User Security
AAA Configuration
- Authentication, Authorization, and Accounting Overview
- Configuring the Security Services
- Server Groups
- Role-Based Authorization
- AAA and X.509 Authentication
- Activating Security Services
- TACACS+ Configuration Examples
- AAA Accounting for OpenConfig Remote Procedure Call (RPC) Messages Overview
- AAA Commands
Authentication, Authorization, and Accounting Overview
Methods
The switch controls access to EOS commands by authenticating user identity and verifying user authorization. Authentication, Authorization, and Accounting (AAA) activities are conducted through three data services -a local security database, TACACS+ servers, and RADIUS servers. Configuring the Security Services describes these services.
Configuration Statements
Enabling AAA on the switch requires two steps:
- Configure security service parameters.
The switch provides configuration commands for each security service:
- A local file supports authentication through username and enable password commands.
- TACACS+ servers provide security services through tacacs-server commands.
- RADIUS servers provide security services through radius-server commands.
- Configuring the Security Services describes security service configuration commands.
- A local file supports authentication through username and enable password commands.
- Activate AAA services.
EOS provides aaa authorization, aaa authentication, and aaa accounting commands to select the primary and backup services. Activating Security Services provides information on implementing a security environment.
Encryption
The switch uses clear-text passwords and server access keys to authenticate users and communicate with security systems. To prevent accidental disclosure of passwords and keys, running-config stores their corresponding encrypted strings. The encryption method depends on the type of password or key.
Commands that configure passwords or keys can accept the clear-text password or an encrypted string that was generated by the specified encryption algorithm with the clear-text password as the seed.
Configuring the Security Services
The switch can access three security data services to authenticate users and authorize switch tasks: a local file, TACACS+ servers, and RADIUS Servers.
Local Security File
- authenticate users as they log into the switch.
- control access to configuration commands.
- control access to the switch root login.
The local file contains username-password combinations to authenticate users. Passwords also authorize access to configuration commands and the switch root login.
Passwords
- Clear-text passwords are the text that a user enters to access the CLI, configuration commands, or the switch root login.
- Encrypted strings are SHA-512-encrypted strings generated with the clear text as the seed. The local file stores passwords in this format to avoid unauthorized disclosure. When a user enters the clear-text password, the switch generates the corresponding secure hash and compares it to the stored version.
Note: The switch cannot recover the clear text from which an encrypted string is generated.
Valid passwords contain the characters A-Z, a-z, 0-9 and any of these punctuation characters:
! @ # $ % ^ & * ( ) - _ = + { } [ ] ; : < > , . ? / ~ \
Usernames
Usernames control access to the EOS and all switch commands. The switch is typically accessed through an SSH login, using a previously defined username-password combination. To create a new username or modify an existing username, use the username command.
Valid usernames begin with A-Z, a-z, or 0-9 and may also contain any of these characters:
@ # $ % ^ & * - _ = + ; < > , . ~ |
The default username is admin, which is described in Admin Username.
Examples
- These equivalent commands create the username john and assign it the password x245. The password is entered in clear text because the encrypt-type parameter is omitted or zero.
switch(config)# username john secret x245 switch(config)# username john secret 0 x245
- This command creates the username john and assigns it to the text password that corresponds to the encrypted string $1$sU.7hptc$TsJ1qslCL7ZYVbyXNG1wg1. The string was generated by an MD5-encryption program using x245 as the seed.
switch(config)# username john secret 5 $1$sU.7hptc$TsJ1qslCL7ZYVbyXNG1wg1
- This command creates the username jane without securing it with a password. It also removes a password if the jane username exists.
switch(config)# username jane nopassword
- This command removes the username william from the local file.
switch(config)# no username william
Logins by Unprotected Usernames
The default switch configuration allows usernames that are not password-protected to log in only from the console. The aaa authentication policy local allow-nopassword-remote-login command configures the switch to allow unprotected usernames to log in from any port. To reverse this setting to the default state, use no form of aaa authentication policy local allow-nopassword-remote-login.
Examples
- This command configures the switch to allow unprotected usernames to log in from any port.
switch(config)# aaa authentication policy local allow-nopassword-remote-login
- This command configures the switch to allow unprotected usernames to log in only from the console port.
switch(config)# no aaa authentication policy local allow-nopassword-remote-login
Enable Command Authorization
The enable command controls access to Privileged EXEC and all configuration command modes. The enable password authorizes users to execute the enable command. When the enable password is set, the CLI displays a password prompt when a user attempts to enter Privileged EXEC mode.
main-host> enable
Password:
main-host#
If an incorrect password is entered three times in a row, the CLI displays the EXEC mode prompt.
If no enable password is set, the CLI does not prompt for a password when a user attempts to enter Privileged EXEC mode.
To set the enable password, use the enable password command.
Examples
- These equivalent commands assign xyrt1 as the enable password.
switch(config)# enable password xyrt1 switch(config)# enable password 0 xyrt1
- This command assigns the enable password to the clear text 12345 corresponding to the encrypted string $1$8bPBrJnd$Z8wbKLHpJEd7d4tc5Z/6h/. The string was generated by an MD5-encryption program using 12345 as the seed.
switch(config)# enable password 5 $1$8bPBrJnd$Z8wbKLHpJEd7d4tc5Z/6h/
- This command deletes the enable password.
switch(config)# no enable password
Root Account Password
The root account accesses the root directory in the underlying Linux shell. When it is not password protected, you can log into the root account only through the console port. After you assign a password to the root account, you can log into it through any port.
To set the password for the root account, use the aaa root command.
Examples
- These equivalent commands assign f4980 as the root account password.
switch(config)# aaa root secret f4980 switch(config)# aaa root secret 0 f4980
- This command assigns the text ab234 that corresponds to the encrypted string $1$HW05LEY8$QEVw6JqjD9VqDfh.O8r.b. as the root password.
switch(config)# aaa root secret 5 $1$HW05LEY8$QEVw6JqjD9VqDfh.O8r.b
- This command removes the password from the root account.
switch(config)# aaa root nopassword
- This command disables the root login.
switch(config)# no aaa root
TACACS+
Terminal Access Controller Access-Control System Plus (TACACS+), derived from the TACACS protocol defined in RFC 1492, is a network protocol that provides centralized user validation services. TACACS+ information is maintained on a remote database. EOS support of TACACS+ services requires access to a TACACS+ server.
TACACS+ manages multiple network access points from a single server. The switch defines a TACACS+ server connection by its address and port, allowing the switch to conduct multiple data streams to a single server by addressing different ports on the server.
These sections describe steps that configure access to TACACS+ servers. Configuring TACACS+ access is most efficiently performed when TACACS+ is functioning prior to configuring switch parameters.
Configuring TACACS+ Parameters
TACACS+ parameters define settings for the switch to communicate with TACACS+ servers. A set of values can be configured for individual TACACS+ servers that the switch accesses. Global parameters define settings for communicating with servers for which parameters are not individually configured.
The switch supports the following TACACS+ parameters.
Encryption Key
- The tacacs-server host command defines the encryption key for a specified server.
- The tacacs-server key command defines the global encryption key.
Examples
- This command configures the switch to communicate with the TACACS+ server assigned the host name TAC_1 using the encryption key rp31E2v.
switch(config)# tacacs-server host TAC-1 key rp31E2v
- This command configures cv90jr1 as the global encryption key.
switch(config)# tacacs-server key 0 cv90jr1
- This command assigns cv90jr1 as the global key, using the corresponding encrypted string.
switch(config)# tacacs-server key 7 020512025B0C1D70
Session Multiplexing
- The tacacs-server host command configures the multiplexing option for a specified server.
- There is no global multiplexing setting.
Example
switch(config)# tacacs-server host 10.12.7.9 single-connection
Timeout
- The tacacs-server host command defines the timeout for a specified server.
- The tacacs-server timeout command defines the global timeout.
Examples
- This command configures the switch to communicate with the TACACS+ server assigned the host name TAC_1 and configures the timeout period as 20 seconds.
switch(config)# tacacs-server host TAC_1 timeout 20
- This command configures 40 seconds as the period that the server waits for a response from a TACACS+ server before issuing an error.
switch(config)# tacacs-server timeout 40
Port
- The tacacs-server host command specifies the port number for an individual TACACS+ server.
- The global TACACS+ port number cannot be changed from the default value of 49.
Example
switch(config)# tacacs-server host 10.12.7.9 port 54
TACACS+ Status
To display the TACACS+ servers and their interactions with the switch, use the show tacacs command.
Example
switch(config)# show tacacs
server1: 10.1.1.45
Connection opens: 15
Connection closes: 6
Connection disconnects: 6
Connection failures: 0
Connection timeouts: 2
Messages sent: 45
Messages received: 14
Receive errors: 2
Receive timeouts: 2
Send timeouts: 3
Last time counters were cleared: 0:07:02 ago
To reset the TACACS+ status counters, use the clear aaa counters tacacs+ command.
Example
switch(config)# clear aaa counters tacacs
RADIUS
Remote Authentication Dial-In User Service (RADIUS) is a networking protocol that provides centralized AAA services for computers connecting to and using network resources. RADIUS is used to manage access to the Internet, internal networks, wireless networks, and integrated email services.
These sections describe steps that configure RADIUS server access. Configuring RADIUS parameters is most efficiently performed when RADIUS is functioning prior to configuring switch parameters.
RADIUS Vendor-Specific Attribute-Value Pairs
RADIUS servers and client companies extend basic RADIUS functionality through vendor-specific attributes. A dictionary file includes a list of RADIUS attribute-value pairs that Arista switches use to perform AAA operations through the RADIUS server.
- Arista Vendor number: 30065
- Attribute: Arista-AVPair 1 string
- shell:priv-lvl=<privilege level of a user, 0-15>
- shell:roles=<list of roles for a user>
Example
#
# dictionary.arista
#
VENDOR Arista 30065
# Standard Attribute
BEGIN-VENDOR Arista
ATTRIBUTE Arista-AVPair 1 string
END-VENDOR Arista
Configuring RADIUS Defaults
RADIUS policies specify settings for the switch to communicate with RADIUS servers. A set of values can be configured for individual RADIUS servers that the switch accesses. Global parameters define settings for communicating with servers for which parameters are not individually configured.
The switch defines the following RADIUS parameters.
Encryption Key
- The radius-server host command defines the encryption key for a specified server.
- The radius-server key command specifies the global encryption key.
- This command configures the switch to communicate with the RADIUS server assigned the host name RAD-1 using the encryption key rp31E2v.
switch(config)# radius-server host RAD-1 key rp31E2v
- This command configures cv90jr1 as the global encryption key.
switch(config)# radius-server key 0 cv90jr1
- This command assigns cv90jr1 as the key by specifying the corresponding encrypted string.
switch(config)# radius-server key 7 020512025B0C1D70
Timeout
- The radius-server host command defines the timeout for a specified server.
- The radius-server key command defines the global timeout.
- This command configures the switch to communicate with the RADIUS server assigned the host name RAD-1 and configures the timeout period as 20 seconds.
switch(config)# radius-server host RAD-1 timeout 20
- This command configures 50 seconds as the period that the server waits for a response from a RADIUS server before issuing an error.
switch(config)# radius-server timeout 50
Retransmit
- The radius-server host command defines the retransmit for a specified server.
- The radius-server retransmit command defines the global retransmit value.
- This command configures the switch to communicate with the RADIUS server assigned the host name RAD-1 and configures the retransmit value as 2.
switch(config)# radius-server host RAD-1 retransmit 2
- This command configures the switch to attempt five RADIUS server contacts after the initial timeout. If the timeout parameter is set to 50 seconds, then the total period that the switch waits for a response is ((5+1)*50) = 300 seconds.
switch(config)# radius-server retransmit 5
Deadtime
- The radius-server host command defines the deadtime for a specified server.
- The radius-server deadtime command defines the global deadtime setting.
- This command configures the switch to communicate with the RADIUS server assigned the host name RAD-1 and configures the deadtime period as 90 minutes.
switch(config)# radius-server host RAD-1 deadtime 90
- This command programs the switch to ignore a server for two hours if the server does not respond to a request during the timeout-retransmit period.
switch(config)# radius-server deadtime 120
Port
- The radius-server host command specifies the port numbers for an individual RADIUS server.
- The global RADIUS port numbers cannot be changed from the default values of 1812 for an authorization port and 1813 for an accounting port.
Example
switch(config)# radius-server host RAD-1 auth-port 1850
switch(config)# radius-server host RAD-1 acct-port 1851
To remove the configuration for this server, use no radius-server host command and specify the hostname or IP address with both the authorization and accounting port numbers.
DSCP Support for CPU-generated Traffic
- RADIUS
- TACACS
- SNMP
- SSH
- sFlow
Configuring DSCP Value
The following commands are applicable to all platforms for configuring DSCP value.
This command configures the DSCP value of 62 for RADIUS-server.
switch(config)# radius-server qos dscp 62
This command configures the DSCP value of 36 for TACACS-server.
switch(config)# tacacs-server qos dscp 36
This command configures the DSCP value of 36 for snmp-server.
switch(config)# snmp-server qos dscp 36
This command configures the DSCP value of 36 for sFlow.
switch(config)# sFlow qos dscp 36
This command configures the DSCP value of 36 for snmp-server.
switch(config)# snmp-server qos dscp 36
RADIUS Status
The show radius command displays configured RADIUS servers and their interactions with the switch.
Examples
- This command lists the configured RADIUS servers.
switch(config)# show radius server1: 10.1.1.45 Messages sent: 24 Messages received: 20 Requests accepted: 14 Requests rejected: 8 Requests timeout: 2 Requests retransmitted: 1 Bad responses: 1 Last time counters were cleared: 0:07:02 ago
To reset the RADIUS status counters, use the clear aaa counters radius command.
- This command clears all RADIUS status counters.
switch(config)# clear aaa counters radius
AAA with LDAP
The switches support AAA with LDAP protocol for authentication and authorization using TLS communication with a remote LDAP server, and interoperates with Microsoft's ActiveDirectory when configured with LDAP plugins. LDAP authentication configuration is required for LDAP to work. AAA requests to servers are made in the order of their configuration. Once a server is marked as unreachable, it is tried only after all other servers are also found unreachable.
Configuring LDAP Authentication
For all platforms, the ldap command is configured from the management ldap mode and requires configuration files to provide remote authentication.
aaa authentication login default group ldap local
aaa authorization exec default group ldap local
!
management ldap
server host ldap-server.samplecompany.com
!
server defaults
base-dn dc=samplecompany,dc=com
rdn attribute user cn
ssl-profile testProfile
authorization group policy basic-role-example
search username cn=ldap-admin-acct,OU=ServiceAccounts,OU=Sample,dc=samplecompany,dc=com password 0 secretString
!
group policy basic-role-example
search filter objectclass group attribute member
group "Network Admin" role network-admin
group "Network Newbie" role network-operator
!
management security
ssl profile testProfile
fips restrictions
trust certificate caCert
!
management ldap
server host ldap-server.samplecompany.com
ssl-profile testProfile2
authorization group policy company1
!
Server host ldap-server.company2.com
!
server defaults
base-dn dc=samplecompany,dc=com
rdn attribute user cn
ssl-profile testProfile1
authorization group policy basic-role-example
search username cn=ldap-admin-acct,OU=ServiceAccounts,OU=Sample,dc=samplecompany,dc=com password 0 secretString
!
group policy basic-role-example
search filter objectclass group attribute member
group "Network Admin" role network-admin
group "Network Newbie" role network-operator
!
group policy company1
search filter objectclass group attribute member
group "Network Admin2" role network-admin
group "Network Newbie2" role network-operator
!
aaa authentication login default group ldap
!
management ldap
server host <ldap server hostname/ip>
!
server defaults
base-dn <base distinguished name>
rdn attribute user <relative distinguished attribute name>
search username <full distinguished name> password <password>
The configuration sets up aaa authentication with LDAP. The LDAP server supports IPv4, IPv6, hostnames, and VRFs for specifying the address. The RDN , relative distiguished name, is typically an attribute/value pair to specify a user. When a user attempts to connect to the switch, the admin username searches recursively for the RDNs which match the passed-in username from the base-dn folder to generate a shortened list of potential DNs, which are then searched for a match with the provided password.
Configuring LDAP Authorization
Active Directory Server with LDAP Plug-in Configured
aaa authorization exec default group ldap
!
management ldap
server defaults
authorization group policy basic-role-example
!
group policy basic-role-example
search filter objectclass group attribute member
group "Network Admin" role network-admin
group "Network Newbie" role network-operator
The group / role maps an LDAP group to an EOS role for RBAC. The matching is done so that the first group that is matched against results in the role being mapped to the user. before and after commands are used to insert rules in the appropriate priority.
The LDAP admin account uses the search filter command to search for LDAP groups which contain the user, where objectclass defines the object which contains the LDAP group and attribute is the entry attribute name which contains the DN of the group member.TLS Communication
LDAP supports TLS communication using SSL profiles. A trust certificate, or multiple intermediate certificates, is required to verify the root of trust of the LDAP server. The server will not be used for authentication if ssl profiles are configured and the server does not support TLS or fails x509 verification. Other ssl profiles supported commands are:
- fips restrictions
- crl
- tls version
- cipher-list
Active Directory Server with LDAP Plug-in Configured
management ldap
!
server defaults
ssl-profile testProfile
management security
ssl profile testProfile
trust certificate <root of trust>
Server Groups
A server group is a collection of servers that are associated with a single group name. Subsequent authorization and authentication commands can access all servers in a group by invoking the group name. The switch supports TACACS+ and RADIUS server groups.
The aaa group server commands create server groups and place the switch in a server-group configuration mode to assign servers to the group. Commands that reference an existing group place the switch in a server-group configuration mode to modify the group.
The server (server-group-RADIUS configuration mode) commands add servers to the configuration mode server group. Servers must be previously configured with a radius-server host or tacacs-server host command before they are added to a group.
Examples
- This command creates the TACACS+ server group named TAC-GR and enters server-group configuration mode for the new group.
switch(config)# aaa group server tacacs+ TAC-GR switch(config-sg-tacacs+-TAC-GR)#
- These commands add two servers to the TAC-GR server group. To add servers to this group, the switch must be in sg-tacacs+-TAC-GR configuration mode.
The CLI remains in server-group configuration mode after adding the TAC-1 server (port 49) and the server located at 10.1.4.14 (port 151) to the group.
switch(config-sg-tacacs+-TAC-GR)# server TAC-1 switch(config-sg-tacacs+-TAC-GR)# server 10.1.4.14 port 151 switch(config-sg-tacacs+-TAC-GR)#
- This command exits server-group configuration mode.
switch(config-sg-tacacs+-TAC-GR)# exit switch(config)#
- This command creates the RADIUS server group named RAD-SV1 and enters server-group configuration mode for the new group.
switch(config)# aaa group server radius RAD-SV1 switch(config-sg-radius-RAD-SV1)#
- These commands add two servers to the RAD-SV1 server group. To add servers to this group, the switch must be in sg-radius-RAD-SV1 configuration mode.
The CLI remains in server-group configuration mode after adding the RAC-1 server (authorization port 1812, accounting port 1813) and the server located at 10.1.5.14 (authorization port 1812, accounting port 1850) to the group.
switch(config-sg-radius-RAD-SV1)# server RAC-1 switch(config-sg-radius-RAD-SV1)# server 10.1.5.14 acct-port 1850 switch(config-sg-radius-RAD-SV1)#
Role-Based Authorization
Role-based authorization is a method of restricting access to CLI commands through the assignment of profiles, called roles, to user accounts. Each role consists of rules that permit or deny access to a set of commands within specified command modes.
All roles are accessible to the local security file through a username parameter and to remote users through RADIUS or TACACS+ servers. Each role can be applied to multiple user accounts. Only one role may be applied to a user.
Role Types
- User-defined roles are created and edited through CLI commands.
- Built-in roles are supplied with the switch and are not user-editable.
Built-in roles supplied by the switch are network-operator and network-admin.
Role Structure
- Commands that match a regular expression in a permit rule are executed.
- Commands that match a regular expression in a deny rule are disregarded.
- Commands that do not match a regular expression are evaluated against the next rule in the role.
Upon its entry in the CLI, a command is compared to the first rule of the role. Commands that match the rule are executed (permit rule) or disregarded (deny rule). Commands that do not match the rule are compared to the next rule. This process continues until the command either matches a rule or the rule list is exhausted. The switch disregards commands not matching any rule.
Role Rules
Role rules consist of four components: sequence number, filter type, mode expression, and command expression.
Sequence Number
The sequence number designates a rule’s placement in the role. Sequence numbers range in value from 1 to 256. Rule commands that do not include a sequence number append the rule at the end of the list, deriving its sequence number by adding 10 to the sequence number of the last rule in the list.
Example
10 deny mode exec command reload
20 deny mode config command (no |default )?router
Filter Type
The filter type specifies the disposition of matching commands. Filter types are permit and deny. Commands matching permit rules are executed. Commands matching deny rules are disregarded.
Example
10 deny mode exec command reload
20 permit mode config command interface
Mode Expression
The mode expression specifies the command mode under which the command expression is effective. The mode expression may be a regular expression or a designated keyword. Rules support the following mode expressions:
- exec EXEC and Privileged EXEC modes
- config Global Configuration Mode
- config-all All configuration modes, including Global Configuration Mode
- short_name
- short key name of a command mode (exact match)
- long_name long key name of a command mode (regular expression match of one or more modes)
- no parameter all command modes
- %P long key name
- %p short key name
-
These commands use the prompt command to display short key name (if) and long key name (if-Et1) for interface ethernet 1.
switch(config)# prompt switch%p switch(config)# interface ethernet 1 switch(config-if)# exit switch(config)# prompt switch%P switch(config)# interface ethernet 1 switch(config-if-Et1)#
The command supports the use of regular expressions to reference multiple command modes.
- These regular expressions correspond to the listed command modes:
- if-Vlan(1|2) matches interface-VLAN 1 or interface-VLAN 2.
- if matches all interface modes.
- acl-text1 matches ACL configuration mode for text1 ACL.
Command Expression
The command expression is a regular expression that corresponds to one or more CLI commands.
Examples
- reload reload command
- (no |default )? router commands that enter routing protocol configuration modes
- (no |default )?(ip|mac) access-list commands that enter ACL configuration modes
- (no |default )?(ip|mac) access-group commands that bind ACLs to interfaces
- lacp | spanning-tree LACP and STP commands
- .* all commands
Creating and Modifying Roles
Built-in Role
- network-operator Allows all commands in EXEC (Privileged) modes. Commands in all other modes are denied.
- network-admin Allows all CLI commands in all modes.
The network-admin role is typically assigned to the admin user to allow it to run any command.
Built-in roles are not editable.
Example
switch(config)# show users roles network-operator
The default role is network-operator
role: network-operator
10 deny mode exec command bash|\|
20 permit mode exec command .*
switch(config)# show users roles network-admin
The default role is network-operator
role: network-admin
10 permit command .*
switch(config)#
Managing Roles
Creating and Opening a Role
Roles are created and modified in Role configuration mode. To create a role, enter the role command with the role’s name. The switch enters Role configuration mode. If the command is followed by the name of an existing role, subsequent commands edit that role.
Example
switch(config)# role sysuser
switch(config-role-sysuser)#
Saving Role Changes
Role configuration mode is a group-change mode; changes are saved by exiting the mode.
- These commands create a role, then add a deny rule to the role. Because the changes are not yet saved, the role remains empty, as shown by show users roles.
switch(config)# role sysuser switch(config-role-sysuser)# deny mode exec command reload switch(config-role-sysuser)# show users roles sysuser The default role is network-operator switch(config-role-sysuser)#
-
To save all current changes to the role and exit role configuration mode, type exit.
switch(config-role-sysuser)# exit switch(config)# show users roles sysuser The default role is network-operator role: sysuser 10 deny mode exec command reload switch(config)#
Note: After exiting role mode, running-config must be saved to startup-config to preserve role changes past system restarts.
Discarding Role Changes
The abort command exits Role configuration mode without saving pending changes.
Example
switch(config)# role sysuser
switch(config-role-sysuser)# deny mode exec command reload
switch(config-role-sysuser)# abort
switch(config)# show users roles sysuser
The default role is network-operator
switch(config)#
Modifying Roles
Adding Rules to a Role
The deny (Role) command adds a deny rule to the configuration mode role. The permit (Role) command adds a permit rule to the configuration mode role.
To append a rule to the end of a role, enter the rule without a sequence number while in Role Configuration Mode. The new rule's sequence number is derived by adding 10 to the last rule's sequence number.
Example
switch(config)# role sysuser
switch(config-role-sysuser)# deny mode exec command reload
switch(config-role-sysuser)# deny mode config command (no |default )?router
switch(config-role-sysuser)# permit command .*
switch(config-role-sysuser)# exit
switch(config)# show users roles sysuser
The default role is network-operator
role: sysuser
10 deny mode exec command reload
20 deny mode config command (no |default )?router
30 permit command .*
switch(config)#
Inserting a Rule
To insert a rule into a role, enter the rule with a sequence number between the existing rules numbers.
Example
switch(config)# role sysuser
switch(config-role-sysuser)# 15 deny mode config-all command lacp
switch(config-role-sysuser)# exit
switch(config)# show users roles sysuser
The default role is network-operator
role: sysuser
10 deny mode exec command reload
15 deny mode config-all command lacp
20 deny mode config command (no |default )router
30 permit command .*
switch(config)#
Deleting a Rule
- Enter no, followed by the sequence number of the rule to be deleted.
- Enter no, followed by the rule be deleted.
- Enter default, followed by the sequence number of the rule to be deleted.
- Enter default, followed by the rule to be deleted.
- These equivalent commands remove rule 30 from the list.
switch(config-role-sysuser)# no 30 switch(config-role-sysuser)# default 30 switch(config-role-sysuser)# no permit command .* switch(config-role-sysuser)# default permit command .*
-
This role results from entering one of the preceding commands.
switch(config)# show users roles sysuser The default role is network-operator role: sysuser 10 deny mode exec command reload 15 deny mode config-all command lacp|spanning-tree 20 deny mode config command (no |default )router switch(config)#
Redistributing Sequence Numbers
Sequence numbers determine the order of the rules in a role. After a list editing session where existing rules are deleted and new rules are inserted between existing rules, the sequence number distribution may not be uniform. Redistributing rule numbers changes adjusts the sequence number of rules to provide a constant difference between adjacent rules. The resequence (Role) command adjusts the sequence numbers of role rules.
Example
switch(config)# show users roles sysuser
The default role is network-operator
role: sysuser
10 deny mode exec command reload
20 deny mode config-all command lacp|spanning-tree
25 deny mode config command (no |default )?router
30 permit command .*
switch(config)# role sysuser
switch(config-role-sysuser)# resequence 100 20
switch(config-role-sysuser)# exit
switch(config)# show users roles sysuser
The default role is network-operator
role: sysuser
100 deny mode exec command reload
120 deny mode config-all command lacp|spanning-tree
140 deny mode config command (no |default )?router
160 permit command .*
switch(config)#
Assigning a Role to a Username
Roles are assigned to local users through the username command and to remote users through RADIUS servers or TACACS+ servers. Each user is assigned one role. Each role can be assigned to multiple local and remote users.
Default Roles
Users that are not explicitly assigned a role are assigned the default role. The aaa authorization policy local default-role command designates the default role. The network-operator built-in role is the default role when the default role is not configured.
- These commands assign sysuser as the default role, then display the name of the default role.
switch(config)# aaa authorization policy local default-role sysuser switch(config)# show users roles The default role is sysuser switch(config)#
-
These commands restore network-operator as the default role by deleting the aaa authorization policy local default-role statement from running-config, then display the default role name.
switch(config)# no aaa authorization policy local default-role switch(config)# show users roles The default role is network-operator switch(config)#
Local Security File (Username Command)
Roles are assigned to users with the username command's role parameter. A username whose running-config username statement does not include a role parameter is assigned the default role.
The role parameter function in a command creating a username is different from its function in a command editing an existing name.
Assigning a Role to a New Username
A username command creating a username explicitly assigns a role to the username by including the role parameter; commands without a role parameter assigns the default role to the username.
switch(config)# username FRED secret 0 axced role sysuser1
switch(config)# username JANE nopassword
switch(config)# show running-config
<-------OUTPUT OMITTED FROM EXAMPLE-------->
!
username FRED role sysuser1 secret 5 $1$dhJ6vrPV$PFOvJCX/vcqyIHV.vd.l20
username JANE nopassword
!
<-------OUTPUT OMITTED FROM EXAMPLE-------->
switch(config)#
Editing the Role of an Existing Username
The role of a previously configured username may be edited by a username command without altering its password. The role assignment of a username is not changed by username commands that do not include a role parameter.
- These commands assign a role to a previously configured username.
switch(config)# username JANE role sysuser2 switch(config)# show running-config <-------OUTPUT OMITTED FROM EXAMPLE--------> ! username FRED role sysuser1 secret 5 $1$dhJ6vrPV$PFOvJCX/vcqyIHV.vd.l20 username JANE role sysuser2 nopassword ! <-------OUTPUT OMITTED FROM EXAMPLE--------> switch(config)#
- These commands reverts a username to the default role by removing its role assignment.
switch(config)# no username FRED role switch(config)# show running-config <-------OUTPUT OMITTED FROM EXAMPLE--------> ! username FRED secret 5 $1$dhJ6vrPV$PFOvJCX/vcqyIHV.vd.l20 username JANE role sysuser2 nopassword ! <-------OUTPUT OMITTED FROM EXAMPLE--------> switch(config)#
Displaying the Role Assignments
The show users accounts command displays role assignment of the configured users. The show users detail command displays roles of users that are currently logged into the switch.
- This command displays the configured users and their role assignments.
switch(config)# show users accounts user: FRED role: <unknown> privilege level: 1 user: JANE role: sysuser2 privilege level: 1 user: admin role: network-admin privilege level: 1 switch(config)#
- This command displays information about the active AAA login sessions.
switch(config)# show aaa session Session Username Roles TTY State Duration Auth Remote Host ------- --------- ------------ ------ ----- -------- ------------- ------------ 2 admin network-operator ttyS0 E 0:01:21 local 4 Fred sysadmin telnet E 0:02:01 local sf.example.com 6 Jane sysuser2 ssh E 0:00:52 group radius ny.example.com 9 admin network-admin ssh E 0:00:07 local bj.example.com 10 max network-admin telnet E 0:00:07 local sf.example.com
Radius Servers
A role can be assigned to a remote user authenticated through a RADIUS server. Roles are assigned through the vendor-specific Attribute-Value (AV) pair named “Arista-AVPair.” The switch extracts the remote user’s role upon a successful authentication when RADIUS authentication is enabled.
Example
# Sample RADIUS server users file
"Jane" Cleartext-Password := "Abc1235"
Arista-AVPair = "shell:roles=sysuser2",
Service-Type = NAS-Prompt-User
"Mary" Cleartext-Password := "xYz$2469"
Arista-AVPair = "shell:roles=sysadmin",
Service-Type = NAS-Prompt-User
"Fred" Cleartext-Password := "rjx4#222"
Arista-AVPair = "shell:roles=network-operator",
Service-Type = NAS-Prompt-User
The aaa authentication login command selects the user authentication service (see Configuring Service Lists ).
Example
switch(config)# aaa authentication login default group radius
Enable Role-Based Access Control
To enable Role-Based Access Control on the switch, apply the following configuration:
switch(config)# aaa authorization commands all default local
AAA and X.509 Authentication
Configure AAA to support X.509 Certificates for Secure Shell (SSH) connections to securely send commands over an unsecured network. X.509 certificates use a type of public key authentication, and must be enabled on the switch.
When a user attempts to log into the network using an X.509 certificate, EOS performs a check to ensure that the certificate grants permissions and compares the username to names extracted from the certificate. By default, an exact match must be located. The configuration extracts subject alternative names (SANs) from the X.509 certificate, and EOS supports uniform resource identifiers (URIs), an email format as defined in RFC822, and the otherName format for Microsoft Active Directory User Principal Name (UPN). If a match cannot be located, the common name is extracted and checked.
Name Extracted from the Certificate | ||
---|---|---|
Login User Name | Username | このメールアドレスはスパムボットから保護されています。閲覧するにはJavaScriptを有効にする必要があります。 |
Username | Valid Match | Match Failure |
このメールアドレスはスパムボットから保護されています。閲覧するにはJavaScriptを有効にする必要があります。 | Match Failure | Valid Match |
Successful login attempts must match one of the names on the certificate.
Before configuring X.509 authentication, enable public-key authentication and keyboard interactive on the switch.
switch(config)#management ssh
switch(config-mgmt-ssh)#authentication protocol public-key keyboard-interactive
Configuring a Secure Socket Layer (SSL) Profile for X.509 Authentication
You must add at least one trusted certificate (CA) to allow X.509 authentication, and specify a Certificate Revocation List (CRL) with revoked certificates.
To enable X.509 on a switch, configure an SSL profile, x509-profile, to link to the SSH configuration:
switch(config)#management security
switch(config-mgmt-security)#ssl profile x509-profile
Add the trusted certificate, trusted-cert, to the configuration:
switch(config-mgmt-sec-profile-x509-profile)#trust trusted-cert
Add the name of the applicable Certificate Revocation List (CRL), my-crl:
switch(config-mgmt-sec-profile-x509-profile)#revocation crl name my-crl
Next, enable public-key authentication on the switch, and add the SSL profile, x509-profile:
switch(config)#management ssh
switch(config-mgmt-ssh)#authentication x509
switch(config-mgmt-ssh-auth-x509)#server ssl profile x509-profile
Configuring X.509 to Omit Domains from the Usernames
Names extracted from the X.509 certificates include domain names, and in some cases, you may want to omit the domain name from the X.509 certificates when comparing the usernames with the login name. To omit the domain name, use the following commands:
switch(config)#management ssh
switch(config-mgmt-ssh)#authentication x509
switch(config-mgmg-ssh-auth-x509)#username domain omit
When configured, the following login behavior occurs on the switch:
Name Extracted from the Certificate | ||
---|---|---|
Login User Name | Username | このメールアドレスはスパムボットから保護されています。閲覧するにはJavaScriptを有効にする必要があります。 |
Username | Valid Match | Valid Match |
このメールアドレスはスパムボットから保護されています。閲覧するにはJavaScriptを有効にする必要があります。 | Match Failure | Match Failure |
Configuring an Online Certificate Status Profile (OCSP) for X.509 Certificates
Instead of using a CRL to perform certificate validation, use an OCSPquery to an authorized server for the revocation status of a certificate. Performing an OCSP lookup requires access to a remote OCSP server, or a local OSCP server. Configure an OCSP profile with the appropriate settings for your network.
Use the following commands to enable OCSP on the switch, and add the OCSP profile, myOCSP:
switch(config)#managment security
switch(config-mgmt-security)#ocsp profile myOSCP
Link an OCSP profile to an SSL profile by adding the parameter, revocation ocsp profile.
Specify a timeout in seconds from one (1) to 600 with a default timeout of 30 seconds.
switch(config-mgmt-sec-ocsp-profile-myOCSP)#timeout 120
Ovveride the OCSP responder and use a URL to a OCSP server for all OCSP queries instead of the values in the X.509 certificate:
switch(config-mgmt-sec-ocsp-profile-myOCSP)#url http://www.myocspserver.com
Add an extension request and response nonce behavior to the configuration. By default, a response contains a nonce but doesn't treat the absence of one as a failure. Configure this parameter to require a nonce in the request or not send one at all. In this case, disable the nonce request:
switch(config-mgmt-sec-ocsp-profile-myOCSP)#extension nonce request disabled
Configure certificates in the chain that require validation using OCSP. By default, the profile uses all. This requires the entire chain up to but not including the root CA to validate with OCSP. If set to leaf, only the client certificate must be validated using OCSP. If set to none, then OCSP only performs validation on certificates with an OCSP responder specified.
switch(config-mgmt-sec-ocsp-profile-myOCSP)#chain certificate requirement responder all
Displaying X.509 Certification Configuration
Use the following command to display the X.509 Authentication configuration:
switch(config)#show run section management ssh
management ssh
authentication X.509
server ssl profile x509-profile
username domain omit
The command, show management ssh, includes additional information about the X.509 authentication configuration:
switch(config)#show management ssh
User certificate authentication methods: x509-certificates
SSL profile: X509-profile invalid. See "show management security ssl profile” output for details.
To display details about the SSL profile configured for SSH authentication, use the show management security ssl profile command:
switch(config)#show management security ssl profile
Profile State Additional Information
---------------------- ------- ----------------------
ARISTA_DEFAULT_PROFILE valid
x509-profile invalid Profile has no data
To display the SSL profile and OCSP profile information, use the following command:
switch(config)#show run section management security
management security
ocsp profile myOCSP
chain certificate requirement responder leaf
extension nonce request response
timeout 20
url http://127.0.0.1:8080
!
ssl profile X509-profile
…
revocation ocsp profile revoke-ocsp
…
In the output, only the leaf certificate validates, and an extension request requires a nonce. The timeout occurs after 20 seconds, and the URL for certificate validation set to the local address.
Activating Security Services
After configuring the access databases, aaa authentication, aaa authorization, and aaa accounting commands designate active and backup services for handling access requests.
These sections describe the methods of selecting the database that the switch uses to authenticate users and authorize access to network resources.
Authenticating Usernames and the Enable Password
Service lists specify the services the switch uses to authenticates usernames and the enable password.
Service List Description
Service list elements are service options, ordered by their priority.
Example
- Location_1 server group - specifies a server group (see Server Groups ).
- Location_2 server group - specifies a server group.
- TACACS+ servers - specifies all hosts for which a tacacs-server host command exists.
- Local file - specifies the local file.
- None - specifies that no authentication is required - all access attempts succeed.
To authenticate a username, the switch checks Location_1 server group. If a server in the group is available, the switch authenticates the username through that group. Otherwise, it continues through the list until it finds an available service or utilizes option 5, which allows the access attempt to succeed without authentication.
Configuring Service Lists
- aaa authentication login specifies services the switch uses to authenticate usernames.
- aaa authentication enable specifies services the switch uses to authenticate the enable password.
- This command configures the switch to authenticate usernames through the TAC-1 server group. The local database is the backup method if TAC-1 servers are unavailable.
switch(config)# aaa authentication login default group TAC-1 local
- This command configures the switch to authenticate usernames through all TACACS+ servers, then all RADIUS servers if the TACACS+ servers are not available. If the RADIUS servers are unavailable, the switch does not authenticate any login attempts.
switch(config)# aaa authentication login default group tacacs+ group radius none
- This command configures the switch to authenticate the enable password through all TACACS+ servers, then through the local database if the TACACS+ servers are unavailable.
switch(config)# aaa authentication enable default group TACACS+ local
AAA Time-based Lockout
AAA time-based lockout enables managing remote user unsuccessful login attempts for a configurable time duration.
- aaa authentication policy lockout failure command locks the remote user from getting access for a specific duration of time after specific consecutive unsuccessful login attemps within a lockout period. In the following example, a user is allowed 4 attempts to log in within a duration of 1 day (the default window). If the user has 4 unsuccessful consecutive logins, the person will be locked out of the account for 360 seconds.
switch(config)# aaa authentication policy lockout failure 4 duration 360
- show aaa authentication lockout command displays the status of locked-out users.
switch# show aaa authentication lockout
- clear aaa authentication lockout command clears the locked status of a user so as to allow access within a lockout period.
switch# clear aaa authentication lockout
Authorization
Authorization commands control EOS shell access, CLI command access, and configuration access through the console port. The switch also supports role-based authorization, which allows access to specified CLI commands by assigning command profiles (or roles) to usernames. See Role-Based Authorization for details.
During the exec authorization process, TACACS+ server responses may include attribute-value (AV) pairs. The switch recognizes the mandatory AV pair named priv-lvl=x (where x is between 0 and 15).
By default, a TACACS+ server that sends any other mandatory AV pair is denied access to the switch. The receipt of optional AV pairs by the switch has no affect on decisions to permit or deny access to the TACACS+ server. The tacacs-server policy command programs the switch to allow access to TACACS+ servers that send unrecognized mandatory AV pairs.
- To specify the method of authorizing the opening of an EOS shell, enter aaa authorization exec.
- To specify the method of authorizing CLI commands, enter aaa authorization commands.
- This command specifies that TACACS+ servers authorize users attempting to open a CLI shell.
switch(config)# aaa authorization exec default group tacacs+
- This command programs the switch to authorize configuration commands (privilege level 15) through the local file and to deny command access to users not listed in the local file.
switch(config)# aaa authorization commands all default local
- This command programs the switch to permit all commands entered on the CLI.
switch(config)# aaa authorization commands all default none
- This command configures the switch to permit access to TACACS+ servers that send unrecognized mandatory AV pairs.
switch(config)# tacacs-server policy unknown-mandatory-attribute ignore
- To enable the authorization of configuration commands with the policy specified for all other commands, enter aaa authorization config-commands.
- To require authorization of commands entered on the console, enter aaa authorization serial-console.
By default, EOS does not verify authorization of commands entered on the console port.
- This command disables the authorization of configuration commands.
switch(config)# no aaa authorization config-commands
-
This command enables the authorization of configuration commands.
switch(config)# aaa authorization config-commands
-
This command configures the switch to authorize commands entered on the console, using the method specified through a previously executed aaa authorization command.
switch(config)# aaa authorization serial-console
Accounting
The accounting service collects information for billing, auditing, and reporting. The switch supports TACACS+ and RADIUS accounting by reporting user activity to either the TACACS+ server or RADIUS server in the form of accounting records.
- EXEC: Provides information about user CLI sessions.
- Commands: Command authorization for all commands, including configuration commands that are associated with a privilege level.
- start-stop: a start notice is sent when a process begins; a stop notice is sent when it ends.
- stop-only: a stop accounting record is generated after a process successfully completes.
Accounting is enabled by the aaa accounting command.
- This command configures the switch to maintain start-stop accounting records for all commands executed by switch users and submits them to all TACACS+ hosts.
switch(config)# aaa accounting commands all default start-stop group tacacs+
- This command configures the switch to maintain stop accounting records for all user EXEC sessions performed through the console and submits them to all TACACS+ hosts.
switch(config)# aaa accounting exec console stop group tacacs+
TACACS+ Configuration Examples
These sections describe two sample TACACS+ host configurations.
Single Host Configuration
- IP address: 10.1.1.10.
- encryption key: example_1.
- port number: 49 (global default).
- timeout: 5 seconds (global default).
The switch authenticates the username and enable command against all TACACS+ servers which, in this case, is one host. If the TACACS+ server is unavailable, the switch authenticates with the local file.
Multiple Host Configuration
- IP address 10.1.1.2 - port 49.
- IP address 172.16.4.12 - port 4900.
- IP address 192.168.2.10 - port 49.
- Bldg_1 group consists of the servers at 10.1.1.2 and 172.16.4.12.
- Bldg_2 group consists of the servers at 192.168.2.10.
- encryption key - example_2.
- timeout - 10 seconds.
- username access against Bldg_1 group then, if they are not available, against the local file.
- enable command against Bldg_2 group, then Bldg_1 group, then against the local file.
AAA Accounting for OpenConfig Remote Procedure Call (RPC) Messages Overview
OpenConfig allows network engineers to collaboratively develop programming interfaces and tools to manage networks dynamically and vendor-neutral manner. EOS supports AAAA Accounting for gRPC Network Management Interface (gNMI), gRPC Network Operations (gNOI) Interface, and gRPC Network Security Interface (gNSI) RPCs by logging the accounting records to a TACACS+ server, RADIUS server, or to a Syslog server.
AAA Commands
Local Security File Commands
Accounting, Authentication, and Authorization Commands
- aaa accounting
- aaa accounting dot1x
- aaa accounting system
- aaa authentication dot1x
- aaa authentication enable
- aaa authentication login
- aaa authentication policy local allow-nopassword-remote-login
- aaa authentication policy lockout failure
- aaa authentication policy log
- aaa authorization commands
- aaa authorization config-commands
- aaa authorization exec
- aaa authorization policy local default-role
- aaa authorization serial-console
- clear aaa authentication lockout
- clear aaa counters
- clear aaa counters radius
- clear aaa counters tacacs+
- show aaa
- show aaa authentication lockout
- show aaa counters
- show aaa methods
- show management ldap
- show users detail
Server (RADIUS and TACACS+) Configuration Commands
Server Group Configuration Commands
Role-Based Authorization Configuration Commands
aaa accounting dot1x
The aaa accounting dot1x command enables the accounting of requested 802.1X services for network access.
The no aaa accounting dot1x and default aaa accounting dot1x commands disable the specified method list by removing the corresponding aaa accounting dot1x command from running-config.
Command Mode
Global Configuration
Command Syntax
aaa accounting dot1x default [METHOD_1][METHOD_2][METHOD_N]
no aaa accounting dot1x default
default aaa accounting dot1x default
- MODE accounting mode that defines when accounting notices are sent. Options include:
- start-stop a start notice is sent when a process begins; a stop notice is sent when it ends.
- METHOD_X server groups (methods) to which the switch can send accounting records. The switch sends the method list to the first listed group that is available.
-
Parameter value is not specified if MODE is set to none. If MODE is not set to none, the command must provide at least one method. Each method is composed of one of the following:
- group name the server group identified by name.
- group radius server group that includes all defined RADIUS hosts.
-
logging server group that includes all defined TACACS+ hosts.
- This example configures IEEE 802.1X accounting on the switch.
switch(config)# aaa accounting dot1x default start-stop group radius switch(config)#
- This example disables IEEE 802.1X accounting on the switch.
switch(config)# no aaa accounting dot1x default switch(config)#
aaa accounting system
The aaa accounting system command performs accounting for all system-level events.
The no aaa accounting system and default aaa accounting system commands clear the specified method list by removing the corresponding aaa accounting system command from running-config.
Command Mode
Global Configuration
Command Syntax
aaa accounting system default [METHOD_1][METHOD_2] ... [METHOD_N]
no aaa accounting system default
default aaa accounting system default
- MODE accounting mode that defines when accounting notices are sent. Options include:
- none no notices are sent.
- start-stop a start notice is sent when a process begins; a stop notice is sent when it ends.
- stop-only a stop accounting record is generated after a process successfully completes.
- METHOD_X server groups (methods) to which the switch can send accounting records. The switch sends the method list to the first listed group that is available.
- Parameter value is not specified if MODE is set to none. If MODE is not set to none, the command must provide at least one method. Each method is composed of one of the following:
- group name the server group identified by name.
- group radius server group that includes all defined RADIUS hosts.
- group tacacs+ server group that includes all defined TACACS+ hosts.
- logging server group that includes all defined TACACS+ hosts.
- group name the server group identified by name.
- This command configures AAA accounting to not use any accounting methods for system events.
switch(config)# aaa accounting system default none switch(config)#
- This command configures the switch to maintain stop accounting records for system events to all defined RADIUS hosts.
switch(config)# aaa accounting system default stop-only group radius switch(config)#
aaa accounting
The aaa accounting command configures accounting method lists for a specified authorization type. Each list consists of a prioritized list of methods. The accounting module uses the first available listed method for the authorization type.
The no aaa accounting and default aaa accounting commands clear the specified method list by removing the corresponding aaa accounting command from running-config.
Command Mode
Global Configuration
Command Syntax
aaa accounting TYPE CONNECTION MODE [METHOD_1][METHOD_2] ... [METHOD_N]
no aaa accounting TYPE CONNECTION
default aaa accounting TYPE CONNECTION
- TYPE authorization type for which the command specifies a method list. Options include:
- EXEC records user authentication events.
- COMMANDS ALL records all entered commands.
- COMMANDS level records entered commands of the specified level (ranges from 0 to 15).
- CONNECTION connection type of sessions for which method lists are reported. Options include:
- console console connection.
- default all connections not covered by other command options.
-
MODE accounting mode that defines when accounting notices are sent. Options include:
- none no notices are sent.
- start-stop a start notice is sent when a process begins; a stop notice is sent when it ends.
- stop-only a stop accounting record is generated after a process successfully completes.
- METHOD_X server groups (methods) to which the switch can send accounting records. The switch sends the method list to the first listed group that is available.
- Parameter value is not specified if MODE is set to none. If MODE is not set to none, the command must provide at least one method. Each method is composed of one of the following:
- group name the server group identified by name.
- group radius server group that includes all defined RADIUS hosts.
- group tacacs+ server group that includes all defined TACACS+ hosts.
- logging log all accounting messages to Syslog.
- This command configures the switch to maintain start-stop accounting records for all commands executed by switch users and submits them to all TACACS+ hosts.
switch(config)# aaa accounting commands all default start-stop group tacacs+ switch(config)#
- This command configures the switch to maintain stop accounting records for all user EXEC sessions performed through the console and submits them to all TACACS+ hosts.
switch(config)# aaa accounting exec console stop group tacacs+ switch(config)#
- This command configures the switch to maintain start-stop accounting records for all commands executed by switch users and submits them to all TACACS+ hosts.
switch(config)# aaa accounting commands all default start-stop group tacacs+ switch(config)#
- This command configures the switch to maintain stop accounting records for all user EXEC sessions performed through the console and submits them to all TACACS+ hosts.
switch(config)# aaa accounting exec console stop group tacacs+ switch(config)#
aaa authentication dot1x
The aaa authentication dot1x command configures the default authentication list of requested 802.1X services for network access.
The no aaa authentication dot1x and default aaa authentication dot1x commands remove the default authentication list for IEEE 802.1X.
Command Mode
Global Configuration
Command Syntax
aaa authentication dot1x default group {group_name | radius}
no aaa authentication dot1x default
default aaa authentication dot1x
- default configures the default authentication list of requested 802.1X services for network access.
- group configures server group.
- group_name server group name; multiple group names can be entered in a single command.
- radius list of all defined RADIUS hosts.
switch(config)# aaa authentication dot1x default group auth1
switch(config)#
aaa authentication enable
The aaa authentication enable command configures the service list that the switch references to authorize access to Privileged EXEC command mode.
- A named server group
- All defined TACACS+ hosts
- All defined RADIUS hosts
- Local authentication
- No authentication
The switch authorizes access by using the first listed service option available. When the local file is a service list element, attempts to locally authenticate a usernamenot in the local file results in the switch continuing to the next service list element.
EOS supports a console list for authorizing usernames through the console and a default list for authorizing usernames through all other connections.
- If no console list exists, the console connection uses the default list.
- If no default list exists, the list sets to local.
The no aaa authentication enable and default aaa authentication enable commands revert the list configuration to the default by removing the corresponding aaa authentication enable command from running-config.
Command Mode
Global Configuration
Command Syntax
aaa authentication enable [console|default] METHOD_1 [METHOD_2] ... [METHOD_N]
no aaa authentication enable [console|default] default
default aaa authentication enable [console|default] default
Parameters
console - Uses the console authentication list.
default - Uses the default authentication list.
- group name the server group identified by name.
- group radius a server group that consists of all defined RADIUS hosts.
- group tacacs+ a server group that consists of all defined TACACS+ hosts.
- local local authentication.
- none users are not authenticated; all access attempts succeed.
switch(config)# aaa authentication default enable group TACACS+ local
switch(config)#
aaa authentication login
- A named server group
- All defined TACACS+ hosts
- All defined RADIUS hosts
- Local authentication
- No authentication.
When the local file contains a service list element, attempts to locally authenticate a username not in the local file results in the switch continuing to the next service list element.
The switch supports a console list for authenticating usernames through the console and a default list for authenticating usernames through all other connections.
- When the console list is not configured, the console connection uses the default list.
- When the default list is not configured, it is set to local.
The no aaa authentication login and default aaa authentication login commands revert the specified list configuration to its default by removing the corresponding aaa authentication login command from running-config.
Command Mode
Global Configuration
Command Syntax
aaa authentication login CONNECTION SERVICE_1 [SERVICE_2] ... [SERVICE_N]
no aaa authentication login CONNECTION
default aaa authentication login CONNECTION
- CONNECTION connection type of sessions for which authentication list is used.
- default the default authentication list.
- console the authentication list for console logins.
- SERVICE_X an authentication service. Settings include:
- group name identifies a previously defined server group.
- group radius a server group that consists of all defined RADIUS hosts.
- group tacacs+ a server group that consists of all defined TACACS+ hosts.
- local local authentication.
- none The switch does not perform authentication. All access attempts succeed.
- This command configures the switch to authenticate usernames through the TAC-1 server group. The local database is the backup method if TAC-1 servers are unavailable.
switch(config)# aaa authentication login default group TAC-1 local switch(config)#
- This command configures the switch to authenticate usernames through all TACACS+ servers, then all RADIUS servers if the TACACS+ servers are not available. If the RADIUS servers are also unavailable, the switch allows access to all login attempts without authentication.
switch(config)# aaa authentication login default group tacacs+ group radius none switch(config)#
aaa authentication policy local allow-nopassword-remote-login
The aaa authentication policy local allow-nopassword-remote-login command permits usernames without passwords to log in from any port. The default switch setting only allows unprotected usernames to log in from the console.
The no aaa authentication policy local allow-nopassword-remote-login and default aaa authentication policy local allow-nopassword-remote-login commands return the switch to the default setting of allowing unprotected usernames to log in only from the console.
Command Mode
Global Configuration
Command Syntax
aaa authentication policy local allow-nopassword-remote-login
no aaa authentication policy local allow-nopassword-remote-login
default aaa authentication policy local allow-nopassword-remote-login
- This command configures the switch to allow unprotected usernames to log in from any port.
switch(config)# aaa authentication policy local allow-nopassword-remote-login switch(config)#
- This command configures the switch to allow unprotected usernames to log in only from the console port.
switch(config)# no aaa authentication policy local allow-nopassword-remote-login switch(config)#
aaa authentication policy lockout failure
The aaa authentication policy lockout failure command configures the switch to lock the remote user from getting access after specific unsuccessful login attempts within a lockout period.
The no aaa authentication policy lockout failure and the default aaa authentication policy lockout failure commands disable the lockout period configuration.
Command Mode
Global Configuration
Command Syntax
aaa authentication policy lockout failure failure_count duration duration_time {window window_time}
no aaa authentication policy lockout failure
default aaa authentication policy lockout failure
- failure_count the number of failed logins allowed during access. The valid number is between 1 and 255.
- duration duration_time the time in seconds to block a user account from login. The value is between 1 and 4294967295 seconds.
- window window_time the time in seconds to track failed logins within this duration. The value is between 1 and 4294967295 seconds while the default is 1 day.
- This command configures the system to allow four attempts to log in within a duration of 1 day (the default window). If the user has 4 unsuccessful consecutive logins, the person will be locked out of the account for 360 seconds.
switch(config)# aaa authentication policy lockout failure 4 duration 360
- This command configures the system to allow five attempts to log in within a duration of 1 day (the default window). If the user has 5 unsuccessful consecutive logins, the person will be locked out of the account for 60 seconds.
switch(config)# aaa authentication policy lockout failure 5 window 10 duration 60
aaa authentication policy log
The aaa authentication policy log command configures the switch to generate syslog messages for login authentication success or failure events.
The no aaa authentication policy log and the default aaa authentication policy log commands restore the default behavior of not generating syslog messages for these events.
Command Mode
Global Configuration
Command Syntax
aaa authentication policy {on-failure | on-success} log
no aaa authentication policy {on-failure | on-success} log
default aaa authentication policy {on-failure | on-success} log
- on-failure generates syslog messages for failed login events.
- on-success generates syslog messages for successful login events.
This command configures the switch to log successful and failed login attempts.
switch(config)# aaa authentication policy on-success log
switch(config)# aaa authentication policy on-failure log
aaa authorization commands
- Level 1: Commands accessible from EXEC mode.
- Level 15: Commands accessible from any mode except EXEC.
Command usage is authorized for each privilege level specified in the command.
- a named server group.
- all defined TACACS+ hosts.
- all defined RADIUS hosts.
- local authorization.
- no authorization.
The list is set to none for all unconfigured privilege levels, allowing all CLI access attempts to succeed.
The no aaa authorization commands and default aaa authorization commands commands revert the list contents to none for the specified privilege levels.
Command Mode
Global Configuration
Command Syntax
aaa authorization commands PRIV default SERVICE_1[SERVICE_2] ... [SERVICE_N]
no aaa authorization commands PRIV default
default aaa authorization commands PRIV default
- PRIV Privilege levels of the commands. Options include:
- level numbers from 0 and 15. Number, range, and comma-delimited list of numbers and ranges.
- all commands of all levels.
- SERVICE_X Authorization service. Command must list at least one service. Options include:
- group name the server group identified by name.
- group tacacs+ a server group that consists of all defined TACACS+ hosts.
- local local authorization.
- none the switch does not perform authorization. All access attempts succeed.
- This command authorizes configuration commands (privilege level 15) through the local file. The switch denies command access to users not listed in the local file.
switch(config)# aaa authorization commands all default local switch(config)#
- This command authorizes all commands entered on the CLI.
switch(config)# aaa authorization commands all default none switch(config)#
aaa authorization config-commands
The aaa authorization config-commands command enables authorization of commands in any configuration mode, such as Global Configuration and all interface configuration modes. Commands are authorized through the policy specified by the aaa authorization commands setting. Authorization is enabled by default, so issuing this command has no effect unless running-config contains the no aaa authorization config-commands command.
The no aaa authorization config-commands command disables configuration command authorization. When configuration command authorization is disabled, running-config contains the no aaa authorization config-commands command. The default aaa authorization config-commands command restores the default setting by removing the no aaa authorization config-commands from running-config.
Command Mode
Global Configuration
Command Syntax
aaa authorization config-commands
no aaa authorization config-commands
default aaa authorization config-commands
- This command enables the authorization of configuration commands.
switch(config)# aaa authorization config-commands switch(config)#
- This command disables the authorization of configuration commands.
switch(config)# no aaa authorization config-commands switch(config)#
aaa authorization exec
The aaa authorization exec command configures the service list that the switch references to authorize access to open an EOS CLI shell.
The list consists of a prioritized list of service options. The switch authorizes access by using the first listed service option to which the switch can connect. When the switch cannot communicate with an entity that provides a specified service option, it attempts to use the next option in the list.
- a named server group.
- all defined TACACS+ hosts.
- all defined RADIUS hosts.
- local authentication.
- no authentication.
EOS supports a console list to authorize access to a CLI shell through the console and a default list to authorize access for all other connections.
- If no console list exists, the console connection uses the default list and you enable aaa authorization serial-console. Otherwise, uses none.
- If no default list exists, the list sets to local.
The no aaa authorization exec and default aaa authorization exec commands set the list contents to none.
Command Mode
Global Configuration
Command Syntax
aaa authorization exec default METHOD_1 [METHOD_2] ... [METHOD_N]
no aaa authorization exec default
default aaa authorization exec default
- METHOD_X authorization service (method). The switch uses the first listed available method.
The command must provide at least one method. Each method is composed of one of the following:
- group name the server group identified by name.
- group radius a server group that consists of all defined RADIUS hosts.
- group tacacs+ a server group that consists of all defined TACACS+ hosts.
- local local authentication.
- none the switch does not perform authorization. All access attempts succeed.
- group radius a server group that consists of all defined RADIUS hosts.
Guidelines
During the EXEC authorization process, the TACACS+ server response may include attribute-value (AV) pairs. The switch recognizes priv-lvl=x (where x is an integer between 0 and 15), which is a mandatory AV pair. A TACACS+ server that sends any other mandatory AV pair is denied access to the switch. The receipt of optional AV pairs by the switch has no affect on decisions to permit or deny access to the TACACS+ server.
switch(config)# aaa authorization exec default group tacacs+
switch(config)#
aaa authorization policy local default-role
The aaa authorization policy local command specifies the name of the default role. A role is a data structure that supports local command authorization through its assignment to user accounts. Roles consist of permit and deny rules that define authorization levels for specified commands. Applying a role to a username authorizes the user to execute commands specified by the role.
- local or remote users assigned to a role that is not configured.
- local users to whom a role is not assigned.
When the default-role is not specified, network-operator is assigned to qualified users as the default role. The network-operator role authorizes assigned users access to all CLI commands in EXEC and Privileged EXEC modes.
The no aaa authentication policy local default-role and default aaa authentication policy local default-role commands remove the authentication policy local default-role statement from running-config. Removing this statement restores network-operator as the default role.
Command Mode
Global Configuration
Command Syntax
aaa authorization policy local default-role role_name
no aaa authorization policy local default-role
default aaa authorization policy local default-role
Parameters
role_name Name of the default role.
Related Command
The role command places the switch in role configuration mode for creating and editing roles.
- This command configures the sysuser as the default role.
switch(config)# aaa authorization policy local default-role sysuser switch(config)#
- This command restores network-operator as the default role.
switch(config)# no aaa authorization policy local default-role switch(config)#
- This command displays the contents of the network-operator role.
switch# show users roles network-operator The default role is network-operator role: network-operator 10 deny mode exec command bash|\| 20 permit mode exec command .* switch#
aaa authorization serial-console
The aaa authorization serial-console command configures the switch to authorize commands entered through the console. By default, commands entered through the console do not require authorization.
The no aaa authorization serial-console and default aaa authorization serial-console commands restore the default setting.
Command Mode
Global Configuration
Command Syntax
aaa authorization serial-console
no aaa authorization serial-console
default aaa authorization serial-console
switch(config)# aaa authorization serial-console
switch(config)#
aaa group server radius
The aaa group server radius command enters the Server-group-RADIUS Configuration Mode for the specified group name. The command creates the specified group if it was not previously created. Commands are available to add servers to the group.
A server group is a collection of servers that are associated with a single label. Subsequent authorization and authentication commands access all servers in a group by invoking the group name. Server group members must be previously configured with a radius-server host command.
The no aaa group server radius and default aaa group server radius commands delete the specified server group from running-config.
Command Mode
Global Configuration
Command Syntax
aaa group server radius group_name
no aaa group server radius group_name
default aaa group server radius group_name
Parameters
group_name name (text string) assigned to the group. Cannot be identical to a name already assigned to a TACACS+ server group.
Commands Available in Server-group-RADIUS Configuration Mode
server (server-group-RADIUS configuration mode).
Related Command
switch(config)# aaa group server radius RAD-SV1
switch(config-sg-radius-RAD-SV1)#
aaa group server tacacs+
The aaa group server tacacs+ command enters Server-group-TACACS+ Configuration Mode for the specified group name. The command creates the specified group if it was not previously created. Commands are available to add servers to the group.
A server group is a collection of servers that are associated with a single label. Subsequent authorization and authentication commands access all servers in a group by invoking the group name. Server group members must be previously configured with a tacacs-server host command.
The no aaa group server tacacs+ and default aaa group server tacacs+ commands delete the specified server group from running-config.
Command Mode
Global Configuration
Command Syntax
aaa group server tacacs+ group_name
no aaa group server tacacs+ group_name
default aaa group server tacacs+ group_name
Parameters
group_name name (text string) assigned to the group. Cannot be identical to a name already assigned to a RADIUS server group.
Commands Available in Server-group-TACACS+ Configuration Mode
server (server-group-TACACS+ configuration mode)Related Command
aaa group server radiusswitch(config)# aaa group server tacacs+ TAC-GR
switch(config-sg-tacacs+-TAC-GR)#
aaa root
The aaa root command specifies the password security level for the root account and can assign a password to the account.
The no aaa root and default aaa root commands disable the root account by removing the aaa root command from running-config. The root account is disabled by default.
Command Mode
Global Configuration
Command Syntax
aaa root SECURITY_LEVEL [ENCRYPT_TYPE] [password]
no aaa root
default aaa root
- SECURITY_LEVEL password assignment level. Settings include:
- secret the root account is assigned to the password.
- nopassword the root account is not password protected.
- ENCRYPT_TYPE encryption level of the password parameter. This parameter is present only when SECURITY_LEVEL is secret. Settings include:
- no parameter the password is entered as clear text.
- 0 the password is entered as clear text. Equivalent to no parameter.
- 5 the password is entered as an MD5-encrypted string.
- sha512 the password is entered as an SHA-512-encrypted string.
- password text that authenticates the username. The command includes this parameter only if SECURITY_LEVEL is secret.
- password must be in clear text if ENCRYPT_TYPE specifies clear text.
- password must be an appropriately encrypted string if ENCRYPT_TYPE specifies encryption.
Encrypted strings entered through this parameter are generated elsewhere.
- These equivalent commands assign f4980 as the root account password.
switch(config)# aaa root secret f4980 switch(config)# aaa root secret 0 f4980
- This command assigns the text (ab234) that corresponds to the encrypted string of $1$HW05LEY8$QEVw6JqjD9VqDfh.O8r.b. as the root password.
switch(config)# aaa root secret 5 $1$HW05LEY8$QEVw6JqjD9VqDfh.O8r.b switch(config)#
- This command removes the password from the root account.
switch(config)# aaa root nopassword switch(config)#
- This command disables the root login.
switch(config)# no aaa root switch(config)#
clear aaa authentication lockout
The clear aaa authentication lockout command clears the locked status of a user so as to allow access within a lockout period. If no user is specified, the command clears the locked status of all users.
Command Mode
Privileged EXEC
Command Syntax
clear aaa authentication lockout [user user_name]
- user user_name the specific name of the user.
- This command clears the locked status of the user Alice.
switch# clear aaa authentication lockout user Alice
clear aaa counters radius
The clear aaa counters radius command resets the counters that track the statistics for the RADIUS servers that the switch accesses. The show radius command displays the counters reset by the clear aaa counters radius command.
Command Mode
Privileged EXEC
Command Syntax
clear aaa counters radius
switch# show radius
RADIUS server : radius/10
Connection opens: 204
Connection closes: 0
Connection disconnects: 199
Connection failures: 10
Connection timeouts: 2
Messages sent: 1490
Messages received: 1490
Receive errors: 0
Receive timeouts: 0
Send timeouts: 0
Last time counters were cleared: never
switch# clear aaa counters radius
switch# show radius
RADIUS server : radius/10
Connection opens: 0
Connection closes: 0
Connection disconnects: 0
Connection failures: 0
Connection timeouts: 0
Messages sent: 0
Messages received: 0
Receive errors: 0
Receive timeouts: 0
Send timeouts: 0
Last time counters were cleared: 0:00:03 ago
switch#
clear aaa counters tacacs+
The clear aaa counters tacacs+ command resets the counters that track the statistics for the TACACS+ servers that the switch accesses. The show tacacs command displays the counters reset by the clear aaa counters tacacs+ command.
Command Mode
Privileged EXEC
Command Syntax
clear aaa counters tacacs+
switch# show tacacs
TACACS+ server : tacacs/49
Connection opens: 15942
Connection closes: 7
Connection disconnects: 1362
Connection failures: 0
Connection timeouts: 0
Messages sent: 34395
Messages received: 34392
Receive errors: 0
Receive timeouts: 2
Send timeouts: 0
Last time counters were cleared: never
TACACS+ source-interface: Enabled
TACACS+ outgoing packets will be sourced with an IP address associated with the
Loopback0 interface
switch# clear aaa counters tacacs+
switch# show tacacs
TACACS+ server : tacacs/49
Connection opens: 0
Connection closes: 0
Connection disconnects: 0
Connection failures: 0
Connection timeouts: 0
Messages sent: 0
Messages received: 0
Receive errors: 0
Receive timeouts: 0
Send timeouts: 0
Last time counters were cleared: 0:00:03 ago
switch#
TACACS+ source-interface: Enabled
TACACS+ outgoing packets will be sourced with an IP address associated with the
Loopback0 interface
switch#
clear aaa counters
The clear aaa counters command resets the counters that track the number of service transactions performed by the switch since the last time the counters were reset. The show aaa counters command displays the counters reset by the clear aaa counters command.
Command Mode
Privileged EXEC
Command Syntax
clear aaa counters [SERVICE_TYPE]
switch# clear aaa counters
switch# show aaa counters
Authentication
Successful: 0
Failed: 0
Service unavailable: 0
Authorization
Allowed: 1
Denied: 0
Service unavailable: 0
Accounting
Successful: 0
Error: 0
Pending: 0
Last time counters were cleared: 0:00:44 ago
deny (Role)
The deny command adds a deny rule to the configuration mode role. Deny rules prohibit access of specified commands from usernames to which the role is applied. Sequence numbers determine rule placement in the role. Commands are compared sequentially to rules within a role until it matches a rule. A commands authorization is determined by the first rule it matches. Sequence numbers for commands without numbers are derived by adding 10 to the number of the roles last rule.
Deny rules use regular expressions to denote commands. A mode parameter specifies command modes from which commands are restricted. Modes are denoted either by predefined keywords, a command modes short key, or a regular expression that specifies the long key of one or more command modes.
The no deny and default deny commands remove the specified rule from the configuration mode role. The no <sequence number> (Role) command also removes the specified rule from the role.
Command Mode
Role Configuration
Command Syntax
[SEQ_NUM] deny [MODE_NAME] command command_name
no deny [MODE_NAME] command command_name
default deny [MODE_NAME] command command_name
- SEQ_NUM Sequence number assigned to the rule. Options include:
- no parameter Number is derived by adding 10 to the number of the roles last rule.
- 1 - 256 Number assigned to entry.
- MODE_NAME Command mode from which command access is prohibited. Values include:
- no parameter All command modes.
- mode short_name Exact match of a modes short key name.
- mode long_name Regular expression matching long key name of one or more modes.
- mode config Global configuration mode.
- mode config-all All configuration modes, including global configuration mode.
- mode exec EXEC and Privileged EXEC modes.
- command_name Regular expression that denotes the name of one or more commands.
Guidelines
- %p Short mode key.
- %P Long mode key.
Deny statements are saved to running-config only upon exiting Role configuration mode.
Related Command
The role command places the switch in Role configuration mode.
switch(config)# role sysuser
switch(config-mode-sysuser)# deny mode exec command reload
switch(config-mode-sysuser)#
enable password
The enable password command creates a new enable password or changes an existing password.
The no enable password and default enable password commands delete the enable password by removing the enable password command from running-config.
Command Mode
Global Configuration
Command Syntax
enable password [ENCRYPT_TYPE] password
no enable password
default enable password
- ENCRYPT_TYPE encryption level of the password parameter. Settings include:
- no parameter the password is entered as clear text.
- 0 the password is entered as clear text. Equivalent to <no parameter>.
- 5 the password is entered as an MD5 encrypted string.
- sha512 the password is entered as an SHA-512-encrypted string.
- password text that authenticates the username.
- password must be in clear text if ENCRYPT_TYPE specifies clear text.
- password must be an appropriately encrypted string if ENCRYPT_TYPE specifies encryption.
Encrypted strings entered through this parameter are generated elsewhere.
- These equivalent commands assign xyrt1 as the enable password.
switch(config)#enable password xyrt1 switch(config)#enable password 0 xyrt1
- This command assigns the enable password to the clear text (12345) that corresponds to the encrypted string $1$8bPBrJnd$Z8wbKLHpJEd7d4tc5Z/6h/. The string was generated by an MD5-encryption program using 12345 as the seed.
switch(config)# enable password 5 $1$8bPBrJnd$Z8wbKLHpJEd7d4tc5Z/6h/ switch(config)#
- This command deletes the enable password.
switch(config)# no enable password switch(config)#
ip radius source-interface
The ip radius source-interface command specifies the interface from which the IPv4 address is derived for use as the source for outbound RADIUS packets. When a source interface is not specified, the switch selects an interface.
The no ip radius source-interface and default ip radius source-interface commands remove the ip radius source-interface command from running-config.
Command Mode
Global Configuration
Command Syntax
ip radius [vrf_inst] source-interface slot_number
no ip radius [vrf_inst] source-interface
default ip radius [vrf_inst] source-interface
- vrf_inst specifies the VRF instance used to communicate with the specified server.
- no parameter switch communicates with the server using the default VRF.
- vrf vrf_name switch communicates with the server using the specified user-defined VRF.
- int_name Interface type and number. Options include:
- Ethernet e_num - Ethernet interface specified by slot_number.
- Loopback slot_number - Loopback interface specified by slot_number.
- Management slot_number - Management interface specified by slot_number.
- Port-channel slot_number - Port-channel interface specified by slot_number.
- Tunnel tunnel_number -
- Vlan v_num VLAN interface specified by v_num.
Example
switch(config)# ip radius source-interface loopback 0
switch(config)#
ip tacacs source-interface
The ip tacacs source-interface command specifies the interface from which the IPv4 address is derived for use as the source for outbound TACACS+ packets. When a source interface is not specified, the switch selects an interface.
The no ip tacacs source-interface and default ip tacacs source-interface commands remove the ip tacacs source-interface command from running-config.
Command Mode
Global Configuration
Command Syntax
ip tacacs [VRF_INST] source-interface INT_NAME
no ip tacacs [VRF_INST] source-interface
default ip tacacs [VRF_INST] source-interface
- VRF_INST specifies the VRF instance used to communicate with the specified server.
- no parameter switch communicates with the server using the default VRF.
- vrf vrf_name switch communicates with the server using the specified user-defined VRF.
- INT_NAME Interface type and number. Options include:
- interface ethernet e_num Ethernet interface specified by e_num.
- interface loopback l_num Loopback interface specified by l_num.
- interface management m_num Management interface specified by m_num.
- interface port-channel p_num Port-channel interface specified by p_num.
- interface vlan v_num VLAN interface specified by v_num.
switch(config)# ip tacacs source-interface loopback 0
switch(config)#
no <sequence number> (Role)
The no <sequence number> command removes the rule with the specified sequence number from the configuration-mode role. The default <sequence number> command also removes the specified rule.
Command Mode
Role Configuration
Command Syntax
no sequence_num
default sequence_num
Parameters
sequence_num sequence number of rule to be deleted. Values range from 1 to 256.
Guidelines
Role statement changes are saved to running-config only upon exiting Role configuration mode.
Related Command
The role command places the switch in Role configuration mode.
switch(config)# show users roles sysuser
The default role is network-operator
role: sysuser
10 deny mode exec command reload
20 deny mode config command (no |default )?router
30 deny mode config command (no |default )?(ip|mac) access-list
40 deny mode if command (no |default )?(ip|mac) access-group
50 deny mode config-all command lacp|spanning-tree
60 permit command .*
switch(config)# role sysuser
switch(config-role-sysuser)# no 30
switch(config-role-sysuser)# exit
switch(config)# show users roles sysuser
The default role is network-operator
role: sysuser
10 deny mode exec command reload
20 deny mode config command (no |default )?router
40 deny mode if command (no |default )?(ip|mac) access-group
50 deny mode config-all command lacp|spanning-tree
60 permit command .*
switch(config)#
radius-server deadtime
The radius-server deadtime command defines global deadtime period, when the switch ignores a non-responsive RADIUS server. A non-responsive server is one that fails to answer any attempt to retransmit after a timeout expiry. Deadtime is disabled if a value is not configured.
The no radius-server deadtime and default radius-server deadtime commands restore the default global deadtime period of three minutes by removing the radius-server deadtime command from running-config.
Command Mode
Global Configuration
Command Syntax
radius-server deadtime dead_interval
no radius-server deadtime
default radius-server deadtime
Parameters
dead_interval period that the switch ignores non-responsive servers (minutes). Values range from 1 to 1000. Default is 3.
switch(config)# radius-server deadtime 120
switch(config)#
radius-server host
The radius-server host command sets parameters for communicating with a specific RADIUS server. These values override global settings when the switch communicates with the specified server.
A RADIUS server is defined by its server address, authorization port, and accounting port. Servers with different address-authorization port-accounting port combinations have separate configurations.
The no radius-server host and default radius-server commands remove settings for the RADIUS server configuration at the specified address-authorization port-accounting port location by deleting the corresponding radius-server host command from running-config.
Command Mode
Global Configuration
Command Syntax
radius-server host ADDR [VRF_INST][AUTH][ACCT][TIMEOUT][DEAD][RETRAN][ENCRYPT]
no radius-server host [ADDR][VRF_INST][AUTH][ACCT]
default radius-server host [ADDR][VRF_INST][AUTH][ACCT]
- ADDR RADIUS server location. Options include:
- ipv4_addr server's IPv4 address.
- host_name server's DNS host name (FQDN).
- VRF_INST specifies the VRF instance used to communicate with the specified server.
- no parameter switch communicates with the server using the default VRF.
- vrf vrf_name switch communicates with the server using the specified user-defined VRF.
- AUTH Authorization port number.
- no parameter default port of 1812.
- auth-port number number ranges from 1 to 65535.
- ACCT Accounting port number.
- no parameter default port of 1813.
- acct-port number numbers range from 1 to 65535.
- TIMEOUT timeout period (seconds). Ranges from 1 to 1000.
- no parameter assigns global timeout value (see radius-server timeout).
- timeout number assigns number as the timeout period. Ranges from 1 to 1000.
- DEAD period (minutes) when the switch ignores a non-responsive RADIUS server.
- no parameter assigns global deadtime value (see radius-server deadtime ).
- deadtime number specifies deadtime, where number ranges from 1 to 1000.
- RETRAN attempts to access RADIUS server after the first timeout expiry.
- no parameter assigns global retransmit value (see radius-server retransmit).
- retransmit number specifies number of attempts, where number ranges from 1 to 100.
- ENCRYPT encryption key that switch and server use to communicate.
- no parameter assigns global encryption key (see radius-server key).
- key key_text where key_text is in clear text.
- key 5 key_text where key_text is in clear text.
- key 7 key_text where key_text is provide in an encrypted string.
- This command configures the switch to communicate with the RADIUS server located at 10.1.1.5. The switch uses the global timeout, deadtime, retransmit, and key settings to communicate with this server, and communicates through port 1812 for authorization and 1813 for accounting.
switch(config)# radius-server host 10.1.1.5 switch(config)#
- This command configures the switch to communicate with the RADIUS server assigned the host name RAD-1. Communication for authorization is through port 1850; communication for accounting is through port 1813 (the default).
switch(config)# radius-server host RAD-1 auth-port 1850 switch(config)#
radius-server key
The radius-server key command defines the global encryption key the switch uses when communicating with any RADIUS server for which a key is not defined.
The no radius-server key and default radius-server key commands remove the global key from running-config.
Command Mode
Global Configuration
Command Syntax
radius-server key [ENCRYPT_TYPE] encrypt_key
no radius-server key
default radius-server key
- ENCRYPT_TYPE encryption level of encrypt_key.
- no parameter encryption key is entered as clear text.
- 0 encryption key is entered as clear text. Equivalent to no parameter.
- 7 encrypt_key is an encrypted string.
- encrypt_key shared key that authenticates the username.
- encrypt_key must be in clear text if ENCRYPT_TYPE specifies clear text.
- encrypt_key must be an encrypted string if ENCRYPT_TYPE specifies an encrypted string.
Encrypted strings entered through this parameter are generated elsewhere.
Related Command
- This command configures cv90jr1 as the global encryption key.
switch(config)# radius-server key 0 cv90jr1 switch(config)#
- This command assigns cv90jr1 as the key by specifying the corresponding encrypted string.
switch(config)# radius-server key 7 020512025B0C1D70 switch(config)#
radius-server retransmit
The radius-server retransmit command defines the global retransmit count, which specifies the number of times the switch attempts to access the RADIUS server after the first timeout expiry.
The no radius-server retransmit and default radius-server retransmit commands restore the global retransmit count to its default value of three by deleting the radius-server retransmit command from running-config.
Command Mode
Global Configuration
Command Syntax
radius-server retransmit count
no radius-server retransmit
default radius-server retransmit
Parameters
count retransmit attempts after first timeout expiry. Values range from 1 to 100. Default is 3.
Related Command
switch(config)# radius-server retransmit 5
switch(config)#
radius-server timeout
The radius-server timeout command defines the global timeout the switch uses when communicating with any RADIUS server for which a timeout is not defined.
The no radius-server timeout and default radius-server timeout commands restore the global timeout default period of five seconds by removing the radius-server timeout command from running-config.
Command Mode
Global Configuration
Command Syntax
radius-server timeout time_period
no radius-server timeout
default radius-server timeout
Parameters
time_period timeout period (seconds). Values range from 1 to 1000. Default is 5.
Related Commands
switch(config)# radius-server timeout 50
switch(config)#
resequence (Role)
The resequence command assigns sequence numbers to rules in the configuration mode role. Command parameters specify the number of the first rule and the numeric interval between consecutive rules.
The maximum sequence number is 256.
Command Mode
Role Configuration
Command Syntax
resequence start_num inc_num
- start_num sequence number assigned to the first rule. Value ranges from 1 to 256. Default is 10.
- inc_num numeric interval between consecutive rules. Value ranges from 1 to 256. Default is 10.
Guidelines
Role statement changes are saved to running-config only upon exiting Role configuration mode.
Related Command
The role command places the switch in Role configuration mode.
switch(config)# show users roles sysuser
The default role is network-operator
role: sysuser
10 deny mode exec command reload
20 deny mode config command (no |default )?router
40 deny mode if command (no |default )?(ip|mac) access-group
50 deny mode config-all command lacp|spanning-tree
60 permit command .*
switch(config)# role sysuser
switch(config-role-sysuser)# resequence 15 5
switch(config-role-sysuser)# exit
switch(config)# show users roles sysuser
The default role is network-operator
role: sysuser
15 deny mode exec command reload
20 deny mode config command (no |default )?router
25 deny mode if command (no |default )?(ip|mac) access-group
30 deny mode config-all command lacp|spanning-tree
35 permit command .*
switch(config)#
permit (Role)
The permit command adds a permit rule to the configuration mode role. Permit rules authorize access to specified commands for usernames to which the role is applied. Sequence numbers determine rule placement in the role. Commands are compared sequentially to rules within a role until it matches a rule. A command's authorization is determined by the first rule it matches. Sequence numbers for commands without numbers are derived by adding 10 to the number of the role's last rule.
Permit rules use regular expression to denote commands. A mode parameter specifies command modes in which commands are authorized. Modes are denoted either by predefined keywords, a command modes short key, or a regular expression that specifies the long key of one or more command modes.
The no deny and default deny commands remove the specified rule from the configuration mode role. The no <sequence number> (Role) command also removes the specified rule from the role.
Command Mode
Role Configuration
Command Syntax
[SEQ_NUM] permit [MODE_NAME] command command_name
no permit [MODE_NAME] command ] command_name
default permit [MODE_NAME] command command_name
- SEQ_NUM Sequence number assigned to the rule. Options include:
- <no parameter> Number is derived by adding 10 to the number of the roles last rule.
- <1 - 256> Number assigned to entry.
- MODE_NAME Command mode in which command access is authorized. Values include:
- no parameter All command modes.
- mode short_name Exact match of a modes short-key name.
- mode long_name Regular expression matching long-key name of one or more modes.
- mode config Global configuration mode.
- mode config-all All configuration modes, including global configuration mode.
- mode exec EXEC and Privileged EXEC modes.
- command_name Regular expression that denotes the name of one or more commands.
Guidelines
- %p Short-mode key.
- %P Long-mode key.
Permit statements are saved to running-config only upon exiting Role configuration mode.
Related Commands
The role command places the switch in Role Cconfiguration mode.
switch(config)# role sysuser
switch(config-mode-sysuser)# permit mode if-Vl(1|2) command .*
switch(config-mode-sysuser)#
role
The role command places the switch in Role Configuration Mode, which is a group-change mode that modifies a role. A role is a data structure that supports local command authorization through its assignment to user accounts. Roles consist of permit and deny rules that define authorization levels for specified commands. Applying a role to a username authorizes the user to execute commands specified by the role.
The role command specifies the name of the role that subsequent commands modify and creates a role if it references a nonexistent role. All changes in a group change mode edit session are pending until the session ends:
- The exit command saves pending changes to running-config and returns the switch to Global Configuration Mode. Changes are also saved by entering a different configuration mode.
- The abort command discards pending changes, returning the switch to Global Configuration Mode.
The no role and default role commands delete the specified role by removing the role and its statements from running-config.
Command Mode
Global Configuration
Command Syntax
role role_name
no role role_name
default role role_name
Parameters
role_name Name of role.
Commands Available in Role Configuration Mode:
Related Commands
- This command places the switch in Role configuration mode to modify the speaker role.
switch(config)# role speaker switch(config-role-speaker)#
-
This command saves changes to speaker role, then returns the switch to Global configuration mode.
switch(config-role-speaker)# exit switch(config)#
-
This command discards changes to speaker, then returns the switch to Global configuration mode.
switch(config-role-speaker)# abort switch(config)#
server (server-group-RADIUS configuration mode)
The server (server-group-RADIUS configuration mode) command adds the specified RADIUS server to the configuration-mode group. Servers must be configured with the radius-server host command before adding them to the server group.
A RADIUS server is defined by its server address, authorization port, and accounting port. A group can contain multiple servers with the same IP address that have different authorization or accounting ports.
The no server and default server commands remove the specified server from the group.
Command Mode
Server-Group-RADIUS Configuration
Command Syntax
server LOCATION [VRF_INST][AUTH][ACCT]
no server LOCATION [VRF_INST][AUTH][ACCT]
default server LOCATION [VRF_INST][AUTH][ACCT]
- LOCATION RADIUS server location. Options include:
- ipv4_addr server's IPv4 address.
- host_name server's DNS host name (FQDN).
- VRF_INST specifies the VRF instance used to communicate with the specified server.
- no parameter switch communicates with the server using the default VRF.
- vrf vrf_name switch communicates with the server using the specified user-defined VRF.
- AUTH Authorization port number.
- no parameter default port of 1812.
- auth-port number number ranges from 1 to 65535.
- ACCT Accounting port number.
- no parameter default port of 1813.
- acct-port number number ranges from 1 to 65535.
Related Commands
The aaa group server radius command places the switch in Server-group-RADIUS cConfiguration mode.
switch(config)# aaa group server radius RAD-SV1
switch(config-sg-radius-RAD-SV1)# server RAC-1
switch(config-sg-radius-RAD-SV1)# server 10.1.5.14 acct-port 1851
switch(config-sg-radius-RAD-SV1)#
server (server-group-TACACS+ configuration mode)
The server (server-group-TACACS+ configuration mode) command adds the specified TACACS+ server to the configuration-mode group. Servers must be configured with the tacacs-server host command before adding them to the server group.
A TACACS+ server is defined by its server address and port number. Servers with different address-port combinations have separate statements in running-config.
The no server and default server commands remove the specified server from the group.
Command Mode
Server-group-TACACS+ Configuration
Command Syntax
server LOCATION [VRF_INST][PORT]
no server LOCATION [VRF_INST][PORT]
default server LOCATION [VRF_INST][PORT]
- LOCATION TACACS+ server location. Options include:
- ipv4_addr server's IPv4 address.
- ipv6_addr server's IPv6 address.
- host_name server's DNS host name (FQDN).
- VRF_INST specifies the VRF instance used to communicate with the specified server.
- no parameter switch communicates with the server using the default VRF.
- vrf vrf_name switch communicates with the server using the specified user-defined VRF.
- PORT TCP connection port number.
- no parameter default port of 49.
- port number number ranges from 1 to 65535.
Related Command
The aaa group server tacacs+ command places the switch in Server-group-TACACS+ configuration mode.
switch(config)# aaa group server tacacs+ TAC-GR
switch(config-sg-tacacs+-TAC-GR)# server TAC-1
switch(config-sg-tacacs+-TAC-GR)# server 10.1.4.14
switch(config-sg-tacacs+-TAC-GR)#
show aaa
The show aaa command displays the user database. The command displays the encrypted enable password first, followed by a table of usernames and their corresponding encrypted password.
The command does not display unencrypted passwords.
Command Mode
Privileged EXEC
Command Syntax
show aaa
switch# show aaa
Enable password (encrypted): $1$UL4gDWy6$3KqCPYPGRvxDxUq3qA/Hs/
Username Encrypted passwd
-------- ----------------------------------
admin
janis $1$VVnDH/Ea$iwsfnrGNO8nbDsf0tazp9/
thomas $1$/MmXTUil$.fJxLfcumzppNSEDVDWq9.
switch#
show aaa authentication lockout
The show aaa authentication lockout command displays the status of locked-out users who could not log within the specified time and number of login attempts.
Command Mode
Privileged EXEC
Command Syntax
show aaa authentication lockout
- This command displays the status of Alice, who is the locked out user. Alice's last failed login was at 17:50:06, and her lockout will be cleared at 17:51:06, in 58 seconds. When the duration of 58 seconds elapses, Alice’s name will no longer be displayed.
switch# show aaa authentication lockout User Start Time End Time Expires In --------- ------------------------- ------------------------- ---------- alice Fri Jul 12 17:50:06 2020 Fri Jul 12 17:51:06 2020 0:00:58
show aaa counters
The show aaa counters command displays the number of service transactions performed by the switch since the last time the counters were reset.
Command Mode
Privileged EXEC
Command Syntax
show aaa counters
switch# show aaa counters
Authentication
Successful: 30
Failed: 0
Service unavailable: 0
Authorization
Allowed: 188
Denied: 0
Service unavailable: 0
Accounting
Successful: 0
Error: 0
Pending: 0
Last time counters were cleared: never
switch#
show aaa methods
The show aaa methods command displays all the named method lists defined in the specified Authentication, Authorization, and Accounting (AAA) service.
Command Mode
Privileged EXEC
Command Syntax
show aaa methods SERVICE_TYPE
Parameters
- accounting accounting services.
- authentication authentication services.
- authorization authorization services.
- all accounting, authentication, and authorization services.
switch# show aaa methods all
Authentication method lists for LOGIN:
name=default methods=group tacacs+, local
Authentication method list for ENABLE:
name=default methods=local
Authorization method lists for COMMANDS:
name=privilege0-15 methods=group tacacs+, local
Authentication method list for EXEC:
name=exec methods=group tacacs+, local
Accounting method lists for COMMANDS:
name=privilege0-15 default-action=none
Accounting method list for EXEC:
name=exec default-action=none
switch#
show management ldap
The show management ldap command displays information about the LDAP configuration.
Command Mode
EXEC
Command Syntax
show management ldap
Parameter
- no parameter state of the system.
switch# show management ldap
LDAP server: prod-dc-hq1.aristanetworks.com/389
Binds requested: 6
Binds successful: 6
Binds failed: 0
Binds timed out: 0
FIPS is ON
Last time counters were cleared: 1:16:41 ago
The authentication action in LDAP is the bind, which is equivalent to attempting a log-in. There will be two binds per login attempt, one for the admin account and one for the user account.
switch# show management security ssl profile
Profile State
----------------- -----------
testProfile valid
To verify a user accounts authorization being performed by ldap, use “show users detail”:
switch# show users detail
Session Username Roles TTY State Duration Auth Remote Host
-------- --------- ------------- ---- ----- --------- ---------- ---------------------------------------
1006 erahn network-admin vty3 E 0:00:05 group ldap fd7a:629f:52a4:dc25:b08d:feff:feed:2ce7
To validate the role for a current session the vty information in the TTY column must be matched against the Line column in the following command. The row with a “*” character at the start is the current session where the command was run:
switch#show users
Line User Host(s) Idle Location
1 con 0 admin idle 01:19:00 -
2 vty 10 srv-sw-ldaptest idle 01:19:00 172.16.124.151
* 3 vty 3 erahn idle 00:00:04 fd7a:629f:52a4:dc25:b08d:feff:feed:2ce7
show privilege
The show privilege command displays the current privilege level for the CLI session.
Command Mode
EXEC
Command Syntax
show privilege
switch> show privilege
Current privilege level is 15
switch>
show radius
The show radius command displays statistics for the RADIUS servers that the switch accesses.
Command Mode
EXEC
Command Syntax
show radius
switch#show radius
RADIUS server : radius/10
Connection opens: 204
Connection closes: 0
Connection disconnects: 199
Connection failures: 10
Connection timeouts: 2
Messages sent: 1490
Messages received: 1490
Receive errors: 0
Receive timeouts: 0
Send timeouts: 0
Last time counters were cleared: never
switch#
show tacacs
The show tacacs command displays statistics for the TACACS+ servers that the switch accesses.
Command Mode
EXEC
Command Syntax
show tacacs
switch# show tacacs
TACACS+ server : tacacs/49
Connection opens: 15942
Connection closes: 7
Connection disconnects: 1362
Connection failures: 0
Connection timeouts: 0
Messages sent: 34395
Messages received: 34392
Receive errors: 0
Receive timeouts: 2
Send timeouts: 0
Last time counters were cleared: never
TACACS+ source-interface: Enabled
TACACS+ outgoing packets will be sourced with an IP address associated with the
Loopback0 interface
switch#
show users accounts
The show users accounts command displays the names, roles, and privilege levels of users that are listed in running-config. The SSH public key is also listed for names for which an SSH key is configured.
Command Mode
Privileged EXEC
Command Syntax
show users accounts
switch# show users accounts
user: FRED
role: <unknown>
privilege level: 1
ssh public key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDjUg2VDiBX7In0q
HtN5PyHOWtYvIoeZsxF5YmesQ/rh++mbpT504dL7So+Bpr9T/0qIj+zilat8fX/JlO42+3pjfkHY/+l
sT2EPNjGTK7uJv1wSGmhc3+90dNmJtr5YVlJFjjQ5m+5Pa+PGe3z4JIV1lY2NhLrV2fXtbciLdjnj6F
AlhXjiLt51DJhG13uUxGBJe0+NlGvpEsTJVJvMdJuS6weMi+xSXc9yQimVD2weJBHsYFnghST2j0pAy
F2S7/EOU13pY42RztDSs42nMNNrutPT0q5Z17aAKvhpd0dDlc+qIwrCrXbeIChHem7+0N8/zA3alBK4
eKSFSZBd3Pb admin@switch
switch#
user: JANE
role: sysuser2
privilege level: 1
user: admin
role: network-admin
privilege level: 1
show users detail
The show users detail command displays information about active AAA login sessions. Information includes username, roles, TTY, state of the session (pending or established), duration, authentication method, and if available, remote host and remote username.
Command Mode
Privileged EXEC
Command Syntax
show users detail
switch# show users detail
Session Username Roles TTY State Duration Auth Remote Host
------- ---------- ------------ ------ ----- -------- ------------- ------------
2 admin network-admin ttyS0 E 0:01:21 local
4 joe sysadmin telnet E 0:02:01 local sf.example.com
6 alice sysadmin ssh E 0:00:52 group radius ny.example.com
7 bob sysadmin ssh E 0:00:48 group radius la.example.com
8 kim network-admin1 ssh E 0:00:55 group radius de.example.com
9 admin network-admin ssh E 0:00:07 local bj.example.com
10 max network-admin telnet E 0:00:07 local sf.example.com
show users roles
The show users roles command displays the name of the default role and the contents of the specified roles. Commands that do not specify a role display the rules in all built-in and configured roles.
Command Mode
Privileged EXEC
Command Syntax
show users roles [ROLE_LIST]
Parameters
- no parameter Command displays all roles.
- role_name Name of role displayed by command.
Related Command
The role command places the switch in Role configuration mode, which is used to create new roles or modify existing roles.
switch# show users roles
The default role is network-operator
role: network-admin
10 permit command .*
role: network-operator
10 deny mode exec command bash|\|
20 permit mode exec command .*
role: sysuser
15 deny mode exec command reload
20 deny mode config command (no |default )?router
25 deny mode if command (no |default )?(ip|mac) access-group
30 deny mode config-all command lacp|spanning-tree
35 permit command .*
40 deny mode exec command .*
50 permit mode exec command show|clear (counters|platform)|configure
show users
The show users command displays the usernames that are currently logged into the switch.
Command Mode
Privileged EXEC
Command Syntax
show users
switch# show users
Line User Host(s) Idle Location
1 vty 2 john idle 1d 10.22.6.113
2 vty 4 jane idle 21:33:00 10.22.26.26
* 3 vty 6 ted idle 00:00:01 10.17.18.71
switch#
tacacs-server host
The tacacs-server host command sets communication parameters for communicating with a specific TACACS+ server. These values override global settings when the switch communicates with the specified server.
A TACACS+ server is defined by its server address and port number. Servers with different combinations of address-port-VRF-multiplex settings have separate statements in running-config.
The no tacacs-server host and default tacacs-server host commands remove settings for the TACACS+ server configuration at the specified address-port-VRF combination by deleting the corresponding tacacs-server host command from running-config.
Command Mode
Global Configuration
Command Syntax
tacacs-server host SERVER_ADDR [MULTIPLEX][VRF_INST][PORT][TIMEOUT][ENCRYPT]
no tacacs-server host [SERVER_ADDR][MULTIPLEX][VRF_INST][PORT]
default tacacs-server host [SERVER_ADDR][MULTIPLEX][VRF_INST][PORT]
- SERVER_ADDR TACACS+ server location. Options include:
- ipv4_addr server's IPv4 address.
- ipv6_addr server's IPv6 address.
- host_name server's DNS host name (FQDN).
- MULTIPLEX TACACS+ server support of multiplex sessions on a TCP connection.
- no parameter server does not support multiplexing.
- single-connection server supports session multiplexing.
- VRF_INST specifies the VRF instance used to communicate with the specified server.
- <no parameter> switch communicates with the server using the default VRF.
- vrf vrf_name switch communicates with the server using the specified user-defined VRF.
- PORT port number of the TCP connection.
- no parameter default port of 49.
- port number port number ranges from 1 to 65535.
- TIMEOUT timeout period (seconds).
- no parameter assigns the globally configured timeout value (see tacacs-server timeout ).
- timeout number timeout period (seconds). Number ranges from 1 to 1000.
- ENCRYPT encryption key the switch and server use to communicate. Settings include:
- no parameter assigns the globally configured encryption key (see tacacs-server key).
- key key_text where key_text is in clear text.
- key 5 key_text where key_text is in clear text.
- key 7 key_text where key_text is an encrypted string.
- This command configures the switch to communicate with the TACACS+ server located at 10.1.1.5. The switch uses the global timeout, encryption key, and port settings.
switch(config)# tacacs-server host 10.1.1.5 switch(config)#
- This command configures the switch to communicate with the TACACS+ server assigned the host name TAC_1. The switch defines the timeout period as 20 seconds and the encryption key as rp31E2v.
switch(config)# tacacs-server host TAC_1 timeout 20 key rp31E2v switch(config)#
- This command configures the switch to communicate with the TACACS+ server located at 10.12.7.9, indicates that the server supports multiplexing sessions on the same TCP connection, and that access is through port 54.
switch(config)# tacacs-server host 10.12.7.9 single-connection port 54 switch(config)#
tacacs-server key
The tacacs-server key command defines the global encryption key the switch uses when communicating with any TACACS+ server for which a key is not defined.
The no tacacs-server key and default tacacs-server key commands remove the global key from running-config.
Command Mode
Global Configuration
Command Syntax
tacacs-server key [ENCRYPT_TYPE] encrypt_key
no tacacs-server key
default tacacs-server key
- ENCRYPT_TYPEencryption level of encrypt_key.
- no parameter encryption key is entered as clear text.
- 0 encryption key is entered as clear text. Equivalent to no parameter.
- 7 encrypt_key is an encrypted string.
- encrypt_key shared key that authenticates the username.
- encrypt_key must be in clear text if ENCRYPT_TYPE specifies clear text.
- encrypt_key must be an encrypted string if ENCRYPT_TYPE specifies an encrypted string.
Encrypted strings entered through this parameter are generated elsewhere.
Related Command
- This command configures cv90jr1 as the encryption key.
switch(config)# tacacs-server key 0 cv90jr1 switch(config)#
- This command assigns cv90jr1 as the key by specifying the corresponding encrypted string.
switch(config)# tacacs-server key 7 020512025B0C1D70 switch(config)#
tacacs-server policy
The tacacs-server policy command programs the switch to permit access to TACACS+ servers that send mandatory attribute-value (AV) pairs that the switch does not recognize. By default, the switch denies access to TACACS+ servers when it receives unrecognized AV pairs from the server.
The switch recognizes the following mandatory AV pairs:
priv-lvl=x where x is an integer between 0 and 15.
The no tacacs-server policy and default tacacs-server policy commands restore the switch default of denying access to servers from which it receives unrecognized mandatory AV pair by deleting the tacacs-server policy statement from running-config.
Command Mode
Global Configuration
Command Syntax
tacacs-server policy unknown-mandatory-attribute ignore
no tacacs-server policy unknown-mandatory-attribute ignore
default tacacs-server policy unknown-mandatory-attribute ignore
switch(config)# tacacs-server policy unknown-mandatory-attribute ignore
switch(config)#
tacacs-server timeout
The tacacs-server timeout command defines the global timeout the switch uses when communicating with any TACACS+ server for which a timeout is not defined.
The no tacacs-server timeout and default tacacs-server timeout commands restore the global timeout default period of five seconds by removing the tacacs-server timeout command from running-config.
Command Mode
Global Configuration
Command Syntax
tacacs-server timeout time_period
no tacacs-server timeout
default tacacs-server timeout
Parameters
time_period timeout period (seconds). Values range from 1 to 1000. Default is 5.
Related Command
switch(config)# tacacs-server timeout 20
switch(config)#
username ssh-key
The username ssh-key command configures an SSH key for the specified username. Command options allow the key to be entered directly into the CLI or referenced from a file.
The specified username must be previously configured through a username command.
The no username ssh-key and default username ssh-key commands delete the SSH key for the specified username by removing the corresponding username ssh-key command from running-config.
The no username ssh-key role and default username ssh-key role commands perform the following:
- delete the SSH key for the specified username by removing the corresponding username ssh-key command from running-config.
- delete the role assignment from the specified username by editing the corresponding username statement in running-config.
Command Mode
Global Configuration
Command Syntax
username name sshkey KEY
no username name sshkey [role]
default username name sshkey [role]
- name username text that the user enters at the login prompt to access the CLI.
Valid usernames begin with A-Z, a-z, or 0-9 and may also contain any of these characters:
@ # $ % ^ & * - _ = + ; < > , . ~ |
- KEY SSH key. Options include:
- key_text username is associated with ssh key specified by key_text string.
- file key_file username is associated with SSH key in the specified file.
switch(config)# username john secret x245
switch(config)# username john sshkey file john-ssh
switch(config)#
username
The username command adds a username to the local file and optionally assigns a password to the username. If the command specifies an existing username, the command replaces the password in the local file. The command can also define a username without a password or remove the password from a username.
The no username command deletes the specified username by removing the corresponding username statement from running-config. The default username command removes user-specified usernames, but restores the admin username to its default parameters.
The no username role command assigns the default role assignment to the specified username statement by editing the corresponding username statement in running-config. The default username role command reverts the specified username to its default role by editing the corresponding username statement in running-config. For the admin username, this restores network-admin as its role, even if the admin username has been deleted and then created again.
Command Mode
Global Configuration
Command Syntax
username name [PRIVILEGE_LEVEL] SECURITY [ROLE_USER]
no username name [role]
default username name [role]
All parameters except name can be placed in any order.
- name username text that the user enters at the login prompt to access the CLI.
Valid usernames begin with A-Z, a-z, or 0-9 and may also contain any of these characters:
@ # $ % ^ & * - _ = + ; < > , . ~ |
- PRIVILEGE_LEVEL user’s initial session privilege level. This parameter is used when an authorization command includes the local option.
- no parameter the privilege level is set to 1.
- privilege rank where rank is an integer between 0 and 15.
- SECURITY password assignment option.
- nopassword name is not password protected.
- secret password name is protected by specified password (clear-text string).
- secret 0 password name is protected by specified password (clear-text string).
- secret 5 password name is protected by specified password. (MD5-encrypted string).
- secret sha5 password name is protected by specified password (SHA-512-encrypted string).
- ROLE_USER specifies the role for performing command authorization. Options include:
- no parameter user is assigned default role aaa authorization policy local default-role.
- role role_name specifies role assigned to the user.
Guidelines
Encrypted strings entered through this parameter are generated elsewhere. The secret 5 option (SECURITY) is typically used to enter a list of username-passwords from a script.
The SECURITY parameter is mandatory for unconfigured usernames. For previously configured users, the command can specify a PRIVILEGE_LEVEL or ROLE without a SECURITY setting.
username admin privilege 1 role network-admin nopassword
- These equivalent commands create the username john and assign it the password x245. The password is entered in clear text because the ENCRYPTION parameter is either omitted or zero.
switch(config)# username john secret x245 switch(config)# username john secret 0 x245
- This command creates the username john and assigns it to the text password that corresponds to the encrypted string $1$sU.7hptc$TsJ1qslCL7ZYVbyXNG1wg1. The string was generated by an MD5-encryption program using x245 as the seed.
switch(config)# username john secret 5 $1$sU.7hptc$TsJ1qslCL7ZYVbyXNG1wg1 switch(config)#
A user authenticates the username john by entering x245 when the CLI prompts for a password.
- This command creates the username jane without securing it with a password or removes a password if the jane username exists.
switch(config)# username jane nopassword switch(config)#
- This command removes the username william from the local file.
switch(config)# no username william switch(config)#