show cli password

Display the access, logon name, and password combinations.

Syntax

show cli password

Default

None

Command Mode

User EXEC

Usage Guidelines

After you enable enhanced secure mode, the parameters in the output for the show cli password command apply to all of the role-based users, except for the admin user. So for instance, the system mandates that the admin user must have a password length of 15, and a password with two of each of the following characters:

uppercase
lowercase
numeric
special character

However, the admin user can configure this differently for the other user access levels. The values that display for min-passwd-len and password-rule are those configured by admin, and they apply to the privilege, operator, security, and auditor access levels.

Command Output

The show cli password command displays the following information:


Output field	Description
aging	Displays the maximum validity period, in days, for a password.
min-passwd-len	Displays the minimum length for passwords.
password-history	Displays the number of previous passwords the switch stores.
password-hashing	Displays the Secure Hash Algorithm (SHA) level.
change-interval	Displays the minimum period of time, in hours, between password changes.
password-rule	Displays the password complexity rule. The first variable defines the number of uppercase characters required. The second variable defines the number of lowercase characters required. The third variable defines the number of numeric characters required. The fourth variable defines the number of special characters required.
pre-expiry-notification-interval	Displays the interval between notifications to users that their passwords will expire.
post-expiry-notification-interval	Displays the interval between notifications to users that their passwords have expired.
ACCESS	Displays the access level.
LOGIN	Displays the username associated with the access level.
STATE	Displays if the access level is enabled.
MAX-SSH-SESSIONS	Displays the maximum number of SSH sessions allowed for each access level.
Default Lockout Time	Displays the lockout time, in seconds, after the configured number of invalid attempts.
Default Lockout Retries	Displays the number of invalid attempts allowed before lockout.
Lockout-Time	Displays the IP address and timeout for locked out hosts due to invalid login attempts.

Examples

The following example displays output from the show cli password command if enhanced secure mode is disabled.

Switch:1#show cli password
        access-level
        aging     90

        min-passwd-len 10
        password-history 3
        password-hashing sha2 

        ACCESS    LOGIN            STATE
        l3        l3               ena
        l2        l2               ena
        l1        l1               ena
        Default Lockout Time       60
        Default Lockout Retries		3
        Lockout-Time:
                IP                  Time
                src =  10.1.213.11       timeout = 60

The following example displays output from the show cli password command if enhanced secure mode is enabled.

Switch:1#show cli password
        change-interval 24
        min-passwd-len 8
        password-history 3
        password-rule 1 1 1 1
        pre-expiry-notification-interval 1 7 30
        post-expiry-notification-interval 1 7 30
        access-level
        ACCESS        LOGIN       AGING  MAX-SSH-SESSIONS  STATE
        admin         rwa         90     3                 ena
        privilege                 90     3                 dis
        operator      oper1       90     3                 ena
        security      security    90     3                 ena
        auditor       auditor     90     3                 ena
        Default Lockout Time       60
        Lockout-Time: