Last Updated on August 3, 2021 by Admin 2
You issue the following commands on a Nexus 7000 Series switch that is already configured to authenticate users by using TACACS+:
    switchto vdc myvdc
    configure terminal
    aaa user default-role
    no aaa user default-role
    exit
    copy running-config startup-config
Which of the following will occur when a remote user attempts to log in to the VDC named MyVDC by using TACACS+?
- The user will be assigned the vdc-operator role.
- The user will be assigned the network-operator role.
- The user will be assigned the network-admin role.
- The user will be assigned the vdc-admin role.
- The user will not be assigned a role and will be denied login.
The user will not be assigned a role and will be denied login when the remote user attempts to log in to the virtual device context (VDC) named MyVDC by using Terminal Access Controller Access-Control System Plus (TACACS+). In this scenario, TACACS+ is already configured on the Cisco Nexus 7000 Series switch. In addition, the aaa user default-role command has been issued but is immediately followed by the no aaa user default-role command in the configuration. Remote users who attempt to log in to the VDC named MyVDC will be denied access because no user role is assigned to those users.
Cisco Nexus switches use role-based access control (RBAC) to assign management privileges to a given user. By default, a Nexus 7000 switch is configured with the following user roles:
- network-admin: has read and write access to all VDCs on the switch
- network-operator: has read-only access to all the VDCs on the switch
- vdc-admin: has read and write access to a specific VDC on the switch
- vdc-operator: has read-only access to a specific VDC on the switch
The user will not be assigned the vdc-operator role, because the no aaa user default-role command has been issued. In this scenario, the aaa user default-role command has been issued in the VDC named MyVDC, which is a nondefault VDC on the switch. The aaa user default-role command configures the Authentication, Authorization, and Accounting (AAA) feature on the switch to automatically assign remote users the default user role at login. The default remote user role for nondefault VDCs on a Cisco Nexus switch is the vdc-operator role. However, this configuration will not apply in this scenario because of the no aaa user default-role command.
The user will not be assigned the vdc-admin user role. The vdc-admin user role allows read and write access to a specific VDC on the switch. If remote users were automatically assigned the vdc-admin role when logging in to the VDC named MyVDC, those users would have administrative access to the VDC, which is a security risk.
The user will not be assigned the network-admin role. In addition, the user will not be assigned the network-operator role. These roles are applied to users who have access to all VDCs that are configured on the switch, not a specific nondefault VDC. If the aaa user default-role command had been issued in the default VDC in this scenario, remote users who log in to the default VDC would be assigned a network-operator user role.
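The role logic explained above can be checked mechanically before a change is saved. The following Python sketch is an added example, not Cisco code and not part of the original question: it replays a command list, tracks the final state of aaa user default-role per VDC, and reports the role a remote user would receive. The `default` VDC label, the `server_role` parameter and the enabled-unless-negated starting state are assumptions made for the illustration.

```python
# Added illustration, not Cisco code: models only the behaviour this page describes.
DEFAULT_VDC = "default"  # hypothetical label for the switch's default VDC

# The command sequence from the question, one CLI line per entry.
SCENARIO = [
    "switchto vdc myvdc",
    "configure terminal",
    "aaa user default-role",
    "no aaa user default-role",
    "exit",
    "copy running-config startup-config",
]

def replay(commands):
    """Replay CLI lines; return {vdc: True/False} for 'aaa user default-role'."""
    vdc, state = DEFAULT_VDC, {}
    for line in commands:
        words = line.lower().split()
        if len(words) == 3 and words[:2] == ["switchto", "vdc"]:
            vdc = words[2]                    # later lines apply to this VDC
        elif words == ["switchback"]:
            vdc = DEFAULT_VDC
        elif words == ["aaa", "user", "default-role"]:
            state[vdc] = True
        elif words == ["no", "aaa", "user", "default-role"]:
            state[vdc] = False                # the last form entered wins
    return state

def remote_login_role(state, vdc, server_role=None):
    """Role a remote user receives in `vdc`, or None when login is denied."""
    vdc = vdc.lower()
    if server_role:                # assumption: a role sent by the AAA server is used
        return server_role
    if not state.get(vdc, True):   # assumption: enabled unless explicitly negated
        return None
    return "network-operator" if vdc == DEFAULT_VDC else "vdc-operator"

def lockout_vdcs(state):
    """VDCs where a remote user without a server-assigned role cannot log in."""
    return sorted(v for v, enabled in state.items() if not enabled)

if __name__ == "__main__":
    state = replay(SCENARIO)
    print(remote_login_role(state, "MyVDC"), lockout_vdcs(state))
```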