Reference Guide
role, and many users can have the same role. A user role authenticates and authorizes a user at login, and places you in EXEC mode (see
CLI basics).
OS10 supports four pre-dened roles: sysadmin, secadmin, netadmin, and netoperator. Each user role assigns permissions that determine
the commands a user can enter, and the actions a user can perform. RBAC provides an easy and ecient way to administer user rights. If a
user’s role matches one of the allowed user roles for a command, command authorization is granted.
The OS10 RBAC model provides separation of duty as well as greater security. It places some limitations on each role’s permissions to allow
you to partition tasks. For greater security, only some user roles can view events, audits, and security system logs.
Assign user role
To limit OS10 system access, assign a role when you congure each user.
• Enter a user name, password, and role in CONFIGURATION mode.
username username password password role role
– username username — Enter a text string (up to 32 alphanumeric characters; 1 character minimum).
– password password — Enter a text string (up to 32 alphanumeric characters; 9 characters minimum).
– role role — Enter a user role:
◦ sysadmin — Full access to all commands in the system, exclusive access to commands that manipulate the le system, and
access to the system shell. A system administrator can create user IDs and user roles.
◦ secadmin — Full access to conguration commands that set security policy and system access, such as password strength,
AAA authorization, and cryptographic keys. A security administrator can display security information, such as cryptographic
keys, login statistics, and log information.
◦ netadmin — Full access to conguration commands that manage trac owing through the switch, such as routes,
interfaces, and ACLs. A network administrator cannot access conguration commands for security features or view security
information.
◦ netoperator — Access to EXEC mode to view the current conguration. A network operator cannot modify any
conguration setting on a switch.
Create user and assign role
OS10(config)# username smith password silver403! newuser role sysadmin
View users
OS10# show users
Index Line User Role Application Idle Login-Time Location
----- ---- ------ ------ ----------- ---- --------------------- -------------
1 ttyS root root -bash >24h 2018-05-23 T23:05:03Z console
2 pts/0 admin sysadmin bash 1.1s 2018-05-30 T20:04:27Z 10.14.1.214[ssh]
RADIUS authentication
To congure a RADIUS server for authentication, enter the server's IP address or host name, and the key used to authenticate the OS10
switch on a RADIUS host. You can enter the authentication key in plain text or encrypted format. You can change the UDP port number on
the server.
• Congure a RADIUS authentication server in CONFIGURATION mode. By default, a RADIUS server uses UDP port 1812.
radius-server host {hostname | ip-address} key {0 authentication-key | 9 authentication-key
| authentication-key} [auth-port port-number]
Re-enter the radius-server host command multiple times to congure more than one RADIUS server. If you congure multiple
RADIUS servers, OS10 attempts to connect in the order you congured them. An OS10 switch connects with the congured RADIUS
520
System management