User Permissions and Device Access

User Interfaces, User Types, and How To Transition Between Them

These topics describe the GUI and CLI interfaces used by Cisco EPN Manager, and how to transition between the Cisco EPN Manager and Linux CLI interfaces.

User Interfaces and User Types

The following table describes the user interfaces employed by Cisco EPN Manager (CEPNM), and the types of users that can access each interface.

CEPNM User Interface

Interface Description

CEPNM User Types

CEPNM web GUI

Web interface that facilitates day-to-day and administration operations using the web GUI. These users can have varying degrees of privileges and are classified into role-based access control (RBAC) classes and subclasses.

This interface provides a subset of operations that are provided by the Cisco EPN Manager CLI admin and CLI config users.

Cisco EPN Manager web GUI everyday users—Created by web GUI root user. These users have varying degrees of privileges and are classified into role-based access control (RBAC) classes and subclasses called user groups (Admin, Super Users, Config Managers, and so forth). For information on the user groups, see Types of User Groups.

Cisco EPN Manager web GUI root user—Created at installation and intended for first-time login to the web GUI, and for creating other user accounts. This account should be disabled after creating at least one web GUI user that has Admin privileges, that is, a web GUI user that belongs to the Admin or Super Users user group. See Disable and Enable the Web GUI root User.

Note 
The Cisco EPN Manager web GUI root user is not the same as the Linux CLI root user, nor is it the same as the Cisco EPN Manager CLI admin user.

North Bound Interface (NBI) REST API

NBI is a REST Application Programming Interface (API) that allows a client system to communicate with CEPNM to carry out day-to-day and administration operations. Specially privileged service account users are assigned to a client system so that it can communicate with CEPNM through this interface.

These NBI users can also have varying degrees of privileges and are also classified into role-based access control (RBAC) classes and subclasses.

Cisco EPN Manager NBI users—Created by web GUI root user. These users have three different types of privileges and are classified into role-based access control (RBAC) classes and subclasses called NBI user groups (NBI Read and NBI Write). For information on the user groups, see section User Groups—NBI.

CEPNM Admin CLI

Cisco proprietary shell which provides secure and restricted access to the system (as compared with the Linux shell). This Admin shell and CLI provide commands for advanced Cisco EPN Manager administration tasks. These commands are explained throughout this guide. To use this CLI, you must have Cisco EPN Manager CLI admin user access. You can access this shell from a remote computer using SSH.

Cisco EPN Manager CLI Admin user—Created at installation time and used for administration operations such as stopping and restarting the application and creating remote backup repositories. (A subset of these administration operations is available in the web GUI.)

To display a list of operations this user can perform, enter ? at the prompt.

Some tasks must be performed in config mode. To transition to config mode, use the procedure in Transition Between the Cisco EPN Manager admin CLI and Cisco EPN Manager config CLI.

The admin CLI user can create other CLI users for various reasons, using the following command:
(config) username username password role {admin|user} password

These users may have admin-like privilege/roles or lower-level privileges as defined during creation time. To create a Cisco EPN Manager CLI user with admin privileges, run the username command with the admin keyword; otherwise, use the user keyword. For password limitations, see Create Admin User.

CEPNM Config CLI

Cisco proprietary shell which is restricted and more secure than the Linux shell. This Config shell and CLI provide commands for Cisco EPN Manager system configuration tasks. These commands are explained throughout this guide. To use this CLI, you must have admin-level user access (see the information in the User Types column of this table). You can access this shell from the Admin CLI shell.

Linux CLI

Linux shell which provides all Linux commands. The Linux shell should only be used by Cisco technical support representatives. Regular system administrators should not use the Linux shell. You cannot reach this shell from a remote computer using SSH; you can only reach it through the Cisco EPN Manager admin shell and CLI.

Linux CLI admin user—Created at installation time and used for Linux-level administration purposes.

How to Transition Between the CLI User Interfaces in Cisco EPN Manager

Refer to the following section to understand how to transition between the Cisco EPN Manager admin CLI and the Cisco EPN Manager config CLI.

Transition Between the Cisco EPN Manager admin CLI and Cisco EPN Manager config CLI

To move from the Cisco EPN Manager admin CLI to the Cisco EPN Manager config CLI, enter config at the admin prompt.

(admin)# config
(config)#

To move from the config CLI back to the admin CLI, enter exit or end at the config prompt:

(config)# exit
(admin)#

Enable and Disable root Access for the Cisco EPN Manager Web GUI

After installation, you should disable the Cisco EPN Manager web GUI root user after creating at least one other web GUI user that has Admin or Super Users privileges. See Disable and Enable the Web GUI root User.

Disable and Enable the Web GUI root User

Procedure


Step 1

Log into the Cisco EPN Manager web GUI as root, and create another web GUI user that has root privileges—that is, a web GUI user that belongs to the Admin or Super Users user group. Once this is done, you can disable the web GUI root account.

Step 2

Disable the Cisco EPN Manager web GUI root user account. (The web GUI admin account, which remains active, can perform all required CLI functions.)

ncs webroot disable

Step 3

To re-enable the account:

ncs webroot enable


Control the Tasks Web Interface Users Can Perform

For web interface users, Cisco EPN Manager implements user authorization through user groups. A user group contains a list of tasks that control which parts of Cisco EPN Manager a user can access and the tasks the user can perform in those parts.

While user groups control what the user can do, virtual domains control the devices on which a user can perform those tasks. Virtual domains are described in Create Virtual Domains to Control User Access to Devices.

Cisco EPN Manager provides several predefined user groups. If a user belongs to a user group, the user inherits all of the authorization settings for that group. A user is normally added to user groups when their account is created.

These topics explain how to manage user authorization:

Types of User Groups

Cisco EPN Manager provides the following predefined user groups:

For information about CLI users, see User Interfaces and User Types.

User Groups—Web UI

Cisco EPN Manager provides the default web GUI user groups that are listed in the following table. You can assign users to multiple groups, except for the users that belong to the Monitor Lite user group (because Monitor Lite is for users with limited permissions).

See View and Change the Tasks a Group Can Perform for information on the tasks that pertain to each user group and the default settings.

User Group

Group Task Focus

Root

All operations. The group permissions are not editable. The root web UI user is available after installation and is described in User Interfaces and User Types. The best practice is to create other users with Admin or Super Users privileges, and disable the root web UI user as described in Disable and Enable the Web GUI root User.

Super Users

All operations (not by default). The group permissions are editable. Can enable permissions similar to those of a root user.

Admin

Administer the system and server. Can also perform monitoring and configuration operations. The group permissions are editable.

Config Managers

Configure and monitor the network (no administration tasks). The permissions assigned to this group are editable.

System Monitoring

Monitor the network (no configuration tasks). The group permissions are editable.

Help Desk Admin

Only has access to the help desk and user preferences-related pages. This is a special group which lacks access to the user interface.

Lobby Ambassador

User administration for Guest users only. Members of this user group cannot be members of any other user group.

User–Defined 1–50

N/A; these are blank groups and can be edited and customized as required.

Monitor Lite

View network topology and use tags. The group permissions are not editable. Members of this user group cannot be members of any other user group.

North Bound API

Access to the SOAP APIs.

User Assistant

Local Net user administration only. Members of this user group cannot be members of any other user group.

mDNS Policy Admin

mDNS policy administration functions.

User Groups—NBI

Cisco EPN Manager provides the default NBI user groups that are listed in the following table. The permissions in these groups are not editable.

See View and Change the Tasks a Group Can Perform for information on the tasks that pertain to each user group and the default settings.

User Group

Provides access to:

NBI Read

RESTCONF NBI read operations (HTTP GET). Can also belong to other NBI and web UI user groups.

NBI Write

RESTCONF NBI write operations (HTTP PUT, POST, DELETE). Can also belong to other NBI and web UI user groups.
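The two tables above describe a membership model with three rules worth checking mechanically: members of Monitor Lite, Lobby Ambassador and User Assistant cannot belong to any other group; the Root, Monitor Lite and NBI group permissions are not editable; and NBI Read maps to HTTP GET while NBI Write maps to PUT, POST and DELETE. The following toy model is an added example and is not Cisco code. The group names and the rules come from the tables; the task names under each group are constructed samples and not the product's real default task lists.

```python
"""Toy model of the web GUI and NBI user-group scheme described in the tables
above.  Added example, not Cisco code: the group names, which groups are
exclusive and which are not editable come from the page; the tasks listed
under each group are constructed samples, not the product's real defaults."""
from dataclasses import dataclass, field

# Members of these groups cannot belong to any other group (per the table above).
EXCLUSIVE_GROUPS = {"Monitor Lite", "Lobby Ambassador", "User Assistant"}
# Groups whose permissions cannot be edited in the Group Detail window.
LOCKED_GROUPS = {"Root", "Monitor Lite", "NBI Read", "NBI Write"}

# Constructed sample task sets; "*" stands for "all operations".
GROUP_TASKS = {
    "Root": {"*"},
    "Admin": {"Home Menu Access", "System Settings", "Users and Groups", "Add Device Access"},
    "Config Managers": {"Home Menu Access", "Configure Menu Access", "Add Device Access"},
    "System Monitoring": {"Home Menu Access", "Monitor Menu Access", "View Alerts and Events"},
    "Monitor Lite": {"Home Menu Access", "Network Topology", "View tags"},
    "Lobby Ambassador": {"Home Menu Access"},
    "User Assistant": {"Home Menu Access"},
    "NBI Read": {"NBI:GET"},                              # RESTCONF read operations
    "NBI Write": {"NBI:PUT", "NBI:POST", "NBI:DELETE"},   # RESTCONF write operations
}


class MembershipError(ValueError):
    """Raised when a change would violate one of the rules in the tables."""


@dataclass
class User:
    name: str
    groups: set = field(default_factory=set)


def assign_group(user, group):
    """Add the user to a group, refusing combinations with an exclusive group."""
    if group not in GROUP_TASKS:
        raise MembershipError(f"unknown group {group!r}")
    if user.groups and (group in EXCLUSIVE_GROUPS or user.groups & EXCLUSIVE_GROUPS):
        raise MembershipError(f"{group!r} cannot be combined with {sorted(user.groups)}")
    user.groups.add(group)
    return user


def remove_group(user, group):
    """Remove a membership; the user named root can never leave the Root group."""
    if user.name == "root" and group == "Root":
        raise MembershipError("root cannot be removed from the Root group")
    user.groups.discard(group)
    return user


def set_group_task(group, task, enabled):
    """Edit a group's task list (this affects every member); locked groups reject edits."""
    if group in LOCKED_GROUPS:
        raise MembershipError(f"permissions of {group!r} are not editable")
    if enabled:
        GROUP_TASKS[group].add(task)
    else:
        GROUP_TASKS[group].discard(task)


def effective_tasks(user):
    """A user inherits the union of the task lists of all groups they belong to."""
    tasks = set()
    for group in user.groups:
        tasks |= GROUP_TASKS[group]
    return tasks


def can_perform(user, task):
    tasks = effective_tasks(user)
    return "*" in tasks or task in tasks


def nbi_allowed(user, http_method):
    """Decide whether an HTTP method on the RESTCONF NBI is permitted for the user."""
    return can_perform(user, f"NBI:{http_method.upper()}")
```

Because a user's effective permissions are the union across groups, a second group membership can only widen access; the review in View and Change the Groups a User Belongs To is therefore where an unintended escalation would show up.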

View and Change the Tasks a User Can Perform

The tasks a user can perform are controlled by the user groups the user belongs to. Follow these steps to find out which groups a user belongs to and which tasks a user is authorized to perform.


Note

If you want to check the devices a user can access, see Assign Virtual Domains to Users.


Procedure


Step 1

Choose Administration > Users > Users, Roles & AAA.

Step 2

Locate the user name and check the Member of column to find out which user groups the user belongs to.

Step 3

Click a user group hyperlink. The Group Detail window lists the tasks that group members can and cannot perform.

  • A checked check box means group members have permission to perform that task. If a checked box is greyed-out, it means you cannot disable the task. For example, Cisco EPN Manager does not allow you to remove the "View tags" task for the Monitor Lite user group because it is an integral task for that user group.
  • A blank check box means group members cannot perform that task. If a blank check box is greyed out, it means you cannot enable the task for the user group.

The web GUI root and Monitor Lite groups, and the NBI groups, are not editable.

Step 4

If you want to change permissions, you have these choices:

Note 

Be careful. Selecting and deselecting tasks in the Group Detail window will apply your changes to all group members.


View and Change the Groups a User Belongs To

The tasks users can perform are determined by the user groups they belong to. This is normally configured when a user account is created (see Add and Delete Users). User groups are described in Types of User Groups.

This procedure explains how to view the groups a user belongs to and, if necessary, change the user's group membership.

Procedure


Step 1

Choose Administration > Users > Users, Roles & AAA, then choose Users.

Step 2

In the User Name column, locate and click the user name hyperlink to open the User Details window. All user groups are listed under the General tab.

  • A checked check box means the user belongs to that group. If a checked box is greyed-out, it means you cannot remove the user from that group. For example, Cisco EPN Manager will not allow you to remove the user named root from the root user group.
  • A blank check box means the user does not belong to that group. If a blank check box is greyed-out, it means you cannot add the user to that group.

(To check the tasks that a group can perform, choose User Groups from the left sidebar menu and click a group name.)

Step 3

To change the groups the user belongs to, select and unselect the appropriate groups in the User Details window, then click Save.


View User Groups and Their Members

Users can belong to multiple groups, unless they belong to a very restricted group such as Monitor Lite. This procedure explains how to view existing user groups and their members.

Procedure


Step 1

Choose Administration > Users > Users, Roles & AAA, then choose User Groups.

The User Groups page lists all existing user groups and a short list of their members. For a description of these groups, see Types of User Groups.

Step 2

To view all members of a group, click a group hyperlink to open the Group Details window, then click the Members tab.

Step 3

If you want to make changes to these groups, see:


User Group Permissions and Task Description

The following table describes user group permissions and task descriptions.

Table 1. User Group Permissions and Task Description

Task Group Name

Task Name

Description

Administrative Operations

Device Console Config

Allows user to run configuration commands on Device Console

Device Console Show

Allows user to run show commands on Device Console

Export Audit Logs Access

Allows user to access Import Policy Update through Admin Mega menu

Health Monitor Details

Allows user to modify Site Health Score definitions

High Availability Configuration

Allows user to configure High Availability for pairing primary and secondary servers

Import Policy Update

Allow user to manually download and import the policy updates into the compliance and Audit manager engine

License Center/Smart License

Allows user to access license center/smart license

Logging

Gives access to the menu item which allows user to configure the logging levels

Scheduled Tasks and Data Collection

Controls access to the screen to view the background tasks

System Settings

Controls access to the Administration > System Settings menu

User Defined Fields

Allows user to create user defined fields

User Preferences

Controls access to the Administration > User Preference menu.

View Audit Logs Access

Allows user to view Network and System audits

Alerts and Events

Ack and Unack Alerts

Allows user to acknowledge or unacknowledge existing alarms

Alarm Policies

Allows user to access alarm policies.

Alarm Policies Edit Access

Allows user to edit alarm policies

Delete and Clear Alerts

Allows user to clear and delete active alarms

Email Notification

Allows user to configure email notification forwarding

Notification Policies Read Access

Allows user to view alarm notification policy

Notification Policies Read-Write Access

Allows user to configure alarm notification policy

Pick and Unpick Alerts

Allows user to pick and unpick alerts

Troubleshoot

Allows user to do basic troubleshooting, such as traceroute and ping, on alarms

View Alert Condition

Allows user to view alert condition.

View Alerts and Events

Allows user to view a list of events and alarms

License Check

License Check

Allows user to check validity of license, Controller license and MSE license

Configure Menu Task

Configure Menu Access

Allows user to access all features under Configuration Menu

Unsanitized Device Config Export

Allows user to expose unsanitized Configuration Archive

Diagnostic Tasks

Diagnostic Information

Controls access to diagnostic page.

Unsanitized Device Config Export

Allows user to expose unsanitized Configuration Archive

Feedback and Support Tasks

Automated Feedback

Allows access to automatic feedback

TAC Case Management Tool

Allows user to open a TAC case

Global Variable Configuration

Global Variable Access

Allows user to access global variables.

Groups Management

Add Group Members

Allows user to add an entity, such as a device or port, to groups

Add Groups

Allows user to create groups

Delete Group Members

Allows user to remove members from groups

Delete Groups

Allows user to delete groups

Export Groups

Allows user to export groups

Import Groups

Allows user to import groups

Modify Groups

Allows user to edit group attributes such as name, parent, and rules

Help Menu Task

Help Menu Access

Allows user to access Help Menu

Home Menu Task

Home Menu Access

Allows user to access Homepage

Job Management

Approve Job

Allows user to submit a job for approval by another user

Cancel Job

Allows user to cancel the running jobs

Delete Job

Allows user to delete jobs from job dashboard

Edit Job

Allows user to edit jobs from job dashboard

Pause Job

Allows user to pause running and system jobs

Schedule Job

Allows user to schedule jobs

View Job

Allows user to view scheduled jobs.

Config Deploy Edit Job

Allows user to edit config deployed jobs

Device Config Backup Job Edit Access

Allows user to change the external backup settings such as repository and file encryption password

Job Notification Mail

Allows user to configure notification mails for various job types

Run Job

Allows user to run paused and scheduled jobs

System Jobs Tab Access

Allows user to view the system jobs

Monitor Menu Task

Monitor Menu Access

Allows user to access all features under Monitor Menu

Network Configuration

Add Device Access

Allows user to add devices to Cisco EPN Manager

Admin Templates Write Access

Check this check box to enable admin templates write access for a user-defined role

Auto Provisioning

Allows access to auto provisioning

Alarm Monitor Policies

Allows access to Alarm monitor policies

Compliance Audit Fix Access

Allows user to view, schedule and export compliance fix job/ report

Compliance Audit PAS Access

Allows user to view, schedule and export "PSIRT" and "EOX" job/ report

Compliance Audit Policy Access

Allows user to create, modify, delete, import and export compliance policy

Compliance Audit Profile Access

Allows user to view, schedule and export a compliance audit job or report, and to view and download the violations summary

Compliance Audit Profile Edit Access

Allows user to create, modify and delete compliance profiles; view, schedule and export a compliance audit job or report; and view and download the violations summary

Config Archive Read Task

Allows config archive read access

Config Archive Read-Write Task

Allows config archive read-write access

Configuration Templates Read Access

Allows user to access configuration templates in read-only mode

Configure ACS View Servers

Allows access to manage ACS View Servers

Configure Config Groups

Allows access to Config Group

Configure ISE Servers

Allows users to manage ISE servers on Cisco EPN Manager

Configure Templates

Allows user to perform CRUD operations on Feature Templates and Configuration Templates

Credential Profile Add_Edit Access

Allows user to Add and edit credential profile

Credential Profile Delete Access

Allows user to delete credential profile

Credential Profile View Access

Allows user to view credential profile

Delete Device Access

Allows user to delete devices from Cisco EPN Manager

Deploy Configuring Access

Allows user to deploy Configuration and IWAN templates

Design Configuration Template Access

Allows user to create Configuration > Shared Policy Object templates and Configuration Group templates

Device Bulk Import Access

Allows user to perform bulk import of devices from CSV files

Device View configuration Access

Allows user to configure devices in the Device Work Center

Edit Device Access

Allows user to edit device credentials and other device details

Export Device Access

Allows user to export the list of devices, including credentials, as a CSV file.

Network Devices

Allows user to access the Network Devices page

Network Topology Edit

Allows user to create devices, links and network in the topology map, edit the manually created link to assign the interface

Provisioning Access

Allows access to Provisioning

QoS Profile Configuration Access

Allows user to create, modify and delete QoS profiles; schedule a QoS profile deployment job; associate or disassociate interfaces; and import or export discovered QoS profiles

Network Monitoring

Admin Dashboard Access

Allows user to access the Admin Dashboard

Chassis View Read

Allows chassis view read access

Chassis View Read-Write

Allows chassis view read-write access

Config Audit Dashboard

Allows users to access Config Audit Dashboard

Data Collection Management Access

Allow user to access the Assurance Data Sources page

Details Dashboard Access

Allow user to access the Detail dashboards

Incidents Alarms Events Access

Allows user to access incidents alarms events.

Latest Config Audit Report

Allows user to view the latest config audit reports

Network Topology

Allows users to launch the Network Topology map and view the devices and links in the map

Performance Dashboard Access

Allow user to access the Performance dashboard

OTDR

OTDR Configure Profiles

Allows access to OTDR configure profiles

OTDR run scans

Allows user access to OTDR scans

OTDR Set Baselines

Allows access to OTDR baselines.

OTDR View Scan results

Allows user to view OTDR scan results

Product Usage

Product Feedback

Allows user to access Help Us Improve page

Reports

Device Reports

Allows user to run device-specific monitoring reports

Device Reports Read Only

Allows user to read generated device reports

Network Summary Reports

Allows user to create and run network summary reports

Network Summary Reports Read Only

Allows user to view all Summary reports

Optical Performance Reports

Allows user to create Optical performance reports

Optical Performance Reports Read Only

Allows user to view Optical performance reports

Performance Reports

Allows user to create performance reports

Performance Reports Read Only

Allows user to view performance reports

Report Launch Pad

Allows user to access the Report page

Report Run History

Allows user to view report history

Run Reports List

Allows user to run reports

Saved Reports List

Allows user to save reports

System Monitoring Reports

Allows user to view System Monitoring Reports

Virtual Domains List

Allows user to create the Virtual Domain related report

Software Image Management

Add Software Image Management Servers

Allows user to add software image management servers

Image Details View

Allows user to view the image details

Manage Protocol

Allows user to manage the Protocols

Swim Access Privilege

Swim Access Privilege

Swim Activation

Swim Activation

Swim Collection

Swim Collection

Swim Delete

Swim Delete

Swim Distribution

Swim Distribution

Swim Preference Save

Allows user to save preference options on the System Settings > Image Management page

Software Info Update

Allows the user to edit and save image properties such as minimum RAM, minimum FLASH and minimum boot ROM version

Swim Recommendation

Allows user to recommend images from Cisco.com and from the local repository

Swim Upgrade Analysis

Allows user to analyze software images to determine if the hardware upgrades (boot ROM, flash memory, RAM, and boot flash, if applicable) are required before performing a software upgrade

User Administration

Audit Trails

Allows user to access the Audit trails on user login and logout

LDAP Server

Allows user to access the LDAP Server menu

RADIUS Servers

Allows user to access the RADIUS Servers menu

SSO Server AAA Mode

Allows user to access the AAA menu

SSO Servers

Allows user to access the SSO menu

TACACS+ Servers

Allows user to access the TACACS+ Servers menu

Users and Groups

Allows user to access the Users and Groups menu

Virtual Domain Management

Allows user to access the Virtual Domain Management menu

Virtual Elements Tab Access

When creating a virtual domain or adding members to a virtual domain, allows users to access the Virtual Elements tab so that they can add virtual elements (Datacenters, Clusters and Hosts) to the virtual domain

View Online Help

OnlineHelp

Allows user to access the online help

Create a Customized User Group

Cisco EPN Manager provides a set of predefined user groups that help you control user authorization. These groups are described in Types of User Groups and include four User Defined groups which you can customize to create a user group that is specific to your deployment. The following procedure explains how to create a customized group using one of the four predefined User Defined group templates.

Procedure


Step 1

Choose Administration > Users > Users, Roles & AAA, then choose User Groups.

Step 2

Locate a User Defined group that has no members, then click its group name hyperlink.

Step 3

Customize the group permissions by checking and unchecking tasks in the Group Detail window. If a task is greyed-out, it means you cannot adjust its setting. You can rename any of the user groups.

Step 4

Click Save to save your group settings.

Step 5

Add members to your group by editing the relevant user accounts and adding the user to your new group. See Add and Delete Users for information on adjusting user accounts.


View and Change the Tasks a Group Can Perform

Follow these steps to get information about existing user groups and the tasks group members can perform. The predefined user groups are described in View User Groups and Their Members.


Note

If you want to change device access, see Assign Virtual Domains to Users.


Procedure


Step 1

Choose Administration > Users > Users, Roles & AAA, then choose User Groups.

The User Groups page lists all existing user groups.

Step 2

Click a user group hyperlink. The Group Detail window lists the group permissions.

  • A checked task means group members have permission to perform that task. If a checked box is greyed-out, it means you cannot disable the task.
  • A blank check box means group members cannot perform that task. If a blank check box is greyed out, it means you cannot enable the task for the user group.

The web GUI root and Monitor Lite groups, and the NBI groups, are not editable.

Step 3

If you want to change the group permissions—which will affect all group members—check and uncheck tasks, then click Save.

Note 

Be careful. Selecting and deselecting tasks in the Group Detail window will apply your changes to all group members. An alternative is to create a new group using one of the User Defined group templates; see Create a Customized User Group.


Use Cisco EPN Manager User Groups with RADIUS and TACACS+

Your RADIUS or TACACS+ servers must be configured to recognize the user groups that exist in Cisco EPN Manager. You can do this using the procedure in Export the Cisco EPN Manager User Group and Role Attributes for RADIUS and TACACS+.

Export the Cisco EPN Manager User Group and Role Attributes for RADIUS and TACACS+

If you are using RADIUS or TACACS+, you must copy all Cisco EPN Manager user group and role information into your Cisco Access Control Server (ACS) or Cisco Identity Services Engine (ISE) server. You can do this using the Task List dialog box provided in the Cisco EPN Manager web GUI. If you do not export the data into your Cisco ACS or Cisco ISE server, Cisco EPN Manager will not allow users to perform their assigned tasks.

The following information must be exported:

  • TACACS+—Requires virtual domain and role information (tasks are automatically added).

  • RADIUS—Requires virtual domain and role information (tasks are automatically added).

Information in the Task List dialog is preformatted for use with the Cisco ACS server.


Note

When you add tasks to the external server, be sure to add the Home Menu Access task. It is mandatory for all users.


Before you begin

Make sure you have added the AAA server and configured the AAA mode as explained in Configure External Authentication .

Procedure

Step 1

In Cisco EPN Manager:

  1. Choose Administration > Users > User Groups.

  2. From the User Groups table, copy the role for each user group by clicking the Task List hyperlink (at the end of a user group row).

    • If you are using RADIUS, right-click the role0 line in the RADIUS Custom Attributes field and choose Copy.

    • If you are using TACACS+, right-click the role0 line in the TACACS+ Custom Attributes field and choose Copy.

Step 2

Paste the information into your Cisco ACS or Cisco ISE server. These steps show how to add the information to an existing user group in Cisco ACS. If you have not yet added this information to Cisco ACS or Cisco ISE, see:

  1. Navigate to User or Group Setup.

  2. For the applicable user or group, click Edit Settings.

  3. Paste the attributes list into the appropriate text box.

  4. Select the check boxes to enable these attributes, then click Submit + Restart.
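Before the copied attribute block is pasted into ACS or ISE, it is worth confirming that it carries a role, a virtual domain, and (when tasks are listed) the mandatory Home Menu Access task, since the page states that users whose role information is not in the AAA server cannot perform their assigned tasks. The checker below is an added example and not Cisco code. The line shapes it parses (TACACS+ lines as `key=value`, RADIUS lines as `Cisco-AVPair = "NCS:key=value"`, with keys `roleN`, `virtual-domainN` and `taskN`) are assumptions about the Task List export format and should be compared against what the dialog actually shows in your deployment; the sample inputs are constructed.

```python
"""Sanity-check a copied Task List export before pasting it into ACS / ISE.
Added example, not Cisco code.  The attribute line shapes below are assumed,
not taken from this page; the two sample exports are constructed."""
import re

# Assumed line shapes: TACACS+ custom attributes as "key=value";
# RADIUS custom attributes wrapped as Cisco-AVPair = "NCS:key=value".
_RADIUS_RE = re.compile(r'^\s*Cisco-AVPair\s*=\s*"NCS:([^"]+)"\s*$')
_PAIR_RE = re.compile(r'^\s*(role|virtual-domain|task)(\d+)\s*=\s*(.+?)\s*$')

MANDATORY_TASK = "Home Menu Access"   # stated by the page as mandatory for all users


def parse_attributes(text):
    """Return ({'role': [...], 'virtual-domain': [...], 'task': [...]}, unparsable_lines)."""
    found = {"role": [], "virtual-domain": [], "task": []}
    bad = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        line = raw
        m = _RADIUS_RE.match(raw)
        if m:                       # unwrap the RADIUS AV-pair to the bare key=value
            line = m.group(1)
        m = _PAIR_RE.match(line)
        if not m:
            bad.append(raw.strip())
            continue
        key, index, value = m.group(1), int(m.group(2)), m.group(3)
        found[key].append((index, value))
    for key in found:               # order by the numeric suffix (role0, role1, ...)
        found[key] = [value for _, value in sorted(found[key])]
    return found, bad


def check_export(text):
    """Validate one pasted export; returns a report with a list of problems."""
    attrs, bad = parse_attributes(text)
    problems = []
    if bad:
        problems.append(f"unparsable lines: {bad}")
    if not attrs["role"]:
        problems.append("no role0 line: the user would be in no user group")
    if not attrs["virtual-domain"]:
        problems.append("no virtual-domain0 line: the user would have no device access")
    if attrs["task"] and MANDATORY_TASK not in attrs["task"]:
        problems.append(f"{MANDATORY_TASK} task missing (mandatory for all users)")
    return {"ok": not problems, "attrs": attrs, "problems": problems}


# Constructed sample exports (not real product output).
SAMPLE_TACACS = """\
role0=Admin
virtual-domain0=ROOT-DOMAIN
task0=Home Menu Access
task1=Monitor Menu Access
"""

SAMPLE_RADIUS_INCOMPLETE = """\
Cisco-AVPair = "NCS:role0=Config Managers"
Cisco-AVPair = "NCS:task0=Configure Menu Access"
"""

if __name__ == "__main__":
    for name, sample in (("tacacs", SAMPLE_TACACS), ("radius", SAMPLE_RADIUS_INCOMPLETE)):
        report = check_export(sample)
        print(name, "OK" if report["ok"] else report["problems"])
```

Run it against the text copied from the Task List dialog; a report whose `problems` list is non-empty is a reason to go back to the User Groups table rather than paste the block into the AAA server.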


Add Users and Manage User Accounts

Create Web GUI Users with Administrator Privileges

After installation, Cisco EPN Manager has a web GUI root account named root. This account is used for first-time login to the server to create:

  • Web GUI users with Administrator privileges who will manage the product and features

  • All other user accounts

You should not use the web GUI root account for normal operations. For security purposes, create a new web GUI user with Administrator privileges (and access to all devices), and then disable the web GUI root account.

Procedure


Step 1

Choose Administration > Users > Users, Roles & AAA, then choose Users.

Step 2

Enter the username in the Username text box.

Step 3

Enter a password. The new password must satisfy the conditions specified in the password policy. Click the ? icon to view the password policy.

(Optional) Click the Generate New Password button to set a secure system-generated password. When you click this button, a new password is displayed in the adjacent text box and also in the New Password and Confirm Password text boxes. Click the eye icon in the text box to show or hide the password. You can also copy the password to the clipboard by clicking the Copy button.

Click the Reset button to clear the values in the text box.

Step 4

(Optional) Enter the First Name, Last Name, and Description for the user.

Step 5

Enter the email address in the Email Address text box.

Step 6

In the General tab under Groups Assigned to This User, click Admin.

Step 7

Click the Virtual Domains tab to specify which devices the user can access. You should have at least one Admin web GUI user that has access to all devices (ROOT-DOMAIN). For more information on virtual domains, see Create Virtual Domains to Control User Access to Devices.

Note 

If you select a parent virtual domain, the child (subordinate) virtual domains under it are also selected.

Step 8

Click Save.

Note 

When you create a new user, do not auto-fill or save the user’s credentials in the browser.


What to do next

If you have not done so already, for security purposes, disable the web GUI root account as described in Disable and Enable the Web GUI root User.

Add and Delete Users

Before you create user accounts, create virtual domains to control device access so you can apply them during account creation. Otherwise you will have to edit the user account to add the domain access. See Create Virtual Domains to Control User Access to Devices.

If you want to temporarily disable an account (rather than delete it), see Disable (Lock) a User Account.

Procedure


Step 1

Choose Administration > Users > Users, Roles & AAA, then choose Users.

Step 2

Click Add User.

Step 3

Configure the user account.

  1. Enter a username and password.

    Note 

    To auto-generate the password, enter the username and the email address. For more information, see Auto-generate a User's Password.

  2. Enter the first name, last name, and a description for the user.

  3. Control the actions the user can perform by selecting one or more user groups. For descriptions of user groups, see View User Groups and Their Members.

  4. Control the devices a user can access by clicking the Virtual Domains tab and assigning domains to the user. (see Create Virtual Domains to Control User Access to Devices).

Step 4

Click Save.

Note 

When you create a new user, do not auto-fill or save the user’s credentials in the browser.

Step 5

To delete user accounts, select the users you want to remove, then click Delete User(s).


Disable (Lock) a User Account

Disable a user account when you temporarily want to disallow a user from logging in to the Cisco EPN Manager GUI. You might want to do this if a user is temporarily changing job functions. If the user tries to log in, Cisco EPN Manager displays a message saying the login failed because the account is locked. You can unlock the account later without having to re-create the user. If you want to delete a user account, see Add and Delete Users.

User accounts may be disabled automatically if the password is not changed before expiration. Only an administrator can reset the password in this case. See Change a User’s Password and Configure Global Password Policies for Local Authentication.

Procedure


Step 1

Choose Administration > Users > Users, Roles & AAA, then click Users.

Step 2

Select the user whose access you want to disable or enable.

Step 3

Click Lock User(s) (or Unlock User(s)).


Change a User’s Password

You can configure password rules to force users to change their passwords (see Configure Global Password Policies for Local Authentication). Users can change their own passwords as described in Change Your Password. To change a user's password manually, use this procedure:

Procedure


Step 1

Choose Administration > Users > Users, Roles & AAA, then click Users.

Step 2

Click the username hyperlink.

Step 3

Enter the new password in the password fields, then click Save.


Auto-generate a User's Password

Cisco EPN Manager offers you the option to auto-generate the password for new and existing users based on the email server availability. If this option is enabled, the system sends an email to the user with password details.


Note

The Auto-generate Passwords option is available only if the email server is configured.

To auto-generate the password and email it to the user, follow this procedure:

Before you begin

Configure the email server. For more information, see Set Up the SMTP E-Mail Server.

Procedure


Step 1

Choose Administration > Users > Users, Roles & AAA > Local Password Policy.

Step 2

Select the Auto-generate Passwords check box.

Step 3

Click Save to save your changes.

Step 4

Go to Administration > Users > Users, Roles & AAA, then click Users.

  1. For a new user, enter the user name and email address.

  2. For an existing user, select Reset Password.

Step 5

Click Save to save your changes and send an email notification to the user.


Find Out Which Users Are Currently Logged In

Use this procedure to find out who is currently logged into the Cisco EPN Manager server. You can also view a historical list of the actions performed by the user in the current web GUI session and past sessions.


Note

By default, Cisco EPN Manager displays 50 records without pagination for the subsequent records. To view more than 50 records, click the settings icon at the top right corner of the screen and enter the required value in My Preferences > General > Items per Page List field.


Procedure


Step 1

Choose Administration > Users > Users, Roles & AAA, then choose Active Sessions. Cisco EPN Manager lists all users that are currently logged in to the Cisco EPN Manager server, including their client machine IP address. If the user performed any actions on managed devices (for example, the user added new devices to Cisco EPN Manager), the device IP addresses are listed in the Device IP Address column.

Step 2

To view a historical list of all actions performed by this user, click the Audit Trail icon that corresponds to the user name.

Step 3

If you want to end an active user session, click End Session.

Note 

End Session will only terminate an active user session. If you want to prevent the user from logging back in again, see Disable (Lock) a User Account.


View the Tasks Performed By Users (Audit Trail)

Cisco EPN Manager maintains a history of all actions performed by users in active and past web GUI sessions. Follow these steps to view a historical list of tasks performed by a specific user or by all members of a specific user group. The audit information includes a description of the task, the IP address of the client from which the user performed the task, and the time at which the task was performed. If a task affects a managed device (for example, a user adds a new device or issues commands on a network element through the Device Console), the affected device's IP address is listed in the Device IP Address column. If a change is made to multiple devices (for example, a user deploys a configuration template to 10 switches), Cisco EPN Manager displays an audit entry for each switch.   

To find out which users are currently logged into the Cisco EPN Manager web GUI, see Find Out Which Users Are Currently Logged In.

To view audits that are not user-specific, see these topics:

Procedure


Step 1

Choose Administration > Users > Users, Roles & AAA.

Step 2

To view the tasks performed by a specific user:

  1. Choose Users.

  2. Locate the user name, then click the Audit Trail icon corresponding to that user.

Step 3

To view a historical list of the tasks performed by all members of a user group:

  1. Choose User Groups.

  2. Locate the user group name, then click the Audit Trail icon corresponding to that group.


Configure Job Approvers and Approve Jobs

Use job approval when you want to control jobs that could significantly impact the network. If a job requires approval, Cisco EPN Manager sends an e-mail to all users with Admin privileges and does not run the job until one of them approves it. If an approver rejects a job, the job is removed from the database. By default, no jobs require approval.

If job approval is already enabled and you want to view jobs that need approval, approve a job, or reject a job, choose Administration > Dashboards > Job Dashboard, then click the Job Approval link.

To enable job approval and configure the jobs that require approval before running:

Procedure


Step 1

Choose Administration > Settings > System Settings, then choose General > Job Approval.

Step 2

Check the Enable Job Approval check box.

Step 3

Find the jobs you want to configure for approval, and move them from the left field to the right field. For example, if you want an Admin user to approve adding new devices, move the Import job type.

Step 4

To specify a customized job type, enter a string using regular expressions in the Job Type field, then click Add. For example, to enable job approval for all job types that start with Config, enter Config*.

Step 5

Click Save.


Configure Global Password Policies for Local Authentication

If you are using local authentication (Cisco EPN Manager's authentication mechanism), you control the global password policies from the web GUI. If you are authenticating Cisco EPN Manager users using external authentication, the policies are controlled by an external application (see Set Up External Authentication Using the CLI).

By default, users are not forced to change passwords after any period of time. To enforce password changes and configure other password rules, choose Administration > Users > Users, Roles & AAA, then choose Local Password Policy.


Note

You must select the Change password on the first login check box to prompt the new users to change the default password on their initial login to Cisco EPN Manager. De-selecting this check box will launch the Home Dashboard page on logging in.


Configure Number of Parallel Sessions Allowed

Cisco EPN Manager provides an option to configure the number of parallel sessions that you can run simultaneously. You can configure up to 15 parallel sessions.


Note

This setting applies only to the sessions logged in from the Cisco EPN Manager web-interface.


Procedure


Step 1

Choose Administration > Settings > System Settings, then choose General > Server.

Step 2

Under Parallel Sessions, enter a value between 1 and 15 in the Number of parallel sessions allowed field.

Step 3

Click Save. You need to restart the system for this change to take effect.


Configure the Global Timeout for Idle Users

Cisco EPN Manager provides two settings that control when and how idle users are automatically logged out:

  • User Idle Timeout—You can disable or configure this setting, which ends your user session automatically when you exceed the timeout. It is enabled by default and is set to 15 minutes.

  • Global Idle Timeout—The Global Idle Timeout setting overrides the User Idle Timeout setting. The Global Idle Timeout is enabled by default and is set to 15 minutes. Only users with administrative privileges can disable the Global Idle Timeout setting or change its time limit.

The idle timeout takes effect when the browser is open but there is no user interaction: if the idle timeout is 10 minutes and the browser stays open with no keystrokes or mouse clicks, the user is logged out after 10 minutes of inactivity. However, if the browser is killed without logging out of Cisco EPN Manager, the session expires after 60 minutes by default, regardless of the idle timeout value set in Cisco EPN Manager.

By default, idle client sessions are terminated: users are automatically logged out after 15 minutes of inactivity. This is a global setting that applies to all users. For security purposes, you should not disable this mechanism, but you can adjust the timeout value using the following procedure. To disable or change the timeout for an idle user, see Disable Idle User Timeout.

Procedure


Step 1

Choose Administration > Settings > System Settings, then choose General > Server.

Step 2

In the Global Idle Timeout area, make sure the Logout all idle users check box is selected (this means the mechanism is enabled).

Step 3

Configure the timeout by choosing a value from the Logout all idle users after drop-down list.

Step 4

Click Save. You must log out and log back in for this change to take effect.


Disable Idle User Timeout

By default, idle client sessions are terminated: users are automatically logged out after a certain period of inactivity. This is a global setting that applies to all users. To avoid being logged out during the installation, it is recommended that you disable automatic logout of idle users in the system settings using the following procedure.


Note

The Global Idle Timeout setting overrides the User Idle Timeout setting. To configure Global Idle Timeout settings, see Configure the Global Timeout for Idle Users.

Even if you disable Logout all idle users in the system settings and/or Logout idle user in the root user's My Preferences settings, the session still times out once the web server's session timeout is reached. This is to maintain the security posture. For guidelines on increasing or decreasing the session timeout, see https://owasp.org/www-community/Session_Timeout


Note

A session times out only when it is inactive; active user sessions are not timed out.

Procedure


Step 1

Choose Administration > Settings > System Settings, then choose General > Server.

Step 2

In the Global Idle Timeout area, uncheck the Logout all idle users check box and click Save.

Step 3

Click the settings icon at the top right of the web GUI window and choose My Preferences.

Step 4

In the User Idle Timeout area, uncheck the Logout idle user check box and click Save.

If you need to change the idle timeout value instead, select the Logout idle user check box and choose one of the idle timeout limits from the Logout idle user after drop-down list. (This value cannot exceed the value set in the Global Idle Timeout settings.)

Step 5

Click Save. You must log out and log back in for this change to take effect.


Create Virtual Domains to Control User Access to Devices

What Are Virtual Domains?

Virtual domains are logical groupings of devices, sites, and other NEs, and are used to control who has access to those NEs. You choose which elements are included in a virtual domain and which users have access to that virtual domain. Virtual domains can be based on physical sites, device types, user communities, or any other designation you choose. All devices belong to ROOT-DOMAIN, which is the parent domain for all new virtual domains.

Virtual domains work in conjunction with user groups. Virtual domains control the devices a user can access, while user groups determine the actions a user can perform on those devices. Users with access to a virtual domain (depending on their privileges) can configure devices, view alarms, and generate reports for the NEs in their virtual domain.

You can create virtual domains after you have added devices to Cisco EPN Manager. Each virtual domain must have a name and can have an optional description, email address, and time zone. Cisco EPN Manager uses the email address and time zone that you specify to schedule and email domain-specific reports.

Users work in one virtual domain at a time. Users can change the current virtual domain by choosing a different one from the Virtual Domain drop-down list (see Work In a Different Virtual Domain).

Before you set up virtual domains, determine which users are responsible for managing particular areas of the network. Then organize your virtual domains according to those needs—for example, by geography, by device type, or by the user community served by the network.

How Virtual Domains Affect Cisco EPN Manager Features

Virtual domains are organized hierarchically. The ROOT-DOMAIN domain includes all virtual domains.

Because network elements are managed hierarchically, user views of devices—as well as some associated features and components—are affected by the user's virtual domain. The following topics describe the effects of virtual domains on these features.

Reports and Virtual Domains

Reports only include components that belong to the active virtual domain. A parent virtual domain cannot view reports from its child domains. New components are only reflected in reports that are generated after the components were added.

Search and Virtual Domains

Search results only include components that belong to the active domain. You can only view saved search results if you are in the same domain from which the search was performed and saved. When working in a parent domain, you cannot view the results of searches performed in child domains.

Alarms and Virtual Domains

When a component is added to a virtual domain, no previous alarms for that component are visible to that virtual domain. Only new alarms are visible. For example, if a network element is added to Cisco EPN Manager, and that network element generated alarms before and after it was added, its alarm history would only include alarms generated after it was added.


Note

For alarm email notifications, only the ROOT-DOMAIN virtual domain can enable Location Notifications, Location Servers, and Cisco EPN Manager email notifications.

Maps and Virtual Domains

Maps only display network elements that are members of the active virtual domain.

Configuration Templates and Virtual Domains

When you create or discover a configuration template in a virtual domain, it can only be applied to network elements in that virtual domain. If you apply a template to a device and then add that device to a child domain, the template is also available to the same device in the child domain.


Note

If you create a child domain and then apply a configuration template to both network elements in the virtual domain, Cisco EPN Manager might incorrectly reflect the number of partitions to which the template was applied.

Config Groups and Virtual Domains

A parent domain can view the network elements in a child domain's configuration groups. The parent domain can also edit the child domain's configuration groups.

Email Notifications and Virtual Domains

Email notifications can be configured per virtual domain.

For alarm email notifications, only the ROOT-DOMAIN can enable Location Notifications, Location Servers, and email notifications.

Create New Virtual Domains

To create a new virtual domain, use one of the following procedures depending on the desired hierarchy of the virtual domain.

To create a new virtual domain (new-domain) at the following position in the hierarchy, see the procedure listed with it:

  • ROOT-DOMAIN > new-domain: see Create Virtual Domains Directly Under ROOT-DOMAIN.

  • ROOT-DOMAIN > existing-domain > new-domain: see Create Child Virtual Domains (Subdomains).

  • ROOT-DOMAIN > existing-domain > existing-domain > new-domain (and deeper nesting): see Create Child Virtual Domains (Subdomains).

Create Virtual Domains Directly Under ROOT-DOMAIN

The following procedure creates an empty virtual domain under ROOT-DOMAIN. You can also create multiple virtual domains at one time by using the procedure in Import a List of Virtual Domains.

If a virtual domain already exists under ROOT-DOMAIN, and you want to create a new domain under it (a child domain), see Create Child Virtual Domains (Subdomains).

Procedure

Step 1

Choose Administration > Users > Virtual Domains.

Step 2

In the Virtual Domains sidebar menu, click the + icon (Add New Domain).

Step 3

Enter a name in the Name text box. This is required.

Step 4

(Optional) Enter the new domain's time zone, email address and description.

Step 5

Click Submit to view a summary of the newly-created virtual domain.


What to do next

Add devices to the virtual domain as described in Add Network Devices to Virtual Domains.

Create Child Virtual Domains (Subdomains)

The following procedure creates a child virtual domain (also called a subdomain). A child virtual domain is a domain that is not directly under ROOT-DOMAIN; it is under a domain that is under ROOT-DOMAIN.

Do not use this procedure if you want the new virtual domain to appear directly under ROOT-DOMAIN. In that case, see Create Virtual Domains Directly Under ROOT-DOMAIN.

Procedure

Step 1

Choose Administration > Users > Virtual Domains.

Step 2

In the Virtual Domains sidebar menu:

  1. Locate the domain under which you want to create a new child domain. (This is called the parent domain.) In this example, the parent domain is California.

  2. Click the information (i) icon next to the domain name. This opens a data popup window.

  3. In the popup window, click Create Sub Domain. The navigation pane switches to the list view, with the parent domain California displayed above Untitled.

Step 3

Enter a name in the Name text box. This is required. In this example, the new child domain is named Los Angeles. (The name in the navigation pane will not change from Untitled to Los Angeles until you save the new child domain.)

Step 4

(Optional) Enter the new domain's time zone, email address and description.

Step 5

Click Submit and confirm the creation of the new child domain. To revert back to the hierarchical view, click the view toggle button at the top of the navigation pane.

The view reverts to the hierarchical view.


What to do next

Add devices to the virtual domain as described in Add Network Devices to Virtual Domains.

Import a List of Virtual Domains

If you plan to create many virtual domains, or give them a complex hierarchy, you will find it easier to specify them in a properly formatted CSV file, and then import it. The CSV format allows you to specify a name, description, time zone, and email address for each virtual domain you create, as well as each domain's parent domain. Adding network elements to the virtual domains must be performed separately.

Procedure


Step 1

Choose Administration > Users > Virtual Domains.

Step 2

Click the Import Domain(s) icon, download a sample CSV file from the link provided in the popup, and prepare the CSV file.

Step 3

Click Choose File and navigate to your CSV file.

Step 4

Click Import to import the CSV and create the virtual domains you specified.


What to do next

Add devices to the virtual domains as explained in Add Network Devices to Virtual Domains.
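As an added example (not Cisco's code, and not the product's CSV format), the following Python script pre-validates a virtual domain CSV before you import it in Step 4: it resolves each row's parent, orders parents before children, and reports missing names, duplicates, unknown parents and parent loops. The column names and the sample rows are assumptions constructed for the demo; take the real header names from the sample CSV downloaded in Step 2.

```python
import csv
import io
from dataclasses import dataclass, field
from typing import Dict, Iterable, List

ROOT = "ROOT-DOMAIN"  # parent of every virtual domain, as the chapter states


@dataclass
class ImportPlan:
    order: List[str] = field(default_factory=list)      # parent-first creation order
    paths: Dict[str, str] = field(default_factory=dict)  # name -> "ROOT-DOMAIN > ... > name"
    errors: List[str] = field(default_factory=list)     # anything that should block the import


def _path(name: str, parent_of: Dict[str, str]) -> str:
    """Render the hierarchy the way the chapter does: ROOT-DOMAIN > parent > child."""
    chain, cur, seen = [name], parent_of[name], set()
    while cur != ROOT and cur not in seen:
        seen.add(cur)
        chain.append(cur)
        if cur not in parent_of:  # pre-existing domain or unresolved parent
            break
        cur = parent_of[cur]
    return " > ".join([ROOT] + chain[::-1])


def plan_import(csv_text: str, existing: Iterable[str] = ()) -> ImportPlan:
    """Check a virtual-domain CSV for the mistakes that make an import fail or
    build the wrong hierarchy: missing names, duplicates, unknown parents, cycles.
    Assumed columns: name, description, timezone, email, parent (empty = ROOT-DOMAIN)."""
    plan = ImportPlan()
    existing = set(existing)
    parent_of: Dict[str, str] = {}
    for line_no, row in enumerate(csv.DictReader(io.StringIO(csv_text)), start=2):
        name = (row.get("name") or "").strip()
        parent = (row.get("parent") or "").strip() or ROOT
        if not name:
            plan.errors.append(f"line {line_no}: name is required")
        elif name == ROOT or name in parent_of or name in existing:
            plan.errors.append(f"line {line_no}: duplicate or reserved name {name!r}")
        else:
            parent_of[name] = parent
    known = set(parent_of) | existing | {ROOT}
    for name, parent in parent_of.items():
        if parent not in known:
            plan.errors.append(f"{name!r}: parent {parent!r} does not exist")

    state: Dict[str, str] = {}

    def visit(name: str, chain: List[str]) -> None:
        # Depth-first walk that emits each parent before its children and
        # reports any parent loop the CSV accidentally introduces.
        if state.get(name) == "done":
            return
        if state.get(name) == "visiting":
            plan.errors.append("cycle: " + " > ".join(chain + [name]))
            return
        state[name] = "visiting"
        parent = parent_of[name]
        if parent in parent_of:
            visit(parent, chain + [name])
        state[name] = "done"
        plan.order.append(name)
        plan.paths[name] = _path(name, parent_of)

    for name in parent_of:
        visit(name, [])
    return plan


# Constructed sample: the first row's parent is defined only in the second
# row, and the last row points at a parent that is nowhere in the file.
SAMPLE_CSV = """name,description,timezone,email,parent
Los Angeles,LA metro,America/Los_Angeles,la-noc@example.com,California
California,West region,America/Los_Angeles,ca-noc@example.com,ROOT-DOMAIN
New York,East region,America/New_York,ny-noc@example.com,
Boston,,America/New_York,,Massachusetts
"""

if __name__ == "__main__":
    plan = plan_import(SAMPLE_CSV)
    for name in plan.order:
        print(plan.paths[name])
    for err in plan.errors:
        print("ERROR:", err)
```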

Add Network Devices to Virtual Domains

Use this procedure to add network devices to a virtual domain. When you add a new network device to an existing virtual domain, the device becomes immediately accessible to users with access to that domain (users do not have to restart the web GUI).

Procedure


Step 1

Choose Administration > Users > Virtual Domains.

Step 2

From the Virtual Domains sidebar menu, click the virtual domain to which you want to add network devices.

Step 3

Click the Network Devices tab, then click Add.

Step 4

Select the network devices you want to add to the domain. Note that the Select Network Devices dialog lists all managed devices, not only those that are in the parent domain. If you add a device that is not included in the parent domain, Cisco EPN Manager adds it to both the child and parent domain.

  1. Select the devices you want to add to the domain. You can use the Filter By drop-down list to locate the devices you want to add.

  2. Click Select.

Note 

You cannot add more than 500 network devices in a single operation using the Select All function. To add more than 500 devices, use the Filter By option multiple times.

Step 5

Click Submit to view the summary of the virtual domain contents.

Step 6

Click Save to confirm your changes.


What to do next

Give users access to the virtual domain as described in Assign Virtual Domains to Users.

Assign Virtual Domains to Users

Once a virtual domain is assigned to a user account, the user is restricted to viewing and performing operations on the devices in their assigned domain(s).


Note

When using external AAA, be sure to add the custom attributes for virtual domains to the appropriate user or group configuration on the external AAA server. See Use Cisco EPN Manager Virtual Domains with RADIUS and TACACS+.

Procedure


Step 1

Choose Administration > Users > Users, Roles & AAA > Users.

Step 2

Select the user to whom you want to grant device access.

Step 3

Click the Virtual Domains tab.

Step 4

Use the Add and Remove buttons to make your assignment changes, then click Save.


Edit a Virtual Domain

To adjust a virtual domain, choose it from the Virtual Domain Hierarchy on the left sidebar menu to view or edit its assigned network devices. You cannot edit any of the settings for ROOT-DOMAIN.

Procedure


Step 1

Choose Administration > Users > Virtual Domains.

Step 2

Click the virtual domain you want to edit in the Virtual Domains sidebar menu.

Step 3

To adjust the name, email address, time zone, or description, enter your changes in the text boxes.

Step 4

To adjust device members:

Step 5

Click Submit, then check the summary of your changes.

Step 6

Click Save to apply and save your edits.


Delete a Virtual Domain

Use this procedure to delete a virtual domain from Cisco EPN Manager. This procedure only deletes the virtual domain; it does not delete the network elements from Cisco EPN Manager (the network elements will continue to be managed by Cisco EPN Manager).

Before you begin

You can only delete a virtual domain if:

  • The virtual domain does not contain any network elements and does not have any child domains.

  • It is not the only domain a user can access. In other words, if a Cisco EPN Manager user has access to only that domain, you cannot delete it.

  • No users are logged into the domain.

Procedure


Step 1

Choose Administration > Users > Virtual Domains.

Step 2

In the Virtual Domains sidebar menu, click the information (i) icon next to the virtual domain name. This opens a data popup window.

Step 3

In the popup window, click Delete.

Step 4

Click OK to confirm deleting the virtual domain.


Use Cisco EPN Manager Virtual Domains with RADIUS and TACACS+

Your RADIUS or TACACS+ servers must be configured to recognize the virtual domains that exist in Cisco EPN Manager. You can do this using the procedure in Export the Cisco EPN Manager Virtual Domain Attributes for RADIUS and TACACS+ .

If your RADIUS or TACACS+ server does not have any virtual domain information for a user, the following occurs, depending on the number of virtual domains that are configured in Cisco EPN Manager:

  • If Cisco EPN Manager has only one virtual domain (ROOT-DOMAIN), the user is assigned the ROOT-DOMAIN by default.

  • If Cisco EPN Manager has multiple virtual domains, the user is prevented from logging in.

Export the Cisco EPN Manager Virtual Domain Attributes for RADIUS and TACACS+

If you are using RADIUS or TACACS+, you must copy all Cisco EPN Manager virtual domain information into your Cisco ACS or Cisco ISE server. You can do this using the Virtual Domains Custom Attributes dialog box provided in the Cisco EPN Manager web GUI. If you do not export the data into your Cisco ACS or Cisco ISE server, Cisco EPN Manager will not allow users to log in.

The following information must be exported, depending on the protocol you are using:

  • TACACS+—Requires virtual domain, role, and task information.

  • RADIUS—Requires virtual domain and role information (tasks are automatically added).

When you create a child domain for an existing virtual domain, the sequence numbers for the RADIUS/TACACS+ custom attributes are also updated in the parent virtual domain. These sequence numbers are for representation only and do not affect AAA integration.

Information in the Virtual Domains Custom Attributes dialog is preformatted for use with Cisco ACS server.


Note

When you add tasks to the external server, be sure to add the Home Menu Access task. It is mandatory for all users.


Before you begin

Make sure you have added the AAA server and configured the AAA mode as explained in Configure External Authentication.

Procedure

Step 1

In Cisco EPN Manager:

  1. Choose Administration > Users > Virtual Domains.

  2. Click Export Custom Attributes at the top right of the window. This opens the Virtual Domain Custom Attributes dialog.

  3. Copy the attributes list.

    • If you are using RADIUS, right-click all of the text in the RADIUS Custom Attributes field and choose Copy.

    • If you are using TACACS+, right-click all of the text in the TACACS+ Custom Attributes field and choose Copy.

Step 2

Paste the information into your Cisco ACS or Cisco ISE server. These steps show how to add the information to an existing user group in Cisco ACS. If you have not yet added this information to Cisco ACS or Cisco ISE, see:

  1. Navigate to User or Group Setup.

    If you want to specify virtual domains on a per-user basis, make sure you add all of the custom attribute information (for example, tasks, roles, and virtual domains) to the User custom attribute page.

  2. For the applicable user or group, click Edit Settings.

  3. Paste the attributes list into the appropriate text box.

  4. Select the check boxes to enable these attributes, then click Submit + Restart.


Configure Local Authentication

Cisco EPN Manager uses local authentication by default, which means that user passwords are stored and verified from the Cisco EPN Manager database. To check the authentication mode that is being used, choose Administration > Users > Users, Roles & AAA, then choose AAA Mode Settings. The selection is displayed on the AAA Mode Settings page. If you are using local authentication, be sure to configure strong password policies. See Configure Global Password Policies for Local Authentication.

If you want to use SSO with local authentication, see Use SSO With Local Authentication.

For information on external authentication, see Configure External Authentication .

Use SSO With Local Authentication

To use SSO with local authentication, you must add the SSO server and then configure Cisco EPN Manager to use SSO in local mode.

If you have deployed Cisco EPN Manager in a high availability environment where you have a primary and backup server, refer to the instructions in Configure an SSO Server in an HA Environment.

Cisco EPN Manager does not support localization on the SSO sign-in page.

The following topics describe how to configure SSO for external authentication, but you can use the same procedures to configure SSO for local authentication. The only difference is that when you configure the SSO mode on the Cisco EPN Manager server, choose Local mode (not RADIUS or TACACS+).

Configure External Authentication

Users with web GUI root user or SuperUser privileges can configure Cisco EPN Manager to communicate with external LDAP, RADIUS, TACACS+, and SSO servers for external authentication, authorization, and accounting (AAA). If you choose to configure external authentication, the user groups, users, authorization profiles, authentication policies, and policy rules must be created in the external server through which all access requests to Cisco EPN Manager will be routed.

You can use a maximum of three AAA servers. Users are authenticated on the second server only if the first server is not reachable or has network problems.


Note

You can use up to three AAA servers together, only if they support the same RADIUS, TACACS+, or LDAP protocol. Using servers having different protocols together is not supported. However, if you want to use multiple AAA servers running different protocols, then you must use Cisco ISE or ACS as a proxy between EPNM and the AAA servers. In this case, you'll need to set up your authentication logic based on the Cisco ISE or Cisco ACS configurations.

If you want to configure external authentication from the CLI, see Set Up External Authentication Using the CLI.

See the following topics for more information.

Use RADIUS or TACACS+ for External Authentication

These topics explain how to configure Cisco EPN Manager to use RADIUS or TACACS+ servers.

Add a RADIUS or TACACS+ Server to Cisco EPN Manager

To add a RADIUS or TACACS+ server to Cisco EPN Manager:

Procedure

Step 1

Choose Administration > Users > Users, Roles & AAA, then choose RADIUS Servers.

Step 2

Select the type of server you want to add.

  • For RADIUS, choose RADIUS Servers. From the Select a command drop-down list, choose Add RADIUS Server, then click Go.

  • For TACACS+, choose TACACS+ Servers. From the Select a command drop-down list, choose Add TACACS+ Server, then click Go.

    Note 

    You can use the Move Up and Move Down arrows to reorder the available IP addresses.

Step 3

Enter the required information—IP address, DNS Name, and so forth. For Cisco EPN Manager to communicate with the external authentication server, the shared secret you enter on this page must match the shared secret configured on the RADIUS or TACACS+ server. The shared secret for a third-party TACACS+ or RADIUS server can contain letters, numbers, and special characters except ‘ (single quote) and “ (double quote). Enter the Retransmit Timeout and the Retries.

Step 4

Select the authentication type.

  • PAP—Password Authentication Protocol, in which the two entities share a password in advance and use that password as the basis of authentication.

  • CHAP—Challenge-Handshake Authentication Protocol, which requires that both the client and the server know the plain text of the secret, although the secret itself is never sent over the network. CHAP provides greater security than PAP.

Step 5

If you have enabled the High Availability feature and configured a virtual IP address for the Local Interface IP, choose the virtual IP address of eth0. (See the information on setting up and installing high availability on a secondary server in the Cisco Evolved Programmable Network Manager Installation Guide.)

Note 

The IP address configured in the external authentication server must match the Local Interface IP.

Step 6

Click Save.


Configure RADIUS or TACACS+ Mode on the Cisco EPN Manager Server

Procedure

Step 1

Choose Administration > Users > Users, Roles & AAA, then choose AAA Mode.

Step 2

Select TACACS+ or RADIUS.

Step 3

Check the Enable Fallback to Local check box to enable the use of the local database when the external AAA server is down.

Step 4

If you want to revert to local authentication if the external RADIUS or TACACS+ server goes down, perform the following steps:

  1. Select Enable Fallback to Local.

  2. Specify the fallback condition: either ONLY on no server response, or on authentication failure or no server response.

Step 5

Select the Enable Single Sign-Out check box if you want to enable single sign-out.

Step 6

Select the Ticket Granting Ticket Timeout from the drop-down list.

Step 7

Click Save.


Use Cisco ISE With RADIUS or TACACS+ for External Authentication

Cisco Identity Services Engine (ISE) uses the RADIUS or TACACS+ protocols for authentication, authorization, and accounting (AAA). You can integrate Cisco EPN Manager with Cisco ISE to authenticate Cisco EPN Manager users using the RADIUS or TACACS+ protocols. When you use external authentication, the details required for AAA, such as users, user groups, passwords, authorization profiles, authorization policies, and policy rules, must be stored in and verified against the Cisco ISE database.


Note

Cisco EPN Manager natively supports LDAP.


Complete the following tasks to use Cisco ISE with the RADIUS or TACACS+ protocol for external authentication:

Tasks to be completed to use Cisco ISE for external authentication (for information, see the topic named with each task):

  • Make sure you are using a supported version of Cisco ISE. See Supported Versions of Cisco ISE in Cisco EPN Manager.
  • Add Cisco EPN Manager as an AAA client in Cisco ISE. See Add Cisco EPN Manager as a Client in Cisco ISE.
  • Create a user group in Cisco ISE. See Create a User Group in Cisco ISE.
  • Create a user in Cisco ISE and add the user to the user group that is created in Cisco ISE. See Create a User and Add the User to a User Group in Cisco ISE.
  • (If using RADIUS) Create an authorization profile for network access in Cisco ISE, and add the RADIUS custom attributes with user roles and virtual domains created in Cisco EPN Manager. See Create an Authorization Profile for RADIUS in Cisco ISE.
    Note
    For RADIUS, you do not need to add the attributes for user tasks. They are automatically added based on the user roles.
  • (If using TACACS+) Create an authorization profile for network access in Cisco ISE, and add the TACACS+ custom attributes with user roles and virtual domains created in Cisco EPN Manager. See Create an Authorization Profile for TACACS+ in Cisco ISE.
    Note
    For TACACS+, you need not add the attributes for user tasks. They are automatically added based on the user roles.
  • Create an authorization policy in Cisco ISE and associate the policy with the user groups and authorization profile created in Cisco ISE. See Configure an Authorization Policy in Cisco ISE.
  • Create an authentication policy to define the protocols that Cisco ISE must use to communicate with Cisco EPN Manager, and the identity sources that it uses for authenticating users to Cisco EPN Manager. See Create an Authentication Policy in Cisco ISE.
  • Add Cisco ISE as a RADIUS or TACACS+ server in Cisco EPN Manager. See Add a RADIUS or TACACS+ Server to Cisco EPN Manager.
  • Configure the RADIUS or TACACS+ mode on the Cisco EPN Manager server. See Configure RADIUS or TACACS+ Mode on the Cisco EPN Manager Server.

Supported Versions of Cisco ISE in Cisco EPN Manager

Cisco EPN Manager supports Cisco ISE 1.x and 2.x releases.

Add Cisco EPN Manager as a Client in Cisco ISE

Procedure

Step 1

Log in to Cisco ISE as the admin user.

Step 2

Choose Administration > Network Resources > Network Devices.

Step 3

In the Network Devices page, click Add.

Step 4

Enter the device name and IP address of the Cisco EPN Manager server.

Step 5

Check the Authentication Settings check box, and then enter the shared secret.

Note 

Ensure that this shared secret matches the shared secret you enter when adding the Cisco ISE server as the RADIUS server in Cisco EPN Manager.

Step 6

Click Submit.


Create a User Group in Cisco ISE

Procedure

Step 1

Log in to Cisco ISE as the admin user.

Step 2

Choose Administration > Identity Management > Groups.

Step 3

In the User Identity Groups page, click Add.

Step 4

In the Identity Group page, enter the name and description of the user group.

Step 5

Click Submit.


Create a User and Add the User to a User Group in Cisco ISE

Procedure

Step 1

Log in to Cisco ISE as the admin user.

Step 2

Choose Administration > Identity Management > Identities.

Step 3

In the Network Access Users page, click Add.

Step 4

From the Select an item drop-down list, choose a user group to assign the user to.

Step 5

Click Submit.


Create an Authorization Profile for RADIUS in Cisco ISE

You create authorization profiles to define how different types of users are authorized to access the network. For example, you can define that a user attempting to access the network over a VPN connection is treated more strictly than a user attempting to access the network through a wired connection.

When you create an authorization profile for device administration, you must add the RADIUS custom attributes that are associated with user roles, tasks, and virtual domains created in Cisco EPN Manager.


Note

For RADIUS, you can add the user role attributes without adding the task attributes. The tasks are automatically added with the user roles.

For more information about Cisco ISE authorization profiles, see the information on managing authorization policies and profiles in the Cisco Identity Services Engine Administrator Guide.

To create an authorization profile for RADIUS in Cisco ISE:

Before you begin

Make sure you have the complete list of the following Cisco EPN Manager custom attributes for RADIUS. You will need to add this information to Cisco ISE in this procedure.

Procedure

Step 1

Log in to Cisco ISE as the admin user.

Step 2

Choose Policy > Policy Elements > Results.

Step 3

From the left sidebar, choose Authorization > Authorization Profiles.

Step 4

In the Standard Authorization Profiles page, click Add.

Step 5

In the Authorization Profile page, enter the name and description of the authorization profile.

Step 6

From the Access Type drop-down list, choose ACCESS_ACCEPT.

Step 7

In the Advanced Attributes Settings area, paste in the complete list of RADIUS custom attributes for:

  • User roles

  • Virtual domains

Note
If you do add user tasks, be sure to add the Home Menu Access task. It is mandatory.
Step 8

Click Submit.


Create an Authorization Profile for TACACS+ in Cisco ISE

You can create authorization profiles to define how different types of users are authorized to access the network. For example, you can define that a user attempting to access the network over a VPN connection is treated more strictly than a user attempting to access the network through a wired connection.

When you create an authorization profile for device administration, you must add the TACACS+ custom attributes that are associated with user roles, tasks, and virtual domains created in Cisco EPN Manager.

For more information about Cisco ISE authorization profiles, see the information on managing authorization policies and profiles in the Cisco Identity Services Engine Administrator Guide.

To create an authorization profile for TACACS+ in Cisco ISE:

Before you begin

Make sure you have the complete list of the following Cisco EPN Manager custom attributes for TACACS+. You will need to add this information to Cisco ISE in this procedure.

Procedure

Step 1

Log in to Cisco ISE as the admin user.

Step 2

Choose Work Center > Device Administration > Policy Elements.

Step 3

From the left sidebar, choose Results > TACACS Profiles.

Step 4

In the TACACS Profiles page, click Add.

Step 5

From the Access Type drop-down list, choose ACCESS_ACCEPT.

Step 6

In the TACACS Profiles page, enter the name and description of the authorization profile.

Step 7

In the Raw View Profile Attributes area, paste in the complete list of TACACS+ custom attributes for:

  • User roles, including the tasks

  • Virtual domains

Note 
Be sure to add the Home Menu Access task. It is mandatory.
Step 8

Click Submit.


Configure an Authorization Policy in Cisco ISE

An authorization policy consists of a rule or a set of rules that are user-defined and produce a specific set of permissions, which are defined in an authorization profile. Based on the authorization profile, access requests to Cisco EPN Manager are processed.

There are two types of authorization policies that you can configure:
  • Standard—Standard policies are intended to be stable and are created to remain in effect for long periods of time, to apply to a larger group of users, devices, or groups that share a common set of privileges.

  • Exception—Exception policies are created to meet an immediate or short-term need, such as authorizing a limited number of users, devices, or groups to access network resources. An exception policy lets you create a specific set of customized values for an identity group, condition, or permission that are tailored for one user or a subset of users.

For more information about authorization policies, see the “Manage Authorization Policies and Profiles” chapter in the Cisco Identity Services Engine Administrator Guide.

To create an authorization policy in Cisco ISE:

Procedure

Step 1

Log in to Cisco ISE as the admin user.

Step 2

Choose Policy > Authorization.

Step 3

In the Standard area, click the down arrow on the far right and select either Insert New Rule Above or Insert New Rule Below.

Step 4

Enter the rule name and choose identity group, condition, attribute, and permission for the authorization policy.

For example, you can define a user group as Cisco EPN Manager-System Monitoring-Group and choose this group from the Identity Groups drop-down list. Similarly, define an authorization profile as Cisco EPN Manager-System Monitoring-authorization profile and choose this profile from the Permissions drop-down list. Now, you have defined a rule where all users belonging to the Cisco EPN Manager System Monitoring identity group receive an appropriate authorization policy with system monitoring custom attributes defined.

Step 5

Click Done, and then click Save.


Create an Authentication Policy in Cisco ISE

Authentication policies define the protocols that Cisco ISE uses to communicate with Cisco EPN Manager, and the identity sources that it uses for authenticating users to Cisco EPN Manager. An identity source is an internal or external database where the user information is stored.

You can create two types of authentication policies in Cisco ISE:
  • Simple authentication policy - In this policy, you can choose the allowed protocols and identity sources to authenticate users.

  • Rule-based authentication policy - In this policy, you can define conditions that allow Cisco ISE to dynamically choose the allowed protocols and identity sources.

For more information about authentication policies, see the "Manage Authentication Policies" chapter in the Cisco Identity Services Engine Administrator Guide.

To create an authentication policy in Cisco ISE:

Procedure

Step 1

Log in to Cisco ISE as the Super Admin or System Admin user.

Step 2

Choose Policy > Authentication.

Step 3

Choose the Policy Type as Simple or Rule-Based to create the required authentication policy.

Step 4

Enter the required details based on the policy type selected.

Step 5

Click Save.


Use Cisco ACS With RADIUS or TACACS+ for External Authentication


Note

The Cisco Secure Access Control System (ACS) is no longer being sold. Please see the End-of-Sale and End-of-Life Announcement for the Cisco Secure Access Control System for more information. There will be no new development on the integration of Cisco Evolved Programmable Network Manager with Cisco ACS. The last date of support for the integration with ACS is scheduled for August 31, 2020, the date at which the ACS product will become obsolete.


Cisco Secure Access Control System (ACS) uses the RADIUS and TACACS+ protocols for authentication, authorization, and accounting (AAA). You can integrate Cisco EPN Manager with Cisco ACS to authenticate Cisco EPN Manager users using the RADIUS or TACACS+ protocol. When you use external authentication, the details required for AAA, such as users, user roles, passwords, authorization profiles, authorization policies, and policy rules, must be stored in and verified against the Cisco ACS database.

Complete the following tasks to use Cisco ACS with the RADIUS or TACACS+ protocol for external authentication:

Tasks to be completed to use Cisco ACS for external authentication (for information, see the topic named with each task):

  • Make sure you are using a supported version of Cisco ACS. See Supported Versions of Cisco ACS in Cisco EPN Manager.
  • Add Cisco EPN Manager as an AAA client in Cisco ACS. See Add Cisco EPN Manager as a Client in Cisco ACS.
  • Create a user group in Cisco ACS. See Create a User Group in Cisco ACS.
  • Create a user in Cisco ACS and add the user to the Cisco ACS user group. See Create a User and Add the User to a User Group in Cisco ACS.
  • (If using RADIUS) Create an authorization profile for network access in Cisco ACS, and add the RADIUS custom attributes for user roles and virtual domains created in Cisco EPN Manager. See Create an Authorization Profile for RADIUS in Cisco ACS.
    Note
    For RADIUS, you do not need to add the attributes for user tasks. They are automatically added based on the user roles.
  • (If using TACACS+) Create an authorization profile for device administration in Cisco ACS, and add the TACACS+ custom attributes with user roles and virtual domains created in Cisco EPN Manager. See Create an Authorization Profile for TACACS+ in Cisco ACS.
    Note
    For TACACS+, you need not add the attributes for user tasks. They are automatically added based on the user roles.
  • Create an access service in Cisco ACS and define a policy structure for the access service. See Create an Access Service for Cisco EPN Manager in Cisco ACS.
  • Create an authorization policy rule in Cisco ACS, and map the authorization or shell profile based on the access type (network access or device administration). See Create an Authorization Policy Rule in Cisco ACS.
  • Configure a service selection policy in Cisco ACS and assign an access service to an incoming request. See Configure a Service Selection Policy in Cisco ACS.
  • Add Cisco ACS as a RADIUS or TACACS+ server in Cisco EPN Manager. See Add a RADIUS or TACACS+ Server to Cisco EPN Manager.
  • Configure the RADIUS or TACACS+ mode on the Cisco EPN Manager server. See Configure RADIUS or TACACS+ Mode on the Cisco EPN Manager Server.

Supported Versions of Cisco ACS in Cisco EPN Manager

Cisco EPN Manager supports Cisco ACS 5.x releases.

Add Cisco EPN Manager as a Client in Cisco ACS

Procedure

Step 1

Log in to Cisco ACS as the admin user.

Step 2

From the left sidebar, choose Network Resources > Network Devices > Network Devices and AAA Clients.

Step 3

In the Network Devices page, click Create.

Step 4

Enter the device name and IP address of the Cisco EPN Manager server.

Step 5

Choose the authentication option as RADIUS or TACACS+, and enter the shared secret.

Note 

Ensure that this shared secret matches the shared secret you enter when adding the Cisco ACS server as the RADIUS or TACACS+ server in Cisco EPN Manager.

Step 6

Click Submit.


Create a User Group in Cisco ACS

Procedure

Step 1

Log in to Cisco ACS as the admin user.

Step 2

From the left sidebar, choose Users and Identity Stores > Identity Groups.

Step 3

In the Identity Groups page, click Create.

Step 4

Enter the name and description of the user group.

Step 5

Select a network device group parent for the user group.

Step 6

Click Submit.


Create a User and Add the User to a User Group in Cisco ACS

Procedure

Step 1

Log in to Cisco ACS as the admin user.

Step 2

From the left sidebar, choose Users and Identity Stores > Internal Identity Stores > Users.

Step 3

In the Internal Users page, click Create.

Step 4

Enter the required details.

Step 5

In the Identity Group field, click Select to choose a user group to assign the user to.

Step 6

Click Submit.


Create an Authorization Profile for RADIUS in Cisco ACS

You create authorization profiles to define how different types of users are authorized to access the network. For example, you can define that a user attempting to access the network over a VPN connection is treated more strictly than a user attempting to access the network through a wired connection.

When you create an authorization profile for device administration, you must add the RADIUS custom attributes that are associated with user roles, tasks, and virtual domains created in Cisco EPN Manager.

Note

For RADIUS, you can add the user role attributes without adding the task attributes. The tasks are automatically added with the user roles.

For more information about Cisco ACS authorization profiles and policies, see chapters on managing policy elements and access policies in the User Guide for Cisco Secure Access Control System.

To create an authorization profile for RADIUS in Cisco ACS:

Before you begin

Make sure you have the complete list of the following Cisco EPN Manager custom attributes for RADIUS. You will need to add this information to Cisco ACS in this procedure.

Procedure

Step 1

Log in to Cisco ACS as the admin user.

Step 2

From the left sidebar, choose Policy Elements > Authorizations and Permissions > Network Access > Authorization Profiles.

Step 3

Click Create.

Step 4

On the General tab, enter the name and description of the authorization profile.

Step 5

Click the RADIUS Attributes tab, and paste in the complete list of RADIUS custom attributes for:

  • User roles
  • Virtual domains
Note 
If you do add user tasks, be sure to add the Home Menu Access task. It is mandatory.
Step 6

Click Submit.


Create an Authorization Profile for TACACS+ in Cisco ACS

When you create an authorization profile for device administration, you must add the TACACS+ custom attributes that are associated with user roles and virtual domains created in Cisco EPN Manager.


Note

For TACACS+, you need not add the attributes for user tasks. They are automatically added based on the user roles.


For more information about Cisco ACS authorization profiles and policies, see chapters on managing policy elements and access policies in the User Guide for Cisco Secure Access Control System.

To create an authorization profile for TACACS+ in Cisco ACS:

Before you begin

Make sure you have the complete list of the following Cisco EPN Manager custom attributes. You will need to add this information to Cisco ACS in this procedure.

Procedure

Step 1

Log in to Cisco ACS as the admin user.

Step 2

From the left sidebar, choose Policy Elements > Authorizations and Permissions > Device Administration > Shell Profiles.

Step 3

Click Create.

Step 4

On the General tab, enter the name and description of the authorization profile.

Step 5

Click the Custom Attributes tab, and paste in the complete list of TACACS+ custom attributes for:

  • User roles, including the tasks

  • Virtual domains

Step 6

Click Submit.


Create an Access Service for Cisco EPN Manager in Cisco ACS

Access services contain the authentication and authorization policies for access requests. You can create separate access services for different use cases; for example, device administration (TACACS+), network access (RADIUS), and so on.

When you create an access service in Cisco ACS, you define the type of policies and policy structures that it contains; for example, policies for device administration, network access, and so on.


Note

You must create access services before you define service selection rules, although you do not need to define the policies in the services.


To create an access service for Cisco EPN Manager requests:

Procedure

Step 1

Log in to Cisco ACS as the admin user.

Step 2

From the left sidebar, choose Access Policies > Access Services.

Step 3

Click Create.

Step 4

Enter the name and description of the access service.

Step 5

Choose one of the following options to define a policy structure for the access service:

  • Based on service template—Creates an access service containing policies based on a predefined template.
  • Based on existing service—Creates an access service containing policies based on an existing access service. However, the new access service does not include the existing service's policy rules.
  • User selected service type—Lets you select the access service type. The available options are Network Access (RADIUS), Device Administration (TACACS+), and External Proxy (External RADIUS or TACACS+ servers).
Step 6

Click Next.

Step 7

Choose the authentication protocols that are allowed for the access service.

Step 8

Click Finish.


Create an Authorization Policy Rule in Cisco ACS

Procedure

Step 1

Log in to Cisco ACS as the admin user.

Step 2

From the left sidebar, choose Access Policies > Access Services > service > Authorization.

Step 3

Click Create.

Step 4

Enter the name of the rule and then choose the rule status.

Step 5

Configure the required conditions for the rule.

For example, you can create a rule based on the location, device type, or user group that you have created.

Step 6

If you are creating an authorization policy rule for network access (RADIUS), choose the required authorization profile(s) to map to the authorization policy rule.

Alternatively, if you are creating an authorization policy rule for device administration (TACACS+), choose the required shell profile(s) to map to the authorization policy rule.

Note 
If you are using multiple authorization profiles or shell profiles, make sure you order them in priority.
Step 7

Click OK.


Configure a Service Selection Policy in Cisco ACS

A service selection policy determines which access service applies to an incoming request. For example, you can configure a service selection policy to apply the device administration access service to any access request that uses the TACACS+ protocol.

You can configure two types of service selection policy:
  • Simple service selection policy—Applies the same access service to all requests.
  • Rule-based service selection policy—Contains one or more conditions and a result, which is the access service that will be applied to an incoming request.

To configure a service selection policy:

Procedure

Step 1

Log in to Cisco ACS as the admin user.

Step 2

From the left sidebar, choose Access Policies > Access Services > Service Selection Rules.

Step 3

If you want to configure a simple service selection policy, click the Single result selection radio button, and then choose an access service to apply to all requests.

Alternatively, if you want to configure a rule-based service selection policy, click the Rule based result selection radio button, and then click Create.

Step 4

Enter the name of the rule and then choose the rule status.

Step 5

Choose either RADIUS or TACACS+ as the protocol for the service selection policy.

Step 6

Configure the required compound condition, and then choose an access service to apply to an incoming request.

Step 7

Click OK, and then click Save Changes.


Use SSO with External Authentication

To set up and use SSO (with or without a RADIUS or TACACS+ server), see these topics:

  • Add the SSO Server
  • Delete SSO Server
  • Configure SSO Mode on the Cisco EPN Manager Server

Cisco EPN Manager does not support localization on the SSO sign-in page.

Add the SSO Server

If you have deployed Cisco EPN Manager in a high availability environment where you have a primary and backup server, refer to the instructions in Configure an SSO Server in an HA Environment.

Cisco EPN Manager can be configured with a maximum of three AAA servers.

Procedure

Step 1

Choose Administration > Users > Users, Roles & AAA, then choose SSO Servers.

Step 2

From the Select a command drop-down list, choose Add SSO Servers, then click Go.

Step 3

Enter the SSO information. The maximum number of server retries for an SSO server authentication request is 3.

Step 4

Click Save.

Note 

You can also add the EPNM server you are using as an SSO server. From the Select a command drop-down list, choose Add self as SSO Servers, then click Go.


Delete SSO Server

You can delete the SSO server that is added to EPNM. To delete the SSO server:

Procedure

Step 1

Choose Administration > Users > Users, Roles & AAA, then choose SSO Servers.

Step 2

Select the servers that you want to delete.

Step 3

From the Select a command drop-down list, choose Delete SSO Server(s), then click Go.

Step 4

Click OK to confirm the server deletion.


Configure SSO Mode on the Cisco EPN Manager Server

The SSO functionality distributes the CA certificate when the SSO server is added to the SSO client.

Cisco EPN Manager supports CA and self-signed certificates as long as the Common Name (CN) field of the certificate contains the Fully Qualified Domain Name (FQDN) of the server on both the SSO client and the SSO server. The server must be capable of name resolution from the IP address to the FQDN. In addition, the hostname must match the left-most component of the FQDN. SSO requires accurate DNS configuration: you must define the DNS entry with the fully qualified domain name (FQDN). For example, the nslookup command and the expected output when DNS is configured with the FQDN are:

hostname CUSTOMER_HOSTNAME
nslookup CUSTOMER_HOSTNAME
Server:...
Address:...
Name: CUSTOMER_HOSTNAME.example.com
Address:....

For SSO operation, Cisco EPN Manager requires that the SSL/TLS certificate hold the FQDN in the CN field. To verify that the certificate used by your Cisco EPN Manager server has the FQDN in the CN field, use your browser to view the certificate. If the certificate does not contain the FQDN in the CN field, you must regenerate the certificate and redistribute it to all users that have the old certificate.
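The following POSIX shell script is an added example, not part of the Cisco EPN Manager guide: it evaluates the three SSO prerequisites stated above (short hostname equals the left-most label of the FQDN, DNS returns the FQDN for the host, certificate CN holds the FQDN) from the outputs of hostname, nslookup and openssl. All host names, addresses and the port used are constructed placeholders.

```shell
#!/bin/sh
# Added example, not part of the Cisco EPN Manager guide: checks the SSO
# prerequisites the guide states (short hostname is the left-most label of
# the FQDN, DNS returns the FQDN for the host, certificate CN holds the FQDN).
# All host names, addresses and the port below are constructed placeholders.

to_lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# Left-most DNS label: "epnm01.example.com" -> "epnm01"
leftmost_label() { printf '%s\n' "$1" | cut -d. -f1; }

# CN from an "openssl x509 -noout -subject" line. openssl 1.1+ prints
# "subject=CN = host, O = Org"; older releases print "subject= /O=Org/CN=host".
cn_from_subject() {
    printf '%s\n' "$1" | sed -n 's|.*CN *= *\([^,/]*\).*|\1|p' \
                       | sed 's/[[:space:]]*$//'
}

# The "Name:" answer from nslookup output, as shown in the guide.
name_from_nslookup() {
    printf '%s\n' "$1" | sed -n 's/^Name:[[:space:]]*//p' | head -n 1 | sed 's/\.$//'
}

# Evaluate the prerequisites from values gathered elsewhere.
#   $1 short hostname   $2 FQDN from DNS   $3 openssl subject line
# Prints one FAIL line per unmet prerequisite; returns 0 only if all pass.
check_sso_prereqs() {
    host=$(to_lower "$1"); fqdn=$(to_lower "$2")
    cn=$(to_lower "$(cn_from_subject "$3")")
    rc=0
    case "$fqdn" in
        *.*) ;;
        *)   echo "FAIL: DNS name '$2' is not fully qualified"; rc=1 ;;
    esac
    [ "$(leftmost_label "$fqdn")" = "$host" ] ||
        { echo "FAIL: hostname '$1' is not the left-most label of '$2'"; rc=1; }
    [ -n "$cn" ] || { echo "FAIL: certificate subject has no CN"; rc=1; }
    [ "$cn" = "$fqdn" ] ||
        { echo "FAIL: certificate CN '$cn' does not match FQDN '$fqdn'"; rc=1; }
    return "$rc"
}

# Gather live values on the EPN Manager host (needs nslookup and openssl).
# Port 443 for the web GUI is an assumption; adjust for your deployment.
check_live() {
    live_host=$(hostname -s 2>/dev/null || hostname)
    live_fqdn=$(name_from_nslookup "$(nslookup "$live_host" 2>/dev/null)")
    live_subj=$(printf '' | openssl s_client -connect 127.0.0.1:443 \
                    -servername "$live_host" 2>/dev/null | openssl x509 -noout -subject)
    check_sso_prereqs "$live_host" "$live_fqdn" "$live_subj"
}

# Constructed sample values (not from any real deployment).
SAMPLE_NSLOOKUP='Server:   10.0.0.53
Address:  10.0.0.53#53

Name:     epnm01.example.com
Address:  10.0.0.10'
SAMPLE_SUBJECT='subject=CN = epnm01.example.com, O = Example Corp'

if [ "${1:-}" = "--live" ]; then
    check_live
else
    check_sso_prereqs epnm01 "$(name_from_nslookup "$SAMPLE_NSLOOKUP")" "$SAMPLE_SUBJECT" &&
        echo "OK: sample values satisfy the SSO prerequisites"
fi
```

Run it with --live on the Cisco EPN Manager host to check the real values; without arguments it evaluates the constructed sample.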


Note

If you are using this procedure to configure SSO but are using local authentication, choose Local in Step 2.


Procedure

Step 1

Choose Administration > Users > Users, Roles & AAA, then choose SSO Server Settings.

Step 2

Choose which SSO Server AAA Mode you want to use. You can select only one at a time.

Step 3

Click OK.