Table Of Contents
Managing User Access
User Authentication Methods
Pre-configured System User Profiles
Viewing the Users List
Creating a User Profile
Deleting a User Profile
Changing the Current User Password
Changing the Password of Another User
Configuring User Profiles on a TACACS+ Server
Managing User Access
You control access to the Detector module by creating user profiles. When a user attempts to log on to the WBM, the Detector module authenticates the login username and password against the user profile database. This chapter describes how to use the WBM to create and delete user profiles.
This chapter includes the following sections:
• User Authentication Methods
• Pre-configured System User Profiles
• Viewing the Users List
• Creating a User Profile
• Deleting a User Profile
• Changing the Current User Password
• Changing the Password of Another User
• Configuring User Profiles on a TACACS+ Server
User Authentication Methods
Depending on how you configure the Detector module using the CLI, the Detector module performs user authentication using one or both of the following methods:
• Local authentication—The Detector module authenticates the user against the user profile information residing in the Detector module database. You configure each username with a user privilege level that allows the user to execute a pre-defined set of command functions. You configure local user authentication using the WBM.
• AAA services (authentication, authorization, and accounting)—The Detector module authenticates the user against the user profile information residing in the database of one or more TACACS+ servers. In addition to user authentication and command authorization, AAA services include the accounting feature, which allows you to track user-initiated events such as Detector module configuration changes. You must use the CLI to enable AAA services and to define the TACACS+ servers on the Detector module. You must also configure each TACACS+ server with the user profile information.
Pre-configured System User Profiles
The Detector module is preconfigured with the following two user profiles, or system users, on the local database:
• admin—Use this default username to initially access the CLI on the Detector module. You assign a password to this system user profile during the initial log on process using a console connection. Once you log on as an administrator, you have full access to the CLI commands and the admin password you entered is saved to the admin user profile. Use this system user profile to configure the Detector module operation and create other user profiles.
• riverhead—The Detector module uses this username to initially access the Cisco Anomaly Guard Module and establish the communication channel between the Detector and Cisco Anomaly Guard Module. You assign a password to this system user profile during the initial log on process using a console connection. After the initial communication link has been established between the Detector and the Cisco Anomaly Guard Module, the two devices use SSL to establish future communication links, eliminating the need for user intervention. The riverhead system user profile is configured with the dynamic user privilege level.
You can change the password of a system user, but you cannot delete a system user from the Detector module database.
We recommend that you create new user accounts and refrain from using the system user accounts after initial configuration so that you can monitor the actions of individual users.
Viewing the Users List
The WBM allows you to display a list of users currently authorized to access the Detector module. From the user list, you can add or delete a user profile. The user list is divided into two categories:
• System users—User profiles that are pre-defined by Cisco and cannot be deleted (see the "Pre-configured System User Profiles" section).
• Users—User profiles that you define.
To view the list of users authorized to access the Detector module:
Step 1
Click Detector module Summary from the navigation pane. The Detector module summary menu appears.
Step 2
Choose Users > Users list from the Detector module summary menu. The Users List appears.
Creating a User Profile
To create a user profile on the local database, you must have administration access rights.
Note
If the Detector module is configured to authenticate users using local and AAA services for authentication (or just AAA services), you must also configure user profile information on each TACACS+ server used for authentication purposes (see the "Configuring User Profiles on a TACACS+ Server" section).
To create a new user profile:
Step 1
Click Detector module Summary from the navigation pane. The Detector module summary menu appears.
Step 2
Use one of the following methods to display the Create User screen:
• Choose Users > Create user from the Detector module summary menu.
• Choose Users > Users list from the Detector module summary menu (the Users List appears), then click Add.
Step 3
Define the user profile parameters as described in Table 3-1:
Table 3-1 User Profile Parameters
Parameter | Description
User name | Name of the user profile. Starting with a letter, enter an alphanumeric string 1 to 63 characters in length. The string cannot contain spaces, but can contain underscores.
Initial password | User password. Enter an alphanumeric string 6 to 24 characters in length with no spaces.
Type | User privilege level. Choose a user privilege level from the Type drop-down list:
• show—Permits access to monitoring and diagnostics operations.
• dynamic—Permits access to monitoring and diagnostics operations, detection, and learning-related operations. Users with Dynamic privileges can also configure the Flex-content and Dynamic filters.
• config—Permits full access to all WBM functions except for user profile management.
• admin—Permits full access to all WBM functions.
Step 4
Choose one of the following options:
• OK—Saves the user profile information to the local database. The user details screen appears with the new user profile parameters displayed.
• Clear—Clears the User Form of any information you added.
• Cancel—Exits the Create User screen without saving any information. The User List appears.
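The following Python function is an added example (not the Detector module's own validation code) that applies the Table 3-1 rules to a proposed profile before it is entered in the Create User screen, so that an administrator can pre-check bulk user lists. It assumes that "alphanumeric" means ASCII letters and digits only.

```python
import re

# Added example, not the Detector module's own validation code. Rules are taken
# from Table 3-1; "alphanumeric" is assumed to mean ASCII letters and digits only.
USERNAME_RE = re.compile(r"[A-Za-z][A-Za-z0-9_]{0,62}")  # letter first, 1-63 chars, underscores allowed
PASSWORD_RE = re.compile(r"[A-Za-z0-9]{6,24}")           # 6-24 chars, no spaces
PRIVILEGE_LEVELS = ("show", "dynamic", "config", "admin")  # values of the Type drop-down list


def validate_user_profile(username, password, level):
    """Return the list of Table 3-1 rules the proposed profile violates (empty if it passes)."""
    problems = []
    if not USERNAME_RE.fullmatch(username):
        problems.append("user name: start with a letter; 1-63 letters, digits or underscores; no spaces")
    if not PASSWORD_RE.fullmatch(password):
        problems.append("initial password: 6-24 alphanumeric characters, no spaces")
    if level not in PRIVILEGE_LEVELS:
        problems.append("type: must be one of " + ", ".join(PRIVILEGE_LEVELS))
    return problems


if __name__ == "__main__":
    # Constructed sample profiles: the first passes, the second breaks all three rules.
    for candidate in [("robin_01", "s3cret12", "dynamic"), ("1robin", "short pw", "root")]:
        print(candidate, validate_user_profile(*candidate) or "OK")
```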
Deleting a User Profile
When you delete a user profile, the associated user can no longer access the Detector module if authentication is performed using the local user database only.
To delete a user profile:
Step 1
Click Detector module Summary from the navigation pane. The Detector module summary menu appears.
Step 2
Choose Users > Users list from the Detector module summary menu. The Users List appears.
Step 3
Click the check box of the desired user name to delete, then click Delete. To select and delete all the user names listed, click the User check box, then click Delete. The delete validation message appears.
Step 4
Choose one of the following options:
• OK—Deletes the user profile from the local database. The User List appears.
• Cancel—Ignores the delete user request. The User List appears.
Changing the Current User Password
The WBM allows all users to change their login password. To change the password of the user currently logged on:
Step 1
Click Detector module Summary from the navigation pane. The Detector module summary menu appears.
Step 2
Choose Users > Change Password from the Detector module summary menu. The Change Password screen appears.
Step 3
Enter the current password in the Old Password field.
Step 4
Enter a new password in the New Password field. The password must be an alphanumeric string with no spaces and 6 to 24 characters in length.
Step 5
Re-enter the new password in the Confirm New Password field.
Step 6
Choose one of the following options:
• OK—Saves the new password to the user profile on the Detector module database. The Detector module summary screen appears.
• Cancel—Exits the Change Password screen without saving any information. The Detector module summary screen appears.
If you enter an invalid current password or the Detector module cannot verify the new password, the Detector module displays an error message. Click Go Back to repeat the procedure.
Changing the Password of Another User
The WBM allows users with an administration user privilege level to change passwords assigned to other users.
To change the password of another user:
Step 1
Click Detector module Summary from the navigation pane. The Detector module summary menu appears.
Step 2
Choose Users > Users list from the Detector module summary menu. The Users List appears.
Step 3
Click on a user name. The user details screen appears.
Step 4
Click Config. The Config User screen appears.
Step 5
Enter the new password. The password must be 6 to 24 characters in length with no spaces.
Step 6
Choose one of the following options:
• OK—Saves the new password to the user profile on the local database. The User List screen appears.
• Clear—Clears the User Form of any information you added.
• Cancel—Exits the Config User screen without saving any information. The User List screen appears.
Configuring User Profiles on a TACACS+ Server
The information in this section is intended for administrators who must configure the WBM user profile information on a TACACS+ server.
You can specify the access rights for a group of commands that are defined by the user privilege level. Table 3-2 displays the WBM commands and command groups that you can configure on a TACACS+ server.
Note
All commands are case sensitive.
Table 3-2 WBM Commands
Privilege Level | TACACS+ Command Group | Commands
Show | WBM-Show | ChangeLocalOwnPassword
Dynamic | WBM-Dynamic | AcceptPendingDynFilter, ActivateZone, ConfigExtendedFlexFilter, ConfigZoneFlexFilter, CreateDynamicFilter, DeleteAllDynamicFilters, DeleteDynamicFilter, RecommendationAccept, RecommendationAcceptForever, RecommendationIgnore, RemoveDynamicFilters, ZoneActivation
Configuration (config) | WBM-Config | acceptTh, ActivatePolicy, AddPolicyThreshold, AddService, AddPolicyThreshold, AddZoneIP, ChangePolicyState, ConfigLearn, ConfigPolicies, ConfigPolicy, ConfigPolicyGroup, ConfigPolicyTemplate, ConfigPolicyThreshold, ConfWormSrcIPs, ConfigZone, CopyPacketDump, CreateBypassFilter, CreateExtendedFlexFilter, CreateSnapshot, CreateUserFilter, CreateUserFilters, CreateZone, CreateZoneTemplate, deactivate, DeactivatePolicy, DeleteBypassFilters, DeleteExtendedFlexFilter, DeletePacketDump, DeletePolicyThreshold, DeleteReports, DeleteSnapshot, DeleteUserFilters, DeleteZone, DeleteZoneIP, DeleteZones, DeleteZoneTemplate, ExportReports, protectIP, RemoveService, RenamePacketDump, SaveAsZone, SavePoliciesRecommendations, SetFtpServer, StartPacketDump
Administration (admin) | WBM-Admin | CreateUser, ConfigUser, DeleteUsers, DeleteUser
Note
Authorizing a privilege level grants access only to the commands in that privilege level. Therefore, you must grant access to the user privilege levels of WBM-Dynamic and WBM-Config to enable access to the configuration functions.
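The authorization model behind Table 3-2 and the note above, as an added Python example (not Cisco's code and not a TACACS+ server's code): it shows which commands a profile built from command groups can run, which groups it still lacks for a given local privilege level, and which commands it is over-granted, so that a profile can be audited for least privilege. The command sets are abbreviated to a few entries per group; the assumption that each privilege level corresponds to its own group plus every lower group is mine, since the page states it explicitly only for config (WBM-Dynamic plus WBM-Config).

```python
# Added example, not Cisco's or any TACACS+ server's code. Command sets are
# abbreviated from Table 3-2; names are case sensitive, as the Note states.
WBM_COMMAND_GROUPS = {
    "WBM-Show": {"ChangeLocalOwnPassword"},
    "WBM-Dynamic": {"AcceptPendingDynFilter", "ActivateZone", "CreateDynamicFilter",
                    "DeleteDynamicFilter", "RecommendationAccept", "ZoneActivation"},
    "WBM-Config": {"ConfigZone", "CreateZone", "DeleteZone", "CreateBypassFilter",
                   "StartPacketDump", "SetFtpServer"},
    "WBM-Admin": {"CreateUser", "ConfigUser", "DeleteUser", "DeleteUsers"},
}

# Assumption of this example: a local privilege level corresponds to its own
# group plus every lower group. The page states this only for config
# (WBM-Dynamic plus WBM-Config); the other rows extend that pattern.
REQUIRED_GROUPS = {
    "show": ["WBM-Show"],
    "dynamic": ["WBM-Show", "WBM-Dynamic"],
    "config": ["WBM-Show", "WBM-Dynamic", "WBM-Config"],
    "admin": ["WBM-Show", "WBM-Dynamic", "WBM-Config", "WBM-Admin"],
}


def commands_for(groups):
    """Union of the commands in the given command groups (an unknown group grants nothing)."""
    return set().union(*(WBM_COMMAND_GROUPS.get(g, set()) for g in groups))


def is_authorized(granted_groups, command):
    """True only if a granted group contains the exact, case-sensitive command name."""
    return command in commands_for(granted_groups)


def missing_groups(granted_groups, level):
    """Groups still needed for the TACACS+ profile to match the local privilege level."""
    return [g for g in REQUIRED_GROUPS[level] if g not in granted_groups]


def excess_commands(granted_groups, level):
    """Commands the profile can run that the intended privilege level would not allow."""
    return sorted(commands_for(granted_groups) - commands_for(REQUIRED_GROUPS[level]))


if __name__ == "__main__":
    robin = ["WBM-Dynamic"]                        # constructed profile, intended level: Dynamic
    print(is_authorized(robin, "ActivateZone"))    # True
    print(is_authorized(robin, "ConfigZone"))      # False: WBM-Config was not granted
    print(missing_groups(robin, "dynamic"))        # ['WBM-Show']
    print(excess_commands(robin + ["WBM-Admin"], "dynamic"))  # user-management commands over-granted
```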
The following example shows how to define access for the user Robin, with a privilege level of Dynamic, to WBM screens on the TACACS+ server: