U Commands


This chapter describes the Cisco NX-OS security commands that begin with U.

use-vrf

To specify a virtual routing and forwarding (VRF) instance for a RADIUS or TACACS+ server group, use the use-vrf command. To remove the VRF instance, use the no form of this command.

use-vrf {vrf-name | default | management}

no use-vrf {vrf-name | default | management}

Syntax Description

vrf-name

VRF instance name. The name is case sensitive and can be a maximum of 32 alphanumeric characters.

default

Specifies the default VRF.

management

Specifies the management VRF.


Command Default

None

Command Modes

RADIUS server group configuration mode
TACACS+ server group configuration mode

Command History

Release        Modification
4.0(0)N1(1a)   This command was introduced.


Usage Guidelines

You can configure only one VRF instance for a server group.

Use the aaa group server radius command to enter RADIUS server group configuration mode, or the aaa group server tacacs+ command to enter TACACS+ server group configuration mode.

If the server is not found, use the radius-server host command or the tacacs-server host command to configure it.

You must use the feature tacacs+ command before you configure TACACS+.

Examples

This example shows how to specify a VRF instance for a RADIUS server group:

switch(config)# aaa group server radius RadServer
switch(config-radius)# use-vrf management

This example shows how to specify a VRF instance for a TACACS+ server group:

switch(config)# aaa group server tacacs+ TacServer
switch(config-tacacs+)# use-vrf management

This example shows how to remove the VRF instance from a TACACS+ server group:

switch(config)# aaa group server tacacs+ TacServer
switch(config-tacacs+)# no use-vrf management

Related Commands

Command                     Description
aaa group server            Configures AAA server groups.
feature tacacs+             Enables TACACS+.
radius-server host          Configures a RADIUS server.
show radius-server groups   Displays RADIUS server information.
show tacacs-server groups   Displays TACACS+ server information.
tacacs-server host          Configures a TACACS+ server.
vrf                         Configures a VRF instance.


username

To create and configure a user account, use the username command. To remove a user account, use the no form of this command.

username user-id [expire date] [password {0 | 5} password] [role role-name] [priv-lvl level]

username user-id sshkey {key | filename filename}

no username user-id

Syntax Description

user-id

User identifier for the user account. The user-id argument is a case-sensitive, alphanumeric character string with a maximum length of 28 characters.

Note The Cisco NX-OS software does not allow the "#" and "@" characters in the user-id argument text string.

expire date

(Optional) Specifies the expiration date for the user account. The format for the date argument is YYYY-MM-DD.

password

(Optional) Specifies a password for the account. The default is no password.

0

Specifies that the password that follows should be in clear text. This is the default mode.

5

Specifies that the password that follows should be encrypted.

password

Password for the user (clear text). The password can be a maximum of 64 characters.

Note Clear text passwords cannot contain dollar signs ($) or spaces anywhere in the password. Also, they cannot include these special characters at the beginning of the password: quotation marks (" or `), vertical bars (|), or right angle brackets (>).

role role-name

(Optional) Specifies the role to assign to the user. Valid values are as follows:

default-role—User role

network-admin—System configured role

network-operator—System configured role

priv-0—Privilege role

priv-1—Privilege role

priv-2—Privilege role

priv-3—Privilege role

priv-4—Privilege role

priv-5—Privilege role

priv-6—Privilege role

priv-7—Privilege role

priv-8—Privilege role

priv-9—Privilege role

priv-10—Privilege role

priv-11—Privilege role

priv-12—Privilege role

priv-13—Privilege role

priv-14—Privilege role

priv-15—Privilege role

vdc-admin—System configured role

vdc-operator—System configured role

priv-lvl level

(Optional) Specifies the privilege level to assign the user. Valid values are from 0 to 15.

sshkey

(Optional) Specifies an SSH key for the user account.

key

SSH key string.

filename filename

Specifies the name of a file that contains the SSH key string.


Command Default

No expiration date, password, or SSH key.

Command Modes

Global configuration mode

Command History

Release        Modification
4.0(0)N1(1a)   This command was introduced.
5.0(2)N1(1)    The priv-lvl keyword was added.


Usage Guidelines

The switch accepts only strong passwords. The characteristics of a strong password include the following:

At least eight characters long

Does not contain many consecutive characters (such as "abcd")

Does not contain many repeating characters (such as "aaabbb")

Does not contain dictionary words

Does not contain proper names

Contains both uppercase and lowercase characters

Contains numbers


Caution If you do not specify a password for the user account, the user might not be able to log in to the account.

The priv-lvl keyword is available only after you enable cumulative privilege roles for TACACS+ servers with the feature privilege command.
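As an added example (not part of the Cisco documentation), the following Python validator applies the user-id and clear-text password restrictions from the syntax description above together with the strong-password characteristics from these usage guidelines, so an operator can pre-check account definitions before entering them on the switch. The thresholds for "many" consecutive or repeating characters are assumed values, because the page does not quantify them; the dictionary-word and proper-name rules need a word list and are not implemented.

```python
import re

# Limits taken from the username command's syntax description on this page.
USER_ID_MAX = 28
PASSWORD_MAX = 64
FORBIDDEN_USER_CHARS = set("#@")    # not allowed anywhere in a user-id
FORBIDDEN_PW_ANYWHERE = set("$ ")   # not allowed anywhere in a clear-text password
FORBIDDEN_PW_LEADING = set('"`|>')  # not allowed as the first password character
# "Many" is undefined on the page; thresholds are assumed ("abcd" = 4 in sequence, "aaabbb" = runs of 3).
SEQ_LIMIT = 4
REPEAT_LIMIT = 3

def check_user_id(user_id: str) -> list[str]:
    """Return rule violations for a user-id; an empty list means it is acceptable."""
    problems = []
    if not 1 <= len(user_id) <= USER_ID_MAX:
        problems.append(f"user-id must be 1-{USER_ID_MAX} characters")
    if FORBIDDEN_USER_CHARS & set(user_id):
        problems.append("user-id may not contain '#' or '@'")
    return problems

def has_sequential_run(s: str, n: int) -> bool:
    """True if n characters in a row each increase by one code point (e.g. 'abcd', '1234')."""
    run = 1
    for prev, cur in zip(s, s[1:]):
        run = run + 1 if ord(cur) - ord(prev) == 1 else 1
        if run >= n:
            return True
    return False

def check_password(pw: str) -> list[str]:
    """Apply the clear-text syntax restrictions and the strong-password characteristics."""
    problems = []
    if len(pw) > PASSWORD_MAX:
        problems.append(f"password exceeds {PASSWORD_MAX} characters")
    if FORBIDDEN_PW_ANYWHERE & set(pw):
        problems.append("password may not contain '$' or spaces")
    if pw and pw[0] in FORBIDDEN_PW_LEADING:
        problems.append('password may not begin with ", `, | or >')
    if len(pw) < 8:
        problems.append("password must be at least eight characters")
    if not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)):
        problems.append("password needs both uppercase and lowercase letters")
    if not any(c.isdigit() for c in pw):
        problems.append("password needs at least one number")
    if has_sequential_run(pw, SEQ_LIMIT):
        problems.append("password contains a consecutive sequence such as 'abcd'")
    if re.search(r"(.)\1{%d,}" % (REPEAT_LIMIT - 1), pw):
        problems.append("password contains repeated characters such as 'aaa'")
    return problems
```

The password from the page's own example, Ci5co321, passes every implemented check, while a value such as abcd1234 is rejected for its consecutive run and missing uppercase letters.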

Examples

This example shows how to create a user account with a password:

switch(config)# username user1 password Ci5co321
switch(config)#

This example shows how to configure the SSH key for a user account:

switch(config)# username user1 sshkey file bootflash:key_file
switch(config)#

This example shows how to configure the privilege level for a user account:

switch(config)# username user1 priv-lvl 15
switch(config)#

Related Commands

Command             Description
feature privilege   Enables the cumulative privilege of roles for command authorization on TACACS+ servers.
show privilege      Displays the current privilege level, username, and status of cumulative privilege support for a user.
show user-account   Displays the user account configuration.