Access to the Cisco Nexus 1000V is accomplished by setting up user accounts that define the specific actions permitted by each user. You can create up to 256 user accounts. Each user account includes the following criteria:
A role is a collection of rules that define the specific actions that can be shared by a group of users. The following broadly defined roles, for example, can be assigned to user accounts. These roles are predefined in the Cisco Nexus 1000V and cannot be modified:
```
role: network-admin
  description: Predefined network admin role has access to all commands on the switch
  -------------------------------------------------------------------
  Rule    Perm    Type        Scope               Entity
  -------------------------------------------------------------------
  1       permit  read-write
role: network-operator
  description: Predefined network operator role has access to all read commands on the switch
  -------------------------------------------------------------------
  Rule    Perm    Type        Scope               Entity
  -------------------------------------------------------------------
  1       permit  read
```
You can create an additional 64 roles that define access for users.
Each user account must be assigned at least one role and can be assigned up to 64 roles.
You can create roles that, by default, permit access to the following commands only. You must add rules to allow users to configure features.
A username identifies an individual user by a unique character string, such as daveGreen. Usernames are case sensitive and can consist of up to 28 alphanumeric characters. A username consisting of all numerals is not allowed. If an all-numeric username exists on an AAA server and is entered during login, the user is not logged in.
A password is a case-sensitive character string that enables access by a specific user and helps prevent unauthorized access. You can add a user without a password, but they may not be able to access the device. Passwords should be strong so that they cannot be easily guessed for unauthorized access.
The following characters are not permitted in clear text passwords:
The following special characters are not permitted at the beginning of the password:
The following table lists the characteristics of strong passwords.
| Strong passwords have: | Strong passwords do not have: |
|---|---|
| At least eight characters | Consecutive characters, such as “abcd” |
| Uppercase letters | Repeating characters, such as “aaabbb” |
| Lowercase letters | Dictionary words |
| Numbers | Proper names |
| Special characters | |
Some examples of strong passwords are as follows:
The device checks password strength automatically by default. When you add a username and password, the strength of the password is evaluated. If it is a weak password, the following error message is displayed to notify you:
```
switch# config terminal
switch(config)# username daveGreen password davey
password is weak
Password should contain characters from at least three of the classes: lower case letters, upper case letters, digits, and special characters
```
Password strength checking can be disabled.
By default, a user account does not expire. You can, however, explicitly configure an expiration date on which the account will be disabled.
The following usernames are reserved and cannot be used for user accounts:

| | | | |
|---|---|---|---|
| adm | gdm | mtuser | rpcuser |
| bin | gopher | news | shutdown |
| daemon | halt | nobody | sync |
| ftp | lp | nscd | sys |
| ftpuser | mailnull | operator | uucp |
| games | man | rpc | xfs |
| Parameters | Default |
|---|---|
| User account password | Undefined |
| User account expiration date | None |
| User account role | Network-operator |
| Interface policy | All interfaces are accessible |
| VLAN policy | All VLANs are accessible |
Configuring User Access
Use this procedure to enable the Cisco Nexus 1000V to check the strength of passwords to avoid creating weak passwords for user accounts.
Checking password strength is enabled by default. This procedure can be used to enable it again should it become disabled.
Before beginning this procedure, you must be logged in to the CLI in EXEC mode.
1. switch# configure terminal
2. switch(config)# password strength-check
3. (Optional) switch(config)# show password strength-check
4. (Optional) switch(config)# copy running-config startup-config
```
switch# configure terminal
switch(config)# password strength-check
switch(config)# show password strength-check
Password strength check enabled
switch(config)# copy running-config startup-config
```
Before beginning this procedure, you must be logged in to the CLI in EXEC mode.
1. switch# configure terminal
2. switch(config)# no password strength-check
3. (Optional) switch(config)# show password strength-check
4. (Optional) switch(config)# copy running-config startup-config
```
switch# configure terminal
switch(config)# no password strength-check
switch(config)# show password strength-check
switch(config)# copy running-config startup-config
```
Before beginning this procedure, you must be logged in to the CLI in EXEC mode.
1. switch# configure terminal
2. (Optional) switch(config)# show role
3. switch(config)# username name [password [0 | 5] password] [expire date] [role role-name]
4. switch(config)# show user-account username
5. (Optional) switch(config)# copy running-config startup-config
```
switch# configure terminal
switch(config)# show role
switch(config)# username NewUser password 4Ty18Rnt
switch(config)# show user-account NewUser
user: NewUser
        this user account has no expiry date
        roles:network-operator network-admin
switch# copy running-config startup-config
```
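The username and password guidelines above can be checked before an account is pushed to the switch, so that a weak password is rejected in change review rather than by the device. The following is an added example, not code from the Cisco documentation: it encodes the username rules (alphanumeric, at most 28 characters, not all-numeric, not a reserved name), the device's own "three of four character classes" check, and the strong-password table, then renders the `username` command from the procedure above. The run lengths used for the "consecutive" and "repeating" checks (four ascending characters, three identical characters in a row) are assumptions, and the dictionary-word and proper-name checks are not implemented.

```python
"""Pre-flight checks for Cisco Nexus 1000V user accounts.

Added example; not code from the Cisco documentation. It encodes the
username and password guidelines stated in this chapter and renders the
``username`` command from the account-creation procedure. The thresholds
for the "consecutive" and "repeating" checks are assumptions; the
dictionary-word and proper-name checks are not implemented.
"""
import string

MAX_USERNAME_LEN = 28          # stated in the chapter
MAX_ROLES_PER_USER = 64        # stated in the chapter
MIN_PASSWORD_LEN = 8           # "at least eight characters"

# Reserved usernames from the chapter's table.
RESERVED_USERNAMES = frozenset("""
adm bin daemon ftp ftpuser games gdm gopher halt lp mailnull man mtuser
news nobody nscd operator rpc rpcuser shutdown sync sys uucp xfs
""".split())


def check_username(name: str) -> list:
    """Return the guideline violations for a proposed username (empty = OK)."""
    problems = []
    if not name:
        problems.append("username is empty")
    elif not name.isascii() or not name.isalnum():
        problems.append("username must be alphanumeric")
    if len(name) > MAX_USERNAME_LEN:
        problems.append(f"username longer than {MAX_USERNAME_LEN} characters")
    if name.isdigit():
        problems.append("all-numeric usernames are not allowed")
    if name in RESERVED_USERNAMES:
        problems.append(f"'{name}' is a reserved username")
    return problems


def _has_ascending_run(pw: str, run: int = 4) -> bool:
    """True if ``run`` characters in a row each follow the previous one (e.g. abcd).
    The run length is an assumption, not a figure from the chapter."""
    for i in range(len(pw) - run + 1):
        window = pw[i:i + run]
        if all(ord(window[j + 1]) == ord(window[j]) + 1 for j in range(run - 1)):
            return True
    return False


def _has_repeat_run(pw: str, run: int = 3) -> bool:
    """True if one character appears ``run`` times in a row (e.g. aaa); assumed length."""
    return any(pw[i:i + run] == pw[i] * run for i in range(len(pw) - run + 1))


def check_password(pw: str) -> list:
    """Return the violations for a proposed password (empty = strong).

    The class rule mirrors the device's strength check: characters from
    at least three of lower case, upper case, digits and special.
    """
    problems = []
    if len(pw) < MIN_PASSWORD_LEN:
        problems.append(f"shorter than {MIN_PASSWORD_LEN} characters")
    classes = sum([
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    ])
    if classes < 3:
        problems.append("password is weak: needs characters from at least "
                        "three of lower, upper, digits, special")
    if _has_ascending_run(pw):
        problems.append("contains consecutive characters such as abcd")
    if _has_repeat_run(pw):
        problems.append("contains repeating characters such as aaa")
    return problems


def build_username_commands(name: str, password: str, expire=None, roles=()) -> list:
    """Render the ``username`` configuration lines for one account.

    Raises ValueError instead of emitting a line that the device would
    reject or that violates the chapter's guidelines.
    """
    problems = check_username(name) + check_password(password)
    if len(roles) > MAX_ROLES_PER_USER:
        problems.append(f"more than {MAX_ROLES_PER_USER} roles")
    if problems:
        raise ValueError("; ".join(problems))
    first = f"username {name} password {password}"
    if expire:
        first += f" expire {expire}"
    lines = [first]
    # The command syntax takes one role per invocation; repeat it per role.
    lines.extend(f"username {name} role {role}" for role in roles)
    return lines


if __name__ == "__main__":
    print(check_password("davey"))                  # the chapter's weak example
    print(build_username_commands("NewUser", "4Ty18Rnt", roles=["network-operator"]))
```

`check_password("davey")` reports both the length and the class violation, which is what the device's "password is weak" message above is telling the operator; `4Ty18Rnt` from the procedure passes every check.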
1. switch# configure terminal
2. switch(config)# role name role-name
3. (Optional) switch(config-role)# description description-string
4. switch(config-role)# rule number {deny | permit} {read | read-write}
   Creates one rule to permit or deny all operations.
   switch(config-role)# rule number {deny | permit} command command-string
   Creates a rule to permit or deny a specific command.
   switch(config-role)# rule number {deny | permit} {read | read-write} feature feature-name
   Creates a rule for feature access. Use the show role feature command to display a list of available features.
   switch(config-role)# rule number {deny | permit} {read | read-write} feature-group group-name
   Creates a rule for feature group access. Use the show role feature-group command to display a list of feature groups.
5. Repeat Step 4 to create all needed rules for the specified role.
6. (Optional) switch(config-role)# show role
7. (Optional) switch(config-role)# copy running-config startup-config
```
switch# configure terminal
switch(config)# role name UserA
switch(config-role)# description Prohibits use of clear commands
switch(config-role)# rule 1 deny command clear users
switch(config-role)# rule 2 deny read-write
```

```
switch# configure terminal
switch(config)# role name UserA
switch(config-role)# rule 3 permit read feature snmp
switch(config-role)# rule 2 permit read feature dot1x
switch(config-role)# rule 1 deny command clear *
```
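Once custom roles exist, the quickest audit is to collect `show role` from the switch and look for any role that still grants unrestricted read-write access. The following parser is an added example, not code from the Cisco documentation. It assumes the column layout shown in this chapter's `show role` output (Rule, Perm, Type, Scope, Entity) and that a command rule prints an empty Scope column; the sample output is constructed from the two predefined roles and the UserA role built in the procedure above.

```python
"""Parse ``show role`` output and flag roles with unrestricted write access.

Added example; not code from the Cisco documentation. It assumes the
Rule / Perm / Type / Scope / Entity layout shown in this chapter and that
a command rule prints an empty Scope column. SAMPLE_SHOW_ROLE is
constructed from the chapter's predefined roles and its UserA role.
"""
from dataclasses import dataclass, field

SAMPLE_SHOW_ROLE = """\
role: network-admin
  description: Predefined network admin role has access to all commands on the switch
  -------------------------------------------------------------------
  Rule    Perm    Type        Scope               Entity
  -------------------------------------------------------------------
  1       permit  read-write
role: network-operator
  description: Predefined network operator role has access to all read commands on the switch
  -------------------------------------------------------------------
  Rule    Perm    Type        Scope               Entity
  -------------------------------------------------------------------
  1       permit  read
role: UserA
  description: Prohibits use of clear commands
  -------------------------------------------------------------------
  Rule    Perm    Type        Scope               Entity
  -------------------------------------------------------------------
  3       permit  read        feature             snmp
  2       permit  read        feature             dot1x
  1       deny    command                         clear *
"""


@dataclass
class Rule:
    number: int
    perm: str      # permit | deny
    kind: str      # read | read-write | command
    scope: str     # feature | feature-group | "" (all operations, or a command rule)
    entity: str    # feature name, feature-group name or command string


@dataclass
class Role:
    name: str
    description: str = ""
    rules: list = field(default_factory=list)


def parse_show_role(text: str) -> dict:
    """Return {role name: Role} parsed from ``show role`` output."""
    roles = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("role:"):
            current = Role(name=line.split(":", 1)[1].strip())
            roles[current.name] = current
        elif line.startswith("description:") and current:
            current.description = line.split(":", 1)[1].strip()
        elif current and line[:1].isdigit():          # a rule row
            tokens = line.split()
            number, perm, kind = int(tokens[0]), tokens[1], tokens[2]
            rest = tokens[3:]
            if kind == "command":
                scope, entity = "", " ".join(rest)     # Scope is blank; Entity may contain spaces
            elif rest:
                scope, entity = rest[0], " ".join(rest[1:])
            else:
                scope, entity = "", ""                 # rule applies to all operations
            current.rules.append(Rule(number, perm, kind, scope, entity))
    return roles


def audit_roles(roles: dict) -> list:
    """Names of roles that permit read-write on everything (no feature scope)."""
    return [
        name for name, role in roles.items()
        if any(r.perm == "permit" and r.kind == "read-write" and not r.scope
               for r in role.rules)
    ]


if __name__ == "__main__":
    parsed = parse_show_role(SAMPLE_SHOW_ROLE)
    for name, role in parsed.items():
        print(name, [(r.number, r.perm, r.kind, r.scope, r.entity) for r in role.rules])
    print("unrestricted read-write:", audit_roles(parsed))
```

On the sample only `network-admin` is flagged; `UserA` is not, because its only permits are scoped to the snmp and dot1x features. Rows are split on whitespace rather than by column offset so that an Entity such as `clear *` survives intact.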
Use this procedure to create and configure a feature group. You can create up to 64 custom feature groups.
1. switch# configure terminal
2. switch(config)# role feature-group name group-name
3. switch(config-role-featuregrp)# show role feature
4. switch(config-role-featuregrp)# feature feature-name
5. (Optional) switch(config-role-featuregrp)# show role feature-group
6. (Optional) switch(config-role-featuregrp)# copy running-config startup-config
By default, a role allows access to all interfaces. You modify a role you have already created by denying access to all interfaces, and then permitting access to selected interfaces.
Before beginning this procedure you must have done the following:
1. switch# configure terminal
2. switch(config)# role name role-name
3. switch(config-role)# interface policy deny
4. switch(config-role-interface)# permit interface interface-list
5. (Optional) switch(config-role-interface)# show role role-name
6. (Optional) switch(config-role-interface)# copy running-config startup-config
By default, access is allowed to all VLANs. In this procedure you will modify a role you have already created by denying access to all VLANs, and then permitting access to selected VLANs.
Before beginning this procedure, you must:
1. switch# configure terminal
2. switch(config)# role name role-name
3. switch(config-role)# vlan policy deny
4. switch(config-role-vlan)# permit vlan vlan-range
5. (Optional) switch(config-role)# show role role-name
6. (Optional) switch(config-role)# copy running-config startup-config
Use one of the following commands to verify the configuration.
| Command | Purpose |
|---|---|
| show role | Displays the available user roles and their rules. |
| show role feature | Displays a list of available features. |
| show role feature-group | Displays a list of available feature groups. |
| show startup-config security | Displays the user account configuration in the startup configuration. |
| show running-config security [all] | Displays the user account configuration in the running configuration. The all keyword displays the default values for the user accounts. |
| show user-account | Displays user account information. |
Configuration Examples
```
switch# config terminal
switch(config)# role feature-group name security-features
switch(config-role-featuregrp)# feature radius
switch(config-role-featuregrp)# feature tacacs
switch(config-role-featuregrp)# feature dot1x
switch(config-role-featuregrp)# feature aaa
switch(config-role-featuregrp)# feature snmp
switch(config-role-featuregrp)# feature acl
switch(config-role-featuregrp)# feature access-list
```

```
switch# config terminal
switch(config)# role name UserA
switch(config-role)# rule 3 permit read feature snmp
switch(config-role)# rule 2 permit read feature dot1x
switch(config-role)# rule 1 deny command clear *
```
| MIBs | MIBs Link |
|---|---|
| CISCO-COMMON-MGMT-MIB | To locate and download MIBs, go to the following URL: http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml |
This table includes only the updates for those releases that have resulted in additions or changes to the feature.
| Feature Name | Releases | Feature Information |
|---|---|---|
| User Accounts | Release 5.2(1)IC1(1.1) | This feature was introduced. |