Page tree


A user must have an admin account to log in to the NIOS appliance. Each admin account belongs to an admin group, which contains roles and permissions that determine the tasks a user can perform. For information, see About Admin Groups.

When an admin connects to the appliance and logs in with a username and password, the appliance starts a two-step process that includes both authentication and authorization. First, the appliance tries to authenticate the admin using the username and password. Second, it determines the authorized privileges of the admin by identifying the group to which the admin belongs. It grants access to the admin only when it successfully completes this process.

The NIOS appliance can authenticate users that are stored on its local database as well as users stored remotely on an Active Directory domain controller, a RADIUS server, a TACACS+ server or an LDAP server. The group from which the admin receives privileges and properties is stored locally.

NIOS can authenticate users based on X.509 client certificates irrespective of the client certificate source. For example, smart card holders such as U.S. Department of Defense CAC users and PIV card holders. The status of these certificates is stored remotely on OCSP (Online Certificate Status Protocol) responders. NIOS uses two-factor authentication to validate these users. For more information about two-factor authentication and how to configure it, see Authenticating Admins Using Two-Factor Authentication.

The tasks involved in configuring administrator accounts locally and remotely are listed in Table 4.1. Table 4.1 Storing Admin Accounts Locally and Remotely

NIOS ApplianceRADIUS server/AD Domain Controller/TACAS+ server/LDAP server/Certificate authentication service
To store admin accounts locally
  • Use the default admin group ("admin-group") or define a new group
  • Set the privileges and properties for the group
  • Add admin accounts to the group

To store admin accounts remotely
  • Configure communication settings with a RADIUS server, an Active Directory domain controller, TACACS+ server, or LDAP server

If you use admin groups on the RADIUS server, Active Directory domain controller, TACACS+ server, or LDAP server:

  • Configure admin groups that match the remote admin groups
  • Set the privileges and properties for the groups

If you do not use admin groups on the RADIUS server, Active Directory domain controller, TACACS+ server, or LDAP server:

  • Assign an admin group as the default
  • Configure communication settings with the NIOS appliance

If you use admin groups:

  • Import Infoblox VSAs (vendor-specific attributes) (if RADIUS)
  • Define an admin group with the same name as that on the NIOS appliance
  • Define admin accounts and link them to an admin group

If you do not use admin groups:

  • Define admin accounts

The admin policy defines how the appliance authenticates the admin: with the local database, RADIUS, Active Directory, TACACS+, or LDAP. You must add RADIUS, Active Directory, TACACS+, or LDAP as one of the authentication methods in the admin policy to enable that authentication method for admins. See Defining the Authentication Policy for more information about configuring the admin policy.


Local passwords are stored in the database as part of the user object. Values for passwords are stored after applying a random salt and hashed with SHA-128.

Figure 4.1 illustrates the relationship of local and remote admin accounts, admin policy, admin groups, and permissions and properties.
Figure 4.1 Privileges and Properties Applied to Local and Remote Admin Accounts

Complete the following tasks to create an admin account:

  1. Use the default admin group or create an admin group. See About Admin Groups.
  2. Define the administrative permissions of the admin group. See About Administrative Permissions.
  3. Create the admin account and assign it to the admin group.

This page has no comments.