Table Of Contents
Managing User Access
Understanding User Authentication and Authorization Methods
Using Preconfigured System User Profiles
Displaying the Users List
Creating a User Profile
Deleting a User Profile
Changing Your Password
Changing the Password of Another User
Moving Between User Privilege Levels
Configuring User Profiles on a TACACS+ Server
Managing User Access
This chapter describes how to control access to the Cisco Anomaly Guard Module (Guard module) by creating user profiles. When a user attempts to log on to the WBM, the Guard module authenticates the login username and password against a user profile database.
This chapter refers to the Cisco Detector (Detector), the companion product of the Guard module. The Detector is a Distributed Denial of Service (DDoS) attack detection device that analyzes a copy of the zone traffic. The Detector can activate the Guard module attack mitigation services when the Detector determines that the zone is under attack. The Detector can also synchronize zone configurations with the Guard module. For more information about the Detector, see the Cisco Traffic Anomaly Detector Module Configuration Guide and Cisco Traffic Anomaly Detector Configuration Guide.
This chapter contains the following sections:
•
Understanding User Authentication and Authorization Methods
•Using Preconfigured System User Profiles
•Displaying the Users List
•Creating a User Profile
•Deleting a User Profile
•Changing Your Password
•Changing the Password of Another User
•Moving Between User Privilege Levels
•Configuring User Profiles on a TACACS+ Server
Understanding User Authentication and Authorization Methods
Depending on how you configure the Guard module using the CLI, the Guard module performs user authentication and authorization using one or both of the following methods:
•Local—Authenticates the username and password against its own internal database. You can configure each username with a user privilege level that allows the user to execute a predefined set of commands.
The local authentication and authorization method is the default. You configure local user authentication and authorization using the WBM.
•AAA (authentication, authorization, and accounting)—Authenticates the username and password against an external database that resides on one or more Terminal Access Controller Access Control System Plus (TACACS+) servers. AAA authorization enables you to specify access rights for each command. In addition to configuring user authentication and command authorization, AAA services allow you to configure accounting, which enables you to track user-initiated events, such as Guard module configuration changes.
You must use the CLI to enable AAA services and to define the TACACS+ servers on the Guard module.
Using Preconfigured System User Profiles
The Guard module is preconfigured with the following two system user profiles on the local database:
•admin—Use this default username to initially access the CLI on the Guard module. You assign a password to the admin user profile when you log into the Guard module for the first time. If you log on as an administrator, you have full access to the CLI commands and the WBM windows. Use the admin user profile to configure the Guard module and to create other user profiles.
•riverhead—The Detector uses the riverhead username to initially access the Guard module and establish the communication channel between them. You assign a password to the riverhead user profile when you log into the Guard module for the first time. After the initial communication link has been established between the Detector and the Guard module, the two devices use a private-public key pair to establish future communication links, eliminating the need for user intervention. The riverhead system user profile is configured with the dynamic user privilege level.
You can change the password of a system user, but you cannot delete a system user from the Guard module database.
Note We recommend that you create new user accounts and avoid using the system user accounts after initial configuration so that you can monitor user actions.
Displaying the Users List
The WBM allows you to display a list of the users that are defined in the local user database. From the user list, you can add or delete a user profile. The user list is divided into two categories as follows:
•System users—User profiles that are predefined by Cisco and cannot be deleted (see the "Using Preconfigured System User Profiles" section).
•Users—User profiles that you define.
To view the list of users that are defined in the local user database, perform the following steps:
Step 1 In the navigation pane, click Guard Summary. The Guard summary menu appears.
Step 2 From the Guard summary menu, choose Users > Users list. The Users list appears.
Creating a User Profile
To create a user profile on the local database, you must have administration access rights.
Note If the Guard module is configured to authenticate users using local and AAA services for authentication (or just AAA services), you must also configure user profile information on each TACACS+ server that is used for authentication purposes (see the "Configuring User Profiles on a TACACS+ Server" section).
To create a new user profile, perform the following steps:
Step 1 In the navigation pane, click Guard Summary. The Guard summary menu appears.
Step 2 Use one of the following methods to display the Create User screen:
•From the Guard summary menu, choose Users > Create user.
•From the Guard summary menu, choose Users > Users list (the Users list appears) and then click Add.
Step 3 Define the user profile parameters as described in Table 3-1.
Table 3-1 User Profile Parameters
Parameter
|
Description
|
User name
|
Name of the user profile. Enter a case-sensitive alphanumeric string from 1 to 63 characters that starts with an alphabetic character. The string cannot contain spaces but can contain underscores.
|
Initial password
|
User password. Enter a case-sensitive 6- to 24-character string with no spaces.
|
Type
|
User privilege level. Choose one of the following user privilege levels from the Type drop-down list:
•show—Permits access to monitoring and diagnostic operations.
•dynamic—Permits access to monitoring and diagnostic operations, protection, and learning-related operations. Users with Dynamic privileges can also configure the flex-content and dynamic filters.
•config—Permits full access to all WBM functions except for user profile management.
•admin—Permits full access to all WBM functions.
|
Step 4 Choose one of the following options:
•OK—Saves the user profile information to the local database. The user details screen appears and displays the new user profile parameters.
•Clear—Clears the User form of any information that you added.
•Cancel—Exits the Create User screen without saving any information. The Users list appears.
Deleting a User Profile
When you delete a user profile, the associated user can no longer access the Guard module if authentication is performed using the local user database only.
To delete a user profile, perform the following steps:
Step 1 In the navigation pane, click Guard Summary. The Guard summary menu appears.
Step 2 From the Guard summary menu, choose Users > Users list. The Users list appears.
Step 3 Check the check box of the desired username to delete, and then click Delete. To delete all the usernames listed, check the User check box, and then click Delete. The delete validation message appears.
Step 4 Choose one of the following options:
•OK—Deletes the user profile from the local database. The Users list appears.
•Cancel—Ignores the delete user request. The Users list appears.
Changing Your Password
You can change your own password. Administrators can change their own password and the passwords of other users (see the "Changing the Password of Another User" section).
To change your own password, perform the following steps:
Step 1 In the navigation pane, click Guard Summary. The Guard summary menu appears.
Step 2 From the Guard summary menu, choose Users > Change Password. The Change Password screen appears.
Step 3 In the Old Password field, enter your current password.
Step 4 In the New Password field, enter a new password. The password must be a case-sensitive 6- to 24-character string with no spaces.
Step 5 In the Confirm New Password field, reenter the new password.
Step 6 Choose one of the following options:
•OK—Saves the new password to the user profile on the Guard module database. The Guard summary screen appears.
•Cancel—Exits the Change Password screen without saving any information. The Guard summary screen appears.
If you enter an invalid current password, the Guard module displays an error message because it cannot verify the new password. Click Go Back to repeat the procedure.
Changing the Password of Another User
Users with an administration user privilege level can change passwords of other users.
To change the password of another user, perform the following steps:
Step 1 In the navigation pane, click Guard Summary. The Guard summary menu appears.
Step 2 From the Guard summary menu, choose Users > Change Password. The Change Password screen appears.
Step 3 Click on a username. The user details screen appears.
Step 4 Click Config. The Config User screen appears.
Step 5 Enter the new password. The password must be a case-sensitive 6- to 24-character string with no spaces.
Step 6 Choose one of the following options:
•OK—Saves the new password to the user profile on the local database. The User List screen appears.
•Clear—Clears the User form of any information that you added.
•Cancel—Exits the Config User screen without saving any information. The User List screen appears.
Moving Between User Privilege Levels
You can move between user privilege levels.
To move between user privilege levels, perform the following steps:
Step 1 From the information area, click Enable.
The Enable Authentication window appears.
Step 2 From the Level drop-down list, choose a user privilege level to which you want to move. The privilege level can be one of the following:
•admin—Permits full access to all WBM functions.
•config—Permits full access to all WBM functions except for user profile management.
•dynamic—Permits access to monitoring and diagnostic operations, protection, and learning-related operations. Users with Dynamic privileges can also configure the flex-content and dynamic filters.
Step 3 In the Password field, enter the privilege level password.
Step 4 To apply the change, click OK.
Configuring User Profiles on a TACACS+ Server
The information in this section is intended for administrators who must configure the WBM user profile information on a TACACS+ server.
You can specify the access rights for a group of commands that are defined by the user privilege level. Table 3-2 displays the WBM commands and command groups that you can configure on a TACACS+ server.
Note All commands are case sensitive.
Table 3-2 WBM Commands
Privilege Level
|
TACACS+ Command Group
|
Commands
|
Show
|
WBM-Show
|
ChangeLocalOwnPassword
|
Dynamic
|
WBM-Dynamic
|
AcceptPendingDynFilter
ActivateZone
ConfigExtendedFlexFilter
ConfigZoneFlexFilter
CreateDynamicFilter
DeleteAllDynamicFilters
DeleteDynamicFilter
RecommendationAccept
RecommendationAcceptForever
RecommendationIgnore
RemoveDynamicFilters
ZoneActivation
|
Configuration (config)
|
WBM-Config
|
acceptTh
ActivatePolicy
AddPolicyThreshold
AddService
AddPolicyThreshold
AddZoneIP
ChangePolicyState
ConfigLearn
ConfigPolicies
ConfigPolicy
ConfigPolicyGroup
ConfigPolicyTemplate
ConfigPolicyThreshold
ConfigZone
CopyPacketDump
CreateBypassFilter
CreateExtendedFlexFilter
CreateSnapshot
CreateUserFilter
CreateUserFilters
CreateZone
CreateZoneTemplate
deactivate
DeactivatePolicy
DeleteBypassFilters
DeleteExtendedFlexFilter
|
Configuration (config)
(continued)
|
WBM-Config
(continued)
|
DeletePacketDump
DeletePolicyThreshold
DeleteReports
DeleteSnapshot
DeleteUserFilters
DeleteZone
DeleteZoneIP
DeleteZones
DeleteZoneTemplate
ExportReports
protectIP
RemoveService
RenamePacketDump
SaveAsZone
SavePoliciesRecommendations
SetFtpServer
StartPacketDump
|
Administration (admin)
|
WBM-Admin
|
CreateUser
ConfigUser
DeleteUsers
DeleteUser
|
Note Authorizing a privilege level grants access only to the commands in that privilege level. You must grant access to the user privilege levels of WBM-Dynamic and WBM-Config to enable access to the configuration functions.
The following example shows how to define the access for the user Robin with a privilege level of Dynamic to WBM screens on the TACACS+ server:
