|
|
The commands shown in this chapter apply to the Catalyst 8540 MSR, Catalyst 8510 MSR, and LightStream 1010. Where an entire command or certain attributes of a command have values specific to a particular switch, an exception is indicated by the following callouts:
To establish a username-based authentication system at login, even though your network cannot support a TACACS service, use the username global configuration command.
username name [access-class access-class-num]
name | Specifies the username to which this command applies. The name argument can only be one word. White spaces and quotation marks are not allowed. |
access-class-num | Specifies an outgoing access list that overrides the access list specified in the access-class line configuration command; used for the duration of that session. |
command | Specifies a command to be issued automatically after the user logs in. When the command is complete, the session is terminated. Because the command can be any length and contain embedded spaces, commands using the autocommand keyword must be the last option on the line. |
dialstring | Specifies a dialback string for connections initiated by the user. |
line | Specifies a line to associate with this callback. |
group | Specifies a rotary group to associate with this callback. |
nocallback-verify | Does not require authentication after callback. |
noescape | Prevents a user from using an escape character on the host where the user is connected. |
nohangup | Prevents the communication server from disconnecting the user after an automatic command (set up with the autocommand keyword) is complete. Instead, the user gets another login prompt. |
dnis | No password is required for this user when obtained via DNIS. |
nopassword | No password is required for this user to log in. This is usually most useful in combination with the autocommand keyword. |
encryption-type | A one-digit number that defines whether the text immediately following is encrypted, and what type of encryption is used. Currently defined encryption types are 0 ( the text immediately following is not encrypted), and 7 (the text is encrypted using an encryption algorithm defined by Cisco). |
password | A password can contain embedded spaces and must be the last option specified in the username command. |
level | Sets the user privilege level. |
Global configuration
The username command provides username/password authentication for login purposes only.
(Note that it does not provide username/password authentication for enable mode when the enable use-tacacs command is also used.)
Multiple username commands can be used to specify options for a single user.
Add a username entry for each remote system that the local switch communicates with and requires authentication from. The remote device must have a username entry for the local switch. This entry must have the same password as the local switch's entry for that remote device.
This command can be useful for defining usernames that get special treatment, for example, an "info" username that does not require a password but connects the user to a general-purpose information service.
The username command is also required as part of the configuration for the CHAP. For each remote system that requires authentication from the local switch communicates, add a username entry.
If there is no secret specified and debug serial-interface is enabled, an error is displayed when an interface is established and the CHAP challenge is not implemented. Debugging information on CHAP is available using the debug serial-interface and debug serial-packet commands. For more information about debug commands, refer to the Debug Command Reference publication.
To implement a service similar to the UNIX who command, which can be entered at the login prompt and lists the current users of the switch, the username command takes the following form.
Switch# username who nopassword nohangup autocommand show users
To implement an information service that does not require a password, the command takes the following form.
Switch# username info nopassword noescape autocommand telnet nic.ddn.mil
To implement an ID that works even if all TACACS servers go down, the command takes the following form.
Switch# username superuser password superpassword
The following example configuration enables CHAP on interface serial 0. It also defines a password for local server Adam and remote server Eve.
Switch# configure terminal Switch(config)# hostname Adam Switch(config)# interface serial 0 Switch(config-if)# encapsulation ppp Switch(config-if)# ppp authentication chap Switch(config-if)# end Switch(config)# username Adam password oursystem Switch(config)# username Eve password theirsystem
When you look at your configuration file, the passwords are encrypted and the display looks similar to the following output.
Switch# configure terminal Switch(config)# hostname Adam Switch(config)# interface serial 0 encapsulation ppp Switch(config-if)# ppp authentication chap Switch(config-if)# end Switch(config)# username Adam password 7 1514040356 Switch(config)# username Eve password 7 121F0A18
Posted: Mon May 8 18:41:11 PDT 2000
Copyright 1989 - 2000©Cisco Systems Inc.