U Commands
This chapter describes the Cisco NX-OS security commands that begin with U.
use-vrf
To specify a virtual routing and forwarding instance (VRF) name for a RADIUS, TACACS+, or LDAP server group, use the use-vrf command. To remove the VRF name, use the no form of this command.
use-vrf vrf-name
no use-vrf vrf-name
Syntax Description
Defaults
None
Command Modes
RADIUS server group configuration
TACACS+ server group configuration
LDAP server group configuration
Supported User Roles
network-admin
vdc-admin
Command History
Release Modification
5.0(2) Added support for LDAP server groups.
4.0(1) This command was introduced.
Usage Guidelines
You can configure only one VRF instance for a server group.
Use the aaa group server radius command to enter RADIUS server group configuration mode, the aaa group server tacacs+ command to enter TACACS+ server group configuration mode, or the aaa group server ldap command to enter LDAP server group configuration mode.
If the server is not found, use the radius-server host command, the tacacs-server host command, or the ldap-server host command to configure the server.
Note You must use the feature tacacs+ command before you configure TACACS+ or the feature ldap command before you configure LDAP.
This command does not require a license.
Examples
This example shows how to specify a VRF name for a RADIUS server group:
switch# config t
switch(config)# aaa group server radius RadServer
switch(config-radius)# use-vrf vrf1
This example shows how to specify a VRF name for a TACACS+ server group:
switch# config t
switch(config)# feature tacacs+
switch(config)# aaa group server tacacs+ TacServer
switch(config-tacacs+)# use-vrf vrf2
This example shows how to remove the VRF name from a TACACS+ server group:
switch# config t
switch(config)# feature tacacs+
switch(config)# aaa group server tacacs+ TacServer
switch(config-tacacs+)# no use-vrf vrf2
This example shows how to specify a VRF name for an LDAP server group:
switch# config t
switch(config)# feature ldap
switch(config)# aaa group server ldap LdapServer
switch(config-ldap)# use-vrf vrf3
This example shows how to remove the VRF name from an LDAP server group:
switch# config t
switch(config)# feature ldap
switch(config)# aaa group server ldap LdapServer
switch(config-ldap)# no use-vrf vrf3
Related Commands
user-certdn-match
To configure the attribute name, search filter, and base-DN for the certificate DN match search operation in order to send a search query to the Lightweight Directory Access Protocol (LDAP) server, use the user-certdn-match command. To disable this configuration, use the no form of this command.
user-certdn-match attribute-name attribute-name search-filter filter base-DN base-DN-name
no user-certdn-match
Syntax Description
Defaults
None
Command Modes
LDAP search map configuration
Supported User Roles
network-admin
vdc-admin
Command History
Usage Guidelines
To use this command, you must enable LDAP.
This command does not require a license.
Examples
This example shows how to configure the attribute name, search filter, and base-DN for the certificate DN match search operation in order to send a search query to the LDAP server:
switch# conf t
switch(config)# ldap search-map s0
switch(config-ldap-search-map)# user-certdn-match attribute-name certificateDN search-filter (&(objectClass=inetOrgPerson)(cn=$userid)) base-DN dc=acme,dc=com
switch(config-ldap-search-map)#
Related Commands
Command Description
feature ldap
Enables LDAP.
ldap search-map
Configures an LDAP search map.
show ldap-search-map
Displays the configured LDAP search maps.
user-pubkey-match
To configure the attribute name, search filter, and base-DN for the public key match search operation in order to send a search query to the Lightweight Directory Access Protocol (LDAP) server, use the user-pubkey-match command. To disable this configuration, use the no form of this command.
user-pubkey-match attribute-name attribute-name search-filter filter base-DN base-DN-name
no user-pubkey-match
Syntax Description
Defaults
None
Command Modes
LDAP search map configuration
Supported User Roles
network-admin
vdc-admin
Command History
Usage Guidelines
To use this command, you must enable LDAP.
This command does not require a license.
Examples
This example shows how to configure the attribute name, search filter, and base-DN for the public key match search operation in order to send a search query to the LDAP server:
switch# conf t
switch(config)# ldap search-map s0
switch(config-ldap-search-map)# user-pubkey-match attribute-name sshPublicKey search-filter (&(objectClass=inetOrgPerson)(cn=$userid)) base-DN dc=acme,dc=com
switch(config-ldap-search-map)#
Related Commands
Command Description
feature ldap
Enables LDAP.
ldap search-map
Configures an LDAP search map.
show ldap-search-map
Displays the configured LDAP search maps.
user-switch-bind
To configure the attribute name, search filter, and base-DN for the user-switchgroup search operation in order to send a search query to the Lightweight Directory Access Protocol (LDAP) server, use the user-switch-bind command. To disable this configuration, use the no form of this command.
user-switch-bind attribute-name attribute-name search-filter filter base-DN base-DN-name
no user-switch-bind
Syntax Description
Defaults
None
Command Modes
LDAP search map configuration
Supported User Roles
network-admin
vdc-admin
Command History
Usage Guidelines
To use this command, you must enable LDAP.
This command does not require a license.
Examples
This example shows how to configure the attribute name, search filter, and base-DN for the user-switchgroup search operation in order to send a search query to the LDAP server:
switch# conf t
switch(config)# ldap search-map s0
switch(config-ldap-search-map)# user-switch-bind attribute-name memberuid search-filter (&(objectClass=posixGroup)(cn=dcgroup)) base-DN dc=acme,dc=com
switch(config-ldap-search-map)#
Related Commands
Command Description
feature ldap
Enables LDAP.
ldap search-map
Configures an LDAP search map.
show ldap-search-map
Displays the configured LDAP search maps.
username
To create and configure a user account in a virtual device context (VDC), use the username command. To remove a user account, use the no form of this command.
username user-id [expire date] [password [0 | 5] password] [role role-name]
username user-id [sshkey {key | file filename}]
username user-id [keypair generate {rsa [bits [force]] | dsa [force]}]
username user-id [keypair {export | import} {bootflash:filename | volatile:filename} {rsa | dsa} [force]]
username user-id [priv-lvl n] [expire date] [password [0 | 5] password]
no username user-id
Syntax Description
Defaults
Unless specified, usernames have no expire date, password, or SSH key.
In the default VDC, the default role is network-operator if the creating user has the network-admin role, or the default role is vdc-operator if the creating user has the vdc-admin role.
In nondefault VDCs, the default user role is vdc-operator.
You cannot delete the default admin user role. Also, you cannot change the expire date or remove the network-admin role for the default admin user role.
To specify privilege levels, you must enable the cumulative privilege of roles for command authorization on TACACS+ servers using the feature privilege command. There is no default privilege level.
This command does not require a license.
Command Modes
Global configuration
Supported User Roles
network-admin
vdc-admin
Command History
Usage Guidelines
The Cisco NX-OS software creates two default user accounts in the VDC: admin and adminbackup. The nondefault VDCs have one default user account: admin. You cannot remove a default user account.
User accounts are local to the VDCs. You can create user accounts with the same user identifiers in different VDCs.
Caution The Cisco NX-OS software does not support all-numeric usernames, whether they are created on a TACACS+ or RADIUS server or locally. Local users with all-numeric names cannot be created. If an all-numeric username exists on an AAA server and is entered during login, the user is not logged in.
The Cisco NX-OS software accepts only strong passwords when you have password-strength checking enabled using the password strength-check command. The characteristics of a strong password include the following:
•At least eight characters long
•Does not contain many consecutive characters (such as "abcd")
•Does not contain many repeating characters (such as "aaabbb")
•Does not contain dictionary words
•Does not contain proper names
•Contains both uppercase and lowercase characters
•Contains numbers
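The seven characteristics above, implemented as a checker (an added example, not Cisco's own password strength-check code). The page does not define how many characters count as "many", so a run of four or more consecutive characters and three or more identical characters are assumed thresholds, and the dictionary and proper-name lists are constructed stand-ins for real word lists.

```python
import re

# Constructed stand-ins for the dictionary and proper-name lists (assumption:
# a real checker would load full lists).
DICTIONARY_WORDS = {"password", "cisco", "switch", "admin", "secret"}
PROPER_NAMES = {"john", "mary", "alice", "bob"}


def _longest_consecutive_run(pw):
    """Longest run of characters whose codepoints step by +1 or -1 in one direction
    (e.g. "abcd" or "4321")."""
    best = run = 1
    prev_step = 0
    for i in range(1, len(pw)):
        step = ord(pw[i]) - ord(pw[i - 1])
        if step in (1, -1) and (run == 1 or step == prev_step):
            run += 1
        else:
            run = 2 if step in (1, -1) else 1  # a new run may start here
        prev_step = step
        best = max(best, run)
    return best


def check_password_strength(pw, max_consecutive=3, max_repeat=2):
    """Return the list of strong-password characteristics that pw fails.
    An empty list means the password meets every characteristic listed above."""
    failures = []
    if len(pw) < 8:
        failures.append("shorter than eight characters")
    if _longest_consecutive_run(pw) > max_consecutive:
        failures.append("contains consecutive characters")
    # (.)\1{2,} matches any character repeated three or more times in a row
    if re.search(r"(.)\1{%d,}" % max_repeat, pw):
        failures.append("contains repeating characters")
    low = pw.lower()
    if any(word in low for word in DICTIONARY_WORDS):
        failures.append("contains a dictionary word")
    if any(name in low for name in PROPER_NAMES):
        failures.append("contains a proper name")
    if not (re.search(r"[A-Z]", pw) and re.search(r"[a-z]", pw)):
        failures.append("lacks mixed case")
    if not re.search(r"[0-9]", pw):
        failures.append("lacks a number")
    return failures
```

The password used in the examples later in this section, Ci5co321, passes every check; a candidate such as abcdefgh fails the consecutive-character, mixed-case and number checks.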
Caution If you do not specify a password for the user account, the user might not be able to log in to the account.
To use this command, you must enable the cumulative privilege of roles using the feature privilege command.
A passphrase is required when you export or import the key-pair. The passphrase encrypts the exported private key for the user and decrypts it during import.
This command does not require a license.
Examples
This example shows how to create a user account with a password and a user role:
switch# config t
switch(config)# username user1 password Ci5co321 role vdc-admin
This example shows how to configure the SSH key for a user account:
switch# config t
switch(config)# username user1 sshkey file bootflash:key_file
This example shows how to generate the SSH public and private keys and store them in the home directory of the Cisco NX-OS device for the user:
switch# config t
switch(config)# username user1 keypair generate rsa
generating rsa key(2048 bits)......
generated rsa key
This example shows how to export the public and private keys from the home directory of the Cisco NX-OS device to the bootflash directory:
switch# config t
switch(config)# username user1 keypair export bootflash:key_rsa rsa
Enter Passphrase:
switch(config)# dir
...
951 Jul 09 11:13:59 2009 key_rsa
221 Jul 09 11:14:00 2009 key_rsa.pub
..
The private key is exported as the file that you specify, and the public key is exported with the same filename followed by a .pub extension.
This example shows how to import the exported public and private keys from the bootflash directory to the home directory of the Cisco NX-OS device:
switch# config t
switch(config)# username user1 keypair import bootflash:key_rsa rsa
Enter Passphrase:
switch(config)# show username user1 keypair
**************************************
rsa Keys generated: Thu Jul 9 11:10:29 2009
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAxWmjJT+oQhIcvnrMbx2BmD0P8boZElTfJFx9fexWp6rOiztlwODtehnjadWc6A+DE2DvYNvqsrU9TBypYDPQkR/+Y6cKubyFWVxSBG/NHztQc3+QC1zdkIxGNJbEHyFoajzNEO8LLOVFIMCZ2Td7gxUGRZc+fbqS33GZsCAX6v0=
bitcount:262144
fingerprint:8d:44:ee:6c:ca:0b:44:95:36:d0:7d:f2:b5:78:74:7d
**************************************
could not retrieve dsa key information
**************************************
switch(config)#
The private key is imported as the file that you specify, and the public key is imported with the same filename followed by a .pub extension.
This example shows how to assign privilege level 15 to the user:
switch# config t
switch(config)# feature privilege
switch(config)# enable secret 5 def456 priv-lvl 15
switch(config)# username user2 priv-lvl 15
Related Commands
userprofile
To configure the attribute name, search filter, and base-DN for the user profile search operation in order to send a search query to the Lightweight Directory Access Protocol (LDAP) server, use the userprofile command. To disable this configuration, use the no form of this command.
userprofile attribute-name attribute-name search-filter filter base-DN base-DN-name
no userprofile
Syntax Description
Defaults
None
Command Modes
LDAP search map configuration
Supported User Roles
network-admin
vdc-admin
Command History
Usage Guidelines
To use this command, you must enable LDAP.
This command does not require a license.
Examples
This example shows how to configure the attribute name, search filter, and base-DN for the user profile search operation in order to send a search query to the LDAP server:
switch# conf t
switch(config)# ldap search-map s0
switch(config-ldap-search-map)# userprofile attribute-name description search-filter (&(objectClass=inetOrgPerson)(cn=$userid)) base-DN dc=acme,dc=com
switch(config-ldap-search-map)#
Related Commands
Command Description
feature ldap
Enables LDAP.
ldap search-map
Configures an LDAP search map.
show ldap-search-map
Displays the configured LDAP search maps.
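The four search-map commands in this chapter (user-certdn-match, user-pubkey-match, user-switch-bind and userprofile) each store an attribute name, a filter template containing the $userid placeholder, and a base-DN. The following added example (not NX-OS code; the page does not describe how the switch itself expands the template) parses a search-map line as shown above and expands the template for a given login name, escaping the name per RFC 4515 so that it stays a literal value inside the filter.

```python
import re

# RFC 4515 escapes for characters that are special inside an LDAP filter value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

# Grammar of the search-map lines shown in this chapter (assumption: the filter
# itself contains no whitespace, as in every example on the page).
_SEARCH_MAP_RE = re.compile(
    r"(?P<op>\S+) attribute-name (?P<attr>\S+) search-filter (?P<filter>\S+) base-DN (?P<base>\S+)"
)


def escape_filter_value(value):
    """Escape a value so it cannot open or close filter components."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def parse_search_map_line(line):
    """Split one search-map command into its operation, attribute, filter template and base-DN."""
    m = _SEARCH_MAP_RE.fullmatch(line.strip())
    if not m:
        raise ValueError("not a search-map command: " + line)
    return m.groupdict()


def expand_search(entry, userid):
    """Return the search parameters for one login: base-DN, attribute to read,
    and the filter with $userid replaced by the escaped login name."""
    template = entry["filter"]
    if template.count("(") != template.count(")"):
        raise ValueError("unbalanced parentheses in filter template")
    return {
        "base": entry["base"],
        "attr": entry["attr"],
        "filter": template.replace("$userid", escape_filter_value(userid)),
    }
```

For the user-switch-bind example, whose filter names the group cn=dcgroup rather than $userid, the template is returned unchanged.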