The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
To enter Authentication Authorization and Accounting (AAA) configuration mode, use the aaa command in global configuration mode.
aaa
Global configuration (config)
This example shows how to enter AAA configuration mode.
Device> enable
Device# configure terminal
Device(config)# aaa
Device(config-aaa)# To configure a RADIUS authentication key, use the auth-secret-key command in AAA configuration mode. To delete the configured RADIUS authentication key, use the no form of the command.
auth-secret-key keyno auth-secret-key
| key |
The secret key. |
AAA configuration (config-aaa)
Use this command in the AAA configuration mode.
This example shows how to configure a RADIUS authentication key
Device> enable
Device# configure terminal
Device(config)# aaa
Device(config-aaa)# radius host radius1
Device(config-aaa-radius-radius1)# auth-secret-key key1To enable or disable the default domain, use the default domain-name command in AAA configuration mode.
default domain-name {enable domain-name | disable}
| enable |
Enables the default domain. |
| domain-name |
The default domain name The format is string. |
| disable |
Disables the default domain. |
AAA configuration (config-aaa)
Use this command in the AAA configuration mode.
This example shows how to configure the default domain.
Device> enable
Device# configure terminal
Device(config)# aaa
Device(config-aaa)# domain default1
Device(config-aaa-domain-default1)# radius host binding cisco
Device(config-aaa-domain-default1)# state active
Device(config-aaa-domain-default1)# exit
Device(config-aaa)# default domain-name enable domain1
Succeed in setting default domain.To specify a RADIUS domain name, use the domain domain_name command in AAA configuration mode.
domain domain_name
| domain_name |
The name of the domain. The format is string. |
AAA configuration (config-aaa)
Use this command in the AAA configuration mode.
This example shows how to specify the RADIUS domain name
Device> enable
Device# configure terminal
Device(config)# aaa
Device(config-aaa)# domain domain1
Device(config-aaa-domain-domain1)# To allow access for specific IP addresses, use the login-access-list {snmp | ssh | telnet} command in global configuration mode. To block all IP addresses, use the no login-access-list command.
login-access-list {snmp ip_address mask | ssh ip_address mask | telnet ip_address mask | telnet-limit max_user_number}
no login-access-list {snmp {all | ip_address mask} | ssh {all | ip_address mask} | telnet {all | ip_address mask} | telnet-limit max_user_number}
| snmp |
The SNMP client. |
| ssh |
The SSH client. |
| telnet |
The Telnet client. |
| all |
Deletes all IP address. |
| ip_address |
The IP address. |
| mask |
The IP address mask. |
| telnet-limit max_user_number |
Limit the number of Telnet user logins. The range is from 0 to 5. |
Global configuration (config)
Use the no login-access-list {snmp| ssh |telnet}all command to block all IP access.
Use the login-access-list {snmp| ssh |telnet} 0.0.0.0 [ 0.0.0.0 | 255.255.255.255] command to allow all IP access.
This example shows how to delete all IP addresses from the SNMP client.
Device> enable
Device# configure terminal
Device(config)# no login-access-list snmp all
Delete access ip address successfully.To enable local authentication mode, use the muser local command in global configuration mode.
muser local
Global configuration (config)
This example shows how to enable local authentication mode
Device> enable
Device# configure terminal
Device(config)# muser local
Config manager user authentication successfully.To enable RADIUS remote authentication, use the muser radius radius_name command in global configuration mode.
muser radius radius_name {pap | chap} {account | local}
| radius_name |
The RADIUS host name. The format is string. The range is from 1 to 32. |
| pap |
The password authentication protocol (PAP) |
| chap |
The challenge handshake authentication protocol (CHAP) |
| account |
Manages login accounting through the RADIUS server. |
| local |
Allows local authentication when the remote authentication fails. |
Global configuration (config)
This example shows how to enable RADIUS remote authentication.
Device> enable
Device# configure terminal
Device(config)# muser radius cisco pap localTo enable TACACS+ remote authentication mode, use the muser tacacs+ command in global configuration mode.
muser tacacs+ {author | account | command-account | local}
| author |
Allows login authorization through the TACACS+ server |
| account |
Manages login accounting through the TACACS+ server. |
| command-account |
Forwards all the command lines to the TACACS+ server through the TACACS+ account packet. |
| local |
Allows local authentication when the remote authentication fails. |
Global configuration (config)
This example shows how to enable TACACS+ remote authentication.
Device> enable
Device# configure terminal
Device(config)# muser tacacs+To configure a RADIUS server name, use the radius host command in AAA configuration mode.
radius host radius_name
| radius_name |
The name of the RADIUS serve |
AAA configuration (config-aaa)
Use this command in the AAA configuration mode.
This example shows how to configure a RADIUS server name
Device> enable
Device# configure terminal
Device(config)# aaa
Device(config-aaa)# radius host radius1To bind a domain to the RADIUS server name, use the radius host binding command in AAA configuraton mode.
radius host binding radius-name
| radius-name |
The RADIUS name server. The format is string. |
AAA configuration (config-aaa)
Use this command in the AAA configuration mode.
This example shows how to bind the RADIUS host to the domain.
Device> enable
Device# configure terminal
Device(config)# aaa
Device(config-aaa)# domain radius1
Device(config-aaa-domain-radius1)# radius host binding ciscoTo save a password in cipher text, use the service password-encryption command in global configuration mode.
service password-encryption
Global configuration (config)
This example shows how to save a password in cipher text
Device> enable
Device# configure terminal
Device(config)# service password-encryption To display the domain configuration, use the show domain command in privileged EXEC or global configuration mode.
show domain [domain_name]
| domain_name |
The name of the domain. The format is string. |
Privileged EXEC (#)
Global configuration (config)
This example shows how to display the domain configuration.
Device> enable
Device# configure terminal
Device(config)# show domain domain1
Default domain name : domain1
DomainName : domain1
RADIUSServerName : cisco
Access-limit : disabled
AccessedNum : 0
Scheme : radius
State : Block
----------------------------------------------------------------------
Total [1] item(s).To display the list of allowed IP addresses, use the show login-access-list command in privileged EXEC or global configuration mode.
show login-access-list
Privileged EXEC (#)
Global configuration (config)
This example shows how to view the list of allowed IP addresses.
Device> enable
Device# configure terminal
Device(config)# show login-access-list
sno ipAddress wildcard bits terminal
1 0.0.0.0 255.255.255.255 telnet
2 0.0.0.0 255.255.255.255 sshTo display the authentication configuration, use the show muser command in privileged EXEC or global configuration mode.
show muser
Privileged EXEC (#)
Global configuration (config)
This example shows how to view the authentication configuration.
Device> enable
Device# configure terminal
Device(config)# show muser
Show manager user authentication.
Authentication type : local
Admin-Remote-Auth: Disable
To display the timeout configuration, use the show running-config oam command in privileged EXEC or global configuration mode.
show running-config oam
Privileged EXEC (#)
Global configuration (config)
This example shows how to view the timeout configuration.
Device> enable
Device# configure terminal
Device(config)# show running-config oam
![OAM]
no login-access-list snmp 0.0.0.0 255.255.255.255
service password-encryption
username text privilege 0 password 7 884863d2
banner
screen-rows per-page 55
hostname 2
telnet limit 3
exit
timeout 100
configure terminal
telnetclient timeout 2
ip icmp mask-replyTo display the TACACS+ configuration, use the show tacacs+ command in privileged EXEC or global configuration mode.
show tacacs+
Privileged EXEC (#)
Global configuration (config)
This example shows how to view the TACACS+ configuration.
Device> enable
Device# configure terminal
Device(config)# show tacacs+
Primary Server Configurations:
IP address: : 192.168.1.10
Connection port: : 49
Connection timeout: : 5
Key: : 123456
Secondary Server Configurations:
IP address: : 192.168.1.11
Connection port: : 49
Connection timeout: : 5
Key: : 123456To display the user information, use the show username command in privileged EXEC or global configuration mode.
show username username
| username |
The user name. |
Privileged EXEC (#)
Global configuration (config)
This example shows how to view the user information.
Device> enable
Device# configure terminal
Device(config)# show username admin
display user information
Terminal type: C=Console, T=Telnet, S=SSH, W=Web
Global Failmax: n/a
User Name Role Terminal FailMax Fail OnLineMax OnLine
______________________________________________________________________________
admin ADMIN CTSW n/a 0 n/a 1To display the privilege password authentication configuration, use the show username privilege-auth command in privileged EXEC or global configuration mode.
show username privilege-auth
Privileged EXEC (#)
Global configuration (config)
This example shows how to view the configuration of second-tier password authentication
Device> enable
Device# configure terminal
Device(config)# show username privilege-auth
Privilege-password authentication
switch: OFF
remote-user name: remote_admin
password not configuredTo display a user silent period information, use the show username silent command in privileged EXEC or global configuration mode.
show username silent
Privileged EXEC (#)
Global configuration (config)
This example shows how to view a user silent period information
Device> enable
Device# configure terminal
Device(config)# show username silent
display user silent period information
Silent Time: 2 minutes
User Name State Silent End Time
________________________________________________
admin Off n/a
text Off n/aTo display the online users, use the show users command in privileged EXEC or global configuration mode.
show users
Privileged EXEC (#)
Global configuration (config)
This example shows how to view the online users.
Device> enable
Device# configure terminal
Device(config)# show users
Only 5 users logged in by telnet are allowed to be in privileged mode.
Now 1 users logged in by telnet have been in privileged mode.
User "admin" logged in at time 2001/12/09 16:53:44
Time passed after login: 0 days 0 hours 12 minutes 32 seconds
Time no operation: 0 minutes 0 seconds
Terminal: telnet 1
Transport: telnet
User's IP address: 10.65.75.54
Authentication: local
Radius hostname: N/ATo activate a domain, use the state active command in AAA configuration mode.
state active
AAA configuration (config-aaa)
This example shows to activate a configured domain.
Device> enable
Device# configure terminal
Device(config)# aaa
Device(config-aaa)# domain default1
Device(config-aaa-domain-default1)# radius host binding cisco
Device(config-aaa-domain-default1)# state active
Device(config-aaa-domain-default1)# exitTo deactivate a domain, use the state block command in AAA configuration mode.
state block
AAA configuration mode
This example shows how to deactivate a domain.
Device> enable
Device# configure terminal
Device(config)# aaa
Device(config-aaa)# domain default1
Device(config-aaa-domain-default1)# state blockTo force user or users to go offline, use the stop command in privileged EXEC mode.
stop {username | vty {all | vty_list} | telnet {all | terminal_id}}
| username |
The username |
| all |
Stops all. |
| vty_list |
The VTY list. |
| terminal_id |
The terminal ID The range is from 0 to 5. |
Privileged EXEC (#)
This example shows how to force a user offline
Device> enable
Device# stop JerryTo configure the TACACS + server, use the tacacs+ command in global configuration mode.
tacacs+ {primary | secondary}server ip_address [encrypt-key value | key key | port port | timeout value]
| primary |
Configures the primary server. |
| secondary |
Configures the secondary server. |
| server ip_address |
The server IP address. |
| encrypt-key value |
The server key encryption. |
| key key |
The server key configuration. |
| portport |
The TCP port. The range is from 1 to 65535. |
| timeout value |
The connection timeout. The range is from 1 to 70. The default is 5. |
Global configuration (config)
This example shows how to configure the TACACS + primary server
Device> enable
Device# configure terminal
Device(config)# tacacs+ primary server 192.168.1.10 key 123456
To configure an authentication type, use the tacacs+ authentication-type command in global configuration mode.
tacacs+ authentication-type {ascii | chap | pap}
| ascii |
Configures the ASCII authentication type. |
| chap |
Configures the Challenge Handshake Authentication Protocol (CHAP) authentication type. |
| pap |
Configures the Password Authentication Protocol (PAP) authentication type. |
Global configuration (config)
This example shows how to configure an ASCII authentication type
Device> enable
Device# configure terminal
Device(config)# tacacs+ authentication-type ascii
To enable password encryption, use the tacacs+ encrypt-key command in global configuration mode. To disable password encryption, use the no tacacs+ encrypt-key command.
tacacs+ encrypt-key
no tacacs+ encrypt-key
Global configuration (config)
This example shows how to enable password encryption
Device> enable
Device# configure terminal
Device(config)# tacacs+ encrypt-keyTo configure the recovery time to switch to the TACACS+ primary server, use the tacacs+ preemption-time command in global configuration mode.
tacacs+ preemption-time time
| time |
The preemption time The unit in minutes. The range is from 0 to 1440. The default value isc0 |
Global configuration (config)
This example shows how to configure the recovery time to switch to the TACACS+ primary server.
Device> enable
Device# configure terminal
Device(config)# tacacs+ preemption-time 200
To configure the system idle timeout, use the timeout command in privileged Exec mode. To disable the system idle timeout, use the no timeout command.
timeout value
no timeout
| value |
The system idle timeout value. The range is 1-480. The default timeout value is 20m. |
Privileged Exec (#)
This example shows how to configure the system idle timeout
Device> enable
Device# timeout 100
The idle time is : 100 minutes!To add a user or modify an existing user privilege level, use the username username command in global configuration mode. To remove a user, use the no username username command.
username username {password {0 | 7}password | privilege privilege_level password {0 | 7}password | terminal {all | console | none | ssh | telnet | web}}
no username username
| username |
The username. |
| password 0 |7 |
The password encryption time.
|
| password |
The password. |
| privilege_level |
The privilege level.
|
| terminal |
The login mode The options are
|
Global configuration (config)
If you do not enter a permission value when you create a user, the system will automatically assign it with normal permissions.
Configure the password encryption type as 0 for a new user. When you configure the service password-encryption command, a password configured in plain text (0) is decrypted in de-compilation and the decrypted password type changes to 7
This example shows how to add a new user.
Device> enable
Device# configure terminal
Device(config)# username mark privilege 0 password 0 mark@123
Add user successfully.To modify the user password, use the username change-password command in global configuration mode.
username change-password
Global configuration (config)
This example shows how to modify the user password
Device> enable
Device# configure terminal
Device(config)# username change-passwordTo configure the second-tier password authentication, use the username change-privilege-pwd command in global configuration mode.
username change-privilege-pwd {0 | 7}
| { 0 |7} |
|
Global configuration (config)
This example shows how to configure the second-tier password authentication.
Device> enable
Device# configure terminal
Device(config)# username change-privilege-pwd 0 123456To configure a limit on the consecutive failed login attempts, use the username failmax command in global configuration mode. To disable the limit on the consecutive failed login attempts, use the no username failmax command.
username failmax {fail_value | username fail_value}
no username failmax
| fail_value |
The fail value. The range is from 1 to 100. |
| username |
The username. |
Global configuration (config)
This example shows how to configure a limit on the consecutive failed login attempts.
Device> enable
Device# configure terminal
Device(config)# username failmax 5To configure the duration users are online at the same time, use the username online-max command in global configuration mode.
username online-max username value
| username |
The username. |
| value |
The duration users are online at the same time The range is from 1 to 100. |
Global configuration (config)
This example shows how to configure the duration users are online at the same time.
Device> enable
Device# configure terminal
Device(config)# username online-max mark 100To enable privilege password authentication for a remote user, use the username privilege-auth-remote-user command in global configuration mode. To disable user privilege password authentication, use the no username privilege-auth command.
username privilege-auth-remote-user username
no username privilege-auth-remote-user
| username |
The username. |
Global configuration (config)
This example shows how to enable privilege password authentication.
Device> enable
Device# configure terminal
Device(config)# username privilege-auth-remote-user mark
Enable Privilege-password authentication OK!To enable privilege password authentication for a user, use the username privilege-auth command in global configuration mode. To disable user privilege password authentication, use the no username privilege-auth command.
username privilege-auth [always]
no username privilege-auth
| always |
Configures privilege password authentication for all users. |
Global configuration (config)
This example shows how to enable user privilege password authentication.
Device> enable
Device# configure terminal
Device(config)# username privilege-auth
Enable Privilege-password authentication OK!To configure the silent time, use the username silent-time command in global configuration mode.
username silent-time silent_time
| silent_time |
The silence period time. The range is from 2 to 1440. |
Global configuration (config)
This example shows how to configure the silent time
Device> enable
Device# configure terminal
Device(config)# username silent-time 100
Feedback