Security – Authentication, Authorization and Accounting (AAA)

aaa authentication login

Use the aaa authentication login Global Configuration mode command to set one or more authentication methods to be applied during login. Use the no form of this command to restore the default authentication method.

Syntax

aaa authentication login {default | list-name} method1 [method2…]

no aaa authentication login {default | list-name}

Parameters

  • default—Uses the authentication methods that follow this argument as the default method list when a user logs in (this list is unnamed).
  • list-name—Specifies a name of a list of authentication methods activated when a user logs in. (Length: 1–12 characters)
  • method1 [method2…]—Specifies a list of methods that the authentication algorithm tries (in the given sequence). Each additional authentication method is used only if the previous method returns an error, not if it fails. To ensure that the authentication succeeds even if all methods return an error, specify none as the final method in the command line. Select one or more methods from the following list:
Keyword   Description
enable    Uses the enable password for authentication.
line      Uses the line password for authentication.
local     Uses the locally-defined usernames for authentication.
none      Uses no authentication.
radius    Uses the list of all RADIUS servers for authentication.
tacacs    Uses the list of all TACACS+ servers for authentication.

Default Configuration

If no method list is specified, the default is the locally-defined users and passwords. This is the same as entering the command aaa authentication login default local.

Command Mode

Global Configuration mode

User Guidelines

Create a list of authentication methods by entering this command with the list-name parameter, where list-name is any character string. The method arguments identify the list of methods that the authentication algorithm tries, in the given sequence.

The default and list names created with this command are used with the login authentication command.

The no aaa authentication login list-name command deletes a list-name only if it has not been referenced by another command.

Example

The following example sets the authentication login methods for the console.

switchxxxxxx(config)# aaa authentication login authen-list radius local none
switchxxxxxx(config)# line console
switchxxxxxx(config-line)# login authentication authen-list

aaa authentication enable

The aaa authentication enable Global Configuration mode command sets one or more authentication methods for accessing higher privilege levels. To restore the default authentication method, use the no form of this command.

Syntax

aaa authentication enable {default | list-name} method1 [method2…]

no aaa authentication enable {default | list-name}

Parameters

  • default—Uses the listed authentication methods that follow this argument as the default method list, when accessing higher privilege levels.
  • list-name—Specifies a name for the list of authentication methods activated when a user accesses higher privilege levels. (Length: 1–12 characters)
  • method1 [method2…]—Specifies a list of methods that the authentication algorithm tries, in the given sequence. The additional authentication methods are used only if the previous method returns an error, not if it fails. Specify none as the final method in the command line to ensure that the authentication succeeds, even if all methods return an error. Select one or more methods from the following list:
Keyword   Description
enable    Uses the enable password for authentication.
line      Uses the line password for authentication.
none      Uses no authentication.
radius    Uses the list of all RADIUS servers for authentication.
tacacs    Uses the list of all TACACS+ servers for authentication.

Default Configuration

The enable password defines the default authentication method for accessing higher privilege levels. This is the same as entering the command aaa authentication enable default enable.

On a console, the enable password is used if a password exists. If no password is set, authentication still succeeds. This is the same as entering the command aaa authentication enable default enable none.

Command Mode

Global Configuration mode

User Guidelines

Create a list by entering the aaa authentication enable list-name method1 [method2…] command where list-name is any character string used to name this list. The method argument identifies the list of methods that the authentication algorithm tries, in the given sequence.

The default and list names created by this command are used with the enable authentication command.

All aaa authentication enable requests sent by the device to a RADIUS server include the username $enabx$, where x is the requested privilege level.

All aaa authentication enable requests sent by the device to a TACACS+ server include the username that is entered for login authentication.

The additional methods of authentication are used only if the previous method returns an error, not if it fails. Specify none as the final method in the command line to ensure that the authentication succeeds even if all methods return an error.

no aaa authentication enable list-name deletes list-name if it has not been referenced.
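The fallback rule stated in the guidelines above (a later method is tried only when the earlier one returns an error, never when it rejects the credentials, and a closing none turns an all-error outcome into success) decides whether a method list fails open or locks administrators out during a server outage. The following Python simulation is an added example, not the switch's own code; the user databases, passwords and server states are constructed sample data, and it models the local database as always reachable, so local never returns an error.

```python
"""Simulation of the method-list rule: PASS and FAIL stop the walk, only ERROR
falls through to the next method, and 'none' always passes.
Added example, not the switch's own code; all data below is constructed."""
from enum import Enum
from typing import Callable, Dict, List, Tuple


class Result(Enum):
    PASS = "pass"     # credentials accepted: stop, user is in
    FAIL = "fail"     # credentials rejected: stop, user is out
    ERROR = "error"   # method could not answer (e.g. no server reachable): try the next one


Method = Callable[[str, str], Result]


def evaluate(method_list: List[Tuple[str, Method]], username: str,
             password: str) -> Tuple[Result, List[str]]:
    """Walk the list in order and return the outcome plus a trace of what was consulted."""
    trace = []
    for name, method in method_list:
        outcome = method(username, password)
        trace.append(f"{name}={outcome.value}")
        if outcome is not Result.ERROR:
            return outcome, trace
    # Every method errored and no 'none' closed the list: the login is refused.
    return Result.ERROR, trace


def radius(reachable: bool, users: Dict[str, str]) -> Method:
    """ERROR while the servers are unreachable, otherwise PASS/FAIL from the server's database."""
    def method(u: str, p: str) -> Result:
        if not reachable:
            return Result.ERROR
        return Result.PASS if users.get(u) == p else Result.FAIL
    return method


def local(users: Dict[str, str]) -> Method:
    """The local database is always reachable, so in this model it never errors."""
    def method(u: str, p: str) -> Result:
        return Result.PASS if users.get(u) == p else Result.FAIL
    return method


def line(line_password: str) -> Method:
    """The line password ignores the username entirely."""
    def method(u: str, p: str) -> Result:
        return Result.PASS if p == line_password else Result.FAIL
    return method


def none_method(u: str, p: str) -> Result:
    """The 'none' keyword: unconditional success."""
    return Result.PASS


def scenarios() -> Dict[str, Result]:
    """Outcomes for the lists discussed on this page under a RADIUS outage and in normal operation."""
    remote = {"admin": "R4dius-pw!"}        # constructed RADIUS user database
    local_db = {"admin": "L0cal-pw!"}       # constructed local user database
    radius_down, radius_up = radius(False, remote), radius(True, remote)
    return {
        # The page's example list with RADIUS unreachable: local answers, 'none' is never consulted.
        "radius local none / radius down, bad local password": evaluate(
            [("radius", radius_down), ("local", local(local_db)), ("none", none_method)],
            "admin", "guess")[0],
        "radius local none / radius down, good local password": evaluate(
            [("radius", radius_down), ("local", local(local_db)), ("none", none_method)],
            "admin", "L0cal-pw!")[0],
        # Without 'local' in between, the same outage falls open: anyone gets in.
        "radius none / radius down, any password": evaluate(
            [("radius", radius_down), ("none", none_method)], "anyone", "")[0],
        # With RADIUS reachable, a wrong password is a FAIL and 'none' does not rescue it.
        "radius none / radius up, bad password": evaluate(
            [("radius", radius_up), ("none", none_method)], "admin", "guess")[0],
        # RADIUS alone during an outage: nobody gets in, including the administrator.
        "radius / radius down, good password": evaluate(
            [("radius", radius_down)], "admin", "R4dius-pw!")[0],
    }


if __name__ == "__main__":
    for name, outcome in scenarios().items():
        print(f"{outcome.value:5}  {name}")
```

The last two scenarios show the operational trade-off: a list with no fallback locks everyone out while the RADIUS servers are unreachable, while a list that ends in none immediately after radius admits anyone during the same outage. Ending the list with local, as the page's own example does, keeps a console login possible during the outage without removing the credential check.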

Example

The following example creates a method list for accessing higher privilege levels (RADIUS, then none) and applies it to the console.

switchxxxxxx(config)# aaa authentication enable enable-list radius none
switchxxxxxx(config)# line console
switchxxxxxx(config-line)# enable authentication enable-list

login authentication

The login authentication Line Configuration mode command specifies the login authentication method list for a remote Telnet or console session. Use the no form of this command to restore the default authentication method.

Syntax

login authentication {default | list-name}

no login authentication

Parameters

  • default—Uses the default list created with the aaa authentication login command.
  • list-name—Uses the specified list created with the aaa authentication login command.

Default Configuration

default

Command Mode

Line Configuration Mode

Examples

Example 1 – The following example specifies the login authentication method as the default method for a console session.

switchxxxxxx(config)# line console
switchxxxxxx(config-line)# login authentication default

Example 2 – The following example sets the authentication login methods for the console as a list of methods.

switchxxxxxx(config)# aaa authentication login authen-list radius local none
switchxxxxxx(config)# line console
switchxxxxxx(config-line)# login authentication authen-list

enable authentication

The enable authentication Line Configuration mode command specifies the authentication method for accessing a higher privilege level from a remote Telnet or console. Use the no form of this command to restore the default authentication method.

Syntax

enable authentication {default | list-name}

no enable authentication

Parameters

  • default—Uses the default list created with the aaa authentication enable command.
  • list-name—Uses the specified list created with the aaa authentication enable command.

Default Configuration

default.

Command Mode

Line Configuration Mode

Examples

Example 1 – The following example specifies the authentication method as the default method when accessing a higher privilege level from a console.

switchxxxxxx(config)# line console
switchxxxxxx(config-line)# enable authentication default

Example 2 – The following example sets a list of authentication methods for accessing higher privilege levels.

switchxxxxxx(config)# aaa authentication enable enable-list radius none
switchxxxxxx(config)# line console
switchxxxxxx(config-line)# enable authentication enable-list

ip http authentication

The ip http authentication Global Configuration mode command specifies authentication methods for HTTP server access. Use the no form of this command to restore the default authentication method.

Syntax

ip http authentication aaa login-authentication method1 [method2…]

no ip http authentication aaa login-authentication

Parameters

  • method1 [method2…]—Specifies a list of methods that the authentication algorithm tries, in the given sequence. The additional authentication methods are used only if the previous method returns an error, not if it fails. Specify none as the final method in the command line to ensure that the authentication succeeds, even if all methods return an error. Select one or more methods from the following list:
Keyword   Description
local     Uses the local username database for authentication.
none      Uses no authentication.
radius    Uses the list of all RADIUS servers for authentication.
tacacs    Uses the list of all TACACS+ servers for authentication.

Default Configuration

The local user database is the default authentication login method. This is the same as entering the ip http authentication aaa login-authentication local command.

Command Mode

Global Configuration mode

User Guidelines

The command is relevant for HTTP and HTTPS server users.

Example

The following example specifies the HTTP access authentication methods.

switchxxxxxx(config)# ip http authentication aaa login-authentication radius local none

show authentication methods

The show authentication methods Privileged EXEC mode command displays information about the authentication methods.

Syntax

show authentication methods

Parameters

N/A

Default Configuration

N/A

Command Mode

Privileged EXEC mode

Example

The following example displays the authentication configuration:

switchxxxxxx# show authentication methods
Login Authentication Method Lists
---------------------------------
Default: Radius, Local, Line
Console_Login: Line, None

Enable Authentication Method Lists
----------------------------------
Default: Radius, Enable
Console_Enable(with authorization): Enable, None

Line                 Login Method List   Enable Method List
--------------       -----------------   ------------------
Console              Console_Login       Console_Enable
Telnet               Default             Default
SSH                  Default             Default

HTTP, HTTPS: Radius, Local
Dot1x: Radius

password

Use the password Line Configuration mode command to specify a password on a line (also known as an access method, such as a console or Telnet). Use the no form of this command to return to the default password.

Syntax

password password [encrypted]

no password

Parameters

  • password—Specifies the password for this line. (Length: 0–159 characters)
  • encrypted—Specifies that the password is encrypted and copied from another device configuration.

Default Configuration

No password is defined.

Command Mode

Line Configuration Mode

Example

The following example specifies the password ‘secret’ on a console.

switchxxxxxx(config)# line console
switchxxxxxx(config-line)# password secret

enable password

Use the enable password Global Configuration mode command to set a local password to control access to normal and privilege levels. Use the no form of this command to return to the default password.

Syntax

enable password [level privilege-level] {unencrypted-password | encrypted encrypted-password}

no enable password [level privilege-level]

Parameters

  • level privilege-level—Level for which the password applies. If not specified, the level is 15. (Range: 1–15)
  • unencrypted-password—Password for this level. (Range: 0–159 chars)
  • encrypted encrypted-password—Specifies that the password is encrypted. Use this keyword to enter a password that is already encrypted (for instance, one that you copied from the configuration file of another device). (Range: 1–40)

Default Configuration

Default for level is 15.

Passwords are encrypted by default.

Command Mode

Global Configuration mode

User Guidelines

When the administrator configures a new enable password, this password is encrypted automatically and saved to the configuration file. No matter how the password was entered, it appears in the configuration file with the keyword encrypted and the encrypted value.

If the administrator wants to manually copy a password that was configured on one switch (for instance, switch B) to another switch (for instance, switch A), the administrator must add the encrypted keyword in front of the encrypted password when entering the enable password command on switch A. In this way, the two switches will have the same password.

Passwords are encrypted by default. You are only required to use the encrypted keyword when you are actually entering an already-encrypted password.

Examples

Example 1 – The command sets a password that has already been encrypted. It will be copied to the configuration file just as it is entered. To use it, the user must know its unencrypted form.

switchxxxxxx(config)# enable password encrypted 4b529f21c93d4706090285b0c10172eb073ffebc4

Example 2 – The command sets an unencrypted password for level 7 (it will be encrypted in the configuration file).

switchxxxxxx(config)# enable password level 7 let-me-in

service password-recovery

Use the service password-recovery Global Configuration mode command to enable the password-recovery mechanism. This mechanism allows an end user with physical access to the console port of the device to enter the boot menu and trigger the password recovery process. Use the no service password-recovery command to disable the password-recovery mechanism. When the password-recovery mechanism is disabled, accessing the boot menu is still allowed and the user can still trigger the password recovery process; the difference is that in this case all the configuration files and all the user files are removed, and the following log message is generated to the terminal: “All the configuration and user files were removed”.

Syntax

service password-recovery

no service password-recovery

Parameters

N/A

Default Configuration

The service password recovery is enabled by default.

Command Mode

Global Configuration mode

User Guidelines

  • If password recovery is enabled, the user can access the boot menu and trigger the password recovery in the boot menu. All configuration files and user files are kept.
  • If password recovery is disabled, the user can access the boot menu and trigger the password recovery in the boot menu. The configuration files and user files are removed.
  • If a device is configured to protect its sensitive data with a user-defined passphrase for (Secure Sensitive Data), then the user cannot trigger the password recovery from the boot menu even if password recovery is enabled.

Example

The following command disables password recovery:

switchxxxxxx(config)# no service password-recovery
Note that choosing to use Password recovery option in the Boot Menu during the boot process will remove the configuration files and the user files.
Would you like to continue ? Y/N.

username

Use the username Global Configuration mode command to establish a username-based authentication system. Use the no form to remove a user name.

Syntax

username name {nopassword | {password {unencrypted-password | {encrypted encrypted-password}}} | {privilege privilege-level {unencrypted-password | {encrypted encrypted-password}}}}

no username name

Parameters

  • name—The name of the user. (Range: 1–20 characters)
  • nopassword—No password is required for this user to log in.
  • password—Specifies the password for this username. (Range: 1–64)
  • unencrypted-password—The authentication password for the user. (Range: 1–159)
  • encrypted encrypted-password—Specifies that the password is MD5 encrypted. Use this keyword to enter a password that is already encrypted (for instance, one that you copied from the configuration file of another device). (Range: 1–40)
  • privilege privilege-level—Privilege level for which the password applies. If not specified, the level is 1. (Range: 1–15)

Default Configuration

No user is defined.

Command Mode

Global Configuration mode

Usage Guidelines

The last level 15 user (regardless of whether it is the default user or any user) cannot be removed and cannot be a remote user.

Examples

Example 1 – Sets an unencrypted password for user tom (level 15). It will be encrypted in the configuration file.

switchxxxxxx(config)# username tom password 1234

Example 2 – Sets a password for user jerry (level 15) that has already been encrypted. It will be copied to the configuration file just as it is entered. To use it, the user must know its unencrypted form.

switchxxxxxx(config)# username jerry privilege 15 encrypted 4b529f21c93d4706090285b0c10172eb073ffebc4

show users accounts

The show users accounts Privileged EXEC mode command displays information about the users local database.

Syntax

show users accounts

Parameters

N/A

Default Configuration

N/A

Command Mode

Privileged EXEC mode

Example

The following example displays information about the users local database:

switchxxxxxx# show users accounts
Username    Privilege   Password Expiry date
--------    ---------   --------------------
Bob         15          Jan 18 2005
Robert      15          Jan 19 2005
Smith       15

The following table describes the significant fields shown in the display:

Field                  Description
Username               The user name.
Privilege              The user’s privilege level.
Password Expiry date   The user’s password expiration date.

aaa accounting login

Use the aaa accounting login command in Global Configuration mode to enable accounting of device management sessions. Use the no form of this command to disable accounting.

Syntax

aaa accounting login start-stop group {radius | tacacs+}

no aaa accounting login start-stop

Parameters

  • group radius—Uses a RADIUS server for accounting.
  • group tacacs+—Uses a TACACS+ server for accounting.

Default Configuration

Disabled

Command Mode

Global Configuration mode

User Guidelines

This command enables the recording of device management sessions (Telnet, serial and web, but not SNMP).

It records only users that were identified with a username (for example, a user that logged in with a line password is not recorded).

If accounting is activated, the device sends a start message to the RADIUS or TACACS+ server when a user logs in and a stop message when the user logs out.

The device uses the configured priorities of the available RADIUS/TACACS+ servers in order to select the RADIUS/TACACS+ server.

The following table describes the supported RADIUS accounting attribute values, and in which messages they are sent by the switch.

Name                        Start Message   Stop Message   Description
User-Name (1)               Yes             Yes            User’s identity.
NAS-IP-Address (4)          Yes             Yes            The switch IP address that is used for the session with the RADIUS server.
Class (25)                  Yes             Yes            Arbitrary value that is included in all accounting packets for a specific session.
Called-Station-ID (30)      Yes             Yes            The switch IP address that is used for the management session.
Calling-Station-ID (31)     Yes             Yes            The user IP address.
Acct-Session-ID (44)        Yes             Yes            A unique accounting identifier.
Acct-Authentic (45)         Yes             Yes            Indicates how the user was authenticated.
Acct-Session-Time (46)      No              Yes            Indicates how long the user was logged in.
Acct-Terminate-Cause (49)   No              Yes            Reports why the session was terminated.

The following table describes the supported TACACS+ accounting arguments and in which messages they are sent by the switch.

Name           Description                                              Start Message   Stop Message
task_id        A unique accounting session identifier.                  Yes             Yes
user           The username that is entered for login authentication.   Yes             Yes
rem-addr       The IP address of the user.                              Yes             Yes
elapsed-time   Indicates how long the user was logged in.               No              Yes
reason         Reports why the session was terminated.                  No              Yes

Example

switchxxxxxx(config)# aaa accounting login start-stop group radius

Angora Networks Product Support Portal

aaa accounting dot1x

To enable accounting of 802.1x sessions, use the aaa accounting dot1x Global Configuration mode command. Use the no form of this command to disable accounting.

Syntax

aaa accounting dot1x start-stop group radius

no aaa accounting dot1x start-stop group radius

Parameters

N/A

Default Configuration

Disabled

Command Mode

Global Configuration mode

User Guidelines

This command enables the recording of 802.1x sessions.

If accounting is activated, the device sends start/stop messages to a RADIUS server when a user logs in / logs out to the network, respectively.

The device uses the configured priorities of the available RADIUS servers in order to select the RADIUS server.

If a new supplicant replaces an old supplicant (even if the port state remains authorized), the software sends a stop message for the old supplicant and a start message for the new supplicant.

In multiple sessions mode (dot1x multiple-hosts authentication), the software sends start/stop messages for each authenticated supplicant.

In multiple hosts mode (dot1x multiple-hosts), the software sends start/stop messages only for the supplicant that has been authenticated.

The software does not send start/stop messages if the port is force-authorized.

The software does not send start/stop messages for hosts that are sending traffic on the guest VLAN or on the unauthenticated VLANs.

The following table describes the supported RADIUS accounting attribute values and when they are sent by the switch.

Name                        Start   Stop   Description
User-Name (1)               Yes     Yes    Supplicant’s identity.
NAS-IP-Address (4)          Yes     Yes    The switch IP address that is used for the session with the RADIUS server.
NAS-Port (5)                Yes     Yes    The switch port from where the supplicant has logged in.
Class (25)                  Yes     Yes    The arbitrary value that is included in all accounting packets for a specific session.
Called-Station-ID (30)      Yes     Yes    The switch MAC address.
Calling-Station-ID (31)     Yes     Yes    The supplicant MAC address.
Acct-Session-ID (44)        Yes     Yes    A unique accounting identifier.
Acct-Authentic (45)         Yes     Yes    Indicates how the supplicant was authenticated.
Acct-Session-Time (46)      No      Yes    Indicates how long the supplicant was logged in.
Acct-Terminate-Cause (49)   No      Yes    Reports why the session was terminated.
NAS-Port-Type (61)          Yes     Yes    Indicates the supplicant physical port type.
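The two attribute tables on this page (management-session accounting under aaa accounting login and 802.1x accounting here) list what the switch puts in its Start and Stop records but not how the records are framed or how the accounting server decides to trust them. The following Python example builds both kinds of record with RFC 2866 framing and verifies the Request Authenticator the way a server does. It is an added example, not the switch's own code; the session values, addresses and the shared secret are constructed sample data, and Acct-Status-Type (40) is included because RFC 2866 requires it even though the tables do not list it.

```python
"""RADIUS Accounting-Request Start/Stop records carrying the attributes from
the tables above, with the RFC 2866 Request Authenticator.
Added example, not the switch's own code; all values are constructed."""
import hashlib
import hmac
import socket
import struct
from typing import Dict, List

ACCOUNTING_REQUEST = 4           # RADIUS packet code for Accounting-Request
# Attribute types from the tables above (numbers per RFC 2865/2866)
USER_NAME, NAS_IP_ADDRESS, NAS_PORT, CLASS = 1, 4, 5, 25
CALLED_STATION_ID, CALLING_STATION_ID = 30, 31
ACCT_STATUS_TYPE, ACCT_SESSION_ID, ACCT_AUTHENTIC = 40, 44, 45
ACCT_SESSION_TIME, ACCT_TERMINATE_CAUSE, NAS_PORT_TYPE = 46, 49, 61
START, STOP = 1, 2               # Acct-Status-Type values
AUTHENTIC_RADIUS = 1             # Acct-Authentic: the user was authenticated by RADIUS
CAUSE_USER_REQUEST = 1           # Acct-Terminate-Cause: the user logged out
PORT_TYPE_ETHERNET = 15          # NAS-Port-Type for a switch port


def avp(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; Length covers the 2-byte header."""
    if not 1 <= len(value) <= 253:
        raise ValueError("RADIUS attribute value must be 1..253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def integer(v: int) -> bytes:
    """RADIUS integer attributes are 4 bytes, network order."""
    return struct.pack("!I", v)


def build_accounting_request(identifier: int, secret: bytes, attrs: List[bytes]) -> bytes:
    """Request Authenticator = MD5(Code | Id | Length | 16 zero octets | attributes | secret)."""
    body = b"".join(attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(body))
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body


def verify_accounting_request(packet: bytes, secret: bytes) -> bool:
    """What the accounting server checks before trusting a Start/Stop record.
    The only thing protecting the record is the shared secret: anyone who knows
    it can forge or alter accounting data, so it must be long and per-device."""
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def parse_attributes(packet: bytes) -> Dict[int, bytes]:
    """Return {type: raw value}, rejecting malformed attribute lengths."""
    attrs, i = {}, 20
    while i < len(packet):
        if i + 2 > len(packet):
            raise ValueError("truncated attribute header")
        attr_type, length = packet[i], packet[i + 1]
        if length < 3 or i + length > len(packet):
            raise ValueError("bad attribute length")
        attrs[attr_type] = packet[i + 2:i + length]
        i += length
    return attrs


def login_stop_message(identifier: int, secret: bytes, *, user: str, nas_ip: str,
                       mgmt_ip: str, user_ip: str, session_id: str,
                       session_seconds: int, cause: int = CAUSE_USER_REQUEST) -> bytes:
    """Stop record for a management session: every row of the login table."""
    attrs = [
        avp(USER_NAME, user.encode()),
        avp(NAS_IP_ADDRESS, socket.inet_aton(nas_ip)),
        avp(CLASS, b"mgmt-session"),                     # opaque value echoed for the session
        avp(CALLED_STATION_ID, mgmt_ip.encode()),        # switch IP used for the management session
        avp(CALLING_STATION_ID, user_ip.encode()),       # the user's IP address
        avp(ACCT_STATUS_TYPE, integer(STOP)),            # required by RFC 2866; not in the table
        avp(ACCT_SESSION_ID, session_id.encode()),
        avp(ACCT_AUTHENTIC, integer(AUTHENTIC_RADIUS)),
        avp(ACCT_SESSION_TIME, integer(session_seconds)),  # Stop only
        avp(ACCT_TERMINATE_CAUSE, integer(cause)),         # Stop only
    ]
    return build_accounting_request(identifier, secret, attrs)


def dot1x_start_message(identifier: int, secret: bytes, *, supplicant: str, nas_ip: str,
                        port: int, switch_mac: str, supplicant_mac: str, session_id: str) -> bytes:
    """Start record for an 802.1x session: the Start=Yes rows of the dot1x table."""
    attrs = [
        avp(USER_NAME, supplicant.encode()),
        avp(NAS_IP_ADDRESS, socket.inet_aton(nas_ip)),
        avp(NAS_PORT, integer(port)),
        avp(CLASS, b"dot1x-session"),
        avp(CALLED_STATION_ID, switch_mac.encode()),     # the switch MAC address
        avp(CALLING_STATION_ID, supplicant_mac.encode()),  # the supplicant MAC address
        avp(ACCT_STATUS_TYPE, integer(START)),
        avp(ACCT_SESSION_ID, session_id.encode()),
        avp(ACCT_AUTHENTIC, integer(AUTHENTIC_RADIUS)),
        avp(NAS_PORT_TYPE, integer(PORT_TYPE_ETHERNET)),
    ]
    return build_accounting_request(identifier, secret, attrs)


if __name__ == "__main__":
    secret = b"s3cret-shared"    # constructed sample secret
    pkt = login_stop_message(7, secret, user="tom", nas_ip="192.0.2.10", mgmt_ip="192.0.2.10",
                             user_ip="198.51.100.5", session_id="00000123", session_seconds=600)
    print(len(pkt), "bytes, authenticator valid:", verify_accounting_request(pkt, secret))
```

The verifier is where the security of the accounting trail lives: the authenticator is an MD5 over the packet and the shared secret, so a guessable or reused secret lets anyone on the path inject or rewrite Stop records (for example to shorten a logged session). Feed a captured UDP/1813 payload to verify_accounting_request and parse_attributes to confirm what a switch is actually sending.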

Example

switchxxxxxx(config)# aaa accounting dot1x start-stop group radius

show accounting

The show accounting EXEC mode command displays information as to which type of accounting is enabled on the switch.

Syntax

show accounting

Parameters

N/A

Default Configuration

N/A

Command Mode

User EXEC mode

Example

The following example displays information about the accounting status.

switchxxxxxx# show accounting

Login: Radius

802.1x: Disabled

passwords complexity enable

Use the passwords complexity enable Global Configuration mode command to enforce minimum password complexity. The no form of this command disables enforcing password complexity.

Syntax

passwords complexity enable

no passwords complexity enable

Parameters

N/A

Default Configuration

Enabled

Command Mode

Global Configuration mode

User Guidelines

If password complexity is enabled, the user is forced to enter a password that:

  • Has a minimum length of 8 characters.
  • Contains characters from at least 3 character classes (uppercase letters, lowercase letters, numbers, and special characters available on a standard keyboard).
  • Is different from the current password.
  • Contains no character that is repeated more than 3 times consecutively.
  • Does not repeat or reverse the user name or any variant reached by changing the case of the characters.
  • Does not repeat or reverse the manufacturer’s name or any variant reached by changing the case of the characters.

You can control the above attributes of password complexity with specific commands described in this section.

If you have previously configured other complexity settings, then those settings are used. This command does not wipe out the other settings. It works only as a toggle.

Example

The following example configures requiring complex passwords that fulfill the minimum requirements specified in the User Guidelines above.

switchxxxxxx(config)# passwords complexity enable
switchxxxxxx# show passwords configuration 
Passwords aging is enabled with aging time 180 days. 
Passwords complexity is enabled with the following attributes: 
Minimal length: 3 characters 
Minimal classes: 3 
New password must be different than the current: Enabled 
Maximum consecutive same characters: 3 
New password must be different than the user name: Enabled
New password must be different than the manufacturer name: Enabled
switchxxxxxx#

passwords complexity

Created by Sinan Kizar. Last updated 21 Mar 2019.

Use the passwords complexity Global Configuration mode commands to control the minimum requirements from a password when password complexity is enabled. Use the no form of these commands to return to default.

Syntax

passwords complexity {min-length number} | {min-classes number} | not-current | {no-repeat number} | not-username | not-manufacturer-name

no passwords complexity min-length | min-classes | not-current | no-repeat | not-username | not-manufacturer-name

Parameters

  • min-length number—Sets the minimal length of the password. (Range: 0–64)
  • min-classes number—Sets the minimal character classes (uppercase letters, lowercase letters, numbers, and special characters available on a standard keyboard). (Range: 0–4)
  • not-current—Specifies that the new password cannot be the same as the current password.
  • no-repeat number—Specifies the maximum number of characters in the new password that can be repeated consecutively. Zero specifies that there is no limit on repeated characters. (Range: 0–16)
  • not-username—Specifies that the password cannot repeat or reverse the user name or any variant reached by changing the case of the characters.
  • not-manufacturer-name—Specifies that the password cannot repeat or reverse the manufacturer’s name or any variant reached by changing the case of the characters.
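The controls above, and the rule list under passwords complexity enable, describe what the switch rejects but give no way to test a candidate password before a change window. The following Python checker is an added example, not the switch's own code: it reimplements the rules as the page states them, with the page's defaults (length 8, 3 classes, no run longer than 3). The manufacturer name is an assumed placeholder, and the user-name and manufacturer-name checks compare the whole password, case-insensitively, with the name and its reverse; whether the device also rejects passwords that merely contain the name is not stated on the page.

```python
"""Offline check of a candidate password against the complexity controls above.
Added example, not the switch's own code; the manufacturer name is assumed."""
import string
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class ComplexityPolicy:
    """One field per 'passwords complexity' control; defaults follow the page."""
    min_length: int = 8                 # min-length (0..64)
    min_classes: int = 3                # min-classes (0..4)
    not_current: bool = True
    no_repeat: int = 3                  # longest allowed run of one character; 0 = no limit
    not_username: bool = True
    not_manufacturer_name: bool = True
    manufacturer_name: str = "angora"   # ASSUMPTION: placeholder, not taken from the page


def character_classes(pw: str) -> int:
    """Count the classes present: upper, lower, digits, keyboard specials."""
    return sum([
        any(c.isupper() for c in pw),
        any(c.islower() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    ])


def longest_run(pw: str) -> int:
    """Length of the longest run of one character repeated consecutively."""
    best = run = 0
    prev = None
    for c in pw:
        run = run + 1 if c == prev else 1
        prev = c
        best = max(best, run)
    return best


def _matches_name(pw: str, name: str) -> bool:
    """True if pw equals the name or the reversed name in any letter case."""
    return pw.lower() in (name.lower(), name.lower()[::-1])


def check_password(new: str, username: str, current: Optional[str] = None,
                   policy: Optional[ComplexityPolicy] = None) -> List[str]:
    """Return the controls the candidate violates, by keyword (empty list = accepted)."""
    p = policy or ComplexityPolicy()
    violations = []
    if len(new) < p.min_length:
        violations.append("min-length")
    if character_classes(new) < p.min_classes:
        violations.append("min-classes")
    if p.not_current and current is not None and new == current:
        violations.append("not-current")
    if p.no_repeat and longest_run(new) > p.no_repeat:   # no-repeat 0 disables the check
        violations.append("no-repeat")
    if p.not_username and _matches_name(new, username):
        violations.append("not-username")
    if p.not_manufacturer_name and _matches_name(new, p.manufacturer_name):
        violations.append("not-manufacturer-name")
    return violations


if __name__ == "__main__":
    # Constructed candidates for user 'tom'; "moT" and "aroGnA" hit the name rules.
    for candidate in ("Tr0ub4dor&3", "short1A", "aaaaBBBB1111", "moT", "aroGnA"):
        print(f"{candidate!r:16} -> {check_password(candidate, 'tom') or 'ok'}")
```

The returned keywords are the same ones used by the no passwords complexity form, so a rejected candidate maps directly onto the control that would have to be relaxed, which is usually the wrong fix: min-length and min-classes are the two that do most of the work against online guessing on a console or Telnet line.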

Default Configuration

The minimal length is 8.

The number of classes is 3.

The default for no-repeat is 3.

All the other controls are enabled by default.

Command Mode

Global Configuration mode

Example

The following example configures the minimal required password length to 8 characters.

switchxxxxxx(config)# passwords complexity min-length 8

passwords aging

Use the passwords aging Global Configuration mode command to enforce password aging. Use the no form of this command to return to default.

Syntax

passwords aging days

no passwords aging

Parameters

  • days—Specifies the number of days before a password change is forced. You can use 0 to disable aging. (Range: 0–365).

Default Configuration

180

Command Mode

Global Configuration mode

User Guidelines

Aging is relevant only to users of the local database with privilege level 15 and to the enable password of privilege level 15.

To disable password aging, use passwords aging 0.

Using no passwords aging sets the aging time to the default.

Example

The following example configures the aging time to be 24 days.

switchxxxxxx(config)# passwords aging 24

show passwords configuration

Created by Sinan Kizar. Last updated 25 Apr 2019.

The show passwords configuration Privileged EXEC mode command displays information about the password management configuration.

Syntax

show passwords configuration

Parameters

N/A

Default Configuration

N/A

Command Mode

Privileged EXEC mode

Example

switchxxxxxx# show passwords configuration
Passwords aging is enabled with aging time 180 days.
Passwords complexity is enabled with the following attributes:
Minimal length: 3 characters
Minimal classes: 3
New password must be different than the current: Enabled
Maximum consecutive same characters: 3
New password must be different than the user name: Enabled
New password must be different than the manufacturer name: Enabled

Enable Passwords
Level
-----
1
15

Line Passwords
Line
-----
Console
Telnet
SSH
