Display the access, logon name, and password combinations.
show cli password
None
User EXEC
After you enable enhanced secure mode, the parameters in the output of the show cli password command apply to all role-based users except the admin user. For instance, the system mandates that the admin user must have a password length of 15, and a password with two of each of the following characters:
uppercase
lowercase
numeric
special character
However, the admin user can configure this differently for the other user access levels. The values that display for min-passwd-len and password-rule are those configured by admin, and they apply to the privilege, operator, security, and auditor access levels.
The show cli password command displays the following information:
Output field | Description |
---|---|
aging | Displays the maximum validity period, in days, for a password. |
min-passwd-len | Displays the minimum length for passwords. |
password-history | Displays the number of previous passwords the switch stores. |
password-hashing | Displays the Secure Hash Algorithm (SHA) level. |
change-interval | Displays the minimum period of time, in hours, between password changes. |
password-rule | Displays the password complexity rule. The first variable defines the number of uppercase characters required. The second variable defines the number of lowercase characters required. The third variable defines the number of numeric characters required. The fourth variable defines the number of special characters required. |
pre-expiry-notification-interval | Displays the interval between notifications to users that their passwords will expire. |
post-expiry-notification-interval | Displays the interval between notifications to users that their passwords have expired. |
ACCESS | Displays the access level. |
LOGIN | Displays the username associated with the access level. |
STATE | Displays if the access level is enabled. |
MAX-SSH-SESSIONS | Displays the maximum number of SSH sessions allowed for each access level. |
Default Lockout Time | Displays the lockout time, in seconds, after the configured number of invalid attempts. |
Default Lockout Retries | Displays the number of invalid attempts allowed before lockout. |
Lockout-Time | Displays the IP address and timeout for locked out hosts due to invalid login attempts. |
The following example displays output from the show cli password command if enhanced secure mode is disabled.
```
Switch:1#show cli password
       access-level
       aging 90
       min-passwd-len 10
       password-history 3
       password-hashing sha2
ACCESS   LOGIN   STATE
l3       l3      ena
l2       l2      ena
l1       l1      ena
Default Lockout Time      60
Default Lockout Retries   3
Lockout-Time:
IP   Time
src = 10.1.213.11 timeout = 60
```
The following example displays output from the show cli password command if enhanced secure mode is enabled.
```
Switch:1#show cli password
       change-interval 24
       min-passwd-len 8
       password-history 3
       password-rule 1 1 1 1
       pre-expiry-notification-interval 1 7 30
       post-expiry-notification-interval 1 7 30
       access-level
ACCESS      LOGIN      AGING   MAX-SSH-SESSIONS   STATE
admin       rwa        90      3                  ena
privilege              90      3                  dis
operator    oper1      90      3                  ena
security    security   90      3                  ena
auditor     auditor    90      3                  ena
Default Lockout Time      60
Lockout-Time:
```
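The following is an added example, not part of the original page or any vendor tooling: a Python audit that parses captured show cli password output from enhanced secure mode and compares the fields described above against a site baseline. The baseline values (MINIMUMS, MIN_RULE, MAX_AGING_DAYS, EXPECTED_ENABLED) and the function names are assumptions chosen for illustration; the sample text is the enhanced secure mode example output shown above.

```python
import re

# Example output from this page (enhanced secure mode enabled); parsing ignores line breaks.
SAMPLE = """Switch:1#show cli password change-interval 24 min-passwd-len 8 password-history 3
password-rule 1 1 1 1 pre-expiry-notification-interval 1 7 30 post-expiry-notification-interval 1 7 30
access-level ACCESS LOGIN AGING MAX-SSH-SESSIONS STATE admin rwa 90 3 ena privilege 90 3 dis
operator oper1 90 3 ena security security 90 3 ena auditor auditor 90 3 ena
Default Lockout Time 60 Lockout-Time:"""

# Hypothetical site baseline: assumed values for illustration, not vendor defaults.
MINIMUMS = {"min-passwd-len": 12, "password-history": 3, "Default Lockout Time": 60}
MIN_RULE = (1, 1, 1, 1)   # uppercase, lowercase, numeric, special
MAX_AGING_DAYS = 90
EXPECTED_ENABLED = {"admin", "security", "auditor"}
# Access-level row: level, optional login, aging, max SSH sessions, state.
ROW = re.compile(r"\b(admin|privilege|operator|security|auditor)"
                 r"(?: (\S+))? (\d+) (\d+) (ena|dis)\b")

def parse(text):
    """Return (scalar fields, password-rule tuple or None, access-level rows)."""
    flat = " ".join(text.split())
    fields = {}
    for key in MINIMUMS:
        m = re.search(r"(?<![\w-])" + re.escape(key) + r" (\d+)", flat)
        if m:
            fields[key] = int(m.group(1))
    m = re.search(r"password-rule (\d+) (\d+) (\d+) (\d+)", flat)
    rule = tuple(map(int, m.groups())) if m else None
    rows = [{"access": a, "login": l, "aging": int(g), "max_ssh": int(s), "state": st}
            for a, l, g, s, st in ROW.findall(flat)]
    return fields, rule, rows

def audit(text):
    """Return a list of findings; an empty list means the baseline is met."""
    fields, rule, rows = parse(text)
    findings = []
    for key, minimum in MINIMUMS.items():
        value = fields.get(key)
        if value is None:
            findings.append(f"{key}: not found in output")
        elif value < minimum:
            findings.append(f"{key}: {value} is below baseline {minimum}")
    if rule is None or any(have < need for have, need in zip(rule, MIN_RULE)):
        findings.append(f"password-rule: {rule} is weaker than {MIN_RULE}")
    for row in rows:
        if row["state"] == "ena" and row["access"] not in EXPECTED_ENABLED:
            findings.append(f"{row['access']}: enabled but not expected (login {row['login']})")
        if row["aging"] > MAX_AGING_DAYS:
            findings.append(f"{row['access']}: aging {row['aging']} exceeds {MAX_AGING_DAYS}")
    return findings
```

Run audit() over output collected from each switch and review any non-empty result. Because the admin user is governed by the system-mandated rules rather than by min-passwd-len and password-rule, those two findings describe the other access levels.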