Managing User Accounts
This chapter contains the following sections:
- Information About User Accounts
- Guidelines and Limitations for Creating User Accounts
- Guidelines for Creating User Accounts
- Default Settings for User Access
- Verifying the User Access Configuration
- MIBs
- Feature History for User Accounts
Information About User Accounts
Access to the Cisco Nexus 1000V is accomplished by setting up user accounts that define the specific actions permitted by each user. You can create up to 256 user accounts. Each user account includes the following criteria:
Role
A role is a collection of rules that define the specific actions that can be shared by a group of users. The following broadly defined roles, for example, can be assigned to user accounts. These roles are predefined in the Cisco Nexus 1000V and cannot be modified:
role: network-admin
  description: Predefined network admin role has access to all commands on the switch
  -------------------------------------------------------------------
  Rule    Perm    Type        Scope               Entity
  -------------------------------------------------------------------
  1       permit  read-write
role: network-operator
  description: Predefined network operator role has access to all read commands on the switch
  -------------------------------------------------------------------
  Rule    Perm    Type        Scope               Entity
  -------------------------------------------------------------------
  1       permit  read
You can create an additional 64 roles that define access for users.
Each user account must be assigned at least one role and can be assigned up to 64 roles.
Roles that you create permit access, by default, only to the show, exit, end, and configure terminal commands. You must add rules to allow users to configure features.
Username
A username identifies an individual user by a unique character string, such as daveGreen. Usernames are case sensitive and can consist of up to 28 alphanumeric characters. A username consisting of all numerals is not allowed. If an all-numeric username exists on an AAA server and is entered during login, the user is not logged in.
Password
A password is a case-sensitive character string that enables access by a specific user and helps prevent unauthorized access. You can add a user without a password, but they may not be able to access the device. Passwords should be strong so that they cannot be easily guessed for unauthorized access.
The following characters are not permitted in clear text passwords:
The following special characters are not permitted at the beginning of the password:
The following table lists the characteristics of strong passwords.
| Strong passwords have: | Strong passwords do not have: |
|---|---|
| At least eight characters | Consecutive characters, such as “abcd” |
| Uppercase letters | Repeating characters, such as “aaabbb” |
| Lowercase letters | Dictionary words |
| Numbers | Proper names |
| Special characters | |
Some examples of strong passwords are as follows:
Check of Password Strength
The device checks password strength automatically by default. When you add a username and password, the strength of the password is evaluated. If it is a weak password, the following error message is displayed to notify you:
switch# config terminal
switch(config)# username daveGreen password davey
password is weak
Password should contain characters from at least three of the classes: lower case letters, upper case letters, digits, and special characters
Password strength checking can be disabled.
Expiration Date
By default, a user account does not expire. You can, however, explicitly configure an expiration date on which the account will be disabled.
Guidelines and Limitations for Creating User Accounts
- You can create up to 64 roles in addition to the two predefined user roles.
- You can create up to 256 rules in a user role.
- You can create up to 64 feature groups.
- You can add up to 256 users.
- You can assign a maximum of 64 user roles to a user account.
- If you have a user account that has the same name as a remote user account on an AAA server, the user roles for the local user account are applied to the remote user, not the user roles configured on the AAA server.
Guidelines for Creating User Accounts
- You can add up to 256 user accounts
- Changes to user accounts do not take effect until the user logs in and creates a new session.
- Do not use the following words in user accounts. These words are reserved for other purposes:
  adm, gdm, mtuser, rpcuser, bin, gopher, news, shutdown, daemon, halt, lp, nobody, sync, ftp, mail, nscd, sys, ftpuser, mailnull, operator, uucp, games, man, rpc, xfs
- You can add a user password as either clear text or encrypted.
- A user account can have up to 64 roles, but must have at least one role. For more information about roles, see Guidelines for Creating User Accounts.
- If you do not specify a password, the user might not be able to log in.
- For information about using SSH public keys instead of passwords, see Configuring an OpenSSH Key.
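As an added example (not Cisco code, and not the switch's own strength check), this Python script pre-checks a proposed username and password against the rules this chapter documents: the 28-character alphanumeric, not-all-numeric username limit, the reserved words above, and the strong-password table together with the three-of-four character-class requirement from the "password is weak" message. The run lengths used to detect consecutive and repeating characters are assumptions.

```python
"""Pre-check of a proposed username/password against the rules this chapter documents.
Added example: not Cisco code, and not the switch's own strength check."""
import re
import string

# Reserved words from the guidelines in this chapter (may not be used as usernames).
RESERVED = {
    "adm", "gdm", "mtuser", "rpcuser", "bin", "gopher", "news", "shutdown", "daemon",
    "halt", "lp", "nobody", "sync", "ftp", "mail", "nscd", "sys", "ftpuser", "mailnull",
    "operator", "uucp", "games", "man", "rpc", "xfs",
}
# The four character classes named in the "password is weak" message.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)

def check_username(name):
    """Return the documented username rules that `name` breaks (empty list = acceptable)."""
    problems = []
    if not 1 <= len(name) <= 28:
        problems.append("must be 1 to 28 characters")
    if not re.fullmatch(r"[A-Za-z0-9]+", name):
        problems.append("only alphanumeric characters are allowed")
    if name.isdigit():
        problems.append("an all-numeric username is not allowed")
    if name.lower() in RESERVED:
        problems.append("reserved word")
    return problems

def _sequential_run(pw, length):
    """True if `length` characters in a row each follow the previous one ("abcd", "1234")."""
    return any(all(ord(pw[i + k + 1]) - ord(pw[i + k]) == 1 for k in range(length - 1))
               for i in range(len(pw) - length + 1))

def _repeated_run(pw, length):
    """True if one character is repeated `length` times in a row ("aaa")."""
    return any(len(set(pw[i:i + length])) == 1 for i in range(len(pw) - length + 1))

def check_password(pw):
    """Return the strong-password rules that `pw` breaks. Run lengths 4 and 3 are assumptions
    (the chapter only shows "abcd" and "aaabbb"); dictionary words/proper names need a word list."""
    problems = []
    if len(pw) < 8:
        problems.append("fewer than eight characters")
    if sum(any(c in cls for c in pw) for cls in CLASSES) < 3:
        problems.append("needs characters from at least three of: lower, upper, digits, special")
    if _sequential_run(pw, 4):
        problems.append('consecutive characters, such as "abcd"')
    if _repeated_run(pw, 3):
        problems.append('repeating characters, such as "aaabbb"')
    return problems
```

The chapter's own examples behave as expected: daveGreen and the password 4Ty18Rnt pass, while davey is rejected for length and for using a single character class.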
Default Settings for User Access
| Parameters | Default |
|---|---|
| User account password | Undefined |
| User account expiration date | None |
| User account role | Network-operator |
| Interface policy | All interfaces are accessible |
| VLAN policy | All VLANs are accessible |
Configuring User Access
Enabling the Check of Password Strength
Use this procedure to enable the Cisco Nexus 1000V to check the strength of passwords to avoid creating weak passwords for user accounts.
Checking password strength is enabled by default. This procedure can be used to enable it again should it become disabled.
Before beginning this procedure, you must be logged in to the CLI in EXEC mode.
1. switch# configure terminal
2. switch(config)# password strength-check
3. (Optional) switch(config)# show password strength-check
4. (Optional) switch(config)# copy running-config startup-config
DETAILED STEPS
switch# configure terminal
switch(config)# password strength-check
switch(config)# show password strength-check
Password strength check enabled
switch(config)# copy running-config startup-config
Disabling the Check of Password Strength
Before beginning this procedure, you must be logged in to the CLI in EXEC mode.
1. switch# configure terminal
2. switch(config)# no password strength-check
3. (Optional) switch(config)# show password strength-check
4. (Optional) switch(config)# copy running-config startup-config
DETAILED STEPS
switch# configure terminal
switch(config)# no password strength-check
switch(config)# show password strength-check
switch(config)# copy running-config startup-config
Creating a User Account
Before beginning this procedure, you must be logged in to the CLI in EXEC mode.
1. switch# configure terminal
2. (Optional) switch(config)# show role
3. switch(config)# username name [password [0 | 5] password] [expire date] [role role-name]
4. switch(config)# show user-account username
5. (Optional) switch(config)# copy running-config startup-config
DETAILED STEPS
switch# configure terminal
switch(config)# show role
switch(config)# username NewUser password 4Ty18Rnt
switch(config)# show user-account NewUser
user: NewUser
this user account has no expiry date
roles:network-operator network-admin
switch# copy running-config startup-config
Creating a Role
- Before beginning this procedure, you must be logged in to the CLI in EXEC mode.
- You can configure up to 64 user roles.
- You can configure up to 256 rules for each role.
- You can assign a single role to more than one user.
- The rule number specifies the order in which it is applied, in descending order. For example, if a role has three rules, rule 3 is applied first, rule 2 is applied next, and rule 1 is applied last.
- By default, the user roles that you create allow access only to the show, exit, end, and configure terminal commands. You must add rules to allow users to configure features.
- switch(config-role)# rule number {deny | permit} {read | read-write}
  Creates one rule to permit or deny all operations.
- switch(config-role)# rule number {deny | permit} {read | read-write} feature feature-name
  Creates a rule for feature access. Use the show role feature command to display a list of available features.
- switch(config-role)# rule number {deny | permit} {read | read-write} feature-group group-name
  Creates a rule for feature group access. Use the show role feature-group command to display a list of feature groups.
1. switch# configure terminal
2. switch(config)# role name role-name
3. (Optional) switch(config-role)# description description-string
4. switch(config-role)# rule number {deny | permit} command command-string
5. Repeat Step 4 to create all needed rules for the specified role.
6. (Optional) switch(config-role)# show role
7. (Optional) switch(config-role)# copy running-config startup-config
DETAILED STEPS
switch# configure terminal
switch(config)# role name UserA
switch(config-role)# description Prohibits use of clear commands
switch(config-role)# rule 1 deny command clear users
switch(config-role)# rule 2 deny read-write

switch# configure terminal
switch(config)# role name UserA
switch(config-role)# rule 3 permit read feature snmp
switch(config-role)# rule 2 permit read feature dot1x
switch(config-role)# rule 1 deny command clear *
Creating a Feature Group
Use this procedure to create and configure a feature group. You can create up to 64 custom feature groups.
1. switch# configure terminal
2. switch(config)# role feature-group name group-name
3. switch(config-role-featuregrp)# show role feature
4. switch(config-role-featuregrp)# feature feature-name
5. (Optional) switch(config-role-featuregrp)# show role feature-group
6. (Optional) switch(config-role-featuregrp)# copy running-config startup-config
DETAILED STEPS
Configuring Interface Access
By default, a role allows access to all interfaces. You modify a role you have already created by denying access to all interfaces, and then permitting access to selected interfaces.
Before beginning this procedure you must have done the following:
1. switch# configure terminal
2. switch(config)# role name role-name
3. switch(config-role)# interface policy deny
4. switch(config-role-interface)# permit interface interface-list
5. (Optional) switch(config-role-interface)# show role role-name
6. (Optional) switch(config-role-featuregrp)# copy running-config startup-config
DETAILED STEPS
Configuring VLAN Access
By default, access is allowed to all VLANs. In this procedure you will modify a role you have already created by denying access to all VLANs, and then permitting access to selected VLANs.
Before beginning this procedure, you must:
1. switch# configure terminal
2. switch(config)# role name role-name
3. switch(config-role)# vlan policy deny
4. switch(config-role-vlan)# permit vlan vlan-range
5. (Optional) switch(config-role)# show role role-name
6. (Optional) switch(config-role)# copy running-config startup-config
DETAILED STEPS
Verifying the User Access Configuration
Use one of the following commands to verify the configuration.
| Command | Purpose |
|---|---|
| show role | Displays the available user roles and their rules. |
| show role feature | Displays a list of available features. |
| show role feature-group | Displays a list of available feature groups. |
| show startup-config security | Displays the user account configuration in the startup configuration. |
| show running-config security [all] | Displays the user account configuration in the running configuration. The all keyword displays the default values for the user accounts. |
| show user-account | Displays user account information. |
Configuration Examples
Configuration Example for Creating a Feature Group
switch# config terminal
switch(config-role)# role feature-group name security-features
switch(config-role)# feature radius
switch(config-role)# feature tacacs
switch(config-role)# feature dot1x
switch(config-role)# feature aaa
switch(config-role)# feature snmp
switch(config-role)# feature acl
switch(config-role)# feature access-list
Configuration Example for Creating a Role
switch# config terminal
switch(config)# role name UserA
switch(config-role)# rule 3 permit read feature snmp
switch(config-role)# rule 2 permit read feature dot1x
switch(config-role)# rule 1 deny command clear *
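As an added example that is not Cisco code, the following Python model shows the evaluation order described under Creating a Role: rules are applied from the highest number down and the first match decides, so a lower-numbered deny is never reached when a higher-numbered rule already matches the operation. How a command maps to an operation and a feature is supplied by the caller, and the matching semantics (read covers read operations only, read-write covers both, an unscoped rule covers all operations) are assumptions drawn from the rule descriptions in this chapter.

```python
"""Simplified model of role-rule evaluation as this chapter describes it: rules are
applied in descending rule-number order and the first matching rule decides.
Added example, not Cisco code; the matching semantics below are assumptions."""
import re
from fnmatch import fnmatch

# Commands a newly created role can run before any rules are added (from the chapter).
DEFAULT_ALLOWED = ("show", "exit", "end", "configure terminal")

def parse_rule(line):
    """Parse one 'rule N {deny|permit} ...' line as typed in config-role mode."""
    m = re.fullmatch(r"rule (\d+) (deny|permit) (read-write|read|command)\s*(.*)", line.strip())
    if not m:
        raise ValueError(f"unrecognised rule: {line!r}")
    num, action, kind, rest = m.groups()
    rule = {"num": int(num), "action": action}
    if kind == "command":
        rule["command"] = rest              # glob pattern such as 'clear *'
    else:
        rule["perm"] = kind                 # read -> read ops only; read-write -> both
        scope = rest.split()                # [] (all operations) or ['feature', 'snmp'] ...
        if len(scope) == 2:
            rule[scope[0]] = scope[1]       # key is 'feature' or 'feature-group'
    return rule

def _matches(rule, op, feature, command, groups):
    """Does this rule apply to the given operation ('read'/'write'), feature and command?"""
    if "command" in rule:
        return fnmatch(command, rule["command"])
    if rule["perm"] == "read" and op != "read":
        return False
    if "feature" in rule:
        return rule["feature"] == feature
    if "feature-group" in rule:
        return feature in groups.get(rule["feature-group"], ())
    return True                             # unscoped rule: all operations

def evaluate(rule_lines, op, feature, command, groups=None):
    """Return (decision, rule number). The number is None when no rule matched and the
    implicit default (only DEFAULT_ALLOWED commands permitted) made the decision."""
    rules = sorted((parse_rule(l) for l in rule_lines), key=lambda r: r["num"], reverse=True)
    for rule in rules:
        if _matches(rule, op, feature, command, groups or {}):
            return rule["action"], rule["num"]
    return ("permit" if command.startswith(DEFAULT_ALLOWED) else "deny"), None
```

Run against the UserA rules above, a write to snmp is denied by rule 1 only because rule 3 is read-only; a role whose rule 2 is an unscoped permit read-write never reaches a rule 1 deny at all.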
MIBs
| MIBs | MIBs Link |
|---|---|
| CISCO-COMMON-MGMT-MIB | To locate and download MIBs, go to the following URL: http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml |
Feature History for User Accounts
This table includes only the updates for those releases that have resulted in additions or changes to the feature.
| Feature Name | Releases | Feature Information |
|---|---|---|
| User Accounts | Release 5.2(1)IC1(1.1) | This feature was introduced. |