Cisco NAC Profiler UI User Administration

Transcription

1 CHAPTER 14 Topics in this chapter include: Overview, page 14-1 Managing Cisco NAC Profiler Web User Accounts, page 14-2 Enabling RADIUS Authentication for Cisco NAC Profiler User Accounts, page 14-7 Changing the Cisco NAC Profiler UI Admin Password via the CLI, page 14-8 Overview The Cisco NAC Profiler Server has user accounts both at the individual appliance level (operating system command line), and for the web user interface which is the primary management interface for Cisco NAC Profiler systems. At the appliance level, every Cisco NAC Profiler Server appliance has two system user accounts which can be utilized for managing the appliance at the command line. Those two accounts are the 'root' and 'beacon' user accounts. These accounts are created and passwords assigned as each Cisco NAC Profiler Server appliance is initially started up as described in Chapter 4, Installing and Performing an Initial Configuration immediately after the appliance is powered-on for the first time. The root and beacon system user accounts on each appliance are managed via the appliance command line only which is accessed via a console connection or via SSH. The principal management interface for NAC Profiler systems is the web management interface. Once a NAC Profiler Server appliance has been initially configured as outlined in Chapter 4, Installing and Performing an Initial Configuration, virtually all NAC Profiler system administration and management tasks for the Profiler Server and Collectors can be completed via the web UI. However, it may be necessary from time to time to access the command line of a Profiler Server appliance. The CLI of a Profiler appliance may be accessed either via terminal emulation using the console port, via a keyboard and monitor connected to the appliance (or through a KVM switch), or over the network using SSH. A Cisco NAC Profiler appliance can only be accessed via SSH by the 'beacon' system user. Once an SSH session is established as beacon, the su - command can be used to elevate to the root system user access-level. Both the root and beacon system user accounts can be accessed directly when connecting to the appliance via the console port, or using a keyboard and monitor connected to an appliance by using the passwords assigned at system startup. 14-1

2 Managing Cisco NAC Profiler Web User Accounts Chapter 14 As a NAC Profiler Server or HA-pair is configured as a new system is installed a default web interface user of type Administrator, username ''admin'' is created at system initialization. The password for the web admin user is set during the execution of the startup scripts, and is used to access the web interface of a new NAC Profiler system for the first time. By default the UI password for the admin user is set to profiler but this can be changed during system startup, or changed later as described at the end of this chapter. The Admin user is the most privileged (for example, ''super user'') of the NAC Profiler UI, and as such is the only user that is enabled to manage the NAC Profiler UI user accounts including the optional RADIUS user authentication capability. As outlined inchapter 5, Configuring the Cisco NAC Profiler for the Target Environment, as a new NAC Profiler system is initially configured, it is highly recommended that one or more Operator accounts be created and enabled, and those accounts used for system configuration and operation tasks, reserving use of the Admin user account only for user account administration. Note The admin user account has a non-configurable idle session timeout of 30 minutes. After 30 minutes of inactivity the admin user is automatically logged out of the NAC Profiler UI and must re-enter credentials to continue the session. Also, only one session as admin is permitted from any single IP address. Starting a UI session on a machine that has one established will result in logout from the existing session automatically. By default, authentication of NAC Profiler UI users is performed locally on the Profiler Server appliance serving the UI for the system. As an option, the NAC Profiler system can be configured to use external RADIUS authentication of UI users. Instructions for configuration of this option are provided later in this chapter. Managing Cisco NAC Profiler Web User Accounts The User Accounts portion of the web interface enables the creation and management of the user accounts that allow access to the NAC Profiler system configuration via the web interface as described throughout this guide. The Cisco NAC Profiler web-based GUI has three user account types: Administrator, Analyst and Operator. Administrator is the most privileged user account type, and each NAC Profiler system has one user account of this type, username ''admin'' that is created and assigned an initial password when the NAC Profiler Server appliance or HA-pair is started up. The admin user account provides initial access to the UI, and should be used only for administration of user accounts once the NAC Profiler system is made operational. Operator users have full access to the NAC Profiler system with the exception of adding, deleting, and enabling/disabling UI user accounts. They are able to make NAC Profiler system configuration changes, view the Endpoint Console, and use the NAC Profiler system in Port Provisioning mode when NAC Profiler has been configured with SNMP read-write access to network devices. Note An Operator account should be established as soon as practical after a new system is started up, and used for the majority of NAC Profiler administration and operation via the Cisco NAC Profiler UI. 14-2

3 Chapter 14 Managing Cisco NAC Profiler Web User Accounts Analyst users have read-only access to the NAC Profiler system. They cannot make configuration changes to the NAC Profiler system itself, or use the NAC Profiler system in Port Provisioning mode (for example, cannot change port settings via the Manage view of the Endpoint Console). Analyst users can view all NAC Profiler data, and use the Cisco NAC Profiler Utilities such as advanced search and view endpoint data. To manage NAC Profiler web UI user accounts, you start from the Cisco NAC Profiler main page (Figure 14-1). To manage user accounts, you must be logged into the UI as the admin user, navigate to the Configuration tab, and select the Accounts link from the secondary menu of the Configuration tab. Figure 14-1 Cisco NAC Profiler Main Page Create UI User Accounts of Type Analyst To create a new NAC Profiler web user account of type Analyst, complete the following steps: Step 1 Select the Create Users link in the NAC Profiler Users table. The Add User form is displayed in the resulting page as shown in Figure 14-2, with the analyst user type selected as the default: 14-3

4 Managing Cisco NAC Profiler Web User Accounts Chapter 14 Figure 14-2 Add NAC Profiler Analyst User Form Step 2 Step 3 Enter the desired User Name for the new Analyst user. NAC Profiler UI Usernames must be unique. Enter the desired Password for this username. The following characters cannot be used for UI usernames/passwords throughout the NAC Profiler System: ;`' "()[]{} also newline (\n), carriage return (\r), and null. Step 4 Step 5 Retype selected Password to verify. Choose to enable/disable user upon creation (default is enabled). Create UI User Accounts of Type Operator When the Operator radio button on the Add User form is selected, the Add User form changes slightly as illustrated in Figure 14-3: 14-4

5 Chapter 14 Managing Cisco NAC Profiler Web User Accounts Figure 14-3 Add NAC Profiler Operator User Form Note As a security measure, Operator accounts must be configured with an automatic idle timeout setting of 5, 15 or 30 minutes (default). If the session to the NAC Profiler UI using an Operator account is allowed to go idle for greater than the time specified for the user account the session was established for, the user will be forced to re-authenticate if they try to resume using the session. To add a new Operator user account, complete the form fields as described below. Step 1 Step 2 Enter a unique name for the new Operator user account. Enter a password for this Operator user account. Step 3 Step 4 Step 5 The following characters cannot be used for UI usernames/passwords throughout the NAC Profiler System: ;`' "()[]{} also newline (\n), carriage return (\r), and null. Re-enter the password for this user account to confirm Select the desired idle session timeout value from the drop down menu: 5, 15, or 30 minutes for this Operator user account. Select the desired status (enabled/disabled) for the new Operator user as it is added to the config. View UI User Accounts To view all NAC Profiler UI user accounts and their status (for example, enabled or disabled and the current timeout value for Operator user accounts) currently defined in the system configuration, select the View/Edit Users List link in the table on the NAC Profiler UI Users page. The Table of Users is presented as illustrated by Figure

6 Managing Cisco NAC Profiler Web User Accounts Chapter 14 Figure 14-4 Table of NAC Profiler UI Users Edit UI Interface User Accounts Existing user interface user accounts on the NAC Profiler system can be edited using the UI. Note that all usernames in the Table of Users are hyperlinks. Selecting the red hyperlink username will redirect the interface to the Save User form shown in Figure 14-5 on page The current configuration for the selected username is pre-populated in the form. The only configurable parameter for the admin account is the password, which can be changed from the Save User form. Figure 14-5 Save User Form To change any of the parameters for the selected user account, make the desired changes on the form and select Save User to commit the changes. If no changes to the password are desired, simply leave the password fields blank, make the other changes and save the user. The password for the user account will be left unchanged. If changes to the password for the user account are desired, enter and retype the same password string to change the password for the user. To save changes to a user account, select Save User. To delete a user from the system configuration, select Delete User. 14-6

7 Chapter 14 Enabling RADIUS Authentication for Cisco NAC Profiler User Accounts Enabling RADIUS Authentication for Cisco NAC Profiler User Accounts By default, Cisco NAC Profiler UI user authentication of users for all user account types is provided locally by the NAC Profiler Server. As an option, in some environments it may be desirable to authenticate Operator and Analyst user access leveraging existing enterprise AAA systems. As of version 3.1, the NAC Profiler system can be configured to authenticate users as they establish sessions to the UI utilizing existing RADIUS infrastructures. This provides several advantages in the enterprise environment in terms of centralizing user administration. Configuration of the NAC Profiler system to utilize RADIUS authentication instead of the local capability is straightforward, but assumes proper configuration of the RADIUS server and supporting infrastructure to properly authenticate users requesting access to the NAC Profiler UI. In order for NAC Profiler to utilize RADIUS authentication of UI users, the RADIUS server must be set up to accept RADIUS requests from the NAC Profiler Server (NAC Profiler Server added as a client to the RADIUS sever) using the Password Authentication Protocol (PAP). Users to be authenticated successfully via RADIUS must return one of the following Filter-ID response to a user authentication request from the NAC Profiler Server when authenticating logins to the UI: ''Beacon-Analyst'' or ''Beacon-Operator'' which correspond to the two levels of UI access outlined earlier in the chapter. Note that the attribute values are case-sensitive. For NAC Profiler HA-pairs, the RADIUS server must be configured with RADIUS clients for both nodes of the NAC Profiler HA-pair. This enables either appliance to make UI user authentication requests to the RADIUS system successfully while it is the Primary node and accessible via the UI. The steps to configure the RADIUS UI user authentication capability on the NAC Profiler system are as follows: Step 1 Establish a UI session using the admin user account, then navigate to the Configuration tab, select the Accounts link from the secondary menu, then select Setup RADIUS to display the Setup RADIUS page illustrated in Figure The RADIUS configuration form enables the entry of the required parameters to configure the system to enable RADIUS authentication of UI users as they attempt to initiate sessions. Figure 14-6 Setup RADIUS 14-7

8 Changing the Cisco NAC Profiler UI Admin Password via the CLI Chapter 14 Step 2 Enter the following parameters in the form to enable RADIUS user authenticated access to the NAC Profiler UI: IP Address Enter the IP address of the RADIUS server/service that is to be used for authenticating user access to NAC Profiler UI. Display Shared Secret Check this box to show the RADIUS secret in clear text. Step 3 Shared Secret Enter the shared secret that is used by clients of the RADIUS service NAC Profiler will be utilizing for UI user authentication. Select the Save Settings button to commit the RADIUS authentication parameters to the NAC Profiler configuration. Clear Settings is used to clear these settings, and revert back to local authentication. Select Save Settings to save the RADIUS authentication settings. Note Any local accounts including the admin user, and Operator and Analyst user accounts created through the UI are still active (and authenticated locally), but upon the successful establishment of RADIUS authentication, users in groups configured to return the aforementioned Filter-IDs via RADIUS authentication will be authenticated using this mechanism such that future access to the NAC Profiler UI is administered via RADIUS, and not locally. To revert back to local user authentication for the NAC Profiler UI, navigate to the Setup RADIUS form and select the Clear Settings button. Changing the Cisco NAC Profiler UI Admin Password via the CLI The password for the 'admin' UI user can be changed on a NAC Profiler system from the appliance command line. Follow these steps to change the password: Step 1 Step 2 Log into the NAC Profiler Server command line as the 'beacon' system user. For HA-pairs, use the VIP for the pair to ensure the session is with the Primary node. Issue the following command to change the password for the 'admin' UI user: /usr/beacon/www/bin/useradmin.php -u 1 password new_pass Where new_pass is the desired password for the admin user Step 3 Initiate a session to the NAC Profiler UI and attempt login as the admin user with new password. This procedure can also be used for recovery of the password for the admin UI user, as long as the root system user password for the NAC Profiler Server is known. 14-8