User accounts

Logging in

There are 2 default CLI user accounts:

  • admin: this account is used to configure the router. Its default password is admin.
  • viewer: this account is restricted to monitoring capabilities as shown below. Its default password is viewer.
Users capabilities
features viewer admin
Display network/system configuration Yes Yes
Use network diagnostic tools (ping, traceroute, …) Yes Yes
Use SSH client Yes Yes
Set viewer user password Yes Yes
Create and export troubleshooting report Yes Yes
Delete core files or report archives No Yes
kill a processus No Yes
Edit network configuration No Yes
Edit system image configuration No Yes
Edit SSH configuration No Yes
Edit system date No Yes
Flush dynamic entries No Yes
Set admin user password No Yes
Halt/Reboot system No Yes

It is possible to create additional accounts with similar rights. Refer to Managing System Users for details. Refer to that same section to change users passwords.

Logging out

The logout command exits from CLI to login prompt.

router{}logout

Example

router{}logout

router
login:

Managing System Users

Users are configured from the users context:

router{}edit system users
router{system:users}display
# System users
user admin
  password $6$FpKgwCEm$cNBgirhcBNl1JZ1UEAUhbVbj3dwhL31oSJVTzJymhUPqAn2rt6oFPef20c4w5zcwft72xRCI4lFT8gOch13o91
  group admin
  userid 10001
user viewer
  password $6$f2HLgfYw$JhtEQi4sTbe0G8WBhUaSbBhovzWIQaagR7obVuQrwMVKqWLaGqbcZiZUd1MtBxbEcOwm9vHvw0BYbL7hHuGBg0
  group viewer
  userid 10002
user foo
  password $6$JNMBCCGTShKSi9$Yr6Iv7E62CnQ.6fFMtGflHi7UV2/ZE8errqlX8oLBdOW.XahFkMtzIxg6S83.aQWLNYLDtkUmSYZCp32QMQ5T0
  group viewer
  userid 1001
router{system:users}

Configuring local users

Inside the users context, you may configure a new user with:

router{system:users}user USERNAME

The user password is specified as follows. You can either provide the password in encrypted form, or the CLI will encrypt it for you.

router{system:users-foo}password PASSWORD [METHOD]
PASSWORD
The user password you want. It will be encrypted using the given METHOD, SHA-512 by default.
METHOD
Available encryption methods: “md5”, “des”, “sha-256” or “sha-512”. Use “encrypted” if PASSWORD is already in encrypted form.

If you do not specify a password, the defaut one will be used: mypassword.

By default, the new user will be added to the viewer group, with thus limited access to the CLI. To specify the user’s group:

router{system:users-foo}group admin|viewer

Lastly, you may specify a custom userid:

router{system:users-foo}userid ID
ID
The user ID (from 1000 to 60000).

If you do not configure a specific userid, then it will be automatically generated on the system when saving your configuration.

Users may also be authenticated using AAA, as described in Authentication, Authorization and Accounting (AAA).

Saving Users Configuration

Once you are finished with your users configuration, you need to apply it on the system. To that effect, call:

router{system:users}save

Removing users

To remove users from the users configuration, you can either delete individual users one at a time, or delete them all:

router{system:users}delete user NAME|all

Even when requiring to delete all users, viewer and admin will remain. The only permitted change for these users is to modify their password.