User Security
AAA Configuration
- Authentication, Authorization, and Accounting Overview
- Configuring the Security Services
- Server Groups
- Role-Based Authorization
- AAA and X.509 Authentication
- Activating Security Services
- TACACS+ Configuration Examples
- AAA Accounting for OpenConfig Remote Procedure Call (RPC) Messages Overview
- AAA Commands
Authentication, Authorization, and Accounting Overview
Methods
The switch authenticates user identity and verifies user authorization to control access to EOS commands. Three data services conduct authentication, authorization, and accounting (AAA) activities: a local security database, TACACS+ servers, and RADIUS servers.
The Configuring the Security Services section provides details about these services.
Configuration Statements
Enabling AAA on the switch requires two steps:
- Configure security service parameters.
The switch provides configuration commands for each security service:
- A local file supports authentication through username and enable password commands.
- TACACS+ servers provide security services through tacacs-server commands.
- RADIUS servers provide security services through radius-server commands.
The Configuring the Security Services section describes the configuration commands for each security service.
- Activate AAA services.
EOS uses aaa authorization, aaa authentication, and aaa accounting commands to manage the primary and backup services. The Activating Security Services section provides details on implementing a security environment.
Encryption
The switch uses clear-text passwords and server access keys to authenticate users and communicate with security systems. To safeguard against accidental disclosure of passwords and keys, running-config stores encrypted versions of these passwords and keys. The encryption method depends on the type of password or key.
Commands used to configure passwords or keys can accept either the clear-text password or an encrypted string generated by the designated encryption algorithm, using the clear-text password as the basis (seed) for encryption.
Configuring the Security Services
The switch can access three security data services to authenticate users and authorize switch tasks: a local file, TACACS+ servers, and RADIUS Servers.
Local Security File
The local file uses passwords to:
- Authenticate users logging into the switch.
- Control access to configuration commands.
- Control access to the switch's root login.
The local file stores username-password combinations for user authentication. Passwords also control access to configuration commands and the switch's root login.
Passwords
The switch recognizes both clear text and encrypted strings as valid passwords.
- Clear-text passwords are the text you directly enter to access the CLI, configuration commands, or the switch's root login.
- Encrypted strings are SHA-512 hashes generated using the clear text as the seed. The local file stores passwords in this format to prevent unauthorized disclosure. When you enter a clear-text password, the switch generates the corresponding hash and compares it to the stored version.
Valid passwords can include characters A-Z, a-z, 0-9, and any of the following punctuation characters:
! @ # $ % ^ & * ( ) - _ = + { } [ ] ; : < > , . ? / ~ \
Usernames
Usernames govern access to the EOS and all switch commands. You typically access the switch through an SSH login using a previously defined username and password. Use the username command to create a new username or change an existing one.
Valid usernames begin with A-Z, a-z, or 0-9 and may also contain any of these characters:
@ # $ % ^ & * - _ = + ; < > , . ~ |
The default username is admin, which the section on Admin Username explains.
Examples
- These commands both create the username john and assign it the password x245. The password is entered in clear text because the encrypt-type parameter is omitted or zero.
switch(config)# username john secret x245
switch(config)# username john secret 0 x245
- This command creates the username john and assigns it the clear-text password corresponding to the encrypted string $1$sU.7hptc$TsJ1qslCL7ZYVbyXNG1wg1. An MD5 encryption program generated this string using x245 as the seed.
switch(config)# username john secret 5 $1$sU.7hptc$TsJ1qslCL7ZYVbyXNG1wg1
- This command creates the username jane without a password. It also removes a password if the jane username exists.
switch(config)# username jane nopassword
- This command removes the username william from the local file.
switch(config)# no username william
Logins by Unprotected Usernames
The default switch configuration allows usernames that are not password-protected to log in only from the console. The aaa authentication policy local allow-nopassword-remote-login command configures the switch to allow unprotected usernames to log in from any port. To reverse this setting to the default state, use the no form of aaa authentication policy local allow-nopassword-remote-login.
Examples
- This command configures the switch to allow unprotected usernames to log in from any port.
switch(config)# aaa authentication policy local allow-nopassword-remote-login
- This command configures the switch to allow unprotected usernames to log in only from the console port.
switch(config)# no aaa authentication policy local allow-nopassword-remote-login
Enable Command Authorization
The enable command controls access to Privileged EXEC and all configuration command modes. The enable password authorizes users to execute the enable command. When the enable password is set, the CLI displays a password prompt when a user attempts to enter Privileged EXEC mode.
main-host> enable
Password:
main-host#
If an incorrect password is entered three times in a row, the CLI displays the EXEC mode prompt.
If no enable password is set, the CLI does not prompt for a password when a user attempts to enter Privileged EXEC mode.
To set the enable password, use the enable password command.
Examples
- These equivalent commands assign xyrt1 as the enable password.
switch(config)# enable password xyrt1
switch(config)# enable password 0 xyrt1
- This command assigns as the enable password the clear text 12345 corresponding to the encrypted string $1$8bPBrJnd$Z8wbKLHpJEd7d4tc5Z/6h/. An MD5 encryption program generated the string using 12345 as the seed.
switch(config)# enable password 5 $1$8bPBrJnd$Z8wbKLHpJEd7d4tc5Z/6h/
- This command deletes the enable password.
switch(config)# no enable password
Root Account Password
The root account accesses the root directory in the underlying Linux shell. When it is not password protected, you can log into the root account only through the console port. After you assign a password to the root account, you can log in through any port.
To set the password for the root account, use the aaa root command.
Examples
- These equivalent commands assign f4980 as the root account password.
switch(config)# aaa root secret f4980
switch(config)# aaa root secret 0 f4980
- This command assigns as the root password the clear text ab234 corresponding to the encrypted string $1$HW05LEY8$QEVw6JqjD9VqDfh.O8r.b.
switch(config)# aaa root secret 5 $1$HW05LEY8$QEVw6JqjD9VqDfh.O8r.b
- This command removes the password from the root account.
switch(config)# aaa root nopassword
- This command disables the root login.
switch(config)# no aaa root
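The local-file settings described above (unprotected usernames, remote login for unprotected usernames, a missing enable password, an unprotected root account, and passwords or keys entered with encrypt-type 0 or no encrypt-type) are the ones a reviewer wants to catch before a configuration is pushed to a switch. The following added example, which is not part of the Arista documentation and not an Arista tool, is a small Python linter for a candidate EOS configuration text; the sample configuration, the finding codes and the regular expressions are constructed for this example. It also covers clear-text tacacs-server and radius-server keys, which the TACACS+ and RADIUS sections below describe with the same encrypt-type convention.

```python
import re

# Constructed candidate EOS configuration (not captured from a real switch).
# It deliberately contains each of the weak settings the checks below look for,
# the way a config template might before it is pushed to a device.
SAMPLE_CONFIG = """\
!
username admin privilege 15 role network-admin secret 5 $1$PLACEHOLDER$notarealhash
username john secret 0 x245
username jane nopassword
aaa authentication policy local allow-nopassword-remote-login
aaa root nopassword
tacacs-server key 0 cv90jr1
tacacs-server host 10.12.7.9 key 7 020512025B0C1D70
radius-server key 0 cv90jr1
!
"""

# A password or key is clear text when the encrypt-type is omitted or 0, so the
# value is the single trailing token. Typed values ("secret 5 $1$...",
# "key 7 0205...") leave two trailing tokens and therefore do not match.
CLEARTEXT_TAIL = r"(?:0 )?(?P<value>\S+)$"

# (finding code, pattern applied to one stripped configuration line)
LINE_CHECKS = [
    ("NOPASSWORD_USER",
     re.compile(r"^username (?P<value>\S+)(?: .*)? nopassword$")),
    ("CLEARTEXT_USER_SECRET",
     re.compile(r"^username \S+ .*\bsecret " + CLEARTEXT_TAIL)),
    ("CLEARTEXT_ENABLE_PASSWORD",
     re.compile(r"^enable password " + CLEARTEXT_TAIL)),
    ("CLEARTEXT_ROOT_SECRET",
     re.compile(r"^aaa root secret " + CLEARTEXT_TAIL)),
    ("ROOT_NOPASSWORD", re.compile(r"^aaa root nopassword$")),
    ("NOPASSWORD_REMOTE_LOGIN",
     re.compile(r"^aaa authentication policy local allow-nopassword-remote-login$")),
    ("CLEARTEXT_SERVER_KEY",
     re.compile(r"^(?:tacacs|radius)-server .*\bkey " + CLEARTEXT_TAIL)),
]

ENABLE_RE = re.compile(r"^enable (?:password|secret)\b")


def audit_config(config_text):
    """Return a list of findings, each {"code", "line", "text"}, for the weak
    AAA settings present in the given configuration text."""
    findings = []
    enable_password_set = False
    for lineno, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if ENABLE_RE.match(line):
            enable_password_set = True
        for code, pattern in LINE_CHECKS:
            if pattern.match(line):
                findings.append({"code": code, "line": lineno, "text": line})
    if not enable_password_set:
        # With no enable password the CLI never prompts before Privileged EXEC.
        findings.append({"code": "NO_ENABLE_PASSWORD", "line": None,
                         "text": "enable password is not set"})
    return findings


if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        where = f"line {f['line']}" if f["line"] else "global"
        print(f"{f['code']:<26} {where:<9} {f['text']}")
```

Run against a running-config the clear-text checks stay quiet, because the switch stores the hashed or encrypted form; the checks are meant for configuration text written by people, where a type-0 secret is a real disclosure in version control.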
TACACS+
Terminal Access Controller Access-Control System Plus (TACACS+), derived from the TACACS protocol defined in RFC 1492, is a network protocol that provides centralized user validation services. A remote database maintains TACACS+ information. EOS requires access to a TACACS+ server to support TACACS+ services.
TACACS+ manages multiple network access points from a single server. The switch defines a TACACS+ server connection by its address and port, allowing it to conduct multiple data streams to a single server by addressing different ports on the server.
These sections describe the steps to configure access to TACACS+ servers. Configuring TACACS+ access is most efficient when TACACS+ is functioning before you configure switch parameters.
Configuring TACACS+ Parameters
TACACS+ parameters define the settings the switch uses to communicate with TACACS+ servers. You can configure a set of values for individual TACACS+ servers that the switch accesses. Global parameters define settings for communicating with servers where you haven't configured individual parameters.
The switch supports the following TACACS+ parameters.
Encryption Key
- The tacacs-server host command defines the encryption key for a specified server.
- The tacacs-server key command defines the global encryption key.
Examples
- This command configures the switch to communicate with the TACACS+ server assigned the host name TAC-1 using the encryption key rp31E2v.
switch(config)# tacacs-server host TAC-1 key rp31E2v
- This command configures cv90jr1 as the global encryption key.
switch(config)# tacacs-server key 0 cv90jr1
- This command assigns cv90jr1 as the global key, using the corresponding encrypted string.
switch(config)# tacacs-server key 7 020512025B0C1D70
Session Multiplexing
- The tacacs-server host command configures the multiplexing option for a specified server.
- There is no global multiplexing setting.
Example
switch(config)# tacacs-server host 10.12.7.9 single-connection
Timeout
- The tacacs-server host command defines the timeout for a specified server.
- The tacacs-server timeout command defines the global timeout.
Examples
- This command configures the switch to communicate with the TACACS+ server assigned the host name TAC_1 and configures the timeout period as 20 seconds.
switch(config)# tacacs-server host TAC_1 timeout 20
- This command configures 40 seconds as the period the switch waits for a response from a TACACS+ server before issuing an error.
switch(config)# tacacs-server timeout 40
Port
- The tacacs-server host command specifies the port number for an individual TACACS+ server.
- The global TACACS+ port number cannot be changed from the default value of 49.
Example
switch(config)# tacacs-server host 10.12.7.9 port 54
TACACS+ Status
To display the TACACS+ servers and their interactions with the switch, use the show tacacs command.
Example
switch(config)# show tacacs
server1: 10.1.1.45
Connection opens: 15
Connection closes: 6
Connection disconnects: 6
Connection failures: 0
Connection timeouts: 2
Messages sent: 45
Messages received: 14
Receive errors: 2
Receive timeouts: 2
Send timeouts: 3
Last time counters were cleared: 0:07:02 ago
To reset the TACACS+ status counters, use the clear aaa counters tacacs+ command.
Example
switch(config)# clear aaa counters tacacs
RADIUS
Remote Authentication Dial-In User Service (RADIUS) consists of a networking protocol that provides centralized AAA services for computers connecting to a network and then using network resources. RADIUS manages access to the Internet, internal networks, wireless networks, and integrated email services.
These sections describe the steps to configure access to RADIUS servers. Before configuring switch parameters, confirm your RADIUS server functionality.
RADIUS Vendor-Specific Attribute-Value Pairs
RADIUS servers and client companies extend basic RADIUS functionality through vendor-specific attributes. A dictionary file includes a list of RADIUS attribute-value pairs that Arista switches use to perform AAA operations through the RADIUS server.
- Arista Vendor number: 30065
- Attribute: Arista-AVPair 1 string
- shell:priv-lvl=<privilege level of a user, 0-15>
- shell:roles=<list of roles for a user>
Example
#
# dictionary.arista
#
VENDOR Arista 30065
# Standard Attribute
BEGIN-VENDOR Arista
ATTRIBUTE Arista-AVPair 1 string
END-VENDOR Arista
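The dictionary above declares the vendor number and the single Arista-AVPair string attribute; the values that attribute carries (shell:priv-lvl=... and shell:roles=...) are what the switch acts on. The following added example, which is not Arista code and not part of the original page, parses a dictionary fragment of this shape and decodes a list of Arista-AVPair string values, rejecting malformed pairs and out-of-range privilege levels rather than applying them. It assumes, since the page does not say, that several roles in one shell:roles value are comma separated; the dictionary text is the page's own fragment retyped as a string.

```python
import re

# The dictionary fragment shown above, retyped as a string so the parser
# can be exercised offline.
DICTIONARY_ARISTA = """\
#
# dictionary.arista
#
VENDOR Arista 30065
# Standard Attribute
BEGIN-VENDOR Arista
ATTRIBUTE Arista-AVPair 1 string
END-VENDOR Arista
"""


def parse_dictionary(text):
    """Parse a FreeRADIUS-style vendor dictionary into
    {attribute name: (vendor id, attribute number, data type)}."""
    vendors = {}
    attributes = {}
    current_vendor = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        keyword = parts[0]
        if keyword == "VENDOR" and len(parts) == 3:
            vendors[parts[1]] = int(parts[2])
        elif keyword == "BEGIN-VENDOR" and len(parts) == 2:
            if parts[1] not in vendors:
                raise ValueError(f"BEGIN-VENDOR for undeclared vendor {parts[1]}")
            current_vendor = parts[1]
        elif keyword == "END-VENDOR":
            current_vendor = None
        elif keyword == "ATTRIBUTE" and len(parts) == 4:
            if current_vendor is None:
                raise ValueError(f"ATTRIBUTE {parts[1]} outside a vendor block")
            attributes[parts[1]] = (vendors[current_vendor], int(parts[2]), parts[3])
        else:
            raise ValueError(f"unrecognised dictionary line: {line!r}")
    return attributes


AVPAIR_RE = re.compile(r"^shell:(priv-lvl|roles)=(.*)$")


def decode_avpairs(values):
    """Decode a list of Arista-AVPair string values into the privilege level
    and role names they carry. Assumption (not stated on the page): roles in
    a shell:roles value are comma separated. Anything unrecognised or out of
    range is returned under "rejected" instead of being applied."""
    result = {"priv_lvl": None, "roles": [], "rejected": []}
    for value in values:
        m = AVPAIR_RE.match(value)
        if m is None:
            result["rejected"].append(value)
            continue
        key, payload = m.groups()
        if key == "priv-lvl":
            if not payload.isdigit() or not 0 <= int(payload) <= 15:
                result["rejected"].append(value)   # level must be 0-15
                continue
            result["priv_lvl"] = int(payload)
        else:
            roles = [r.strip() for r in payload.split(",") if r.strip()]
            if not roles:
                result["rejected"].append(value)
                continue
            result["roles"].extend(roles)
    return result


if __name__ == "__main__":
    print(parse_dictionary(DICTIONARY_ARISTA))
    print(decode_avpairs(["shell:priv-lvl=15", "shell:roles=network-admin"]))
```

The rejected list is the useful part from a security standpoint: a RADIUS reply that carries an attribute the switch does not understand should be logged, not silently mapped to a default that grants more than intended.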
Configuring RADIUS Defaults
RADIUS policies specify the settings the switch uses to communicate with RADIUS servers. Configure a set of values for each RADIUS server that the switch accesses. Global parameters define settings for communicating with servers without configured individual parameters.
The switch defines the following RADIUS parameters.
Encryption Key
- The radius-server host command defines the encryption key for a specified server.
- The radius-server key command specifies the global encryption key.
Examples
- This command configures the switch to communicate with the RADIUS server assigned the host name RAD-1 using the encryption key rp31E2v.
switch(config)# radius-server host RAD-1 key rp31E2v
- This command configures cv90jr1 as the global encryption key.
switch(config)# radius-server key 0 cv90jr1
- This command assigns cv90jr1 as the global key, using the corresponding encrypted string.
switch(config)# radius-server key 7 020512025B0C1D70
Timeout
- The radius-server host command defines the timeout for a specified server.
- The radius-server timeout command defines the global timeout.
- This command configures the switch to communicate with the RADIUS server assigned the host name RAD-1 and configures the timeout duration as 20 seconds.
switch(config)# radius-server host RAD-1 timeout 20
- This command configures 50 seconds as the duration the switch waits for a response from a RADIUS server before issuing an error.
switch(config)# radius-server timeout 50
Retransmit
- The radius-server host command defines the retransmit value for a specified server.
- The radius-server retransmit command defines the global retransmit value.
- This command configures the switch to communicate with the RADIUS server assigned the host name RAD-1 and configures the retransmit value as 2.
switch(config)# radius-server host RAD-1 retransmit 2
- This command configures the switch to attempt five RADIUS server contacts after the initial timeout. If the timeout parameter is set to 50 seconds, then the total period the switch waits for a response is ((5+1)*50) = 300 seconds.
switch(config)# radius-server retransmit 5
Deadtime
- The radius-server host command defines the deadtime for a specified server.
- The radius-server deadtime command defines the global deadtime setting.
- This command configures the switch to communicate with the RADIUS server assigned the host name RAD-1 and configures the deadtime period as 90 minutes.
switch(config)# radius-server host RAD-1 deadtime 90
- This command configures the switch to ignore a server for two hours if the server does not respond to a request during the timeout-retransmit period.
switch(config)# radius-server deadtime 120
Port
- The radius-server host command specifies the port numbers for an individual RADIUS server.
- The global RADIUS port numbers cannot be changed from the default values of 1812 for an authorization port and 1813 for an accounting port.
Example
switch(config)# radius-server host RAD-1 auth-port 1850
switch(config)# radius-server host RAD-1 acct-port 1851
To remove the configuration for this server, use the no radius-server host command and specify the hostname or IP address with both the authorization and accounting port numbers.
DSCP Support for CPU-generated Traffic
The DSCP value of CPU-generated traffic can be configured for the following protocols:
- RADIUS
- TACACS
- SNMP
- SSH
- sFlow
Configuring DSCP Value
The following commands apply to all platforms for configuring the DSCP value.
- This command configures the DSCP value of 62 for RADIUS-server.
switch(config)# radius-server qos dscp 62
- This command configures the DSCP value of 36 for TACACS-server.
switch(config)# tacacs-server qos dscp 36
- This command configures the DSCP value of 36 for snmp-server.
switch(config)# snmp-server qos dscp 36
- This command configures the DSCP value of 36 for sFlow.
switch(config)# sFlow qos dscp 36
RADIUS Status
The show radius command displays configured RADIUS servers and their interactions with the switch.
Examples
- This command lists the configured RADIUS servers.
switch(config)# show radius
server1: 10.1.1.45
Messages sent: 24
Messages received: 20
Requests accepted: 14
Requests rejected: 8
Requests timeout: 2
Requests retransmitted: 1
Bad responses: 1
Last time counters were cleared: 0:07:02 ago
To reset the RADIUS status counters, use the clear aaa counters radius command.
- This command clears all RADIUS status counters.
switch(config)# clear aaa counters radius
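The show tacacs and show radius counters above are the first place to look when logins start falling through to the local database: connection failures, a rising timeout share, or messages sent with nothing received all point at a server that is down, unreachable, or configured with the wrong key. The following added example, which is not Arista code and not part of the original page, parses output of the shape shown in both status sections into per-server counters and applies a simple health check suitable for a monitoring job. The sample output is modelled on the page's examples, with a constructed second TACACS+ server whose connections are failing; the threshold and reason strings are assumptions of this example.

```python
import re

# Constructed output modelled on the show tacacs and show radius samples on
# this page. A second TACACS+ server that cannot connect is added so the
# health check has something to flag.
SHOW_TACACS = """\
server1: 10.1.1.45
Connection opens: 15
Connection closes: 6
Connection disconnects: 6
Connection failures: 0
Connection timeouts: 2
Messages sent: 45
Messages received: 14
Receive errors: 2
Receive timeouts: 2
Send timeouts: 3
Last time counters were cleared: 0:07:02 ago
server2: 10.1.1.46
Connection opens: 4
Connection closes: 0
Connection failures: 4
Connection timeouts: 0
Messages sent: 0
Messages received: 0
Last time counters were cleared: 0:07:02 ago
"""

SHOW_RADIUS = """\
server1: 10.1.1.45
Messages sent: 24
Messages received: 20
Requests accepted: 14
Requests rejected: 8
Requests timeout: 2
Requests retransmitted: 1
Bad responses: 1
Last time counters were cleared: 0:07:02 ago
"""

# "server1: 10.1.1.45" opens a server block; "Counter name: value" lines follow.
SERVER_RE = re.compile(r"^(\S+): (\d{1,3}(?:\.\d{1,3}){3})$")
COUNTER_RE = re.compile(r"^([A-Za-z ]+): (.+)$")


def parse_counters(text):
    """Return {server address: {counter name: value}} from show tacacs or
    show radius output. Numeric counters become ints; other values (the
    'Last time counters were cleared' line) stay as strings."""
    servers = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SERVER_RE.match(line)
        if m:
            current = m.group(2)
            servers[current] = {"name": m.group(1)}
            continue
        m = COUNTER_RE.match(line)
        if m and current is not None:
            key, value = m.group(1).strip(), m.group(2).strip()
            servers[current][key] = int(value) if value.isdigit() else value
    return servers


def unhealthy_servers(servers, max_timeout_ratio=0.2):
    """Return {address: [reasons]} for servers whose counters show connection
    failures, a timeout share above max_timeout_ratio, or no replies at all."""
    flagged = {}
    for addr, c in servers.items():
        reasons = []
        failures = c.get("Connection failures", 0)
        if failures:
            reasons.append(f"{failures} connection failures")
        sent = c.get("Messages sent", 0)
        received = c.get("Messages received", 0)
        # TACACS+ reports receive/send timeouts; RADIUS reports request timeouts.
        timeouts = (c.get("Receive timeouts", 0) + c.get("Send timeouts", 0)
                    + c.get("Requests timeout", 0))
        if sent and timeouts / sent > max_timeout_ratio:
            reasons.append(f"{timeouts}/{sent} messages timed out")
        if sent and not received:
            reasons.append("no replies received")
        if reasons:
            flagged[addr] = reasons
    return flagged


if __name__ == "__main__":
    for proto, text in (("tacacs", SHOW_TACACS), ("radius", SHOW_RADIUS)):
        print(proto, unhealthy_servers(parse_counters(text)))
```

Because the counters are cumulative since the last clear aaa counters, a monitoring job should either compare successive samples or clear the counters on a schedule; otherwise one bad hour keeps a server flagged indefinitely.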
AAA with LDAP
The switches support AAA with the LDAP protocol for authentication and authorization. They use Transport Layer Security (TLS) communication with a remote LDAP server and interoperate with Microsoft's Active Directory when configured with LDAP plugins. LDAP authentication configuration is necessary for LDAP to function. The switch sends AAA requests to servers in the order of their configuration. Once marked unreachable, the switch will only retry a server after all other servers are also found unreachable.
Configuring LDAP Authentication
For all platforms, the ldap command is configured from the management ldap mode and requires configuration files to provide remote authentication.
aaa authentication login default group ldap local
aaa authorization exec default group ldap local
!
management ldap
server host ldap-server.samplecompany.com
!
server defaults
base-dn dc=samplecompany,dc=com
rdn attribute user cn
ssl-profile testProfile
authorization group policy basic-role-example
search username cn=ldap-admin-acct,OU=ServiceAccounts,OU=Sample,dc=samplecompany,dc=com password 0 secretString
!
group policy basic-role-example
search filter objectclass group attribute member
group "Network Admin" role network-admin
group "Network Newbie" role network-operator
!
management security
ssl profile testProfile
fips restrictions
trust certificate caCert
!
management ldap
server host ldap-server.samplecompany.com
ssl-profile testProfile2
authorization group policy company1
!
server host ldap-server.company2.com
!
server defaults
base-dn dc=samplecompany,dc=com
rdn attribute user cn
ssl-profile testProfile1
authorization group policy basic-role-example
search username cn=ldap-admin-acct,OU=ServiceAccounts,OU=Sample,dc=samplecompany,dc=com password 0 secretString
!
group policy basic-role-example
search filter objectclass group attribute member
group "Network Admin" role network-admin
group "Network Newbie" role network-operator
!
group policy company1
search filter objectclass group attribute member
group "Network Admin2" role network-admin
group "Network Newbie2" role network-operator
!
aaa authentication login default group ldap
!
management ldap
server host <ldap server hostname/ip>
!
server defaults
base-dn <base distinguished name>
rdn attribute user <relative distinguished attribute name>
search username <full distinguished name> password <password>
The configuration sets up AAA authentication with LDAP. The LDAP server address can be specified as an IPv4 address, an IPv6 address, or a hostname, and a VRF can be specified. The RDN (relative distinguished name) is typically an attribute/value pair that identifies a user. When a user attempts to connect to the switch, the switch uses the configured search username account to search recursively from the base-dn for RDNs that match the supplied username; this produces a shortened list of candidate DNs, which are then checked against the provided password.
Configuring LDAP Authorization
Active Directory Server with LDAP Plugin Configured
aaa authorization exec default group ldap
!
management ldap
server defaults
authorization group policy basic-role-example
!
group policy basic-role-example
search filter objectclass group attribute member
group "Network Admin" role network-admin
group "Network Newbie" role network-operator
Each group/role line maps an LDAP group to an EOS role for RBAC. Matching stops at the first LDAP group that contains the user, and that group's role is assigned to the user. Use the before and after commands to insert rules in the appropriate priority.
The LDAP admin account uses the search filter command to search for LDAP groups that contain the user, where objectclass defines the object that contains the LDAP group, and attribute is the entry attribute name that contains the DN of the group member.
TLS Communication
LDAP supports TLS communication using SSL profiles. A trust certificate, or multiple intermediate certificates, is required to verify the root of trust of the LDAP server. If SSL profiles are configured and the server does not support TLS or fails X.509 verification, the system will not use the server for authentication. Other commands supported under SSL profiles are:
- fips restrictions
- crl
- tls version
- cipher-list
Active Directory Server with LDAP Plugin Configured
management ldap
!
server defaults
ssl-profile testProfile
management security
ssl profile testProfile
trust certificate <root of trust>
Server Groups
A server group is a collection of servers associated with a single group name. Subsequent authorization and authentication commands can access all servers in a group by invoking the group name. The switch supports TACACS+ and RADIUS server groups.
The aaa group server commands create server groups and place the switch in a server-group configuration mode to assign servers to the group. Commands referencing an existing group place the switch in a server-group configuration mode to modify the group.
The server command (available in server-group configuration mode) adds a server to the group being configured. Servers must have been previously configured with a radius-server host or tacacs-server host command before they can be added to a group.
Examples
- This command creates the TACACS+ server group named TAC-GR and enters server-group configuration mode for the new group.
switch(config)# aaa group server tacacs+ TAC-GR
switch(config-sg-tacacs+-TAC-GR)#
- These commands add two servers to the TAC-GR server group. To add servers to this group, the switch must be in sg-tacacs+-TAC-GR configuration mode.
The CLI remains in server-group configuration mode after adding the TAC-1 server (port 49) and the server located at 10.1.4.14 (port 151) to the group.
switch(config-sg-tacacs+-TAC-GR)# server TAC-1
switch(config-sg-tacacs+-TAC-GR)# server 10.1.4.14 port 151
switch(config-sg-tacacs+-TAC-GR)#
- This command exits server-group configuration mode.
switch(config-sg-tacacs+-TAC-GR)# exit
switch(config)#
- This command creates the RADIUS server group named RAD-SV1 and enters server-group configuration mode for the new group.
switch(config)# aaa group server radius RAD-SV1
switch(config-sg-radius-RAD-SV1)#
- These commands add two servers to the RAD-SV1 server group. To add servers to this group, the switch must be in sg-radius-RAD-SV1 configuration mode.
The CLI remains in server-group configuration mode after adding the RAC-1 server (authorization port 1812, accounting port 1813) and the server located at 10.1.5.14 (authorization port 1812, accounting port 1850) to the group.
switch(config-sg-radius-RAD-SV1)# server RAC-1
switch(config-sg-radius-RAD-SV1)# server 10.1.5.14 acct-port 1850
switch(config-sg-radius-RAD-SV1)#
Role-Based Authorization
Role-based authorization is a method of restricting access to CLI commands through the assignment of profiles, called roles, to user accounts. Each role consists of rules that permit or deny access to a set of commands within specified command modes.
All roles are accessible to the local security file through a username parameter and to remote users through RADIUS or TACACS+ servers. You can apply each role to multiple user accounts, but only one role to each user.
Role Types
- User-defined roles are created and edited through CLI commands.
- Built-in roles are supplied with the switch and are not user-editable.
Built-in roles supplied by the switch are network-operator and network-admin.
Role Structure
- Commands that match a regular expression in a permit rule are executed.
- Commands that match a regular expression in a deny rule are disregarded.
- Commands that do not match a regular expression are evaluated against the next rule in the role.
Upon its entry in the CLI, a command is compared to the first rule of the role. Commands that match the rule are executed (permit rule) or disregarded (deny rule). Commands that do not match the rule are compared to the next rule. This process continues until the command either matches a rule or the rule list is exhausted. The switch disregards commands that do not match any rule.
Role Rules
Role rules have four components: sequence number, filter type, mode expression, and command expression.
Sequence Number
The sequence number designates a rule’s placement in the role. Sequence numbers range in value from 1 to 256. Rule commands that do not include a sequence number append the rule at the end of the list, deriving its sequence number by adding 10 to the sequence number of the last rule in the list.
Example
10 deny mode exec command reload
20 deny mode config command (no |default )?router
Filter Type
The filter type specifies the disposition of matching commands. The filter types are permit and deny. Commands matching permit rules are executed, and commands matching deny rules are disregarded.
Example
10 deny mode exec command reload
20 permit mode config command interface
Mode Expression
The mode expression specifies the command mode under which the command expression is effective. The mode expression may be a regular expression or a designated keyword. Rules support the following mode expressions:
- exec - EXEC and Privileged EXEC modes
- config - Global Configuration Mode
- config-all - All configuration modes, including Global Configuration Mode
- short_name - short key name of a command mode (exact match)
- long_name - long key name of a command mode (regular expression match of one or more modes)
- no parameter - all command modes
The %P and %p tokens of the prompt command display the long and short key names of the current command mode. These commands use the prompt command to display the short key name (if) and the long key name (if-Et1) for interface ethernet 1.
switch(config)# prompt switch%p
switch(config)# interface ethernet 1
switch(config-if)# exit
switch(config)# prompt switch%P
switch(config)# interface ethernet 1
switch(config-if-Et1)#
The command supports the use of regular expressions to reference multiple command modes.
- These regular expressions correspond to the listed command modes:
- if-Vlan(1|2) - matches interface-VLAN 1 or interface-VLAN 2.
- if - matches all interface modes.
- acl-text1 - matches ACL configuration mode for text1 ACL.
Command Expression
The command expression is a regular expression that corresponds to one or more CLI commands.
Examples
- reload - reload command
- (no | default)? router - commands that enter routing protocol configuration modes
- (no | default)?(ip|mac) access-list - commands that enter ACL configuration modes
- (no | default)?(ip|mac) access-group - commands that bind ACLs to interfaces
- lacp | spanning-tree - LACP and STP commands
- .* - all commands
Creating and Modifying Roles
Built-in Role
- network-operator - Allows all commands in EXEC (Privileged) modes. Commands in all other modes are denied.
- network-admin - Allows all CLI commands in all modes.
The network-admin role is typically assigned to the admin user to allow it to run any command.
Built-in roles are not editable.
Example
switch(config)# show users roles network-operator
The default role is network-operator
role: network-operator
10 deny mode exec command bash|\|
20 permit mode exec command .*
switch(config)# show users roles network-admin
The default role is network-operator
role: network-admin
10 permit command .*
switch(config)#
Managing Roles
Creating and Opening a Role
Roles are created and modified in Role configuration mode. To create a role, enter the role command with the role’s name. The switch enters Role configuration mode. If the name of an existing role follows the command, subsequent commands edit that role.
Example
switch(config)# role sysuser
switch(config-role-sysuser)#
Saving Role Changes
Role configuration mode is a group-change mode; changes are saved by exiting the mode.
- These commands create a role, then add a deny rule to the role. Because the changes are not yet saved, the role remains empty, as shown by show users roles.
switch(config)# role sysuser
switch(config-role-sysuser)# deny mode exec command reload
switch(config-role-sysuser)# show users roles sysuser
The default role is network-operator
switch(config-role-sysuser)#
- Type exit to save all current changes and exit the role configuration mode.
switch(config-role-sysuser)# exit
switch(config)# show users roles sysuser
The default role is network-operator
role: sysuser
10 deny mode exec command reload
switch(config)#
Note: To preserve role changes after system restarts, you need to save the running-config to the startup-config after exiting role mode.
Discarding Role Changes
The abort command exits the Role configuration mode without saving pending changes.
Example
switch(config)# role sysuser
switch(config-role-sysuser)# deny mode exec command reload
switch(config-role-sysuser)# abort
switch(config)# show users roles sysuser
The default role is network-operator
switch(config)#
Modifying Roles
Adding Rules to a Role
The deny (Role) command adds a deny rule to the configuration mode role. The permit (Role) command adds a permit rule to the configuration mode role.
To append a rule to the end of a role, enter the rule without a sequence number while in Role Configuration Mode. The new rule's sequence number is derived by adding 10 to the last rule's sequence number.
Example
switch(config)# role sysuser
switch(config-role-sysuser)# deny mode exec command reload
switch(config-role-sysuser)# deny mode config command (no |default )?router
switch(config-role-sysuser)# permit command .*
switch(config-role-sysuser)# exit
switch(config)# show users roles sysuser
The default role is network-operator
role: sysuser
10 deny mode exec command reload
20 deny mode config command (no |default )?router
30 permit command .*
switch(config)#
Inserting a Rule
To insert a rule into a role, enter the rule with a sequence number between the existing rules numbers.
Example
switch(config)# role sysuser
switch(config-role-sysuser)# 15 deny mode config-all command lacp
switch(config-role-sysuser)# exit
switch(config)# show users roles sysuser
The default role is network-operator
role: sysuser
10 deny mode exec command reload
15 deny mode config-all command lacp
20 deny mode config command (no |default )?router
30 permit command .*
switch(config)#
Deleting a Rule
- Enter no, followed by the sequence number of the rule to be deleted.
- Enter no, followed by the rule to be deleted.
- Enter default, followed by the sequence number of the rule to be deleted.
- Enter default, followed by the rule to be deleted.
- These equivalent commands remove rule 30 from the list.
switch(config-role-sysuser)# no 30
switch(config-role-sysuser)# default 30
switch(config-role-sysuser)# no permit command .*
switch(config-role-sysuser)# default permit command .*
- This role results from entering one of the preceding commands.
switch(config)# show users roles sysuser
The default role is network-operator
role: sysuser
10 deny mode exec command reload
15 deny mode config-all command lacp|spanning-tree
20 deny mode config command (no |default )?router
switch(config)#
Redistributing Sequence Numbers
Sequence numbers determine the order of the rules in a role. After an editing session in which existing rules are deleted and new rules are inserted between existing rules, the sequence number distribution may no longer be uniform. Redistributing sequence numbers adjusts the sequence number of each rule to provide a constant difference between adjacent rules. The resequence (Role) command adjusts the sequence numbers of role rules.
Example
switch(config)# show users roles sysuser
The default role is network-operator
role: sysuser
10 deny mode exec command reload
20 deny mode config-all command lacp|spanning-tree
25 deny mode config command (no |default )?router
30 permit command .*
switch(config)# role sysuser
switch(config-role-sysuser)# resequence 100 20
switch(config-role-sysuser)# exit
switch(config)# show users roles sysuser
The default role is network-operator
role: sysuser
100 deny mode exec command reload
120 deny mode config-all command lacp|spanning-tree
140 deny mode config command (no |default )?router
160 permit command .*
switch(config)#
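The rule operations above (insert, delete, resequence) and the order in which a role's rules are evaluated, as an added Python model written for this page rather than taken from EOS. It assumes first-match evaluation in sequence order, an implicit deny when no rule matches, a command regex anchored only at the start of the command text, and that mode config-all covers global configuration mode and all of its sub-modes.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Added example, not EOS code: a model of role rules and the insert, delete and
# resequence operations shown above. Assumptions, labelled as such: rules are
# evaluated in ascending sequence order and the first match decides; a command that
# matches no rule is denied; the command regex is anchored only at the start of the
# command text (re.match); mode "config-all" covers global configuration mode and
# every sub-mode whose name starts with "config-"; any other mode value is a regex.


@dataclass
class Rule:
    seq: int
    action: str                  # "permit" or "deny"
    command: str                 # regex tested against the command text
    mode: Optional[str] = None   # None: the rule applies in every mode

    def matches(self, mode: str, command: str) -> bool:
        if self.mode == "config-all":
            if not (mode == "config" or mode.startswith("config-")):
                return False
        elif self.mode is not None and not re.fullmatch(self.mode, mode):
            return False
        return re.match(self.command, command) is not None

    def text(self) -> str:
        """The rule as shown by show users roles, without its sequence number."""
        mode = f"mode {self.mode} " if self.mode is not None else ""
        return f"{self.action} {mode}command {self.command}"


class Role:
    def __init__(self, name: str):
        self.name = name
        self.rules: List[Rule] = []          # always kept sorted by sequence number

    def add(self, rule: Rule) -> None:
        """Insert a rule; a rule that already has this sequence number is replaced."""
        self.rules = [r for r in self.rules if r.seq != rule.seq] + [rule]
        self.rules.sort(key=lambda r: r.seq)

    def delete(self, seq: Optional[int] = None, text: Optional[str] = None) -> None:
        """'no 30' (by sequence number) or 'no permit command .*' (by rule text)."""
        self.rules = [r for r in self.rules
                      if r.seq != seq and (text is None or r.text() != text)]

    def resequence(self, start: int, step: int) -> None:
        """resequence START STEP: renumber so adjacent rules differ by a constant."""
        for i, rule in enumerate(self.rules):
            rule.seq = start + i * step

    def evaluate(self, mode: str, command: str) -> Tuple[str, Optional[int]]:
        """Return (action, sequence number of the deciding rule), or (deny, None)."""
        for rule in self.rules:
            if rule.matches(mode, command):
                return rule.action, rule.seq
        return "deny", None

    def show(self) -> List[str]:
        return [f"{r.seq} {r.text()}" for r in self.rules]


def build_sysuser() -> Role:
    """The sysuser role from the examples above, built with the same edit sequence."""
    role = Role("sysuser")
    role.add(Rule(10, "deny", "reload", "exec"))
    role.add(Rule(20, "deny", "(no |default )router", "config"))
    role.add(Rule(30, "permit", ".*"))
    role.add(Rule(15, "deny", "lacp", "config-all"))   # inserted between rules 10 and 20
    return role
```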
Assigning a Role to a Username
Roles are assigned to local users through the username command and to remote users through RADIUS or TACACS+ servers. Each user is assigned one role, which can be assigned to multiple local and remote users.
Default Roles
Users that are not explicitly assigned a role are assigned the default role. The aaa authorization policy local default-role command designates the default role. The network-operator built-in role is the default role when the default role is not configured.
- These commands assign sysuser as the default role. The output displays the name of the default role (The default role is sysuser).
switch(config)# aaa authorization policy local default-role sysuser
switch(config)# show users roles
The default role is sysuser
switch(config)#
- These commands restore network-operator as the default role by deleting the aaa authorization policy local default-role statement from running-config. The output displays the default role name (The default role is network-operator).
switch(config)# no aaa authorization policy local default-role
switch(config)# show users roles
The default role is network-operator
switch(config)#
Local Security File (Username Command)
Roles are assigned to users with the username command's role parameter. A username whose running-config username statement does not include a role parameter is assigned the default role.
The role parameter behaves differently in a command that creates a username than in a command that edits an existing username.
Assigning a Role to a New Username
A username command creating a username explicitly assigns a role to the username by including the role parameter; commands without a role parameter assign the default role to the username.
Example
switch(config)# username FRED secret 0 axced role sysuser1
switch(config)# username JANE nopassword
switch(config)# show running-config
<-------OUTPUT OMITTED FROM EXAMPLE-------->
!
username FRED role sysuser1 secret 5 $1$dhJ6vrPV$PFOvJCX/vcqyIHV.vd.l20
username JANE nopassword
!
<-------OUTPUT OMITTED FROM EXAMPLE-------->
switch(config)#
Editing the Role of an Existing Username
A username command may edit the role of a previously configured username without altering its password. However, username commands that do not include a role parameter do not change the role assignment of a username.
- These commands assign a role to a previously configured username.
switch(config)# username JANE role sysuser2
switch(config)# show running-config
<-------OUTPUT OMITTED FROM EXAMPLE-------->
!
username FRED role sysuser1 secret 5 $1$dhJ6vrPV$PFOvJCX/vcqyIHV.vd.l20
username JANE role sysuser2 nopassword
!
<-------OUTPUT OMITTED FROM EXAMPLE-------->
switch(config)#
- These commands revert a username to the default role by removing its role assignment.
switch(config)# no username FRED role
switch(config)# show running-config
<-------OUTPUT OMITTED FROM EXAMPLE-------->
!
username FRED secret 5 $1$dhJ6vrPV$PFOvJCX/vcqyIHV.vd.l20
username JANE role sysuser2 nopassword
!
<-------OUTPUT OMITTED FROM EXAMPLE-------->
switch(config)#
Displaying the Role Assignments
The show users accounts command displays the role assignments of the configured users. The show users detail command displays the roles of users that are currently logged into the switch.
- This command displays the configured users and their role assignments.
switch(config)# show users accounts
user: FRED
   role: <unknown>
   privilege level: 1
user: JANE
   role: sysuser2
   privilege level: 1
user: admin
   role: network-admin
   privilege level: 1
switch(config)#
- This command displays information about the active AAA login sessions.
switch(config)# show aaa session
Session  Username  Roles             TTY     State  Duration  Auth          Remote Host
-------  --------  ----------------  ------  -----  --------  ------------  --------------
2        admin     network-operator  ttyS0   E      0:01:21   local
4        Fred      sysadmin          telnet  E      0:02:01   local         sf.example.com
6        Jane      sysuser2          ssh     E      0:00:52   group radius  ny.example.com
9        admin     network-admin     ssh     E      0:00:07   local         bj.example.com
10       max       network-admin     telnet  E      0:00:07   local         sf.example.com
Radius Servers
A role can be assigned to a remote user authenticated through a RADIUS server. Roles are assigned through the vendor-specific Attribute-Value (AV) pair named Arista-AVPair. When RADIUS authentication is enabled, the switch extracts the remote user's role upon successful authentication.
Example
# Sample RADIUS server users file
"Jane" Cleartext-Password := "Abc1235"
Arista-AVPair = "shell:roles=sysuser2",
Service-Type = NAS-Prompt-User
"Mary" Cleartext-Password := "xYz$2469"
Arista-AVPair = "shell:roles=sysadmin",
Service-Type = NAS-Prompt-User
"Fred" Cleartext-Password := "rjx4#222"
Arista-AVPair = "shell:roles=network-operator",
Service-Type = NAS-Prompt-User
The aaa authentication login command selects the user authentication service (see Configuring Service Lists).
Example
switch(config)# aaa authentication login default group radius
Enable Role-Based Access Control
To enable Role-Based Access Control (RBAC) on the switch, apply the following configuration:
switch(config)# aaa authorization commands all default local
AAA and X.509 Authentication
Configure AAA to support X.509 Certificates for Secure Shell (SSH) connections to securely send commands over an unsecured network. X.509 certificates use a type of public key authentication, and must be enabled on the switch.
When a user attempts to log into the network using an X.509 certificate, EOS performs a check to ensure that the certificate grants permissions and compares the username to names extracted from the certificate. By default, an exact match must be located. The configuration extracts subject alternative names (SANs) from the X.509 certificate, and EOS supports uniform resource identifiers (URIs), an email format as defined in RFC822, and the otherName format for Microsoft Active Directory User Principal Name (UPN). If a match cannot be located, the common name is extracted and checked.
Login User Name | Name extracted from the certificate: Username | Name extracted from the certificate: user@domain (email-form name)
---|---|---
Username | Valid Match | Match Failure
user@domain (email-form name) | Match Failure | Valid Match
Successful login attempts must match one of the names on the certificate.
Before configuring X.509 authentication, enable public-key authentication and keyboard interactive on the switch.
switch(config)# management ssh
switch(config-mgmt-ssh)# authentication protocol public-key keyboard-interactive
Configuring a Secure Socket Layer (SSL) Profile for X.509 Authentication
You must add at least one trusted certificate (CA) to allow X.509 authentication, and specify a Certificate Revocation List (CRL) with revoked certificates.
To enable X.509 on a switch, configure an SSL profile, x509-profile, to link to the SSH configuration:
switch(config)# management security
switch(config-mgmt-security)# ssl profile x509-profile
Add the trusted certificate, trusted-cert, to the configuration:
switch(config-mgmt-sec-profile-x509-profile)# trust trusted-cert
Add the name of the applicable Certificate Revocation List (CRL), my-crl:
switch(config-mgmt-sec-profile-x509-profile)# revocation crl name my-crl
Next, enable public-key authentication on the switch, and add the SSL profile, x509-profile:
switch(config)# management ssh
switch(config-mgmt-ssh)# authentication x509
switch(config-mgmt-ssh-auth-x509)# server ssl profile x509-profile
Configuring X.509 to Omit Domains from the Usernames
Names extracted from the X.509 certificates include domain names, and in some cases, you may want to omit the domain name from the X.509 certificates when comparing the usernames with the login name. To omit the domain name, use the following commands:
switch(config)# management ssh
switch(config-mgmt-ssh)# authentication x509
switch(config-mgmt-ssh-auth-x509)# username domain omit
When configured, the following login behavior occurs on the switch:
Login User Name | Name extracted from the certificate: Username | Name extracted from the certificate: user@domain (email-form name)
---|---|---
Username | Valid Match | Valid Match
user@domain (email-form name) | Match Failure | Match Failure
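The login-name matching described by the two tables above (with and without username domain omit), as an added Python model written for this page, not EOS code. It assumes a constructed CertNames record in place of a parsed certificate, exact case-sensitive comparison, and that domain omission strips everything from the first @ in email-form and UPN names while leaving URIs and the common name unchanged.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Added example, not EOS code: the login-name matching described by the two tables
# above, applied to names already extracted from a certificate. Assumptions, labelled
# as such: CertNames is a constructed stand-in for a parsed certificate; matching is
# exact and case-sensitive; "username domain omit" strips the part from the first "@"
# in email-form (RFC822) and UPN names and leaves URIs and the common name unchanged.


@dataclass
class CertNames:
    """Subject alternative names plus the subject common name of one certificate."""
    uris: List[str] = field(default_factory=list)      # URI SANs
    rfc822: List[str] = field(default_factory=list)    # email-form SANs
    upns: List[str] = field(default_factory=list)      # otherName / Microsoft UPN SANs
    common_name: Optional[str] = None


def omit_domain(name: str) -> str:
    """'jane@example.com' -> 'jane'; a name without '@' is returned unchanged."""
    return name.split("@", 1)[0]


def candidate_names(cert: CertNames, domain_omit: bool) -> List[str]:
    """SANs are checked first; the common name is only the fallback when no SAN matches."""
    emails = cert.rfc822 + cert.upns
    if domain_omit:
        emails = [omit_domain(n) for n in emails]
    names = cert.uris + emails
    if cert.common_name is not None:
        names.append(cert.common_name)
    return names


def match_login(login: str, cert: CertNames, domain_omit: bool = False) -> Optional[str]:
    """Return the certificate name the login user name matched exactly, or None."""
    for name in candidate_names(cert, domain_omit):
        if login == name:
            return name
    return None


def single_name_cert(name: str) -> CertNames:
    """Constructed certificate carrying one name: an email-form name as an RFC822 SAN,
    a bare user name as the common name."""
    return CertNames(rfc822=[name]) if "@" in name else CertNames(common_name=name)


def login_table(logins: List[str], cert_names: List[str],
                domain_omit: bool = False) -> Dict[str, Dict[str, str]]:
    """Rows are login user names, columns are certificate names, cells as in the tables."""
    return {
        login: {
            name: "Valid Match" if match_login(login, single_name_cert(name), domain_omit)
            else "Match Failure"
            for name in cert_names
        }
        for login in logins
    }
```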
Configuring an Online Certificate Status Profile (OCSP) for X.509 Certificates
Instead of using a CRL to perform certificate validation, use an OCSP query to an authorized server for the revocation status of a certificate. Performing an OCSP lookup requires access to a remote OCSP server or a local OCSP server. Configure an OCSP profile with the appropriate settings for your network.
Use the following commands to enable OCSP on the switch, and add the OCSP profile, myOCSP:
switch(config)# management security
switch(config-mgmt-security)# ocsp profile myOCSP
Link an OCSP profile to an SSL profile by adding the parameter, revocation ocsp profile.
Specify a timeout in seconds from one (1) to 600 with a default timeout of 30 seconds.
switch(config-mgmt-sec-ocsp-profile-myOCSP)# timeout 120
Override the OCSP responder and use a URL to an OCSP server for all OCSP queries instead of the values in the X.509 certificate:
switch(config-mgmt-sec-ocsp-profile-myOCSP)# url http://www.myocspserver.com
Add an extension request and response nonce behavior to the configuration. By default, a response contains a nonce but doesn't treat the absence of one as a failure. Configure this parameter to require a nonce in the request or not send one at all. In this case, disable the nonce request:
switch(config-mgmt-sec-ocsp-profile-myOCSP)# extension nonce request disabled
Configure certificates in the chain that require validation using OCSP. By default, the profile uses all. This requires the entire chain up to but not including the root CA to validate with OCSP. If set to leaf, only the client certificate must be validated using OCSP. If set to none, then OCSP only performs validation on certificates with an OCSP responder specified.
switch(config-mgmt-sec-ocsp-profile-myOCSP)# chain certificate requirement responder all
Displaying X.509 Certification Configuration
Use the following command to display the X.509 Authentication configuration:
switch(config)# show run section management ssh
management ssh
authentication X.509
server ssl profile x509-profile
username domain omit
The command, show management ssh, includes additional information about the X.509 authentication configuration:
switch(config)# show management ssh
User certificate authentication methods: x509-certificates
SSL profile: X509-profile invalid. See "show management security ssl profile" output for details.
To display details about the SSL profile configured for SSH authentication, use the show management security ssl profile command:
switch(config)# show management security ssl profile
Profile State Additional Information
---------------------- ------- ----------------------
ARISTA_DEFAULT_PROFILE valid
x509-profile invalid Profile has no data
To display the SSL profile and OCSP profile information, use the following command:
switch(config)# show run section management security
management security
ocsp profile myOCSP
chain certificate requirement responder leaf
extension nonce request response
timeout 20
url http://127.0.0.1:8080
!
ssl profile X509-profile
…
revocation ocsp profile revoke-ocsp
…
In the output, only the leaf certificate is validated, an extension request requires a nonce, the timeout is 20 seconds, and the URL for certificate validation is set to the local address.
Activating Security Services
After configuring the access databases, aaa authentication, aaa authorization, and aaa accounting commands designate active and backup services for handling access requests.
These sections describe the methods of selecting the switch's database to authenticate users and authorize access to network resources.
Authenticating Usernames and the Enable Password
Service lists specify the services the switch uses to authenticate usernames and the enable password.
Service List Description
Service list elements are service options, ordered by their priority.
Example
1. Location_1 server group - specifies a server group (see Server Groups).
2. Location_2 server group - specifies a server group.
3. TACACS+ servers - specifies all hosts for which a tacacs-server host command exists.
4. Local file - specifies the local file.
5. None - specifies that no authentication is required and all access attempts succeed.
The switch first attempts to authenticate a username using the Location_1 server group. If a server in that group is available, authentication proceeds through that server. Otherwise the switch tries each subsequent element in order until it finds an available one or reaches option 5 (None), which permits access without authentication.
Configuring Service Lists
- aaa authentication login specifies services the switch uses to authenticate usernames.
- aaa authentication enable specifies services the switch uses to authenticate the enable password.
- This command configures the switch to authenticate usernames through the TAC-1 server group. The local database is the backup method if TAC-1 servers are unavailable.
switch(config)# aaa authentication login default group TAC-1 local
- This command configures the switch to authenticate usernames through all TACACS+ servers and, if the TACACS+ servers are not available, through all RADIUS servers. If the RADIUS servers are also unavailable, the switch permits login attempts without authenticating them (none).
switch(config)# aaa authentication login default group tacacs+ group radius none
- This command configures the switch to authenticate the enable password through all TACACS+ servers and, if the TACACS+ servers are unavailable, through the local database.
switch(config)# aaa authentication enable default group TACACS+ local
AAA Time-based Lockout
AAA time-based lockout enables managing remote user unsuccessful login attempts for a specified period.
- The aaa authentication policy lockout failure command locks out remote user access for a specified period after a specified number of consecutive unsuccessful login attempts within the lockout window. In the following example, a user is allowed 4 attempts to log in within 1 day (the default window). After four consecutive unsuccessful logins, the system locks out their user account for 360 seconds.
switch(config)# aaa authentication policy lockout failure 4 duration 360
- The show aaa authentication lockout command displays the status of locked-out users.
switch# show aaa authentication lockout
- The clear aaa authentication lockout command clears a user's locked status, thus restoring access within a lockout period.
switch# clear aaa authentication lockout
Authorization
Authorization commands control EOS shell access, CLI command access, and configuration access through the console port. The switch also supports role-based authorization, which allows access to specified CLI commands by assigning command profiles (or roles) to usernames. See Role-Based Authorization for details.
During the exec authorization process, TACACS+ server responses may include attribute-value (AV) pairs. The switch recognizes the mandatory AV pair named priv-lvl=x (where x is between 0 and 15).
A TACACS+ server that sends any other mandatory AV pair is denied access to the switch by default. The switch's receipt of optional AV pairs does not affect decisions to permit or deny access to the TACACS+ server. The tacacs-server policy command programs the switch to allow access to TACACS+ servers that send unrecognized mandatory AV pairs.
- To specify the method of authorizing the opening of an EOS shell, enter aaa authorization exec.
- To specify the method of authorizing CLI commands, enter aaa authorization commands.
- This command specifies that TACACS+ servers authorize users attempting to open a CLI shell.
switch(config)# aaa authorization exec default group tacacs+
- This command programs the switch to authorize configuration commands (privilege level 15) through the local file and to deny command access to users not listed in the local file.
switch(config)# aaa authorization commands all default local
- This command programs the switch to permit all commands entered on the CLI.
switch(config)# aaa authorization commands all default none
- This command configures the switch to permit access to TACACS+ servers that send unrecognized mandatory AV pairs.
switch(config)# tacacs-server policy unknown-mandatory-attribute ignore
- Use the aaa authorization config-commands command to enable the authorization of configuration commands with the policy specified for all other commands.
- To require authorization of commands entered on the console, enter aaa authorization serial-console.
By default, EOS does not verify the authorization of commands entered on the console port.
- This command disables the authorization of configuration commands.
switch(config)# no aaa authorization config-commands
- This command enables the authorization of configuration commands.
switch(config)# aaa authorization config-commands
- This command configures the switch to authorize commands entered on the console using the method specified through a previously executed aaa authorization command.
switch(config)# aaa authorization serial-console
Accounting
The accounting service collects information for billing, auditing, and reporting. The switch supports TACACS+ and RADIUS accounting by reporting user activity to either the TACACS+ server or the RADIUS server as accounting records.
- EXEC: Provides information about user CLI sessions.
- Commands: Records entered commands, including configuration commands, associated with a privilege level.
- start-stop: a start notice is sent when a process begins; a stop notice is sent when it ends.
- stop-only: a stop accounting record is generated upon the successful completion of a process.
The aaa accounting command enables accounting.
- This command configures the switch to maintain start-stop accounting records for all commands executed by switch users and submits them to all TACACS+ hosts.
switch(config)# aaa accounting commands all default start-stop group tacacs+
- This command configures the switch to maintain stop accounting records for all user EXEC sessions performed through the console and submits them to all TACACS+ hosts.
switch(config)# aaa accounting exec console stop group tacacs+
TACACS+ Configuration Examples
These sections describe two sample TACACS+ host configurations.
Single Host Configuration
- IP address: 10.1.1.10.
- encryption key: example_1.
- port number: 49 (global default).
- timeout: 5 seconds (global default).
The switch authenticates the username and enable command against all TACACS+ servers which, in this case, is one host. If the TACACS+ server is unavailable, the switch authenticates with the local file.
Multiple Host Configuration
- IP address 10.1.1.2 - port 49.
- IP address 172.16.4.12 - port 4900.
- IP address 192.168.2.10 - port 49.
- Bldg_1 group consists of the servers at 10.1.1.2 and 172.16.4.12.
- Bldg_2 group consists of the servers at 192.168.2.10.
- encryption key - example_2.
- timeout - 10 seconds.
- The switch authenticates usernames against the Bldg_1 group and, if those servers are not available, against the local file.
- The switch authenticates the enable command against the Bldg_2 group, then the Bldg_1 group, then the local file.
AAA Accounting for OpenConfig Remote Procedure Call (RPC) Messages Overview
OpenConfig allows network engineers to collaboratively develop programming interfaces and tools to manage networks dynamically and in a vendor-neutral manner.
EOS supports AAA Accounting for gRPC Network Management Interface (gNMI), gRPC Network Operations (gNOI) Interface, and gRPC Network Security Interface (gNSI) RPCs by logging the accounting records to a TACACS+ server, RADIUS server, or to a syslog server.
AAA Commands
Local Security File Commands
Accounting, Authentication, and Authorization Commands
- aaa accounting
- aaa accounting dot1x
- aaa accounting system
- aaa authentication dot1x
- aaa authentication enable
- aaa authentication login
- aaa authentication policy local allow-nopassword-remote-login
- aaa authentication policy lockout failure
- aaa authentication policy log
- aaa authorization commands
- aaa authorization config-commands
- aaa authorization exec
- aaa authorization policy local default-role
- aaa authorization serial-console
- clear aaa authentication lockout
- clear aaa counters
- clear aaa counters radius
- clear aaa counters tacacs+
- clear radius proxy counters client group
- show aaa
- show aaa authentication lockout
- show aaa counters
- show aaa methods
- show management ldap
- show users detail
Server (RADIUS and TACACS+) Configuration Commands
- ip radius source-interface
- ip tacacs source-interface
- radius proxy client group client
- radius proxy client group server
- radius proxy client key
- radius proxy client session
- radius proxy dynamic-authorization
- radius-server deadtime
- radius-server host
- radius-server key
- radius-server retransmit
- radius-server timeout
- show radius
- show radius proxy client group
- show radius proxy server group
- show tacacs
- tacacs-server host
- tacacs-server key
- tacacs-server policy
- tacacs-server timeout
Server Group Configuration Commands
Role-Based Authorization Configuration Commands
aaa accounting dot1x
The aaa accounting dot1x command enables the accounting of requested 802.1X services for network access.
The no aaa accounting dot1x and default aaa accounting dot1x commands disable the specified method list by removing the corresponding aaa accounting dot1x command from running-config.
Command Mode
Global Configuration
Command Syntax
aaa accounting dot1x default MODE [METHOD_1][METHOD_2] ... [METHOD_N]
no aaa accounting dot1x default
default aaa accounting dot1x default
- MODE - The accounting mode that defines when to send accounting notices. Options include the following:
- start-stop - Send a start notice when a process begins, and a stop notice when it ends.
- METHOD_X - The server groups (methods) that receive accounting records from the switch. The switch sends accounting records to the first available listed group.
- No parameter is specified if MODE is set to none. If MODE is not set to none, the command must provide at least one method. Each method consists of one of the following:
- group name - The server group identified by name.
- group radius - The server group that includes all defined RADIUS hosts.
- group tacacs+ - The server group that includes all defined TACACS+ hosts.
- This example configures IEEE 802.1X accounting on the switch.
switch(config)# aaa accounting dot1x default start-stop group radius
switch(config)#
- This example disables IEEE 802.1X accounting on the switch.
switch(config)# no aaa accounting dot1x default
switch(config)#
aaa accounting system
The aaa accounting system command performs accounting for all system-level events.
The no aaa accounting system and default aaa accounting system commands clear the specified method list by removing the corresponding aaa accounting system command from running-config.
Command Mode
Global Configuration
Command Syntax
aaa accounting system default MODE [METHOD_1][METHOD_2] ... [METHOD_N]
no aaa accounting system default
default aaa accounting system default
- MODE - The accounting mode that defines when to send accounting notices. Options include the following:
- none - Do not send notices.
- start-stop - Send a start notice when a process begins, and send a stop notice when it ends.
- stop-only - Generate a stop accounting record after a process successfully completes.
- METHOD_X - The server groups (methods) that receive accounting records from the switch. The switch sends accounting records to the first available listed group.
- No parameter is specified if MODE is set to none. If MODE is not set to none, the command must provide at least one method. Each method consists of one of the following:
- group name - The server group identified by the name.
- group radius - The server group that includes all defined RADIUS hosts.
- group tacacs+ - The server group that includes all defined TACACS+ hosts.
- logging - Log all accounting messages to Syslog.
- This command configures AAA accounting to not use any accounting methods for system events.
switch(config)# aaa accounting system default none
switch(config)#
- This command configures the switch to maintain stop accounting records for system events to all defined RADIUS hosts.
switch(config)# aaa accounting system default stop-only group radius
switch(config)#
aaa accounting
The aaa accounting command configures accounting method lists for a specified authorization type. Each list consists of a prioritized list of methods. The accounting module uses the first available listed method for the authorization type.
The no aaa accounting and default aaa accounting commands clear the specified method list by removing the corresponding aaa accounting command from running-config.
Command Mode
Global Configuration
Command Syntax
aaa accounting TYPE CONNECTION MODE [METHOD_1][METHOD_2] ... [METHOD_N]
no aaa accounting TYPE CONNECTION
default aaa accounting TYPE CONNECTION
- TYPE - Authorization type for which the command specifies a method list. Options include:
- EXEC - Records user authentication events.
- COMMANDS ALL - Records all entered commands.
- COMMANDS level - Records entered commands of the specified level (ranges from 0 to 15).
- CONNECTION - The connection type of sessions that report method lists. Options include the following:
- console - Console connection.
- default - All connections not covered by other command options.
- MODE - The accounting mode that defines when to send accounting notices. Options include the following:
- none - No notices sent.
- start-stop - Send a start notice when a process begins, and send a stop notice when it ends.
- stop-only - Generate a stop accounting record after a process successfully completes.
- METHOD_X - The server groups (methods) that receive accounting records. The switch sends accounting records to the first available listed group.
- If you set the MODE to none, no method is specified. If you do not set the MODE to none, the command must provide at least one method. Each method consists of one of the following:
- group name - The server group identified by name.
- group radius - The server group that includes all defined RADIUS hosts.
- group tacacs+ - The server group that includes all defined TACACS+ hosts.
- logging - Log all accounting messages to Syslog.
- This command configures the switch to maintain start-stop accounting records for all commands executed by switch users and submits them to all TACACS+ hosts.
switch(config)# aaa accounting commands all default start-stop group tacacs+
switch(config)#
- This command configures the switch to maintain stop accounting records for all user EXEC sessions performed through the console and submits them to all TACACS+ hosts.
switch(config)# aaa accounting exec console stop group tacacs+
switch(config)#
aaa authentication dot1x
The aaa authentication dot1x command configures the default authentication list of requested 802.1X services for network access.
The no aaa authentication dot1x and default aaa authentication dot1x commands remove the default authentication list for IEEE 802.1X.
Command Mode
Global Configuration
Command Syntax
aaa authentication dot1x default group {group_name | radius}
no aaa authentication dot1x default
default aaa authentication dot1x
- default - Configures the default authentication list of requested 802.1X services for network access.
- group - Configures a server group.
- group_name - Server group name; multiple group names can be entered in a single command.
- radius - The list of all defined RADIUS hosts.
switch(config)# aaa authentication dot1x default group auth1
switch(config)#
aaa authentication enable
The aaa authentication enable command configures the service list that the switch references to authorize access to Privileged EXEC command mode. The list may contain these service options:
- A named server group
- All defined TACACS+ hosts
- All defined RADIUS hosts
- Local authentication
- No authentication
The switch authorizes access by using the first listed service option that is available. When the local file is a service list element, an attempt to locally authenticate a username that is not in the local file results in the switch continuing to the next service list element.
EOS supports a console list for authorizing usernames through the console and a default list for authorizing usernames through all other connections.
- If no console list exists, the console connection uses the default list.
- If no default list exists, the list sets to local.
The no aaa authentication enable and default aaa authentication enable commands revert the list configuration to the default by removing the corresponding aaa authentication enable command from running-config.
Command Mode
Global Configuration
Command Syntax
aaa authentication enable [console|default] METHOD_1 [METHOD_2] ... [METHOD_N]
no aaa authentication enable [console|default] default
default aaa authentication enable [console|default] default
Parameters
- console - Uses the console authentication list.
- default - Uses the default authentication list.
- METHOD_X - An authentication service. Settings include:
- group name - The server group identified by name.
- group radius - A server group that consists of all defined RADIUS hosts.
- group tacacs+ - A server group that consists of all defined TACACS+ hosts.
- local - Local authentication.
- none - Users are not authenticated; all access attempts succeed.
switch(config)# aaa authentication enable default group tacacs+ local
switch(config)#
aaa authentication login
The aaa authentication login command configures the service list that the switch references to authenticate usernames. The list may contain these service options:
- A named server group
- All defined TACACS+ hosts
- All defined RADIUS hosts
- Local authentication
- No authentication
When the local file is a service list element, an attempt to locally authenticate a username that is not in the local file results in the switch continuing to the next service list element.
The switch supports a console list for authenticating usernames through the console and a default list for authenticating usernames through all other connections.
- When the console list is not configured, the console connection uses the default list.
- When the default list is not configured, it is set to local.
The no aaa authentication login and default aaa authentication login commands revert the specified list configuration to its default by removing the corresponding aaa authentication login command from running-config.
Command Mode
Global Configuration
Command Syntax
aaa authentication login CONNECTION SERVICE_1 [SERVICE_2] ... [SERVICE_N]
no aaa authentication login CONNECTION
default aaa authentication login CONNECTION
- CONNECTION - The connection type of sessions for which the authentication list is used.
- default - The default authentication list.
- console - The authentication list for console logins.
- SERVICE_X - An authentication service. Settings include:
- group name - Identifies a previously defined server group.
- group radius - A server group that consists of all defined RADIUS hosts.
- group tacacs+ - A server group that consists of all defined TACACS+ hosts.
- local - Local authentication.
- none - The switch does not perform authentication. All access attempts succeed.
- This command configures the switch to authenticate usernames through the TAC-1 server group. The local database is the backup method if TAC-1 servers are unavailable.
switch(config)# aaa authentication login default group TAC-1 local
switch(config)#
- This command configures the switch to authenticate usernames through all TACACS+ servers, then all RADIUS servers if the TACACS+ servers are not available. If the RADIUS servers are also unavailable, the switch allows access to all login attempts without authentication.
switch(config)# aaa authentication login default group tacacs+ group radius none
switch(config)#
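The two lists above behave differently when servers are down. The following added example (not EOS code) models the prioritized service-list semantics described here: a reachable server group answers authoritatively, an unreachable one is skipped, the local file skips unknown usernames, and a trailing none accepts every attempt. The Verdict enum, the backend factories and the sample accounts are assumptions made for this illustration.

```python
"""Prioritized service-list evaluation, modelled on the aaa authentication
login lists above.

Added example, not EOS code. The Verdict enum, the backend factories and the
sample accounts are assumptions made for this illustration.
"""
from enum import Enum
from typing import Callable


class Verdict(Enum):
    ACCEPT = "accept"
    REJECT = "reject"
    # The service gave no answer (server unreachable, or the username is not
    # in the local file): the switch moves on to the next list element.
    UNAVAILABLE = "unavailable"


# A backend maps (username, password) to a Verdict.
Backend = Callable[[str, str], Verdict]


def local_backend(local_users: dict[str, str]) -> Backend:
    """Local file. An unknown username means 'continue', not 'reject'."""
    def check(user: str, password: str) -> Verdict:
        if user not in local_users:
            return Verdict.UNAVAILABLE
        return Verdict.ACCEPT if local_users[user] == password else Verdict.REJECT
    return check


def server_group_backend(reachable: bool, users: dict[str, str]) -> Backend:
    """A TACACS+ or RADIUS server group. When reachable its answer is final;
    when unreachable the group is skipped."""
    def check(user: str, password: str) -> Verdict:
        if not reachable:
            return Verdict.UNAVAILABLE
        return Verdict.ACCEPT if users.get(user) == password else Verdict.REJECT
    return check


def none_backend(user: str, password: str) -> Verdict:
    """The 'none' service: every attempt succeeds."""
    return Verdict.ACCEPT


def authenticate(service_list: list[tuple[str, Backend]],
                 user: str, password: str) -> tuple[bool, str]:
    """Walk the list in order; the first service that answers decides.
    Returns (access granted, name of the deciding service)."""
    for name, backend in service_list:
        verdict = backend(user, password)
        if verdict is Verdict.UNAVAILABLE:
            continue
        return verdict is Verdict.ACCEPT, name
    # Every element was unavailable and the list has no 'none': access denied.
    return False, "list exhausted"


def build_lists(tacacs_up: bool, radius_up: bool):
    """Build the two lists from the examples above over constructed sample
    accounts (not real credentials)."""
    tac1 = server_group_backend(tacacs_up, {"alice": "tac-pw"})
    radius = server_group_backend(radius_up, {"bob": "rad-pw"})
    local = local_backend({"admin": "local-pw"})
    # aaa authentication login default group TAC-1 local
    tac_then_local = [("group TAC-1", tac1), ("local", local)]
    # aaa authentication login default group tacacs+ group radius none
    tac_radius_none = [("group tacacs+", tac1), ("group radius", radius),
                       ("none", none_backend)]
    return tac_then_local, tac_radius_none


if __name__ == "__main__":
    up, _ = build_lists(tacacs_up=True, radius_up=True)
    down, open_list = build_lists(tacacs_up=False, radius_up=False)
    print(authenticate(up, "admin", "local-pw"))          # TAC-1 answers: rejected, no local fallback
    print(authenticate(down, "admin", "local-pw"))        # TAC-1 down: the local file accepts
    print(authenticate(open_list, "anyone", "anything"))  # all servers down: 'none' admits everyone
```

Note that the local file is consulted only when the server group is unreachable, not when the server rejects the user, and that a list ending in none fails open when every server is down.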
aaa authentication policy local allow-nopassword-remote-login
The aaa authentication policy local allow-nopassword-remote-login command permits usernames without passwords to log in from any port. The default switch setting only allows unprotected usernames to log in from the console.
The no aaa authentication policy local allow-nopassword-remote-login and default aaa authentication policy local allow-nopassword-remote-login commands return the switch to the default setting of allowing unprotected usernames to log in only from the console.
Command Mode
Global Configuration
Command Syntax
aaa authentication policy local allow-nopassword-remote-login
no aaa authentication policy local allow-nopassword-remote-login
default aaa authentication policy local allow-nopassword-remote-login
- This command configures the switch to allow unprotected usernames to log in from any port.
switch(config)# aaa authentication policy local allow-nopassword-remote-login
switch(config)#
- This command configures the switch to allow unprotected usernames to log in only from the console port.
switch(config)# no aaa authentication policy local allow-nopassword-remote-login
switch(config)#
aaa authentication policy lockout failure
The aaa authentication policy lockout failure command configures the switch to block the remote user from access after a specified number of unsuccessful login attempts within a lockout period.
The no aaa authentication policy lockout failure and the default aaa authentication policy lockout failure commands disable the lockout period configuration.
Command Mode
Global Configuration
Command Syntax
aaa authentication policy lockout failure failure_count duration duration_time {window window_time}
no aaa authentication policy lockout failure
default aaa authentication policy lockout failure
- failure_count - The number of failed logins within the window that triggers a lockout. Specify a number between 1 and 255.
- duration duration_time - The time in seconds that the user account is blocked from logging in. Specify a value between 1 and 4294967295 seconds.
- window window_time - The time in seconds during which failed logins are counted. Specify a value between 1 and 4294967295 seconds; the default is 1 day.
- This command allows four login attempts within the default window of 1 day. After 4 consecutive unsuccessful logins, EOS locks the account for 360 seconds.
switch(config)# aaa authentication policy lockout failure 4 duration 360
- This command allows five login attempts within a window of 10 seconds. After 5 unsuccessful logins within that window, EOS locks the account for 60 seconds.
switch(config)# aaa authentication policy lockout failure 5 window 10 duration 60
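The interaction of failure count, window and duration is easiest to see on a timeline. The following added example (not EOS code) models the policy as a sliding window of failure timestamps, locks the account for the duration once the count is reached inside the window, and includes the operator-side clear that the clear aaa authentication lockout command provides. The LockoutPolicy class, its method names and the attempt timestamps in simulate() are assumptions for this illustration.

```python
"""Sliding-window lockout policy, modelled on
aaa authentication policy lockout failure <count> duration <seconds> [window <seconds>].

Added example, not EOS code. The LockoutPolicy class, its method names and the
attempt timestamps used in simulate() are assumptions for this illustration.
"""
from collections import defaultdict, deque
from typing import Optional

DEFAULT_WINDOW = 24 * 60 * 60  # the default window is 1 day


class LockoutPolicy:
    def __init__(self, failure_count: int, duration: int, window: int = DEFAULT_WINDOW):
        if not 1 <= failure_count <= 255:
            raise ValueError("failure_count must be between 1 and 255")
        if not (1 <= duration <= 4294967295 and 1 <= window <= 4294967295):
            raise ValueError("duration and window must be between 1 and 4294967295 seconds")
        self.failure_count = failure_count
        self.duration = duration
        self.window = window
        self._failures = defaultdict(deque)   # user -> timestamps of recent failures
        self._locked_until = {}               # user -> time at which the lock expires

    def is_locked(self, user: str, now: float) -> bool:
        until = self._locked_until.get(user)
        if until is None:
            return False
        if now >= until:                      # the lock duration has elapsed
            del self._locked_until[user]
            return False
        return True

    def record_failure(self, user: str, now: float) -> bool:
        """Record a failed login at time `now`; return True if it triggers a lockout."""
        if self.is_locked(user, now):
            return False                      # already locked; nothing new to trigger
        times = self._failures[user]
        times.append(now)
        while times and now - times[0] > self.window:   # forget failures outside the window
            times.popleft()
        if len(times) >= self.failure_count:
            self._locked_until[user] = now + self.duration
            times.clear()
            return True
        return False

    def record_success(self, user: str) -> None:
        """A successful login resets the failure history."""
        self._failures.pop(user, None)

    def clear_lockout(self, user: Optional[str] = None) -> None:
        """Equivalent of 'clear aaa authentication lockout [user NAME]'."""
        if user is None:
            self._locked_until.clear()
            self._failures.clear()
        else:
            self._locked_until.pop(user, None)
            self._failures.pop(user, None)


def simulate() -> dict:
    """Replay a constructed attempt log against 'lockout failure 5 window 10 duration 60'."""
    policy = LockoutPolicy(failure_count=5, duration=60, window=10)
    result = {}
    # Four failures over 9 seconds: inside the window, but below the count.
    for t in (0, 3, 6, 9):
        policy.record_failure("alice", t)
    result["locked_after_four"] = policy.is_locked("alice", 9)
    # At t=12 the failure from t=0 has left the 10-second window: still four.
    result["triggered_at_12"] = policy.record_failure("alice", 12)
    # At t=13 the window holds 3, 6, 9, 12, 13: five failures, lock for 60 s.
    result["triggered_at_13"] = policy.record_failure("alice", 13)
    result["locked_at_30"] = policy.is_locked("alice", 30)
    result["locked_at_73"] = policy.is_locked("alice", 73)   # 13 + 60 = 73: lock expired
    # A second account is locked and then cleared by an operator.
    for t in range(5):
        policy.record_failure("bob", 100 + t)
    result["bob_locked"] = policy.is_locked("bob", 105)
    policy.clear_lockout("bob")
    result["bob_locked_after_clear"] = policy.is_locked("bob", 106)
    return result


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key}: {value}")
```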
aaa authentication policy log
The aaa authentication policy log command configures the switch to generate syslog messages for login authentication success or failure events.
The no aaa authentication policy log and the default aaa authentication policy log commands restore the default behavior of not generating syslog messages for these events.
Command Mode
Global Configuration
Command Syntax
aaa authentication policy {on-failure | on-success} log
no aaa authentication policy {on-failure | on-success} log
default aaa authentication policy {on-failure | on-success} log
- on-failure - Generates syslog messages for failed login events.
- on-success - Generates syslog messages for successful login events.
This command configures the switch to log successful and failed login attempts.
switch(config)# aaa authentication policy on-success log
switch(config)# aaa authentication policy on-failure log
aaa authorization commands
- Level 1: Commands accessible from EXEC mode.
- Level 15: Commands accessible from any mode except EXEC.
Command usage is authorized for each privilege level specified in the command.
- A named server group.
- All defined TACACS+ hosts.
- All defined RADIUS hosts.
- Local authorization.
- No authorization.
The list is set to none for all unconfigured privilege levels, allowing all CLI access attempts to succeed.
The no aaa authorization commands and default aaa authorization commands commands revert the list contents to none for the specified privilege levels.
Command Mode
Global Configuration
Command Syntax
aaa authorization commands PRIV default SERVICE_1 [SERVICE_2] ... [SERVICE_N]
no aaa authorization commands PRIV default
default aaa authorization commands PRIV default
- PRIV - Privilege levels of the commands. Options include the following:
- level - A number between 0 and 15, a range, or a comma-delimited list of numbers and ranges.
- all - Commands of all levels.
- SERVICE_X - Authorization service. The command must list at least one service. Options include the following:
- group name - The server group identified by name.
- group tacacs+ - A server group that consists of all defined TACACS+ hosts.
- local - Local authorization.
- none - The switch does not perform authorization. All access attempts succeed.
- This command authorizes configuration commands (privilege level 15) through the local file. The switch denies command access to users not listed in the local file.
switch(config)# aaa authorization commands all default local
switch(config)#
- This command authorizes all commands entered on the CLI.
switch(config)# aaa authorization commands all default none
switch(config)#
aaa authorization config-commands
The aaa authorization config-commands command enables authorization of commands in any configuration mode, such as Global Configuration and all interface configuration modes. The policy specified by the aaa authorization commands setting authorizes the commands. EOS enables authorization by default, so issuing this command has no effect unless running-config contains the no aaa authorization config-commands command.
The no aaa authorization config-commands command disables configuration command authorization. When disabled, running-config contains the no aaa authorization config-commands command. The default aaa authorization config-commands command restores the default setting by removing the no aaa authorization config-commands from running-config.
Command Mode
Global Configuration
Command Syntax
aaa authorization config-commands
no aaa authorization config-commands
default aaa authorization config-commands
- This command enables the authorization of configuration commands.
switch(config)# aaa authorization config-commands
switch(config)#
- This command disables the authorization of configuration commands.
switch(config)# no aaa authorization config-commands
switch(config)#
aaa authorization exec
The aaa authorization exec command configures the service list that the switch references to authorize access to open an EOS CLI shell.
The list consists of a prioritized list of service options. The switch authorizes access by using the first listed service option to which the switch can connect. When the switch cannot communicate with an entity that provides a specified service option, it attempts to use the next option in the list.
- A named server group.
- All defined TACACS+ hosts.
- All defined RADIUS hosts.
- Local authentication.
- No authentication.
EOS supports a console list to authorize access to a CLI shell through the console and a default list to authorize access for all other connections.
- If no console list exists, the console connection uses the default list when aaa authorization serial-console is enabled; otherwise, the console connection uses none.
- If no default list exists, the list sets to local.
The no aaa authorization exec and default aaa authorization exec commands set the list contents to none.
Command Mode
Global Configuration
Command Syntax
aaa authorization exec default METHOD_1 [METHOD_2] ... [METHOD_N]
no aaa authorization exec default
default aaa authorization exec default
- METHOD_X authorization service (method). The switch uses the first listed available method.
The command must provide at least one method. Each method is composed of one of the following:
- group name - The server group identified by name.
- group radius - A server group that consists of all defined RADIUS hosts.
- group tacacs+ - A server group that consists of all defined TACACS+ hosts.
- local - Local authentication.
- none - The switch does not perform authorization. All access attempts succeed.
Guidelines
During the EXEC authorization process, the TACACS+ server response may include attribute-value (AV) pairs. The switch recognizes the mandatory AV pair priv-lvl=x, where x is an integer between 0 and 15. If the TACACS+ server sends any other mandatory AV pair, the switch denies access. Optional AV pairs in the response have no effect on the decision to permit or deny access.
switch(config)# aaa authorization exec default group tacacs+
switch(config)#
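The guideline above is a small decision procedure, shown here as an added example (not EOS code). In the TACACS+ attribute-value syntax a pair separated by '=' is mandatory and one separated by '*' is optional; the AVPair and ExecDecision classes, the evaluate_exec_authorization function and the sample replies are assumptions for this illustration.

```python
"""EXEC authorization decision from TACACS+ reply attribute-value pairs, as
described in the Guidelines above: 'priv-lvl=x' with x in 0..15 is the only
mandatory pair accepted, any other mandatory pair denies access, and optional
pairs do not affect the decision.

Added example, not EOS code. The '=' (mandatory) and '*' (optional) separators
are the TACACS+ attribute-value syntax; the AVPair and ExecDecision classes, the
evaluate_exec_authorization function and the sample replies are assumptions for
this illustration.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class AVPair:
    attr: str
    value: str
    mandatory: bool


def parse_av_pair(text: str) -> AVPair:
    """Split at the first '=' or '*'; the separator encodes mandatory/optional."""
    for i, ch in enumerate(text):
        if ch in "=*":
            return AVPair(text[:i], text[i + 1:], mandatory=(ch == "="))
    raise ValueError(f"malformed attribute-value pair: {text!r}")


@dataclass(frozen=True)
class ExecDecision:
    permitted: bool
    priv_lvl: Optional[int]   # None when the server sent no priv-lvl
    reason: str


def evaluate_exec_authorization(av_pairs: list) -> ExecDecision:
    priv_lvl = None
    for raw in av_pairs:
        pair = parse_av_pair(raw)
        if not pair.mandatory:
            continue                          # optional: no effect on permit/deny
        if pair.attr == "priv-lvl" and pair.value.isdigit() and 0 <= int(pair.value) <= 15:
            priv_lvl = int(pair.value)
            continue
        # Any other mandatory pair (including an out-of-range priv-lvl) denies access.
        return ExecDecision(False, None, f"unsupported mandatory pair {raw!r}")
    return ExecDecision(True, priv_lvl, "ok")


# Constructed sample replies, not captures from a real server.
SAMPLE_REPLIES = {
    "admin shell": ["priv-lvl=15"],
    "operator with optional extras": ["priv-lvl=1", "idletime*600", "timeout*0"],
    "unknown mandatory attribute": ["priv-lvl=15", "acl=5"],
    "priv-lvl out of range": ["priv-lvl=99"],
}

if __name__ == "__main__":
    for label, reply in SAMPLE_REPLIES.items():
        print(f"{label:32s} -> {evaluate_exec_authorization(reply)}")
```

When a server administrator adds a new mandatory attribute to a shell authorization profile, the visible symptom on the switch side is therefore a denied EXEC session rather than an ignored attribute; the same attribute sent as optional is harmless.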
aaa authorization policy local default-role
The aaa authorization policy local default-role command specifies the name of the default role. A role is a data structure that supports local command authorization through assignment to user accounts. Roles consist of permit and deny rules that define authorization levels for specified commands. Applying a role to a username authorizes the user to execute the commands specified by the role.
EOS assigns the default role to the following users:
- Local or remote users assigned to an unconfigured role.
- Local users without an assigned role.
When no default role is configured, EOS assigns network-operator to these users as the default role. The network-operator role authorizes assigned users to access all CLI commands in EXEC and Privileged EXEC modes.
The no aaa authorization policy local default-role and default aaa authorization policy local default-role commands remove the aaa authorization policy local default-role statement from running-config. Removing this statement restores network-operator as the default role.
Command Mode
Global Configuration
Command Syntax
aaa authorization policy local default-role role_name
no aaa authorization policy local default-role
default aaa authorization policy local default-role
Parameter
role_name - Specify the name of the default role.
Related Command
The role command places the switch in role configuration mode for creating and editing roles.
- This command configures sysuser as the default role.
switch(config)# aaa authorization policy local default-role sysuser
switch(config)#
- This command restores network-operator as the default role.
switch(config)# no aaa authorization policy local default-role
switch(config)#
- This command displays the contents of the network-operator role.
switch# show users roles network-operator
The default role is network-operator
role: network-operator
10 deny mode exec command bash|\|
20 permit mode exec command .*
switch#
aaa authorization serial-console
The aaa authorization serial-console command configures the switch to authorize commands entered through the console. By default, commands entered through the console do not require authorization.
The no aaa authorization serial-console and default aaa authorization serial-console commands restore the default setting.
Command Mode
Global Configuration
Command Syntax
aaa authorization serial-console
no aaa authorization serial-console
default aaa authorization serial-console
switch(config)# aaa authorization serial-console
switch(config)#
aaa group server radius
The aaa group server radius command enters the Server-group-RADIUS Configuration Mode for the specified group name. The command creates the specified group if not previously created.
A server group consists of a collection of servers associated with a single label. Subsequent authorization and authentication commands access all servers in a group by invoking the group name. Server group members must be previously configured with a radius-server host command.
The no aaa group server radius and default aaa group server radius commands delete the specified server group from running-config.
Command Mode
Global Configuration
Command Syntax
aaa group server radius group_name
no aaa group server radius group_name
default aaa group server radius group_name
Parameters
group_name - Specify a name, as a text string, to assign to the group. Cannot be identical to a name already assigned to a TACACS+ server group.
Commands Available in Server-group-RADIUS Configuration Mode
server (server-group-RADIUS configuration mode).
Related Command
aaa group server tacacs+
switch(config)# aaa group server radius RAD-SV1
switch(config-sg-radius-RAD-SV1)#
aaa group server tacacs+
The aaa group server tacacs+ command enters Server-group-TACACS+ Configuration Mode for the specified group name. The command creates the specified group if not previously created.
A server group consists of a collection of servers associated with a single label. Subsequent authorization and authentication commands access all servers in a group by invoking the group name. Server group members must be previously configured with a tacacs-server host command.
The no aaa group server tacacs+ and default aaa group server tacacs+ commands delete the specified server group from running-config.
Command Mode
Global Configuration
Command Syntax
aaa group server tacacs+ group_name
no aaa group server tacacs+ group_name
default aaa group server tacacs+ group_name
Parameters
group_name - Specify a name, as a text string, to assign to the group. Cannot be identical to a name already assigned to a RADIUS server group.
Commands Available in Server-group-TACACS+ Configuration Mode
server (server-group-TACACS+ configuration mode)
Related Command
aaa group server radius
switch(config)# aaa group server tacacs+ TAC-GR
switch(config-sg-tacacs+-TAC-GR)#
aaa root
The aaa root command specifies the password security level for the root account and can assign a password to the account.
The no aaa root and default aaa root commands disable the root account by removing the aaa root command from running-config. The root account is disabled by default.
Command Mode
Global Configuration
Command Syntax
aaa root SECURITY_LEVEL [ENCRYPT_TYPE] [password]
no aaa root
default aaa root
- SECURITY_LEVEL - Specify the password assignment level. Settings include the following:
- secret - Assigns the password to the root account.
- nopassword - Does not assign a password to the root account.
- ENCRYPT_TYPE - Encryption level of the password parameter. This parameter is present only when SECURITY_LEVEL is secret. Settings include:
- no parameter - The password is entered as clear text.
- 0 - The password is entered as clear text. Equivalent to no parameter.
- 5 - The password is entered as an MD5-encrypted string.
- sha512 - The password is entered as an SHA-512-encrypted string.
- password - Text that authenticates the username. The command includes this parameter only if SECURITY_LEVEL is secret.
- password must be in clear text if ENCRYPT_TYPE specifies clear text.
- password must be an appropriately encrypted string if ENCRYPT_TYPE specifies encryption.
Encrypted strings entered through this parameter are generated elsewhere.
- These equivalent commands assign f4980 as the root account password.
switch(config)# aaa root secret f4980
switch(config)# aaa root secret 0 f4980
- This command assigns as the root password the clear text (ab234) that corresponds to the encrypted string $1$HW05LEY8$QEVw6JqjD9VqDfh.O8r.b.
switch(config)# aaa root secret 5 $1$HW05LEY8$QEVw6JqjD9VqDfh.O8r.b
switch(config)#
- This command removes the password from the root account.
switch(config)# aaa root nopassword
switch(config)#
- This command disables the root login.
switch(config)# no aaa root
switch(config)#
clear aaa authentication lockout
The clear aaa authentication lockout command clears the locked status of a user, allowing access before the lockout period expires. If no user is specified, the command clears the locked status of all users.
Command Mode
Privileged EXEC
Command Syntax
clear aaa authentication lockout [user user_name]
Parameter
user user_name - Specify the name of the user.
- This command clears the locked status of the user Alice.
switch# clear aaa authentication lockout user Alice
clear aaa counters radius
The clear aaa counters radius command resets the counters tracking the statistics for the RADIUS servers that the switch accesses. The show radius command displays the counters reset by the clear aaa counters radius command.
Command Mode
Privileged EXEC
Command Syntax
clear aaa counters radius
switch# show radius
RADIUS server : radius/10
Connection opens: 204
Connection closes: 0
Connection disconnects: 199
Connection failures: 10
Connection timeouts: 2
Messages sent: 1490
Messages received: 1490
Receive errors: 0
Receive timeouts: 0
Send timeouts: 0
Last time counters were cleared: never
switch# clear aaa counters radius
switch# show radius
RADIUS server : radius/10
Connection opens: 0
Connection closes: 0
Connection disconnects: 0
Connection failures: 0
Connection timeouts: 0
Messages sent: 0
Messages received: 0
Receive errors: 0
Receive timeouts: 0
Send timeouts: 0
Last time counters were cleared: 0:00:03 ago
switch#
clear aaa counters tacacs+
The clear aaa counters tacacs+ command resets the counters tracking the statistics for the TACACS+ servers that the switch accesses. The show tacacs command displays the counters reset by the clear aaa counters tacacs+ command.
Command Mode
Privileged EXEC
Command Syntax
clear aaa counters tacacs+
switch# show tacacs
TACACS+ server : tacacs/49
Connection opens: 15942
Connection closes: 7
Connection disconnects: 1362
Connection failures: 0
Connection timeouts: 0
Messages sent: 34395
Messages received: 34392
Receive errors: 0
Receive timeouts: 2
Send timeouts: 0
Last time counters were cleared: never
TACACS+ source-interface: Enabled
TACACS+ outgoing packets will be sourced with an IP address associated with the
Loopback0 interface
switch# clear aaa counters tacacs+
switch# show tacacs
TACACS+ server : tacacs/49
Connection opens: 0
Connection closes: 0
Connection disconnects: 0
Connection failures: 0
Connection timeouts: 0
Messages sent: 0
Messages received: 0
Receive errors: 0
Receive timeouts: 0
Send timeouts: 0
Last time counters were cleared: 0:00:03 ago
TACACS+ source-interface: Enabled
TACACS+ outgoing packets will be sourced with an IP address associated with the
Loopback0 interface
switch#
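The show radius and show tacacs output above is the raw material for a health check of the AAA servers: a rising count of connection failures or timeouts, or requests that never get a reply, is an early sign that authentication is about to fall through to the next list element. The following added example (not EOS code) parses the counter block into a dictionary and compares two snapshots, treating a counter that went down as having been reset by clear aaa counters. The regular expressions, the thresholds and the second snapshot are assumptions for this illustration; the first snapshot is the show tacacs output quoted above.

```python
"""Parse 'show tacacs' / 'show radius' counter output and flag server trouble
between two snapshots, tolerating a counter reset by 'clear aaa counters ...'.

Added example, not EOS code. The regular expressions, the health thresholds
and the second (later) snapshot are assumptions for this illustration; the
first snapshot is the show tacacs output quoted above.
"""
import re

SERVER_RE = re.compile(r"^(TACACS\+|RADIUS) server\s*:\s*(\S+)\s*$")
COUNTER_RE = re.compile(r"^([A-Za-z ]+?):\s+(\d+)\s*$")


def parse_show_counters(text: str) -> dict:
    """Map server label -> {counter name: value}. Non-numeric lines such as
    'Last time counters were cleared: never' and the source-interface text are skipped."""
    servers = {}
    current = None
    for line in text.splitlines():
        if m := SERVER_RE.match(line.strip()):
            current = m.group(2)
            servers[current] = {}
        elif current is not None and (m := COUNTER_RE.match(line.strip())):
            servers[current][m.group(1)] = int(m.group(2))
    return servers


def counter_delta(before: int, after: int) -> int:
    """Increment since the previous snapshot. If the counter went down it was
    cleared in between, so the new value is the whole increment."""
    return after if after < before else after - before


def health_alerts(prev: dict, curr: dict, max_failures: int = 0,
                  max_unanswered: int = 0) -> list:
    alerts = []
    for server, counters in curr.items():
        old = prev.get(server, {})

        def delta(name):
            return counter_delta(old.get(name, 0), counters.get(name, 0))

        failures = delta("Connection failures") + delta("Connection timeouts")
        if failures > max_failures:
            alerts.append(f"{server}: {failures} new connection failures/timeouts")
        unanswered = delta("Messages sent") - delta("Messages received")
        if unanswered > max_unanswered:
            alerts.append(f"{server}: {unanswered} requests without a reply")
    return alerts


# First snapshot: the show tacacs output quoted above.
SNAPSHOT_1 = """\
TACACS+ server : tacacs/49
Connection opens: 15942
Connection closes: 7
Connection disconnects: 1362
Connection failures: 0
Connection timeouts: 0
Messages sent: 34395
Messages received: 34392
Receive errors: 0
Receive timeouts: 2
Send timeouts: 0
Last time counters were cleared: never
TACACS+ source-interface: Enabled
"""

# Second snapshot, constructed: six new connection failures and three requests
# that were sent but never answered.
SNAPSHOT_2 = """\
TACACS+ server : tacacs/49
Connection opens: 15960
Connection closes: 7
Connection disconnects: 1365
Connection failures: 6
Connection timeouts: 0
Messages sent: 34420
Messages received: 34414
Receive errors: 0
Receive timeouts: 2
Send timeouts: 0
Last time counters were cleared: never
"""

if __name__ == "__main__":
    for alert in health_alerts(parse_show_counters(SNAPSHOT_1), parse_show_counters(SNAPSHOT_2)):
        print(alert)
```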
clear aaa counters
The clear aaa counters command resets the counters tracking the number of service transactions performed by the switch since the last reset of the counters. The show aaa counters command displays the counters reset by the clear aaa counters command.
Command Mode
Privileged EXEC
Command Syntax
clear aaa counters [SERVICE_TYPE]
switch# clear aaa counters
switch# show aaa counters
Authentication
Successful: 0
Failed: 0
Service unavailable: 0
Authorization
Allowed: 1
Denied: 0
Service unavailable: 0
Accounting
Successful: 0
Error: 0
Pending: 0
Last time counters were cleared: 0:00:44 ago
clear radius proxy counters client group
The clear radius proxy client group command clears RADIUS proxy client packet counters.
Command Mode
Privileged EXEC
Command Syntax
clear radius proxy client group group_name
Parameters
- group group_name - Specify a group name to clear the counters of that client group; omit the name to clear the counters of all RADIUS proxy client groups.
Example
Use the following command to clear RADIUS proxy client packet counters:
switch# clear radius proxy client group
deny (Role)
The deny command adds a deny rule to the configuration mode role. Deny rules prohibit access to the specified commands for usernames with the applied role. Sequence numbers determine rule placement in the role. A command is compared sequentially to the rules within a role until it matches a rule; the first matching rule determines the command's authorization. A rule entered without a sequence number receives the number of the role's last rule plus 10.
Deny rules use regular expressions to denote commands. A mode parameter specifies the command modes in which the commands are restricted. Modes are specified by a predefined keyword, a command mode's short key, or a regular expression that matches the long key of one or more command modes.
The no deny and default deny commands remove the specified rule from the configuration mode role. The no <sequence number> (Role) command also removes the specified rule from the role.
Command Mode
Role Configuration
Command Syntax
[SEQ_NUM] deny [MODE_NAME] command command_name
no deny [MODE_NAME] command command_name
default deny [MODE_NAME] command command_name
- SEQ_NUM - A sequence number assigned to the rule. Options include:
- no parameter - The number derived by adding 10 to the number of the role's last rule.
- 1 - 256 - A number assigned to an entry.
- MODE_NAME - The command mode in which command access is prohibited. Values include:
- no parameter - All command modes.
- mode short_name - An exact match of a mode's short key name.
- mode long_name - A regular expression matching the long key name of one or more modes.
- mode config - The Global configuration mode.
- mode config-all - All configuration modes, including global configuration mode.
- mode exec - EXEC and Privileged EXEC modes.
- command_name - Regular expression that denotes the name of one or more commands.
Guidelines
- %p Short mode key.
- %P Long mode key.
Deny statements save to the running-config only when exiting the Role configuration mode.
Related Command
The role command places the switch in Role configuration mode.
switch(config)# role sysuser
switch(config-mode-sysuser)# deny mode exec command reload
switch(config-mode-sysuser)#
enable password
The enable password command creates a new enable password or changes an existing password.
The no enable password and default enable password commands delete the enable password by removing the enable password command from running-config.
Command Mode
Global Configuration
Command Syntax
enable password [ENCRYPT_TYPE] password
no enable password
default enable password
- ENCRYPT_TYPE - Encryption level of the password parameter. Settings include:
- no parameter - The password is entered as clear text.
- 0 - The password is entered as clear text. Equivalent to <no parameter>.
- 5 - The password is entered as an MD5-encrypted string.
- sha512 - The password is entered as an SHA-512-encrypted string.
- password - Text that authenticates the username.
- password must be in clear text if ENCRYPT_TYPE specifies clear text.
- password must be an appropriately encrypted string if ENCRYPT_TYPE specifies encryption.
Encrypted strings entered through this parameter are generated elsewhere.
- These equivalent commands assign xyrt1 as the enable password.
switch(config)# enable password xyrt1
switch(config)# enable password 0 xyrt1
- This command assigns the enable password to the clear text (12345) that corresponds to the encrypted string $1$8bPBrJnd$Z8wbKLHpJEd7d4tc5Z/6h/. The string was generated by an MD5-encryption program using 12345 as the seed.
switch(config)# enable password 5 $1$8bPBrJnd$Z8wbKLHpJEd7d4tc5Z/6h/
switch(config)#
- This command deletes the enable password.
switch(config)# no enable password
switch(config)#
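Both aaa root secret and enable password accept the same ENCRYPT_TYPE values, which makes them natural targets for a pre-deployment check of configuration files: a type 0 (or untyped) entry carries a clear-text password, type 5 is an MD5-crypt ($1$) string, and sha512 is a SHA-512 crypt ($6$) string. The following added example (not EOS code) audits a configuration text for these statements and for aaa root nopassword. The Finding class, the severities and the sample configuration are assumptions for this illustration; the two password values in the sample are the ones used in the examples above.

```python
"""Audit of password and secret statements before a configuration is pushed,
covering the aaa root and enable password syntax above: type 0 (or no type)
is clear text, type 5 is an MD5-crypt string ($1$...), sha512 is a SHA-512
crypt string ($6$...), and aaa root nopassword enables root with no password.

Added example, not EOS code. The Finding class, the severities and the sample
configuration are assumptions for this illustration; the two password values
in the sample are the ones used in the examples above.
"""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Finding:
    line_no: int
    command: str
    severity: str
    message: str


# Syntax on this page: enable password [ENCRYPT_TYPE] password
#                      aaa root secret [ENCRYPT_TYPE] password  |  aaa root nopassword
ENABLE_RE = re.compile(r"^enable password(?: (0|5|sha512))? (\S+)$")
ROOT_SECRET_RE = re.compile(r"^aaa root secret(?: (0|5|sha512))? (\S+)$")
ROOT_NOPASSWORD_RE = re.compile(r"^aaa root nopassword$")


def classify_credential(encrypt_type: Optional[str], value: str) -> tuple:
    """Return (severity, message) for one password parameter."""
    if encrypt_type in (None, "0"):
        return "high", "clear-text password in configuration input"
    if encrypt_type == "5":
        if not value.startswith("$1$"):
            return "high", "type 5 declared but value is not an MD5-crypt ($1$) string"
        return "medium", "MD5-crypt (type 5) secret; sha512 is the stronger option"
    if encrypt_type == "sha512":
        if not value.startswith("$6$"):
            return "high", "sha512 declared but value is not a $6$ crypt string"
        return "info", "SHA-512 crypt secret"
    return "high", f"unknown encryption type {encrypt_type!r}"


def audit_config(text: str) -> list:
    findings = []
    for n, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if m := ENABLE_RE.match(line):
            sev, msg = classify_credential(m.group(1), m.group(2))
            findings.append(Finding(n, "enable password", sev, msg))
        elif m := ROOT_SECRET_RE.match(line):
            sev, msg = classify_credential(m.group(1), m.group(2))
            findings.append(Finding(n, "aaa root secret", sev, msg))
        elif ROOT_NOPASSWORD_RE.match(line):
            findings.append(Finding(n, "aaa root nopassword", "high",
                                    "root account enabled without a password"))
    return findings


# Constructed sample; the hash and the clear-text value are the page's examples.
SAMPLE_CONFIG = """\
!
enable password 5 $1$8bPBrJnd$Z8wbKLHpJEd7d4tc5Z/6h/
aaa root secret 0 f4980
!
"""

if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print(f"line {f.line_no}: [{f.severity}] {f.command}: {f.message}")
```

The check is deliberately syntactic: it reads the declared type and the hash prefix, never the secret itself, so it can run in a pipeline that must not log credentials.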
ip radius source-interface
The ip radius source-interface command specifies the interface from which the IPv4 address is derived for use as the source for outbound RADIUS packets. When a source interface is not specified, the switch selects an interface.
The no ip radius source-interface and default ip radius source-interface commands remove the ip radius source-interface command from running-config.
Command Mode
Global Configuration
Command Syntax
ip radius [vrf_inst] source-interface int_name
no ip radius [vrf_inst] source-interface
default ip radius [vrf_inst] source-interface
- vrf_inst - Specifies the VRF instance used to communicate with the specified server.
- no parameter - The switch communicates with the server using the default VRF.
- vrf vrf_name - The switch communicates with the server using the specified user-defined VRF.
- int_name - Interface type and number. Options include:
- Ethernet e_num - Ethernet interface specified by e_num.
- Loopback l_num - Loopback interface specified by l_num.
- Management m_num - Management interface specified by m_num.
- Port-channel p_num - Port-channel interface specified by p_num.
- Tunnel tunnel_number - Tunnel interface specified by tunnel_number.
- Vlan v_num - VLAN interface specified by v_num.
Example
switch(config)# ip radius source-interface loopback 0
switch(config)#
ip tacacs source-interface
The ip tacacs source-interface command specifies the interface from which the IPv4 address is derived for use as the source for outbound TACACS+ packets. When a source interface is not specified, the switch selects an interface.
The no ip tacacs source-interface and default ip tacacs source-interface commands remove the ip tacacs source-interface command from running-config.
Command Mode
Global Configuration
Command Syntax
ip tacacs [VRF_INST] source-interface INT_NAME
no ip tacacs [VRF_INST] source-interface
default ip tacacs [VRF_INST] source-interface
- VRF_INST - Specifies the VRF instance used to communicate with the specified server.
- no parameter - The switch communicates with the server using the default VRF.
- vrf vrf_name - The switch communicates with the server using the specified user-defined VRF.
- INT_NAME - Interface type and number. Options include:
- interface ethernet e_num - Ethernet interface specified by e_num.
- interface loopback l_num - Loopback interface specified by l_num.
- interface management m_num - Management interface specified by m_num.
- interface port-channel p_num - Port-channel interface specified by p_num.
- interface vlan v_num - VLAN interface specified by v_num.
switch(config)# ip tacacs source-interface loopback 0
switch(config)#
no <sequence number> (Role)
The no <sequence number> command removes the rule with the specified sequence number from the configuration-mode role. The default <sequence number> command also removes the specified rule.
Command Mode
Role Configuration
Command Syntax
no sequence_num
default sequence_num
Parameters
sequence_num - Sequence number of the rule to be deleted. Values range from 1 to 256.
Guidelines
Role statement changes are saved to running-config only upon exiting Role configuration mode.
Related Command
The role command places the switch in Role configuration mode.
switch(config)# show users roles sysuser
The default role is network-operator
role: sysuser
10 deny mode exec command reload
20 deny mode config command (no |default )?router
30 deny mode config command (no |default )?(ip|mac) access-list
40 deny mode if command (no |default )?(ip|mac) access-group
50 deny mode config-all command lacp|spanning-tree
60 permit command .*
switch(config)# role sysuser
switch(config-role-sysuser)# no 30
switch(config-role-sysuser)# exit
switch(config)# show users roles sysuser
The default role is network-operator
role: sysuser
10 deny mode exec command reload
20 deny mode config command (no |default )?router
40 deny mode if command (no |default )?(ip|mac) access-group
50 deny mode config-all command lacp|spanning-tree
60 permit command .*
switch(config)#
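The rule semantics spelled out in the deny (Role) and no <sequence number> (Role) sections, and the sysuser role shown above, can be exercised end to end. The following added example (not EOS code) models a role as an ordered list of numbered rules, evaluates a command in a given mode by first match, assigns last-plus-10 sequence numbers, and removes a rule by number. Mode and Rule are modelled here: a mode has a short key (exec, config, if, ...) and a long key (config-if-Et1, ...); 'exec' matches modes with short key exec, 'config' the global configuration mode, 'config-all' any mode whose long key starts with config, and any other mode name is tried as an exact short key and then as a regular expression over the long key. Command patterns are searched anywhere in the command line and a command that matches no rule is denied; both are assumptions made for this illustration.

```python
"""Role rule evaluation as described for deny (Role) and no <sequence number>
(Role): rules are ordered by sequence number, the first matching rule decides,
an unnumbered rule gets the last sequence number plus 10, and 'no <seq>'
removes a rule.

Added example, not EOS code. The Mode/Rule model, search-anywhere command
matching and deny-on-no-match are assumptions made for this illustration.
"""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Mode:
    short_key: str     # e.g. "exec", "config", "if"
    long_key: str      # e.g. "exec", "config", "config-if-Et1"


@dataclass(frozen=True)
class Rule:
    seq: int
    action: str                 # "deny" or "permit"
    mode: Optional[str]         # None = all command modes
    command: str                # regular expression over the command line

    def matches(self, mode: Mode, command: str) -> bool:
        return self._mode_matches(mode) and re.search(self.command, command) is not None

    def _mode_matches(self, mode: Mode) -> bool:
        if self.mode is None:
            return True
        if self.mode == "exec":
            return mode.short_key == "exec"
        if self.mode == "config":
            return mode.long_key == "config"
        if self.mode == "config-all":
            return mode.long_key.startswith("config")
        if self.mode == mode.short_key:                              # exact short-key match
            return True
        return re.fullmatch(self.mode, mode.long_key) is not None     # long-key regex


class Role:
    MAX_SEQ = 256

    def __init__(self, name: str):
        self.name = name
        self.rules = []

    def add(self, action: str, command: str, mode: Optional[str] = None,
            seq: Optional[int] = None) -> Rule:
        """'[SEQ] deny|permit [mode M] command REGEX'."""
        if seq is None:
            seq = self.rules[-1].seq + 10 if self.rules else 10
        if not 1 <= seq <= self.MAX_SEQ:
            raise ValueError(f"sequence number {seq} outside 1..{self.MAX_SEQ}")
        self.remove(seq)                      # re-using a number replaces that rule
        rule = Rule(seq, action, mode, command)
        self.rules.append(rule)
        self.rules.sort(key=lambda r: r.seq)
        return rule

    def remove(self, seq: int) -> bool:
        """'no <sequence number>'; returns True if a rule was removed."""
        before = len(self.rules)
        self.rules = [r for r in self.rules if r.seq != seq]
        return len(self.rules) != before

    def authorize(self, mode: Mode, command: str) -> tuple:
        """(permitted, sequence number of the deciding rule); no match -> denied."""
        for rule in self.rules:
            if rule.matches(mode, command):
                return rule.action == "permit", rule.seq
        return False, None


EXEC = Mode("exec", "exec")
CONFIG = Mode("config", "config")
IF_ET1 = Mode("if", "config-if-Et1")


def sysuser_role() -> Role:
    """The sysuser role shown in the show users roles output above."""
    role = Role("sysuser")
    role.add("deny", "reload", mode="exec")                                  # 10
    role.add("deny", "(no |default )?router", mode="config")                 # 20
    role.add("deny", "(no |default )?(ip|mac) access-list", mode="config")   # 30
    role.add("deny", "(no |default )?(ip|mac) access-group", mode="if")      # 40
    role.add("deny", "lacp|spanning-tree", mode="config-all")                # 50
    role.add("permit", ".*")                                                 # 60
    return role


if __name__ == "__main__":
    role = sysuser_role()
    print(role.authorize(CONFIG, "ip access-list foo"))   # denied by rule 30
    role.remove(30)                                       # 'no 30', as in the session above
    print(role.authorize(CONFIG, "ip access-list foo"))   # now permitted by rule 60
```

Because evaluation stops at the first match, a permit .* rule placed at a low sequence number would shadow every deny after it; keeping the catch-all last, as the sysuser role does, is what makes the deny rules effective.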
radius proxy client group client
The radius proxy client group client command configures RADIUS Proxy client groups on the switch.
Command Mode
RADIUS Proxy Configuration Mode
Command Syntax
radius proxy client group group_name client [host host_name | ipv4 ipv4_addr | ipv6 ipv6_addr]
Parameters
- group group_name - Specify a name for the client group.
- client - Specify one of the following client parameters:
- host host_name - Specify the client by hostname.
- ipv4 ipv4_addr | ipv4_prefix - Specify an IPv4 address or IPv4 prefix.
- ipv6 ipv6_addr | ipv6_prefix - Specify an IPv6 address or IPv6 prefix.
Example
Use the following commands to enter RADIUS Proxy Configuration Mode on a switch and add the IPv4 address 192.168.1.25 as a client of the group MyGroup.
switch(config)#radius proxy
switch(config-radius-proxy)#client group MyGroup
switch(config-rp-cg-MyGroup)#client ipv4 192.168.1.25
radius proxy client group server
The radius proxy client group server command configures RADIUS Proxy server groups on the switch.
Command Mode
RADIUS Proxy Configuration Mode
Command Syntax
radius proxy client group group_name server group_name
Parameters
- group group_name - Specify a name for the client group.
- server group_name - Specify the server group name.
Example
Use the following commands to enter RADIUS Proxy Configuration Mode on a switch and assign the server group RADIUS_SG1 to the client group MyGroup.
switch(config)#radius proxy
switch(config-radius-proxy)#client group MyGroup
switch(config-rp-cg-MyGroup)#server group RADIUS_SG1
radius proxy client key
The radius proxy client key command enters the RADIUS Proxy Configuration Mode on a switch and allows the configuration of a global client key.
Command Mode
RADIUS Proxy Configuration Mode
Command Syntax
radius proxy client key [0 | 7 | 8a] line
Parameters
- key - Specify a client secret key up to 128 characters in length.
- 0 - Specify if the key string is unencrypted.
- 7 - Specify if a hidden key follows.
- 8a - Specifies that an AES-256-GCM encrypted key follows.
- line - Specifies that the key text is unobfuscated.
Example
Use the following commands to enter RADIUS Proxy Configuration Mode on a switch and configure an unencrypted (type 0) client key with the key text SuperSecretKey:
switch(config)#radius proxy
switch(config-radius-proxy)#client key 0 SuperSecretKey
radius proxy client session
The radius proxy client session command, entered in RADIUS Proxy Configuration Mode, configures the client session idle-timeout parameter.
Command Mode
RADIUS Proxy Configuration Mode
Command Syntax
radius proxy client session idle-timeout seconds seconds
Parameters
- idle-timeout seconds seconds - Configure the minimum time to wait before clearing the client session.
Example
Use the following command to enter the RADIUS Proxy Configuration Mode on a switch and add a session idle-timeout of 300 seconds:
switch(config)#radius proxy
switch(config-radius-proxy)#client session idle-timeout 300 seconds
radius proxy dynamic-authorization
The radius proxy dynamic-authorization command, entered in RADIUS Proxy Configuration Mode, enables dynamic authorization for RADIUS proxy server groups.
Command Mode
RADIUS Proxy Configuration Mode
Command Syntax
radius proxy dynamic-authorization
Parameters
- dynamic-authorization - Enable dynamic authorization for RADIUS proxy servers.
Example
Use the following command to enter the RADIUS Proxy Configuration Mode on a switch and enable dynamic authorization:
switch(config)#radius proxy
switch(config-radius-proxy)#dynamic-authorization
radius-server deadtime
The radius-server deadtime command defines the global deadtime period, during which the switch ignores a non-responsive RADIUS server. A non-responsive server is one that fails to answer any retransmission attempt after a timeout expires. Deadtime is disabled if a value is not configured.
The no radius-server deadtime and default radius-server deadtime commands restore the default global deadtime period of three minutes by removing the radius-server deadtime command from running-config.
Command Mode
Global Configuration
Command Syntax
radius-server deadtime dead_interval
no radius-server deadtime
default radius-server deadtime
Parameter
dead_interval period (minutes) during which the switch ignores non-responsive servers. Values range from 1 to 1000. Default is 3.
switch(config)# radius-server deadtime 120
switch(config)#
radius-server host
The radius-server host command sets parameters for communicating with a specific RADIUS server. These values override global settings when the switch communicates with the specified server.
A RADIUS server is defined by its server address, authorization port, and accounting port. Servers with different address-authorization port-accounting port combinations have separate configurations.
The no radius-server host and default radius-server commands remove settings for the RADIUS server configuration at the specified address-authorization port-accounting port location by deleting the corresponding radius-server host command from running-config.
Command Mode
Global Configuration
Command Syntax
radius-server host ADDR [VRF_INST][AUTH][ACCT][TIMEOUT][DEAD][RETRAN][ENCRYPT]
no radius-server host [ADDR][VRF_INST][AUTH][ACCT]
default radius-server host [ADDR][VRF_INST][AUTH][ACCT]
- ADDR RADIUS server location. Options include:
- ipv4_addr server's IPv4 address.
- host_name server's DNS host name (FQDN).
- VRF_INST specifies the VRF instance used to communicate with the specified server.
- no parameter switch communicates with the server using the default VRF.
- vrf vrf_name switch communicates with the server using the specified user-defined VRF.
- AUTH Authorization port number.
- no parameter default port of 1812.
- auth-port number number ranges from 1 to 65535.
- ACCT Accounting port number.
- no parameter default port of 1813.
- acct-port number numbers range from 1 to 65535.
- TIMEOUT timeout period (seconds). Ranges from 1 to 1000.
- no parameter assigns global timeout value (see radius-server timeout).
- timeout number assigns number as the timeout period. Ranges from 1 to 1000.
- DEAD period (minutes) when the switch ignores a non-responsive RADIUS server.
- no parameter assigns global deadtime value (see radius-server deadtime ).
- deadtime number specifies deadtime, where number ranges from 1 to 1000.
- RETRAN attempts to access RADIUS server after the first timeout expiry.
- no parameter assigns global retransmit value (see radius-server retransmit).
- retransmit number specifies number of attempts, where number ranges from 1 to 100.
- ENCRYPT encryption key that switch and server use to communicate.
- no parameter assigns global encryption key (see radius-server key).
- key key_text where key_text is in clear text.
- key 5 key_text where key_text is in clear text.
- key 7 key_text where key_text is provided as an encrypted string.
- This command configures the switch to communicate with the RADIUS server located at 10.1.1.5. The switch uses the global timeout, deadtime, retransmit, and key settings to communicate with this server, and communicates through port 1812 for authorization and 1813 for accounting.
switch(config)# radius-server host 10.1.1.5
switch(config)#
- This command configures the switch to communicate with the RADIUS server assigned the host name RAD-1. Communication for authorization is through port 1850; communication for accounting is through port 1813 (the default).
switch(config)# radius-server host RAD-1 auth-port 1850
switch(config)#
radius-server key
The radius-server key command defines the global encryption key the switch uses when communicating with any RADIUS server for which a key is not defined.
The no radius-server key and default radius-server key commands remove the global key from running-config.
Command Mode
Global Configuration
Command Syntax
radius-server key [ENCRYPT_TYPE] encrypt_key
no radius-server key
default radius-server key
- ENCRYPT_TYPE encryption level of encrypt_key.
- no parameter encryption key is entered as clear text.
- 0 encryption key is entered as clear text. Equivalent to no parameter.
- 7 encrypt_key is an encrypted string.
- encrypt_key shared key that authenticates the username.
- encrypt_key must be in clear text if ENCRYPT_TYPE specifies clear text.
- encrypt_key must be an encrypted string if ENCRYPT_TYPE specifies an encrypted string.
Encrypted strings entered through this parameter are generated elsewhere.
Related Command
- This command configures cv90jr1 as the global encryption key.
switch(config)# radius-server key 0 cv90jr1
switch(config)#
- This command assigns cv90jr1 as the key by specifying the corresponding encrypted string.
switch(config)# radius-server key 7 020512025B0C1D70
switch(config)#
radius-server retransmit
The radius-server retransmit command defines the global retransmit count, which specifies the number of times the switch attempts to access the RADIUS server after the first timeout expiry.
The no radius-server retransmit and default radius-server retransmit commands restore the global retransmit count to its default value of three by deleting the radius-server retransmit command from running-config.
Command Mode
Global Configuration
Command Syntax
radius-server retransmit count
no radius-server retransmit
default radius-server retransmit
Parameters
count retransmit attempts after first timeout expiry. Values range from 1 to 100. Default is 3.
Related Command
switch(config)# radius-server retransmit 5
switch(config)#
radius-server timeout
The radius-server timeout command defines the global timeout the switch uses when communicating with any RADIUS server for which a timeout is not defined.
The no radius-server timeout and default radius-server timeout commands restore the global timeout default period of five seconds by removing the radius-server timeout command from running-config.
Command Mode
Global Configuration
Command Syntax
radius-server timeout time_period
no radius-server timeout
default radius-server timeout
Parameters
time_period timeout period (seconds). Values range from 1 to 1000. Default is 5.
Related Commands
switch(config)# radius-server timeout 50
switch(config)#
resequence (Role)
The resequence command assigns sequence numbers to rules in the configuration mode role. Command parameters specify the number of the first rule and the numeric interval between consecutive rules.
The maximum sequence number is 256.
Command Mode
Role Configuration
Command Syntax
resequence start_num inc_num
- start_num sequence number assigned to the first rule. Value ranges from 1 to 256. Default is 10.
- inc_num numeric interval between consecutive rules. Value ranges from 1 to 256. Default is 10.
Guidelines
Role statement changes are saved to running-config only upon exiting Role configuration mode.
Related Command
The role command places the switch in Role configuration mode.
switch(config)# show users roles sysuser
The default role is network-operator
role: sysuser
10 deny mode exec command reload
20 deny mode config command (no |default )?router
40 deny mode if command (no |default )?(ip|mac) access-group
50 deny mode config-all command lacp|spanning-tree
60 permit command .*
switch(config)# role sysuser
switch(config-role-sysuser)# resequence 15 5
switch(config-role-sysuser)# exit
switch(config)# show users roles sysuser
The default role is network-operator
role: sysuser
15 deny mode exec command reload
20 deny mode config command (no |default )?router
25 deny mode if command (no |default )?(ip|mac) access-group
30 deny mode config-all command lacp|spanning-tree
35 permit command .*
switch(config)#
permit (Role)
The permit command adds a permit rule to the configuration mode role. Permit rules authorize access to specified commands for usernames to which the role is applied. Sequence numbers determine rule placement in the role. A command is compared sequentially to the rules within a role until it matches one; the first matching rule determines the command's authorization. EOS derives sequence numbers for rules entered without numbers by adding 10 to the number of the role's last rule.
Permit rules use regular expressions to denote commands. A mode parameter specifies the command modes for authorized commands. EOS denotes modes either by predefined keywords, a command mode's short key, or a regular expression that specifies the long key of one or more command modes.
The no permit and default permit commands remove the specified rule from the configuration mode role. The no <sequence number> (Role) command also removes the specified rule from the role.
Command Mode
Role Configuration
Command Syntax
[SEQ_NUM] permit [MODE_NAME] command command_name
no permit [MODE_NAME] command command_name
default permit [MODE_NAME] command command_name
- SEQ_NUM - The sequence number assigned to the rule. Options include the following:
- <no parameter> - A number derived by adding 10 to the number of the role's last rule.
- <1 - 256> - A number assigned to the entry.
- MODE_NAME - The command mode that authorizes command access. Values include the following:
- no parameter - All command modes.
- mode short_name - The exact match of a mode's short-key name.
- mode long_name - A regular expression matching the long-key name of one or more modes.
- mode config - The Global configuration mode.
- mode config-all - All configuration modes, including global configuration mode.
- mode exec - EXEC and Privileged EXEC modes.
- command_name - Regular expression that denotes the name of one or more commands.
Guidelines
- %p Short-mode key.
- %P Long-mode key.
Permit statements save to the running-config only when exiting Role configuration mode.
Related Commands
The role command places the switch in the Role Configuration Mode.
switch(config)# role sysuser
switch(config-mode-sysuser)# permit mode if-Vl(1|2) command .*
switch(config-mode-sysuser)#
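The first-match evaluation described for permit and deny rules, and the renumbering done by resequence, as an added Python example that is not part of the EOS documentation: it parses the sysuser and network-operator role listings shown on this page, decides whether a command in a given mode is authorized, and renumbers the rules the way resequence 15 5 does. Assumptions, labelled in the code: the command regular expression is applied with an unanchored search (the reading under which the built-in rule bash|\| denies piped commands), a mode regular expression must match the whole long key, the Mode model of short key, long key and configuration flag is a simplification, and a command that matches no rule is denied.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Role listings constructed from the 'show users roles' output on this page.
SYSUSER_ROLE = r"""
10 deny mode exec command reload
20 deny mode config command (no |default )?router
40 deny mode if command (no |default )?(ip|mac) access-group
50 deny mode config-all command lacp|spanning-tree
60 permit command .*
"""
NETWORK_OPERATOR_ROLE = r"""
10 deny mode exec command bash|\|
20 permit mode exec command .*
"""
MAX_SEQ = 256  # maximum sequence number given for resequence

@dataclass(frozen=True)
class Rule:
    seq: int
    action: str           # "permit" or "deny"
    mode: Optional[str]   # None = all modes; else keyword, short key or long-key regex
    command: str          # regular expression applied to the command line

@dataclass(frozen=True)
class Mode:
    # Assumed model of an EOS command mode: its short key, long key and whether
    # it is a configuration mode (global config or any sub-configuration mode).
    short: str            # e.g. "exec", "config", "if"
    long: str             # e.g. "if-Vl1"
    is_config: bool

RULE_RE = re.compile(r"^(\d+)\s+(permit|deny)\s+(?:mode\s+(\S+)\s+)?command\s+(.+)$")

def parse_role(listing: str) -> list[Rule]:
    """Parse the rule lines of a 'show users roles' listing, ordered by sequence number."""
    rules = []
    for line in listing.splitlines():
        line = line.strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if m is None:
            raise ValueError(f"unparsable rule: {line!r}")
        rules.append(Rule(int(m[1]), m[2], m[3], m[4]))
    return sorted(rules, key=lambda r: r.seq)

def mode_matches(rule_mode: Optional[str], mode: Mode) -> bool:
    """MODE_NAME semantics: keyword, exact short key, or regex over the long key."""
    if rule_mode is None:
        return True                      # no mode parameter: all command modes
    if rule_mode == "exec":
        return mode.short == "exec"      # EXEC and Privileged EXEC
    if rule_mode == "config":
        return mode.short == "config"    # global configuration mode only
    if rule_mode == "config-all":
        return mode.is_config            # every configuration mode
    if rule_mode == mode.short:
        return True                      # exact match of a mode's short key
    return re.fullmatch(rule_mode, mode.long) is not None  # assumed: whole long key

def authorize(rules: list[Rule], mode: Mode, command: str) -> tuple[bool, Optional[int]]:
    """First matching rule decides; returns (permitted, seq of the deciding rule).
    Assumed: the command regex is applied with an unanchored search, and a command
    matching no rule is denied (seq None)."""
    for rule in rules:
        if mode_matches(rule.mode, mode) and re.search(rule.command, command):
            return rule.action == "permit", rule.seq
    return False, None

def next_sequence(rules: list[Rule]) -> int:
    """Number EOS gives a rule entered without one: 10 past the role's last rule."""
    return rules[-1].seq + 10 if rules else 10

def resequence(rules: list[Rule], start_num: int = 10, inc_num: int = 10) -> list[Rule]:
    """Renumber the rules like 'resequence start_num inc_num', keeping their order."""
    for value in (start_num, inc_num):
        if not 1 <= value <= MAX_SEQ:
            raise ValueError(f"{value} is outside 1..{MAX_SEQ}")
    renumbered = []
    for i, rule in enumerate(rules):
        seq = start_num + i * inc_num
        if seq > MAX_SEQ:
            raise ValueError(f"rule {rule.seq} would exceed sequence number {MAX_SEQ}")
        renumbered.append(Rule(seq, rule.action, rule.mode, rule.command))
    return renumbered

# Constructed modes for trying the roles out.
EXEC = Mode("exec", "exec", False)
CONFIG = Mode("config", "config", True)
IF_VL1 = Mode("if", "if-Vl1", True)

if __name__ == "__main__":
    sysuser = parse_role(SYSUSER_ROLE)
    print(authorize(sysuser, EXEC, "reload"), authorize(sysuser, EXEC, "show version"))
    print([r.seq for r in resequence(sysuser, 15, 5)])  # [15, 20, 25, 30, 35]
```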
role
The role command places the switch in Role Configuration Mode, which is a group-change mode that modifies a role. A role is a data structure that supports local command authorization through its assignment to user accounts. Roles consist of permit and deny rules that define authorization levels for specified commands. Applying a role to a username authorizes the user to execute commands specified by the role.
The role command specifies the name of the role that subsequent commands modify and creates a role if it references a nonexistent role. All changes in a group change mode edit session are pending until the session ends:
- The exit command saves pending changes to running-config and returns the switch to Global Configuration Mode. Changes are also saved by entering a different configuration mode.
- The abort command discards pending changes, returning the switch to Global Configuration Mode.
The no role and default role commands delete the specified role by removing the role and its statements from running-config.
Command Mode
Global Configuration
Command Syntax
role role_name
no role role_name
default role role_name
Parameter
role_name Name of role.
Commands Available in Role Configuration Mode:
Related Commands
- This command places the switch in Role configuration mode to modify the speaker role.
switch(config)# role speaker
switch(config-role-speaker)#
- This command saves changes to the speaker role, then returns the switch to Global configuration mode.
switch(config-role-speaker)# exit
switch(config)#
- This command discards changes to speaker, then returns the switch to Global configuration mode.
switch(config-role-speaker)# abort
switch(config)#
server (server-group-RADIUS configuration mode)
The server (server-group-RADIUS configuration mode) command adds the specified RADIUS server to the configuration-mode group. Servers must be configured with the radius-server host command before adding them to the server group.
A RADIUS server is defined by its server address, authorization port, and accounting port. A group can contain multiple servers with the same IP address that have different authorization or accounting ports.
The no server and default server commands remove the specified server from the group.
Command Mode
Server-Group-RADIUS Configuration
Command Syntax
server LOCATION [VRF_INST][AUTH][ACCT]
no server LOCATION [VRF_INST][AUTH][ACCT]
default server LOCATION [VRF_INST][AUTH][ACCT]
- LOCATION RADIUS server location. Options include:
- ipv4_addr server's IPv4 address.
- host_name server's DNS host name (FQDN).
- VRF_INST specifies the VRF instance used to communicate with the specified server.
- no parameter switch communicates with the server using the default VRF.
- vrf vrf_name switch communicates with the server using the specified user-defined VRF.
- AUTH Authorization port number.
- no parameter default port of 1812.
- auth-port number number ranges from 1 to 65535.
- ACCT Accounting port number.
- no parameter default port of 1813.
- acct-port number number ranges from 1 to 65535.
Related Commands
The aaa group server radius command places the switch in Server-group-RADIUS Configuration mode.
switch(config)# aaa group server radius RAD-SV1
switch(config-sg-radius-RAD-SV1)# server RAC-1
switch(config-sg-radius-RAD-SV1)# server 10.1.5.14 acct-port 1851
switch(config-sg-radius-RAD-SV1)#
server (server-group-TACACS+ configuration mode)
The server (server-group-TACACS+ configuration mode) command adds the specified TACACS+ server to the configuration-mode group. Servers must be configured with the tacacs-server host command before adding them to the server group.
A TACACS+ server is defined by its server address and port number. Servers with different address-port combinations have separate statements in running-config.
The no server and default server commands remove the specified server from the group.
Command Mode
Server-group-TACACS+ Configuration
Command Syntax
server LOCATION [VRF_INST][PORT]
no server LOCATION [VRF_INST][PORT]
default server LOCATION [VRF_INST][PORT]
- LOCATION TACACS+ server location. Options include:
- ipv4_addr server's IPv4 address.
- ipv6_addr server's IPv6 address.
- host_name server's DNS host name (FQDN).
- VRF_INST specifies the VRF instance used to communicate with the specified server.
- no parameter switch communicates with the server using the default VRF.
- vrf vrf_name switch communicates with the server using the specified user-defined VRF.
- PORT TCP connection port number.
- no parameter default port of 49.
- port number number ranges from 1 to 65535.
Related Command
The aaa group server tacacs+ command places the switch in Server-group-TACACS+ configuration mode.
switch(config)# aaa group server tacacs+ TAC-GR
switch(config-sg-tacacs+-TAC-GR)# server TAC-1
switch(config-sg-tacacs+-TAC-GR)# server 10.1.4.14
switch(config-sg-tacacs+-TAC-GR)#
show aaa
The show aaa command displays the user database. The command displays the encrypted enable password first, followed by a table of usernames and their corresponding encrypted password.
The command does not display unencrypted passwords.
Command Mode
Privileged EXEC
Command Syntax
show aaa
switch# show aaa
Enable password (encrypted): $1$UL4gDWy6$3KqCPYPGRvxDxUq3qA/Hs/
Username Encrypted passwd
-------- ----------------------------------
admin
janis $1$VVnDH/Ea$iwsfnrGNO8nbDsf0tazp9/
thomas $1$/MmXTUil$.fJxLfcumzppNSEDVDWq9.
switch#
show aaa authentication lockout
The show aaa authentication lockout command displays the status of locked-out users, that is, users who failed to log in within the specified number of login attempts and time period.
Command Mode
Privileged EXEC
Command Syntax
show aaa authentication lockout
Example
switch# show aaa authentication lockout
User Start Time End Time Expires In
--------- ------------------------- ------------------------- ----------
alice Fri Jul 12 17:50:06 2020 Fri Jul 12 17:51:06 2020 0:00:58
show aaa counters
The show aaa counters command displays the number of service transactions performed by the switch since the last time the counters were reset.
Command Mode
Privileged EXEC
Command Syntax
show aaa counters
switch# show aaa counters
Authentication
Successful: 30
Failed: 0
Service unavailable: 0
Authorization
Allowed: 188
Denied: 0
Service unavailable: 0
Accounting
Successful: 0
Error: 0
Pending: 0
Last time counters were cleared: never
switch#
show aaa methods
The show aaa methods command displays all the named method lists defined in the specified Authentication, Authorization, and Accounting (AAA) service.
Command Mode
Privileged EXEC
Command Syntax
show aaa methods SERVICE_TYPE
Parameters
- accounting accounting services.
- authentication authentication services.
- authorization authorization services.
- all accounting, authentication, and authorization services.
switch# show aaa methods all
Authentication method lists for LOGIN:
name=default methods=group tacacs+, local
Authentication method list for ENABLE:
name=default methods=local
Authorization method lists for COMMANDS:
name=privilege0-15 methods=group tacacs+, local
Authentication method list for EXEC:
name=exec methods=group tacacs+, local
Accounting method lists for COMMANDS:
name=privilege0-15 default-action=none
Accounting method list for EXEC:
name=exec default-action=none
switch#
show management ldap
The show management ldap command displays information about the LDAP configuration.
Command Mode
EXEC
Command Syntax
show management ldap
Parameter
no parameter state of the system.
- The following command shows general information for LDAP.
switch# show management ldap
LDAP server: prod-dc-hq1.aristanetworks.com/389
Binds requested: 6
Binds successful: 6
Binds failed: 0
Binds timed out: 0
FIPS is ON
Last time counters were cleared: 1:16:41 ago
- The authentication action in LDAP is the bind, which is equivalent to attempting a log-in. There will be two binds per login attempt, one for the admin account and one for the user account.
- The FIPS mode is controlled by the SSL profile in AAA. To validate an SSL profile use the following:
switch# show management security ssl profile
Profile State
----------------- -----------
testProfile valid
- To verify that a user account's authorization is being performed by LDAP, use "show users detail":
switch# show users detail
Session Username Roles TTY State Duration Auth Remote Host
-------- --------- ------------- ---- ----- --------- ---------- ---------------------------------------
1006 erahn network-admin vty3 E 0:00:05 group ldap fd7a:629f:52a4:dc25:b08d:feff:feed:2ce7
- To validate the role for a current session, the vty information in the TTY column must be matched against the Line column in the following command. The row with a "*" character at the start is the current session where the command was run:
switch# show users
Line User Host(s) Idle Location
1 con 0 admin idle 01:19:00 -
2 vty 10 srv-sw-ldaptest idle 01:19:00 172.16.124.151
* 3 vty 3 erahn idle 00:00:04 fd7a:629f:52a4:dc25:b08d:feff:feed:2ce7
show privilege
The show privilege command displays the current privilege level for the CLI session.
Command Mode
EXEC
Command Syntax
show privilege
switch> show privilege
Current privilege level is 15
switch>
show radius
The show radius command displays statistics for the RADIUS servers that the switch accesses.
Command Mode
EXEC
Command Syntax
show radius
switch# show radius
RADIUS server : radius/10
Connection opens: 204
Connection closes: 0
Connection disconnects: 199
Connection failures: 10
Connection timeouts: 2
Messages sent: 1490
Messages received: 1490
Receive errors: 0
Receive timeouts: 0
Send timeouts: 0
Last time counters were cleared: never
switch#
show radius proxy client group
The show radius proxy client group command displays information about RADIUS proxy configurations.
Command Mode
Privileged EXEC
Command Syntax
show radius proxy client group group_name
Parameters
- group group_name - Display all RADIUS proxy client groups or specify a group name to see details about a specific group.
Example
Use the following command to display details about RADIUS proxy clients:
switch#show radius proxy client group
Radius Client Group : MyClientGroup
Last time counters were cleared : never
Client : 192.168.1.25, authentication port 1812, accounting port 1813, vrf default
Resolved IP address : 192.168.1.25/32
Messages received: 0
Messages sent: 0
Accept response sent: 0
Reject response sent: 0
Counting start received: 0
Interim updates received: 0
Accounting stop received: 0
Bad requests: 0
CoA requests sent: 0
DM requests sent: 0
CoA ACKs received: 0
DM ACKs received: 0
CoA NAKs received: 0
DM NAKs received: 0
Bad responses: 0
Connection errors: 0
show radius proxy server group
The show radius proxy server group command displays information about RADIUS proxy server group configurations.
Command Mode
Privileged EXEC
Command Syntax
show radius proxy server group group_name
Parameters
- group group_name - Display all RADIUS proxy server groups or specify a group name to see details about a specific group.
Example
Use the following command to display details about RADIUS proxy server groups:
switch#show radius proxy server group
Radius Server Group: MyServerGroup
Radius Server 1: RADIUS
Resolved IP address: 192.168.25.33
Status: active
show tacacs
The show tacacs command displays statistics for the TACACS+ servers that the switch accesses.
Command Mode
EXEC
Command Syntax
show tacacs
switch# show tacacs
TACACS+ server : tacacs/49
Connection opens: 15942
Connection closes: 7
Connection disconnects: 1362
Connection failures: 0
Connection timeouts: 0
Messages sent: 34395
Messages received: 34392
Receive errors: 0
Receive timeouts: 2
Send timeouts: 0
Last time counters were cleared: never
TACACS+ source-interface: Enabled
TACACS+ outgoing packets will be sourced with an IP address associated with the
Loopback0 interface
switch#
show users accounts
The show users accounts command displays the names, roles, and privilege levels of users that are listed in running-config. The SSH public key is also listed for names for which an SSH key is configured.
Command Mode
Privileged EXEC
Command Syntax
show users accounts
switch# show users accounts
user: FRED
role: <unknown>
privilege level: 1
ssh public key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDjUg2VDiBX7In0q
HtN5PyHOWtYvIoeZsxF5YmesQ/rh++mbpT504dL7So+Bpr9T/0qIj+zilat8fX/JlO42+3pjfkHY/+l
sT2EPNjGTK7uJv1wSGmhc3+90dNmJtr5YVlJFjjQ5m+5Pa+PGe3z4JIV1lY2NhLrV2fXtbciLdjnj6F
AlhXjiLt51DJhG13uUxGBJe0+NlGvpEsTJVJvMdJuS6weMi+xSXc9yQimVD2weJBHsYFnghST2j0pAy
F2S7/EOU13pY42RztDSs42nMNNrutPT0q5Z17aAKvhpd0dDlc+qIwrCrXbeIChHem7+0N8/zA3alBK4
eKSFSZBd3Pb admin@switch
switch#
user: JANE
role: sysuser2
privilege level: 1
user: admin
role: network-admin
privilege level: 1
show users detail
The show users detail command displays information about active AAA login sessions. Information includes username, roles, TTY, state of the session (pending or established), duration, authentication method, and if available, remote host and remote username.
Command Mode
Privileged EXEC
Command Syntax
show users detail
switch# show users detail
Session Username Roles TTY State Duration Auth Remote Host
------- ---------- ------------ ------ ----- -------- ------------- ------------
2 admin network-admin ttyS0 E 0:01:21 local
4 joe sysadmin telnet E 0:02:01 local sf.example.com
6 alice sysadmin ssh E 0:00:52 group radius ny.example.com
7 bob sysadmin ssh E 0:00:48 group radius la.example.com
8 kim network-admin1 ssh E 0:00:55 group radius de.example.com
9 admin network-admin ssh E 0:00:07 local bj.example.com
10 max network-admin telnet E 0:00:07 local sf.example.com
show users roles
The show users roles command displays the name of the default role and the contents of the specified roles. Commands that do not specify a role display the rules in all built-in and configured roles.
Command Mode
Privileged EXEC
Command Syntax
show users roles [ROLE_LIST]
Parameters
- no parameter Command displays all roles.
- role_name Name of role displayed by command.
Related Command
The role command places the switch in Role configuration mode, which is used to create new roles or modify existing roles.
switch# show users roles
The default role is network-operator
role: network-admin
10 permit command .*
role: network-operator
10 deny mode exec command bash|\|
20 permit mode exec command .*
role: sysuser
15 deny mode exec command reload
20 deny mode config command (no |default )?router
25 deny mode if command (no |default )?(ip|mac) access-group
30 deny mode config-all command lacp|spanning-tree
35 permit command .*
40 deny mode exec command .*
50 permit mode exec command show|clear (counters|platform)|configure
show users
The show users command displays the usernames that are currently logged into the switch.
Command Mode
Privileged EXEC
Command Syntax
show users
switch# show users
Line User Host(s) Idle Location
1 vty 2 john idle 1d 10.22.6.113
2 vty 4 jane idle 21:33:00 10.22.26.26
* 3 vty 6 ted idle 00:00:01 10.17.18.71
switch#
tacacs-server host
The tacacs-server host command sets communication parameters for communicating with a specific TACACS+ server. These values override global settings when the switch communicates with the specified server.
A TACACS+ server is defined by its server address and port number. Servers with different combinations of address-port-VRF-multiplex settings have separate statements in running-config.
The no tacacs-server host and default tacacs-server host commands remove settings for the TACACS+ server configuration at the specified address-port-VRF combination by deleting the corresponding tacacs-server host command from running-config.
Command Mode
Global Configuration
Command Syntax
tacacs-server host SERVER_ADDR [MULTIPLEX][VRF_INST][PORT][TIMEOUT][ENCRYPT]
no tacacs-server host [SERVER_ADDR][MULTIPLEX][VRF_INST][PORT]
default tacacs-server host [SERVER_ADDR][MULTIPLEX][VRF_INST][PORT]
- SERVER_ADDR TACACS+ server location. Options include:
- ipv4_addr server's IPv4 address.
- ipv6_addr server's IPv6 address.
- host_name server's DNS host name (FQDN).
- MULTIPLEX TACACS+ server support of multiplex sessions on a TCP connection.
- no parameter server does not support multiplexing.
- single-connection server supports session multiplexing.
- VRF_INST specifies the VRF instance used to communicate with the specified server.
- <no parameter> switch communicates with the server using the default VRF.
- vrf vrf_name switch communicates with the server using the specified user-defined VRF.
- PORT port number of the TCP connection.
- no parameter default port of 49.
- port number port number ranges from 1 to 65535.
- TIMEOUT timeout period (seconds).
- no parameter assigns the globally configured timeout value (see tacacs-server timeout ).
- timeout number timeout period (seconds). Number ranges from 1 to 1000.
- ENCRYPT encryption key the switch and server use to communicate. Settings include:
- no parameter assigns the globally configured encryption key (see tacacs-server key).
- key key_text where key_text is in clear text.
- key 5 key_text where key_text is in clear text.
- key 7 key_text where key_text is an encrypted string.
- This command configures the switch to communicate with the TACACS+ server located at 10.1.1.5. The switch uses the global timeout, encryption key, and port settings.
switch(config)# tacacs-server host 10.1.1.5
switch(config)#
- This command configures the switch to communicate with the TACACS+ server assigned the host name TAC_1. The switch defines the timeout period as 20 seconds and the encryption key as rp31E2v.
switch(config)# tacacs-server host TAC_1 timeout 20 key rp31E2v
switch(config)#
- This command configures the switch to communicate with the TACACS+ server located at 10.12.7.9, indicates that the server supports multiplexing sessions on the same TCP connection, and that access is through port 54.
switch(config)# tacacs-server host 10.12.7.9 single-connection port 54
switch(config)#
tacacs-server key
The tacacs-server key command defines the global encryption key the switch uses when communicating with any TACACS+ server for which a key is not defined.
The no tacacs-server key and default tacacs-server key commands remove the global key from running-config.
Command Mode
Global Configuration
Command Syntax
tacacs-server key [ENCRYPT_TYPE] encrypt_key
no tacacs-server key
default tacacs-server key
- ENCRYPT_TYPE encryption level of encrypt_key.
- no parameter encryption key is entered as clear text.
- 0 encryption key is entered as clear text. Equivalent to no parameter.
- 7 encrypt_key is an encrypted string.
- encrypt_key shared key that authenticates the username.
- encrypt_key must be in clear text if ENCRYPT_TYPE specifies clear text.
- encrypt_key must be an encrypted string if ENCRYPT_TYPE specifies an encrypted string.
Encrypted strings entered through this parameter are generated elsewhere.
Related Command
- This command configures cv90jr1 as the encryption key.
switch(config)# tacacs-server key 0 cv90jr1
switch(config)#
- This command assigns cv90jr1 as the key by specifying the corresponding encrypted string.
switch(config)# tacacs-server key 7 020512025B0C1D70
switch(config)#
tacacs-server policy
The tacacs-server policy command programs the switch to permit access to TACACS+ servers that send mandatory attribute-value (AV) pairs that the switch does not recognize. By default, the switch denies access to TACACS+ servers when it receives unrecognized AV pairs from the server.
The switch recognizes the following mandatory AV pairs:
priv-lvl=x where x is an integer between 0 and 15.
The no tacacs-server policy and default tacacs-server policy commands restore the switch default of denying access to servers from which it receives unrecognized mandatory AV pairs by deleting the tacacs-server policy statement from running-config.
Command Mode
Global Configuration
Command Syntax
tacacs-server policy unknown-mandatory-attribute ignore
no tacacs-server policy unknown-mandatory-attribute ignore
default tacacs-server policy unknown-mandatory-attribute ignore
switch(config)# tacacs-server policy unknown-mandatory-attribute ignore
switch(config)#
tacacs-server timeout
The tacacs-server timeout command defines the global timeout the switch uses when communicating with any TACACS+ server for which a timeout is not defined.
The no tacacs-server timeout and default tacacs-server timeout commands restore the global timeout default period of five seconds by removing the tacacs-server timeout command from running-config.
Command Mode
Global Configuration
Command Syntax
tacacs-server timeout time_period
no tacacs-server timeout
default tacacs-server timeout
Parameters
time_period timeout period (seconds). Values range from 1 to 1000. Default is 5.
Related Command
switch(config)# tacacs-server timeout 20
switch(config)#
username ssh-key
The username ssh-key command configures an SSH key for the specified username. Command options allow the key to be entered directly into the CLI or referenced from a file.
The specified username must be previously configured through a username command.
The no username ssh-key and default username ssh-key commands delete the SSH key for the specified username by removing the corresponding username ssh-key command from running-config.
The no username ssh-key role and default username ssh-key role commands perform the following:
- delete the SSH key for the specified username by removing the corresponding username ssh-key command from running-config.
- delete the role assignment from the specified username by editing the corresponding username statement in running-config.
Command Mode
Global Configuration
Command Syntax
username name sshkey KEY
no username name sshkey [role]
default username name sshkey [role]
- name username text that the user enters at the login prompt to access the CLI.
Valid usernames begin with A-Z, a-z, or 0-9 and may also contain any of these characters:
@ # $ % ^ & * - _ = + ; < > , . ~ |
- KEY SSH key. Options include:
- key_text username is associated with the SSH key specified by the key_text string.
- file key_file username is associated with the SSH key stored in the specified file.
switch(config)# username john secret x245
switch(config)# username john sshkey file john-ssh
switch(config)#
username
The username command adds a username to the local file and optionally assigns a password to the username. If the command specifies an existing username, the command replaces the password in the local file. The command can also define a username without a password or remove the password from a username.
The no username command deletes the specified username by removing the corresponding username statement from running-config. The default username command removes user-specified usernames, but restores the admin username to its default parameters.
The no username role command assigns the default role to the specified username by editing the corresponding username statement in running-config. The default username role command reverts the specified username to its default role by editing the corresponding username statement in running-config. For the admin username, this restores network-admin as its role, even if the admin username has been deleted and then created again.
Command Mode
Global Configuration
Command Syntax
username name [PRIVILEGE_LEVEL] SECURITY [ROLE_USER]
no username name [role]
default username name [role]
All parameters except name can be placed in any order.
Parameters
- name username text that the user enters at the login prompt to access the CLI.
Valid usernames begin with A-Z, a-z, or 0-9 and may also contain any of these characters:
@ # $ % ^ & * - _ = + ; < > , . ~ |
- PRIVILEGE_LEVEL user’s initial session privilege level. This parameter is used when an authorization command includes the local option.
- no parameter the privilege level is set to 1.
- privilege rank where rank is an integer between 0 and 15.
- SECURITY password assignment option.
- nopassword name is not password protected.
- secret password name is protected by specified password (clear-text string).
- secret 0 password name is protected by specified password (clear-text string).
- secret 5 password name is protected by specified password (MD5-encrypted string).
- secret sha5 password name is protected by specified password (SHA-512-encrypted string).
- ROLE_USER specifies the role for performing command authorization. Options include:
- no parameter user is assigned default role aaa authorization policy local default-role.
- role role_name specifies role assigned to the user.
Guidelines
Encrypted strings entered through the SECURITY parameter are generated outside the switch. The secret 5 option is typically used to enter a list of usernames and passwords from a script.
The SECURITY parameter is mandatory for unconfigured usernames. For previously configured users, the command can specify a PRIVILEGE_LEVEL or ROLE without a SECURITY setting.
username admin privilege 1 role network-admin nopassword
- These equivalent commands create the username john and assign it the password x245. The password is entered in clear text because the ENCRYPTION parameter is either omitted or zero.
switch(config)# username john secret x245
switch(config)# username john secret 0 x245
- This command creates the username john and assigns it to the text password that corresponds to the encrypted string $1$sU.7hptc$TsJ1qslCL7ZYVbyXNG1wg1. The string was generated by an MD5-encryption program using x245 as the seed.
switch(config)# username john secret 5 $1$sU.7hptc$TsJ1qslCL7ZYVbyXNG1wg1
switch(config)#
A user authenticates the username john by entering x245 when the CLI prompts for a password.
- This command creates the username jane without securing it with a password or removes a password if the jane username exists.
switch(config)# username jane nopassword
switch(config)#
- This command removes the username william from the local file.
switch(config)# no username william
switch(config)#
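The secret 5 string shown above is in the md5crypt ("$1$salt$hash") format, which is what a provisioning script would generate for the Guidelines' "list of username-passwords" case. The following is an added example, not EOS code or Arista's tooling: a pure-Python md5crypt implementation that produces and checks such strings (function names are my own, and the salt alphabet is the standard crypt(3) one).

```python
import hashlib
import secrets

# crypt(3) alphabet used for both the salt and the encoded digest.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def md5crypt(password: str, salt: str) -> str:
    """Return the md5crypt string "$1$<salt>$<hash>" accepted by 'secret 5'."""
    pw, magic, slt = password.encode(), b"$1$", salt[:8].encode()
    ctx = hashlib.md5(pw + magic + slt)
    alt = hashlib.md5(pw + slt + pw).digest()
    for i in range(len(pw), 0, -16):          # one alt byte per password byte
        ctx.update(alt[:min(16, i)])
    i = len(pw)
    while i:                                  # bit-walk over the length (spec quirk)
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for r in range(1000):                     # fixed 1000 rounds: low cost by today's standards
        c = hashlib.md5(pw if r & 1 else final)
        if r % 3:
            c.update(slt)
        if r % 7:
            c.update(pw)
        c.update(final if r & 1 else pw)
        final = c.digest()
    out = []                                  # rearranged 6-bit encoding -> 22 chars
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        v = (final[a] << 16) | (final[b] << 8) | final[c]
        for _ in range(4):
            out.append(ITOA64[v & 0x3F])
            v >>= 6
    v = final[11]
    for _ in range(2):
        out.append(ITOA64[v & 0x3F])
        v >>= 6
    return "$1$" + salt[:8] + "$" + "".join(out)


def verify_secret5(password: str, stored: str) -> bool:
    """Constant-time check of a clear-text password against a '$1$salt$hash' string."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[1] != "1":
        return False
    return secrets.compare_digest(md5crypt(password, parts[2]), stored)


def username_secret5_line(name: str, password: str, salt: str = "") -> str:
    """Build the 'username NAME secret 5 HASH' line a provisioning script would emit."""
    salt = salt or "".join(secrets.choice(ITOA64) for _ in range(8))
    return f"username {name} secret 5 {md5crypt(password, salt)}"
```

With a fresh random salt per user, the same clear-text password yields a different secret 5 string on every run, so the generated lines do not reveal which accounts share a password.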