Users Guide
○ interface — Accesses Ethernet, fibre-channel, loopback, management, null, port-group, lag, breakout, range,
port-channel, and VLAN modes.
○ route-map — Accesses route-map mode.
○ router — Accesses router-bgp and router-ospf modes.
○ line — Accesses line-vty mode.
● priv-lvl privilege-level — Enter the number of a privilege level, from 2 to 14.
● command-string — Enter the command supported at the privilege level.
For sysadmin, netadmin, and secadmin roles, you cannot configure a privilege level less than 2.
2. Configure an enable password for each privilege level in CONFIGURATION mode.
enable password encryption-type password-string priv-lvl privilege-level
● encryption-type — Enter an encryption type for the password entry:
○ 0 — Use plain text with no password encryption.
○ sha-256 — Encrypt the password using the SHA-256 algorithm.
○ sha-512 — Encrypt the password using the SHA-512 algorithm.
● priv-lvl privilege-level — Enter a privilege level, from 1 to 15.
OS10(config)# privilege exec priv-lvl 3 "show version"
OS10(config)# enable password 0 P@$$w0Rd priv-lvl 3
OS10(config)# privilege exec priv-lvl 12 "configure terminal"
OS10(config)# privilege configure priv-lvl 12 route-map
OS10(config)# privilege route-map priv-lvl 12 "set local-preference"
OS10(config)# enable password sha-256 $5$2uThib1o$84p.tykjmz/w7j26ymoKBjrb7uepkUB priv-lvl 12
Passwords for user accounts
OS10 allows you to configure password checks and password strength requirements for user accounts.
Configuration notes
All Dell EMC PowerSwitches except MX-Series, S4200-Series, S5200 Series, and Z9332F-ON:
When you enter a password in an OS10 command, either at a password prompt or in the command syntax, you can enter only
alphanumeric characters and the following special characters unencoded: $ - _ . + ! * ' ( ). You cannot enter any other
special characters in the password. Use URL encoding instead.
For example, in the image download command, the password a@b is not accepted:
image download ftp://username:a@b@10.11.63.122/filename
You must enter the password as:
image download ftp://username:a%40b@10.11.63.122/filename
The URL encoding for @ is %40. For information about other characters that require URL encoding, go to URL Encoding.
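The encoding rule above can be applied before a credential is pasted into an image download URL. This is an added example, not code from the guide or from OS10; the function names are hypothetical, and it assumes the host and file path need no encoding of their own.

```python
from urllib.parse import quote, unquote, urlsplit

# Special characters the guide lists as accepted unencoded (besides alphanumerics).
OS10_UNENCODED = "$-_.+!*'()"


def encode_credential(value: str) -> str:
    """Percent-encode every character except alphanumerics and OS10_UNENCODED."""
    # quote() never encodes "~", which is not in the guide's list, so it is
    # encoded explicitly. Non-ASCII input is encoded as UTF-8 bytes (assumption).
    return quote(value, safe=OS10_UNENCODED).replace("~", "%7E")


def image_download_url(scheme: str, user: str, password: str,
                       host: str, path: str) -> str:
    """Build the URL argument for `image download` with encoded credentials."""
    return (f"{scheme}://{encode_credential(user)}:"
            f"{encode_credential(password)}@{host}/{path.lstrip('/')}")


def check_round_trip(url: str, user: str, password: str, host: str) -> bool:
    """Confirm a URL parser recovers the intended user, password and host."""
    parts = urlsplit(url)
    return (unquote(parts.username or "") == user
            and unquote(parts.password or "") == password
            and parts.hostname == host)


if __name__ == "__main__":
    # The guide's own case: password a@b on host 10.11.63.122.
    url = image_download_url("ftp", "username", "a@b", "10.11.63.122", "filename")
    print(url)
    print(check_round_trip(url, "username", "a@b", "10.11.63.122"))

    # Constructed case: a raw "/" in the password ends the authority part early,
    # so the parser no longer sees the credentials or the real host.
    raw = "ftp://user:a/b@192.0.2.10/file"
    print(check_round_trip(raw, "user", "a/b", "192.0.2.10"))
    fixed = image_download_url("ftp", "user", "a/b", "192.0.2.10", "file")
    print(fixed, check_round_trip(fixed, "user", "a/b", "192.0.2.10"))
```
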
Enable user lockout
By default, a maximum of three consecutive failed password attempts is supported on the switch. You can set a limit to the
maximum number of allowed password retries with a specified lockout period for the user ID. Audit logs include authentication
failures on the console as well.
This feature is available only for the sysadmin and secadmin roles.
NOTE:
If you are downgrading OS10 to a release earlier than 10.5.2.1, check the password-attributes command and
ensure that only the supported parameters are configured.
● Configure user lockout settings in CONFIGURATION mode.
password-attributes {[max-retry number] [lockout-period minutes] [console-exempt]}
○ max-retry number — Sets the maximum number of consecutive failed login attempts for a user before the user is
locked out, from 0 to 16; default 3.
○ lockout-period minutes — Sets the amount of time that a user ID is prevented from accessing the system after
exceeding the maximum number of failed login attempts, from 0 to 43,200; default 5.