Nexus 1000v and User-account

Hello,

My issue is very simple. I work on N1Kv and I want to create a user who has the network-admin role. I've created a user named Test with the role network-admin, but when I'm connected to the Nexus with this account, I don't have access to many CLI commands, only show commands and 3 or 4 others... Is it normal?

Maybe I'm missing a part of the correct configuration?

Thank you all


Thibault


abbharga

Hi Thibault,

To confirm the user you created has network-admin rights can you check the output of the show user-account command?

Also, what version are you on and what are the commands available for this user?

./Abhinav

Hello Abbharga,

My new account is "tmolinier"; the account named "admin" was created during the Nexus installation:

N1Ks# show user-account
user:admin
        this user account has no expiry date
        roles:network-admin
user:adminreso
        this user account has no expiry date
        roles:network-admin network-operator
user:tmolinier
        this user account has no expiry date
        roles:network-admin
        ssh public key: ssh-rsa *********

N1Ks# show role

Role: network-admin
  Description: Predefined network admin role has access to all commands
  on the switch
  -------------------------------------------------------------------
  Rule    Perm    Type        Scope               Entity
  -------------------------------------------------------------------
  1       permit  read-write

Role: network-operator
  Description: Predefined network operator role has access to all read
  commands on the switch
  -------------------------------------------------------------------
  Rule    Perm    Type        Scope               Entity
  -------------------------------------------------------------------
  1       permit  read

When I'm connected with the account "tmolinier", I can go to global configuration mode but without any command available:

N1Ks(config)# ?
  no        Negate a command or set its defaults
  username  Configure user information.
  end       Go to exec mode
  exit      Exit from command interpreter

I work on version 4.2(1)SV1(4)

Thanks a lot


Thibault

Hi Thibault,

Are you using either TACACS or Radius for authentication/authorization by any chance?  If so, please include the user's config on the server as well as the Nexus1000v config.

Can you also include the output for these commands?  Please remove any sensitive information before posting the output.

show running-config aaa all

show running-config tacacs all

show running-config radius all

Thanks,

Van

Hello,

I think I've understood the problem and it's probably a bug on this version ( 4.2(1)SV1(4) ).

The problem appears only with users that have more than 8 letters. I've enabled some debug options ( debug security user-db ... ), so we can see that during the authentication exchange, the Nexus splits the user to the first 8 letters, and so the Nexus says "No user exist" but accepts the connection without any admin role.

My log, with two users, one with 8 letters and another with less than 8:

User "thibaultmolinier"
2011 Mar  1 17:17:38.927063 securityd: GET for user:thibault roles
2011 Mar  1 17:17:38.927799 securityd: status for the operation:user not present, desc user not present
2011 Mar  1 17:17:38.928066 securityd: usrdb_read_user: thibault
2011 Mar  1 17:17:38.928377 securityd: usrdb_read_user: User Exists No
2011 Mar  1 17:17:38.928644 securityd: no roles are configured for thibault
2011 Mar  1 17:18:00.611788 securityd: In security_user_roles_config:
User "fzana" :
2011 Mar  1 17:18:00.612058 securityd: GET for user:fzana roles
2011 Mar  1 17:18:00.612903 securityd: status for the operation:success, desc success
Regards
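
An added example, not part of the original posts and not Cisco code: a small check that correlates `show user-account` output with the securityd debug lines quoted above, to flag role lookups that failed because the name was cut to its first 8 characters. The sample input is constructed, modelled on the output formats in this thread, and the function names are assumptions.

```python
import re

TRUNCATE_AT = 8  # length at which the thread reports the name being cut
# Constructed sample input, modelled on the output formats quoted in this thread.
USER_ACCOUNTS = """\
user:thibaultmolinier
        roles:network-admin
user:fzana
        roles:network-admin
"""
SECURITYD_LOG = """\
2011 Mar  1 17:17:38.927063 securityd: GET for user:thibault roles
2011 Mar  1 17:17:38.927799 securityd: status for the operation:user not present, desc user not present
2011 Mar  1 17:18:00.612058 securityd: GET for user:fzana roles
2011 Mar  1 17:18:00.612903 securityd: status for the operation:success, desc success
"""

def parse_accounts(text):
    """Map each configured username to its roles (from 'show user-account')."""
    accounts, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("user:"):
            current = line[len("user:"):]
            accounts[current] = []
        elif line.startswith("roles:") and current:
            accounts[current] = line[len("roles:"):].split()
    return accounts

def failed_role_lookups(log):
    """Usernames whose role GET was answered with 'user not present'."""
    failed, pending = [], None
    for line in log.splitlines():
        m = re.search(r"securityd: GET for user:(\S+) roles", line)
        if m:
            pending = m.group(1)
        elif pending and "status for the operation:" in line:
            if "user not present" in line:
                failed.append(pending)
            pending = None
    return failed

def truncation_hits(accounts, log):
    """Failed lookups that are the truncated prefix of a longer configured name."""
    return [(short, full, roles)
            for short in failed_role_lookups(log)
            for full, roles in accounts.items()
            if len(full) > TRUNCATE_AT and full[:TRUNCATE_AT] == short]

print(truncation_hits(parse_accounts(USER_ACCOUNTS), SECURITYD_LOG))
```

Each hit is a tuple of the name securityd looked up, the configured account it was cut from, and the roles that account should have received.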

Hi Thibault,

We did some more testing and it's definitely a new bug in SV1(4) as you have pointed out,

We have filed a new bug "CSCtn75755 - Username with more than 8 characters logins but has limited CLI access" for this issue.

This will be fixed in the next maintenance release; at the moment I don't have an ETA on its release.

Thanks for your help,

Best Regards,
Rahul