Cisco SDWAN and User Account (20.8.1)
User Account locked

A few days ago, I posted the above image with the bug details on my LinkedIn profile and got some interesting feedback in DMs and comments. So, I decided to draft an article about SD-WAN user access and its basic rules. My notebook says:

Let's start with configuring a user:

The rule for usernames: The username can be 1 to 128 characters long, but it must start with a letter (I don't know why) and may only contain lowercase letters, digits (0-9), and a few special characters: hyphens, underscores, and periods (dots). The following usernames are reserved, so you cannot configure them: backup, basic, bin, daemon, games, gnats, irc, list, lp, mail, man, news, nobody, proxy, quagga, root, sshd, sync, sys, uucp, and www-data. Names that start with viptela-reserved are also reserved. The user admin is automatically placed in the group "netadmin". All users learned from a RADIUS or TACACS+ server are placed in the group "basic".

The rule for passwords: Have you enabled the Hardened Password feature? If you haven't and you are running vManage 20.3.1 or later, try it. After enabling it, you are forced to follow some basic rules: the password must be between 6 and 32 characters and contain an uppercase letter, a lowercase letter, at least one number, and one special character. It does not allow a space or the username as the password. By default, passwords expire after 90 days, and you also get a warning banner 30 days before the password expires. Your account will be locked after the password expires.

This password expiration policy does not apply to the "admin" account.
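To make the username and Hardened Password rules above concrete, here is an added example (my own code, not part of the original article or any Cisco tool) that checks a proposed username and password against those rules before you type them into vManage. The exact set of accepted special characters and the exact username comparison are assumptions; the article does not spell them out.

```python
import re

# Reserved usernames listed in the article; "viptela-reserved*" is also blocked.
RESERVED = {
    "backup", "basic", "bin", "daemon", "games", "gnats", "irc", "list", "lp",
    "mail", "man", "news", "nobody", "proxy", "quagga", "root", "sshd", "sync",
    "sys", "uucp", "www-data",
}
# Must start with a lowercase letter; then lowercase letters, digits, '-', '_' and '.'.
USERNAME_RE = re.compile(r"^[a-z][a-z0-9._-]*$")
# Assumed set of "special characters" for the Hardened Password check.
SPECIALS = set("!@#$%^&*()-_=+[]{};:,.<>?/|\\~`'\"")


def username_problems(name: str) -> list[str]:
    """Return the reasons a username violates the article's rules (empty list = OK)."""
    problems = []
    if not 1 <= len(name) <= 128:
        problems.append("length must be 1-128 characters")
    if not USERNAME_RE.fullmatch(name):
        problems.append("must start with a letter and use only a-z, 0-9, '-', '_' and '.'")
    if name in RESERVED:
        problems.append(f"'{name}' is a reserved username")
    if name.startswith("viptela-reserved"):
        problems.append("names starting with 'viptela-reserved' are reserved")
    return problems


def password_problems(password: str, username: str) -> list[str]:
    """Hardened Password checks from the article: 6-32 chars, uppercase, lowercase,
    a digit, a special character, no spaces, and not equal to the username."""
    problems = []
    if not 6 <= len(password) <= 32:
        problems.append("length must be 6-32 characters")
    if not any(c.isupper() for c in password):
        problems.append("needs an uppercase letter")
    if not any(c.islower() for c in password):
        problems.append("needs a lowercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("needs a digit")
    if not any(c in SPECIALS for c in password):
        problems.append("needs a special character")
    if " " in password:
        problems.append("spaces are not allowed")
    if password == username:  # assumed: exact match is what is rejected
        problems.append("password must not be the username")
    return problems
```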

User groups: Three main groups are preconfigured: "netadmin", "basic", and "operator". You can create or delete other groups according to your requirements, but you cannot delete the three standard groups.

Password attack security: To block dictionary, guessing, brute-force and similar attacks, a user account is locked for 15 minutes after six consecutive failed attempts. Also, check that you are not hitting bug CSCvu41291. If your account is locked, wait for 15 minutes or ask the administrator for help; restarting will not help you.

An account can get locked even if no password is provided multiple times. When you do not enter anything in the password field, it is counted as an invalid password. Strange.

Create a user with a password from the CLI:

Vmanage(config)# system aaa user deepak group netadmin password Pass!!12!!

If the "Type 6 Password" feature (20.4.1 and above) is enabled, it allows you to use type 6 passwords, which use secure reversible encryption. This provides enhanced security by using stronger algorithms to encrypt your passwords.

Unlock a user:

Vmanage# request aaa unlock-user deepak
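The lockout behaviour described above (six consecutive failures, 15-minute lock, empty password counted as a failure, correct password rejected while locked) and the administrative unlock can be modelled in a few lines. This is an added example of my own, not code from the article or from Cisco; it takes the clock as a parameter so the 15-minute expiry can be exercised without waiting.

```python
from dataclasses import dataclass

MAX_FAILURES = 6          # consecutive failed attempts before lockout (from the article)
LOCK_SECONDS = 15 * 60    # account stays locked for 15 minutes


@dataclass
class Account:
    username: str
    password: str            # kept in clear text only for this simulation
    failures: int = 0        # consecutive failed attempts since the last success/lock
    locked_until: float = 0  # epoch seconds; 0 means not locked

    def is_locked(self, now: float) -> bool:
        return now < self.locked_until

    def login(self, attempt: str, now: float) -> str:
        """Simulate one login attempt at time `now` (epoch seconds).
        Returns 'ok', 'bad-password', or 'locked'."""
        if self.is_locked(now):
            # A correct password does not help while the lock is active.
            return "locked"
        # An empty password field is treated exactly like a wrong password.
        if attempt == "" or attempt != self.password:
            self.failures += 1
            if self.failures >= MAX_FAILURES:
                self.locked_until = now + LOCK_SECONDS
                self.failures = 0
                return "locked"
            return "bad-password"
        self.failures = 0
        return "ok"

    def admin_unlock(self) -> None:
        """Equivalent of an administrator running 'request aaa unlock-user <name>'."""
        self.locked_until = 0
        self.failures = 0


def simulate_empty_password_lockout(now: float = 1000.0) -> list[str]:
    """Press Enter on the password prompt six times: results of each attempt."""
    acct = Account("deepak", "Pass!!12!!")
    return [acct.login("", now) for _ in range(MAX_FAILURES)]
```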

Authentication order in brief: The default authentication order is "local", then "radius", and then "tacacs". The system first checks whether the username and password exist on the local device. If local authentication fails and auth-fallback is not enabled, the authentication process stops. If auth-fallback is enabled, it next tries the available RADIUS servers one by one.

Audit logs or login details:

When a user logs in, logs out, or makes changes, the system saves all of these events in the auth log file, /var/log/auth.log (if audit logs are not disabled).

You can use the GUI or CLI to check all logs.

Edilson Clodoalves

IT Infrastructure Analyst I

1 year

Deepak Kumar, thank you very much for this article; it was of great value.
