aaa accounting commands

The command configures a list of CLI command accounting methods.

The use of a negative form (no) of the command sets the default value.

Syntax
aaa accounting commands stop-only <METHOD>
no aaa accounting commands stop-only
Parameters

<METHOD> – accounting methods:

  • tacacs – command accounting by TACACS.
Default value

Accounting is not kept.

Required privilege level

15

Command mode

CONFIG

Example:
esr(config)# aaa accounting commands stop-only tacacs

aaa accounting login

The command configures a list of user session accounting methods. An accounting record is sent when a user logs on and when the session ends; these correspond to the 'start' and 'stop' records in RADIUS and TACACS messages.

The use of a negative form (no) of the command sets the default value.

Syntax
aaa accounting login start-stop <METHOD 1> [ <METHOD 2> ]
no aaa accounting login start-stop
Parameters

<METHOD> – accounting methods:

  • tacacs – session accounting by TACACS;
  • radius – session accounting by RADIUS.
Default value

Session accounting is locally logged.

Required privilege level

15

Command mode

CONFIG

Example:
esr(config)# aaa accounting login start-stop tacacs

aaa authentication attempts max-fail

The command sets the maximum number of failed authentication attempts after which a user is blocked, and the blocking time.

The use of a negative form (no) of the command restores the default number of attempts and blocking time.

Syntax
aaa authentication attempts max-fail <COUNT> <TIME>
no aaa authentication attempts max-fail
Parameters

<COUNT> – number of failed authentication attempts after which a user is blocked, takes the values of [1..65535];

<TIME> – user blocking time in seconds, takes the values of [1..65535].

Default value

Amount of failed attempts – 5

Blocking time – 300

Required privilege level

15

Command mode

CONFIG

Example:
esr(config)# aaa authentication attempts max-fail 5 30

aaa authentication enable

The command creates lists of authentication methods for user privilege escalation. If authentication by one method fails, authentication by the next method in the list is attempted (whether a rejection counts as a failure depends on the mode set by the command described in Section aaa authentication mode).

The default configuration includes a list named 'default'. The 'default' list includes one authentication method – 'enable'. To use the list for user privileges escalation authentication, it is necessary to bind it by the command described in Section enable authentication.

The use of a negative form (no) of the command removes the authentication methods list.

Syntax
aaa authentication enable <NAME> <METHOD 1> [ <METHOD 2> ] [ <METHOD 3> ] [ <METHOD 4> ]
no aaa authentication enable <NAME>
Parameters

<NAME> – list name: string of up to 31 characters;

  • default – «default» list name.

<METHOD> – authentication methods:

  • enable – authentication by enable passwords;
  • tacacs – authentication by TACACS;
  • radius – authentication by RADIUS;
  • ldap – authentication by LDAP.
Required privilege level

15

Command mode

CONFIG

Example:
esr(config)# aaa authentication enable enable-test tacacs enable

aaa authentication login

The command creates lists of authentication methods for user login. If authentication by one method fails, authentication by the next method in the list is attempted (whether a rejection counts as a failure depends on the mode set by the command described in Section aaa authentication mode).

The default configuration includes a list named 'default'; the list contains one authentication method – «local». To use the list for user login authentication, it is necessary to activate it by the command described in Section login authentication.

The use of a negative form (no) of the command removes the authentication methods list.

Syntax
aaa authentication login { default | <NAME> } <METHOD 1> [ <METHOD 2> ] [ <METHOD 3> ] [ <METHOD 4> ]
no aaa authentication login { default | <NAME> }
Parameters

<NAME> – list name, set by the string of up to 31 characters;

Authentication methods:
  • local – authentication by local user base;
  • tacacs – authentication by TACACS server list;
  • radius – authentication by RADIUS server list;
  • ldap – authentication by LDAP server list.
Required privilege level

15

Command mode

CONFIG

Example:
esr(config)# aaa authentication login login-test tacacs local

aaa authentication mode

The command defines the mode of operation with authentication method lists.

The use of a negative form (no) of the command restores the default mode.

Syntax
[no] aaa authentication mode { break | chain }
Parameters

break – the next method in the list is used only when the higher-priority method is unavailable (does not respond); a rejection by an available method is final;

chain – the next method in the list is also used when the higher-priority method rejects the authentication.

Default value

chain

Required privilege level

15

Command mode

CONFIG

Example:
esr(config)# aaa authentication mode break
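Which mode is active decides whether a rejection by the remote server can be bypassed by the next method in the list. The fragment below is an added configuration example assembled from the commands on this page; it is not taken from the vendor's manual. It assumes that a TACACS+ server is already defined (the tacacs-server commands are not on this page), that exit returns from a line sub-mode to CONFIG, that the login authentication and enable authentication line commands described later on this page bind the lists, and that the enable password value is a placeholder to be replaced. Lines starting with ! are annotations for the reader, not CLI input.

```text
! Weak variant: with the default 'chain' mode a password rejected by the
! TACACS+ server is tried again against the local database, so the server's
! decision is bypassed whenever a matching local account exists.
esr(config)# aaa authentication login login-remote tacacs local
esr(config)# line ssh
esr(config-line-ssh)# login authentication login-remote
esr(config-line-ssh)# exit

! Hardened variant: fall back to the local database only when no server
! answers, authenticate privilege escalation on the server too, lock out
! after repeated failures and send session and command accounting to the server.
esr(config)# aaa authentication mode break
esr(config)# aaa authentication login login-remote tacacs local
esr(config)# aaa authentication enable enable-remote tacacs enable
esr(config)# enable password 5f3a9c1e7b2d4a08 privilege 15
esr(config)# aaa authentication attempts max-fail 5 300
esr(config)# aaa accounting login start-stop tacacs
esr(config)# aaa accounting commands stop-only tacacs
esr(config)# line ssh
esr(config-line-ssh)# login authentication login-remote
esr(config-line-ssh)# enable authentication enable-remote
esr(config-line-ssh)# exit
esr(config)# line console
esr(config-line-console)# login authentication login-remote
esr(config-line-console)# enable authentication enable-remote
```

In break mode the local database is consulted only when no server answers, so an account disabled on the TACACS+ server stays disabled on the router even if a local user with the same name exists. The enable password line matters in both variants: the 'enable' method at the end of the enable-remote list is what authenticates escalation when the server is unreachable, and with no enable password set that fallback lets any system user obtain privilege level 15.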

aaa das-profile

The command adds a profile of dynamic authorization servers (DAS) and switches to DAS SERVER PROFILE command mode.

The use of a negative form (no) of the command removes a specified profile of dynamic authorization servers (DAS).

Syntax
[no] aaa das-profile <NAME>
Parameters

<NAME> – DAS profile name, set by the string of up to 31 characters.

Required privilege level

15

Command mode

CONFIG

Example:
esr(config)# aaa das-profile profile1
esr(config-aaa-das-profile)#

aaa disable

This command disables access to the router through the console interface.

The use of a negative form of the command (no) enables the access to the router through the console interface.

Syntax
[no] aaa disable
Parameters

The command does not contain parameters.

Default value

Access to the router via the console interface is enabled.

Required privilege level

10

Command mode

CONFIG-LINE-CONSOLE

Example:
esr(config-line-console)# aaa disable

aaa radius-profile

The command is used to add RADIUS server profile and to switch to RADIUS SERVER PROFILE command mode.

The use of a negative form (no) of the command removes a specified RADIUS server profile.

Syntax
[no] aaa radius-profile <NAME>
Parameters

<NAME> – RADIUS server profile name, set by the string of up to 31 characters.

Required privilege level

15

Command mode

CONFIG

Example:
esr(config)# aaa radius-profile profile1
esr(config-aaa-radius-profile)#

acct-port

The command specifies a port number to exchange data with a remote RADIUS server when accounting.

The use of a negative form (no) of the command sets the default value.

Syntax
acct-port <PORT>
no acct-port
Parameters

<PORT> – number of UDP port to exchange data with a remote server, takes values of [1..65535].

Default value

1813

Required privilege level

15

Command mode

CONFIG-RADIUS-SERVER

Example:
esr(config-radius-server)# acct-port 4444

auth-port

The command specifies a port number to exchange data with a remote RADIUS server when authenticating and authorizing.

The use of a negative form (no) of the command sets the default value.

Syntax
auth-port <PORT>
no auth-port
Parameters

<PORT> – number of UDP port to exchange data with a remote server, takes values of [1..65535].

Default value

1812

Required privilege level

15

Command mode

CONFIG-RADIUS-SERVER

Example:
esr(config-radius-server)# auth-port 4444

clear users blocked

The command clears the record of failed authentication attempts kept for users.

Syntax
clear users blocked [ <NAME> ]
Parameters

<NAME> – name of the user whose record of failed authentication attempts is to be cleared, a string of up to 31 characters.

Without specifying the user name, the whole table of incorrect authentication attempts is cleaned.

Required privilege level

15

Command mode

ROOT

Example:
esr# clear users blocked

clear user-session

This command closes the CLI user work session.

Syntax
clear user-session [ <USERNAME> | <SESSION> ]
Parameters

<USERNAME> – name of the user whose session should be closed, a string of up to 31 characters.

<SESSION> – number of the terminal session to close, a number in the range [1..10].

Required privilege level

15

Command mode

ROOT

Example:
esr# clear user-session

clients

The command specifies the list of dynamic authorization clients (DAC) whose requests the dynamic authorization server (DAS) will respond to.

The use of a negative form (no) of the command removes the list of dynamic authorization clients (DAC).

Syntax
clients object-group <NAME>
no clients
Parameters

<NAME> – name of the IP address profile (object-group) that contains the addresses of the dynamic authorization clients, a string of up to 31 characters.

Required privilege level

15

Command mode

CONFIG-DAS-SERVER

Example:
esr(config-das-server)# clients object-group pcrf

das-server 

The command adds a dynamic authorization server (DAS) and switches to DAS SERVER command mode. A dynamic authorization server accepts RADIUS CoA requests from dynamic authorization clients (DAC), for example a request to disconnect a user or to re-request the user's list of services.

The use of a negative form (no) of the command removes a specified DAS server.

Syntax

[no] das-server <NAME>

Parameters

<NAME> – DAS name, set by the string of up to 31 characters.

Required privilege level

15

Command mode

CONFIG

Example:
esr(config)# das-server main
esr(config-das-server)#

das-server

The command is used to add dynamic authorization server (DAS) to a configurable profile of dynamic authorization servers.

The use of a negative form (no) of the command removes a specified DAS server.

Syntax
[no] das-server <NAME>
Parameters

<NAME> – DAS name, set by the string of up to 31 characters.

Required privilege level

15

Command mode

CONFIG-AAA-DAS-PROFILE

Example:
esr(config-aaa-das-profile)# das-server main

dead-interval

The command specifies the interval during which no packets are sent to a RADIUS server that has been marked unavailable. The server is marked unavailable when the response timeout for the last retransmitted request expires (see Section radius-server retransmit).

The use of a negative form (no) of the command sets the default value.

Syntax
dead-interval <SEC>
no dead-interval
Parameters

<SEC> – time interval in seconds, takes values of [0..3600].

Default value

120

Required privilege level

10

Command mode

CONFIG-RADIUS-SERVER

Example:
esr(config-radius-server)# dead-interval 600

description

The command is used to change the description of dynamic authorization servers (DAS) profile or RADIUS servers profile.

The use of a negative form (no) of the command removes a profile description.

Syntax
description <DESCRIPTION>
no description
Parameters

<DESCRIPTION> – profile description, set by the string of up to 255 characters.

Required privilege level

10

Command mode

CONFIG-DAS-SERVER-PROFILE

CONFIG-RADIUS-SERVER-PROFILE

Example:

Set the description for a DAS profile:

esr(config-aaa-das-profile)# description "Main profile"

disable

The command reduces the user privilege level to initial one.

Syntax
disable
Parameters

The command does not contain parameters.

Required privilege level

2

Command mode

ROOT

Example:
esr# disable
esr>

enable

The command escalates the user privilege level. The authentication methods used for privilege escalation are specified by the command described in Section aaa authentication enable.

By default the 'enable' password method is configured, but no enable passwords are set; until an enable password is set, any system user can obtain privilege level 15.

To authenticate privilege escalation via TACACS/RADIUS/LDAP, users named $enab<PRIV>$, where <PRIV> is the privilege level being requested, must be created on the server.

Syntax

enable [ <PRIV> ]

Parameters

<PRIV> – required privilege level, takes value in the range of [2..15].

Default value

15

Required privilege level

1

Command mode

ROOT

Example:
esr> enable 10
esr#

enable authentication

The command selects the user privilege escalation authentication list to be used on the terminal being configured.

The default configuration includes a list named 'default'; the list contains one authentication method – 'enable'.

The use of a negative form (no) of the command enables the 'default' list.

Syntax
enable authentication <NAME>
no enable authentication
Parameters

<NAME> – list name, set by the string of up to 31 characters.

Default value

default

Required privilege level

15

Command mode

CONFIG-LINE-CONSOLE

CONFIG-LINE-TELNET

CONFIG-LINE-SSH

Example:
esr(config-line-console)# enable authentication enable-test

enable password

The command sets the password that will be required when escalating the user privilege level.

By default no enable passwords are set, so any system user can obtain privilege level 15.

The use of a negative form (no) of the command removes a password from the system.

Syntax
enable password { <CLEAR-TEXT> | encrypted <HASH_SHA512> } [ privilege <PRIV> ]
no enable password [ privilege <PRIV> ]
Parameters

<CLEAR-TEXT> – password, a string of 8 to 32 characters from the set [0-9a-fA-F];

<HASH_SHA512> – password hash computed with the sha512 algorithm, a string of 110 characters;

<PRIV> – required privilege level, takes value in the range of [2..15], 15 by default.

Required privilege level

15

Command mode

CONFIG

Example:
esr(config)# enable password 12345678 privilege 10

exec-timeout

The command specifies the time interval after which an idle session will be disconnected.

The use of a negative form (no) of the command sets the default value.

Syntax
exec-timeout <SEC>
no exec-timeout
Parameters

<SEC> – time interval in minutes, takes values of [1..65535].

Default value

30 minutes

Required privilege level

15

Command mode

CONFIG-LINE-CONSOLE

CONFIG-LINE-SSH

CONFIG-LINE-TELNET

CONFIG-LINE-AUX (only for ESR-21)

Example:
esr(config-line-ssh)# exec-timeout 600

ip sftp enable

This command enables SFTP access to the router for the user being configured.

The use of a negative form of the command (no) disables SFTP access for the user being configured.

Syntax
[no] ip sftp enable
Parameters

None

Default value

Disabled

Required privilege level

10

Command mode

CONFIG-USER

Example:
esr(config-user)# ip sftp enable

key

The command specifies the shared key used to authenticate exchanges with a remote server.

The use of a negative form (no) of the command removes the key.

Syntax
key ascii-text { <TEXT> | encrypted <ENCRYPTED-TEXT> }
no key
Parameters

<TEXT> – string of [8..16] ASCII characters (up to 60 characters for a TACACS server);

<ENCRYPTED-TEXT> – encrypted key, [8..16] bytes in size, specified as a string of [16..32] characters (up to 120 characters for a TACACS server).

Required privilege level

15

Command mode

CONFIG-TACACS-SERVER

CONFIG-RADIUS-SERVER

CONFIG-DAS-SERVER

Example:
esr(config-tacacs-server)# key ascii-text 12345678

ldap-server base-dn

The command specifies the base DN (Distinguished Name) from which users are searched for.

The use of a negative form (no) of the command removes the specified base DN.

Syntax
ldap-server base-dn <NAME>
no ldap-server base-dn
Parameters

<NAME> – base DN, a string of up to 255 characters.

Required privilege level

15

Command mode

CONFIG

Example:
esr(config)# ldap-server base-dn "dc=example,dc=com"

ldap-server bind authenticate root-dn

The command specifies the DN (Distinguished Name) of the user with administrator rights that the device binds as on the LDAP server when searching for users.

The use of a negative form (no) of the command removes the specified DN.

Syntax
ldap-server bind authenticate root-dn <NAME>
no ldap-server bind authenticate root-dn
Parameters

<NAME> – DN of the user with administrator rights, a string of up to 255 characters.

Required privilege level

15

Command mode

CONFIG

Example:
esr(config)# ldap-server bind authenticate root-dn "cn=admin,dc=example,dc=com"

ldap-server bind authenticate root-password

The command specifies the password of the user with administrator rights that the device binds as on the LDAP server when searching for users.

The use of a negative form (no) of the command removes the specified password.

Syntax
ldap-server bind authenticate root-password ascii-text { <TEXT> | encrypted <ENCRYPTED-TEXT> }
no ldap-server bind authenticate root-password
Parameters

<TEXT> – string [8..16] ASCII characters;

<ENCRYPTED-TEXT> – encrypted password, [8..16] bytes size, set by the string of [16..32] characters.

Required privilege level

15

Command mode

CONFIG

Example:
esr(config)# ldap-server bind authenticate root-password ascii-text 12345678

ldap-server bind timeout

The command sets the interval after which the device considers LDAP server as unavailable.

The use of a negative form (no) of the command sets the default value.

Syntax
ldap-server bind timeout <SEC>
no ldap-server bind timeout
Parameters

<SEC> – time interval in seconds, takes values of [1..30].

Default value

3 seconds

Required privilege level

15

Command mode

CONFIG

Example:
esr(config)# ldap-server bind timeout 5

ldap-server dscp

The command sets the DSCP code value for the use in IP headers of LDAP server outgoing packets.

The use of a negative form (no) of the command sets the default DSCP value.

Syntax
ldap-server dscp <DSCP>
no ldap-server dscp
Parameters

<DSCP> – DSCP code value, takes values in the range of [0..63].

Default value

63

Required privilege level

10

Command mode

CONFIG

Example:
esr(config)# ldap-server dscp 40

ldap-server host

The command is used to add LDAP server to the list of servers in use and to switch to LDAP SERVER command mode.

The use of a negative form (no) of the command removes a specified LDAP server.

Syntax
[no] ldap-server host { <ADDR> | <IPV6-ADDR> } [ vrf <VRF> ]
Parameters

<VRF> – VRF instance name, set by the string of up to 31 characters.

<ADDR> – LDAP server IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255];

<IPV6-ADDR> – LDAP server IPv6 address, defined as X:X:X:X::X where each part takes values in hexadecimal format [0..FFFF].

Required privilege level

15

Command mode

CONFIG

Example:
esr(config)# ldap-server host 10.100.100.1
esr(config-ldap-server)#

ldap-server naming-attribute

The command sets the name of the object attribute whose value is compared with the name of the user being looked up on the LDAP server.

The use of a negative form (no) of the command sets the default value.

Syntax
ldap-server naming-attribute <NAME>
no ldap-server naming-attribute
Parameters

<NAME> – object attribute name, set by the string of up to 127 characters.

Default value

uid

Required privilege level

15

Command mode

CONFIG

Example:
esr(config)# ldap-server naming-attribute displayName

ldap-server privilege-level-attribute

The command sets the name of the object attribute whose value defines the initial privilege level of a user on the device. The attribute must take values in [1..15]. If the attribute is missing or contains an invalid value, the user receives the initial privileges of the 'remote' user.

The use of a negative form (no) of the command sets the default value.

Syntax
ldap-server privilege-level-attribute <NAME>
no ldap-server privilege-level-attribute
Parameters

<NAME> – object attribute name, set by the string of up to 127 characters.

Default value

priv-lvl

Required privilege level

15

Command mode

CONFIG

Example:
esr(config)# ldap-server privilege-level-attribute title

ldap-server search filter user-object-class

The command sets the name of the object class within which users are searched for on the LDAP server.

The use of a negative form (no) of the command sets the default value.

Syntax
ldap-server search filter user-object-class <NAME>
no ldap-server search filter user-object-class
Parameters

<NAME> – object class name, set by the string of up to 127 characters.

Default value

posixAccount

Required privilege level

15

Command mode

CONFIG

Example:
esr(config)# ldap-server search filter user-object-class shadowAccount

ldap-server search scope

The command specifies a user search scope in LDAP server tree.

The use of a negative form (no) of the command sets the default value.

Syntax
ldap-server search scope <SCOPE>
no ldap-server search scope
Parameters

<SCOPE> – user search scope on LDAP server, takes the following values:

  • onelevel – search only the objects one level below the base DN in the LDAP server tree;
  • subtree – search all objects in the subtree under the base DN in the LDAP server tree.
Default value

subtree

Required privilege level

15

Command mode

CONFIG

Example:
esr(config)# ldap-server search scope onelevel

ldap-server search timeout

The command sets the interval after which the device concludes that the LDAP server has not found user entries matching the search condition.

The use of a negative form (no) of the command sets the default value.

Syntax
ldap-server search timeout <SEC>
no ldap-server search timeout
Parameters

<SEC> – time interval in seconds, takes values of [0..30].

Default value

0 – device is waiting for search completion and response from LDAP server.

Required privilege level

15

Command mode

CONFIG

Example:
esr(config)# ldap-server search timeout 10
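The ldap-server commands above only work together when the base DN, object class, naming attribute and search scope describe the same part of the directory. The fragment below is an added configuration example assembled from the commands on this page; it is not taken from the vendor's manual. It assumes a directory in which users are posixAccount entries directly under ou=netops,dc=example,dc=com, keyed by uid, carrying an integer attribute esrPrivLevel (1..15) for the initial privilege level; the bind account cn=esr-bind,ou=services,dc=example,dc=com, its password, and the server address are placeholders, and exit is assumed to return from the ldap-server sub-mode to CONFIG. Lines starting with ! are annotations, not CLI input.

```text
! Server entry: address, priority among LDAP servers, and the LDAP port.
esr(config)# ldap-server host 10.100.100.1
esr(config-ldap-server)# priority 1
esr(config-ldap-server)# port 389
esr(config-ldap-server)# exit

! Where and how users are looked up. 'onelevel' limits matches to entries
! directly under the base DN, so an identically named uid elsewhere in the
! tree cannot authenticate.
esr(config)# ldap-server base-dn "ou=netops,dc=example,dc=com"
esr(config)# ldap-server bind authenticate root-dn "cn=esr-bind,ou=services,dc=example,dc=com"
esr(config)# ldap-server bind authenticate root-password ascii-text 7c2e91b4d0a6f3e8
esr(config)# ldap-server search filter user-object-class posixAccount
esr(config)# ldap-server naming-attribute uid
esr(config)# ldap-server search scope onelevel
esr(config)# ldap-server privilege-level-attribute esrPrivLevel

! Bound timeouts: the default search timeout of 0 waits indefinitely.
esr(config)# ldap-server bind timeout 5
esr(config)# ldap-server search timeout 10

! Use the directory for SSH logins, with local fallback.
esr(config)# aaa authentication login login-ldap ldap local
esr(config)# line ssh
esr(config-line-ssh)# login authentication login-ldap
```

Two consequences of the commands as documented are worth checking after such a configuration. First, a user whose esrPrivLevel attribute is missing or outside 1..15 logs in with the privileges of the 'remote' user (1 by default), so that user's level should be left at 1 rather than raised for convenience. Second, this page lists no TLS option for the LDAP transport, so the bind password and the users' credentials cross the network as the LDAP server receives them; reaching the server through a dedicated management VRF (the vrf option of ldap-server host) keeps that traffic off production paths. The page describes the bind account as a user with administrator rights, but read access to the user subtree is all the lookup needs.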

line

The command performs the switch to a certain terminal configuration mode: local console, remote console (Telnet), remote secure console (SSH).

The use of a negative form (no) of the command sets the default terminal parameters. The default settings are described in sections login authentication and enable authentication.

Syntax
[no] line <TYPE>
Parameters

<TYPE> – console type:

  • console – local console;
  • telnet – remote console;
  • ssh – secure remote console.
Required privilege level

15

Command mode

CONFIG

Example:
esr(config)# line console
esr(config-line-console)#

login authentication

The command selects the user login authentication list to be used on the terminal being configured.

The default configuration includes a list named 'default'; the list contains one authentication method – 'local'.

The use of a negative form (no) of the command enables the 'default' list.

Syntax
login authentication <NAME>
no login authentication
Parameters

<NAME> – list name, set by the string of up to 31 characters.

Default value

default

Required privilege level

15

Command mode

CONFIG-LINE-CONSOLE

CONFIG-LINE-TELNET

CONFIG-LINE-SSH

Example:
esr(config-line-console)# login authentication login-test

password

The command sets the login password for the user being configured. The password can be set either in clear text or as a sha512 hash.

The use of a negative form (no) of the command removes users password from the system.

Syntax
password { <CLEAR-TEXT> | encrypted <HASH_SHA512> }
no password
Parameters

<CLEAR-TEXT> – password, a string of 8 to 32 characters from the set [0-9a-fA-F];

<HASH_SHA512> – password hash computed with the sha512 algorithm, a string of 110 characters.

Required privilege level

15

Command mode

CONFIG-USER

CHANGE-EXPIRED-PASSWORD

Example:
esr(config-user)# password test

port

The command specifies a port number to exchange data with a remote server.

The use of a negative form (no) of the command sets the default value.

Syntax
port <PORT>
no port
Parameters

<PORT> – number of TCP/UDP port to exchange data with a remote server, takes values of [1..65535].

Default value

49 for TACACS server

389 for LDAP server

Not set for DAS server

Required privilege level

15

Command mode

CONFIG-TACACS-SERVER

CONFIG-LDAP-SERVER

CONFIG-DAS-SERVER

Example:
esr(config-tacacs-server)# port 4444

priority

The command sets the priority of a remote server. The lower the value, the higher the server's priority.

The use of a negative form (no) of the command sets the default value.

Syntax
priority <PRIORITY>
no priority
Parameters

<PRIORITY> – remote server priority, takes values in the range of [1..65535].

Default value

1

Required privilege level

15

Command mode

CONFIG-TACACS-SERVER

CONFIG-RADIUS-SERVER

CONFIG-LDAP-SERVER

Example:
esr(config-tacacs-server)# priority 5

privilege

The command sets the user privilege level. The set of commands available to a user depends on the privilege level. Users with privilege levels 1 to 9 can only view information. Users with privilege levels 10 to 15 have access to most configuration commands. Users with privilege level 15 have access to the full set of commands. The privilege level required by a command can be changed with the privilege command of CONFIG mode, described below.

The use of a negative form (no) of the command sets the default privilege level.

Assignment of the initial privilege level to users is as follows:

  • for users from the local database, the privilege level is assigned by this command;
  • for users authorized via RADIUS, the privilege level is taken from the cisco-avpair = "shell:priv-lvl=<PRIV>" attribute;
  • for users authorized via TACACS, the privilege level is taken from the priv-lvl=<PRIV> attribute;
  • for users authorized via LDAP, the privilege level is taken from the attribute specified by the command described in Section ldap-server privilege-level-attribute (priv-lvl by default).

If the attribute is not received during authentication via TACACS/RADIUS/LDAP, or it contains an invalid value, the user is assigned the privileges of the 'remote' user (1 by default). The privilege level of the 'remote' user can be changed in the same way as for any other user from the local database, by this command.

Syntax
privilege <PRIV>
no privilege
Parameters

<PRIV> – required privilege level, takes value in the range of [1..15].

Default value

1

Required privilege level

15

Command mode

CONFIG-USER

Example:
esr(config-user)# privilege 15

privilege

The command sets the minimum privilege level required to execute commands from a specified command subtree.

The use of a negative form (no) of the command sets the default privilege level.

Syntax
privilege <COMMAND-MODE> level <PRIV> <COMMAND>
no privilege <COMMAND-MODE> <COMMAND>
Parameters

<COMMAND-MODE> – command mode, the description of modes is given in Table 3;

<PRIV> – required privilege level, takes value in the range of [1..15];

<COMMAND> – command subtree, set by the string of up to 255 characters.

Required privilege level

15

Command mode

CONFIG

Example:

Set the required privilege level 2 for the 'show' command subtree of the root command mode, and privilege level 1 for the 'show interfaces' subtree.

esr(config)# privilege root level 2 "show"
esr(config)# privilege root level 1 "show interfaces"

radius-server dscp

The command sets the DSCP code value for the use in IP headers of RADIUS server outgoing packets.

The use of a negative form (no) of the command sets the default DSCP value.

Syntax
radius-server dscp <DSCP>
no radius-server dscp
Parameters

<DSCP> – DSCP code value, takes values in the range of [0..63].

Default value

63

Required privilege level

10

Command mode

CONFIG

Example:
esr(config)# radius-server dscp 40

radius-server host

The command is used to add RADIUS server to the list of servers in use and to switch to RADIUS SERVER command mode.

The use of a negative form (no) of the command removes a specified RADIUS server.

Syntax
[no] radius-server host { <ADDR> | <IPV6-ADDR> } [ vrf <VRF> ]
Parameters

<VRF> – VRF instance name, set by the string of up to 31 characters.

<ADDR> – RADIUS server IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255];

<IPV6-ADDR> – RADIUS server IPv6 address, defined as X:X:X:X::X where each part takes values in hexadecimal format [0..FFFF].

Required privilege level

15

Command mode

CONFIG

Example:
esr(config)# radius-server host 10.100.100.1
esr(config-radius-server)#

radius-server host

The command is used to add RADIUS server to RADIUS server profile.

The use of a negative form (no) of the command removes a specified RADIUS server from the profile.

Syntax
[no] radius-server host { <ADDR> | <IPV6-ADDR> } [ vrf <VRF> ]
Parameters

<VRF> – VRF instance name, set by the string of up to 31 characters.

<ADDR> – RADIUS server IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255];

<IPV6-ADDR> – RADIUS server IPv6 address, defined as X:X:X:X::X where each part takes values in hexadecimal format [0..FFFF].

Required privilege level

15

Command mode

CONFIG-RADIUS-SERVER-PROFILE

Example:
esr(config-aaa-radius-profile)# radius-server host 10.100.100.1

radius-server retransmit

The command sets the number of repeated requests sent to the last active RADIUS server before requests are sent to the next RADIUS server in the list.

The use of a negative form (no) of the command sets the default value.

Syntax
radius-server retransmit <COUNT>
no radius-server retransmit
Parameters

<COUNT> – amount of iterative requests to RADIUS server, takes values of [1..10].

Default value

1

Required privilege level

15

Command mode

CONFIG

Example:
esr(config)# radius-server retransmit 5

radius-server timeout

The command sets the interval after which the device considers RADIUS server as unavailable.

The use of a negative form (no) of the command sets the default value.

Syntax
radius-server timeout <SEC>
no radius-server timeout
Parameters

<SEC> – time interval in seconds, takes values of [1..30].

Default value

3 seconds

Required privilege level

10

Command mode

CONFIG

Example:
esr(config)# radius-server timeout 5

retransmit

The command sets the number of repeated requests sent to this RADIUS server before requests are sent to the next RADIUS server in the list.

The use of a negative form (no) of the command sets the default value.

Syntax
retransmit <COUNT>
no retransmit
Parameters

<COUNT> – amount of iterative requests to RADIUS server, takes values of [1..10].

Default value

Not set; the global value described in Section radius-server retransmit is used.

Required privilege level

15

Command mode

CONFIG-RADIUS-SERVER

Example:
esr(config-radius-server)# retransmit 5
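The RADIUS server, profile and dynamic authorization commands on this page fit together as follows. The fragment below is an added configuration example assembled from those commands; it is not taken from the vendor's manual. It assumes a management VRF named mgmt and an object-group named pcrf (the commands that create them are not on this page), placeholder server addresses and keys, and that exit returns from a sub-mode to CONFIG. Lines starting with ! are annotations, not CLI input.

```text
! Global retry policy, then two servers; the lower priority value is
! preferred. The second server overrides the global retransmit count.
esr(config)# radius-server timeout 5
esr(config)# radius-server retransmit 2
esr(config)# radius-server host 10.100.100.1 vrf mgmt
esr(config-radius-server)# key ascii-text 4a7d1e9f3b6c0852
esr(config-radius-server)# auth-port 1812
esr(config-radius-server)# acct-port 1813
esr(config-radius-server)# priority 1
esr(config-radius-server)# dead-interval 120
esr(config-radius-server)# exit
esr(config)# radius-server host 10.100.100.2 vrf mgmt
esr(config-radius-server)# key ascii-text 9e2b6c4d1f8a3075
esr(config-radius-server)# priority 2
esr(config-radius-server)# retransmit 3
esr(config-radius-server)# exit
esr(config)# aaa authentication login login-radius radius local
esr(config)# aaa accounting login start-stop radius

! A named profile grouping the same servers.
esr(config)# aaa radius-profile rad-main
esr(config-aaa-radius-profile)# radius-server host 10.100.100.1 vrf mgmt
esr(config-aaa-radius-profile)# radius-server host 10.100.100.2 vrf mgmt
esr(config-aaa-radius-profile)# exit

! Dynamic authorization: answer RADIUS CoA only from the addresses in the
! object-group 'pcrf', on an explicitly set UDP port, with its own key.
esr(config)# das-server main
esr(config-das-server)# clients object-group pcrf
esr(config-das-server)# key ascii-text 0d5f8a3c7e1b6492
esr(config-das-server)# port 3799
esr(config-das-server)# exit
esr(config)# aaa das-profile das-main
esr(config-aaa-das-profile)# das-server main
esr(config-aaa-das-profile)# description "CoA from PCRF"
```

Three points follow from the parameter descriptions above. The page gives no default port for a DAS server, so the port must be set explicitly; 3799 is the UDP port assigned to RADIUS CoA and Disconnect messages in RFC 5176, but any value in [1..65535] is accepted. The clients object-group and the key are the only controls that decide which hosts may change or terminate a user's session, so the object-group should list exactly the authorization clients and nothing broader. Finally, the RADIUS key is limited to [8..16] ASCII characters and RADIUS itself adds no transport encryption, so confining the exchange to the management VRF is part of the configuration rather than an afterthought.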

security passwords default-expired

The command enables the forced change of the default password for the admin user: the default password is treated as expired, and at login the user is switched to the mode of forced password change.

The use of a negative form (no) of the command disables the forced change of the default password.

Syntax
[no] security passwords default-expired
Parameters

The command does not contain parameters

Default value

Password reset request is disabled by default.

Required privilege level

15

Command mode

CONFIG

Example:
esr(config)# security passwords default-expired

security passwords history

The command prohibits the reuse of previously set local user passwords. The number of previous passwords kept in the router's memory is specified as a parameter.

The use of a negative form (no) of the command sets the default value.

Syntax
security passwords history <COUNT>
no security passwords history
Parameters

<COUNT> – amount of passwords kept in the router’s memory [0..15]. When reducing this value, the extra older passwords are deleted.

Default value

1

Required privilege level

15

Command mode

CONFIG

Example:
esr(config)# security passwords history 5

security passwords lifetime

The command sets the lifetime of local user passwords. When a user with an expired password attempts to connect, the user is switched to the mode of forced password change.

The use of a negative form (no) of the command sets the default value.

Syntax
security passwords lifetime <TIME>
no security passwords lifetime
Parameters

<TIME> – password lifetime in days, takes values of [1..365].

Default value

The lifetime of local user password is unlimited.

Required privilege level

15

Command mode

CONFIG

Example:
esr(config)# security passwords lifetime 30

security passwords lower-case

The command sets the minimum number of lower-case letters in the local user password, ENABLE password, SNMPv3 user name and SNMPv1/SNMPv2 community.

The use of a negative form (no) of the command sets the default value.

Syntax
security passwords lower-case <COUNT>
no security passwords lower-case
Parameters

<COUNT> – minimum number of lower-case letters in the local user password, ENABLE password, SNMPv3 user name and SNMPv1/SNMPv2 community [0..32].

Default value

0

Required privilege level

15

Command mode

CONFIG

Example:
esr(config)# security passwords lower-case 2

security passwords max-length

This command sets a limit on the maximum length of the local user password and the ENABLE password.

The use of a negative form (no) of the command sets the default value.

Syntax
security passwords max-length <NUM>
no security passwords max-length
Parameters

<NUM> – maximum number of characters in the password, set in the range of [8..32].

Default value

128

Required privilege level

15

Command mode

CONFIG

Example:
esr(config)# security passwords max-length 30

security passwords min-length

This command sets a limit on the minimum length of the local user password and the ENABLE password.

The use of a negative form (no) of the command sets the default value.

Syntax
security passwords min-length <NUM>
no security passwords min-length
Parameters

<NUM> – minimum number of characters in the password, set in the range of [8..32].

Default value

8

Required privilege level

15

Command mode

CONFIG

Example:
esr(config)# security passwords min-length 10

security passwords numeric-count

The command sets the minimum number of digits in the local user password, ENABLE password, SNMPv3 user name and SNMPv1/SNMPv2 community.

The use of a negative form (no) of the command sets the default value.

Syntax
security passwords numeric-count <COUNT>
no security passwords numeric-count
Parameters

<COUNT> – minimum number of digits in the local user password, ENABLE password, SNMPv3 user name and SNMPv1/SNMPv2 community [0..32].

Default value

0

Required privilege level

15

Command mode

CONFIG

Example:
esr(config)# security passwords numeric-count 2

security passwords special-case

The command sets the minimum number of special characters in the local user password, ENABLE password, SNMPv3 user name and SNMPv1/SNMPv2 community.

The use of a negative form (no) of the command sets the default value.

Syntax
security passwords special-case <COUNT>
no security passwords special-case
Parameters

<COUNT> – minimum number of special characters in the local user password, ENABLE password, SNMPv3 user name and SNMPv1/SNMPv2 community [0..32].

Default value

0

Required privilege level

15

Command mode

CONFIG

Example:
esr(config)# security passwords special-case 2

security passwords symbol-types

The command sets the minimum number of special characters in the local user password, ENABLE password, SNMPv3 user name and SNMPv1/SNMPv2 community.

The use of a negative form (no) of the command sets the default value.

Syntax
security passwords symbol-types <COUNT>
no security passwords symbol-types
Parameters

<COUNT> – minimum number of special characters in the local user password, ENABLE password, SNMPv3 user name and SNMPv1/SNMPv2 community [1..4].

Default value

1

Required privilege level

15

Command mode

CONFIG

Example:
esr(config)# security passwords symbol-types 2

security passwords upper-case

The command sets the minimum number of upper-case letters in the local user password, ENABLE password, SNMPv3 user name and SNMPv1/SNMPv2c community.

The use of a negative form (no) of the command sets the default value.

Syntax
security passwords upper-case <COUNT>
no security passwords upper-case
Parameters

<COUNT> – minimum number of upper-case letters in the local user password, ENABLE password, SNMPv3 user name and SNMPv1/SNMPv2 community [0..32].

Default value

0

Required privilege level

15

Command mode

CONFIG

Example:
esr(config)# security passwords upper-case 2

security snmp-community max-length

This command sets a limit on the maximum length of the SNMPv1/SNMPv2 community string.

The use of a negative form (no) of the command sets the default value.

Syntax
security snmp-community max-length <NUM>
no security snmp-community max-length
Parameters

<NUM> – maximum number of characters in the community string, set in the range of [1..128].

Default value

128

Required privilege level

15

Command mode

CONFIG

Example:
esr(config)# security snmp-community max-length 30

security snmp-community min-length

This command sets a limit on the minimum length of the SNMPv1/SNMPv2 community string.

The use of a negative form (no) of the command sets the default value.

Syntax
security snmp-community min-length <NUM>
no security snmp-community min-length
Parameters

<NUM> – minimum number of characters in the community string, set in the range of [1..128].

Default value

1

Required privilege level

15

Command mode

CONFIG

Example:
esr(config)# security snmp-community min-length 10
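
The security passwords and security snmp-community commands above together define a complexity policy, but the device only reports a violation at the moment a password or community is set. The following Python script is an added example, not code from the ESR manual or its vendor: it reads those commands from a configuration fragment and checks candidate secrets offline, so an operator can test a new local user password or SNMP community before pushing it. The character classes (ASCII letters, digits, punctuation) are an assumption about what the device counts, and symbol-types is interpreted as the number of distinct character classes that must be present, an assumption drawn from its [1..4] range rather than from the page's text. The sample configuration and candidates are constructed.

```python
"""Check candidate secrets against an ESR-style 'security passwords' policy.

Added example, not code from the ESR manual or its vendor. It models the
complexity commands above as an offline check an operator can run before
pushing a new local user password or SNMP community string to the device.
"""
import string
from dataclasses import dataclass, replace

# CLI keyword after "security passwords" -> PasswordPolicy field.
_PASSWORD_KEYS = {
    "min-length": "min_length",
    "max-length": "max_length",
    "lower-case": "lower_case",
    "upper-case": "upper_case",
    "numeric-count": "numeric_count",
    "special-case": "special_case",
    "symbol-types": "symbol_types",
}
# CLI keyword after "security snmp-community" -> PasswordPolicy field.
_COMMUNITY_KEYS = {
    "min-length": "community_min_length",
    "max-length": "community_max_length",
}


@dataclass(frozen=True)
class PasswordPolicy:
    """Defaults follow the 'Default value' entries of the commands above."""
    min_length: int = 8
    max_length: int = 128
    lower_case: int = 0
    upper_case: int = 0
    numeric_count: int = 0
    special_case: int = 0
    symbol_types: int = 1
    community_min_length: int = 1
    community_max_length: int = 128


def policy_from_config(config_text: str) -> PasswordPolicy:
    """Build a policy from 'security passwords ...' and 'security snmp-community ...' lines.

    Other lines are ignored, so a whole running-config dump can be passed in.
    """
    policy = PasswordPolicy()
    tables = {"passwords": _PASSWORD_KEYS, "snmp-community": _COMMUNITY_KEYS}
    for raw in config_text.splitlines():
        parts = raw.split()
        if len(parts) != 4 or parts[0] != "security":
            continue
        table = tables.get(parts[1], {})
        if parts[2] in table and parts[3].isdigit():
            policy = replace(policy, **{table[parts[2]]: int(parts[3])})
    return policy


def _class_counts(secret: str) -> dict:
    # ASSUMPTION: ASCII letter, digit and punctuation classes; the manual does
    # not say which characters the device counts as "special".
    return {
        "lower-case": sum(c in string.ascii_lowercase for c in secret),
        "upper-case": sum(c in string.ascii_uppercase for c in secret),
        "numeric-count": sum(c in string.digits for c in secret),
        "special-case": sum(c in string.punctuation for c in secret),
    }


def check_password(secret: str, policy: PasswordPolicy) -> list:
    """Return the names of violated rules; an empty list means the secret complies."""
    violations = []
    if len(secret) < policy.min_length:
        violations.append("min-length")
    if len(secret) > policy.max_length:
        violations.append("max-length")
    counts = _class_counts(secret)
    minimums = {
        "lower-case": policy.lower_case,
        "upper-case": policy.upper_case,
        "numeric-count": policy.numeric_count,
        "special-case": policy.special_case,
    }
    violations += [rule for rule, need in minimums.items() if counts[rule] < need]
    # ASSUMPTION: symbol-types is read as the number of distinct character classes
    # that must appear; the command's [1..4] range matches the four classes above.
    if sum(1 for n in counts.values() if n > 0) < policy.symbol_types:
        violations.append("symbol-types")
    return violations


def check_community(community: str, policy: PasswordPolicy) -> list:
    """Length rules for SNMPv1/v2 community strings."""
    violations = []
    if len(community) < policy.community_min_length:
        violations.append("snmp-community min-length")
    if len(community) > policy.community_max_length:
        violations.append("snmp-community max-length")
    return violations


# Constructed sample configuration fragment (not captured from a real device).
SAMPLE_CONFIG = """\
hostname esr-lab
security passwords min-length 10
security passwords upper-case 2
security passwords numeric-count 2
security passwords special-case 1
security passwords symbol-types 3
security snmp-community min-length 10
security snmp-community max-length 30
"""

if __name__ == "__main__":
    policy = policy_from_config(SAMPLE_CONFIG)
    for candidate in ("Passw0rd", "Lab-Router-2024", "admin"):
        print(f"{candidate!r}: {check_password(candidate, policy) or 'OK'}")
    print(f"community 'public': {check_community('public', policy) or 'OK'}")
```

Running the script reports every rule a candidate fails rather than stopping at the first one, which is what an operator needs when deciding how to amend a proposed secret; passing a full running-config dump to policy_from_config is safe because lines that are not security passwords or security snmp-community commands are skipped.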

show aaa accounting

The command displays configured accounting parameters.

Syntax
show aaa accounting
Parameters

The command does not contain parameters.

Required privilege level

10

Command mode

ROOT

Example:
esr# show aaa accounting
Login :          radius
Commands :       tacacs

show aaa authentication

The command displays the user authentication method lists, as well as the active list for each terminal type.

Syntax
show aaa authentication
Parameters

The command does not contain parameters.

Required privilege level

10

Command mode

ROOT

Example:
esr# show aaa authentication
   Login Authentication Method Lists
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
List               Methods
----------------   --------------------------------
default            local
   Enable Authentication Method Lists
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
List               Methods
----------------   --------------------------------
default            enable
   Lines configuration
   ~~~~~~~~~~~~~~~~~~~
Line        Login method list                  Enable method list
---------   --------------------------------   --------------------------------
console     default                            default
telnet      default                            default
ssh         default                            default

show aaa ldap-servers

The command displays LDAP server parameters.

Syntax
show aaa ldap-servers
Parameters

The command does not contain parameters.

Required privilege level

15

Command mode

ROOT

Example:
esr# show aaa ldap-servers
Base DN:                      dc=example,dc=com
Root DN:                      cn=admin,dc=example,dc=com
Root password:                CDE65039E5591FA3
Naming attribute:             uid
Privilege level attribute:    priv-lvl
User object class:            posixAccount
DSCP:                         63
Bind timeout:                 3
Search timeout:               0
Search scope:                 subtree
IP Address                         Port           Priority
--------------------------------   ------------   ------------
10.100.100.1                       389            1

show aaa radius-servers

The command displays RADIUS server parameters.

Syntax
show aaa radius-servers
Parameters

The command does not contain parameters.

Required privilege level

15

Command mode

ROOT

Example:
esr# show aaa radius-servers
Timeout:     3
Retransmit:  1
DSCP:        63
IP Addres        Timeout      Priority     Usage        Key
------------    ----------   ----------   ----------   ---------------------------
2.2.2.2             --           1            all          9DA7076CA30B5FFE0DC9C4
2.4.4.4             --           1            all          9DA7076BA30B4EFCE5

show aaa tacacs-servers

The command displays TACACS server parameters.

Syntax
show aaa tacacs-servers
Parameters

The command does not contain parameters.

Required privilege level

15

Command mode

ROOT

Example:
esr# show aaa tacacs-servers
Timeout :       3
DSCP:          63
IP Address               Port           Priority       Key
----------------------   ------------   ------------   --------------------------------
10.100.100.1             49             1              CDE65039E5591FA3
10.100.100.5             49             10             CDE65039E5591FA3

show users

The command displays the active sessions of system users.

Syntax
show users
Parameters

The command does not contain parameters.

Required privilege level

1

Command mode

ROOT

Example:
esr# show users
User name         Logged in at        Host             Timers Login/Priv   level
--------------    -----------------   --------------   -----------------   -----
admin             13/02/15 01:14:25   Console          00:29:57/00:00:00   15
1 user sessions.

show users accounts

The command displays the configuration of system users.

Syntax
show users accounts
Parameters

The command does not contain parameters.

Required privilege level

10

Command mode

ROOT

Example:
esr# show user accounts
Name                               Password                           Privilege
--------------------------------   --------------------------------   ---------
admin                              $6$1sxrvGaV8Za8oX/K$YNel5xYPZ4cj   15
                                   bemYWYNpQBQKDxWE9v0aoKgQ
                                   kRCEb0EMNuusO9Kmg7UBs7nA3buEM87e
                                   Eu.rA6tZq0
techsupport                        $6$YfwntIwU$ah7UxPZTemKhjpSWvVsV   15
                                   9jHcp. 9lweQaSldw7ZtUr
                                   uH66uZx9.EBASff//hUj8ObUaC484TNR
                                   x.
remote                             $6$YfwntIwU$ah7UxPZTemKhjpSWvVsV   1
                                   9jHcp.kqFAK.vmvyY9lweQaSldw7ZtUr
                                   uH66uZx9.EBASff//hUj8ObUaC484TNR
                                   x.
operator                           $6$eILpbbyRxedCzvVD$4RHP08mjXvNf   1
                                   urX7V/ULCZ1oHIWMwE6h5f
                                   zgwZQUZcPoZCEyaqQQqCicRMRuPwhxrQ
                                   bvGChWreW1

show users blocked

The command displays the list of users for whom an incorrect password has been entered. A user is removed from the list after entering the correct password during authentication.

Syntax
show users blocked [ <NAME> ]
Parameters

<NAME> – name of the user for whom the statistics on incorrect authentication attempts are shown, set by a string of up to 31 characters.

If no user name is specified, the whole table of incorrect authentication attempts is shown.

Required privilege level

1

Command mode

ROOT

Example:
esr# show users blocked
User name              Failures   Latest failure      From
--------------------   --------   -----------------   ----------------
tester                 4          10/09/17 08:29:42   0.0.0.0
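
The table above is what an operator sees interactively; for monitoring, the same rows are worth collecting and comparing against the configured lockout threshold, because a single source address accumulating failures across several accounts is the pattern to alert on. The following Python script is an added example, not code from the ESR manual or its vendor: it parses the fixed-width output of show users blocked, lists users at or near a lockout threshold, and totals failures per source address. The threshold value, the parsing regex and all rows except the manual's tester row are constructed; the DD/MM/YY date order is taken from the sample outputs on this page.

```python
"""Parse 'show users blocked' output and flag accounts close to lockout.

Added example, not code from the ESR manual or its vendor. It turns the
fixed-width table shown above into records that can be compared against
the site's lockout threshold or aggregated per source address.
"""
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime

# Data row: user, failure count, DD/MM/YY HH:MM:SS stamp, source address.
# Header, separator and prompt lines do not match because they lack the count/stamp.
_ROW = re.compile(
    r"^(\S+)\s+(\d+)\s+(\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\s+(\S+)$"
)


@dataclass(frozen=True)
class BlockedEntry:
    user: str
    failures: int
    latest_failure: datetime
    source: str


def parse_show_users_blocked(output: str) -> list:
    """Return one BlockedEntry per data row of the command output."""
    entries = []
    for line in output.splitlines():
        m = _ROW.match(line.strip())
        if not m:
            continue
        user, failures, stamp, source = m.groups()
        # The sample outputs in the manual use a DD/MM/YY date order.
        when = datetime.strptime(stamp, "%d/%m/%y %H:%M:%S")
        entries.append(BlockedEntry(user, int(failures), when, source))
    return entries


def near_lockout(entries, max_fail: int, margin: int = 1) -> list:
    """Users whose failure count is within `margin` of max_fail, or already past it."""
    return [e.user for e in entries if e.failures >= max_fail - margin]


def failures_by_source(entries) -> dict:
    """Total failed attempts per source address across all listed accounts."""
    totals = Counter()
    for e in entries:
        totals[e.source] += e.failures
    return dict(totals)


# Constructed sample: the tester row is the manual's example, the other rows are made up.
SAMPLE_OUTPUT = """\
esr# show users blocked
User name              Failures   Latest failure      From
--------------------   --------   -----------------   ----------------
tester                 4          10/09/17 08:29:42   0.0.0.0
operator               1          10/09/17 08:31:10   192.0.2.44
admin                  7          10/09/17 08:35:02   192.0.2.44
"""

if __name__ == "__main__":
    rows = parse_show_users_blocked(SAMPLE_OUTPUT)
    # max_fail here is a constructed threshold, not a value read from the device.
    print("near/over lockout:", near_lockout(rows, max_fail=5))
    print("failures per source:", failures_by_source(rows))
```

The parser keys on the shape of a data row (a count and a timestamp in the middle) rather than on column offsets, so a longer user name or source address still parses; anything that does not look like a data row, including the prompt and the header, is skipped.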

source-address

The command specifies the router IPv4/IPv6 address to be used as the source address in packets sent to the AAA server being configured.

The use of a negative form (no) of the command removes the specified source IPv4/IPv6 address.

Syntax
source-address { <ADDR> | <IPV6-ADDR> }
no source-address
Parameters

<ADDR> – source IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255];

<IPV6-ADDR> – source IPv6 address, defined as X:X:X:X::X where each part takes values in hexadecimal format [0..FFFF].

Required privilege level

15

Command mode

CONFIG-RADIUS-SERVER

CONFIG-TACACS-SERVER

CONFIG-LDAP-SERVER

Example:
esr(config-radius-server)# source-address 220::71

source-interface

The command specifies the router interface or tunnel whose IPv4/IPv6 address is to be used as the source address in packets sent to the AAA server being configured.

The use of a negative form (no) of the command removes the specified interface or tunnel.

Syntax
source-interface { <IF> | <TUN> }
no source-interface
Parameters

<IF> – interface name, specified as described in Section Types and naming order of router interfaces;

<TUN> – tunnel name, specified as described in Section Types and naming order of router tunnels.

Required privilege level

15

Command mode

CONFIG-RADIUS-SERVER

Example:
esr(config-radius-server)# source-interface gigabitethernet 1/0/1

system configuration-exclusively

This command limits the number of simultaneous CLI sessions to one.

The use of a negative form (no) of the command sets the default value.

Syntax
[no] system configuration-exclusively
Parameters

The command does not contain parameters.

Default value

Disabled.

Required privilege level

15

Command mode

CONFIG

Example:
esr(config)# system configuration-exclusively

tacacs-server dscp

The command sets the DSCP value used in the IP headers of packets sent to TACACS servers.

The use of a negative form (no) of the command sets the default DSCP value.

Syntax
tacacs-server dscp <DSCP>
no tacacs-server dscp
Parameters

<DSCP> – DSCP code value, takes values in the range of [0..63].

Default value

63

Required privilege level

10

Command mode

CONFIG

Example:
esr(config)# tacacs-server dscp 40

tacacs-server host

The command adds a TACACS server to the list of servers in use and switches to TACACS SERVER command mode.

The use of a negative form (no) of the command removes the specified TACACS server.

Syntax
[no] tacacs-server host { <ADDR> | <IPV6-ADDR> } [ vrf <VRF> ]
Parameters

<VRF> – VRF instance name, set by a string of up to 31 characters.

<ADDR> – TACACS server IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255].

<IPV6-ADDR> – TACACS server IPv6 address, defined as X:X:X:X::X where each part takes values in hexadecimal format [0..FFFF].

Required privilege level

15

Command mode

CONFIG

Example:
esr(config)# tacacs-server host 10.100.100.1
esr(config-tacacs-server)#

tacacs-server timeout

The command sets the interval after which the device considers the TACACS server unavailable.

The use of a negative form (no) of the command sets the default value.

Syntax
tacacs-server timeout <SEC>
no tacacs-server timeout
Parameters

<SEC> – time interval in seconds, takes values of [1..30].

Default value

3 seconds.

Required privilege level

10

Command mode

CONFIG

Example:
esr(config)# tacacs-server timeout 5

tech-support login enable

The command enables low-level remote access to the system using the 'techsupport' user. Low-level access gives technical support all the information it requires when this is necessary.

The use of a negative form (no) of the command disables low-level remote access to the system using the 'techsupport' user.

Syntax
[no] tech-support login enable
Parameters

The command does not contain parameters.

Required privilege level

15

Command mode

CONFIG

Example:
esr(config)# tech-support login enable

timeout

The command sets the interval after which the device considers the RADIUS server unavailable.

The use of a negative form (no) of the command sets the default value.

Syntax
timeout <SEC>
no timeout
Parameters

<SEC> – time interval in seconds, takes values of [1..30].

Default value

Not specified; the global value set by the radius-server timeout command is used.

Required privilege level

10

Command mode

CONFIG-RADIUS-SERVER

Example:
esr(config-radius-server)# timeout 7

usage

The command specifies the connection types for which the RADIUS server will be used.

The use of a negative form (no) of the command sets the default value.

Syntax
usage { all | aaa | auth | acct | pptp | l2tp }
no usage
Parameters

all – all connection types;

aaa – the RADIUS server will be used for authentication, authorization and accounting of telnet, ssh and console sessions;

auth – the RADIUS server will be used for authentication and authorization of telnet, ssh and console sessions;

acct – the RADIUS server will be used for accounting of telnet, ssh and console sessions;

pptp – the RADIUS server will be used for authentication, authorization and accounting of remote users connected via PPTP;

l2tp – the RADIUS server will be used for authentication, authorization and accounting of remote users connected via L2TP over IPsec.

Default value

all

Required privilege level

15

Command mode

CONFIG-RADIUS-SERVER

Example:
esr(config-radius-server)# usage pptp

username

The command adds a user to the local user database and switches to user parameter configuration mode.

The use of a negative form (no) of the command removes a user from the system.

Syntax
[no] username <NAME>
Parameters

<NAME> – user name, set by a string of up to 31 characters. When the command is used in its negative form, specifying the value 'all' removes all users.

Required privilege level

15

Command mode

CONFIG

Example:
esr(config)# username test
esr(config-user)#