user (management-policy)

Adds a new user account. Use this option to add a new user and define the role, access type, and allowed locations assigned to the user.

Management services like Telnet, SSHv2, HTTP, HTTPS and FTP require users (administrators) enter a valid username and password, which is authenticated locally or centrally on a RADIUS server. SNMPv3 also requires a valid username and password, which is authenticated by the SNMPv3 module. For CLI users, the controller or service platform also requires user role information to know what permissions to assign.
  • If local authentication is used, associated role information is defined on the controller or service platform when the user account is created.
  • If RADIUS is used, role information is supplied by RADIUS using vendor-specific return attributes. If no role information is supplied by RADIUS, the controller or service platform applies default read-only permissions.
Administrators can limit users to specific management interfaces. During authentication, the controller or service platform looks at the user‘s access assignment to determine if the user has permissions to access an interface:
  • If local authentication is used, role information is defined on the controller or service platform when the user account is created.
  • If RADIUS is used, role information is supplied by RADIUS using vendor-specific return attributes.

The controller or service platform authenticates users using the integrated local database. When user credentials are presented the controller or service platform validates the username and password against the local database and assigns permissions based on the associated roles assigned. The controller or service platform can also deny the authentication request if the user is attempting to access a management interface not specified in the account‘s access mode list.

Supported in the following platforms:

  • Access Points — AP505i, AP510i/e, AP560i/h
  • Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000

Syntax

user <USERNAME> password [0 <PASSWORD>|1 <SHA1-PASSWORD>|<PASSWORD>] role [device-provisioning-admin|helpdesk|monitor|network-admin|security-admin|superuser|
system-admin|vendor-admin|web-user-admin]
user <USERNAME> password [0 <PASSWORD>|1 <SHA1-PASSWORD>|<PASSWORD>] role [device-provisioning-admin|helpdesk|monitor|network-admin|security-admin|superuser|
system-admin|web-user-admin] access [all|console|ssh|telnet|web] ({allowed-locations <ALLOWED-LOCATIONS>})
user <USERNAME> password [0 <PASSWORD>|1 <SHA1-PASSWORD>|<PASSWORD>] role vendor-admin group <VENDOR-GROUP-NAME>

Parameters

user <USERNAME> password [0 <PASSWORD>|1 <SHA1-PASSWORD>|<PASSWORD>] role [device-provisioning-admin|helpdesk|monitor|network-admin|security-admin|
superuser|system-admin|web-user-admin] access [all|console|ssh|telnet|web] ({allowed-locations <ALLOWED-LOCATIONS>})

user <USERNAME>

Adds a new user account to this management policy
  • <USERNAME> – Sets the username. This is a mandatory field and cannot exceed 32 characters. Assign a name representative of the user and the intended role.
password [0 <PASSWORD>| 1 <SHA1-PASSWORD>| <PASSWORD>] Configures a password for this user
  • 0 <PASSWORD> – Sets a clear text password
  • 1 <SHA1-PASSWORD> – Sets the SHA1 hash of the password
    • <PASSWORD> – Sets the password

role

Configures the user role. The options are:
  • device-provisioning-admin – Device provisioning administrator. Has privileges to update (provision) device configuration files or firmware. Such updates run the risk of overwriting and losing a devices existing configuration unless the configuration is properly archived.
    Note:

    You can restrict a device-provisioning-admin user's access to devices within a specific location or locations, by configuring the allowed-locations parameter (description provided below in this table).

  • helpdesk – Helpdesk administrator. Performs troubleshooting tasks, such as run troubleshooting utilities (like a sniffer), view/retrieve logs, clear statistics, reboot, create and copy technical support dumps. The helpdesk administrator can also create a guest user account and password for registration. However, the helpdesk admin cannot execute controller or service platform reloads.
  • monitor – Monitor. Has read-only access to the system. Can view configuration and statistics except for secret information.
  • network-admin – Network administrator. Manages layer 2, layer 3, Wireless, RADIUS server, DHCP server, and Smart RF.
  • security-admin – Security administrator. Modifies WLAN keys and passphrases.
  • superuser – Superuser. Has full access, including halt and delete startup-config.
  • system-admin – System administrator. Upgrades image, boot partition, time, and manages admin access.
  • web-user-admin – Web user administrator. This role is used to create guest users and credentials. The Web user admin can access only the custom GUI screen and does not have access to the normal CLI and GUI.

access [all|console|ssh| telnet|web]

Configures the services this user can use for remote device access

  • all – Allows all access types: console, SSH, Telnet, and Web

  • console – Allows only console access

  • ssh – Allows only SSH access

  • telnet – Allows only Telnet access

  • web – Allows only Web access

allowed-locations <ALLOWED-LOCATIONS>

Optional. This keyword is recursive and optional. It associates an allowed-locations tag with this user. When associated, the user can only access the RF Domains/sites/tree-node paths associated with the specified 'allowed-locations' tag.

  • <ALLOWED-LOCATIONS> – Specify the allowed-locations tag (should be existing and configured).
Note:

The "allowed-locations" parameter is only applicable to the WiNGdevice-provisioning-admin role user. Please refer to the Examples: Restricting User Access to Devices in Specific Locations section of this topic for configuration details.

Note: Extreme NSight is a separate target, and NSight user accounts and access rights should be configured through the Extreme NSight UI.
Note:

For information on configuring the allowed-locations tag, see allowed-locations.

user <USERNAME> password [0 <PASSWORD>|1 <SHA1-PASSWORD>|<PASSWORD>] role vendor-admin group <VENDOR-GROUP-NAME>
user <USERNAME> Adds a new user account to this management policy
  • <USERNAME> – Sets the username. This is a mandatory field and cannot exceed 32 characters. Assign a name representative of the user and the intended role.
password [0 <PASSWORD>| 1 <SHA1-PASSWORD>| <PASSWORD>] Configures a password
  • 0 <PASSWORD> – Sets a clear text password 1 <SHA1-PASSWORD> – Sets the SHA1 hash of the password
  • <PASSWORD> – Sets the password
role vendor-admin Configures this user‘s role as vendor-admin. Once created, the vendor-admin can access the online device-registration portal to add devices to the RADIUS vendor group to which he/she belongs. Vendor-admins have only Web access to the device registration portal.

The WiNG software allows multiple vendors to securely on-board their devices through a single SSID. Each vendor has a ‘vendor-admin‘ user who is assigned a unique, username/password credential for RADIUS server validation. Successfully validated vendor-admins can on-board their devices, which are, on completion of the on-boarding process, immediately placed on the vendor-allowed VLAN.

If assigning the vendor-admin role, provide the vendor's group name for RADIUS authentication. The vendor's group takes precedence over the statically configured group for device registration.

Note: Use the service → show → wireless → credential-cache command to view on-boarded device‘s VLAN assignment. Ensure that the REST server is enabled, to allow vendor users access to the online device registration portal.
Note: By default the REST server is enabled. For more information, see rest-server.
group <VENDOR-GROUP-NAME> Associates this vendor-admin user with a vendor group, required for RADIUS authentication. The vendor group should be existing and configured in the RADIUS group policy. For more information on configuring RADIUS groups, see radius-group.
  • <VENDOR-GROUP-NAME> – Provide the vendor group name. In case of multiple allowed groups, provide a list of comma-separated group names.

Examples

rfs4000-6DB5D4(config-management-policy-test)#user TESTER password test123 role superuser access all
rfs4000-6DB5D4(config-management-policy-test)#show context
management-policy test
 telnet port 200
 no http server
 https server
 ftp username superuser password 1 f617ca50c59fb47028f96db4baab5f3d8f03c03ab257960b0fd127c69f02cd7e rootdir dir ssh port 162
 user TESTER password 1 b6b37c51405f4e93c67fe8af82d450c9fd6af69324cd56a55055cefe695b6a14 role superuser access all
 snmp-server community snmp1 ro
 snmp-server user snmpmanager v3 encrypted des auth md5 0 test@123
 snmp-server host 172.16.10.23 v3 162
 aaa-login radius external
 aaa-login radius policy test
 idle-session-timeout 0
 restrict-access host 172.16.10.2 log all
rfs4000-6DB5D4(config-management-policy-test)#
nx9500-6C8809(config-management-policy-OB)#user test password 0 test123 role vendor-admin group Apple,Sony,Samsung
nx9500-6C8809(config-management-policy-OB)#user Samsung password 0 samsung role vendor-admin group Samsung
nx9500-6C8809(config-management-policy-OB)#show context
management-policy OB
 telnet
 no http server
 https server
 rest-server
 ssh
 user admin password 1 d9849649218dcaa79109fbd47bbf1a24ecdf1edda220d21f76ce4c15a4e7e696 role superuser access all
 user test password 1 62fca173a1ffc0e9cc4eef782b1978a5e0c47f66bc57a32992f03e3e00fe0bc4 role vendor-admin group Apple,Sony,Samsung
 user Samsung password 1 39cb036b8e09c2ec625ebcda6e4001f4584263ed86fa69fc1f6b284113772eb0 role vendor-admin group Samsung
nx9500-6C8809(config-management-policy-OB)#

Examples: Restricting User Access to Devices in Specific Locations

The following set of configurations show how to use the 'allowed-locations' option to permit or deny device-provisioning-admin users access to devices within specific RF Domains/sites.

  1. Configure following RF Domains:
    1. RF Domain 'default' without tree-node.
      rf-domain default
       country-code us
    2. RF Domain 'California' with tree-node defined as 'Country > Region'.
      rf-domain California
       no country-code
       tree-node country us region CA
    3. RF Domain 'SanJose' with tree-node defined as 'Country > Region > City'.
      rf-domain SanJose
       no country-code
       tree-node country us region CA city SJ
    4. RF Domain 'SJCollege' with tree-node defined as 'Country > Region > City > Campus'.
      rf-domain SJCollege
       no country-code
       tree-node country us region CA city SJ campus SJCollege
  2. In the Management Policy context,
    1. Configure following allowed-location tags:
      management-policy AccessControl
       telnet
       no http server
       https server
       rest-server
       ssh
       user admin password 1 superuser role superuser access all
       allowed-location test1 locations US
       allowed-location test2 locations /US/CA/SJ/SJCollege
      Note

      Note

      In the above configuration, allowed-location test1 includes the entire location 'US'. Whereas, allowed-location test2 only contains the site 'SJCollege'. By assigning 'test1' or 'test2' to a user you can provide access across location 'US' or restrict access to the site 'SJCollege' respectively.
    2. Configure device-provisioning-admin users and associate the 'allowed-locations' tags (test1 & test2) with each user.
      • Create user 'dev-admin' with full access.
        management-policy AccessControl
         telnet
         no http server
         https server
         rest-server
         ssh
         user admin password 1 superuser role superuser access all
         user dev-admin password 1 test123 role device-provisioning-admin access all
        Note

        Note

        Since allowed-locations parameter has not been specified, this user will have access to all locations 'default', 'California', 'SanJose' and 'SJCollege'.
      • Create user 'dev-admin1' with allowed-location 'test1'.
        management-policy AccessControl
         telnet
         no http server
         https server
         rest-server
         ssh
         user admin password 1 superuser role superuser access all
         user dev-admin password 1 test123 role device-provisioning-admin access all
         user dev-admin1 password 1 test112233 role device-provisioning-admin access all allowed-locations test1
        Note

        Note

        Since the allowed-location assigned is 'test1', this user will have access to all RF Domains ('California', 'SanJose' and 'SJCollege') within location 'US'. However, the user will NOT be able to access RF Domain 'default'.
      • Configure user 'dev-admin2' with access to allowed-location 'test2'.
        management-policy AccessControl
         telnet
         no http server
         https server
         rest-server
         ssh
         user admin password 1 superuser role superuser access all
         user dev-admin password 1 test123 role device-provisioning-admin access all
         user dev-admin1 password 1 test112233 role device-provisioning-admin access all allowed-locations test1
         user dev-admin2 password 1 test556677 role device-provisioning-admin access all allowed-locations test2
        Note

        Note

        Since the allowed-location assigned is 'test2', this user's access will be restricted to the location 'SJCollege'.

The following example shows how to restrict a device-provisioning-admin user's access to devices in a specific RF Domain.

  1. Configure RF Domain without tree-node:
    rf-domain Global
     no country-code
  2. Configure 'allowed-locations' and 'device-provisioning-admin' user as shown in the following output:
    management-policy AccessControl
     telnet
     http server
     https server
     rest-server
     ssh
     allowed-location test1 locations US
     allowed-location test2 locations /US/CA/SJ/SJCollege
     allowed-location RFD locations Global
     user admin password 1 superuser role superuser access all
     user dev-admin password 1 test123 role device-provisioning-admin access all
     user dev-admin1 password 1 test112233 role device-provisioning-admin access all allowed-locations test1
     user dev-admin2 password 1 test556677 role device-provisioning-admin access all allowed-locations test2
     user dev-admin3 password 1 test8899 role device-provisioning-admin access all allowed-locations RFD

Related Commands

no

Removes a user account configuration