Configure AAA on FlexVNF Devices, Summaries of Accounting

Uploaded on 02/28/2023 by ebby

Configure AAA

For Releases 16.1R2 and later, except as noted in the “Software Release Information” section.

This article describes how to configure authentication, authorization, and accounting (AAA) for users who access FlexVNF devices.

Authentication identifies users to determine whether they are allowed to access a FlexVNF device, the network, and related services. To authenticate a user, you can use an internal or an external user database. The external database can be on a RADIUS or TACACS+ server.

After a user is authenticated on a FlexVNF device, each action that the user performs must be authorized. Authorization is the method for remote access control, including one-time authorization and service authorization based on the user account and profile. The FlexVNF software provisions three user types, or roles (System, Tenant, and Remote), that determine the access level for individual users. When you create a user, you assign them to the desired role.

Authorization uses a database to define the authorization methods. The database can be located locally on the access server or on a router, or it can be hosted remotely on a RADIUS or TACACS+ server. The authorization process assembles a set of attributes that describe what the user is authorized to perform, compares them with the information in the authorization database, and then returns the user's permissions and restrictions to AAA.

Accounting collects and sends to the security server information that is used for billing, auditing, and reporting, such as user identities, session start and stop times, executed commands, services used (such as PPP), and the number of packets and bytes. The accounting information allows you to track the services that users are accessing and the amount of network resources they are consuming. Because these records are the audit trail for administrator actions, send them to a server that the audited users do not control.

Configure TACACS+

TACACS+ provides detailed accounting information and flexible administrative control over authentication and authorization processes. Unlike RADIUS, it handles authentication, authorization and accounting as separate exchanges and can authorize and account for each command individually, which is why it is the usual choice for administrator access.

To configure TACACS+:

  1. In Director view, select Workflows > Templates.
  2. Click the Add icon to add a template, or select a template to edit it.
  3. In the Create Template popup window, select the Management Servers tab. Enter information for the following fields:

AAA Servers (group of fields):

  • TACACS+ Servers. Click to configure TACACS+ servers.
  • Reachability via. Select the network over which the Controller reaches the TACACS+ server.
  • IP Address. IP address of the TACACS+ server to connect to.
  • Authentication Key. Enter the shared key; it must match the key configured for this client on the TACACS+ server.

  4. Click Save. The main pane shows the new or edited templates.

The shared key is the only secret that protects the TACACS+ session body, and the protocol's obfuscation (RFC 8907, section 4.5) is MD5-based rather than real encryption, so select a reachability network that you trust, such as a dedicated management network, rather than a path shared with tenant traffic.
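The Authentication Key entered above is the TACACS+ shared secret, and it is worth seeing exactly what it does on the wire. The following script is an added example written for this page, not Riverbed or Versa code: it implements the RFC 8907 body obfuscation that a TACACS+ client applies with that key, builds an authentication START packet, and decodes it as the server would. The session id, key, username, port and address values are constructed for the example.

```python
"""
Added example (not Riverbed or Versa code): how a TACACS+ client obfuscates
a packet body with the shared Authentication Key (RFC 8907 section 4.5), and
why that key plus the "Reachability via" network are all that stand between
a captured session and the credential inside it. The session id, key,
username and addresses below are constructed for the example.
"""
import hashlib
import struct

# Header fields (RFC 8907 section 4.1)
TAC_PLUS_VERSION = 0xC0              # major version 0xC, minor version 0
TAC_PLUS_AUTHEN = 0x01               # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01     # set => body is sent in the clear

# Authentication START body constants (RFC 8907 section 5.1)
AUTHEN_LOGIN = 0x01
PRIV_LVL_USER = 0x01
AUTHEN_TYPE_ASCII = 0x01
AUTHEN_SVC_LOGIN = 0x01


def pseudo_pad(session_id, key, version, seq_no, length):
    """Keystream from RFC 8907 section 4.5, truncated to the body length.

    MD5_1 = MD5(session_id || key || version || seq_no)
    MD5_n = MD5(session_id || key || version || seq_no || MD5_{n-1})
    Only the key is secret: session_id, version and seq_no all travel in
    the clear-text header.
    """
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pseudo-pad. Applying it twice restores the body."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_authen_start(user, port, rem_addr, key, session_id, obfuscate_body=True):
    """Client side: assemble the header plus an authentication START body.

    obfuscate_body=False sets TAC_PLUS_UNENCRYPTED_FLAG, which is what a
    misconfigured or hostile client sends; the server then never uses the key.
    """
    u, p, r = user.encode(), port.encode(), rem_addr.encode()
    body = struct.pack("!8B", AUTHEN_LOGIN, PRIV_LVL_USER, AUTHEN_TYPE_ASCII,
                       AUTHEN_SVC_LOGIN, len(u), len(p), len(r), 0) + u + p + r
    seq_no = 1  # the client's START is always sequence number 1
    flags = 0 if obfuscate_body else TAC_PLUS_UNENCRYPTED_FLAG
    header = struct.pack("!BBBBII", TAC_PLUS_VERSION, TAC_PLUS_AUTHEN,
                         seq_no, flags, session_id, len(body))
    if obfuscate_body:
        body = obfuscate(body, session_id, key, TAC_PLUS_VERSION, seq_no)
    return header + body


def parse_authen_start(packet, key):
    """Server side: de-obfuscate with the shared key and decode the START body.

    Raises ValueError when the decoded field lengths do not add up, which is
    how a mismatched shared key shows itself: the body decodes to noise.
    """
    if len(packet) < 12:
        raise ValueError("short packet")
    version, ptype, seq_no, flags, session_id, length = struct.unpack("!BBBBII", packet[:12])
    if ptype != TAC_PLUS_AUTHEN or len(packet) != 12 + length:
        raise ValueError("not a well-formed TACACS+ authentication packet")
    body = packet[12:]
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, key, version, seq_no)
    if len(body) < 8:
        raise ValueError("short body")
    action, priv_lvl, authen_type, service, ulen, plen, rlen, dlen = struct.unpack("!8B", body[:8])
    if 8 + ulen + plen + rlen + dlen != len(body):
        raise ValueError("field lengths do not match body: wrong shared key?")
    fields, off = [], 8
    for n in (ulen, plen, rlen, dlen):
        fields.append(body[off:off + n])
        off += n
    user, port, rem_addr, data = fields
    return {"action": action, "priv_lvl": priv_lvl, "authen_type": authen_type,
            "service": service, "user": user.decode("ascii", "replace"),
            "port": port.decode("ascii", "replace"),
            "rem_addr": rem_addr.decode("ascii", "replace"), "data": data}


def try_parse(packet, key):
    """parse_authen_start, returning None instead of raising on a bad decode."""
    try:
        return parse_authen_start(packet, key)
    except ValueError:
        return None


if __name__ == "__main__":
    KEY = b"s3cret-shared-key"   # constructed; must equal the key on the TACACS+ server
    pkt = build_authen_start("john", "tty0", "10.0.0.5", KEY, 0x1A2B3C4D)
    print(parse_authen_start(pkt, KEY))   # decodes with the right key
    print(try_parse(pkt, b"wrong-key"))   # None or garbage with the wrong key
```

Two things to take from it. First, the pseudo-pad is MD5 over header fields that travel in the clear plus the key, so the key is the only secret and anyone holding a capture can test key guesses offline. Second, a peer that sets the unencrypted flag ships the body in plaintext and the key is never consulted at all. Both are reasons the reachability network chosen in the template should be a management network you trust.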

Configure Local Authentication

SteelConnect EX FlexVNF supports the following users:

  • Default users
  • System users
  • Organization users

Default users are system users that are created by default and cannot be deleted. SteelConnect EX FlexVNF has the following default users:

  • admin. Super user with sudo privileges. admin can SSH to the box on port 22.
  • versa. Console user. Users can log in via the physical or virtual console.

The default password for both users is versa123. Because it is published, change it before the device is reachable from any network you do not control. Password-less authentication can be set for admin via SSH public keys.

System users can log in to the SteelConnect EX FlexVNF host OS. A Linux user is created when a system user is configured. System users can have the following roles:

  • Admin. Can modify any part of the configuration.
  • Operator. Can only view the configuration.

System users can have the following login types:

  • Shell. Lands in bash after authentication.
  • CLI. Lands at the CLI prompt after authentication.

Organization users can log in only to the SteelConnect EX FlexVNF CLI, and can SSH only to port 2024; SSH to port 22 is prohibited for all Organization users. For now, SteelConnect EX FlexVNF supports password-less authentication for Organization users.

SteelConnect EX FlexVNF provides the following pre-defined RBAC roles for Organization users:

  • adc-admin. Can view/modify ADC-specific configuration only.
  • cgnat-admin. Can view/modify CGNAT-specific configuration only.
  • sdwan-admin. Can view/modify configuration related to SDWAN.
  • security-admin. Can view/modify security configuration only.
  • tenant-admin. Can view/modify all tenant configuration.
  • oper. Can view all tenant configuration. No modification allowed.

To keep Organization usernames unique across the system, SteelConnect EX FlexVNF appends @Orgname to the username when an Organization user is created. For example, if the user john belongs to the organization kayak, the login name is john@kayak and the user must SSH as ssh -p 2024 'john@kayak'@77.1.1.1 or ssh -p 2024 77.1.1.1 -l 'john@kayak'.

SteelConnect EX FlexVNF also supports password-less authentication for system users using SSH public keys. This protects the system against SSH brute-force password attacks. Multiple SSH keys can be configured for a system user.
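The Authorization paragraph earlier in this article describes comparing a user's attributes with an authorization database and returning permissions, and the RBAC list above gives the concrete Organization-user roles. The following script is an added example, not FlexVNF code, that models those roles as a deny-by-default check and also enforces the tenant boundary carried in the user@Orgname login name. The config-path layout (area/object) and the assumption that areas other than adc, cgnat, sdwan and security are visible only to tenant-admin and oper are illustrative choices, not documented device behaviour.

```python
"""
Added example, not FlexVNF code: a deny-by-default authorization check
modelled on the Organization-user RBAC roles and on the user@Orgname login
convention. The config-path layout ("<area>/<object>") and the rule that
areas outside adc, cgnat, sdwan and security are reachable only by
tenant-admin and oper are assumptions made for illustration.
"""
from dataclasses import dataclass

READ, WRITE = "read", "write"
ANY = "*"

# role -> (config areas the role may view, whether it may also modify them)
ROLE_SCOPE = {
    "adc-admin":      ({"adc"},      True),
    "cgnat-admin":    ({"cgnat"},    True),
    "sdwan-admin":    ({"sdwan"},    True),
    "security-admin": ({"security"}, True),
    "tenant-admin":   ({ANY},        True),
    "oper":           ({ANY},        False),   # view everything, change nothing
}


@dataclass(frozen=True)
class Principal:
    user: str
    org: str
    role: str

    @classmethod
    def from_login(cls, login, role):
        """Parse the user@Orgname form the device appends when the user is created."""
        user, sep, org = login.partition("@")
        if not sep or not user or not org:
            raise ValueError(f"organization login must be user@Orgname, got {login!r}")
        if role not in ROLE_SCOPE:
            raise ValueError(f"unknown role {role!r}")
        return cls(user, org, role)


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def authorize(p, org, path, op):
    """Decide whether principal p may perform op on a config path inside org.

    Checks run in order: tenant boundary, then area scope, then read/write.
    Anything not explicitly allowed is denied.
    """
    if op not in (READ, WRITE):
        return Decision(False, f"unknown operation {op!r}")
    if org != p.org:
        return Decision(False, f"{p.user}@{p.org} may not touch org {org}")
    areas, can_write = ROLE_SCOPE.get(p.role, (set(), False))
    area = path.split("/", 1)[0]
    if ANY not in areas and area not in areas:
        return Decision(False, f"{p.role} has no access to area {area!r}")
    if op == WRITE and not can_write:
        return Decision(False, f"{p.role} is view-only")
    return Decision(True, f"{p.role} may {op} {area!r} in org {org}")


def evaluate(requests):
    """Run (login, role, org, path, op) requests; return one allowed flag per request."""
    return [authorize(Principal.from_login(login, role), org, path, op).allowed
            for login, role, org, path, op in requests]


# Constructed sample requests, one per rule the check enforces.
SAMPLE_REQUESTS = [
    ("john@kayak", "security-admin", "kayak", "security/rules/allow-dns", WRITE),  # own area: allow
    ("john@kayak", "security-admin", "kayak", "sdwan/policies/default",   WRITE),  # other area: deny
    ("john@kayak", "security-admin", "kayak", "sdwan/policies/default",   READ),   # view is area-scoped too
    ("ana@kayak",  "oper",           "kayak", "sdwan/policies/default",   READ),   # oper views everything
    ("ana@kayak",  "oper",           "kayak", "sdwan/policies/default",   WRITE),  # oper modifies nothing
    ("root@kayak", "tenant-admin",   "kayak", "interfaces/vni-0/1",       WRITE),  # any area in own org
    ("root@kayak", "tenant-admin",   "canoe", "interfaces/vni-0/1",       READ),   # other org: deny
]

if __name__ == "__main__":
    for req, allowed in zip(SAMPLE_REQUESTS, evaluate(SAMPLE_REQUESTS)):
        print("ALLOW" if allowed else "DENY ", req)
```

The order of the checks matters: the tenant boundary is tested before the role is even consulted, so a tenant-admin of one organization is refused read access to another organization just as firmly as an oper is refused a write.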

Add System Users

  1. In the Appliance view, go to Configuration > Others > System > Appliance User Management > System Users.
  2. Click the Add icon in the top right corner to add a system user. Enter information for the following fields.

  • User Name. Enter the user name.
  • Login. Select the login type: Shell or CLI.

Add Organization Users

  1. In Director view, go to Administration > Director User Management > Organization Users and click the Add icon in the top right corner to add an organization user. Enter information for the following fields.

  • User Name, Password, Confirm Password. Enter the user details.
  • Login. Select CLI as the SSH login type.
  • Role. Select the role to assign to the user.
  • SSH Name, SSH Contents. Enter a name for the SSH key and the contents of the user's public key.

  2. Click OK. An organization user with the assigned role is created.

Software Release Information

Releases 16.1R2 and later support all content described in this article.

  • Release 21.1 adds support for TACACS+ on SteelConnect EX Analytics nodes.

Riverbed and any Riverbed product or service name or logos used herein are trademarks of Riverbed Technology. All other trademarks used herein belong to their respective owners. The trademarks and logos displayed herein may not be used without the prior written consent of Riverbed Technology or their respective owners.