Table Of Contents
Managing User Access
Understanding User Authentication and Authorization Methods
Using Preconfigured System User Profiles
Displaying the Users List
Creating a User Profile
Deleting a User Profile
Changing Your Password
Changing the Password of Another User
Moving Between User Privilege Levels
Configuring User Profiles on a TACACS+ Server
Managing the WBM Portal to Restrict User Access to Specific Zones
Managing Authorization to Specific WBM Commands
Managing User Access
This chapter describes how to control access to the Cisco Anomaly Guard Module (Guard module) by creating user profiles. When a user attempts to log on to the WBM, the Guard module authenticates the login username and password against a user profile database.
This chapter refers to the Cisco Detector (Detector), the companion product of the Guard module. The Detector is a Distributed Denial of Service (DDoS) attack detection device that analyzes a copy of the zone traffic. The Detector can activate the Guard module attack mitigation services when the Detector determines that the zone is under attack. The Detector can also synchronize zone configurations with the Guard module. For more information about the Detector, see the Cisco Traffic Anomaly Detector Module Configuration Guide and Cisco Traffic Anomaly Detector Configuration Guide.
This chapter contains the following sections:
•
Understanding User Authentication and Authorization Methods
•Using Preconfigured System User Profiles
•Displaying the Users List
•Creating a User Profile
•Deleting a User Profile
•Changing Your Password
•Changing the Password of Another User
•Moving Between User Privilege Levels
•Configuring User Profiles on a TACACS+ Server
Understanding User Authentication and Authorization Methods
Depending on how you configure the Guard module using the CLI, the Guard module performs user authentication and authorization using one or both of the following methods:
•Local—Authenticates the username and password against its own internal database. You can configure each username with a user privilege level that allows the user to execute a predefined set of commands.
The local authentication and authorization method is the default. You configure local user authentication and authorization using the WBM.
•AAA (authentication, authorization, and accounting)—Authenticates the username and password against an external database that resides on one or more Terminal Access Controller Access Control System Plus (TACACS+) servers. AAA authorization enables you to specify access rights for each command. In addition to configuring user authentication and authorization, AAA services allow you to configure accounting, which enables you to track device events. For example, you can track user-initiated events, such as Guard module configuration changes.
Using Preconfigured System User Profiles
The Guard module is preconfigured with the following two system user profiles on the local database:
•admin—Use this default username to initially access the CLI on the Guard module. You assign a password to the admin user profile when you log into the Guard module for the first time. If you log on as an administrator, you have full access to the CLI commands and the WBM windows. Use the admin user profile to configure the Guard module and to create other user profiles.
•riverhead—The Detector uses the riverhead username to initially access the Guard module and establish the communication channel between them. You assign a password to the riverhead user profile when you log into the Guard module for the first time. After the initial communication link has been established between the Detector and the Guard module, the two devices use a private-public key pair to establish future communication links, eliminating the need for user intervention. The riverhead system user profile is configured with the dynamic user privilege level.
You can change the password of a system user, but you cannot delete a system user from the Guard module database.
Note We recommend that you create new user accounts and avoid using the system user accounts after initial configuration so that you can monitor user actions.
Displaying the Users List
The WBM allows you to display a list of the users that are defined in the local user database. From the user list, you can add or delete a user profile. The user list is divided into two categories as follows:
•System users—User profiles that are predefined by Cisco and cannot be deleted (see the "Using Preconfigured System User Profiles" section).
•Users—User profiles that you define.
To view the list of users that are defined in the local user database, perform the following steps:
Step 1 In the navigation pane, click Guard Summary. The Guard summary menu appears.
Step 2 From the Guard summary menu, choose Users > Users list. The Users list appears.
Creating a User Profile
To create a user profile on the local database, you must have administration access rights.
Note If the Guard module is configured to authenticate users using local and AAA services for authentication (or just AAA services), you must also configure user profile information on each TACACS+ server that is used for authentication purposes (see the "Configuring User Profiles on a TACACS+ Server" section).
To create a new user profile, perform the following steps:
Step 1 In the navigation pane, click Guard Summary. The Guard summary menu appears.
Step 2 Use one of the following methods to display the Create User screen:
•From the Guard summary menu, choose Users > Create user.
•From the Guard summary menu, choose Users > Users list (the Users list appears) and then click Add.
Step 3 Define the user profile parameters as described in Table 3-1.
Table 3-1 User Profile Parameters
Parameter
|
Description
|
User name
|
Name of the user profile. Enter a case-sensitive alphanumeric string from 1 to 63 characters that starts with an alphabetic character. The string cannot contain spaces but can contain underscores.
|
Initial password
|
User password. Enter a case-sensitive 6- to 24-character string with no spaces.
|
Type
|
User privilege level. Choose one of the following user privilege levels from the Type drop-down list:
•show—Permits access to monitoring and diagnostic operations.
•dynamic—Permits access to monitoring and diagnostic operations, protection, and learning-related operations. Users with Dynamic privileges can also configure the flex-content and dynamic filters.
•config—Permits full access to all WBM functions except for user profile management.
•admin—Permits full access to all WBM functions.
|
Step 4 Choose one of the following options:
•OK—Saves the user profile information to the local database. The user details screen appears and displays the new user profile parameters.
•Clear—Clears the User form of any information that you added.
•Cancel—Exits the Create User screen without saving any information. The Users list appears.
Deleting a User Profile
When you delete a user profile, the associated user can no longer access the Guard module if authentication is performed using the local user database only.
To delete a user profile, perform the following steps:
Step 1 In the navigation pane, click Guard Summary. The Guard summary menu appears.
Step 2 From the Guard summary menu, choose Users > Users list. The Users list appears.
Step 3 Check the check box of the desired username to delete, and then click Delete. To delete all the usernames listed, check the User check box, and then click Delete. The delete validation message appears.
Step 4 Choose one of the following options:
•OK—Deletes the user profile from the local database. The Users list appears.
•Cancel—Ignores the delete user request. The Users list appears.
Changing Your Password
You can change your own password. Administrators can change their own password and the passwords of other users (see the "Changing the Password of Another User" section).
To change your own password, perform the following steps:
Step 1 In the navigation pane, click Guard Summary. The Guard summary menu appears.
Step 2 From the Guard summary menu, choose Users > Change Password. The Change Password screen appears.
Step 3 In the Old Password field, enter your current password.
Step 4 In the New Password field, enter a new password. The password must be a case-sensitive 6- to 24-character string with no spaces.
Step 5 In the Confirm New Password field, reenter the new password.
Step 6 Choose one of the following options:
•OK—Saves the new password to the user profile on the Guard module database. The Guard summary screen appears.
•Cancel—Exits the Change Password screen without saving any information. The Guard summary screen appears.
If you enter an invalid current password, the Guard module displays an error message because it cannot verify the new password. Click Go Back to repeat the procedure.
Changing the Password of Another User
Users with an administration user privilege level can change passwords of other users.
To change the password of another user, perform the following steps:
Step 1 In the navigation pane, click Guard Summary. The Guard summary menu appears.
Step 2 From the Guard summary menu, choose Users > Change Password. The Change Password screen appears.
Step 3 Click on a username. The user details screen appears.
Step 4 Click Config. The Config User screen appears.
Step 5 Enter the new password. The password must be a case-sensitive 6- to 24-character string with no spaces.
Step 6 Choose one of the following options:
•OK—Saves the new password to the user profile on the local database. The User List screen appears.
•Clear—Clears the User form of any information that you added.
•Cancel—Exits the Config User screen without saving any information. The User List screen appears.
Moving Between User Privilege Levels
You can move between user privilege levels.
To move between user privilege levels, perform the following steps:
Step 1 From the information area, click Enable.
The Enable Authentication window appears.
Step 2 From the Level drop-down list, choose a user privilege level to which you want to move. The privilege level can be one of the following:
•admin—Permits full access to all WBM functions.
•config—Permits full access to all WBM functions except for user profile management.
•dynamic—Permits access to monitoring and diagnostic operations, protection, and learning-related operations. Users with Dynamic privileges can also configure the flex-content and dynamic filters.
Step 3 In the Password field, enter the privilege level password.
Step 4 To apply the change, click OK.
Configuring User Profiles on a TACACS+ Server
The information in this section is intended for administrators who must configure the WBM user profile information on a TACACS+ server. To manage user access to the WBM using a TACACS+ server and AAA services, you must use the Guard module CLI to enable the AAA services and to define the TACACS+ servers on the Guard module (see the Cisco Anomaly Guard Module Configuration Guide).
Note When you enable TACACS+ accounting, each recorded event is assigned a task identification (task_id) number. For WBM events, the task_id numbering sequence begins at 40000 for each user.
You can configure user authorization on a TACACS+ server to restrict user access to specific zones and WBM functions.
Note All commands listed in this section are case sensitive.
This section contains the following topics:
•Managing the WBM Portal to Restrict User Access to Specific Zones
•Managing Authorization to Specific WBM Commands
Managing the WBM Portal to Restrict User Access to Specific Zones
You can customize the WBM portal to limit the zones that a user can view and access by configuring the TACACS+ server with the command ShowZonePortal command and the zone_name attribute.
Caution The following commands provide basic WBM navigation and are mandatory and must always be configured to
permit:
ShowGuardPortal and
ShowZonesList.
For example, in the following TACACS+ server configuration, user ABC is granted permission to access zones ABC_1 and ABC_2 only, regardless of how many zones you have configured on the device.
Managing Authorization to Specific WBM Commands
Every WBM menu item and function button is mapped to a command that allows you to control whether or not a user is authorized to access specific menu items or function buttons.
Caution Using authorization to manage user access to each WBM command significantly increases the amount of traffic to and from the Guard module addresses. This increase in traffic can trigger the self-protection tcp_outgoing_ns policies of the Guard module. To avoid this problem, we recommend raising the threshold values these policies (see the
Cisco Anomaly Guard Module Configuration Guide).
Table 3-2 displays the WBM commands that you can configure on a TACACS+ server to manage user access to WBM functionality.
Table 3-2 WBM Operations Supported by TACACS+
Privilege Level
|
Function
|
Command
|
Admin
|
User management
|
ShowUserList
|
AddUser
|
DeleteUser
|
ShowUserDetails
|
ConfigUser
|
Config
|
Create/Add
|
CreateUserFilter
|
CreateBypassFilter
|
CreateZone
|
CreateZoneTemplate
|
AddZoneIP
|
AddPolicyThreshold
|
AddService
|
Delete
|
DeleteZones
|
DeleteZoneIP
|
DeleteZoneTemplate
|
DeleteReports
|
DeleteUserFilters
|
DeleteBypassFilters
|
DeletePacketDump
|
DeleteSnapshot
|
DeletePolicyThreshold
|
RemoveService
|
ClearCounters
|
Export
|
ExportReports
|
SetFtpServer
|
Config
(continued)
|
Learn
|
StartProtect&Learn
|
StartPolicyConstruction
|
StopPolicyConstruction
|
StartThresholdTuning
|
StopThresholdTuning
|
AcceptPolicyConstruction
|
AcceptThresholdTuning
|
CreateSnapshot
|
DeleteSnapshot
|
RejectResults
|
NoLearningAccept
|
NoLearningReject
|
SavePoliciesRecommendations
|
Configure
|
ConfigExtendedFlexFilter
|
ConfigWormSrcIPs
|
ConfigPolicies
|
ConfigPolicyTemplate
|
ConfigZone
|
ConfigLearn
|
ConfigPolicy
|
ConfigPolicyGroup
|
ConfigPolicyThreshold
|
ChangePolicyState
|
RecommendationAcceptForever
|
SaveAsZone
|
Dynamic
|
Create/Add/Delete
|
CreateExtendedFlexFilter
|
DeleteExtendedFlexFilter
|
CreateDynamicFilter
|
DeleteAllDynamicFilters
|
DeleteDynamicFilters
|
RecommendationIgnore
|
RecommendationAccept
|
Dynamic
(continued)
|
Victim Activation
|
protectIP
|
StartProtection
|
StopProtection
|
ActivatePolicy
|
DeactivatePolicy
|
AcceptPendingDynFilter
|
Packet-dump
|
StartPacketDump
|
StopPacketDump
|
SavePacketDump
|
RenamePacketDump
|
CopyPacketDump
|
ExportPacketDump
|
ImportPacketDump
|
Show
|
Password/Login/Logout
|
UserLogin
|
UserLogout
|
EnableUser
|
ChangePassword
|
Show
(continued)
|
Show
|
ShowGuardPortal
|
ShowGuardCounters
|
ShowGuardRealtimeCounters
|
ShowGuardLog
|
ShowZoneList
|
ShowTemplateList
|
ShowPolicyComparison
|
ShowZonePortal
|
ShowZoneCounters
|
ShowRealtimeCounters
|
ShowZoneLog
|
ShowAttacksSummary
|
ShowAttack
|
ShowAttackDetails
|
ShowZombiesAttack
|
ShowPolicyStatistics
|
ShowDropStatistics
|
ShowPacketDumpList
|
ShowCaptureAnalysis
|
ShowDynamicFilters
|
ShowDynamicFilterDetails
|
ShowPendingRecommendations
|
ShowPendingFilters
|
ShowSnapshotList
|
ShowGeneralConfiguration
|
ShowUserFilters
|
ShowBypassFilters
|
ShowFlexContentFilters
|
ShowPolicyTemplate
|
ShowPolicies
|
ShowPolicyDetails
|
ShowLearningParams
|
ShowPolicyComparison
|
ShowSignatureExtraction
|
ShowVersion
|
The following TACACS+ server example shows how to configure user Customer A with authorization to access the following zones and functionality:
•Zones A1 and A2 only.
•All WBM functions except for the following diagnostic functions:
–Guard counters
–Real time counters
–Show logs
default authentication = file /etc/passwd
accounting file = /var/log/tacacs.log
default authorization = permit
permit "zone_name_zone_A1"
permit "zone_name_zone_A2"
cmd = ShowGuardCounters {
cmd = ShowGuardRealtimeCounters {
Feedback
