password
config>system>security
This command enables the context to configure password management parameters.
admin-password password [hash | hash2]
no admin-password
config>system>security>password
This command allows a user (with admin permissions) to configure a password which enables a user to become an administrator for one session. When enabled, no authorization to TACACS+ or RADIUS is performed and the user is locally regarded as an admin user.
See the description for the enable-admin command. If the admin-password is configured in the config>system>security>password context, then any user can enter the admin mode by entering the enable-admin command and the correct admin password.
The minimum length of the password is determined by the minimum-length command. The complexity requirements for the password are determined by the complexity command.
The password argument of this command is not sent to the servers. This is consistent with other commands that configure secrets. Usernames and passwords in FTP and TFTP URLs are not sent to the authorization or accounting servers when the file>copy source-url dest-url command is executed.
For example:
file copy ftp://test:secret@192.0.2.0/test/srcfile cf3:\destfile
In this example, the username "test" and password "secret" are not sent to the AAA servers (or to any logs). They are replaced with "****".
See the description for the system-password command. Any user that either has administrative privileges or has entered enable-admin mode can run the admin>system>security>system-password admin-password command to change this admin-password as required.
The no form of the command removes the admin password from the configuration.
Default: no admin-password
password: configures the password that enables a user to become a system administrator. The maximum length is as follows:
56 characters if in unhashed plaintext
The unhashed plaintext form must meet all the requirements that are defined within the complexity-rules command context.
60 characters if hashed with bcrypt
from 87 to 92 characters if hashed with PBKDF2 SHA-2
from 131 to 136 characters if hashed with PBKDF2 SHA-3
32 characters if the hash keyword is specified
54 characters if the hash2 keyword is specified
hash: specifies that the key is entered and stored on the node in encrypted form
hash2: specifies that the key is entered and stored on the node in a more complex encrypted form
If neither the hash nor hash2 keyword is specified, the key is entered in clear text. However, for security purposes, the key is stored on the node as a bcrypt or PBKDF2 hash.
aging days
no aging
config>system>security>password
This command configures the number of days a user password is valid before the user must change their password.
The no form of the command reverts to the default value.
Default: no aging is enforced
days: the maximum number of days the password is valid
attempts count [time minutes1] [lockout minutes2]
no attempts
config>system>security>password
This command configures a threshold value of unsuccessful login attempts allowed in a specified time frame.
If the threshold is exceeded, the user is locked out for a specified time period.
If multiple attempts commands are entered, each command overwrites the previously entered command.
The no attempts command resets all values to the default.
Default: count 3, minutes1 5, minutes2 10
count: the number of unsuccessful login attempts allowed for the specified time. This is a mandatory value that must be explicitly entered.
minutes1: the period of time, in minutes, during which the specified number of unsuccessful attempts can be made before the user is locked out
minutes2: the lockout period, in minutes, during which the user is not allowed to log in
authentication-order [method-1] [method-2] [method-3] [exit-on-reject]
no authentication-order
config>system>security>password
This command configures the sequence in which password authentication, authorization, and accounting are attempted among RADIUS, TACACS+, and local passwords.
The order should be from the most preferred authentication method to the least preferred. The presence of all methods in the command line does not guarantee that they are all operational. Specifying options that are not available delays user authentication.
If all (operational) methods are attempted and no authentication for a particular login has been granted, then an entry in the security log registers the failed attempt. Both the attempted login identification and originating IP address are logged with a timestamp.
The no form of the command reverts to the default authentication sequence.
Default: authentication-order radius tacplus local
method-1: the first password authentication method to attempt
method-2: the second password authentication method to attempt
method-3: the third password authentication method to attempt
radius: RADIUS authentication
tacplus: TACACS+ authentication
local: password authentication based on the local password database
exit-on-reject: when enabled, if one of the AAA methods configured in the authentication order sends a reject, the next method in the order is not tried. If the exit-on-reject keyword is not specified and one AAA method sends a reject, the next AAA method is attempted. If all the AAA methods are exhausted in this process, the login is considered rejected.
A rejection is distinct from an unreachable authentication server. When the exit-on-reject keyword is specified, authorization and accounting use only the method that provided an affirmative authentication; other configured methods are attempted only if that method is no longer reachable or is removed from the configuration. If the local keyword is the first authentication method and:
exit-on-reject is configured and the user does not exist, the user is not authenticated
the user is authenticated locally, then other methods, if configured, are used for authorization and accounting
the user is configured locally but without console access, login is denied
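The following Python simulation walks an authentication order as described above, treating a server reject, an unreachable server and a local user without console access differently; it is example code added for this page, not the router's implementation, and the Result enum, the authenticate and local_result functions and the LOCAL_DB user table are constructed for illustration.

```python
from enum import Enum

class Result(Enum):
    ACCEPT = "accept"            # method authenticated the user
    REJECT = "reject"            # method answered and refused the login
    UNREACHABLE = "unreachable"  # no answer from the server (timeout, down)
    DENIED = "denied"            # local user exists but has no console access

def local_result(user, local_db):
    """Constructed model of the local password database check."""
    entry = local_db.get(user)
    if entry is None:
        return Result.REJECT          # unknown local user counts as a reject
    if not entry.get("console", False):
        return Result.DENIED          # exists locally but without console access
    return Result.ACCEPT

def authenticate(order, responses, exit_on_reject=False):
    """Walk the configured order; return (outcome, method that decided it)."""
    for method in order:
        result = responses.get(method, Result.UNREACHABLE)
        if result is Result.ACCEPT:
            # only this method is then used for authorization and accounting
            return ("accept", method)
        if result is Result.DENIED:
            return ("reject", method)   # login denied outright
        if result is Result.REJECT and exit_on_reject:
            return ("reject", method)   # explicit reject ends the sequence
        # reject without exit-on-reject, or an unreachable server: try the next
    return ("reject", None)             # every configured method exhausted

# Constructed scenario: RADIUS is down, TACACS+ rejects, local knows the user.
DEFAULT_ORDER = ["radius", "tacplus", "local"]   # the page's default order
LOCAL_DB = {"alice": {"console": True}, "bob": {"console": False}}

def scenario(user, exit_on_reject):
    responses = {
        "radius": Result.UNREACHABLE,
        "tacplus": Result.REJECT,
        "local": local_result(user, LOCAL_DB),
    }
    return authenticate(DEFAULT_ORDER, responses, exit_on_reject)
```

With the default order, alice is authenticated by the local database when exit-on-reject is off, but the TACACS+ reject stops the sequence when it is on, while the unreachable RADIUS server is skipped in both cases.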
complexity-rules
config>system>security>password
This command enables the context to configure security password complexity rules.
[no] allow-user-name
config>system>security>password>complexity-rules
This command allows a login name to be included as part of the password.
The no form of this command prevents a login name from being included as part of the password.
credits [lowercase credits] [uppercase credits] [numeric credits] [special-character credits]
no credits
config>system>security>password>complexity-rules
This command configures a credit value for each of the different character classes in a local password. When a password is created, credits are assigned for each character in a character class, up to the assigned credits limit. The credits each count as one additional character toward the minimum length of the password. This allows a trade-off between a very long, simple password and a short, complex one.
For example, if the password minimum length is seven and lowercase credits is set to 3, a password with four lowercase letters, such as "srty", is accepted. The first three lowercase letters are each given a credit worth one extra character. Combined with the four characters in the password, the total reaches the minimum length. If lowercase credits is set to 2 instead of 3, only the first two lowercase letters are given credit. In this case, the "srty" password is worth only six characters (four characters plus two extra characters from credits) and would fail to reach the seven character minimum length.
The no form of this command removes all credit values.
Default: no credits
credits: the number of credits allowed for each character class
minimum-classes minimum
no minimum-classes
config>system>security>password>complexity-rules
This command enforces a minimum number of different character classes to be used in the password. The possible character classes are lowercase letters, uppercase letters, numbers, and special characters.
The no form of this command removes the minimum character class requirement.
Default: no minimum-classes
minimum: the minimum number of character classes required in a password
minimum-length value
no minimum-length
config>system>security>password>complexity-rules
This command configures the minimum number of characters required for passwords.
If multiple minimum-length commands are entered, each command overwrites the previously entered command.
The no form of the command reverts to the default value.
Default: 6
value: the minimum number of characters required for a password
repeated-characters count
no repeated-characters
config>system>security>password>complexity-rules
This command configures the maximum number of times a character can be repeated consecutively in a password.
The no form of the command resets to the default value, which removes the restriction on repeated characters in passwords.
Default: no repeated-characters
count: the maximum number of consecutive repeated characters allowed in the password
required [lowercase count] [uppercase count] [numeric count] [special-character count]
no required
config>system>security>password>complexity-rules
This command configures the minimum number of characters from each character class that are required for a password to be valid.
The no form of the command removes the minimum required characters from each character class.
Default: no required
count: the minimum number of characters required from the character class
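To show how the complexity rules above combine (credits counting toward minimum-length, minimum-classes, required, repeated-characters and allow-user-name), here is a Python model of the check; it is example code added for this page, not SR OS code, and the ComplexityRules class, the check_password function and the assumption that credits count only toward minimum-length are constructed for illustration.

```python
from dataclasses import dataclass, field

# Character classes named on the page; each test returns True for a member.
CLASSES = {
    "lowercase": str.islower,
    "uppercase": str.isupper,
    "numeric": str.isdigit,
    "special-character": lambda c: not c.isalnum(),
}

@dataclass
class ComplexityRules:
    """Constructed model of the complexity-rules context (0 = rule disabled)."""
    minimum_length: int = 6                       # page default
    credits: dict = field(default_factory=dict)   # class -> credit limit
    minimum_classes: int = 0
    required: dict = field(default_factory=dict)  # class -> minimum count
    repeated_characters: int = 0
    allow_user_name: bool = True

def class_counts(password):
    return {name: sum(1 for c in password if test(c)) for name, test in CLASSES.items()}

def effective_length(password, rules):
    # real length plus one credit per class character, capped at that class's limit
    counts = class_counts(password)
    extra = sum(min(counts[name], limit) for name, limit in rules.credits.items())
    return len(password) + extra

def max_run(password):
    longest = run = 0   # longest run of one character repeated consecutively
    for i, c in enumerate(password):
        run = run + 1 if i and c == password[i - 1] else 1
        longest = max(longest, run)
    return longest

def check_password(password, rules, user_name=None):
    """Return the names of violated rules; an empty list means accepted."""
    counts = class_counts(password)
    problems = []
    if effective_length(password, rules) < rules.minimum_length:
        problems.append("minimum-length")
    if rules.minimum_classes and sum(1 for n in counts.values() if n) < rules.minimum_classes:
        problems.append("minimum-classes")
    for name, need in rules.required.items():
        if counts[name] < need:
            problems.append(f"required {name}")
    if rules.repeated_characters and max_run(password) > rules.repeated_characters:
        problems.append("repeated-characters")
    if not rules.allow_user_name and user_name and user_name.lower() in password.lower():
        problems.append("allow-user-name")
    return problems
```

Run against the page's own worked case, "srty" passes a minimum length of seven with lowercase credits 3 (4 + 3) and fails with credits 2 (4 + 2 = 6).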
hashing {bcrypt | sha2-pbkdf2 | sha3-pbkdf2}
config>system>security>password
This command configures the password hashing algorithm.
Default: bcrypt
bcrypt: sets the password hashing algorithm to bcrypt
sha2-pbkdf2: sets the password hashing algorithm to PBKDF2 with SHA-2 hashing
sha3-pbkdf2: sets the password hashing algorithm to PBKDF2 with SHA-3 hashing
[no] health-check [interval interval]
config>system>security>password
This command specifies that RADIUS and TACACS+ servers are monitored for 3 s each during every polling interval. Servers that are not configured have 3 s of idle time. If a server is found to be unreachable, or a previously unreachable server starts responding, depending on the type of server, a trap is sent.
The no form of the command disables the periodic monitoring of the RADIUS and TACACS+ servers. In this case, the operational status for the active server is up if the last access was successful.
Default: 30
interval: the polling interval for RADIUS and TACACS+ servers, in seconds
history-size size
no history-size
config>system>security>password
This command configures the number of previous passwords to save in the system. A new password is matched against every old password and is rejected if it is identical to a password in the history.
The no form of the command prevents password history matching.
Default: no history-size
size: specifies how many previous passwords are stored in the history
minimum-age [days days] [hrs hours] [min minutes] [sec seconds]
no minimum-age
config>system>security>password
This command configures the minimum required age of a password before it can be changed again.
The no form of this command removes the minimum password age requirement.
Default: no minimum-age
days: the minimum number of days before a password can be changed again
hours: the minimum number of hours before a password can be changed again
minutes: the minimum number of minutes before a password can be changed again
seconds: the minimum number of seconds before a password can be changed again
minimum-change length
no minimum-change
config>system>security>password
This command configures the minimum number of characters in a new password that must be unique from the previous password.
The no form of the command removes the unique character requirement.
Default: no minimum-change
length: the minimum number of characters in a new password that must be unique from the previous password