Manual Chapter: User Management
Applies To: F5OS-C 1.1.4, 1.1.3, 1.1.2, 1.1.1, 1.1.0
User Management
User management overview
The VELOS system has different levels of user management:
- System Controller level (Chassis)
- Partition level
- Tenant level
You can manage the system at each of these levels from the CLI, the webUI, or the REST API. The levels are distinct from one another, and each requires its own usernames and passwords.
At the system controller level, after basic configuration of the device is
done, the system includes default root (bash access only) and admin accounts to log
into. The system controller administrator uses the admin account and can change the
default passwords when logging in the first time. At that point, the admin user can
create additional accounts for other users such as other system controller
administrators or operators. The system controller administrator is also the one that
creates the chassis partitions.
At the chassis partition level, the partition administrator logs into the
chassis partition previously created by the system controller administrator. The chassis
partition provides a default admin account, and a partition root account is included for
accessing the console of the blades that are part of the chassis partition. The
partition administrator uses the admin account to manage the partition, adding users,
such as additional partition administrators, operators, and tenant console
operators.
Since the tenants are independent of the rest of the VELOS system, tenant users and tenant user management are not covered in this guide. Refer to the tenant documentation (such as the BIG-IP documentation on support.f5.com) for details.
User roles
Management of a VELOS device can be viewed in terms of different user roles, performing
different sets of administrative actions at conceptually different levels.
Users can have the following roles at the system controller level.
Role | Description
---|---
admin | Used by the system controller administrator. Provides access to the system controller CLI or system controller webUI to configure the system at the system controller level (unrestricted read/write access). Can unlock any system controller users. Logs in to the active system controller or floating IP address. No bash access. On first login, you are forced to change the password.
operator | Used for the system controller operator. Allows read access to system controller level configuration from the system controller CLI or system controller webUI; write access to change password only. Logs in to the active system controller or floating management IP address. No bash access.
partition_n (1-8) | Created at the system controller CLI. The system controller administrator can create one partition console role per partition, where n refers to the partition ID. When a user with the partition_n role logs in on a specific blade port, they are presented with the blade console through the terminal server. This is for troubleshooting and debugging the system.
root | Created by the system. Used by the system controller administrator. Provides bash shell access to the entire system, including all components and the blades. The system controller root account can be accessed from any system controller IP address, and from the system controller console. The root password can be changed using the passwd command, or by an admin user from the CLI. On first login, you are forced to change the password. F5 recommends disabling the root account using appliance mode in production to reduce the attack surface of the system and protect it from any vulnerabilities.
Users have the following roles at the chassis partition level:
Role | Description
---|---
admin | Used for the chassis partition administrator. Provides access to the chassis partition CLI or chassis partition webUI to configure the system at the partition level with unrestricted read/write access. Can unlock operator users. Logs in to the partition management IP address. No bash access. On first login, you are forced to change the password.
operator | Used for the chassis partition operator. Provides read access to the chassis partition configuration from the chassis partition CLI or chassis partition webUI; write access to change their password only. Logs in to the partition management IP address. No bash access.
tenant console | Has virtual console access to tenants from the partition CLI. Tenant console access is authenticated by tenant root credentials. No read access to any part of the chassis partition.
partition root | Has bash access to blades that are part of the chassis partition. Provided on the system. Logs in to the console on a blade. The root password can be changed using the passwd command, or by an admin user from the CLI. Should be used only in rare cases when troubleshooting the system. F5 recommends disabling the root account using appliance mode in production to reduce the attack surface of the system and protect it from any vulnerabilities.
Users with admin access can make configuration changes at the level they are
working in, either the system controller level or the partition level.
- System controller administrators have broader abilities: they can create chassis partitions, configure management interfaces, install system controller level software, modify system settings, activate licensing, set up high availability for the two system controllers, and perform user management for the system controllers.
- Chassis partition administrators can access only the chassis partition or partitions to which they have been assigned. They can configure network settings, port groups, interfaces, VLANs, LAGs, partition log settings, tenant deployments, and system settings, and perform user management for those chassis partitions.
Operator users have read-only access to every screen and every configuration
object at the level they are working in, either the system controller level or the chassis
partition level. However, if an operator tries to modify any setting, the system displays a
warning that explains that their role is unauthorized to make the configuration change.
Group IDs and system authentication roles
Each user role on the VELOS system controller is internally mapped to a
group ID. Users created and managed on external LDAP and RADIUS servers must have the same group
IDs on the external servers as they do on VELOS systems to allow authentication and authorization
to occur on VELOS systems. So you need to make sure that the users created on external LDAP or
RADIUS servers are associated with one of these group IDs on the system.
You can only use
existing roles and cannot create new roles.
Role | VELOS Group ID
---|---
admin | 9000
limited | 9999 (internal only)
operator | 9001
partition_1 | 9101
partition_2 | 9102
partition_3 | 9103
partition_4 | 9104
partition_5 | 9105
partition_6 | 9106
partition_7 | 9107
partition_8 | 9108
root | 0
ts_admin | 9100
user | 9002 (internal only)
You can display the system controller roles with their associated group IDs from the CLI of the
system controller using an account with admin or operator access.
```
syscon-1-standby# show system aaa authentication roles
ROLENAME     ROLENAME     GID   USERS
---------------------------------------
admin        admin        9000  -
limited      limited      9999  -
operator     operator     9001  -
partition_1  partition_1  9101  -
partition_2  partition_2  9102  -
partition_3  partition_3  9103  -
partition_4  partition_4  9104  -
partition_5  partition_5  9105  -
partition_6  partition_6  9106  -
partition_7  partition_7  9107  -
partition_8  partition_8  9108  -
root         root         0     -
ts_admin     ts_admin     9100  -
user         user         9002  -
syscon-1-standby#
```
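As an added example (not from the F5 documentation), the following Python script audits a constructed LDIF export against the role-to-group-ID table above, flagging directory users whose group ID maps to no VELOS role, to an internal-only role, or to root. It assumes the external directory carries the VELOS group ID in the POSIX gidNumber attribute, which the manual does not specify.

```python
"""Audit LDAP directory entries against the VELOS role-to-group-ID table.

Added example, not part of the F5 documentation. It assumes the external
directory stores the VELOS group ID in the POSIX gidNumber attribute (an
assumption; the manual only says the group IDs must match) and parses the
small constructed LDIF export embedded below.
"""
from typing import Dict, List, Tuple

# Role table from the "Group IDs and system authentication roles" section.
VELOS_ROLE_BY_GID: Dict[int, str] = {
    9000: "admin",
    9999: "limited",        # internal only
    9001: "operator",
    **{9100 + n: f"partition_{n}" for n in range(1, 9)},   # 9101..9108
    0: "root",
    9100: "ts_admin",
    9002: "user",           # internal only
}
INTERNAL_ONLY_GIDS = {9999, 9002}

# Constructed LDIF export for the demo; not real users or real systems.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=org
objectClass: posixAccount
uid: alice
gidNumber: 9000

dn: uid=bob,ou=people,dc=example,dc=org
objectClass: posixAccount
uid: bob
gidNumber: 9101

dn: uid=carol,ou=people,dc=example,dc=org
objectClass: posixAccount
uid: carol
gidNumber: 5000

dn: uid=dave,ou=people,dc=example,dc=org
objectClass: posixAccount
uid: dave
gidNumber: 0

dn: uid=erin,ou=people,dc=example,dc=org
objectClass: posixAccount
uid: erin
gidNumber: 9999
"""


def parse_ldif(text: str) -> List[Dict[str, str]]:
    """Minimal LDIF parser: blank-line separated entries of 'attr: value' lines.
    Sufficient for a posixAccount export; base64 (::) values and line
    continuations, which the sample does not use, are not handled."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), value.strip())   # keep first value
    if current:
        entries.append(current)
    return entries


def audit_entry(entry: Dict[str, str]) -> Tuple[str, str, str]:
    """Return (uid, verdict, detail) for one directory entry."""
    uid = entry.get("uid", entry.get("dn", "?"))
    raw = entry.get("gidNumber")
    if raw is None:
        return uid, "REJECT", "no gidNumber; VELOS cannot map a role"
    gid = int(raw)
    role = VELOS_ROLE_BY_GID.get(gid)
    if role is None:
        return uid, "REJECT", f"gid {gid} matches no VELOS role"
    if gid == 0:
        return uid, "REVIEW", "gid 0 maps to root (bash shell on every blade)"
    if gid in INTERNAL_ONLY_GIDS:
        return uid, "REJECT", f"gid {gid} ({role}) is internal only"
    return uid, "OK", f"gid {gid} maps to {role}"


def audit_ldif(text: str) -> List[Tuple[str, str, str]]:
    """Audit every entry of an LDIF export."""
    return [audit_entry(entry) for entry in parse_ldif(text)]


if __name__ == "__main__":
    for uid, verdict, detail in audit_ldif(SAMPLE_LDIF):
        print(f"{verdict:6} {uid:8} {detail}")
```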
User management from the webUI
You can perform user management tasks from the webUI. Perform the tasks in
the order in which they are described.
Configure local password policy in the webUI
Password policy lets you define what a valid password is and the maximum number of password attempts for Local Authentication (/etc/passwd). You configure local password policy at both the chassis level and the partition level.
- Log in to the VELOS system controller webUI or the chassis partition webUI using an account with admin access.
- On the left, click.
- In the Local Password Policy area, for Minimum Length, type the minimum number of characters required for a password; the allowed range is 6 to 255.
- For Required Characters, type the minimum number of Numeric, Uppercase, Lowercase, and Special characters required in a valid password.
- For New/Old Password Differential, type the number of character changes in the new password that differentiate it from the old password. (Default is 8.)
- For Disallow Username:
  - Set to True if you want the system to check whether the name of the user, in forward or reversed form, is contained in the password.
  - Set to False if the system check is not required.
  When set to True, if any variant of the username is found in the password, the new password is rejected.
- Set Apply Password Policy to Root Account to True to use the same password policy for the root account. (Default is False.)
- For Maximum Password Retries, type the number of times a user can try to create an acceptable password at the prompt. (Default is 3.)
- For Maximum Login Attempts, type the allowed number of times a user can attempt to log in before the account is temporarily suspended. (Default is 10 tries.) If set to 0, there is no limit to the number of login attempts.
- For Lockout Duration, type the amount of time in minutes that must elapse before a previously suspended user's account is unlocked. (Default auto unlock time is 1 minute.) If the value is set to 0, the administrator has to unlock the user's account manually.
- For Maximum Password Age, type the number of days after which the password expires, counted from the last change. If the last change was today and Maximum Password Age is 90, the password expires in 91 days. If set to 0 (the default), the password never expires.
- Click Save.
You have configured the local password policy
for the chassis or the partition you are working in. On the same screen, you can
configure the Authentication settings.
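The following Python check, added here and not part of F5OS or its documentation, applies the Local Password Policy fields described above to a candidate password and returns every violation. The differential count (new-password characters absent from the old one) and the case-insensitive username match are assumptions, since the manual does not define either precisely.

```python
"""Check a candidate password against a VELOS-style local password policy.

Added example, not F5OS code. It models the Local Password Policy fields
from the webUI procedure: Minimum Length, Required Characters, New/Old
Password Differential and Disallow Username. Assumptions (not stated on the
page): the differential counts characters of the new password that do not
appear in the old one, and the username check is case-insensitive.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class LocalPasswordPolicy:
    min_length: int = 6            # allowed range on the page: 6 to 255
    numeric: int = 0               # Required Characters: Numeric
    uppercase: int = 0             # Required Characters: Uppercase
    lowercase: int = 0             # Required Characters: Lowercase
    special: int = 0               # Required Characters: Special
    differential: int = 8          # New/Old Password Differential (default 8)
    disallow_username: bool = True # Disallow Username


def _class_counts(pw: str) -> Dict[str, int]:
    """Count characters of each required class in the password."""
    return {
        "numeric": sum(c.isdigit() for c in pw),
        "uppercase": sum(c.isupper() for c in pw),
        "lowercase": sum(c.islower() for c in pw),
        "special": sum((not c.isalnum()) for c in pw),
    }


def differential(new: str, old: str) -> int:
    """Assumed count: characters in the new password absent from the old one."""
    return sum(1 for c in new if c not in old)


def username_in_password(username: str, pw: str) -> bool:
    """True if the username, forward or reversed, appears in the password
    (compared case-insensitively, an assumption)."""
    u, p = username.lower(), pw.lower()
    return bool(u) and (u in p or u[::-1] in p)


def validate_password(policy: LocalPasswordPolicy, username: str,
                      new: str, old: Optional[str] = None) -> List[str]:
    """Return the list of policy violations; an empty list means accepted.
    The differential check only runs when the old password is supplied."""
    if not 6 <= policy.min_length <= 255:
        raise ValueError("min_length must be between 6 and 255")
    problems: List[str] = []
    if len(new) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    counts = _class_counts(new)
    for cls in ("numeric", "uppercase", "lowercase", "special"):
        need = getattr(policy, cls)
        if counts[cls] < need:
            problems.append(f"needs at least {need} {cls} character(s)")
    if old is not None and differential(new, old) < policy.differential:
        problems.append(
            f"fewer than {policy.differential} characters differ from the old password")
    if policy.disallow_username and username_in_password(username, new):
        problems.append("contains the username (forward or reversed)")
    return problems


if __name__ == "__main__":
    policy = LocalPasswordPolicy(min_length=12, numeric=1, uppercase=1,
                                 lowercase=1, special=1, differential=4)
    print(validate_password(policy, "testuser", "Xk9!pQw2#Lmz"))   # accepted
    print(validate_password(policy, "testuser", "resutset1A!"))    # rejected
```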
Configure authentication settings in the webUI
You need to configure the type of
authentication and settings to use at both the chassis level and the partition level.
VELOS systems support Local Authentication, LDAP, and RADIUS.
- Log in to the VELOS system controller webUI or the chassis partition webUI using an account with admin access.
- On the left, click.
- If using an external authentication server, in the Authentication Methods area, after Enable, select LDAP and/or RADIUS. If specified, the LDAP or RADIUS server must be configured and reachable from the VELOS system. Local authentication is always enabled by default, so the administrator can always access the device in case of external authentication server failure.
- The remaining settings, those in the Common LDAP Configuration area, are required only if you want to use LDAP and create LDAP server groups with LDAP servers.
- In the Common LDAP Configuration area, for Base DN, type the base distinguished name (name-value pairs) from which to start the search for the LDAP user. For example: dc=example,dc=org
- In the Bind setting, specify the information for binding the LDAP server administrative user.
  - For DN, type the distinguished name with which to bind to the LDAP directory server for lookups. For example: cn=admin,dc=example,dc=org
  - For Password, type the admin password for the LDAP server. It is highly recommended that the domain administrator password is set to never expire. Otherwise, if it expires, LDAP authentication will not be possible and users may be locked out of the system.
  - For Confirm, retype the password.
- For Connect Timeout (seconds), specify the maximum amount of time, in seconds, that the system controller or the partition waits before timing out when trying to reach the LDAP server.
- For Read Timeout (seconds), specify the maximum amount of time, in seconds, that the system controller or the partition waits to receive an LDAP response before aborting the read attempt.
- For Idle Timeout (seconds), specify the maximum amount of time, in seconds, that an LDAP connection can be inactive before the connection is closed.
- For LDAP Version, select the version of the LDAP protocol to use, or use the default of 3.
- If the LDAP server has Transport Layer Security (TLS) support, from the TLS list, select whether to use TLS to encrypt the transfer of authentication data between the LDAP server and the VELOS system.
  - On means use TLS to secure all connections.
  - Off means do not use TLS.
  - StartTLS starts a connection in unencrypted mode on a port configured for plain text and negotiates the encryption with the client. If selected, it is used rather than raw LDAP over SSL.
  If set to On or StartTLS, additional TLS-related fields are enabled.
- For TLS Certificate Validation, specify what checks to perform on a server-supplied certificate:
  - Never means a TLS certificate is not required.
  - Allow means allow the connection. The server certificate is requested. If no certificate is provided, the session proceeds normally. If a bad certificate is provided, it is ignored and the session proceeds normally.
  - Try means request the TLS certificate. The server certificate is requested. If no certificate is provided, the session proceeds normally. If a bad certificate is provided, the session is immediately terminated.
  - Demand means request the certificate. If no certificate is provided, or a bad certificate is provided, the session is immediately terminated.
  - Hard means request the certificate. If no certificate is provided, or a bad certificate is provided, the session is immediately terminated.
- For TLS CA Certificate, paste the contents of the X.509 certificate (self-signed or from a CA) used for peer authentication.
- For Cipher String, type the cipher string that specifies the type of encryption to use. For example, ECDHE-RSA-AES256-GCM-SHA384 or ECDHE-RSA-AES128-GCM-SHA256. The cipher string can take several additional forms. It can consist of a single cipher suite such as RC4-SHA. It can represent a list of cipher suites containing a certain algorithm, or cipher suites of a certain type. For example, SHA1 represents all cipher suites using the digest algorithm SHA1, and SSLv3 represents all SSLv3 algorithms. You can combine lists of cipher suites into a single cipher string using the + character as a logical AND operation. For example, SHA1+DES represents all cipher suites containing the SHA1 and DES algorithms. For additional information, refer to the ciphers man page at ciphers.html.
- In the TLS Certificate field, paste the text of the local certificate for client TLS authentication.
- In the TLS Key field, paste the text of the private key for client TLS authentication.
- Click Save.
The authentication settings are configured at
the chassis level or the partition in which you are working. When a user logs in, the
system attempts to authenticate them against the configured authentication methods. When
the account has a match within any of the configured authentication methods, the user is
authenticated and given access.
Create server groups from the webUI
You can create server groups at both the chassis
level and the partition level. This is because the authentication servers used on the
partition may differ from those used on the system controllers at the chassis level.
Server groups organize servers using the same type of authentication.
- Log in to the VELOS system controller webUI or the chassis partition webUI using an account with admin access.
- On the left, click.
- Click Add.
- For Name, type a recognizable name for the server group.
- For Provider Type, select LDAP or RADIUS to qualify the type of servers that will be in the group.
- Click Save.
You have created the server group.
Next, you can add servers to the server
groups.
Add servers to server groups from the webUI
You need to have created at least one server group.
You can add servers to the LDAP or RADIUS server group you created.
- Log in to the VELOS system controller webUI or the chassis partition webUI using an account with admin access.
- On the left, click.
- Click the server group to which you want to add servers. The Edit Server Group screen opens.
- Click Add.
- Add the RADIUS or LDAP server to the group.
  For LDAP:
  - For Host, type the IP address of the LDAP server to add.
  - For Port, make sure the port number is correct for LDAP traffic. The default for LDAP is 636.
  - From the Type list, select LDAP over TCP or LDAP over SSL (secured), depending on which is supported.
  - Click Save.
  For RADIUS:
  - For Server/Host, type the IP address of the RADIUS server to add.
  - For Port, make sure the port number is correct for RADIUS traffic. The default for RADIUS is 1812.
  - For Secret, type the shared secret used to access the server.
  - For Timeout (seconds), type the number of seconds after which to time out if unable to access the server.
  - Click Save.
  Add as many servers as needed to the RADIUS or LDAP group.
- When done, click Save & Close.
Add users from the webUI
You can add users at both the chassis level
and the partition level. Default root and admin accounts are provided on the system. You
can change the passwords on those accounts but they cannot be deleted.
You can
create only admin and operator users from the webUI. You can create other roles from
the CLI.
- Log in to the VELOS system controller webUI or the chassis partition webUI using an account with admin access.
- On the left, click.
- Click Add.
- For Username, type a name for the user.
- For Set Password, type a valid password according to the local password policy defined in the Auth Settings.
- For Confirm Password, retype the password.
- From the Role list, select the role to assign appropriate capabilities for the user.
  At the chassis level:
  - Admin: Used for the chassis administrator. Provides access to the chassis CLI or chassis webUI to configure the system at the chassis level (unrestricted read/write access). Can unlock any chassis users. Logs in to the active system controller or floating IP address.
  - Operator: Used for the chassis operator. Provides read access to chassis level configuration; write access to change password only. Logs in to the active system controller or floating IP address.
  At the chassis partition level:
  - Admin: Used for the partition administrator. Provides access to the partition CLI or partition webUI to configure the system at the chassis partition level (unrestricted read/write access). Can unlock Operator users. Logs in to the partition management IP address.
  - Operator: Used for the partition operator. Provides read access to chassis partition configuration using the partition CLI or partition webUI; write access to change password only. Logs in to the partition management IP address.
- Click Save & Close to create the user.
The user account is created where you are
working at either the chassis level or the chassis partition. Create as many users as
needed to manage the system at the chassis level and the partition.
User management from the CLI
You can perform the user management tasks from the CLI.
Configure VELOS for LDAP authentication from the CLI
The LDAP service needs to be set up on a server that is accessible to the VELOS chassis. The default port for the LDAP service is 389 for the unsecured protocol (ldap) and 636 for the secured protocol (ldaps). If the service is configured with a different port, take note of it; you need it during configuration.
You can configure VELOS for LDAP
authentication from the VELOS system controller CLI.
- Log in to the command line interface (CLI) of the system controller or chassis partition using an account with admin access. When you log in to the system, you are in user (operational) mode.
- Change to config mode: `config`. The CLI prompt changes to include (config).
- Set the authentication method to LDAP: `system aaa authentication config authentication-method LDAP_ALL`
- Commit the configuration changes: `commit`
- Set the LDAP configuration details: `system aaa authentication ldap base dc=velocity,dc=local`
- Add the LDAP service details to the authentication server groups.
  - Create the server group: `system aaa server-groups server-group ldap-group config name ldap-group type LDAP`
  - Add the server and IP address of the LDAP service: `servers server 10.145.69.85 config address 10.145.69.85`
  - Customize the LDAP configuration details (a secure ldaps configuration is shown here): `ldap config auth-port 636 type ldaps`
- Commit the configuration changes: `commit`
Create an LDAP server group from the CLI
You can use the VELOS CLI to create an LDAP
server group if you have multiple external LDAP servers to connect to.
- Log in to the command line interface (CLI) of the system controller or chassis partition using an account with admin access. When you log in to the system, you are in user (operational) mode.
- Change to config mode: `config`. The CLI prompt changes to include (config).
- Create the server group: `system aaa server-groups server-group <group_name> config name <group_name> type LDAP`. This example creates an LDAP server group called ldap-group: `system aaa server-groups server-group ldap-group config name ldap-group type LDAP`
- Add the host name for the LDAP service. This host name might need to be resolved in /etc/hosts, or by DNS. For example: `servers server ldap.server config address ldap.server`
- Commit the configuration changes: `commit`
Add LDAP certificates from the CLI
You can add the LDAP certificates and key
from the CLI.
- Log in to the command line interface (CLI) of the system controller or chassis partition using an account with admin access. When you log in to the system, you are in user (operational) mode.
- Change to config mode: `config`. The CLI prompt changes to include (config).
- Add the TLS config key: `system aaa tls config key (<AES encrypted string>)`. The CLI enters multiline mode; paste the PEM-encoded private key and press Ctrl-D to finish:
  ```
  syscon-2-active(config)# system aaa tls config key (<AES encrypted string>):
  [Multiline mode, exit with ctrl-D.]
  > -----BEGIN PRIVATE KEY-----
  > (base64-encoded key body omitted)
  > -----END PRIVATE KEY-----
  >
  ```
- Add the TLS config certificate: `system aaa tls config certificate (<string>)`. Paste the PEM-encoded certificate in the same way:
  ```
  syscon-2-active(config)# system aaa tls config certificate (<string>):
  [Multiline mode, exit with ctrl-D.]
  > -----BEGIN CERTIFICATE-----
  > (base64-encoded certificate body omitted)
  > -----END CERTIFICATE-----
  >
  ```
- Commit the configuration changes: `commit`
Configure VELOS for RADIUS authentication from the CLI
Before you start, the RADIUS service needs to
be set up on a server that is accessible to the VELOS chassis. The default port for
RADIUS service is 1812. If the service is configured with a different port, take note.
You need that during configuration.
In addition, users need to be assigned valid
system group IDs on the external RADIUS server. Refer to
Group IDs and system
authentication roles
for more information.
You can configure VELOS for RADIUS authentication from the VELOS CLI.
- Log in to the command line interface (CLI) of the system controller or chassis partition using an account with admin access. When you log in to the system, you are in user (operational) mode.
- Change to config mode: `config`. The CLI prompt changes to include (config).
- Set the authentication method to RADIUS: `system aaa authentication config authentication-method RADIUS_ALL`
- Commit the configuration changes: `commit`
- Add the RADIUS service details to the authentication server groups.
  - Create the server group: `system aaa server-groups server-group radius-group config name radius-group type RADIUS`
  - Add the server and IP address for the RADIUS service: `servers server 10.145.68.85 config address 10.145.68.85`
  - Customize the RADIUS configuration details: `radius config auth-port 1812 secret-key secret timeout 3`
- Commit the configuration changes: `commit`
Create a RADIUS server group from the CLI
You can use the VELOS CLI to create a RADIUS
server group if you have multiple RADIUS servers to connect to.
- Log in to the command line interface (CLI) of the system controller or chassis partition using an account with admin access. When you log in to the system, you are in user (operational) mode.
- Change to config mode: `config`. The CLI prompt changes to include (config).
- Create the server group: `system aaa server-groups server-group <group_name> config name <group_name> type RADIUS`. This example creates a RADIUS server group called radius-group: `system aaa server-groups server-group radius-group config name radius-group type RADIUS`
- Add the server and IP address of the RADIUS service. For example: `servers server 10.145.69.85 config address 10.145.69.85`
- Commit the configuration changes: `commit`
Add a user from the CLI
You can use the VELOS command-line
interface (CLI) to create additional users on your VELOS system.
- Log in to the command line interface (CLI) of the system controller or chassis partition using an account with admin access. When you log in to the system, you are in user (operational) mode.
- Change to config mode: `config`. The CLI prompt changes to include (config).
- Add a user: `system aaa authentication users user <user_name> config username <user_name> role <role> expiry-date <mm-dd-yyyy>`
  Where expiry-date is the date <mm-dd-yyyy> on which you want the account to expire. Other values for expiry-date are -1 for no expiration date (the default value), and 1 for expired.
  This example creates an admin user named testuser with an account expiration date of November 20, 2025: `system aaa authentication users user testuser config username test role admin expiry-date 11-20-2025`
  Users can be assigned more than one role, if needed. Here is the list of roles that are available:
  ```
  controller-1(config) system aaa authentication users user test config username test role ?
  Possible completions:
    admin  operator  partition_1, partition_2, partition_3, partition_4, partition_5, partition_6, partition_7, partition_8  ts_admin  user
  ```
  - admin: The admin has full read/write access and can make configuration changes at the level in which they are working (chassis or partition).
  - operator: Operator users have read-only access to every screen and every configuration object at the level in which they are working (chassis or partition).
  - partition_n (1-8): The chassis administrator can create one terminal server role per partition, where n refers to the partition ID. When a user with the partition_n role logs in on a specific blade port, they are presented with the blade console through the terminal server. This is for troubleshooting and debugging the system.
  - ts_admin: Terminal server admin. Users with this role have terminal server access to all consoles on the system regardless of partition restrictions.
  - user: This role is unprivileged and cannot do anything on the system. One or more supported roles need to be assigned to make this user account useful.
- Commit the configuration changes: `commit`
The system creates the account with the specified
role.
Disable a user from the CLI
You can use the VELOS command-line interface
(CLI) to disable user accounts on your VELOS system.
- Log in to the command line interface (CLI) of the system controller or chassis partition using an account with admin access. When you log in to the system, you are in user (operational) mode.
- Change to config mode: `config`. The CLI prompt changes to include (config).
- Disable a user. An expiry-date of 1 disables the account immediately, and -1 causes the account never to expire. You can also set the expiry-date to a future date; in that case, set the expiry date in MM-DD-YYYY format to the date you want the account to expire. `system aaa authentication users user <user_name> config expiry-date 1` This example disables a user named testuser: `system aaa authentication users user testuser config expiry-date 1`
- Commit the configuration changes: `commit`
Set an admin password from the CLI
You can use the VELOS command-line
interface (CLI) to set an admin user's password.
- Log in to the command line interface (CLI) of the system controller or chassis partition using an account with admin access. When you log in to the system, you are in user (operational) mode.
- Change to config mode: `config`. The CLI prompt changes to include (config).
- Set a password for an admin user: `system aaa authentication users user <user_name> config set-password`. This example sets the password for an admin user named testadmin: `system aaa authentication users user testadmin config set-password`. The system prompts you to set a new password for the specified admin user.
- Commit the configuration changes: `commit`
Set maximum password age
You can globally set the maximum password age
for all users. To do this, you specify the number of days after which the password will
expire since it was last changed. For example, if the last change was today and the
maximum age is 1, the password will expire tomorrow.
- Log in to the command line interface (CLI) of the system controller or chassis partition using an account with admin access. When you log in to the system, you are in user (operational) mode.
- Change to config mode: `config`. The CLI prompt changes to include (config).
- Specify the number of days after which a password will expire since it was last changed: `system aaa password-policy config max-age <# of days>`. For example: `system aaa password-policy config max-age 1`
- Commit the configuration changes: `commit`
When you log in to the console or over SSH, you receive a message that the password will expire in the configured number of days.
```
[partition1]# ssh admin@localhost
admin@localhost's password:
Warning: your password will expire in 1 day
Last login: Wed Jan 18 05:56:21 2020 from ::1
```
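As an added example (not F5OS code) covering the expiry-date values used in Add a user and Disable a user and the max-age behaviour in this section, the Python below parses -1, 1 and MM-DD-YYYY expiry dates and computes the days-left figure behind the login warning. It assumes a password stays usable through last-change plus max-age days (which reproduces both the "expire in 1 day" banner and the "90 days becomes 91" note earlier on the page) and that an account stops working on its expiry date itself; neither is stated on the page.

```python
"""Evaluate account expiry-date and password max-age as the CLI sections describe them.

Added example, not F5OS code. expiry-date follows the manual: -1 means no
expiration, 1 means expired (disabled), otherwise MM-DD-YYYY. Assumptions not
stated on the page: the account stops working on the expiry date itself, the
password is usable through last-change + max-age days, and the login warning
counts the remaining days.
"""
from datetime import date, datetime
from typing import Optional, Union

DateLike = Union[date, str]


def _as_date(value: DateLike) -> date:
    """Accept a date/datetime or a CLI-style MM-DD-YYYY string."""
    if isinstance(value, datetime):
        return value.date()
    if isinstance(value, date):
        return value
    return datetime.strptime(value.strip(), "%m-%d-%Y").date()


def parse_expiry_date(value: str) -> Optional[date]:
    """Return None for -1 (never expires), date.min for 1 (expired now),
    otherwise the MM-DD-YYYY date; anything else is rejected."""
    value = value.strip()
    if value == "-1":
        return None
    if value == "1":
        return date.min
    try:
        return _as_date(value)
    except ValueError as exc:
        raise ValueError(f"expiry-date must be -1, 1 or MM-DD-YYYY, got {value!r}") from exc


def account_state(expiry_date: str, today: DateLike) -> str:
    """'active' or 'expired' (assumes the account is unusable on the expiry date)."""
    exp = parse_expiry_date(expiry_date)
    if exp is None or _as_date(today) < exp:
        return "active"
    return "expired"


def password_days_left(last_change: DateLike, max_age: int, today: DateLike) -> Optional[int]:
    """Days until the password expires under max-age; None when max-age is 0
    (never expires). Negative means it has already expired. Assumed counting:
    usable through last-change + max-age, so max-age 90 set today fails on day 91."""
    if max_age < 0:
        raise ValueError("max-age cannot be negative")
    if max_age == 0:
        return None
    return max_age - (_as_date(today) - _as_date(last_change)).days


def login_banner(last_change: DateLike, max_age: int, today: DateLike) -> Optional[str]:
    """Warning line printed at login, modelled on the SSH transcript above;
    the 'has expired' wording is assumed, not taken from the page."""
    left = password_days_left(last_change, max_age, today)
    if left is None:
        return None
    if left < 0:
        return "Warning: your password has expired"
    return f"Warning: your password will expire in {left} {'day' if left == 1 else 'days'}"


if __name__ == "__main__":
    print(account_state("11-20-2025", "11-19-2025"), account_state("1", "01-01-2025"))
    print(login_banner("01-18-2020", 1, "01-18-2020"))
```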
Change a password from the CLI
You can use the VELOS command-line
interface (CLI) to change a user's password.
- Log in to the command line interface (CLI) of the system controller or chassis partition using an account with admin access. When you log in to the system, you are in user (operational) mode.
- Change to config mode: `config`. The CLI prompt changes to include (config).
- Change a specified user's password: `system aaa authentication users user <user_name> config change-password`. This example changes the password for a user named testuser: `system aaa authentication users user testuser config change-password`. The system prompts you to confirm the old password, set a new password, and confirm the new password for the specified user.
- Commit the configuration changes: `commit`
Delete a user from the CLI
You can use the VELOS CLI to delete a specified
user.
- Log in to the command line interface (CLI) of the system controller or chassis partition using an account with admin access. When you log in to the system, you are in user (operational) mode.
- Change to config mode: `config`. The CLI prompt changes to include (config).
- Delete a user: `no system aaa authentication users user <user_name>`. This example deletes a user named testuser: `no system aaa authentication users user testuser`
- Commit the configuration changes: `commit`
Modify user options from the CLI
You can use the VELOS command-line
interface (CLI) to modify or set options for a specified user.
- Log in to the command line interface (CLI) of the system controller or chassis partition using an account with admin access. When you log in to the system, you are in user (operational) mode.
- Change to config mode: `config`. The CLI prompt changes to include (config).
- Change user options for a user: `system aaa authentication users user <user_name> config last-change <time> expiry-date <mm-dd-yyyy>`. This example sets a last change date of zero (0) and an expiration date of January 1, 2030 for an admin user named testuser: `system aaa authentication users user testuser config last-change 0 expiry-date 01-01-2030`
- Commit the configuration changes: `commit`