
aaa accounting commands

The command configures a list of CLI command accounting methods.

The use of a negative form (no) of the command sets the default value.

Syntax

aaa accounting commands stop-only <METHOD>

no aaa accounting commands stop-only

Parameters

<METHOD> – accounting methods:

  • tacacs – command accounting by TACACS.

Default value

Accounting is not kept.

Required privilege level

15

Command mode

CONFIG

Example:
esr(config)# aaa accounting commands stop-only tacacs

aaa accounting login

The command configures a list of user session accounting methods. An accounting record is generated when a user logs on to the system and when the user disconnects from it; these events correspond to the 'start' and 'stop' values in RADIUS and TACACS messages.

The use of a negative form (no) of the command sets the default value.

Syntax

aaa accounting login start-stop <METHOD 1> [ <METHOD 2> ]

no aaa accounting login start-stop

Parameters

<METHOD> – accounting methods:

  • tacacs – session accounting by TACACS;
  • radius – session accounting by RADIUS.

Default value

Session accounting is locally logged.

Required privilege level

15

Command mode

CONFIG

Example:
esr(config)# aaa accounting login start-stop tacacs

aaa authentication attempts max-fail

The command sets the maximum number of failed authentication attempts after which a user is blocked, and the blocking time.

The use of a negative form (no) of the command restores the default number of attempts and the default blocking time.

Syntax

aaa authentication attempts max-fail <COUNT> <TIME>

no aaa authentication attempts max-fail

Parameters

<COUNT> – number of failed authentication attempts after which a user is blocked, takes the values of [1..65535];

<TIME> – user blocking time in seconds, takes the values of [1..65535].

Default value

Amount of failed attempts – 5

Blocking time – 300

Required privilege level

15

Command mode

CONFIG

Example:
esr(config)# aaa authentication attempts max-fail 5 30

aaa authentication enable

The command creates a list of authentication methods for user privilege escalation. If an attempt to authenticate by one method fails, authentication is attempted by the next method in the list (see aaa authentication mode for what counts as a failure).

The default configuration includes a list named 'default'. The 'default' list contains one authentication method, 'enable'. To use a list for privilege escalation authentication, bind it to a terminal with the command described in Section enable authentication.

The use of a negative form (no) of the command removes the authentication methods list.

Syntax

aaa authentication enable <NAME> <METHOD 1> [ <METHOD 2> ] [ <METHOD 3> ] [ <METHOD 4> ]

no aaa authentication enable <NAME>

Parameters

<NAME> – list name: string of up to 31 characters;

  • default – name of the 'default' list.

<METHOD> – authentication methods:

  • enable – authentication by enable passwords;
  • tacacs – authentication by TACACS;
  • radius – authentication by RADIUS;
  • ldap – authentication by LDAP.

Required privilege level

15

Command mode

CONFIG

Example:

esr(config)# aaa authentication enable enable-test tacacs enable

aaa authentication login

The command creates a list of authentication methods for user login. If an attempt to authenticate by one method fails, authentication is attempted by the next method in the list (see aaa authentication mode for what counts as a failure).

The default configuration includes a list named 'default'; the list contains one authentication method, 'local'. To use a list for user login authentication, activate it on a terminal with the command described in Section login authentication.

The use of a negative form (no) of the command removes the authentication methods list.

Syntax

aaa authentication login { default | <NAME> } <METHOD 1> [ <METHOD 2> ] [ <METHOD 3> ] [ <METHOD 4> ]

no aaa authentication login { default | <NAME> }

Parameters

<NAME> – list name, set by a string of up to 31 characters.

<METHOD> – authentication methods:

  • local – authentication by the local user base;
  • tacacs – authentication by the TACACS server list;
  • radius – authentication by the RADIUS server list;
  • ldap – authentication by the LDAP server list.

Required privilege level

15

Command mode

CONFIG

Example:
esr(config)# aaa authentication login login-test tacacs local

aaa authentication mode

The command defines how authentication method lists are evaluated.

The use of a negative form (no) of the command removes the authentication methods list.

Syntax

[no] aaa authentication mode { break | chain }

Parameters

break – the next method in the list is used only when a higher-priority method is unavailable;

chain – the next method in the list is also used when a higher-priority method refuses the authentication.

Default value

chain

Required privilege level

15

Command mode

CONFIG

Example:

esr(config)# aaa authentication mode break
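The difference between the two modes, shown as an added Python simulation (not code from the Eltex documentation) of a method list such as 'login-test' from the aaa authentication login entry; the server outcomes are constructed sample data:

```python
# Added example, not from the Eltex ESR documentation: simulates how an ordered
# authentication method list is walked under 'aaa authentication mode break'
# and 'aaa authentication mode chain'. Server outcomes are constructed data.
from typing import Dict, List, Tuple

# Outcomes a method can produce for one login attempt.
ACCEPT = "accept"            # the server or local base authenticated the user
REJECT = "reject"            # the server or local base answered and refused the user
UNAVAILABLE = "unavailable"  # no answer (timeout, server marked dead)


def authenticate(methods: List[str], outcomes: Dict[str, str],
                 mode: str) -> Tuple[bool, List[str]]:
    """Walk `methods` in priority order; return (authenticated, methods consulted).

    mode 'break': the next method is used only when the current one is unavailable.
    mode 'chain': the next method is also used when the current one rejects the user.
    A method missing from `outcomes` is treated as unavailable.
    """
    if mode not in ("break", "chain"):
        raise ValueError("mode must be 'break' or 'chain'")
    consulted: List[str] = []
    for method in methods:
        consulted.append(method)
        result = outcomes.get(method, UNAVAILABLE)
        if result == ACCEPT:
            return True, consulted
        if result == REJECT and mode == "break":
            # A reachable method said no: stop here, no fallback to later methods.
            return False, consulted
        # UNAVAILABLE (either mode) or REJECT in chain mode: try the next method.
    return False, consulted  # list exhausted without an accept


# The 'login-test' list from the aaa authentication login entry: TACACS, then local.
LOGIN_TEST = ["tacacs", "local"]


def tacacs_rejects(mode: str) -> Tuple[bool, List[str]]:
    """TACACS is reachable and refuses; the local base would accept the credentials."""
    return authenticate(LOGIN_TEST, {"tacacs": REJECT, "local": ACCEPT}, mode)


def tacacs_down(mode: str) -> Tuple[bool, List[str]]:
    """TACACS does not answer; the local base accepts."""
    return authenticate(LOGIN_TEST, {"tacacs": UNAVAILABLE, "local": ACCEPT}, mode)


if __name__ == "__main__":
    for mode in ("break", "chain"):
        print(f"{mode:5}  tacacs rejects -> {tacacs_rejects(mode)}")
        print(f"{mode:5}  tacacs down    -> {tacacs_down(mode)}")
```

In chain mode a refusal from TACACS still falls through to the local base, so a locally known password remains usable after the central server has denied the login; break mode leaves that decision with the first method that answers.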

aaa das-profile

The command adds a profile of dynamic authorization servers (DAS) and switches to DAS SERVER PROFILE command mode.

The use of a negative form (no) of the command removes a specified profile of dynamic authorization servers (DAS).

Syntax

[no] aaa das-profile <NAME>

Parameters

<NAME> – DAS profile name, set by the string of up to 31 characters.

Required privilege level

15

Command mode

CONFIG

Example:
esr(config)# aaa das-profile profile1
esr(config-aaa-das-profile)#

In the current firmware version, this functionality is supported only by ESR-100/200/1000/1200/1500/1510/1700 routers.

aaa disable

This command disables access to the router through the console interface.

The use of a negative form of the command (no) enables the access to the router through the console interface.

Syntax

[no] aaa disable

Parameters

None.

Default value

Access to the router via the console interface is enabled.

Required privilege level

10

Command mode

CONFIG-LINE-CONSOLE

Example:

esr(config-line-console)# aaa disable

aaa radius-profile

The command adds a RADIUS server profile and switches to RADIUS SERVER PROFILE command mode.

The use of a negative form (no) of the command removes a specified RADIUS server profile.

Syntax

[no] aaa radius-profile <NAME>

Parameters

<NAME> – RADIUS server profile name, set by the string of up to 31 characters.

Required privilege level

15

Command mode

CONFIG

Example:
esr(config)# aaa radius-profile profile1
esr(config-aaa-radius-profile)#

In the current firmware version, this functionality is supported only by ESR-100/200/1000/1200/1500/1510/1700 routers.

acct-port

The command specifies a port number to exchange data with a remote RADIUS server when accounting.

The use of a negative form (no) of the command sets the default value.

Syntax

acct-port <PORT>

no acct-port

Parameters

<PORT> – UDP port number used to exchange data with a remote server, takes values of [1..65535].

Default value

1813

Required privilege level

15

Command mode

CONFIG-RADIUS-SERVER

Example:
esr(config-radius-server)# acct-port 4444

auth-port

The command specifies a port number to exchange data with a remote RADIUS server when authenticating and authorizing.

The use of a negative form (no) of the command sets the default value.

Syntax

auth-port <PORT>

no auth-port

Parameters

<PORT> – UDP port number used to exchange data with a remote server, takes values of [1..65535].

Default value

1812

Required privilege level

15

Command mode

CONFIG-RADIUS-SERVER

Example:
esr(config-radius-server)# auth-port 4444

clear users blocked

The command clears the record of failed authentication attempts of users.

Syntax

clear users blocked <NAME>

Parameters

<NAME> – name of the user whose statistics of failed authentication attempts should be cleared, set by a string of up to 31 characters.

Without specifying the user name, the whole table of incorrect authentication attempts is cleaned.

Required privilege level

15

Command mode

ROOT

Example:
esr# clear users blocked

clients

The command specifies the list of dynamic authorization clients (DAC) whose requests the dynamic authorization server (DAS) will respond to.

The use of a negative form (no) of the command removes the list of dynamic authorization clients (DAC).

Syntax

clients object-group <NAME>

no clients

Parameters

<NAME> – name of IP addresses profile that contains addresses of dynamic authorization clients, set by the string of up to 31 characters.

Required privilege level

15

Command mode

CONFIG-DAS-SERVER

Example:
esr(config-das-server)# clients object-group pcrf

das-server 

The command adds a dynamic authorization server (DAS) and switches to DAS SERVER command mode. Dynamic authorization servers (DAS) accept RADIUS CoA (Change of Authorization) requests from dynamic authorization clients (DAC), for example to disable a user or to re-request the user's services list.

The use of a negative form (no) of the command removes a specified DAS server.

Syntax

[no] das-server <NAME>

Parameters

<NAME> – DAS name, set by the string of up to 31 characters.

Required privilege level

15

Command mode

CONFIG

Example:
esr(config)# das-server main
esr(config-das-server)#

dead-interval

The command specifies the interval during which no packets are sent to a RADIUS server that is considered unavailable. A RADIUS server enters this state when the response timeout for the last valid retry request expires (see Section radius-server retransmit).

The use of a negative form (no) of the command sets the default value.

Syntax

dead-interval <SEC>

no dead-interval

Parameters

<SEC> – time interval in seconds, takes values of [0..3600].

Default value

120

Required privilege level

10

Command mode

CONFIG-RADIUS-SERVER

Example:
esr(config-radius-server)# dead-interval 600

description

The command is used to change the description of dynamic authorization servers (DAS) profile or RADIUS servers profile.

The use of a negative form (no) of the command removes a profile description.

Syntax

description <DESCRIPTION>

no description

Parameters

<DESCRIPTION> – profile description, set by the string of up to 255 characters.

Required privilege level

10

Command mode

CONFIG-DAS-SERVER-PROFILE

CONFIG-RADIUS-SERVER-PROFILE

Example:

Set the description for IP addresses profile:

esr(config-aaa-das-profile)# description "Main profile"

disable

The command reduces the user privilege level to the initial one.

Syntax

disable

Parameters

The command does not contain parameters.

Required privilege level

2

Command mode

ROOT

Example:
esr# disable
esr>

enable

The command escalates the user privilege level. The authentication methods used for privilege escalation are specified by the command described in Section aaa authentication enable.

By default, the configuration uses the 'enable' password authentication method, but no enable passwords are set, so any system user can obtain privilege level 15.

To authenticate privilege escalation via TACACS/RADIUS/LDAP, users named $enab<PRIV>$ must be created on the server, where <PRIV> is the privilege level the user requests.

Syntax

enable [ <PRIV> ]

Parameters

<PRIV> – required privilege level, takes value in the range of [2..15].

Default value

15

Required privilege level

1

Command mode

ROOT

Example:
esr> enable 10
esr#

enable authentication

The command selects the privilege escalation authentication list used on the terminal being configured.

The default configuration includes a list named 'default'; the list contains one authentication method – 'enable'.

The use of a negative form (no) of the command enables the 'default' list.

Syntax

enable authentication <NAME>

no enable authentication

Parameters

<NAME> – list name, set by the string of up to 31 characters.

Default value

default

Required privilege level

15

Command mode

CONFIG-LINE-CONSOLE

CONFIG-LINE-TELNET

CONFIG-LINE-SSH

Example:
esr(config-line-console)# enable authentication enable-test

enable password

The command sets the password that will be required when escalating the user privilege level.

By default, no enable passwords are set, so any system user can obtain privilege level 15.

The use of a negative form (no) of the command removes a password from the system.

Syntax

enable password { <CLEAR-TEXT> | encrypted <HASH_SHA512> } [ privilege <PRIV> ]

no enable password [ privilege <PRIV> ]

Parameters

<CLEAR-TEXT> – password, a string of 8 to 32 characters from the set [0-9a-fA-F];

<HASH_SHA512> – password hash computed with the sha512 algorithm, a string of 110 characters;

<PRIV> – required privilege level, takes value in the range of [2..15], 15 by default.

Required privilege level

15

Command mode

CONFIG

Example:
esr(config)# enable password 12345678 privilege 10

exec-timeout

The command specifies the time interval after which an idle session will be disconnected.

The use of a negative form (no) of the command sets the default value.

Syntax

exec-timeout <SEC>

no exec-timeout

Parameters

<SEC> – time interval in minutes, takes values of [1..65535].

Default value

30 minutes

Required privilege level

15

Command mode

CONFIG-LINE-CONSOLE

CONFIG-LINE-SSH

CONFIG-LINE-TELNET

CONFIG-LINE-AUX (only for ESR-21)

Example:
esr(config-line-ssh)# exec-timeout 600

ip sftp enable

This command enables SFTP access to the router for the user being configured.

The use of a negative form (no) of the command disables SFTP access for the user being configured.

Syntax

[no] ip sftp enable

Parameters

None

Default value

Disabled

Required privilege level

10

Command mode

CONFIG-USER

Example:
esr(config-user)# ip sftp enable

key

The command specifies the key (shared secret) used for authentication with a remote server.

The use of a negative form (no) of the command removes the specified key used for authentication with a remote server.

Syntax

key ascii-text { <TEXT> | encrypted <ENCRYPTED-TEXT> }

no key

Parameters

<TEXT> – string of [8..16] ASCII characters (for a TACACS server – up to 60 characters);

<ENCRYPTED-TEXT> – encrypted password of [8..16] bytes, set by a string of [16..32] characters (for a TACACS server – up to 120 characters).

Required privilege level

15

Command mode

CONFIG-TACACS-SERVER

CONFIG-RADIUS-SERVER

CONFIG-DAS-SERVER

Example:
esr(config-tacacs-server)# key ascii-text 12345678

ldap-server base-dn

The command specifies the base DN (Distinguished Name) used when searching for users.

The use of a negative form (no) of the command removes the specified base DN.

Syntax

ldap-server base-dn <NAME>

no ldap-server base-dn

Parameters

<NAME> – base DN, set by a string of up to 255 characters.

Required privilege level

15

Command mode

CONFIG

Example:
esr(config)# ldap-server base-dn "dc=example,dc=com"

ldap-server bind authenticate root-dn

The command specifies the DN (Distinguished Name) of a user with administrator rights, under which the device binds to the LDAP server when searching for users.

The use of a negative form (no) of the command removes the specified user DN.

Syntax

ldap-server bind authenticate root-dn <NAME>

no bind authenticate root-dn

Parameters

<NAME> – DN of a user with administration rights, set by the string of up to 255 characters.

Required privilege level

15

Command mode

CONFIG

Example:
esr(config)# ldap-server bind authenticate root-dn "cn=admin,dc=example,dc=com"

ldap-server bind authenticate root-password

The command specifies the password of the user with administrator rights, under which the device binds to the LDAP server when searching for users.

The use of a negative form (no) of the command removes the specified user password.

Syntax

ldap-server bind authenticate root-password ascii-text { <TEXT> | encrypted <ENCRYPTED-TEXT> }

no bind authenticate root-password

Parameters

<TEXT> – string [8..16] ASCII characters;

<ENCRYPTED-TEXT> – encrypted password, [8..16] bytes size, set by the string of [16..32] characters.

Required privilege level

15

Command mode

CONFIG

Example:
esr(config)# ldap-server bind authenticate root-password ascii-text 12345678

ldap-server bind timeout

The command sets the interval after which the device considers LDAP server as unavailable.

The use of a negative form (no) of the command sets the default value.

Syntax

ldap-server bind timeout <SEC>

no ldap-server bind timeout

Parameters

<SEC> – time interval in seconds, takes values of [1..30].

Default value

3 seconds

Required privilege level

15

Command mode

CONFIG

Example:
esr(config)# ldap-server bind timeout 5

ldap-server dscp

The command sets the DSCP code value for the use in IP headers of LDAP server outgoing packets.

The use of a negative form (no) of the command sets the default DSCP value.

Syntax

ldap-server dscp <DSCP>

no ldap-server dscp

Parameters

<DSCP> – DSCP code value, takes values in the range of [0..63].

Default value

63

Required privilege level

10

Command mode

CONFIG

Example:
esr(config)# ldap-server dscp 40

ldap-server host

The command is used to add LDAP server to the list of servers in use and to switch to LDAP SERVER command mode.

The use of a negative form (no) of the command removes a specified LDAP server.

Syntax

[no] ldap-server host { <ADDR> | <IPV6-ADDR> } [ vrf <VRF> ]

Parameters

<VRF> – VRF instance name, set by the string of up to 31 characters.

<ADDR> – LDAP server IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255];

<IPV6-ADDR> – LDAP server IPv6 address, defined as X:X:X:X::X where each part takes values in hexadecimal format [0..FFFF].

Required privilege level

15

Command mode

CONFIG

Example:
esr(config)# ldap-server host 10.100.100.1
esr(config-ldap-server)#

ldap-server naming-attribute

The command sets the name of the LDAP object attribute whose value is compared with the name of the user being looked up on the LDAP server.

The use of a negative form (no) of the command sets the default value.

Syntax

ldap-server naming-attribute <NAME>

no ldap-server naming-attribute

Parameters

<NAME> – object attribute name, set by the string of up to 127 characters.

Default value

uid

Required privilege level

15

Command mode

CONFIG

Example:
esr(config)# ldap-server naming-attribute displayName

ldap-server privilege-level-attribute

The command sets the name of the LDAP object attribute whose value defines the initial privilege level of a user on the device. The attribute should take values of [1..15]. If the attribute is absent or contains an invalid value, the user receives the initial privileges of the 'remote' user.

The use of a negative form (no) of the command sets the default value.

Syntax

ldap-server privilege-level-attribute <NAME>

no ldap-server privilege-level-attribute

Parameters

<NAME> – object attribute name, set by the string of up to 127 characters.

Default value

priv-lvl

Required privilege level

15

Command mode

CONFIG

Example:
esr(config)# ldap-server privilege-level-attribute title

ldap-server search filter user-object-class

The command sets the name of the object class within which users are searched for on the LDAP server.

The use of a negative form (no) of the command sets the default value.

Syntax

ldap-server search filter user-object-class <NAME>

no ldap-server search filter user-object-class

Parameters

<NAME> – object class name, set by the string of up to 127 characters.

Default value

posixAccount

Required privilege level

15

Command mode

CONFIG

Example:
esr(config)# ldap-server search filter user-object-class shadowAccount

ldap-server search scope

The command specifies a user search scope in LDAP server tree.

The use of a negative form (no) of the command sets the default value.

Syntax

ldap-server search scope <SCOPE>

no ldap-server search scope

Parameters

<SCOPE> – user search scope on LDAP server, takes the following values:

  • onelevel – search only the objects one level below the base DN in the LDAP server tree;
  • subtree – search all objects in the subtree under the base DN in the LDAP server tree.

Default value

subtree

Required privilege level

15

Command mode

CONFIG

Example:
esr(config)# ldap-server search scope onelevel

ldap-server search timeout

The command sets the interval after which the device considers that the LDAP server has not found user entries matching the search condition.

The use of a negative form (no) of the command sets the default value.

Syntax

ldap-server search timeout <SEC>

no ldap-server search timeout

Parameters

<SEC> – time interval in seconds, takes values of [0..30].

Default value

0 – the device waits for the LDAP server to complete the search and respond.

Required privilege level

15

Command mode

CONFIG

Example:
esr(config)# ldap-server search timeout 10

line

The command switches to the configuration mode of the corresponding terminal: local console, remote console (Telnet), remote secure console (SSH).

The use of a negative form (no) of the command sets the default terminal parameters. The default settings are described in sections login authentication and enable authentication.

Syntax

[no] line <TYPE>

Parameters

<TYPE> – console type:

  • console – local console;
  • telnet – remote console;
  • ssh – secure remote console.

Required privilege level

15

Command mode

CONFIG

Example:
esr(config)# line console
esr(config-line-console)#

login authentication

The command enables the user login authentication list that will be used in a configured terminal.

The default configuration includes a list named 'default'; the list contains one authentication method – 'local'.

The use of a negative form (no) of the command enables the 'default' list.

Syntax

login authentication <NAME>

no login authentication

Parameters

<NAME> – list name, set by the string of up to 31 characters.

Default value

default

Required privilege level

15

Command mode

CONFIG-LINE-CONSOLE

CONFIG-LINE-TELNET

CONFIG-LINE-SSH

Example:
esr(config-line-console)# login authentication login-test

password

The command is used to set the password with which a certain user logs in. The password can be set either in clear text or as a sha512 hash.

The use of a negative form (no) of the command removes the user's password from the system.

Syntax

password { <CLEAR-TEXT> | encrypted <HASH_SHA512> }

no password

Parameters

<CLEAR-TEXT> – password, set by the string of 8 to 32 characters, takes the value of [0-9a-fA-F];

<HASH_SHA512> – hash password via sha512 algorithm, set by the string of 110 characters.

Required privilege level

15

Command mode

CONFIG-USER

CHANGE-EXPIRED-PASSWORD

Example:
esr(config-user)# password test

port

The command specifies a port number to exchange data with a remote server.

The use of a negative form (no) of the command sets the default value.

Syntax

port <PORT>

no port

Parameters

<PORT> – number of TCP/UDP port to exchange data with a remote server, takes values of [1..65535].

Default value

49 for TACACS server

389 for LDAP server

Not set for DAS server

Required privilege level

15

Command mode

CONFIG-TACACS-SERVER

CONFIG-LDAP-SERVER

CONFIG-DAS-SERVER

Example:
esr(config-tacacs-server)# port 4444

priority

The command sets the remote server priority. The lower the value, the higher the server priority.

The use of a negative form (no) of the command sets the default value.

Syntax

priority <PRIORITY>

no priority

Parameters

<PRIORITY> – remote server priority, takes values in the range of [1..65535].

Default value

1

Required privilege level

15

Command mode

CONFIG-TACACS-SERVER

CONFIG-RADIUS-SERVER

CONFIG-LDAP-SERVER

Example:
esr(config-tacacs-server)# priority 5

privilege

The command sets the user privilege level. The command set available to a user depends on the privilege level. Users with privilege levels 1 to 9 can only view information. Users with privilege levels 10 to 15 have access to most configuration commands. Users with privilege level 15 have access to the full command set. The privilege level required for a command subtree can be modified with the privilege <COMMAND-MODE> level <PRIV> <COMMAND> command described below.

The use of a negative form (no) of the command sets the default privilege level.

Assignment of initial privilege level to users is as follows:

  • Local database users are assigned the required privilege level by the command described above;
  • For users authorized via RADIUS, the required privilege level is taken from the cisco-avpair = "shell:priv-lvl=<PRIV>" attribute;
  • For users authorized via TACACS, the required privilege level is taken from the priv-lvl=<PRIV> attribute;
  • For users authorized via LDAP, the privilege level is taken from the attribute specified by the ldap-server privilege-level-attribute command described above; by default this is priv-lvl=<PRIV>.

If the attribute above was not received during user authentication via TACACS/RADIUS/LDAP, or it was received with an invalid value, the user is assigned the privileges of the 'remote' user (1 by default). The required privilege level of the 'remote' user can be changed in the same way as for any other user from the local base, with the command above.

Syntax

privilege <PRIV>

no privilege

Parameters

<PRIV> – required privilege level, takes value in the range of [1..15].

Default value

1

Required privilege level

15

Command mode

CONFIG-USER

Example:
esr(config-user)# privilege 15

privilege

The command sets the minimum privilege level necessary to execute commands from a specified command subtree.

The use of a negative form (no) of the command sets the default privilege level.

Syntax

privilege <COMMAND-MODE> level <PRIV> <COMMAND>

no privilege <COMMAND-MODE> <COMMAND>

Parameters

<COMMAND-MODE> – command mode, the description of modes is given in Table 3;

<PRIV> – required command subtree privilege level, takes value in the range of [1..15];

<COMMAND> – command subtree, set by the string of up to 255 characters.

Required privilege level

15

Command mode

CONFIG

Example:

Set the required privilege level 2 for 'show' command subtree of root command mode. The commands of 'show interfaces' subtree should be assigned with privilege level 1.

esr(config)# privilege root level 2 "show"
esr(config)# privilege root level 1 "show interfaces"

radius-server dscp

The command sets the DSCP code value for the use in IP headers of RADIUS server outgoing packets.

The use of a negative form (no) of the command sets the default DSCP value.

Syntax

radius-server dscp <DSCP>

no radius-server dscp

Parameters

<DSCP> – DSCP code value, takes values in the range of [0..63].

Default value

63

Required privilege level

10

Command mode

CONFIG

Example:
esr(config)# radius-server dscp 40

radius-server host

The command is used to add RADIUS server to the list of servers in use and to switch to RADIUS SERVER command mode.

The use of a negative form (no) of the command removes a specified RADIUS server.

Syntax

[no] radius-server host { <ADDR> | <IPV6-ADDR> } [ vrf <VRF> ]

Parameters

<VRF> – VRF instance name, set by the string of up to 31 characters.

<ADDR> – RADIUS server IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255];

<IPV6-ADDR> – RADIUS server IPv6 address, defined as X:X:X:X::X where each part takes values in hexadecimal format [0..FFFF].

Required privilege level

15

Command mode

CONFIG

Example:
esr(config)# radius-server host 10.100.100.1
esr(config-radius-server)#

radius-server host

The command is used to add RADIUS server to RADIUS server profile.

The use of a negative form (no) of the command removes a specified RADIUS server from the profile.

Syntax

[no] radius-server host { <ADDR> | <IPV6-ADDR> } [ vrf <VRF> ]

Parameters

<VRF> – VRF instance name, set by the string of up to 31 characters.

<ADDR> – RADIUS server IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255];

<IPV6-ADDR> – RADIUS server IPv6 address, defined as X:X:X:X::X where each part takes values in hexadecimal format [0..FFFF].

Required privilege level

15

Command mode

CONFIG-RADIUS-SERVER-PROFILE

Example:
esr(config-aaa-radius-profile)# radius-server host 10.100.100.1

radius-server retransmit

The command sets the number of repeated requests sent to the last active RADIUS server before requests are sent to the next RADIUS server in the list.

The use of a negative form (no) of the command sets the default value.

Syntax

radius-server retransmit <COUNT>

no radius-server retransmit

Parameters

<COUNT> – number of repeated requests to the RADIUS server, takes values of [1..10].

Default value

1

Required privilege level

15

Command mode

CONFIG

Example:
esr(config)# radius-server retransmit 5

radius-server timeout

The command sets the interval after which the device considers RADIUS server as unavailable.

The use of a negative form (no) of the command sets the default value.

Syntax

radius-server timeout <SEC>

no radius-server timeout

Parameters

<SEC> – time interval in seconds, takes values of [1..30].

Default value

3 seconds

Required privilege level

10

Command mode

CONFIG

Example:
esr(config)# radius-server timeout 5

retransmit

The command sets the number of repeated requests sent to this RADIUS server before requests are sent to the next RADIUS server in the list.

The use of a negative form (no) of the command sets the default value.

Syntax

retransmit <COUNT>

no retransmit

Parameters

<COUNT> – number of repeated requests to the RADIUS server, takes values of [1..10].

Default value

Not set; the global value described in Section radius-server retransmit is used.

Required privilege level

15

Command mode

CONFIG-RADIUS-SERVER

Example:
esr(config-radius-server)# retransmit 5
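How the priority, retransmit, radius-server timeout and dead-interval settings described above combine when the device sends a RADIUS request, as an added Python model (not code from the Eltex documentation or the ESR firmware). It assumes retransmit counts the total requests sent to one server before that server is marked unavailable, which the page does not state explicitly, and the server responses are constructed stubs:

```python
# Added example, not from the Eltex ESR documentation or firmware: a model of how
# the RADIUS server parameters on this page interact when a request is sent.
# Assumption: 'retransmit' is the total number of requests sent to one server
# before it is marked dead. Server responses are constructed stubs.
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

GLOBAL_RETRANSMIT = 1  # 'radius-server retransmit' default
GLOBAL_TIMEOUT = 3     # 'radius-server timeout' default, seconds


@dataclass
class RadiusServer:
    host: str
    priority: int = 1                 # 'priority': lower value = higher priority
    retransmit: Optional[int] = None  # 'retransmit' per server; None = use global value
    dead_interval: int = 120          # 'dead-interval' default, seconds
    dead_until: float = 0.0           # requests are not sent to the server before this time
    attempts_sent: int = 0            # total requests sent, for inspection

    def effective_retransmit(self) -> int:
        return self.retransmit if self.retransmit is not None else GLOBAL_RETRANSMIT


@dataclass
class RadiusClient:
    servers: List[RadiusServer]
    responds: Callable[[str], bool]   # stub: does this host answer within the timeout?
    timeout: int = GLOBAL_TIMEOUT

    def send(self, now: float) -> Optional[str]:
        """Return the host that answered, or None if every server is dead or silent."""
        for srv in sorted(self.servers, key=lambda s: s.priority):
            if now < srv.dead_until:
                continue  # inside its dead-interval: nothing is sent to this server
            for _ in range(srv.effective_retransmit()):
                srv.attempts_sent += 1
                if self.responds(srv.host):
                    return srv.host
                now += self.timeout  # an unanswered request costs one timeout
            # The last retry timed out: skip this server for dead_interval seconds.
            srv.dead_until = now + srv.dead_interval
        return None


def failover_scenario() -> Dict[str, object]:
    """Primary (priority 1) is silent, secondary (priority 2) answers; three requests."""
    primary = RadiusServer("10.100.100.1", priority=1, retransmit=2, dead_interval=600)
    secondary = RadiusServer("10.100.100.2", priority=2)
    client = RadiusClient([primary, secondary], responds=lambda h: h == "10.100.100.2")
    answered: List[Optional[str]] = []
    primary_attempts: List[int] = []
    for t in (0.0, 100.0, 700.0):
        # t=0:   primary tried twice (2 x 3 s), marked dead until 606 s, then secondary
        # t=100: primary still dead, secondary answers straight away
        # t=700: dead-interval expired, primary is probed again before failover
        answered.append(client.send(now=t))
        primary_attempts.append(primary.attempts_sent)
    return {"answered": answered, "primary_attempts": primary_attempts,
            "primary_dead_until": primary.dead_until}


if __name__ == "__main__":
    print(failover_scenario())
```

A server that has been marked unavailable is not probed again until its dead-interval has elapsed, so a long dead-interval on the primary keeps authentication on the secondary for that whole period even if the primary recovers earlier.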

root login enable

The command enables low-level local access to the system using the 'root' user.

This command is applicable only if the user password is set to 'root'. Otherwise, the router displays a message that the command cannot be applied.

The use of a negative form (no) of the command disables low-level local access to the system using the 'root' user.

Syntax

[no] root login enable

Parameters

The command does not contain parameters.

Required privilege level

15

Command mode

CONFIG

Example:
esr(config)# root login enable

security passwords default-expired

The command enables the request to reset the default password for the admin user.

The use of a negative form (no) of the command disables the default password reset request.

Syntax

[no] security passwords default-expired

Parameters

The command does not contain parameters

Default value

Password reset request is disabled by default.

Required privilege level

15

Command mode

CONFIG

Example:
esr(config)# security passwords default-expired

security passwords history

The command prohibits the re-use of previously set local user passwords. The number of passwords kept in the router's memory is specified as a parameter.

The use of a negative form (no) of the command lifts restrictions on re-use of passwords.

Syntax

security passwords history <COUNT>

no security passwords history

Parameters

<COUNT> – number of passwords kept in the router's memory, [0..15]. When this value is reduced, the extra older passwords are deleted.

Default value

1

Required privilege level

15

Command mode

CONFIG

Example:
esr(config)# security passwords history 5

security passwords lifetime

The command sets the local user password lifetime. When a user with an expired password attempts to log in, the user is switched to the forced password reset mode.

The use of a negative form (no) of the command lifts restrictions on local user password lifetime.

Syntax

security passwords lifetime <TIME>

no security passwords lifetime

Parameters

<TIME> – interval of password lifetime in days, takes values of [1..365].

Default value

The lifetime of local user password is unlimited.

Required privilege level

15

Command mode

CONFIG

Example:
esr(config)# security passwords lifetime 30

security passwords lower-case

The command sets the minimum number of lower case letters in the local user password, ENABLE password, SNMPv3 user name and SNMPv1/SNMPv2c community.

The use of a negative form (no) of the command lifts restrictions on the number of lower case letters in the local user password, ENABLE password, SNMPv3 user name and SNMPv1/SNMPv2c community.

Syntax

security passwords lower-case <COUNT>

no security passwords lower-case

Parameters

<COUNT> – minimum number of lower case letters in the local user password, ENABLE password, SNMPv3 user name and SNMPv1/SNMPv2c community [0..128].

Default value

0

Required privilege level

15

Command mode

CONFIG

Example:
esr(config)# security passwords lower-case 2

security passwords max-length

The command sets the restriction on the maximum length of the local user password, ENABLE password, SNMPv3 user name and SNMPv1/SNMPv2c community.

The use of a negative form (no) of the command disables the restriction on maximum amount of characters in the password.

Syntax

security passwords max-length <NUM>

no security passwords max-length

Parameters

<NUM> – maximum amount of characters in password, set in the range of [8..128].

Default value

0

Required privilege level

15

Command mode

CONFIG

Example:
esr(config)# security passwords max-length 30

security passwords min-length

The command sets the restriction on the minimum length of the local user password, ENABLE password, SNMPv3 user name and SNMPv1/SNMPv2c community.

The use of a negative form (no) of the command disables the restriction on minimum amount of characters in the password.

Syntax

security passwords min-length <NUM>

no security passwords min-length

Parameters

<NUM> – minimum amount of characters in the password, set in the range of [8..128].

Default value

0

Required privilege level

15

Command mode

CONFIG

Example:
esr(config)# security passwords min-length 10

security passwords numeric-count

The command sets the minimum number of digits in the local user password, ENABLE password, SNMPv3 user name and SNMPv1/SNMPv2c community.

The use of a negative form (no) of the command lifts restrictions on the number of digits in the local user password, ENABLE password, SNMPv3 user name and SNMPv1/SNMPv2c community.

Syntax

security passwords numeric-count <COUNT>

no security passwords numeric-count

Parameters

<COUNT> – minimum number of digits in the local user password, ENABLE password, SNMPv3 user name and SNMPv1/SNMPv2c community [0..128].

Default value

0

Required privilege level

15

Command mode

CONFIG

Example:
esr(config)# security passwords numeric-count 2

security passwords special-case

The command sets the minimum number of special characters in the local user password, ENABLE password, SNMPv3 user name and SNMPv1/SNMPv2c community.

The use of a negative form (no) of the command lifts restrictions on the number of special characters in the local user password, ENABLE password, SNMPv3 user name and SNMPv1/SNMPv2c community.

Syntax

security passwords special-case <COUNT>

no security passwords special-case

Parameters

<COUNT> – minimum number of special characters in the local user password, ENABLE password, SNMPv3 user name and SNMPv1/SNMPv2c community [0..128].

Default value

0

Required privilege level

15

Command mode

CONFIG

Example:
esr(config)# security passwords special-case 2

security passwords symbol-types

The command sets the minimum number of special characters in the local user password, ENABLE password, SNMPv3 user name and SNMPv1/SNMPv2c community.

The use of a negative form (no) of the command sets the default value for the minimum number of special characters in the local user password, ENABLE password, SNMPv3 user name and SNMPv1/SNMPv2c community.

Syntax

security passwords symbol-types <COUNT>

no security passwords symbol-types

Parameters

<COUNT> – minimum number of special characters in the local user password, ENABLE password, SNMPv3 user name and SNMPv1/SNMPv2c community [1..4].

Default value

1

Required privilege level

15

Command mode

CONFIG

Example:
esr(config)# security passwords symbol-types 2

security passwords upper-case

The command sets the minimum number of upper case letters in the local user password, ENABLE password, SNMPv3 user name and SNMPv1/SNMPv2c community.

The use of a negative form (no) of the command lifts restrictions on the number of upper case letters in the local user password, ENABLE password, SNMPv3 user name and SNMPv1/SNMPv2c community.

Syntax

security passwords upper-case <COUNT>

no security passwords upper-case

Parameters

<COUNT> – minimum number of upper case letters in the local user password, ENABLE password, SNMPv3 user name and SNMPv1/SNMPv2c community [0..128].

Default value

0

Required privilege level

15

Command mode

CONFIG

Example:
esr(config)# security passwords upper-case 2
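The 'security passwords' commands above (history, min-length, max-length, lower-case, upper-case, numeric-count, special-case) together define one local password policy. The following Python model is an added example, not Eltex code and not the router's implementation: it builds a policy object from 'security passwords ...' configuration lines (with the defaults stated on this page), reports which rules a candidate password breaks, and applies the history rule by keeping the digests of the last <COUNT> passwords. The set of characters counted as "special", the SHA-256 digests used for the history store, and all function names are assumptions of this example.

```python
import re
import hashlib
from dataclasses import dataclass, field

# Assumption: which characters count as "special" is not documented on the
# page; this set is the example's own choice.
SPECIAL_CHARS = set("!@#$%^&*()-_=+[]{};:'\",.<>/?\\|`~")

# Defaults as listed on the page: 0 means the restriction is disabled,
# history keeps 1 password by default.
DEFAULTS = {"min_length": 0, "max_length": 0, "lower_case": 0, "upper_case": 0,
            "numeric_count": 0, "special_case": 0, "history": 1}

CONFIG_RE = re.compile(
    r"^\s*(no\s+)?security passwords "
    r"(min-length|max-length|lower-case|upper-case|numeric-count|special-case|history)"
    r"(?:\s+(\d+))?\s*$")


@dataclass
class PasswordPolicy:
    min_length: int = 0
    max_length: int = 0
    lower_case: int = 0
    upper_case: int = 0
    numeric_count: int = 0
    special_case: int = 0
    history: int = 1
    # Digests of previously set passwords, oldest first. Hypothetical store:
    # the router's real password storage is not modelled here.
    _previous: list = field(default_factory=list)

    @staticmethod
    def _digest(password: str) -> str:
        return hashlib.sha256(password.encode()).hexdigest()

    def violations(self, candidate: str) -> list:
        """Return the policy rules the candidate password breaks (empty = accepted)."""
        problems = []
        if self.min_length and len(candidate) < self.min_length:
            problems.append(f"min-length {self.min_length}")
        if self.max_length and len(candidate) > self.max_length:
            problems.append(f"max-length {self.max_length}")
        counts = {
            "lower-case": sum(c.islower() for c in candidate),
            "upper-case": sum(c.isupper() for c in candidate),
            "numeric-count": sum(c.isdigit() for c in candidate),
            "special-case": sum(c in SPECIAL_CHARS for c in candidate),
        }
        required = {
            "lower-case": self.lower_case, "upper-case": self.upper_case,
            "numeric-count": self.numeric_count, "special-case": self.special_case,
        }
        for rule, minimum in required.items():
            if counts[rule] < minimum:
                problems.append(f"{rule} {minimum}")
        # history <COUNT>: the last COUNT passwords may not be reused
        if self.history and self._digest(candidate) in self._previous[-self.history:]:
            problems.append(f"history {self.history} (password reused)")
        return problems

    def commit(self, password: str) -> None:
        """Record a newly set password so the history rule applies to it."""
        self._previous.append(self._digest(password))
        self.trim_history()

    def trim_history(self) -> None:
        """Drop entries beyond <COUNT>; the page says older ones go when COUNT shrinks."""
        if self.history == 0:
            self._previous.clear()
        else:
            del self._previous[:-self.history]


def policy_from_config(lines) -> PasswordPolicy:
    """Build a PasswordPolicy from 'security passwords ...' configuration lines."""
    policy = PasswordPolicy()
    for line in lines:
        m = CONFIG_RE.match(line)
        if not m:
            continue  # not a password-policy line
        negated, keyword, value = m.groups()
        attr = keyword.replace("-", "_")
        # the 'no' form restores the default value listed on the page
        setattr(policy, attr, DEFAULTS[attr] if negated or value is None else int(value))
    policy.trim_history()
    return policy


if __name__ == "__main__":
    policy = policy_from_config([
        "security passwords min-length 10", "security passwords lower-case 2",
        "security passwords upper-case 2", "security passwords numeric-count 2",
        "security passwords special-case 2", "security passwords history 2",
    ])
    for candidate in ("AbCdef12!?", "Ab1!"):
        print(candidate, "->", policy.violations(candidate) or "accepted")
```

Running the block prints the rule list each candidate fails. The check order (length, then each character class, then history) is the example's own; the page does not state in which order the router evaluates the rules.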

show aaa accounting

The command displays configured accounting parameters.

Syntax

show aaa accounting

Parameters

The command does not contain parameters.

Required privilege level

10

Command mode

ROOT

Example:
esr# show aaa accounting
Login :          radius
Commands :       tacacs

show aaa authentication

The command displays the lists of user authentication methods, as well as the active list for each terminal type.

Syntax

show aaa authentication

Parameters

The command does not contain parameters.

Required privilege level

10

Command mode

ROOT

Example:
esr# show aaa authentication
   Login Authentication Method Lists
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
List               Methods
----------------   --------------------------------
default            local
   Enable Authentication Method Lists
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
List               Methods
----------------   --------------------------------
default            enable
   Lines configuration
   ~~~~~~~~~~~~~~~~~~~
Line        Login method list                  Enable method list
---------   --------------------------------   --------------------------------
console     default                            default
telnet      default                            default
ssh         default                            default

show aaa ldap-servers

The command displays LDAP servers parameters.

Syntax

show aaa ldap-servers

Parameters

The command does not contain parameters.

Required privilege level

1

Command mode

ROOT

Example:
esr# show aaa ldap-servers
Base DN:                      dc=example,dc=com
Root DN:                      cn=admin,dc=example,dc=com
Root password:                CDE65039E5591FA3
Naming attribute:             uid
Privilege level attribute:    priv-lvl
User object class:            posixAccount
DSCP:                         63
Bind timeout:                 3
Search timeout:               0
Search scope:                 subtree
IP Address                         Port           Priority
--------------------------------   ------------   ------------
10.100.100.1                       389            1

show aaa radius-servers

The command displays RADIUS servers parameters.

Syntax

show aaa radius-servers

Parameters

The command does not contain parameters.

Required privilege level

15

Command mode

ROOT

Example:
esr# show aaa radius-servers
Timeout:     3
Retransmit:  1
DSCP:        63
IP Addres        Timeout      Priority     Usage        Key
------------    ----------   ----------   ----------   ---------------------------
2.2.2.2             --           1            all          9DA7076CA30B5FFE0DC9C4
2.4.4.4             --           1            all          9DA7076BA30B4EFCE5

show aaa tacacs-servers

The command displays TACACS servers parameters.

Syntax

show aaa tacacs-servers

Parameters

The command does not contain parameters.

Required privilege level

15

Command mode

ROOT

Example:
esr# show aaa tacacs-servers
Timeout :       3
DSCP:          63
IP Address               Port           Priority       Key
----------------------   ------------   ------------   --------------------------------
10.100.100.1             49             1              CDE65039E5591FA3
10.100.100.5             49             10             CDE65039E5591FA3

show users

The command displays system users active sessions.

Syntax

show users

Parameters

The command does not contain parameters.

Required privilege level

1

Command mode

ROOT

Example:
esr# show users
User name         Logged in at        Host             Timers Login/Priv   level
--------------    -----------------   --------------   -----------------   -----
admin             13/02/15 01:14:25   Console          00:29:57/00:00:00   15
1 user sessions.

show users accounts

The command displays system users configuration.

Syntax

show users accounts

Parameters

The command does not contain parameters.

Required privilege level

10

Command mode

ROOT

Example:
esr# show users accounts
Name                               Password                           Privilege
--------------------------------   --------------------------------   ---------
admin                              $6$1sxrvGaV8Za8oX/K$YNel5xYPZ4cj   15
                                   bemYWYNpQBQKDxWE9v0aoKgQ
                                   kRCEb0EMNuusO9Kmg7UBs7nA3buEM87e
                                   Eu.rA6tZq0
techsupport                        $6$YfwntIwU$ah7UxPZTemKhjpSWvVsV   15
                                   9jHcp. 9lweQaSldw7ZtUr
                                   uH66uZx9.EBASff//hUj8ObUaC484TNR
                                   x.
remote                             $6$YfwntIwU$ah7UxPZTemKhjpSWvVsV   1
                                   9jHcp.kqFAK.vmvyY9lweQaSldw7ZtUr
                                   uH66uZx9.EBASff//hUj8ObUaC484TNR
                                   x.
operator                           $6$eILpbbyRxedCzvVD$4RHP08mjXvNf   1
                                   urX7V/ULCZ1oHIWMwE6h5f
                                   zgwZQUZcPoZCEyaqQQqCicRMRuPwhxrQ
                                   bvGChWreW1

show users blocked

The command displays the list of users with incorrect password entered. A user is removed from the list after entering the correct password during authentication.

Syntax

show users blocked [ <NAME> ]

Parameters

<NAME> – name of the user for which the statistics on incorrect authentication attempts are to be shown, set by a string of up to 31 characters.

Without specifying the user name, the whole table of incorrect authentication attempts is shown.

Required privilege level

1

Command mode

ROOT

Example:
esr# show users blocked
User name              Failures   Latest failure      From
--------------------   --------   -----------------   ----------------
tester                 4          10/09/17 08:29:42   0.0.0.0
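The 'show users' and 'show users blocked' outputs above share the layout used by every show command on this page: a header row, a separator made of dash runs, then one row per record. The following Python parser is an added example, not Eltex code: it takes the column boundaries from the dash runs of the separator line, turns each row into a dictionary keyed by the header names, and uses that to answer two monitoring questions, which blocked users have reached a failed-attempt threshold and which privileged sessions did not arrive over the console. The two sample outputs are constructed in the page's layout (not captured from a device; the addresses come from documentation ranges) and the function names are assumptions of this example.

```python
import re

# Constructed sample in the 'show users blocked' layout shown above.
SAMPLE_BLOCKED = """\
User name              Failures   Latest failure      From
--------------------   --------   -----------------   ----------------
tester                 4          10/09/17 08:29:42   0.0.0.0
admin                  6          10/09/17 08:31:05   192.0.2.10
"""

# Constructed sample in the 'show users' layout shown above.
SAMPLE_SESSIONS = """\
User name         Logged in at        Host             Timers Login/Priv   level
--------------    -----------------   --------------   -----------------   -----
admin             13/02/15 01:14:25   Console          00:29:57/00:00:00   15
operator          13/02/15 01:20:11   192.0.2.10       00:05:02/00:00:00   1
remote            13/02/15 01:25:40   198.51.100.7     00:01:10/00:00:00   15
3 user sessions.
"""


def parse_dash_table(text):
    """Parse a header / dashed-separator / rows table into a list of dicts."""
    lines = [line.rstrip() for line in text.splitlines() if line.strip()]
    for i in range(1, len(lines)):
        if set(lines[i].strip()) <= {"-", " "}:
            header, separator, rows = lines[i - 1], lines[i], lines[i + 1:]
            break
    else:
        raise ValueError("no dashed separator line found")
    # each run of dashes marks where a column starts; a column ends where the next one starts
    starts = [m.start() for m in re.finditer(r"-+", separator)]
    ends = starts[1:] + [None]

    def cells(line):
        return [line[s:e].strip() for s, e in zip(starts, ends)]

    names = cells(header)
    records = []
    for row in rows:
        values = cells(row)
        # trailing summary lines such as "3 user sessions." fill only the first column
        if sum(bool(v) for v in values) <= len(values) // 2:
            continue
        records.append(dict(zip(names, values)))
    return records


def users_at_lockout(blocked_output, max_fail):
    """Names from 'show users blocked' whose failure count has reached max_fail."""
    return [r["User name"] for r in parse_dash_table(blocked_output)
            if int(r["Failures"]) >= max_fail]


def remote_privileged_sessions(sessions_output, min_level=15):
    """(user, host) for active sessions at or above min_level that are not on the console."""
    return [(r["User name"], r["Host"]) for r in parse_dash_table(sessions_output)
            if r["Host"] != "Console" and int(r["level"]) >= min_level]


if __name__ == "__main__":
    print("at lockout threshold:", users_at_lockout(SAMPLE_BLOCKED, 5))
    print("remote privileged sessions:", remote_privileged_sessions(SAMPLE_SESSIONS))
```

Because the column positions come from the separator line rather than from fixed offsets, the same parser handles the other tables on this page (for instance the server lists of 'show aaa tacacs-servers'); the threshold of 5 in the usage call is only the example's own input value.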

source-address

The command specifies the IPv4/IPv6 address of the router that will be used as the IPv4/IPv6 source address in packets sent to the AAA server being configured.

The use of a negative form (no) of the command removes a specified source IPv4/IPv6 address.

Syntax

source-address { <ADDR> | <IPV6-ADDR> }

no source-address

Parameters

<ADDR> – source IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255];

<IPV6-ADDR> – source IPv6 address, defined as X:X:X:X::X where each part takes values in hexadecimal format [0..FFFF].

Required privilege level

15

Command mode

CONFIG-RADIUS-SERVER

CONFIG-TACACS-SERVER

CONFIG-LDAP-SERVER

Example:
esr(config-radius-server)# source-address 220::71

source-interface

The command specifies the router interface or tunnel whose IPv4/IPv6 address will be used as the IPv4/IPv6 source address in packets sent to the AAA server being configured.

The use of a negative form (no) of the command removes a specified interface or tunnel.

Syntax

source-interface { <IF> | <TUN> }

no source-interface

Parameters

<IF> – interface name, specified in the form described in Section Types and naming order of router interfaces;

<TUN> – tunnel name, specified in the form described in Section Types and naming order of router tunnels.

Required privilege level

15

Command mode

CONFIG-RADIUS-SERVER

Example:
esr(config-radius-server)# source-interface gigabitethernet 1/0/1

tacacs-server dscp

The command sets the DSCP code value for the use in IP headers of TACACS server outgoing packets.

The use of a negative form (no) of the command sets the default DSCP value.

Syntax

tacacs-server dscp <DSCP>

no tacacs-server dscp

Parameters

<DSCP> – DSCP code value, takes values in the range of [0..63].

Default value

63

Required privilege level

10

Command mode

CONFIG

Example:
esr(config)# tacacs-server dscp 40

tacacs-server host

The command adds a TACACS server to the list of servers in use and switches to TACACS SERVER command mode.

The use of a negative form (no) of the command removes a specified TACACS server.

Syntax

[no] tacacs-server host { <ADDR> | <IPV6-ADDR> } [ vrf <VRF> ]

Parameters

<VRF> – VRF instance name, set by the string of up to 31 characters.

<ADDR> – TACACS server IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255].

<IPV6-ADDR> – TACACS server IPv6 address, defined as X:X:X:X::X where each part takes values in hexadecimal format [0..FFFF].

Required privilege level

15

Command mode

CONFIG

Example:
esr(config)# tacacs-server host 10.100.100.1
esr(config-tacacs-server)#

tacacs-server timeout

The command sets the interval after which the device considers TACACS server as unavailable.

The use of a negative form (no) of the command sets the default value.

Syntax

tacacs-server timeout <SEC>

no tacacs-server timeout

Parameters

<SEC> – time interval in seconds, takes values of [1..30].

Default value

3 seconds.

Required privilege level

10

Command mode

CONFIG

Example:
esr(config)# tacacs-server timeout 5

tech-support login enable

The command enables low-level remote access to the system using the 'techsupport' user. Low-level access to the system provides technical support with all required information when it is necessary.

The use of a negative form (no) of the command disables low-level remote access to the system using the 'techsupport' user.

Syntax

[no] tech-support login enable

Parameters

The command does not contain parameters.

Required privilege level

15

Command mode

CONFIG

Example:
esr(config)# tech-support login enable

timeout

The command sets the interval after which the device considers RADIUS server as unavailable.

The use of a negative form (no) of the command sets the default value.

Syntax

timeout <SEC>

no timeout

Parameters

<SEC> – time interval in seconds, takes values of [1..30].

Default value

Not specified; the global timer value described in Section radius-server timeout is used.

Required privilege level

10

Command mode

CONFIG-RADIUS-SERVER

Example:
esr(config-radius-server)# timeout 7

usage

The command specifies the connection types for whose authentication the RADIUS server will be used.

The use of a negative form (no) of the command sets the default value.

Syntax

usage { all | aaa | auth | acct | pptp | l2tp }

no usage

Parameters

all – all connection types;

aaa – RADIUS server will be used for authentication, authorization and accounting of telnet, ssh and console sessions;

auth – RADIUS server will be used for authentication and authorization of telnet, ssh and console sessions;

acct – RADIUS server will be used for accounting of telnet, ssh and console sessions;

pptp – RADIUS server will be used for authentication, authorization and accounting of remote users connected via PPTP;

l2tp – RADIUS server will be used for authentication, authorization and accounting of remote users connected via L2TP over IPsec.

Default value

all

Required privilege level

15

Command mode

CONFIG-RADIUS-SERVER

Example:
esr(config-radius-server)# usage pptp

username

The command adds a user to the local user base and performs the switch to user parameters configuration mode.

The use of a negative form (no) of the command removes a user from the system.

Syntax

[no] username <NAME>

Parameters

<NAME> – user name, set by the string of up to 31 characters. If the command is used for removal, when specifying the 'all' value all users will be removed.

Required privilege level

15

Command mode

CONFIG

Example:
esr(config)# username test
esr(config-user)#