cli-session
Syntax
cli-session
no cli-session
Description
Enters the CLI session context (shown in the prompt as config-cli-session) for the purpose of configuring CLI user session management. Session management enhances security by enforcing specific CLI user session requirements. The following information is provided at time of successful login:
When applicable, the number of failed login attempts since the most recent successful login.
The date, time, and location (console or IP address or hostname) of the most recent previous successful login.
The count of successful logins within the past (configurable) time period.
switch login: admin
Password:
There were 3 failed login attempts since the last successful login
Last login: 2019-04-20 08:51:33 from the console
User "admin" has logged in 73 times in the past 30 days
The no form of this command disables concurrent CLI user session restrictions and reverts timeout and tracking-range to their default values.
To ensure that enhanced security is maintained, it is recommended that you keep CLI user session management fully enabled by setting max-per-user to a nondefault value.
The cli-session command applies only to SSH/console login connection types. It does not apply to other connection types such as REST.
Command context
config
Subcommands
These subcommands are available within the CLI session context.
[no] max-per-user <SESSIONS>
- Specifies the maximum number of concurrent CLI sessions per user. The no form of this subcommand disables concurrent CLI user session restrictions. Default: Disabled (no value). Range: 1 to 5.
NOTE:
When the same user name is configured for both local and remote authentication, both users, regardless of privilege level, are considered to be the same user for the purpose of counting concurrent CLI sessions. For example, with max-per-user set to 1 and user admin1 configured for local and remote authentication, only the local user admin1 or the remote user admin1 can be logged in at any given moment. Both admin1 users cannot be logged in simultaneously unless max-per-user is increased to at least 2.
[no] timeout <MINUTES>
- Specifies the number of minutes a CLI session can be idle before the session is automatically terminated and the user is logged out. A value of 0 minutes disables the session timeout. The no form of this subcommand sets the timeout value to the default. Default: 30. Range: 0 to 4320.
NOTE:
This subcommand is the recommended replacement for the session-timeout command.
[no] tracking-range <DAYS>
- Specifies the maximum number of days to track CLI user session logins. The no form of this subcommand resets the value to its default. Default: 30. Range: 1 to 30.
exit
- Exits the CLI session context.
end
- Exits the CLI session context and then the config context.
Authority
Administrators
Examples
Configuring CLI user session settings for a maximum of one concurrent session, a 20-minute timeout, and tracking for a maximum of 25 days.
switch(config)# cli-session
switch(config-cli-session)# max-per-user 1
switch(config-cli-session)# timeout 20
switch(config-cli-session)# tracking-range 25
switch# exit
After successful earlier logins, logging in from the console without any intervening unsuccessful logins.
switch login: admin1
Password:
Last login: 2019-04-15 14:10:21 from the console
User 'admin1' has logged in 65 times in the past 25 days
Attempting to log in as admin1 when already logged in as admin1 from elsewhere.
switch login: admin1
Password:
Too many logins for 'admin1'
After successful earlier logins, attempting to log in twice with an invalid password, followed by a successful login.
switch login: admin1
Password:
Login incorrect
switch login: admin1
Password:
Login incorrect
switch login: admin1
Password:
There were 2 failed login attempts since the last successful login
Last login: 2019-04-15 17:22:45 from 192.168.1.1
User 'admin1' has logged in 72 times in the past 25 days