This chapter describes the various tasks associated with setting up admin groups, admin roles, admin accounts, and permissions. It contains the following sections:
- About Admin Accounts
- About Admin Groups
- About Admin Roles
- Managing Admin Groups and Admin Roles
- About Administrative Permissions
- Authenticating Administrators
- Creating Local Admins
- About Remote Admins
- Authenticating Admins Using RADIUS
- Authentication Protocols
- Accounting Activities Using RADIUS
- Configuring Remote RADIUS Servers
- Configuring RADIUS Authentication
- Configuring a RADIUS Authentication Server Group
- Authenticating Admins Using Active Directory
- Authenticating Admin Accounts Using TACACS+
- Authenticating Admins Using LDAP
- Defining the Authentication Policy
- Authenticating Admins Using Two-Factor Authentication
- Changing Password Length Requirements
- Notifying Administrators
- Administrative Permissions for Common Tasks
- Administrative Permission for the Grid
- Administrative Permissions for IPAM Resources
- Administrative Permissions for DNS Resources
- Administrative Permissions for DNS Resources with Associated IP addresses in Networks and Ranges
- Best Practices for Configuring Permissions in Networks and Ranges
- Changes to Default Behavior
- Enabling Permissions for DNS Resources in Networks and Ranges
- Configuring Permissions for DNS Resources in Networks and Ranges
- Administrative Permissions for DHCP Resources
- Administrative Permissions for Network Views
- Administrative Permissions for IPv4 and IPv6 Networks and Shared Networks
- Administrative Permissions for IPv4 or IPv6 Fixed Addresses and IPv4 Reservations
- Administrative Permissions for IPv4 or IPv6 DHCP Enabled Host Addresses
- Administrative Permissions for IPv4 and IPv6 DHCP Ranges
- Administrative Permissions for IPv4 or IPv6 DHCP Templates
- Administrative Permissions for Roaming Hosts
- Administrative Permissions for MAC Address Filters
- Administrative Permissions for the IPv4 and IPv6 DHCP Lease Histories
- Administrative Permissions for File Distribution Services
- Administrative Permissions for Dashboard Tasks
- Administrative Permissions for Certificate Authentication Services and CA Certificates
- Administrative Permissions for Object Change Tracking
- Administrative Permissions for Named ACLs
- Administrative Permissions for DNS Threat Protection
About Admin Accounts
A user must have an admin account to log in to the NIOS appliance. Each admin account belongs to an admin group, which contains roles and permissions that determine the tasks a user can perform. For information, see About Admin Groups.
When an admin connects to the appliance and logs in with a username and password, the appliance starts a two-step process that includes both authentication and authorization. First, the appliance tries to authenticate the admin using the username and password. Second, it determines the authorized privileges of the admin by identifying the group to which the admin belongs. It grants access to the admin only when it successfully completes this process.
The NIOS appliance can authenticate users that are stored on its local database as well as users stored remotely on an Active Directory domain controller, a RADIUS server, a TACACS+ server or an LDAP server. The group from which the admin receives privileges and properties is stored locally.
NIOS can also authenticate users based on X.509 client certificates, irrespective of the certificate source; for example, it can authenticate smart card holders such as U.S. Department of Defense CAC users and PIV card holders. The revocation status of these certificates is checked remotely on OCSP (Online Certificate Status Protocol) responders. NIOS uses two-factor authentication to validate these users. For more information about two-factor authentication and how to configure it, see Authenticating Admins Using Two-Factor Authentication.
The tasks involved in configuring administrator accounts locally and remotely are listed in Table 4.1.

Table 4.1 Storing Admin Accounts Locally and Remotely

| | NIOS Appliance | RADIUS server/AD Domain Controller/TACACS+ server/LDAP server/Certificate authentication service |
|---|---|---|
| To store admin accounts locally | | |
| To store admin accounts remotely | If you use admin groups on the RADIUS server, Active Directory domain controller, TACACS+ server, or LDAP server: | If you use admin groups: |
| | If you do not use admin groups on the RADIUS server, Active Directory domain controller, TACACS+ server, or LDAP server: | If you do not use admin groups: |
The admin policy defines how the appliance authenticates the admin: with the local database, RADIUS, Active Directory, TACACS+, or LDAP. You must add RADIUS, Active Directory, TACACS+, or LDAP as one of the authentication methods in the admin policy to enable that authentication method for admins. See Defining the Authentication Policy for more information about configuring the admin policy.
Figure 4.1 illustrates the relationship of local and remote admin accounts, the admin policy, admin groups, and permissions and properties.
Figure 4.1 Privileges and Properties Applied to Local and Remote Admin Accounts

The figure's callouts make the following points:

- The NIOS appliance first checks the remote admin policy to determine which of the following authentication methods to use and where to get membership information from: the local admin database, RADIUS, Active Directory, TACACS+, or LDAP.
- Access permissions and properties come from local admin group definitions.
- Group names must match. When admin accounts are in an admin group that matches a group configured locally, the appliance selects the first group (based on the remote admin policy) and applies that group's permissions and properties to the admin.
- When remote admin accounts are not in an admin group (or are in a group whose name does not match that of a local group), the NIOS appliance applies the default admin group permissions and properties (if configured).
- Assigned from local admin group definitions: admin permissions (for resources such as zones, networks, members, and DHCP lease history) and properties (such as page size).

Note: There can be admin accounts in a local and a remote admin group with the same group name.
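The two-step login flow above (authenticate via the methods in the admin policy, then authorize by matching the returned group names against local admin groups, falling back to the default admin group) can be modelled in a few lines. This is an added illustration, not NIOS code; the user records, group names, permission strings, and the assumption that methods are tried in policy order until one succeeds are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed local admin groups: name -> permissions (assumed names, not from the guide).
LOCAL_GROUPS: dict[str, frozenset[str]] = {
    "Admin-Group1": frozenset({"dns:read", "dns:write"}),
    "Admin-Group2": frozenset({"ipam:read"}),
}
DEFAULT_GROUP: Optional[str] = "Admin-Group2"  # None models "no default admin group configured"

# An authenticator returns the user's group names on success, or None on failure.
Authenticator = Callable[[str, str], Optional[list[str]]]

def local_db(user: str, password: str) -> Optional[list[str]]:
    """Constructed stand-in for the appliance's local admin database."""
    users = {"adam": ("s3cret", ["Admin-Group1"])}
    rec = users.get(user)
    return rec[1] if rec and rec[0] == password else None

def radius(user: str, password: str) -> Optional[list[str]]:
    """Constructed stand-in for a RADIUS server that returns group membership."""
    users = {"dan": ("pw", ["Ops", "Admin-Group2"]), "eve": ("pw", ["Ops"])}
    rec = users.get(user)
    return rec[1] if rec and rec[0] == password else None

@dataclass
class Decision:
    granted: bool
    method: Optional[str] = None      # which policy method authenticated the user
    group: Optional[str] = None       # local admin group whose privileges apply
    permissions: frozenset[str] = frozenset()

def login(user: str, password: str, policy: list[tuple[str, Authenticator]],
          default_group: Optional[str] = DEFAULT_GROUP) -> Decision:
    """Step 1: authenticate with the admin policy's methods, in order.
    Step 2: authorize by mapping the returned groups onto a local admin group."""
    for name, auth in policy:
        groups = auth(user, password)
        if groups is None:
            continue  # assumption: try the next method listed in the admin policy
        # Names must match exactly; the first remote group that matches a local group wins.
        match = next((g for g in groups if g in LOCAL_GROUPS), None)
        if match is None and default_group in LOCAL_GROUPS:
            match = default_group  # no matching group: apply the default admin group
        if match is None:
            return Decision(False, name)  # authenticated, but no privileges: deny access
        return Decision(True, name, match, LOCAL_GROUPS[match])
    return Decision(False)  # no method in the policy authenticated the user
```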
Complete the following tasks to create an admin account:
- Use the default admin group or create an admin group. See About Admin Groups.
- Define the administrative permissions of the admin group. See About Administrative Permissions.
- Create the admin account and assign it to the admin group.
  - To add the admin account to the local database, see Creating Local Admins.
  - To configure the appliance to authenticate an admin account stored remotely, see About Remote Admins.