HP Intelligent Management Center v5.1 TACACS+ Authentication Manager Administrator Guide

    Abstract

    This guide contains comprehensive information for network administrators, engineers, and operators working with the TAM service module.

    Part number: 5998-3316

    Software version: IMC TAM 5.1 (E0303)

    Document version: 5PW100-20120612


    Copyright 2012 Hewlett-Packard Development Company, L.P.

    No part of this documentation may be reproduced or transmitted in any form or by any means without prior written consent of Hewlett-Packard Development Company, L.P.

    The information contained herein is subject to change without notice.

    HEWLETT-PACKARD COMPANY MAKES NO WARRANTY OF ANY KIND WITH REGARD TO THIS MATERIAL, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. Hewlett-Packard shall not be liable for errors contained herein or for incidental or consequential damages in connection with the furnishing, performance, or use of this material.

    The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.

    Acknowledgments

    Microsoft and Windows are U.S. registered trademarks of Microsoft Corporation.

    Oracle and Java are registered trademarks of Oracle and/or its affiliates.

    Contents

    1 TACACS+ Authentication Manager overview
      TAM features
      TAM functional structure
      TAM user types
      Scenario-based authorization
      Login authorization and command authorization
      Online user management
      Log management
      Login methods and authentication-authorization methods
        TAM local authentication and authorization
        LDAP authentication + TAM local authorization

    2 Device user authentication configuration guide
      Configuring TAM local authentication and authorization
        TAM
        Configuring a device
        Configuring the PC of the device user
      Configuring LDAP authentication + TAM local authorization
        Configuring an LDAP server
        Configuring TAM
        Configuring a device
        Configuring the PC of the device user
      Comparing the authentication-authorization methods

    3 Performing device-related configuration
      Viewing the device list
      Querying devices
      Viewing device details
      Adding a device
      Importing devices
      Modifying a device
      Batch modifying devices
      Batch deleting devices
      Modifying the device area and type

    4 Authorization scenarios
      Managing device areas
        Viewing the device area list
        Viewing device area details
        Adding a device area
        Adding a sub-area
        Modifying a device area or a sub-area
        Deleting a device area or a sub-area
        Viewing devices in a device area or sub-areas
      Managing device types
        Viewing the device type list
        Viewing device type details
        Adding a device type
        Adding a sub-type
        Modifying a device type or a sub-type
        Deleting a device type or a sub-type
        Viewing devices of a device type or sub-types
      Configuring authorized time range policies
        Viewing the authorized time range policy list
        Viewing authorized time range policy details
        Adding an authorized time range policy
        Modifying an authorized time range policy
        Deleting an authorized time range policy

    5 Authorization command
      Shell profile
        Viewing the shell profile list
        Viewing shell profile details
        Adding a shell profile
        Modifying a shell profile
        Deleting a shell profile
      Command set
        Viewing the command set list
        Viewing command set details
        Adding a command set
        Modifying a command set
        Copying a command set
        Deleting a command set

    6 Authorization policy
      Viewing the authorization policy list
      Viewing authorization policy details
      Adding an authorization policy
      Modifying an authorization policy
      Deleting an authorization policy

    7 Managing device users
      Configuring device user groups
        Viewing the device user group list
        Viewing device user group details
        Adding a device user group
        Adding a sub-group
        Modifying a device user group or a sub-group
        Deleting a device user group or a sub-group
        Viewing device users in a device user group or sub-group
        Modifying operator privileges for device user groups
      Configuring device users
        Viewing the device user list
        Querying device users
        Viewing device user details
        Adding a device user
        Importing device users
        Modifying a device user
        Batch modifying device users
        Regrouping device users
        Batch cancelling device users
      Configuring the blacklist user function
        Viewing blacklist users
        Querying blacklist users
        Viewing blacklist user details
        Adding device users to the blacklist
        Removing device users from the blacklist

    8 LDAP authentication
      LDAP Overview
      Managing LDAP servers
        Viewing the LDAP server list
        Viewing LDAP server details
        Adding an LDAP server
        Testing connectivity to an LDAP server
        Modifying LDAP server settings
        Deleting an LDAP server
      Managing LDAP synchronization policies
        Viewing the LDAP synchronization policy list
        Viewing LDAP synchronization policy details
        Adding an LDAP synchronization policy
        Modifying an LDAP synchronization policy
        Deleting an LDAP synchronization policy
        Executing an LDAP synchronization policy
        Managing users bound to an LDAP synchronization policy
        Validating on-demand synchronization policies
      Managing LDAP users
        Viewing LDAP users
        Querying LDAP users
        Viewing LDAP user details
        Binding device users with an LDAP synchronization policy
        Unbinding users with an LDAP synchronization policy
        Synchronizing LDAP users
        Modifying LDAP user information
        Cancelling LDAP users
        Adding an LDAP user to the blacklist
        Releasing an LDAP user from the blacklist
        Exporting LDAP users
        Batch operations for LDAP users

    9 Managing online users
      Viewing the online user list
      Querying online users
        Basic query
        Advanced query
      Viewing online user details
      Clearing online user information
      Adding an online user to the blacklist
      Releasing a blacklisted user

    10 Managing logs
      Managing authentication logs
        Viewing the authentication log list
        Querying authentication logs
        Viewing authentication log details
        Exporting authentication logs
      Managing authorization logs
        Viewing the authorization log list
        Querying authorization logs
        Viewing authorization log details
        Exporting authorization logs
      Managing audit logs
        Viewing the audit log list
        Querying audit logs
        Viewing audit log details
        Exporting audit logs

    11 Configuring global system settings
      Configuring system parameters
      Configuring system operation log parameters
      Validating the system configuration

    12 Support and other resources
      Contacting HP
        Subscription service
      Related information
        Documents
        Websites
      Conventions
      About HP IMC documents

    Index


    1 TACACS+ Authentication Manager overview

    HP delivers the TACACS+ Authentication Manager (TAM) to centrally manage network maintainers. TAM runs on the IMC platform and provides authentication, authorization, and auditing for network maintainers. After TAM is deployed on the IMC server, the server acts as a TACACS+ server.

    TAM supports the following services:

    Authentication: Authenticates maintainers so that only valid maintainers can log in to devices.

    Authorization: Assigns different device management privileges to different maintainers, so that each maintainer can perform only the operations authorized for them.

    Audit: Audits maintainers by monitoring and recording their online behavior.

    Collaboration: Interoperates with mainstream devices that support TACACS+, such as HP, H3C, and Cisco devices.

    TAM features

    Reliable identity authentication

    Authentication by account name and password.

    Multiple password transmission methods, such as PAP, CHAP, and ASCII, to suit different network scenarios.

    LDAP authentication against LDAP servers such as Windows AD, OpenLDAP, and third-party mail systems that support the LDAP protocol.

    Simple user management

    User type: Supports two user types, common device user and LDAP user, for different network scenarios.

    Batch operation: Supports batch operations such as batch opening, cancelling, and modifying accounts.

    Blacklist: Adds suspicious device users to the blacklist to prevent attacks.

    User group: Assigns users of the same type to one group for unified management, reducing maintenance work for operators and simplifying operator privilege assignment.

    Online user monitoring: Monitors online users, including the login device IP, user IP, and online duration.

    Logging: Records authentication, authorization, and audit logs for device users, helping operators monitor user logins and audit their device management behavior.

    Strict and refined user privilege control

    Scenario-based authorization: Authorizes device users according to the access scenario. Three elements define a scenario: login time, login device IP, and login device type.

    Login authorization and command authorization: Login authorization controls the login behavior of device users. Command authorization specifies the commands that device users can execute.

    Limit on the number of concurrent users of one account.

    High-performance, scalable deployment solutions

    Two installation environments: "PC server + Windows + SQL Server" and "PC server + Linux + Oracle."

    Distributed deployment.

    TAM functional structure

    TAM is built on the device user + authorization policy structure. See Figure 1.

    Figure 1 TAM functional structure


    A device user is a network maintainer that uses account name and password to log in to manage a device. An authorization policy is a set of rules that control device user privileges.

    An authorization policy defines multiple access scenarios, which correspond to different authorization rules. When a device user logs in to manage a device, TAM authorizes the device user according to the authorization rule defined in the access scenario that the device user matches.

    An authorization policy can be applied to a device user or to a device user group. A device user uses the authorization policy specified for it, if any. If no authorization policy is specified for the device user, it uses the authorization policy of the device user group to which it belongs.

    TAM user types

    TAM contains the following types of users:

    Common device users: A common device user uses an account name and password for authentication. TAM saves and maintains the user information.

    LDAP users: An LDAP user is a TAM device user bound to an LDAP synchronization policy. When TAM receives an authentication request for the user, it forwards the account name and password to the LDAP server for authentication. LDAP user information is saved on both the LDAP server and the TAM server: the LDAP server maintains the user information, and TAM periodically synchronizes it from the LDAP server. If a network already uses an LDAP server to manage users, HP recommends using LDAP users when deploying TAM in the network.

    Scenario-based authorization

    TAM supports access scenario-based authorization. An authorization policy defines multiple access scenarios. When a device user logs in to manage a device and matches a scenario, TAM authorizes the device user according to the rule defined in the matching scenario.

    Login authorization and command authorization

    TAM assigns an authorization policy to perform login authorization and command authorization for a device user.

    Login authorization: TAM uses shell profiles to control the login behavior of device users. A shell profile specifies these authorization items: ACL, auto run command, privilege level, user-defined attributes, idle time, and timeout.

    Command authorization: TAM uses command sets to control the commands that a user can execute. When a user executes a command, TAM determines whether to permit it according to the command set that the user matches.

    Online user management

    Use this function to view basic information about users that have logged in to a device and to trace their online behavior.

    Log management

    Logs include authentication logs, authorization logs, and audit logs. These logs record the device login, usage, and logoff behavior of device users. Operators can query the logs to audit device users.

    Login methods and authentication-authorization methods

    A TAM authentication system comprises TAM, managed devices, and device users.

    TAM supports authenticating and authorizing device users who log in to devices through the following login methods:

    Telnet

    Console

    SSH

    FTP

    TAM supports the following authentication-authorization methods:

    TAM local authentication and authorization

    LDAP authentication + TAM local authorization

    To log in to a device, a device user only needs to use the client software corresponding to the login method to initiate a login request.

    The following sections describe the authentication-authorization methods.

    TAM local authentication and authorization

    The device to which a user wants to log in sends the user account name and password to TAM. TAM authenticates the user and permits or denies the login. If the login is permitted, TAM performs login authorization and command authorization for the user. The entire authentication-authorization exchange is performed over the TACACS+ protocol.

    Device user information and the authorization policy assigned to the device user are all saved in the TAM local database.


    Figure 2 TAM local authentication and authorization

    In Figure 2, PCs in blue represent the PCs used by device users, and Devices in blue represent the manageable devices.

    In TAM local authentication-authorization mode, when a device user logs in to manage a device, the TAM server performs authentication for the device user. If the device user passes authentication, the TAM server uses a locally saved authorization policy to perform login authorization and command authorization for the device user.

    LDAP authentication + TAM local authorization

    The device to which a user wants to log in sends the user account name and password to the TAM server, which forwards them to the LDAP server for authentication. The LDAP server returns the authentication result to the TAM server, and TAM permits or denies the login according to that result.

    If the user is permitted login to the device, TAM performs login authorization and command authorization for the user. The device and the TAM server use the TACACS+ protocol to exchange packets with each other. The TAM server and the LDAP server use the LDAP protocol to exchange packets with each other.

    The device user information is saved in the LDAP server. The authorization policies for device users are saved in the TAM local database.


    Figure 3 LDAP authentication and TAM authorization

    In Figure 3, PCs in blue represent the PCs used by device users, and Devices in blue represent the manageable devices.

    In the LDAP authentication + TAM authorization mode, when a device user logs in to manage a device, the TAM server sends the authentication request to the LDAP server over the LDAP protocol and the LDAP server authenticates the user.

    If the device user passes authentication, the TAM server uses a locally saved authorization policy to perform login authorization and command authorization for the device user.


    2 Device user authentication configuration guide

    TAM supports the following login methods:

    Telnet

    Console

    SSH

    FTP

    TAM supports the following authentication and authorization methods:

    TAM local authentication and authorization: The device to which a user wants to log in sends the user account name and password to TAM. TAM authenticates the user and permits or denies the login. If the login is permitted, TAM performs login authorization and command authorization for the user.

    LDAP authentication and TAM local authorization: The device to which a user wants to log in sends the user account name and password to the TAM server, which forwards them to the LDAP server for authentication. The LDAP server returns the authentication result to the TAM server, and TAM permits or denies the login according to that result. If the login is permitted, TAM performs login authorization and command authorization for the user.

    A login method and an authentication-authorization method work together to implement user authentication and authorization. TAM supports authenticating and authorizing users who log in to devices through Telnet, console, and SSH.

    For device users logging in through FTP, TAM supports only authentication.

    Configuring TAM local authentication and authorization

    Configure TAM local authentication and authorization on TAM, the device, and the PC used by the device user, respectively. Figure 4 shows the recommended configuration procedure.


    Figure 4 Recommended TAM local authentication and authorization configuration procedure

    TAM

    HP recommends that you configure TACACS+ authentication and authorization on TAM in this order:

    1. Add a device.

    2. Add an authorization scenario.

    3. Add authorization command.

    4. Add an authorization policy.

    5. Add a device user.

    Adding a device

    A device can cooperate with TAM to implement TACACS+ authentication and authorization only when the device is added to TAM.

    HP recommends that you add devices to TAM first because:

    A device is an element of an authorization scenario, so devices must be added before you can configure an authorization scenario.

    Different devices might use different command sets. After you add a device, you can configure a command set for the device.

    To enter the page for configuring devices, select Service > TACACS+ AuthN Manager > Device List. See Figure 5. For more information, see "Performing device-related configuration."


    Figure 5 Entering the page for configuring devices

    Adding an authorization scenario

    An authorization scenario includes three elements: device area, device type, and access period, which together define one scenario. Scenarios that differ in any one element are different scenarios. TAM authorizes device users according to the scenario they match.

    To enter the page for configuring authorization scenarios, select Service > TACACS+ AuthN Manager > Authorization Scenarios. See Figure 6. For more information, see "Authorization scenarios."

    Figure 6 Entering the page for configuring authorization scenarios

    Adding authorization command

    TAM uses authorization command sets to control the commands that a user can use. An authorization command includes shell profiles and command sets.

    A shell profile controls login behaviors of device users, such as the privilege level and the command that can be automatically executed. A command set controls commands that a device user can execute after login.


    To enter the page for configuring an authorization command, select Service > TACACS+ AuthN Manager > Authorization Command. See Figure 7. For more information, see "Authorization command."

    Figure 7 Entering the page for configuring an authorization command

    Adding an authorization policy

    An authorization policy defines multiple access scenarios and defines an authorization command for each scenario. When a device user logs in to manage a device, if the device user matches a scenario, the device user is controlled by the corresponding authorization command (shell profile and command set).

    To enter the page for configuring authorization policies, select Service > TACACS+ AuthN Manager > Authorization Policies. See Figure 8. For more information, see "Authorization policy."

    Figure 8 Entering the page for configuring authorization policies
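    The device user + authorization policy structure described in the overview ("TAM functional structure", "Scenario-based authorization", "Login authorization and command authorization") and in this step can be made concrete. The following is an added example written for this page, not code from the HP guide or the TAM product: a device user inherits the policy of its group unless a policy is set on the user itself; a policy is a list of scenarios keyed by device area, device type and authorized time range; the first matching scenario yields a shell profile (login authorization) and a command set (command authorization). The devices, users, time range and command patterns are constructed sample data, and two details are assumptions of this model rather than documented TAM behavior: scenarios are tried in order with the first match winning, and a command set is an ordered list of permit/deny glob rules followed by a default action.

```python
from dataclasses import dataclass
from datetime import datetime, time
from fnmatch import fnmatchcase
from typing import Optional, Tuple

@dataclass(frozen=True)
class Device:
    ip: str
    area: str       # device area in TAM, e.g. "DC-Core"
    dev_type: str   # device type in TAM, e.g. "Router"

@dataclass(frozen=True)
class TimeRange:
    days: frozenset  # weekdays, 0 = Monday
    start: time
    end: time

    def contains(self, when: datetime) -> bool:
        return when.weekday() in self.days and self.start <= when.time() < self.end

@dataclass(frozen=True)
class ShellProfile:
    """Login authorization items handed to the device after a successful login."""
    name: str
    priv_lvl: int
    idle_time_min: int
    autocmd: str = ""

@dataclass(frozen=True)
class CommandSet:
    """Ordered (action, glob) rules, then a default action (the ordering is an assumed model)."""
    name: str
    rules: Tuple[Tuple[str, str], ...]
    default_permit: bool = False

    def permits(self, command: str) -> bool:
        for action, pattern in self.rules:
            if fnmatchcase(command, pattern):
                return action == "permit"
        return self.default_permit

@dataclass(frozen=True)
class Scenario:
    """Area + type + time range -> shell profile and command set; "*" or None match anything."""
    area: str
    dev_type: str
    time_range: Optional[TimeRange]
    shell_profile: ShellProfile
    command_set: CommandSet

    def matches(self, device: Device, when: datetime) -> bool:
        return (self.area in ("*", device.area)
                and self.dev_type in ("*", device.dev_type)
                and (self.time_range is None or self.time_range.contains(when)))

@dataclass(frozen=True)
class AuthorizationPolicy:
    name: str
    scenarios: Tuple[Scenario, ...]  # most specific first; first match wins (assumption)

    def select(self, device: Device, when: datetime) -> Optional[Scenario]:
        return next((s for s in self.scenarios if s.matches(device, when)), None)

@dataclass(frozen=True)
class DeviceUserGroup:
    name: str
    policy: Optional[AuthorizationPolicy]

@dataclass(frozen=True)
class DeviceUser:
    name: str
    group: DeviceUserGroup
    policy: Optional[AuthorizationPolicy] = None

    def effective_policy(self) -> Optional[AuthorizationPolicy]:
        # A policy set on the user wins; otherwise the policy of the user's group applies.
        return self.policy if self.policy is not None else self.group.policy

def login_authorization(user: DeviceUser, device: Device, when: datetime) -> Optional[Scenario]:
    """Scenario matched at login (its shell profile goes to the device), or None if no policy."""
    policy = user.effective_policy()
    return policy.select(device, when) if policy is not None else None

def command_authorization(scenario: Optional[Scenario], command: str) -> bool:
    """Per-command decision against the command set of the scenario matched at login."""
    return scenario is not None and scenario.command_set.permits(command)

# Constructed sample data for this illustration; none of it comes from the guide.
BUSINESS_HOURS = TimeRange(frozenset({0, 1, 2, 3, 4}), time(8, 0), time(18, 0))
NETADMIN = ShellProfile("netadmin", priv_lvl=3, idle_time_min=10)
READONLY = ShellProfile("readonly", priv_lvl=1, idle_time_min=5, autocmd="display version")
DC_OPS = CommandSet("dc-ops", (("deny", "reboot*"), ("deny", "format*"), ("permit", "*")))
SHOW_ONLY = CommandSet("show-only", (("permit", "display *"), ("permit", "quit")))
OPS_POLICY = AuthorizationPolicy("ops", (
    Scenario("DC-Core", "*", BUSINESS_HOURS, NETADMIN, DC_OPS),  # full admin, office hours only
    Scenario("*", "*", None, READONLY, SHOW_ONLY),                # read-only everywhere else
))
AUDIT_POLICY = AuthorizationPolicy("audit", (Scenario("*", "*", None, READONLY, SHOW_ONLY),))
NOC = DeviceUserGroup("noc", OPS_POLICY)
ALICE = DeviceUser("alice", NOC)                   # inherits the group's policy
BOB = DeviceUser("bob", NOC, policy=AUDIT_POLICY)  # a user policy overrides the group's
CORE_RTR = Device("10.0.0.1", "DC-Core", "Router")
BRANCH_SW = Device("10.1.0.1", "Branch", "Switch")
TUE_10 = datetime(2012, 6, 12, 10, 0)  # a Tuesday inside BUSINESS_HOURS
SAT_02 = datetime(2012, 6, 16, 2, 0)   # a Saturday outside it
```

    With this data, login_authorization(ALICE, CORE_RTR, TUE_10) returns the netadmin scenario (privilege level 3, with reboot and format denied but every other command permitted), while the same user on the same router at SAT_02, or on BRANCH_SW at any time, drops to the read-only scenario; BOB gets the read-only scenario everywhere because his own policy overrides the group's; a user whose group has no policy gets None, which a server would treat as a failed authorization.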

    Adding a device user

    A device user is a network maintainer that uses account name and password to log in to manage a device.

    To enter the page for configuring device users, select User > Device User View > All Device Users. See Figure 9. For more information, see "Managing device users."


    Figure 9 Entering the page for configuring a device user

    Configuring a device

    When you configure a device, the following order is recommended:

    1. Creating a TACACS+ scheme.

    2. Creating a domain.

    3. Configuring scheme authentication and enabling command line authorization and accounting.

    Creating a TACACS+ scheme

    A device cooperates with the TAM server to implement TACACS+ authentication according to the configured TACACS+ scheme. Follow these guidelines when you configure a TACACS+ scheme:

    The IP address specified for the AAA server in the TACACS+ scheme must be the IP address of the TAM server.

    The shared key and the authentication, authorization, and accounting ports specified in the TACACS+ scheme must be the same as those configured on the TAM server. The shared key is all that protects the TACACS+ packet bodies (user names, passwords, and commands) between the device and TAM, so use a long random key in production rather than a short word like the "hello" of the example below.

    If you specify a nas-ip in the TACACS+ scheme, the device IP address that you configure on TAM must be that nas-ip. If you do not specify a nas-ip, the device IP address on TAM must be the address of the interface through which the device reaches the TAM server. TAM matches incoming TACACS+ packets to a configured device by their source IP address, so the two must agree.

    Creating a domain

    The scheme used in a domain for login authentication, privilege escalation (super), and command line authorization must be the TACACS+ scheme that you have just created.

    Configuring scheme authentication and enabling command line authorization and accounting

    Configure the scheme authentication on different interfaces for different login methods.

    Enable command line authorization and accounting on different interfaces according to different login methods.

    Configuration example

    Take an HP A series device or H3C device as an example. The command lines needed for TACACS+ authentication and authorization are as follows:


    system-view
    [Device]hwtacacs scheme test
    [Device-hwtacacs-test]primary authentication 192.168.0.96 49
    [Device-hwtacacs-test]primary authorization 192.168.0.96 49
    [Device-hwtacacs-test]primary accounting 192.168.0.96 49
    [Device-hwtacacs-test]key authentication hello
    [Device-hwtacacs-test]key authorization hello
    [Device-hwtacacs-test]key accounting hello
    [Device-hwtacacs-test]nas-ip 190.12.0.2
    [Device-hwtacacs-test]user-name-format without-domain
    [Device-hwtacacs-test]quit
    [Device]domain tel
    [Device-isp-tel]authentication login hwtacacs-scheme test
    [Device-isp-tel]authentication super hwtacacs-scheme test
    [Device-isp-tel]authorization login hwtacacs-scheme test
    [Device-isp-tel]authorization command hwtacacs-scheme test
    [Device-isp-tel]accounting login hwtacacs-scheme test
    [Device-isp-tel]accounting command hwtacacs-scheme test
    [Device-isp-tel]quit
    [Device]user-interface vty 0 4
    [Device-ui-vty0-4]authentication-mode scheme
    [Device-ui-vty0-4]command authorization
    [Device-ui-vty0-4]command accounting
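    The shared-key and nas-ip guidelines above, and the statement in chapter 1 that the whole authentication-authorization exchange runs over TACACS+, are easier to see on the wire. The following is an added example written for this page, not code from the HP guide or the TAM product: it builds the TACACS+ authentication START packet that a device sends when a user logs in against a scheme like the one configured above, obfuscates the body with the MD5 pseudo-pad defined in RFC 8907 section 4.5 under the shared key hello, and then has the server side recover the body with the right key and reject it with a wrong one. Field layout and constants follow RFC 8907; the session ID, user name, password, line name (vty0) and remote address are constructed sample values.

```python
import hashlib
import struct
from typing import Optional

TAC_PLUS_MAJOR_VER = 0xC
TAC_PLUS_MINOR_VER_ONE = 0x1      # RFC 8907: PAP and CHAP START packets use minor version 1
TAC_PLUS_AUTHEN = 0x01            # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01  # body sent in clear; deprecated, never for production
TAC_PLUS_AUTHEN_LOGIN = 0x01
TAC_PLUS_AUTHEN_TYPE_PAP = 0x02
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01

HEADER = struct.Struct("!BBBBII")         # version, type, seq_no, flags, session_id, length
START_FIXED = struct.Struct("!BBBBBBBB")  # action, priv_lvl, authen_type, service, 4 lengths


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """MD5 keystream of RFC 8907 section 4.5: each block chains the previous digest."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR with the pseudo-pad; the same call both protects and recovers a body."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_authen_start(session_id: int, key: bytes, user: str, password: str,
                       port: str = "vty0", rem_addr: str = "10.0.0.50", priv_lvl: int = 1) -> bytes:
    """Device side: the START packet for a PAP login (port and rem_addr defaults are constructed)."""
    version = (TAC_PLUS_MAJOR_VER << 4) | TAC_PLUS_MINOR_VER_ONE
    seq_no = 1  # the device always opens a session with seq_no 1
    fields = [s.encode("ascii") for s in (user, port, rem_addr, password)]
    if any(len(f) > 255 for f in fields):
        raise ValueError("START fields carry one-byte lengths")
    body = START_FIXED.pack(TAC_PLUS_AUTHEN_LOGIN, priv_lvl, TAC_PLUS_AUTHEN_TYPE_PAP,
                            TAC_PLUS_AUTHEN_SVC_LOGIN, *(len(f) for f in fields)) + b"".join(fields)
    header = HEADER.pack(version, TAC_PLUS_AUTHEN, seq_no, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, version, seq_no)


def _text(raw: bytes) -> str:
    return raw.decode("ascii", "replace")


def _split(buf: bytes, lens) -> list:
    out, pos = [], 0
    for n in lens:
        out.append(buf[pos:pos + n])
        pos += n
    return out


def parse_authen_start(packet: bytes, key: bytes) -> dict:
    """Server side: recover and validate the START body with the key held for this device."""
    if len(packet) < HEADER.size:
        raise ValueError("short header")
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack_from(packet)
    if ptype != TAC_PLUS_AUTHEN or version >> 4 != TAC_PLUS_MAJOR_VER:
        raise ValueError("not a TACACS+ authentication packet")
    body = packet[HEADER.size:]
    if len(body) != length or length < START_FIXED.size:
        raise ValueError("body length does not match header")
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, key, version, seq_no)
    action, priv_lvl, authen_type, service, *lens = START_FIXED.unpack_from(body)
    # Under the wrong key the pad is garbage, so the embedded field lengths no longer add up.
    if START_FIXED.size + sum(lens) != length or action != TAC_PLUS_AUTHEN_LOGIN:
        raise ValueError("body does not decode: shared key mismatch?")
    user, port, rem_addr, data = _split(body[START_FIXED.size:], lens)
    return {"session_id": session_id, "priv_lvl": priv_lvl, "authen_type": authen_type,
            "service": service, "user": _text(user), "port": _text(port),
            "rem_addr": _text(rem_addr), "password": _text(data)}


def decode_or_none(packet: bytes, key: bytes) -> Optional[dict]:
    """What a server holding `key` for this device's source IP would learn, or None."""
    try:
        return parse_authen_start(packet, key)
    except ValueError:
        return None


if __name__ == "__main__":
    pkt = build_authen_start(0x5A5A1234, b"hello", "admin", "s3cret")
    print("right key:", decode_or_none(pkt, b"hello"))
    print("wrong key:", decode_or_none(pkt, b"not-hello"))
```

    Run as a script to see the decoded fields. Two points the code makes visible: the 12-byte header is always cleartext and the body is only XORed with an MD5 keystream derived from the shared key, so that key (its secrecy and its length) is the whole of the confidentiality that TACACS+ itself provides on the device-to-TAM path; and the server has to pick the key from the packet's source address before it can decode anything, which is why the device IP configured on TAM must match the nas-ip or the address of the device's outgoing interface.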

    Configuring the PC of the device user

    A user only needs to log in to the device by using the client software for the chosen login method. No TAM-specific configuration is needed on the PC.

    Configuring LDAP authentication + TAM local authorization

    Configure LDAP authentication and TAM local authorization on the LDAP server, the device, and the PC used by the device user, respectively. Figure 10 shows the recommended configuration procedure.


    Figure 10 Recommended LDAP authentication and TAM local authorization configuration procedure

    Configuring an LDAP server

    Create the device user data on the LDAP server. A device user is a network maintainer that uses an account name and password to log in to manage a device.

    Configuring TAM

    HP recommends that you configure TACACS+ authentication and authorization on TAM in this order:

    1. Add a device.

    2. Add an authorization scenario.

    3. Add authorization command.

    4. Add an authorization policy.

    5. Add an LDAP server.

    6. Add an LDAP synchronization policy.

    Adding a device

    A device can cooperate with TAM to implement TACACS+ authentication and authorization only when the device is added to TAM.

    HP recommends that you add devices to TAM first because:

    A device is an element of an authorization scenario, so devices must be added before you can configure an authorization scenario.

    Different devices might use different command sets. After you add a device, you can configure a command set for the device.

    To enter the page for configuring devices, select Service > TACACS+ AuthN Manager > Device List. See Figure 11. For more information, see "Performing device-related configuration."


    Figure 11 Entering the page for configuring devices

    Adding an authorization scenario

    An authorization scenario includes three elements: device area, device type, and access period, which work together to define one scenario.

    Scenarios that differ in any one element are different scenarios. TAM authorizes device users according to the scenario they match.

    To enter the page for configuring authorization scenarios, select Service > TACACS+ AuthN Manager > Authorization Scenarios. See Figure 12. For more information, see "Authorization scenarios."

    Figure 12 Entering the page for configuring authorization scenarios

    Adding authorization command

    TAM uses authorization command sets to control the commands that a user can use.

    An authorization command includes shell profiles and command sets. A shell profile controls login behaviors of device users. A command set controls commands that a device user can execute after login.


    To enter the page for configuring an authorization command, select Service > TACACS+ AuthN Manager > Authorization Command. See Figure 13. For more information, see "Authorization command."

    Figure 13 Entering the page for configuring an authorization command

    Adding an authorization policy

    An authorization policy defines multiple access scenarios and defines an authorization command for each scenario.

    When a device user logs in to manage a device, if the device user matches a scenario, the device user is controlled by the corresponding authorization command (shell profile and command set).

    To enter the page for configuring authorization policies, select Service > TACACS+ AuthN Manager > Authorization Policies. See Figure 14. For more information, see "Authorization policy."

    Figure 14 Entering the page for configuring authorization policies

    Adding an LDAP server

    Add an LDAP server on TAM, and configure the parameters for logging in to the LDAP server. After the LDAP server is created, TAM can read device user data from the LDAP server.


    To enter the page for configuring the LDAP server, click the Service tab, and select TACACS+ AuthN Manager > LDAP Service > LDAP Servers from the navigation tree. See Figure 15. For more information, see "Managing LDAP servers."

    Figure 15 Entering the page for configuring LDAP servers

    Adding an LDAP synchronization policy

    Create LDAP synchronization policies on TAM so TAM can periodically synchronize device user data from the LDAP server. You can also manually synchronize device user data from the LDAP server at any time.

    To enter the page for configuring LDAP synchronization policies, click the Service tab, and select TACACS+ AuthN Manager > LDAP Service > Sync Policies from the navigation tree. See Figure 16. For more information, see "Managing LDAP synchronization policies."


    Figure 16 Entering the page for configuring LDAP synchronization policies

    Configuring a device

    When you configure a device, the following order is recommended:

    1. Creating a TACACS+ scheme.

    2. Creating a domain.

    3. Configuring scheme authentication and enabling command line authorization and accounting.

    Creating a TACACS+ scheme

    A device cooperates with the TAM server to implement TACACS+ authentication according to the configured TACACS+ scheme. Follow these guidelines when you configure a TACACS+ scheme:

    The IP address specified for the AAA server in the TACACS+ scheme must be the IP address of the TAM server.

    The shared key and the authentication, authorization, and accounting ports specified in the TACACS+ scheme must be the same as those configured on the TAM server. Because the shared key is what protects the TACACS+ packet bodies between the device and TAM, use a long random key in production.

    If you specify a nas-ip in the TACACS+ scheme, the device IP address that you configure on TAM must be that nas-ip. If you do not specify a nas-ip, the device IP address on TAM must be the address of the interface through which the device reaches the TAM server.

    Creating a domain

    The scheme used in a domain for login authentication, privilege escalation (super), and command line authorization must be the TACACS+ scheme that you have just created.

    Configuring scheme authentication and enabling command line authorization and accounting

    Configure the scheme authentication on different interfaces for different login methods.


    Enable command line authorization and accounting on different interfaces according to different login methods.

    Configuration example

    Take an HP A series or H3C device as an example. The command lines needed for TACACS+ authentication and authorization are as follows: system-view

    [Device]hwtacacs scheme test

    [Device-hwtacacs-test]primary authentication 192.168.0.96 49

    [Device-hwtacacs-test]primary authorization 192.168.0.96 49

    [Device-hwtacacs-test]primary accounting 192.168.0.96 49

    [Device-hwtacacs-test]key authentication hello

    [Device-hwtacacs-test]key authorization hello

    [Device-hwtacacs-test]key accounting hello

    [Device-hwtacacs-test]nas-ip 190.12.0.2

    [Device-hwtacacs-test]user-name-format without-domain

    [Device-hwtacacs-test]quit

    [Device]domain tel

    [Device-isp-tel]authentication login hwtacacs-scheme test

    [Device-isp-tel]authentication super hwtacacs-scheme test

    [Device-isp-tel]authorization login hwtacacs-scheme test

    [Device-isp-tel]authorization command hwtacacs-scheme test

    [Device-isp-tel]accounting login hwtacacs-scheme test

    [Device-isp-tel]accounting command hwtacacs-scheme test

    [Device-isp-tel]quit

    [Device]user-interface vty 0 4

    [Device-ui-vty0-4]authentication-mode scheme

    [Device-ui-vty0-4]command authorization

    [Device-ui-vty0-4]command accounting
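The two agreement rules behind this example, that the shared key must match on both ends and that the single-connection setting must match what the device sends, can be checked offline with the following Python script. It is an added example, not code from the HP guide or from IMC: it builds the authentication START packet a device sends to TAM, obfuscates the body with the RFC 8907 MD5 pseudo-pad under the shared key, and parses it back the way the server side would. The key "hello" from the CLI example, the session ID, the user name, the line name and the address are constructed sample values. The pseudo-pad obfuscation is not encryption, so a short key such as "hello" is a placeholder for the example only; a production deployment should use a long random key and keep the device-to-TAM path on a protected management network.

```python
"""Added example (not from the HP guide): TACACS+ authentication START packet
construction and parsing per RFC 8907, used to show why the shared key and the
single-connection setting must agree between the device and TAM."""
import hashlib
import struct

TAC_PLUS_VERSION = 0xC0               # major version 0xC, minor version 0 (default)
TAC_PLUS_AUTHEN = 0x01                # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01      # body sent in the clear (never in production)
TAC_PLUS_SINGLE_CONNECT_FLAG = 0x04   # "Single Connection: Supported" in TAM terms

TAC_PLUS_AUTHEN_LOGIN = 0x01
TAC_PLUS_AUTHEN_TYPE_ASCII = 0x01
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01

HEADER_FMT = "!BBBBII"                # version, type, seq_no, flags, session_id, length
HEADER_LEN = struct.calcsize(HEADER_FMT)
START_FMT = "!BBBBBBBB"               # action, priv_lvl, authen_type, service, 4 length bytes


def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 obfuscation stream: chained MD5 over session_id || key || version || seq_no."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pseudo pad; the same call de-obfuscates."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_authen_start(user, port, rem_addr, key, session_id, single_connect=False, priv_lvl=1):
    """Device side: authentication START for an ASCII login (first packet, seq_no 1)."""
    data = b""
    body = struct.pack(START_FMT, TAC_PLUS_AUTHEN_LOGIN, priv_lvl, TAC_PLUS_AUTHEN_TYPE_ASCII,
                       TAC_PLUS_AUTHEN_SVC_LOGIN, len(user), len(port), len(rem_addr), len(data))
    body += user + port + rem_addr + data
    seq_no = 1
    flags = TAC_PLUS_SINGLE_CONNECT_FLAG if single_connect else 0
    header = struct.pack(HEADER_FMT, TAC_PLUS_VERSION, TAC_PLUS_AUTHEN, seq_no, flags,
                         session_id, len(body))
    return header + obfuscate(body, session_id, key, TAC_PLUS_VERSION, seq_no)


def parse_authen_start(packet, key):
    """Server side: de-obfuscate with the key TAM holds for this device and decode the
    START body. A wrong key produces garbage whose declared lengths do not add up."""
    version, ptype, seq_no, flags, session_id, length = struct.unpack(HEADER_FMT, packet[:HEADER_LEN])
    if ptype != TAC_PLUS_AUTHEN or len(packet) != HEADER_LEN + length:
        raise ValueError("not a well-formed authentication packet")
    body = packet[HEADER_LEN:]
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, key, version, seq_no)
    action, priv_lvl, authen_type, service, ulen, plen, rlen, dlen = struct.unpack(START_FMT, body[:8])
    if 8 + ulen + plen + rlen + dlen != len(body):
        raise ValueError("body lengths do not add up: wrong shared key or malformed packet")
    off = 8
    user = body[off:off + ulen]
    off += ulen
    port = body[off:off + plen]
    off += plen
    rem_addr = body[off:off + rlen]
    return {
        "user": user.decode("ascii", "replace"),
        "port": port.decode("ascii", "replace"),
        "rem_addr": rem_addr.decode("ascii", "replace"),
        "priv_lvl": priv_lvl,
        "single_connect": bool(flags & TAC_PLUS_SINGLE_CONNECT_FLAG),
    }


def key_matches(packet, key, expected_user):
    """True only if this key recovers a body whose user field is the expected one."""
    try:
        return parse_authen_start(packet, key)["user"] == expected_user
    except ValueError:
        return False


# Constructed sample: the device from the CLI example above, shared key "hello",
# a user logging in on vty0 from the device's nas-ip, with single connection enabled.
SAMPLE_KEY = b"hello"
SAMPLE_SESSION_ID = 0x1A2B3C4D
SAMPLE_PACKET = build_authen_start(b"admin", b"vty0", b"190.12.0.2", SAMPLE_KEY,
                                   SAMPLE_SESSION_ID, single_connect=True)
```

With the configured key the parsed user is admin and the single-connect flag is set; with any other key the declared field lengths no longer add up to the body length, which is how a key mismatch on either side shows up on the server.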

Configuring the PC of the device user

A user only needs to log in to the device by using the related client software.

    Comparing the authentication-authorization methods

The configuration for "TAM local authentication and authorization" and that for "LDAP authentication and TAM local authorization" have the following similarities and differences:

    Device and PC configurations are the same because devices and PCs do not need to be aware of the authentication and authorization processes.

    The device, authorization scenario, authorization command, and authorization policy configurations on TAM are the same.

    For TAM local authentication, you need to create device users on TAM. For LDAP authentication, you need to perform LDAP configuration such as configuring the LDAP server and synchronization policies on TAM, which can synchronize device user information from the LDAP server.


    3 Performing device-related configuration

    A "device", in the context of this information, refers to a network device that users log in to manage. A device can cooperate with TAM to implement TACACS+ authentication and authorization only when the device is added to TAM.

A device in TAM is an element of an authorization scenario, so you must add devices before you can configure an authorization scenario. For more information about authorization scenarios, see "Authorization scenarios."

Different devices might use different command sets. After adding a device, configure a command set for the device. For more information about authorization command sets, see "Authorization command."

Viewing the device list

To view the device list:

    1. Click the Service tab.

    2. Select TACACS+ AuthN Manager > Device List from the navigation tree.

    The Device List displays all devices.

    Device list contents

Device Name: Device label, which links to the device details page. If the device is managed by the IMC Platform, this field is the same as the Device Label parameter on the IMC Platform. If the device is manually added to TAM without being managed by the IMC Platform, this field is empty.

Device IP: IP address. If the device is managed by the IMC Platform, this field displays the management IP address of the device. If the device is manually added to TAM without being managed by the IMC Platform, this field displays the IP address manually entered.

Device Model: Device vendor and model. If the device is managed by the IMC Platform, this field is the same as the Device Model parameter on the IMC Platform. If the device is manually added to TAM without being managed by the IMC Platform, this field is empty.

Device Area: Area to which a device belongs. One device can belong to multiple areas, which are separated by semicolons (;). Device area is an important part of an authorization scenario. For more information, see "Managing device areas."

Device Type: Device type. One device can belong to only one type. Device type is an important part of an authorization scenario. For more information, see "Managing device types."

Configuration Information: Provides the Details icon, which links to the details page of a device.

Modify: Click the Modify icon to modify the device.

    Navigating the device list

    Click to page forward in the device list.

    Click to page forward to the end of the device list.

    Click to page backward in the device list.

    Click to page backward to the front of the device list.

    Click 8, 15, 50, 100, or 200 on the upper right side of the main pane to configure how many items per page you want to view.

Querying devices

To query devices:

1. Click the Service tab.

    2. Select TACACS+ AuthN Manager > Device List from the navigation tree.

    The Device List displays all devices.

3. Enter or select one or multiple of the following query criteria:

Device IP Range From/To: Enter an IP address range for a device. You must enter a complete IPv4 address in each field.

    If you only enter the start IP address, the range is from the start IP address to 255.255.255.255.

    If you only enter the end IP address, the range is from 0.0.0.0 to the end IP address.

    If you enter both the start IP address and end IP address, the range is from the start IP address to the end IP address. The end IP address must be no smaller than the start IP address.

Device Area: Click the icon. The Select Device Area window appears. Select an area and click OK. To delete a device area, click the delete icon next to it.

If a device area has sub-areas, the device area and all its sub-areas are queried.

Device area is an important part of an authorization scenario. For more information, see "Managing device areas."

Device Type: Click the icon. The Select Device Type window appears. Select a device type and click OK. To delete a device type, click the delete icon next to it. Device type is an important part of an authorization scenario. For more information, see "Managing device types."

    If a field is empty, this field does not serve as a query criterion.

    4. Click Query.

    The Device List displays all devices matching the query criteria.

    5. To clear the query criteria, click Reset.

    The Device List will display all devices.

Viewing device details

To view detailed information about a device:


    1. Click the Service tab.

    2. Select TACACS+ AuthN Manager > Device List from the navigation tree.

    The Device List displays all devices.

    3. Click the Details link of an access device to view its details.

Device Name: Device label. If the device is managed by the IMC Platform, this field is the same as the Device Label parameter on the IMC Platform. If the device is manually added to TAM without being managed by the IMC Platform, this field is empty.

Device IP: IP address. If the device is managed by the IMC Platform, this field displays the management IP address of the device. If the device is manually added to TAM without being managed by the IMC Platform, this field displays the IP address manually entered.

Device Model: Device vendor and model. If the device is managed by the IMC Platform, this field is the same as the Device Model parameter on the IMC Platform. If the device is manually added to TAM without being managed by the IMC Platform, this field is empty.

Shared Key: Used by the device and TAM to authenticate each other. The value must be the same as what is configured on the device at the command line interface (CLI).

Authentication Port: Port on which TAM listens for authentication, authorization, and accounting packets. The default value is 49. The value must be the same as what is configured on the device at the CLI.

Device Area: Area to which a device belongs. One device can belong to multiple areas, which are separated by semicolons (;). Device area is an important part of an authorization scenario. For more information, see "Managing device areas."

Device Type: Device type. One device can belong to only one type. Device type is an important part of an authorization scenario. For more information, see "Managing device types."

Single Connection: Supported or Not Supported. Supported means that TAM can carry multiple sessions in one TCP connection when communicating with the device. Not Supported means that TAM carries only one session per TCP connection. This setting must be the same as what is configured on the device at the CLI.

Watchdog: Supported or Not Supported. Supported means that TAM tracks the online status and online duration of a device user from the Watchdog packets the device sends. Not Supported means that TAM does not track the online status and duration of a device user because the device does not send Watchdog packets.

Description: Description of the device for easy maintenance.

4. To return to the device list, click Back.

Adding a device

To add a device:

1. Click the Service tab.

    2. Select TACACS+ AuthN Manager > Device List from the navigation tree.

    The Device List displays all devices.

    3. Click Add in the Device List area.

    The page for adding a device appears.


    4. Configure the following common parameters in the Device Configuration area:

Shared Key: Enter a shared key, which is used for the device and TAM to authenticate each other. The value must be the same as what is configured on the device at the CLI.

Authentication Port: Enter the port on which TAM listens for authentication, authorization, and accounting packets. The port must be the same as what is configured on the device at the CLI. The default is 49.

Device Area: Click the Device Area icon. The Select Device Area window appears. Select one or multiple areas and click OK. To delete a device area, click the delete icon next to it. Device area is an important part of an authorization scenario. For more information, see "Managing device areas."

Device Type: Click the Device Type icon. The Select Device Type window appears. Select a device type and click OK. To delete a device type, click the delete icon next to it. Device type is an important part of an authorization scenario. For more information, see "Managing device types."

Single Connection: Select Supported or Not Supported from the list. Supported means that TAM can carry multiple sessions in one TCP connection when communicating with the device. Not Supported means that TAM carries only one session per TCP connection. This setting must be the same as what is configured on the device at the CLI. If the device supports single connections, you can enable or disable the feature on the device: if it is enabled on the device, use Supported in TAM; if it is disabled on the device, use Not Supported in TAM. If the device does not support single connections, HP recommends that you use Supported.

Watchdog: Select Supported or Not Supported from the list. Supported means that TAM tracks the online status and online duration of a device user from the Watchdog packets the device sends. Not Supported means that TAM does not track the online status and duration of a device user because the device does not send Watchdog packets. If the device does not support sending Watchdog packets, or it supports Watchdog but sending Watchdog packets is disabled, use Not Supported. If the device supports sending Watchdog packets and the feature is enabled, use Supported.

Description: Description of the device for easy maintenance.

    5. Click Select in Device List to select devices from the IMC Platform.

    You can choose to select access devices from the IMC Platform as described in this step, manually add access devices as described in step 6, or perform both operations. You cannot add devices by selecting devices from the Device List in the following cases:

    The nas-ip command is configured at the CLI and the device IP in the IMC platform is not the IP address configured in the nas-ip command.

    The nas-ip command is not configured at the CLI and the device IP in the IMC platform is not the IP address of the interface that connects the device to TAM.

    You can select devices by view or by advanced query.

    Selecting devices by view

    a. Click the By View tab. The view options include IP View, Device View, and Custom View.

    b. Click of the target view to expand the view, and then click a sub-view. All devices in the sub-view appear in the Devices Found list on the right.

    To add one or more devices from the Devices Found list to the Selected Devices list, select the devices and click . To add all the found devices to the Selected Devices list, click .


    To remove one or more devices from the Selected Devices list, select the devices and click . To remove all the devices from the Selected Devices list, click .

    Selecting devices by advanced query

    c. Click the Advanced tab.

    d. Enter or select one or multiple of the following query criteria:

Device IP: Enter an IPv4 address. If you select Exact Query, enter a complete IPv4 address. If not, you can enter only a portion of an IP address. For example, if you enter 192, all the devices with IP addresses containing 192 are matched.

Device IP List: Click the link. The Device IP List Configuration window appears. Enter one or more IP addresses in the Input Device IP field and click Add. If you enter multiple IP addresses, press Enter after each IP address. To delete an IP address, select the IP address in the Device IP List and click Delete. To complete adding IP addresses, click OK. To delete all IP addresses, click the delete icon.

Device Label: Enter a partial or complete name. TAM supports fuzzy matching for this field. For example, if you enter s55, all devices with device labels containing s55 are matched.

Device Status: Select a device status from the list.

Device Category: Select a device category from the list.

Device Series: Select a device series from the list.

Contact: Enter the contact information. TAM supports fuzzy matching for this field. For example, if you enter bob, all devices with contact information containing bob are matched.

Location: Enter the location information. TAM supports fuzzy matching for this field. For example, if you enter lab, all devices with location information containing lab are matched.

Device Reachability: Select a device reachability status from the list.

    If a field is empty, this field does not serve as a query criterion.

    e. Click Query. All devices matching the query criteria appear in the Devices Found list on the right. To add one or more devices from the Devices Found list to the Selected Devices list, select the devices and click . To add all the found devices to the Selected Devices list, click .

    To remove one or more devices from the Selected Devices list, select the devices and click .

    To remove all the devices from the Selected Devices list, click .

    f. Click OK to return to the page for adding devices. The added devices appear in the Device List.

    g. Click Clear All in Device List to remove all the devices from the device list. You can click the icon of a device to delete the device.

    6. Manually add devices:

If the nas-ip command is configured on the device, the imported device IP must be the same as what is configured on the device. If the nas-ip command is not configured on the device at the CLI, the imported device IP must be the same as the IP address of the interface that connects the device to TAM.

a. Click Add Manually in the Device List area.

    b. Enter the start and end IP addresses.

    When you enter the two IP addresses, follow these guidelines:

    The IPv4 addresses must be complete.


    The start IP address cannot be higher than the end IP address.

    The two IP addresses must be on the same network with a 24-bit mask, which means the first three octets of the IP addresses must be the same.

    c. Click OK to return to the page for adding devices. The added devices appear in the Device List.

    d. Click Clear All in Device List to remove all the devices from the device list. You can click the icon of a device to delete the device.

    7. Click OK. The configuration result page appears.

    8. To return to the device list, click Back.

Importing devices

To import devices in batches:

1. Click the Service tab.

    2. Select TACACS+ AuthN Manager > Device List from the navigation tree. The Device List displays all devices.

    3. Click Batch Import in the Device List area.

    4. Click Browse next to the Import File field. The Choose File window appears. Browse to the target file that contains the device information. The file must be a text file with columns separated by delimiters. The system automatically populates the field with the file path and name.

5. Column Separator: Select the column separator used as the delimiter in the file. Available options include Space, Tab, comma (,), colon (:), pound (#), and dollar sign ($).

    6. Click Next. The Basic Information page appears.

Device IP: IP address of the device. If the nas-ip command is configured on the device at the CLI, the imported device IP must be the same as what is configured on the device. If the nas-ip command is not configured on the device at the CLI, the imported device IP must be the same as the IP address of the interface that connects the device to TAM. This field must be imported from the file: you must select column n as the device IP.

Shared Key: Shared key, which is used for the device and TAM to authenticate each other. The value must be the same as what is configured on the device at the CLI. Select the column in the file that contains the shared key, or select Not Import from File to manually set the same shared key for all imported devices.

Authentication Port: Port on which TAM listens for authentication, authorization, and accounting packets. The port must be the same as what is configured on the device at the CLI. Select the column in the file that contains the authentication port, or select Not Import from File to manually set the same authentication port for all imported devices. You can also use the default value 49.

Device Area: Area to which a device belongs. Select the column in the file that contains the device area. To import multiple device areas, separate the device areas with semicolons (;). If the value of a line of column n contains a device area that does not exist in TAM, the device on this line fails to be imported. Select Not Import from File to manually select the same device area for all imported devices. To select a device area, click the Device Area icon. The Select Device Area window appears. Select one or multiple device areas and click OK. To delete a device area, click the delete icon next to it. Device area is an important part of an authorization scenario. For more information, see "Managing device areas."

Device Type: Model and type of the device. Select the column in the file that contains the device type. If the value of a line of column n contains a device type that does not exist in TAM, the device on this line fails to be imported. Select Not Import from File to manually select the same device type for all imported devices. To select a device type, click the Device Type icon. The Select Device Type window appears. Select a device type and click OK. To delete a device type, click the delete icon next to it. Device type is an important part of an authorization scenario. For more information, see "Managing device types."

Single Connection: Identifies whether the device supports single connections. Supported means that TAM can carry multiple sessions in one TCP connection when communicating with the device. Not Supported means that TAM carries only one session per TCP connection. This setting must be the same as what is configured on the device at the CLI. If the device supports single connections, you can enable or disable the feature on the device: if it is enabled on the device, use Supported in TAM; if it is disabled on the device, use Not Supported in TAM. If the device does not support single connections, HP recommends that you use Supported. Select the column in the file that contains the single connection option. The value of the column can only be Supported or Not Supported. Alternatively, select Not Import from File and then select Supported or Not Supported from the list for all imported devices.

Watchdog: Identifies whether the device supports sending Watchdog packets. Supported means that TAM tracks the online status and online duration of a device user from the Watchdog packets the device sends. Not Supported means that TAM does not track the online status and duration of a device user because the device does not send Watchdog packets. If the device does not support sending Watchdog packets, or it supports Watchdog but sending Watchdog packets is disabled, use Not Supported. If the device supports sending Watchdog packets and the feature is enabled, use Supported. Select the column in the file that contains the Watchdog option. The value of the column can only be Supported or Not Supported. Alternatively, select Not Import from File and then select Supported or Not Supported from the list for all imported devices.

Description: Description of the device. Select the column in the file that contains the description, or select Not Import from File and manually enter the same description for all imported devices.

    7. To view the first 10 devices imported according to your settings, click Preview. To close the Preview window, click Close.

    8. Click OK to import devices. Importing many devices takes time. After importing devices is complete, the system displays the number of devices that have been successfully imported and failed to be imported. If any device failed to be imported, the Download link appears. You can click the link to save or open an error log, which records the reasons for importing failures.

    9. To return to the device list, click Back.
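Both intake paths described above, the manual-add IP range and the delimited batch-import file, can be validated before anything is submitted to TAM with the following Python script. It is an added example, not code from the HP guide or from IMC. It applies the rules the page states: complete IPv4 addresses, a start address not higher than the end address and both in the same /24 for a manual range; and, for an import file, a per-line failure (collected into an error log, as TAM's Download link provides) for an incomplete IP, an empty shared key, an out-of-range port, an area or type that does not exist in TAM, or a Single Connection or Watchdog value other than Supported or Not Supported. The column mapping, the area and type names, the keys and the addresses in SAMPLE_IMPORT are constructed for the example; TAM's real column numbering and error text are not reproduced here.

```python
"""Added example (not from the HP guide): offline validation of a manual-add IP range
and of a delimited batch-import file, following the rules stated on this page."""
import ipaddress

DEFAULT_AUTH_PORT = 49
ON_OFF = {"Supported", "Not Supported"}   # the only values TAM accepts for these two fields


def parse_ipv4(text):
    """Accept only a complete dotted-quad IPv4 address, as the page requires."""
    try:
        return ipaddress.IPv4Address(text.strip())
    except ipaddress.AddressValueError:
        raise ValueError(f"incomplete or invalid IPv4 address: {text!r}") from None


def check_device_range(start, end):
    """None if the manual-add range is acceptable, otherwise the reason it is rejected."""
    try:
        s, e = parse_ipv4(start), parse_ipv4(end)
    except ValueError as exc:
        return str(exc)
    if s > e:
        return "start IP address cannot be higher than end IP address"
    if s.packed[:3] != e.packed[:3]:
        return "start and end IP addresses must share the first three octets (same /24)"
    return None


def expand_device_range(start, end):
    """The device IPs TAM would add for a valid range, both ends included."""
    reason = check_device_range(start, end)
    if reason:
        raise ValueError(reason)
    first, last = int(parse_ipv4(start)), int(parse_ipv4(end))
    return [str(ipaddress.IPv4Address(i)) for i in range(first, last + 1)]


def _field(cols, columns, defaults, name):
    """Value of `name` from its mapped column, or the manual default if the field is
    'Not Import from File' (absent from `columns`)."""
    idx = columns.get(name)
    if idx is None:
        return defaults.get(name)
    if idx >= len(cols):
        raise ValueError(f"column {idx + 1} ({name}) is missing")
    return cols[idx].strip()


def import_devices(text, separator, columns, known_areas, known_types, defaults=None):
    """Parse a batch-import file. `columns` maps field name -> 0-based column index.
    Returns (devices, error_log); a failing line is logged and skipped, not fatal."""
    defaults = defaults or {}
    devices, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue
        cols = raw.split(separator)
        try:
            ip = str(parse_ipv4(_field(cols, columns, defaults, "device_ip")))
            key = _field(cols, columns, defaults, "shared_key")
            if not key:
                raise ValueError("shared key is empty")
            port = int(_field(cols, columns, defaults, "auth_port") or DEFAULT_AUTH_PORT)
            if not 1 <= port <= 65535:
                raise ValueError(f"authentication port out of range: {port}")
            raw_areas = _field(cols, columns, defaults, "device_area") or ""
            areas = [a.strip() for a in raw_areas.split(";") if a.strip()]   # multiple areas use ';'
            unknown = [a for a in areas if a not in known_areas]
            if unknown:
                raise ValueError(f"device area does not exist in TAM: {unknown}")
            dtype = _field(cols, columns, defaults, "device_type")
            if dtype not in known_types:
                raise ValueError(f"device type does not exist in TAM: {dtype!r}")
            single = _field(cols, columns, defaults, "single_connection") or "Supported"
            watchdog = _field(cols, columns, defaults, "watchdog") or "Not Supported"
            for label, value in (("Single Connection", single), ("Watchdog", watchdog)):
                if value not in ON_OFF:
                    raise ValueError(f"{label} must be Supported or Not Supported, got {value!r}")
            devices.append({"device_ip": ip, "shared_key": key, "auth_port": port, "areas": areas,
                            "device_type": dtype, "single_connection": single, "watchdog": watchdog,
                            "description": _field(cols, columns, defaults, "description") or ""})
        except ValueError as exc:
            errors.append(f"line {lineno}: {exc}")
    return devices, errors


# Constructed sample file: comma-separated, one device per line. Lines 3 to 5 are
# deliberately bad (incomplete IP, unknown area, invalid Single Connection value).
SAMPLE_IMPORT = """192.168.0.10,K3y-for-sw10,49,Beijing,Switch,Supported,Not Supported,core switch
192.168.0.11,K3y-for-rt11,49,Beijing;Shanghai,Router,Supported,Supported,edge router
192.168.0,K3y-for-bad,49,Beijing,Switch,Supported,Not Supported,incomplete IP
192.168.0.13,K3y-for-sw13,49,Mars,Switch,Supported,Not Supported,unknown area
192.168.0.14,K3y-for-sw14,49,Beijing,Switch,Yes,Not Supported,bad single-connection value
"""
IMPORT_COLUMNS = {"device_ip": 0, "shared_key": 1, "auth_port": 2, "device_area": 3,
                  "device_type": 4, "single_connection": 5, "watchdog": 6, "description": 7}
KNOWN_AREAS = {"Beijing", "Shanghai"}   # constructed; in practice, the areas defined in TAM
KNOWN_TYPES = {"Switch", "Router"}      # constructed; in practice, the types defined in TAM
```

Running `import_devices(SAMPLE_IMPORT, ",", IMPORT_COLUMNS, KNOWN_AREAS, KNOWN_TYPES)` accepts the first two lines and logs the other three, which mirrors the success/failure count and the downloadable error log that TAM shows after an import.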

Modifying a device

Operators can modify a device at any time. However, if a device user is online, modifying the device might affect user management of the device. HP recommends that operators modify a device after all users go offline.

To modify a device:

1. Click the Service tab.

    2. Select TACACS+ AuthN Manager > Device List from the navigation tree.

    The Device List displays all devices.

    3. Click the Modify icon for the device you want to modify.


    The page for modifying devices appears.

    4. Configure the following common parameters in the Device Configuration area:

Device IP: IP address of the device, which cannot be modified.

Shared Key: Enter a shared key, which is used for the device and TAM to authenticate each other. The value must be the same as what is configured on the device at the CLI.

Authentication Port: Enter the port on which TAM listens for authentication, authorization, and accounting packets. The port must be the same as what is configured on the device at the CLI.

Device Area: Click the Device Area icon. The Select Device Area window appears. Select one or multiple areas and click OK. To delete a device area, click the delete icon next to it. Device area is an important part of an authorization scenario. For more information, see "Managing device areas."

Device Type: Click the Device Type icon. The Select Device Type window appears. Select a device type and click OK. To delete a device type, click the delete icon next to it. Device type is an important part of an authorization scenario. For more information, see "Managing device types."

Single Connection: Select Supported or Not Supported from the list. Supported means that TAM can carry multiple sessions in one TCP connection when communicating with the device. Not Supported means that TAM carries only one session per TCP connection. This setting must be the same as what is configured on the device at the CLI. If you do not know whether the device supports single connections, HP recommends that you use Supported.

Watchdog: Select Supported or Not Supported from the list. Supported means that TAM tracks the online status and online duration of a device user from the Watchdog packets the device sends. Not Supported means that TAM does not track the online status and duration of a device user because the device does not send Watchdog packets. If the device does not support sending Watchdog packets, or it supports Watchdog but sending Watchdog packets is disabled, use Not Supported. If the device supports sending Watchdog packets and the feature is enabled, use Supported.

Description: Enter a description of the device for easy maintenance.

    5. Click OK.

Batch modifying devices

Operators can modify devices at any time. However, if a device user is online, modifying the device might affect user management of the device. HP recommends that operators modify devices in batches after all users go offline.

To modify devices in batches:

1. Click the Service tab.

    2. Select TACACS+ AuthN Manager > Device List from the navigation tree.

    The Device List displays all devices.

    3. Select one or more boxes before the device names. Click Batch Modify in the Device List area.

The page for modifying devices appears.

Shared Key: Enter a shared key, which is used for the device and TAM to authenticate each other. The value must be the same as what is configured on the device at the CLI.

Authentication Port: Enter the port on which TAM listens for authentication, authorization, and accounting packets. The port must be the same as what is configured on the device at the CLI. The default is 49.

Single Connection: Select Supported or Not Supported from the list. Supported means that TAM can carry multiple sessions in one TCP connection when communicating with the device. Not Supported means that TAM carries only one session per TCP connection. This setting must be the same as what is configured on the device at the CLI. If you do not know whether the device supports single connections, HP recommends that you use Supported.

Watchdog: Select Supported or Not Supported from the list. Supported means that TAM tracks the online status and online duration of a device user from the Watchdog packets the device sends. Not Supported means that TAM does not track the online status and duration of a device user because the device does not send Watchdog packets. If the device does not support sending Watchdog packets, or it supports Watchdog but sending Watchdog packets is disabled, use Not Supported. If the device supports sending Watchdog packets and the feature is enabled, use Supported.

Description: Enter a description for the device to aid maintenance.

    4. Click OK.

    The configuration result page appears, which displays the number of devices that have been successfully modified and failed to be modified.

    5. To return to the device list, click Back.

Batch deleting devices

You cannot delete devices that have online users.

To delete devices in batches:

1. Click the Service tab.

    2. Select TACACS+ AuthN Manager > Device List from the navigation tree.

    The Device List displays all devices.

    3. Select one or more boxes before the device names. Click Batch Delete in the Device List area. A confirmation dialog box appears.

    4. Click OK.

    The configuration result page appears, which displays the number of devices that have been successfully deleted and failed to be deleted.

    5. To return to the device list, click Back.

Modifying the device area and type

Modifying the device area and type does not affect the shell profile of online users (users that have logged in to the device). If the modification changes the authorization scenario that an online user matches, the user is from then on controlled by the command set of the new scenario.

Assume authorization scenarios A and B are configured in an authorization policy. Scenario A contains device area S, which contains device D. Scenario B contains device area T. After logging in to device D, a user is controlled by the command set of scenario A.

While the user is online, move device D from area S to area T. After the modification, the user matches scenario B rather than scenario A, and is controlled by the command set of scenario B. For more information about authorization scenarios, see "Authorization scenarios." For more information about authorization commands, see "Authorization command." For more information about authorization policies, see "Authorization policy."
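The device-move case above can be replayed with the following Python model. It is an added example, not code from the HP guide or from IMC: it resolves a device user to a scenario by device area, device type and authorized time range, as chapter 4 describes, and shows the matched scenario (and with it the command set) changing when device D is moved from area S to area T while the user is online. Evaluating scenarios in policy order and taking the first match, the time-of-day windows, and all scenario, area, type and profile names are assumptions of the example, not TAM's documented behaviour.

```python
"""Added example (not from the HP guide): scenario resolution for a device user and
the effect of moving a device between areas while the user is online."""
from dataclasses import dataclass
from datetime import time


@dataclass(frozen=True)
class Scenario:
    name: str
    areas: frozenset          # device areas the scenario covers
    device_types: frozenset   # device types the scenario covers
    time_ranges: tuple        # ((start, end), ...) inclusive time-of-day windows (assumption)
    shell_profile: str
    command_set: str


@dataclass
class Device:
    ip: str
    areas: set                # a device can belong to several areas
    device_type: str          # but to only one type


def in_time_range(t, ranges):
    return any(start <= t <= end for start, end in ranges)


def match_scenario(policy, device, login_time):
    """First scenario (policy order is an assumption) whose area, type and time window
    all match; None means the user matches no scenario in the policy."""
    for scenario in policy:
        if (device.areas & scenario.areas
                and device.device_type in scenario.device_types
                and in_time_range(login_time, scenario.time_ranges)):
            return scenario
    return None


def move_device(device, new_areas):
    """'Move Device' in TAM: the device's areas are replaced, its type is unchanged."""
    return Device(device.ip, set(new_areas), device.device_type)


def command_set_for(policy, device, login_time):
    """The command set an online user on this device is controlled by right now."""
    scenario = match_scenario(policy, device, login_time)
    return scenario.command_set if scenario else None


# Constructed policy replaying the page's example: scenario A covers area S,
# scenario B covers area T, both for switches during working hours.
WORK_HOURS = ((time(8, 0), time(18, 0)),)
POLICY = (
    Scenario("A", frozenset({"S"}), frozenset({"Switch"}), WORK_HOURS, "shell-ops", "cmdset-A"),
    Scenario("B", frozenset({"T"}), frozenset({"Switch"}), WORK_HOURS, "shell-ops", "cmdset-B"),
)
DEVICE_D = Device("192.168.0.96", {"S"}, "Switch")   # the device from the CLI example
LOGIN_AT = time(10, 0)
AFTER_HOURS = time(23, 0)
```

Before the move, `command_set_for(POLICY, DEVICE_D, LOGIN_AT)` is cmdset-A; after `move_device(DEVICE_D, {"T"})` the same login resolves to cmdset-B, which is the behaviour the paragraph above describes. A login outside every time window, or from a device whose area or type no scenario covers, resolves to no scenario at all, which is the case an operator should check for before moving devices in production.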

To modify the area and type to which a device belongs:

1. Click the Service tab.

    2. Select TACACS+ AuthN Manager > Device List from the navigation tree.

    The Device List displays all devices.

    3. Select one or more boxes before the device names. Click Move Device in the Device List area.

    The page for modifying device areas and types appears.

4. Device Area: Click the Device Area icon. The Select Device Area window appears. Select one or multiple areas and click OK. To delete a device area, click the delete icon next to it. Device area is an important part of an authorization scenario. For more information, see "Managing device areas."

5. Device Type: Click the Device Type icon. The Select Device Type window appears. Select a device type and click OK. To delete a device type, click the delete icon next to it. Device type is an important part of an authorization scenario. For more information, see "Managing device types."

    6. Click OK. The configuration result page appears, which displays the number of devices that have been successfully moved and failed to be moved.

    7. To return to the device list, click Back.


    4 Authorization scenarios

    An authorization policy defines one or multiple authorization scenarios, and assigns each scenario one shell profile and one command set. Administrators can assign authorization policies to individual device users or device user groups. When a device user logs in to manage a device, TAM matches the user with a scenario and applies the shell profile and command set of the scenario to the user for device management.

An authorization scenario is identified by the combination of the following three elements:

Device area: Area to which the device belongs. Operators can divide device areas by location or network layer of the device.

Device type: Type of the device. Command lines provided by devices of different types may be different.

Authorized time range: Time range during which a user logs in to manage the device.

    TAM can authorize device users with different device login and management privileges according to the device area, device type, and authorized time range.

Managing device areas

Operators can classify device areas by various criteria, for example, location or network layer. TAM supports hierarchical management of device areas. You can divide a level-1 (top level) device area into one or multiple level-2 device areas.

TAM supports a device area hierarchy of at most 5 levels. Two device areas in adjacent levels are referred to as parent area and child area, respectively. For example, a level-1 device area is the parent area of all its level-2 areas, and the level-2 device areas are the child areas of the level-1 device area.

A device area can contain either devices or sub-areas, but not both. If a device area already contains a device, you cannot add sub-areas to it. If a device area has a sub-area, you cannot add devices to it.

    TAM can authorize device users with different device login and management privileges according to the device area.
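The area rules above (unique names, at most 5 levels, an area holding either devices or sub-areas but not both, the 256-area limit stated later in this chapter, deletion only of areas without sub-areas, and the device query that includes sub-areas) are captured in the following Python model. It is an added example, not code from the HP guide or from IMC, and the area names and device IP it uses are constructed.

```python
"""Added example (not from the HP guide): a device-area tree enforcing the structural
rules TAM states for device areas and sub-areas."""


class DeviceAreaTree:
    MAX_LEVELS = 5     # hierarchy depth limit
    MAX_AREAS = 256    # total areas, sub-areas included

    def __init__(self):
        self._parent = {}    # area name -> parent name (None for a level-1 area)
        self._devices = {}   # area name -> set of device IPs directly in that area

    def level(self, name):
        """1 for a top-level area, 2 for its child areas, and so on."""
        depth, cur = 0, name
        while cur is not None:
            depth += 1
            cur = self._parent[cur]
        return depth

    def children(self, name):
        return [a for a, p in self._parent.items() if p == name]

    def add_area(self, name, parent=None):
        if name in self._parent:
            raise ValueError(f"area name must be unique in TAM: {name!r}")
        if len(self._parent) >= self.MAX_AREAS:
            raise ValueError("TAM allows at most 256 device areas including sub-areas")
        if parent is not None:
            if parent not in self._parent:
                raise ValueError(f"parent area does not exist: {parent!r}")
            if self._devices[parent]:
                raise ValueError(f"cannot add sub-area: {parent!r} already contains devices")
            if self.level(parent) >= self.MAX_LEVELS:
                raise ValueError("device area hierarchy is limited to 5 levels")
        self._parent[name] = parent
        self._devices[name] = set()

    def add_device(self, area, ip):
        if area not in self._parent:
            raise ValueError(f"area does not exist: {area!r}")
        if self.children(area):
            raise ValueError(f"cannot add device: {area!r} has sub-areas")
        self._devices[area].add(ip)

    def delete_area(self, name):
        """TAM shows the Delete icon only for areas without sub-areas."""
        if name not in self._parent:
            raise ValueError(f"area does not exist: {name!r}")
        if self.children(name):
            raise ValueError(f"cannot delete {name!r}: it has sub-areas")
        del self._parent[name]
        del self._devices[name]

    def devices_in(self, name, include_subareas=True):
        """Device query by area: the area itself and, by default, all its sub-areas."""
        found = set(self._devices[name])
        if include_subareas:
            for child in self.children(name):
                found |= self.devices_in(child, True)
        return found


def rejects(action, *args):
    """The error message if `action(*args)` is refused by the rules, else None."""
    try:
        action(*args)
    except ValueError as exc:
        return str(exc)
    return None
```

`rejects` is there to show each rule firing: adding a device to an area that has sub-areas, adding a sub-area under an area that already holds devices, reusing a name, deleting an area with sub-areas, and nesting a sixth level all return a reason instead of silently succeeding.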

Viewing the device area list

To view the device area list:

1. Click the Service tab.

    2. Select TACACS+ AuthN Manager > Authorization Scenarios > Device Areas from the navigation tree.

    The Device Area List displays all device areas.

    Device area list contents

    Area Name: Device area name, which must be unique in TAM. Click the name link of a device area to view its details.

    Description: Description of the device area.

    Device List: Click the Device List icon for a device area to view its device list.


    Add Sub-Area: Click the Add Sub-Area icon for a device area to enter the page for adding a sub-area.

    Modify: Click the Modify icon to enter the page for modifying a device area.

    Delete: Click the Delete icon to delete a device area. The Delete icon is available only for device areas that have no sub-areas.

    Expanding and collapsing the device area list

    Click the Expand All icon in the device area list area to expand the Device Area List in a tree structure. Click the Collapse All icon to collapse the Device Area List.

    Click the Expand icon next to the Area Name field to expand the associated device area. Click the Collapse icon next to the Area Name field to collapse the associated device area.

    If a device area carries an icon next to the Area Name field, it contains sub-areas. If a device area carries an icon next to the Area Name field, it contains no sub-areas.

    3. Click Refresh in the Device Area List area to update the device area list.

    Viewing device area details

    To view device area details:

    1. Click the Service tab.

    2. Select TACACS+ AuthN Manager > Authorization Scenarios > Device Areas from the navigation tree.

    The Device Area List displays all device areas.

    3. Click the name link of a device area to enter the device area details page.

    Area Name: Device area name.

    Parent Area Name: Parent area name of the device area. For a level-1 device area that has no parent area, this field is displayed as two hyphens (--).

    Description: Description of the device area.

    4. Click Back to return to the Device Area List.

    Adding a device area

    You can add up to 256 device areas (including sub-areas) in TAM.

    To add a device area:

    1. Click the Service tab.

    2. Select TACACS+ AuthN Manager > Authorization Scenarios > Device Areas from the navigation tree.

    The Device Area List displays all device areas.

    3. Click Add in the Device Area List area.

    The Add Device Area page appears.

    4. Configure device area information:

    Area Name: Enter a device area name, which must be unique in TAM.

    Parent Area Name: Leave this field unset. For a level-1 device area that has no parent area, this field is displayed as two hyphens (--).


    Description: Enter a brief description of the device area for easy maintenance.

    5. Click OK.

    Adding a sub-area

    You can add up to 256 device areas (including sub-areas) in TAM.

    You cannot add a sub-area for a device area that contains devices. To do so, move the devices to another device area first.

    To add a sub-area for a device area:

    1. Click the Service tab.

    2. Select TACACS+ AuthN Manager > Authorization Scenarios > Device Areas from the navigation tree. The Device Area List displays all device areas.

    3. Click the Add Sub-Area icon for the device area to which you want to add a sub-area.

    4. Configure sub-area information:

    Area Name: Enter a device area name, which must be unique in TAM.

    Parent Area Name: The system automatically populates this field with the parent area name of the sub-area.

    Description: Enter a brief description of the sub-area for easy maintenance.

    5. Click OK.

    Modifying a device area or a sub-area

    To modify a device area or a sub-area:

    1. Click the Service tab.

    2. Select TACACS+ AuthN Manager > Authorization Scenarios > Device Areas from the navigation tree. The Device Area List displays all device areas.

    3. Click the Modify icon for the target device area or sub-area to enter the Modify Device Area page.

    4. Modify the device area information:

    Area Name: Enter a device area name, which must be unique in TAM.

    Parent Area Name: Cannot be modified.

    Description: Enter a brief description of the device area for easy maintenance.

    5. Click OK.

    Deleting a device area or a sub-area

    You cannot delete the following device areas:

    A device area used by an authorization policy. To delete such a device area, modify the authorization policy to cancel the association first. For more information about modifying an authorization policy, see "Modifying an authorization policy."


    A device area that contains a device or a sub-area. To delete such a device area, move the device to another area, or delete the sub-area first. For more information about moving a device between device areas, see "Modifying the device area and type."

    To delete a device area or a sub-area:

    1. Click the Service tab.

    2. Select TACACS+ AuthN Manager > Authorization Scenarios > Device Areas from the navigation tree.

    The Device Area List displays all device areas.

    3. Click the Delete icon for the device area or sub-area you want to delete.

    4. Click OK.

    Viewing devices in a device area or sub-areas

    If you view devices of a device area that contains sub-areas, TAM displays all devices contained in the sub-areas of the device area.

    To view the devices in a device area (or those in its sub-areas):

    1. Click the Service tab.

    2. Select TACACS+ AuthN Manager > Authorization Scenarios > Device Areas from the navigation tree.

    The Device Area List displays all device areas.

    3. Click the Device List icon of a device area.

    The Device List page appears. In the Query Devices area, TAM automatically sets the selected device area as the query criteria and displays in the Device List the query result, which includes all devices contained in the device area or those in its sub-areas. For more information about the device list, see "Viewing the device list."

    Managing device types

    Device type refers to the vendor and type of a device.

    A network may comprise devices from different vendors or of different types, and these devices support different command lines. Operators need to assign different command sets to device users for them to manage devices of different types. A usual practice is as follows:

    1. Categorize the devices in TAM by device type.

    2. Configure the authorization policy to authorize different command sets to device users based on device type. For information about configuring an authorization policy, see "Authorization policy."

    With the previous configuration, after a user logs in to a device, TAM can perform command line authorization for the user based on the device type.

    TAM supports hierarchical management of devices by device type. A level-1 (top level) device type can be further divided into multiple level-2 device types, and a maximum of 5 device type levels can be created. Two device types in adjacent levels are referred to as parent type and child type, respectively. For example, a level-1 device type is the parent type of all its level-2 types, and the level-2 device types are the child types of the level-1 device type.
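    The hierarchy rules stated above for device types are the same as those given for device areas in "Managing device areas": at most 5 levels and 256 entries, an entry holds either devices or sub-entries but never both, and an entry cannot be deleted while it holds devices or sub-entries or is used by an authorization policy. The following added Python model, which is not TAM code and is not from this guide, enforces those rules for either tree; the Entry and Hierarchy names, move_device and the policy_refs bookkeeping are assumptions, while the limits and restrictions come from the guide text.

```python
"""Model of the TAM device area / device type hierarchy rules given in the guide.
Added illustration, not TAM code; class and method names are assumptions."""

MAX_LEVELS = 5        # guide: a hierarchy of at most 5 levels
MAX_ENTRIES = 256     # guide: up to 256 areas/types including sub-areas/sub-types


class Entry:
    """One device area or one device type."""

    def __init__(self, name, parent=None, description=""):
        self.name, self.parent, self.description = name, parent, description
        self.children, self.devices = [], set()

    @property
    def level(self):
        return 1 if self.parent is None else self.parent.level + 1

    def all_devices(self):
        """What the Device List icon shows: own devices plus those of all sub-entries."""
        found = set(self.devices)
        for child in self.children:
            found |= child.all_devices()
        return found


class Hierarchy:
    """Serves both the device area tree and the device type tree."""

    def __init__(self):
        self.entries = {}
        self.policy_refs = set()   # names currently used by an authorization policy

    def add(self, name, parent_name=None, description=""):
        if name in self.entries:
            raise ValueError(f"name must be unique in TAM: {name}")
        if len(self.entries) >= MAX_ENTRIES:
            raise ValueError(f"at most {MAX_ENTRIES} entries including sub-entries")
        parent = self.entries[parent_name] if parent_name else None
        if parent is not None and parent.devices:
            raise ValueError("move the devices out first: a parent cannot hold devices")
        if parent is not None and parent.level >= MAX_LEVELS:
            raise ValueError(f"hierarchy is limited to {MAX_LEVELS} levels")
        entry = Entry(name, parent, description)
        if parent is not None:
            parent.children.append(entry)
        self.entries[name] = entry
        return entry

    def add_device(self, name, device):
        entry = self.entries[name]
        if entry.children:
            raise ValueError("an entry with sub-entries cannot hold devices")
        entry.devices.add(device)

    def move_device(self, device, old_name, new_name):
        """'Modifying the device area and type': the way to empty an entry before deleting it."""
        self.entries[old_name].devices.discard(device)
        self.add_device(new_name, device)

    def delete(self, name):
        entry = self.entries[name]
        if name in self.policy_refs:
            raise ValueError("cancel the authorization policy association first")
        if entry.children or entry.devices:
            raise ValueError("delete the sub-entries or move the devices out first")
        if entry.parent is not None:
            entry.parent.children.remove(entry)
        del self.entries[name]


def rejected(action, *args):
    """True if the modelled TAM rules refuse the action."""
    try:
        action(*args)
        return False
    except ValueError:
        return True
```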


    Viewing the device type list

    To view the device type list:

    1. Click the Service tab.

    2. Select TACACS+ AuthN Manager > Authorization Scenarios > Device Types from the navigation tree.

    The Device Type List displays all device types.

    Device type list contents

    Type Name: Device type name, which must be unique in TAM. Click the name link of a device type to view its details.

    Description: Description of the device type. Assign descriptive information for easy maintenance.

    Device List: Click the Device List icon for a device type to view its device list.

    Add Device Sub-Type: Click the Add Device Sub-Type icon for a device type to enter the page for adding a sub-type for the device type.

    Modify: Click the Modify icon for a device type to enter the page for modifying the device type.

    Delete: Click the Delete icon for a device type to delete the device type. The Delete icon is available only for device types that have no sub-types.

    Expanding and collapsing the device type list

    Click the Expand All icon in the device type list area to expand the Device Type List in a tree structure. Click the Collapse All icon to collapse the device type list.

    To expand a specific device type, click the Expand icon next to the Type Name field. Click the Collapse icon to collapse the device type.

    If a device type carries an icon next to the Type Name field, it contains sub-types. If a device type carries an icon next to the Type Name field, it does not contain any sub-type.

    3. Click Refresh in the Device Type List area to update the device type list.

    Viewing device type details

    To view detailed information about a device type:

    1. Click the Service tab.

    2. Select TACACS+ AuthN Manager > Authorization Scenarios > Device Types from the navigation tree. The Device Type List displays all device types.

    3. Click the name link of a device type to enter the Device Type Information page.

    Device type details contents

    Type Name: Name of the device type.

    Parent Type Name: Name of the parent device type. For a level-1 device type that has no parent type, this field is displayed as two hyphens (--).

    Description: Description of the device type.

    4. Click Back to return to the Device Type List.


    Adding a device type

    You can add up to 256 device types (including sub-types) in TAM.

    To add a device type:

    1. Click the Service tab.

    2. Select TACACS+ AuthN Manager > Authorization Scenarios > Device Types from the navigation tree. The Device Type List displays all device types.

    3. Click Add in the Device Type List area.

    The Add Device Type page appears.

    4. Configure basic information about the device type:

    Type Name: Enter a device type name, which must be unique in TAM.

    Parent Type Name: Leave this field unset. A level-1 device type has no parent type, and this field is displayed as two hyphens (--).

    Description: Enter a brief description of the device type for easy maintenance.

    5. Click OK.

    Adding a sub-type

    You can add up to 256 device types (including sub-types) in TAM.

    To add a sub-type for a device type that contains a device, change the type of the device first.

    To add a sub-type for a device type:

    1. Click the Service tab.

    2. Select TACACS+ AuthN Manager > Authorization Scenarios > Device Types from the navigation tree.

    The Device Type List displays all device types.

    3. Click the Add Device Sub-Type icon of the device type to which you want to add a sub-type.

    4. Configure the sub-type information:

    Type Name: Enter a device type name, which must be unique in TAM.

    Parent Type Name: The system automatically populates this field with the parent type name of the sub-type.

    Description: Enter a brief description of the sub-type for easy maintenance.

    5. Click OK.

    Modifying a device type or a sub-type

    You cannot modify a device type that contains a device.

    To modify a device type or a sub-type:

    1. Click the Service tab.

    2. Select TACACS+ AuthN Manager > Authorization Scenarios > Device Types from the navigation tree. The Device Type List displays all device types.


    3. Click the Modify icon of the device type or sub-type you want to modify.

    The Modify Device Type page appears.

    4. Modify the device type information:

    Type Name: Enter a device type name, which must be unique in TAM.

    Parent Type Name: Cannot be modified.

    Description: Enter a brief description of the device type for easy maintenance.

    5. Click OK.

    Deleting a device type or a sub-type

    You cannot delete the following device types:

    A device type or sub-type used by an authorization policy. To delete such a device type, modify the authorization policy to cancel the association first. For information about modifying an authorization policy, see "Modifying an authorization policy."

    A device type that contains a device or sub-type. To delete such a device type, first change the type of the device or delete the sub-type. For more information about changing the device type of a device, see "Modifying the device area and type."

    To delete a device type or a sub-type:

    1. Click the Service tab.

    2. Select TACACS+ AuthN Manager > Authorization Scenarios > Device Types from the navigation tree.

    The Device Type List displays all device types.

    3. Click the Delete icon for the device type or sub-type you want to delete.

    4. Click OK.

    Viewing devices of a device type or sub-types

    If you view devices of a device type that contains sub-types, TAM displays all devices contained in the sub-types of the device type.

    To view the devices of a device type (or those in its sub-types):

    1. Click the Service tab.

    2. Select TACACS+ AuthN Manager > Authorization Scenarios > Device Types from the navigation tree. The Device Type List displays all device types.

    3. Click the Device List icon of a device type.

    The Device List page appears. In the Query Devices area, TAM automatically sets the selected device type as the query criteria and displays in the Device List the query result, which includes all devices contained in the device type or those in its sub-types. For more information about the device list, see "Viewing the device list."

    Configuring authorized time range policies

    TAM allows you to configure authorized time range policies. A device user is controlled by different authorized time range policies when accessing and managing the devices at different times.


    TAM applies an authorized time range policy to a device user if the device user accesses and manages the device at a time after the policy takes effect, before the policy expires, and within a time range defined in the policy.

    For example, if an authorized time range policy takes effect on 2012-1-1 and expires on 2013-12-31, and the time range is 10:00 to 12:00 every morning, a device user who accesses the network from 10:00 to 12:00 every morning in 2012 will be controlled by the policy.

    The following describes how the authorized time range works with the shell profile and the command set to control device user behaviors:

    A device user's login time determines the shell profile to be applied to the device user. Each time a device user logs in to the device, TAM determines the authorized time range of the user according to the login time, and applies to the user the shell profile corresponding to the authorized time range until the user logs off.

    For example, if you configure two authorized time ranges, A (8:00 to 10:00 every morning) and B (10:30 to 11:00 every morning), when a device user logs in to the device at 9:00 a.m., TAM applies the shell profile configured for authorized time range A to the user.

    TAM continues to use authorized time range A as long as the user stays online, even after authorized time range A expires (10:40, for example). However, if the user logs off and then logs in again at 10:45, the shell profile configured for authorized time range B applies. For information about shell profiles, see "Shell profile."

    A command's execution time determines the command set to be applied. Each time a device user issues a command, TAM determines the authorized time range of the operation according to the command execution time, and allows or denies the user according to the command set configured for the authorized time range.

    For example, if you configure two authorized time ranges, A (8:00 to 10:00 every morning) and B (10:30 to 11:00 every morning), when a device user issues a command at 9:00, TAM determines whether to carry out this command according to the command set configured in authorized time range A.

    If a user issues a command at 10:40, TAM determines whether to carry out this command according to the command set configured in authorized time range B. For more information about command sets, see "Command set."

    Viewing the authorized time range policy list

    To view the authorized time range policy list:

    1. Click the Service tab.

    2. Select TACACS+ AuthN Manager > Authorization Scenarios > Authorized Time Range Policies from the navigation tree.

    The Authorized Time Range Policy List displays all authorized time range policies.

    Authorized time range policy list contents

    Policy Name: Authorized time range policy name, which must be unique in TAM. Click the name link of an authorized time range policy to enter the authorized time range policy details page.

    Effective Time/Expiration Time: Effective time range of the authorized time range policy.

    Modify: Click the Modify icon for an authorized time range policy to modify the policy.

    Delete: Click the Delete icon for an authorized time range policy to delete the policy.


    3. Click Refresh in the Authorized Time Range Policy List area to update the authorized time range policy list.

    Viewing authorized time range policy details

    To view authorized time range policy details:

    1. Click the Service tab.

    2. Select TACACS+ AuthN Manager > Authorization Scenarios > Authorized Time Range Policies from the navigation tree.

    The Authorized Time Range Policy List displays all authorized time range policies.

    3. Click the name link of an authorized time range policy to enter the authorized time range policy details page.

    Basic Information

    Policy Name: Authorized time range policy name.

    Effective Time/Expiration Time: Effective time range of the authorized time range policy.

    Description: Description of the authorized time range policy.

    Authorized time range information

    Type: The authorized time range type, one of Once, By Year, By Month, By Week, and By Day. The start time and end time are displayed in a format that depends on the type:

    Once: YYYY-MM-DD hh:mm:ss; takes effect only once.

    By Year: MM-DD hh:mm:ss; takes effect within this time range every year.

    By Month: DD hh:mm:ss; takes effect within this time range every month.

    By Week: Day hh:mm:ss; takes effect within this time range every week.

    By Day: hh:mm:ss; takes effect within this time range every day.

    Start Time/End Time: The authorized time range.

    If you configure multiple time ranges, the authorized time range policy takes the union of all time ranges. For example, if you configure two time ranges, A (10:00 to 11:00 every morning) and B (10:30 to 12:00 every morning), the final effective authorized time range is 10:00 to 12:00 every morning.

    4. Click Back to return to Authorized Time Range Policy List.

    Adding an authorized time range policy

    To add an authorized time range policy:

    1. Click the Service tab.

    2. Select TACACS+ AuthN Manager > Authorization Scenarios > Authorized Time Range Policies from the navigation tree.

    The Authorized Time Range Policy List displays all authorized time range policies.

    3. Click Add in the Authorized Time Range Policy List area.

    The page for adding an authorized time range policy appears.

    4. Configure basic information:

    Policy Name: Enter the authorized time range policy name, which must be unique in TAM.


    Effective Time/Expiration Time: Click the Calendar icon to specify the effective time range for the policy. Or, enter the effective time range in the format of YYYY-MM-DD hh:mm.

    Description: Enter a brief description of the authorized time range policy for easy maintenance.

    5. Configure authorized time range information:

    a. Click Add in the Authorized Time Range Information area.

    The Authorized Time Range Policy Information window appears.

    b. Select an authorized time range type.

    The authorized time range types include Once, By Year, By Month, By Week, and By Day.

    c. Specify the start time and end time.

    The required format depends on the selected type: Once, YYYY-MM-DD hh:mm:ss; By Year, MM-DD hh:mm:ss; By Month, DD hh:mm:ss; By Week, Day hh:mm:ss; By Day, hh:mm:ss.

    d. Click OK.

    e. To delete a time range, click the Delete icon for the time range.

    If you configure multiple time ranges, the authorized time range policy takes the union of all time ranges. For example, if you configure two time ranges, A (10:00 to 11:00 every morning) and B (10:30 to 12:00 every morning), the final effective authorized time range is 10:00 to 12:00 every morning.

    6. Click OK.

    Modifying an authorized time range policy

    The following describes how modifications to an authorized time range policy affect online users (device users who have logged in to the devices):

    A modification does not affect the shell profiles that have already been authorized to the online users.

    If a modification to the authorized time range policy results in an authorization scenario change for an online user, the command set configured for the new scenario applies to the user.

    For example, suppose an authorization policy contains scenarios A and B. Scenario A includes authorized time range T (8:00 to 10:00 in the morning) and command set X. Scenario B includes authorized time range M (6:00 to 12:00 in the morning) and command set Y.

    Scenario A has a higher priority than Scenario B. If a user logs in to the device at 8:30 a.m., authorization scenario A applies and the user is controlled by command set X.

    If you change the authorized time range T to "8:00 to 9:00" at 9:30, then authorization scenario B instead of A applies to the user, and the user is controlled by command set Y. For more information about authorization policies, see "Authorization policy."
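    The mechanism described in "Configuring authorized time range policies" (the login time fixes the shell profile until logoff, each command is judged by the scenario matching its execution time, and a policy applies only inside its effective window and within the union of its configured ranges) together with the scenario A/B modification example above, as an added Python model that is not TAM code and not from this guide. The names, treating list order as scenario priority, and representing a command set as the set of permitted commands are assumptions; the start and end strings use the per-type formats the guide lists, with the day abbreviation for By Week assumed.

```python
"""Model of how a TAM authorized time range policy picks the shell profile and the
command set, following this guide. Added illustration, not TAM code: the names,
'list order = scenario priority' and the set-of-commands command set are assumptions."""
from collections import namedtuple
from datetime import datetime

WEEKDAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]
TimeRange = namedtuple("TimeRange", "rtype start end")        # e.g. ("By Day", "08:00:00", "10:00:00")
TimeRangePolicy = namedtuple("TimeRangePolicy", "effective expiration ranges")
Scenario = namedtuple("Scenario", "area dtype time_policy shell_profile command_set")


def ts(text):
    """YYYY-MM-DD hh:mm:ss, the format of Once ranges and effective/expiration times."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def parse_point(rtype, text):
    """Parse a start or end in the guide's format for the range type into a
    comparable key; time_key() derives a key of the same shape from a datetime."""
    hms = lambda s: datetime.strptime(s, "%H:%M:%S").time()
    if rtype == "Once":                                   # YYYY-MM-DD hh:mm:ss
        return ts(text)
    if rtype == "By Day":                                 # hh:mm:ss
        return hms(text)
    head, clock = text.split()
    if rtype == "By Year":                                # MM-DD hh:mm:ss
        month, day = head.split("-")
        return (int(month), int(day), hms(clock))
    if rtype == "By Month":                               # DD hh:mm:ss
        return (int(head), hms(clock))
    if rtype == "By Week":                                # Day hh:mm:ss, "Mon 08:00:00" (abbreviation assumed)
        return (WEEKDAYS.index(head), hms(clock))
    raise ValueError(f"unknown range type {rtype}")


def time_key(rtype, t):
    return {"Once": t, "By Year": (t.month, t.day, t.time()), "By Month": (t.day, t.time()),
            "By Week": (t.weekday(), t.time()), "By Day": t.time()}[rtype]


def range_contains(r, t):
    return parse_point(r.rtype, r.start) <= time_key(r.rtype, t) <= parse_point(r.rtype, r.end)


def policy_matches(p, t):
    # Guide: inside the effective window AND inside the union of all configured ranges.
    return p.effective <= t <= p.expiration and any(range_contains(r, t) for r in p.ranges)


def select_scenario(scenarios, area, dtype, t):
    """First matching scenario wins; list order stands in for scenario priority."""
    return next((s for s in scenarios if (s.area, s.dtype) == (area, dtype)
                 and policy_matches(s.time_policy, t)), None)


class Session:
    """The login time fixes the shell profile until logoff; every command is judged
    by the scenario that matches its execution time."""
    def __init__(self, scenarios, area, dtype, login_time):
        self.scenarios, self.area, self.dtype = scenarios, area, dtype
        sc = select_scenario(scenarios, area, dtype, login_time)
        if sc is None:
            raise PermissionError("no authorization scenario matches the login time")
        self.shell_profile = sc.shell_profile

    def command_allowed(self, command, now):
        sc = select_scenario(self.scenarios, self.area, self.dtype, now)
        return sc is not None and command in sc.command_set


def build_example():
    """Guide's example: scenario A (range T 8:00-10:00, set X) ranked above B (M 6:00-12:00, set Y)."""
    eff, exp = ts("2012-01-01 00:00:00"), ts("2013-12-31 23:59:59")
    T = TimeRangePolicy(eff, exp, [TimeRange("By Day", "08:00:00", "10:00:00")])
    M = TimeRangePolicy(eff, exp, [TimeRange("By Day", "06:00:00", "12:00:00")])
    A = Scenario("core", "router", T, "shell-A", {"display", "reboot"})  # set X (constructed)
    B = Scenario("core", "router", M, "shell-B", {"display"})            # set Y (constructed)
    return [A, B], T
```

Replacing T's range with 8:00 to 9:00 while a user who logged in at 8:30 is still online makes scenario B govern that user's later commands while the shell profile from A stays in place, which is the effect the text describes.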

    To modify an authorized time range policy:

    1. Click the Service tab.

    2. Select TACACS+ AuthN Manager > Authorization Scenarios > Authorized Time Range Policies from the navigation tree. The Authorized Time Range Policy List displays all authorized time range policies.


    3. On the authorized time range policy list, click the Modify icon of an authorized time range policy to enter the page for modifying the authorized time range policy.

    4. Modify basic information:

    Policy Name: Enter the authorized time range policy name, which must be unique in TAM.

    Effective Time/Expiration Time: Click the Calendar icon to specify the effective time range for the policy. Or, enter the effective time range in the format of YYYY-MM-DD hh:mm.

    Description: Enter a brief description of the authorized time range policy for easy maintenance.

    5. Modify authorized time range information:

    a. Click Add in the Authorized Time Range Information area.

    The Authorized Time Range Policy Information dialog box appears.

    b. Select an authorized time range type.

    The authorized time range types include Once, By Year, By Month, By Week, and By Day.

    c. Specify the start time and end time.

    If you select the Once type, you must specify the start time and end time in the format of YYYY-MM-DD hh:mm:ss; if you select the By Year type, you must specify the start time and end time in the format of MM-DD hh:mm:ss; if you select the By Month type, you must specify the start time and end time in the format of DD hh:mm:ss; if you select the By Week type, you must specify the start time and end time in the format of Day hh:mm:ss; if you select the By Day type, you must specify