9.2 Managing AAA via the web. Westermo RFI-219-F4G-T7G, Viper-212A-T5G-P8-HV, RFI-219-F4G-T7G-F8, RFI-211-F4G-T7G, L106-F2G, Viper-212A, L205-S1, Viper-112A-T5G, L110-F2G, Viper-112A-T3G



Westermo OS Management Guide

Version 4.22.0-0

9.2 Managing AAA via the web interface

9.2.1 Login Account Management via the Web Interface

Menu path: Maintenance ⇒ Password

In this section the password for the built-in account admin can be changed.

New Password: Enter the new password for the admin account.

Repeat New Password: To minimise risk of typing error, enter the new password for the admin account once again.

© 2017 Westermo Teleindustri AB 201


9.2.2 Select Login Method via the Web Interface

It is possible to add a centralised authentication server/group (section 9.2.9) or local database (section 9.2.3) as login method, in addition to the built-in admin account.

Menu path: Configuration ⇒ AAA ⇒ Login

Method: Select login method from the drop-down box. Only configured local databases and servers/groups, of type RADIUS and TACACS+, will be visible in the box. If Disabled is selected, only the built-in admin account will be enabled.


9.2.3 Local User Databases

Menu path: Configuration ⇒ AAA ⇒ Local User DB

The main page for local user databases shows an overview of created databases.

ID: A unique identifier for the local user database.

Description: The user's description of this database.

Edit: Click this icon to edit the user database. See section 9.2.5 for details.

Delete: Click this icon to remove the user database. You will be asked to acknowledge the removal before it is actually executed.

New: Click this button to add a new user database. See section 9.2.4 for details. You can create at maximum 4 databases.


9.2.4 New Local User Database

Menu path: Configuration ⇒ AAA ⇒ Local Users DB ⇒ New

ID: The local user database identifier. This is generated automatically in the web interface and can not be changed.

Description: Optional. A user defined description for this database that will be visible in listings.

After pressing the Apply button, users can be added to the database. See section 9.2.6.

9.2.5 Edit a local user database

Menu path: Configuration ⇒ AAA ⇒ Local Users DB

See section 9.2.4 for descriptions of the fields on this page.


9.2.6 Users

Menu path: Configuration ⇒ AAA ⇒ Local Users DB

The users list is displayed on the edit page for the local user database.

Username: A username unique in this database.

New User: Press this button to create a new user in this database. See section 9.2.7


9.2.7 New User

Menu path: Configuration ⇒ AAA ⇒ Local Users DB ⇒ New User

Username: A username unique in this database.

Password: The password for this user.

9.2.8 Edit User

Menu path: Configuration ⇒ AAA ⇒ Local Users DB ⇒ (Users table)

See section 9.2.7 for descriptions of the fields on this page.


9.2.9 Remote Server overview

Menu path: Configuration ⇒ AAA ⇒ Remote Server

The main page for Remote Server shows an overview of configured server groups and the remote server configurations.


9.2.9.1 Server Groups in the overview

ID: The group identifier

Description: The user defined name of this group

Type: The type of remote servers in the group (RADIUS or TACACS+), which can not be mixed.

Servers: List of servers included in this group. Each server is presented by its description name and the server identifier inside parentheses

Edit: Click this icon to edit the RADIUS group. See section 9.2.10 for details.

Delete: Click this icon to remove the group. You will be asked to acknowledge the removal before it is actually executed. Removing a group will not remove the config of the included servers.

New Group: Click this button to add a new group. See section 9.2.11 for details. You can create at maximum 2 groups.

9.2.9.2 Remote servers in the overview

ID: The remote server identifier

Description: The user defined name on this server

Type: The type of remote servers (RADIUS or TACACS+).

Address: IP or FQDN of the server

Auth Port: The port used for authentication

Edit: Click this icon to edit the remote server setting. See section 9.2.12 for details.

Delete: Click this icon to remove the remote server setting. You will be asked to acknowledge the removal before it is actually executed.

New Server: Click this button to add a new remote server configuration. See section 9.2.13 for details. You can define at maximum 6 remote server configurations.


9.2.10 Edit a server group

Menu path: Configuration ⇒ AAA ⇒ Remote Server (Server Groups)

ID: The group identifier. This is generated automatically in the web interface and can not be changed.

Description: Optional. A user defined name for this group that will be visible in listings.

Type: The group type (RADIUS or TACACS+).

Servers: Remote servers that are included in this group. The order of this list is important as it defines the order that servers are queried. Select a server in the dropdown list and add it by clicking the plus icon. Only remote servers of the same type as the group will be added. Use the icon to remove a server from the group. You are limited to max 3 servers per group.


9.2.11 Add a server group

Menu path: Configuration ⇒ AAA ⇒ Remote Server ⇒ New Group

See section 9.2.10 for descriptions of the fields on this page. You can have at maximum 2 server groups.


9.2.12 Edit a remote server

Menu path: Configuration ⇒ AAA ⇒ Remote Server (Remote Servers)

ID: The remote server identifier. This is generated automatically in the web interface and can not be changed.

Description: Optional. A user defined name for this server configuration that will be visible in listings.

Type: The type of remote-servers (RADIUS or TACACS+).

Address: Mandatory. The IP number or Fully Qualified Domain Name (FQDN) to the remote server

Auth Port: Mandatory. The port number for server authentication requests. The default and standardised port number for this is 1812 for RADIUS and 49 for TACACS+ but can be changed here if needed. If port number 0 is entered, the standardised port number will be configured.

Secret: Optional. A shared secret (password) that should be used to encrypt the communication with this server.


9.2.13 Add a remote server

Menu path: Configuration ⇒ AAA ⇒ Remote Server ⇒ New Server

See section 9.2.12 for descriptions of the fields on this page. You can have at maximum 6 remote server configurations.


9.2.14 Authentication Chains Overview

Menu path: Configuration ⇒ AAA ⇒ Auth Chain

The main page for authentication chains shows an overview of created chains.

ID: A unique identifier for the authentication chain.

Description: The user's description of the authentication chain.

Methods: An ordered list of the methods in the authentication chain.

Edit: Click this icon to edit the authentication chain. See section 9.2.16 for details.

Delete: Click this icon to remove the authentication chain. You will be asked to acknowledge the removal before it is actually executed.

New: Click this button to add a new authentication chain. See section 9.2.15 for details. You can create at maximum 4 authentication chains.


9.2.15 New Authentication Chain

Menu path: Configuration ⇒ AAA ⇒ Auth Chain ⇒ New

ID: The authentication chain identifier. This is generated automatically in the web interface and can not be changed.

Description: Optional. A user defined description for this authentication chain that will be visible in listings.

Continue on Reject: Default Enabled. If enabled, the chain continues to the next method when a method rejects the login. If disabled, the chain stops on reject and only continues to the next method if the current method is unavailable. See section 9.1.1.4 for more information.

Methods: The list of methods. Select a method and click Add to add it to the list.

Press the Apply button to store changes.
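
The following is an added example, not Westermo code: a small Python model of the Continue on Reject setting described above, showing how the same login attempt ends differently depending on the flag. The function names, method names and credentials are constructed for illustration; only the continue/stop rule is taken from the field description.

```python
from enum import Enum

class Result(Enum):
    ACCEPT = "accept"
    REJECT = "reject"
    UNAVAILABLE = "unavailable"   # e.g. the server did not answer

def evaluate_chain(methods, username, password, continue_on_reject=True):
    """Walk the methods in order. Returns (granted, trace)."""
    trace = []
    for name, check in methods:
        result = check(username, password)
        trace.append((name, result))
        if result is Result.ACCEPT:
            return True, trace
        if result is Result.REJECT and not continue_on_reject:
            return False, trace   # stop on reject
        # REJECT with continue_on_reject, or UNAVAILABLE: try the next method
    return False, trace

def credential_store(users):
    """Hypothetical stand-in for a RADIUS/TACACS+ server or local database."""
    def check(username, password):
        ok = users.get(username) == password
        return Result.ACCEPT if ok else Result.REJECT
    return check

def unreachable(username, password):
    """Hypothetical stand-in for a server that does not respond."""
    return Result.UNAVAILABLE

# Constructed sample data: "bob" was removed from the central server,
# but a stale entry is still present in a local user database.
CENTRAL = credential_store({"alice": "alice-pw"})
LOCAL = credential_store({"alice": "alice-pw", "bob": "stale-pw"})
CHAIN = [("radius-group", CENTRAL), ("local-db", LOCAL)]
CHAIN_SERVER_DOWN = [("radius-group", unreachable), ("local-db", LOCAL)]

if __name__ == "__main__":
    for flag in (True, False):
        granted, trace = evaluate_chain(CHAIN, "bob", "stale-pw", flag)
        steps = ", ".join(f"{n}={r.value}" for n, r in trace)
        print(f"continue_on_reject={flag}: granted={granted} ({steps})")
```

With the flag enabled, a reject from the central server does not end the attempt, so accounts left in later methods of the chain remain usable; with it disabled, later methods are reached only when an earlier one is unavailable.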

9.2.16 Edit an authentication chain

Menu path: Configuration ⇒ AAA ⇒ Auth Chain

Click the pen icon in the overview page to edit a specific chain. See section 9.2.15 for descriptions of the fields on this page.


9.2.17 IEEE 802.1X authentication

Menu path: Configuration ⇒ AAA ⇒ 802.1X

Here you see a listing of currently configured 802.1X instances.

ID: The IEEE 802.1X instance identifier

Enabled: Whether this instance is active. A green check-mark means yes and a dash means no.

Description: The user defined name on this IEEE 802.1X instance

Method: The server or group used for authentication, which needs to be of type RADIUS.

Edit: Click this icon to edit the instance. See section 9.2.18 for details.

Delete: Click this icon to remove the instance. You will be asked to acknowledge the removal before it is actually executed. Removing an IEEE 802.1X instance will not remove the referenced RADIUS group or server.

New: Click this button to add a new IEEE 802.1X instance. See section 9.2.19 for details. You can currently only create one instance.


9.2.18 Edit an IEEE 802.1X instance

Menu path: Configuration ⇒ AAA ⇒ 802.1X


ID: The IEEE 802.1X instance identifier. This is generated automatically in the web interface and can not be changed.

Enabled: Check to enable this instance.

Description: Optional. A user defined name for this instance.

Method: Mandatory. Use this drop-down menu to select a RADIUS group or a remote RADIUS server. Remote servers and groups, of type RADIUS, are created separately. See section 9.2.11 and section 9.2.13.

Active Authentication: Enable/disable Authentication initiation

Re-Authenticate: Enable/disable periodic reauthentication

IMPORTANT: Creating an IEEE 802.1X instance does not in itself activate authentication. Port access is managed in the VLAN configuration. See sections 15.2 and 15.3.4. The instance here must be referenced from the port access configuration for it to be used!


9.2.19 Add an IEEE 802.1X instance

Menu path: Configuration ⇒ AAA ⇒ 802.1X ⇒ New

See section 9.2.18 for descriptions of the fields on this page. You can currently only configure one IEEE 802.1X instance.


9.2.20 MAC based authentication

Menu path: Configuration ⇒ AAA ⇒ MAC Auth

Here you see a listing of currently configured MAC authentication lists.

ID: The MAC authentication list identifier

Enabled: Whether this list is active. A green check-mark means yes and a dash means no.

Description: The user defined name on this MAC authentication list

Edit: Click this icon to edit the list. See section 9.2.21 for details.

Delete: Click this icon to remove the list. You will be asked to acknowledge the removal before it is actually executed.

New List: Click this button to add a new MAC authentication list. See section 9.2.22 for details. You can create up to 8 MAC authentication lists.


9.2.21 Edit a MAC authentication list

Menu path: Configuration ⇒ AAA ⇒ MAC Auth

ID: The MAC authentication list identifier. This is generated automatically in the web interface and can not be changed.

Enabled: Check to enable this list.

Description: Optional. A user defined name for this list.

MAC: Optional. A list of MAC addresses and MAC address patterns. Single MAC addresses are specified in the format: HH:HH:HH:HH:HH:HH. A wildcard * can be used at the end of the pattern to match a block of addresses. Examples: 00:80:C8:*, 00:D8:AA:2C:85:01. Use the drop-down list to select a port if you want the pattern to only be valid for requests coming in through a specific port. The description field is optional. Add a pattern by clicking on the plus icon. Use the icon to remove a pattern. A list is limited to max 44 addresses/patterns.

IMPORTANT: Creating a MAC authentication list does not in itself activate filtering of addresses. Port access is managed in the VLAN configuration. See sections 15.2 and 15.3.4. The created MAC authentication list must be referenced from the port access configuration for it to be used!
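
The following is an added example, not Westermo code: a Python check for reviewing a planned MAC authentication list before entering it, covering the pattern format, the optional port restriction and the 44-entry limit described above. It assumes the wildcard is octet-aligned (as in 00:80:C8:*) and that matching is case-insensitive; the port labels "1" and "2" are made up.

```python
import re

MAX_ENTRIES = 44  # per-list limit stated in the manual
_FULL = re.compile(r"(?:[0-9A-F]{2}:){5}[0-9A-F]{2}")
_PREFIX = re.compile(r"(?:[0-9A-F]{2}:){1,5}\*")

def parse_pattern(text):
    """Return (prefix, is_wildcard); raise ValueError on malformed input."""
    p = text.strip().upper()
    if _FULL.fullmatch(p):
        return p, False
    if _PREFIX.fullmatch(p):
        return p[:-1], True  # keep the trailing ':' so matching is octet-aligned
    raise ValueError(f"not a MAC address or trailing-* pattern: {text!r}")

def build_list(entries):
    """entries: (pattern, port or None) pairs; None means any port."""
    entries = list(entries)
    if len(entries) > MAX_ENTRIES:
        raise ValueError(f"{len(entries)} entries exceeds the limit of {MAX_ENTRIES}")
    return [(*parse_pattern(pattern), port) for pattern, port in entries]

def is_allowed(mac_list, mac, port):
    """True if mac, seen on port, matches any entry of the list."""
    mac = mac.strip().upper()
    if not _FULL.fullmatch(mac):
        return False
    for prefix, wildcard, only_port in mac_list:
        if only_port is not None and only_port != port:
            continue  # entry is restricted to a different port
        if (mac.startswith(prefix) if wildcard else mac == prefix):
            return True
    return False

def covered_addresses(prefix, wildcard):
    """Number of addresses an entry admits; large counts deserve review."""
    return 256 ** (6 - prefix.count(":")) if wildcard else 1

# Constructed sample list using the two example patterns from the manual.
SAMPLE = build_list([("00:80:C8:*", None), ("00:D8:AA:2C:85:01", "1")])

if __name__ == "__main__":
    for prefix, wildcard, port in SAMPLE:
        print(prefix, port or "any port", covered_addresses(prefix, wildcard))
```

The three-octet pattern 00:80:C8:* admits 16,777,216 addresses on every port, while the single address bound to a port admits exactly one, which is the difference worth weighing when a wildcard entry is added.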


9.2.22 Add a new MAC authentication list

Menu path: Configuration ⇒ AAA ⇒ MAC Auth ⇒ New List

See section 9.2.21 for descriptions of the fields on this page.
