
ACOS 5.0.1
Management Access and Security Guide
For A10 Thunder® Series TPS
7 October 2020
© 2020 A10 NETWORKS, INC. CONFIDENTIAL AND PROPRIETARY- ALL RIGHTS RESERVED
Information in this document is subject to change without notice.

PATENT PROTECTION
A10 Networks products are protected by patents in the U.S. and elsewhere. The following website is provided to satisfy the virtual patent marking provisions of various jurisdictions including the virtual patent marking provisions of the America Invents Act. A10 Networks' products, including all Thunder Series products, are protected by one or more of U.S. patents and patents pending listed at:

https://www.a10networks.com/company/legal-notices/a10-virtual-patent-marking

TRADEMARKS
A10 Networks trademarks are listed at:

https://www.a10networks.com/company/legal-notices/a10-trademarks

CONFIDENTIALITY
This document contains confidential materials proprietary to A10 Networks, Inc. This document and information and ideas herein may not be disclosed,
copied, reproduced or distributed to anyone outside A10 Networks, Inc. without prior written consent of A10 Networks, Inc.

A10 NETWORKS INC. SOFTWARE LICENSE AND END USER AGREEMENT


Software for all A10 Networks products contains trade secrets of A10 Networks and its subsidiaries and Customer agrees to treat Software as confidential
information.

Anyone who uses the Software does so only in compliance with the terms of the End User License Agreement (EULA), provided later in this document
or available separately. Customer shall not:

1. Reverse engineer, reverse compile, reverse de-assemble, or otherwise translate the Software by any means.
2. Sub-license, rent, or lease the Software.

DISCLAIMER
This document does not create any express or implied warranty about A10 Networks or about its products or services, including but not limited to fitness for a particular use and non-infringement. A10 Networks has made reasonable efforts to verify that the information contained herein is accurate, but A10 Networks assumes no responsibility for its use. All information is provided "as-is." The product specifications and features described in this publication are based on the latest information available; however, specifications are subject to change without notice, and certain features may not be available upon initial product release. Contact A10 Networks for current information regarding its products or services. A10 Networks' products and services are subject to A10 Networks' standard terms and conditions.

ENVIRONMENTAL CONSIDERATIONS
Some electronic components may possibly contain dangerous substances. For information on specific component types, please contact the manufacturer of that component. Always consult local authorities for regulations regarding proper disposal of electronic components in your area.

FURTHER INFORMATION
For additional information about A10 products, terms and conditions of delivery, and pricing, contact your nearest A10 Networks location, which can be
found by visiting www.a10networks.com.

Table of Contents

ADMINISTRATOR ACCOUNTS ............................................................................... 7


Additional Administrator Accounts .......................................................................................... 7
Default Administrator Account .................................................................................................................7
Configuring an Administrator Account by Using the GUI ................................................................. 8
Configuring an Administrator Account by Using the CLI .................................................................. 9
Deleting an Administrator Account ........................................................................................................ 9
Deleting an Administrator Account Using the GUI .....................................................................10
Deleting an Administrator Account Using the CLI ......................................................................10
Recovering an Administrator Password ............................................................................................... 11
Administrator Lockouts............................................................................................................. 12
Lockout Parameters ...................................................................................................................................12
Configuring Administrator Lockout Using the CLI .............................................................................12

ACCESS BASED ON THE MANAGEMENT INTERFACE ............................................. 15


Default Management Access Settings .................................................................................. 15
Configuring Access by Using Access Control Lists ............................................................ 16
Configuring ACL Support on the Management Interface ................................................................16
Configuring ACL Support on Data Interfaces .....................................................................................16
Implicit Deny Rule ....................................................................................................................................... 17
Configure Management Access Through Ethernet Interfaces ........................................ 17
Viewing the Current Management Access Settings........................................................... 17
Regaining Access if You Accidentally Block All Access.....................................................18

CONFIGURING WEB ACCESS ............................................................................. 19


Default Web Access Settings................................................................................................... 19
Configure Web Access.............................................................................................................. 20
Configuring Web Access by Using the CLI ...................................................................................20

PUBLIC KEY AUTHENTICATION FOR SSH ........................................................... 21


Generating a Key Pair From the Remote Client ................................................................... 21
Importing the Public Key to the ACOS Device..................................................................... 22
Deleting a Public Key ................................................................................................................ 22

TACACS+ AND RADIUS ................................................................................23


Authentication ........................................................................................................................... 23
Multiple Authentication Methods .......................................................................................................... 23

3
ACOS 5.0.1 Management Access and Security Guide for A10 Thunder™ Series TPS
Contents

Tiered Authentication ............................................................................................................................... 24


Authentication Process ........................................................................................................................... 25
Disabling Local Authentication for the Administrator Account by Using the CLI ............. 27
Token-based Authentication Support for RADIUS ...........................................................................28
Configuring Token-Based Authentication for RADIUS .............................................................28
Authorization.............................................................................................................................. 29
Authorization Based on a User Interface ............................................................................................ 29
RADIUS Configuration for User Interface Access ...................................................................... 29
TACACS+ Configuration for User Interface Access .................................................................. 29
LDAP Configuration for User Interface Access ..........................................................................30
Authorizing Admin Privileges .................................................................................................................30
Compatibility with Privilege Levels Assigned by RADIUS or TACACS+ ................................30
RADIUS Configuration for GUI Privileges .......................................................................................31
TACACS+ Configuration for GUI Access Roles ............................................................................31
Authorization for CLI Access ...................................................................................................................31
Disabled Commands for Read-Only Administrators ..................................................................31
RADIUS CLI Authorization ................................................................................................................ 32
TACACS+ CLI Authorization ............................................................................................................. 33
RADIUS Authorization Based on Service-Type .................................................................................34
Configure Accounting .............................................................................................................. 34
Command Accounting (TACACS+ only) .............................................................................................. 35
TACACS+ Accounting Debug Options ................................................................................................. 35
Configuring Authentication, Authorization, and Accounting for Administrator Access ..................... 35
Configuring Authentication .................................................................................................................... 36
Configure Remote Authentication by Using the GUI ................................................................36
Configuring Remote Authentication by Using the CLI .............................................................38
Additional TACACS+ Authentication Options ....................................................................................38
Password Self-Service ......................................................................................................................38
Configuring Access to the Privileged EXEC Level in the CLI ..................................................38
Remote AAA CLI Examples...................................................................................................... 39
RADIUS Authentication ............................................................................................................................ 39
TACACS+ Authorization ...........................................................................................................................40
TACACS+ Accounting ..............................................................................................................................40
RADIUS Server Setup ...............................................................................................................................40
Windows IAS Setup for RADIUS.............................................................................................. 42
Configure Access Groups ........................................................................................................................ 42
Configure RADIUS Client for ACOS Device .........................................................................................44
Configure Remote Access Policies .......................................................................................................45
Add Active Directory Users to ACOS Access Groups ....................................................................... 55
Register the IAS Server in Active Directory ........................................................................................ 56
Configuring RADIUS on the ACOS Device ........................................................................................... 57
Verifying the Configuration .................................................................................................................... 57

LIGHTWEIGHT DIRECTORY ACCESS PROTOCOL ................................................... 59


Configuring LDAP for ACOS Administrators........................................................................ 59


Configuring an LDAP Server ................................................................................................... 60


Configuring an LDAP Server by Using the GUI ..................................................................................60
Configuring an LDAP Server by Using the CLI ...................................................................................60
Configuring an OpenLDAP Server........................................................................................... 61
A10 Schema File for OpenLDAP ..............................................................................................................61
A10 Administrator Account Files for LDAP ......................................................................................... 63
Configuring Microsoft Active Directory................................................................................ 64
Configure ACOS Administrator Accounts ...........................................................................................64
Creating a Read-Only Administrator ............................................................................................. 65
Testing the Read-Only Administrator Account ..........................................................................66
Configuring a Read-Write Administrator ...................................................................................... 67
Testing the Read-Write Administrator Account .........................................................................68
A10 LDAP Object Class and Attribute Types ...................................................................................... 69
Adding A10 LDAP Attribute Types ................................................................................................. 70
Adding “a10Admin” to the object Class ........................................................................................ 74
Restarting the LDAP Process .......................................................................................................... 75
Changing the Administrator Role (A10AdminRole) ............................................................................77
Login Example ..................................................................................................................................... 79
Changing the Access Type (A10AccessType) ...................................................................................80
Login Example ......................................................................................................................................81

COMMAND AUDITING ........................................................................................83


Command Auditing Overview ................................................................................................. 83
Enable and Configure Command Auditing........................................................................... 84
Use the GUI to Configure Command Auditing ...................................................................................84
Use the CLI to Configure Command Auditing ....................................................................................84
Audit Log Examples .................................................................................................................. 85


ADMINISTRATOR ACCOUNTS

This chapter describes how to configure and modify administrator accounts for management access to ACOS
and provides the following information:

• Additional Administrator Accounts

• Administrator Lockouts

Additional Administrator Accounts


This section contains the following topics:

• Default Administrator Account

• Configuring an Administrator Account by Using the GUI

• Configuring an Administrator Account by Using the CLI

• Deleting an Administrator Account

• Recovering an Administrator Password

Default Administrator Account

By default, the ACOS device has one administrator account called admin. This account has global read/write
privileges and can configure additional administrator accounts with the following settings:

• A username and password

• An IP host or subnet address from which the administrator can log in

• A user interface that the administrator can use (CLI, GUI, or aXAPI)

• An account state (enabled or disabled)


Configuring an Administrator Account by Using the GUI

To configure an administrator account for “newadmin” who will have global read and write privileges:

1. Hover over System in the menu bar, then select Admin from the drop-down menu.
2. On the Users tab, click Create.
3. Enter “newadmin” in the Username field.
4. Enter and confirm the password for the new administrator account.
5. Verify that Enable is selected in the Status field (selected by default).
6. In the User Privilege field, select Read-Write.
7. In the Access Interface section, verify that all three user interfaces are selected (they should be selected
by default).

8. Click Apply.
9. Return to the Admin table and verify that the new administrator appears in the list.


Configuring an Administrator Account by Using the CLI

To configure an administrator account:

1. To specify an admin username and password, enter the following commands:


ACOS(config)# admin admin1 password admin_a10

2. To enable or disable access to a user interface, enter one of the following commands:
• To enable access to a user interface (for example, GUI access), enter the following command:
ACOS(config-admin:admin1)# access web

• To disable access to a user interface (for example, CLI) enter the following command:
ACOS(config-admin:admin1)# no access cli

3. To set user privileges, enter the following commands:


ACOS(config-admin:admin1)# privilege read
ACOS(config-admin:admin1)# privilege write

4. To set up a trusted host IP, enter the trusted-host command:


ACOS(config-admin:admin1)# trusted-host 255.255.255.255 /24

5. To activate the user, enter the following command:


ACOS(config-admin:admin1)# enable
Modify Admin User successful!

Deleting an Administrator Account

An administrator with root privileges can delete other administrator accounts.

Before you delete an administrator account, complete the following tasks:

• Determine whether the administrator has active sessions.

• Clear any sessions the administrator has open.

To delete an admin account, you first must terminate any active sessions the administrator account has
open. The account is not deleted if open sessions exist.


Deleting an Administrator Account Using the GUI


To delete an administrator account:

1. Navigate to System / Admin / Sessions / List.


2. Delete any open sessions; select the session you want to delete and click Delete.
3. Navigate to System / Admin / Users / List.
4. Select the admin you want to delete, then click Delete.

Deleting an Administrator Account Using the CLI


To delete an admin account:

1. Use the show admin session command to view active admin sessions on the device:

ACOS(config)# show admin session
Id User Name Start Time Source IP Type Partition Authen Role Cfg
------------------------------------------------------------------------------------------------------------
*98 admin 03:11:31 IST Wed Aug 24 2016 172.17.0.224 CLI Local ReadWriteAdmin Yes
100 admin2 03:16:08 IST Wed Aug 24 2016 172.17.12.238 CLI Local ReadWriteAdmin No

2. Use the clear admin session command to clear a specific admin session. In this example, we will clear
session ID 100, for admin2:
ACOS(config)# clear admin session 100

3. Use the no admin command to delete the admin (in this example, we are deleting admin2):
ACOS(config)# no admin admin2
By this command, sessions (if any) with this admin will be automatically logout. Continue? [yes/
no]:yes

4. Use the show admin session and show admin commands to verify that the admin is removed (in this example, admin2 should no longer appear in the output):

ACOS(config)# show admin session
Id User Name Start Time Source IP Type Partition Authen Role Cfg
------------------------------------------------------------------------------------------------------------
96 admin 02:53:18 IST Wed Aug 24 2016 172.17.0.224 WEB Local ReadWriteAdmin No
*98 admin 03:11:31 IST Wed Aug 24 2016 172.17.0.224 CLI Local ReadWriteAdmin Yes
ACOS(config)(UNSUPPORTED-PLATFORM)# show admin
Total number of configured users: 3

Privilege R: read-only, W: write, P: partition, En: Enable
Access Type C: cli, W: web, A: axapi

UserName Status Privilege Access
--------------------------------------------------------------------
admin Enabled R/W C/W/A
jason Enabled S C
rons Enabled S C

Recovering an Administrator Password

This section describes how to recover access in the event your admin password is lost.

This procedure can only be performed through the serial console, and only within the first five minutes of
rebooting the ACOS device.

1. Use the show version or show hardware commands and record the serial number for your device.
2. Reboot the ACOS device.
3. Connect to the serial console.
4. When prompted for the user name and password, enter the following:
User Name: reset
Password: serial number for your device
Use the serial number recorded in step 1, or locate the serial number on the rear of your ACOS device.
5. After logging in, the CLI presents the following questions:
a. Do you want to reset admin password to default?[y/n]:
Answering y to this question resets the admin user name and password to the factory default admin
and a10.
b. Do you want to reset enable password to default?[y/n]:
Answering y to this question resets the enable password to the factory default, which is no password.
c. Do you want to erase startup config?[y/n]:
Answering y to this question clears the startup config, thus returning the device to its factory default
settings.

CAUTION: Answering y to this question means you must reconfigure the device.


6. Answer y to the first question so that you can log on to the device; answer the other two questions as
desired for your needs.
7. After you log on to the device, change the admin password for security purposes.

Administrator Lockouts
By default, there is no limit to the number of times you can enter an incorrect password with an administrator
account to log in. You can enable the ACOS device to lock administrator accounts for a period after a specific
number of invalid passwords have been entered.

This section contains the following information:

• Lockout Parameters

• Configuring Administrator Lockout Using the CLI

Lockout Parameters

Table 1 lists the administrator lockout parameters that you can configure.

TABLE 1 : Admin Lockout Parameters

| Parameter     | Description                                                                                                                                                                                  | Default    |
|---------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------|
| Feature state | Controls whether admin accounts can be locked.                                                                                                                                               | Disabled   |
| Threshold     | Number of failed login attempts allowed for an admin account before it is locked.                                                                                                            | 5          |
| Reset time    | Number of minutes the ACOS device remembers a failed login attempt. For an account to be locked, greater than the number of failed login attempts specified by the threshold must occur within the reset time. | 10 minutes |
| Duration      | Number of minutes a locked account remains locked. To keep accounts locked until you or another authorized administrator unlocks them, set the value to 0.                                    | 10 minutes |

Configuring Administrator Lockout Using the CLI

You can enter the following commands to configure administrator lockout:

• To enable an administrator lockout, enter the following command:


ACOS(config)# admin-lockout enable


• To set the number of failed login attempts allowed before an administrator account is locked, enter the following command:

ACOS(config)# admin-lockout threshold 5

This example locks the administrator out after 5 failed attempts.

• To lock out the administrator for a specified number of minutes, enter the following command:

ACOS(config)# admin-lockout duration 15

This example locks the administrator out for 15 minutes.

• To keep the administrator account locked until the account is manually unlocked by an authorized
administrator, enter the following command:

ACOS(config)# admin-lockout duration 0

• To set how long the ACOS device remembers a previous failed login (for example, 10 minutes, so that the
threshold of 5 failed login attempts must be reached within that window), enter the following command:

ACOS(config)# admin-lockout reset-time 10

For more information, see Table 1.

To view the lockout status or manually unlock an account:

1. To view the lockout status of the account for “admin1”, enter the following command:
ACOS(config)# show admin admin1 detail

2. To unlock an admin account, access the configuration level for the admin, then enter the unlock com-
mand:
ACOS(config)# admin admin1
ACOS(config-admin:admin1)# unlock
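The interaction of threshold, reset time and duration is easy to misread, so the following added example (not A10 code) models the Table 1 semantics in Python: each failed login is stamped with a time in minutes, failures older than the reset time are forgotten, the account locks once more than the threshold of failures falls inside that window (this follows Table 1's "greater than" wording; the device's exact count is an assumption to confirm with show admin admin1 detail), and a duration of 0 holds the lock until unlock() is called, mirroring the unlock command above. The account names and timings are constructed for the example.

```python
"""Model of the ACOS admin-lockout parameters from Table 1 (added example, not A10 code).

Times are plain minutes (floats) so the example runs offline without a clock.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class LockoutPolicy:
    enabled: bool = False        # admin-lockout enable
    threshold: int = 5           # admin-lockout threshold N
    reset_time_min: int = 10     # admin-lockout reset-time N
    duration_min: int = 10       # admin-lockout duration N (0 = locked until manual unlock)


@dataclass
class AccountState:
    failures: List[float] = field(default_factory=list)  # minutes of recent failed logins
    locked_at: Optional[float] = None


class LockoutTracker:
    """Applies one LockoutPolicy to the login events of any number of admin accounts."""

    def __init__(self, policy: LockoutPolicy) -> None:
        self.policy = policy
        self._accounts: Dict[str, AccountState] = {}

    def _state(self, name: str) -> AccountState:
        return self._accounts.setdefault(name, AccountState())

    def is_locked(self, name: str, now: float) -> bool:
        st = self._state(name)
        if st.locked_at is None:
            return False
        if self.policy.duration_min == 0:
            return True                       # duration 0: stays locked until unlock()
        if now - st.locked_at >= self.policy.duration_min:
            st.locked_at = None               # lock duration has elapsed
            st.failures.clear()
            return False
        return True

    def record_failure(self, name: str, now: float) -> bool:
        """Record a failed login at minute `now`; return True if the account is locked afterwards."""
        if not self.policy.enabled:
            return False                      # feature state disabled: never lock
        if self.is_locked(name, now):
            return True
        st = self._state(name)
        # Reset time: only failures within the last reset_time_min minutes count.
        st.failures = [t for t in st.failures if now - t < self.policy.reset_time_min]
        st.failures.append(now)
        # Threshold: lock once MORE than `threshold` failures fall inside the window.
        # Assumption: confirm the device's exact counting with `show admin <name> detail`.
        if len(st.failures) > self.policy.threshold:
            st.locked_at = now
            return True
        return False

    def record_success(self, name: str, now: float) -> bool:
        """A successful login clears the failure history unless the account is locked."""
        if self.is_locked(name, now):
            return False
        self._state(name).failures.clear()
        return True

    def unlock(self, name: str) -> None:
        """Equivalent of `admin <name>` followed by `unlock` by an authorized administrator."""
        st = self._state(name)
        st.locked_at = None
        st.failures.clear()

    def failure_count(self, name: str) -> int:
        return len(self._state(name).failures)


if __name__ == "__main__":
    tracker = LockoutTracker(LockoutPolicy(enabled=True, threshold=5, reset_time_min=10, duration_min=15))
    for minute in range(7):   # constructed: seven failed logins one minute apart
        print(f"minute {minute}: locked={tracker.record_failure('admin1', minute)}")
    print("locked at minute 19:", tracker.is_locked("admin1", 19))
    print("locked at minute 20:", tracker.is_locked("admin1", 20))
```

Run the block as a script to see the sixth failure trigger the lock and the lock expire 15 minutes later; with duration 0 the last two lines would both print True until unlock() is called.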


ACCESS BASED ON THE MANAGEMENT INTERFACE

By default, certain types of management access through the ACOS device’s Ethernet interfaces are blocked.
This chapter describes how to configure management access based on the interface.

This chapter provides the following information:

• Default Management Access Settings

• Configuring Access by Using Access Control Lists

• Configure Management Access Through Ethernet Interfaces

• Viewing the Current Management Access Settings

• Regaining Access if You Accidentally Block All Access

Default Management Access Settings


Table 2 provides the default settings for each management service.

TABLE 2 : Default Management Access

| Management Service | Ethernet Management Interface | Ethernet and VE Data Interface |
|--------------------|-------------------------------|--------------------------------|
| SSH                | Enabled                       | Disabled                       |
| Telnet             | Disabled                      | Disabled                       |
| HTTP               | Enabled                       | Disabled                       |
| HTTPS              | Enabled                       | Disabled                       |
| SNMP               | Enabled                       | Disabled                       |
| Ping               | Enabled                       | Enabled                        |

You can enable or disable management access for each access type and interface. You also can use an
Access Control List (ACL) to permit or deny management access through the interface by using specific
hosts or subnets.


Configuring Access by Using Access Control Lists


This section contains important information about ACL support:

• Configuring ACL Support on the Management Interface

• Configuring ACL Support on Data Interfaces

• Implicit Deny Rule

Configuring ACL Support on the Management Interface

The management interface supports only one ACL, which can be bound to the interface as an enable-
management ACL or directly to the interface as a filter. To replace the current ACL with a different one, you
must first remove the ACL that is currently bound to the interface.

For example, enter only one of the following sets of commands:

• ACOS(config)# enable-management service acl-v4 1

• ACOS(config)# interface management
  ACOS(config-if:management)# access-list 1 in

Additionally, if you apply an enable-management ACL to the management interface, an ACL for an individual
service is not supported. For example, you cannot enter the following rule on the management interface:

ACOS(config)# enable-management service ping
ACOS(config-enable-management ping)# acl-v4 1

Configuring ACL Support on Data Interfaces

Data interfaces can support multiple ACLs, including multiple enable-management ACLs. If a data interface
has multiple enable-management ACLs, the ACLs are applied in the following order:

1. enable-management service {ping | ssh | telnet | http | https} acl {id | name} {ethernet port-num [to port-num] | ve ve-num [to ve-num]}

2. enable-management service acl {id | name} {ethernet port-num [to port-num] | ve ve-num [to ve-num]}


Implicit Deny Rule

Each ACL has an implicit deny any any rule at the end. If the management traffic’s source address does not
match a permit rule in the ACL, the implicit deny any any rule is used to deny access.
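To make the decision path concrete, the following added example (not A10 code) models in Python how a management connection is evaluated: first the per-service, per-interface switch from Table 2, then the ACL bound to the interface, where the first matching rule wins and a source that matches nothing falls through to the implicit deny any any. It also enforces the one-ACL-per-management-interface rule from above. The interface names, ACL rules and source addresses are constructed; per-service ACLs on data interfaces are not modelled.

```python
"""Management access decision model (added example, not A10 code)."""
import ipaddress
from typing import Dict, List, Optional, Tuple

SERVICES = ("ssh", "telnet", "http", "https", "snmp", "ping")

# Defaults from Table 2: Ethernet management interface vs. Ethernet/VE data interfaces.
DEFAULT_MGMT = {"ssh": True, "telnet": False, "http": True, "https": True, "snmp": True, "ping": True}
DEFAULT_DATA = {"ssh": False, "telnet": False, "http": False, "https": False, "snmp": False, "ping": True}


class Acl:
    """Ordered permit/deny rules; the first rule whose network contains the source wins."""

    def __init__(self, rules: List[Tuple[str, str]]) -> None:
        self.rules = []
        for action, network in rules:
            if action not in ("permit", "deny"):
                raise ValueError(f"bad ACL action: {action}")
            self.rules.append((action, ipaddress.ip_network(network, strict=False)))

    def match(self, source: str) -> Optional[str]:
        """Return 'permit' or 'deny' from the first matching rule, or None if no rule matched."""
        addr = ipaddress.ip_address(source)
        for action, network in self.rules:
            if addr in network:
                return action
        return None

    def permits(self, source: str) -> bool:
        # None (no rule matched) falls through to the implicit deny any any.
        return self.match(source) == "permit"


class ManagementAccess:
    def __init__(self) -> None:
        self.services: Dict[str, Dict[str, bool]] = {"mgmt": dict(DEFAULT_MGMT)}
        self.acls: Dict[str, Acl] = {}

    def add_data_interface(self, name: str) -> None:
        self.services[name] = dict(DEFAULT_DATA)

    def set_service(self, interface: str, service: str, enabled: bool) -> None:
        """Equivalent of enable-management / disable-management service <svc> [<interface>]."""
        if service not in SERVICES:
            raise ValueError(f"unknown service: {service}")
        self.services[interface][service] = enabled

    def bind_acl(self, interface: str, acl: Acl) -> None:
        # The management interface supports only one ACL; the old one must be removed first.
        if interface == "mgmt" and interface in self.acls:
            raise RuntimeError("management interface already has an ACL bound; remove it first")
        self.acls[interface] = acl

    def unbind_acl(self, interface: str) -> None:
        self.acls.pop(interface, None)

    def is_allowed(self, interface: str, service: str, source: str) -> Tuple[bool, str]:
        """Return (allowed, reason) for a management connection to `service` on `interface`."""
        svc = self.services.get(interface)
        if svc is None:
            return False, f"unknown interface {interface}"
        if not svc.get(service, False):
            return False, f"{service} is disabled on {interface}"
        acl = self.acls.get(interface)
        if acl is not None:
            verdict = acl.match(source)
            if verdict == "deny":
                return False, f"{source} denied by an explicit ACL rule"
            if verdict is None:
                return False, f"{source} matched no rule: implicit deny any any"
        return True, "permitted"


if __name__ == "__main__":
    m = ManagementAccess()
    m.add_data_interface("eth6")
    m.bind_acl("mgmt", Acl([("deny", "10.0.0.99/32"), ("permit", "10.0.0.0/24")]))  # constructed ACL
    for src in ("10.0.0.5", "10.0.0.99", "192.0.2.9"):
        print("mgmt ssh from", src, "->", m.is_allowed("mgmt", "ssh", src))
    print("eth6 telnet from 10.0.0.5 ->", m.is_allowed("eth6", "telnet", "10.0.0.5"))
```

The reason string distinguishes an explicit deny from the implicit one, which is the distinction you need when an administrator reports being locked out and the ACL looks correct at first glance.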

Configure Management Access Through Ethernet Interfaces

To disable management access, enter the disable-management service command at the global configuration
level of the CLI.

The following example command disables HTTP access to the out-of-band management interface:

ACOS(config)# disable-management service http


You may lose connection by disabling the http service.
Continue? [yes/no]:yes

To enable management access, enter the enable-management service command at the global configuration
level of the CLI.

The following example command enables Telnet access to data interface 6:

ACOS(config)# enable-management service telnet ethernet 6

Viewing the Current Management Access Settings


To view the management access settings that are currently in effect, enter the show management command at
any level of the CLI.

The following example shows an ACOS device with 12 Ethernet data ports. In this example, all the access
settings are set to their default values:

ACOS# show management

PING SSH Telnet HTTP HTTPS SNMP ACL
-------------------------------------------------------------------------------------------------------------
mgmt on on off on on on -
eth1 on off off off off off -
eth2 on off off off off off -
eth3 on off off off off off -
eth4 on off off off off off -
eth5 on off off off off off -
eth6 on off off off off off -
eth7 on off off off off off -
eth8 on off off off off off -
eth9 on off off off off off -
eth10 on off off off off off -
eth11 on off off off off off -
eth12 on off off off off off -
ve3 on off off off off off -
ve5 on off off off off off -

Regaining Access if You Accidentally Block All Access
If you disable the type of access that you are using at the time you enter the disable-management command,
your management session will end. If you accidentally enter the all option for all interfaces, which locks you
out of the device completely, you can still access the CLI by connecting a computer to the ACOS device’s
serial port.


CONFIGURING WEB ACCESS

By default, access to the ACOS management GUI is enabled and is secure. A valid administrator username
and password are required to log in.

This chapter provides information about the following topics:

• Default Web Access Settings

• Configure Web Access

Default Web Access Settings


Table 3 provides information about the default settings for web access.

TABLE 3 : Default Web Access Settings

Parameter      Description                                                     Default
-------------  --------------------------------------------------------------  --------------------------------
Auto-redirect  Automatically redirects requests for the unsecured port         Enabled
               (HTTP) to the secure port (HTTPS).
HTTP server    HTTP server on the ACOS device.                                 Enabled
HTTP port      Protocol port number for the unsecured (HTTP) port.             80
HTTPS server   HTTPS server on the ACOS device.                                Enabled
HTTPS port     Protocol port number for the secure (HTTPS) port.               443
Timeout        Number of minutes a Web management session can remain idle      Range: 0-60 minutes. To disable
               before it times out and is terminated by the ACOS device.       the timeout, specify 0.
                                                                               Default: 10 minutes
aXAPI Timeout  Number of minutes an aXAPI session can remain idle before       0-60 minutes. If you specify 0,
               being terminated. Once the aXAPI session is terminated, the     sessions never time out.
               session ID generated by the ACOS device for the session is      Default: 10 minutes
               no longer valid. For more information about aXAPI, see the
               aXAPI Reference documentation.

NOTE: If you disable HTTP or HTTPS access, sessions on the management GUI are
immediately terminated.


Configure Web Access


You can configure web access by using the CLI.

Configuring Web Access by Using the CLI


To configure web access, enter the web-service command at the global configuration level of the CLI.

• By default, the web server is enabled on the system. The following command disables the web server:

ACOS(config)# web-service server disable

• The following command sets the HTTP port to 80:

ACOS(config)# web-service port 80


PUBLIC KEY AUTHENTICATION FOR SSH

ACOS provides an option to simplify management access through the CLI, with support for public key
authentication.

Public key authentication allows an ACOS administrator to log in through SSH without entering a password.
When the administrator enters a username and presses Enter, the SSH client on the administrator’s
computer sends a signature file for the administrator. The ACOS device compares the signature file to the
administrator’s public key that is stored on the ACOS device. If they match, the administrator is granted
access.

To use public key authentication, complete the following tasks:

1. Generating a Key Pair From the Remote Client
2. Importing the Public Key to the ACOS Device

To delete a public key, see Deleting a Public Key.

Generating a Key Pair From the Remote Client


On the remote client (for example, a computer) from where the administrator accesses the ACOS device’s
CLI, use the computer’s SSH client to generate an RSA key pair for the administrator. The key pair consists of
a public key and a private key.

NOTE: In the current release, only the OpenSSH client is supported.

The following example shows you how to generate a key pair from a remote client with the administrator
account admin2:

OpenSSHclient$ mkdir ~/.ssh
OpenSSHclient$ chmod 700 ~/.ssh
OpenSSHclient$ ssh-keygen -q -f ~/.ssh/ACOS_admin2 -t rsa
Enter passphrase (empty for no passphrase): …
Enter same passphrase again: …

NOTE: At the passphrase prompts, press Enter and do not enter any characters.

Importing the Public Key to the ACOS Device


After the key pair is generated, to import the public key to the ACOS device:

1. Log in to the ACOS device with root or global read-write privileges.
2. Access the configuration level for the administrator account.
3. Import only the public key, and not the private key, to the ACOS device.
   You can import public keys in separate files or grouped in one file.

NOTE: The admin account has root privileges and can manage the public certificates for all administrators.
Other administrator accounts can manage only the public key that belongs to that administrator account.

The following example shows you how to import a public key for the administrator user admin2:

ACOS(config)# admin admin2
ACOS(config-admin:admin2)# ssh-pubkey import scp:
Address or name of remote host []? 10.10.10.69
User name []? ACOSadmin2
Password []? *********
File name [/]? /home/admin2/.ssh/ACOS_admin2.pub
ACOS(config-admin:admin2)# ssh-pubkey list

For more information, see the admin command in the Command Line Interface Reference, in the section where
the ssh-pubkey import command is described.

You can enter the ssh-pubkey list command to view the public keys on your system.
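Step 3 above depends on the private key never leaving the client, so it is worth confirming that the file handed to ssh-pubkey import really is the public half and is well formed. The following is an added Python check, not ACOS or OpenSSH code: it decodes the base64 key blob that ssh-keygen writes to the .pub file (the ssh-rsa wire format of RFC 4253, a type string followed by the mpints e and n) and rejects private-key material, non-RSA keys and truncated or mismatched blobs. The sample key is built from placeholder numbers and is not a real key; only its encoding is realistic.

```python
"""Checks for an OpenSSH public-key line before it is imported with ssh-pubkey import.

Added illustration, not ACOS or OpenSSH code. The sample key below is constructed from
placeholder numbers and is not a real key; only its encoding is realistic."""
import base64
import struct


def _ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(value: int) -> bytes:
    """RFC 4251 'mpint' magnitude: big-endian, with a leading 0x00 if the top bit is set."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return raw


def build_openssh_rsa_line(e: int, n: int, comment: str) -> str:
    """Encode an RSA public key the way ssh-keygen writes a .pub line (used for the sample)."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_string(_ssh_mpint(e)) + _ssh_string(_ssh_mpint(n))
    return f"ssh-rsa {base64.b64encode(blob).decode('ascii')} {comment}"


def parse_openssh_pubkey(line: str) -> dict:
    """Validate one .pub line and return its key type, modulus size, exponent and comment.
    Raises ValueError for private-key material, non-RSA keys, or a malformed key blob."""
    line = line.strip()
    if line.startswith("-----BEGIN"):
        raise ValueError("this is private-key material; import only the .pub file")
    parts = line.split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64-blob> [comment]'")
    key_type, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    blob = base64.b64decode(b64, validate=True)   # binascii.Error is a ValueError
    fields, offset = [], 0
    while offset < len(blob):                      # walk the length-prefixed fields
        if offset + 4 > len(blob):
            raise ValueError("truncated length field")
        (length,) = struct.unpack(">I", blob[offset:offset + 4])
        offset += 4
        if offset + length > len(blob):
            raise ValueError("truncated key field")
        fields.append(blob[offset:offset + length])
        offset += length
    if not fields or fields[0] != key_type.encode("ascii"):
        raise ValueError("key type inside the blob does not match the line prefix")
    if key_type != "ssh-rsa":
        raise ValueError(f"{key_type}: this guide documents RSA key pairs only")
    if len(fields) != 3:
        raise ValueError("an ssh-rsa blob must hold exactly the type, e and n")
    e = int.from_bytes(fields[1], "big")
    n = int.from_bytes(fields[2], "big")
    return {"type": key_type, "bits": n.bit_length(), "exponent": e, "comment": comment}


def is_importable_pubkey(line: str) -> bool:
    """True only when parse_openssh_pubkey accepts the line."""
    try:
        parse_openssh_pubkey(line)
        return True
    except ValueError:
        return False


# Constructed sample: placeholder modulus (2^2047 + 65537), not a generated key.
SAMPLE_PUB_LINE = build_openssh_rsa_line(65537, (1 << 2047) + 65537, "admin2@workstation")

if __name__ == "__main__":
    print(parse_openssh_pubkey(SAMPLE_PUB_LINE))
```

Run it against the real ~/.ssh/ACOS_admin2.pub before the import: the modulus size is the figure to compare with your key-length policy, and a rejection with the private-key message means the wrong file was selected.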

Deleting a Public Key


To delete an SSH public key from the ACOS device, enter the following command:

ACOS(config-admin:admin2)# ssh-pubkey delete num

The num option specifies the key number on the ACOS device. You can display the key numbers and the keys
by entering the ssh-pubkey list command.


TACACS+ AND RADIUS

You can configure the ACOS device to use remote servers for Authentication, Authorization, and Accounting
(AAA) for administrative sessions. The ACOS device supports RADIUS, TACACS+, and LDAP servers.

This chapter provides the following information:

• Authentication

• Authorization

• Configure Accounting

• Configuring Authentication, Authorization, and Accounting for Administrator Access

• Remote AAA CLI Examples

• Windows IAS Setup for RADIUS

For information about LDAP support, see “Lightweight Directory Access Protocol” on page 59.

Authentication
Authentication grants or denies access to the device based on the credentials provided by the user (admin
user name and password).

By default, when someone attempts to log in to the ACOS device, the device determines whether the
username and password exist in the local administrative database. Without additional configuration, the
authentication process stops at this point. If the administrator username and password exist in the local
database, the user is granted access; otherwise, access to the device is denied.

You can configure the ACOS device to also use external RADIUS, TACACS+ or LDAP servers for
authentication.

Multiple Authentication Methods

You can specify multiple methods for authenticating ACOS administrators. For example, you can configure
the ACOS device to try these servers in the following order:

1. LDAP
2. TACACS+
3. RADIUS
4. Local database

In this example, the ACOS device tries to use the LDAP servers first. If no LDAP servers respond, the ACOS
device tries to use the TACACS+ servers. If no TACACS+ servers respond, the ACOS device tries the RADIUS
servers. If no RADIUS servers respond, the ACOS device uses the local database.

Tiered Authentication

In addition to selecting multiple authentication methods, you can configure the ACOS device to use tiers of
authentication and to configure backup authentication methods for use when the primary method is
unavailable. By default, the backup authentication method is used only if the primary method does not
respond. If the primary method responds and denies access, the secondary method is not used, and the
administrator is not granted access.

You can enable the ACOS device to check the next method if the primary method does respond and
authentication fails. This option is called “tiered authentication”. For example, the primary method is RADIUS
and the next method is TACACS+. If RADIUS rejects the administrator, tiered authentication attempts to
authenticate the administrator by using TACACS+.


Table 4 provides information about the ACOS authentication behavior based on tiered authentication.

TABLE 4 : Authentication Process Based on Tiered Authentication

Tiered Authentication Setting: Single (default)

ACOS Behavior:
1. Try method1. If a method1 server replies, permit or deny access based on the server reply.
2. Only if no method1 servers reply, try method2. If a method2 server replies, permit or deny access based
   on the server reply.
3. Only if no method2 servers reply, try method3. If a method3 server replies, permit or deny access based
   on the server reply.
4. Only if no method3 servers reply, try method4. If authentication succeeds, the admin is permitted.
   Otherwise, the admin is denied.

Tiered Authentication Setting: Multiple

ACOS Behavior:
1. Try method1. If a method1 server replies, permit access based on the server reply.
2. If no method1 servers reply or a method1 server denies access, try method2. If a method2 server replies,
   permit access based on the server reply.
3. If no method2 servers reply or a method2 server denies access, try method3. If a method3 server replies,
   permit access based on the server reply.
4. If no method3 servers reply or a method3 server denies access, try method4. If authentication succeeds,
   the admin is permitted. Otherwise, the admin is denied.

By default, tiered authentication is disabled and is set to single. You can enable it on a global basis.
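The difference between the two settings is easy to misjudge from the table, so here is an added Python model of the method walk (not ACOS code) that also includes the admin-account exception described in the next section. The method names, the Reply values, the dict of per-method outcomes and the plaintext local database are constructed stand-ins for the example:

```python
"""Model of the single (default) and multiple (tiered) authentication settings in Table 4.

Added illustration, not ACOS code. How each remote method's outcome is supplied
(a dict of constructed replies) and the plaintext local database are stand-ins."""
from enum import Enum


class Reply(Enum):
    PERMIT = "permit"              # a server replied and accepted the credentials
    DENY = "deny"                  # a server replied and rejected the credentials
    NO_RESPONSE = "no-response"    # no server of this method replied


METHOD_ORDER = ["ldap", "tacacs+", "radius", "local"]   # the example order from the text


def authenticate(methods, outcomes, tiered=False):
    """Walk the configured methods in order.
    methods:  ordered method names; "local" is the local database.
    outcomes: method name -> Reply for this login attempt (constructed).
    tiered:   False = single setting, True = multiple (tiered) setting.
    Returns (granted, trace); trace lists the (method, reply) pairs consulted."""
    trace = []
    for method in methods:
        reply = outcomes.get(method, Reply.NO_RESPONSE)
        trace.append((method, reply))
        if reply is Reply.PERMIT:
            return True, trace
        if reply is Reply.DENY and not tiered:
            # Single: a method that replies is authoritative; a denial ends the walk.
            return False, trace
        # No response (either setting), or a denial under tiered: try the next method.
    return False, trace


def local_reply(username, password, local_db):
    """The local database always replies: it either knows the credentials or it does not."""
    return Reply.PERMIT if local_db.get(username) == password else Reply.DENY


def login(username, password, remote_outcomes, local_db, tiered=False,
          admin_local_only=True, methods=METHOD_ORDER):
    """Full login decision including the admin exception: by default the built-in
    admin account is authenticated locally, regardless of the method list."""
    outcomes = dict(remote_outcomes)
    outcomes["local"] = local_reply(username, password, local_db)
    if username == "admin" and admin_local_only:
        return authenticate(["local"], outcomes, tiered)
    return authenticate(methods, outcomes, tiered)


# Constructed sample data: a stand-in for the local administrative database.
LOCAL_DB = {"admin": "local-secret", "admin2": "other-secret"}

if __name__ == "__main__":
    outcomes = {"ldap": Reply.NO_RESPONSE, "tacacs+": Reply.DENY, "radius": Reply.PERMIT}
    print("single :", login("admin2", "x", outcomes, LOCAL_DB, tiered=False))
    print("tiered :", login("admin2", "x", outcomes, LOCAL_DB, tiered=True))
```

The trace is the part worth reading: under the single setting a TACACS+ denial stops the walk before RADIUS is ever asked, while under the tiered setting the same denial is only a reason to continue, so a credential rejected by one server can still be accepted by a later one.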

Authentication Process

You can specify whether to check the local database or the remote server first. Figure 1 and Figure 2 show
the authentication processes that are used if the ACOS device is configured to check remote AAA servers
first.

If the RADIUS, TACACS+, or LDAP server responds, the local database is not checked, and one of the
following situations occurs:

• If the administrator’s credentials are found on the RADIUS, TACACS+, or LDAP server, the administrator
is granted access.
• If the administrator credentials are not found on the RADIUS, TACACS+, or LDAP server, the administrator
is denied access.

If there is no response from RADIUS, TACACS+, or LDAP server, the ACOS device checks its local database for
the administrator name and password.

NOTE: An exception is made for the admin account; by default, the ACOS device always
uses local authentication for admin.

Local authentication can be disabled for admin, in which case the authentication
process is the same as for other administrator accounts. For more information,
see “Disabling Local Authentication for the Administrator Account by Using the
CLI” on page 27.

FIGURE 1 : Authentication Process When Remote Authentication Is First (two remote servers configured) –
RADIUS


FIGURE 2 : Authentication Process When Remote Authentication Is First (one remote server configured) –
TACACS+

Disabling Local Authentication for the Administrator Account by Using the CLI
By default, the ACOS device always locally authenticates admin even if RADIUS, TACACS+, or LDAP is used as
the primary authentication method.

To disable automatic local authentication for the administrator account, access the admin configuration level
for the admin you want to disable, then use the disable command. For example:

ACOS(config)# admin exampleuser password examplepassword
ACOS(config-admin:exampleuser)# disable
Modify Admin User successful!
ACOS(config-admin:exampleuser)#

NOTE: If the RADIUS, TACACS+, or LDAP server cannot be reached, the ACOS device then uses local
authentication for admin. This behavior is also used for other administrator accounts when the remote
AAA server cannot be reached.

Token-based Authentication Support for RADIUS

The ACOS Series supports RSA token-based RADIUS authentication, which provides additional login security
by requiring the administrator to enter a string and a token in addition to the username and password. This
enhancement supports the Access-Challenge function in RFC 2865.

After the administrator enters a username and a password, the ACOS device sends the credentials to the
RADIUS server. If the username and password are valid, and the server is configured to use token-based
authentication, the server replies with an Access-Challenge message. The ACOS device displays a prompt for
the required token.

The ACOS device attempts to verify the token, and one of the following situations occurs:

• If the token is valid, the administrator is granted access.

• If the token is invalid, even though the username and password are valid, access is denied.

By default, support for token-based RADIUS authentication is enabled and cannot be disabled. No additional
configuration is required on the ACOS device.

Configuring Token-Based Authentication for RADIUS


You can configure token-based authentication for RADIUS by using the GUI or the CLI.

Use the CLI to Configure Token-Based Authentication for RADIUS

In the following CLI example, an administrator initiates the login process by entering a username and a
password. The ACOS device presents a challenge value and prompts for the response.

login as: admin2
Using keyboard-interactive authentication.
Password: ********
Using keyboard-interactive authentication.
Challenge: 133420
Response: ******
Last login: Fri Jul 1 21:51:35 2011 from 192.168.32.153

[type ? for help]

ACOS>


Authorization
You can configure authorization based on the following:

• Authorization Based on a User Interface

• Authorizing Admin Privileges

• Authorization for CLI Access

• RADIUS Authorization Based on Service-Type

Authorization Based on a User Interface

You can deny an administrator access to the ACOS device by using one or more of the following user
interfaces:

• CLI

• GUI

• aXAPI

By default, administrators are allowed to use all three user interfaces.

RADIUS Configuration for User Interface Access


To configure RADIUS authorization based on the user interface, use:

A10-Admin-Access-Type

The following are valid A10-Admin-Access-Type values:

• cli
• web
• axapi

To authorize access to more than one user interface, enter a comma between each value. For example, to
authorize access to the CLI and web interfaces, enter cli,web.

TACACS+ Configuration for User Interface Access


To configure authorization based on the user interface, enter the following Attribute Value Pair (AVP):

a10-access-type=user-interface

Replace user-interface with one or more of the following options:

• cli
• web
• axapi

To authorize access to more than one user interface, enter a comma between each value, for example,

a10-access-type=cli,web

NOTE: An AVP is the combination of an attribute, which is a parameter that is associated with an ACOS
administrator account, and the value of the parameter.

LDAP Configuration for User Interface Access


Authorization for LDAP is based on a schema file. For more information, see “A10 Schema File for OpenLDAP”
on page 61.

Authorizing Admin Privileges

The privileges for each admin are the same across all three user interfaces. For example, if you create an
admin with global read and write privileges, then the same privileges apply to both the CLI and GUI.

Compatibility with Privilege Levels Assigned by RADIUS or TACACS+


It is required to assign a proper privilege level (defined on the ACOS device) to the external user on the
RADIUS or TACACS+ server, so that the user may be authenticated and be granted access to the ACOS
device. After the ACOS device authenticates the privilege level, it will use the GUI access role assigned to the
user to manage the device.

It is not required to assign a privilege level to an ACOS admin on the RADIUS or TACACS+ server used to
authenticate the admin. The ACOS device uses the GUI access role assigned to the admin in the admin’s
account on the ACOS device.

However, if a privilege level is assigned to the admin on the RADIUS or TACACS+ server, that privilege level
must match the privilege assigned to the admin in the ACOS configuration. Otherwise, the admin will be
denied access.


Table 5 lists the RADIUS and TACACS+ privilege levels that match the GUI privileges.

TABLE 5 : RADIUS / TACACS+ Privilege Levels and Matching GUI Access Roles

GUI Access Role    RADIUS Privilege Level    TACACS+ Privilege Level
ReadWriteAdmin     2                         15
ReadOnlyAdmin      1                         0

RADIUS Configuration for GUI Privileges


To configure admin privileges for RADIUS, use the A10-Admin-Privilege option. For example, to authorize
both read and write privileges, use the following statement in the admin definition:

A10-Admin-Role = "ReadWriteAdmin"

NOTE: The A10-Admin-Privilege option applies only to GUI access. It does not restrict
CLI or aXAPI access.

TACACS+ Configuration for GUI Access Roles


To configure admin privileges for TACACS+, use the following attribute-value pair (AVP):

a10-admin-role=role-name

NOTE: This attribute-value pair applies only to GUI access. It does not restrict CLI or
aXAPI access.

Authorization for CLI Access

You can configure the ACOS device to use external RADIUS, TACACS+, or LDAP servers to authorize CLI
commands. After a successful authentication, the authenticated party is granted access to specific system
resources by authorization. For an ACOS administrator, authorization specifies the CLI levels that they can
access.

Disabled Commands for Read-Only Administrators


Administrators who are authenticated by using RADIUS, TACACS+, or LDAP, and are authorized for read-only
access directly to the Privileged EXEC level of the CLI, cannot run the following operational commands:

• backup
• config
• import
• locale
• reboot
• reload
• shutdown

RADIUS CLI Authorization


To configure RADIUS CLI authorization, enter the following settings on the RADIUS server:

VALUE A10-Admin-Privilege Read-only-Admin 1
VALUE A10-Admin-Privilege Read-write-Admin 2

The first line grants access to the User EXEC level and Privileged EXEC level. The administrator’s CLI session
begins at the User EXEC level. The administrator can access the Privileged EXEC level without entering an
enable password, but the administrator cannot access the configuration level:

login as: admin
Using keyboard-interactive authentication.
Password: ********
Last login: Fri Mar 26 20:03:39 2010 from 192.168.1.140

[type ? for help]

ACOS> enable
ACOS#

The second line grants access to all levels, and the administrator’s CLI session begins at the Privileged EXEC
level:

login as: admin2
Using keyboard-interactive authentication.
Password: ********
Last login: Fri Mar 26 20:03:39 2010 from 192.168.1.140

[type ? for help]

ACOS#

For more information, see “RADIUS Authorization Based on Service-Type” on page 34.


TACACS+ CLI Authorization


To configure TACACS+ CLI authorization, complete the following tasks:

• Configure the TACACS+ server to authorize or deny the execution of specific commands or command
groups.
• Configure the ACOS device to send commands to the TACACS+ server for authorization before executing
those commands.

This authorization process does not apply to administrators who log in by using the GUI. For more
information, see “Authorizing Admin Privileges” on page 30.

CLI Access Levels

You can use TACACS+ to authorize an administrator to execute commands at one of the following CLI access
levels:

• 15 (admin) – This is the most extensive level of authorization. The commands at all CLI levels, including
those used to configure administrative accounts, are sent to TACACS+ for authorization.
• 14 (config) – Commands at all CLI levels, except the commands that are used to configure administrative
accounts, are sent to TACACS+ for authorization. The commands that are used to configure administrator
accounts are automatically allowed.
• 1 (admin) – This is the most extensive level of authorization and is the same as access level 15. The
commands at the Privileged EXEC and User EXEC levels are sent to TACACS+ for authorization, and the
commands at other levels are automatically allowed.
• 0 (user EXEC) – This is the equivalent of Read-only privileges. The commands at the User EXEC level
are sent to TACACS+ for authorization, and the commands at other levels are automatically allowed.

Access levels 1-15 grant access to the Privileged EXEC level or higher, without challenging the administrator
for the enable password. Access level 0 grants access only to the User EXEC level.

NOTE: Privilege level 1 supports Read-write or admin privileges. The highest privilege
level is 1 and 15 (Read-write), and the lowest privilege level is 0 (Read-only).

TACACS+ Authorization Debug Options

You can enable the following TACACS+ debug levels for troubleshooting:

• 0x1 – Common system events such as “trying to connect with TACACS+ servers” and “getting response
from TACACS+ servers”. These events are recorded in the syslog.
• 0x2 – Packet fields sent out and received by the Thunder Series device, not including the length fields.
These events are written to the terminal.
• 0x4 – Length fields of the TACACS+ packets will also be displayed on the terminal.
• 0x8 – Information about TACACS+ MD5 encryption will be sent to the syslog.

RADIUS Authorization Based on Service-Type

The ACOS device supports the RADIUS Service-Type attribute values listed in Table 6:

TABLE 6 : Supported RADIUS Service-Type Attribute Values

Attribute Value              Description
Service-Type=Login           Allows access to the EXEC level of the CLI and read-only access to the GUI.
                             The EXEC level of the CLI is denoted by the following prompt (as an example):
                             ACOS>
Service-Type=NAS Prompt      Allows access to the Privileged EXEC level of the CLI and read-only access to
                             the GUI. The Privileged EXEC level of the CLI is denoted by the following
                             prompt (as an example):
                             ACOS#
Service-Type=Administrative  Allows access to the configuration level of the CLI and read-only access to
                             the GUI. The configuration level of the CLI is denoted by the following prompt
                             (as an example):
                             ACOS(config)#

By default, if the Service-Type attribute or the A10 vendor attribute is not used, successfully authenticated
administrators are authorized for read-only access. You can change the default privilege that is authorized by
RADIUS from read-only to read-write. To change the default access level authorized by RADIUS, enter the
following command at the global configuration level of the CLI:

ACOS(config)# radius-server default-privilege-read-write
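Putting the pieces of RADIUS authorization from this chapter together (the A10-Admin-Access-Type list, the Table 5 rule that a server-supplied privilege level must match the ACOS account or access is denied, the Service-Type values of Table 6, and the read-only default that radius-server default-privilege-read-write changes), here is an added Python model; it is not ACOS code. The precedence A10-Admin-Privilege before Service-Type before the default when a reply carries several attributes, the CLI level labels, and treating the read-write default like privilege level 2 are assumptions of the model that this guide does not state; the attribute dicts are constructed sample input.

```python
"""Model of how the RADIUS attributes in this chapter map to what an admin is authorized to use.

Added illustration, not ACOS code. Assumptions of this model (the guide does not state them):
the precedence A10-Admin-Privilege > Service-Type > default when several attributes are
present, the CLI level labels, and that the read-write default behaves like privilege level 2."""
from dataclasses import dataclass, field

VALID_INTERFACES = {"cli", "web", "axapi"}                            # A10-Admin-Access-Type values
RADIUS_PRIVILEGE_TO_ROLE = {1: "ReadOnlyAdmin", 2: "ReadWriteAdmin"}   # Table 5
SERVICE_TYPE_TO_CLI = {                                                # Table 6
    "Login": "user-exec",             # ACOS>
    "NAS Prompt": "privileged-exec",  # ACOS#
    "Administrative": "config",       # ACOS(config)#
}


@dataclass
class Authorization:
    granted: bool
    reason: str = ""
    interfaces: set = field(default_factory=lambda: set(VALID_INTERFACES))
    cli_level: str = "none"
    gui_role: str = "none"


def authorize_radius(attrs, acos_gui_role, default_read_write=False):
    """attrs: attributes from an Access-Accept, as a dict (constructed input).
    acos_gui_role: the GUI access role in the admin's local ACOS account.
    default_read_write: True when 'radius-server default-privilege-read-write' is set."""
    # 1. Interface restriction: comma-separated A10-Admin-Access-Type; default is all three.
    access = attrs.get("A10-Admin-Access-Type")
    if access is None:
        interfaces = set(VALID_INTERFACES)
    else:
        interfaces = {v.strip().lower() for v in access.split(",") if v.strip()}
        if not interfaces or interfaces - VALID_INTERFACES:
            return Authorization(False, f"bad A10-Admin-Access-Type: {access!r}", set())
    # 2. A privilege level sent by the server must match the ACOS account (Table 5) or access is denied.
    privilege = attrs.get("A10-Admin-Privilege")
    if privilege is not None:
        level = int(privilege)
        role = RADIUS_PRIVILEGE_TO_ROLE.get(level)
        if role is None:
            return Authorization(False, f"unsupported A10-Admin-Privilege {level}", set())
        if role != acos_gui_role:
            return Authorization(False, f"server role {role} != ACOS role {acos_gui_role}", set())
        cli_level = "config" if level == 2 else "privileged-exec"   # level 1: no configuration level
        return Authorization(True, "A10-Admin-Privilege", interfaces, cli_level, role)
    # 3. Standard Service-Type (Table 6): CLI level varies, GUI access is read-only.
    service_type = attrs.get("Service-Type")
    if service_type is not None:
        cli_level = SERVICE_TYPE_TO_CLI.get(service_type)
        if cli_level is None:
            return Authorization(False, f"unsupported Service-Type {service_type!r}", set())
        return Authorization(True, "Service-Type", interfaces, cli_level, "ReadOnlyAdmin")
    # 4. Neither attribute present: read-only unless the device default was changed.
    if default_read_write:
        return Authorization(True, "default-privilege-read-write", interfaces, "config", "ReadWriteAdmin")
    return Authorization(True, "default read-only", interfaces, "user-exec", "ReadOnlyAdmin")


if __name__ == "__main__":
    print(authorize_radius({"A10-Admin-Privilege": 2}, "ReadWriteAdmin"))
    print(authorize_radius({"A10-Admin-Privilege": 2}, "ReadOnlyAdmin"))
    print(authorize_radius({"Service-Type": "NAS Prompt", "A10-Admin-Access-Type": "cli,web"}, "ReadOnlyAdmin"))
    print(authorize_radius({}, "ReadOnlyAdmin", default_read_write=True))
```

The second call is the case to keep in mind when reviewing server policy: a privilege level that disagrees with the local account does not degrade to the lower of the two, it denies the login outright, and the last call shows why the read-write default should be a deliberate choice rather than a convenience.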

Configure Accounting
Accounting keeps track of user activities while the user is logged on. You can configure the ACOS device to
use external RADIUS or TACACS+ for accounting for the following activities:

• Log in/log off activity

When the user logs in, the accounting process starts, and when the user logs off, the accounting process
stops.
• Commands


Command Accounting (TACACS+ only)

Table 7 shows the CLI levels in which you can use TACACS+ servers to track attempts to execute commands:

TABLE 7 : CLI Access Levels for Accounting

Access Level         Description
15 (admin)           This is the most extensive accounting level. Commands at all CLI levels, including
                     those used to configure administrator accounts, are tracked.
14 (config)          Commands at all CLI levels, except the commands that are used to configure
                     administrator accounts, are tracked. The commands that are used to configure
                     administrator accounts are not tracked.
1 (privileged EXEC)  Commands at the Privileged EXEC and User EXEC levels are tracked. Commands at
                     other levels are not tracked.
0 (user EXEC)        Commands at the User EXEC level are tracked. Commands at other levels are not
                     tracked.

NOTE: Command levels 2-13 are equivalent to command level 1 (privileged EXEC).

TACACS+ Accounting Debug Options

The same debug levels that are available for TACACS+ Authorization are also available for TACACS+
Accounting. For more information, see “TACACS+ Authorization Debug Options” on page 33.

Configuring Authentication, Authorization, and Accounting for Administrator Access
To configure authentication, authorization, and accounting (AAA):

1. Prepare the AAA servers:
   a. Add administrator accounts (user names and passwords).
   b. Add the ACOS device as a client.
      For the client IP address, specify the ACOS IP address.
   c. For authorization, configure the following settings for the administrator accounts:
      • Specify the user interfaces that the administrator is allowed to access (CLI, GUI, or aXAPI).
      • If you are using TACACS+, specify the CLI commands or command groups that are to be allowed or
        denied execution.
      • If you are using RADIUS, specify the admin privileges for the CLI and GUI.
      • If you are using LDAP, for more information, see “Lightweight Directory Access Protocol” on
        page 59.
2. To use RADIUS, TACACS+, or LDAP for authentication:
   a. Add the RADIUS, TACACS+, or LDAP server(s) to the ACOS device.
   b. Add a RADIUS, TACACS+, or LDAP server as an authentication method to use with the local database.
   c. To use more than one AAA protocol, see “Authentication” on page 23.
3. Configure the authorization:
   a. Add the TACACS+, RADIUS, or LDAP servers for authentication, if necessary.
   b. Specify the access level:
      • If you are using TACACS+, specify the CLI command levels to be authorized.
      • If you are using RADIUS, specify the admin privilege levels for CLI and GUI.
      • If you are using LDAP, see “Lightweight Directory Access Protocol” on page 59.
4. Configure accounting:
   a. Add the TACACS+, RADIUS, or LDAP servers for authorization, if necessary.
   b. Specify whether to track logon/logoff activity.
      You can track log ons and log offs, log offs only, or neither.
   c. If you are using TACACS+, specify the command levels to track.

Configuring Authentication

You can configure remote authentication by using the GUI or the CLI.

Configure Remote Authentication by Using the GUI


You can configure remote authentication using the GUI.

Configuring Global Authentication Settings on the ACOS Device

To configure global authentication settings, navigate to System / Authentication / General / Edit.

There are no mandatory fields that need to be completed on the Authentication Settings page; you can
configure your desired global authentication settings as needed. Refer to the GUI online help for more
information about the fields on this page.

Click Apply when you are finished specifying your desired configuration.


Configuring a RADIUS Server

To configure a RADIUS server:

1. Navigate to System / Authentication / RADIUS / Edit.
2. Click RADIUS Server 1 to designate a RADIUS server and enter settings.
3. Enter the hostname or IP address of the server in the Server field.
4. In the Type field, indicate whether the specified server is an IPv4 or IPv6 address, or a name.
5. In the Secret field, enter the shared secret (password) expected by the server when it receives requests.
6. Complete the other fields on this page as desired; refer to the online help for additional information.
7. Click Apply.

The first RADIUS server configured will act as the primary server and the ACOS device will attempt to use this
server first for authentication. You can configure additional RADIUS servers as needed, if you want to have
any backup servers.

Configuring a TACACS+ Server

To configure a TACACS+ server:

1. Navigate to System / Authentication / TACACS+ / Edit.
2. Click TACACS+ Server 1 to designate a TACACS+ server and enter settings.
3. Enter the hostname or IP address of the server in the Server field.
4. In the Type field, indicate whether the specified server is an IPv4 or IPv6 address, or a name.
5. In the Secret Value field, enter the password expected by the server when it receives requests.
6. Complete the other fields on this page as desired; refer to the online help for additional information.
7. Click Apply.

The first TACACS+ server configured will act as the primary server and the ACOS device will attempt to use
this server first for authentication. You can configure additional TACACS+ servers as needed, if you want to
have any backup servers.

Configuring an LDAP Server

To configure an LDAP server:

1. Navigate to System / Authentication / LDAP / Edit.
2. Click LDAP Server 1 to designate an LDAP server and enter settings.
3. Enter the hostname or IP address of the server in the Server field.
4. In the Type field, indicate whether the specified server is an IPv4 or IPv6 address, or a name.
5. Specify the LDAP common name and distinguished name.
6. Complete the other fields on this page as desired; refer to the online help for additional information.
7. Click Apply.

The first LDAP server configured will act as the primary server and the ACOS device will attempt to use this
server first for authentication. You can configure additional LDAP servers as needed, if you want to have any
backup servers.

For more information on LDAP servers, refer to “Lightweight Directory Access Protocol” on page 59.

Configuring Remote Authentication by Using the CLI


You can configure remote authentication by using the CLI. For examples, see “Remote AAA CLI Examples” on
page 39.

Additional TACACS+ Authentication Options

This section describes additional TACACS+ AAA options.

Password Self-Service
ACOS supports TACACS+ TAC_PLUS_AUTHEN_CHPASS (password change) messages. When this option is
enabled on the TACACS+ server, the server sends a TACACS+ TAC_PLUS_AUTHEN_CHPASS message in
response to an authentication request from the ACOS device. The ACOS device prompts the administrator for
the current and new passwords and sends the password change to the TACACS+ server. The ACOS device
then grants access to the administrator.

Password self-service is enabled by default and cannot be disabled and is activated only when the TACACS+
server sends a password change message.

NOTE: The current release supports TAC_PLUS_AUTHEN_CHPASS messages only for login to the CLI.

Configuring Access to the Privileged EXEC Level in the CLI


You can enable TACACS+-authenticated administrators to log in at the Privileged EXEC level of the CLI
instead of at the User EXEC level. This option is disabled by default, and you can enable it on a global basis.


Configuring Access to the Privileged EXEC Level by Using the GUI

To enable direct access to the Privileged EXEC level of the CLI for TACACS+-authenticated administrators by using the GUI:

1. Navigate to System / Authentication / General / Edit.


2. Select the checkbox in the Login Privilege Mode field.
3. Click Apply.

Configuring Access to the Privileged EXEC Level by Using the CLI

To enable access to the Privileged EXEC level of the CLI for TACACS+-authenticated administrators, enter the
following command at the global configuration level:

ACOS(config)# authentication login privilege-mode

Remote AAA CLI Examples


This section provides the following configuration examples for Authentication, Authorization, and Accounting
(AAA):

• RADIUS Authentication

• TACACS+ Authorization

• TACACS+ Accounting

• RADIUS Server Setup

RADIUS Authentication

The following commands configure a pair of RADIUS servers for remote authentication and configure the
ACOS device to use these servers before using the local database. Since the RADIUS server 10.10.10.12 is
added first, this server is used as the primary server. Server 10.10.10.13 is used only if the primary server is
unavailable.

The following text is an example of configuring RADIUS authentication:

ACOS(config)# radius-server host 10.10.10.12 secret radp1
ACOS(config)# radius-server host 10.10.10.13 secret radp2
ACOS(config)# authentication type radius local


TACACS+ Authorization

The following commands configure the ACOS device to use TACACS+ server 10.10.10.13 to authorize
commands at all CLI levels. In this example, the none option is not used. As a result, if TACACS+ authorization
cannot be performed, for example, due to server unavailability, the command is denied.

The following text is an example of configuring TACACS+ authorization:

ACOS(config)# tacacs-server host 10.10.10.13 secret SharedSecret
ACOS(config)# authorization commands 15 method tacplus

TACACS+ Accounting

The following commands configure the ACOS device to use the same TACACS+ server for the accounting of
log on, log off, and all command activity:

ACOS(config)# accounting exec start-stop tacplus
ACOS(config)# accounting commands 15 stop-only tacplus

RADIUS Server Setup

This example shows the ACOS commands that you can enter to complete the following tasks:

• Configure an ACOS device to use a RADIUS server

• Display the changes that you can make on the RADIUS server

The RADIUS server in this example is freeRADIUS, the IP address is 192.168.1.157, and the shared secret is
a10rad.

To implement this solution:

1. On the ACOS device, to add the RADIUS server and enable RADIUS authentication, enter the following
commands:
ACOS(config)# radius-server host 192.168.1.157 secret a10rad
ACOS(config)# authentication type local radius

2. Complete the following steps on the freeRADIUS server:


a. In the /usr/local/etc/raddb/clients.conf file, to add the ACOS device as a client, enter the following
entry:
client 192.168.1.0/24 {
    secret = a10rad
    shortname = private-network-1
}

NOTE: In this example, the ACOS device’s subnet is added as the client.

b. To add the /usr/local/share/freeradius/dictionary.a10networks dictionary file for vendor a10networks
(22610 is the vendor code), create the file with the following contents:

NOTE: After authenticating an administrator, the RADIUS server must return the
A10-Admin-Privilege attribute, with one of the values shown in the following
example.

# A10-Networks dictionary
# Created by Software Tools of A10 Networks.
#
VENDOR A10-Networks 22610

BEGIN-VENDOR A10-Networks
ATTRIBUTE A10-App-Name 1 string
ATTRIBUTE A10-Admin-Privilege 2 integer
ATTRIBUTE A10-Admin-Access-Type 4 string
ATTRIBUTE A10-Admin-Role 5 string
VALUE A10-Admin-Privilege Read-only-Admin 1
VALUE A10-Admin-Privilege Read-write-Admin 2
END-VENDOR A10-Networks

c. In the /usr/local/share/freeradius/dictionary directory, to add the file to the dictionary, enter the
following command:
$INCLUDE dictionary.a10networks #new added for a10networks

d. In the /usr/local/etc/raddb/users file, to add each ACOS admin as a user, enter the following entries:

NOTE: The following text contains examples of ACOS administrator definitions in a RADIUS users file on the
RADIUS server.

###################################
#this is a read-write user
rw Cleartext-Password := "111111"
    A10-Admin-Privilege = Read-write-Admin,

#this is a read-only user
ro Cleartext-Password := "111111"
    A10-Admin-Privilege = Read-only-Admin,

Windows IAS Setup for RADIUS


This section describes how to configure Windows Server 2003 Internet Authentication Service (IAS) with
ACOS RADIUS authentication. These steps assume that IAS and Active Directory (AD) are already installed on
the Windows 2003 server.

To configure Windows IAS for ACOS RADIUS authentication:

1. On the IAS server, create the following access groups (see “Configure Access Groups” on page 42):
• ACOS-Admin-Read-Only
• ACOS-Admin-Read-Write
2. On the IAS server, configure a RADIUS client for the ACOS device (“Configure RADIUS Client for ACOS
Device” on page 44).
3. On the IAS server, configure the following remote access policies (“Configure Remote Access Policies” on
page 45):
• ACOS-Admin-Read-Only-Policy
• ACOS-Admin-Read-Write-Policy
4. On the IAS server, add AD users to appropriate ACOS device access groups (“Add Active Directory Users
to ACOS Access Groups” on page 55).
5. Register the IAS server in AD (“Register the IAS Server in Active Directory” on page 56).
6. Configure RADIUS on the ACOS device (“Configuring RADIUS on the ACOS Device” on page 57).
7. Test the configuration by attempting to log onto the ACOS device with AD users added in step 4 (“Verify-
ing the Configuration” on page 57).

The following sections provide detailed steps for each of these tasks.

Configure Access Groups

To configure access groups, select Start > All programs > Administrator tools > Active directory user
and computers.


If AD is not installed on the IAS server, you can use the following steps to add the users and groups. However,
the rest of this section assumes that AD will be used.

1. Open the Computer Management tool by selecting Start > Programs > Administrative Tools > Com-
puter Management.
2. Open the System Tools and Local Users and Groups items, if they are not already open.
3. Right click on Group and select New Group.
4. Enter the following information for the first group:
• Group Name – AX-Admin-Read-Only
• Group Description – Read-Only Access to ACOS devices
• Members – Add the members using the Add button.

5. Click Create.
6. Enter the following information for the second group:
• Group Name – AX-Admin-Read-Write
• Group Description – Read-Write to ACOS devices
• Members – Add members as desired using the Add button
7. Click Create.


8. Click Close.

Configure RADIUS Client for ACOS Device

1. Open Internet Authentication Service by selecting Start > Programs > Administrative Tools > Internet
Authentication Service.
2. Right-click on Client and select New Client.
3. Enter the following information in the Add Client dialog box:
• Friendly name – Useful name for the ACOS device; for example, ACOS2000_slb1
• Protocol – RADIUS

NOTE: 192.168.1.238 is the IP address of the ACOS device that will use the IAS server
for external RADIUS authentication.

4. Click Next.
5. Enter the following information in the Add RADIUS Client dialog box:
• Client address – IP address or domain name for the client (ACOS device)


• Client-Vendor – RADIUS Standard


• Shared secret – Secret to be shared between IAS and ACOS. You also will need to enter this in the
RADIUS configuration on the ACOS device.
• Confirm shared secret – Same as above

NOTE: Do not select “Request must contain the Message Authenticator attribute”.
ACOS RADIUS authentication does not support this option.

6. Click Next.

Configure Remote Access Policies

To configure the remote access policies:

1. Open the Internet Authentication Service, if not already open.


2. To create the first remote access policy, right-click on Remote Access Policies, select New Remote
Access Policy, and enter the following information:
• Policy Friendly name – AX-Admin-Read-Only-Policy

3. Click Next.
4. In the Add Remote Access Policy dialog box, click Add.
5. In the Select Attribute dialog box, double-click Client Friendly Name.
6. In the Client-Friendly-Name dialog box, enter the friendly name used to define the ACOS device (for
example, AX-Admin-Read-Only-Policy) and click OK.
7. In the same Add Remote Access Policy dialog box as before, click Add again.
8. In the Select Attribute dialog box, double-click Windows-Groups.


9. In the Groups dialog box, click Add, then double-click the AX-Admin-Read-Only group. Click OK to add the
group, then click OK once more to confirm the groups.


10. In the same Add Remote Access Policy dialog box as before, click Next.


11. Select Grant remote access permission, and click Next.


12. Click Edit Profile.


13. In the Edit Dial-in Profile dialog box, select the Authentication tab. Select the type of authentication you
are using: CHAP and PAP.

14. Select the Advanced tab, and click Add.


15. In the RADIUS attributes list, find and double-click the line beginning with Vendor-Specific.


16. In the Multivalued Attribute Information dialog box, click Add and enter the following:


• Enter vendor code – 22610 (for A10 Networks)


• Conforms to RADIUS RFC – Yes

17. Click Configure Attribute, and enter the following information:


• Vendor-assigned attribute number – 2
• Attribute format – Decimal
• Attribute value – 1

NOTE: Attribute value 1 is read-only. Attribute value 2 is read-write.


18. Click OK for the Configure VSA, Vendor-Specific Attribute Information, and Multivalued Attribute
Information dialog boxes.
19. Click Close in the Add Attributes dialog box.
20. Click OK in the Edit Dial-In Profile dialog box. Optionally, read the suggested help by clicking OK.
21. Click Finish in the Add Remote Access Policy dialog box.
22. To create the second Remote Access Policy, repeat the above steps with the following changes:
• Policy Friendly name – AX-Admin-Read-Write-Policy
• Group to add – AX-Admin-Read-Write
• Attribute value – 2
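The freeRADIUS dictionary file shown in "RADIUS Server Setup" and the IAS vendor-specific attribute steps above (vendor code 22610, vendor-assigned attribute number 2, decimal value 1 or 2) describe the same thing on the wire: an RFC 2865 Vendor-Specific attribute (type 26) carrying A10-Admin-Privilege in the Access-Accept. The following Python is an added example, not code from A10 Networks, freeRADIUS or Microsoft; it parses the dictionary text (constructed from the listing on this page), encodes the attribute the way a RADIUS server must emit it, and decodes it back so that a packet capture can be checked against the expected privilege level. The helper names are this example's own, and the encoder handles only the integer sub-attribute format that A10-Admin-Privilege uses.

```python
"""Encode and decode the A10-Admin-Privilege RADIUS vendor-specific attribute.

Added example (not A10, freeRADIUS or IAS code). The dictionary text below is
constructed from the dictionary.a10networks listing in this guide.
"""
import struct

# Constructed from the dictionary.a10networks file listed on this page.
A10_DICTIONARY = """\
# A10-Networks dictionary
VENDOR A10-Networks 22610

BEGIN-VENDOR A10-Networks
ATTRIBUTE A10-App-Name 1 string
ATTRIBUTE A10-Admin-Privilege 2 integer
ATTRIBUTE A10-Admin-Access-Type 4 string
ATTRIBUTE A10-Admin-Role 5 string
VALUE A10-Admin-Privilege Read-only-Admin 1
VALUE A10-Admin-Privilege Read-write-Admin 2
END-VENDOR A10-Networks
"""

RADIUS_VENDOR_SPECIFIC = 26  # attribute type from RFC 2865 section 5.26


def parse_dictionary(text):
    """Return (vendor_id, attributes, values) from freeRADIUS dictionary syntax.

    attributes maps name -> (number, type); values maps attribute name -> {label: int}.
    """
    vendor_id, attributes, values = None, {}, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if parts[0] == "VENDOR":
            vendor_id = int(parts[2])
        elif parts[0] == "ATTRIBUTE":
            attributes[parts[1]] = (int(parts[2]), parts[3])
        elif parts[0] == "VALUE":
            values.setdefault(parts[1], {})[parts[2]] = int(parts[3])
    if vendor_id is None:
        raise ValueError("dictionary has no VENDOR line")
    return vendor_id, attributes, values


def encode_vsa(vendor_id, vendor_type, value):
    """Build one Vendor-Specific AVP carrying a 32-bit integer sub-attribute.

    Layout: type=26, length, vendor-id (4 bytes), then vendor-type,
    vendor-length (6 for an integer) and the big-endian value.
    """
    inner = struct.pack("!BBI", vendor_type, 6, value)
    return struct.pack("!BBI", RADIUS_VENDOR_SPECIFIC, 6 + len(inner), vendor_id) + inner


def decode_vsa(avp):
    """Inverse of encode_vsa; returns (vendor_id, vendor_type, value)."""
    if len(avp) < 12 or avp[0] != RADIUS_VENDOR_SPECIFIC or avp[1] != len(avp):
        raise ValueError("not a well-formed Vendor-Specific attribute")
    vendor_id = struct.unpack("!I", avp[2:6])[0]
    vendor_type, vendor_len = avp[6], avp[7]
    if vendor_len != 6 or vendor_len != len(avp) - 6:
        raise ValueError("unexpected vendor sub-attribute length")
    return vendor_id, vendor_type, struct.unpack("!I", avp[8:12])[0]


def admin_privilege_avp(label, dictionary_text=A10_DICTIONARY):
    """Encode A10-Admin-Privilege for a label such as 'Read-write-Admin'."""
    vendor_id, attrs, values = parse_dictionary(dictionary_text)
    number, kind = attrs["A10-Admin-Privilege"]
    if kind != "integer":
        raise ValueError("A10-Admin-Privilege must be an integer attribute")
    return encode_vsa(vendor_id, number, values["A10-Admin-Privilege"][label])


def privilege_from_avp(avp, dictionary_text=A10_DICTIONARY):
    """Map a received VSA back to its privilege label; None if it is another vendor's."""
    vendor_id, attrs, values = parse_dictionary(dictionary_text)
    vid, vtype, value = decode_vsa(avp)
    if vid != vendor_id or vtype != attrs["A10-Admin-Privilege"][0]:
        return None
    by_number = {v: k for k, v in values["A10-Admin-Privilege"].items()}
    return by_number.get(value)


if __name__ == "__main__":
    avp = admin_privilege_avp("Read-write-Admin")
    print(avp.hex(), privilege_from_avp(avp))
```

The decoded vendor id 22610 and sub-attribute number 2 are exactly the values the IAS dialog asks for, which makes the encoder a convenient reference when comparing a server's Access-Accept against the expected read-only (1) or read-write (2) level.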


Add Active Directory Users to ACOS Access Groups

To add Active Directory users to the ACOS access groups:

1. In the Active Directory management console, add the ACOS access group to the user, tester1:


2. Make sure Remote Access Permission is enabled:

Register the IAS Server in Active Directory

The IAS RADIUS server must be registered with AD. Otherwise, RADIUS will use compatibility mode instead of
AD to authenticate users.

1. Open the IAS main window.


2. Click Action on the menu bar, and click “register server on active directory”.


Configuring RADIUS on the ACOS Device

To add the RADIUS server (IAS server) to the ACOS device, enter the following commands:

ACOS(config)# radius-server host 192.168.230.10 secret shared-secret
ACOS(config)# authentication type local radius

NOTE: Ensure that the shared secret is the same as the value that you specified for the
RADIUS client that you configured for the ACOS device on the IAS server.

In this example, 192.168.230.10 is the IP address of w2003-10.com, and shared-secret is the secret that you
entered in step 5 in “Configure RADIUS Client for ACOS Device” on page 44.

Verifying the Configuration

To verify the configuration:

1. Log in to the ACOS CLI.


2. At the command prompt, enter the username in the following format:
user-name@AD-domain-name
For example, you might enter [email protected].
3. Enter the password.
4. Press Enter.


LIGHTWEIGHT DIRECTORY ACCESS PROTOCOL

This chapter describes how an ACOS device can use Lightweight Directory Access Protocol (LDAP), an AAA
protocol, to authenticate administrators and authorize management access based on the account
information on external LDAP servers.

Either OpenLDAP or Microsoft Active Directory (AD) can be used as the LDAP server.

This chapter contains the following topics:

• Configuring LDAP for ACOS Administrators

• Configuring an LDAP Server

• Configuring an OpenLDAP Server

• Configuring Microsoft Active Directory

Configuring LDAP for ACOS Administrators


To configure LDAP authentication and authorization for ACOS administrators:

1. To enable LDAP authentication, enter the following command:
ACOS(config)# authentication type ldap local

2. To add the LDAP server(s) to the ACOS configuration, enter the ldap-server host command. For example:
ACOS(config)# ldap-server host 192.168.4.0 cn cn dn example-dn-string port 638 ssl timeout 5

The following list provides additional information on the options:


• If you do not use SSL, the default port is 389. If you use SSL, the default port is 636.
• The default timeout value is 3.
3. Prepare the LDAP server.
For more information, see one of the following sections:
• Configuring an OpenLDAP Server
• Configuring Microsoft Active Directory


4. Test the configuration by using an ACOS administrator account to log in to the LDAP server.

Configuring an LDAP Server


You can configure an LDAP server by using the GUI or the CLI.

Configuring an LDAP Server by Using the GUI

To configure an LDAP server on the ACOS device:

1. Navigate to the System / Authentication / General / Edit page.


2. Click the LDAP Server tab.
3. Specify the name or IP address of the server.
4. Specify the common and distinguished names.
5. Modify any other fields on this page as needed. For more information, refer to the online help.
6. Click Apply.

Configuring an LDAP Server by Using the CLI

To enable LDAP authentication, enter the following command at the global configuration level of the CLI:

ACOS(config)# authentication type ldap

• To use backup methods, specify the methods in the order in which you want to use them. For more
information, see “Multiple Authentication Methods” on page 23 and “Tiered Authentication” on page 24.
For example:
ACOS(config)# authentication type ldap local radius tacplus

• To configure an LDAP server on the ACOS device, use the ldap-server host command at the global
configuration level of the CLI:
ACOS(config)# ldap-server host 192.168.101.24 cn UserName dn cn=UserName,dc=UserAccount,dc=example,dc=com

Do not use quotation marks for the dn option. For example, the following DN string syntax is valid:


cn=xxx3,dc=mACOScrc,dc=com

The following string is not valid:


“cn=xxx3,dc=mACOScrc,dc=com”

Spaces are not allowed in the dn specification.


• To configure the ACOS device and provide LDAP AAA for UserAccUser1, enter a command like the following:
ACOS(config)# ldap-server host ldapserver.ad.example.edu cn ExampleUser dn ou=StaffElevatedAccounts,ou=ServiceAccounts,dc=ad,dc=example,dc=edu

To use nested OUs, specify the nested OU first, then the root. For example, a user account could be
nested in the following way:
Root OU= Service Accounts -> OU=StaffElevatedAccounts -> UserAccUser1

For more information about these commands, see “ldap-server” in the System Configuration and
Administration Guide.
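The rules in this section (no quotation marks and no spaces in the dn value, default port 389 or 636 with ssl, default timeout 3, nested OUs written leaf-first) are easy to get wrong when assembling the ldap-server host command by hand. The following Python is an added example rather than ACOS code: it checks a DN against those rules, builds a leaf-first DN from a root-to-leaf OU path, and assembles the command while reporting the effective port and timeout. It assumes every RDN has the form attribute=value, so the placeholder example-dn-string used earlier in this chapter would be rejected; the function names are this example's own.

```python
"""Check ACOS ldap-server arguments before they are entered in the CLI.

Added example, not ACOS code. Rules applied are the ones this guide states:
no quotes and no spaces in dn, port 389 (636 with ssl) by default, timeout 3
by default, and nested OUs written with the most specific OU first.
"""
LDAP_PORT, LDAPS_PORT, DEFAULT_TIMEOUT = 389, 636, 3


def parse_dn(dn):
    """Split a DN into (attribute, value) pairs, enforcing the guide's rules.

    Raises ValueError on quotes, spaces, empty RDNs, or RDNs without '='.
    """
    if '"' in dn or "\u201c" in dn or "\u201d" in dn:
        raise ValueError("dn must not be quoted")
    if " " in dn:
        raise ValueError("spaces are not allowed in dn")
    rdns = []
    for rdn in dn.split(","):
        if "=" not in rdn:
            raise ValueError(f"RDN without '=': {rdn!r}")
        attr, value = rdn.split("=", 1)
        if not attr or not value:
            raise ValueError(f"empty attribute or value in {rdn!r}")
        rdns.append((attr.lower(), value))
    return rdns


def nested_ou_dn(root_to_leaf_ous, base_dn):
    """Build the dn for an account nested in OUs, given OUs from root to leaf.

    ACOS wants the nested OU first, then the root, so the path is reversed.
    """
    leaf_first = ["ou=" + ou for ou in reversed(root_to_leaf_ous)]
    dn = ",".join(leaf_first + [base_dn])
    parse_dn(dn)  # fail early if an OU name contains a space or a quote
    return dn


def ldap_server_command(host, cn, dn, ssl=False, port=None, timeout=None):
    """Return (command line, effective port, effective timeout)."""
    if not host or " " in host:
        raise ValueError("host must be an IP address or a hostname")
    parse_dn(dn)
    effective_port = port if port is not None else (LDAPS_PORT if ssl else LDAP_PORT)
    effective_timeout = timeout if timeout is not None else DEFAULT_TIMEOUT
    cmd = f"ldap-server host {host} cn {cn} dn {dn}"
    if port is not None:
        cmd += f" port {port}"
    if ssl:
        cmd += " ssl"
    if timeout is not None:
        cmd += f" timeout {timeout}"
    return cmd, effective_port, effective_timeout


if __name__ == "__main__":
    print(nested_ou_dn(["ServiceAccounts", "StaffElevatedAccounts"],
                       "dc=ad,dc=example,dc=edu"))
    print(ldap_server_command("192.168.4.0", "cn", "dc=example,dc=com",
                              ssl=True, port=638, timeout=5))
```

Running the script prints the leaf-first DN from the example above and the ldap-server command with its non-default port and timeout; passing a quoted or space-containing DN raises before anything is pasted into the device.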

Configuring an OpenLDAP Server


When an administrator logs in to the ACOS device via LDAP, the ACOS device sends LDAP packets to the LDAP server
(for example, OpenLDAP or Windows AD). OpenLDAP can be installed on Windows or Linux.

To configure an OpenLDAP server and provide authentication and authorization for ACOS administrators:

1. Add the A10 schema file by copying the file and pasting it in the following location:
openldap_install_directory\schema

For example, on your server, the location might be C:\Program Files\OpenLDAP\schema.


For more information, see “A10 Schema File for OpenLDAP” on page 61.
2. Add the administrator accounts.
For more information, see “A10 Administrator Account Files for LDAP” on page 63.
3. Restart the LDAP service.

A10 Schema File for OpenLDAP

The following text is an example of the schema file that is required on the OpenLDAP server to provide
authentication and authorization to ACOS administrators:


# All A10 LDAP OIDs are placed under 1.3.6.1.4.1.22610.300.
# All attributetype OIDs start from 1.3.6.1.4.1.22610.300.1.
# All objectclass OIDs start from 1.3.6.1.4.1.22610.300.2.

attributetype ( 1.3.6.1.4.1.22610.300.1.1
    NAME 'A10AdminRole'
    DESC 'admin Role'
    syntax 1.3.6.1.4.1.1466.115.121.1.15
    SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.22610.300.1.2
    NAME 'A10AdminPartition'
    DESC 'admin Partition'
    EQUALITY caseIgnoreMatch
    SUBSTR caseIgnoreSubstringsMatch
    syntax 1.3.6.1.4.1.1466.115.121.1.15 )

attributetype ( 1.3.6.1.4.1.22610.300.1.3
    NAME 'A10AccessType'
    DESC 'admin Access Type'
    syntax 1.3.6.1.4.1.1466.115.121.1.15
    SINGLE-VALUE )

objectclass ( 1.3.6.1.4.1.22610.300.2.1
    NAME 'A10Admin' SUP top AUXILIARY
    DESC 'A10 Admin object class '
    MAY ( A10AdminRole $ A10AdminPartition $ A10AccessType ) )

The LDAP schema file for ACOS administrator authentication and authorization contains the following items:

• A10Admin – This is the object class for A10 Networks, and can contain one or more of the following
attribute types. You can specify the values to assign to these attributes in the definition file for the
administrator. (See “A10 Administrator Account Files for LDAP” on page 63.)
• A10AdminRole – This attribute type specifies the administrator’s role, which defines the scope of read-
write operations the administrator is allowed to perform on the ACOS device. The ACOS device has the
following predefined roles:
• ReadOnlyAdmin
• ReadWriteAdmin
• PartitionSlbServiceOperator
• PartitionReadOnly
• PartitionReadWrite


To specify one of these roles in the definition file for the administrator account, use the role name as the
attribute value. For example:
A10AdminRole: ReadWriteAdmin

If you do not use this attribute in the definition file for the administrator account, the ReadOnlyAdmin role
is assigned to the administrator.
• A10AdminPartition – This attribute type specifies the ACOS partition the administrator is authorized to
log onto.
• For the shared partition, enter “shared”. For example:
A10AdminPartition: shared

• For an L3V partition, enter the partition name. For example:


A10AdminPartition: privpart1

If you do not use this attribute in the definition file for the administrator account, the administrator is
allowed to log into the shared partition.
• A10AccessType – This attribute type specifies the user interface(s) the administrator is authorized to use.
You can specify one or more of the following:
• cli – CLI
• web – GUI
• axapi – aXAPI
If you do not use this attribute in the definition file for the administrator account, the administrator is allowed to
log in through any of these interfaces.

A10 Administrator Account Files for LDAP

Administrator accounts managed by an LDAP server are stored in files on the server.

The following text is an example of how to create an LDAP user:

dn: cn=user1,dc=my-domain,dc=com
cn: user1
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: A10Admin
userPassword: 123456
sn: sn
ou: guest
A10AdminRole: ReadWriteAdmin

This file configures admin “user1”. The objectClass value A10Admin and the A10AdminRole attribute are specific
to A10 Networks and are defined in the schema file, which also must be added to the LDAP server.
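To see what ACOS would grant for an entry like the one above, the following Python is an added example (not A10 code) that parses a one-entry LDIF (constructed from the listing above), checks for the A10Admin object class, and applies the defaults stated in the schema description: ReadOnlyAdmin when A10AdminRole is absent, the shared partition when A10AdminPartition is absent, and all of cli, web and axapi when A10AccessType is absent. The same attributes and defaults are restated for Active Directory later in this chapter, and the login_allowed check models the decision behind the failed CLI login shown there when the access type is limited to web and aXAPI. Splitting a multi-word A10AccessType value on spaces or commas is this example's assumption; attribute and role names come from the page.

```python
"""Derive the ACOS authorization an LDAP entry grants, using the guide's defaults.

Added example, not A10 code. The LDIF below is constructed from the user1
entry shown in this guide.
"""
PREDEFINED_ROLES = {
    "ReadOnlyAdmin", "ReadWriteAdmin", "PartitionSlbServiceOperator",
    "PartitionReadOnly", "PartitionReadWrite",
}
ALL_INTERFACES = ("cli", "web", "axapi")

# Constructed LDIF entry: the role is set, partition and access type are left
# to their defaults.
SAMPLE_LDIF = """\
dn: cn=user1,dc=my-domain,dc=com
cn: user1
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: A10Admin
userPassword: 123456
sn: sn
ou: guest
A10AdminRole: ReadWriteAdmin
"""


def parse_ldif(text):
    """Parse one LDIF entry into {attribute_lowercase: [values]} (multi-valued)."""
    entry = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError(f"malformed LDIF line: {line!r}")
        attr, value = line.split(":", 1)
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry


def effective_authorization(entry):
    """Return (role, partition, interfaces) ACOS would apply to this entry."""
    classes = {c.lower() for c in entry.get("objectclass", [])}
    if "a10admin" not in classes:
        raise ValueError("entry lacks objectClass A10Admin")
    role = entry.get("a10adminrole", ["ReadOnlyAdmin"])[0]
    if role not in PREDEFINED_ROLES:
        raise ValueError(f"unknown A10AdminRole {role!r}")
    partition = entry.get("a10adminpartition", ["shared"])[0]
    raw_access = entry.get("a10accesstype")
    if raw_access is None:
        interfaces = ALL_INTERFACES
    else:
        # Assumption: values may be listed one per line or separated by
        # spaces/commas inside one value.
        interfaces = tuple(tok.lower() for v in raw_access
                           for tok in v.replace(",", " ").split())
    unknown = set(interfaces) - set(ALL_INTERFACES)
    if unknown:
        raise ValueError(f"unknown A10AccessType value(s): {sorted(unknown)}")
    return role, partition, interfaces


def login_allowed(entry, interface):
    """True if an admin described by entry may log in on 'cli', 'web' or 'axapi'."""
    return interface.lower() in effective_authorization(entry)[2]


if __name__ == "__main__":
    entry = parse_ldif(SAMPLE_LDIF)
    print(effective_authorization(entry))
    restricted = parse_ldif(SAMPLE_LDIF + "A10AccessType: web\nA10AccessType: axapi\n")
    print("cli login allowed:", login_allowed(restricted, "cli"))
```

Rejecting an entry that lacks the A10Admin object class is deliberate: without it the A10 attributes are not part of the entry's schema, so a server would either refuse the add or silently leave the admin at the defaults.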

Configuring Microsoft Active Directory


You can configure Microsoft Active Directory for LDAP authentication and authorization of ACOS
administrators. When the user logs into the ACOS device, the device sends the user name and password to
Active Directory to validate the credentials.

NOTE: The information in this section is based on Windows Server 2008.

Summary:

1. Install Active Directory on your Windows server.


For more information, see http://technet.microsoft.com/en-us/library/jj574166.aspx.
2. Configure the administrator accounts.
For more information, see “Configure ACOS Administrator Accounts” on page 64.
3. Add a user name and password to Active Directory.
For more information, see http://technet.microsoft.com/en-us/library/dd894463(v=WS.10).aspx.
4. (Optional) Add the A10 LDAP attribute types to the server. See “Adding A10 LDAP Attribute Types” on
page 70.

NOTE: If you plan to use the default settings for all the A10 attributes, you can skip this
step.

Configure ACOS Administrator Accounts

This section describes how to configure an administrator account.

• Creating a Read-Only Administrator

• Testing the Read-Only Administrator Account

• Configuring a Read-Write Administrator

• Testing the Read-Write Administrator Account


Creating a Read-Only Administrator


To create an administrator with the ReadOnlyAdmin role:

1. Go to Active Directory Users and Computers.


2. Click File > New.
3. Complete the following steps in the New Object - User window:
a. Enter a first name.
b. Enter a last name.
c. Enter a full name.
d. Enter a user logon name.
e. Select the domain.
f. If applicable, enter the pre-Windows 2000 logon name.
g. Click Next.
4. Select User Account in the left pane to see the user that you just created displayed in the right pane.


FIGURE 3 : Creating a Read-Only Administrator

Testing the Read-Only Administrator Account


Here is the LDAP server configuration on the ACOS device:

ldap-server host 192.168.101.24 cn cn dn ou=UserAccount,dc=example,dc=com
!
authentication type ldap
!

Here is an example of the session login by the read-only admin. Access to the configuration level by this
admin is not allowed.

[root@Linux-PC-148 ~]#ssh -l test 192.168.100.46
Password:
Last login: Thu Jun 21 13:05:51 2012 from 192.168.100.148

ACOS system is ready now.

[type ? for help]

ACOS>
ACOS>enable
Password: <blank>
ACOS#show admin session
Id User Name Start Time Source IP Type Partition Authen Role Cfg
------------------------------------------------------------------------------------------
*99 test 13:08:10 CST Thu Jun 21 2012 192.168.100.148 CLI Ldap ReadOnlyAdmin No
ACOS#config
^
% Unrecognized command.Invalid input detected at '^' marker.

ACOS#

Configuring a Read-Write Administrator


In this example, the ou attribute is set to operator.

To configure a read-write administrator with a ReadWriteAdmin role:

1. Go to Active Directory Users and Computers.


2. Right-click User Account, and in the right pane, select a user name.
3. Right-click on the user name and select Properties.
4. On the Attribute Editor tab, click ou, and click Edit.
5. In the Multi-value String Editor, in Value to add, enter Operator.
6. Click OK.


FIGURE 4 : Multi-valued String Editor

Testing the Read-Write Administrator Account


Here is the LDAP server configuration on the ACOS device:

ldap-server host 192.168.101.24 cn cn dn ou=UserAccount,dc=example,dc=com
!
authentication type ldap
!

Here is an example of the session login by the read-write administrator:

NOTE: This administrator is allowed to access the configuration level.

[root@Linux-PC-148 ~]#ssh -l test 192.168.100.46
Password:
Last login: Thu Jun 21 13:08:10 2012 from 192.168.100.148

ACOS system is ready now.

[type ? for help]

ACOS>enable
Password: <blank>
ACOS#show admin session
Id User Name Start Time Source IP Type Partition Authen Role Cfg
------------------------------------------------------------------------------------------
*101 test 13:22:16 CST Thu Jun 21 2012 192.168.100.148 CLI Ldap ReadWriteAdmin No
ACOS# config
ACOS(config)#

A10 LDAP Object Class and Attribute Types

You can add A10 LDAP attribute types to the server.

NOTE: If you plan to use the default settings for all the A10 attributes, you can skip the
rest of this section.

CAUTION: Please add the attributes carefully. Once they are added, they cannot be
changed or deleted.

The LDAP object class for A10 Networks is A10Admin, and can contain one or more of the following attribute
types. You can specify the values to assign to these attributes in the definition file for the admin.

• A10AdminRole

This attribute type specifies the administrator’s role, which defines the scope of read-write operations
that the administrator is allowed to perform on the ACOS device.
The following predefined roles are included on the ACOS device:
• ReadOnlyAdmin
• ReadWriteAdmin
• PartitionReadWrite
• PartitionSlbServiceOperator
• PartitionReadOnly


Adding A10 LDAP Attribute Types


To specify one of these roles in the definition file for the administrator account, enter the role name as
the attribute value.
For example, A10AdminRole: ReadWriteAdmin
If you do not use this attribute in the definition file for the administrator account, the ReadOnlyAdmin role
is assigned to the administrator.
• A10AdminPartition specifies the ACOS partition that the administrator is authorized to access.

• For the shared partition, enter “shared”.


For example, A10AdminPartition: shared
• For an L3V partition, enter the partition name.
For example, A10AdminPartition: privpart1
If you do not use this attribute in the definition file for the administrator account, the administrator can
log in to the shared partition.
• A10AccessType specifies the user interface(s) that the administrator is authorized to use.

You can specify one or more of the following interfaces:


• cli
• web
• axapi
If you do not use this attribute in the definition file for the administrator account, the administrator can
log in through any of these interfaces.

Adding the Attribute Type by Using the GUI

In Windows, to add the attribute type:

1. Click Start > All Programs > Accessories > Run.


2. To start Microsoft Management Console, enter mmc.
3. In the console, click File > Add/Remove Snap-In.
4. In Add or Remove Snap-ins, select Active Directory Schema in the left pane and click Add.
5. Click OK.
6. In the Console, right-click the Attributes folder, and click New > Attribute.


FIGURE 5 : Attribute Add Schema

7. In Create New Attribute, complete the fields, and click OK.

FIGURE 6 : Creating a New Attribute


8. In Console, right-click Classes, and click New > Class.


9. Enter the appropriate information in the Identification and Inheritance and Type sections and click
Next.

FIGURE 7 : Creating a New Class


10. Enter the appropriate information in the Mandatory and Optional sections and click Finish.


Adding “a10Admin” to the object Class


Figure 8 and Figure 9 show how to edit the objectClass attribute of the administrator account test and add
a10Admin to it. After this, all the A10 attributes can be added to administrator test.

FIGURE 8 : Adding admin test to the objectClass


FIGURE 9 : Editing the Values

Restarting the LDAP Process


To place the LDAP changes into effect, restart the LDAP process on the server. To access the process
controls, under Administrative Tools, select Services.


FIGURE 10 : Restarting the LDAP Process - step 1


FIGURE 11 : Restarting the LDAP Process - step 2

Changing the Administrator Role (A10AdminRole)

Figure 12 and Figure 13 set the administrator role for administrator test to ReadWriteAdmin.


FIGURE 12 : Changing the Administrator Role


FIGURE 13 : Clearing the ou Attribute

Login Example
Here is a login example for an administrator:

[root@Linux-PC-148 ~]# ssh -l test 192.168.100.46
Password:
Last login: Thu Jun 21 13:22:16 2014 from 192.168.100.148

ACOS system is ready now.

[type ? for help]

ACOS> enable
Password: <blank>
ACOS#
ACOS# show admin session
Id User Name Start Time Source IP Type Partition Authen Role Cfg
------------------------------------------------------------------------------------------
*106 test 14:15:13 CST Thu Jun 21 2014 192.168.100.148 CLI Ldap ReadWriteAdmin No
ACOS#
ACOS#config
ACOS(config)#

Changing the Access Type (A10AccessType)

Figure 14 sets the access type for the administrator to web (GUI) and aXAPI. This configuration prohibits the
administrator from logging in through the CLI.


FIGURE 14 : Changing the Access Type

Login Example
The example below shows what happens if the admin tries to log in through the CLI:

[root@Linux-PC-148 ~]# ssh -l test1 192.168.100.46
Password:***
Password:***

The CLI login fails. To see why, log in as admin/a10 and check the log:

ACOS2500-1# show log
Log Buffer: 30000
Jun 21 2012 14:30:42 Error [SYSTEM]:The user, test1, from the remote host, 192.168.100.148, failed in the CLI authentication.
Jun 21 2012 14:30:42 Warning [SYSTEM]:Ldap authentication failed(user: test1): The user access interface is not authenticated.
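As an added example (not A10 code and not part of this guide), the Python script below triages the two system log messages shown above: it pairs each CLI authentication failure with the LDAP reason logged for the same user in the same second, separates failures caused by the access type restriction from any other failure, and counts failures per source host and user. The sample log lines are constructed from the two messages in this section; the third failure line and the second source address are assumptions added only to show the grouping.

```python
"""Triage ACOS system-log lines for CLI authentication failures.

Added example, not A10 code. The two message shapes are the ones shown in the
guide; the sample lines are constructed from them.
"""
import re
from collections import defaultdict

# Timestamp prefix used by both messages: "Jun 21 2012 14:30:42"
_TS = r"(?P<ts>[A-Z][a-z]{2} \d{2} \d{4} \d{2}:\d{2}:\d{2})"

# "... Error [SYSTEM]:The user, <user>, from the remote host, <host>, failed in the CLI authentication."
_CLI_FAIL = re.compile(
    _TS + r" Error \[SYSTEM\]:The user, (?P<user>[^,]+), from the remote host, "
    r"(?P<host>[^,]+), failed in the (?P<iface>\w+) authentication\.$"
)

# "... Warning [SYSTEM]:Ldap authentication failed(user: <user>): <reason>"
_LDAP_FAIL = re.compile(
    _TS + r" Warning \[SYSTEM\]:Ldap authentication failed\(user: (?P<user>[^)]+)\): (?P<reason>.+)$"
)

# Reason text the guide shows when A10AccessType excludes the CLI.
ACCESS_TYPE_REASON = "The user access interface is not authenticated."

# Constructed sample: the two lines from the guide, repeated once, plus one
# assumed failure from another host that has no LDAP reason line.
SAMPLE_SYSLOG = """\
Jun 21 2012 14:30:42 Error [SYSTEM]:The user, test1, from the remote host, 192.168.100.148, failed in the CLI authentication.
Jun 21 2012 14:30:42 Warning [SYSTEM]:Ldap authentication failed(user: test1): The user access interface is not authenticated.
Jun 21 2012 14:30:50 Error [SYSTEM]:The user, test1, from the remote host, 192.168.100.148, failed in the CLI authentication.
Jun 21 2012 14:30:50 Warning [SYSTEM]:Ldap authentication failed(user: test1): The user access interface is not authenticated.
Jun 21 2012 14:31:05 Error [SYSTEM]:The user, test1, from the remote host, 192.168.100.150, failed in the CLI authentication.
"""


def parse_failures(text):
    """Return one dict per CLI-auth failure, each carrying the LDAP reason (if any)
    logged for the same user with the same timestamp."""
    reasons = {}  # (timestamp, user) -> reason
    failures = []
    for line in text.splitlines():
        m = _LDAP_FAIL.match(line)
        if m:
            reasons[(m["ts"], m["user"])] = m["reason"]
            continue
        m = _CLI_FAIL.match(line)
        if m:
            failures.append(m.groupdict())
    # Second pass: the Warning line follows the Error line in the log, so
    # reasons are only resolved once every line has been read.
    for f in failures:
        f["reason"] = reasons.get((f["ts"], f["user"]), "")
    return failures


def classify(failures):
    """Split failures into those explained by the access-type restriction
    (expected when A10AccessType omits the CLI) and everything else."""
    out = {"access_type_denied": [], "other": []}
    for f in failures:
        key = "access_type_denied" if f["reason"] == ACCESS_TYPE_REASON else "other"
        out[key].append(f)
    return out


def failures_by_source(failures):
    """Count failures per (source host, user), the first thing to look at when
    the same account keeps failing from an unexpected address."""
    counts = defaultdict(int)
    for f in failures:
        counts[(f["host"], f["user"])] += 1
    return dict(counts)


if __name__ == "__main__":
    fails = parse_failures(SAMPLE_SYSLOG)
    buckets = classify(fails)
    print("access-type denials:", len(buckets["access_type_denied"]))
    print("other failures:     ", len(buckets["other"]))
    for (host, user), n in sorted(failures_by_source(fails).items()):
        print(f"{host:<16} {user:<8} {n} failure(s)")
```

Run it against the output of `show log` saved to a file; failures that carry the access-type reason are the restriction working as designed, while the remaining ones are the entries worth following up.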


COMMAND AUDITING

This chapter describes how to enable and configure command auditing on your ACOS device.

The following topics are covered:

• Command Auditing Overview

• Enable and Configure Command Auditing

• Audit Log Examples

Command Auditing Overview


You can enable command auditing to log the commands entered by ACOS administrators. Command auditing
logs the following types of system management events:

• Administrator logins and logouts for CLI, GUI, and aXAPI sessions

• Unsuccessful administrator login attempts

• Configuration changes. All attempts to change the configuration are logged, even if they are unsuccessful.

• CLI commands at the Privileged EXEC level (if audit logging is enabled for this level)

The audit log is maintained in a separate file, apart from the system log. The audit log messages displayed for
an admin depend upon the administrator’s privilege level. Administrators with Root, Read Write, or Read Only
privileges who view the audit log can view all messages, for all system partitions.

Administrators who have privileges only within a specific partition can view only the audit log messages
related to management of that partition.

NOTE: Backups of the system log include the audit log.


Enable and Configure Command Auditing


Command auditing is enabled by default. To alter this configuration, you can:

• Use the GUI to Configure Command Auditing

• Use the CLI to Configure Command Auditing

Use the GUI to Configure Command Auditing

To enable command auditing using the GUI:

1. Navigate to System / Settings / Logging / Update.

2. Click the Audit Log tab at the bottom of the page.

3. In the “Audit log host” field, specify the IPv4 or IPv6 address of the audit logging host.

4. Click Apply.

Use the CLI to Configure Command Auditing

To enable command auditing from the CLI, use the audit enable command at the global configuration level.
This command logs configuration commands only.

ACOS(config)# audit enable

To log both configuration and Privileged EXEC commands, use the following command:

ACOS(config)# audit enable privilege

The following command sets the audit log buffer size to 30,000 entries. When the log is full, the oldest entries
are removed to make room for new entries. The default is 20,000 entries.

ACOS(config)# audit size 30000

Use the following command to disable command auditing:

ACOS(config)# no audit enable

To show audit log entries, use the show audit command:


ACOS(config)# show audit

Audit Log Examples


The following audit log indicates a change to the image to use for booting, performed using the CLI:

Jul 06 2010 23:27:25 admin cli: bootimage hd sec

The following audit logs indicate configuration and operational actions related to virtual server “vip1”
performed using the GUI:

Jun 08 2014 09:06:04 [12] web: [admin] add virtual server [name:vip1, ip:1.1.1.1, vport1:8001(TCP).] successfully.
Jun 08 2014 09:06:05 [12] web: [admin] edit virtual server [name:vip1, ip:1.1.1.1, vport1:8001(TCP).] successfully.
Jun 08 2014 09:06:06 [12] web: [admin] disable virtual server [vip1] successfully.
Jun 08 2014 09:06:06 [12] web: [admin] enable virtual server [vip1] successfully.
Jun 08 2014 09:06:07 [12] web: [admin] delete virtual server [vip1] successfully.

The following audit logs indicate configuration actions related to virtual server “vip1” performed using the
aXAPI:

Jun 08 2014 09:06:13 [12] aXAPI: [admin] add virtual server [name:vip1, ip:1.1.1.1, vport1:8001(TCP).] successfully.
Jun 08 2014 09:06:14 [12] aXAPI: [admin] edit virtual server [name:vip1, ip:1.1.1.1, vport1:8001(TCP).] successfully.
Jun 08 2014 09:06:15 [12] aXAPI: [admin] delete virtual server [vip1] successfully.
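As an added example (not part of the guide and not ACOS code), the Python script below parses the two audit log line shapes shown in this section: the older "<time> <admin> cli: <command>" shape and the "<time> [<session>] <interface>: [<admin>] <action> ... successfully." shape used for GUI and aXAPI entries. It then counts actions per management interface and lists the destructive ones. The sample entries are constructed from the lines above; treating a message that ends in "successfully." as a success and its first word as the action verb are assumptions, since the guide shows no failed entry.

```python
"""Parse ACOS audit-log lines and summarise who did what over which interface.

Added example, not A10 code. The two line shapes are the ones shown in the
guide; the sample entries are constructed from them.
"""
import re
from collections import Counter
from datetime import datetime

# Timestamp prefix shared by both shapes: "Jun 08 2014 09:06:04"
_TS = r"(?P<ts>[A-Z][a-z]{2} \d{2} \d{4} \d{2}:\d{2}:\d{2})"

# GUI / aXAPI shape: "<ts> [<session id>] <interface>: [<admin>] <action ...> successfully."
_SESSION_LINE = re.compile(
    _TS + r" \[(?P<sid>\d+)\] (?P<iface>\w+): \[(?P<user>[^\]]+)\] (?P<msg>.+)$"
)

# Older CLI shape: "<ts> <admin> cli: <command>"
_CLI_LINE = re.compile(_TS + r" (?P<user>\S+) (?P<iface>\w+): (?P<msg>.+)$")

# Constructed sample: a subset of the entries shown in the guide.
SAMPLE_AUDIT_LOG = """\
Jul 06 2010 23:27:25 admin cli: bootimage hd sec
Jun 08 2014 09:06:04 [12] web: [admin] add virtual server [name:vip1, ip:1.1.1.1, vport1:8001(TCP).] successfully.
Jun 08 2014 09:06:06 [12] web: [admin] disable virtual server [vip1] successfully.
Jun 08 2014 09:06:07 [12] web: [admin] delete virtual server [vip1] successfully.
Jun 08 2014 09:06:13 [12] aXAPI: [admin] add virtual server [name:vip1, ip:1.1.1.1, vport1:8001(TCP).] successfully.
Jun 08 2014 09:06:15 [12] aXAPI: [admin] delete virtual server [vip1] successfully.
"""


def parse_audit_line(line):
    """Return a dict for one audit entry, or None for a line that matches neither shape."""
    line = line.strip()
    if not line:
        return None
    # Try the session shape first: the CLI pattern would otherwise accept
    # "[12]" as the user name.
    m = _SESSION_LINE.match(line) or _CLI_LINE.match(line)
    if not m:
        return None
    d = m.groupdict()
    msg = d["msg"]
    return {
        "time": datetime.strptime(d["ts"], "%b %d %Y %H:%M:%S"),
        "session": int(d["sid"]) if d.get("sid") else None,  # CLI shape has none
        "interface": d["iface"].lower(),  # cli / web / axapi
        "user": d["user"],
        # Assumption: "successfully." marks success; the guide shows no failure
        # text, so anything else is reported as "unknown", not as "failed".
        "outcome": "success" if msg.endswith("successfully.") else "unknown",
        # Assumption: first word is the verb (add/edit/enable/disable/delete)
        # for GUI/aXAPI entries and the command keyword for CLI entries.
        "action": msg.split()[0],
        "message": msg,
    }


def parse_audit_log(text):
    """Parse every recognised line of an audit log dump."""
    return [e for e in (parse_audit_line(ln) for ln in text.splitlines()) if e]


def actions_by_interface(entries):
    """Counter of (interface, action) pairs; an unexpected channel stands out here."""
    return Counter((e["interface"], e["action"]) for e in entries)


def destructive_actions(entries, verbs=("delete", "disable")):
    """Entries whose verb removes or disables something: the ones to review first."""
    return [e for e in entries if e["action"] in verbs]


if __name__ == "__main__":
    entries = parse_audit_log(SAMPLE_AUDIT_LOG)
    for e in entries:
        print(e["time"], e["interface"], e["user"], e["action"], e["outcome"])
    print(actions_by_interface(entries))
    print("destructive:", len(destructive_actions(entries)))
```

Feed it the output of show audit saved to a file. Because the audit log is kept apart from the system log and covers CLI, GUI and aXAPI sessions alike, grouping by interface is a quick way to notice configuration changes arriving over a channel an administrator is not expected to use.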
