User Management and Password Control

User Groups

A factory-default switch comes with a single user, admin, who is a member of the built-in administrators group. Up to 63 local users can be added, for a total of 64 users including the default admin user. A user can belong to only one group. The switch provides the following built-in user groups with corresponding roles; each role comes with a set of privileges.

  • Administrators: full access (privilege level 15)
    • Perform firmware upgrades
    • Make configuration changes
    • View all switch configuration information, including sensitive data such as ciphertext passwords
    • Add and remove local user accounts, and change user passwords
    • All REST interface methods (GET, PUT, POST, PATCH, DELETE) can be used
  • Operators: limited access (privilege level 1)
    • Display-only CLI access
    • View non-sensitive configuration information
    • Only the REST interface GET method can be used
  • Auditors: limited access (privilege level 19)
    • Access to commands in the “auditor” context only
    • Web UI: “System -> Log Page” view only
    • REST interface GET method available only for the following resources:
      • Audit log: /logs/audit
      • Event log: /logs/event

Apart from the built-in groups, the switch lets you create up to 29 user-defined local user groups for the purpose of configuring local authorization. Local authorization uses role-based access control (RBAC) to provide role-based privilege levels plus optional user-defined local user groups with command execution rules. Each of the 29 user-defined groups supports up to 1024 CLI command authorization rules that define which CLI commands members of the group can execute.

Sample configuration to create a user-defined local user group:

    switch(config)# user-group sample-group
    switch(config-usr-grp-sample-group)# 10 comment Deny all show aaa commands
    switch(config-usr-grp-sample-group)# 10 deny cli command "show aaa .*"
    switch(config-usr-grp-sample-group)# 20 comment Permit all other show commands
    switch(config-usr-grp-sample-group)# 20 permit cli command "show .*"
    switch(config-usr-grp-sample-group)# exit

    6200(config)# show user-group
    GROUP NAME       GROUP TYPE       INCLUDED GROUP       NUMBER OF RULES
    --------------   --------------   ------------------   -------------------
    administrators   built-in         n/a                  n/a
    auditors         built-in         n/a                  n/a
    operators        built-in         n/a                  n/a
    sample-group     configuration    --                   2
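The sample group above relies on rule order: the deny rule for `show aaa` has sequence number 10, so it is checked before the broad permit at 20. The following Python is an added example (not code from the switch or from the vendor) that parses the rule lines of that sample configuration and evaluates a command against them. It assumes, since the page does not state it, that patterns are regular expressions matched against the whole command line, that rules are checked in ascending sequence order with the first match winning, and that a command matching no rule is denied.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Rule lines copied from the sample-group configuration shown on the page
# (the comment, user-group and exit lines are ignored by the parser).
SAMPLE_GROUP_CONFIG = """\
user-group sample-group
    10 comment Deny all show aaa commands
    10 deny cli command "show aaa .*"
    20 comment Permit all other show commands
    20 permit cli command "show .*"
    exit
"""

RULE_LINE = re.compile(r'^\s*(\d+)\s+(permit|deny)\s+cli\s+command\s+"(.*)"\s*$')


@dataclass(frozen=True)
class Rule:
    seq: int        # sequence number; rules are evaluated in ascending order
    action: str     # "permit" or "deny"
    pattern: str    # pattern as written on the switch; assumed to be a regular expression


def parse_rules(config_text: str) -> List[Rule]:
    """Extract the permit/deny rules from a user-group configuration block, sorted by sequence."""
    rules = []
    for line in config_text.splitlines():
        m = RULE_LINE.match(line)
        if m:
            rules.append(Rule(int(m.group(1)), m.group(2), m.group(3)))
    return sorted(rules, key=lambda r: r.seq)


def authorize(command: str, rules: Iterable[Rule]) -> Tuple[str, Optional[int]]:
    """Return (action, sequence number of the matching rule).

    Assumptions (not stated on the page): rules are checked in sequence order,
    the first pattern that matches the whole command line wins, and a command
    that matches no rule is denied (sequence number None).
    """
    for rule in sorted(rules, key=lambda r: r.seq):
        if re.fullmatch(rule.pattern, command.strip()):
            return rule.action, rule.seq
    return "deny", None


if __name__ == "__main__":
    group_rules = parse_rules(SAMPLE_GROUP_CONFIG)
    for cmd in ("show aaa authentication", "show running-config", "show aaa", "configure terminal"):
        print(f"{cmd!r:32} -> {authorize(cmd, group_rules)}")
```

Two points worth checking when reviewing a rule set with this model: a deny written as `"show aaa .*"` requires the space after `aaa`, so the bare command `show aaa` falls through to the permit at 20; and swapping the sequence numbers of the two rules makes the broad permit win for every `show aaa` command.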

Security User Group

Security log commands for showing, clearing, and copying the security logs can be made available to a security user. To have a security user, the admin must create a security user group and add a user to the group. The admin must also grant permission to members of the security user group for the three security log commands. Only users who are members of the security group have permission to execute the security log commands. The admin user who created the security user group does not have permission to use the security log commands:

    switch(config)# user-group security-group
    switch(config-usr-grp-security-group)# permit cli command "show security-logs*"
    switch(config-usr-grp-security-group)# permit cli command "clear security-logs"
    switch(config-usr-grp-security-group)# permit cli command "copy security-log*"
    switch(config-usr-grp-security-group)# exit
    switch(config)# user security-user group security-group password
    Adding user security-user
    Enter password:************
    Confirm password:************

Showing the security logs:

    switch# show security-logs

Copying the security logs:

    switch# copy security-log sftp://user1@99.99.99.99/coredump.xz vrf mgmt

Hardening Password Rules

When managing AOS-CX switches, setting up a secure network is essential, and a crucial factor in security is the selection of a strong password. Passwords are never displayed in plaintext in the CLI or in configuration files; they are encrypted when stored in the config file.

Passwords must:

  • Contain only ASCII characters from decimal 33 to 126 (hexadecimal 21 to 7E); spaces are not allowed.
  • Contain at most 64 characters.

Passwords are portable to a different switch using the default or a customer-configured non-default export key. The password complexity feature helps an organization set a password policy for its administrators.

Password Complexity

The password complexity feature enforces complexity rules when local user account passwords are configured. It is disabled by default. Remember to enable the feature after configuring its rules; until it is enabled, nothing is enforced. Enabling or changing the password complexity settings affects only passwords that are created or changed after the feature is enabled or changed.

Once the password complexity feature is enabled, the following is enforced on new user creation and on password updates:

  • User creation or password update with `ciphertext-password` is not allowed, because the complexity check cannot be performed on a ciphertext password.
  • The following password complexity checks are enforced (shown here with sample values):

    switch(config)# password complexity
    switch(config-pwd-cplx)# minimum-length 9
    switch(config-pwd-cplx)# history-count 4
    switch(config-pwd-cplx)# position-changes 5
    switch(config-pwd-cplx)# enable
    switch(config-pwd-cplx)# exit
    switch# show password-complexity
    Global password complexity checking criteria:
      Password complexity                : Enabled
      Previous passwords to check        : 4
      Minimum password length            : 9
      Minimum position changes           : 5
      Maximum adjacent characters count  : 0
    Password composition
      Minimum lowercase characters       : 1
      Minimum uppercase characters       : 1
      Minimum special characters         : 1
      Minimum numeric characters         : 1
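To make the effect of these settings concrete, here is an added Python checker (not code from the switch or the vendor) that applies the base rules from the Hardening Password Rules section (ASCII 33 to 126, no spaces, at most 64 characters) together with the complexity values shown in the output above. The page does not define how "position changes" or "maximum adjacent characters" are measured, so this example assumes position changes are counted position by position against the most recent password (length differences count as changes), that a maximum adjacent count of 0 means no limit and otherwise caps the longest run of one repeated character, and that the history check compares plaintext, which the switch itself does not store.

```python
import string
from dataclasses import dataclass
from itertools import zip_longest
from typing import List, Sequence


@dataclass
class PasswordPolicy:
    # Defaults mirror the values in the show password-complexity output above.
    minimum_length: int = 9
    history_count: int = 4
    position_changes: int = 5
    max_adjacent: int = 0      # assumption: 0 means no limit on repeated adjacent characters
    min_lower: int = 1
    min_upper: int = 1
    min_special: int = 1
    min_numeric: int = 1

    def check(self, candidate: str, previous: Sequence[str] = ()) -> List[str]:
        """Return the rule violations for a candidate password; an empty list means accepted.

        `previous` is the user's password history, oldest first. Comparing plaintext here
        is an illustration assumption; the switch only keeps ciphertext.
        """
        problems = []

        # Base rules: printable ASCII 33-126 only (so no spaces), at most 64 characters.
        if not candidate or any(not 33 <= ord(c) <= 126 for c in candidate):
            problems.append("must contain only ASCII characters 33-126 (no spaces)")
        if len(candidate) > 64:
            problems.append("must be at most 64 characters")

        # Complexity: minimum length and character composition.
        if len(candidate) < self.minimum_length:
            problems.append(f"must be at least {self.minimum_length} characters")
        counts = {
            "lowercase": sum(c in string.ascii_lowercase for c in candidate),
            "uppercase": sum(c in string.ascii_uppercase for c in candidate),
            "numeric": sum(c in string.digits for c in candidate),
            "special": sum(c in string.punctuation for c in candidate),
        }
        minimums = {"lowercase": self.min_lower, "uppercase": self.min_upper,
                    "numeric": self.min_numeric, "special": self.min_special}
        for kind, minimum in minimums.items():
            if counts[kind] < minimum:
                problems.append(f"needs at least {minimum} {kind} characters")

        # History: the candidate may not equal any of the last history_count passwords.
        recent = list(previous)[-self.history_count:] if self.history_count > 0 else []
        if candidate in recent:
            problems.append(f"reuses one of the previous {self.history_count} passwords")

        # Position changes (assumption): compared position by position with the most
        # recent password, at least position_changes positions must differ.
        if recent:
            changed = sum(a != b for a, b in zip_longest(candidate, recent[-1]))
            if changed < self.position_changes:
                problems.append(f"fewer than {self.position_changes} positions changed from the previous password")

        # Adjacent characters (assumption): cap on the longest run of one repeated character.
        if self.max_adjacent > 0 and longest_run(candidate) > self.max_adjacent:
            problems.append(f"more than {self.max_adjacent} identical adjacent characters")

        return problems


def longest_run(text: str) -> int:
    """Length of the longest run of the same character repeated back to back."""
    best = run = 0
    prev = None
    for c in text:
        run = run + 1 if c == prev else 1
        best = max(best, run)
        prev = c
    return best


if __name__ == "__main__":
    policy = PasswordPolicy()
    # Constructed sample passwords, not real credentials.
    for pw, history in (("Sw1tch!Pass", []), ("password", []), ("Sw1tch!Past", ["Sw1tch!Pass"])):
        print(f"{pw!r:16} -> {policy.check(pw, history) or 'accepted'}")
```

The checker reports every failed rule at once rather than stopping at the first, which is what an operator wants when explaining to a user why a change was rejected; the `position_changes` rule is the one most often misunderstood, since changing only the last character of the previous password fails even though the composition rules pass.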

Non-Default Export Password

The export password is used to transform critical sensitive information into ciphertext suitable for exporting and showing by commands such as show running-config. Transformation enables safe switch configuration import and export. All factory-default switches have identical default export passwords. For security, it is recommended that you set the same non-default export password on every switch in a group that will exchange sensitive configuration information. Only switches with identical export passwords can exchange sensitive configuration information.

    switch# show service export-password
    Export password: default
    switch# config t
    switch(config)# service export-password
    Enter password: ********
    Confirm password: ********
    switch(config)# show service export-password
    Export password: custom

Built-in Admin Account Password Reset

When administrators forget their switch console passwords, they must go through a time-consuming reset process, resulting in lost productivity. If the switch has multiple administrators, it is recommended to reset the password using another administrator account. If the switch has only a single admin user, there are two ways to reset the password:

Reverting the switch to factory defaults

  1. At the manager command prompt, erase the startup configuration:

       switch(config)# erase startup-config

  2. Boot the switch without saving the current configuration:

       switch# boot system
       Do you want to save the current configuration (y/n)? n
       This will reboot the entire switch and render it unavailable until the process is complete.
       Continue (y/n)? y
       The system is going down for reboot.

Resetting the switch admin password using the serviceOS console

Perform this task only when the switch admin user password has been forgotten:

Refer to the “Managing users and groups” section of the Security Guide for your switch model for more information.