Creating an Administrator Configuration

About this task

Management services (Telnet, SSHv2, HTTP, HTTPS and FTP) require administrators enter a valid username and password which is authenticated locally or centrally on a RADIUS server. SNMPv3 also requires a valid username and password which is authenticated by the SNMPv3 module. For CLI and Web UI users, the controller or service platform also requires user role information to know what permissions to assign.
  • If local authentication is used, associated role information is defined on the controller or service platform when the user account is created.
  • If RADIUS is used, role information is supplied RADIUS using vendor specific return attributes. If no role information is supplied by RADIUS, the controller or service platform applies default read-only permissions.

Administrators can limit users to specific management interfaces. During authentication, the controller or service platform looks at the user‘s access assignment to determine if the user has permissions to access an interface:

  • If local authentication is used, role information is defined on the controller or service platform when the user account is created.
  • If RADIUS is used, role information is supplied by RADIUS using vendor specific return attributes.

The controller or service platform also supports multiple RADIUS server definitions as well as fallback to provide authentication in the event of failure. If the primary RADIUS server is unavailable, the controller or service platform authenticates with the next RADIUS sever, as defined in the AAA policy. If a RADIUS server is not reachable, the controller or service platform can fall back to the local database for authentication. If both RADIUS and local authentication services are unavailable, read-only access can be optionally provided.

The controller or service platform authenticates users using the integrated local database. When user credentials are presented the controller or service platform validates the username and password against the local database and assigns permissions based on the associated roles assigned. The controller or service platform can also deny the authentication request if the user is attempting to access a management interface not specified in the account‘s access mode list.

Use the Administrators tab to review existing administrators, their access medium (type) and administrative role within the controller, service platform or access point managed network. New administrators can be added, and existing administrative user configurations modified or deleted as required.

To create administrators and assign them access types and roles:

Procedure

  1. Select the Administrators tab if not selected by default.
    The Administrators screen displays.
    Click to expand in new window
    GUID-A6AC2FE0-7C7A-4418-A5DC-F6A1FBC30FC6-low.png
  2. Refer to the following high-level configurations of existing administrators:
    User Name Displays the name assigned to the administrator upon creation of their account. The name cannot be modified as part of the administrator configuration edit process.
    Access Type Lists the Web UI, Telnet, SSH or Console access type assigned to each listed administrator. A single administrator can have any one (or all) of these roles assigned at the same time.
    Role Lists the Superuser, System, Network, Security, Monitor, Help Desk, Web User, Device Provisioning or Vendor Admin role assigned to each listed administrator. An administrator can only be assigned one role at a time.
  3. Select Add to create a new administrator configuration, Edit to modify an existing configuration or Delete to permanently remove an administrator from the list of those available.
    The Administrators screen displays.
    Click to expand in new window
    GUID-B9BF786E-4536-4C14-B70A-A0455BF94E8B-low.png
  4. If creating a new administrator, enter a name in the User Name field.
    This is a mandatory field for new administrators and cannot exceed 32 characters. Optimally assign a name representative of the user and role.
  5. Provide a strong password for the administrator within the Password field. Reconfirm the password to ensure its accurately entered. This is a mandatory field.
  6. Select Access options to define the permitted access for the user. Access modes can be assigned to management user accounts to restrict which management interfaces the user can access. A management user can be assigned one or more access roles allowing access to multiple management interfaces. If required, all four options can be selected and invoked simultaneously.
    Web UI Select this option to enable access to the device‘s Web User Interface.
    Telnet Select this option to enable access to the device using TELNET.
    SSH Select this option to enable access to the device using SSH.
    Console Select this option to enable access to the device‘s console.
  7. Select the Administrator Role for the administrator using this profile. Only one role can be assigned.
    Superuser Select this option to assign complete administrative rights to the user. This entails all the roles listed for all the other administrative roles.
    System The System administrator role provides permissions to configure general settings like NTP, boot parameters, licenses, perform image upgrades, auto install, manager redundancy/clustering and control access.
    Network The Network administrator role provides privileges to configure all wired and wireless parameters like IP configuration, VLANs, L2/L3 security, WLANs, radios, and captive portal.
    Security Select Security administrator to set the administrative rights for a security administrator allowing configuration of all security parameters.
    Monitor Assigns the System Monitor role to the new user. This role has read-only access to the system. The user can only view configuration and statistics. The user cannot view secret information and passwords. Select Monitor to assign permissions without any administrative rights.
    Help Desk Assign this role to someone who typically troubleshoots and debugs problems reported by the customer. The Help Desk manager typically runs troubleshooting utilities (like a sniffer), executes service commands, views and retrieves logs. Help Desk personnel are not allowed to conduct controller or service platform reloads.
    Web User Assigns the Web User Administrator role to the new user. This role allows the user to create guest users and credentials. The Web user admin can access only the custom GUI screen and does not have access to the normal CLI and GUI.
    Device Provisioning Assigns the Device provisioning administrator role to the new user. This role has privileges to update (provision) device configuration files or firmware. However, such updates run the risk of overwriting and loss of existing device configurations unless properly archived.
    Note: You can restrict a device-provisioning-admin user's access to devices within a specific location or locations by applying the Allowed Locations tag. When applied, this user, will only have access to devices within the locations (RF Domains/sites/tree-node paths) associated with the allowed-locations tag.

    For information on configuring the allowed-locations tag, click here.
    Vendor Admin Configures this user‘s role as vendor-admin. Once created, the vendor-admin can access the online device-registration portal to add devices to the RADIUS vendor group to which he/she belongs. Vendor-admins have only Web access to the device registration portal.

    The WiNG software allows multiple vendors to securely on-board their devices through a single SSID. Each vendor has a ‘vendor-admin‘ user who is assigned a unique, username/password credential for RADIUS server validation. Successfully validated vendor-admins can on-board their devices, which are, on completion of the on-boarding process, immediately placed on the vendor-allowed VLAN.

    If assigning the vendor-admin role, provide the vendor's group name for RADIUS authentication. The vendor's group takes precedence over the statically configured group for device registration.

    Note: The Allowed Locations option is not applicable to this role.
    REST API User Assigns the REST API user role. This user role provides read-only permission for the user to use APIs to retrieve statistics, etc. The user will not have permission to change/write configurations.
  8. Use the Allowed Locations field to specify the allowed-locations tag. Each allowed-locations tag is mapped to one or multiple locations (RF Domains/sites/tree-node paths). By specifying an allowed-locations tag you are restricting the user's access to the location(s) mapped to the tag. However, in WiNG, this option is only applicable to the Device Provisioning user role.
    Note

    Note

    Ensure that the allowed-locations tag is existing and configured. Use the Allowed Locations tab to create a tag and map it to locations (RF Domains, sites, tree-node paths, etc.) within your managed network. For more information, see Setting an Allowed Location Configuration.
  9. Use the Group field to specify the user group to which this user belongs.
  10. Click OK to save the administrator‘s configuration, or click Reset to revert to the last saved configuration.
9036314-02 REV AA