Configuring User Accounts and RBAC
This chapter describes how to configure user accounts and role-based access control (RBAC) on the Nexus 5000 Series switch.
Information About User Accounts and RBAC
You can create and manage user accounts and assign roles that limit access to operations on the Nexus 5000 Series switch. RBAC allows you to define the rules for an assigned role that restrict the authorization that the user has to access management operations.
This section includes the following topics:
- About User Accounts
- Characteristics of Strong Passwords
- About User Roles
- About Rules
- About User Role Policies
About User Accounts
Tip The following words are reserved and cannot be used to configure users: bin, daemon, adm, lp, sync, shutdown, halt, mail, news, uucp, operator, games, gopher, ftp, nobody, nscd, mailnull, rpc, rpcuser, xfs, gdm, mtsuser, ftpuser, man, and sys.
Note User passwords are not displayed in the configuration files.
Characteristics of Strong Passwords
A strong password has the following characteristics:
- At least eight characters long
- Does not contain many consecutive characters (such as “abcd”)
- Does not contain many repeating characters (such as “aaabbb”)
- Does not contain dictionary words
- Does not contain proper names
- Contains both uppercase and lowercase characters
- Contains numbers
The following are examples of strong passwords:
Note Clear text passwords can contain alphanumeric characters only. Special characters, such as the dollar sign ($) or the percent sign (%), are not allowed.
Tip If a password is trivial (such as a short, easy-to-decipher password), the Nexus 5000 Series switch will reject your password configuration. Be sure to configure a strong password as shown in the sample configuration. Passwords are case sensitive.
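As an added example that is not from this guide, the following Python checks a candidate clear-text password against the characteristics listed above and the alphanumeric-only restriction in the Note. The word list and proper-name list are constructed stand-ins for a real dictionary, and the run lengths used for "consecutive" and "repeating" are assumptions.

```python
import re

# Constructed stand-ins for a dictionary and a list of proper names (assumption).
WORDLIST = {"password", "cisco", "switch", "admin", "nexus", "secret"}
PROPER_NAMES = {"alice", "bob", "carol"}

def has_consecutive_run(pw, length=4):
    """True if `length` characters in a row step by one code point ("abcd", "1234")."""
    for i in range(len(pw) - length + 1):
        chunk = pw[i:i + length]
        if all(ord(chunk[j + 1]) - ord(chunk[j]) == 1 for j in range(length - 1)):
            return True
    return False

def has_repeating_run(pw, length=3):
    """True if any character repeats `length` or more times in a row ("aaa")."""
    return re.search(r"(.)\1{%d,}" % (length - 1), pw) is not None

def password_findings(pw):
    """Return the strong-password characteristics the candidate fails (empty = strong)."""
    findings = []
    # Clear-text passwords may contain alphanumeric characters only (Note above).
    if not re.fullmatch(r"[A-Za-z0-9]+", pw):
        findings.append("contains characters other than letters and digits")
    if len(pw) < 8:
        findings.append("shorter than eight characters")
    if has_consecutive_run(pw):
        findings.append("contains consecutive characters")
    if has_repeating_run(pw):
        findings.append("contains repeating characters")
    lowered = pw.lower()
    if any(word in lowered for word in WORDLIST):
        findings.append("contains a dictionary word")
    if any(name in lowered for name in PROPER_NAMES):
        findings.append("contains a proper name")
    if not (re.search(r"[a-z]", pw) and re.search(r"[A-Z]", pw)):
        findings.append("lacks both uppercase and lowercase characters")
    if not re.search(r"[0-9]", pw):
        findings.append("lacks numbers")
    return findings

if __name__ == "__main__":
    for candidate in ("Xq7Rt2Mp", "abcd1234", "Pa$$w0rd", "Cisco123"):
        print(candidate, "->", password_findings(candidate) or "strong")
```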
About User Roles
User roles contain rules that define the operations allowed for the user who is assigned the role. Each user role can contain multiple rules and each user can have multiple roles. For example, if role1 allows access only to configuration operations, and role2 allows access only to debug operations, then users who belong to both role1 and role2 can access configuration and debug operations. You can also limit access to specific VSANs, VLANs and interfaces.
The Nexus 5000 Series switch provides the following default user roles:
- network-admin (superuser)—Complete read and write access to the entire Nexus 5000 Series switch.
- network-operator—Complete read access to the Nexus 5000 Series switch.
Note If you belong to multiple roles, you can execute a combination of all the commands permitted by these roles. Access to a command takes priority over being denied access to a command. For example, suppose a user has RoleA, which denies access to the configuration commands. However, the user also has RoleB, which has access to the configuration commands. In this case, the user has access to the configuration commands.
About Rules
The rule is the basic element of a role. A rule defines what operations the role allows the user to perform. You can apply rules for the following parameters:
- Command—A command or group of commands defined in a regular expression.
- Feature—Commands that apply to a function provided by the Nexus 5000 Series switch.
  – Enter the show role feature command to display the feature names available for this parameter.
- Feature group—A group of related features.
  – Enter the show role feature-group command to display the default feature groups available for this parameter.
These parameters create a hierarchical relationship. The most basic control parameter is the command. The next control parameter is the feature, which represents all commands associated with the feature. The last control parameter is the feature group. The feature group combines related features and allows you to easily manage the rules.
You can configure up to 256 rules for each role. The user-specified rule number determines the order in which the rules are applied. Rules are applied in descending order. For example, if a role has three rules, rule 3 is applied before rule 2, which is applied before rule 1.
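To make the two precedence rules concrete (within a role, rules are applied in descending number order; across roles, access takes priority over denial, as the Note in "About User Roles" states), here is an added Python model. It is not NX-OS code and not from this guide: the feature table, first-match-wins evaluation, the implicit deny when no rule matches, the treatment of show commands as read operations, and the roles themselves are assumptions modelled on the UserA example later in this chapter.

```python
import re
from dataclasses import dataclass

# Constructed feature table (assumption): feature name -> regex of the commands it covers.
FEATURES = {
    "router-bgp": r"^(show )?router bgp\b",
    "interface": r"^(show )?interface\b",
}

@dataclass(frozen=True)
class Rule:
    number: int
    action: str        # "permit" or "deny"
    access: str        # "command", "read" or "read-write"
    target: str = ""   # regex for access "command"; feature name for read/read-write

def rule_matches(rule, command):
    """Does this rule cover the CLI command? (show commands count as read; assumption)"""
    is_read = command.startswith("show ")
    if rule.access == "command":
        return re.search(rule.target, command) is not None
    if rule.access == "read" and not is_read:
        return False                   # a read rule never covers a write operation
    if rule.target:                    # read/read-write rule limited to one feature
        return re.search(FEATURES[rule.target], command) is not None
    return True                        # unscoped read or read-write rule

def role_allows(rules, command):
    """Rules are applied in descending rule-number order; the first match decides
    (first-match-wins and implicit deny are modelling assumptions)."""
    for rule in sorted(rules, key=lambda r: r.number, reverse=True):
        if rule_matches(rule, command):
            return rule.action == "permit"
    return False

def user_allows(roles, command):
    """Across roles, access to a command takes priority over being denied it."""
    return any(role_allows(rules, command) for rules in roles)

# Constructed roles (assumption), modelled on the UserA example in this chapter.
OPERATOR = [Rule(1, "permit", "read")]                          # all show commands
BGP_VIEWER = [Rule(1, "deny", "read-write"),                    # rule 1: deny everything ...
              Rule(2, "permit", "read", "router-bgp")]          # rule 2: ... except BGP reads
BGP_VIEWER_SWAPPED = [Rule(2, "deny", "read-write"),            # same rules, numbers swapped:
                      Rule(1, "permit", "read", "router-bgp")]  # the deny is now applied first

if __name__ == "__main__":
    print(role_allows(BGP_VIEWER, "show router bgp"))                           # True
    print(role_allows(BGP_VIEWER_SWAPPED, "show router bgp"))                   # False
    print(user_allows([OPERATOR, BGP_VIEWER], "show interface ethernet 1/1"))  # True
```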
About User Role Policies
You can define user role policies to limit the switch resources that the user can access. You can define user role policies to limit access to interfaces, VLANs and VSANs.
User role policies are constrained by the rules defined for the role. For example, if you define an interface policy to permit access to specific interfaces, the user will not have access to the interfaces unless you configure a command rule for the role to permit the interface command. The “Changing User Role Interface Policies” section contains an example configuration.
If a command rule permits access to specific resources (interfaces, VLANs or VSANs), the user is permitted to access these resources, even if they are not listed in the user role policies associated with that user.
Guidelines and Limitations
User account and RBAC have the following configuration guidelines and limitations:
- You can add up to 256 rules to a user role.
- You can assign a maximum of 64 user roles to a user account.
Note If you are familiar with the Cisco IOS CLI, be aware that the Cisco NX-OS commands for this feature might differ from the Cisco IOS commands that you would use.
Note A user account must have at least one user role.
Configuring User Accounts
You can create a maximum of 256 user accounts on a Nexus 5000 Series switch. User accounts have the following attributes:
User accounts can have a maximum of 64 user roles. For more information on user roles, see the “Configuring RBAC” section.
Note Changes to user account attributes do not take effect until the user logs in and creates a new session.
To configure a user account, perform this task:
| Command | Purpose |
|---|---|
| switch# show role | (Optional) Displays the user roles available. You can configure other user roles, if necessary (see the “Creating User Roles and Rules” section). |
| switch(config)# username user-id [ password password ] [ expire date ] [ role role-name ] | Configures a user account. The user-id argument is a case-sensitive, alphanumeric character string with a maximum length of 28 characters. The default password is undefined. Note If you do not specify a password, the user might not be able to log in to the Nexus 5000 Series switch. The expire date option format is YYYY-MM-DD. The default is no expiry date. |
| switch(config)# copy running-config startup-config | (Optional) Copies the running configuration to the startup configuration. |
The following example shows how to configure a user account:
Configuring RBAC
This section includes the following topics:
Creating User Roles and Rules
Each user role can have up to 256 rules. You can assign a user role to more than one user account.
The rule number you specify determines the order in which the rules are applied. Rules are applied in descending order. For example, if a role has three rules, rule 3 is applied before rule 2, which is applied before rule 1.
To create user roles and specify rules, perform this task:
The following example shows how to create user roles and specify rules:
switch(config)# role name UserA
switch(config-role)# rule deny command clear users
switch(config-role)# rule deny read-write
switch(config-role)# rule permit read feature router-bgp
switch(config-role)# rule deny read-write L3
switch(config-role)# description This role does not allow users to use clear commands
Creating Feature Groups
To create feature groups, perform this task:
Changing User Role Interface Policies
You can change a user role interface policy to limit the interfaces that the user can access. To change a user role interface policy, perform this task:
You can specify a list of interfaces that the role can access. You can specify it for as many interfaces as needed:
switch(config-role-interface)# permit interface ethernet 2/1
Changing User Role VLAN Policies
You can change a user role VLAN policy to limit the VLANs that the user can access. To change a user role VLAN policy, perform this task:
| Command | Purpose |
|---|---|
| switch(config-role)# rule number permit command configure terminal ; vlan * | Adds a command rule that permits the vlan configuration command. Without such a rule, the user cannot reach the VLANs that the VLAN policy permits (see the “About User Role Policies” section). |
| switch(config)# copy running-config startup-config | (Optional) Copies the running configuration to the startup configuration. |
Changing User Role VSAN Policies
You can change a user role VSAN policy to limit the VSANs that the user can access.
To change a user role VSAN policy, perform this task:
| Command | Purpose |
|---|---|
| switch(config-role)# rule number permit command vsan database; vsan * | Adds a command rule that permits the vsan configuration command. Without such a rule, the user cannot reach the VSANs that the VSAN policy permits (see the “About User Role Policies” section). |
| switch(config)# copy running-config startup-config | (Optional) Copies the running configuration to the startup configuration. |
Verifying User Accounts and RBAC Configuration
To display user account and RBAC configuration information, perform one of the following tasks:
Example User Accounts and RBAC Configuration
The following example shows how to configure a user role:
The following example shows how to configure a user role feature group:
Default Settings
Table 1-1 lists the default settings for user accounts and RBAC parameters.