This chapter describes the various tasks associated with setting up admin groups, admin roles, admin accounts, and permissions. It contains the following sections:
- About Admin Accounts
- About Admin Groups
- About Admin Roles
- Managing Admin Groups and Admin Roles
- About Administrative Permissions
- Authenticating Administrators
- Creating Local Admins
- About Remote Admins
- Authenticating Admins Using RADIUS
- Authentication Protocols
- Accounting Activities Using RADIUS
- Configuring Remote RADIUS Servers
- Configuring RADIUS Authentication
- Configuring a RADIUS Authentication Server Group
- Authenticating Admins Using Active Directory
- Authenticating Admin Accounts Using TACACS+
- Authenticating Admins Using LDAP
- Defining the Authentication Policy
- Authenticating Admins Using Two-Factor Authentication
- Changing Password Length Requirements
- Notifying Administrators
- Administrative Permissions for Common Tasks
- Administrative Permission for the Grid
- Administrative Permissions for IPAM Resources
- Administrative Permissions for DNS Resources
- Administrative Permissions for DNS Resources with Associated IP addresses in Networks and Ranges on page252
- Best Practices for Configuring Permissions in Networks and Ranges
- Changes to Default Behavior
- Enabling Permissions for DNS Resources in Networks and Ranges
- Configuring Permissions for DNS Resources in Networks and Ranges
- Administrative Permissions for DHCP Resources
- Administrative Permissions for Network Views
- Administrative Permissions for IPv4 and IPv6 Networks and Shared Networks
- Administrative Permissions for IPv4 or IPv6 Fixed Addresses and IPv4 Reservations
- Administrative Permissions for IPv4 or IPv6 DHCP Enabled Host Addresses
- Administrative Permissions for IPv4 and IPv6 DHCP Ranges
- Administrative Permissions for IPv4 or IPv6 DHCP Templates
- Administrative Permissions for Roaming Hosts
- Administrative Permissions for MAC Address Filters
- Administrative Permissions for the IPv4 and IPv6 DHCP Lease Histories
- Administrative Permissions for File Distribution Services
- Administrative Permissions for Dashboard Tasks
- Administrative Permissions for Certificate Authentication Services and CA Certificates
- Administrative Permissions for Object Change Tracking
- Administrative Permissions for Named ACLs
- Administrative Permissions for DNS Threat Protection
- Administrative Permissions for Threat Analytics service
- Administrative Permissions for Cloud Objects
- Administrative Permissions for Reporting
About Admin Accounts
A user must have an admin account to log in to the NIOS appliance. Each admin account belongs to an admin group, which contains roles and permissions that determine the tasks a user can perform. For information, see About Admin Groups.
When an admin connects to the appliance and logs in with a username and password, the appliance starts a two-step process that includes both authentication and authorization. First, the appliance tries to authenticate the admin using the username and password. Second, it determines the authorized privileges of the admin by identifying the group to which the admin belongs. It grants access to the admin only when it successfully completes this process.
The NIOS appliance can authenticate users that are stored on its local database as well as users stored remotely on an Active Directory domain controller, a RADIUS server, a TACACS+ server or an LDAP server. The group from which the admin receives privileges and properties is stored locally.
NIOS can authenticate users based on X.509 client certificates irrespective of the client certificate source. For example, smart card holders such as U.S. Department of Defense CAC users and PIV card holders. The status of these certificates is stored remotely on OCSP (Online Certificate Status Protocol) responders. NIOS uses two-factor authentication to validate these users. For more information about two-factor authentication and how to configure it, see Authenticating Admins Using Two-Factor Authentication.
The tasks involved in configuring administrator accounts locally and remotely are listed in Table 4.1. Table 4.1 Storing Admin Accounts Locally and Remotely
|NIOS Appliance||RADIUS server/AD Domain Controller/TACAS+ server/LDAP server/Certificate authentication service|
|To store admin accounts locally|
|To store admin accounts remotely|
If you use admin groups on the RADIUS server, Active Directory domain controller, TACACS+ server, or LDAP server:
If you do not use admin groups on the RADIUS server, Active Directory domain controller, TACACS+ server, or LDAP server:
If you use admin groups:
If you do not use admin groups:
The admin policy defines how the appliance authenticates the admin: with the local database, RADIUS, Active Directory, TACACS+, or LDAP. You must add RADIUS, Active Directory, TACACS+, or LDAP as one of the authentication methods in the admin policy to enable that authentication method for admins. See Defining the Authentication Policy for more information about configuring the admin policy.
Figure 4.1 illustrates the relationship of local and remote admin accounts, admin policy, admin groups, and permissions and properties.
Figure 4.1 Privileges and Properties Applied to Local and Remote Admin Accounts
Complete the following tasks to create an admin account:
- Use the default admin group or create an admin group. See About Admin Groups.
- Define the administrative permissions of the admin group. See About Administrative Permissions.
- Create the admin account and assign it to the admin group.
This page has no comments.