access-group [group-name]
show>system>security
This command displays SNMP access group information.
group-name: displays information for the specified access group
The following output is an example of system security access group information, and Table: System Security Access Group Field Descriptions describes the fields.
Output Example
A:ALU-4# show system security access-group
===============================================================================
Access Groups
===============================================================================
group name security security read write notify
model level view view view
-------------------------------------------------------------------------------
snmp-ro snmpv1 none no-security no-security
snmp-ro snmpv2c none no-security no-security
snmp-rw snmpv1 none no-security no-security no-security
snmp-rw snmpv2c none no-security no-security no-security
snmp-rwa snmpv1 none iso iso iso
snmp-rwa snmpv2c none iso iso iso
snmp-trap snmpv1 none iso
snmp-trap snmpv2c none iso
===============================================================================
A:ALU-7#
| Label | Description |
|---|---|
| Group name | The access group name |
| Security model | The security model required to access the views configured in this node |
| Security level | Specifies the required authentication and privacy levels to access the views configured in this node |
| Read view | Specifies the variable of the view to read the MIB objects |
| Write view | Specifies the variable of the view to configure the contents of the agent |
| Notify view | Specifies the variable of the view to send a trap about MIB objects |
authentication [statistics]
show>system>security
This command displays system login authentication configuration and statistics.
statistics: appends login and accounting statistics to the display
The following output is an example of system security authentication information, and Table: System Security Authentication Field Descriptions describes the fields.
Output Example
A:ALU-4# show system security authentication
===============================================================================
Authentication sequence : radius tacplus local
===============================================================================
type status timeout retry
server address (secs) count
-------------------------------------------------------------------------------
radius
10.10.10.103 up 5 5
radius
10.10.0.1 up 5 5
radius
10.10.0.2 up 5 5
tacplus
10.10.0.9(49) down 5 n/a
-------------------------------------------------------------------------------
radius admin status : up
tacplus admin status : down
health check : enabled (interval 30)
-------------------------------------------------------------------------------
No. of Servers: 4
===============================================================================
A:ALU-4#
A:ALU-7>show>system>security# authentication statistics
===============================================================================
Authentication sequence : radius tacplus local
===============================================================================
type status timeout retry
server address (secs) count
-------------------------------------------------------------------------------
radius
10.10.10.103 up 5 5
radius
10.10.0.1 up 5 5
radius
10.10.0.2 up 5 5
tacplus
10.10.0.9(49) down 5 n/a
-------------------------------------------------------------------------------
radius admin status : up
tacplus admin status : down
health check : enabled (interval 30)
-------------------------------------------------------------------------------
No. of Servers: 4
===============================================================================
Login Statistics
===============================================================================
server address conn accepted rejected
errors logins logins
-------------------------------------------------------------------------------
10.10.10.103 0 0 0
10.10.0.1 0 0 0
10.10.0.2 0 0 0
10.10.0.9 0 0 0
local n/a 1 0
===============================================================================
Authorization Statistics (TACACS+)
===============================================================================
server address conn sent rejected
errors pkts pkts
-------------------------------------------------------------------------------
10.10.0.9 0 0 0
===============================================================================
Accounting Statistics
===============================================================================
server address conn sent rejected
errors pkts pkts
-------------------------------------------------------------------------------
10.10.10.103 0 0 0
10.10.0.1 0 0 0
10.10.0.2 0 0 0
===============================================================================
A:ALU-7#
| Label | Description |
|---|---|
| Sequence | The sequence in which authentication is processed |
| Server address | The IP address of the RADIUS server |
| Status | The current status of the RADIUS server |
| Type | The authentication type |
| Timeout (secs) | The number of seconds the router waits for a response from a RADIUS server |
| Retry count | The number of times the router attempts to contact the RADIUS server for authentication if there are problems communicating with the server |
| Connection errors | The number of times a user has attempted to log in irrespective of whether the login succeeded or failed |
| Accepted logins | The number of times the user has successfully logged in |
| Rejected logins | The number of unsuccessful login attempts |
| Sent packets | The number of packets sent |
| Rejected packets | The number of packets rejected |
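The authentication and login-statistics output above is what an operator polls to confirm that AAA is healthy and that logins are going where they should. The script below is an added example (not Nokia's code or tooling): it parses that output into a structure and raises the findings a reviewer would act on, such as a server that is down, a protocol that is in the authentication sequence but administratively down, or logins accepted by local authentication. The sample text is a constructed copy of the page's output example, and the checks themselves are this script's assumptions, not documented behaviour.

```python
"""Parse and audit 'show system security authentication statistics' output.

Added example, not Nokia code. SAMPLE_AUTH is a constructed copy of the
page's output example; the findings raised are this script's own checks.
"""
import re

SAMPLE_AUTH = """\
===============================================================================
Authentication sequence : radius tacplus local
===============================================================================
type      status   timeout   retry
  server address   (secs)    count
-------------------------------------------------------------------------------
radius
  10.10.10.103     up        5         5
radius
  10.10.0.1        up        5         5
radius
  10.10.0.2        up        5         5
tacplus
  10.10.0.9(49)    down      5         n/a
-------------------------------------------------------------------------------
radius admin status : up
tacplus admin status : down
health check : enabled (interval 30)
-------------------------------------------------------------------------------
No. of Servers: 4
===============================================================================
Login Statistics
===============================================================================
server address     conn     accepted   rejected
                   errors   logins     logins
-------------------------------------------------------------------------------
10.10.10.103       0        0          0
10.10.0.1          0        0          0
10.10.0.2          0        0          0
10.10.0.9          0        0          0
local              n/a      1          0
===============================================================================
Authorization Statistics (TACACS+)
===============================================================================
server address     conn     sent       rejected
                   errors   pkts       pkts
-------------------------------------------------------------------------------
10.10.0.9          0        0          0
===============================================================================
"""

# One server row: address, optional (port), up/down, timeout seconds, retry count.
SERVER_RE = re.compile(r"^(?P<addr>\S+?)(?:\((?P<port>\d+)\))?\s+(?P<status>up|down)\s+(?P<timeout>\d+)\s+(?P<retry>\S+)$")
ADMIN_RE = re.compile(r"^(?P<type>radius|tacplus) admin status : (?P<state>up|down)$")


def _count(token):
    """'n/a' counters become None; everything else is an int."""
    return None if token == "n/a" else int(token)


def parse_authentication(text):
    """Return sequence, per-server rows, admin states and login statistics."""
    auth = {"sequence": [], "servers": [], "admin": {}, "logins": []}
    section, current_type = "servers", None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Authentication sequence"):
            auth["sequence"] = line.split(":", 1)[1].split()
        elif line in ("radius", "tacplus"):
            current_type = line  # the type sits on its own line above each server
        elif line.startswith("Login Statistics"):
            section = "logins"
        elif line.startswith(("Authorization Statistics", "Accounting Statistics")):
            section = "other"  # per-packet counters are not audited here
        elif section == "servers":
            m, a = SERVER_RE.match(line), ADMIN_RE.match(line)
            if m:
                auth["servers"].append({"type": current_type, "address": m["addr"], "port": m["port"],
                                        "status": m["status"], "timeout": int(m["timeout"]), "retry": m["retry"]})
            elif a:
                auth["admin"][a["type"]] = a["state"]
        elif section == "logins":
            tokens = line.split()
            if len(tokens) == 4 and tokens[0] != "server":  # skip the two header lines
                auth["logins"].append({"server": tokens[0], "conn_errors": _count(tokens[1]),
                                       "accepted": _count(tokens[2]), "rejected": _count(tokens[3])})
    return auth


def audit_authentication(auth):
    """Return human-readable findings; an empty list means nothing stood out."""
    findings = []
    for s in auth["servers"]:
        if s["status"] != "up":
            findings.append(f"{s['type']} server {s['address']} is {s['status']}")
    for kind, state in auth["admin"].items():
        if state != "up" and kind in auth["sequence"]:
            findings.append(f"{kind} is in the authentication sequence but administratively {state}")
    for row in auth["logins"]:
        if row["server"] == "local":
            if row["accepted"]:
                findings.append(f"local authentication accepted {row['accepted']} login(s); confirm the fallback was expected")
            continue
        if row["rejected"]:
            findings.append(f"{row['server']} rejected {row['rejected']} login(s)")
        if row["conn_errors"]:
            findings.append(f"{row['server']} reported {row['conn_errors']} connection error(s)")
    return findings


if __name__ == "__main__":
    for finding in audit_authentication(parse_authentication(SAMPLE_AUTH)):
        print(finding)
```

Feed it the captured output of `show system security authentication statistics` instead of `SAMPLE_AUTH` and it reports, for the page's example, the down TACACS+ server, the TACACS+ step that is still in the sequence while administratively down, and the one login that local authentication accepted.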
communities
show>system>security
This command displays SNMP communities and characteristics.
The following output is an example of community information, and Table: Communities Field Descriptions describes the fields.
Output Example
A:ALU-48# show system security communities
=============================================================================
Communities
=============================================================================
community access view version group name
-----------------------------------------------------------------------------
cli-readonly r iso v2c cli-readonly
cli-readwrite rw iso v2c cli-readwrite
public r no-security v1 v2c snmp-ro
-----------------------------------------------------------------------------
No. of Communities: 3
=============================================================================
A:ALU-48#
| Label | Description |
|---|---|
| Community | The community string name for SNMPv1 and SNMPv2c access only |
| Access | r: The community string allows read-only access |
| | rw: The community string allows read-write access |
| | rwa: The community string allows read-write access |
| | mgmt: The unique SNMP community string assigned to the management router |
| View | The view name |
| Version | The SNMP version |
| Group Name | The access group name |
| No of Communities | The total number of configured community strings |
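Because SNMPv1 and SNMPv2c communities carry no authentication or privacy, the communities table above is one of the first things to review on a router. The script below is an added example (not Nokia's code): it parses the table, taking care with the version column, which can hold more than one token (`v1 v2c`), and flags well-known community strings, SNMPv1 access and write access granted by a community. The sample is a constructed copy of the page's output example; the well-known-string list and the checks are this script's assumptions.

```python
"""Audit 'show system security communities' output.

Added example, not Nokia code. SAMPLE_COMMUNITIES is a constructed copy of
the page's output example; WELL_KNOWN and the checks are assumptions.
"""

SAMPLE_COMMUNITIES = """\
=============================================================================
Communities
=============================================================================
community                access view            version group name
-----------------------------------------------------------------------------
cli-readonly             r      iso             v2c     cli-readonly
cli-readwrite            rw     iso             v2c     cli-readwrite
public                   r      no-security     v1 v2c  snmp-ro
-----------------------------------------------------------------------------
No. of Communities: 3
=============================================================================
"""

# Assumed: community strings that every SNMP scanner tries first.
WELL_KNOWN = {"public", "private"}
ACCESS_VALUES = {"r", "rw", "rwa", "mgmt"}


def parse_communities(text):
    """Return one dict per community row.

    The 'version' column may contain several tokens ('v1 v2c'), so a row is
    split as: community, access, view, <one or more versions>, group name.
    Header, ruler and summary lines never have an access value in column 2.
    """
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[1] not in ACCESS_VALUES:
            continue
        rows.append({
            "community": fields[0],
            "access": fields[1],
            "view": fields[2],
            "versions": fields[3:-1],
            "group": fields[-1],
        })
    return rows


def audit_communities(rows):
    """Return (community, reason) pairs for the settings worth a second look."""
    findings = []
    for r in rows:
        if r["community"] in WELL_KNOWN:
            findings.append((r["community"], "well-known community string"))
        if "v1" in r["versions"]:
            findings.append((r["community"], "SNMPv1 permitted"))
        if r["access"] in {"rw", "rwa"}:
            findings.append((r["community"], "write access granted by a community string (no authentication or privacy)"))
    return findings


if __name__ == "__main__":
    for community, reason in audit_communities(parse_communities(SAMPLE_COMMUNITIES)):
        print(f"{community}: {reason}")
```

On the page's example the script reports `cli-readwrite` for write access and `public` twice, once for the well-known string and once for SNMPv1.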
cpm-filter ip-filter [entry entry-id]
cpm-filter ipv6-filter [entry entry-id]
show>system>security
This command displays information on CPM (CSM) filters.
If an entry number is not specified, all entries are displayed.
entry entry-id: displays information about the specified CPM filter entry
The following output is an example of CPM filter information, and Table: CPM Filter Field Descriptions describes the fields.
Output Example
A:ALU-35# show system security cpm-filter ip-filter
===============================================================================
CPM IP Filters
===============================================================================
Entry-Id Dropped Forwarded Description
-------------------------------------------------------------------------------
2 0 0 CPM filter #2
3 25880 0 CPM filter #3
4 25880 0 CPM filter #4
5 25882 0 CPM filter #5
6 25926 0 CPM filter #6
7 25926 0 CPM filter #7
8 25944 0 CPM filter #8
9 25950 0 CPM filter #9
10 25968 0 CPM filter #10
11 25984 0 CPM filter #11
12 26000 0 CPM filter #12
13 26018 0 CPM filter #13
14 26034 0 CPM filter #14
15 26050 0 CPM filter #15
===============================================================================
A:ALU-35#
A:ALU-35# show system security cpm-filter ip-filter entry 2
===============================================================================
CPM IP Filter Entry
===============================================================================
Entry Id : 2
Description : CPM filter #2
-------------------------------------------------------------------------------
Filter Entry Match Criteria :
-------------------------------------------------------------------------------
Log Id : 101
Src. IP : 10.4.101.2/32 Src. Port : 0
Dest. IP : 10.4.101.1/32 Dest. Port : 0
Protocol : tcp Dscp : ef
ICMP Type : Undefined ICMP Code : Undefined
Fragment : True Option-present : Off
IP-Option : n/a Multiple Option : True
TCP-syn : Off TCP-ack : True
Match action : Drop
Dropped pkts : 0 Forwarded pkts : 0
===============================================================================
A:ALU-35#
A:ALU-35# show system security cpm-filter ipv6-filter entry 101
===============================================================================
CPM IPv6 Filter Entry
===============================================================================
Entry Id : 1
Description : CPM-Filter 11::101:2 #101
-------------------------------------------------------------------------------
Filter Entry Match Criteria :
-------------------------------------------------------------------------------
Log Id : n/a
Src. IP : 11::101:2 Src. Port : 0
Dest. IP : 11::101:1 Dest. Port : 0
next-header : none Dscp : Undefined
ICMP Type : Undefined ICMP Code : Undefined
TCP-syn : Off TCP-ack : Off
Match action : Drop
Dropped pkts : 25880 Forwarded pkts : 0
===============================================================================
| Label | Description |
|---|---|
| CPM IP (or IPv6) Filter Entry | |
| Entry-id | Displays information about the specified CPM filter entry |
| Dropped | The number of dropped events |
| Forwarded | The number of forwarded events |
| Description | The CPM filter description |
| Filter Entry Match Criteria | |
| Log Id | The log ID where matched packets will be logged |
| Src. IP | The source IP address |
| Dest. IP | The destination IP address |
| Protocol | The Protocol field in the IP header (IPv4 filters only) |
| next-header | The next header ID. Undefined indicates no next header is specified. (IPv6 filters only) |
| ICMP Type | The ICMP type field in the ICMP header |
| Fragment | The 3-bit fragment flags or 13-bit fragment offset field (IPv4 filters only) |
| IP-Option | The IP option setting (IPv4 filters only) |
| TCP-syn | The SYN flag in the TCP header |
| Match action | When the criteria matches, displays drop or forward packet |
| Dropped pkts | The number of matched dropped packets |
| Src. Port | The source port number (range) |
| Dest. Port | The destination port number (range) |
| Dscp | The DSCP field in the IP header |
| ICMP Code | The ICMP code field in the ICMP header |
| Option-present | The option present setting (IPv4 filters only) |
| Multiple Option | The multiple option setting (IPv4 filters only) |
| TCP-ack | The ACK flag in the TCP header |
| Next Hop | If match action is forward, indicates destination of the matched packet |
| Forwarded pkts | Indicates number of matched forwarded packets |
keychain [keychain] [detail]
show>system>security
This command displays information about keychains.
If a keychain name is not specified, all keychains are displayed.
keychain: displays information about the specified keychain
detail: displays detailed keychain information
The following output is an example of keychain information, and Table: Keychain Field Descriptions describes the fields.
Output Example
===============================================================================
Key chain:ospf-md5
===============================================================================
Description : MD5 keychain for OSPF interfaces
TCP-Option number send : 254 Admin state : Up
TCP-Option number receive : 254 Oper state : Up
Used by : None
Expired : No
===============================================================================
*A:ALU-35#
A:ALU-35# show system security keychain ospf-md5 detail
===============================================================================
Key entries for key chain: ospf-md5
===============================================================================
Id : 0 Direction : send-receive
Algorithm : message-digest Option : none
Admin State : Up RX Valid : No
TX Active : No Tolerance : 300
Begin Time : 2016/06/01 01:01:00 Begin Time (UTC) : 2016/06/01 01:01:00
End Time : 2016/09/01 01:01:00 End Time (UTC) : 2016/09/01 01:01:00
===============================================================================
Id : 1 Direction : send-receive
Algorithm : message-digest Option : none
Admin State : Up RX Valid : Yes
TX Active : Yes Tolerance : 600
Begin Time : 2016/09/01 01:01:00 Begin Time (UTC) : 2016/09/01 01:01:00
End Time : Forever End Time (UTC) : Forever
===============================================================================
*A:Sar18 Dut-B#
| Label | Description |
|---|---|
| Key chain: name | |
| Description | The text string description for the keychain |
| TCP-Option number send | The TCP option number to be inserted in the header of sent TCP packets |
| Admin state | The administrative state of the keychain: up or down |
| TCP-Option number receive | The TCP option number that will be accepted in the header of received TCP packets |
| Oper state | The operational state of the keychain: up or down |
| Used by | The protocols associated with this keychain |
| Expired | Indicates whether the keychain has expired |
| Key entries for key chain: name | |
| Id | The ID of the key entry |
| Direction | The stream direction on which keys will be applied for this entry: send, receive, or send-receive |
| Algorithm | The encryption algorithm to be used by this key entry |
| Option | Indicates the configured IS-IS encoding standard (indicates "none" if the associated protocol is not IS-IS) |
| Admin State | The administrative state of the key entry: up or down |
| RX Valid | Indicates if the receive key is valid |
| TX Active | Indicates if the transmit (sent) key is active |
| Tolerance | The tolerance time configured for support of both currently active and new keys |
| Begin Time | The time at which the new key is used to sign and/or authenticate protocol packets |
| Begin Time (UTC) | The begin time in UTC time |
| End Time | The time at which the key is no longer eligible to authenticate protocol packets |
| End Time (UTC) | The end time in UTC time |
management-access-filter ip-filter [entry entry-id]
management-access-filter ipv6-filter [entry entry-id]
show>system>security
This command displays management access control filter information.
If no specific entry number is specified, all entries are displayed.
entry entry-id: displays information about the specified management access filter entry
The following output is an example of management access filter information, and Table: Management Access Filter Field Descriptions describes the fields.
Output Example
A:ALU-7# show system security management-access-filter ip-filter entry 1
=============================================================================
IPv4 Management Access Filters
=============================================================================
filter type: : ip
Def. Action : permit
Admin Status : enabled (no shutdown)
-----------------------------------------------------------------------------
Entry : 1
Description : test description
Src IP : 10.10.10.104
Src interface : undefined
Dest port : 10.10.10.103
Protocol : 6
Router : undefined
Action : permit
Log : disabled
Matches : 0
=============================================================================
A:ALU-7#
A:ALU-7# show system security management-access-filter ipv6-filter entry 2
=============================================================================
IPv6 Management Access Filter
=============================================================================
filter type : ipv6
Def. Action : permit
Admin Status : enabled (no shutdown)
-----------------------------------------------------------------------------
Entry : 1
Src IP : 2001::1/128
Flow label : undefined
Src interface : undefined
Dest port : undefined
Next-header : undefined
Router : undefined
Action : permit
Log : enabled
Matches : 0
=============================================================================
A:ALU-7#
| Label | Description |
|---|---|
| IPv4 (or IPv6) Management Access Filters | |
| filter type | The management access filter type |
| Def. Action | Permit: Specifies that packets not matching the configured selection criteria in any of the filter entries are permitted |
| | Deny: Specifies that packets not matching the configured selection criteria in any of the filter entries are denied and that an ICMP host unreachable message will be issued |
| | Deny-host-unreachable: Specifies that packets not matching the configured selection criteria in the filter entries are denied |
| Admin Status | Up: indicates that the management access filter is administratively enabled |
| | Down: indicates that the management access filter is administratively disabled |
| Entry | The entry ID in a policy or filter table |
| Description | A text string describing the filter |
| Src IP | The source IP address used for management access filter match criteria |
| Flow label | The flow label to match (IPv6 filters only) |
| Src interface | The interface name for the next hop to which the packet should be forwarded if it hits this filter entry |
| Dest port | The destination port |
| Next-header | The next header ID to match. Undefined indicates no next header is specified. (IPv6 filters only) |
| Protocol | The IP protocol to match (IPv4 filters only) |
| Action | The action to take for packets that match this filter entry |
| Matches | The number of times a management packet has matched this filter entry |
password-options
show>system>security
This command displays configured password options.
The following output is an example of password options information, and Table: Password Options Field Descriptions describes the fields.
Output Example
A:7705:Dut-A# show system security password-options
===============================================================================
Password Options
===============================================================================
Password aging in days : none
Time required between password changes : 0d 00:10:00
Number of invalid attempts permitted per login : 3
Time in minutes per login attempt : 5
Lockout period (when threshold breached) : 10
Authentication order : radius tacplus local
User password history length : disabled
Password hashing : bcrypt
Accepted password length : 6..56 characters
Credits for each character class : none
Number of required characters per class : none
Minimum number of required character classes : 0
Required distance with previous password : 5
Allow consecutively repeating a character : always
Allow passwords containing username : no
Palindrome allowed : no
===============================================================================
A:7705:Dut-A#
| Label | Description |
|---|---|
| Password aging in days | The number of days a user password is valid before the user must change their password |
| Time required between password changes | The time interval required before a password can be changed |
| Number of invalid attempts permitted per login | The number of unsuccessful login attempts allowed for the specified time |
| Time in minutes per login attempt | The period of time, in minutes, during which the specified number of unsuccessful attempts can be made before the user is locked out |
| Lockout period (when threshold breached) | The lockout period, in minutes, during which the user is not allowed to log in |
| Authentication order | The sequence in which password authentication is attempted among RADIUS, TACACS+, and local passwords |
| User password history length | The number of recent passwords stored in the history file to compare against new passwords. If a new password matches any of the passwords in the history file, it is rejected |
| Password hashing | The password hashing type, either bcrypt, sha2-pbkdf2, or sha3-pbkdf2 |
| Accepted password length | The minimum and maximum password length |
| Credits for each character class | The maximum number of credits given for each character class |
| Number of required characters per class | The minimum number of characters of each character class that is required in a password: uppercase, lowercase, numeric, or special character |
| Minimum number of required character classes | The number of different character classes that are required in a password: uppercase, lowercase, numeric, or special character |
| Required distance with previous password | The minimum number of characters in the new password that must differ from the old password |
| Allow consecutively repeating a character | The number of times the same character is allowed to be repeated consecutively in a new password |
| Allow passwords containing username | Displays whether the username is allowed as part of the password |
| Palindrome allowed | Displays whether palindromes are allowed as part of the password |
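The password-options output is a flat list of `Label : value` lines, which makes it easy to check a router against a written password policy instead of eyeballing it. The script below is an added example (not Nokia's code): it parses the output into a dictionary and compares the settings that matter most for brute-force and reuse resistance against a baseline. The sample is a constructed copy of the page's output example; the `BASELINE` thresholds are an assumed policy, not Nokia defaults, so adjust them to your own standard.

```python
"""Compare 'show system security password-options' output against a baseline.

Added example, not Nokia code. SAMPLE_PASSWORD_OPTIONS is a constructed copy
of the page's output; BASELINE is an assumed policy, not a Nokia default.
"""
import re

SAMPLE_PASSWORD_OPTIONS = """\
===============================================================================
Password Options
===============================================================================
Password aging in days                         : none
Time required between password changes         : 0d 00:10:00
Number of invalid attempts permitted per login : 3
Time in minutes per login attempt              : 5
Lockout period (when threshold breached)       : 10
Authentication order                           : radius tacplus local
User password history length                   : disabled
Password hashing                               : bcrypt
Accepted password length                       : 6..56 characters
Credits for each character class               : none
Number of required characters per class        : none
Minimum number of required character classes   : 0
Required distance with previous password       : 5
Allow consecutively repeating a character      : always
Allow passwords containing username            : no
Palindrome allowed                             : no
===============================================================================
"""

# Assumed policy (constructed for this example).
BASELINE = {
    "min_length": 12,           # shortest password the router should accept
    "min_history": 5,           # previous passwords a new one is compared against
    "max_invalid_attempts": 5,  # failed attempts allowed per login window
    "min_lockout_minutes": 10,  # lockout after the threshold is breached
}


def parse_password_options(text):
    """Map each 'Label : value' line to a dict; rulers and titles are skipped."""
    opts = {}
    for line in text.splitlines():
        if " : " in line:
            label, value = line.split(" : ", 1)
            opts[label.strip()] = value.strip()
    return opts


def _as_int(value):
    """Numeric settings arrive as strings; 'none' or 'disabled' become None."""
    return int(value) if value.isdigit() else None


def check_password_options(opts, baseline=BASELINE):
    """Return one finding per baseline violation; an empty list means compliant."""
    findings = []
    m = re.match(r"(\d+)\.\.(\d+)", opts.get("Accepted password length", ""))
    if not m or int(m.group(1)) < baseline["min_length"]:
        findings.append(f"minimum password length is below {baseline['min_length']}")
    history = _as_int(opts.get("User password history length", "disabled"))
    if history is None or history < baseline["min_history"]:
        findings.append(f"password history is disabled or shorter than {baseline['min_history']}")
    attempts = _as_int(opts.get("Number of invalid attempts permitted per login", ""))
    if attempts is None or attempts > baseline["max_invalid_attempts"]:
        findings.append(f"more than {baseline['max_invalid_attempts']} invalid attempts permitted per login")
    lockout = _as_int(opts.get("Lockout period (when threshold breached)", ""))
    if lockout is None or lockout < baseline["min_lockout_minutes"]:
        findings.append(f"lockout period is shorter than {baseline['min_lockout_minutes']} minutes")
    if opts.get("Allow passwords containing username") != "no":
        findings.append("passwords may contain the username")
    if opts.get("Allow consecutively repeating a character") == "always":
        findings.append("no limit on consecutively repeated characters")
    return findings


if __name__ == "__main__":
    for finding in check_password_options(parse_password_options(SAMPLE_PASSWORD_OPTIONS)):
        print(finding)
```

Against the page's example the script flags the 6-character minimum, the disabled password history and the unlimited repeated characters; the 3-attempt threshold and 10-minute lockout pass the assumed baseline.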
profile user-profile-name
show>system>security
This command displays user profile information.
If the user-profile-name is not specified, then information for all profiles is displayed.
user-profile-name: displays information for the specified user profile
The following output is an example of user profile information, and Table: User Profile Field Descriptions describes the fields.
Output Example
A:ALU-7# show system security profile administrative
===============================================================================
User Profile
===============================================================================
User Profile : administrative
Def. Action : permit-all
LI : no
-------------------------------------------------------------------------------
Entry : 10
Description :
Match Command: configure system security
Action : permit
-------------------------------------------------------------------------------
Entry : 20
Description :
Match Command: show system security
Action : permit
-------------------------------------------------------------------------------
No. of profiles: 1
===============================================================================
A:ALU-7#
| Label | Description |
|---|---|
| User Profile | The profile name used to deny or permit user console access to a hierarchical branch or to specific commands |
| Def. action | Permit all: Permits access to all commands |
| | Deny: Denies access to all commands |
| | None: No action is taken |
| Entry | The entry ID in a policy or filter table |
| Description | Displays the text string describing the entry |
| Match Command | Displays the command or subtree commands in subordinate command levels |
| Action | Permit all: Commands matching the entry command match criteria are permitted |
| | Deny: Commands not matching the entry command match criteria are not permitted |
| No. of profiles | The total number of profiles listed |
source-address
show>system>security
This command displays the source address configured for applications.
The following output is an example of source address information, and Table: Source Address Field Descriptions describes the fields.
Output Example
A:ALU-1# show system security source-address
===============================================================================
Source-Address applications
===============================================================================
Application IP address/Interface Name Oper status
-------------------------------------------------------------------------------
telnet 10.20.1.7 Up
radius loopback1 Up
===============================================================================
A:ALU-1#
| Label | Description |
|---|---|
| Application | The source-address application |
| IP address/Interface Name | The source address IP address or interface name |
| Oper status | Up: The source address is operationally up |
| | Down: The source address is operationally down |
ssh
show>system>security
This command displays all the SSH sessions as well as the SSH status and fingerprint. The type of SSH application (CLI, SCP, or SFTP) is indicated for each SSH connection.
The following output is an example of SSH information for an SSH server, and Table: SSH Field Descriptions describes the fields.
Output Example
*A:dut-c# show system security ssh
===============================================================================
SSH Server
===============================================================================
Administrative State : Enabled
Operational State : Up
Preserve Key : Disabled
Key-re-exchange : 60 minutes / 1024 MB
SSH Protocol Version 1 : Enabled
RSA Host Key Fingerprint : 6d:62:bc:5c:6e:0d:35:f3:f0:ee:fc:a4:5e:96:31:58
SSH Protocol Version 2 : Enabled
DSA Host Key Fingerprint : 22:44:66:55:4a:48:ac:de:55:a5:a5:59:83:07:ff:eb
RSA Host Key Fingerprint : 25:d9:54:74:2e:9c:b0:d5:5e:2f:7a:49:e1:6c:e7:98
-------------------------------------------------------------------------------
Connection Username
Version Cipher ServerName Status
MAC Key-re-exchange
KEX
-------------------------------------------------------------------------------
192.170.0.100 admin
2 arcfour cli connected
hmac-md5 60 minutes / 1024 MB
diffie-hellman-group-exchange-sha1
-------------------------------------------------------------------------------
Number of SSH sessions : 1
===============================================================================
| Label | Description |
|---|---|
| Administrative State | The administrative state of the SSH server: enabled or disabled |
| Operational State | The operational state of the SSH server: up or down |
| Preserve Key | Enabled: preserve-key is enabled |
| | Disabled: preserve-key is disabled |
| Key-re-exchange | The maximum minutes elapsed and maximum megabytes transmitted before a key re-exchange is initiated |
| SSH Protocol Version 1 | Enabled: SSHv1 is enabled |
| | Disabled: SSHv1 is disabled |
| SSH Protocol Version 2 | Enabled: SSHv2 is enabled |
| | Disabled: SSHv2 is disabled |
| DSA Host Key Fingerprint / RSA Host Key Fingerprint | The key fingerprint is the Digital Signature Algorithm (DSA) or Rivest, Shamir, and Adleman (RSA) host server's identity. Clients trying to connect to the server verify the server fingerprint. If the server fingerprint is not known, the client will get a warning message that the server may be spoofed and they will not be allowed to log in until the administrator fixes the issue. |
| Connection | The IP address of the connected routers (remote client) |
| Username | The name of the user |
| Version | The SSH protocol version |
| Cipher | The cipher used by the SSH session |
| MAC | The MAC algorithm used by the SSH session |
| KEX | The KEX algorithm used by the SSH session |
| ServerName | The type of SSH application (CLI, SCP, or SFTP) |
| Status | The status of the connection |
| Number of SSH sessions | The total number of SSH sessions |
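The SSH output above shows both the server configuration (protocol versions, host keys) and, per session, the cipher, MAC and key-exchange method that were actually negotiated, which is what a hardening review needs. The script below is an added example (not Nokia's code): it parses the server block, tagging each host-key fingerprint with the protocol version it appears under, splits the four-line session records, and flags SSHv1, a DSA host key and weak negotiated algorithms. The sample is a constructed copy of the page's output example; the weak-algorithm sets are this script's assumptions.

```python
"""Parse 'show system security ssh' output and flag weak settings.

Added example, not Nokia code. SAMPLE_SSH is a constructed copy of the page's
output example; WEAK_CIPHERS, WEAK_MACS and WEAK_KEX are assumed lists.
"""

SAMPLE_SSH = """\
===============================================================================
SSH Server
===============================================================================
Administrative State         : Enabled
Operational State            : Up
Preserve Key                 : Disabled
Key-re-exchange              : 60 minutes / 1024 MB
SSH Protocol Version 1       : Enabled
RSA Host Key Fingerprint     : 6d:62:bc:5c:6e:0d:35:f3:f0:ee:fc:a4:5e:96:31:58
SSH Protocol Version 2       : Enabled
DSA Host Key Fingerprint     : 22:44:66:55:4a:48:ac:de:55:a5:a5:59:83:07:ff:eb
RSA Host Key Fingerprint     : 25:d9:54:74:2e:9c:b0:d5:5e:2f:7a:49:e1:6c:e7:98
-------------------------------------------------------------------------------
Connection                   Username
   Version Cipher            ServerName                         Status
      MAC                    Key-re-exchange
         KEX
-------------------------------------------------------------------------------
192.170.0.100                admin
   2       arcfour           cli                                connected
      hmac-md5               60 minutes / 1024 MB
         diffie-hellman-group-exchange-sha1
-------------------------------------------------------------------------------
Number of SSH sessions : 1
===============================================================================
"""

# Assumed: algorithms a review would reject (RC4, CBC legacy ciphers, MD5/truncated MACs, SHA-1 KEX).
WEAK_CIPHERS = {"arcfour", "arcfour128", "arcfour256", "3des-cbc", "blowfish-cbc"}
WEAK_MACS = {"hmac-md5", "hmac-md5-96", "hmac-sha1-96"}
WEAK_KEX = {"diffie-hellman-group1-sha1", "diffie-hellman-group-exchange-sha1"}


def parse_ssh(text):
    """Return (server_settings, sessions) from the show output."""
    lines = text.splitlines()
    rulers = [i for i, line in enumerate(lines) if line.startswith("----")]
    server, version = {}, None
    for line in lines[:rulers[0]]:
        if " : " not in line:
            continue
        label, value = (s.strip() for s in line.split(" : ", 1))
        if label.startswith("SSH Protocol Version"):
            version = "v" + label.split()[-1]     # fingerprints that follow belong to this version
        elif label.endswith("Fingerprint") and version:
            label = f"{version} {label}"          # keeps the v1 and v2 RSA keys distinct
        server[label] = value
    # Each session is four lines: client/user, version/cipher/app/status, MAC/rekey, KEX.
    sessions = []
    body = lines[rulers[1] + 1:rulers[2]]
    for i in range(0, len(body) - 3, 4):
        l1, l2, l3, l4 = (body[i + k].split() for k in range(4))
        sessions.append({"client": l1[0], "user": l1[1], "version": l2[0], "cipher": l2[1],
                         "app": l2[2], "status": l2[3], "mac": l3[0], "kex": l4[0]})
    return server, sessions


def audit_ssh(server, sessions):
    """Return findings for the server configuration and every active session."""
    findings = []
    if server.get("SSH Protocol Version 1") == "Enabled":
        findings.append("server: SSH protocol version 1 is enabled")
    if "v2 DSA Host Key Fingerprint" in server:
        findings.append("server: ssh-dss host key offered (1024-bit DSA, disabled by default in current OpenSSH clients)")
    for s in sessions:
        who = f"{s['client']} ({s['user']}, {s['app']})"
        if s["version"] != "2":
            findings.append(f"{who}: negotiated SSH protocol version {s['version']}")
        if s["cipher"] in WEAK_CIPHERS:
            findings.append(f"{who}: weak cipher {s['cipher']}")
        if s["mac"] in WEAK_MACS:
            findings.append(f"{who}: weak MAC {s['mac']}")
        if s["kex"] in WEAK_KEX:
            findings.append(f"{who}: weak key exchange {s['kex']}")
    return findings


if __name__ == "__main__":
    for finding in audit_ssh(*parse_ssh(SAMPLE_SSH)):
        print(finding)
```

For the page's example this yields five findings: SSHv1 enabled, a DSA host key, and a session that negotiated arcfour, hmac-md5 and SHA-1 group exchange.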
cert-profile name association
cert-profile [name]
cert-profile name entry 1..8
show>system>security>tls
This command displays information about TLS certificate profiles.
name: the name of a certificate profile for which to display information
entry 1..8: the certificate profile entry number for which to display information
The following outputs are examples of client certificate profile information.
Output Example
*A:7705# show system security tls cert-profile
===============================================================================
Certificate Profile
===============================================================================
Certificate Profile Name AdminState OperState OperFlags
-------------------------------------------------------------------------------
certProfile1 up up
===============================================================================
A:7705# show system security tls cert-profile "certProfile1"
===============================================================================
Certificate Profile Entry "certProfile1"
===============================================================================
Id Certificate File Name Key File Name Status Flags
-------------------------------------------------------------------------------
1 sarcert1 sarkey1
===============================================================================
*A:7705# show system security tls cert-profile "certProfile1" entry 1
===============================================================================
TLS Certificate Profile: "certProfile1" Entry: 1 Detail
===============================================================================
Certificate File : sarcert1
Key File : sarkey1
Status Flags : (Not Specified)
===============================================================================
*A:7705# show system security tls cert-profile "certProfile1" association
===============================================================================
TLS Client Profiles using cert-profile "certProfile1"
===============================================================================
TLS Client Profile Name
-------------------------------------------------------------------------------
tlsClientProfile
-------------------------------------------------------------------------------
Number of TLS Client Profile entries: 1
===============================================================================
client-tls-profile [client-tls-profile]
client-tls-profile client-tls-profile association
client-tls-profile client-tls-profile [connections]
show>system>security>tls
This command displays TLS client profile information.
client-tls-profile: the name of the client TLS profile
The following outputs are examples of TLS client profile information.
Output Example
*A:7705# show system security tls client-tls-profile "tlsClientProfile"
===============================================================================
Client Profile Entry "tlsClientProfile"
===============================================================================
Cipher List Name : tlsClientCipherList
Certificate Profile Name : certProfile1
Trust Anchor Profile Name : trustAnchorProfile1
===============================================================================
A:7705:Dut-A# show system security tls client-tls-profile "tlsClientProfile" connections
===============================================================================
Active TLS connections using client-tls-profile "tlsClientProfile"
===============================================================================
Cipher Client Signature Server Signature
Matched Trust Anchor Server IP
-------------------------------------------------------------------------------
Pcep
1 AES_128_CCM_8_SHA256 RSASSA-PSS-SHA256 RSASSA-PSS-SHA256
rootCA 10.20.1.4:4189
-------------------------------------------------------------------------------
Number of TLS connections: 1
===============================================================================
user [user-id] [detail]
user [user-id] lockout
show>system>security
This command displays user registration and security information. You can clear lockouts for users with the lockout command.
If no command line options are specified, summary information for all users displays.
user-id: displays information for the specified user
detail: adds detailed user information to the summary output
lockout: displays information about users that are currently locked out for too many failed login attempts
The following output is an example of user information, and Table: User Field Descriptions describes the fields.
Output Example
*A:7705:Dut-C# show system security user detail
===============================================================================
Users
===============================================================================
User ID New User Permissions Password Login Failed Local
Pwd console ftp li snmp netconf Expires Attempts Logins Conf
-------------------------------------------------------------------------------
admin n y n n n n never 8 0 y
user3 n y n n n n never 21 9 y
-------------------------------------------------------------------------------
Number of users : 2
===============================================================================
===============================================================================
User Configuration Detail
===============================================================================
===============================================================================
user id : admin
-------------------------------------------------------------------------------
console parameters
-------------------------------------------------------------------------------
new pw required : no cannot change pw : no
home directory :
restricted to home : no
login exec file :
profile : administrative
locked-out : no
-------------------------------------------------------------------------------
snmp parameters
-------------------------------------------------------------------------------
auth protocol : hmac-sha2-512
auth key : ffb8bb4392ccab627d903db396cd928fdde5ac8cdb78e7b6ecb39bde2c
3ec67c8380cd0d91dfe6f30c041d9819a34e297994c3b759e68f2db075
4bc408e3a001
privacy protocol : cfb128-aes-256
privacy key : ffb8bb4392ccab627d903db396cd928fdde5ac8cdb78e7b6ecb39bde2c
3ec67c
group : moje
===============================================================================
*A:7705:Dut-C#
ALU-7# show system security user lockout
===============================================================================
Currently Failed Login Attempts
===============================================================================
User ID Remaining Login attempts Remaining Lockout Time (min:sec)
-------------------------------------------------------------------------------
jason123 N/A 9:56
-------------------------------------------------------------------------------
Number of users : 1
===============================================================================
| Label | Description |
|---|---|
| Users | |
| User ID | The name of a system user |
| New Pwd | y: the user must change their password at the next login; n: the user is not forced to change their password at the next login |
| User Permissions | |
| console | y: the user is authorized for console access; n: the user is not authorized for console access |
| ftp | y: the user is authorized for FTP access; n: the user is not authorized for FTP access |
| li | y: the user is authorized for lawful intercept (LI) access; n: the user is not authorized for LI access |
| snmp | y: the user is authorized for SNMP access; n: the user is not authorized for SNMP access |
| netconf | y: the user is authorized for NETCONF access (not supported on the 7705 SAR); n: the user is not authorized for NETCONF access (always set to this for the 7705 SAR) |
| Password Expires | The number of days the user has left before they must change their login password |
| Login Attempts | The number of times the user has attempted to log in, regardless of whether the login succeeded or failed |
| Failed Logins | The number of unsuccessful login attempts |
| Local Conf | y: password authentication is based on the local password database; n: password authentication is not based on the local password database |
| Number of users | The total number of listed users |
| User Configuration Detail | |
| console parameters | |
| new pwd required | yes: the user must change their password at the next login; no: the user is not forced to change their password at the next login |
| cannot change pw | yes: the user has the ability to change the login password; no: the user does not have the ability to change the login password |
| home directory | The local home directory for the user for both console and FTP access |
| restricted to home | Yes: the user is not allowed to navigate to a directory higher in the directory tree on the home directory device; No: the user is allowed to navigate to a directory higher in the directory tree on the home directory device |
| login exec file | The user’s login exec file, which executes whenever the user successfully logs in to a console session |
| profile | The security profiles associated with the user |
| locked-out | Indicates whether the user is locked out, and if they are locked out, how much time remains before the user can attempt to log in to the node again |
| snmp parameters | |
| auth protocol | The SNMPv3 authentication protocol |
| auth key | The SNMPv3 authentication key |
| privacy protocol | The SNMPv3 privacy protocol |
| privacy key | The SNMPv3 privacy key |
| group | The group to which the protocols apply |
| Currently Failed Login Attempts | |
| Remaining Login attempts | The number of login attempts remaining before the user is locked out |
| Remaining Lockout Time (min:sec) | The time remaining before the lockout time expires and the user can attempt another login |
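An added example, not code from the Nokia documentation, that parses the summary `Users` table and the `user lockout` output in the formats shown above and flags the rows a security reviewer would act on (repeated failed logins, FTP accounts whose password never expires, current lockouts). The sample output, the `backup` user, the threshold and the function names are constructed for the example.

```python
import re

# Constructed sample in the column layout of this page's `show system security user` example.
USERS_OUTPUT = """\
User ID   New User Permissions         Password Login    Failed Local
          Pwd console ftp li snmp netconf Expires Attempts Logins Conf
-------------------------------------------------------------------------------
admin     n   y   n   n  n    n       never   8        0      y
user3     n   y   n   n  n    n       never   21       9      y
backup    n   n   y   n  y    n       never   3        0      n
-------------------------------------------------------------------------------
"""
# Constructed sample in the layout of the `show system security user lockout` example.
LOCKOUT_OUTPUT = """\
User ID   Remaining Login attempts   Remaining Lockout Time (min:sec)
-------------------------------------------------------------------------------
jason123  N/A                        9:56
"""
# One data row: user id, New Pwd, five permission flags, expiry, two counters, Local Conf.
USER_ROW = re.compile(
    r"^(?P<uid>\S+)\s+(?P<newpwd>[yn])\s+(?P<console>[yn])\s+(?P<ftp>[yn])\s+"
    r"(?P<li>[yn])\s+(?P<snmp>[yn])\s+(?P<netconf>[yn])\s+(?P<expires>\S+)\s+"
    r"(?P<attempts>\d+)\s+(?P<failed>\d+)\s+(?P<local>[yn])\s*$")
LOCKOUT_ROW = re.compile(r"^(?P<uid>\S+)\s+\S+\s+(?P<min>\d+):(?P<sec>\d{2})\s*$")

def parse_users(text):
    """Return {user_id: fields} for each data row; header and separator lines never match."""
    users = {}
    for m in filter(None, map(USER_ROW.match, text.splitlines())):
        f = m.groupdict()
        f["attempts"], f["failed"] = int(f["attempts"]), int(f["failed"])
        users[f.pop("uid")] = f
    return users

def parse_lockouts(text):
    """Return {user_id: remaining lockout time in seconds} from the lockout output."""
    return {m["uid"]: int(m["min"]) * 60 + int(m["sec"])
            for m in map(LOCKOUT_ROW.match, text.splitlines()) if m}

def review(users, lockouts, failed_threshold=5):
    """Findings a reviewer would act on: repeated failures, FTP accounts whose
    password never expires, and accounts currently locked out."""
    findings = []
    for uid, f in sorted(users.items()):
        if f["failed"] >= failed_threshold:
            findings.append((uid, f"{f['failed']} failed logins"))
        if f["ftp"] == "y" and f["expires"] == "never":
            findings.append((uid, "FTP access with non-expiring password"))
    for uid, secs in sorted(lockouts.items()):
        findings.append((uid, f"locked out, {secs}s remaining"))
    return findings
```

Feed the two parsers the text captured from the node and pass the results to `review`; the column regex depends only on the field order, not on the exact spacing.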
When the 7705 SAR acts as an SSH server with PKI support, a client can authenticate with PKI or with a password. SSH clients usually attempt both PKI and password authentication when PKI is configured on the client; in that case, most clients try PKI before falling back to password authentication.
All client authentications are logged and shown in the show>system>security>user detail output. Table: Pass/Fail Login Attempts shows the rules that determine when an attempt is logged as a pass or as a failure.
| Authentication Order | Client (for example, PuTTY): Private Key Programmed | Server (for example, 7705 SAR): Public Key Configured | Server (for example, 7705 SAR): Password Configured | CLI Show System Security Attempts: Login Attempts | CLI Show System Security Attempts: Failed Logins |
|---|---|---|---|---|---|
| 1. Public key 2. Password | Yes | Yes | N/A | Increment | — |
| 1. Public key 2. Password | Yes | Yes (if no match between client and server, go to password) | Yes | Increment | — |
| 1. Public key 2. Password | Yes | No | Yes | Increment | — |
| 1. Public key 2. Password | No | N/A | Yes | Increment | — |
| 1. Public key 2. Password | No | N/A | No | — | Increment |
| 1. Public key (only) | Yes | Yes | N/A | Increment | — |
| 1. Public key (only) | Yes | Yes (if no match between client and server, go to password) | N/A | — | Increment |
| 1. Public key (only) | Yes | No | N/A | — | Increment |
| 1. Public key (only) | No | N/A | N/A | — | Increment |
view [view-name] [detail] [capabilities]
show>system>security
This command displays one or all views and permissions in the MIB-OID tree.
view-name: specifies the name of the view to display. If no view name is specified, the complete list of views displays.
detail: displays detailed view information
The following output is an example of view information, and Table: View Field Descriptions describes the fields.
Output Example
A:ALU-48# show system security view
===============================================================================
Views
===============================================================================
view name oid tree mask permission
-------------------------------------------------------------------------------
iso 1 included
read1 1.1.1.1 11111111 included
write1 2.2.2.2 11111111 included
testview 1 11111111 included
testview 1.3.6.1.2 11111111 excluded
mgmt-view 1.3.6.1.2.1.2 included
mgmt-view 1.3.6.1.2.1.4 included
mgmt-view 1.3.6.1.2.1.5 included
mgmt-view 1.3.6.1.2.1.6 included
mgmt-view 1.3.6.1.2.1.31 included
mgmt-view 1.3.6.1.2.1.77 included
mgmt-view 1.3.6.1.4.1.6527.3.1.2.3.7 included
mgmt-view 1.3.6.1.4.1.6527.3.1.2.3.11 included
vprn-view 1.3.6.1.2.1.2 included
vprn-view 1.3.6.1.2.1.4 included
vprn-view 1.3.6.1.2.1.5 included
vprn-view 1.3.6.1.2.1.6 included
vprn-view 1.3.6.1.2.1.7 included
vprn-view 1.3.6.1.2.1.23 included
vprn-view 1.3.6.1.2.1.31 included
vprn-view 1.3.6.1.2.1.77 included
vprn-view 1.3.6.1.4.1.6527.3.1.2.3.7 included
vprn-view 1.3.6.1.4.1.6527.3.1.2.3.11 included
vprn-view 1.3.6.1.4.1.6527.3.1.2.20.1 included
no-security 1 included
no-security 1.3.6.1.6.3 excluded
no-security 1.3.6.1.6.3.10.2.1 included
no-security 1.3.6.1.6.3.11.2.1 included
no-security 1.3.6.1.6.3.15.1.1 included
on-security 2 00000000 included
-------------------------------------------------------------------------------
No. of Views: 30
===============================================================================
A:ALU-48#
| Label | Description |
|---|---|
| view name | The name of the view. Views control the accessibility of a MIB object within the configured MIB view and subtree |
| oid tree | The object identifier of the ASN.1 subtree |
| mask | The bit mask that defines a family of view subtrees |
| permission | Indicates whether each view is included or excluded |
| No. of Views | The total number of views |
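An added example, not code from the Nokia documentation, showing how the oid tree, mask and permission rows of a view decide whether a given OID is reachable. The matching rules are those of the RFC 3415 vacmViewTreeFamilyTable (a 1 mask bit requires an exact match, a 0 bit is a wildcard, sub-identifiers beyond the mask count as 1, and among matching rows the one with the most sub-identifiers wins); the view rows are transcribed from the output example above, and the function names are mine.

```python
# Added example (not Nokia's code): decide whether an OID is visible in an SNMP view
# built from rows of `show system security view` (oid tree, mask, permission), using
# the RFC 3415 vacmViewTreeFamilyTable matching rules.

def _family_matches(oid, subtree, mask):
    """True if `oid` lies under `subtree`. For each subtree sub-identifier, a '1' mask
    bit requires an exact match, a '0' bit is a wildcard, and sub-identifiers beyond
    the mask length are treated as '1' (so a blank mask means exact match throughout)."""
    if len(oid) < len(subtree):
        return False
    for i, sub in enumerate(subtree):
        must_match = mask[i] == "1" if i < len(mask) else True
        if must_match and oid[i] != sub:
            return False
    return True

def oid_in_view(view_rows, oid):
    """Return True if `oid` (dotted string) is accessible in the view given as
    (subtree, mask, permission) rows. The matching family with the most
    sub-identifiers wins (ties: the lexicographically greatest subtree) and its
    permission ("included"/"excluded") decides; no matching row means not accessible."""
    target = tuple(int(x) for x in oid.split("."))
    best = None  # (subtree tuple, permission) of the winning family so far
    for subtree, mask, permission in view_rows:
        sub = tuple(int(x) for x in subtree.split("."))
        if not _family_matches(target, sub, mask):
            continue
        if best is None or (len(sub), sub) > (len(best[0]), best[0]):
            best = (sub, permission)
    return best is not None and best[1] == "included"

# View rows transcribed from the output example above; a blank mask column is "".
TESTVIEW = [("1", "11111111", "included"), ("1.3.6.1.2", "11111111", "excluded")]
NO_SECURITY = [("1", "", "included"), ("1.3.6.1.6.3", "", "excluded"),
               ("1.3.6.1.6.3.10.2.1", "", "included"),
               ("1.3.6.1.6.3.11.2.1", "", "included"),
               ("1.3.6.1.6.3.15.1.1", "", "included")]
ON_SECURITY = [("2", "00000000", "included")]  # all-zero mask: the sub-identifier is a wildcard

if __name__ == "__main__":
    # sysDescr.0 sits under the excluded mib-2 subtree of testview but is visible in no-security.
    print(oid_in_view(TESTVIEW, "1.3.6.1.2.1.1.1.0"), oid_in_view(NO_SECURITY, "1.3.6.1.2.1.1.1.0"))
    # snmpEngineID.0 is re-included below the excluded 1.3.6.1.6.3 subtree of no-security.
    print(oid_in_view(NO_SECURITY, "1.3.6.1.6.3.10.2.1.1.0"))
```

Running the last row shows why mask values deserve review: an all-zero mask on a one-sub-identifier subtree matches every OID, not just the 2 branch.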