Cisco ACNS Software Deployment and Configuration Guide, Release 5.1
Chapter 9: Configuring User Authentication and Assigning Privileges

Table Of Contents

Configuring User Authentication and Assigning Privileges

Configuring External Authentication Servers

Configuring LDAP Server Settings

Configuring NTLM Server Settings

Configuring RADIUS Server Settings

Configuring TACACS+ Server Settings

Configuring Login Authentication and Configuration Authorization

Configuring Content Request Authentication

Setting the Authentication Scheme for Request Authentication

Authentication Cache Size Adjustments

Configuring Local User Accounts and Assigning Privileges

Creating and Managing User Accounts

Creating New User Accounts in the Content Distribution Manager GUI

Modifying and Deleting User Accounts

Viewing User Accounts

Creating and Managing Roles

Modifying and Deleting Roles

Viewing Role Settings

Assigning Roles to User Accounts

Configuring Domains

Adding an Entity to a Domain

Modifying and Deleting Domains

Viewing Domains

Assigning Domains to User Accounts

Changing the CLI User Password

Viewing Audit Trail Logs


Configuring User Authentication and Assigning Privileges


This chapter explains how to configure authentication servers, login and configuration authentication settings, and local user accounts and access privileges. It contains the following sections:

Configuring External Authentication Servers

Configuring Login Authentication and Configuration Authorization

Configuring Content Request Authentication

Configuring Local User Accounts and Assigning Privileges

ACNS 5.x software provides authentication, authorization, and accounting (AAA) support for users who use external access servers, and for users who need a local access database with AAA features.

Authentication (or "login") verifies a user's identity and associates it with the user's IP address. Authorization permits or denies privileges for authenticated users in the network. Accounting logs the authorized use of services by the user and all failed attempts at authentication and authorization.

Some Cisco ACNS network users use an external access server as a centralized location for controlling the authentication, authorization, and accounting of user accounts and activities. External authentication servers are implemented at the protocol and application level with TACACS+, RADIUS, Lightweight Directory Access Protocol (LDAP), and Windows NT LAN Manager (NTLM). Options are provided during Content Distribution Manager setup to choose between using an external access server or the internal (local) Content Distribution Manager-based AAA system for user access management.


Note Only one type of request authentication can be enabled at a time. For example, you cannot enable both LDAP authentication and NTLM authentication at the same time.


Login and configuration privileges are maintained in three databases in ACNS 5.x software: the internal Content Distribution Manager database, TACACS+ database, and RADIUS database. If all databases are enabled, then all databases are queried; if the user data cannot be found in the first database queried, then the second and third databases are queried. By default, the local method is enabled, with TACACS+ and RADIUS both disabled for login and configuration.

Configuring External Authentication Servers

This section describes how to configure LDAP, NTLM, RADIUS, and TACACS+ server settings for the Content Engine.

Configuring LDAP Server Settings

System administrators can use the Content Engine to restrict user Internet access using an LDAP server for authentication purposes. With an HTTP query, the Content Engine obtains a set of credentials from the user (user ID and password) and compares them against those in an LDAP server database. When the Content Engine authenticates a user through the LDAP server, a record of that authentication is stored locally in the Content Engine RAM (authentication cache). As long as the authentication entry is kept, subsequent attempts to access restricted Internet content by that user do not require LDAP server lookups.

The default time interval between the user's last Internet access and the removal of that user's entry from the authentication cache is 480 minutes. The minimum time interval is 1 minute, and the maximum is 1440 minutes (24 hours). The Content Engine forces reauthentication with the LDAP server once this time interval expires.

The Content Engine supports LDAP authentication for both proxy mode and transparent (WCCP) mode access. In proxy mode, the Content Engine uses the client's user ID as the key for the authentication cache, whereas in transparent mode it uses the client's IP address as the key. The Content Engine uses simple (nonencrypted) LDAP authentication to communicate with the LDAP server: the administrative DN password and each user's credentials are sent to the LDAP server in clear text, so the network path between the Content Engine and the LDAP server must be trusted.

ACNS 5.x software supports LDAP Version 2 and Version 3 and supports all LDAP features except Simple Authentication and Security Layer (SASL).

To configure LDAP server settings using the Content Distribution Manager GUI, follow these steps:


Step 1 From the Content Distribution Manager GUI, choose Devices > Content Engines.

Step 2 Click the Edit icon next to the name of the Content Engine that you want to configure. The Contents pane appears on the left.

Step 3 From the Contents pane, choose Authentication > LDAP Server. The LDAP Server Settings window appears. (See Figure 9-1.) Table 9-1 describes the fields shown in this window.

Figure 9-1 LDAP Server Settings Window

Step 4 Check the Enable LDAP Servers check box.

Step 5 Choose the LDAP protocol version to be used from the LDAP Version drop-down list.

Step 6 In the Time to wait field, specify the number of seconds that the Content Engine waits before timing out.

Step 7 In the Number of Retransmits field, specify the number of retry attempts allowed.

Step 8 In the User-id Attribute field, enter the user ID attribute.

Step 9 In the Filter field, enter the filter string to be used by the LDAP server.

Step 10 In the Base Distinguished Name field, enter the base distinguished name string for the search in the LDAP server.

Step 11 In the Administrative DN field, enter the administrative distinguished name.

Step 12 In the Administrative DN password field, enter the administrative distinguished name password.

Step 13 Check the Allow-Mode check box to enable access to users when the LDAP server is unavailable.

Step 14 Check the Active Directory Groups check box to allow the use of Windows Active Directory groups.

Step 15 Specify a port in the Server Port field. The default port value of 389 is suggested.

Step 16 Enter the IP address of the primary LDAP server in the Primary Host field.

Step 17 Enter the IP address of the secondary LDAP server in the Secondary Host field.

Step 18 Click Submit to save the settings.

Table 9-1 LDAP Server Key Parameter Settings 

Parameter
Description
CLI Command

Enable LDAP Servers

Enables HTTP authentication using LDAP servers.

ldap server enable

LDAP Version

LDAP protocol version to be used. Choose either Version 2 or Version 3.

ldap server version

Time to wait

Number of seconds that the Content Engine waits for a response before timing out on a connection to a particular LDAP server. The default value is 5 seconds.

ldap server timeout

Number of Retransmits

Number of times that the Content Engine retries a request to an LDAP server after a timeout before it gives up on that server. The default value is 2 times.

ldap server retransmit

User-id Attribute

Name of the user ID attribute at the LDAP server. The default user ID attribute is "uid."

ldap server userid-attribute

Filter

LDAP filter string. There is no default value.

ldap server filter

Base Distinguished Name

Base distinguished name at which the search of the LDAP server starts. It limits the search to one subtree of the directory, for example the "com" domain.

ldap server base

Administrative DN

Distinguished name of the account that the Content Engine binds as in order to search for a user entry under the chosen base distinguished name.

ldap server administrative-dn

Administrative DN Password

Password for the administrative distinguished name.

ldap server administrative-passwd

Allow-Mode

Allows access to users when the LDAP server is unavailable.

ldap server allow-mode

Active Directory Group

Allows access to Windows Active Directory groups.

ldap server active-directory-group

Server Port

Port number on which the LDAP server is listening. The default port number is 389.

ldap server port

Primary Host

IP address of the primary LDAP server.

ldap server host

Secondary Host

IP address of the secondary LDAP server.

ldap server host
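
Two of the parameters above, User-id Attribute and Filter, are combined with the name the user types into the browser's authentication prompt to form the LDAP search that locates the user's entry under the Base Distinguished Name. The page does not show how ACNS composes that search, so the following is an added example, not ACNS code, of how such a filter should be composed: the configured filter is trusted administrator input, while the user ID is untrusted and is escaped per RFC 4515 so that wildcard or parenthesis characters cannot change the meaning of the search. The function names and the sample user IDs are this example's own.

```python
# Added example: composing the LDAP search filter from the "User-id Attribute"
# and "Filter" settings plus an untrusted user ID.  Not ACNS code; how the
# Content Engine actually builds its search is not documented on this page.

# RFC 4515 section 3: characters that must be escaped inside a filter value.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a value that is embedded in an LDAP filter assertion."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_search_filter(userid_attr: str, configured_filter: str, username: str) -> str:
    """Return the filter that locates `username` by `userid_attr`.

    userid_attr       -- the "User-id Attribute" setting, e.g. "uid"
    configured_filter -- the optional "Filter" setting, trusted configuration
    username          -- what the user typed into the HTTP auth prompt (untrusted)
    """
    # Attribute descriptions are letters, digits and hyphens (RFC 4512).
    if not userid_attr or not userid_attr.replace("-", "").isalnum():
        raise ValueError(f"invalid attribute name: {userid_attr!r}")
    user_clause = f"({userid_attr}={escape_filter_value(username)})"
    if not configured_filter:
        return user_clause
    if not (configured_filter.startswith("(") and configured_filter.endswith(")")):
        configured_filter = f"({configured_filter})"
    return f"(&{user_clause}{configured_filter})"


def build_search_filter_unescaped(userid_attr: str, configured_filter: str, username: str) -> str:
    """The same composition without escaping, kept only to show what goes wrong."""
    user_clause = f"({userid_attr}={username})"
    return f"(&{user_clause}{configured_filter})" if configured_filter else user_clause


if __name__ == "__main__":
    # Constructed inputs: a normal login, a bare wildcard, and a clause injection.
    for name in ("alice", "*", "bob)(uid=*"):
        print("unescaped:", build_search_filter_unescaped("uid", "(objectClass=person)", name))
        print("escaped:  ", build_search_filter("uid", "(objectClass=person)", name))
```

With escaping, a user ID of `*` searches for a literal asterisk and matches nothing; without it, `(uid=*)` matches every entry under the base DN, and whatever the Content Engine does next (for example binding as the first matched entry) is then driven by the attacker's choice of filter rather than by the administrator's.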



Configuring NTLM Server Settings

The NTLM protocol can be used to authenticate and block user access to the Internet. When a user logs in to a Windows NT or a Windows 2000 domain and starts a browser, the authentication information is stored by the browser and later used as NTLM credentials to access the Internet. The browser sends the NTLM credentials with the domain name to the ACNS software cache, which in turn sends a request to the Windows NT domain controller to check the validity of the user in the domain. If the user is not a valid user in the domain, then the request to access the Internet is denied. If authentication succeeds, the source IP address is entered in the authentication cache. Future requests from this IP address are not challenged until the authentication cache entry expires or is cleared.

Before invoking an NTLM authentication request, make sure that the following conditions exist:

The NTLM primary domain controller (PDC) has an entry in the DNS that matches its NetBIOS-named computer account.

The primary domain controller is both forward and reverse DNS-resolvable.

The domain name configured on the Content Engine should be a domain that can be authenticated through the primary domain controller.


Note This domain can be either a domain hosted by the PDC, or a trusted domain that the PDC can authenticate by contacting other PDCs.


To configure NTLM server settings using the Content Distribution Manager GUI, follow these steps:


Step 1 From the Content Distribution Manager GUI, choose Devices > Content Engines.

Step 2 Click the Edit icon next to the name of the Content Engine that you want to configure. The Contents pane appears on the left.

Step 3 From the Contents pane, choose Authentication > NTLM Server. The NTLM Server Settings window appears. (See Figure 9-2.) Table 9-2 describes the fields shown in this window.

Figure 9-2 NTLM Server Settings Window

Step 4 Check the Enable NTLM Servers check box.

Step 5 In the Domain Name field, enter the domain name in which users should be authenticated.

Step 6 In the Primary Domain Server field, enter the IP address for the primary domain server.

Step 7 In the Secondary Domain Server field, enter the IP address for the secondary domain server.

Step 8 Click Submit to save the settings.

Table 9-2 NTLM Server Key Parameter Settings 

Key Parameter
Description
CLI Command

Domain Name

Domain name in which the user should be authenticated.

ntlm server domain name

Primary Domain Server

NTLM server that serves as the primary host.

ntlm server host hostname or ip-address primary

Secondary Domain Server

NTLM server that serves as the secondary host.

ntlm server host hostname or ip-address secondary



Configuring RADIUS Server Settings

RADIUS authentication clients reside on devices running ACNS 5.x software. When enabled, these clients send authentication requests to a central RADIUS server, which contains user authentication and network service access information.


Tip The Content Distribution Manager does not cache the user authentication information. Therefore, the user is reauthenticated against the RADIUS server for every request. To prevent performance degradation caused by many authentication requests, install the Content Distribution Manager in the same location as the RADIUS server, or as close as possible to it, to ensure that authentication requests can occur as quickly as possible.


To configure RADIUS server settings using the Content Distribution Manager GUI, follow these steps:


Step 1 From the Content Distribution Manager GUI, choose Devices > Content Engines.

Step 2 Click the Edit icon next to the name of the Content Engine that you want to configure. The Contents pane appears on the left.

Step 3 From the Contents pane, choose Authentication > RADIUS Server. The RADIUS Server Settings window appears. (See Figure 9-3.) Table 9-3 describes the fields in this window.

Figure 9-3 RADIUS Server Settings Window

Step 4 Check the Enable RADIUS Servers check box to enable RADIUS authentication.

Step 5 In the Time to wait field, specify how long the Content Engine should wait before timing out. The default value is 5 seconds.

Step 6 In the Number of Retransmits field, specify the number of retry attempts allowed.

Step 7 Check the Enable Redirect check box to enable RADIUS redirection.

Step 8 Enter a redirect message for the user in the Redirect Message field. Three redirect messages are allowed.

Step 9 In the Location field, enter a location where the redirect message should be sent. Three separate locations are allowed.

Step 10 In the Shared Encryption Key field, enter the secret key that is used to communicate with the RADIUS server.

Step 11 Enter an IP address or host name information in the Server Name field. Five different hosts are allowed.

Step 12 In the Server Port field, enter the port number on which the RADIUS server is listening. Five different ports are allowed.

Step 13 Click Submit to save the settings.

Table 9-3 RADIUS Server Key Parameter Settings 

Key Parameter
Description
CLI Command

Enable RADIUS Servers

Enables HTTP authentication using RADIUS servers.

radius-server enable

Time to wait

Number of seconds to wait for a response before timing out on a connection to a particular RADIUS server. The range is from 1 to 20 seconds. The default value is 5 seconds.

radius-server timeout

Number of retransmits

Number of times that the Content Engine retries a request to a RADIUS server after a timeout before it gives up on that server. The default value is 2 times.

radius-server retransmit

Enable redirect

Redirects the user's browser to a configured location, with a configured message, when an authentication request to the RADIUS server fails.

radius-server redirect enable

Redirect Message

Message sent to the user if redirection occurs.

radius-server redirect message

Location

Sets an HTML page location. This is the URL destination of authentication failure instructions. The first location is a required entry.

radius-server redirect message reply location url

Shared Encryption Key

Shared secret configured on both the Content Engine and the RADIUS server. RADIUS uses it to hide the User-Password attribute and to validate replies; the rest of the exchange is not encrypted.

radius-server key keyword

Server Name

IP address or host name of the RADIUS server.

radius-server host hostname or ip-address

Server Port

Port number on which the RADIUS server is listening.

radius-server host auth-port port
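
The "Shared Encryption Key" in the table above is worth understanding precisely, because it protects less than its name suggests. The following is an added example, not ACNS code: it builds a RADIUS Access-Request with the User-Password hiding of RFC 2865 section 5.2 using only the Python standard library, so you can see which part of the packet the shared secret actually covers. The secret, user name and password are constructed for the example.

```python
# Added example: what the RADIUS shared secret does to an Access-Request.
# This is the User-Password hiding of RFC 2865 section 5.2 written with the
# standard library only; it is not ACNS code.  The sample secret, user name
# and password below are constructed for the example.
import hashlib
import os
import struct
from typing import Optional

CODE_ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2


def _padded_len(n: int) -> int:
    """User-Password is sent in 16-octet blocks, at least one."""
    return 16 * max(1, (n + 15) // 16)


def hide_password(secret: bytes, authenticator: bytes, password: bytes) -> bytes:
    """Obfuscate the password: each 16-octet block is XORed with
    MD5(secret + previous ciphertext block), seeded with the Request
    Authenticator.  This is a keyed MD5 stream, not encryption in any
    modern sense, and it covers only this one attribute."""
    if len(password) > 128:
        raise ValueError("RADIUS User-Password is limited to 128 octets")
    padded = password.ljust(_padded_len(len(password)), b"\x00")
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += block
        prev = block
    return bytes(out)


def reveal_password(secret: bytes, authenticator: bytes, hidden: bytes) -> bytes:
    """Inverse of hide_password, as the RADIUS server performs it."""
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return bytes(out).rstrip(b"\x00")


def build_access_request(secret: bytes, username: bytes, password: bytes,
                         identifier: int = 0,
                         authenticator: Optional[bytes] = None) -> bytes:
    """Assemble an Access-Request.  Only User-Password is hidden; User-Name and
    every other attribute are carried in the clear."""
    authenticator = authenticator or os.urandom(16)
    hidden = hide_password(secret, authenticator, password)
    attrs = (bytes([ATTR_USER_NAME, 2 + len(username)]) + username
             + bytes([ATTR_USER_PASSWORD, 2 + len(hidden)]) + hidden)
    header = struct.pack("!BBH", CODE_ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def parse_attributes(packet: bytes) -> dict:
    """Walk the attribute TLVs that follow the 20-octet header."""
    attrs, pos = {}, 20
    while pos < len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return attrs


if __name__ == "__main__":
    secret, auth = b"s3cret-shared-key", os.urandom(16)
    pkt = build_access_request(secret, b"alice", b"hunter2", authenticator=auth)
    attrs = parse_attributes(pkt)
    print("User-Name on the wire:", attrs[ATTR_USER_NAME])          # readable
    print("User-Password on the wire:", attrs[ATTR_USER_PASSWORD].hex())
    print("recovered by the server:", reveal_password(secret, auth, attrs[ATTR_USER_PASSWORD]))
```

The user name, the NAS attributes and the reply itself are never encrypted, and the password hiding is an MD5 keystream derived from the secret, so a weak or short shared secret can be recovered offline from one captured request. Use a long random secret and keep the RADIUS traffic on a network path you control.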



Configuring TACACS+ Server Settings

The TACACS+ database validates users before they gain access to a Content Engine. TACACS+ is a Cisco extension of the TACACS protocol documented in RFC 1492, and is used by Cisco Systems as an additional control of nonprivileged and privileged mode access. ACNS 5.x software supports TACACS+ only and not TACACS or Extended TACACS.

To enable TACACS+ for HTTP request authentication, use the tacacs enable global configuration command. This authentication is independent of the user authentication and authorization options shown in the "Configuring HTTP and HTTPS Settings" section.


Tip The Content Distribution Manager does not cache user authentication information. Therefore, the user is reauthenticated against the TACACS+ server for every request. To prevent performance degradation caused by many authentication requests, install the Content Distribution Manager in the same location as the TACACS+ server, or as close as possible to it, to ensure that authentication requests can occur as quickly as possible.


To configure TACACS+ server settings using the Content Distribution Manager GUI, follow these steps:


Step 1 From the Content Distribution Manager GUI, choose Devices > Content Engines.

Step 2 Click the Edit icon next to the name of the Content Engine that you want to configure. The Contents pane appears on the left.

Step 3 From the Contents pane, choose Authentication > TACACS+ Server. The TACACS+ Server Settings window appears. (See Figure 9-4.) Table 9-4 describes the fields in this window.

Figure 9-4 TACACS+ Server Settings Window

Step 4 Check the Enable TACACS+ Servers check box to enable TACACS+ authentication.

Step 5 Check the Use ASCII Password Authentication check box to use the ASCII password type for authentication. The default password type is PAP (Password Authentication Protocol). However, you can change the password type to ASCII when the authentication packets are to be sent in ASCII clear text format.

Step 6 In the Time to wait field, specify how long the Content Engine should wait before timing out. The default value is 5 seconds.

Step 7 In the Number of Retransmits field, specify the number of retry attempts allowed. The default value is 2.

Step 8 In the Security Word field, enter the secret key that is used to communicate with the TACACS+ server.

Step 9 In the Primary Server field, enter an IP address or host name information for the primary TACACS+ server.

Step 10 In the Secondary Server field, enter an IP address or host name information for a secondary TACACS+ server.

Step 11 In the Tertiary Server field, enter an IP address or host name information for a tertiary TACACS+ server.

Step 12 Click Submit to save the settings.

Table 9-4 TACACS+ Server Key Parameter Settings

Key Parameter
Description
CLI Command

Enable TACACS+ Servers

Enables TACACS+ authentication.

tacacs enable

Use ASCII Password Authentication

Changes the default password type from PAP (Password Authentication Protocol) to ASCII clear text format.

 

Time to wait

Number of seconds to wait for a response before timing out on a connection to a particular TACACS+ server. The range is from 1 to 20 seconds. The default value is 5 seconds.

tacacs timeout

Number of retransmits

Number of times that the Content Engine retries a request to a TACACS+ server after a timeout before it gives up on that server. The default value is 2 times.

tacacs retransmit

Security Word

Encryption key shared with the TACACS+ server.

tacacs key

Primary Server

IP address or host name of the primary TACACS+ server.

tacacs server ip-address or hostname [primary]

Secondary Server

Tertiary Server

IP address or host name of a backup TACACS+ server. Two backup servers are allowed.

tacacs server ip-address or hostname



Configuring Login Authentication and Configuration Authorization

Login authentication is the act of verifying usernames and passwords. Configuration authentication or authorization refers to the setting of privileges for authenticated users in a network. Generally, login authentication precedes configuration authorization in a network.

To configure login authentication and configuration authorization, follow these steps. In this example, local is configured as the primary database, TACACS+ as the secondary database, and RADIUS as the tertiary database.


Step 1 From the Content Distribution Manager GUI, choose Devices > Content Engines.

Step 2 Click the Edit icon next to the name of the Content Engine that you want to configure. The Contents pane appears on the left.

Step 3 From the Contents pane, choose Authentication > Login Authentication. The Login Authentication Settings window appears. (See Figure 9-5.)

Figure 9-5 Login Authentication Settings Window

Step 4 Check the Enable Failover Server Unreachable check box to query the secondary authentication database if the primary authentication server is unreachable. (Optional.)

To use this feature, you must set TACACS+ or RADIUS as the primary authentication method and local as the secondary authentication method.

Step 5 Check the Authentication Login Servers check box.

This enables authentication privileges using the local, TACACS+, or RADIUS databases.

Step 6 From the drop-down list, choose local as the selection for the Primary Login Server.

Step 7 From the drop-down list, choose TACACS+ as the selection for the Secondary Login Server.

Step 8 From the drop-down list, choose RADIUS as the selection for the Tertiary Login Server.

Step 9 Check the Authentication Config Servers check box.

This enables authorization privileges using the local, TACACS+, or RADIUS databases.

Step 10 From the drop-down list, choose local as the selection for the Primary Config Server.

Step 11 From the drop-down list, choose TACACS+ as the selection for the Secondary Config Server.

Step 12 From the drop-down list, choose RADIUS as the selection for the Tertiary Config Server.

Step 13 Click Submit to add authentication and authorization settings for the Content Engine.


Note You must configure TACACS+ and RADIUS servers before you submit these settings. See the "Configuring TACACS+ Server Settings" section and the "Configuring RADIUS Server Settings" section for information on how to configure these servers.
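
The order in which the login databases are consulted, and the effect of the Enable Failover Server Unreachable option, decide whether a rejection by the central server can be retried against a local account. The following is an added example, not ACNS code, that models the chain as this page describes it: databases are queried in the configured order, and with failover-on-unreachable the next database is consulted only when the primary server does not answer, which is why that mode requires TACACS+ or RADIUS first and local second. The outcome names, the split between "unknown user" and "rejected", and the sample backends are this example's own modelling choices; confirm the exact fall-through rule of a release by testing it.

```python
# Added example: the login-authentication method chain as this page describes
# it.  Not ACNS code.  Outcome names, the split between "unknown user" and
# "rejected", and the sample backends are this example's own modelling choices.
from enum import Enum
from typing import Callable, List, Tuple


class Outcome(Enum):
    ACCEPT = "accept"
    NOT_FOUND = "not_found"      # database answered: no such user
    REJECT = "reject"            # database answered: wrong credentials
    UNREACHABLE = "unreachable"  # no answer after timeout and retransmits


Backend = Callable[[str, str], Outcome]          # backend(user, password)
Chain = List[Tuple[str, Backend]]                 # [("tacacs+", backend), ...]
REMOTE_METHODS = {"tacacs+", "radius"}


def validate_chain(chain: Chain, failover_server_unreachable: bool) -> None:
    """Enforce the page's constraints: each method at most once; with
    failover-on-unreachable, a remote server is primary and local secondary."""
    names = [name for name, _ in chain]
    if len(names) != len(set(names)):
        raise ValueError("each method may appear once in the chain")
    if failover_server_unreachable and (
            len(names) < 2 or names[0] not in REMOTE_METHODS or names[1] != "local"):
        raise ValueError("failover-server-unreachable needs TACACS+ or RADIUS "
                         "primary and local secondary")


def authenticate(chain: Chain, user: str, password: str,
                 failover_server_unreachable: bool = False) -> Tuple[Outcome, str]:
    """Walk the chain in order; return (outcome, name of the deciding method).

    Default mode: a database that does not know the user, or does not answer,
    is skipped and the next one is queried; a definite rejection is final.
    Failover-on-unreachable mode: only an unanswered query moves on, so a
    rejection by the central server cannot be retried against local accounts.
    """
    validate_chain(chain, failover_server_unreachable)
    last = (Outcome.NOT_FOUND, "none")
    for name, backend in chain:
        result = backend(user, password)
        last = (result, name)
        if result is Outcome.ACCEPT:
            return last
        if failover_server_unreachable:
            if result is Outcome.UNREACHABLE:
                continue
            return last
        if result is Outcome.REJECT:
            return last
        # NOT_FOUND or UNREACHABLE in default mode: try the next database
    return last


def local_db(users: dict) -> Backend:
    """Sample local database: {username: password}."""
    def backend(user: str, password: str) -> Outcome:
        if user not in users:
            return Outcome.NOT_FOUND
        return Outcome.ACCEPT if users[user] == password else Outcome.REJECT
    return backend


def fixed(outcome: Outcome) -> Backend:
    """Sample remote server that always answers the same way (or not at all)."""
    return lambda user, password: outcome


if __name__ == "__main__":
    # The page's example order: local primary, TACACS+ secondary, RADIUS tertiary.
    chain = [("local", local_db({"admin": "pw"})),
             ("tacacs+", fixed(Outcome.ACCEPT)), ("radius", fixed(Outcome.UNREACHABLE))]
    print(authenticate(chain, "alice", "x"))            # decided by tacacs+
    # Failover order: TACACS+ down, the local break-glass account still works...
    hard = [("tacacs+", fixed(Outcome.UNREACHABLE)), ("local", local_db({"admin": "pw"}))]
    print(authenticate(hard, "admin", "pw", failover_server_unreachable=True))
    # ...but a TACACS+ rejection is final and local is not consulted.
    hard[0] = ("tacacs+", fixed(Outcome.REJECT))
    print(authenticate(hard, "admin", "pw", failover_server_unreachable=True))
```

The practical difference: with local first (the page's example), a local password is always sufficient, so the central server's lockout and logging never see that login. With a remote server first and failover only on unreachability, the local account is usable only while the server is down.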



Configuring Content Request Authentication

This section outlines the requirements for the Content Distribution Manager authentication and authorization management system and the integration with back-end access control servers.

ACNS 5.x software supports TACACS+, NTLM, LDAP, and RADIUS server HTTP request authentication. In the case of NTLM, HTTP request authentication authenticates a user's domain, username, and password with a preconfigured primary domain controller (PDC) before allowing requests from the user to be served by the Content Engine.

Setting the Authentication Scheme for Request Authentication

To enable an authentication scheme for request authentication, follow these steps:


Step 1 From the Content Distribution Manager GUI, choose Devices > Content Engines.

Step 2 Click the Edit icon next to the name of the Content Engine that you want to configure. The Contents pane appears on the left.

Step 3 From the Contents pane, choose Authentication > Authentication Scheme. (See Figure 9-6.)

Figure 9-6 Authentication Scheme Settings Window

Step 4 Choose an authentication scheme from the Authentication Scheme drop-down list.


Note You must configure and enable an authentication server before you can save the authentication scheme settings from this window.


Step 5 Click Submit to save the settings.


Authentication Cache Size Adjustments

If the authentication cache is not large enough to accommodate all authenticated users at the same time, the Content Engine purges older entries that have not yet timed out.

The default time interval between the user's last Internet access and the removal of that user's entry from the authentication cache is 480 minutes. The minimum time interval is 1 minute, and the maximum is 1440 minutes (24 hours). The Content Engine forces reauthentication with the access control server once this time interval expires.

When LDAP, RADIUS, or TACACS+ is used in proxy redirection mode, the authentication record kept in the authentication cache is indexed by the username and password entered. When LDAP, RADIUS, or TACACS+ is used in WCCP-enabled router redirection (transparent) mode, the authentication record is indexed by the IP address of the client that sent the request.

When an NTLM server is used in either proxy redirection mode or WCCP-enabled router redirection mode, all authentication records are indexed by the IP address of the requesting client. Because an IP-keyed entry authenticates every subsequent request from that address until it expires or is cleared, hosts that share an address (for example, behind NAT) share the authentication.
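
The cache behaviour described in this section and in the LDAP section above (key selection by mode and scheme, an idle timeout of 1 to 1440 minutes with a default of 480, and purging of older entries when the cache is full) is modelled in the following added example. It is not ACNS code; the class name, method names and least-recently-used eviction order are this example's own, and the sample users and addresses are constructed.

```python
# Added example: a model of the Content Engine's request-authentication cache
# as this page describes it (keyed by user ID in proxy mode, by client IP in
# transparent mode and always for NTLM; idle timeout 1..1440 minutes, default
# 480; older entries purged when the cache is full).  Not ACNS code; the class
# name, method names and least-recently-used eviction order are this example's own.
from collections import OrderedDict

MIN_TIMEOUT_MIN, MAX_TIMEOUT_MIN, DEFAULT_TIMEOUT_MIN = 1, 1440, 480


def cache_key(scheme: str, mode: str, username: str, client_ip: str) -> str:
    """Choose the cache key the page describes for a scheme/mode combination."""
    if scheme == "ntlm" or mode == "transparent":
        return f"ip:{client_ip}"
    if mode == "proxy":
        return f"user:{username}"
    raise ValueError(f"unknown mode {mode!r}")


class AuthCache:
    def __init__(self, max_entries: int, timeout_min: int = DEFAULT_TIMEOUT_MIN):
        if not MIN_TIMEOUT_MIN <= timeout_min <= MAX_TIMEOUT_MIN:
            raise ValueError("timeout must be between 1 and 1440 minutes")
        self.max_entries = max_entries
        self.timeout_s = timeout_min * 60
        self._entries = OrderedDict()   # key -> time of last access (seconds)

    def lookup(self, key: str, now: float) -> bool:
        """True if the key is still authenticated.  A hit refreshes the
        last-access time because the timeout is measured from the last access."""
        last = self._entries.get(key)
        if last is None:
            return False
        if now - last >= self.timeout_s:
            del self._entries[key]      # expired: the next request must reauthenticate
            return False
        self._entries[key] = now
        self._entries.move_to_end(key)
        return True

    def insert(self, key: str, now: float) -> None:
        """Record a successful authentication.  When the cache is full, the
        least recently used live entry is purged even though it has not expired."""
        self._purge_expired(now)
        if key not in self._entries and len(self._entries) >= self.max_entries:
            self._entries.popitem(last=False)
        self._entries[key] = now
        self._entries.move_to_end(key)

    def _purge_expired(self, now: float) -> None:
        expired = [k for k, t in self._entries.items() if now - t >= self.timeout_s]
        for k in expired:
            del self._entries[k]

    def __len__(self) -> int:
        return len(self._entries)


if __name__ == "__main__":
    cache = AuthCache(max_entries=1000)
    key = cache_key("ldap", "transparent", "alice", "10.0.0.5")
    cache.insert(key, now=0.0)
    # In transparent mode every host that presents 10.0.0.5 (for example a NAT
    # pool) is served from alice's entry without being challenged.
    print(cache.lookup(cache_key("ldap", "transparent", "mallory", "10.0.0.5"), now=60.0))
    print(cache.lookup(cache_key("ldap", "proxy", "mallory", "10.0.0.5"), now=60.0))
```

Two consequences follow from the model. The timeout is an idle timeout, so a client that keeps browsing is never forced to reauthenticate; and an undersized cache evicts live users, which shows up as unexpected reauthentication prompts rather than as an error.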

Configuring Local User Accounts and Assigning Privileges

In a service provider environment, it is necessary to manage user authorization to services and access to domains (sets of Content Engines, device groups, and content providers). Typically, a service provider creates a user account for itself with admin-level privileges, and then creates user accounts for its customers. Service provider customers then have the ability to set up and manage user accounts on their own, which inherit the same level of rights as their main customer account, unless the customers choose to further limit user account privileges.

ACNS 5.x software provides services for user administration, role management, domain management, and accounting. These services can be configured in the Content Distribution Manager GUI.

Tasks include the following:

Creating and Managing User Accounts

Creating and Managing Roles

Configuring Domains

Changing the CLI User Password

In ACNS 5.0 software, any user with user, role, and domain service rights enabled can create user accounts and assign roles and domains as well as modify any other user accounts in the Content Distribution Manager. The problem is that these users can give any user authorizations to services that they themselves do not have. Similarly they can assign access control to domains that they do not have access to.

To address this problem, ACNS 5.1 software provides a new type of user account called the user manager. The user manager is responsible for creating a group of user accounts and managing only that group of accounts.

User managers must be assigned the admin role, which authorizes all services and access to all domains. Only users with admin-level authorization are allowed to create and manage user accounts.

User manager accounts created in ACNS 5.0 software that do not meet this requirement are prevented from performing user manager services after an upgrade to ACNS 5.1 software. In other words, these users can log in to the Content Distribution Manager GUI but do not have access to the User Management pages. The User Management pages can be enabled again for these accounts by raising their authorization to the admin role, which only users with the admin role can do.
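
The problem described above is a classic authorization-model flaw: the right to edit accounts was separate from holding the privileges being handed out. The following added example, not ACNS code, models roles as sets of enabled services and domains as sets of entities, as this page describes them, and contrasts the 5.0 behaviour (the user, role and domain services are sufficient to assign anything) with the 5.1 rule (only a holder of the admin role manages accounts). The service names, role names and users are this example's own.

```python
# Added example: the privilege-assignment problem this page attributes to ACNS
# 5.0 and the 5.1 rule that replaces it.  Not ACNS code; roles are modelled as
# sets of enabled services and domains as sets of entities, as the page
# describes, and all names here are this example's own.
from dataclasses import dataclass, field

ALL_SERVICES = frozenset({"users", "roles", "domains", "content", "devices"})
ADMIN_ROLE = "admin"


@dataclass
class Role:
    name: str
    services: frozenset


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)    # role names
    domains: set = field(default_factory=set)  # domain names


class Directory:
    def __init__(self) -> None:
        self.roles = {ADMIN_ROLE: Role(ADMIN_ROLE, ALL_SERVICES)}

    def services_of(self, user: User) -> frozenset:
        return frozenset().union(*(self.roles[r].services for r in user.roles))

    def is_admin(self, user: User) -> bool:
        return ADMIN_ROLE in user.roles

    def _check_roles_exist(self, roles) -> None:
        unknown = set(roles) - self.roles.keys()
        if unknown:
            raise ValueError(f"unknown roles: {sorted(unknown)}")

    def assign_v50(self, actor: User, target: User, roles=(), domains=()) -> None:
        """ACNS 5.0 behaviour as the page describes it: holding the user, role
        and domain services is enough, so the actor can hand out roles and
        domains it does not hold itself."""
        self._check_roles_exist(roles)
        needed = {"users"}
        if roles:
            needed.add("roles")
        if domains:
            needed.add("domains")
        if not needed <= self.services_of(actor):
            raise PermissionError("actor lacks the user/role/domain services")
        target.roles |= set(roles)
        target.domains |= set(domains)

    def assign_v51(self, actor: User, target: User, roles=(), domains=()) -> None:
        """ACNS 5.1 rule: only a holder of the admin role manages accounts."""
        self._check_roles_exist(roles)
        if not self.is_admin(actor):
            raise PermissionError("only the admin role may manage user accounts")
        target.roles |= set(roles)
        target.domains |= set(domains)


if __name__ == "__main__":
    d = Directory()
    d.roles["helpdesk"] = Role("helpdesk", frozenset({"users", "roles", "domains"}))
    helpdesk = User("hd", roles={"helpdesk"}, domains={"east"})
    sock = User("sock")
    d.assign_v50(helpdesk, sock, roles={"admin"}, domains={"west"})
    print("5.0: helpdesk made sock an admin in a domain it cannot see:", d.is_admin(sock))
    try:
        d.assign_v51(helpdesk, User("sock2"), roles={"admin"})
    except PermissionError as e:
        print("5.1:", e)
```

The 5.1 rule closes the escalation by collapsing user management into the admin role. A finer-grained alternative, not what the page describes, would let a non-admin assign only roles and domains that are a subset of its own; the 5.1 rule is simpler to audit.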

Creating and Managing User Accounts

When you create a user account, you enter information about the user. A user account contains a username, the name of the individual who owns the account, contact information, job title, and department. All user account information is stored in an internal database on the Content Distribution Manager.

Each user account can then be assigned to a role and a domain. A role defines which Content Distribution Manager GUI configuration pages the user can access and which services the user has authority to configure or modify. A domain defines which entities in the network the user can access and configure or modify. You can assign a user account to zero or more roles, and to zero or more domains.

Two default user accounts are preconfigured in the Content Distribution Manager and come with the ACNS software. The first account, called admin, is assigned the admin role that allows access to all services and access to all entities in the system. This account cannot be deleted from the system, but it can be modified. Only the username and the role for this account are unchangeable.

The second preconfigured user account is called default. Any user account that is authenticated but has not been registered in the Content Distribution Manager obtains the access rights (role and domains) assigned to the default account. This account is configurable, but it cannot be deleted nor its username changed. Because every externally authenticated user without an account of their own inherits these rights, keep the role and domains assigned to the default account to the minimum required.

Using the Content Distribution Manager GUI, you can perform these tasks:

Create a new user account.

Modify and delete existing user accounts.

View all user accounts in the system.

Creating New User Accounts in the Content Distribution Manager GUI

When you create a new user account in the Content Distribution Manager GUI, you have the option to enable the user account in the CLI at the same time. Enabling the new account in the CLI provides the following benefits:

The user account is created in the primary Content Distribution Manager management database and in the CLI from one central point.

The user account is created in the management database and in the CLI of any standby Content Distribution Managers.

Users can change their passwords, and the password change will propagate to standby Content Distribution Managers.

If you choose to create the user account in the GUI without enabling the CLI user, the following results apply:

The user account is created in the primary and standby Content Distribution Manager management databases.

No user account is created in the CLI and the user cannot log into the Content Distribution Manager GUI until an account is created from the CLI.

Users cannot change their passwords.

To create a new user account, follow these steps:


Step 1 Choose Admin > Users. Click the Create New User Accounts icon. The Creating New User Account window appears. (See Figure 9-7.)

Figure 9-7 Creating New User Account Window

Step 2 Enter the user account name in the Username field.

Step 3 Check the Create CLI User check box to allow CLI configuration privileges. To deny CLI configuration privileges, leave the check box unchecked.

Step 4 Enter a password for the CLI user in the Password field and reenter the same password in the Confirm Password field.

Step 5 Choose a privilege level for the CLI user from the drop-down list. The choices are 0 (zero) (normal user) or 15 (superuser). The default value is 0.


Note A superuser can use privileged EXEC-level commands, whereas a normal user can use only user-level EXEC commands.


Step 6 Enter the following information about the user in the Username fields: First Name, Last Name, Phone Number, Email Address, Job Title, and Department.

Step 7 Enter any additional information about this account in the Comments field.

Step 8 Click Submit.


Modifying and Deleting User Accounts


Note Modifying a user account from the CLI does not update the Centralized Management System (CMS) database.


To modify an existing user account, follow these steps:


Step 1 In the Content Distribution Manager GUI, choose Admin > Users. The User Accounts window appears.

Step 2 Click the Edit icon next to the user account that you want to modify. The Modifying User Account window appears.

Step 3 Edit the name of the user in the Username field, if needed.

Step 4 Check the Change CLI User Password check box to enable the password fields and the privilege level drop-down list for modification.

Step 5 Edit other information or settings as needed.

Step 6 Click Submit to save your settings.



Note Deleting a user account from the CLI does not disable the corresponding user account in the CMS database. Consequently, the user account remains active in the CMS database. User accounts created in the Content Distribution Manager GUI should always be deleted from the Content Distribution Manager GUI.


To delete a user account from the Content Distribution Manager GUI, follow these steps:


Step 1 In the Content Distribution Manager GUI, choose Admin > Users. The User Accounts window appears.

Step 2 Click the Edit icon next to the user account that you want to delete. The Modifying User Account window appears.

Step 3 Click the Trash icon in the taskbar.


Note If the CLI user was created in the GUI, the corresponding CLI user account is removed from the CLI and is also deleted from all standby Content Distribution Managers.


Step 4 Click OK to confirm.


Viewing User Accounts

To view all user accounts, choose Admin > Users from the Content Distribution Manager GUI. The User Accounts window displays all the user accounts in the management database.

Creating and Managing Roles

The Content Distribution Manager provides many types of services. Not all users have access to all services. Users are assigned a role, which indicates what services they have access to. A role is a set of enabled services.

Each user account can be assigned to zero or more roles. Roles are not inherited or embedded. Using the Content Distribution Manager GUI, you can perform these tasks:

Create new roles.

Modify and delete existing roles.

Assign roles to user accounts.

View all roles in the system.

The Content Distribution Manager provides one predefined role, known as the admin role. The admin role has access to all services and all ACNS network entities. To create a role, follow these steps:


Step 1 Choose Admin > Roles. Click the Create New Role icon. The Creating New Role window appears. (See Figure 9-8.)

Figure 9-8 Creating New Role Window

Step 2 Enter the name of the role in the Name field.

Step 3 Check the check box next to the service that you want to enable for this role. To choose all the services under one category simultaneously, check the check box next to the top-level service.

Step 4 Enter any comments about this role in the Comments field.

Step 5 Click Submit.


Modifying and Deleting Roles


Note The admin user account, by default, is allowed access to all services and cannot be modified.


To modify a role, follow these steps:


Step 1 Choose Admin > Roles. The Roles window appears.

Step 2 To modify an existing role, click the Edit Role icon next to the name of the role you want to change. The Modifying Role window appears.

Step 3 Enter a new name or change the existing name of the role in the Name field.

Step 4 Check the check box next to the services that you want to enable for this role. To disable a previously selected service, uncheck the check box next to the service you want to disable. To choose all the services under one category simultaneously, check the check box next to the top-level service.

Step 5 Enter any comments about this role in the Comments field.

Step 6 Click Submit to save your settings.


Viewing Role Settings

You might want to view the role settings before assigning the role to a particular user account.

To view the role settings, follow these steps:


Step 1 Choose Admin > Users. The User Accounts window appears with all configured user accounts listed.

Step 2 Click the Edit icon next to the user account for which you want to assign roles. The Modifying User Account window appears.

Step 3 Choose Role Management from the Contents pane. The Role Management for User Account User window appears.

Step 4 In the Role Management for User Account User window, click the View (eyeglass) icon next to the role name to display a new popup window, the Viewing Role window.

The role names, comments about this role, and services that are enabled for this role are displayed.

Step 5 Click Close once you have finished viewing the settings.


Assigning Roles to User Accounts


Note The admin user account, by default, is assigned to the role that allows access to all domains and access to all entities in the system. It is not possible to change the role for this user account.


To assign roles to user accounts, follow these steps:


Step 1 Choose Admin > Users. The User Accounts window appears with all configured user accounts listed.

Step 2 Click the Edit icon next to the user account for which you want to assign roles. The Modifying User Account window appears.

Step 3 Choose Role Management from the Contents pane. The Role Management for User Account User window appears with all configured role names listed.

Step 4 Click the Assign icon (blue cross mark) that appears next to the role name that you wish to assign to the selected user account.

Step 5 To unassign a previously assigned user account role, click the Unassign icon (green tick mark) next to the role name.


Note Click the Assign all Roles icon next to Roles to assign all roles in the current window to a user account. Alternatively, click the Remove all Roles icon to unassign all roles associated with a user account.


Step 6 Click Submit to save your settings. A green tick mark appears next to the assigned roles and a blue cross mark appears next to the unassigned roles. The roles assigned to this user account will be listed in the Roles section in the Modifying User Account window.


Configuring Domains

A domain is a set of ACNS network entities or objects that make up the ACNS network. Whereas a role defines which services a user can perform in the ACNS network, a domain defines which entities the user has access to. The Content Distribution Manager GUI provides three predefined entity types: an entity can be a Content Engine, a content provider, or a device group. These predefined entity types are treated like services and can be enabled or disabled when you set up user roles.

When you configure a domain, you can choose to include Content Engines, content providers, or device groups in the domain. Using the Content Distribution Manager GUI, you can perform these tasks:

Create new domains.

Modify and delete existing domains.

View all domains in the system.
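The role and domain model described here and in "Creating and Managing Roles" above, as an added Python example that is not Cisco ACNS code: a user's request is checked against the services enabled by the assigned roles and the entities contained in the assigned domains. The service names are hypothetical, and the rule that both the role check and the domain check must pass is an assumption.

```python
"""Added example, not Cisco ACNS code: a model of the role/domain authorization
scheme described above. Assumption: a request is allowed only when an assigned
role enables the requested service AND an assigned domain contains the target
entity; the predefined admin role spans all services and all entities."""
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Entity:
    kind: str   # "content_engine", "content_provider" or "device_group"
    name: str

@dataclass(frozen=True)
class Role:
    name: str
    services: frozenset  # enabled services; a flat set, roles are not inherited

@dataclass(frozen=True)
class Domain:
    name: str
    entity_type: str
    entities: frozenset = frozenset()

@dataclass
class User:
    name: str
    roles: list = field(default_factory=list)    # zero or more roles
    domains: list = field(default_factory=list)  # zero or more domains

ADMIN_ROLE = Role("admin", frozenset({"*"}))  # predefined role: all services

def enabled_services(user):
    """Union of the services of all assigned roles (no inheritance)."""
    return set().union(*(r.services for r in user.roles))

def reachable_entities(user):
    """Union of the entities of all assigned domains."""
    return set().union(*(d.entities for d in user.domains))

def is_authorized(user, service, entity):
    """Service check via roles AND entity check via domains (assumption)."""
    if ADMIN_ROLE in user.roles:   # admin role covers every entity as well
        return True
    if service not in enabled_services(user):
        return False
    return entity in reachable_entities(user)
```

A user with no roles or no domains is denied everything, which is why a freshly created account needs both a role and a domain assignment before it can act on anything.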

To create a new domain, follow these steps:


Step 1 Choose Admin > Domains. Click the Create New Domain icon. The Creating New Domain window appears. (See Figure 9-9.)

Figure 9-9 Creating New Domain Window

Step 2 Enter the name of the domain in the Name field.

Step 3 Choose the entity type that you want to assign to the domain from the Entity Type drop-down list. Entity choices include Content Engines, content providers, or device groups.

Step 4 Enter any comments about this domain in the Comments field.

Step 5 Click Submit. If the entity type you chose has not already been assigned to the domain, then a message indicating that the entity type has not been assigned appears.


Adding an Entity to a Domain

To add an entity to a domain, follow these steps:


Step 1 Choose Admin > Domains and click the Edit icon next to the name of the domain that you want to modify.

Step 2 In the Contents pane, choose Entity Management. The Entity Assignment to Domain window for the current domain appears. (See Figure 9-10.) In Figure 9-10, the entity is a content provider.

Figure 9-10 Entity Assignment to Domain Window—Content Provider Entity Shown

Step 3 To add an entity to the current domain, click the Assign icon (blue cross mark) next to the name of the entity that you want to add. A green tick mark appears next to the selected entity when you submit the window settings.

Alternatively, you can click the Assign all devices icon in the taskbar to add all entities to the selected domain.

Step 4 To remove an entity from the current domain, click the Unassign icon (green tick mark) next to the name of the entity that you want to remove from the domain. A blue cross mark appears next to the unassigned entity on submission of the window settings.

Alternatively, you can click the Unassign All entities icon in the task bar to remove all entities from the domain.

Step 5 Click Submit.


Modifying and Deleting Domains

To modify or delete an existing domain, follow these steps:


Step 1 Choose Admin > Domains. The Domains window appears.

Step 2 Click the Edit icon next to the domain that you want to modify. The Modifying Domain window appears.

Step 3 Modify the settings as desired.

Step 4 Click Submit to save your settings.

Step 5 To delete the domain, click the Trash icon in the taskbar.

Step 6 Click OK to confirm the action.


Viewing Domains

To view the domain configuration for a particular user account, follow these steps:


Step 1 In the Domain Management for User Account User window, click the View (eyeglass) icon next to the domain name to display a new popup window, the Viewing Domain window.

The domain name, entity type, comments about this domain, and entities assigned to this domain are displayed.

Step 2 Click Close after you have finished viewing the settings.


Assigning Domains to User Accounts

To assign domains to user accounts, follow these steps:


Step 1 Choose Admin > Users. The User Accounts window appears with all configured user accounts listed.

Step 2 Click the Edit icon next to the user account for which you want to assign domains. The Modifying User Account window appears.

Step 3 Choose Domain Management from the Contents pane. The Domain Management for User Account User window appears with all configured domains and their entity types listed.

Step 4 Click the Assign icon (blue cross mark) that appears next to the domain name that you wish to assign to the selected user account.

Step 5 To dissociate an already associated domain from the user account, click the Unassign icon (green tick mark) next to the domain name.


Note Click the Assign all Domains icon next to Domains to assign all domains in the current window to a user account. Alternatively, click the Remove all Domains icon to unassign all domains associated with a user account.


Step 6 Click Submit to save your settings. A green tick mark appears next to the assigned domains and a blue cross mark appears next to the unassigned domains. The domains assigned to a user account are listed in the Domains section in the Modifying User Account window.


Changing the CLI User Password


Note You cannot change the password for the admin user account.


When you are logged in to the Content Distribution Manager GUI, you can change your CLI user password, if you meet the following requirements:

Your CLI user account and password were created in the Content Distribution Manager GUI and not in the CLI.

You are authorized to access the password window.


Note We do not recommend changing the CLI user password from the CLI. Any changes to CLI user passwords from the CLI are not updated in the management database and are not propagated to the standby Content Distribution Manager. Therefore, passwords in the management database will not match a new password configured in the CLI.



Note The advantage of initially setting passwords from the Content Distribution Manager GUI is that both the primary and the standby Content Distribution Managers will be synchronized, and GUI users will not have to access the CLI to change their password.


To change your CLI user password, follow these steps:


Step 1 In the Content Distribution Manager GUI, choose Admin > Password. The Changing Password for User Account window appears.

Step 2 Enter the changed password in the New Password field.

Step 3 Reenter the password for confirmation in the Confirm New Password field.

Step 4 Click Submit to save your settings.


Viewing Audit Trail Logs

The Content Distribution Manager logs user activity in the system. The only activities that are logged are those that change the ACNS network. This feature provides accountability in terms of which user did what and when. Logged activities include the following:

Creation of ACNS network entities

Modification and deletion of ACNS network entities

System configurations

To view audit trail logs, follow these steps:


Step 1 Choose Admin > Audit. The Audit Log window appears. (See Figure 9-11.) All logged transactions in the Content Distribution Manager are listed by date and time, user, actual transaction that was logged, and the IP address of the machine that was used.

Figure 9-11 Audit Log Window

Step 2 Choose the number of rows that you want to display by selecting a number from the Rows drop-down list.