This chapter contains the following sections that describe how to use the Security Manager and Domain Manager applications:

The Security Manager application allows you to protect your CiscoWorks applications and network devices from unauthorized individuals. You must define what degree of access each group/domain has for each CiscoWorks application that uses security. If you do not require security, skip ahead to the next chapter.
With Security Manager, you can set up your CiscoWorks environment to require a login to access each application. This protection ensures that only users who have a valid account can perform tasks such as configuring a router, deleting database device information, or defining polling procedures.
The CiscoWorks security system is turned off upon the first installation or upgrade of CiscoWorks. Until you turn on the authentication checking in the Security Manager, anyone can access any CiscoWorks application without a username or password. Authentication checking requests that users prove their identity by entering a valid CiscoWorks username and, optionally, a password. If you do not possess a valid username and password, you will be denied access.
Caution: Do not set Security Manager until all other security works. If you get locked out, call TAC.
Before you can protect your applications with Security Manager, you should confirm that device entries exist in the database. To ensure that the device list is updated, you may want to run Sync w/Sybase before setting application privileges. For more information on running Sync w/Sybase, refer to the "Device Management" chapter.
Following is an overview of how to use the Security Manager application to protect your network devices and data:
Step 1 Run Domain Manager to create domains. Domains are logical groupings of devices.
Step 2 On Site/SunNet/Domain manager, select Security Mgr from the Tools menu.
On HP OpenView, select Administer>Security>CW - Security Mgr.
On NetView, select Administer>Security>CW - Security Mgr.
Step 3 Select Options>Users and Groups.
Step 4 Establish users and groups, being careful to add each user to only one group. (A user can belong to only one group.)
Step 5 Select Options>Domains and Groups and add domains to groups.
Step 6 From the Security Manager window, click on the toggle button for the CiscoWorks application to which you want to apply privileges.
Step 7 Select Options>Permissions.
Step 8 Click on the Group button to display a list of groups.
Step 9 Select a group name.
Step 10 Select a domain name from the right list box.
The bottom scrolled region will update, showing the current privileges for each application. You can see the current privileges at the top of the window in the Group/Domain box.
Step 11 Enable or disable privileges for each application, as required, by clicking on the red or green privilege buttons.
Step 12 Click on the Apply button at the bottom of the Security Manager window to confirm that you want to assign privileges for the selected CiscoWorks applications.
Step 13 Select Options>Permissions to display the Permissions window.
For each CiscoWorks application, give full access privileges to at least one group/domain. This ensures that at least one person, presumably the network administrator, can always modify the restrictions to a specific application. In particular, ensure that someone has full privileges to Security Manager before you exit Security Manager, to prevent being locked out when you attempt to re-enter the application.
Step 14 Repeat Steps 11 to 14 for each group/domain combination.
Figure 6-1 illustrates the Security Manager window. Table 6-1 describes its components.
| Component | Subcomponent | Description |
|---|---|---|
| File | Print | Opens the screen capture facility for your system. |
| | Exit | Closes the current window. |
| Security | Change User | Enables user to change user ID. |
| | Privileges | Provides current user privileges. |
| Options | Users and Groups | Opens a subwindow that allows you to create, modify, and delete users and groups, and to add users to groups. |
| | Domains and Groups | Opens a subwindow that allows you to assign domains to groups or delete domains from groups. |
| | Permissions | Opens a subwindow that displays the application authority status for selected groups and domains. This window allows you to assign specific access privileges of a specific application to a specific group/domain combination. |
| Help | On Version | Displays the CiscoWorks version information for this application. |
| | On Security Manager | Provides help text on the current window. |
| Check Privileges toggle buttons | | Enables authentication checking on the corresponding CiscoWorks application. |
| Apply | | Confirms authentication checking for the CiscoWorks applications whose Check Privileges buttons were enabled. Applies changes to the database. |
Table 6-2 lists the Security Manager applications for which privileges can be set, the available privileges for each application, and a brief description of the access privilege. The application names in parentheses are filenames. If you start the application from the command line, enter the filename. For more information on starting applications from the command line, refer to Appendix B.
The remaining CiscoWorks applications do not require usernames and passwords. These applications are meant to be shared by your network users without restrictions.
| Application | Available Privileges | Description |
|---|---|---|
| CiscoView (nmcview) | Execute | User can execute this application. |
| Configuration Management (nmconfman) | Execute | User can execute this application. |
| | CiscoView SNMP Set | User can perform configuration tasks using CiscoView windows. |
| | Write Password | User can download a configuration file to a router. |
| | Read Password | User can access files or data, but not modify them. |
| | File To Database | User can copy a configuration file from a disk to the database. |
| | Compare Configs | User can view configuration differences in the database. |
| | Delete from Database | User can permanently remove a configuration file from the database. |
| | Device to Database | User can upload a running configuration file to the database. |
| | Database to Device | User can download an edited configuration file to a router. |
| | Browse Config File | User can read an uploaded configuration file. |
| | Edit Config File | User can make changes to a specific configuration file. |
| Security Manager (nmadmin) | Execute | User can open this application. |
| | Add Groups | Allows creation of new group access. |
| | Add Users | Allows creation of new user access. |
| Process Manager (nmproc) | Execute | User can open this application. |
| | Start/Stop Process | User can alter Process Manager functions. |
| Device Management (nmdevman) | Execute | User can open this application. |
| | Write to Sybase | File or data changes are permitted. |
| | Modify SNMP comm-string | User can view and change the community string. |
| | Modify Line Password | User can view and change the Line Password. |
| | Modify Enable Password | User can view and change the Enable Password. |
| Device Monitor (nmdevmon), Site/SunNet/Domain manager platform only | Execute | User can open this application. |
| | Configure Device | User can alter Device Monitor functions. |
| Sync with Sybase (nmsync) | Execute | User can open this application. |
| Device Polling (nmpoll) | Execute | User can open this application. |
| | Modify Polling | User can alter Device Polling functions. |
| Polling Summary (nmsummary) | Execute | User can open this application. |
| | Modify Polling | User can alter Polling Summary functions. |
| AutoInstall Manager (nmautoinst) | Execute | User can open this application. |
| | Modify Config | User can change the configuration. |
| | View Config | User can see the configuration, but not change it. |
| Software Library Manager (nmswman) | Execute | User can open this application. |
| | View Device Inventory | User can view a list of all devices in all domains. |
| | Import Software | User can copy files from another directory (disk or Flash memory of a device) into the CiscoWorks database. |
| | | User can add comments to the configuration file. |
| Software Inventory Manager (devinventory) | Execute | User can open this application. |
| | Update Device | User can download system or microcode image to a specified device. |
| | | User can edit the device inventory seen from within Software Management. |
| Device Software Manager (nmdevman) | Execute | User can open this application. |
| | Reload Device | User can reload a device. |
| | Upgrade Device | User can replace existing software or microcode in the device with a version from Flash memory. |
| | Edit Software Comments | User can change comments associated with the operating system. |
| Domain Manager (nmdomain) | Execute | User can open this application. |
| | Delete Domain | User can permanently remove a domain. |
| | Modify Domain | User can change the domain organization. |
| | Add Domain | User can create a new domain. |
| Global Command Manager (nmgcmd) | Execute | User can open this application. |
| | Delete Commands | User can delete configuration commands from a specified router or set of routers. |
| | | User can change configuration commands from a specified router or set of routers. |
| Global Command Scheduler (nmscheduler) | Execute | User can open and run this application. |
| | Schedule | User can schedule a task. |
| | Delete cron | User can permanently remove the cron file. |
| TACACS Account Manager (nmtacacs) | Execute | User can open this application. |
| | Modify Accounts | User can change (modify, add, or delete) the ownership of TACACS accounts. |
| Configuration Snap-In Manager (nmpccmd) | Execute | User can open and run this application. |
| | Schedule Batch Command | User can schedule batch commands. |
| | Download while in Application | User can download configuration file while running the application. |
The following sections describe how to set up user and group permissions for these applications.
The CiscoWorks software contains a default account password for CiscoWorks applications that access the Sybase database. The administrator password is referred to as the SA (system administrator) password. The SA Password application allows you to change the default password encryption key; you can also use the nmsanms program, a command line interface, to change the default account password. Run the SA Password application (or the nmsanms program) when you are not using the Security Manager application.
Run the SA Password application (or the nmsanms program) in the following situations:
```
hostname% cd $NMSROOT/etc
hostname% su directory_owner
Password: password
hostname% cp /dev/null ncspwd
hostname% chmod 660 ncspwd
hostname% exit
```
To run the SA Password application, perform the following steps:
Step 1 Ensure that Security Manager is not being used.
Step 2 On Site/SunNet/Domain manager, select Tools>CW - SA Password.
On HP OpenView, select Administer>Security>CW - SA Password.
On NetView, select Administer>Security>CW - SA Password.
Enter the following at the command line (either a Bourne shell or a C shell) to start the nmsanms program:
% $NMSROOT/bin/nmsanms
The User Identification window appears with the SA name in the window. (See Figure 6-2.)

Step 3 Enter your SA account password.
Step 4 Click on OK. An nmsanms encryption window appears. (See Figure 6-3.)

Step 5 Enter your password encryption key of up to 64 characters.
The encryption key is used for generating the default password. For example, beta is the default keyword. The nmsanms program inserts your new password encryption key in $NMSROOT/etc/ncspwd.
Step 6 Click on OK.
Step 7 To verify your new password encryption key, list the file ncspwd to ensure that it has the correct date:
ls -l $NMSROOT/etc/ncspwd
The most current date on the file appears.
Step 8 To display the password encryption key word, enter the more command.
more $NMSROOT/etc/ncspwd
Using Security Manager, you can add new users able to access the CiscoWorks applications that can take advantage of security or authentication checking. The CiscoWorks applications that can take advantage of Security Manager are those that use the Sybase database. You will give privileges to users so they can access secured CiscoWorks applications.
Note that before running these tools, you need a defined user ID and password.
Every user must belong to a group. To authorize users to access applications that have security restrictions, define groups of users that can access each application via their usernames. The first time you access the Users and Groups window, there are no groups or users defined. You must define group names and authorized users for each group.
To add new group names to the Security Manager, perform the following steps:
Step 1 On Site/SunNet/Domain manager, select Tools>CW - Security Manager.
On HP OpenView, select Administer>Security>CW - Security Mgr.
On NetView, select Administer>Security>CW - Security Mgr.
The Security Manager window appears. (See Figure 6-1.)
Step 2 Select Options>Users and Groups.
The Users and Groups window appears. (See Figure 6-4.)

Step 3 To create or add group names, click on the New button under the Groups scroll window.
The New Group window appears. (See Figure 6-5.)

Step 4 Enter your group name.
Step 5 Click on OK.
The Users and Groups window appears.
There are no spaces or quotation marks allowed in group names, usernames, or passwords. The maximum length for passwords, group names, or usernames is 32 characters. For specific details on legal username and password information, refer to your Sybase documentation.
Step 6 Repeat Steps 3 through 5 until you have entered all your group names.
This section describes how to edit existing group names, if necessary. After you finish adding and editing your group names, you will need to add your usernames.
To change the name of a group, you must access the Security Manager and edit an existing group name. The relationship between the users and groups remains unchanged. In other words, users affiliated with the previous group name automatically move to the new group name.
To edit group names in Security Manager, perform the following steps:
Step 1 Select CW - Security Manager.
Step 2 From the Security Manager window, select Options>Users and Groups. (See Figure 6-1.)
The Users and Groups window appears. (See Figure 6-4.)
Step 3 Select an existing group name from the Groups scroll window.
The usernames associated with this group appear in the Users scroll window.
Step 4 Click on the Modify button under the Groups scroll window.
The Modify Group window appears, asking for a new name for the selected group. (See Figure 6-6.)

Step 5 Enter the new name for the existing group name.
Step 6 Click on OK.
You are returned to the Users and Groups window. The modified group name appears in the scroll window.
Step 7 Repeat Steps 1 through 5 until you have modified the necessary group names.
If you are setting up first-time group and user permissions, continue with the section "Adding New Users," later in this chapter.
To remove security permissions for an entire group, delete the group name from the Security Manager application. After you delete the group name, all users in that group will no longer have privileges assigned to that group.
To delete group names from the Security Manager, perform the following steps:
Step 1 Select CW - Security Manager.
Step 2 From the Security Manager window, select Options>Users and Groups. (See Figure 6-1.)
Step 3 Select a group name from the Groups scroll window.
The usernames associated with this group appear in the Users scroll window.
Step 4 Click on the Delete button under the Groups scroll window.
A window appears that prompts you to confirm the deletion.
Step 5 To delete the group name, click on OK.
By deleting the group name, all usernames associated with that group no longer have the group privileges.
To cancel the delete request and return to the Users and Groups window, click on Cancel.
In order to grant users permission to access protected applications, you must enter every user account name (or username) that receives permission to use the CiscoWorks applications.
To add new usernames to the Security Manager, perform the following steps:
Step 1 Select Admin>CW - Security>CW - Security Manager.
Step 2 From the Security Manager window, select Options>Users and Groups.
The Users and Groups window appears. (See Figure 6-4.)
Step 3 Click on the New button under the Users scroll window.
The New User window appears. (See Figure 6-7.)

Step 4 Enter your username and password and verify the password by reentering it on the next line.
No spaces or quotation marks are allowed in group names, usernames, or passwords. The maximum length for each is 32 characters.
Step 5 Click on OK.
The Group List window appears. (See Figure 6-8.)

Step 6 Select the group you want the user to be connected to.
Step 7 Click OK.
To change the password of a user, you need to access the Security Manager application. The relationship between the users and groups remains unchanged. The previous groups affiliated with the old username will be assigned to the new username.
To modify passwords in Security Manager, perform the following steps:
Step 1 Select CW - Security Manager.
Step 2 From the Security Manager window, select Options>Users and Groups. (See Figure 6-1.)
The Users and Groups window appears. (See Figure 6-4.)
Step 3 Select a username in the User scroll window.
The name is highlighted, and group names associated with this user appear in the Groups scroll window.
Step 4 Click on the Modify button under the Users scroll window.
The User Identification Window appears. (See Figure 6-9.)

Step 5 Enter the SA password.
Step 6 Click on OK.
The Modify Password window appears.
Step 7 Enter the new password, and verify the password by reentering it.
Step 8 Click on OK.
The window disappears, and the Users and Groups window appears. The modified password is now active.
Step 9 Repeat Steps 1 through 6 until you have modified the necessary passwords.
To remove security permissions for a user, you must delete the username from the Security Manager application. After you delete the username, this individual will not be authorized to access the CiscoWorks applications previously indicated.
To delete usernames from the Security Manager, perform the following steps:
Step 1 Select the username from the Users and Groups window. (See Figure 6-4.)
The group names associated with this user display in the Groups scroll window.
Step 2 Click on the Delete button under the Users scroll window.
A window appears that prompts you to confirm the deletion.
Step 3 To delete the username, click on OK.
To return to the Users and Groups window and cancel the delete request, click on Cancel.
By deleting a username, you also delete the user's association with a group. However, the group and the usernames still associated with it remain undisturbed.
The Security Manager authorizes groups to access CiscoWorks applications based on the permissions set in the Security Manager application. Therefore, you need to connect each user to a group. Users then get permission to the application because they are part of a group.
With the Users and Groups window, you can add an individual user to a group, or you can add several users to a group at one time. Each of these procedures is described in the following subsections.
To connect an individual user to a group, perform the following steps:
Step 1 From the Users and Groups window, select an individual username from the User scroll window. (See Figure 6-4.)
The username is highlighted.
Step 2 Select Options>Add User to Groups.
The Group List window appears. See Figure 6-10.

Step 3 Select the group name to which you want to add the user.
Step 4 Click on Apply to connect this username with the selected group.
The username is added to the group, and the Group List window appears.
To connect several users to a group at once, perform the following steps:
Step 1 From the Users and Groups window (see Figure 6-4), select a group name from the Groups scroll window.
The group name is highlighted.
Step 2 Select Options>Add User to Groups.
The User List window appears. (See Figure 6-11.)

Step 3 Select the usernames you want to add to this group.
Step 4 Click on Apply to connect the users selected with this group.
The users are connected to the groups you indicate, and you return to the Users and Groups window.
Use the Users and Groups Summary window to check your group assignments. This window allows you to sort by groups or users. Sorting by groups provides a quick look at all user accounts with this group's privileges. Sorting by users provides a quick look at all groups associated with one user.
To display your user or group assignments, perform the following steps:
Step 1 From the Users and Groups window, select Options>Summary. (See Figure 6-4.)
The Users and Groups Summary window appears. (See Figure 6-12.)

Step 2 Click on the small button above the scroll bar to display a drop-down menu.
The drop-down menu allows you to change the sort category in order to view by Groups or by Users.
Step 3 Select the way you want to sort the accounts (by Groups or by Users).
The Users and Groups Summary window displays the newly selected sort category information.
Step 4 Click on OK to exit the window.
Domains are logical collections of devices, just as groups are collections of people. A device is any network entity that contains an SNMP agent. (Devices generally include routers, bridges, or communication servers.)
Creating domains gives you the flexibility to establish a new sphere of security because groups can be assigned privileges according to their connected domain. By incorporating the use of domains, you can allow a local network center to assign privileges for its own devices. The ability of a user to exercise one or more features of a given application is now defined by the group and domain association.
Upon installation, CiscoWorks automatically creates a World domain, which contains all the devices listed in the database. The World domain is predefined and cannot be deleted.
Depending on your needs, you can establish and modify other domains by using the Domain Manager application. For example, consider a large business whose expanding financial hub is located in New York. As a network administrator, you determine a need to protect the New York device configurations and inventories by securing the CiscoWorks applications that can potentially access them. Therefore, you establish the group of devices in New York as its own domain.
World domain group privileges are the lowest level of privileges for a group. Access permissions are bumped up for other domains and the world group.
Users of the World domain can look into the New York domain to see its devices, but are denied any other privileges. However, New York users are also part of the World domain, so they can exercise the same privileges granted to others in the World domain.
Privileges to devices for users in New York depend on the definitions set by the New York-based network administrator. The network administrator assigns the application-specific privileges (such as read-only or execute) by using the Security Manager application.
Although a user can only belong to one group, a single group can contain many users. By applying this feature, the New York-based administrator decides to govern access to devices even further. Application-specific privileges can be assigned to groups to grant or restrict varying levels of access. In the New York domain, the administrator determines that only users of a specified group are granted the special privileges to modify the configuration files on selected routers. Next, the administrator creates a second group whose users are granted the application-specific privileges needed to modify other router information. Groups with other levels of privileges to other applications can be created or modified as the needs of the domain determine.
The net result is that corporate-wide users can view devices in the New York domain. But access to New York devices is restricted to its connected groups. Each connected group is further restricted to the application-specific privileges that were granted by the New York-based network administrator who toggled on each application-specific privilege in Security Manager.
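As an added illustration (not CiscoWorks code), the following Python model captures the authorization scheme this chapter describes: the one-group-per-user rule from the overview, domains as device collections with World holding every device, privileges granted per application to a group/domain pair, and the overview's requirement that at least one group/domain keep full Security Manager privileges to avoid a lockout. The usernames, group names, and device names are constructed sample data.

```python
from dataclasses import dataclass, field

WORLD = "World"  # predefined domain that contains every device in the database


@dataclass
class SecurityDB:
    """Constructed in-memory stand-in for the Sybase tables Security Manager edits."""
    user_group: dict = field(default_factory=dict)       # user -> its single group
    group_domains: dict = field(default_factory=dict)    # group -> connected domains
    domain_devices: dict = field(default_factory=lambda: {WORLD: set()})
    checked_apps: set = field(default_factory=set)       # apps with Check Privileges on
    grants: dict = field(default_factory=dict)           # (app, group, domain) -> privs

    def add_user(self, user, group):
        # A user can belong to only one group (Step 4 of the overview).
        if user in self.user_group:
            raise ValueError(f"{user} already belongs to {self.user_group[user]}")
        self.user_group[user] = group
        self.group_domains.setdefault(group, set())

    def add_device(self, domain, device):
        # Every device is also a member of World, as Domain Manager keeps it.
        self.domain_devices.setdefault(domain, set()).add(device)
        self.domain_devices[WORLD].add(device)

    def connect_domain(self, group, domain):
        # Options>Domains and Groups: attach a domain to a group.
        self.group_domains.setdefault(group, set()).add(domain)

    def grant(self, app, group, domain, *privs):
        # Options>Permissions: toggle privileges green for one group/domain pair.
        self.grants.setdefault((app, group, domain), set()).update(privs)

    def domains_for_device(self, device):
        return {d for d, devs in self.domain_devices.items() if device in devs}

    def has_privilege(self, user, app, priv, device=None):
        """True if user may exercise priv in app, optionally against one device."""
        if app not in self.checked_apps:
            return True  # authentication checking is off: no login required at all
        group = self.user_group.get(user)
        if group is None:
            return False  # no CiscoWorks account, access denied
        domains = self.group_domains.get(group, set())
        if device is not None:
            # The privilege must come through a domain that actually holds the device.
            domains = domains & self.domains_for_device(device)
        return any(priv in self.grants.get((app, group, d), set()) for d in domains)

    def lockout_risk(self):
        """Group/domain pairs holding every Security Manager privilege.

        An empty list means nobody can re-enter nmadmin to change the
        restrictions once it is protected: the lockout the overview warns about.
        """
        full = {"Execute", "Add Groups", "Add Users"}
        return [(g, d) for (app, g, d), p in self.grants.items()
                if app == "nmadmin" and full <= p]


def build_example():
    """The New York scenario from this chapter, with constructed names."""
    db = SecurityDB()
    for dev in ("nyc-rtr-1", "nyc-rtr-2"):
        db.add_device("NewYork", dev)
    db.add_device(WORLD, "chi-rtr-1")          # a device outside New York
    db.add_user("alice", "ny-config")          # may edit NY router configs
    db.add_user("bob", "ny-ops")               # may change other NY router info
    db.add_user("carol", "everyone")           # corporate-wide user
    db.add_user("root-admin", "admins")
    for g in ("ny-config", "ny-ops"):
        db.connect_domain(g, "NewYork")
    for g in ("ny-config", "ny-ops", "everyone", "admins"):
        db.connect_domain(g, WORLD)            # NY groups are also part of World
    db.checked_apps.update({"nmconfman", "nmadmin"})
    # World baseline: anyone can look at device configurations, nothing more.
    for g in ("ny-config", "ny-ops", "everyone"):
        db.grant("nmconfman", g, WORLD, "Execute", "Browse Config File")
    db.grant("nmconfman", "ny-config", "NewYork",
             "Execute", "Edit Config File", "Database to Device")
    db.grant("nmconfman", "ny-ops", "NewYork", "Execute", "Write Password")
    # Full Security Manager rights for at least one group/domain, per the overview.
    db.grant("nmadmin", "admins", WORLD, "Execute", "Add Groups", "Add Users")
    return db


if __name__ == "__main__":
    db = build_example()
    print(db.has_privilege("carol", "nmconfman", "Edit Config File", "nyc-rtr-1"))
    print(db.lockout_risk())
```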
If you want to learn how to create additional domains and the other functions of Domain Manager, go to the next section, "How Domain Manager Works." If you want to connect the default World domain (or other domains that may already exist) to the groups you established in the previous section, perform the following steps:
Step 1 From the Options menu of Security Manager, select Domains and Groups.
The Domains and Groups window appears, as shown in Figure 6-13.

Step 2 From the Domains and Groups window, select the domain name to which you want to assign group-wide privileges.
If the domain already has privileges of one or more groups assigned, the names appear in the Groups column. The domain you select contains the devices you specified in the Domain Manager application. If necessary, use the Domain Manager application to review the devices to which you are about to assign privileges.
Step 3 From the Domains and Groups window, select Options>Add Domain to Groups.
The Group List window appears. (See Figure 6-14.)

Step 4 From the Group List window, select the name of the group to which you want to add the specified domain.
Step 5 Click on Apply to confirm your action. (Click Cancel to close the window without saving any changes.)
If you clicked the Apply button, the devices in the specified domain are part of the group you selected in the previous step. Users in this group can now apply their assigned privileges to access devices in the connected domain.
The Domain Manager application enables you to assign meaningful alias names to groups of devices. Using the various alias domain names you created to manage your network, you can use other CiscoWorks applications to focus on certain domains in order to complete network management tasks.
You can use the Security Manager application to assign group privileges to certain domains. For example, a domain named "North America" might only allow a group called "America-admin" to perform configuration management on these Cisco devices.
Other applications can use domains efficiently to perform their tasks. The Domain Manager communicates domain information to the following CiscoWorks applications:
The Domain Manager dynamically sends update messages to these applications, so the domain name and device information are always accurate.
Figure 6-15 illustrates the Domain Manager window. Table 6-3 describes the components in this window.

| Component | Subcomponent | Description |
|---|---|---|
| File | Import | Opens the File Selection Box window, which allows you to open an ASCII file to import domain information. |
| | Print | Prints a snapshot of the current window. |
| | Exit | Exits the current window. |
| Security | Change User | Enables you to log in again as another user. |
| | Privileges | Displays the current user's security privileges. |
| Help | On Version | Displays the CiscoWorks version information for this application. |
| | | Provides help text on the current window. |
| Domains | | Displays a list of current groups of devices. |
| Domain Devices | | Displays a list of current devices within the domain selected. |
| New | | Creates new domain names. Allows you to add devices or copy an existing domain. |
| | OK | Creates a domain containing the added devices or, if no devices are added, creates a domain without any devices. |
| | Copy Domain | When a new domain name is specified, allows you to copy all the device information from an existing domain to the newly established one. |
| | Cancel | Closes the window without saving any changes. |
| Modify | | Allows you to edit the name of an existing domain. |
| Delete | | Deletes domain names from the scroll window. Updates other CiscoWorks applications on any changes to the domain list. |
| Add | | Adds devices to the selected domain. |
| Remove | | Removes devices from the selected domain. |
You can perform the following tasks with the Domain Manager application:
Part of the process of creating domains, or groups of devices associated to an alias, is to first create a domain name and then associate devices with that domain name.
There are three ways to add a new domain to CiscoWorks:
The following sections provide procedures for each of the tasks.
To create a domain, perform the following steps:
Step 1 Select CW - Domain Manager.
On Site/SunNet/Domain manager, select Tools>CW - Domain Manager.
On HP OpenView, select Administer>CW - Security>CW - Domain Mgr.
On NetView, select Administer>CW - Security>CW - Domain Mgr.
The Domain Manager window appears. (See Figure 6-15.)
Step 2 From the Domain Manager window, click on New.
The New Domain window appears.
Step 3 Enter the new domain name in the text field.
Step 4 Click on Add Devices.
The Adding Devices window appears.
Step 5 Select the devices you want to include in this domain and click on OK.
The Domain Manager window updates automatically to include the new domain name and the devices included in that domain.
You can create a new domain by copying devices from one or more existing domains. To copy an existing domain, perform the following steps:
Step 1 Select CW - Domain Manager.
Step 2 From the Domain Manager window, click on New.
The New Domain window appears.
Step 3 Enter the new domain name in the text field.
Step 4 Click on Copy Domain.
The Copy Domain window appears.
Step 5 Select the domain or domains you want to copy and click on OK.
For example, select the World domain and click on the OK button. The Domain Manager window updates automatically to include the new domain name and the devices included in that domain.
To create an ASCII file that contains domain data and import it into the Domain Manager, perform the following steps:
Step 1 Create a file (for example, domain_new) using a text editor, such as vi, textedit (Sun only), or vuepad (HP-UX only).
Step 2 Add the following information to the new file in the proper sequence (the first line is essential for checking the format of the imported file):
Step 3 Save the new file.
Step 4 To import the ASCII file into Domain Manager, select File>Open.
The File Selection window appears.
Step 5 If you know the directory path to the ASCII file, enter the pathname including the ASCII file name into the Filter field. If you do not know the path, select one of the directories displayed in the Directories scroll window and then select the filename from the Files scroll window.
Your selection appears in the Selection field.
Step 6 When the selection field displays the correct file to import, click on the OK button.
The Domain Manager window updates automatically to include the new domain name and the devices included in that domain. If some devices do not display in the Domain Devices scroll window, check to ensure that the missing device names are valid.
To change the name of an existing domain, perform the following steps:
Step 1 Select CW - Domain Manager.
Step 2 From the Domain Manager window, select the domain name you want to modify and click on Modify. (See Figure 6-15.)
The Edit Domain Name window appears.
Step 3 Enter the new domain name in the text field and click on OK.
To add or delete devices associated with an existing domain, perform the following steps:
Step 1 Select CW - Domain Manager.
Step 2 From the Domain Manager window, select the domain name you want to modify. (See Figure 6-15.)
Step 3 Click on Add to add devices to the selected domain.
The Adding Devices window appears.
Step 4 Select the device names you want to add and click on OK.
The additional devices are displayed in the Domain Manager window.
Step 5 To delete devices from the selected domain, select the device you want to delete and click on Remove.
The device is deleted from the Domain Devices scroll window and is no longer associated with the selected domain name.
To delete domains from the Domain Manager, perform the following steps:
Step 1 Select CW - Domain Manager.
Step 2 From the Domain Manager window, select the domain name you want to delete. (See Figure 6-15.)
Step 3 Click on Delete.
The domain name selected is removed from the Domains scroll window.
To view which devices make up the domain, perform the following steps:
Step 1 From the Domain Manager window, select the domain name from which you want to view information.
The Domain Manager window refreshes with the domain devices displayed in the Domain Devices scroll window. Note that the scroll bar of the scroll window is enabled when the list of devices extends beyond the visible area of the window.
Step 2 To close the Domain Manager, select the File menu Exit option.
After you have created users and groups and connected them to domains, you are ready to establish access to applications, a process called authentication checking. This section describes how to establish user-group permissions and how to set up authentication checking to require login information.
To establish user-group permissions, follow these steps:
Step 1 Select CW - Security Manager.
Step 2 On the Security Manager window, click the toggle button of each application you want to protect. (See Figure 6-1.)
For example, in Figure 6-16, the toggle button for Configuration Manager was clicked to designate that it is a protected application.

Step 3 Click on Apply to save the authentication-checking information to the database.
Step 4 Select Options>Permissions to view or modify the levels of permissions for enabled applications.
The Permissions window appears. (See Figure 6-17.) Initially, the Group and Domains boxes are empty.

Step 5 Select a group from the drop-down menu in the Group box.
Domains that belong to that group will appear in the Domains box.
Step 6 Select a domain.
After you select a domain from the list, the window will be updated to reflect the application-specific privileges to the selected group/domain pair.
The lower portion of the Permissions window lists the CiscoWorks applications that now support authentication checking. In addition, for each application that you enabled for authentication checking, the application-specific privileges appear. You will see specific privileges such as Execute, Write Password, and Read Password for all applications that you designated for authentication checking.
Step 7 For each application designated for authentication checking, select the application-specific privileges that you want to apply.
Depending on the application, you may have to use the scroll bars to see other privileges. As you select a specific privilege, it changes color from red (off) to green (on).
Step 8 When you are finished applying specific privileges to each group/domain combination, click on Apply to save your changes.
Depending on the application that has authentication checking enabled, you may be required to log in to an application before receiving access. You can log in to CiscoWorks applications in two ways:
Use the CiscoWorks Login application to log in to use any secured application for which you have permissions. You will be asked for your username and password only once.
The next sections describe the two login scenarios.
To log into all CiscoWorks applications you have access to, perform the following steps:
Step 1 On Site/SunNet/Domain manager, select Tools>CW - Login.
On HP OpenView, select Misc>CW - Login.
On NetView, select Misc>CW - Login.
The User Identification window appears. (See Figure 6-9.)
Step 2 Enter your username and password.
Step 3 Click on OK.
You are prompted to select a domain name.
Step 4 Select a domain name, then click on OK to complete the Login process.
You are now logged in to all secured CiscoWorks applications for which you were granted access.
If you do not want to use the Login application, each CiscoWorks application you enter will prompt you for your user identification information.
To log in to any CiscoWorks application for the first time (without the Login application), perform the following steps:
Step 1 Launch any CiscoWorks application.
If the authentication checking is enabled, the User Identification window appears.
Step 2 Enter your username and password.
Step 3 Click on OK.
You are prompted to select a domain name.
Step 4 Select a domain name and click on OK to complete the Login process.
The CiscoWorks application window appears.
To ensure network security, log out of the CiscoWorks applications after you are done using them. You need to perform this procedure only if you have previously logged in using the Login application.
If you select Logout and you have not previously used the Login application, you will receive the following error message: "There is no CiscoWorks login for this process. Logout is not needed."
To log out of CiscoWorks applications, perform the following steps:
Step 1 On Site/SunNet/Domain manager, select Tools>CW - Logout.
On HP OpenView, select Misc>CW - Logout.
On NetView, select Misc>CW - Logout.
The CiscoWorks Logout window appears. (See Figure 6-18.)

Step 2 To secure your username and exit the CiscoWorks Login application, click on OK.
You will be denied immediate access into any secured CiscoWorks application. You must supply your username and password the next time you access a secured CiscoWorks application.

The Terminal Access Controller Access Control System (TACACS) Account Manager application maintains the TACACS password file on UNIX hosts that act as TACACS security servers. TACACS controls Internet host access from terminals using dial-up lines. The TACACS Account Manager allows you to easily create and update TACACS accounts in a graphical user interface. This application also creates computer-generated passwords. Use this application to designate which users have access to your security server.
The TACACS user can perform numerous commands on Cisco devices. For more information on tacacs-server commands, refer to the Router Products Configuration Guide or the Router Products Command Reference publication.
For information on the TACACS daemon, refer to the "Using CiscoWorks Process Manager" chapter.
Figure 6-19 illustrates the TACACS Account Manager window. Table 6-4 describes its components.

| Component | Subcomponent | Description |
|---|---|---|
| File | Print | Opens the screen capture facility for your system. |
| File | Exit | Closes the current window. |
| Security | Change Domain | Enables you to view devices in another domain. |
| Security | Change User Privileges | Enables you to log in again as another user. Displays your current privileges. |
| Help | On Version | Provides information on the application version. |
| Help | On TACACS | Provides information on the current window. |
| TACACS User Listing | | Displays the current list of UNIX TACACS users. |
| Add | | Adds new TACACS user data, including TACACS name, user's full name, access ID, user ID, password, and account expiration date. |
| Modify | | Edits TACACS user data, including TACACS name, user's full name, access ID, user ID, password, and account expiration date. |
| Delete | | Deletes TACACS user data. |
Figure 6-20 illustrates the Add a TACACS User window. The Edit a TACACS User window is the same, except that the window title and the read/write permissions on each field are different. Table 6-5 describes its components.
| Component | Subcomponent | Description |
|---|---|---|
| Username | | Displays the TACACS username. |
| User's Full Name | | Displays the user's name. For reference only. |
| Access id | | Displays current access rights to Cisco devices, if defined. |
| User id | | Displays the numeric user ID in UNIX for system administrator convenience. Not used in TACACS. |
| Password | Set/Change | Sets or changes the current user password from a user-entered password or a generated list of passwords. |
| Account Expiration (Days) | Long (180), Short (30), Temporary (7), User-defined | Specifies how long the TACACS password is valid. |
Figure 6-21 illustrates the PasswdSelectBox_popup window.

To add a TACACS user, perform the following steps:
Step 1 On Site/SunNet/Domain manager, select Tools>CW - TACACS Mgr.
On HP OpenView, select Administer>Security>CW - TACACS Mgr.
On NetView for AIX, select Administer>Security>CW - TACACS Mgr.
The TACACS Account Manager window appears. (See Figure 6-19.)
Step 2 Click on Add.
The Add a TACACS User window appears. (See Figure 6-20.)
Step 3 Enter the TACACS username, and enter the full name of the user.
Step 4 Enter the Access ID.
Step 5 Enter the numeric user ID.
This information is not used by TACACS, but is displayed for system administrator convenience.
Step 6 Click on Set/Change to set the TACACS password for this user.
The PasswdSelectBox_popup window appears. (See Figure 6-21.)
Step 7 To enter a password, select one of the machine-generated passwords.
or
Enter a customized password in the Selection field.
Step 8 Click on OK.
Step 9 To choose an account expiration date, click on the appropriate button in the Account Expiration section.
or
Enter a user-defined expiration date by entering the number of days you want this TACACS user to remain active.
Step 10 Click on OK to save all new user information.
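The following Python is an added illustration, not CiscoWorks code, of the two account-lifecycle ideas behind the procedure above: the Account Expiration choices from Table 6-5 (Long 180, Short 30, Temporary 7, or a user-defined number of days) and the machine-generated password list that the PasswdSelectBox_popup window offers. The class and function names, the password rule (10 characters drawn from letters and digits, with at least one of each) and the sample accounts are assumptions made for the example; the real TACACS password file layout is not shown in this chapter and is not modelled here.

```python
"""Constructed model of TACACS account expiry and machine-generated passwords.

Added illustration, not CiscoWorks code: the Account Expiration choices
(Long 180, Short 30, Temporary 7, user-defined days) come from the manual;
the class names, password rule and sample accounts below are assumptions.
"""
import secrets
import string
from dataclasses import dataclass
from datetime import date, timedelta

# Preset account lifetimes offered by the Add/Edit a TACACS User window.
EXPIRATION_PRESETS = {"Long": 180, "Short": 30, "Temporary": 7}


def lifetime_days(choice):
    """Resolve an expiration choice: a preset name or a user-defined day count."""
    if isinstance(choice, str):
        return EXPIRATION_PRESETS[choice]
    days = int(choice)
    if days <= 0:
        raise ValueError("user-defined expiration must be a positive number of days")
    return days


@dataclass
class TacacsAccount:
    username: str
    full_name: str
    password_set: date   # day the password was last set or changed
    lifetime: int        # days the password remains valid

    @property
    def expires_on(self):
        return self.password_set + timedelta(days=self.lifetime)

    def is_expired(self, today):
        # An account is treated as expired on the expiry day itself.
        return today >= self.expires_on

    def days_remaining(self, today):
        # Negative once the account has passed its expiry day.
        return (self.expires_on - today).days


def generate_password(length=10):
    """Machine-generated password drawn from the OS CSPRNG (secrets module).

    Retries until the candidate holds at least one letter and one digit, so a
    short password never collapses to a single character class.
    """
    alphabet = string.ascii_letters + string.digits
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if any(c.isalpha() for c in candidate) and any(c.isdigit() for c in candidate):
            return candidate


def password_choices(count=5, length=10):
    """Offer several candidates, as the PasswdSelectBox_popup window does."""
    return [generate_password(length) for _ in range(count)]


def expiring_accounts(accounts, today, within_days=7):
    """Usernames whose password expires within `within_days` days or has already expired."""
    return sorted(a.username for a in accounts if a.days_remaining(today) <= within_days)


# Constructed sample accounts (not taken from any real TACACS password file).
SAMPLE_ACCOUNTS = [
    TacacsAccount("jdoe", "J. Doe", date(2024, 1, 1), lifetime_days("Long")),
    TacacsAccount("contractor1", "Contractor One", date(2024, 1, 1), lifetime_days("Temporary")),
    TacacsAccount("ops", "Operations", date(2024, 1, 1), lifetime_days(45)),
]
SAMPLE_TODAY = date(2024, 1, 10)  # constructed reference date for the report

if __name__ == "__main__":
    for acct in SAMPLE_ACCOUNTS:
        state = "expired" if acct.is_expired(SAMPLE_TODAY) else f"{acct.days_remaining(SAMPLE_TODAY)} days left"
        print(f"{acct.username:12} expires {acct.expires_on} ({state})")
    print("expiring within 7 days:", expiring_accounts(SAMPLE_ACCOUNTS, SAMPLE_TODAY))
    print("password candidates:", password_choices())
```

Run as a script, the block prints each sample account's expiry date, the accounts due for renewal within a week, and five candidate passwords; `expiring_accounts` is the kind of report an administrator would run before the periodic password change described in the next section.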
There is a special TACACS account user named $enable$. You need to add the $enable$ user as a privileged account if you are running routers in the extended TACACS mode. This account is used to access routers that use the extended TACACS mode. The $enable$ user has normal and enable mode privileges on your Cisco routers.
To add the $enable$ user, perform the previous steps for adding a TACACS user. Use the following guidelines to fill in the Add TACACS User window:
If a TACACS user forgets a password, or if system maintenance requires that a new password be assigned at periodic intervals, use this procedure to change the current password for any TACACS user.
To change a TACACS password, perform the following steps:
Step 1 On Site/SunNet/Domain manager, select Tools>CW - TACACS Mgr.
On HP OpenView, select Administer>Security>CW - TACACS Mgr.
On NetView for AIX, select Administer>Security>CW - TACACS Mgr.
The TACACS Account Manager window appears. (See Figure 6-19.)
Step 2 Select a TACACS username in the window.
Step 3 Click on Modify to edit the user information.
The Edit a TACACS User window appears.
Step 4 To change the TACACS password, click on Set/Change.
The Password Select Box window appears. (See Figure 6-21.)
Step 5 Select one of the machine-generated passwords.
or
Enter a customized password in the Selection field.
Step 6 Click on OK.
Step 7 Update the account expiration for this TACACS user in the Account Expiration section by clicking on the appropriate button.
Step 8 Click on Save to save all changes made to user information.
To change the TACACS account expiration, perform the following steps:
Step 1 On Site/SunNet/Domain manager, select Tools>CW - TACACS Mgr.
On HP OpenView, select Administer>Security>CW - TACACS Mgr.
On NetView for AIX, select Administer>Security>CW - TACACS Mgr.
The TACACS Account Manager window appears. (See Figure 6-19.)
Step 2 Select the TACACS username in the window.
Step 3 Click on Modify to edit the user information.
The Edit a TACACS User window appears.
Step 4 Edit the TACACS account expiration in the Account Expiration section by clicking on the appropriate button.
or
Enter a user-defined expiration date by entering the number of days you want this TACACS user to remain active.
Step 5 Click on OK to save all changes made to user information.
To view current TACACS account information, perform the following steps:
Step 1 On Site/SunNet/Domain manager, select Tools>CW - TACACS Mgr.
On HP OpenView, select Administer>Security>CW - TACACS Mgr.
On NetView, select Administer>Security>CW - TACACS Mgr.
The TACACS Account Manager window appears. (See Figure 6-19.)
Step 2 Select a TACACS username from the window.
Step 3 Click on Modify to view TACACS account information.
The Edit a TACACS User window appears.
Step 4 After you review the necessary information, click on the Cancel button.
To delete a TACACS user account, perform the following steps:
Step 1 On Solstice Site/SunNet/Domain manager, select Tools>CW - TACACS Mgr.
On HP OpenView, select Administer>Security>CW - TACACS Mgr.
On NetView, select Administer>Security>CW - TACACS Mgr.
The TACACS Account Manager window appears. (See Figure 6-19.)
Step 2 Select a TACACS username from the window.
Step 3 Click on Delete to delete the user information.
The Delete a TACACS User window appears.
Step 4 Click on OK to delete the TACACS account for this user.
During installation, you are presented with options to have two special TACACS accounts created automatically for you. The first is used by the CiscoWorks applications to remotely log in to your managed Cisco devices. The second is used to access routers in the extended TACACS mode. The name of the account used to access routers in extended mode is $enable$. The name $enable$ cannot be changed. However, you can modify other information relating to the special TACACS accounts.
To modify the special TACACS accounts created at installation time, perform the following steps:
Step 1 Log in as the superuser (using the root login).
Step 2 Run the following script to return to the installation portion of the script that allows you to create special TACACS accounts:
$NMSROOT/etc/tacacs_config
Step 3 Respond to each of the prompts (shown in the following sample output) that addresses special TACACS accounts:
When you return to the UNIX prompt, any changes you made to the TACACS accounts are enabled.