Changing passwords

Configure new passwords for each access level, or change the logon or password for the different access levels of the switch. After you receive the switch, use default passwords to initially access CLI. If you use Simple Network Management Protocol version 3 (SNMPv3), you can change encrypted passwords.

Before you begin

  • You must use an account with read-write-all privileges to change passwords. For security, the switch saves passwords to a hidden file.

About this task

If you enable the hsecure flag, after the aging time expires, the system prompts you to change your password. If you do not configure the aging time, the default is 90 days.

Procedure

  1. Enter Global Configuration mode:

    enable

    configure terminal

  2. Change a password:

    cli password WORD<1–20> {layer1|layer2|layer3|read-only|read-write|read-write-all}

  3. Enter the old password.
  4. Enter the new password.
  5. Enter the new password a second time.
  6. Configure password options:

    password access-level WORD<2–8>

    password aging-time day <1-365>

    password default-lockout-time <60-65000>

    password lockout WORD<0–46> [time <60-65000>]

    password min-passwd-len <10-20>

    password password-history <3-32>

Example

Switch:1>enable

Switch:1#configure terminal

Change a password:

Switch:1(config)# password smith read-write-all

Enter the old password:

Switch:1(config)#*********

Enter the new password:

Switch:1(config)#*********

Enter the new password a second time:

Switch:1(config)#*********

Set password to an access level of read-write-all and the expiration period for the password to 60 days:

Switch:1(config)#access-level rwa aging-time 60

Variable Definitions

The following table defines parameters for the cli password command.

Table 1. Variable definitions

Variable

Value

layer1|layer2|layer3|read-only|read-write|read-write-all

Changes the password for the specific access level.

WORD<1–20>

Specifies the user logon name.

The following table defines parameters for the password command.

Table 2. Variable definitions

Variable

Value

access level WORD<2–8>

Permits or blocks this access level. The available access level values are as follows:

  • l1

  • l2

  • l3

  • ro

  • rw

  • rwa

aging-time day <1-365>

Configures the expiration period for passwords in days, from 1–365. The default is 90 days.

default-lockout-time <60-65000>

Changes the default lockout time after three invalid attempts. Configures the lockout time, in seconds, and is in the 60–65000 range. The default is 60 seconds.

To configure this option to the default value, use the default operator with the command.

lockout WORD<0–46> time <60-65000>

Configures the host lockout time.

  • WORD<0–46> is the host IP address in the format a.b.c.d.

  • <60-65000> is the lockout-out time, in seconds, in the 60–65000 range. The default is 60 seconds.

min-passwd-len <10-20>

Configures the minimum length for passwords in high-secure mode. The default is 10 characters.

To configure this option to the default value, use the default operator with the command.

password-history <3-32>

Specifies the number of previous passwords the switch stores. You cannot reuse a password that is stored in the password history. The default is 3.

To configure this option to the default value, use the default operator with the command.