Determining which Account Type to Set Up
| Version | Authentication | Authorization | Required User Type |
|---|---|---|---|
| Alteon - OS 29.0 and later | Remote or Local | Remote or Local | Administrator role |
Setting up the LiveAssurance User Account:
Creating a Local Account via CLI:
- To enter into user configuration, type the following: /cfg/sys/access/user/uid <#>
- Create the user name: "name"
- Change the password: "pswd"
- Establish the privilege level: "cos admin"
- Type "enable"
- Type "apply"
Creating a New Local Administrator Account in Alteon:
- In the directory on the left, select . Select the + symbol
- To create the correct user for LiveAssurance, you need to:
  - Enable the User.
  - Define the User ID, User Name, User Roles (administrator only) and define the new password. Note: Up to 11 credentials can be defined at a time
  - Optional Configuration: You can enable fallback to RADIUS/TACACS should the local database fail at any point. This allows Radware to communicate with the RADIUS/TACACS server configured for authentication/authorization. Please read the Alteon application user guide to properly configure this.
- After configuring the user, click on Submit
- Click on Apply and Save to save your configurations. Make sure you are not accidentally making any additional changes to the devices. You can identify this by clicking on the Diff button on the top right.
Configuring the administrator account for remote authentication (RADIUS/TACACS)
For both RADIUS and TACACS:
- To configure the Alteon to communicate with a RADIUS and TACACS server over the web GUI, select Remote Authentication, which is just below Local Users.
- Make sure to configure the fields required for your RADIUS/TACACS server, because the only way to test whether the server is connected is to SSH in using the new configuration.
RADIUS Authentication Only:
Ensure that the credentials used have the correct RADIUS attribute. For administrator privileges, the default attribute “6” works just fine.
TACACS Authentication Only:
TACACS+ uses the AAA architecture, which separates Authentication, Authorization, and Accounting. This allows separate authentication solutions that can still use TACACS+ for authorization and accounting.
For example, with TACACS+, it is possible to use Kerberos authentication and TACACS+ authorization and accounting. After Alteon authenticates a user on a Kerberos server, it requests authorization information from a TACACS+ server without requiring re-authentication. Alteon informs the TACACS+ server that it has successfully authenticated the user on a Kerberos server and the server then provides authorization information.
TACACS Disclaimer
Alteon supports ASCII inbound logins; however, the following are not supported:
- PAP, CHAP, and ARAP login methods.
- TACACS+ change password requests.
- One-time password authentication.
For TACACS authorization, the privilege level differs in the following scenarios:
- Disabled Privilege Level Mapping: TACACS+ level should be set to 6.
- Enabled Privilege Level Mapping: TACACS+ level should be set to 14 or 15.
Frequently Asked Questions
Why does LiveAssurance need administrator access?
Alteon devices heavily restrict each privilege level from viewing data outside its own scope. Privileges are designed around what may be configured on the load balancers.
For example, the networking privilege has access only to the L2-L3 configurations of the Alteon, while the “server operator” privilege can only view configurations involving the application servers that LiveAssurance is connected to. This separation makes it difficult to use one account to view all levels of data without administrator privileges.
LiveAssurance is strictly read-only. We do not execute any changes against the device.