Administrators can limit users to specific management interfaces. During authentication, the controller or service platform looks at the user‘s access assignment to determine if the user has permissions to access an interface:
The controller or service platform also supports multiple RADIUS server definitions as well as fallback to provide authentication in the event of failure. If the primary RADIUS server is unavailable, the controller or service platform authenticates with the next RADIUS sever, as defined in the AAA policy. If a RADIUS server is not reachable, the controller or service platform can fall back to the local database for authentication. If both RADIUS and local authentication services are unavailable, read-only access can be optionally provided.
The controller or service platform authenticates users using the integrated local database. When user credentials are presented the controller or service platform validates the username and password against the local database and assigns permissions based on the associated roles assigned. The controller or service platform can also deny the authentication request if the user is attempting to access a management interface not specified in the account‘s access mode list.
Use the Administrators tab to review existing administrators, their access medium (type) and administrative role within the controller, service platform or access point managed network. New administrators can be added, and existing administrative user configurations modified or deleted as required.
To create administrators and assign them access types and roles:
User Name | Displays the name assigned to the administrator upon creation of their account. The name cannot be modified as part of the administrator configuration edit process. |
Access Type | Lists the Web UI, Telnet, SSH or Console access type assigned to each listed administrator. A single administrator can have any one (or all) of these roles assigned at the same time. |
Role | Lists the Superuser, System, Network, Security, Monitor, Help Desk, Web User, Device Provisioning or Vendor Admin role assigned to each listed administrator. An administrator can only be assigned one role at a time. |
Web UI | Select this option to enable access to the device‘s Web User Interface. |
Telnet | Select this option to enable access to the device using TELNET. |
SSH | Select this option to enable access to the device using SSH. |
Console | Select this option to enable access to the device‘s console. |
Superuser | Select this option to assign complete administrative rights to the user. This entails all the roles listed for all the other administrative roles. |
System | The System administrator role provides permissions to configure general settings like NTP, boot parameters, licenses, perform image upgrades, auto install, manager redundancy/clustering and control access. |
Network | The Network administrator role provides privileges to configure all wired and wireless parameters like IP configuration, VLANs, L2/L3 security, WLANs, radios, and captive portal. |
Security | Select Security administrator to set the administrative rights for a security administrator allowing configuration of all security parameters. |
Monitor | Assigns the System Monitor role to the new user. This role has read-only access to the system. The user can only view configuration and statistics. The user cannot view secret information and passwords. Select Monitor to assign permissions without any administrative rights. |
Help Desk | Assign this role to someone who typically troubleshoots and debugs problems reported by the customer. The Help Desk manager typically runs troubleshooting utilities (like a sniffer), executes service commands, views and retrieves logs. Help Desk personnel are not allowed to conduct controller or service platform reloads. |
Web User | Assigns the Web User Administrator role to the new user. This role allows the user to create guest users and credentials. The Web user admin can access only the custom GUI screen and does not have access to the normal CLI and GUI. |
Device Provisioning | Assigns the Device provisioning administrator role to
the new user. This role has privileges to update (provision) device
configuration files or firmware. However, such updates run the risk of
overwriting and loss of existing device configurations unless properly
archived. Note: You
can restrict a device-provisioning-admin user's access to devices
within a specific location or locations by applying the Allowed Locations
tag. When applied, this user, will only have access to
devices within the locations (RF Domains/sites/tree-node paths)
associated with the allowed-locations tag.
For information on configuring the allowed-locations tag, click here. |
Vendor Admin | Configures this user‘s role as vendor-admin. Once created, the
vendor-admin can access the online device-registration portal to add
devices to the RADIUS vendor group to which he/she belongs.
Vendor-admins have only Web access to the device registration portal.
The WiNG software allows multiple vendors to securely on-board their devices through a single SSID. Each vendor has a ‘vendor-admin‘ user who is assigned a unique, username/password credential for RADIUS server validation. Successfully validated vendor-admins can on-board their devices, which are, on completion of the on-boarding process, immediately placed on the vendor-allowed VLAN. If assigning the vendor-admin role, provide the vendor's group name for RADIUS authentication. The vendor's group takes precedence over the statically configured group for device registration. Note: The Allowed
Locations option is not applicable to this role.
|
REST API User | Assigns the REST API user role. This user role provides read-only permission for the user to use APIs to retrieve statistics, etc. The user will not have permission to change/write configurations. |