Access Rights
Administration | Access Rights
This section of the Manager lets you configure and control administrative access to the VPN Concentrator.
• Administrators: Configure administrator usernames, passwords, and rights.
• Access Control List: Configure IP addresses for workstations with access rights.
• Access Settings: Set administrative session timeout and limits.
• AAA Servers: Set administrative authentication using TACACS+.
Figure 9-1 Administration | Access Rights Screen
Administrators
Administrative users are special users who can access and change the configuration, administration, and monitoring functions on the VPN Concentrator. Only administrative users can use the VPN Concentrator Manager. Of the administrative users, only one at a time can be the System Administrator. The System Administrator is the single administrative user who can access and change all areas of the VPN Concentrator Manager.
Cisco provides five predefined administrative users:
• 1 - admin = By default, this user is the System Administrator and also the only administrative user enabled. This is the only administrator who can log in to, and use, the VPN Concentrator Manager as supplied by Cisco.
• 2 - config = Configuration administrator with all rights except SNMP access and file access.
• 3 - isp = Internet service provider administrator with limited general configuration rights.
• 4 - mis = Management information systems administrator with the same rights as config.
• 5 - user = User administrator with rights only to view system statistics.
This section of the Manager lets you change administrator properties and rights. Any changes take effect as soon as you click Apply.
Note
The VPN Concentrator saves Administrator parameter settings from this screen and the Modify Properties screen in nonvolatile memory, not in the active configuration (CONFIG) file. Thus, these settings are retained even if the system loses power. These settings are also retained even if you reboot the system with the factory configuration file.
Figure 9-2 Administration | Access Rights | Administrators Screen
Screen Elements
• Group Number — This is a reference number for the administrator. Cisco assigns these numbers so you can refer to administrators by groups of properties. The numbers cannot be changed.
• Username — The username, or login name, of the administrator. You can change this name on the Administration | Access Rights | Administrators | Modify Properties screen.
Note
The default passwords that Cisco supplies are the same as the usernames. We strongly recommend that you change these passwords.
• Properties / Modify — To modify the username, password, and access rights of the administrator, click Modify. See the Administration | Access Rights | Administrators | Modify Properties screen.
• Administrator — To make one administrative user the System Administrator, click the radio button. Only the System Administrator can access and change all areas of the VPN Concentrator Manager. You can select only one Administrator. By default, admin is selected.
• Enabled — Check this box to enable, or clear the box to disable, an administrator. Only enabled administrators can log in to, and use, the VPN Concentrator Manager. You must enable at least one administrator, and you can enable all administrators. By default, only admin is enabled.
• Apply — Click to save the settings of this screen in nonvolatile memory. The settings immediately affect new sessions. The Manager returns to the Administration | Access Rights screen.
• Cancel — Click to discard your settings or changes. The Manager returns to the Administration | Access Rights screen.
Administrators | Modify Properties
This screen lets you modify the username, password, and rights for an administrator. Any changes affect new sessions as soon as you click Apply or Default.
Figure 9-3 Administration | Access Rights | Administrators | Modify Properties Screen
Table 9-1 shows the matrix of Cisco-supplied default rights for the five administrators.
Table 9-1 Cisco-Supplied Default Administrator Rights
Administrator | Authentication | General | SNMP | Files
--- | --- | --- | --- | ---
1 - admin | Modify Config | Modify Config | Modify Config | Read/Write Files
2 - config | Modify Config | Modify Config | Stats Only | Read/Write Files
3 - isp | Stats Only | Modify Config | Stats Only | Read Files
4 - mis | Modify Config | Modify Config | Stats Only | Read Files
5 - user | Stats Only | Stats Only | Stats Only | Read Files
Screen Elements
• Username — Enter or edit the unique username for this administrator. The maximum length is 31 characters.
• Password — Enter or edit the unique password for this administrator. The maximum length is 31 characters. The field displays only asterisks.
Note
The default password that Cisco supplies is the same as the username. We strongly recommend that you change this password.
• Verify — Re-enter the password to verify it. The field displays only asterisks.
• Access Rights: Authentication — The Access Rights determine access to and rights in VPN Concentrator Manager functional areas (Authentication or General), or via SNMP. This drop-down list box pertains to VPN Concentrator Manager functions that affect authentication:
– Configuration | User Management
– Configuration | Policy Management | Access Hours
– Configuration | System | Servers | Authentication and Configuration | System | Servers | Accounting.
Click the Authentication Access Rights drop-down list box and choose one of the following:
– None = No access or rights.
– Stats Only = Access to only the Monitoring section of the VPN Concentrator Manager. No rights to change parameters.
– View Config = Access to permitted functional areas of the VPN Concentrator Manager, but no rights to change parameters.
– Modify Config = Access to permitted functional areas of the VPN Concentrator Manager, and rights to change parameters.
• Access Rights: General — This area consists of all VPN Concentrator Manager functions except authentication and administration. (The Administrator radio button on the Administration | Access Rights | Administrators screen controls access to administration functions.) See the drop-down list box choices described for Authentication Access Rights.
• Access Rights: SNMP — This parameter governs limited changes to the VPN Concentrator Manager via SNMP, using a network management system. In other words, it determines what the administrator can do via SNMP. See the drop-down list box choices described for Authentication Access Rights.
• Access Rights: Files — This parameter governs rights to access and manage files in VPN Concentrator Flash memory, and to save the active configuration in a file. (Flash memory acts like a disk.)
Note
Only the System Administrator has access to the Administration | File Management screen. If you want this user to list, read, or write files (other than the active configuration file), make the user System Administrator. See Administrators.
Click the Files drop-down menu button and choose file management rights:
– None = No file access or management rights.
– List Files = See a list of files in VPN Concentrator Flash memory.
– Read Files = Read (view) files in Flash memory.
– Read/Write Files = Read and write files in Flash memory, clear or save the event log, and save the active configuration to a file.
• AAA Access Level — This parameter governs the level of access for administrators authenticated by a TACACS+ server. On the TACACS+ server you configure levels of privilege, maximum 0-15, to suit your environment. You can set the number of privilege levels and order them as you choose (numbered in ascending order, descending order, or whatever scheme meets your requirements). You then set this AAA Access Level parameter to one of the levels configured on the TACACS+ server. Administrators have access privileges corresponding to the level you assign.
• Apply — Click to save your settings in nonvolatile memory. The settings take effect immediately. The Manager returns to the Administration | Access Rights | Administrators screen.
• Default — Click to restore the Cisco-supplied access rights for this administrator, and to save your settings in nonvolatile memory. The settings take effect immediately. This action does not restore the default username or password. The Manager returns to the Administration | Access Rights | Administrators screen.
• Cancel — Click to discard your changes. The Manager returns to the Administration | Access Rights | Administrators screen.
Access Control List
This section of the Manager lets you configure and prioritize the systems (workstations) that are allowed to access the VPN Concentrator Manager. For example, you might want to allow access only from one or two PCs that are in a locked room. If no systems are listed, then anyone who knows the VPN Concentrator IP address and the administrator username/password combination can gain access.
As soon as you add a workstation to the list, access control becomes effective for new sessions. Therefore, the first entry on the list should be the IP address of the workstation you are now using to configure the VPN Concentrator. Otherwise, if you log out or time out, you will not be able to access the Manager from the workstation.
These entries govern administrator access and management by any remote means: HTTP, HTTPS, FTP, TFTP, SNMP, Telnet, SSH, etc.
Figure 9-4 Administration | Access Rights | Access Control List Screen
Screen Elements
• Manager Workstations — This list shows the configured workstations that are allowed to access the VPN Concentrator Manager, in priority order. Each entry shows the priority number, IP address/mask, and administrator group number, for example: 1. 10.10.1.35/255.255.255.255 Group=1. If no workstations have been configured, the list shows --Empty--.
• Add — Click to configure a new manager workstation. The Manager opens the Administration | Access Rights | Access Control List | Add screen.
• Modify — To modify a configured manager workstation, select the entry from the list and click Modify. The Manager opens the Administration | Access Rights | Access Control List | Modify screen.
• Delete — To remove a configured manager workstation, select the entry from the list and click Delete. The Manager refreshes the screen and shows the remaining entries in the Manager Workstations list.
• Move — To change the priority order for configured manager workstations, select the entry from the list and click Move Up or Move Down. The Manager refreshes the screen and shows the reordered Manager Workstations list.
Reminder:
The Manager immediately includes your changes in the active configuration. To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.
Access Control List | Add or Modify
These screens let you add a manager workstation to the list of those that are allowed to access the VPN Concentrator Manager or modify a previously configured workstation.
Figure 9-5 Administration | Access Rights | Access Control List | Add or Modify Screen
Screen Elements
• Priority (Modify screen only) — This field shows the priority number of this workstation in the list of Manager Workstations. You cannot edit this field. To change the priority, use the Move buttons on the Administration | Access Rights | Access Control List screen.
• IP Address — Enter the IP address of the workstation, for example: 10.10.1.35.
• IP Mask — Enter the mask for the IP address. This mask lets you restrict access to a single IP address, a range of addresses, or all addresses. To restrict access to a single IP address, enter 255.255.255.255 (the default). To allow all IP addresses, enter 0.0.0.0. To allow a range of IP addresses, enter the appropriate mask. For example, to allow IP addresses 10.10.1.32 through 10.10.1.35, enter the mask 255.255.255.252.
• Access Group — To assign rights of an administrator group to this IP address, click the appropriate radio button. The default choice is Group 1 (admin). You can assign only one group, or you can specify No Access.
• Add / Apply — Click to add this workstation to the list or to apply your changes to this workstation. Both actions include your entry in the active configuration. The Manager returns to the Administration | Access Rights | Access Control List screen. Any new entry appears at the bottom of the Manager Workstations list.
• Cancel — Click to discard your settings. The Manager returns to the Administration | Access Rights | Access Control List screen, and the Manager Workstations list is unchanged.
Reminder:
To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.
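The Access Control List behaviour described in the two sections above (first match in priority order wins, a mask of 255.255.255.255 selects one host, 0.0.0.0 selects every host, an empty list means anyone with valid credentials can connect) can be checked offline before you click Apply. The following is an added example, not Cisco code and not part of the original manual. It assumes that an entry matches when the client address and the entry address agree under a bitwise AND with the mask, which is what the page's 10.10.1.32 through 10.10.1.35 / 255.255.255.252 example implies; the sample list is constructed, with entry 1 taken from the page's own example line.

```python
"""Offline model of the Manager Workstations access-control list.

Added example, not Cisco code. Assumes an entry matches when
(client & mask) == (address & mask), as the page's /252 example implies.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class AclEntry:
    """One list entry: IP Address, IP Mask and the Access Group radio-button choice."""
    address: str
    mask: str
    group: Optional[int]  # 1..5 = administrator group number; None = "No Access"


def _to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def entry_matches(entry: AclEntry, client_ip: str) -> bool:
    """True when client_ip falls inside the entry's address/mask (assumed bitwise test)."""
    mask = _to_int(entry.mask)
    return (_to_int(entry.address) & mask) == (_to_int(client_ip) & mask)


def resolve_access(acl: List[AclEntry], client_ip: str) -> Tuple[str, Optional[int]]:
    """Evaluate the list in priority order; the first matching entry decides.

    Returns ("open", None)  when the list is empty (page: anyone with the address and
                            credentials can gain access),
            ("allow", g)    when the first matching entry assigns administrator group g,
            ("deny", None)  when the first matching entry is "No Access" or nothing matches.
    """
    if not acl:
        return ("open", None)
    for entry in acl:
        if entry_matches(entry, client_ip):
            return ("deny", None) if entry.group is None else ("allow", entry.group)
    return ("deny", None)


def would_lock_me_out(acl: List[AclEntry], my_workstation_ip: str) -> bool:
    """Pre-flight check for the page's warning: the list applies to new sessions at once,
    so the workstation you are configuring from must still resolve to an allowed group."""
    status, _ = resolve_access(acl, my_workstation_ip)
    return status == "deny"


# Constructed sample list. Entry 1 is the page's own example line
# ("1. 10.10.1.35/255.255.255.255 Group=1"); the others are made up for illustration.
SAMPLE_ACL = [
    AclEntry("10.10.1.35", "255.255.255.255", 1),   # single host, Group=1 (admin)
    AclEntry("10.10.1.32", "255.255.255.252", 5),   # 10.10.1.32-35 range, Group=5 (user)
    AclEntry("10.10.0.0", "255.255.0.0", None),     # rest of 10.10.0.0/16 explicitly No Access
]

if __name__ == "__main__":
    for ip in ("10.10.1.35", "10.10.1.33", "10.10.1.36", "192.168.1.1"):
        print(ip, resolve_access(SAMPLE_ACL, ip))
    print("lock-out risk from 10.10.1.36:", would_lock_me_out(SAMPLE_ACL, "10.10.1.36"))
```

Order matters exactly as the Move Up / Move Down buttons imply: with the same three entries reversed, the broad No Access entry is evaluated first and 10.10.1.35 is denied even though a specific allow for it exists further down. Running `would_lock_me_out` against the address you are connected from is the offline equivalent of the page's advice to put your own workstation first in the list.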
Access Settings
This screen lets you configure options for administrator access to the VPN Concentrator Manager.
Figure 9-6 Administration | Access Rights | Access Settings Screen
Screen Elements
• Session Idle Timeout — Enter the idle timeout period in seconds for administrative sessions. If there is no activity for this period, the VPN Concentrator Manager session terminates. The minimum period is 1 second. The default period is 600 seconds. The maximum period is 1800 seconds (30 minutes).
The Manager resets the inactivity timer only when you click an action button (Apply, Add, Cancel, etc.) or a link on a screen—that is, when you invoke a different screen. Entering values or setting parameters on a given screen does not reset the timer.
If you close out of the Manager without logging off, no one can change the configuration from a different PC until the logout time has been reached. Either you must log in and then log out, or the other user must wait until the session idle timeout limit has occurred.
• Session Limit — Enter the maximum number of simultaneous administrative sessions allowed. The minimum is 1 session. The default is 10 sessions. The maximum is 50 sessions.
• Config File Encryption — The CONFIG file is in ASCII text format (.INI format). This radio button allows you to encrypt sensitive entries in this file, such as passwords, keys, and user information.
– RC4 = Encrypt sensitive entries in the CONFIG file, using RC4 encryption. This is the default.
– None = Use clear text for all CONFIG file entries. For maximum security, we do not recommend this option.
– DES = Encrypt sensitive entries in the CONFIG file, using DES encryption. A CONFIG file that is encrypted with DES can be used only by the VPN Concentrator that encrypted it. This option prevents the sharing of encrypted configuration files across different VPN Concentrators.
Caution
If a VPN Concentrator that is using a DES encrypted CONFIG file totally fails, all encrypted information is lost.
• Apply — Click to save your settings in the active configuration. The Manager returns to the Administration | Access Rights screen.
• Cancel — Click to discard your settings. The Manager returns to the Administration | Access Rights screen.
AAA Servers
This section lets you configure AAA servers to authenticate administrators for this VPN Concentrator.
Before you configure a TACACS+ server here, be sure that the server you reference is itself properly configured and that you know how to access it (IP address or host name, TCP/UDP port, secret/password, etc.). The VPN Concentrator functions as the client of these servers.
You can configure and prioritize up to 10 TACACS+ servers. The first server of a given type is the primary server for that type, and the rest are backup servers in case the primary is inoperative.
Note
In addition to configuring AAA servers, to use TACACS+ you must set a value in the AAA Access Level parameter; see Administration | Access Rights | Administrators | Modify Properties.
Caution
Misconfiguration of TACACS+ can lock an administrator out of the Concentrator HTML interface. If that happens, you can access the Concentrator by logging in through the console port, using your administrator username and password.
Figure 9-7 Administration | Access Rights | AAA Servers Screen
To configure TACACS+ servers, click Authentication--authentication servers.
AAA Servers | Authentication
The Manager displays the Administration | Access Rights | AAA Servers | Authentication screen. This screen lets you add, modify, delete, or change the priority order of TACACS+ administrator authentication servers.
Figure 9-8 Administration | Access Rights | AAA Servers | Authentication Screen
Screen Elements
• Authentication Servers — This list shows the configured TACACS+ servers, in priority order. Each entry shows the server identifier. If no servers have been configured, the list shows --Empty--. The first server of each type in the list is the primary TACACS+ server; the rest are backup.
• Add — Click to configure and add a new TACACS+ server. The Manager opens the Administration | Access Rights | AAA Servers | Authentication | Add or Modify screen.
• Modify — To modify parameters for an authentication server that has been configured, select the server from the list and click Modify. The Manager opens the Administration | Access Rights | AAA Servers | Authentication | Add or Modify screen.
• Delete — To remove a server that has been configured, select the server from the list and click Delete.
Note
There is no confirmation or undo.
The Manager refreshes the screen and shows the remaining servers in the list.
• Move — To change the priority order for a TACACS+ server, click Move Up or Move Down to move it up or down on the list of servers configured for this group.
• Done — Click when you are finished configuring TACACS+ servers. This action includes your settings in the active configuration. The Manager returns to the Administration | Access Rights screen.
AAA Servers | Authentication | Add or Modify
These screens let you add or modify TACACS+ administration authentication servers.
Figure 9-9 Administration | Access Rights | AAA Servers | Add or Modify Screens
Screen Elements
• Authentication Server — Enter the IP address or host name of the TACACS+ authentication server, for example: 192.168.12.34. The maximum length is 32 characters. (If you have configured a DNS server, you can enter a host name in this field; otherwise, enter an IP address.)
• Server Port — Enter the TCP port number by which you access the server. Enter 0 (the default) to have the system supply the default port number, 49.
• Timeout — Enter the time in seconds to wait after sending a query to the server and receiving no response, before trying again. The minimum time is 1 second. The default time is 4 seconds. The maximum time is 30 seconds.
• Retries — Enter the number of times to retry sending a query to the server after the timeout period. If there is still no response after this number of retries, the VPN Concentrator declares this server inoperative and uses the next TACACS+ authentication server in the list. The minimum number of retries is 0. The default number is 2. The maximum number is 10.
• Server Secret — Enter the TACACS+ server secret (also called the shared secret), for example: C8z077f. The maximum length is 32 characters. The field shows only asterisks.
• Verify — Re-enter the TACACS+ server secret to verify it. The field shows only asterisks.
• Add / Apply — Click to add the new server to the list of configured user TACACS+ servers or to apply your changes to the configured server. Both actions include your entries in the active configuration. The Manager returns to the Administration | Access Rights | AAA Servers | Authentication screen. Any new server appears at the bottom of the TACACS+ Authentication Servers list.
• Cancel — Click to discard your entries. The Manager returns to the Administration | Access Rights | AAA Servers | Authentication screen, and the TACACS+ Authentication Servers list is unchanged.
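The Server Port, Timeout and Retries fields above, together with the primary/backup ordering of the AAA Servers | Authentication list, define how long an administrator login can hang when a TACACS+ server is down and when the Concentrator moves on to the next server. The following added example (not Cisco code, not part of the original manual) models that behaviour so you can see the worst-case delay a given list produces. The network transport is a constructed stand-in that returns accept, reject or no response; real TACACS+ packet handling is not modelled, and the backup server's host, port, timeout and retries values are made up for illustration.

```python
"""Model of TACACS+ server timeout, retry and failover behaviour.

Added example, not Cisco code. The transport is a constructed stand-in;
no real TACACS+ traffic is generated.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass
class TacacsServer:
    """Fields of the Add or Modify screen, with the page's stated defaults."""
    host: str
    port: int = 0        # 0 = let the system supply the default port
    timeout: int = 4     # seconds, 1..30
    retries: int = 2     # 0..10

    def effective_port(self) -> int:
        return 49 if self.port == 0 else self.port

    def worst_case_wait(self) -> int:
        # one query plus `retries` repeats, each waited out for `timeout` seconds
        return self.timeout * (self.retries + 1)


def validate(server: TacacsServer) -> List[str]:
    """Return the range violations for a server entry (limits as stated on the page)."""
    problems = []
    if len(server.host) > 32:
        problems.append("server name longer than 32 characters")
    if not 1 <= server.timeout <= 30:
        problems.append("timeout must be 1..30 seconds")
    if not 0 <= server.retries <= 10:
        problems.append("retries must be 0..10")
    return problems


def total_worst_case_wait(servers: List[TacacsServer]) -> int:
    """Seconds until every server has been declared inoperative (the Error screen case)."""
    return sum(s.worst_case_wait() for s in servers)


Answer = Optional[bool]  # True = accepted, False = rejected, None = no response


def authenticate(servers: List[TacacsServer],
                 query: Callable[[TacacsServer], Answer]
                 ) -> Tuple[Answer, Optional[str], int, List[str]]:
    """Walk the list in priority order.

    A server that never answers within retries + 1 attempts is declared inoperative and
    the next server is used. An explicit reject is an answer and does not cause failover.
    Returns (answer, responding_host, simulated_seconds_waited, log).
    """
    waited = 0
    log: List[str] = []
    for srv in servers:
        for attempt in range(1, srv.retries + 2):
            answer = query(srv)
            if answer is None:
                waited += srv.timeout
                log.append(f"{srv.host}:{srv.effective_port()} attempt {attempt} "
                           f"no response ({srv.timeout}s)")
                continue
            log.append(f"{srv.host}:{srv.effective_port()} answered: "
                       f"{'accept' if answer else 'reject'}")
            return answer, srv.host, waited, log
        log.append(f"{srv.host} declared inoperative, trying next server")
    return None, None, waited, log


# Constructed scenario: the primary is silent, the backup answers.
SERVERS = [
    TacacsServer("192.168.12.34"),                               # page's example address, defaults
    TacacsServer("192.0.2.49", port=4949, timeout=2, retries=1),  # constructed backup
]


def constructed_transport(srv: TacacsServer) -> Answer:
    """Stand-in for the network: primary never answers, backup accepts."""
    return None if srv.host == "192.168.12.34" else True


def run_scenario() -> Tuple[Answer, Optional[str], int, List[str]]:
    return authenticate(SERVERS, constructed_transport)


if __name__ == "__main__":
    answer, host, waited, log = run_scenario()
    print("\n".join(log))
    print(f"result={answer} from {host} after {waited}s of waiting")
    print(f"all servers down would take {total_worst_case_wait(SERVERS)}s before the Error screen")
```

With the page's defaults (4 seconds, 2 retries) a dead primary adds 12 seconds to every administrator login before the backup is even tried, and a list of ten servers all at the maximum settings (30 seconds, 10 retries) would wait 3300 seconds before the Manager shows the Error screen. Checking the totals this way is a cheap complement to the AAA Servers | Test screen, and it is one more reason to keep the console-port fallback from the Caution above in mind when changing these values.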
AAA Servers | Test
This screen lets you test a configured TACACS+ server to determine that:
• The VPN Concentrator is communicating properly with the TACACS+ server.
• The server correctly authenticates a valid administrator.
• The server correctly rejects an invalid user.
Caution
Misconfiguration of TACACS+ can lock an administrator out of the Concentrator HTML interface. If that happens, you can access the Concentrator by logging in through the console port, using your administrator username and password.
Figure 9-10 Administration | Access Rights | AAA Servers | Test Screen
Screen Elements
• User Name — To test connectivity and valid authentication, enter the username for a valid user who has been configured on the TACACS+ server. The maximum length is 32 characters. Entries are case-sensitive.
To test connectivity and authentication rejection, enter a username that is invalid on the TACACS+ server.
• Password — Enter the password for the username. The maximum length is 32 characters. Entries are case-sensitive. The field displays only asterisks.
• OK — Click to send the username and password to the selected TACACS+ server. The authentication and response process takes a few seconds. The Manager displays a Success or Error screen.
• Cancel — Click to cancel the test and discard your entries. The Manager returns to the Administration | Access Rights | AAA Servers | Authentication screen.
Success (AAA)
If the authentication succeeds, the Manager displays a success screen.
Figure 9-11 Administration | Access Rights | AAA Servers | Authentication Success Screen
• Continue — Click to return to the Administration | Access Rights | AAA Servers screen.
Error (AAA)
If the authentication is unsuccessful for any reason—invalid username or password, no active server, etc.—the Manager displays an Error screen.
Figure 9-12 Administration | Access Rights | AAA Servers | Authentication Error Screen
Screen Elements
• Retry the operation — Click to return to the Administration | Access Rights | AAA Servers | Test screen.
• Go to main menu — Click to go to the main VPN Concentrator Manager screen.
Note
You must set a value in the AAA Access Level parameter; see Administration | Access Rights | Administrators | Modify Properties.