Configuring an AAA local user
Blue Cedar Connect Gateway users can be defined in a local database or in an external authentication database. This section describes how to define gateway users in a local database. If you are using an external authentication database (such as Active Directory, LDAP, RADIUS, or a web server) to define gateway users, see the setup instructions in Setting up authentication providers.
To configure a user, an administrator must choose a unique username, a password, and (optionally) a group to which the user belongs. This is the template:
% set aaa auth-provider local name_of_local_database user username group groupname email-address string password string
About the username, password, and email address
The username is a unique character sequence that should not contain any spaces. The password is a string that will be used to authenticate the user. When connecting to a gateway through a Blue Cedar-secured mobile app, the username and password will correspond to the XAUTH username and password parameters that the mobile device sends.
Passwords are required for each user and can be entered in two different modes:
- If the password keyword is the last element on the command-line, the gateway prompts you to enter the password using a secure, non-echoed input mechanism. Blue Cedar recommends using this input mechanism for interactive use.
- You can also supply the password value on the command-line inline as the last element. This is intended to be used for scripting or other non-interactive usage.
Email addresses are optional for each user. The only exception is if you are using the gateway's certificate enrollment feature and if you have configured this feature to email a PIN to the device user to complete certificate enrollment. In this case, you must configure an email address.
Example
To configure a user without exposing the password on the command-line, the CLI administrator would omit the password value from the command-line and enter it when prompted:
% set aaa auth-provider local user nsmith email-address nsmith@acme.com password
Enter user's new password:
Verify:
% commit
Passwords are never stored in plaintext on the gateway. Passwords are hashed using SHA2-512 with 8 bits of salt, so a user's password never appears in plaintext within the stored configuration. After running the previous example, displaying the newly created user "nsmith" shows the salted hash value for the password rather than the plaintext:
% show aaa auth-provider local user nsmith
user nsmith {
email-address nsmith@acme.com;
password $6$N91dsnNA$zm97Foror6uK/RxaxooirVraomc1iSGmopuBVzcZQ.aZ1a9D8CZFNHnDf1ADzFbjrpLkJFs0;
}
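To check a saved configuration for the stored-hash format described above, here is an added Python example (not Blue Cedar's code) that parses `show aaa auth-provider local user` output and classifies each password field as a crypt-style SHA-512 hash, some other hash, or plaintext; the sample input is constructed from the "nsmith" block above plus a made-up second user ("jdoe") to show what a plaintext value would be flagged as.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Crypt-style SHA-512 value as shown in the gateway's stored config:
#   $6$<salt>$<digest>, salt and digest drawn from the crypt(3) alphabet.
CRYPT_SHA512 = re.compile(
    r"^\$6\$(?:rounds=\d+\$)?([./0-9A-Za-z]{1,16})\$([./0-9A-Za-z]+)$"
)

@dataclass
class LocalUser:
    name: str
    email: Optional[str]
    password: str  # raw value exactly as it appears in the configuration

def parse_show_output(text: str) -> List[LocalUser]:
    """Parse one or more 'user <name> { key value; ... }' blocks."""
    users: List[LocalUser] = []
    for block in re.finditer(r"user\s+(\S+)\s*\{([^}]*)\}", text):
        fields: Dict[str, str] = {}
        for line in block.group(2).splitlines():
            line = line.strip().rstrip(";")
            if line:
                key, _, value = line.partition(" ")
                fields[key] = value.strip()
        users.append(LocalUser(block.group(1), fields.get("email-address"),
                               fields.get("password", "")))
    return users

def salt_of(value: str) -> Optional[str]:
    """Return the salt of a $6$ value, or None if it is not in that format."""
    m = CRYPT_SHA512.match(value)
    return m.group(1) if m else None

def password_storage(value: str) -> str:
    """Classify a stored value: 'sha512-crypt', 'other-hash' or 'plaintext'."""
    if CRYPT_SHA512.match(value):
        return "sha512-crypt"
    return "other-hash" if value.startswith("$") else "plaintext"

def audit(text: str) -> Dict[str, str]:
    """Map each user name to how its password is stored."""
    return {u.name: password_storage(u.password) for u in parse_show_output(text)}

# Constructed sample: the page's nsmith block plus a made-up plaintext entry.
SAMPLE = """user nsmith {
email-address nsmith@acme.com;
password $6$N91dsnNA$zm97Foror6uK/RxaxooirVraomc1iSGmopuBVzcZQ.aZ1a9D8CZFNHnDf1ADzFbjrpLkJFs0;
}
user jdoe {
password hunter2;
}"""

if __name__ == "__main__":
    for name, how in audit(SAMPLE).items():
        print(f"{name}: {how}")
```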
Optionally, a user can also be associated with a group. If a user is not associated with a group, they will default to the following values:
- Not permitted to log in from a jailbroken device
- Not permitted to administer the gateway
SSH access to the gateway's management interface is restricted to users who are members of a group that has admin access.
For more details about groups, see Configuring an AAA local group.