Configure Management User Account

About this task

Management services (Telnet, SSHv2, HTTP, HTTPS, and FTP) require administrators to enter a valid username and password which is authenticated locally or centrally on a RADIUS server. SNMPv3 also requires a valid username and password which is authenticated by the SNMPv3 module. For CLI and Web UI users, the controller or service platform also requires user role information to know what permissions to assign.
  • If local authentication is used, associated role information is defined on the controller or service platform when the user account is created.
  • If RADIUS is used, role information is supplied RADIUS using vendor specific return attributes. If no role information is supplied by RADIUS, the controller or service platform applies default read-only permissions.
Administrators can limit users to specific management interfaces. During authentication, the controller or service platform looks at the user‘s access assignment to determine if the user has permissions to access an interface:
  • If local authentication is used, role information is defined on the controller or service platform when the user account is created.
  • If RADIUS is used, role information is supplied by RADIUS using vendor specific return attributes.

The controller or service platform also supports multiple RADIUS server definitions as well as fallback to provide authentication in the event of failure. If the primary RADIUS server is unavailable, the controller or service platform authenticates with the next RADIUS sever, as defined in the AAA policy. If a RADIUS server is not reachable, the controller or service platform can fall back to the local database for authentication. If both RADIUS and local authentication services are unavailable, read-only access can be optionally provided.

The controller or service platform authenticates users using the integrated local database. When user credentials are presented the controller or service platform validates the username and password against the local database and assigns permissions based on the associated roles assigned. The controller or service platform can also deny the authentication request if the user is attempting to access a management interface not specified in the account‘s access mode list.

Use the Management tab to review existing administrators, their access medium type, and administrative role within the controller, service platform or access point managed network. New administrators can be added, and existing administrative user configurations modified or deleted as required.
Note

Note

The management policy administrator role requires to have at least one Superuser.

Procedure

  1. Add a new user to a management policy.
  2. Configure the following user settings for existing administrators:
    Setting Description
    Username The field displays the default name assigned to the administrators upon creation of their account. The name field cannot be modified
    Password Password associated with the username
    Confirm Password Re-type the password to confirm associated password
    Access type Lists the console, SSH, telnet, and web UI access type assigned to each listed administrator. A single administrator can have any one or all of these roles assigned at the same time
    Options include:
    • Console - select this option to enable access to the device's console
    • SSH - select this option to enable access to the device using SSH
    • Telnet - select this option to enable access to the device using Telnet
    • Web UI - select this option to enable access to the device‘s Web User Interface
    Administrator role Lists the role assigned to each listed administrator. An administrator can only be assigned one role at a time
    Options include:
    • Device Provisioning admin - Assigns the device provisioning administrator role to the new user. This role has privileges to update provision device configuration files or firmware. However, such updates run the risk of overwriting and loss of existing device configurations unless properly archived.
      Note: You can restrict a device-provisioning-admin user's access to devices within a specific location or locations by applying the Locations tag. When applied, this user will only have access to devices within the locations (sites/tree-node paths) associated with the locations tag

      For more information, see set locations configuration

    • Help Desk - Assign this role to the person who troubleshoots and debugs problems reported by the customer. The Help Desk manager typically runs troubleshooting utilities, runs service commands, views, and retrieves logs. Help Desk personnel are not allowed to conduct controller or service platform reloads
    • Monitor - Assigns the System Monitor role to the new user. This role has read only access to the system. The user can only view configuration and statistics. The user cannot view protected information and passwords. Select Monitor to assign permissions without any administrative rights
    • Network Admin - The Network administrator role provides full access to configure all wired and wireless parameters like IP configuration, VLANs, L2/L3 security, WLANs, radios, and captive portal
    • Rest API User - Assigns the REST API user role. This user role provides read-only permission for the user to use APIs to retrieve statistics, etc. The user will not have permission to change or write configurations
    • Security Admin - Select Security administrator to set the administrative rights for a security administrator allowing configuration of all security parameters
    • Superuser - Select this option to assign complete administrative rights to the user. This entails all the roles listed for all the other administrative roles
    • System Admin - The System administrator role provides permissions to configure general settings like NTP, boot parameters, licenses, perform image upgrades, auto install, manager redundancy or clustering and control access
    • Vendor Admin - Configures this user‘s role as vendor-admin. Once created, the vendor-admin can access the online device-registration portal to add devices to the RADIUS vendor group to which the admin belongs. Vendor-admins only have web access to the device registration portal.

      The WiNG software allows multiple vendors to securely on-board their devices through a single SSID. Each vendor has a ‘vendoradmin‘ user who is assigned a unique username and password credential for RADIUS server validation. Successfully validated vendor-admins can on-board their devices, which are, on completion of the on-boarding process, immediately placed on the vendor-allowed VLAN.

      If assigning the vendor-admin role, provide the vendor's group name for RADIUS authentication. The vendor's group takes precedence over the statically configured group for device registration.
      Note: The Allowed Location option is not applicable to this role
    • Web User admin - Assigns the Web User administrator role to the new user. This role allows the user to create guest users and credentials. The Web user admin can access only the custom GUI screen and does not have access to the normal CLI and GUI
    Allowed Location Use the allowed location field to specify the allowed-locations tag. Each allowed-location tag is mapped to one or multiple locations (RF Domains/sites/tree-node paths). By specifying an allowed location tag, you are restricting the user's access to the locations mapped to the tag. However, in WiNG, this option is only applicable to the Device Provisioning admin user role
    Note: Ensure that the allowed location tag is existing and configured. Use the locations tab on the Management dashboard to create a tag and map it to locations (RF Domains, sites, tree-node paths, etc.) within your managed network. For more information, see Set Location Configuration
    Group Specify the group to which the user belongs
9037026-03 Rev AA