Local password authentication

The following types of built-in local user accounts can be created to provide different levels of access to the switch.

  • Manager – full access (default)

    • Ability to make configuration changes.

    • All “enable” command contexts.

    • Read and write access.

  • Operator – limited access

    • Status and counters, event-log, and show commands.

    • All “login” command contexts.

    • Read-only access.

Local usernames and passwords are configured on a per-switch basis and provide the most basic form of authentication. The switch allows you to configure manager and operator passwords, as well as an optional username for each. The switch must be configured to require passwords for both user levels (Manager and Operator) to provide even minimal identification of authorized users. Otherwise, if the switch is left with default settings, all management functions are available to any connected user, authorized or not. Local authentication is often used as the secondary login method to provide a minimum level of security should the primary method fail.

To configure a local manager-level user named admin with a cleartext password:

switch(config)# password manager user-name admin plaintext adminpw123!

To create an operator-level user using the default username operator:

switch(config)# password operator plaintext operatorpw321!

If no custom username is provided, operator and manager usernames default to operator and manager, respectively.

Passwords can also be entered as an SHA-256 (recommended) or SHA-1 hash string, rather than being entered directly. This requires the user to pass their desired password through a hash generator, then use the resulting 40-character (for SHA-1) or 64-character (for SHA-256) string as the input to the password command on the switch, as in the following example:

switch(config)# password manager user-name localadmin sha256 95d30169a59c418b52013315fc81bc99fdf0a7b03a116f346ab628496f349ed5
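As an added illustration of the hash-generator step (not part of the original documentation), the following Python helper produces the digest, checks that a pasted hash is the 40- or 64-character lowercase hex string the `sha1`/`sha256` keyword expects, and assembles the command line. It assumes the switch wants the plain, unsalted hex digest of the UTF-8 password in lowercase, as the example on the page shows; the function and constant names are the author's own.

```python
"""Generate and validate hash strings for the switch 'password ... sha1|sha256' form."""
import hashlib
import re

# Digest lengths the password command accepts for each keyword (40 for SHA-1, 64 for SHA-256).
EXPECTED_HEX_LEN = {"sha1": 40, "sha256": 64}


def hash_password(password: str, algorithm: str = "sha256") -> str:
    """Return the hex digest of the password in the form the switch expects.

    Assumption: the switch takes the unsalted, lowercase hex digest of the
    UTF-8 encoded password, matching the example on the page.
    """
    if algorithm not in EXPECTED_HEX_LEN:
        raise ValueError(f"unsupported algorithm: {algorithm}")
    return hashlib.new(algorithm, password.encode("utf-8")).hexdigest()


def validate_hash(digest: str, algorithm: str) -> bool:
    """True if the digest is exactly the right number of lowercase hex characters.

    Catches the usual paste mistakes: wrong algorithm (40 vs 64 chars),
    uppercase hex, stray whitespace, or a truncated string.
    """
    expected = EXPECTED_HEX_LEN.get(algorithm)
    if expected is None:
        return False
    return re.fullmatch(rf"[0-9a-f]{{{expected}}}", digest) is not None


def password_command(level: str, username: str, digest: str,
                     algorithm: str = "sha256") -> str:
    """Build 'password <level> user-name <name> <algorithm> <hash>', refusing bad input."""
    if level not in ("manager", "operator"):
        raise ValueError("level must be 'manager' or 'operator'")
    if not validate_hash(digest, algorithm):
        raise ValueError(
            f"{digest!r} is not a {EXPECTED_HEX_LEN[algorithm]}-character hex {algorithm} digest")
    return f"password {level} user-name {username} {algorithm} {digest}"


if __name__ == "__main__":
    # Constructed sample: hash a password locally, then emit the command to paste into config mode.
    digest = hash_password("adminpw123!", "sha256")
    print(password_command("manager", "localadmin", digest))
```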