7. Managing Switch User Accounts. Alcatel-Lucent OmniSwitch 6800 Series, OmniSwitch 9000 Series, OmniSwitch 6850 Series


7 Managing Switch User Accounts

Switch user accounts may be set up locally on the switch for users to log into and manage the switch. The accounts specify login information (combinations of usernames and passwords) and privilege or profile information depending on the type of user.

The switch has several interfaces (console, Telnet, HTTP, FTP, Secure Shell, and SNMP) through which users may access the switch. The switch may be set up to allow or deny access through any of these interfaces. See Chapter 8, “Managing Switch Security,” for information about setting up management interfaces.

In This Chapter

This chapter describes how to set up user accounts locally on the switch through the Command Line Interface (CLI). CLI commands are used in the configuration examples; for more details about the syntax of commands, see the OmniSwitch CLI Reference Guide.

This chapter provides an overview of user accounts. In addition, configuration procedures described in this chapter include:

• “Creating a User” on page 7-10.

• “Configuring Password Policy Settings” on page 7-12.

• “Configuring Privileges for a User” on page 7-17.

• “Setting Up SNMP Access for a User Account” on page 7-18.

• “Setting Up End-User Profiles” on page 7-20.

For information about enabling management interfaces on the switch, see Chapter 8, “Managing Switch Security.”

For information about connecting a management station to the switch, see Chapter 1, “Managing System Files,” and the appropriate Getting Started Guide.

User information may also be configured on external servers in addition to, or instead of, user accounts configured locally on the switch (except end-user profiles, which may only be configured on the switch).

For information about setting up external servers that are configured with user information, see the “Managing Authentication Servers” chapter in the OmniSwitch 6800/6850/9000 Network Configuration Guide.

OmniSwitch 6800/6850/9000 Switch Management Guide December 2007 page 7-1

User Database Specifications

Maximum number of alphanumeric characters in a username: 31
Maximum number of alphanumeric characters in a user password: 31
Maximum number of alphanumeric characters in an end-user profile name: 32
Maximum number of user accounts: 64
Maximum number of end-user profiles: 128

User Account Defaults

• Two user accounts are available on the switch by default: admin and default. For more information about these accounts, see “Startup Defaults” on page 7-5 and “Default User Settings” on page 7-8.

• New users inherit the privileges of the default user if the specific privileges for the user are not configured; the default user is modifiable.

• Password defaults are as follows:

Minimum password length
   Command: user password-size min
   Default: 8 characters

Default password expiration for any user
   Command: user password-expiration
   Default: disabled

Password expiration for a particular user
   Command: expiration keyword in the user command
   Default: none

Username is not allowed in password
   Command: user password-policy cannot-contain-username
   Default: disabled

Minimum number of uppercase characters required in a password
   Command: user password-policy min-uppercase
   Default: 0 (disabled)

Minimum number of lowercase characters required in a password
   Command: user password-policy min-lowercase
   Default: 0 (disabled)

Minimum number of base-10 digits required in a password
   Command: user password-policy min-digit
   Default: 0 (disabled)

Minimum number of non-alphanumeric characters required in a password
   Command: user password-policy min-nonalpha
   Default: 0 (disabled)

Maximum number of old passwords to retain in the password history
   Command: user password-history
   Default: 4

Minimum number of days a user is blocked from changing the password
   Command: user password-min-age
   Default: 0 (disabled)

• Global user account lockout defaults are as follows:

Length of time during which failed login attempts are counted
   Command: user lockout-window
   Default: 0 (all attempts are counted)

Length of time a user account remains locked out of the switch before the account is automatically unlocked
   Command: user lockout-duration
   Default: 0 (account remains locked until manually unlocked)

Maximum number of failed login attempts allowed during the lockout window time period
   Command: user lockout-threshold
   Default: 0 (no limit to the number of failed login attempts)


Overview of User Accounts

A user account includes a login name and password, together with privilege or profile information, depending on the type of user account. There are two types of accounts: network administrator accounts and end-user or customer login accounts.

Network administrator accounts are configured with user (sometimes called functional) privileges. These privileges determine whether the user has read or write access to the switch and which command domains and command families the user is authorized to execute on the switch.

Customer login accounts are configured with end-user profiles rather than functional privileges. Profiles are configured separately and then attached to the user account. A profile specifies command areas to which a user has access as well as VLAN and/or port ranges to which the user has access.

The designation of particular command domains or command families for user access is sometimes referred to as partitioned management. The privileges and profiles are sometimes referred to as authorization.

Note. End-user command areas are different from the command domains/families used for network administrator accounts. In general, command areas are much more restricted groups of commands (see page 7-20).

Functional privileges (network administration) and end-user profiles (customer login) are mutually exclusive. Both types of users may exist on the switch, but any given user account can only be one type, network administrator or customer login. The CLI in the switch prevents you from configuring both privileges and a profile for the same user.

End-user profiles also cannot be configured on an authentication server; however, users configured on an external authentication server may have profile attributes, which the switch will attempt to match to profiles configured locally.

Note that if user information is configured on an external server (rather than locally on the switch through the CLI) with both functional privilege attributes and profile attributes, the switch treats the user as an end-user and will attempt to match the profile name to a profile name configured on the switch. If there is no match, the user will not be able to log into the switch.

Note. For information about setting up user information on an authentication (AAA) server, see the “Managing Authentication Servers” chapter of the OmniSwitch 6800/6850/9000 Network Configuration Guide.

Users typically log into the switch through one of the following methods:

• Console port—A direct connection to the switch through the console port.

• Telnet—Any standard Telnet client may be used for logging into the switch.

• FTP—Any standard FTP client may be used for logging into the switch.

• HTTP—The switch has a Web browser management interface for users logging in via HTTP. This management tool is called WebView.

• Secure Shell—Any standard Secure Shell client may be used for logging into the switch.

• SNMP—Any standard SNMP browser may be used for logging into the switch.

For more information about connecting to the switch through one of these methods, see Chapter 2, “Logging Into the Switch,” and the appropriate Getting Started Guide.

For information about setting up the switch to allow user access through these interfaces, see Chapter 8, “Managing Switch Security.”

Startup Defaults

By default, a single user management account is available at the first bootup of the switch. This account has the following user name and password:

• user name—admin

• password—switch

Initially, the admin user can only be authorized on the switch through the console port. Management access through any other interface is disabled. The Authenticated Switch Access commands may be used to enable access through other interfaces/services (Telnet, HTTP, etc.); however, SNMP access is not allowed for the admin user. Also, the admin user cannot be modified, except for the password.

Password expiration for the admin user is disabled by default. See “Configuring Password Expiration” on page 7-13.

In addition, another account, default, is available on the switch for default settings only; this account cannot be used to log into the switch. It is used to store and modify default settings for new users.

Note. Up to 64 users may be configured in the local switch database.

To set up a user account, use the user command, which specifies the following:

• Password—The password is required for new users or when modifying a user’s SNMP access. The password will not appear in an ASCII configuration file created via the snapshot command.

• Privileges—The user’s read and write access to command domains and families. See “Configuring Privileges for a User” on page 7-17 for more details.

• SNMP access—Whether or not the user is permitted to manage the switch via SNMP. See “Setting Up SNMP Access for a User Account” on page 7-18 for more details.

• End-User Profile—The user’s read and write access to command areas, port ranges, and VLAN ranges; used for customer login accounts. See “Setting Up End-User Profiles” on page 7-20.

Typically, options for the user (privileges or end-user profile; SNMP access) are configured at the same time the user is created. An example of creating a user and setting access privileges for the account is given here:

-> user thomas techpubs read-write domain-policy md5+des

For more details about command syntax, see the OmniSwitch CLI Reference Guide.


Quick Steps for Network Administrator User Accounts

1 Configure the user with the relevant username and password. For example, to create a user called thomas with a password of techpubs, enter the following:

-> user thomas password techpubs

For information about creating a user and setting up a password, see “Creating a User” on page 7-10.

2 Configure the user privileges (and SNMP access) if the user should have privileges that are different than those set up for the default user account. For example:

-> user thomas read-write domain-network ip-helper telnet

For information about the default user settings, see the next section. For information about setting up privileges, see “Configuring Privileges for a User” on page 7-17.

Note. Optional. To verify the user account, enter the show user command. The display is similar to the following:

User name = admin
Read Only for domains = None,
Read/Write for domains = All ,
Snmp not allowed

User name = public
Read Only for domains = None,
Read/Write for domains = All ,
Snmp authentication = NONE, Snmp encryption = NONE

User name = thomas
Read Only for domains = None,
Read/Write for domains = Network ,
Read/Write for families = telnet ip-helper ,
Snmp not allowed

User name = default
Read Only for domains = None,
Read/Write for domains = None,
Snmp not allowed

For more information about the show user command, see the OmniSwitch CLI Reference Guide.
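As an added example (not from the OmniSwitch guide), the following Python parses show user output in the layout shown above into per-account records and flags accounts that have read/write access to all domains or have SNMP access enabled, which is the review an administrator would want to run over the local user database. The sample text is constructed from the display above; the function names are assumptions.

```python
# Added example: audit the local user database from 'show user' text.
from typing import Dict, List

# Constructed sample, copied from the 'show user' display in this chapter.
SAMPLE_SHOW_USER = """\
User name = admin
Read Only for domains = None,
Read/Write for domains = All ,
Snmp not allowed

User name = public
Read Only for domains = None,
Read/Write for domains = All ,
Snmp authentication = NONE, Snmp encryption = NONE

User name = thomas
Read Only for domains = None,
Read/Write for domains = Network ,
Read/Write for families = telnet ip-helper ,
Snmp not allowed

User name = default
Read Only for domains = None,
Read/Write for domains = None,
Snmp not allowed
"""


def parse_show_user(text: str) -> Dict[str, Dict[str, str]]:
    """Return {username: {field: value}} for every 'User name =' block.

    A line may carry several 'key = value' pairs separated by commas
    (e.g. the Snmp authentication/encryption line). Lines without '='
    such as 'Snmp not allowed' are stored as flags with the value 'yes'.
    """
    users: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("User name"):
            current = line.split("=", 1)[1].strip()
            users[current] = {}
            continue
        if current is None:
            continue  # text before the first account block
        for part in line.split(","):
            part = part.strip()
            if not part:
                continue
            if "=" in part:
                key, value = (s.strip() for s in part.split("=", 1))
                users[current][key] = value
            else:
                users[current][part] = "yes"
    return users


def review_accounts(users: Dict[str, Dict[str, str]]) -> List[str]:
    """Flag broad write access and SNMP-enabled accounts.

    The 'default' account is not a login account, but write access on it
    is inherited by every new user, so it is reported separately.
    """
    findings = []
    for name, fields in users.items():
        rw_domains = fields.get("Read/Write for domains", "").lower()
        if rw_domains == "all":
            if name == "default":
                findings.append("default: new users inherit read/write access to all domains")
            else:
                findings.append(f"{name}: read/write access to all domains")
        if "Snmp not allowed" not in fields:
            auth = fields.get("Snmp authentication", "?")
            enc = fields.get("Snmp encryption", "?")
            findings.append(f"{name}: SNMP access enabled (authentication={auth}, encryption={enc})")
    return findings


if __name__ == "__main__":
    for finding in review_accounts(parse_show_user(SAMPLE_SHOW_USER)):
        print(finding)
```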


Quick Steps for Creating Customer Login User Accounts

1 Set up a user profile through the end-user profile command. For example, configure a profile called Profile1 that specifies read-write access to the physical and basic-ip-routing command areas:

-> end-user profile Profile1 read-write physical basic-ip-routing

2 Specify ports to which the profile will allow access. In this example, Profile1 will be configured with access to ports on slot 1 and slot 2.

-> end-user profile Profile1 port-list 1/1-2 1/4-5 2/1-8

3 Specify VLANs or VLAN ranges to which the profile will allow access. In this example, Profile1 will be configured with access to VLANs 3 through 8.

-> end-user profile Profile1 vlan-range 3-8

Note. Optional. To verify the end-user profile, enter the show end-user profile command. The display is similar to the following:

End user profile : Profile1
Area accessible with read and write rights : physical, basic ip routing,
Slot : 1, ports allowed : 1-2, 4-5
Slot : 2, ports allowed : 1-8
Vlan Id : 3-8

For more information about the show end-user profile command, see the OmniSwitch CLI Reference Guide.

4 Associate the profile with a user account. Enter the user command with the relevant username and password and specify Profile1. In this example, the user name is Customer1 and the password is my_passwd:

-> user Customer1 password my_passwd end-user profile Profile1

For more information about creating a user and setting up a password, see “Creating a User” on page 7-10.

For information about creating end-user profiles, see “Setting Up End-User Profiles” on page 7-20.

Note. Optional. To verify the user account, enter the show user command. The display is similar to the following:

User name = Customer1
END user profile = Profile1
SNMP authentication = NONE, Snmp encryption = NONE

User name = default
END user profile = Profile5
Snmp not allowed

For more information about the show user command, see the OmniSwitch CLI Reference Guide.


Default User Settings

The default user account on the switch is used for storing new user defaults for privileges and profile information. This account does not include a password and cannot be used to log into the switch.

At the first switch startup, the default user account is configured for:

• No read or write access.

• No SNMP access.

• No end-user profile.

Any new users created on the switch will inherit the privileges or the end-user profile of the default user unless the user is configured with specific privileges or a profile.

The default user settings may be modified. Enter the user command with default as the user name. Note that the default user may only store default functional privileges or a default end-user profile. The default user cannot be configured with both privileges and a profile.

The following example modifies the default user account with read-write access to all CLI commands:

-> user default read-write all

In this example, any new user that is created will have read and write access to all CLI commands (unless a specific privilege or SNMP access is configured for the new user). For more information about configuring privileges, see “Setting Up End-User Profiles” on page 7-20.

The privilege default is particularly important for users who are authenticated via an ACE/Server, which only supplies username and password information; or for users who are authenticated via a RADIUS or LDAP server on which privileges are not configured. For more information about these servers, see the “Managing Authentication Servers” chapter of the OmniSwitch 6800/6850/9000 Network Configuration Guide.

Account and Password Policy Settings

The switch includes global password settings that are used to implement and enforce password complexity when a password is created, modified, and used. These user-configurable settings apply the following password requirements to all user accounts configured for the switch:

• Minimum password size.

• Whether or not a password can contain the account username.

• Minimum password character requirements.

• Password expiration.

• Password history.

• Minimum password age.

In addition to global password settings, the switch also includes global user lockout settings that determine when a user account is locked out of the switch and the length of time the user account remains locked.

See “Configuring Password Policy Settings” on page 7-12 and “Configuring Global User Lockout Settings” on page 7-15 for more information.


How User Settings Are Saved

Unlike other settings on the switch, user settings configured through the user and password commands are saved to the switch configuration automatically. These settings are saved in real time in the local user database.

At bootup, the switch reads the database file for user information (rather than the boot.cfg file). The write memory, copy running-config working, or configuration snapshot commands are not required to save user or password settings over a reboot.

Note. Password settings configured through the user password-policy commands are not automatically saved to the switch configuration.

For information about using the write memory, copy running-config working, and configuration snapshot commands, see Chapter 4, “Managing CMM Directory Content,” Chapter 6, “Working With Configuration Files,” and the OmniSwitch CLI Reference Guide.


Creating a User

To create a new user, enter the user command with the desired username and password. Use the password keyword. For example:

-> user thomas password techpubs

In this example, a user account with a user name of thomas and a password of techpubs is stored in the local user database.

Typically the password should be a string of non-repeating characters. The CLI uses the first occurrence of the character series to uniquely identify the password. For example, the password tpubtpub is the same as tpub. A better password might be tpub3457.

Note. The exclamation point (!) is not a valid password character. In addition, specifying an asterisk (*) as one or more characters in a password is allowed as long as every character is not an asterisk. For example, password **123456** is allowed; password ******** is not allowed.

If privileges are not specified for the user, the user will inherit all of the privileges of the default user account. See “Default User Settings” on page 7-8.

Note that the password will not display in clear text in an ASCII configuration file produced by the snapshot command. Instead, it will display in encrypted form. See Chapter 6, “Working With Configuration Files,” for information about using the snapshot command.

Removing a User

To remove a user from the local database, use the no form of the command:

-> no user thomas

The user account for thomas is removed from the local user database.

User-Configured Password

Users may change their own passwords by using the password command. In this example, the current user wants to change her password to my_passwd. Follow these steps to change the password:

1 Enter the password command. The system displays a prompt for the new password:

-> password
enter old password:

2 Enter the old password. (The password is concealed with asterisks.) A prompt displays for the new password.

-> password
enter old password:********
enter new password:

3 Enter the desired password. The system then displays a prompt to verify the password.

-> password
enter old password:********
enter new password: *********
reenter new password:

4 Enter the password again.

-> password
enter old password:********
enter new password: *********
reenter new password: *********

->

The password is now reset for the current user. At the next switch login, the user must enter the new password.

Note. A new password cannot be identical to the current password; it cannot be identical to any of the three passwords that preceded the current password. Also, the exclamation point (!) is not a valid password character and specifying an asterisk (*) as one or more characters in a password is allowed as long as every character is not an asterisk. For example, password **123456** is allowed; password ******** is not allowed.


Configuring Password Policy Settings

The global password policy settings for the switch define the following requirements that are applied to all user accounts:

• Minimum password size.

• Whether or not the password can contain the username.

• The minimum number of uppercase characters required in a password.

• The minimum number of lowercase characters required in a password.

• The minimum number of base-10 digits required in a password.

• The minimum number of non-alphanumeric characters (symbols) required in a password.

• Password expiration.

• The maximum number of old passwords that are saved in the password history.

• The minimum number of days during which a user is not allowed to change their password.

Password policy settings are applied when a password is created or modified. The following subsections describe how to configure these settings using CLI commands.

To view the current policy configuration, use the show user password-policy command. For more information about this command and those used in the configuration examples throughout this section, see the OmniSwitch CLI Reference Guide.

Setting a Minimum Password Size

The default minimum password length (or size) is 8 characters. To configure a minimum password size, enter the user password-size min command. For example:

-> user password-size min 10

The minimum length for any passwords configured for users is now 10 characters.

Note that the maximum password length is 31 characters.

Configuring the Username Password Exception

By default, specifying the username as all or part of a password is allowed. Use the user password-policy cannot-contain-username command to block the ability to configure a password that contains the username. For example:

-> user password-policy cannot-contain-username enable

Enabling this functionality prevents the user from specifying the username in the password that is configured for the same user account. For example, the password for the account username of public cannot contain the word public in any part of the password. However, the username of another account is still allowed.


Configuring Password Character Requirements

The character requirements specified in the global password policy determine the minimum number of uppercase, lowercase, non-alphanumeric, and 10-base digit characters required in all passwords. These requirements are configured using the following user password-policy commands:

user password-policy min-uppercase
   Configures the minimum number of uppercase characters required in all passwords.

user password-policy min-lowercase
   Configures the minimum number of lowercase characters required in all passwords.

user password-policy min-digit
   Configures the minimum number of base-10 digits required in all passwords.

user password-policy min-nonalpha
   Configures the minimum number of non-alphanumeric characters (symbols) required in all passwords.

Specifying zero with any of these commands disables the requirement. For example, if the number of minimum uppercase characters is set to zero (the default), then there is no requirement for a password to contain any uppercase characters.

Configuring Password Expiration

By default, password expiration is disabled on the switch. A global default password expiration may be specified for all users or password expiration may be set for an individual user.

Note. When the current user’s password has less than one week before expiration, the switch will display an expiration warning after login.

If a user’s password expires, the user will be unable to log into the switch through any interface; the admin user must reset the user’s password. If the admin user’s password expires, the admin user will have access to the switch through the console port with the currently configured password.

Default Password Expiration

To set password expiration globally, use the user password-expiration command with the desired number of days; the allowable range is 1 to 150 days. For example:

-> user password-expiration 3

The default password expiration is now set to three days. All user passwords on the switch will be set or reset with the three-day expiration. If an individual user was configured with a different expiration through the user command, the expiration will be reset to the global value.

The expiration is based on the switch system date/time and the date/time at which the user password-expiration command is entered. For example, if a user is configured with a password expiration of 10 days, but the global setting is 20 days, that user’s password will expire in 10 days.

To disable the default password expiration, use the user password-expiration command with the disable option:

-> user password-expiration disable


Specific User Password Expiration

To set password expiration for an individual user, use the user command with the expiration keyword and the desired number of days or an expiration date. For example:

-> user bert password techpubs expiration 5

This command gives user bert a password expiration of five days.

To set a specific date for password expiration, include the date in mm/dd/yyyy hh:mm format. For example:

-> user bert password techpubs expiration 02/19/2003 13:30

This command sets the password expiration to February 19, 2003, at 1:30 p.m.; the switch will calculate the expiration based on the system date/time. The system date/time may be displayed through the system date and system time commands. For more information about the system date/time, see the OmniSwitch 6800/6850/9000 Switch Management Guide.

Note. The expiration will be reset to the global default setting (based on the user password-expiration command) if the user password is changed or the user password-expiration command is entered again.

Configuring the Password History

The password history refers to the number of old passwords for each user account that are saved by the switch. This functionality prevents the user from using the same password each time their account password is changed. For example, if the password history is set to 10 and a new password entered by the user matches any of the 10 passwords saved, then an error message is displayed notifying the user that the password is not available.

By default, the password history is set to save up to 4 old passwords for each user account. To configure the number of old passwords to save, use the user password-history command. For example:

-> user password-history 2

To disable the password history function, specify 0 as the number of old passwords to save. For example:

-> user password-history 0

Note that a password is dropped from the password history when it no longer falls within the number of passwords that are retained by the switch.
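As an added example (not from the OmniSwitch guide), the following Python applies the global policy rules described in the sections above (minimum size, the 31-character maximum, the username exception, the character-class minimums, the password history, and the exclamation point and asterisk rules from “Creating a User”) to a candidate password, so an administrator can test a password against the documented constraints before configuring it. The class and function names are assumptions, and treating the username check as case-insensitive is an assumption.

```python
# Added example: check a candidate password against the documented policy.
from dataclasses import dataclass
from typing import List, Sequence

MAX_PASSWORD_LEN = 31  # maximum number of characters in a user password
DIGITS = "0123456789"  # base-10 digits only, as the policy describes them


@dataclass
class PasswordPolicy:
    """Global settings from 'user password-size min', the
    'user password-policy ...' commands and 'user password-history'.
    Zero disables a requirement, as on the switch; values are the defaults."""
    size_min: int = 8
    cannot_contain_username: bool = False
    min_uppercase: int = 0
    min_lowercase: int = 0
    min_digit: int = 0
    min_nonalpha: int = 0
    history: int = 4


def check_password(policy: PasswordPolicy, username: str, password: str,
                   old_passwords: Sequence[str] = ()) -> List[str]:
    """Return the list of rule violations; an empty list means the password
    is acceptable. old_passwords is the account's saved history, newest
    first; only the newest `policy.history` entries are retained."""
    problems = []
    n = len(password)
    if n < policy.size_min:
        problems.append(f"shorter than the minimum size of {policy.size_min}")
    if n > MAX_PASSWORD_LEN:
        problems.append(f"longer than the maximum size of {MAX_PASSWORD_LEN}")
    # The exclamation point is not a valid password character.
    if "!" in password:
        problems.append("contains the invalid character '!'")
    # Asterisks are allowed unless every character is an asterisk.
    if password and set(password) == {"*"}:
        problems.append("consists only of asterisks")
    # Username exception (assumed case-insensitive matching).
    if policy.cannot_contain_username and username.lower() in password.lower():
        problems.append("contains the account username")
    counts = {
        "uppercase": sum(c.isupper() for c in password),
        "lowercase": sum(c.islower() for c in password),
        "base-10 digit": sum(c in DIGITS for c in password),
        "non-alphanumeric": sum(not c.isalnum() for c in password),
    }
    required = {
        "uppercase": policy.min_uppercase,
        "lowercase": policy.min_lowercase,
        "base-10 digit": policy.min_digit,
        "non-alphanumeric": policy.min_nonalpha,
    }
    for kind, minimum in required.items():
        if minimum and counts[kind] < minimum:
            problems.append(f"needs at least {minimum} {kind} character(s), "
                            f"has {counts[kind]}")
    # Password history: the new password may not match a retained old one.
    if policy.history and password in list(old_passwords)[:policy.history]:
        problems.append("matches a password in the retained history")
    return problems


if __name__ == "__main__":
    strict = PasswordPolicy(size_min=10, cannot_contain_username=True,
                            min_uppercase=1, min_digit=2, min_nonalpha=1)
    for candidate in ("Tpub3457#x", "Mypublic9#", "********"):
        print(candidate, check_password(strict, "public", candidate) or "ok")
```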

Configuring the Minimum Age for a Password

The password minimum age setting specifies the number of days during which a user is not allowed to change their password. Note that it is necessary to configure a password minimum age value that is less than the password expiration value.

The default minimum age is set to zero, which means that there is no minimum age requirement for a password. To configure a minimum password age, use the user password-min-age command. For example:

-> user password-min-age 7

This command specifies that the user is prevented from changing their password for seven days from the time the password was created or modified.

Configuring Global User Lockout Settings

The following user lockout settings configured for the switch apply to all user accounts:

• Lockout window—the length of time a failed login attempt is aged before it is no longer counted as a failed attempt.

• Lockout threshold—the number of failed login attempts allowed within a given lockout window period of time.

• Lockout duration—the length of time a user account remains locked until it is automatically unlocked.

In addition to the above lockout settings, the network administrator also has the ability to manually lock and unlock user accounts. The following subsections describe how to configure user lockout settings and how to manually lock and unlock user accounts.

Note. Only the admin user is allowed to configure user lockout settings. The admin account is protected from lockout; therefore, it is always available.

Lockout settings are saved automatically; that is, these settings do not require the write memory, copy running-config working, or configuration snapshot command to save user settings over a reboot. To view the current lockout settings configured for the switch, use the show user lockout-setting command.

For more information about this command and those used in the configuration examples throughout this section, see the OmniSwitch CLI Reference Guide.

Configuring the User Lockout Window

The lockout window is basically a moving observation window of time in which failed login attempts are counted. If the number of failed login attempts exceeds the lockout threshold setting (see “Configuring the User Lockout Threshold Number” on page 7-15) during any given observation window period of time, the user account is locked out of the switch.

Note that if a failed login attempt ages beyond the observation window of time, that attempt is no longer counted towards the threshold number. For example, if the lockout window is set for 10 minutes and a failed login attempt occurred 11 minutes ago, then that attempt has aged beyond the lockout window time and is not counted. In addition, the failed login count is decremented when the failed attempt ages out.

By default, the lockout window is set to 0; this means that there is no observation window and failed login attempts are not counted. The user is allowed an unlimited number of failed login attempts. To configure the lockout window time, in minutes, use the user lockout-window command. For example:

-> user lockout-window 30

Do not configure an observation window time period that is greater than the lockout duration time period (see “Configuring the User Lockout Duration Time” on page 7-16).

Configuring the User Lockout Threshold Number

The lockout threshold number specifies the number of failed login attempts allowed during any given lockout window period of time (see “Configuring the User Lockout Window” on page 7-15). For example, if the lockout window is set for 30 minutes and the threshold number is set for 3 failed login attempts, then the user is locked out when 3 failed login attempts occur within a 30 minute time frame.

OmniSwitch 6800/6850/9000 Switch Management Guide December 2007 page 7-15

Configuring Global User Lockout Settings Managing Switch User Accounts

By default, the lockout threshold number is set to 0; this means that there is no limit to the number of failed login attempts allowed, even if a lockout window time period exists. To configure a lockout threshold number, use the user lockout-threshold command. For example:

-> user lockout-threshold 3

Note that a locked user account is automatically unlocked when the lockout duration time (see “Configuring the User Lockout Duration Time” on page 7-16) is reached or the admin user manually unlocks the user account.

Configuring the User Lockout Duration Time

The user lockout duration time specifies the number of minutes a user account remains locked until it is automatically unlocked by the switch. This period of time starts when the user account is locked out of the switch. Note that at any point during the lockout duration time, the admin user can still manually unlock the user account.

By default, the user lockout duration time is set to 0; this means that there is no automatic unlocking of a user account by the switch. The locked user account remains locked until it is manually unlocked by the admin user. To configure a lockout duration time, use the user lockout-duration command. For example:

-> user lockout-duration 60

Do not configure a lockout duration time that is less than the lockout window time period (see “Configuring the User Lockout Window” on page 7-15 ).
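The way the three settings above interact (failed attempts ageing out of the window, the count being decremented, the lock taking effect when the count reaches the threshold as in the 30-minute/3-attempt example, and the automatic unlock after the duration) is shown here as an added Python model. It is not code from the manual or from the OmniSwitch; the account name j_smith, the minute-based timestamps and the handling of an attempt exactly one window old (treated as still counted, since the page only says an attempt "beyond" the window is dropped) are assumptions made for the example.

```python
from collections import deque


class LockoutPolicy:
    """The global lockout settings from this section, all in minutes.

    A value of 0 keeps the manual's meaning: no observation window
    (failures are not counted), no threshold (unlimited failures), or
    no automatic unlock (locked until an admin intervenes).
    """

    def __init__(self, window=0, threshold=0, duration=0):
        # The manual says not to set a window longer than the duration;
        # this model rejects that configuration outright.
        if window and duration and window > duration:
            raise ValueError("lockout-window must not exceed lockout-duration")
        self.window = window
        self.threshold = threshold
        self.duration = duration


class Account:
    """Per-user lockout state (constructed for the example)."""

    def __init__(self, name):
        self.name = name
        self.failures = deque()  # minutes at which still-counted failures occurred
        self.locked_at = None    # minute the lock started, or None if not locked


def _age_out(account, policy, now):
    # Failures older than the window stop counting; the count is decremented.
    # Boundary handling is an assumption: an attempt exactly 'window' minutes
    # old is still counted, anything older is dropped.
    while account.failures and now - account.failures[0] > policy.window:
        account.failures.popleft()


def unlock(account):
    """Manual unlock ('user unlock <name>') or unlock via a password change."""
    account.locked_at = None
    account.failures.clear()


def is_locked(account, policy, now):
    """Lock state at minute 'now'; applies the automatic unlock if it is due."""
    if account.locked_at is None:
        return False
    if policy.duration and now - account.locked_at >= policy.duration:
        unlock(account)  # lockout-duration reached
        return False
    return True


def record_failure(account, policy, now):
    """Register a failed login at minute 'now'. Returns True if the account is locked."""
    if is_locked(account, policy, now):
        return True
    if policy.window == 0 or policy.threshold == 0:
        return False  # no window: failures not counted; no threshold: no limit
    _age_out(account, policy, now)
    account.failures.append(now)
    if len(account.failures) >= policy.threshold:
        account.locked_at = now
        account.failures.clear()
        return True
    return False


def failure_outcomes(policy, failure_times, name="j_smith"):
    """Replay a sequence of failed logins; returns the account and the lock
    state reported after each attempt."""
    account = Account(name)
    return account, [record_failure(account, policy, t) for t in failure_times]


if __name__ == "__main__":
    policy = LockoutPolicy(window=30, threshold=3, duration=60)
    acct, outcomes = failure_outcomes(policy, [0, 10, 41, 45, 50])
    print(outcomes)  # [False, False, False, False, True]
    print(is_locked(acct, policy, 109), is_locked(acct, policy, 110))  # True False
```

Running the replay with the default settings (all three at 0) never locks the account, which is why the defaults leave a local account open to unlimited password guessing; with duration left at 0 and the other two set, the lock persists until an admin runs user unlock or changes the password.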

Manually Locking and Unlocking User Accounts

The user lockout unlock command is used to manually lock or unlock a user account. This command is only available to the admin user or a user who has read/write access privileges to the switch.

To lock a user account, enter user lockout and the username for the account. For example,

-> user lockout j_smith

To unlock a user account, enter user unlock and the username for the locked account. For example,

-> user unlock j_smith

In addition to this command, the admin user or users with read/write access privileges can change the user account password to unlock the account.

Note that if a lockout duration time (see “Configuring the User Lockout Duration Time” on page 7-16) is not configured for the switch, then it is only possible to manually unlock a user account with the user lockout command or by changing the user password.


Configuring Privileges for a User

To configure privileges for a user, enter the user command with the read-only or read-write option and the desired CLI command domain names or command family names. The read-only option provides access to show commands; the read-write option provides access to configuration commands and show commands. Command families are subsets of command domains.

If you create a user without specifying any privileges, the user’s account will be configured with the privileges specified for the default user account.

Command domains and families are listed here:

Domain              Corresponding Families
domain-admin        file, telnet, debug
domain-system       system, aip, snmp, rmon, webmgt, config
domain-physical     chassis, module, interface, pmm, health
domain-network      ip, rip, ospf, bgp, vrrp, ip-routing, ipx, ipmr, ipms, rdp, ospf3, ipv6
domain-layer2       vlan, bridge, stp, 802.1q, linkagg, ip-helper
domain-service      dns
domain-policy       qos, policy, slb
domain-security     session, avlan, aaa

In addition to command families, the keywords all or none may be used to set privileges for all command families or no command families respectively.

An example of setting up user privileges:

-> user thomas read-write domain-network ip-helper telnet

User thomas will have write access to all the configuration commands and show commands in the network domain, as well as Telnet and IP helper (DHCP relay) commands. The user will not be able to execute any other commands on the switch.

Use the keyword all to specify access to all commands. In the following example, the user is given read access to all commands:

-> user lindy read-only all

Note. When modifying an existing user, the user password is not required. If you are configuring a new user with privileges, the password is required.

The default user privileges may also be modified. See “Default User Settings” on page 7-8.
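How a privilege grant such as user thomas read-write domain-network ip-helper telnet expands into a per-family authorization set, and why thomas gets the ip-helper commands only because that family is named explicitly (it belongs to domain-layer2, not domain-network), as an added Python model that is not code from the manual or the switch. The domain-to-family table is the one printed in this section; the resolve_privileges and can_run names, and the treatment of none as granting nothing, are assumptions made for the example.

```python
# Command domains and the families they contain, as listed in this section.
DOMAINS = {
    "domain-admin": ["file", "telnet", "debug"],
    "domain-system": ["system", "aip", "snmp", "rmon", "webmgt", "config"],
    "domain-physical": ["chassis", "module", "interface", "pmm", "health"],
    "domain-network": ["ip", "rip", "ospf", "bgp", "vrrp", "ip-routing",
                       "ipx", "ipmr", "ipms", "rdp", "ospf3", "ipv6"],
    "domain-layer2": ["vlan", "bridge", "stp", "802.1q", "linkagg", "ip-helper"],
    "domain-service": ["dns"],
    "domain-policy": ["qos", "policy", "slb"],
    "domain-security": ["session", "avlan", "aaa"],
}
ALL_FAMILIES = frozenset(f for fams in DOMAINS.values() for f in fams)


def resolve_privileges(level, names):
    """Expand the names given after 'user <name> read-only|read-write ...'
    into a mapping family -> level (hypothetical helper).

    A domain name expands to every family in that domain, 'all' to every
    family, and 'none' contributes nothing (assumption).  Unknown names are
    rejected rather than silently ignored, so a typo cannot pass unnoticed.
    """
    if level not in ("read-only", "read-write"):
        raise ValueError("level must be read-only or read-write")
    families = set()
    for name in names:
        if name == "all":
            families |= ALL_FAMILIES
        elif name == "none":
            continue
        elif name in DOMAINS:
            families.update(DOMAINS[name])
        elif name in ALL_FAMILIES:
            families.add(name)
        else:
            raise ValueError(f"unknown command domain or family: {name}")
    return {family: level for family in families}


def can_run(privs, family, show_command):
    """Authorization check for a command belonging to 'family'.

    read-only permits show commands only; read-write permits show and
    configuration commands; a family never granted permits nothing.
    """
    level = privs.get(family)
    if level is None:
        return False
    return show_command or level == "read-write"


if __name__ == "__main__":
    thomas = resolve_privileges("read-write", ["domain-network", "ip-helper", "telnet"])
    print(sorted(thomas))                                   # 14 families
    print(can_run(thomas, "ospf", show_command=False))      # True
    print(can_run(thomas, "vlan", show_command=True))       # False: layer2 not granted
    lindy = resolve_privileges("read-only", ["all"])
    print(can_run(lindy, "vlan", show_command=False))       # False: read-only
```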


Setting Up SNMP Access for a User Account

By default, users can access the switch based on the SNMP setting specified for the default user account.

The user command, however, may be used to configure SNMP access for a particular user. SNMP access may be configured without authentication and encryption required (supported by SNMPv1, SNMPv2, or SNMPv3). Or it may be configured with authentication or authentication/encryption required (SNMPv3 only).

SNMP authentication specifies the algorithm that should be used for computing the SNMP authentication key. It may also specify DES encryption. The following options may be configured for a user’s SNMP access with authentication or authentication/encryption:

• SHA—The SHA authentication algorithm is used for authenticating SNMP PDUs for the user.

• MD5—The MD5 authentication algorithm is used for authenticating SNMP PDUs for the user.

• SHA and DES—The SHA authentication algorithm and the DES encryption standard are used for authenticating and encrypting SNMP PDUs for the user.

• MD5 and DES—The MD5 authentication algorithm and the DES encryption standard are used for authenticating and encrypting SNMP PDUs for the user.

The user’s level of SNMP authentication is superseded by the SNMP version allowed globally on the switch. By default, the switch allows all SNMP requests. Use the snmp security command to change the SNMP security level on the switch.

Note. At least one user with SHA/MD5 authentication and/or DES encryption must be configured on the switch for SNMPv3 communication with OmniVista.

The community string carried in the SNMP PDU identifies the request as an SNMPv1 or SNMPv2 request. The way the community string is handled on the switch is determined by the setting of the snmp community map mode command. If the community map mode is enabled, the community string is checked against the community strings database (populated by the snmp community map command). If the community map mode is disabled, then the community string value is checked against the user database. In either case, if the check fails, the request is dropped.

For more information about configuring SNMP globally on the switch, see Chapter 10, “Using SNMP.”

The next sections describe how to configure SNMP access for users. Note the following:

• SNMP access cannot be specified for the admin user.

• When modifying a user’s SNMP access, the user password must be re-entered (or a new one configured). This is required because the hash algorithm used to save the password in the switch depends on the SNMP authentication level.

SNMP Access Without Authentication/Encryption

To give a user SNMP access without SNMP authentication required, enter the user command with the no auth option. For example, to give existing user thomas SNMP access without SNMP authentication, enter the following:

-> user thomas password techpubs no auth


For this user, if the SNMP community map mode is enabled (the default), the SNMP community map must include a mapping for this user to a community string. In this example, the community string is our_group:

-> snmp community map our_group user thomas

In addition, the global SNMP security level on the switch must allow non-authenticated SNMP frames through the switch. By default, the SNMP security level is privacy all; this is the highest level of SNMP security, which allows only SNMPv3 frames through the switch. Use the snmp security command to change the SNMP security level. For more information about configuring SNMP globally on the switch, see Chapter 10, “Using SNMP.”

SNMP Access With Authentication/Encryption

To configure a user with SNMP access and authentication, enter the user command with the desired authentication type (sha, md5, sha+des, and md5+des).

-> user thomas password techpubs sha+des

When SNMP authentication is specified, an SNMP authentication key is computed from the user password based on the authentication/encryption setting. In this example, the switch would use the SHA authentication algorithm and DES encryption on the techpubs password to determine the SNMP authentication key for this user. The key is in hexadecimal form and is used for encryption/decryption of the SNMP PDU.

The authentication key is only displayed in an ASCII configuration file if the snapshot command is entered. The key is indicated in the file by the syntax authkey key. See Chapter 6, “Working With Configuration Files,” for information about using the snapshot command. The key is not displayed in the CLI.

Removing SNMP Access From a User

To deny SNMP access, enter the user command with the no snmp option:

-> user thomas no snmp

This command results in thomas no longer having SNMP access to manage the switch.


Setting Up End-User Profiles

End-user profiles are designed for user accounts in the carrier market. With end-user profiles, a network administrator can configure customer login accounts that restrict users to particular command areas over particular ports and/or VLANs.

End-user profiles are only managed and stored on the switch; profiles are not stored on external servers.

Note. End-user profiles cannot be used in conjunction with user partitioned management; the features are mutually exclusive.

The following table shows the end-user command areas and the commands associated with each area:

Area Keyword          Available Commands
physical              trap port link, flow, flow wait, interfaces admin, interfaces alias,
                      interfaces, interfaces no L2 statistics, show interfaces
vlan-table            vlan, vlan stp, vlan authentication, vlan router ipx, vlan port default,
                      show vlan, show vlan port, show vlan router mac status, vlan 802.1q,
                      vlan 802.1q frame type, vlan 802.1q force tag internal, show 802.1q,
                      vlan dhcp mac, vlan dhcp mac range, vlan dhcp port, vlan dhcp generic,
                      vlan binding mac-ip-port, vlan binding mac-port-protocol,
                      vlan binding mac-port, vlan binding mac-ip, vlan binding ip-port,
                      vlan mac, vlan mac range, vlan ip, vlan ipx, vlan protocol, vlan user,
                      vlan port, vlan port mobile, vlan port default, vlan restore,
                      vlan port authenticate, show vlan rules, show vlan port mobile
mac-filtering-table   mac-address-table, mac-address-table aging-time, show mac-address-table,
                      show mac-address-table count, show mac-address aging-time
spantree              show spantree, show spantree ports
basic-ip-routing      show arp
ip-routes-table       show ip route


Creating End-User Profiles

To set up an end-user profile, use the end-user profile command and enter a name for the profile. Specify read-only or read-write access to particular command areas. The profile can also specify port ranges and/ or VLAN ranges. The port ranges and VLAN ranges must be configured on separate command lines and are discussed in the next sections.

In this example, a profile is created with access to physical commands on the switch:

-> end-user profile Profile3 read-write physical

A profile named Profile3 is now available on the switch and may be associated with a user through the user command.

Note that if port ranges or VLAN ranges are not configured, a user with this profile will not be able to use any commands that require port or VLAN values or view any show outputs that contain port or VLAN values.

Setting Up Port Ranges in a Profile

To set up port ranges for a profile, enter the end-user profile port-list command with the relevant profile name and the desired slots/ports. For example:

-> end-user profile Profile3 port-list 2 3/1-4

In this example, the port list includes all ports in slot 2, and ports 1 through 4 on slot 3. A user with this profile will be able to manage these ports (depending on the command areas specified in the profile).

To remove a port list, use the no form of the command with the relevant slot number(s). All ports in the port list on a given slot will be removed. For example:

-> end-user profile Profile3 no port-list 3

In this example, all ports on slot 3 are removed from the profile.

Setting Up VLAN Ranges in a Profile

To set up VLAN ranges for a profile, enter the end-user profile vlan-range command with the relevant profile name and the desired VLAN range. For example:

-> end-user profile Profile3 vlan-range 2-4 7-8

In this example, the VLAN range includes VLANs 2, 3, 4, 7, and 8. A user with this profile will be able to manage these VLANs (depending on the command areas specified in the profile).

To remove a VLAN range from a profile, use the no form of the command and the VLAN ID of the start of the range to be removed. For example:

-> end-user profile Profile3 no vlan-range 7

This command removes VLANs 7 and 8 from Profile3.
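The profile, port-list and vlan-range commands of this section, as an added Python model of what the switch enforces: which command areas the profile opens, how the port-list syntax (a bare slot number for every port on the slot, or slot/first-last) and the vlan-range syntax are parsed, how the no forms remove a whole slot or the range that starts at a given VLAN ID, and the consequence that a profile with no ranges configured permits no port or VLAN at all. This is not code from the manual or the OmniSwitch; the EndUserProfile class, its method names and the rejection of an unknown area or a no vlan-range that matches nothing are assumptions made for the example.

```python
class EndUserProfile:
    """Model of 'end-user profile <name> read-only|read-write <areas>' plus
    the port-list and vlan-range sub-commands (hypothetical helper)."""

    AREAS = {"physical", "vlan-table", "mac-filtering-table", "spantree",
             "basic-ip-routing", "ip-routes-table"}

    def __init__(self, name, access, areas):
        if access not in ("read-only", "read-write"):
            raise ValueError(f"bad access level: {access}")
        unknown = set(areas) - self.AREAS
        if unknown:
            raise ValueError(f"unknown command area(s): {sorted(unknown)}")
        self.name = name
        self.access = access
        self.areas = set(areas)
        self.slots = {}        # slot -> set of port numbers, or None for every port
        self.vlan_ranges = []  # list of (first, last) tuples

    def port_list(self, spec):
        """'port-list 2 3/1-4': a bare slot number means every port on that slot."""
        for token in spec.split():
            if "/" in token:
                slot_text, port_text = token.split("/", 1)
                first, _, last = port_text.partition("-")
                slot = int(slot_text)
                current = self.slots.get(slot, set())
                if current is None:
                    continue  # the whole slot is already allowed
                current.update(range(int(first), int(last or first) + 1))
                self.slots[slot] = current
            else:
                self.slots[int(token)] = None

    def no_port_list(self, *slot_numbers):
        """'no port-list 3': every port of the given slot(s) is removed."""
        for slot in slot_numbers:
            self.slots.pop(int(slot), None)

    def permits_port(self, slot, port):
        # No ranges at all -> no port may be used, as the section notes.
        if slot not in self.slots:
            return False
        allowed = self.slots[slot]
        return allowed is None or port in allowed

    def vlan_range(self, spec):
        """'vlan-range 2-4 7-8': each token is a range or a single VLAN ID."""
        for token in spec.split():
            first, _, last = token.partition("-")
            first, last = int(first), int(last or first)
            if first > last:
                raise ValueError(f"bad VLAN range: {token}")
            self.vlan_ranges.append((first, last))

    def no_vlan_range(self, start):
        """'no vlan-range 7': remove the range whose first VLAN is 'start'."""
        kept = [r for r in self.vlan_ranges if r[0] != int(start)]
        if len(kept) == len(self.vlan_ranges):
            raise ValueError(f"no VLAN range starts at {start}")
        self.vlan_ranges = kept

    def vlans(self):
        return {v for first, last in self.vlan_ranges for v in range(first, last + 1)}

    def permits_vlan(self, vid):
        return any(first <= vid <= last for first, last in self.vlan_ranges)

    def permits_command(self, area, show_command):
        """Command-area check: read-only opens only the show commands of an area."""
        if area not in self.areas:
            return False
        return show_command or self.access == "read-write"


if __name__ == "__main__":
    p = EndUserProfile("Profile3", "read-write", ["physical"])
    p.port_list("2 3/1-4")
    p.vlan_range("2-4 7-8")
    print(p.permits_port(3, 4), p.permits_port(3, 5))   # True False
    p.no_vlan_range(7)
    print(sorted(p.vlans()))                            # [2, 3, 4]
```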


Associating a Profile With a User

To associate a profile with a user, enter the user command with the end-user profile keywords and the relevant profile name. For example:

-> user Customer2 end-user profile Profile3

Profile3 is now associated with Customer2. When Customer2 logs into the switch, Customer2 will have access to command areas, port ranges, and VLAN ranges specified by Profile3.

Note that user information stored on an external server may include a profile name. When the user attempts to log into the switch, the switch will attempt to match the profile name to a profile stored on the switch.

Removing a Profile From the Configuration

To delete a profile from the configuration, enter the no form of the end-user profile command with the name of the profile you want to delete. For example:

-> no end-user profile Profile3

Profile3 is deleted from the configuration.

Note. If the profile name is associated with a user, and the profile is deleted from the configuration, the user will not have access to the switch.


Verifying the User Configuration

To display information about user accounts configured locally in the user database, use the show commands listed here:

show user                      Displays information about all users or a particular user configured in the local user database on the switch.
show user password-size        Displays the minimum number of characters that are required for a user password.
show user password-expiration  Displays the expiration date for passwords configured for user accounts stored on the switch.
show user password-policy      Displays the global password settings configured for the switch.
show user lockout-setting      Displays the global user lockout settings configured for the switch.
show end-user profile          Displays information about end-user profiles.
show aaa priv hexa             Displays hexadecimal values for command domains/families.

For more information about the resulting displays from these commands, see the OmniSwitch CLI Reference Guide. An example of the output for the show user command is also given in “Quick Steps for Network Administrator User Accounts” on page 7-6.
