Table of Contents

Access Rights

Administration | Access Rights

This section of the Manager lets you configure and control administrative access to the VPN Concentrator.

Administration | Access Rights | Administrators

Administrators are special users who can access and change the configuration, administration, and monitoring functions on the VPN Concentrator. Only administrators can use the VPN Concentrator Manager.

Cisco provides five predefined administrators:

This section of the Manager lets you change administrator properties and rights. Any changes take effect as soon as you click Apply.

Note   The VPN Concentrator saves Administrator parameter settings from this screen and the Modify Properties screen in nonvolatile memory, not in the active configuration (CONFIG) file. Thus, these settings are retained even if the system loses power. These settings are also retained even if you reboot the system with the factory configuration file.

Group Number

This is a reference number for the administrator. Cisco assigns these numbers so you can refer to administrators by groups of properties. The numbers cannot be changed.

Username

The username, or login name, of the administrator. You can change this name on the Administration | Access Rights | Administrators | Modify Properties screen.

Note   The default passwords that Cisco supplies are the same as the usernames. We strongly recommend that you change these passwords.

Properties / Modify

To modify the username, password, and access rights of the administrator, click Modify. See the Administration | Access Rights | Administrators | Modify Properties screen.

Administrator

To assign "system administrator" privileges to one administrator, click the radio button. Only the "system administrator" can access and configure properties in this section. You can select only one. By default, admin is selected.

Enabled

Check the Enabled check box to enable, or clear the box to disable, an administrator. Only enabled administrators can log in to, and use, the VPN Concentrator Manager. You must enable at least one administrator, and you can enable all administrators. By default, only admin is enabled.

Apply / Cancel

To save the settings of this screen in nonvolatile memory, click Apply. The settings immediately affect new sessions. The Manager returns to the Administration | Access Rights screen.

To discard your settings or changes, click Cancel. The Manager returns to the Administration | Access Rights screen.

Administration | Access Rights | Administrators | Modify Properties

This screen lets you modify the username, password, and rights for an administrator. Any changes affect new sessions as soon as you click Apply or Default.

Table 8-1 shows the matrix of Cisco-supplied default rights for the five administrators.

Username

Enter or edit the unique username for this administrator. The maximum length is 31 characters.

Password

Enter or edit the unique password for this administrator. The maximum length is 31 characters. The field displays only asterisks.

Note   The default password that Cisco supplies is the same as the username. We strongly recommend that you change this password.

Verify

Re-enter the password to verify it. The field displays only asterisks.

Access Rights

The Access Rights determine access to and rights in VPN Concentrator Manager functional areas (Authentication or General), or via SNMP. Click the Access Rights drop-down menu button and choose the access rights:

Authentication

This area consists of VPN Concentrator Manager functions that affect authentication:

General

This area consists of all VPN Concentrator Manager functions except authentication and administration. (The Administrator radio button on the Administration | Access Rights | Administrators screen controls access to administration functions.)

SNMP

This parameter governs limited changes to the VPN Concentrator Manager via SNMP, using a network management system. In other words, it determines what the administrator can do via SNMP.

Files

This parameter governs rights to access and manage files in VPN Concentrator Flash memory, and to save the active configuration in a file. (Flash memory acts like a disk.) Click the Files drop-down menu button and choose the file management rights:

AAA Access Level

This parameter governs the level of access for administrators authenticated by a TACACS+ server. On the TACACS+ server you configure levels of privilege, maximum 0-15, to suit your environment. You can set the number of privilege levels and order them as you choose (numbered in ascending order, descending order, or whatever scheme meets your requirements). You then set this AAA Access Level parameter to one of the levels configured on the TACACS+ server. Administrators have access privileges corresponding to the level you assign.

Apply / Default / Cancel

To save your settings in nonvolatile memory, click Apply. The settings take effect immediately. The Manager returns to the Administration | Access Rights | Administrators screen.

To restore the Cisco-supplied access rights for this administrator, and to save your settings in nonvolatile memory, click Default. The settings take effect immediately. This action does not restore the default username or password. The Manager returns to the Administration | Access Rights | Administrators screen.

To discard your changes, click Cancel. The Manager returns to the Administration | Access Rights | Administrators screen.

Administration | Access Rights | Access Control List

This section of the Manager lets you configure and prioritize the systems (workstations) that are allowed to access the VPN Concentrator Manager. For example, you might want to allow access only from one or two PCs that are in a locked room. If no systems are listed, then anyone who knows the VPN Concentrator IP address and the administrator username/password combination can gain access.

As soon as you add a workstation to the list, access control becomes effective for new sessions. Therefore, the first entry on the list should be the IP address of the workstation you are now using to configure the VPN Concentrator. Otherwise, if you log out or time out, you will not be able to access the Manager from the workstation.

These entries govern administrator access and management by any remote means: HTTP, HTTPS, FTP, TFTP, SNMP, Telnet, SSH, etc.

Manager Workstations

The Manager Workstations list shows the configured workstations that are allowed to access the VPN Concentrator Manager, in priority order. Each entry shows the priority number, IP address/ mask, and administrator group number, for example: 1. 10.10.1.35/255.255.255.255 Group=1. If no workstations have been configured, the list shows --Empty--.

Add / Modify / Delete / Move

To configure a new manager workstation, click Add. The Manager opens the Administration | Access Rights | Access Control List | Add screen.

To modify a configured manager workstation, select the entry from the list and click Modify. The Manager opens the Administration | Access Rights | Access Control List | Modify screen.

To remove a configured manager workstation, select the entry from the list and click Delete. The Manager refreshes the screen and shows the remaining entries in the Manager Workstations list.

To change the priority order for configured manager workstations, select the entry from the list and click Move Up or Move Down The Manager refreshes the screen and shows the reordered Manager Workstations list.

Reminder:

The Manager immediately includes your changes in the active configuration. To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

Administration | Access Rights | Access Control List |
Access Control List: Add or Modify

These screens let you:

Priority (Modify screen only)

This field shows the priority number of this workstation in the list of Manager Workstations. You cannot edit this field. To change the priority, use the Move buttons on the Administration | Access Rights | Access Control List screen.

IP Address

Enter the IP address of the workstation in dotted decimal notation, for example: 10.10.1.35.

IP Mask

Enter the mask for the IP address in dotted decimal notation. This mask lets you restrict access to a single IP address, a range of addresses, or all addresses. To restrict access to a single IP address, enter 255.255.255.255 (the default). To allow all IP addresses, enter 0.0.0.0. To allow a range of IP addresses, enter the appropriate mask. For example, to allow IP addresses 10.10.1.32 through 10.10.1.35, enter the mask 255.255.255.252.

Access Group

To assign rights of an administrator group to this IP address, click the appropriate radio button. The default choice is Group 1 (admin). You can assign only one group, or you can specify No Access.

Add or Apply / Cancel

To add this workstation to the list, click Add. Or to apply your changes to this workstation, click Apply. Both actions include your entry in the active configuration. The Manager returns to the Administration | Access Rights | Access Control List screen. Any new entry appears at the bottom of the Manager Workstations list.

Reminder:

To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

To discard your settings, click Cancel. The Manager returns to the Administration | Access Rights | Access Control List screen, and the Manager Workstations list is unchanged.

Administration | Access Rights | Access Settings

This screen lets you configure general options for administrator access to the VPN Concentrator Manager.

Session Idle Timeout

Enter the idle timeout period in seconds for administrative sessions. If there is no activity for this period, the VPN Concentrator Manager session terminates. The minimum period is 1 second. The default period is 600 seconds. The maximum period is 1800 seconds (30 minutes).

The Manager resets the inactivity timer only when you click an action button (Apply, Add, Cancel, etc.) or a link on a screen—that is, when you invoke a different screen. Entering values or setting parameters on a given screen does not reset the timer.

If you close out of the Manager without logging off, no one can change the configuration from a different PC until the logout time has been reached. Either you must log in and then log out, or the other user must wait until the session idle timeout limit has occurred.

Session Limit

Enter the maximum number of simultaneous administrative sessions allowed. The minimum is 1 session. The default is 10 sessions. The maximum is 50 sessions.

Config File Encryption

The CONFIG file is in ASCII text format (.INI format). The Config File Encryption radio button allows you to encrypt sensitive entries in this file, such as passwords, keys, and user information.

Apply / Cancel

To save your settings in the active configuration, click Apply. The Manager returns to the
Administration | Access Rights screen.

To cancel your settings, click Cancel. The Manager returns to the Administration | Access Rights screen.

Administration | Access Rights | AAA Servers

This section lets you configure AAA servers to authenticate administrators for this VPN Concentrator.

Before you configure a TACACS+ server here, be sure that the server you reference is itself properly configured and that you know how to access it (IP address or host name, TCP/UDP port, secret/password, etc.). The VPN Concentrator functions as the client of these servers.

You can configure and prioritize up to 10 TACACS+ servers. The first server of a given type is the primary server for that type, and the rest are backup servers in case the primary is inoperative.

Note   In addition to configuring AAA servers, to use TACACS+ you must set a value in the AAA Access Level parameter; see Administration | Access Rights | Administrators | Modify.

Caution   Misconfiguration of TACACS+ can lock an administrator out of the Concentrator HTML interface. If that happens, you can access the Concentrator by logging in through the console port, using your administrator username and password.

To configures TACACS+ servers, click Authentication--authentication servers.

Administration | Access Rights | AAA Servers | Authentication

The Manager displays the Administration | Access Rights | AAA Servers | Authentication screen. This screen lets you add, modify, delete, or change the priority order of TACACS+ administrator authentication servers.

Authentication Servers

The Authentication Servers list shows the configured TACACS+ servers, in priority order. Each entry shows the server identifier. If no servers have been configured, the list shows --Empty--. The first server of each type in the list is the primary TACACS+ server, the rest are backup.

Add / Modify / Delete / Move / Test

To configure and add a new TACACS server, click Add. The Manager opens the Administration | Access Rights | AAA Servers | Add screen.

To modify parameters for an authentication server that has been configured, select the server from the list and click Modify. The Manager opens the Administration | Access Rights | AAA Servers | Modify screen.

To remove a server that has been configured, select the server from the list and click Delete.

Note   There is no confirmation or undo.

The Manager refreshes the screen and shows the remaining servers in the list.

To change the priority order for a TACACS+ server, click Move Up or Move Down to move it up or down on the list of servers configured for this group.

When you are finished configuring TACACS+ servers, click Done. This action includes your settings in the active configuration. The Manager returns to the Administration | Access Rights screen.

Reminder:

To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

Administration | Access Rights | AAA Servers | Authentication | Add or Modify

These screens let you add or modify TACACS+ administration authentication servers.

Authentication Server

Enter the IP address or host name of the TACACS+ authentication server, for example: 192.168.12.34. The maximum length is 32 characters. (If you have configured a DNS server, you can enter a host name in this field; otherwise, enter an IP address.)

Server Port

Enter the TCP port number by which you access the server. Enter 0 (the default) to have the system supply the default port number, 49.

Timeout

Enter the time in seconds to wait after sending a query to the server and receiving no response, before trying again. The minimum time is 1 second. The default time is 4 seconds. The maximum time is 30 seconds.

Retries

Enter the number of times to retry sending a query to the server after the timeout period. If there is still no response after this number of retries, the VPN Concentrator declares this server inoperative and uses the next TACACS+ authentication server in the list. The minimum number of retries is 0. The default number is 2. The maximum is number is 10.

Server Secret

Enter the TACACS+ server secret (also called the shared secret), for example: C8z077f. The maximum length is 32 characters. The field shows only asterisks.

Verify

Re-enter the TACACS+ server secret to verify it. The field shows only asterisks.

Add/Apply or Cancel

To add the new server to the list of configured user TACACS+ servers, click Add. Or to apply your changes to the configured server, click Apply. Both actions include your entries in the active configuration. The Manager returns to the Administration | Access Rights | AAA Servers | Authentication screen. Any new server appears at the bottom of the TACACS+ Authentication Servers list.

Reminder:

To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

To discard your entries, click Cancel. The Manager returns to the Administration | Access Rights | AAA Servers | Authentication screen, and the TACACS+ Authentication Servers list is unchanged.

Administration | Access Rights | AAA Servers | Test

This screen lets you test a configured TACACS+ server to determine that:

Caution   Misconfiguration of TACACS+ can lock an administrator out of the Concentrator HTML interface. If that happens, you can access the Concentrator by logging in through the console port, using your administrator username and password.

User Name

To test connectivity and valid authentication, enter the username for a valid user who has been configured on the TACACS+ server. The maximum length is 32 characters. Entries are case-sensitive.

To test connectivity and authentication rejection, enter a username that is invalid on the TACACS+ server.

Password

Enter the password for the username. The maximum length is 32 characters. Entries are case-sensitive. The field displays only asterisks.

OK / Cancel

To send the username and password to the selected TACACS+ server, click OK. The authentication and response process takes a few seconds. The Manager displays a Success or Error screen.

To cancel the test and discard your entries, click Cancel. The Manager returns to the Administration | Access Rights | AAA Servers | Authentication screen.

Success (AAA)

If the authentication succeeds, the Manager displays a success screen.

Continue

To return to the Administration | Access Rights | AAA Servers screen, click Continue.

If the authentication is unsuccessful for any reason—invalid username or password, no active server, etc.—the Manager displays an Error screen.

Error (AAA)

To return to the Administration | Access Rights | AAA Servers | Authentication Test screen, click Retry the operation.

To go to the main VPN Concentrator Manager screen, click Go to main menu.

Note   You must set a value in the AAA Access Level parameter; see Administration | Access Rights | Administrators | Modify.