Managing User Access

This section has the following topics for managing users and roles in IoT FND:

blank.gifManaging the Password Policy

blank.gifConfiguring Remote Authentication

blank.gifManaging Roles

blank.gifManaging Users

All user management actions are accessed through the Admin > Access Management menu (Admin Menu).

Figure 1 Admin Menu

 

421749.jpg

Managing the Password Policy

IoT FND provides default password policy values that you can enforce among IoT FND users.

Note: To modify these values, you must be logged in either as root or as a user with Administrative Operations permissions.

Caution: In some cases, changing password policies immediately terminates all user sessions and resets all passwords.

Note: The “Password history size” and “Max unsuccessful login attempts” policies do not apply to IoT FND North Bound API users.

These changes invalidate all user sessions and expire their passwords (including the root user):

blank.gifWhen you increase the minimum length of passwords

blank.gifWhen you decrease the password expiry interval

blank.gifWhen you enable “ Password cannot contain username or reverse of username

blank.gifWhen you enable “ Password cannot be cisco or ocsic (cisco reversed)

blank.gifWhen you enable “ No character can be repeated more than three times consecutively in the password

blank.gifWhen you enable “ Must contain at least one character from all the character sets (upper-case, lower-case, digits and special characters)

To edit password policies:

1.blank.gif Choose ADMIN > Access Management > Password Policy.

 

347148.tif

2.blank.gif To enable or disable a policy, choose the appropriate option (Enabled or Disabled) from the Status drop-down menu.

3.blank.gif To modify the value of a policy, if applicable, enter the new value in the Value field.

Note: IoT FND supports a maximum password length of 32 characters.

4.blank.gif Click Save to start enforcing the new policies.

Note: The password policy you configure in IoT FND applies only to local users and not to remote Active Directory (AD) users. The password policy for AD users is determined and enforced by the AD admin.

Configuring Remote Authentication

To configure remote authentication for IoT FND, you need to perform configurations steps in Active Directory (AD) and IoT FND.

blank.gifSupport for Remote Authentication

blank.gifConfiguring Remote Authentication in AD

blank.gifConfiguring Security Policies on the RADIUS Server

blank.gifConfiguring Remote Authentication in IoT FND

blank.gifEnabling and Disabling Remote User Accounts

blank.gifDeleting Remote User Accounts

blank.gifLogging In to IoT FND Using a Remote User Account

Support for Remote Authentication

With Remote Authentication, it is easier to integrate IoT FND into an existing AD and Network Policy Server (NPS) infrastructure. This allows administrators to configure IoT FND access for users in AD.

When you configure remote authentication in IoT FND, it hands over the authentication and authorization responsibility to AD and NPS. AD performs user authentication to check the validity of user credentials. The RADIUS server performs user authorization to check whether a user belongs to a group that defines the user role. If so, the server returns the role name to IoT FND.

 

347334.eps

The following is the flow of user authentication and authorization by AD and NPS:

1.blank.gif The user enters their credentials.

blank.gifIf user was created locally on the NMS server, authentication and authorization occurs locally.

blank.gifIf IoT FND determines that the user is a remote user, authentication and authorization occurs on the configured RADIUS server.

blank.gifIf remote authentication is not configured, authentication fails and user is denied access.

2.blank.gif For remote users, if authentication and authorization are successful, the assigned user role returns to the NMS server from the RADIUS server.

3.blank.gif If the role that returns is valid, the user is granted access.

Note: When remote authentication is enabled, user management is done in AD. If an AD user logs in who was deleted from IoT FND, their profile is added back to IoT FND. To prevent access to IoT FND, their AD user profiles must first be deleted from AD.

Configuring Remote Authentication in AD

To configure AD to allow IoT FND to remotely authenticate users:

1.blank.gif Log in to NPS.

2.blank.gif Add IoT FND as a radius client on the RADIUS server.

Provide a friendly name, and IP address or DNS name of the IoT FND server and configure the shared secret that IoT FND uses to connect to the RADIUS server.

 

347319.tif

An entry for the RADIUS client appears under RADIUS Clients and Servers.

 

347318.tif

3.blank.gif Log in to AD and create an organizational unit.

Cisco recommends that you create all security groups (IoT FND roles) within this organizational unit.

 

347328.tif

4.blank.gif Add security groups corresponding to IoT FND roles to the organizational unit.

The following example shows the security groups defined in the NMS_ROLES organizational unit.

 

347320.tif

Tip: When creating the security groups, ensure that they map one-to-one to IoT FND roles (that is, every role defined in IoT FND maps to only one AD security group). The name of the security group does not have to match a role name in IoT FND, but for organizational purposes, Cisco recommends using names that correlate the security group name to a IoT FND role.

Note: You cannot create or assign the IoT FND root role in AD.

 

347335.eps

5.blank.gif Assign AD users a role by adding them to the security group mapping to that role.

Since, users can only belong to one security group, the IoT FND role that the user is assigned after log in is dependent on their assigned AD security group.

Tip: In AD, users cannot be assigned multiple IoT FND roles, and cannot belong to multiple security groups. To assign permissions from more than one role to a group of users, create a new IoT FND role with the required permissions, and a create the corresponding AD security group. Users in this new group can then carry out the tasks allowed by this role.

 

347316.tif

6.blank.gif Configure the Dial-in Network Access Permission to use the NPS Network Policy.

 

347317.tif

Configuring Security Policies on the RADIUS Server

To authorize users for IoT FND access, configure security policies for the RADIUS server.

To configure security policies on the RADIUS server, follow these steps:

1.blank.gif Create a network policy for each security group you created in AD.

2.blank.gif Configure the policy as follows:

a.blank.gif In the Overview pane, define the policy name, enable it, and grant access permissions.

 

347320.tif

b.blank.gif Click the Conditions tab, select the User Groups condition, and click Add.

 

347322.tif

The User Groups condition specifies that the connecting user must belong to the selected group. For this policy to pass, the user being authorized must belong to the user group configured in this policy.

c.blank.gif In the User Groups window, click Add Groups.

 

347323.tif

d.blank.gif In the Select Group window, enter the name of the group

e.blank.gif Click OK to close the Select Group dialog box, and then click OK to close the User dialog box.

 

347324.tif

f.blank.gif Click Cancel to close the Select condition window.

The condition appears in the Conditions pane.

 

347321.tif

g.blank.gif Click the Settings tab, and then click Add to display the Attribute Information window.

 

347331.tif

h.blank.gif Click Add to define a Vendor Specific Attribute (VSA) that is sent to IoT FND (RADIUS client) after the user credentials and security group membership are verified.

The VSA to configure is:

blank.gifAttribute Name: Cisco-AV-Pair

blank.gifAttribute number: 5000

blank.gifAttribute format: String.

blank.gifAttribute value: Enter the attribute value to send to IoT FND.

 

347326.tif

Note: The string entered in the Attribute value field must be the exact string listed in the Radius Server VSA column on the Roles page in IoT FND (ADMIN >blank.gif Access Management > Roles).

 

347329.tif

i.blank.gif Click OK.

 

347325.tif

The VSA attribute appears in the Settings pane.

 

347327.tif

j.blank.gif Click OK.

Configuring Remote Authentication in IoT FND

You enable remote user authentication and configure RADIUS server settings on the Remote Authentication page (Admin > Access Management > Remote Authentication).

To configure remote authentication:

1.blank.gif Choose ADMIN > Access Management > Remote Authentication.

2.blank.gif Check the Enable Remote Authentication check box.

3.blank.gif Enter this information about the RADIUS server:

Field
Description

IP

The IP address of the RADIUS server.

Radius Server Description

A descriptive name of the RADIUS server.

Shared Secret

The shared secret you configured on the RADIUS server.

Confirm Shared Secret

Authentication Port

The RADIUS server port that IoT FND uses to send request to. The default port is 1812.

Accounting Port

The RADIUS server accounting port. The default port is 1813.

Retries

The number of times to send a request to the RADIUS server before IoT FND times out and remote authentication fails because no response was received from the RADIUS server.

Timeout (seconds)

The number of seconds before IoT FND times out and remote authentication fails because no response was received from the RADIUS server.

4.blank.gif To ensure that IoT FND can reach the RADIUS server, click Test Connectivity.

a.blank.gif Enter your Remote (AD) username and password.

b.blank.gif Click Submit.

The results of the configuration test displays.

c.blank.gif Click OK.

5.blank.gif Click Save when done.

Enabling and Disabling Remote User Accounts

In IoT FND you cannot enable or disable remote AD user accounts. To enable or disable remote AD user accounts, use your AD server.

Deleting Remote User Accounts

In IoT FND, you can delete remote user accounts. However, this only removes the user from the IoT FND Users page (ADMIN > Access Management > Users); it does not delete the user account from AD. If a deleted user logs in to IoT FND and AD authentication is successful, an entry for the user is added to the IoT FND Users page.

Logging In to IoT FND Using a Remote User Account

Logging in to IoT FND using a remote AD user account is transparent to the user. In the background, IoT FND checks whether the account is local, and for remote users sends an authentication request to the RADIUS server configured on the Remote Authentication page (ADMIN > Access Management > Remote Authentication). If both authentication and authorization are successful, IoT FND adds an entry for the user in the Users page (ADMIN > Access Management > Users).

Unlike entries for local users on the Users page, the user name filed in remote user entries is not a link. You cannot click the name of a remote user to obtain more information about the user.

Note: Remote users cannot be managed through IoT FND. If a remote user wants to update their password, they must use their organization’s AD password update tool. Remote users cannot update their password using IoT FND.

Managing Roles

Use roles to assign permissions based on the role or roles a user plays. Roles define the type of tasks IoT FND users can perform. This section has the following topics:

blank.gifAdding Roles

blank.gifDeleting Roles

blank.gifEditing Roles

blank.gifViewing Roles

IoT FND lets you assign a role to any user (ADMIN >Access Management > Roles). The operations the user can perform are based on the permissions enabled for the role. The following topics are discussed in this section:

blank.gifBasic User Permissions

blank.gifSystem-Defined User Roles

blank.gifCustom User Roles

Basic User Permissions

IoT FND User Permissions describes basic IoT FND permissions.

Table 1 IoT FND User Permissions

Permission
Description

Add/Modify/Delete Devices

Allows users to import, remove and change router and endpoint devices.

Administrative Operations

Allows users to perform system administration operations such as user management, role management, and server configuration settings.

Endpoint Configuration

Allows users to edit configuration templates and push configuration to MEs.

Endpoint Firmware Update

Allows users to add and delete firmware images and perform ME firmware update operations.

Endpoint Group Management

Allows users to assign, remove and change devices from ME configuration and firmware groups.

Endpoint Reboot

Allows users to reboot the ME device.

GOS Application Management

Allows uses to add and delete Guest OS applications.

Issue Management

Allows users to close issues.

Label Management

Allows users to add, change, and remove labels.

Manage Device Credentials

Allows users to view router credentials such as WiFi pre-shared key, admin user password, and master key.

Manage Head-End Devices Credentials

Allows users to view the ASR admin NETCONF password.

NBAPI Audit Trail

Allows users to query and delete audit trails using IoT FND NB API.

NBAPI Device Management

Allows users to add, remove, export, and change router and endpoint devices using IoT FND NB API.

NBAPI Endpoint Operations

Allows users to manage endpoint operations using IoT FND NB API.

NBAPI Event Subscribe

Allows users to search events, subscribe and unsubscribe from events (including Outage events) using IoT FND NB API.

NBAPI Reprovision

Allows users to reprovision devices using IoT FND NB API.

NBAPI Rules

Allows users to search, create, delete, activate, and deactivate rules using IoT FND NB API.

NBAPI Search

Allows users to search devices, get device details, group information, and metric history using IoT FND NB API.

Router Configuration

Allows users to edit router configuration templates and push configuration to routers.

Router Firmware Update

Allows users to add and delete firmware images and perform firmware update operations for routers.

Router Group Management

Allows users to assign, remove, and change device assignments to router configuration and firmware groups.

Router Reboot

Allows users to reboot the router.

Rules Management

Allows users to add, edit, activate, and deactivate rules.

Security Policy

Allows users to block mesh devices, refresh mesh keys, and so on.

Tunnel Provisioning Management

Allows users to manage tunnel groups, edit/apply tunnel-related templates, and perform factory reprovisioning.

Work Order Management

Allows users to manage work orders for IoT-DM.

System-Defined User Roles

Note: The system-defined Root role cannot be assigned to users.

System-defined User Roles lists system-defined roles. These roles cannot be modified.

Table 2 System-defined User Roles

Role
Description

Add Devices

This role can add, modify, and delete devices from IoT FND.

Administrator

This role combines these basic permissions:

blank.gifAdministrative Operations

blank.gifLabel Management

blank.gifRules Management

Endpoint Operator

This role combines these basic permissions:

blank.gifLabel Management

blank.gifEndpoint Configuration

blank.gifEndpoint Firmware Update

blank.gifEndpoint Group Management

blank.gifEndpoint Reboot

Monitor Only

This role provides users with read-only access to IoT FND. By default, this role is defined for every user.

North Bound API

This role combines these basic permissions:

blank.gifNB API Audit Trail

blank.gifNB API Device Management

blank.gifNB API Endpoint Operations

blank.gifNB API Event Subscribe

blank.gifNB API Orchestration Service

blank.gifNB API Rules

blank.gifNB API Search

Router Operator

This role combines these basic permissions:

blank.gifLabel Management

blank.gifRouter Configuration

blank.gifRouter Firmware Update

blank.gifRouter Group Management

blank.gifRouter Reboot

Router Operator with Manage Device Creds

This role combines the permissions of a Router Operator with:

blank.gifDevice credential management

Security Policy

This role can manage security policies through IoT FND.

Tunnel Provisioning Management

This role can provision tunnels.

Custom User Roles

In IoT FND you can define custom roles. For each role you create, you can assign it one or more basic user permissions (see IoT FND User Permissions). These permissions specify the type of actions users with this role can perform.

Adding Roles

To add IoT FND user roles:

1.blank.gif Choose ADMIN > Access Management > Roles.

2.blank.gif Click Add.

 

347169.tif

3.blank.gif Enter the name of the role.

4.blank.gif Check the appropriate check boxes to assign permissions.

5.blank.gif Click Save.

6.blank.gif To continue to add roles, click Yes ; otherwise, click No to return to the Roles page.

Deleting Roles

Note: You cannot delete a custom role if it is in use.

To delete IoT FND user roles:

1.blank.gif Choose ADMIN > Access Management > Roles.

2.blank.gif Check the check boxes of the roles to delete.

3.blank.gif Click Delete.

4.blank.gif Click Yes.

5.blank.gif Click OK.

Editing Roles

Note: You cannot edit system-defined roles, but you can edit custom roles.

To edit IoT FND custom roles:

1.blank.gif Choose ADMIN > Access Management > Roles.

2.blank.gif Click the role to edit.

3.blank.gif Make changes to the permission assignments by checking or unchecking the relevant check boxes.

4.blank.gif Click Save.

Viewing Roles

To view IoT FND user roles:

1.blank.gif Choose ADMIN > Access Management > Roles.

 

For every role, IoT FND lists the Users assigned to this role and the RADIUS Server VSA.

2.blank.gif To view permission assignments for the role, click the role link.

Managing Users

This section has the following topics on managing users:

blank.gifResetting Passwords

blank.gifViewing Users

blank.gifAdding Users

blank.gifDeleting Users

blank.gifEnabling Users

blank.gifDisabling Users

blank.gifEditing Users

Resetting Passwords

As the root user of the Linux server on which IoT FND runs, you can reset your password and use the password utility to reset the password for any other IoT FND user.

To reset a password, enter this command:

[root@yourname-lnx1 bin}#./password_admin.sh root
 

IoT FND manages its own user account database; therefore, you must add all new local users from the IoT FND user interface at the Admin > Access Management > Users page. Remote users are automatically added to the database. You can also enable, disable, edit, or delete users on this page.

A user with a disabled account cannot log in until an administrator enables their account. After a user account is active, the user must reset their password. There is no limit to the number of users that you can define on the system other than the available database storage.

Viewing Users

To view IoT FND users, open the Users page (ADMIN > Access Management > Users).

 

IoT FND displays this information about users:

Field
Description

User Name

Specifies the user name.

Default Domain

Shows the default domains for each user.

Enabled

Indicates whether the user account is enabled.

Time Zone

Specifies the user’s time zone.

Roles

Specifies the roles assigned to the user.

Audit Trail

A link to the user’s audit trail.

Remote User

Indicates whether the user account is stored locally. If the value is false, the user account is stored in Active Directory and is accessed via the RADIUS server configured in the Remote Authentication page (ADMIN > Access Management > Remote Authentication).

Adding Users

To add users to IoT FND:

1.blank.gif Choose ADMIN > Access Management > Users.

2.blank.gif Click + icon to Add User.

3.blank.gif Enter the following user information:

Field
Description

User Name

Enter the user name.

New Password

Enter the password. The password must conform to the IoT FND password policy.

Confirm Password

Re-enter the password.

Time Zone

Choose a time zone from the drop-down menu.

4.blank.gif Click Assign Domain and select domains from the panel that opens to assign for the user.

5.blank.gif Click Assign to save the entries.

IoT FND creates a record for this user in the IoT FND database.

6.blank.gif To add the new user, click Disk icon ; otherwise, click X to close the window and return to the Users page.

Note: A new user account is enabled by default. This means that the user can access IoT FND.

You can make future edits to the User entry by selecting the Edit or Delete buttons that appear under the Actions column.

Deleting Users

Deleting user accounts removes user preferences such as the default map location from the system. Disable a user account to temporarily deactivate it.

To delete users from IoT FND:

1.blank.gif Choose ADMIN > Access Management > Users.

2.blank.gif Check the check boxes of the user accounts to delete.

3.blank.gif Click Delete.

4.blank.gif Click Yes to confirm.

5.blank.gif Click OK.

Enabling Users

You must enable the user account for users to access IoT FND. When users log in for the first time, IoT FND prompts them to change their password.

To enable user accounts in IoT FND:

1.blank.gif Choose Admin > Access Management > Users.

2.blank.gif Check the check boxes for the user accounts to enable.

3.blank.gif Click Enable.

4.blank.gif Click Yes.

5.blank.gif Click OK.

Disabling Users

To prevent users from accessing IoT FND, disable their accounts. Disabling user accounts does not delete their records from the IoT FND database.

To disable user accounts in IoT FND:

1.blank.gif Choose Admin > Access Management > Users.

2.blank.gif Check the check boxes for the user accounts to disable.

3.blank.gif Click Disable.

Note: If you disable a user account, IoT FND resets the user password.

4.blank.gif Click Yes.

5.blank.gif Click OK.

Editing Users

To edit user settings in IoT FND:

1.blank.gif Choose Admin > Access Management > Users.

2.blank.gif To edit user credentials:

a.blank.gif Click the user name link.

b.blank.gif Edit the role assignments.

c.blank.gif Click Save.