
Creating Local Admins

When you create an admin account, you must specify the authentication type, name, password, and admin group of the administrator. You can also control in which time zone the appliance displays the time in the audit log and the DHCP and IPAM tabs of Grid Manager, such as the DHCP Lease History and DHCP Leases panels. The appliance can use the time zone that it automatically detects from the management system that the admin uses to log in.

Alternatively, you can override the time zone auto-detection feature and specify the time zone. To create an admin account and add it to an admin group:

  1. Log in as a superuser.

  2. From the Administration tab, select the Administrators tab -> Admins tab, and then click the Add icon.
    or
    From the Administration tab, select the Administrators tab -> Groups tab -> admin_group, and then click the Add icon.

  3. In the Add Administrator wizard, complete the following:

    • Authentication Type: The default is Local. When you select Local, NIOS authenticates admins against the local database.
      Local: The following fields are displayed when you select the Local authentication type. Enter the following:

      • Login: Enter a name for the administrator. This is the user name that the administrator uses to log in to the appliance. This user name is stored in the NIOS local database.

      • Password: Enter a password for the administrator. This is the password that the administrator uses to log in to the appliance. This password is stored in the NIOS local database.

      • Confirm Password: Enter the same password.

        Note: In NIOS 8.5.2 or later, when you set up the account for a Grid Master or a standalone vNIOS instance that is deployed on AWS, the minimum password length must be four characters. The password must consist of at least one uppercase character, one lowercase character, one numeric character, and one symbol character. Example: Infoblox1!

        If the symbol character is at the beginning of the password, then include the password within quotes (''). Example: '@Infoblox123'.

    • Use AWS SSH authentication keys: To prevent CLI login failures after upgrading, you must enable Use AWS SSH authentication keys for each user that needs CLI access to AWS appliances. When you select Use AWS SSH authentication keys, NIOS allows you to access the CLI either by using a key pair and entering a password, or only by using the key pair, which means that password-only authentication is blocked for the user. You can upload the SSH key by using the Manage SSH Public Keys field. It is mandatory to upload a valid SSH public key if you select the Use AWS SSH authentication keys option.
      If you use the User data field in the AWS console to install a NIOS license, the Use AWS SSH authentication key option is enabled by default. For more information about the User data field, see the Initializing New Infoblox vNIOS for AWS Instances with the AWS User Data Field section in the Installation Guide for vNIOS for AWS documentation.

      Note: For a TE-V4025 appliance, if you use the User data field to install the TE-4025 license, the Use AWS SSH authentication key option will not be enabled by default. Therefore, Infoblox recommends that you first deploy the vNIOS instance without specifying the IB-4025 license, and then install the license from the NIOS CLI.

    • Authentication Method: You can choose Key pair or Key pair + Password methods from the Authentication Method drop-down list. A server generates two distinct, but related keys: a public key that you upload and a corresponding private key that is stored in the system. A Key pair is the combination of these two related keys and is the default authentication method. If you select Key pair as the authentication method, then a user can access the CLI with a valid key pair. If you select Key pair + Password as the authentication method, the user must provide a password to access the CLI even after a successful key pair authentication. For information on defining and managing passwords, see Managing Passwords below.

    • Manage SSH Public Keys: You need to upload a valid SSH public key file. The supported key types are RSA, ECDSA, and ED25519. The Key Type and Key Value fields in the MANAGE SSH PUBLIC KEYS section are automatically updated once you upload a valid SSH key.

    Note that from NIOS 8.5.2 onwards, the Use AWS SSH authentication keys, Authentication Method, and Manage SSH Public Keys fields are not available for the Remote and SAML Only authentication types. That is, you cannot use the CLI to access vNIOS for AWS if you are a remote user or a SAML user.

    • Remote: When you select Remote, NIOS authenticates admins based on the user credentials stored remotely on authentication servers, such as RADIUS servers, AD domain controllers, LDAP servers, or TACACS+ servers. The Login field is displayed when you select the Remote authentication type. Enter a name for the administrator that is stored in the database of the remote server. This is the user name that the administrator uses to log in to the appliance.

    • SAML Only: When you select SAML Only, NIOS authenticates admins based on the user credentials stored in the IDP (Identity Provider). An admin can log in to NIOS only by clicking the SSO Login button and if the user credentials exist in the IDP account.

    • SAML/Local: When you select SAML/Local, NIOS authenticates admins based on the user credentials stored in the IDP when the SSO Login button is clicked, or against the local database when the User name and Password are supplied and the Login button is clicked. For SSO Login, the user name and password are not supplied in the NIOS GUI; rather, they are supplied in the IDP's login prompt. For information about SAML authentication, see Authenticating Admins Using SAML.

    Note: You cannot configure the Remote authentication type for NIOS admin users who belong to the fireeye-group admin groups.

    • Email Address: Enter the email address for this administrator. The appliance uses this email address to send scheduling notifications.

  • Admin Group: Click Select to specify an admin group. If there are multiple admin groups, Grid Manager displays the Admin Group Selector dialog box from which you can select one. An admin can belong to only one admin group at a time.

NIOS appliance creates a new group, fireeye-group, when you add the first FireEye zone. The FireEye admin group is read-only and you cannot assign permissions to it. Select fireeye-group for the admin group and add users to this group. For more information, see About FireEye Integrated RPZs.

You cannot add a NIOS admin user that uses the Remote authentication type to the fireeye-group admin group.

  • Comment: Enter useful information about the administrator.

  • Disable: Select this checkbox to retain an inactive profile for this administrator in the configuration. For example, you might want to define a profile for a recently hired administrator who has not yet started work. Then when he or she does start, you simply need to clear this checkbox to activate the profile.

  • Status: Displays the status of the administrator. The status can be one of the following:

    • Active: The administrator account is active. This is the default status.

    • Disabled: The administrator account is disabled. 

    • Locked: The administrator account is locked because the password has been entered incorrectly a specified number of times. 

    • Inactive: The administrator account is inactive because the account has not been logged in to for a specified period of time. For more information about configuring security features, see Managing Security Operations.

  4. Optionally, click Next to add extensible attributes to the admin account. For information, see About Extensible Attributes.

  5. Save the configuration and click Restart if it appears at the top of the screen.

Managing Passwords

Superusers can define requirements for the passwords of local admins according to your organization's policies. In addition to specifying the minimum password length, you can define rules that specify the character types that are required in the password. You can also specify whether passwords expire, their duration, and when reminders are sent to the users. Additionally, you can specify whether the history of used passwords needs to be stored, and you can require admins to change their passwords when they first log in or after their passwords are reset.

You set the requirements at the Grid level, so they apply to all local admins who log in to the Grid. You can also set the requirements at the standalone system level. The requirements that you define appear in the User Profile of all local admins and when users are required to change their password.

To define the password requirements for local admins:

  1. Grid: From the Grid tab, select the Grid Manager tab. Expand the Toolbar and select Grid Properties -> Edit.
    or,
    Standalone system: From the System tab, select the System Manager tab. Expand the Toolbar and select System Properties Editor.

  2. In the editor, select the Password tab and complete the following:

    • Minimum Password Length: Specify the minimum number of characters that are required in a password.

    • Password Complexity: You can specify requirements for how users compose a password by specifying the character categories and the number of characters from each category that the password must contain. The default is 0 for all categories, which means the password is not required to contain those characters. Specify the minimum number of characters the password must contain for the following:

      • lowercase characters [a-z]

      • uppercase characters [A-Z]

      • numeric characters [0-9]

      • symbol characters. Allowed characters are: ! @ # $ % ^ & * ( )

      • character changes from previous passwords. To discourage users from reusing previous passwords, you can require a minimum change of characters from previous passwords.

      • password encryption. Passwords with more than 64 characters are not encrypted. 

    • Password must expire: Specify the number of days after which the password must expire and the number of days before which NIOS must send a reminder to the user that the password will expire.

    • Enforce Password History: Select this checkbox to store the history of used passwords in the NIOS database. This option is disabled by default. 

      • In the Remember last passwords field, specify the number of passwords to be stored. You can specify a value from 1 to 20. The default value is 5.

    • Minimum password age: Specify the minimum number of days the password must be active before the user can attempt to change it. You can specify a value from 0 to 9998. The recommended value is 2.


      Note that if the Password must expire checkbox is enabled, you must set the Minimum password age to a value less than the password expiration interval value. Superusers can override the Minimum password age and reset the passwords of local admins.

    • Force password change at next login: Select this checkbox to force all new users to change their passwords when they log in for the first time, and to force existing users whose passwords were reset by superusers or whose passwords were just reset to change their passwords.

    The "force password change at next login" feature does not apply to admin users in the fireeye-group. These users will not be prompted to change their passwords at the next login. Their original passwords continue to work. For information about FireEye integrated RPZs, see About FireEye Integrated RPZs.

   3. Click Save & Close.
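As an added example (not Infoblox's code), the following Python validator applies the Password tab rules described above to a candidate password: minimum length, the per-category complexity counts using the listed symbol set, the Remember last passwords window, the minimum change from previous passwords, and the minimum password age with the superuser override. The NIOS 8.5.2 AWS minimum from the Creating Local Admins note (four characters, one of each category) is just one PasswordPolicy instance. The function and attribute names are assumptions, and the change-count metric in changed_chars is a constructed measure because the page does not define how NIOS counts it.

```python
from dataclasses import dataclass
from datetime import date, timedelta

ALLOWED_SYMBOLS = set("!@#$%^&*()")  # the symbol characters the Password tab allows

@dataclass
class PasswordPolicy:
    min_length: int = 4             # Minimum Password Length
    min_lower: int = 0              # Password Complexity: lowercase [a-z]
    min_upper: int = 0              # uppercase [A-Z]
    min_digit: int = 0              # numeric [0-9]
    min_symbol: int = 0             # symbols drawn from ALLOWED_SYMBOLS
    min_change: int = 0             # character changes from previous passwords
    expire_days: int = 0            # 0 when "Password must expire" is cleared
    history_size: int = 5           # Remember last passwords (1..20)
    min_age_days: int = 2           # Minimum password age (0..9998)

    def config_errors(self):
        errs = []
        if not 0 <= self.min_age_days <= 9998:
            errs.append("Minimum password age must be between 0 and 9998")
        if self.expire_days and self.min_age_days >= self.expire_days:  # note on the Password tab
            errs.append("Minimum password age must be less than the expiration interval")
        return errs

def changed_chars(new, old):
    # Assumption: NIOS's metric is undocumented here; count differing positions plus length delta.
    return sum(a != b for a, b in zip(new, old)) + abs(len(new) - len(old))

def validate_password(policy, candidate, history=(), last_changed=None, today=None, superuser_reset=False):
    """Return all violations for a candidate password (an empty list means it is accepted)."""
    errs = []
    if len(candidate) < policy.min_length:
        errs.append(f"needs at least {policy.min_length} characters")
    have = {"lowercase": sum("a" <= c <= "z" for c in candidate),
            "uppercase": sum("A" <= c <= "Z" for c in candidate),
            "numeric": sum("0" <= c <= "9" for c in candidate),
            "symbol": sum(c in ALLOWED_SYMBOLS for c in candidate)}
    need = {"lowercase": policy.min_lower, "uppercase": policy.min_upper,
            "numeric": policy.min_digit, "symbol": policy.min_symbol}
    errs += [f"needs at least {need[k]} {k} character(s)" for k in need if have[k] < need[k]]
    for old in history[-policy.history_size:]:  # only the remembered passwords are checked
        if candidate == old:
            errs.append("reuses a remembered password")
        elif changed_chars(candidate, old) < policy.min_change:
            errs.append(f"changes fewer than {policy.min_change} characters from a previous password")
    when = today or date.today()  # superusers may reset before the minimum age has elapsed
    if last_changed and not superuser_reset and when < last_changed + timedelta(days=policy.min_age_days):
        errs.append(f"password is younger than {policy.min_age_days} days")
    return errs
```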

Modifying and Deleting Admin Accounts

You can modify and delete admin accounts that you create, but you can only partially modify the default superuser account "admin"—and only when you are logged in as a superuser account. Furthermore, because there must always be a superuser account on the appliance, you can only remove the default "admin" account after you create another superuser account.

To modify an admin account:

  1. From the Administration tab, select the Administrators tab -> Admins tab -> admin_account checkbox, and then click the Edit icon.
    or
    From the Administration tab, select the Administrators tab -> Groups tab -> admin_group -> admin_account checkbox, and then click the Edit icon.

  2. The Administrator editor provides the following tabs from which you can modify data:

    • General: In the General Basic tab, modify the data of the admin account.

      Note that if the Use AWS SSH authentication keys option was previously disabled and you enable it while modifying an existing admin account, then password-only authentication is blocked. If the option was previously enabled and you now disable it, then password-only authentication is allowed.
      On the General Advanced tab, complete the following:

      • Time Zone: Select a time zone from the drop-down list if you want to specify the time zone for the administrator. By default, the appliance automatically detects the time zone from the management system that the administrator uses to connect to the appliance. The appliance uses this time zone when it displays the timestamps for relevant data.

      • Enable Certificate Authentication: Select the checkbox to enable the certificate authentication service. You must also specify the serial number of the client certificate and associate a CA certificate that signs the client certificate. For more information, see Enabling Certificate Authentication Service for a User.

    • Extensible Attributes: Add and delete extensible attributes that are associated with the admin account. You can also modify the values of the extensible attributes. For information, see About Extensible Attributes.

  3. Save the configuration and click Restart if it appears at the top of the screen.

To delete an admin account:

  1. From the Administration tab, select the Administrators tab -> Admins tab -> admin_account checkbox, and then click the Delete icon.
    or
    From the Administration tab, select the Administrators tab -> Groups tab -> admin_group -> admin_account checkbox, and then click the Delete icon.

  2. In the Delete Confirmation dialog box, click Yes.

When you remove a Grid member from the Grid, local admin accounts are not removed and you will still be able to see these admin accounts.