User Security

AAA Configuration

Authentication, Authorization, and Accounting Overview

Methods

The switch controls access to EOS commands by authenticating user identity and verifying user authorization. Authentication, Authorization, and Accounting (AAA) activities are conducted through three data services: a local security database, TACACS+ servers, and RADIUS servers. Configuring the Security Services describes these services.

Configuration Statements

Enabling AAA on the switch requires two steps:

  1. Configure security service parameters.

    The switch provides configuration commands for each security service:

    • A local file supports authentication through username and enable password commands.
    • TACACS+ servers provide security services through tacacs-server commands.
    • RADIUS servers provide security services through radius-server commands.

    Configuring the Security Services describes security service configuration commands.

  2. Activate AAA services.

    EOS provides aaa authorization, aaa authentication, and aaa accounting commands to select the primary and backup services. Activating Security Services provides information on implementing a security environment.

Encryption

The switch uses clear-text passwords and server access keys to authenticate users and communicate with security systems. To prevent accidental disclosure of passwords and keys, running-config stores their corresponding encrypted strings. The encryption method depends on the type of password or key.

Commands that configure passwords or keys can accept the clear-text password or an encrypted string that was generated by the specified encryption algorithm with the clear-text password as the seed.

Configuring the Security Services

The switch can access three security data services to authenticate users and authorize switch tasks: a local file, TACACS+ servers, and RADIUS Servers.

Local Security File

The local file uses passwords to provide these authentication services:

  • authenticate users as they log into the switch
  • control access to configuration commands
  • control access to the switch root login

The local file contains username-password combinations to authenticate users. Passwords also authorize access to configuration commands and the switch root login.

Passwords

The switch recognizes passwords as clear text and encrypted strings.

  • Clear-text passwords are the text that a user enters to access the CLI, configuration commands, or the switch root login.
  • Encrypted strings are MD5-based hash strings generated with the clear text as the seed. The local file stores passwords in this format to avoid unauthorized disclosure. When a user enters the clear-text password, the switch generates the corresponding secure hash and compares it to the stored version.
    Note: The switch cannot recover the clear text from which an encrypted string is generated.

Valid passwords contain the characters A-Z, a-z, 0-9 and any of these punctuation characters:

! @ # $ % ^ & * ( ) - _ = + { } [ ] ; : < > , . ? / ~ \

Usernames

Usernames control access to the EOS and all switch commands. The switch is typically accessed through an SSH login, using a previously defined username-password combination. To create a new username or modify an existing username, use the username command.

Valid usernames begin with A-Z, a-z, or 0-9 and may also contain any of these characters:

@ # $ % ^ & * - _ = + ; < > , . ~ |

The default username is admin, which is described in Admin Username.

Examples
  • These equivalent commands create the username “john” and assign it the password “x245.” The password is entered in clear text because the encrypt-type parameter is omitted or zero.
    switch(config)#username john secret x245
    switch(config)#username john secret 0 x245
  • This command creates the username “john” and assigns it the clear-text password that corresponds to the encrypted string “$1$sU.7hptc$TsJ1qslCL7ZYVbyXNG1wg1.” The string was generated by an MD5-encryption program using “x245” as the seed.
    switch(config)#username john secret 5 $1$sU.7hptc$TsJ1qslCL7ZYVbyXNG1wg1

The username is authenticated by entering “x245” when the CLI prompts for a password.

  • This command creates the username “jane” without securing it with a password. It also removes the password if the “jane” username already exists.
    switch(config)#username jane nopassword
  • This command removes the username “william” from the local file.
    switch(config)#no username william

Logins by Unprotected Usernames

The default switch configuration allows usernames that are not password-protected to log in only from the console. The aaa authentication policy local allow-nopassword-remote-login command configures the switch to allow unprotected usernames to log in from any port. To reverse this setting to the default state, use the no form of aaa authentication policy local allow-nopassword-remote-login.

Note: Allowing remote access to accounts without passwords is a severe security risk. Arista Networks recommends assigning strong passwords to all usernames.
Examples
  • This command configures the switch to allow unprotected usernames to log in from any port.
    switch(config)#aaa authentication policy local allow-nopassword-remote-login
  • This command configures the switch to allow unprotected usernames to log in only from the console port.
    switch(config)#no aaa authentication policy local allow-nopassword-remote-login

Enable Command Authorization

The enable command controls access to Privileged EXEC and all configuration command modes. The enable password authorizes users to execute the enable command. When the enable password is set, the CLI displays a password prompt when a user attempts to enter Privileged EXEC mode.

main-host> enable
Password:
main-host#

If an incorrect password is entered three times in a row, the CLI displays the EXEC mode prompt.

If no enable password is set, the CLI does not prompt for a password when a user attempts to enter Privileged EXEC mode.

To set the enable password, use the enable password command.

Examples
  • These equivalent commands assign “xyrt1” as the enable password.
    switch(config)#enable password xyrt1
    switch(config)#enable password 0 xyrt1
  • This command assigns the enable password to the clear text “12345” corresponding to the encrypted string “$1$8bPBrJnd$Z8wbKLHpJEd7d4tc5Z/6h/.” The string was generated by an MD5-encryption program using “12345” as the seed.
    switch(config)#enable password 5 $1$8bPBrJnd$Z8wbKLHpJEd7d4tc5Z/6h/
  • This command deletes the enable password.
    switch(config)#no enable password

Root Account Password

The root account accesses the root directory in the underlying Linux shell. When it is not password protected, you can log into the root account only through the console port. After you assign a password to the root account, you can log into it through any port.

To set the password for the root account, use the aaa root command.

Examples
  • These equivalent commands assign “f4980” as the root account password.
    switch(config)#aaa root secret f4980
    switch(config)#aaa root secret 0 f4980
  • This command assigns the text “ab234” that corresponds to the encrypted string “$1$HW05LEY8$QEVw6JqjD9VqDfh.O8r.b.” as the root password.
    switch(config)#aaa root secret 5 $1$HW05LEY8$QEVw6JqjD9VqDfh.O8r.b
  • This command removes the password from the root account.
    switch(config)#aaa root nopassword
  • This command disables the root login.
    switch(config)#no aaa root

TACACS+

Terminal Access Controller Access-Control System Plus (TACACS+), derived from the TACACS protocol defined in RFC 1492, is a network protocol that provides centralized user validation services. TACACS+ information is maintained on a remote database. EOS support of TACACS+ services requires access to a TACACS+ server.

TACACS+ manages multiple network access points from a single server. The switch defines a TACACS+ server connection by its address and port, allowing the switch to conduct multiple data streams to a single server by addressing different ports on the server.

These sections describe the steps that configure access to TACACS+ servers. Configuring TACACS+ access is most efficient when the TACACS+ server is already functioning before the switch parameters are configured.

Configuring TACACS+ Parameters

TACACS+ parameters define settings for the switch to communicate with TACACS+ servers. A set of values can be configured for individual TACACS+ servers that the switch accesses. Global parameters define settings for communicating with servers for which parameters are not individually configured.

The switch supports the following TACACS+ parameters.

Encryption Key

The encryption key is code that the switch and the TACACS+ server share to facilitate communications.

Examples
  • This command configures the switch to communicate with the TACACS+ server assigned the host name “TAC-1” using the encryption key “rp31E2v.”
    switch(config)#tacacs-server host TAC-1 key rp31E2v
  • This command configures “cv90jr1” as the global encryption key.
    switch(config)#tacacs-server key 0 cv90jr1
  • This command assigns “cv90jr1” as the global key, using the corresponding encrypted string.
    switch(config)#tacacs-server key 7 020512025B0C1D70

Session Multiplexing

The switch supports multiplexing sessions on a single TCP connection.

  • The tacacs-server host command configures the multiplexing option for a specified server.
  • There is no global multiplexing setting.
Example
  • This command configures the switch to communicate with the TACACS+ server at 10.12.7.9 and indicates that the server supports session multiplexing on a TCP connection.
    switch(config)#tacacs-server host 10.12.7.9 single-connection

Timeout

The timeout is the period the switch waits for a successful connection to, or response from, the TACACS+ server. The default is 5 seconds.

Examples
  • This command configures the switch to communicate with the TACACS+ server assigned the host name “TAC_1” and configures the timeout period as 20 seconds.
    switch(config)#tacacs-server host TAC_1 timeout 20
  • This command configures 40 seconds as the global period that the switch waits for a response from a TACACS+ server before issuing an error.
    switch(config)#tacacs-server timeout 40

Port

The port specifies the port number through which the switch and the servers send information. The TACACS+ default port is 49.

  • The tacacs-server host command specifies the port number for an individual TACACS+ server.
  • The global TACACS+ port number cannot be changed from the default value of 49.
Example
  • This command configures the switch to communicate with the TACACS+ server at 10.12.7.9 through port 54.
    switch(config)#tacacs-server host 10.12.7.9 port 54

TACACS+ Status

To display the TACACS+ servers and their interactions with the switch, use the show tacacs command.

Example
  • This command lists the configured TACACS+ servers.
    switch(config)#show tacacs

    server1: 10.1.1.45
    Connection opens: 15
    Connection closes: 6
    Connection disconnects: 6
    Connection failures: 0
    Connection timeouts: 2
    Messages sent: 45
    Messages received: 14
    Receive errors: 2
    Receive timeouts: 2
    Send timeouts: 3

    Last time counters were cleared: 0:07:02 ago

To reset the TACACS+ status counters, use the clear aaa counters tacacs+ command.

Example
  • This command clears all TACACS+ status counters.
    switch(config)#clear aaa counters tacacs

RADIUS

Remote Authentication Dial-In User Service (RADIUS) is a networking protocol that provides centralized AAA services for computers connecting to and using network resources. RADIUS is used to manage access to the Internet, internal networks, wireless networks, and integrated email services.

These sections describe the steps that configure RADIUS server access. Configuring RADIUS parameters is most efficient when the RADIUS server is already functioning before the switch parameters are configured.

RADIUS Vendor-Specific Attribute-Value Pairs

RADIUS servers and client companies extend basic RADIUS functionality through vendor-specific attributes. A dictionary file includes a list of RADIUS attribute-value pairs that Arista switches use to perform AAA operations through the RADIUS server.

Arista switches use the following attribute values:

  • Arista Vendor number: 30065
  • Attribute: Arista-AVPair 1 string

Acceptable string values for Arista-AVPair include:

  • "shell:priv-lvl=<privilege level of a user, 0-15>"
  • "shell:roles=<list of roles for a user>"
Example
  • This is a sample dictionary file that identifies Arista RADIUS vendor-specific attribute-value pairs.
    #
    # dictionary.arista
    #
    VENDOR Arista 30065
    # Standard Attribute
    BEGIN-VENDOR Arista
    ATTRIBUTE Arista-AVPair 1 string
    END-VENDOR Arista
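As an added example that is not part of this manual or of EOS, the following Python parses a dictionary in the format above, encodes an Arista-AVPair as an RFC 2865 Vendor-Specific attribute using the vendor number 30065 and attribute number 1 from the dictionary, and extracts the privilege level and role list from a server reply's attribute list, ignoring other vendors' attributes. The role-list separator and the foreign vendor id in the sample are assumptions.

```python
import re
import struct

ARISTA_VENDOR_ID = 30065   # "VENDOR Arista 30065" in dictionary.arista
ARISTA_AVPAIR = 1          # "ATTRIBUTE Arista-AVPair 1 string"
VENDOR_SPECIFIC = 26       # RFC 2865 Vendor-Specific attribute type

# Constructed copy of the dictionary shown on the page, used to exercise the parser.
DICTIONARY_ARISTA = """\
# dictionary.arista
VENDOR Arista 30065
BEGIN-VENDOR Arista
ATTRIBUTE Arista-AVPair 1 string
END-VENDOR Arista
"""

def parse_dictionary(text):
    """Parse a FreeRADIUS-style dictionary into
    {vendor_name: (vendor_id, {attr_name: (attr_number, attr_type)})}."""
    vendors, attrs, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # strip comments and blank lines
        if not line:
            continue
        parts = line.split()
        if parts[0] == "VENDOR":
            vendors[parts[1]] = int(parts[2])
        elif parts[0] == "BEGIN-VENDOR":
            current = parts[1]
        elif parts[0] == "END-VENDOR":
            current = None
        elif parts[0] == "ATTRIBUTE" and current is not None:
            attrs.setdefault(current, {})[parts[1]] = (int(parts[2]), parts[3])
    return {name: (vid, attrs.get(name, {})) for name, vid in vendors.items()}

def encode_arista_avpair(value):
    """Wrap one Arista-AVPair string in a Vendor-Specific attribute:
    type 26, length, Vendor-Id (4 bytes), then vendor-type, vendor-length, string."""
    data = value.encode("ascii")
    sub = struct.pack("!BB", ARISTA_AVPAIR, 2 + len(data)) + data
    body = struct.pack("!I", ARISTA_VENDOR_ID) + sub
    if 2 + len(body) > 255:                      # the length field is one byte
        raise ValueError("Arista-AVPair value too long for one attribute")
    return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(body)) + body

def split_tlvs(blob):
    """Walk a RADIUS type/length/value list, rejecting truncated or malformed items."""
    items, offset = [], 0
    while offset < len(blob):
        if offset + 2 > len(blob):
            raise ValueError("truncated attribute header at offset %d" % offset)
        atype, alen = blob[offset], blob[offset + 1]
        if alen < 2 or offset + alen > len(blob):
            raise ValueError("bad attribute length %d at offset %d" % (alen, offset))
        items.append((atype, blob[offset + 2:offset + alen]))
        offset += alen
    return items

def arista_avpairs(attributes):
    """Return every Arista-AVPair string in an attribute list; other vendors are ignored."""
    values = []
    for atype, val in split_tlvs(attributes):
        if atype != VENDOR_SPECIFIC or len(val) < 4:
            continue
        if struct.unpack("!I", val[:4])[0] != ARISTA_VENDOR_ID:
            continue
        for vtype, vval in split_tlvs(val[4:]):   # sub-attributes reuse the TLV layout
            if vtype == ARISTA_AVPAIR:
                values.append(vval.decode("ascii"))
    return values

def authorization_from_avpairs(values):
    """Map shell:priv-lvl and shell:roles strings to (privilege level, list of roles).
    Assumption: roles are separated by commas or whitespace; the page does not say."""
    priv, roles = None, []
    for value in values:
        m = re.fullmatch(r"shell:priv-lvl=(\d+)", value)
        if m:
            level = int(m.group(1))
            if not 0 <= level <= 15:
                raise ValueError("privilege level out of range: %d" % level)
            priv = level
            continue
        m = re.fullmatch(r"shell:roles=(.*)", value)
        if m:
            roles.extend(r for r in re.split(r"[,\s]+", m.group(1)) if r)
    return priv, roles

# Constructed attribute list: two Arista pairs followed by a made-up vendor (id 12345)
# whose sub-attribute also has vendor-type 1 and must not be mistaken for Arista-AVPair.
SAMPLE_REPLY = (
    encode_arista_avpair("shell:priv-lvl=15")
    + encode_arista_avpair("shell:roles=network-admin")
    + struct.pack("!BBI", VENDOR_SPECIFIC, 2 + 4 + 2 + 3, 12345)
    + struct.pack("!BB", 1, 2 + 3) + b"xyz"
)
```

Running authorization_from_avpairs(arista_avpairs(SAMPLE_REPLY)) yields privilege level 15 and the single role network-admin; truncating the attribute list by one byte raises ValueError instead of silently dropping the last attribute.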
    
Configuring RADIUS Defaults

RADIUS policies specify settings for the switch to communicate with RADIUS servers. A set of values can be configured for individual RADIUS servers that the switch accesses. Global parameters define settings for communicating with servers for which parameters are not individually configured.

The switch defines the following RADIUS parameters.

Encryption Key

The encryption key is the key shared by the switch and RADIUS servers to facilitate communications.

Examples
  • This command configures the switch to communicate with the RADIUS server assigned the host name “RAD-1” using the encryption key “rp31E2v.”
    switch(config)#radius-server host RAD-1 key rp31E2v
  • This command configures “cv90jr1” as the global encryption key.
    switch(config)#radius-server key 0 cv90jr1
  • This command assigns “cv90jr1” as the key by specifying the corresponding encrypted string.
    switch(config)#radius-server key 7 020512025B0C1D70

Timeout

The timeout is the period that the switch waits for a successful connection to, or response from, a RADIUS server. The default period is 5 seconds.

Examples
  • This command configures the switch to communicate with the RADIUS server assigned the host name “RAD-1” and configures the timeout period as 20 seconds.
    switch(config)#radius-server host RAD-1 timeout 20
  • This command configures 50 seconds as the global period that the switch waits for a response from a RADIUS server before issuing an error.
    switch(config)#radius-server timeout 50

Retransmit

Retransmit is the number of times the switch attempts to access the RADIUS server after the first server timeout expiry. The default value is 3 times.

Examples
  • This command configures the switch to communicate with the RADIUS server assigned the host name “RAD-1” and configures the retransmit value as 2.
    switch(config)#radius-server host RAD-1 retransmit 2
  • This command configures the switch to attempt five RADIUS server contacts after the initial timeout. If the timeout parameter is set to 50 seconds, then the total period that the switch waits for a response is ((5+1)*50) = 300 seconds.
    switch(config)#radius-server retransmit 5

Deadtime

Deadtime is the period when the switch ignores a non-responsive RADIUS server or a server that does not answer retransmit attempts after timeout expiry. Deadtime is disabled if a value is not specified.

Examples
  • This command configures the switch to communicate with the RADIUS server assigned the host name “RAD-1” and configures the deadtime period as 90 minutes.
    switch(config)#radius-server host RAD-1 deadtime 90
  • This command programs the switch to ignore a server for two hours if the server does not respond to a request during the timeout-retransmit period.
    switch(config)#radius-server deadtime 120

Port

The port specifies the port number through which the switch and servers send information.

  • The radius-server host command specifies the port numbers for an individual RADIUS server.
  • The global RADIUS port numbers cannot be changed from the default values of 1812 for an authorization port and 1813 for an accounting port.
Example
  • These commands configure the switch to communicate with the RADIUS server named “RAD-1” through port number 1850 for authorization and port number 1851 for accounting.
    switch(config)#radius-server host RAD-1 auth-port 1850
    switch(config)#radius-server host RAD-1 acct-port 1851

To remove the configuration for this server, use the no radius-server host command and specify the hostname or IP address together with both the authorization and accounting port numbers.

RADIUS Status

The show radius command displays configured RADIUS servers and their interactions with the switch.

Example
  • This command lists the configured RADIUS servers.
    switch(config)#show radius
    
    server1: 10.1.1.45
    Messages sent: 24
    Messages received: 20
    Requests accepted: 14
    Requests rejected: 8
    Requests timeout: 2
    Requests retransmitted: 1
    Bad responses: 1
    Last time counters were cleared: 0:07:02 ago

To reset the RADIUS status counters, use the clear aaa counters radius command.

Example
  • This command clears all RADIUS status counters.
    switch(config)#clear aaa counters radius 

Server Groups

A server group is a collection of servers that are associated with a single group name. Subsequent authorization and authentication commands can access all servers in a group by invoking the group name. The switch supports TACACS+ and RADIUS server groups.

The aaa group server commands create server groups and place the switch in a server-group configuration mode to assign servers to the group. Commands that reference an existing group place the switch in a server-group configuration mode to modify the group.

The aaa group server tacacs+ and aaa group server radius commands create named server groups and enter the appropriate command mode for the specified group.

The server (server-group-RADIUS configuration mode) commands add servers to the configuration mode server group. Servers must be previously configured with a radius-server host or tacacs-server host command before they are added to a group.

Examples
  • This command creates the TACACS+ server group named “TAC-GR” and enters server-group configuration mode for the new group.
    switch(config)#aaa group server tacacs+ TAC-GR
    switch(config-sg-tacacs+-TAC-GR)#
  • These commands add two servers to the “TAC-GR” server group. To add servers to this group, the switch must be in sg-tacacs+-TAC-GR configuration mode. The CLI remains in server-group configuration mode after adding the “TAC-1” server (port 49) and the server located at 10.1.4.14 (port 151) to the group.
    switch(config-sg-tacacs+-TAC-GR)#server TAC-1
    switch(config-sg-tacacs+-TAC-GR)#server 10.1.4.14 port 151
    switch(config-sg-tacacs+-TAC-GR)#
  • This command exits server-group configuration mode.
    switch(config-sg-tacacs+-TAC-GR)#exit
    switch(config)#
  • This command creates the RADIUS server group named “RAD-SV1” and enters server-group configuration mode for the new group.
    switch(config)#aaa group server radius RAD-SV1
    switch(config-sg-radius-RAD-SV1)#
  • These commands add two servers to the “RAD-SV1” server group. To add servers to this group, the switch must be in sg-radius-RAD-SV1 configuration mode. The CLI remains in server-group configuration mode after adding the RAC-1 server (authorization port 1812, accounting port 1813) and the server located at 10.1.5.14 (authorization port 1812, accounting port 1850) to the group.
    switch(config-sg-radius-RAD-SV1)#server RAC-1
    switch(config-sg-radius-RAD-SV1)#server 10.1.5.14 acct-port 1850
    switch(config-sg-radius-RAD-SV1)#

Role-Based Authorization

Role-based authorization is a method of restricting access to CLI commands through the assignment of profiles, called “roles,” to user accounts. Each role consists of rules that permit or deny access to a set of commands within specified command modes.

All roles are accessible to the local security file through a username parameter and to remote users through RADIUS servers. Each role can be applied to multiple user accounts. Only one role may be applied to a user.

Role Types

The switch defines two types of roles: user-defined and built-in.

  • User-defined roles are created and edited through CLI commands.
  • Built-in roles are supplied with the switch and are not user-editable.

Built-in roles supplied by the switch are “network-operator” and “network-admin.”

Role Structure

A role is an ordered list of rules that restricts access to specified commands from users on whom it is applied. Roles consist of deny and permit rules. Each rule references a set of command modes and contains a regular expression that specifies one or more CLI commands. Commands are compared sequentially to the rules within a role until a rule's regular expression matches the command.

  • Commands that match a regular expression in a permit rule are executed.
  • Commands that match a regular expression in a deny rule are disregarded.
  • Commands that do not match a regular expression are evaluated against the next rule in the role.

Upon its entry in the CLI, a command is compared to the first rule of the role. Commands that match the rule are executed (permit rule) or disregarded (deny rule). Commands that do not match the rule are compared to the next rule. This process continues until the command either matches a rule or the rule list is exhausted. The switch disregards commands not matching any rule.

Role Rules

Role rules consist of four components: sequence number, filter type, mode expression, and command expression.

Sequence Number

The sequence number designates a rule’s placement in the role. Sequence numbers range in value from 1 to 256. Rule commands that do not include a sequence number append the rule at the end of the list, deriving its sequence number by adding 10 to the sequence number of the last rule in the list.

Example
  • These rules have sequence numbers 10 and 20.
    10 deny mode exec command reload
    20 deny mode config command (no |default )?router

Filter Type

The filter type specifies the disposition of matching commands. Filter types are permit and deny. Commands matching permit rules are executed. Commands matching deny rules are disregarded.

Example
  • These rules are deny and permit rules, respectively.
    10 deny mode exec command reload
    20 permit mode config command interface

Mode Expression

The mode expression specifies the command mode under which the command expression is effective. The mode expression may be a regular expression or a designated keyword. Rules support the following mode expressions:

  • exec: EXEC and Privileged EXEC modes
  • config: Global Configuration Mode
  • config-all: all configuration modes, including Global Configuration Mode
  • short_name: short key name of a command mode (exact match)
  • long_name: long key name of a command mode (regular expression match of one or more modes)
  • <no parameter>: all command modes

The prompt command configures the CLI to display a configuration mode’s key name:

  • %P: long key name
  • %p: short key name

Example
  • These commands use the prompt command to display the short key name (if) and the long key name (if-Et1) for interface ethernet 1.
    switch(config)#prompt switch%p
    switch(config)#interface ethernet 1
    switch(config-if)#exit
    switch(config)#prompt switch%P
    switch(config)#interface ethernet 1
    switch(config-if-Et1)#

The command supports the use of regular expressions to reference multiple command modes.

Example

These regular expressions correspond to the listed command modes:

  • if-Vlan(1|2): matches interface-VLAN 1 or interface-VLAN 2
  • if: matches all interface modes
  • acl-text1: matches ACL configuration mode for the “text1” ACL

Command Expression

The command expression is a regular expression that corresponds to one or more CLI commands.

Examples

These regular expressions correspond to the specified commands:

  • reload: reload command
  • (no |default )?router: commands that enter routing protocol configuration modes
  • (no |default )?(ip|mac) access-list: commands that enter ACL configuration modes
  • (no |default )?(ip|mac) access-group: commands that bind ACLs to interfaces
  • lacp|spanning-tree: LACP and STP commands
  • .*: all commands
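As an added illustration, not code from EOS or this manual, the following Python models the sequential rule evaluation described in Role Structure together with the mode expressions and command expressions above, including appending, inserting, deleting and resequencing rules. Assumed, because the page does not specify them: the key names used for EXEC and Global Configuration mode, and that a command expression is matched from the start of the command line.

```python
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Mode:
    """A CLI command mode: short key name (%p), long key name (%P), configuration mode or not."""
    short: str
    long: str
    is_config: bool


# Key names for EXEC and Global Configuration mode are assumptions; the interface
# mode names ("if", "if-Et1") are the ones the prompt example on the page displays.
EXEC = Mode("exec", "exec", False)
CONFIG = Mode("config", "config", True)
IF_ET1 = Mode("if", "if-Et1", True)

RULE_RE = re.compile(r"(?:(\d+)\s+)?(permit|deny)\s+(?:mode\s+(\S+)\s+)?command\s+(.+)")


def mode_matches(expr, mode):
    """Apply the mode-expression keywords listed on the page to a Mode."""
    if expr is None:                       # no mode parameter: every command mode
        return True
    if expr == "exec":
        return not mode.is_config
    if expr == "config":
        return mode.long == "config"       # Global Configuration Mode only
    if expr == "config-all":
        return mode.is_config
    # Otherwise an exact match on the short key name, or a regular expression over the long one.
    return expr == mode.short or re.fullmatch(expr, mode.long) is not None


@dataclass
class Rule:
    seq: int
    action: str              # "permit" or "deny"
    mode: Optional[str]      # mode expression, or None for all modes
    command: str             # command regular expression

    def matches(self, mode, command):
        # Assumption: the command expression is anchored at the start of the command line.
        return mode_matches(self.mode, mode) and re.match(self.command, command) is not None

    def text(self):
        mode = " mode %s" % self.mode if self.mode else ""
        return "%d %s%s command %s" % (self.seq, self.action, mode, self.command)


class Role:
    """An ordered list of rules keyed by sequence number (1-256)."""

    def __init__(self, name):
        self.name = name
        self.rules = {}

    def add(self, text):
        """Add a rule as typed in Role Configuration Mode; without a number it is appended at last + 10."""
        m = RULE_RE.fullmatch(text.strip())
        if not m:
            raise ValueError("cannot parse rule: %r" % text)
        seq, action, mode, command = m.groups()
        seq = int(seq) if seq else (max(self.rules) + 10 if self.rules else 10)
        if not 1 <= seq <= 256:
            raise ValueError("sequence number %d is outside 1-256" % seq)
        self.rules[seq] = Rule(seq, action, mode, command)   # an existing number is overwritten
        return seq

    def remove(self, seq):
        del self.rules[seq]

    def resequence(self, start, step):
        """Renumber the rules in order, as resequence (Role) does."""
        ordered = self.ordered()
        self.rules = {}
        for i, rule in enumerate(ordered):
            rule.seq = start + i * step
            self.rules[rule.seq] = rule

    def ordered(self):
        return [self.rules[seq] for seq in sorted(self.rules)]

    def show(self):
        return [rule.text() for rule in self.ordered()]


def authorize(role, mode, command):
    """The first rule whose mode and command match decides; a command matching no rule is disregarded."""
    for rule in role.ordered():
        if rule.matches(mode, command):
            return rule.action == "permit"
    return False


def sysuser_role():
    """The sysuser role as it is built up in the Managing Roles section of this page."""
    role = Role("sysuser")
    role.add("deny mode exec command reload")
    role.add("deny mode config command (no |default )?router")
    role.add("permit command .*")
    return role
```

One detail worth checking with authorize(): the "config" keyword covers Global Configuration Mode only, so "router bgp 100" typed inside an interface mode is not caught by rule 20 of sysuser and falls through to the permit rule; a rule with "config-all" is needed to deny it everywhere.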

Creating and Modifying Roles

Built-in Role

The switch provides the following two built-in roles:

  • network-operator: allows all commands in EXEC (Privileged) modes. Commands in all other modes are denied.
  • network-admin: allows all CLI commands in all modes.

The network-admin role is typically assigned to the admin user to allow it to run any command.

Built-in roles are not editable.

Example
  • These show users roles commands display the contents of the built-in roles.
    switch(config)#show users roles network-operator
    The default role is network-operator
    role: network-operator
    10 deny mode exec command bash|\|
    20 permit mode exec command .*
    switch(config)#show users roles network-admin
    The default role is network-operator
    role: network-admin
    10 permit command .*
    switch(config)#

Managing Roles
Creating and Opening a Role

Roles are created and modified in Role Configuration Mode. To create a role, enter the role command with the role’s name. The switch enters Role Configuration Mode. If the command is followed by the name of an existing role, subsequent commands edit that role.

Example
  • This command places the switch in Role Configuration Mode to create a role named “sysuser.”
    switch(config)#role sysuser
    switch(config-role-sysuser)#

Saving Role Changes

Role Configuration Mode is a group-change mode; changes are saved by exiting the mode.

Examples
  • These commands create a role, then add a deny rule to the role. Because the changes are not yet saved, the role remains empty, as shown by show users roles.
    switch(config)#role sysuser
    switch(config-role-sysuser)#deny mode exec command reload
    switch(config-role-sysuser)#show users roles sysuser
    The default role is network-operator

    switch(config-role-sysuser)#
  • To save all current changes to the role and exit Role Configuration Mode, type exit.
    switch(config-role-sysuser)#exit
    switch(config)#show users roles sysuser
    The default role is network-operator

    role: sysuser
    10 deny mode exec command reload
    switch(config)#

Note: After exiting Role Configuration Mode, running-config must be saved to startup-config to preserve role changes past system restarts.

Discarding Role Changes

The abort command exits Role Configuration Mode without saving pending changes.

Example
  • These commands enter Role Configuration Mode to add deny rules, but discard the changes before saving them to the role.
    switch(config)#role sysuser
    switch(config-role-sysuser)#deny mode exec command reload
    switch(config-role-sysuser)#abort
    switch(config)#show users roles sysuser
    The default role is network-operator

    switch(config)#

Modifying Roles
Adding Rules to a Role

The deny (Role) command adds a deny rule to the configuration mode role. The permit (Role) command adds a permit rule to the configuration mode role.

To append a rule to the end of a role, enter the rule without a sequence number while in Role Configuration Mode. The new rule's sequence number is derived by adding 10 to the last rule's sequence number.

Example
  • These commands enter the first three rules into a new role.
    switch(config)#role sysuser
    switch(config-role-sysuser)#deny mode exec command reload
    switch(config-role-sysuser)#deny mode config command (no |default )?router
    switch(config-role-sysuser)#permit command .*
    switch(config-role-sysuser)#exit
    switch(config)#show users roles sysuser
    The default role is network-operator

    role: sysuser
    10 deny mode exec command reload
    20 deny mode config command (no |default )?router
    30 permit command .*
    switch(config)#

Inserting a Rule

To insert a rule into a role, enter the rule with a sequence number that falls between the sequence numbers of the existing rules.

Example
  • This command inserts a rule between the first two rules by assigning it the sequence number 15.
    switch(config)#role sysuser
    switch(config-role-sysuser)#15 deny mode config-all command lacp
    switch(config-role-sysuser)#exit
    switch(config)#show users roles sysuser
    The default role is network-operator

    role: sysuser
    10 deny mode exec command reload
    15 deny mode config-all command lacp
    20 deny mode config command (no |default )?router
    30 permit command .*
    switch(config)#

Deleting a Rule

To remove a rule from the current role, use one of these forms:

  • Enter no, followed by the sequence number of the rule to be deleted.
  • Enter no, followed by the rule to be deleted.
  • Enter default, followed by the sequence number of the rule to be deleted.
  • Enter default, followed by the rule to be deleted.

Example
  • These equivalent commands remove rule 30 from the list.
    switch(config-role-sysuser)#no 30
    switch(config-role-sysuser)#default 30
    switch(config-role-sysuser)#no permit command .*
    switch(config-role-sysuser)#default permit command .*

    This role results from entering one of the preceding commands.

    switch(config)#show users roles sysuser
    The default role is network-operator

    role: sysuser
    10 deny mode exec command reload
    15 deny mode config-all command lacp|spanning-tree
    20 deny mode config command (no |default )?router
    switch(config)#

Redistributing Sequence Numbers

Sequence numbers determine the order of the rules in a role. After an editing session in which existing rules are deleted and new rules are inserted between existing rules, the sequence numbers may no longer be evenly spaced. Redistributing rule numbers adjusts the sequence number of each rule to provide a constant difference between adjacent rules. The resequence (Role) command adjusts the sequence numbers of role rules.

Example
  • The resequence command renumbers the rules in the sysuser role. The sequence number of the first rule is 100; subsequent rule numbers are incremented by 20.
    switch(config)#show users roles sysuser
    The default role is network-operator

    role: sysuser
    10 deny mode exec command reload
    20 deny mode config-all command lacp|spanning-tree
    25 deny mode config command (no |default )?router
    30 permit command .*
    switch(config)#role sysuser
    switch(config-role-sysuser)#resequence 100 20
    switch(config-role-sysuser)#exit
    switch(config)#show users roles sysuser
    The default role is network-operator

    role: sysuser
    100 deny mode exec command reload
    120 deny mode config-all command lacp|spanning-tree
    140 deny mode config command (no |default )?router
    160 permit command .*
    switch(config)#

Assigning a Role to a Username

Roles are assigned to local users through the username command and to remote users through RADIUS servers. Each user is assigned one role. Each role can be assigned to multiple local and remote users.

Default Roles

Users that are not explicitly assigned a role are assigned the default role. The aaa authorization policy local default-role command designates the default role. The “network-operator” built-in role is the default role when the default role is not configured.

Examples
  • These commands assign “sysuser” as the default role, then display the name of the default role.
    switch(config)#aaa authorization policy local default-role sysuser
    switch(config)#show users roles
    The default role is sysuser

    switch(config)#
  • These commands restore “network-operator” as the default role by deleting the aaa authorization policy local default-role statement from running-config, then display the default role name.
    switch(config)#no aaa authorization policy local default-role
    switch(config)#show users roles
    The default role is network-operator

    switch(config)#

Local Security File (Username command)

Roles are assigned to users with the username command's role parameter. A username whose running-config username statement does not include a role parameter is assigned the default role.

The role parameter function in a command creating a username is different from its function in a command editing an existing name.

Assigning a Role to a New Username

A username command that creates a username explicitly assigns a role to the username by including the role parameter; commands without a role parameter assign the default role to the username.

Example
  • These commands create two usernames. The first user is assigned a role; the second user assumes the default role.
    switch(config)#username FRED secret 0 axced role sysuser1
    switch(config)#username JANE nopassword
    switch(config)#show running-config
    <-------OUTPUT OMITTED FROM EXAMPLE-------->
    !
    username FRED role sysuser1 secret 5 $1$dhJ6vrPV$PFOvJCX/vcqyIHV.vd.l20
    username JANE nopassword
    !
    <-------OUTPUT OMITTED FROM EXAMPLE-------->
    switch(config)#
Editing the Role of an Existing Username

The role of a previously configured username may be edited by a username command without altering its password. The role assignment of a username is not changed by username commands that do not include a role parameter.

Examples
  • These commands assign a role to a previously configured username.
    switch(config)#username JANE role sysuser2
    switch(config)#show running-config
    
    <-------OUTPUT OMITTED FROM EXAMPLE-------->
    !
    username FRED role sysuser1 secret 5 $1$dhJ6vrPV$PFOvJCX/vcqyIHV.vd.l20
    username JANE role sysuser2 nopassword
    !
    
    <-------OUTPUT OMITTED FROM EXAMPLE-------->
    switch(config)#
  • These commands revert a username to the default role by removing its role assignment.
    switch(config)#no username FRED role
    switch(config)#show running-config
    <-------OUTPUT OMITTED FROM EXAMPLE-------->
    !
    
    username FRED secret 5 $1$dhJ6vrPV$PFOvJCX/vcqyIHV.vd.l20
    username JANE role sysuser2 nopassword
    !
    <-------OUTPUT OMITTED FROM EXAMPLE-------->
    switch(config)#
Displaying the Role Assignments

The show users accounts command displays role assignment of the configured users. The show users detail command displays roles of users that are currently logged into the switch.

Example
  • This command displays the configured users and their role assignments.
    switch(config)#show users accounts
    user: FRED
     role: <unknown>
     privilege level: 1
    user: JANE
     role: sysuser2
     privilege level: 1
    user: admin
     role: network-admin
     privilege level: 1
    switch(config)#
  • This command displays information about the active AAA login sessions.
    switch(config)#show aaa session
    Session Username Roles            TTY    State Duration Auth         Remote Host
    ------- -------- ---------------- ------ ----- -------- ------------ --------------
    2       admin    network-operator ttyS0  E     0:01:21  local
    4       Fred     sysadmin         telnet E     0:02:01  local        sf.example.com
    6       Jane     sysuser2         ssh    E     0:00:52  group radius ny.example.com
    9       admin    network-admin    ssh    E     0:00:07  local        bj.example.com
    10      max      network-admin    telnet E     0:00:07  local        sf.example.com
RADIUS Servers

A role can be assigned to a remote user authenticated through a RADIUS server. Roles are assigned through the vendor-specific attribute-value (AV) pair named “Arista-AVPair.” The switch extracts the remote user’s role upon a successful authentication when RADIUS authentication is enabled.

Example
This extract from a sample FreeRADIUS users file includes the AV pair that assigns roles to three remote users.
# Sample RADIUS server users file
"Jane"  Cleartext-Password := "Abc1235"
        Arista-AVPair = "shell:roles=sysuser2",
        Service-Type = NAS-Prompt-User
"Mary"  Cleartext-Password := "xYz$2469"
        Arista-AVPair = "shell:roles=sysadmin",
        Service-Type = NAS-Prompt-User
"Fred"  Cleartext-Password := "rjx4#222"
        Arista-AVPair = "shell:roles=network-operator",
        Service-Type = NAS-Prompt-User
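As an added example, not FreeRADIUS or EOS code, the following Python parser reads a users file in the layout shown above and extracts the role each user would receive from Arista-AVPair. The sample file is constructed from the three entries above plus an added user "Bob" who has no Arista-AVPair, which is the case in which the switch falls back to its default role; the default-role name is passed in because it is switch configuration, not something the RADIUS server knows.

```python
import re
from typing import Dict, List

# Constructed users file modelled on the extract above; "Bob" is an added entry
# with no Arista-AVPair, so the switch would place him in its default role.
USERS_FILE = '''\
# Sample RADIUS server users file (constructed)
"Jane"  Cleartext-Password := "Abc1235"
        Arista-AVPair = "shell:roles=sysuser2",
        Service-Type = NAS-Prompt-User
"Mary"  Cleartext-Password := "xYz$2469"
        Arista-AVPair = "shell:roles=sysadmin",
        Service-Type = NAS-Prompt-User
"Fred"  Cleartext-Password := "rjx4#222"
        Arista-AVPair = "shell:roles=network-operator",
        Service-Type = NAS-Prompt-User
"Bob"   Cleartext-Password := "constructed-pw"
        Service-Type = NAS-Prompt-User
'''

# A users-file entry: an unindented line names the user and carries the check
# items; the indented lines that follow carry the reply items, comma-separated.
ENTRY_RE = re.compile(r'^(?:"(?P<q>[^"]*)"|(?P<u>\S+))\s*(?P<rest>.*)$')
ITEM_RE = re.compile(r'^\s*(?P<attr>[\w-]+)\s*(?P<op>:=|==|\+=|=)\s*'
                     r'(?:"(?P<qv>[^"]*)"|(?P<v>[^,\s]+))\s*,?\s*$')


def _add_item(target: Dict[str, str], text: str) -> None:
    m = ITEM_RE.match(text)
    if m:
        target[m["attr"]] = m["qv"] if m["qv"] is not None else m["v"]


def parse_users_file(text: str) -> List[dict]:
    """Return one dict per entry: {"user", "check": {...}, "reply": {...}}."""
    entries: List[dict] = []
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line[0].isspace():                      # start of a new entry
            m = ENTRY_RE.match(line)
            name = m["q"] if m["q"] is not None else m["u"]
            current = {"user": name, "check": {}, "reply": {}}
            entries.append(current)
            for item in m["rest"].split(","):
                _add_item(current["check"], item)
        elif current is not None:                      # reply item of the current entry
            _add_item(current["reply"], line)
    return entries


ROLE_RE = re.compile(r"^shell:roles=(?P<role>[\w-]+)$")


def roles_from_users_file(text: str, default_role: str = "network-operator") -> Dict[str, str]:
    """Map each user to the role the switch would take from Arista-AVPair,
    falling back to the default role when the attribute is absent or malformed."""
    roles = {}
    for e in parse_users_file(text):
        m = ROLE_RE.match(e["reply"].get("Arista-AVPair", ""))
        roles[e["user"]] = m["role"] if m else default_role
    return roles
```

Running roles_from_users_file over the sample yields sysuser2, sysadmin and network-operator for Jane, Mary and Fred, and the default role for Bob; an auditor reviewing a RADIUS users file can use the same pass to list every remote user whose role is decided by the switch default rather than by the server.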

The aaa authentication login command selects the user authentication service (see Configuring Service Lists ).

Example
This command configures the switch to authenticate users through all RADIUS servers.
switch(config)#aaa authentication login default group radius 
Enable Role-Based Access Control

To enable Role-Based Access Control on the switch, apply the following configuration:

 switch(config)#aaa authorization commands all default local 

Activating Security Services

After configuring the access databases, aaa authentication, aaa authorization, and aaa accounting commands designate active and backup services for handling access requests.

These sections describe the methods of selecting the database that the switch uses to authenticate users and authorize access to network resources.

Authenticating Usernames and the Enable Password

Service lists specify the services the switch uses to authenticate usernames and the enable password.

Service List Description

Service list elements are service options, ordered by their priority.

Note: When the local file is one of the service list elements, any attempts to locally authenticate a username that is not included in the local file will result in the switch continuing to the next service list element.
Example
  • This is an example service list for username authentication:

1. Location_1 server group - specifies a server group (see Server Groups ).

2. Location_2 server group - specifies a server group.

3. TACACS+ servers - specifies all hosts for which a tacacs-server host command exists.

4. Local file - specifies the local file.

5. None - specifies that no authentication is required - all access attempts succeed.

To authenticate a username, the switch checks Location_1 server group. If a server in the group is available, the switch authenticates the username through that group. Otherwise, it continues through the list until it finds an available service or utilizes option 5, which allows the access attempt to succeed without authentication.

Configuring Service Lists

Service lists are incorporated into these aaa authentication commands to specify services the switch uses to authenticate usernames and the enable password.

Examples
  • This command configures the switch to authenticate usernames through the TAC-1 server group. The local database is the backup method if TAC-1 servers are unavailable.
    switch(config)#aaa authentication login default group TAC-1 local 
  • This command configures the switch to authenticate usernames through all TACACS+ servers, then all RADIUS servers if the TACACS+ servers are not available. If the RADIUS servers are unavailable, the switch does not authenticate any login attempts.
    switch(config)#aaa authentication login default group tacacs+ group radius none
  • This command configures the switch to authenticate the enable password through all TACACS+ servers, then through the local database if the TACACS+ servers are unavailable.
    switch(config)#aaa authentication enable default group TACACS+ local  
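The fallthrough behaviour described for service lists, as an added Python model that is not EOS code. It walks a list such as "group TAC-1 local" or "group tacacs+ group radius none" in priority order using the rules stated above: an unavailable server group is skipped, a username missing from the local file moves evaluation to the next element, a reachable service that rejects the credentials is final, and none accepts any attempt. The server groups TAC-1, tacacs+ and radius come from the commands above; the host addresses, reachability flags and user credentials are constructed, and treating an exhausted list as a denial is an assumption of this model.

```python
from typing import Dict, List, Optional, Tuple

# Constructed inventory: each server group lists its hosts, whether the host is
# reachable, and the credentials that host knows. The local file is the switch's.
Host = Dict[str, object]

SERVER_GROUPS: Dict[str, List[Host]] = {
    "group TAC-1":   [{"host": "10.1.1.10", "up": True,  "users": {"alice": "tac-pw"}}],
    "group tacacs+": [{"host": "10.1.1.10", "up": False, "users": {}}],
    "group radius":  [{"host": "10.1.1.20", "up": False, "users": {}}],
}
LOCAL_FILE: Dict[str, str] = {"admin": "local-pw"}


def authenticate(service_list: List[str], user: str, password: str,
                 groups: Dict[str, List[Host]] = SERVER_GROUPS,
                 local_file: Dict[str, str] = LOCAL_FILE) -> Tuple[bool, Optional[str]]:
    """Walk the service list in priority order; return (accepted, deciding service).

    Unreachable groups are skipped; a user absent from the local file falls
    through to the next element; 'none' accepts everyone; a reachable service
    that rejects the credentials ends the evaluation. Assumption: an exhausted
    list denies access."""
    for service in service_list:
        if service == "none":
            return True, "none"
        if service == "local":
            if user not in local_file:
                continue                      # not in the local file: try the next element
            return local_file[user] == password, "local"
        reachable = [h for h in groups.get(service, []) if h["up"]]
        if not reachable:
            continue                          # no server in the group answers: next element
        known = reachable[0]["users"]          # the first reachable server decides
        return known.get(user) == password, service
    return False, None


if __name__ == "__main__":
    print(authenticate(["group TAC-1", "local"], "admin", "local-pw"))
    print(authenticate(["group tacacs+", "group radius", "none"], "anyone", ""))
```

Two results are worth noting for the commands above. With TAC-1 reachable, "admin" is rejected even though the local file knows the password, because the local file is only consulted when TAC-1 is unavailable. With every server group down, the list ending in none accepts any credentials at all, which is exactly the outcome the second example above describes.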

Authorization

Authorization commands control EOS shell access, CLI command access, and configuration access through the console port. The switch also supports role-based authorization, which allows access to specified CLI commands by assigning command profiles (or roles) to usernames. See Role-Based Authorization for details.

During the exec authorization process, TACACS+ server responses may include attribute-value (AV) pairs. The switch recognizes the mandatory AV pair named “priv-lvl=x” (where x is between 0 and 15).

By default, a TACACS+ server that sends any other mandatory AV pair is denied access to the switch. The receipt of optional AV pairs by the switch has no effect on decisions to permit or deny access to the TACACS+ server. The tacacs-server policy command programs the switch to allow access to TACACS+ servers that send unrecognized mandatory AV pairs.

Authorization to switch services is configured by the following aaa authorization commands.

Examples
  • This command specifies that TACACS+ servers authorize users attempting to open a CLI shell.
    switch(config)#aaa authorization exec default group tacacs+  
  • This command programs the switch to authorize configuration commands (privilege level 15) through the local file and to deny command access to users not listed in the local file.
    switch(config)#aaa authorization commands all default local
  • This command programs the switch to permit all commands entered on the CLI.
    switch(config)#aaa authorization commands all default none
  • This command configures the switch to permit access to TACACS+ servers that send unrecognized mandatory AV pairs.
    switch(config)#tacacs-server policy unknown-mandatory-attribute ignore

All commands are typically authorized through aaa authorization commands. However, the no aaa authorization config-commands command disables the authorization of configuration commands. In this state, authorization to execute configuration commands can be managed by controlling access to global configuration commands. The default setting authorizes configuration commands through the policy specified for all other commands.

By default, EOS does not verify authorization of commands entered on the console port.

Examples
  • This command disables the authorization of configuration commands.
    switch(config)#no aaa authorization config-commands 
  • This command enables the authorization of configuration commands.

    switch(config)#aaa authorization config-commands 
  • This command configures the switch to authorize commands entered on the console, using the method specified through a previously executed aaa authorization command.

    switch(config)#aaa authorization serial-console 

Accounting

The accounting service collects information for billing, auditing, and reporting. The switch supports TACACS+ and RADIUS accounting by reporting user activity to either the TACACS+ server or RADIUS server in the form of accounting records.

The switch supports two types of accounting:

  • EXEC: Provides information about user CLI sessions.
  • Commands: Records the commands entered, including configuration commands, for the associated privilege levels.

The accounting mode determines when accounting notices are sent. Mode options include:

  • start-stop: a start notice is sent when a process begins; a stop notice is sent when it ends.
  • stop-only: a stop accounting record is generated after a process successfully completes.

Accounting is enabled by the aaa accounting command.

Examples
  • This command configures the switch to maintain start-stop accounting records for all commands executed by switch users and submits them to all TACACS+ hosts.
    switch(config)#aaa accounting commands all default start-stop group tacacs+  
  • This command configures the switch to maintain stop accounting records for all user EXEC sessions performed through the console and submits them to all TACACS+ hosts.
    switch(config)#aaa accounting exec console stop group tacacs+  

TACACS+ Configuration Examples

These sections describe two sample TACACS+ host configurations.

Single Host Configuration

The example single host configuration consists of a TACACS+ server with these attributes:

  • IP address: 10.1.1.10
  • encryption key: example_1
  • port number: 49 (global default)
  • timeout: 5 seconds (global default)

The switch authenticates the username and enable command against all TACACS+ servers which, in this case, is one host. If the TACACS+ server is unavailable, the switch authenticates with the local file.

  1. This step configures TACACS+ server settings – port number and timeout are global defaults.
    switch(config)#tacacs-server host 10.1.1.10 key example_1  
  2. This step configures the login authentication service.
    switch(config)#aaa authentication login default group tacacs+ local
  3. This step configures the enable command password authentication service.
    switch(config)#aaa authentication enable default group tacacs+ local  

Multiple Host Configuration

The example multiple host configuration consists of three TACACS+ servers at these locations:

  • IP address 10.1.1.2 - port 49
  • IP address 172.16.4.12 - port 4900
  • IP address 192.168.2.10 - port 49

The configuration combines the servers into these server groups:

  • Bldg_1 group consists of the servers at 10.1.1.2 and 172.16.4.12
  • Bldg_2 group consists of the servers at 192.168.2.10

All servers use these global TACACS+ defaults:

  • encryption key - example_2
  • timeout - 10 seconds

The switch authenticates these access methods:

  • username access against Bldg_1 group then, if they are not available, against the local file.
  • enable command against Bldg_2 group, then Bldg_1 group, then against the local file.
  1. TACACS+ Host commands:

    These commands configure the IP address and port for each of the three TACACS+ servers. The first and third servers use the default port, 49.

    switch(config)#tacacs-server host 10.1.1.2
    switch(config)#tacacs-server host 172.16.4.12 port 4900
    switch(config)#tacacs-server host 192.168.2.10
  2. Global Configuration Commands:

    These commands configure the global encryption key and timeout values.

    switch(config)#tacacs-server key example_2
    switch(config)#tacacs-server timeout 10 
  3. Group Server Commands:

    The aaa group server commands create the server groups and place the CLI in server group configuration mode, in which the servers are added to the group. The port number must be included when it is not the default port, as in the line that adds 172.16.4.12.

    switch(config)#aaa group server tacacs+ Bldg_1
    switch(config-sg-tacacs+-Bldg_1)#server 10.1.1.2
    switch(config-sg-tacacs+-Bldg_1)#server 172.16.4.12 port 4900
    switch(config-sg-tacacs+-Bldg_1)#exit
    switch(config)#aaa group server tacacs+ Bldg_2
    switch(config-sg-tacacs+-Bldg_2)#server 192.168.2.10
    switch(config-sg-tacacs+-Bldg_2)#exit
    switch(config)#
  4. Login and enable configuration authentication responsibility commands:

    These commands configure the username and enable command password authentication services.

    switch(config)#aaa authentication login default group Bldg_1 local
    switch(config)#aaa authentication enable default group Bldg_1 group Bldg_2 local 

AAA Commands

aaa accounting dot1x

The aaa accounting dot1x command enables the accounting of requested 802.1X services for network access.

The no aaa accounting dot1x and default aaa accounting dot1x commands disable the specified method list by removing the corresponding aaa accounting dot1x command from running-config.

Command Mode

Global Configuration

Command Syntax

aaa accounting dot1x default MODE [METHOD_1] [METHOD_2] ... [METHOD_N]

no aaa accounting dot1x default

default aaa accounting dot1x default

Parameters

  • MODE accounting mode that defines when accounting notices are sent. Options include:
    • start-stop a start notice is sent when a process begins; a stop notice is sent when it ends.
  • METHOD_X server groups (methods) to which the switch can send accounting records. The switch sends the accounting records to the first listed group that is available.

Parameter value is not specified if MODE is set to none. If MODE is not set to none, the command must provide at least one method. Each method is composed of one of the following:

  • group name the server group identified by name.
  • group radius server group that includes all defined RADIUS hosts.
  • logging log all accounting messages to syslog.

Examples
  • This example configures IEEE 802.1X accounting on the switch.
    switch(config)#aaa accounting dot1x default start-stop group radius
    switch(config)#
  • This example disables IEEE 802.1X accounting on the switch.
    switch(config)#no aaa accounting dot1x default  
    switch(config)#

aaa accounting system

The aaa accounting system command performs accounting for all system-level events.

The no aaa accounting system and default aaa accounting system commands clear the specified method list by removing the corresponding aaa accounting system command from running-config.

Command Mode

Global Configuration

Command Syntax

aaa accounting system default MODE [METHOD_1] [METHOD_2] ... [METHOD_N]

no aaa accounting system default

default aaa accounting system default

Parameters

  • MODE accounting mode that defines when accounting notices are sent. Options include:
    • none no notices are sent.
    • start-stop a start notice is sent when a process begins; a stop notice is sent when it ends.
    • stop-only a stop accounting record is generated after a process successfully completes.
  • METHOD_X server groups (methods) to which the switch can send accounting records. The switch sends the method list to the first listed group that is available.

Parameter value is not specified if MODE is set to none. If MODE is not set to none, the command must provide at least one method. Each method is composed of one of the following:

  • group name the server group identified by name.
  • group radius server group that includes all defined RADIUS hosts.
  • group tacacs+ server group that includes all defined TACACS+ hosts.
  • logging log all accounting messages to syslog.
Examples
  • This command configures AAA accounting to not use any accounting methods for system events.
    switch(config)#aaa accounting system default none
    switch(config)#
  • This command configures the switch to maintain stop accounting records for system events to all defined RADIUS hosts.
    switch(config)#aaa accounting system default stop-only group radius
    switch(config)#

aaa accounting

The aaa accounting command configures accounting method lists for a specified authorization type. Each list consists of a prioritized list of methods. The accounting module uses the first available listed method for the authorization type.

The no aaa accounting and default aaa accounting commands clear the specified method list by removing the corresponding aaa accounting command from running-config.

Command Mode

Global Configuration

Command Syntax

aaa accounting TYPE CONNECTION MODE [METHOD_1][METHOD_2] ... [METHOD_N]

no aaa accounting TYPE CONNECTION

default aaa accounting TYPE CONNECTION

Parameters

  • TYPE authorization type for which the command specifies a method list. Options include:
    • EXEC records user authentication events.
    • COMMANDS ALL records all entered commands.
    • COMMANDS level records entered commands of the specified level (ranges from 0 to 15).
  • CONNECTION connection type of sessions for which method lists are reported. Options include:
    • console console connection.
    • default all connections not covered by other command options.
  • MODE accounting mode that defines when accounting notices are sent. Options include:

    • none no notices are sent.
    • start-stop a start notice is sent when a process begins; a stop notice is sent when it ends.
    • stop-only a stop accounting record is generated after a process successfully completes.
  • METHOD_X server groups (methods) to which the switch can send accounting records. The switch sends the method list to the first listed group that is available.

Parameter value is not specified if MODE is set to none. If MODE is not set to none, the command must provide at least one method. Each method is composed of one of the following:

  • group name the server group identified by name.
  • group radius server group that includes all defined RADIUS hosts.
  • group tacacs+ server group that includes all defined TACACS+ hosts.
  • logging log all accounting messages to syslog.
Examples
  • This command configures the switch to maintain start-stop accounting records for all commands executed by switch users and submits them to all TACACS+ hosts.
    switch(config)#aaa accounting commands all default start-stop group tacacs+
    switch(config)#
  • This command configures the switch to maintain stop accounting records for all user EXEC sessions performed through the console and submits them to all TACACS+ hosts.
    switch(config)#aaa accounting exec console stop group tacacs+
    switch(config)#

aaa authentication dot1x

The aaa authentication dot1x command configures the default authentication list of requested 802.1X services for network access.

The no aaa authentication dot1x and default aaa authentication dot1x commands remove the default authentication list for IEEE 802.1X.

Command Mode

Global Configuration

Command Syntax

aaa authentication dot1x default group {group_name | radius}

no aaa authentication dot1x default

default aaa authentication dot1x

Parameters

  • default configures the default authentication list of requested 802.1X services for network access
  • group configures server group
  • group_name server group name; multiple group names can be entered in a single command
  • radius list of all defined RADIUS hosts
Examples
  • This command configures the switch to authenticate IEEE 802.1X requests through the auth1 server group.
    switch(config)#aaa authentication dot1x default group auth1
    switch(config)#

aaa authentication enable

The aaa authentication enable command configures the service list that the switch references to authorize access to Privileged EXEC command mode.

The list consists of a prioritized list of service options. Available service options include:

  • a named server group
  • all defined TACACS+ hosts
  • all defined RADIUS hosts
  • local authentication
  • no authentication

The switch authorizes access by using the first listed service option that is available. When the local file is a service list element, attempts to locally authenticate a username that is not in the local file result in the switch continuing to the next service list element.

When the list is not configured, it is set to local.

The no aaa authentication enable and default aaa authentication enable commands revert the list configuration as local by removing the aaa authentication enable command from running-config.

Command Mode

Global Configuration

Command Syntax

aaa authentication enable default METHOD_1 [METHOD_2] ... [METHOD_N]

no aaa authentication enable default

default aaa authentication enable default

Parameters

  • METHOD_X authentication service method list. The command must provide at least one method. Each method is composed of one of the following:
    • group name the server group identified by name.
    • group radius a server group that consists of all defined RADIUS hosts.
    • group tacacs+ a server group that consists of all defined TACACS+ hosts.
    • local local authentication.
    • none users are not authenticated; all access attempts succeed.
Example
  • This command configures the switch to authenticate the enable password through all configured TACACS+ servers. Local authentication is the backup if TACACS+ servers are unavailable.
    switch(config)#aaa authentication enable default group tacacs+ local
    switch(config)#

aaa authentication login

The aaa authentication login command configures service lists the switch references to authenticate usernames. Service lists consist of service options ordered by usage priority. The switch authenticates usernames through the first available service option. Supported service options include:

  • a named server group
  • all defined TACACS+ hosts
  • all defined RADIUS hosts
  • local authentication
  • no authentication

When the local file is a service list element, attempts to locally authenticate a username that is not in the local file result in the switch continuing to the next service list element.

The switch supports a console list for authenticating usernames through the console and a default list for authenticating usernames through all other connections.

  • When the console list is not configured, the console connection uses the default list.
  • When the default list is not configured, it is set to local.

The no aaa authentication login and default aaa authentication login commands revert the specified list configuration to its default by removing the corresponding aaa authentication login command from running-config.

Command Mode

Global Configuration

Command Syntax

aaa authentication login CONNECTION SERVICE_1 [SERVICE_2] ... [SERVICE_N]

no aaa authentication login CONNECTION

default aaa authentication login CONNECTION

Parameters

  • CONNECTION connection type of sessions for which authentication list is used
    • default the default authentication list
    • console the authentication list for console logins
  • SERVICE_X an authentication service. Settings include:
    • group name identifies a previously defined server group
    • group radius a server group that consists of all defined RADIUS hosts
    • group tacacs+ a server group that consists of all defined TACACS+ hosts
    • local local authentication
    • none The switch does not perform authentication. All access attempts succeed.
Examples
  • This command configures the switch to authenticate usernames through the TAC-1 server group. The local database is the backup method if TAC-1 servers are unavailable.
    switch(config)#aaa authentication login default group TAC-1 local
    switch(config)#
  • This command configures the switch to authenticate usernames through all TACACS+ servers, then all RADIUS servers if the TACACS+ servers are not available. If the RADIUS servers are also unavailable, the switch allows access to all login attempts without authentication.
    switch(config)#aaa authentication login default group tacacs+ group radius none
    switch(config)#

aaa authentication policy local allow-nopassword-remote-login

The aaa authentication policy local allow-nopassword-remote-login command permits usernames without passwords to log in from any port. The default switch setting only allows unprotected usernames to log in from the console.

The no aaa authentication policy local allow-nopassword-remote-login and default aaa authentication policy local allow-nopassword-remote-login commands return the switch to the default setting of allowing unprotected usernames to log in only from the console.

Command Mode

Global Configuration

Command Syntax

aaa authentication policy local allow-nopassword-remote-login

no aaa authentication policy local allow-nopassword-remote-login

default aaa authentication policy local allow-nopassword-remote-login

Examples
  • This command configures the switch to allow unprotected usernames to log in from any port.
    switch(config)#aaa authentication policy local allow-nopassword-remote-login
    switch(config)#
  • This command configures the switch to allow unprotected usernames to log in only from the console port.
    switch(config)#no aaa authentication policy local allow-nopassword-remote-login
    switch(config)#

aaa authentication policy log

The aaa authentication policy log command configures the switch to generate syslog messages for login authentication success or failure events.

The no aaa authentication policy log and the default aaa authentication policy log commands restore the default behavior of not generating syslog messages for these events.

Command Mode

Global Configuration

Command Syntax

aaa authentication policy {on-failure | on-success} log

no aaa authentication policy {on-failure | on-success} log

default aaa authentication policy {on-failure | on-success} log

Parameters

  • on-failure generates syslog messages for failed login events.
  • on-success generates syslog messages for successful login events.
Examples

This command configures the switch to log successful and failed login attempts.

switch(config)#aaa authentication policy on-success log
switch(config)#aaa authentication policy on-failure log

aaa authorization commands

The aaa authorization commands command configures the service list that authorizes CLI command access. All switch commands are assigned a privilege level that corresponds to the lowest level command mode from which they can be executed:

  • Level 1: Commands accessible from EXEC mode.
  • Level 15: Commands accessible from any mode except EXEC.

Command usage is authorized for each privilege level specified in the command.

The list consists of a prioritized list of service options. The switch authorizes access by using the first listed service option that is available. The available service options include:

  • a named server group
  • all defined TACACS+ hosts
  • all defined RADIUS hosts
  • local authorization
  • no authorization

The list is set to none for all unconfigured privilege levels, allowing all CLI access attempts to succeed.

The no aaa authorization commands and default aaa authorization commands commands revert the list contents to none for the specified privilege levels.

Command Mode

Global Configuration

Command Syntax

aaa authorization commands PRIV default SERVICE_1 [SERVICE_2] ... [SERVICE_N]

no aaa authorization commands PRIV default

default aaa authorization commands PRIV default

Parameters

  • PRIV Privilege levels of the commands. Options include:
    • level numbers from 0 to 15: a number, a range, or a comma-delimited list of numbers and ranges.
    • all commands of all levels.
  • SERVICE_X Authorization service. Command must list at least one service. Options include:
    • group name the server group identified by name.
    • group tacacs+ a server group that consists of all defined TACACS+ hosts.
    • local local authorization.
    • none the switch does not perform authorization. All access attempts succeed.
Examples
  • This command authorizes configuration commands (privilege level 15) through the local file. The switch denies command access to users not listed in the local file.
    switch(config)#aaa authorization commands all default local
    switch(config)#
  • This command authorizes all commands entered on the CLI.
    switch(config)#aaa authorization commands all default none
    switch(config)#

aaa authorization config-commands

The aaa authorization config-commands command enables authorization of commands in any configuration mode, such as Global Configuration and all interface configuration modes. Commands are authorized through the policy specified by the aaa authorization commands setting. Authorization is enabled by default, so issuing this command has no effect unless running-config contains the no aaa authorization config-commands command.

The no aaa authorization config-commands command disables configuration command authorization. When configuration command authorization is disabled, running-config contains the no aaa authorization config-commands command. The default aaa authorization config-commands command restores the default setting by removing the no aaa authorization config-commands from running-config.

Command Mode

Global Configuration

Command Syntax

aaa authorization config-commands

no aaa authorization config-commands

default aaa authorization config-commands

Examples
  • This command disables the authorization of configuration commands.
    switch(config)#no aaa authorization config-commands
    switch(config)#
  • This command enables the authorization of configuration commands.
    switch(config)#aaa authorization config-commands
    switch(config)#

aaa authorization exec

The aaa authorization exec command configures the service list that the switch references to authorize access to open an EOS CLI shell.

The list consists of a prioritized list of service options. The switch authorizes access by using the first listed service option to which the switch can connect. When the switch cannot communicate with an entity that provides a specified service option, it attempts to use the next option in the list.

The available service options include:

  • a named server group
  • all defined TACACS+ hosts
  • all defined RADIUS hosts
  • local authentication
  • no authentication

When the list is not configured, it is set to none, allowing all CLI access attempts to succeed.

The no aaa authorization exec and default aaa authorization exec commands set the list contents to none.

Command Mode

Global Configuration

Command Syntax

aaa authorization exec default METHOD_1 [METHOD_2] ... [METHOD_N]

no aaa authorization exec default

default aaa authorization exec default

Parameters

  • METHOD_X authorization service (method). The switch uses the first listed available method.

The command must provide at least one method. Each method is composed of one of the following:

  • group name the server group identified by name.
  • group radius a server group that consists of all defined RADIUS hosts.
  • group tacacs+ a server group that consists of all defined TACACS+ hosts.
  • local local authentication.
  • none the switch does not perform authorization. All access attempts succeed.

Guidelines

During the exec authorization process, the TACACS+ server response may include attribute-value (AV) pairs. The switch recognizes priv-lvl=x (where x is an integer between 0 and 15), which is a mandatory AV pair. A TACACS+ server that sends any other mandatory AV pair is denied access to the switch. The receipt of optional AV pairs by the switch has no effect on decisions to permit or deny access to the TACACS+ server.

Example
  • This command specifies that the TACACS+ servers authorize users that attempt to open an EOS CLI shell.
    switch(config)#aaa authorization exec default group tacacs+
    switch(config)#
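The following added example (not Arista code) models the two decisions described above: walking the prioritized method list, where an unreachable group falls through to the next option, and applying the Guidelines' AV-pair rule to a TACACS+ exec authorization reply. The method-list model, the `tacacs_replies` map and the deny-when-exhausted behaviour are assumptions.

```python
"""Decision logic for `aaa authorization exec`: walk the method list, skip a
group the switch cannot reach, and apply the TACACS+ AV-pair rule from the
Guidelines above.  Added example, not Arista code."""
import re

# TACACS+ attribute-value pairs: "attr=value" is mandatory, "attr*value" is optional.
AV_RE = re.compile(r"^([^=*]+)([=*])(.*)$")


def evaluate_tacacs_exec_reply(av_pairs):
    """Return (permitted, priv_lvl) for the AV pairs of an exec authorization reply.
    priv-lvl=x with 0 <= x <= 15 is the only mandatory pair accepted; any other
    mandatory pair denies access; optional pairs have no effect on the decision."""
    priv_lvl = None
    for pair in av_pairs:
        m = AV_RE.match(pair)
        if not m:
            return False, None          # malformed pair: deny (assumption)
        attr, sep, value = m.groups()
        if sep == "*":
            continue                    # optional pair: ignored
        if attr == "priv-lvl" and value.isdigit() and 0 <= int(value) <= 15:
            priv_lvl = int(value)
            continue
        return False, None              # any other mandatory pair: deny
    return True, priv_lvl


def authorize_exec(method_list, tacacs_replies, local_user_ok=False):
    """Apply METHOD_1 ... METHOD_N in order.  tacacs_replies maps a TACACS+ group
    method ("group tacacs+", "group NAME") to the server's AV pairs, or to None
    when no host in the group answers.  Constructed model; RADIUS groups omitted."""
    for method in method_list:
        if method == "none":
            return True                 # no authorization: every attempt succeeds
        if method == "local":
            return local_user_ok        # the local file decides
        reply = tacacs_replies.get(method)
        if reply is None:
            continue                    # cannot connect to the group: next option
        permitted, _ = evaluate_tacacs_exec_reply(reply)
        return permitted                # a reachable server's answer is final
    return False                        # list exhausted, no method reachable (assumption)
```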

aaa authorization policy local default-role

The aaa authorization policy local command specifies the name of the default role. A role is a data structure that supports local command authorization through its assignment to user accounts. Roles consist of permit and deny rules that define authorization levels for specified commands. Applying a role to a username authorizes the user to execute commands specified by the role.

The default role is assigned to the following users:

  • local or remote users assigned to a role that is not configured.
  • local users to whom a role is not assigned.

When the default-role is not specified, network-operator is assigned to qualified users as the default role. The network-operator role authorizes assigned users access to all CLI commands in EXEC and Privileged EXEC modes.

The no aaa authorization policy local default-role and default aaa authorization policy local default-role commands remove the aaa authorization policy local default-role statement from running-config. Removing this statement restores network-operator as the default role.

Command Mode

Global Configuration

Command Syntax

aaa authorization policy local default-role role_name

no aaa authorization policy local default-role

default aaa authorization policy local default-role

Parameters

  • role_name Name of the default role.

Related Commands

The role command places the switch in role configuration mode for creating and editing roles.

Examples
  • This command configures the sysuser as the default role.
    switch(config)#aaa authorization policy local default-role sysuser
    switch(config)#
  • This command restores network-operator as the default role.
    switch(config)#no aaa authorization policy local default-role
    switch(config)#
  • This command displays the contents of the network-operator role.
    switch#show users roles network-operator
    The default role is network-operator
    role: network-operator
    10 deny mode exec command bash|\|
    20 permit mode exec command .*
    switch#

aaa authorization serial-console

The aaa authorization serial-console command configures the switch to authorize commands entered through the console. By default, commands entered through the console do not require authorization.

The no aaa authorization serial-console and default aaa authorization serial-console commands restore the default setting.

Command Mode

Global Configuration

Command Syntax

aaa authorization serial-console

no aaa authorization serial-console

default aaa authorization serial-console

Example
  • This command configures the switch to authorize commands entered on the console, using the method specified through a previously executed aaa authorization commands command.
    switch(config)#aaa authorization serial-console
    switch(config)#

aaa group server radius

The aaa group server radius command enters the Server-group-RADIUS Configuration Mode for the specified group name. The command creates the specified group if it was not previously created. Commands are available to add servers to the group.

A server group is a collection of servers that are associated with a single label. Subsequent authorization and authentication commands access all servers in a group by invoking the group name. Server group members must be previously configured with a radius-server host command.

The no aaa group server radius and default aaa group server radius commands delete the specified server group from running-config.

Command Mode

Global Configuration

Command Syntax

aaa group server radius group_name

no aaa group server radius group_name

default aaa group server radius group_name

Parameters

  • group_name name (text string) assigned to the group. Cannot be identical to a name already assigned to a TACACS+ server group.

Commands Available in Server-group-RADIUS Configuration Mode

server (server-group-RADIUS configuration mode)

Related Command

aaa group server tacacs+

Example
  • This command creates the RADIUS server group named RAD-SV1 and enters Server-group-RADIUS Configuration Mode for the new group.
    switch(config)#aaa group server radius RAD-SV1
    switch(config-sg-radius-RAD-SV1)#

aaa group server tacacs+

The aaa group server tacacs+ command enters Server-group-TACACS+ Configuration Mode for the specified group name. The command creates the specified group if it was not previously created. Commands are available to add servers to the group.

A server group is a collection of servers that are associated with a single label. Subsequent authorization and authentication commands access all servers in a group by invoking the group name. Server group members must be previously configured with a tacacs-server host command.

The no aaa group server tacacs+ and default aaa group server tacacs+ commands delete the specified server group from running-config.

Command Mode

Global Configuration

Command Syntax

aaa group server tacacs+ group_name

no aaa group server tacacs+ group_name

default aaa group server tacacs+ group_name

Parameters

  • group_name name (text string) assigned to the group. Cannot be identical to a name already assigned to a RADIUS server group.

Commands Available in Server-group-TACACS+ Configuration Mode

server (server-group-TACACS+ configuration mode)

Related Command

aaa group server radius
Example
This command creates the TACACS+ server group named TAC-GR and enters Server-group-TACACS+ Configuration Mode for the new group.
switch(config)#aaa group server tacacs+ TAC-GR
switch(config-sg-tacacs+-TAC-GR)#

aaa root

The aaa root command specifies the password security level for the root account and can assign a password to the account.

The no aaa root and default aaa root commands disable the root account by removing the aaa root command from running-config. The root account is disabled by default.

Command Mode

Global Configuration

Command Syntax

aaa root SECURITY_LEVEL [ENCRYPT_TYPE] [password]

no aaa root

default aaa root

Parameters

  • SECURITY_LEVEL password assignment level. Settings include:
    • secret the root account is assigned the specified password.
    • nopassword the root account is not password protected.
  • ENCRYPT_TYPE encryption level of the password parameter. This parameter is present only when SECURITY_LEVEL is secret. Settings include:
    • <no parameter> the password is entered as clear text.
    • 0 the password is entered as clear text. Equivalent to <no parameter>.
    • 5 the password is entered as an MD5-encrypted string.
    • sha512 the password is entered as an SHA-512-encrypted string.
  • password text that authenticates the username. The command includes this parameter only if SECURITY_LEVEL is secret.
    • password must be in clear text if ENCRYPT_TYPE specifies clear text.
    • password must be an appropriately encrypted string if ENCRYPT_TYPE specifies encryption.

Encrypted strings entered through this parameter are generated elsewhere.

Examples
  • These equivalent commands assign f4980 as the root account password.
    switch(config)#aaa root secret f4980
    switch(config)#aaa root secret 0 f4980
  • This command assigns the text (ab234) that corresponds to the encrypted string of $1$HW05LEY8$QEVw6JqjD9VqDfh.O8r.b. as the root password.
    switch(config)#aaa root secret 5 $1$HW05LEY8$QEVw6JqjD9VqDfh.O8r.b
    switch(config)#
  • This command removes the password from the root account.
    switch(config)#aaa root nopassword
    switch(config)#
  • This command disables the root login.
    switch(config)#no aaa root
    switch(config)#

clear aaa counters radius

The clear aaa counters radius command resets the counters that track the statistics for the RADIUS servers that the switch accesses. The show radius command displays the counters reset by the clear aaa counters radius command.

Command Mode

Privileged EXEC

Command Syntax

clear aaa counters radius

Example
These commands display the effect of the clear aaa counters radius command on the RADIUS counters.
switch#show radius
RADIUS server: radius/10
Connection opens:204
 Connection closes:0
Connection disconnects:199
 Connection failures: 10
 Connection timeouts:2
 Messages sent: 1490
 Messages received: 1490
Receive errors:0
Receive timeouts:0
 Send timeouts:0

Last time counters were cleared: never
switch#clear aaa counters radius
switch#show radius
RADIUS server: radius/10
Connection opens:0
 Connection closes:0
Connection disconnects:0
 Connection failures:0
 Connection timeouts:0
 Messages sent:0
 Messages received:0
Receive errors:0
Receive timeouts:0
 Send timeouts:0

Last time counters were cleared: 0:00:03 ago
switch#

clear aaa counters tacacs+

The clear aaa counters tacacs+ command resets the counters that track the statistics for the TACACS+ servers that the switch accesses. The show tacacs command displays the counters reset by the clear aaa counters tacacs+ command.

Command Mode

Privileged EXEC

Command Syntax

clear aaa counters tacacs+

Example
  • These commands display the effect of the clear aaa counters tacacs+ command on the tacacs+ counters.
    switch#show tacacs
    TACACS+ server: tacacs/49
    Connection opens:15942
     Connection closes:7
    Connection disconnects: 1362
     Connection failures:0
     Connection timeouts:0
     Messages sent:34395
     Messages received:34392
    Receive errors:0
    Receive timeouts:2
     Send timeouts:0
    
    Last time counters were cleared: never
    
    TACACS+ source-interface: Enabled
    TACACS+ outgoing packets will be sourced with an IP address associated with the 
    Loopback0 interface
    switch#clear aaa counters tacacs+
    switch#show tacacs
    TACACS+ server: tacacs/49
    Connection opens:0
     Connection closes:0
    Connection disconnects:0
     Connection failures:0
     Connection timeouts:0
     Messages sent:0
     Messages received:0
    Receive errors:0
    Receive timeouts:0
     Send timeouts:0
    
    Last time counters were cleared: 0:00:03 ago
    switch#
    
    TACACS+ source-interface: Enabled
    TACACS+ outgoing packets will be sourced with an IP address associated with the 
    Loopback0 interface
    switch#

clear aaa counters

The clear aaa counters command resets the counters that track the number of service transactions performed by the switch since the last time the counters were reset. The show aaa counters command displays the counters reset by the clear aaa counters command.

Command Mode

Privileged EXEC

Command Syntax

clear aaa counters [SERVICE_TYPE]

Example
  • These commands display the effect of the clear aaa counters command on the AAA counters.
    switch#clear aaa counters
    switch#show aaa counters
    Authentication
    Successful:0
    Failed:0
     Service unavailable:0
    
    Authorization
     Allowed:1
    Denied:0
     Service unavailable:0
    
    Accounting
    Successful:0
     Error:0
     Pending:0
    
    Last time counters were cleared: 0:00:44 ago

deny (Role)

The deny command adds a deny rule to the configuration mode role. Deny rules prohibit access to specified commands from usernames to which the role is applied. Sequence numbers determine rule placement in the role. A command is compared sequentially to the rules within a role until it matches a rule; the first matching rule determines the command's authorization. Sequence numbers for rules entered without a number are derived by adding 10 to the number of the role's last rule.

Deny rules use regular expressions to denote commands. A mode parameter specifies the command modes from which commands are restricted. Modes are denoted either by predefined keywords, a command mode's short key, or a regular expression that specifies the long key of one or more command modes.

The no deny and default deny commands remove the specified rule from the configuration mode role. The no <sequence number> (Role) command also removes the specified rule from the role.

Command Mode

Role Configuration

Command Syntax

[SEQ_NUM] deny [MODE_NAME] command command_name

no deny [MODE_NAME] command command_name

default deny [MODE_NAME] command command_name

Parameters
  • SEQ_NUM Sequence number assigned to the rule. Options include:
    • <no parameter> Number is derived by adding 10 to the number of the role's last rule.
    • <1 - 256> Number assigned to entry.
  • MODE_NAME Command mode from which command access is prohibited. Values include:
    • <no parameter> All command modes
    • mode short_name Exact match of a mode's short key name.
    • mode long_name Regular expression matching long key name of one or more modes.
    • mode config Global configuration mode.
    • mode config-all All configuration modes, including global configuration mode.
    • mode exec EXEC and Privileged EXEC modes.
  • command_name Regular expression that denotes the name of one or more commands.

Guidelines

The following prompt format parameters program the CLI prompt to display the mode keys:

  • %p Short mode key.
  • %P Long mode key.

Deny statements are saved to running-config only upon exiting Role Configuration Mode.

Related Commands

The role command places the switch in Role Configuration Mode.

Example
These commands append a deny rule at the end of the sysuser role that restricts access to the reload command from EXEC and Privileged EXEC mode.
switch(config)#role sysuser
switch(config-mode-sysuser)#deny mode exec command reload
switch(config-mode-sysuser)#

enable password

The enable password command creates a new enable password or changes an existing password.

The no enable password and default enable password commands delete the enable password by removing the enable password command from running-config.

Command Mode

Global Configuration

Command Syntax

enable password [ENCRYPT_TYPE] password

no enable password

default enable password

Parameters

  • ENCRYPT_TYPE encryption level of the password parameter. Settings include:
    • <no parameter> the password is entered as clear text.
    • 0 the password is entered as clear text. Equivalent to <no parameter>.
    • 5 the password is entered as an MD5-encrypted string.
    • sha512 the password is entered as an SHA-512-encrypted string.
  • password text that authenticates the username.
    • password must be in clear text if ENCRYPT_TYPE specifies clear text.
    • password must be an appropriately encrypted string if ENCRYPT_TYPE specifies encryption.

Encrypted strings entered through this parameter are generated elsewhere.

Examples
  • These equivalent commands assign xyrt1 as the enable password.
    switch(config)#enable password xyrt1
    switch(config)#enable password 0 xyrt1
  • This command assigns the enable password to the clear text (12345) that corresponds to the encrypted string $1$8bPBrJnd$Z8wbKLHpJEd7d4tc5Z/6h/. The string was generated by an MD5-encryption program using 12345 as the seed.
    switch(config)#enable password 5 $1$8bPBrJnd$Z8wbKLHpJEd7d4tc5Z/6h/
    switch(config)#
  • This command deletes the enable password.
    switch(config)#no enable password
    switch(config)#

ip radius source-interface

The ip radius source-interface command specifies the interface from which the IPv4 address is derived for use as the source for outbound RADIUS packets. When a source interface is not specified, the switch selects an interface.

The no ip radius source-interface and default ip radius source-interface commands remove the ip radius source-interface command from running-config.

Command Mode

Global Configuration

Command Syntax

ip radius [VRF_INST] source-interface INT_NAME

no ip radius [VRF_INST] source-interface

default ip radius [VRF_INST] source-interface

Parameters

  • VRF_INST specifies the VRF instance used to communicate with the specified server.
    • <no parameter> switch communicates with the server using the default VRF.
    • vrf vrf_name switch communicates with the server using the specified user-defined VRF.
  • INT_NAME Interface type and number. Options include:
    • interface ethernet e_num Ethernet interface specified by e_num.
    • interface loopback l_num Loopback interface specified by l_num.
    • interface management m_num Management interface specified by m_num.
    • interface port-channel p_num Port-channel interface specified by p_num.
    • interface vlan v_num VLAN interface specified by v_num.
Example
This command configures the source address for outbound RADIUS packets as the IPv4 address assigned to the loopback interface.
switch(config)#ip radius source-interface loopback 0
switch(config)#

ip tacacs source-interface

The ip tacacs source-interface command specifies the interface from which the IPv4 address is derived for use as the source for outbound TACACS+ packets. When a source interface is not specified, the switch selects an interface.

The no ip tacacs source-interface and default ip tacacs source-interface commands remove the ip tacacs source-interface command from running-config.

Command Mode

Global Configuration

Command Syntax

ip tacacs [VRF_INST] source-interface INT_NAME

no ip tacacs [VRF_INST] source-interface

default ip tacacs [VRF_INST] source-interface

Parameters

  • VRF_INST specifies the VRF instance used to communicate with the specified server.
    • <no parameter> switch communicates with the server using the default VRF.
    • vrf vrf_name switch communicates with the server using the specified user-defined VRF.
  • INT_NAME Interface type and number. Options include:
    • interface ethernet e_num Ethernet interface specified by e_num.
    • interface loopback l_num Loopback interface specified by l_num.
    • interface management m_num Management interface specified by m_num.
    • interface port-channel p_num Port-channel interface specified by p_num.
    • interface vlan v_num VLAN interface specified by v_num.
Example
This command configures the source address for outbound TACACS+ packets as the IPv4 address assigned to the loopback interface.
switch(config)#ip tacacs source-interface loopback 0
switch(config)#

no <sequence number> (Role)

The no <sequence number> command removes the rule with the specified sequence number from the configuration-mode role. The default <sequence number> command also removes the specified rule.

Command Mode

Role Configuration

Command Syntax

no sequence_num

default sequence_num

Parameters

  • sequence_num sequence number of rule to be deleted. Values range from 1 to 256.

Guidelines

Role statement changes are saved to running-config only upon exiting Role Configuration Mode.

Related Command

The role command places the switch in Role Configuration Mode.

Example
These commands display the rules in the sysuser role, remove rule 30 from the role, then display the edited role.
switch(config)#show users roles sysuser
The default role is network-operator

role: sysuser
10 deny mode exec command reload
20 deny mode config command (no |default )?router
30 deny mode config command (no |default )?(ip|mac) access-list
40 deny mode if command (no |default )?(ip|mac) access-group
50 deny mode config-all command lacp|spanning-tree
60 permit command .*
switch(config)#role sysuser
switch(config-role-sysuser)#no 30
switch(config-role-sysuser)#exit
switch(config)#show users roles sysuser
The default role is network-operator

role: sysuser
10 deny mode exec command reload
20 deny mode config command (no |default )?router
40 deny mode if command (no |default )?(ip|mac) access-group
50 deny mode config-all command lacp|spanning-tree
60 permit command .*
switch(config)#

radius-server deadtime

The radius-server deadtime command defines the global deadtime period, during which the switch ignores a non-responsive RADIUS server. A non-responsive server is one that fails to answer any attempt to retransmit after a timeout expiry. Deadtime is disabled if a value is not configured.

The no radius-server deadtime and default radius-server deadtime commands restore the default global deadtime period of three minutes by removing the radius-server deadtime command from running-config.

Command Mode

Global Configuration

Command Syntax

radius-server deadtime dead_interval

no radius-server deadtime

default radius-server deadtime

Parameters

  • dead_interval period that the switch ignores non-responsive servers (minutes). Values range from 1 to 1000. Default is 3.

Related Command

radius-server host

Example
This command programs the switch to ignore a server for two hours if it fails to respond to a request during the period defined by timeout and retransmit parameters.
switch(config)#radius-server deadtime 120
switch(config)#

radius-server host

The radius-server host command sets parameters for communicating with a specific RADIUS server. These values override global settings when the switch communicates with the specified server.

A RADIUS server is defined by its server address, authorization port, and accounting port. Servers with different combinations of address, authorization port, and accounting port have separate configurations.

The no radius-server host and default radius-server host commands remove the settings for the RADIUS server configuration at the specified address, authorization port, and accounting port by deleting the corresponding radius-server host command from running-config.

Command Mode

Global Configuration

Command Syntax

radius-server host ADDR [VRF_INST] [AUTH] [ACCT] [TIMEOUT] [DEAD] [RETRAN] [ENCRYPT]

no radius-server host [ADDR][VRF_INST][AUTH][ACCT]

default radius-server host [ADDR][VRF_INST][AUTH][ACCT]

Parameters

  • ADDR RADIUS server location. Options include:
    • ipv4_addr server's IPv4 address.
    • host_name server's DNS host name (FQDN).
  • VRF_INST specifies the VRF instance used to communicate with the specified server.
    • <no parameter> switch communicates with the server using the default VRF.
    • vrf vrf_name switch communicates with the server using the specified user-defined VRF.
  • AUTH Authorization port number.
    • <no parameter> default port of 1812.
    • auth-port number number ranges from 1 to 65535.
  • ACCT Accounting port number.
    • <no parameter> default port of 1813.
    • acct-port number numbers range from 1 to 65535.
  • TIMEOUT timeout period (seconds). Ranges from 1 to 1000.
    • <no parameter> assigns global timeout value (see radius-server timeout).
    • timeout number assigns number as the timeout period. Ranges from 1 to 1000.
  • DEAD period (minutes) when the switch ignores a non-responsive RADIUS server.
    • <no parameter> assigns global deadtime value (see radius-server deadtime ).
    • deadtime number specifies deadtime, where number ranges from 1 to 1000.
  • RETRAN attempts to access RADIUS server after the first timeout expiry.
    • <no parameter> assigns global retransmit value (see radius-server retransmit ).
    • retransmit number specifies number of attempts, where number ranges from 1 to 100.
  • ENCRYPT encryption key that switch and server use to communicate.
    • <no parameter> assigns global encryption key (see radius-server key).
    • key key_text where key_text is in clear text.
    • key 5 key_text where key_text is in clear text.
    • key 7 key_text where key_text is provided as an encrypted string.
Examples
  • This command configures the switch to communicate with the RADIUS server located at 10.1.1.5. The switch uses the global timeout, deadtime, retransmit, and key settings to communicate with this server, and communicates through port 1812 for authorization and 1813 for accounting.
    switch(config)#radius-server host 10.1.1.5
    switch(config)#
  • This command configures the switch to communicate with the RADIUS server assigned the host name RAD-1. Communication for authorization is through port 1850; communication for accounting is through port 1813 (the default).
    switch(config)#radius-server host RAD-1 auth-port 1850
    switch(config)#

radius-server key

The radius-server key command defines the global encryption key the switch uses when communicating with any RADIUS server for which a key is not defined.

The no radius-server key and default radius-server key commands remove the global key from running-config.

Command Mode

Global Configuration

Command Syntax

radius-server key [ENCRYPT_TYPE] encrypt_key

no radius-server key

default radius-server key

Parameters

  • ENCRYPT_TYPE encryption level of encrypt_key.
    • <no parameter> encryption key is entered as clear text.
    • 0 encryption key is entered as clear text. Equivalent to <no parameter>.
    • 7 encrypt_key is an encrypted string.
  • encrypt_key shared key that authenticates the username.
    • encrypt_key must be in clear text if ENCRYPT_TYPE specifies clear text.
    • encrypt_key must be an encrypted string if ENCRYPT_TYPE specifies an encrypted string.

Encrypted strings entered through this parameter are generated elsewhere.

Examples
  • This command configures cv90jr1 as the global encryption key.
    switch(config)#radius-server key 0 cv90jr1
    switch(config)#
  • This command assigns cv90jr1 as the key by specifying the corresponding encrypted string.
    switch(config)#radius-server key 7 020512025B0C1D70
    switch(config)#

radius-server retransmit

The radius-server retransmit command defines the global retransmit count, which specifies the number of times the switch attempts to access the RADIUS server after the first timeout expiry.

The no radius-server retransmit and default radius-server retransmit commands restore the global retransmit count to its default value of three by deleting the radius-server retransmit command from running-config.

Command Mode

Global Configuration

Command Syntax

radius-server retransmit count

no radius-server retransmit

default radius-server retransmit

Parameters

  • count retransmit attempts after first timeout expiry. Values range from 1 to 100. Default is 3.

Related Command

radius-server host

Example
This command configures the switch to attempt five RADIUS server contacts after the initial timeout. If the timeout parameter is set to 50 seconds, then the total period that the switch waits for a response is ((5+1)*50) = 300 seconds.
switch(config)#radius-server retransmit 5
switch(config)#

radius-server timeout

The radius-server timeout command defines the global timeout the switch uses when communicating with any RADIUS server for which a timeout is not defined.

The no radius-server timeout and default radius-server timeout commands restore the global timeout default period of five seconds by removing the radius-server timeout command from running-config.

Command Mode

Global Configuration

Command Syntax

radius-server timeout time_period

no radius-server timeout

default radius-server timeout

Parameters

  • time_period timeout period (seconds). Values range from 1 to 1000. Default is 5.

Example
This command configures the switch to wait 50 seconds for a RADIUS server response before issuing an error.
switch(config)#radius-server timeout 50
switch(config)#

resequence (Role)

The resequence command assigns sequence numbers to rules in the configuration mode role. Command parameters specify the number of the first rule and the numeric interval between consecutive rules.

The maximum sequence number is 256.

Command Mode

Role Configuration

Command Syntax

resequence start_num inc_num

Parameters

  • start_num sequence number assigned to the first rule. Value ranges from 1 to 256. Default is 10.
  • inc_num numeric interval between consecutive rules. Value ranges from 1 to 256. Default is 10.

Guidelines

Role statement changes are saved to running-config only upon exiting Role Configuration Mode.

Related Command

The role command places the switch in Role Configuration Mode.

Example
The resequence command renumbers the rules in the sysuser role, starting the first rule at 15 and incrementing subsequent lines by 5.
switch(config)#show users roles sysuser
The default role is network-operator

role: sysuser
10 deny mode exec command reload
20 deny mode config command (no |default )?router
40 deny mode if command (no |default )?(ip|mac) access-group
50 deny mode config-all command lacp|spanning-tree
60 permit command .*
switch(config)#role sysuser
switch(config-role-sysuser)#resequence 15 5
switch(config-role-sysuser)#exit
switch(config)#show users roles sysuser
The default role is network-operator

role: sysuser
15 deny mode exec command reload
20 deny mode config command (no |default )?router
25 deny mode if command (no |default )?(ip|mac) access-group
30 deny mode config-all command lacp|spanning-tree
35 permit command .*
switch(config)#

permit (Role)

The permit command adds a permit rule to the configuration mode role. Permit rules authorize access to specified commands for usernames to which the role is applied. Sequence numbers determine rule placement in the role. Commands are compared sequentially to rules within a role until it matches a rule. A command's authorization is determined by the first rule it matches. Sequence numbers for commands without numbers are derived by adding 10 to the number of the role's last rule.

Permit rules use regular expressions to denote commands. A mode parameter specifies the command modes in which commands are authorized. Modes are denoted either by predefined keywords, a command mode's short key, or a regular expression that specifies the long key of one or more command modes.

The no permit and default permit commands remove the specified rule from the configuration mode role. The no <sequence number> (Role) command also removes the specified rule from the role.

Command Mode

Role Configuration

Command Syntax

[SEQ_NUM] permit [MODE_NAME] command command_name

no permit [MODE_NAME] command command_name

default permit [MODE_NAME] command command_name

Parameters

  • SEQ_NUM Sequence number assigned to the rule. Options include:
    • <no parameter> Number is derived by adding 10 to the number of the role's last rule.
    • <1 - 256> Number assigned to entry.
  • MODE_NAME Command mode in which command access is authorized. Values include:
    • <no parameter> All command modes
    • mode short_name Exact match of a mode's short-key name.
    • mode long_name Regular expression matching the long-key name of one or more modes.
    • mode config Global configuration mode.
    • mode config-all All configuration modes, including global configuration mode.
    • mode exec EXEC and Privileged EXEC modes.
  • command_name Regular expression that denotes the name of one or more commands.

Guidelines

The CLI prompt command's format codes program the prompt to display the following mode keys:

  • %p Short-mode key.
  • %P Long-mode key.

Permit statements are saved to running-config only upon exiting Role Configuration Mode.

Related Commands

The role command places the switch in Role Configuration Mode.

Example:
These commands append a permit rule at the end of the sysuser role that authorizes all commands from VLAN 1 or VLAN 2 interface configuration modes.
switch(config)#role sysuser
switch(config-mode-sysuser)#permit mode if-Vl(1|2) command .*
switch(config-mode-sysuser)#
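An added simulation (not Arista code) of the first-match authorization described above, loaded with the sysuser rules from the resequence example and the built-in network-operator rules shown later on this page. Assumptions beyond the text: command regexes are unanchored (re.search), an empty role's first derived number is 10, a command matching no rule is denied, and modes are modelled by a short key, a long key and a configuration-mode flag.

```python
import re
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Mode:
    """A command mode: short key, long key, and whether it is a configuration
    mode (assumed model for this example, not EOS internals)."""
    short: str
    long: str
    is_config: bool


EXEC = Mode("exec", "exec", False)          # EXEC / Privileged EXEC
CONFIG = Mode("config", "config", True)     # global configuration


def interface_mode(name: str) -> Mode:
    """Interface configuration mode, e.g. short key 'if', long key 'if-Vl1'."""
    return Mode("if", f"if-{name}", True)


@dataclass
class Rule:
    seq: int
    action: str                 # "permit" or "deny"
    command: str                # regular expression over the command text
    mode: Optional[str] = None  # None: the rule applies in all command modes

    def mode_matches(self, mode: Mode) -> bool:
        m = self.mode
        if m is None:
            return True
        if m == "exec":
            return not mode.is_config
        if m == "config":
            return mode.long == "config"
        if m == "config-all":
            return mode.is_config
        if m == mode.short:                             # exact short-key match
            return True
        return re.fullmatch(m, mode.long) is not None   # regex on the long key

    def matches(self, mode: Mode, command: str) -> bool:
        # Assumption: unanchored search, which is what lets the built-in
        # rule 'bash|\|' catch commands piped to bash.
        return self.mode_matches(mode) and re.search(self.command, command) is not None


@dataclass
class Role:
    name: str
    rules: list = field(default_factory=list)

    def add(self, action: str, command: str, mode: Optional[str] = None,
            seq: Optional[int] = None) -> int:
        """Add a rule. An omitted sequence number is the last rule's + 10
        (10 for an empty role, an assumption); a reused number replaces."""
        if seq is None:
            seq = self.rules[-1].seq + 10 if self.rules else 10
        if not 1 <= seq <= 256:
            raise ValueError("sequence number must be between 1 and 256")
        kept = [r for r in self.rules if r.seq != seq]
        self.rules = sorted(kept + [Rule(seq, action, command, mode)],
                            key=lambda r: r.seq)
        return seq

    def resequence(self, start: int, step: int) -> None:
        """Renumber the rules like 'resequence start step'."""
        for i, rule in enumerate(self.rules):
            rule.seq = start + i * step

    def authorize(self, mode: Mode, command: str):
        """First matching rule decides; returns (permitted, seq).
        No match: denied (assumed implicit deny)."""
        for rule in self.rules:
            if rule.matches(mode, command):
                return rule.action == "permit", rule.seq
        return False, None


def sysuser_role() -> Role:
    """The sysuser role as displayed before the resequence example."""
    role = Role("sysuser")
    role.add("deny", "reload", mode="exec", seq=10)
    role.add("deny", "(no |default )?router", mode="config", seq=20)
    role.add("deny", "(no |default )?(ip|mac) access-group", mode="if", seq=40)
    role.add("deny", "lacp|spanning-tree", mode="config-all", seq=50)
    role.add("permit", ".*")                        # derived number: 60
    return role
```

Because rule 35 (after resequencing) permits every command in every mode, a permit rule appended later, such as the if-Vl(1|2) rule in the example above, is never reached; ordering, not the presence of a rule, decides the outcome.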

role

The role command places the switch in Role Configuration Mode, which is a group-change mode that modifies a role. A role is a data structure that supports local command authorization through its assignment to user accounts. Roles consist of permit and deny rules that define authorization levels for specified commands. Applying a role to a username authorizes the user to execute commands specified by the role.

The role command specifies the name of the role that subsequent commands modify and creates a role if it references a nonexistent role. All changes in a group change mode edit session are pending until the session ends:

  • The exit command saves pending changes to running-config and returns the switch to Global Configuration Mode. Changes are also saved by entering a different configuration mode.
  • The abort command discards pending changes, returning the switch to Global Configuration Mode.

The no role and default role commands delete the specified role by removing the role and its statements from running-config.

Command Mode

Global Configuration

Command Syntax

role role_name

no role role_name

default role role_name

Parameters

  • role_name Name of the role.

Commands Available in Role Configuration Mode:

Related Commands

Examples
  • This command places the switch in Role Configuration Mode to modify the speaker role.
    switch(config)#role speaker
    switch(config-role-speaker)#
  • This command saves changes to speaker role, then returns the switch to Global Configuration Mode.

    switch(config-role-speaker)#exit
    switch(config)#
  • This command discards changes to speaker, then returns the switch to Global Configuration Mode.

    switch(config-role-speaker)#abort
    switch(config)#

server (server-group-RADIUS configuration mode)

The server (server-group-RADIUS configuration mode) command adds the specified RADIUS server to the configuration-mode group. Servers must be configured with the radius-server host command before adding them to the server group.

A RADIUS server is defined by its server address, authorization port, and accounting port. A group can contain multiple servers with the same IP address that have different authorization or accounting ports.

The no server and default server commands remove the specified server from the group.

Command Mode

Server-Group-RADIUS Configuration

Command Syntax

server LOCATION [VRF_INST][AUTH][ACCT]

no server LOCATION [VRF_INST][AUTH][ACCT]

default server LOCATION [VRF_INST][AUTH][ACCT]

Parameters

  • LOCATION RADIUS server location. Options include:
    • ipv4_addr server's IPv4 address.
    • host_name server's DNS host name (FQDN).
  • VRF_INST specifies the VRF instance used to communicate with the specified server.
    • <no parameter> switch communicates with the server using the default VRF.
    • vrf vrf_name switch communicates with the server using the specified user-defined VRF.
  • AUTH Authorization port number.
    • <no parameter> default port of 1812.
    • auth-port number number ranges from 1 to 65535.
  • ACCT Accounting port number.
    • <no parameter> default port of 1813.
    • acct-port number number ranges from 1 to 65535.

Related Commands

The aaa group server radius command places the switch in Server-group-RADIUS Configuration Mode.

Example
These commands add two servers to the RAD-SV1 server group.
switch(config)#aaa group server radius RAD-SV1
switch(config-sg-radius-RAD-SV1)#server RAC-1
switch(config-sg-radius-RAD-SV1)#server 10.1.5.14 acct-port 1851
switch(config-sg-radius-RAD-SV1)#

server (server-group-TACACS+ configuration mode)

The server (server-group-TACACS+ configuration mode) command adds the specified TACACS+ server to the configuration-mode group. Servers must be configured with the tacacs-server host command before adding them to the server group.

A TACACS+ server is defined by its server address and port number. Servers with different address-port combinations have separate statements in running-config.

The no server and default server commands remove the specified server from the group.

Command Mode

Server-group-TACACS+ Configuration

Command Syntax

server LOCATION [VRF_INST][PORT]

no server LOCATION [VRF_INST][PORT]

default server LOCATION [VRF_INST][PORT]

Parameters

  • LOCATION TACACS+ server location. Options include:
    • ipv4_addr server's IPv4 address.
    • ipv6_addr server's IPv6 address.
    • host_name server's DNS host name (FQDN).
  • VRF_INST specifies the VRF instance used to communicate with the specified server.
    • <no parameter> switch communicates with the server using the default VRF.
    • vrf vrf_name switch communicates with the server using the specified user-defined VRF.
  • PORT TCP connection port number.
    • <no parameter> default port of 49.
    • port number number ranges from 1 to 65535.

Related Command

The aaa group server tacacs+ command places the switch in Server-group-TACACS+ Configuration Mode.

Example
These commands add two servers to the TAC-GR server group with default port number 49.
switch(config)#aaa group server tacacs+ TAC-GR
switch(config-sg-tacacs+-TAC-GR)#server TAC-1
switch(config-sg-tacacs+-TAC-GR)#server 10.1.4.14
switch(config-sg-tacacs+-TAC-GR)#

show aaa counters

The show aaa counters command displays the number of service transactions performed by the switch since the last time the counters were reset.

Command Mode

Privileged EXEC

Command Syntax

show aaa counters

Example
This command displays the number of AAA transactions.
switch#show aaa counters
Authentication
Successful: 30
Failed:0
 Service unavailable:0

Authorization
 Allowed:188
Denied:0
 Service unavailable:0

Accounting
Successful:0
 Error:0
 Pending:0

Last time counters were cleared: never
switch#

show aaa methods

The show aaa methods command displays all the named method lists defined in the specified Authentication, Authorization, and Accounting (AAA) service.

Command Mode

Privileged EXEC

Command Syntax

show aaa methods SERVICE_TYPE

Parameters

  • SERVICE_TYPE the service type of the method lists that the command displays.
    • accounting accounting services.
    • authentication authentication services.
    • authorization authorization services.
    • all accounting, authentication, and authorization services.
Example
This command displays the named method lists for all AAA services.
switch#show aaa methods all
Authentication method lists for LOGIN:
name=default methods=group tacacs+, local
Authentication method list for ENABLE:
name=default methods=local
Authorization method lists for COMMANDS:
name=privilege0-15 methods=group tacacs+, local
Authentication method list for EXEC:
name=exec methods=group tacacs+, local
Accounting method lists for COMMANDS:
name=privilege0-15 default-action=none
Accounting method list for EXEC:
name=exec default-action=none
switch#

show aaa

The show aaa command displays the user database. The command displays the encrypted enable password first, followed by a table of usernames and their corresponding encrypted password.

The command does not display unencrypted passwords.

Command Mode

Privileged EXEC

Command Syntax

show aaa

Example
This command displays the local user database.
switch#show aaa
Enable password (encrypted): $1$UL4gDWy6$3KqCPYPGRvxDxUq3qA/Hs/
Username   Encrypted passwd
------------------------------------------
admin
janis      $1$VVnDH/Ea$iwsfnrGNO8nbDsf0tazp9/
thomas     $1$/MmXTUil$.fJxLfcumzppNSEDVDWq9.
switch#

show privilege

The show privilege command displays the current privilege level for the CLI session.

Command Mode

EXEC

Command Syntax

show privilege

Example
This command displays the current privilege level.
switch>show privilege
Current privilege level is 15
switch>

show radius

The show radius command displays statistics for the RADIUS servers that the switch accesses.

Command Mode

EXEC

Command Syntax

show radius

Example
This command displays statistics for connected RADIUS servers.
switch#show radius
RADIUS server: radius/10
Connection opens:204
 Connection closes:0
Connection disconnects:199
 Connection failures: 10
 Connection timeouts:2
 Messages sent: 1490
 Messages received: 1490
Receive errors:0
Receive timeouts:0
 Send timeouts:0

Last time counters were cleared: never
switch#

show tacacs

The show tacacs command displays statistics for the TACACS+ servers that the switch accesses.

Command Mode

EXEC

Command Syntax

show tacacs

Example
This command displays statistics for connected TACACS+ servers.
switch#show tacacs
TACACS+ server: tacacs/49
Connection opens:15942
 Connection closes:7
Connection disconnects: 1362
 Connection failures:0
 Connection timeouts:0
 Messages sent:34395
 Messages received:34392
Receive errors:0
Receive timeouts:2
 Send timeouts:0

Last time counters were cleared: never

TACACS+ source-interface: Enabled
TACACS+ outgoing packets will be sourced with an IP address associated with the 
Loopback0 interface
switch#

show users accounts

The show users accounts command displays the names, roles, and privilege levels of users that are listed in running-config. The SSH public key is also listed for names for which an SSH key is configured.

Command Mode

Privileged EXEC

Command Syntax

show users accounts

Example
This command displays the usernames that are configured on the switch.
switch#show users accounts
user: FRED
 role: <unknown>
 privilege level: 1
 ssh public key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDjUg2VDiBX7In0q
HtN5PyHOWtYvIoeZsxF5YmesQ/rh++mbpT504dL7So+Bpr9T/0qIj+zilat8fX/JlO42+3pjfkHY/+l
sT2EPNjGTK7uJv1wSGmhc3+90dNmJtr5YVlJFjjQ5m+5Pa+PGe3z4JIV1lY2NhLrV2fXtbciLdjnj6F
AlhXjiLt51DJhG13uUxGBJe0+NlGvpEsTJVJvMdJuS6weMi+xSXc9yQimVD2weJBHsYFnghST2j0pAy
F2S7/EOU13pY42RztDSs42nMNNrutPT0q5Z17aAKvhpd0dDlc+qIwrCrXbeIChHem7+0N8/zA3alBK4
eKSFSZBd3Pb admin@switch
user: JANE
 role: sysuser2
 privilege level: 1
user: admin
 role: network-admin
 privilege level: 1
switch#

show users detail

The show users detail command displays information about active AAA login sessions. Information includes username, roles, TTY, state of the session (pending or established), duration, authentication method, and if available, remote host and remote username.

Command Mode

Privileged EXEC

Command Syntax

show users detail

Example
This command displays information about the active AAA login sessions.
switch# show users detail
Session Username Roles          TTY    State Duration  Auth          Remote Host
------- -------- -------------- ------ ----- --------- ------------- --------------
2       admin    network-admin  ttyS0  E     0:01:21   local
4       joe      sysadmin       telnet E     0:02:01   local         sf.example.com
6       alice    sysadmin       ssh    E     0:00:52   group radius  ny.example.com
7       bob      sysadmin       ssh    E     0:00:48   group radius  la.example.com
8       kim      network-admin1 ssh    E     0:00:55   group radius  de.example.com
9       admin    network-admin  ssh    E     0:00:07   local         bj.example.com
10      max      network-admin  telnet E     0:00:07   local         sf.example.com

show users roles

The show users roles command displays the name of the default role and the contents of the specified roles. Commands that do not specify a role display the rules in all built-in and configured roles.

Command Mode

Privileged EXEC

Command Syntax

show users roles [ROLE_LIST]

Parameters

  • ROLE_LIST Roles that the command displays. Options include:
    • <no parameter> Command displays all roles.
    • role_name Name of role displayed by command.

Related Command

The role command places the switch in Role Configuration Mode, which is used to create new roles or modify existing roles.

Example
This command displays the contents of all user-defined and built-in roles.
switch#show users roles
The default role is network-operator

role: network-admin
10 permit command .*
role: network-operator
10 deny mode exec command bash|\|
20 permit mode exec command .*
role: sysuser
15 deny mode exec command reload
20 deny mode config command (no |default )?router
25 deny mode if command (no |default )?(ip|mac) access-group
30 deny mode config-all command lacp|spanning-tree
35 permit command .*
40 deny mode exec command .*
50 permit mode exec command show|clear (counters|platform)|configure

show users

The show users command displays the usernames that are currently logged into the switch.

Command Mode

Privileged EXEC

Command Syntax

show users

Example
This command displays the users that are logged into the switch.
switch#show users
   Line       User   Host(s)  Idle       Location
   1 vty 2    john   idle     1d         10.22.6.113
   2 vty 4    jane   idle     21:33:00   10.22.26.26
*  3 vty 6    ted    idle     00:00:01   10.17.18.71
switch#

tacacs-server host

The tacacs-server host command sets communication parameters for communicating with a specific TACACS+ server. These values override global settings when the switch communicates with the specified server.

A TACACS+ server is defined by its server address and port number. Servers with different combinations of address-port-VRF-multiplex settings have separate statements in running-config.

The no tacacs-server host and default tacacs-server host commands remove settings for the TACACS+ server configuration at the specified address-port-VRF combination by deleting the corresponding tacacs-server host command from running-config.

Command Mode

Global Configuration

Command Syntax

tacacs-server host SERVER_ADDR [MULTIPLEX][VRF_INST][PORT][TIMEOUT][ENCRYPT]

no tacacs-server host [SERVER_ADDR][MULTIPLEX][VRF_INST][PORT]

default tacacs-server host [SERVER_ADDR][MULTIPLEX][VRF_INST][PORT]

Parameters

  • SERVER_ADDR TACACS+ server location. Options include:
    • ipv4_addr server's IPv4 address.
    • ipv6_addr server's IPv6 address.
    • host_name server's DNS host name (FQDN).
  • MULTIPLEX TACACS+ server support of multiplex sessions on a TCP connection.
    • <no parameter> server does not support multiplexing.
    • single-connection server supports session multiplexing.
  • VRF_INST specifies the VRF instance used to communicate with the specified server.
    • <no parameter> switch communicates with the server using the default VRF.
    • vrf vrf_name switch communicates with the server using the specified user-defined VRF.
  • PORT port number of the TCP connection.
    • <no parameter> default port of 49.
    • port number port number ranges from 1 to 65535.
  • TIMEOUT timeout period (seconds).
    • <no parameter> assigns the globally configured timeout value (see tacacs-server timeout ).
    • timeout number timeout period (seconds). number ranges from 1 to 1000.
  • ENCRYPT encryption key the switch and server use to communicate. Settings include
    • <no parameter> assigns the globally configured encryption key (see tacacs-server key ).
    • key key_text where key_text is in clear text.
    • key 5 key_text where key_text is in clear text.
    • key 7 key_text where key_text is an encrypted string.
Examples
  • This command configures the switch to communicate with the TACACS+ server located at 10.1.1.5. The switch uses the global timeout, encryption key, and port settings.
    switch(config)#tacacs-server host 10.1.1.5
    switch(config)#
  • This command configures the switch to communicate with the TACACS+ server assigned the host name TAC_1. The switch defines the timeout period as 20 seconds and the encryption key as rp31E2v.
    switch(config)#tacacs-server host TAC_1 timeout 20 key rp31E2v
    switch(config)#
  • This command configures the switch to communicate with the TACACS+ server located at 10.12.7.9, indicates that the server supports multiplexing sessions on the same TCP connection, and that access is through port 54.
    switch(config)#tacacs-server host 10.12.7.9 single-connection port 54
    switch(config)#

tacacs-server key

The tacacs-server key command defines the global encryption key the switch uses when communicating with any TACACS+ server for which a key is not defined.

The no tacacs-server key and default tacacs-server key commands remove the global key from running-config.

Command Mode

Global Configuration

Command Syntax

tacacs-server key [ENCRYPT_TYPE] encrypt_key

no tacacs-server key

default tacacs-server key

Parameters

  • ENCRYPT_TYPE encryption level of encrypt_key.
    • <no parameter> encryption key is entered as clear text.
    • 0 encryption key is entered as clear text. Equivalent to <no parameter>.
    • 7 encrypt_key is an encrypted string.
  • encrypt_key shared key that authenticates the username.
    • encrypt_key must be in clear text if ENCRYPT_TYPE specifies clear text.
    • encrypt_key must be an encrypted string if ENCRYPT_TYPE specifies an encrypted string.

Encrypted strings entered through this parameter are generated elsewhere.

Related Commands

Examples
  • This command configures cv90jr1 as the encryption key.
    switch(config)#tacacs-server key 0 cv90jr1
    switch(config)#
  • This command assigns cv90jr1 as the key by specifying the corresponding encrypted string.
    switch(config)#tacacs-server key 7 020512025B0C1D70
    switch(config)#

tacacs-server policy

The tacacs-server policy command programs the switch to permit access to TACACS+ servers that send mandatory attribute-value (AV) pairs that the switch does not recognize. By default, the switch denies access to TACACS+ servers when it receives unrecognized AV pairs from the server.

The switch recognizes the following mandatory AV pairs:

  • priv-lvl=x where x is an integer between 0 and 15.

The no tacacs-server policy and default tacacs-server policy commands restore the switch default of denying access to servers from which it receives unrecognized mandatory AV pairs by deleting the tacacs-server policy statement from running-config.

Command Mode

Global Configuration

Command Syntax

tacacs-server policy unknown-mandatory-attribute ignore

no tacacs-server policy unknown-mandatory-attribute ignore

default tacacs-server policy unknown-mandatory-attribute ignore

Example
This command configures the switch to permit access to TACACS+ servers that send unrecognized mandatory AV pairs.
switch(config)#tacacs-server policy unknown-mandatory-attribute ignore
switch(config)#

tacacs-server timeout

The tacacs-server timeout command defines the global timeout the switch uses when communicating with any TACACS+ server for which a timeout is not defined.

The no tacacs-server timeout and default tacacs-server timeout commands restore the global timeout default period of five seconds by removing the tacacs-server timeout command from running-config.

Command Mode

Global Configuration

Command Syntax

tacacs-server timeout time_period

no tacacs-server timeout

default tacacs-server timeout

Parameters

time_period timeout period (seconds). Values range from 1 to 1000. Default is 5.

Related Command

tacacs-server host

Example
This command configures the switch to wait 20 seconds for a TACACS+ server response before issuing an error.
switch(config)#tacacs-server timeout 20
switch(config)#

username ssh-key

The username ssh-key command configures an SSH key for the specified username. Command options allow the key to be entered directly into the CLI or referenced from a file.

The specified username must be previously configured through a username command.

The no username ssh-key and default username ssh-key commands delete the SSH key for the specified username by removing the corresponding username ssh-key command from running-config.

The no username ssh-key role and default username ssh-key role commands perform the following:

  • delete the SSH key for the specified username by removing the corresponding username ssh-key command from running-config.
  • delete the role assignment from the specified username by editing the corresponding username statement in running-config.

Command Mode

Global Configuration

Command Syntax

username name sshkey KEY

no username name sshkey [role]

default username name sshkey [role]

Parameters

  • name username text that the user enters at the login prompt to access the CLI.

Valid usernames begin with A-Z, a-z, or 0-9 and may also contain any of these characters:

@ # $ % ^ & * - _ = + ; < > , . ~ |

  • KEY SSH key. Options include:
    • key_text username is associated with ssh key specified by key_text string.
    • file key_file username is associated with SSH key in the specified file.
Example
These commands create the username john, assign it the password x245, then associate it to the SSH key listed in the file named john-ssh.
switch(config)#username john secret x245
switch(config)#username john sshkey file john-ssh
switch(config)#

username

The username command adds a username to the local file and optionally assigns a password to the username. If the command specifies an existing username, the command replaces the password in the local file. The command can also define a username without a password or remove the password from a username.

The no username command deletes the specified username by removing the corresponding username statement from running-config. The default username command removes user-specified usernames, but restores the admin username to its default parameters.

The no username role command assigns the default role assignment to the specified username statement by editing the corresponding username statement in running-config. The default username role command reverts the specified username to its default role by editing the corresponding username statement in running-config. For the admin username, this restores network-admin as its role, even if the admin username has been deleted and then created again.

Command Mode

Global Configuration

Command Syntax

username name [PRIVILEGE_LEVEL] SECURITY [ROLE_USER]

no username name [role]

default username name [role]

All parameters except name can be placed in any order.

Parameters

  • name username text that the user enters at the login prompt to access the CLI.

    Valid usernames begin with A-Z, a-z, or 0-9 and may also contain any of these characters:

    @ # $ % ^ & * - _ = + ; < > , . ~ |

  • PRIVILEGE_LEVEL user’s initial session privilege level. This parameter is used when an authorization command includes the local option.
    • <no parameter> the privilege level is set to 1.
    • privilege rank where rank is an integer between 0 and 15.
  • SECURITY password assignment option.
    • nopassword name is not password protected.
    • secret password name is protected by specified password (clear-text string).
    • secret 0 password name is protected by specified password (clear-text string).
    • secret 5 password name is protected by specified password (MD5-encrypted string).
    • secret sha5 password name is protected by specified password (SHA-512-encrypted string).
  • ROLE_USER specifies the role for performing command authorization. Options include:

Guidelines

Encrypted strings entered through this parameter are generated elsewhere. The secret 5 option (SECURITY) is typically used to enter a list of username-passwords from a script.

The SECURITY parameter is mandatory for unconfigured usernames. For previously configured users, the command can specify a PRIVILEGE_LEVEL or ROLE without a SECURITY setting.

The admin username is provided by the initial configuration, but it can be deleted, and its parameters are editable. The initial admin configuration is:
username admin privilege 1 role network-admin nopassword
Note: when deleting the admin username, it is advisable to create at least one other username on the switch before saving the configuration.
Examples
  • These equivalent commands create the username john and assign it the password x245. The password is entered in clear text because the encryption type in the SECURITY parameter is either omitted or zero.
    switch(config)#username john secret x245
    switch(config)#username john secret 0 x245
  • This command creates the username john and assigns it to the text password that corresponds to the encrypted string $1$sU.7hptc$TsJ1qslCL7ZYVbyXNG1wg1. The string was generated by an MD5-encryption program using x245 as the seed.
    switch(config)#username john secret 5 $1$sU.7hptc$TsJ1qslCL7ZYVbyXNG1wg1
    switch(config)#
  • A user authenticates the username john by entering x245 when the CLI prompts for a password.
  • This command creates the username jane without securing it with a password or removes a password if the jane username exists.
    switch(config)#username jane nopassword
    switch(config)#
  • This command removes the username william from the local file.
    switch(config)#no username william
    switch(config)#
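An added example (not Arista code) of the script-driven approach mentioned in the guidelines: it builds username ... secret 5 lines from salted MD5-crypt strings (the $1$salt$hash form of the example above) so that clear-text passwords never appear in the generated configuration. It assumes that EOS accepts any standard FreeBSD MD5-crypt string as a secret 5 value, which the page's example format suggests but does not state.

```python
import hashlib
import secrets

# Alphabet used by crypt(3)-style encoders for both the salt and the hash output.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value: int, count: int) -> str:
    """Encode the low 6*count bits of value, least significant group first."""
    out = []
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def md5_crypt(password: str, salt: str) -> str:
    """FreeBSD MD5-crypt: returns '$1$<salt>$<22 chars>' for the password."""
    pw = password.encode()
    salt_b = salt[:8].encode()            # at most 8 salt characters are used
    ctx = hashlib.md5(pw + b"$1$" + salt_b)
    alt = hashlib.md5(pw + salt_b + pw).digest()
    for i in range(len(pw), 0, -16):      # mix in alt, one byte per password byte
        ctx.update(alt[: min(16, i)])
    i = len(pw)
    while i:                              # one byte per bit of len(pw)
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for r in range(1000):                 # fixed 1000-round stretching
        c = hashlib.md5()
        c.update(pw if r & 1 else final)
        if r % 3:
            c.update(salt_b)
        if r % 7:
            c.update(pw)
        c.update(final if r & 1 else pw)
        final = c.digest()
    f = final                             # output bytes use a fixed permutation
    out = _to64((f[0] << 16) | (f[6] << 8) | f[12], 4)
    out += _to64((f[1] << 16) | (f[7] << 8) | f[13], 4)
    out += _to64((f[2] << 16) | (f[8] << 8) | f[14], 4)
    out += _to64((f[3] << 16) | (f[9] << 8) | f[15], 4)
    out += _to64((f[4] << 16) | (f[10] << 8) | f[5], 4)
    out += _to64(f[11], 2)
    return "$1$" + salt_b.decode() + "$" + out


def new_salt() -> str:
    """Random 8-character salt drawn from the crypt alphabet."""
    return "".join(secrets.choice(ITOA64) for _ in range(8))


def verify(password: str, hashed: str) -> bool:
    """Check a clear-text password against a '$1$' string (constant-time compare)."""
    parts = hashed.split("$")             # ['', '1', salt, hash]
    if len(parts) != 4 or parts[1] != "1":
        return False
    return secrets.compare_digest(md5_crypt(password, parts[2]), hashed)


def username_lines(accounts: dict) -> list:
    """Build 'username NAME secret 5 HASH' lines from {name: clear_text}.

    Only the salted hash reaches the generated configuration; the clear-text
    value is never written out.
    """
    return [f"username {name} secret 5 {md5_crypt(pw, new_salt())}"
            for name, pw in accounts.items()]
```

MD5-crypt is shown because it is the form of the page's secret 5 example; where the SHA-512 option listed under SECURITY is available it is the stronger choice for new accounts.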