Cisco Nexus 4001I and 4005I Switch Module for IBM BladeCenter NX-OS Configuration Guide
Configuring User Accounts and RBAC

This chapter describes how to configure user accounts and role-based access control (RBAC) on the Cisco Nexus 4001I and 4005I Switch Module for IBM BladeCenter.

This chapter includes the following sections:

Information About User Accounts and RBAC

Guidelines and Limitations

Configuring User Accounts

Configuring RBAC

Verifying User Accounts and RBAC Configuration

Example User Accounts and RBAC Configuration

Default Settings

Information About User Accounts and RBAC

You can create and manage user accounts and assign roles that limit access to operations on the switch. RBAC allows you to define the rules for an assigned role that restrict the authorization that the user has to access management operations.

This section includes the following topics:

About User Accounts

Characteristics of Strong Passwords

About User Roles

About Rules

About User Role Policies

About User Accounts


Tip The following words are reserved and cannot be used to configure users: bin, daemon, adm, lp, sync, shutdown, halt, mail, news, uucp, operator, games, gopher, ftp, nobody, nscd, mailnull, rpc, rpcuser, xfs, gdm, mtsuser, ftpuser, man, and sys.



Note User passwords are not displayed in the configuration files.



Caution The switch does not support all-numeric usernames, whether created with TACACS+ or RADIUS, or created locally. Local users with all-numeric names cannot be created. If an all-numeric username exists on an AAA server and is entered during login, the user is not logged in.

Characteristics of Strong Passwords

A strong password has the following characteristics:

At least eight characters long

Does not contain many consecutive characters (such as "abcd")

Does not contain many repeating characters (such as "aaabbb")

Does not contain dictionary words

Does not contain proper names

Must contain at least three of the following classes: lower case letters, upper case letters, digits, and special characters.

The following are examples of strong passwords:

If2CoM18

2004AsdfLkj30

Cb1955S21


Tip If a password is trivial (such as a short, easy-to-decipher password), the switch will reject your password configuration. Be sure to configure a strong password as shown in the sample configuration. Passwords are case sensitive.
Clear text passwords cannot contain dollar signs ($) or spaces anywhere in the password. Also, they cannot include these special characters at the beginning of the password: quotation marks (" or '), vertical bars (|), or right angle brackets (>).
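The following checker is an added illustration, not Cisco code and not the switch's own password test: it encodes the strong-password characteristics and the clear-text restrictions listed above so you can screen candidate passwords before configuring them. The dictionary and proper-name check uses a small constructed word list (an assumption; a real check would use a full dictionary), and "many consecutive" and "many repeating" are interpreted as four-character sequences and three-character runs.

```python
import re
import string

# Added, hypothetical checker (not Cisco code) that encodes the strong-password
# characteristics and clear-text restrictions listed in this chapter.
# The dictionary/proper-name check uses a small constructed word list.
CONSTRUCTED_WORDLIST = {"password", "cisco", "switch", "admin", "nexus"}
FORBIDDEN_LEADING = set("\"'|>")   # not allowed as the first character

def has_run(pw, length):
    """True if pw contains `length` identical characters in a row (e.g. 'aaa')."""
    return re.search(r"(.)\1{%d,}" % (length - 1), pw) is not None

def has_sequence(pw, length):
    """True if pw has `length` characters stepping up or down by one (e.g. 'abcd', '4321')."""
    for i in range(len(pw) - length + 1):
        codes = [ord(c) for c in pw[i:i + length]]
        steps = {b - a for a, b in zip(codes, codes[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False

def password_problems(pw):
    """Return the reasons a candidate password is weak or invalid; empty list means acceptable."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if "$" in pw or " " in pw:
        problems.append("contains '$' or a space")
    if pw and pw[0] in FORBIDDEN_LEADING:
        problems.append("starts with \" ' | or >")
    if has_sequence(pw, 4):
        problems.append("contains consecutive characters (e.g. abcd)")
    if has_run(pw, 3):
        problems.append("contains repeating characters (e.g. aaa)")
    if any(word in pw.lower() for word in CONSTRUCTED_WORDLIST):
        problems.append("contains a dictionary word or name")
    classes = sum([
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    ])
    if classes < 3:
        problems.append("fewer than three character classes")
    return problems
```

The three sample passwords given above pass with no problems reported.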


About User Roles

User roles contain rules that define the operations allowed for the user who is assigned the role. Each user role can contain multiple rules and each user can have multiple roles. For example, if role1 allows access only to configuration operations, and role2 allows access only to debug operations, then users who belong to both role1 and role2 can access configuration and debug operations. You can also limit access to specific VLANs and interfaces.

The switch provides the following default user roles:

network-admin (superuser)—Complete read and write access to the entire switch.

network-operator—Complete read access to the switch.


Note If you belong to multiple roles, you can execute a combination of all the commands permitted by these roles. Access to a command takes priority over being denied access to a command. For example, suppose a user has RoleA, which denies access to the configuration commands. However, the user also has RoleB, which has access to the configuration commands. In this case, the user has access to the configuration commands.


About Rules

The rule is the basic element of a role. A rule defines what operations the role allows the user to perform. You can apply rules for the following parameters:

Command—A command or group of commands defined in a regular expression.

Feature—Commands that apply to a function provided by the switch.

Enter the show role feature command to display the feature names available for this parameter.

Feature group—Default or user-defined group of features.

Enter the show role feature-group command to display the default feature groups available for this parameter.

These parameters create a hierarchical relationship. The most basic control parameter is the command. The next control parameter is the feature, which represents all commands associated with the feature. The last control parameter is the feature group. The feature group combines related features and allows you to easily manage the rules.

You can configure up to 256 rules for each role. The user-specified rule number determines the order in which the rules are applied. Rules are applied in descending order. For example, if a role has three rules, rule 3 is applied before rule 2, which is applied before rule 1.

About User Role Policies

You can define user role policies to limit the switch resources that the user can access. You can define user role policies to limit access to interfaces and VLANs.

User role policies are constrained by the rules defined for the role. For example, if you define an interface policy to permit access to specific interfaces, the user will not have access to the interfaces unless you configure a command rule for the role to permit the interface command. The "Changing User Role Interface Policies" section contains an example configuration.

If a command rule permits access to specific resources (interfaces, or VLANs), the user is permitted to access these resources, even if they are not listed in the user role policies associated with that user.
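The following model is an added example, not Cisco's implementation, of the two rule-evaluation properties this section and the note under "About User Roles" describe: within a role, rules are applied in descending number order, and across roles a permit outweighs a deny. It assumes that the first matching rule in a role decides, that read operations are show commands, that "*" in a command rule matches any text, and it uses a constructed feature-to-command map in place of the list "show role feature" would print; the UserA rules are those from this chapter's example configuration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Added model (not Cisco's implementation) of the rule evaluation this chapter
# describes: higher-numbered rules first, first match decides (assumption),
# and a permit from any of the user's roles outweighs a deny from another.
# Constructed feature-to-command map; the real list comes from "show role feature".
FEATURE_COMMANDS = {"tacacs": ["show tacacs-server*"]}

@dataclass
class Rule:
    number: int
    action: str                    # "permit" or "deny"
    rtype: str                     # "command", "read" or "read-write"
    entity: Optional[str] = None   # command pattern or feature name

def pattern_matches(pattern: str, command: str) -> bool:
    """'*' matches anything, all other text is literal (simplified regex support)."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, command) is not None

def rule_matches(rule: Rule, command: str) -> bool:
    if rule.rtype == "command":
        return pattern_matches(rule.entity, command)
    if rule.rtype == "read-write":
        return True                                # every operation
    is_read = command.startswith("show ")          # assumption: reads are show commands
    if rule.entity is None:                        # "read" rule for all operations
        return is_read
    feature_cmds = FEATURE_COMMANDS.get(rule.entity, [])
    return is_read and any(pattern_matches(p, command) for p in feature_cmds)

def role_decision(rules: List[Rule], command: str) -> Optional[str]:
    """Apply rules in descending number order; the first match decides, else no decision."""
    for rule in sorted(rules, key=lambda r: r.number, reverse=True):
        if rule_matches(rule, command):
            return rule.action
    return None

def user_allowed(roles: List[List[Rule]], command: str) -> bool:
    """A permit from any role wins; denied or unmatched in every role means not allowed."""
    return "permit" in [role_decision(r, command) for r in roles]

# Role UserA from this chapter's example configuration, plus the default operator role
USER_A = [Rule(3, "permit", "command", "configure terminal ; vlan *"),
          Rule(2, "permit", "read", "tacacs"),
          Rule(1, "deny", "command", "clear *")]
NETWORK_OPERATOR = [Rule(1, "permit", "read")]
```

A user holding only UserA cannot run "show version" (no rule matches), but adding network-operator permits it, while "clear counters" stays denied because no role permits it.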

Guidelines and Limitations

User accounts and RBAC have the following configuration guidelines and limitations:

You can add up to 256 rules to a user role.

You can assign a maximum of 64 user roles to a user account.


Note A user account must have at least one user role.


Configuring User Accounts

You can create a maximum of 256 user accounts on a switch. User accounts have the following attributes:

Username

Password

Expiry date

User roles

User accounts can have a maximum of 64 user roles. For more information on user roles, see the "Configuring RBAC" section.


Note Changes to user account attributes do not take effect until the user logs in and creates a new session.


To configure a user account, perform this task:

 
Command
Purpose

Step 1 

switch# show role

(Optional) Displays the user roles available. You can configure other user roles, if necessary (see the "Creating User Roles and Rules" section).

Step 2 

switch# configure terminal

Enters configuration mode.

Step 3 

switch(config)# username user-id [password password] [expire date] [role role-name]

Configures a user account. The user-id argument is a case-sensitive, alphanumeric character string with a maximum length of 28 characters.

The default password is undefined.

Note If you do not specify a password, the user might not be able to log in to the switch.

The expire date option format is YYYY-MM-DD. The default is no expiry date.

Step 4 

switch(config)# exit

Exits global configuration mode.

Step 5 

switch# show user-account

(Optional) Displays the role configuration.

Step 6 

switch# copy running-config startup-config

(Optional) Copies the running configuration to the startup configuration.

The following example shows how to configure a user account:

switch# configure terminal
switch(config)# username NewUser password 4Ty18Rnt
switch(config)# exit
switch# show user-account
switch# copy running-config startup-config

Configuring RBAC

This section includes the following topics:

Creating User Roles and Rules

Creating Feature Groups

Changing User Role Interface Policies

Changing User Role VLAN Policies

Creating User Roles and Rules

Each user role can have up to 256 rules. You can assign a user role to more than one user account.

The rule number you specify determines the order in which the rules are applied. Rules are applied in descending order. For example, if a role has three rules, rule 3 is applied before rule 2, which is applied before rule 1.

To create user roles and specify rules, perform this task:

 
Command
Purpose

Step 1 

switch# configure terminal

Enters configuration mode.

Step 2 

switch(config)# role name role-name

Specifies a user role and enters role configuration mode. The role-name argument is a case-sensitive, alphanumeric character string with a maximum length of 16 characters.

Step 3 

switch(config-role)# rule number {deny | permit} command command-string

Configures a command rule.

The command-string argument can contain spaces and regular expressions. For example, "interface ethernet *" includes all Ethernet interfaces.

Repeat this command for as many rules as needed.

switch(config-role)# rule number {deny | permit} {read | read-write}

Configures a read only or read and write rule for all operations.

switch(config-role)# rule number {deny | permit} {read | read-write} feature feature-name

Configures a read-only or read-and-write rule for a feature.

Use the show role feature command to display a list of features.

Repeat this command for as many rules as needed.

switch(config-role)# rule number {deny | permit} {read | read-write} feature-group group-name

Configures a read-only or read-and-write rule for a feature group.

Use the show role feature-group command to display a list of feature groups.

Repeat this command for as many rules as needed.

Step 4 

switch(config-role)# description text

(Optional) Configures the role description. You can include spaces in the description.

Step 5 

switch(config-role)# exit

Exits role configuration mode.

Step 6 

switch(config)# show role

(Optional) Displays the user role configuration.

Step 7 

switch(config)# copy running-config startup-config

(Optional) Copies the running configuration to the startup configuration.

The following example shows how to create user roles and specify rules:

switch# config terminal
switch(config)# role name user1
switch(config-role)# rule 1 deny command clear users
switch(config-role)# rule 2 deny read-write
switch(config-role)# rule 3 permit command config t
switch(config-role)# description This role does not allow users to use clear commands
switch(config-role)# exit
switch(config)# show role

Role: network-admin
  Description: Predefined network admin role has access to all commands
  on the switch
  -------------------------------------------------------------------
  Rule    Perm    Type        Scope               Entity
  -------------------------------------------------------------------
  1       permit  read-write

Role: network-operator
  Description: Predefined network operator role has access to all read
  commands on the switch
  -------------------------------------------------------------------
  Rule    Perm    Type        Scope               Entity
  -------------------------------------------------------------------
  1       permit  read

Role: user1
  Description: This role does not allow users to use clear commands
  vsan policy: permit (default)
  Vlan policy: permit (default)
  Interface policy: permit (default)
  Vrf policy: permit (default)
  -------------------------------------------------------------------
  Rule    Perm    Type        Scope               Entity
  -------------------------------------------------------------------
  3       permit  command                         config t
  2       deny    read-write
  1       deny    command                         clear users

switch(config)# copy running-config startup-config
[########################################] 100%
switch(config)#

Creating Feature Groups

To create feature groups, perform this task:

 
Command
Purpose

Step 1 

switch# configure terminal

Enters configuration mode.

Step 2 

switch(config)# role feature-group name group-name

Specifies a user role feature group and enters role feature group configuration mode.

The group-name argument is a case-sensitive, alphanumeric character string with a maximum length of 32 characters.

Step 3 

switch(config-role-featuregrp)# exit

Exits role feature group configuration mode.

Step 4 

switch(config)# show role feature-group

(Optional) Displays the role feature group configuration.

Step 5 

switch(config)# copy running-config startup-config

(Optional) Copies the running configuration to the startup configuration.

Changing User Role Interface Policies

You can change a user role interface policy to limit the interfaces that the user can access. To change a user role interface policy, perform this task:

 
Command
Purpose

Step 1 

switch# configure terminal

Enters configuration mode.

Step 2 

switch(config)# role name role-name

Specifies a user role and enters role configuration mode.

Step 3 

switch(config-role)# rule number permit command configure terminal ; interface *

Configures a command rule to allow access to all interfaces.

Step 4 

switch(config-role)# interface policy deny

Enters role interface policy configuration mode.

Step 5 

switch(config-role-interface)# permit interface interface-list

Specifies a list of interfaces that the role can access.

Repeat this command for as many interfaces as needed.

For this command, you can specify Ethernet interfaces.

Step 6 

switch(config-role-interface)# exit

Exits role interface policy configuration mode.

Step 7 

switch(config-role)# show role

(Optional) Displays the role configuration.

Step 8 

switch(config-role)# copy running-config startup-config

(Optional) Copies the running configuration to the startup configuration.

The following example permits a single interface; repeat the command for as many interfaces as the role needs:

switch(config-role-interface)# permit interface ethernet 1/1

Changing User Role VLAN Policies

You can change a user role VLAN policy to limit the VLANs that the user can access. To change a user role VLAN policy, perform this task:

 
Command
Purpose

Step 1 

switch# configure terminal

Enters configuration mode.

Step 2 

switch(config)# role name role-name

Specifies a user role and enters role configuration mode.

Step 3 

switch(config-role)# rule number permit command configure terminal ; vlan *

Configures a command rule to allow access to all VLANs.

Step 4 

switch(config-role)# vlan policy deny

Enters role VLAN policy configuration mode.

Step 5 

switch(config-role-vlan)# permit vlan vlan-list

Specifies a range of VLANs that the role can access.

Repeat this command for as many VLANs as needed.

Step 6 

switch(config-role-vlan)# exit

Exits role VLAN policy configuration mode.

Step 7 

switch(config-role)# show role

(Optional) Displays the role configuration.

Step 8 

switch(config-role)# copy running-config startup-config

(Optional) Copies the running configuration to the startup configuration.

Verifying User Accounts and RBAC Configuration

To display user account and RBAC configuration information, perform one of these tasks:

Command
Purpose

switch# show role

Displays the user role configuration.

switch# show role feature

Displays the feature list.

switch# show role feature-group

Displays the feature group configuration.

switch# show startup-config security

Displays the user account configuration in the startup configuration.

switch# show running-config security [all]

Displays the user account configuration in the running configuration. The all keyword displays the default values for the user accounts.

switch# show user-account

Displays user account information.


Example User Accounts and RBAC Configuration

The following example shows how to configure a user role:

switch(config)# role name UserA
switch(config-role)# rule 3 permit command configure terminal ; vlan *
switch(config-role)# rule 2 permit read feature tacacs
switch(config-role)# rule 1 deny command clear *
switch(config-role)# exit

The following example shows how to configure a user role feature group:

switch(config)# role feature-group name Security-features
switch(config-role-featuregrp)# feature radius
switch(config-role-featuregrp)# feature tacacs
switch(config-role-featuregrp)# feature aaa

Default Settings

Table 22-1 lists the default settings for user accounts and RBAC parameters.

Table 22-1 Default User Accounts and RBAC Parameters 

Parameter                   Default
User account password       Undefined
User account expiry date    None
Interface policy            All interfaces are accessible
VLAN policy                 All VLANs are accessible