In this video, we will show you how to configure SONiC 4.1 CLI Role-Based Access Control or RBAC. These steps assume that your switch has SONiC OS installed and will act as a stand-alone unit.
For SONiC version 4.0 and earlier, there are two roles. There's the Admin role, which has full read and write access to the whole system, CLI and shell. The Admin role will connect into shell. Operator role has limited read access to the show commands but can't configure anything. They have no access to shell. The Operator access starts in CLI. Starting in release 4.1, there are two additional roles. There's Secadmin, who has access to all the security-related commands in the system, and there's Netadmin, who has access to the configuration features that manage traffic flowing through the switch.
We are logged in as the default Admin account and have started SONiC CLI. We first enter config mode and create a user with the username 'oper' and the role of 'operator'. Next, we will create a user 'admin1' with the role of 'admin'. We will 'exit' configuration mode and look at our configured users with the 'show users configured' command. As you can see, we have 'admin1' and 'oper' now with their roles.
Next, we will exit the CLI and shell and log back in with the 'oper' user with the Operator role. Notice there is no root or shell prompt. We start in the SONiC CLI. We can execute show commands such as 'show interface status', 'show logging lines 10', 'show users'. These all execute properly. But when we try to enter 'configure' mode, it errors. We're not allowed because we are a read-only role.
Now we will 'exit' out of the switch and then log in with 'admin1' as an Admin user. The first time I will intentionally fail the login with a bad password and then I will log in correctly. Notice we come into the shell prompt and have to start SONiC CLI. We will show the audit log and grep for 'failure'. As you can see, we have the failed login as an authentication failure.
This concludes the steps needed to configure Role-Based Access Control or RBAC in the SONiC 4.1 CLI. Thank you for watching.