02-28-2011 02:36 AM
Hello,
My issue is very simple. I work on N1Kv and I want to create a user who has the network-admin role. I've created a user named Test with the role network-admin, but when I'm connected to the Nexus with this account, I don't have access to many CLI commands, only show commands and 3 or 4 others... Is this normal?
Maybe I am missing part of the correct configuration?
Thank you all
Thibault
02-28-2011 07:09 AM
Hi Thibault,
To confirm the user you created has network-admin rights, can you check the output of the show user-account command?
Also, what version are you on, and what commands are available for this user?
./Abhinav
02-28-2011 07:18 AM
Hello Abbharga,
My new account is "tmolinier"; the account named "admin" was created during the Nexus installation:
N1Ks# show user-account
user:admin
        this user account has no expiry date
        roles:network-admin
user:adminreso
        this user account has no expiry date
        roles:network-admin network-operator
user:tmolinier
        this user account has no expiry date
        roles:network-admin
        ssh public key: ssh-rsa *********

N1Ks# show role
Role: network-admin
  Description: Predefined network admin role has access to all commands
  on the switch
  -------------------------------------------------------------------
  Rule    Perm    Type        Scope               Entity
  -------------------------------------------------------------------
  1       permit  read-write
Role: network-operator
  Description: Predefined network operator role has access to all read
  commands on the switch
  -------------------------------------------------------------------
  Rule    Perm    Type        Scope               Entity
  -------------------------------------------------------------------
  1       permit  read
When I'm connected with the account "tmolinier", I can go to global configuration mode, but without any commands available:
N1Ks(config)# ?
  no        Negate a command or set its defaults
  username  Configure user information.
  end       Go to exec mode
  exit      Exit from command interpreter
I work on version 4.2(1)SV1(4).
Thanks a lot
Thibault
03-01-2011 05:12 PM
Hi Thibault,
Are you using either TACACS or Radius for authentication/authorization by any chance? If so, please include the user's config on the server as well as the Nexus1000v config.
Can you also include the output for these commands? Please remove any sensitive information before posting the output.
show running-config aaa all
show running-config tacacs all
show running-config radius all
Thanks,
Van
03-02-2011 12:48 AM
Hello,
I think I've understood the problem, and it's probably a bug in this version (4.2(1)SV1(4)).
The problem appears only with users that have more than 8 letters. I've enabled some debug options (debug security user-db ...), so we can see that during the authentication exchange, the Nexus splits the user to the first 8 letters, and so the Nexus says "No user exist" but accepts the connection without any admin role.
My log, with two users, one with 8 letters and another with less than 8:
03-04-2011 08:05 PM
Hi Thibault,
We did some more testing and it's definitely a new bug in SV1(4), as you have pointed out.
We have filed a new bug "CSCtn75755 - Username with more than 8 characters logins but has limited CLI access" for this issue.
This will be fixed in the next maintenance release; at the moment I don't have an ETA on its release.
Thanks for your help,
Best Regards,
Rahul
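An added example, not part of any post in this thread: a Python audit over `show user-account` output that lists the accounts whose names are longer than 8 characters, the condition reported above for CSCtn75755. The sample output is constructed from the listing quoted in the thread; the function names and the `MAX_LEN` constant are this example's own assumptions.

```python
import re

# Constructed sample, modelled on the "show user-account" output quoted in the thread.
SAMPLE = """\
user:admin
        this user account has no expiry date
        roles:network-admin
user:adminreso
        this user account has no expiry date
        roles:network-admin network-operator
user:tmolinier
        this user account has no expiry date
        roles:network-admin
        ssh public key: ssh-rsa *********
"""

MAX_LEN = 8  # assumption: length threshold as reported in the thread for 4.2(1)SV1(4)


def parse_user_accounts(text):
    """Return {username: [roles]} parsed from 'show user-account' output."""
    accounts, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        match = re.match(r"user:(\S+)$", line)
        if match:
            current = match.group(1)
            accounts[current] = []
        elif line.startswith("roles:") and current is not None:
            accounts[current] = line[len("roles:"):].split()
    return accounts


def affected_accounts(accounts, max_len=MAX_LEN):
    """List accounts whose name exceeds max_len, together with the shortened
    name the poster's debug output showed being looked up instead."""
    findings = []
    for user, roles in sorted(accounts.items()):
        if len(user) > max_len:
            findings.append({"user": user,
                             "looked_up_as": user[:max_len],
                             "roles_not_applied": roles})
    return findings


if __name__ == "__main__":
    for finding in affected_accounts(parse_user_accounts(SAMPLE)):
        print(finding)
```

Accounts it lists are the ones to rename to 8 characters or fewer, or to re-test after the maintenance release that carries the fix.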