Nexus - Indeni user creation

Introduction

A user with the predefined NX-OS administrator role can easily be configured so that the Indeni Server gets remote access to the Nexus switches. The Indeni Server connects to the Nexus switches over a secure SSH (SSHv2) connection. The following NX-OS show commands are then executed remotely and periodically by the Indeni 5.9 Release to collect the information required for in-depth analysis and monitoring.

NX-OS commands executed by the Indeni 5.9 Release

  • show clock
  • show hsrp
  • show vpc role
  • show vrrp detail
  • show module
  • show interface
  • show ip pim neighbors
  • show system resources
  • show system internal flash
  • show inventory
  • show logging server
  • show ntp peer-status
  • show running-config diff | count
  • show ip route direct
  • show ip bgp summary
  • show running configuration
  • show version
  • show debugging
  • show feature
  • show environment
  • show http-server
  • show snmp
  • show telnet server
  • show license usage
  • show ip route static

Setting up the Indeni user account at a Nexus switch

NX-OS uses the concept of User Roles to define the access level of a user. User Roles contain rules that define the operations allowed for a user assigned to the role. The Cisco NX-OS software provides four default user roles:

  • Network-Admin—Complete read-and-write access to the entire NX-OS device (only available in the default Virtual Device Context, VDC).
  • Network-Operator—Complete read access to the entire NX-OS device (default User Role).
  • VDC-Admin—Read-and-write access limited to a VDC.
  • VDC-Operator—Read access limited to a VDC (default User Role).

Note: The VDC-Admin and VDC-Operator roles apply only to the Nexus 7000 and 7700 Series switches.

The Indeni user can be assigned the predefined network-admin role to execute all the NX-OS commands supported by the Indeni R.5.9 that are required for analysis and monitoring. Note that all the show commands used by the Indeni Server can also be executed with the predefined Network-Operator role, except show running configuration. It is therefore recommended to create, or reuse, an account with admin-level rights so that the Indeni Server can provide alerting and remediation for all the scripts included in the Knowledge Database.

Let's move on to the configuration and the background theory for creating the Indeni user in NX-OS. A new user is assigned a default User Role if no role was configured during the authentication process, which is the case when logging into a Nexus with no AAA (Authentication, Authorization, Accounting) or with AAA configured for Authentication only. The default User Role assigned depends on the Nexus model. In particular, when logging into an N5K series switch or an N7K series switch the default User Role assigned is “network-operator”. When a user logs into a VDC, the default User Role is “vdc-operator”. The default User Roles are limited to certain commands and cannot perform any configuration changes.

Next is described how to configure a user with network-admin rights in the local database of the switch.

Note: The username and password can be different from the ones used in the example.

The new user and its access level can be seen in the output of the next command.


Finally, you can confirm that a user with network-admin rights is configured with permanent read-write access.
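The following NX-OS CLI sequence is an added example of the steps described above (it is not the article's own screenshot): it creates a local account for the Indeni Server with the predefined network-admin role and then verifies the assignment. The username "indeni" and the password placeholder are assumptions; replace the placeholder with a real value.

```text
! Added example: local NX-OS user for the Indeni Server with network-admin rights.
! "indeni" and <STRONG-PASSWORD> are assumed values, not the article's own.
configure terminal
  username indeni password <STRONG-PASSWORD> role network-admin
end

! Persist the change so the account survives a reload
copy running-config startup-config

! Verify the account exists and shows "roles:network-admin"
show user-account indeni

! Verify what the role itself permits (read-write on all features)
show role name network-admin
```

The `show user-account` output is the quickest place to confirm the user carries exactly the role you intended; `show role name` shows the rules behind that role, which is useful when auditing accounts that were created by someone else.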

Special attention is needed when a RADIUS or TACACS+ server is used for AAA. When no AAA is configured, the role is retrieved from the local “username” configuration command; if no role is configured there, the default role (network-operator) is used. If AAA is configured with the Authentication option only, the Nexus switch expects the TACACS+ or RADIUS server to return a role along with the user credentials in its response; otherwise a default User Role is used. If AAA is configured with both Authentication and Authorization, it overrides the use of the default and custom User Roles.

Frequently Asked Questions

Can I limit the Indeni user's privilege level so that it can execute only NX-OS show commands?

You can easily do this by assigning the Indeni user the predefined NX-OS role “network-operator”. Although most of the NX-OS commands required by the Indeni R.5.9 can be executed with the predefined and default network-operator role, the “show running configuration *” command cannot be executed by a user with this role. So the Indeni user should not be assigned the predefined network-operator role; instead, use the predefined network-admin role or create a new custom role.

Can I limit the Indeni user to execute only the show commands required to collect information from a Nexus switch?

Yes. NX-OS RBAC (Role-Based Access Control) allows you to define rules for a role that restrict the management operations a user assigned to that role is authorized to perform. User roles contain rules that define the operations allowed for the user who is assigned the role.

Below is an example configuration of a role with 2 rules.

The role is assigned to the new user named indeni2.

The user has been successfully created and assigned the configured “management” role.

We log in to the Nexus with the indeni2 user. The user can execute only the commands permitted by the assigned role. A warning message is returned when the user attempts to execute a command not included in the assigned role.
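The NX-OS CLI below is an added example of the custom-role setup described in this answer; it is not the article's own screenshot, and the contents of the two rules are an assumption about what a role for the Indeni Server needs. The password placeholder is also assumed. NX-OS evaluates a role's rules from the highest rule number downwards and applies the first rule that matches, so the specific permit for the running configuration is numbered above the general read rule.

```text
! Added example: custom RBAC role "management" with two rules, assigned to indeni2.
! Rule contents and <STRONG-PASSWORD> are assumed values, not the article's own.
configure terminal
  role name management
    ! Rule 2 is evaluated first: permit the running configuration, which the
    ! predefined network-operator role cannot display.
    rule 2 permit command show running-config *
    ! Rule 1: read-only access to every feature, the same as network-operator.
    rule 1 permit read
  exit
  username indeni2 password <STRONG-PASSWORD> role management
end
copy running-config startup-config

! Verify the rules and the user assignment
show role name management
show user-account indeni2
```

With this role the user can run the show commands from the list above, including show running-config, but any configuration command is rejected by the switch. When Indeni releases add new show commands, the rule set must be reviewed; `show role name management` is the place to check what the role currently permits.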

So you can easily create a role that limits the Indeni user to only the show commands required by the Indeni Server for alerting and analysis. However, this setup carries additional operational cost: the custom role must be maintained to cover any new NX-OS commands required by new Indeni Releases.

Further information about the NX-OS RBAC feature can be found at the following link:

https://www.cisco.com/c/en/us/td/docs/switches/datacenter/sw/4_1/nx-os/security/configuration/guide/sec_nx-os-cfg/sec_rbac.html?referring_site=cisco_cli_analyzer#wp1431439

Which NX-OS commands are executed by the Indeni R.5.9 Server?

All the commands executed by the Indeni R.5.9 Release can be found at the following link:

https://indeni.atlassian.net/wiki/spaces/IKP/pages/86442018/NX-OS+commands+executed+by+Indeni+Server

Does the Indeni user require access to the NX-OS configuration mode?

No. The Indeni user only needs to run specific show commands. The NX-OS show commands executed are listed per Indeni Release.

Is it safe for the Indeni user to log in remotely to the Nexus switch?

Yes. The Indeni Server connects remotely to a Nexus switch over an SSH session. All the commands are executed periodically over a single SSH session.

Can I keep track of the commands executed by the Indeni user?

Yes. You can easily keep track of the commands executed on a Nexus switch, either by configuring the switch to log all commands to a Syslog server or by searching the output of the show accounting log all command.

An example is provided below:

The configuration options of the show accounting command can be found below.

The following configuration should be applied to enable the logging of show commands.

For testing purposes the show ver command is executed.

The show accounting log all command provides detailed information about the date, the user, and the IP address of the user who connected to the Nexus and ran the show ver command.
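The NX-OS CLI below is an added example of the auditing steps in this answer (not the article's own screenshot). By default the accounting log records configuration commands only, so show commands are enabled for the session first; the Syslog server address 192.0.2.10 is a constructed value.

```text
! Added example: track the commands executed by the Indeni user.
! 192.0.2.10 is a constructed collector address, not the article's own.

! Enable logging of all commands, including show commands, for this session
terminal log-all

! Remote Syslog destination for the switch logs (the article's first option);
! severity 6 forwards informational messages and above
configure terminal
  logging server 192.0.2.10 6
end

! Generate a test entry, then review the accounting log. Each entry carries the
! timestamp, the user, the source IP address / terminal and the command run.
show version
show accounting log all

! Narrow the output to the entries produced by the Indeni account
show accounting log all | include indeni
```

Filtering the accounting log on the Indeni username is a cheap way to confirm that the account only ever runs the expected show commands and that the source address matches the Indeni Server; an unexpected source address or a configuration command in that user's entries is worth investigating.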