
Cisco 9134 - MDS Multilayer Fabric Switch User Manual

Cisco 9134 - MDS Multilayer Fabric Switch
560 pages
Send documentation comments to mdsfeedback-doc@cisco.com
Cisco MDS 9000 Family Troubleshooting Guide, Release 3.x
OL-9285-05
Chapter 18 Troubleshooting Users and Roles
Overview
If2CoM18
2004AsdfLkj30
Cb1955S21
If a password is trivial (short, easy-to-decipher), your password configuration is rejected. Passwords are
case-sensitive. The default password for any Cisco MDS 9000 Family switch is no longer “admin”. You
must explicitly configure a strong password.
Note: Clear text passwords can only contain alphanumeric characters. Special characters such as the dollar sign
($) or the percent sign (%) are not allowed.
Tip: The following words are reserved and cannot be used to configure users: bin, daemon, adm, lp, sync,
shutdown, halt, mail, news, uucp, operator, games, gopher, ftp, nobody, nscd, mailnull, rpc, rpcuser, xfs,
gdm, mtsuser, ftpuser, man, and sys.
Caution: Cisco MDS SAN-OS does not support all-numeric user names, whether created with TACACS+ or
RADIUS, or created locally. Local users with all-numeric names cannot be created. If an all-numeric user
name exists on an AAA server and is entered during login, the user is not logged in.
Role-Based Authorization
Switches in the Cisco MDS 9000 Family perform authentication based on roles. Role-based
authorization limits access to switch operations by assigning users to roles. This kind of authentication
restricts users to management operations based on the roles to which they have been assigned.
When you execute a command, perform command completion, or obtain context-sensitive help, the
switch software allows the operation to progress if you have permission to access that switch operation.
Each role can be assigned to multiple users and each user can be part of multiple roles. If a user has
multiple roles, the user has access to a combination of roles. For example, if role1 users are only allowed
access to configuration commands, and role2 users are only allowed access to debug commands, then if
Joe belongs to both role1 and role2, he can access configuration as well as debug commands.
Note: If a user belongs to multiple roles, the user can execute a union of all the commands permitted by these
roles. Access to a command takes priority over being denied access to a command. For example, suppose
you belong to a TechDocs group and you were denied access to configuration commands. However, you
also belong to the engineering group and have access to configuration commands. In this case, you will
have access to configuration commands.
Tip: A newly created role does not immediately allow user access to the required commands. The
administrator must configure appropriate rules for each role to allow user access to the required
commands.
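
The multi-role rule in the Note above, modelled as an added example that is not part of the Cisco guide: it computes a user's effective access as the union of permits and lists the deny rules that another assigned role nullifies, which is what an access review needs to see. The role names, users and the per-category permit/deny model are assumptions made for illustration, not SAN-OS rule syntax.

```python
# Added illustration of the multi-role semantics described in the Note.
# Roles, users and the rule model are constructed for this example.

PERMIT, DENY = "permit", "deny"

# role -> {command category: decision}. A role with no rules grants nothing,
# matching the Tip that a new role allows no commands until rules are added.
ROLES = {
    "TechDocs":    {"config": DENY, "show": PERMIT},
    "engineering": {"config": PERMIT, "debug": PERMIT},
    "newrole":     {},
}

USERS = {
    "joe":   ["TechDocs", "engineering"],
    "alice": ["TechDocs"],
    "bob":   ["newrole"],
}


def effective_access(user, users=USERS, roles=ROLES):
    """Union semantics: a permit in any assigned role wins over a deny."""
    return {
        category
        for role in users.get(user, [])
        for category, decision in roles.get(role, {}).items()
        if decision == PERMIT
    }


def overridden_denies(user, users=USERS, roles=ROLES):
    """Return (category, denying_role, permitting_role) for each deny rule
    that has no effect for this user because another role permits it."""
    assigned = users.get(user, [])
    findings = []
    for deny_role in assigned:
        for category, decision in roles.get(deny_role, {}).items():
            if decision != DENY:
                continue
            for permit_role in assigned:
                if roles.get(permit_role, {}).get(category) == PERMIT:
                    findings.append((category, deny_role, permit_role))
    return findings
```

Running `overridden_denies` over every user before adding someone to a second role shows which existing deny rules that assignment would silently cancel.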
