Configure Authentication

This chapter describes the procedures to create users and configure authentication.

Understand Authentication

Authentication is a way of identifying a user before permitting access to the network and network services. When Authentication is enabled, the network access server uses information retrieved from the user's profile, which is located either in the local user database or on the security server, to configure the user's session. Once this is done, the user will be granted access to a requested service only if the information in the user profile allows it. Cisco NCS 4000 series uses the RADIUS/TACACS+ server for authenticating remote users.

RADIUS

Remote Authentication Dial In User Service (RADIUS) is a networking protocol that provides centralized authentication, authorization, and accounting (AAA) management for users who connect and use a network service. RADIUS is a client/server protocol that runs in the application layer that uses User Datagram Protocol (UDP) for transport.

The RADIUS server process runs in background on a UNIX or Microsoft Windows server and client would be the Cisco network element (NE). RADIUS clients run on Cisco routers and sends the authentication requests to a central RADIUS server that contains all the user authentication and network service access information.

TACACS+

Terminal Access Controller Access-Control System Plus (TACACS+) is a new protocol developed by Cisco and released as an open standard. TACACS+ uses TCP for transport. TACACS+ protocol is a security application that provides centralized validation of users attempting to gain access to a network element. Since, TCP is connection oriented protocol, TACACS+ does not have to implement transmission control. RADIUS, however, does have to detect and correct transmission errors like packet loss, timeout and others, as it rides on UDP that is connectionless. RADIUS encrypts only the user password as it travels from the RADIUS client to RADIUS server. All other information, for example, username, authorization, and accounting are transmitted in clear text. Therefore, it is vulnerable to various types of attacks. TACACS+ encrypts all the information mentioned above and therefore does not have the vulnerabilities present in the RADIUS protocol.

NTP-G23 Create Users and Assign Privileges

Purpose

This procedure creates users and assigns their privilege levels.

Tools/Equipment

None

Prerequisite Procedures

Required/As Needed

As needed

Onsite/Remote

Onsite or remote

Security Level

Superuser only

Procedure
    Step 1   Log into the node where you need to create users.
    Note   

    You must log in as a Superuser to create additional users. The root user can be used to set up other users.

    Step 2   Complete the “DLP-G54 Create a New User on a Single Node” task or the “DLP-G55 Create a New User on Multiple Nodes” task as needed.
    Note   

    You must add the same user name and password to each node that a user will access.

    Stop. You have completed this procedure.

    Step 3   Complete the DLP-G282 Viewing and Terminating Active Logins as needed.
    Step 4   If you want to modify the security policy settings, including password aging and idle user timeout policies, complete the NTP-G88 Modify Users and Change Security procedure.

    Stop. You have completed this procedure.

    DLP-G54 Create a Local User on a Single Node Using CTC

    Purpose

    This task creates a local user on a single node.

    Tools/Equipment

    None

    Prerequisite Procedures

    • DLP-G46 Log into CTC

    • "Login to CTC" in System Setup and Software Installation Guide for Cisco NCS 4000 Series

    Required/As Needed

    As needed

    Onsite/Remote

    Onsite or remote

    Security Level

    Superuser only

    Procedure
      Step 1   In node view or network view, click the Provisioning > Security > Users tabs.
      Step 2   In the Users window, click Create.
      Step 3   In the Create User dialog box, enter the following:

      • Name—Type the user name. The user name must be a minimum of six and a maximum of 40 characters (only up to 39 characters for the TACACS and RADIUS authentication). It includes alphanumeric (a-z, A-Z, 0-9) characters and the allowed special characters are @, " - " (hyphen), and " . " (dot). For TL1 compatibility, the user name must be of 6 to 10 characters.

      • Password—Type the user password.

        Note   

        The password change of root user is not supported from CTC.

        The minimum password length for CTC is six and maximum of 127 characters. To set the maximum length of a password, refer to . The password must be a combination of alphanumeric (a-z, A-Z, 0-9) and special (+, #,%) characters, where at least two characters are not alphabetic and at least one character is a special character; or the password can contain any character. The password must not contain the user name.

      • Confirm Password—Type the password again to confirm it.

      • Security Level—Choose a security level for the user: RETRIEVE, MAINTENANCE, PROVISIONING, or SUPERUSER.

      • Retrieve—Users can retrieve and view CTC information but cannot set or modify parameters.

      • Maintenance—Users can access only the maintenance options.

      • Provisioning—Users can access the provisioning and maintenance options.

      • Superusers—Users can perform all of the functions of the other security levels as well as set names, passwords, and security levels for other users.

      Step 4   Click OK.
      Step 5   Return to your originating procedure (NTP).

      DLP-G282 Viewing and Terminating Retrieving Active Logins

      Purpose

      This task allows you to view active CTC logins, retrieve the last activity time, and terminate all current logins.

      Tools/Equipment

      None

      Prerequisite Procedures

      • DLP-G46 Log into CTC

      • "Login to CTC" in System Setup and Software Installation Guide for Cisco NCS 4000 Series

      Required/As Needed

      As needed

      Onsite/Remote

      Onsite or remote

      Security Level

      Superuser only

      Procedure
        Step 1   In node view or network view, click the Provisioning > Security > Active Logins tabs. The Active Logins tab displays the following information:

        • Node

        • User

        • Source IP address

        • Session Type (EMS, TL1, FTP, Telnet, or SSH)

        • Login time

        • Last activity time

          Note   

          Active Login tab always display the two telnet sessions for a single CTC session, open by a user using a single IP address.
        Step 2   Click Logout to end the session of every logged-in user. This will log out all current users, excluding the initiating Superuser.
        Step 3   Click Retrieve Last Activity Time to display the most recent activity date and time for users in the Last Activity Time field.
        Step 4   Return to your originating procedure (NTP).