Setting Access Privileges


Among the first things that should be done when you begin using Console is to establish access privileges. These fall into two major categories: access to Console and other Extreme Management Center applications, and access to the devices on your network.

Defining User Access to Extreme Management Center

The Users and Groups tab of the Authorization/Device Access tool is where you define the method used to authenticate users who attempt to launch a Management Center client or access the Management Center database through the Management Center Server Administration web page. There are three authentication methods available: OS Authentication (the default), LDAP Authentication, and RADIUS Authentication.

In addition to configuring the authentication method, you must also create the authorization groups that define the access privileges (called Capabilities) that will be assigned to authenticated users. When a user successfully authenticates, they are assigned membership in an authorization group that grants specific capabilities in the application. For example, you may have an authorization group called "IT Staff" that grants access to a wide range of capabilities, while another authorization group called "Guest" grants a very limited range of capabilities.

When you install Management Center, the user performing the installation is created as an Authorized User with Management Center Administrator capabilities. This administrative user is capable of creating additional Management Center users and assigning their access levels. For complete steps in configuring authentication methods and creating authorization groups, see How to Configure User Access to Extreme Management Center Applications under Authorization/Device Access in the Suite-Wide Tools user guide.

In addition to defining user access to Console, you can define user credentials and profiles to control access to the devices on your network.

Establishing Device Access (Credentials and Profiles)

Establishing access to the devices on your network from Console depends on creating identities that Console can use for authentication when performing SNMP queries and sets. Console supports authentication to devices using SNMPv1, SNMPv2 and SNMPv3. When device models are created in the Management Center database, you can accept the default profile or assign a specific Profile that describes the set of access Credentials Console will use for authentication at each level of access in the device. (When first installed, Console's default profile uses an SNMPv1 credential that provides Read, Write and Max Access privileges.) The specific profile that is used depends on the protocol that the device supports and the credentials that the device requires before it grants access.

SNMPv1 or SNMPv2

For SNMPv1 or SNMPv2, authentication consists of providing the correct community name for a particular access level (Read, Write and Max Access). As long as device models in Console are assigned a Profile with the correct community names, access is granted.

SNMPv3

Establishing contact with SNMPv3 is somewhat more complex. SNMPv3 uses a User-based Security Model (USM). Before access is granted to a particular level, a security user (in this case Console) and a set of authentication and privacy keys must be verified by the device's SNMP engine. These are defined as a Credential, which is then linked to a Profile that Console will use when contacting a device.

Configuring device access consists of first creating credentials and then creating the profiles that will use those credentials. For complete instructions, see How to Configure Profiles and Credentials under Authorization/Device Access in the Suite-Wide Tools user guide.
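
The following added example (not part of the product or its documentation) models a Profile as a mapping from each access level to a Credential and reports settings worth reviewing: community-based credentials, one credential shared across access levels, and SNMPv3 credentials without both authentication and privacy. The Credential class, the sample profiles and the community value are constructed for illustration and do not reflect the product's data format.

```python
from dataclasses import dataclass

LEVELS = ("read", "write", "max_access")  # access levels named on this page

@dataclass(frozen=True)
class Credential:          # hypothetical model, not the product's schema
    name: str
    version: str           # "v1", "v2" or "v3"
    community: str = ""    # SNMPv1/v2 community name
    auth: bool = False     # SNMPv3 authentication key set
    priv: bool = False     # SNMPv3 privacy key set

def audit_profile(name, profile):
    """Return findings for a profile mapping each access level to a Credential."""
    findings = []
    # Visit each distinct credential once, in access-level order.
    for cred in dict.fromkeys(profile[lvl] for lvl in LEVELS):
        levels = [lvl for lvl in LEVELS if profile[lvl] == cred]
        where = f"{name}/{cred.name} ({', '.join(levels)})"
        if cred.version in ("v1", "v2"):
            findings.append(f"{where}: community name is the only secret and is sent in cleartext")
            if cred.community.lower() in ("public", "private"):
                findings.append(f"{where}: well-known community name")
        elif not (cred.auth and cred.priv):
            findings.append(f"{where}: SNMPv3 without both authentication and privacy")
    # Anyone holding the Read credential should not also hold Write or Max Access.
    if profile["read"] in (profile["write"], profile["max_access"]):
        findings.append(f"{name}: the Read credential also grants Write or Max Access")
    return findings

# Constructed sample data, not exported from the product.
shared = Credential("v1-shared", "v1", community="public")
v3_ro = Credential("v3-ro", "v3", auth=True, priv=True)
v3_rw = Credential("v3-rw", "v3", auth=True, priv=True)
PROFILES = {
    # Same shape as the default profile described above: one SNMPv1 credential for all levels.
    "one-v1-credential": dict.fromkeys(LEVELS, shared),
    "v3-split": {"read": v3_ro, "write": v3_rw, "max_access": v3_rw},
}

if __name__ == "__main__":
    for pname, prof in PROFILES.items():
        for line in audit_profile(pname, prof) or [f"{pname}: no findings"]:
            print(line)
```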

