User Accounts

For on-premises deployments, you can manage users from CV-CUE. You can create new users and then define the LDAP and RADIUS configuration, as applicable, for authenticating those users. You can configure certificate-based authentication of users with the Superuser role. Similarly, you can set the password policy and the user account suspension criteria.
  • Define and manage users from System > User Accounts > Users. You can specify the type of users such as local, LDAP, or RADIUS users.
  • Configure the LDAP server parameters using System > User Accounts > LDAP.
  • Configure the RADIUS server parameters using System > User Accounts > RADIUS.
  • Configure the certificate-based authentication parameters using System > User Accounts > Certificate.
  • Configure the account suspension criteria using System > User Accounts > Account Suspension.

The Users tab also serves as the dashboard where you see a snapshot of the user privileges. From the Users dashboard, you can edit individual user accounts, change the password, lock or unlock the user account, and delete the user. These actions apply to one user at a time, not to multiple users.

User Roles and their Privileges

CV-CUE supports four types of users — Superuser, Administrator, Operator and Viewer. You must have Superuser privileges to manage users in CV-CUE.

The following table details the role-wise privileges in CV-CUE.
| Privileges | Superuser | Administrator | Operator | Viewer |
|---|---|---|---|---|
| User Account Management | | | | |
| Set or modify identification and authentication option (Local, RADIUS, LDAP, and Certificate) | Yes | No | No | No |
| Add and delete users | Yes | No | No | No |
| View and modify properties of any user (in Users tab) | Yes | No | No | No |
| Define password strength, account locking policy, maximum concurrent sessions for all users | Yes | No | No | No |
| View and modify preferences in Manage Account (email, password, language preferences, and time zone) | Yes | Yes | Yes | Yes |
| User actions audit | | | | |
| Download user actions audit log | Yes | No | No | No |
| Modify user actions audit lifetime | Yes | No | No | No |
| System and operation settings | | | | |
| Modify system settings and operating policies | Yes | Yes | No | No |
| Events, devices, and locations | | | | |
| View generated events | Yes | Yes | Yes | Yes |
| Modify and delete generated events | Yes | Yes | Yes | No |
| View devices | Yes | Yes | Yes | Yes |
| Add, delete, and modify devices (APs, Clients, Sensors) | Yes | Yes | Yes | No |
| View locations | Yes | Yes | Yes | Yes |
| Add, delete, and modify locations | Yes | Yes | Yes | No |
| Calibrate location tracking | Yes | Yes | Yes | No |
| Reports | | | | |
| Add, delete, modify — Shared Report | Yes | Yes (only self created) | Yes (only self created) | No |
| Generate — Shared Report | Yes | Yes | Yes | Yes |
| Schedule — Shared Report | Yes | Yes | Yes | No |
| Add, delete, modify, generate, schedule — My Report | Yes (only self created) | Yes (only self created) | Yes (only self created) | No |

Manage Users

The Users tab serves as the dashboard where you see a snapshot of the user privileges. From the Users dashboard, you can edit individual user accounts, change the password, lock or unlock the user account, and delete the user. If a user account is temporarily suspended because of multiple unsuccessful password attempts, you can lift the temporary suspension from the Users dashboard. These actions apply to one user at a time, not to multiple users.

Add Users

To add a user, do the following.
  1. Go to System > User Accounts > Users.
  2. Click Add User.
  3. On the User Name page that opens, provide the user details and then save the page.
The following table describes some of the fields on the User Name page. Some of the fields are not applicable for RADIUS and LDAP users.
Field Description
User Type Specifies the type of user. You can define a local, LDAP, or RADIUS user.
Login ID Specifies the login ID of the user. For RADIUS and LDAP users, the login ID must be the same as the one defined on the RADIUS or LDAP server.
First Name Specifies the first name of the user. Not applicable for LDAP users.
Last Name Specifies the last name of the user. Not applicable for LDAP users.
Email Specifies the e-mail id of the user. Not applicable for LDAP users.
Language Preference Specifies the language in which the user wants to view the UI text. The default value is English.
Time Zone Specifies the time zone in which the user operates.
Authorization
Role Specifies the role assigned to the user. Choose from Viewer, Operator, Administrator and Super User. For more information on what individual roles
Allowed Locations Specifies the locations on which the user can operate. Click the Change hyperlink to modify the list of allowed locations. A user can operate on one or more locations. For instance, a Superuser could have rights to multiple locations.
Wi-Fi Access Management Enables users to access the Wi-Fi management settings and functions on CV-CUE. Depending on the role, users have restricted access to the Wi-Fi management operations.
WIPS Management Enables users to access the WIPS management settings and functions on CV-CUE. Depending on the role, users have restricted access to the WIPS management operations.
Password (Not applicable for LDAP and RADIUS users)
Set Password Specifies the password for the user.
Confirm Password Repeat the password for confirmation.
Force user to change password Specifies that the user must change the password after the first login.
Password Expiry — Never Expires Specifies that the password set by users after the first login never expires. Users can manually change the password any time but the system never forces users to change the password.
Password Expiry — Expires Specifies that users must change the password after the specified duration. Configure the duration, in days, in the Expires After field; the password expires when that duration has elapsed. The Warn Before field specifies how many days before the expiry day users are warned.

For example, if you configure Expires After as 90 days and Warn Before as 15 days, the password expires after 90 days and the user is warned to change the password from day 75 onward, which is 15 days before the password expires. Note that if users do not change the password when warned, they are locked out of the application and the Superuser must reset their password.

Password Expiry — Expires After Specifies the duration in days from the time of change of the password after which the password expires.
Password Expiry — Warn Before Specifies the time in days before the password expiry to prompt the user to change the password.

Session Timeout

Session Timeout Specifies the idle time interval after which the user's User Interface (UI) session is timed out. Two options are available. Select Never Expires if you do not want the session to time out. Select Expires After and specify the time in minutes (between 10 and 120 minutes) after which the session should time out.
Additional User Fields (Not applicable for LDAP and RADIUS users)
Additional User Fields Specifies some predefined and custom user fields that you can create for users. For example, you can assign a department to each user and assign them specific privileges. Use the Add/Remove Columns button in the Users tab to enable and view any of the additional user fields in the table.

Edit a User

You can edit the details of only one user at a time. To edit a user, do the following.
  1. Go to System > User Accounts > Users.
  2. Right-click the user and click Edit.
  3. Edit the user details and save the changes.
    Note: You cannot edit the User Type and Login ID fields.

Change the Password of a User

If you did not assign a password to the user when creating the user, you can do so using the Change Password option. You can also change the existing password of a user.

To change the password, follow these steps:
  1. Go to System > User Accounts > Users.
  2. Right-click the user and click Change Password.
  3. In the Change Password right-panel, provide the new password.
  4. Save the changes.

LDAP Server-based Authentication

For on-premises deployments, you can configure your LDAP server and map it to CV-CUE to authenticate CV-CUE users. After you have configured the LDAP server, users or groups defined in the LDAP server can log in to CV-CUE. Based on the authentication and user role defined in CV-CUE, users get restricted access to Wi-Fi, WIPS, or both configuration pages.

You can configure the following attributes in LDAP:
  • Connection Details: Connects CV-CUE with your primary and secondary LDAP servers.
  • LDAP Configuration Parameters: Allows access to the LDAP compliant directories.
  • Privileges for LDAP Users: Specifies the role and locations assigned to LDAP users. The specified values apply to all users authenticated via LDAP.

You must have Superuser privileges to configure the LDAP server access parameters.

To configure LDAP server access parameters, do the following.
  1. Go to System > User Accounts > LDAP.
  2. Select the LDAP Authentication check box.
  3. Configure the LDAP connection details as described in the Connection Details table.
  4. If you have selected Verify LDAP Server's Certificate, you must add a certificate. Click Add Certificate to add trusted root CA Certificate(s) for the LDAP server. Choose the certificate from your local drive.
  5. Specify the LDAP configuration details as described in the LDAP Configuration Details table.
  6. If the directory does not allow an anonymous search, you must configure user credentials to search the LDAP compliant directory. Click the Authentication required to search LDAP check box. Configure the user credentials as described in the User Credentials table.
  7. Click Start Test to test the authentication options.
  8. Configure user privileges as described in the Privileges for LDAP Users table.
  9. Save the changes.

Connection Details

Field Description
Primary Server IP Address/Hostname The IP address or hostname of the primary LDAP server.
(Primary Server) Port The port number of the primary LDAP server. The default port is 389.
Backup Server IP Address/Hostname The IP address or hostname of the backup LDAP server.
(Backup Server) Port The port number of the backup LDAP server.
Enforce Use of SSL/TLS Enable this option to allow only SSL/TLS connections to the LDAP server. If you do not select this option, an unencrypted (open) connection to the LDAP server is also allowed in addition to SSL/TLS.
Verify LDAP Server’s Certificate Enable this option to ensure that the CV-CUE user cannot connect to the LDAP server unless the certificate check passes. When this option is not selected, the CV-CUE user can connect to the LDAP server without verifying the LDAP server certificate.
LDAP Configuration Details
Field Description
Base Distinguished Name Specifies the base distinguished name (Base DN) of the directory to which you want to connect, for example, o=democorp, c=au.

Distinguished Name is a unique identifier of an entry in the Directory Information Tree (DIT). The name is the concatenation of Relative Distinguished Names (RDNs) from the top of the DIT down to the entry in question.

Filter String This is a mandatory argument. It is a string specifying the attributes (existing or new) that the LDAP server uses to filter users. For example, IsUser=A is a filter string. By specifying a filter string, you can allow or deny login to a particular organizational unit (OU) or a group of users defined in Active Directory (AD).

You can specify the DN (Distinguished Name) of a particular group to allow access only to users who are members of that group. For example, memberOf=CN=GroupName,DC=ITShop,DC=Com.

You can include members from multiple groups by using an OR condition. For example, to allow access to users under the Base DN who are members of either of two groups, Admins or Reviewer, use the following filter string (the leading | is the LDAP OR operator; the word OR is not part of the syntax):

(|(memberOf=CN=Admins,DC=ITShop,DC=Com)(memberOf=CN=Reviewer,DC=ITShop,DC=Com))

Similarly, to allow access to users under the Base DN who are members of both the Admins and Reviewer groups, use the following filter string (the leading & is the LDAP AND operator):

(&(memberOf=CN=Admins,DC=ITShop,DC=Com)(memberOf=CN=Reviewer,DC=ITShop,DC=Com))

You can have alternative configurations in AD, such as adding a new attribute named ATNWIFI to the AD users that are granted access and then setting the filter string to allow only users with that attribute. For example, the presence filter ATNWIFI=* matches only entries that carry that attribute.

You can also create a new group of users in AD with access granted and include that group in the filter string.

A common filter string is objectClass=*. Use this string when you do not want to filter out any LDAP entry.

User ID Attribute Specifies the string defined in the LDAP schema that the system uses to identify the user. (Default: cn)
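The Filter String examples above, built programmatically with RFC 4515 escaping, as an added example (not CV-CUE product code). The group names, the ITShop/Com domain components and the ATNWIFI attribute come from the examples above; the function names and the escaping helper are assumptions.

```python
"""Build LDAP filter strings like those in the Filter String examples.

Added example, not CV-CUE product code. It composes RFC 4515 filters and
escapes values, so a group name containing filter metacharacters cannot
change the meaning of the filter.
"""
import re

# RFC 4515 requires these characters to be escaped inside a filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
_ATTRIBUTE_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*$")


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def member_of(group_cn: str, domain_components) -> str:
    """One (memberOf=CN=<group>,DC=...) clause; the DN is escaped as a value."""
    dn = "CN=" + group_cn + "".join(f",DC={dc}" for dc in domain_components)
    return f"(memberOf={escape_filter_value(dn)})"


def any_of(*clauses: str) -> str:
    """OR-combine clauses: the '|' prefix is the operator, not the word OR."""
    return "(|" + "".join(clauses) + ")"


def all_of(*clauses: str) -> str:
    """AND-combine clauses: the '&' prefix is the operator, not the word AND."""
    return "(&" + "".join(clauses) + ")"


def has_attribute(attribute: str) -> str:
    """Presence filter such as (ATNWIFI=*); rejects malformed attribute names."""
    if not _ATTRIBUTE_RE.match(attribute):
        raise ValueError(f"invalid LDAP attribute name: {attribute!r}")
    return f"({attribute}=*)"


DCS = ("ITShop", "Com")  # domain components from the examples above


def admins_or_reviewer() -> str:
    return any_of(member_of("Admins", DCS), member_of("Reviewer", DCS))


def admins_and_reviewer() -> str:
    return all_of(member_of("Admins", DCS), member_of("Reviewer", DCS))


if __name__ == "__main__":
    print(admins_or_reviewer())
    print(admins_and_reviewer())
    print(has_attribute("ATNWIFI"))
    # A group name carrying filter metacharacters is rendered harmless:
    print(member_of("Admins)(objectClass=*", DCS))
```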
User Credentials
Field Description
Admin User DN Specifies the DN of the administrator user that is used for authentication in the LDAP server.
Password Specifies the password for the administrator user.
Append Base DN Indicates that when selected the base DN specified in the LDAP Configuration Details section is appended to the Admin User DN.
Privileges for LDAP Users
Field Description
User Role Attribute Specifies the user role attribute string that the system uses to identify a user’s role, as defined in the LDAP schema.
User Role Specifies the default role for the new LDAP users. You can select one of the following four options — Superuser, Administrator, Operator, and Viewer.
User Location Attribute Specifies the user location attribute string that the system uses to identify the locations where the user is allowed access, as defined in your LDAP schema.
Locations The location to which a new LDAP user has access rights. You can select another location by clicking Change.

RADIUS-based Authentication

For on-premises deployments, you can use a RADIUS server to facilitate user authentication to access CV-CUE. Configure the RADIUS server access parameters from the System > User Accounts > RADIUS tab.

You can configure the Authentication, Accounting, and Advanced Settings parameters for the RADIUS server.

Follow these steps to configure the RADIUS server:
  1. Go to System > User Accounts > RADIUS.
  2. Click the Authentication section.
  3. Specify the IP address or hostname, port number, and shared secret for the primary RADIUS server. Configuring the secondary RADIUS server is optional.
  4. Click Test to test the connection to the RADIUS server.
  5. Under RADIUS users log in to the WiFi server using, select CLI if you want users to access CV-CUE from the command line, or UI if you want users to access CV-CUE from the GUI.
  6. Select vendor-specific attributes as appropriate. The option you select here is used when vendor-specific attributes are not defined on the RADIUS server.
  7. Select the Role of RADIUS users and the location that users can access in CV-CUE. The user can access the selected location and all its child locations.

You have configured the RADIUS authentication.

The next steps are to configure the RADIUS accounting server and some advanced settings. If you do not want to configure the RADIUS accounting server, you can save the page.

Configure the RADIUS Accounting Server

RADIUS accounting server is an optional configuration. You can use the accounting service of the RADIUS server independent of the RADIUS authentication services. The RADIUS accounting service is used to monitor the network and collect statistical data of the connected client.
  1. Click the Accounting section.
  2. Specify the IP address/hostname, port number, and shared secret for the primary and secondary RADIUS accounting servers.
  3. Click the Advanced Settings section.
  4. Enter the realm or domain for CLI users.
  5. Enter the realm or domain for GUI users.
  6. Select the Use Prefix Notation check box to use the realm or domain as prefix. If you do not select the check box, the realm or domain is used as a postfix notation.
  7. Save the changes.

Certificate-based Authentication

In on-premises deployments, you can authenticate users using digital certificates. Configure the settings for user authentication from System > User Accounts > Certificate option.

There are three authentication criteria:
  • Allow access with certificate only
  • Allow access without certificate
  • Users must provide password along with certificate

Authentication Criteria

Allow access without certificate: The user authentication is performed using the password. The user has to enter the user name and the password at the login prompt. The password may be locally verified by the system or may be verified using the external LDAP or RADIUS authentication service, as appropriate.

Allow access with certificate only: The user authentication is performed using the client certificate (such as smart card). The system verifies the client certificate and obtains user identity (user name) from the certificate. Other attributes for the user are retrieved either locally or from the external authentication services such as LDAP or RADIUS, as appropriate.

Users must provide certificate along with password: Both client certificate and password are required for the user authentication. The user provides the client certificate and the password at the login prompt. The system verifies the password locally or using the external LDAP or RADIUS authentication service, as appropriate.

Note: To use certificate-based authentication, ensure that the UI host can reach the server on TCP port 4433. If there is a firewall between the UI host and the server, open port 4433 from the host to the server.

Configure Certificate-based Authentication

To configure the certificate-based authentication, do the following:
  1. Go to System > User Accounts > Certificate.
  2. Enable the Certificate-Based Authentication check box.
  3. Select one of the following values from the Use field in certificate as user identity drop down list:
    • CN — Indicates the common name or fully qualified domain name of the web server receiving the certificate.
    • EMAIL — Indicates the email ID of the user.
    • SAN RFC822 Name — Indicates a user identifier taken from the Subject Alternative Name, which can include an IP address, email address, URI, or other identifier.
    • SAN Principal Name — Indicates the login ID of the user or server.
  4. Specify your Authentication Criteria.
  5. Click Add Certificate and select the certificate from your local drive. After adding the certificate, you can view the details of the certificate and even delete the certificate.
  6. Click the Certificate Revocation checkbox to define the certificate revocation criteria. Note that you must select at least one option in the Certificate Revocation section.
  7. Click Use Online Certificate Status Protocol (OCSP) check box to verify the revocation status of digital certificates.
  8. Click the Check against Certificate Revocation Lists check box to verify the certificates that are revoked by the issuing certificate authority.
  9. Select Valid or Invalid in Treat certificate as when certificate status cannot be confirmed. The default status is Valid.
  10. Save the settings.

User Account Suspension

For on-premises deployments, a Superuser can configure the account suspension criteria for other users. Account suspension protects the system against password-guessing (dictionary) attacks by limiting repeated failed login attempts. There are four roles available in CV-CUE — Superuser, Administrator, Viewer, and Operator. You can configure different settings for each of these user roles.

Configure Account Suspension

To configure the Account Suspension settings for a user role, do the following:
  1. Go to System > User Accounts > Account Suspension.
  2. Expand each role and specify the number of failed login attempts and the duration for the account suspension to activate.
  3. Specify the suspension time and the window within which the consecutive failed login attempts must occur. For example: Consecutive login failures are more than 4 [3 - 10] times in 5 [5 - 30] minutes, Suspension Time is 30 minutes. This means that if a user's consecutive login failures exceed 4 within 5 minutes, that user account is suspended for 30 minutes.
  4. Save the changes.
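The suspension rule from the example above, modelled as sliding-window logic that can be checked against a sequence of login events, as an added example that is not CV-CUE product code. The defaults match the example (more than 4 failures in 5 minutes, 30 minutes suspension); the user names and timestamps are constructed sample data.

```python
"""Model the Account Suspension rule (added example, not CV-CUE product code).

Rule from the procedure above: when a user's consecutive login failures exceed
max_failures within window_minutes, the account is suspended for
suspend_minutes. User names and event times below are constructed sample data.
"""
from collections import deque
from datetime import datetime, timedelta
from typing import Deque, Dict


class SuspensionTracker:
    def __init__(self, max_failures=4, window_minutes=5, suspend_minutes=30):
        self.max_failures = max_failures  # "more than 4": the 5th failure suspends
        self.window = timedelta(minutes=window_minutes)
        self.suspension = timedelta(minutes=suspend_minutes)
        self.failures: Dict[str, Deque[datetime]] = {}  # consecutive failure times
        self.suspended_until: Dict[str, datetime] = {}

    def is_suspended(self, user: str, now: datetime) -> bool:
        until = self.suspended_until.get(user)
        return until is not None and now < until

    def record_success(self, user: str) -> None:
        """A successful login breaks the run of consecutive failures."""
        self.failures.pop(user, None)

    def record_failure(self, user: str, now: datetime) -> bool:
        """Record a failed login; return True if it triggers a suspension."""
        q = self.failures.setdefault(user, deque())
        q.append(now)
        while q and q[0] < now - self.window:  # keep only failures inside the window
            q.popleft()
        if len(q) > self.max_failures:
            self.suspended_until[user] = now + self.suspension
            q.clear()
            return True
        return False


T0 = datetime(2024, 1, 1, 9, 0)
# Constructed events (time, user, success): alice fails 5 times within 4 minutes,
# bob fails 5 times spread over 8 minutes, so only alice crosses the threshold.
SAMPLE_EVENTS = [(T0 + timedelta(minutes=m), "alice", False) for m in (0, 1, 2, 3, 4)]
SAMPLE_EVENTS += [(T0 + timedelta(minutes=m), "bob", False) for m in (0, 2, 4, 6, 8)]


def replay(events, **policy) -> Dict[str, datetime]:
    """Replay login events; return each suspended user with the time of suspension."""
    tracker = SuspensionTracker(**policy)
    suspended: Dict[str, datetime] = {}
    for ts, user, ok in sorted(events):
        if ok:
            tracker.record_success(user)
        elif tracker.record_failure(user, ts):
            suspended.setdefault(user, ts)
    return suspended


if __name__ == "__main__":
    for user, ts in replay(SAMPLE_EVENTS).items():
        print(f"{user} suspended at {ts:%H:%M} for 30 minutes")
```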