Information About User Accounts and RBAC
Cisco Nexus Series switches use role-based access control (RBAC) to define the amount of access that each user has when the user logs into the switch.
With RBAC, you define one or more user roles and then specify which management operations each user role is allowed to perform. When you create a user account for the switch, you associate that account with a user role, which then determines what the individual user is allowed to do on the switch.
User Roles
User roles contain rules that define the operations allowed for the user who is assigned the role. Each user role can contain multiple rules and each user can have multiple roles. For example, if role1 allows access only to configuration operations, and role2 allows access only to debug operations, users who belong to both role1 and role2 can access configuration and debug operations. You can also limit access to specific VLANs, and interfaces.
The switch provides the following default user roles:
- network-admin (superuser)
-
Complete read and write access to the entire switch.
- network-operator
-
Complete read access to the switch. However, the network-operator role cannot run the show running-config and show startup-config commands.
Note |
If you belong to multiple roles, you can execute a combination of all the commands permitted by these roles. Access to a command takes priority over being denied access to a command. For example, suppose a user has RoleA, which denied access to the configuration commands. However, the user also has RoleB, which has access to the configuration commands. In this case, the user has access to the configuration commands. |
Note |
Only network-admin user can perform a Checkpoint or Rollback in the RBAC roles. Though other users have these commands as a permit rule in their role, the user access is denied when you try to execute these commands. |
Rules
The rule is the basic element of a role. A rule defines what operations the role allows the user to perform. You can apply rules for the following parameters:
- Command
-
A command or group of commands defined in a regular expression.
- Feature
-
Commands that apply to a function provided by the Cisco Nexus device. Enter the show role feature command to display the feature names available for this parameter.
- Feature group
-
Default or user-defined group of features. Enter the show role feature-group command to display the default feature groups available for this parameter.
- OID
-
An SNMP object identifier (OID).
These parameters create a hierarchical relationship. The most basic control parameter is the command. The next control parameter is the feature, which represents all commands associated with the feature. The last control parameter is the feature group. The feature group combines related features and allows you to easily manage the rules.
SNMP OID is supported for RBAC. You can configure a read-only or read-and-write rule for an SNMP OID.
You can configure up to 256 rules for each role. The user-specified rule number determines the order in which the rules are applied. Rules are applied in descending order. For example, if a role has three rules, rule 3 is applied before rule 2, which is applied before rule 1.
User Role Policies
You can define user role policies to limit the switch resources that the user can access, or to limit access to interfaces, VLANs, and VSANs.
User role policies are constrained by the rules defined for the role. For example, if you define an interface policy to permit access to specific interfaces, the user does not have access to the interfaces unless you configure a command rule for the role to permit the interface command.
If a command rule permits access to specific resources (interfaces, VLANs), the user is permitted to access these resources, even if the user is not listed in the user role policies associated with that user.
User Account Configuration Restrictions
The following words are reserved and cannot be used to configure users:
-
adm
-
bin
-
daemon
-
ftp
-
ftpuser
-
games
-
gdm
-
gopher
-
halt
-
lp
-
mail
-
mailnull
-
man
-
mtsuser
-
news
-
nobody
-
san-admin
-
shutdown
-
sync
-
sys
-
uucp
-
xfs
User Password Requirements
Cisco Nexus device passwords are case sensitive and can contain alphanumeric characters. Special characters, such as the dollar sign ($) or the percent sign (%), are not allowed.
Note |
Beginning with Cisco NX-OS Release 7.2(0)N1(1), special characters, such as the dollar sign ($) or the percent sign (%), can be used in Cisco Nexus device passwords. |
Note |
Special characters, such as the dollar sign ($) or the percent sign (%), can be used in Cisco Nexus device passwords. |
If a password is trivial (such as a short, easy-to-decipher password), the Cisco Nexus device rejects the password. Be sure to configure a strong password for each user account. A strong password has the following characteristics:
-
At least eight characters long
-
Does not contain many consecutive characters (such as "abcd")
-
Does not contain many repeating characters (such as "aaabbb")
-
Does not contain dictionary words
-
Does not contain proper names
-
Contains both uppercase and lowercase characters
-
Contains numbers
The following are examples of strong passwords:
-
If2CoM18
-
2009AsdfLkj30
-
Cb1955S21
Note |
For security reasons, user passwords do not display in the configuration files. |