Cisco ACNS Software Configuration Guide for Centrally Managed Deployments, Release 5.2 - Chapter 14: Configuring Login Authentication and Authorization [Cisco Application and Content Networking System (ACNS) Software]

Table Of Contents

Configuring Login Authentication, Configuration Authorization and Accounting

Understanding Login Authentication and Authorization

Default Login Authentication and Authorization Configuration

Understanding Login Authentication Failover

Understanding Local Login Authentication and Authorization

Understanding RADIUS Authentication and Authorization

Understanding TACACS+ Authentication and Authorization

Configuring Login Authentication and Configuration Authorization

Configuring Login Authentication Servers

Configuring RADIUS Server Settings

Configuring TACACS+ Server Settings

Configuring Authentication and Authorization Schemes

Understanding User Accounts and Privilege Profiles

Configuring User Accounts and Assigning Privileges

Creating and Managing User Accounts

Creating New User Accounts Using the Content Distribution Manager GUI

Modifying and Deleting User Accounts

Viewing User Accounts

Creating and Managing Roles

Modifying and Deleting Roles

Viewing Role Settings

Assigning Roles to User Accounts

Configuring Domains

Adding an Entity to a Domain

Modifying and Deleting Domains

Viewing Domains

Assigning Domains to User Accounts

Changing the CLI User Password

Configuring AAA Accounting

Viewing Audit Trail Logs

Configuring Login Authentication, Configuration Authorization and Accounting

This chapter explains how to configure login (user) authentication and configuration authorization support for Content Distribution Managers, Content Engines, and Content Routers deployed in a centrally managed environment. It describes how to configure devices to use local authentication, RADIUS, or TACACS+ login authentication methods.

This chapter contains the following sections:

•Understanding Login Authentication and Authorization

•Configuring Login Authentication and Configuration Authorization

•Understanding User Accounts and Privilege Profiles

•Configuring User Accounts and Assigning Privileges

•Configuring AAA Accounting

•Viewing Audit Trail Logs

Note Login (user) authentication and authorization is independent of request authentication and authorization. For information about request authentication and authorization, see "Configuring Request Authentication and Authorization."

Understanding Login Authentication and Authorization

Login authentication and authorization is used to control user access rights to Content Distribution Managers, Content Engines, and Content Routers. Login authentication is the act of verifying usernames and passwords. Configuration authorization refers to the setting of privileges for authenticated users in a network. Generally, login authentication precedes configuration authorization in a network.

When you log in to a device before authentication and authorization have been configured, you can access the device by using the default user account and password. Devices that are running ACNS software come with a single, predefined superuser user account (root administrator) that can be used for initial access to the device in order to initially configure the device and then add other user accounts. The username for this predefined superuser user account is admin and the default password is default. (If these defaults have been changed by another ACNS system administrator, you need to obtain the new username and password.)

Users with administrative privileges can add, delete, or modify user accounts through the Content Distribution Manager GUI or the device CLI. For example, if an administrator logs in to a Content Engine with the predefined ACNS software superuser account (root administrator), the Content Engine grants that user the highest privilege level (level 15), which allows that user to perform any Content Engine administrative task during that login session.

For instance, that user could perform any of the following administrative tasks:

•Configure the Content Engine.

•Obtain statistical information that the Content Engine has collected.

•Reload the device.

For more information about managing user accounts, see the "Understanding User Accounts and Privilege Profiles" section.

User authentication data and user configuration privilege data can be maintained in any combination of these three databases in a centrally-managed ACNS network:

•Content Distribution Manager (local database)

•RADIUS server (external database)

•TACACS+ server (external database)

Options are provided during Content Distribution Manager setup to choose between using an external access server or the internal (local) Content Distribution Manager-based authentication, authorization, and accounting (AAA) system for user access management. You can choose one method or any combination of the three methods.

If all three databases are enabled, then all databases are queried; if the user data cannot be found in the first database queried, then the second and third databases are queried. By default, Content Distribution Managers, Content Engines, and Content Routers use the local database to process login requests, with TACACS+ and RADIUS both disabled for login and configuration.

When the administrator logs in to a Content Distribution Manager, Content Engine, or Content Router, the device checks the specified authentication database to verify the user's username and password and to determine the access rights that this particular user should be granted during this login session.

Note In TACACS+ there is an "enable password" feature that allows an administrator to define a different enable password for each user. If an ACNS user logs in to the Content Engine with a normal user account (privilege level of 0) instead of an admin or admin-equivalent user account (privilege level of 15), the user must enter the admin password in order to access privileged-level EXEC mode. This caveat applies even if these ACNS users are using TACACS+ for login authentication.

Default Login Authentication and Authorization Configuration

Table 14-1 lists the default configuration for login authentication and authorization.

Table 14-1 Default Configuration for Login Authentication and Authorization

Feature

Default Value

Login authentication

Enabled

Configuration authorization

Enabled

Authentication server failover because the authentication server is unreachable

Disabled

TACACS+ login authentication (console and Telnet)

Disabled

TACACS+ authorization (console and Telnet)

Disabled

TACACS+ key

None specified

TACACS+ server timeout

5 seconds

TACACS+ retransmit attempts

2 times

RADIUS login authentication (console and Telnet)

Disabled

RADIUS authorization (console and Telnet)

Disabled

RADIUS server IP address

None specified

RADIUS server UDP authorization port

Port 1645

RADIUS key

None specified

RADIUS server timeout

5 seconds

RADIUS retransmit attempts

2 times

You can change these defaults through the Content Distribution Manager GUI or through the device CLI, as described in the "Configuring Login Authentication and Configuration Authorization" section.

Understanding Login Authentication Failover

By default, ACNS devices fail over to the secondary method of login authentication whenever the primary login authentication method fails. In ACNS software, Release 5.0.5 and later, you can change this default login authentication failover method. For centrally managed deployments, you can use the Content Distribution Manager GUI (for example, choose Devices > Devices > General Settings > Authentication > Login Authentication and check the Enable Failover Server Unreachable box) or the CLI (use the authentication fail-over server unreachable global configuration command) to enable the failover due to unreachable server option.

Failover occurs only if the specified authentication server is unreachable. The following example sets login authentication failover to occur if the authentication server is unreachable. In this case, the Content Engine will only query the next authentication method if the login authentication server is unreachable.
ContentEngine(config)#authentication fail-over server-unreachable
ContentEngine(config)#
To use the login authentication failover feature, you must set TACACS+, or RADIUS as the primary login authentication method, and local as the secondary login authentication method.

If the failover due to unreachable server option is enabled, then note the following:

•Only two login authentication schemes (a primary and secondary scheme) are allowed on the device.

•The device will fail over from the primary authentication scheme to the secondary authentication scheme only if all specified authentication servers of the primary authentication scheme are unreachable.

For example, if the failover due to server unreachable option is enabled and RADUIS is set as the primary login authentication scheme and local is set as secondary login authentication scheme, the following occurs:

1. When the device receives a login request, it queries all configured RADIUS authentication servers.

2. If one of the configured RADIUS servers is reachable, the device uses this RADIUS database to authenticate the user.

3. If all configured RADIUS servers are not reachable, the device tries the secondary authentication scheme (that is, it queries its local authentication database) to authenticate the user.

Note Only if this RADIUS server is not reachable will the local database be contacted for authentication. In any other case (for example, if the authentication fails in the RADIUS server), then the local database is not contacted for authentication.

Conversely, if the failover due to unreachable server option is disabled, then the device contacts the secondary authentication database regardless of the reason why the authentication failed with the primary authentication database.

If all the authentication databases are enabled for use, then all the databases are queried in the order of priority selected and based on the failover reason. If no failover reason is specified, then all the databases are queried in the order of their priority. For example, first the primary authentication database is queried, then the secondary authentication database is queried, and finally the tertiary database is queried.

The local and the remote databases (TACACS+ and RADIUS) can be enabled or disabled through the Content Distribution Manager GUI or through the device CLI. The device verifies whether all are disabled and if so, sets the system to the default state (that is, local database is queried for authentication). (For information about this default state, see the "Default Login Authentication and Authorization Configuration" section.)

For more information on the various types of login authentication and authorization schemes, see the following sections:

•Understanding Local Login Authentication and Authorization

•Understanding RADIUS Authentication and Authorization

•Understanding TACACS+ Authentication and Authorization

For information about how to configure login authentication and authorization on Content Distribution Managers, Content Engines, and Content Routers, see the "Configuring Login Authentication and Configuration Authorization" section

Understanding Local Login Authentication and Authorization

ACNS 5.x software provides authentication, authorization, and accounting (AAA) support for users who need a local access database with AAA features. Local login authentication can be configured on individual Content Engines using the Content Engine GUI or CLI, or when devices are managed centrally, local login can be configured using the Content Distribution Manager GUI.

When the primary login server and primary configuration server are set to local, usernames and passwords are local to each device and are not mapped to individual usernames. Local authentication and authorization uses locally configured login and passwords to authenticate login attempts.

By default, local login authentication is enabled first. You can disable local login authentication only after enabling one or more of the other login authentication methods. However, when local login authentication is disabled, if you disable all other login authentication methods, local login authentication is reenabled automatically.

Understanding RADIUS Authentication and Authorization

RADIUS is a client/server authentication and authorization access protocol used by a network access server (NAS) to authenticate users attempting to connect to a network device. The NAS functions as a client, passing user information to one or more RADIUS servers. The NAS permits or denies network access to a user based on the response it receives from one or more RADIUS servers. RADIUS uses the User Datagram Protocol (UDP) for transport between the RADIUS client and server.

You can configure a RADIUS key on the client and server. If you configure a key on the client, it must be the same as the one configured on the RADIUS servers. The RADIUS clients and servers use the key to encrypt all RADIUS packets transmitted. If you do not configure a RADIUS key, packets are not encrypted. The key itself is never transmitted over the network.

Note For more information about how the RADIUS protocol operates, refer to RFC 2138, Remote Authentication Dial In User Service (RADIUS).

RADIUS authentication is disabled by default. You can enable RADIUS authentication and other authentication methods at the same time. You can also specify which method to use first. For more information about configuring RADIUS authentication, see the "Configuring Login Authentication and Configuration Authorization" section.

Understanding TACACS+ Authentication and Authorization

TACACS+ controls access to network devices by exchanging Network Access Server (NAS) information between a network device and a centralized database to determine the identity of a user or an entity. TACACS+ is an enhanced version of TACACS, a User Datagram Protocol (UDP)-based access-control protocol specified by RFC 1492. TACACS+ uses TCP to ensure reliable delivery and encrypt all traffic between the TACACS+ server and the TACACS+ daemon on a network device.

TACACS+ works with many authentication types, including fixed password, one-time password, and challenge-response authentication. TACACS+ login authentication occurs when a user first logs on to the locally deployed Content Engine.

When a user requests restricted services, TACACS+ encrypts the user password information using the MD5 encryption algorithm and adds a TACACS+ packet header. This header information identifies the packet type being sent (for example, an authentication packet), the packet sequence number, the encryption type used, and the total packet length. The TACACS+ protocol then forwards the packet to the TACACS+ server.

A TACACS+ server can provide authentication, authorization, and accounting functions. These services, while all part of TACACS+, are independent of one another, so a given TACACS+ configuration can use any or all of the three services.7-7

When the TACACS+ server receives a packet, it does the following:

•Authenticates the user information and notifies the client that login authentication has either succeeded or failed.

•Notifies the client that authentication will continue and that the client must provide additional information. This challenge-response process can continue through multiple iterations until login authentication either succeeds or fails.

You can configure a TACACS+ key on the client and server. If you configure a key on the Content Engine, it must be the same as the one configured on the TACACS+ servers. The TACACS+ clients and servers use the key to encrypt all TACACS+ packets transmitted. If you do not configure a TACACS+ key, packets are not encrypted.

TACACS+ authentication is disabled by default. You can enable TACACS+ authentication and local authentication at the same time. For more information about configuring TACACS+ as a login authentication scheme, see the next section.

Configuring Login Authentication and Configuration Authorization

To configure login authentication and authorization for a Content Distribution Manager, Content Engine or Content Router, complete the following tasks:

1. Determine the login authentication scheme that you want to configure the device to use when authenticating login requests (for example, use the local database as the primary login database and your RADIUS server as the secondary authentication database).

2. Configure the login authentication server settings on the device (if a remote authentication database is to be used). (See the "Configuring Login Authentication Servers" section.)

For example, specify the IP address of the remote RADIUS servers or TACACS+ servers that the device should use to authenticate log-in requests.

3. Specify which authentication databases the device should check to process a login request. (See the "Configuring Authentication and Authorization Schemes" section.)

–Specify the login authentication server failover scheme.

–Specify the login server scheme.

–Specify the config server scheme.

Caution Make sure that RADIUS or TACACS+ authentication is configured and operating correctly before disabling local authentication and authorization. If you disable local authentication and RADIUS or TACACS+ is not configured correctly, or if the RADIUS or TACACS+ server is not online, you may be unable to log in to the device.

When local authentication is disabled, if you disable all other authentication methods, local authentication is reenabled automatically.

Configuring Login Authentication Servers

If you have determined that your login authentication scheme is to include one or both external authentication servers, you must configure these server settings before you can configure the authentication scheme in the Content Distribution Manager GUI. The following sections provide steps for configuring RADIUS and TACACS+ server settings using the Content Distribution Manager GUI.

Configuring RADIUS Server Settings

RADIUS authentication clients reside on devices running ACNS 5.x software. When enabled, these clients send authentication requests to a central RADIUS server, which contains user authentication and network service access information.

Tip The Content Distribution Manager does not cache user authentication information. Therefore, the user is reauthenticated against the RADIUS server for every request. To prevent performance degradation caused by many authentication requests, install the Content Distribution Manager in the same location as the RADIUS server, or as close as possible to it, to ensure that authentication requests can occur as quickly as possible.

To configure RADIUS server settings using the Content Distribution Manager GUI, follow these steps:

Step 1 From the Content Distribution Manager GUI, choose Devices > Devices. The Devices window appears.

Step 2 Click the Edit icon next to the name of the device that you want to configure. The Contents pane appears on the left.

Step 3 From the Contents pane, choose General Settings > Authentication > RADIUS Server. The RADIUS Server Settings window appears. (See Figure 14-1.) Table 14-2 describes the fields in this window.

Figure 14-1 RADIUS Server Settings Window

Step 4 Check the Enable RADIUS Servers check box to enable RADIUS authentication.

Step 5 In the Time to wait field, specify how long the Content Engine should wait before timing out. The default value is 5 seconds.

Step 6 In the Number of Retransmits field, specify the number of attempts allowed to connect to a RADIUS server.

Step 7 Check the Enable Redirect check box to enable RADIUS redirection.

Step 8 Enter a redirect message for the user in the Redirect Message field. Three redirect messages are allowed.

Step 9 In the Location field, enter a location where the redirect message should be sent. Three separate locations are allowed.

Step 10 In the Shared Encryption Key field, enter the secret key that is used to communicate with the RADIUS server.

Step 11 Enter an IP address or host name information in the Server Name field. Five different hosts are allowed.

Step 12 In the Server Port field, enter a UDP port number on which the RADIUS server is listening. You must specify at least one port. Five different ports are allowed.

Step 13 Click Submit to save the settings.

Table 14-2 RADIUS Server Settings

Key Parameter

Description

CLI Command

Enable RADIUS Servers

Enables HTTP authentication using RADIUS servers.

radius-server enable

Time to wait

Number of seconds to wait for a response before timing out on a connection to a particular RADIUS server. The range is from 1 to 20 seconds. The default value is 5 seconds.

radius-server timeout

Number of retransmits

Number of attempts allowed to connect to a RADIUS server. The default value is 2 times.

radius-server retransmit

Enable redirect

Redirects an authentication response to a different authentication server if an authentication request using the RADIUS server fails.

radius-server redirect enable

Redirect Message

Message sent to the user if redirection occurs.

radius-server redirect message

Location

Sets an HTML page location.This is the URL destination of the redirect message that is sent when authentication fails.

radius-server redirect message reply location url

Shared Encryption Key

Encryption key shared with the RADIUS server.

radius-server key keyword

Server Name

IP address or host name of the RADIUS server.

radius-server host hostname or ip-address

Server Port

Port number on which the RADIUS server is listening.

radius-server host auth-port port

Configuring TACACS+ Server Settings

The TACACS+ database validates users before they gain access to a Content Engine. TACACS+ is derived from the United States Department of Defense (RFC 1492) and is used by Cisco Systems as an additional control of nonprivileged and privileged mode access. ACNS 5.x software supports TACACS+ only and not TACACS or Extended TACACS.

Tip The Content Distribution Manager does not cache user authentication information. Therefore, the user is reauthenticated against the TACACS+ server for every request. To prevent performance degradation caused by many authentication requests, install the Content Distribution Manager in the same location as the TACACS+ server, or as close as possible to it, to ensure that authentication requests can occur as quickly as possible.

To configure TACACS+ server settings using the Content Distribution Manager GUI, follow these steps:

Step 1 From the Content Distribution Manager GUI, choose Devices > Devices. The Devices window appears.

Step 2 Click the Edit icon next to the name of the device that you want to configure. The Contents pane appears on the left.

Step 3 From the Contents pane, choose General Settings > Authentication > TACACS+ Server. The TACACS+ Server Settings window appears. (See Figure 14-2.) Table 14-3 describes the fields in this window.

Figure 14-2 TACACS+ Server Settings Window

Step 4 Check the Enable TACACS+ Servers check box to enable TACACS+ authentication.

Step 5 Check the Use ASCII Password Authentication check box to use the ASCII password type for authentication. The default password type is PAP (Password Authentication Protocol). However, you can change the password type to ASCII when the authentication packets are to be sent in ASCII clear text format.

Step 6 In the Time to wait field, specify how long the Content Engine should wait before timing out. The default value is 5 seconds.

Step 7 In the Number of Retransmits field, specify the number of attempts allowed to connect to a TACACS+ server. The default value is 2.

Step 8 In the Security Word field, enter the secret key that is used to communicate with the TACACS+ server.

Step 9 In the Primary Server field, enter an IP address or host name information for the primary TACACS+ server.

Step 10 In the Secondary Server field, enter an IP address or host name information for a secondary TACACS+ server.

Step 11 In the Tertiary Server field, enter an IP address or host name information for a tertiary TACACS+ server.

Step 12 Click Submit to save the settings.

Table 14-3 TACACS+ Server Key Parameter Settings

Key Parameter

Description

CLI Command

Enable TACACS+ Servers

Enables TACACS+ authentication.

tacacs enable

Use ASCII Password Authentication

Changes the default password type from PAP (Password Authentication Protocol) to ASCII clear text format.

tacacs password ascii

Time to wait

Number of seconds to wait for a response before timing out on a connection to a particular TACACS+ server. The range is from 1 to 20 seconds. The default value is 5 seconds.

tacacs timeout

Number of retransmits

Number of times that a connection to a TACACS+ server is allowed to be attempted before a connection is made. The default value is 2 times. The range is 1 to 3 times.

tacacs retransmit

Security Word

Encryption key shared with the TACACS+ server.

tacacs key

Primary Server

IP address or host name of the primary TACACS+ server.

tacacs host ip-address or hostname [primary]

Secondary Server

Tertiary Server

IP address or host name of the backup TACACS+ server. 2 backup servers are allowed.

tacacs host ip-address or hostname

Configuring Authentication and Authorization Schemes

To configure the login authentication and configuration authorization scheme for the device, follow these steps. In the following example, local is configured as the primary database, TACACS+ as the secondary database, and RADIUS as the tertiary database.

Step 1 From the Content Distribution Manager GUI, choose Devices > Devices. The Devices window appears.

Step 2 Click the Edit icon next to the name of the device that you want to configure. The Contents pane appears on the left.

Step 3 From the Contents pane, choose General Settings > Authentication > Login Authentication. The Login Authentication Settings window appears. (See Figure 14-3.)

Figure 14-3 Login Authentication Settings Window

Step 4 Check the Enable Failover Server Unreachable check box to query the secondary authentication database if the primary authentication server is unreachable.

To use this feature, you must set TACACS+ or RADIUS as the primary authentication method and local as the secondary authentication method.

Step 5 Check the Authentication Login Servers check box to enable authentication privileges using the local, TACACS+, or RADIUS databases.

Step 6 From the Primary Login Server drop-down list, choose local.

Step 7 From the Secondary Login Server drop-down list, choose TACACS+.

Step 8 From the Tertiary Login Server drop-down list, choose RADIUS.

Step 9 Check the Authentication Config Servers check box to enable authorization privileges using the local, TACACS+, or RADIUS databases.

Step 10 From the Primary Config Server drop-down list, choose local.

Step 11 From the Secondary Config Server drop-down list, choose TACACS+.

Step 12 From the Tertiary Config Server drop-down list, choose RADIUS.

Step 13 Click Submit to add authentication and authorization settings for the Content Engine.

Note You must configure TACACS+ and RADIUS servers before you submit these settings. See the "Configuring TACACS+ Server Settings" section and the "Configuring RADIUS Server Settings" section for information on how to configure these servers.

Understanding User Accounts and Privilege Profiles

ACNS software uses privilege profiles to determine which tasks a user can perform, and the level of access provided.

The two types of predefined privilege profiles are:

•Normal user—User has read access, and can see some of the Content Engine settings.

•Superuser—User has administrative privileges such as creating new users and modifying the Content Engine settings.

A privilege profile must be assigned to each new user account. A Content Distribution Manager, Content Engine, or Content Router that is running ACNS software comes with a predefined superuser account that can be used initially to access the device and add other users.

Configuring User Accounts and Assigning Privileges

In a service provider environment, it is necessary to manage user authorization to services and access to domains (sets of Content Engines, device groups, and content providers). Typically, a service provider creates a user account for itself with administrator-level privileges, and then creates user accounts for its customers. Service provider customers then have the ability to set up and manage user accounts on their own, which inherit the same level of rights as their main customer account, unless the customers choose to further limit user account privileges.

ACNS 5.x software provides services for user administration, role management, domain management, and accounting. These services can be configured in the Content Distribution Manager GUI.

Tasks include the following:

•Creating and Managing User Accounts

•Creating and Managing Roles

•Configuring Domains

•Changing the CLI User Password

ACNS 5.2 software supports a user manager account for creating and managing user accounts. The user manager is responsible for creating a group of user accounts, assigning roles and domains, as well as modifying any other user accounts in the Content Distribution Manager. User managers must be assigned the admin role, which authorizes all services and access to all domains. Only users with administrator-level authorization are allowed to create and manage user accounts.

After an upgrade to ACNS 5.2 software, any user accounts that do not meet the above requirement are prevented from performing user manager services. In other words, these users can log in to the Content Distribution Manager GUI but do not have access to the User Management pages. These accounts can access the User Management pages by having their authorization increased to the administrator role. This can only be done by those users with the administrator role.

Creating and Managing User Accounts

When you create a user account, you enter information about the user. A user account contains a username, the name of the individual who owns the account, contact information, job title, and department. All user account information is stored in an internal database on the Content Distribution Manager.

Each user account can then be assigned to a role and a domain. A role defines which Content Distribution Manager GUI configuration pages the user can access and which services the user has authority to configure or modify. A domain defines which entities in the network the user can access and configure or modify. You can assign a user account to zero or more roles, and to zero or more domains.

Two default user accounts are preconfigured in the Content Distribution Manager and come with the ACNS software. The first account, called admin, is assigned the administrator role that allows access to all services and access to all entities in the system. This account cannot be deleted from the system, but it can be modified. Only the username and the role for this account are unchangeable.

The second preconfigured user account is called default. Any user account that is authenticated but has not been registered in the Content Distribution Manager obtains the access rights (role and domains) assigned to the default account. This account is configurable, but it cannot be deleted nor its username changed.

Using the Content Manager Distribution GUI, you can perform these tasks:

•Create a new user account.

•Modify and delete existing user accounts.

•View all user accounts in the system.

Creating New User Accounts Using the Content Distribution Manager GUI

When you create a new user account in the Content Distribution Manager GUI, you have the option to create the user account in the CLI at the same time. Using this GUI option to create the new account in the CLI provides the following benefits:

•The user account is created in the primary Content Distribution Manager management database and in the CLI from one central point.

•The user account is also created in the standby Content Distribution Manager management database and in the CLI from one central point.

•Users can change their passwords, and the password change will propagate to standby Content Distribution Managers.

If you choose to create the user account from the GUI without creating the user account in the CLI at the same time from the GUI, the following results apply:

•The user account is created in the primary and standby Content Distribution Manager management databases.

•No user account is created in the CLI and the user cannot log in to the Content Distribution Manager GUI until an account is created from the CLI.

•Local users cannot change their passwords using the GUI.

•Local users can change their passwords using the CLI; however, the password change is not propagated from the CLI to the CMS when the CLI user option is enabled in the GUI.

If a user account has been created from the CLI only, when you log in to the Content Distribution Manager for the first time, the Centralized Management Ssystem (CMS) automatically creates a user account (with the same username as configured in the CLI) with default authorization and access control. However, to change the password in this scenario, the user account must be explicitly configured from the GUI with CLI user option enabled.

To create a new user account, follow these steps:

Step 1 Choose System > Users. Click the Create New User Accounts icon. The Creating New User Account window appears. (See Figure 14-4.)

Figure 14-4 Creating New User Account Window

Step 2 Enter the user account name in the Username field.

Step 3 Click the Create CLI User check box if you want to create a local user account with password and privilege level from the Content Distribution Manager GUI. The user account is created automatically in the CLI. To deny creating a CLI user account from the GUI, leave the box unchecked.

Step 4 In the Password field, enter a password for the CLI user account, and reenter the same password in the Confirm Password field.

Step 5 Choose a privilege level for the CLI user account from the drop-down list. The choices are 0 (zero) (normal user) or 15 (superuser). The default value is 0.

Note A superuser can use privileged EXEC-level commands, whereas a normal user can use only user-level EXEC commands.

Step 6 Enter the following information about the user in the Username fields: First Name, Last Name, Phone Number, Email Address, Job Title, and Department.

Step 7 Enter any additional information about this account in the Comments field.

Step 8 Click Submit.

Modifying and Deleting User Accounts

Note Modifying a user account from the CLI does not update the Centralized Management System (CMS) database.

To modify an existing user account, follow these steps:

Step 1 In the Content Distribution Manager GUI, choose System > Users. The User Accounts window appears.

Step 2 Click the Edit icon next to the user account that you want to modify. The Modifying User Account window appears.

Step 3 Edit the name of the user in the Username field, if needed.

Step 4 Check the Change CLI User Password to make the password fields and privilege level drop-down list available for modification.

Step 5 Edit other information or settings as needed.

Step 6 Click Submit to save your settings.

Note Deleting a user account from the CLI does not disable the corresponding user account in the CMS database. Consequently, the user account remains active in the CMS database. User accounts created in the Content Distribution Manager GUI should always be deleted from the Content Distribution Manager GUI.

To delete a user account from the Content Distribution Manager GUI, follow these steps:

Step 1 In the Content Distribution Manager GUI, choose System > Users. The User Accounts window appears.

Step 2 Click the Edit icon next to the user account that you want to delete. The Modifying User Account window appears.

Step 3 Click the Trash icon in the taskbar.

Note If the CLI user account was created using the GUI, the corresponding CLI user account is removed from the CLI and is also deleted from all standby Content Distribution Managers.

Step 4 Click OK to confirm.

Viewing User Accounts

To view all user accounts, choose System > Users from the Content Distribution Manager GUI. The User Accounts window displays all the user accounts in the management database.

Creating and Managing Roles

The Content Distribution Manager provides many types of services. Not all users have access to all services. Users are assigned a role, which indicates what services they have access to. A role is a set of enabled services.

Each user account can be assigned to zero or more roles. Roles are not inherited or embedded. Using the Content Distribution Manager GUI, you can perform these tasks:

•Create new roles.

•Modify and delete existing roles.

•Assign roles to user accounts.

•View all roles in the system.

The Content Distribution Manager provides one predefined role, known as the admin role. The admin role has access to all services and all ACNS network entities. To create a role, follow these steps:

Step 1 Choose System > Roles. The Roles listing window appears.

Step 2 Click the Create New Role icon in the taskbar. The Creating New Role window appears. (See Figure 14-5.)

Figure 14-5 Creating New Role Window

Step 3 Enter the name of the role in the Name field.

Step 4 Click a folder to expand the listing of services under that category, then check the check box next to the service or services that you want to enable for this role. To choose all the services under one category simultaneously, check the check box next to the top-level folder for those services.

Step 5 Enter any comments about this role in the Comments field.

Step 6 Click Submit.

Modifying and Deleting Roles

Note The admin user account, by default, is allowed access to all services and cannot be modified.

To modify a role, follow these steps:

Step 1 Choose System > Roles. The Roles window appears.

Step 2 To modify an existing role, click the Edit icon next to the name of the role you want to change. The Modifying Role window appears.

Step 3 Enter a new or change the existing name of the role in the Name field.

Step 4 Check the check box next to the services that you want to enable for this role. To disable a previously selected service, uncheck the check box next to the service you want to disable. To choose all the services under one category simultaneously, check the check box next to the top-level service.

Step 5 Enter any comments about this role in the Comments field.

Step 6 Click Submit to save your settings.

Viewing Role Settings

You might want to view role settings before assigning a role to a particular user account.

To view role settings, follow these steps:

Step 1 Choose System > Users. The User Accounts window appears with all configured user accounts listed.

Step 2 Click the Edit icon next to the user account for which you want to assign roles. The Modifying User Account window appears.

Step 3 Choose Role Management from the Contents pane. The Role Management for User Account User window appears.

Step 4 In the Role Management for User Account User window, click the View (eyeglass) icon next to the role name to display a new popup window, the Viewing Role window.

The role names, comments about this role, and services that are enabled for this role are displayed.

Step 5 Click Close once you have finished viewing the settings.

Assigning Roles to User Accounts

Note The admin user account, by default, is assigned to the role that allows access to all domains and all entities in the system. It is not possible to change the role for this user account.

To assign roles to user accounts, follow these steps:

Step 1 Choose System > Users. The User Accounts window appears with all configured user accounts listed.

Step 2 Click the Edit icon next to the user account for which you want to assign roles. The Modifying User Account window appears.

Step 3 Choose Role Management from the Contents pane. The Role Management for User Account User window appears with all configured role names listed.

Step 4 Click the Assign icon (blue cross mark) that appears next to the role name that you wish to assign to the selected user account.

Step 5 To unassign a previously assigned user account role, click the Unassign (green tick mark) next to the role name.

Note Click the Assign all Roles icon in the taskbar to assign all roles in the current window to a user account. Alternatively, click the Remove all Roles icon to unassign all roles associated with a user account.

Step 6 Click Submit to save your settings. A green tick mark appears next to the assigned roles and a blue cross mark appears next to the unassigned roles. The roles assigned to this user account will be listed in the Roles section in the Modifying User Account window.

Configuring Domains

A domain is a set of ACNS network entities or objects that make up the ACNS network. Whereas a role defines which services a user can perform in the ACNS network, a domain defines which entities the user has access to. The Content Distribution Manager GUI provides three predefined entities. An entity can be a Content Engine, content provider, or device group. These predefined entities are treated like services and can be enabled or disabled when you set up user roles.

When you configure a domain, you can choose to include Content Engines, content providers, or device groups in the domain. Using the Content Distribution Manager GUI, you can perform these tasks:

•Create new domains.

•Modify and delete existing domains.

•View all domains in the system.

To create a new domain, follow these steps:

Step 1 Choose System > Domains. The Domains listing window appears.

Step 2 Click the Create New Domain icon in the taskbar. The Creating New Domain window appears. (See Figure 14-6.)

Figure 14-6 Creating New Domain Window

Step 3 Enter the name of the domain in the Name field.

Step 4 Choose the entity type that you want to assign to the domain from the Entity Type drop-down list. Entity choices include Content Engines, content providers, or device groups.

Step 5 Enter any comments about this domain in the Comments field.

Step 6 Click Submit. If the entity type you chose has not already been assigned to the domain, then a message indicating that the entity type has not been assigned appears.

Adding an Entity to a Domain

To add an entity to a domain, follow these steps:

Step 1 Choose System > Domains and click the Edit icon next to the name of the domain that you want to modify.

Step 2 In the Contents pane, choose Entity Management. The Entity_name Assignments for Domain window for the current domain appears. (See Figure 14-7.) In Figure 14-7, the entity is a content provider.

Figure 14-7 Entity Assignment to Domain Window—Content Provider Entity Shown

Step 3 To add an entity to the current domain, click the Assign icon (blue cross mark) next to the name of the entity that you want to add. A green tick mark appears next to the selected entity when you submit the settings.

Alternatively, you can click the Assign all icon in the taskbar to add all entities to the selected domain.

Step 4 To remove an entity from the current domain, click the Unassign icon (green tick mark) next to the name of the entity that you want to remove from the domain. A blue cross mark appears next to the unassigned entity after you submit the settings.

Alternatively, you can click the Remove all icon in the taskbar to remove all entities from the domain.

Step 5 Click Submit.

Modifying and Deleting Domains

To modify or delete an existing domain, follow these steps:

Step 1 Choose System > Domains. The Domains window appears.

Step 2 Click the Edit icon next to the domain that you want to modify. The Modifying Domain window appears.

Step 3 Modify the settings as desired.

Step 4 Click Submit to save your settings.

Step 5 To delete the domain, click the Trash icon in the taskbar.

Step 6 Click OK to confirm the action.

Viewing Domains

To view the domain configuration for a particular user account, follow these steps:

Step 1 Choose System > Users. The User Accounts window appears with all configured user accounts listed.

Step 2 Click the Edit icon next to the user account for which you want to view the domain configuration. The Modifying User Account window appears.

Step 3 In the Contents pane, choose Domain Management. The Domain Management for User Account User window appears.

Step 4 Click the View (eyeglass) icon next to the domain name to display a new popup window, the Viewing Domain window.

The domain name, entity type, comments about this domain, and entities assigned to this domain are displayed.

Step 5 Click Close after you have finished viewing the settings.

Assigning Domains to User Accounts

To assign domains to user accounts, follow these steps:

Step 1 Choose System > Users. The User Accounts window appears with all configured user accounts listed.

Step 2 Click the Edit icon next to the user account for which you want to assign domains. The Modifying User Account window appears.

Step 3 Choose Domain Management from the Contents pane. The Domain Management for User Account User window appears with all configured domains and their entity types listed.

Step 4 Click the Assign icon (blue cross mark) that appears next to the domain name that you wish to assign to the selected user account.

Step 5 To dissociate an already associated domain from the user account, click the Unassign (green tick mark) next to the domain name.

Note Click the Assign all Domains icon in the taskbarto assign all domains in the current window to a user account. Alternatively, click the Remove all Domains icon to unassign all domains associated with a user account.

Step 6 Click Submit to save your settings. A green tick mark appears next to the assigned domains, and a blue cross mark appears next to the unassigned domains. The domains assigned to a user account are listed in the Domains section in the Modifying User Account window.

Changing the CLI User Password

Note You cannot change the password for the admin user account.

When you are logged in to the Content Distribution Manager GUI, you can change your CLI user password if you meet the following requirements:

•Your CLI user account and password were created in the Content Distribution Manager GUI and not in the CLI.

•You are authorized to access the password window.

Note We do not recommend changing the CLI user password from the CLI. Any changes to CLI user passwords from the CLI are not updated in the management database and are not propagated to the standby Content Distribution Manager. Therefore, passwords in the management database will not match a new password configured in the CLI.

Note The advantage of initially setting passwords from the Content Distribution Manager GUI is that both the primary and the standby Content Distribution Managers will be synchronized, and GUI users will not have to access the CLI to change their password.

To change your CLI user password, follow these steps:

Step 1 In the Content Distribution Manager GUI, choose System > Password. The Changing Password for User Account window appears.

Step 2 Enter the changed password in the New Password field.

Step 3 Reenter the password for confirmation in the Confirm New Password field.

Step 4 Click Submit to save your settings.

Configuring AAA Accounting

Collectively, authentication, authorization, and accounting are sometimes referred to as AAA. Central management of AAA means the information is in a single, centralized, secure database. This is much easier to administer than information distributed across numerous devices.

Authentication determines who the user is and whether he or she should be allowed access to the network. It allows network administrators to bar intruders from their networks. It may use a simple database of users and passwords. It can also use one-time passwords.

Authorization determines what the user is allowed to do. It allows network managers to limit which network services are available to different users.

Accounting tracks what users did and when they did it. It can be used for an audit trail or for billing for connection time or resources used (bytes transferred).

The TACACS+ protocol allows effective communication of AAA information between Content Engines and a central server. It uses TCP for reliable connections between clients and servers. Content Engines send authentication and authorization requests, as well as accounting information to the TACACS+ server.

The ACNS accounting feature uses TACACS+ server logging. Accounting information is sent only to the TACACS+ server and not to the console or any other device. The syslog file on the Content Engine logs accounting events locally. The format of events stored in the syslog is different from the format of accounting messages.

Note Before you can configure the AAA accounting settings for any device, you must first configure a TACACS+ server for the device. (See the "Configuring TACACS+ Server Settings" section.)

To configure AAA accounting settings, follow these steps:

Step 1 From the Content Distribution Manager GUI, choose Devices > Devices. The Devices window appears.

Step 2 Click the Edit icon next to the name of the device that you want to configure. The Device Home window appears.

Step 3 In the Contents pane, choose General Settings > AAA Accounting. The AAA Accounting Settings window appears. (See Figure 14-8.) Table 14-4 describes the fields in this window and provides the corresponding CLI global configuration commands that are available on the Content Distribution Manager.

Figure 14-8 AAA Accounting Settings Window

Step 4 To activate accounting for system events, choose a keyword from the System Events drop-down list that indicates when accounting is to take place.

Step 5 To activate accounting for EXEC mode processes, choose a keyword from the Exec Shell and Login/Logout Events drop-down list that indicates when accounting is to take place.

Step 6 To activate accounting for all commands at the normal user level, choose a keyword from the Normal User Commands drop-down list that indicates when accounting is to take place.

Step 7 To activate accounting for all commands at the administrative user level, choose a keyword from the Administrative User Commands drop-down list that indicates when accounting is to take place.

Caution Before using the wait-start option, make sure that your Content Engine is configured with the TACACS+ server and is able to sucessfully contact the server. If the Content Engine cannot contact a configured TACACS+ server, it might become unresponsive.

Table 14-4 AAA Accounting Settings

GUI Parameter

Function

CLI Command

Event Type

System Event

Accounting for all system-level events not associated with users, such as reloads.

aaa accounting system default {start-stop | stop-only} tacacs

Exec Shell and Login/Logout Events

Accounting for EXEC shell and user login and logout events on the Content Engine. Reports include username, date, start and stop times, and Content Engine IP address.

aaa accounting exec default {start-stop | stop-only | wait-start} tacacs

Normal User Commands

Accounting for all commands at the normal user privilege level.

aaa accounting commands 0 default {start-stop | stop-only | wait-start} tacacs

Administrative User Commands

Accounting for all commands at the administrative user privilege level.

aaa accounting commands 15 default {start-stop | stop-only | wait-start} tacacs

Options

stop-only

The Content Engine sends a stop record accounting notice at the end of the specified activity or event to the TACACS+ accounting server.

aaa accounting {commands | exec | system} default stop-only tacacs

start-stop

The Content Engine sends a start record accounting notice at the beginning of an event and a stop record at the end of the event to the TACACS+ accounting server.

The start accounting record is sent in the background. The requested user service begins regardless of whether or not the start accounting record was acknowledged by the TACACS+ accounting server.

aaa accounting {commands | exec | system} default start-stop tacacs

wait-start

Causes both a start and a stop accounting record to be sent to the TACACS+ accounting server. However, the requested user service does not begin until the start accounting record is acknowledged. A stop accounting record is also sent.

aaa accounting {commands | exec} default wait-start tacacs

Do Not Set

Disables accounting for the specified event.

no aaa accounting

Step 8 Click Submit to save the settings.

Viewing Audit Trail Logs

The Content Distribution Manager logs user activity in the system. The only activities that are logged are those that change the ACNS network. This feature provides accountability in terms of which user did what and when. Logged activities include the following:

•Creation of ACNS network entities

•Modification and deletion of ACNS network entities

•System configurations

To view audit trail logs, follow these steps:

Step 1 Choose System > Logs > Audit Trail Logs. The Audit Log window appears. (See Figure 14-9.) All logged transactions in the Content Distribution Manager are listed by date and time, user, actual transaction that was logged, and the IP address of the machine that was used.

Figure 14-9 Audit Log Window

Step 2 Choose the number of rows that you want to display by selecting a number from the Rows drop-down list.