User authentication
For XX-1800G rev. 2, see X2-Series User authentication.
Local users
The Authentication > Local page allows users logged in as administrators to add new users or edit existing users and their privilege levels. Depending on the selected role, the user has the following privileges:
- administrator: full control, unrestricted administration and system updates;
- user: create and set rules, aggregate and filter traffic, and configure ports;
- viewer: view-only access to settings, statistics and active rules.
The minimum requirements for the passwords are as follows:
- 8 characters;
- one uppercase letter;
- one lowercase letter;
- one digit;
- one special character.
TACACS+
The Authentication > TACACS+ page allows adding up to five TACACS+ servers, and configuring the following details:
- priority (sets the order in which the servers are tried when more than one is added; a lower number corresponds to a higher priority);
- login type (chap, login, pap);
- server hostname;
- port;
- secret key;
- timeout (waiting time for response from the TACACS+ server, can be set between 1 and 3 seconds);
- privilege mapping (translates the 15 privilege levels from TACACS+ into the viewer, user and administrator roles; the mapping is configurable).
Enabling TACACS+ server authentication applies to all login methods: serial, SSH, and GUI.
If multiple servers are present, server priority can be changed by using the arrow buttons and clicking the Save server list button.
RADIUS
XX-Series doesn't support RADIUS authentication natively, though it is possible via Profitap Supervisor.
Supervisor
Profitap Supervisor can be used as a centralized authentication facility for all XX-Series and X2-Series packet brokers.
This feature can be enabled in the Supervisor when registering the device. The centralized manager will automatically register itself on the device as an authentication facility. From that point on, the XX-Series device queries the Supervisor to verify, against the Supervisor's authentication configuration, whether the credentials used for login are valid. This allows the user to define the whole authentication configuration for all Profitap NPBs in a single place and have it used across the whole fleet of packet brokers.
On the Authentication > Profitap Supervisor page, it is possible to see whether a Supervisor has been registered with the device and, if necessary, modify the address, port and registration token. Note that the Supervisor performs the registration process automatically, so these settings shouldn't require any manual change.
When the Profitap Supervisor is disabled from this GUI, the XX-Series device stops contacting the Supervisor for authentication.
Note: The Profitap Supervisor Authentication is only supported for GUI and REST API access.
Authentication method priorities
For the CLI, the authentication method priorities are: TACACS+ > Local Users.
For the GUI and REST API, the priorities are: Local Users > Supervisor > TACACS+.