Cisco Crosswork Network Controller 7.2 Administration Guide

PDF

Configure AAA settings

Want to summarize with AI?

Log in

Configure AAA settings to control authentication, authorization, and accounting policies for user access and session management in Crosswork Network Controller.


Users with relevant AAA permissions can configure the AAA settings.

Configure these settings when you need to establish or update how users are authenticated, what resources they can access, and how their activities are tracked. Proper AAA settings help safeguard network resources and ensure compliance with organizational access policies.

Before you begin

  • Ensure you have administrator permissions or equivalent AAA configuration rights.

  • Review your organization's authentication and password policy requirements.

  • Gather information about external authentication servers (if applicable).

  • Notify affected users of possible session interruptions during configuration changes.

Procedure

1.

From the main menu, choose Administration > AAA > Settings .

2.

Select the relevant setting for Fallback to local. By default, Crosswork Network Controller prefers external authentication servers over local database authentication.

Note

Admin users are always authenticated locally.

3.

Under Browser session timeout, select the relevant value for the Log out inactive users after field. Any user who remains idle beyond the specified limit will be automatically logged out.

This timeout is enforced by the system and applies even if the user closes the browser tab without explicitly logging out. If no activity (token usage) is detected after the tab is closed, the session expires after the configured timeout. For example, with a 10-minute timeout, if a user closes the browser tab after 5 minutes of activity, the user must log in again if they return after 10 minutes.

Note
  • The default timeout value is 30 minutes.

  • Changes to the timeout value take effect immediately, including for active sessions.

  • Session termination can take upto a minute more than the configured timeout due to backend scheduling.

  • This setting applies only to browser-based UI sessions. API-based sessions continue to follow the existing 8-hour validity behavior.

4.

Under Parallel session, enter relevant values for the Number of parallel sessions and Number of parallel sessions per user fields.

Note

Crosswork Network Controller supports between 5 to 200 parallel session for concurrent users. If the number of parallel sessions are exceeded, an error is displayed while logging in to Crosswork Network Controller .

Note

Crosswork Network Controller supports 50 simultaneous NBI sessions up to 400 sessions.

5.

Under Source IP, enable auditing of user source IP addresses.

  1. Select the Enable source IP for auditing checkbox to log the user's source IP address for auditing and accounting. This option is disabled by default.

  2. Log out, wait a few minutes, then log back in. This pause ensures the change is applied and the actual client IP address is accurately captured.

    During this transition, audit logs may temporarily display the Crosswork node IP instead of the client IP. The correct client IP will appear in new audit log entries created after you log in again. Previous log entries will continue to show the node IP. Once enabled and you have logged in again, the Source IP column will appear on both the Audit Log and Active sessions pages.

6.

Select the relevant settings for the Local password policy. Certain password settings are enabled by default and cannot be disabled (for example, Change password on first login).

Note

Any changes in the password policy is enforced only the next time when the users change their password. Existing passwords are not checked for compliance during login.

Note

Local password policy allows administrators to configure the number of unsuccessful login attempts a user can make before they are locked out of Crosswork Network Controller , and the lockout duration. Users can attempt to login with the correct credentials once the wait time is over.