The next time a console session starts for either the menu interface or the CLI, a prompt appears requesting a password. Because you protected both the manager and operator levels, the level of access to the console interface is determined by which password is entered in response to the prompt.
If you configure only a manager password (with no operator password), and in a later session the manager password is not entered correctly in response to a prompt from the switch, then the switch does not allow management access for that session. If the switch has a password for both the manager and operator levels, and neither is entered correctly in response to the switch’s password prompt, then the switch does not allow management access for that session.
If you configure only an operator password, entering the operator password enables full manager privileges.
NOTE: When configuring an operator or manager password a message appears indicating that (USB) autorun has been disabled. See Appendix A, “File Transfers”, in the Management and Configuration Guide for your switch for more information on the autorun feature.
If you set a manager password, you can configure an inactivity timer which causes the console session to end after the specified period of inactivity. This provides an additional level of security against unauthorized console access.
NOTE: If the console inactivity-timer expires, it terminates any outbound Telnet or SSH sessions open on the switch.
- Select Set Manager Password or Set operator Password. You are prompted to Enter new password.
- Type a password of up to 64 ASCII characters with no spaces, and press [Enter]. (Remember that passwords are case-sensitive.)
- When prompted to Enter new password again, retype the new password and press [Enter].
If you start a new console session, the switch prompts you to enter the new password. Remember that user names are optional. If you use the CLI to configure an optional user name, the switch prompts you for the user name, and then the password.
This procedure deletes all user names (if configured) and passwords (manager and operator).
Option one
- To clear all password protection when you have physical access to the switch, press and hold the [Clear] button on the front of the switch for a minimum of one second.
- Enter new passwords as described in Setting a new console password.
Option two
To clear all password protection when you do not have physical access to the switch and you have manager-level access, do the following:
If you cannot start a console session at the manager level because of a lost manager password, clear the password by following these steps:
This deletes all passwords and user names (manager and operator) used by the console.
NOTE: The password command has changed. You can now configure manager and operator passwords in one step.
Syntax
[no] password <manager|operator|all|port-access> [user-name ASCII-STR] [<plaintext|sha1> ASCII-STR]
Sets or clears a local user name/password for a given access level.
The command sets or changes existing passwords. If no password is provided in the command, you are prompted to enter the new password twice.
The [no] form of the command removes specific local password protection.
NOTE: The port-access option is available only if include-credentials is enabled.
For the 3800, 5400zl, and 8200zl switches, when the switch is in enhanced secure mode, commands that take a password as a parameter have the echo of the password typing replaced with asterisks. The input for the password is prompted for interactively.
Syntax
Removing password protection means to eliminate password security. This command prompts you to verify that you want to remove one or both passwords, then clears the indicated passwords. (This command also clears the user name associated with a password you are removing.) For example, to remove the operator password (and user name, if assigned) from the switch, you would do the following:
Syntax
[no] password
Executing this command removes password protection from the operator level so anyone able to access the switch console can gain operator access without entering a user name or password.
Syntax
Example
User names and passwords are case-sensitive. ASCII characters in the range of 33-126 are valid, including:
- A through Z uppercase characters
- a through z lower case characters
- 0 through 9 numeric characters
- Special characters ` ~ ! @ # $ % ^ & * ( ) - _ = + [ ] { } \ | ; : ' " , < > / ?.
NOTE: The SPACE character is allowed to form a user name or password pass-phrase. The user name must be in quotes, for example “The little brown fox”. A space is not allowed as part of a user name without the quotes. A password that includes a space or spaces should not have quotes.
To set the minimum password length for manager, operator, and local management privilege user, use the following command.
Syntax
[no] password <manager|operator|port-access|all> [user-name ASCII-STR] [<plaintext|sha1> ASCII-STR] minimum-length num
Sets or clears the local password/user name to access levels of manager, operator, and local management. Configures minimum password length for a given access level equal to or greater than 15 alpha/numeric digits.
Invoked without [no], the command sets or changes the existing passwords. If no password is provided in the command, the user is prompted to enter the new password twice. The [no] form of the command removes specific local password protection. The option password minimum-length configures the minimum password length applicable to the manager, operator or local management. The range available for password length is 15–64.
NOTE: “Port-access” is available only if “include-credentials” is enabled.
Usernames and passwords can be set using the CLI command setmib. They cannot be set using SNMP.
- Quotes are permitted for enclosing other characters, for example, a user name or password of abcd can be enclosed in quotes “abcd” without the quotes becoming part of the user name or password itself. Quotes can also be inserted between other characters of a user name or password, for example, ab”cd. A pair of quotes enclosing characters followed by any additional characters is invalid, for example, “abc”d.
- Spaces are allowed in user names and passwords. The user name or password must be enclosed in quotes, for example, “one two three”. A blank space or spaces between quotes is allowed, for example, “ ”.
Some authentication servers prevent the use of special symbols such as the backslash (\) and quotes (“”). The switch allows the use of these symbols in configurable credentials, but using them can limit access for some users who may use different client software. See the vendor’s documentation for specific information about these restrictions.
When you update software from a version that does not support long passwords to a version that supports long passwords, the existing user names and passwords continue to be there and no further action is required.
Before downgrading to a software version that does not include this feature, use one of the following procedures:
- Reset the user name and/or password to be no more than 16 characters in length, without using any special characters, using the CLI command password.
- Execute the CLI command [no] password all. This clears all the passwords.
- Clear the password by using the [Clear] button on the switch.
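
The following Python sketch is an added example, not part of the vendor documentation. It encodes the credential rules stated above (the quoting rules, the 64-character and minimum-length limits, and the pre-downgrade check) so a set of credentials can be audited before a change. The function names are hypothetical; treating an embedded quote as a literal character, rejecting an unterminated leading quote, and treating every non-alphanumeric character as "special" for the downgrade check are assumptions.

```python
import string

MAX_LEN = 64                       # page: "up to 64 ASCII characters"
MIN_LENGTH_RANGE = range(15, 65)   # page: minimum-length range is 15-64
LEGACY_MAX_LEN = 16                # page: limit to apply before downgrading
ALNUM = set(string.ascii_letters + string.digits)


def parse_token(token):
    """Return (value, was_quoted) for one CLI token, per the quoting rules."""
    if token.startswith('"'):
        close = token.find('"', 1)
        if close == -1:
            # Assumption: a leading quote with no partner is rejected.
            raise ValueError("unterminated quote")
        if close != len(token) - 1:
            raise ValueError("characters follow the closing quote")  # "abc"d
        return token[1:-1], True   # "abcd" -> abcd, quotes not stored
    return token, False            # ab"cd: assumed to keep the quote literally


def check_credential(token, minimum_length=None):
    """Return a list of rule violations; an empty list means acceptable."""
    if minimum_length is not None and minimum_length not in MIN_LENGTH_RANGE:
        raise ValueError("minimum-length must be in the range 15-64")
    try:
        value, quoted = parse_token(token)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if not value:
        problems.append("empty value")
    if len(value) > MAX_LEN:
        problems.append("longer than 64 characters")
    if minimum_length is not None and len(value) < minimum_length:
        problems.append(f"shorter than minimum-length {minimum_length}")
    if " " in value and not quoted:
        problems.append("space outside quotes")
    # Space (32) is tolerated here because it is checked separately above.
    if any(not 32 <= ord(c) <= 126 for c in value):
        problems.append("character outside ASCII 33-126")
    return problems


def needs_reset_before_downgrade(value):
    """True if the value is over 16 characters or has a non-alphanumeric."""
    return len(value) > LEGACY_MAX_LEN or any(c not in ALNUM for c in value)


if __name__ == "__main__":
    # Constructed sample tokens, taken from the examples in the text above.
    for tok in ['"abcd"', 'ab"cd', '"abc"d', '"one two three"', '" "']:
        print(repr(tok), check_credential(tok) or "ok")
```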