Manage Cisco NAC Profiler User Accounts
This chapter includes the following topics:
•Viewing NAC Profiler Web Interface User Accounts
•Editing Cisco NAC Profiler Web Interface User Accounts
•Cisco NAC Profiler User Administration
The Cisco NAC Profiler Server has user accounts both at the individual appliance level (Linux command line), and for the web interface which is the primary management interface for Cisco NAC Profiler systems. At the appliance level, every Profiler Server has two Linux accounts which can be utilized for managing the appliance at the command line. Those two accounts are the `root' and `beacon' Linux user accounts. These accounts are created and passwords assigned as each Profiler Server appliance is initially started up as described in Chapter 4, "Installation and Initial Configuration" immediately after the appliance is powered-on for the first time. The root and beacon Linux accounts on each appliance are managed via the Linux command line only.
The principal management interface for Cisco NAC Profiler systems is the web management interface. Once a NAC Profiler appliance has been initially configured as outlined in Chapter 4, "Installation and Initial Configuration", virtually all system administration and management tasks can be completed via the web GUI. However, it may be necessary from time to time to access the command line of a Profiler Server appliance. The CLI of a Profiler Server appliance may be accessed either via terminal emulation using the console port, via a keyboard and monitor connected to the appliance (or through a KVM switch), or over the network using SSH. A Profiler Server appliance can only be accessed via SSH by Linux user beacon using the password assigned to the beacon Linux user when the appliance was initially configured. Once an SSH session is established as beacon, the su - Linux command can be used to switch to the root user in order to issue commands requiring it. Both the root and beacon Linux user accounts can be accessed when connecting to the appliance via the console port, or using a keyboard and monitor connected to an appliance by using the passwords assigned at system startup.
On every Profiler Server a default web interface Administrator user, user name "admin," is created at system initialization. The password for the web beacon user is set during the execution of the startup scripts, and is used to access the web interface of a new Cisco NAC Profiler system for the first time as described in Chapter 5, "Configuring Cisco NAC Profiler for the Target Environment."
Managing Cisco NAC Profiler Web User Accounts
Only the admin web interface user is allowed manage Cisco NAC Profiler web management user accounts. To add, delete or enable/disable users of Cisco NAC Profiler web interface, make sure to log into the web interface as the admin user.
The User Accounts portion of the web interface enables the creation and management of the user accounts that allow access to Cisco NAC Profiler configuration via the web interface as described throughout this guide. The Cisco NAC Profiler web-based GUI has three user account types: Administrator, Analyst and Operator.
Operator users have full access to Cisco NAC Profiler with the exception of adding, deleting, and enabling/disabling users. They are able to make Cisco NAC Profiler system configuration changes, view the Endpoint Console, and use Cisco NAC Profiler in Port Provisioning mode when Cisco NAC Profiler has been configured with SNMP read-write access.
Analyst users have read-only access to Cisco NAC Profiler. They cannot make configuration changes to Cisco NAC Profiler itself, or use Cisco NAC Profiler in Port Provisioning mode (e.g., cannot change port settings via the Manage view of the Endpoint Console). Analyst users can view all Cisco NAC Profiler data, and use the Cisco NAC Profiler Utilities to search for endpoints, or view Profile data.
To manage Cisco NAC Profiler web UI user accounts, ensure you are logged in as the admin user, and then select the Configuration tab and either select User Accounts from the left navigation bar or from the table on the main Configuration page. The main Cisco NAC Profiler Users configuration page displays as shown in Figure 12-1.
Figure 12-1 Cisco NAC Profiler Users Page
Create NAC Profiler Web User Accounts
To create a Cisco NAC Profiler web user account, select the Create Users link in the Cisco NAC Profiler Users table. The Add User form is displayed in the resulting page:
Figure 12-2 Add Web User Account Form
Complete the following fields on the Add User form to add a web user account to the Cisco NAC Profiler configuration:
Enter a unique name for the new user.
Enter a password for this user. The identical password has to be entered twice to ensure that it is entered accurately.
Select the appropriate access level for this user, Operator or Analyst.
Select the desired status for the user.
When the information for the new user is added to the form, select the Add User button to create the new web user account. After adding the new web user the Table of Users is displayed which will reflect the new user account added to the configuration.
Viewing NAC Profiler Web Interface User Accounts
To view all Cisco NAC Profiler web users and their status (e.g., enabled or disabled) currently defined in the system configuration, select the View/Edit Users List link in the Cisco NAC Profiler Users table. Figure 12-3 shows the Table of Users.
Figure 12-3 Table of Users
Editing Cisco NAC Profiler Web Interface User Accounts
Existing web user accounts with the exception of the admin account can be edited via the web UI. Note that all usernames in the Table of Users other than admin are hyperlinks. Selecting the green hyperlink username redirects the interface to the Save User form shown in Figure 12-4. The current configuration for the selected user account is pre-populated in the form.
Figure 12-4 Save User Form
To change any of the parameters for the selected account, make the desired changes on the form and select Save User to commit the changes. Selecting the Save User button will display the Table of Users, allowing edits to additional web user accounts if desired.
To delete a user from the system configuration, select the Delete User button.
Cisco NAC Profiler User Administration
As described earlier, the admin web user is a privileged account. The username of the admin account cannot be changed, nor can the account be disabled. The password can be changed however via the command line interface.
To change the admin web user password, establish a command-line session via SSH, console or keyboard and monitor connection to the appliance running the Server module for Cisco NAC Profiler. Login as the beacon Linux user and enter the command htpasswd -s /usr/beacon/config/htpasswd admin at the prompt as shown in Figure 12-5. Enter the new password for the admin web user, and confirm it to make the change permanent. Accessing the web UI with username admin will now require the new password.
Figure 12-5 Change Admin User Password