Configuring User Accounts; Guidelines On Creating Users - Cisco MDS 9000 Series Configuration Manual

Configuring User Accounts
The system stores account information for every Cisco MDS 9000 Family switch user. Your
authentication information, user name, user password, password expiration date, and role membership are
stored in your user profile.
The tasks explained in this section enable you to create users and modify the profile of an existing user. These
tasks are restricted to privileged users as determined by your administrator.
This section includes the following topics:

Guidelines on Creating Users

The passphrase specified in the snmp-server user option and the password specified in the username option are
synchronized.
By default, the user account does not expire unless you explicitly configure it to expire. The expire option
determines the date on which the user account is disabled. The date is specified in the YYYY-MM-DD format.
When creating users, note the following guidelines:
• You can configure up to a maximum of 256 users on a switch.
• The following words are reserved and cannot be used to configure users: bin, daemon, adm, lp, sync,
  shutdown, halt, mail, news, uucp, operator, games, gopher, ftp, nobody, nscd, mailnull, rpc, rpcuser, xfs,
  gdm, mtsuser, ftpuser, man, and sys.
• User passwords are not displayed in the switch configuration file.
• The length of the password must be a minimum of eight characters for Cisco DCNM to discover a fabric.
  This restriction is applicable starting from Cisco DCNM Release 5.2(1).
• If a password is trivial (short, easy-to-decipher), your password configuration is rejected. Be sure to
  configure a strong password as shown in the sample configuration. Passwords are case-sensitive. "admin"
  is no longer the default password for any Cisco MDS 9000 Family switch. You must explicitly configure
  a strong password.
• Starting from Cisco MDS NX-OS Release 8.2(1), user accounts will have passwords encrypted with
  SHA-2 by default. Corresponding SNMP users that are created will continue to be encrypted with MD5.
  Existing user accounts encrypted with MD5 will remain as is unless the password is modified. This
  feature is supported only on Cisco MDS 9132T, Cisco MDS 9148S, MDS 9396S, MDS 9250i, and MDS
  9700 Series Switches.
• To issue commands with the internal keyword for troubleshooting purposes, you must have an account
  that is a member of the network-admin group.
Caution
Cisco MDS NX-OS supports user names that are created with alphanumeric characters or specific special
characters (+ [plus], = [equal], _ [underscore], - [hyphen], \ [backslash], and . [period]) whether created
remotely (using TACACS+ or RADIUS) or locally, provided that the user name starts with an alphanumeric
character. Local user names cannot be created with any special characters (apart from those specified). If a
nonsupported special character user name exists on an AAA server, and is entered during login, then the user
is denied access.
Cisco MDS 9000 Series Security Configuration Guide, Release 8.x
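
An added example, not part of the Cisco guide: a Python pre-check that applies the user-name, password-length, expiry-date and 256-user guidelines above to a batch of accounts before they are provisioned locally or on an AAA server. The function names, messages and sample accounts are constructed for illustration; treating "alphanumeric" as ASCII and flagging case variants of reserved words are assumptions.

```python
import re
from datetime import datetime

# Reserved words listed in the guidelines above.
RESERVED = frozenset(
    "bin daemon adm lp sync shutdown halt mail news uucp operator games gopher "
    "ftp nobody nscd mailnull rpc rpcuser xfs gdm mtsuser ftpuser man sys".split()
)
# First character alphanumeric; rest alphanumeric or + = _ - \ . (assumption: ASCII only).
NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9+=_\-\\.]*")
DATE_RE = re.compile(r"\d{4}-\d{2}-\d{2}")
MAX_USERS = 256
MIN_PASSWORD_LEN = 8  # minimum length needed for Cisco DCNM fabric discovery


def check_account(name, password=None, expire=None):
    """Return a list of guideline violations for one proposed account."""
    problems = []
    if not NAME_RE.fullmatch(name):
        problems.append("user name has an unsupported character or does not start alphanumeric")
    # Assumption: case variants of reserved words are flagged too (conservative).
    if name.lower() in RESERVED:
        problems.append("user name is a reserved word")
    if password is not None and len(password) < MIN_PASSWORD_LEN:
        problems.append("password shorter than eight characters")
    if expire is not None:
        try:
            if not DATE_RE.fullmatch(expire):
                raise ValueError(expire)
            datetime.strptime(expire, "%Y-%m-%d")  # rejects impossible dates
        except ValueError:
            problems.append("expire date is not a valid YYYY-MM-DD date")
    return problems


def check_batch(accounts):
    """Check (name, password, expire) tuples; return {name: problems} for failures."""
    report = {a[0]: p for a in accounts if (p := check_account(*a))}
    if len(accounts) > MAX_USERS:
        report["*"] = [f"{len(accounts)} accounts exceed the {MAX_USERS}-user limit"]
    return report


if __name__ == "__main__":
    # Constructed sample accounts, not taken from any real switch or AAA server.
    sample = [("ops.admin", "c0rrect-Horse7", "2031-12-31"), ("_svc", "x", None),
              ("j@doe", None, None), ("operator", "longenough1", "2031-2-30")]
    for user, problems in check_batch(sample).items():
        print(user, "->", "; ".join(problems))
```

The length check covers only the eight-character DCNM requirement; the switch's own rejection of trivial passwords is not modelled here.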
Common Roles