ServerIron ADX Administration Guide
Release 12.0.00
June 15, 2009




Setting Passwords
Passwords can be used to secure the following access methods:
This section also provides procedures for enhancing management privilege levels, recovering from a lost password, and disabling password encryption.
NOTE: You also can configure up to 16 user accounts consisting of a user name and password, and assign each user account a management privilege level. See “Setting Up Local User Accounts”.
Setting a Telnet Password
By default, the device does not require a user name or password when you log in to the CLI using Telnet. Keep in mind that Telnet carries the whole session, including this password, in cleartext: the password stops unauthenticated logins, but it does not protect against anyone who can observe traffic on the management network.
To set the password “letmein” for Telnet access to the CLI, enter the following command at the global CONFIG level:
ServerIron(config)# enable telnet password letmein
Syntax: [no] enable telnet password <string>
Suppressing Telnet Connection Rejection Messages
By default, if a ServerIron denies Telnet management access to the device, the software sends a rejection message to the denied Telnet client. You can optionally suppress the rejection message. When you enable the option, a denied Telnet client receives no message from the ServerIron; the denied client simply does not gain access, and learns nothing about why the connection was refused.
To suppress the connection rejection message sent by the device to a denied Telnet client, enter the following command at the global CONFIG level of the CLI:
ServerIron(config)# telnet server suppress-reject-message
Syntax: [no] telnet server suppress-reject-message
Setting Passwords for Management Privilege Levels
You can set one password for each of the following management privilege levels:
Super User level – Allows complete read-and-write access to the system. This is generally for system administrators and is the only management privilege level that allows you to configure passwords.
Port Configuration level – Allows read-and-write access for specific ports but not for global (system-wide) parameters.
Read Only level – Allows access to the Privileged EXEC mode and CONFIG mode of the CLI but only with read access.
You can assign a password to each management privilege level. You also can configure up to 16 user accounts consisting of a user name and password, and assign each user account to one of the three privilege levels. See “Setting Up Local User Accounts”.
NOTE: You must use the CLI to assign a password for management privilege levels. You cannot assign a password using the Web management interface.
If you configure user accounts in addition to privilege level passwords, the device will validate a user’s access attempt using one or both methods (local user account or privilege level password), depending on the order you specify in the authentication-method lists. See “Configuring Authentication-Method Lists”.
To set passwords for management privilege levels:
1. ServerIron> enable
   ServerIron#
2. ServerIron# configure terminal
   ServerIron(config)#
3. ServerIron(config)# enable super-user-password <text>
NOTE: You must set the Super User level password before you can set other types of passwords. The Super User level password can be an alphanumeric string, but cannot begin with a number.
4. ServerIron(config)# enable port-config-password <text>
   ServerIron(config)# enable read-only-password <text>
NOTE: If you forget your Super User level password, see “Recovering from a Lost Password”.
Augmenting Management Privilege Levels
Each management privilege level provides access to specific areas of the CLI by default:
You can grant additional access to a privilege level on an individual command basis. To grant the additional access, you specify the privilege level you are enhancing, the CLI level that contains the command, and the individual command.
NOTE: This feature applies only to management privilege levels on the CLI. You cannot augment management access levels for the Web management interface.
To enhance the Port Configuration privilege level so users also can enter IP commands at the global CONFIG level, enter a command such as the following:
ServerIron(config)# privilege configure level 4 ip
In this command, configure specifies that the enhanced access is for a command at the global CONFIG level of the CLI. The level 4 parameter indicates that the enhanced access is for management privilege level 4 (Port Configuration). All users with Port Configuration privileges will have the enhanced access. The ip parameter indicates that the enhanced access is for the IP commands. Users who log in with valid Port Configuration level user names and passwords can enter commands that begin with “ip” at the global CONFIG level.
Syntax: [no] privilege <cli-level> level <privilege-level> <command-string>
The <cli-level> parameter specifies the CLI level and can be one of the following values:
exec – EXEC level; for example, ServerIron> or ServerIron#
configure – CONFIG level; for example, ServerIron(config)#
interface – Interface level; for example, ServerIron(config-if-6)#
virtual-interface – Virtual-interface level; for example, ServerIron(config-vif-6)#
rip-router – RIP router level; for example, ServerIron(config-rip-router)#
ospf-router – OSPF router level; for example, ServerIron(config-ospf-router)#
port-vlan – Port-based VLAN level; for example, ServerIron(config-vlan)#
protocol-vlan – Protocol-based VLAN level
The <privilege-level> indicates the number of the management privilege level you are augmenting. You can specify one of the following:
0 – Super User level (full read-write access)
4 – Port Configuration level
5 – Read Only level
The <command-string> parameter specifies the command you are allowing users with the specified privilege level to enter. To display a list of the commands at a CLI level, enter “?” at that level's command prompt.
Recovering from a Lost Password
NOTE: You can perform this procedure only from the console.
Recovery from a lost password requires direct access to a system console and a system reset. You configure the system to ignore the saved configuration and to boot with the system default. When the system comes up with the default configuration, use user name admin and password brocade to get access to the console. Change the user password, and the Super User password if necessary, save the configuration, and reload the device. Because this procedure needs nothing but the console, anyone with physical access to the console port can reset the passwords; physical console access is therefore equivalent to Super User access and should be protected accordingly.
To recover from a lost password, follow these steps:
1.
2.
3.
4.
Enter use default config at the prompt.
NOTE: You cannot abbreviate this command. This command causes the device to ignore saved config.
5.
Enter boot system flash primary at the prompt.
6.
After the login prompt appears, use user name admin and password brocade to gain access to the Exec Mode.
7.
Enter enable to gain access to the privileged mode.
8.
9.
Displaying the SNMP Community String
If you want to display the SNMP community string, enter the following commands:
ServerIron(config)# enable password-display
ServerIron(config)# show snmp server
The enable password-display command enables display of the community string, but only in the output of the show snmp server command; the string remains encrypted in the startup-config file and the running-config. Enter the command at the global CONFIG level of the CLI. The community string is the credential for SNMP access, so treat any terminal output or session log that contains it as sensitive.
Disabling Password Encryption
When you configure a password and then save the configuration to the ServerIron’s flash memory, the password is saved to flash as part of the configuration file. By default, passwords are encrypted in the configuration so that another user who displays the configuration file cannot read them. Even if someone observes the file while it is being transmitted over TFTP, which itself provides no confidentiality, the password is encrypted.
If you want to remove the password encryption, you can disable it by entering the following command. Once encryption is disabled, passwords appear in cleartext in the saved configuration and in any copy of it transferred over the network, so only do this if you have a specific reason to:
ServerIron(config)# no service password-encryption
Syntax: [no] service password-encryption
Specifying a Minimum Password Length
By default, the ServerIron imposes no minimum length on the Line (Telnet), Enable, or Local passwords. You can configure the device to require that Line, Enable, and Local passwords be at least a specified length.
For example, to specify that the Line, Enable, and Local passwords be at least 8 characters, enter the following command:
ServerIron(config)# enable password-min-length 8
Syntax: enable password-min-length <number-of-characters>
The <number-of-characters> can be from 1 – 48.
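The settings covered in this section (password encryption, the Super User and Telnet passwords, the minimum password length, and privilege augmentation) all show up as lines in the running-config, so a practitioner typically audits them by parsing a saved config rather than by reading it by eye. The following script is an added example and is not Brocade code; it assumes the config uses exactly the command forms shown on this page, the sample running-config in it is constructed for illustration, and the prefix-matching rule for augmented commands (a grant for ip covers “ip address …” but not “ipv6 …”) is an assumption drawn from the description above.

```python
"""Audit a ServerIron ADX running-config for the password settings
described in this section. Added example, not Brocade's own code."""
import re
from dataclasses import dataclass

# Constructed sample running-config; not captured from a real device.
SAMPLE_CONFIG = """\
ver 12.0.00
hostname ServerIron
no service password-encryption
enable super-user-password 8 $1$abcd
enable telnet password letmein
enable password-min-length 6
privilege configure level 4 ip
privilege configure level 5 ip
privilege exec level 5 show
"""

# Valid management privilege levels per the syntax on this page.
PRIV_LEVEL_NAMES = {0: "Super User", 4: "Port Configuration", 5: "Read Only"}
PRIV_RE = re.compile(r"^privilege\s+(\S+)\s+level\s+(\d+)\s+(.+?)\s*$")
MINLEN_RE = re.compile(r"^enable\s+password-min-length\s+(\d+)$")


@dataclass
class Finding:
    severity: str   # "high", "medium" or "info"
    message: str


def parse_privilege_lines(config):
    """Return (cli_level, privilege_level, command) for each
    'privilege <cli-level> level <n> <command>' line."""
    grants = []
    for raw in config.splitlines():
        m = PRIV_RE.match(raw.strip())
        if m:
            grants.append((m.group(1), int(m.group(2)), m.group(3)))
    return grants


def command_allowed_by_grant(grants, privilege_level, cli_level, command):
    """True if a privilege line augments privilege_level at cli_level for
    command. Assumption: the match is on leading whole words, so a grant
    for 'ip' covers 'ip address ...' but not 'ipv6 ...'."""
    for g_cli, g_level, g_cmd in grants:
        if g_cli != cli_level or g_level != privilege_level:
            continue
        if command == g_cmd or command.startswith(g_cmd + " "):
            return True
    return False


def audit(config, required_min_length=8):
    """Check the settings this section covers; return a list of Findings."""
    lines = [raw.strip() for raw in config.splitlines()]
    findings = []

    if "no service password-encryption" in lines:
        findings.append(Finding("high", "service password-encryption is disabled: "
                                "passwords are written to the config in cleartext"))
    if not any(l.startswith("enable super-user-password") for l in lines):
        findings.append(Finding("high", "no Super User password is set"))
    if not any(l.startswith("enable telnet password") for l in lines):
        findings.append(Finding("medium", "Telnet access to the CLI requires no password"))

    min_len = None
    for l in lines:
        m = MINLEN_RE.match(l)
        if m:
            min_len = int(m.group(1))
    if min_len is None or min_len < required_min_length:
        findings.append(Finding("medium", f"password-min-length is {min_len} "
                                f"(want at least {required_min_length})"))

    for cli, level, cmd in parse_privilege_lines(config):
        if level not in PRIV_LEVEL_NAMES:
            findings.append(Finding("medium", f"privilege line for unknown level {level}"))
        elif level == 0:
            findings.append(Finding("info", f"privilege {cli} level 0 {cmd}: Super User "
                                    "already has full access, so this line grants nothing"))
        elif level == 5 and cli != "exec":
            # Read Only users given a CONFIG-level command are no longer read-only.
            findings.append(Finding("high", f"Read Only level augmented with '{cmd}' at "
                                    f"the {cli} level: read-only users gain write access"))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f"[{f.severity}] {f.message}")
```

Run it against a config saved from the device (for example one copied off via TFTP) and review anything reported as high first; the Read Only augmentation check is the one most often missed by eye, because a single privilege line silently turns a read-only account into one that can change global configuration.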

Copyright © 2009 Brocade Communications Systems, Inc.