The first time that you log in to your switch through the console, you have to use the default username and password, which is cisco. You are then prompted to enter and configure a new password for the Cisco account. Password complexity is enabled by default. If the password that you choose is not complex enough, you are prompted to create another password.
Since passwords are used to authenticate users accessing the device, simple passwords are potential security hazards. Therefore, password complexity requirements are enforced by default and may be configured as necessary.
This article provides instructions on how to define basic password settings, line password, enable password, service password recovery, password complexity rules on the user accounts, and password aging settings on your switch through the Command Line Interface (CLI).
Note: You have the option to configure the password strength and complexity settings through the web-based utility of the switch as well. click here for instructions.
From the options below, choose the password settings that you want to configure:
Configure Basic Password Settings
Configure Line Password Settings
Configure Enable Password Settings
Configure Service Password Recovery Settings
Configure Password Complexity Settings
Configure Password Aging Settings
Step 1. Log in to the switch console. The default username and password is cisco.
Note: The available commands or options may vary depending on the exact model of your device. In this example, the SG350X switch is used.
Step 2. You will be prompted to configure new password for better protection of your network. Press Y for Yes or N for No on your keyboard.
Note: In this example, Y is pressed.
Step 3. Enter the old password then press Enter on your keyboard.
Step 4. Enter and confirm the new password accordingly then press Enter on your keyboard.
Step 5. Enter Privileged EXEC mode with the enable command. In the Privileged EXEC mode of the switch, save the configured settings to the startup configuration file, by entering the following:
SG350X#copy running-config startup-configStep 6. (Optional) Press Y for Yes or N for No on your keyboard once the Overwrite file [startup-config]… prompt appears.
You should now have configured the basic password settings on your switch through the CLI.
Step 1. Log in to the switch console. The default username and password is cisco. If you have configured a new username or password, enter those credentials instead.
Step 2. In the Privileged EXEC mode of the switch, enter the Global Configuration mode by entering the following:
SG350X#configure terminalStep 3. To configure a password on a line such as console, Telnet, Secure Shell (SSH), and so on, enter the password Line Configuration mode by entering the following:
SG350X(config)#line [line-name]Note: In this example, the line used is Telnet.
Step 4. Enter the password command for the line by entering the following:
SG350X(config-line)#password [password][encrypted]The options are:
Note: In this example, the password Cisco123$ is specified for the Telnet line.
Step 5. (Optional) To return the line password to the default password, enter the following:
SG350X(config-line)#no passwordStep 6. Enter the end command to go back to the Privileged EXEC mode of the switch.
SG350X(config)#endStep 7. (Optional) In the Privileged EXEC mode of the switch, save the configured settings to the startup configuration file, by entering the following:
SG350X#copy running-config startup-configStep 8. (Optional) Press Y for Yes or N for No on your keyboard once the Overwrite file [startup-config]… prompt appears.
You should now have configured the line password settings on your switch through the CLI.
When you configure a new enable password, it is automatically encrypted and saved to the running configuration file. No matter how the password was entered, it will appear in the running configuration file with the keyword encrypted together with the encrypted password.
Follow these steps to configure the enable password settings on your switch through the CLI:
Step 1. Log in to the switch console. The default username and password is cisco. If you have configured a new username or password, enter those credentials instead.
Step 2. In the Privileged EXEC mode of the switch, enter the Global Configuration mode by entering the following:
SG350X#configure terminalStep 3. To configure a local password on specific user access levels on your switch, enter the following:
SG350X(config)#enable password [level privilege-level] [unencrypted-password | encrypted encrypted-password]The options are:
- Read-Only CLI Access (1) — User cannot access the GUI, and can only access CLI commands that do not change the device configuration.
- Read/Limited Write CLI Access (7) — User cannot access the GUI, and can only access some CLI commands that change the device configuration. See the CLI Reference Guide for more information.
- Read/Write Management Access (15) — User can access the GUI, and can configure the device.
SG350X(config)#enable password level 7 Cisco123$Note: In this example, the password Cisco123$ is set for the level 7 user account.
Note: In this example, the password Cisco123$ is used.
Note: In this example, the encrypted password used is 6f43205030a2f3a1e243873007370fab. This is the encrypted version of Cisco123$.
Note: In the above example, the enable password Cisco123$ is set for the level 7 access.
Step 4. (Optional) To return the user password to the default password, enter the following:
SG350X(config)#no enable passwordStep 5. Enter the exit command to go back to the Privileged EXEC mode of the switch.
SG350X(config)#exitStep 6. (Optional) In the Privileged EXEC mode of the switch, save the configured settings to the startup configuration file, by entering the following:
SG350X#copy running-config startup-configStep 7. (Optional) Press Y for Yes or N for No on your keyboard once the Overwrite file [startup-config]… prompt appears.
You should now have configured the enable password settings on your switch through the CLI.
The service password recovery mechanism provides you with physical access to the console port of the device with the following conditions:
Service password recovery is enabled by default. Follow these steps to configure the service password recovery settings on your switch through the CLI:
Step 1. Log in to the switch console. The default username and password is cisco. If you have configured a new username or password, enter those credentials instead.
Step 2. In the Privileged EXEC mode of the switch, enter the Global Configuration mode by entering the following:
SG350X#configure terminalStep 3. (Optional) To enable the password recovery setting on the switch, enter the following:
SG350X#service password-recoveryStep 4. (Optional) To disable the password recovery setting on the switch, enter the following:
SG350X#no service password-recoveryStep 5. (Optional) Press Y for Yes or N for No on your keyboard once prompt below appears.
Note: In this example, Y is pressed.
Step 6. Enter the exit command to go back to the Privileged EXEC mode of the switch.
SG350X(config)#exitStep 7. (Optional) In the Privileged EXEC mode of the switch, save the configured settings to the startup configuration file, by entering the following:
SG350X#copy running-config startup-configStep 8. (Optional) Press Y for Yes or N for No on your keyboard once the Overwrite file [startup-config]… prompt appears.
You should now have configured the password recovery settings on your switch through the CLI.
The password complexity settings of the switch enable complexity rules for passwords. If this feature is enabled, new passwords must conform to the following default settings:
You can control the above attributes of password complexity with specific commands. If you have previously configured other complexity settings, then those settings are used.
This feature is enabled by default. Follow these steps to configure the password complexity settings on your switch through the CLI:
Step 1. Log in to the switch console. The default username and password is cisco. If you have configured a new username or password, enter those credentials instead.
Step 2. In the Privileged EXEC mode of the switch, enter the Global Configuration mode by entering the following:
SG350X#configure terminalStep 3. (Optional) To enable the password complexity settings on the switch, enter the following:
SG350X(config)#passwords complexity enableStep 4. (Optional) To disable the password complexity settings on the switch, enter the following:
SG350X(config)#no passwords complexity enableStep 5. (Optional) To configure the minimum requirements for a password, enter the following:
SG350X(config)#passwords complexity [min-length number] [min-classes number] [not-current] [no-repeat number] [not-username] [not manufacturer-name]The options are:
Note: These commands do not wipe out the other settings. Configuring the passwords complexity settings only work as a toggle.
Note: In this example, the password complexity is set to at least 9 characters, cannot repeat or reverse the user name, and cannot be the same as the current password.
Step 6. Enter the exit command to go back to the Privileged EXEC mode of the switch.
SG350X(config)#exitStep 7. (Optional) In the Privileged EXEC mode of the switch, save the configured settings to the startup configuration file, by entering the following:
SG350X#copy running-config startup-configStep 8. (Optional) Press Y for Yes or N for No on your keyboard once the Overwrite file [startup-config]… prompt appears.
You should now have configured the password complexity settings on your switch through the CLI.
To show the password configuration settings on the CLI of your switch, skip to Show Passwords Configuration Settings.
Aging is relevant only to users of the local database with privilege level 15 and to configured enable passwords of privilege level 15. The default configuration is 180 days.
Follow these steps to configure the password aging settings on your switch through the CLI:
Step 1. Log in to the switch console. The default username and password is cisco. If you have configured a new username or password, enter those credentials instead.
Step 2. In the Privileged EXEC mode of the switch, enter the Global Configuration mode by entering the following:
SG350X#configure terminalStep 3. To specify the password aging setting on the switch, enter the following:
SG350X(config)#passwords aging [days]Note: In this example, the password aging is set to 60 days.
Step 4. (Optional) To disable password aging on the switch, enter the following:
SG350X(config)#no passwords aging 0Step 5. (Optional) To return the password aging to the default setting, enter the following:
SG350X(config)#no passwords aging [days]Step 6. Enter the exit command to go back to the Privileged EXEC mode of the switch.
SG350X(config)#exitStep 7. (Optional) In the Privileged EXEC mode of the switch, save the configured settings to the startup configuration file, by entering the following:
SG350X#copy running-config startup-configStep 8. (Optional) Press Y for Yes or N for No on your keyboard once the Overwrite file [startup-config]… prompt appears.
You should now have configured the password aging settings on your switch through the CLI.
To show the password configuration settings on the CLI of your switch, skip to Show Passwords Configuration Settings.
Aging is relevant only to users of the local database with privilege level 15 and to configured enable passwords of privilege level 15. The default configuration is 180 days.
Step 1. In the Privileged EXEC mode of the switch, enter the following:
SG350X(config)#show passwords configuration