U Commands
This chapter describes the Cisco NX-OS security commands that begin with U.
use-vrf
To specify a virtual routing and forwarding (VRF) instance for a RADIUS or TACACS+ server group, use the use-vrf command. To remove the VRF instance, use the no form of this command.
use-vrf { vrf-name | default | management }
no use-vrf { vrf-name | default | management }
Syntax Description
vrf-name | VRF instance name. The name is case sensitive and can be a maximum of 32 alphanumeric characters.
default | Specifies the default VRF.
management | Specifies the management VRF.
Command Modes
RADIUS server group configuration mode
TACACS+ server group configuration mode
Command History
6.0(2)N1(1) | This command was introduced.
Usage Guidelines
You can configure only one VRF instance for a server group.
Use the aaa group server radius command to enter RADIUS server group configuration mode or the aaa group server tacacs+ command to enter TACACS+ server group configuration mode.
If the server is not found, use the radius-server host command or tacacs-server host command to configure the server.
You must use the feature tacacs+ command before you configure TACACS+.
Examples
This example shows how to specify a VRF instance for a RADIUS server group:
switch(config)# aaa group server radius RadServer
switch(config-radius)# use-vrf management
This example shows how to specify a VRF instance for a TACACS+ server group:
switch(config)# aaa group server tacacs+ TacServer
switch(config-tacacs+)# use-vrf management
This example shows how to remove the VRF instance from a TACACS+ server group:
switch(config)# aaa group server tacacs+ TacServer
switch(config-tacacs+)# no use-vrf management
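To review a saved configuration for the settings described above, the following added example (not part of the Cisco reference) reports each AAA server group's use-vrf value and whether feature tacacs+ appears before a TACACS+ group. The function name, the indented running-config layout of the constructed sample, and management as the expected VRF are assumptions.

```python
import re

GROUP = re.compile(r"aaa group server (radius|tacacs\+) (\S+)")

def audit_aaa_vrf(config, expected_vrf="management"):
    """Return {(protocol, group): [findings]} for every AAA server group."""
    tacacs_enabled = False
    vrfs = {}        # (protocol, group) -> VRF name, or None if no use-vrf line
    findings = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        header = GROUP.fullmatch(line)
        if line == "feature tacacs+":
            tacacs_enabled = True
        if header:
            current = header.groups()
            vrfs.setdefault(current, None)
            findings.setdefault(current, [])
            if current[0] == "tacacs+" and not tacacs_enabled:
                findings[current].append("feature tacacs+ not enabled before this group")
        elif current and raw[:1].isspace():
            vrf = re.fullmatch(r"use-vrf (\S+)", line)
            if vrf:
                vrfs[current] = vrf.group(1)   # a group holds one VRF: keep the latest line
        elif line:
            current = None                     # left the server-group block
    for group, vrf in vrfs.items():
        if vrf is None:
            findings[group].append("no use-vrf line")
        elif vrf != expected_vrf:
            findings[group].append(f"use-vrf {vrf}, expected {expected_vrf}")
    return findings

# Constructed sample configuration (assumed layout, documentation address).
SAMPLE = """\
feature tacacs+
aaa group server radius RadServer
    use-vrf management
aaa group server tacacs+ TacServer
    use-vrf default
aaa group server radius Branch
    server 192.0.2.10
"""

if __name__ == "__main__":
    for group, notes in audit_aaa_vrf(SAMPLE).items():
        print(group, notes or "ok")
```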
Related Commands
aaa group server | Configures AAA server groups.
feature tacacs+ | Enables TACACS+.
radius-server host | Configures a RADIUS server.
show radius-server groups | Displays RADIUS server information.
show tacacs-server groups | Displays TACACS+ server information.
tacacs-server host | Configures a TACACS+ server.
vrf | Configures a VRF instance.
username
To create and configure a user account, use the username command. To remove a user account, use the no form of this command.
username user-id [ expire date ] [ password { 0 | 5 } password ] [ role role-name ] [ priv-lvl level ]
username user-id sshkey { key | filename filename }
no username user-id
Syntax Description
user-id | User identifier for the user account. The user-id argument is a case-sensitive, alphanumeric character string with a maximum length of 28 characters. Note: The Cisco NX-OS software does not allow the “#” and “@” characters in the user-id argument text string.
expire date | (Optional) Specifies the expire date for the user account. The format for the date argument is YYYY-MM-DD.
password | (Optional) Specifies a password for the account. The default is no password.
0 | Specifies that the password that follows should be in clear text. This is the default mode.
5 | Specifies that the password that follows should be encrypted.
password | Password for the user (clear text). The password can be a maximum of 64 characters. Note: Clear text passwords cannot contain dollar signs ($) or spaces anywhere in the password. Also, they cannot include these special characters at the beginning of the password: quotation marks (“ or ‘), vertical bars (|), or right angle brackets (>).
role role-name | (Optional) Specifies the role to which the user is to be assigned. Valid values are as follows:
- default-role —User role
- network-admin —System configured role
- network-operator —System configured role
- priv-0 —Privilege role
- priv-1 —Privilege role
- priv-2 —Privilege role
- priv-3 —Privilege role
- priv-4 —Privilege role
- priv-5 —Privilege role
- priv-6 —Privilege role
- priv-7 —Privilege role
- priv-8 —Privilege role
- priv-9 —Privilege role
- priv-10 —Privilege role
- priv-11 —Privilege role
- priv-12 —Privilege role
- priv-13 —Privilege role
- priv-14 —Privilege role
- priv-15 —Privilege role
- vdc-admin —System configured role
- vdc-operator —System configured role
priv-lvl level | (Optional) Specifies the privilege level to assign the user. Valid values are from 0 to 15.
sshkey | (Optional) Specifies an SSH key for the user account.
key | SSH key string.
filename filename | Specifies the name of a file that contains the SSH key string.
Command Default
No expiration date, password, or SSH key.
Command Modes
Global configuration mode
Command History
6.0(2)N1(1) | This command was introduced.
Usage Guidelines
The switch accepts only strong passwords. The characteristics of a strong password include the following:
- At least eight characters long
- Does not contain many consecutive characters (such as “abcd”)
- Does not contain many repeating characters (such as “aaabbb”)
- Does not contain dictionary words
- Does not contain proper names
- Contains both uppercase and lowercase characters
- Contains numbers
Caution: If you do not specify a password for the user account, the user might not be able to log in to the account.
To see the priv-lvl keyword, you must first use the feature privilege command to enable the cumulative privilege of roles for TACACS+ servers.
Examples
This example shows how to create a user account with a password:
switch(config)# username user1 password Ci5co321
This example shows how to configure the SSH key for a user account:
switch(config)# username user1 sshkey file bootflash:key_file
This example shows how to configure the privilege level for a user account:
switch(config)# username user1 priv-lvl 15
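The limits in the syntax description and the strong-password list above can be checked before a username command is sent to a switch. This Python lint is an added example, not Cisco code: the function names and the run thresholds (four consecutive, three repeating characters) are assumptions, it expects a clear-text (type 0) password, and it does not check dictionary words or proper names.

```python
import re
from datetime import date

# Roles from the syntax description; priv-0..priv-15 are generated.
ROLES = {"default-role", "network-admin", "network-operator",
         "vdc-admin", "vdc-operator"} | {f"priv-{n}" for n in range(16)}

def has_run(text, length, step):
    """True if `length` adjacent characters each differ by `step` code points
    (step=1 finds "abcd", step=0 finds "aaa")."""
    streak = 1
    for prev, cur in zip(text, text[1:]):
        streak = streak + 1 if ord(cur) - ord(prev) == step else 1
        if streak >= length:
            return True
    return False

def lint_username(user_id, password=None, role=None, priv_lvl=None, expire=None):
    """Return the documented rules that a planned `username` command breaks."""
    bad = []
    if len(user_id) > 28:
        bad.append("user-id: more than 28 characters")
    if "#" in user_id or "@" in user_id:
        bad.append("user-id: contains '#' or '@'")
    if password is not None:
        checks = [
            (len(password) > 64, "more than 64 characters"),
            ("$" in password or " " in password, "contains '$' or a space"),
            (password.startswith(('"', "'", "|", ">")), "starts with a quote, '|' or '>'"),
            (len(password) < 8, "fewer than eight characters"),
            (not (re.search("[a-z]", password) and re.search("[A-Z]", password)),
             "needs both uppercase and lowercase characters"),
            (not re.search(r"\d", password), "needs a number"),
            # Assumed thresholds: the page says "many" and shows "abcd" / "aaabbb".
            (has_run(password, 4, 1), "consecutive characters"),
            (has_run(password, 3, 0), "repeating characters"),
        ]
        bad += [f"password: {msg}" for failed, msg in checks if failed]
    if role is not None and role not in ROLES:
        bad.append(f"role: {role!r} is not a listed role")
    if priv_lvl is not None and not 0 <= priv_lvl <= 15:
        bad.append("priv-lvl: outside 0 to 15")
    if expire is not None:
        try:
            if not re.fullmatch(r"\d{4}-\d{2}-\d{2}", expire):
                raise ValueError(expire)
            date.fromisoformat(expire)      # rejects dates such as 2025-13-01
        except ValueError:
            bad.append("expire: not a valid YYYY-MM-DD date")
    return bad
```

The switch remains the authority on what it accepts; the lint only catches the documented rules early, for example in a change-review pipeline.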
Related Commands
feature privilege | Enables the cumulative privilege of roles for command authorization on TACACS+ servers.
show privilege | Displays the current privilege level, username, and status of cumulative privilege support for a user.
show user-account | Displays the user account configuration.