User Account Management

1. Function Overview

This product provides the functions shown below for managing user accounts.

  • Functions for setting user information

  • Functions for user authentication by user name and password

2. Definition of Terms Used

Default Administrative User
Users with administrator rights specified in default factory settings.
Username: admin and password: admin

Administrative User
Users with administrator rights.
Administrative users are users with the privilege option switched on using the username command.

Guest User
Users without administrator rights, who must enter the privileged password (administrative password) in order to access the privileged EXEC mode.
Guest users are users with the privilege option switched off using the username command.

Privileged Password (Administrative Password)
The password used to grant administrator rights. It is specified using the enable password command.

Unnamed User
Users with a blank username setting.
Firmware Rev. 2.02.23 and earlier permitted unnamed user accounts under factory default settings. Newer firmware versions, which have stronger user account management functionality, eliminated unnamed user accounts.

3. Function Details

3.1. User account function settings

3.1.1. User information settings

Use the username command to specify the following user information.

  • User name

  • Password

  • Assignment of administrator rights

With factory default settings, the administrative username and password are both “admin”.

3.1.2. Setting the privileged password (administrative password)

The privileged password (administrative password) is set using the enable password command.
Privileged passwords (administrative passwords) are used for the following applications.

  • To initialize devices

  • To transition users without administrator rights to the privileged EXEC mode by using the console

  • To use a TFTP client to send a config file or firmware to the switch

The factory default privileged password (default administrative password) setting is admin, but the operations described above cannot be performed if the privileged password (default administrative password) is set to the default setting.
To perform any of those operations, change the privileged password (administrative password) in advance.

3.1.3. Administrator rights

User login operations can be restricted depending on whether or not the user has administrator rights.

  • Users with administrator rights can change device settings or update firmware.

  • Users without administrator rights can only view device information without changing any settings.

Specifically, the following differences apply depending on whether or not the user has administrator rights.

                               Console                               Web GUI
Operation                      Administrative user Guest user        Administrative user Guest user
                               (with rights)       (without rights)  (with rights)       (without rights)
Show device information        Yes                 Yes               Yes                 Yes
View settings                  Yes                 No                Yes                 Limited (*1)
Change settings                Yes                 No                Yes                 No
Restart or initialize devices  Yes                 No                Yes                 No
Update firmware                Yes                 No                Yes                 No

*1: Cannot view passwords or other security-related settings.

Once the enable command is executed and the privileged password (administrative password) is entered, the privileged EXEC mode can be accessed to perform operations equivalent to an administrative user, even if logged in as a guest user.
For information about the rights required to execute each command, refer to the command reference.

3.1.4. Encrypt password

Specified passwords can be encrypted using the password-encryption command.
To encrypt a password, specify the password-encryption enable setting.
Once a password has been encrypted, it cannot be restored to an unencrypted character string state, even by specifying the password-encryption disable setting.
Encryption applies to the passwords specified by the following commands.

  • enable password command

  • username command

3.2. User authentication

3.2.1. When logging in to the console

When the following login prompt appears after connecting to the console, log in by entering the specified username and password.

Username:
Password:

For factory default settings, log in by entering “admin” as the default administrative username (and “admin” as the password).
After logging in as “admin”, you must change the password to a new one.

Username: admin
Password: (1)

SWX2310P-28GT Rev.2.02.06 (Tue Mar 13 08:41:39 2018)
  Copyright (c) 2015-2016 Yamaha Corporation. All Rights Reserved.

Please change the default password for admin.
New Password: (2)
New Password(Confirm): (3)
Saving ...
Succeeded to write configuration

(1) Enter “admin”.
(2) Enter the new password.
(3) Enter the same password again.

If an incorrect password is entered three successive times, login by that same user is restricted for one minute.

Username: User
Password:
% Incorrect username or password, or login as User is restricted.
Password:
% Incorrect username or password, or login as User is restricted.
Password:
% Incorrect username or password, or blocked upon 3 failed login attempts for User.
% Please try again later.

If a login restriction occurs, the following message is output to SYSLOG at the INFO level.

Connection method  Output message
Serial console     Login access from serial console as {username} was restricted
TELNET             Login access from TELNET as {username} was restricted: {IP address}
SSH                Login access from SSH as {user name} was restricted: {IP address}
Web GUI            Login access from HTTP as {username} was restricted: {IP address}

Note that if a user with a login restriction enters an incorrect password again, the remaining time until the restriction is cancelled is reset to one minute again.
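
The restriction messages above can be collected from a syslog server to spot sources that are repeatedly locked out. The following is an added example, not part of the original documentation; the timestamp and host prefix of the sample lines and the thresholds are assumptions, and only the message text comes from the table above.

```python
import re
from collections import defaultdict

# Message formats from the SYSLOG table above. Serial console lines carry no IP.
RESTRICTED = re.compile(
    r"Login access from (?P<method>serial console|TELNET|SSH|HTTP) as "
    r"(?P<user>\S+) was restricted(?:: (?P<ip>\S+))?\s*$"
)

# Constructed sample lines; the timestamp and host prefix are assumptions.
SAMPLE_LOG = [
    "May  1 10:00:01 sw1 Login access from SSH as admin was restricted: 192.0.2.10",
    "May  1 10:00:40 sw1 Login access from SSH as yamaha was restricted: 192.0.2.10",
    "May  1 10:01:15 sw1 Login access from HTTP as admin was restricted: 192.0.2.10",
    "May  1 10:05:00 sw1 Login access from TELNET as guest was restricted: 198.51.100.7",
    "May  1 10:06:00 sw1 Login access from serial console as admin was restricted",
    "May  1 10:07:00 sw1 unrelated message that must be ignored",
]


def parse_restrictions(lines):
    """Return (method, user, source) tuples for every restriction message."""
    events = []
    for line in lines:
        m = RESTRICTED.search(line)
        if m:
            # Serial console has no remote address; label it explicitly.
            events.append((m["method"], m["user"], m["ip"] or "local-console"))
    return events


def suspicious_sources(events, min_users=2, min_events=3):
    """Flag sources restricted on several usernames or restricted many times."""
    users, counts = defaultdict(set), defaultdict(int)
    for _method, user, source in events:
        users[source].add(user)
        counts[source] += 1
    return {
        src: {"users": sorted(users[src]), "events": counts[src]}
        for src in counts
        if len(users[src]) >= min_users or counts[src] >= min_events
    }


if __name__ == "__main__":
    for src, info in suspicious_sources(parse_restrictions(SAMPLE_LOG)).items():
        print(src, info)
```
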

3.2.2. When logging in to the web GUI

When the following login form appears after accessing the web GUI, log in by entering the specified username and password.

For factory default settings, log in by entering “admin” as the default administrative username (and “admin” as the password).
If prompted to change the password after using “admin” to log in, specify a new password.

3.3. What to do if you forget your login password

If the product is rebooted while connected to the serial console and “I” (uppercase letter I) is entered during the boot process, the product can be restarted with factory default settings.
Note that the function is disabled if SD card booting is used.

BootROM - X.XX
Booting from SPI flash

SWX2310P-28GT BootROM Ver.1.00      #### Enter “I” as soon as the boot ROM version is displayed. ####

Initialize or not ?(y/n) y

Loading config0 because can't read config in SD card.
Starting ..............................................
Loading configuration ... Done!

SWX2310P-28GT Rev.2.02.06 (Tue Mar 13 08:41:39 2018)
  Copyright (c) 2015-2016 Yamaha Corporation. All Rights Reserved.

4. Related Commands

Related commands are indicated below.
For details, refer to the Command Reference.

Operations                                                 Operating commands
Setting the privileged password (administrative password)  enable password
Encrypt password                                           password-encryption
Set user                                                   username
Show user information                                      show users

5. Examples of Command Execution

5.1. Adding a user

The following example assigns administrator rights to the user “yamaha” and specifies the password “yamaha_pass”.

Yamaha#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Yamaha(config)#username yamaha privilege on password yamaha_pass
Yamaha(config)#exit
Yamaha#exit

Username: yamaha
Password:

SWX2310P-28GT Rev.2.02.06 (Tue Mar 13 08:41:39 2018)
  Copyright (c) 2015-2016 Yamaha Corporation. All Rights Reserved.

Yamaha>enable
Yamaha#

6. Points of Caution

  • If no administrative user (user with administrator rights) exists in startup-config when the product is booted, then a default administrative user (with username “admin” and password “admin”) will be added automatically.
    For example, that would occur in the following case.

    • Product is booted with factory default settings configured

    • Firmware is updated to a newer version than Rev. 2.02.23 after the product was operated using Rev. 2.02.23 or older firmware and only unnamed users.

  • If a user with no password is specified in startup-config when the product is booted, then a password with the same character string as the username will be added automatically.
    For example, that would occur in the following case.

    • Firmware is updated to a newer version than Rev. 2.02.23 after Rev. 2.02.23 or older firmware was used to specify users with no password.

      Settings configured with Rev. 2.02.23 or earlier firmware version

      username yamaha1
      username yamaha2 privilege on

      Settings after updating firmware to a newer version than Rev. 2.02.23

      username yamaha1 password yamaha1
      username yamaha2 privilege on password yamaha2

  • If the password (admin) for the default administrative user admin is left unchanged, then the following restrictions are applied.

    • Network switches cannot be accessed by TELNET, SSH, HTTP, or HTTPS from a network segment other than the maintenance VLAN.

    • Login by users other than the default administrative user is not permitted.

      Username: yamaha
      Password:
      % Please login as user "admin".

    • The following commands cannot be executed. Similar setting changes cannot be performed via the web GUI either.

      • ip address / no ip address
        Note: Only “ip address dhcp” can be executed.

      • auto-ip / no auto-ip

      • ipv6 / no ipv6

      • ipv6 address / no ipv6 address

      • management interface / no management interface
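
The conditions listed in these points of caution can be checked in a saved configuration before it is loaded or before a firmware update. The following is an added example, not part of the original documentation; it assumes the configuration stores passwords as plain text and that username lines have the form shown in the examples on this page, and the sample configuration is constructed.

```python
import re

# Line form as shown in this page's examples:
#   username NAME [privilege on|off] [password PASSWORD]
USERNAME = re.compile(
    r"^\s*username\s+(?P<name>\S+)(?:\s+privilege\s+(?P<priv>on|off))?"
    r"(?:\s+password\s+(?P<pw>.+?))?\s*$"
)

# Constructed configuration for illustration (not taken from a real device).
SAMPLE_CONFIG = """\
username admin privilege on password admin
username yamaha1 password yamaha1
username yamaha2 privilege on
username ops privilege on password S3parate-Long-Phrase
"""


def audit_config(text):
    """Return a sorted list of (user, finding) pairs for a plaintext config."""
    findings, admins = [], 0
    lines = text.splitlines()
    for line in lines:
        m = USERNAME.match(line)
        if not m:
            continue
        name, pw = m["name"], m["pw"]
        admins += m["priv"] == "on"  # count users with administrator rights
        if pw is None:
            # Newer firmware adds a password equal to the username at boot.
            findings.append((name, "no password: set to the username at boot"))
        elif name == "admin" and pw == "admin":
            findings.append((name, "default admin password unchanged"))
        elif pw == name:
            findings.append((name, "password equals username"))
    if admins == 0:
        findings.append(("-", "no administrative user: admin/admin added at boot"))
    if not any(ln.strip() == "password-encryption enable" for ln in lines):
        findings.append(("-", "password-encryption enable not set"))
    return sorted(findings)


if __name__ == "__main__":
    for user, finding in audit_config(SAMPLE_CONFIG):
        print(f"{user}: {finding}")
```
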