Changing passwords

Configure new passwords for each access level, or change the logon or password for the different access levels of the switch. After you receive the switch, use default passwords to initially access CLI. If you use Simple Network Management Protocol version 3 (SNMPv3), you can change encrypted passwords.

Before you begin

  • You must use an account with read-write-all privileges to change passwords. For security, the switch saves passwords to a hidden file.

About this task

If you enable the hsecure flag, after the aging time expires, the system prompts you to change your password. If you do not configure the aging time, the default is 90 days.

Procedure

  1. Enter Global Configuration mode:

    enable

    configure terminal

  2. Change a password:

    cli password WORD<1–20> {layer1|layer2|layer3|read-only|read-write|read-write-all}

  3. Enter the old password.
  4. Enter the new password.
  5. Enter the new password a second time.
  6. Configure password options:

    password [access-level WORD<2–8>] [aging-time <1-365>] [default-lockout-time <60-65000>] [lockout WORD<0–46> time <60-65000>] [min-passwd-len <10-20>] [password-history <3-32>]

Example

Change a password, and then set the password to an access level of read-write-all and the expiration period for the password to 60 days:

Switch:1>enable
Switch:1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Switch:1(config)#cli password smith read-write-all
Switch:1(config)#Enter the old password : winter
Switch:1(config)#Enter the New password : summer
Switch:1(config)#Re-enter the New password : summer
Switch:1(config)#password access-level rwa aging-time 60

Variable Definitions

The following table defines parameters for the cli password command.

Variable

Value

layer1|layer2|layer3|read-only|read-write|read-write-all

Changes the password for the specific access level.

WORD<1–20>

Specifies the user logon name.

Use the data in the following table to use the password command.

Variable

Value

access level WORD<2–8>

Permits or blocks this access level. The available access level values are as follows:

  • l1

  • l2

  • l3

  • ro

  • rw

  • rwa

aging-time <1-365>

Configures the expiration period for passwords in days, from 1–365. The default is 90 days.

default-lockout-time <60-65000>

Changes the default lockout time after three invalid attempts. Configures the lockout time, in seconds, and is in the 60–65000 range. The default is 60 seconds.

To configure this option to the default value, use the default operator with the command.

lockout WORD<0–46> time <60-65000>

Configures the host lockout time.

  • WORD<0–46> is the host IP address in the format a.b.c.d.

  • <60-65000> is the lockout-out time, in seconds, in the 60–65000 range. The default is 60 seconds.

min-passwd-len <10-20>

Configures the minimum length for passwords in high-secure mode. The default is 10 characters.

To configure this option to the default value, use the default operator with the command.

password-history <3-32>

Specifies the number of previous passwords the switch stores. You cannot reuse a password that is stored in the password history. The default is 3.

To configure this option to the default value, use the default operator with the command.