User Guide for the Cisco Application Networking Manager 5.2 (OL-26572-01), page 18-9
Chapter 18: Administering the Cisco Application Networking Manager
Configuring User Authentication and Authorization
Note: When configuring device RBAC through Config > Devices, a message displays reminding you that you are configuring RBAC outside of ANM for direct access. Be aware that this may contradict your ANM settings. For more information on centralizing direct access to devices through RBAC on individual devices, see the “Configuring ACE Module and Appliance Role-Based Access Controls” section on page 5-53.
Case Example

In this example, a CSM device must have level 15 access, which by default makes the admin a supervisor on everything in the switch (and everything in the module). Another way of looking at this is that it provides read-only access to everything or configuration access to everything.

ACE hardware can be configured on a virtual context to perform that task on a subset domain for every individual module, on every context, but this type of configuration must be configured individually.

A system administrator might need to configure a network admin to manage two CSM modules, one out of six virtual contexts, and all East Coast web servers. With ANM, the admin could create one configuration set that includes a user account with a Network-Admin role and a domain that includes these objects. ANM then becomes the security window through which this user passes to get to their destination for that domain and for that virtual context.

If there were six users, nine domains, and three virtual contexts, there would be 54 entries required in an AAA server and ACE module. In ANM there is one entry completed for each of the six users.
Configuring User Authentication and Authorization

In ANM, you can configure authentication for your users by specifying the authentication method to use for a specific user: the local method using ANM, or a remote method using an AAA server. You do this through organizations. An organization allows you to configure your local or AAA server lookup for your users, then associate specific users, roles, and domains with those organizations.

The following sections describe the organization authentication tasks that you can complete in ANM:

• Adding a New Organization, page 18-10
• Configuring AAA Server lookup for your users—See Adding a New Organization, page 18-10
• Changing server passwords—See Changing Authentication Server Passwords, page 18-14
• Modifying Organizations, page 18-14
• Duplicating an Organization, page 18-15
• Displaying Authentication Server Organizations, page 18-16
• Deleting Organizations, page 18-16

The Default organization (to which all users belong) authenticates users through the ANM internal mechanism, which is based on the RBAC security model. This mechanism authenticates users through the local authentication module and a local database of user IDs and passwords. If you choose to use a remote authentication method, you must specify the authentication server and port.

Many organizations, however, already have an authentication service. To use your own authentication service instead of the local module, you can choose one of the alternate modules:

• TACACS+
• RADIUS