Configuring User Accounts and RBAC
This chapter describes how to configure user accounts and role-based access control (RBAC) on the Cisco 1000 Series Connected Grid Routers (hereafter referred to as Cisco CG-OS router).
Information About User Accounts and RBAC
You can create and manage user accounts and assign roles that limit access to operations on the Cisco CG-OS router. RBAC allows you to define the rules for and assign roles that restrict the authorization that the user has to access management operations.
This section includes the following topics:
About User Accounts
You can configure up to a maximum of 256 user accounts. Cisco CG-OS provides one default user account: admin .
By default, the user account does not expire unless you explicitly configure it to expire. The expire option determines the date when Cisco CG-OS disables the user account.
Tip The following words are reserved and cannot be used to configure users: bin, daemon, adm, lp, sync, shutdown, halt, mail, news, uucp, operator, games, gopher, ftp, nobody, nscd, mailnull, root, rpc, rpcuser, xfs, gdm, mtsuser, ftpuser, man, and sys.
Characteristics of Strong Passwords
A strong password has the following characteristics:
- At least eight characters long
- Does not contain many consecutive characters (such as “abcd”)
- Does not contain many repeating characters (such as “aaabbb”)
- Does not contain dictionary words
- Does not contain proper names
- Contains both uppercase and lowercase characters
- Contains numbers
The following are examples of strong passwords:
Note Please note these important notes about passwords on the Cisco CG-OS router:
- User passwords are not displayed in the configuration files.
- Clear text passwords cannot contain dollar signs ($) or spaces anywhere in the password. Also, they cannot include these special characters at the beginning of the password: quotation marks (" or '), vertical bars (|), or right angle brackets (>).
- When a password is trivial (such as a short, easy-to-decipher password), Cisco CG-OS rejects the password configuration when password-strength checking is enabled. (See Enabling Password-Strength Checking.) Be sure to configure a strong password as shown in the sample configuration. Passwords are case sensitive.
About User Roles
User roles contain rules that define the operations allowed for the user who is assigned the role. Each user role can contain multiple rules and each user can have multiple roles. For example, if role1 allows access only to configuration operations, and role2 allows access only to debug operations, then users who belong to both role1 and role2 can access configuration and debug operations. You can also change a user role interface policy to limit the interfaces that the user can access.
Cisco CG-OS provides four default user roles within the default VDC:
- network-admin—Complete read-and-write access to the entire Cisco CG-OS router
- network-operator—Complete read access to the entire Cisco CG-OS router
- vdc-admin—Read-and-write access limited to a VDC (in this case, the default VDC)
- vdc-operator—Read access limited to a VDC (in this case, the default VDC)
Note You cannot change the default user roles.
You can create custom roles within the default VDC. By default, the user roles that you create allow access only to the show , exit , end , and configure terminal commands.You must add rules to allow users to display or configure features.
Note When you belong to multiple roles, you can execute a combination of all the commands permitted by these roles. Access to a command takes priority over being denied access to a command. For example, suppose a user has RoleA, which denied access to the configuration commands. However, the user also has RoleB, which has access to the configuration commands. In this case, the user has access to the configuration commands.
About User Role Rules
The rule is the basic element of a role. A rule defines what operations the role allows the user to perform. You can apply rules for the following parameters:
- Command—A command or group of commands defined in a regular expression
- Feature—Commands that apply to a function provided by Cisco CG-OS
- Feature group—Default or user-defined group of features
These parameters create a hierarchical relationship. The most basic control parameter is the command. The next control parameter is the feature, which represents all commands associated with the feature. The last control parameter is the feature group. The feature group combines related features and allows you to easily manage the rules. Cisco CG-OS also supports the predefined feature group L3 that you can use.
You can configure up to 256 rules for each role.
The user-specified rule number determines the order in which the rules are applied. Rules are applied in descending order. For example, when a role has three rules, rule 3 is applied before rule 2, which is applied before rule 1.
Guidelines and Limitations
You can configure up to 256 user accounts on the Cisco CG-OS router.
If you have a user account configured on the local Cisco CG-OS router that has the same name as a remote user account on an AAA server, Cisco CG-OS applies the user roles for the local user account to the remote user, not the user roles configured on the AAA server.
You cannot delete the default admin user account.
You cannot remove the default user roles from the default admin user account.
Note A user account must have at least one user role.
You can create up to 64 user-defined roles on the Cisco CG-OS router in addition to the four default user roles (network-admin, vdc-admin, network-operator, and vdc-operator).You cannot change the default user roles.
You can add up to 256 rules to a user role.
You can assign a maximum of 64 user roles to a user account.
You can add up to 64 user-defined feature groups on the Cisco CG-OS router in addition to the default feature group, L3.
Default Settings
Table 7-1 lists the default settings for user accounts and RBAC parameters.
Enabling Password-Strength Checking
You can enable password-strength checking, which prevents you from creating weak passwords for user accounts. For information about strong passwords, see Characteristics of Strong Passwords.
By default, this option is enabled on the Cisco CG-OS router.
DETAILED STEPS
Configuring User Accounts
You can create a maximum of 256 user accounts on a Cisco CG-OS router. User accounts have the following attributes:
You can enter the password in clear text format or encrypted format for the Cisco CG-OS router. The password encrypts clear text passwords before saving them to the running configuration. Encrypted format passwords are saved to the running configuration without further encryption.
User accounts can have a maximum of 64 user roles. For more information on user roles, see Configuring Roles.
Note The Cisco CG-OS router only supports the default VDC. The Cisco CG-OS router does not support multiple VDCs.
Note Changes to user account attributes do not take effect until the user logs in and creates a new session.
Note You cannot delete the default admin user account. You can create another account with the network-admin or vdc-admin role.
DETAILED STEPS
(Optional) Displays the user roles available. You can configure other user roles, if necessary. (See Creating User Roles and Rules.) |
||
username user-id [ password [ 0 | 5 ] password ] [ expire date ] [ role role-name ] |
Configures a user account. User accounts can have a maximum of 64 user roles. user-id –Case-sensitive, alphanumeric character string with a maximum length of 28 characters. password –Default password is undefined. The 0 option indicates that the password is clear text and the 5 option indicates that the password is encrypted. The default is 0 (clear text). Note If you do not specify a password, the user might not be able to log in to the |
|
(Optional) Copies the running configuration to the startup configuration. |
Configuring Roles
This section includes the following topics:
- Creating User Roles and Rules
- Creating Feature Groups
- Changing User Role Interface Policies
- Verifying Configuration
Creating User Roles and Rules
You can configure up to 64 user roles. Each user role can have up to 256 rules. You can assign a user role to more that one user account.
The rule number that you specify determines the order in which the rules are applied. Cisco CG-OS applies the rules in descending order. For example, when a role has three rules, rule 3 is applied before rule 2, which is applied before rule 1.
DETAILED STEPS
Creating Feature Groups
You can create custom feature groups to add to the default list of features provided by Cisco CG-OS. These groups contain one or more of the features. You can create up to 64 feature groups on the
Cisco CG-OS router.
Note You cannot change the default feature group L3.
DETAILED STEPS
EXAMPLE
This example shows how to create the custom feature group GroupA to expand the default list of features provided by Cisco CG-OS.
router_cgr01(config-role-featuregrp)# feature abc
router_cgr01(config-role-featuregrp)# copy running-config startup-config
Changing User Role Interface Policies
You can change a user role interface policy to limit the interfaces that the user can access. By default, a user role (unless specifically configured otherwise) allows a user to have access to all interfaces on the Cisco CG-OS router.
Note You cannot change the default roles network-admin, network-operator, vdc-admin, and vdc-operator.
BEFORE YOU BEGIN
Create one or more user roles. (See Creating User Roles and Rules.)
DETAILED STEPS
Verifying Configuration
To display user account and RBAC configuration information, enter any or all of the following commands:
Feedback