system aaa user—Configure a login account for each user who can access the local Viptela device, assigning the user a login name and a password and placing them into an authorization group.
Only a user who is logged in as the admin user has permission to create login accounts for users.
If an admin user changes the privileges of a user by changing their group, and if that user is currently logged in to the device, the user is logged out and must log back in again.
vManage Feature Template
For all Viptela devices:
Configuration ► Templates ► AAA
- Authorization Group
- group group-name
Name of an authorization group configured with the usergroup command. You must assign the user to one or more groups.
Name for the user. In Releases 17.1 and later, username can be 1 to 128 characters long, and it must start with a letter. The name can contain only lowercase letters, the digits 0 through 9, hyphens (-), underscores (_), and periods (.). The name cannot contain any uppercase letters. In Releases 16.3 and earlier, username can be 1 to 32 characters long, and it must start with a letter. The name can contain only lowercase letters, the digits 0 through 9, and the hyphen (-) and underscore (_) characters. The name cannot contain any uppercase letters. The Viptela software provides one standard username, admin, which is a superuser who has read and write permissions to all commands and operations on the device.
The following usernames are reserved, so you cannot configure them: backup, basic, bin, daemon, games, gnats, irc, list, lp, mail, man, news, nobody, proxy, quagga, root, sshd, sync, sys, uucp, and www-data. Also, names that start with viptela-reserved are reserved.
If a remote server validates authentication and that user is not configured locally, the user is logged in to the vshell as the user "basic", with a home directory of /home/basic. If a remote server validates authentication and that user is configured locally, the user is logged in to the vshell under their local username (say, eve) with a home directory of /home/username (so, /home/eve).
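The username rules above can be checked before a template or CLI change is pushed. The following is an added example, not Viptela code: the function name username_problems and its legacy flag (selecting the Releases 16.3 and earlier rules) are hypothetical, and the candidate names are constructed.

```python
import string

# Reserved usernames as listed on this page.
RESERVED = frozenset(
    "backup basic bin daemon games gnats irc list lp mail man news nobody "
    "proxy quagga root sshd sync sys uucp www-data".split()
)
RESERVED_PREFIX = "viptela-reserved"

# Releases 17.1 and later allow lowercase letters, digits, '-', '_' and '.'.
ALLOWED_17_1 = set(string.ascii_lowercase + string.digits + "-_.")
# Releases 16.3 and earlier do not allow the period.
ALLOWED_16_3 = ALLOWED_17_1 - {"."}


def username_problems(name, legacy=False):
    """Return the reasons a username breaks the documented rules ([] = acceptable).

    legacy=True applies the Releases 16.3 and earlier limits (hypothetical flag).
    """
    max_len = 32 if legacy else 128
    allowed = ALLOWED_16_3 if legacy else ALLOWED_17_1
    problems = []
    if not 1 <= len(name) <= max_len:
        problems.append(f"length must be 1 to {max_len} characters")
    if name and name[0] not in string.ascii_letters:
        problems.append("must start with a letter")
    if any(c in string.ascii_uppercase for c in name):
        problems.append("uppercase letters are not allowed")
    # Uppercase is reported above, so exclude it from the generic character check.
    bad = sorted(set(name) - allowed - set(string.ascii_uppercase))
    if bad:
        problems.append("characters not allowed: " + " ".join(repr(c) for c in bad))
    if name in RESERVED or name.startswith(RESERVED_PREFIX):
        problems.append("reserved username")
    return problems


if __name__ == "__main__":
    # Constructed candidate names, checked against both rule sets.
    for candidate in ["eve", "Eve", "net.ops", "9lives", "sshd", "viptela-reserved-x"]:
        for legacy in (False, True):
            label = "16.3 and earlier" if legacy else "17.1 and later"
            result = username_problems(candidate, legacy) or ["ok"]
            print(f"{candidate!r:22} {label:17} {'; '.join(result)}")
```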
- User Password
- password password
Password for the user. password is an MD5 digest string, and it can contain any Unicode and ISO/IEC 10646 characters, including tabs, carriage returns, and linefeeds. To include an exclamation point (!) in a password, enclose the entire password in quotation marks (for example, "Pass01!"). For more information about allowed password characters, see Section 9.4 in RFC 7950, The YANG 1.1 Data Modeling Language.
Each username is required to have a password, and each user is allowed to change their own password.
After you type the password during the CLI configuration process, the string is immediately encrypted and a readable version of the password is never displayed. When you type the password in the vManage AAA feature template, a readable version is never displayed.
When a user is logging in to a Viptela device, they have five chances to enter the correct password. After the fifth incorrect attempt, the user is locked out of the device, and they must wait 15 minutes before attempting to log in again.
Configure a user whose role is to be a system operator:
Viptela# config
Entering configuration mode terminal
Viptela(config)# system aaa
vedge-1(config-aaa)# user eve
Viptela(config-user-eve)# password 123456
Viptela(config-user-eve)# group operator
Viptela(config-user-eve)# exit
Viptela(config-aaa)# show configuration
system
 aaa
  user eve
   password encrypted-password
   group operator
  !
 !
!
Command introduced in Viptela Software Release 14.1.
In Release 17.1, the maximum group name length is increased to 128 characters and periods (.) are supported in group names.