Changing passwords
Configure new passwords for each access level, or change the logon or password for the different access levels of the switch. After you receive the switch, use default passwords to initially access CLI. If you use Simple Network Management Protocol version 3 (SNMPv3), you can change encrypted passwords.
If you enable the hsecure flag, after the aging time expires, the system prompts you to change your password. If you do not configure the aging time, the default is 90 days.
If you enable enhanced secure mode with the boot config flags enhancedsecure-mode command, you enable new access levels, along with stronger password complexity, length, and minimum change intervals. For more information on system access fundamentals and configuration, see System access fundamentals.
Before you begin
-
You must use an account with read-write-all privileges to change passwords. For security, the switch saves passwords to a hidden file.
Procedure
Example
Switch:1> enable
Switch:1# configure terminal
Change a password:
Switch:1(config)# cli password rwa read-write-all
Enter the old password: ***
Enter the new password: ***
Re-enter the new password: ***
Set password to an access level of read-write-all and the expiration period for the password to 60 days:
Switch:1(config)# password access-level rwa aging-time 60
Variable definitions
Use the data in the following table to use the cli password command.
Variable |
Value |
---|---|
layer1|layer2|layer3|read-only|read-write|read-write-all |
Changes the password for the specific access level. |
WORD<1–20> |
Specifies the user logon name. |
Use the data in the following table to use the password command.
Variable |
Value |
|
---|---|---|
access-level WORD<2–8> |
Permits or blocks this access level. The available access level values are as follows:
|
|
aging-time day <1-365> |
Configures the expiration period for passwords in days, from 1–365. The default is 90 days. |
|
default-lockout-time <60-65000> |
Changes the default lockout time after three invalid attempts. Configures the lockout time, in seconds, and is in the 60–65000 range. The default is 60 seconds. To configure this option to the default value, use the default operator with the command. |
|
lockout WORD<0–46> time <60-65000> |
Configures the host lockout time.
|
|
min-passwd-len <10-20> |
Configures the minimum length for passwords in high-secure mode. The default is 10 characters. To configure this option to the default value, use the default operator with the command. |
|
password-history <3-32> |
Specifies the number of previous passwords the switch stores. You cannot reuse a password that is stored in the password history. The default is 3. To configure this option to the default value, use the default operator with the command. |