After the startup sequence is complete, the system opens the login prompt.
Note
With enhanced secure mode enabled, the person in the role-based authentication level of administrator configures the login and password values for the other role-based authentication levels. The administrator initially logs on to the switch using the default login of admin and the default password of admin. After the initial login, the switch prompts the administrator to create a new password.
The administrator then configures default logins and passwords for the other users based on the role-based authentication levels of the user. For more information on enhanced secure mode, see System access security enhancements.
The following table shows the default values for login and password for the console and Telnet sessions.
Access level |
Description |
Default logon |
Default password |
---|---|---|---|
Read-only |
Permits view only configuration and status information. This access level is equivalent to Simple Network Management Protocol (SNMP) read-only community access. |
ro |
ro |
Layer 1 read-write |
View most switch configuration and status information and change physical port settings. |
l1 |
l1 |
Layer 2 read-write |
View and change configuration and status information for Layer 2 (bridging and switching) functions. |
l2 |
l2 |
Layer 3 read-write |
View and change configuration and status information for Layer 2 and Layer 3 (routing) functions. |
l3 |
l3 |
Read-write |
View and change configuration and status information across the switch. Read-write access does not allow you to change security and password settings. This access level is equivalent to SNMP read-write community access. |
rw |
rw |
Read-write-all |
Permits all the rights of read-write access and the ability to change security settings. This access level allows you to change the command line interface (CLI) and web-based management user names and passwords and the SNMP community strings. |
rwa |
rwa |
You can enable or disable users with particular access levels, eliminating the need to maintain large numbers of access levels and passwords for each user.
The system denies access to a user with a disabled access level who attempts to log on. The system displays the following error message after a user attempts to log on with a blocked access level:
CPU1 [mm/dd/yy hh:mm:ss] 0x0019bfff GlobalRouter CLI WARNING Slot 1: Blocked unauthorized cli access
The system logs the following message to the log file:
User <user-name> tried to connect with blocked access level <access-level> from <src-ipaddress> via <login type>.
The system logs the following message for the console port:
User <user-name> tried to connect with blocked access level <access-level> from console port.
Remote Authentication Dial-in User Service (RADIUS) authentication takes precedence over the local configuration. If you enable RADIUS authentication on the switch, the user can access the switch even if you block an access level on the switch.
Important
When you enable RADIUS on the switch and configure a RADIUS server to be used by CLI or EDM, the server authenticates the connection, whether it is FTP, HTTPS, SSH, or TELNET. However, in the event that the RADIUS server is unresponsive or is unreachable, the switch will fall back to the local authentication, so that you can access the switch using your local login credentials.
If you disable an access level, all running sessions, except FTP sessions, with that access level to the switch terminate.
Important
Only the RWA user can disable an access level on the switch. You cannot disable the RWA access level on the switch.
The system preserves these configurations across restarts.
The switch supports a configurable flag called high secure (hsecure). Use the hsecure flag to enable the following password features:
10 character enforcement
aging time
limitation of failed login attempts
protection mechanism to filter designated IP addresses
If you activate the hsecure flag, the software enforces the 10-character rule for all passwords. The password must contain a minimum of two uppercase characters, two lowercase characters, two numbers, and two special characters.
If you enable hsecure for the first time and the password file does not exist, then the device creates a normal default username (rwa) and password (rwa). In this case, the password does not meet the minimum requirements for hsecure and as a result the system prompts you to change the password.
For more information about the hsecure flag, see hsecure Mode.
If you enable enhanced secure mode, the system uses different authentication levels. Enhanced secure mode allows the system to:
Provide role-based access levels
Stronger password requirements
Stronger rules on password length
Stronger rules on password complexity
Stronger rules on password change intervals
Stronger rules on password reuse
Stronger password maximum age use
For more information on enhanced secure mode, see System access security enhancements.
The default switch configuration enforces the following restrictions for web-server access:
The web-server password must be a minimum of 8 characters.
Secure communications with the web server use Transport Layer Security (TLS) version 1.2 and later.
The switch does not support the RC4 cipher. The switch supports the following ciphers:
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA256
For information about how to enable and configure the web server, see Configure the Web Server or Configure the Web Management Interface. For information about supported browser versions, see Supported Browsers.