
Device Administrator Account Configuration Overview

You must create an account for each device administrator on the managed device. A device administrator account consists of a device admin privilege level, a username, a password, and optionally one or more public key authentication (PKA) keys for the admin.

Additionally, for security devices that run ScreenOS 5.0 or later, you can configure privileges for the Trustee, such as granting the permission to configure the untrust Ethernet interface and the permission to configure the untrust modem interface.

Configuring Privilege Level

A security device supports multiple device administrators. NSM connects to the device as the root device administrator, and has complete administrative privileges for the device.

A security device can have only one root device administrator which cannot be deleted. Additionally, after you create the root device administrator (or import from an existing device) you cannot change the name of the root device administrator. To delete an existing root device administrator, you can change the privilege level of the administrator to a non-root privilege, and then save and delete the administrator. If you delete the root device administrator, however, you must then create a new root device administrator before installing the modeled configuration on the managed device (NSM must use the root device administrator account to communicate with the managed device).

Note

For ScreenOS 5.x devices, you can set or change the root device admin password using the directive “Set Root Admin.” To execute this directive, right-click the device in the Device Manager device list and select Device > Set Root Admin.

When you create other device administrators, you must assign each one a privilege level. The privileges listed in Table 1 take effect once the device admin has logged in to the device successfully.

Table 1: Privilege Level

Privilege Levels

Description

Read/Write Device Administrator

The read/write administrator has the same privileges as the root device administrator, but cannot create, modify, or remove other device administrators. Privileges include:

  • Creates virtual systems and assigns virtual system administrators

  • Monitors any virtual system

  • Tracks statistics (this privilege cannot be delegated to a virtual system administrator)

Read-Only Device Administrator

The read-only device administrator has viewing privileges only in the Web UI, and in the CLI can issue only the enter, exit, get, and ping commands. Privileges include:

  • Read-only privileges in the root system, using the following four commands: enter, exit, get, and ping

  • Read-only privileges in virtual systems

    Note: All system administrators, including those assigned a Read-Only role, can create and run their own reports.

Virtual System Device Administrator (available on security devices that support virtual systems)

Each virtual system (vsys) is a unique security domain, which can be managed by virtual system device administrators with privileges that apply only to that vsys. Virtual system administrators independently manage virtual systems through the CLI or Web UI. Privileges include:

  • Creates and edits auth, IKE, L2TP, XAuth, and Manual Key users

  • Creates and edits services

  • Creates and edits policies

  • Creates and edits addresses

  • Creates and edits VPNs

  • Modifies the virtual system administrator login password

  • Creates and manages security zones

  • Adds and removes virtual system read-only administrators

Virtual System Read-Only Device Administrator (available on security devices that support virtual systems)

A virtual system read-only administrator has the same set of privileges as a read-only administrator, but only within a specific virtual system. A virtual system read-only administrator has viewing privileges for a particular vsys through the Web UI, and can only issue the enter, exit, get, and ping CLI commands within that vsys.

For any configuration change made by a device administrator, the managed device generates a log entry with the name of the device administrator making the change, the IP address from which the change was made, and the time of the change. These log entries appear as configuration logs in the NSM Log Viewer.

Configuring Authentication

A device administrator can authenticate a connection to a security device using one of two authentication methods: Password or Public Key (ScreenOS 5.x devices only). Regardless of the authentication method you want the device administrator to use, you must initially define a password for the admin account. If you later bind a public key to the admin, the device authenticates that admin's SSH sessions with the key and the password is no longer used for them.

Use password authentication for device administrators who need to configure or monitor the managed device. You can use this authentication method for device administrators on ScreenOS 5.x devices.

Note

All passwords handled by NSM are case-sensitive.

  • To configure authentication, enter a username, password, and privilege level for the device administrator account, and then select SSH Password Authentication.

  • To connect using an SSH-aware application, the device administrator (the SSH client) initiates an SSH connection to the managed device (the SSH server). When SSH is enabled on the interface receiving the connection request, the managed device prompts the admin for a username and password, and then compares them with the information in the device admin account. If both the username and the password match, the device authenticates the connection; if either does not match, the device rejects the connection request.

Use Public Key Authentication (PKA) for greater security or to run automated scripts. You can use this authentication method for device administrators on a ScreenOS 5.x device.

  • To configure PKA, generate the PKA public/private key pair using the key generation program in an SSH client application (see the SSH client application documentation for more information). The key pair is RSA for SSHv1 and DSA for SSHv2. The private key stays on the SSH client, where the device administrator uses it to log in; load only the public key on the managed device, using a TFTP server or SCP (ScreenOS 5.1 and later only), and bind it to the device administrator account.

  • To connect using an SSH-aware application, the device administrator (the SSH client) initiates an SSH connection to the managed device (the SSH server). When SSH is enabled on the interface receiving the connection request, the managed device prompts for a username and the client presents its public key (proving possession of the matching private key as part of the SSH exchange). The device compares that public key with the up to four public keys bound to the device admin account. If one of the keys matches, the device authenticates the connection; if no key matches, the device rejects the connection request.

When the managed device receives the connection request, it first checks the device administrator account for a public key bound to that administrator. If a matching key is found, the managed device authenticates the administrator using PKA; if no matching key is found, the managed device prompts for a username and password. You can store up to four PKA keys for each device administrator.

You must enable SSH on the interface through which the device administrator connects to the managed device using an SSH connection.

Admin Access Lock Setting

Admin access lock locks a device administrator account after a specified number of consecutive failed authentication attempts, and keeps it locked for a configured lockout time. If this option is disabled, you cannot set the number of allowed authentication failures, and the value stays at its default of 1. If this option is enabled, you can set both the failure count and the admin access lock time; the lockout begins once the specified number of failed login attempts has been reached, and the account remains locked for that time.
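The following is an added illustrative model of the account rules described in the Configuring Privilege Level, Configuring Authentication and Admin Access Lock sections above; it is example code written for this page, not ScreenOS or NSM code, and it stands in for the device. It assumes a hypothetical ManagedDevice class with in-memory accounts, represents PKA keys by their fingerprints rather than performing a real SSH key exchange, and uses constructed usernames, passwords, key fingerprints and IP addresses. It enforces the single root admin, case-sensitive passwords, the four-key limit per admin, key-first then password authentication, lockout after a configurable number of failures, the read-only command set (enter, exit, get, ping), and the configuration log entry with admin name, source IP and time.

```python
"""Illustrative model of ScreenOS device-administrator handling (added example,
not ScreenOS/NSM code). Names, keys and addresses below are constructed."""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass, field

MAX_PKA_KEYS = 4                                   # up to four PKA keys per admin
READ_ONLY_COMMANDS = {"enter", "exit", "get", "ping"}  # all a read-only admin may issue
CONFIG_VERBS = {"set", "unset"}                     # commands that change configuration


def _hash_password(password: str, salt: bytes) -> bytes:
    # Passwords are case-sensitive; hashing the raw string preserves that.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class AdminAccount:
    name: str
    privilege: str            # "root", "read-write" or "read-only"
    salt: bytes
    pw_hash: bytes
    pka_keys: list = field(default_factory=list)  # public-key fingerprints bound to the admin
    failed_logins: int = 0
    locked_until: float = 0.0


class ManagedDevice:
    """Hypothetical stand-in for the managed device (assumption, not a real API)."""

    def __init__(self, lock_threshold: int = 1, lock_seconds: float = 60.0):
        self.admins = {}
        self.config_log = []
        self.lock_threshold = lock_threshold   # failures before lockout (page default: 1)
        self.lock_seconds = lock_seconds       # admin access lock time

    def add_admin(self, name: str, password: str, privilege: str) -> None:
        if privilege == "root" and any(a.privilege == "root" for a in self.admins.values()):
            raise ValueError("a device has exactly one root administrator")
        salt = os.urandom(16)
        self.admins[name] = AdminAccount(name, privilege, salt, _hash_password(password, salt))

    def delete_admin(self, name: str) -> None:
        if self.admins[name].privilege == "root":
            raise ValueError("change the root admin to a non-root privilege before deleting it")
        del self.admins[name]

    def bind_pka_key(self, name: str, fingerprint: str) -> None:
        acct = self.admins[name]
        if len(acct.pka_keys) >= MAX_PKA_KEYS:
            raise ValueError("at most four PKA keys per device administrator")
        acct.pka_keys.append(fingerprint)

    def ssh_login(self, name: str, *, presented_key: str = None, password: str = None,
                  now: float = None) -> bool:
        """Key-bound admins authenticate only by key; others by password."""
        now = time.time() if now is None else now
        acct = self.admins.get(name)
        if acct is None or now < acct.locked_until:
            return False
        if acct.pka_keys:
            ok = presented_key is not None and any(
                hmac.compare_digest(presented_key, k) for k in acct.pka_keys)
        else:
            ok = password is not None and hmac.compare_digest(
                _hash_password(password, acct.salt), acct.pw_hash)
        if ok:
            acct.failed_logins = 0
            return True
        acct.failed_logins += 1
        if acct.failed_logins >= self.lock_threshold:
            acct.locked_until = now + self.lock_seconds   # admin access lock engages
            acct.failed_logins = 0
        return False

    def run_command(self, name: str, command: str, source_ip: str, now: float = None) -> bool:
        """Authorize a CLI command for a logged-in admin; log configuration changes."""
        acct = self.admins[name]
        verb = command.split()[0]
        if acct.privilege == "read-only" and verb not in READ_ONLY_COMMANDS:
            return False
        if verb in CONFIG_VERBS:
            self.config_log.append({"admin": name, "ip": source_ip,
                                    "time": time.time() if now is None else now,
                                    "command": command})
        return True
```

A practitioner's takeaway from the model: once a key is bound the password path is never consulted for SSH, so the password must still be set (the device requires it) but no longer protects the SSH login, and the lockout counter must also protect the PKA path, which this model does by counting every failed attempt regardless of method.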

Roles for Device Administrator Accounts

You can configure role attributes for admin users. If you set the privilege of the admin user to root, you cannot set the role attribute (that is, the root administrator cannot be assigned a role). If you set the privilege to read-write or read-only, you can assign any of the available role attributes. The default value is Not Assigned.