show cli password

Display the access, logon name, and password combinations.

Syntax

Default

None

Command Mode

User EXEC

Usage Guidelines

After you enable enhanced secure mode, the parameters in the output for the show cli password command apply to all of the role-based users, except for the admin user. So for instance, the system mandates that the admin user must have a password length of 15, and a password with two of each of the following characters:

However, the admin user can configure this differently for the other user access levels. The values that display for min-passwd-len and password-rule are those configured by admin, and they apply to the privilege, operator, security, and auditor access levels.

Command Output

The show cli password command displays the following information:

| Output field | Description |
|---|---|
| aging | Displays the maximum validity period, in days, for a password. |
| min-passwd-len | Displays the minimum length for passwords. |
| password-history | Displays the number of previous passwords the switch stores. |
| password-hashing | Displays the Secure Hash Algorithm (SHA) level. |
| change-interval | Displays the minimum period of time, in hours, between password changes. |
| password-rule | Displays the password complexity rule. The first variable defines the number of uppercase characters required. The second variable defines the number of lowercase characters required. The third variable defines the number of numeric characters required. The fourth variable defines the number of special characters required. |
| pre-expiry-notification-interval | Displays the interval between notifications to users that their passwords will expire. |
| post-expiry-notification-interval | Displays the interval between notifications to users that their passwords have expired. |
| ACCESS | Displays the access level. |
| LOGIN | Displays the username associated with the access level. |
| STATE | Displays if the access level is enabled. |
| MAX-SSH-SESSIONS | Displays the maximum number of SSH sessions allowed for each access level. |
| Default Lockout Time | Displays the lockout time, in seconds, after the configured number of invalid attempts. |
| Default Lockout Retries | Displays the number of invalid attempts allowed before lockout. |
| Lockout-Time | Displays the IP address and timeout for locked out hosts due to invalid login attempts. |

Examples

The following example displays output from the show cli password command if enhanced secure mode is disabled.

Switch:1#show cli password
        access-level
        aging     90

        min-passwd-len 10
        password-history 3
        password-hashing sha2 

        ACCESS    LOGIN            STATE
        l3        l3               ena
        l2        l2               ena
        l1        l1               ena
        Default Lockout Time       60
        Default Lockout Retries    3
        Lockout-Time:
                IP                  Time
                src =  10.1.213.11       timeout = 60

The following example displays output from the show cli password command if enhanced secure mode is enabled.

Switch:1#show cli password
        change-interval 24
        min-passwd-len 8
        password-history 3
        password-rule 1 1 1 1
        pre-expiry-notification-interval 1 7 30
        post-expiry-notification-interval 1 7 30
        access-level
        ACCESS        LOGIN       AGING  MAX-SSH-SESSIONS  STATE
        admin         rwa         90     3                 ena
        privilege                 90     3                 dis
        operator      oper1       90     3                 ena
        security      security    90     3                 ena
        auditor       auditor     90     3                 ena
        Default Lockout Time       60
        Lockout-Time:
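
The following Python example is added here and is not part of the vendor documentation: it parses show cli password output into its scalar settings and access-level rows, decodes password-rule in the order the field table gives, and reports where the displayed policy is weaker than a baseline. BASELINE, the function names and the abridged SAMPLE text are assumptions made for illustration.

```python
import re

RULE_CLASSES = ("uppercase", "lowercase", "numeric", "special")  # order per the field table
# Hypothetical audit baseline: an assumption for this example, not vendor guidance.
BASELINE = {"min-passwd-len": 15, "password-history": 3, "password-rule": (2, 2, 2, 2)}
# Constructed input: abridged copy of the enhanced-secure-mode output shown above.
SAMPLE = """Switch:1#show cli password
        min-passwd-len 8
        password-history 3
        password-rule 1 1 1 1
        access-level
        ACCESS        LOGIN       AGING  MAX-SSH-SESSIONS  STATE
        admin         rwa         90     3                 ena
        privilege                 90     3                 dis
        operator      oper1       90     3                 ena
        Default Lockout Time       60
"""

def parse_cli_password(text):
    """Split 'show cli password' output into scalar settings and access-level rows."""
    settings, accounts, cols = {}, [], None
    for line in text.splitlines():
        tokens = line.split()
        # A setting is a name followed only by integers, e.g. "password-rule 1 1 1 1".
        m = re.match(r"\s*(Default Lockout \w+|[a-z][a-z-]+)\s+(\d+(?:\s+\d+)*)\s*$", line)
        if m:
            vals = [int(v) for v in m.group(2).split()]
            settings[m.group(1)] = vals[0] if len(vals) == 1 else vals
        elif tokens and tokens[0] == "ACCESS":
            cols = tokens  # header row names the table columns
        elif cols and tokens[-1:] in (["ena"], ["dis"]):
            if len(tokens) == len(cols) - 1:
                tokens.insert(1, "")  # assumption: only LOGIN can be blank in a row
            accounts.append(dict(zip(cols, tokens)))
    return settings, accounts

def audit(settings, baseline=BASELINE):
    """Return findings where the displayed policy is weaker than the baseline."""
    findings = []
    for key in ("min-passwd-len", "password-history"):
        if settings.get(key, 0) < baseline[key]:
            findings.append(f"{key}: {settings.get(key, 0)} < {baseline[key]}")
    rule = settings.get("password-rule", [0, 0, 0, 0])  # field absent: treat as no rule
    for cls, have, want in zip(RULE_CLASSES, rule, baseline["password-rule"]):
        if have < want:
            findings.append(f"password-rule {cls}: {have} < {want}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(parse_cli_password(SAMPLE)[0])))
```

Because the displayed min-passwd-len and password-rule values apply to the privilege, operator, security, and auditor levels rather than to admin, the findings describe the policy for those levels.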