Managing User Access
You control access to the Guard by creating user profiles. When a user attempts to log on to the WBM, the Guard authenticates the login username and password against the user profile database. This chapter describes how to use the WBM to create and delete user profiles.
This chapter includes the following sections:
• User Authentication Methods
• Pre-configured System User Profiles
• Viewing the Users List
• Creating a User Profile
• Deleting a User Profile
• Changing the Current User Password
• Changing the Password of Another User
• Configuring User Profiles on a TACACS+ Server
User Authentication Methods
Depending on how you configure the Guard using the CLI, the Guard performs user authentication using one or both of the following methods:
• Local authentication—The Guard authenticates the user against the user profile information residing in the Guard database. You configure each username with a user privilege level that allows the user to execute a pre-defined set of command functions. You configure local user authentication using the WBM.
• AAA services (authentication, authorization, and accounting)—The Guard authenticates the user against the user profile information residing in the database of one or more TACACS+ servers. In addition to user authentication and command authorization, AAA services include the accounting feature, which allows you to track user-initiated events such as Guard configuration changes. You must use the CLI to enable AAA services and to define the TACACS+ servers on the Guard. You must also configure each TACACS+ server with the user profile information.
Pre-configured System User Profiles
The Guard is preconfigured with the following two user profiles, or system users, on the local database:
• admin—Use this default username to initially access the CLI on the Guard. You assign a password to this system user profile during the initial log on process using a console connection. Once you log on as an administrator, you have full access to the CLI commands and the admin password you entered is saved to the admin user profile. Use this system user profile to configure the Guard operation and create other user profiles.
• riverhead—The Cisco Traffic Anomaly Detector uses this username to initially access the Guard and establish the communication channel between the Cisco Traffic Anomaly Detector and Guard. You assign a password to this system user profile during the initial log on process using a console connection. After the initial communication link has been established between the Cisco Traffic Anomaly Detector and the Guard, the two devices use SSL to establish future communication links, eliminating the need for user intervention. The riverhead system user profile is configured with the dynamic user privilege level.
You can change the password of a system user, but you cannot delete a system user from the Guard database.
We recommend that you create new user accounts and refrain from using the system user accounts after initial configuration so that you can monitor the actions of individual users.
Viewing the Users List
The WBM allows you to display a list of users currently authorized to access the Guard. From the user list, you can add or delete a user profile. The user list is divided into two categories:
• System users—User profiles that are pre-defined by Cisco and cannot be deleted (see the "Pre-configured System User Profiles" section).
• Users—User profiles that you define.
To view the list of users authorized to access to the Guard:
Step 1
Click Guard Summary from the navigation pane. The Guard summary menu appears.
Step 2
Choose Users > Users list from the Guard summary menu. The Users List appears.
Creating a User Profile
To create a user profile on the local database, you must have administration access rights.
Note
If the Guard is configured to authenticate users using local and AAA services for authentication (or just AAA services), you must also configure user profile information on each TACACS+ server used for authentication purposes (see the "Configuring User Profiles on a TACACS+ Server" section).
To create a new user profile:
Step 1
Click Guard Summary from the navigation pane. The Guard summary menu appears.
Step 2
Use one of the following methods to display the Create User screen:
• Choose Users > Create user from the Guard summary menu.
• Choose Users > Users list from the Guard summary menu (the Users List appears), then click Add.
Step 3
Define the user profile parameters as described in Table 3-1:
Table 3-1 User Profile Parameters
Parameter | Description
User name | Name of the user profile. Starting with a letter, enter an alphanumeric string 1 to 63 characters in length. The string cannot contain spaces, but can contain underscores.
Initial password | User password. Enter an alphanumeric string 6 to 24 characters in length with no spaces.
Type | User privilege level. Choose a user privilege level from the Type drop-down list:
  • show—Permits access to monitoring and diagnostics operations.
  • dynamic—Permits access to monitoring and diagnostics operations, detection, and learning-related operations. Users with Dynamic privileges can also configure the Flex-content and Dynamic filters.
  • config—Permits full access to all WBM functions except for user profile management.
  • admin—Permits full access to all WBM functions.
Step 4
Choose one of the following options:
• OK—Saves the user profile information to the local database. The user details screen appears with the new user profile parameters displayed.
• Clear—Clears the User Form of any information you added.
• Cancel—Exits the Create User screen without saving any information. The User List appears.
Deleting a User Profile
When you delete a user profile, the associated user can no longer access the Guard if authentication is performed using the local user database only.
To delete a user profile:
Step 1
Click Guard Summary from the navigation pane. The Guard summary menu appears.
Step 2
Choose Users > Users list from the Guard summary menu. The Users List appears.
Step 3
Click the check box of the desired user name to delete, then click Delete. To select and delete all the user names listed, click the User check box, then click Delete. The delete validation message appears.
Step 4
Choose one of the following options:
• OK—Deletes the user profile from the local database. The User List appears.
• Cancel—Ignores the delete user request. The User List appears.
Changing the Current User Password
The WBM allows all users to change their login password. To change the password of the user currently logged on:
Step 1
Click Guard Summary from the navigation pane. The Guard summary menu appears.
Step 2
Choose Users > Change Password from the Guard summary menu. The Change Password screen appears.
Step 3
Enter the current password in the Old Password field.
Step 4
Enter a new password in the New Password field. The password must be an alphanumeric string with no spaces and 6 to 24 characters in length.
Step 5
Re-enter the new password in the Confirm New Password field.
Step 6
Choose one of the following options:
• OK—Saves the new password to the user profile on the Guard database. The Guard summary screen appears.
• Cancel—Exits the Change Password screen without saving any information. The Guard summary screen appears.
If you enter an invalid current password or the Guard cannot verify the new password, the Guard displays an error message. Click Go Back to repeat the procedure.
Changing the Password of Another User
The WBM allows users with an administration user privilege level to change passwords assigned to other users.
To change the password of another user:
Step 1
Click Guard Summary from the navigation pane. The Guard summary menu appears.
Step 2
Choose Users > Users list from the Guard summary menu. The Users List appears.
Step 3
Click on a user name. The user details screen appears.
Step 4
Click Config. The Config User screen appears.
Step 5
Enter the new password. The password must be 6 to 24 characters in length with no spaces.
Step 6
Choose one of the following options:
• OK—Saves the new password to the user profile on the local database. The User List screen appears.
• Clear—Clears the User Form of any information you added.
• Cancel—Exits the Config User screen without saving any information. The User List screen appears.
Configuring User Profiles on a TACACS+ Server
The information in this section is intended for administrators who must configure the WBM user profile information on a TACACS+ server.
You can specify the access rights for a group of commands that are defined by the user privilege level. Table 3-2 displays the WBM commands and command groups that you can configure on a TACACS+ server.
Note
All commands are case sensitive.
Table 3-2 WBM Commands
Privilege Level | TACACS+ Command Group | Commands
Show | WBM-Show | ChangeLocalOwnPassword
Dynamic | WBM-Dynamic | AcceptPendingDynFilter, ActivateZone, ConfigExtendedFlexFilter, ConfigZoneFlexFilter, CreateDynamicFilter, DeleteAllDynamicFilters, DeleteDynamicFilter, RecommendationAccept, RecommendationAcceptForever, RecommendationIgnore, RemoveDynamicFilters, ZoneActivation
Configuration (config) | WBM-Config | acceptTh, ActivatePolicy, AddPolicyThreshold, AddService, AddZoneIP, ChangePolicyState, ConfigLearn, ConfigPolicies, ConfigPolicy, ConfigPolicyGroup, ConfigPolicyTemplate, ConfigPolicyThreshold, ConfigZone, CopyPacketDump, CreateBypassFilter, CreateExtendedFlexFilter, CreateSnapshot, CreateUserFilter, CreateUserFilters, CreateZone, CreateZoneTemplate, deactivate, DeactivatePolicy, DeleteBypassFilters, DeleteExtendedFlexFilter, DeletePacketDump, DeletePolicyThreshold, DeleteReports, DeleteSnapshot, DeleteUserFilters, DeleteZone, DeleteZoneIP, DeleteZones, DeleteZoneTemplate, ExportReports, protectIP, RemoveService, RenamePacketDump, SaveAsZone, SavePoliciesRecommendations, SetFtpServer, StartPacketDump
Administration (admin) | WBM-Admin | CreateUser, ConfigUser, DeleteUsers, DeleteUser
Note
Authorizing a privilege level grants access only to the commands in that privilege level. Therefore, you must grant access to the user privilege levels of WBM-Dynamic and WBM-Config to enable access to the configuration functions.
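The point of the note above is that TACACS+ command groups are not cumulative the way the local privilege levels in Table 3-1 are. The following Python model, an added example and not part of the Guard documentation or product, encodes a subset of Table 3-2 and shows how to compute the groups a user needs for a given local level, check a command against the groups actually granted, and flag grants that skip a lower group. The function names and the assumption that each local level includes the levels below it are the author's, not Cisco's.

```python
from typing import Dict, FrozenSet, List, Tuple

# Command groups from Table 3-2, abridged to a few commands per group
# (the full command lists are in the table above).
WBM_GROUPS: Dict[str, FrozenSet[str]] = {
    "WBM-Show": frozenset({"ChangeLocalOwnPassword"}),
    "WBM-Dynamic": frozenset({"AcceptPendingDynFilter", "ActivateZone",
                              "CreateDynamicFilter", "DeleteDynamicFilter",
                              "RecommendationAccept", "ZoneActivation"}),
    "WBM-Config": frozenset({"ActivatePolicy", "ConfigZone", "CreateZone",
                             "DeleteZone", "SetFtpServer", "StartPacketDump"}),
    "WBM-Admin": frozenset({"CreateUser", "ConfigUser", "DeleteUser",
                            "DeleteUsers"}),
}

# Assumption: local levels are cumulative (Table 3-1 describes each level as
# including the operations of the ones below it), while a TACACS+ group
# authorizes only its own commands. So reaching a local level on TACACS+
# means granting every group up to and including that level.
LEVEL_ORDER: List[Tuple[str, str]] = [
    ("show", "WBM-Show"), ("dynamic", "WBM-Dynamic"),
    ("config", "WBM-Config"), ("admin", "WBM-Admin"),
]


def groups_for_level(level: str) -> FrozenSet[str]:
    """TACACS+ groups to grant so a user behaves like local level `level`."""
    names = [lvl for lvl, _ in LEVEL_ORDER]
    if level not in names:
        raise ValueError(f"unknown privilege level: {level}")
    idx = names.index(level)
    return frozenset(grp for _, grp in LEVEL_ORDER[: idx + 1])


def is_authorized(granted: FrozenSet[str], command: str) -> bool:
    """Exact, case-sensitive match only, as the note on commands requires."""
    return any(command in WBM_GROUPS.get(grp, frozenset()) for grp in granted)


def audit_grants(granted: FrozenSet[str]) -> List[str]:
    """Flag grants that skip a lower group, e.g. WBM-Config without
    WBM-Dynamic: such a user can edit policies but cannot activate a zone."""
    findings: List[str] = []
    grps = [grp for _, grp in LEVEL_ORDER]
    for i, grp in enumerate(grps):
        if grp in granted:
            missing = [g for g in grps[:i] if g not in granted]
            if missing:
                findings.append(f"{grp} granted without {', '.join(missing)}")
    return findings
```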
The following example shows how to define access for the user Robin, with a privilege level of Dynamic, to WBM screens on the TACACS+ server: