User Security

This section covers the following:

AAA Configuration

Authentication, Authorization, and Accounting Overview

This section contains the following topics:

Methods

The switch controls access to eos commands by authenticating user identity and verifying user authorization. Authentication, Authorization, and Accounting (AAA) activities are conducted through three data services -a local security database, TACACS+ servers, and RADIUS servers. Configuring the Security Services describes these services.

Configuration Statements

Enabling AAA on the switch requires two steps:

  1. Configure security service parameters.
    The switch provides configuration commands for each security service:
    • A local file supports authentication through username and enable password commands.
      • TACACS+ servers provide security services through tacacs-server commands.
      • RADIUS servers provide security services through radius-server commands.
    • Configuring the Security Services describes security service configuration commands.
  2. Activate AAA services.

    eos provides aaa authorization, aaa authentication, and aaa accounting commands to select the primary and backup services. Activating Security Services provides information on implementing a security environment.

Encryption

The switch uses clear-text passwords and server access keys to authenticate users and communicate with security systems. To prevent accidental disclosure of passwords and keys, running-config stores their corresponding encrypted strings. The encryption method depends on the type of password or key.

Commands that configure passwords or keys can accept the clear-text password or an encrypted string that was generated by the specified encryption algorithm with the clear-text password as the seed.

Configuring the Security Services

The switch can access three security data services to authenticate users and authorize switch tasks: a local file, TACACS+ servers, and RADIUS Servers.

This section contains the following topics:

Local Security File

The local file uses passwords to provide these authentication services:
  • authenticate users as they log into the switch.
  • control access to configuration commands.
  • control access to the switch root login.

The local file contains username-password combinations to authenticate users. Passwords also authorize access to configuration commands and the switch root login.

Passwords
The switch recognizes passwords as clear text and encrypted strings.
  • Clear-text passwords are the text that a user enters to access the CLI, configuration commands, or the switch root login.
  • Encrypted strings are SHA-512-encrypted strings generated with the clear text as the seed. The local file stores passwords in this format to avoid unauthorized disclosure. When a user enters the clear-text password, the switch generates the corresponding secure hash and compares it to the stored version.
    Note: The switch cannot recover the clear text from which an encrypted string is generated.

Valid passwords contain the characters A-Z, a-z, 0-9 and any of these punctuation characters:

! @ # $ % ^ & * ( ) - _ = + { } [ ] ; : < > , . ? / ~ \

Usernames

Usernames control access to the eos and all switch commands. The switch is typically accessed through an SSH login, using a previously defined username-password combination. To create a new username or modify an existing username, use the username command.

Valid usernames begin with A-Z, a-z, or 0-9 and may also contain any of these characters:

@   #   $   %   ^   &   *   -   _   =    +   ;   <   >   ,   .   ~   |

The default username is admin, which is described in Admin Username.

Examples
  • These equivalent commands create the username john and assign it the password x245. The password is entered in clear text because the encrypt-type parameter is omitted or zero.
    switch(config)# username john secret x245
    switch(config)# username john secret 0 x245
  • This command creates the username john and assigns it to the text password that corresponds to the encrypted string $1$sU.7hptc$TsJ1qslCL7ZYVbyXNG1wg1. The string was generated by an MD5-encryption program using x245 as the seed.
    switch(config)# username john secret 5 $1$sU.7hptc$TsJ1qslCL7ZYVbyXNG1wg1 
The username is authenticated by entering x245 when the CLI prompts for a password.
  • This command creates the username jane without securing it with a password. It also removes a password if the jane username exists.
    switch(config)# username jane nopassword
  • This command removes the username william from the local file.
    switch(config)# no username william
Logins by Unprotected Usernames

The default switch configuration allows usernames that are not password-protected to log in only from the console. The aaa authentication policy local allow-nopassword-remote-login command configures the switch to allow unprotected usernames to log in from any port. To reverse this setting to the default state, use no form of aaa authentication policy local allow-nopassword-remote-login.

Note: Allowing remote access to accounts without passwords is a severe security risk. Arista Networks recommends assigning strong passwords to all usernames.
Examples
  • This command configures the switch to allow unprotected usernames to log in from any port.
    switch(config)# aaa authentication policy local allow-nopassword-remote-login
  • This command configures the switch to allow unprotected usernames to log in only from the console port.
    switch(config)# no aaa authentication policy local allow-nopassword-remote-login
Enable Command Authorization

The enable command controls access to Privileged EXEC and all configuration command modes. The enable password authorizes users to execute the enable command. When the enable password is set, the CLI displays a password prompt when a user attempts to enter Privileged EXEC mode.

main-host> enable
Password:
main-host#

If an incorrect password is entered three times in a row, the CLI displays the EXEC mode prompt.

If no enable password is set, the CLI does not prompt for a password when a user attempts to enter Privileged EXEC mode.

To set the enable password, use the enable password command.

Examples
  • These equivalent commands assign xyrt1 as the enable password.
    switch(config)# enable password xyrt1
    switch(config)# enable password 0 xyrt1
  • This command assigns the enable password to the clear text 12345 corresponding to the encrypted string $1$8bPBrJnd$Z8wbKLHpJEd7d4tc5Z/6h/. The string was generated by an MD5-encryption program using 12345 as the seed.
     switch(config)# enable password 5 $1$8bPBrJnd$Z8wbKLHpJEd7d4tc5Z/6h/
  • This command deletes the enable password.
    switch(config)# no enable password
Root Account Password

The root account accesses the root directory in the underlying Linux shell. When it is not password protected, you can log into the root account only through the console port. After you assign a password to the root account, you can log into it through any port.

To set the password for the root account, use the aaa root command.

Examples
  • These equivalent commands assign f4980 as the root account password.
    switch(config)# aaa root secret f4980
    switch(config)# aaa root secret 0 f4980
  • This command assigns the text ab234 that corresponds to the encrypted string $1$HW05LEY8$QEVw6JqjD9VqDfh.O8r.b. as the root password.
    switch(config)# aaa root secret 5 $1$HW05LEY8$QEVw6JqjD9VqDfh.O8r.b
  • This command removes the password from the root account.
     switch(config)# aaa root nopassword
  • This command disables the root login.
    switch(config)# no aaa root

TACACS+

Terminal Access Controller Access-Control System Plus (TACACS+), derived from the TACACS protocol defined in RFC 1492, is a network protocol that provides centralized user validation services. TACACS+ information is maintained on a remote database. eos support of TACACS+ services requires access to a TACACS+ server.

TACACS+ manages multiple network access points from a single server. The switch defines a TACACS+ server connection by its address and port, allowing the switch to conduct multiple data streams to a single server by addressing different ports on the server.

These sections describe steps that configure access to TACACS+ servers. Configuring TACACS+ access is most efficiently performed when TACACS+ is functioning prior to configuring switch parameters.

Configuring TACACS+ Parameters

TACACS+ parameters define settings for the switch to communicate with TACACS+ servers. A set of values can be configured for individual TACACS+ servers that the switch accesses. Global parameters define settings for communicating with servers for which parameters are not individually configured.

The switch supports the following TACACS+ parameters.

Encryption Key
The encryption key is code that the switch and the TACACS+ server share to facilitate communications.
Examples
  • This command configures the switch to communicate with the TACACS+ server assigned the host name TAC_1 using the encryption key rp31E2v.
    switch(config)# tacacs-server host TAC-1 key rp31E2v 
  • This command configures cv90jr1 as the global encryption key.
    switch(config)# tacacs-server key 0 cv90jr1  
  • This command assigns cv90jr1 as the global key, using the corresponding encrypted string.
    switch(config)# tacacs-server key 7 020512025B0C1D70
Session Multiplexing
The switch supports multiplexing sessions on a single TCP connection.
  • The tacacs-server host command configures the multiplexing option for a specified server.
  • There is no global multiplexing setting.
Example
This command configures the switch to communicate with the TACACS+ server at 10.12.7.9 and indicates the server supports session multiplexing on a TCP connection.
switch(config)# tacacs-server host 10.12.7.9 single-connection
Timeout
The timeout is the period the switch waits for a successful connection to, or response from, the TACACS+ server. The default is 5 seconds.
Examples
  • This command configures the switch to communicate with the TACACS+ server assigned the host name TAC_1 and configures the timeout period as 20 seconds.
    switch(config)# tacacs-server host TAC_1 timeout 20 
  • This command configures 40 seconds as the period that the server waits for a response from a TACACS+ server before issuing an error.
    switch(config)# tacacs-server timeout 40
Port
The port specifies the port number through which the switch and the servers send information. The TACACS+ default port is 49.
  • The tacacs-server host command specifies the port number for an individual TACACS+ server.
  • The global TACACS+ port number cannot be changed from the default value of 49.
Example
This command configures the switch to communicate with the TACACS+ server at 10.12.7.9 through port 54.
switch(config)# tacacs-server host 10.12.7.9 port 54
TACACS+ Status

To display the TACACS+ servers and their interactions with the switch, use the show tacacs command.

Example
This command lists the configured TACACS+ servers.
switch(config)# show tacacs

server1: 10.1.1.45
connection opens: 15
connection closes: 6
connection disconnects: 6
connection failures: 0
connection timeouts: 2
Messages sent: 45
Messages received: 14
Receive errors: 2
Receive timeouts: 2
Send timeouts: 3

Last time counters were cleared: 0:07:02 ago

To reset the TACACS+ status counters, use the clear aaa counters tacacs+ command.

Example

This command clears all TACACS+ status counters.
switch(config)# clear aaa counters tacacs

RADIUS

Remote Authentication Dial-In User Service (RADIUS) is a networking protocol that provides centralized AAA services for computers connecting to and using network resources. RADIUS is used to manage access to the Internet, internal networks, wireless networks, and integrated email services.

These sections describe steps that configure RADIUS server access. Configuring RADIUS parameters is most efficiently performed when RADIUS is functioning prior to configuring switch parameters.

RADIUS Vendor-Specific Attribute-Value Pairs

RADIUS servers and client companies extend basic RADIUS functionality through vendor-specific attributes. A dictionary file includes a list of RADIUS attribute-value pairs that Arista switches use to perform AAA operations through the RADIUS server.

Arista switches use the following attribute values:
  • Arista Vendor number: 30065
  • Attribute: Arista-AVPair 1 string
Acceptable string values for Arista-AVPair include:
  • shell:priv-lvl=<privilege level of a user, 0-15>
  • shell:roles=<list of roles for a user>
Example
This is a sample dictionary file that identifies Arista RADIUS vendor-specific attribute value pairs.
#
# dictionary.arista
#
VENDOR           Arista    30065
#   Standard Attribute
BEGIN-VENDOR     Arista
ATTRIBUTE        Arista-AVPair    1    string
END-VENDOR       Arista
Configuring RADIUS Defaults

RADIUS policies specify settings for the switch to communicate with RADIUS servers. A set of values can be configured for individual RADIUS servers that the switch accesses. Global parameters define settings for communicating with servers for which parameters are not individually configured.

The switch defines the following RADIUS parameters.

Encryption Key
The encryption key is the key shared by the switch and RADIUS servers to facilitate communications.
Examples
  • This command configures the switch to communicate with the RADIUS server assigned the host name RAD-1 using the encryption key rp31E2v.
    switch(config)# radius-server host RAD-1 key rp31E2v
  • This command configures cv90jr1 as the global encryption key.
     switch(config)# radius-server key 0 cv90jr1
  • This command assigns cv90jr1 as the key by specifying the corresponding encrypted string.
    switch(config)# radius-server key 7 020512025B0C1D70
Timeout
The timeout is the period that the switch waits for a successful connection to, or response from, a RADIUS server. The default period is 5 seconds.
Examples
  • This command configures the switch to communicate with the RADIUS server assigned the host name RAD-1 and configures the timeout period as 20 seconds.
    switch(config)# radius-server host RAD-1 timeout 20
  • This command configures 50 seconds as the period that the server waits for a response from a RADIUS server before issuing an error.
    switch(config)# radius-server timeout 50
Retransmit
Retransmit is the number of times the switch attempts to access the RADIUS server after the first server timeout expiry. The default value is 3 times.
Examples
  • This command configures the switch to communicate with the RADIUS server assigned the host name RAD-1 and configures the retransmit value as 2.
    switch(config)# radius-server host RAD-1 retransmit 2
  • This command configures the switch to attempt five RADIUS server contacts after the initial timeout. If the timeout parameter is set to 50 seconds, then the total period that the switch waits for a response is ((5+1)*50) = 300 seconds.
    switch(config)# radius-server retransmit 5
Deadtime
Deadtime is the period when the switch ignores a non-responsive RADIUS server or a server that does not answer retransmit attempts after timeout expiry. Deadtime is disabled if a value is not specified.
Examples
  • This command configures the switch to communicate with the RADIUS server assigned the host name RAD-1 and configures the deadtime period as 90 minutes.
    switch(config)# radius-server host RAD-1 deadtime 90
  • This command programs the switch to ignore a server for two hours if the server does not respond to a request during the timeout-retransmit period.
    switch(config)# radius-server deadtime 120
Port
The port specifies the port number through which the switch and servers send information.
  • The radius-server host command specifies the port numbers for an individual RADIUS server.
  • The global RADIUS port numbers cannot be changed from the default values of 1812 for an authorization port and 1813 for an accounting port.

Example

These commands configure the switch to communicate with the RADIUS server named RAD-1 through port number 1850 for authorization and port number 1851 for accounting.
switch(config)# radius-server host RAD-1 auth-port 1850
switch(config)# radius-server host RAD-1 acct-port 1851

To remove the configuration for this server, use no radius-server host command and specify the hostname or IP address with both the authorization and accounting port numbers.

DSCP Support for CPU-generated Traffic
The Differentiated Services Code Point (DSCP) is a 6 bit field in the IP header, which marks traffic for providing Quality of Service (QoS). All protocol-specific traffic from the switch is marked with the configured DSCP value set individually for the following network management protocols:
  • RADIUS
  • TACACS
  • SNMP
  • SSH
  • sFlow
Configuring DSCP Value

The following commands are applicable to all platforms for configuring DSCP value.

Example

This command configures the DSCP value of 62 for RADIUS-server.

switch(config)# radius-server qos dscp 62

This command configures the DSCP value of 36 for TACACS-server.

Example
switch(config)# tacacs-server qos dscp 36

This command configures the DSCP value of 36 for snmp-server.

switch(config)# snmp-server qos dscp 36
Example

This command configures the DSCP value of 36 for sFlow.

switch(config)# sFlow qos dscp 36

This command configures the DSCP value of 36 for snmp-server.

switch(config)# snmp-server qos dscp 36
RADIUS Status

The show radius command displays configured RADIUS servers and their interactions with the switch.

Examples
  • This command lists the configured RADIUS servers.
    switch(config)# show radius
    
    server1: 10.1.1.45
    Messages sent: 24
    Messages received: 20
    Requests accepted: 14
    Requests rejected: 8
    Requests timeout: 2
    Requests retransmitted: 1
    Bad responses: 1
    Last time counters were cleared: 0:07:02 ago

    To reset the RADIUS status counters, use the clear aaa counters radius command.

  • This command clears all RADIUS status counters.
    switch(config)# clear aaa counters radius

AAA with LDAP

The switches support AAA with LDAP protocol for authentication and authorization using TLS communication with a remote LDAP server, and interoperates with Microsoft's ActiveDirectory when configured with LDAP plugins. LDAP authentication configuration is required for LDAP to work. AAA requests to servers are made in the order of their configuration. Once a server is marked as unreachable, it is tried only after all other servers are also found unreachable.

Configuring LDAP Authentication

For all platforms, the ldap command is configured from the management ldap mode and requires configuration files to provide remote authentication.

Active Directory Server with LDAP Plug-in Configured
The file extract below configures the authentication for rdn attribute user and search filter.
aaa authentication login default group ldap local
aaa authorization exec default group ldap local
!
management ldap
   server host ldap-server.samplecompany.com
   !
   server defaults
      base-dn dc=samplecompany,dc=com
      rdn attribute user cn
      ssl-profile testProfile
      authorization group policy basic-role-example
      search username cn=ldap-admin-acct,OU=ServiceAccounts,OU=Sample,dc=samplecompany,dc=com password 0 secretString
   !
   group policy basic-role-example
      search filter objectclass group attribute member
      group "Network Admin" role network-admin
      group "Network Newbie" role network-operator
!
management security
   ssl profile testProfile
      fips restrictions
      trust certificate caCert
!
The file extract below configures the management ldap mode.
management ldap
   server host ldap-server.samplecompany.com
      ssl-profile testProfile2
      authorization group policy company1
   !
   Server host ldap-server.company2.com
   !
   server defaults
      base-dn dc=samplecompany,dc=com
      rdn attribute user cn
      ssl-profile testProfile1
      authorization group policy basic-role-example
      search username cn=ldap-admin-acct,OU=ServiceAccounts,OU=Sample,dc=samplecompany,dc=com password 0 secretString
   !
   group policy basic-role-example
      search filter objectclass group attribute member
      group "Network Admin" role network-admin
      group "Network Newbie" role network-operator
   !
   group policy company1
      search filter objectclass group attribute member
      group "Network Admin2" role network-admin
      group "Network Newbie2" role network-operator
   !
Use LDAP with the following configuration as a minimum.
aaa authentication login default group ldap
!
management ldap
   server host <ldap server hostname/ip>
   !
   server defaults
      base-dn <base distinguished name>
      rdn attribute user <relative distinguished attribute name>
      search username <full distinguished name> password <password>

The configuration sets up aaa authentication with LDAP. The LDAP server supports IPv4, IPv6, hostnames, and VRFs for specifying the address. The RDN , relative distiguished name, is typically an attribute/value pair to specify a user. When a user attempts to connect to the switch, the admin username searches recursively for the RDNs which match the passed-in username from the base-dn folder to generate a shortened list of potential DNs, which are then searched for a match with the provided password.

Configuring LDAP Authorization

Active Directory Server with LDAP Plug-in Configured

The file extract below configures the authorization for a user.
aaa authorization exec default group ldap
!
management ldap
   server defaults
      authorization group policy basic-role-example
   !
   group policy basic-role-example
      search filter objectclass group attribute member
      group "Network Admin" role network-admin
      group "Network Newbie" role network-operator

The group / role maps an LDAP group to an eos role for RBAC. The matching is done so that the first group that is matched against results in the role being mapped to the user. before and after commands are used to insert rules in the appropriate priority.

The LDAP admin account uses the search filter command to search for LDAP groups which contain the user, where objectclass defines the object which contains the LDAP group and attribute is the entry attribute name which contains the DN of the group member.
TLS Communication

LDAP supports TLS communication using SSL profiles. A trust certificate, or multiple intermediate certificates, is required to verify the root of trust of the LDAP server. The server will not be used for authentication if ssl profiles are configured and the server does not support TLS or fails x509 verification. Other ssl profiles supported commands are:

  • fips restrictions
  • crl
  • tls version
  • cipher-list

Active Directory Server with LDAP Plug-in Configured

The file extract below configures TLS communication.
management ldap
   !
   server defaults
      ssl-profile testProfile
management security
   ssl profile testProfile
      trust certificate <root of trust>

Server Groups

A server group is a collection of servers that are associated with a single group name. Subsequent authorization and authentication commands can access all servers in a group by invoking the group name. The switch supports TACACS+ and RADIUS server groups.

The aaa group server commands create server groups and place the switch in a server-group configuration mode to assign servers to the group. Commands that reference an existing group place the switch in a server-group configuration mode to modify the group.

These commands create named server groups and enter the appropriate command mode for the specified group:

The server (server-group-RADIUS configuration mode) commands add servers to the configuration mode server group. Servers must be previously configured with a radius-server host or tacacs-server host command before they are added to a group.

Examples

  • This command creates the TACACS+ server group named TAC-GR and enters server-group configuration mode for the new group.
    switch(config)# aaa group server tacacs+ TAC-GR
    switch(config-sg-tacacs+-TAC-GR)#
  • These commands add two servers to the TAC-GR server group. To add servers to this group, the switch must be in sg-tacacs+-TAC-GR configuration mode.

    The CLI remains in server-group configuration mode after adding the TAC-1 server (port 49) and the server located at 10.1.4.14 (port 151) to the group.

    switch(config-sg-tacacs+-TAC-GR)# server TAC-1
    switch(config-sg-tacacs+-TAC-GR)# server 10.1.4.14 port 151
    switch(config-sg-tacacs+-TAC-GR)#
  • This command exits server-group configuration mode.
    switch(config-sg-tacacs+-TAC-GR)# exit
    switch(config)#
  • This command creates the RADIUS server group named RAD-SV1 and enters server-group configuration mode for the new group.
    switch(config)# aaa group server radius RAD-SV1
    switch(config-sg-radius-RAD-SV1)#
  • These commands add two servers to the RAD-SV1 server group. To add servers to this group, the switch must be in sg-radius-RAD-SV1 configuration mode.

    The CLI remains in server-group configuration mode after adding the RAC-1 server (authorization port 1812, accounting port 1813) and the server located at 10.1.5.14 (authorization port 1812, accounting port 1850) to the group.

    switch(config-sg-radius-RAD-SV1)# server RAC-1
    switch(config-sg-radius-RAD-SV1)# server 10.1.5.14 acct-port 1850
    switch(config-sg-radius-RAD-SV1)#

Role-Based Authorization

Role-based authorization is a method of restricting access to CLI commands through the assignment of profiles, called roles, to user accounts. Each role consists of rules that permit or deny access to a set of commands within specified command modes.

All roles are accessible to the local security file through a username parameter and to remote users through RADIUS or TACACS+ servers. Each role can be applied to multiple user accounts. Only one role may be applied to a user.

Role Types

The switch defines two types of roles: user-defined and built-in.
  • User-defined roles are created and edited through CLI commands.
  • Built-in roles are supplied with the switch and are not user-editable.

Built-in roles supplied by the switch are network-operator and network-admin.

Role Structure

A role is an ordered list of rules that restricts access to specified commands from users on whom it is applied. Roles consist of deny and permit rules. Each rule references a set of command modes and contains a regular expression that specifies one or more CLI commands. Commands are compared sequentially to the rules within a role until a rule's regular expression matches the command.
  • Commands that match a regular expression in a permit rule are executed.
  • Commands that match a regular expression in a deny rule are disregarded.
  • Commands that do not match a regular expression are evaluated against the next rule in the role.

Upon its entry in the CLI, a command is compared to the first rule of the role. Commands that match the rule are executed (permit rule) or disregarded (deny rule). Commands that do not match the rule are compared to the next rule. This process continues until the command either matches a rule or the rule list is exhausted. The switch disregards commands not matching any rule.

Role Rules

Role rules consist of four components: sequence number, filter type, mode expression, and command expression.

Sequence Number

The sequence number designates a rule’s placement in the role. Sequence numbers range in value from 1 to 256. Rule commands that do not include a sequence number append the rule at the end of the list, deriving its sequence number by adding 10 to the sequence number of the last rule in the list.

Example

These rules have sequence numbers 10 and 20.
10 deny mode exec command reload
20 deny mode config command (no |default )?router
Filter Type

The filter type specifies the disposition of matching commands. Filter types are permit and deny. Commands matching permit rules are executed. Commands matching deny rules are disregarded.

Example

These rules are deny and permit rules, respectively.
10 deny mode exec command reload
20 permit mode config command interface
Mode Expression

The mode expression specifies the command mode under which the command expression is effective. The mode expression may be a regular expression or a designated keyword. Rules support the following mode expressions:

  • exec EXEC and Privileged EXEC modes
  • config Global Configuration Mode
  • config-all All configuration modes, including Global Configuration Mode
  • short_name
  •  short key name of a command mode (exact match)
  • long_name long key name of a command mode (regular expression match of one or more modes)
  • no parameter all command modes
The prompt command configures the CLI to display a configuration mode’s key name:
  • %P long key name
  • %p short key name
Examples
  • These commands use the prompt command to display short key name (if) and long key name (if-Et1) for interface ethernet 1.
    switch(config)# prompt switch%p
    switch(config)# interface ethernet 1
    switch(config-if)# exit
    switch(config)# prompt switch%P
    switch(config)# interface ethernet 1
    switch(config-if-Et1)#

    The command supports the use of regular expressions to reference multiple command modes.

  • These regular expressions correspond to the listed command modes:
    • if-Vlan(1|2)     matches interface-VLAN 1 or interface-VLAN 2.
    • if     matches all interface modes.
    • acl-text1     matches ACL configuration mode for text1 ACL.
Command Expression

The command expression is a regular expression that corresponds to one or more CLI commands.

Examples

These regular expressions correspond to the specified commands:
  • reload reload command
  • (no |default )? router commands that enter routing protocol configuration modes
  • (no |default )?(ip|mac) access-list commands that enter ACL configuration modes
  • (no |default )?(ip|mac) access-group commands that bind ACLs to interfaces
  • lacp | spanning-tree LACP and STP commands
  • .* all commands

Creating and Modifying Roles

This section contains the following topics:
Built-in Role
The switch provides the following two built-in roles:
  • network-operator Allows all commands in EXEC (Privileged) modes. Commands in all other modes are denied.
  • network-admin Allows all CLI commands in all modes.

The network-admin role is typically assigned to the admin user to allow it to run any command.

Built-in roles are not editable.

Example

These show users roles commands display the contents of the built-in roles.
switch(config)# show users roles network-operator
The default role is network-operator
role: network-operator
        10 deny mode exec command bash|\|
        20 permit mode exec command .*
switch(config)# show users roles network-admin
The default role is network-operator
role: network-admin
        10 permit command .*
switch(config)#
Managing Roles
Creating and Opening a Role

Roles are created and modified in Role configuration mode. To create a role, enter the role command with the role’s name. The switch enters Role configuration mode. If the command is followed by the name of an existing role, subsequent commands edit that role.

Example

This command places the switch in Role configuration mode to create a role named sysuser.
switch(config)# role sysuser
switch(config-role-sysuser)#
Saving Role Changes

Role configuration mode is a group-change mode; changes are saved by exiting the mode.

Examples
  • These commands create a role, then add a deny rule to the role. Because the changes are not yet saved, the role remains empty, as shown by show users roles.
    switch(config)# role sysuser
    switch(config-role-sysuser)# deny mode exec command reload
    switch(config-role-sysuser)# show users roles sysuser
    The default role is network-operator
    
    switch(config-role-sysuser)#
  • To save all current changes to the role and exit role configuration mode, type exit.
    switch(config-role-sysuser)# exit
    switch(config)# show users roles sysuser
    The default role is network-operator
    
    role: sysuser
            10 deny mode exec command reload
    switch(config)#
    Note: After exiting role mode, running-config must be saved to startup-config to preserve role changes past system restarts.
Discarding Role Changes

The abort command exits Role configuration mode without saving pending changes.

Example

These commands enter Role configuration mode to add deny rules, but discard the changes before saving them to the role.
switch(config)# role sysuser
switch(config-role-sysuser)# deny mode exec command reload
switch(config-role-sysuser)# abort
switch(config)# show users roles sysuser
The default role is network-operator

switch(config)#
Modifying Roles
Adding Rules to a Role

The deny (Role) command adds a deny rule to the configuration mode role. The permit (Role) command adds a permit rule to the configuration mode role.

To append a rule to the end of a role, enter the rule without a sequence number while in Role Configuration Mode. The new rule's sequence number is derived by adding 10 to the last rule's sequence number.

Example

These commands enter the first three rules into a new role.
switch(config)# role sysuser
switch(config-role-sysuser)# deny mode exec command reload
switch(config-role-sysuser)# deny mode config command (no |default )?router
switch(config-role-sysuser)# permit command .*
switch(config-role-sysuser)# exit
switch(config)# show users roles sysuser
The default role is network-operator

role: sysuser
        10 deny mode exec command reload
        20 deny mode config command (no |default )?router
        30 permit command .*
switch(config)#
Inserting a Rule

To insert a rule into a role, enter the rule with a sequence number between the existing rules numbers.

Example

This command inserts a rule between the first two rules by assigning it the sequence number 15.
switch(config)# role sysuser
switch(config-role-sysuser)# 15 deny mode config-all command lacp
switch(config-role-sysuser)# exit
switch(config)# show users roles sysuser
The default role is network-operator

role: sysuser
        10 deny mode exec command reload
        15 deny mode config-all command lacp
        20 deny mode config command (no |default )router
        30 permit command .*
switch(config)#
Deleting a Rule
To remove a rule from the current role, perform one of these commands:
  • Enter no, followed by the sequence number of the rule to be deleted.
  • Enter no, followed by the rule be deleted.
  • Enter default, followed by the sequence number of the rule to be deleted.
  • Enter default, followed by the rule to be deleted.
Example
  • These equivalent commands remove rule 30 from the list.
    switch(config-role-sysuser)# no 30
    switch(config-role-sysuser)# default 30
    switch(config-role-sysuser)# no permit command .*
    
    switch(config-role-sysuser)# default permit command .*
  • This role results from entering one of the preceding commands.

    switch(config)# show users roles sysuser
    The default role is network-operator
    
    role: sysuser
            10 deny mode exec command reload
            15 deny mode config-all command lacp|spanning-tree
            20 deny mode config command (no |default )router
    switch(config)#
Redistributing Sequence Numbers

Sequence numbers determine the order of the rules in a role. After a list editing session where existing rules are deleted and new rules are inserted between existing rules, the sequence number distribution may not be uniform. Redistributing rule numbers changes adjusts the sequence number of rules to provide a constant difference between adjacent rules. The resequence (Role) command adjusts the sequence numbers of role rules.

Example

The resequence command renumbers rules in the sysuser role. The sequence number of the first rule is 100; subsequent rules numbers are incremented by 20.
switch(config)# show users roles sysuser
The default role is network-operator

role: sysuser
        10 deny mode exec command reload
        20 deny mode config-all command lacp|spanning-tree
        25 deny mode config command (no |default )?router
        30 permit command .*
switch(config)# role sysuser
switch(config-role-sysuser)# resequence 100 20
switch(config-role-sysuser)# exit
switch(config)# show users roles sysuser
The default role is network-operator

role: sysuser
        100 deny mode exec command reload
        120 deny mode config-all command lacp|spanning-tree
        140 deny mode config command (no |default )?router
        160 permit command .*
switch(config)#

Assigning a Role to a Username

Roles are assigned to local users through the username command and to remote users through RADIUS servers or TACACS+ servers. Each user is assigned one role. Each role can be assigned to multiple local and remote users.

Default Roles

Users that are not explicitly assigned a role are assigned the default role. The aaa authorization policy local default-role command designates the default role. The network-operator built-in role is the default role when the default role is not configured.

Examples
  • These commands assign sysuser as the default role, then display the name of the default role.
    switch(config)# aaa authorization policy local default-role sysuser
    switch(config)# show users roles
    The default role is sysuser
    
    switch(config)#
  • These commands restore network-operator as the default role by deleting the aaa authorization policy local default-role statement from running-config, then display the default role name.

    switch(config)# no aaa authorization policy local default-role
    switch(config)# show users roles
    The default role is network-operator
    
    switch(config)#
Local Security File (Username Command)

Roles are assigned to users with the username command's role parameter. A username whose running-config username statement does not include a role parameter is assigned the default role.

The role parameter function in a command creating a username is different from its function in a command editing an existing name.

Assigning a Role to a New Username

A username command creating a username explicitly assigns a role to the username by including the role parameter; commands without a role parameter assigns the default role to the username.

ExampleThese commands create two usernames. The first user is assigned a role; the second user assumes the default role.
switch(config)# username FRED secret 0 axced role sysuser1
switch(config)# username JANE nopassword
switch(config)# show running-config
<-------OUTPUT OMITTED FROM EXAMPLE-------->
!
username FRED role sysuser1 secret 5 $1$dhJ6vrPV$PFOvJCX/vcqyIHV.vd.l20
username JANE nopassword
!
<-------OUTPUT OMITTED FROM EXAMPLE-------->
switch(config)#
Editing the Role of an Existing Username

The role of a previously configured username may be edited by a username command without altering its password. The role assignment of a username is not changed by username commands that do not include a role parameter.

Examples
  • These commands assign a role to a previously configured username.
    switch(config)# username JANE role sysuser2
    switch(config)# show running-config
    
    <-------OUTPUT OMITTED FROM EXAMPLE-------->
    !
    username FRED role sysuser1 secret 5 $1$dhJ6vrPV$PFOvJCX/vcqyIHV.vd.l20
    username JANE role sysuser2 nopassword
    !
    
    <-------OUTPUT OMITTED FROM EXAMPLE-------->
    switch(config)#
  • These commands reverts a username to the default role by removing its role assignment.
    switch(config)# no username FRED role
    switch(config)# show running-config
    <-------OUTPUT OMITTED FROM EXAMPLE-------->
    !
    
    username FRED secret 5 $1$dhJ6vrPV$PFOvJCX/vcqyIHV.vd.l20
    username JANE role sysuser2 nopassword
    !
    <-------OUTPUT OMITTED FROM EXAMPLE-------->
    switch(config)#
Displaying the Role Assignments

The show users accounts command displays role assignment of the configured users. The show users detail command displays roles of users that are currently logged into the switch.

Examples
  • This command displays the configured users and their role assignments.
    switch(config)# show users accounts
    user: FRED
           role: <unknown>
           privilege level: 1
    user: JANE
           role: sysuser2
           privilege level: 1
    user: admin
           role: network-admin
           privilege level: 1
    switch(config)#
  • This command displays information about the active AAA login sessions.
    switch(config)# show aaa session
    Session  Username  Roles             TTY    State Duration  Auth          Remote Host
    -------  --------- ------------      ------ ----- --------  ------------- ------------
    2         admin     network-operator ttyS0   E     0:01:21  local
    4         Fred      sysadmin         telnet  E     0:02:01  local         sf.example.com
    6         Jane      sysuser2         ssh     E     0:00:52  group radius  ny.example.com
    9         admin     network-admin    ssh     E     0:00:07  local         bj.example.com
    10        max       network-admin    telnet  E     0:00:07  local         sf.example.com
Radius Servers

A role can be assigned to a remote user authenticated through a RADIUS server. Roles are assigned through the vendor-specific Attribute-Value (AV) pair named “Arista-AVPair.” The switch extracts the remote user’s role upon a successful authentication when RADIUS authentication is enabled.

Example

This file extract is sample FreeRadius server code that includes the AV pair that assigns roles to three remote users.
# Sample RADIUS server users file
"Jane"          Cleartext-Password := "Abc1235"
                Arista-AVPair = "shell:roles=sysuser2",
                Service-Type = NAS-Prompt-User
"Mary"          Cleartext-Password := "xYz$2469"
                Arista-AVPair = "shell:roles=sysadmin",
                Service-Type = NAS-Prompt-User
"Fred"          Cleartext-Password := "rjx4#222"
                Arista-AVPair = "shell:roles=network-operator",
                Service-Type = NAS-Prompt-User

The aaa authentication login command selects the user authentication service (see Configuring Service Lists ).

Example

This command configures the switch to authenticate users through all RADIUS servers.
switch(config)# aaa authentication login default group radius
Enable Role-Based Access Control

To enable Role-Based Access Control on the switch, apply the following configuration:

 switch(config)# aaa authorization commands all default local 

AAA and X.509 Authentication

Configure AAA to support X.509 Certificates for Secure Shell (SSH) connections to securely send commands over an unsecured network. X.509 certificates use a type of public key authentication, and must be enabled on the switch.

When a user attempts to log into the network using an X.509 certificate, eos performs a check to ensure that the certificate grants permissions and compares the username to names extracted from the certificate. By default, an exact match must be located. The configuration extracts subject alternative names (SANs) from the X.509 certificate, and eos supports uniform resource identifiers (URIs), an email format as defined in RFC822, and the otherName format for Microsoft Active Directory User Principal Name (UPN). If a match cannot be located, the common name is extracted and checked.

Table 1. Default Behavior of Validating Usernames
  Name Extracted from the Certificate
Login User Name Username This email address is being protected from spambots. You need JavaScript enabled to view it.
Username Valid Match Match Failure
This email address is being protected from spambots. You need JavaScript enabled to view it. Match Failure Valid Match

Successful login attempts must match one of the names on the certificate.

Before configuring X.509 authentication, enable public-key authentication and keyboard interactive on the switch.

switch(config)#management ssh
switch(config-mgmt-ssh)#authentication protocol public-key keyboard-interactive

Configuring a Secure Socket Layer (SSL) Profile for X.509 Authentication

You must add at least one trusted certificate (CA) to allow X.509 authentication, and specify a Certificate Revocation List (CRL) with revoked certificates.

To enable X.509 on a switch, configure an SSL profile, x509-profile, to link to the SSH configuration:

switch(config)#management security
switch(config-mgmt-security)#ssl profile x509-profile

Add the trusted certificate, trusted-cert, to the configuration:

switch(config-mgmt-sec-profile-x509-profile)#trust trusted-cert

Add the name of the applicable Certificate Revocation List (CRL), my-crl:

switch(config-mgmt-sec-profile-x509-profile)#revocation crl name my-crl

Next, enable public-key authentication on the switch, and add the SSL profile, x509-profile:

switch(config)#management ssh
switch(config-mgmt-ssh)#authentication x509
switch(config-mgmt-ssh-auth-x509)#server ssl profile x509-profile

Configuring X.509 to Omit Domains from the Usernames

Names extracted from the X.509 certificates include domain names, and in some cases, you may want to omit the domain name from the X.509 certificates when comparing the usernames with the login name. To omit the domain name, use the following commands:

switch(config)#management ssh
switch(config-mgmt-ssh)#authentication x509
switch(config-mgmg-ssh-auth-x509)#username domain omit

When configured, the following login behavior occurs on the switch:

Table 2. Default Behavior when Omitting Domains from Usernames
  Name Extracted from the Certificate
Login User Name Username This email address is being protected from spambots. You need JavaScript enabled to view it.
Username Valid Match Valid Match
This email address is being protected from spambots. You need JavaScript enabled to view it. Match Failure Match Failure

Configuring an Online Certificate Status Profile (OCSP) for X.509 Certificates

Instead of using a CRL to perform certificate validation, use an OCSPquery to an authorized server for the revocation status of a certificate. Performing an OCSP lookup requires access to a remote OCSP server, or a local OSCP server. Configure an OCSP profile with the appropriate settings for your network.

Note: The OCSP server must be reachable from the default VRF.

Use the following commands to enable OCSP on the switch, and add the OCSP profile, myOCSP:

switch(config)#managment security
switch(config-mgmt-security)#ocsp profile myOSCP                
            

Link an OCSP profile to an SSL profile by adding the parameter, revocation ocsp profile.

Specify a timeout in seconds from one (1) to 600 with a default timeout of 30 seconds.

switch(config-mgmt-sec-ocsp-profile-myOCSP)#timeout 120

Ovveride the OCSP responder and use a URL to a OCSP server for all OCSP queries instead of the values in the X.509 certificate:

switch(config-mgmt-sec-ocsp-profile-myOCSP)#url http://www.myocspserver.com
Note: eos only supports HTTP requests for OCSP queries.

Add an extension request and response nonce behavior to the configuration. By default, a response contains a nonce but doesn't treat the absence of one as a failure. Configure this parameter to require a nonce in the request or not send one at all. In this case, disable the nonce request:

switch(config-mgmt-sec-ocsp-profile-myOCSP)#extension nonce request disabled

Configure certificates in the chain that require validation using OCSP. By default, the profile uses all. This requires the entire chain up to but not including the root CA to validate with OCSP. If set to leaf, only the client certificate must be validated using OCSP. If set to none, then OCSP only performs validation on certificates with an OCSP responder specified.

switch(config-mgmt-sec-ocsp-profile-myOCSP)#chain certificate requirement responder all

Displaying X.509 Certification Configuration

Use the following command to display the X.509 Authentication configuration:

switch(config)#show run section management ssh
management ssh
   authentication X.509
   server ssl profile x509-profile
   username domain omit

The command, show management ssh, includes additional information about the X.509 authentication configuration:

switch(config)#show management ssh
User certificate authentication methods: x509-certificates
SSL profile: X509-profile invalid. See "show management security ssl profile” output for details.

To display details about the SSL profile configured for SSH authentication, use the show management security ssl profile command:

switch(config)#show management security ssl profile
Profile                State   Additional Information
---------------------- ------- ----------------------
ARISTA_DEFAULT_PROFILE valid                         
x509-profile           invalid Profile has no data

To display the SSL profile and OCSP profile information, use the following command:

switch(config)#show run section management security
management security
   ocsp profile myOCSP
     chain certificate requirement responder leaf
   extension nonce request response
   timeout 20
   url http://127.0.0.1:8080
   !
   ssl profile X509-profile
    …
   revocation ocsp profile revoke-ocsp
    …

In the output, only the leaf certificate validates, and an extension request requires a nonce. The timeout occurs after 20 seconds, and the URL for certificate validation set to the local address.

Activating Security Services

After configuring the access databases, aaa authentication, aaa authorization, and aaa accounting commands designate active and backup services for handling access requests.

These sections describe the methods of selecting the database that the switch uses to authenticate users and authorize access to network resources.

Authenticating Usernames and the Enable Password

Service lists specify the services the switch uses to authenticates usernames and the enable password.

Service List Description

Service list elements are service options, ordered by their priority.

Note: When the local file is one of the service list elements, any attempts to locally authenticate a username that is not included in the local file will result in the switch continuing to the next service list element.
Example
This is an example service list for username authentication:
  1. Location_1 server group - specifies a server group (see Server Groups ).
  2. Location_2 server group - specifies a server group.
  3. TACACS+ servers - specifies all hosts for which a tacacs-server host command exists.
  4. Local file - specifies the local file.
  5. None - specifies that no authentication is required - all access attempts succeed.

To authenticate a username, the switch checks Location_1 server group. If a server in the group is available, the switch authenticates the username through that group. Otherwise, it continues through the list until it finds an available service or utilizes option 5, which allows the access attempt to succeed without authentication.

Configuring Service Lists
Service lists are incorporated into these aaa authentication commands to specify services the switch uses to authenticate usernames and the enable password.
Examples
  • This command configures the switch to authenticate usernames through the TAC-1 server group. The local database is the backup method if TAC-1 servers are unavailable.
    switch(config)# aaa authentication login default group TAC-1 local
  • This command configures the switch to authenticate usernames through all TACACS+ servers, then all RADIUS servers if the TACACS+ servers are not available. If the RADIUS servers are unavailable, the switch does not authenticate any login attempts.
    switch(config)# aaa authentication login default group tacacs+ group radius none
  • This command configures the switch to authenticate the enable password through all TACACS+ servers, then through the local database if the TACACS+ servers are unavailable.
    switch(config)# aaa authentication enable default group TACACS+ local

AAA Time-based Lockout

AAA time-based lockout enables managing remote user unsuccessful login attempts for a configurable time duration.

 

  • aaa authentication policy lockout failure command locks the remote user from getting access for a specific duration of time after specific consecutive unsuccessful login attemps within a lockout period. In the following example, a user is allowed 4 attempts to log in within a duration of 1 day (the default window). If the user has 4 unsuccessful consecutive logins, the person will be locked out of the account for 360 seconds.
    switch(config)# aaa authentication policy lockout failure 4 
    duration 360
  • show aaa authentication lockout command displays the status of locked-out users.
    switch# show aaa authentication lockout
  • clear aaa authentication lockout command clears the locked status of a user so as to allow access within a lockout period.
    switch# clear aaa authentication lockout

Authorization

Authorization commands control eos shell access, CLI command access, and configuration access through the console port. The switch also supports role-based authorization, which allows access to specified CLI commands by assigning command profiles (or roles) to usernames. See Role-Based Authorization for details.

During the exec authorization process, TACACS+ server responses may include attribute-value (AV) pairs. The switch recognizes the mandatory AV pair named priv-lvl=x (where x is between 0 and 15).

By default, a TACACS+ server that sends any other mandatory AV pair is denied access to the switch. The receipt of optional AV pairs by the switch has no affect on decisions to permit or deny access to the TACACS+ server. The tacacs-server policy command programs the switch to allow access to TACACS+ servers that send unrecognized mandatory AV pairs.

Authorization to switch services is configured by the following aaa authorization commands.
Examples
  • This command specifies that TACACS+ servers authorize users attempting to open a CLI shell.
    switch(config)# aaa authorization exec default group tacacs+ 
  • This command programs the switch to authorize configuration commands (privilege level 15) through the local file and to deny command access to users not listed in the local file.
    switch(config)# aaa authorization commands all default local
  • This command programs the switch to permit all commands entered on the CLI.
    switch(config)# aaa authorization commands all default none
  • This command configures the switch to permit access to TACACS+ servers that send unrecognized mandatory AV pairs.
     switch(config)# tacacs-server policy unknown-mandatory-attribute ignore
All commands are typically authorized through aaa authorization commands. However, the no aaa authorization config-commands command disables the authorization of configuration commands. In this state, authorization to execute configuration commands can be managed by controlling access to global configuration commands. The default setting authorizes configuration commands through the policy specified for all other commands.
  • To enable the authorization of configuration commands with the policy specified for all other commands, enter aaa authorization config-commands.
  • To require authorization of commands entered on the console, enter aaa authorization serial-console.

    By default, eos does not verify authorization of commands entered on the console port.

Examples
  • This command disables the authorization of configuration commands.
    switch(config)# no aaa authorization config-commands
  • This command enables the authorization of configuration commands.

    switch(config)# aaa authorization config-commands
  • This command configures the switch to authorize commands entered on the console, using the method specified through a previously executed aaa authorization command.

    switch(config)# aaa authorization serial-console

Accounting

The accounting service collects information for billing, auditing, and reporting. The switch supports TACACS+ and RADIUS accounting by reporting user activity to either the TACACS+ server or RADIUS server in the form of accounting records.

The switch supports two types of accounting:
  • EXEC: Provides information about user CLI sessions.
  • Commands: Command authorization for all commands, including configuration commands that are associated with a privilege level.
The accounting mode determines when accounting notices are sent. Mode options include:
  • start-stop: a start notice is sent when a process begins; a stop notice is sent when it ends.
  • stop-only: a stop accounting record is generated after a process successfully completes.

Accounting is enabled by the aaa accounting command.

Examples
  • This command configures the switch to maintain start-stop accounting records for all commands executed by switch users and submits them to all TACACS+ hosts.
    switch(config)# aaa accounting commands all default start-stop group tacacs+
  • This command configures the switch to maintain stop accounting records for all user EXEC sessions performed through the console and submits them to all TACACS+ hosts.
    switch(config)# aaa accounting exec console stop group tacacs+

TACACS+ Configuration Examples

These sections describe two sample TACACS+ host configurations.

Single Host Configuration

The example single host configuration consists of a TACACS+ server with these attributes:
  • IP address: 10.1.1.10.
  • encryption key: example_1.
  • port number: 49 (global default).
  • timeout: 5 seconds (global default).

The switch authenticates the username and enable command against all TACACS+ servers which, in this case, is one host. If the TACACS+ server is unavailable, the switch authenticates with the local file.

  1. This step configures TACACS+ server settings port number and timeout are global defaults.
    switch(config)# tacacs-server host 10.1.1.10 key example_1
  2. This step configures the login authentication service.
    switch(config)# aaa authentication login default group tacacs+ local
  3. This step configures the enable command password authentication service.
    switch(config)# aaa authentication enable default group tacacs+ local

Multiple Host Configuration

The example multiple host configuration consists of three TACACS+ servers at these locations:
  • IP address 10.1.1.2 - port 49.
  • IP address 172.16.4.12 - port 4900.
  • IP address 192.168.2.10 - port 49.
The configuration combines the servers into these server groups:
  • Bldg_1 group consists of the servers at 10.1.1.2 and 172.16.4.12.
  • Bldg_2 group consists of the servers at 192.168.2.10.
All servers use these global TACACS+ defaults:
  • encryption key - example_2.
  • timeout - 10 seconds.
The switch authenticates these access methods:
  • username access against Bldg_1 group then, if they are not available, against the local file.
  • enable command against Bldg_2 group, then Bldg_1 group, then against the local file.
  1. TACACS+ Host commands:

    These commands configure the IP address and ports for the three TACACS+ servers. The port for the first and third server is default 49.

    switch(config)# tacacs-server host 10.1.1.12
    switch(config)# tacacs-server host 172.16.4.12 port 4900
    switch(config)# tacacs-server host 192.168.2.10
  2. Global Configuration Commands:

    These commands configure the global encryption key and timeout values.

    switch(config)# tacacs-server key example_2
    switch(config)# tacacs-server timeout 10
  3. Group Server Commands:

    The aaa group server commands create the server groups and place the CLI in server group configuration mode, during which the servers are placed in the group. The port number must be included if it is not the default port, as in the line that adds 192.168.1.1.

    switch(config)# aaa group server tacacs+ Bldg_1  
    switch(config-sg-tacacs+-Bldg_1)# server 10.1.1.2  
    switch(config-sg-tacacs+-Bldg_1)# server 192.168.1.1 port 4900  
    switch(config-sg-tacacs+-Bldg_1)# exit  
    switch(config)# aaa group server tacacs+ Bldg_2  
    switch(config-sg-tacacs+-Bldg_2)# server 192.168.2.2  
    switch(config-sg-tacacs+-Bldg_2)# exit  
    switch(config)# 
  4. Login and enable configuration authentication responsibility commands:

    These commands configure the username and enable command password authentication services.

    switch(config)# aaa authentication login default group Bldg_1 local  
    switch(config)# aaa authentication enable default group Bldg_1 group Bldg_2 local

AAA Accounting for OpenConfig Remote Procedure Call (RPC) Messages Overview

OpenConfig allows network engineers to collaboratively develop programming interfaces and tools to manage networks dynamically and vendor-neutral manner. eos supports AAAA Accounting for gRPC Network management Interface (gNMI), gRPC Network Operations (gNOI) Interface, and gRPC Network Security Interface (gNSI) RPCs by logging the accounting records to a TACACS+ server, RADIUS server, or to a Syslog server.

AAA Commands

aaa accounting dot1x

The aaa accounting dot1x command enables the accounting of requested 802.1X services for network access.

The no aaa accounting dot1x and default aaa accounting dot1x commands disable the specified method list by removing the corresponding aaa accounting dot1x command from running-config.

Command Mode

Global Configuration

Command Syntax

aaa accounting dot1x default [METHOD_1][METHOD_2][METHOD_N]

no aaa accounting dot1x default

default aaa accounting dot1x default

Parameters
  • MODE accounting mode that defines when accounting notices are sent. Options include:
    • start-stop a start notice is sent when a process begins; a stop notice is sent when it ends.
  • METHOD_X server groups (methods) to which the switch can send accounting records. The switch sends the method list to the first listed group that is available.
  • Parameter value is not specified if MODE is set to none. If MODE is not set to none, the command must provide at least one method. Each method is composed of one of the following:

  • group name the server group identified by name.
    • group radius server group that includes all defined RADIUS hosts.
    • logging server group that includes all defined TACACS+ hosts.

Examples
  • This example configures IEEE 802.1X accounting on the switch.
    switch(config)# aaa accounting dot1x default start-stop group radius
    switch(config)#
  • This example disables IEEE 802.1X accounting on the switch.
    switch(config)# no aaa accounting dot1x default  
    switch(config)#

aaa accounting system

The aaa accounting system command performs accounting for all system-level events.

The no aaa accounting system and default aaa accounting system commands clear the specified method list by removing the corresponding aaa accounting system command from running-config.

Command Mode

Global Configuration

Command Syntax

aaa accounting system default [METHOD_1][METHOD_2] ... [METHOD_N]

no aaa accounting system default

default aaa accounting system default

Parameters
  • MODE accounting mode that defines when accounting notices are sent. Options include:
    • none no notices are sent.
    • start-stop a start notice is sent when a process begins; a stop notice is sent when it ends.
    • stop-only a stop accounting record is generated after a process successfully completes.
  • METHOD_X server groups (methods) to which the switch can send accounting records. The switch sends the method list to the first listed group that is available.
  • Parameter value is not specified if MODE is set to none. If MODE is not set to none, the command must provide at least one method. Each method is composed of one of the following:
    • group name the server group identified by name.
      • group radius server group that includes all defined RADIUS hosts.
      • group tacacs+ server group that includes all defined TACACS+ hosts.
      • logging server group that includes all defined TACACS+ hosts.
Examples
  • This command configures AAA accounting to not use any accounting methods for system events.
    switch(config)# aaa accounting system default none
    switch(config)#
  • This command configures the switch to maintain stop accounting records for system events to all defined RADIUS hosts.
    switch(config)# aaa accounting system default stop-only group radius
    switch(config)#

aaa accounting

The aaa accounting command configures accounting method lists for a specified authorization type. Each list consists of a prioritized list of methods. The accounting module uses the first available listed method for the authorization type.

The no aaa accounting and default aaa accounting commands clear the specified method list by removing the corresponding aaa accounting command from running-config.

Command Mode

Global Configuration

Command Syntax

aaa accounting TYPE connection MODE [METHOD_1][METHOD_2] ... [METHOD_N]

no aaa accounting TYPE connection

default aaa accounting TYPE connection

Parameters
  • TYPE authorization type for which the command specifies a method list. Options include:
    • EXEC records user authentication events.
    • COMMANDS ALL records all entered commands.
    • COMMANDS level records entered commands of the specified level (ranges from 0 to 15).
  • connection connection type of sessions for which method lists are reported. Options include:
    • console console connection.
    • default all connections not covered by other command options.
  • MODE accounting mode that defines when accounting notices are sent. Options include:
    • none no notices are sent.
    • start-stop a start notice is sent when a process begins; a stop notice is sent when it ends.
    • stop-only a stop accounting record is generated after a process successfully completes.
  • METHOD_X server groups (methods) to which the switch can send accounting records. The switch sends the method list to the first listed group that is available.
  • Parameter value is not specified if MODE is set to none. If MODE is not set to none, the command must provide at least one method. Each method is composed of one of the following:
    • group name the server group identified by name.
    • group radius server group that includes all defined RADIUS hosts.
    • group tacacs+ server group that includes all defined TACACS+ hosts.
    • logging log all accounting messages to Syslog.
Examples
  • This command configures the switch to maintain start-stop accounting records for all commands executed by switch users and submits them to all TACACS+ hosts.
    switch(config)# aaa accounting commands all default start-stop group tacacs+
    switch(config)#
  • This command configures the switch to maintain stop accounting records for all user EXEC sessions performed through the console and submits them to all TACACS+ hosts.
    switch(config)# aaa accounting exec console stop group tacacs+
    switch(config)#
  • This command configures the switch to maintain start-stop accounting records for all commands executed by switch users and submits them to all TACACS+ hosts.
    switch(config)# aaa accounting commands all default start-stop group tacacs+
    switch(config)#
  • This command configures the switch to maintain stop accounting records for all user EXEC sessions performed through the console and submits them to all TACACS+ hosts.
    switch(config)# aaa accounting exec console stop group tacacs+
    switch(config)#

aaa authentication dot1x

The aaa authentication dot1x command configures the default authentication list of requested 802.1X services for network access.

The no aaa authentication dot1x and default aaa authentication dot1x commands remove the default authentication list for IEEE 802.1X.

Command Mode

Global Configuration

Command Syntax

aaa authentication dot1x default group {group_name | radius}

no aaa authentication dot1x default

default aaa authentication dot1x

Parameters
  • default configures the default authentication list of requested 802.1X services for network access.
  • group configures server group.
  • group_name server group name; multiple group names can be entered in a single command.
  • radius list of all defined RADIUS hosts.
Example
This command configures the switch in the auth1 group for IEEE 802.1X authentication.
switch(config)# aaa authentication dot1x default group auth1
switch(config)#

aaa authentication enable

The aaa authentication enable command configures the service list that the switch references to authorize access to Privileged EXEC command mode.

The list consists of a prioritized list of service options. Available service options include the following:
  • A named server group
  • All defined TACACS+ hosts
  • All defined RADIUS hosts
  • Local authentication
  • No authentication

The switch authorizes access by using the first listed service option available. When the local file is a service list element, attempts to locally authenticate a usernamenot in the local file results in the switch continuing to the next service list element.

eos supports a console list for authorizing usernames through the console and a default list for authorizing usernames through all other connections.

  • If no console list exists, the console connection uses the default list.
  • If no default list exists, the list sets to local.

The no aaa authentication enable and default aaa authentication enable commands revert the list configuration to the default by removing the corresponding aaa authentication enable command from running-config.

Command Mode

Global Configuration

Command Syntax

aaa authentication enable [console|default] METHOD_1 [METHOD_2] ... [METHOD_N]

no aaa authentication enable [console|default] default

default aaa authentication enable [console|default] default

Parameters

console - Uses the console authentication list.

default - Uses the default authentication list.

METHOD_X authentication service method list. The command must provide at least one method. Each method consists of one of the following:
  • group name the server group identified by name.
  • group radius a server group that consists of all defined RADIUS hosts.
  • group tacacs+ a server group that consists of all defined TACACS+ hosts.
  • local local authentication.
  • none users are not authenticated; all access attempts succeed.
Example
This command configures the switch to authenticate the enable password through all configured TACACS+ servers. Local authentication is the backup if TACACS+ servers are unavailable.
switch(config)# aaa authentication default enable group TACACS+ local
switch(config)#

aaa authentication login

The aaa authentication login command configures service lists the switch references to authenticate usernames. Service lists consist of service options ordered by usage priority. The switch authenticates usernames through the first available service option. Supported service options include the following:
  • A named server group
  • All defined TACACS+ hosts
  • All defined RADIUS hosts
  • Local authentication
  • No authentication.

When the local file contains a service list element, attempts to locally authenticate a username not in the local file results in the switch continuing to the next service list element.

The switch supports a console list for authenticating usernames through the console and a default list for authenticating usernames through all other connections.

  • When the console list is not configured, the console connection uses the default list.
  • When the default list is not configured, it is set to local.

The no aaa authentication login and default aaa authentication login commands revert the specified list configuration to its default by removing the corresponding aaa authentication login command from running-config.

Command Mode

Global Configuration

Command Syntax

aaa authentication login connection SERVICE_1 [SERVICE_2] ... [SERVICE_N]

no aaa authentication login connection

default aaa authentication login connection

Parameters
  • connection connection type of sessions for which authentication list is used.
    • default the default authentication list.
    • console the authentication list for console logins.
  • SERVICE_X an authentication service. Settings include:
    • group name identifies a previously defined server group.
    • group radius a server group that consists of all defined RADIUS hosts.
    • group tacacs+ a server group that consists of all defined TACACS+ hosts.
    • local local authentication.
    • none The switch does not perform authentication. All access attempts succeed.
Examples
  • This command configures the switch to authenticate usernames through the TAC-1 server group. The local database is the backup method if TAC-1 servers are unavailable.
    switch(config)# aaa authentication login default group TAC-1 local
    switch(config)#
  • This command configures the switch to authenticate usernames through all TACACS+ servers, then all RADIUS servers if the TACACS+ servers are not available. If the RADIUS servers are also unavailable, the switch allows access to all login attempts without authentication.
    switch(config)# aaa authentication login default group tacacs+ group radius none
    switch(config)#

aaa authentication policy local allow-nopassword-remote-login

The aaa authentication policy local allow-nopassword-remote-login command permits usernames without passwords to log in from any port. The default switch setting only allows unprotected usernames to log in from the console.

The no aaa authentication policy local allow-nopassword-remote-login and default aaa authentication policy local allow-nopassword-remote-login commands return the switch to the default setting of allowing unprotected usernames to log in only from the console.

Command Mode

Global Configuration

Command Syntax

aaa authentication policy local allow-nopassword-remote-login

no aaa authentication policy local allow-nopassword-remote-login

default aaa authentication policy local allow-nopassword-remote-login

Examples
  • This command configures the switch to allow unprotected usernames to log in from any port.
    switch(config)# aaa authentication policy local allow-nopassword-remote-login
    switch(config)#
  • This command configures the switch to allow unprotected usernames to log in only from the console port.
    switch(config)# no aaa authentication policy local allow-nopassword-remote-login
    switch(config)#

aaa authentication policy lockout failure

The aaa authentication policy lockout failure command configures the switch to lock the remote user from getting access after specific unsuccessful login attempts within a lockout period.

The no aaa authentication policy lockout failure and the default aaa authentication policy lockout failure commands disable the lockout period configuration.

Command Mode

Global Configuration

Command Syntax

aaa authentication policy lockout failure failure_count duration duration_time {window window_time}

no aaa authentication policy lockout failure

default aaa authentication policy lockout failure

Parameters
  • failure_count the number of failed logins allowed during access. The valid number is between 1 and 255.
  • duration duration_time the time in seconds to block a user account from login. The value is between 1 and 4294967295 seconds.
  • window window_time the time in seconds to track failed logins within this duration. The value is between 1 and 4294967295 seconds while the default is 1 day.
Examples
  • This command configures the system to allow four attempts to log in within a duration of 1 day (the default window). If the user has 4 unsuccessful consecutive logins, the person will be locked out of the account for 360 seconds.
    switch(config)# aaa authentication policy lockout failure 4 
    duration 360
  • This command configures the system to allow five attempts to log in within a duration of 1 day (the default window). If the user has 5 unsuccessful consecutive logins, the person will be locked out of the account for 60 seconds.
    switch(config)# aaa authentication policy lockout failure 5 
    window 10 duration 60

aaa authentication policy log

The aaa authentication policy log command configures the switch to generate syslog messages for login authentication success or failure events.

The no aaa authentication policy log and the default aaa authentication policy log commands restore the default behavior of not generating syslog messages for these events.

Command Mode

Global Configuration

Command Syntax

aaa authentication policy {on-failure | on-success} log

no aaa authentication policy {on-failure | on-success} log

default aaa authentication policy {on-failure | on-success} log

Parameters
  • on-failure generates syslog messages for failed login events.
  • on-success generates syslog messages for successful login events.
Example

This command configures the switch to log successful and failed login attempts.

switch(config)# aaa authentication policy on-success log
switch(config)# aaa authentication policy on-failure log

aaa authorization commands

The aaa authorization commands command configures the service list that authorizes CLI command access. All switch commands are assigned a privilege level that corresponds to the lowest level command mode from which it can be executed:
  • Level 1: Commands accessible from EXEC mode.
  • Level 15: Commands accessible from any mode except EXEC.

Command usage is authorized for each privilege level specified in the command.

The list consists of a prioritized list of service options. The switch authorizes access by using the first listed service option that is available. The available service options include:
  • a named server group.
  • all defined TACACS+ hosts.
  • all defined RADIUS hosts.
  • local authorization.
  • no authorization.

The list is set to none for all unconfigured privilege levels, allowing all CLI access attempts to succeed.

The no aaa authorization commands and default aaa authorization commands commands revert the list contents to none for the specified privilege levels.

Command Mode

Global Configuration

Command Syntax

aaa authorization commands PRIV default SERVICE_1[SERVICE_2] ... [SERVICE_N]

no aaa authorization commands PRIV default

default aaa authorization commands PRIV default

Parameters
  • PRIV Privilege levels of the commands. Options include:
    • level numbers from 0 and 15. Number, range, and comma-delimited list of numbers and ranges.
    • all commands of all levels.
  • SERVICE_X Authorization service. Command must list at least one service. Options include:
    • group name the server group identified by name.
    • group tacacs+ a server group that consists of all defined TACACS+ hosts.
    • local local authorization.
    • none the switch does not perform authorization. All access attempts succeed.
Examples
  • This command authorizes configuration commands (privilege level 15) through the local file. The switch denies command access to users not listed in the local file.
    switch(config)# aaa authorization commands all default local
    switch(config)#
  • This command authorizes all commands entered on the CLI.
    switch(config)# aaa authorization commands all default none
    switch(config)#

aaa authorization config-commands

The aaa authorization config-commands command enables authorization of commands in any configuration mode, such as Global Configuration and all interface configuration modes. Commands are authorized through the policy specified by the aaa authorization commands setting. Authorization is enabled by default, so issuing this command has no effect unless running-config contains the no aaa authorization config-commands command.

The no aaa authorization config-commands command disables configuration command authorization. When configuration command authorization is disabled, running-config contains the no aaa authorization config-commands command. The default aaa authorization config-commands command restores the default setting by removing the no aaa authorization config-commands from running-config.

Command Mode

Global Configuration

Command Syntax

aaa authorization config-commands

no aaa authorization config-commands

default aaa authorization config-commands

Examples
  • This command enables the authorization of configuration commands.
    switch(config)# aaa authorization config-commands
    switch(config)#
  • This command disables the authorization of configuration commands.
    switch(config)# no aaa authorization config-commands
    switch(config)#

aaa authorization exec

The aaa authorization exec command configures the service list that the switch references to authorize access to open an eos CLI shell.

The list consists of a prioritized list of service options. The switch authorizes access by using the first listed service option to which the switch can connect. When the switch cannot communicate with an entity that provides a specified service option, it attempts to use the next option in the list.

The available service options include:
  • a named server group.
  • all defined TACACS+ hosts.
  • all defined RADIUS hosts.
  • local authentication.
  • no authentication.

eos supports a console list to authorize access to a CLI shell through the console and a default list to authorize access for all other connections.

  • If no console list exists, the console connection uses the default list and you enable aaa authorization serial-console. Otherwise, uses none.
  • If no default list exists, the list sets to local.

The no aaa authorization exec and default aaa authorization exec commands set the list contents to none.

Command Mode

Global Configuration

Command Syntax

aaa authorization exec default METHOD_1 [METHOD_2] ... [METHOD_N]

no aaa authorization exec default

default aaa authorization exec default

Parameters
  • METHOD_X authorization service (method). The switch uses the first listed available method.

    The command must provide at least one method. Each method is composed of one of the following:

  • group name the server group identified by name.
    • group radius a server group that consists of all defined RADIUS hosts.
      • group tacacs+ a server group that consists of all defined TACACS+ hosts.
      • local local authentication.
      • none the switch does not perform authorization. All access attempts succeed.

Guidelines

During the EXEC authorization process, the TACACS+ server response may include attribute-value (AV) pairs. The switch recognizes priv-lvl=x (where x is an integer between 0 and 15), which is a mandatory AV pair. A TACACS+ server that sends any other mandatory AV pair is denied access to the switch. The receipt of optional AV pairs by the switch has no affect on decisions to permit or deny access to the TACACS+ server.

Example
This command specifies that the TACACS+ servers authorize users that attempt to open an eos CLI shell.
switch(config)# aaa authorization exec default group tacacs+
switch(config)#

aaa authorization policy local default-role

The aaa authorization policy local command specifies the name of the default role. A role is a data structure that supports local command authorization through its assignment to user accounts. Roles consist of permit and deny rules that define authorization levels for specified commands. Applying a role to a username authorizes the user to execute commands specified by the role.

The default role is assigned to the following users:
  • local or remote users assigned to a role that is not configured.
  • local users to whom a role is not assigned.

When the default-role is not specified, network-operator is assigned to qualified users as the default role. The network-operator role authorizes assigned users access to all CLI commands in EXEC and Privileged EXEC modes.

The no aaa authentication policy local default-role and default aaa authentication policy local default-role commands remove the authentication policy local default-role statement from running-config. Removing this statement restores network-operator as the default role.

Command Mode

Global Configuration

Command Syntax

aaa authorization policy local default-role role_name

no aaa authorization policy local default-role

default aaa authorization policy local default-role

Parameters

role_name Name of the default role.

Related Command

The role command places the switch in role configuration mode for creating and editing roles.

Examples
  • This command configures the sysuser as the default role.
    switch(config)# aaa authorization policy local default-role sysuser
    switch(config)#
  • This command restores network-operator as the default role.
    switch(config)# no aaa authorization policy local default-role
    switch(config)#
  • This command displays the contents of the network-operator role.
    switch# show users roles network-operator
    The default role is network-operator
    role: network-operator
            10 deny mode exec command bash|\|
            20 permit mode exec command .*
    switch#

aaa authorization serial-console

The aaa authorization serial-console command configures the switch to authorize commands entered through the console. By default, commands entered through the console do not require authorization.

The no aaa authorization serial-console and default aaa authorization serial-console commands restore the default setting.

Command Mode

Global Configuration

Command Syntax

aaa authorization serial-console

no aaa authorization serial-console

default aaa authorization serial-console

Example
This command configures the switch to authorize commands entered on the console, using the method specified through a previously executed aaa authorization commands command.
switch(config)# aaa authorization serial-console
switch(config)#

aaa group server radius

The aaa group server radius command enters the Server-group-RADIUS Configuration Mode for the specified group name. The command creates the specified group if it was not previously created. Commands are available to add servers to the group.

A server group is a collection of servers that are associated with a single label. Subsequent authorization and authentication commands access all servers in a group by invoking the group name. Server group members must be previously configured with a radius-server host command.

The no aaa group server radius and default aaa group server radius commands delete the specified server group from running-config.

Command Mode

Global Configuration

Command Syntax

aaa group server radius group_name

no aaa group server radius group_name

default aaa group server radius group_name

Parameters

group_name name (text string) assigned to the group. Cannot be identical to a name already assigned to a TACACS+ server group.

Commands Available in Server-group-RADIUS Configuration Mode

server (server-group-RADIUS configuration mode).

Related Command

aaa group server tacacs+.

Example
This command creates the RADIUS server group named RAD-SV1 and enters Server-group-RADIUS configuration mode for the new group.
switch(config)# aaa group server radius RAD-SV1
switch(config-sg-radius-RAD-SV1)#

aaa group server tacacs+

The aaa group server tacacs+ command enters Server-group-TACACS+ Configuration Mode for the specified group name. The command creates the specified group if it was not previously created. Commands are available to add servers to the group.

A server group is a collection of servers that are associated with a single label. Subsequent authorization and authentication commands access all servers in a group by invoking the group name. Server group members must be previously configured with a tacacs-server host command.

The no aaa group server tacacs+ and default aaa group server tacacs+ commands delete the specified server group from running-config.

Command Mode

Global Configuration

Command Syntax

aaa group server tacacs+ group_name

no aaa group server tacacs+ group_name

default aaa group server tacacs+ group_name

Parameters

group_name name (text string) assigned to the group. Cannot be identical to a name already assigned to a RADIUS server group.

Commands Available in Server-group-TACACS+ Configuration Mode

server (server-group-TACACS+ configuration mode)

Related Command

aaa group server radius
Example
This command creates the TACACS+ server group named TAC-GR and enters the Server-group-TACAS+ Configuration Mode for the new group.
switch(config)# aaa group server tacacs+ TAC-GR
switch(config-sg-tacacs+-TAC-GR)#

aaa root

The aaa root command specifies the password security level for the root account and can assign a password to the account.

The no aaa root and default aaa root commands disable the root account by removing the aaa root command from running-config. The root account is disabled by default.

Command Mode

Global Configuration

Command Syntax

aaa root SECURITY_LEVEL [ENCRYPT_TYPE] [password]

no aaa root

default aaa root

Parameters
  • SECURITY_LEVEL password assignment level. Settings include:
    • secret the root account is assigned to the password.
    • nopassword the root account is not password protected.
  • ENCRYPT_TYPE encryption level of the password parameter. This parameter is present only when SECURITY_LEVEL is secret. Settings include:
    • no parameter the password is entered as clear text.
    • 0 the password is entered as clear text. Equivalent to no parameter.
    • 5 the password is entered as an MD5-encrypted string.
    • sha512 the password is entered as an SHA-512-encrypted string.
  • password text that authenticates the username. The command includes this parameter only if SECURITY_LEVEL is secret.
    • password must be in clear text if ENCRYPT_TYPE specifies clear text.
    • password must be an appropriately encrypted string if ENCRYPT_TYPE specifies encryption.

Encrypted strings entered through this parameter are generated elsewhere.

Examples
  • These equivalent commands assign f4980 as the root account password.
    switch(config)# aaa root secret f4980
    switch(config)# aaa root secret 0 f4980
  • This command assigns the text (ab234) that corresponds to the encrypted string of $1$HW05LEY8$QEVw6JqjD9VqDfh.O8r.b. as the root password.
    switch(config)# aaa root secret 5 $1$HW05LEY8$QEVw6JqjD9VqDfh.O8r.b
    switch(config)#
  • This command removes the password from the root account.
    switch(config)# aaa root nopassword
    switch(config)#
  • This command disables the root login.
    switch(config)# no aaa root
    switch(config)#

clear aaa authentication lockout

 

The clear aaa authentication lockout command clears the locked status of a user so as to allow access within a lockout period. If no user is specified, the command clears the locked status of all users.

Command Mode

Privileged EXEC

Command Syntax

clear aaa authentication lockout [user user_name]

Parameter
  • user user_name the specific name of the user.
Example
  • This command clears the locked status of the user Alice.
    switch# clear aaa authentication lockout user Alice

clear aaa counters radius

The clear aaa counters radius command resets the counters that track the statistics for the RADIUS servers that the switch accesses. The show radius command displays the counters reset by the clear aaa counters radius command.

Command Mode

Privileged EXEC

Command Syntax

clear aaa counters radius

Example
These commands display the effect of the clear aaa counters radius command on the RADIUS counters.
switch# show radius
RADIUS server            : radius/10
          connection opens:        204
         connection closes:          0
    connection disconnects:        199
       connection failures:         10
       connection timeouts:          2
             Messages sent:       1490
         Messages received:       1490
            Receive errors:          0
          Receive timeouts:          0
             Send timeouts:          0

Last time counters were cleared: never
switch# clear aaa counters radius
switch# show radius
RADIUS server            : radius/10
          connection opens:          0
         connection closes:          0
    connection disconnects:          0
       connection failures:          0
       connection timeouts:          0
             Messages sent:          0
         Messages received:          0
            Receive errors:          0
          Receive timeouts:          0
             Send timeouts:          0

Last time counters were cleared: 0:00:03 ago
switch#

clear aaa counters tacacs+

The clear aaa counters tacacs+ command resets the counters that track the statistics for the TACACS+ servers that the switch accesses. The show tacacs command displays the counters reset by the clear aaa counters tacacs+ command.

Command Mode

Privileged EXEC

Command Syntax

clear aaa counters tacacs+

Example
These commands display the effect of the clear aaa counters tacacs+ command on the tacacs+ counters.
switch# show tacacs
TACACS+ server            : tacacs/49
          connection opens:      15942
         connection closes:          7
    connection disconnects:       1362
       connection failures:          0
       connection timeouts:          0
             Messages sent:      34395
         Messages received:      34392
            Receive errors:          0
          Receive timeouts:          2
             Send timeouts:          0

Last time counters were cleared: never

TACACS+ source-interface: Enabled
  TACACS+ outgoing packets will be sourced with an IP address associated with the 
Loopback0 interface
switch# clear aaa counters tacacs+
switch# show tacacs
TACACS+ server            : tacacs/49
          connection opens:          0
         connection closes:          0
    connection disconnects:          0
       connection failures:          0
       connection timeouts:          0
             Messages sent:          0
         Messages received:          0
            Receive errors:          0
          Receive timeouts:          0
             Send timeouts:          0

Last time counters were cleared: 0:00:03 ago
switch#

TACACS+ source-interface: Enabled
  TACACS+ outgoing packets will be sourced with an IP address associated with the 
Loopback0 interface
switch#

clear aaa counters

The clear aaa counters command resets the counters that track the number of service transactions performed by the switch since the last time the counters were reset. The show aaa counters command displays the counters reset by the clear aaa counters command.

Command Mode

Privileged EXEC

Command Syntax

clear aaa counters [SERVICE_TYPE]

Example
These commands display the effect of the clear aaa counters command on the AAA counters.
switch# clear aaa counters
switch# show aaa counters
Authentication
          Successful:          0
              Failed:          0
 Service unavailable:          0

Authorization
             Allowed:          1
              Denied:          0
 Service unavailable:          0

Accounting
          Successful:          0
               Error:          0
             Pending:          0

Last time counters were cleared: 0:00:44 ago

deny (Role)

The deny command adds a deny rule to the configuration mode role. Deny rules prohibit access of specified commands from usernames to which the role is applied. Sequence numbers determine rule placement in the role. Commands are compared sequentially to rules within a role until it matches a rule. A commands authorization is determined by the first rule it matches. Sequence numbers for commands without numbers are derived by adding 10 to the number of the roles last rule.

Deny rules use regular expressions to denote commands. A mode parameter specifies command modes from which commands are restricted. Modes are denoted either by predefined keywords, a command modes short key, or a regular expression that specifies the long key of one or more command modes.

The no deny and default deny commands remove the specified rule from the configuration mode role. The no <sequence number> (Role) command also removes the specified rule from the role.

Command Mode

Role Configuration

Command Syntax

[SEQ_NUM] deny [MODE_NAME] command command_name

no deny [MODE_NAME] command command_name

default deny [MODE_NAME] command command_name

Parameters
  • SEQ_NUM Sequence number assigned to the rule. Options include:
    • no parameter Number is derived by adding 10 to the number of the roles last rule.
    • 1 - 256 Number assigned to entry.
  • MODE_NAME Command mode from which command access is prohibited. Values include:
    • no parameter All command modes.
    • mode short_name Exact match of a modes short key name.
    • mode long_name Regular expression matching long key name of one or more modes.
    • mode config Global configuration mode.
    • mode config-all All configuration modes, including global configuration mode.
    • mode exec EXEC and Privileged EXEC modes.
  • command_name Regular expression that denotes the name of one or more commands.

Guidelines

These CLI prompt format commands program the prompt to display the following mode keys:
  • %p Short mode key.
  • %P Long mode key.

Deny statements are saved to running-config only upon exiting Role configuration mode.

Related Command

The role command places the switch in Role configuration mode.

Example
These commands append a deny rule at the end of the sysuser role that restricts access to the reload command from EXEC and Privileged EXEC mode.
switch(config)# role sysuser
switch(config-mode-sysuser)# deny mode exec command reload
switch(config-mode-sysuser)#

enable password

The enable password command creates a new enable password or changes an existing password.

The no enable password and default enable password commands delete the enable password by removing the enable password command from running-config.

Command Mode

Global Configuration

Command Syntax

enable password [ENCRYPT_TYPE] password

no enable password

default enable password

Parameters
  • ENCRYPT_TYPE encryption level of the password parameter. Settings include:
    • no parameter the password is entered as clear text.
    • 0 the password is entered as clear text. Equivalent to <no parameter>.
    • 5 the password is entered as an MD5 encrypted string.
    • sha512 the password is entered as an SHA-512-encrypted string.
  • password text that authenticates the username.
    • password must be in clear text if ENCRYPT_TYPE specifies clear text.
    • password must be an appropriately encrypted string if ENCRYPT_TYPE specifies encryption.

Encrypted strings entered through this parameter are generated elsewhere.

Examples
  • These equivalent commands assign xyrt1 as the enable password.
    switch(config)#enable password xyrt1
    switch(config)#enable password 0 xyrt1
  • This command assigns the enable password to the clear text (12345) that corresponds to the encrypted string $1$8bPBrJnd$Z8wbKLHpJEd7d4tc5Z/6h/. The string was generated by an MD5-encryption program using 12345 as the seed.
    switch(config)# enable password 5 $1$8bPBrJnd$Z8wbKLHpJEd7d4tc5Z/6h/
    switch(config)#
  • This command deletes the enable password.
    switch(config)# no enable password
    switch(config)#

ip radius source-interface

The ip radius source-interface command specifies the interface from which the IPv4 address is derived for use as the source for outbound RADIUS packets. When a source interface is not specified, the switch selects an interface.

The no ip radius source-interface and default ip radius source-interface commands remove the ip radius source-interface command from running-config.

Command Mode

Global Configuration

Command Syntax

ip radius [vrf_inst] source-interface slot_number

no ip radius [vrf_inst] source-interface

default ip radius [vrf_inst] source-interface

Parameters
  • vrf_inst specifies the VRF instance used to communicate with the specified server.
    • no parameter switch communicates with the server using the default VRF.
    • vrf vrf_name switch communicates with the server using the specified user-defined VRF.
  • int_name Interface type and number. Options include:
    • Ethernet e_num - Ethernet interface specified by slot_number.
    • Loopback slot_number - Loopback interface specified by slot_number.
    • management slot_number - management interface specified by slot_number.
    • Port-channel slot_number - Port-channel interface specified by slot_number.
    • Tunnel tunnel_number -
    • Vlan v_num VLAN interface specified by v_num.

Example

This command configures the source address for outbound RADIUS packets as the IPv4 address assigned to the loopback interface.
switch(config)# ip radius source-interface loopback 0
switch(config)#

ip tacacs source-interface

The ip tacacs source-interface command specifies the interface from which the IPv4 address is derived for use as the source for outbound TACACS+ packets. When a source interface is not specified, the switch selects an interface.

The no ip tacacs source-interface and default ip tacacs source-interface commands remove the ip tacacs source-interface command from running-config.

Command Mode

Global Configuration

Command Syntax

ip tacacs [VRF_INST] source-interface INT_NAME

no ip tacacs [VRF_INST] source-interface

default ip tacacs [VRF_INST] source-interface

Parameters
  • VRF_INST specifies the VRF instance used to communicate with the specified server.
    • no parameter switch communicates with the server using the default VRF.
    • vrf vrf_name switch communicates with the server using the specified user-defined VRF.
  • INT_NAME Interface type and number. Options include:
    • interface ethernet e_num Ethernet interface specified by e_num.
    • interface loopback l_num Loopback interface specified by l_num.
    • interface management m_num management interface specified by m_num.
    • interface port-channel p_num Port-channel interface specified by p_num.
    • interface vlan v_num VLAN interface specified by v_num.
Example
This command configures the source address for outbound TACACS+ packets as the IPv4 address assigned to the loopback interface.
switch(config)# ip tacacs source-interface loopback 0
switch(config)#

no <sequence number> (Role)

The no <sequence number> command removes the rule with the specified sequence number from the configuration-mode role. The default <sequence number> command also removes the specified rule.

Command Mode

Role Configuration

Command Syntax

no sequence_num

default sequence_num

Parameters

sequence_num sequence number of rule to be deleted. Values range from 1 to 256.

Guidelines

Role statement changes are saved to running-config only upon exiting Role configuration mode.

Related Command

The role command places the switch in Role configuration mode.

Example
These commands display the rules in the sysuser role, remove rule 30 from the role, then display the edited role.
switch(config)# show users roles sysuser
The default role is network-operator

role: sysuser
        10 deny mode exec command reload
        20 deny mode config command (no |default )?router
        30 deny mode config command (no |default )?(ip|mac) access-list
        40 deny mode if command (no |default )?(ip|mac) access-group
        50 deny mode config-all command lacp|spanning-tree
        60 permit command .*
switch(config)# role sysuser
switch(config-role-sysuser)# no 30
switch(config-role-sysuser)# exit
switch(config)# show users roles sysuser
The default role is network-operator

role: sysuser
        10 deny mode exec command reload
        20 deny mode config command (no |default )?router
        40 deny mode if command (no |default )?(ip|mac) access-group
        50 deny mode config-all command lacp|spanning-tree
        60 permit command .*
switch(config)#

radius-server deadtime

The radius-server deadtime command defines global deadtime period, when the switch ignores a non-responsive RADIUS server. A non-responsive server is one that fails to answer any attempt to retransmit after a timeout expiry. Deadtime is disabled if a value is not configured.

The no radius-server deadtime and default radius-server deadtime commands restore the default global deadtime period of three minutes by removing the radius-server deadtime command from running-config.

Command Mode

Global Configuration

Command Syntax

radius-server deadtime dead_interval

no radius-server deadtime

default radius-server deadtime

Parameters

dead_interval period that the switch ignores non-responsive servers (minutes). Values range from 1 to 1000. Default is 3.

Example
This command programs the switch to ignore a server for two hours if it fails to respond to a request during the period defined by timeout and retransmit parameters.
switch(config)# radius-server deadtime 120
switch(config)#

radius-server host

The radius-server host command sets parameters for communicating with a specific RADIUS server. These values override global settings when the switch communicates with the specified server.

A RADIUS server is defined by its server address, authorization port, and accounting port. Servers with different address-authorization port-accounting port combinations have separate configurations.

The no radius-server host and default radius-server commands remove settings for the RADIUS server configuration at the specified address-authorization port-accounting port location by deleting the corresponding radius-server host command from running-config.

Command Mode

Global Configuration

Command Syntax

radius-server host ADDR [VRF_INST][AUTH][ACCT][TIMEOUT][DEAD][RETRAN][ENCRYPT]

no radius-server host [ADDR][VRF_INST][AUTH][ACCT]

default radius-server host [ADDR][VRF_INST][AUTH][ACCT]

Parameters
  • ADDR RADIUS server location. Options include:
    • ipv4_addr server's IPv4 address.
    • host_name server's DNS host name (FQDN).
  • VRF_INST specifies the VRF instance used to communicate with the specified server.
    • no parameter switch communicates with the server using the default VRF.
    • vrf vrf_name switch communicates with the server using the specified user-defined VRF.
  • AUTH Authorization port number.
    • no parameter default port of 1812.
    • auth-port number number ranges from 1 to 65535.
  • ACCT Accounting port number.
    • no parameter default port of 1813.
    • acct-port number numbers range from 1 to 65535.
  • TIMEOUT timeout period (seconds). Ranges from 1 to 1000.
    • no parameter assigns global timeout value (see radius-server timeout).
    • timeout number assigns number as the timeout period. Ranges from 1 to 1000.
  • DEAD period (minutes) when the switch ignores a non-responsive RADIUS server.
    • no parameter assigns global deadtime value (see radius-server deadtime ).
    • deadtime number specifies deadtime, where number ranges from 1 to 1000.
  • RETRAN attempts to access RADIUS server after the first timeout expiry.
    • no parameter assigns global retransmit value (see radius-server retransmit).
    • retransmit number specifies number of attempts, where number ranges from 1 to 100.
  • ENCRYPT encryption key that switch and server use to communicate.
    • no parameter assigns global encryption key (see radius-server key).
    • key key_text where key_text is in clear text.
    • key 5 key_text where key_text is in clear text.
    • key 7 key_text where key_text is provide in an encrypted string.
Examples
  • This command configures the switch to communicate with the RADIUS server located at 10.1.1.5. The switch uses the global timeout, deadtime, retransmit, and key settings to communicate with this server, and communicates through port 1812 for authorization and 1813 for accounting.
    switch(config)# radius-server host 10.1.1.5
    switch(config)#
  • This command configures the switch to communicate with the RADIUS server assigned the host name RAD-1. Communication for authorization is through port 1850; communication for accounting is through port 1813 (the default).
    switch(config)# radius-server host RAD-1 auth-port 1850
    switch(config)#

radius-server key

The radius-server key command defines the global encryption key the switch uses when communicating with any RADIUS server for which a key is not defined.

The no radius-server key and default radius-server key commands remove the global key from running-config.

Command Mode

Global Configuration

Command Syntax

radius-server key [ENCRYPT_TYPE] encrypt_key

no radius-server key

default radius-server key

Parameters
  • ENCRYPT_TYPE encryption level of encrypt_key.
    • no parameter encryption key is entered as clear text.
    • 0 encryption key is entered as clear text. Equivalent to no parameter.
    • 7 encrypt_key is an encrypted string.
  • encrypt_key shared key that authenticates the username.
    • encrypt_key must be in clear text if ENCRYPT_TYPE specifies clear text.
    • encrypt_key must be an encrypted string if ENCRYPT_TYPE specifies an encrypted string.

Encrypted strings entered through this parameter are generated elsewhere.

Related Command

radius-server host

Examples
  • This command configures cv90jr1 as the global encryption key.
    switch(config)# radius-server key 0 cv90jr1
    switch(config)#
  • This command assigns cv90jr1 as the key by specifying the corresponding encrypted string.
    switch(config)# radius-server key 7 020512025B0C1D70
    switch(config)#

radius-server retransmit

The radius-server retransmit command defines the global retransmit count, which specifies the number of times the switch attempts to access the RADIUS server after the first timeout expiry.

The no radius-server retransmit and default radius-server retransmit commands restore the global retransmit count to its default value of three by deleting the radius-server retransmit command from running-config.

Command Mode

Global Configuration

Command Syntax

radius-server retransmit count

no radius-server retransmit

default radius-server retransmit

Parameters

count retransmit attempts after first timeout expiry. Values range from 1 to 100. Default is 3.

Related Command

radius-server host

Example
This command configures the switch to attempt five RADIUS server contacts after the initial timeout. If the timeout parameter is set to 50 seconds, then the total period that the switch waits for a response is ((5+1)*50) = 300 seconds.
switch(config)# radius-server retransmit 5
switch(config)#

radius-server timeout

The radius-server timeout command defines the global timeout the switch uses when communicating with any RADIUS server for which a timeout is not defined.

The no radius-server timeout and default radius-server timeout commands restore the global timeout default period of five seconds by removing the radius-server timeout command from running-config.

Command Mode

Global Configuration

Command Syntax

radius-server timeout time_period

no radius-server timeout

default radius-server timeout

Parameters

time_period timeout period (seconds). Values range from 1 to 1000. Default is 5.

Related Commands

Example
This command configures the switch to wait 50 seconds for a RADIUS server response before issuing an error.
switch(config)# radius-server timeout 50
switch(config)#

resequence (Role)

The resequence command assigns sequence numbers to rules in the configuration mode role. Command parameters specify the number of the first rule and the numeric interval between consecutive rules.

The maximum sequence number is 256.

Command Mode

Role Configuration

Command Syntax

resequence start_num inc_num

Parameters
  • start_num sequence number assigned to the first rule. Value ranges from 1 to 256. Default is 10.
  • inc_num numeric interval between consecutive rules. Value ranges from 1 to 256. Default is 10.

Guidelines

Role statement changes are saved to running-config only upon exiting Role configuration mode.

Related Command

The role command places the switch in Role configuration mode.

Example
The resequence command renumbers the rules in the sysuser role, starting the first rule at 15 and incrementing subsequent lines by 5.
switch(config)# show users roles sysuser
The default role is network-operator

role: sysuser
        10 deny mode exec command reload
        20 deny mode config command (no |default )?router
        40 deny mode if command (no |default )?(ip|mac) access-group
        50 deny mode config-all command lacp|spanning-tree
        60 permit command .*
switch(config)# role sysuser
switch(config-role-sysuser)# resequence 15 5
switch(config-role-sysuser)# exit
switch(config)# show users roles sysuser
The default role is network-operator

role: sysuser
        15 deny mode exec command reload
        20 deny mode config command (no |default )?router
        25 deny mode if command (no |default )?(ip|mac) access-group
        30 deny mode config-all command lacp|spanning-tree
        35 permit command .*
switch(config)#

permit (Role)

The permit command adds a permit rule to the configuration mode role. Permit rules authorize access to specified commands for usernames to which the role is applied. Sequence numbers determine rule placement in the role. Commands are compared sequentially to rules within a role until it matches a rule. A command's authorization is determined by the first rule it matches. Sequence numbers for commands without numbers are derived by adding 10 to the number of the role's last rule.

Permit rules use regular expression to denote commands. A mode parameter specifies command modes in which commands are authorized. Modes are denoted either by predefined keywords, a command modes short key, or a regular expression that specifies the long key of one or more command modes.

The no deny and default deny commands remove the specified rule from the configuration mode role. The no <sequence number> (Role) command also removes the specified rule from the role.

Command Mode

Role Configuration

Command Syntax

[SEQ_NUM] permit [MODE_NAME] command command_name

no permit [MODE_NAME] command ] command_name

default permit [MODE_NAME] command command_name

Parameters
  • SEQ_NUM Sequence number assigned to the rule. Options include:
    • <no parameter> Number is derived by adding 10 to the number of the roles last rule.
    • <1 - 256> Number assigned to entry.
  • MODE_NAME Command mode in which command access is authorized. Values include:
    • no parameter All command modes.
    • mode short_name Exact match of a modes short-key name.
    • mode long_name Regular expression matching long-key name of one or more modes.
    • mode config Global configuration mode.
    • mode config-all All configuration modes, including global configuration mode.
    • mode exec EXEC and Privileged EXEC modes.
  • command_name Regular expression that denotes the name of one or more commands.

Guidelines

These CLI prompt format commands program the prompt to display the following mode keys:
  • %p Short-mode key.
  • %P Long-mode key.

Permit statements are saved to running-config only upon exiting Role configuration mode.

Related Commands

The role command places the switch in Role Cconfiguration mode.

Example
These commands append a permit rule at the end of the sysuser role that authorizes all commands from VLAN 1 or VLAN 2 interface configuration modes.
switch(config)# role sysuser
switch(config-mode-sysuser)# permit mode if-Vl(1|2) command .*
switch(config-mode-sysuser)#

role

The role command places the switch in Role Configuration Mode, which is a group-change mode that modifies a role. A role is a data structure that supports local command authorization through its assignment to user accounts. Roles consist of permit and deny rules that define authorization levels for specified commands. Applying a role to a username authorizes the user to execute commands specified by the role.

The role command specifies the name of the role that subsequent commands modify and creates a role if it references a nonexistent role. All changes in a group change mode edit session are pending until the session ends:

  • The exit command saves pending changes to running-config and returns the switch to Global Configuration Mode. Changes are also saved by entering a different configuration mode.
  • The abort command discards pending changes, returning the switch to Global Configuration Mode.

The no role and default role commands delete the specified role by removing the role and its statements from running-config.

Command Mode

Global Configuration

Command Syntax

role role_name

no role role_name

default role role_name

Parameters

role_name Name of role.

Commands Available in Role Configuration Mode:

Related Commands

show users roles

Examples
  • This command places the switch in Role configuration mode to modify the speaker role.
    switch(config)# role speaker
    switch(config-role-speaker)#
  • This command saves changes to speaker role, then returns the switch to Global configuration mode.

    switch(config-role-speaker)# exit
    switch(config)#
  • This command discards changes to speaker, then returns the switch to Global configuration mode.

    switch(config-role-speaker)# abort
    switch(config)#

server (server-group-RADIUS configuration mode)

The server (server-group-RADIUS configuration mode) command adds the specified RADIUS server to the configuration-mode group. Servers must be configured with the radius-server host command before adding them to the server group.

A RADIUS server is defined by its server address, authorization port, and accounting port. A group can contain multiple servers with the same IP address that have different authorization or accounting ports.

The no server and default server commands remove the specified server from the group.

Command Mode

Server-Group-RADIUS Configuration

Command Syntax

server LOCATION [VRF_INST][AUTH][ACCT]

no server LOCATION [VRF_INST][AUTH][ACCT]

default server LOCATION [VRF_INST][AUTH][ACCT]

Parameters
  • LOCATION RADIUS server location. Options include:
    • ipv4_addr server's IPv4 address.
    • host_name server's DNS host name (FQDN).
  • VRF_INST specifies the VRF instance used to communicate with the specified server.
    • no parameter switch communicates with the server using the default VRF.
    • vrf vrf_name switch communicates with the server using the specified user-defined VRF.
  • AUTH Authorization port number.
    • no parameter default port of 1812.
    • auth-port number number ranges from 1 to 65535.
  • ACCT Accounting port number.
    • no parameter default port of 1813.
    • acct-port number number ranges from 1 to 65535.

Related Commands

The aaa group server radius command places the switch in Server-group-RADIUS cConfiguration mode.

Example
These commands add two servers to the RAD-SV1 server group.
switch(config)# aaa group server radius RAD-SV1
switch(config-sg-radius-RAD-SV1)# server RAC-1
switch(config-sg-radius-RAD-SV1)# server 10.1.5.14 acct-port 1851
switch(config-sg-radius-RAD-SV1)#

server (server-group-TACACS+ configuration mode)

The server (server-group-TACACS+ configuration mode) command adds the specified TACACS+ server to the configuration-mode group. Servers must be configured with the tacacs-server host command before adding them to the server group.

A TACACS+ server is defined by its server address and port number. Servers with different address-port combinations have separate statements in running-config.

The no server and default server commands remove the specified server from the group.

Command Mode

Server-group-TACACS+ Configuration

Command Syntax

server LOCATION [VRF_INST][PORT]

no server LOCATION [VRF_INST][PORT]

default server LOCATION [VRF_INST][PORT]

Parameters
  • LOCATION TACACS+ server location. Options include:
    • ipv4_addr server's IPv4 address.
    • ipv6_addr server's IPv6 address.
    • host_name server's DNS host name (FQDN).
  • VRF_INST specifies the VRF instance used to communicate with the specified server.
    • no parameter switch communicates with the server using the default VRF.
    • vrf vrf_name switch communicates with the server using the specified user-defined VRF.
  • PORT TCP connection port number.
    • no parameter default port of 49.
    • port number number ranges from 1 to 65535.

Related Command

The aaa group server tacacs+ command places the switch in Server-group-TACACS+ configuration mode.

Example
These commands add two servers to the TAC-GR server group with default port number 49.
switch(config)# aaa group server tacacs+ TAC-GR
switch(config-sg-tacacs+-TAC-GR)# server TAC-1
switch(config-sg-tacacs+-TAC-GR)# server 10.1.4.14
switch(config-sg-tacacs+-TAC-GR)#

show aaa

The show aaa command displays the user database. The command displays the encrypted enable password first, followed by a table of usernames and their corresponding encrypted password.

The command does not display unencrypted passwords.

Command Mode

Privileged EXEC

Command Syntax

show aaa

Example
This command displays the local user database.
switch# show aaa
Enable password (encrypted): $1$UL4gDWy6$3KqCPYPGRvxDxUq3qA/Hs/
Username  Encrypted passwd
--------  ----------------------------------
admin
janis     $1$VVnDH/Ea$iwsfnrGNO8nbDsf0tazp9/
thomas    $1$/MmXTUil$.fJxLfcumzppNSEDVDWq9.
switch#

show aaa authentication lockout

 

The show aaa authentication lockout command displays the status of locked-out users who could not log within the specified time and number of login attempts.

Command Mode

Privileged EXEC

Command Syntax

show aaa authentication lockout

Example
  • This command displays the status of Alice, who is the locked out user. Alice's last failed login was at 17:50:06, and her lockout will be cleared at 17:51:06, in 58 seconds. When the duration of 58 seconds elapses, Alice’s name will no longer be displayed.
    switch# show aaa authentication lockout
     User     Start Time                End Time                  Expires In      
    --------- ------------------------- ------------------------- ----------      
     alice    Fri Jul 12 17:50:06 2020  Fri Jul 12 17:51:06 2020  0:00:58
    

show aaa counters

The show aaa counters command displays the number of service transactions performed by the switch since the last time the counters were reset.

Command Mode

Privileged EXEC

Command Syntax

show aaa counters

Example
This command displays the number of AAA transactions.
switch# show aaa counters
Authentication
          Successful:         30
              Failed:          0
 Service unavailable:          0

Authorization
             Allowed:        188
              Denied:          0
 Service unavailable:          0

Accounting
          Successful:          0
               Error:          0
             Pending:          0

Last time counters were cleared: never
switch#

show aaa methods

The show aaa methods command displays all the named method lists defined in the specified Authentication, Authorization, and Accounting (AAA) service.

Command Mode

Privileged EXEC

Command Syntax

show aaa methods SERVICE_TYPE

Parameters

SERVICE_TYPE the service type of the method lists that the command displays.
  • accounting accounting services.
  • authentication authentication services.
  • authorization authorization services.
  • all accounting, authentication, and authorization services.
Example
This command configures the named method lists for all AAA services.
switch# show aaa methods all
Authentication method lists for LOGIN:
  name=default methods=group tacacs+, local
Authentication method list for ENABLE:
  name=default methods=local
Authorization method lists for COMMANDS:
  name=privilege0-15 methods=group tacacs+, local
Authentication method list for EXEC:
  name=exec methods=group tacacs+, local
Accounting method lists for COMMANDS:
  name=privilege0-15 default-action=none
Accounting method list for EXEC:
  name=exec default-action=none
switch#

show management ldap

The show management ldap command displays information about the LDAP configuration.

Command Mode

EXEC

Command Syntax

show management ldap

Parameter

  • no parameter state of the system.
The following command shows general information for LDAP.
switch# show management ldap
LDAP server: prod-dc-hq1.aristanetworks.com/389
   Binds requested: 6
   Binds successful: 6
   Binds failed: 0
   Binds timed out: 0
   FIPS is ON

Last time counters were cleared: 1:16:41 ago

The authentication action in LDAP is the bind, which is equivalent to attempting a log-in. There will be two binds per login attempt, one for the admin account and one for the user account.

The FIPS mode is controlled by the SSL profile in AAA. To validate an SSL profile use the following:
switch# show management security ssl profile
   Profile           State
----------------- -----------
   testProfile       valid

To verify a user accounts authorization being performed by ldap, use “show users detail”:
switch# show users detail
Session  Username  Roles         TTY  State Duration  Auth       Remote Host
-------- --------- ------------- ---- ----- --------- ---------- ---------------------------------------
1006     erahn     network-admin vty3 E     0:00:05   group ldap fd7a:629f:52a4:dc25:b08d:feff:feed:2ce7

To validate the role for a current session the vty information in the TTY column must be matched against the Line column in the following command. The row with a “*” character at the start is the current session where the command was run:

switch#show users
   Line      User             Host(s)  Idle       Location
   1 con 0   admin            idle     01:19:00   -
   2 vty 10  srv-sw-ldaptest  idle     01:19:00   172.16.124.151
*  3 vty 3   erahn            idle     00:00:04   fd7a:629f:52a4:dc25:b08d:feff:feed:2ce7

show privilege

The show privilege command displays the current privilege level for the CLI session.

Command Mode

EXEC

Command Syntax

show privilege

Example
This command displays the current privilege level.
switch> show privilege
Current privilege level is 15
switch>

show radius

The show radius command displays statistics for the RADIUS servers that the switch accesses.

Command Mode

EXEC

Command Syntax

show radius

Example
This command displays statistics for connected RADIUS servers.
switch#show radius
RADIUS server            : radius/10
          connection opens:        204
         connection closes:          0
    connection disconnects:        199
       connection failures:         10
       connection timeouts:          2
             Messages sent:       1490
         Messages received:       1490
            Receive errors:          0
          Receive timeouts:          0
             Send timeouts:          0

Last time counters were cleared: never
switch#

show tacacs

The show tacacs command displays statistics for the TACACS+ servers that the switch accesses.

Command Mode

EXEC

Command Syntax

show tacacs

Example
This command displays statistics for connected TACACS+ servers.
switch# show tacacs
TACACS+ server            : tacacs/49
          connection opens:      15942
         connection closes:          7
    connection disconnects:       1362
       connection failures:          0
       connection timeouts:          0
             Messages sent:      34395
         Messages received:      34392
            Receive errors:          0
          Receive timeouts:          2
             Send timeouts:          0

Last time counters were cleared: never

TACACS+ source-interface: Enabled
  TACACS+ outgoing packets will be sourced with an IP address associated with the 
Loopback0 interface
switch#

show users accounts

The show users accounts command displays the names, roles, and privilege levels of users that are listed in running-config. The SSH public key is also listed for names for which an SSH key is configured.

Command Mode

Privileged EXEC

Command Syntax

show users accounts

Example
This command displays the usernames that are configured on the switch.
switch# show users accounts
user: FRED
       role: <unknown>
       privilege level: 1
       ssh public key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDjUg2VDiBX7In0q 
HtN5PyHOWtYvIoeZsxF5YmesQ/rh++mbpT504dL7So+Bpr9T/0qIj+zilat8fX/JlO42+3pjfkHY/+l
sT2EPNjGTK7uJv1wSGmhc3+90dNmJtr5YVlJFjjQ5m+5Pa+PGe3z4JIV1lY2NhLrV2fXtbciLdjnj6F
AlhXjiLt51DJhG13uUxGBJe0+NlGvpEsTJVJvMdJuS6weMi+xSXc9yQimVD2weJBHsYFnghST2j0pAy
F2S7/EOU13pY42RztDSs42nMNNrutPT0q5Z17aAKvhpd0dDlc+qIwrCrXbeIChHem7+0N8/zA3alBK4
eKSFSZBd3Pb admin@switch
switch#
user: JANE
       role: sysuser2
       privilege level: 1
user: admin
       role: network-admin
       privilege level: 1

show users detail

The show users detail command displays information about active AAA login sessions. Information includes username, roles, TTY, state of the session (pending or established), duration, authentication method, and if available, remote host and remote username.

Command Mode

Privileged EXEC

Command Syntax

show users detail

Example
This command displays information about the active AAA login sessions.
switch# show users detail
Session  Username Roles           TTY    State Duration  Auth          Remote Host
-------   ---------- ------------ ------ ----- --------  ------------- ------------
2      admin     network-admin    ttyS0  E     0:01:21  local
4      joe       sysadmin         telnet E     0:02:01  local        sf.example.com
6      alice     sysadmin         ssh    E     0:00:52  group radius ny.example.com
7      bob       sysadmin         ssh    E     0:00:48  group radius la.example.com
8      kim       network-admin1   ssh    E     0:00:55  group radius de.example.com
9      admin     network-admin    ssh    E     0:00:07  local        bj.example.com
10     max       network-admin    telnet E     0:00:07  local        sf.example.com

show users roles

The show users roles command displays the name of the default role and the contents of the specified roles. Commands that do not specify a role display the rules in all built-in and configured roles.

Command Mode

Privileged EXEC

Command Syntax

show users roles [ROLE_LIST]

Parameters

ROLE_LIST Roles that the command displays. Options include:
  • no parameter Command displays all roles.
  • role_name Name of role displayed by command.

Related Command

The role command places the switch in Role configuration mode, which is used to create new roles or modify existing roles.

Example
This command displays the contents of all user-defined and built-in roles.
switch# show users roles
The default role is network-operator

role: network-admin
        10 permit command .*
role: network-operator
        10 deny mode exec command bash|\|
        20 permit mode exec command .*
role: sysuser
        15 deny mode exec command reload
        20 deny mode config command (no |default )?router
        25 deny mode if command (no |default )?(ip|mac) access-group
        30 deny mode config-all command lacp|spanning-tree
        35 permit command .*
        40 deny mode exec command .*
        50 permit mode exec command show|clear (counters|platform)|configure

show users

The show users command displays the usernames that are currently logged into the switch.

Command Mode

Privileged EXEC

Command Syntax

show users

Example
This command displays the users that are logged into the switch.
switch# show users
    Line       User       Host(s)              Idle       Location
   1 vty 2     john       idle                       1d  10.22.6.113
   2 vty 4     jane       idle                 21:33:00  10.22.26.26
*  3 vty 6     ted        idle                 00:00:01  10.17.18.71
switch#

tacacs-server host

The tacacs-server host command sets communication parameters for communicating with a specific TACACS+ server. These values override global settings when the switch communicates with the specified server.

A TACACS+ server is defined by its server address and port number. Servers with different combinations of address-port-VRF-multiplex settings have separate statements in running-config.

The no tacacs-server host and default tacacs-server host commands remove settings for the TACACS+ server configuration at the specified address-port-VRF combination by deleting the corresponding tacacs-server host command from running-config.

Command Mode

Global Configuration

Command Syntax

tacacs-server host SERVER_ADDR [MULTIPLEX][VRF_INST][PORT][TIMEOUT][ENCRYPT]

no tacacs-server host [SERVER_ADDR][MULTIPLEX][VRF_INST][PORT]

default tacacs-server host [SERVER_ADDR][MULTIPLEX][VRF_INST][PORT]

Parameters
  • SERVER_ADDR TACACS+ server location. Options include:
    • ipv4_addr server's IPv4 address.
    • ipv6_addr server's IPv6 address.
    • host_name server's DNS host name (FQDN).
  • MULTIPLEX TACACS+ server support of multiplex sessions on a TCP connection.
    • no parameter server does not support multiplexing.
    • single-connection server supports session multiplexing.
  • VRF_INST specifies the VRF instance used to communicate with the specified server.
    • <no parameter> switch communicates with the server using the default VRF.
    • vrf vrf_name switch communicates with the server using the specified user-defined VRF.
  • PORT port number of the TCP connection.
    • no parameter default port of 49.
    • port number port number ranges from 1 to 65535.
  • TIMEOUT timeout period (seconds).
    • no parameter assigns the globally configured timeout value (see tacacs-server timeout ).
    • timeout number timeout period (seconds). Number ranges from 1 to 1000.
  • ENCRYPT encryption key the switch and server use to communicate. Settings include:
    • no parameter assigns the globally configured encryption key (see tacacs-server key).
    • key key_text where key_text is in clear text.
    • key 5 key_text where key_text is in clear text.
    • key 7 key_text where key_text is an encrypted string.
Examples
  • This command configures the switch to communicate with the TACACS+ server located at 10.1.1.5. The switch uses the global timeout, encryption key, and port settings.
    switch(config)# tacacs-server host 10.1.1.5
    switch(config)#
  • This command configures the switch to communicate with the TACACS+ server assigned the host name TAC_1. The switch defines the timeout period as 20 seconds and the encryption key as rp31E2v.
    switch(config)# tacacs-server host TAC_1 timeout 20 key rp31E2v
    switch(config)#
  • This command configures the switch to communicate with the TACACS+ server located at 10.12.7.9, indicates that the server supports multiplexing sessions on the same TCP connection, and that access is through port 54.
    switch(config)# tacacs-server host 10.12.7.9 single-connection port 54
    switch(config)#

tacacs-server key

The tacacs-server key command defines the global encryption key the switch uses when communicating with any TACACS+ server for which a key is not defined.

The no tacacs-server key and default tacacs-server key commands remove the global key from running-config.

Command Mode

Global Configuration

Command Syntax

tacacs-server key [ENCRYPT_TYPE] encrypt_key

no tacacs-server key

default tacacs-server key

Parameters
  • ENCRYPT_TYPEencryption level of encrypt_key.
    • no parameter encryption key is entered as clear text.
    • 0 encryption key is entered as clear text. Equivalent to no parameter.
    • 7 encrypt_key is an encrypted string.
  • encrypt_key shared key that authenticates the username.
    • encrypt_key must be in clear text if ENCRYPT_TYPE specifies clear text.
    • encrypt_key must be an encrypted string if ENCRYPT_TYPE specifies an encrypted string.

    Encrypted strings entered through this parameter are generated elsewhere.

Related Command

tacacs-server host

Examples
  • This command configures cv90jr1 as the encryption key.
    switch(config)# tacacs-server key 0 cv90jr1
    switch(config)#
  • This command assigns cv90jr1 as the key by specifying the corresponding encrypted string.
    switch(config)# tacacs-server key 7 020512025B0C1D70
    switch(config)#

tacacs-server policy

The tacacs-server policy command programs the switch to permit access to TACACS+ servers that send mandatory attribute-value (AV) pairs that the switch does not recognize. By default, the switch denies access to TACACS+ servers when it receives unrecognized AV pairs from the server.

The switch recognizes the following mandatory AV pairs:

priv-lvl=x where x is an integer between 0 and 15.

The no tacacs-server policy and default tacacs-server policy commands restore the switch default of denying access to servers from which it receives unrecognized mandatory AV pair by deleting the tacacs-server policy statement from running-config.

Command Mode

Global Configuration

Command Syntax

tacacs-server policy unknown-mandatory-attribute ignore

no tacacs-server policy unknown-mandatory-attribute ignore

default tacacs-server policy unknown-mandatory-attribute ignore

Example
This command configures the switch to permit access to TACACS+ servers that send unrecognized mandatory AV pairs.
switch(config)# tacacs-server policy unknown-mandatory-attribute ignore
switch(config)#

tacacs-server timeout

The tacacs-server timeout command defines the global timeout the switch uses when communicating with any TACACS+ server for which a timeout is not defined.

The no tacacs-server timeout and default tacacs-server timeout commands restore the global timeout default period of five seconds by removing the tacacs-server timeout command from running-config.

Command Mode

Global Configuration

Command Syntax

tacacs-server timeout time_period

no tacacs-server timeout

default tacacs-server timeout

Parameters

time_period timeout period (seconds). Values range from 1 to 1000. Default is 5.

Related Command

tacacs-server host

Example
This command configures the switch to wait 20 seconds for a TACACS+ server response before issuing an error.
switch(config)# tacacs-server timeout 20
switch(config)#

username ssh-key

The username ssh-key command configures an SSH key for the specified username. Command options allow the key to be entered directly into the CLI or referenced from a file.

The specified username must be previously configured through a username command.

The no username ssh-key and default username ssh-key commands delete the SSH key for the specified username by removing the corresponding username ssh-key command from running-config.

The no username ssh-key role and default username ssh-key role commands perform the following:

  • delete the SSH key for the specified username by removing the corresponding username ssh-key command from running-config.
  • delete the role assignment from the specified username by editing the corresponding username statement in running-config.

Command Mode

Global Configuration

Command Syntax

username name sshkey KEY

no username name sshkey [role]

default username name sshkey [role]

Parameters
  • name username text that the user enters at the login prompt to access the CLI.

    Valid usernames begin with A-Z, a-z, or 0-9 and may also contain any of these characters:

    @ # $ % ^ & * - _ = + ; < > , . ~ |

  • KEY SSH key. Options include:
    • key_text username is associated with ssh key specified by key_text string.
    • file key_file username is associated with SSH key in the specified file.
Example
These commands create the username john, assign it the password x245, then associate it to the SSH key listed in the file named john-ssh.
switch(config)# username john secret x245
switch(config)# username john sshkey file john-ssh
switch(config)#

username

The username command adds a username to the local file and optionally assigns a password to the username. If the command specifies an existing username, the command replaces the password in the local file. The command can also define a username without a password or remove the password from a username.

The no username command deletes the specified username by removing the corresponding username statement from running-config. The default username command removes user-specified usernames, but restores the admin username to its default parameters.

The no username role command assigns the default role assignment to the specified username statement by editing the corresponding username statement in running-config. The default username role command reverts the specified username to its default role by editing the corresponding username statement in running-config. For the admin username, this restores network-admin as its role, even if the admin username has been deleted and then created again.

Command Mode

Global Configuration

Command Syntax

username name [PRIVILEGE_LEVEL] SECURITY [ROLE_USER]

no username name [role]

default username name [role]

All parameters except name can be placed in any order.

Parameters
  • name username text that the user enters at the login prompt to access the CLI.

    Valid usernames begin with A-Z, a-z, or 0-9 and may also contain any of these characters:

    @ # $ % ^ & * - _ = + ; < > , . ~ |

  • PRIVILEGE_LEVEL user’s initial session privilege level. This parameter is used when an authorization command includes the local option.
    • no parameter the privilege level is set to 1.
    • privilege rank where rank is an integer between 0 and 15.
  • SECURITY password assignment option.
    • nopassword name is not password protected.
    • secret password name is protected by specified password (clear-text string).
    • secret 0 password name is protected by specified password (clear-text string).
    • secret 5 password name is protected by specified password. (MD5-encrypted string).
    • secret sha5 password name is protected by specified password (SHA-512-encrypted string).
  • ROLE_USER specifies the role for performing command authorization. Options include:

Guidelines

Encrypted strings entered through this parameter are generated elsewhere. The secret 5 option (SECURITY) is typically used to enter a list of username-passwords from a script.

The SECURITY parameter is mandatory for unconfigured usernames. For previously configured users, the command can specify a PRIVILEGE_LEVEL or ROLE without a SECURITY setting.

The admin username is provided by the initial configuration, but it can be deleted, and its parameters are editable. The initial admin configuration is:
username admin privilege 1 role network-admin nopassword
Note: when deleting the admin username, it is advisable to create at least one other username on the switch before saving the configuration.
Examples
  • These equivalent commands create the username john and assign it the password x245. The password is entered in clear text because the ENCRYPTION parameter is either omitted or zero.
    switch(config)# username john secret x245
    switch(config)# username john secret 0 x245
  • This command creates the username john and assigns it to the text password that corresponds to the encrypted string $1$sU.7hptc$TsJ1qslCL7ZYVbyXNG1wg1. The string was generated by an MD5-encryption program using x245 as the seed.
    switch(config)# username john secret 5 $1$sU.7hptc$TsJ1qslCL7ZYVbyXNG1wg1
    switch(config)#

    A user authenticates the username john by entering x245 when the CLI prompts for a password.

  • This command creates the username jane without securing it with a password or removes a password if the jane username exists.
    switch(config)# username jane nopassword
    switch(config)#
  • This command removes the username william from the local file.
    switch(config)# no username william
    switch(config)#