Changing passwords

Configure new passwords for each access level, or change the logon or password for the different access levels of the switch. After you receive the switch, use the default passwords to initially access the CLI. If you use Simple Network Management Protocol version 3 (SNMPv3), you can change encrypted passwords.

If you enable the hsecure flag, the system prompts you to change your password after the aging time expires. If you do not configure the aging time, the default is 90 days.

If you enable enhanced secure mode with the boot config flags enhancedsecure-mode command, you enable new access levels, along with stronger password complexity, length, and minimum change intervals. For more information on system access fundamentals and configuration, see System access fundamentals.

Before you begin

  • You must use an account with read-write-all privileges to change passwords. For security, the switch saves passwords to a hidden file.

Procedure

  1. Enter Global Configuration mode:

    enable

    configure terminal

  2. Change a password:

    cli password WORD<1–20> {layer1|layer2|layer3|read-only|read-write|read-write-all}

  3. Enter the old password.
  4. Enter the new password.
  5. Re-enter the new password.
  6. Configure password options:

    password [access-level WORD<2–8>] [aging-time day <1-365>] [default-lockout-time <60-65000>] [lockout WORD<0–46> time <60-65000>] [min-passwd-len <10-20>] [password-history <3-32>]

Example

Switch:1> enable

Switch:1# configure terminal

Change a password:

Switch:1(config)# cli password rwa read-write-all

Enter the old password: ***

Enter the new password: ***

Re-enter the new password: ***

Set the access level to read-write-all and the password expiration period to 60 days:

Switch:1(config)# password access-level rwa aging-time day 60

Variable Definitions

Use the data in the following table to use the cli password command.

Variable

Value

layer1|layer2|layer3|read-only|read-write|read-write-all

Changes the password for the specific access level.

WORD<1–20>

Specifies the user logon name.

Use the data in the following table to use the password command.

Variable

Value

access-level WORD<2–8>

Permits or blocks this access level. The available access level values are as follows:

  • layer1

  • layer2

  • layer3

  • read-only

  • read-write

  • read-write-all

aging-time day <1-365>

Configures the expiration period for passwords in days, from 1–365. The default is 90 days.

default-lockout-time <60-65000>

Changes the default lockout time that applies after three invalid attempts. The lockout time is in seconds, in the 60–65000 range. The default is 60 seconds.

To configure this option to the default value, use the default operator with the command.

lockout WORD<0–46> time <60-65000>

Configures the host lockout time.

  • WORD<0–46> is the host IPv4 or IPv6 address.

  • <60-65000> is the lockout time, in seconds, in the 60–65000 range. The default is 60 seconds.

min-passwd-len <10-20>

Configures the minimum length for passwords in high-secure mode. The default is 10 characters.

To configure this option to the default value, use the default operator with the command.

password-history <3-32>

Specifies the number of previous passwords the switch stores. You cannot reuse a password that is stored in the password history. The default is 3.

To configure this option to the default value, use the default operator with the command.
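
The ranges in the tables above can be checked before a password command is pushed to a switch by automation. The following Python validator is an added example, not part of the original documentation or the vendor's software; the function name validate_password_cmd and the sample lines are constructed, and it checks only the options and ranges documented on this page.

```python
import ipaddress

# Numeric ranges copied from the variable definitions on this page.
RANGES = {"default-lockout-time": (60, 65000), "min-passwd-len": (10, 20),
          "password-history": (3, 32)}

def _in_range(name, value, lo, hi):
    """Return one problem string if value is not an integer in lo..hi."""
    if not (value.isascii() and value.isdigit() and lo <= int(value) <= hi):
        return [f"{name}: {value!r} not in {lo}-{hi}"]
    return []

def validate_password_cmd(line):
    """Return the problems found in one 'password ...' command line."""
    tok = line.split()
    if not tok or tok[0] != "password":
        return ["not a password command"]
    errs, i = [], 1
    while i < len(tok):
        opt, args = tok[i], tok[i + 1:]
        if opt == "access-level" and args:
            if not 2 <= len(args[0]) <= 8:  # WORD<2-8>: length check only
                errs.append(f"access-level: {args[0]!r} is not 2-8 characters")
            i += 2
        elif opt == "aging-time" and len(args) >= 2 and args[0] == "day":
            errs += _in_range(opt, args[1], 1, 365)
            i += 3
        elif opt in RANGES and args:
            errs += _in_range(opt, args[0], *RANGES[opt])
            i += 2
        elif opt == "lockout" and len(args) >= 3 and args[1] == "time":
            try:
                ipaddress.ip_address(args[0])  # host must be IPv4 or IPv6
            except ValueError:
                errs.append(f"lockout: {args[0]!r} is not an IP address")
            errs += _in_range("lockout time", args[2], 60, 65000)
            i += 4
        else:  # unknown keyword, or a keyword missing its arguments
            errs.append(f"unrecognized or incomplete option at {opt!r}")
            break
    return errs

# Constructed sample lines (not taken from a real switch configuration).
SAMPLES = ["password aging-time day 60 min-passwd-len 12 password-history 5",
           "password min-passwd-len 8",
           "password lockout 192.0.2.10 time 30"]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s, "->", validate_password_cmd(s) or "ok")
```

An empty list means every option on the line is within the documented range; the validator stops at the first keyword it cannot parse, such as aging-time without the day keyword.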