[no] access [ftp] [snmp] [console]
config>system>security>user
config>system>security>user-template
Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.
This command grants user permission for FTP, SNMP, console, or lawful intercept (LI) access.
If a user requires access to more than one application, multiple applications can be specified in a single command. Multiple commands are treated additively.
The no form of this command removes access for a specific application. Entered without a keyword, no access denies all management access methods. To deny a single access method, add the method to the no form of the command; for example, no access ftp denies FTP access only.
Specifies FTP permission.
Specifies SNMP permission. This keyword is only configurable in the config>system>security>user context.
Specifies console access (serial port or Telnet) permission.
authentication none
authentication authentication-protocol key-1 [privacy none] [hash | hash2]
authentication authentication-protocol key-1 privacy privacy-protocol key-2 [hash | hash2]
no authentication
config>system>security>user>snmp
Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.
This command configures the SNMPv3 authentication protocol and key, and optionally the privacy (encryption) protocol and key, that the device uses to validate the user. Authentication lets the device verify that an SNMP message really came from the managing node that claims to have issued it and detect tampering with the message; privacy additionally encrypts the SNMP payload. With the default of authentication none, neither check is performed.
The no form of this command reverts to the default value.
authentication none
Specifies the SNMP authentication protocol.
Specifies the SNMP privacy protocol.
Keyword indicating that the key is supplied already encrypted with hashing algorithm version 1, the version-1 format used to store keys in the configuration file. When neither hash nor hash2 is given, the key is entered in cleartext and the system encrypts it before writing it to the configuration file. All keys are written to the configuration file in encrypted form, tagged with the hash or hash2 keyword.
Keyword indicating that the key is supplied already encrypted with hashing algorithm version 2, the default storage format; a key entered in cleartext is saved with hash2 without the user specifying the keyword. Version-2 encryption is node-specific, so a hash2 value copied from one node's configuration cannot be pasted into another node. Because the device must recover the actual SNMPv3 authentication and privacy keys to process messages, hash and hash2 denote reversible encryption of the stored value rather than a one-way hash; protect copies of the configuration file accordingly.
Specifies the authentication key (key-1) used with authentication-protocol to authenticate SNMP packets.
Specifies the privacy key (key-2) used with privacy-protocol to encrypt SNMP packets.
group group-name
no group
config>system>security>user>snmp
Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.
This command associates (or links) a user to a group name. The group must already be defined with the access command in the config>system>security>snmp context; that command links the group with one or more views, security models, security levels, and read, write, and notify permissions.
Specifies the group name, up to 32 alphanumeric characters, that is associated with this user. A user can be associated with one group name per security model.
[no] cannot-change-password
config>system>security>user>console
Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.
This command controls whether a user may change their own password for FTP and console login. The default (no cannot-change-password) allows the change.
To remove the user's privilege to change their password, use the cannot-change-password form of this command.
The cannot-change-password flag is not replicated when a user copy is performed. A new-password-at-login flag is created instead.
no cannot-change-password
console
config>system>security>user
config>system>security>user-template
Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.
Commands in this context configure user profile membership for the console (either Telnet or serial port user).
copy {user source-user | profile source-profile} to destination [overwrite]
config>system>security
Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.
This command copies the configuration of an existing user or profile to a new (destination) user or profile.
For a copied user, the password is set to an empty string (carriage return) and the new-password-at-login flag is set, so the user must choose a new password at first login.
Specifies the user, up to 32 characters, to copy. The user must already exist.
Specifies the destination user or profile, up to 32 characters.
Specifies that an existing destination configuration is overwritten with the copied source configuration. Without the overwrite keyword, an existing destination is not overwritten.
home-directory url-prefix [directory] [directory/directory…]
no home-directory
config>system>security>user
config>system>security>user-template
Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.
This command configures the local home directory for the user for both console and FTP access.
If the URL or the specified URL/directory structure is not present, a warning message is issued and the default is assumed.
The no form of this command removes the configured home directory.
When no home directory is configured, the result depends on restricted-to-home: if restricted-to-home is set, the user is granted no file access and no home directory is created; if it is not set, the root of the file system becomes the user's home directory.
no home-directory
Specifies the user local home directory URL prefix and directory structure, up to 190 characters.
profile user-profile-name
no profile
config>system>security>user-template
Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.
This command configures the profile for the user based on this template.
Specifies the user profile name entered as a character string. The string is case sensitive and limited to 32 ASCII 7-bit printable characters with no spaces.
[no] login-exec url-prefix: source-url
config>system>security>user>console
config>system>security>user-template>console
Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.
This command configures a user login exec file, which is executed whenever the user successfully logs in to a console session. Because the file runs at every login for that user, store it where only administrators can modify it.
Only one exec file can be configured. If multiple login-exec commands are entered for the same user, each subsequent entry overwrites the previous entry.
The no form of this command disables the login exec file for the user.
Specifies either a local or remote URL, up to 200 characters, that identifies the exec file that will be executed after the user successfully logs in.
member user-profile-name [user-profile-name…up to 8max]
no member user-profile-name
config>system>security>user>console
Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.
This command gives the user access to a profile.
A user can participate in up to eight profiles.
The no form of this command deletes user access to a profile.
default
Specifies the user profile name, up to 32 characters.
[no] new-password-at-login
config>system>security>user>console
Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.
This command forces the user to change their password at the next login. The new password also applies to FTP access, but the change can be enforced only at a console, SSH, or Telnet login, not at an FTP login.
The no form of this command does not force the user to change passwords.
no new-password-at-login
password [password] [hash | hash2]
config>system>security>user
Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.
This command configures the user password for console and FTP access.
The hash keyword indicates that the password being supplied, whether when the user is created or when an existing user's password is changed, is already in hashing algorithm version 1 form.
A password entered in cleartext is stored in the configuration file in encrypted form. Enclose the password in double quotes (" ") when creating it. The double quote character (") cannot appear inside a password; it is always interpreted as the start or end delimiter of the string.
The use of the hash2 keyword specifies that the specific password is already hashed using hashing algorithm version 2. A semantic check is performed on the specific password field to verify if it is a valid hash 2 key to store in the database.
For example:
config>system>security# user testuser1
config>system>security>user$ password "zx/Uhcn6ReMOZ3BVrWcvk." hash2
config>system>security>user# exit
config>system>security# info
-------------------------------------
...
user "testuser1"
password "zx/Uhcn6ReMOZ3BVrWcvk." hash2
exit
...
-------------------------------------
config>system>security#
Specifies the password the user must enter at login. The minimum length is determined by the minimum-length command; the maximum length is 20 characters if entered unhashed and 32 characters if entered hashed.
All special characters in a password (#, $, spaces, and so on) must be enclosed within double quotes, for example:
config>system>security>user# password "south#bay?"
The question mark character (?) cannot be typed directly during a Telnet or console session because it is bound to the help command.
To enter a # or ? character, compose the quoted password in a text editor or the clipboard and paste it into the session at the password field, with the double quotes as delimiters.
If the password keyword is entered without a parameter, an empty (zero-length) password is set, and the user is authenticated by pressing Enter at the password prompt.
Specifies that the specific password is already hashed using hashing algorithm version 1. A semantic check is performed on the specific password field to verify if it is a valid hash 1 key to store in the database.
Specifies that the specific password is already hashed using hashing algorithm version 2. A semantic check is performed on the specific password field to verify if it is a valid hash 2 key to store in the database.
[no] restricted-to-home
config>system>security>user
config>system>security>user-template
Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.
This command prevents users from navigating above their home directories for file access. A user is not allowed to navigate to a directory higher in the directory tree on the home directory device. The user is allowed to create and access subdirectories below their home directory.
If a home-directory is not configured or the home directory is not available, the user has no file access.
The no form of this command allows the user access to navigate to directories above their home directory.
no restricted-to-home
snmp
config>system>security>user
Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.
This command creates the context to configure SNMP group membership for a specific user and defines encryption and authentication parameters.
All SNMPv3 users must be configured with the commands available in this CLI node.
The 7210 SAS always uses the configured SNMPv3 username as the security username.
user-template {tacplus_default | radius_default}
config>system>security
Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.
This command configures default security user template parameters.
Specifies that the default TACACS+ user template is actively applied to the TACACS+ user.
Specifies that the default RADIUS user template is actively applied to the RADIUS user if no VSAs are returned with the auth-accept from the RADIUS server.
users
show
Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.
This command displays console user login and connection information.
user user-name
admin
config>system>security>user
Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.
Commands in this context edit the user configuration.
If a new user-name is entered, the user is created. When an existing user-name is specified, the user parameters can be edited.
When a new user is created and the info command is entered, the system displays a password line with a hash2 value even though no password has been set. This is expected: the hash is computed over the user name and an empty password, so the displayed value changes if the user name changes.
Until an administrator sets a password explicitly, the password is null and the user logs in by pressing Enter at the password prompt. Set a password as part of creating every user.
The no form of this command deletes the user and all configuration data. Users cannot delete themselves.
Specifies the name of the user, up to 16 characters.
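As an added example (not from the Nokia documentation), a Python script that parses an info dump in the layout shown above and flags the weak settings this section warns about: users with console or FTP access but no password line (the null-password case described under the user and password commands), SNMP users left at the default authentication none or configured with privacy none, and home directories configured without restricted-to-home. The sample configuration is constructed; the protocol keywords hmac-sha1-96 and aes-128-cfb and the cf1: URL prefix are assumed SR OS values not stated on this page, and the quoted key strings are placeholders rather than real hash2 output.

```python
"""Audit a 7210 SAS 'config>system>security# info' dump for weak local-user settings."""
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Constructed sample in the layout of the info output shown on this page (not a device dump).
# hmac-sha1-96, aes-128-cfb and the cf1: prefix are assumed SR OS keywords, not taken from this
# page; the quoted key strings are placeholders, not real hash2 output.
SAMPLE_INFO = """\
        user "netops"
            password "zx/Uhcn6ReMOZ3BVrWcvk." hash2
            access console ftp
            home-directory cf1:/netops
            restricted-to-home
            console
                member "administrative"
            exit
        exit
        user "nms"
            access snmp
            snmp
                authentication hmac-sha1-96 "AUTHKEY-placeholder" privacy aes-128-cfb "PRIVKEY-placeholder" hash2
                group "nms-readonly"
            exit
        exit
        user "legacy"
            access ftp snmp console
            home-directory cf1:/
            snmp
                authentication none
                group "nms-readonly"
            exit
        exit
"""

@dataclass
class User:
    name: str
    # sub-block path -> setting lines: '' is the user level, 'console' and 'snmp' the sub-contexts
    settings: dict[str, list[str]] = field(default_factory=dict)

def parse_users(info: str) -> list[User]:
    """Walk the info text; each 'exit' closes the innermost open block."""
    users: list[User] = []
    current: User | None = None
    path: list[str] = []
    for raw in info.splitlines():
        line = raw.strip()
        if not line or line.startswith(("...", "---", "config>")):
            continue  # prompt, separator and elision lines carry no settings
        if line == "exit":
            if path:
                path.pop()
            else:
                current = None
            continue
        m = re.fullmatch(r'user\s+"([^"]+)"', line)
        if m and current is None:
            current = User(m.group(1))
            users.append(current)
            continue
        if current is None:
            continue  # settings outside any user block are ignored
        if line in ("console", "snmp"):
            path.append(line)
            continue
        current.settings.setdefault("/".join(path), []).append(line)
    return users

def audit(user: User) -> list[tuple[str, str]]:
    """Return (code, explanation) findings for one user, using the defaults stated on this page."""
    top = user.settings.get("", [])
    snmp = user.settings.get("snmp", [])
    access: set[str] = set()
    for s in top:
        if s.startswith("access "):
            access.update(s.split()[1:])  # 'access console ftp' -> {'console', 'ftp'}
    findings = []
    if access & {"console", "ftp"} and not any(s.startswith("password") for s in top):
        findings.append(("empty-password", "no password line: login succeeds with Enter at the prompt"))
    if "snmp" in access:
        # no authentication line means the default, authentication none
        auth = next((s for s in snmp if s.startswith("authentication")), "authentication none")
        if auth == "authentication none":
            findings.append(("snmp-noauth", "SNMPv3 noAuthNoPriv (the default): no integrity or origin check"))
        elif " privacy none" in auth:
            findings.append(("snmp-nopriv", "SNMPv3 authNoPriv: payload travels in cleartext"))
    if any(s.startswith("home-directory") for s in top) and "restricted-to-home" not in top:
        findings.append(("unrestricted-home", "home-directory without restricted-to-home: user can browse above it"))
    return findings

def audit_all(info: str) -> dict[str, list[tuple[str, str]]]:
    return {u.name: audit(u) for u in parse_users(info)}

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_INFO).items():
        print(name, "OK" if not findings else [code for code, _ in findings])
```

Run it against a saved info dump instead of SAMPLE_INFO to review all local users at once; the "legacy" user in the sample trips all three checks, while "netops" and "nms" pass.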