How to Configure User Access to Extreme Management Center Applications
This Help topic describes the steps for configuring the authentication and authorization process that provides access for Extreme Management Center users. When you install Management Center, the user performing the installation is automatically created as an Authorized User with Extreme Management Center Administrator capabilities. This administrative user is capable of creating additional Management Center users and assigning their access levels.
The Users and Groups tab of the Authorization/Device Access tool is where you will define the method that will be used to authenticate users who are attempting to launch a Management Center client or access the Management Center database using the Management Center Server Administration web page or the NAC Manager Dashboard. There are three authentication methods available: OS Authentication (the default), LDAP Authentication, and RADIUS Authentication. Steps for configuring each of these methods are provided below.
The tab is also used to create the authorization groups that define the access privileges (called Capabilities) assigned to authenticated users. When a user successfully authenticates, they are assigned membership in an authorization group that grants specific capabilities in the application. For example, you may have an authorization group called "IT Staff" that grants access to a wide range of capabilities, while another authorization group called "Guest" grants a very limited range of capabilities.
NOTE: When changes to authentication and authorization configurations are made, clients must be restarted in order to be subject to the new configuration. It is suggested that you disconnect those clients affected by the changes made to your authentication and authorization configurations. You can use the Client Connections tab in the Server Information window to help identify which clients are affected by the changes, and disconnect those clients.
Use the instructions below for configuring authentication and authorization based on the authentication method appropriate for your network.
Instructions for configuring:
OS Authentication
OS Authentication is the default authentication method, where the Management Center Server uses the underlying host operating system to authenticate users. Use the following instructions to configure the OS authentication method and set up your users and authorization groups.
NOTE: You must have user accounts created for your Management Center users in the underlying operating system. For Windows operating systems, access your Windows OS Help to determine the appropriate steps for adding a user account. For Linux operating systems, from the command line use the useradd and passwd commands to add a user account.
- Click the toolbar button, or select Authorization/Device Access from the Tools menu. The Authorization/Device Access window opens with the Users/Groups tab selected.
- Create your Authorization Groups.
- In the Authorized Groups section, click Add Group. The Add Group window opens where you can define the capabilities for the new group.
- Enter a name for your new group in the Authorization Group Name field.
- Do not enter anything in the Membership Criteria field.
- Select the Capabilities tab and expand the tree, and select the capabilities granted to users that are members of this group. See Authorization Group Capabilities for an explanation of each capability.
- Select the Settings tab and choose an SNMP Redirect option for members of this group:
- Allow Users to Configure SNMP Redirect in Options - lets users edit the Suite-wide Option setting for Client/Server SNMP Redirect.
- Always Redirect SNMP to the Management Center (NetSight) Server - all SNMP requests always go through the server.
- Never Redirect SNMP to the Management Center (NetSight) Server - SNMP requests are always made from the client system.
- Click Apply to confirm your selections and Close to dismiss the Add Group window.
- Your new group now appears in the Authorization Groups table.
- Create a list of authorized users.
- In the Authorized Users section, click Add User. The Add User window opens where you can define a new Authorized User and assign it a group membership.
- Enter the user's name and the domain/hostname that will be used to authenticate.
- Select the authorization group to which to add the current user.
- Click Apply to confirm your selections and Close to dismiss the Add User window.
- The new user now appears in the Authorized Users table.
- Specify your authentication method.
- In the User Authentication section, select the Default (OS Authentication) Authentication Method.
- If desired, enable Automatic Membership and specify an authorization group. The Automatic Membership feature allows a user who has not been manually added to the Authorized Users table to be authenticated by the operating system, and dynamically added to the table and assigned to the specified authorization group the first time that they log in. These users are indicated by a "Yes" in the Automatic Member column of the Authorized Users table.
- Changes made to the Users/Groups tab are automatically saved to the Extreme Management Center Database.
LDAP Authentication
With LDAP authentication, the Management Center Server uses the specified LDAP configuration to authenticate users. You can configure dynamic assignment of users to authorization groups based on the attributes associated with a user in Active Directory. For example, you could create an authorization group that matches everyone in a particular organization, department, or location. Use the following instructions to configure the LDAP authentication method and set up your users and authorization groups.
- Click the toolbar button, or select Authorization/Device Access from the Tools menu. The Authorization/Device Access window opens with the Users/Groups tab selected.
- Create your Authorization Groups. When a user authenticates using LDAP authentication, the attributes associated with that user are matched against a list of criteria specified as part of each authorization group. The first group listed in the table that includes a criterion matching the user's attributes becomes the authorization group for that user. The user is then added to the Authorized Users table as an automatic member, with that authorization group.
Every user must be assigned to a group. A user whose attributes don't match any of the criteria specified for any of the groups will not be authenticated and will not be allowed to log in. For this reason, it is recommended to create a "catch-all" group (for example, objectClass=person), whose criteria are very generic and whose capabilities are highly restricted. This will help differentiate between a user who cannot authenticate successfully, and a user who does not belong to any group.
- In the Authorized Groups section, click Add Group. The Add Group window opens where you can define the capabilities for the new group.
- Enter a name for your new group in the Authorization Group Name field.
- Enter the Membership Criteria that will be used to match against user attributes to determine group membership. The criteria are entered as name=value pairs, for example, department=IT. A user must have the specified attribute with a value that matches the specified value in order to meet the criteria to belong to this group. Multiple name=value pairs may be listed using a semicolon (";") to separate them. However, a user is considered a member of the group if they match at least one of the specified criteria; they do not need to match all of them.
NOTE: You cannot define membership criteria for the Management Center Administrator Group. Membership in the administrator group must be assigned manually using the Authorized Users table.
- Select the Capabilities tab and expand the tree, and select the capabilities granted to users that are members of this group. See Authorization Group Capabilities for an explanation of each capability.
- Select the Settings tab and choose an SNMP Redirect option for members of this group:
- Allow Users to Configure SNMP Redirect in Options - lets users edit the Suite-wide Option setting for Client/Server SNMP Redirect.
- Always Redirect SNMP to the Management Center (NetSight) Server - all SNMP requests always go through the server.
- Never Redirect SNMP to the Management Center (NetSight) Server - SNMP requests are always made from the client system.
- Click Apply to confirm your selections and Close to dismiss the Add Group window.
- The new group is listed in the table. Use the Move Up and Move Down buttons to adjust the group's position in the table, keeping in mind that users are assigned group membership based on the first group listed in the table that they match.
- Create a list of authorized users.
You only need to do this if you want to manually create special users that will authenticate using OS Authentication and be assigned membership in the Management Center Administrator Group or another authorization group.
- In the Authorized Users section, click Add User. The Add User window opens where you can define a new Authorized User and assign it a group membership.
- Enter the user's name and the domain/hostname that will be used to authenticate.
- Select an authorization group where this user will be a member.
- Click Apply to confirm your selections and Close to dismiss the Add User window.
- The new user now appears in the Authorized Users table.
- Specify your authentication method.
- Select the LDAP Authentication Method.
- Use the drop-down list to select the LDAP configuration for the LDAP server on your network that you want to use to authenticate users. Use the configuration menu button (to the right of the drop-down list) to add or edit an LDAP configuration, or manage your LDAP configurations.
- If desired, enable Authenticate to OS on LDAP failure and specify an authorization group. This feature provides the option to use OS Authentication Automatic Membership if the LDAP authentication should fail for any reason. Automatic Membership allows a user who has not been manually added to the Authorized Users table to be authenticated by the operating system, and dynamically added to the table and assigned to the specified authorization group the first time that they log in. These users are indicated by a "Yes" in the Automatic Member column of the Authorized Users table.
NOTE: If LDAP authentication should fail for any reason, and the Authenticate to OS on LDAP failure feature is not enabled, users that have been manually added to the Authorized Users table will still have permission to log in.
- Changes made to the Users/Groups tab are automatically saved to the Management Center Database.
RADIUS Authentication
With RADIUS authentication, the Management Center Server uses the specified RADIUS servers to authenticate users. You can configure dynamic assignment of users to authorization groups based on the attributes associated with a user in Active Directory. Use the following instructions to configure the RADIUS authentication method and set up your users and authorization groups.
NOTE: The RADIUS Authentication mode supports the PAP authentication type.
- Click the toolbar button, or select Authorization/Device Access from the Tools menu. The Authorization/Device Access window opens with the Users/Groups tab selected.
- Create your Authorization Groups. When a user authenticates using RADIUS authentication, the attributes associated with that user are matched against a list of criteria specified as part of each authorization group. The first group listed in the table that has a criterion matching the user's attributes becomes the authorization group for that user. The user is then added to the Authorized Users table as an automatic member, with that authorization group.
A user whose attributes don't match any of the criteria specified for any of the groups will not be authenticated and will not be allowed to log in. For this reason, it is recommended to create a "catch-all" group whose criteria are very generic and whose capabilities are highly restricted. This will help differentiate between a user who cannot authenticate successfully, and a user who does not belong to any group.
- In the Authorized Groups section, click Add Group. The Add Group window opens where you can define the capabilities for the new group.
- Enter a name for your new group in the Authorization Group Name field.
- Enter the Membership Criteria that will be used to match against user attributes to determine group membership. The criteria are entered as name=value pairs, for example, Service-Type=Framed-User. A user must have the specified attribute with a value that matches the specified value in order to meet the criteria to belong to this group. Multiple name=value pairs may be listed using a semicolon (";") to separate them. However, a user is considered a member of the group if they match at least one of the specified criteria; they do not need to match all of them.
NOTE: You cannot define membership criteria for the Management Center Administrator Group. Membership in the administrator group must be assigned manually using the Authorized Users table.
- Select the Capabilities tab and expand the tree, and select the capabilities granted to users that are members of this group. See Authorization Group Capabilities for an explanation of each capability.
- Select the Settings tab and choose an SNMP Redirect option for members of this group:
- Allow Users to Configure SNMP Redirect in Options - lets users edit the Suite-wide Option setting for Client/Server SNMP Redirect.
- Always Redirect SNMP to the Management Center (NetSight) Server - all SNMP requests always go through the server.
- Never Redirect SNMP to the Management Center (NetSight) Server - SNMP requests are always made from the client system.
- Click Apply to confirm your selections and Close to dismiss the Add Group window.
- The new group will be listed in the table. Use the Move Up and Move Down buttons to adjust the group's position in the table, keeping in mind that users are assigned group membership based on the first group listed in the table that they match.
- Create a list of authorized users.
You will only need to do this if you want to manually create special users that will authenticate using OS Authentication and be assigned membership in the Management Center Administrator Group or another authorization group.
- In the Authorized Users section, click Add User. The Add User window opens where you can define a new Authorized User and assign it a group membership.
- Enter the user's name and the domain/hostname that will be used to authenticate.
- Select an authorization group where this user will be a member.
- Click Apply to confirm your selections and Close to dismiss the Add User window.
- The new user now appears in the Authorized Users table.
- Specify your authentication method.
- Select the RADIUS Authentication Method.
- Use the drop-down list to select the primary RADIUS server and backup RADIUS server (optional) on your network that you want to use to authenticate users. Use the configuration menu button (to the right of the drop-down list) to add or edit a RADIUS server, or manage your RADIUS servers.
- If desired, enable Authenticate to OS on RADIUS failure and specify an authorization group. This feature provides the option to use OS Authentication Automatic Membership if the RADIUS authentication should fail for any reason. Automatic Membership allows a user who has not been manually added to the Authorized Users table to be authenticated by the operating system, and dynamically added to the table and assigned to the specified authorization group the first time that they log in. These users are indicated by a "Yes" in the Automatic Member column of the Authorized Users table.
NOTE: If RADIUS authentication should fail for any reason, and the Authenticate to OS on RADIUS failure feature is not enabled, users that have been manually added to the Authorized Users table will still have permission to log in.
- Changes made to the Users/Groups tab are automatically saved to the Management Center Database.
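The group-assignment rules described for both LDAP and RADIUS authentication above (semicolon-separated name=value criteria, match-any semantics, first matching group in table order wins, a restricted catch-all group at the bottom, and refusal when nothing matches) are easy to get wrong when ordering groups with Move Up and Move Down. The following is an added example that models those rules; it is not Extreme Management Center code. The group names, capability labels, user attributes and the exact, case-sensitive comparison are assumptions made for the illustration.

```python
# Added example (not Extreme Management Center code): a model of how the
# Users/Groups tab resolves an authenticated user's authorization group from
# the ordered group table and its name=value Membership Criteria.
from dataclasses import dataclass, field


@dataclass
class AuthorizationGroup:
    name: str
    criteria: str                      # text as typed in the Membership Criteria field
    capabilities: frozenset = field(default_factory=frozenset)


def parse_criteria(text):
    """Split 'department=IT; title=Engineer' into [(name, value), ...].

    An empty field yields no criteria, so the group (like the Administrator
    group) can only be populated manually via the Authorized Users table.
    """
    pairs = []
    for chunk in text.split(";"):
        chunk = chunk.strip()
        if not chunk:
            continue
        if "=" not in chunk:
            raise ValueError(f"criterion {chunk!r} is not a name=value pair")
        name, value = chunk.split("=", 1)
        pairs.append((name.strip(), value.strip()))
    return pairs


def matches(criteria, attributes):
    """Match-any semantics: the user matches if at least one name=value pair
    is satisfied. Attribute values may be multi-valued (LDAP objectClass is),
    so a match means the value is among the user's values for that name."""
    for name, value in criteria:
        have = attributes.get(name, ())
        if isinstance(have, str):
            have = (have,)
        if value in have:                # assumption: exact, case-sensitive compare
            return True
    return False


def resolve_group(groups, attributes):
    """First group in table order whose criteria match wins; None means the
    user is not assigned to any group and the login is refused."""
    for group in groups:
        if matches(parse_criteria(group.criteria), attributes):
            return group
    return None


def assign_all(groups, users):
    """Map each user name to the resolved group name (None = login refused)."""
    result = {}
    for user, attrs in users.items():
        group = resolve_group(groups, attrs)
        result[user] = group.name if group else None
    return result


# Constructed group table, top to bottom as it would appear in the
# Authorization Groups table. The catch-all sits last so specific groups win.
GROUPS = [
    AuthorizationGroup("Management Center Administrator", "", frozenset({"all"})),
    AuthorizationGroup("IT Staff", "department=IT", frozenset({"view", "configure", "snmp"})),
    AuthorizationGroup("Network Ops", "department=NetOps; title=Network Engineer",
                       frozenset({"view", "configure"})),
    AuthorizationGroup("Guest", "objectClass=person", frozenset({"view"})),
]

# Constructed user attributes in LDAP style; RADIUS criteria such as
# Service-Type=Framed-User are evaluated the same way.
USERS = {
    "alice": {"department": "IT", "objectClass": ["top", "person", "organizationalPerson"]},
    "bob": {"department": "Finance", "title": "Network Engineer", "objectClass": ["top", "person"]},
    "carol": {"department": "Finance", "objectClass": ["top", "person"]},
    "svc-backup": {"objectClass": ["top", "computer"]},   # matches nothing: login refused
}


def catch_all_first(groups):
    """Reorder so the catch-all precedes the specific groups: the ordering
    mistake the Move Up / Move Down buttons exist to correct."""
    return [groups[0], groups[-1]] + groups[1:-1]


if __name__ == "__main__":
    print(assign_all(GROUPS, USERS))
    # With Guest above IT Staff, alice lands in Guest: objectClass=person
    # matches her before department=IT is ever consulted.
    print(assign_all(catch_all_first(GROUPS), USERS))
```

Run it as-is and compare the two printed mappings: with the catch-all last, each user gets the most specific group that matches, while svc-backup resolves to None and would be refused; with the catch-all moved up, every person-class user collapses into Guest and the specific groups never apply.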