
U Commands


The commands shown in this chapter apply to the Catalyst 8540 MSR, Catalyst 8510 MSR, and LightStream 1010 ATM switch routers. Where an entire command or certain attributes of a command have values specific to a particular switch or switch router, an exception is indicated by the following callouts:

Refer to Appendix D of this command reference for a detailed list of commands that have been removed, changed or replaced.

username

To establish a username-based authentication system at login, even though your network cannot support a TACACS service, use the username global configuration command.

username name [access-class access-class-num]
username name [autocommand command]
username name [callback-dialstring dialstring] [callback-line line] [callback-rotary group] [nocallback-verify]
username name [noescape] [nohangup]
username name [dnis] [nopassword | password [encryption-type] password]
username name privilege level

Syntax Description

name

Specifies the username to which this command applies. The name argument can only be one word. White spaces and quotation marks are not allowed.

access-class-num

Specifies an outgoing access list that overrides the access list specified in the access-class line configuration command; used for the duration of that session.

command

Specifies a command to be issued automatically after the user logs in. When the command is complete, the session is terminated. Because the command can be any length and contain embedded spaces, commands using the autocommand keyword must be the last option on the line.

dialstring

Specifies a dialback string for connections initiated by the user.

line

Specifies a line to associate with this callback.

group

Specifies a rotary group to associate with this callback.

nocallback-verify

Does not require authentication after callback.

noescape

Prevents a user from using an escape character on the host where the user is connected.

nohangup

Prevents the communication server from disconnecting the user after an automatic command (set up with the autocommand keyword) is complete. Instead, the user gets another login prompt.

dnis

No password is required for this user when obtained via DNIS.

nopassword

No password is required for this user to log in. This is usually most useful in combination with the autocommand keyword.

encryption-type

A one-digit number that defines whether the text immediately following is encrypted, and what type of encryption is used. Currently defined encryption types are 0 (the text immediately following is not encrypted) and 7 (the text is encrypted using an encryption algorithm defined by Cisco).

password

A password can contain embedded spaces and must be the last option specified in the username command.

level

Sets the user privilege level.

Command Modes

Global configuration

Command History

Release    Modification
11.1(4)    New command

Usage Guidelines

The username command provides username/password authentication for login purposes only.


Note   The username command does not provide username/password authentication for enable mode when the enable use-tacacs command is also used.

Multiple username commands can be used to specify options for a single user.

Add a username entry for each remote system that the local switch communicates with and requires authentication from. The remote device must have a username entry for the local switch router. This entry must have the same password as the local switch's entry for that remote device.

This command can be useful for defining usernames that get special treatment, for example, an "info" username that does not require a password but connects the user to a general-purpose information service.

The username command is also required as part of the configuration for CHAP. For each remote system that the local switch communicates with and that requires authentication, add a username entry.


Note   To enable the local switch to respond to remote CHAP challenges, one username name entry must be the same as the hostname name entry that was already assigned to your switch.

If there is no secret specified and debug serial-interface is enabled, an error is displayed when an interface is established and the CHAP challenge is not implemented. Debugging information on CHAP is available using the debug serial-interface and debug serial-packet commands. For more information about debug commands, refer to the Debug Command Reference publication.

Examples

To implement a service similar to the UNIX who command, which can be entered at the login prompt and lists the current users of the switch, the username command takes the following form.

Switch(config)# username who nopassword nohangup autocommand show users

To implement an information service that does not require a password, the command takes the following form.

Switch(config)# username info nopassword noescape autocommand telnet nic.ddn.mil

To implement an ID that works even if all TACACS servers go down, the command takes the following form.

Switch(config)# username superuser password superpassword

The following example configuration enables CHAP on interface serial 0. It also defines a password for local server Adam and remote server Eve.

Switch# configure terminal
Switch(config)# hostname Adam
Switch(config)# interface serial 0
Switch(config-if)# encapsulation ppp
Switch(config-if)# ppp authentication chap
Switch(config-if)# exit
Switch(config)# username Adam password oursystem
Switch(config)# username Eve password theirsystem

When you look at your configuration file, the passwords are encrypted and the display looks similar to the following output.

Switch# configure terminal
Switch(config)# hostname Adam
Switch(config)# interface serial 0
Switch(config-if)# encapsulation ppp
Switch(config-if)# ppp authentication chap
Switch(config-if)# exit
Switch(config)# username Adam password 7 1514040356
Switch(config)# username Eve password 7 121F0A18
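
The following audit sketch is an added example, not part of the original Cisco page: it parses username lines using the syntax described above and flags accounts whose credentials are absent, stored in cleartext, or stored as type 7. The sample configuration is constructed from this page's examples plus a hypothetical "guest" user, and type 7 is flagged because it is a reversible encoding rather than a one-way hash.

```python
from collections import defaultdict

# Constructed sample: this page's example users plus a hypothetical "guest".
SAMPLE_CONFIG = """\
username who nopassword nohangup autocommand show users
username info nopassword noescape autocommand telnet nic.ddn.mil
username superuser password superpassword
username Adam password 7 1514040356
username Eve password 7 121F0A18
username guest nopassword
username guest privilege 1
"""
ONE_ARG = {"access-class", "privilege", "callback-dialstring", "callback-line", "callback-rotary"}

def parse_username(line):
    """Return (name, options) for a 'username' line, else None."""
    tokens = line.split()
    if len(tokens) < 2 or tokens[0] != "username":
        return None
    name, opts, i = tokens[1], {}, 2
    while i < len(tokens):
        tok, rest = tokens[i], tokens[i + 1:]
        if tok == "autocommand":      # must be last: takes the rest of the line
            opts[tok] = " ".join(rest)
            break
        if tok == "password":         # must be last: may contain spaces
            # A leading 0 or 7 is an encryption-type only if text follows it.
            opts["enc_type"] = rest[0] if len(rest) > 1 and rest[0] in ("0", "7") else "0"
            opts[tok] = True          # record presence only, never the secret
            break
        opts[tok] = rest[0] if tok in ONE_ARG and rest else True
        i += 2 if tok in ONE_ARG else 1
    return name, opts

def audit(config_text):
    """Merge options per user, then return (user, finding) pairs."""
    users = defaultdict(dict)
    for line in config_text.splitlines():
        if (p := parse_username(line)):   # several lines may configure one user
            users[p[0]].update(p[1])
    findings = []
    for name, o in users.items():
        if o.get("nopassword"):
            kind = "autocommand" if "autocommand" in o else "interactive"
            findings.append((name, "nopassword-" + kind))
        elif "password" in o:
            kind = "type7" if o["enc_type"] == "7" else "cleartext"
            findings.append((name, kind + "-password"))
    return findings
```

The "nopassword-interactive" finding marks the case the syntax description warns about implicitly: a passwordless account with no autocommand to confine the session.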

Related Commands

Command     Description
hostname    Cisco IOS command removed from this manual.


Posted: Tue Aug 12 17:30:50 PDT 2003
All contents are Copyright © 1992--2003 Cisco Systems, Inc. All rights reserved.