Role-Based Authorization - Cisco 9134 - MDS Multilayer Fabric Switch Troubleshooting Manual

Overview
Send documentation comments to mds-feedback-doc@cisco.com
If a password is trivial (short, easy-to-decipher), your password configuration is rejected. Passwords are case-sensitive. The default password for any Cisco MDS 9000 Family switch is no longer "admin". You must explicitly configure a strong password.

Note: Clear text passwords can only contain alphanumeric characters. Special characters such as the dollar sign ($) or the percent sign (%) are not allowed.

Tip: The following words are reserved and cannot be used to configure users: bin, daemon, adm, lp, sync, shutdown, halt, mail, news, uucp, operator, games, gopher, ftp, nobody, nscd, mailnull, rpc, rpcuser, xfs, gdm, mtsuser, ftpuser, man, and sys.

Caution: Cisco MDS SAN-OS does not support all-numeric user names, whether created with TACACS+ or RADIUS, or created locally. Local users with all-numeric names cannot be created. If an all-numeric user name exists on an AAA server and is entered during login, the user is not logged in.

Role-Based Authorization

Switches in the Cisco MDS 9000 Family perform authentication based on roles. Role-based authorization limits access to switch operations by assigning users to roles. This kind of authorization restricts users to management operations based on the roles to which they have been assigned. When you execute a command, perform command completion, or obtain context-sensitive help, the switch software allows the operation to proceed only if you have permission to access that switch operation.

Each role can be assigned to multiple users, and each user can be part of multiple roles. If a user has multiple roles, the user has access to the combined permissions of those roles. For example, if role1 users are only allowed access to configuration commands, and role2 users are only allowed access to debug commands, then if Joe belongs to both role1 and role2, he can access configuration as well as debug commands.

Note: If a user belongs to multiple roles, the user can execute the union of all the commands permitted by these roles. Access to a command takes priority over being denied access to a command. For example, suppose you belong to a TechDocs group and you were denied access to configuration commands. However, you also belong to the engineering group and have access to configuration commands. In this case, you will have access to configuration commands.

Tip: Any role, when created, does not allow user access to the required commands immediately. The administrator must configure appropriate rules for each role to allow user access to the required commands.
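As an added illustration (not Cisco code), a small Python model of the local-account rules and the role-union behaviour described above; the 8-character minimum, the command classes and the sample roles are assumptions, since the text only says that a "short" password is rejected.

```python
import re

# Reserved user names listed in the Tip above
RESERVED_NAMES = {
    "bin", "daemon", "adm", "lp", "sync", "shutdown", "halt", "mail", "news",
    "uucp", "operator", "games", "gopher", "ftp", "nobody", "nscd", "mailnull",
    "rpc", "rpcuser", "xfs", "gdm", "mtsuser", "ftpuser", "man", "sys",
}
# Assumption: the text only says "short" passwords are rejected; 8 is a stand-in
MIN_PASSWORD_LEN = 8


def check_user(name: str, password: str) -> list[str]:
    """Return the reasons a local user definition would be rejected (empty list = accepted)."""
    problems = []
    if name in RESERVED_NAMES:
        problems.append(f"user name {name!r} is reserved")
    if name.isdigit():
        problems.append("all-numeric user names are not supported")
    if len(password) < MIN_PASSWORD_LEN:
        problems.append("password is trivial (too short)")
    # Clear text passwords must be alphanumeric only; $ and % are rejected
    if not re.fullmatch(r"[A-Za-z0-9]+", password):
        problems.append("clear text password must contain only alphanumeric characters")
    return problems


def effective_access(user_roles, roles, command_class: str) -> bool:
    """Union semantics from the Note: a permit in any of the user's roles
    outweighs a deny in another; with no permit anywhere, access is refused
    (a freshly created role allows nothing until rules are added)."""
    return any(roles.get(r, {}).get(command_class) == "permit" for r in user_roles)


# Constructed sample roles mirroring the TechDocs/engineering example in the Note
ROLES = {
    "techdocs": {"config": "deny", "show": "permit"},
    "engineering": {"config": "permit", "debug": "permit"},
}

if __name__ == "__main__":
    print(check_user("rpcuser", "Abc$12"))       # reserved name, too short, contains '$'
    print(check_user("joe", "Zq7Lm3Vt"))          # [] -> accepted (constructed password)
    print(effective_access(["techdocs", "engineering"], ROLES, "config"))  # True
    print(effective_access(["techdocs"], ROLES, "config"))                 # False
```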
Cisco MDS 9000 Family Troubleshooting Guide, Release 3.x, page 18-2
Chapter 18: Troubleshooting Users and Roles (OL-9285-05)