Cisco N5K-M1600 - Expansion Module - 6 Ports Troubleshooting Manual page 131

Chapter 6
Troubleshooting Security Issues
Send document comments to nexus5k-docfeedback@cisco.com.
Role's interface or VLAN policy does not appear to work correctly
When a user-defined role is assigned to a user account and the role's interface or VLAN policy is set to
deny access to a certain interface, the user account can still use show commands to display configuration,
status, setting, or statistics on the access-denied interface or VLAN.
Possible Cause
You are checking the interface or VLAN role policy with CLI commands, such as show interface brief
or show vlan.
Solution
RBAC does not support filtering when displaying commands. Interface or VLAN role policies only
apply to configuration or operational commands.
Possible Cause
You are not assigned to the role properly.
Solution
Check the user role assignment with the show user-account command. Verify the role definition with the show role name <name> command.
Assigning multiple roles to a single user does not seem to work correctly
When a user account is assigned to multiple roles, the user can access commands that are denied by one of the roles that it is assigned to. This gives the appearance that the command parser does not work with multiple roles.
Possible Cause
You might expect that multiple roles on the same user account are parsed sequentially.
Solution
The NX-OS design is to parse multiple roles in a union-to-permit function, in which each command is examined and compared to all the roles. If any of the roles permit the command, then the CLI allows the user to continue.
For example, if the role permits the interface eth1/1 command, then the CLI allows you to enter the interface eth1/1 configuration mode.
Each role applies its policies (that is, interface, VLAN, VSAN, and so on) separately. If a role has an interface policy that denies eth1/1 as in the example, then that role would reject the command, but other roles might have a different interface policy allowing the same interface.
Change to role configuration does not get applied
When a user account is assigned to a role and you are logged into the Nexus 5000 switch, any changes made to the role configuration do not get applied immediately.
Possible Cause
While a user account is logged in and has been assigned to role A, the administrator makes some changes to role A with the expectation that the change would immediately affect the user that is logged in. However, the user is not assigned to the role properly.
Cisco Nexus 5000 Series Troubleshooting Guide
OL-25300-01
Roles
6-3
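The following Python model is added here to illustrate the two behaviours the guide describes above: the union-to-permit evaluation of multiple roles, and the fact that interface policies apply to configuration and operational commands but not to show commands. It is not Cisco code and does not read switch configuration. The Rule and Role shapes, the allowed_interfaces field, the sample roles role-a and role-b, and the assumption that rules are checked in list order with the first match deciding are all constructed for this illustration; the real role definitions and assignments come from show role name <name> and show user-account on the switch.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set


# Assumed, simplified shapes for the illustration (not NX-OS data structures).
@dataclass
class Rule:
    action: str    # "permit" or "deny"
    pattern: str   # regular expression matched against the whole command line


@dataclass
class Role:
    name: str
    rules: List[Rule]                               # checked in list order; first match decides (assumption)
    allowed_interfaces: Optional[Set[str]] = None   # None = no interface policy; a set = only these interfaces


INTERFACE_RE = re.compile(r"\b(eth\d+/\d+)\b")


def role_permits(role: Role, command: str) -> bool:
    """Does this single role permit the command?

    The command rules are applied first, then the role's own interface policy.
    Show commands bypass the interface policy, matching the guide's note that
    RBAC does not filter display commands.
    """
    decision = "deny"                       # no matching rule means deny
    for rule in role.rules:
        if re.fullmatch(rule.pattern, command):
            decision = rule.action
            break
    if decision != "permit":
        return False
    if command.startswith("show "):
        return True                         # display commands are not filtered by interface policy
    if role.allowed_interfaces is not None:
        target = INTERFACE_RE.search(command)
        if target and target.group(1) not in role.allowed_interfaces:
            return False                    # this role's interface policy rejects the target
    return True


def permitting_roles(roles: List[Role], command: str) -> List[str]:
    """Names of the assigned roles that permit the command.

    When a supposedly denied command gets through, this shows which role is
    letting it through, which is the question the symptom above raises.
    """
    return [r.name for r in roles if role_permits(r, command)]


def user_may_run(roles: List[Role], command: str) -> bool:
    """Union-to-permit: the user may run the command if any assigned role permits it."""
    return bool(permitting_roles(roles, command))


# Constructed sample roles.
# role-a permits every command, but its interface policy only allows eth1/2.
ROLE_A = Role("role-a", [Rule("permit", r".*")], allowed_interfaces={"eth1/2"})
# role-b permits only interface and show commands and has no interface policy.
ROLE_B = Role("role-b", [Rule("permit", r"(interface|show) .*")])


if __name__ == "__main__":
    for assigned in ([ROLE_A], [ROLE_A, ROLE_B]):
        names = ", ".join(r.name for r in assigned)
        for cmd in ("interface eth1/1", "show interface eth1/1", "debug ip packet"):
            verdict = "permit" if user_may_run(assigned, cmd) else "deny"
            print(f"[{names}] {cmd!r}: {verdict} via {permitting_roles(assigned, cmd)}")
```

With role-a alone, interface eth1/1 is denied by the interface policy while show interface eth1/1 is still permitted; once role-b is also assigned, interface eth1/1 is permitted through role-b even though role-a still rejects it, which is the union behaviour described above.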
