Configuring User Accounts and Setting Credentials



NetVisor OS provides a pre-created user account called network-admin with all access privileges set. However, other user accounts can be created by specifying only the required privileges. For these users, usernames and passwords can be managed locally on each network node, or globally on all nodes of the fabric.


For local authentication, the user attributes are defined and stored locally on each switch. In the case of fabric-wide authentication, the attributes are stored on every switch of the fabric. For example, the network-admin user (which is the default user) created by NetVisor OS is a fabric-scoped user and the attributes are stored on all switches in the fabric.


You can create new roles and new users with specified roles on a local switch or on all nodes of a fabric.


To create a new user and apply a new role on a local switch, use the command:


CLI (network-admin@switch) > user-create name name-string scope local


name name-string

Enter a name for the new user that you are configuring.

scope local|fabric

Specify if the scope is local or fabric. 

Specify any of the following options:


initial-role role name

Specify the initial role for the new user.

login-fail-count login-fail-count-number

This option lets you set a per-user limit on authentication failures. When the user exceeds the configured number of authentication failures, NetVisor OS automatically locks the user account.

The default value for this option is zero (0), which means the account does not get locked out.


This parameter was added in NetVisor OS version 6.1.1.


lock-account|no-lock-account

The lock-account option manually locks a user account (for example, one suspected of misusing its system privileges). Only the network-admin account can do this. Being the super-user for NetVisor OS, the network-admin account itself cannot be locked out. Likewise, a locked user account can be unlocked only by network-admin, using the no-lock-account option of the command.


This parameter was added in NetVisor OS version 6.1.1.


minimum-pw-length 6..65

Specify a minimum password length for user accounts. The password length should be in the range of 6-65 characters. The default value is 6 characters.

An error is displayed if a password shorter than the configured minimum-pw-length is entered.


This parameter was added in NetVisor OS version 6.1.0 for Common Criteria compliance.



Note: The effectiveness of a selected login-fail-count value depends on the SSH client and server configuration. For example, if the SSH client has NumberOfPasswordPrompts set to N and the SSH server has MaxAuthTries set to N+1, then a login-fail-count of N locks the user account once N failed attempts with non-empty passwords have been made.


Note: If the default value of zero (0) is configured for login-fail-count, the user account is not locked even after multiple failed authentications, because the failed-authentication limit check is not applied (this is also the behavior prior to NetVisor OS 6.1.0).

You can also configure the minimum-pw-length parameter for the SFTP service by using the admin-sftp-modify command. For example:


CLI (network-admin@switch) > admin-sftp-modify enable minimum-pw-length 10

sftp password:

confirm sftp password:

password length matched..!

CLI (network-admin@switch) >  


To delete an existing user, use the command:


CLI (network-admin@switch) > user-delete name name-string 


To modify an existing user, use the command:


CLI (network-admin@switch) > user-modify name name-string 


name name-string

Enter the username.

Specify any of the following options:


password password-string

Enter the password in plain text. The password must be at least as long as the configured minimum-pw-length.

login-fail-count login-fail-count-number

Specify the number of authentication failures allowed before the user account is locked.

For more details, see the user-create table above.


lock-account|no-lock-account

Specify to manually lock (lock-account) or unlock (no-lock-account) the user account.

For more details, see the user-create table above.


minimum-pw-length 6..65

Specify a minimum password length for user accounts. The password length should be in the range of 6-65 characters. The default value is 6 characters.

For more details, see the user-create table above.


Note: The details of all changes are added to the session logs file and you can view the details using the log-session-show command. A sample configuration output is provided below as a reference:


CLI (network-admin@ara01) > log-session-show

 


To view the configuration details, use the command:


CLI (network-admin@switch) > user-show name name-string 


Specify any of the following options:


name name-string

Enter the username for which you want to view the details.

[ scope local|fabric ]

Specify to view user account details on either a local switch or on all switches in the fabric.

[ uid uid-number ]

Enter the user ID of the account.

[ type netvisor|unix|tacacs|web-token|mfg ]

Enter the user type to view any specific type of account.


[ server aaa-tacacs name ]

Enter the TACACS server name to view only those details.


login-fail-count login-fail-count-number

Enter the allowed limit for authentication failures before the user account is locked.

For more details, see the user-create table above.

lock-account|no-lock-account

Specify to view the locked/unlocked account details.

For more details, see the user-create table above.

minimum-pw-length 6..65

Specify to view the minimum password length for user accounts. 

For more details, see the user-create table above.


Note: As in all the show commands, use the formatting options to display the details as desired.


The following example configuration illustrates the security settings available for user accounts:


  • Create a user account on a local switch using the command:


CLI (network-admin@switch) > user-create name example1 scope local


  • Modify the account, specifying no-lock-account:


CLI (network-admin@switch) > user-modify name example1 no-lock-account


  • Verify the configuration:


CLI (network-admin@switch) > user-show


name          scope  uid   type     login-fail-count lock-account minimum-pw-length

------------- ------ ----- -------- ---------------- ------------ -----------------

network-admin fabric 39999 netvisor 0                false        6

example1      local  40000 netvisor 0                false        6


Note: The minimum-pw-length field is displayed only for network-admin accounts.


  • Now, modify the configuration to lock the user account after 3 failed attempts and also set other parameters:


CLI (network-admin@switch) > user-modify name example1 login-fail-count 3 lock-account minimum-pw-length 9


This command prompts you to enter a new password that meets the specified minimum-pw-length.


CLI (network-admin@switch) > user-show


name          scope  uid   type     login-fail-count lock-account minimum-pw-length

------------- ------ ----- -------- ---------------- ------------ -----------------

network-admin fabric 39999 netvisor 0                false        6

example1      local  40000 netvisor 3                true         9


  • You can also configure minimum-pw-length when enabling SFTP:


CLI (network-admin@switch) > admin-sftp-modify minimum-pw-length 9 enable

sftp password:

confirm sftp password:


CLI (network-admin@switch) > admin-sftp-show


switch:            switch

sftp-user:         sftp

enable:            yes
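As an added example (not NetVisor OS code), the following Python model captures the account rules described above: a login-fail-count of 0 never locks, reaching a non-zero limit locks every account except network-admin, only network-admin can lock or unlock an account, and passwords must honor a minimum-pw-length in the range 6..65. The class and function names are assumptions made for illustration; the switch itself enforces these rules.

```python
# Added example, not NetVisor OS code: a model of this page's account rules
# (login-fail-count, lock-account, minimum-pw-length); names are assumptions.
from dataclasses import dataclass

SUPER_USER = "network-admin"  # pre-created by NetVisor OS; can never be locked out
PW_LEN_RANGE = range(6, 66)   # minimum-pw-length accepts 6..65

@dataclass
class User:
    name: str
    password: str
    login_fail_count: int = 0  # 0 (the default) means never auto-locked
    minimum_pw_length: int = 6
    locked: bool = False
    failures: int = 0          # consecutive failed attempts so far

def set_minimum_pw_length(user: User, length: int) -> None:
    """user-modify ... minimum-pw-length: reject values outside 6..65."""
    if length not in PW_LEN_RANGE:
        raise ValueError(f"minimum-pw-length {length} is not in 6..65")
    user.minimum_pw_length = length

def set_password(user: User, new_password: str) -> None:
    """user-modify ... password: the new password must honor minimum-pw-length."""
    if len(new_password) < user.minimum_pw_length:
        raise ValueError("password shorter than minimum-pw-length")
    user.password = new_password

def authenticate(user: User, password: str) -> bool:
    """One login attempt. A wrong, non-empty password counts toward
    login-fail-count (assumption from the SSH note: empty prompts do not
    count); reaching the limit locks every account except network-admin."""
    if user.locked:
        return False
    if password == user.password:
        user.failures = 0
        return True
    if password:
        user.failures += 1
        if 0 < user.login_fail_count <= user.failures and user.name != SUPER_USER:
            user.locked = True
    return False

def set_lock(user: User, actor: str, locked: bool) -> None:
    """lock-account / no-lock-account: only network-admin may lock or unlock."""
    if actor != SUPER_USER:
        raise PermissionError("only network-admin can lock or unlock accounts")
    if locked and user.name == SUPER_USER:
        raise ValueError("network-admin cannot be locked out")
    user.locked = locked
```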


General Guidelines


Following are the guidelines to keep in mind while configuring new user accounts:


  • To set up a system for the Common Criteria conformance test with regard to SSH, run the script /usr/bin/setup-cc-ssh-config.ksh on the target switch and the script /usr/bin/setup-cc-ssh-keygen.ksh on the client system.
  • If a user account is locked by NetVisor OS because of authentication failures, SSH sessions for that account are disabled until a network-admin user (with full privileges) unlocks the account.
  • If all accounts are locked out and no SSH session is available, only the network-admin user can log in, using the local or management console (telnet), because network-admin is an account pre-created by NetVisor OS and cannot be locked out.
  • You can use either the CLI or the RESTful API to configure the user authentication parameters.
  • Other applications that use the NetVisor OS authentication mechanism, such as UNUM, currently reflect these configuration changes.
