Sample: how do I configure NFM-P user authentication?

Use case

Figure 9-1, Sample NFM-P user and user group authentication shows an example of how NFM-P performs user and user group authentication.

Note: RADIUS and TACACS+ authentication servers support multiple users. If the NFM-P cannot reach the first authentication server, the NFM-P sequentially attempts the user authentication using the remaining authentication servers.

If user authentication fails against the first authentication server in a sequence, for example, because of an incorrect password, there is no attempt to authenticate the user against the next authentication server in the sequence.

The NFM-P session log records unsuccessful user authentication attempts for known and unknown users. A user that is defined on an external AAA server but not in the NFM-P.

Figure 9-1: Sample NFM-P user and user group authentication
Sample NFM-P user and user group authentication

The following table lists the high-level tasks required to configure this sample.

Table 9-5: Sample NFM-P user authentication configuration

Task

Description

Pre-configurations

Ensure correct RADIUS or TACACS+ server configuration, according to your company requirements. PAP authentication is supported for RADIUS and TACACS+. The NFM-P must be able to communicate with the authentication servers to validate users. All configuration tasks require admin user privileges. The NFM-P server IP address must be configured as the client of the RADIUS or TACACS+ server. The NFM-P and RADIUS or TACACS+ server secret keys must match.

1. Configure the remote authentication order for all users

Choose Administration→Security→NFM-P Remote User Authentication from the NFM-P main menu.

Set the authentication order parameters to the following, and then specify the RADIUS and TACACS+ servers on the RADIUS and TACACS tabs.

  • Authentication Order 1—radius

  • Authentication Order 2—tacplus

  • Authentication Order 3—local

2. Create scope of command profiles

Choose Administration→Security→NFM-P User Security from the NFM-P main menu.

Create a CLI scope of command profile and assign the default CLI management role to the profile. Create at least one scope of command profile that does not allow CLI access by assigning the default scope of command role, which has no access permissions to CLI management.

3. Create and configure user groups

Choose Administration→Security→NFM-P User Security from the NFM-P main menu.

Create a CLI user group and at least one user group that does not allow CLI access. Assign the scope of command profile with CLI management access to the CLI user group. Assign the scope of command profile without CLI management access to the user group without CLI access. Authorization is done using user groups, so each user must belong to a user group with a local account on the NFM-P.

4. Create and configure user accounts

You can create local NFM-P user accounts by performing the following steps, or define remote users using RADIUS and TACACS+. The local accounts are available when RADIUS or TACACS+ authentication is not available.

Choose Administration→Security→NFM-P User Security from the NFM-P main menu.

Create users.

Assign the appropriate user group to restrict or allow CLI access to each user.

5.Configure notification

Choose Administration→Security→NFM-P User Security from the NFM-P main menu.

Configure the authentication failure action parameters, including the parameters that allow the email account of the administrator to be notified after login failure.

Consider the following: