Managing User Accounts
This chapter describes how to configure user accounts and includes the following topics:
•Information About User Accounts
•Feature History for User Accounts
Information About User Accounts
Access to the Cisco Nexus 1000V is accomplished by setting up user accounts that define the specific actions permitted by each user. You can create up to 256 user accounts. Each user account includes the following criteria:
•Role
•User Name
•Password
•Expiration Date
Role
A role is a collection of rules that define the specific actions that can be shared by a group of users. The following broadly defined roles, for example, can be assigned to user accounts. These roles are predefined in the Cisco Nexus 1000V and cannot be modified:
role: network-admin
description: Predefined network admin role has access to all commands
on the switch
-------------------------------------------------------------------
Rule Perm Type Scope Entity
-------------------------------------------------------------------
1 permit read-write
role: network-operator
description: Predefined network operator role has access to all read
commands on the switch
-------------------------------------------------------------------
Rule Perm Type Scope Entity
-------------------------------------------------------------------
1 permit read
You can create an additional 64 roles that define access for users.
Each user account must be assigned at least one role and can be assigned up to 64 roles.
You can create roles that, by default, permit access to the following commands only. You must add rules to allow users to configure features.
•show
•exit
•end
•configure terminal
Table 2-1 describes the components that make up a role.
User Name
A user name identifies an individual user by a unique character string, such as daveGreen. User names are case sensitive and can consist of up to 28 alphanumeric characters. A user name consisting of all numerals is not allowed. If an all numeric user name exists on an AAA server and is entered during login, the user is not logged in.
Password
A password is a case-sensitive character string that enables access by a specific user and helps prevent unauthorized access. You can add a user without a password, but they may not be able to access the device. Passwords should be strong so that they cannot be easily guessed for unauthorized access.
The following characters are not permitted in clear text passwords:
•dollar signs ($)
•spaces
The following special characters are not permitted at the beginning of the password:
•quotation marks (" or ')
•vertical bars (|)
•right angle brackets (>)
Table 2-2 lists the characteristics of strong passwords.
The following are examples of strong passwords:
•If2CoM18
•2004AsdfLkj30
•Cb1955S21
Check of Password Strength
The device checks password strength automatically by default. When you add a user name and password, the strength of the password is evaluated. If it is a weak password, then the error message below displays to notify you.
n1000v# config t
n1000v(config)# username daveGreen password davey
password is weak
Password should contain characters from at least three of the classes:
lower case letters,upper case letters, digits, and special characters
Password strength-checking can be disabled.
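The following is an added example, not code from Cisco's documentation, that applies the password constraints stated on this page to a candidate clear-text password before it is typed into the username command: the characters that may not appear anywhere, the characters that may not lead the password, and the rule from the switch's own error message that at least three of the four character classes must be present. The switch's full strength criteria (Table 2-2) are not reproduced on this page, so anything beyond those stated rules is not modelled; the function names and messages are this example's own.

```python
# Characters the page forbids anywhere in a clear-text password
FORBIDDEN_ANYWHERE = {"$", " "}
# Characters the page forbids as the first character of a password
FORBIDDEN_LEADING = {'"', "'", "|", ">"}
# The switch's "password is weak" message asks for three of the four classes
REQUIRED_CLASSES = 3


def character_classes(password):
    """Return the subset of {lower, upper, digit, special} the password draws from."""
    classes = set()
    for ch in password:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("special")
    return classes


def password_problems(password):
    """Return the reasons (as strings) the page says this clear-text password
    would be rejected by the default strength check, or would leave the user
    unable to log in. An empty list means the password passes every check here."""
    if not password:
        # Page: an account without a password may not be able to access the device
        return ["no password given: the account may not be able to log in"]
    problems = []
    bad = sorted(set(password) & FORBIDDEN_ANYWHERE)
    if bad:
        problems.append("contains forbidden character(s): "
                        + " ".join(repr(c) for c in bad))
    if password[0] in FORBIDDEN_LEADING:
        problems.append(f"may not begin with {password[0]!r}")
    classes = character_classes(password)
    if len(classes) < REQUIRED_CLASSES:
        problems.append("password is weak: uses only " + ", ".join(sorted(classes))
                        + f" (needs {REQUIRED_CLASSES} of lower, upper, digit, special)")
    return problems


def is_acceptable(password):
    """True when none of the page's stated constraints is violated."""
    return not password_problems(password)


if __name__ == "__main__":
    # The page's three strong examples and its weak example "davey"
    for candidate in ("If2CoM18", "2004AsdfLkj30", "Cb1955S21", "davey", "Ab1$cdef"):
        print(f"{candidate!r}: {password_problems(candidate) or 'ok'}")
```

Running the check locally is useful when accounts are provisioned from a script, because the switch prints "password is weak" only after the username command has been entered, and a rejected command on a device where strength checking has been disabled would silently create the weak account instead.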
Expiration Date
By default, a user account does not expire. You can, however, explicitly configure an expiration date on which the account will be disabled.
Guidelines and Limitations
User access has the following configuration guidelines and limitations:
•You can create up to 64 roles in addition to the two predefined user roles.
•You can create up to 256 rules in a user role.
•You can create up to 64 feature groups.
•You can add up to 256 users.
•You can assign a maximum of 64 user roles to a user account.
•If you have a user account that has the same name as a remote user account on an AAA server, the user roles for the local user account are applied to the remote user, not the user roles configured on the AAA server.
Default Settings
Table 2-3 lists the default settings for user access.
Configuring User Access
This section includes the following topics:
•Enabling the Check of Password Strength
•Disabling the Check of Password Strength
Enabling the Check of Password Strength
Use this procedure to enable the Cisco Nexus 1000V to check the strength of passwords to avoid creating weak passwords for user accounts.
BEFORE YOU BEGIN
Before beginning this procedure, you must know or do the following.
•You are logged in to the CLI in EXEC mode.
•Checking password strength is enabled by default. This procedure can be used to enable it again should it become disabled.
SUMMARY STEPS
1. config t
2. password strength-check
3. show password strength-check
4. copy running-config startup-config
DETAILED STEPS
Disabling the Check of Password Strength
Use this procedure to disable the check of password strength.
BEFORE YOU BEGIN
Before beginning this procedure, you must know or do the following.
•You are logged in to the CLI in EXEC mode.
•Checking password strength is enabled by default. This procedure can be used to disable it.
SUMMARY STEPS
1. config t
2. no password strength-check
3. show password strength-check
4. copy running-config startup-config
DETAILED STEPS
Creating a User Account
Use this procedure to create and configure a user account, defining access to the Cisco Nexus 1000V.
BEFORE YOU BEGIN
Before beginning this procedure, you must know or do the following.
•You are logged in to the CLI in EXEC mode.
•You can add up to 256 user accounts.
•Changes to user accounts do not take effect until the user logs in and creates a new session.
•Do not use the following words in user accounts. These words are reserved for other purposes.
adm, bin, daemon, ftp, ftpuser, games, gdm, gopher, halt, lp, mailnull, man, mtsuser, news, nobody, nscd, operator, rpc, rpcuser, shutdown, sync, sys, uucp, xfs
•You can add a user password as either clear text or encrypted.
–Clear text passwords are encrypted before they are saved to the running configuration.
–Encrypted passwords are saved to the running configuration without further encryption.
•A user account can have up to 64 roles, but must have at least one role. For more information about roles, see the "Role" section.
•If you do not specify a password, the user might not be able to log in.
•For information about using SSH public keys instead of passwords, see the "Configuring a User Account with a Public Key" section on page 7-5.
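The following is an added example, not code from Cisco's documentation, that checks a proposed account name against the constraints this page states before the username command is run: the 28-character alphanumeric limit and the ban on all-numeric names from the "User Name" section, the reserved words listed above (the run-together "haltlp" in the extracted text is read here as the two system accounts halt and lp), the 256-account limit, and the guideline that a local account with the same name as a remote AAA account causes the local roles to be applied to the remote user. The function name, messages, and the optional lists of existing local and remote names are this example's own.

```python
import re

# Reserved words listed on the page, which may not be used as account names
# ("haltlp" in the extracted page is taken to be the two accounts halt and lp)
RESERVED_NAMES = frozenset("""
adm bin daemon ftp ftpuser games gdm gopher halt lp mailnull man
mtsuser news nobody nscd operator rpc rpcuser shutdown sync sys uucp xfs
""".split())

MAX_NAME_LENGTH = 28   # page: up to 28 alphanumeric characters
MAX_ACCOUNTS = 256     # page: up to 256 user accounts
NAME_RE = re.compile(r"[A-Za-z0-9]+")


def username_problems(name, local_accounts=(), remote_aaa_names=()):
    """Return the reasons the proposed account name should be rejected or
    reviewed before 'username <name> ...' is issued. Comparisons are
    case-sensitive, as the page says user names are."""
    problems = []
    if not NAME_RE.fullmatch(name) or len(name) > MAX_NAME_LENGTH:
        problems.append(f"must be 1-{MAX_NAME_LENGTH} alphanumeric characters")
    elif name.isdigit():
        # Page: an all-numeric name is not allowed, and such a name on an AAA
        # server is refused at login as well
        problems.append("all-numeric user names are not allowed")
    if name in RESERVED_NAMES:
        problems.append(f"{name!r} is reserved for system use")
    if name in local_accounts:
        problems.append("a local account with this name already exists")
    elif len(local_accounts) >= MAX_ACCOUNTS:
        problems.append(f"the {MAX_ACCOUNTS}-account limit is already reached")
    if name in remote_aaa_names:
        # Page: the local account's roles are applied to the remote user,
        # not the roles configured on the AAA server, so flag the overlap
        problems.append("same name as a remote AAA account: local roles will "
                        "override the AAA-configured roles")
    return problems


if __name__ == "__main__":
    # Constructed sample of names already present locally and on the AAA server
    local = {"daveGreen", "netops1"}
    remote = {"daveGreen", "auditor"}
    for candidate in ("daveGreen", "davegreen", "12345", "operator", "auditor", "a" * 29):
        print(f"{candidate!r}: {username_problems(candidate, local, remote) or 'ok'}")
```

The AAA-overlap check is a review flag rather than a hard error: the page does not forbid the overlap, but an administrator who expects the AAA server's role assignment to govern the user will be surprised when the local roles win, so the script surfaces it for a deliberate decision.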
SUMMARY STEPS
1. config t
2. show role
3. username user-name [password [0 | 5] password] [expire date] [role role-name]
4. show user-account user-name
5. copy running-config startup-config
DETAILED STEPS
Step | Command | Purpose |
---|---|---|
Step 1 | config t Example: n1000v# config t n1000v(config)# | Places you into the CLI Global Configuration mode. |
Step 2 | show role Example: n1000v(config)# show role | (Optional) Displays the available roles that can be assigned to users. You can create a new user role with the "Creating a Role" procedure. |
Step 3 | username name [password [0 \| 5] password] [expire date] [role role-name] Example: n1000v(config)# username NewUser password 4Ty18Rnt | Creates a user account. •name: A case-sensitive, alphanumeric character string of up to 28 characters in length. •password: The default password is undefined. –0 = (the default) Specifies that the password you are entering is in clear text. The Cisco Nexus 1000V encrypts the clear text password before saving it in the running configuration. In the example shown, the password 4Ty18Rnt is encrypted in your running configuration in password 5 format. –5 = Specifies that the password you are entering is already in encrypted format. The Cisco Nexus 1000V does not encrypt the password before saving it in the running configuration. User passwords are not displayed in the configuration files. •expire date: YYYY-MM-DD. •role: You must assign at least one role. You can assign up to 64 roles. The default role is network-operator. |
Step 4 | show user-account username Example: n1000v(config)# show user-account NewUser user:NewUser this user account has no expiry date roles:network-operator network-admin n1000v(config)# | Displays the new user account configuration. |
Step 5 | copy running-config startup-config Example: n1000v# copy running-config startup-config | (Optional) Saves the running configuration persistently through reboots and restarts by copying it to the startup configuration. |
Creating a Role
Use this procedure to create a role defining a set of specific actions that are permitted or denied. This role will be assigned to users whose access requirements match the actions defined.
BEFORE YOU BEGIN
Before beginning this procedure, you must know or do the following:
•You are logged in to the CLI in EXEC mode.
•You can configure up to 64 user roles.
•You can configure up to 256 rules for each role.
•You can assign a single role to more than one user.
•The rule number specifies the order in which it is applied, in descending order. For example, if a role has three rules, rule 3 is applied first, rule 2 is applied next, and rule 1 is applied last.
•By default, the user roles that you create allow access only to the show, exit, end, and configure terminal commands. You must add rules to allow users to configure features.
SUMMARY STEPS
1. config t
2. role name role-name
3. (Optional) description string
4. rule number {deny | permit} command command-string
   rule number {deny | permit} {read | read-write}
   rule number {deny | permit} {read | read-write} feature feature-name
   rule number {deny | permit} {read | read-write} feature-group group-name
5. Repeat Step 4 to create all needed rules for this role.
6. show role
7. copy running-config startup-config
DETAILED STEPS
Step | Command | Purpose |
---|---|---|
Step 1 | config t Example: n1000v# config t n1000v(config)# | Places you into the CLI Global Configuration mode. |
Step 2 | role name role-name Example: n1000v(config)# role name UserA n1000v(config-role)# | Names a user role and places you in Role Configuration mode for that role. The name is a case-sensitive, alphanumeric string of up to 16 characters. |
Step 3 | description description-string Example: n1000v(config-role)# description Prohibits use of clear commands | (Optional) Configures the role description, which can include spaces. |
Step 4 | rule number {deny \| permit} command command-string Example: n1000v(config-role)# rule 1 deny command clear users | Creates a rule to permit or deny a specific command. The command you specify can contain spaces and regular expressions. For example, "interface ethernet *" permits/denies access to all Ethernet interfaces. This example rule denies access to the clear users command. |
 | rule number {deny \| permit} {read \| read-write} Example: n1000v(config-role)# rule 2 deny read-write | Creates a blanket rule to permit or deny all operations. This example rule permits read-only access for any operation. |
 | rule number {deny \| permit} {read \| read-write} feature feature-name Example: n1000v(config-role)# rule 3 permit read feature eth-port-sec | Creates a rule for feature access. Use the show role feature command to display a list of available features. This example rule permits users read-only access to the Ethernet port security feature. |
 | rule number {deny \| permit} {read \| read-write} feature-group group-name Example: n1000v(config-role)# rule 4 deny read-write feature-group eth-port-sec | Creates a rule for feature group access. Use the show role feature-group command to display a list of feature groups. This example configures a rule denying access to a feature group. |
Step 5 | Repeat Step 4 to create all needed rules for the specified role. | |
Step 6 | show role Example: n1000v(config)# show role | (Optional) Displays the user role configuration. |
Step 7 | copy running-config startup-config Example: n1000v(config)# copy running-config startup-config | (Optional) Saves the running configuration persistently through reboots and restarts by copying it to the startup configuration. |
Creating a Feature Group
Use this procedure to create and configure a feature group.
BEFORE YOU BEGIN
Before beginning this procedure, you must know or do the following:
•You are logged in to the CLI in EXEC mode.
•You can create up to 64 custom feature groups.
SUMMARY STEPS
1. config t
2. role feature-group name group-name
3. show role feature
4. feature feature-name
5. Repeat Step 4 for all features to be added to the feature group.
6. show role feature-group
7. copy running-config startup-config
DETAILED STEPS
Step | Command | Purpose |
---|---|---|
Step 1 | config t Example: n1000v# config t n1000v(config)# | Places you into the CLI Global Configuration mode. |
Step 2 | role feature-group name group-name Example: n1000v(config)# role feature-group name GroupA n1000v(config-role-featuregrp)# | Places you into the Role Feature Group Configuration mode for the named group. •group-name: A case-sensitive, alphanumeric string of up to 32 characters in length. |
Step 3 | show role feature Example: n1000v(config-role-featuregrp)# show role feature feature: aaa feature: access-list feature: cdp feature: install . . . n1000v(config-role-featuregrp)# | Displays a list of available features for use in defining the feature group. |
Step 4 | feature feature-name Example: n1000v(config-role-featuregrp)# feature syslog n1000v(config-role-featuregrp)# | Adds a feature to the feature group. |
Step 5 | Repeat Step 4 for all features to be added to the feature group. | |
Step 6 | show role feature-group Example: n1000v(config-role-featuregrp)# show role feature-group feature group: GroupA feature: syslog feature: snmp feature: ping n1000v(config-role-featuregrp)# | (Optional) Displays the feature group configuration. |
Step 7 | copy running-config startup-config Example: n1000v(config-role-featuregrp)# copy running-config startup-config | (Optional) Saves the running configuration persistently through reboots and restarts by copying it to the startup configuration. |
Configuring Interface Access
Use this procedure to configure interface access for a specific role.
BEFORE YOU BEGIN
Before beginning this procedure, you must know or do the following:
•You are logged in to the CLI in EXEC mode.
•You have already created one or more user roles using the "Creating a Role" procedure. In this procedure, you will be modifying a role you have already created.
•By default, a role allows access to all interfaces. In this procedure you will, first, deny access to all interfaces and then permit access to selected interfaces.
SUMMARY STEPS
1. config t
2. role name role-name
3. interface policy deny
4. permit interface interface-list
5. show role
6. copy running-config startup-config
DETAILED STEPS
Configuring VLAN Access
Use this procedure to define the VLAN access for a role.
BEFORE YOU BEGIN
Before beginning this procedure, you must know or do the following:
•You are logged in to the CLI in EXEC mode.
•You have already created one or more user roles using the "Creating a Role" procedure. In this procedure, you will be modifying a role you have already created.
•By default, access is allowed to all VLANs. In this procedure you will, first, deny access to all VLANs and then permit access to selected VLANs.
SUMMARY STEPS
1. config t
2. role name role-name
3. vlan policy deny
4. permit vlan vlan-range
5. exit
6. show role
7. copy running-config startup-config
DETAILED STEPS
Verifying the User Access Configuration
To display user account and RBAC configuration information, perform one of the following tasks:
Example Configuration
The following example shows how to configure a role:
role name UserA
rule 3 permit read feature snmp
rule 2 permit read feature dot1x
rule 1 deny command clear *
The following example shows how to configure a feature group:
role feature-group name Security-features
feature radius
feature tacacs
feature dot1x
feature aaa
feature snmp
feature acl
feature access-list
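The following is an added example, not code from Cisco's documentation or the NX-OS software, that parses the role and feature group from the Example Configuration above (plus one constructed role, SecOps, that references the feature group) and walks the rules the way the "Creating a Role" guidelines describe: the highest-numbered rule is tried first, rule 1 last, and a role with no matching rule falls back to the show, exit, end and configure terminal commands. Three things are this example's assumptions rather than documented NX-OS behaviour: the first matching rule decides, a read rule governs only read requests while a read-write rule governs both, and a command pattern is matched as a regular expression anchored at the start of the command.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Commands a newly created role permits before any rule is added (from the page)
DEFAULT_ALLOWED = ("show", "exit", "end", "configure terminal")


@dataclass
class Rule:
    number: int
    action: str              # "permit" or "deny"
    kind: str                # "command", "all", "feature" or "feature-group"
    access: Optional[str]    # "read" or "read-write"; None for command rules
    target: Optional[str]    # command pattern, feature or group name; None for "all"


@dataclass
class Role:
    name: str
    rules: dict = field(default_factory=dict)   # rule number -> Rule


def parse_config(text):
    """Parse 'role name'/'rule' and 'role feature-group name'/'feature' lines.
    Other lines (description, vlan policy, ...) are ignored by this model."""
    roles, groups, current = {}, {}, None
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[:3] == ["role", "feature-group", "name"]:
            current = groups.setdefault(tok[3], [])
        elif tok[:2] == ["role", "name"]:
            current = roles.setdefault(tok[2], Role(tok[2]))
        elif tok[0] == "rule" and isinstance(current, Role):
            number, action = int(tok[1]), tok[2]
            if tok[3] == "command":
                rule = Rule(number, action, "command", None, " ".join(tok[4:]))
            elif len(tok) == 4:            # rule N permit|deny read|read-write
                rule = Rule(number, action, "all", tok[3], None)
            else:                          # ... feature X  or  ... feature-group G
                rule = Rule(number, action, tok[4], tok[3], tok[5])
            current.rules[number] = rule
        elif tok[0] == "feature" and isinstance(current, list):
            current.append(tok[1])
    return roles, groups


def _matches(rule, groups, command, feature, access):
    if rule.kind == "command":
        # Page: command strings may hold regular expressions ("interface ethernet *");
        # modelled as a regex match anchored at the start of the command
        return re.match(rule.target, command) is not None
    # Modelled scope: a read rule covers read requests only, read-write covers both
    if access == "read-write" and rule.access == "read":
        return False
    if rule.kind == "all":
        return True
    if rule.kind == "feature":
        return feature == rule.target
    if rule.kind == "feature-group":
        return feature in groups.get(rule.target, ())
    return False


def authorize(role, groups, command, feature=None, access="read"):
    """Decide whether `role` may run `command` (touching `feature` with `access`).
    Rules are tried from the highest number down, as the page describes;
    first match wins (model assumption). Returns (decision, reason)."""
    for number in sorted(role.rules, reverse=True):
        rule = role.rules[number]
        if _matches(rule, groups, command, feature, access):
            return rule.action, f"rule {number}"
    if any(command == d or command.startswith(d + " ") for d in DEFAULT_ALLOWED):
        return "permit", "default command set"
    return "deny", "no matching rule"


# The page's example role and feature group, plus a constructed role that uses the group
SAMPLE_CONFIG = """
role name UserA
  rule 3 permit read feature snmp
  rule 2 permit read feature dot1x
  rule 1 deny command clear *
role feature-group name Security-features
  feature radius
  feature tacacs
  feature dot1x
  feature aaa
  feature snmp
  feature acl
  feature access-list
role name SecOps
  rule 1 permit read-write feature-group Security-features
"""
ROLES, GROUPS = parse_config(SAMPLE_CONFIG)


def check(role_name, command, feature=None, access="read"):
    return authorize(ROLES[role_name], GROUPS, command, feature, access)


if __name__ == "__main__":
    for args in (("UserA", "show snmp community", "snmp"),
                 ("UserA", "snmp-server community public", "snmp", "read-write"),
                 ("UserA", "clear counters", None, "read-write"),
                 ("UserA", "show version"),
                 ("SecOps", "aaa authentication login default group tacacs+", "aaa", "read-write")):
        print(args, "->", check(*args))
```

Walking a candidate role through a model like this before it is assigned to users makes the ordering guideline concrete: because rule 1 is evaluated last, the blanket "deny command clear *" in UserA only applies to commands that none of the higher-numbered feature rules claimed, and a read-only feature rule does nothing to stop a write request, which then falls through to the default set and is denied.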
Additional References
For additional information related to implementing RBAC, see the following sections:
•Related Documents
•Standards
•MIBs
Related Documents
Standards
Standards | Title |
---|---|
No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature. | — |
MIBs
MIBs | MIBs Link |
---|---|
CISCO-COMMON-MGMT-MIB | To locate and download MIBs, go to the following URL: http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml |
Feature History for User Accounts
This section provides the user accounts release history.
Feature Name | Releases | Feature Information |
---|---|---|
User Accounts | 4.0 | This feature was introduced. |