Cisco NAC Profiler Installation and Configuration Guide, Release 3.1.1
Cisco NAC Profiler UI User Administration
Table Of Contents

Cisco NAC Profiler UI User Administration

Overview

Managing Cisco NAC Profiler Web User Accounts

Create UI User Accounts of Type Analyst

Create UI User Accounts of Type Operator

View UI User Accounts

Edit UI Interface User Accounts

Enabling RADIUS Authentication for Cisco NAC Profiler User Accounts

Changing the Cisco NAC Profiler UI Admin Password via the CLI


Cisco NAC Profiler UI User Administration


Topics in this chapter include:

Overview

Managing Cisco NAC Profiler Web User Accounts

Enabling RADIUS Authentication for Cisco NAC Profiler User Accounts

Changing the Cisco NAC Profiler UI Admin Password via the CLI

Overview

The Cisco NAC Profiler Server has user accounts at two levels: the operating system command line of each individual appliance, and the web user interface, which is the primary management interface for Cisco NAC Profiler systems. At the appliance level, every Cisco NAC Profiler Server appliance has two system user accounts for managing the appliance at the command line: 'root' and 'beacon'. These accounts are created and their passwords assigned when each Cisco NAC Profiler Server appliance is powered on and started up for the first time, as described in Chapter 4, "Installing and Performing an Initial Configuration". The root and beacon system user accounts on each appliance are managed only from the appliance command line, which is accessed via a console connection or via SSH.

The principal management interface for NAC Profiler systems is the web management interface. Once a NAC Profiler Server appliance has been initially configured as outlined in Chapter 4, "Installing and Performing an Initial Configuration", virtually all NAC Profiler system administration and management tasks for the Profiler Server and Collectors can be completed via the web UI. However, it may be necessary from time to time to access the command line of a Profiler Server appliance. The CLI of a Profiler appliance may be accessed via terminal emulation on the console port, via a keyboard and monitor connected to the appliance (directly or through a KVM switch), or over the network using SSH.


Tip Over SSH, a Cisco NAC Profiler appliance accepts logins only from the 'beacon' system user. Once an SSH session is established as beacon, use the su - command to elevate to the root system user access level. When connecting via the console port, or using a keyboard and monitor connected to the appliance, both the root and beacon system user accounts can be logged into directly using the passwords assigned at system startup.


When a NAC Profiler Server or HA-pair is configured during installation of a new system, a default web interface user of type Administrator, username "admin", is created at system initialization. The password for the web admin user is set during execution of the startup scripts and is used to access the web interface of a new NAC Profiler system for the first time. The UI password for the admin user defaults to 'profiler'; change it during system startup, or later as described at the end of this chapter, so that the default password does not remain in service on a production system.

The admin user is the most privileged user (the "super user") of the NAC Profiler UI, and as such is the only user that can manage NAC Profiler UI user accounts, including the optional RADIUS user authentication capability. As outlined in Chapter 5, "Configuring the Cisco NAC Profiler for the Target Environment", it is highly recommended that one or more Operator accounts be created and enabled as a new NAC Profiler system is initially configured, and that those accounts be used for system configuration and operation tasks, reserving the admin user account for user account administration only.


Note The admin user account has a non-configurable idle session timeout of 30 minutes: after 30 minutes of inactivity the admin user is automatically logged out of the NAC Profiler UI and must re-enter credentials to continue. Also, only one admin session is permitted from any single IP address; starting a second admin UI session from a machine that already has one established automatically logs out the existing session.


By default, authentication of NAC Profiler UI users is performed locally on the Profiler Server appliance serving the UI for the system. As an option, the NAC Profiler system can be configured to use external RADIUS authentication of UI users. Instructions for configuration of this option are provided later in this chapter.

Managing Cisco NAC Profiler Web User Accounts

The User Accounts portion of the web interface enables the creation and management of the user accounts that allow access to the NAC Profiler system configuration via the web interface as described throughout this guide. The Cisco NAC Profiler web-based GUI has three user account types: Administrator, Analyst and Operator.

Administrator is the most privileged user account type, and each NAC Profiler system has exactly one user account of this type, username "admin", which is created and assigned an initial password when the NAC Profiler Server appliance or HA-pair is started up. The admin user account provides initial access to the UI, and should be used only for administration of user accounts once the NAC Profiler system is made operational.

Operator users have full access to the NAC Profiler system with the exception of adding, deleting, and enabling/disabling UI user accounts. They are able to make NAC Profiler system configuration changes, view the Endpoint Console, and use the NAC Profiler system in Port Provisioning mode when NAC Profiler has been configured with SNMP read-write access to network devices.


Note An Operator account should be established as soon as practical after a new system is started up, and used for the majority of NAC Profiler administration and operation via the Cisco NAC Profiler UI.


Analyst users have read-only access to the NAC Profiler system. They cannot make configuration changes to the NAC Profiler system itself, or use the NAC Profiler system in Port Provisioning mode (for example, cannot change port settings via the Manage view of the Endpoint Console). Analyst users can view all NAC Profiler data, and use the Cisco NAC Profiler Utilities such as advanced search and view endpoint data.

To manage NAC Profiler web UI user accounts, you start from the Cisco NAC Profiler main page (Figure 14-1). To manage user accounts, you must be logged into the UI as the admin user, navigate to the Configuration tab, and select the Accounts link from the secondary menu of the Configuration tab.

Figure 14-1 Cisco NAC Profiler Main Page

Create UI User Accounts of Type Analyst

To create a new NAC Profiler web user account of type Analyst, complete the following steps:


Step 1 Select the Create Users link in the NAC Profiler Users table. The Add User form is displayed in the resulting page as shown in Figure 14-2, with the analyst user type selected as the default:

Figure 14-2 Add NAC Profiler Analyst User Form

Step 2 Enter the desired User Name for the new Analyst user. NAC Profiler UI Usernames must be unique.

Step 3 Enter the desired Password for this username.


Tip The following characters cannot be used for UI usernames/passwords throughout the NAC Profiler System: ;`'|"()[]{} also newline (\n), carriage return (\r), and null.


Step 4 Retype selected Password to verify.

Step 5 Choose to enable/disable user upon creation (default is enabled).


Create UI User Accounts of Type Operator

When the Operator radio button on the Add User form is selected, the Add User form changes slightly as illustrated in Figure 14-3:

Figure 14-3 Add NAC Profiler Operator User Form


Note As a security measure, every Operator account must be configured with an automatic idle timeout of 5, 15 or 30 minutes (30 minutes is the default). If a NAC Profiler UI session established with an Operator account is left idle for longer than the timeout configured for that account, the user is forced to re-authenticate when they try to resume using the session.


To add a new Operator user account, complete the form fields as described below.


Step 1 Enter a unique name for the new Operator user account.

Step 2 Enter a password for this Operator user account.


Tip The following characters cannot be used for UI usernames/passwords throughout the NAC Profiler System: ;`'|"()[]{} also newline (\n), carriage return (\r), and null.


Step 3 Re-enter the password for this user account to confirm

Step 4 Select the desired idle session timeout value from the drop down menu: 5, 15, or 30 minutes for this Operator user account.

Step 5 Select the desired status (enabled/disabled) for the new Operator user as it is added to the config.
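The Tips in the Analyst and Operator procedures above both list the characters that cannot appear in a UI username or password. The following is an added example (not Cisco code) of a pre-check an administrator can run on a candidate username or password before submitting the Add User or Save User form; it reports exactly which disallowed characters are present, using repr() so that newline, carriage return and NUL are visible in the message. The function and field names are the example's own.

```python
"""Pre-check a NAC Profiler UI username or password against the characters
the guide says cannot be used.  Added example, not Cisco NAC Profiler code."""
from typing import List, Optional

# Characters the guide lists as unusable in UI usernames and passwords:
# ; ` ' | " ( ) [ ] { } plus newline, carriage return and NUL.
FORBIDDEN_CHARS = frozenset(";`'|\"()[]{}\n\r\x00")


def forbidden_chars_in(value: str) -> List[str]:
    """Return the forbidden characters present in value, each once, in the
    order they first appear, so the caller can report exactly what to remove."""
    found: List[str] = []
    for ch in value:
        if ch in FORBIDDEN_CHARS and ch not in found:
            found.append(ch)
    return found


def check_credential(value: str, field: str = "password") -> Optional[str]:
    """None when the value is acceptable for the UI, otherwise a message
    naming the field and the offending characters (repr() makes \\n, \\r
    and \\x00 visible instead of invisible)."""
    if not value:
        return f"{field} must not be empty"
    bad = forbidden_chars_in(value)
    if bad:
        return f"{field} contains disallowed characters: " + ", ".join(repr(c) for c in bad)
    return None


if __name__ == "__main__":
    # Constructed sample inputs: two acceptable, three that the UI would reject.
    for candidate in ["Op3rator-1", "S3cure#Pa55!", "pa;ss", "x(y)", "new\nline"]:
        print(repr(candidate), "->", check_credential(candidate) or "ok")
```

Characters such as '#', '!', '@' and tab are not on the guide's list and pass the check; only the listed set is rejected.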


View UI User Accounts

To view all NAC Profiler UI user accounts and their status (for example, enabled or disabled and the current timeout value for Operator user accounts) currently defined in the system configuration, select the View/Edit Users List link in the table on the NAC Profiler UI Users page. The Table of Users is presented as illustrated by Figure 14-4.

Figure 14-4 Table of NAC Profiler UI Users

Edit UI Interface User Accounts

Existing user interface user accounts on the NAC Profiler system can be edited using the UI. Note that all usernames in the Table of Users are hyperlinks. Selecting the red hyperlink username will redirect the interface to the Save User form shown in Figure 14-5. The current configuration for the selected username is pre-populated in the form.


Tip The only configurable parameter for the admin account is the password, which can be changed from the Save User form.


Figure 14-5 Save User Form

To change any of the parameters for the selected user account, make the desired changes on the form and select Save User to commit the changes.


Tip If no changes to the password are desired, simply leave the password fields blank, make the other changes and save the user. The password for the user account will be left unchanged. If changes to the password for the user account are desired, enter and retype the same password string to change the password for the user.


To save changes to a user account, select Save User.

To delete a user from the system configuration, select Delete User.

Enabling RADIUS Authentication for Cisco NAC Profiler User Accounts

By default, Cisco NAC Profiler UI users of all account types are authenticated locally by the NAC Profiler Server. As an option, in some environments it may be desirable to authenticate Operator and Analyst user access using existing enterprise AAA systems. As of version 3.1, the NAC Profiler system can be configured to authenticate users establishing sessions to the UI against an existing RADIUS infrastructure, which centralizes user administration in the enterprise environment.

Configuration of the NAC Profiler system to use RADIUS authentication instead of the local capability is straightforward, but assumes that the RADIUS server and supporting infrastructure are properly configured to authenticate users requesting access to the NAC Profiler UI. In order for NAC Profiler to use RADIUS authentication of UI users, the RADIUS server must be set up to accept RADIUS requests from the NAC Profiler Server (the NAC Profiler Server added as a client to the RADIUS server) using the Password Authentication Protocol (PAP). Note that with PAP the user's password is carried in the RADIUS request hidden only by an MD5 keystream derived from the shared secret, not encrypted; choose a long, random shared secret and keep the traffic between the Profiler Server and the RADIUS server on a protected management network.

For a user to be authenticated successfully via RADIUS, the RADIUS server's response to the NAC Profiler Server's authentication request must return one of the following Filter-ID attribute values: "Beacon-Analyst" or "Beacon-Operator", which correspond to the two levels of UI access outlined earlier in this chapter. Note that the attribute values are case-sensitive; a user whose response carries no Filter-ID, or a Filter-ID with different capitalization, is not granted UI access.


Tip For NAC Profiler HA-pairs, the RADIUS server must be configured with RADIUS clients for both nodes of the NAC Profiler HA-pair. This enables either appliance to make UI user authentication requests to the RADIUS system successfully while it is the Primary node and accessible via the UI.


The steps to configure the RADIUS UI user authentication capability on the NAC Profiler system are as follows:


Step 1 Establish a UI session using the admin user account, then navigate to the Configuration tab, select the Accounts link from the secondary menu, then select Setup RADIUS to display the Setup RADIUS page illustrated in Figure 14-6.

The RADIUS configuration form enables the entry of the required parameters to configure the system to enable RADIUS authentication of UI users as they attempt to initiate sessions.

Figure 14-6 Setup RADIUS

Step 2 Enter the following parameters in the form to enable RADIUS user authenticated access to the NAC Profiler UI:

IP Address

Enter the IP address of the RADIUS server/service that is to be used for authenticating user access to NAC Profiler UI.

Display Shared Secret

Check this box to show the RADIUS secret in clear text.

Shared Secret

Enter the shared secret that is used by clients of the RADIUS service NAC Profiler will be utilizing for UI user authentication.

The Clear Settings button clears these parameters and reverts the system to local authentication.

Step 3 Select Save Settings to save the RADIUS authentication settings.



Note Local accounts, including the admin user and any Operator and Analyst user accounts created through the UI, remain active and continue to be authenticated locally. Once RADIUS authentication is established, users in groups configured on the RADIUS server to return the Filter-ID values described above are authenticated through RADIUS, so their access to the NAC Profiler UI is administered via RADIUS rather than locally.


To revert back to local user authentication for the NAC Profiler UI, navigate to the Setup RADIUS form and select the Clear Settings button.
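The following is an added example, not Cisco code, that works through the exchange this section describes: the Profiler Server (acting as a RADIUS client) sends a PAP Access-Request, the RADIUS server decodes the password, and on success returns an Access-Accept carrying Filter-ID, which the client maps to a UI role with an exact, case-sensitive comparison. Both sides are implemented in plain Python from RFC 2865 so the block runs offline; the shared secret, the user database, the NAS address and the function names are all constructed for the example and are not Profiler internals.

```python
"""RADIUS PAP authentication of a NAC Profiler UI login, both sides of the
exchange, with the Filter-ID to UI-role mapping.  Added example, not Cisco
code.  Secret, users and addresses below are constructed for the demo."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, FILTER_ID = 1, 2, 4, 11

# Filter-ID values the guide requires; the match is exact and case-sensitive.
ROLE_BY_FILTER_ID = {b"Beacon-Analyst": "analyst", b"Beacon-Operator": "operator"}

SECRET = b"example-shared-secret"       # constructed; use a long random secret in practice
USERS = {                               # constructed RADIUS user database: name -> (password, Filter-ID)
    "alice": (b"Secret1!", b"Beacon-Operator"),
    "bob":   (b"Secret2!", b"Beacon-Analyst"),
    "carol": (b"Secret3!", b"beacon-operator"),   # wrong case: RADIUS accepts, UI grants no role
}


def pap_encrypt(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2 User-Password hiding: each 16-byte block is XORed with
    MD5(secret + previous ciphertext block), seeded by the Request Authenticator.
    This is obfuscation keyed only by the shared secret, not real encryption."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out, prev = out + block, block
    return out


def pap_decrypt(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")  # NUL is forbidden in Profiler passwords, so padding is unambiguous


def attr(code: int, value: bytes) -> bytes:
    return bytes([code, len(value) + 2]) + value


def parse_attrs(data: bytes) -> dict:
    attrs, i = {}, 0
    while i < len(data):
        code, length = data[i], data[i + 1]
        attrs[code] = data[i + 2:i + length]
        i += length
    return attrs


def access_request(user: str, password: str, secret: bytes, nas_ip: str, ident: int = 1) -> bytes:
    """What the Profiler Server (the RADIUS client) sends for a UI login."""
    req_auth = os.urandom(16)
    attrs = (attr(USER_NAME, user.encode())
             + attr(USER_PASSWORD, pap_encrypt(password.encode(), secret, req_auth))
             + attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs


def server_respond(request: bytes, secret: bytes, users: dict) -> bytes:
    """Toy RADIUS server.  A real server selects the secret by the sender's
    source IP, which is why both nodes of an HA-pair must be registered clients."""
    _code, ident, length = struct.unpack("!BBH", request[:4])
    req_auth, attrs = request[4:20], parse_attrs(request[20:length])
    entry = users.get(attrs[USER_NAME].decode())
    password = pap_decrypt(attrs[USER_PASSWORD], secret, req_auth)
    if entry and hmac.compare_digest(entry[0], password):
        code, resp_attrs = ACCESS_ACCEPT, attr(FILTER_ID, entry[1])
    else:
        code, resp_attrs = ACCESS_REJECT, b""
    header = struct.pack("!BBH", code, ident, 20 + len(resp_attrs))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return header + hashlib.md5(header + req_auth + resp_attrs + secret).digest() + resp_attrs


def ui_role_from_response(response: bytes, request: bytes, secret: bytes):
    """Client side: verify the reply is authentic and belongs to this request,
    then map Filter-ID to a UI role.  None means no UI session is granted."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    if ident != request[1]:
        return None
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:length] + secret).digest()
    if not hmac.compare_digest(expected, response[4:20]) or code != ACCESS_ACCEPT:
        return None
    return ROLE_BY_FILTER_ID.get(parse_attrs(response[20:length]).get(FILTER_ID))


def login(user: str, password: str, client_secret: bytes = SECRET, server_secret: bytes = SECRET):
    """Run one full exchange and return the UI role granted, or None."""
    req = access_request(user, password, client_secret, "10.0.0.5")
    return ui_role_from_response(server_respond(req, server_secret, USERS), req, client_secret)


if __name__ == "__main__":
    for u, p in [("alice", "Secret1!"), ("bob", "Secret2!"), ("carol", "Secret3!"), ("alice", "wrong")]:
        print(u, "->", login(u, p))
```

Running the block prints operator for alice, analyst for bob, and None for carol (correct password, but a Filter-ID in the wrong case) and for a wrong password. A mismatched shared secret on either side also yields None: the server decodes the password to garbage and rejects, and the client cannot verify the Response Authenticator, which is the check that stops a spoofed Access-Accept from granting a session.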

Changing the Cisco NAC Profiler UI Admin Password via the CLI

The password for the 'admin' UI user can be changed on a NAC Profiler system from the appliance command line. Follow these steps to change the password:


Step 1 Log into the NAC Profiler Server command line as the 'beacon' system user. For HA-pairs, use the VIP for the pair to ensure the session is with the Primary node.

Step 2 Issue the following command to change the password for the 'admin' UI user:

/usr/beacon/www/bin/userAdmin.php -u 1 password new_pass

Where new_pass is the desired password for the admin user. Because the new password is passed as a command-line argument, it is recorded in the shell history of the account used and is visible in the process list while the command runs; clear the history entry afterwards, or change the password again from the UI once you have regained access.

Step 3 Initiate a session to the NAC Profiler UI and attempt login as the admin user with new password.



Tip This procedure can also be used to recover the password for the admin UI user, provided the root system user password for the NAC Profiler Server is known.