Configuring User Accounts and RBAC

This chapter describes how to configure user accounts and role-based access control (RBAC) on Cisco NX-OS devices.

About User Accounts and RBAC

You can create and manage user accounts and assign roles that limit access to operations on the Cisco NX-OS device. RBAC allows you to define, for each assigned role, the rules that restrict which management operations the user is authorized to perform.

User Accounts

You can configure up to 256 user accounts. By default, a user account does not expire unless you explicitly configure it to expire. The expire option sets the date on which the user account is disabled.

The following words are reserved and cannot be used to configure users: bin, daemon, adm, lp, sync, shutdown, halt, mail, news, uucp, operator, games, gopher, ftp, nobody, nscd, mailnull, root, rpc, rpcuser, xfs, gdm, mtsuser, ftpuser, man, and sys.


Note


User passwords are not displayed in the configuration files.



Caution


Usernames must begin with an alphanumeric character and can contain only these special characters: ( + = . _ \ -). The # and ! symbols are not supported. If the username contains characters that are not allowed, the specified user is unable to log in.


Characteristics of Strong Passwords

A strong password has the following characteristics:

  • Is at least eight characters long

  • Does not contain many consecutive characters (such as abcd)

  • Does not contain many repeating characters (such as aaabbb)

  • Does not contain dictionary words

  • Does not contain proper names

  • Contains both uppercase and lowercase characters

  • Contains numbers

The following are examples of strong passwords:

  • If2CoM18

  • 2004AsdfLkj30

  • Cb1955S21


Note


Clear text passwords cannot contain dollar signs ($) or spaces anywhere in the password. Also, they cannot include these special characters at the beginning of the password: quotation marks (" or '), vertical bars (|), or right angle brackets (>).



Note


All printable ASCII characters are supported in the password string if they are enclosed in quotation marks.


If a password is trivial (such as a short, easy-to-decipher password), the Cisco NX-OS software will reject your password configuration if password-strength checking is enabled. Be sure to configure a strong password as shown in the sample configuration. Passwords are case sensitive.
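The following Python script is an added example, not Cisco code, that turns the strong-password characteristics listed above into a local pre-check you can run on a candidate password before creating an account on a device that has password strength-check enabled. The thresholds for "many consecutive" and "many repeating" characters and the small word lists are assumptions chosen so that abcd and aaa are rejected while the three sample passwords above pass; the dollar-sign, space and leading-character restrictions come from the notes above.

```python
"""Local password policy check modelled on the NX-OS strong-password characteristics.

Added example; not Cisco code.  The run-length thresholds and the word lists are
assumptions made for illustration."""

MIN_LENGTH = 8
MAX_SEQUENCE_RUN = 3   # "abcd" is four consecutive characters: rejected (assumption)
MAX_REPEAT_RUN = 2     # "aaa" is three repeated characters: rejected (assumption)

# Constructed stand-ins for a dictionary and a proper-name list (assumption).
DICTIONARY_WORDS = {"password", "switch", "admin", "welcome", "secret"}
PROPER_NAMES = {"cisco", "alice", "bob"}


def longest_run(pw, step):
    """Longest run in which each character's code point is `step` above the previous one
    (step=1 finds abcd/1234 style sequences, step=0 finds aaa style repeats)."""
    best = run = 1 if pw else 0
    for prev, cur in zip(pw, pw[1:]):
        run = run + 1 if ord(cur) - ord(prev) == step else 1
        best = max(best, run)
    return best


def check_password(pw):
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    # Syntax limits from the notes above: rejected anywhere / at the start of a clear-text password.
    if "$" in pw or " " in pw:
        problems.append("contains a dollar sign or a space")
    if pw[:1] in ('"', "'", "|", ">"):
        problems.append("begins with a quotation mark, vertical bar or right angle bracket")
    # Strength characteristics from the list above.
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if longest_run(pw, 1) > MAX_SEQUENCE_RUN:
        problems.append("contains a run of consecutive characters (such as abcd)")
    if longest_run(pw, 0) > MAX_REPEAT_RUN:
        problems.append("contains a run of repeating characters (such as aaa)")
    lowered = pw.lower()
    if any(word in lowered for word in DICTIONARY_WORDS):
        problems.append("contains a dictionary word")
    if any(name in lowered for name in PROPER_NAMES):
        problems.append("contains a proper name")
    if not any(c.isupper() for c in pw):
        problems.append("no uppercase character")
    if not any(c.islower() for c in pw):
        problems.append("no lowercase character")
    if not any(c.isdigit() for c in pw):
        problems.append("no digit")
    return problems


if __name__ == "__main__":
    # The three sample passwords from the text pass; the others each fail one check.
    for candidate in ("If2CoM18", "2004AsdfLkj30", "Cb1955S21",
                      "abcd1234", "Pa$$word1", "Cisco123"):
        verdict = check_password(candidate)
        print(f"{candidate:16} {'OK' if not verdict else '; '.join(verdict)}")
```

The check is deliberately stricter than the device in one respect: it rejects a dollar sign anywhere, because a clear-text password containing one cannot be entered on the CLI at all, so catching it before the change window avoids a failed `username` command.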

User Roles

User roles contain rules that define the operations allowed for the user who is assigned the role. Each user role can contain multiple rules, and each user can have multiple roles. For example, if role1 allows access only to configuration operations, and role2 allows access only to debug operations, then users who belong to both role1 and role2 can access configuration and debug operations. You can also limit access to specific virtual routing and forwarding instances (VRFs), VLANs, and interfaces.

The Cisco NX-OS software provides the following user roles:

  • network-admin—Complete read-and-write access to the entire Cisco NX-OS device

  • network-operator or vdc-operator—Complete read access to the entire Cisco NX-OS device


Note


You cannot change the user roles.



Note


Some show commands may be hidden from network-operator users. In addition, some non-show commands (such as telnet) may be available to this user role.


By default, user accounts without an administrator role can access only the show, exit, end, and configure terminal commands. You can add rules to allow users to configure features.

Note


If you belong to multiple roles, you can execute a combination of all the commands permitted by these roles. Access to a command takes priority over being denied access to a command. For example, suppose a user has RoleA, which denied access to the configuration commands. However, the user also has RoleB, which has access to the configuration commands. In this case, the user has access to the configuration commands.


User Role Rules

The rule is the basic element of a role. A rule defines what operations the role allows the user to perform. You can apply rules for the following parameters:

Command
A command or group of commands defined in a regular expression.
Feature
The set of commands that apply to a function provided by the Cisco NX-OS software. Use the show role feature command to display the available feature names.
Feature group
Default or user-defined group of features.
OID
An SNMP object identifier (OID).

The command, feature, and feature group parameters create a hierarchical relationship. The most basic control parameter is the command. The next control parameter is the feature, which represents all commands associated with the feature. The last control parameter is the feature group. The feature group combines related features and allows you to easily manage the rules. The Cisco NX-OS software also supports the predefined feature group L3 that you can use.

You can configure up to 256 rules for each role. The user-specified rule number determines the order in which the rules are applied. Rules are applied in descending order. For example, if a role has three rules, rule 3 is applied before rule 2, which is applied before rule 1.
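The two evaluation rules stated above, highest-numbered rule first within a role, and permit winning over deny across the roles a user holds, are easy to get wrong when writing a least-privilege role. The following Python model is an added example, not Cisco code, that reproduces those semantics so you can test a rule set before committing it: rules are checked in descending order and the first match decides; when nothing matches, only the default show, exit, end and configure terminal commands are allowed; a user with several roles is permitted if any role permits. The feature contents, the anchored-regex matching of command rules, and the treatment of a feature snmp rule as covering the whole OID tree are assumptions made for illustration; the real feature lists come from show role feature.

```python
"""Simplified model of how NX-OS evaluates role rules.

Added example; not Cisco code.  Rules are checked in descending rule-number order
and the first matching rule decides; a user holding several roles is permitted
if any one role permits.  The feature contents, the regex matching mode and the
OID fallback are assumptions made for illustration."""
import re
from dataclasses import dataclass

# Commands the text says a non-admin account can always run when no rule applies.
DEFAULT_ALLOWED = ("show", "exit", "end", "configure terminal")

# Constructed, illustrative mapping of feature names to the commands they cover;
# on a device the real list comes from `show role feature` (assumption).
FEATURE_COMMANDS = {
    "bgp": ("router bgp", "show bgp", "clear bgp"),
    "eigrp": ("router eigrp", "show eigrp"),
    "snmp": ("snmp-server", "show snmp"),
}
FEATURE_GROUPS = {"L3": ("bgp", "eigrp")}   # stand-in for the predefined L3 group


@dataclass(frozen=True)
class Rule:
    number: int
    permit: bool
    scope: str                  # "command", "all", "feature", "feature-group" or "oid"
    entity: str = ""            # regex, feature name, group name or OID prefix
    access: str = "read-write"  # "read" or "read-write"; ignored for "command"


def is_read(command):
    """show commands are read operations; everything else is treated as a write."""
    return command.startswith("show")


def access_ok(rule, wants_write):
    """A read rule covers only reads; a read-write rule covers both."""
    return rule.access == "read-write" or not wants_write


def rule_matches_command(rule, command):
    if rule.scope == "command":
        # Regex anchored at the start of the command string (assumption).
        return re.match(rule.entity, command) is not None
    if rule.scope == "all":
        return access_ok(rule, not is_read(command))
    if rule.scope in ("feature", "feature-group"):
        features = (rule.entity,) if rule.scope == "feature" else FEATURE_GROUPS.get(rule.entity, ())
        prefixes = [p for f in features for p in FEATURE_COMMANDS.get(f, ())]
        return any(command.startswith(p) for p in prefixes) and access_ok(rule, not is_read(command))
    return False   # oid rules govern SNMP access, not CLI commands


def role_permits_command(rules, command):
    """Highest-numbered rule first; first match wins; otherwise only the default commands."""
    for rule in sorted(rules, key=lambda r: r.number, reverse=True):
        if rule_matches_command(rule, command):
            return rule.permit
    return command.startswith(DEFAULT_ALLOWED)


def user_permits_command(roles, command):
    """A user with several roles gets the union of what the roles permit."""
    return any(role_permits_command(rules, command) for rules in roles.values())


def role_permits_oid(rules, oid, write=False):
    """OID rules match by subtree prefix; a `feature snmp` rule is taken to cover the
    whole tree (assumption).  No matching rule means no SNMP access."""
    for rule in sorted(rules, key=lambda r: r.number, reverse=True):
        if rule.scope == "oid":
            hit = oid == rule.entity or oid.startswith(rule.entity + ".")
        else:
            hit = rule.scope == "feature" and rule.entity == "snmp"
        if hit and access_ok(rule, write):
            return rule.permit
    return False


# The page's User-role-A: rule 2 is applied before rule 1, so `clear bgp` is
# permitted by the feature rule even though rule 1 denies `clear *`.
USER_ROLE_A = [Rule(2, True, "feature", "bgp"), Rule(1, False, "command", r"clear *")]
# Read-only role: rule 2 (permit read) is checked before rule 1 (deny read-write).
READ_ONLY = [Rule(1, False, "all"), Rule(2, True, "all", access="read")]
# The page's User1 OID example.
USER1 = [
    Rule(1, True, "feature", "snmp", "read"),
    Rule(2, False, "oid", "1.3.6.1.2.1.1.9", "read"),
    Rule(3, True, "oid", "1.3.6.1.2.1.1.5", "read-write"),
]

if __name__ == "__main__":
    for cmd in ("clear users", "clear bgp 65000", "show version", "interface ethernet 2/1"):
        print(f"{cmd!r:26} User-role-A -> {role_permits_command(USER_ROLE_A, cmd)}")
    both = {"A": USER_ROLE_A, "RO": READ_ONLY}
    print("READ_ONLY + User-role-A, router bgp ->", user_permits_command(both, "router bgp 65000"))
    print("User1 read 1.3.6.1.2.1.1.9.1 ->", role_permits_oid(USER1, "1.3.6.1.2.1.1.9.1"))
```

The User-role-A result is the practical lesson: because rules are applied in descending order, a deny on clear * placed at rule 1 does not stop clear bgp, which the higher-numbered feature rule permits first. Give the deny a higher number than the permit it is meant to narrow.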

Guidelines and Limitations for User Accounts and RBAC

User accounts and RBAC have the following configuration guidelines and limitations:

  • You can add up to 256 rules to a user role.

  • You can add up to 64 user-defined feature groups in addition to the default feature group, L3.

  • You can configure up to 256 users.

  • You can assign a maximum of 64 user roles to a user account.

  • If you have a user account configured on the local Cisco NX-OS device that has the same name as a remote user account on an AAA server, the Cisco NX-OS software applies the user roles for the local user account to the remote user, not the user roles configured on the AAA server.

  • You cannot delete the default admin and SNMP user accounts.

  • You cannot remove the default user roles from the default admin user accounts.

  • The network-operator role cannot run the show running-config and show startup-config commands.


Note


If you are familiar with the Cisco IOS CLI, be aware that the Cisco NX-OS commands for this feature might differ from the Cisco IOS commands that you would use.

Default Settings for User Accounts and RBAC

This table lists the default settings for user accounts and RBAC parameters.

Table 1. Default User Accounts and RBAC Parameters

  Parameters                  Default
  User account password       Undefined
  User account expiry date    None
  User account role           Network-operator if the creating user has the network-admin role
  Default user role           Network-operator
  Interface policy            All interfaces are accessible
  VLAN policy                 All VLANs are accessible
  VRF policy                  All VRFs are accessible
  Feature group               L3

Enabling Password-Strength Checking

You can enable password-strength checking which prevents you from creating weak passwords for user accounts.


Note


When you enable password-strength checking, the Cisco NX-OS software does not check the strength of existing passwords.


Procedure

  Command or Action Purpose

Step 1

configure terminal

Example:

switch# configure terminal
switch(config)#

Enters global configuration mode.

Step 2

password strength-check

Example:

switch(config)# password strength-check

Enables password-strength checking. The default is enabled.

You can disable password-strength checking by using the no form of this command.

Step 3

exit

Example:

switch(config)# exit
switch#

Exits global configuration mode.

Step 4

(Optional) show password strength-check

Example:

switch# show password strength-check
(Optional)

Displays the password-strength check configuration.

Step 5

(Optional) copy running-config startup-config

Example:

switch# copy running-config startup-config
(Optional)

Copies the running configuration to the startup configuration.

Configuring User Accounts

You can create a maximum of 256 user accounts on a Cisco NX-OS device. User accounts have the following attributes:

  • Username

  • Password

  • Expiry date

  • User roles

You can enter the password in clear text format or encrypted format. The Cisco NX-OS software encrypts clear text passwords before saving them to the running configuration. Passwords entered in encrypted format are saved to the running configuration without further encryption.

User accounts can have a maximum of 64 user roles. A user can determine which commands are available by using the command-line interface (CLI) context-sensitive help utility.


Note


Changes to user account attributes do not take effect until the user logs in and creates a new session.


Procedure

  Command or Action Purpose

Step 1

configure terminal

Example:

switch# configure terminal
switch(config)#

Enters global configuration mode.

Step 2

(Optional) show role

Example:

switch(config)# show role
(Optional)

Displays the user roles available. You can configure other user roles, if necessary.

Step 3

username user-id [password [0 | 5] password] [expire date] [role role-name]

Example:

switch(config)# username NewUser password 4Ty18Rnt

Configures a user account. The user-id argument is a case-sensitive, alphanumeric character string with a maximum length of 28 characters. Valid characters are uppercase letters A through Z, lowercase letters a through z, numbers 0 through 9, hyphen (-), period (.), underscore (_), plus sign (+), and equal sign (=). The at symbol (@) is supported in remote usernames but not in local usernames.

Usernames must begin with an alphanumeric character.

The default password is undefined. The 0 option indicates that the password is clear text, and the 5 option indicates that the password is encrypted. The default is 0 (clear text).

Note

 

If you do not specify a password, the user might not be able to log in to the Cisco NX-OS device.

Note

 

If you create a user account with the encrypted password option, the corresponding SNMP user will not be created.

The expire date option format is YYYY-MM-DD. The default is no expiry date.

User accounts can have a maximum of 64 user roles.

Step 4

username user-id ssh-cert-dn dn-name {dsa | rsa}

Example:

switch(config)# username NewUser ssh-cert-dn "/CN = NewUser, OU = Cisco Demo, O = Cisco, C = US" rsa

Example:

switch(config)# username jsmith ssh-cert-dn "/O = ABCcompany, OU = ABC1,
emailAddress = jsmith@ABCcompany.com, L = Metropolis, ST = New York, C = US, CN = jsmith" rsa

Specifies an SSH X.509 certificate distinguished name and DSA or RSA algorithm to use for authentication for an existing user account. The distinguished name can be up to 512 characters and must follow the format shown in the examples. Make sure the email address and state are configured as emailAddress and ST, respectively.

Step 5

exit

Example:

switch(config)# exit
switch#

Exits global configuration mode.

Step 6

(Optional) show user-account

Example:

switch# show user-account
(Optional)

Displays the user account configuration.

Step 7

(Optional) copy running-config startup-config

Example:

switch# copy running-config startup-config
(Optional)

Copies the running configuration to the startup configuration.
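The username constraints in Step 3 (alphanumeric first character, the five permitted special characters, 28-character maximum), the reserved names listed earlier, and the 256-user and 64-role limits are all things a device will reject at the prompt, which is the wrong time to find out during a change window. The following Python script is an added example, not Cisco code, that audits a show running-config security dump, or a configuration prepared for push, against those rules and also flags clear-text passwords, accounts that hold network-admin, roles that are referenced but not defined locally, and accounts with no expiry date. The sample configuration is constructed from the command syntax in Step 3; the exact layout of a real device's output may differ, so the parser keys only on the username and role name keywords.

```python
"""Offline audit of a `show running-config security` dump against the user account
rules on this page.

Added example; not Cisco code.  SAMPLE_CONFIG is constructed from the `username`
command syntax (an invalid name and a reserved name are included on purpose to show
what the audit catches before a push)."""
import re
from collections import defaultdict

RESERVED_USERNAMES = {
    "bin", "daemon", "adm", "lp", "sync", "shutdown", "halt", "mail", "news", "uucp",
    "operator", "games", "gopher", "ftp", "nobody", "nscd", "mailnull", "root", "rpc",
    "rpcuser", "xfs", "gdm", "mtsuser", "ftpuser", "man", "sys",
}
BUILTIN_ROLES = {"network-admin", "network-operator", "vdc-operator"}
MAX_USERS, MAX_ROLES_PER_USER = 256, 64
# Begins alphanumeric; then letters, digits and + = . _ - ; at most 28 characters in all.
USERNAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9+=._-]{0,27}$")
USER_LINE_RE = re.compile(
    r"^username\s+(\S+)"
    r"(?:\s+password\s+([05])\s+(\S+))?"
    r"(?:\s+expire\s+(\d{4}-\d{2}-\d{2}))?"
    r"(?:\s+role\s+(\S+))?\s*$"
)

SAMPLE_CONFIG = """\
!Command: show running-config security   (constructed sample)
role name User-role-A
  rule 2 permit read-write feature bgp
  rule 1 deny command clear *
username admin password 5 $5$cOnStRuCtEd$hashhashhashhashhashhash role network-admin
username netops password 5 $5$cOnStRuCtEd$hashhashhashhashhashhash role network-operator
username netops expire 2025-12-31
username backup-svc password 0 Clear1Text role User-role-A
username bad!name password 5 $5$cOnStRuCtEd$hashhashhashhashhashhash role network-admin
username root password 5 $5$cOnStRuCtEd$hashhashhashhashhashhash role network-operator
username auditor password 5 $5$cOnStRuCtEd$hashhashhashhashhashhash role Missing-role
"""


def parse_security_config(text):
    """Return (locally defined role names, {username: attributes}) from config text."""
    roles_defined = set()
    accounts = defaultdict(lambda: {"roles": set(), "expire": None,
                                    "has_password": False, "cleartext": False})
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("role name "):
            roles_defined.add(line.split(None, 2)[2])
            continue
        m = USER_LINE_RE.match(line)
        if not m:
            continue
        name, encoding, _secret, expire, role = m.groups()
        acct = accounts[name]
        if encoding is not None:
            acct["has_password"] = True
            acct["cleartext"] = acct["cleartext"] or encoding == "0"
        if expire:
            acct["expire"] = expire
        if role:
            acct["roles"].add(role)
    return roles_defined, dict(accounts)


def audit(text):
    """Return a list of human-readable findings; an empty list means nothing was flagged."""
    roles_defined, accounts = parse_security_config(text)
    findings = []
    if len(accounts) > MAX_USERS:
        findings.append(f"config: {len(accounts)} accounts exceeds the limit of {MAX_USERS}")
    for name, acct in sorted(accounts.items()):
        if not USERNAME_RE.match(name):
            findings.append(f"{name}: username violates the local username character rules")
        if name in RESERVED_USERNAMES:
            findings.append(f"{name}: reserved username")
        if not acct["has_password"]:
            findings.append(f"{name}: no password configured; the user may be unable to log in")
        if acct["cleartext"]:
            findings.append(f"{name}: password supplied in clear text (password 0)")
        if len(acct["roles"]) > MAX_ROLES_PER_USER:
            findings.append(f"{name}: more than {MAX_ROLES_PER_USER} roles")
        for role in sorted(acct["roles"] - BUILTIN_ROLES - roles_defined):
            findings.append(f"{name}: role {role} is not defined locally")
        if "network-admin" in acct["roles"] and name != "admin":
            findings.append(f"{name}: holds network-admin (full read-write access)")
        if acct["expire"] is None and name != "admin":
            findings.append(f"{name}: no expiry date set")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run it against real output by reading the saved dump into audit() instead of SAMPLE_CONFIG. The undefined-role check matters because of the guideline above that a local account shadows a same-named AAA user's roles: a typo in a role name silently leaves the account with only the default commands, while an accidental network-admin grant does the opposite.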

Configuring Roles

This section describes how to configure user roles.

Creating User Roles and Rules

You can configure up to 64 user roles. Each user role can have up to 256 rules. You can assign a user role to more than one user account.

The rule number that you specify determines the order in which the rules are applied. Rules are applied in descending order. For example, if a role has three rules, rule 3 is applied before rule 2, which is applied before rule 1.


Note


Regardless of the read-write rule configured for a user role, some commands can be executed only through the predefined network-admin role.

Before you begin

If you want to distribute the user role configuration, enable user role configuration distribution on all Cisco NX-OS devices to which you want the configuration distributed.

Procedure

  Command or Action Purpose

Step 1

configure terminal

Example:

switch# configure terminal
switch(config)#

Enters global configuration mode.

Step 2

role name role-name

Example:

switch(config)# role name UserA
switch(config-role)# 

Specifies a user role and enters role configuration mode. The role-name argument is a case-sensitive, alphanumeric character string with a maximum length of 16 characters.

Step 3

rule number {deny | permit} command command-string

Example:

switch(config-role)# rule 1 deny command clear users

Configures a command rule.

The command-string argument can contain spaces and regular expressions. For example, interface ethernet * includes all Ethernet interfaces.

Repeat this command for as many rules as needed.

Step 4

rule number {deny | permit} {read | read-write}

Example:

switch(config-role)# rule 2 deny read-write

Configures a read-only or read-and-write rule for all operations.

Step 5

rule number {deny | permit} {read | read-write} feature feature-name

Example:

switch(config-role)# rule 3 permit read feature router-bgp

Configures a read-only or read-and-write rule for a feature.

Use the show role feature command to display a list of features.

Repeat this command for as many rules as needed.

Step 6

rule number {deny | permit} {read | read-write} feature-group group-name

Example:

switch(config-role)# rule 4 deny read-write feature-group L3

Configures a read-only or read-and-write rule for a feature group.

Use the show role feature-group command to display a list of feature groups.

Repeat this command for as many rules as needed.

Step 7

rule number {deny | permit} {read | read-write} oid snmp_oid_name

Example:

switch(config-role)# rule 5 deny read-write oid 1.3.6.1.2.1.1.9

Configures a read-only or read-and-write rule for an SNMP object identifier (OID). You can enter up to 32 elements for the OID. This command can be used to allow SNMP-based performance monitoring tools to poll devices but restrict their access to system-intensive branches such as the IP routing table, MAC address tables, specific MIBs, and so on.

Note

 

The deepest OID can be at the scalar level or at the table root level.

Repeat this command for as many rules as needed.

Step 8

(Optional) description text

Example:

switch(config-role)# description This role does not allow users to use clear commands
(Optional)

Configures the role description. You can include spaces in the description.

Step 9

exit

Example:

switch(config-role)# exit
switch(config)#

Exits role configuration mode.

Step 10

(Optional) show role

Example:

switch(config)# show role
(Optional)

Displays the user role configuration.

Step 11

(Optional) show role {pending | pending-diff}

Example:

switch(config)# show role pending
(Optional)

Displays the user role configuration pending for distribution.

Step 12

(Optional) role commit

Example:

switch(config)# role commit
(Optional)

Applies the user role configuration changes in the temporary database to the running configuration.

Step 13

(Optional) copy running-config startup-config

Example:

switch(config)# copy running-config startup-config
(Optional)

Copies the running configuration to the startup configuration.

Creating Feature Groups

You can create custom feature groups to add to the default list of features provided by the Cisco NX-OS software. These groups contain one or more of the features. You can create up to 64 feature groups.


Note


You cannot change the default feature group L3.


Before you begin

If you want to distribute the user role configuration, enable user role configuration distribution on all Cisco NX-OS devices to which you want the configuration distributed.

Procedure

  Command or Action Purpose

Step 1

configure terminal

Example:

switch# configure terminal
switch(config)#

Enters global configuration mode.

Step 2

role feature-group name group-name

Example:

switch(config)# role feature-group name GroupA
switch(config-role-featuregrp)# 

Specifies a user role feature group and enters role feature group configuration mode.

The group-name argument is a case-sensitive, alphanumeric character string with a maximum length of 32 characters.

Step 3

feature feature-name

Example:

switch(config-role-featuregrp)# feature radius

Specifies a feature for the feature group.

Repeat this command for as many features as needed.

Note

 

Use the show role component command to display a list of features.

Step 4

exit

Example:

switch(config-role-featuregrp)# exit
switch(config)#

Exits role feature group configuration mode.

Step 5

(Optional) show role feature-group

Example:

switch(config)# show role feature-group
(Optional)

Displays the role feature group configuration.

Step 6

(Optional) show role {pending | pending-diff}

Example:

switch(config)# show role pending
(Optional)

Displays the user role configuration pending for distribution.

Step 7

(Optional) role commit

Example:

switch(config)# role commit
(Optional)

Applies the user role configuration changes in the temporary database to the running configuration.

Step 8

(Optional) copy running-config startup-config

Example:

switch(config)# copy running-config startup-config
(Optional)

Copies the running configuration to the startup configuration.

Changing User Role Interface Policies

You can change a user role interface policy to limit the interfaces that the user can access. By default, a user role allows access to all interfaces.

Before you begin

Create one or more user roles.

If you want to distribute the user role configuration, enable user role configuration distribution on all Cisco NX-OS devices to which you want the configuration distributed.

Procedure

  Command or Action Purpose

Step 1

configure terminal

Example:

switch# configure terminal
switch(config)#

Enters global configuration mode.

Step 2

role name role-name

Example:

switch(config)# role name UserA
switch(config-role)# 

Specifies a user role and enters role configuration mode.

Step 3

interface policy deny

Example:

switch(config-role)# interface policy deny
switch(config-role-interface)#

Enters role interface policy configuration mode.

Step 4

permit interface interface-list

Example:

switch(config-role-interface)# permit interface ethernet 2/1-4

Specifies a list of interfaces that the role can access.

Repeat this command for as many interfaces as needed.

Step 5

exit

Example:

switch(config-role-interface)# exit
switch(config-role)#

Exits role interface policy configuration mode.

Step 6

(Optional) show role

Example:

switch(config-role)# show role
(Optional)

Displays the role configuration.

Step 7

(Optional) show role {pending | pending-diff}

Example:

switch(config-role)# show role pending
(Optional)

Displays the user role configuration pending for distribution.

Step 8

(Optional) role commit

Example:

switch(config-role)# role commit
(Optional)

Applies the user role configuration changes in the temporary database to the running configuration.

Step 9

(Optional) copy running-config startup-config

Example:

switch(config-role)# copy running-config startup-config
(Optional)

Copies the running configuration to the startup configuration.

Changing User Role VLAN Policies

You can change a user role VLAN policy to limit the VLANs that the user can access. By default, a user role allows access to all VLANs.

Before you begin

Create one or more user roles.

Procedure

  Command or Action Purpose

Step 1

configure terminal

Example:

switch# configure terminal
switch(config)#

Enters global configuration mode.

Step 2

role name role-name

Example:

switch(config)# role name UserA
switch(config-role)# 

Specifies a user role and enters role configuration mode.

Step 3

vlan policy deny

Example:

switch(config-role)# vlan policy deny
switch(config-role-vlan)#

Enters role VLAN policy configuration mode.

Step 4

permit vlan vlan-list

Example:

switch(config-role-vlan)# permit vlan 1-4

Specifies a range of VLANs that the role can access.

Repeat this command for as many VLANs as needed.

Step 5

exit

Example:

switch(config-role-vlan)# exit
switch(config-role)#

Exits role VLAN policy configuration mode.

Step 6

(Optional) show role

Example:

switch(config)# show role
(Optional)

Displays the role configuration.

Step 7

(Optional) show role {pending | pending-diff}

Example:

switch(config-role)# show role pending
(Optional)

Displays the user role configuration pending for distribution.

Step 8

(Optional) role commit

Example:

switch(config-role)# role commit
(Optional)

Applies the user role configuration changes in the temporary database to the running configuration.

Step 9

(Optional) copy running-config startup-config

Example:

switch(config-role)# copy running-config startup-config
(Optional)

Copies the running configuration to the startup configuration.

Changing User Role VRF Policies

You can change a user role VRF policy to limit the VRFs that the user can access. By default, a user role allows access to all VRFs.

Before you begin

Create one or more user roles.

If you want to distribute the user role configuration, enable user role configuration distribution on all Cisco NX-OS devices to which you want the configuration distributed.

Procedure

  Command or Action Purpose

Step 1

configure terminal

Example:

switch# configure terminal
switch(config)#

Enters global configuration mode.

Step 2

role name role-name

Example:

switch(config)# role name UserA
switch(config-role)# 

Specifies a user role and enters role configuration mode.

Step 3

vrf policy deny

Example:

switch(config-role)# vrf policy deny
switch(config-role-vrf)#

Enters role VRF policy configuration mode.

Step 4

permit vrf vrf-name

Example:

switch(config-role-vrf)# permit vrf vrf1

Specifies the VRF that the role can access.

Repeat this command for as many VRFs as needed.

Step 5

exit

Example:

switch(config-role-vrf)# exit
switch(config-role)#

Exits role VRF policy configuration mode.

Step 6

(Optional) show role

Example:

switch(config-role)# show role
(Optional)

Displays the role configuration.

Step 7

(Optional) show role {pending | pending-diff}

Example:

switch(config-role)# show role pending
(Optional)

Displays the user role configuration pending for distribution.

Step 8

(Optional) role commit

Example:

switch(config-role)# role commit
(Optional)

Applies the user role configuration changes in the temporary database to the running configuration.

Step 9

(Optional) copy running-config startup-config

Example:

switch(config-role)# copy running-config startup-config
(Optional)

Copies the running configuration to the startup configuration.

About No Service Password-Recovery

The standard password recovery procedure gives anyone with console access the ability to reset the administrator password and thereby gain access to the device and its network. The No Service Password-Recovery feature disables that standard procedure, which is described in the Cisco Nexus 3400-S NX-OS Troubleshooting Guide.

Enabling No Service Password-Recovery

When no service password-recovery is enabled, only an administrator with the network-admin role can change the administrator password; the console-based recovery procedure no longer works, as the boot-mode error in Step 4 shows.

Before you begin

If you plan to enter the no service password-recovery command, Cisco recommends that you save a copy of the system configuration file in a location away from the device.

Procedure

  Command or Action Purpose

Step 1

configure terminal

Example:

switch# configure terminal
switch(config)#

Enters global configuration mode.

Step 2

no service password-recovery

Example:

switch(config)# no service password-recovery
WARNING: Executing this command will disable the password recovery mechanism. Do not execute this command without another plan for password recovery. Are you sure you want to continue? (y/n) : [y] y
switch(config)# copy run start
[########################################] 100%
Copy complete, now saving to disk (please wait)...
Copy complete.

Disables the password recovery mechanism.

Step 3

(Optional) copy running-config startup-config

Example:

switch# copy running-config startup-config
(Optional)

Copies the running configuration to the startup configuration.

Step 4

reload

Example:

switch(config)# reload
This command will reboot the system. (y/n)?  [n] y
2018 Jun 26 16:23:19 BAR %$ VDC-1 %$ %PLATFORM-2-PFM_SYSTEM_RESET: Manual system restart from Command Line Interface
 
CISCO SWITCH Ver 8.34
 
CISCO SWITCH Ver 8.34
Manual system restart from Command Line Interface
writing reset reason 9,
..
..
              
switch(boot)# config t
Enter configuration commands, one per line.  End with CNTL/Z.
switch(boot)(config)# admin-password Abcd!123$
ERROR: service password-recovery disabled. Cannot change password!
switch(boot)(config)#
 

Step 5

exit

Example:

switch(config)# exit
switch#

Exits global configuration mode.

Step 6

(Optional) show user-account

Example:

switch# show user-account
(Optional)

Displays the user account configuration.

Step 7

(Optional) copy running-config startup-config

Example:

switch# copy running-config startup-config
(Optional)

Copies the running configuration to the startup configuration.

Verifying User Accounts and RBAC Configuration

To display user account and RBAC configuration information, perform one of the following tasks:

Command

Purpose

show cli syntax roles network-admin

Displays the syntax of the commands that the network-admin role can use.

show cli syntax roles network-operator

Displays the syntax of the commands that the network-operator role can use.

show role

Displays the user role configuration.

show role feature

Displays the feature list.

show role feature-group

Displays the feature group configuration.

show startup-config security

Displays the user account configuration in the startup configuration.

show running-config security [all]

Displays the user account configuration in the running configuration. The all keyword displays the default values for the user accounts.

show user-account

Displays user account information.

Configuration Examples for User Accounts and RBAC

The following example shows how to configure a user role:

role name User-role-A
  rule 2 permit read-write feature bgp
  rule 1 deny command clear *


The following example shows how to create a user role that can configure an interface to enable and show BGP and show EIGRP:

role name iftest
  rule 1 permit command config t; interface *; bgp *
  rule 2 permit read-write feature bgp
  rule 3 permit read feature eigrp

In the above example, rule 1 allows you to configure BGP on an interface, rule 2 allows you to configure the config bgp command and enable the exec-level show and debug commands for BGP, and rule 3 allows you to enable the exec-level show and debug eigrp commands.

The following example shows how to configure a user role that can configure only a specific interface:

role name Int_Eth2-3_only
  rule 1 permit command configure terminal; interface *
  interface policy deny
    permit interface Ethernet2/3


The following example shows how to configure a user role feature group:

role feature-group name Security-features
  feature radius
  feature tacacs
  feature aaa
  feature acl
  feature access-list


The following example shows how to configure a user account:

username user1 password A1s2D4f5 role User-role-A


The following example shows how to add an OID rule to restrict access to part of the OID subtree:

role name User1
  rule 1 permit read feature snmp
  rule 2 deny read oid 1.3.6.1.2.1.1.9

show role name User1

Role: User1
  Description: new role
  Vlan policy: permit (default)
  Interface policy: permit (default)
  Vrf policy: permit (default)
  -------------------------------------------------------------------
  Rule    Perm    Type        Scope               Entity
  -------------------------------------------------------------------
  2       deny    read        oid                 1.3.6.1.2.1.1.9
  1       permit  read        feature             snmp

The following example shows how to give write permission to a specified OID subtree:

role name User1
  rule 3 permit read-write oid 1.3.6.1.2.1.1.5

show role name User1

Role: User1
  Description: new role
  Vlan policy: permit (default)
  Interface policy: permit (default)
  Vrf policy: permit (default)
  -------------------------------------------------------------------
  Rule    Perm    Type        Scope               Entity
  -------------------------------------------------------------------
  3       permit  read-write  oid                 1.3.6.1.2.1.1.5
  2       deny    read        oid                 1.3.6.1.2.1.1.9
  1       permit  read        feature             snmp

Additional References for User Accounts and RBAC

This section includes additional information related to implementing user accounts and RBAC.

Related Documents

Related Topic

Document Title

Cisco NX-OS Licensing

Cisco NX-OS Licensing Guide

VRF configuration

Cisco Nexus 3400-S NX-OS Unicast Routing Configuration Guide

Standards

Standards

Title

No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature.