MANAGEMENT ACCESS AND SECURITY GUIDE
A10 Thunder Series and AX Series
ACOS 2.7.2-P1
14 May 2014
© 5/14/2014 A10 Networks, Inc. - All Rights Reserved
Information in this document is subject to change without notice.
Patents
A10’s products (including all AX Series products) are protected by one or more of the following U.S. patents: 8595819, 8595791,
8595383, 8584199, 8464333, 8423676, 8387128, 8332925, 8312507, 8291487, 8266235, 8151322, 8079077, 7979585, 7804956, 7716378,
7665138, 7647635, 7627672, 7596695, 7577833, 7552126, 7392241, 7236491, 7139267, 6748084, 6658114, 6535516, 6363075, 6324286,
5875185, RE44701, 8392563, 8103770, 7831712, 7606912, 7346695, 7287084, 6970933, 6473802, 6374300.
Trademarks
The A10 logo, A10 Lightning, A10 Networks, A10 Thunder, aCloud, ACOS, aFleX, aFlow, aGalaxy, aVCS, aXAPI, IDaccess, IDsentrie, IP to ID,
Link Director, MultiLink Director, SoftAX, Thunder, the Thunder logo, VirtualN, and vThunder are trademarks or registered trademarks of
A10 Networks, Inc. All other trademarks are property of their respective owners.
Confidentiality
This document contains confidential materials proprietary to A10 Networks, Inc. This document and information and ideas herein may not be disclosed, copied, reproduced or distributed to anyone outside A10 Networks, Inc. without prior written consent of A10 Networks, Inc.
A10 Networks Inc. Software License and End User Agreement
Software for all A10 Networks products contains trade secrets of A10 Networks and its subsidiaries and Customer agrees to treat Software as
confidential information.
Anyone who uses the Software does so only in compliance with the terms of the End User License Agreement (EULA), provided later in
this document or available separately. Customer shall not:
1. reverse engineer, reverse compile, reverse de-assemble or otherwise translate the Software by any means
2. sublicense, rent or lease the Software.
Disclaimer
This document does not create any express or implied warranty about A10 Networks or about its products or services, including but not limited to fitness for a particular use and non-infringement. A10 Networks has made reasonable efforts to verify that the information contained herein is accurate, but A10 Networks assumes no responsibility for its use. All information is provided "as-is." The product specifications and features described in this publication are based on the latest information available; however, specifications are subject to change without notice, and certain features may not be available upon initial product release. Contact A10 Networks for current information regarding its products or services. A10 Networks’ products and services are subject to A10 Networks’ standard terms and conditions.
Environmental Considerations
Some electronic components may possibly contain dangerous substances. For information on specific component types, please contact the
manufacturer of that component. Always consult local authorities for regulations regarding proper disposal of electronic components in your
area.
Further Information
For additional information about A10 products, terms and conditions of delivery, and pricing, contact your nearest A10 Networks location, which can be found by visiting www.a10networks.com.
About This Book
This document describes features of the A10 Networks Advanced Core Operating System (ACOS). These features are supported on the following product lines:
• A10 Thunder™ Series Application Delivery Controller (example models shown in Figure 1 and Figure 2)
• AX™ Series Application Delivery Controller
FIGURE 1 Thunder 6630
FIGURE 2 Thunder 5430-11
page 3 | Document No.: 272P1-MAS-001 - 5/14/2014
A10 Thunder Series and AX Series—Management Access and Security Guide
Preface
User Documentation
Information is available for ACOS products in the following documents. These documents are included on the documentation CD shipped with your product, and also are available on the A10 Networks support site.
Basic Setup
• Installation Guides
• System Configuration and Administration Guide
Security Guides
• Management Access Security Guide
• Application Access Management and DDoS Mitigation Guide
• Web Application Firewall Guide
Application Delivery Guides
• Application Delivery and Server Load Balancing Guide
• Global Server Load Balancing Guide
References
• LOM Reference
• GUI Reference
• CLI Reference
• aFleX Reference
• MIB Reference
• aXAPI Reference
Make sure to use the basic deployment instructions in the Installation Guide for your Thunder or AX model, and in the System
Configuration and Administration Guide. Also make sure to set up your device’s Lights Out Management (LOM) interface, if
applicable.
NOTE: Some guides may display GUI configuration examples. These examples are subject to change and may not display all the available options.
Audience
This document is intended for use by network architects for determining applicability and planning implementation, and for
system administrators for provision and maintenance of A10 Networks products.
Documentation Updates
Updates to these documents are published periodically to the A10 Networks support site, on an updated documentation CD
(posted as a zip archive). To access the latest version, please log onto your A10 support account.
http://www.a10networks.com
A10 Virtual Application Delivery Community
You can use your A10 support login to access the A10 Virtual Application Delivery Community (VirtualADC). The VirtualADC
is an interactive forum where you can find and share product and feature information. To access the VirtualADC, navigate
here:
http://www.a10networks.com/adc/
Table of Contents
About This Book ............................................................................................................................. 3
User Documentation......................................................................................................................................... 4
Audience................................................................................................................................................................ 4
Documentation Updates ................................................................................................................................. 5
A10 Virtual Application Delivery Community.......................................................................................... 5
Admin Accounts ...........................................................................................................................11
Configure Additional Admin Accounts.....................................................................................................11
Use the GUI to Configure Admin Accounts ....................................................................................................... 11
Assign GUI Access Roles for the Admin Account ............................................................................................ 13
Pre-Configured GUI Access Roles ..................................................................................................................... 13
Configure Custom GUI Access Role ................................................................................................................ 16
Assign a GUI Access Role to an Admin ......................................................................................................... 16
Delete an Admin Account ............................................................................................................................................. 17
Configure Admin Lockout .............................................................................................................................18
Admin Lockout Parameters .......................................................................................................................................... 18
Use the GUI to Configure Admin Lockout ........................................................................................................... 18
Use the CLI to Configure Admin Lockout ............................................................................................................ 19
Configure Access Control Based on Management Interface............................................................19
Use the GUI to Configure Management Interface Access ........................................................................ 20
Use the CLI to Configure Management Interface Access .......................................................................... 20
Access Based on Management Interface ............................................................................21
Default Management Access Settings......................................................................................................21
Configure Management Access Using Access Control Lists .............................................................21
Configure ACL Support on the Management Interface ............................................................................. 22
Configure ACL Support on Data Interfaces ........................................................................................................ 22
Implicit Deny Rule .............................................................................................................................................................. 22
Configure Management Access Through Ethernet Interfaces.........................................................22
Use the GUI to Configure Management Access .............................................................................................. 23
Use the CLI to Configure Management Access ............................................................................................... 23
Use the CLI to Disable Management Access ............................................................................................ 23
Use the CLI to Enable Management Access .............................................................................................. 24
Viewing the Current Management Access Settings ............................................................................24
Regaining Access if You Accidentally Block All Access........................................................................25
Configuring Web Access ...........................................................................................................27
Web Access Default Settings........................................................................................................................27
Configure Web Access ....................................................................................................................................28
Use the GUI to Configure Web Access .......................................................................................................... 28
Use the CLI to Configure Web Access ........................................................................................................... 28
Configure Object Access Control................................................................................................................29
Use the GUI to Configure Object Access Control ................................................................................... 29
Public Key Authentication for SSH ........................................................................................35
Generate a Key Pair From the Remote Client .........................................................................................35
Import the Public Key to the ACOS Device .............................................................................................35
Delete a Public Key ..........................................................................................................................................36
TACACS+ and RADIUS ................................................................................................................37
Configuring Authentication .........................................................................................................................37
Configure Multiple Authentication Methods .................................................................................................... 38
Configure Tiered Authentication .............................................................................................................................. 38
Flowcharts Describing the Authentication Process ...................................................................................... 39
Disable Local Authentication for the Admin Account ................................................................................. 41
Use the GUI to Disable Local Authentication for the Admin Account ...................................... 41
Use the CLI to Disable Local Authentication for the Admin Account ....................................... 42
Token-based Authentication Support for RADIUS ......................................................................................... 42
Configure Authorization ................................................................................................................................43
Authorization Based on Management Interface ............................................................................................. 44
RADIUS Configuration for Management Interface Access ............................................................... 44
TACACS+ Configuration for Management Interface Access ........................................................... 44
LDAP Configuration for Management Interface Access .................................................................... 45
Authorization for GUI Access ....................................................................................................................................... 45
RADIUS Configuration for GUI Access Roles .............................................................................................. 45
TACACS+ Configuration for GUI Access Roles .......................................................................................... 45
Compatibility with Privilege Levels Assigned by RADIUS or TACACS+ ..................................... 46
Authorization for CLI Access ........................................................................................................................................ 46
Operational Commands Disabled for Read-Only Admins ................................................................ 46
RADIUS CLI Authorization ..................................................................................................................................... 47
TACACS+ CLI Authorization ................................................................................................................................. 48
Authorization Based on Private Partition ............................................................................................................. 49
RADIUS Configuration for Partition Access ................................................................................................ 49
TACACS+ Configuration for Partition Access ............................................................................................ 49
LDAP Configuration for Partition Access .............................................................................................................. 49
RADIUS Authorization Based on Service-Type .................................................................................................. 50
Configure Accounting ....................................................................................................................................50
Command Accounting (TACACS+ only) .............................................................................................................. 50
TACACS+ Accounting Debug Options .................................................................................................................. 51
Configuring Authentication, Authorization, and Accounting for Admin Access ......................51
Configuring Authentication ......................................................................................................................................... 52
Use the GUI to Configure Remote Authentication ............................................................................... 52
Use the CLI to Configure Remote Authentication ................................................................................. 55
Additional TACACS+ Authentication Options .................................................................................................. 56
Configure Password Self-Service for Admins Authenticated by TACACS+ ............................ 56
Configure Direct Access to CLI Privileged EXEC Level for TACACS+-Authenticated Admins 57
Configuring Authorization ............................................................................................................................................ 57
Configuring Accounting ................................................................................................................................................. 58
Examples .............................................................................................................................................................58
RADIUS Authentication Example .............................................................................................................................. 59
TACACS+ Authorization Example ............................................................................................................................. 59
TACACS+ Accounting Example .................................................................................................................................. 59
RADIUS Server Setup Example ................................................................................................................................... 59
Windows IAS Setup for RADIUS...................................................................................................................61
Procedure Overview ......................................................................................................................................................... 61
Configure Access Groups ............................................................................................................................................... 62
If Active Directory Is Not Installed .................................................................................................................... 62
Configure RADIUS Client for ACOS device .......................................................................................................... 63
Configure Remote Access Policies ........................................................................................................................... 64
Add Active Directory Users to ACOS Access Groups .................................................................................... 73
Register the IAS Server in Active Directory ......................................................................................................... 75
Configure RADIUS on the ACOS device ................................................................................................................ 76
Verify the Configuration .................................................................................................................................................. 76
Lightweight Directory Access Protocol ...............................................................................77
Configure LDAP for ACOS Admins .............................................................................................................77
Add the LDAP Servers to the ACOS device ........................................................................................................ 77
Use the GUI to Configure LDAP Authentication ..................................................................................... 77
Use the CLI to Configure LDAP Authentication ...................................................................................... 79
Configuring the OpenLDAP Server ......................................................................................................................... 80
A10 Schema File for OpenLDAP ........................................................................................................................ 80
A10 Admin Account Files for LDAP ................................................................................................................. 82
Configuring Microsoft Active Directory ................................................................................................................ 82
Configure ACOS Admin Accounts ................................................................................................................... 82
Add the A10 LDAP Attribute Types ................................................................................................................. 93
Restart the LDAP Process .................................................................................................................................... 105
Command Auditing ................................................................................................................. 113
Command Auditing Overview.................................................................................................................. 113
Enable and Configure Command Auditing ......................................................................................... 113
Use the GUI to Configure Command Auditing ............................................................................................. 114
Use the CLI to Configure Command Auditing .............................................................................................. 114
Audit Log Examples...................................................................................................................................... 114
Admin Accounts
This chapter describes how to configure and modify admin accounts for management access to ACOS.
The following topics are covered:
• Configure Additional Admin Accounts
• Configure Admin Lockout
• Configure Access Control Based on Management Interface
Configure Additional Admin Accounts
The ACOS device comes with one admin account, “admin”, by default. The “admin” account has global Read Write privileges.
The admin account, and other admin accounts with global Read Write privileges, can configure additional admin accounts.
For each admin account, the following settings can be configured:
• Username and password
• IP host or subnet address from which the admin is allowed to log on
• Management interfaces the admin is allowed to use (CLI, GUI, or aXAPI)
• GUI access Role (read-write privileges for GUI page access)
• Role-Based Administration (RBA) or Layer 3 Virtualization (L3V) partition, if applicable
• Account state (enabled or disabled)
NOTE: If you are configuring an admin account for a private partition, also see “Configuring Partition Admin Accounts” in the System Configuration and Administration Guide.
This section contains the following topics pertaining to additional admin accounts:
• Use the GUI to Configure Admin Accounts
• Assign GUI Access Roles for the Admin Account
• Delete an Admin Account
Use the GUI to Configure Admin Accounts
To configure an admin account using the GUI:
1. Select Config Mode > System > Admin > Administrator.
2. Click Add. The Administrator section appears.
3. Enter the name in the Administrator Name field.
4. Enter the password for the new admin account in the Password and Confirm Password fields.
5. To restrict login access by the admin to a specific host or subnet:
a. Enter the address in the Trusted Host IP Address field.
b. To restrict access to just a single host, edit the value in the Netmask for Trusted Host field to 255.255.255.255.
c. To restrict access to a subnet, edit the value in the Netmask for Trusted Host field to the subnet mask for the subnet.
NOTE: To allow access from any host, leave the Trusted Host IP Address and Netmask fields blank.
6. Select the role from the Role drop-down list. The role defines the read or write access allowed to the admin for each
GUI page. (See “Assign GUI Access Roles for the Admin Account” on page 13.)
7. To restrict access to specific management interfaces, click the checkboxes next to Access Type.
8. If you are configuring an admin for a private Role-Based Administration (RBA) partition, select the partition from the
Partition drop-down list.
9. Make sure Enabled is selected in the Status field.
10. Click OK.
NOTE: For information about the SSH Key File section, see “Public Key Authentication for SSH” on page 35.
FIGURE 1 Config Mode > Admin > Admin
11. Verify that the new admin (named “exampleadmin” in this example) appears in the Admin table.
FIGURE 2 Config Mode > Admin - new admin added
Assign GUI Access Roles for the Admin Account
This section contains the following:
• Pre-Configured GUI Access Roles
• Configure Custom GUI Access Role
• Assign a GUI Access Role to an Admin
Pre-Configured GUI Access Roles
Admin roles enable you to restrict the GUI options an admin is authorized to use. For each GUI page, the admin role specifies
whether the admin is allowed to access (view) the page. If the admin is allowed to access the page, the role specifies
whether the admin has read-only or read-write privileges for the page.
You can assign an admin to a preconfigured role or a custom role that you configure. You also can customize the preconfigured roles. Table 1 lists the preconfigured roles and the types of GUI page access allowed by each one.
TABLE 1 Preconfigured GUI Access Roles
Role and Access
GUI Page* 1 2 3 4 5 6 7 8 9 10 11 12
Monitor Pages
Monitor > Overview > Summary R R R R R R R R R R R R
Monitor > Overview > Status R R H H H R R R H R R R
Monitor > Overview > Statistics R R H H H R R R H R R R
Monitor > Overview > Performance R R H H H R R R H R R R
Monitor > SLB > Service > Virtual Server R R H H H R R R H R R R
Monitor > SLB > Service > Virtual Service R R H H H R R R H R R R
Monitor > SLB > Service > Service Group R R H H H R R R H R R R
Monitor > SLB > Service > Server R R H H H R R R H R R R
Monitor > SLB > Health Monitor R R H H H R R R H R R R
Monitor > SLB > Black-White List R R H H H R R R H R R R
Monitor > SLB > aFleX R R H H H R R R H R R R
Monitor > SLB > Session R R H H H R R R H R R R
Monitor > SLB > Application R R H H H R R R H R R R
Monitor > GSLB > Site R R H H H H H R H H H R
Monitor > GSLB > Zone R R H H H H H R H H H R
Monitor > GSLB > Protocol R R H H H H H R H H H R
Monitor > Security > WAF R R H H H H H R H H H R
Monitor > Security > Authentication R R H H H H H R H H H R
Monitor > Security > ACL R R H H H H H R H H H R
Monitor > NAT > Pool R R H H H H H R H H H R
Monitor > NAT > Static NAT R R H H H H H R H H H R
Monitor > Network > Interface R R H R R H H R R H H R
Monitor > Network > Trunk R R H R R H H R H H H R
Monitor > Network > LACP R R H R R H H H H H H H
Monitor > Network > VLAN R R H R R H H R R H H R
Monitor > Network > ARP R R H R R H H R R H H R
Monitor > Network > Route R R H R R H H R R H H R
Monitor > System > Admin R R R H H H H R H H H H
Monitor > System > sFlow R R H R R R R R R R R R
Monitor > System > NetFlow Monitor R R H R R R R R R R R R
Monitor > System > Logging R R R H H H H R H H H H
Monitor > System > Resource Usage R R H H H H H R H H H H
Monitor > System > Diagnosis R R R H H H H H H H H H
Monitor > System > aVCS R R R H H H H H H H H H
Monitor > System > HA R R H H H R R H H H H H
Monitor > System > VRRP-A R R H H H R R R H R R R
Config Pages
Config > Get Started > Basic System R W H W R H H H H H H H
Config > Get Started > Smart Template R W H H H W R W H W R R
Config > Get Started > GSLB Easy Config R W H H H H H W H H H H
Config > SLB > Service R W H H H W R W H W R R
Config > SLB > Template R W H H H W R W H W R R
Config > SLB > Health Monitor R W H H H W R W H W R R
Config > SLB > Black-White List R W H H H W R W H W R R
Config > SLB > aFleX R W H H H W R W H W R R
Config > SLB > SSL Management R W H H H W R W H W R R
Config > SLB > Network Map R W H H H W R W H W W R
Config > GSLB > FQDN R W H H H H H W R H H R
Config > GSLB > FQDN Group R W H H H H H W H H H R
Config > GSLB > Zone R W H H H H H W H H H R
Config > GSLB > Site R W H H H H H W H H H R
Config > GSLB > Service IP R W H H H H H W H H H R
Config > GSLB > DNS Proxy R W H H H H H W H H H R
Config > GSLB > Geo-location R W H H H H H W H H H R
Config > GSLB > Policy R W H H H H H W H H H R
Config > GSLB > GSLB HM R W H H H H H H H H H H
Config > GSLB > Global R W H H H H H H H H H H
Config > Security > WAF R W H H H H H W H H H R
Config > Security > Authentication R W H H H H H W H H H R
Config > Security > Template R W H H H H H W H H H R
Config > Security > Network R W H H H H H W H H H R
Config > NAT† > IPv4 Pool R W H H H H H W H W R R
Config > NAT† > IPv6 Pool R W H H H H H W H W R R
Config > NAT† > Group R W H H H H H W H W R R
Config > NAT† > ACL Bind R W H H H H H W H W R R
Config > NAT† > Interface R W H H H H H W H W R R
Config > NAT† > NAT Range R W H H H H H W H W R R
Config > NAT† > Static NAT R W H H H H H W H W R R
Config > NAT† > Global R W H H H H H H H H H H
Config > Network > Interface† R W H W R H H W R H H R
Config > Network > Trunk† R W H W R H H H H H H H
Config > Network > LACP R W H W R H H H H H H H
Config > Network > VLAN† R W H W R H H W R H H R
Config > Network > ARP† R W H W R H H W R H H R
Config > Network > Route† R W H W R H H W R H H R
Config > Network > DNS† R W H W R H H H H H H H
Config > Network > BPDU-Fwd-Group† R W H W R H H H H H H H
Config > System > Settings > Web R W W H H H H W H H H R
Config > System > Settings > Web Certificate R W W H H H H H H H H H
Config > System > Settings > Access Control R W W W R H H W H H H R
Config > System > Settings > Time R W W W R H H H H H H H
Config > System > Settings > Terminal R W W H H H H H H H H H
Config > System > Settings > Log R W W W R H H H H H H H
Config > System > Settings > General R W W H H H H H H H H H
Config > System > Settings > Boot R W W H H H H H H H H H
Config > System > Settings > Action H W W H H H H H H H H H
Config > System > Admin R W W H H H H H H H H H
Config > System > sFlow R W H W R W R W W W W W
Config > System > NetFlow Monitor R W H W R W R W W W W W
Config > System > SNMP R W W W R H H H H H H H
Config > System > Maintenance R W W H H H H H H H H H
Config > System > Console R W H H H H H H H H H H
Config > System > Config File R W W H H H H H H H H H
Config > System > aVCS R W W H H H H H H H H H
Config > System > HA R W H H H W R H H H H H
Config > System > VRRP-A R W H H H W R W H W R R
*. In some cases, where the same access privileges apply to all pages at a given GUI level, only the high-level page name is listed in
this table. However, access can be configured on an individual page basis for all GUI pages.
†. For the partition roles (8-12), the access privileges shown in the table are for admins of partitions in which Layer 2/3 virtualization
is enabled. If Layer 2/3 virtualization is disabled in the partition, the page is hidden.
The following table summarizes the roles and access privileges of each number in the “Roles and Access” column in Table 1:
Role  Access
1     ReadOnlyAdmin
2     ReadWriteAdmin
3     SystemAdmin
4     NetworkAdmin
5     NetworkOperator
6     SLBServiceAdmin
7     SLBServiceOperator
8     PartitionReadWrite
9     PartitionNetworkOperator
10    PartitionSLBServiceAdmin
11    PartitionSLBServiceOperator
12    PartitionReadOnly
NOTE: If you configure GUI-based access in RADIUS, LDAP or TACACS+, these are the numbers
to use when specifying a preconfigured role.
The following letters indicate the access privileges for the GUI page:
• R – Read-only
• W – Read-write
• H – Hidden (page cannot be viewed by the admin)
Configure Custom GUI Access Role
In addition to the pre-configured GUI access roles, you can also configure a custom role to suit your needs:
1. Select Config Mode > Settings > Admin > Role.
2. Click Add.
3. Enter the role name in the Role Name field.
4. Select the access privileges for each page.
• Hide – The page cannot be viewed by admins with this role.
• RO – Read-only access.
• RW – Read-write access.
The filter options hide or display all pages of the selected access levels. For example, to display only the pages that are
hidden, select Hide next to Filter Options.
To set access levels for individual pages under Monitor or Config, clear the checkbox for the whole level, expand the page
list, and select the access level for each individual page.
5. Click OK.
Assign a GUI Access Role to an Admin
To assign a GUI access role to an admin, use the following procedure.
1. Select Config Mode > Settings > Admin > Administrator and click Add.
2. If configuring a new admin, enter the username and password.
3. Select the admin role from the Role drop-down list.
The role can be any one of the preconfigured roles (“Pre-Configured GUI Access Roles” on page 13) or a custom role you
have created (“Configure Custom GUI Access Role” on page 16).
4. If you are configuring an admin for an RBA partition, select the partition from the Partition drop-down list.
5. Click OK.
Delete an Admin Account
An admin with Root privileges can delete other admin accounts.
An account cannot be deleted while it has any open sessions. Before you delete an admin account, you must:
1. Display the admin session table to determine whether the admin has any active admin sessions.
2. Clear any sessions the admin has open.
Use the GUI to Delete an Admin Account
To delete an admin account using the GUI:
1. To display the admin session table, select Monitor Mode > System > Admin.
2. To clear an admin session, click on the checkbox next to the session to select it, then click Delete.
3. To delete the admin account:
a. Select Config Mode > System > Admin.
b. Click on the checkbox next to the admin name.
c. Click Delete.
Use the CLI to Delete an Admin Account
To delete an admin account using the CLI:
1. To display the admin session table, use the following command at the Privileged EXEC level or any configuration level:
show admin session
2. To clear an admin session, use the following command at the Privileged EXEC level or any configuration level:
clear admin session session-id
The session-id is the ID listed in the ID column of the show admin session output.
3. To delete the admin account, use the following command at the global configuration level:
no admin admin-username
Configure Admin Lockout
By default, there is no limit to the number of times an incorrect password can be entered with an admin account to attempt
access. You can enable the ACOS device to lock admin accounts for a specific period of time following a specific number of
invalid passwords entered for the account.
This section contains the following topics:
• Admin Lockout Parameters
• Use the GUI to Configure Admin Lockout
• Use the CLI to Configure Admin Lockout
Admin Lockout Parameters
Table 2 lists the admin lockout parameters you can configure.
TABLE 2 Admin Lockout Parameters
Parameter      Description                                                                                                          Default
Feature state  Controls whether admin accounts can be locked.                                                                       Disabled
Threshold      Number of failed login attempts allowed for an admin account before it is locked.                                     5
Reset time     Number of minutes the ACOS device remembers a failed login attempt. For an account to be locked, more than the        10 minutes
               threshold number of failed login attempts must occur within the reset time.
Duration       Number of minutes a locked account remains locked. To keep accounts locked until you or another authorized            10 minutes
               administrator unlocks them, set the value to 0.
Use the GUI to Configure Admin Lockout
To enable the lockout feature using the GUI:
1. Select Config Mode > System > Admin.
2. Select Lockout Policy on the menu bar.
3. Select the checkbox in the Administrator lockout Feature field to enable this feature.
Once enabled, you can configure the threshold, reset time, and duration of the admin lockout. See Table 2 on page 18
for more information about the admin lockout parameters.
4. Click OK.
To view lockout status or manually unlock a locked account:
1. Select Monitor Mode > System > Admin.
2. Select the Admin Locked tab to view the admin accounts that are locked.
3. Select the admin account you want to unlock.
4. Click Unlock.
Use the CLI to Configure Admin Lockout
To configure admin lockout using the CLI:
1. Log on through the CLI and access the global configuration level.
2. Optionally, enter the following commands to change lockout settings:
The following example locks the admin account after 5 failed login attempts:
ACOS(config)# admin lockout threshold 5
The following example keeps a locked admin account locked for 15 minutes:
ACOS(config)# admin lockout duration 15
The following example keeps a locked admin account locked until it is manually unlocked by an authorized admin:
ACOS(config)# admin lockout duration 0
The following example sets the reset time, so that the ACOS device remembers a failed login attempt for 10 minutes when
counting attempts against the threshold:
ACOS(config)# admin lockout reset-time 10
For more information, refer to Table 2 on page 18.
3. Use the following command to enable admin lockout:
ACOS(config)# admin lockout enable
To view lockout status or manually unlock a locked account:
1. Log on through the CLI and access the global configuration level.
2. Enter the following command to view the lockout status of the account for “admin1”:
ACOS(config)# show admin admin1 detail
3. Enter the following command to access the configuration level for the admin account for “admin1”:
ACOS(config)# admin admin1
4. Use the following command to unlock the account:
ACOS(config)# unlock
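The following Python model is added here as an illustration; it is not ACOS code and is not from the A10 guide. It works through the lockout parameters of Table 2: failures are remembered for the reset time, an account locks once more than the threshold number of failures fall inside that window (the Table 2 wording), a lock expires after the duration unless the duration is 0, and unlock() plays the role of the CLI unlock command. Times are minutes. It assumes, beyond what the guide states, that a successful login clears the remembered failures.

```python
"""Model of the ACOS admin lockout policy in Table 2 (added illustration, not ACOS code).

Times are minutes as floats so the reset-time and duration arithmetic is easy to follow.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class LockoutPolicy:
    enabled: bool = False       # "Feature state": disabled by default
    threshold: int = 5          # failed attempts allowed before the account is locked
    reset_time: float = 10.0    # minutes a failed attempt is remembered
    duration: float = 10.0      # minutes an account stays locked; 0 = until manual unlock


@dataclass
class AdminState:
    failures: List[float] = field(default_factory=list)  # times of remembered failures
    locked_at: Optional[float] = None


class LockoutTracker:
    def __init__(self, policy: LockoutPolicy) -> None:
        self.policy = policy
        self.admins: Dict[str, AdminState] = {}

    def _state(self, user: str) -> AdminState:
        return self.admins.setdefault(user, AdminState())

    def is_locked(self, user: str, now: float) -> bool:
        """True while the lock is in force; a lock with duration 0 never expires on its own."""
        st = self._state(user)
        if st.locked_at is None:
            return False
        if self.policy.duration > 0 and now - st.locked_at >= self.policy.duration:
            st.locked_at = None          # lock has expired; start with a clean slate
            st.failures.clear()
            return False
        return True

    def record_failure(self, user: str, now: float) -> bool:
        """Register a failed login; return True if the account is locked afterwards."""
        if self.is_locked(user, now):
            return True
        if not self.policy.enabled:
            return False
        st = self._state(user)
        # Forget failures older than the reset time, then count this one.
        st.failures = [t for t in st.failures if now - t < self.policy.reset_time]
        st.failures.append(now)
        # Table 2: more than `threshold` failures inside the reset window lock the account.
        if len(st.failures) > self.policy.threshold:
            st.locked_at = now
            return True
        return False

    def record_success(self, user: str, now: float) -> bool:
        """A correct password is honoured only when the account is not locked.

        Assumption beyond the guide: a successful login clears the remembered failures.
        """
        if self.is_locked(user, now):
            return False
        self._state(user).failures.clear()
        return True

    def unlock(self, user: str) -> None:
        """Manual unlock, the equivalent of the CLI 'unlock' command for the admin account."""
        st = self._state(user)
        st.locked_at = None
        st.failures.clear()
```

With the defaults, five failures in ten minutes leave the account usable and the sixth locks it; a duration of 0 keeps it locked until unlock() is called, which is the setting to choose when an attacker should not simply be able to wait out the lock.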
Configure Access Control Based on Management
Interface
You can specify the ACOS management interfaces individual admins are allowed to access. In this release, you can deny an
admin access to the ACOS device through the CLI, the GUI (web), or aXAPI.
This section contains the following topics:
• Use the GUI to Configure Management Interface Access
• Use the CLI to Configure Management Interface Access
Refer to the aXAPI Reference for information about how to configure access control using aXAPI.
Use the GUI to Configure Management Interface Access
To configure management interface access using the GUI:
1. Select Config Mode > System > Settings > Admin > Administrator.
2. Click on the admin name or click Add to add a new one.
3. If configuring a new admin, enter the username and password.
4. Next to Access Type, select the interfaces the admin is allowed to access.
5. Click OK.
NOTE: For information about the admin roles listed in the Role drop-down list, see “Pre-Configured GUI
Access Roles” on page 13.
For information about the SSH Key File option, see “Public Key Authentication for SSH”
on page 35.
Use the CLI to Configure Management Interface Access
To deny or permit an admin to access the ACOS device through a specific management interface, use the following com-
mand at the configuration level for the admin account:
[no] access {cli | web | axapi}
The following commands deny management access by admin “admin2” using the CLI or aXAPI:
ACOS(config)# admin admin2
ACOS(config-admin:admin2)# no access cli
ACOS(config-admin:admin2)# no access axapi
Access Based on Management Interface
By default, certain types of management access through the ACOS device’s Ethernet interfaces are blocked. This chapter
describes how to configure management access based on the interface.
The following topics are covered:
• Default Management Access Settings
• Configure Management Access Using Access Control Lists
• Configure Management Access Through Ethernet Interfaces
• Viewing the Current Management Access Settings
• Regaining Access if You Accidentally Block All Access
Default Management Access Settings
Table 3 lists the default settings for each management service.
TABLE 3 Default Management Access
Management Service Ethernet Management Interface Ethernet and VE Data Interface
SSH Enabled Disabled
Telnet Disabled Disabled
HTTP Enabled Disabled
HTTPS Enabled Disabled
SNMP Enabled Disabled
Ping Enabled Enabled
You can enable or disable management access for individual access types and interfaces. You also can use an Access Control
List (ACL) to permit or deny management access through the interface by specific hosts or subnets.
Configure Management Access Using Access Control Lists
This section contains important information regarding Access Control List (ACL) support.
Configure ACL Support on the Management Interface
The management interface supports only a single ACL. The ACL can be applied (bound to the interface) as an enable-
management ACL, or can be applied directly to the interface as a filter. In either case, only one ACL is supported. To replace
the ACL with a different one, you must remove the ACL that is already on the interface first.
For example, either of the following sets of commands is valid but not both:
ACOS(config)# enable-management service acl 1 management
or
ACOS(config)# interface management
ACOS(config-if:management)# access-list 1 in
Additionally, if you apply an enable-management ACL to the management interface, an ACL for an individual service is not
supported. For example, the following rule is not supported on the management interface:
ACOS(config)# enable-management service ping acl 1 management
Configure ACL Support on Data Interfaces
Data interfaces can support multiple ACLs, including multiple enable-management ACLs. If a data interface has multiple
enable-management ACLs, they are applied in the following order of precedence:
1. enable-management service {ping | ssh | telnet | http | https} acl {id | name} {ethernet port-num [to port-num] | ve ve-num [to ve-num]}
2. enable-management service acl {id | name} {ethernet port-num [to port-num] | ve ve-num [to ve-num]}
Implicit Deny Rule
Each ACL has an implicit deny any any rule at the end. If the management traffic’s source address does not match a permit
rule in the ACL, the implicit deny any any rule is used to deny access.
Configure Management Access Through Ethernet
Interfaces
Management access through Ethernet interfaces can be configured:
• Using the GUI (“Use the GUI to Configure Management Access” on page 23)
• Using the CLI (“Use the CLI to Configure Management Access” on page 23)
Use the GUI to Configure Management Access
To change management access settings for interfaces:
1. Select Config Mode > System > Settings > Access Control.
2. For each interface (each row), select or de-select the checkboxes for the access types.
3. To use an ACL to control access, select the ACL from the ACL drop-down list in the row for the interface.
4. After selecting the settings for all the interfaces, click OK.
Use the CLI to Configure Management Access
This section contains the following topics:
• Use the CLI to Disable Management Access
• Use the CLI to Enable Management Access
Use the CLI to Disable Management Access
To disable management access, use either of the following commands at the global configuration level of the CLI:
disable-management service {all | ssh | telnet | http | https | snmp | ping} {management | ethernet port-num [to port-num] | ve ve-num [to ve-num]}
or
disable-management service acl acl-num {management | ethernet port-num [to port-num] | ve ve-num [to ve-num]}
In both commands, the following options specify the interfaces to protect:
• management – The out-of-band Ethernet management interface (MGMT)
• ve ve-num [to ve-num] – A VE data interface or range of VE data interfaces
• ethernet port-num [to port-num] – An Ethernet data interface or range of Ethernet data interfaces
In the first command, the following options specify the type of management access you are configuring:
• all – Disables access to all the management services listed below.
• ssh – Disables SSH access to the CLI.
• telnet – Disables Telnet access to the CLI.
• http – Disables HTTP access to the management GUI.
• https – Disables HTTPS access to the management GUI.
• snmp – Disables SNMP access to the ACOS device’s SNMP agent.
• ping – Disables ping replies from ACOS interfaces.
NOTE: Disabling ping replies from being sent by the ACOS device does not affect the device’s
ability to ping other devices.
In the second command, the acl acl-num option specifies an ACL. Management access from any host address that matches the
ACL is either permitted or denied, depending on the action (permit or deny) of the matching ACL rule.
The following example command disables HTTP access to the out-of-band management interface:
ACOS(config)# disable-management service http management
You may lose connection by disabling the http service.
Continue? [yes/no]:yes
Use the CLI to Enable Management Access
To enable management access, use either of the following commands at the global configuration level of the CLI:
enable-management service {all | ssh | telnet | http | https | snmp | ping} {management | ethernet port-num [to port-num] | ve ve-num [to ve-num]}
or
enable-management service acl acl-num {management | ethernet port-num [to port-num] | ve ve-num [to ve-num]}
The options are the same as those for the disable-management command.
The following example command enables Telnet access to data interface 6:
ACOS(config)# enable-management service telnet ethernet 6
Viewing the Current Management Access Settings
To view the management access settings that are currently in effect, enter the show management command at any level of
the CLI.
The following example shows an ACOS device that has 12 Ethernet data ports. In this example, all the access settings are set
to their default values:
ACOS# show management
        PING  SSH  Telnet  HTTP  HTTPS  SNMP  SYSLOG  SNMP-TRAP  ACL
-------------------------------------------------------------------------
mgmt    on    on   off     on    on     on    off     off        -
eth1    on    off  off     off   off    off   off     off        -
eth2    on    off  off     off   off    off   off     off        -
eth3    on    off  off     off   off    off   off     off        -
eth4    on    off  off     off   off    off   off     off        -
eth5    on    off  off     off   off    off   off     off        -
eth6    on    off  off     off   off    off   off     off        -
eth7    on    off  off     off   off    off   off     off        -
eth8    on    off  off     off   off    off   off     off        -
eth9    on    off  off     off   off    off   off     off        -
eth10   on    off  off     off   off    off   off     off        -
eth11   on    off  off     off   off    off   off     off        -
eth12   on    off  off     off   off    off   off     off        -
Regaining Access if You Accidentally Block All Access
If you disable the type of access you are using on the interface you are using at the time you enter a disable-management
command, your management session will end. If you accidentally lock yourself out of the device altogether (for example, if
you use the all option for all interfaces), you can still access the CLI by connecting a PC to the ACOS device’s serial port.
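As an added illustration (not A10 code and not from this guide), the following Python script parses show management output of the kind shown under “Viewing the Current Management Access Settings” and reports two things a reviewer looks for: interfaces where the cleartext services Telnet or HTTP are enabled, and data interfaces that accept SSH, HTTPS or SNMP management traffic with no ACL bound. SAMPLE_OUTPUT is constructed for the example, with eth2 and eth3 deliberately weakened. The suggested fixes use the enable-management and disable-management syntax from this chapter with <acl-id> as a placeholder, and the session argument flags any fix that would disable the service you are connected through, the lock-out case described under “Regaining Access if You Accidentally Block All Access”.

```python
"""Audit 'show management' output for management-plane exposure (added example, not A10 code)."""
from typing import Dict, List, Optional, Tuple

COLUMNS = ["PING", "SSH", "Telnet", "HTTP", "HTTPS", "SNMP", "SYSLOG", "SNMP-TRAP", "ACL"]
CLEARTEXT = ("Telnet", "HTTP")                                   # credentials cross the wire unencrypted
DATA_PLANE_RISKY = ("SSH", "Telnet", "HTTP", "HTTPS", "SNMP")    # should not be open on data interfaces without an ACL

# Constructed sample, modelled on the show management listing in this chapter.
# eth2 has SSH and Telnet open with no ACL; eth3 has HTTP open behind ACL 10.
SAMPLE_OUTPUT = """\
       PING  SSH  Telnet  HTTP  HTTPS  SNMP  SYSLOG  SNMP-TRAP  ACL
-------------------------------------------------------------------
mgmt   on    on   off     on    on     on    off     off        -
eth1   on    off  off     off   off    off   off     off        -
eth2   on    on   on      off   off    off   off     off        -
eth3   on    off  off     on    off    off   off     off        10
"""


def parse_show_management(text: str) -> Dict[str, Dict[str, object]]:
    """Return {interface: {column: True/False, 'ACL': id-or-None}} from show management output."""
    rows: Dict[str, Dict[str, object]] = {}
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] == COLUMNS[0] or parts[0].startswith("-"):
            continue                                  # blank, header or separator line
        name, values = parts[0], parts[1:]
        if len(values) != len(COLUMNS):
            raise ValueError(f"unexpected column count on line {line!r}")
        row: Dict[str, object] = {}
        for col, val in zip(COLUMNS, values):
            if col == "ACL":
                row[col] = None if val == "-" else val
            elif val in ("on", "off"):
                row[col] = val == "on"
            else:
                raise ValueError(f"unexpected value {val!r} for {col} on {name}")
        rows[name] = row
    return rows


def cli_target(iface: str) -> str:
    """Map a show management row name to the interface operand of enable/disable-management."""
    if iface == "mgmt":
        return "management"
    if iface.startswith("eth"):
        return f"ethernet {iface[3:]}"
    if iface.startswith("ve"):
        return f"ve {iface[2:]}"
    raise ValueError(f"unknown interface name {iface!r}")


def audit(rows: Dict[str, Dict[str, object]],
          session: Optional[Tuple[str, str]] = None) -> List[dict]:
    """Return findings; session=(iface, service) marks a fix that would end the current session."""
    findings = []
    for iface, row in rows.items():
        target = cli_target(iface)
        for svc in CLEARTEXT:
            if row[svc]:
                findings.append({"iface": iface, "service": svc,
                                 "reason": "cleartext management service enabled",
                                 "fix": f"disable-management service {svc.lower()} {target}",
                                 "cuts_session": session == (iface, svc)})
        if iface != "mgmt" and row["ACL"] is None:
            for svc in DATA_PLANE_RISKY:
                if row[svc] and svc not in CLEARTEXT:     # cleartext services are already flagged above
                    findings.append({"iface": iface, "service": svc,
                                     "reason": "management service on data interface without ACL",
                                     "fix": f"enable-management service {svc.lower()} acl <acl-id> {target}",
                                     "cuts_session": False})
    return findings
```

Run audit() with session set to the interface and service you logged in on; any finding with cuts_session set should be applied from the serial console or from another interface, because ACOS ends your session the moment that service is disabled.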
Configuring Web Access
By default, access to the ACOS management GUI is enabled. A valid admin username and password are required to log in, and
requests to the unsecured HTTP port are automatically redirected to HTTPS (see Table 4).
This chapter contains the following topics:
• Web Access Default Settings
• Configure Web Access
• Configure Object Access Control
Web Access Default Settings
Table 4 lists the default settings for Web access.
TABLE 4 Default Web Access Settings
Parameter      Description                                                                                               Default
Auto-redirect  Automatically redirects requests for the unsecured port (HTTP) to the secure port (HTTPS).                Enabled
HTTP server    HTTP server on the ACOS device.                                                                           Enabled
HTTP port      Protocol port number for the unsecured (HTTP) port.                                                       80
HTTPS server   HTTPS server on the ACOS device.                                                                          Enabled
HTTPS port     Protocol port number for the secure (HTTPS) port.                                                         443
Timeout        Number of minutes a Web management session can remain idle before it times out and is terminated by       Range: 0-60 minutes
               the ACOS device. To disable the timeout, specify 0.                                                       Default: 10 minutes
aXAPI Timeout  Number of minutes an aXAPI session can remain idle before being terminated. Once the aXAPI session is     Range: 0-60 minutes (0 = sessions never time out)
               terminated, the session ID generated by the ACOS device for the session is no longer valid.               Default: 10 minutes
Note: For information about aXAPI, see the aXAPI Reference.
NOTE: If you disable HTTP or HTTPS access, any sessions on the management GUI are immedi-
ately terminated.
Configure Web Access
To configure web access, you can:
• Use the GUI to Configure Web Access
• Use the CLI to Configure Web Access
Use the GUI to Configure Web Access
To configure web access using the GUI:
1. Select Config Mode > System > Settings.
2. On the menu bar, select Web.
3. Edit the settings you want to change.
4. Click OK.
NOTE: The Preference section sets the default IP address type (IPv4 or IPv6) for GUI configura-
tion fields that require an IP address. The Preference section does not affect access to the
GUI itself.
Use the CLI to Configure Web Access
Use the web-service command at the global configuration level of the CLI to configure web access.
The following command enables management access on HTTP:
ACOS(config)# web-service enable
The following command sets the HTTP port to 80:
ACOS(config)# web-service port 80
The following command sets the idle timeout to 30 minutes:
ACOS(config)# web-service timeout-policy idle 30
The show web-service command verifies your configuration. At the global configuration level of the CLI, enter:
ACOS(config)# show web-service
ACOS Web Server:
Idle time: 30 minutes
Http port: 80
Https port: 443
Auto redirect: Enabled
Https: Enabled
Http: Enabled
aXAPI Idle time: 10 minutes
Configure Object Access Control
The Object Access Control (OAC) feature provides increased user privilege control for SLB objects within a single partition or
in multiple partitions.
The previous release provided role-based access privileges for a given user within the whole partition or multiple partitions.
It did not provide the capability to restrict user access to SLB objects, such as a real server, service group, or a virtual server.
This feature alleviates the need to create a separate partition for different users to allow exclusive control over different SLB
objects.
Privilege control, such as read/write or read only, still is based on role-based control.
The limitations of the object access control feature are listed below:
• The object access control module must be configured before it can be assigned to a user.
• Some SLB objects (such as virtual servers, service groups, and servers) can be authorized using the object access con-
trol module. This feature does not provide control over all SLB objects, such as the ports belonging to a real server,
members of a service group, or the ports belonging to a virtual server.
• The maximum number for OAC objects that can be defined in all partitions is 128. For each type of SLB object,
such as virtual servers, service groups, and servers, you can configure up to 100 per OAC.
• Once you configure OAC for an administrative user, that user's access is configurable only via the GUI, not the CLI or
aXAPI, and the administrator will not be able to log in using either the CLI or aXAPI.
Use the GUI to Configure Object Access Control
To configure Object Access Control using the GUI:
1. Select Config Mode > System > Admin > Object Access Control.
The window that opens lists any existing OAC objects and shows whether each object is visible or hidden.
2. Create a new OAC object by clicking Add.
You can either create the object in the shared partition or switch to a private partition to create an OAC object within
that partition. To switch, select the partition (for example, p1) from the Partition tab in the top navigation bar and
confirm your selection by clicking OK.
For purposes of illustration, this example shows creating an OAC in the shared partition. The following window will be
displayed:
a. Either type in the name of an existing object or use the default drop-down list to choose from the list all available
virtual server objects in the current partition, shared:
NOTE: When you add a virtual server to the authorized virtual server list, the service group, and
server that use this virtual server or virtual server’s port, will also inherit the same privi-
leges you assign to this virtual server. Though you will be able to see the service group
and real server, you will not be able to select them. Similarly, when you configure a ser-
vice group and assign it some privileges, the real server will also acquire the same access
privileges as the service group’s OAC, since privileges are inherited.
NOTE: If you configure an OAC, but do not assign any authorized virtual servers, service groups,
or real servers, when you assign this OAC to an administrator, you will not be able to see
any virtual servers, service groups, or real servers, since none have been associated with
the OAC.
b. Click on Add to see the name of the virtual server appear in the “Authorized Virtual Server” list.
c. Repeat the same procedures to add authorized service groups:
d. Repeat the same procedures to add authorized real servers:
e. Click on Ok when done adding your authorized virtual servers, service groups, and servers. Your OAC will appear in
the list of available OACs:
3. After you create the OAC objects, assign them to an administrator. To create an administrator and assign an OAC to it,
do the following. In the current release, do not select the Role tab.
a. Go to Config Mode > System > Admin.
b. Click on Add to create a new administrator.
The following window appears:
c. Enter the name of the administrator and fill out the mandatory fields that are flagged with an asterisk: Administrator
Name, Password, Confirm Password, and Role. Then, from the drop-down list in the Object Access Control field, choose
the OAC you wish to assign to this administrator.
d. Click OK.
Your administrator will be added to the list of administrators. In the following example Tester1 was added as the
administrator for the shared partition, has Read and Write access, and has been assigned OAC A-Test:
4. If you have created the OAC within a partition, select the partition read or write role. You can add a partition and attach
it to an OAC in the partition list, or if you do not want to use OAC feature, you can just leave the OAC field blank.
NOTE: Both the multiple-partition list and the OAC feature disable CLI and aXAPI access for the admin.
Public Key Authentication for SSH
ACOS provides an option to simplify management access through the CLI, with support for public key authentication.
Public key authentication allows an ACOS admin to log in through SSH without entering a password. When the admin enters
their username and presses Enter, the SSH client on the admin’s PC signs a challenge with the admin’s private key and
sends the signature to the ACOS device. The ACOS device verifies the signature against the admin’s public key stored on
the ACOS device. If the signature verifies, the admin is granted access.
To use public key authentication, perform the following steps:
1. Generate a Key Pair From the Remote Client
2. Import the Public Key to the ACOS Device
Instructions for deleting a public key are provided in Delete a Public Key.
Generate a Key Pair From the Remote Client
On the remote client (for example, a PC) from which the admin will access the ACOS device CLI, use the PC’s SSH client to
generate an RSA key pair for the admin. The key pair consists of a public key and a private key.
NOTE: In the current release, only the OpenSSH client is supported.
An example of how to do this is shown below (the admin account is “admin2”):
OpenSSHclient$ mkdir ~/.ssh
OpenSSHclient$ chmod 700 ~/.ssh
OpenSSHclient$ ssh-keygen -q -f ~/.ssh/ACOS_admin2 -t rsa
Enter passphrase (empty for no passphrase): …
Enter same passphrase again: …
NOTE: Do not enter any characters at the passphrase prompts; just press Enter. Because the private key is then stored
unencrypted, it is protected only by file permissions (ssh-keygen creates it with mode 0600): keep it on the client
and never copy it to the ACOS device.
Import the Public Key to the ACOS Device
After the key pair is generated, follow this procedure to import the public key to the ACOS device.
1. Log in the ACOS device with root or global read-write privileges.
2. Access the configuration level for the admin account.
3. Import only the public key onto the ACOS device. (Do not import the private key onto the ACOS device.)
You can import public keys in separate files or grouped together into a single file.
NOTE: The “admin” account has root privileges and can manage the public keys for all admins. Any other
admin account can manage only the public key belonging to that admin account.
To import an SSH public key onto the ACOS device, use the following command at the configuration level for the
admin account:
ACOS(config)# ssh-pubkey import url
The url specifies the file transfer protocol, username (if required), and directory path of the public key file to import.
You can enter the entire URL on the command line or press Enter to display a prompt for each part of the URL. If you
enter the entire URL and a password is required, you will still be prompted for the password. To enter the entire URL:
• tftp://host/file
• ftp://[user@]host[:port]/file
• scp://[user@]host/file
• rcp://[user@]host/file
4. Verify the installation of the public key by using the following command:
ACOS(config)# ssh-pubkey list
An example of how to import a public key is shown below for the admin user “admin2”:
ACOS(config)# admin admin2
ACOS(config-admin:admin2)# ssh-pubkey import scp:
Address or name of remote host []? 10.10.10.69
User name []? ACOSadmin2
Password []? *********
File name [/]? ACOS_admin2.pem
ACOS(config-admin:admin2)# ssh-pubkey list
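The following Python check is added here as an illustration and is not part of ACOS or this guide. It validates a key file before you hand it to ssh-pubkey import: it refuses private keys and PEM or RFC 4716 framing, parses each OpenSSH ssh-rsa line down to the RSA modulus, accepts several keys grouped in one file as described above, and warns on a modulus below 2048 bits (a common minimum, not a limit the guide states). encode_ssh_rsa exists only to build the constructed sample lines; their moduli are placeholder numbers chosen for bit length, not real keys.

```python
"""Pre-import validation of OpenSSH public key files (added example, not ACOS code)."""
import base64
import struct
from typing import List, Tuple


def _ssh_string(b: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def _ssh_mpint(n: int) -> bytes:
    """RFC 4251 'mpint' for a non-negative integer (a leading 0x00 keeps the sign bit clear)."""
    if n == 0:
        return _ssh_string(b"")
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)


def encode_ssh_rsa(e: int, n: int, comment: str = "") -> str:
    """Build one OpenSSH 'ssh-rsa <base64> [comment]' line; used here only for constructed samples."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    line = "ssh-rsa " + base64.b64encode(blob).decode("ascii")
    return line + (" " + comment if comment else "")


def _read_string(blob: bytes, off: int) -> Tuple[bytes, int]:
    """Read one RFC 4251 string at offset off; reject truncated blobs."""
    if off + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[off:off + 4])
    off += 4
    if off + length > len(blob):
        raise ValueError("truncated key blob")
    return blob[off:off + length], off + length


def parse_public_key_file(text: str, min_bits: int = 2048) -> List[dict]:
    """Parse a file of OpenSSH public key lines and reject anything that is not one.

    Returns one dict per key (type, bits, exponent, comment, warnings). Raises ValueError
    for a private key, PEM/RFC 4716 framing, a non-RSA line or a malformed blob.
    """
    keys = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if "PRIVATE KEY" in line:
            raise ValueError(f"line {lineno}: this is a private key; import only the public key")
        if line.startswith("----"):
            raise ValueError(f"line {lineno}: PEM or RFC 4716 framing; expected OpenSSH one-line format")
        parts = line.split(None, 2)
        if len(parts) < 2 or parts[0] != "ssh-rsa":
            raise ValueError(f"line {lineno}: expected 'ssh-rsa <base64> [comment]'")
        try:
            blob = base64.b64decode(parts[1], validate=True)
        except ValueError as exc:          # binascii.Error is a ValueError subclass
            raise ValueError(f"line {lineno}: bad base64 ({exc})") from None
        ktype, off = _read_string(blob, 0)
        if ktype != b"ssh-rsa":
            raise ValueError(f"line {lineno}: blob type {ktype!r} does not match the 'ssh-rsa' prefix")
        e_raw, off = _read_string(blob, off)
        n_raw, off = _read_string(blob, off)
        if off != len(blob):
            raise ValueError(f"line {lineno}: trailing bytes after the RSA modulus")
        bits = int.from_bytes(n_raw, "big").bit_length()
        warnings = []
        if bits < min_bits:
            warnings.append(f"RSA modulus is {bits} bits; {min_bits} or more is the usual minimum")
        keys.append({"type": "ssh-rsa", "bits": bits, "exponent": int.from_bytes(e_raw, "big"),
                     "comment": parts[2] if len(parts) > 2 else "", "warnings": warnings})
    return keys


# Constructed sample file: two keys for admin2 grouped in one file. The moduli are
# placeholder numbers chosen for their bit length, not real RSA keys.
SAMPLE_KEY_FILE = "\n".join([
    encode_ssh_rsa(65537, (1 << 2047) | 1, "admin2@pc"),
    encode_ssh_rsa(65537, (1 << 1023) | 1, "admin2@old-laptop"),
])
```

Run parse_public_key_file over the file on the client before transferring it; note also that tftp, ftp and rcp carry the file in cleartext, so scp is the transfer method to prefer for the import URL even though a public key is not itself secret.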
Delete a Public Key
To delete an SSH public key from the ACOS device, use the following command:
ACOS(config)# ssh-pubkey delete num
The num option specifies the key number on the ACOS device. The key numbers are displayed along with the keys them-
selves by the ssh-pubkey list command.
TACACS+ and RADIUS
You can configure the ACOS device to use remote servers for Authentication, Authorization, and Accounting (AAA) for admin
sessions. The ACOS device supports RADIUS, TACACS+, and LDAP servers.
RADIUS and TACACS+ AAA support are described in this chapter:
• Disable Local Authentication for the Admin Account
• Configuring Authentication
• Configure Authorization
• Configure Accounting
• Configuring Authentication, Authorization, and Accounting for Admin Access
• Examples
• Windows IAS Setup for RADIUS
For information about LDAP support, see “Lightweight Directory Access Protocol” on page 77.
Configuring Authentication
Authentication grants or denies access based on the credentials presented by the person who is attempting access. Authen-
tication for management access to the ACOS device grants or denies access based on the admin username and password.
By default, when someone attempts to log into the ACOS device, the device checks its local admin database for the user-
name and password entered by the person attempting to gain access.
Without additional configuration, the authentication process stops at this point. If the admin username and password are in
the local database, the person is granted access. Otherwise, they are denied.
You can configure the ACOS device to also use external RADIUS, TACACS+ or LDAP servers for authentication.
This section contains the following topics:
• Configure Multiple Authentication Methods
• Configure Tiered Authentication
• Flowcharts Describing the Authentication Process
• Disable Local Authentication for the Admin Account
• Token-based Authentication Support for RADIUS
Configure Multiple Authentication Methods
The current release enables you to specify more than 2 authentication methods for authentication of ACOS admins. For
example, you can configure the ACOS device to try the following methods when authenticating an admin:
1. LDAP
2. TACACS+
3. RADIUS
4. Local database
In this case, the ACOS device tries to use the LDAP servers first. If no LDAP servers respond, the ACOS device then tries to use
the TACACS+ servers. If no TACACS+ servers respond either, the ACOS device then tries the RADIUS servers. If no RADIUS
servers respond either, the ACOS device uses the local database.
Configure Tiered Authentication
In addition to selecting multiple methods of authentication (“Configure Multiple Authentication Methods” on page 38), you can also configure the ACOS device to use tiers of authentication and configure backup authentication methods if the primary authentication method is unavailable.
By default, the backup authentication method is used only if the primary method does not respond. If the primary method
does respond and denies access, the secondary method is not used. The admin is not granted access.
You can enable the ACOS device to check the next method if the primary method does respond but authentication fails
using that method. This option is called “tiered authentication”.
For example, if the primary method is RADIUS and the next method is TACACS+, and RADIUS rejects the admin, tiered
authentication attempts to authenticate the admin using TACACS+.
Table 5 describes the ACOS authentication behavior based on the tiered authentication setting.
TABLE 5 Authentication Process Based on Tiered Authentication Setting
Tiered Authentication Setting: Single (default)
ACOS Behavior:
1. Try method1. If a method1 server replies, permit or deny access based on the server reply.
2. Only if no method1 servers reply, try method2. If a method2 server replies, permit or deny access based on the server reply.
3. Only if no method2 servers reply, try method3. If a method3 server replies, permit or deny access based on the server reply.
4. Only if no method3 servers reply, try method4. If authentication succeeds, the admin is permitted. Otherwise, the admin is denied.
Tiered Authentication Setting: Multiple
ACOS Behavior:
1. Try method1. If a method1 server replies, permit or deny access based on the server reply.
2. If no method1 servers reply or a method1 server denies access, try method2.
3. If no method2 servers reply or a method2 server denies access, try method3.
4. If no method3 servers reply or a method3 server denies access, try method4. If authentication succeeds, the admin is permitted. Otherwise, the admin is denied.
Tiered authentication is disabled (set to single) by default. You can enable it on a global basis.
Flowcharts Describing the Authentication Process
You can specify whether to check the local database or the remote server first. Figure 3 and Figure 4 show the authentication
processes used if the ACOS device is configured to check remote AAA servers (RADIUS, TACACS+, or LDAP) first.
If the RADIUS, TACACS+, or LDAP server responds, the local database is not checked.
• If the admin name and password are found on the RADIUS, TACACS+, or LDAP server, the admin is granted access.
• If the admin name and password are not found on the RADIUS, TACACS+, or LDAP server, the admin is denied access.
Only if there is no response from any RADIUS, TACACS+, or LDAP server does the ACOS device check its local database for the admin name and password.
NOTE: An exception is made for the “admin” account; by default, the ACOS device always uses local authentication for “admin”.
Local authentication can be disabled for “admin”, in which case the authentication process is the same as for other admin accounts. For more information, see “Disable Local Authentication for the Admin Account” on page 41.
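The method-ordering behaviour of Table 5 and the “admin” exception described in the NOTE, as an added simulation that is not part of this guide or of ACOS itself; the server groups and the method names (“radius”, “local”) are constructed stand-ins:

```python
# Added example (not A10's code): simulates the authentication method order
# from Table 5 in "single" and "multiple" (tiered) mode, plus the local
# authentication exception for the "admin" account and "disable-local".
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# A method returns "permit" or "deny" when a server replies, or None when no
# server for that method replies (unreachable or timed out).
Verdict = Optional[str]
AuthMethod = Callable[[str, str], Verdict]


def remote_servers(users: Dict[str, str], reachable: bool = True) -> AuthMethod:
    """Constructed stand-in for a RADIUS, TACACS+ or LDAP server group."""
    def check(user: str, password: str) -> Verdict:
        if not reachable:
            return None
        return "permit" if users.get(user) == password else "deny"
    return check


def local_database(users: Dict[str, str]) -> AuthMethod:
    """The local admin database always replies."""
    def check(user: str, password: str) -> Verdict:
        return "permit" if users.get(user) == password else "deny"
    return check


@dataclass
class AuthConfig:
    order: List[str]                       # e.g. ["radius", "local"], as given to "authentication type"
    servers: Dict[str, AuthMethod]         # remote method name -> server group
    local_users: Dict[str, str] = field(default_factory=dict)
    mode: str = "single"                   # "authentication mode {multiple | single}"
    disable_local_for_admin: bool = False  # "authentication disable-local"


def method_for(cfg: AuthConfig, name: str) -> AuthMethod:
    return local_database(cfg.local_users) if name == "local" else cfg.servers[name]


def authenticate(cfg: AuthConfig, user: str, password: str) -> Tuple[bool, str]:
    """Return (granted, reason) following the Table 5 behaviour."""
    # Exception: "admin" is always authenticated locally unless disable-local is set.
    if user == "admin" and not cfg.disable_local_for_admin:
        ok = local_database(cfg.local_users)(user, password) == "permit"
        return ok, "local (admin exception)"
    for name in cfg.order:
        verdict = method_for(cfg, name)(user, password)
        if verdict == "permit":
            return True, f"{name} permitted"
        if verdict == "deny" and cfg.mode == "single":
            # Single: a reply ends the process; backups are used only when no server replies.
            return False, f"{name} denied"
        # No reply (or a denial in multiple mode): fall through to the next method.
    return False, "no method permitted access"


if __name__ == "__main__":
    cfg = AuthConfig(order=["radius", "local"],
                     servers={"radius": remote_servers({"alice": "r-pw"})},
                     local_users={"alice": "l-pw", "admin": "adm-pw"})
    print("single:  ", authenticate(cfg, "alice", "l-pw"))   # RADIUS denies, local not consulted
    cfg.mode = "multiple"
    print("multiple:", authenticate(cfg, "alice", "l-pw"))   # tiered: falls through to local
```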
FIGURE 3 Authentication Process When Remote Authentication Is First (2 remote servers configured) – Example shown is for RADIUS
FIGURE 4 Authentication Process When Remote Authentication Is First (1 remote server configured) – Example shown is for TACACS+
Disable Local Authentication for the Admin Account
By default, the ACOS device always locally authenticates “admin” even if RADIUS, TACACS+, or LDAP is used as the primary
authentication method. This behavior can be disabled:
• Use the GUI to Disable Local Authentication for the Admin Account
• Use the CLI to Disable Local Authentication for the Admin Account
NOTE: If the RADIUS, TACACS+, or LDAP server can not be reached, the ACOS device then uses
local authentication for “admin”. This is the same behavior as is used for other admin
accounts when the remote AAA server can not be reached.
Use the GUI to Disable Local Authentication for the Admin Account
To disable local authentication for the admin account using the GUI:
1. Select Config Mode > System > Admin > External Authentication > General.
2. Select “Disable the local authentication when the external authentication is available”.
3. Click OK.
Use the CLI to Disable Local Authentication for the Admin Account
To disable automatic local authentication of the admin account using the CLI:
1. Log in using the admin account.
2. Use the following command at the global configuration level of the CLI:
ACOS(config)# authentication disable-local
Token-based Authentication Support for RADIUS
The ACOS Series supports RSA token-based RADIUS authentication. Token-based authentication provides additional login
security by requiring the admin to enter a string, the token, in addition to the username and password. This enhancement
supports the Access-Challenge function described in RFC 2865, Remote Authentication Dial In User Service (RADIUS).
After the admin enters the username and password, the ACOS device sends them to the RADIUS server. If the username and password are valid, and the server is configured to use token-based authentication, the server replies with an Access-Challenge message. The ACOS device then displays a prompt for the required token.
• If the token is also valid, the admin is granted access.
• If the token is invalid, access is denied, even though the username and password are valid.
Support for token-based RADIUS authentication is enabled by default and can not be disabled. No additional configuration is
required on the ACOS device.
The following sections show examples of login sessions in which a token is required for login.
Use the GUI to Configure Token-Based Authentication for RADIUS
In the following GUI example, an admin initiates login by entering their username and password. The ACOS device presents
a challenge value and prompts for the response.
FIGURE 5 GUI Token-based Login
Use the CLI to Configure Token-Based Authentication for RADIUS
In the following CLI example, an admin initiates login by entering their username and password. The ACOS device presents a
challenge value and prompts for the response.
login as: admin2
Using keyboard-interactive authentication.
Password: ********
Using keyboard-interactive authentication.
Challenge: 133420
Response: ******
Last login: Fri Jul 1 21:51:35 2011 from 192.168.32.153
[type ? for help]
ACOS>
Configure Authorization
You can configure authorization based on the following:
• Authorization Based on Management Interface
• Authorization for GUI Access
• Authorization for CLI Access
• Authorization Based on Private Partition
• LDAP Configuration for Partition Access
• RADIUS Authorization Based on Service-Type
Authorization Based on Management Interface
You can deny an admin from accessing the ACOS device through one or more of the following management interfaces:
• CLI
• GUI
• aXAPI
By default, admins are allowed to use any of the management interfaces.
RADIUS Configuration for Management Interface Access
To configure authorization based on management interface, use the following A10-Admin-Access-Type values:
• cli
• web
• axapi
To authorize access to more than one management interface, use a comma between each value. For example: cli,web
If you do not specify an A10-Admin-Access-Type value, access through all three interfaces is permitted.
TACACS+ Configuration for Management Interface Access
To configure authorization based on management interface, use the following Attribute Value Pair (AVP).
a10-access-type=mgmt-int
The mgmt-int can be one or more of the following:
• cli
• web
• axapi
To authorize access to more than one management interface, use a comma between each value. For example:
a10-access-type=cli,web
If you do not specify an a10-access-type value, access through all three interfaces is permitted.
NOTE: An AVP is the combination of an attribute, which is a parameter associated with an
ACOS admin account, and the value of the parameter.
LDAP Configuration for Management Interface Access
Authorization for LDAP is based on a schema file. For details refer to “A10 Schema File for OpenLDAP” on page 80.
Authorization for GUI Access
Each admin account configured on the ACOS device includes a GUI access role. The GUI access role specifies the GUI pages
to which the admin has write privileges, the pages to which the admin has read-only privileges, and if applicable, the pages
that are hidden from the admin.
For each GUI page, the admin role specifies whether the admin is allowed to access (view) the page. If the admin is allowed
to access the page, the role specifies whether the admin has read-only or read-write privileges for the page.
You can assign an admin to a preconfigured role or a custom role that you configure. You also can customize the preconfigured roles. Table 1 on page 13 lists the preconfigured roles and the types of GUI page access allowed by each one.
NOTE: The GUI access roles do not apply to admins who log in through the CLI.
For additional information, see “Authorization for CLI Access” on page 46 and “RADIUS
Authorization Based on Service-Type” on page 50.
RADIUS Configuration for GUI Access Roles
To configure role-based authorization for access to the GUI, use the A10-Admin-Privilege option. For example, to authorize
access to the GUI pages associated with the PartitionReadWrite role, use the following statement in the admin definition:
A10-Admin-Role = "PartitionReadWrite"
NOTE: In the current release, the A10-Admin-Privilege option applies only to GUI access. It does
not restrict CLI or aXAPI access.
TACACS+ Configuration for GUI Access Roles
To configure role-based authorization for access to the GUI, use the following AVP:
a10-admin-role=role-name
NOTE: In the current release, this AVP applies only to GUI access. It does not restrict CLI or aXAPI
access.
Compatibility with Privilege Levels Assigned by RADIUS or TACACS+
It is required to assign a proper privilege level (defined on the ACOS device) to the external user on the RADIUS or TACACS+ server, so that the user may be authenticated and be granted access to the ACOS device. After the ACOS device authenticates the privilege level, it will use the GUI access role assigned to the user to manage the device.
It is not required to assign a privilege level to an ACOS admin on the RADIUS or TACACS+ server used to authenticate the
admin. The ACOS device uses the GUI access role assigned to the admin in the admin’s account on the ACOS device.
However, if a privilege level is assigned to the admin on the RADIUS or TACACS+ server, that privilege level must match the
role assigned to the admin in the ACOS configuration. Otherwise, the admin will be denied access.
Table 6 lists the RADIUS and TACACS+ privilege levels that match the GUI access roles.
TABLE 6 RADIUS / TACACS+ Privilege Levels and Matching GUI Access Roles
GUI Access Role | RADIUS Privilege Level | TACACS+ Privilege Level | Partition Role
ReadWriteAdmin | 2 | 15 | N
SystemAdmin | 3 | 14 | N
NetworkAdmin | 4 | 13 | N
NetworkOperator | 5 | 12 | N
SlbServiceAdmin | 6 | 11 | N
SlbServiceOperator | 7 | 10 | N
ReadOnlyAdmin | 1 | 0 | N
PartitionReadWrite | 8 | 9 | Y
PartitionNetworkOperator | 9 | 8 | Y
PartitionSlbServiceAdmin | 10 | 7 | Y
PartitionSlbServiceOperator | 11 | 6 | Y
PartitionReadOnly | 12 | 5 | Y
The Partition Role column indicates whether the GUI access role is for a partition admin and requires specification of a private
partition name. If the privilege level for a partition role is specified on the RADIUS or TACACS+ server, the partition name also
must be specified on the server. If the privilege level is for a non-partition role, it is invalid to specify a partition name on the
server.
Authorization for CLI Access
You can configure the ACOS device to use external RADIUS, TACACS+, or LDAP servers to authorize commands entered by
admins who log in using the CLI.
Following successful Authentication, the authenticated party is granted access to specific system resources by Authorization.
For an ACOS admin, authorization specifies the CLI levels they can access.
Operational Commands Disabled for Read-Only Admins
Admins who are authenticated by RADIUS, TACACS+, or LDAP, and authorized for read-only access directly to the Privileged
EXEC level of the CLI, are not allowed to run certain operational commands.
For these admins, the following operational commands at the Privileged EXEC level of the CLI are disabled:
• backup
• config
• import
• locale
• reboot
• reload
• shutdown
This includes admins with the ReadOnlyAdmin or PartitionReadOnly role.
RADIUS CLI Authorization
To configure RADIUS CLI Authorization, use the following settings on the RADIUS server:
VALUE A10-Admin-Privilege Read-only-Admin 1
VALUE A10-Admin-Privilege Read-write-Admin 2
The first line grants access to the User EXEC level and Privileged EXEC level. The admin’s CLI session begins at the User EXEC
level. The admin can access the Privileged EXEC level, without entering an enable password. Access to the configuration
level is not allowed.
login as: admin3
Using keyboard-interactive authentication.
Password: ********
Last login: Fri Mar 26 20:03:39 2010 from 192.168.1.140
[type ? for help]
ACOS> enable
ACOS#
The second line grants access to all levels. The admin’s CLI session begins at the Privileged EXEC level.
login as: admin4
Using keyboard-interactive authentication.
Password: ********
Last login: Fri Mar 26 20:03:39 2010 from 192.168.1.140
[type ? for help]
ACOS#
NOTE: Also see “RADIUS Authorization Based on Service-Type” on page 50.
TACACS+ CLI Authorization
To configure TACACS+ CLI Authorization:
• Configure the TACACS+ server to authorize or deny execution of specific commands or command groups.
• Configure the ACOS device to send commands to the TACACS+ server for authorization before executing those commands.
NOTE: This authorization process does not apply to admins who log in through the GUI. (See
“Authorization for GUI Access” on page 45.)
CLI Access Levels
You can use TACACS+ to authorize an admin to execute commands at one of the following CLI access levels:
• 15(admin) – This is the most extensive level of authorization. Commands at all CLI levels, including those used to configure admin accounts, are sent to TACACS+ for authorization.
• 14(config) – Commands at all CLI levels except those used to configure admin accounts are sent to TACACS+ for authorization. Commands for configuring admin accounts are automatically allowed.
• 1(priv EXEC) – Commands at the Privileged EXEC and User EXEC levels are sent to TACACS+ for authorization. Commands at other levels are automatically allowed.
• 0 (user EXEC) – Commands at the User EXEC level are sent to TACACS+ for authorization. Commands at other levels are automatically allowed.
Access levels 1-15 grant access to the Privileged EXEC level or higher, without challenging the admin for the enable password. Access level 0 grants access to the User EXEC level only.
NOTE: Command levels 2-13 are equivalent to command level 1.
CAUTION: The most secure option is 15(admin). If you select a lower option, for example, 1(priv
EXEC), make sure to configure the TACACS+ server to deny any unmatched commands
(these are commands that are not explicitly allowed by the server). Otherwise,
unmatched commands, including commands at higher levels, will automatically be
authorized to execute.
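The access-level filter and the CAUTION above, as an added model that is not A10's code and not a TACACS+ implementation; the command-policy class is a constructed stand-in for the server's rules, and “admin-config” is an assumed name for the level of commands that configure admin accounts:

```python
# Added example (not A10's code): models which CLI commands ACOS sends to the
# TACACS+ server for authorization at each access level, and shows why the
# CAUTION above matters when the server permits unmatched commands.
from typing import Dict

# CLI levels from least to most privileged. "admin-config" is an assumed name
# for the commands used to configure admin accounts, which level 14 excludes.
CLI_LEVELS = ("user EXEC", "privileged EXEC", "config", "admin-config")


def effective_access_level(level: int) -> int:
    """Command levels 2-13 are equivalent to command level 1 (see the NOTE)."""
    if not 0 <= level <= 15:
        raise ValueError("TACACS+ access level must be between 0 and 15")
    return 1 if 2 <= level <= 13 else level


def sent_to_tacacs(access_level: int, cli_level: str) -> bool:
    """True if a command entered at cli_level is sent to TACACS+ for authorization."""
    level = effective_access_level(access_level)
    rank = CLI_LEVELS.index(cli_level)
    if level == 15:                      # 15(admin): every level, admin-account commands included
        return True
    if level == 14:                      # 14(config): everything except admin-account commands
        return cli_level != "admin-config"
    if level == 1:                       # 1(priv EXEC): Privileged EXEC and User EXEC only
        return rank <= 1
    return rank == 0                     # 0(user EXEC): User EXEC only


class TacacsCommandPolicy:
    """Constructed stand-in for the server's per-command rules (not a real TACACS+ server).
    rules maps a command keyword to True (permit) or False (deny); deny_unmatched is the
    server-side setting the CAUTION tells you to enable."""

    def __init__(self, rules: Dict[str, bool], deny_unmatched: bool) -> None:
        self.rules = rules
        self.deny_unmatched = deny_unmatched

    def authorize(self, command: str) -> bool:
        keyword = command.split()[0]
        if keyword in self.rules:
            return self.rules[keyword]
        return not self.deny_unmatched   # unmatched: permitted unless the server denies by default


def command_allowed(access_level: int, cli_level: str, command: str,
                    policy: TacacsCommandPolicy) -> bool:
    """Combine the ACOS-side level filter with the server's decision.
    Commands at levels the selected access level does not cover are never sent,
    so they always run regardless of the server's rules."""
    if not sent_to_tacacs(access_level, cli_level):
        return True
    return policy.authorize(command)


if __name__ == "__main__":
    # The server only has a rule for "show"; every other command is unmatched.
    lax = TacacsCommandPolicy({"show": True}, deny_unmatched=False)
    strict = TacacsCommandPolicy({"show": True}, deny_unmatched=True)
    for lvl in (1, 15):
        print(f"level {lvl}: reload allowed with lax server:",
              command_allowed(lvl, "privileged EXEC", "reload", lax),
              "with strict server:", command_allowed(lvl, "privileged EXEC", "reload", strict))
```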
TACACS+ Authorization Debug Options
You can enable the following TACACS+ debug levels for troubleshooting:
• 0x1 – Common system events such as “trying to connect with TACACS+ servers” and “getting response from
TACACS+ servers”. These events are recorded in the syslog.
• 0x2 – Packet fields sent out and received by the AX Series device, not including the length fields. These events are
written to the terminal.
• 0x4 – Length fields of the TACACS+ packets will also be displayed on the terminal.
• 0x8 – Information about TACACS+ MD5 encryption will be sent to the syslog.
Authorization Based on Private Partition
If the ACOS device is configured with RBA or L3V partitions, you can specify the private partitions a remotely authenticated
admin is authorized to access. You can authorize an admin for up to 8 partitions.
The partition name specified on the RADIUS or TACACS+ server must match the partition name specified in the admin’s
account configuration on the ACOS device.
NOTE: For admins with global access (access to the shared partition), do not specify a partition
name.
RADIUS Configuration for Partition Access
To authorize an admin to access only the resources in a specific RBA partition, use the A10-Admin-Partition option. For example, to authorize an admin to access only the resources in partition “aa”, use the following statement in the admin definition:
A10-Admin-Partition = "aa"
To authorize an admin to access more than one partition, use the following syntax:
A10-Admin-Partition = "partition-name1"
A10-Admin-Partition += "partition-name2"
A10-Admin-Partition += "partition-name3"
A10-Admin-Partition += "partition-name4"
A10-Admin-Partition += "partition-name5"
A10-Admin-Partition += "partition-name6"
A10-Admin-Partition += "partition-name7"
A10-Admin-Partition += "partition-name8"
TACACS+ Configuration for Partition Access
To authorize an admin to access only the resources in a specific RBA partition, use the following AVP:
a10-partition=partition-name
To authorize an admin to access more than one partition, use the following syntax:
a10-partition = partition-name1,partition-name2,
partition-name3,partition-name4,partition-name5,
partition-name6,partition-name7,partition-name8
LDAP Configuration for Partition Access
Authorization for LDAP is based on a schema file. For details refer to “A10 Schema File for OpenLDAP” on page 80.
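The RADIUS authorization rules from “Authorization Based on Management Interface”, “Compatibility with Privilege Levels Assigned by RADIUS or TACACS+” (Table 6) and “Authorization Based on Private Partition”, as an added checker that is not A10's code; the account and attribute sets used are constructed, and how ACOS itself evaluates these attributes internally is not shown in this guide:

```python
# Added example (not A10's code): checks the RADIUS authorization attributes
# described in this chapter (A10-Admin-Access-Type, A10-Admin-Privilege,
# A10-Admin-Partition) against an admin's ACOS account settings.
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Table 6: GUI access role -> (RADIUS level, TACACS+ level, partition role?)
PRIVILEGE_LEVELS = {
    "ReadWriteAdmin": (2, 15, False),
    "SystemAdmin": (3, 14, False),
    "NetworkAdmin": (4, 13, False),
    "NetworkOperator": (5, 12, False),
    "SlbServiceAdmin": (6, 11, False),
    "SlbServiceOperator": (7, 10, False),
    "ReadOnlyAdmin": (1, 0, False),
    "PartitionReadWrite": (8, 9, True),
    "PartitionNetworkOperator": (9, 8, True),
    "PartitionSlbServiceAdmin": (10, 7, True),
    "PartitionSlbServiceOperator": (11, 6, True),
    "PartitionReadOnly": (12, 5, True),
}
ACCESS_TYPES = ("cli", "web", "axapi")
MAX_PARTITIONS = 8


@dataclass
class AcosAdmin:
    """Constructed view of an admin account on the ACOS device."""
    name: str
    gui_role: str
    partitions: Tuple[str, ...] = ()   # private partitions named in the account


@dataclass
class Decision:
    granted: bool
    reason: str
    interfaces: Tuple[str, ...] = ()
    partitions: Tuple[str, ...] = ()


def parse_access_type(value: Optional[str]) -> Tuple[str, ...]:
    """A10-Admin-Access-Type, e.g. "cli,web"; absent means all three interfaces."""
    if value is None:
        return ACCESS_TYPES
    wanted = [v.strip().lower() for v in value.split(",") if v.strip()]
    unknown = [v for v in wanted if v not in ACCESS_TYPES]
    if unknown or not wanted:
        raise ValueError(f"invalid A10-Admin-Access-Type: {value!r}")
    return tuple(t for t in ACCESS_TYPES if t in wanted)


def parse_partitions(value) -> Tuple[str, ...]:
    """A10-Admin-Partition as one string or, with the += syntax, a list of strings."""
    if value is None:
        return ()
    values = [value] if isinstance(value, str) else list(value)
    return tuple(v.strip() for v in values if v.strip())


def authorize_radius(admin: AcosAdmin, attrs: Dict[str, object]) -> Decision:
    """attrs: attribute/value pairs the RADIUS server returned for this admin."""
    if admin.gui_role not in PRIVILEGE_LEVELS:
        return Decision(False, f"unknown GUI access role {admin.gui_role!r}")
    radius_level, _, partition_role = PRIVILEGE_LEVELS[admin.gui_role]

    try:
        interfaces = parse_access_type(attrs.get("A10-Admin-Access-Type"))
    except ValueError as err:
        return Decision(False, str(err))

    # A privilege level is optional, but if sent it must match the ACOS role.
    level = attrs.get("A10-Admin-Privilege")
    if level is not None and int(level) != radius_level:
        return Decision(False, f"privilege level {level} does not match role "
                               f"{admin.gui_role} (RADIUS level {radius_level})")

    partitions = parse_partitions(attrs.get("A10-Admin-Partition"))
    if len(partitions) > MAX_PARTITIONS:
        return Decision(False, f"more than {MAX_PARTITIONS} partitions specified")
    if level is not None and partition_role and not partitions:
        return Decision(False, "partition role requires a partition name on the server")
    if not partition_role and partitions:
        return Decision(False, "partition name is invalid for a non-partition (global) role")
    # Names must match the partitions in the admin's account on the ACOS device.
    unknown = [p for p in partitions if p not in admin.partitions]
    if unknown:
        return Decision(False, f"partition(s) not in admin account: {unknown}")
    return Decision(True, "authorized", interfaces, partitions)


if __name__ == "__main__":
    alice = AcosAdmin("alice", "PartitionReadWrite", ("aa", "bb"))
    print(authorize_radius(alice, {"A10-Admin-Privilege": 8,
                                   "A10-Admin-Partition": ["aa", "bb"],
                                   "A10-Admin-Access-Type": "cli,web"}))
    print(authorize_radius(alice, {"A10-Admin-Privilege": 2, "A10-Admin-Partition": "aa"}))
```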
RADIUS Authorization Based on Service-Type
The ACOS device supports the RADIUS Service-Type attribute values listed in Table 7:
TABLE 7 Supported RADIUS Service-Type Attribute Values
Attribute Value | Description
Service-Type=Login | Allows access to the EXEC level of the CLI (“ACOS>” prompt) and read-only access to the GUI.
Service-Type=NAS Prompt | Allows access to the Privileged EXEC level of the CLI (“ACOS#” prompt) and read-only access to the GUI.
Service-Type=Administrative | Allows access to the configuration level of the CLI (“ACOS(config)#” prompt) and read-only access to the GUI.
By default, if the Service-Type attribute is not used, or the A10 vendor attribute is not used, successfully authenticated
admins are authorized for read-only access. You can change the default privilege authorized by RADIUS from read-only to
read-write. To change the default access level authorized by RADIUS, use the following command at the global configuration
level of the CLI:
[no] radius-server default-privilege-read-write
Configure Accounting
You can configure the ACOS device to use external RADIUS, or TACACS+ for accounting.
Accounting keeps track of user activities while the user is logged on. For ACOS admins, you can configure accounting for the
following:
• Login/logoff activity (start/stop accounting)
• Commands
Command Accounting (TACACS+ only)
You can use TACACS+ servers to track attempts to execute commands at one of the CLI access levels described in Table 8:
TABLE 8 CLI Access Levels for Accounting
Access Level | Description
15 (admin) | This is the most extensive level of accounting. Commands at all CLI levels, including those used to configure admin accounts, are tracked.
14 (config) | Commands at all CLI levels except those used to configure admin accounts are tracked. Commands for configuring admin accounts are not tracked.
1 (privileged EXEC) | Commands at the Privileged EXEC and User EXEC levels are tracked. Commands at other levels are not tracked.
0 (user EXEC) | Commands at the User EXEC level are tracked. Commands at other levels are not tracked.
NOTE: Command levels 2-13 are equivalent to command level 1 (privileged EXEC).
TACACS+ Accounting Debug Options
The same debug levels that are available for TACACS+ Authorization are also available for TACACS+ Accounting. (See
“TACACS+ Authorization Debug Options” on page 48.)
Configuring Authentication, Authorization, Accounting and for Admin Access
To configure authentication, authorization, and accounting (AAA) for admin access:
1. Prepare the AAA servers:
• Add admin accounts (usernames and passwords).
• Add the ACOS device as a client. For the client IP address, specify the ACOS IP address.
• For authorization, configure the following settings for the admin accounts:
• Specify the management interfaces the admin is allowed to access (CLI, GUI, or aXAPI).
• If using TACACS+, specify the CLI commands or command groups that are to be allowed or denied execution.
• If using RADIUS, specify the access role for the GUI.
• If using LDAP, refer to “Lightweight Directory Access Protocol” on page 77.
• For private partition admins, specify the partition name.
2. To use RADIUS, TACACS+, or LDAP for Authentication:
a. Add the RADIUS, TACACS+, or LDAP server(s) to the ACOS device.
b. Add RADIUS, TACACS+, or LDAP as an authentication method to use along with the local database.
c. Optionally, if you want to use more than one AAA protocol, refer to “Configuring Authentication” on page 37.
3. Configure Authorization:
a. Add the TACACS+, RADIUS, or LDAP servers, if not already added for authentication.
b. Specify the access level:
• If using TACACS+, specify the CLI command levels to be authorized.
• If using RADIUS, specify the GUI access to be authorized.
• If using LDAP, refer to “Lightweight Directory Access Protocol” on page 77.
4. Configure Accounting:
a. Add the TACACS+, RADIUS, or LDAP servers, if not already added for Authorization.
b. Specify whether to track logon/logoff activity. You can track both logons and logoffs, logoffs only, or neither.
c. Optionally, if using TACACS+, specify the command levels to track.
Configuring Authentication
To configure remote authentication:
• Use the GUI to Configure Remote Authentication
• Use the CLI to Configure Remote Authentication
Use the GUI to Configure Remote Authentication
To configure remote authentication using the GUI:
1. Configuring the Global AAA Settings on the ACOS Device
2. Configuring the AAA Servers on the ACOS Device
Configuring the Global AAA Settings on the ACOS Device
1. Select Config Mode > System > Admin > External Authentication > General.
FIGURE 6 External Authentication General
2. Specify the Authentication Type and Authentication Console Type, and specify the order in which to use them. To do
so, follow these steps:
a. Click on the desired authentication name (such as RADIUS or LDAP) in the Available pane.
b. Click on the redirect arrows (>>) to the right of the Available pane to move your choices from the Available pane to
the Selected window pane. Use the redirect arrows (<<) to move any wrong choices from the Selected pane back
to the Available pane.
3. Click on the radio button next to Local, TACACS+, Local/TACACS+, TACACS+/Local.
4. Optionally, to enable tiered authentication, for Mode, select Multiple as opposed to the default choice, Single.
5. Click on either the Enabled or Disabled radio button for the Login Privilege Mode.
6. Click on Disable local authentication when the external authentication is available, if desired.
7. Click OK.
Configuring the AAA Servers on the ACOS Device
Select one of the following AAA server options:
• Configuring RADIUS Servers
• Configuring TACACS+ Servers
• Configuring LDAP Servers
Configuring RADIUS Servers
To configure a RADIUS server, follow these steps:
1. Select Config Mode > System > Admin > External Authentication > RADIUS.
2. Enter information on the primary or secondary server using these steps:
a. To add the primary server, click Server 1 to display the configuration fields for the server.
b. To add a backup server to use if the primary server can not be reached, click Server 2 to display the configuration
fields for that server.
c. Enter the primary and secondary server configuration information in the following window:
3. Enter the hostname or IP address of the server in the Hostname field.
4. In the Secret and Confirm Secret fields, enter the shared secret (password) expected by the server when it receives
requests.
5. Accept or change the default values that are automatically populated in the Authentication, Account, Retransmit, or
Timeout fields.
6. Click OK.
Configuring TACACS+ Servers
To configure a TACACS+ server, follow these steps:
1. Select Config Mode > System > Admin > External Authentication > TACACS+
2. Enter information on the primary or secondary server using these steps:
a. To add the primary server, click TACACS+ Server 1 to display the configuration fields for the server.
b. To add a backup server to use if the primary server can not be reached, click TACACS+ Server 2 to display the configuration fields for that server.
c. Enter the primary and secondary server configuration information in the following window:
3. Enter the hostname or IP address of the server in the Hostname field.
4. In the Secret and Confirm Secret fields, enter the shared secret (password) expected by the server when it receives
requests.
5. Accept or change the default values that are automatically populated in the Port or Timeout fields.
6. Click OK.
Configuring LDAP Servers
To configure LDAP servers, follow these steps:
1. Select Config Mode > System > Admin > External Authentication > LDAP
2. Enter information on the primary or secondary server using these steps:
a. To add the primary server, click LDAP Server 1 to display the configuration fields for the server.
b. To add a backup server to use if the primary server can not be reached, click LDAP Server 2 to display the configuration fields for that server.
c. Enter the primary and secondary server configuration information in the following window:
3. Enter the hostname or IP address of the server in the Hostname field.
4. Enter the Common Name (CN) option attribute.
5. Enter the Distinguished Name (DN) option attribute. Do not use quotation marks as part of your entry.
6. Accept or change the default values that are automatically populated in the Timeout or Port fields.
7. Select Use SSL if encryption is desired.
8. Click OK.
For details on LDAP servers, refer to “Lightweight Directory Access Protocol” on page 77.
Use the CLI to Configure Remote Authentication
Follow the instructions in this section to configure remote authentication using the CLI.
NOTE: The command syntax shown in this section is simplified to show the required or more
frequently used options. For complete syntax information, see the CLI Reference.
1. Use one of the following commands at the global configuration level of the CLI to add the primary server:
[no] radius-server host {hostname | ipaddr}
secret secret-string
[no] tacacs-server host {hostname | ipaddr}
secret secret-string
[no] ldap-server host {hostname | ipaddr}
cn cn-name dn dn-name
The secret-string is the shared secret (password) expected by the server when it receives requests.
For all three protocols, the host option specifies the IP address or hostname of the server.
For LDAP, the cn option specifies the value for the Common Name (CN) attribute. The dn option specifies the value for
the Distinguished Name (DN) attribute. For the dn option, do not use quotation marks. For example, the following DN
string syntax is valid:
cn=xxx3,dc=mACOScrc,dc=com
The following string is not valid:
“cn=xxx3,dc=mACOScrc,dc=com”
2. To add a backup server to use if the primary server can not be reached, repeat the command, using the backup server’s
information.
3. Use one of the following commands to specify the order in which to use the authentication methods:
[no] authentication type method1 [method2 [method3 [method4]]]
NOTE: Use of the backup authentication methods (method2, method3, and method4) depends
on the authentication server response and on whether tiered authentication is enabled.
See “Configuring Authentication” on page 37.
The console option applies the authentication settings only to access through the console (serial) port. Without this
option, the settings apply to all types of admin access.
(For more information, see “Flowcharts Describing the Authentication Process” on page 39.)
4. Optionally, to enable tiered authentication, use the following command at the global configuration level of the CLI:
[no] authentication mode {multiple | single}
The default is single.
For additional details on tiered authentication, refer to “Configuring Authentication” on page 37.
Additional TACACS+ Authentication Options
This section describes additional TACACS+ AAA options.
Configure Password Self-Service for Admins Authenticated by TACACS+
ACOS supports TACACS+ TAC_PLUS_AUTHEN_CHPASS (password change) messages. When this option is enabled on the
TACACS+ server, the server can send a TACACS+ TAC_PLUS_AUTHEN_CHPASS message in response to an authentication
request from the ACOS device for the admin.
In this case, the ACOS device displays prompts for the current and new passwords, and sends the password change to the
TACACS+ server. The ACOS device then grants access to the admin.
This feature is enabled by default and cannot be disabled. The feature is activated only if the TACACS+ server sends a password change message.
NOTE: The current release supports TAC_PLUS_AUTHEN_CHPASS messages only for login to
the CLI.
Configure Direct Access to CLI Privileged EXEC Level for TACACS+-Authenticated Admins
You can enable an option to place TACACS+-authenticated admins who log into the CLI at the Privileged EXEC level of the
CLI instead of the User EXEC level.
This option is disabled by default. You can enable it on a global basis.
Use the GUI to Configure Direct Access to the Privileged EXEC Level
To use the GUI to enable direct access to the Privileged EXEC level of the CLI for TACACS+-authenticated admins:
1. Select Config Mode > System > Admin > External Authentication > General.
2. Next to Mode, select Login Privilege-Mode.
3. Click OK.
Use the CLI to Configure Direct Access to the Privileged EXEC Level
To enable direct access to the Privileged EXEC level of the CLI for TACACS+-authenticated admins, use the following command at the global configuration level of the CLI:
ACOS(config)# authentication login privilege-mode
Configuring Authorization
NOTE: The command syntax shown in this section is simplified to show the required or more
frequently used options. For complete syntax information, see the CLI Reference.
NOTE: The configuration options described in this section are available only in the CLI.
1. Add the RADIUS, TACACS+, or LDAP server(s), if not already added.
[no] tacacs-server host {hostname | ipaddr} secret secret-string
[no] radius-server host {hostname | ipaddr} secret secret-string
2. Optionally, if using TACACS+, specify the command levels the TACACS+ server will be used to authorize:
authorization commands cmd-level method tacplus [none]
The cmd-level can be one of the following: 15, 14, 1, or 0.
The none option allows a command to execute if Authorization cannot be performed (for example, if all TACACS+ servers are down).
(For descriptions, see “Authorization for CLI Access” on page 46.)
NOTE: If using RADIUS, you can set the GUI access levels on the RADIUS server itself. See
“Authorization for GUI Access” on page 45.
3. Optionally, if using TACACS+, enable Authorization debugging:
authorization debug debug-level
The debug-level can be one of the following: 0x1, 0x2, 0x4, or 0x8.
(See “TACACS+ Authorization Debug Options” on page 48.)
4. If using LDAP, refer to “Lightweight Directory Access Protocol” on page 77.
Configuring Accounting
NOTE: The command syntax shown in this section is simplified to show the required or more
frequently used options. For complete syntax information, see the CLI Reference.
NOTE: The configuration options described in this section are available only in the CLI.
1. Add the RADIUS or TACACS+ server(s), if not already added.
[no] tacacs-server host {hostname | ipaddr} secret secret-string
[no] radius-server host {hostname | ipaddr} secret secret-string
2. To configure Accounting for logon/logoff activity, use the following command:
[no] accounting exec {start-stop | stop-only} {radius | tacplus}
3. Optionally, if using TACACS+, configure accounting for command execution:
accounting commands cmd-level stop-only tacplus
4. Optionally, if using TACACS+, enable Accounting debugging:
accounting debug debug-level
Examples
This section provides the following examples:
• RADIUS Authentication Example
• TACACS+ Authorization Example
• TACACS+ Accounting Example
• RADIUS Server Setup Example
RADIUS Authentication Example
The following commands configure a pair of RADIUS servers and configure the ACOS device to use them first, before using
the local database. Since 10.10.10.12 is added first, this server will be used as the primary server. Server 10.10.10.13 will be
used only if the primary server is unavailable.
ACOS(config)#radius-server host 10.10.10.12 secret radp1
ACOS(config)#radius-server host 10.10.10.13 secret radp2
ACOS(config)#authentication type radius local
TACACS+ Authorization Example
The following commands configure the ACOS device to use TACACS+ server 10.10.10.13 to authorize commands at all CLI
levels. In this example, the none option is not used. As a result, if TACACS+ authorization cannot be performed (for example,
due to server unavailability), the command is denied.
ACOS(config)# tacacs-server host 10.10.10.13 secret SharedSecret
ACOS(config)# authorization commands 15 method tacplus
TACACS+ Accounting Example
The following commands configure the ACOS device to use the same TACACS+ server for accounting of logon/logoff activity
and of all command activity:
ACOS(config)# accounting exec start-stop tacplus
ACOS(config)# accounting commands 15 stop-only tacplus
RADIUS Server Setup Example
This example shows the ACOS commands to configure an ACOS device to use a RADIUS server, and also shows the changes
to make on the RADIUS server itself.
The RADIUS server in this example is freeRADIUS. The IP address is 192.168.1.157, and the shared secret is “a10rad”.
To implement the solution, the following steps are required:
1. On the ACOS device, run the following commands to add the RADIUS server, then enable RADIUS authentication:
ACOS(config)# radius-server host 192.168.1.157 secret a10rad
ACOS(config)# authentication type local radius
2. On the freeRADIUS server:
a. In the /usr/local/etc/raddb/clients.conf file, add the ACOS device as a client.
client 192.168.1.0/24 {
secret = a10rad
shortname = private-network-1
}
NOTE: In this example, the ACOS device’s subnet is added as the client.
b. Add the /usr/local/share/freeradius/dictionary.a10networks dictionary file for vendor “a10networks” (vendor code “22610”), then include it from the main dictionary (step c).
After authenticating an admin, the RADIUS server must return the A10-Admin-Privilege attribute, with one of the
values shown in the following example.
# A10-Networks dictionary
# Created by Software Tools of A10 Networks.
#
VENDOR A10-Networks 22610
BEGIN-VENDOR A10-Networks
ATTRIBUTE A10-App-Name 1 string
ATTRIBUTE A10-Admin-Privilege 2 integer
ATTRIBUTE A10-Admin-Partition 3 string
ATTRIBUTE A10-Admin-Access-Type 4 string
ATTRIBUTE A10-Admin-Role 5 string
VALUE A10-Admin-Privilege Read-only-Admin 1
VALUE A10-Admin-Privilege Read-write-Admin 2
VALUE A10-Admin-Privilege System-Admin 3
VALUE A10-Admin-Privilege Network-Admin 4
VALUE A10-Admin-Privilege Network-Operator 5
VALUE A10-Admin-Privilege Slb-Service-Admin 6
VALUE A10-Admin-Privilege Slb-Service-Operator 7
VALUE A10-Admin-Privilege Partition-Read_write 8
VALUE A10-Admin-Privilege Partition-Network-Operator 9
VALUE A10-Admin-Privilege Partition-SlbService-Admin 10
VALUE A10-Admin-Privilege Partition-SlbService-Operator 11
VALUE A10-Admin-Privilege Partition-Read-Only 12
END-VENDOR A10-Networks
c. In /usr/local/share/freeradius/dictionary, add the file to the dictionary.
$INCLUDE dictionary.a10networks #new added for a10networks
d. In the /usr/local/etc/raddb/users file, add each ACOS admin as a user.
Below are some examples of ACOS admin definitions in a RADIUS users file on the RADIUS server:
###################################
#this is a read-write user
rw Cleartext-Password := "111111"
A10-Admin-Privilege = Read-write-Admin,
#this is a read-only user
ro Cleartext-Password := "111111"
A10-Admin-Privilege = Read-only-Admin,
#this is a partition read-write
prw Cleartext-Password := "111111"
A10-Admin-Privilege = Partition-SlbService-Admin,
A10-Admin-Partition = "aa"
#this is a partition read-only
pro Cleartext-Password := "111111"
A10-Admin-Privilege = Partition-Read-Only,
A10-Admin-Partition = "aa"
#this is a partition enable-disable
ped Cleartext-Password := "111111"
A10-Admin-Privilege = Partition-SlbService-Operator,
A10-Admin-Partition = "aa"
#this is partition read-write, has role PartitionReadWrite, only login from web.
prw_r_w Cleartext-Password := "111111"
A10-Admin-Privilege = Partition-SlbService-Admin,
A10-Admin-Partition = "aa",
A10-Admin-Role = "PartitionReadWrite",
A10-admin-Access-type = "web"
#this is partition read-write, has a user-defined role name role1, only login from cli
prw_r_c Cleartext-Password := "111111"
A10-Admin-Privilege = Partition-SlbService-Admin,
A10-Admin-Partition = "aa",
A10-Admin-Role = "role1",
A10-admin-Access-type = "cli"
Windows IAS Setup for RADIUS
This section describes how to configure Windows Server 2003 Internet Authentication Service (IAS) for use with ACOS
RADIUS authentication. These steps assume that IAS and Active Directory (AD) are already installed on the Windows 2003
server.
Procedure Overview
To configure Windows IAS for ACOS RADIUS authentication:
1. On the IAS server, create the following access groups (see “Configure Access Groups” on page 62):
• AX-Admin-Read-Only
• AX-Admin-Read-Write
2. On the IAS server, configure a RADIUS client for the ACOS device (“Configure RADIUS Client for ACOS device” on
page 63).
3. On the IAS server, configure the following remote access policies (“Configure Remote Access Policies” on page 64):
• AX-Admin-Read-Only-Policy
• AX-Admin-Read-Write-Policy
4. On the IAS server, add AD users to appropriate ACOS device access groups (“Add Active Directory Users to ACOS Access
Groups” on page 73).
5. Register the IAS server in AD (“Register the IAS Server in Active Directory” on page 75).
6. Configure RADIUS on the ACOS device (“Configure RADIUS on the ACOS device” on page 76).
7. Test the configuration by attempting to log onto the ACOS device with AD users added in step 4 (“Verify the Configuration” on page 76).
The following sections provide detailed steps for each of these tasks.
Configure Access Groups
1. Select Start > All Programs > Administrative Tools > Active Directory Users and Computers.
If Active Directory Is Not Installed
If AD is not installed on the IAS server, you can use the following steps to add the users and groups. However, the rest of this
section assumes that AD will be used.
1. Open the Computer Management tool by selecting Start > Programs > Administrative Tools > Computer Management.
2. Open the System Tools and Local Users and Groups items, if they are not already open.
3. Right click on Group and select New Group.
4. Enter the following information for the first group:
• Group Name – AX-Admin-Read-Only
• Group Description – Read-Only Access to ACOS devices
• Members – Add the members using the Add button.
5. Click Create.
6. Enter the following information for the second group:
• Group Name – AX-Admin-Read-Write
• Group Description – Read-Write to ACOS devices
• Members – Add members as desired using the Add button
7. Click Create.
8. Click Close.
Configure RADIUS Client for ACOS device
1. Open Internet Authentication Service, by selecting Start > Programs > Administrative Tools > Internet Authentication
Service.
2. Right-click on Client and select New Client.
3. Enter the following information in the Add Client dialog box:
• Friendly name – Useful name for the ACOS device; for example, ACOS2000_slb1
• Protocol – RADIUS
NOTE: 192.168.1.238 is the IP address of the ACOS device that will use the IAS server for external RADIUS authentication.
4. Click Next.
5. Enter the following information in the Add RADIUS Client dialog box:
• Client address – IP address or domain name for the client (ACOS device)
• Client-Vendor – RADIUS Standard
• Shared secret – Secret to be shared between IAS and ACOS. You also will need to enter this in the RADIUS configuration on the ACOS device.
• Confirm shared secret – Same as above
NOTE: Do not select “Request must contain the Message Authenticator attribute”. ACOS
RADIUS authentication does not support this option.
6. Click Next.
Configure Remote Access Policies
To configure the remote access policies:
1. Open the Internet Authentication Service, if not already open.
2. To create the first remote access policy, right-click on Remote Access Policies, select New Remote Access Policy, and
enter the following information:
Policy Friendly name – AX-Admin-Read-Only-Policy
3. Click Next.
4. In the Add Remote Access Policy dialog box, click Add.
5. In the Select Attribute dialog box, double-click Client Friendly Name.
6. In the Client-Friendly-Name dialog box, enter the friendly name used to define the ACOS device (for example, AX-Admin-Read-Only-Policy) and click OK.
7. In the same Add Remote Access Policy dialog box as before, click Add again.
8. In the Select Attribute dialog box, double-click Windows-Groups.
9. In the Groups dialog box, click Add, then double-click the AX-Admin-Read-Only group. Click OK to add the group, then click OK once more to confirm the groups.
10. In the same Add Remote Access Policy dialog box as before, click Next.
11. Select Grant remote access permission, and click Next.
12. Click Edit Profile.
13. In the Edit Dial-in Profile dialog box, select the Authentication tab. Select the type of authentication you are using:
CHAP and PAP.
14. Select the Advanced tab, and click Add.
15. In the RADIUS attributes list, find and double-click the line beginning with Vendor-Specific.
16. In the Multivalued Attribute Information dialog box, click Add and enter the following:
• Enter vendor code – 22610 (for A10 Networks)
• Conforms to RADIUS RFC – Yes
17. Click Configure Attribute, and enter the following information:
• Vendor-assigned attribute number – 2
• Attribute format – Decimal
• Attribute value – 1
NOTE: Attribute value 1 is read-only. Attribute value 2 is read-write.
18. Click OK for the Configure VSA, Vendor-Specific Attribute Information, and Multivalued Attribute Information dialog
boxes.
19. Click Close in the Add Attributes dialog box.
20. Click OK in the Edit Dial-In Profile dialog box. Optionally, read the suggested help by clicking OK.
21. Click Finish in the Add Remote Access Policy dialog box.
22. To create the second Remote Access Policy, repeat the above steps with the following changes:
• Policy Friendly name – AX-Admin-Read-Write-Policy
• Group to add – AX-Admin-Read-Write
• Attribute value – 2
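The freeRADIUS dictionary above and IAS steps 16 and 17 describe the same wire object: a RADIUS Vendor-Specific attribute (type 26) carrying vendor code 22610 and sub-attribute 2 (A10-Admin-Privilege) as a 4-byte integer, 1 for read-only and 2 for read-write. The Python below is an added example, not code from the guide, A10, freeRADIUS or Microsoft; it encodes and decodes that attribute using the value names transcribed from the dictionary, so that an Access-Accept seen in a packet capture can be checked against the privilege an admin was meant to receive. The sample attribute list it builds is constructed here.

```python
import struct

# Vendor dictionary transcribed from dictionary.a10networks above (vendor 22610).
A10_VENDOR_ID = 22610
A10_ATTRS = {
    1: ("A10-App-Name", "string"),
    2: ("A10-Admin-Privilege", "integer"),
    3: ("A10-Admin-Partition", "string"),
    4: ("A10-Admin-Access-Type", "string"),
    5: ("A10-Admin-Role", "string"),
}
A10_PRIVILEGE_VALUES = {
    1: "Read-only-Admin", 2: "Read-write-Admin", 3: "System-Admin",
    4: "Network-Admin", 5: "Network-Operator", 6: "Slb-Service-Admin",
    7: "Slb-Service-Operator", 8: "Partition-Read_write",
    9: "Partition-Network-Operator", 10: "Partition-SlbService-Admin",
    11: "Partition-SlbService-Operator", 12: "Partition-Read-Only",
}
RADIUS_VENDOR_SPECIFIC = 26  # standard attribute type for VSAs (RFC 2865)


def encode_a10_vsa(vendor_type, value):
    """Build one Vendor-Specific attribute holding a single A10 sub-attribute in
    the RFC 2865 recommended layout:
    Type(26) Length Vendor-Id(4 bytes) Vendor-Type Vendor-Length Value."""
    name, kind = A10_ATTRS[vendor_type]
    if kind == "integer":
        if isinstance(value, str):
            # accept the symbolic name from the dictionary, e.g. "Read-write-Admin"
            value = {v: k for k, v in A10_PRIVILEGE_VALUES.items()}[value]
        data = struct.pack("!I", value)
    else:
        data = value.encode("utf-8")
    sub = struct.pack("!BB", vendor_type, 2 + len(data)) + data
    body = struct.pack("!I", A10_VENDOR_ID) + sub
    return struct.pack("!BB", RADIUS_VENDOR_SPECIFIC, 2 + len(body)) + body


def decode_attributes(blob):
    """Walk a RADIUS attribute list (the part after the 20-byte header) and return
    the decoded A10 sub-attributes as {name: value}. Attributes that are not A10
    VSAs are skipped; truncated or zero-length attributes raise ValueError."""
    out = {}
    i = 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header at offset %d" % i)
        atype, alen = blob[i], blob[i + 1]
        if alen < 2 or i + alen > len(blob):
            raise ValueError("malformed attribute at offset %d" % i)
        if atype == RADIUS_VENDOR_SPECIFIC and alen >= 8:
            vendor_id = struct.unpack("!I", blob[i + 2:i + 6])[0]
            if vendor_id == A10_VENDOR_ID:
                j = i + 6
                while j < i + alen:
                    vtype, vlen = blob[j], blob[j + 1]
                    if vlen < 2 or j + vlen > i + alen:
                        raise ValueError("malformed sub-attribute at offset %d" % j)
                    payload = blob[j + 2:j + vlen]
                    name, kind = A10_ATTRS.get(vtype, ("A10-Unknown-%d" % vtype, "string"))
                    if kind == "integer" and len(payload) == 4:
                        num = struct.unpack("!I", payload)[0]
                        # unknown numeric values are returned as-is so they stand out
                        out[name] = A10_PRIVILEGE_VALUES.get(num, num)
                    else:
                        out[name] = payload.decode("utf-8", "replace")
                    j += vlen
        i += alen
    return out


def example_accept():
    """Constructed attribute list matching the 'prw' user in the users file above."""
    blob = (encode_a10_vsa(2, "Partition-SlbService-Admin")
            + encode_a10_vsa(3, "aa"))
    return decode_attributes(blob)
```

The decoder deliberately keeps an unrecognised privilege number instead of mapping it to a role, so an Access-Accept carrying a value outside the dictionary shows up as a number in the result rather than silently becoming read-only.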
Add Active Directory Users to ACOS Access Groups
To add Active Directory users to the ACOS access groups:
1. In the Active Directory management console, add the ACOS access group to the user, tester1:
2. Make sure Remote Access Permission is enabled:
Register the IAS Server in Active Directory
The IAS RADIUS server must be registered with AD. Otherwise, RADIUS will use compatibility mode instead of AD to authenticate users.
1. Open the IAS main window.
2. Click Action on the menu bar, and click “register server on active directory”.
Configure RADIUS on the ACOS device
Add the RADIUS server (IAS server) to the ACOS device. Make sure the shared secret is the same as the one specified for the
RADIUS client configured for the ACOS server on the IAS server.
ACOS(config)#radius-server host 192.168.230.10 secret shared-secret
ACOS(config)#authentication type local radius
NOTE: 192.168.230.10 is the IP address of w2003-10.com, and shared-secret is the secret entered in step 5 of “Configure RADIUS Client for ACOS device” on page 63.
Verify the Configuration
1. Access the ACOS CLI command prompt.
2. Enter the login name, in the following format:
user-name@AD-domain-name
3. Enter the password.
4. Press Enter.
Lightweight Directory Access Protocol
The current release adds support for the Lightweight Directory Access Protocol (LDAP). LDAP is an AAA protocol that the ACOS device can use to authenticate admins and to authorize their management access based on admin account information held on external LDAP servers.
At the time of printing, this release supports the following types of LDAP servers:
• OpenLDAP
• Microsoft Active Directory (AD)
LDAP AAA support is described in this chapter. For information about RADIUS and TACACS+ support, see “TACACS+ and
RADIUS” on page 37.
Configure LDAP for ACOS Admins
To configure LDAP authentication and authorization for ACOS admins:
1. Enable LDAP authentication.
2. Add the LDAP server(s) to the ACOS configuration. See “Add the LDAP Servers to the ACOS device” on page 77.
3. Prepare the LDAP server. See the applicable section below for the type of LDAP server you plan to use:
• “Configuring the OpenLDAP Server” on page 80
• “Configuring Microsoft Active Directory” on page 82
4. Test the configuration by logging in using an ACOS admin account administered on the LDAP server.
Add the LDAP Servers to the ACOS device
To add LDAP servers to the ACOS device:
• Use the GUI to Configure LDAP Authentication
• Use the CLI to Configure LDAP Authentication
Use the GUI to Configure LDAP Authentication
To configure LDAP authentication, you need to:
• Enable LDAP Authentication on the ACOS Device
• Configure an LDAP Server on the ACOS Device
Enable LDAP Authentication on the ACOS Device
To enable LDAP authentication:
1. Select Config Mode > System > Admin > External Authentication > General.
2. In the Authentication Type section, select LDAP in the Available column.
3. Click >> to move LDAP to the Selected column.
4. (Optional) To make LDAP the primary authentication method, select any other methods that are in the Selected column. Repeat for any additional backup authentication methods.
5. Click OK.
Configure an LDAP Server on the ACOS Device
To configure an LDAP server:
1. Select Config Mode > System > Admin > External Authentication > LDAP.
2. To add the primary server, select LDAP Server 1 (if not already selected) to display the configuration fields for the server.
3. Enter the hostname or IP address of the server in the Hostname field.
4. In the CN field, enter the value for the Common Name (CN) attribute.
5. In the DN field, enter the value for the Distinguished Name (DN) attribute.
NOTE: For the DN option, do not use quotation marks. For example, the following DN string
syntax is valid:
cn=xxx3,dc=mACOScrc,dc=com
The following string is not valid:
“cn=xxx3,dc=mACOScrc,dc=com”
To use nested OUs, specify the nested OU first, then the root.
6. If the LDAP server does not use the well-known LDAP port (389), change the value in the Port field to the port number
used by the LDAP server.
7. Change the value in the Timeout field to configure the maximum number of seconds the ACOS device waits for a reply
from the LDAP server for a given request. You can specify 1-60 seconds. If the LDAP server does not reply before the
timeout, authentication of the admin fails.
8. To add a backup server to use if the primary server cannot be reached, select LDAP Server 2 and enter the configuration information for the server.
9. Click OK.
FIGURE 7 Enabling LDAP authentication
Use the CLI to Configure LDAP Authentication
To enable LDAP authentication, use the authentication type command at the global configuration level of the CLI:
ACOS(config)# authentication type ldap
To use backup methods, specify them in the order you want to use them (see “Configure Multiple Authentication Methods”
on page 38 and “Configure Tiered Authentication” on page 38). For example:
ACOS(config)# authentication type ldap local radius tacplus
To configure an LDAP server on the ACOS device, use the ldap-server host command at the global configuration level of the
CLI:
ACOS(config)# ldap-server host 192.168.101.24 cn cn dn ou=UserAccount,dc=example,dc=com
NOTE: For the dn option, do not use quotation marks. For example, the following DN string
syntax is valid:
cn=xxx3,dc=mACOScrc,dc=com
The following string is not valid:
“cn=xxx3,dc=mACOScrc,dc=com”
To configure the ACOS device to provide LDAP AAA for “UserAccUser1”, use a command such as the following:
ACOS(config)# ldap-server host ldapserver.ad.example.edu cn cn dn ou=StaffElevatedAccounts, ou=Service Accounts,dc=ad,dc=example,dc=edu
To use nested OUs, specify the nested OU first, then the root. For example, a user account could be nested as follows:
Root OU= Service Accounts -> OU=StaffElevatedAccounts -> UserAccUser1
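The DN note above (repeated under the CLI remote-authentication steps earlier in this chapter) and the nested-OU rule amount to two checks a practitioner can apply before a DN reaches the device: no quotation marks, and OUs listed from the account's own container outwards to the root. The Python below is an added example, not A10's code and not part of the guide; it validates a DN against those rules, builds the DN for a nested OU path given root-first, and assembles the `ldap-server host` and `authentication type` commands in the simplified syntax this chapter shows. The method names it accepts (ldap, local, radius, tacplus) are the ones used in the examples on this page.

```python
import re

# Method names used by 'authentication type' in this chapter's examples.
VALID_METHODS = ("ldap", "local", "radius", "tacplus")

# One RDN: attribute=value; the value may contain spaces ("ou=Service Accounts")
# but not a comma or a second '='.
_RDN = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=[^,=]+$")


def check_acos_dn(dn):
    """Return a list of problems with a DN destined for 'ldap-server host ... dn'.
    Rules from the guide: no quotation marks (straight or typographic), and nested
    OUs listed nested-first with the root last, i.e. no ou= after a dc= component."""
    problems = []
    if any(q in dn for q in '"\u201c\u201d'):
        problems.append("DN contains quotation marks; ACOS rejects a quoted DN")
    rdns = [r.strip() for r in dn.split(",")]
    for r in rdns:
        if not _RDN.match(r):
            problems.append("RDN %r is not of the form attr=value" % r)
    kinds = [r.split("=", 1)[0].lower() for r in rdns if "=" in r]
    seen_root = False
    for k in kinds:
        if k == "dc":
            seen_root = True
        elif k == "ou" and seen_root:
            problems.append("ou= appears after a dc= component; list nested OUs first, then the root")
            break
    return problems


def build_dn(ou_path_root_first, base):
    """ou_path_root_first lists the OU hierarchy from the root OU down to the OU
    that directly holds the account; the DN lists them the other way round."""
    rdns = ["ou=%s" % ou for ou in reversed(ou_path_root_first)]
    return ",".join(rdns + [base])


def ldap_server_command(host, cn, dn):
    """Assemble 'ldap-server host <host> cn <cn> dn <dn>', refusing a bad DN."""
    problems = check_acos_dn(dn)
    if problems:
        raise ValueError("; ".join(problems))
    return "ldap-server host %s cn %s dn %s" % (host, cn, dn)


def authentication_type_command(methods):
    """'authentication type method1 [method2 [method3 [method4]]]':
    one to four distinct methods, tried in the order given."""
    if not 1 <= len(methods) <= 4:
        raise ValueError("specify between one and four methods")
    if len(set(methods)) != len(methods):
        raise ValueError("methods must not repeat")
    for m in methods:
        if m not in VALID_METHODS:
            raise ValueError("unknown method %r" % m)
    return "authentication type " + " ".join(methods)


if __name__ == "__main__":
    # Reproduces the nested-OU example from the guide.
    dn = build_dn(["Service Accounts", "StaffElevatedAccounts"], "dc=ad,dc=example,dc=edu")
    print(ldap_server_command("ldapserver.ad.example.edu", "cn", dn))
    print(authentication_type_command(["ldap", "local"]))
```

The ordering check only catches an OU placed after the domain components; it cannot know which of two OUs is the parent, which is why `build_dn` takes the hierarchy explicitly rather than guessing from the string.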
Refer to the Command Line Reference for detailed information about these commands.
Configuring the OpenLDAP Server
To configure an OpenLDAP server to provide authentication and authorization for ACOS admins:
1. Add the A10 schema file. You can copy and paste it directly from the section below (“A10 Schema File for OpenLDAP”
on page 80). Place the schema file in the following location:
openldap_install_directory/schema
For example, the location on your server might be as follows:
C:\Program Files\OpenLDAP\schema
2. Add the admin accounts. (See “A10 Admin Account Files for LDAP” on page 82.)
3. Restart the LDAP service.
A10 Schema File for OpenLDAP
Here is an example of the schema file that is required on the OpenLDAP server for providing authentication and authorization to ACOS admins.
# all a10 LDAP OID be placed in 1.3.6.1.4.1.22610.300.
# all attributetype start from 1.3.6.1.4.1.22610.300.1.
# all objectclass start from 1.3.6.1.4.1.22610.300.2.
attributetype ( 1.3.6.1.4.1.22610.300.1.1
NAME 'A10AdminRole'
DESC 'admin Role'
syntax 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.22610.300.1.2
NAME 'A10AdminPartition'
DESC 'admin Partition'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
syntax 1.3.6.1.4.1.1466.115.121.1.15 )
attributetype ( 1.3.6.1.4.1.22610.300.1.3
NAME 'A10AccessType'
DESC 'admin Access Type'
syntax 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE )
objectclass ( 1.3.6.1.4.1.22610.300.2.1
NAME 'A10Admin' SUP top AUXILIARY
DESC 'A10 Admin object class '
MAY ( A10AdminRole $ A10AdminPartition $ A10AccessType ) )
The LDAP schema file for ACOS admin authentication and authorization contains the following items:
• A10Admin – This is the object class for A10 Networks, and can contain one or more of the following attribute types.
You can specify the values to assign to these attributes in the definition file for the admin. (See “A10 Admin Account
Files for LDAP” on page 82.)
• A10AdminRole – This attribute type specifies the admin’s role, which defines the scope of read-write operations the
admin is allowed to perform on the ACOS device. The ACOS device has the following predefined roles:
• ReadOnlyAdmin
• ReadWriteAdmin
• SystemAdmin
• NetworkAdmin
• NetworkOperator
• SlbServiceAdmin
• SlbServiceOperator
• PartitionReadWrite
• PartitionNetworkOperator
• PartitionSlbServiceAdmin
• PartitionSlbServiceOperator
• PartitionReadOnly
To specify one of these roles in the definition file for the admin account, use the role name as the attribute value. For
example:
A10AdminRole: ReadWriteAdmin
If you do not use this attribute in the definition file for the admin account, the ReadOnlyAdmin role is assigned to the
admin.
• A10AdminPartition – This attribute type specifies the ACOS partition the admin is authorized to log onto.
• For the shared partition, enter “shared”. For example:
A10AdminPartition: shared
• For a private partition, enter the partition name. For example:
A10AdminPartition: privpart1
If you do not use this attribute in the definition file for the admin account, the admin is allowed to log into the shared
partition.
• A10AccessType – This attribute type specifies the management interface(s) the admin is authorized to use. You can specify one or more of the following:
• cli – CLI
• web – GUI
• axapi – aXAPI
If you do not use this attribute in the definition file for the admin account, the admin is allowed to log in through any of these interfaces.
A10 Admin Account Files for LDAP
Admin accounts managed by an LDAP server are stored in files on the server. Here is an example:
dn: cn=xxx3,dc=mACOScrc,dc=com
cn: xxx3
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: A10Admin
userPassword: 111111
sn: fefefe
ou: guest
A10AdminRole: ReadWriteAdmin
This file configures admin “xxx3”. The objectClass value “A10Admin” and the “A10AdminRole” attribute are specific to A10 Networks and are defined in the schema file, which also must be added to the LDAP server.
In this example, the A10AdminPartition and A10AccessType attributes are omitted. The default values are used. (See “A10
Schema File for OpenLDAP” on page 80.)
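The schema description and the account file above together define how an LDAP entry turns into an ACOS authorization: a missing A10AdminRole means ReadOnlyAdmin, a missing A10AdminPartition means the shared partition, and a missing A10AccessType means every interface. The Python below is an added example, not A10's code and not part of the guide; it reads a small LDIF text (the xxx3 entry from the page plus two constructed entries) and reports the effective role, partition and interfaces each account would get, flagging entries that lack the A10Admin object class, use a role name outside the predefined list, or give more than one value to the SINGLE-VALUE role attribute. The LDIF reader is deliberately minimal (no base64 values, no continuation lines).

```python
# Predefined roles and access types, transcribed from the schema description above.
PREDEFINED_ROLES = {
    "ReadOnlyAdmin", "ReadWriteAdmin", "SystemAdmin", "NetworkAdmin",
    "NetworkOperator", "SlbServiceAdmin", "SlbServiceOperator",
    "PartitionReadWrite", "PartitionNetworkOperator", "PartitionSlbServiceAdmin",
    "PartitionSlbServiceOperator", "PartitionReadOnly",
}
ACCESS_TYPES = {"cli", "web", "axapi"}

# Constructed sample: the xxx3 entry from the page, an entry that sets every A10
# attribute, and an entry with a misspelled role name.
SAMPLE_LDIF = """\
dn: cn=xxx3,dc=mACOScrc,dc=com
cn: xxx3
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: A10Admin
userPassword: 111111
sn: fefefe
ou: guest
A10AdminRole: ReadWriteAdmin

dn: cn=ops1,dc=mACOScrc,dc=com
cn: ops1
objectClass: inetOrgPerson
objectClass: A10Admin
A10AdminRole: PartitionSlbServiceOperator
A10AdminPartition: privpart1
A10AccessType: cli

dn: cn=typo,dc=mACOScrc,dc=com
cn: typo
objectClass: inetOrgPerson
objectClass: A10Admin
A10AdminRole: ReadWriteAdmn
"""


def parse_ldif(text):
    """Minimal LDIF reader: entries separated by blank lines, 'attr: value' lines,
    repeated attributes collected into lists. Attribute names are compared
    case-insensitively, as LDAP does."""
    entries, cur = [], {}
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            if cur:
                entries.append(cur)
                cur = {}
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        cur.setdefault(name.strip().lower(), []).append(value.strip())
    if cur:
        entries.append(cur)
    return entries


def effective_admin(entry):
    """Apply the documented defaults and return
    (dn, role, partition, access_types, problems)."""
    problems = []
    dn = entry.get("dn", [""])[0]
    if "a10admin" not in [v.lower() for v in entry.get("objectclass", [])]:
        problems.append("objectClass A10Admin missing; the schema would reject A10 attributes")
    roles = entry.get("a10adminrole", [])
    if len(roles) > 1:
        problems.append("A10AdminRole is SINGLE-VALUE but %d values given" % len(roles))
    role = roles[0] if roles else "ReadOnlyAdmin"      # default from the guide
    if role not in PREDEFINED_ROLES:
        problems.append("unknown role %r (not one of the predefined roles)" % role)
    partition = entry.get("a10adminpartition", ["shared"])[0]   # default from the guide
    access = set(entry.get("a10accesstype", ACCESS_TYPES))      # default: all interfaces
    bad = access - ACCESS_TYPES
    if bad:
        problems.append("unknown access type(s): %s" % ", ".join(sorted(bad)))
    return dn, role, partition, access, problems


def audit(text):
    """Effective authorization for every entry in an LDIF text."""
    return [effective_admin(e) for e in parse_ldif(text)]


if __name__ == "__main__":
    for dn, role, part, access, problems in audit(SAMPLE_LDIF):
        print(dn, role, part, sorted(access), problems)
```

Run over an export of the admin container, this shows which accounts end up with an elevated role and on which partition, and it catches a misspelled role name that the device would otherwise silently treat as an unknown value.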
Configuring Microsoft Active Directory
This section describes how to configure Microsoft Active Directory for LDAP authentication and authorization of ACOS
admins.
NOTE: The information in this section is based on Windows Server 2008.
Summary:
1. Install AD on Windows Server 2008, if it is not already installed.
Refer to your Microsoft documentation for installation instructions.
2. Configure the admin accounts. See “Configure ACOS Admin Accounts” on page 82.
3. (Optional) Add the A10 LDAP attribute types to the server. See “Add the A10 LDAP Attribute Types” on page 93.
NOTE: If you plan to use the default settings for all the A10 attributes, you can skip this step.
Configure ACOS Admin Accounts
This section describes how to configure an admin account.
• Configure a Read-Only Admin
• Test the Read-Only Admin Account
• Configure a Read-Write Admin
• Test the Read-Write Admin Account
Configure a Read-Only Admin
The following screens configure a read-only admin (an admin with the ReadOnlyAdmin role).
Test the Read-Only Admin Account
Here is the LDAP server configuration on the ACOS device:
ldap-server host 192.168.101.24 cn cn dn ou=UserAccount,dc=example,dc=com
!
authentication type ldap
!
Here is an example of the session login by the read-only admin. Access to the configuration level by this admin is not
allowed.
[root@Linux-PC-148 ~]# ssh -l test 192.168.100.46
Password:
Last login: Thu Jun 21 13:05:51 2012 from 192.168.100.148
ACOS system is ready now.
[type ? for help]
ACOS>
ACOS> enable
Password: <blank>
ACOS# show admin session
Id   User Name  Start Time                    Source IP        Type  Partition  Authen  Role           Cfg
--------------------------------------------------------------------------------------------------------
*99  test       13:08:10 CST Thu Jun 21 2012  192.168.100.148  CLI              Ldap    ReadOnlyAdmin  No
ACOS# config
^
% Unrecognized command.Invalid input detected at '^' marker.
ACOS#
Configure a Read-Write Admin
The following screens configure a read-write admin (an admin with the ReadWriteAdmin role).
In this example, the “ou” attribute is set to “operator”.
Test the Read-Write Admin Account
Here is the LDAP server configuration on the ACOS device:
ldap-server host 192.168.101.24 cn cn dn ou=UserAccount,dc=example,dc=com
!
authentication type ldap
!
Here is an example of the session login by the read-write admin. Access to the configuration level by this admin is allowed.
[root@Linux-PC-148 ~]# ssh -l test 192.168.100.46
Password:
Last login: Thu Jun 21 13:08:10 2012 from 192.168.100.148
ACOS system is ready now.
[type ? for help]
ACOS> enable
Password: <blank>
ACOS# show admin session
Id    User Name  Start Time                    Source IP        Type  Partition  Authen  Role            Cfg
-----------------------------------------------------------------------------------------------------------
*101  test       13:22:16 CST Thu Jun 21 2012  192.168.100.148  CLI              Ldap    ReadWriteAdmin  No
ACOS# config
ACOS(config)#
Add the A10 LDAP Attribute Types
This section shows how to add the A10 LDAP attribute types to the server.
NOTE: If you plan to use the default settings for all the A10 attributes, you can skip the rest of this section.
The following topics are covered:
• A10 LDAP Object Class and Attribute Types
•
•
CAUTION: Add the attributes carefully. Once they are added, they cannot be changed or deleted.
A10 LDAP Object Class and Attribute Types
The LDAP object class for A10 Networks is A10Admin, and can contain one or more of the following attribute types. You can specify the values to assign to these attributes in the definition file for the admin.
• A10AdminRole – This attribute type specifies the admin’s role, which defines the scope of read-write operations the admin is allowed to perform on the ACOS device. The ACOS device has the following predefined roles:
• ReadOnlyAdmin
• ReadWriteAdmin
• SystemAdmin
• NetworkAdmin
• NetworkOperator
• SlbServiceAdmin
• SlbServiceOperator
• PartitionReadWrite
• PartitionNetworkOperator
• PartitionSlbServiceAdmin
• PartitionSlbServiceOperator
• PartitionReadOnly
To specify one of these roles in the definition file for the admin account, use the role name as the attribute value. For example:
A10AdminRole: ReadWriteAdmin
If you do not use this attribute in the definition file for the admin account, the ReadOnlyAdmin role is assigned to the admin.
• A10AdminPartition – This attribute type specifies the ACOS partition the admin is authorized to log onto.
• For the shared partition, enter “shared”. For example:
A10AdminPartition: shared
• For a private partition, enter the partition name. For example:
A10AdminPartition: privpart1
If you do not use this attribute in the definition file for the admin account, the admin is allowed to log into the shared partition.
• A10AccessType – This attribute type specifies the management interface(s) the admin is authorized to use. You can specify one or more of the following:
• cli – CLI
• web – GUI
• axapi – aXAPI
If you do not use this attribute in the definition file for the admin account, the admin is allowed to log in through any of these interfaces.
Add the Attribute Type
The following screens change the “objectClass” attribute and add “a10Admin” to it. After this, all the A10 attributes can be added to admin “test”.
Restart the LDAP Process
To place the LDAP changes into effect, restart the LDAP process on the server. To access the process controls, under Administrative Tools, select Services.
Change the Admin Role (A10AdminRole)
The screens in this example set the admin role for admin “test” to ReadWriteAdmin.
The following screen clears the setting of the “ou” attribute.
Here is a login example for an admin:
[root@Linux-PC-148 ~]# ssh -l test 192.168.100.46
Password:
Last login: Thu Jun 21 13:22:16 2012 from 192.168.100.148
ACOS system is ready now.
[type ? for help]
ACOS>enable
Password: <blank>
ACOS#
ACOS# show admin session
Id    User Name  Start Time                    Source IP        Type  Partition  Authen  Role            Cfg
-----------------------------------------------------------------------------------------------------------
*106  test       14:15:13 CST Thu Jun 21 2012  192.168.100.148  CLI              Ldap    ReadWriteAdmin  No
ACOS#
ACOS# config
ACOS(config)#
Add Private Partition Information (A10AdminPartition)
The following screen configures admin “test” as a private partition admin, and assigns the admin to private partition “test1”.
NOTE: The shared partition does not need to be added to the LDAP server. If the A10AdminPartition attribute is not set, the admin is permitted to access the shared partition.
ACOS Configuration
Here is the partition configuration on the ACOS device:
!
partition test1 network-partition
partition test2 network-partition
partition test3 network-partition
partition test4 network-partition
partition test5 network-partition
partition test6 network-partition
partition test7 network-partition
partition test8 network-partition
!
LDAP Server Configuration
The following screen sets the a10AdminPartition attribute to “test1”. This indicates that the admin can access a private partition called “test1”. The A10AdminRole attribute is set to “PartitionReadWrite”. This restricts the admin to read-write operations within the private partition.
When admin “test” logs in, the session opens in private partition “test1”.
[root@Linux-PC-148 ~]# ssh -l test 192.168.100.46
Password:
Last login: Thu Jun 21 14:19:41 2012 from 192.168.3.196
ACOS system is ready now.
[type ? for help]
ACOS2500-1[test1]>
ACOS2500-1[test1]>enable
Password: <quick>
ACOS2500-1[test1]#
ACOS2500-1[test1]#config
ACOS2500-1[test1](config)#show admin session
Id    User Name  Start Time                    Source IP        Type  Partition  Authen  Role                Cfg
----------------------------------------------------------------------------------------------------------------
*108  test       14:22:51 CST Thu Jun 21 2012  192.168.100.148  CLI   test1      Ldap    PartitionReadWrite  Yes
Change the Access Type (A10AccessType)
The following example screen sets the access type for the PartitionReadWrite admin to web (GUI) and aXAPI. This configuration prohibits the admin from logging in through the CLI.
The example below shows what happens if the admin tries to log in through the CLI:
[root@Linux-PC-148 ~]# ssh -l test1 192.168.100.46
Password:***
Password:***
Couldn’t login via CLI, check the log message with admin/a10
ACOS2500-1#show log
Log Buffer: 30000
Jun 21 2012 14:30:42 Error [SYSTEM]:The user, test1, from the remote host, 192.168.100.148, failed in the CLI authentication.
Jun 21 2012 14:30:42 Warning [SYSTEM]:Ldap authentication failed(user: test1): The user access interface is not authenticated.
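The attribute semantics described in this chapter (A10AdminRole defaulting to ReadOnlyAdmin, A10AdminPartition defaulting to the shared partition, A10AccessType defaulting to all three management interfaces, and the CLI denial shown just above for an admin limited to web and aXAPI) can be checked offline before the entry is pushed to the directory. The following is an added example, not A10 code and not part of this guide: it parses a single LDIF entry, applies the documented defaults, rejects values the guide does not define, and answers whether a given interface is permitted. The LDIF entries are constructed for the example; treating several interfaces as a multi-valued A10AccessType attribute is an assumption, as is the check that the a10Admin object class must be present before the A10 attributes are stored (which is what the objectClass step above implies).

```python
"""Resolve an ACOS admin's effective authorization from an LDAP entry.

Added example (not A10 code). Encodes the documented defaults:
A10AdminRole -> ReadOnlyAdmin, A10AdminPartition -> shared,
A10AccessType -> cli + web + axapi. Sample entries are constructed.
"""
from dataclasses import dataclass

VALID_ROLES = frozenset({
    "ReadOnlyAdmin", "ReadWriteAdmin", "SystemAdmin", "NetworkAdmin",
    "NetworkOperator", "SlbServiceAdmin", "SlbServiceOperator",
    "PartitionReadWrite", "PartitionNetworkOperator",
    "PartitionSlbServiceAdmin", "PartitionSlbServiceOperator",
    "PartitionReadOnly",
})
VALID_ACCESS = frozenset({"cli", "web", "axapi"})
A10_ATTRS = ("a10adminrole", "a10adminpartition", "a10accesstype")


@dataclass(frozen=True)
class AcosAuthz:
    dn: str
    role: str
    partition: str
    access: frozenset  # management interfaces the admin may use


def parse_ldif_entry(text):
    """Parse one LDIF entry into {attribute_name_lowercased: [values]}.

    Handles comment lines and RFC 2849 continuation lines (leading space).
    Base64 values ('attr:: ...') are not needed here and are rejected.
    """
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]          # continuation of previous line
        else:
            logical.append(raw)
    attrs = {}
    for line in logical:
        name, sep, value = line.partition(":")
        if not sep or value.startswith(":"):
            raise ValueError(f"unsupported LDIF line: {line!r}")
        attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return attrs


def resolve_authz(attrs):
    """Apply the documented defaults and validate the A10 attribute values."""
    if "dn" not in attrs:
        raise ValueError("entry has no dn")
    classes = {c.lower() for c in attrs.get("objectclass", [])}
    if any(a in attrs for a in A10_ATTRS) and "a10admin" not in classes:
        # Assumption: a schema-enforcing server refuses these attributes
        # until a10Admin is added to objectClass (the step shown above).
        raise ValueError("A10 attributes present but objectClass lacks a10Admin")
    roles = attrs.get("a10adminrole", ["ReadOnlyAdmin"])
    if len(roles) != 1 or roles[0] not in VALID_ROLES:
        raise ValueError(f"invalid A10AdminRole: {roles}")
    partitions = attrs.get("a10adminpartition", ["shared"])
    if len(partitions) != 1 or not partitions[0]:
        raise ValueError(f"invalid A10AdminPartition: {partitions}")
    # Assumption: several interfaces are stored as a multi-valued attribute.
    access_vals = attrs.get("a10accesstype")
    access = VALID_ACCESS if access_vals is None else frozenset(v.lower() for v in access_vals)
    if not access <= VALID_ACCESS:
        raise ValueError(f"invalid A10AccessType: {sorted(access - VALID_ACCESS)}")
    return AcosAuthz(attrs["dn"][0], roles[0], partitions[0], access)


def login_permitted(authz, interface):
    """True when the admin may log in through this interface (cli/web/axapi)."""
    return interface.lower() in authz.access


def rejects(ldif_text):
    """True when the entry fails validation (used to exercise the error paths)."""
    try:
        resolve_authz(parse_ldif_entry(ldif_text))
        return False
    except ValueError:
        return True


# Constructed entry mirroring the 'test1' example above: partition admin, no CLI.
PARTITION_ADMIN_LDIF = """\
dn: cn=test1,ou=UserAccount,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: a10Admin
cn: test1
sn: test1
A10AdminRole: PartitionReadWrite
A10AdminPartition: test1
A10AccessType: web
A10AccessType: axapi
"""

# Constructed entry with no A10 attributes at all: every default applies.
PLAIN_ADMIN_LDIF = """\
dn: cn=test,ou=UserAccount,dc=example,dc=com
objectClass: inetOrgPerson
cn: test
sn: test
"""

if __name__ == "__main__":
    for ldif in (PARTITION_ADMIN_LDIF, PLAIN_ADMIN_LDIF):
        a = resolve_authz(parse_ldif_entry(ldif))
        print(a.dn, a.role, a.partition, sorted(a.access), "cli:", login_permitted(a, "cli"))
```

Run against the first entry, the resolver reports PartitionReadWrite in partition test1 with CLI not permitted, which is exactly the outcome the ACOS log above records; the second entry resolves to the ReadOnlyAdmin/shared/all-interfaces defaults that the guide states for an entry without A10 attributes.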
Command Auditing
This chapter describes how to enable and configure command auditing on your ACOS device.
The following topics are covered:
• Command Auditing Overview
• Enable and Configure Command Auditing
• Audit Log Examples
Command Auditing Overview
You can enable command auditing to log the commands entered by ACOS admins. Command auditing logs the following
types of system management events:
• Admin logins and logouts for CLI, GUI, and aXAPI sessions
• Unsuccessful admin login attempts
• Configuration changes. All attempts to change the configuration are logged, even if they are unsuccessful.
• CLI commands at the Privileged EXEC level (if audit logging is enabled for this level)
• HA configuration synchronization
The audit log is maintained in a separate file, apart from the system log. The audit log is RBA-aware: the audit log messages displayed for an admin depend upon the admin’s role (privilege level). Admins with Root, Read Write, or Read Only privileges who view the audit log can view all messages, for all system partitions.
Admins who have privileges only within a specific partition can view only the audit log messages related to management of that partition. Partition Real Server Operator admins cannot view any audit log entries.
NOTE: Backups of the system log include the audit log.
Enable and Configure Command Auditing
Command auditing is disabled by default. To alter this configuration, you can:
• Use the GUI to Configure Command Auditing
• Use the CLI to Configure Command Auditing
Use the GUI to Configure Command Auditing
To enable command auditing using the GUI:
1. Select Config Mode > System > Settings > Log.
2. Click to expand the Audit section.
3. Select the audit level:
• Disabled – disable command auditing.
• Enabled – enable auditing of configuration commands only.
• Enable Privilege – enable auditing of both configuration commands and Privileged EXEC commands.
4. To modify the maximum number of entries the log can hold, edit the number in the Audit Buffer Size field. You can
specify 1000-30000 entries. The default is 20000.
5. Click OK.
To view audit log entries, navigate to the following page:
Monitor Mode > System > Logging > Audit
Use the CLI to Configure Command Auditing
To enable command auditing from the CLI, use the audit enable command at the global configuration level. This command logs configuration commands only.
ACOS(config)# audit enable
To log both configuration and Privileged EXEC commands, use the following command:
ACOS(config)# audit enable privilege
The following command sets the buffer size to 30,000. When the log is full, the oldest entries are removed to make room for
new entries. The default is 20,000 entries.
ACOS(config)# audit size num-entries 30000
Use the following command to disable command auditing:
ACOS(config)# no audit enable
To show audit log entries, use the show audit command:
ACOS(config)# show audit
Audit Log Examples
The following audit log indicates a change to the image to use for booting, performed using the CLI:
Jul 06 2010 23:27:25 admin cli: bootimage hd sec
The following audit logs indicate configuration and operational actions related to virtual server “vip1” performed using the GUI:
Jun 08 2010 09:06:04 [12] web: [admin] add virtual server [name:vip1, ip:1.1.1.1, vport1:8001(TCP).] successfully.
Jun 08 2010 09:06:05 [12] web: [admin] edit virtual server [name:vip1, ip:1.1.1.1, vport1:8001(TCP).] successfully.
Jun 08 2010 09:06:06 [12] web: [admin] disable virtual server [vip1] successfully.
Jun 08 2010 09:06:06 [12] web: [admin] enable virtual server [vip1] successfully.
Jun 08 2010 09:06:07 [12] web: [admin] delete virtual server [vip1] successfully.
The following audit logs indicate configuration actions related to virtual server “vip1” performed using the aXAPI:
Jun 08 2010 09:06:13 [12] aXAPI: [admin] add virtual server [name:vip1, ip:1.1.1.1, vport1:8001(TCP).] successfully.
Jun 08 2010 09:06:14 [12] aXAPI: [admin] edit virtual server [name:vip1, ip:1.1.1.1, vport1:8001(TCP).] successfully.
Jun 08 2010 09:06:15 [12] aXAPI: [admin] delete virtual server [vip1] successfully.
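The three audit line shapes shown above (CLI, GUI and aXAPI) are what a log collector has to recognise before the entries can be correlated or alerted on. The following is an added example, not A10 code and not part of this guide: it parses the lines into records (timestamp, interface, admin, action, reported outcome), skips anything that does not match, counts actions per admin, and flags a small set of high-impact actions. The sample lines reproduce the examples above plus one constructed noise line; the bracketed number after the timestamp ("[12]") is carried through as an opaque field because the guide does not define it, and the high-impact list is a constructed policy, not anything ACOS provides.

```python
"""Parse ACOS command-audit lines and flag high-impact admin actions.

Added example (not A10 code). Line formats follow the audit examples in
this chapter; sample input reproduces them plus one constructed noise line.
"""
import re
from collections import Counter
from datetime import datetime

# CLI form:  "<Mon DD YYYY HH:MM:SS> <admin> cli: <command>"
# GUI/aXAPI: "<Mon DD YYYY HH:MM:SS> [<n>] web|aXAPI: [<admin>] <action> successfully."
AUDIT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{2} \d{4} \d{2}:\d{2}:\d{2}) "
    r"(?:\[(?P<tag>\d+)\] )?"                       # opaque "[12]" field, undefined in the guide
    r"(?:"
    r"(?P<cli_admin>\S+) cli: (?P<command>.+)"      # CLI form
    r"|(?P<iface>web|aXAPI): \[(?P<admin>[^\]]+)\] "
    r"(?P<action>.+?)(?P<ok> successfully\.)?"      # GUI / aXAPI form
    r")$"
)

# Constructed policy: actions that change boot image or remove/disable objects.
HIGH_IMPACT_PREFIXES = ("bootimage", "delete ", "disable ")


def parse_audit_line(line):
    """Return a record dict for one audit line, or None if it does not match."""
    m = AUDIT_RE.match(line.strip())
    if not m:
        return None
    g = m.groupdict()
    if g["cli_admin"] is not None:
        # CLI entries carry no success marker, so the outcome is unknown (None).
        iface, admin, action, ok = "cli", g["cli_admin"], g["command"], None
    else:
        iface, admin, action, ok = g["iface"], g["admin"], g["action"], g["ok"] is not None
    return {
        "time": datetime.strptime(g["ts"], "%b %d %Y %H:%M:%S"),
        "tag": g["tag"],
        "interface": iface,
        "admin": admin,
        "action": action,
        "success": ok,
    }


def parse_audit_log(text):
    """Parse every line of an audit log dump, silently skipping non-matching lines."""
    records = []
    for line in text.splitlines():
        rec = parse_audit_line(line)
        if rec is not None:
            records.append(rec)
    return records


def high_impact(records):
    """Records whose action starts with one of the constructed high-impact prefixes."""
    return [r for r in records if r["action"].startswith(HIGH_IMPACT_PREFIXES)]


def actions_per_admin(records):
    """Counter of audited actions keyed by admin name, across all interfaces."""
    return Counter(r["admin"] for r in records)


# Sample input: the guide's example lines, plus one constructed noise line.
SAMPLE_LOG = """\
Jul 06 2010 23:27:25 admin cli: bootimage hd sec
Jun 08 2010 09:06:04 [12] web: [admin] add virtual server [name:vip1, ip:1.1.1.1, vport1:8001(TCP).] successfully.
Jun 08 2010 09:06:05 [12] web: [admin] edit virtual server [name:vip1, ip:1.1.1.1, vport1:8001(TCP).] successfully.
Jun 08 2010 09:06:06 [12] web: [admin] disable virtual server [vip1] successfully.
Jun 08 2010 09:06:06 [12] web: [admin] enable virtual server [vip1] successfully.
Jun 08 2010 09:06:07 [12] web: [admin] delete virtual server [vip1] successfully.
Jun 08 2010 09:06:13 [12] aXAPI: [admin] add virtual server [name:vip1, ip:1.1.1.1, vport1:8001(TCP).] successfully.
Jun 08 2010 09:06:14 [12] aXAPI: [admin] edit virtual server [name:vip1, ip:1.1.1.1, vport1:8001(TCP).] successfully.
Jun 08 2010 09:06:15 [12] aXAPI: [admin] delete virtual server [vip1] successfully.
this line is constructed noise and must be skipped
"""

if __name__ == "__main__":
    recs = parse_audit_log(SAMPLE_LOG)
    print(f"{len(recs)} records, per admin: {dict(actions_per_admin(recs))}")
    for r in high_impact(recs):
        print(f"HIGH IMPACT {r['time']:%Y-%m-%d %H:%M:%S} {r['interface']:5} {r['admin']}: {r['action']}")
```

Because the CLI form carries no success marker while the GUI and aXAPI forms end in "successfully.", the record keeps the outcome as None for CLI entries rather than guessing; a collector that needs CLI outcomes has to correlate with the system log instead.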