Manual Chapter : Administrative Users

Applies To: ARX 6.3.0
An administrative group defines the access privileges for a list of administrative users. Use the group command to add a new group to the ARX, or to edit an existing group. You can also use this command to re-create or edit a Windows group, so that you can assign administrative privileges to the group's Windows users.
Use the no form of this command to remove a group.
group name
name (1-64 characters) is a name that you choose for the group. Surround this with quotation marks ("") if it contains any spaces.
This command puts you into gbl-group mode. From gbl-group mode, you can use the role command to select a role for all the group's users. Each role is associated with a set of CLI commands; you can use the role command multiple times to assign multiple roles to a group. You must set at least one role for the group to function. Default groups (such as network-engineer) already have their roles configured.
For a group of Windows administrators, defined externally in your Active Directory, you can choose a group name that is the same as an existing Windows group. For example, you could create a group named Domain Admins. Then use the windows-domain (gbl-group) command to specify one or more domains where the group is allowed access; Domain Admins in medarch.org may be allowed to access the CLI, but Domain Admins in competitor.com may not. Finally, use the authentication command to allow Active-Directory authentications at the CLI and/or GUI. Windows users in the group/domain can then log into the CLI or GUI with their Windows username and password, and they get the access privileges assigned by the role command. This type of group does not require any users; all users are established externally, on your Windows Domain Controllers.
For a locally-defined group of administrators, use the user (gbl-group) command to add each administrator to the group.
Use the show group all command for a list of existing groups.
bstnA(gbl)# group superusers
bstnA(gbl)# group "Domain Users"
Use the group command to add the current user to an additional group. Use no group to remove the current user from a group.
group name
name (1-64 characters) is a name of an existing group.
A user can belong to multiple groups, where each group is associated with a role. The group's role determines the access privileges for its users. Every command in this manual is labeled with the role or roles that are permitted to use the command. See Security Role(s), above, as an example: this command can only be used by users who belong to groups with the crypto-officer role.
The ARX is shipped with several pre-defined groups. Use the show group all command to show all groups, and use show group roles to show the role associated with each group. You can add new groups with the group command.
bstnA(gbl-user[newuser])# group storage-engineer
bstnA(gbl-user[newuser])# no group testgroup2
An administrator with the crypto-officer role can use the password (gbl-user) command to change the password for any user account.
bstnA# password
New Password: myNewPa$$wd
Use the password command to change the password for an administrative-user account.
Use the show users command to show all administrative users.
Password: n3wcrypt1cPa$$wd
Validate Password: n3wcrypt1cPa$$wd
A group's role determines the accessible CLI commands for its administrative users. Each group can have multiple roles. Use the role command to set a role for the current group.
Use the no role command to remove a role from the group.
operator is a clerical administrator,
backup-operator runs backup and restore operations on volumes (see restore data),
network-technician configures layer-2 and IP networks under the guidance of a network-engineer,
network-engineer designs network topologies,
storage-engineer designs and configures network storage, and
crypto-officer keeps passwords and manages network security.
Each CLI command has one or more Security Roles that are listed in this manual. If an administrator's group has one of the roles that can access a command, the administrator can use the command. For example, an administrator with the network-technician role can see a command that is assigned to network-engineer and network-technician, but cannot see a command that allows only storage-engineers.
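The access rules above, together with the Windows-group gating described under the group command (a group of the same name as an AD group, allowed only from the domains set with windows-domain), modelled as an added Python example. This is not ARX code; the group, user and domain names in it are constructed sample data.

```python
"""Model of the administrative access rules described on this page (added
example, not ARX code): a user belongs to one or more groups, each group
carries the roles set with the role command, and a CLI command is usable when
any of the user's roles appears in the command's Security Role(s) label.  A
Windows (Active Directory) group named like an ARX group gets that group's
roles only from the domains listed with windows-domain.  Sample names are
constructed."""
from dataclasses import dataclass, field

@dataclass
class Group:
    name: str
    roles: set = field(default_factory=set)            # role / no role
    users: set = field(default_factory=set)            # user (gbl-group)
    windows_domains: set = field(default_factory=set)  # windows-domain

def roles_for_local_user(username: str, groups: dict) -> set:
    """Union of roles over every group the locally defined user belongs to;
    a group with no role configured contributes nothing."""
    return {r for g in groups.values() if username in g.users for r in g.roles}

def roles_for_windows_user(ad_group: str, domain: str, groups: dict) -> set:
    """Roles for an AD user in ad_group of domain: the ARX group with the same
    name applies only if that domain was added with windows-domain."""
    g = groups.get(ad_group)
    if g is None or domain.lower() not in {d.lower() for d in g.windows_domains}:
        return set()
    return set(g.roles)

def can_run(user_roles, command_roles) -> bool:
    """A command is visible if the user holds any of its listed Security Roles."""
    return bool(set(user_roles) & set(command_roles))

# Constructed sample configuration, following the page's own examples:
# newuser starts in operator and was added to storage-engineer.
GROUPS = {
    "operator": Group("operator", {"operator"}, {"newuser", "tech1"}),
    "superusers": Group("superusers", {"network-technician"}, {"tech1"}),
    "storage-engineer": Group("storage-engineer", {"storage-engineer"}, {"newuser"}),
    "Domain Admins": Group("Domain Admins", {"crypto-officer"},
                           windows_domains={"medarch.org"}),
}

if __name__ == "__main__":
    tech = roles_for_local_user("tech1", GROUPS)
    print(can_run(tech, {"network-engineer", "network-technician"}))  # True
    print(can_run(tech, {"storage-engineer"}))                        # False
    print(roles_for_windows_user("Domain Admins", "competitor.com", GROUPS))  # set()
```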
bstnA(gbl-group[superusers])# no role network-technician
Use the ssh-key command to paste a public SSH key into the current administrative account.
Use the no ssh-key command to remove one or more SSH keys from the current account.
dsa | rsa | rsa1 is a required choice, which selects the encryption type and SSH version for the key:
dsa is DSA over SSHv2,
rsa is RSA over SSHv2, and
rsa1 is RSA over SSHv1. By default, SSHv1 is not supported; use ssh-v1 enable to enable SSHv1 support.
public-key (optional, 1-2500 characters) is a public SSH key, pasted from the client. Use quotation marks around this string, as it invariably contains spaces. Take care that the copy/paste operation does not add any <Return> or <Line-Feed> characters to break up the string. If you omit the public-key, the CLI prompts for it on the next line.
key-id (1-2,147,483,647) identifies the SSH key by an ID number assigned at the switch. Use show ssh-user to see all key IDs for all SSH keys.
fingerprint (1-50) identifies the SSH key by its fingerprint. Use show ssh-user to see all fingerprints.
dsa | rsa | rsa1 identifies the type of key to remove. This removes all SSH keys of the given type from the current administrative account.
all removes all SSH keys from the current administrative account.
When administrators access the CLI through SSH, they are typically challenged for the account password. The SSH protocol supports public-key authentication, which skips this challenge. When an administrator accesses SSH on the switch, the switch's SSH server attempts to use the administrator's public key first. If the public key is configured properly for this administrator, he or she never sees a password challenge.
The show ssh-user command shows all administrative accounts with SSH public keys.
bstnA(gbl-user[su])# ssh-key dsa ssh-dss AAAAB3NzaC1kc3MAAACBAPqSVxs6Soxs5D9G7Ul8dQrf7Eo7vNdTawaH0K7DsyV2ND0RqxttRtNpw/fdIcm5cHOrYW4OYL6HJesMeJPguAzY8hbTkwsz+uRJLFnmRTy236DXDFiTc38Er6UQCoa1On9VrKWhoEGNe1YCn+cIsb3S+s44QPOx9GPFSVN1hqdVAAAAFQC8x+2VKzUH16xrAMKuvVh50c53lwAAAIEAvOgRX8Ek2e/uCCJXlme0n7EsL3+yTEsOP7C9Bsl05KoCAgCSYP8G/1rc372Vy0xF3PGL9QsI/bj+48SEAuJJTpJR1eB9MLpwmraVa/IsX16Xhr34eLDwH3NwtlwqRH9fhkjnWwhEoLRC7Bf/g493HoXPD2dNjbKvqiMgq+s7CBEAAACAcAF+a+S/0OUNfpuv6QPV+SX9WoaazJthtUiP8pI4yl6sVAhp3Op5LxWT58Xl4ed+F0vUR2cfdjAF23YGYRwK2c2h4FjnoBjLuoodhXJ+xAC/DPb4EvwEcBtqlPnpWzsPlAFX/I1pPA4fUyUOOifCrP12etsoZ9mnxawLRAAEa+A= juser@clientLinux
Enter user's public key: ssh-dss ... juser@clientLinux
bstnA(gbl-user[su])# no ssh-key rsa
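A pre-paste check for the public-key argument, as an added example that is not ARX code: it enforces the constraints stated above (one line, quoting because of the spaces, a dsa | rsa choice that matches the key) against the key shown in the ssh-key example, and computes an OpenSSH-style MD5 colon fingerprint. That show ssh-user lists this exact fingerprint format is an assumption.

```python
"""Pre-paste check for the public-key argument of ssh-key (added example, not
ARX code).  Enforces what the page states: one line (a stray <Return> or
<Line-Feed> breaks the key), spaces so the string must be quoted, and a
dsa | rsa choice that matches the key.  The colon-separated MD5 fingerprint
is the OpenSSH convention; that show ssh-user lists this format is an
assumption.  rsa1 (SSHv1) keys use another text format, not handled here."""
import base64
import hashlib
import struct

# Wire-format key type names (RFC 4253) and the ssh-key choice they belong to.
WIRE_TYPE_TO_CHOICE = {b"ssh-dss": "dsa", b"ssh-rsa": "rsa"}

def check_public_key(pasted: str, choice: str) -> dict:
    """Parse a pasted OpenSSH public-key line; raise ValueError on any defect."""
    if "\r" in pasted or "\n" in pasted:
        raise ValueError("key was broken by a line break during copy/paste")
    parts = pasted.strip().split(" ", 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    type_field, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    try:
        blob = base64.b64decode(b64, validate=True)
    except ValueError as exc:          # binascii.Error is a ValueError subclass
        raise ValueError(f"key body is not valid base64: {exc}") from exc
    if len(blob) < 4:
        raise ValueError("key body too short")
    # Blob opens with a uint32 length + key type; it must match the text prefix and the chosen type.
    (n,) = struct.unpack(">I", blob[:4])
    wire_type = blob[4:4 + n]
    if wire_type != type_field.encode():
        raise ValueError("type prefix does not match the encoded key")
    if WIRE_TYPE_TO_CHOICE.get(wire_type) != choice:
        raise ValueError(f"key is {wire_type.decode()}, but {choice} was chosen")
    digest = hashlib.md5(blob).hexdigest()
    return {"type": wire_type.decode(), "choice": choice, "comment": comment,
            "blob_len": len(blob), "needs_quotes": " " in pasted.strip(),
            "fingerprint": ":".join(digest[i:i + 2] for i in range(0, 32, 2))}

def rejects(pasted: str, choice: str) -> bool:
    """True when check_public_key refuses the key (used for the negative cases)."""
    try:
        check_public_key(pasted, choice)
    except ValueError:
        return True
    return False

# The key from the ssh-key example on this page, reproduced verbatim.
PAGE_KEY = "ssh-dss AAAAB3NzaC1kc3MAAACBAPqSVxs6Soxs5D9G7Ul8dQrf7Eo7vNdTawaH0K7DsyV2ND0RqxttRtNpw/fdIcm5cHOrYW4OYL6HJesMeJPguAzY8hbTkwsz+uRJLFnmRTy236DXDFiTc38Er6UQCoa1On9VrKWhoEGNe1YCn+cIsb3S+s44QPOx9GPFSVN1hqdVAAAAFQC8x+2VKzUH16xrAMKuvVh50c53lwAAAIEAvOgRX8Ek2e/uCCJXlme0n7EsL3+yTEsOP7C9Bsl05KoCAgCSYP8G/1rc372Vy0xF3PGL9QsI/bj+48SEAuJJTpJR1eB9MLpwmraVa/IsX16Xhr34eLDwH3NwtlwqRH9fhkjnWwhEoLRC7Bf/g493HoXPD2dNjbKvqiMgq+s7CBEAAACAcAF+a+S/0OUNfpuv6QPV+SX9WoaazJthtUiP8pI4yl6sVAhp3Op5LxWT58Xl4ed+F0vUR2cfdjAF23YGYRwK2c2h4FjnoBjLuoodhXJ+xAC/DPb4EvwEcBtqlPnpWzsPlAFX/I1pPA4fUyUOOifCrP12etsoZ9mnxawLRAAEa+A= juser@clientLinux"
```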
Use the show group all command to display all administrative groups configured for the ARX.
This shows all administrative groups. Use the show group users command to find the locally-defined administrative users in each group.
Use the show group roles command to find the administrative role assigned to each group. This shows the access privileges for the group's users.
Each group has a role which defines CLI-access privileges for the group's users. Use the show group roles command to show all administrative groups and their roles.
Use the group command to configure a new group.
Use the role command to set a group's role.
Use the show group users command to find the administrative users in each locally-defined group.
Use the show group users command to cross-reference the switch's administrative groups and their locally-defined users.
Use the user command to configure a new administrative user.
Use the group command to create (or edit) a group. Use the user (gbl-group) command to add a user to the group.
Use the show group roles command to find the administrative role assigned to each group.
Use the show ssh-user command to show the SSH public keys entered for administrative users, if any.
show ssh-user [account-name]
account-name (optional, 1-32 characters) identifies a particular administrative account to show. If you omit this, the SSH keys are shown for all administrative accounts.
User is the name of the administrative-user account, set with the user command.
KeyId is an internally-assigned ID for this public key. You can use this with no ssh-key id to remove the SSH key from the account.
Type is dsa (DSA encryption over SSHv2), rsa (RSA encryption over SSHv2), or rsa1 (RSA encryption over SSHv1).
Fingerprint is used by SSH as a shorter equivalent to the public key. This is a unique identifier for a particular user at a particular host. You can use this with no ssh-key fingerprint to remove the SSH key from the account.
bstnA# show ssh-user
bstnA# show ssh-user admin
Use the show users command to display all administrative users that have been locally configured for the ARX.
Configured Users is a list of all local administrative users. Use the user command to configure a new local user. This does not show any users defined externally in the Windows Active Directory.
Current User shows the login name used for the current administrative session. The first set of rows under the user name is the group(s) to which the current user belongs. Each of these rows is labeled group. If you logged in through Active Directory, using your Windows credentials, there is another set of rows labeled role: these are the administrative roles, or privileges, assigned to you.
Use the show group all command to show all administrative groups.
bstnA(gbl)# show users
Use the user command to add a new, local administrative user to the ARX.
Use the no form of this command to remove a user account.
user username
no user username
username (1-32 characters) is a username that you choose.
This puts you into gbl-user mode, which has commands for editing the user account. Use the password command to change the password for the account. For administrators that use SSH to access this account, you can use the ssh-key command to add their public key to the account; if they log in from a management station with the same public key, they do not have to enter the account password.
A user's group determines its CLI-access privileges. A new user's default group, operator, has minimal access privileges. Each user can belong to multiple groups, thereby expanding his access privileges. After you create the user account with this command, you can use the group (gbl-user) command to add this user to another group.
Use the show users command to show all administrative users.
bstnA(gbl)# user newuser
Password: crypt1cPa$$wd
Validate Password: crypt1cPa$$wd
Use the gbl-group user command to add a local administrative user to the current group.
Use no user to remove a local user from the current group.
user username
no user username
username (1-64 characters) identifies an administrative user account on this ARX. Use show group users for a list of all available user accounts.
This command adds a user to the current group. The no form of the command removes a user, thus revoking the group privileges for that user. These administrative users are locally defined on the ARX.
This command is unnecessary for a Windows group that is defined in your Active Directory (AD). For a group defined in the AD, you can use the windows-domain (gbl-group) command to specify the domain(s) where the group's users can gain access to the ARX. Any valid Windows user in the group and domain can use their Windows username and password to gain access. The users are defined externally, on your Windows Domain Controllers.
Use the no form of the command to remove a Windows domain from the group configuration. This prevents the Windows users from the given domain/group from logging in with their Windows credentials.
windows-domain domain-name
domain-name (1-256 characters) is the name of the Windows domain for this Windows group. This must be a Fully-Qualified Domain Name (FQDN) so that Windows users can log in with it; the FQDN makes it possible for Windows users to authenticate with Kerberos.
all (optional with the no form) removes all of the Windows domains that have been associated with this group.
The role command establishes the administrative permissions for members of this group. To see the current roles for the group, use show group roles.
bstnA(gbl-group[Domain Users])# windows-domain medarch.org