About User Accounts
Expressway has two types of user account for normal operation:
- Administrator accounts: Used to configure the Expressway.
- FindMe accounts: Used by individuals in an enterprise to configure their FindMe profile. (FindMe account configuration via Expressway does not apply if the Expressway is using TMS Provisioning Extension services to provide FindMe data.)
Account Authentication
Administrator and FindMe accounts must be authenticated before access is allowed to the Expressway.
Expressway can authenticate accounts locally, or against a remote directory service using LDAP (currently, Windows Active Directory is supported), or using a combination of local and remotely managed accounts. The remote option allows administration groups to be set up in the directory service for all Expressways in an enterprise, removing the need to have separate accounts on each Expressway.
See Configuring Remote Account Authentication Using LDAP for more information about setting up remote authentication.
If a remote source is used for either administrator or FindMe account authentication, you also need to configure Expressway with the following:
- Appropriate LDAP server connection settings.
- Administrator groups and/or FindMe groups that match the corresponding group names already set up in the remote directory service to manage administrator and FindMe access to this Expressway (see Configuring Administrator Groups and Configuring user groups).
The Expressway can also be configured to use certificate-based authentication. This would typically be required if the Expressway is deployed in a highly secure environment.
Password complexity
Complexity requirements can be specified for locally-managed passwords, from the Password security page ( ).
All passwords and usernames are case sensitive.
Account Types
Administrator accounts
Administrator accounts are used to configure the Expressway.
The Expressway has a default admin local administrator account with full read-write access. It can be used to access the Expressway using the web interface, the API interface or the CLI.
Note: You cannot access the Expressway via the default admin account if a Remote only authentication source is in use.
You can add additional local administrator accounts which can be used to access the Expressway, using the web and API interfaces only.
Remotely managed administrator accounts can also be used to access the Expressway, using the web and API interfaces only.
You can configure one administrator account to be the emergency account. This special account gives access to the Expressway even when it disallows local authentication, in case remote authentication is not possible.
Configuration log
The Configuration log records all login attempts and configuration changes made using the web interface, and can be used as an audit trail. This is particularly useful when you have multiple administrator accounts.
Multiple admin sessions
More than one administrator session can be running at the same time. These sessions could be using the web interface, command line interface, or a mixture of both. Be aware that if each administrator session attempts to modify the same configuration settings, changes made in one session will overwrite changes made in another session.
Session limits and timeouts
You can configure account session limits and inactivity timeouts, as described in Network Services.
Login history page (advanced account security)
If the system is in advanced account security mode, a Login history page is displayed immediately after logging in. This page shows the recent activity of the currently logged-in account.
FindMe accounts
FindMe accounts are used by individuals in an enterprise to configure the devices and locations on which they can be contacted through their FindMe ID.
Each FindMe account is accessed using a username and password.
- If remote FindMe account authentication is selected, the Expressway administrator must set up FindMe groups to match the corresponding group names in the remote directory service.
  Note: Only the username and password details are managed remotely.
- All other properties of the FindMe account, such as the FindMe ID, devices and locations are stored in the local Expressway database.
See the Configuring FindMe accounts section for more information about defining FindMe account details and their associated FindMe devices and locations.
We recommend that you use Cisco TMS if you need to provision a large number of FindMe accounts. See Cisco TMS Provisioning Extension Deployment Guide for more details on configuring FindMe and user accounts.
Root account
The Expressway provides a root account which can be used to log in to the Expressway operating system. The root account should not be used in normal operation, and in particular system configuration should not be conducted using this account. Use an administrator account instead.
See the Using the Root Account section for more information.
Caution: The pre-X8.9 default passwords of the admin and root accounts are well known. You must use strong passwords for these accounts. If your new system is on X8.9 or later, you must supply non-default passwords on startup.
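The following audit sketch is an added example, not Cisco code. It applies two points from this page to a fleet inventory: an Expressway using a Remote only administrator source with no emergency account has no administrator login if remote authentication is not possible, and a pre-X8.9 system needs its admin and root passwords verified as non-default. The inventory records, field names and finding labels are assumptions made for the example.

```python
import re

# Hypothetical inventory records (constructed sample data). Field names are
# assumptions for this example, not Expressway configuration keys.
FLEET = [
    {"name": "exp-c-01", "version": "X8.8.2", "admin_source": "Remote only",
     "emergency_account": None},
    {"name": "exp-e-01", "version": "X12.5", "admin_source": "Remote only",
     "emergency_account": "breakglass"},
    {"name": "exp-c-02", "version": "X8.10", "admin_source": "Local only",
     "emergency_account": None},
]

def version_tuple(version):
    """Turn 'X8.10.1' into (8, 10, 1) so that X8.10 sorts after X8.9."""
    match = re.fullmatch(r"X(\d+(?:\.\d+)*)", version.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(part) for part in match.group(1).split("."))

def audit(record):
    """Return the findings for one appliance record."""
    findings = []
    remote_only = record["admin_source"].strip().lower() == "remote only"
    if remote_only and not record.get("emergency_account"):
        # The default admin account is unusable under Remote only, so an
        # LDAP outage leaves no administrator login without an emergency account.
        findings.append("no-emergency-account")
    if version_tuple(record["version"]) < (8, 9):
        # The pre-X8.9 default admin and root passwords are well known.
        findings.append("verify-default-passwords-changed")
    return findings

def audit_fleet(fleet):
    """Map appliance name to findings, omitting appliances with none."""
    report = {}
    for record in fleet:
        findings = audit(record)
        if findings:
            report[record["name"]] = findings
    return report

if __name__ == "__main__":
    for name, findings in audit_fleet(FLEET).items():
        print(name, ", ".join(findings))
```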