User Accounts
- Define and manage users from You can specify the type of users such as local, LDAP, or RADIUS users.
- Configure the LDAP server parameters using
- Configure the RADIUS server parameters using
- Configure the certificate-based authentication parameters using
- Configure the account suspension criteria using
The Users tab also serves as the dashboard where you see a snapshot of the user privileges. From the Users dashboard, you can edit individual user accounts, change the password, lock or unlock the user account, and delete the user. These actions are available for individual users; not for multiple users.
User Roles and their Privileges
CV-CUE supports four types of users — Superuser, Administrator, Operator and Viewer. You must have the Superuser privileges to manage users in CV-CUE.
Privileges | Superuser | Administrator | Operator | Viewer |
---|---|---|---|---|
User Account Management | ||||
Set or modify identification and authentication option (Local, RADIUS, LDAP, and Certificate) | Yes | No | No | No |
Add and delete users | Yes | No | No | No |
View and modify properties of any users (in Users tab) | Yes | No | No | No |
Define password strength, account locking policy, maximum concurrent sessions for all users | Yes | No | No | No |
View and modify preferences in Manage Account (email, password, language preferences, and time zone) | Yes | Yes | Yes | Yes |
User actions audit | ||||
Download user actions audit log | Yes | No | No | No |
Modify user actions audit lifetime | Yes | No | No | No |
System and operation settings | ||||
Modify system settings and operating policies | Yes | Yes | No | No |
Events, devices, and locations | ||||
View generated events | Yes | Yes | Yes | Yes |
Modify and delete generated events | Yes | Yes | Yes | No |
View devices | Yes | Yes | Yes | Yes |
Add, delete, and modify devices (APs, Clients, Sensors) | Yes | Yes | Yes | No |
View locations | Yes | Yes | Yes | Yes |
Add, delete, and modify locations | Yes | Yes | Yes | No |
Calibrate location tracking | Yes | Yes | Yes | No |
Reports | ||||
Add, delete, modify — Shared Report | Yes | Yes (only self created) | Yes (only self created) | No |
Generate — Shared Report | Yes | Yes | Yes | Yes |
Schedule — Shared Report | Yes | Yes | Yes | No |
Add, delete, modify, generate, schedule — My Report | Yes (only self created) | Yes (only self created) | Yes (only self created) | No |
Manage Users
The Users tab serves as the dashboard where you see a snapshot of the user privileges. From the Users dashboard, you can edit individual user accounts, change the password, lock or unlock the user account, and delete the user. If a user account is temporarily suspended due to multiple unsuccessful password attempts, you can unlock such temporary suspensions from the Users dashboard. These actions are available for individual users; not for multiple users.
Add Users
- Go to
- Click Add User.
- The User Name page opens.
- Provide the user details on the User Name page and then save the page.
Field | Description |
---|---|
User Type | Specifies the type of user. You can define a local, LDAP, or RADIUS user. |
Login ID | Specifies the login ID of the user. For RADIUS and LDAP users, the login ID must be the same as defined in LDAP and RADIUS settings. |
First Name | Specifies the first name of the user. Not applicable for LDAP users. |
Last Name | Specifies the last name of the user. Not applicable for LDAP users. |
Specifies the e-mail id of the user. Not applicable for LDAP users. | |
Language Preference | Specifies the language in which the user wants to view the UI text. The default value is English. |
Time Zone | Specifies the time zone in which the user operates. |
Authorization | |
Role | Specifies the role assigned to the user. Choose from Viewer, Operator, Administrator and Super User. For more information on what individual roles |
Allowed Locations | Specifies the locations for which the user can operate. Click Change hyperlink to modify the list of allowed locations. A user can operate on one or more locations. For instance, a Superuser could have rights to multiple locations. |
Wi-Fi Access Management | Enables users to access the Wi-Fi management settings and functions on CV-CUE. Depending on the role, users have restricted access to the Wi-Fi management operations. |
WIPS Management | Enables users to access the WIPS management settings and functions on CV-CUE. Depending on the role, users have restricted access to the WIPS management operations. |
Password (Not applicable for LDAP and RADIUS users) | |
Set Password | Specifies the password for the user. |
Confirm Password | Repeat the password for confirmation. |
Force user to change password | Specifies that the user must change the password after the first login. |
Password Expiry — Never Expires | Specifies that the password set by users after the first login never expires. Users can manually change the password any time but the system never forces users to change the password. |
Password Expiry — Expires | Specifies that users must change the password after the specified duration. Configure the duration, in days, in the Expires After field, after which the password expires. The Warn Before field specifies how many days before the expiry date users are warned. For example, if you configure the Expires After as 90 days and Warn Before as 15 days, then the password will expire after 90 days and the user will be warned to change the password after 75 days, which is 15 days before the expiry of the password. Note that if users do not change the password when notified, they will be locked out of the application and the Superuser needs to reset their password. |
Password Expiry — Expires After | Specifies the duration in days from the time of change of the password after which the password expires. |
Password Expiry — Warn Before | Specifies the time in days before the password expiry to prompt the user to change the password. |
Session Timeout | |
Session Timeout | Specifies the idle time interval after which the user's User Interface (UI) session should be timed out. Two options are available. Select Never Expires if you do not want the session to time out. Select Expires After and specify the time in minutes (between 10 and 120 minutes) after which the session should time out. |
Additional User Fields (Not applicable for LDAP and RADIUS users) | |
Additional User Fields | Specifies some predefined and custom user fields that you can create for users. For example, you can assign a department to each user and assign them specific privileges. Use the Add/Remove Columns button in the Users tab to enable and view any of the additional user fields in the table. |
Edit a User
- Go to
- Right-click the user and click Edit.
- Edit the user details and save the changes. Note: You cannot edit the User Type and Login ID fields.
Change the Password of a User
If you did not assign a password while creating the user, you can do so using the Change Password option. You can also change any existing password of a user.
- Go to
- Right-click the user and click Change Password.
- In the Change Password right-panel, provide the new password.
- Save the changes.
LDAP Server-based Authentication
For on-premises deployments, you can configure your LDAP server and map it to CV-CUE to authenticate CV-CUE users. After you have configured the LDAP server, users or groups defined in the LDAP server can log in to CV-CUE. Based on the authentication and user role defined in CV-CUE, users get restricted access to Wi-Fi, WIPS, or both configuration pages.
- Connection Details: Connects CV-CUE with your primary and secondary LDAP servers.
- LDAP Configuration Parameters: Allows access to the LDAP compliant directories.
- Privileges for LDAP Users: Specifies the role and locations assigned to LDAP users. The specified values apply to all users authenticated via LDAP.
You must have Superuser privileges to configure the LDAP server access parameters.
- Go to .
- Click the LDAP Authentication check box.
- Configure the LDAP connection details as described in the Connection Details table.
- If you have selected Verify LDAP Server's Certificate, you must add a certificate. Click Add Certificate to add trusted root CA Certificate(s) for the LDAP server. Choose the certificate from your local drive.
- Specify the LDAP configuration details as described in the LDAP Configuration Details table.
- If the directory does not allow an anonymous search, you must configure user credentials to search the LDAP compliant directory. Click the Authentication required to search LDAP check box. Configure the user credentials as described in the User Credentials table.
- Click Start Test to test the authentication options.
- Configure user privileges as described in the Privileges for LDAP Users table.
- Save the changes.
Connection Details
Field | Description |
---|---|
Primary Server IP Address/Hostname | The IP address or hostname of the primary LDAP server. |
(Primary Server) Port | The port number of the primary LDAP server. The default port is 389. |
Backup Server IP Address/Hostname | The IP address or hostname of the backup LDAP server. |
(Backup Server) Port | The port number of the backup LDAP server. |
Enforce Use of SSL/TLS | Enable this option to ensure that only SSL/TLS connections to the LDAP server are allowed. If you do not select this option, Open (unencrypted) connections to the LDAP server are also allowed, besides SSL/TLS. |
Verify LDAP Server’s Certificate | Enable this option to ensure that the CV-CUE user cannot connect to the LDAP server unless the certificate check passes. When this option is not selected, the CV-CUE user can connect to the LDAP server without verifying the LDAP server certificate. |
LDAP Configuration Details
Field | Description |
---|---|
Base Distinguished Name | Specifies the base distinguished name (Base DN) of the directory to which you want to connect, for example, o=democorp, c=au. Distinguished Name is a unique identifier of an entry in the Directory Information Tree (DIT). The name is the concatenation of Relative Distinguished Names (RDNs) from the top of the DIT down to the entry in question. |
Filter String | This is a mandatory argument. It is a string specifying the attributes (existing or new) that the LDAP server uses to filter users. For example, IsUser=A is a filter string. By specifying a filter string, you can allow or deny login to a particular organizational unit (OU) or a group of users defined in the Active Directory (AD). You can specify a DN (Distinguished Name) of any particular group to allow access to only those users who are members of that group. For example, memberOf=DC=GroupName,DC=com. You can include members from multiple groups by using an OR condition. For example, to allow access to users under Base DN who are members of any of the two groups — Admins OR Reviewer, you must include the following filter string: (|(memberOf=CN=Admins,DC=ITShop,DC=Com)(memberOf=CN=Reviewer,DC=ITShop,DC=Com)) Similarly, to allow access to users under Base DN who are members of both Admins AND Reviewer groups, you must include the following filter string: (&(memberOf=CN=Admins,DC=ITShop,DC=Com)(memberOf=CN=Reviewer,DC=ITShop,DC=Com)) You can have alternative configurations in the AD, such as adding a new attribute named ATNWIFI to the users in AD that are granted access and then setting the filter string to allow users with that attribute only. For example, filter string = ATNWIFI. You can also create a new group of users in the AD with access granted and include that group in the filter string. A common filter string that you can use is 'objectClass=*'. You can use this string when you do not want to filter out any LDAP entry. |
User ID Attribute | Specifies the string defined in the LDAP schema that the system uses to identify the user. (Default: cn) |
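To check which directory entries a Filter String admits before saving it, the following added example (not part of the original page and not CV-CUE code) evaluates the OR, AND and objectClass=* filters from the table against a few constructed entries, and rejects a filter that spells the operator as a keyword instead of the prefix | or &. It assumes standard LDAP composite-filter syntax; the USERS entries and the helper names are hypothetical.

```python
# Evaluator for the filter subset in the Filter String row: (&..), (|..), (!..), (attr=value), (attr=*).

def parse_filter(text):
    """Return a nested tuple for the filter; raise ValueError if it is malformed."""
    text = text.strip()
    if not text.startswith("("):      # bare form as the page writes it: objectClass=*
        text = f"({text})"
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise ValueError("trailing characters after filter")
    return node

def _parse(s, i):
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if i < len(s) and s[i] in "&|!":
        op, i = s[i], i + 1
        children = []
        while i < len(s) and s[i] != ")":
            child, i = _parse(s, i)   # a keyword such as OR / AND fails here
            children.append(child)
        if i >= len(s) or not children or (op == "!" and len(children) != 1):
            raise ValueError("malformed composite filter")
        return (op, children), i + 1
    end = s.find(")", i)
    attr, sep, value = s[i:end].partition("=") if end != -1 else ("", "", "")
    if not sep or not attr.strip() or "(" in value:
        raise ValueError(f"malformed comparison at offset {i}")
    return ("=", attr.strip().lower(), value.strip().lower()), end + 1

def matches(node, entry):
    """Evaluate a parsed filter against one entry (dict of attribute -> list of values)."""
    if node[0] == "&":
        return all(matches(c, entry) for c in node[1])
    if node[0] == "|":
        return any(matches(c, entry) for c in node[1])
    if node[0] == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    # Assumption: values compare case-insensitively as plain strings (no DN normalisation).
    values = [v.lower() for k, vs in entry.items() if k.lower() == attr for v in vs]
    return bool(values) if value == "*" else value in values

ADMINS, REVIEWER = "CN=Admins,DC=ITShop,DC=Com", "CN=Reviewer,DC=ITShop,DC=Com"
USERS = {  # constructed sample entries, not real directory data
    "alice": {"objectClass": ["person"], "memberOf": [ADMINS]},
    "bob": {"objectClass": ["person"], "memberOf": [ADMINS, REVIEWER]},
    "carol": {"objectClass": ["person"]},
}

def allowed(filter_string):
    tree = parse_filter(filter_string)
    return sorted(name for name, entry in USERS.items() if matches(tree, entry))
```

With objectClass=* every entry under the Base DN passes, so each of those users can log in with the default role set in Privileges for LDAP Users.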
User Credentials
Field | Description |
---|---|
Admin User DN | Specifies the DN of the administrator user that is used for authentication in the LDAP server. |
Password | Specifies the password for the administrator user. |
Append Base DN | Indicates that when selected the base DN specified in the LDAP Configuration Details section is appended to the Admin User DN. |
Privileges for LDAP Users
Field | Description |
---|---|
User Role Attribute | Specifies the user role attribute string that the system uses to identify a user’s role, as defined in the LDAP schema. |
User Role | Specifies the default role for the new LDAP users. You can select one of the following four options — Superuser, Administrator, Operator, and Viewer. |
User Location Attribute | Specifies the user location attribute string that the system uses to identify the locations where the user is allowed access, as defined in your LDAP schema. |
Locations | The location to which a new LDAP user has access rights. You can select another location by clicking Change. |
RADIUS-based Authentication
For on-premises deployments, you can use a RADIUS server to facilitate user authentication to access CV-CUE. Configure the RADIUS server access parameters from the System > User Accounts > RADIUS tab.
You can configure the Authentication, Accounting, and Advanced Settings parameters for the RADIUS server.
- Go to
- Click the Authentication section.
- Specify the IP address or hostname, port number, and shared secret for the primary RADIUS server. Configuring the secondary RADIUS server is optional.
- Click Test to test the connection to the RADIUS server.
- In RADIUS users log in to the WiFi server using, click CLI if you want users to access CV-CUE using the command line. Click UI if you want the users to access CV-CUE using the GUI.
- Select vendor specific attributes as appropriate. The option you select here will be used when vendor specific attributes are not defined for the RADIUS server.
- Select the Role of RADIUS users and the location that users can access in CV-CUE. The user can access the selected location and all its child locations.
You have configured the RADIUS authentication.
The next steps are to configure the RADIUS accounting server and some advanced settings. If you do not want to configure the RADIUS accounting server, you can save the page.
Configure the RADIUS Accounting Server
- Click the Accounting section.
- Specify the IP address/hostname, port number, and shared secret for the primary and secondary RADIUS accounting servers.
- Click the Advanced Settings section.
- Enter the realm or domain for CLI users.
- Enter the realm or domain for GUI users.
- Select the Use Prefix Notation check box to use the realm or domain as prefix. If you do not select the check box, the realm or domain is used as a postfix notation.
- Save the changes.
Certificate-based Authentication
In on-premises deployments, you can authenticate users using digital certificates. Configure the settings for user authentication from
option.
- Allow access with certificate only
- Allow access without certificate
- Users must provide password along certificate
Authentication Criteria
Allow access without certificate: The user authentication is performed using the password. The user has to enter the user name and the password at the login prompt. The password may be locally verified by the system or may be verified using the external LDAP or RADIUS authentication service, as appropriate.
Allow access with certificate only: The user authentication is performed using the client certificate (such as a smart card). The system verifies the client certificate and obtains user identity (user name) from the certificate. Other attributes for the user are retrieved either locally or from the external authentication services such as LDAP or RADIUS, as appropriate.
Users must provide certificate along with password: Both client certificate and password are required for the user authentication. The user provides the client certificate and the password at the login prompt. The system verifies the password locally or using the external LDAP or RADIUS authentication service, as appropriate.
Configure Certificate-based Authentication
- Go to
- Enable the Certificate-Based Authentication check box.
- Select one of the following values from the Use field in certificate as user identity drop down list:
- CN — Indicates the common name or fully qualified domain name of the web server receiving the certificate.
- EMAIL — Indicates the email ID of the user.
- SAN RFC22 Name — Indicates a user identifier name, which includes IP address, email address, URI, and others.
- SAN Principal Name — Indicates the login ID of the user or server.
- Specify your Authentication Criteria.
- Click Add Certificate and select the certificate from your local drive. After adding the certificate, you can view the details of the certificate and even delete the certificate.
- Click the Certificate Revocation checkbox to define the certificate revocation criteria. Note that you must select at least one option in the Certificate Revocation section.
- Click the Use Online Certificate Status Protocol (OCSP) check box to verify the revocation status of digital certificates.
- Click the Check against Certificate Revocation Lists check box to verify the certificates that are revoked by the issuing certificate authority.
- Select Valid or Invalid in Treat certificate as when certificate status cannot be confirmed. The default status is Valid.
- Save the settings.
User Account Suspension
For on-premises deployments, a Superuser can configure the account suspension criteria for other users. Account suspension protects the system from fake logins through dictionary attacks or from multiple failed login attempts. There are four roles available in CV-CUE — Superuser, Administrator, Viewer, and Operator. You can configure different settings for each of these user roles.
Configure Account Suspension
- Go to
- Expand each role and specify the number of failed login attempts and the duration for the account suspension to activate.
- Specify the suspension time, which is the period for which the account is suspended after the consecutive failed login attempts happen. For example, Consecutive login failures are more than 4 [3 - 10] times in 5 [5 - 30] minutes. Suspension Time is 30 minutes. This indicates that if a user unsuccessfully tries to log in 4 times in a duration of 5 minutes, then that user account will be suspended for 30 minutes.
- Save the changes.
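The suspension rule configured above, as an added sketch that is not CV-CUE's own code: it replays constructed login events against a per-role policy so you can see when an account would be suspended and when it becomes usable again. It assumes the threshold is exclusive (the setting's "more than" wording), that a successful login resets the consecutive count, and that attempts during a suspension are rejected; the class names and the role values in POLICIES are hypothetical.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:
    max_failures: int   # "more than N times"; the example setting shows the range 3-10
    window_min: int     # "in M minutes"; the example setting shows the range 5-30
    suspend_min: int    # Suspension Time, in minutes

    def __post_init__(self):
        if not 3 <= self.max_failures <= 10 or not 5 <= self.window_min <= 30:
            raise ValueError("value outside the range shown in the example setting")

# Hypothetical per-role values; the page gives only 4 / 5 / 30 as an example.
POLICIES = {"Viewer": Policy(4, 5, 30), "Superuser": Policy(3, 5, 30)}

class SuspensionTracker:
    def __init__(self, policies):
        self.policies = policies
        self.failures = defaultdict(deque)  # login ID -> minutes of consecutive failures
        self.suspended_until = {}           # login ID -> minute at which suspension ends

    def attempt(self, minute, login, role, ok):
        """Process one login attempt; return 'ok', 'failed', 'suspended' or 'rejected'."""
        policy = self.policies[role]
        if minute < self.suspended_until.get(login, 0):
            return "rejected"                # still suspended, even with a valid password
        recent = self.failures[login]
        if ok:
            recent.clear()                   # a success breaks the consecutive run
            return "ok"
        recent.append(minute)
        while recent[0] <= minute - policy.window_min:
            recent.popleft()                 # drop failures that fell out of the window
        if len(recent) > policy.max_failures:  # assumption: threshold is exclusive
            self.suspended_until[login] = minute + policy.suspend_min
            recent.clear()
            return "suspended"
        return "failed"

def replay(events, policies=POLICIES):
    """Run constructed (minute, login ID, role, success) events through a fresh tracker."""
    tracker = SuspensionTracker(policies)
    return [tracker.attempt(*event) for event in events]
```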