user (management-policy)

Adds a new user account. Use this option to add a new user and define the role, access type, and allowed locations assigned to the user.
Management services like Telnet, SSHv2, HTTP, HTTPS and FTP require users (administrators) to enter a valid username and password, which is authenticated locally or centrally on a RADIUS server. SNMPv3 also requires a valid username and password, which is authenticated by the SNMPv3 module. For CLI users, the controller or service platform also requires user role information to know what permissions to assign.
  • If local authentication is used, associated role information is defined on the controller or service platform when the user account is created.
  • If RADIUS is used, role information is supplied by RADIUS using vendor-specific return attributes. If no role information is supplied by RADIUS, the controller or service platform applies default read-only permissions.
Administrators can limit users to specific management interfaces. During authentication, the controller or service platform checks the user's access assignment to determine whether the user has permission to access an interface:
  • If local authentication is used, role information is defined on the controller or service platform when the user account is created.
  • If RADIUS is used, role information is supplied by RADIUS using vendor-specific return attributes.

The controller or service platform authenticates users using the integrated local database. When user credentials are presented, the controller or service platform validates the username and password against the local database and assigns permissions based on the roles associated with the account. The controller or service platform can also deny the authentication request if the user is attempting to access a management interface not specified in the account's access mode list.

Supported on the following devices:

Syntax

user <USERNAME> password [0 <PASSWORD>|1 <SHA1-PASSWORD>|<PASSWORD>] role [device-provisioning-admin|helpdesk|
rest-api-user|monitor|network-admin|security-admin|superuser|system-admin|vendor-admin|web-user-admin]
user <USERNAME> password [0 <PASSWORD>|1 <SHA1-PASSWORD>|<PASSWORD>] role [device-provisioning-admin|helpdesk|
rest-api-user|monitor|network-admin|security-admin|superuser|system-admin|web-user-admin] 
access [all|console|ssh|telnet|web] ({allowed-locations <ALLOWED-LOCATIONS>})
user <USERNAME> password [0 <PASSWORD>|1 <SHA1-PASSWORD>|<PASSWORD>] role vendor-admin group <VENDOR-GROUP-NAME>

Parameters

user <USERNAME> password [0 <PASSWORD>|1 <SHA1-PASSWORD>|<PASSWORD>] role [device-provisioning-admin|helpdesk|
rest-api-user|monitor|network-admin|security-admin|superuser|system-admin|web-user-admin] 
access [all|console|ssh|telnet|web] ({allowed-locations <ALLOWED-LOCATIONS>})
user <USERNAME> Adds a new user account to this management policy
  • <USERNAME> – Sets the username. This is a mandatory field and cannot exceed 32 characters. Assign a name representative of the user and the intended role.
password [0 <PASSWORD>| 1 <SHA1-PASSWORD>| <PASSWORD>] Configures a password for this user
  • 0 <PASSWORD> – Sets a clear text password
  • 1 <SHA1-PASSWORD> – Sets the SHA1 hash of the password
  • <PASSWORD> – Sets the password
role Configures the user role. The options are:
  • device-provisioning-admin – Assigns the Device provisioning administrator role to the new user. This role has privileges to update (provision) device configuration files or firmware. However, such updates run the risk of overwriting and loss of existing device configurations unless properly archived.
    Note: You can restrict a device-provisioning-admin user's access to devices within a specific location or locations, by configuring the allowed-locations parameter (description provided below in this table).
  • helpdesk – Assigns the Helpdesk Administrator role to the new user. This role performs troubleshooting tasks, such as run troubleshooting utilities (like a sniffer), view/retrieve logs, clear statistics, reboot, create and copy technical support dumps. The helpdesk administrator can also create a guest user account and password for registration. However, the helpdesk admin cannot execute controller or service platform reloads.
  • monitor – Assigns the System Monitor role to the new user. This role has read-only access to the system. The user can view configuration and statistics except for secret information.
  • network-admin – Assigns the Network Administrator role to the new user. This user manages layer 2, layer 3, Wireless, RADIUS server, DHCP server, and Smart RF.
  • rest-api-user – Assigns the REST API user role. This user role provides read-only permission for the user to use APIs to retrieve statistics, etc. The user will not have permission to change/write configurations.
  • security-admin – Assigns the Security Administrator role to the new user with permissions to modify WLAN keys and passphrases.
  • superuser – Assigns the Superuser role to the new user. This user role has full access, including halt and delete startup-config permissions.
  • system-admin – Assigns the System Administrator role to the new user. This user can upgrade images, boot partition, set system time, and manage admin access.
  • web-user-admin – Assigns the Web User Administrator role to the new user. This role allows the user to create guest users and credentials. The Web user admin can access only the custom GUI screen and does not have access to the normal CLI and GUI.
Note: Please see succeeding table for 'vendor-admin' role details.
access [all|console|ssh| telnet|web] Configures the services this user can use for remote device access
  • all – Allows all access types: console, SSH, Telnet, and Web
  • console – Allows only console access
  • ssh – Allows only SSH access
  • telnet – Allows only Telnet access
  • web – Allows only Web access
allowed-locations <ALLOWED-LOCATIONS> Optional. This keyword is recursive. It associates an allowed-locations tag with this user. When associated, the user can only access the RF Domains/sites/tree-node paths associated with the specified 'allowed-locations' tag.
  • <ALLOWED-LOCATIONS> – Specify the allowed-locations tag (should be existing and configured).
Note: The "allowed-locations" parameter is only applicable to the WiNG device-provisioning-admin role user. Please refer to the Examples: Restricting User Access to Devices in Specific Locations section of this topic for configuration details.

Note: For information on configuring the allowed-locations tag, see allowed-locations.
user <USERNAME> password [0 <PASSWORD>|1 <SHA1-PASSWORD>|<PASSWORD>] role vendor-admin group <VENDOR-GROUP-NAME>
user <USERNAME> Adds a new user account to this management policy
  • <USERNAME> – Sets the username. This is a mandatory field and cannot exceed 32 characters. Assign a name representative of the user and the intended role.
password [0 <PASSWORD>| 1 <SHA1-PASSWORD>| <PASSWORD>] Configures a password
  • 0 <PASSWORD> – Sets a clear text password
  • 1 <SHA1-PASSWORD> – Sets the SHA1 hash of the password
  • <PASSWORD> – Sets the password
role vendor-admin Configures this user's role as vendor-admin. Once created, the vendor-admin can access the online device-registration portal to add devices to the RADIUS vendor group to which he/she belongs. Vendor-admins have only Web access to the device registration portal.

The WiNG software allows multiple vendors to securely on-board their devices through a single SSID. Each vendor has a 'vendor-admin' user who is assigned a unique username/password credential for RADIUS server validation. Successfully validated vendor-admins can on-board their devices, which are, on completion of the on-boarding process, immediately placed on the vendor-allowed VLAN.

If assigning the vendor-admin role, provide the vendor's group name for RADIUS authentication. The vendor's group takes precedence over the statically configured group for device registration.

Note: Use the service > show > wireless > credential-cache command to view an on-boarded device's VLAN assignment. Ensure that the REST server is enabled to allow vendor users access to the online device registration portal.
Note: By default the REST server is enabled. For more information, see rest-server.
group <VENDOR-GROUP-NAME> Associates this vendor-admin user with a vendor group, required for RADIUS authentication. The vendor group should be existing and configured in the RADIUS group policy. For more information on configuring RADIUS groups, see radius-group.
  • <VENDOR-GROUP-NAME> – Provide the vendor group name. In case of multiple allowed groups, provide a list of comma-separated group names.

Examples

nx9500-6C8809(config-management-policy-test)#user TESTER password test123 role superuser access all
nx9500-6C8809(config-management-policy-test)#show context
management-policy test
 telnet port 200
 no http server
 https server
 ftp username superuser password 1 f617ca50c59fb47028f96db4baab5f3d8f03c03ab257960b0fd127c69f02cd7e rootdir dir
 ssh port 162
 user TESTER password 1 b6b37c51405f4e93c67fe8af82d450c9fd6af69324cd56a55055cefe695b6a14 role superuser access all
 snmp-server community snmp1 ro
 snmp-server user snmpmanager v3 encrypted des auth md5 0 test@123
 snmp-server host 172.16.10.23 v3 162
 aaa-login radius external
 aaa-login radius policy test
 idle-session-timeout 0
 restrict-access host 172.16.10.2 log all
nx9500-6C8809(config-management-policy-test)#
nx9500-6C8809(config-management-policy-OB)#user test password 0 test123 role vendor-admin group Apple,Sony,Samsung
nx9500-6C8809(config-management-policy-OB)#user Samsung password 0 samsung role vendor-admin group Samsung
nx9500-6C8809(config-management-policy-OB)#show context
management-policy OB
 telnet
 no http server
 https server
 rest-server
 ssh
 user admin password 1 d9849649218dcaa79109fbd47bbf1a24ecdf1edda220d21f76ce4c15a4e7e696 role superuser access all
 user test password 1 62fca173a1ffc0e9cc4eef782b1978a5e0c47f66bc57a32992f03e3e00fe0bc4 role vendor-admin group Apple,Sony,Samsung
 user Samsung password 1 39cb036b8e09c2ec625ebcda6e4001f4584263ed86fa69fc1f6b284113772eb0 role vendor-admin group Samsung
nx9500-6C8809(config-management-policy-OB)#
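
The user, password, role and access settings shown in the listings above can be reviewed mechanically. The following Python sketch is an added example, not part of the WiNG documentation: it parses management-policy text and flags the Telnet service, the HTTP server, type 0 (clear text) passwords, users whose access list admits Telnet, and device-provisioning-admin users with no allowed-locations tag. The sample policy, its usernames and the <HASH> placeholders are constructed.

```python
import re

# Constructed sample in the shape of the 'show context' output on this page;
# the policy name, usernames and <HASH> placeholders are not real values.
SAMPLE = """\
management-policy demo
 telnet
 no http server
 https server
 ssh
 user admin password 1 <HASH> role superuser access all
 user ops password 0 changeme role helpdesk access ssh
 user prov password 1 <HASH> role device-provisioning-admin access all
 user prov-sj password 1 <HASH> role device-provisioning-admin access ssh allowed-locations test2
"""

# Follows the syntax forms listed on this page (access/allowed-locations/group optional).
USER_RE = re.compile(
    r"^user (?P<name>\S+) password (?:(?P<ptype>[01]) )?(?P<secret>\S+)"
    r" role (?P<role>\S+)(?: access (?P<access>\S+))?"
    r"(?: allowed-locations (?P<loc>\S+))?(?: group (?P<group>\S+))?$")

def audit(config):
    """Return (subject, finding) pairs for one management-policy block."""
    lines = [ln.strip() for ln in config.splitlines()]
    findings = []
    # 'telnet' or 'telnet port N' enables the service; 'no telnet' does not match.
    telnet_on = any(ln == "telnet" or ln.startswith("telnet ") for ln in lines)
    if telnet_on:
        findings.append(("policy", "telnet service enabled"))
    if "http server" in lines:          # exact line, so 'no http server' is ignored
        findings.append(("policy", "http server enabled"))
    for ln in lines:
        m = USER_RE.match(ln)
        if not m:
            continue
        name = m["name"]
        if m["ptype"] == "0":
            findings.append((name, "clear-text password (type 0) in config"))
        if telnet_on and m["access"] in ("all", "telnet"):
            findings.append((name, "may log in over telnet"))
        if m["role"] == "device-provisioning-admin" and not m["loc"]:
            findings.append((name, "no allowed-locations: all locations"))
    return findings

if __name__ == "__main__":
    for subject, finding in audit(SAMPLE):
        print(f"{subject}: {finding}")
```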

Examples: Restricting User Access to Devices in Specific Locations

The following set of configurations shows how to use the 'allowed-locations' option to permit or deny device-provisioning-admin users access to devices within specific RF Domains/sites.

  1. Configure the following RF Domains:
    1. RF Domain 'default' without tree-node.
      rf-domain default
       country-code us
    2. RF Domain 'California' with tree-node defined as 'Country > Region'.
      rf-domain California
       no country-code
       tree-node country us region CA
    3. RF Domain 'SanJose' with tree-node defined as 'Country > Region > City'.
      rf-domain SanJose
       no country-code
       tree-node country us region CA city SJ
    4. RF Domain 'SJCollege' with tree-node defined as 'Country > Region > City > Campus'.
      rf-domain SJCollege
       no country-code
       tree-node country us region CA city SJ campus SJCollege
  2. In the Management Policy context,
    1. Configure the following allowed-location tags:
      management-policy AccessControl
       telnet
       no http server
       https server
       rest-server
       ssh
       user admin password 1 superuser role superuser access all
       allowed-location test1 locations US
       allowed-location test2 locations /US/CA/SJ/SJCollege
      Note: In the above configuration, allowed-location test1 includes the entire location 'US', whereas allowed-location test2 contains only the site 'SJCollege'. By assigning 'test1' or 'test2' to a user, you can provide access across location 'US' or restrict access to the site 'SJCollege', respectively.
    2. Configure device-provisioning-admin users and associate the 'allowed-locations' tags (test1 & test2) with each user.
      • Create user 'dev-admin' with full access.
        management-policy AccessControl
         telnet
         no http server
         https server
         rest-server
         ssh
         user admin password 1 superuser role superuser access all
         user dev-admin password 1 test123 role device-provisioning-admin access all
        Note: Since the allowed-locations parameter has not been specified, this user will have access to all locations: 'default', 'California', 'SanJose' and 'SJCollege'.
      • Create user 'dev-admin1' with allowed-location 'test1'.
        management-policy AccessControl
         telnet
         no http server
         https server
         rest-server
         ssh
         user admin password 1 superuser role superuser access all
         user dev-admin password 1 test123 role device-provisioning-admin access all
         user dev-admin1 password 1 test112233 role device-provisioning-admin access all allowed-locations test1
        Note: Since the allowed-location assigned is 'test1', this user will have access to all RF Domains ('California', 'SanJose' and 'SJCollege') within location 'US'. However, the user will NOT be able to access RF Domain 'default'.
      • Configure user 'dev-admin2' with access to allowed-location 'test2'.
        management-policy AccessControl
         telnet
         no http server
         https server
         rest-server
         ssh
         user admin password 1 superuser role superuser access all
         user dev-admin password 1 test123 role device-provisioning-admin access all
         user dev-admin1 password 1 test112233 role device-provisioning-admin access all allowed-locations test1
         user dev-admin2 password 1 test556677 role device-provisioning-admin access all allowed-locations test2
        Note: Since the allowed-location assigned is 'test2', this user's access will be restricted to the location 'SJCollege'.

The following example shows how to restrict a device-provisioning-admin user's access to devices in a specific RF Domain.

  1. Configure RF Domain without tree-node:
    rf-domain Global
     no country-code
  2. Configure 'allowed-locations' and 'device-provisioning-admin' user as shown in the following output:
    management-policy AccessControl
     telnet
     http server
     https server
     rest-server
     ssh
     allowed-location test1 locations US
     allowed-location test2 locations /US/CA/SJ/SJCollege
     allowed-location RFD locations Global
     user admin password 1 superuser role superuser access all
     user dev-admin password 1 test123 role device-provisioning-admin access all
     user dev-admin1 password 1 test112233 role device-provisioning-admin access all allowed-locations test1
     user dev-admin2 password 1 test556677 role device-provisioning-admin access all allowed-locations test2
     user dev-admin3 password 1 test8899 role device-provisioning-admin access all allowed-locations RFD
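
The outcomes stated in the notes above can be reproduced with a small model, which is useful for checking which RF Domains a tag exposes before assigning it to a device-provisioning-admin user. This Python sketch is an added example, not WiNG code: its matching rule (a location is a case-insensitive prefix of the tree-node path, or an RF Domain name) is an assumption inferred from those notes, and the data is copied from this page's configurations.

```python
# Model of the allowed-locations behaviour stated in this page's notes.
# ASSUMPTION (not WiNG source): a location entry grants an RF Domain when it is
# a case-insensitive prefix of the domain's tree-node path, or when it equals
# the domain's name. Function and variable names here are hypothetical.

RF_DOMAINS = {                       # RF Domain name -> tree-node components
    "default":    [],                # no tree-node configured
    "California": ["us", "CA"],
    "SanJose":    ["us", "CA", "SJ"],
    "SJCollege":  ["us", "CA", "SJ", "SJCollege"],
    "Global":     [],                # no tree-node configured
}
ALLOWED_LOCATION = {                 # tag -> configured 'locations' value
    "test1": "US",
    "test2": "/US/CA/SJ/SJCollege",
    "RFD":   "Global",
}

def parts(location):
    """Split 'US' or '/US/CA/SJ' into lower-cased path components."""
    return [p.lower() for p in location.split("/") if p]

def reachable(tag, domains=RF_DOMAINS, tags=ALLOWED_LOCATION):
    """RF Domains a device-provisioning-admin with this tag can access.
    tag=None models a user created without allowed-locations."""
    if tag is None:
        return sorted(domains)
    if tag not in tags:
        # The page requires the tag to be existing and configured.
        raise KeyError(f"allowed-location tag {tag!r} is not configured")
    want = parts(tags[tag])
    hits = []
    for name, node in domains.items():
        path = [p.lower() for p in node]
        by_tree = bool(path) and path[:len(want)] == want
        by_name = len(want) == 1 and want[0] == name.lower()
        if by_tree or by_name:
            hits.append(name)
    return sorted(hits)

if __name__ == "__main__":
    for user, tag in [("dev-admin", None), ("dev-admin1", "test1"),
                      ("dev-admin2", "test2"), ("dev-admin3", "RFD")]:
        print(user, "->", reachable(tag))
```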

Related Commands

no Removes a user account configuration