Configuring Nexus SAN Admin Role

If you’re in a company that uses Nexus 5Ks to run both LAN and SAN, and for some strange reason your SAN Administrator wants access to the 5Ks for zoning, just deny it.  Okay, okay, I guess that won’t fly, so let’s configure role-based access control (RBAC) to lock down what the SAN Administrator has access to.

Good thing about Nexus 5K is there is a built-in role called san-admin that we can use for this purpose.  Let’s take a look at the role privileges:

N5K-2# sh role name san-admin

Role: san-admin
  Description: Predefined system role for san administrators. This role
  cannot be modified.
  vsan policy: permit(default)
  Vlan policy: permit(default)
  Interface policy: permit(default)
  Vrf policy: permit(default)
  -------------------------------------------------------------------
  Rule    Perm    Type        Scope               Entity                  
  -------------------------------------------------------------------
  27      permit  read        
  26      permit  read-write  feature             fcdomain                
  25      permit  read-write  feature             rdl                     
  24      permit  read-write  feature             trunk                   
  23      permit  read-write  feature             fcmgmt                  
  22      permit  read-write  feature             fcfe                    
  21      permit  read-write  feature             port-track              
  20      permit  read-write  feature             fcoe                    
  19      permit  read-write  feature             port-security           
  18      permit  read-write  feature             copy                    
  17      permit  read-write  feature             rmon                    
  16      permit  read-write  feature             rscn                    
  15      permit  read-write  feature             fspf                    
  14      permit  read-write  feature             fdmi                    
  13      permit  read-write  feature             fcsp                    
  12      permit  read-write  feature             fcns                    
  11      permit  read-write  feature             span                    
  10      permit  read-write  feature             zone                    
  9       permit  read-write  feature             wwnm                    
  8       permit  read-write  feature             vsan                    
  7       permit  read-write  feature             vsanIfvsan              
  6       permit  read-write  feature             fabric-binding          
  5       permit  read-write  feature             interface               
  4       permit  read-write  feature             trapRegEntry            
  3       permit  read-write  feature             snmpTargetAddrEntry     
  2       permit  read-write  feature             snmpTargetParamsEntry   
  1       permit  read-write  feature             snmp     

If you noticed at the top, full privileges are included in this profile for adding/modifying/deleting interfaces, VLANs and VRFs.  Not cool.

 Vlan policy: permit(default)
 Interface policy: permit(default)
 Vrf policy: permit(default)

Additionally, notice the privilege to configure device aliases is missing (yikes!). Needless to say, we will likely want to create a new role with some minor modifications.

Notice the “features” that are attached to the san-admin role. If we want to find out exactly what is included in these features, run this command:

show role feature name X

Here’s an example:

N5K-2# show role feature name zone
zone            (Zone related commands)
  show zone *
  config t ; zone *
  zone *
  clear zone *
  debug zone *
  show zoneset *
  config t ; zoneset *
  zoneset *
  clear zoneset *
  debug zoneset *
  show zone-attribute-group *
  config t ; zone-attribute-group *
  zone-attribute-group *
  clear zone-attribute-group *
  debug zone-attribute-group *
  show fcalias *
  config t ; fcalias *
  fcalias *
  clear fcalias *
  debug fcalias *

Now to build the new role:

role name custom-san-admin
  description Customized SAN Admin Role
  rule 20 permit read 
  rule 19 permit command debug device-alias *
  rule 18 permit command clear device-alias *
  rule 17 permit command config t ; device-alias *
  rule 16 permit read-write feature zone
  rule 15 permit read-write feature wwnm
  rule 14 permit read-write feature vsanIfvsan
  rule 13 permit read-write feature vsan
  rule 12 permit read feature snmp
  rule 11 permit read-write feature trunk
  rule 10 permit read-write feature rscn
  rule 9 permit read-write feature rdl
  rule 8 permit read-write feature ping
  rule 7 permit read-write feature interface
  rule 6 permit read-write feature fspf
  rule 5 permit read-write feature fdmi
  rule 4 permit read-write feature fcmgmt
  rule 3 permit read-write feature fcfe
  rule 2 permit read-write feature fcdomain
  rule 1 permit read-write feature copy
  vlan policy deny
  interface policy deny
    permit interface fc1/23-32
  vrf policy deny

Verify the configuration:

N5K-1# show role name custom-san-admin
 
Role: custom-san-admin
  Description: Customized SAN Admin Role
  vsan policy: permit(default)
  Vlan policy: deny
  Permitted vlans: none
  Interface policy: deny
  fc1/23-32
  Vrf policy: deny
  Permitted vrfs:
  -------------------------------------------------------------------
  Rule    Perm    Type        Scope               Entity                 
  -------------------------------------------------------------------
  20      permit  read       
  19      permit  command                         debug device-alias *   
  18      permit  command                         clear device-alias *   
  17      permit  command                         config t ; device-alias *
  16      permit  read-write  feature             zone                   
  15      permit  read-write  feature             wwnm                   
  14      permit  read-write  feature             vsanIfvsan             
  13      permit  read-write  feature             vsan                   
  12      permit  read        feature             snmp                   
  11      permit  read-write  feature             trunk                   
  10      permit  read-write  feature             rscn                   
  9       permit  read-write  feature             rdl                    
  8       permit  read-write  feature             ping                   
  7       permit  read-write  feature             interface              
  6       permit  read-write  feature             fspf                   
  5       permit  read-write  feature             fdmi                   
  4       permit  read-write  feature             fcmgmt                 
  3       permit  read-write  feature             fcfe                   
  2       permit  read-write  feature             fcdomain               
  1       permit  read-write  feature             copy   

If you’re not using AAA, other than creating a local user attached to the custom-san-admin role, you’re all done. If you’re using AAA with something like Cisco ACS TACACS+, proceed below.

Assuming you’re already connected to ACS, configure AAA, make sure authorization is set to local (this will only show up in a “show run all”).

aaa authentication login default group ACS
aaa authentication login console group ACS
aaa accounting default group ACS
aaa authentication login error-enable
aaa authorization commands default local
aaa authorization config-commands default local

Assuming ACS is already in production, we just need to add a new shell profile.

Attribute: cisco-av-pair
Requirement: Mandatory
Value: shell:roles*”custom-san-admin”

And corresponding authorization policy:

You should now be able to login with the restricted custom-san-admin role. Verify:

N5K-1# sh user-account tester
user:tester
        roles:custom-san-admin
account created through REMOTE authentication
Credentials such as ssh server key will be cached temporarily only for this user account
Local login not possible

Resources:

http://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/system_management/521_n1_1/b_5k_System_Mgmt_Config_521N11/b_5k_System_Mgmt_Config_521N11_chapter_0111.html

http://www.cisco.com/c/en/us/support/docs/security/secure-access-control-system/115925-nexus-integration-acs-00.html

http://jeremywaldrop.wordpress.com/2012/10/22/nexus-5500-san-admin-rbac/
Thanks, Jeremy!

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s