We always recommend that a system administrator defer to the vendor’s official documentation on credential creation. Please follow the vendor’s instructions for configuring the device for access with an SSH key, and then use the Indeni WebGUI to store the private key in the relevant Credential Profile.
Determining which Account Type to Set Up
By default, admin privileges are created for all Alteon devices. However, please see the recommended configuration for the Indeni user below.
Setting up the Indeni User Account:
Please Note: Up to 10 users can be created at any time.
Creating a Local Account via CLI:
- To enter user configuration, type the following: /cfg/sys/access/user/uid <#>
a. Create the user name: “name”
b. Change the password: “pswd”
c. Establish the privilege level: “cos admin”
- Type “enable”
- Type “apply”
Creating a New Local Administrator Account in Alteon:
- In the directory on the left, select “Users” → “Local Users”. Select the ‘+’ symbol.
- To create the correct user for Indeni, you need to:
a. Enable the User.
b. Define the User ID, User Name, User Roles (administrator only) and define the new password.
Please Note: Up to 11 credentials can be defined at a time.
c. Optional Configuration: You can enable fallback to RADIUS/TACACS should the local database fail at any point. This allows Radware to communicate with the RADIUS/TACACS server configured for authentication/authorization. Please read the Alteon application user guide to properly configure this.
- After configuring the user, click on “Submit”.
- Click on “Apply” and “Save” to save your configurations. Make sure you are not accidentally making any additional changes to the devices. You can check this by clicking on the “Diff” button on the top right.
Configuring the administrator account for remote authentication (RADIUS/TACACS)
For both RADIUS and TACACS:
- To configure the Alteon to communicate with a RADIUS and TACACS server over the web GUI, select “Remote Authentication”, which is just below “Local Users”.
- Make sure to configure the fields required for your RADIUS/TACACS server, because the only way to test whether the server is connected is to log in over SSH using the new configuration.
RADIUS Authentication Only:
Ensure that the credentials used have the correct RADIUS attribute. For administrator privileges, the default attribute “6” works just fine.
TACACS Authentication Only:
TACACS+ uses the AAA architecture, which separates Authentication, Authorization, and Accounting. This allows separate authentication solutions that can still use TACACS+ for authorization and accounting.
For example, with TACACS+, it is possible to use Kerberos authentication and TACACS+ authorization and accounting. After Alteon authenticates a user on a Kerberos server, it requests authorization information from a TACACS+ server without requiring re-authentication. Alteon informs the TACACS+ server that it has successfully authenticated the user on a Kerberos server and the server then provides authorization information.
Alteon supports ASCII inbound logins. However, the following are not supported:
- PAP, CHAP, and ARAP login methods.
- TACACS+ change password requests.
- One-time password authentication.
For TACACS Authorization, privilege level differs in the following scenarios:
- Disabled Privilege Level Mapping. TACACS+ Level should be set to 6
- Enabled Privilege Level Mapping. TACACS+ Level should be set to 14 or 15
Frequently Asked Questions
Why does Indeni need administrator access?
Alteon devices heavily restrict each privilege level from viewing data outside its own scope. Privileges are designed around what may be configured on the load balancers.
For example, networking has access only to the L2-L3 configurations of the Alteon, while the “server operator” privileges can only view configurations involving the application servers that Indeni is connected to. This separation makes it difficult to use one account to view all levels of data without administrator privilege.
Indeni is strictly read-only. We do not execute any changes against the device.