Configuring Username and Password Security

Overview

Console access includes both the menu interface and the CLI. There are two levels of console access: manager and operator. For security, you can set a password pair (username and password) on each of these levels.


NOTE: Usernames are optional. Also, in the menu interface, you can configure passwords, but not usernames. To configure usernames, use the CLI or the WebAgent.

Usernames and passwords for manager and operator access can also be configured using SNMP. See Using SNMP to view and configure switch authentication features.

Usernames and passwords for manager and operator access can also be configured using the Management Interface Wizard. See Using the Management Interface wizard.


Level      Actions Permitted

Manager    Access to all console interface areas. This is the default level. That is, if a manager password has not been set prior to starting the current console session, then anyone having access to the console can access any area of the console interface.

Operator   Access to the Status and Counters menu, the Event Log, and the CLI [a], but no Configuration capabilities. On the operator level, the configuration menus, Download OS, and Reboot Switch options in the Main Menu are not available.

[a] Allows use of the ping, link-test, show, menu, exit, and logout commands, plus the enable command if you can provide the manager password.

Configuring password security

To set up password security:

  1. Set a Manager password pair (and an operator password pair, if applicable for your system).

  2. Exit from the current console session. A Manager password pair will now be needed for full access to the console.

If you do steps 1 and 2, above, then the next time a console session is started for either the menu interface or the CLI, a prompt appears for a password. Assuming you have protected both the manager and operator levels, the level of access to the console interface will be determined by which password is entered in response to the prompt.

If you set a manager password, you may also want to configure an inactivity timer. This causes the console session to end after the specified period of inactivity, thus giving you added security against unauthorized console access.


NOTE: If the console inactivity-timer expires, any outbound Telnet or SSH sessions open on the switch are terminated.


You can use either of the following to set the inactivity timer:

  • Menu Interface: System Information screen, Select option 2 — Switch Configuration.

  • CLI: Use the command (and options) as follows:

    console inactivity-timer <0|1|5|10|15|20|30|60|120>


NOTE: The manager and operator passwords and (optional) usernames control access to the menu interface, CLI, and WebAgent.

If you configure only a manager password (with no operator password), and in a later session the manager password is not entered correctly in response to a prompt from the switch, then the switch does not allow management access for that session.

If the switch has a password for both the manager and operator levels, and neither is entered correctly in response to the switch’s password prompt, then the switch does not allow management access for that session.

Passwords are case-sensitive.

When configuring an operator or manager password, a message will appear indicating that (USB) autorun has been disabled. For more information on the autorun feature, refer to the “File Transfers” chapter in the Management and Configuration Guide for your switch.



CAUTION: If the switch has neither a manager nor an operator password, anyone having access to the switch through either Telnet, the serial port, or the WebAgent can access the switch with full manager privileges. Also, if you configure only an operator password, entering the operator password enables full manager privileges.
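
The following Python audit is an added example, not part of the original guide or the switch software. It applies the NOTE and CAUTION rules above to an inventory of switches and validates the `console inactivity-timer` value against the listed options. The `SwitchPosture` record, its field names, the sample data, and the treatment of a missing or `0` timer as "no timeout" are assumptions made for illustration.

```python
import re
from dataclasses import dataclass

# Values accepted by `console inactivity-timer`, per the CLI syntax in this section.
ALLOWED_TIMERS = {0, 1, 5, 10, 15, 20, 30, 60, 120}
TIMER_RE = re.compile(r"^\s*console inactivity-timer\s+(\S+)\s*$", re.MULTILINE)


@dataclass
class SwitchPosture:
    """Hypothetical inventory record; field names are assumptions for this example."""
    name: str
    manager_pw_set: bool
    operator_pw_set: bool
    config_text: str


def parse_timer(config_text):
    """Return the configured inactivity timer, or None if no such line is present."""
    match = TIMER_RE.search(config_text)
    if match is None:
        return None
    raw = match.group(1)
    if not raw.isdigit() or int(raw) not in ALLOWED_TIMERS:
        raise ValueError(f"unsupported inactivity-timer value: {raw!r}")
    return int(raw)


def audit(sw):
    """Return findings for one switch, following the NOTE and CAUTION rules above."""
    findings = []
    if not sw.manager_pw_set and not sw.operator_pw_set:
        findings.append("no passwords: any Telnet, serial or WebAgent user has manager access")
    elif not sw.manager_pw_set:
        findings.append("operator-only password: operator password grants manager access")
    timer = parse_timer(sw.config_text)
    # Assumption: a missing line or a value of 0 means sessions never time out.
    if sw.manager_pw_set and timer in (None, 0):
        findings.append("manager password set but no console inactivity timer")
    return findings


# Constructed sample inventory (not real devices or real configuration files).
SAMPLES = [
    SwitchPosture("sw-lab-1", False, False, "hostname sw-lab-1\n"),
    SwitchPosture("sw-lab-2", False, True, "console inactivity-timer 10\n"),
    SwitchPosture("sw-lab-3", True, True, "console inactivity-timer 0\n"),
    SwitchPosture("sw-lab-4", True, True, "console inactivity-timer 15\n"),
]
```

Calling `audit(sw)` for each record in `SAMPLES` returns an empty list only for `sw-lab-4`, which has a manager password and a non-zero timer.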