Configuring User Access (NSM Procedure)
This section includes the following topics:
Configuring Login Classes
You can define any number of login classes and then apply one login class to an individual user account. All users who can log in to the router must be in a login class. With login classes, you define the following:
- Access privileges users have when they are logged in to the router
- Commands and statements that users can and cannot specify
- How long a login session can be idle before it times out and the user is logged out
To configure login classes:
- In the NSM navigation tree, select Device Manager > Devices.
- Click the Device Tree tab and then double-click the device for which you want to configure a login class.
- Click the Configuration tab. In the configuration tree, select System > Login > Class.
- Add or modify login class settings as specified in Table 27.
- Click one:
  - New—Adds a new login class.
  - OK—Saves the changes.
  - Cancel—Cancels the modifications.
  - Search—Searches for a login class.
Table 27: Login Class Authentication Configuration Details
Option | Function | Your Action |
---|---|---|
Class | ||
Name | Specifies a name for the login class. | Enter a name for the login class. |
Comment | Specifies the comment added to the class. | Enter a comment. |
Access Start | Specifies the start time for remote access. | Enter the start time for remote access in hh:mm format. |
Access End | Specifies the end time for remote access. | Enter the end time for remote access in hh:mm format. |
Idle Timeout | Specifies the maximum idle time before logout. | Enter the maximum idle time before logout in minutes. |
Login Alarms | Displays the system alarms when logging in. | – |
Login Script | Executes the login-script when logging in. | – |
Login Tip | Displays tips when logging in. | – |
Allow Commands | Specifies the operational mode commands that members of a login class can use. | Enter the command name enclosed in quotation marks. For example, “request system reboot”. |
Deny Commands | Specifies the regular expression for commands to deny explicitly. | Enter the command name enclosed in quotation marks. For example, "(show system statistics)|(show bgp summary)". |
Allow Configuration | Specifies the regular expression for configuration to allow explicitly. | Enter the configuration in quotation marks. For example, "regular expression 1". |
Deny Configuration | Specifies the regular expression for configuration to deny explicitly. | Enter the configuration in quotation marks. For example, "system services". |
Security Roles | Specifies the common criteria for security role. | The options available are:
|
Login > Class > Allow Configuration Regexps | ||
Allow Configuration Regexps | Specifies the object path regular expressions to be allowed. | Enter a regular expression string. For example, "interfaces .* description .*" "interfaces .* unit .* description .*" "interfaces .* unit .* family inet address .*" "interfaces .* disable". |
Login > Class > Allowed Days | ||
Allowed Days | Specifies the day(s) of the week when access is allowed. | Select the day(s) from the drop-down box. For example, Monday. |
Login > Class > Deny Configuration Regexps | ||
Deny Configuration Regular Expressions | Specifies the object path regular expressions to be denied. | Enter the regular expression string. For example, "system" "protocols". |
Login > Class > Permissions | ||
Permissions | Configures the login access privileges to be provided on the device. | Enter a new permission. |
Configuring User Accounts
User accounts provide one way for users to access the device. (Users can access the router without accounts if you configured RADIUS or TACACS+ servers.) For each account, define the login name for the user and, optionally, information that identifies the user. After you have created an account, a home directory is created for the user.
To configure user accounts:
- In the NSM navigation tree, select Device Manager > Devices.
- Click the Device Tree tab and then double-click the device for which you want to configure a user account.
- Click the Configuration tab. In the configuration tree, select System > Login > User.
- Add or modify user account settings as specified in Table 28.
- Click one:
  - New—Adds a new user account.
  - OK—Saves the changes.
  - Cancel—Cancels the modifications.
  - Search—Searches the available login classes.
Table 28: User Authentication Configuration Details
Option | Function | Your Action |
---|---|---|
Name | Identifies the user with a unique name. | Enter a unique name for the user. |
Comment | Specifies the comment added to the login class. | Enter a comment. |
Full Name | Specifies the full name of the user. | Enter the full name. |
Uid | Specifies the user identifier. | Enter a user ID. For example, 100...64000. |
Class | Specifies the user's login class. | Select the class name. |
Login > User > Authentication | ||
Plain Text Password Value | Specifies the user’s password. | Enter the plain text password for the user. |
Login > User > Authentication > Ssh DSA | ||
Ssh DSA | Specifies the secure shell (ssh) DSA public key string. | Enter a DSA public key string. |
Name | Specifies the name of the DSA public string. | Enter a unique name for the DSA public string. |
Comment | Specifies the comment added to the ssh data. | Enter a comment. |
From | Specifies the pattern-list of hosts allowed. | – |
Login > User > Authentication > Ssh Rsa | ||
Ssh RSA | Specifies the secure shell (ssh) RSA public key string. | Enter an RSA public key string. |
Name | Specifies the name of the RSA public string. | Enter a unique name for the RSA public string. |
Comment | Specifies the comment added to the RSA data. | Enter a comment. |
From | Specifies the pattern-list of hosts allowed. | – |
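The following pre-flight check for the values in Table 27 and Table 28 is an added example, not part of NSM or of the original procedure. It verifies the hh:mm times, the idle timeout, the quoting and syntax of the regular-expression fields, the 100...64000 user ID range, and that a user's class is defined. The dictionary keys, sample values, and function names are assumptions made for illustration, and Python's `re` module serves only as a syntax check; the device evaluates the expressions with its own regex engine.

```python
import re

TIME_RE = re.compile(r"([01]\d|2[0-3]):[0-5]\d")   # hh:mm, 24-hour clock
QUOTES = {'"': '"', "\u201c": "\u201d"}             # straight and curly quote pairs
REGEX_FIELDS = ("deny_commands", "allow_configuration_regexps",
                "deny_configuration_regexps")

def split_quoted(value):
    """Split '"system" "protocols"' into its quoted strings; ValueError if malformed."""
    items, i = [], 0
    while i < len(value):
        ch = value[i]
        if ch.isspace():
            i += 1
            continue
        if ch not in QUOTES:
            raise ValueError(f"unquoted text at offset {i}")
        end = value.find(QUOTES[ch], i + 1)
        if end == -1:
            raise ValueError(f"unterminated quote at offset {i}")
        items.append(value[i + 1:end])
        i = end + 1
    return items

def lint_class(cls):
    """Return findings for one login-class definition (Table 27 fields)."""
    findings = []
    for key in ("access_start", "access_end"):
        if key in cls and not TIME_RE.fullmatch(cls[key]):
            findings.append(f"{key}: {cls[key]!r} is not hh:mm")
    if not str(cls.get("idle_timeout", "")).isdigit():
        findings.append("idle_timeout: missing or not whole minutes")
    for key in REGEX_FIELDS:
        try:
            for pattern in split_quoted(cls.get(key, "")):
                re.compile(pattern)          # syntax check only (assumption: approximates the device)
        except (ValueError, re.error) as exc:
            findings.append(f"{key}: {exc}")
    return findings

def lint_user(user, class_names):
    """Return findings for one user account (Table 28 fields)."""
    findings = []
    if not 100 <= user.get("uid", -1) <= 64000:
        findings.append("uid: outside 100...64000")
    if user.get("class") not in class_names:
        findings.append(f"class: {user.get('class')!r} is not a defined login class")
    return findings

# Constructed sample input: a bad end time and a missing closing quote.
SAMPLE_CLASS = {"name": "noc-operator", "access_start": "08:00", "access_end": "18:60",
                "idle_timeout": "10", "deny_commands": '"(show system statistics)|(show bgp summary)"',
                "allow_configuration_regexps": '"interfaces .* description .*" "interfaces .* unit .* family inet address .* "interfaces .* disable"',
                "deny_configuration_regexps": '"system" "protocols"'}
SAMPLE_USER = {"name": "jdoe", "uid": 99, "class": "noc-operatr"}
```

Run `lint_class` and `lint_user` on each definition before entering it in NSM; an empty list means every checked field passed.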