Security Configuration Command Reference

This command creates a text description stored in the configuration file for a configuration context. This command associates a text string with a configuration context to help identify the context in the configuration file.

The no form of the command removes the string.

The shutdown command administratively disables the entity. When disabled, an entity does not change, reset, or remove any configuration settings or statistics. Many entities must be explicitly enabled using the no shutdown command. The operational state of the entity is disabled as well as the operational state of any entities contained within. Many objects must be shut down before they may be deleted.

The no form of the command puts an entity into the administratively enabled state.

This command creates the context to configure security settings.

Security commands manage user profiles and user membership. Security commands also manage user login registrations.

This command enables FTP servers running on the system.

FTP servers are disabled by default. At system startup, only SSH server are enabled.

The no form of the command disables FTP servers running on the system.

Whenever the user executes a save or info command, the system will encrypt all passwords, MD5 keys, etc., for security reasons. At present, two algorithms exist.

The first algorithm is a simple, short key that can be copied and pasted in a different location when the user wants to configure the same password. However, because it is the same password and the hash key is limited to the password/key, even the casual observer will notice that it is the same key.

The second algorithm is a more complex key, and cannot be copied and pasted in different locations in the configuration file. In this case, if the same key or password is used repeatedly in different contexts, each encrypted (hashed) version will be different.

This command enables CPM hardware queuing per peer. This means that when a peering session is established, the router will automatically allocate a separate CPM hardware queue for that peer.

The no form of the command disables CPM hardware queuing per peer.

This command specifies the source address that should be used in all unsolicited packets sent by the application.

This feature only applies on inband interfaces and does not apply on the out of band management interface. Packets going out the management interface will keep using that as source IP address. In other words, when the RADIUS server is reachable through both the management interface and a network interface, the management interface is used despite whatever is configured under the source-address statement.

When a source address is specified for the ptp application, the port-based 1588 hardware timestamping assist function will be applied to PTP packets matching the IPv4 address of the router interface used to ingress the SR/ESS or IP address specified in this command. If the IP address is removed, then the port-based 1588 hardware timestamping assist function will only be applied to PTP packets matching the IPv4 address of the router interface.

This command specifies the use of the source IP address specified by the source-address command.

This command specifies the application to use the source IPv6 address specified by the source-address command.

This command enables Telnet servers running on the system.

Telnet servers are off by default. At system startup, only SSH servers are enabled.

Telnet servers in networks limit a Telnet clients to three retries to login. The Telnet server disconnects the Telnet client session after three retries.

The no form of the command disables Telnet servers running on the system.

This command enables Telnet IPv6 servers running on the system and only applies to the 7750 SR and 7950 XRS.

Telnet servers are off by default. At system startup, only SSH server are enabled.

The no form of the command disables Telnet IPv6 servers running on the system.

This command configures the rate to limit ICMP replies to packets with label TTL expiry received within all VPRN sentences in the system and from all network IP interfaces. This includes labeled user packets, ping and traceroute packets within VPRN.

This feature currently also limits the same packets when received within the context of an LSP shortcut.

This feature does not rate limit MPLS and service OAM packets (vprn-ping, vprn-trace, lsp-ping, lsp-trace, vccv-ping, and vccv-trace).

The no form of the command disables the rate limiting of the reply to these packets.

This feature only applies to the 7750 SR and 7950 XRS.

This command enables the context to configure system-wide Link Layer Discovery Protocol parameters.

This command configures the duration of the fast transmission period.

This command configures the number of LLDPDUs to send during the fast transmission period.

This command configures the minimum time between change notifications.

This command configures the time before re-initializing LLDP on a port.

This command configures the maximum consecutive LLDPDUs transmitted.

This command configures the multiplier of the tx-interval.

This command configures the LLDP transmit interval time.

This command enables the exponential-backoff of the login prompt. The exponential-backoff command is used to deter dictionary attacks, when a malicious user can gain access to the CLI by using a script to try admin with any conceivable password.

The no form of the command disables exponential-backoff.

This command creates the context to configure FTP login control parameters.

This command configures the idle timeout for FTP, console, or Telnet sessions before the session is terminated by the system.

By default, an idle FTP, console, SSH or Telnet session times out after 30 minutes of inactivity. This timer can be set per session.

The no form of the command reverts to the default value.

This command configures the maximum number of concurrent inbound FTP sessions.

This value is the combined total of inbound and outbound sessions.

The no form of the command reverts to the default value.

This parameter limits the number of inbound Telnet and SSH sessions. A maximum of 30 telnet and ssh connections can be established to the router. The local serial port cannot be disabled.

Telnet and SSH maximum sessions can also use the combined total of both inbound sessions (SSH+Telent). While it is acceptable to continue to internally limit the combined total of SSH and Telnet sessions to N, either SSH or Telnet sessions can use the inbound maximum sessions, if so required by the Operator.

The no form of the command reverts to the default value.

This command enables or disables the display of a login banner. The login banner contains the SR OS copyright and build date information for a console login attempt.

The no form of the command causes only the configured pre-login-message and a generic login prompt to display.

This command creates the context to configure the session control for console, Telnet and FTP.

This command creates the message of the day displayed after a successful console login. Only one message can be configured.

The no form of the command removes the message.

This parameter limits the number of outbound Telnet and SSH sessions. A maximum of 15 telnet and ssh connections can be established from the router. The local serial port cannot be disabled.

The no form of the command reverts to the default value.

This command creates a message displayed prior to console login attempts on the console via Telnet.

Only one message can be configured. If multiple pre-login-messages are configured, the last message entered overwrites the previous entry.

It is possible to add the name parameter to an existing message without affecting the current pre-login-message.

The no form of the command removes the message.

This command enables the context to configure the SSH parameters.

This command enables configuration the list of allowed ciphers by the SSH client.

This command enables configuration of a cipher. Client-ciphers are used when the SR OS is acting as an SSH client. Server-ciphers are used when the SR OS is acting as an SSH server.

This command enables graceful shutdown of SSH sessions.

The no form of the command disables graceful shutdown of SSH sessions.

After enabling this command, private keys, public keys, and host key file will be saved by the server. It is restored following a system reboot or the ssh server restart.

The no form of the command specifies that the keys will be held in memory by the SSH server and is not restored following a system reboot.

This command enables configuration the list of allowed ciphers by the SSH server.

This command enables the SSH servers running on the system.

Specifies the SSH protocol version that will be supported by the SSH server.

This command creates the context to configure the Telnet login control parameters.

This command enables graceful shutdown of telnet sessions.

The no form of the command disables graceful shutdown of telnet sessions.

This command creates the context to edit management access filters and to reset match criteria.

Management access filters control all traffic in and out of the CPM. They can be used to restrict management of the router by other nodes outside either specific (sub)networks or through designated ports.

Management filters, as opposed to other traffic filters, are enforced by system software.

The no form of the command removes management access filters from the configuration.

This command enables the context to configure management access IP filter parameters.

This command enables the context to configure management access IPv6 filter parameters. This command only applies to the 7750 SR and 7950 XRS.

This command configures a management access MAC-filter.

This command creates the action associated with the management access filter match criteria entry.

The action keyword is required. If no action is defined, the filter is ignored. If multiple action statements are configured, the last one overwrites previous configured actions.

If the packet does not meet any of the match criteria the configured default action is applied.

This command creates the default action for management access in the absence of a specific management access filter match.

The default-action is applied to a packet that does not satisfy any match criteria in any of the management access filters. Whenever management access filters are configured, the default-action must be defined.

This command configures a source TCP or UDP port number or port range for a management access filter match criterion.

The no form of the command removes the source port match criterion.

This command is used to create or edit a management access IP(v4), IPv6, or MAC filter entry. Multiple entries can be created with unique entry-id numbers. The OS exits the filter upon the first match found and executes the actions according to the respective action command. For this reason, entries must be sequenced correctly from most to least explicit.

An entry may not have any match criteria defined (in which case, everything matches) but must have at least the keyword action defined to be considered complete. Entries without the action keyword are considered incomplete and inactive.

The no form of the command removes the specified entry from the management access filter.

This command configures flow label match conditions. Flow labeling enables the labeling of packets belonging to particular traffic flows for which the sender requests special handling, such as non-default quality of service or real-time service. This command only applies to the 7750 SR and 7950 XRS.

This command enables match logging. When enabled, matches on this entry will cause the Security event mafEntryMatch to be raised.

This command specifies the next header to match. The protocol type such as TCP, UDP or OSPF is identified by its respective protocol number. Well-known protocol numbers include ICMP(1), TCP(6), UDP(17). IPv6 Extension headers are identified by the next header IPv6 numbers as per RFC2460. This command only applies to the 7750 SR and 7950 XRS.

This command configures an IP protocol type to be used as a management access filter match criterion.

The protocol type, such as TCP, UDP, and OSPF, is identified by its respective protocol number. Well-known protocol numbers include ICMP (1), TCP (6), and UDP (17).

The no form the command removes the protocol from the match criteria.

This command configures a TCP/UDP source or destination port match criterion in IPv4 and IPv6 CPM filter policies. A packet matches this criterion if packet’s TCP/UDP (as configured by protocol/next-header match) source OR destination port matches either the specified port value or a port in the specified port range or port list.

This command is mutually exclusive with src-port and dst-port commands.

The no form of this command deletes the specified port match criterion.

This command configures a router name or service ID to be used as a management access filter match criterion.

The no form the command removes the router name or service ID from the match criteria.

This command renumbers existing management access filter entries for an IP(v4), IPv6, or MAC filter to re-sequence filter entries.

The exits on the first match found and executes the actions in accordance with the accompanying action command. This may require some entries to be re-numbered differently from most to least explicit.

This command disables the management-access-filter.

This command configures math criteria for this MAC filter entry.

This command specifies the type of opcode checking to be performed.

If the cfm-opcode match condition is configured then a check must be made to see if the Ethertype is either IEEE802.1ag or Y1731. If the Ethertype does not match then the packet is not CFM and no match to the cfm-opcode is attempted.

The CFM (ieee802.1ag or Y1731) opcode can be assigned as a range with a start and an end number or with a (less than lt, greater than gt, or equal to eq) operator.

If no range with a start and an end or operator (lt, gt, eq) followed by an opcode with the value between 0 and 255 is defined then the command is invalid.

Table 13 lists the opcode values.

Defined by ITU-T Y.1731 32 - 63

Defined by IEEE 802.1. 64 - 255

This command configures Dot1p match conditions.

This command configures dsap match conditions.

This command configures the destination MAC match condition.

Configures an Ethernet type II Ethertype value to be used as a MAC filter match criterion.

The Ethernet type field is a two-byte field used to identify the protocol carried by the Ethernet frame. For example, 0800 is used to identify the IPv4 packets.

The Ethernet type field is used by the Ethernet version-II frames. IEEE 802.3 Ethernet frames do not use the type field. For IEEE 802.3 frames, use the dsap, ssap or snap-pid fields as match criteria.

The snap-pid field, etype field, ssap and dsap fields are mutually exclusive and may not be part of the same match criteria. Refer to the Router Configuration Guide for information about MAC Match Criteria Exclusivity Rules fields that are exclusive based on the frame format.

The no form of the command removes the previously entered etype field as the match criteria.

This command configures an IEEE 802.3 LLC SNAP Ethernet Frame OUI zero or non-zero value to be used as a MAC filter match criterion.

The no form of the command removes the criterion from the match criteria.

This command configures an IEEE 802.3 LLC SNAP Ethernet Frame PID value to be used as a MAC filter match criterion.

This is a two-byte protocol id that is part of the IEEE 802.3 LLC SNAP Ethernet Frame that follows the three-byte OUI field.

The snap-pid field, etype field, ssap and dsap fields are mutually exclusive and may not be part of the same match criteria. Refer to the Router Configuration Guide for information about MAC Match Criteria Exclusivity Rules fields that are exclusive based on the frame format.

Note: The snap-pid match criterion is independent of the OUI field within the SNAP header. Two packets with different three-byte OUI fields but the same PID field will both match the same filter entry based on a snap-pid match criteria.

The no form of the command removes the snap-pid value as the match criteria.

This command configures a source MAC address or range to be used as a MAC filter match criterion.

The no form of the command removes the source mac as the match criteria.

This command configures an Ethernet 802.2 LLC SSAP value or range for a MAC filter match criterion.

This is a one-byte field that is part of the 802.2 LLC header of the IEEE 802.3 Ethernet Frame.

The snap-pid field, etype field, ssap and dsap fields are mutually exclusive and may not be part of the same match criteria. Refer to the Router Configuration Guide for information about MAC Match Criteria Exclusivity Rules fields that are exclusive based on the frame format.

The no form of the command removes the ssap match criterion.

This command specifies an existing svc-id to use as a match condition.

This command restricts ingress management traffic to either the CPMCCM Ethernet port or any other logical port (for example LAG) on the device.

When the source interface is configured, only management traffic arriving on those ports satisfy the match criteria.

The no form of the command reverts to the default value.

This command configures a source IP address range prefix to be used as a management access filter match criterion.

The no form of the command removes the source IP address match criterion.

This command configures a source IPv6 address range prefix to be used as a management access filter match criterion. This command only applies to the 7750 SR and 7950 XRS.

The no form of the command removes the source IPv6 address match criterion.

This command creates the context to configure password management parameters.

This command allows a user (with admin permissions) to configure a password which enables a user to become an administrator.

This password is valid only for one session. When enabled, no authorization to TACACS+ or RADIUS is performed and the user is locally regarded as an admin user.

This functionality can be enabled in two contexts:

config>system>security>password>admin-password

<global> enable-admin

If the admin-password is configured in the config>system>security>password context, then any user can enter the special mode by entering the enable-admin command. For more information, see the description for the   command.

enable-admin is in the default profile. By default, all users are given access to this command.

Once the enable-admin command is entered, the user is prompted for a password. If the password matches, user is given unrestricted access to all the commands.

The minimum length of the password is determined by the minimum-length command. The complexity requirements for the password is determined by the complexity command.

Note: The password argument of this command is not sent to the servers. This is consistent with other commands that configure secrets.

The usernames and passwords in the FTP and TFTP URLs will not be sent to the authorization or accounting servers when the file>copy source-url dest-url command is executed.

For example:

file copy ftp://test:secret@131.12.31.79/test/srcfile cf1:\destfile

In this example, the username 'test' and password 'secret' will not be sent to the AAA servers (or to any logs). They will be replaced with '****'.

The no form of the command removes the admin password from the configuration.

Refer to the description for the   command. If the admin-password is configured in the config>system>security>password context, then any user can enter the special administrative mode by entering the   command.

enable-admin is in the default profile. By default, all users are given access to this command.

Once the enable-admin command is entered, the user is prompted for a password. If the password matches, user is given unrestricted access to all the commands.

The minimum length of the password is determined by the minimum-length command. The complexity requirements for the password is determined by the complexity command.

There are two ways to verify that a user is in the enable-admin mode:

This command configures the number of days a user password is valid before the user must change their password. This parameter can be used to force the user to change the password at the configured interval.

The no form of the command reverts to the default value.

This command configures a threshold value of unsuccessful login attempts allowed in a specified time frame.

If the threshold is exceeded, the user is locked out for a specified time period.

If multiple attempts commands are entered, each command overwrites the previously entered command.

The no attempts command resets all values to default.

This command configures the sequence in which password authentication, authorization, and accounting is attempted among local passwords, RADIUS, TACACS+, and LDAP.

The authentication order should be from the most preferred authentication method to the least preferred. The presence of all methods in the command line does not guarantee that they are all operational. Specifying options that are not available delays user authentication.

If all (operational) methods are attempted and no authentication for a particular login has been granted, then an entry in the security log documents the failed attempt. Both the attempted login identification and originating IP address are logged with the a timestamp.

The no form of the command reverts to the default authentication sequence.

This command defines a list of rules for configurable password options.

The user name is allowed to be used as part of the password.

The no form of the command does not allow user name to be used as password.

The maximum credits given for usage of the different character classes in the local passwords.

The no form of the command resets to default.

Force the use of at least this many different character classes

The no form of the command resets to default.

This command configures the minimum number of characters required for locally administered passwords, HMAC-MD5-96, HMAC-SHA-96, and des-keys configured in the system security section.

If multiple minimum-length commands are entered each command overwrites the previous entered command.

The no form of the command reverts to default value.

The number of times a characters can be repeated consecutively.

The no form of the command resets to default.

Force the minimum number of different character classes required.

The no form of the command resets to default.

This command configures the password which enables the user to configure dynamic services.

Enable the user to become a system administrator.

When tacplus-map-to-priv-lvl is enabled, and tacplus authorization is enabled with the use-priv-lvl option, typing enable-admin starts an interactive authentication exchange from the node to the TACACS+ server. The start message (service=enable) contains the user-id and the requested admin-priv-lvl. Successful authentication results in the use of a new profile (as configured under config>system>security>tacplus>priv-lvl-map).

This command specifies that RADIUS, TACACS+, and LDAP servers are monitored for 3 seconds each at 30 second intervals. Servers that are not configured will have 3 seconds of idle time. If in this process a server is found to be unreachable, or a previously unreachable server starts responding, a trap will be sent based on the type of the server.

The no form of the command disables the periodic monitoring of the RADIUS, TACACS+, and LDAP servers. In this case, the operational status for the active server will be up if the last access was successful.

Configure how many previous passwords a new password is matched against.

Configure the minimum required age of a password before it can be changed again.

This command configures the minimum number of characters required to be different in the new password from a previous password.

The no form of the command reverts to default value.

This command enables the context to configure certificate parameters.

This command creates a new ca-profile or enter the configuration context of an existing ca-profile. Up to 128 ca-profiles could be created in the system. A shutdown the ca-profile will not affect the current up and running ipsec-tunnel or ipsec-gw that associated with the ca-profile. But authentication afterwards will fail with a shutdown ca-profile.

Executing a no shutdown command in this context will cause system to reload the configured cert-file and crl-file.

A ca-profile can be applied under the ipsec-tunnel or ipsec-gw configuration.

The no form of the command removes the name parameter from the configuration. A ca-profile can not be removed until all the association(ipsec-tunnel/gw) have been removed.

This command specifies the filename of a file in cf3:\system-pki\cert as the CA’s certificate of the ca-profile.

Notes:

The no form of the command removes the filename from the configuration.

This command enables the context to configure Certificate Management Protocol Version 2 (CMPv2) parameters.

This command enables the system to accept both protected and unprotected CMPv2 error message. Without this command, system will only accept protected error messages.

The no form of the command causes the system to only accept protected PKI confirmation message.

This command enables the system to accept both protected and unprotected CMPv2 PKI confirmation messages. Without this command, the system will only accept protected PKI confirmation message.

The no form of the command causes the system to only accept protected PKI confirmation message.

This command enables the context to configure pre-shared key list parameters.

This command specifies a pre-shared key used for CMPv2 initial registration. Multiples of key commands are allowed to be configured under this context.

The password and reference-number is distributed by the CA via out-of-band means.

The configured password is stored in configuration file in an encrypted form by using the SR OS hash2 algorithm.

The no form of the command removes the parameters from the configuration.

This command specifies HTTP URL of the CMPv2 server. The URL must be unique across all configured ca-profiles.

The URL will be resolved by the DNS server configured (if configured) in the corresponding router context.

If the service-id is 0 or omitted, then system will try to resolve the FQDN via DNS server configured in bof.cfg. After resolution, the system will connect to the address in management routing instance first, then base routing instance.

Note: If the service is VPRN, then the system only allows HTTP ports 80 and 8080.

This command specifies the timeout value for HTTP response that is used by CMPv2.

The no form of the command reverts to the default.

This command specifies a imported certificate that is used to verify the CMP response message if they are protected by signature. If this command is not configured, then CA’s certificate will be used.

This command enables the system to use same recipNonce as the last CMPv2 response for poll request.

The no form of the command disables system to use same recipNonce as the last CMPv2 response for poll request.

This command specifies the name of a file in cf3:\system-pki\crl as the Certification Revoke List file of the ca-profile.

Notes:

The no form of the command removes the filename from the configuration.

This command enables the context to configure OCSP parameters.

This command specifies HTTP URL of the OCSP responder for the CA, this URL will only be used if there is no OCSP responder defined in the AIA extension of the certificate to be verified.

This command specifies the service or routing instance that used to contact OCSP responder. This applies to OCSP responders that either configured in CLI or defined in AIA extension of the certificate to be verified.

The responder-url will also be resolved by using the DNS server configured in the configured routing instance.

In case of VPRN service, system will check if the specified service-id or service-name is an existing VPRN service at the time of CLI configuration. Otherwise the configuration will fail.

This command specifies the display format used for the Certificates and Certificate Revocation Lists.

With this command configured, the system will issues two types of warnings related to certificate expiration:

This command specifies when system will issue BeforeExp message before a certificate expires. For example, with certificate-expiration-warning 5, the system will issue a BeforeExp message 5 hours before a certificate expires. An optional repeat <repeat-hour> parameter will enable the system to repeat the BeforeExp message every hour until the certificate expires.

If the user only wants AfterExp, then certificate-expiration-warning 0 can be used to achieve this.

BeforeExp and AfterExp warnings can be cleared in following cases:

This command specifies when system will issue BeforeExp message before a CRL expires. For example, with certificate-expiration-warning 5, the system will issue a BeforeExp message 5 hours before a CRL expires. An optional repeat <repeat-hour> parameter will enable the system to repeat the BeforeExp message every hour until the CRL expires.

If the user only wants AfterExp, then certificate-expiration-warning 0 can be used to achieve this.

BeforeExp and AfterExp warnings can be cleared in following cases:

This command defines the maximum depth of certificate chain verification. This number is applied system wide.

The no form of the command reverts to the default.

Use this command to enable or disable the ca-profile. The system will verify the configured cert-file and crl-file. If the verification fails, then the no shutdown command will fail.

The ca-profile in a shutdown state cannot be used in certificate authentication.

This command enables the context to configure X.509 certificate related operational parameters. For information about CMPv6 admin certificate commands, see the Multiservice Integrated Service Adapter Guide.

This command clears the current OCSP response cache. If optional issuer and serial-number are not specified, then all current cached results are cleared.

This command manually triggers the Certificate Revocation List file (CRL) update for the specified ca-profile.

Using this command requires shutting down the auto-crl-update.

This command displays the content of an input file in plain text.

Note: When displaying the key file content, only the key size and type are displayed.

The following list summarizes the formats supported by this command:

This command performs certificate operations.

This command generatse a RSA or DSA private key/public key pairs and store them in a local file in cf3:\system-pki\key

This command generates a PKCS#10 formatted certificate request by using a local existing key pair file.

This command converts an input file(key/certificate/CRL) to a system format file. The following list summarizes the formats supported by this command:

Note: If there are multiple objects with the same type in the input file, only the first object will be extracted and converted.

This command reloads imported certificate or key file or both at the same time. This command is typically used to update certificate/key file without shutting down ipsec-tunnel/ipsec-gw/cert-profile/ca-profile. Note that type cert and type key will be deprecated in a future release. Use type cert-key-pair instead. Instead of type cert use type key instead.

If the new file does not exists or somehow invalid (bad format, does not contain right extension, etc.), then this command will abort.

In the case of type cert-key-pair, if the new file doesn’t exist or is invalid or cert and key do not match, then this command will abort with an error message.

This command exports IPv6 Secure Neighbor Discovery (SeND) certificates to the file cf[1..3]:\system-pki\secureNdKey in PKCS #7 DER format.

This command imports IPv6 Secure Neighbor Discovery (SeND) certificates from a file, and saves them to cf[1..3]:\system-pki\secureNdKey in PKCS #7 DER format.

This command configures the action associated with the profile entry.

This command configures a command or subtree commands in subordinate command levels are specified.

Because the OS exits when the first match is found, subordinate levels cannot be modified with subsequent action commands. More specific action commands should be entered with a lower entry number or in a profile that is evaluated prior to this profile.

All commands below the hierarchy level of the matched command are denied.

The no form of this command removes a match condition

This command copies a profile or user from a source profile to a destination profile.

This command specifies the default action to be applied when no match conditions are met.

This command is used to create a user profile entry.

More than one entry can be created with unique entry-id numbers. Exits when the first match is found and executes the actions according to the accompanying action command. Entries should be sequenced from most explicit to least explicit.

An entry may not have any match criteria defined (in which case, everything matches) but must have at least the keyword action for it to be considered complete.

The no form of the command removes the specified entry from the user profile.

This command creates a context to create user profiles for CLI command tree permissions.

Profiles are used to either deny or permit user console access to a hierarchical branch or to specific commands.

Once the profiles are created, the user command assigns users to one or more profiles. You can define up to 16 user profiles but a maximum of 8 profiles can be assigned to a user. The user-profile-name can consist of up to 32 alphanumeric characters.

The no form of the command deletes a user profile.

This command renumbers profile entries to re-sequence the entries.

Since the OS exits when the first match is found and executes the actions according to accompanying action command, re-numbering is useful to rearrange the entries from most explicit to least explicit.

This command grants a user permission for FTP, SNMP, console or lawful intercept (LI) access.

If a user requires access to more than one application, then multiple applications can be specified in a single command. Multiple commands are treated additively.

The no form of command removes access for a specific application. no access denies permission for all management access methods. To deny a single access method, enter the no form of the command followed by the method to be denied, for example, no access FTP denies FTP access.

This command configures the authentication and encryption method the user must use in order to be validated by the router. SNMP authentication allows the device to validate the managing node that issued the SNMP message and determine if the message has been tampered.

The keys configured in this command must be localized keys (MD5 or DES hash of the configured SNMP engine-ID and a password). The password is not directly entered in this command (only the localized key).

This command associates (or links) a user to a group name. The group name must be configured with the config>system>security>user >snmp>group command. The access command links the group with one or more views, security model (s), security level (s), and read, write, and notify permissions

This command allows a user the privilege to change their password for both FTP and console login.

To disable a user’s privilege to change their password, use the cannot-change-password form of the command.

Note: The cannot-change-password flag is not replicated when a user copy is performed. A new-password-at-login flag is created instead.

This command creates the context to configure user profile membership for the console (either Telnet or CPM serial port user).

This command copies a specific user’s configuration parameters to another (destination) user.

The password is set to a carriage return and a new password at login must be selected.

This command configures the local home directory for the user for both console (file commands and '>' redirection) and FTP access.

If the URL or the specified URL/directory structure is not present, then a warning message is issued and the default is assumed.

The no form of the command removes the configured home directory.

This command configures the profile for the user based on this template.

This command configures a user’s login exec file which executes whenever the user successfully logs in to a console session.

Only one exec file can be configured. If multiple login-exec commands are entered for the same user, each subsequent entry overwrites the previous entry.

The no form of the command disables the login exec file for the user.