Configures a user with Administrator privileges in the current context.
Mode
Exec > Global Configuration > Context Configuration
configure > context context_name
Entering the above command sequence results in the following prompt:
[context_name]host_name(config-ctx)#
administrator user_name [ encrypted ] [ nopassword ] password password [ max-age days ] [ no-max-age ] | [ ecs ] [ expiry-date date_time ] [ ftp [ sftp-server sftp_name ] ] [ li-administration ] [ nocli ] [ noconsole ] [ noecs ] [ timeout-absolute timeout_absolute ] [ timeout-min-absolute timeout_min_absolute ] [ timeout-idle timeout_idle ] [ timeout-min-idle timeout_min_idle ] [ exp-grace-interval days ] [ exp-warn-interval days ] [ no-exp-grace-interval ] [ no-exp-warn-interval ]
Syntax Description
no administrator user_name
no
Removes Security Administrator privileges for the specified user name.
user_name
Specifies the username for which Security Administrator privileges must be enabled in the current context. user_name must be an alphanumeric string of 1 through 32 characters.
[ encrypted ] password password
Specifies the password for the user name. The optional encrypted keyword indicates that the password that follows is encrypted.
password must be an alphanumeric string of 1 through 63 characters without encryption, and 1 through 132 characters with encryption.
The encrypted keyword is intended only for use by the system while saving configuration scripts. The system displays the encrypted keyword in the configuration file as a flag that the variable following the password keyword is the encrypted version of the plain text password. Only the encrypted password is saved as part of the configuration file.
[ nopassword ]
This option allows you to create an administrator without an associated password. Enable this option when using SSH public keys (authorized key command in SSH Configuration mode) as the sole means of authentication. When enabled, this option prevents someone from using an administrator password to gain access to the user account.
ecs
Permits the user to use ACS-specific configuration commands. Default: Permitted
expiry-date date_time
Specifies the date and time that this login account expires.
Enter the date and time in the YYYY:MM:DD:HH:mm or YYYY:MM:DD:HH:mm:ss format, where YYYY is the year, MM is the month, DD is the day of the month, HH is the hour, mm is minutes, and ss is seconds.
ftp
Permits the user to use FTP and SFTP. Default: Not permitted
[ sftp-server sftp_name ]
Assigns an optional root directory and access privilege to this user. sftp_name must have been previously created via the SSH Server Configuration mode subsystem sftp command.
li-administration
Refer to the Lawful Intercept Configuration Guide for a description of this parameter.
nocli
Prevents the user from using the command line interface. Default: Permitted
noconsole
Disables user access to a Console line.
Note: The Global Configuration mode local-user allow-aaa-authentication noconsole command takes precedence in a normal (non-Trusted) StarOS build. In this case, all AAA-based users cannot access a Console line.
noecs
Prevents the user from accessing ACS-specific commands.
timeout-absolute timeout_absolute
Important: This keyword is obsolete. It has been left in place for backward compatibility. If used, a warning is issued and the value entered is rounded to the nearest whole minute.
Specifies the maximum time, in seconds, the Security Administrator may have a session active before the session is forcibly terminated. timeout_absolute must be an integer from 0 through 300000000. The value 0 disables this timeout configuration. Default: 0
timeout-min-absolute timeout_min_absolute
Specifies the maximum time, in minutes, the Security Administrator may have a session active before the session is forcibly terminated. timeout_min_absolute must be an integer from 0 through 525600. The value 0 disables this timeout configuration. Default: 0
timeout-idle timeout_idle
Important: This keyword is obsolete. It has been left in place for backward compatibility. If used, a warning is issued and the value entered is rounded to the nearest whole minute.
Specifies the maximum time, in seconds, the Security Administrator may have a session active before the session is terminated. timeout_idle must be an integer from 0 through 300000000. The value 0 disables the idle timeout configuration. Default: 0
timeout-min-idle timeout_min_idle
Specifies the maximum time, in minutes, the Security Administrator may have a session active before the session is terminated. timeout_min_idle must be an integer from 0 through 525600. The value 0 disables the idle timeout configuration. Default: 0
Usage Guidelines
Use this command to create new Security Administrators or modify an existing user's settings.
Security Administrator users have read-write privileges and full access to all contexts and command modes. Refer to the Command Line Interface Overview chapter for more information.
Important: A maximum of 128 administrative users and/or subscribers may be locally configured per context.
[ max-age days ]
Defines the maximum age of a user password before it has to be changed. max-age is the replacement for expiry-date.
[ no-max-age ]
This parameter ensures that the password never expires (a non-expiring password).
exp-warn-interval days
Specifies the impending password expiry warning interval in days. There is no default value at the per-user level. If any of the values is specified, context global values are considered.
For example:
administrator trexpac111 password pass@1234
In the previous example, no values for expiry, grace, and warn are provided. In this case, the global values for both of them will be considered.
[ no-exp-warn-interval ]
Disables impending password expiry warnings.
exp-grace-interval days
Specifies the password expiry grace interval in days. Default = 3 days after expiry.
[ no-exp-grace-interval ]
Disables the grace period of an expired password.
Example
The following command creates a Security Administrator account named user1 with access to ACS configuration commands:
administrator user1 password secretPassword
The following removes the Security Administrator account named user1:
no administrator user1
Example
The following command shows the notifications you will receive if the password is not reset before the expiration date:
administrator user_name password password [ max-age days ] [ password-exp-grace-interval days ] [ password-exp-grace-interval days ]
login: xxx
password: xxx
1. <Normal>
# <you are logged in>
2. <When in warning period>
Warning: Your password is about to expire in 0 days.
We recommend you to change password after login.
Logins are not allowed without acknowleding this.
Do you wish to continue [y/n] (times out in 30 seconds) :
3. <when in grace period>
Your password has expired
Current password:
New password:
Repeat new password:
4. <after the grace period>
Password Expired (even beyond grace period, if configured). Contact Security Administrator to reset password
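The keyword descriptions above can be turned into a configuration review check. The following Python sketch is an added example, not Cisco code: it parses one administrator line using only the keywords and value ranges documented on this page and reports settings worth a second look. The function names, the finding texts, the review policy itself and the sample line are assumptions made for illustration.

```python
import re

# Keywords taken from the syntax on this page; VALUED ones consume one argument.
VALUED = {"password", "max-age", "expiry-date", "sftp-server", "timeout-absolute",
          "timeout-min-absolute", "timeout-idle", "timeout-min-idle",
          "exp-grace-interval", "exp-warn-interval"}
FLAGS = {"encrypted", "nopassword", "no-max-age", "ecs", "ftp", "li-administration",
         "nocli", "noconsole", "noecs", "no-exp-grace-interval", "no-exp-warn-interval"}
OBSOLETE = {"timeout-absolute": "timeout-min-absolute", "timeout-idle": "timeout-min-idle"}
MINUTE_MAX = 525600  # upper bound documented for both timeout-min-* values

def parse_admin(line):
    """Split one 'administrator ...' line into (user_name, {keyword: value})."""
    tok = line.split()
    if len(tok) < 2 or tok[0] != "administrator":
        raise ValueError("not an administrator line")
    opts, rest = {}, iter(tok[2:])
    for kw in rest:
        if kw in VALUED:
            opts[kw] = next(rest, None)  # None if the value is missing
        elif kw in FLAGS:
            opts[kw] = True
        else:
            raise ValueError(f"unknown keyword {kw!r}")
    return tok[1], opts

def audit(line):
    """Return findings for one line (the review policy is an assumption)."""
    user, o = parse_admin(line)
    out = []
    if not re.fullmatch(r"[A-Za-z0-9]{1,32}", user):
        out.append("user_name is not 1-32 alphanumeric characters")
    if "password" in o and "encrypted" not in o:
        out.append("password is in plain text (no encrypted keyword)")
    if "no-max-age" in o:
        out.append("password never expires (no-max-age)")
    if "ftp" in o:
        out.append("FTP/SFTP access permitted")
    for old, new in OBSOLETE.items():
        val = str(o.get(new, "0"))  # both timeouts default to 0 (disabled)
        if old in o:
            out.append(f"{old} is obsolete; use {new}")
        elif not val.isdecimal() or int(val) > MINUTE_MAX:
            out.append(f"{new} must be an integer from 0 through {MINUTE_MAX}")
        elif int(val) == 0:
            out.append(f"{new} is 0 or unset: timeout disabled")
    return out

# Constructed sample line (not taken from a real configuration).
SAMPLE = "administrator ops1 password Secret123 ftp no-max-age timeout-idle 600"
```

Calling audit(SAMPLE) returns five findings; a line with the encrypted keyword and non-zero timeout-min-absolute and timeout-min-idle values returns none.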