User Access And Authentication
Local User Configuration
show local-user brief
[Command]
show local-user brief
[Purpose]
Display local user information
[View]
System view
[Use Cases]
sonic# show local-user brief
USER   ONLINE  BLOCKED  LOGIN IP   LOGIN TIME
admin  yes     no                  Nov 3 17:24
admin  yes     no       150.1.0.1  Nov 4 23:20
test   no      yes
Description of the fields displayed by show local-user brief:
Fields | Description |
--- | --- |
ONLINE | Whether the user is currently online. yes: user is online; no: user is not online |
BLOCKED | Whether the user is currently locked out. yes: locked; no: unlocked |
LOGIN IP | The IP address from which the user logged in to the device. If the user is online and LOGIN IP is empty, the user logged in through the serial port |
LOGIN TIME | The time at which the user logged in to the device |
show local-user block-conf
[Command]
show local-user block-conf
[Purpose]
Displays the device’s configured method for processing successive incorrect password entries by the user
[View]
System view
[Use Cases]
sonic# show local-user brief
USER   ONLINE  BLOCKED  LOGIN IP        LOGIN TIME
admin  yes     no                       2025-05-10 14:2
admin  yes     no       192.168.200.24  2025-05-10 16:05
show local-user blocked
[Command]
show local-user blocked
[Purpose]
Show locked users
[View]
System view
[Use Cases]
sonic(config)# do show local-user blocked
Login  Failures  Latest failure     From
happy  2         05/10/25 16:24:33  192.168.200.240
local-user name
[Command]
local-user name name passwd password
no local-user name
[Purpose]
Create local user
[Parameter]
name Username
password Password
[View]
System configuration view
[Use Cases]
sonic(config)# local-user name test passwd testuser
local-user block-time
[Command]
local-user block-time time
[Purpose]
Configure how long a local user account stays locked after too many consecutive incorrect password entries
[Parameter]
time Value range: 1-65535, unit: min
[View]
System configuration view
[Notes]
Locked for 5 minutes by default.
[Use Cases]
sonic(config)# local-user block-time 5
local-user retry-count
[Command]
local-user retry-count count
no local-user retry-count
[Purpose]
Configure a limit on the number of consecutive incorrect password entries for local users
[Parameter]
count Value range: 2-65535
[View]
System configuration view
[Notes]
By default, 5 attempts are allowed
[Use Cases]
sonic(config)# local-user retry-count 5
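The two commands above work together: retry-count sets how many consecutive failures are tolerated, block-time sets how long the account is then locked. The following is an added example that models that behaviour in Python so the interaction can be reasoned about offline; it is not the device's own implementation, and the exact rules it assumes (a failure during an active lock is rejected without being counted, the counter resets when the lock expires or on a successful login) are labelled as assumptions in the code. The scenario it replays is constructed from the values used on this page (retry-count 5, block-time 5, user "happy" failing from 192.168.200.240).

```python
from datetime import datetime, timedelta

# Hypothetical model of the lockout behaviour configured by
# "local-user retry-count" and "local-user block-time". Not device code.
RETRY_COUNT = 5      # local-user retry-count 5
BLOCK_TIME_MIN = 5   # local-user block-time 5 (minutes)


class LocalUserLockout:
    """Tracks consecutive password failures per user and enforces a timed lock."""

    def __init__(self, retry_count=RETRY_COUNT, block_time_min=BLOCK_TIME_MIN):
        self.retry_count = retry_count
        self.block_time = timedelta(minutes=block_time_min)
        self.failures = {}       # user -> consecutive failure count
        self.blocked_until = {}  # user -> datetime at which the lock expires
        self.latest = {}         # user -> (timestamp, source ip) of the latest failure

    def is_blocked(self, user, now):
        until = self.blocked_until.get(user)
        if until is None:
            return False
        if now >= until:
            # Assumption: an expired lock is cleared and the counter starts over.
            del self.blocked_until[user]
            self.failures[user] = 0
            return False
        return True

    def record_failure(self, user, src_ip, now):
        """Register a wrong password; returns True if the account is now locked."""
        if self.is_blocked(user, now):
            # Assumption: attempts during an active lock are rejected, not counted.
            return True
        self.failures[user] = self.failures.get(user, 0) + 1
        self.latest[user] = (now, src_ip)
        if self.failures[user] >= self.retry_count:
            self.blocked_until[user] = now + self.block_time
            return True
        return False

    def record_success(self, user, now):
        """Correct password: accepted only if not locked; resets the counter."""
        if self.is_blocked(user, now):
            return False
        self.failures[user] = 0
        return True

    def blocked_table(self, now):
        """Rows in the shape of 'show local-user blocked': user, failures, latest failure, from."""
        rows = []
        for user in list(self.blocked_until):
            if self.is_blocked(user, now):
                ts, ip = self.latest[user]
                rows.append((user, self.failures[user], ts.strftime("%m/%d/%y %H:%M:%S"), ip))
        return rows


def simulate(retry_count=RETRY_COUNT, block_time_min=BLOCK_TIME_MIN):
    """Replay a constructed brute-force burst and report what the lock does."""
    lock = LocalUserLockout(retry_count, block_time_min)
    t0 = datetime(2025, 5, 10, 16, 24, 0)
    # Constructed: retry_count wrong passwords for "happy", one second apart.
    locked_at_attempt = None
    for i in range(retry_count):
        if lock.record_failure("happy", "192.168.200.240", t0 + timedelta(seconds=i)):
            locked_at_attempt = i + 1
            break
    t_last = t0 + timedelta(seconds=retry_count - 1)
    return {
        "locked_at_attempt": locked_at_attempt,
        "blocked_rows": lock.blocked_table(t_last + timedelta(minutes=1)),
        # Correct password one minute into the lock is still refused ...
        "login_during_lock": lock.record_success("happy", t_last + timedelta(minutes=1)),
        # ... and accepted once block-time has elapsed.
        "login_after_lock": lock.record_success("happy", t_last + timedelta(minutes=block_time_min, seconds=1)),
    }


if __name__ == "__main__":
    for k, v in simulate().items():
        print(f"{k}: {v}")
```

The model makes the operational trade-off visible: a small retry-count with a long block-time limits online guessing but also lets anyone who knows a username lock that account from any address, which is why the `show local-user blocked` output includes the source IP of the latest failure.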
local-user password-control
[Command]
local-user password-control enable|min-len|min-lowercase|min-uppercase|min-digits|min-special-chars|expiration-time|expiration-warning
no local-user password-control enable|min-len|min-lowercase|min-uppercase|min-digits|min-special-chars|expiration-time|expiration-warning
[Purpose]
Configure security rules such as local user password strength settings and expiration dates
[Parameter]
enable Enable password-control, default ‘disable’
min-len Minimum password length, default 8
min-lowercase Minimum lowercase letters, default 0
min-uppercase Minimum uppercase letters, default 0
min-digits Minimum digits, default 0
min-special-chars Minimum special characters, default 0
expiration-time The password expiration time (days unit), default 180
expiration-warning The password expiration warning time (days unit), default 15
[View]
System configuration view
[Notes]
To ensure that local user passwords are sufficiently strong, the password strength rules can be configured here. Increasing password complexity and requiring regular changes makes brute-force cracking and other forms of password guessing considerably less effective.
[Use Cases]
sonic(config)# local-user password-control enable
sonic(config)# local-user password-control min-len 10
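To make the password-control parameters concrete, here is an added example (not the device's own code) that evaluates a candidate password against the policy and classifies a password's age against expiration-time and expiration-warning. The default values are the ones listed above; the stricter policy and the sample passwords are constructed for the example, and the choice of `string.punctuation` as the set of "special characters" is an assumption, since the page does not define that set.

```python
import string
from datetime import date, timedelta

# Added model of the rules configured by "local-user password-control".
# Default values are those documented for the command.
DEFAULT_POLICY = {
    "min-len": 8,
    "min-lowercase": 0,
    "min-uppercase": 0,
    "min-digits": 0,
    "min-special-chars": 0,
    "expiration-time": 180,     # days
    "expiration-warning": 15,   # days before expiry at which to warn
}

# Assumption: "special characters" means ASCII punctuation.
SPECIAL = set(string.punctuation)


def check_password(password, policy=DEFAULT_POLICY):
    """Return the list of policy rules the password violates; an empty list means accepted."""
    counts = {
        "min-len": len(password),
        "min-lowercase": sum(c.islower() for c in password),
        "min-uppercase": sum(c.isupper() for c in password),
        "min-digits": sum(c.isdigit() for c in password),
        "min-special-chars": sum(c in SPECIAL for c in password),
    }
    return [rule for rule, have in counts.items() if have < policy[rule]]


def expiry_status(set_on, today, policy=DEFAULT_POLICY):
    """Classify a password as 'ok', 'warning' (inside the warning window) or 'expired'."""
    expires = set_on + timedelta(days=policy["expiration-time"])
    if today >= expires:
        return "expired"
    if today >= expires - timedelta(days=policy["expiration-warning"]):
        return "warning"
    return "ok"


if __name__ == "__main__":
    # Constructed stricter policy, matching the use case's min-len 10 plus
    # one uppercase letter, one digit and one special character.
    strict = dict(DEFAULT_POLICY, **{"min-len": 10, "min-uppercase": 1,
                                     "min-digits": 1, "min-special-chars": 1})
    for pw in ["testuser", "Testuser2025", "Testuser-2025"]:
        print(pw, "->", check_password(pw, strict) or "accepted")
    print(expiry_status(date(2025, 1, 1), date(2025, 6, 20)))
```

The "warning" state is what the device would report during the last expiration-warning days before a password expires; surfacing it in a login banner or in monitoring gives operators time to rotate credentials before accounts start failing.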
telnet max session count
[Command]
telnet max session count
no telnet max session count
[Purpose]
Set the maximum number of telnet user sessions
[Parameter]
count Value range: 1-100, default 10
[View]
System configuration view
[Use Cases]
sonic(config)# telnet max session 5
ssh max session count
[Command]
ssh max session count
no ssh max session count
[Purpose]
Set the maximum number of SSH user sessions
[Parameter]
count Value range: 1-100, default 10
[View]
System configuration view
[Use Cases]
sonic(config)# ssh max session 5
AAA Configuration
show aaa
[Command]
show aaa
[Purpose]
View the authentication, authorization and accounting (AAA) settings configured on the network node
[View]
System view
[Use Cases]
sonic# show aaa
AAA accounting command        local (default)
AAA authentication login      local (default)
AAA authentication failthrough False (default)
AAA authorization command     local (default)
show tacacs status
[Command]
show tacacs status
[Purpose]
Display the TACACS+ server status
[View]
System view
[Use Cases]
sonic# show tacacs status
SERVER IP     STATUS
------------  --------
192.168.0.78  online
aaa accounting command
[Command]
aaa accounting command {tacacs+|local|default}
[Purpose]
Configure the AAA command accounting method
[Parameter]
tacacs+ Command accounting via TACACS+
local Local accounting
default Reset to the default value, local accounting
[View]
System configuration view
[Notes]
TACACS+ and local can be used individually or in combination.
[Use Cases]
sonic(config)# aaa accounting command local tacacs+
aaa authentication failthrough {enable|default}
[Command]
aaa authentication failthrough {enable|default}
no aaa authentication failthrough enable
[Purpose]
Enable failthrough
[Parameter]
default Default
enable Enable
[View]
System configuration view
[Notes]
This command is useful when multiple TACACS+ servers are configured and TACACS+ authentication is enabled. When an authentication request to the first server fails, this setting allows the request to continue to the next server; with it enabled, the authentication process continues through all configured servers. If it is disabled and the authentication request fails on the first server, the authentication process stops and the login is denied.
[Use Cases]
sonic(config)# aaa authentication failthrough enable
aaa authentication fallback {enable|default}
[Command]
aaa authentication fallback {enable|default}
no aaa authentication fallback enable
[Purpose]
Enable fallback
[Parameter]
default Default
enable Enable
[View]
System configuration view
[Notes]
When enabled, authentication falls back to local authentication when TACACS+ authentication fails.
[Use Cases]
sonic(config)# aaa authentication fallback enable
aaa authentication login
[Command]
aaa authentication login {tacacs+|local|default}
[Purpose]
Configure the AAA login authentication method
[Parameter]
tacacs+ - Remote authentication via TACACS+
local - Local authentication
default - Reset to the default value, local authentication only
[View]
System configuration view
[Notes]
TACACS+ and local are optional parameters and can be configured separately or in combination.
[Use Cases]
sonic(config)# aaa authentication login tacacs+,local
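The failthrough, fallback and login-method sections above describe one decision procedure from three angles. The following is an added Python model of that procedure for the `tacacs+,local` method order shown in the use case; it is not the device's code or a real TACACS+ client. Two points the page leaves open are treated as labelled assumptions: an unreachable server counts as a failed request for the purpose of failthrough, and "TACACS+ authentication fails" for fallback means the server chain ended without an accept. The servers and the local user database are constructed fixtures.

```python
from dataclasses import dataclass

# Added model of "aaa authentication login tacacs+,local" combined with the
# failthrough and fallback switches. Not device code; outcomes are simulated.


@dataclass
class TacacsServer:
    ip: str
    reachable: bool
    accepts: set  # constructed (user, password) pairs this server would accept


def tacacs_login(server, user, password):
    """Simulated per-server result: 'accept', 'reject' or 'unreachable'."""
    if not server.reachable:
        return "unreachable"
    return "accept" if (user, password) in server.accepts else "reject"


def aaa_login(user, password, servers, local_users, failthrough=False, fallback=False):
    """
    Decide a login and return (allowed, trail), where trail lists each step taken.
    Servers are tried in order. Assumption: an unreachable server is a failed
    request; with failthrough disabled the first failure ends the TACACS+ step.
    Assumption: fallback consults local authentication only when the TACACS+
    step produced no accept.
    """
    trail = []
    for srv in servers:
        outcome = tacacs_login(srv, user, password)
        trail.append(f"tacacs+ {srv.ip}: {outcome}")
        if outcome == "accept":
            return True, trail
        if not failthrough:
            trail.append("failthrough disabled: stop after first failing server")
            break
    if fallback:
        ok = local_users.get(user) == password
        trail.append(f"local: {'accept' if ok else 'reject'}")
        return ok, trail
    trail.append("no fallback: login denied")
    return False, trail


# Constructed fixture: first server down, second server knows the admin.
SERVERS = [
    TacacsServer("192.168.0.77", reachable=False, accepts=set()),
    TacacsServer("192.168.0.78", reachable=True, accepts={("admin", "tacacs-pw")}),
]
# Constructed local database (plaintext only because this is a simulation).
LOCAL_USERS = {"admin": "local-pw"}


def compare_settings(user, password):
    """Run the same login under the four switch combinations; returns {(failthrough, fallback): allowed}."""
    return {
        (ft, fb): aaa_login(user, password, SERVERS, LOCAL_USERS, failthrough=ft, fallback=fb)[0]
        for ft in (False, True)
        for fb in (False, True)
    }


if __name__ == "__main__":
    for (ft, fb), allowed in compare_settings("admin", "tacacs-pw").items():
        print(f"failthrough={ft} fallback={fb}: {'allowed' if allowed else 'denied'}")
    print(aaa_login("admin", "local-pw", SERVERS, LOCAL_USERS, failthrough=True, fallback=True)[1])
```

Running the comparison shows why the two switches are separate controls: with both disabled a single unreachable server locks every remote user out, failthrough alone fixes that only while at least one server is up, and fallback alone changes which credential database answers, which is an availability gain paid for with a second set of passwords to protect.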
aaa authorization command
[Command]
aaa authorization command {tacacs+|local|default}
[Purpose]
Configure the AAA command authorization method
[Parameter]
tacacs+ Command authorization via TACACS+
local Local command authorization
default Reset to the default value, local authorization
[View]
System configuration view
[Notes]
TACACS+ and local are optional parameters and can be configured separately or in combination.
[Use Cases]
sonic(config)# aaa authorization command tacacs+,local