Article ID: 9757
Products
C5, C3, C2-Series
B5, B3, B2-Series
A2-Series
Goals
Overview of the SecureStack user login settings and limitations as of December 2010.
Solution
By default there are three login accounts created on the switch:
- ro for read only access
- rw for read write access
- admin for administrator access
The default password (5463) for all three accounts is blank (no password).
Change the password for any account with the 'set password <account>' command:
C2(su)->set password admin
Please enter new password:4support
Please re-enter new password:4support
Password Changed.
C2(su)->
This would change the password to '4support' for the admin super-user. Limits on the password are that you cannot use the exclamation point ("!") or the question mark ("?"); all other characters are permitted.
View the current accounts with the 'show system login' command:
C2(su)->show system login
Password history size: 0
Password aging : disabled
Username Access State
admin super-user enabled
ro read-Only enabled
rw read-write enabled
C2(su)->
Create a new login account, or modify an existing account's access or status, with the 'set system login <username> <access> <status>' command:
C2(su)->set system login Enterasys read-write enable
C2(su)->
This would permit a user named 'Enterasys' to log in using a blank password, for read-write access. Limits on the username are that you can only use letters (upper and/or lower case) and numbers (7707). The minimum is 1 and the maximum is 80 characters in length.
Optionally set the password at creation time by adding the 'password <password>' option onto the end of the command:
C2(su)->set system login Enterasys read-write enable password 4support
C2(su)->
This would permit a user named 'Enterasys' to log in using a password of '4support', for read-write access.
Remove a user account with the 'clear system login <username>' command:
C2(su)->clear system login Enterasys
C2(su)->
To restore a deleted account, it will need to be created again.
Create a super-user account using the standard command, except specifying "super-user" access:
C2(su)->set system login Enterasys super-user enable password 4support
C2(su)->
This would permit a user named 'Enterasys' to log in using a password of '4support', for super-user access.
Removing a user-created super-user account first requires changing its access to read-only or read-write:
C2(su)->set system login Enterasys super-user enable
C2(su)->clear system login Enterasys
Admin cannot be deleted
C2(su)->set system login Enterasys read-write enable
C2(su)->clear system login Enterasys
C2(su)->
The default "admin" account cannot be deleted or have its super-user access changed.
It can, however, be disabled with the 'set system login admin super-user disable' command (there must be at least one other user with super-user privileges before the admin user may be disabled):
C2(su)->set system login admin read-write enable
Incorrect access for this default user.
Set was unsuccessful.
C2(su)->set system login admin super-user disable
C2(su)->
The minimum password length may be adjusted to anywhere within the range of 0-40 with the 'set system password length <length>' command:
C2(su)->set system password length 4
C2(su)->set system login Enterasys read-write enable password 1234
C2(su)->
The default minimum password length is 8 characters, and the maximum is 80 characters.
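The username and password constraints stated above (letters and digits only, 1-80 characters for usernames; no "!" or "?", no more than 80 characters, and at least the configured minimum length for passwords) are easy to check before a command reaches the switch. The following Python script is an added example written for this article, not firmware code or an Enterasys tool: it encodes those rules as validators and assembles the 'set system login' line only when the inputs would pass them. The function names, the default of 8 for the minimum length, and the account names used in the sample calls are the example's own choices.

```python
import re

# Login-name and password constraints as stated in the article. The
# minimum password length is the switch's configured value: 8 by default,
# adjustable from 0 to 40 with 'set system password length'.
USERNAME_MAX_LEN = 80
USERNAME_RE = re.compile(r"^[A-Za-z0-9]+$")      # letters and digits only
FORBIDDEN_PASSWORD_CHARS = frozenset("!?")       # the two rejected characters
PASSWORD_MAX_LEN = 80
DEFAULT_MIN_PASSWORD_LEN = 8
ACCESS_LEVELS = ("read-only", "read-write", "super-user")


def validate_username(name):
    """Return a list of problems; an empty list means the name is acceptable."""
    problems = []
    if not 1 <= len(name) <= USERNAME_MAX_LEN:
        problems.append(f"username must be 1 to {USERNAME_MAX_LEN} characters")
    elif not USERNAME_RE.match(name):
        problems.append("username may contain only letters and digits")
    return problems


def validate_password(password, min_length=DEFAULT_MIN_PASSWORD_LEN):
    """Check a candidate password against the character and length rules."""
    problems = []
    bad = sorted(FORBIDDEN_PASSWORD_CHARS.intersection(password))
    if bad:
        problems.append("password must not contain: " + " ".join(bad))
    if len(password) < min_length:
        problems.append(f"password is shorter than the configured minimum ({min_length})")
    if len(password) > PASSWORD_MAX_LEN:
        problems.append(f"password is longer than {PASSWORD_MAX_LEN} characters")
    return problems


def build_login_command(username, access, password=None, status="enable",
                        min_length=DEFAULT_MIN_PASSWORD_LEN):
    """Assemble a 'set system login' line, refusing inputs the switch would
    reject or that would create a weaker account than intended.

    password=None reproduces the article's blank-password form; pass a
    string to append the 'password <password>' option.
    """
    problems = validate_username(username)
    if access not in ACCESS_LEVELS:
        problems.append(f"access must be one of {', '.join(ACCESS_LEVELS)}")
    if status not in ("enable", "disable"):
        problems.append("status must be 'enable' or 'disable'")
    if password is not None:
        problems.extend(validate_password(password, min_length))
    if problems:
        raise ValueError("; ".join(problems))
    command = f"set system login {username} {access} {status}"
    if password is not None:
        command += f" password {password}"
    return command


if __name__ == "__main__":
    # Mirrors the article's examples: a read-write account with and without a password.
    print(build_login_command("Enterasys", "read-write", "4support"))
    print(build_login_command("Enterasys", "read-write"))
    for candidate in ("4support", "pass!word?", "1234"):
        print(candidate, "->", validate_password(candidate) or "ok")
```

Because the switch's own minimum can be lowered to 0, the validator takes the configured value as a parameter; pass the value currently set on the device so the check matches what the CLI will enforce, and keep it at the default or higher unless there is a specific reason not to.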
Force non-admin users to change their passwords at a set interval with the 'set system password aging <days>' command.
Force changed passwords to be non-duplicates of earlier passwords with the 'set system password history <size>' command:
C2(su)->set system password aging 365
C2(su)->set system password history 10
C2(su)->
The default aging is disabled, and it can be adjusted within the range of 1-365 days. The default history size is 0, and it can be adjusted within the range of 0 (repetition is allowed) to 10 (the last 10 passwords must be unique).
Returning the password aging and history settings to defaults:
C2(su)->set system password aging disable
C2(su)->set system password history 0
C2(su)->
Set the system to lock an account after a number of failed login attempts with the 'set system lockout [attempts <attempts>] [time <minutes>]' command:
C2(su)->set system lockout attempts 2 time 10
C2(su)->show system lockout
Lockout attempts: 2
Lockout time: 10 minutes.
C2(su)->set system lockout attempts 5
C2(su)->set system lockout time 5
C2(su)->show system lockout
Lockout attempts: 5
Lockout time: 5 minutes.
C2(su)->
The default number of attempts is 3, and it can be adjusted within the range of 1-15. The default lockout time is 15 minutes, and it can be adjusted within the range of 0 (lock out the account until super-user intervention) to 65535 minutes (about 45 days).
Investigate a non-functioning (apparently locked) account from another account with the 'show system login' command, and manually re-enable it from a super-user access account with the 'set system login <username> <access> enable' command:
C2(su)->show system login
Password history size: 0
Password aging : disabled
Username Access State
admin super-user enabled
ro read-Only disabled
rw read-write enabled
C2(su)->set system login ro read-only enable
C2(su)->
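The 'show system login' output above is the only place the lockout state and the password policy are visible together, so it is worth parsing rather than reading by eye. The following Python script is an added example written for this article, not Enterasys code: it parses that output into policy settings and account rows, flags a history size of 0 and disabled aging as weak settings, warns if no super-user account is enabled, and for each disabled account prints the exact re-enable command shown above, built from the access level in the table. The two sample outputs are constructed to match the article's transcript format and are not captured from a real switch.

```python
import re

# Constructed sample, modelled on the article's 'show system login' transcript
# (not captured from a real switch): the 'ro' account is disabled, which is
# what a lockout looks like from another session.
SAMPLE_LOGIN_OUTPUT = """\
Password history size: 0
Password aging : disabled
Username Access State
admin super-user enabled
ro read-Only disabled
rw read-write enabled
"""

# Same constructed format after 'set system password history 10' and re-enabling 'ro'.
HARDENED_LOGIN_OUTPUT = """\
Password history size: 10
Password aging : disabled
Username Access State
admin super-user enabled
ro read-Only enabled
rw read-write enabled
"""

HISTORY_RE = re.compile(r"^Password history size\s*:\s*(\d+)$")
AGING_RE = re.compile(r"^Password aging\s*:\s*(.+)$")


def parse_system_login(text):
    """Split 'show system login' output into policy settings and account rows."""
    settings = {"history": None, "aging": None}
    accounts = []
    in_table = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("C2(su)->"):
            continue               # blank lines and echoed prompts
        if line.startswith("Username"):
            in_table = True        # header row: 'Username Access State'
            continue
        if in_table:
            parts = line.split()
            if len(parts) == 3:
                accounts.append({"username": parts[0],
                                 "access": parts[1].lower(),   # 'read-Only' -> 'read-only'
                                 "state": parts[2].lower()})
            continue
        m = HISTORY_RE.match(line)
        if m:
            settings["history"] = int(m.group(1))
            continue
        m = AGING_RE.match(line)
        if m:
            settings["aging"] = m.group(1).strip().lower()
    return settings, accounts


def audit_system_login(text):
    """Return human-readable findings: weak policy settings and disabled accounts.

    For a disabled account the finding includes the re-enable command from
    the article, built from the access level shown in the table.
    """
    settings, accounts = parse_system_login(text)
    findings = []
    if settings["history"] == 0:
        findings.append("password history size is 0: users may reuse old passwords")
    if settings["aging"] == "disabled":
        findings.append("password aging is disabled: passwords never expire")
    if not any(a["access"] == "super-user" and a["state"] == "enabled" for a in accounts):
        findings.append("no enabled super-user account")
    for a in accounts:
        if a["state"] != "enabled":
            findings.append(
                f"account '{a['username']}' is disabled (lockout or administrative); "
                f"re-enable with: set system login {a['username']} {a['access']} enable")
    return findings


if __name__ == "__main__":
    for finding in audit_system_login(SAMPLE_LOGIN_OUTPUT):
        print("-", finding)
```

The parser lowercases the access column because the table prints 'read-Only' while the command syntax expects 'read-only'; the state column does not distinguish a lockout from an account disabled on purpose, so the finding says so and the operator decides whether re-enabling is appropriate.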
See also: 5628.