An admin user (super user) can create user accounts, set the system password, and set the system lockout. Users with read-write access can change their own passwords. See User Management Configuration.
The S-, K-, or 7100-Series device supports up to 32 user accounts, including the admin account, which cannot be disabled or deleted.
The S-, K-, or 7100-Series supports security profiles that determine user access to certain commands and can also limit parameter settings for certain commands. The security profiles supported are normal and C2. The normal security profile provides standard user access based upon the configured user mode: super-user, read-write, and read-only. C2 is defined as Controlled Access Protection mode and is a security rating established by the U.S. National Computer Security Center (NCSC) and granted to products that pass Department of Defense (DoD) Trusted Computer System Evaluation Criteria (TCSEC) tests. A C2 rating ensures the minimum allowable levels of confidence demanded for government agencies and offices and other organizations that process classified or secure information. Use the set security profile command to set the security profile to either normal or C2 for the device. C2 mode can affect command availability and parameter value defaults and ranges. If C2 security mode affects a command, this is specified in the command entry in the S-, K-, and 7100 Series CLI Reference Guide.
Access to the boot menu during startup can be disabled. Access to the boot menu during startup is enabled by default.
The S-, K-, or 7100-Series supports enabling Federal Information Processing Standards (FIPS) mode. In FIPS mode, only FIPS-approved authentication and encryption algorithms and methods are used. The current implementation supports the SHA1 algorithm in FIPS mode. Use the set security fips mode command to enable FIPS mode on the device.
User management configuration also includes the following:
Step | Task | Command(s) |
---|---|---|
1 | Create a new user login account, or disable or enable an existing account. | set system login username [read-write \| read-only \| super-user] [enable \| disable] [password {password \| aging {days \| disable \| system}}] [allowed-interval {HH:MM HH:MM}] [allowed-days {[Sun] [Mon] [Tue] [Wed] [Thu] [Fri] [Sat]}] [simultaneous-logins num] [local-only {yes \| no}] |
2 | Change system default passwords or set a new login password on the CLI. (Only available to users with super-user access.) | set password [username] |
3 | Configure system password parameters. A system password can contain the following special characters: !@#$%^&*()-=[]\;?,./` | set system password [aging {days \| disable}] [history {size}] [length characters] [min-required-chars {[uppercase characters] [lowercase characters] [numeric characters] [special characters]}] [require-at-creation {yes \| no}] [allow-duplicates {yes \| no}] [allow-user-id {yes \| no}] [substring-match-len characters] [allow-repeating-chars {num \| yes \| no}] [change-first-login {yes \| no} [all]] [change-frequency minutes [all]] [expire-warning days] [grace-period {logins num \| time days}] |
4 | Optionally, disable access to the boot menu during bootup. Access to the boot menu is enabled by default. | set security boot-access {enable \| disable} |
5 | Set the number of failed login attempts before locking out (disabling) a read-write or read-only user account, the number of minutes to lock out the default admin super-user account after the maximum number of login attempts, and the number of inactive days before a non-super-user account is locked out. If you set inactive to 0, no accounts are locked out due to inactivity. Once a user account is locked out, it can only be re-enabled by a super user with the set system login command. | set system lockout {[attempts attempts] [time minutes [all]] [port {enable \| disable}] [inactive days [all]] [emergency-access]} |
6 | Optionally, enable FIPS mode on the device. FIPS mode is disabled by default. | set security fips mode {enable \| disable} |
7 | Optionally, set the device's security profile. The security profile defaults to normal. | set security profile {c2 \| normal} |
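The password options in step 3 are easier to reason about when you see a candidate password checked against them. The following Python model is an added example, not device firmware or vendor code: it mirrors the length, min-required-chars, allow-user-id, allow-repeating-chars and history options using the special-character set the page lists, and the exact semantics of each option (for example that allow-repeating-chars bounds a consecutive run) are assumptions.

```python
import re
from dataclasses import dataclass, field

# Special characters the page lists as permitted in a system password.
SPECIAL = set("!@#$%^&*()-=[]\\;?,./`")


@dataclass
class PasswordPolicy:
    """One attribute per modelled 'set system password' option (semantics assumed)."""
    length: int = 8                 # minimum password length
    # min-required-chars: minimum count of each character class
    min_required: dict = field(default_factory=lambda: {
        "uppercase": 1, "lowercase": 1, "numeric": 1, "special": 1})
    allow_user_id: bool = False     # may the user name appear inside the password?
    max_repeat_run: int = 2         # allow-repeating-chars num: longest run of one character
    history: int = 5                # history size: recent passwords that may not be reused


def check_password(policy, username, candidate, previous=()):
    """Return the list of policy violations; an empty list means the password is accepted."""
    problems = []
    if len(candidate) < policy.length:
        problems.append(f"shorter than {policy.length} characters")
    # Reject anything outside letters, digits and the documented special set.
    if any(not c.isalnum() and c not in SPECIAL for c in candidate):
        problems.append("contains a character outside the permitted set")
    counts = {
        "uppercase": sum(c.isupper() for c in candidate),
        "lowercase": sum(c.islower() for c in candidate),
        "numeric": sum(c.isdigit() for c in candidate),
        "special": sum(c in SPECIAL for c in candidate),
    }
    for kind, needed in policy.min_required.items():
        if counts[kind] < needed:
            problems.append(f"needs at least {needed} {kind} character(s)")
    if not policy.allow_user_id and username.lower() in candidate.lower():
        problems.append("contains the user ID")
    # A run longer than max_repeat_run of the same character is rejected.
    if re.search(r"(.)\1{%d,}" % policy.max_repeat_run, candidate):
        problems.append(f"repeats one character more than {policy.max_repeat_run} times in a row")
    if policy.history and candidate in list(previous)[-policy.history:]:
        problems.append(f"matches one of the last {policy.history} passwords")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs: one compliant password and one that trips several checks.
    print(check_password(PasswordPolicy(), "admin", "Sw1tch!Cfg"))
    print(check_password(PasswordPolicy(), "admin", "admin111"))
```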
The following table lists user account management and display commands for S-, K-, and 7100-Series devices.
Task | Command |
---|---|
To display user login account information. | show system login [-verbose] |
To display current password configuration settings. | show system password |
To display settings for locking out users. | show system lockout |
To display the current boot access state for this device. | show security boot-access |
To display the current security FIPS mode state for this device. | show security fips mode |
To display the current security profile for this device. | show security profile |
To remove a local login user account or to reset a specified option to its default value. The account is removed if no optional parameters are entered. | clear system login username [allowed-interval] [allowed-days] [password [aging]] [simultaneous-logins] [local-only] |
To reset system lockout parameters to default values. | clear system lockout [attempts] [time] [inactive] |
To clear local login password parameters to default values. If no options are specified, all options are reset to default values. | clear system password [aging] [history] [length] [min-required-chars {[uppercase] [lowercase] [numeric] [special]}] [require-at-creation] [allow-duplicate] [allow-user-id] [substring-match-len] [allow-repeating-chars] [change-first-login] [change-frequency] [expire-warning] [grace-period] |
To reset access to the boot menu during bootup to the default state of enabled. | clear security boot-access |
To reset FIPS mode state to the default value of disabled on the device. | clear security fips mode |
To reset the device security profile to the default value of normal. | clear security profile |