admin-password password [hash | hash2]
no admin-password
config>system>security>password
Supported on all 7210 SAS platforms as described in this document
This command enables the context (with admin permissions) to configure a password that enables a user to become an administrator.
This password is valid only for one session. When enabled, no authorization to TACACS+ or RADIUS is performed and the user is locally regarded as an admin user.
This functionality can be enabled in two contexts:
config>system>security>password>admin-password
global enable-admin
See the description for enable-admin. If the admin-password command is configured in the config>system>security>password context, any user can enter the administrative mode by entering the enable-admin command.
The enable-admin command is in the default profile. By default, all users have access to this command.
After the enable-admin command is entered, the user is prompted for a password. If the password matches, the user is granted unrestricted access to all commands.
The minimum password length is determined by the minimum-length command. The complexity requirements for the password are determined by the configuration in the complexity-rules context.
The password argument of this command is not sent to the servers. This is consistent with other commands that configure secrets.
The usernames and passwords in the FTP and TFTP URLs are not sent to the authorization or accounting servers when the file>copy source-file-url dest-file-url command is executed.
For example:
file copy ftp://test:secret@131.12.31.79/test/srcfile cf1:\destfile
In this example, the username 'test' and password 'secret' are not sent to the AAA servers (or to any logs). They are replaced with '****'.
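The redaction described above, as an added example that is not part of the original document or of the device software: it masks the user name and password of a source URL with '****' before a command line is logged or forwarded to the AAA servers, and leaves tokens without credentials (such as the cf1:\destfile local path) untouched. The helper names and the token-wise treatment of the command line are assumptions for illustration.

```python
from urllib.parse import urlsplit, urlunsplit

MASK = "****"  # replacement used for both the user name and the password


def redact_url_credentials(url: str) -> str:
    """Return `url` with any embedded user name and password replaced by MASK.

    Only URLs with a userinfo component (ftp://user:pass@host/...) are
    changed. Local device paths such as cf1:\\destfile have no network
    location and are returned unchanged.
    """
    parts = urlsplit(url)
    if "@" not in parts.netloc:
        return url
    userinfo, hostport = parts.netloc.rsplit("@", 1)
    # A bare user name (no ':') is still an account identifier, so mask it too.
    masked = f"{MASK}:{MASK}" if ":" in userinfo else MASK
    return urlunsplit(parts._replace(netloc=f"{masked}@{hostport}"))


def redact_command_line(command: str) -> str:
    """Redact every token of a CLI command line before it is logged or sent to AAA.

    Tokens are split on whitespace (an assumption of this example); anything
    that is not a URL carrying credentials passes through unchanged.
    """
    return " ".join(redact_url_credentials(token) for token in command.split())


if __name__ == "__main__":
    # Constructed command line matching the example in the text.
    print(redact_command_line(
        r"file copy ftp://test:secret@131.12.31.79/test/srcfile cf1:\destfile"))
```

Masking the user name as well as the password is deliberate: the page states that both are replaced, and a user name on its own still identifies an account on the file server.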
The configure system security password hashing command affects the maximum number of characters that can be used to configure the password parameter.
The no form of this command removes the admin password from the configuration.
no admin-password
Configures the password that enables a user to become a system administrator. The maximum length is 56 characters if unhashed, 32 characters if the hash keyword is specified, 54 characters if the hash2 keyword is specified, 60 characters if hashed with bcrypt, or 87 to 92 characters if hashed with sha2-pbkdf2.
Specifies the key is entered in an encrypted form. If the hash parameter is not used, the key is assumed to be in a non-encrypted, clear text form. For security, all keys are stored in encrypted form.
Specifies the key is entered in a more complex encrypted form. If the hash2 parameter is not used, the less encrypted hash form is assumed.
enable-admin
<global>
Supported on all 7210 SAS platforms as described in this document
Commands in this context enter the administrative mode.
See the description for admin-password. If admin-password is configured in the config>system>security>password context, any user can enter the administrative mode by entering the enable-admin command.
The enable-admin command is in the default profile. By default, all users are granted access to this command.
After the enable-admin command is entered, the user is prompted for a password. If the password matches, the user is granted unrestricted access to all the commands.
The minimum length of the password is determined by the minimum-length command. The complexity requirements for the password are determined by the configuration in the complexity-rules context.
There are two ways to verify that a user is in the enable-admin mode:
The administrator can use the show users command to know which users are in this mode.
Enter the enable-admin command again at the root prompt and an error message is returned.
The following output is an example of user information.
A:ALA-1# show users
===============================================================================
User          Type      From             Login time          Idle time
===============================================================================
admin         Console   --               10AUG2006 13:55:24  0d 19:42:22
admin         Telnet    10.20.30.93      09AUG2006 08:35:23  0d 00:00:00 A
-------------------------------------------------------------------------------
Number of users : 2
'A' indicates user is in admin mode
===============================================================================
A:ALA-1#
A:ALA-1# enable-admin
MINOR: CLI Already in admin mode.
A:ALA-1#
aging days
no aging
config>system>security>password
Supported on all 7210 SAS platforms as described in this document
This command configures the number of days a user password is valid before the user must change their password. This parameter can be used to force the user to change the password at the configured interval.
The no form of this command reverts to the default value.
Specifies the maximum number of days the password is valid.
attempts count [time minutes1 [lockout minutes2]]
no attempts
config>system>security>password
Supported on all 7210 SAS platforms as described in this document
This command configures a threshold value of unsuccessful login attempts allowed in a specified time frame.
The threshold for the number of login attempts can be configured by using the CLI parameter count in the command. An SNMP trap is generated by the device when the number of login attempts exceeds the configured threshold. Generation of the trap can be suppressed using the config>log>event-control command. By default, the device generates a trap when the login attempts exceed the configured threshold. The trap carries information about the user ID used for the login attempt. An SNMP trap is not sent for every failed attempt. If the threshold is exceeded, the user is locked out for a specified time period.
If multiple attempts commands are entered, each command overwrites the previously entered command.
The no form of this command resets all values to default.
attempts 3 time 5 lockout 10
Specifies the number of unsuccessful login attempts allowed for the specified time. This is a mandatory value that must be explicitly entered.
Specifies the period of time, in minutes, that a specified number of unsuccessful attempts can be made before the user is locked out.
Specifies the lockout period, in minutes, during which the user is not allowed to log in. Allowed values are decimal integers. When the user exceeds the attempt count in the specified time, that user is locked out from any further login attempts for the configured time period.
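The threshold, sliding time window and lockout described for the attempts command, as an added example that is not part of the original document or of the device software. It uses the documented defaults (attempts 3 time 5 lockout 10), raises one trap record per lockout rather than per failed attempt, and carries the user ID in that record. The class names, the trap record layout and the rule that the threshold is "exceeded" on the (count + 1)th failure inside the window are assumptions for illustration.

```python
from collections import deque
from dataclasses import dataclass, field


@dataclass
class AttemptsPolicy:
    """Mirrors 'attempts count [time minutes1 [lockout minutes2]]' (defaults 3 5 10)."""
    count: int = 3     # unsuccessful attempts allowed ...
    time: int = 5      # ... within this many minutes
    lockout: int = 10  # minutes the user stays locked out


@dataclass
class LoginGuard:
    policy: AttemptsPolicy = field(default_factory=AttemptsPolicy)
    failures: dict = field(default_factory=dict)      # user -> deque of failure times (minutes)
    locked_until: dict = field(default_factory=dict)  # user -> minute at which the lockout ends
    traps: list = field(default_factory=list)         # constructed stand-in for the SNMP trap

    def is_locked(self, user: str, now: float) -> bool:
        return now < self.locked_until.get(user, float("-inf"))

    def record_failure(self, user: str, now: float) -> bool:
        """Register a failed login at minute `now`; return True if the user is locked out."""
        if self.is_locked(user, now):
            return True  # still serving a lockout; nothing is counted or trapped
        window = self.failures.setdefault(user, deque())
        window.append(now)
        # Keep only the failures that fall inside the sliding 'time' window.
        while window and now - window[0] > self.policy.time:
            window.popleft()
        # Assumption: the threshold is exceeded on the (count + 1)th failure in the window.
        if len(window) > self.policy.count:
            self.locked_until[user] = now + self.policy.lockout
            # One trap per lockout, carrying the user ID, not one per failed attempt.
            self.traps.append({"event": "login-attempts-exceeded", "user": user, "at": now})
            window.clear()
            return True
        return False

    def record_success(self, user: str) -> None:
        """A successful login clears the failure history for that user."""
        self.failures.pop(user, None)


if __name__ == "__main__":
    guard = LoginGuard()
    for minute in (0, 1, 2, 3):
        print(minute, guard.record_failure("alice", minute))
    print(guard.traps)
```

Time is passed in as a minute counter so the logic is deterministic and testable; in a real implementation it would come from the system clock.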
authentication-order [method-1] [method-2] [method-3] [exit-on-reject]
no authentication-order
config>system>security>password
Supported on all 7210 SAS platforms as described in this document
This command configures the sequence in which password authentication, authorization, and accounting is attempted among RADIUS, TACACS+, and local passwords.
The order should be from the most preferred authentication method to the least preferred. The presence of all methods in the command line does not guarantee that they are all operational. Specifying options that are not available delays user authentication.
If all (operational) methods are attempted and no authentication for a particular login has been granted, an entry in the security log registers the failed attempt. Both the attempted login identification and originating IP address are logged with a timestamp.
The preferred order for password authentication is:
RADIUS
TACACS+
local passwords
The no form of this command reverts to the default authentication sequence.
authentication-order radius tacplus local
Specifies the first password authentication method to attempt.
Specifies the second password authentication method to attempt.
Specifies the third password authentication method to attempt.
Specifies RADIUS authentication.
Specifies TACACS+ authentication.
Specifies password authentication based on the local password database.
When enabled, if one of the AAA methods configured in the authentication order sends a reject, the next method in the order is not attempted. If the exit-on-reject keyword is not specified and one AAA method sends a reject, the next AAA method is attempted. If all the AAA methods are exhausted in this process, the result is considered a reject.
A rejection is distinct from an unreachable authentication server. When the exit-on-reject keyword is specified, authorization and accounting only use the method that provided an affirmative authentication; only if that method is no longer reachable or is removed from the configuration are other configured methods attempted. If the local keyword is the first authentication method and:
exit-on-reject is configured and the user does not exist, the user is not authenticated.
the user is authenticated locally, other methods, if configured, are used for authorization and accounting.
the user is configured locally but without console access, login is denied.
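The method walk described for authentication-order and exit-on-reject, as an added example that is not part of the original document or of the device software. RADIUS and TACACS+ are stand-ins that return a scripted answer; the local database is a constructed dictionary; and the distinction between a reject (which ends the sequence only with exit-on-reject) and an unreachable server (which never does) is the point of the example. The DENY outcome used for a local user without console access, and the omission of the actual password comparison, are assumptions for illustration.

```python
from typing import Callable, Dict, List, Optional, Tuple

ACCEPT, REJECT, UNREACHABLE, DENY = "accept", "reject", "unreachable", "deny"
Method = Callable[[str, str], str]

# Constructed local user database: user name -> access types granted.
LOCAL_USERS = {"admin": {"console", "ssh"}, "monitor": {"snmp"}}


def local_auth(user: str, password: str) -> str:
    """Local password database (assumption: the password comparison itself is omitted).

    An unknown user is a REJECT, so later methods may still be tried unless
    exit-on-reject is set. A user that exists but has no console access is a
    DENY, which ends the login regardless of the remaining methods.
    """
    access = LOCAL_USERS.get(user)
    if access is None:
        return REJECT
    if "console" not in access:
        return DENY
    return ACCEPT


def scripted(outcome: str) -> Method:
    """Stand-in for a RADIUS or TACACS+ server that always answers `outcome`."""
    return lambda user, password: outcome


def authenticate(order: List[str], methods: Dict[str, Method], user: str,
                 password: str, exit_on_reject: bool = False) -> Tuple[str, Optional[str]]:
    """Walk `order` and return (result, name of the method that decided).

    result is ACCEPT or REJECT; the method name is None when every method was
    exhausted without an affirmative answer.
    """
    for name in order:
        outcome = methods[name](user, password)
        if outcome == ACCEPT:
            return ACCEPT, name
        if outcome == DENY or (outcome == REJECT and exit_on_reject):
            return REJECT, name
        # REJECT without exit-on-reject, or an unreachable server: try the next method.
    return REJECT, None


if __name__ == "__main__":
    methods = {"radius": scripted(UNREACHABLE), "tacplus": scripted(REJECT), "local": local_auth}
    order = ["radius", "tacplus", "local"]
    print(authenticate(order, methods, "admin", "pw"))                       # ('accept', 'local')
    print(authenticate(order, methods, "admin", "pw", exit_on_reject=True))  # ('reject', 'tacplus')
```

The second call in the usage shows the operational effect of exit-on-reject: the TACACS+ reject stops the walk before the local database is consulted, while the unreachable RADIUS server before it does not.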
complexity-rules
config>system>security>password
Supported on all 7210 SAS platforms as described in this document
This command defines a list of rules for configurable password options.
[no] allow-user-name
config>system>security>password>complexity-rules
Supported on all 7210 SAS platforms as described in this document
This command enables the username to be used as part of the password.
The no form of this command does not allow the username to be used as part of the password.
credits [lowercase credits] [uppercase credits] [numeric credits] [special-character credits]
no credits
config>system>security>password>complexity-rules
Supported on all 7210 SAS platforms as described in this document
This command configures the maximum credits granted for usage of the different character classes in the local passwords.
The no form of this command reverts to the default value.
no credits
Specifies the number of credits that can be used for each character class.
minimum-classes minimum
no minimum-classes
config>system>security>password>complexity-rules
Supported on all 7210 SAS platforms as described in this document
This command forces the use of at least as many different character classes as specified.
The no form of this command resets to default.
no minimum-classes
Specifies the minimum number of classes to be configured.
minimum-length length
no minimum-length
config>system>security>password>complexity-rules
Supported on all 7210 SAS platforms as described in this document
This command configures the minimum number of characters required for locally administered passwords and keys used with SNMPv3 user authentication and encryption. See the configure system security user snmp authentication command for more information about the use of keys with SNMPv3-based authentication and encryption algorithms.
If multiple minimum-length commands are entered, each new command overwrites the previously configured password length.
The no form of this command reverts to the default value.
minimum-length 6
Specifies the minimum number of characters required for a locally administered password.
repeated-characters count
no repeated-characters
config>system>security>password>complexity-rules
Supported on all 7210 SAS platforms as described in this document
This command configures the number of times a character can be repeated consecutively.
The no form of this command resets to default.
no repeated-characters
Specifies the minimum count of consecutively repeated characters.
required [lowercase count] [uppercase count] [numeric count] [special-character count]
no required
config>system>security>password>complexity-rules
Supported on all 7210 SAS platforms as described in this document
This command configures the minimum number of different character classes required.
The no form of this command reverts to the default value.
no required
Specifies the minimum count of characters from the specified class.
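The complexity-rules context above (allow-user-name, credits, minimum-classes, minimum-length, repeated-characters and required) evaluated together, as an added example that is not part of the original document or of the device software. It returns every violated rule for a candidate password so the effect of each setting can be seen on sample input. The class definitions (Python's string.punctuation for special characters), the treatment of repeated-characters 0 as "no limit", and the credits semantics (each character of a class earns one credit toward minimum-length, capped at that class's configured credits, as in pam_cracklib) are assumptions for illustration; the page does not spell out how credits are applied.

```python
import string
from dataclasses import dataclass, field
from typing import Dict, List, Set

# The four character classes named by the credits and required commands.
CLASSES: Dict[str, Set[str]] = {
    "lowercase": set(string.ascii_lowercase),
    "uppercase": set(string.ascii_uppercase),
    "numeric": set(string.digits),
    "special-character": set(string.punctuation),
}


@dataclass
class ComplexityRules:
    minimum_length: int = 6                                  # minimum-length (default 6)
    minimum_classes: int = 0                                 # minimum-classes
    required: Dict[str, int] = field(default_factory=dict)  # required: class -> count
    credits: Dict[str, int] = field(default_factory=dict)   # credits: class -> max credits
    repeated_characters: int = 0                             # repeated-characters (0 = unlimited, assumption)
    allow_user_name: bool = False                            # allow-user-name


def class_counts(password: str) -> Dict[str, int]:
    return {name: sum(ch in chars for ch in password) for name, chars in CLASSES.items()}


def longest_run(text: str) -> int:
    """Length of the longest run of one character repeated consecutively."""
    best = run = 0
    prev = None
    for ch in text:
        run = run + 1 if ch == prev else 1
        prev = ch
        best = max(best, run)
    return best


def check_password(password: str, username: str, rules: ComplexityRules) -> List[str]:
    """Return the violated rules; each message starts with the rule's command name."""
    problems: List[str] = []
    counts = class_counts(password)

    # Assumption: credits behave as in pam_cracklib. Each character of a class adds
    # one credit toward minimum-length, capped by that class's configured credits.
    credit = sum(min(counts[c], rules.credits.get(c, 0)) for c in CLASSES)
    if len(password) + credit < rules.minimum_length:
        problems.append(f"minimum-length {rules.minimum_length}: length {len(password)} "
                        f"plus {credit} credits is too short")

    used = sum(1 for c in CLASSES if counts[c] > 0)
    if used < rules.minimum_classes:
        problems.append(f"minimum-classes {rules.minimum_classes}: only {used} classes used")

    for cls, needed in rules.required.items():
        if counts[cls] < needed:
            problems.append(f"required {cls} {needed}: found {counts[cls]}")

    if rules.repeated_characters and longest_run(password) > rules.repeated_characters:
        problems.append(f"repeated-characters {rules.repeated_characters}: "
                        f"run of {longest_run(password)}")

    if not rules.allow_user_name and username and username.lower() in password.lower():
        problems.append("allow-user-name: password contains the user name")

    return problems


if __name__ == "__main__":
    rules = ComplexityRules(minimum_length=8, minimum_classes=3, required={"numeric": 1},
                            repeated_characters=2, credits={"special-character": 2})
    for candidate in ("Tr0ub4dor!x", "alice111"):
        print(candidate, check_password(candidate, "alice", rules))
```

The user-name check is case-insensitive on purpose: a policy that only blocks the exact spelling of the login name is easy to satisfy by changing the case of one letter.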
hashing {bcrypt | sha2-pbkdf2}
config>system>security>password
Supported on all 7210 SAS platforms as described in this document, except 7210 SAS-D
This command configures the password hashing algorithm.
Keyword to configure the bcrypt algorithm.
Keyword to configure the PBKDF2 algorithm.
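What the sha2-pbkdf2 choice means in practice, as an added example that is not part of the original document or of the device software: a salted PBKDF2-HMAC-SHA256 hash is derived with Python's standard library, stored with its salt and iteration count, and verified with a constant-time comparison. The record layout, the iteration count and the salt size are constructed for this example; the page does not state the device's own encoding, and bcrypt is not shown because it is not in the Python standard library.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

ALGORITHM = "pbkdf2-sha256"
ITERATIONS = 100_000  # constructed value; the page does not state the device's iteration count
SALT_BYTES = 16       # constructed value


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Derive a salted PBKDF2-HMAC-SHA256 hash and encode it as one '$'-separated record."""
    salt = salt if salt is not None else os.urandom(SALT_BYTES)  # fresh random salt per password
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "${}${}${}${}".format(
        ALGORITHM, iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    )


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and iteration count; compare in constant time."""
    try:
        _, algorithm, iterations, salt_b64, dk_b64 = stored.split("$")
        if algorithm != ALGORITHM:
            return False
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(dk_b64, validate=True)
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    except ValueError:
        return False  # malformed record (wrong field count, bad base64 or iteration count)
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    record = hash_password("Tr0ub4dor!x")
    print(record, len(record))
    print(verify_password("Tr0ub4dor!x", record), verify_password("guess", record))
```

Storing the iteration count inside the record is what allows the work factor to be raised later without invalidating existing entries: old records keep verifying with their own count, and are re-hashed at the next successful login.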
[no] health-check [interval interval]
config>system>security>password
Supported on all 7210 SAS platforms as described in this document
This command specifies that RADIUS and TACACS+ servers are monitored for 3 seconds each at 30 second intervals. Servers that are not configured have 3 seconds of idle time. If in this process a server is found to be unreachable, or a previously unreachable server starts responding, based on the type of the server, a trap is sent.
The no form of the command disables the periodic monitoring of the RADIUS and TACACS+ servers. In this case, the operational status for the active server is up if the last access was successful.
health-check
Specifies the interval of the health check in seconds.
password
config>system>security
Supported on all 7210 SAS platforms as described in this document
Commands in this context configure password management parameters.
public-keys
config>system>security>user
Supported on all 7210 SAS platforms as described in this document, except the 7210 SAS-D
Commands in this context configure public keys for SSH.
ecdsa
config>system>security>user>public-keys
Supported on all 7210 SAS platforms as described in this document, except the 7210 SAS-D
Commands in this context configure ECDSA public keys.
ecdsa-key ecdsa-public-key-id [create]
no ecdsa-key ecdsa-public-key-id
config>system>security>user>public-keys>ecdsa
Supported on all 7210 SAS platforms as described in this document, except the 7210 SAS-D
This command creates an ECDSA public key and associates it with the username. Multiple public keys can be associated with the user. The key ID is used to identify these keys for the user.
The no form of this command removes the configured ECDSA public keys.
no ecdsa-key
Keyword to create an ECDSA key. The create keyword requirement can be enabled or disabled in the environment>create context.
Specifies the key identifier.
key-value public-key-value
no key-value
config>system>security>user>public-keys>ecdsa>ecdsa-key
Supported on all 7210 SAS platforms as described in this document, except the 7210 SAS-D
This command configures a value for the ECDSA public key. The public key must be enclosed in quotation marks. The key is between 1 and 1024 bits.
The no form of this command removes the configured ECDSA public key value.
no key-value
Specifies the public key value, up to 255 characters.
rsa
config>system>security>user>public-keys
Supported on all 7210 SAS platforms as described in this document, except the 7210 SAS-D
Commands in this context configure RSA public keys.
rsa-key rsa-public-key-id [create]
no rsa-key rsa-public-key-id
config>system>security>user>public-keys>rsa
Supported on all 7210 SAS platforms as described in this document, except the 7210 SAS-D
This command creates an RSA public key and associates it with the username. Multiple public keys can be associated with the user. The key ID is used to identify these keys for the user.
The no form of this command removes the configured RSA public keys.
no rsa-key
Keyword to create the RSA key. The create keyword requirement can be enabled or disabled in the environment>create context.
Specifies the key identifier.
key-value rsa-public-key-value
no key-value
config>system>security>user>public-keys>rsa>rsa-key
Supported on all 7210 SAS platforms as described in this document, except the 7210 SAS-D
This command configures a value for the RSA public key. The public key must be enclosed in quotation marks. The key is between 768 and 4096 bits.
The no form of this command removes the configured public key value.
no key-value
Specifies the public key value, up to 800 characters.