Cisco Traffic Anomaly Detector Module Web-Based Manager Configuration Guide (Software Version 6.1 and 6.1-XG)
Managing User Access


This chapter describes how to control access to the Cisco Traffic Anomaly Detector Module (Detector module) by creating user profiles. When a user attempts to log on to the WBM, the Detector module authenticates the login username and password against a user profile database.

This chapter refers to the Cisco Guard (Guard), the companion product of the Detector module. The Guard is a Distributed Denial of Service (DDoS) attack detection and mitigation device that cleans the zone traffic as the traffic flows through it, dropping the attack traffic and injecting the legitimate traffic back into the network. When the Detector module determines that the zone is under attack, it can activate the Guard attack mitigation services. The Detector module can also synchronize zone configurations with the Guard. For more information about the Guard, see the Cisco Anomaly Guard Module Configuration Guide or the Cisco Guard Configuration Guide.

This chapter contains the following sections:

Understanding User Authentication and Authorization Methods

Using Preconfigured System User Profiles

Displaying the Users List

Creating a User Profile

Deleting a User Profile

Changing Your Password

Changing the Password of Another User

Moving Between User Privilege Levels

Configuring User Profiles on a TACACS+ Server

Understanding User Authentication and Authorization Methods

Depending on how you configure the Detector module using the CLI, the Detector module performs user authentication and authorization using one or both of the following methods:

Local—Authenticates the username and password against its own internal database. You can configure each username with a user privilege level that allows the user to execute a predefined set of commands.

The local authentication and authorization method is the default. You configure local user authentication and authorization using the WBM.

AAA (authentication, authorization, and accounting)—Authenticates the username and password against an external database that resides on one or more Terminal Access Controller Access Control System Plus (TACACS+) servers. AAA authorization enables you to specify access rights for each command. In addition to configuring user authentication and authorization, AAA services allow you to configure accounting, which enables you to track device events. For example, you can track user-initiated events, such as Detector module configuration changes.

You must use the CLI to enable AAA services and to define the TACACS+ servers on the Detector module.

Using Preconfigured System User Profiles

The Detector module is preconfigured with the following two system user profiles on the local database:

admin—Use this default username to initially access the CLI on the Detector module. You assign a password to the admin user profile when you log into the Detector module for the first time. If you log on as an administrator, you have full access to the CLI commands and the WBM windows. Use the admin user profile to configure the Detector module and to create other user profiles.

riverhead—The Detector module uses the riverhead username to initially access the Guard and establish the communication channel between them. You assign a password to the riverhead user profile when you log into the Detector module for the first time. After the initial communication link has been established between the Guard and the Detector module, the two devices use a private-public key pair to establish future communication links, eliminating the need for user intervention. The riverhead system user profile is configured with the dynamic user privilege level.

You can change the password of a system user, but you cannot delete a system user from the Detector module database.


Note We recommend that you create new user accounts and avoid using the system user accounts after initial configuration so that you can monitor user actions.


Displaying the Users List

The WBM allows you to display a list of the users that are defined in the local user database. From the user list, you can add or delete a user profile. The user list is divided into two categories as follows:

System users—User profiles that are predefined by Cisco and cannot be deleted (see the "Using Preconfigured System User Profiles" section).

Users—User profiles that you define.

To view the list of users that are defined in the local user database, perform the following steps:


Step 1 In the navigation pane, click Detector Summary. The Detector module summary menu appears.

Step 2 From the Detector module summary menu, choose Users > Users list. The Users list appears.


Creating a User Profile

To create a user profile on the local database, you must have administration access rights.


Note If the Detector module is configured to authenticate users using both local and AAA services (or AAA services only), you must also configure the user profile information on each TACACS+ server that is used for authentication (see the "Configuring User Profiles on a TACACS+ Server" section).


To create a new user profile, perform the following steps:


Step 1 In the navigation pane, click Detector Summary. The Detector module summary menu appears.

Step 2 Use one of the following methods to display the Create User screen:

From the Detector module summary menu, choose Users > Create user.

From the Detector module summary menu, choose Users > Users list (the Users list appears) and then click Add.

Step 3 Define the user profile parameters as described in Table 3-1.

Table 3-1 User Profile Parameters

Parameter         Description
----------------  --------------------------------------------------------------
Name              Name of the user profile. Enter a case-sensitive alphanumeric
                  string from 1 to 63 characters that starts with an alphabetic
                  character. The string cannot contain spaces but can contain
                  underscores.
Initial password  User password. Enter a case-sensitive 6- to 24-character
                  string with no spaces.
Type              User privilege level. Choose one of the following user
                  privilege levels from the Type drop-down list:
                  show—Permits access to monitoring and diagnostic operations.
                  dynamic—Permits access to monitoring and diagnostic
                  operations, protection, and learning-related operations.
                  Users with Dynamic privileges can also configure the
                  flex-content and dynamic filters.
                  config—Permits full access to all WBM functions except for
                  user profile management.
                  admin—Permits full access to all WBM functions.


Step 4 Choose one of the following options:

OK—Saves the user profile information to the local database. The user details screen appears and displays the new user profile parameters.

Clear—Clears the User form of any information that you added.

Cancel—Exits the Create User screen without saving any information. The User List appears.


Deleting a User Profile

When you delete a user profile, the associated user can no longer access the Detector module if authentication is performed using the local user database only.

To delete a user profile, perform the following steps:


Step 1 In the navigation pane, click Detector Summary. The Detector module summary menu appears.

Step 2 From the Detector module summary menu, choose Users > Users list. The Users list appears.

Step 3 Check the check box next to the username that you want to delete, and then click Delete. To delete all the usernames listed, check the User check box, and then click Delete. The delete validation message appears.

Step 4 Choose one of the following options:

OK—Deletes the user profile from the local database. The Users list appears.

Cancel—Ignores the delete user request. The Users list appears.


Changing Your Password

You can change your own password. Administrators can change their own password and the passwords of other users (see the "Changing the Password of Another User" section).

To change your own password, perform the following steps:


Step 1 In the navigation pane, click Detector Summary. The Detector module summary menu appears.

Step 2 From the Detector module summary menu, choose Users > Change Password. The Change Password screen appears.

Step 3 In the Old Password field, enter your current password.

Step 4 In the New Password field, enter a new password. The password must be a case-sensitive 6- to 24-character string with no spaces.

Step 5 In the Confirm New Password field, reenter the new password.

Step 6 Choose one of the following options:

OK—Saves the new password to the user profile on the Detector module database. The Detector module summary screen appears.

Cancel—Exits the Change Password screen without saving any information. The Detector module summary screen appears.


If you enter an invalid current password, the Detector module displays an error message because it cannot verify the new password. Click Go Back to repeat the procedure.

Changing the Password of Another User

Users with an administration user privilege level can change passwords of other users.

To change the password of another user, perform the following steps:


Step 1 In the navigation pane, click Detector Summary. The Detector module summary menu appears.

Step 2 From the Detector module summary menu, choose Users > Change Password. The Change Password screen appears.

Step 3 Click on a username. The user details screen appears.

Step 4 Click Config. The Config User screen appears.

Step 5 Enter the new password. The password must be a case-sensitive 6- to 24-character string with no spaces.

Step 6 Click OK to save the new password to the user profile on the local database.


Moving Between User Privilege Levels

You can move between user privilege levels.

To move between user privilege levels, perform the following steps:


Step 1 From the information area, click Enable. The Enable Authentication window appears.

Step 2 From the Level drop-down list, choose a user privilege level to which you want to move. The privilege level can be one of the following:

admin—Permits full access to all WBM functions.

config—Permits full access to all WBM functions except for user profile management.

dynamic—Permits access to monitoring and diagnostic operations, protection, and learning-related operations. Users with Dynamic privileges can also configure the flex-content and dynamic filters.

Step 3 In the Password field, enter the privilege level password.

Step 4 To apply the change, click OK.


Configuring User Profiles on a TACACS+ Server

The information in this section is intended for administrators who must configure the WBM user profile information on a TACACS+ server. To manage user access to the WBM using a TACACS+ server and AAA services, you must use the Detector module CLI to enable the AAA services and to define the TACACS+ servers on the Detector module (see the Cisco Traffic Anomaly Detector Module Configuration Guide).


Note When you enable TACACS+ accounting, each recorded event is assigned a task identification (task_id) number. For WBM events, the task_id numbering sequence begins at 40000.


You can configure user authorization on a TACACS+ server to restrict user access to specific zones and WBM functions.


Note All commands are case sensitive.


This section contains the following topics:

Managing the WBM Portal to Restrict User Access to Specific Zones

Managing Authorization to Specific WBM Commands

Managing the WBM Portal to Restrict User Access to Specific Zones

You can customize the WBM portal to limit the zones that a user can view and access by configuring the TACACS+ server with the ShowZonePortal command and the zone_name attribute.


Caution The following commands, which provide basic WBM navigation, are mandatory and must always be configured to permit: ShowGuardPortal and ShowZonesList.

For example, in the following TACACS+ server configuration, user ABC is granted permission to access zones ABC_1 and ABC_2 only, regardless of how many zones you have configured on the device.

    user = ABC {
        default service=permit
        login=cleartext 123456

        cmd = ShowZonePortal {
            permit "zone_name_ABC_1"
            permit "zone_name_ABC_2"
            deny .*
        }

        cmd = ShowDetectorPortal {
            permit .*
        }

        cmd = ShowZonesList {
            permit .*
        }
    }

Managing Authorization to Specific WBM Commands

Every WBM menu item and function button is mapped to a command that allows you to control whether or not a user is authorized to access specific menu items or function buttons. Table 3-2 displays the WBM commands that you can configure on a TACACS+ server to manage user access to WBM functionality.

Table 3-2 WBM Operations Supported by TACACS+

Privilege Level  Function               Command
---------------  ---------------------  ---------------------------
Admin            User management        ShowUserList
                                        AddUser
                                        DeleteUser
                                        ShowUserDetails
                                        ConfigUser
Config           Create/Add             CreateBypassFilter
                                        CreateZone
                                        CreateZoneTemplate
                                        AddZoneIP
                                        AddPolicyThreshold
                                        AddService
                 Delete                 DeleteZones
                                        DeleteZoneIP
                                        DeleteZoneTemplate
                                        DeleteReports
                                        DeleteBypassFilters
                                        DeletePacketDump
                                        DeleteSnapshot
                                        DeletePolicyThreshold
                                        RemoveService
                                        ClearCounters
                 Export                 ExportReports
                                        SetFtpServer
                 Learn                  StartDetect&Learn
                                        StartPolicyConstruction
                                        StopPolicyConstruction
                                        StartThresholdTuning
                                        StopThresholdTuning
                                        AcceptPolicyConstruction
                                        AcceptThresholdTuning
                                        CreateSnapshot
                                        DeleteSnapshot
                                        RejectResults
                                        NoLearningAccept
                                        NoLearningReject
                                        SavePoliciesRecommendations
                 Configure              ConfigExtendedFlexFilter
                                        ConfigWormSrcIPs
                                        ConfigPolicies
                                        ConfigPolicyTemplate
                                        ConfigZone
                                        ConfigLearn
                                        ConfigPolicy
                                        ConfigPolicyGroup
                                        ConfigPolicyThreshold
                                        ChangePolicyState
                                        RecommendationAcceptForever
                                        SaveAsZone
Dynamic          Create/Add/Delete      CreateExtendedFlexFilter
                                        DeleteExtendedFlexFilter
                                        CreateDynamicFilter
                                        DeleteAllDynamicFilters
                                        DeleteDynamicFilters
                                        RecommendationIgnore
                                        RecommendationAccept
                 Victim Activation      StartDetection
                                        StopDetection
                                        ActivatePolicy
                                        DeactivatePolicy
                                        AcceptPendingDynFilter
                 Packet-dump            StartPacketDump
                                        StopPacketDump
                                        SavePacketDump
                                        RenamePacketDump
                                        CopyPacketDump
                                        ExportPacketDump
                                        ImportPacketDump
Show             Password/Login/Logout  UserLogin
                                        UserLogout
                                        EnableUser
                                        ChangePassword
                 Show                   ShowGuardPortal
                                        ShowGuardCounters
                                        ShowGuardRealtimeCounters
                                        ShowGuardLog
                                        ShowZoneList
                                        ShowTemplateList
                                        ShowPolicyComparison
                                        ShowZonePortal
                                        ShowZoneCounters
                                        ShowRealtimeCounters
                                        ShowZoneLog
                                        ShowAttacksSummary
                                        ShowAttack
                                        ShowAttackDetails
                                        ShowZombiesAttack
                                        ShowPolicyStatistics
                                        ShowPacketDumpList
                                        ShowCaptureAnalysis
                                        ShowDynamicFilters
                                        ShowDynamicFilterDetails
                                        ShowPendingRecommendations
                                        ShowPendingFilters
                                        ShowSnapshotList
                                        ShowGeneralConfiguration
                                        ShowUserFilters
                                        ShowBypassFilters
                                        ShowFlexContentFilters
                                        ShowPolicyTemplate
                                        ShowPolicies
                                        ShowPolicyDetails
                                        ShowLearningParams
                                        ShowPolicyComparison
                                        ShowSignatureExtraction
                                        ShowVersion


The following TACACS+ server example shows how to configure the Customer A user with authorization to access the following zones and functionality:

Zones A1 and A2 only.

All WBM functions except for the following diagnostic functions:

Guard counters

Real time counters

Show logs

    key = 12345
    default authentication = file /etc/passwd
    accounting file = /var/log/tacacs.log
    default authorization = permit

    user = Customer_A {
        default service=permit
        service=connection {}
        login=cleartext 1234

        cmd = ShowZonePortal {
            permit "zone_name_zone_A1"
            permit "zone_name_zone_A2"
            deny .*
        }

        cmd = ShowGuardCounters {
            deny .*
        }

        cmd = ShowGuardRealtimeCounters {
            deny .*
        }

        cmd = ShowGuardLog {
            deny .*
        }
    }
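The following Python model is added here and is not part of the Cisco documentation or of any TACACS+ server; it replays the authorization decisions behind both server examples in this section (user ABC in the zone-restriction example and user Customer_A above): which zones ShowZonePortal exposes, which diagnostic commands are denied, and whether the mandatory navigation commands from the Caution stay permitted. The rule semantics (first match wins, no match in a cmd block denies, the default service covers unlisted commands), the zone_name_<zone> argument form, and the anchored versus unanchored matching option are assumptions, not statements from the page.

```python
import re

# Constructed from the two TACACS+ server examples in the text (users ABC and
# Customer_A); only the authorization parts are modelled.
USER_ABC = {
    "default_service": "permit",
    "cmd": {
        "ShowZonePortal": [("permit", "zone_name_ABC_1"),
                           ("permit", "zone_name_ABC_2"), ("deny", ".*")],
        "ShowDetectorPortal": [("permit", ".*")],
        "ShowZonesList": [("permit", ".*")],
    },
}
USER_CUSTOMER_A = {
    "default_service": "permit",
    "cmd": {
        "ShowZonePortal": [("permit", "zone_name_zone_A1"),
                           ("permit", "zone_name_zone_A2"), ("deny", ".*")],
        "ShowGuardCounters": [("deny", ".*")],
        "ShowGuardRealtimeCounters": [("deny", ".*")],
        "ShowGuardLog": [("deny", ".*")],
    },
}
# Commands the Caution in the text says must always be permitted.
MANDATORY = ("ShowGuardPortal", "ShowZonesList")


def authorize(user, command, argument="", anchored=True):
    """True if the user may run command with the given argument string.

    Assumed (not stated on the page): rules in a cmd block are tried top to
    bottom and the first match decides; a block with no match denies; a command
    with no cmd block falls back to the user's default service; whether the
    server anchors the expression is a server option, so both are modelled.
    """
    rules = user["cmd"].get(command)
    if rules is None:
        return user["default_service"] == "permit"
    match = re.fullmatch if anchored else re.search
    for action, pattern in rules:
        if match(pattern, argument):
            return action == "permit"
    return False

def visible_zones(user, zones, anchored=True):
    """Zones the portal shows, assuming the argument is sent as zone_name_<zone>."""
    return [z for z in zones
            if authorize(user, "ShowZonePortal", "zone_name_" + z, anchored)]

def missing_mandatory(user):
    """Mandatory navigation commands that this profile would deny."""
    return [c for c in MANDATORY if not authorize(user, c)]
```

If the server matches expressions unanchored, a permit for zone_name_ABC_1 also admits zone_name_ABC_10, which is a reason to anchor the expressions explicitly; a profile whose default service is deny also fails the mandatory-command check unless ShowGuardPortal and ShowZonesList get their own permit blocks.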