Cisco Nexus 1000V Security Configuration Guide, Release 4.2(1)SV2(2.1)
Managing User Accounts


Information About User Accounts

Access to the Cisco Nexus 1000V is accomplished by setting up user accounts that define the specific actions permitted by each user. You can create up to 256 user accounts. Each user account includes the following criteria:

  • Role
  • Username
  • Password
  • Expiration date

Role

A role is a collection of rules that define the specific actions that can be shared by a group of users. The following broadly defined roles, for example, can be assigned to user accounts. These roles are predefined in the Cisco Nexus 1000V and cannot be modified:

role: network-admin
  description: Predefined network admin role has access to all commands
  on the switch
  -------------------------------------------------------------------
  Rule    Perm    Type        Scope               Entity                  
  -------------------------------------------------------------------
  1       permit  read-write  

role: network-operator
  description: Predefined network operator role has access to all read
  commands on the switch
  -------------------------------------------------------------------
  Rule    Perm    Type        Scope               Entity                  
  -------------------------------------------------------------------
  1       permit  read        

You can create an additional 64 roles that define access for users.

Each user account must be assigned at least one role and can be assigned up to 64 roles.

You can create roles that, by default, permit access to the following commands only. You must add rules to allow users to configure features.

  • show
  • exit
  • end
  • configure terminal

Username

A username identifies an individual user by a unique character string, such as daveGreen. Usernames are case sensitive and can consist of up to 28 alphanumeric characters. A username consisting of all numerals is not allowed. If an all-numeric username exists on an AAA server and is entered during login, the user is not logged in.

Password

A password is a case-sensitive character string that enables access by a specific user and helps prevent unauthorized access. You can add a user without a password, but they may not be able to access the device. Passwords should be strong so that they cannot be easily guessed for unauthorized access.

The following characters are not permitted in clear text passwords:

  • dollar signs ($)
  • spaces

The following special characters are not permitted at the beginning of the password:

  • quotation marks (" or ')
  • vertical bars (|)
  • right angle brackets (>)

The following table lists the characteristics of strong passwords.

Table 1 Characteristics of Strong Passwords

  Strong passwords have:        Strong passwords do not have:
  ----------------------------  ----------------------------------------
  At least eight characters     Consecutive characters, such as "abcd"
  Uppercase letters             Repeating characters, such as "aaabbb"
  Lowercase letters             Dictionary words
  Numbers                       Proper names
  Special characters

Some examples of strong passwords are as follows:

  • If2CoM18
  • 2004AsdfLkj30
  • Cb1955S21

Check of Password Strength

The device checks password strength automatically by default. When you add a username and password, the strength of the password is evaluated. If it is a weak password, the following error message is displayed to notify you:

switch# config terminal
switch (config)# username daveGreen password davey
password is weak
Password should contain characters from at least three of the classes:
 lower case letters, upper case letters, digits, and special characters

Password strength checking can be disabled.
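As an added illustration (this is not code from the Cisco guide), the following Python applies the account rules this chapter states to a proposed username and password: the characters that are not permitted, the three-of-four character classes check behind the "password is weak" message, the username length, alphanumeric, not-all-numeric and reserved-word constraints, and the measurable rows of Table 1. How "consecutive" and "repeating" characters are detected is an assumption, and dictionary words and proper names are not checked because they need a word list.

```python
import string

# Reserved words listed under "Guidelines for Creating User Accounts", copied as printed.
RESERVED_USERNAMES = {
    "adm", "gdm", "mtuser", "rpcuser", "bin", "gopher", "neews", "shutdown",
    "daemon", "haltlp", "nobody", "sync", "ftp", "mail", "nscd", "sys",
    "ftpuser", "mailnull", "operator", "uucp", "games", "man", "rpc", "xfs",
}

def check_username(name):
    """Return the reasons a username is not acceptable (an empty list means it is)."""
    problems = []
    if not 1 <= len(name) <= 28:
        problems.append("must be 1 to 28 characters long")
    if not (name.isascii() and name.isalnum()):
        problems.append("only alphanumeric characters are allowed")
    if name.isdigit():
        problems.append("an all-numeric username is not allowed")
    if name in RESERVED_USERNAMES:      # usernames are case sensitive, so no .lower()
        problems.append("reserved word")
    return problems

def _has_run(s, step, length):
    """True if s contains `length` adjacent characters whose code points each rise by
    `step` (step 1 catches 'abcd' or '1234', step 0 catches 'aaa'). This reading of the
    guide's 'consecutive' and 'repeating' examples is an assumption."""
    codes = [ord(c) for c in s]
    return any(all(codes[i + k + 1] - codes[i + k] == step for k in range(length - 1))
               for i in range(len(codes) - length + 1))

def check_password(pw):
    """Return the reasons a password is weak or invalid (an empty list means it passes).
    The first three checks are the ones the guide says the switch enforces; the rest
    follow Table 1. Dictionary words and proper names are not checked here."""
    problems = []
    if "$" in pw or " " in pw:
        problems.append("dollar signs and spaces are not permitted")
    if pw[:1] in ('"', "'", "|", ">"):
        problems.append("must not begin with a quotation mark, vertical bar or right angle bracket")
    classes = (any(c.islower() for c in pw), any(c.isupper() for c in pw),
               any(c.isdigit() for c in pw), any(c in string.punctuation for c in pw))
    if sum(classes) < 3:
        problems.append("needs characters from at least three of the classes: "
                        "lower case letters, upper case letters, digits, and special characters")
    if len(pw) < 8:
        problems.append("fewer than eight characters")
    if _has_run(pw, step=1, length=4):
        problems.append("contains consecutive characters, such as 'abcd'")
    if _has_run(pw, step=0, length=3):
        problems.append("contains repeating characters, such as 'aaa'")
    return problems

if __name__ == "__main__":
    # The guide's own examples: 'davey' is the rejected password, the other three are strong.
    for pw in ("davey", "If2CoM18", "2004AsdfLkj30", "Cb1955S21"):
        print(pw, "->", check_password(pw) or "ok")
```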

Expiration Date

By default, a user account does not expire. You can, however, explicitly configure an expiration date on which the account will be disabled.

Guidelines and Limitations for Creating User Accounts

  • You can create up to 64 roles in addition to the two predefined user roles.
  • You can create up to 256 rules in a user role.
  • You can create up to 64 feature groups.
  • You can add up to 256 users.
  • You can assign a maximum of 64 user roles to a user account.
  • If you have a user account that has the same name as a remote user account on an AAA server, the user roles for the local user account are applied to the remote user, not the user roles configured on the AAA server.

Guidelines for Creating User Accounts

  • You can add up to 256 user accounts.
  • Changes to user accounts do not take effect until the user logs in and creates a new session.
  • Do not use the following words in user accounts. These words are reserved for other purposes:

    adm, gdm, mtuser, rpcuser, bin, gopher, neews, shutdown, daemon, haltlp, nobody, sync,
    ftp, mail, nscd, sys, ftpuser, mailnull, operator, uucp, games, man, rpc, xfs

  • You can add a user password as either clear text or encrypted.
    • Clear text passwords are encrypted before they are saved to the running configuration.
    • Encrypted passwords are saved to the running configuration without further encryption.
  • A user account can have up to 64 roles, but must have at least one role.
  • If you do not specify a password, the user might not be able to log in.
  • For information about using SSH public keys instead of passwords, see Configuring an OpenSSH Key.

Default Settings for User Access

  Parameters                    Default
  ----------------------------  -----------------------------
  User account password         Undefined
  User account expiration date  None
  User account role             Network-operator
  Interface policy              All interfaces are accessible
  VLAN policy                   All VLANs are accessible

Configuring User Access

Enabling the Check of Password Strength

You can enable the Cisco Nexus 1000V to check the strength of passwords to avoid creating weak passwords for user accounts.

Checking password strength is enabled by default. This procedure can be used to enable it again should it become disabled.

Before You Begin

Log in to the CLI in EXEC mode.

Procedure

  Step 1  switch# configure terminal
          Enters global configuration mode.

  Step 2  switch(config)# password strength-check
          Enables password-strength checking. The default is enabled.
          You can disable the checking of password strength by using the no form of this command.

  Step 3  switch(config)# show password strength-check  (Optional)
          Displays the configuration for checking password strength.

  Step 4  switch(config)# copy running-config startup-config  (Optional)
          Saves the change persistently through reboots and restarts by copying the running configuration to the startup configuration.

This example shows how to enable password-strength checking and verify the setting:

  switch# configure terminal
  switch(config)# password strength-check
  switch(config)# show password strength-check
  Password strength check enabled
  switch(config)# copy running-config startup-config

Disabling the Check of Password Strength

Before You Begin

Log in to the CLI in EXEC mode.

Procedure

  Step 1  switch# configure terminal
          Enters global configuration mode.

  Step 2  switch(config)# no password strength-check
          Disables password-strength checking. The default is enabled.

  Step 3  switch(config)# show password strength-check  (Optional)
          Displays the configuration for checking password strength.

  Step 4  switch(config)# copy running-config startup-config  (Optional)
          Saves the change persistently through reboots and restarts by copying the running configuration to the startup configuration.

This example shows how to disable the check of password strength:

  switch# configure terminal
  switch(config)# no password strength-check
  switch(config)# show password strength-check
  switch(config)# copy running-config startup-config

Creating a User Account

Before You Begin

Log in to the CLI in EXEC mode.

Procedure

  Step 1  switch# configure terminal
          Enters global configuration mode.

  Step 2  switch(config)# show role  (Optional)
          Displays the available roles that can be assigned to users.

  Step 3  switch(config)# username name [password [0 | 5] password] [expire date] [role role-name]
          Creates a user account. The arguments and keywords are as follows:
          • name—A case-sensitive, alphanumeric character string of up to 28 characters in length.
          • password password—The default password is undefined.
            • 0—(the default) Specifies that the password you are entering is in clear text. The Cisco Nexus 1000V encrypts the clear text password before saving it in the running configuration. In the example shown, the password 4Ty18Rnt is encrypted in your running configuration in password 5 format.
            • 5—Specifies that the password you are entering is already in encrypted format. The Cisco Nexus 1000V does not encrypt the password before saving it in the running configuration. User passwords are not displayed in the configuration files.
          • expire date—YYYY-MM-DD. The default is no expiration date.
          • role role-name—You must assign at least one role. You can assign up to 64 roles. The default role is network-operator.

  Step 4  switch(config)# show user-account username
          Displays the new user account configuration.

  Step 5  switch(config)# copy running-config startup-config  (Optional)
          Saves the change persistently through reboots and restarts by copying the running configuration to the startup configuration.

This example shows how to create a user account:

  switch# configure terminal
  switch(config)# show role
  switch(config)# username NewUser password 4Ty18Rnt
  switch(config)# show user-account NewUser
  user: NewUser
       this user account has no expiry date
       roles:network-operator network-admin
  switch(config)# copy running-config startup-config

Creating a Role

Before You Begin

  • Log in to the CLI in EXEC mode.
  • Know that you can configure up to 64 user roles.
  • Know that you can configure up to 256 rules for each role.
  • Know that you can assign a single role to more than one user.
  • Know that the rule number specifies the order in which it is applied, in descending order. For example, if a role has three rules, rule 3 is applied first, rule 2 is applied next, and rule 1 is applied last.
  • Know that by default, the user roles that you create allow access only to the show, exit, end, and configure terminal commands. You must add rules to allow users to configure features.

Procedure

  Step 1  switch# configure terminal
          Enters global configuration mode.

  Step 2  switch(config)# role name role-name
          Names a user role and places you in role configuration mode for that role.
          The role-name is a case-sensitive, alphanumeric string of up to 16 characters.

  Step 3  switch(config-role)# description description-string  (Optional)
          Configures the role description, which can include spaces.

  Step 4  Create a rule for the role, using one of the following forms:

          switch(config-role)# rule number {deny | permit} command command-string
            Creates a rule to permit or deny a specific command. The command you specify can contain spaces and regular expressions. For example, interface ethernet * permits or denies access to all Ethernet interfaces. In the example at the end of this procedure, rule 1 denies access to the clear users command.

          switch(config-role)# rule number {deny | permit} {read | read-write}
            Creates one rule to permit or deny all operations.

          switch(config-role)# rule number {deny | permit} {read | read-write} feature feature-name
            Creates a rule for feature access. Use the show role feature command to display a list of available features.

          switch(config-role)# rule number {deny | permit} {read | read-write} feature-group group-name
            Creates a rule for feature group access. Use the show role feature-group command to display a list of feature groups.

  Step 5  Repeat Step 4 to create all needed rules for the specified role.

  Step 6  switch(config-role)# show role  (Optional)
          Displays the user role configuration.

  Step 7  switch(config-role)# copy running-config startup-config  (Optional)
          Copies the running configuration to the startup configuration.

This example shows how to create a role:

  switch# configure terminal
  switch(config)# role name UserA
  switch(config-role)# description Prohibits use of clear commands
  switch(config-role)# rule 1 deny command clear users
  switch(config-role)# rule 2 deny read-write
  switch(config-role)# rule 3 permit read feature eth-port-sec
  switch(config-role)# rule 4 deny read-write feature-group eth-port-sec
          
          
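To make the descending rule order concrete, here is an added Python model (not part of the guide or of the switch software) that parses rule lines in the syntax shown above and evaluates a command against a role, highest-numbered rule first. Two points are assumptions: that the first matching rule decides, and that a read-write rule also covers read operations; the feature-group membership and the command-to-feature mapping are constructed for the example. Run on the UserA role above, it shows rule 4 overriding rule 3 for a read of the eth-port-sec feature, and rule 2 deciding clear users before rule 1 is reached.

```python
import fnmatch
from dataclasses import dataclass
from typing import Optional

# Commands the guide says a custom role can always run, even when no rule matches.
ALWAYS_PERMITTED = ("show", "exit", "end", "configure terminal")

@dataclass
class Rule:
    number: int
    action: str                    # "permit" or "deny"
    kind: str                      # "command", "all", "feature" or "feature-group"
    perm: Optional[str] = None     # "read" or "read-write"; unused when kind == "command"
    target: Optional[str] = None   # command pattern, feature name or feature-group name

@dataclass
class Command:
    text: str                      # the CLI line as typed
    feature: Optional[str] = None  # feature the command belongs to (constructed mapping)
    operation: str = "read"        # "read" or "read-write"

def parse_rule(line):
    """Parse one 'rule N {deny|permit} ...' line as typed in role configuration mode."""
    tok = line.split()
    if len(tok) < 4 or tok[0] != "rule" or tok[2] not in ("deny", "permit"):
        raise ValueError(f"not a rule: {line!r}")
    number, action = int(tok[1]), tok[2]
    if tok[3] == "command":
        return Rule(number, action, "command", target=" ".join(tok[4:]))
    if tok[3] not in ("read", "read-write"):
        raise ValueError(f"bad permission in {line!r}")
    if len(tok) == 4:
        return Rule(number, action, "all", tok[3])
    if len(tok) == 6 and tok[4] in ("feature", "feature-group"):
        return Rule(number, action, tok[4], tok[3], tok[5])
    raise ValueError(f"unrecognised rule form: {line!r}")

def _matches(rule, cmd, groups):
    if rule.kind == "command":
        # The guide allows patterns such as 'clear *'; '*' is treated as a glob here (assumption).
        return fnmatch.fnmatchcase(cmd.text, rule.target)
    # A read rule covers read operations only; a read-write rule covers both (assumption).
    if cmd.operation == "read-write" and rule.perm != "read-write":
        return False
    if rule.kind == "all":
        return True
    if rule.kind == "feature":
        return cmd.feature == rule.target
    return cmd.feature in groups.get(rule.target, set())

def evaluate(rules, cmd, groups=None):
    """Apply the rules highest number first, as the guide describes; the first matching
    rule decides (assumption). Returns (permitted, deciding rule number or None).
    With no match, only the four default commands are permitted."""
    for rule in sorted(rules, key=lambda r: r.number, reverse=True):
        if _matches(rule, cmd, groups or {}):
            return rule.action == "permit", rule.number
    return any(cmd.text == c or cmd.text.startswith(c + " ") for c in ALWAYS_PERMITTED), None

# The two roles from the guide's examples; the feature-group membership is constructed.
USER_A = [parse_rule(l) for l in ("rule 1 deny command clear users", "rule 2 deny read-write",
                                  "rule 3 permit read feature eth-port-sec",
                                  "rule 4 deny read-write feature-group eth-port-sec")]
USER_A_GROUPS = {"eth-port-sec": {"eth-port-sec"}}
SNMP_DOT1X = [parse_rule(l) for l in ("rule 3 permit read feature snmp",
                                      "rule 2 permit read feature dot1x",
                                      "rule 1 deny command clear *")]

if __name__ == "__main__":
    print(evaluate(USER_A, Command("show port-security", feature="eth-port-sec"), USER_A_GROUPS))
    print(evaluate(USER_A, Command("clear users", operation="read-write"), USER_A_GROUPS))
    print(evaluate(SNMP_DOT1X, Command("show snmp", feature="snmp")))
    print(evaluate(SNMP_DOT1X, Command("clear counters", operation="read-write")))
```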

Creating a Feature Group

You can create and configure a feature group. You can create up to 64 custom feature groups.

Before You Begin

  • Log in to the CLI in EXEC mode.
  • Know that you can create up to 64 custom feature groups.

Procedure

  Step 1  switch# configure terminal
          Enters global configuration mode.

  Step 2  switch(config)# role feature-group name group-name
          Places you into the role feature group configuration mode for the named group.
          The group-name argument is a case-sensitive, alphanumeric string of up to 32 characters in length.

  Step 3  switch(config-role-featuregrp)# show role feature
          Displays a list of available features for use in defining the feature group.

  Step 4  switch(config-role-featuregrp)# feature feature-name
          Adds a feature to the feature group.
          Repeat this step for all features to be added to the feature group.

  Step 5  switch(config-role-featuregrp)# show role feature-group  (Optional)
          Displays the feature group configuration.

  Step 6  switch(config-role-featuregrp)# copy running-config startup-config  (Optional)
          Copies the running configuration to the startup configuration.

This example shows how to create a feature group named GroupA:

  switch# configure terminal
  switch(config)# role feature-group name GroupA
  switch(config-role-featuregrp)# show role feature
  feature: aaa
  feature: access-list
  feature: cdp
  feature: install
  . . .
  switch(config-role-featuregrp)# feature syslog
  switch(config-role-featuregrp)# show role feature-group
  feature group: GroupA
  feature: syslog
  feature: snmp
  feature: ping
  switch(config-role-featuregrp)# copy running-config startup-config

This example shows how to create a feature group named Security-features:

  switch# configure terminal
  switch(config)# role feature-group name Security-features
  switch(config-role-featuregrp)# feature radius
  switch(config-role-featuregrp)# feature tacacs
  switch(config-role-featuregrp)# feature dot1x
  switch(config-role-featuregrp)# feature aaa
  switch(config-role-featuregrp)# feature snmp
  switch(config-role-featuregrp)# feature acl
  switch(config-role-featuregrp)# feature access-list

Configuring Interface Access

By default, a role allows access to all interfaces. You modify a role that you have already created by denying access to all interfaces and then permitting access to selected interfaces.

Before You Begin

  • Log in to the CLI in EXEC mode.
  • You must have created one or more user roles. In this procedure, you are modifying a role that you have already created.

Procedure

  Step 1  switch# configure terminal
          Enters global configuration mode.

  Step 2  switch(config)# role name role-name
          Specifies a user role and enters role configuration mode for the named role.

  Step 3  switch(config-role)# interface policy deny
          Enters the interface configuration mode and denies all interface access for the role.
          Access to any interface must now be explicitly defined for this role by using the permit interface command.

  Step 4  switch(config-role-interface)# permit interface interface-list
          Specifies the interface(s) that users assigned to this role can access.
          Repeat this command to specify all interface lists that users assigned to this role are permitted to access.

  Step 5  switch(config-role-interface)# show role name role-name  (Optional)
          Displays the role configuration.

  Step 6  switch(config-role-interface)# copy running-config startup-config  (Optional)
          Copies the running configuration to the startup configuration.

This example shows how to configure interface access:

  switch# configure terminal
  switch(config)# role name network-observer
  switch(config-role)# interface policy deny
  switch(config-role-interface)# permit interface ethernet 2/1-4
  switch(config-role-interface)# show role name network-observer
  role: network-observer
    description: temp
    Vlan policy: permit (default)
    Interface policy: deny
    Permitted interfaces: Ethernet2/1-4
  switch(config-role-interface)# copy running-config startup-config

Configuring VLAN Access

By default, access is allowed to all VLANs. In this procedure you modify a role that you have already created by denying access to all VLANs and then permitting access to selected VLANs.

Before You Begin

  • Log in to the CLI in EXEC mode.
  • You must have already created one or more user roles. In this procedure, you are modifying a role that you have already created.

Procedure

  Step 1  switch# configure terminal
          Enters global configuration mode.

  Step 2  switch(config)# role name role-name
          Specifies a user role and enters role configuration mode.

  Step 3  switch(config-role)# vlan policy deny
          Enters the VLAN configuration mode and denies all VLAN access for the role.
          Access to any VLAN must now be explicitly defined for this role by using the permit vlan command.

  Step 4  switch(config-role-vlan)# permit vlan vlan-range
          Specifies the VLANs that users assigned to this role can access.
          Specify a VLAN range by using a dash. For example, 1-9 or 20-30.
          Repeat this command to specify all VLANs that users assigned to this role are permitted to access.

  Step 5  switch(config-role-vlan)# show role name role-name  (Optional)
          Displays the role configuration.
          The role-name argument is the name that you have assigned to the role you created.

  Step 6  switch(config-role-vlan)# copy running-config startup-config  (Optional)
          Copies the running configuration to the startup configuration.

This example shows how to configure VLAN access for the role whose interface access was restricted in the previous example:

  switch# configure terminal
  switch(config)# role name network-observer
  switch(config-role)# vlan policy deny
  switch(config-role-vlan)# permit vlan 1-9
  switch(config-role-vlan)# show role name network-observer
  role: network-observer
    description: temp
    Vlan policy: deny
    Permitted vlans: 1-9
    Interface policy: deny
    Permitted interfaces: Ethernet2/1-4
  switch(config-role-vlan)# copy running-config startup-config
                

Verifying the User Access Configuration

Use one of the following commands to verify the configuration.

  Command                              Purpose
  -----------------------------------  --------------------------------------------------------------
  show role                            Displays the available user roles and their rules.
  show role feature                    Displays a list of available features.
  show role feature-group              Displays a list of available feature groups.
  show startup-config security         Displays the user account configuration in the startup configuration.
  show running-config security [all]   Displays the user account configuration in the running configuration. The all keyword displays the default values for the user accounts.
  show user-account                    Displays user account information.

Configuration Examples

Configuration Example for Creating a Feature Group

This example shows how to create a feature group:

  switch# configure terminal
  switch(config)# role feature-group name security-features
  switch(config-role-featuregrp)# feature radius
  switch(config-role-featuregrp)# feature tacacs
  switch(config-role-featuregrp)# feature dot1x
  switch(config-role-featuregrp)# feature aaa
  switch(config-role-featuregrp)# feature snmp
  switch(config-role-featuregrp)# feature acl
  switch(config-role-featuregrp)# feature access-list

Configuration Example for Creating a Role

This example shows how to create a role:

  switch# config terminal
  switch(config)# role name UserA
  switch(config-role)# rule 3 permit read feature snmp
  switch(config-role)# rule 2 permit read feature dot1x
  switch(config-role)# rule 1 deny command clear *

MIBs

  MIBs                    MIBs Link
  ----------------------  ------------------------------------------------------------
  CISCO-COMMON-MGMT-MIB   To locate and download MIBs, go to the following URL:
                          http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml

Feature History for User Accounts

This table includes only the updates for those releases that have resulted in additions or changes to the feature.

  Feature Name    Releases       Feature Information
  --------------  -------------  ----------------------------
  User Accounts   4.0(4)SV1(1)   This feature was introduced.