aaa authentication login
Use the aaa authentication login Global Configuration mode command to set one or more authentication methods to be applied during login. Use the no form of this command to restore the default authentication method.
Syntax
aaa authentication login {default | list-name} method1 [method2…]
no aaa authentication login {default | list-name}
Parameters
- default—Uses the authentication methods that follow this argument as the default method list when a user logs in (this list is unnamed).
- list-name—Specifies a name of a list of authentication methods activated when a user logs in. (Length: 1–12 characters)
- method1 [method2…]—Specifies a list of methods that the authentication algorithm tries (in the given sequence). Each additional authentication method is used only if the previous method returns an error, not if it fails. To ensure that the authentication succeeds even if all methods return an error, specify none as the final method in the command line. Select one or more methods from the following list:

| Keyword | Description |
|---------|-------------|
| enable | Uses the enable password for authentication. |
| line | Uses the line password for authentication. |
| local | Uses the locally-defined usernames for authentication. |
| none | Uses no authentication. |
| radius | Uses the list of all RADIUS servers for authentication. |
| tacacs | Uses the list of all TACACS+ servers for authentication. |
Default Configuration
If no methods are specified, the default is the locally-defined users and passwords. This is the same as entering the command aaa authentication login local.
Command Mode
Global Configuration mode
User Guidelines
Create a list of authentication methods by entering this command with the list-name parameter, where list-name is any character string. The method arguments identify the list of methods that the authentication algorithm tries, in the given sequence.
The default and list names created with this command are used with the login authentication command.
The no aaa authentication login list-name command deletes a list-name only if it has not been referenced by another command.
Example
The following example sets the authentication login methods for the console.
```
switchxxxxxx(config)# aaa authentication login authen-list radius local none
switchxxxxxx(config)# line console
switchxxxxxx(config-line)# login authentication authen-list
```
aaa authentication enable
The aaa authentication enable Global Configuration mode command sets one or more authentication methods for accessing higher privilege levels. To restore the default authentication method, use the no form of this command.
Syntax
aaa authentication enable {default | list-name} method1 [method2…]
no aaa authentication enable {default | list-name}
Parameters
- default—Uses the listed authentication methods that follow this argument as the default method list, when accessing higher privilege levels.
- list-name —Specifies a name for the list of authentication methods activated when a user accesses higher privilege levels. (Length: 1–12 characters)
- method1 [method2…]—Specifies a list of methods that the authentication algorithm tries, in the given sequence. The additional authentication methods are used only if the previous method returns an error, not if it fails. Specify none as the final method in the command line to ensure that the authentication succeeds, even if all methods return an error. Select one or more methods from the following list:

| Keyword | Description |
|---------|-------------|
| enable | Uses the enable password for authentication. |
| line | Uses the line password for authentication. |
| none | Uses no authentication. |
| radius | Uses the list of all RADIUS servers for authentication. |
| tacacs | Uses the list of all TACACS+ servers for authentication. |
Default Configuration
The enable password command defines the default authentication login method. This is the same as entering the command aaa authentication enable default enable.
On a console, the enable password is used if a password exists. If no password is set, authentication still succeeds. This is the same as entering the command aaa authentication enable default enable none.
Command Mode
Global Configuration mode
User Guidelines
Create a list by entering the aaa authentication enable list-name method1 [method2…] command where list-name is any character string used to name this list. The method argument identifies the list of methods that the authentication algorithm tries, in the given sequence.
The default and list names created by this command are used with the enable authentication command.
All aaa authentication enable requests sent by the device to a RADIUS server include the username $enabx$, where x is the requested privilege level.
All aaa authentication enable requests sent by the device to a TACACS+ server include the username that is entered for login authentication.
The additional methods of authentication are used only if the previous method returns an error, not if it fails. Specify none as the final method in the command line to ensure that the authentication succeeds even if all methods return an error.
no aaa authentication enable list-name deletes list-name if it has not been referenced.
Example
The following example sets the enable password for authentication for accessing higher privilege levels.
```
switchxxxxxx(config)# aaa authentication enable enable-list radius none
switchxxxxxx(config)# line console
switchxxxxxx(config-line)# enable authentication enable-list
```
login authentication
The login authentication Line Configuration mode command specifies the login authentication method list for a remote Telnet or console session. Use the no form of this command to restore the default authentication method.
Syntax
login authentication {default | list-name}
no login authentication
Parameters
- default—Uses the default list created with the aaa authentication login command.
- list-name—Uses the specified list created with the aaa authentication login command.
Default Configuration
default
Command Mode
Line Configuration Mode
Examples
Example 1 – The following example specifies the login authentication method as the default method for a console session.
```
switchxxxxxx(config)# line console
switchxxxxxx(config-line)# login authentication default
```
Example 2 – The following example sets the authentication login methods for the console as a list of methods.
```
switchxxxxxx(config)# aaa authentication login authen-list radius local none
switchxxxxxx(config)# line console
switchxxxxxx(config-line)# login authentication authen-list
```
enable authentication
The enable authentication Line Configuration mode command specifies the authentication method for accessing a higher privilege level from a remote Telnet or console. Use the no form of this command to restore the default authentication method.
Syntax
enable authentication {default | list-name}
no enable authentication
Parameters
- default—Uses the default list created with the aaa authentication enable command.
- list-name—Uses the specified list created with the aaa authentication enable command.
Default Configuration
default.
Command Mode
Line Configuration Mode
Examples
Example 1 – The following example specifies the authentication method as the default method when accessing a higher privilege level from a console.
```
switchxxxxxx(config)# line console
switchxxxxxx(config-line)# enable authentication default
```
Example 2 – The following example sets a list of authentication methods for accessing higher privilege levels.
```
switchxxxxxx(config)# aaa authentication enable enable-list radius none
switchxxxxxx(config)# line console
switchxxxxxx(config-line)# enable authentication enable-list
```
ip http authentication
The ip http authentication Global Configuration mode command specifies authentication methods for HTTP server access. Use the no form of this command to restore the default authentication method.
Syntax
ip http authentication aaa login-authentication method1 [method2…]
no ip http authentication aaa login-authentication
Parameters
- method1 [method2…]—Specifies a list of methods that the authentication algorithm tries, in the given sequence. The additional authentication methods are used only if the previous method returns an error, not if it fails. Specify none as the final method in the command line to ensure that the authentication succeeds, even if all methods return an error. Select one or more methods from the following list:

| Keyword | Description |
|---------|-------------|
| local | Uses the local username database for authentication. |
| none | Uses no authentication. |
| radius | Uses the list of all RADIUS servers for authentication. |
| tacacs | Uses the list of all TACACS+ servers for authentication. |
Default Configuration
The local user database is the default authentication login method. This is the same as entering the ip http authentication local command.
Command Mode
Global Configuration mode
User Guidelines
The command is relevant for HTTP and HTTPS server users.
Example
The following example specifies the HTTP access authentication methods.
```
switchxxxxxx(config)# ip http authentication aaa login-authentication radius local none
```
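The fallthrough rule stated under aaa authentication login, aaa authentication enable and ip http authentication (a later method is consulted only when the previous one returns an error, never when it fails, and a trailing none accepts any login once every server has errored) is easy to misread, so here is a small model of it. This is an added example, not the switch's code; the RADIUS and local backends, usernames and passwords are constructed.

```python
"""Model of the AAA method-list rule this page states: the next method in the
list is consulted only when the previous one returns an ERROR (it could not
decide), never when it FAILs (it decided and rejected the user).
Added example, not the switch's code; backends and credentials are constructed."""
from enum import Enum
from typing import Callable, Dict, List, Optional, Tuple


class Result(Enum):
    PASS = "pass"    # the method authenticated the user
    FAIL = "fail"    # the method reached a decision and rejected the user
    ERROR = "error"  # the method could not decide, e.g. no server answered


Method = Callable[[str, str], Result]


class RadiusBackend:
    """Constructed stand-in for 'the list of all RADIUS servers'."""
    def __init__(self, users: Dict[str, str], reachable: bool = True):
        self.users, self.reachable = users, reachable

    def __call__(self, user: str, password: str) -> Result:
        if not self.reachable:
            return Result.ERROR  # no server reachable: an error, not a failure
        return Result.PASS if self.users.get(user) == password else Result.FAIL


class LocalBackend:
    """Constructed stand-in for the locally defined usernames (local)."""
    def __init__(self, users: Dict[str, str]):
        self.users = users

    def __call__(self, user: str, password: str) -> Result:
        return Result.PASS if self.users.get(user) == password else Result.FAIL


def none_method(user: str, password: str) -> Result:
    """'none' uses no authentication, so it always passes."""
    return Result.PASS


def evaluate(method_list: List[str], methods: Dict[str, Method],
             user: str, password: str) -> Tuple[Result, Optional[str]]:
    """Walk the list in order; report the outcome and the method that decided it."""
    for name in method_list:
        result = methods[name](user, password)
        if result is Result.ERROR:
            continue              # only an error moves on to the next method
        return result, name       # PASS or FAIL is final; later methods are never tried
    return Result.ERROR, None     # every method errored and no 'none' ended the list


def scenarios() -> Dict[str, Tuple[Result, Optional[str]]]:
    """Four logins against lists in the style of 'authen-list radius local none'."""
    local = LocalBackend({"admin": "local-pw"})
    radius_up = RadiusBackend({"admin": "radius-pw"})
    radius_down = RadiusBackend({"admin": "radius-pw"}, reachable=False)
    up = {"radius": radius_up, "local": local, "none": none_method}
    down = {"radius": radius_down, "local": local, "none": none_method}
    return {
        # RADIUS answers and rejects: local is never consulted and 'none' is never reached
        "radius_rejects": evaluate(["radius", "local", "none"], up, "admin", "local-pw"),
        # RADIUS unreachable: the list falls through to local, which accepts
        "radius_down_local_ok": evaluate(["radius", "local", "none"], down, "admin", "local-pw"),
        # RADIUS unreachable and only 'none' follows: any name and password is accepted
        "radius_down_none": evaluate(["radius", "none"], down, "anyone", ""),
        # RADIUS unreachable and nothing follows: the login cannot succeed at all
        "radius_down_no_fallback": evaluate(["radius"], down, "admin", "radius-pw"),
    }


if __name__ == "__main__":
    for name, (result, decided_by) in scenarios().items():
        print(f"{name:24s} -> {result.value} (decided by {decided_by})")
```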
show authentication methods
The show authentication methods Privileged EXEC mode command displays information about the authentication methods.
Syntax
show authentication methods
Parameters
N/A
Default Configuration
N/A
Command Mode
Privileged EXEC mode
Example
The following example displays the authentication configuration:
```
switchxxxxxx# show authentication methods

Login Authentication Method Lists
---------------------------------
Default: Radius, Local, Line
Console_Login: Line, None

Enable Authentication Method Lists
----------------------------------
Default: Radius, Enable
Console_Enable(with authorization): Enable, None

Line       Login Method List   Enable Method List
--------   -----------------   ------------------
Console    Console_Login       Console_Enable
Telnet     Default             Default
SSH        Default             Default

HTTP, HHTPS: Radius, local
Dot1x: Radius
```
password
Use the password Line Configuration mode command to specify a password on a line (also known as an access method, such as a console or Telnet). Use the no form of this command to return to the default password.
Syntax
password password [encrypted]
no password
Parameters
- password—Specifies the password for this line. (Length: 0–159 characters)
- encrypted—Specifies that the password is encrypted and copied from another device configuration.
Default Configuration
No password is defined.
Command Mode
Line Configuration Mode
Example
The following example specifies the password ‘secret’ on a console.
```
switchxxxxxx(config)# line console
switchxxxxxx(config-line)# password secret
```
enable password
Use the enable password Global Configuration mode command to set a local password to control access to normal and privilege levels. Use the no form of this command to return to the default password.
Syntax
enable password [level privilege-level] {unencrypted-password | encrypted encrypted-password}
no enable password [level level]
Parameters
- level privilege-level—Level for which the password applies. If not specified, the level is 15. (Range: 1–15)
- unencrypted-password—Password for this level. (Range: 0–159 chars)
- encrypted encrypted-password—Specifies that the password is encrypted. Use this keyword to enter a password that is already encrypted (for instance, one that you copied from the configuration file of another device). (Range: 1–40)
Default Configuration
Default for level is 15.
Passwords are encrypted by default.
Command Mode
Global Configuration mode
User Guidelines
When the administrator configures a new enable password, this password is encrypted automatically and saved to the configuration file. No matter how the password was entered, it appears in the configuration file with the keyword encrypted and the encrypted value.
If the administrator wants to manually copy a password that was configured on one switch (for instance, switch B) to another switch (for instance, switch A), the administrator must add encrypted in front of this encrypted password when entering the enable command in switch A. In this way, the two switches will have the same password.
Passwords are encrypted by default. You are only required to use the encrypted keyword when you are actually entering an already-encrypted password.
Examples
Example 1 – The command sets a password that has already been encrypted. It will be copied to the configuration file just as it is entered. To use it, the user must know its unencrypted form.
```
switchxxxxxx(config)# enable password encrypted 4b529f21c93d4706090285b0c10172eb073ffebc4
```
Example 2 – The command sets an unencrypted password for level 7 (it will be encrypted in the configuration file).
```
switchxxxxxx(config)# enable password level 7 let-me-in
```
service password-recovery
Use the service password-recovery Global Configuration mode command to enable the password-recovery mechanism. This mechanism allows an end user with physical access to the console port of the device to enter the boot menu and trigger the password recovery process. Use the no service password-recovery command to disable the password-recovery mechanism. When the password-recovery mechanism is disabled, accessing the boot menu is still allowed and the user can still trigger the password recovery process. The difference is that in this case all the configuration files and all the user files are removed. The following log message is generated to the terminal: “All the configuration and user files were removed”.
Syntax
service password-recovery
no service password-recovery
Parameters
N/A
Default Configuration
The service password recovery is enabled by default.
Command Mode
Global Configuration mode
User Guidelines
- If password recovery is enabled, the user can access the boot menu and trigger the password recovery in the boot menu. All configuration files and user files are kept.
- If password recovery is disabled, the user can access the boot menu and trigger the password recovery in the boot menu. The configuration files and user files are removed.
- If a device is configured to protect its sensitive data with a user-defined passphrase (Secure Sensitive Data), then the user cannot trigger the password recovery from the boot menu even if password recovery is enabled.
Example
The following command disables password recovery:
```
switchxxxxxx(config)# no service password-recovery
Note that choosing to use Password recovery option in the Boot Menu during the boot process will remove the configuration files and the user files.
Would you like to continue ? Y/N.
```
username
Use the username Global Configuration mode command to establish a username-based authentication system. Use the no form to remove a user name.
Syntax
username name {nopassword | {password {unencrypted-password | {encrypted encrypted-password}}} | {privilege privilege-level {unencrypted-password | {encrypted encrypted-password}}}}
no username name
Parameters
- name—The name of the user. (Range: 1–20 characters)
- nopassword—No password is required for this user to log in.
- password—Specifies the password for this username. (Range: 1–64)
- unencrypted-password—The authentication password for the user. (Range: 1–159)
- encrypted encrypted-password—Specifies that the password is MD5 encrypted. Use this keyword to enter a password that is already encrypted (for instance, one that you copied from the configuration file of another device). (Range: 1–40)
- privilege privilege-level—Privilege level for which the password applies. If not specified, the level is 1. (Range: 1–15)
Default Configuration
No user is defined.
Command Mode
Global Configuration mode
Usage Guidelines
The last level 15 user (regardless of whether it is the default user or any user) cannot be removed and cannot be a remote user.
Examples
Example 1 – Sets an unencrypted password for user tom (level 15). It will be encrypted in the configuration file.
```
switchxxxxxx(config)# username tom password 1234
```
Example 2 – Sets a password for user jerry (level 15) that has already been encrypted. It will be copied to the configuration file just as it is entered. To use it, the user must know its unencrypted form.
```
switchxxxxxx(config)# username jerry privilege 15 encrypted 4b529f21c93d4706090285b0c10172eb073ffebc4
```
show users accounts
The show users accounts Privileged EXEC mode command displays information about the users local database.
Syntax
show users accounts
Parameters
N/A
Default Configuration
N/A
Command Mode
Privileged EXEC mode
Example
The following example displays information about the users local database:
```
switchxxxxxx# show users accounts

Username    Privilege    Password Expiry date
--------    ---------    --------------------
Bob         15           Jan 18 2005
Robert      15           Jan 19 2005
Smith       15
```
The following table describes the significant fields shown in the display:
| Field | Description |
|-------|-------------|
| Username | The user name. |
| Privilege | The user’s privilege level. |
| Password Expiry date | The user’s password expiration date. |
aaa accounting login
Use the aaa accounting login command in Global Configuration mode to enable accounting of device management sessions. Use the no form of this command to disable accounting.
Syntax
aaa accounting login start-stop group {radius | tacacs+}
no aaa accounting login start-stop
Parameters
- group radius—Uses a RADIUS server for accounting.
- group tacacs+—Uses a TACACS+ server for accounting.
Default Configuration
Disabled
Command Mode
Global Configuration mode
User Guidelines
This command enables the recording of device management sessions (Telnet, serial and WEB but not SNMP).
It records only users that were identified with a username (e.g. a user that was logged in with a line password is not recorded).
If accounting is activated, the device sends “start”/“stop” messages to a RADIUS server when a user logs in / logs out, respectively.
The device uses the configured priorities of the available RADIUS/TACACS+ servers in order to select the RADIUS/TACACS+ server.
The following table describes the supported RADIUS accounting attributes values, and in which messages they are sent by the switch.
| Name | Start Message | Stop Message | Description |
|------|---------------|--------------|-------------|
| User-Name (1) | Yes | Yes | User’s identity. |
| NAS-IP-Address (4) | Yes | Yes | The switch IP address that is used for the session with the RADIUS server. |
| Class (25) | Yes | Yes | Arbitrary value included in all accounting packets for a specific session. |
| Called-Station-ID (30) | Yes | Yes | The switch IP address that is used for the management session. |
| Calling-Station-ID (31) | Yes | Yes | The user IP address. |
| Acct-Session-ID (44) | Yes | Yes | A unique accounting identifier. |
| Acct-Authentic (45) | Yes | Yes | Indicates how the supplicant was authenticated. |
| Acct-Session-Time (46) | No | Yes | Indicates how long the user was logged in. |
| Acct-Terminate-Cause (49) | No | Yes | Reports why the session was terminated. |
The following table describes the supported TACACS+ accounting arguments and in which messages they are sent by the switch.
| Name | Description | Start Message | Stop Message |
|------|-------------|---------------|--------------|
| task_id | A unique accounting session identifier. | Yes | Yes |
| user | The username that is entered for login authentication. | Yes | Yes |
| rem-addr | IP address of the user. | Yes | Yes |
| elapsed-time | Indicates how long the user was logged in. | No | Yes |
| reason | Reports why the session was terminated. | No | Yes |
Example
```
switchxxxxxx(config)# aaa accounting login start-stop group radius
```
Verge Documentation – English//Authentication, Authorization and Accounting (AAA) Commands
Angora Networks Product Support Portal
aaa accounting dot1x
To enable accounting of 802.1x sessions, use the aaa accounting dot1x Global Configuration mode command. Use the no form of this command to disable accounting.
Syntax
aaa accounting dot1x start-stop group radius
no aaa accounting dot1x start-stop group radius
Parameters
N/A
Default Configuration
Disabled
Command Mode
Global Configuration mode
User Guidelines
This command enables the recording of 802.1x sessions.
If accounting is activated, the device sends start/stop messages to a RADIUS server when a user logs in / logs out to the network, respectively.
The device uses the configured priorities of the available RADIUS servers in order to select the RADIUS server.
If a new supplicant replaces an old supplicant (even if the port state remains authorized), the software sends a stop message for the old supplicant and a start message for the new supplicant.
In multiple sessions mode (dot1x multiple-hosts authentication), the software sends start/stop messages for each authenticated supplicant.
In multiple hosts mode (dot1x multiple-hosts), the software sends start/stop messages only for the supplicant that has been authenticated.
The software does not send start/stop messages if the port is force-authorized.
The software does not send start/stop messages for hosts that are sending traffic on the guest VLAN or on the unauthenticated VLANs.
The following table describes the supported RADIUS accounting attribute values and when they are sent by the switch.

| Name | Start | Stop | Description |
|------|-------|------|-------------|
| User-Name (1) | Yes | Yes | Supplicant’s identity. |
| NAS-IP-Address (4) | Yes | Yes | The switch IP address that is used for the session with the RADIUS server. |
| NAS-Port (5) | Yes | Yes | The switch port from where the supplicant has logged in. |
| Class (25) | Yes | Yes | The arbitrary value that is included in all accounting packets for a specific session. |
| Called-Station-ID (30) | Yes | Yes | The switch MAC address. |
| Calling-Station-ID (31) | Yes | Yes | The supplicant MAC address. |
| Acct-Session-ID (44) | Yes | Yes | A unique accounting identifier. |
| Acct-Authentic (45) | Yes | Yes | Indicates how the supplicant was authenticated. |
| Acct-Session-Time (46) | No | Yes | Indicates how long the supplicant was logged in. |
| Acct-Terminate-Cause (49) | No | Yes | Reports why the session was terminated. |
| NAS-Port-Type (61) | Yes | Yes | Indicates the supplicant physical port type. |
Example
```
switchxxxxxx(config)# aaa accounting dot1x start-stop group radius
```
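To make the attribute tables under aaa accounting login and aaa accounting dot1x concrete, the following encoder and decoder builds the Start and Stop records of one management session as RFC 2866 Accounting-Request packets (the 802.1x table uses the same encoding with the extra NAS-Port and NAS-Port-Type attributes) and verifies the Request Authenticator on receipt, which is the check a collector should apply before trusting a record. This is an added example, not the switch's own code; the addresses, session id, Class value and shared secret are constructed, and Acct-Authentic is assumed to report RADIUS authentication.

```python
"""RADIUS Accounting-Request (RFC 2866) encoder/decoder for the attributes listed in
the login-accounting and 802.1x-accounting tables on this page. Added example, not the
switch's code; addresses, session id, Class value and shared secret are constructed."""
import hashlib
import hmac
import ipaddress
import struct
from typing import Dict, Tuple

ACCOUNTING_REQUEST = 4
# Attribute types from the table, plus Acct-Status-Type (40), which RFC 2866 requires
USER_NAME, NAS_IP_ADDRESS, CLASS, CALLED_STATION_ID, CALLING_STATION_ID = 1, 4, 25, 30, 31
ACCT_STATUS_TYPE, ACCT_SESSION_ID, ACCT_AUTHENTIC = 40, 44, 45
ACCT_SESSION_TIME, ACCT_TERMINATE_CAUSE = 46, 49
START, STOP = 1, 2              # Acct-Status-Type values
AUTHENTIC_RADIUS = 1            # Acct-Authentic: the user was authenticated by RADIUS (assumed)
CAUSE_USER_REQUEST = 1          # Acct-Terminate-Cause: the user logged out


def _avp(atype: int, value: bytes) -> bytes:
    """One attribute-value pair: Type, Length (header included), Value."""
    if not 0 < len(value) <= 253:
        raise ValueError("attribute value length out of range")
    return bytes([atype, len(value) + 2]) + value


def _u32(n: int) -> bytes:
    return struct.pack("!I", n)


def session_attributes(status: int, user: str, nas_ip: str, called: str, calling: str,
                       session_id: str, cls: bytes, session_time: int = 0,
                       cause: int = CAUSE_USER_REQUEST) -> bytes:
    """Attributes the table marks Yes for both messages, plus the Stop-only pair."""
    attrs = [
        _avp(ACCT_STATUS_TYPE, _u32(status)),
        _avp(USER_NAME, user.encode()),
        _avp(NAS_IP_ADDRESS, ipaddress.IPv4Address(nas_ip).packed),
        _avp(CLASS, cls),
        _avp(CALLED_STATION_ID, called.encode()),
        _avp(CALLING_STATION_ID, calling.encode()),
        _avp(ACCT_SESSION_ID, session_id.encode()),
        _avp(ACCT_AUTHENTIC, _u32(AUTHENTIC_RADIUS)),
    ]
    if status == STOP:  # Acct-Session-Time (46) and Acct-Terminate-Cause (49): Stop only
        attrs += [_avp(ACCT_SESSION_TIME, _u32(session_time)),
                  _avp(ACCT_TERMINATE_CAUSE, _u32(cause))]
    return b"".join(attrs)


def build_accounting_request(ident: int, secret: bytes, attrs: bytes) -> bytes:
    """Code, Identifier, Length, Request Authenticator, Attributes."""
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(attrs))
    # RFC 2866 section 3: MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def parse_accounting_request(pkt: bytes, secret: bytes) -> Tuple[bool, Dict[int, bytes]]:
    """Return (authenticator valid, {type: value}). An invalid authenticator means the
    record was not produced with the shared secret and must not be trusted."""
    code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if code != ACCOUNTING_REQUEST or length != len(pkt) or length < 20:
        raise ValueError("not a well-formed Accounting-Request")
    attrs = pkt[20:]
    expected = hashlib.md5(pkt[:4] + bytes(16) + attrs + secret).digest()
    valid = hmac.compare_digest(expected, pkt[4:20])
    parsed, pos = {}, 0
    while pos < len(attrs):
        if pos + 2 > len(attrs) or attrs[pos + 1] < 3 or pos + attrs[pos + 1] > len(attrs):
            raise ValueError("malformed attribute")
        parsed[attrs[pos]] = attrs[pos + 2:pos + attrs[pos + 1]]
        pos += attrs[pos + 1]
    return valid, parsed


def management_session(secret: bytes = b"constructed-secret") -> Tuple[bytes, bytes]:
    """Start and Stop records for one constructed Telnet management session."""
    common = dict(user="admin", nas_ip="192.0.2.10", called="192.0.2.10",
                  calling="198.51.100.7", session_id="0000001A", cls=b"mgmt-session")
    start = build_accounting_request(1, secret, session_attributes(START, **common))
    stop = build_accounting_request(2, secret,
                                    session_attributes(STOP, session_time=600, **common))
    return start, stop
```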
show accounting
The show accounting EXEC mode command displays information as to which type of accounting is enabled on the switch.
Syntax
show accounting
Parameters
N/A
Default Configuration
N/A
Command Mode
User EXEC mode
Example
The following example displays information about the accounting status.
```
switchxxxxxx# show accounting
Login: Radius
802.1x: Disabled
```
passwords complexity enable
Use the passwords complexity enable Global Configuration mode command to enforce minimum password complexity. The no form of this command disables enforcing password complexity.
Syntax
passwords complexity enable
no passwords complexity enable
Parameters
N/A
Default Configuration
Enabled
Command Mode
Global Configuration mode
User Guidelines
If password complexity is enabled, the user is forced to enter a password that:
- Has a minimum length of 8 characters.
- Contains characters from at least 3 character classes (uppercase letters, lowercase letters, numbers, and special characters available on a standard keyboard).
- Is different from the current password.
- Contains no character that is repeated more than 3 times consecutively.
- Does not repeat or reverse the user name or any variant reached by changing the case of the characters.
- Does not repeat or reverse the manufacturer’s name or any variant reached by changing the case of the characters.
You can control the above attributes of password complexity with specific commands described in this section.
If you have previously configured other complexity settings, then those settings are used. This command does not wipe out the other settings. It works only as a toggle.
Example
The following example enables enforcement of complex passwords that fulfill the minimum requirements specified in the User Guidelines above.
```
switchxxxxxx(config)# passwords complexity enable
switchxxxxxx# show passwords configuration
Passwords aging is enabled with aging time 180 days.
Passwords complexity is enabled with the following attributes:
Minimal length: 3 characters
Minimal classes: 3
New password must be different than the current: Enabled
Maximum consecutive same characters: 3
New password must be different than the user name: Enabled
New password must be different than the manufacturer name: Enabled
switchxxxxxx#
```
passwords complexity
Created by Sinan Kizar. Last updated 21 Mar 2019.
Use the passwords complexity Global Configuration mode commands to control the minimum requirements from a password when password complexity is enabled. Use the no form of these commands to return to default.
Syntax
passwords complexity {min-length number} | {min-classes number} | not-current | {no-repeat number} | not-username | not-manufacturer-name
no passwords complexity min-length | min-classes | not-current | no-repeat | not-username | not-manufacturer-name
Parameters
- min-length number—Sets the minimal length of the password. (Range: 0–64)
- min-classes number—Sets the minimal character classes (uppercase letters, lowercase letters, numbers, and special characters available on a standard keyboard). (Range: 0–4)
- not-current—Specifies that the new password cannot be the same as the current password.
- no-repeat number—Specifies the maximum number of characters in the new password that can be repeated consecutively. Zero specifies that there is no limit on repeated characters. (Range: 0–16)
- not-username—Specifies that the password cannot repeat or reverse the user name or any variant reached by changing the case of the characters.
- not-manufacturer-name—Specifies that the password cannot repeat or reverse the manufacturer’s name or any variant reached by changing the case of the characters.
Default Configuration
The minimal length is 8.
The number of classes is 3.
The default for no-repeat is 3.
All the other controls are enabled by default.
Command Mode
Global Configuration mode
Example
The following example configures the minimal required password length to 8 characters.
```
switchxxxxxx(config)# passwords complexity min-length 8
```
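The rules listed under passwords complexity enable, with the knobs of the passwords complexity min-length, min-classes, not-current, no-repeat, not-username and not-manufacturer-name commands, are implemented below as a checker that reports every rule a candidate password breaks; it is useful for testing a password against the policy before pushing it to a switch. This is an added example, not the switch's own code; the manufacturer name is a placeholder, and "repeat or reverse" is read as a case-insensitive match of the whole password.

```python
"""Checker for the password-complexity rules this page lists, with the knobs of
passwords complexity {min-length | min-classes | not-current | no-repeat |
not-username | not-manufacturer-name}. Added example, not the switch's own code."""
import string
from dataclasses import dataclass
from typing import List

MANUFACTURER = "ExampleVendor"  # placeholder; a real device uses its own vendor name


@dataclass
class ComplexityPolicy:
    min_length: int = 8        # min-length default (Range: 0-64)
    min_classes: int = 3       # min-classes default (Range: 0-4)
    not_current: bool = True
    no_repeat: int = 3         # longest allowed run of one character; 0 = no limit
    not_username: bool = True
    not_manufacturer_name: bool = True


# The four classes available on a standard keyboard
CLASSES = (string.ascii_uppercase, string.ascii_lowercase, string.digits, string.punctuation)


def char_classes(password: str) -> int:
    """Number of the four character classes present in the password."""
    return sum(any(ch in cls for ch in password) for cls in CLASSES)


def longest_run(password: str) -> int:
    """Length of the longest run of one character repeated consecutively."""
    best = run = 0
    prev = None
    for ch in password:
        run = run + 1 if ch == prev else 1
        best = max(best, run)
        prev = ch
    return best


def same_or_reversed(password: str, word: str) -> bool:
    """True if the password repeats or reverses the word, ignoring case (assumed reading)."""
    return password.lower() in (word.lower(), word.lower()[::-1])


def check_password(password: str, username: str, current: str,
                   policy: ComplexityPolicy = ComplexityPolicy(),
                   manufacturer: str = MANUFACTURER) -> List[str]:
    """Return the rules the new password violates; an empty list means it is accepted."""
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if char_classes(password) < policy.min_classes:
        problems.append(f"fewer than {policy.min_classes} character classes")
    if policy.not_current and password == current:
        problems.append("same as the current password")
    if policy.no_repeat and longest_run(password) > policy.no_repeat:
        problems.append(f"a character repeats more than {policy.no_repeat} times consecutively")
    if policy.not_username and same_or_reversed(password, username):
        problems.append("repeats or reverses the user name")
    if policy.not_manufacturer_name and same_or_reversed(password, manufacturer):
        problems.append("repeats or reverses the manufacturer's name")
    return problems
```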
passwords aging
Use the passwords aging Global Configuration mode command to enforce password aging. Use the no form of this command to return to default.
Syntax
passwords aging days
no passwords aging
Parameters
- days—Specifies the number of days before a password change is forced. You can use 0 to disable aging. (Range: 0–365).
Default Configuration
180
Command Mode
Global Configuration mode
User Guidelines
Aging is relevant only to users of the local database with privilege level 15 and to the enable password of privilege level 15.
To disable password aging, use passwords aging 0.
Using no passwords aging sets the aging time to the default.
Example
The following example configures the aging time to be 24 days.
```
switchxxxxxx(config)# passwords aging 24
```
show passwords configuration
Created by Sinan Kizar. Last updated 25 Apr 2019.
The show passwords configuration Privileged EXEC mode command displays information about the password management configuration.
Syntax
show passwords configuration
Parameters
N/A
Default Configuration
N/A
Command Mode
Privileged EXEC mode
Example
```
switchxxxxxx# show passwords configuration
Passwords aging is enabled with aging time 180 days.
Passwords complexity is enabled with the following attributes:
Minimal length: 3 characters
Minimal classes: 3
New password must be different than the current: Enabled
Maximum consecutive same characters: 3
New password must be different than the user name: Enabled
New password must be different than the manufacturer name: Enabled

Enable Passwords
Level
-----
1
15

Line Passwords
Line
-----
Console
Telnet
SSH
```