AAA Settings
CC: Administration > AAA Settings
CC: Inventory > Local Manager Summary > Security > Authentication
The Control Center and Local Managers can perform user authentication, authorization, and accounting (AAA) functions locally or these functions can be deferred to one or more third-party AAA servers.
Authentication/authorization/accounting settings for the Control Center can be managed globally from the AAA Settings page under the Administration tab. They can also be customized for specific portions of the deployment (i.e., Local Managers) from the appropriate group within the inventory.
The 'administrator' User
The administrator user is a default account intended for the initial provisioning and configuration of the Lantronix Control Center. Once you have configured other named administrator accounts (users with admin privileges assigned on the CC), the administrator user should be disabled and its password changed.
The initial workflow should look like this:
- Log into newly deployed CC as administrator
- Create an account for yourself
- Assign new account the admin role on the CC (Administration / Server Privileges)
- Log out of the CC
- Log in as your new account
- Change administrator account's password and disable it (Administration / Users)
Danger
The administrator user cannot be assigned privileges on Local Managers or Inventory groups, and therefore cannot log into Local Managers. The account itself is not synchronized throughout the deployment.
Control Center AAA
To configure AAA settings for the Control Center, click on AAA Settings under the Administration tab. This page also includes strong password settings and other password-related settings such as lockout after login failure.
To apply changes on this page to the Control Center, click Save.
Inventory Group AAA
To configure AAA settings for an inventory group, open the detail page for that group and click Authentication from the Security menu to open the Authentication Settings page.
Settings available on the Authentication Settings page are inherited by all the members of this inventory group, except where they would overwrite existing, locally configured settings. Select Force update on children to overwrite all existing settings.
Single Local Manager AAA
To configure AAA settings for a single Local Manager, navigate to the Local Manager and select Authentication from the Security menu.
Authentication Settings
Most authentication settings available through the Control Center mirror those available through the config system authentication command on the Local Manager command line. They include the ability to select the type of authentication, to specify the necessary configuration information for each type, and to limit the number of concurrent sessions per account.
Authentication Type and Method
Select the type of authentication to use. Local, RADIUS, and TACACS are available. If using TACACS or RADIUS, select the authentication method as well. PAP, CHAP, and MS-CHAP are available.
A Local Manager or inventory group can be configured to delegate authentication to the Control Center, which then validates the user's password using its own authentication settings. If both Create Users and Use Remote Authorization are selected, the CC creates the user if the account does not already exist on the CC and queries the remote authorization server for the groups to assign the user to.
Use Remote Authorization
Some AAA servers support returning authorization keys that can be used by the Control Center to assign privileges to users. For information on configuring this, see Using Third-Party AAA to Manage Privileges.
Create Users
If users are managed on the authentication server, they can authenticate but may not have accounts on the Control Center or Local Managers. If this setting is enabled, the user is created if the account does not exist. If remote authorization is not used, newly created users initially have no privileges, so they cannot log in, since logging in requires the login privilege.
Cache Passwords
Enable this setting if the Control Center is configured to use authentication server(s) and Fail Over to Local is selected. This allows users to use a previously saved password if no authentication server is available and the Control Center fails over to local authentication.
Fail Over to Local
Enable this setting to allow the Control Center to authenticate users locally when no configured authentication server is available. When using this setting, enable Cache Passwords to make the passwords available for local authentication. If Cache Passwords is not enabled, users will still be able to log in with locally defined passwords.
Limit Maximum Concurrent Sessions and Maximum Number of Concurrent Sessions
These settings allow you to limit the number of open sessions that any user may have on any particular Local Manager at a given time. Set the maximum number to 0 to allow unlimited concurrent sessions.
Authentication and Accounting Servers
If the Control Center or Local Managers are configured within the inventory to use RADIUS or TACACS, at least one server of the appropriate type must be configured. Up to four authentication servers and up to four accounting servers can be specified for redundancy. All must be of the same type, either RADIUS or TACACS. If an authentication server fails to respond, the next server is queried; the first response determines whether the authentication is successful.
Accounting server settings apply only to Local Managers; they are configured on the inventory group or on the individual Local Manager resource.
For each server, enter the IP address and port; then enter and confirm the secret. For RADIUS servers, the default port is 1645 or 1812; for TACACS, the default port is 49.
To remove server information already configured, click the Clear button associated with that server.
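The server ordering in this section, together with Cache Passwords and Fail Over to Local above, amounts to one decision procedure: ask the configured servers in order, let the first answer decide, and only when nobody answers fall back to locally defined or cached passwords. The Python below is an added illustration of that procedure, not Lantronix code. The `query` callable on each `AuthServer` is a constructed stand-in for the RADIUS/TACACS exchange (it returns accept, reject, or no response), and the assumption that locally defined and cached passwords are kept as salted PBKDF2 hashes is the example's own, not a statement about how the product stores them.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# A query returns True (accept), False (reject) or None (no response / timeout).
# The callable is a constructed stand-in for the real RADIUS/TACACS exchange.
ServerQuery = Callable[[str, str], Optional[bool]]


@dataclass
class AuthServer:
    host: str
    port: int                # 1645/1812 for RADIUS, 49 for TACACS
    query: ServerQuery


@dataclass
class AuthConfig:
    servers: List[AuthServer]                                       # ordered, at most four
    fail_over_to_local: bool = False
    cache_passwords: bool = False
    local_users: Dict[str, bytes] = field(default_factory=dict)     # locally defined passwords
    password_cache: Dict[str, bytes] = field(default_factory=dict)  # last server-accepted passwords


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def store(table: Dict[str, bytes], user: str, password: str) -> None:
    """Keep a salted hash only; the clear-text password is never written down."""
    salt = os.urandom(16)
    table[user] = salt + _derive(password, salt)


def verify(table: Dict[str, bytes], user: str, password: str) -> bool:
    entry = table.get(user)
    if entry is None:
        return False
    return hmac.compare_digest(_derive(password, entry[:16]), entry[16:])


def authenticate(cfg: AuthConfig, user: str, password: str) -> str:
    """Return 'accepted', 'rejected' or 'no-server' for one login attempt."""
    if len(cfg.servers) > 4:
        raise ValueError("at most four authentication servers may be configured")

    for server in cfg.servers:
        verdict = server.query(user, password)
        if verdict is None:
            continue                     # no response: ask the next server
        # The first server to answer decides; remaining servers are not consulted.
        if verdict and cfg.cache_passwords:
            store(cfg.password_cache, user, password)
        return "accepted" if verdict else "rejected"

    # No server responded.
    if not cfg.fail_over_to_local:
        return "no-server"
    if verify(cfg.local_users, user, password):
        return "accepted"                # a locally defined password always works
    if cfg.cache_passwords and verify(cfg.password_cache, user, password):
        return "accepted"                # previously saved password, only with caching on
    return "rejected"


if __name__ == "__main__":
    # Constructed servers: the first never answers, the second accepts one credential.
    down = AuthServer("192.0.2.10", 1812, lambda u, p: None)
    radius = AuthServer("192.0.2.11", 1812, lambda u, p: (u, p) == ("alice", "s3cret!"))
    cfg = AuthConfig([down, radius], fail_over_to_local=True, cache_passwords=True)
    print("online:", authenticate(cfg, "alice", "s3cret!"))
    cfg.servers = [down, down]           # both servers unreachable
    print("offline, cached:", authenticate(cfg, "alice", "s3cret!"))
    cfg.cache_passwords = False
    print("offline, no cache:", authenticate(cfg, "alice", "s3cret!"))
```

Two details are worth noticing when running it: a reject from the first responding server is final even if a later server would have accepted, and a cached password is only consulted while Cache Passwords is on, so turning the setting off also retires entries already saved.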
Choosing how to Apply AAA Changes
When making changes on the Administration > AAA page, click Save to apply the AAA settings only on the Control Center.
When making changes at the inventory group level from the Authentication page, you can either apply them without changing settings on Local Managers currently in the group, or overwrite the Local Managers' authentication settings:
- Update AAA settings for the group without changing settings on Local Managers currently in the inventory—click Save.
- Update AAA settings for the group, overwriting existing settings on all Local Managers in the group and its child groups—select Force update on children, then click Save.
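To make the difference between a plain Save and Force update on children concrete, here is an added Python model; it is not Lantronix code and does not describe the product's data model. It assumes that each setting on a member carries an origin of either inherited or local: Save pushes new group values down only where the member's existing value was inherited (or absent), while Force update overwrites everything and recurses into child groups. `Node`, `Setting`, `apply_group_settings` and the inventory in `build_demo_inventory` are names and data constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

INHERITED = "inherited"   # value arrived from a parent group
LOCAL = "local"           # value configured directly on this resource


@dataclass
class Setting:
    value: object
    origin: str


@dataclass
class Node:
    """An inventory group or a Local Manager (constructed model)."""
    name: str
    settings: Dict[str, Setting] = field(default_factory=dict)
    children: List["Node"] = field(default_factory=list)

    def set_local(self, key: str, value: object) -> None:
        self.settings[key] = Setting(value, LOCAL)

    def get(self, key: str) -> Optional[object]:
        entry = self.settings.get(key)
        return None if entry is None else entry.value

    def origin(self, key: str) -> Optional[str]:
        entry = self.settings.get(key)
        return None if entry is None else entry.origin


def apply_group_settings(group: Node, new_settings: Dict[str, object], force_update: bool = False) -> None:
    """Save on a group's Authentication page; force_update models 'Force update on children'."""
    for key, value in new_settings.items():
        group.set_local(key, value)              # the group itself always takes the new value
    for child in group.children:
        _propagate(child, new_settings, force_update)


def _propagate(node: Node, new_settings: Dict[str, object], force_update: bool) -> None:
    for key, value in new_settings.items():
        current = node.settings.get(key)
        # A plain Save never replaces a value somebody configured locally on the member.
        if force_update or current is None or current.origin == INHERITED:
            node.settings[key] = Setting(value, INHERITED)
    for child in node.children:                  # child groups and their Local Managers
        _propagate(child, new_settings, force_update)


def build_demo_inventory() -> Node:
    """Constructed inventory: group 'east' with two Local Managers and a child group."""
    east = Node("east", children=[Node("lm-1"), Node("lm-2"),
                                  Node("east-lab", children=[Node("lm-3")])])
    east.children[1].set_local("auth_type", "LOCAL")   # lm-2 was configured by hand
    return east


if __name__ == "__main__":
    east = build_demo_inventory()
    apply_group_settings(east, {"auth_type": "RADIUS", "max_sessions": 3})
    for node in east.children + east.children[2].children:
        print(node.name, node.get("auth_type"), node.get("max_sessions"))
    apply_group_settings(east, {"auth_type": "TACACS"}, force_update=True)
    print("after force update:", [n.get("auth_type") for n in east.children])
```

Running it shows lm-2 keeping its hand-configured LOCAL authentication through the first Save while still picking up the new session limit, and losing that local value only when the second call uses force_update.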
Password Settings
Configure strong passwords at any level within the inventory, on the Control Center only, or globally. The password requirements can be tailored separately for different groups or Local Managers within the deployment.
For password restrictions to take effect, Use strong passwords must be selected. To remove strong password restrictions temporarily, clear Use strong passwords while leaving the restrictions configured.
Restrictions include:
Setting | Description |
---|---|
Require mixed case | Password must have both capital and lowercase characters. Valid password example: PassWord |
Require numbers and punctuation | Password must include at least one numeral and at least one symbol. Valid password example: P@ssW0rd |
Reject variation of Login ID | Password cannot be derived from the login ID. Invalid example: admin1 |
Reject word in dictionary / Reject standard substitutions (@ for a, 3 for e, etc.) | If both options are selected, users may not set passwords such as p@$$w0rd. Valid password example: P&ssW*r# |
Reject sequences in numbers or letters | Users may not set passwords that consist of all the letters or numbers on one row of the keyboard, in sequence either from left to right or right to left, or a character string that contains such a sequence. Partial or broken sequences such as abc!defg or qwerty12 may be used. |
Reject previous password / Number of previous passwords to check | Recently used passwords may not be reused. |
Reject single character difference from previous password | When changing a password, at least two characters must be changed. |
Enforce minimum password length / Minimum password length | Keeps users from setting passwords short enough to be easily guessed. |
Expire password / Number of valid days | Forces users to change their passwords periodically. |
Number of invalid attempts before lockout / Lockout duration in minutes | Specify the maximum number of times a user can attempt to log into a Local Manager before the Local Manager refuses further attempts, and the length of the lockout period. Set the number of attempts to 0 to disable lockout protection. The default lockout time is 30 minutes. These settings apply only to Local Managers, not to the Lantronix Control Center. |
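The last row of the table above describes a per-user counter with a threshold and a timed lockout. The Python below is an added example of that logic, not the Local Manager's implementation: it treats 0 attempts as "lockout disabled", uses the 30-minute default, and clears the counter after a successful login, which is an assumption the page does not state. `attempt_login`, the `verify` callback, `EXAMPLE_START` and the user names are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Dict, Optional


@dataclass
class LockoutPolicy:
    max_attempts: int = 5         # 0 disables lockout protection
    lockout_minutes: int = 30     # default lockout duration from the table


@dataclass
class LockoutState:
    failures: int = 0
    locked_until: Optional[datetime] = None


class LockoutTracker:
    """Per-user failed-attempt counter for one Local Manager (constructed example)."""

    def __init__(self, policy: LockoutPolicy):
        self.policy = policy
        self.state: Dict[str, LockoutState] = {}

    def is_locked(self, user: str, now: datetime) -> bool:
        st = self.state.get(user)
        if st is None or st.locked_until is None:
            return False
        if now >= st.locked_until:
            self.state.pop(user)          # lockout expired: start counting afresh
            return False
        return True

    def record_failure(self, user: str, now: datetime) -> bool:
        """Count a failed attempt; return True if this one triggered a lockout."""
        if self.policy.max_attempts == 0:
            return False                  # protection disabled
        st = self.state.setdefault(user, LockoutState())
        st.failures += 1
        if st.failures >= self.policy.max_attempts:
            st.locked_until = now + timedelta(minutes=self.policy.lockout_minutes)
            return True
        return False

    def record_success(self, user: str) -> None:
        self.state.pop(user, None)        # assumption: a good login clears the counter


def attempt_login(tracker: LockoutTracker, user: str, password: str,
                  verify: Callable[[str, str], bool], now: datetime) -> str:
    """Return 'locked', 'accepted' or 'rejected' for one login attempt."""
    if tracker.is_locked(user, now):
        return "locked"                   # refused before the password is even checked
    if verify(user, password):
        tracker.record_success(user)
        return "accepted"
    tracker.record_failure(user, now)
    return "rejected"


EXAMPLE_START = datetime(2024, 1, 1, 9, 0)   # constructed clock for the demo


def minutes_later(start: datetime, minutes: int) -> datetime:
    return start + timedelta(minutes=minutes)


if __name__ == "__main__":
    tracker = LockoutTracker(LockoutPolicy(max_attempts=3))
    good = lambda u, p: (u, p) == ("alice", "Correct!Horse9")   # constructed credential check
    for i in range(4):
        print("attempt", i, attempt_login(tracker, "alice", "wrong", good, EXAMPLE_START))
    print("after 30 min:", attempt_login(tracker, "alice", "Correct!Horse9", good,
                                         minutes_later(EXAMPLE_START, 30)))
```

The fourth wrong attempt returns "locked" without the password being checked at all, and the correct password is accepted again once the lockout period has elapsed.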
Note
Do not create a password that ends with a space character. When an attempt is made to log into a Local Manager using a password that ends with a space, the Local Manager strips the space character and the login fails.
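The restrictions in the table above, plus the trailing-space note, expressed as a checker in Python. This is an added example, not Lantronix code: the substitution map, the keyboard rows and the five-word dictionary are constructed stand-ins for real lists, reading "variation of Login ID" as "the normalized password contains the login ID" is the example's interpretation, and `PasswordHistory` keeps salted hashes by the example's own choice. Expiry and lockout are not covered here. Each restriction is a flag on `PasswordPolicy`, and `policy_with` switches on only the ones named so that the table's per-row examples can be checked in isolation.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, replace
from typing import List, Optional

# Standard substitutions undone before the dictionary check (constructed map).
SUBSTITUTIONS = str.maketrans({"@": "a", "3": "e", "0": "o", "1": "i",
                               "$": "s", "5": "s", "7": "t", "!": "i"})
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]
DICTIONARY = {"password", "welcome", "secret", "summer", "admin"}   # tiny constructed word list


@dataclass
class PasswordPolicy:
    use_strong_passwords: bool = True          # master switch; when off no restriction applies
    require_mixed_case: bool = True
    require_numbers_and_punctuation: bool = True
    reject_login_id_variation: bool = True
    reject_dictionary_word: bool = True
    reject_standard_substitutions: bool = True
    reject_keyboard_sequences: bool = True
    previous_passwords_to_check: int = 5       # 0 disables the reuse check
    reject_single_char_difference: bool = True
    min_length: int = 8                        # 0 disables


LENIENT = PasswordPolicy(require_mixed_case=False, require_numbers_and_punctuation=False,
                         reject_login_id_variation=False, reject_dictionary_word=False,
                         reject_standard_substitutions=False, reject_keyboard_sequences=False,
                         previous_passwords_to_check=0, reject_single_char_difference=False,
                         min_length=0)


def policy_with(**flags) -> PasswordPolicy:
    """Start from LENIENT and switch on just the restrictions named."""
    return replace(LENIENT, **flags)


class PasswordHistory:
    """Bounded list of salted hashes of earlier passwords; clear text is never kept."""

    def __init__(self, size: int):
        self.size, self.entries = size, []    # type: int, List[bytes]

    @staticmethod
    def _digest(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

    def add(self, password: str) -> None:
        salt = os.urandom(16)
        self.entries.append(salt + self._digest(password, salt))
        self.entries = self.entries[-self.size:] if self.size else []

    def contains(self, password: str) -> bool:
        return any(hmac.compare_digest(self._digest(password, e[:16]), e[16:]) for e in self.entries)


def normalize(text: str) -> str:
    return text.lower().translate(SUBSTITUTIONS)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a result below 2 means at most one character changed."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_password(policy: PasswordPolicy, login_id: str, new: str,
                   current: Optional[str] = None, history: Optional[PasswordHistory] = None) -> List[str]:
    """Return the violated restrictions; an empty list means the password is acceptable."""
    problems = []
    if new.endswith(" "):                # the Local Manager strips it and the login would fail
        problems.append("ends with a space")
    if not policy.use_strong_passwords:
        return problems
    lower = new.lower()
    if policy.require_mixed_case and not (any(c.isupper() for c in new) and any(c.islower() for c in new)):
        problems.append("mixed case required")
    if policy.require_numbers_and_punctuation and not (
            any(c.isdigit() for c in new) and any(not c.isalnum() and not c.isspace() for c in new)):
        problems.append("numeral and punctuation required")
    if policy.min_length and len(new) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if policy.reject_login_id_variation and login_id and login_id.lower() in normalize(new):
        problems.append("variation of the login ID")
    if policy.reject_dictionary_word:
        forms = {lower}
        if policy.reject_standard_substitutions:
            forms.add(normalize(new))    # p@$$w0rd -> password
        if any(word in form for form in forms for word in DICTIONARY):
            problems.append("contains a dictionary word")
    if policy.reject_keyboard_sequences and any(row in lower or row[::-1] in lower for row in KEYBOARD_ROWS):
        problems.append("contains a full keyboard row")
    if policy.previous_passwords_to_check and history is not None and history.contains(new):
        problems.append("recently used")
    if policy.reject_single_char_difference and current is not None and edit_distance(current, new) < 2:
        problems.append("fewer than two characters changed")
    return problems
```

With only the dictionary flag on, p@$$w0rd passes; with both the dictionary and the substitution flags on it is rejected, which is exactly the "if both options are selected" case in the table. Calling `check_password(PasswordPolicy(), "alice", "Tr0ub4dor&3")` exercises every restriction at once and returns an empty list.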