Contents
- Managing User Accounts
- Information About User Accounts
- Role
- Username
- Password
- Check of Password Strength
- Expiration Date
- Guidelines and Limitations for Creating User Accounts
- Guidelines for Creating User Accounts
- Default Settings for User Access
- Configuring User Access
- Enabling the Check of Password Strength
- Disabling the Check of Password Strength
- Creating a User Account
- Creating a Role
- Creating a Feature Group
- Configuring Interface Access
- Configuring VLAN Access
- Verifying the User Access Configuration
- Configuration Examples
- Configuration Example for Creating a Feature Group
- Configuration Example for Creating a Role
- MIBs
- Feature History for User Accounts
Managing User Accounts
This chapter contains the following sections:
- Information About User Accounts
- Guidelines and Limitations for Creating User Accounts
- Guidelines for Creating User Accounts
- Default Settings for User Access
- Configuring User Access
- Verifying the User Access Configuration
- Configuration Examples
- MIBs
- Feature History for User Accounts
Information About User Accounts
Access to the Cisco Nexus 1000V is accomplished by setting up user accounts that define the specific actions permitted by each user. You can create up to 256 user accounts. Each user account includes the following criteria:
Role
A role is a collection of rules that defines the specific actions that can be shared by a group of users. For example, the following two broadly defined roles are predefined in the Cisco Nexus 1000V, can be assigned to user accounts, and cannot be modified:
```
role: network-admin
  description: Predefined network admin role has access to all commands on the switch
  -------------------------------------------------------------------
  Rule    Perm    Type        Scope               Entity
  -------------------------------------------------------------------
  1       permit  read-write

role: network-operator
  description: Predefined network operator role has access to all read commands on the switch
  -------------------------------------------------------------------
  Rule    Perm    Type        Scope               Entity
  -------------------------------------------------------------------
  1       permit  read
```
You can create an additional 64 roles that define access for users.
Each user account must be assigned at least one role and can be assigned up to 64 roles.
Roles that you create permit access, by default, only to the show, exit, end, and configure terminal commands. You must add rules to allow users to configure features.
Username
A username identifies an individual user by a unique character string, such as daveGreen. Usernames are case sensitive and can consist of up to 28 alphanumeric characters. A username consisting of all numerals is not allowed. If an all-numeric username exists on an AAA server and is entered during login, the user is not logged in.
Password
A password is a case-sensitive character string that enables access by a specific user and helps prevent unauthorized access. You can add a user without a password, but they may not be able to access the device. Passwords should be strong so that they cannot be easily guessed for unauthorized access.
The following characters are not permitted in clear text passwords:
The following special characters are not permitted at the beginning of the password:
The following table lists the characteristics of strong passwords.
| Strong passwords have: | Strong passwords do not have: |
|---|---|
| At least eight characters | Consecutive characters, such as "abcd" |
| Uppercase letters | Repeating characters, such as "aaabbb" |
| Lowercase letters | Dictionary words |
| Numbers | Proper names |
| Special characters | |
Some examples of strong passwords are as follows:
Check of Password Strength
The device checks password strength automatically by default. When you add a username and password, the strength of the password is evaluated. If it is a weak password, the following error message is displayed to notify you:
```
switch# config terminal
switch(config)# username daveGreen password davey
password is weak
Password should contain characters from at least three of the classes: lower case letters, upper case letters, digits, and special characters
```
Password strength checking can be disabled.
Expiration Date
By default, a user account does not expire. You can, however, explicitly configure an expiration date on which the account will be disabled.
Guidelines and Limitations for Creating User Accounts
You can create up to 64 roles in addition to the two predefined user roles.
You can create up to 256 rules in a user role.
You can create up to 64 feature groups.
You can add up to 256 users.
You can assign a maximum of 64 user roles to a user account.
If you have a user account that has the same name as a remote user account on an AAA server, the user roles for the local user account are applied to the remote user, not the user roles configured on the AAA server.
Guidelines for Creating User Accounts
You can add up to 256 user accounts.
Changes to user accounts do not take effect until the user logs in and creates a new session.
Do not use the following words in user accounts. These words are reserved for other purposes: adm, bin, daemon, ftp, ftpuser, games, gdm, gopher, halt, lp, mail, mailnull, man, mtuser, news, nobody, nscd, operator, rpc, rpcuser, shutdown, sync, sys, uucp, xfs.
You can add a user password as either clear text or encrypted.
A user account can have up to 64 roles, but must have at least one role.
If you do not specify a password, the user might not be able to log in.
For information about using SSH public keys instead of passwords, see Configuring an OpenSSH Key.
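The following Python script is an added example and is not part of the Cisco guide or the switch software. It applies, before a username command is pushed to the device, the rules stated in the Password, Check of Password Strength and Guidelines sections above: the "at least three character classes" rule that the device prints when a password is weak, the strong-password table (length, consecutive and repeating runs, dictionary words and proper names), and the username limits (up to 28 alphanumeric characters, not all numerals, not a reserved word). The word list, the run lengths used for "consecutive" and "repeating", and the case-insensitive comparison against reserved words are assumptions; the device does not document those thresholds.

```python
"""Pre-flight checks for a local user account request, run before the
username/password command is sent to a Nexus 1000V. Added example, not Cisco
code. The rules come from this page; the dictionary word list and the run
lengths for 'consecutive' and 'repeating' characters are assumptions."""
import re

MIN_PASSWORD_LENGTH = 8
MAX_USERNAME_LENGTH = 28
# Constructed stand-in for a real dictionary / proper-name list.
DICTIONARY_WORDS = frozenset({"password", "admin", "cisco", "switch", "dave", "green"})
# Reserved words from the "Guidelines for Creating User Accounts" list.
RESERVED_USERNAMES = frozenset({
    "adm", "gdm", "mtuser", "rpcuser", "bin", "gopher", "news", "shutdown",
    "daemon", "halt", "lp", "nobody", "sync", "ftp", "mail", "nscd", "sys",
    "ftpuser", "mailnull", "operator", "uucp", "games", "man", "rpc", "xfs",
})
_ALNUM = re.compile(r"^[A-Za-z0-9]+$")
# Wording of the device's own error message, quoted from this page.
CLASS_RULE = ("Password should contain characters from at least three of the classes: "
              "lower case letters, upper case letters, digits, and special characters")


def character_classes(pw):
    """Return the set of character classes (lower/upper/digit/special) present in pw."""
    classes = set()
    for ch in pw:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("special")
    return classes


def has_consecutive_run(pw, length=4):
    """True if `length` adjacent characters ascend by one code point ('abcd', '1234')."""
    return any(all(ord(pw[i + j + 1]) - ord(pw[i + j]) == 1 for j in range(length - 1))
               for i in range(len(pw) - length + 1))


def has_repeating_run(pw, length=3):
    """True if one character is repeated `length` times in a row ('aaa')."""
    return any(len(set(pw[i:i + length])) == 1 for i in range(len(pw) - length + 1))


def check_password(pw):
    """Return the list of reasons the password is weak; an empty list means acceptable."""
    reasons = []
    if len(character_classes(pw)) < 3:
        reasons.append(CLASS_RULE)
    if len(pw) < MIN_PASSWORD_LENGTH:
        reasons.append("fewer than %d characters" % MIN_PASSWORD_LENGTH)
    if has_consecutive_run(pw):
        reasons.append("consecutive characters, such as 'abcd'")
    if has_repeating_run(pw):
        reasons.append("repeating characters, such as 'aaabbb'")
    lowered = pw.lower()
    if any(word in lowered for word in DICTIONARY_WORDS):
        reasons.append("contains a dictionary word or proper name")
    return reasons


def check_username(name):
    """Return the list of username rule violations; an empty list means acceptable."""
    if not name:
        return ["username is empty"]
    problems = []
    if len(name) > MAX_USERNAME_LENGTH:
        problems.append("longer than %d characters" % MAX_USERNAME_LENGTH)
    if not _ALNUM.match(name):
        problems.append("contains characters other than letters and digits")
    if name.isdigit():
        problems.append("consists of numerals only")
    # Usernames are case sensitive on the device; the reserved words are system
    # account names, so they are compared case-insensitively here (assumption).
    if name.lower() in RESERVED_USERNAMES:
        problems.append("'%s' is a reserved word" % name)
    return problems


def validate_account(name, pw):
    """Run both checks; returns (ok, list_of_problems)."""
    problems = ["username: " + p for p in check_username(name)]
    problems += ["password: " + p for p in check_password(pw)]
    return (not problems, problems)


if __name__ == "__main__":
    # Constructed requests: the weak example from this page, the account from the
    # "Creating a User Account" example, and an all-numeric name.
    for user, pw in (("daveGreen", "davey"), ("NewUser", "4Ty18Rnt"), ("1234", "Abcd1234!")):
        ok, problems = validate_account(user, pw)
        print(user, "OK" if ok else problems)
```

Running the script rejects daveGreen/davey for the same class-count reason the switch prints, accepts NewUser/4Ty18Rnt, and flags the all-numeric username and the "1234" run in the last request.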
Default Settings for User Access
| Parameters | Default |
|---|---|
| User account password | Undefined |
| User account expiration date | None |
| User account role | Network-operator |
| Interface policy | All interfaces are accessible |
| VLAN policy | All VLANs are accessible |
Configuring User Access
Enabling the Check of Password Strength
You can enable the Cisco Nexus 1000V to check the strength of passwords to avoid creating weak passwords for user accounts.
Checking password strength is enabled by default. This procedure can be used to enable it again should it become disabled.
Log in to the CLI in EXEC mode.
This example shows how to check the strength of your password:
```
switch# configure terminal
switch(config)# password strength-check
switch(config)# show password strength-check
Password strength check enabled
switch(config)# copy running-config startup-config
```
Disabling the Check of Password Strength
Log in to the CLI in EXEC mode.
This example shows how to disable the check of password strength:
```
switch# configure terminal
switch(config)# no password strength-check
switch(config)# show password strength-check
switch(config)# copy running-config startup-config
```
Creating a User Account
Log in to the CLI in EXEC mode.
This example shows how to create a user account:
```
switch# configure terminal
switch(config)# show role
switch(config)# username NewUser password 4Ty18Rnt
switch(config)# show user-account NewUser
user: NewUser
        this user account has no expiry date
        roles:network-operator network-admin
switch# copy running-config startup-config
```
Creating a Role
Log in to the CLI in EXEC mode.
Know that you can configure up to 64 user roles.
Know that you can configure up to 256 rules for each role.
Know that you can assign a single role to more than one user.
Know that the rule number specifies the order in which it is applied, in descending order. For example, if a role has three rules, rule 3 is applied first, rule 2 is applied next, and rule 1 is applied last.
Know that by default, the user roles that you create allow access only to the show, exit, end, and configure terminal commands. You must add rules to allow users to configure features.
This example shows how to create a role:
```
switch# configure terminal
switch(config)# role name UserA
switch(config-role)# description Prohibits use of clear commands
switch(config-role)# rule 1 deny command clear users
switch(config-role)# rule 2 deny read-write
switch(config-role)# rule 3 permit read feature eth-port-sec
switch(config-role)# rule 4 deny read-write feature-group eth-port-sec
```
```
switch# configure terminal
switch(config)# role name UserA
switch(config-role)# rule 3 permit read feature snmp
switch(config-role)# rule 2 permit read feature dot1x
switch(config-role)# rule 1 deny command clear *
```
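The Python model below is an added example, not Cisco code, and illustrates the ordering rule stated above: rules are tried from the highest number down, and the first rule that matches a request decides it. It parses the rule lines of the second UserA example as typed in config-role mode and evaluates sample requests against them. Several points are assumptions made for the model rather than documented device behaviour: a read-write rule also covers read requests, command patterns such as `clear *` are matched with shell-style wildcards, a request that no rule matches is denied unless it is one of the four commands a new role allows by default, and feature-group membership comes from a small constructed table.

```python
"""Model of role rule evaluation as described on this page: highest-numbered
rule first, first match decides. Added example, not Cisco code. Assumptions:
read-write rules cover read requests, command rules match with shell-style
wildcards, unmatched requests are denied except for the four default
commands, and feature-group membership is the constructed table below."""
from collections import namedtuple
from fnmatch import fnmatchcase

Rule = namedtuple("Rule", "number perm access scope entity")
# The commands a newly created role allows by default (from this page).
DEFAULT_COMMANDS = frozenset({"show", "exit", "end", "configure terminal"})
# Constructed feature-group membership; on the device it comes from
# 'role feature-group name ...' configuration.
FEATURE_GROUPS = {"eth-port-sec": frozenset({"eth-port-sec"})}


def parse_rule(line):
    """Parse one 'rule N permit|deny ...' line as typed in config-role mode."""
    parts = line.split()
    if len(parts) < 4 or parts[0] != "rule" or parts[2] not in ("permit", "deny"):
        raise ValueError("not a rule line: %r" % line)
    number, perm, access = int(parts[1]), parts[2], parts[3]
    if access == "command":
        # Everything after 'command' is the command pattern, e.g. 'clear *'.
        return Rule(number, perm, "command", "command", " ".join(parts[4:]))
    scope = parts[4] if len(parts) > 4 else "all"      # feature | feature-group | all
    entity = parts[5] if len(parts) > 5 else "*"
    return Rule(number, perm, access, scope, entity)


def rule_matches(rule, request):
    """request is ('command', '<cli text>') or ('read'|'read-write', '<feature>')."""
    kind, target = request
    if rule.access == "command":
        return kind == "command" and fnmatchcase(target, rule.entity)
    if kind == "command":
        return False
    # Assumption: a read-write rule also applies to read requests.
    if rule.access != kind and not (rule.access == "read-write" and kind == "read"):
        return False
    if rule.scope == "all":
        return True
    if rule.scope == "feature":
        return rule.entity == target
    if rule.scope == "feature-group":
        return target in FEATURE_GROUPS.get(rule.entity, frozenset())
    return False


def evaluate(rules, request):
    """Return (decision, rule number); the number is None for the implicit default."""
    for rule in sorted(rules, key=lambda r: r.number, reverse=True):
        if rule_matches(rule, request):
            return rule.perm, rule.number
    if request[0] == "command" and request[1] in DEFAULT_COMMANDS:
        return "permit", None
    return "deny", None


# The second UserA example from this page.
USER_A = [parse_rule(line) for line in (
    "rule 3 permit read feature snmp",
    "rule 2 permit read feature dot1x",
    "rule 1 deny command clear *",
)]

if __name__ == "__main__":
    for req in (("read", "snmp"), ("command", "clear counters"),
                ("read-write", "snmp"), ("command", "show")):
        print(req, "->", evaluate(USER_A, req))
```

With UserA, a read of the snmp feature is permitted by rule 3 (tried first), any `clear` command is denied by rule 1, and a read-write request on snmp falls through every rule and is denied by the implicit default.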
Creating a Feature Group
You can create and configure a feature group. You can create up to 64 custom feature groups.
This example shows how to create a feature group named GroupA:
```
switch# configure terminal
switch(config)# role feature-group name GroupA
switch(config-role-featuregrp)# show role feature
feature: aaa
feature: access-list
feature: cdp
feature: install
. . .
switch(config-role-featuregrp)# feature syslog
switch(config-role-featuregrp)# show role feature-group
feature group: GroupA
feature: syslog
feature: snmp
feature: ping
switch(config-role-featuregrp)# copy running-config startup-config
```
This example shows how to create a feature group named Security-features:
```
switch# configure terminal
switch(config)# role feature-group name Security-features
switch(config-role-featuregrp)# feature radius
switch(config-role-featuregrp)# feature tacacs
switch(config-role-featuregrp)# feature dot1x
switch(config-role-featuregrp)# feature aaa
switch(config-role-featuregrp)# feature snmp
switch(config-role-featuregrp)# feature acl
switch(config-role-featuregrp)# feature access-list
```
Configuring Interface Access
By default, a role allows access to all interfaces. You modify a role that you have already created by denying access to all interfaces and then permitting access to selected interfaces.
This example shows how to configure interface access:
```
switch# configure terminal
switch(config)# role name network-observer
switch(config-role)# interface policy deny
switch(config-role-interface)# permit interface ethernet 2/1-4
switch(config-role-interface)# show role name network-observer
role: network-observer
  description: temp
  Vlan policy: permit (default)
  Interface policy: deny
    Permitted interfaces: Ethernet2/1-4
switch(config-role-interface)# copy running-config startup-config
```
Configuring VLAN Access
By default, access is allowed to all VLANs. In this procedure you are modifying a role that you have already created by denying access to all VLANs and then permitting access to selected VLANs.
This example shows how to configure VLAN access:
```
switch# configure terminal
switch(config)# role name network-observer
switch(config-role)# vlan policy deny
switch(config-role-vlan)# permit vlan 1-4
switch(config-role-vlan)# show role name network-observer
role: network-observer
  description: temp
  Vlan policy: deny
    Permitted vlans: 1-4
  Interface policy: deny
    Permitted interfaces: Ethernet2/1-4
switch(config-role-vlan)# copy running-config startup-config
```
Verifying the User Access Configuration
Use one of the following commands to verify the configuration.
| Command | Purpose |
|---|---|
| show role | Displays the available user roles and their rules. |
| show role feature | Displays a list of available features. |
| show role feature-group | Displays a list of available feature groups. |
| show startup-config security | Displays the user account configuration in the startup configuration. |
| show running-config security [all] | Displays the user account configuration in the running configuration. The all keyword displays the default values for the user accounts. |
| show user-account | Displays user account information. |
Configuration Examples
Configuration Example for Creating a Feature Group
This example shows how to create a feature group:
```
switch# configure terminal
switch(config)# role feature-group name security-features
switch(config-role-featuregrp)# feature radius
switch(config-role-featuregrp)# feature tacacs
switch(config-role-featuregrp)# feature dot1x
switch(config-role-featuregrp)# feature aaa
switch(config-role-featuregrp)# feature snmp
switch(config-role-featuregrp)# feature acl
switch(config-role-featuregrp)# feature access-list
```
Configuration Example for Creating a Role
This example shows how to create a role:
```
switch# config terminal
switch(config)# role name UserA
switch(config-role)# rule 3 permit read feature snmp
switch(config-role)# rule 2 permit read feature dot1x
switch(config-role)# rule 1 deny command clear *
```
MIBs
| MIBs | MIBs Link |
|---|---|
| CISCO-COMMON-MGMT-MIB | To locate and download MIBs, go to the following URL: http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml |
Feature History for User Accounts
This table includes only the updates for those releases that have resulted in additions or changes to the feature.
| Feature Name | Releases | Feature Information |
|---|---|---|
| User Accounts | 4.0(4)SV1(1) | This feature was introduced. |