Use the Users tab to create the authorization groups that define the access privileges (called Capabilities) to specific ExtremeCloud IQ Site Engine application features. When a user successfully authenticates, they are assigned membership in an authorization group. Based on their membership in a particular group, users are granted specific capabilities in the application. For example, create an authorization group called "IT Staff" that grants access to a wide range of capabilities and another authorization group called "Guest" grants a very limited range of capabilities.
The tab is also where you define the method used to authenticate users using ExtremeCloud IQ Site Engine. There are four authentication methods available: OS Authentication (the default), LDAP Authentication, RADIUS Authentication, and TACACS+ Authentication.
| NOTE: | When changes to authentication and authorization configurations are made,
clients must restart in order to be subject to the new configuration. Disconnect those clients affected by the changes made to your
authentication and authorization configurations. Use the Client
Connections tab in the Server Information window to help identify which clients
are affected by the changes, and disconnect those clients. |
|---|
For instructions about how to add authorized users in ExtremeCloud IQ Site Engine, see How to Add Users in ExtremeCloud IQ Site Engine.
Users/Groups Access
Select the Acquire Lock button to make changes to the Users tab. Only one user can make changes to the fields on this tab at one time, so selecting this button restricts access to other users.
Once you are finished making changes, select the button again to release the lock.
Authentication Method
Use this section to configure the method used to authenticate users who are attempting to launch an ExtremeCloud IQ Site Engine client or access the ExtremeCloud IQ Site Engine database using the ExtremeCloud IQ Site Engine Server Administration web page.
The following authentication methods are available:
| WARNING: | Changes to the Authentication Type are automatically saved to the server, which can prevent access to users. |
|---|
OS Authentication (Default)
With this authentication method, the ExtremeCloud IQ Site Engine Server uses the underlying host operating system to authenticate users. Use the Authorized Users table to create a list of users allowed access and define their access capabilities.
If desired, enable Automatic Membership and specify an authorization group. The Automatic Membership feature allows the operating system to authenticate a user who is not manually added to the Authorized Users table, dynamically add that user to the table, and assign that user to the specified authorization group the first time they log in. These users are indicated by a true in the Automatic Member column of the Authorized Users table.
LDAP Authentication
With this authentication method, the ExtremeCloud IQ Site Engine Server uses the specified LDAP configuration to authenticate users.
Use the drop-down list to select the LDAP configuration for the LDAP server on your network that you want to use to authenticate users. Use the New menu option to add a new configuration or select the Manage option to manage your LDAP configurations.
With LDAP Authentication, configure dynamic assignment of users to authorization groups based on the attributes associated with a user in Active Directory. For example, create an authorization group that matches everyone in a particular organization, department, or location. When a user authenticates, the attributes associated with that user are matched against a list of criteria specified as part of each authorization group. The first group with criteria met by the user's attributes becomes the authorization group for that user. The user is then added to the Authorized Users table as an automatic member, with that authorization group.
The Authenticate to OS on Failure To Authorization Group feature provides the option to use OS Authentication automatic membership if the LDAP authentication fails. Users authenticated by the operating system are dynamically assigned to the specified authorization group when they log in, and are automatically added to the Authorized Users table. These users are indicated by a true in the Automatic Member column of the table.
RADIUS Authentication
With this authentication method, the ExtremeCloud IQ Site Engine Server uses the specified RADIUS servers to authenticate users.
| NOTE: | The RADIUS Authentication mode supports the PAP authentication type. |
Use the drop-down list to select the primary RADIUS server and backup RADIUS server (optional) on your network that you want to use to authenticate users. Use the New menu option to add a RADIUS server, or select Manage to manage your RADIUS servers.
With RADIUS Authentication, configure dynamic assignment of users to authorization groups based on the attributes associated with a user in Active Directory. When a user authenticates, the attributes associated with that user are matched against a list of criteria specified as part of each authorization group. The first group with a criteria met by the user's attributes becomes the authorization group for that user. The user is then added to the Authorized Users table as an automatic member, with that authorization group.
The Authenticate to OS on Failure to Authorization Group feature provides the option to use OS Authentication automatic membership if the RADIUS server authentication fails. Users authenticated by the operating system are dynamically assigned to the specified authorization group when they log in, and are automatically added to the Authorized Users table. These users are indicated by a true in the Automatic Member column of the table.
TACACS+ Authentication
With this authentication method, the ExtremeCloud IQ Site Engine Server uses up to three specified TACACS+ servers to authenticate users.
Use the drop-down list to select the primary server, the secondary server (optional), and the tertiary server (optional) on your network that you want to use to authenticate users. Use the New menu option to add a server via the Add TACACS+ Server window, or select Manage to manage your servers.
With TACACS+ authentication, users are dynamically assigned to authorization groups based on the attributes associated what that user in TACACS+ server. ExtremeCloud IQ Site Engine looks for the XMC-Authorization-Group attribute / value pair (for example, XMC-Authorization-Group=Domain Admin Group) and if that value matches the authorization group name, the user is associated with the group. If there is no XMC-Authorization-Group attribute being returned by TACACS+ server, other attributes (for examle, ip=ppp) are validated and used to authorize and associate the group to the user.
ExtremeCloud IQ Site Engine attempts to authenticate a client from the primary to the secondary and to the tertiary server in the event of communicating to the TACACS+ server. However, if a TACACS+ server responds with any status, the client does not fall through to the next server.
The Authenticate to OS on Failure to Authorization Group feature provides the option to use OS Authentication automatic membership if the TACACS+ server authentication fails. Users authenticated by the operating system are dynamically assigned to the specified authorization group when they log in, and are automatically added to the Authorized Users table. These users are indicated by a true in the Automatic Member column of the table.
Select the Authenticate to OS Only if TACACS+ Servers are Unresponsive checkbox to use OS Authentication only in the event the TACACS+ servers are not responding. If a user attempts to authenticate via a TACACS+ server and is denied when this checkbox is selected, ExtremeCloud IQ Site Engine does not then attempt to authenticate using the host operating system as a fall through.
Network Settings
SSH configuration provides additional security features for the ExtremeCloud IQ Site Engine engine. Select the Manage SSH Configuration button to open the SSH Configuration window.
| NOTE: | This option requires root privileges. If the server is not running with root privileges then the desired configuration changes must be accomplished through the CLI. |
Select the Manage SSH Configuration check box and provide the following SSH information.
Port
The port field allows you to configure a custom port to be used when launching SSH to the engine. The standard default port number is 22.
Disable Remote root Access
Select this option to disable remote root access via SSH to the engine and force a user to first log in with a real user account and then su to root (or use sudo) to perform an action. When remote root access is allowed, there is no way to determine who is accessing the engine. With remote root access disabled, the /var/log/message file displays users who log in and su to root. The log messages looks like these two examples:
sshd[19735]: Accepted password for <username> from 10.20.30.40 port 36777 ssh2
su[19762]: + pts/2 <username>-root
Enabling this option does not disable root access via the console. Do not disable root access unless you have configured RADIUS authentication or this disables remote access to the ExtremeCloud IQ Site Engine engine.
RADIUS Authentication
This option lets you specify a centralized RADIUS server to manage user login credentials for users that are authorized to log into the engine using SSH. Select a primary and backup RADIUS server to use, and use the table below to create a list of authorized RADIUS users.
SSH Users Table
Use the toolbar buttons to create a list of users allowed to log in to the ExtremeCloud IQ Site Engine engine using SSH. You can add Local and RADIUS users and grant the user Administrative privileges, if appropriate. A user that is granted administrative rights can run sudo commands and commands that only a root user would be able to run. For example, some commands that require administrative rights to run would be:
sudo nacctl restart
sudo reboot
sudo nacdb
If a user is not granted administrative rights, they can log in, view files, and run some commands such a ping and ls.
Authorized Users Table
This table lists all of the users who are currently authorized to access the ExtremeCloud IQ Site Engine database and allows you to add, edit, and delete users and define a user's membership in an authorization group. Each entry shows the user name and authorization group for the user and whether the user is an Automatic Member.
For users manually added to the Authorized Users table using this tab, the Automatic Member column is No. These users are granted permission to log in, no matter what the authentication setting is set to: OS Authentication, LDAP Authentication, RADIUS authentication, or TACACS+ Authentication. All authentication methods allow the non-automatic users to log in.
- User Name
- The users added as authorized users. The column may also display the Client ID, a unique, system-defined numeric identifier for the client.
- Domain/Host Name
- The user's domain/hostname used to authenticate to the ExtremeCloud IQ Site Engine database.
- Automatic Member
- A value of Yes indicates that the user is automatically added to the authorization group via LDAP, RADIUS, or TACACS+ authentication, or the OS Authentication Automatic Membership feature. A value of No indicates that the user is an authorized user that was manually added to the table.
- Add
- Opens the Add/Edit User window, which allows you to define the username, domain, and authorization group for a new authorized user.
- Edit
- Opens the Add/Edit User window, which allows you to modify the authorization group membership for the selected user.
Authorization Groups Table
This table lists all of the authorization groups created. Authorization groups define the access privileges to the ExtremeCloud IQ Site Engine application features. Based on their membership in a particular authorization group, users are granted specific capabilities in the application.
When users are added to the Authorized Users table, they are assigned an authorization group. With LDAP, RADIUS, or TACACS+ authentication, users are dynamically assigned to authorization groups based on the attributes associated with that user in Active Directory (or in TACACS+ Server for TACACS+ Authentication). The attributes are used to match against a list of criteria specified as part of each authorization group. The groups are checked in the order they are displayed in this table, from top to bottom. The first group with criteria matched by the user's attributes becomes the effective authorization group for that user.
Every user must be assigned to a group. A user whose attributes don't match any of the criteria specified for any of the groups are not authenticated and are unable to log in. Create a "catch-all" group (for example, you could use objectClass=person for an LDAP Active Directory), whose criteria is very generic and whose capabilities are highly restricted to allow access to these unauthenticated users. This helps differentiate between a user who cannot authenticate successfully, and a user who does not belong to any group.
When ExtremeCloud IQ Site Engine is connected to ExtremeCloud IQ, the following Authorization Groups are automatically created. These authorization roles are applied to the user based on Single Sign-On (SSO) authentication from ExtremeCloud IQ:
| Name | Role in ExtremeCloud IQ |
|---|---|
| XIQ-Administrator | Administrator |
| XIQ-Operator | Operator |
| XIQ-Monitor | Monitor |
| XIQ-Help Desk | Help Desk |
| XIQ-Observer | Observer |
| XIQ-Installer | Installer |
- Name
- This is the name assigned to the group. The Netsight Administrator group is created during installation and is granted Full capabilities and access. This group cannot be deleted or changed, but its capabilities can be viewed.
- Precedence
- This column, hidden by default, is available if the Authentication Method is LDAP, RADIUS, or TACACS+. This indicates the order of precedence when a user is a member of multiple authorization groups. The authorization group with the higher precedence is the group to which the user is assigned. Use the Up Arrow and Down Arrow buttons to change the order of precedence for the authorization groups.
- Automatic Membership Criteria
- This column displays the membership criteria for automatic members defined for the associated group. Members authenticated via LDAP or RADIUS using Automatic Membership functionality are validated using the criteria defined here. Users created manually using an Authorization Group are not validated against the criteria defined in this field.
- Capabilities
- This column summarizes the capabilities granted to the associated group: Full (all capabilities) or Customized (a subset of capabilities).
- SNMP Redirect
- This column, hidden by default, indicates whether users in the authorization group can edit the setting for Client/Server SNMP Redirect.
- Auto Group
- This column, hidden by default, indicates whether the group allows users to be automatically added via LDAP or RADIUS authentication, or the OS Authentication Automatic Membership feature.
- Zones
- This column displays the end-system zones to which users in the authorization group have access.
- Add
- Opens the Add/Edit Group window, which allows you to define the capabilities and settings for a new group.
- Edit
- Opens the Add/Edit Group window, which allows you to modify the capabilities and settings for a selected group.
- Copy
- Duplicates the selected group from the Groups table and creates a new group with identical capabilities.
Add/Edit User Window
This window lets you define a user's user name, domain, and membership in an authorization group. This information is used to authenticate the user to the ExtremeCloud IQ Site Engine database.
- Domain/Host Name
- The user's domain/hostname used to authenticate to the ExtremeCloud IQ Site Engine database.
- Authorization Group
- Use the drop-down list to select the authorization group to which the user is added.
Add/Edit Group Window
This window lets you define a new authorization group or edit an existing group. For additional information, see Authorization Group Capabilities.
- Name
- This is the name given to the group. When adding a group, enter any text string that is descriptive of the members of this group.
- Membership Criteria
- When a user is successfully authenticated using LDAP or RADIUS
authentication, the
Active Directory attributes associated with that user are used to match against this list of
criteria to determine membership in the authorization group. The criteria is entered as name=value pairs, for example,
department=IT (LDAP) or Service-Type=Framed-User (RADIUS). A user must have the specified attribute with a
value that matches the specified value in order to meet the criteria
to belong to this group. Multiple name=value pairs may be listed
using a semicolon (";") to separate them. However, a user is
considered a member of the group if they match at least one of the
specified criteria; they do not need to match all of them.
With a user authenticated using TACACS+ authentication, the TACACS+ server attributes associated with that user are used in the same way as LDAP or RADIUS authentication. However, the criteria is not needed to be entered to associate the authorization group if TACACS+ server returns 'XMC-Authorization-Group' attribute with a value. The value is the name of authorization group to associate to the user. ExtremeCloud IQ Site Engine looks for the XMC-Authorization-Group attribute first and then uses other attributes to match.
NOTE: The Netsight Administrator Group does not allow you to define membership criteria. Membership in the administrator group must be assigned manually using the Authorized Users table.
- SNMP Redirect
- ALLOW — Lets users edit the setting for Client/Server SNMP Redirect.
- ALWAYS — Redirects all SNMP requests to the ExtremeCloud IQ Site Engine Server, regardless of the setting for Client/Server SNMP Redirect.
- NEVER — Never redirects SNMP requests to the ExtremeCloud IQ Site Engine Server, regardless of the setting for Client/Server SNMP Redirect.
- Capability Tab
- Expand the Capability tree in this tab and select the specific capabilities granted to users who are members of this group. The capabilities are divided into suite-wide and application-specific capabilities. Access to a particular capability is granted when it is checked in the tree. For a description of each capability, see Authorization Group Capabilities.
For information on related help topics: