User authentication

The Authentication > Users page allows users logged in as administrators to add new users or edit existing users and their privilege levels. Depending on the selected role, the user has the following privileges:

• administrator: full control, limitless administration and system update;
• user: create and set rules, aggregate and filter traffic, and port configuration;
• viewer: view only: settings, statistics, active rules.

The minimum requirements for the passwords are as follows:

• 8 characters;
• one letter uppercase;
• one letter lowercase;
• one digit.

The Authentication > TACACS+ page allows adding up to three TACACS+ servers, and configuring the following details:

• priority (sets the order in which the servers will be taken into account, if more are added, with a lower number corresponding to a higher priority);
• login type (chap, login, pap);
• server hostname;
• port;
• secret key;
• timeout (waiting time for response from the TACACS+ server, can be set between 1 and 3 seconds);
• privilege mapping (translates the 15 privilege levels from TACACS+ into those of the viewers, users and admins; can be configured).

The Authentication > RADIUS page allows adding up to three RADIUS servers, and configuring the following details:

• priority (sets the order in which the servers will be taken into account, if more are added, with a lower number corresponding to a higher priority);
• server hostname;
• port;
• secret key;
• timeout (waiting time for response from the RADIUS server, can be set between 1 and 3 seconds);
• privilege mappings count (allows adding one or more rules for users. These rules are integer or string type attributes, requiring a name and a value. During authentication, the system checks if a user matches the rules. If there is a match between a user and a rule, then a role is applied for the user);
  Note: To add a new rule, click the + button. To apply the rule, click the ✔ button.
• fallback role (comes into effect when there isn’t a match between a user and a rule, with the ‘none’ option denying authentication access to any user).

The Authentication > LDAP page offers the possibility to configure one or more LDAP servers for user authentication. In order to set up the LDAP access, the following settings are required:

• server hostname or address;
• server port: (default 389 for LDAP and 636 for LDAPS);
• priority (sets the order in which the servers will be taken into account, if more are added, with a lower number corresponding to a higher priority);
• timeout (waiting time for response from the LDAP server, can be set between 1 and 3 seconds);
• base DN (base domain name): this is the base domain name used to query the LDAP servers for its information (example: ou=people,dc=example,dc=com);
• user DN (user domain name): domain name parameter used to query for the usernames. (example: uid);
• LDAP version: it is possible to configure both LDAP Version 2 and Version 3 servers;
• privilege mappings count (allows adding one or more rules for users. These rules are integer or string type attributes, requiring a name and a value. During authentication, the system checks if a user matches the rules. If there is a match between a user and a rule, then a role is applied for the user);
  Note: To add a new rule, click the + button. To apply the rule, click the ✔ button.
• fallback role (comes into place when there isn’t a match between a user and a rule, with the ‘none’ option denying authentication access to any user);
• TLS mode: the user can select whether the server requires TLS (for LDAPS), and if they wish to enforce strict TLS session validation. Note that if this option is set to “strict”, the user will likely need to import a private CA certificate on the device (Administration > Setup GUI page).

Profitap Supervisor can be used as a centralized authentication facility for all XX-Series and X2-Series packet brokers.

This feature can be enabled in the Supervisor when registering the device. The centralized manager will automatically register in the device as an authentication facility. From this moment on, the X2-Series device will query the Supervisor to verify, using its authentication configuration, if the credentials used for login are valid. This feature allows the user to define the whole authentication configuration for all Profitap NPBs in a single point and have it being used across the whole fleet of packet brokers.

On the Authentication > Profitap Supervisor page, it is possible to visualize if any Supervisor has been registered with the device and eventually modify the address, port and registration token. Note that the Supervisor is already performing the registration process automatically and these settings shouldn't require any manual change.

When disabling the Profitap Supervisor from this GUI, the X2-Series device will stop reaching to the Supervisor for authentication.

X2-Series products allow users to not only define multiple authentication methods, but also to configure how the different methods are used by the device. Clicking the Configure Authentication button on any tab of the Authentication page allows users to see the list of available authentication methods and change their priority and activation strategy.

For each method, one of the following strategies can be selected:

• Enable: The method is activated and will be used to authenticate users;
• Disable: The method is not active and its configuration will be ignored;
• Restrict: A restricted authentication method is activated only if all higher priority methods are failing access. In the case of RADIUS, TACACS+, LDAP, and Supervisor methods, this means that no server is responding (or no server is programmed). If only one of the registered RADIUS/TACACS+/LDAP servers replies with a rejection, the following restricted methods will be skipped. Note that “Local Users” are always available, meaning that any “restrict” method after that will never be activated.

All authentication methods and their configured priority and activation strategy apply to all login methods: Serial CLI, SSH CLI, GUI, HTTPS RestAPI, and Ansible.