Manage Users

About user profiles

A user profile defines the login, password, email, and role (permissions) of a user.

You can configure both internal and external profiles for users. Internal user profiles reside in Catalyst Center, and external user profiles reside on an external AAA server.

A default user profile with SUPER-ADMIN-ROLE permissions is created when you install Catalyst Center.

About user roles

Each user is assigned a user role that specifies the functions the user is permitted to perform:

  • Administrator (SUPER-ADMIN-ROLE): Users with this role have full access to all Catalyst Center functions. They can create other user profiles with various roles, including those with the SUPER-ADMIN-ROLE.

  • Network Administrator (NETWORK-ADMIN-ROLE): Users with this role have full access to all of the network-related Catalyst Center functions. However, they do not have access to system-related functions, such as backup and restore.

  • Observer (OBSERVER-ROLE): Users with this role have view-only access to the Catalyst Center functions. Users with the observer role cannot access functions that configure or control Catalyst Center or the devices it manages.

  • Customized Role: Users with SUPER-ADMIN-ROLE privileges can define custom roles that permit or restrict user access to specific Catalyst Center functions.

Create an internal user

You can create a user and assign a role to them.

Before you begin

Only a user with SUPER-ADMIN-ROLE permissions can perform this procedure. For more information, see About user roles.

Procedure


Step 1

From the main menu, choose System > Users & Roles > User Management.

Step 2

Click Add.

Step 3

Enter the first name, last name, email address, and username for the new user.

The email address must comply with the requirements defined by the Apache EmailValidator class.

Step 4

Under Role List, choose one of the following roles: SUPER-ADMIN-ROLE, NETWORK-ADMIN-ROLE, or OBSERVER-ROLE.

Step 5

Enter a password and confirm it.

Step 6

Click Save.


Edit a user

You can edit some user properties (but not the username).

Before you begin

Only a user with SUPER-ADMIN-ROLE permissions can perform this procedure. For more information, see About user roles.

Procedure


Step 1

From the main menu, choose System > Users & Roles > User Management.

Step 2

Click the radio button next to the user that you want to edit.

Step 3

Click Edit.

Step 4

Edit the first name, last name, or email address, if needed.

Step 5

Under Role List, choose a new role, if needed: SUPER-ADMIN-ROLE, NETWORK-ADMIN-ROLE, or OBSERVER-ROLE.

Step 6

Click Save.


Delete a user

Before you begin

Only a user with SUPER-ADMIN-ROLE permissions can perform this procedure. For more information, see About user roles.

Procedure


Step 1

From the main menu, choose System > Users & Roles > User Management.

Step 2

Click the radio button next to the user you want to delete.

Step 3

Click Delete.

Step 4

At the confirmation prompt, click Continue.


Password policy

After you have deployed Catalyst Center, review these password policy requirements.

Fresh Catalyst Center deployments

This section describes password policies for new deployments.

  • The default password for the maglev user and admin superuser is P@ssword9.

    You are prompted to change the password for the admin superuser after you log in to the Catalyst Center GUI for the first time.

  • When you change any user's password or configure a new user, ensure their password complies with the new requirements.

Catalyst Center upgrades

This section explains password behavior during system upgrades.

  • Role-Based Access Control (RBAC) users configured in an earlier version of Catalyst Center can continue using their current password to log in to Catalyst Center 2.3.7.9 and later.

    For example, you upgraded an appliance from version 2.3.7.6 to 2.3.7.10. You backed up the data from the appliance. Later, you restored the backup file onto another appliance with Catalyst Center 2.3.7.10 installed. Existing RBAC users can log in using their current password.

  • When you change any user's password or configure a new RBAC user, ensure their password complies with the new requirements.

See Password requirements to learn the criteria your new password must meet.

Password requirements

Any user password you configure in Catalyst Center 2.3.7.9 or later must meet these requirements:

  • Is at least nine characters in length.

  • Includes characters from at least three of these categories:

    • Uppercase letters (A to Z)

    • Lowercase letters (a to z)

    • Numbers (0 through 9)

    • Special characters (such as !, $, and #)

  • Does not contain more than four consecutive characters on an English QWERTY keyboard.

    For example, 59Asdfpj! is not a valid password because it contains the characters a, s, d, and f in succession.

  • Does not contain two or more consecutive characters from the associated username.

  • Does not contain a complete word from any language.

  • Does not contain a phrase based on personal information.


Note


You can reuse a previous password only after you use 24 different passwords.
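An offline pre-check for the rules above, written as an added example for this page rather than Catalyst Center's own validator: it implements the length, character-category, keyboard-run, username-overlap and 24-password reuse rules, and treats a run of four adjacent keys as invalid so that the page's 59Asdfpj! example is rejected. The QWERTY row layout and the unsalted digest used for the reuse history are assumptions; the dictionary-word and personal-information rules need external data and are not checked.

```python
import hashlib
import re
from typing import Iterable, List, Optional

# QWERTY rows for the "consecutive keyboard characters" rule. The row layout is an
# assumption about which keys count as adjacent; it is not taken from the page.
QWERTY_ROWS = ("`1234567890-=", "qwertyuiop[]\\", "asdfghjkl;'", "zxcvbnm,./")
RUN_LENGTH = 4      # the page rejects 59Asdfpj! for the four-key run "asdf"
HISTORY_DEPTH = 24  # a password may be reused only after 24 different passwords
CATEGORY_PATTERNS = (r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]")


def _keyboard_run(password: str) -> Optional[str]:
    """Return the first RUN_LENGTH-character substring whose characters sit next to
    each other on a QWERTY row (in either direction), or None."""
    lowered = password.lower()
    for i in range(len(lowered) - RUN_LENGTH + 1):
        chunk = lowered[i:i + RUN_LENGTH]
        for row in QWERTY_ROWS:
            if chunk in row or chunk in row[::-1]:
                return password[i:i + RUN_LENGTH]
    return None


def _username_overlap(password: str, username: str) -> Optional[str]:
    """Return the first pair of consecutive username characters that also appears
    in the password (case-insensitive), or None."""
    lowered_pw, lowered_user = password.lower(), username.lower()
    for i in range(len(lowered_user) - 1):
        pair = lowered_user[i:i + 2]
        if pair in lowered_pw:
            return pair
    return None


def password_digest(password: str) -> str:
    """Digest kept in the reuse history. Plain SHA-256 keeps the example short; a
    real credential store would keep a salted password hash instead (assumption)."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def validate_password(password: str, username: str,
                      history: Iterable[str] = ()) -> List[str]:
    """Return the list of policy rules the password breaks (empty means acceptable).

    Checks the rules a script can evaluate offline: minimum length, three of four
    character categories, keyboard runs, consecutive username characters, and reuse
    within the last HISTORY_DEPTH digests in `history` (oldest first).
    """
    problems = []
    if len(password) < 9:
        problems.append("shorter than nine characters")
    categories = sum(bool(re.search(p, password)) for p in CATEGORY_PATTERNS)
    if categories < 3:
        problems.append(f"only {categories} of 4 character categories used (need 3)")
    run = _keyboard_run(password)
    if run:
        problems.append(f"keyboard sequence '{run}'")
    pair = _username_overlap(password, username)
    if pair:
        problems.append(f"contains consecutive username characters '{pair}'")
    if password_digest(password) in list(history)[-HISTORY_DEPTH:]:
        problems.append(f"reused within the last {HISTORY_DEPTH} passwords")
    return problems


if __name__ == "__main__":
    # Constructed inputs: the page's invalid example and a conforming replacement.
    for candidate in ("59Asdfpj!", "Tr0ub!eF1x"):
        print(candidate, "->", validate_password(candidate, "user1") or "OK")
```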


Reset a user password

You can reset another user's password.

For security reasons, passwords are not displayed to any user, not even to users with administrator privileges.

Before you begin

Only a user with SUPER-ADMIN-ROLE permissions can perform this procedure. For more information, see About user roles.

Procedure


Step 1

From the main menu, choose System > Users & Roles > User Management.

Step 2

Click the radio button next to the user whose password you want to reset.

Step 3

From the More Actions drop-down list, click Reset Password.

Step 4

Enter a new password and confirm it.

Step 5

Click Save.


Change your own user password

Before you begin

Only a user with SUPER-ADMIN-ROLE permissions can perform this procedure. For more information, see About user roles.

Procedure


Step 1

From the main menu, choose System > Users & Roles > Change Password.

Step 2

Enter information in the required fields.

Step 3

Click Update.


Change your own user password without admin permission

The following procedure describes how to change your password without admin permission.

Procedure


Step 1

From the top-right corner, click your displayed username and choose My Profile and Settings > My Account.

Step 2

In the Password field, click Update Password.

Step 3

In the Update Password dialog box, enter the new password and confirm the new password.

Step 4

Click Update.


Reset a forgotten password

If you forgot your password, you can reset it through the CLI.


Note


For added security, access to the root shell is disabled in Catalyst Center. With restricted shell, users can't access the underlying operating system and file system, which reduces operational risk. However, the commands in this section require that you contact the Cisco TAC to access the root shell temporarily.


Procedure


Step 1

Enter this command to check whether the user exists in the system.

magctl user display <username>

The command returns the tenant-name, which can be used to reset the password. The output looks similar to:

User admin present in tenant TNT0 (where TNT0 is the tenant-name)

Step 2

Enter this command, with the username and the tenant-name from Step 1, to reset the password.

magctl user password update <username> <tenant-name>

You are prompted to enter a new password.

Step 3

Enter the new password.

You are prompted to reenter the new password to confirm.

Step 4

Enter the new password.

The password is reset, and you can log in to Catalyst Center using the new password.


Configure role-based access control

Catalyst Center supports role-based access control (RBAC), which enables a user with SUPER-ADMIN-ROLE privileges to define custom roles that permit or restrict user access to certain Catalyst Center functions and sites.

Use this procedure to define a custom role and then assign a user to that role.

Before you begin

Only a user with SUPER-ADMIN-ROLE permissions can perform this procedure.

Procedure


Step 1

Define a custom role.

  1. From the main menu, choose System > Users & Roles > Role Based Access Control.

  2. Click Create a New Role.

  3. If a task overview window opens, click Let’s do it to go directly to the workflow.

  4. In the Create a New Role window, enter a name for the role and then click Next.

  5. In the Define the Access window, click the > icon corresponding to the desired function to view the associated features.

  6. Set the permission level to Deny, Read, or Write for the desired features and click Next.

    If you set the permission level of a feature to Deny, the user to whom you assign this role cannot view this feature in the GUI.

    For dependent features, if you override the recommended permission level settings, a warning message indicating the permission level violation of dependent features is shown in the Summary window.

  7. Review the configuration settings. To make any changes, click Edit.

  8. Click Create Role.

Step 2

To assign a user to the custom role you created, go to Users & Roles > User Management.

  • To assign the custom role to an existing user:
    1. In the User Management window, click the radio button corresponding to the user to whom you want to assign the custom role, and then click Edit.

    2. In the Update Internal User slide-in pane, click the Roles drop-down list and choose the custom role.

    3. Click Save.

  • To assign the custom role to a new user:
    1. In the User Management window, click Add.

    2. In the Create Internal User slide-in pane, enter the first name, last name, and username.

    3. From the Roles drop-down list, choose the custom role.

    4. Enter the password and then confirm it.

    5. Click Save.

Step 3

If you are an existing user who was logged in when the administrator was updating your access permissions, you must log out of Catalyst Center and then log back in for the new permission settings to take effect.


Catalyst Center user role permissions

Table 1. Catalyst Center user role permissions

Columns of the original table: Capability, Description, and Recommended permission settings for dependent capabilities. In this flattened rendering, each capability name is followed by its description and then, where the table gives them, the recommended permission settings for its dependent capabilities as a bulleted list.

Assurance

Assure consistent service levels with complete visibility across all aspects of your network.

Monitoring

Monitor and manage the health of your network with issue troubleshooting and remediation, proactive network monitoring, and insights driven by AI Network Analytics.

This role lets you:

  • Resolve, close, and ignore issues.

  • Run Machine Reasoning Engine (MRE) workflows.

  • Analyze trends and insights.

  • Troubleshoot issues, including path trace, sensor dashboards, and rogue management.

  • Run workflows for rogue and Cisco Advanced Wireless Intrusion Prevention System (aWIPS). These workflows include AP-allowed list, vendor-allowed list, aWIPS profile creation, assigning an aWIPS profile, and so on.

  • Network Management > Hierarchy: Read

  • Network Management > Inventory: Read

  • Network Design > Profiles and Settings: Read

  • Utilities > Machine Reasoner: Read

  • Utilities > Reports: Read

  • Utilities > App Hosting: Read

  • Utilities > Command Runner: Read

Settings

Configure and manage issues. Update network, client, and application health thresholds.

  • Assurance > Monitoring: Read

  • Network Management > Hierarchy: Read

  • Network Management > Inventory: Read

  • Utilities > App Hosting: Read

Troubleshooting

Create and manage sensor tests. Schedule on-demand forensic packet captures (Intelligent Capture) for troubleshooting clients.

  • Assurance > Monitoring: Read

  • Assurance > Troubleshooting: Write

  • Network Provision > Device Provision: Write

  • Network Management > Hierarchy: Read

  • Network Management > Inventory: Read

  • Network Design > Profiles and Settings: Read

  • Utilities > Machine Reasoner: Read

  • Utilities > App Hosting: Read

  • Utilities > Command Runner: Read

Extensions

Open platform for accessible intent-based workflows, data exchange, notifications, and third-party app integrations.

Note


This permission cannot be assigned to a site-scoped (non-global) access group if set to Read/Write.

Event Subscription

Subscribe to near real-time notifications of network and system events. Initiate corrective actions.

Note


This permission must be set as Write when ITSM is integrated with Visibility and Control of Configurations.

  • System > System Settings: Read

ITSM

Configure and activate preconfigured bundles for ITSM integration.

Note


This permission cannot be assigned to a site-scoped (non-global) access group if set to Read/Write.

  • Extensions > Intent API: Write

Intent API

Access the product through REST APIs.

Network Design

Configure network profiles and settings. Manage templates. Update the software image repository. Configure wireless maps for managing your sites and network devices.

Profiles and Settings

Manage site-wide network settings such as AAA, NTP, DHCP, and so on. Manage telemetry and profiles.

  • Network Management > Hierarchy: Read

Wireless Maps

Visualize your wireless network and configure wireless maps.

  • Network Management > Hierarchy: Write

  • Network Management > Inventory: Write

  • Network Design > Profiles and Settings: Write

  • Assurance > Monitoring: Read

Network Management

Discover and build your network.

Discovery

Discover new devices on your network.

  • Network Management > Hierarchy: Write

  • Network Management > Inventory: Write

  • Network Design > Profiles and Settings: Read

Hierarchy

Create a network hierarchy of areas, buildings, and floors based on geographic location. This role also includes CMX server settings.

Inventory

Add, update, or delete devices on your network. Manage device attributes; view and manage network topology and configurations.

  • Network Management > Hierarchy: Read

  • Network Design > Profiles and Settings: Read

License

Manage software and network assets relative to license usage and compliance.

Note


This permission set cannot be assigned to a site-scoped (non-global) access group if set to Read/Write.

  • Assurance > Monitoring: Read

Network-wide Settings

Configure network-wide settings to monitor your network and device.

Note


This permission set cannot be assigned to a site-scoped (non-global) access group if set to Read/Write.

Network Operations

Manage and maintain your network devices.

Compliance

Monitor device compliance and out-of-band changes. Manage Cisco field notices and view EoX statuses.

  • Network Management > Hierarchy: Read

  • Network Management > Network-wide Settings: Read

  • Security > Security Advisory: Read

  • Network Operations > SWIM: Read

LAN Automation

Provision your network through LAN automation.

  • Network Management > Hierarchy: Read

  • Network Management > Network-wide Settings: Read

  • Network Management > Inventory: Read

  • Network Design > Profiles and Settings: Read

Plug and Play

Automatically onboard new devices, assign them to sites, and configure them with site-specific settings.

  • Network Management > Hierarchy: Read

  • Network Management > Network-wide Settings: Read

  • Network Management > Inventory: Read

  • Network Design > Profiles and Settings: Read

RMA

Replace faulty devices in your network.

  • Network Management > Hierarchy: Read

  • Network Management > License: Read

  • Network Management > Inventory: Read

  • Network Operations > Plug and Play: Write

  • Network Operations > SWIM: Write

SWIM

Manage software images. Update physical and virtual network entities.

  • Network Management > Hierarchy: Read

  • Network Management > Inventory: Read

Network Provision

Configure, upgrade, provision, and manage network devices.

Device Provision

Provision devices with site-specific settings and policies that are configured for the network. This role includes Application Policy, Application Visibility, Cloud, Site-to-Site VPN, Network/Application Telemetry, Security Service Insertion, Stealthwatch, and Umbrella provisioning.

  • Network Management > Hierarchy: Read

  • Network Management > Inventory: Read

  • Network Design > Profiles and Settings: Read

  • Network Design > Template: Write

  • Network Operations > Plug and Play: Write

  • Network Operations > Compliance: Read

  • Utilities > Command Runner: Write

  • System > System Settings: Read

Network-wide Config

Manage virtual networks, extranet policies, and other network-wide configurations.

Note


This permission set cannot be assigned to a site-scoped (non-global) access group if set to Write.

SD-Access

Configure, manage, and monitor an SD-Access Fabric.

  • Network Management > Hierarchy: Read

  • Network Management > Inventory: Read

  • Network Management > Discovery: Read

  • Network Management > Network-wide Settings: Read

  • Network Provision > Device Provision: Write

  • Network Design > Template: Write

  • Network Operations > Plug and Play: Write

  • Network Operations > Network-wide Config: Read

  • Policy > Group-based Policy: Read

  • Network Operations > LAN Automation: Read

  • Network Operations > SWIM: Read

  • Network Operations > Compliance: Read

  • Network Design > Profiles and Settings: Read

  • Utilities > Event Viewer: Read

Policy

Configure and manage policies that reflect your organization's business intent.

Note


This permission set cannot be assigned to a site-scoped (non-global) access group if set to Read/Write.

Application Policy

Manage QoS policies to make efficient use of network resources.

  • Network Management > Hierarchy: Read

  • Network Management > Inventory: Read

  • Network Design > Profiles and Settings: Read

  • Network Operations > Compliance: Read

  • Utilities > Command Runner: Write

  • System > System Settings: Read

Group-Based Policy

Manage group-based policies that enforce network segmentation and access control.

Note


This permission set cannot be assigned to a site-scoped (non-global) access group if set to Write.

IP-Based Access Control

Manage IP-based access control lists that enforce network segmentation.

Note


This permission set cannot be assigned to a site-scoped (non-global) access group if set to Write.

Security

Manage and control secure access to the network.

Audit Log

View logs of changes made through the UI or API to the system, network devices, and settings.

Rogue and aWIPS

Monitor rogue and aWIPS threats in your network.

  • Network Management > Hierarchy: Read

  • Network Management > Inventory: Read

  • Network Provision > Device Provision: Write

  • Assurance > Monitoring: Read

  • Assurance > Troubleshooting: Read

  • Network Design > Profiles and Settings: Write

  • Security > Audit Log: Write

  • System > System Settings: Read

  • Utilities > Reports: Write

Security Advisory

Scan the network for Cisco security advisories. Review the impact of published security advisories that may affect your network.

Note


This permission set cannot be assigned to a site-scoped (non-global) access group if set to Write.

  • Network Management > Hierarchy: Read

  • Network Management > Inventory: Read

Stealthwatch

Configure network elements to send data to Cisco Stealthwatch to detect and mitigate threats, even in encrypted traffic.

Note


This permission set cannot be assigned to a site-scoped (non-global) access group if set to Write.

  • Network Management > Hierarchy: Read

  • Network Management > Inventory: Read

  • Network Design > Profiles and Settings: Write

  • Network Provision > Device Provision: Write

  • System > System Settings: Read

  • System > System Administration: Read

Umbrella

Configure network elements to use Cisco Umbrella as the first line of defense against cybersecurity threats.

Note


This permission set cannot be assigned to a site-scoped (non-global) access group if set to Write.

System

Perform centralized administration for configuration management, network connectivity, software upgrades, and more.

System Administration

Manage core system administrative capabilities including HA, Disaster Recovery, and Backup and Restore.

Note


This permission set cannot be assigned to a site-scoped (non-global) access group if set to Write.

  • System > System Settings: Write

System Settings

Manage core system connectivity settings. This role includes Integrity Verification, Integration Settings, Debugging Logs, Telemetry Collection, System EULA, IPAM, Data Platform, Cisco Credentials, Smart account, Smart Licensing, SSM Connection Mode, and Device EULA.

This role also includes permissions related to certificate management.

This role enables the configuration of automatic updates to the machine reasoning knowledge base.

Note


This permission set cannot be assigned to a site-scoped (non-global) access group if set to Write.

Utilities

Use common utilities to help manage your network.

App Hosting

Deploy, manage, and monitor virtualized and container-based applications running on devices.

Bonjour

Use the wide-area bonjour service to enable policy-based service discovery across your network.

Note


This permission set cannot be assigned to a site-scoped (non-global) access group if set to Write.

Command Runner

Display the running configuration of a device.

  • Network Management > Inventory: Read

Event Viewer

View device and client events for troubleshooting.

Machine Reasoner

Scan the network for defects or bugs known by Cisco and troubleshoot various issues on your network through workflows.

Note


This permission set cannot be assigned to a site-scoped (non-global) access group if set to Write.

  • Network Management > Inventory: Read

  • Network Management > Hierarchy: Read

Remote Device Support

Allow Cisco support personnel to remotely troubleshoot managed network devices.

Note


This permission set cannot be assigned to a site-scoped (non-global) access group if set to Write.

Reports

Use predefined reporting templates to generate reports for all areas of your network.
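The dependent-feature warning described in the custom-role procedure can be checked before a role is created. The following is an added example, not Catalyst Center code: it encodes a subset of Table 1 and, for a draft role, reports which dependent capabilities sit below the recommended level and then raises them, following dependency chains. Treating capabilities absent from the role as Deny and applying the recommendations whenever a capability is granted at all (Read or Write) are assumptions.

```python
from typing import Dict, List, Tuple

# Permission levels offered in the Define the Access window, in increasing privilege.
LEVELS = {"Deny": 0, "Read": 1, "Write": 2}

# Subset of Table 1 transcribed from this page: capability -> recommended permission
# settings for its dependent capabilities. Only the rows used below are encoded.
RECOMMENDED: Dict[str, Dict[str, str]] = {
    "Assurance > Monitoring": {
        "Network Management > Hierarchy": "Read",
        "Network Management > Inventory": "Read",
        "Network Design > Profiles and Settings": "Read",
        "Utilities > Machine Reasoner": "Read",
        "Utilities > Reports": "Read",
        "Utilities > App Hosting": "Read",
        "Utilities > Command Runner": "Read",
    },
    "Assurance > Troubleshooting": {
        "Assurance > Monitoring": "Read",
        "Network Provision > Device Provision": "Write",
        "Network Management > Hierarchy": "Read",
        "Network Management > Inventory": "Read",
        "Network Design > Profiles and Settings": "Read",
        "Utilities > Machine Reasoner": "Read",
        "Utilities > App Hosting": "Read",
        "Utilities > Command Runner": "Read",
    },
    "Network Operations > Plug and Play": {
        "Network Management > Hierarchy": "Read",
        "Network Management > Network-wide Settings": "Read",
        "Network Management > Inventory": "Read",
        "Network Design > Profiles and Settings": "Read",
    },
    "Network Operations > RMA": {
        "Network Management > Hierarchy": "Read",
        "Network Management > License": "Read",
        "Network Management > Inventory": "Read",
        "Network Operations > Plug and Play": "Write",
        "Network Operations > SWIM": "Write",
    },
    "Network Operations > SWIM": {
        "Network Management > Hierarchy": "Read",
        "Network Management > Inventory": "Read",
    },
    "Utilities > Command Runner": {
        "Network Management > Inventory": "Read",
    },
}

# (capability, dependent capability, actual level, recommended level)
Violation = Tuple[str, str, str, str]


def check_role(permissions: Dict[str, str]) -> List[Violation]:
    """Report every dependent capability whose level is below the recommended one.

    Assumptions: a capability missing from `permissions` is Deny (the GUI hides denied
    features), and a capability's recommendations apply whenever it is granted at all.
    """
    violations = []
    for capability, dependencies in RECOMMENDED.items():
        if LEVELS[permissions.get(capability, "Deny")] == LEVELS["Deny"]:
            continue
        for dependency, recommended in dependencies.items():
            actual = permissions.get(dependency, "Deny")
            if LEVELS[actual] < LEVELS[recommended]:
                violations.append((capability, dependency, actual, recommended))
    return violations


def with_recommended(permissions: Dict[str, str]) -> Dict[str, str]:
    """Return a copy of the role with every dependency raised to at least its
    recommended level. Repeats until stable because dependencies chain: RMA needs
    Plug and Play: Write, which in turn needs Network-wide Settings: Read. Levels
    are only ever raised, never lowered."""
    fixed = dict(permissions)
    while True:
        violations = check_role(fixed)
        if not violations:
            return fixed
        for _capability, dependency, _actual, recommended in violations:
            if LEVELS[fixed.get(dependency, "Deny")] < LEVELS[recommended]:
                fixed[dependency] = recommended


if __name__ == "__main__":
    # Constructed draft: a help-desk role meant to run packet captures and little else.
    draft = {"Assurance > Troubleshooting": "Write",
             "Network Provision > Device Provision": "Read"}
    for cap, dep, actual, rec in check_role(draft):
        print("warning: %s recommends %s: %s (currently %s)" % (cap, dep, rec, actual))
    print(with_recommended(draft))
```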

Display role-based access control statistics

You can display statistics that show how many users belong to each user role. You can also drill down to view the list of users who have a selected role.

Procedure


Step 1

From the main menu, choose System > Users & Roles > Role Based Access Control.

All default user roles and custom roles are displayed.

Step 2

Click the number corresponding to each user role to view the list of users who have that role.


Configure site-based, role-based access control

Catalyst Center supports site-based, role-based access control (SRBAC), which enables you to create an access group that limits access to certain network sites. An access group is a combination of a role and a site. The site can be the global site or a specific site. At any one time, you are logged in to a single access group.

Catalyst Center supports these default access groups:

  • NW-ADMIN_Global - Access group for global access to the role NW-ADMIN

  • OBSERVER_Global - Access group for global access to the role OBSERVER

  • SUPER-ADMIN_Global - Access group for global access to the role SUPER-ADMIN

Use this procedure to define an access group and then assign a user to the access group. You can also assign more than one access group to a user.

Procedure


Step 1

Define an access group.

  1. From the main menu, choose System > Users & Roles > Access Group.

  2. Click Create Access Group to create a new access group.

  3. In the Create Your Access Group window, enter this information:

    • Name: Enter a unique name for the access group.

    • Role: Choose a role from the available list.

    • Scope: Choose the site hierarchy.

      Note


      External users are mapped to the default access group with global scope. This option is not applicable to external users.

  4. Click Next and review the access group composition in the Summary window.

  5. Click Create Access Group.

    In the success message, click the Back to Access Group link to view the newly created access group in the Access Group window.

  6. To edit the access group, choose the access group and click Edit Access Group.

    In the access group slide-in pane, edit the role or site hierarchy and click Save.

Step 2

To assign a user to the access group you created, go to Users & Roles > User Management.

  • To assign the access group to an existing user:
    1. In the User Management window, click the radio button corresponding to the user to whom you want to assign the access group, and then click Edit.

    2. In the Update Internal User slide-in pane, click the Access Group drop-down list and choose the access group.

    3. Click Save.

  • To assign the access group to a new user:
    1. In the User Management window, click Add.

    2. In the Create Internal User slide-in pane, enter the first name, last name, and username.

    3. From the Access Group drop-down list, choose the access group.

    4. Enter the password and then confirm it.

    5. Click Save.


Use case example: assign multiple access groups to an internal user

This sample use case shows how to create three different access groups and assign the access groups to a new internal user, User1.

Username      Access groups
User1         AG1, AG2, AG3

Access group  Role          Scope   Description
AG1           Custom-role1  Global  Access group for global access to the role Custom-role1
AG2           Custom-role2  IN-BGL  Access group for Bangalore site to the role Custom-role2
AG3           Custom-role3  US-SJ   Access group for San Jose site to the role Custom-role3

Before you begin

Only a user with SUPER-ADMIN-ROLE permissions can perform this procedure.

Procedure


Step 1

Define the custom roles Custom-role1, Custom-role2, and Custom-role3.

  1. From the main menu, choose System > Users & Roles > Role Based Access Control.

  2. Click Create a New Role.

  3. If a task overview window opens, click Let’s do it to go directly to the workflow.

  4. In the Create a New Role window, enter a name for the role and then click Next.

  5. In the Define the Access window, click the > icon corresponding to the desired function to view the associated features.

  6. Set the permission level to Deny, Read, or Write for the desired features and click Next.

    If you set the permission level of a feature to Deny, the user to whom you assign this role cannot view this feature in the GUI.

    For dependent features, if you override the recommended permission level settings, a warning message indicating the permission level violation of dependent features is shown in the Summary window.

  7. Review the configuration settings. To make any changes, click Edit.

  8. Click Create Role.

Step 2

Define the access groups AG1, AG2, and AG3.

  1. From the main menu, choose System > Users & Roles > Access Group.

  2. Click Create Access Group to create a new access group.

  3. In the Create Your Access Group window, enter this information:

    • Name: Enter a unique name for the access group.

    • Role: Choose a role from the available list.

    • Scope: Choose the site hierarchy.

  4. Click Next and review the access group composition in the Summary window.

  5. Click Create Access Group.

    In the success message, click the Back to Access Group link to view the newly created access group in the Access Group window.

  6. To edit the access group, choose the access group and click Edit Access Group.

    In the access group slide-in pane, edit the role or site hierarchy and click Save.

Step 3

Assign the access groups AG1, AG2, and AG3 to a new user, User1.

  1. Navigate to Users & Roles > User Management.

  2. In the User Management window, click Add.

  3. In the Create Internal User slide-in pane, enter the first name, last name, and username.

  4. From the Access Group drop-down list, choose the access groups.

  5. Enter the password and then confirm it.

  6. Click Save.


Use case example: assign multiple access groups to an external user

This sample use case shows how to create three different access groups and assign the access groups to an external user, User-ise, created in Cisco ISE.

Username      Access groups
User-ise      AG4, AG5, AG6

Access group  Role          Scope   Description
AG4           Custom-role4  Global  Access group for global access to the role Custom-role4
AG5           Custom-role5  IN-BGL  Access group for Bangalore site to the role Custom-role5
AG6           Custom-role6  US-SJ   Access group for San Jose site to the role Custom-role6

Before you begin

Only a user with SUPER-ADMIN-ROLE permissions can perform this procedure.

Procedure


Step 1

Define the custom roles Custom-role4, Custom-role5, and Custom-role6.

  1. From the main menu, choose System > Users & Roles > Role Based Access Control.

  2. Click Create a New Role.

  3. If a task overview window opens, click Let’s do it to go directly to the workflow.

  4. In the Create a New Role window, enter a name for the role and then click Next.

  5. In the Define the Access window, click the > icon corresponding to the desired function to view the associated features.

  6. Set the permission level to Deny, Read, or Write for the desired features and click Next.

    If you set the permission level of a feature to Deny, the user to whom you assign this role cannot view this feature in the GUI.

    For dependent features, if you override the recommended permission level settings, a warning message indicating the permission level violation of dependent features is shown in the Summary window.

  7. Review the configuration settings. To make any changes, click Edit.

  8. Click Create Role.

Step 2

Define the access groups AG4, AG5, and AG6.

  1. From the main menu, choose System > Users & Roles > Access Group.

  2. Click Create Access Group to create a new access group.

  3. In the Create Your Access Group window, enter this information:

    • Name: Enter a unique name for the access group.

    • Role: Choose a role from the available list.

    • Scope: Choose the site hierarchy.

  4. Click Next and review the access group composition in the Summary window.

  5. Click Create Access Group.

    In the success message, click the Back to Access Group link to view the newly created access group in the Access Group window.

  6. To edit the access group, choose the access group and click Edit Access Group.

    In the access group slide-in pane, edit the role or site hierarchy and click Save.

Step 3

Define the access groups AG4, AG5, and AG6 on the Cisco ISE server and assign them to the external user User-ise.

For more information, see Configure external authentication.


Impact of SRBAC on Catalyst Center features

The behavior of Catalyst Center features depends on the user role and site specified in the access group.

Table 2. SRBAC effect on Catalyst Center features

Columns of the original table: Feature and Effect of SRBAC. Each feature name below is followed by its sub-feature, where there is one, and the effect of SRBAC on it.

Discovery

Discovery job

  • Discovery jobs created by a site user are visible only to users within the site user's access group and its parent site hierarchy access group.

  • A parent site hierarchy user has the ability to rerun discovery jobs that were initially created by a child site hierarchy user.

  • The devices discovered are limited to those accessible to the user initiating the discovery.

Note


The results of the discovery jobs might differ if performed by two users due to differences in their access group site hierarchies.

Global Credentials

  • Credentials created by any site administrator are accessible to all site users in read-only mode.

  • Credentials can only be edited or deleted by the user who created them or by super users within the same hierarchy, provided they have write access.

Inventory

Add device

  • Devices added by a site user will be visible only to users in the site user's access group and its parent site hierarchy access group.

  • If a device is added by a user with a parent site hierarchy access group, it is not visible to users in the child site hierarchy access groups.

  • If a child site hierarchy user tries to re-add or import the same device, an error will occur stating that the device already exists, even though the user cannot view the device in their inventory.

Topology

Shared custom view layouts

  • Custom views created by lower-level access groups are accessible by higher-level access groups, but the reverse is not permitted.

  • Users can view only the devices and site hierarchy associated with their access group.

Plug and Play

Visibility rules by method of adding the device:

Plug and Play discovery

Initially visible to all users. After the device is claimed to a site, the discovered device is visible only to access group users of that site and to parent site hierarchy access group users.

Add plug and play device manually

Visible only to access group users and parent site hierarchy access group users.

Add a device from Cisco Smart Account

Visible only to the access group users and parent site hierarchy access group users who added the devices.

Claim device to a site

  • When a device is claimed to a site in plug and play, it is visible to access group users of that site hierarchy and of its parent site hierarchy.

  • The device's plug and play history is visible to all users in the site access group, irrespective of any prior access groups of the device.

  • All plug and play workflows associated with the device are assigned to the site hierarchy to which the device was claimed.

After a device has been onboarded through plug and play and added to inventory, if the device is assigned to a different site, the device record in plug and play is updated with the siteHierarchyId of the new site and the device becomes visible to access group users of the new site.

RMA and Network Refresh

  • Users associated with an access group can mark and unmark devices belonging to their own access group or a lower-level access group for replacement or refresh.

  • To mark a fabric device as faulty, the user must have access to all of its neighbor devices.

  • After a user marks a device for replacement or refresh, users from the same access group or a higher-level access group can trigger the replacement workflow.

  • Users associated with the access group can schedule the workflow. Users from higher-level access groups can modify or cancel the workflow.

Tagging

Tags created by site users will be visible to all the other site users. However, editing of tags such as renaming and changing dynamic rules can be done only by the access group users who created the tags.

Licensing

The Licensing and System Settings permission sets cannot be assigned to site-scoped (non-global) access groups if they are configured with Read/Write access. For a site-scoped user, licensing and system settings pages will not be visible.

Network Settings

  • Site profiles can be edited or deleted only from the access groups in which they were created, but sites can be assigned to any profile in the system.

  • AAA/ISE server settings are global and can be created, edited, or deleted only by users whose access group is scoped to the global site.

  • All wireless settings, such as SSIDs and RF profiles, are global and can be created only by users whose access group is scoped to the global site.

  • A user whose access group is scoped to a specific site can override the settings for that site.

Wireless controller provision

Managed AP Location

  • A site user can choose the Managed AP Location based on the site associated with the access group.

  • Catalyst Center validates accessibility for both the wireless controller location and the managed AP location.

  • To provision a wireless controller with multiple managed AP locations, the user must have access to a site that is a parent site of all the managed AP locations.

    For example, if the network hierarchy includes Area1 (parent site) with Sub-area1 and Sub-area2 (child sites), then to provision a wireless controller that manages APs in Sub-area1 and Sub-area2, the user must have access to Area1.

    If the site user has access to only Sub-area1 or Sub-area2, provisioning fails.

AP provision

  • An access group user can provision APs to the sites associated with the access group.

  • AP provisioning is allowed based on the user's access to the AP's associated controller, its physical location, and its managed AP location.

  • The user must have access to the AP's associated controller and its managed locations.

  • The user must also have access to the AP's secondary controller and its managed locations.

Certificate

Certificates are associated with a specific site or access group. An access group user can view only the certificates of devices assigned to the site associated with the access group.

Rogue and aWIPS

  • Only users with global site access can enable or disable the Rogue and aWIPS feature from the Rogue Overview dashboard.

  • The Threats table in the Overview dashboard shows only the rogues that are strongly detected by APs in the sites owned by the logged-in user; that is, the Detecting AP site in the table must be one of the sites owned by the logged-in user.

  • Wireless rogue containment is allowed only if the user can access the strongest detecting wireless controller for that rogue.

    Wired rogue containment is allowed only if the user can access the switch where the rogue is detected.

  • Access group users with access to the global site can create or remove MAC addresses in the Allowed List.

  • Users can view all profiles created by others. However, users can edit, delete, or assign a site only if they own all the sites that are part of the profile. If they do not own all of those sites, only read-only details are displayed when they click the profile name.

aWIPS profile configuration

  • Any admin can create the profile but can only map it to the devices under the sites they own.

  • Editing or deleting a mapped profile is allowed only if the user has access to all the wireless controllers mapped to that profile. If the user has mapped a profile to a device and the device is later moved to a site that the user cannot access, the user can no longer edit or delete that profile.

  • In the profile assignment screen, only the devices which are accessible to the current user will be displayed.

SD-Access

REP

A REP ring created by a site user is visible to:

  • Users in the site user's access group

  • Users in the parent site's hierarchy access group, and

  • Users in the access group that is the closest common parent of all ring members in the site hierarchy.

PRP

  • A user with access to both the LAN-A and LAN-B fabric sites can configure and view PRP.

  • A user with access to only the LAN-A site sees partial data, along with a banner message indicating limited access.

MRP

  • A user with access to all ring members can see the complete MRP ring details.

  • A user with access to only some of the ring members sees partial data, along with a banner message indicating limited access.
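The site hierarchy rules in this table (inventory visibility to the owner's group and its parents, the Managed AP Location parent-site check, and REP ring visibility) can be modeled in a few lines. The following Python is an added illustration, not Catalyst Center code; the sites Global, Area1, Sub-area1, Sub-area2, and Area2 are a constructed hierarchy, and users are represented only by the sites their access groups are scoped to.

```python
from typing import Iterable, List

# Constructed site hierarchy (not from any real deployment): site -> parent.
PARENT = {
    "Global": None,
    "Area1": "Global",
    "Sub-area1": "Area1",
    "Sub-area2": "Area1",
    "Area2": "Global",
}


def ancestors(site: str) -> List[str]:
    """Return the site followed by each of its parents up to Global."""
    chain = []
    while site is not None:
        chain.append(site)
        site = PARENT[site]
    return chain


def in_scope(user_sites: Iterable[str], target: str) -> bool:
    """An access group scoped to site S covers S and everything below it, so
    the target is in scope when one of the user's sites is the target itself
    or one of its ancestors. Child-scoped users never see parent objects."""
    return any(s in ancestors(target) for s in user_sites)


def device_visible(owner_site: str, viewer_sites: Iterable[str]) -> bool:
    """Inventory / Discovery rule: an object created by a user scoped to
    owner_site is visible to that access group and its parent hierarchy."""
    return in_scope(viewer_sites, owner_site)


def closest_common_parent(sites: Iterable[str]) -> str:
    """Lowest site whose subtree contains every given site."""
    chains = [ancestors(s) for s in sites]
    for candidate in chains[0]:
        if all(candidate in chain for chain in chains):
            return candidate
    return "Global"


def can_provision_wlc(user_sites: Iterable[str],
                      managed_ap_locations: Iterable[str]) -> bool:
    """Managed AP Location rule: provisioning a controller that manages APs in
    several locations needs access to a site that is a parent of all of them,
    which is access to their closest common parent (or a site above it)."""
    return in_scope(list(user_sites), closest_common_parent(managed_ap_locations))


def rep_ring_visible(creator_site: str, member_sites: Iterable[str],
                     viewer_sites: Iterable[str]) -> bool:
    """REP rule: the ring is visible to the creator's access group, to the
    creator's parent hierarchy, and to the access group at the closest common
    parent of all ring members."""
    viewer = list(viewer_sites)
    return (in_scope(viewer, creator_site)
            or closest_common_parent(member_sites) in viewer)


if __name__ == "__main__":
    # The Area1 / Sub-area1 / Sub-area2 case described in the table.
    print(can_provision_wlc(["Area1"], ["Sub-area1", "Sub-area2"]))      # True
    print(can_provision_wlc(["Sub-area1"], ["Sub-area1", "Sub-area2"]))  # False
```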

Configure external authentication

If you are using an external server for authentication and authorization of external users, you should enable external authentication in Catalyst Center.

Before you begin

  • Only a user with SUPER-ADMIN-ROLE permissions can perform this procedure. For more information, see About user roles.

  • You must configure at least one authentication server.

  • For SRBAC, you must define the access group on the Cisco ISE server.

    Configure the Cisco ISE server in the same way that roles are configured in Catalyst Center. For example, <AAA attribute name>=rds=<comma-separated list of rd names>. The first rd can be treated as the default access group profile.


Note

If Catalyst Center is deployed on a physical appliance, review this note.

When external authentication is enabled, Catalyst Center does not fall back to local users if the AAA server is unreachable or the AAA server rejects an unknown username.

By default, external authentication fallback is enabled, and it is supported only for local admin users. With fallback enabled, local admins can log in to Catalyst Center.

To re-enable external authentication fallback, SSH to the Catalyst Center instance and enter this CLI command:

magctl rbac external_auth_fallback enable

Procedure


Step 1

From the main menu, choose System > Users & Roles > External Authentication.

Step 2

To enable external authentication in Catalyst Center, check the Enable External User check box.

Step 3

(Optional) Configure the AAA attribute.

For TACACS authentication, the following AAA attributes are supported:

    Catalyst Center    TACACS
    Empty              cisco-av-pair
    cisco-av-pair      cisco-av-pair
    Cisco-AVPair       Cisco-AVPair

For RADIUS authentication, the following AAA attributes are supported:

    Catalyst Center    RADIUS
    Empty              cisco-av-pair
    Cisco-AVPair       cisco-av-pair

  1. In the AAA Attribute field, enter the appropriate attribute for your use case, as described in the preceding tables. The default value of the AAA Attribute field is null.

  2. Click Update.
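As an added illustration (not Catalyst Center or Cisco ISE code), the following Python parses the attribute-value pairs an AAA server returns for an external user, in the two formats this page describes (ROLE=<role> for the RBAC role and rds=<comma-separated rd names> for SRBAC access groups, with the first rd as the default), and rejects roles Catalyst Center does not define. The name normalisation that treats cisco-av-pair and Cisco-AVPair as the same attribute is an assumption drawn from the tables above; the sample pairs are constructed.

```python
from dataclasses import dataclass, field
from typing import Iterable, List, Optional

KNOWN_ROLES = {"SUPER-ADMIN-ROLE", "NETWORK-ADMIN-ROLE", "OBSERVER-ROLE"}


def _norm(name: str) -> str:
    """Normalise an attribute name so that cisco-av-pair and Cisco-AVPair
    (the spellings in the Step 3 tables) compare equal. This is an assumption
    of the example, not documented Catalyst Center behaviour."""
    return name.strip().lower().replace("-", "")


@dataclass
class ExternalAuthz:
    role: Optional[str] = None                          # from ROLE=...
    access_groups: List[str] = field(default_factory=list)  # from rds=...

    @property
    def default_access_group(self) -> Optional[str]:
        """The first rd is treated as the default access group profile."""
        return self.access_groups[0] if self.access_groups else None


def parse_av_pairs(pairs: Iterable[str],
                   attribute_name: Optional[str] = None) -> ExternalAuthz:
    """Parse strings of the form '<attr>=<key>=<value>' into an ExternalAuthz.

    attribute_name is the value of the Catalyst Center AAA Attribute field;
    an empty value ("Empty" in the tables) means cisco-av-pair.
    """
    wanted = _norm(attribute_name or "cisco-av-pair")
    result = ExternalAuthz()
    for raw in pairs:
        attr, sep, rest = raw.partition("=")
        if not sep or _norm(attr) != wanted:
            continue                      # some other attribute; ignore it
        key, sep, value = rest.partition("=")
        if not sep:
            continue                      # no key=value part; ignore it
        key, value = key.strip().lower(), value.strip()
        if key == "role":
            role = value.upper()
            if role not in KNOWN_ROLES:
                raise ValueError(f"unknown Catalyst Center role: {value!r}")
            if result.role not in (None, role):
                raise ValueError("conflicting ROLE values in AAA response")
            result.role = role
        elif key == "rds":
            # Comma-separated list of rd (access group) names; order matters
            # because the first one is the default access group.
            result.access_groups = [g.strip() for g in value.split(",")
                                    if g.strip()]
    return result


if __name__ == "__main__":
    # Constructed sample of what ISE might return for the User-ise example.
    sample = ["Cisco-AVPair=ROLE=NETWORK-ADMIN-ROLE",
              "cisco-av-pair=rds=AG4,AG5,AG6"]
    print(parse_av_pairs(sample))
```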

Step 4

(Optional) Configure the AAA server or servers.

Configure these settings only if you want to swap the current primary or secondary AAA servers or define different AAA servers. From the main menu, choose System > Settings > External Services > Authentication and Policy Servers to open the Authentication and Policy Servers window.

  1. From the Primary AAA Server IP Address drop-down list, choose the IP address of one of the preconfigured AAA servers.

  2. From the Secondary AAA Server IP Address drop-down list, choose the IP address of one of the preconfigured AAA servers.

  3. (Optional) If you are using a Cisco ISE server, you can update the settings, if necessary.

    For information about Cisco ISE policies, see "Segmentation" in the Cisco Identity Services Engine Administrator Guide.

    Table 3. Cisco ISE server settings
    Name Description

    Shared Secret

    Key for device authentications. The shared secret can contain up to 100 characters.

    The shared secret must be provided before the AAA address can be updated.

    Username

    Name that is used to log in to the Cisco ISE CLI.

    Password

    Password for the Cisco ISE CLI username.

    FQDN

    Fully qualified domain name (FQDN) of the Cisco ISE server. The FQDN consists of two parts, a hostname and the domain name, in the following format:

    hostname.domainname.com

    For example, the FQDN for a Cisco ISE server might be ise.cisco.com.

    Subscriber Name

    A unique text string—for example, acme—that is used during Catalyst Center-to-Cisco ISE integration to set up a new pxGrid client in Cisco ISE.

    Virtual IP Address(es)

    Virtual IP address of the load balancer behind which the Cisco ISE policy service nodes (PSNs) are located. If you have multiple PSN farms behind different load balancers, you can enter a maximum of six virtual IP addresses.

  4. (Optional) To update advanced settings, click View Advanced Settings and update the settings, if necessary.

    Table 4. AAA server advanced settings
    Name Description

    Protocol

    TACACS or RADIUS.

    Authentication Port

    Port used to relay authentication messages to the AAA server.

    • For RADIUS, the default is UDP port 1812.

    • For TACACS, the port is 49 and can’t be changed.

    Accounting Port

    Port used to relay important events to the AAA server. The information in these events is used for security and billing purposes.

    • For RADIUS, the default UDP port is 1813.

    • For TACACS, the port is 49 and can’t be changed.

    Retries

    Number of times that Catalyst Center can attempt to connect with Cisco ISE.

    Timeout

    Length of time that Catalyst Center waits for Cisco ISE to respond. The maximum timeout value is 60 seconds.

  5. Click Update.


Two-factor authentication

Two-factor authentication, also known as 2FA, adds another layer of security to user verification by using an identifier method in addition to a user's name and password. The identifier method is generally something that only the actual intended user possesses (such as a phone app or keyfob) and is intentionally separated from the original login method.

The Catalyst Center implementation of two-factor authentication supports the use of a token client (that generates single-use token codes after the appropriate PIN is entered), a token server (that validates token codes), and an authentication server to manage user access. Authentication can be handled using either the RADIUS or TACACS+ protocol.

Prerequisites for two-factor authentication

The following prerequisites must be in place to set up two-factor authentication for use with Catalyst Center:

  • An authentication server that is able to return attribute-value pairs to convey RBAC role authorizations for authenticated Catalyst Center users. In our example, we use Cisco Identity Services Engine (Cisco ISE) 2.3 Patch 1.

  • A two-factor token server that you will integrate with your authentication server. In our example, we use RSA Authentication Manager 7.2.

  • A token card application on the client’s machine that generates software tokens. In our example, we use RSA SecurID Software Token.

Two-factor authentication workflow

Here is a summary of what happens when a user logs in to a Catalyst Center appliance on which two-factor authentication has been configured:

  1. In an RSA SecurID token client, a user enters their PIN to get a token code.

  2. In the Catalyst Center login page, they enter their username and token code.

  3. Catalyst Center sends the login request to Cisco ISE using either the RADIUS or TACACS+ protocol.

  4. Cisco ISE sends the request to the RSA Authentication Manager server.

  5. RSA Authentication Manager validates the token code and informs Cisco ISE whether the user has been authenticated successfully.

  6. If the user has been authenticated, Cisco ISE matches the authenticated user with their configured authorization profile and returns the role=NETWORK-ADMIN-ROLE attribute-value pair.

  7. Catalyst Center grants access to the features and pages associated with the user's role-based access control (RBAC) role.

Configure two-factor authentication

To configure two-factor authentication on your Catalyst Center appliance, complete the following procedure.

Procedure


Step 1

Integrate RSA Authentication Manager with Cisco ISE:

  1. In RSA Authentication Manager, create two users: cdnac_admin (for the Admin user role) and cdnac_observer (for the Observer role).

    For more information, see the "Add a User to the Internal Database" topic in the RSA Self-Service Console Help. To access this topic, do the following:

    1. Open the RSA Self-Service Console Help.

    2. In the Search help field, enter Add a User to the Internal Database and then click Search help.

  2. Create a new authentication agent.

    For more information, see the "Add an Authentication Agent" topic in the RSA Self-Service Console Help.

  3. Generate the Authentication Manager agent configuration file (sdconf.rec):

    1. From the RSA Security Console, choose Access > Authentication Agents > Generate Configuration File.

      The Configure Agent Timeout and Retries tab opens.

    2. For the Maximum Retries and Maximum Time Between Each Retry fields, use the default values.

    3. Click Generate Configuration File.

      The Download Configuration File tab opens.

    4. Click the Download Now link.

    5. When prompted, click Save to Disk to save a local copy of the zip file.

    6. Unzip the file and use this version of the sdconf.rec file to overwrite the version that is currently installed on the agent.

  4. Generate a PIN for the cdnac_admin and cdnac_observer users that you created in Step 1a.

    For more information, see the "Create My On-Demand Authentication PIN" topic in the RSA Self-Service Console Help.

  5. Start Cisco ISE, choose Administration > Identity Management > External Identity Sources > RSA SecurID, and then click Add.

  6. In the RSA SecurID Identity Sources page, click Browse, choose the sdconf.rec file you downloaded, and then click Open.

  7. Check the Reauthenticate on Change PIN check box, then click Submit.

Step 2

Create two authorization profiles, one for the Admin user role and one for the Observer user role.

  1. In Cisco ISE, choose Policy > Policy Elements > Results > Authorization > Authorization Profiles.

  2. For both profiles, enter the following information:

    • Name: Enter the profile name.

    • Access Type: Choose ACCESS_ACCEPT.

    • Advanced Attributes Settings area: Choose Cisco:cisco-av-pair from the first drop-down list.

      If you are creating an authorization profile for the Admin user role, choose Role=NETWORK-ADMIN-ROLE from the second drop-down list.

      If you are creating an authorization profile for the Observer user role, choose Role=OBSERVER-ROLE from the second drop-down list.

Step 3

Create an authentication policy for your Catalyst Center appliance.

In the Cisco Identity Services Engine Administrator Guide, see the "Configure Authentication Policies" topic.

Step 4

Create two authorization policies, one for the Admin user role and one for the Observer user role.

In the Cisco Identity Services Engine Administrator Guide, see the "Configure Authorization Policies" topic.

Step 5

In the RSA Authentication Manager Security Console, verify that software tokens have been assigned to both users.

For more information, see the "View a Token" topic in the RSA Self-Service Console Help.

Note

If you need to assign tokens, complete the steps described in the "Assign a Software Token to a User" topic.


Enable two-factor authentication using RADIUS

To enable two-factor authentication that uses a Cisco ISE server configured for RADIUS, complete the following procedure:

Procedure

Step 1

Integrate Cisco ISE with Catalyst Center.

In the Catalyst Center Installation Guide, see the "Integrate Cisco ISE with Catalyst Center" topic.

Step 2

Configure Catalyst Center to use your Cisco ISE server for authentication.

See Configure External Authentication.

Important

Ensure that you specify the same shared secret for both Cisco ISE and Catalyst Center.


Enable two-factor authentication using TACACS+

To enable two-factor authentication that uses a Cisco ISE server configured for TACACS+, complete the following procedure:

Procedure

Step 1

In Cisco ISE, choose Administration > Network Resources > Network Devices to open the Network Devices window.

Step 2

Click TACACS Authentication Settings to view its contents. Ensure that a shared secret has already been configured for the Catalyst Center device that you added previously.

Step 3

Choose Work Centers > Device Administration > Policy Elements to open the TACACS Profiles window.

Step 4

Create TACACS+ profiles for the example_admin and example_observer user roles:

  1. Click Add.

  2. Complete the following tasks:

    • Enter the profile name.

    • After clicking the Raw View tab, enter the following text into the Profile Attributes text box:

      • For the example_admin user role, enter Cisco-AVPair=ROLE=NETWORK-ADMIN-ROLE

      • For the example_observer user role, enter Cisco-AVPair=ROLE=OBSERVER-ROLE

  3. Click Save.

Step 5

Integrate Cisco ISE with Catalyst Center.

In the Catalyst Center Installation Guide, see the "Integrate Cisco ISE with Catalyst Center" topic.

Step 6

Configure Catalyst Center to use your Cisco ISE server for authentication.

See Configure External Authentication.

Important

Ensure that you specify the same shared secret for both Cisco ISE and Catalyst Center.


Log in using two-factor authentication

To log in to Catalyst Center using two-factor authentication, complete the following procedure:

Procedure


Step 1

From the Catalyst Center login page, enter the appropriate username.

Step 2

Open the RSA SecurID token client and enter the PIN you configured previously to generate a one-time token.

Step 3

Copy this token and paste it into the Password field of the Catalyst Center login page.

Step 4

Click Log In.


Display external users

You can view the list of external users who have logged in through RADIUS or TACACS for the first time. The information that is displayed includes their usernames and roles.

Procedure


Step 1

From the main menu, choose System > Users & Roles > External Authentication.

Step 2

Scroll to the bottom of the window, where the External Users area lists the external users.