command to return to the default setting.

Syntax

login quiet-mode access-class name

no login quiet-mode access-class

Parameters

• name – the name of the management ACL to apply on the device while in login quiet mode.

Default Configuration

By default, the "console-only" management access list is applied as the default quiet-mode access-class. For devices that do not support console - the quiet-mode access-class has no default.

Command Mode

Global configuration mode.

User Guidelines

Use the login quiet-mode access-class command to allow selective hosts access to the device management during a login quiet period. Access is allowed based on the specified Management ACL. The management access list needs to be created prior to configuring this command using the management access-list command.

This settings provides the ability to grant access to a client or list of clients even during a quiet-mode period. On devices that support a console connection the "console-only" management access-list is applied by default during a quiet-mode period, meaning all network login connections (telnet, SSH, SNMP, HTTP, HTTPS) are denied, while a connection from the console is allowed. On devices that do not support a console there is no default access-class and the login block-for command cannot be configured if user did not first define a quiet-mode access-class.

The command is rejected if it is configured during a quiet-mode period.

The no form of the command returns quiet-mode access-class to the default setting. On devices without a console the no command cannot be applied if login block-for command is configured.

Examples

Example 1 - The following example shows how to configure the device to accept connection during quiet mode period based on quiet-acl management access list:

switchxxxxxx(config)# login quiet-mode access-class quiet-acl

Use the following privileged exec mode command to display login setting and status:

Syntax

show login

Parameters

N/A

Default Configuration

N/A

Command Mode

Privileged EXEC mode

User Guidelines

This command displays setting and status related to commands login delay, Login block-for and login quiet-mode access-class.

Examples

Example 1 - The following example shows output if no login settings have been applied or changed:

switchxxxxxx# show login
Login delay: disabled
Login Attacks watch: disabled
Quiet-Mode access list: console-only (the default)

Example 2 - The following example shows the show login command output where the user set the login delay to 5 seconds, configured a login block period and the device is not in quiet-mode:

switchxxxxxx# show login
Login delay: 5 second
Login Attacks watch: enabled
If more than 4 login failures occur in 60 seconds or less, logins will be disabled for 60 seconds.
Quiet-Mode access list: console-only (the default)
Quiet-Mode: inactive
Watch Window remaining time: 44 seconds.
Present login failure count: 3.

Note	Login failure count is counted from the earliest failed login that is still valid (within a watching windows)

Example 3 - The following example shows output where user set login delay to 5 seconds, configured a login block period and device is in quiet mode:

switchxxxxxx# show login
Login delay: 5 second
Login Attacks watch: enabled
If more than 4 login failures occur in 60 seconds or less, logins will be disabled for 60 seconds.
Quiet-Mode access list: console-only (the default)
Quiet-Mode: active (time remaining: 20 seconds)

Use the following privileged exec mode command to display information on failed login attempts:

Syntax

Show login failures

Parameters

NA

Default Configuration

NA

Command Mode

Privileged EXEC mode

User Guidelines

This command displays information on last 50 failed login attempts. Information includes the username provided in the failed attempt (if provided as part of attempt), source IP used in failed attempt, service requested in the failed attempt, the number of failed attempts for this connection and the time stamp of last failed attempt for this connection. Entries are sorted from the newest time stamp to the oldest.

Examples

switchxxxxxx#  show login failures  

Information about last 50 login failure's with the device.

Use the following privileged exec mode command to clear login failure database:

Syntax

clear login failures

Parameters

NA

Default Configuration

NA

Command Mode

Privileged EXEC mode

User Guidelines

Use this command to clear all entries in login failure database (command show login failures).

Examples

switchxxxxxx#  clear login failures 

Use the following privileged exec mode command to immediately terminate an active quiet-mode period:

Syntax

clear login quiet-mode

Parameters

NA

Default Configuration

NA

Command Mode

Privileged EXEC mode

User Guidelines

Use this command to terminate an active quiet-period, without disabling the feature (command login block-for). Quiet mode period will be terminated even if the quiet mode period timer did not expire.

Examples

switchxxxxxx#  clear login quiet-mode
11-Aug-2021 10:33:12 :%ABC-I-XXX: Quiet-Mode is OFF, terminated by user

Use the password Line Configuration mode command to specify a password on a line (also known as an access method, such as a console or Telnet). Use the no form of this command to return to the default password.

Syntax

password {unencrypted-password [method hash-method] | encrypted-password encrypted}

password generate-password [method hash-method]

no password

Parameters

• unencrypted-password—The authentication password for the user. (Range: 1–64)

• [method hash-method] — (optional) specifies the method used for encrypting the clear-text password. Supported values:

  • sha512 - PBKDF2 encryption with HMAC using the SHA512 as the underlying Hashing Algorithm. This is the default method if the method parameter is not specified.

• encrypted encrypted-password—Specifies that the password is encrypted and hashed using a salt. Use this keyword to enter a password that is already encrypted (for instance, a password that was copied from the configuration file of another device). The encrypted-password is specified in the format of $<type>$<salt>$<encrypted-password >, where:

  • <type> - is an integer value that indicates the type of hash algorithm used to generate the hash

  • <salt> - The base64 encoding of the 96 bits used for salt (length – 16 bytes)

  • <encrypted-password> - The base64 encoding of the encrypted hash output (length - 86 bytes)

Default Configuration

No password is defined.

Command Mode

Line Configuration Mode

User Guidelines

The unencrypted-password must comply to password complexity requirements.

If the generate-password option is selected, the user does not need to input a password. Instead, the device will automatically generate a random based password suggestion. This suggestion will be displayed to the user, and the user will be presented with an option to accept or reject the proposed password. If user selected to accept the proposed password, then the specified username with this password (in encrypted format) will be added to device configuration file. If user rejects the proposed password then a new command needs to be entered by the user.

Example

Example 1 -The following example specifies the password ‘secreT123!’ on the console line.

switchxxxxxx(config)# line console
switchxxxxxx(config-line)# password secreT123!

Example 2 - The command in this example includes the generate-password key word. in this case the device will propose a randomly generated password to be used. in the example below the user selects to accept the proposed password.

switchxxxxxx(config)# line console
switchxxxxxx(config-line)# password generate-password
Generated password: aBgrT9!59Hq$
Accept generated password (y/n) [Y] y
“Configuration and password are added to device configuration. Please Note
password for future use.”

Example 3 - The command in this example includes the generate-password key word. in this case the device will propose a randomly generated password to be used. in the example below the user selects to reject the proposed password.

switchxxxxxx(config)# line console
switchxxxxxx(config-line)# password generate-password
Generated password: aBgrT9!59Hq$
Accept generated password (y/n) [Y] n
“Auto generated password rejected by user. Password configuration is not added to
device configuration”

Use the enable password Global Configuration mode command to set a local password to control access to normal and privilege levels. Use the no form of this command to return to the default password.

Syntax

enable password [level privilege-level] {[method hash-method] unencrypted-password | encrypted encrypted-password}

enable [level privilege-level] [method hash-method] generate-password

enable masked-secret [level privilege-level] [method hash-method]

no enable password [level privilege-level]

Parameters

• level privilege-level—Level for which the password applies. If not specified, the level is 15. (Range: 1–15)

• [method hash-method] — (optional) specifies the method used for encrypting the clear-text password. Supported values:

  • sha512 - PBKDF2 encryption with HMAC using the SHA512 as the underlying Hashing Algorithm. This is the default method if the method parameter is not specified.

• unencrypted-password—Password for this level. (Range: 0–159 chars)

• encrypted encrypted-password—Specifies that the password is encrypted and hashed using a salt. Use this keyword to enter a password that is already encrypted (for instance, a password that was copied from the configuration file of another device). The encrypted-password is specified in the format of $<type>$<salt>$<encrypted-password >, where:

  • <type> - is an integer value that indicates the type of hash algorithm used to generate the hash

  • <salt> - The base64 encoding of the 96 bits used for salt (length – 16 bytes)

  • <encrypted-password> - The base64 encoding of the encrypted hash output (length - 86 bytes)

Default Configuration

Default for level is 15.

Command Mode

Global Configuration mode

User Guidelines

The unencrypted-password must comply to password complexity requirements.

Note

The password complexity rules are as follows: Minimal password length is 8 characters by default. Passwords are configurable with a range of 8-64. Character Repetition: A character cannot be repeated consecutively. The maximum number of repetition allowed is 3 by default. Minimum number of character classes: The number of different character classes that must be included in the password (classes are: uppercase letter, lowercase letter, number and special character). The minimum number is 3 by default and is configurable to 0-4 (0 and 1 are functionally identical). Any password established or altered by the user (hence "Secret") is compared to a list of common passwords. SecLists/Password Common Credentials If the secret contains a word from the list, the user will receive the following error message and will need to re-enter an alternative password: "Password rejected- Passwords must not match words in the dictionary, and must not contain commonly used passwords". Sequential characters – The password MUST NOT contain more than 2 sequential characters or numbers, or the reverse value of these sequences. Restriction also includes letters that are replaced with other characters, as follows: "$" for "s", "@" for "a", "0" for "o", "1" for "l", "!" for "i", "3" for "e". Examples for prohibited passwords: “efg123!$”, “abcd765%”, “kji!$378”, qr$58!230. Sequential letters are prohibited in any case combination (e.g. AbC or aBC). Context specific words (project and vendor name) – The password MUST NOT contain the username or the words “cisco” , "catalyst" or derivatives of such. This restriction includes these words reversed or in any case. Restriction also includes letters that are replaced with other characters, as follows: "$" for "s", "@" for "a", "0" for "o", "1" for "l", "!" for "i", "3" for "e", is not permitted. For example, C!$c0678! is not permitted. Known passwords are not allowed as passwords

When the administrator configures a new enable password, this password is encrypted automatically and saved to the configuration file. No matter how the password was entered, it appears in the configuration file with the keyword encrypted and the encrypted value. The administrator is required to use the encrypted keyword only when actually entering an encrypted keyword.

If the administrator wants to manually copy a password that was configured on one switch (for instance, switch B) to another switch (for instance, switch A), the administrator must add encrypted in front of this encrypted password when entering the enable command in switch A. In this way, the two switches will have the same password.

The administrator is required to use the encrypted keyword only when actually entering an encrypted keyword.

If the generate-password option is used, instead of entering a password the user will be presented with a randomly generated password suggestion. This suggestion will comply with all current password strength settings

The user will be given the choice to accept or reject the proposed password. If the user elects to accept the password, then this password will be added for the configured enable level (in encrypted format) in the configuration file.

If the user rejects the password suggestion, the command will need to be entered again to configure this enable level.

Example

Example 1 - The command sets a password that has already been encrypted. It will be copied to the configuration file just as it is entered. To login to device using this password, the user must know its unencrypted form.

switchxxxxxx(config)# enable password encrypted $15$TqKC13RgV/QJb2Ma$4JmeD7wgRGH2iwGKMM+g4M53uQxpOMlhkUN56UMAEUuMqhw0bsRH27zakc7
2hLxt/YhEknPA6LX7fTgqwZn6Vw==

Example 2 - The command sets an unencrypted password for level 1 (it will be encrypted in the configuration file).

switchxxxxxx(config)# enable password level 1 let-me-In

Example 3 - The command in this example includes the generate-password key word. in this case the device will propose a randomly generated password to be used. in the example below the user selects to accept the proposed password.

switchxxxxxx(config)# enable password generate-password
Generated password: aBgrT9!59Hq$
Accept generated password (y/n) [Y] y
“Configuration and password are added to device configuration. Please Note
password for future use”

Example 4 - The command in this example includes the generate-password key word. in this case the device will propose a randomly generated password to be used. in the example below the user selects to rejects the proposed password.

switchxxxxxx(config)# enable password generate-password
Generated password: aBgrT9!59Hq$
Accept generated password (y/n) [Y] n
“Auto generated password rejected by user. Password configuration is not added to
device configuration”

Use the service password-recovery Global Configuration mode command to enable the password-recovery mechanism. This mechanism allows an end user, with physical access to the console port of the device, to enter the boot menu and trigger the password recovery process. Use the no service password-recovery command to disable the password-recovery mechanism. When the password-recovery mechanism is disabled, accessing the boot menu is still allowed and the user can trigger the password recovery process. The difference is, that in this case, all the configuration files and all the user files are removed. The following log message is generated to the terminal: “All the configuration and user files were removed”.

Syntax

service password-recovery

no service password-recovery

Default Configuration

The service password recovery is enabled by default.

Command Mode

Global Configuration mode

User Guidelines

• If password recovery is enabled, the user can access the boot menu and trigger the password recovery in the boot menu. All configuration files and user files are kept.

• If password recovery is disabled, the user can access the boot menu and trigger the password recovery in the boot menu. The configuration files and user files are removed.

• If a device is configured to protect its sensitive data with a user-defined passphrase for (Secure Sensitive Data), then the user cannot trigger the password recovery from the boot menu even if password recovery is enabled.

Use the username Global Configuration mode command to create or edit a username based user authentication account. Use the no form to remove a user account.

Syntax

username name {[method hash-method] password {unencrypted-password | {encrypted encrypted-password}} | {privilege privilege-level {[method hash-method] unencrypted-password | {encrypted encrypted-password}}}}

username name {[method hash-method] generate-password | {privilege privilege-level{[method hash-method] generate-password}

username name {[method hash-method] masked-secret | {privilege privilege-level {[method hash-method] masked-secret}

no username name

Parameters

• name—The name of the user. (Range: 1–20 characters)

• [method hash-method] — (optional) specifies the method used for encrypting the clear-text password. Supported values:

  • sha512 - PBKDF2 encryption with HMAC using the SHA512 as the underlying Hashing Algorithm. This is the default method if the method parameter is not specified.

• password—Specifies the password for this username.

• unencrypted-password—The authentication password for the user. (Range: 1–64)

• encrypted encrypted-password—Specifies that the password is encrypted and hashed using a salt. Use this keyword to enter a password that is already encrypted (for instance, a password that was copied from the configuration file of another device). The encrypted-password is specified in the format of $<type>$<salt>$<encrypted-password >, where:

  • <type> - is an integer value that indicates the type of hash algorithm used to generate the hash.

  • <salt> - The base64 encoding of the 96 bits used for salt (length – 16 bytes)

  • <encrypted-password> - The base64 encoding of the encrypted hash output (length - 86 bytes)

• generate-password - The device automatically generates a random based password suggestion. The user has an option to accept or reject the proposed password.

• privilege privilege-level —User account privilege level. If not specified the level is 1. (Range: 1–15).

Default Configuration

No user is defined.

Command Mode

Global Configuration mode

Example

Example 1- Sets an unencrypted password for user tom (level 15). It will be encrypted in the configuration file.

switchxxxxxx(config)# username tom password 1234Ab$5678

Example 2 - Sets a password for user jerry (level 15) that has already been encrypted. It will be copied to the configuration file just as it is entered. To use it, the user must know its unencrypted form.

switchxxxxxx(config)# username jerry privilege 15 encrypted 
$15$TqKC13RgV/QJb2Ma$4JmeD7wgRGH2iwGKMM+g4M53uQxpOMlhkUN56UMAEUuMqhw0bsRH27zakc72hLxt/YhEknPA6LX7fTgqwZn6Vw==

Example 3 - The command in this example includes the generate-password key word. in this case the device will propose a randomly generated password to be used. in the example below the user selects to accept the proposed password.

switchxxxxxx(config)# username tom generate-password privilege 15
Generated password: aBgrT9!59Hq$
Accept generated password (y/n) [Y] y
“Configuration and password are added to device configuration. Please Note
password for future use.”

Example 4 - The command in this example includes the generate-password key word. in this case the device will propose a randomly generated password to be used. in the example below the user selects to reject the proposed password.

switchxxxxxx(config)# username tom generate-password privilege 15
Generated password: aBgrT9!59Hq$
Accept generated password (y/n) [Y] n
“Auto generated password rejected by user. Password configuration is not added to
device configuration.”

The show users accounts Privileged EXEC mode command displays information about the users local database.

Syntax

show users accounts

Command Mode

Privileged EXEC mode

Example

The following example displays information about the users local database:

The following table describes the significant fields shown in the display:

Use the passwords complexity keyboard-pattern Global Configuration mode command to enable QWERTY keyboard pattern related restriction as part of password complexity settings.

Use the no form of the command to disable the QWERTY keyboard pattern related restriction.

Syntax

passwords complexity keyboard-pattern

no passwords complexity keyboard-pattern

Parameters

N/A

Default Configuration

Keyboard-pattern Password complexity setting is Disabled by default.

Command Mode

Global Configuration mode

User Guidelines

Use the passwords complexity keyboard-pattern command to define that a password cannot contain more than 3 consecutive characters on a QWERTY keyboard. The restriction applies only to letters and numbers on the keyboard and not to symbols. Both forward and reverse character sequences are prohibited.

The restriction is applied to the password defined using one of the following command:

• username

• enable password

• password

Example

The following example enables the key-board-pattern based password restriction.

switchxxxxxx(config)# passwords complexity keyboard-pattern

Use the aaa accounting login start-stop command in Global Configuration mode to enable accounting of device management sessions. Use the no form of this command to disable accounting.

Syntax

aaa accounting login start-stop group {radius | tacacs+}

no aaa accounting login start-stop

Parameters

• group radius—Uses a RADIUS server for accounting.

• group tacacs+—Uses a TACACS+ server for accounting.

Default Configuration

Disabled

Command Mode

Global Configuration mode

User Guidelines

This command enables the recording of device management sessions (Telnet, serial and WEB but not SNMP).

It records only users that were identified with a username (e.g. a user that was logged in with a line password is not recorded).

If accounting is activated, the device sends a “start”/“stop” messages to a RADIUS server when a user logs in / logs out respectively.

The device uses the configured priorities of the available RADIUS/TACACS+ servers in order to select the RADIUS/TACACS+ server.

The following table describes the supported RADIUS accounting attributes values, and in which messages they are sent by the switch.

The following table describes the supported TACACS+ accounting arguments and in which messages they are sent by the switch.

Example

switchxxxxxx(config)# aaa accounting login start-stop group radius

To enable accounting of 802.1x sessions, use the aaa accounting dot1x Global Configuration mode command. Use the no form of this command to disable accounting.

Syntax

aaa accounting dot1x start-stop group radius

no aaa accounting dot1x start-stop group radius

Default Configuration

Disabled

Command Mode

Global Configuration mode

User Guidelines

This command enables the recording of 802.1x sessions.

If accounting is activated, the device sends start/stop messages to a RADIUS server when a user logs in / logs out to the network, respectively. The device uses the configured priorities of the available RADIUS servers in order to select the RADIUS server.

If a new supplicant replaces an old supplicant (even if the port state remains authorized), the software sends a stop message for the old supplicant and a start message for the new supplicant.

In multiple sessions mode (dot1x multiple-hosts authentication), the software sends start/stop messages for each authenticated supplicant.

In multiple hosts mode (dot1x multiple-hosts), the software sends start/stop messages only for the supplicant that has been authenticated. The software does not send start/stop messages if the port is force-authorized.

The software does not send start/stop messages for hosts that are sending traffic on the guest VLAN or on the unauthenticated VLANs.

The following table describes the supported Radius accounting Attributes Values and when they are sent by the switch.

Example

switchxxxxxx(config)# aaa accounting dot1x start-stop group radius

To enable sending periodic interim accounting updates and to set the interval between the updates, use the aaa accounting update periodic Global Configuration mode command. Use the no form of this command to disable accounting periodic updates.

Syntax

aaa accounting update periodic minutes

no aaa accounting update periodic

Parameters

• minutes - The interval, in minutes, between the periodic accounting updates (Range: 1-65535 minutes)

Default Configuration

Periodic updates are disabled

Command Mode

Global Configuration mode

User Guidelines

If accounting periodic updates are enabled an accounting Interim-Update packet will be sent periodically for each 802.1x or login session, in an interval defined in this command.

If the Access-Accept sent by the RADIUS server includes the Acct-Interim-Interval attribute (type 85), then the actual interval between updates will be set to the larger value between the interval configured in this command and the value that is included in the attribute.

Example

In the following example, periodic accounting updates are enabled and the interval between the updates is set to 5 minutes:

switchxxxxxx(config)# aaa accounting update periodic 5

The show accounting EXEC mode command displays information as to which type of accounting is enabled on the switch.

Syntax

show accounting

Command Mode

User EXEC mode

Example

The following example displays information about the accounting status.

switchxxxxxx# show accounting
Login: Radius
802.1x: Disabled

Use the passwords complexity Global Configuration mode commands to control the minimum requirements from a password when password complexity is enabled. Use the no form of these commands to return to default.

Syntax

passwords complexity {min-length number} | {min-classes number} | {no-repeat number} | not-current | not-username | not-manufacturer-name

no passwords complexity min-length | min-classes | no-repeat | not-current | not-username | not-manufacturer-name

Parameters

• min-length number—Sets the minimal length of the password. (Range: 8–64)

• min-classes number—Sets the minimal character classes (uppercase letters, lowercase letters, numbers, and special characters available on a standard keyboard). (Range: 1–4)

• no-repeat number—Specifies the maximum number of characters in the new password that can be repeated consecutively. (Range: 1–16)

• not-current—Specifies that the new password cannot be the same as the current password.

• not-username—Specifies that the password cannot repeat or reverse the user name or any variant reached by changing the case of the characters.

• not-manufacturer-name—Specifies that the password cannot repeat or reverse the manufacturer’s name or any variant reached by changing the case of the characters.

Note	The only usable keywords are "min-classes", "min-length", and "no-repeat": Passwords complexity keyboard-pattern Passwords complexity min-classes <1-4> Passwords complexity min-length <8-64> Passwords complexity no-repeat <1-16>

Default Configuration

The minimal length is 8.

The number of classes is 3.

The default for no-repeat is 3.

All the other controls are enabled by default.

Command Mode

Global Configuration mode

Example

The following example configures the minimal required password length to 10 characters.

switchxxxxxx(config)# passwords complexity min-length 10

Use the passwords aging Global Configuration mode command to enforce password aging. Use the no form of this command to return to default.

Syntax

passwords aging days

no passwords aging

Parameters

• days—Specifies the number of days before a password change is forced. You can use 0 to disable aging. (Range: 0–365).

Default Configuration

Password aging is disabled by default.

Command Mode

Global Configuration mode

User Guidelines

The password aging setting is relevant to local database users, enable passwords and line passwords.

If password aging is enabled, when a user logs into the device within the 10 days preceding the password expiration date, a warning will be displayed alerting the user that the password will expire soon. The user is granted access to the device without changing the password. At this stage it is the user’s responsibility to change the password before the expiration date.

Is the user logs into the device after the password expiration date, they are prompted to enter a new password and are not allowed access to the device management until a new password has been configured.

To disable password aging, use passwords aging 0.

Example

The following example configures the aging time to be 24 days.

witchxxxxxx(config)# passwords aging 24

The passwords complexity history Global Configuration mode command configures the number of password changes required before a password can be reused. Use the no form of this command to return to the default setting

Syntax

passwords complexity history number

no passwords complexity history

Parameters

number—Specifies the number of password changes required before a password can be reused. (Range: 3–12).

Default Configuration

By default the number of passwords changes that are needed before password reuse is 12.

Command Mode

Global configuration mode.

User Guidelines

The setting is relevant to local users’ passwords, line passwords and enable passwords.

The local user history is maintained for users up to the number of local users supported on the device.

Password history is not checked during a configuration download.

The password history is kept even if the password history check is disabled.

Example

The following example sets the number of password changes required before a password can be reused to 10.

switchxxxxxx(config)# passwords complexity history 10

The aaa login-history file Global Configuration mode command enables writing to the login history file. Use the no form of this command to disable writing to the login history file.

Syntax

aaa login-history file

no aaa login-history file

Default Configuration

Writing to the login history file is enabled.

Command Mode

Global Configuration mode.

User Guidelines

The login history is stored in the device internal buffer.

Example

The following example enables writing to the login history file.

switchxxxxxx(config)# aaa login-history file

The show passwords configuration Privileged EXEC mode command displays information about the password management configuration.

Syntax

show passwords configuration

Parameters

N/A

Default Configuration

N/A

Command Mode

Privileged EXEC mode

Example

switchxxxxxx# show passwords configuration
Passwords aging is enabled with aging time 180 days.
Passwords history is enabled, the number of previous passwords to check is 12
Passwords complexity is enabled with the following attributes:
 Minimal length: 8 characters
 Minimal classes: 3
 Maximum consecutive same characters: 3
 Password cannot include more than 2 sequential numbers or characters
Password cannot contain the username, manufacturer name or product name
Password must be different from current password
Password cannot contain commonly used passwords or known breached passwords

The show users login-history Privileged EXEC mode command displays information about the user’s login history.

Syntax

show users login-history [username name]

Parameters

• name—Name of the user. (Range: 1–20 characters).

Default Configuration

N/A

Command Mode

Privileged EXEC mode.

User Guidelines

Note	TACACS is not supported on the C1200 models.

Example

The following example displays information about the users’ login history.

Example 1 - The following example shows how to block all login requests for 180 seconds if 18 failed login attempts are exceeded within 180 seconds:

switchxxxxxx# show users login-history
File save: Enabled.
Login Time              Username  Protocol    Location
--------------------
Jan 18 2004 23:58:17    Robert    HTTP        172.16.1.8
Jan 19 2004 07:59:23    Robert    HTTP        172.16.1.8
Jan 19 2004 08:23:48    Bob       Serieal     
Jan 19 2004 08:29:29    Robert    HTTP        172.16.1.8
Jan 19 2004 08:42:31    John      SSH         172.16.0.1
Jan 19 2004 08:49:52    Betty     Telnet      172.16.1.7