Citrix

Product Documentation


Configuring Security Settings

Dec. 18, 2015

You can configure various parameters to ensure that only authenticated users log on to Command Center. You can also create users and groups and assign specific operations to the groups.


Configuring Authentication Settings

Command Center supports authentication policies for external authentication of users.

When a user for whom no configuration has been created in Command Center logs on for the first time, the user is assigned to the default Users group. The administrator must assign the new user to the appropriate group or groups, depending on the privileges the user needs.

Command Center supports the following authentication servers:

  • Local
  • LDAP (Lightweight Directory Access Protocol)
    • Active Directory
    • OpenLDAP (Open source implementation of LDAP)
  • RADIUS (Remote Authentication Dial-In User Service)
  • TACACS (Terminal Access Controller Access Control System)

Note: If you use Active Directory, OpenLDAP, or RADIUS servers for authentication, groups in Command Center are configured to match groups configured on the authentication servers. When a user logs on and is authenticated, if a group name in an authentication server matches a group name in Command Center, the user inherits the settings of the Command Center group.

Command Center supports deployment of RADIUS authentication with an Active Directory server (realm deployment). For a realm deployment, you must enable group extraction and specify the group vendor identifier and the type of group attribute.

By default, Command Center uses local authentication.


Configuring the LDAP Authentication Server

You can configure either an Active Directory or an OpenLDAP authentication server in Command Center. You can enable group extraction to apply Active Directory or OpenLDAP authorization settings to groups configured in Command Center.

To configure an Active Directory or OpenLDAP authentication server

1. In Command Center, on the Administration tab, in the right pane, under Security, click Authentication Settings.

2. Under Configure Authentication Settings, in Authentication Server, select LDAP.

3. In the Server Type on which the LDAP is configured* list, select Active Directory or OpenLDAP.

4. Set the following parameters:

  • Server Name/IP Address*. Server Name or IP address of the Active Directory or the OpenLDAP server.
  • Server Port*. Port number of the Active Directory or the OpenLDAP server.
  • Base DN*. Fully qualified domain name. For example, 'DC=company,DC=net'.
  • Administrator Bind DN*. User name that Command Center uses to bind to the Active Directory or OpenLDAP server. For example, admin@company.net or CN=admin,CN=Users,DC=company,DC=net.
  • Administrator Password*. Password for the Active Directory or OpenLDAP server.

5. Select the Enable Group Extraction option to apply the Active Directory or OpenLDAP authorization settings to groups configured in Command Center.

6. Set the following parameters:

  • Logon Name Attribute*. Name attribute used by Command Center to query the external Active Directory or OpenLDAP server. For example, sAMAccountName or uid.
  • Search Filter. Search string to extract groups from the Active Directory or OpenLDAP server.
  • Group Attribute*. Attribute name of group extraction from the Active Directory or OpenLDAP server. For example, memberOf.
  • Group Sub Attribute*. Sub-attribute name of group extraction from the Active Directory or OpenLDAP server. For example, cn.

7. Click OK.
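The following Python, added here and not part of the Citrix documentation or product, shows how the step 6 settings combine during group extraction: the Group Sub Attribute (cn) is read from each value of the Group Attribute (memberOf) and compared, case-sensitively, against the groups configured in Command Center. The directory entry, the group names and the DN handling are constructed assumptions; beyond case sensitivity, the page does not describe the matching rules inside Command Center.

```python
# Added example, not Citrix code: how the group-extraction settings fit
# together. For a user's directory entry, read each value of the Group
# Attribute (memberOf), take the Group Sub Attribute (cn) from that group DN,
# and keep only names that exactly match a Command Center group. Group names
# are case-sensitive (see "Adding Groups"); a user with no matching group
# falls into the default Users group. The entry and groups are constructed.
import re

GROUP_ATTRIBUTE = "memberOf"   # Group Attribute* from step 6
GROUP_SUB_ATTRIBUTE = "cn"     # Group Sub Attribute* from step 6
DEFAULT_GROUP = "Users"

# Groups as configured on the Command Center Groups page (constructed).
COMMAND_CENTER_GROUPS = {"Users", "NetScaler-Admins", "ReadOnly"}

# Constructed directory entry: attribute name -> list of string values.
SAMPLE_ENTRY = {
    "sAMAccountName": ["jdoe"],
    "memberOf": [
        "CN=NetScaler-Admins,OU=Groups,DC=company,DC=net",
        "CN=readonly,OU=Groups,DC=company,DC=net",       # case differs: no match
        "CN=Sales\\, EMEA,OU=Groups,DC=company,DC=net",  # escaped comma in RDN
    ],
}

def split_rdns(dn):
    """Split a DN on unescaped commas (RFC 4514) and unescape '\\,' in each RDN."""
    return [part.replace("\\,", ",") for part in re.split(r"(?<!\\),", dn)]

def extract_sub_attribute(group_dn, sub_attribute):
    """Value of the first RDN whose attribute type is sub_attribute, else None.
    Attribute types compare case-insensitively; values are returned as-is."""
    for rdn in split_rdns(group_dn):
        attr, sep, value = rdn.partition("=")
        if sep and attr.strip().lower() == sub_attribute.lower():
            return value.strip()
    return None

def extract_groups(entry, group_attribute=GROUP_ATTRIBUTE,
                   sub_attribute=GROUP_SUB_ATTRIBUTE):
    """Group names the directory asserts for the user, in attribute order."""
    names = []
    for dn in entry.get(group_attribute, []):
        name = extract_sub_attribute(dn, sub_attribute)
        if name is not None:
            names.append(name)
    return names

def effective_groups(entry, configured=COMMAND_CENTER_GROUPS):
    """Command Center groups the user inherits: exact, case-sensitive matches,
    or the default group when nothing matches."""
    matched = [name for name in extract_groups(entry) if name in configured]
    return matched or [DEFAULT_GROUP]
```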

Configuring the RADIUS Authentication Server

RADIUS authentication uses a secret key, an IP address, and the port number.

If Command Center servers are configured in an HA mode, you must provide the identification code assigned to the secondary server.

To configure a RADIUS authentication server

1. In Command Center, on the Administration tab, in the right pane, under Security, click Authentication Settings.
2. Under Configure Authentication Settings, in Authentication Server, select RADIUS.
3. Set the following parameters:

  • Server Name/IP Address*. Server Name or IP address of the RADIUS server.
  • Server Port*. Port number of the RADIUS server.
  • Secret Key*. Key shared between Command Center and the RADIUS server for communication.
  • Password Encoding*. Type of encoding of passwords for packets travelling from Command Center to the RADIUS server.
  • NAS IP Address. IP address of Command Center. The Command Center IP address is sent to the RADIUS server as the Network Access Server (NAS) IP Address.
  • NAS Identifier. String sent to the RADIUS server as the Network Access Server ID (NASID).

4. If Command Center servers are configured in HA mode, in Secondary Server NAS Identifier, specify the NAS identifier assigned to the secondary server.
5. Select the Enable Group Extraction option to apply the RADIUS authorization settings to groups configured in Command Center.
6. Set the following parameters:

  • Group Vendor Identifier. RADIUS vendor ID attribute, used for RADIUS group extraction.
  • Group Attribute Type. RADIUS attribute type, used for RADIUS group extraction.

7. Click OK.
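As an added illustration (not Citrix code) of what Group Vendor Identifier and Group Attribute Type select, the Python below decodes the Vendor-Specific attributes of a RADIUS reply and keeps the values that carry the configured vendor ID and vendor type. The packet bytes, vendor IDs and group names are constructed; 99999 stands in for a real IANA-assigned vendor ID, which the page does not give.

```python
# Added example, not Citrix code: what Group Vendor Identifier and Group
# Attribute Type select in a RADIUS reply. Vendor data travels in attribute 26
# (Vendor-Specific, RFC 2865 section 5.26): a 4-byte vendor ID followed by
# vendor-type / vendor-length / value sub-attributes. Group extraction keeps
# the values whose vendor ID and vendor type equal the configured pair.
# The vendor IDs, types and packet bytes below are constructed sample data.
import struct

VENDOR_SPECIFIC = 26  # RADIUS attribute type for Vendor-Specific

def build_vsa(vendor_id, vendor_type, value):
    """Encode one Vendor-Specific attribute (used only to build sample input)."""
    sub = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    body = struct.pack("!I", vendor_id) + sub
    return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(body)) + body

def iter_attributes(attr_bytes):
    """Yield (type, value) for each top-level attribute in a RADIUS attribute
    section; a length that runs past the buffer is rejected, not trusted."""
    pos = 0
    while pos + 2 <= len(attr_bytes):
        attr_type, length = attr_bytes[pos], attr_bytes[pos + 1]
        if length < 2 or pos + length > len(attr_bytes):
            raise ValueError("malformed attribute length at offset %d" % pos)
        yield attr_type, attr_bytes[pos + 2:pos + length]
        pos += length

def extract_radius_groups(attr_bytes, vendor_id, vendor_type):
    """Group names carried in VSAs of the configured vendor ID and type."""
    groups = []
    for attr_type, value in iter_attributes(attr_bytes):
        if attr_type != VENDOR_SPECIFIC or len(value) < 6:
            continue
        (vid,) = struct.unpack("!I", value[:4])
        if vid != vendor_id:
            continue
        pos = 4
        while pos + 2 <= len(value):
            vtype, vlen = value[pos], value[pos + 1]
            if vlen < 2 or pos + vlen > len(value):
                break  # malformed sub-attribute: ignore the rest of this VSA
            if vtype == vendor_type:
                groups.append(value[pos + 2:pos + vlen].decode("utf-8", "replace"))
            pos += vlen
    return groups

# Constructed Access-Accept attribute section: two VSAs from placeholder vendor
# 99999 (group type 1 and another type) and one from a vendor to be ignored.
SAMPLE_ATTRIBUTES = (
    build_vsa(99999, 1, b"NetScaler-Admins")
    + build_vsa(99999, 2, b"not-a-group")
    + build_vsa(12345, 1, b"OtherVendorGroup")
)
```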

Configuring the TACACS Authentication Server

Similar to RADIUS authentication, TACACS+ uses a secret key, an IP address, and the port number. The default port number is 49.

To configure a TACACS authentication server

1. In Command Center, on the Administration tab, in the right pane, under Security, click Authentication Settings.
2. Under Configure Authentication Settings, in Authentication Server, select TACACS+.
3. Set the following parameters:

  • Server Name/IP Address*. Server Name or IP address of the TACACS server.
  • Server Port*. Port number of the TACACS server.
  • Secret Key*. Key shared between Command Center and the TACACS server for communication.
  • Password Encoding*. Type of encoding of passwords for packets travelling from Command Center to the TACACS server.

4. Click OK.

Configuring Groups

Groups are logical sets of users that need to access common information or perform similar kinds of tasks. You can organize users into groups defined by a set of common operations. By providing specific permissions to groups rather than individual users, you can save time when creating new users.

If you are using an Active Directory server for authentication, groups in Command Center can be configured to match groups configured on Active Directory servers. When a user who belongs to a group whose name matches a group on the authentication server logs on and is authenticated, the user inherits the settings of the matching group in Command Center.


Adding Groups

You can add groups and assign permissions to the groups.

To add groups

  1. On the Administration tab, under Security, click Groups.
  2. Under Groups, click Add.
  3. Under Add Group, in Group Name, type the name of the new group, or the names of multiple groups separated by commas. If you have enabled group extraction from Active Directory and configured the Active Directory settings under Authentication Settings, you can instead click Browse and select a group name from the retrieved Active Directory group names.
    Note: The Browse button is available only if you have enabled group extraction and provided the Active Directory group attributes.
    Important: When creating groups in the Command Center for group extraction from Active Directory, group names must be the same as those defined in Active Directory. Group names are also case-sensitive and must match those in Active Directory. Special characters are supported in group names.
  4. Select the check boxes against the permissions you want to assign for each feature. Note that selecting Grant administrative privileges assigns permission to perform all operations, but only on the Administration tab.

Assigning Users to Groups

You can assign Command Center users to a group depending on the permissions that you want to grant them.

To assign users to groups

  1. On the Administration tab, under Security, click Groups.
  2. Under Groups, click the group to which you want to assign users, and then select Assign To from the action drop-down list.
  3. Under Configure Group, in Available Users, click the user(s) that you want to include in the group, and then click the + icon.

Note: To remove a selected user, click the user you want to remove in Configured Users, and then click the - icon.

Modifying Groups

After you have added a group, you can modify the permissions assigned to that group. You can also add or remove users assigned to a group.

You can also modify a group to provide fine-grained authorization support. You can ensure that the user performs operations only on those devices or data defined by the authorization settings assigned to his or her account or group. For example, if you want to restrict any operations that the user performs to a specific set of devices (for example, NetScaler VPX), then you must set the authorization criteria with the relevant property values as described in the following procedure.

To modify groups

  1. On the Administration tab, under Security, click Groups.
  2. Under Groups, click the group you want to modify.
  3. To add or remove a user, select Assign To from the action drop-down list, and make the modifications as required.
  4. To change the permissions assigned to a group, click Edit, and then change the permissions you want to assign for each feature.
  5. To configure authorization settings, click Advanced Settings.
  6. Under Advanced Settings, in Property Name, select the property for which you want to add the authorization settings (for example, Device Type), and in Property Value, enter the value of the property (for example, NetScaler VPX), and then click OK.
    Note: You can enter the property value with the wildcard character %. For example, if you enter the server name as webin% or %storfron%, Command Center looks for server names beginning with 'webin' or server names containing the term 'storfron', and then applies the authorization settings to them.
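The note's % wildcard, implemented as an added example (not Citrix code) over a constructed device inventory: webin% and %storfron% are translated into anchored patterns and used to filter devices by the configured property values. How several values and several properties combine, and that comparison is case-sensitive, are assumptions stated in the comments, since the page does not say.

```python
# Added example, not Citrix code: the matching rule in the note above. A
# Property Value may contain the wildcard %, so "webin%" selects names that
# start with "webin" and "%storfron%" selects names that contain "storfron";
# all other characters match literally. How several values and properties
# combine is not stated on the page; this code assumes a device must satisfy
# at least one value of every configured property, compared case-sensitively.
# The device inventory and criteria are constructed sample data.
import re

def value_to_regex(value):
    """Turn a Property Value with % wildcards into an anchored regular expression."""
    literal_parts = [re.escape(part) for part in value.split("%")]
    return re.compile("^" + ".*".join(literal_parts) + "$", re.DOTALL)

def matches(value, candidate):
    """True when candidate satisfies the (possibly wildcarded) Property Value."""
    return value_to_regex(value).match(candidate) is not None

def authorized_devices(devices, criteria):
    """Names of the devices a group may operate on. criteria maps a Property
    Name to the list of Property Values configured under Advanced Settings."""
    allowed = []
    for device in devices:
        if all(any(matches(v, device.get(prop, "")) for v in values)
               for prop, values in criteria.items()):
            allowed.append(device["Name"])
    return allowed

# Constructed inventory, keyed by the Property Names used in the criteria.
DEVICES = [
    {"Name": "webin01", "Device Type": "NetScaler VPX"},
    {"Name": "webin02", "Device Type": "NetScaler MPX"},
    {"Name": "eu-storfront-1", "Device Type": "NetScaler VPX"},
    {"Name": "db-core", "Device Type": "NetScaler VPX"},
    {"Name": "xwebin", "Device Type": "NetScaler VPX"},
]

# Constructed criteria for one group: NetScaler VPX devices only, and of those
# only the ones whose name begins with "webin" or contains "storfron".
CRITERIA = {"Device Type": ["NetScaler VPX"], "Name": ["webin%", "%storfron%"]}
```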

Deleting Groups

You can delete groups that you no longer want to use from the database. Ensure that all the users assigned to the group are removed from the group before deleting the group.

To delete groups

  1. On the Administration tab, under Security, click Groups.
  2. Under Groups, select the groups that you want to remove, and then click Delete.

Configuring Users

A user is an individual entity that logs on to Command Center to perform a set of device management tasks. To allow someone access to Command Center, you must create a user account for that user. After you create a user account, you can associate the user with groups and set permissions according to the group requirements.

From the Command Center interface, you can seamlessly specify local or external as the authentication type for a user. You can specify the authentication type when adding the user to Command Center, or you can edit the user's settings later.

Important: The external authentication type is supported only when you set up one of the authentication servers: RADIUS, Active Directory, or TACACS+.


Adding Users

You can add new users whenever you need to provide a user access to Command Center. By default, a new user has only logon permission. You can provide access to various modules by making the user a member of preconfigured groups that contain those modules.

To add users

  1. On the Administration tab, under Security, click Users.
  2. Under Users, click Add.
  3. In User name, type a user name for the new user and in Password and Confirm Password, type a password for the user name.
  4. In Groups, click Available, and then select the groups to which you want to add the new user.
    Note: To add the new user account to a new group, type the name of the group, and click Add.
  5. In Password Expires In, type the number of days after which you want the password to expire.
    Note: If the user logs on after the password expires, the user is directed to the Change Password page to reset the password. The user can change the password only if the authentication type of the user is Local.
  6. In Account Expires In, type the number of days after which you want the account to expire.
  7. Set the authentication type for the user. Select Local Authentication User value as True for local authentication. For external authentication, select False.
    Note: The external authentication type is supported only when you set up one of the authentication servers: RADIUS, Active Directory, or TACACS+.
  8. Click Create. The user is added to Command Center with the selected authentication type. You can view the details on the Users page.

Assigning Groups to a User

You must associate a user with at least one group.

To assign groups to a user

  1. On the Administration tab, under Security, click Users.
  2. Under Users, click the user name with which you want to associate a group, and then select Assign To from the action drop-down list.
  3. In Configure User, click + Add, click the groups that you want to associate with the user, and then click OK.

Viewing Permissions Assigned to Users

You can view the permissions that are assigned to a user.

To view permitted operations assigned to users

  1. On the Administration tab, under Security, click Users.
  2. Under Users, click the user name for which you want to view the permitted operations and from the action drop-down list select Assign To.
  3. On the Groups page, for the associated groups, view the permitted operations by clicking Edit.

Modifying User Profiles

You can modify the user profiles you have created. You can make changes to various parameters, such as the state of a user, password to log on, password expiration, account expiration, authentication type, assigned groups, and permitted operations.

To modify user profiles

  1. On the Administration tab, under Security, click Users.
  2. Under Users, click the user profile you want to modify, and then click Edit.
  3. Under Configure User, make changes as required. To modify the authentication type of the user, select the options in Local Authentication User.
    Note: If you modify the authentication type for a user from external to local, the default password is the same as the user name.
  4. Click OK.

Changing the Root User Password

The root user account is the super user account in Command Center. The default password for the root account is public. Citrix recommends that you change the password after you install the Command Center server.

If you specify the password expiry value for the user account, the password expires after the number of days specified. When the password is about to expire, a notification is displayed when you log on to Command Center server, and you are prompted to navigate to the Change Password screen to modify the password.


On a Command Center appliance, when you modify the root user credentials on the primary, the password of the Command Center root user, the SSH root user of CentOS, the SSH root user of XenServer, and the database password are modified on both the primary and the secondary device.

To change the root user password

  1. On the Administration tab, under Security, click Users.
  2. Under Users, select the root user name, and then click Edit.
  3. Under Configure User, in New password and Re-type password, type and retype the new password you want to use, and then click OK.

Deleting Users

You can remove user accounts you do not want to use.

To delete users

  1. On the Administration tab, under Security, click Users.
  2. Under Users, click the user name(s) you want to delete, and then click Delete.

Configuring Password Policy

Updated: 2014-07-31

Command Center applies a password policy to provide security against hackers and password-cracking software.

The password policy specifies the minimum length and complexity of a password.

To set the password policy

On the Administration tab, click Security, and in the right pane, select Password Policy.

Viewing Audit Logs for All Users

Use audit logs to view the operations that a Command Center user has performed. The audit log identifies all operations that a user performs, the date and time of each operation, and the success or failure status of the operation. Citrix recommends that you periodically clear audit logs after reviewing them.

You can perform the following operations on audit logs:

  • View the audit log details of all users or a single user.
  • Sort the details by user, operation, audit time, category, AuditedObject, and status by clicking the appropriate column heading.
  • Clear the audit logs when you no longer need to manage them.

To view audit logs for all users

  1. On the Administration tab, in the right pane, under Security, click Audit Logs.
  2. Under Audit Logs, you can view and do the following:
    • User: Specifies the user name of the user for which you can view the audit logs. Click the user name to view the audit details of that user.
    • Operation: Specifies the operation the user has performed for which the audit log is available.
    • Time: Specifies the time when the audit log was generated.
    • Status: Specifies the status of the audit, such as Success or Failed.
    • Category: Specifies the category of the operation that is audited, such as Authentication.
    • Audited Object: Specifies the security administration operations, such as operations on users or groups, that are audited by Command Center.
    • Export: Click Export if you want to export all the audited information to a CSV file.

Configuring a Command Center Appliance as an SNMP Agent

You can configure a Command Center appliance as an SNMP agent so that any external SNMP manager can monitor the appliance and query any of its Management Information Base (MIB) objects. To allow queries of the Command Center MIB objects, you must specify the community string, the IP address of the SNMP manager, and the SNMP access level.

To configure an SNMP agent

  1. On the Administration tab, under Security, click SNMP Agent Configuration.
  2. Click Add, and configure the SNMP agent to communicate with the SNMP manager.