User Authentication and User Roles

User Authentication

Authentication grants or denies access to the device based on the credentials provided by the user (admin user name and password).

By default, when someone attempts to log in to the device, the device determines whether the username and password exist in the local administrative database. Without additional configuration, the authentication process stops at this point. If the administrator username and password exist in the local database, the user is granted access; otherwise, access to the device is denied.

The user can configure the device to also use external RADIUS, TACACS plus or LDAP servers for authentication.

Multiple Authentication Methods

The user can specify multiple methods for authenticating administrators. For example, the user can configure the device to try the these servers in the following order:

  • Local Authentication
  • LDAP
  • Google Authentication
  • Tacacs plus
  • Radius

Authentication Process

Prerequisites

Before the user can fine-tune the admin accounts using RBA, consider the following:

  • The admin user accounts must be created before they can be fine tuned using Role Based Access (RBA).
  • If you plan to use an RBA role, it must be configured before it can be bound to admin accounts.
  • Define users and email on Radius or Tacacs server

Follow the steps to set the authentication using one of the authentication methods:

  1. Refer to the subscription email for A10 Harmony Controller and access the link to activate your account and set your password.

    _images/email.png
  2. Accept the terms and conditions and select the one of the authentication modes.

    _images/subscription.png
    _images/auth_mode.png
  3. If local authentication is selected as the authentication mode, select local authenticaiton and click set authentication.

    _images/Local_Authentication.png
  4. If LDAP is selected as the authentication mode, refer to LDAP Authentication Mode for additional information.

    _images/LDAP.png
  5. If Google Authentication is selected as the authentication mode, refer to Google Authentication Mode for additional information.

    _images/Google_Authentication.png
  6. If Radius is selected as the authentication mode, enter the host address, port number and shared secret information and retries (optional) and click set authentication.

    _images/Radius.png
  7. If Tacacs plus is selected as the authentication mode, enter the host address, port number, shared secret information and timeout (optional), retries (optional), remote address (optional) and click set authentication.

    _images/TACACS.png
  8. To edit the configuration or change the authentication settings, click Organization > Authentication > Edit Configuration.

    _images/edit_configuration.png

Roles and Permissions

There are different roles and corresponding permissions in the Provider-Tenant configuration:

The root user can have any of these roles:

  • Root user (can be Root Admin)
  • Root level-Tenant Admin
  • Root level-Tenant’s user

The administrator roles include:

  • Root Level Administrator
  • Provider-level Administrator
  • Tenant Administrator

Provider-Tenant High-Level Diagram Explaining Different Roles

In the high-level Provider-Tenant configuration, the roles fit in as shown in this diagram.

_images/user-roles.png