Configure AAA

For Releases 16.1R2 and later, except as noted.

This article describes how to configure authentication, authorization, and accounting (AAA) on a Director server.

Configure User Authentication


To authenticate a user in Versa Director, the user database can be internal or external. If the users are added directly in
Versa Director, no user configuration is required. However, to access an external user database, perform the
configuration procedure explained in this article.

You can connect Versa Director to the following external servers:

• RADIUS
• TACACS
• LDAP
• Active Directory

Versa Director allows you to configure multiple redundant authentication servers for RADIUS, TACACS, LDAP, and
Active Directory. Authentication by external servers is based on the configured order. If the first authentication server is
not reachable, authentication falls back to the next server, and so on.

Configure External Authentication Connectors


1. In Director view, go to Administration > Connectors > Authentication. The Authentication screen displays.

2. Click the Add icon in the Authentication Connectors box to add a connector. The following screen displays. Enter the required information.

https://docs.versa-networks.com/Versa_Director/Versa_Director_Configuration/Configure_AAA
Updated: Wed, 01 Jul 2020 14:39:53 GMT
Copyright © 2020, Versa Networks, Inc.
1
Field Description

Name (Required) Enter a name for the authentication connector.

Type of server (Required) Select the type of server:
◦ LDAP
◦ Radius
◦ TACACS
◦ Active Directory

Default IDP Connector Click to set the connector as the default identity provider (IDP) connector.

3. Click the Add icon to add a connector. In the Add Details popup window, enter information for the following fields (the Add Details screen for Active Directory is displayed below).

Field Description

IP Address/FQDN (Required) Enter the IP address or FQDN of the server to connect to.

Port Enter the port number on the server to connect to. For Active Directory, specify one of the following port numbers to connect to the global catalog:
◦ 3268—Connect to the global catalog server.
◦ 3269—Connect securely to the global catalog server.

Bind DN For LDAP server and Active Directory, enter the bind domain name.

Bind Credential Enter the bind domain name password for LDAP server or Active Directory authentication.

Base DN For LDAP server and Active Directory, enter the base domain name.

Secret String For RADIUS and TACACS, enter the password to access the server.

Secure Select to enable secure connectivity to the Active Directory server. Click Choose File to browse and select the SSL certificate to upload.

4. Click OK. The main pane displays the authentication connector to access an external server.

Ensure that one of the authentication connectors is the default connector to add a provider user later.

To select or change a default connector, do the following:

1. Click the Edit icon in the Default Connector box in the Authentication main panel to open the Default Connector window.
2. Select a default connector from the menu.

3. Click OK.
4. To optionally rename the default connector, click the Edit icon in the Service Configuration box in the Authentication main panel to open the Service Configuration window.
5. Enter an alphanumeric string in the field provided. The string can contain special characters. For example, abc@123!@#$.
6. Click OK.

Associate Organizations with Default Connector


1. In Director view, go to Administration > Organizations.

2. Select an entity in the Organization Name column to open the Edit Organization screen.

3. From the Authentication Connector list, select the server type.
4. Click OK.
5. Repeat Steps 3 and 4 for other organizations.

Director User Login Conventions


Versa Director supports both internal (local) and external (users on an external server) users. When you configure an
external server in Versa Director as a default auth connector, only external users can log in and local Versa Director
users cannot log in.

External provider users can log in using a username only. The @system is optional.

If the external server is unreachable, the login operation falls back to the local user. For this to happen, you must create
a provider user in Versa Director. For example, if the user VersaSupport exists on the external server, then, in Director,
create the username VersaSupport. In this way, when the external server is unreachable, the user VersaSupport is able
to log in.

The following table describes the username conventions for logging in to the Versa Director UI.

User Type / Internal / External

The following is the login convention when connecting to a global catalog server using LDAP, RADIUS, and TACACS:

Provider
  Internal: UserName (for example, SuperAdmin)
  External: UserName@System (for example, SuperAdmin@System). Here, @System is optional.

Organization (Tenant)
  Internal: UserName (for example, Admin)
  External: UserName@OrgName (for example, Thomas@TelecomProvider).

The following is the login convention when connecting to a global catalog server for the Active Directory connector configured on port 3268 or 3269. Here, DomainName is the domain name of the Active Directory of the user.

Provider
  Internal: UserName (for example, Admin)
  External: DomainName/UserName (for example, adone.abc/admin).

Organization (Tenant)
  Internal: UserName (for example, Admin)
  External: DomainName/UserName@OrgName (for example, adone.abc/Bob@TelecomProvider).

The following is a login example screenshot of an external provider user:
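The login-name conventions in the table above, parsed in code. This is an added example and not Versa's code; the LoginName type, the "local" scope for a bare name, and the function names are this example's own assumptions.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Suffix that marks an external provider user; the docs treat it as optional
# and write it both as "@System" and "@system", so compare case-insensitively.
SYSTEM_SUFFIX = "system"

# A bare username: no "/" (domain separator), no "@" (scope separator), no spaces.
_USER = re.compile(r"^[^/@\s]+$")


@dataclass(frozen=True)
class LoginName:
    user: str               # name the connector authenticates (also the local fallback user)
    domain: Optional[str]   # Active Directory domain from "DomainName/UserName", else None
    org: Optional[str]      # organization from "@OrgName" for tenant users, else None
    scope: str              # "provider", "tenant", or "local" (bare name: Director decides)


def parse_login(name: str) -> LoginName:
    """Split a Director login name according to the conventions table.

    UserName                     internal (local) provider or tenant user
    UserName@System              external provider user (LDAP, RADIUS, TACACS)
    UserName@OrgName             external tenant user (LDAP, RADIUS, TACACS)
    DomainName/UserName          external provider user (Active Directory)
    DomainName/UserName@OrgName  external tenant user (Active Directory)
    """
    name = name.strip()
    domain = None
    if "/" in name:
        domain, _, name = name.partition("/")
        if not domain or "/" in name:
            raise ValueError("expected exactly one DomainName/ prefix")
    user, sep, suffix = name.partition("@")
    if "@" in suffix:
        raise ValueError("more than one @ suffix")
    if not _USER.match(user):
        raise ValueError(f"invalid username: {user!r}")
    if not sep:
        # No suffix: an AD-qualified name is still an external provider user;
        # a completely bare name is resolved against Director's own user database.
        return LoginName(user, domain, None, "provider" if domain else "local")
    if not suffix:
        raise ValueError("empty suffix after @")
    if suffix.lower() == SYSTEM_SUFFIX:
        return LoginName(user, domain, None, "provider")
    return LoginName(user, domain, suffix, "tenant")


def format_login(ln: LoginName) -> str:
    """Inverse of parse_login: the canonical login string for a parsed name."""
    base = f"{ln.domain}/{ln.user}" if ln.domain else ln.user
    if ln.scope == "tenant":
        return f"{base}@{ln.org}"
    if ln.scope == "provider" and not ln.domain:
        return f"{base}@System"
    return base
```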

Configure User Authorization


After a user authenticates and starts using Versa Director, each user action needs authorization. Versa Director
provisions provider and tenant user types, each of which supports specific roles that determine the user's access level. You
assign the user access level when you configure each user.

Versa Director supports two user types:

• Provider—Provider users are independent of an organization and can perform operations across all organizations.
The following are the provider user roles:
◦ ProviderDataCenterSystemAdmin—This is a super-admin role that has access to the complete Versa Director
system across all tenants.
◦ ProviderDataCenterAdmin—This is a super-admin role that is similar to ProviderDataCenterSystemAdmin, but
that does not have access to the following system-level resources:
▪ Local CMS management
▪ CMS_CONNECTOR
▪ AUTH_CONNECTOR
▪ SYSLOG_SERVER
▪ AMQP_Connector
▪ ANALYTICS_CONNECTOR
▪ Analytics cluster
▪ HA_MANAGEMENT_VDC
▪ APPLICATION_CLIENT (authorization clients)
▪ REGISTRATION_TOKEN_M (registration token)
▪ Static routes
▪ Uptime

▪ License
▪ DNS
▪ IP address pool
▪ Resource
▪ NTP server
▪ Subjugate address
▪ VD upgrade
▪ SSO
◦ ProviderDataCenterOperator—This user role has read-only access to Versa Director across all tenants.
• Tenant—Tenant users belong to a single organization and can access and perform operations only in their
organization. The following are the tenant user roles:
◦ TenantSuperAdmin—This is a super-admin role for the tenant to which the user belongs, and can perform all
operations for that tenant.
◦ TenantOperator—This user role has read-only access to the tenant to which the user belongs.
◦ TenantSecurityAdmin—This user role performs all security operations for the tenant to which the user belongs,
and can perform operations for features such as zones, ZTP, and firewall.
◦ TenantADCAdmin—This user role manages application delivery controller (ADC) operations.

Add Provider Users


1. In Director view, go to Administration > Director User Management > Provider Users.
2. Click the Add icon. In the Add Provider User popup window, enter information for the following fields.

Field Description

Username Enter the login name for the provider user.

First Name Enter the first name of the provider user.

Last Name Enter the last name of the provider user.

Password Enter the password for the provider user.

Confirm Password Re-enter the password for the provider user.

Email Address Enter the email address of the provider user.

Idle Time Out Enter the duration after which the login session expires.

Phone Number Enter the contact telephone number of the provider user.

Roles (Group of Fields)

◦ Available Roles Select the role to assign to the provider user.

◦ Landing Page Select the first page to appear when the provider user logs in to the application.

3. Click OK. The main pane displays the provider user and their assigned role.

Add Tenant (Organization) Users


1. In Director view, go to Administration > Director User Management > Organization Users.
2. Click the Add icon to add an organization user.

3. In Roles, click the Add icon in the Available Roles section to select a user role. Enter information for the following fields.

Field Description

Username Enter the username for the tenant user.

First Name Enter the first name of the tenant user.

Last Name Enter the last name of the tenant user.

Password Enter the password for the tenant user.

Confirm Password Re-enter the password for the tenant user.

Email Address Enter the email address of the tenant user.

Idle Time Out Enter the duration after which the login session expires.

Enable Two Factor Authentication Click to enable or disable two-factor authentication for the user.

Roles (Group of Fields)

◦ Available Roles Select the role to assign to the tenant user.

◦ Primary Role Select the main role to assign to the tenant user.

◦ Landing Page Select the first page to appear when the tenant user logs in to the application.

4. Click OK. The main pane displays the tenant (organization) user and their assigned role.

Configure External AAA


To configure external authentication, authorization, and accounting (AAA):

1. In Director view, go to Configuration > Devices. In the Devices dashboard, click on the required appliance. The
view changes to Appliance view.

2. Select the Configuration tab, and in the Others tab, go to System > Appliance User Management > External AAA.

3. Click the Edit icon. On the Edit External AAA popup window, enter information for the following fields.

Field Description

Protocol Select the protocol type:

◦ TACACS
◦ RADIUS

Auth-Order Select the order of authorization:
◦ local-then-remote
◦ remote-then-local

Action Click to select the AAA action:
◦ Authentication
◦ Accounting
◦ Both

Server (Group of Fields)

◦ Key Enter the password to use to access the server.

◦ IP Address Enter the IP address of the server.

◦ Routing Instance Select the routing instance to use to reach the AAA server.

4. Click OK. The main pane shows the external AAA configuration.

Configure Users and Roles


You can configure Director users and assign them roles using RADIUS, TACACS, or LDAP. This topic provides the file
information required for the respective server types.

The vendor ID assigned to Versa Networks is 42359. It is recommended that you use this ID whenever a third-party
RADIUS vendor looks for the vendor ID attribute for its RADIUS configuration. This is not a Versa Director configuration
requirement.

RADIUS

Alex CleartextPassword:= "versa123"
    VersaRole= "TenantSuperAdmin",
    VersaTenant= GalaxyFoods,
    VersaGUIIdleTimeOut= 20

Tony CleartextPassword:= "versa123"
    VersaRole= "TenantOperator",
    VersaTenant= GalaxyFoods,
    VersaGUIIdleTimeOut= 20

Antony CleartextPassword:= "versa123"
    VersaRole= "TenantADCAdmin",
    VersaTenant= GalaxyFoods,
    VersaGUIIdleTimeOut= 20

Amy CleartextPassword:= "versa123"
    VersaRole= "TenantSecurityAdmin",
    VersaTenant= GalaxyFoods,
    VersaGUIIdleTimeOut= 20

Clark CleartextPassword:= "versa123"
    VersaRole= "ProviderDataCenterAdmin",
    VersaGUIIdleTimeOut= 20

Bill CleartextPassword:= "versa123"
    VersaRole= "ProviderDataCenterOperator",
    VersaGUIIdleTimeOut= 20

TACACS
group = TenantSuperAdminGroup {
login = PAM
service = test{
Versa-Role = "TenantSuperAdmin"
Versa-Tenant = "Galaxy-Foods"
Versa-GUI-Idle-TimeOut = "300"
}
}

group = TenantOperatorGroup {
login = PAM
service = test {
Versa-Role = "TenantOperator"
Versa-Tenant = "Galaxy-Foods"
Versa-GUI-Idle-TimeOut = "300"
}
}

group = TenantSecurityAdminGroup {
login = PAM
service = test {
Versa-Role = "TenantSecurityAdmin"
Versa-Tenant = "Galaxy-Foods"
Versa-GUI-Idle-TimeOut = "300"
}
}

group = TenantADCAdminGroup {
login = PAM
service = test {
Versa-Role = "TenantADCAdmin"
Versa-Tenant = "Galaxy-Foods"
Versa-GUI-Idle-TimeOut = "300"
}
}

group = ProviderDataCenterAdminGroup {
login = PAM
service = test {
Versa-Role = "ProviderDataCenterAdmin"
Versa-GUI-Idle-TimeOut = "300"
}
}

group = ProviderDataCenterOperatorGroup {
login = PAM
service = test {
Versa-Role = "ProviderDataCenterOperator"
Versa-GUI-Idle-TimeOut = "300"
}
}

LDAP

Configuring roles:

dn: cn=ProviderDataCenterAdmin,ou=Roles,dc=test,dc=com
objectClass: top
objectClass: organizationalRole
cn: ProviderDataCenterAdmin

dn: cn=TenantSuperAdmin,ou=Roles,dc=test,dc=com
objectClass: top
objectClass: organizationalRole
cn: TenantSuperAdmin

dn: cn=ProviderDataCenterOperator,ou=Roles,dc=test,dc=com
objectClass: top
objectClass: organizationalRole
cn: ProviderDataCenterOperator

dn: cn=TenantADCAdmin,ou=Roles,dc=test,dc=com

objectClass: top
objectClass: organizationalRole
cn: TenantADCAdmin

dn: cn=TenantSecurityAdmin,ou=Roles,dc=test,dc=com
objectClass: top
objectClass: organizationalRole
cn: TenantSecurityAdmin

dn: cn=TenantOperator,ou=Roles,dc=test,dc=com
objectClass: top
objectClass: organizationalRole
cn: TenantOperator

Configuring tenants:

dn: ou=testOrg,ou=Tenants,dc=test,dc=com
objectClass: top
objectClass: organizationalUnit
ou: testOrg

Configuring users:

dn: cn=org1_user,ou=Users,dc=test,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
cn: org1_user
sn: org1
ou: cn=TenantSuperAdmin,ou=Roles,dc=test,dc=com
userPassword:: e21kNX1OeGJycGpNVXE3K0hJOWVTdi9Jb0lRPT0=

Active Directory

Create groups in Active Directory with prefixes for group names that indicate the type of group, such as Versa Role or
Versa Tenant.

For example:

• for a tenant named Org1, provide the group name as Versa Tenant - Org1
• for the role TenantSuperAdmin, provide group name as Versa Role - TenantSuperAdmin

The older format of group names (without prefixes) is also supported.
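The Active Directory group-naming convention above, resolved into a Director user type, role set and tenant. This is an added example, not Versa's code: the Access type, the validation rules (one tenant per tenant user, no mixing of provider and tenant roles) and the known_tenants parameter used to recognise the older unprefixed format are this example's assumptions, and the group lists in the test are constructed sample data.

```python
import re
from dataclasses import dataclass
from typing import FrozenSet, Iterable, Optional, Tuple

# Director roles named in the "Configure User Authorization" section above.
PROVIDER_ROLES = frozenset({"ProviderDataCenterSystemAdmin",
                            "ProviderDataCenterAdmin",
                            "ProviderDataCenterOperator"})
TENANT_ROLES = frozenset({"TenantSuperAdmin", "TenantOperator",
                          "TenantSecurityAdmin", "TenantADCAdmin"})

# Prefixed group-name format: "Versa Role - <role>" and "Versa Tenant - <org>".
_PREFIXED = re.compile(r"^\s*Versa\s+(Role|Tenant)\s*-\s*(.+?)\s*$", re.IGNORECASE)


@dataclass(frozen=True)
class Access:
    user_type: str          # "provider" or "tenant"
    roles: FrozenSet[str]
    tenant: Optional[str]   # organization for a tenant user, None for a provider user


def classify_group(group: str, known_tenants: FrozenSet[str]) -> Optional[Tuple[str, str]]:
    """Map one group name to ("role", name), ("tenant", name) or None (unrelated group).

    known_tenants is this example's assumption for the older unprefixed format:
    a group named exactly like a Director organization is that tenant, a group
    named exactly like a Director role is that role, anything else is ignored.
    """
    m = _PREFIXED.match(group)
    if m:
        return m.group(1).lower(), m.group(2)
    g = group.strip()
    if g in PROVIDER_ROLES or g in TENANT_ROLES:
        return "role", g
    if g in known_tenants:
        return "tenant", g
    return None


def resolve_access(groups: Iterable[str], known_tenants: Iterable[str] = ()) -> Access:
    """Derive user type, roles and tenant from a user's group membership."""
    known = frozenset(known_tenants)
    roles, tenants = set(), set()
    for g in groups:
        hit = classify_group(g, known)
        if hit is not None:
            kind, name = hit
            (roles if kind == "role" else tenants).add(name)
    unknown = roles - PROVIDER_ROLES - TENANT_ROLES
    if unknown:
        raise ValueError(f"not Director roles: {sorted(unknown)}")
    if not roles:
        raise ValueError("no Versa role group found")
    provider, tenant = roles & PROVIDER_ROLES, roles & TENANT_ROLES
    # Provider users are independent of any organization; tenant users belong to exactly one.
    if provider and tenant:
        raise ValueError("provider and tenant roles cannot be combined")
    if provider:
        if tenants:
            raise ValueError("provider roles must not be paired with a tenant group")
        return Access("provider", frozenset(provider), None)
    if len(tenants) != 1:
        raise ValueError(f"tenant roles need exactly one tenant group, got {sorted(tenants)}")
    return Access("tenant", frozenset(tenant), next(iter(tenants)))
```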

View Active Users


You can view and block specific active users from accessing Versa Director by enforcing system logout.

1. In Director view, go to Administration > Director User Management > Active Users. Select the check box of the
user to logout.

2. Click the Force Logout icon on the top right corner. The active user is logged out, and the login screen displays:

Unlock Users
You can unlock users that were previously locked.

1. In Director view, go to Administration > Director User Management > Locked Users. Select the check box of the
user to be unlocked.

2. Click the Unlock icon on the top right corner.

Configure Roles
After you configure users and user roles in Versa Director, the next action is to map users with roles.

1. In Director view, go to Administration > Director User Management > External SSO role mapping.
2. Click the Edit icon on the top right corner of the Provider User Roles screen.

a. Click the Add icon.
b. Repeat the above to add multiple roles.

Field Description

Customer Role Name of the customer role.

Director Role Role to be associated with the customer role.

3. Click OK.
4. Click the Edit icon on the top right corner of the Tenant User Roles screen.

a. Click the Add icon.
b. Repeat the above to add multiple roles.

Field Description

Customer Role Name of the customer role.

Director Role Role to be associated with the customer role.

5. Click OK. The main pane shows the mapping between users and roles:

Configure User Global Settings


For Releases 20.2 and later.

1. In Director view, select the Administration tab in the top menu bar.
2. Select Director User Management > User Global Settings in the left menu bar.

3. Click the Edit icon. In the Edit User Global Settings popup window, enter information for the following fields.

Field Description

Default Unlock Time Enter the default unlock time, in milliseconds. If a user enters the wrong password too many times and is locked out, the user's account is unlocked after this amount of time has passed.
Default: 900 milliseconds

User Login Attempts Allowed Enter the number of user login attempts that are allowed before the user's account access is locked. Configuring a maximum number of login attempts protects against brute force login attacks.
Default: 3

Reset Password for First-Time Login Click to prompt the user to reset their password when they first log in.

Password Policy Click one or more items to define the password policy.

Expire User Password Click to have the user's password expire.

◦ Days to Expire User Password Enter the number of days to use a password before it expires.
Default: 90 days


Password History Click to store the password history.

◦ Password History Size Enter the number of past passwords that the user is not allowed to reuse.
Default: 3

4. Click OK.

Configure RBAC
Versa Director ships with a default set of provider roles and tenant roles for use with role-based access control
(RBAC). These provider roles and tenant roles are created by default when you create an organization in Versa
Director.

• Provider Roles—Independent of the organization and tenant, and can access other tenant information.
• Tenant Roles—Specific to the tenant, with access to tenant-specific information only.

Multiple roles are created every time you create an organization on Versa Director. You can select the roles of interest
when you create organizations and tenants.

Director supports multitenancy RBAC, which allows you to assign roles to a tenant and extend the same roles to all its
subtenants.

Configure RBAC
You can select the roles when you create an organization or a tenant.

1. In Director view, go to Administration > Organization and click the Add icon to create an Organization/Tenant. This opens the Add Organization window.

2. Select the Supported User Roles tab in the Add Organization window and enter these details:

3. Click OK to save the RBAC configuration for the provider or tenant.

Create Organization and Tenant Users


You cannot create organization or tenant users if you do not select RBAC roles.

1. In Director view, go to Administration > Director User Management > Organization Users. Select an organization
from the Organization list.
2. Click the Add icon to add a user.

Software Release Information
Releases 16.1R2 and later support all content described in this article, except:

• Release 20.2 adds configuration of user global settings.


• Release 20.2.1 adds support for redundant authentication servers for RADIUS, TACACS, LDAP, and Active
Directory.
• Release 21.1 adds support for connecting to Active Directory global catalogs.

Additional Information
Configure AAA (for VOS Devices)
