Cisco CNS Network Registrar User's Guide Web Interface, 6.0
Basic Administration Scenario


The Cisco CNS Network Registrar Web-based user interface (Web UI) provides a single point to manage any number of DNS, DHCP, and TFTP servers. The Web UI also provides administrator management so that you can assign administrative roles to users logged on to the application.

This chapter describes a basic administrative scenario and presents a simple tutorial with the steps needed to set up the address infrastructure and administrative accounts to handle this scenario.

Table 2-1 Basic Administrative Scenario Topics

If you want to learn about...                     See...
Roles and groups                                  "Introduction to Roles" section
The example scenario                              "Scenario Description" section
Tasks to perform for the scenario                 "Tasks to Perform" section
Creating the host administrators                  "Create the Administrators" section
Creating the address infrastructure               "Create the Address Infrastructure" section
Creating the zone infrastructure                  "Create the Zone Infrastructure" section
Creating a constrained host role                  "Create the Constrained Host Role" section
Assigning the role to the host administrator      "Assign the Role to the Host Administrator" section
Creating hosts in the host administrator's zone   "Create Hosts in the Host Administrator's Zone" section
Extending the configuration                       "Additional Configuration" section


Introduction to Roles

The functions that network administrators can perform in Network Registrar are determined by the roles assigned to them. The Web UI administrator can define these roles, which add granularity to, and can constrain, the network administration functions. Network Registrar differentiates between base roles and constrained roles:

Base roles—General, unconstrained roles for administrative functions. These base roles form the basis for the constrained roles.

Constrained roles—Roles derived from the base roles that are limited in their view of the server data by a set of constraints.

How Administrators Relate to Groups and Roles

There are three administrator concepts in Network Registrar—administrator, group, and role:

Administrator—An account that logs in and that, through its association with one or more groups or roles, can perform certain functions. These functions include host, zone, address space, and DHCP administration. Administrators can be further constrained to manage certain hosts or zones.

Group—A grouping of roles. Two groups are created by default, the address-mgt-group and the dns-mgt-group. These groups provide flexibility and can be used in place of associating a role directly with an administrator.

Role—Defines the functions the administrator can perform and possible additional constraints. An administrator or group must be assigned at least one base role.

Base Roles

You can assign an administrator one or more of the base roles described in Table 2-2. You cannot delete these base roles.

Table 2-2 Web UI Administrator Base Roles

Base Role         Function
ccm-admin         Global administrator. This role administers the Web UI Central Configuration Management (CCM) database.
host-admin        Host administrator. This administrator is usually focused only on the Address (A) resource records in a zone and administering host IP addresses, rather than the full zone data. This role can be constrained by zone and IP address range, and by host name in a set of zones.
zone-admin        Zone administrator. This administrator is usually focused on administering zone data such as Start of Authority (SOA) and name server attributes, and resource records, rather than hosts in the zone. This role can be constrained by zones and their owners.
dhcp-admin        DHCP administrator. This administrator manages dynamic configuration of hosts in the network, such as by scopes, policies, and failover configuration. This role cannot be further constrained.
addrblock-admin   Address block administrator. This administrator manages address space at a higher level than that of specific subnet or static address allocations, using hierarchical representation of address blocks to organize the available address space. This role cannot be further constrained.


Constrained Roles

You can limit administrator roles by applying constraints on a base role. The base role might be host-admin and the constrained role limiting it to a specific range of IP addresses might be named 192.168.50.0-host-admin. There can be many constrained roles based on the host-admin base role, each requiring a unique name. When these roles are assigned to the appropriate administrator, the administrator logs in with its constraints in effect.

Roles can be further constrained to read-only mode. An administrator can be allowed to read any of the data for that role, but not modify it. When a read-only constraint is applied to a role, it supersedes all other constraints, making the role entirely read-only.

Groups

A group is a grouping of roles. You can create groups and assign them to specific administrators. This provides a convenient way to combine administrators into a single group definition instead of assigning them individual roles, which is especially useful when adding new users.

The Web UI is predefined with two groups (see Table 2-3). You can create additional groups, apply one or more roles to each group, then apply the groups to administrators who would exercise common tasks.

Table 2-3 Web UI Administrator Groups

Group               Description
address-mgt-group   Combined DHCP, address block, and CCM administrator.
dns-mgt-group       Combined host, zone, and CCM administrator.


Scenario Description

This basic scenario assumes that responsibility for managing zone data at the Example Company is shared by two administrators, named example-zone-admin and example-host-admin. They are responsible for different aspects of managing the company's two DNS zones, example.com and boston.example.com. A third administrator, example-cnr-admin, is responsible for general Network Registrar administration, including monitoring server status and installing or upgrading the software:

The example-cnr-admin administrator is responsible for ensuring that servers are operating normally. He or she also maintains the list of administrators and sets up access constraints for other administrators.

The example-zone-admin administrator is responsible for ensuring that DNS is correctly configured. He or she maintains the example.com and boston.example.com zones, their authoritative servers, resource records, and dynamic DNS update capabilities.

The example-host-admin administrator is responsible for coordinating office moves and ensuring that hosts can access the network at the Boston location. He or she maintains host lists and their IP address assignments.

Tasks to Perform

The following sections present the steps each user takes to create and then work within this administrative scenario for the Example Company:

1. The admin superuser creates the new administrator accounts.

2. The example-cnr-admin administrator creates the address infrastructure.

3. The example-zone-admin administrator creates the zone infrastructure.

4. The example-zone-admin administrator creates a constrained boston-host-admin role.

5. The example-zone-admin administrator assigns the example-host-admin administrator to the boston-host-admin role.

6. The example-host-admin administrator adds hosts to the boston.example.com zone.

Create the Administrators

For this example, the default superuser needs to create the example-cnr-admin, example-zone-admin, and example-host-admin administrators, with the distinct but overlapping functions described in the "Scenario Description" section.


Step 1 Log in as the default superuser (such as admin).

Step 2 Click the Administration tab on the Primary Navigation bar.

Step 3 On the List/Add Administrators page, enter example-cnr-admin in the Name field and examplecnr in the Password field. (The password appears as asterisks on the page.)

Step 4 Because you want to give example-cnr-admin superuser privileges to manage the server, click the Superuser check box. This setting automatically provides full access to all the server features in the Web UI, command line interface (CLI), and Windows-based graphical user interface (GUI).

Step 5 Click Add Administrator (see Figure 2-1).

Figure 2-1 Adding an Administrator

Step 6 To add the zone administrator, enter example-zone-admin in the Name field and examplezone in the Password field. Because example-zone-admin should have responsibility for the DNS server, the dns-mgt-group is a perfect group in which to include the administrator. This group automatically has the ccm-admin, host-admin, and zone-admin unconstrained roles assigned to it. (Only unconstrained zone administrators can view and edit DNS server properties, and start, stop, and reload the DNS server.) Therefore, select dns-mgt-group in the Groups drop-down list. Click Add Administrator.

Step 7 To add the host administrator, enter example-host-admin in the Name field and examplehost in the Password field. Because example-host-admin should be constrained to creating and managing only certain hosts in the boston.example.com zone, the example-zone-admin administrator you created in the previous step needs to create a special constrained role for this administrator. Consequently, do not select items from either the Groups or Roles drop-down lists. Click Add Administrator.

Step 8 The names of the three administrators should now appear on the List/Add Administrators page. The example-cnr-admin administrator should have the Superuser flag checked, example-zone-admin should have dns-mgt-group listed in the Groups column, and example-host-admin should not have any groups or roles listed.


Create the Address Infrastructure

The prerequisite to setting up administrator roles to manage the zones and hosts required for this example is to configure the network infrastructure that underlies it. In many cases, your network configuration already exists and was previously imported, so that the selections are available in the Web UI. The examples presented assume that you are configuring these settings for the first time.

For this scenario, the example-cnr-admin administrator needs to create the allowable address ranges for the hosts in the boston.example.com zone that will be assigned statically managed IP addresses. You create a range of fixed IP addresses into which the managed hosts should fall. This requires creating the 192.168.50.0/24 subnet and adding a static address range of 192.168.50.101 through 192.168.50.200.


Step 1 Log in as user example-cnr-admin with the password examplecnr.

Step 2 Click the Address Space link to open the View Unified Address Space page.

Step 3 Click the Subnets tab on the Secondary Navigation bar to open the List/Add Subnets page.

Step 4 In the Address/Mask field, enter the address 192.168.50.0 and select the value 24 in the mask drop-down list. Leave the Owner and Region fields as they are, then click Add Subnet (see Figure 2-2).

Figure 2-2 Adding a Subnet

Step 5 Once the 192.168.50.0/24 subnet appears in the list on the page, click its name to edit it.

Step 6 On the Edit Subnet page, add the address range by entering 101 in the Start field and 200 in the End field. Click Add IP Range. This adds the range to the list (see Figure 2-3).

Figure 2-3 Adding an Address Range in the Subnet

Step 7 To confirm your setting, click the Address Space tab on the Secondary Navigation bar, then click the Refresh icon to refresh the page. The 192.168.50.0/24 subnet should appear in the list.


Create the Zone Infrastructure

For this scenario, the example-zone-admin administrator needs to create the Example Company zones, some host records, and the constrained role that defines limits on host administrator access to the boston.example.com zone:

Create the two zones—example.com and boston.example.com.

Create two hosts in the boston.example.com zone.

Create a constrained role for the example-host-admin administrator.

Assign the boston-host-admin-role role to the example-host-admin administrator.

Create the Zones

For this scenario, the example.com and boston.example.com zones do not yet exist in the Web UI and must first be created.


Step 1 Log in as user example-zone-admin with the password examplezone. Note that the Address Space and DHCP menu items do not appear, because this administrator is limited to the dns-mgt-group roles.

Step 2 Click the Zone link to open the List/Add Zones page.

Step 3 Enter example.com in the Name field (see Figure 2-4). For this example, no templates or owners are created.

Figure 2-4 Creating a Zone

Step 4 Click Add Zone to open the Add Zone page, then enter the minimum data to create the zone, which is the Start of Authority (SOA) serial number, the primary DNS server name, the hostmaster's contact e-mail address, and the zone's authoritative nameserver. In each of the appropriate fields, enter this data (see Figure 2-5):

Serial Number—1

Nameserver—ns1

Contact E-Mail—hostmaster

In the Nameservers area, next to the Add Nameserver button—ns1 (click Add Nameserver)

You can accept the default values for all the other fields.

Figure 2-5 Adding Zone Information

Step 5 Click Add Zone to create the zone and return to the List/Add Zones page.

Step 6 Create the boston.example.com zone in the same way, using the same zone property values. The List/Add Zones page should now include example.com and boston.example.com in the list of created zones (see Figure 2-6).

Figure 2-6 Viewing the Zones


Create the Initial Hosts

As a confirmation, create two hosts in the example.com zone.


Step 1 Click the Host tab on the Primary Navigation bar to open the List Zones page.

Step 2 Click the Refresh icon to view the newly created zones (see Figure 2-7).

Figure 2-7 Selecting the Zone to Add Hosts

Step 3 Click example.com in the list of zones. This opens the List/Add Hosts for Zone page.

Step 4 Enter userhost1 in the Name field and 192.168.50.101 in the IP Address field. Leave the Create PTR Records? box checked. Click Add Host (see Figure 2-8).

Figure 2-8 Adding a Host and Address to the Zone

Step 5 Enter userhost2 in the Name field and 192.168.50.102 in the IP Address field. Leave the Create PTR Records? box checked. Click Add Host. The two hosts should now appear on the List/Add Hosts for Zone page.


Create the Constrained Host Role

In these steps, example-zone-admin creates a boston-host-admin-role.


Step 1 Click the Administration tab on the Primary Navigation bar and the Roles tab on the Secondary Navigation bar to open the List/Add Administrator Roles page.

Step 2 Enter boston-host-admin-role in the Name field and click host-admin in the Base Role drop-down list.

Step 3 Click Add Role (see Figure 2-9).

Figure 2-9 Creating a Constrained Role

Step 4 On the Add Host Administrator Role page, confirm that the role has the name boston-host-admin-role and type host-admin. Leave the Read Only Role box unchecked.

Step 5 Under Zone Restrictions, select boston.example.com in the Available list, then click << to move it into the Selected list (see Figure 2-10).

Figure 2-10 Setting Zone Constraints

Step 6 Expand the IP Restrictions area of the page by clicking the + sign next to the heading.

Step 7 Select 192.168.50.101 - 192.168.50.200 in the Available list, then click << to move this range into the Selected list (see Figure 2-11).

Figure 2-11 Setting IP Address Restrictions

Step 8 Click Add Role on the bottom of the page. The role now appears in the list of roles under the Name column of the List/Add Administrator Roles page.


Assign the Role to the Host Administrator

In these steps, example-zone-admin assigns boston-host-admin-role to example-host-admin.


Step 1 Click the Administrators tab on the Secondary Navigation bar.

Step 2 On the List/Add Administrators page, click example-host-admin to edit the administrator.

Step 3 Under Roles on the Edit Administrator page, click boston-host-admin-role in the Available list and click << to move it into the Selected list (see Figure 2-12).

Figure 2-12 Assigning a Role

Step 4 Click Modify Administrator. The example-host-admin administrator should now list boston-host-admin-role under the Roles column.

Step 5 To confirm the settings, click the example-host-admin name to open the Edit Administrator page. Expand the Show Current Roles area at the bottom of the page. These are the permissions assigned to the administrator. You should see that the role is defined as constrained to the boston.example.com zone and a certain IP range.


Create Hosts in the Host Administrator's Zone

For this example, the example-host-admin administrator tests an out-of-range address and then adds an acceptable one.


Step 1 Log in as user example-host-admin with the password examplehost. Note that only the Host selection appears, because this administrator is limited to boston-host-admin-role.

Step 2 Click the Host link to open the List Zones page. This goes directly to the List/Add Hosts for Zone page for boston.example.com, because this administrator's view is limited to a single zone.

Step 3 Enter userhost3 in the Name field and enter an out-of-range address in the IP Address field: 192.168.50.51. Click Add Host. An error message appears and the IP Address field becomes empty.

Step 4 Enter a permissible address in the IP Address field, 192.168.50.103, and click Add Host. The host should appear in the list.
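
The following Python model is an added example, not Network Registrar code: it evaluates the zone and IP restrictions that Steps 3 and 4 exercise, plus the read-only rule from the "Constrained Roles" section. The HostRole class, its field names, and the treatment of an empty restriction list as unconstrained are assumptions.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address


def _zone(name: str) -> str:
    # DNS names compare case-insensitively; ignore a trailing root dot.
    return name.rstrip(".").lower()


@dataclass(frozen=True)
class HostRole:
    """Hypothetical model of a role derived from the host-admin base role."""
    name: str
    zones: tuple = ()        # zone restrictions (exact zone names)
    ip_ranges: tuple = ()    # inclusive (start, end) address pairs
    read_only: bool = False  # supersedes all other constraints

    def can_add_host(self, zone: str, ip: str):
        """Return (allowed, reason) for adding a host record to a zone."""
        if self.read_only:
            return False, "role is read-only"
        # Assumption: an empty restriction list leaves that dimension open.
        if self.zones and _zone(zone) not in {_zone(z) for z in self.zones}:
            return False, "zone outside role"
        try:
            addr = IPv4Address(ip)
        except ValueError:
            return False, "not an IPv4 address"
        if self.ip_ranges and not any(
            IPv4Address(lo) <= addr <= IPv4Address(hi)
            for lo, hi in self.ip_ranges
        ):
            return False, "address outside role ranges"
        return True, "permitted"


# The role built in "Create the Constrained Host Role".
BOSTON = HostRole(
    name="boston-host-admin-role",
    zones=("boston.example.com",),
    ip_ranges=(("192.168.50.101", "192.168.50.200"),),
)

if __name__ == "__main__":
    # Constructed requests; the first two mirror Steps 3 and 4.
    requests = [
        ("boston.example.com", "192.168.50.51"),    # below the static range
        ("boston.example.com", "192.168.50.103"),   # inside the range
        ("example.com", "192.168.50.103"),          # parent zone not selected
        ("Boston.Example.COM.", "192.168.50.200"),  # same zone, range end
        ("boston.example.com", "192.168.50.201"),   # one past the range end
    ]
    for zone, ip in requests:
        print(f"{zone:22} {ip:16} -> {BOSTON.can_add_host(zone, ip)}")
```

The zone match is exact, so a role restricted to boston.example.com grants nothing in example.com, and both range endpoints are inclusive.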


Additional Configuration

Given this administration scenario, many more possibilities exist. For example:

Because the zone administrator not only has zone management permissions but can also manage administrator accounts, he or she can create further administrators with different constraints.

You can constrain administrators to read-only capabilities for their roles.

You can assign the dhcp-admin base role to an administrator so that he or she can create scopes for dynamic addresses and control other facets of the DHCP configuration. For details on how to do this, see "DHCP Administration."

You can assign the addrblock-admin base role to an administrator so that he or she can create static address blocks, additional subnets, owners, and regions. For details on how to do this, see "Address Block Administration."