Logging On to the System

After the startup sequence is complete, the login prompt appears.

Note

Note

With enhanced secure mode enabled, the person in the role-based authentication level of administrator configures the login and password values for the other role-based authentication levels. The administrator initially logs on to the switch using the default login of admin and the default password of admin. After the initial login, the switch prompts the administrator to create a new password.

The administrator then configures default logins and passwords for the other users based on the role-based authentication levels of the user. For more information on enhanced secure mode, see System access security enhancements.

The following table shows the default values for login and password for the console and Telnet sessions.

Table 1. Access levels and default logon values

Access level

Description

Default logon

Default password

Read-only

Permits view only configuration and status information. This access level is equivalent to Simple Network Management Protocol (SNMP) read-only community access.

ro

ro

Layer 1 read-write

View most switch configuration and status information and change physical port settings.

l1

l1

Layer 2 read-write

View and change configuration and status information for Layer 2 (bridging and switching) functions.

l2

l2

Layer 3 read-write

View and change configuration and status information for Layer 2 and Layer 3 (routing) functions.

l3

l3

Read-write

View and change configuration and status information across the switch. Read-write access does not allow you to change security and password settings. This access level is equivalent to SNMP read-write community access.

rw

rw

Read-write-all

Permits all the rights of read-write access and the ability to change security settings. This access level allows you to change the command line interface (CLI) and Web-based management user names and passwords and the SNMP community strings.

rwa

rwa

You can enable or disable users with particular access levels, eliminating the need to maintain large numbers of access levels and passwords for each user.

The system denies access to a user with a disabled access level who attempts to log on. The following error message appears after a user attempts to log on with a blocked access level:

CPU1 [mm/dd/yy hh:mm:ss] 0x0019bfff GlobalRouter CLI WARNING Slot 1: Blocked unauthorized cli access

The system logs the following message to the log file:

User <user-name> tried to connect with blocked access level <access-level> from <src-ipaddress> via <login type>.

The system logs the following message for the console port:

User <user-name> tried to connect with blocked access level <access-level> from console port.

RADIUS authentication

Remote Authentication Dial-in User Service (RADIUS) authentication takes precedence over the local configuration. If you enable RADIUS authentication on the switch, the user can access the switch even if you block an access level on the switch.

Important

Important

When you enable RADIUS on the switch and configure a RADIUS server to be used by CLI or EDM, the server authenticates the connection, whether it is FTP, HTTPS, SSH, or TELNET. However, in the event that the RADIUS server is unresponsive or is unreachable, the switch will fall back to the local authentication, so that you can access the switch using your local login credentials.

If you disable an access level, all running sessions, except FTP sessions, with that access level to the switch terminate.

Important

Important

Only the RWA user can disable an access level on the switch. You cannot disable the RWA access level on the switch.

The system preserves these configurations across restarts.

hsecure mode boot configuration flag

The switch supports a configurable flag called high secure (hsecure). Use the hsecure flag to enable the following password features:

If you activate the hsecure flag, the software enforces the 10-character rule for all passwords. The password must contain a minimum of two uppercase characters, two lowercase characters, two numbers, and two special characters.

If you enable hsecure for the first time and the password file does not exist, then the device creates a normal default username (rwa) and password (rwa). In this case, the password does not meet the minimum requirements for hsecure and as a result the system prompts you to change the password.

For more information about the hsecure flag, see hsecure Mode.

Enhanced secure mode

If you enable enhanced secure mode, the system uses different authentication levels. Enhanced secure mode allows the system to:

For more information on enhanced secure mode, see System access security enhancements.

Default Web-Server Behavior

The default switch configuration enforces the following restrictions for web-server access:

For information about how to enable and configure the web server, see Configure the Web Server or Configure the Web Management Interface. For information about supported browser versions, see Supported Browsers.