Local Users
Setting User Access
Path: Administration > Security > Local Users > options
The Administrator user account always has access to the UPS Network Management Card (NMC).
The Device User and Read-Only User accounts are enabled by default. To disable the Device User or Read-Only User accounts, select the user account from the left navigation menu, then clear the "Enable" checkbox.
You set the case-sensitive user name and password for each account type in the same manner. Maximum length is 64 characters for a user name and 64 characters for a password. Blank passwords (passwords with no characters) are not allowed.
ReferenceFor information on the permissions granted to each account type (Administrator, Device User, and Read-Only User), refer to the "Types of User Accounts" section in the, "General Information" chapter of this manual.
| Account Type | Default User Name | Default Password | Permitted Access |
|---|---|---|---|
| Administrator | cat | cat | web interface and command-line interface |
| Device User | device | cat | |
| Read-Only User | read-only | cat | web interface only |
Remote Users
Authentication
Path: Administration > Security > Remote Users > Authentication Method
Use this option to select how to administer remote access to the NMC.
ReferenceFor information about local authentication (not using the centralized authentication of a RADIUS server), see the Security Handbook.
The authentication and authorization functions of RADIUS (Remote Authentication Dial-In User Service) is supported.
- When a user accesses the Network Management Card or other network-enabled device that has RADIUS enabled, an authentication request is sent to the RADIUS server to determine the users permission level.
- RADIUS user names used with the Network Management Card are limited to 32 characters.
Select one of the following:
Local Authentication Only - RADIUS is disabled. Local authentication is enabled.
RADIUS, then Local Authentication - RADIUS and local authentication are enabled. Authentication is requested from the RADIUS server first. If the RADIUS server fails to respond, local authentication is used.
RADIUS Only - RADIUS is enabled. Local authentication is disabled.
Note: If RADIUS Only is selected, and the RADIUS server is unavailable, improperly identified, or improperly configured, remote access is unavailable to all users. Use a serial connection to the "Command Line Interface" and change the access setting to local or "radiusLocal" to regain access. For example, the command to change the access setting to local would be:
radius -a local
RADIUS
Path: Administration > Security > Remote Users > RADIUS
Use this option to do the following:
- List the RADIUS servers (a maximum of two) available to the NMC and the time-out period for each.
- Click on a link, and configure the parameters for authentication by a new RADIUS server.
- Click a listed RADIUS server to display and modify the servers parameters.
| RADIUS Setting | Definition |
|---|---|
| RADIUS Server | The server name or IP address (IPv4 or IPv6) of the RADIUS server. Click on a link to configure the server. NOTE: RADIUS servers use port 1812 by default to authenticate users. To use a different port, add a colon followed by the new port number to the end of the RADIUS server name or IP address. |
| Secret | The shared secret between the RADIUS server and the NMC. |
| Timeout | The time in seconds that the NMC waits for a response from the RADIUS server. |
| Test Settings | Enter the Administrator user name and password to test the RADIUS server path that you have configured. |
| Skip Test and Apply | Do not test the RADIUS server path. |
Configuring the RADIUS Server
Summary of the Configuration Procedure
Configure your RADIUS server to work with the NMC.
ReferenceFor examples of the RADIUS users file with Vendor Specific Attributes (VSAs) and an example of an entry in the dictionary file on the RADIUS server, see the Security Handbook.
- Add the IP address of the NMC to the RADIUS server client list (file).
- Users must be configured with Service-Type attributes unless Vendor Specific Attributes (VSAs) are defined. If no Service-Type attributes are configured, users will have read-only access (on the "Web Interface" only).
ReferenceSee your RADIUS server documentation for information about the RADIUS users file, and see the Security Handbook for an example.
- VSAs can be used instead of the Service-Type attributes provided by the RADIUS server. VSAs require a dictionary entry and a RADIUS users file. In the dictionary file, define the names for the ATTRIBUTE and VALUE keywords, but not for the numeric values. If you change numeric values, RADIUS authentication and authorization will fail. VSAs take precedence over standard RADIUS attributes.
Configuring a RADIUS Server on UNIX® with Shadow Passwords
If UNIX shadow password files are used (/etc/passwd) with the RADIUS dictionary files, the following two methods can be used to authenticate users:
- If all UNIX users have administrative privileges, add the following to the RADIUS "user" file. To allow only Device Users, change the CAT-Service-Type to Device.
"DEFAULT Auth-Type = System"
"CAT-Service-Type = Admin"
- Add user names and attributes to the RADIUS "user" file, and verify the password against "/etc/ passwd". The following example is for users "bconners" and "thawk":
"bconners Auth-Type = System"
"CAT-Service-Type = Admin"
"thawk Auth-Type = System"
"CAT-Service-Type = Device"
Supported RADIUS Servers
FreeRADIUS and Microsoft IAS 2003 are supported. Other commonly available RADIUS applications may work but have not been fully tested.
Inactivity Timeout
Path: Administration > Security > Auto Log Off
Use this option to configure the time (3 minutes by default) that the system waits before logging off an inactive user. If you change this value, log off for the change to take effect.
Note: This timer continues to run if a user closes the browser window without first logging off by clicking "Log Off" at the upper right. Because that user is still considered logged on, no user can log on until the time specified as "Minutes of Inactivity" expires. For example, with the default value for "Minutes of Inactivity", if a user closes the browser window without logging off, no user can log on for 3 minutes.