Last Updated on August 2, 2021 by Admin 2
You want to allow remote users to log in to a Nexus 7000 Series switch nondefault VDC by using TACACS+. The TACACS+ configuration has been previously completed on the switch. You issue the following commands:
switchto vdc MyVDC
configure terminal
aaa user default-role
exit
copy running-config startup-config
Which of the following user roles will occur when a remote user logs in to the VDC named MyVDC by using TACACS+?
- The user will be assigned the vdc-operator role.
- The user will be assigned the network-admin role.
- The user will not be assigned a role and will be denied login.
- The user will be assigned the vdc-admin role.
- The user will be assigned the network-operator role.
The user will be assigned the vdc-operator role when the remote user logs in by using Terminal Access Controller Access-Control System Plus (TACACS+) in this scenario. The vdc-operator role has read-only access to a specific virtual device context (VDC) on the switch. In this scenario, the aaa user default-role command has been issued in the VDC named MyVDC, which is a nondefault VDC on the switch. The aaa user default-role command configures the Authentication, Authorization, and Accounting (AAA) feature on the switch to automatically assign remote users the default user role at login. The default remote user role for nondefault VDCs on a Cisco Nexus switch is the vdc-operator role.
Cisco Nexus switches use role-based access control (RBAC) to assign management privileges to a given user. By default, a Nexus 7000 switch is configured with the following user roles:
– network-admin — has read and write access to all VDCs on the switch
– network-operator — has read-only access to all the VDCs on the switch
– vdc-admin — has read and write access to a specific VDC on the switch
– vdc-operator — has read-only access to a specific VDC on the switch
The user will not be assigned the network-admin role. In addition, the user will not be assigned the network-operator role. These roles are applied to users who have access to all VDCs that are configured on the switch, not a specific nondefault VDC. If the aaa user default-role command had been issued in the default VDC in this scenario, remote users who log in to the default VDC would be assigned a network-operator user role.
The user will not be assigned the vdc-admin user role. The vdc-admin user role allows read and write access to a specific VDC on the switch. If remote users were automatically assigned the vdc-admin role when logging in to the VDC named MyVDC, those users would have administrative access to the VDC, which is a security risk.
The user will be assigned a role and will not be denied login. In this scenario, TACACS+ is already configured on the Cisco Nexus 7000 Series switch. In addition, the aaa user default-role command has been issued. If the command had not been issued or if the no aaa user default-role command had been issued later in the configuration, remote users who attempt to log in to the VDC named MyVDC would be denied access because no user role is assigned to those users.