U Commands

This chapter describes the Cisco NX-OS security commands that begin with U.

use-vrf

To specify a virtual routing and forwarding (VRF) instance for a RADIUS or TACACS+ server group, use the use-vrf command. To remove the VRF instance, use the no form of this command.

use-vrf { vrf-name | default | management }

no use-vrf { vrf-name | default | management }

 
Syntax Description

vrf-name

VRF instance name. The name is case sensitive and can be a maximum of 32 alphanumeric characters.

default

Specifies the default VRF.

management

Specifies the management VRF.

 
Command Default

None

 
Command Modes

RADlUS server group configuration mode
TACACS+ server group configuration mode

 
Command History

Release
Modification

6.0(2)N1(1)

This command was introduced.

 
Usage Guidelines

You can configure only one VRF instance for a server group.

Use the aaa group server radius command RADIUS server group configuration mode or the aaa group server tacacs+ command to enter TACACS+ server group configuration mode.

If the server is not found, use the radius-server host command or tacacs-server host command to configure the server.

You must use the feature tacacs+ command before you configure TACACS+.

Examples

This example shows how to specify a VRF instance for a RADIUS server group:

switch(config)# aaa group server radius RadServer
switch(config-radius)# use-vrf management
 

This example shows how to specify a VRF instance for a TACACS+ server group:

switch(config)# aaa group server tacacs+ TacServer
switch(config-tacacs+)# use-vrf management
 

This example shows how to remove the VRF instance from a TACACS+ server group:

switch(config)# aaa group server tacacs+ TacServer
switch(config-tacacs+)# no use-vrf management
 

 
Related Commands

Command
Description

aaa group server

Configures AAA server groups.

feature tacacs+

Enables TACACS+.

radius-server host

Configures a RADIUS server.

show radius-server groups

Displays RADIUS server information.

show tacacs-server groups

Displays TACACS+ server information.

tacacs-server host

Configures a TACACS+ server.

vrf

Configures a VRF instance.

username

To create and configure a user account, use the username command. To remove a user account, use the no form of this command.

username user-id [ expire date ] [ password { 0 | 5 } password ] [ role role-name ] [ priv-lvl level ]

username user-id sshkey { key | filename filename }

no username user-id

 
Syntax Description

user-id

User identifier for the user account. The user-id argument is a case-sensitive, alphanumeric character string with a maximum length of 28 characters.

Note The Cisco NX-OS software does not allowed the “#” and “@” characters in the user-id argument text string.

expire date

(Optional) Specifies the expire date for the user account. The format for the date argument is YYYY-MM-DD.

password

(Optional) Specifies a password for the account. The default is no password.

0

Specifies that the password that follows should be in clear text. This is the default mode.

5

Specifies that the password that follows should be encrypted.

password

Password for the user (clear text). The password can be a maximum of 64 characters.

Note Clear text passwords cannot contain dollar signs ($) or spaces anywhere in the password. Also, they cannot include these special characters at the beginning of the password: quotation marks (“ or ‘), vertical bars (|), or right angle brackets (>).

role role-name

(Optional) Specifies the role which the user is to be assigned to. Valid values are as follows:

  • default-role —User role
  • network-admin —System configured role
  • network-operator —System configured role
  • priv-0 —Privilege role
  • priv-1 —Privilege role
  • priv-2 —Privilege role
  • priv-3 —Privilege role
  • priv-4 —Privilege role
  • priv-5 —Privilege role
  • priv-6 —Privilege role
  • priv-7 —Privilege role
  • priv-8 —Privilege role
  • priv-9 —Privilege role

 
  • priv-10 —Privilege role
  • priv-11 —Privilege role
  • priv-12 —Privilege role
  • priv-13 —Privilege role
  • priv-14 —Privilege role
  • priv-15 —Privilege role
  • vdc-admin —System configured role
  • vdc-operator —System configured role

priv-lvl level

(Optional) Specifies the privilege level to assign the user. Valid values are from 0 to 15.

sshkey

(Optional) Specifies an SSH key for the user account.

key

SSH key string.

filename filename

Specifies the name of a file that contains the SSH key string.

 
Command Default

No expiration date, password, or SSH key.

 
Command Modes

Global configuration mode

 
Command History

Release
Modification

6.0(2)N1(1)

This command was introduced.

 
Usage Guidelines

The switch accepts only strong passwords. The characteristics of a strong password include the following:

  • At least eight characters long
  • Does not contain many consecutive characters (such as “abcd”)
  • Does not contain many repeating characters (such as “aaabbb”)
  • Does not contain dictionary words
  • Does not contain proper names
  • Contains both uppercase and lowercase characters
  • Contains numbers
Caution If you do not specify a password for the user account, the user might not be able to log in to the account.

You must enable the cumulative privilege roles for TACACS+ server using the feature privilege command to see the priv-lvl keyword.

Examples

This example shows how to create a user account with a password:

switch(config)# username user1 password Ci5co321
switch(config)#
 

This example shows how to configure the SSH key for a user account:

switch(config)# username user1 sshkey file bootflash:key_file
switch(config)#
 

This example shows how to configure the privilege level for a user account:

switch(config)# username user1 priv-lvl 15
switch(config)#
 

 
Related Commands

Command
Description

feature privilege

Enables the cumulative privilege of roles for command authorization on TACACS+ servers.

show privilege

Displays the current privilege level, username, and status of cumulative privilege support for a user.

show user-account

Displays the user account configuration.