Applies To:

Show Versions Show Versions

Manual Chapter: Administrative Users
Manual Chapter
Table of Contents   |   << Previous Chapter   |   Next Chapter >>

An administrative group defines the access privileges for a list of administrative users. Use the group command to add a new group to the ARX, or to edit an existing group. You can also use this command to re-create or edit a Windows group, so that you can assign administrative privileges to the groups Windows users.
Use the no form of this command to remove a group.
group name
name (1-64 characters) is a name that you choose for the group. Surround this with quotation marks () if it contains any spaces.
This command puts you into gbl-group mode. From gbl-group mode, you can use the role command to select a role for all the groups users. Each role is associated with a set of CLI commands; you can use the role command multiple times to assign multiple roles to a group. You must set at least one role for the group to function. Default groups (such as network-engineer) already have their roles configured.
For a group of Windows administrators, defined externally in your Active Directory, you can choose a group name that is the same as an existing Windows group. For example, you could create a group named Domain Admins. Then use the windows-domain (gbl-group) command to specify one or more domains where the group is allowed access; Domain Admins in medarch.org may be allowed to access the CLI, but Domain Admins in competitor.com may not. Finally, use the authentication command to allow Active-Directory authentications at the CLI and/or GUI. Windows users in the group/domain can then log into the CLI or GUI with their Windows username and password, and they get the access privileges assigned by the role command. This type of group does not require any users; all users are established externally, on your Windows Domain Controllers.
For a locally-defined group of administrators, use the user (gbl-group) command to add each administrator to the group.
Use the show group all command for a list of existing groups.
bstnA(gbl)# group superusers
bstnA(gbl)# group "Domain Users"
Use the group command to add the current user to an additional group. Use no group to remove the current user from a group.
group name
name (1-64 characters) is a name of an existing group.
A user can belong to multiple groups, where each group is associated with a role. The groups role determines the access privileges for its users. Every command in this manual is labeled with the role or roles that are permitted to use the command. See Security Role(s), above, as an example: this command can only be used by users who belong to groups with the crypto-officer role.
The ARX is shipped with several pre-defined groups. Use the show group all command to show all groups, and use show group roles to show the role associated with each group. You can add new groups with the group command.
bstnA(gbl-user[newuser])# group storage-engineer
bstnA(gbl-user[newuser])# no group testgroup2
An administrator with the crypto-officer role can use the password (gbl-user) command to change the password for any user account.
bstnA# password
New Password: myNewPa$$wd
Use the password command to change the password for an administrative-user account.
Use the show users command to show all administrative users.
Password: n3wcrypt1cPa$$wd
Validate Password: n3wcrypt1cPa$$wd
A groups role determines the accessible CLI commands for its administrative users. Each group can have multiple roles. Use the role command to set a role for the current group.
Use the no role command to remove a role from the group.
operator is a clerical administrator,
backup-operator runs backup and restore operations on volumes (see restore data),
network-technician configures layer-2 and IP networks under the guidance of a network-engineer,
network-engineer designs network topologies,
storage-engineer designs and configures network storage, and
crypto-officer keeps passwords and manages network security.
Each CLI command has one or more Security Roles that are listed in this manual. If an administrators group has one of the roles that can access a command, the administrator can use the command. For example, an administrator with the network-technician role can see a command that is assigned to network-engineer and network-technician, but cannot see a command that allows only storage-engineers.
bstnA(gbl-group[superusers])# no role network-technician
Use the ssh-key command to paste a public SSH key into the current administrative account.
Use the no ssh-key command to remove one or more SSH keys from the current account.
dsa | rsa | rsa1 is a required choice, which selects the encryption type and SSH version for the key:
dsa is DSA over SSHv2,
rsa is RSA over SSHv2, and
rsa1 is RSA over SSHv1. By default, SSHv1 is not supported, use ssh-v1 enable to enable SSHv1 support.
public-key (optional, 1-2500 characters) is a public SSH key, pasted from the client. Use quotation marks around this string, as it invariably contains spaces. Take care that the copy/paste operation does not add any <Return> or <Line-Feed> characters to break up the string. If you omit the public-key, the CLI prompts for it on the next line.
key-id (1-2,147,483,647) identifies the SSH key by an ID number assigned at the switch. Use show ssh-user to see all key IDs for all SSH keys.
fingerprint (1-50) identifies the SSH key by its fingerprint. Use show ssh-user to see all fingerprints.
dsa | rsa | rsa1 identifies the type of key to remove. This removes all SSH keys of the given type from the current administrative account.
all removes all SSH keys from the current administrative account.
When administrators access the CLI through SSH, they are typically challenged for the account password. The SSH protocol supports public-key authentication, which skips this challenge. When an administrator accesses SSH on the switch, the switchs SSH server attempts to use the administrators public-key first. If the public key is configured properly for this administrator, he or she never sees a password challenge.
The show ssh-user command shows all administrative accounts with SSH public keys.
bstnA(gbl-user[su])# ssh-key dsa ssh-dss AAAAB3NzaC1kc3MAAACBAPqSVxs6Soxs5D9G7Ul8dQrf7Eo7vNdTawaH0K7DsyV2ND0RqxttRtNpw/fdIcm5cHOrYW4OYL6HJesMeJPguAzY8hbTkwsz+uRJLFnmRTy236DXDFiTc38Er6UQCoa1On9VrKWhoEGNe1YCn+cIsb3S+s44QPOx9GPFSVN1hqdVAAAAFQC8x+2VKzUH16xrAMKuvVh50c53lwAAAIEAvOgRX8Ek2e/uCCJXlme0n7EsL3+yTEsOP7C9Bsl05KoCAgCSYP8G/1rc372Vy0xF3PGL9QsI/bj+48SEAuJJTpJR1eB9MLpwmraVa/IsX16Xhr34eLDwH3NwtlwqRH9fhkjnWwhEoLRC7Bf/g493HoXPD2dNjbKvqiMgq+s7CBEAAACAcAF+a+S/0OUNfpuv6QPV+SX9WoaazJthtUiP8pI4yl6sVAhp3Op5LxWT58Xl4ed+F0vUR2cfdjAF23YGYRwK2c2h4FjnoBjLuoodhXJ+xAC/DPb4EvwEcBtqlPnpWzsPlAFX/I1pPA4fUyUOOifCrP12etsoZ9mnxawLRAAEa+A= juser@clientLinux
Enter user's public key: ssh-dss AAAAB3NzaC1kc3MAAACBAPqSVxs6Soxs5D9G7Ul8dQrf7Eo7vNdTawaH0K7DsyV2ND0RqxttRtNpw/fdIcm5cHOrYW4OYL6HJesMeJPguAzY8hbTkwsz+uRJLFnmRTy236DXDFiTc38Er6UQCoa1On9VrKWhoEGNe1YCn+cIsb3S+s44QPOx9GPFSVN1hqdVAAAAFQC8x+2VKzUH16xrAMKuvVh50c53lwAAAIEAvOgRX8Ek2e/uCCJXlme0n7EsL3+yTEsOP7C9Bsl05KoCAgCSYP8G/1rc372Vy0xF3PGL9QsI/bj+48SEAuJJTpJR1eB9MLpwmraVa/IsX16Xhr34eLDwH3NwtlwqRH9fhkjnWwhEoLRC7Bf/g493HoXPD2dNjbKvqiMgq+s7CBEAAACAcAF+a+S/0OUNfpuv6QPV+SX9WoaazJthtUiP8pI4yl6sVAhp3Op5LxWT58Xl4ed+F0vUR2cfdjAF23YGYRwK2c2h4FjnoBjLuoodhXJ+xAC/DPb4EvwEcBtqlPnpWzsPlAFX/I1pPA4fUyUOOifCrP12etsoZ9mnxawLRAAEa+A= juser@clientLinux
bstnA(gbl-user[su])# no ssh-key rsa
Use the show group all command to display all administrative groups configured for the ARX.
This shows all administrative groups. Use the show group users command to find the locally-defined administrative users in each group.
Use the show group roles command to find the administrative role assigned to each group. This shows the access privileges for the groups users.
Each group has a role which defines CLI-access privileges for the groups users. Use the show group roles command to show all administrative groups and their roles.
Use the group command to configure a new group.
Use the role command to set a groups role.
Use the show group users command to find the administrative users in each locally-defined group.
Use the show group users command to cross-reference the switchs administrative groups and their locally-defined users.
Use the user command to configure a new administrative user.
Use the group command to create (or edit) a group. Use the user (gbl-group) command to add a user to the group.
Use the show group roles command to find the administrative role assigned to each group.
Use the show ssh-user command to show the SSH public keys entered for administrative users, if any.
show ssh-user [account-name]
account-name (optional, 1-32 characters) identifies a particular administrative account to show. If you omit this, the SSH keys are shown for all administrative accounts.
User is the name of the administrative-user account, set with the user command.
KeyId is an internally-assigned ID for this public key. You can use this with no ssh-key id to remove the SSH key from the account.
Type is dsa (DSA encryption over SSHv2), rsa (RSA encryption over SSHv2), or rsa1 (RSA encryption over SSHv1).
Fingerprint is used by SSH as a shorter equivalent to the public key. This is a unique identifier for a particular user at a particular host. You can use this with no ssh-key fingerprint to remove the SSH key from the account.
bstnA# show ssh-user
bstnA# show ssh-user admin
bstnA# show ssh-user
bstnA# show ssh-user admin
Use the show users command to display all administrative users that have been locally configured for the ARX.
Configured Users is a list of all local administrative users. Use the user command to configure a new local user. This does not show any users defined externally in the Windows Active Directory.
Current User shows login name used for the current administrative session. The first set of rows under the user name is the group(s) to which the current user belongs. Each of these rows is labeled group. If you logged in through Active Directory, using your Windows credentials, there is another set of rows labeled role: these are the administrative roles, or privileges, assigned to you.
Use the show group all command to show all administrative groups.
bstnA(gbl)# show users
Use the user command to add a new, local administrative user to the ARX.
Use the no form of this command to remove a user account.
user username
no user username
username (1-32 characters) is a username that you choose.
This puts you into gbl-user mode, which has commands for editing the user account. Use the password command to change the password for the account. For administrators that use SSH to access this account, you can use the ssh-key command to add their public key to the account; if they log in from a management station with the same public key, they do not have to enter the account password.
A users group determines its CLI-access privileges. A new users default group, operator, has minimal access privileges. Each user can belong to multiple groups, thereby expanding his access privileges. After you create the user account with this command, you can use the group (gbl-user) command to add this user to another group.
Use the show users command to show all administrative users.
bstnA(gbl)# user newuser
Password: crypt1cPa$$wd
Validate Password: crypt1cPa$$wd
Use the gbl-group user command to add a local administrative user to the current group.
Use no user to remove a local user from the current group.
user username
no user username
username (1-64 characters) identifies an administrative user account on this ARX. Use show group users for a list of all available user accounts.
This command adds a user to the current group. The no form of the command removes a user, thus revoking the group privileges for that user. These administrative users are locally defined on the ARX.
This command is unnecessary for a Windows group that is defined in your Active Directory (AD). For a group defined in the AD, you can use the windows-domain (gbl-group) command to specify the domain(s) where the groups users can gain access to the ARX. Any valid Windows user in the group and domain can use their Windows username and password to gain access. The users are defined externally, on your Windows Domain Controllers.
Use the no form of the command to remove a Windows domain from the group configuration. This prevents the Windows users from the given domain/group from logging in with their Windows credentials.
windows-domain domain-name
domain-name (1-256 characters) is the name of the Windows domain for this Windows group. This must be a Fully-Qualified-Domain Name (FQDN) so Windows users can log in with it. This makes it possible for Windows users to authenticate with Kerberos.
all (optional with the no form) removes all of the Windows domains that have been associated with this group.
The role command establishes the administrative permissions for members of this group. To see the current roles for the group, use show group roles.
bstnA(gbl-group[Domain Users])# windows-domain medarch.org
Table of Contents   |   << Previous Chapter   |   Next Chapter >>

Was this resource helpful in solving your issue?




NOTE: Please do not provide personal information.



Incorrect answer. Please try again: Please enter the words to the right: Please enter the numbers you hear:

Additional Comments (optional)