admin-password password [hash | hash2]
no admin-password
config>system>security>password
Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.
This command configures a password that enables a user to become an administrator, that is, to enter a special administrative mode with administrative permissions.
This password is valid only for one session. When enabled, no authorization to TACACS+ or RADIUS is performed and the user is locally regarded as an administrative user.
This functionality can be enabled in two contexts:
config>system>security>password>admin-password
<global> enable-admin
See the description for the enable-admin command. If the admin-password command is configured in the config>system>security>password context, any user can enter the special administrative mode by entering the enable-admin command.
The enable-admin command is in the default profile. By default, all users are given access to this command.
When the enable-admin command is entered, the user is prompted for a password. If the password is correct, the user is given unrestricted access to all commands.
The minimum length of the password is determined by the minimum-length command. The complexity requirements for this password are determined by the configuration in the complexity-rules context.
The password argument of this command is not sent to the servers. This is consistent with other commands that configure secrets.
Usernames and passwords in the FTP and TFTP URLs will not be sent to the authorization or accounting servers when the file>copy source-url dest-url command is executed.
For example:
file copy ftp://test:secret@131.12.31.79/test/srcfile cf1:\destfile
In this example, the username 'test' and password 'secret' will not be sent to the AAA servers (or to any logs). They will be replaced with '****'.
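The masking described above can be reproduced in a few lines. The following Python function is an added example, not code from the 7210 SAS or from Nokia: it rewrites any `user:password@` credentials embedded in an ftp:// or tftp:// URL on a command line to `****` before the line is handed to accounting or written to a log. The regular expression, the `accounting_record` helper and the sample command line are assumptions of this example (the sample reuses the page's own `file copy` command); passwords that themselves contain `@` or `/` are not handled by this simple pattern.

```python
import re

# Matches user[:password]@ directly after an ftp:// or tftp:// scheme, the two
# URL types named on the page. Passwords that contain '@' or '/' are not
# handled by this pattern (assumption made for the example).
_CRED_RE = re.compile(
    r"(?P<scheme>\b(?:ftp|tftp)://)"
    r"(?P<user>[^:/@\s]+)"
    r"(?::(?P<password>[^@/\s]*))?@"
)

MASK = "****"


def mask_url_credentials(command_line):
    """Return the command line with any embedded URL username/password
    replaced by '****' so it can be forwarded to AAA accounting or logged."""
    def _sub(m):
        masked = f"{m.group('scheme')}{MASK}"
        if m.group("password") is not None:
            masked += f":{MASK}"
        return masked + "@"
    return _CRED_RE.sub(_sub, command_line)


def accounting_record(user, command_line):
    """Build the record that would go to an accounting server (hypothetical
    format): the command is masked, the session username is kept as-is."""
    return {"user": user, "command": mask_url_credentials(command_line)}


if __name__ == "__main__":
    # Constructed sample, taken from the page's own example command.
    cmd = "file copy ftp://test:secret@131.12.31.79/test/srcfile cf1:\\destfile"
    print(accounting_record("admin", cmd)["command"])
```

A URL without credentials passes through untouched, and a URL carrying only a username is masked to `ftp://****@host/...`.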
The configure system security password hashing command affects the maximum number of characters that can be used to configure the password parameter.
The no form of this command removes the administrative password from the configuration.
no admin-password
Specifies the password, which enables a user to become a system administrator. The maximum length is 56 characters if unhashed, 32 characters if the hash keyword is specified, 54 characters if the hash2 keyword is specified, 60 characters if hashed with bcrypt, or 87 to 92 characters if hashed with sha2-pbkdf2.
Specifies that the key is entered in an encrypted form. If the hash keyword is not configured, the key is assumed to be in a non-encrypted, clear text form. For security, all keys are stored in encrypted form.
Specifies the key is entered in a more complex encrypted form. If the hash2 parameter is not used, the less encrypted hash form is assumed.
enable-admin
<global>
Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.
This command is in the default profile. By default, all users are given access to this command.
See the description for the admin-password command. If the admin-password command is configured in the config>system>security>password context, then any user can enter the special administrative mode by entering the enable-admin command.
When the enable-admin command is entered, the user is prompted for a password. If the password is correct, the user is given unrestricted access to all commands.
The minimum length of the password is determined by the minimum-length command. The complexity requirements for the password are determined by the configuration in the complexity-rules context.
There are two ways to verify that a user is in the enable-admin mode.
An administrator can enter the show users command to see which users are in this mode.
Enter the enable-admin command again at the root prompt and an error message will be returned.
The following output shows an example of an error message when the enable-admin command is entered at the prompt again and the user is already in the enable-admin mode.
Sample output
A:ALA-1# show users
===============================================================================
User Type From Login time Idle time
===============================================================================
admin Console -- 10AUG2006 13:55:24 0d 19:42:22
admin Telnet 10.20.30.93 09AUG2006 08:35:23 0d 00:00:00 A
-------------------------------------------------------------------------------
Number of users : 2
'A' indicates user is in admin mode
===============================================================================
A:ALA-1#
A:ALA-1# enable-admin
MINOR: CLI Already in admin mode.
A:ALA-1#
aging days
no aging
config>system>security>password
Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.
This command configures the number of days a user password is valid before the user must change their password. This parameter can be used to force the user to change the password at the configured interval.
The no form of this command reverts to the default value.
Specifies the maximum number of days the password is valid.
attempts count [time minutes1 [lockout minutes2]]
no attempts
config>system>security>password
Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.
This command configures a threshold value of unsuccessful login attempts allowed in a specified time frame. The threshold for the number of login attempts can be configured by using the CLI parameter count. An SNMP trap is generated by the device when the number of login attempts exceeds the configured threshold. Generation of the trap can be suppressed using the config>log>event-control command.
By default, the device generates a trap when the login attempts exceed the configured threshold. The trap carries information about the user ID used for the login attempt. An SNMP trap will not be sent for every failed attempt.
If the threshold is exceeded, the user is locked out for a specified time period.
If multiple attempts commands are entered, each command overwrites the previously entered command.
The no form of this command reverts to the default values.
attempts 3 time 5 lockout 10
Specifies the number of unsuccessful login attempts allowed for the specified time. This is a mandatory value that must be explicitly entered.
Specifies the period of time, in minutes, that a specified number of unsuccessful attempts can be made before the user is locked out.
Specifies the lockout period, in minutes, during which the user is not allowed to log in. Allowed values are decimal integers.
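To make the interaction of count, time and lockout concrete, here is an added Python model of the threshold logic; it is example code, not the device's implementation or anything published by Nokia. It assumes, since the page does not say, that the lockout is applied on the failure that brings the number of failures inside the rolling time window up to the configured count, that one trap (carrying the user ID) is raised per lockout rather than per failed attempt, and that the caller passes timestamps in minutes so the behaviour is deterministic. The default values are the page's `attempts 3 time 5 lockout 10`.

```python
from collections import defaultdict, deque


class LoginAttemptPolicy:
    """Model of 'attempts count [time minutes1 [lockout minutes2]]'.

    Assumptions of this example (not stated on the page): the lockout starts
    on the failure that brings the count of failures within the rolling
    'time' window up to 'count'; one trap is generated per lockout; all
    times are minutes supplied by the caller.
    """

    def __init__(self, count=3, time=5, lockout=10):
        self.count = count
        self.window = time        # minutes during which failures are counted
        self.lockout = lockout    # minutes the user stays locked out
        self._failures = defaultdict(deque)   # user -> timestamps of failures
        self._locked_until = {}               # user -> minute the lockout ends
        self.traps = []                       # trap notifications generated

    def is_locked(self, user, now):
        return self._locked_until.get(user, float("-inf")) > now

    def record_failure(self, user, now):
        """Register a failed login; return True if the user is now locked out."""
        if self.is_locked(user, now):
            return True
        q = self._failures[user]
        q.append(now)
        # Forget failures that fall outside the counting window.
        while q and now - q[0] > self.window:
            q.popleft()
        if len(q) >= self.count:
            self._locked_until[user] = now + self.lockout
            q.clear()
            # The trap carries the user ID; it is not sent for every failure.
            self.traps.append({"user": user, "at": now})
            return True
        return False

    def record_success(self, user):
        """A successful login clears the failure history for the user."""
        self._failures.pop(user, None)


if __name__ == "__main__":
    policy = LoginAttemptPolicy()            # attempts 3 time 5 lockout 10
    for minute in (0, 1, 2):
        print(minute, policy.record_failure("alice", minute))
    print("locked at minute 11:", policy.is_locked("alice", 11))
    print("traps:", policy.traps)
```

Three failures spread over more than five minutes never reach the threshold, because the oldest failure has left the window by the time the third arrives; three failures in quick succession lock the user for ten minutes and raise exactly one trap.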
authentication-order [method-1] [method-2] [method-3] [exit-on-reject]
no authentication-order
config>system>security>password
Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.
This command configures the sequence in which password authentication, authorization, and accounting are attempted among RADIUS, TACACS+, and local passwords.
The order should be from the most preferred authentication method to the least preferred. The presence of all methods in the command line does not guarantee that they are all operational. Specifying options that are not available delays user authentication.
If all (operational) methods are attempted and no authentication for a particular login has been granted, an entry in the security log registers the failed attempt. The attempted login identification and originating IP address are logged with a timestamp.
The no form of this command reverts to the default authentication sequence.
authentication-order radius tacplus local
Specifies the first password authentication method to attempt.
Specifies the second password authentication method to attempt.
Specifies the third password authentication method to attempt.
Specifies the RADIUS authentication.
Specifies the TACACS+ authentication.
Specifies the password authentication based on the local password database.
When enabled and if one of the AAA methods configured in the authentication order sends a reject, the next method in the order will not be tried. If the exit-on-reject keyword is not specified and one AAA method sends a reject, the next AAA method will be attempted. If in this process, all the AAA methods are exhausted, it will be considered as a reject.
A rejection is distinct from an unreachable authentication server. When the exit-on-reject keyword is specified, authorization and accounting will only use the method that provided an affirmative authentication; only if that method is no longer reachable or is removed from the configuration will other configured methods be attempted. If the local keyword is the first authentication method, exit-on-reject is configured, and the user does not exist, the user will not be authenticated.
If the user is authenticated locally, then other methods, if configured, will be used for authorization and accounting.
If the user is configured locally but without console access, login will be denied.
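The reject-versus-unreachable distinction and the effect of exit-on-reject are easier to reason about when the walk through the method list is written out. The Python function below is an added example (not the 7210 SAS implementation, and not Nokia code) that takes the configured order and a constructed table of per-method replies (accept, reject or unreachable) and returns whether the login succeeds, which method authenticated it, and which methods the example then uses for authorization and accounting. Its reading of "other methods" as the remaining configured non-local methods, its logging of every denial rather than only exhaustion, and the representation of a locally defined user without console access as a local reject are assumptions of this example.

```python
import datetime

ACCEPT, REJECT, UNREACHABLE = "accept", "reject", "unreachable"


def authenticate(order, responses, exit_on_reject, user, src_ip, now=None):
    """Walk the configured authentication order and return a result dict.

    order:      the configured sequence, e.g. ["radius", "tacplus", "local"]
    responses:  method -> ACCEPT / REJECT / UNREACHABLE for this login
                (constructed inputs standing in for real server replies;
                a local user without console access is modelled as REJECT)
    Assumptions of this example: "other methods" used for authorization and
    accounting after a local accept means the remaining configured non-local
    methods, and a denial is logged whether it came from exhaustion or from
    an exit-on-reject stop.
    """
    now = now or datetime.datetime.now(datetime.timezone.utc)
    security_log = []
    for method in order:
        result = responses.get(method, UNREACHABLE)
        if result == UNREACHABLE:
            continue                      # unreachable: try the next method
        if result == ACCEPT:
            if exit_on_reject or method != "local":
                authz = [method]          # only the accepting method is used
            else:
                authz = [m for m in order if m != "local"] or ["local"]
            return {"authenticated": True, "via": method,
                    "authz_methods": authz, "security_log": security_log}
        # result == REJECT
        if exit_on_reject:
            break                         # an explicit reject ends the walk
    security_log.append(
        f"{now.isoformat()} login failed user={user} from={src_ip}")
    return {"authenticated": False, "via": None,
            "authz_methods": [], "security_log": security_log}


if __name__ == "__main__":
    replies = {"radius": UNREACHABLE, "tacplus": REJECT, "local": ACCEPT}
    for flag in (False, True):
        r = authenticate(["radius", "tacplus", "local"], replies, flag,
                         user="alice", src_ip="10.0.0.5")
        print("exit-on-reject" if flag else "fall-through", r)
```

With the page's default order and a TACACS+ reject, the fall-through case still reaches the local database, while exit-on-reject stops at the reject and the local entry is never consulted.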
complexity-rules
config>system>security>password
Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.
Commands in this context define a list of rules for configurable password options.
[no] allow-user-name
config>system>security>password>complexity-rules
Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.
This command enables the username to be used as part of the password.
The no form of this command does not allow the username to be used as part of the password.
credits [lowercase credits] [uppercase credits] [numeric credits] [special-character credits]
no credits
config>system>security>password>complexity-rules
Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.
This command configures the maximum credits given for usage of the different character classes in the local passwords.
The no form of this command reverts to the default value.
no credits
Specifies the number of credits that can be used for each character class.
minimum-classes minimum
no minimum-classes
config>system>security>password>complexity-rules
Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.
This command forces the use of at least the specified number of different character classes.
The no form of this command reverts to the default value.
no minimum-classes
Specifies the minimum number of classes to be configured.
[no] health-check [interval interval]
config>system>security>password
Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.
This command specifies that RADIUS, TACACS+, and LDAP servers are monitored for 3 seconds each at 30-second intervals. Servers that are not configured will have 3 seconds of idle time. If in this process a server is found to be unreachable, or a previously unreachable server starts responding, a trap will be sent based on the server type.
The no form of this command disables the periodic monitoring of the RADIUS, TACACS+, and LDAP servers. In this case, the operational status for the active server will be up if the last access was successful.
Specifies the polling interval for RADIUS, TACACS+, and LDAP servers.
history size
no history
config>system>security>password
Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.
This command configures how many previous passwords a new password is matched against.
no history
Specifies how many previous passwords a new password is matched against.
minimum-age [days days] [hrs hours] [min minutes] [sec seconds]
no minimum-age
config>system>security>password
Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.
This command configures the minimum required age of a password before it can be changed again.
The no form of this command removes the minimum password age requirement.
no minimum-age
Specifies the minimum number of days before a password can be changed again.
Specifies the minimum number of hours before a password can be changed again.
Specifies the minimum number of minutes before a password can be changed again.
Specifies the minimum number of seconds before a password can be changed again.
minimum-change length
no minimum-change
config>system>security>password
Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.
This command configures the minimum number of characters required to be different in the new password from a previous password.
The no form of this command removes the unique character requirement.
no minimum-change
Specifies how many characters must be different in the new password from the old password.
minimum-length length
no minimum-length
config>system>security>password>complexity-rules
Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.
This command configures the minimum number of characters required for locally administered passwords and keys used with SNMPv3 user authentication and encryption. See the configure system security user snmp authentication command for more information about the use of keys with SNMPv3-based authentication and encryption algorithms.
If multiple minimum-length commands are entered, each new command overwrites the previously configured password length.
The no form of this command reverts to the default value.
minimum-length 6
Specifies the minimum number of characters required for a locally administered password.
repeated-characters count
no repeated-characters
config>system>security>password>complexity-rules
Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.
This command configures the number of times a character can be repeated consecutively.
The no form of this command reverts to the default value.
no repeated-characters
Specifies the minimum count of consecutively repeated characters.
required [lowercase count] [uppercase count] [numeric count] [special-character count]
no required
config>system>security>password>complexity-rules
Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.
This command configures the minimum number of different character classes required.
The no form of this command reverts to the default value.
no required
Specifies the minimum count of character classes.
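The password context (history, minimum-age, minimum-change) and the complexity-rules context above together define one policy that every new local password is checked against. The Python checker below is an added example that evaluates such a policy; it is not the 7210 SAS code and not published by Nokia, and its defaults mirror the page only where the page states one (minimum-length 6), with every other rule off unless set. Several semantics the page leaves open are assumptions of this example: credits are modelled as in pam_cracklib (each class adds up to its credit toward the minimum length); repeated-characters fails a run longer than the configured count; minimum-change compares positions and counts any length difference as changed characters; history is compared against plaintext here, where a device would compare stored hashes; minimum-age is time-based and is left out.

```python
import string
from dataclasses import dataclass, field

CLASSES = {
    "lowercase": set(string.ascii_lowercase),
    "uppercase": set(string.ascii_uppercase),
    "numeric": set(string.digits),
    "special-character": set(string.punctuation),
}


@dataclass
class PasswordPolicy:
    """Rules from the password and complexity-rules contexts. Only
    minimum-length has a page-stated default; the rest are off unless set."""
    minimum_length: int = 6
    minimum_classes: int = 0                       # distinct classes required
    required: dict = field(default_factory=dict)   # class -> minimum count
    credits: dict = field(default_factory=dict)    # class -> maximum credit
    repeated_characters: int = 0                   # 0 = no limit on runs
    allow_user_name: bool = True
    minimum_change: int = 0                        # chars that must differ from old
    history: int = 0                               # previous passwords remembered


def _class_counts(pw):
    return {name: sum(c in chars for c in pw) for name, chars in CLASSES.items()}


def _longest_run(pw):
    longest = run = 0
    for i, c in enumerate(pw):
        run = run + 1 if i and pw[i - 1] == c else 1
        longest = max(longest, run)
    return longest


def _differing_chars(new, old):
    # Assumption: position-wise comparison; extra length counts as changed.
    return sum(a != b for a, b in zip(new, old)) + abs(len(new) - len(old))


def check_password(policy, new, username, previous=()):
    """Return the list of rule violations; an empty list means accepted.
    previous: old passwords, most recent first (previous[0] is the current one).
    """
    problems = []
    counts = _class_counts(new)
    # Assumption: credits behave like pam_cracklib, so each class contributes
    # up to its credit toward the minimum length.
    effective = len(new) + sum(min(counts.get(k, 0), v) for k, v in policy.credits.items())
    if effective < policy.minimum_length:
        problems.append(f"shorter than minimum-length {policy.minimum_length}")
    if sum(1 for n in counts.values() if n) < policy.minimum_classes:
        problems.append(f"fewer than minimum-classes {policy.minimum_classes}")
    for cls, need in policy.required.items():
        if counts.get(cls, 0) < need:
            problems.append(f"needs at least {need} {cls} characters")
    if policy.repeated_characters and _longest_run(new) > policy.repeated_characters:
        problems.append(f"a character repeats more than {policy.repeated_characters} times")
    if not policy.allow_user_name and username.lower() in new.lower():
        problems.append("contains the username")
    if previous and policy.minimum_change and _differing_chars(new, previous[0]) < policy.minimum_change:
        problems.append(f"fewer than minimum-change {policy.minimum_change} characters differ")
    if policy.history and new in previous[:policy.history]:
        problems.append(f"matches one of the last {policy.history} passwords")
    return problems


if __name__ == "__main__":
    strict = PasswordPolicy(minimum_length=10, minimum_classes=3,
                            required={"numeric": 1}, repeated_characters=2,
                            allow_user_name=False, minimum_change=4, history=3)
    # Constructed sample inputs.
    print(check_password(strict, "Correct1Horse", "alice"))
    print(check_password(strict, "Alice1111xyz", "Alice", previous=["Alice1111xyz", "old"]))
```

The function reports every violated rule rather than stopping at the first, which is what an operator wants when explaining a rejected password; a device would typically report only that the password does not meet the policy.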
hashing {bcrypt | sha2-pbkdf2}
config>system>security>password
Supported on all 7210 SAS platforms as described in this document.
This command configures the password hashing algorithm.
Keyword to configure the bcrypt algorithm.
Keyword to configure the PBKDF2 algorithm.
[no] health-check [interval interval]
config>system>security>password
Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.
This command specifies that RADIUS and TACACS+ servers are monitored for 3 seconds each at 30-second intervals. Servers that are not configured will have 3 seconds of idle time. If in this process a server is found to be unreachable, or a previously unreachable server starts responding, a trap will be sent based on the type of the server.
The no form of this command disables the periodic monitoring of the RADIUS and TACACS+ servers. In this case, the operational status for the active server will be up if the last access was successful.
health-check
Specifies the interval of the health check, in seconds.
password
config>system>security
Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.
Commands in this context configure password management parameters.
public-keys
config>system>security>user
Supported on all 7210 SAS platforms as described in this document.
Commands in this context configure public keys for SSH.
ecdsa
config>system>security>user>public-keys
Supported on all 7210 SAS platforms as described in this document.
Commands in this context configure ECDSA public keys.
ecdsa-key ecdsa-public-key-id [create]
no ecdsa-key ecdsa-public-key-id
config>system>security>user>public-keys>ecdsa
Supported on all 7210 SAS platforms as described in this document.
This command creates an ECDSA public key and associates it with the username. Multiple public keys can be associated with the user. The key ID is used to identify these keys for the user.
The no form of this command removes the configured ECDSA public keys.
no ecdsa-key
Keyword to create an ECDSA key. The create keyword requirement can be enabled or disabled in the environment>create context.
Specifies the key identifier.
key-value public-key-value
no key-value
config>system>security>user>public-keys>ecdsa>ecdsa-key
Supported on all 7210 SAS platforms as described in this document.
This command configures a value for the ECDSA public key. The public key must be enclosed in quotation marks. The key is between 1 and 1024 bits.
The no form of this command removes the configured ECDSA public key value.
no key-value
Specifies the public key value, up to 255 characters.
rsa
config>system>security>user>public-keys
Supported on all 7210 SAS platforms as described in this document.
Commands in this context configure RSA public keys.
rsa-key rsa-public-key-id [create]
no rsa-key rsa-public-key-id
config>system>security>user>public-keys>rsa
Supported on all 7210 SAS platforms as described in this document.
This command creates an RSA public key and associates it with the username. Multiple public keys can be associated with the user. The key ID is used to identify these keys for the user.
The no form of this command removes the configured RSA public keys.
no rsa-key
Keyword to create the RSA key. The create keyword requirement can be enabled or disabled in the environment>create context.
Specifies the key identifier.
key-value rsa-public-key-value
no key-value
config>system>security>user>public-keys>rsa>rsa-key
Supported on all 7210 SAS platforms as described in this document.
This command configures a value for the RSA public key. The public key must be enclosed in quotation marks. The key is between 768 and 4096 bits.
The no form of this command removes the configured public key value.
no key-value
Specifies the public key value, up to 800 characters.
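Before pasting a key into the rsa-key key-value command it is worth checking it against the two limits the page states for RSA keys (768 to 4096 bits, at most 800 characters of key text), since an out-of-range key is rejected only at configuration time. The Python snippet below is an added example, not device code and not from Nokia: it decodes an OpenSSH-format ssh-rsa key body (base64 of the RFC 4251 wire encoding: type string, exponent, modulus), reads the modulus size, and reports whether the key is acceptable. It assumes that key-value takes the base64 body only, without the `ssh-rsa` prefix or comment. The `make_demo_rsa_key_text` helper builds a syntactically valid blob around a constructed modulus so the check can run offline; that modulus is just a number with the top bit set and is not a usable key.

```python
import base64
import struct

# Limits quoted on the page for rsa-key key-value.
RSA_MIN_BITS, RSA_MAX_BITS = 768, 4096
RSA_MAX_CHARS = 800


def _ssh_string(data):
    """Encode bytes as an SSH length-prefixed string (RFC 4251)."""
    return struct.pack(">I", len(data)) + data


def _mpint(n):
    """Encode a non-negative integer as an SSH mpint (big-endian, positive)."""
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big") or b"\x00"
    if raw[0] & 0x80:
        raw = b"\x00" + raw          # leading zero keeps the value positive
    return raw


def _parse_ssh_strings(blob):
    """Split an SSH wire blob into its length-prefixed fields."""
    fields, pos = [], 0
    while pos < len(blob):
        if pos + 4 > len(blob):
            raise ValueError("truncated length field")
        (n,) = struct.unpack(">I", blob[pos:pos + 4])
        pos += 4
        if pos + n > len(blob):
            raise ValueError("truncated field")
        fields.append(blob[pos:pos + n])
        pos += n
    return fields


def rsa_modulus_bits(key_text):
    """Return the RSA modulus size in bits for an OpenSSH base64 key body."""
    fields = _parse_ssh_strings(base64.b64decode(key_text, validate=True))
    if len(fields) != 3 or fields[0] != b"ssh-rsa":
        raise ValueError("not an ssh-rsa key blob")
    modulus = int.from_bytes(fields[2], "big")   # a leading 0x00 is harmless
    return modulus.bit_length()


def validate_rsa_key_value(key_text):
    """Check a key body against the page's limits before configuring it.
    Returns (ok, reason)."""
    if len(key_text) > RSA_MAX_CHARS:
        return False, f"key text longer than {RSA_MAX_CHARS} characters"
    try:
        bits = rsa_modulus_bits(key_text)
    except (ValueError, struct.error) as exc:
        return False, f"unparsable key: {exc}"
    if not RSA_MIN_BITS <= bits <= RSA_MAX_BITS:
        return False, f"modulus is {bits} bits, outside {RSA_MIN_BITS}-{RSA_MAX_BITS}"
    return True, f"ssh-rsa {bits}-bit"


def make_demo_rsa_key_text(bits):
    """Build a syntactically valid ssh-rsa blob around a CONSTRUCTED modulus.
    Not a usable key: the modulus is merely a number with the top bit set."""
    e, n = 65537, (1 << (bits - 1)) | 1
    blob = _ssh_string(b"ssh-rsa") + _ssh_string(_mpint(e)) + _ssh_string(_mpint(n))
    return base64.b64encode(blob).decode("ascii")


if __name__ == "__main__":
    for size in (512, 2048, 4096, 8192):
        text = make_demo_rsa_key_text(size)
        print(size, len(text), validate_rsa_key_value(text))
```

A 4096-bit ssh-rsa body is roughly 716 base64 characters, so it fits under the 800-character limit; an 8192-bit key fails the character limit before its modulus is even examined.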