ACOS 4.1.1-P11
Management Access and Security Guide
for A10 Thunder® Series and AX™ Series
29 May 2019
© 2019 A10 NETWORKS, INC. CONFIDENTIAL AND PROPRIETARY- ALL RIGHTS RESERVED
Information in this document is subject to change without notice.

PATENT PROTECTION
A10 Networks products are protected by patents in the U.S. and elsewhere. The following website is provided to satisfy the virtual patent marking provisions of various jurisdictions including the virtual patent marking provisions of the America Invents Act. A10 Networks' products, including all Thunder Series products, are protected by one or more of U.S. patents and patents pending listed at:

https://www.a10networks.com/company/legal-notices/a10-virtual-patent-marking

TRADEMARKS
A10 Networks trademarks are listed at:

https://www.a10networks.com/company/legal-notices/a10-trademarks

CONFIDENTIALITY
This document contains confidential materials proprietary to A10 Networks, Inc. This document and information and ideas herein may not be disclosed, copied, reproduced or distributed to anyone outside A10 Networks, Inc. without prior written consent of A10 Networks, Inc.

A10 NETWORKS INC. SOFTWARE LICENSE AND END USER AGREEMENT


Software for all A10 Networks products contains trade secrets of A10 Networks and its subsidiaries and Customer agrees to treat Software as confidential information.

Anyone who uses the Software does so only in compliance with the terms of the End User License Agreement (EULA), provided later
in this document or available separately. Customer shall not:

1. Reverse engineer, reverse compile, reverse de-assemble, or otherwise translate the Software by any means.
2. Sub-license, rent, or lease the Software.

DISCLAIMER
This document does not create any express or implied warranty about A10 Networks or about its products or services, including but not limited to fitness for a particular use and non-infringement. A10 Networks has made reasonable efforts to verify that the information contained herein is accurate, but A10 Networks assumes no responsibility for its use. All information is provided "as-is." The product specifications and features described in this publication are based on the latest information available; however, specifications are subject to change without notice, and certain features may not be available upon initial product release. Contact A10 Networks for current information regarding its products or services. A10 Networks' products and services are subject to A10 Networks' standard terms and conditions.

ENVIRONMENTAL CONSIDERATIONS
Some electronic components may possibly contain dangerous substances. For information on specific component types, please contact the manufacturer of that component. Always consult local authorities for regulations regarding proper disposal of electronic components in your area.

FURTHER INFORMATION
For additional information about A10 products, terms and conditions of delivery, and pricing, contact your nearest A10 Networks
location, which can be found by visiting www.a10networks.com.
Table of Contents

Administrator Accounts ............................................................................................................... 9


Overview of Administrator Accounts ....................................................................................9
Default Administrator Account, “admin” ..................................................................................................9
Default Partition, “shared” ...........................................................................................................................9
Partitioning and Partition Administrators ............................................................................................. 10
Using the GUI to Show Administrator Accounts ................................................................................. 11
Using the CLI to Show Administrator Accounts .................................................................................. 11
Configuration Instructions and Examples ..........................................................................12
Overview ...................................................................................................................................................... 12
Use the GUI to Configure a Global Admin Account ............................................................................ 12
Using the GUI to Configure A Partition Admin Account ..................................................................... 13
Using the CLI to Configure Admin Accounts ....................................................................................... 14
Creating a New Admin Account ....................................................................................................... 14
Changing the Admin Interface (CLI, GUI, and aXAPI) .................................................................. 14
Changing the Read and Write Privileges ........................................................................................ 15
Changing HM (Health Monitor) Privilege ....................................................................................... 15
Changing the Partition Privileges .................................................................................................... 16
Configuring a Trusted Host IP Address .......................................................................................... 16
Deleting an Administrator Account ........................................................................................................ 16
Overview ............................................................................................................................................... 17
Using the GUI to Delete an Administrator Account ..................................................................... 17
Using the CLI to Delete an Administrator Account ...................................................................... 17
Recovering an Administrator Password ............................................................................................... 17
Configuring the Administrator Lockout Feature.................................................................18
Configuring the Administrator Lockout Feature Using the GUI ....................................................... 18
Configuring the Administrator Lockout Feature Using the CLI ........................................................ 19
Enabling Administrator Lockout ...................................................................................................... 19
Changing the Number of Failed Login Attempts Allowed .......................................................... 19
Changing the Lockout Duration ....................................................................................................... 19
Changing the Lockout Reset Time .................................................................................................. 20
Showing the Lockout Status ............................................................................................................ 20
Unlocking a Locked Admin Account ............................................................................................... 20
Additional CLI Reference Information .................................................................................20
Admin Configuration Mode Commands ........................................................................................ 21
Global Configuration Commands in this Chapter ........................................................................ 21

Configuring RBA (Role-Based Access) and Fine Tuning Privileges ............................................ 23


Overview of How RBA Fine Tunes Admin Accounts...........................................................23
Overview ...................................................................................................................................................... 23

page 3
ACOS 4.1.1-P11 Management Access and Security Guide
Contents

RBA Privilege Levels .................................................................................................................................. 24


Object Class Lineage ................................................................................................................................. 25
Longest Match Takes Precedence Rule ............................................................................................... 25
RBA Configuration Examples...............................................................................................25
Configuring an RBA User .......................................................................................................................... 25
Configuring an RBA User Using the GUI ........................................................................................ 26
Configuring an RBA User Using the CLI ......................................................................................... 27
Understanding Object Class Lineage in this Configuration Example ....................................... 29
Configuring an RBA Group ....................................................................................................................... 30
Configuring an RBA Group Using the GUI ...................................................................................... 30
Configuring an RBA Group Using the CLI ...................................................................................... 31
Configuring an RBA Role .......................................................................................................................... 32
Configuring an RBA Role Using the GUI ......................................................................................... 32
Configuring an RBA Role Using the CLI .......................................................................................... 33
Additive and Subtractive Methods ......................................................................................33
Overview ...................................................................................................................................................... 34
Understanding Additive RBA ................................................................................................................... 34
Understanding Subtractive RBA ............................................................................................................. 35
Additional CLI Reference Information .................................................................................35
Overview ...................................................................................................................................................... 36
Global RBA Commands ............................................................................................................................ 36
RBA-Group Configuration Mode Commands ....................................................................................... 36
RBA-Group Partition Configuration Mode Commands ...................................................................... 37
RBA-User Configuration Mode Commands ......................................................................................... 37
RBA-User Partition Configuration Mode Commands ......................................................................... 37

Access Based on the Management Interface ............................................................................. 39


Default Management Access Settings................................................................................39
Configuring Access by Using Access Control Lists ...........................................................40
Configuring ACL Support on the Management Interface .................................................................. 40
Configuring ACL Support on Data Interfaces ....................................................................................... 40
Implicit Deny Rule ...................................................................................................................................... 41
Configuring Management Access Through Ethernet Interfaces .......................................41
Configuring Management Access Using the GUI ............................................................................... 41
Configuring Management Access Using the CLI ................................................................................ 41
Disabling Management Access by Using the CLI ........................................................................ 42
Enabling Management Access by Using the CLI ......................................................................... 42
Viewing the Current Management Access Settings...........................................................42
Regaining Access if You Accidentally Block All Access ....................................................43
Additional CLI Reference Information .................................................................................43

Web Access Configuration ......................................................................................................... 45


Default Web Access Settings ..............................................................................................45
Configuring the Web Access................................................................................................46
Configuring the Web (HTTP) Access by Using the CLI ...................................................................... 46


Public Key Authentication for SSH ............................................................................................. 47


Overview................................................................................................................................47
Generating a Key Pair From the Remote Client ..................................................................47
Importing the Public Key to the ACOS Device ....................................................................48
Deleting a Public Key............................................................................................................49
Additional Reference Information .......................................................................................49

TACACS+ and RADIUS ................................................................................................................ 51


Authentication ......................................................................................................................51
Overview ...................................................................................................................................................... 52
Multiple Authentication Methods ........................................................................................................... 52
Tiered Authentication ................................................................................................................................ 52
Authentication Process ............................................................................................................................ 53
Scenario ................................................................................................................................................ 54
Disabling Local Authentication for the Administrator Account by Using the CLI .................. 56
Token-Based Authentication Support for RADIUS .............................................................................. 57
Configuring Token-Based Authentication for RADIUS ....................................................................... 57
Using the CLI to Configure Token-Based Authentication for RADIUS ..................................... 57
Authorization ........................................................................................................................58
Authorizing User Interface and External Health Monitor Access .................................................... 58
RADIUS Configuration for User Interface and External Health Monitor Access .................... 58
TACACS+ Configuration for User Interface and External Health Monitor Access ................ 59
Authorizing Admin Privileges .................................................................................................................. 60
Compatibility with Privilege Levels Assigned by RADIUS or TACACS+ ................................... 60
RADIUS Configuration for GUI Privileges ....................................................................................... 61
TACACS+ Configuration for GUI Access Roles ............................................................................. 62
Performing Authorization for CLI Access ............................................................................................. 62
Overview ............................................................................................................................................... 62
Disabled Commands for Read-Only Administrators ................................................................... 62
RADIUS CLI Authorization ................................................................................................................. 63
TACACS+ CLI Authorization .................................................................................................................... 64
Overview ............................................................................................................................................... 64
CLI Access Levels ............................................................................................................................... 64
TACACS+ Authorization Debug Options ........................................................................................ 65
Authorization Based on L3V Partitions ................................................................................................. 65
Overview ............................................................................................................................................... 65
RADIUS Configuration for Partition Access .................................................................................. 65
TACACS+ Configuration for Partition Access ............................................................................... 66
LDAP Configuration for Partition Access .............................................................................................. 66
RADIUS Authorization Based on Service-Type .................................................................................... 67
Configuring Accounting Options .........................................................................................67
Overview ...................................................................................................................................................... 68
Command Accounting (TACACS+ only) ............................................................................................... 68
TACACS+ Accounting Debug Options ................................................................................................... 68
Configuring Authentication, Authorization, and Accounting (AAA) for Administrator Access ...................................................69


Configuring Authentication..................................................................................................70
Configuring Remote Authentication by Using the GUI ....................................................................... 70
Configuring Global Authentication Settings on the ACOS Device ............................................. 70
Configuring a RADIUS Server ........................................................................................................... 70
Configuring a TACACS+ Server ........................................................................................................ 71
Configuring an LDAP Server ............................................................................................................. 72
Configuring Remote Authentication by Using the CLI ....................................................................... 73
Additional TACACS+ Authentication Options .....................................................................73
Password Self-Service .............................................................................................................................. 74
Configuring Access to the Privileged EXEC Level ............................................................................... 74
Configuring Access to the Privileged EXEC Level by Using the GUI ......................................... 74
Configuring Access to the Privileged EXEC Level in the CLI ...................................................... 74
Configuring Access to the Privileged EXEC Level by Using the CLI ......................................... 75
TACACS Server Number Increment and the Limitation ..................................................................... 75
Overview ............................................................................................................................................... 75
Known Issues or Limitations ............................................................................................................ 75
Requirements ...................................................................................................................................... 76
Scenario ................................................................................................................................................ 76
GUI ......................................................................................................................................................... 76
CLI .......................................................................................................................................................... 76
aXAPI ..................................................................................................................................................... 76
Important .............................................................................................................................................. 77
CLI Examples ........................................................................................................................77
RADIUS Authentication ............................................................................................................................. 77
TACACS+ Authorization ........................................................................................................................... 77
TACACS+ Accounting ............................................................................................................................... 78
RADIUS Server Setup ................................................................................................................................ 78
Windows IAS Setup for RADIUS ..........................................................................................80
Configuring Windows IAS for ACOS RADIUS Authentication ........................................................... 81
Configuring Access Groups ..................................................................................................................... 81
If the Active Directory is Not Installed ............................................................................................ 81
Configuring RADIUS Client for ACOS Device ........................................................................................ 83
Configuring Remote Access Policies ..................................................................................................... 84
Adding Active Directory Users to ACOS Access Groups ................................................................... 94
Registering the IAS Server in Active Directory ..................................................................................... 95
Configuring RADIUS on the ACOS Device ............................................................................................. 96
Verifying the Configuration ...................................................................................................................... 96
Additional Reference Information .......................................................................................96

Lightweight Directory Access Protocol (LDAP) .......................................................................... 99


LDAP Overview .....................................................................................................................99
Configuring LDAP for ACOS Administrators .......................................................................99
Configuring an LDAP Server ............................................................................................. 100
Configuring an LDAP Server by Using the GUI ..................................................................................100
Configuring an LDAP Server by Using the CLI ...................................................................................102


Configuring an OpenLDAP Server..................................................................................... 103


Overview ....................................................................................................................................................103
A10 Schema File for OpenLDAP ...........................................................................................................104
A10 Administrator Account Files for LDAP ........................................................................................106
Configuring Microsoft Active Directory............................................................................ 107
Overview ....................................................................................................................................................107
Summary ...................................................................................................................................................107
Configuring ACOS Administrator Accounts ..................................................................... 108
Creating a Read-Only Administrator ....................................................................................................108
Testing the Read-Only Administrator Account ..................................................................................109
Configuring a Read-Write Administrator .............................................................................................110
Testing the Read-Write Administrator Account ................................................................................111
A10 LDAP Object Class and Attribute Types ................................................................... 112
Overview ....................................................................................................................................................112
Adding A10 LDAP Attribute Types .......................................................................................................113
Adding the Attribute Type by Using the GUI .......................................................................................114
Adding “a10Admin” to the objectClass ................................................................................................118
Restarting the LDAP Process ................................................................................................................119
Changing the Administrator Role (A10AdminRole) ..........................................................................121
Scenario ..............................................................................................................................................121
Log-in Example ..................................................................................................................................123
Adding L3V Partition Information (A10AdminPartition) ..................................................................124
Scenario ..............................................................................................................................................124
ACOS Configuration ..........................................................................................................................124
LDAP Server Configuration .............................................................................................................125
Log-in Example ..................................................................................................................................125
Changing the Access Type (A10AccessType) ...................................................................................126
Scenario ..............................................................................................................................................126
Log-in Example ..................................................................................................................................127
Additional Information for Reference............................................................................... 128

Command Auditing .................................................................................................................. 129


Overview............................................................................................................................. 129
Enabling and Configuring the Command Auditing .......................................................... 130
Configuring the Command Auditing in the GUI Mode ......................................................................130
Configuring the Command Auditing in the CLI Mode ......................................................................130
Examples for Audit Log ..................................................................................................... 131
Additional Information for Reference............................................................................... 132


Administrator Accounts

This chapter describes how to configure and modify administrator accounts for management access
to ACOS.

The following topics are covered in this chapter:

• Overview of Administrator Accounts

• Configuration Instructions and Examples

• Configuring the Administrator Lockout Feature

• Additional CLI Reference Information

Overview of Administrator Accounts


The following sections are covered in this topic:

• Default Administrator Account, “admin”

• Default Partition, “shared”

• Partitioning and Partition Administrators

• Using the GUI to Show Administrator Accounts

• Using the CLI to Show Administrator Accounts

Default Administrator Account, “admin”


By default, ACOS is provisioned with one administrator account named “admin” and one partition
named “shared.” The default admin account has root access to ACOS. Root access means that “admin”
has read-write privileges to all ACOS objects across all partitions.

Default Partition, “shared”


By default, all configurations run in the shared partition. To run configurations in isolation from each
other, as if they were running on multiple separate ACOS devices, you can create multiple partitions,
called Application Delivery Partitions (ADPs), as illustrated in Figure 1.

FIGURE 1 Application Delivery Partitions

Partitioning and Partition Administrators


The Ethernet interfaces and other physical ACOS objects are configured and run only in the shared partition. All other ACOS objects can be configured and run in any partition.

If an ACOS object is configured in the shared partition, it is available to processes and users of all the ADPs. However, if an ACOS object is created in an ADP, it is available only to processes and users in that ADP. In other words, partitioning allows the ACOS device to be logically segmented to support separate systems for separate customers. This isolates configuration objects and also isolates the administration of those objects.

Each ADP has its own set of Layer 3 - 7 independently running processes. Communication between
partitions is through routed interfaces.

NOTE: ADPs are also called L3V partitions in the ACOS user guides and reference
books.

The section Configuration Instructions and Examples shows how to create administrator accounts.

NOTE: Also see “Configuring Admin Access to Partitions” and “Configuring Partition Admin Accounts” in the Configuring Application Delivery Partitions Guide.


Using the GUI to Show Administrator Accounts


The Users window in the ACOS GUI displays the administrator accounts. Navigate to System >>
Admin >> Users. The following screen capture shows an example of this window for five admin
accounts, one of which is admin, the root admin account:

Using the CLI to Show Administrator Accounts


Use the show admin command to show the administrator accounts. The following example shows the
default admin account plus one other admin account with the username, admin1:

ACOS(config-admin:admin1)# show admin
Total number of configured users: 2
Privilege R: read-only, W: write, P: partition, HM: external health monitor, En: Enable
Access Type C: cli, W: web, A: axapi

UserName    Status   Privilege   Access   UserType   Partition
--------------------------------------------------------------------
admin       Enabled  R/W/HM      C/W/A    Local
admin1      Enabled  P.R/W       C/W/A    Local      companyA


Configuration Instructions and Examples


This topic contains the following sections:

• Overview

• Use the GUI to Configure a Global Admin Account

• Using the GUI to Configure A Partition Admin Account

• Using the CLI to Configure Admin Accounts

• Deleting an Administrator Account

• Recovering an Administrator Password

Overview
The “admin” account has global read/write privileges and can configure additional administrator
accounts with the following settings:

• A username and password

NOTE: Administrator username is case insensitive.

• An IP host or subnet address from which the administrator can log in

• A user interface that the administrator can use (CLI, GUI, or aXAPI)

• Authorization to access and manage External Health Monitor files.

• An L3V partition, if applicable

• An account state (enabled or disabled)

NOTE: If you are configuring an administrator account for an L3V partition, see
“Configuring Partition Admin Accounts” in the Configuring Application
Delivery Partitions guide.

Use the GUI to Configure a Global Admin Account


To configure an administrator account for exampleadmin1 who will have global read and write privileges, perform the following steps:

1. Navigate to System >> Admin >> Users.
2. Click Create. The Create User window appears.


3. Enter exampleadmin1 in the Username field.
4. Enter a password for the new administrator account.
5. Verify that Enable is selected in the Enable field (selected by default).
6. In the Access section, verify that all three user interfaces are selected (they should be selected by default).
7. In the Privilege Type field, to create a global admin account that has access to all partitions, select Global.
8. In the Privilege field, select Read/Write from the drop-down list.
9. Click Create.
10. Return to the Admin table and verify that the new administrator, exampleadmin1, appears in the list.

Using the GUI to Configure A Partition Admin Account


To configure an administrator account that has read and write privileges only in the p-CBM partition,
perform the following steps:

1. Navigate to System >> Admin >> Users.
2. Click Create. The Create User window appears.
3. Enter exampleadmin2 in the Username field.
4. Enter a password for the new administrator account.
5. Verify that Enable is selected in the Enable field (selected by default).
6. In the Access section, verify that all three user interfaces are selected (they should be selected by default).
7. In the Privilege Type field, to create an admin account whose privileges are limited to a single partition, select Partition.
8. In the Privilege field, select Read/Write from the drop-down list.
9. In the Partition Privileges field, select the p-CBM partition from the drop-down list.
10. In the Action box, save the selected partition by clicking the red floppy disk icon.
11. Click the Create button.
12. Return to the Admin table and verify that the new administrator, exampleadmin2, appears in the list.


Using the CLI to Configure Admin Accounts


This section contains the following sub-sections:

• Creating a New Admin Account

• Changing the Admin Interface (CLI, GUI, and aXAPI)

• Changing the Read and Write Privileges

• Changing the Partition Privileges

• Configuring a Trusted Host IP Address

Creating a New Admin Account


1. Specify the admin username and password using the admin command:

ACOS(config)# admin adminuser1 password admin_a10

2. Check the status and privileges of the newly created adminuser1. By default, global read-only privilege is granted to the CLI, the GUI (Web), and the aXAPI:

ACOS(config-admin:adminuser1)# show admin
UserName     Status   Privilege   Access   UserType   Partition
--------------------------------------------------------------------
admin        Enabled  R/W/HM      C/W/A    Local
adminuser1   Enabled  R           C/A      Local

Changing the Admin Interface (CLI, GUI, and aXAPI)


Administrators can manage ACOS through its command line interface (CLI), its graphical user interface
(GUI), or its application program interface (aXAPI).

1. To change the admin interfaces that adminuser1 has access to, enter the access command specifying the allowed interfaces:
ACOS(config-admin:adminuser1)# access cli axapi
Modify Admin User successful!

2. Verify the modified adminuser1:

ACOS(config-admin:adminuser1)# show admin
UserName     Status   Privilege   Access   UserType   Partition
--------------------------------------------------------------------
admin        Enabled  R/W/HM      C/W/A    Local
adminuser1   Enabled  R           C/A      Local


Changing the Read and Write Privileges


1. To modify the global read/write user privileges, enter the privilege command. The option write
includes read:
ACOS(config-admin:adminuser1)# privilege write
Modify Admin User successful!

2. Verify the modified adminuser1:

ACOS(config-admin:adminuser1)# show admin
UserName     Status   Privilege   Access   UserType   Partition
--------------------------------------------------------------------
admin        Enabled  R/W/HM      C/W/A    Local
adminuser1   Enabled  R/W         C/A      Local
ACOS(config-admin:adminuser1)#

Changing HM (Health Monitor) Privilege


HM privilege enables an administrator to access and manage External Health Monitor files. An account with write privilege that does not include HM privilege cannot import, edit, create, or delete External Health Monitor files.

By default, only the ACOS root admin is authorized for HM privilege. It should be enabled only for other admins sufficiently trusted to perform these operations without malicious purpose or malicious content, which could otherwise compromise security in the ACOS system and its deployed environment.

For deployments using the external health monitor feature, the most secure configuration is to not enable this privilege for configured admins and to have all health monitor file operations performed by the ACOS root admin.

Deployments not using the external health monitor feature of ACOS should avoid enabling this privilege for any admins.

For more information, see Authorization (page 61), A10 Schema File for OpenLDAP (page 101), and the Application Delivery and Server Load Balancing Guide (Using External Health Methods section).

1. To authorize external health monitor privileges, in addition to all read/write access, enter the privilege hm command:
ACOS(config-admin:adminuser1)# privilege hm
Modify Admin User successful!

2. Verify the modified adminuser1:


ACOS(config-admin:adminuser1)# show admin
UserName     Status   Privilege   Access   UserType   Partition
--------------------------------------------------------------------
admin        Enabled  R/W/HM      C/W/A    Local
adminuser1   Enabled  R/W/HM      C/A      Local

Changing the Partition Privileges


1. To set per-partition enable-disable user privileges, remove the global privileges and enter the privilege command with the name of the partition:
ACOS(config-admin:adminuser1)# no privilege write
Modify Admin User successful!
ACOS(config-admin:adminuser1)# privilege partition-enable-disable Partition1
Modify Admin User successful!

2. Verify the modified adminuser1:

ACOS(config-admin:adminuser1)# show admin
UserName     Status   Privilege   Access   UserType   Partition
--------------------------------------------------------------------
admin        Enabled  R/W/HM      C/W/A    Local
adminuser1   Enabled  P.En        C/A      Local      Partition1

Configuring a Trusted Host IP Address


1. To set up a trusted host IP, enter the trusted-host command:

ACOS(config-admin:adminuser1)# trusted-host 255.255.255.255 /24

2. To disable adminuser1, enter the disable command:

ACOS(config-admin:adminuser1)# disable adminuser1
Modify Admin User successful!

Deleting an Administrator Account


This topic contains the following sections:

• Overview

• Using the GUI to Delete an Administrator Account

• Using the CLI to Delete an Administrator Account


Overview
An administrator with root privileges can delete other administrator accounts.

Before you delete an administrator account, complete the following tasks:

• Determine whether the administrator has active sessions.

• Clear any sessions the administrator has open.

To delete an admin account, you first must terminate any active sessions the administrator
account has open. The account is not deleted if open sessions exist.

Using the GUI to Delete an Administrator Account


To delete an administrator account:

1. Navigate to System >> Admin >> Users.
2. Select the checkbox next to the administrator name that you want to delete.
3. Click Delete.

Using the CLI to Delete an Administrator Account


To delete an admin account, enter the no admin command with the username of the administrator.

ACOS(config)# no admin adminuser1

Recovering an Administrator Password


This section describes how to recover access if the admin password is lost.

This procedure can only be performed through the serial console, and only within the first five minutes after rebooting the ACOS device.

1. Use the show version or show hardware command and record the serial number of your device.
2. Reboot the ACOS device.
3. Connect to the serial console.
4. When prompted for the user name and password, enter the following:
User Name: reset
Password: serial number for your device


Use the serial number recorded in step 1, or locate the serial number on the rear of your ACOS device.
5. After logging in, the CLI presents the following questions:
a. Do you want to reset admin password to default?[y/n]:
Answering y to this question resets the admin user name and password to the factory default, admin and a10.
b. Do you want to reset enable password to default?[y/n]:
Answering y to this question resets the enable password to the factory default, which is no password.
c. Do you want to erase startup config?[y/n]:
Answering y to this question clears the startup config, thus returning the device to its factory default settings.

CAUTION: Answering y to this question means you must reconfigure the device.

6. Answer y to the first question so that you can log on to the device; answer the other two questions as desired for your needs.
7. After you log on to the device, change the admin password for security purposes.

Configuring the Administrator Lockout Feature


This topic contains the following sections:

• Configuring the Administrator Lockout Feature Using the GUI

• Configuring the Administrator Lockout Feature Using the CLI

Administrator lockout occurs after a number of failed login attempts. This topic shows how to enable
this feature and specify the parameters that determine how it operates.

By default, administrator lockout is not enabled and there is no limit to the number of times you can
enter an incorrect password with an administrator account to log in.

Configuring the Administrator Lockout Feature Using the GUI


1. Navigate to System >> Admin >> Users.
2. Click the Lockout tab. The Lockout Policy window appears.


3. Enter values in the Duration, Threshold and Reset Time fields. These fields determine the
parameters of the administrator lockout feature.
4. After you have entered values, select the Enable checkbox and click OK.

Configuring the Administrator Lockout Feature Using the CLI


This topic contains the following sections:

• Enabling Administrator Lockout

• Changing the Number of Failed Login Attempts Allowed

• Changing the Lockout Duration

• Changing the Lockout Reset Time

• Showing the Lockout Status

• Unlocking a Locked Admin Account

Enabling Administrator Lockout


To enable this feature, enter the following command. Once enabled, the feature uses the default threshold, duration, and reset time described in the following sections unless you change them.

ACOS(config)# admin-lockout enable

Changing the Number of Failed Login Attempts Allowed


By default, the user is locked out after 5 failed login attempts. To change this number, use the admin-lockout threshold command as in the following example.

To lock an administrator account after 15 failed attempts, enter the following command:

ACOS(config)# admin-lockout threshold 15

Changing the Lockout Duration


By default, the user is locked out for 10 minutes. To change this number, use the admin-lockout duration command as in the following examples.

To lock an administrator account for 15 minutes, enter the following command:


ACOS(config)# admin-lockout duration 15

To lock an administrator account permanently or until the root administrator unlocks the account,
enter the following command:

ACOS(config)# admin-lockout duration 0

Changing the Lockout Reset Time


By default, failed login attempts are forgotten after 10 minutes. Any failed login attempt older than the reset time is not counted toward the threshold. To change this value, use the admin-lockout reset-time command as in the following example:

ACOS(config)# admin-lockout reset-time 10

Showing the Lockout Status


To view the lockout status of the account for adminuser1, enter the following command:

ACOS(config)# show admin adminuser1 detail

Unlocking a Locked Admin Account


To unlock an admin account, access the configuration level for the admin, then enter the unlock com-
mand:

ACOS(config)# admin adminuser1


ACOS(config-admin:adminuser1)# unlock
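How the threshold, duration, and reset-time settings of this section interact is easiest to see by running them against a sequence of failed logins. The following Python model is an added example; it is not ACOS code and not part of this guide. The defaults, the meaning of duration 0, and the case-insensitive username come from this chapter; the per-admin bookkeeping (a list of failure timestamps pruned by the reset time, and the unlock command clearing that list) is an assumption made for illustration. Time is a plain count of minutes so the scenarios run offline.

```python
"""Model of the admin-lockout policy (threshold, duration, reset-time) from this
chapter. Added example, not ACOS code: the per-admin bookkeeping is an
assumption made for illustration. Time is a plain count of minutes."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

PERMANENT = float("inf")          # admin-lockout duration 0: locked until unlocked


@dataclass
class LockoutPolicy:
    enabled: bool = False         # admin-lockout enable (off by default)
    threshold: int = 5            # admin-lockout threshold (default 5 failures)
    duration_min: int = 10        # admin-lockout duration (default 10 minutes; 0 = permanent)
    reset_time_min: int = 10      # admin-lockout reset-time (default 10 minutes)


@dataclass
class AdminState:
    failures: List[float] = field(default_factory=list)   # minute stamps of recent failures
    locked_until: Optional[float] = None                  # None when not locked


class LockoutTracker:
    def __init__(self, policy: LockoutPolicy) -> None:
        self.policy = policy
        self.admins: Dict[str, AdminState] = {}

    def _state(self, name: str) -> AdminState:
        # Administrator usernames are case insensitive (stated in this chapter)
        return self.admins.setdefault(name.lower(), AdminState())

    def is_locked(self, name: str, now: float) -> bool:
        st = self._state(name)
        if st.locked_until is not None and now >= st.locked_until:
            st.locked_until = None         # lockout duration has expired
            st.failures.clear()
        return st.locked_until is not None

    def record_failure(self, name: str, now: float) -> bool:
        """Record one failed login at minute `now`; return True if the account is now locked."""
        if self.is_locked(name, now):
            return True
        if not self.policy.enabled:
            return False                   # feature disabled: no limit on attempts
        st = self._state(name)
        # Failures older than reset-time no longer count toward the threshold
        st.failures = [t for t in st.failures if now - t < self.policy.reset_time_min]
        st.failures.append(now)
        if len(st.failures) >= self.policy.threshold:
            st.locked_until = (PERMANENT if self.policy.duration_min == 0
                               else now + self.policy.duration_min)
            return True
        return False

    def unlock(self, name: str) -> None:
        """Counterpart of the 'unlock' command in admin configuration mode (assumed to clear the counter)."""
        st = self._state(name)
        st.locked_until = None
        st.failures.clear()


def demo() -> Dict[str, bool]:
    """Exercise the scenarios in this section; each value should be True."""
    out: Dict[str, bool] = {}
    off = LockoutTracker(LockoutPolicy(enabled=False))
    out["disabled_never_locks"] = not any(off.record_failure("adminuser1", m) for m in range(20))

    # admin-lockout threshold 15 / duration 15: the 15th failure locks for 15 minutes
    t = LockoutTracker(LockoutPolicy(enabled=True, threshold=15, duration_min=15))
    hits = [t.record_failure("AdminUser1", 0.1 * i) for i in range(15)]
    out["locked_on_15th"] = hits[14] and not hits[13]
    out["still_locked_at_10"] = t.is_locked("adminuser1", 10)
    out["free_at_17"] = not t.is_locked("adminuser1", 17)

    # reset-time 10: four failures, a gap longer than reset-time, four more: never locked
    r = LockoutTracker(LockoutPolicy(enabled=True))
    for m in list(range(4)) + list(range(20, 24)):
        r.record_failure("adminuser1", m)
    out["reset_prevents_lock"] = not r.is_locked("adminuser1", 24)

    # admin-lockout duration 0: locked until the root administrator unlocks the account
    p = LockoutTracker(LockoutPolicy(enabled=True, duration_min=0))
    for m in range(5):
        p.record_failure("adminuser1", m)
    out["permanent_until_unlock"] = p.is_locked("adminuser1", 60 * 24 * 365)
    p.unlock("adminuser1")
    out["unlock_clears"] = not p.is_locked("adminuser1", 60 * 24 * 365)
    return out


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The reset-time scenario is the one worth noting when choosing values: a threshold only counts failures that fall inside one reset window, so a reset time shorter than the interval between attempts never locks the account.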

Additional CLI Reference Information


This topic contains the following sections:

• Admin Configuration Mode Commands


• Global Configuration Commands in this Chapter

This section lists commands that are relevant to the examples and instructions of this chapter.

NOTE: Additional information is found in the Command Line Interface Reference.

Admin Configuration Mode Commands


The following commands are accessed in the admin configuration level (also called admin configuration mode). To access this level, enter the configure command followed by the admin command. The CLI prompt “ACOS(config-admin:adminuser1)#” seen in the following example shows that you have entered this level for the administrator name adminuser1:

ACOS# configure
ACOS(config)# admin adminuser1
ACOS(config-admin:adminuser1)#

The following CLI commands are available in the admin configuration mode:

access        Config access type
password      Config admin user password
privilege     Config admin user privilege
ssh-pubkey    Config openssh authorized public keys management
trusted-host  Set trusted network administrator can login in
unlock        Unlock admin user
enable        Enable user
disable       Disable user

Global Configuration Commands in this Chapter


The admin-lockout command is accessed in the global configuration level (also called global configuration mode). To access this level, enter the configure command. The CLI prompt “ACOS(config)#” seen in the following example shows that you have entered this level:

ACOS# configure
ACOS(config)# admin adminuser1

The following global configuration commands are relevant to the features configured in this chapter:

admin
admin-lockout

Configuring RBA (Role-Based Access) and Fine Tuning Privileges

Role-Based Access (RBA) provides the ability to fine-tune the permissions and privileges of admin
accounts.

An RBA role is a named bundle of individual administrative privileges that can be bound collectively, like
a template, to admin accounts. Using roles provides a consistent and efficient method of setting the
privileges of administrators that have similar roles or the same role.

An RBA group is a named collection of individual admin accounts that can be bound either to individual
privileges or to RBA roles or both.

Because you can bind individual privileges to admin accounts upon which a role is also bound, you can
insert individual differences in privilege as needed.

The following topics are covered in this chapter:

• Overview of How RBA Fine Tunes Admin Accounts

• RBA Configuration Examples

• Additive and Subtractive Methods

• Additional CLI Reference Information

Overview of How RBA Fine Tunes Admin Accounts


The following sections are covered in this topic:

• Overview

• RBA Privilege Levels

• Object Class Lineage

• Longest Match Takes Precedence Rule

Overview
Before you can fine tune your admin accounts using RBA, consider the following:


• The admin user accounts must be created before they can be fine tuned using RBA. See Configuration Instructions and Examples for instructions.
• If you plan to use an RBA role, it must be configured before it can be bound to admin accounts.

1. Enable RBA.
2. Create RBA user(s) with the same name(s) as existing admin accounts. Optionally, create an RBA group that includes multiple admin accounts.
3. Specify the partition for the RBA user or group. You can specify the shared partition in this step.

NOTE: RBA privileges for users or groups must be set per partition, including the shared partition. The shared partition is described in the Configuring Application Delivery Partitions guide.

4. Inside the partition, bind individual privileges or an RBA role to the RBA user or group.
You can configure privileges explicitly using the lineage of the object class with the permitted operation (for example, slb.virtual-server read), or you can specify a role (for example, role1). See Object Class Lineage for instructions on using object class lineage for RBA privileges. A role is a collection of explicitly specified privileges. See Configuring an RBA Role for instructions on configuring RBA roles.
5. RBA users and groups can have privileges in multiple partitions. Optionally, repeat steps 3 and 4 for additional partitions.

RBA Privilege Levels


Table 1 defines the privilege levels that can be configured using RBA:

TABLE 1 RBA Privilege Levels

Privilege            Description
-------------------  -------------------------------------------------------------------
No-Access (Hidden)   The ACOS object at this privilege level does not appear in the
                     show running-config command output. The command or operation that
                     configures or operates on the object is hidden from the user or group.
Read                 The ACOS object at this privilege level appears in the show running-config
                     command output, and all instances of the object appear. The command or
                     operation that configures or operates on the object is hidden from the
                     user or group.
Write                Users and groups with this privilege level have complete access to the
                     ACOS object and its instances. They can change, add to, and delete the
                     object instance configurations using GUI operations or CLI commands. The
                     output of the show running-config command displays the object and its
                     instances.


Object Class Lineage


When you configure the RBA privileges of a user or a role, the first part of each privilege is the object class lineage: a dot-separated string that identifies the ACOS object to which the permitted operation applies. For example, slb.template.virtual-server means that the permitted operation applies to the ACOS SLB Virtual-Server Template configuration and operation. The permitted operation might be read, write, or enable/disable. If the permitted operation is read, the admin cannot configure virtual server templates, but can view their status and configurations.

If you specify slb as the lineage, the permitted operation associated with slb applies to all the various types of SLB objects in ACOS.

The next section describes what happens if you configure multiple lineages and multiple permitted operations for the same user (or role).

Longest Match Takes Precedence Rule


When specifying ACOS objects, each level in the object hierarchy is separated from the next level by a dot (.).

For example, slb.template.virtual-server is a third-level object, while slb.template is a second-level object. Objects at the third level are more specific than objects at the second level. The third-level object, slb.template.virtual-server, is said to be “longer” because it has two dots separating three names, as opposed to slb.template, which has only one dot separating two names.

Privileges for a longer (and more specific) object take precedence over those for a shorter and less specific ACOS object.

RBA Configuration Examples


The following sections are covered in this topic:

• Configuring an RBA User

• Configuring an RBA Group

• Configuring an RBA Role

Configuring an RBA User


This section provides instructions for configuring RBA users. The RBA user name must be an exact
match of an existing admin user who can be authenticated either locally or remotely using LDAP,
RADIUS, or TACACS+.


NOTE: See Configuration Instructions and Examples for step-by-step configuration of admin users.

This section contains the following sub-sections:

• Configuring an RBA User Using the GUI

• Configuring an RBA User Using the CLI

• Understanding Object Class Lineage in this Configuration Example

Configuring an RBA User Using the GUI


In this example, an RBA user called admin1 is created. In partition companyA, this user will have write access to SLB operations, but will be limited to read-only access to SLB virtual-servers and no access to SLB servers:

1. Navigate to System >> Admin >> Users.
2. Select Users from the drop-down list of the RBA tab.
3. Click Create. The Create RBA User window appears.
4. In the Name field, enter admin1.
5. In the Rule List field, click the +Add box.
a. Select companyA from the Partition drop-down list.
b. Select slb from the Object drop-down list.
c. Select write from the Operation drop-down list.
d. In the Action box, save the configured rule by clicking the red floppy disk icon.
6. In the Rule List field, click the +Add box again.
a. Select companyA from the Partition drop-down list.
b. Select slb.virtual-server from the Object drop-down list.
c. Select read from the Operation drop-down list.
d. In the Action box, save the configured rule by clicking the red floppy disk icon.

NOTE: To configure an RBA role, follow the same steps as configuring an RBA user, but in the second step select Role from the drop-down list of the RBA tab.

7. In the Rule List field, click the +Add box again.
a. Select companyA from the Partition drop-down list.
b. Select slb.server from the Object drop-down list.
c. Select no-access from the Operation drop-down list.
d. In the Action box, save the configured rule by clicking the red floppy disk icon.
8. Click the Create button to save the new administrator account.


NOTE: Because of the Longest Match Takes Precedence Rule described earlier in this chapter, admin1 does not have write access to SLB virtual-servers and has no access to SLB real servers. However, for all other SLB objects in ACOS, the admin1 account has read/write access.

NOTE: If there is a configured RBA role that specifies all the permissions that
you want to grant the user, you can apply the role at the partition level
rather than configuring each privilege separately by using the Role List
field instead of the Rule List field on this screen (see Configuring an
RBA Role).

Configuring an RBA User Using the CLI


1. Select an existing admin user account to which to add RBA attributes. See Using the CLI to Configure Admin Accounts for a step-by-step configuration of admin user accounts:

ACOS(config)# admin admin1 password admin_a10
Total number of configured users: 3
Privilege R: read-only, W: write, P: partition, En: Enable
Access Type C: cli, W: web, A: axapi

UserName     Status   Privilege   Access   Partition
--------------------------------------------------------------------
admin        Enabled  R/W         C/W/A
adminuser1   Enabled  P.R/W       C/W/A    Partition1
adminuser2   Enabled  P.R/W       C/W/A    Partition2

2. Enable RBA.

ACOS(config)# rba enable

3. Create the RBA user with the same name as the existing admin user.

ACOS(config)# rba user adminuser1

4. Specify the admin partition of the RBA user. If the admin partition does not already exist for the
administrator, this step assigns the RBA user to it.

ACOS(config-user:adminuser1)# partition Partition1

5. Configure the RBA privileges for the user in the partition using the object class lineage syntax. Alternatively, you can assign privileges using RBA roles; see step 6.


Specify the privileges by starting with the highest CLI level and then using a dot (.) to indicate the next level.
In the following, the first configuration line gives adminuser1 read-write privileges to all SLB commands, the second line gives the user read-only privilege to the SLB virtual-server commands, and the third line gives the user no-access to SLB real server commands:

ACOS(config-user:adminuser1-partition:Partition1)# slb write
ACOS(config-user:adminuser1-partition:Partition1)# slb.virtual-server read
ACOS(config-user:adminuser1-partition:Partition1)# slb.server no-access

Use the show config rba command to verify this configuration:

ACOS(config-user:adminuser1-partition:Par...)# show config rba
!Section configuration: 104 bytes
!
rba user adminuser1
partition Partition1
slb write
slb.virtual-server read
slb.server no-access

6. Alternatively to step 5, if a configured RBA role or roles (see Configuring an RBA Role) specify all the privileges that you want to grant the user, you can apply the role at the partition level rather than configuring each privilege separately. For example:

ACOS(config)# rba user adminuser1
ACOS(config-user:adminuser1)# partition Partition1
ACOS(config-user:adminuser1-partition:Partition1)# role role1

Use the show config rba command to verify this configuration:

ACOS(config-user:adminuser1-partition:Par...)# show config rba
!Section configuration: 147 bytes
!
!
rba role role1
slb write
slb.virtual-server read
slb.server no-access
!
rba user adminuser1
partition Partition1
role role1


Understanding Object Class Lineage in this Configuration Example


The following slb write command gives adminuser1 read-write privilege to SLB commands.

ACOS(config-user:adminuser1-partition:Partition2)# slb write

To restrict the user to a subset of options available at the command level, enter a dot (.) followed by a keyword option. For example, the following commands restrict adminuser1 to read-only access to the slb virtual-server commands and no access to slb server commands, but do not restrict the use of other slb commands.

ACOS(config-user:adminuser1-partition:Partition2)# slb.virtual-server read
ACOS(config-user:adminuser1-partition:Partition2)# slb.server no-access

NOTE: Longest match takes precedence. The longer and more specific slb.virtual-server and slb.server command lineages take precedence over the less specific and shorter slb command lineage.

The following example configures RBA for user adminuser3. In partition Partition1, this user has read privileges for SLB virtual server objects (that is, commands), write privileges for SLB server objects, but no access to all other SLB objects. In partition Partition2, this user has all privileges defined by RBA role role1:

ACOS# show config rba user adminuser3
!
rba user adminuser3
partition Partition1
slb no-access
slb.server write
slb.virtual-server read
partition Partition2
role role1
!

NOTE: The keyword root in a privilege command specifies the root level of the
CLI command set. Root includes the entire set of ACOS commands. The
default admin user has root read-write privileges.


Configuring an RBA Group


An RBA group combines admin users who can be configured with similar privileges. When you modify
the permissions in a partition for an RBA group, the permissions are applied to all of the users in that
group.

After creating a group, select the users to add to the group or select a partition for which you want to
modify the permissions. You can add users at any time, so you do not need to create users before cre-
ating the group; if you specify a user that does not already exist, the user will be created along with the
group. The group’s permissions are configurable for multiple partitions, although each partition must
be configured separately.

This section contains the following sub-sections:

• Configuring an RBA Group Using the GUI

• Configuring an RBA Group Using the CLI

Configuring an RBA Group Using the GUI


This example shows how to configure a group containing two pre-existing users on the system. In partition
companyA, all users in the group will have write access to SLB operations and read-only privileges for SLB
virtual-server operations, but no access to SLB server operations.

1. Navigate to System >> Admin >> Users.


2. Select the RBA tab, then select Groups from the drop-down list.
3. Click Create. The Create Group window appears.
4. In the Name field, enter group1.
5. In the User field, select the check box for the existing user, admin1.
6. In the Rule List field, click the +Add box.
a. Select companyA from the Partition drop-down list.
b. Select slb from the Object drop-down list.
c. Select write from the Operation drop-down list.
d. In the Action box, save the configured rule by clicking the red floppy disk icon.
7. Repeat step 6 to add read-only privileges for SLB virtual-server operations, but no access to SLB
server operations.
8. If there is a configured RBA role that specifies all the permissions that you want to grant the user,
you can apply the role at the partition level rather than configuring each privilege separately by
using the Role List field instead of the Rule List field on this screen (see Configuring an RBA
Role).


9. Click Create to create group1 in partition companyA.

Configuring an RBA Group Using the CLI


To create an RBA group, enter the rba group command at the global configuration level, add the admin
users to the group, and then specify the group's privileges for each partition.

1. Enable RBA:

ACOS(config)# rba enable

2. Select existing admin user accounts to which to add RBA attributes. See Using the CLI to Configure
Admin Accounts for a step-by-step configuration of admin user accounts. In this example, create an
RBA group that includes both adminuser2 and adminuser3:

ACOS(config)# rba group group1


ACOS(config-group:group1)# user adminuser2
ACOS(config-group:group1)# user adminuser3

3. Specify a partition for the RBA group.

ACOS(config-group:group1)# partition Partition2

4. Configure the RBA privileges for the group.

ACOS(config-group:group1-partition:Partition2)# role role1

5. Verify the RBA group configuration:

ACOS(config-group:group1-partition:Partit...)# show config rba


!Section configuration: 226 bytes
!
!
rba role role1
slb write
slb.virtual-server read
slb.server no-access
!
rba group group1
user adminuser2
user adminuser3
partition Partition2
role role1
!


NOTE: User privileges take precedence over group privileges. An individual user’s
privileges whether assigned by role or individually take precedence over
the group privileges whether assigned by role or individually.

Configuring an RBA Role


An RBA role is a named set of operations or commands that an admin user or group of users has per-
mission or does not have permission to access. Creating an RBA role profile can help simplify the man-
agement of permissions. The privileges defined in the role can be applied to any user or any group;
when applied to a group, the permissions in the role apply to all members of the group. You can assign
multiple roles to an admin user or group.

The following topics are included:

• Configuring an RBA Role Using the GUI

• Configuring an RBA Role Using the CLI

Configuring an RBA Role Using the GUI


1. Navigate to System >> Admin >> Users.
2. Select the RBA tab, then select Roles from the drop-down list.
3. Click Create and the Create RBA Role window appears.
4. In the Name field, enter slb1.
5. In the Rule List field, click the +Add box.
a. Select companyA from the Partition drop-down list.
b. Select slb from the Object drop-down list.
c. Select write from the Operation drop-down list.
d. In the Action box, save the configured rule by clicking the red floppy disk icon.
6. Repeat step 5 to add read-only privileges for SLB virtual-server operations, but no access to SLB
server operations.
7. Click Create to create and save the role, slb1, in partition companyA.

Because longest match takes precedence, admin users that are assigned the role slb1:

• have permission to create, edit, or delete all ACOS SLB objects (such as slb configuration
commands) except SLB virtual servers and SLB (real) servers.


• have permission to view the configuration and status of SLB virtual servers.

• have permission to neither configure nor view SLB (real) servers.

Configuring an RBA Role Using the CLI


The following example illustrates the commands used to create the role named role1.

Specify the privileges by starting with the highest level and enter a dot (.) to indicate the next level. For
example, to configure write access at the SLB command level, read-only privileges for SLB virtual
servers, but no access to SLB servers, enter the following commands:

ACOS(config)# rba role role1


ACOS(config-role:role1)# slb write
ACOS(config-role:role1)# slb.virtual-server read
ACOS(config-role:role1)# slb.server no-access

Because longest match takes precedence, admin users that are assigned the role role1:

• have permission to create, edit, or delete all ACOS SLB objects (such as slb configuration
commands) except SLB virtual servers and SLB (real) servers.

• have permission to view the configuration and status of SLB virtual servers.

• have permission to neither configure nor view SLB (real) servers.

NOTE: Individual privileges take precedence over role privileges. If the user or group
has individual permissions defined in addition to the role, a combination
of the individual and role permissions are applied. If there are conflicting
privileges between a group’s uniquely configured privileges and an RBA
role’s privileges, the group’s unique privileges are used.

Additive and Subtractive Methods


This topic contains the following sections:

• Overview

• Understanding Additive RBA

• Understanding Subtractive RBA


Overview
There are two ways in which you can configure object privileges using RBA:

• Additive RBA, which is more useful for granting admins privileges to access certain objects. For
more information, see Understanding Additive RBA.
• Subtractive RBA, which is more useful for denying admins privileges to access certain objects.
For more information, see Understanding Subtractive RBA.

Understanding Additive RBA


An existing admin user with write privileges is able to create, edit, or delete any object. The additive
method of RBA involves the following:

1. Use the root no-access command to override the default write privileges of the admin, thus
removing all of the admin's create, edit, and delete privileges.
2. Use RBA commands to selectively add back the desired privileges.

Consider the following example with admin admin_so who has write privileges by default. The admin is
able to create a health monitor with the default privileges:

ACOS(config)# health monitor hm1


ACOS(config-health:monitor)# exit
ACOS(config)#

The RBA configuration will remove all of the default write privileges (root no-access), and allow only
creation of SLB objects (slb write):

ACOS(config)# rba user admin_so


ACOS(config-user:admin_so)# partition shared
ACOS(config-user:admin_so-partition:shared)# root no-access
ACOS(config-user:admin_so-partition:shared)# slb write

When admin_so tries to configure a health monitor again, they will not be able to:

ACOS(config)# health monitor hm1


Access Denied
ACOS(config)#

But admin_so is able to configure SLB objects, as defined by the RBA configuration:


ACOS(config)# slb server rs1 192.168.9.9


ACOS(config-real server)#

The user admin_so had their default write privileges removed, and SLB privileges added back to their
profile.

Understanding Subtractive RBA


An existing admin user with write privileges is able to create, edit, or delete any object. The subtractive
method of RBA selectively removes a subset of these privileges. Consider the following example with
admin_nt, who has default write privileges. This user is able to view SLB templates in the show running-config
output:

ACOS(config)# show run | inc slb tem


slb template ftp FTP_TEMP1
slb template ftp FTP_TEMP2
slb template HTTP HTTP_TEMP1
...

Now, we add the RBA configuration to give no-access privileges to user admin_nt for SLB templates:

ACOS(config)# rba user admin_nt


ACOS(config-user:admin_nt)# partition shared
ACOS(config-user:admin_nt-partition:shared)# slb.template no-access

When admin_nt tries to run the show command again, no SLB templates are visible:

ACOS(config)# show run | inc slb tem


ACOS(config)#

The admin admin_nt will still have all normal privileges to create, edit, or delete all other objects on the
device, just not SLB templates as this has been subtracted from the user’s privileges.
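The rules this chapter states (longest lineage match wins, a user's settings take precedence over the group's, individually configured rules over role rules, and the additive and subtractive methods above) can be modelled in a few lines. The following Python is an added illustration written for this page, not A10 code. Its rule sets are the ones from the examples in this chapter; the one thing it assumes beyond the guide is the order in which the four rule sources are merged, since the guide states the precedences but not how they combine with longest match.

```python
# Added example (editor's illustration, not A10 code): a model of how ACOS
# resolves an RBA privilege for a command from the rules in the guide:
# longest object-class lineage wins, "root" covers the whole command set,
# a user's own rules beat the user's role, and user settings beat group
# settings.  How ACOS combines source precedence with longest match is not
# spelled out in the guide; the merge order below is an assumption.
from typing import Dict, Optional

LEVELS = ("no-access", "read", "write")
Rules = Dict[str, str]  # object-class lineage -> privilege level

# Rule sets taken from the guide's examples.
ROLE1: Rules = {"slb": "write", "slb.virtual-server": "read", "slb.server": "no-access"}
ADMINUSER3_P1: Rules = {"slb": "no-access", "slb.server": "write", "slb.virtual-server": "read"}
ADMIN_SO: Rules = {"root": "no-access", "slb": "write"}   # additive method
ADMIN_NT: Rules = {"slb.template": "no-access"}           # subtractive method


def longest_match(rules: Rules, lineage: str) -> Optional[str]:
    """Level of the longest rule lineage that is a prefix of `lineage`, else None.

    For "slb.virtual-server.port" the candidates are tried most-specific first:
    "slb.virtual-server.port", "slb.virtual-server", "slb", then "root".
    """
    parts = lineage.split(".")
    for n in range(len(parts), 0, -1):
        candidate = ".".join(parts[:n])
        if candidate in rules:
            return rules[candidate]
    return rules.get("root")


def effective_rules(user_rules: Optional[Rules] = None, user_role: Optional[Rules] = None,
                    group_rules: Optional[Rules] = None, group_role: Optional[Rules] = None) -> Rules:
    """Merge the rule sources for one partition, lowest precedence first.

    A later source overwrites an earlier one for the same lineage, which
    encodes "user beats group" and "individual rules beat role rules".
    Assumption: precedence is settled per lineage and longest match is then
    applied to the merged set.
    """
    merged: Rules = {}
    for source in (group_role, group_rules, user_role, user_rules):
        if source:
            merged.update(source)
    return merged


def check(lineage: str, default: str = "write", **sources: Optional[Rules]) -> str:
    """Resolve the privilege level for a command lineage.

    `default` is the account's base privilege: an admin created with write
    privileges keeps it wherever no RBA rule (not even "root") matches.
    """
    level = longest_match(effective_rules(**sources), lineage)
    return level if level is not None else default


def allowed(operation: str, lineage: str, **sources: Optional[Rules]) -> bool:
    """True if the resolved level is at least `operation` ("read" or "write")."""
    return LEVELS.index(check(lineage, **sources)) >= LEVELS.index(operation)


if __name__ == "__main__":
    for who, sources in (("role1", {"user_role": ROLE1}),
                         ("adminuser3/Partition1", {"user_rules": ADMINUSER3_P1}),
                         ("admin_so (additive)", {"user_rules": ADMIN_SO}),
                         ("admin_nt (subtractive)", {"user_rules": ADMIN_NT})):
        for cmd in ("slb.server", "slb.virtual-server", "slb.template.http", "health.monitor"):
            print(f"{who:24} {cmd:20} -> {check(cmd, **sources)}")
```

Running it reproduces the outcomes shown in this chapter: under role1, slb.template.http resolves to write while slb.server is no-access; admin_so is denied health monitor configuration but can create SLB servers; admin_nt loses only the slb.template lineage. The merge order also shows why a group-level slb.server no-access cannot override a user's own slb.server rule.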

Additional CLI Reference Information


This topic contains the following sections:


• Overview

• Global RBA Commands

• RBA-Group Configuration Mode Commands

• RBA-Group Partition Configuration Mode Commands

• RBA-User Configuration Mode Commands

• RBA-User Partition Configuration Mode Commands

Overview
The following commands are described in the Command Line Interface Reference.

NOTE: The clear, do, end, exit, no, show, user-tag, and write commands are not shown in the
following because they are common to all CLI modes and not specific to any configuration
mode.

Global RBA Commands


The rba command at the global configuration level has the following options:

ACOS(config)# rba ?
group RBA configuration for a group
role Role configuration for RBA support
user RBA configuration for a user
enable Enable RBA
disable Disable RBA

RBA-Group Configuration Mode Commands

ACOS(config)# rba group group1


ACOS(config-group:group1)# ?
partition RBA configuration for the access privilege of a group within
one partition
user Users in the group


RBA-Group Partition Configuration Mode Commands

ACOS(config)# rba group group1


ACOS(config-group:group1)# partition Partition1
ACOS(config-group:group1-partition:Partit...)# ?
role Role in a given partition
NAME<length:1-128> Lineage of object class for permitted operation

RBA-User Configuration Mode Commands

ACOS(config)# rba user useradmin1

ACOS(config-user:useradmin1)# ?
partition RBA configuration for the access privilege of a user within one partition

RBA-User Partition Configuration Mode Commands

ACOS(config)# rba user adminuser1


ACOS(config-user:adminuser1)# partition Partition1
ACOS(config-user:adminuser1-partition:Partit...)# ?
role Role in a given partition
NAME<length:1-128> Lineage of object class for permitted operation


Access Based on the Management Interface

By default, certain types of management access through the ACOS device’s Ethernet interfaces are
blocked.

The following topics are covered in this chapter:

• Default Management Access Settings

• Configuring Access by Using Access Control Lists

• Configuring Management Access Through Ethernet Interfaces

• Viewing the Current Management Access Settings

• Regaining Access if You Accidentally Block All Access

• Additional CLI Reference Information

This chapter describes how to configure management access based on the interface.

Default Management Access Settings


Table 2 provides the default settings for each management service.

TABLE 2 Default Management Access

Management Service   Ethernet Management Interface   Ethernet and VE Data Interface
SSH                  Enabled                         Disabled
Telnet               Disabled                        Disabled
HTTP                 Enabled                         Disabled
HTTPS                Enabled                         Disabled
SNMP                 Enabled                         Disabled
Ping                 Enabled                         Enabled

You can enable or disable management access for each access type and interface.

You also can use an Access Control List (ACL) to permit or deny management access through the
interface by using specific hosts or subnets.


Configuring Access by Using Access Control Lists


This topic contains the following sections with important information about ACL support:

• Configuring ACL Support on the Management Interface

• Configuring ACL Support on Data Interfaces

• Implicit Deny Rule

Configuring ACL Support on the Management Interface


The management interface supports only one ACL, which can be bound to the interface as an enable-
management ACL or directly to the interface as a filter.

To replace the current ACL with a different one, you must first remove the ACL that is currently bound
to the interface.

For example, enter only one of the following sets of commands:

ACOS(config)# enable-management service acl-v4 1

ACOS(config)# interface management


ACOS(config-if:management)# access-list 1 in

Additionally, if you apply an enable-management ACL to the management interface, an ACL for an
individual service is not supported.

For example, you cannot enter the following rule on the management interface:

ACOS(config)# enable-management service ping


ACOS(config-enable-management ping)# acl-v4 1

Configuring ACL Support on Data Interfaces


Data interfaces can support multiple ACLs, including multiple enable-management ACLs.

The following commands enable Telnet access to Ethernet data interface 6, restricted by ACL 1. Telnet
carries credentials and session contents in cleartext, which is why it is disabled on every interface by
default (see Table 2); prefer SSH and enable Telnet only where it is unavoidable:

ACOS(config)# enable-management service telnet


ACOS(config-enable-management telnet)# ethernet 6


ACOS(config-enable-management telnet)# acl-v4 1

Implicit Deny Rule


Each ACL has an implicit deny any any rule at the end. If the management traffic’s source address does
not match a permit rule in the ACL, the implicit deny any any rule is used to deny access.
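As an added illustration (not A10 code) of first-match ACL evaluation with the implicit deny, the following Python evaluates a constructed ACL against candidate source addresses. It also includes the check worth running before binding an ACL to the management interface: confirm that the address you are managing the device from is still permitted, since an ACL that omits it ends your own session (see Regaining Access if You Accidentally Block All Access). The CIDR entries are a simplification of the ACOS access-list syntax.

```python
# Added example (editor's illustration, not A10 code): first-match ACL
# evaluation with the implicit "deny any any" that ACOS appends to every
# ACL.  CIDR entries stand in for the ACOS access-list syntax; the ACL
# below is constructed for the example.
import ipaddress
from typing import List, Tuple

Entry = Tuple[str, str]  # ("permit" | "deny", network in CIDR or a single host)


class ManagementAcl:
    """Ordered permit/deny entries evaluated top-down against a source address."""

    def __init__(self, entries: List[Entry]):
        self.entries = []
        for action, net in entries:
            if action not in ("permit", "deny"):
                raise ValueError(f"unknown action {action!r}")
            self.entries.append((action, ipaddress.ip_network(net, strict=False)))

    def permits(self, source: str) -> bool:
        """First matching entry decides; no match falls through to the implicit deny."""
        addr = ipaddress.ip_address(source)
        for action, net in self.entries:
            if addr.version == net.version and addr in net:
                return action == "permit"
        return False  # implicit deny any any

    def lockout_risk(self, my_session_source: str) -> bool:
        """True if binding this ACL would cut off the session you are configuring from."""
        return not self.permits(my_session_source)


# Constructed ACL: block one workstation, allow the rest of its subnet and one
# remote jump host; everything else hits the implicit deny.
ACL_1 = ManagementAcl([
    ("deny", "10.10.10.7/32"),
    ("permit", "10.10.10.0/24"),
    ("permit", "192.0.2.50"),
])

if __name__ == "__main__":
    for src in ("10.10.10.5", "10.10.10.7", "192.0.2.50", "172.16.0.9"):
        print(f"{src:12} -> {'permit' if ACL_1.permits(src) else 'deny'}")
    if ACL_1.lockout_risk("172.16.0.9"):
        print("binding ACL 1 from 172.16.0.9 would lock this session out")
```

Note that an ACL with no entries at all denies everything, because only the implicit rule remains; the guide's advice to keep serial console access available applies exactly to that case.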

Configuring Management Access Through Ethernet Interfaces

This topic contains the following sections:

• Configuring Management Access Using the GUI

• Configuring Management Access Using the CLI

The user can configure management access through Ethernet interfaces in one of the following ways.

Configuring Management Access Using the GUI


To change management access settings for interfaces:

1. Navigate to System >> Settings >> Access Control.


2. For each interface, select or deselect the appropriate access type checkboxes.
3. To use an ACL to control access, select an ACL from the ACLv4 or ACLv6 drop-down lists.
4. Click OK.

Configuring Management Access Using the CLI


The user can enable or disable management access by using the CLI.

This section contains the following sub-sections:

• Disabling Management Access by Using the CLI

• Enabling Management Access by Using the CLI


Disabling Management Access by Using the CLI


To disable management access, enter the disable-management service command at the global
configuration level of the CLI.

The following example command disables HTTP access to the out-of-band management interface:

ACOS(config)# disable-management service http


You may lose connection by disabling the http service.
Continue? [yes/no]:yes

Enabling Management Access by Using the CLI


To enable management access, enter the enable-management service command at the global
configuration level of the CLI.

The following example command enables Telnet access to data interface 6:

ACOS(config)# enable-management service telnet


ACOS(config-enable-management telnet)# ethernet 6

Viewing the Current Management Access Settings


To view the management access settings that are currently in effect, enter the show management
command at any level of the CLI.

The following example shows an ACOS device with 12 Ethernet data ports. In this example, all the
access settings are set to their default values:

ACOS# show management

        PING  SSH  Telnet  HTTP  HTTPS  SNMP  SYSLOG  SNMP  ACL
-------------------------------------------------------------------------
mgmt    on    on   off     on    on     on    off     off   -
eth1    on    off  off     off   off    off   off     off   -
eth2    on    off  off     off   off    off   off     off   -
eth3    on    off  off     off   off    off   off     off   -
eth4    on    off  off     off   off    off   off     off   -
eth5    on    off  off     off   off    off   off     off   -
eth6    on    off  off     off   off    off   off     off   -
eth7    on    off  off     off   off    off   off     off   -
eth8    on    off  off     off   off    off   off     off   -
eth9    on    off  off     off   off    off   off     off   -
eth10   on    off  off     off   off    off   off     off   -
eth11   on    off  off     off   off    off   off     off   -
eth12   on    off  off     off   off    off   off     off   -

Regaining Access if You Accidentally Block All Access


If you disable the type of access that you are using at the time you enter the disable-management
command, your management session will end.

If you accidentally enter the all option for all interfaces, which locks you out of the device completely,
you can still access the CLI by connecting a computer to the ACOS device’s serial port.

Additional CLI Reference Information


The Command Line Interface Reference provides additional information on the CLI commands used in
this document.


Web Access Configuration

By default, access to the ACOS management Graphical User Interface (GUI) is enabled over both HTTP
and HTTPS, with requests to the HTTP port redirected to HTTPS (see Table 3). A valid administrator
username and password are required to log in.

The following topics are covered in this chapter:

• Default Web Access Settings

• Configuring the Web Access

Default Web Access Settings


Table 3 provides information about the default settings for web access.

TABLE 3 Default Web Access Settings

Parameter       Description                                                    Default
Auto-redirect   Automatically redirects requests for the unsecured port        Enabled
                (HTTP) to the secure port (HTTPS).
HTTP server     HTTP server on the ACOS device.                                Enabled
HTTP port       Protocol port number for the unsecured (HTTP) port.            80
HTTPS server    HTTPS server on the ACOS device.                               Enabled
HTTPS port      Protocol port number for the secure (HTTPS) port.              443
Timeout         Number of minutes a web management session can remain idle     Range: 0-60 minutes.
                before it times out and is terminated by the ACOS device.      To disable the timeout, specify 0.
                                                                               Default: 10 minutes
aXAPI Timeout   Number of minutes an aXAPI session can remain idle before      Range: 0-60 minutes. If you
                being terminated. Once the aXAPI session is terminated, the    specify 0, sessions never time out.
                session ID generated by the ACOS device for the session is     Default: 10 minutes
                no longer valid. For more information about aXAPI, see the
                aXAPI Reference documentation.

NOTE: If you disable HTTP or HTTPS access, sessions on the management GUI
are immediately terminated.

Configuring the Web Access


This topic contains the following section:

• Configuring the Web (HTTP) Access by Using the CLI

Configuring the Web (HTTP) Access by Using the CLI


To configure web access, enter the web-service command at the global configuration level of the CLI.

• By default, the web server is enabled on the system. The following command disables the web
server:
ACOS(config)# web-service server disable

• The following command sets the HTTP port to 80:


ACOS(config)# web-service port 80


Public Key Authentication for SSH

The following topics are covered in this chapter:

• Overview

• Generating a Key Pair From the Remote Client

• Importing the Public Key to the ACOS Device

• Deleting a Public Key

• Additional Reference Information

Overview
ACOS supports SSH public key authentication, which simplifies management access through the CLI.

Public key authentication allows an ACOS administrator to log in through SSH without entering a
password. When the administrator supplies a username, the SSH client on the administrator's computer
proves possession of the administrator's private key by signing a challenge from the ACOS device.

The ACOS device verifies that signature against the administrator's public key that is stored on the
ACOS device. If the signature verifies, the administrator is granted access. The private key never leaves
the client.

Generating a Key Pair From the Remote Client


On the remote client (for example, a computer) from where the administrator accesses the ACOS
device’s CLI, use the computer’s SSH client to generate an RSA key pair for the administrator. The key
pair consists of a public key and a private key.

NOTE: In the current release, only the OpenSSH client is supported.

The following example shows you how to generate a key pair from a remote client with the administrator
account admin2:

OpenSSHclient$ mkdir ~/.ssh
OpenSSHclient$ chmod 700 ~/.ssh
OpenSSHclient$ ssh-keygen -q -f ~/.ssh/ACOS_admin2 -t rsa
Enter passphrase (empty for no passphrase): …
Enter same passphrase again: …

NOTE: At the passphrase prompts, press Enter and do not enter any characters.

A key pair generated this way has an unencrypted private key on the client. Keep
~/.ssh/ACOS_admin2 readable only by the administrator (ssh-keygen creates it with mode 600),
never copy it to the ACOS device, and delete it from the client when the account is retired.

Importing the Public Key to the ACOS Device


After the key pair is generated, to import the public key to the ACOS device:

1. Log in to the ACOS device with root or global read-write privileges.


2. Access the configuration level for the administrator account.
3. Import only the public key, and not the private key, to the ACOS device.
You can import public keys in separate files or grouped in one file.

NOTE: The admin account has root privileges and can manage the public keys for all
administrators. Other administrator accounts can manage only the public key that belongs
to their own account.

The following example shows you how to import a public key for the administrator user admin2:

ACOS(config)# admin admin2


ACOS(config-admin:admin2)# ssh-pubkey import scp:
Address or name of remote host []? 10.10.10.69
User name []? ACOSadmin2
Password []? *********
File name [/]? /home/admin2/.ssh/ACOS_admin2.pub
ACOS(config-admin:admin2)# ssh-pubkey list

NOTE: For more information, see the admin command in the Command Line Interface
Reference, in the section where the ssh-pubkey import command is described.

You can enter the ssh-pubkey list command to view the public keys on your system.
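Before importing, it is worth verifying that the file really is the public half of the pair and that it is the kind of key the procedure above generates. The following Python is an added example, not A10 code: it parses the one-line OpenSSH public-key format that ssh-keygen writes to the .pub file and rejects private-key blocks, non-RSA keys and short moduli. The 2048-bit minimum is the editor's policy rather than a value from the guide, and the sample key is constructed (its modulus is not a real RSA modulus).

```python
# Added example (editor's illustration, not A10 code): checks to run on a
# public-key line before importing it with "ssh-pubkey import".  It parses
# the one-line OpenSSH format ("ssh-rsa <base64 blob> [comment]"), whose blob
# is the RFC 4253 encoding: string "ssh-rsa", mpint e, mpint n.  The minimum
# key size is the editor's policy, not a value from the guide; the sample key
# below is constructed and its modulus is not a real RSA modulus.
import base64
import struct
from typing import Dict, Tuple


def _ssh_string(data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(value: int) -> bytes:
    # Big-endian magnitude with a leading zero byte whenever the top bit is set.
    raw = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return _ssh_string(raw)


def encode_ssh_rsa(e: int, n: int, comment: str = "") -> str:
    """Render an RSA public key as an OpenSSH public-key line."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    line = "ssh-rsa " + base64.b64encode(blob).decode("ascii")
    return f"{line} {comment}" if comment else line


def _read_string(buf: bytes, offset: int) -> Tuple[bytes, int]:
    if offset + 4 > len(buf):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", buf[offset:offset + 4])
    offset += 4
    if offset + length > len(buf):
        raise ValueError("truncated key blob")
    return buf[offset:offset + length], offset + length


def inspect_pubkey_line(line: str, min_bits: int = 2048) -> Dict[str, object]:
    """Validate one public-key line; raise ValueError for anything that should not be imported."""
    text = line.strip()
    if text.startswith("-----BEGIN"):
        raise ValueError("this is a private key block; import only the .pub file")
    fields = text.split(None, 2)
    if len(fields) < 2:
        raise ValueError("not an OpenSSH public-key line")
    key_type, b64 = fields[0], fields[1]
    comment = fields[2] if len(fields) == 3 else ""
    if key_type != "ssh-rsa":
        raise ValueError(f"key type {key_type!r} is not the RSA type the procedure generates")
    blob = base64.b64decode(b64, validate=True)
    inner_type, offset = _read_string(blob, 0)
    if inner_type != b"ssh-rsa":
        raise ValueError("key type inside the blob does not match the line prefix")
    e_bytes, offset = _read_string(blob, offset)
    n_bytes, offset = _read_string(blob, offset)
    if offset != len(blob):
        raise ValueError("unexpected trailing data after the RSA key")
    e = int.from_bytes(e_bytes, "big")
    bits = int.from_bytes(n_bytes, "big").bit_length()
    if bits < min_bits:
        raise ValueError(f"RSA modulus is {bits} bits; policy requires at least {min_bits}")
    return {"type": key_type, "bits": bits, "exponent": e, "comment": comment}


def is_importable(line: str, min_bits: int = 2048) -> bool:
    """Boolean wrapper around inspect_pubkey_line for use in scripts."""
    try:
        inspect_pubkey_line(line, min_bits)
        return True
    except ValueError:
        return False


# Constructed sample: a 2048-bit odd number standing in for a modulus.
SAMPLE_N = (1 << 2047) + 12345
SAMPLE_LINE = encode_ssh_rsa(65537, SAMPLE_N, "admin2@workstation")

if __name__ == "__main__":
    print(inspect_pubkey_line(SAMPLE_LINE))
    print(is_importable("-----BEGIN OPENSSH PRIVATE KEY-----"))
```

Run it over the .pub file you are about to reference in the scp: prompt; a private key file, an ed25519 key, or a key below the size policy is reported before it reaches the device.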


Deleting a Public Key


To delete an SSH public key from the ACOS device, enter the following command:

ACOS(config-admin:admin2)# ssh-pubkey delete num

The num option specifies the key number on the ACOS device. You can display the key numbers and the
keys by entering the ssh-pubkey list command.

Additional Reference Information


The following commands that appear in the examples of this document are described in the Command
Line Interface Reference.

ACOS(config-admin:adminuser1)# ssh-pubkey ?
delete Delete an authorized public key
import Import an authorized public key
list List all authorized public keys


TACACS+ and RADIUS

The following topics are covered in this chapter. The topics provide the necessary information on the
RADIUS and TACACS+ features.

• Authentication

• Authorization

• Configuring Accounting Options

• Configuring Authentication, Authorization, and Accounting (AAA) for Administrator Access

• Configuring Authentication

• Additional TACACS+ Authentication Options

• CLI Examples

• Windows IAS Setup for RADIUS

• Additional Reference Information

You can configure the ACOS device to use remote servers for Authentication, Authorization, and
Accounting (AAA) for administrative sessions.

The ACOS device supports RADIUS, TACACS+, and LDAP servers.

NOTE: For information about LDAP support, see Lightweight Directory Access
Protocol (LDAP).

Authentication
This topic contains the following sections:

• Overview

• Multiple Authentication Methods

• Tiered Authentication

• Authentication Process

• Token-Based Authentication Support for RADIUS


• Configuring Token-Based Authentication for RADIUS

Overview
Authentication grants or denies access to the device based on the credentials provided by the user
(admin user name and password).

By default, when someone attempts to log in to the ACOS device, the device determines whether the
username and password exist in the local administrative database. Without additional configuration,
the authentication process stops at this point.

If the administrator username and password exist in the local database, the user is granted access;
otherwise, access to the device is denied.

You can configure the ACOS device to also use external RADIUS, TACACS+ or LDAP servers for
authentication.

Multiple Authentication Methods


You can specify multiple methods for authenticating ACOS administrators. For example, you can
configure the ACOS device to try these servers in the following order:

1. LDAP
2. TACACS+
3. RADIUS
4. Local database

In this example, the ACOS device tries to use the LDAP servers first. If no LDAP servers respond, the
ACOS device tries to use the TACACS+ servers.

If no TACACS+ servers respond, the ACOS device tries the RADIUS servers.

If no RADIUS servers respond, the ACOS device uses the local database.

Tiered Authentication
In addition to configuring multiple authentication methods as backups that are used when the primary
method is unavailable, you can configure the ACOS device to treat the methods as tiers.

By default, a backup authentication method is used only if the primary method does not respond. If the
primary method responds and denies access, the secondary method is not consulted and the
administrator is not granted access.


You can enable the ACOS device to check the next method if the primary method does respond and
authentication fails. This option is called “tiered authentication”.

For example, the primary method is RADIUS and the next method is TACACS+. If RADIUS rejects the
administrator, tiered authentication attempts to authenticate the administrator by using TACACS+.

Table 4 provides information about the ACOS authentication behavior based on tiered authentication.

TABLE 4 Authentication Process Based on Tiered Authentication

Tiered Authentication Setting   ACOS Behavior
Single (default)                1. Try method1. If a method1 server replies, permit or deny access based on the server reply.
                                2. Only if no method1 servers reply, try method2. If a method2 server replies, permit or deny
                                   access based on the server reply.
                                3. Only if no method2 servers reply, try method3. If a method3 server replies, permit or deny
                                   access based on the server reply.
                                4. Only if no method3 servers reply, try method4. If authentication succeeds, the admin is
                                   permitted. Otherwise, the admin is denied.
Multiple                        1. Try method1. If a method1 server replies and permits access, the admin is permitted.
                                2. If no method1 servers reply or a method1 server denies access, try method2. If a method2
                                   server replies and permits access, the admin is permitted.
                                3. If no method2 servers reply or a method2 server denies access, try method3. If a method3
                                   server replies and permits access, the admin is permitted.
                                4. If no method3 servers reply or a method3 server denies access, try method4. If
                                   authentication succeeds, the admin is permitted. Otherwise, the admin is denied.

By default, tiered authentication is disabled and is set to single. You can enable it on a global basis.
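The single and multiple behaviors in Table 4 can be traced with a small simulation. The following Python is an added example, not A10 code; its RADIUS, TACACS+ and local stand-ins and their user databases are constructed for the illustration, and the method names are only labels.

```python
# Added example (editor's illustration, not A10 code): a model of the ACOS
# authentication-method chain with tiered authentication off ("single") and
# on ("multiple").  The stand-in servers and their user databases are
# constructed for the example.
from typing import Callable, Dict, List, Optional, Tuple

# A method returns True (server replied: permit), False (server replied: deny)
# or None (no server of that method replied).
Reply = Optional[bool]
Method = Callable[[str, str], Reply]


def make_server(db: Dict[str, str], reachable: bool = True) -> Method:
    """Build a stand-in AAA server that checks a constructed user database."""
    def server(user: str, password: str) -> Reply:
        if not reachable:
            return None
        return db.get(user) == password
    return server


def authenticate(methods: List[Tuple[str, Method]], user: str, password: str,
                 tiered: bool = False) -> Tuple[bool, List[str]]:
    """Walk the configured methods in order; return (permitted, trace).

    tiered=False ("single" in Table 4, the default): the first method whose
    server replies decides, and later methods are consulted only when no
    server replied.  tiered=True ("multiple"): a deny also falls through to
    the next method, so the login succeeds if any method in the chain accepts
    the credentials.  Exhausting the chain without a permit denies the login.
    """
    trace: List[str] = []
    for name, method in methods:
        reply = method(user, password)
        if reply is None:
            trace.append(f"{name}: no reply, trying next method")
            continue
        if reply:
            trace.append(f"{name}: permit")
            return True, trace
        if not tiered:
            trace.append(f"{name}: deny, authentication ends")
            return False, trace
        trace.append(f"{name}: deny, tiered authentication tries next method")
    trace.append("no method permitted the login: deny")
    return False, trace


# Constructed scenario: the admin "bob" exists only in the TACACS+ and local
# databases, while RADIUS (method1) knows only "alice".
RADIUS_DB = {"alice": "alice-pw"}
TACACS_DB = {"bob": "bob-pw"}
LOCAL_DB = {"admin": "local-pw", "bob": "bob-pw"}

CHAIN = [("RADIUS", make_server(RADIUS_DB)),
         ("TACACS+", make_server(TACACS_DB)),
         ("local", make_server(LOCAL_DB))]

# Same chain, but no RADIUS server replies.
CHAIN_RADIUS_DOWN = [("RADIUS", make_server(RADIUS_DB, reachable=False)),
                     ("TACACS+", make_server(TACACS_DB)),
                     ("local", make_server(LOCAL_DB))]

if __name__ == "__main__":
    for label, chain, tiered in (("single", CHAIN, False),
                                 ("multiple", CHAIN, True),
                                 ("single, RADIUS down", CHAIN_RADIUS_DOWN, False)):
        ok, trace = authenticate(chain, "bob", "bob-pw", tiered=tiered)
        print(f"[{label}] bob -> {'permitted' if ok else 'denied'}: " + "; ".join(trace))
```

With the default single setting, bob is denied even though his TACACS+ and local credentials are valid, because the reachable RADIUS server replied with a deny; that is the behavior the Scenario section below describes. Only an unreachable RADIUS server lets the chain fall through. The multiple setting changes the security model: a login succeeds if any backend in the chain accepts it, so the weakest server in the chain sets the bar for everyone.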

Authentication Process
This section contains the following sub-sections:

• Scenario

• Disabling Local Authentication for the Administrator Account by Using the CLI


Scenario
You can specify whether to check the local database or the remote server first. Figure 2 and Figure 3
show the authentication processes that are used if the ACOS device is configured to check remote AAA
servers first.

If the RADIUS, TACACS+, or LDAP server responds, the local database is not checked, and one of the
following situations occurs:

• If the administrator’s credentials are found on the RADIUS, TACACS+, or LDAP server, the admin-
istrator is granted access.
• If the administrator credentials are not found on the RADIUS, TACACS+, or LDAP server, the
administrator is denied access.

If there is no response from RADIUS, TACACS+, or LDAP server, the ACOS device checks its local data-
base for the administrator name and password.

NOTE: An exception is made for the admin account; by default, the ACOS device
always uses local authentication for admin.

Local authentication can be disabled for admin, in which case the authen-
tication process is the same as for other administrator accounts.

NOTE: For more information, see Disabling Local Authentication for the Admin-
istrator Account by Using the CLI.


FIGURE 2 Authentication Process When Remote Authentication Is First (Two Remote Servers Configured)
– RADIUS

[Flowchart. The steps it shows are:]

1. Admin enters username and password to log in.
2. Username and password are sent to the primary RADIUS server.
3. Primary RADIUS server responds? Yes: go to step 6. No: username and password are sent to the
backup RADIUS server.
4. Backup RADIUS server responds? Yes: go to step 6. No: username and password are sent to the
local database.
5. Credentials found on local database? Yes: authentication succeeds, admin is granted access,
authentication process ends. No: authentication fails, admin is denied access, authentication
process ends.
6. Credentials found on RADIUS server? Yes: authentication succeeds, admin is granted access,
authentication process ends. No: authentication fails, admin is denied access, authentication
process ends.

FIGURE 3 Authentication Process When Remote Authentication Is First (One Remote Server Configured) –
TACACS+

[Flowchart: Admin enters username and password to log in. Username and password are sent to the
TACACS+ server. TACACS+ server responds? Yes: credentials found on the server? Yes: authentication
succeeds, admin is granted access, authentication process ends. No: authentication fails, admin is
denied access, authentication process ends. If the server does not respond, username and password are
sent to the local database. Credentials found on local database? Yes: granted access. No: denied
access.]

Disabling Local Authentication for the Administrator Account by Using the CLI
By default, the ACOS device always locally authenticates admin even if RADIUS, TACACS+, or LDAP is
used as the primary authentication method.

To disable automatic local authentication for the administrator account, access the admin configura-
tion level for the admin you want to disable, then use the disable command. For example:

ACOS(config)# admin exampleuser password examplepassword
ACOS(config-admin:exampleuser)# disable
Modify Admin User successful!
ACOS(config-admin:exampleuser)#

NOTE: If the RADIUS, TACACS+, or LDAP server cannot be reached, the ACOS
device then uses local authentication for admin. This behavior is also
used for other administrator accounts when the remote AAA server
cannot be reached.
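The remote-first flow described above, including the admin exception and the fallback that happens only when no server responds, as an added Python illustration (not A10 code; the server callables, user names and passwords are constructed samples):

```python
"""Model of the remote-first authentication order described in this guide.

Added illustration, not A10 code. What it makes visible: the local database
is consulted only when no remote server responds at all. A remote REJECT is
final, even if the same username/password exists locally. The built-in
"admin" account is the exception and stays local unless local authentication
has been disabled for it with the "disable" command.
"""
from enum import Enum


class RemoteResult(Enum):
    ACCEPT = "accept"            # credentials found on the server
    REJECT = "reject"            # server answered, credentials not found
    NO_RESPONSE = "no_response"  # server unreachable or timed out


class RemoteFirstAuth:
    def __init__(self, remote_servers, local_db, local_disabled=()):
        # Servers are tried in the order configured: primary, then backups.
        # Each is a callable (username, password) -> RemoteResult.
        self.remote_servers = list(remote_servers)
        # Local admin database: username -> password (constructed sample).
        self.local_db = dict(local_db)
        # Accounts whose local authentication was turned off ("disable").
        self.local_disabled = set(local_disabled)

    def _check_local(self, user, password):
        return self.local_db.get(user) == password

    def _check_remote(self, user, password):
        """True/False on the first definitive answer, None if no server responds."""
        for server in self.remote_servers:
            result = server(user, password)
            if result is RemoteResult.ACCEPT:
                return True
            if result is RemoteResult.REJECT:
                return False      # server responded: local database is not checked
            # NO_RESPONSE: try the next (backup) server
        return None

    def authenticate(self, user, password):
        """Return (granted, path) where path names the database that decided."""
        if user == "admin" and user not in self.local_disabled:
            return self._check_local(user, password), "local (admin exception)"
        remote = self._check_remote(user, password)
        if remote is not None:
            return remote, "remote"
        # No remote server answered: fall back to the local database.
        return self._check_local(user, password), "local (remote unreachable)"


# --- constructed sample servers and local database --------------------------
def radius_primary(user, password):
    """Knows only 'bob'; answers REJECT for anyone else."""
    return RemoteResult.ACCEPT if (user, password) == ("bob", "bob-pw") else RemoteResult.REJECT


def radius_backup(user, password):
    """Knows only 'carol'."""
    return RemoteResult.ACCEPT if (user, password) == ("carol", "carol-pw") else RemoteResult.REJECT


def unreachable(user, password):
    return RemoteResult.NO_RESPONSE


LOCAL_DB = {"admin": "admin-pw", "bob": "bob-local-pw", "dave": "dave-pw"}


def demo():
    """Run the scenarios from the text and return {label: (granted, path)}."""
    both_up = RemoteFirstAuth([radius_primary, radius_backup], LOCAL_DB)
    primary_down = RemoteFirstAuth([unreachable, radius_backup], LOCAL_DB)
    all_down = RemoteFirstAuth([unreachable, unreachable], LOCAL_DB)
    admin_remote = RemoteFirstAuth([radius_primary], LOCAL_DB, local_disabled={"admin"})
    return {
        "bob via primary": both_up.authenticate("bob", "bob-pw"),
        # Primary REJECTs bob's local-only password; the backup is never asked
        # and the local database is never consulted.
        "bob local pw, remote rejects": both_up.authenticate("bob", "bob-local-pw"),
        "carol via backup": primary_down.authenticate("carol", "carol-pw"),
        "dave, all servers down": all_down.authenticate("dave", "dave-pw"),
        "admin, default": both_up.authenticate("admin", "admin-pw"),
        "admin, local disabled": admin_remote.authenticate("admin", "admin-pw"),
    }


if __name__ == "__main__":
    for label, (granted, path) in demo().items():
        print(f"{label:32s} -> {'granted' if granted else 'denied':7s} [{path}]")
```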


Token-Based Authentication Support for RADIUS

The ACOS Series supports RSA token-based RADIUS authentication, which provides additional login
security by requiring the administrator to enter a string and a token in addition to the username and
password. This enhancement supports the Access-Challenge function in RFC 2865.

After the administrator enters a username and a password, the ACOS device sends the credentials to
the RADIUS server. If the username and password are valid, and the server is configured to use token-
based authentication, the server replies with an Access-Challenge message. The ACOS device displays
a prompt for the required token.

The ACOS device attempts to verify the token, and one of the following situations occurs:

• If the token is valid, the administrator is granted access.

• If the token is invalid, even though the username and password are valid, access is denied.

By default, support for token-based RADIUS authentication is enabled and cannot be disabled. No
additional configuration is required on the ACOS device.

Configuring Token-Based Authentication for RADIUS

This section contains the following sub-section:

• Using the CLI to Configure Token-Based Authentication for RADIUS

You can configure token-based authentication for RADIUS by using the GUI or the CLI.

Using the CLI to Configure Token-Based Authentication for RADIUS

In the following CLI example, an administrator initiates the log in process by entering a username and a
password. The ACOS device presents a challenge value and prompts for the response.

login as: admin2
Using keyboard-interactive authentication.
Password: ********
Using keyboard-interactive authentication.
Challenge: 133420
Response: ******
Last login: Fri Jul 1 21:51:35 2011 from 192.168.32.153

[type ? for help]

ACOS>


Authorization
This topic contains the following sections:

• Authorizing User Interface and External Health Monitor Access

• Authorizing Admin Privileges

• Performing Authorization for CLI Access

• TACACS+ CLI Authorization

• Authorization Based on L3V Partitions

• LDAP Configuration for Partition Access

• RADIUS Authorization Based on Service-Type

You can configure authorization based on the following.

Authorizing User Interface and External Health Monitor Access

The user can control administrator access to the ACOS device by using one or more of the following
user interfaces:

• CLI

• GUI

• aXAPI

By default, administrators are allowed to use all three user interfaces.

The user can also permit or deny administrator access to edit, create, import, or delete External Health
Monitor files. By default, administrators are not allowed to manage External Health Monitor files.

This section contains the following sub-sections:

• RADIUS Configuration for User Interface and External Health Monitor Access

• TACACS+ Configuration for User Interface and External Health Monitor Access

RADIUS Configuration for User Interface and External Health Monitor Access

To configure RADIUS authorization based on user interface and External Health Monitor access, use:

A10-Admin-Access-Type


The following A10-Admin-Access-Type values provide access to the corresponding user interface:

• cli
• web
• axapi

To authorize access to more than one user interface, enter a comma between each value. For example,
to authorize access to the CLI and web interfaces, enter cli,web.

The following A10-Admin-Access-Type value provides access to configure External Health Monitors:

• hm

An A10-Admin-Access-Type command that includes the hm value must also include at least one user
interface value.

SECURITY: The hm value should be enabled only for other admins sufficiently trusted
to perform these operations without malicious purpose or malicious con-
tent which could otherwise compromise security in the ACOS system
and its deployed environment.

For more information, see the Application Delivery and Server Load Bal-
ancing Guide (Using External Health Methods section) and “Configuring
LDAP for ACOS Administrators” on page 99.

TACACS+ Configuration for User Interface and External Health Monitor Access
To configure authorization based on the user interface and External Health Monitor access, enter the
following Attribute Value Pair (AVP):

a10-access-type=user-interface

Replace user-interface with one or more of the following options:

• cli
• web
• axapi
• hm

An AVP statement that includes the hm option must also specify at least one user interface option. To
authorize access to more than one user interface, enter a comma between each value, for example:

a10-access-type=cli,hm


SECURITY: The hm value should be enabled only for other admins sufficiently trusted
to perform these operations without malicious purpose or malicious con-
tent which could otherwise compromise security in the ACOS system
and its deployed environment.

For more information, see the Application Delivery and Server Load Bal-
ancing Guide (Using External Health Methods section) and “Configuring
LDAP for ACOS Administrators” on page 99.

NOTE: An AVP is the combination of an attribute, which is a parameter that is
associated with an ACOS administrator account, and the value of the
parameter.

Authorizing Admin Privileges

The privileges for each admin are the same across all three user interfaces. For example, if you create
an admin with global read and write privileges, then the same privileges apply to both the CLI and GUI.

This section contains the following sub-sections:

• Compatibility with Privilege Levels Assigned by RADIUS or TACACS+

• RADIUS Configuration for GUI Privileges

• TACACS+ Configuration for GUI Access Roles

Compatibility with Privilege Levels Assigned by RADIUS or TACACS+

It is required to assign a proper privilege level (defined on the ACOS device) to the external user on the
RADIUS or TACACS+ server, so that the user may be authenticated and be granted access to the ACOS
device. After the ACOS device authenticates the privilege level, it will use the GUI access role assigned
to the user to manage the device.

It is not required to assign a privilege level to an ACOS admin on the RADIUS or TACACS+ server used
to authenticate the admin. The ACOS device uses the GUI access role assigned to the admin in the
admin’s account on the ACOS device.

However, if a privilege level is assigned to the admin on the RADIUS or TACACS+ server, that privilege
level must match the privilege assigned to the admin in the ACOS configuration. Otherwise, the admin
will be denied access.


Table 5 lists the RADIUS and TACACS+ privilege levels that match the GUI privileges.

TABLE 5 RADIUS / TACACS+ Privilege Levels and Matching GUI Access Roles

GUI Access Role               RADIUS Privilege Level   TACACS+ Privilege Level   Partition Role
ReadWriteAdmin (1)            2                        15                        N
ReadOnlyAdmin                 1                        0                         N
PartitionReadWrite            8                        9                         Y
PartitionSlbServiceOperator   11                       6                         Y
PartitionReadOnly             12                       5                         Y

1. The ReadWriteAdmin role includes enabled support for External Health Monitor file access as described above.

The Partition Role column indicates whether the privilege is for a partition admin and requires specifi-
cation of an L3V partition name. If the privilege level for a partition role is specified on the RADIUS or
TACACS+ server, the partition name also must be specified on the server. If the privilege level is for a
non-partition role, it is invalid to specify a partition name on the server.

NOTE: The LDAP configuration on an L3V partition is private and overrides any
LDAP configuration on the shared partition. However, AAA configu-
ration (radius-server, tacacs-server, authentication, authorization, and
accounting) for administrators is global and not partition specific. When
you enter the show running-config command from an L3V partition, the
local partition's LDAP configuration is displayed together with the
shared partition's AAA configuration.

SECURITY: Because the ReadWriteAdmin role enables External Health Monitor file
access, it should only be assigned to admins sufficiently trusted to per-
form these operations without malicious purpose or malicious content
which could otherwise compromise security in the ACOS system and its
deployed environment.

For more information, see the Application Delivery and Server Load Bal-
ancing Guide (Using External Health Methods section) and “Configuring
LDAP for ACOS Administrators” on page 99.

RADIUS Configuration for GUI Privileges

To configure admin privileges for RADIUS, use the A10-Admin-Privilege option. For example, to autho-
rize PartitionReadWrite privileges, use the following statement in the admin definition:

A10-Admin-Role = "PartitionReadWrite"


NOTE: The A10-Admin-Privilege option applies only to GUI access. It does not
restrict CLI or aXAPI access.

TACACS+ Configuration for GUI Access Roles

To configure admin privileges for TACACS+, use the following attribute-value pair (AVP):

a10-admin-role=role-name

NOTE: This attribute-value pair applies only to GUI access. It does not restrict
CLI or aXAPI access.

Performing Authorization for CLI Access

This section contains the following sub-sections:

• Overview

• Disabled Commands for Read-Only Administrators

• RADIUS CLI Authorization

Overview
You can configure the ACOS device to use external RADIUS, TACACS+, or LDAP servers to authorize
CLI commands.

After a successful authentication, the authenticated party is granted access to specific system
resources by authorization.

For an ACOS administrator, authorization specifies the CLI levels that they can access.

Disabled Commands for Read-Only Administrators

Administrators who are authenticated by using RADIUS, TACACS+, or LDAP, and are authorized for
read-only access directly to the Privileged EXEC level of the CLI, cannot run the following operational
commands:

• backup
• config
• import
• locale
• reboot
• reload
• shutdown

This includes administrators with the ReadOnlyAdmin or PartitionReadOnly privileges.

RADIUS CLI Authorization

To configure RADIUS CLI Authorization, enter the following settings on the RADIUS server:

VALUE A10-Admin-Privilege Read-only-Admin 1
VALUE A10-Admin-Privilege Read-write-Admin 2

The first line grants access to the User EXEC level and Privileged EXEC level. The administrator’s CLI
session begins at the User EXEC level. The administrator can access the Privileged EXEC level without
entering an enable password, but the administrator cannot access the configuration level:

login as: admin
Using keyboard-interactive authentication.
Password: ********
Last login: Fri Mar 26 20:03:39 2010 from 192.168.1.140

[type ? for help]

ACOS> enable
ACOS#

The second line grants access to all levels, and the administrator’s CLI session begins at the Privileged
EXEC level:

login as: admin2
Using keyboard-interactive authentication.
Password: ********
Last login: Fri Mar 26 20:03:39 2010 from 192.168.1.140

[type ? for help]

ACOS#

NOTE: For more information, see RADIUS Authorization Based on Service-Type.


TACACS+ CLI Authorization

This section contains the following sub-sections:

• Overview

• CLI Access Levels

• TACACS+ Authorization Debug Options

Overview
To configure TACACS+ CLI authorization, complete the following tasks:

• Configure the TACACS+ server to authorize or deny the execution of specific commands or com-
mand groups.
• Configure the ACOS device to send commands to the TACACS+ server for authorization before
executing those commands.

This authorization process does not apply to administrators who log in by using the GUI.

NOTE: For more information, see Authorizing Admin Privileges.

CLI Access Levels

You can use TACACS+ to authorize an administrator to execute commands at one of the following CLI
access levels:

• 15 (admin) – This is the most extensive level of authorization. The commands at all CLI levels,
including those used to configure administrative accounts, are sent to TACACS+ for authoriza-
tion.
• 14 (config) – Commands at all CLI levels, except the commands that are used to configure
administrative accounts, are sent to TACACS+ for authorization. The commands that are used to
configure administrator accounts are automatically allowed.
• 1 (admin) – This is the most extensive level of authorization and is the same as access level 15.
The commands at the Privileged EXEC and User EXEC levels are sent to TACACS+ for authoriza-
tion, and the commands at other levels are automatically allowed.
• 0 (user EXEC) – This is the equivalent of Read-only privileges. The commands at the User EXEC
level are sent to TACACS+ for authorization, and the commands at other levels are automatically
allowed.

Access levels 1-15 grant access to the Privileged EXEC level or higher, without challenging the adminis-
trator for the enable password. Access level 0 grants access only to the User EXEC level.


NOTE: Privilege level 1 supports Read-write or admin privileges. The highest
privilege level is 1 and 15 (Read-write), and the lowest privilege level is 0
(Read-only).

TACACS+ Authorization Debug Options

You can enable the following TACACS+ debug levels for troubleshooting:

• 0x1 – Common system events such as “trying to connect with TACACS+ servers” and “getting
response from TACACS+ servers”. These events are recorded in the syslog.
• 0x2 – Packet fields sent out and received by the Thunder Series device, not including the length
fields. These events are written to the terminal.
• 0x4 – Length fields of the TACACS+ packets will also be displayed on the terminal.

• 0x8 – Information about TACACS+ MD5 encryption will be sent to the syslog.

Authorization Based on L3V Partitions

This section contains the following sub-sections:

• Overview

• RADIUS Configuration for Partition Access

• TACACS+ Configuration for Partition Access

Overview
If the ACOS device is configured with L3V partitions, you can specify which partitions a remotely
authenticated administrator can access. You can authorize an administrator to access up to 8 parti-
tions. The partition name that is specified on the RADIUS or TACACS+ server must match the partition
name that is specified in the administrator’s account configuration on the ACOS device.

NOTE: For administrators with global access, which means access to the
shared partition, do not specify a partition name.

RADIUS Configuration for Partition Access

To authorize an administrator to access only the resources in a specific L3V partition, use the A10-
Admin-Partition option. For example, to authorize an administrator to access only the resources in par-
tition1, enter the following statement in the administrator definition:

A10-Admin-Partition = "partition1"


To authorize an administrator for access to multiple partitions, use the following syntax:

A10-Admin-Partition = "partition-name1"
A10-Admin-Partition += "partition-name2"
A10-Admin-Partition += "partition-name3"
A10-Admin-Partition += "partition-name4"
A10-Admin-Partition += "partition-name5"
A10-Admin-Partition += "partition-name6"
A10-Admin-Partition += "partition-name7"
A10-Admin-Partition += "partition-name8"

TACACS+ Configuration for Partition Access

To configure TACACS+ to access partitions:

• To authorize an administrator to access only the resources in a specific L3V partition, use the fol-
lowing AVP:

a10-partition=partition-name

• To authorize an administrator to access multiple partitions, use the following syntax:

a10-partition = partition-name1,partition-name2,
partition-name3,partition-name4,partition-name5,
partition-name6,partition-name7,partition-name8
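An added Python check (not A10 code) that applies the rules stated in this guide for the user interface and External Health Monitor access-type values, for the role and partition pairing in Table 5, and for the eight-partition limit to a set of RADIUS or TACACS+ attributes before they are committed on the server; the function names are my own and the attribute values in the test cases are constructed samples:

```python
"""Consistency check for the ACOS admin authorization AVPs described in this guide.

Added illustration, not A10 code. Rules encoded from the text:
  - a10-access-type / A10-Admin-Access-Type values are cli, web, axapi and hm,
    comma-separated; hm must be combined with at least one user interface value.
  - Table 5: a partition role requires a partition name; a non-partition role
    must not carry one.
  - An administrator can be authorized for at most 8 partitions.
"""

# Table 5: GUI access role -> (RADIUS level, TACACS+ level, partition role?)
ROLE_TABLE = {
    "ReadWriteAdmin": (2, 15, False),
    "ReadOnlyAdmin": (1, 0, False),
    "PartitionReadWrite": (8, 9, True),
    "PartitionSlbServiceOperator": (11, 6, True),
    "PartitionReadOnly": (12, 5, True),
}
USER_INTERFACES = {"cli", "web", "axapi"}
MAX_PARTITIONS = 8

# RADIUS attribute names folded onto the TACACS+ AVP names used below.
_RADIUS_TO_TACACS = {
    "a10-admin-access-type": "a10-access-type",
    "a10-admin-role": "a10-admin-role",
    "a10-admin-partition": "a10-partition",
}


def _split(value):
    """Comma-separated AVP value, or a list of values (the RADIUS '+=' form),
    into a list of stripped, non-empty items."""
    if value is None:
        return []
    if isinstance(value, (list, tuple)):
        items = []
        for v in value:
            items.extend(_split(v))
        return items
    return [p.strip() for p in str(value).split(",") if p.strip()]


def normalize(avps):
    """Lower-case attribute names and map RADIUS names onto TACACS+ AVP names."""
    out = {}
    for name, value in avps.items():
        key = name.strip().lower()
        out[_RADIUS_TO_TACACS.get(key, key)] = value
    return out


def validate_admin_avps(avps):
    """Return a list of problems; an empty list means the entry is consistent
    with the rules in this guide."""
    a = normalize(avps)
    problems = []

    access = _split(a.get("a10-access-type"))
    for v in access:
        if v not in USER_INTERFACES and v != "hm":
            problems.append(f"unknown access-type value '{v}'")
    if "hm" in access and not (set(access) & USER_INTERFACES):
        problems.append("hm must be combined with at least one of cli, web, axapi")

    partitions = _split(a.get("a10-partition"))
    if len(partitions) > MAX_PARTITIONS:
        problems.append(f"{len(partitions)} partitions listed; the maximum is {MAX_PARTITIONS}")

    role = a.get("a10-admin-role")
    if role is not None:
        if role not in ROLE_TABLE:
            problems.append(f"unknown admin role '{role}'")
        else:
            partition_role = ROLE_TABLE[role][2]
            if partition_role and not partitions:
                problems.append(f"{role} is a partition role but no partition name is given")
            if not partition_role and partitions:
                problems.append(f"{role} is not a partition role; a partition name is invalid here")
    return problems


def grants_health_monitor_access(avps):
    """True when the entry lets the admin manage External Health Monitor files,
    either through the hm access-type value or through the ReadWriteAdmin role.
    Useful for auditing which server entries carry this trust."""
    a = normalize(avps)
    return "hm" in _split(a.get("a10-access-type")) or a.get("a10-admin-role") == "ReadWriteAdmin"


def privilege_levels(role):
    """(RADIUS, TACACS+) privilege levels that must match the role per Table 5."""
    radius, tacacs, _ = ROLE_TABLE[role]
    return radius, tacacs
```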

LDAP Configuration for Partition Access

Authorization for LDAP is based on a schema file.

NOTE: For more information, see A10 Schema File for OpenLDAP.


RADIUS Authorization Based on Service-Type

The ACOS device supports the RADIUS Service-Type attribute values listed in Table 6:

TABLE 6 Supported RADIUS Service-Type Attribute Values

Attribute Value               Description
Service-Type=Login            Allows access to the EXEC level of the CLI and read-only access to the GUI.
                              The EXEC level of the CLI is denoted by the following prompt (as an example):
                              ACOS>
Service-Type=NAS Prompt       Allows access to the Privileged EXEC level of the CLI and read-only access to
                              the GUI. The Privileged EXEC level of the CLI is denoted by the following
                              prompt (as an example):
                              ACOS#
Service-Type=Administrative   Allows access to the configuration level of the CLI and read-only access to
                              the GUI. The configuration level of the CLI is denoted by the following
                              prompt (as an example):
                              ACOS(config)#

By default, if the Service-Type attribute or the A10 vendor attribute is not used, successfully authenti-
cated administrators are authorized for read-only access. You can change the default privilege that is
authorized by RADIUS from read-only to read-write. To change the default access level authorized by
RADIUS, enter the following command at the global configuration level of the CLI:

ACOS(config)# radius-server default-privilege-read-write

Configuring Accounting Options

Accounting keeps track of user activities while the user is logged on.

This topic contains the following sections:

• Overview

• Command Accounting (TACACS+ only)

• TACACS+ Accounting Debug Options


Overview
The user can configure the ACOS device to use external RADIUS or TACACS+ for accounting for the fol-
lowing activities:

• Log in/log off activity

When the user logs in, the accounting process starts, and when the user logs off, the accounting
process stops.
• Commands

Command Accounting (TACACS+ only)

Table 7 shows the CLI levels in which you can use TACACS+ servers to track attempts to execute com-
mands:

TABLE 7 CLI Access Levels for Accounting

Access Level          Description
15 (admin)            This is the most extensive accounting level. Commands at all CLI levels,
                      including those used to configure administrator accounts, are tracked.
14 (config)           Commands at all CLI levels, except the commands that are used to configure
                      administrator accounts, are tracked. The commands that are used to configure
                      administrator accounts are not tracked.
1 (privileged EXEC)   Commands at the Privileged EXEC and User EXEC levels are tracked. Commands at
                      other levels are not tracked.
0 (user EXEC)         Commands at the User EXEC level are tracked. Commands at other levels are not
                      tracked.

NOTE: Command levels 2-13 are equivalent to command level 1 (privileged
EXEC).

TACACS+ Accounting Debug Options

The same debug levels that are available for TACACS+ Authorization are also available for TACACS+
Accounting.

NOTE: For more information, see TACACS+ Authorization Debug Options.

Configuring Authentication, Authorization, and Accounting (AAA) for Administrator Access
To configure authentication, authorization, and accounting (AAA):

1. Prepare the AAA servers:
a. Add administrator accounts (user names and passwords).
b. Add the ACOS device as a client.
For the client IP address, specify the ACOS IP address.
c. For authorization, configure the following settings for the administrator accounts:
• Specify the user interfaces that the administrator is allowed to access (CLI, GUI, or aXAPI).
• If you are using TACACS+, specify the CLI commands or command groups that are to be
allowed or denied execution.
• If you are using RADIUS, specify the admin privileges for the CLI and GUI.
• If you are using LDAP, for more information, see Lightweight Directory Access Protocol
(LDAP).
• For private partition administrators, specify the partition name.
2. To use RADIUS, TACACS+, or LDAP for authentication:
a. Add the RADIUS, TACACS+, or LDAP server(s) to the ACOS device.
b. Add a RADIUS, TACACS+, or LDAP server as an authentication method to use with the local
database.
c. To use more than one AAA protocol, see Authentication.
3. Configure the authorization:
a. Add the TACACS+, RADIUS, or LDAP servers for authentication, if necessary.
b. Specify the access level:
• If you are using TACACS+, specify the CLI command levels to be authorized.
• If you are using RADIUS, specify the admin privilege levels for CLI and GUI.
• If you are using LDAP, see Lightweight Directory Access Protocol (LDAP).
4. Configure accounting:
a. Add the TACACS+, RADIUS, or LDAP servers for authorization, if necessary.
b. Specify whether to track logon/logoff activity.
You can track log ons and log offs, log offs only, or neither.
c. If you are using TACACS+, specify the command levels to track.


Configuring Authentication
This topic contains the following sections:

• Configuring Remote Authentication by Using the GUI

• Configuring Remote Authentication by Using the CLI

You can configure remote authentication by using the GUI or the CLI.

Configuring Remote Authentication by Using the GUI

This section contains the following sub-sections:

• Configuring Global Authentication Settings on the ACOS Device

• Configuring a RADIUS Server

• Configuring a TACACS+ Server

• Configuring an LDAP Server

You can configure remote authentication using the GUI.

Configuring Global Authentication Settings on the ACOS Device


To configure global authentication settings, navigate to System >> Admin >> External Authentica-
tion.

There are no mandatory fields that need to be completed on the Authentication Settings page; you can
configure your desired global authentication settings as needed.

Refer to the GUI online help for more information about the fields on this page.

Click Authentication Settings when you are finished specifying your desired configuration.

Configuring a RADIUS Server

To configure a RADIUS server:

1. Navigate to System >> Admin >> External Authentication >> RADIUS.
2. Click Create to designate a RADIUS server and enter settings.
3. Enter the hostname or IP address of the server in the Server field.
4. In the Type field, indicate whether the specified server is an IPv4 or IPv6 address, or a name.


5. In the Secret field, enter the shared secret (password) expected by the server when it receives
requests.
6. Complete the other fields on this page as desired; refer to the online help for additional informa-
tion.

FIGURE 4 RADIUS Server Configuration

7. Click Create.

The first RADIUS server configured will act as the primary server and the ACOS device will attempt to
use this server first for authentication.

You can configure additional RADIUS servers as needed, if you want to have any backup servers.

Configuring a TACACS+ Server

To configure a TACACS+ Server:

1. Navigate to System >> Admin >> External Authentication >> TACACS Host.
2. Click Create to designate a TACACS+ server and enter settings.
3. Enter the hostname or IP address of the server in the Server field.
4. In the Type field, indicate whether the specified server is an IPv4 or IPv6 address, or a name.
5. In the Secret Value field, enter the password expected by the server when it receives requests.
6. Complete the other fields on this page as desired; refer to the online help for additional informa-
tion.


FIGURE 5 TACACS+ Server Configuration

7. Click Create.

The first TACACS server configured will act as the primary server and the ACOS device will attempt to
use this server first for authentication.

You can configure additional TACACS servers as needed, if you want to have any backup servers.

Configuring an LDAP Server

To configure an LDAP server:

1. Navigate to System >> Admin >> External Authentication >> LDAP.
2. Click Create to designate an LDAP server and enter settings.
3. Enter the hostname or IP address of the server in the Server field.
4. In the Type field, indicate whether the specified server is an IPv4 or IPv6 address, or a name.
5. Specify the LDAP common name and distinguished name.
6. Complete the other fields on this page as desired; refer to the online help for additional informa-
tion.


FIGURE 6 Primary and Secondary Information for an LDAP Server

7. Click Create.

The first LDAP server configured will act as the primary server and the ACOS device will attempt to use
this server first for authentication.

You can configure additional LDAP servers as needed, if you want to have any backup servers.

For more information on LDAP servers, refer to Lightweight Directory Access Protocol (LDAP).

Configuring Remote Authentication by Using the CLI

You can configure remote authentication by using the CLI.

NOTE: For examples, see CLI Examples.

Additional TACACS+ Authentication Options

This topic contains the following sections:

• Password Self-Service

• Configuring Access to the Privileged EXEC Level

• TACACS Server Number Increment and the Limitation


This section describes additional TACACS+ AAA options.

Password Self-Service
ACOS supports TACACS+ TAC_PLUS_AUTHEN_CHPASS (password change) messages. When this
option is enabled on the TACACS+ server, the server sends a TACACS+ TAC_PLUS_AUTHEN_CHPASS
message in response to an authentication request from the ACOS device. The ACOS device prompts
the administrator for the current and new passwords and sends the password change to the TACACS+
server. The ACOS device then grants access to the administrator.

Password self-service is enabled by default, cannot be disabled, and is activated only when the
TACACS+ server sends a password change message.

NOTE: The current release supports TAC_PLUS_AUTHEN_CHPASS messages only
for login to the CLI.

Configuring Access to the Privileged EXEC Level

This section contains the following sub-sections:

• Configuring Access to the Privileged EXEC Level by Using the GUI

• Configuring Access to the Privileged EXEC Level in the CLI

• Configuring Access to the Privileged EXEC Level by Using the CLI

Configuring Access to the Privileged EXEC Level by Using the GUI

To enable direct access to the Privileged EXEC level of the CLI for TACACS+-authenticated admins by using the GUI:

1. Click System > Admin > External Authentication > Settings.
2. Select the Login Privilege-Mode check box.
3. Click Authentication Settings.

Configuring Access to the Privileged EXEC Level in the CLI

You can enable TACACS+-authenticated administrators to log in at the Privileged EXEC level of the CLI
instead of at the User EXEC level. This option is disabled by default, and you can enable it on a global
basis.


Configuring Access to the Privileged EXEC Level by Using the CLI

To enable access to the Privileged EXEC level of the CLI for TACACS+-authenticated administrators,
enter the following command at the global configuration level:

ACOS(config)# authentication login privilege-mode

TACACS Server Number Increment and the Limitation

This section contains the following sub-sections:

• Overview

• Known Issues or Limitations

• Requirements

• Scenario

• GUI

• CLI

• aXAPI

• Important

Overview
The limit on the number of configured TACACS servers is increased from two to three for the following
reasons:

• The Exchange server deployment has three TACACS servers for its thousands of devices, which are
deployed and active with a high volume of traffic.
• These deployed devices were running into the previous ACOS limit of two configured servers.
• The user experience and traffic handling improve once the limit is increased from two TACACS
servers to three, or to an optional number that the user can configure.

Known Issues or Limitations

Although increasing the limit on the number of TACACS servers from two to three is necessary, it has
the following known issues or limitations.


• The TACACS monitor needs to be configured to use the most recently used server as the primary
server.
• The hard limit on the number of TACACS servers is increased to three, and the servers behave in
the following modes:
• Active: the first configured server is the Active Server.
• Standby: the remaining two servers are the Standby Servers.
• If a request to the first server fails, the request is also sent to the other two servers to check
whether it passes on either of them.

Requirements
To configure three TACACS servers in the running configuration, the user must ensure the following:

• The first assigned or dedicated server must be Active and the other two servers must be on the
Standby Mode.
• The authorization request of any given session must go to the server, which authenticates the
session.

Scenario
This feature works as follows:

• The first server is the Active Server by default.

• The second and third servers are the Standby Servers.

• If the TACACS server monitor is configured:

• Requests are sent to the most recently used server.
• Otherwise, the Active Server receives the requests by default.
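The selection, failover and session-affinity behaviour described in the Known Issues, Requirements and Scenario sections, modelled as an added Python example (not ACOS code). The server handlers, hosts and the deny-on-unreachable rule for authorization are assumptions made for the simulation.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

MAX_SERVERS = 3  # the raised hard limit described above


@dataclass
class TacacsServer:
    host: str
    # Hypothetical stand-ins for the network exchange: each returns True on
    # a pass and False on a deny, and raises ConnectionError when the
    # server cannot be reached.
    authn: Callable[[str, str], bool]  # (user, password)
    authz: Callable[[str, str], bool]  # (user, command)


@dataclass
class TacacsPool:
    servers: List[TacacsServer]
    monitor: bool = False              # tacacs-server monitor configured?
    last_used: Optional[str] = None    # host that most recently answered
    # session id -> host that authenticated it (authorization affinity)
    sessions: Dict[str, str] = field(default_factory=dict)

    def __post_init__(self) -> None:
        if not 1 <= len(self.servers) <= MAX_SERVERS:
            raise ValueError(f"between 1 and {MAX_SERVERS} servers allowed")

    def order(self) -> List[TacacsServer]:
        """The first configured server is active and the rest are standby;
        with the monitor configured, the most recently used server is tried
        first instead."""
        first = self.servers[0]
        if self.monitor and self.last_used is not None:
            first = next(s for s in self.servers if s.host == self.last_used)
        return [first] + [s for s in self.servers if s is not first]

    def authenticate(self, session: str, user: str, password: str) -> bool:
        """Try the active server, then the standby servers in turn.

        As described above, a request that fails on one server is also sent
        to the other two, so the result is the first pass found.  Keep the
        three servers' user databases consistent: a deny on the active
        server does not stop a standby from accepting the same credentials.
        """
        for server in self.order():
            try:
                passed = server.authn(user, password)
            except ConnectionError:
                continue               # unreachable: move on to the next one
            self.last_used = server.host
            if passed:
                self.sessions[session] = server.host
                return True
        return False

    def authorize(self, session: str, user: str, command: str) -> bool:
        """Send the authorization request only to the server that
        authenticated the session, as the requirements above demand.  The
        guide does not say what happens if that server is unreachable; this
        model denies the command (assumption)."""
        host = self.sessions.get(session)
        if host is None:
            return False               # no authenticated session on record
        server = next(s for s in self.servers if s.host == host)
        try:
            return server.authz(user, command)
        except ConnectionError:
            return False


def demo_pool(monitor: bool = False) -> TacacsPool:
    """Constructed scenario: the active server is down, the first standby
    knows only 'alice', and the second standby accepts anyone."""
    def down(*_args: str) -> bool:
        raise ConnectionError("tacacs server unreachable")

    def only_alice(user: str, password: str) -> bool:
        return (user, password) == ("alice", "s3cret")

    def allow_all(*_args: str) -> bool:
        return True

    return TacacsPool(
        servers=[
            TacacsServer("10.0.0.1", down, down),
            TacacsServer("10.0.0.2", only_alice, lambda u, c: c != "reload"),
            TacacsServer("10.0.0.3", allow_all, allow_all),
        ],
        monitor=monitor,
    )


if __name__ == "__main__":
    pool = demo_pool(monitor=True)
    print(pool.authenticate("sess1", "alice", "s3cret"))  # True, via 10.0.0.2
    print([s.host for s in pool.order()])                 # 10.0.0.2 is now first
    print(pool.authorize("sess1", "alice", "reload"))     # False
```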

GUI
For this, there are no GUI changes required.

CLI
For this, there are no new CLI changes required or introduced.

aXAPI
For this, there are no changes in aXAPI regarding TACACS.


Important
In this scenario, the following are the important points to consider:

• The new CLI or aXAPI changes do not apply in L3V partitions.

• The changes apply only in the shared partition.

• All new CLI or aXAPI changes must be device independent.

CLI Examples
This topic contains the following sections:

• RADIUS Authentication

• TACACS+ Authorization

• TACACS+ Accounting

• RADIUS Server Setup

This section provides the following configuration examples.

RADIUS Authentication
The following commands configure a pair of RADIUS servers for remote authentication and configure
the ACOS device to use these servers before using the local database. Since the RADIUS server
10.10.10.12 is added first, this server is used as the primary server. Server 10.10.10.13 is used only if the
primary server is unavailable.

The following text is an example of configuring RADIUS authentication:

ACOS(config)# radius-server host 10.10.10.12 secret radp1
ACOS(config)# radius-server host 10.10.10.13 secret radp2
ACOS(config)# authentication type radius local

TACACS+ Authorization
The following commands configure the ACOS device to use TACACS+ server 10.10.10.13 to authorize
commands at all CLI levels. In this example, the none option is not used. As a result, if TACACS+ authorization cannot be performed, for example, due to server unavailability, the command is denied.


The following text is an example of configuring TACACS+ authorization:

ACOS(config)# tacacs-server host 10.10.10.13 secret SharedSecret
ACOS(config)# authorization commands 15 method tacplus

TACACS+ Accounting
The following commands configure the ACOS device to use the same TACACS+ server for the accounting of log on, log off, and all command activity:

ACOS(config)# accounting exec start-stop tacplus
ACOS(config)# accounting commands 15 stop-only tacplus

RADIUS Server Setup


This example shows the ACOS commands that you can enter to complete the following tasks:

• Configure an ACOS device to use a RADIUS server

• Display the changes that you can make on the RADIUS server

The RADIUS server in this example is freeRADIUS, the IP address is 192.168.1.157, and the shared
secret is a10rad.

To implement this solution:

1. On the ACOS device, to add the RADIUS server and enable RADIUS authentication, enter the following commands:

ACOS(config)# radius-server host 192.168.1.157 secret a10rad
ACOS(config)# authentication type local radius

2. Complete the following steps on the freeRADIUS server:


a. In the /usr/local/etc/raddb/clients.conf file, to add the ACOS device as a client, enter the following:

client 192.168.1.0/24 {
secret = a10rad
shortname = private-network-1
}


NOTE: In this example, the ACOS device’s subnet is added as the client.

b. To add the /usr/local/share/freeradius/dictionary.a10networks dictionary file for vendor a10networks (22610 is the vendor code), create the file with the following contents:

NOTE: After authenticating an administrator, the RADIUS server must return the A10-Admin-Privilege attribute, with one of the values shown in the following example.

# A10-Networks dictionary
# Created by Software Tools of A10 Networks.
#
VENDOR A10-Networks 22610

BEGIN-VENDOR A10-Networks
ATTRIBUTE A10-App-Name 1 string
ATTRIBUTE A10-Admin-Privilege 2 integer
ATTRIBUTE A10-Admin-Partition 3 string
ATTRIBUTE A10-Admin-Access-Type 4 string
ATTRIBUTE A10-Admin-Role 5 string
VALUE A10-Admin-Privilege Read-only-Admin 1
VALUE A10-Admin-Privilege Read-write-Admin 2
VALUE A10-Admin-Privilege Partition-SlbService-Operator 11
VALUE A10-Admin-Privilege Partition-Read_write 8
VALUE A10-Admin-Privilege Partition-Read-Only 12
END-VENDOR A10-Networks

c. In /usr/local/share/freeradius/dictionary, add the following line to include the new file:

$INCLUDE dictionary.a10networks # new added for a10networks

d. In the /usr/local/etc/raddb/users file, to add each ACOS admin as a user, enter the following:

NOTE: The following text contains examples of ACOS administrator definitions in a RADIUS users file on the RADIUS server.

# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #

# this is a read-write user
rw      Cleartext-Password := "111111"
        A10-Admin-Privilege = Read-write-Admin

# this is a read-only user
ro      Cleartext-Password := "111111"
        A10-Admin-Privilege = Read-only-Admin

# this is a partition read-only
pro     Cleartext-Password := "111111"
        A10-Admin-Privilege = Partition-Read-Only,
        A10-Admin-Partition = "aa"

# this is a partition enable-disable
ped     Cleartext-Password := "111111"
        A10-Admin-Privilege = Partition-SlbService-Operator,
        A10-Admin-Partition = "aa"

# this is partition read-write, has role PartitionReadWrite, only login from web.
# the privilege name must match a VALUE defined in dictionary.a10networks;
# only the last reply item of an entry is written without a trailing comma
prw_r_w Cleartext-Password := "111111"
        A10-Admin-Privilege = Partition-Read_write,
        A10-Admin-Partition = "aa",
        A10-Admin-Role = "PartitionReadWrite",
        A10-Admin-Access-Type = "web"
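A check worth running before restarting freeRADIUS, added here as an example and not part of A10's or freeRADIUS's files: it reads a copy of the vendor dictionary above and a constructed users-file excerpt, and flags reply items the server would reject (a comma after the last reply item of an entry) or that would never grant the intended ACOS privilege (a name that is not a VALUE in the dictionary). The excerpt deliberately contains one of each defect.

```python
import re
from typing import Dict, List, Tuple

# Constructed copy of the vendor dictionary shown in step b above.
A10_DICTIONARY = """\
VENDOR A10-Networks 22610
BEGIN-VENDOR A10-Networks
ATTRIBUTE A10-App-Name 1 string
ATTRIBUTE A10-Admin-Privilege 2 integer
ATTRIBUTE A10-Admin-Partition 3 string
ATTRIBUTE A10-Admin-Access-Type 4 string
ATTRIBUTE A10-Admin-Role 5 string
VALUE A10-Admin-Privilege Read-only-Admin 1
VALUE A10-Admin-Privilege Read-write-Admin 2
VALUE A10-Admin-Privilege Partition-SlbService-Operator 11
VALUE A10-Admin-Privilege Partition-Read_write 8
VALUE A10-Admin-Privilege Partition-Read-Only 12
END-VENDOR A10-Networks
"""

# Constructed users-file excerpt that keeps two defects a server would
# trip over: a trailing comma on the only reply item of "rw", and a
# privilege name in "prw_r_w" that the dictionary above does not define.
USERS_FILE = """\
# this is a read-write user
rw Cleartext-Password := "111111"
        A10-Admin-Privilege = Read-write-Admin,

# this is a read-only user
ro Cleartext-Password := "111111"
        A10-Admin-Privilege = Read-only-Admin

# partition read-write, role PartitionReadWrite, web login only
prw_r_w Cleartext-Password := "111111"
        A10-Admin-Privilege = Partition-Read-Write,
        A10-Admin-Partition = "aa",
        A10-Admin-Role = "PartitionReadWrite",
        A10-admin-Access-type = "web"
"""

REPLY_ITEM = re.compile(r'^([\w-]+)\s*(?::=|\+=|==|=)\s*"?([^",]*)"?\s*(,?)$')


def parse_dictionary(text: str) -> Tuple[Dict[str, str], Dict[str, Dict[str, int]]]:
    """Return attribute -> type and attribute -> {value name -> number}.
    Names are lower-cased because freeRADIUS matches them case-insensitively."""
    attr_types: Dict[str, str] = {}
    values: Dict[str, Dict[str, int]] = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) == 4 and fields[0] == "ATTRIBUTE":
            attr_types[fields[1].lower()] = fields[3].lower()
        elif len(fields) == 4 and fields[0] == "VALUE":
            values.setdefault(fields[1].lower(), {})[fields[2].lower()] = int(fields[3])
    return attr_types, values


def parse_users(text: str) -> List[Tuple[str, List[str]]]:
    """Return (user name, reply item lines) per entry: an entry starts in
    column 0 and its reply items are the indented lines that follow it."""
    entries: List[Tuple[str, List[str]]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if line[0] in " \t" and entries:
            entries[-1][1].append(line.strip())
        elif line[0] not in " \t":
            entries.append((line.split()[0], []))
    return entries


def lint_users(dictionary: str, users: str) -> Dict[str, List[str]]:
    """Return {user: [problem, ...]} for entries the server would reject
    or that would not grant the intended ACOS privilege."""
    attr_types, values = parse_dictionary(dictionary)
    problems: Dict[str, List[str]] = {}
    for user, reply in parse_users(users):
        found: List[str] = []
        for index, item in enumerate(reply):
            match = REPLY_ITEM.match(item)
            if not match:
                found.append(f"cannot parse reply item {item!r}")
                continue
            name, value, comma = match.groups()
            attr = name.lower()
            if index == len(reply) - 1 and comma:
                found.append(f"trailing comma after last reply item {item!r} "
                             "runs the entry into the next line")
            elif index < len(reply) - 1 and not comma:
                found.append(f"missing comma after reply item {item!r}")
            if attr not in attr_types:
                found.append(f"unknown attribute {name!r}")
            elif (attr_types[attr] == "integer" and not value.isdigit()
                  and value.lower() not in values.get(attr, {})):
                defined = ", ".join(sorted(values.get(attr, {})))
                found.append(f"{name} value {value!r} is not a VALUE in the "
                             f"dictionary (defined: {defined})")
        if found:
            problems[user] = found
    return problems
```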

Windows IAS Setup for RADIUS


This topic describes how to configure Windows Server 2003 Internet Authentication Service (IAS) with
ACOS RADIUS authentication.

This topic contains the following sub-sections:

• Configuring Windows IAS for ACOS RADIUS Authentication

• Configuring Access Groups

• Configuring RADIUS Client for ACOS Device

• Configuring Remote Access Policies

• Adding Active Directory Users to ACOS Access Groups

• Registering the IAS Server in Active Directory

• Configuring RADIUS on the ACOS Device

• Verifying the Configuration


NOTE: These steps assume that IAS and Active Directory (AD) are already
installed on the Windows 2003 server.

Configuring Windows IAS for ACOS RADIUS Authentication


To configure Windows IAS for ACOS RADIUS authentication:

1. On the IAS server, create the following access groups (see Configuring Access Groups):
• ACOS-Admin-Read-Only
• ACOS-Admin-Read-Write
2. On the IAS server, configure a RADIUS client for the ACOS device (Configuring RADIUS Client for
ACOS Device).
3. On the IAS server, configure the following remote access policies (Configuring Remote Access Policies):
• ACOS-Admin-Read-Only-Policy
• ACOS-Admin-Read-Write-Policy
4. On the IAS server, add AD users to appropriate ACOS device access groups (Adding Active Directory Users to ACOS Access Groups).
5. Register the IAS server in AD (Registering the IAS Server in Active Directory).
6. Configure RADIUS on the ACOS device (Configuring RADIUS on the ACOS Device).
7. Test the configuration by attempting to log onto the ACOS device with AD users added in step 4
(Verifying the Configuration).

The following sections provide detailed steps for each of these tasks.

Configuring Access Groups


To configure access groups, select Start > All Programs > Administrator Tools > Active Directory Users and Computers.

This section contains the following sub-section:

• If the Active Directory is Not Installed

If the Active Directory is Not Installed


If AD is not installed on the IAS server, you can use the following steps to add the users and groups.
However, the rest of this section assumes that AD will be used.


1. Open the Computer Management tool by selecting Start > Programs > Administrative Tools >
Computer Management.
2. Open the System Tools and Local Users and Groups items, if they are not already open.
3. Right-click on Group and select New Group.
4. Enter the following information for the first group:
• Group Name – AX-Admin-Read-Only
• Group Description – Read-Only Access to ACOS devices
• Members – Add the members using the Add button.

5. Click Create.
6. Enter the following information for the second group:
• Group Name – AX-Admin-Read-Write
• Group Description – Read-Write to ACOS devices
• Members – Add members as desired using the Add button
7. Click Create.
8. Click Close.


Configuring RADIUS Client for ACOS Device


Follow these steps to configure a RADIUS client for the ACOS device in GUI mode:

1. Open Internet Authentication Service, by selecting Start > Programs > Administrative Tools >
Internet Authentication Service.
2. Right-click on Client and select New Client.
3. Enter the following information in the Add Client dialog box:
• Friendly name – Useful name for the ACOS device; for example, ACOS2000_slb1
• Protocol – RADIUS

NOTE: 192.168.1.238 is the IP address of the ACOS device that will use the IAS
server for external RADIUS authentication.

4. Click Next.
5. Enter the following information in the Add RADIUS Client dialog box:
• Client address – IP address or domain name for the client (ACOS device)
• Client-Vendor – RADIUS Standard


• Shared secret – Secret to be shared between IAS and ACOS. You also will need to enter this in
the RADIUS configuration on the ACOS device.
• Confirm shared secret – Same as above

NOTE: Do not select “Request must contain the Message Authenticator attri-
bute”. ACOS RADIUS authentication does not support this option.

6. Click Next.

Configuring Remote Access Policies


Follow these steps to configure remote access policies in GUI mode:

1. Open the Internet Authentication Service, if not already open.


2. To create the first remote access policy, right-click on Remote Access Policies, select New Remote
Access Policy, and enter the following information:
• Policy Friendly name – AX-Admin-Read-Only-Policy

3. Click Next.
4. In the Add Remote Access Policy dialog box, click Add.
5. In the Select Attribute dialog box, double-click Client Friendly Name.
6. In the Client-Friendly-Name dialog box, enter the friendly name used to define the ACOS device (for
example, AX-Admin-Read-Only-Policy) and click OK.
7. In the same Add Remote Access Policy dialog box as before, click Add again.
8. In the Select Attribute dialog box, double-click Windows-Groups.


9. In the Groups dialog box, click Add, then double-click AX-Admin-Read-Only group, Click OK to add
the group, then click OK once more to confirm the groups.

10. In the same Add Remote Access Policy dialog box as before, click Next.
11. Select Grant remote access permission, and click Next.
12. Click Edit Profile.
13. In the Edit Dial-in Profile dialog box, select the Authentication tab. Select the type of authentication you are using: CHAP and PAP.
14. Select the Advanced tab, and click Add.
15. In the RADIUS attributes list, find and double-click the line beginning with Vendor-Specific.
16. In the Multivalued Attribute Information dialog box, click Add and enter the following:
• Enter vendor code – 22610 (for A10 Networks)
• Conforms to RADIUS RFC – Yes
17. Click Configure Attribute, and enter the following information:
• Vendor-assigned attribute number – 2
• Attribute format – Decimal
• Attribute value – 1

NOTE: Attribute value 1 is read-only. Attribute value 2 is read-write.

18. Click OK for the Configure VSA, Vendor-Specific Attribute Information, and Multivalued Attribute Information dialog boxes.
19. Click Close in the Add Attributes dialog box.
20. Click OK in the Edit Dial-In Profile dialog box. Optionally, read the suggested help by clicking OK.
21. Click Finish in the Add Remote Access Policy dialog box.
22. To create the second Remote Access Policy, repeat the above steps with the following changes:
• Policy Friendly Name – AX-Admin-Read-Write-Policy
• Group to Add – AX-Admin-Read-Write
• Attribute Value – 2
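What the attribute configured in steps 16 and 17 looks like on the wire, as an added Python example (not from the guide, IAS or ACOS): it builds the RFC 2865 Vendor-Specific attribute for vendor 22610, vendor-type 2, with the decimal value as a 4-byte integer, and decodes an Access-Accept attribute list back to the privilege name while rejecting malformed lengths. The value names are taken from the freeRADIUS dictionary earlier in this chapter; the Reply-Message used as padding in the test is constructed.

```python
import struct
from typing import Iterator, Optional, Tuple

VENDOR_SPECIFIC = 26       # RADIUS attribute type for VSAs (RFC 2865)
A10_VENDOR_ID = 22610      # vendor code entered in step 16
A10_ADMIN_PRIVILEGE = 2    # vendor-assigned attribute number from step 17
# Values as defined in the freeRADIUS dictionary earlier in this chapter.
PRIVILEGE_NAMES = {
    1: "Read-only-Admin",
    2: "Read-write-Admin",
    8: "Partition-Read_write",
    11: "Partition-SlbService-Operator",
    12: "Partition-Read-Only",
}


def encode_a10_privilege(value: int) -> bytes:
    """Build the RFC-conformant VSA carrying A10-Admin-Privilege: type 26,
    length, 4-byte vendor id, then vendor-type, vendor-length and the
    decimal value as a 4-byte big-endian integer."""
    if value not in PRIVILEGE_NAMES:
        raise ValueError(f"undefined A10-Admin-Privilege value {value}")
    data = struct.pack("!I", value)
    sub = struct.pack("!BB", A10_ADMIN_PRIVILEGE, 2 + len(data)) + data
    body = struct.pack("!I", A10_VENDOR_ID) + sub
    return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(body)) + body


def iter_attributes(attrs: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (type, value) for each attribute in a RADIUS attribute list,
    refusing the truncated or zero-length encodings that must never be
    trusted from the wire."""
    pos = 0
    while pos < len(attrs):
        if len(attrs) - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            raise ValueError(f"bad length {alen} for attribute type {atype}")
        yield atype, attrs[pos + 2:pos + alen]
        pos += alen


def iter_vsas(attrs: bytes) -> Iterator[Tuple[int, int, bytes]]:
    """Yield (vendor id, vendor type, data) for every RFC-format VSA; one
    Vendor-Specific attribute may carry several vendor sub-attributes."""
    for atype, value in iter_attributes(attrs):
        if atype != VENDOR_SPECIFIC:
            continue
        if len(value) < 6:
            raise ValueError("vendor-specific attribute too short")
        vendor_id = struct.unpack("!I", value[:4])[0]
        pos = 4
        while pos < len(value):
            if len(value) - pos < 2:
                raise ValueError("truncated vendor sub-attribute")
            vtype, vlen = value[pos], value[pos + 1]
            if vlen < 2 or pos + vlen > len(value):
                raise ValueError(f"bad vendor sub-attribute length {vlen}")
            yield vendor_id, vtype, value[pos + 2:pos + vlen]
            pos += vlen


def a10_admin_privilege(attrs: bytes) -> Optional[str]:
    """Return the privilege name granted by an Access-Accept attribute list,
    or None when no A10-Admin-Privilege VSA is present."""
    for vendor_id, vtype, data in iter_vsas(attrs):
        if vendor_id != A10_VENDOR_ID or vtype != A10_ADMIN_PRIVILEGE:
            continue
        if len(data) != 4:
            raise ValueError("A10-Admin-Privilege must be a 4-byte integer")
        number = struct.unpack("!I", data)[0]
        return PRIVILEGE_NAMES.get(number, f"unknown({number})")
    return None


if __name__ == "__main__":
    # constructed Access-Accept attributes: a Reply-Message followed by the VSA
    accept = bytes([18, 4]) + b"ok" + encode_a10_privilege(1)
    print(accept.hex())                  # ends with 1a0c00005852020600000001
    print(a10_admin_privilege(accept))   # Read-only-Admin
```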


Adding Active Directory Users to ACOS Access Groups


Follow these steps to add Active Directory users to the ACOS access groups in GUI mode:

1. In the Active Directory management console, add the ACOS access group to the user, tester1:


2. Make sure Remote Access Permission is enabled:

Registering the IAS Server in Active Directory


The IAS RADIUS server must be registered with AD. Otherwise, RADIUS will use compatibility mode
instead of AD to authenticate users.

1. Open the IAS main window.
2. Click Action on the menu bar, and click “register server on active directory”.


Configuring RADIUS on the ACOS Device


To add the RADIUS server (IAS server) to the ACOS device, enter the following commands:

ACOS(config)# radius-server host 192.168.230.10 secret shared-secret
ACOS(config)# authentication type local radius

NOTE: Ensure that the shared secret is the same as the value that you specified
for the RADIUS client that you configured for the ACOS server on the IAS
server.

In this example, 192.168.230.10 is the IP address of w2003-10.com, and shared-secret is the secret
that you entered in the step 5 in Configuring RADIUS Client for ACOS Device.

Verifying the Configuration


To verify the configuration:

1. Log in to the ACOS CLI.
2. At the command prompt, enter the username in the following format:
user-name@AD-domain-name
For example, enter [email protected].
3. Enter the password.
4. Press Enter.

Additional Reference Information


The following commands that appear in the examples of this document are described in the Command
Line Interface Reference.

ACOS(config)# radius-server ?
default-privilege-read-write Specify the RADIUS default privilege
host Specify the RADIUS server's hostname or IP address

ACOS(config)# authentication ?
console Configure console authentication type
enable The enable-password authentication type
login The login mode
mode Configure authentication mode
multiple-auth-reject Multiple same user login reject
type The login authentication type

ACOS(config)# tacacs-server ?
host Specify the hostname of TACACS+ server
monitor Configure TACACS+ servers

ACOS(config)# authorization ?
commands Commands level for authorization
debug Specify the debug level for authorization

ACOS(config)# accounting ?
commands Enable level for commands accounting
debug Specify the debug level for accounting
exec Configuration for EXEC <shell> accounting


Lightweight Directory Access Protocol (LDAP)

This chapter describes how an ACOS device can use Lightweight Directory Access Protocol (LDAP), an
AAA protocol, to authenticate administrators and authorize management access based on the account
information on external LDAP servers.

The following topics are covered in this chapter:

• LDAP Overview

• Configuring LDAP for ACOS Administrators

• Configuring an LDAP Server

• Configuring an OpenLDAP Server

• Configuring Microsoft Active Directory

• Configuring ACOS Administrator Accounts

• A10 LDAP Object Class and Attribute Types

• Additional Information for Reference

LDAP Overview
You can use one of the following types of LDAP servers:

• OpenLDAP

• Microsoft Active Directory (AD)

Configuring LDAP for ACOS Administrators


To configure LDAP authentication and authorization for ACOS administrators:

1. To enable LDAP authentication, enter the following command:

ACOS(config)# authentication type ldap local


2. To add the LDAP server(s) to the ACOS configuration, enter the ldap-server host command. For example:

ACOS(config)# ldap-server host 192.168.4.0 cn cn dn example-dn-string port 638 ssl timeout 5

The following list provides additional information on the options:

• If you do not use SSL, the default port is 389. If you use SSL, the default port is 636.
• The default timeout value is 3.
3. Prepare the LDAP server.
For more information, see the following sections:
• Configuring an OpenLDAP Server
• Configuring Microsoft Active Directory
4. Test the configuration by using an ACOS administrator account to log in to the LDAP server.

Configuring an LDAP Server


This section contains the following sub-sections:

• Configuring an LDAP Server by Using the GUI

• Configuring an LDAP Server by Using the CLI

You can configure an LDAP server by using the GUI or the CLI.

Configuring an LDAP Server by Using the GUI


To configure an LDAP server on the ACOS device:

1. Navigate to System >> Admin.


2. Select LDAP from the External Authentication tab.
3. Verify that System >> Admin >> External Authentication >> LDAP is displayed.
4. Click Create. The Create LDAP Server window appears.
5. Select one of the following for the LDAP Type:
• Name
• IPv4


• IPv6
6. Complete one of following tasks:
• If you selected Name, complete the following steps:
a. Select either Domain Name or Common Name.
b. If you selected Domain Name, enter the Domain Name in its text box.
c. If you selected Common Name, enter both the Common Name and the Distinguished
Name in their text boxes.
Do not use quotation marks for the distinguished names. For example:
• The DN string cn=xxx3,dc=mACOScrc,dc=com is valid.
• The string “cn=xxx3,dc=mACOScrc,dc=com” is not valid.
To use nested OUs, specify the nested OU first, then the root.
d. Enter a port number in the Port text box or accept the default.
e. Enter a timeout value in the Timeout (Seconds) text box or accept the default.
The Timeout field displays the maximum number of seconds that the ACOS device waits for a
reply from the LDAP server for a given request. You can specify 1-60 seconds. If the LDAP
server does not reply before the timeout, authentication of the admin fails.
f. Determine whether you want to enable or disable SSL.
g. Click Create.
h. Verify that you have returned to the System >> Admin >> External Authentication >> LDAP
window and that an LDAP server has been created.
• If you selected IPv4, complete the following steps:

a. Enter the host IP address of the LDAP server in the Server text box.
b. Select either Common Name or Domain Name.
If you selected Common Name, enter both the Common Name and the Distinguished
Name in their text boxes.
If you selected Domain Name, enter the Domain Name in its text box.
c. Enter a port number in the Port text box or accept the default.
d. Enter a timeout value in the Timeout (Seconds) text box or accept the default.
The Timeout field displays the maximum number of seconds that the ACOS device waits for a
reply from the LDAP server for a given request. You can specify 1-60 seconds. If the LDAP
server does not reply before the timeout, authentication of the admin fails.
e. Determine whether you want to enable or disable SSL.


f. Click Create.
g. Verify that you have returned to the System >> Admin >> External Authentication >> LDAP window and that an LDAP server has been created.
• If you selected IPv6, complete the following steps:

a. Enter the host IPv6 address of the LDAP server in the Server text box.
b. Select either Common Name or Domain Name.
If you selected Common Name, enter both the Common Name and the Distinguished
Name in their text boxes.
If you selected Domain Name, enter the Domain Name in its text box.
c. Enter a port number in the Port text box or accept the default.
d. Enter a timeout value in the Timeout (Seconds) text box or accept the default.
The Timeout field displays the maximum number of seconds that the ACOS device waits for a
reply from the LDAP server for a given request. You can specify 1-60 seconds. If the LDAP
server does not reply before the timeout, authentication of the admin fails.
e. Determine whether you want to enable or disable SSL.
f. Click Create.
g. Verify that you have returned to the System >> Admin >> External Authentication >> LDAP window and that an LDAP server has been created.

Configuring an LDAP Server by Using the CLI


To enable LDAP authentication, enter the following command at the global configuration level of the
CLI:

ACOS(config)# authentication type ldap

• To use backup methods, specify the methods in the order in which you want to use them. For
more information, see Multiple Authentication Methods and Tiered Authentication.
For example:
ACOS(config)# authentication type ldap local radius tacplus

• To configure an LDAP server on the ACOS device, use the ldap-server host command at the
global configuration level of the CLI:

ACOS(config)# ldap-server host 192.168.101.24 cn UserName dn cn=UserName,dc=UserAccount,dc=example,dc=com


Do not use quotation marks for the dn option. For example, the following DN string syntax is valid:

cn=xxx3,dc=mACOScrc,dc=com

The following string is not valid:

“cn=xxx3,dc=mACOScrc,dc=com”

Spaces are not allowed in the dn specification.


• To configure the ACOS device and provide LDAP AAA for UserAccUser1, enter a command like the
following:

ACOS(config)# ldap-server host ldapserver.ad.example.edu cn ExampleUser dn ou=StaffElevatedAccounts,ou=ServiceAccounts,dc=ad,dc=example,dc=edu

To use nested OUs, specify the nested OU first, then the root. For example, a user account could be
nested in the following way:

Root OU= Service Accounts -> OU=StaffElevatedAccounts -> UserAccUser1

For more information about these commands, see the Command Line Interface Reference.

Configuring an OpenLDAP Server


This topic contains the following sections:

• Overview

• A10 Schema File for OpenLDAP

• A10 Administrator Account Files for LDAP

Overview
When an administrator logs in to the ACOS device via LDAP, the ACOS device needs to send LDAP packets to the LDAP server (for example, OpenLDAP or Windows AD). OpenLDAP can be installed on Windows or Linux.


To configure an OpenLDAP server and provide authentication and authorization for ACOS administrators:

1. Add the A10 schema file by copying the file and pasting it in the following location:

openldap_install_directory\schema

For example, on your server, the location might be C:\Program Files\OpenLDAP\schema.

NOTE: For more information, see A10 Schema File for OpenLDAP.

2. Add the administrator accounts.

NOTE: For more information, see A10 Administrator Account Files for LDAP.

3. Restart the LDAP service.

A10 Schema File for OpenLDAP


The following text is an example of the schema file that is required on the OpenLDAP server to provide
authentication and authorization to ACOS administrators:

# all a10 LDAP OID be placed in 1.3.6.1.4.1.22610.300.
# all attributetype start from 1.3.6.1.4.1.22610.300.1.
# all objectclass start from 1.3.6.1.4.1.22610.300.2.

attributetype ( 1.3.6.1.4.1.22610.300.1.1
    NAME 'A10AdminRole'
    DESC 'admin Role'
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
    SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.22610.300.1.2
    NAME 'A10AdminPartition'
    DESC 'admin Partition'
    EQUALITY caseIgnoreMatch
    SUBSTR caseIgnoreSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

attributetype ( 1.3.6.1.4.1.22610.300.1.3
    NAME 'A10AccessType'
    DESC 'admin Access Type'
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
    SINGLE-VALUE )

objectclass ( 1.3.6.1.4.1.22610.300.2.1
    NAME 'A10Admin' SUP top AUXILIARY
    DESC 'A10 Admin object class '
    MAY ( A10AdminRole $ A10AdminPartition $ A10AccessType ) )

The LDAP schema file for ACOS administrator authentication and authorization contains the following
items:

• A10Admin – This is the object class for A10 Networks, and can contain one or more of the following attribute types. You can specify the values to assign to these attributes in the definition file for the administrator. (See A10 Administrator Account Files for LDAP.)
• A10AdminRole – This attribute type specifies the administrator’s role, which defines the scope of
read-write operations the administrator is allowed to perform on the ACOS device. The ACOS
device has the following predefined roles:
• ReadOnlyAdmin
• ReadWriteAdmin
• PartitionSlbServiceOperator
• PartitionReadOnly
• PartitionReadWrite
To specify one of these roles in the definition file for the administrator account, use the role name
as the attribute value.
For example:

A10AdminRole: ReadWriteAdmin

If you do not use this attribute in the definition file for the administrator account, the ReadOnlyAdmin role is assigned to the administrator.
• A10AdminPartition – This attribute type specifies the ACOS partition the administrator is authorized to log onto.
• For the shared partition, enter “shared”.
For example:

A10AdminPartition: shared

• For an L3V partition, enter the partition name.


For example:

A10AdminPartition: privpart1


If you do not use this attribute in the definition file for the administrator account, the administrator
is allowed to log into the shared partition.
• A10AccessType – This attribute type specifies the user interface(s) for which the administrator
is authorized and whether the administrator is authorized to create, import, or modify External
Health Monitor files. The user can specify one or more of the following:
• cli – CLI
• web – GUI
• axapi – aXAPI
• hm – External Health Monitors
An administrator is not allowed to log into the device if the corresponding admin account does not
enable at least one of the cli, web, or axapi parameters.
The hm parameter attribute can only be specified for administrator accounts with system-wide,
read+write (R/W) privilege to allow them to be able to create, import, or modify External Health
Monitor files.

SECURITY The hm attribute should be enabled only for admins sufficiently trusted to perform these operations without introducing malicious content, which could otherwise compromise the security of the ACOS system and its deployed environment.

For more information, see the Application Delivery and Server Load Balancing Guide (Using External Health Methods section) and “Configuring LDAP for ACOS Administrators” on page 99.

A10 Administrator Account Files for LDAP


Administrator accounts managed by an LDAP server are stored in files on the server.

The following text is an example of how to create an LDAP user:

dn: cn=user1,dc=my-domain,dc=com
cn: user1
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: A10Admin
userPassword: 123456
sn: sn
ou: guest
A10AdminRole: ReadWriteAdmin


This file configures admin “user1”. The objectClass value A10Admin and the A10AdminRole attribute are
specific to A10 Networks and are defined in the schema file, which also must be added to the LDAP
server.

In this example, the A10AdminPartition and A10AccessType attributes are omitted. The default values
are used (See A10 Schema File for OpenLDAP).
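The role, partition and access-type rules of the schema section applied to an account entry like user1 above, as an added Python example (not A10 code): it reads one LDIF entry, fills in the defaults the guide states (ReadOnlyAdmin, shared) and reports every rule the entry breaks. The default for a missing A10AccessType and the separator for listing several interfaces in that single value are assumptions; the entries other than user1 are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List

PREDEFINED_ROLES = {"ReadOnlyAdmin", "ReadWriteAdmin", "PartitionSlbServiceOperator",
                    "PartitionReadOnly", "PartitionReadWrite"}
ACCESS_TYPES = {"cli", "web", "axapi", "hm"}
LOGIN_INTERFACES = {"cli", "web", "axapi"}
# The guide gives defaults for the role (ReadOnlyAdmin) and the partition
# (shared) but not for the access type; assumption: every login interface
# is allowed when A10AccessType is absent.
DEFAULT_ACCESS = ["cli", "web", "axapi"]

# Constructed copy of the user1 entry shown above.
USER1_LDIF = """\
dn: cn=user1,dc=my-domain,dc=com
cn: user1
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: A10Admin
userPassword: 123456
sn: sn
ou: guest
A10AdminRole: ReadWriteAdmin
"""


def parse_ldif_entry(text: str) -> Dict[str, List[str]]:
    """Minimal LDIF reader for one entry: attribute names are lower-cased,
    every value is kept, and folded continuation lines (leading space) are
    joined back onto the line before them."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw.strip() and not raw.startswith("#"):
            lines.append(raw)
    entry: Dict[str, List[str]] = {}
    for line in lines:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed LDIF line {line!r}")
        entry.setdefault(name.strip().lower(), []).append(value.strip())
    return entry


@dataclass
class EffectiveAdmin:
    role: str
    partition: str
    access: List[str]
    problems: List[str] = field(default_factory=list)

    @property
    def can_log_in(self) -> bool:
        return not self.problems


def evaluate_admin(ldif: str) -> EffectiveAdmin:
    """Apply the A10Admin rules described above to one account entry and
    report the effective role, partition and interfaces, plus every rule
    the entry breaks."""
    entry = parse_ldif_entry(ldif)
    classes = {c.lower() for c in entry.get("objectclass", [])}
    role = entry.get("a10adminrole", ["ReadOnlyAdmin"])[0]
    partition = entry.get("a10adminpartition", ["shared"])[0]
    raw_access = entry.get("a10accesstype")
    # The schema marks A10AccessType SINGLE-VALUE; assumption: several
    # interfaces are listed in that one value separated by commas or spaces.
    access = (list(DEFAULT_ACCESS) if raw_access is None else
              [t for v in raw_access for t in v.replace(",", " ").split()])
    admin = EffectiveAdmin(role, partition, access)
    if "a10admin" not in classes and any(k.startswith("a10") for k in entry):
        admin.problems.append("A10 attributes used without objectClass A10Admin")
    if role not in PREDEFINED_ROLES:
        admin.problems.append(f"unknown role {role!r}")
    unknown = sorted(set(access) - ACCESS_TYPES)
    if unknown:
        admin.problems.append(f"unknown access type(s) {unknown}")
    if not LOGIN_INTERFACES & set(access):
        admin.problems.append("no cli, web or axapi access: login is not allowed")
    if "hm" in access and role != "ReadWriteAdmin":
        admin.problems.append("hm requires the system-wide read-write role")
    return admin
```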

Configuring Microsoft Active Directory


This section contains the following sub-sections:

• Overview

• Summary

Overview
You can configure Microsoft Active Directory for LDAP authentication and authorization of ACOS
administrators. When the user logs into the ACOS device, the device sends the user name and password to Active Directory to validate the credentials.

NOTE: The information in this section is based on Windows Server 2008.

Summary
1. Install Active Directory on your Windows server.
For more information, see http://technet.microsoft.com/en-us/library/jj574166.aspx.
2. Configure the administrator accounts.

NOTE: For more information, see Configuring ACOS Administrator Accounts.

3. Add a user name and password to Active Directory.

NOTE: For more information, see http://technet.microsoft.com/en-us/library/dd894463(v=WS.10).aspx.

4. (Optional) Add the A10 LDAP attribute types to the server. See Adding A10 LDAP Attribute Types.


NOTE: If you plan to use the default settings for all the A10 attributes, you can
skip this step.

Configuring ACOS Administrator Accounts


This section describes how to configure an administrator account.

• Creating a Read-Only Administrator

• Testing the Read-Only Administrator Account

• Configuring a Read-Write Administrator

• Testing the Read-Write Administrator Account

Creating a Read-Only Administrator


To create an administrator with the ReadOnlyAdmin role:

1. Go to the Active Directory Users and Computers.


2. Click File > New.
3. Complete the following steps in the New Object - User window:
a. Enter a first name.
b. Enter a last name.
c. Enter a full name.
d. Enter a user logon name.
e. Select the domain.
f. If applicable, enter the pre-Windows 2000 logon name.
g. Click Next.
4. Select User Account in the left pane to see the user that you just created displayed in the right
pane.


FIGURE 7 Creating a Read-Only Administrator

Testing the Read-Only Administrator Account


The following is the LDAP server configuration on the ACOS device:

ldap-server host 192.168.101.24 cn cn dn ou=UserAccount,dc=example,dc=com
!
authentication type ldap
!

The following is an example of the session login by the read-only admin. Access to the configuration
level by this admin is not allowed.

[root@Linux-PC-148 ~]# ssh -l test 192.168.100.46
Password:
Last login: Thu Jun 21 13:05:51 2012 from 192.168.100.148

ACOS system is ready now.

[type ? for help]

ACOS>
ACOS> enable
Password: <blank>
ACOS# show admin session
Id   User Name  Start Time                    Source IP        Type  Partition  Authen  Role           Cfg
----------------------------------------------------------------------------------------------------------
*99  test       13:08:10 CST Thu Jun 21 2012  192.168.100.148  CLI              Ldap    ReadOnlyAdmin  No
ACOS# config
^
% Unrecognized command.Invalid input detected at '^' marker.

ACOS#

Configuring a Read-Write Administrator


In this example, the ou attribute is set to operator.

To configure a read-write administrator with a ReadWriteAdmin role:

1. Go to Active Directory Users and Computers.
2. Right-click User Account, and in the right pane, select a user name.
3. Right-click on the user name and select Properties.
4. On the Attribute Editor tab, click ou, and click Edit.
5. In the Multi-value String Editor, in Value to add, enter Operator.
6. Click OK.


FIGURE 8 Multi-Valued String Editor

Testing the Read-Write Administrator Account


The following is the LDAP server configuration on the ACOS device:

ldap-server host 192.168.101.24 cn cn dn ou=UserAccount,dc=example,dc=com
!
authentication type ldap
!

The following is an example of the session login by the read-write administrator:

NOTE: This administrator is allowed to access the configuration level.

[root@Linux-PC-148 ~]# ssh -l test 192.168.100.46
Password:
Last login: Thu Jun 21 13:08:10 2012 from 192.168.100.148

ACOS system is ready now.

[type ? for help]

ACOS> enable
Password: <blank>
ACOS# show admin session
Id   User Name  Start Time                    Source IP        Type  Partition  Authen  Role            Cfg
-----------------------------------------------------------------------------------------------------------
*101 test       13:22:16 CST Thu Jun 21 2012  192.168.100.148  CLI              Ldap    ReadWriteAdmin  No
ACOS# config
ACOS(config)#

A10 LDAP Object Class and Attribute Types


This topic contains the following sections:

• Overview

• Adding A10 LDAP Attribute Types

• Adding the Attribute Type by Using the GUI

• Adding “a10Admin” to the objectClass

• Restarting the LDAP Process

• Changing the Administrator Role (A10AdminRole)

• Adding L3V Partition Information (A10AdminPartition)

• Changing the Access Type (A10AccessType)

Overview
You can add A10 LDAP attribute types to the server.


NOTE: If you plan to use the default settings for all the A10 attributes, you can
skip the rest of this section.

CAUTION: Add the attributes carefully. Once they are added, they cannot be
changed or deleted.

Adding A10 LDAP Attribute Types

The LDAP object class for A10 Networks is A10Admin, and can contain one or more of the following
attribute types. You can specify the values to assign to these attributes in the definition file for the
admin.

• A10AdminRole

This attribute type specifies the administrator’s role, which defines the scope of read-write operations
that the administrator is allowed to perform on the ACOS device.
The following predefined roles are included on the ACOS device:
• ReadOnlyAdmin
• ReadWriteAdmin
• PartitionReadWrite
• PartitionSlbServiceOperator
• PartitionReadOnly

To specify one of these roles in the definition file for the administrator account, enter the role name
as the attribute value.
For example, A10AdminRole: ReadWriteAdmin
If you do not use this attribute in the definition file for the administrator account, the ReadOnlyAdmin
role is assigned to the administrator.
• A10AdminPartition specifies the ACOS partition that the administrator is authorized to access.

• For the shared partition, enter “shared”.
For example, A10AdminPartition: shared
• For an L3V partition, enter the partition name.
For example, A10AdminPartition: privpart1
If you do not use this attribute in the definition file for the administrator account, the administrator
can log in to the shared partition.
• A10AccessType specifies the user interface(s) that the administrator is authorized to use.

The user can specify one or more of the following interfaces:


• cli
• web
• axapi
• hm – External Health Monitors
If none of these values is set in the definition file for the administrator account, the admin is not
allowed to log in through any of these interfaces. Furthermore, the admin cannot create, import, or
modify External Health Monitor files. The hm parameter can only be specified for administrator
accounts with system-wide, read and write (R/W) privilege.
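As an added example (not A10 Networks code), the following Python applies the defaults this section documents to an LDAP entry and reports the access ACOS would grant, so an entry can be reviewed before the admin first logs in. The LDIF sample, its DN and the extra "user" objectClass are constructed assumptions.

```python
# Added example (not A10 Networks code): work out the effective ACOS access that an
# A10Admin LDAP entry grants, applying the defaults documented in this guide.
ROLES = {"ReadOnlyAdmin", "ReadWriteAdmin", "PartitionReadWrite",
         "PartitionSlbServiceOperator", "PartitionReadOnly"}
INTERFACES = {"cli", "web", "axapi", "hm"}


def parse_ldif(text):
    """One LDIF entry -> {attribute: [values]}; LDAP attribute names are case-insensitive."""
    attrs = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            name, _, value = line.partition(":")
            attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return attrs


def effective_access(attrs):
    """Defaults per the guide: no A10AdminRole -> ReadOnlyAdmin; no A10AdminPartition
    -> shared; no A10AccessType -> no interface at all; hm only for system-wide R/W."""
    warnings = []
    if "a10admin" not in {c.lower() for c in attrs.get("objectclass", [])}:
        warnings.append("entry lacks the a10Admin objectClass")
    role = attrs.get("a10adminrole", ["ReadOnlyAdmin"])[0]
    if role not in ROLES:
        warnings.append(f"unknown A10AdminRole {role!r}")
    partition = attrs.get("a10adminpartition", ["shared"])[0]
    interfaces = {v.lower() for v in attrs.get("a10accesstype", [])}
    for bad in sorted(interfaces - INTERFACES):
        warnings.append(f"unknown A10AccessType {bad!r} ignored")
        interfaces.discard(bad)
    if not interfaces:
        warnings.append("no A10AccessType: admin cannot log in through any interface")
    if "hm" in interfaces and role != "ReadWriteAdmin":
        warnings.append("hm needs system-wide read-write privilege; ignored")
        interfaces.discard("hm")
    return {"role": role, "partition": partition,
            "interfaces": interfaces, "warnings": warnings}


def can_login(access, interface):
    """True if ACOS would accept a login through the named interface."""
    return interface.lower() in access["interfaces"]


# Constructed entry mirroring the guide's scenario: admin test1 in L3V partition
# test1, GUI and aXAPI only. The DN and the 'user' objectClass are assumptions.
SAMPLE_LDIF = """
dn: cn=test1,ou=UserAccount,dc=example,dc=com
objectClass: user
objectClass: a10Admin
cn: test1
A10AdminRole: PartitionReadWrite
A10AdminPartition: test1
A10AccessType: web
A10AccessType: axapi
"""
```

Running `effective_access(parse_ldif(SAMPLE_LDIF))` shows a CLI login is refused for this entry, which is the failure the log-in example later in this chapter records.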

Adding the Attribute Type by Using the GUI


In Windows, to add the attribute type:

1. Click Start > All Programs > Accessories > Run.
2. To start Microsoft Management Console, enter mmc.
3. In the console, click File > Add/Remove Snap-In.
4. In Add or Remove Snap-ins, select Active Directory Schema in the left pane and click Add.
5. Click OK.
6. In the Console, right-click the Attributes folder, and click New > Attribute.

FIGURE 9 Attribute Add Schema


7. In Create New Attribute, complete the fields, and click OK.

FIGURE 10 Creating a New Attribute

8. In Console, right-click Classes, and click New > Class.


9. Enter the appropriate information in the Identification and Inheritance and Type sections and
click Next.

FIGURE 11 Creating a New Class


10. Enter the appropriate information in the Mandatory and Optional sections and click Finish.


Adding “a10Admin” to the objectClass


Figure 12 and Figure 13 change the objectClass and add a10Admin to it. After this, all the A10
attributes can be added to administrator test.

FIGURE 12 Adding Admin Test to the objectClass


FIGURE 13 Editing the Values

Restarting the LDAP Process


To place the LDAP changes into effect, restart the LDAP process on the server. To access the process
controls, under Administrative Tools, select Services.


FIGURE 14 Restarting the LDAP Process - Step 1


FIGURE 15 Restarting the LDAP Process - Step 2

Changing the Administrator Role (A10AdminRole)


This section contains the following sub-sections:

• Scenario

• Log-in Example

Scenario
Figure 16 and Figure 17 set the administrator role for administrator test to ReadWriteAdmin.


FIGURE 16 Changing the Administrator Role


FIGURE 17 Clearing the ou Attribute

Log-in Example
The following is a login example for an administrator:

[root@Linux-PC-148 ~]# ssh -l test 192.168.100.46
Password:
Last login: Thu Jun 21 13:22:16 2014 from 192.168.100.148

ACOS system is ready now.

[type ? for help]

ACOS> enable
Password: <blank>
ACOS#
ACOS# show admin session
Id   User Name  Start Time                    Source IP        Type  Partition  Authen  Role            Cfg
-----------------------------------------------------------------------------------------------------------
*106 test       14:15:13 CST Thu Jun 21 2014  192.168.100.148  CLI              Ldap    ReadWriteAdmin  No
ACOS#
ACOS# config
ACOS(config)#

Adding L3V Partition Information (A10AdminPartition)


This section contains the following sub-sections:

• Scenario

• ACOS Configuration

• LDAP Server Configuration

• Log-in Example

Scenario
The following screen configures admin test as an L3V partition administrator and assigns the
administrator to partition test1.

NOTE: The shared partition does not need to be added to the LDAP server. If the
A10AdminPartition attribute is not set, the admin is permitted to access
the shared partition.

ACOS Configuration
The following is the partition configuration on the ACOS device:

ACOS# configure
ACOS(config)# partition test1 id 1


LDAP Server Configuration


Figure 18 sets the a10AdminPartition attribute to test1. This indicates that the admin can access the
L3V partition called test1. The A10AdminRole attribute is set to PartitionReadWrite. This restricts the
administrator to read-write operations in the L3V partition.

FIGURE 18 LDAP Server Configuration

Log-in Example
When administrator test logs in, the session opens in partition test1.

[root@Linux-PC-148 ~]# ssh -l test 192.168.100.46
Password:
Last login: Thu Jun 21 14:19:41 2012 from 192.168.3.196

ACOS system is ready now.

[type ? for help]

ACOS2500-1[test1]>
ACOS2500-1[test1]> enable
Password: <quick>
ACOS2500-1[test1]#
ACOS2500-1[test1]# config
ACOS2500-1[test1](config)# show admin session
Id   User Name  Start Time                    Source IP        Type  Partition  Authen  Role                Cfg
---------------------------------------------------------------------------------------------------------------
*108 test       14:22:51 CST Thu Jun 21 2012  192.168.100.148  CLI   test1      Ldap    PartitionReadWrite  Yes

Changing the Access Type (A10AccessType)


This section contains the following sub-sections:

• Scenario

• Log-in Example

Scenario
Figure 19 sets the access type for the PartitionReadWrite administrator to web (GUI) and aXAPI. This
configuration prohibits the administrator from logging in through the CLI.


FIGURE 19 Changing the Access Type

Log-in Example
The following example shows what happens if the admin tries to log in through the CLI:

[root@Linux-PC-148 ~]# ssh -l test1 192.168.100.46
Password:***
Password:***
Couldn’t login via CLI, check the log message with admin/a10
ACOS2500-1# show log
Log Buffer: 30000
Jun 21 2012 14:30:42 Error [SYSTEM]:The user, test1, from the remote host, 192.168.100.148, failed in the CLI authentication.
Jun 21 2012 14:30:42 Warning [SYSTEM]:Ldap authentication failed(user: test1): The user access interface is not authenticated.

Additional Information for Reference


To get additional information on the commands that appear in the examples of this document, go to
the Command Line Interface Reference.

NOTE: To understand these options and how they affect the authentication process,
go to the Command Line Interface Reference.

The authentication command has the following options.

ACOS(config)# authentication ?
  console               Configure console authentication type
  enable                The enable-password authentication type
  login                 The login mode
  mode                  Configure authentication mode
  multiple-auth-reject  Multiple same user login reject
  type                  The login authentication type

ACOS(config)# ldap-server host ?
  NAME<length:1-63>  Hostname of LDAP server
  A:B:C:D:E:F:G:H    IPV6 address of ldap server
  A.B.C.D            IPV4 address of ldap server


Command Auditing

This chapter describes how to enable and configure command auditing on your ACOS device.

The following topics are covered in this chapter:

• Overview

• Enabling and Configuring the Command Auditing

• Examples for Audit Log

• Additional Information for Reference

Overview
You can enable command auditing to log the commands entered by ACOS administrators. Command
auditing logs the following types of system management events:

• Administrator logins and logouts for CLI, GUI, and aXAPI sessions

• Unsuccessful administrator login attempts

• Configuration changes. All attempts to change the configuration are logged, even if they are
unsuccessful.
• CLI commands at the Privileged EXEC level (if audit logging is enabled for this level)

NOTE: Previously, the audit log (including all of the aXAPI messages) was being
displayed in the console, which affected the scroll back buffers for terminal
programs. Starting in release 2.7.2, the audit log is no longer displayed, and
the API calls are no longer displayed in the console.

The audit log is maintained in a separate file, apart from the system log. The audit log messages
displayed for an admin depend upon the administrator’s privilege level. Administrators with Root, Read
Write, or Read Only privileges who view the audit log can view all messages, for all system partitions.

Administrators who have privileges only within a specific partition can view only the audit log
messages related to management of that partition.

NOTE: Backups of the system log include the audit log.


Enabling and Configuring the Command Auditing


Command auditing is disabled by default. To enable it, use either of the following procedures:

• Configuring the Command Auditing in the GUI Mode

• Configuring the Command Auditing in the CLI Mode

Configuring the Command Auditing in the GUI Mode


To enable command auditing using the GUI:

1. Navigate to System >> Settings.
2. Select the Logging tab.
3. In the Audit log host field, specify the IPv4 or IPv6 address of the audit logging host server, or
specify the Name of the audit logging host server.
4. Select the logging facility from the Facility drop-down list.
5. Click OK.

Configuring the Command Auditing in the CLI Mode


To enable command auditing from the CLI, use the audit enable command at the global configuration
level. This command logs configuration commands only.

ACOS(config)# audit enable

To log both configuration and Privileged EXEC commands, use the following command:

ACOS(config)# audit enable privilege

The following command sets the buffer size to 30,000. When the log is full, the oldest entries are
removed to make room for new entries. The default is 20,000 entries.

ACOS(config)# audit size 30000

Use the following command to disable command auditing:


ACOS(config)# no audit enable

To show audit log entries, use the show audit command:

ACOS(config)# show audit

Examples for Audit Log


The following audit log indicates a change to the image to use for booting, performed using the CLI:

Jul 06 2010 23:27:25 admin cli: bootimage hd sec

The following audit logs indicate configuration and operational actions related to virtual server “vip1”
performed using the GUI:

Jun 08 2014 09:06:04 [12] web: [admin] add virtual server [name:vip1, ip:1.1.1.1, vport1:8001(TCP).] successfully.
Jun 08 2014 09:06:05 [12] web: [admin] edit virtual server [name:vip1, ip:1.1.1.1, vport1:8001(TCP).] successfully.
Jun 08 2014 09:06:06 [12] web: [admin] disable virtual server [vip1] successfully.
Jun 08 2014 09:06:06 [12] web: [admin] enable virtual server [vip1] successfully.
Jun 08 2014 09:06:07 [12] web: [admin] delete virtual server [vip1] successfully.

The following audit logs indicate configuration actions related to virtual server “vip1” performed using
the aXAPI:

Jun 08 2014 09:06:13 [12] aXAPI: [admin] add virtual server [name:vip1, ip:1.1.1.1, vport1:8001(TCP).] successfully.
Jun 08 2014 09:06:14 [12] aXAPI: [admin] edit virtual server [name:vip1, ip:1.1.1.1, vport1:8001(TCP).] successfully.
Jun 08 2014 09:06:15 [12] aXAPI: [admin] delete virtual server [vip1] successfully.
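As an added example (not A10 Networks code), the following Python parses both audit log formats shown in this section (the CLI form and the web/aXAPI form) into structured records and flags the entries an operator reviewing the trail would want to see first. The sample lines are taken from the examples above plus one unparsable line; the name "seq" for the bracketed number after the timestamp is an assumption, since this guide does not document that field.

```python
# Added example (not A10 Networks code): parse the two ACOS audit log formats shown
# in this guide and flag the entries a reviewer would want to see first.
import re
from datetime import datetime

TS = r"(?P<ts>[A-Z][a-z]{2} \d{2} \d{4} \d{2}:\d{2}:\d{2})"
# CLI form:  "Jul 06 2010 23:27:25 admin cli: bootimage hd sec"
CLI_RE = re.compile(TS + r" (?P<user>\S+) (?P<iface>cli): (?P<action>.+)$")
# GUI/aXAPI form: "Jun 08 2014 09:06:04 [12] web: [admin] delete virtual server [vip1] successfully."
# The bracketed number after the timestamp is kept as 'seq'; its meaning is not
# documented in this guide, so that name is an assumption.
GUI_RE = re.compile(TS + r" \[(?P<seq>\d+)\] (?P<iface>web|aXAPI): \[(?P<user>[^\]]+)\] "
                    r"(?P<action>.+?)(?: (?P<status>successfully))?\.$")

# Verbs whose appearance in an audit trail is worth a second look.
WATCH_VERBS = ("delete", "disable", "bootimage")


def parse_audit_line(line):
    """Return a dict for a recognised audit entry, or None for anything else."""
    m = CLI_RE.match(line) or GUI_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec.pop("ts"), "%b %d %Y %H:%M:%S")
    rec.setdefault("seq", None)     # CLI entries carry no bracketed number
    rec.setdefault("status", None)  # CLI entries carry no trailing status
    return rec


def flag_entries(lines):
    """Parse every line; return (records, flagged), where flagged holds the
    records whose action starts with one of WATCH_VERBS."""
    records = [r for r in (parse_audit_line(ln) for ln in lines) if r]
    flagged = [r for r in records if r["action"].split()[0] in WATCH_VERBS]
    return records, flagged


# Sample input: audit lines from this guide's examples plus one unrelated line.
SAMPLE_LOG = [
    "Jul 06 2010 23:27:25 admin cli: bootimage hd sec",
    "Jun 08 2014 09:06:04 [12] web: [admin] add virtual server [name:vip1, ip:1.1.1.1, vport1:8001(TCP).] successfully.",
    "Jun 08 2014 09:06:06 [12] web: [admin] disable virtual server [vip1] successfully.",
    "Jun 08 2014 09:06:07 [12] web: [admin] delete virtual server [vip1] successfully.",
    "Jun 08 2014 09:06:14 [12] aXAPI: [admin] edit virtual server [name:vip1, ip:1.1.1.1, vport1:8001(TCP).] successfully.",
    "Jun 08 2014 09:06:15 [12] aXAPI: [admin] delete virtual server [vip1] successfully.",
    "some unrelated line",
]
```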


Additional Information for Reference


The following commands that appear in the examples of this document are described in the Command
Line Interface Reference.

ACOS(config)# audit ?
enable Enable audit service
size Config audit buffer size, default is 20,000

CONTACT US
a10networks.com/contact
