HP Intelligent Management Center v5.1 TACACS+ Authentication Manager Administrator Guide

HP Intelligent Management Center
TACACS+ Authentication Manager Administrator

Guide
Abstract
This guide contains comprehensive information for network administrators, engineers, and operators working with the TAM
service module.
Part number: 5998-3316

Software version: IMC TAM 5.1 (E0303)
Document version: 5PW100-20120612
Copyright 2012 Hewlett-Packard Development Company, L.P.

No part of this documentation may be reproduced or transmitted in any form or by any means without
prior written consent of Hewlett-Packard Development Company, L.P.
The information contained herein is subject to change without notice.
HEWLETT-PACKARD COMPANY MAKES NO WARRANTY OF ANY KIND WITH REGARD TO THIS
MATERIAL, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
AND FITNESS FOR A PARTICULAR PURPOSE. Hewlett-Packard shall not be liable for errors contained
herein or for incidental or consequential damages in connection with the furnishing, performance, or use
of this material.
The only warranties for HP products and services are set forth in the express warranty statements
accompanying such products and services. Nothing herein should be construed as constituting an
additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.
Acknowledgments
Microsoft and Windows are U.S. registered trademarks of Microsoft Corporation.
Oracle and Java are registered trademarks of Oracle and/or its affiliates.
Contents
1 TACACS+ Authentication Manager overview 1
TAM features 1
TAM functional structure 2
TAM user types 3
Scenario-based authorization 3
Login authorization and command authorization 3
Online user management 4
Log management 4
Login methods and authentication-authorization methods 4
TAM local authentication and authorization 4
LDAP authentication + TAM local authorization 5
2 Device user authentication configuration guide 7

Configuring TAM local authentication and authorization 7
TAM 8
Configuring a device 11
Configuring the PC of the device user 12
Configuring LDAP authentication + TAM local authorization 12
Configuring an LDAP server 13
Configuring TAM 13
Configuring a device 17
Configuring the PC of the device user 18
Comparing the authentication-authorization methods 18
3 Performing device-related configuration 19

Viewing the device list 19
Querying devices 20
Viewing device details 20
Adding a device 21
Importing devices 24
Modifying a device 25
Batch modifying devices 26
Batch deleting devices 27
Modifying the device area and type 27
4 Authorization scenarios 29
Managing device areas 29
Viewing the device area list 29
Viewing device area details 30
Adding a device area 30
Adding a sub-area 31
i
Modifying a device area or a sub-area 31

Deleting a device area or a sub-area 31
Viewing devices in a device area or sub-areas 32
Managing device types 32
Viewing the device type list 33
Viewing device type details 33
Adding a device type 34
Adding a sub-type 34
Modifying a device type or a sub-type 34
Deleting a device type or a sub-type 35
Viewing devices of a device type or sub-types 35
Configuring authorized time range policies 35
Viewing the authorized time range policy list 36
Viewing authorized time range policy details 37
Adding an authorized time range policy 37
Modifying an authorized time range policy 38
Deleting an authorized time range policy 39
5 Authorization command 40
Shell profile 40
Viewing the shell profile list 40
Viewing shell profile details 41
Adding a shell profile 41
Modifying a shell profile 42
Deleting a shell profile 43
Command set 43
Viewing the command set list 44
Viewing command set details 44
Adding a command set 45
Modifying a command set 46
Copying a command set 47
Deleting a command set 48
6 Authorization policy 49
Viewing the authorization policy list 49
Viewing authorization policy details 49
Adding an authorization policy 50
Modifying an authorization policy 52
Deleting an authorization policy 54
7 Managing device users 55

Configuring device user groups 55
Viewing the device user group list 55
Viewing device user group details 56
Adding a device user group 56
ii
Adding a sub-group 57
Modifying a device user group or a sub-group 58
Deleting a device user group or a sub-group 59
Viewing device users in a device user group or sub-group 59
Modifying operator privileges for device user groups 59
Configuring device users 60
Viewing the device user list 60
Querying device users 61
Viewing device user details 63
Adding a device user 64
Importing device users 65
Modifying a device user 67
Batch modifying device users 68
Regrouping device users 69
Batch cancelling device users 69
Configuring the blacklist user function 70
Viewing blacklist users 71
Querying blacklist users 71
Viewing blacklist user details 72
Adding device users to the blacklist 73
Removing device users from the blacklist 73
8 LDAP authentication 75
LDAP Overview 75
Managing LDAP servers 76
Viewing the LDAP server list 76
Viewing LDAP server details 77
Adding an LDAP server 79
Testing connectivity to an LDAP server 81
Modifying LDAP server settings 81
Deleting an LDAP server 83
Managing LDAP synchronization policies 83
Viewing the LDAP synchronization policy list 83
Viewing LDAP synchronization policy details 84
Adding an LDAP synchronization policy 85
Modifying an LDAP synchronization policy 87
Deleting an LDAP synchronization policy 88
Executing an LDAP synchronization policy 89
Managing users bound to an LDAP synchronization policy 89
Validating on-demand synchronization policies 90
Managing LDAP users 90
Viewing LDAP users 90
Querying LDAP users 92
Viewing LDAP user details 92
iii
Binding device users with an LDAP synchronization policy 94

Unbinding users with an LDAP synchronization policy 95
Synchronizing LDAP users 95
Modifying LDAP user information 96
Cancelling LDAP users 96
Adding an LDAP user to the blacklist 97
Releasing an LDAP user from the blacklist 98
Exporting LDAP users 98
Batch operations for LDAP users 99
9 Managing online users 100

Viewing the online user list 100
Querying online users 101
Basic query 101
Advanced query 101
Viewing online user details 102
Clearing online user information 103
Adding an online user to the blacklist 104
Releasing a blacklisted user 104
10 Managing logs 105

Managing authentication logs 105
Viewing the authentication log list 105
Querying authentication logs 106
Viewing authentication log details 108
Exporting authentication logs 109
Managing authorization logs 109
Viewing the authorization log list 110
Querying authorization logs 111
Viewing authorization log details 113
Exporting authorization logs 114
Managing audit logs 114
Viewing the audit log list 115
Querying audit logs 115
Viewing audit log details 117
Exporting audit logs 118
11 Configuring global system settings 120

Configuring system parameters 120
Configuring system operation log parameters 121
Validating the system configuration 122
12 Support and other resources 123

Contacting HP 123
Subscription service 123
Related information 123
iv
Documents 123
Websites 123
Conventions 124
About HP IMC documents 124
Index 126
1 TACACS+ Authentication Manager overview

To centrally manage network maintainers, HP delivers the TACACS+ Authentication Manager (TAM).
TAM operates based on the IMC platform to provide authentication, authorization, and auditing for
network maintainers. After TAM is deployed on the IMC server, the server is capable of performing
TACACS+ authentication.
TAM supports the following services:
AuthenticationAuthenticates maintainers to make sure that only valid maintainers can log in to
devices.
AuthorizationAssigns different device management privileges to different maintainers, so they

can perform only authorized operations on devices.
AuditAudits maintainers by monitoring and recording their online behaviors.
CollaborationCooperates with the mainstream TACACS+ supporting devices, such as HP

devices, H3C devices, and Cisco devices.
TAM features
Reliable identity authentication
Authentication by account name and password.
Multiple password transmission methods, such as PAP, CHAP, and ASCII, to satisfy different
network scenarios.
LDAP authentication by LDAP servers such as Windows AD, OpenLDAP, and third-party mail
systems that support the LDAP protocol.
Simple user management
User typeSupports two user types, common device user and LDAP user. Different types of users
are suitable for different network scenarios.
Batch operationSupports abundant batch operations, such as batch open/cancel/modify

accounts.
BlacklistAdds suspicious device users to the blacklist to prevent attacks.
User groupAssigns users of the same type to one group for unified management, reducing device
maintenance work for operators and facilitating operator privilege assignment.
Online user monitoringMonitors information about online users, including the login device IP,
user IP, and online duration.
LoggingRecords the authentication, authorization, and audit logs for device users, helping
operators to monitor user logins and audit their device management behaviors.
1
Strict and refined user privilege control
Scenario-based authorizationAuthorizes device users according to different access scenarios.

Three elements define a scenario: login time, login device IP, and login device type.
Login authorization and command authorizationLogin authorization controls login behaviors of

device users. Command authorization specifies the commands that device users can execute.
Limit on the number of concurrent users of one account.
High-performance, expansible deployment solutions
Two installation environments: "PC server + Windows + SQL Server" and "PC server + Linux +
Oracle."
Distributed deployment.
TAM functional structure

TAM functions based on the device user + authorization policy structure. See Figure 1.
Figure 1 TAM functional structure
A device user is a network maintainer that uses account name and password to log in to manage a
device. An authorization policy is a set of rules that control device user privileges.
An authorization policy defines multiple access scenarios, which correspond to different authorization
rules. When a device user logs in to manage a device, TAM authorizes the device user according to the
authorization rule defined in the access scenario that the device user matches.
An authorization policy can be applied to a device user or a device user group. A device user preferably
uses the authorization policy specified for it. If no authorization policy is specified for the device user, it
uses the authorization policy of the user group to which it belongs.
TAM user types

TAM contains the following types of users:
Common device usersA common device user that uses an account name and password for
authentication. TAM saves and maintains user information.
LDAP usersAn LDAP user is a TAM device user bound with an LDAP policy. When TAM receives
a user authentication request, it delivers the account name and password to the LDAP server for
authentication. LDAP user information is saved in both the LDAP server and the TAM server. The
LDAP server maintains user information. TAM periodically synchronizes user information from the
LDAP server. If a network already uses an LDAP server to manage users, HP recommends using
LDAP users when deploying the TAM system to the network.
Scenario-based authorization
TAM supports access scenario-based authorization. An authorization policy defines multiple access
scenarios. When a device user logs in to manage a device, if the device user matches a scenario, TAM
authorizes the device user according to the rule defined in the matching scenario.
Login authorization and command authorization

TAM assigns an authorization policy to perform login authorization and command authorization for a
device user.
Login authorizationTAM uses shell profiles to control login behaviors of device users. A shell
profile specifies these authorization items: ACL, auto run command, privilege level, user-defined
attributes, idle time, and timeout.
Command authorizationTAM uses command sets to control the commands that a user can
execute. When a user executes a command, TAM determines whether to allow the user to execute
the command according to the command set that the user matches.
Online user management

Use this function to view basic information about users that have logged in to a device, and trace the
online behaviors of the users.
Log management
Logs include authentication logs, authorization logs, and audit logs. These logs record the device login,
usage, and logoff behaviors of device users. Operators can query the logs for auditing device users.
Login methods and authentication-authorization

methods
A TAM authentication system comprises TAM, managed devices, and device users.
TAM supports authenticating and authorizing the device users who log in to the devices through these
methods:
Telnet
Console
SSH
FTP
TAM local authentication and authorization
LDAP authentication + TAM local authorization.
To log in to a device, a device user only needs to use the client software (corresponding to the login mode)
to initiate a login request.
Refer to the following information for details about the authentication-authorization methods.
TAM local authentication and authorization

The device to which a user wants to log in sends the user account name and password to TAM. TAM
authenticates the user to allow or deny user login. If the user is permitted login to the device, TAM
performs
login
authorization
and
command
authorization
for
the
user.
The
entire
authentication-authorization exchange process is performed over the TACACS+ protocol.

Device user information and the authorization policy assigned to the device user are all saved in the TAM
local database.
Figure 2 TAM local authentication and authorization
In Figure 2, PCs in blue represent the PCs used by device users, and Devices in blue represent the
manageable devices.
In TAM local authentication-authorization mode, when a device user logs in to manage a device, the
TAM server performs authentication for the device user. If the device user passes authentication, the TAM
server uses a locally saved authorization policy to perform login authorization and command
authorization for the device user.
LDAP authentication + TAM local authorization

The device to which a user wants to log in sends the user account name and password to the TAM server,
which then sends the information to the LDAP server for authentication. The LDAP server sends the
authentication result back to the TAM server. TAM permits or denies user login to the device according
to the authentication result.
If the user is permitted login to the device, TAM performs login authorization and command authorization
for the user. The device and the TAM server use the TACACS+ protocol to exchange packets with each
other. The TAM server and the LDAP server use the LDAP protocol to exchange packets with each other.
The device user information is saved in the LDAP server. The authorization policies for device users are
saved in the TAM local database.
Figure 3 LDAP authentication and TAM authorization
In Figure 3, PCs in blue represent the PCs used by device users, and Devices in blue represent the
manageable devices.
In the LDAP authentication + TAM authorization mode, when a device user logs in to manage a device,
the TAM server sends the authentication request to the LDAP server over the LDAP protocol and the LDAP
server authenticates the user.
If the device user passes authentication, the TAM server uses a locally saved authorization policy to
perform login authorization and command authorization for the device user.
2 Device user authentication configuration

guide
TAM supports the following login methods:
Telnet
Console
SSH
FTP
TAM supports the following authentication and authorization methods:
TAM local authentication and authorizationThe device to which a user wants to log in sends the
user account name and password to TAM. TAM authenticates the user to allow or deny user login.
If the user is permitted login to the device, TAM performs login authorization and command
authorization for the user.
LDAP authentication and TAM local authorizationThe device to which a user wants to log in
sends the user account name and password to the TAM server, which then sends the information to
the LDAP server for authentication. The LDAP server sends the authentication result to the TAM
server. TAM permits or denies user login to the device according to the authentication result. If the
user is permitted login to the device, TAM performs login authorization and command authorization
for the user.
A login method and an authentication-authorization method work together to implement user

authentication and authorization. TAM supports authenticating and authorizing users who log in to the
devices through Telnet, console, and SSH.
For device users logging in through FTP, TAM supports only authentication.
Configuring TAM local authentication and

authorization
Configure TAM local authentication and authorization on TAM, the device, and the PC used by the
device user, respectively. Figure 4 shows the recommended configuration procedure.
Figure 4 Recommended TAM local authentication and authorization configuration procedure
TAM
HP recommends that you configure TACACS+ authentication and authorization in this order:
1.
Add a device.
2.
Add an authorization scenario.
3.
Add authorization command.
4.
Add an authorization policy.
5.
Add a device user.
Adding a device
A device can cooperate with TAM to implement TACACS+ authentication and authorization only when
the device is added to TAM.
HP recommends that you first add devices to TAM because:
Device is an element in an authorization scenario. Adding devices is a must to configure an

authorization scenario.
Different devices might use different command sets. After you add a device, you can configure a
command set for the device.
To enter the page for configuring devices, select Service > TACACS+ AuthN Manager > Device List. See
Figure 5. For more information, see "Performing device-related configuration."
Figure 5 Entering the page for configuring devices
Adding an authorization scenario

An authorization scenario includes three elements: device area, device type, and access period, which
work together to define one scenario. Scenarios with one element different are considered different
scenarios. TAM authorizes device users according to different scenarios.
To enter the page for configuring authorization scenarios, select Service > TACACS+ AuthN Manager >
Authorization Scenarios. See Figure 6. For more information, see "Authorization scenarios."
Figure 6 Entering the page for configuring authorization scenarios
Adding authorization command

TAM uses authorization command sets to control the commands that a user can use. An authorization
command includes shell profiles and command sets.
A shell profile controls login behaviors of device users, such as the privilege level and the command that
can be automatically executed. A command set controls commands that a device user can execute after
login.
To enter the page for configuring an authorization command, select Service > TACACS+ AuthN
Manager > Authorization Command. See Figure 7. For more information, see "Authorization
command."
Figure 7 Entering the page for configuring an authorization command
Adding an authorization policy

An authorization policy defines multiple access scenarios and defines an authorization command for
each scenario. When a device user logs in to manage a device, if the device user matches a scenario,
the device user is controlled by the corresponding authorization command (shell profile and command
set).
To enter the page for configuring authorization policies, select Service > TACACS+ AuthN Manager >
Authorization Policies. See Figure 8. For more information, see "Authorization policy."
Figure 8 Entering the page for configuring authorization policies
Adding a device user

device.
To enter the page for configuring device users, select User > Device User View > All Device Users. See
Figure 9. For more information, see "Managing device users."
10
Figure 9 Entering the page for configuring a device user
Configuring a device
When you configure a device, the following order is recommended:
1.
Creating a TACACS+ scheme.
2.
Creating a domain.
3.
Configuring scheme authentication and enabling command line authorization and accounting.
Creating a TACACS+ scheme

A device cooperates with the TAM server to implement TACACS+ authentication according to the
configured TACACS+ scheme. Follow these guidelines when you configure a TACACS+ scheme:
The IP address specified for the AAA server in the TACACS+ scheme must be the IP address of the
TAM server.
The shared key, authentication, authorization, and accounting ports specified in the TACACS+
scheme must be the same as those configured on the TAM server.
If you specify the nas-ip in the TACACS+ scheme, configure the IP address of the device as the
nas-ip on TAM. If you do not specify the nas-ip in the TACACS+ scheme, configure the IP address
of the device as the IP address of the interface that connects the device to the TAM server on TAM.
Creating a domain
The scheme used in a domain for login, raising the right, and command line authorization must be the
TACACS+ scheme that you have just created.
Configuring scheme authentication and enabling command line authorization and accounting
Configure the scheme authentication on different interfaces for different login methods.
Enable command line authorization and accounting on different interfaces according to different login
methods.
Configuration example
Take an HP A series device or H3C device as an example. The command lines needed for TACACS+
authentication and authorization are as follows:
11
<Device>system-view
[Device]hwtacacs scheme test
[Device-hwtacacs-test]primary authentication 192.168.0.96 49
[Device-hwtacacs-test]primary authorization 192.168.0.96 49
[Device-hwtacacs-test]primary accounting 192.168.0.96 49
[Device-hwtacacs-test]key authentication hello
[Device-hwtacacs-test]key authorization hello
[Device-hwtacacs-test]key accounting hello
[Device-hwtacacs-test]nas-ip 190.12.0.2
[Device-hwtacacs-test]user-name-format without-domain
[Device-hwtacacs-test]quit
[Device]domain tel
[Device-isp-tel]authentication login hwtacacs-scheme test
[Device-isp-tel]authentication super hwtacacs-scheme test
[Device-isp-tel]authorization login hwtacacs-scheme test
[Device-isp-tel]authorization command hwtacacs-scheme test
[Device-isp-tel]accounting login hwtacacs-scheme test
[Device-isp-tel]accounting command hwtacacs-scheme test
[Device-isp-tel]quit
[Device]user-interface vty 0 4
[Device-ui-vty0-4]authentication-mode scheme
[Device-ui-vty0-4]command authorization
[Device-ui-vty0-4]command accounting
Configuring the PC of the device user

A user only needs to log in to the device by using the related client software.
Configuring LDAP authentication + TAM local

authorization
Configure LDAP authentication and TAM local authorization on the LDAP server, the device, and the PC
used by the device user, respectively. Figure 10 shows the recommended configuration procedure.
12
Figure 10 Recommended LDAP authentication and TAM local authorization configuration procedure
Configuring an LDAP server

Create device user data.
device.
Configuring TAM
HP recommends that you configure TACACS+ authentication and authorization by following this order:
1.
Add a device.
2.
Add an authorization scenario.
3.
Add authorization command.
4.
Add an authorization policy.
5.
Add an LDAP user.
6.
Add an LDAP synchronization policy.
Adding a device
A device can cooperate with TAM to implement TACACS+ authentication and authorization only when
the device is added to TAM.
HP recommends that you first add devices to TAM because:
Device is an element in an authorization scenario. Adding devices is a must to configure an

authorization scenario.
Different devices might use different command sets. After you add a device, you can configure a
command set for the device.
To enter the page for configuring devices, select Service > TACACS+ AuthN Manager > Device List. See
Figure 11. For more information, see "Performing device-related configuration."
13
Figure 11 Entering the page for configuring devices
Adding an authorization scenario

An authorization scenario includes three elements: device area, device type, and access period, which
work together to define one scenario.
Scenarios with one element different are considered different scenarios. TAM authorizes device users
according to different scenarios.
To enter the page for configuring authorization scenarios, select Service > TACACS+ AuthN Manager >
Authorization Scenarios. See Figure 12. For more information, see "Authorization scenarios."
Figure 12 Entering the page for configuring authorization scenarios
Adding authorization command

TAM uses authorization command sets to control the commands that a user can use.
An authorization command includes shell profiles and command sets.
A shell profile controls login behaviors of device users.
A command set controls commands that a device user can execute after login.
14
To enter the page for configuring an authorization command, select Service > TACACS+ AuthN
Manager > Authorization Command. See Figure 13. For more information, see "Authorization
command."
Figure 13 Entering the page for configuring an authorization command

An authorization policy defines multiple access scenarios and defines an authorization command for
each scenario.
When a device user logs in to manage a device, if the device user matches a scenario, the device user
is controlled by the corresponding authorization command (shell profile and command set).
To enter the page for configuring authorization policies, select Service > TACACS+ AuthN Manager >
Authorization Policies. See Figure 14. For more information, see "Authorization policy."
Figure 14 Entering the page for configuring authorization policies
Adding an LDAP server

Add an LDAP server on TAM, and configure the parameters for logging in to the LDAP server. After the
LDAP server is created, TAM can read device user data from the LDAP server.
15
To enter the page for configuring the LDAP server, click the Service tab, and select TACACS+ AuthN
Manager > LDAP Service > LDAP Servers from the navigation tree. See Figure 15. For more information,
see "Managing LDAP servers."
Figure 15 Entering the page for configuring LDAP servers
Adding an LDAP synchronization policy

Create LDAP synchronization policies on TAM so TAM can periodically synchronize device user data
from the LDAP server. You can also manually synchronize device user data from the LDAP server at any
time.
To enter the page for configuring LDAP synchronization policies, click the Service tab, and select
TACACS+ AuthN Manager > LDAP Service > Sync Policies from the navigation tree. See Figure 16. For
more information, see "Managing LDAP synchronization policies."
16
Figure 16 Entering the page for configuring LDAP synchronization policies
Configuring a device
When you configure a device, the following order is recommended:
1.
Creating a TACACS+ scheme.
2.
Creating a domain.
3.
Configuring scheme authentication and enabling command line authorization and accounting.
Creating a TACACS+ scheme

A device cooperates with the TAM server to implement TACACS+ authentication according to the
configured TACACS+ scheme. Follow these guidelines when you configure a TACACS+ scheme:
The IP address specified for the AAA server in the TACACS+ scheme must be the IP address of the
TAM server.
The shared key, and the authentication, authorization, and accounting ports specified in the
TACACS+ scheme must be the same as those configured on the TAM server.
If you specify the nas-ip in the TACACS+ scheme, configure the IP address of the device as the
nas-ip. If you do not specify the nas-ip in the TACACS+ scheme, configure the IP address of the
device as the IP address of the interface that connects the device to the TAM server.
Creating a domain
The scheme used in a domain for login, raising the right, and command line authorization must be the
TACACS+ scheme that you have just created.
Configuring scheme authentication and enabling command line authorization and accounting
Configure the scheme authentication on different interfaces for different login methods.
17
Enable command line authorization and accounting on different interfaces according to different login
methods.
Configuration example
Take an HP A series or H3C device as an example. The command lines needed for TACACS+
authentication and authorization are as follows:
<Device>system-view
[Device]hwtacacs scheme test
[Device-hwtacacs-test]primary authentication 192.168.0.96 49
[Device-hwtacacs-test]primary authorization 192.168.0.96 49
[Device-hwtacacs-test]primary accounting 192.168.0.96 49
[Device-hwtacacs-test]key authentication hello
[Device-hwtacacs-test]key authorization hello
[Device-hwtacacs-test]key accounting hello
[Device-hwtacacs-test]nas-ip 190.12.0.2
[Device-hwtacacs-test]user-name-format without-domain
[Device-hwtacacs-test]quit
[Device]domain tel
[Device-isp-tel]authentication login hwtacacs-scheme test
[Device-isp-tel]authentication super hwtacacs-scheme test
[Device-isp-tel]authorization login hwtacacs-scheme test
[Device-isp-tel]authorization command hwtacacs-scheme test
[Device-isp-tel]accounting login hwtacacs-scheme test
[Device-isp-tel]accounting command hwtacacs-scheme test
[Device-isp-tel]quit
[Device]user-interface vty 0 4
[Device-ui-vty0-4]authentication-mode scheme
[Device-ui-vty0-4]command authorization
[Device-ui-vty0-4]command accounting
Configuring the PC of the device user

A user only needs to log in to the device by using the related client software.
Comparing the authentication-authorization

methods
The configuration for "TAM local authentication and authorization" and that for "LDAP authorization and
TAM local authorization" have the following similarities and differences:
Device and PC configurations are the same because devices and PCs do not need to be aware of
the authentication and authorization processes.
The device, authorization scenario, authorization command, and authorization policy

configurations on TAM are the same.
For TAM local authentication, you need to create device users on TAM. For LDAP authentication,
you need to perform LDAP configuration such as configuring the LDAP server and synchronization
policies on TAM, which can synchronize device user information from the LDAP server.
18
3 Performing device-related configuration

A "device", in the context of this information, refers to a network device that users log in to manage. A
device can cooperate with TAM to implement TACACS+ authentication and authorization only when the
device is added to TAM.
Device in TAM is an element in an authorization scenario. Adding devices is a must to configure an
authorization scenario. For more information about authorization scenarios, see "Authorization
scenarios."
Different devices might use different command sets. After adding a device, configure a command set for
the device. For more information about authorization command set, see "Authorization command."
Viewing the device list

To view the device list:
1.
Click the Service tab.
2.
Select TACACS+ AuthN Manager > Device List from the navigation tree.
The Device List displays all devices.
Device list contents
Device NameDevice label, which links to the device details page.

If the device is managed by the IMC Platform, this field is the same as the Device Label parameter
on the IMC Platform.
If the device is manually added to TAM without being managed by the IMC Platform, this field is
empty.
Device IPIP address.

If the device is managed by the IMC Platform, this field displays the management IP address of the
device.
If the device is manually added to TAM without being managed by the IMC Platform, this field
displays the IP address manually entered.
Device ModelDevice vendor and model.

If the device is managed by the IMC Platform, this field is the same as the Device Model parameter
on the IMC Platform.
If the device is manually added to TAM without being managed by the IMC Platform, this field is
empty.
Device AreaArea to which a device belongs.

One device can belong to multiple areas, which are separated by colons (;).
Device area is an important part of an authorization scenario. For more information, see
"Managing device areas."
Device TypeDevice type.

One device can only belong to one type.
Device type is an important part of an authorization scenario. For more information, see
"Managing device types."
19
Configuration InformationProvides the Details icon
ModifyClick the Modify icon
to the details page of a device.
to modify the device.
Navigating the device list
Click
to page forward in the device list.
Click
to page forward to the end of the device list.
Click
to page backward in the device list.
Click
to page backward to the front of the device list.
Click 8, 15, 50, 100, or 200 on the upper right side of the main pane to configure how many items per
page you want to view.
Querying devices
To query devices:
1.
2.
3.
Enter or select one or multiple of the following query criteria:
Device IP Range From/ToEnter an IP address range for a device. You must enter a complete
IPv4 address in each field.
If you only enter the start IP address, the range is from the start IP address to
255.255.255.255.
If you only enter the end IP address, the range is from 0.0.0.0 to the end IP address.
If you enter both the start IP address and end IP address, the range is from the start IP address
to the end IP address. The end IP address must be no smaller than the start IP address.
Device AreaClick the

icon. The Select Device Area window appears. Select an area and
click OK. To delete a device area, click .
If a device area has sub-areas, the device area and all its sub-areas are queried.
Device area is an important part of an authorization scenario. For more information, see
"Managing device areas."
Device TypeClick the

icon. The Select Device Type window appears. Select a device type
and click OK. To delete a device type, click . Device type is an important part of an
authorization scenario. For more information, see "Managing device types."
If a field is empty, this field does not serve as a query criterion.

4.
Click Query.
The Device List displays all devices matching the query criteria.
5.
To clear the query criteria, click Reset.

The Device List will display all devices.
Viewing device details

To view detailed information about a device:
20
1.
2.
3.
Click the Details link
4.
of an access device to view its details.
Device NameDevice label. If the device is managed by the IMC Platform, this field is the
same as the Device Label parameter on the IMC Platform. If the device is manually added to
TAM without being managed by the IMC Platform, this field is empty.
Device IPIP address. If the device is managed by the IMC Platform, this field displays the
management IP address of the device. If the device is manually added to TAM without being
managed by the IMC Platform, this field displays the IP address manually entered.
Device ModelDevice vendor and model. If the device is managed by the IMC Platform, this
field is the same as the Device Model parameter on the IMC Platform. If the device is manually
added to TAM without being managed by the IMC Platform, this field is empty.
Shared KeyUsed for the device and TAM to authenticate each other. The value must be the
same as what is configured on the device at the command line interface (CLI).
Authentication PortUsed by TAM to listen for authentication, authorization, and accounting
packets. The default value is 49. The value must be the same as what is configured on the
device at the CLI.
Device AreaArea to which a device belongs. One device can belong to multiple areas,
which are separated by colons (;). Device area is an important part of an authorization
scenario. For more information, see "Managing device areas."
Device TypeDevice type. One device can only belong to one type. Device type is an
important part of an authorization scenario. For more information, see "Managing device
types."
Single ConnectionIncludes the Supported and Not Supported options. The former indicates
that TAM supports establishing multiple sessions in one TCP connection when communicating
with the device. The latter indicates that TAM supports establishing only one session in one TCP
connection when communicating with the device. The configuration of this field must be the
same as what is configured on the device at the CLI.
WatchdogIncludes the Supported and Not Supported options. The former indicates that
TAM keeps the online status and duration of an online device user by receiving Watchdog
packets sent by the device. The latter indicates that TAM does not keep the online status and
duration of an online device user because it does not receive Watchdog packets sent by the
device.
DescriptionDescription of the device for easy maintenance.
To return to the command set list, click Back.
Adding a device
To add a device:
1.
2.
3.
Click Add in the Device List area.

The page for adding a device appears.
21
4.
Configure the following common parameters in the Device Configuration area:
5.
Shared KeyEnter a shared key, which is used for the device and TAM to authenticate each
other. The value must be the same as what is configured on the device at the CLI.
Authentication PortEnter the port for TAM to listen for authentication, authorization, and
accounting packets. The port must be the same as what is configured on the device at the CLI.
The default is 49.
Device AreaClick the Device Area icon
. The Select Device Area window appears. Select
one or multiple areas and click OK. To delete a device area, click . Device area is an
areas."
Device TypeClick the Device Type icon . The Select Device Type window appears. Select a
device type and click OK. To delete a device type, click . Device type is an important part of
an authorization scenario. For more information, see "Managing device types."
Single ConnectionSelect Supported or Not Supported from the list. The former indicates that
TAM supports establishing multiple sessions in one TCP connection when communicating with
the device. The latter indicates that TAM supports establishing only one session in one TCP
same as what is configured on the device at the CLI. If the device supports single connections,
you can enable or disable this feature on the device. If you enable this feature on the device,
use Supported in TAM. If you disable this feature on the device, use Not Supported in TAM. If
the device does not support single connections, HP recommends that you use Supported.
WatchdogSelect Supported or Not Supported from the list. The former indicates that TAM
keeps the online status and duration of an online device user by receiving Watchdog packets
sent by the device. The latter indicates that TAM does not keep the online status and duration
of an online device user because it does not receive Watchdog packets sent by the device. If
the device does not support sending Watchdog packets, or the device supports Watchdog but
sending Watchdog packets is disabled, use Not Supported. If the device supports sending
Watchdog packets, and sending Watchdog packets is enabled, use Supported.
DescriptionDescription of the device for easy maintenance.
Click Select in Device List to select devices from the IMC Platform.
You can choose to select access devices from the IMC Platform as described in this step, manually
add access devices as described in step 6, or perform both operations.
You cannot add devices by selecting devices from the Device List in the following cases:
The nas-ip command is configured at the CLI and the device IP in the IMC platform is not the
IP address configured in the nas-ip command.
The nas-ip command is not configured at the CLI and the device IP in the IMC platform is not
the IP address of the interface that connects the device to TAM.
You can select devices by view or by advanced query.

Selecting devices by view
a. Click the By View tab. The view options include IP View, Device View, and Custom View.
b. Click
of the target view to expand the view, and then click a sub-view. All devices in the
sub-view appear in the Devices Found list on the right.
To add one or more devices from the Devices Found list to the Selected Devices list, select the
devices and click
. To add all the found devices to the Selected Devices list, click
22
To remove one or more devices from the Selected Devices list, select the devices and click
. To remove all the devices from the Selected Devices list, click
.
Selecting devices by advanced query
c.
Click the Advanced tab.
d. Enter or select one or multiple of the following query criteria:
Device IPEnter an IPv4 address. If you select Exact Query, enter a complete IPv4 address. If
not, you can enter only a portion of an IP address. For example, if you enter 192, all the
devices with IP addresses containing 192 are matched.
Device IP ListClick the
link. The Device IP List Configuration window appears. Enter one
or more IP addresses in the Input Device IP field and click Add. If you enter multiple IP
addresses, press Enter every time you enter an IP address. To delete an IP address, select the
IP address in the Device IP List and click Delete. To complete adding IP addresses, click OK. To
delete all IP addresses, click .
Device LabelEnter a partial or complete name. TAM supports fuzzy matching for this filed.
For example, if you enter s55, all devices with device labels containing s55 are matched.
Device StatusSelect a device status from the list.
Device CategorySelect a device category from the list.
Device SeriesSelect a device series from the list.
ContactEnter the contact information. TAM supports fuzzy matching for this field. For
example, if you enter bob, all devices with contact information containing bob are matched.
LocationEnter the location information. TAM supports fuzzy matching for this field. For
example, if you enter lab, all devices with location information containing lab are matched.
Device ReachabilitySelect a device reachability status from the list.
e. Click Query. All devices matching the query criteria appear in the Devices Found list on the
right.
To add one or more devices from the Devices Found list to the Selected Devices list, select the
devices and click
. To add all the found devices to the Selected Devices list, click
To remove one or more devices from the Selected Devices list, select the devices and click
.
To remove all the devices from the Selected Devices list, click
f.
Click OK to return to the page for adding devices. The added devices appear in the Device List.
g. Click Clear All in Device List to remove all the devices from the device list. You can click the
icon of a device to delete the device.

6.
Manually add devices:

If the nas-ip command is configured on the device, the imported device IP must be the same as
what is configured on the device. If the nas-ip command is not configured on the device at the CLI,
the imported device IP must be the same as the IP address of the interface that connects the device
to TAM.
a. Click Add Manually in the Device List area.
b. Enter the start and end IP addresses.
When you enter the two IP addresses, follow these guidelines:

The IPv4 addresses must be complete.
23
The start IP address cannot be higher than the end IP address.

The two IP addresses must be on the same network with a 24-bit mask, which means the first
three octets of the IP addresses must be the same.
c.
Click OK to return to the page for adding devices. The added devices appear in the Device List.
d. Click Clear All in Device List to remove all the devices from the device list. You can click the
icon of a device to delete the device.

7.
Click OK. The configuration result page appears.
8.
To return to the device list, click Back.
Importing devices
To import devices in batches:
1.
2.
Select TACACS+ AuthN Manager > Device List from the navigation tree. The Device List displays all
devices.
3.
Click Batch Import in the Device List area.
4.
Click Browse next to the Import File field. The Choose File window appears. Browse to the target
file that contains the device information. The file must be a text file with columns separated by
delimiters. The system automatically populates the field with the file path and name.
5.
Column SeparatorSelect the column separator used as the delimiter in the file. Available options
include Space, Tab, comma (,), colon (:), pound (#), and dollar sign ($).
6.
Click Next. The Basic Information page appears.
Device IPIP address of the device. If the nas-ip command is configured on the device at the
CLI, the imported device IP must be the same as what is configured on the device. If the nas-ip
command is not configured on the device at the CLI, the imported device IP must be the same
as the IP address of the interface that connects the device to TAM. This field must be imported
from the file to be imported. You must select column n as the device IP.
Shared KeyShared key, which is used for the device and TAM to authenticate each other. The
value must be the same as what is configured on the device at the CLI. Select the column in the
file that contains the shared key, or select Not Import from File to manually set the same shared
key for all imported devices.
Authentication PortPort for TAM to listen for authentication, authorization, and accounting
packets. The port must be the same as what is configured on the device at the CLI. Select the
column in the file that contains the authentication port, or select Not Import from File to
manually set the same authentication port for all imported devices. You can also use the default
value 49.
Device AreaArea to which a device belongs. Select the column in the file that contains the
device area. To import multiple device areas, separate the device areas with semicolons (;). If
the value of a line of column n contains a device area that does not exist in TAM, the device on
this line fails to be imported. Select Not Import from File to manually select the same device
area for all imported devices. To select a device area, click the Device Area icon
. The Select
Device Area window appears. Select one or multiple device areas and click OK. To delete a
device area, click . Device area is an important part of an authorization scenario. For more
information, see "Managing device areas."
Device TypeModel and type of the device. Select the column in the file that contains the
device type. If the value of a line of column n contains a device type that does not exist in TAM,
24
the device on this line fails to be imported. Select Not Import from File to manually select the
same device type for all imported devices. To select a device type, click the Device Type icon
. The Select Device Type window appears. Select a device type and click OK. To delete a
device type, click . Device type is an important part of an authorization scenario. For more
information, see "Managing device types."
Single ConnectionIdentifies whether the device supports single connections. Supported

indicates that TAM supports establishing multiple sessions in one TCP connection when
communicating with the device. Not Supported indicates that TAM supports establishing only
one session in one TCP connection when communicating with the device. The configuration of
this field must be the same as what is configured on the device at the CLI. If the device supports
single connections, you can enable or disable this feature on the device. If you enable this
feature on the device, use Supported in TAM. If you disable this feature on the device, use Not
Supported in TAM. If the device does not support single connections, HP recommends that you
use Supported. Select the column in the file that contains the single connection option. The
value of the column can only be Supported or Not Supported. Select Not Import from File to
manually select the options. Select Supported or Not Supported from the list.
WatchdogIdentifies whether the device supports sending Watchdog packets. Supported
indicates that TAM keeps the online status and duration of an online device user by receiving
Watchdog packets sent by the device. Not Supported indicates that TAM does not keep the
online status and duration of an online device user because it does not receive Watchdog
packets sent by the device. If the device does not support sending Watchdog packets, or the
device supports Watchdog but sending Watchdog packets is disabled, use Not Supported. If
the device supports sending Watchdog packets, and sending Watchdog packets is enabled,
use Supported. Select the column in the file that contains the Watchdog option. The value of
the column can only be Supported or Not Supported. Select Not Import from File to manually
select the options. Select Supported or Not Supported from the list.
DescriptionDescription of the device. Select the column in the file that contains the
description or select Not Import from File and manually enter the same description for all
imported devices.
To view the first 10 devices imported according to your settings, click Preview. To close the
Preview window, click Close.
7.
8.
Click OK to import devices. Importing many devices takes time. After importing devices is
complete, the system displays the number of devices that have been successfully imported and
failed to be imported. If any device failed to be imported, the Download link appears. You can
click the link to save or open an error log, which records the reasons for importing failures.
9.
Modifying a device
Operators can modify a device at any time. However, if a device user is online, modifying the device
might affect user management of the device. HP recommends that operators modify a device after all
users go offline.
To modify a device:
1.
2.
3.
Click the Modify icon
for the device you want to modify.

25
The page for modifying devices appears.

4.
Configure the following common parameters in the Device Configuration area:
5.
Device IPIP address of the device, which cannot be modified.

. The Select Device Area window appears. Select
one or multiple areas and click OK. To delete a device area, click . Device area is an
areas."
device type and click OK. To delete a device type, click . Device type is an important part of
an authorization scenario. For more information, see "Managing device types."
same as what is configured on the device at the CLI. If you do not know whether the device
supports single connection or not, HP recommends that you use Supported.
DescriptionEnter a description of the device for easy maintenance.
Click OK.
Batch modifying devices

Operators can modify devices at any time. However, if a device user is online, modifying the device
might affect user management of the device. HP recommends that operators modify devices in batches
after all users go offline.
To modify devices in batches:
1.
2.
3.
Select one or more boxes before the device names. Click Batch Modify in the Device List area.
The page for modifying devices appears.
26
4.
The default is 49.
same as what is configured on the device at the CLI. If you do not know whether the device
supports single connection or not, HP recommends that you use Supported.
DescriptionEnter a description for the device to aid maintenance.
Click OK.
The configuration result page appears, which displays the number of devices that have been
successfully modified and failed to be modified.
5.
Batch deleting devices

You cannot delete devices that have online users.
To delete devices in batches:
1.
2.
3.
Select one or more boxes before the device names. Click Batch Delete in the Device List area. A
confirmation dialog box appears.
4.
Click OK.
The configuration result page appears, which displays the number of devices that have been
successfully deleted and failed to be deleted.
5.
Modifying the device area and type

Modifying the device area and type does not affect the shell profile for the online users (users that have
logged in to the device). If modifying the device area and type results in the authorization scenario
change of the online users, the users are controlled by the command set corresponding to the new
scenario.
Assume authorization scenario A and B are configured for an authorization policy. Scenario A contains
device area S that contains device D. Scenario B contains device area T. A user is controlled by the
command set corresponding to scenario A after logging in to device D.
27
When the user is online, move device D from area S to area T. After the modification, the user belongs
to scenario B, rather than scenario A, and controlled by the command set corresponding to scenario B.
For more information about authorization scenarios, see "Authorization scenarios." For more information
about authorization command, see "Authorization command." For more information about authorization
policy, see "Authorization policy."
To modify the area and type to which a device belongs:
1.
2.
3.
Select one or more boxes before the device names. Click Move Device in the Device List area.
The page for modifying device areas and types appears.
4.

. The Select Device Area window appears. Select one
or multiple areas and click OK. To delete a device area, click . Device area is an important part
of an authorization scenario. For more information, see "Managing device areas."
5.
device type and click OK. To delete a device type, click . Device type is an important part of an
authorization scenario. For more information, see "Managing device types."
6.
Click OK. The configuration result page appears, which displays the number of devices that have
been successfully moved and failed to be moved.
7.
28
4 Authorization scenarios
An authorization policy defines one or multiple authorization scenarios, and assigns each scenario one
shell profile and one command set. Administrators can assign authorization policies to individual device
users or device user groups. When a device user logs in to manage a device, TAM matches the user with
a scenario and applies the shell profile and command set of the scenario to the user for device
management.
An authorization scenario is identified by the combination of the following three elements:
Device areaArea to which the device belongs. Operators can divide device areas by location or
network layer of the device.
Device TypeType of the device. Command lines provided by devices of different types may be
different.
Authorized time rangeTime range during which a user logs in to manage the device.
TAM can authorize device users with different device login and management privileges according to the
device area, device type, and authorized time range.
Managing device areas

Operators can classify device areas by various criteria, for example, location or network layer. TAM
supports hierarchical management of device areas. You can divide a level-1 (top level) device area into
one or multiple level-2 device areas.
TAM supports a device area hierarchy of at most 5 levels. Two device areas in adjacent levels are
referred to as parent area and child area, respectively. For example, a level-1 device area is the parent
area of all its level-2 areas, and the level-2 device areas are the child areas of the level-1 device area.
A device area can contain only devices or sub-areas. If a device area already contains a device, you
cannot add sub-areas for it. If a device area has a sub-area, you cannot add devices to the device area.
TAM can authorize device users with different device login and management privileges according to the
device area.
Viewing the device area list

To view the device area list:
1.
2.
Select TACACS+ AuthN Manager > Authorization Scenarios > Device Areas from the navigation
tree.
The Device Area List displays all device areas.
Device area list contents
Area NameDevice area name, which must be unique in TAM. Click the name link of a device
area to view its details.
DescriptionDescription of the device area.
Device ListClick the Device List icon

29
for a device area to view its device list.
Add Sub-AreaClick the Add Sub-Area icon

adding a sub-area.
for a device area to enter the page for
to enter the page for modifying a device area.
DeleteClick the Delete icon

to delete a device area. The Delete icon
for device areas that have no sub-areas.
is available only
Expanding and collapsing the device area list
Click the Expand All icon
in the device area list area to expand the Device Area List in a
tree structure. Click the Collapse All icon
Click the Expand icon

Click the Collapse icon
to collapse the Device Area List.
next to the Area Name field to expand the associated device area.
next to the Area Name field to collapse the associated device area.
If a device area carries an icon

next to the Area Name field, it contains sub-areas. If a device
area carries an icon next to the Area Name field, it contains no sub-areas.
3.
Click Refresh in the Device Area List area to update the device area list.
Viewing device area details

To view a device area details:
1.
2.
tree.
3.
Click the name link of a device area to enter the device area details page.
4.
Area NameDevice area name.

Parent Area NameParent area name of the device area. For a level-1 device area that has no
parent area, this field is displayed as two hyphens (--).
DescriptionDescription of the device area.
Click Back to return to the Device Area List.
Adding a device area

You can add up to 256 device areas (including sub-areas) in TAM.
To add a device area:
1.
2.
tree.
3.
Click Add in the Device Area List area.

The Add Device Area page appears.
4.
Configure device area information:
Area NameEnter a device area name, which must be unique in TAM.

Parent Area NameDo not need to configure. For a level-1 device area that has no parent
area, this field is displayed as two hyphens (--).
30
5.
DescriptionEnter a brief description of the device area for easy maintenance.
Click OK.
Adding a sub-area
You can add up to 256 device areas (including sub-areas) in TAM.
You cannot add a sub-area for a device area that contains devices. To do so, move the devices to another
device area first.
To add a sub-area for a device area:
1.
2.
tree.
3.
Click the Add Sub-Area icon
4.
Configure sub-area information:
5.
for the device area to which you want to add a sub-area.

Parent Area NameThe system automatically populates this field with the parent area name of
the sub-area.
DescriptionEnter a brief description of the sub-area for easy maintenance.
Click OK.
Modifying a device area or a sub-area

To modify a device area or a sub-area:
1.
2.
tree.
3.

page.
4.
Modify the device area information:
5.
for the target device area or sub-area to enter the Modify Device Area
Parent Area NameCannot be modified.
DescriptionEnter a brief description of the device area for easy maintenance.
Click OK.
Deleting a device area or a sub-area

You cannot delete the following device areas:
A device area used by an authorization policy. To delete such a device area, modify the
authorization policy to cancel their associations first. For more information about modifying an
authorization policy, see "Modifying an authorization policy."
31
A device area that contains a device or a sub-area. To delete such a device area, move the device
to another area, or delete the sub-area first. For more information about moving a device between
device areas, see "Modifying the device area and type."
To delete a device area or a sub-area:

1.
2.
tree.
3.
Click the Delete icon
4.
Click OK.
for the device area or sub-area you want to delete.
Viewing devices in a device area or sub-areas

If you view devices of a device area that contains sub-areas, TAM displays all devices contained in the
sub-areas of the device area.
To view the devices in a device area (or those in its sub-areas):
1.
2.
tree.
3.
Click the Device List icon
of a device area.
The Device List page appears. In the Query Devices area, TAM automatically sets the selected
device area as the query criteria and displays in the Device List the query result, which includes all
devices contained in the device area or those in its sub-areas. For more information about the
device list, see "Viewing the device list."
Managing device types

Device type refers to the vendors and types of the devices.
A network may comprise devices from different vendors or of different types, and these devices support
different command lines. Operators need to assign different command sets to device users for them to
manage devices of different types. A usual practice is as follows:
1.
Categorize the devices in TAM by device type.
2.
Configure the authorization policy to authorize to device users different command sets based on
device type. For information about configuring an authorization policy, see "Authorization
policy."
With the previous configuration, after a user logs in to a device, TAM can perform command line
authorization for the user based on the device type.
TAM supports hierarchical management of devices by device type. A level-1 (top level) device type can
be further divided into multiple level-2 device types, and a maximum of 5 device type levels can be
created. Two device types in adjacent levels are referred to as parent type and child type, respectively.
For example, a level-1 device type is the parent type of all its level-2 types, and the level-2 device types
are the child types of the level-1 device type.
32
Viewing the device type list

To view the device type list:
1.
2.
Select TACACS+ AuthN Manager > Authorization Scenarios > Device Types from the navigation
tree.
The Device Type List displays all device types.
Device type list contents
Type NameDevice type name, which must be unique in TAM. Click the name link of a device
type to view its details.
DescriptionDescription of the device type. Assign descriptive information for easy
maintenance.
Device ListClick the Device List icon
for a device type to view its device list.
Add Device Sub-TypeClick the Add Device Sub-Type icon

page for adding a sub-type for the device type.
type.
for a device type to enter the
for a device type to enter the page for modifying the device

for a device type to delete the device type. The Delete icon
is available only for device types that have no sub-types.
Expanding and collapsing the device type list
Click the Expand All icon
in the device type list area to expand the Device Type List in a
tree structure. Click the Collapse All icon
to collapse the device type list.
To expand a specific device type, click the Expand icon

the Collapse icon
to collapse the device type.
next to the Type Name field. Click
If a device type carries an icon

next to the Type Name field, it contains sub-types. If a device
type carries an icon next to the Type Name field, it does not contain any sub-type.
3.
Click Refresh in the Device Type List area to update the device type list.
Viewing device type details

To view detailed information about a device type:
1.
2.
tree.
3.
Click the name link of a device type to enter the Device Type Information page.
Device type details contents
4.
Type NameName of the device type.

Parent Type NameName of the parent device type. For a level-1 device type that has no
parent type, this field is displayed as two hyphens (--).
DescriptionDescription of the device type.
Click Back to return to the Device Type List.

33
Adding a device type

You can add up to 256 device types (including sub-types) in TAM.
To add a device type:
1.
2.
tree.
3.
Click Add in the Device Type List area.

The Add Device Type page appears.
4.
Configure basic information about the device type:
5.
Type NameEnter a device type name, which must be unique in TAM.

Parent Type NameDo not need to configure. A level-1 device type has no parent type, and
this field is displayed as two hyphens (--).
DescriptionEnter a brief description of the device type for easy maintenance.
Click OK.
Adding a sub-type
You can add up to 256 device types (including sub-types) in TAM.
To add a sub-type for a device type that contains a device, change the type of the device first.
To add a sub-type for a device type:
1.
2.
tree.
3.
Click the Add Device Sub-Type icon
4.
Configure the sub-type information:
5.
of the device type to which you want to add a sub-type.

Parent Type NameThe system automatically populates this field with the parent type name of
the sub-type.
DescriptionEnter a brief description of the sub-type for easy maintenance.
Click OK.
Modifying a device type or a sub-type

You cannot modify a device type that contains a device.
To modify a device type or a sub-type:
1.
2.
tree.
34
3.
of the device type or sub-type you want to modify.
The Modify Device Type page appears.

4.
5.
Modify the device type information:
Parent Type NameCannot be modified.
DescriptionEnter a brief description of the device type for easy maintenance.
Click OK.
Deleting a device type or a sub-type

You cannot delete the following device types:
A device type or sub-type used by an authorization policy. To delete such a device type, modify the
authorization policy to cancel their associations first. For information about modifying an
authorization policy, see "Modifying an authorization policy."
A device type that contains a device or sub-type. To delete such a device type, first change the type
of the device or delete the sub-type. For more information about changing the device type of a
device, see "Modifying the device area and type."
To delete a device type or a sub-type:

1.
2.
tree.
3.
4.
Click OK.
for the device type or sub-type you want to delete.
Viewing devices of a device type or sub-types

If you view devices of a device type that contains sub-types, TAM displays all devices contained in the
sub-types of the device type.
To view the devices of a device type (or those in its sub-types):
1.
2.
tree.
3.
Click the Device List icon
of a device type.
The Device List page appears. In the Query Devices area, TAM automatically sets the selected
device type as the query criteria and displays in the Device List the query result, which includes all
devices contained in the device type and or those in its sub-types. For more information about the
device list, see "Viewing the device list."
Configuring authorized time range policies

TAM allows you to configure authorized time range policies. A device user is controlled by different
authorized time range policies when accessing and managing the devices at different times.
35
TAM applies an authorized time range policy to a device user if the device user accesses and manages
the device at a time after the policy takes effect, before the policy expires, and within a time range
defined in the policy.
For example, if an authorized time range policy takes effect on 2012-1-1 and expires on 2013-12-31,
and the time range is 10:00 to 12:00 every morning, a device user who accesses the network from
10:00 to 12:00 every morning in 2012 will be controlled by the policy.
The following describes how the authorized time range works with the shell profile and the command set
to control device user behaviors:
A device user's login time determines the shell profile to be applied to the device user. Each time a
device user logs in to the device, TAM determines the authorized time range of the user according
to the login time, and applies to the user the shell profile corresponding to the authorized time
range until the user logs off.
For example, if you configure two authorized time ranges, A (8:00 to 10:00 every morning) and
B (10:30 to 11:00 every morning), when a device user logs in to the device at 9:00 a.m., TAM
applies the shell profile configured for authorized time range A to the user.
TAM continues to use authorized time range A as long as the device stays online, even after
authorized time range A expires (10:40, for example). However, if the user logs off and then
re-logs in at 10:45, the shell profile configured for authorized time range B applies. For
information about shell profiles, see "Shell profile."
A command's execution time determines the command set to be applied. Each time a device user
issues a command, TAM determines the authorized time range of the operation according to the
command execution time, and allows or denies the user according to the command set configured
for the authorized time range.
For example, if you configure two authorized time ranges, A (8:00 to 10:00 every morning) and
B (10:30 to 11:00 every morning), when a device user issues a command at 9:00, TAM
determines whether to carry out this command according to the command set configured in
authorized time range A.
If a user issues a command at 10:40, TAM determines whether to carry out this command
according to the command set configured in authorized time range B. For more information about
command sets, see "Command set."
Viewing the authorized time range policy list

To view the authorized time range policy list:
1.
2.
Select TACACS+ AuthN Manager > Authorization Scenarios > Authorized Time Range Policies
from the navigation tree.
The Authorized Time Range Policy List displays all authorized time range policies.
Authorized time range policy list contents
Policy NameAuthorized time range policy name, which must be unique in TAM. Click the
name link of an authorized time range policy to enter the authorized time range policy details
page.
Effective Time/Expiration TimeEffective time range of the authorized time range policy.
for an authorized time range policy to modify the policy.

for an authorized time range policy to delete the policy.
36
3.
Click Refresh in the Authorized Time Range List area to update the authorized time range list.
Viewing authorized time range policy details

To view authorized time range policy details:
1.
2.
3.
Click the name link of an authorized time range policy to enter the authorized time range policy
details page.
Basic Information
Policy NameAuthorized time range policy name.
Effective Time/Expiration TimeEffective time range of the authorized time range policy.
DescriptionDescription of the authorized time range policy.
Authorized time range Information
TypeThe authorized time range types include Once, By Year, By Month, By Week, and By
Day. The Once type displays the start time and end time in the format of YYYY-MM-DD
hh:mm:ss, and takes effect only once. The By Year type displays the start time and end time in
the format of MM-DD hh:mm:ss, and takes effect within this time range every year. The By
Month type displays the start time and end time in the format of DD hh:mm:ss, and takes effect
within this time range every month. The By Week type displays the start time and end time in
the format of Day hh:mm:ss, and takes effect within this time range every week. The By Day
type displays the start time and end time in the format of hh:mm:ss, and takes effect within this
time range every day.
Start Time/End TimeThe authorized time range.
If you configure multiple time ranges, the authorized time range policy takes the union of all time
ranges. For example, if you configure two time ranges, A (10:00 to 11:00 every morning) and B
(10:30 to 12:00 every morning), the final effective authorized time range is 10:00 to 12:00 every
morning.
4.
Click Back to return to Authorized Time Range Policy List.
Adding an authorized time range policy

To add an authorized time range policy:
1.
2.
3.
Click Add in the Authorized Time Range Policy List area.

The page for adding an authorized time range policy appears.
4.
Configure basic information:
Policy NameEnter the authorized time range policy name, which must be unique in TAM.
37
5.
Effective Time/Expiration TimeClick the Calendar icon

to specify the effective time
range for the policy. Or, enter the effective time range in the format of YYYY-MM-DD hh:mm.
DescriptionEnter a brief description of the authorized time range policy for easy
maintenance.
Configure authorized time range information:

a. Click Add in the Authorized Time Range Information area.
The Authorized Time Range Policy Information window appears.

b. Select an authorized time range type.
The authorized time range types include Once, By Year, By Month, By Week, and By Day.
c.
Specify the start time and end time.

If you select the Once type, specify the start time and end time in the format of YYYY-MM-DD
hh:mm:ss. If you select the By Year type, specify the start time and end time in the format of
MM-DD hh:mm:ss. If you select the By Month type, specify the start time and end time in the
format of DD hh:mm:ss. If you select the By Week type, specify the start time and end time in
the format of Day hh:mm:ss. If you select the By Day type, specify the start time and end time
in the format of hh:mm:ss.
d. Click OK.
e. To delete a time range, click the Delete icon
for the time range.
If you configure multiple time ranges, the authorized time range policy takes the union of all
time ranges. For example, if you configure two time ranges, A (10:00 to 11:00 every morning)
and B (10:30 to 12:00 every morning), the final effective authorized time range is 10:00 to
12:00 every morning.
6.
Click OK.
Modifying an authorized time range policy

The following describes how the modifications to an authorized time range policy affect online users
(device users who have logged in to the devices):
A modification does not affect the shell profiles that have been authorized to the online users.
If a modification to the authorized time range policy results in an authorization scenario change to
an online user, the command set configured for the new scenario applies to the user.
For example, suppose an authorization policy contains scenarios A and B. Scenario A includes
authorized time range T (8:00 to 10:00 in the morning) and command set X. Scenario B includes
authorized time range M (6:00 to 12:00 in the morning) and command set Y.
Scenario A has a higher priority than Scenario B. If a user logs in to the device at 8:30 a.m.,
authorization scenario A applies and the user is controlled by command set X.
If you change the authorized time range T to "8:00 to 9:00" at 9:30, then authorization scenario B
instead of A applies to the user, and the user is controlled by command set Y. For more information about
authorization policies, see "Authorization policy."
To modify an authorized time range policy:
1.
2.
Select TACACS+ AuthN Manager > Authorization Scenarios > Authorized time range Policies from
the navigation tree.
38
3.
On the authorized time range policy list, click the Modify icon
of an authorized time range
policy to enter the page for modifying the authorized time range policy.
4.
Modify basic information:
5.
Policy NameEnter the authorized time range policy name, which must be unique in TAM.
Effective Time/Expiration TimeClick the Calendar icon
to specify the effective time
range for the policy. Or, enter the effective time range in the format of YYYY-MM-DD hh:mm.
DescriptionEnter a brief description of the authorized time range policy for easy
maintenance.
Modify authorized time range information:

a. Click Add in the Authorized time range Information area.
The Authorized time range Policy Information dialog box appears.

b. Select an authorized time range type.
The authorized time range types include Once, By Year, By Month, By Week, and By Day.
c.
Specify the start time and end time.

If you select the Once type, you must specify the start time and end time in the format of
YYYY-MM-DD hh:mm:ss; if you select the By Year type, you must specify the start time and end
time in the format of MM-DD hh:mm:ss; if you select the By Month type, you must specify the
start time and end time in the format of DD hh:mm:ss; if you select the By Week type, you must
specify the start time and end time in the format of Day hh:mm:ss; if you select the By Day type,
you must specify the start time and end time in the format of hh:mm:ss.
d. Click OK.
e. To delete a time range, click the Delete icon
in the time range.
If you configure multiple time ranges, the union of all the time ranges is taken. For example, if
you configure two time ranges, A (10:00 to 11:00 every morning) and B (10:30 to 12:00
every morning), the time range 10:00 to 12:00 every morning is taken.
6.
Click OK.
Deleting an authorized time range policy

An authorized time range policy that has already been referenced by an authorization policy cannot be
deleted. To do so, modify the authorization policy to cancel the association first.
To delete an authorized time range policy:
1.
2.
3.
for the target authorized time range policy.
A confirmation dialog box appears.

4.
Click OK.
39
5 Authorization command
An authorization policy comprises authorization scenarios and authorization command. Users can log in
to manage devices in different scenarios.
Authorization command defines the rights that can be authorized to a user. Authorization scenarios and
authorization command work together to authorize a user when the user logs in to the manage devices
in different scenarios.
Authorization command comprises shell profiles and command sets. A shell profile controls the ACL,
automatically executed command, authorization level, custom attributes, idle time, and timeout for device
user login. A command set defines the commands that a device user can execute after login.
Shell profile
To implement shell profile control on login users, configure a shell profile on the TAM server and enable
authorization on the device.
Before a device user logs in to the device, the user is authenticated first. After the user passes the
authentication, if login authorization is enabled on the device, the TAM server controls the ACL,
automatically executed command, authorization level, custom attributes, idle time, and timeout of the
user by shell profile.
When a shell profile works together with an authorized time range to control device users, the login time
applies. When a device user logs in to the device, the TAM server determines the authorized time range
where the user is in according to the login time of the user and uses the shell profile corresponding to this
authorized time range to control the user.
The shell profile always applies until the user logs out. Assume that you have configured two authorized
time ranges A (08:00 to 10:00) and B (10:30 to 11:00). When a user logs in to the device at 09:00,
the shell profile corresponding to authorized time range A applies as long as the user stays online. If the
user goes offline at 10:45 and goes online again, the shell profile corresponding to authorized time
range B applies.
For more information about authorized time range configuration, see "Configuring authorized time
range policies."
Viewing the shell profile list

To view the shell profile list:
1.
2.
Select TACACS+ AuthN Manager > Authorization Command > Shell Profiles from the navigation
tree.
The Shell Profile List displays all shell profiles.
Shell profile list contents
Shell Profile NameName of the shell profile. Click the name to view its details.
ACLACL that controls whether a user can log in to the device. ACL rules must be configured
on the device.
40
3.
Auto RunCommands that can be automatically executed after user login.

Privilege LevelA privilege level corresponds to the default command set that a user can use
after login. Privilege levels vary depending on vendors. For more information, see the
configuration guide of the device.
to modify the shell profile.

to delete the shell profile.
To view the latest shell profile list, click Refresh.
Viewing shell profile details

To view shell profile details:
1.
2.
tree.
3.
Click the name link of a shell profile to enter the shell profile details page.
4.
Shell Profile NameName of the shell profile.

ACLACL, which controls whether a user can log in to the device. If the request sent by the user
for logging in to the device matches the permit rule of the ACL, the user can log in to the device.
If it matches the deny rule of the ACL, the user cannot log in to the device. ACL rules must be
configured on the device.
Privilege LevelA privilege level corresponds to the default command set that a user can use
after login. Privilege levels vary depending on vendors. For more information, see the
Idle TimeMaximum idle time after user login. If a user does not perform any operation within
the idle time, the user is forced to log out.
TimeoutDuration that a user can manage the device after login. If the timeout is reached, the
user is forced to log out.
Auto RunCommands that can be automatically executed after user login.
Custom AttributeAttributes applied to a user when the user logs in to the device. Custom
attributes vary depending on vendors. For more information, see the configuration guide of the
device.
DescriptionDescription of the shell profile.
To return to the shell profile list, click Back.
Adding a shell profile

To add a shell profile:
1.
2.
tree.
3.
Click Add in the Shell Profile List area.
4.
Shell Profile NameEnter the shell profile name, which must be unique.
41
5.
ACLEnter an ACL ID or name.

An ACL controls whether a user can log in to the device. ACL rules must be configured on the
device. TAM deploys only the ACL number or name. If the request sent by a user for logging in to
the device matches the permit rule of the ACL, the user can log in to the device. If it matches the
deny rule of the ACL, the user cannot log in to the device.
6.
Privilege LevelSelect a privilege level.

A privilege level corresponds to the default command set that a user can use after login. Users
cannot view and execute the commands not in the command set. Privilege levels vary depending
on vendors. HP recommends that you see the configuration guide of the device and select a
privilege level from privilege levels 0 through 15 provided by TAM.
7.
Enter the idle time.

If a user does not perform any operation within the idle time, the user is forced to log out.
8.
Enter the timeout.

Duration that a user can manage the device. If the timeout is reached, the user is forced to log out.
9.
Enter the command to be automatically executed after user login.

Only one automatically executed command can be configured.
10.
Click Add Attribute.

A text box appears. Enter a custom attribute. For example, enter ftp-directory=flash:/ if you want
the user to use the default directory flash:/ after logging in to the device through FTP. To delete a
configured attribute, click Delete. To add another attribute, click Add Attribute again. You can add
up to five attributes. Custom attributes vary depending on vendors. For more information, see the
11.
DescriptionEnter a description for the shell profile to aid maintenance.
12.
Click OK.
Modifying a shell profile

Modifying a shell profile does not affect online users (users that have logged in to the device). The ACL,
automatically executed command, privilege level, custom attribute, idle time, and timeout are not
changed when a shell profile is changed. A new shell profile takes effect only when an online user logs
out and logs in again.
To modify a shell profile:
1.
2.
tree.
3.

appears.
for the shell profile you want to modify. The Modify Shell Profile page
4.
Enter the shell profile name, which must be unique in TAM.
5.
Enter the ACL.

An ACL controls whether a user can log in to the device. ACL rules must be configured on the
device. TAM deploys only the ACL number or name. If the request sent by a user for logging in to
the device matches the permit rule of the ACL, the user can log in to the device. If it matches the
deny rule of the ACL, the user cannot log in to the device.
42
6.
Select a privilege level.

A privilege level corresponds to the default command set that a user can use after login. Users
cannot view and execute the commands not in the command set. Privilege levels vary depending
on vendors. HP recommends that you see the configuration guide of the device and select a
privilege level from privilege levels 0 through 15 provided by TAM.
7.
Enter the idle time.

If a user does not perform any operation within the idle time, the user is forced to log out.
8.
Enter the timeout.

Duration that a user can manage the device. If the timeout is reached, the user is forced to log out.
9.
Enter the command to be automatically executed.

The command is automatically executed after user login. Only one command is supported.
10.
Click Add Attribute.

A text box appears. Enter a custom attribute. For example, you only need to enter
ftp-directory=flash:/ if you want the user to use the default directory flash:/ after the user logs in
to the device through FTP. To delete the configured attribute, click Delete. To add another attribute,
click Add Attribute again. You can add up to five attributes. Custom attributes vary depending on
vendors. For more information, see the configuration guide of the device.
11.
Enter a description for the shell profile to aid maintenance.
12.
Click OK.
Deleting a shell profile

You cannot delete a shell profile that is being used by an authorization policy. To delete the shell profile,
remove the association between the shell profile and the authorization policy.
To delete a shell profile:
1.
2.
tree.
3.
for the shell profile you want to delete.

4.
Click OK.
Command set
A command set defines commands that can be executed and cannot be executed by device users.
To implement command set control on login users, configure a command set on the TAM server and
enable command authorization on the device.
After a device user logs in to the device, the user sends a request to the TAM server every time the user
executes a command. The TAM server determines whether the user can execute the command according
to the command set defined in the authorization policy and notifies the device whether the user can
execute the command or not.
When a command set works together with an authorized time range to control device users, the
command execution time applies. When a device user executes a command, the TAM server determines
43
the authorized time range where the user is in according to the command execution time of the user and
determines whether the user can execute the command according to the command set corresponding to
the authorized time range. Assume that you configure two authorized time ranges A (08:00 to 10:00)
and B (10:30 to 11:00). When a user executes a command at 09:00, the command set corresponding
to authorized time range A applies. The command set corresponding to authorized time range B applies
no matter whether the user stays online or logs in again after logs out when a user executes a command
at 10:40. For more information about authorized time range configuration, see "Configuring authorized
time range policies."
Viewing the command set list

To view the command set list:
1.
2.
Select TACACS+ AuthN Manager > Authorization Command > Command Sets from the navigation
tree.
The Command Set List displays all command sets.
Command set list contents
Command Set NameName of the command set. Click the name to view its details.
DescriptionDescription of the command.
CopyClick the Copy icon
3.
To view the latest command set list, click Refresh.
to modify the command set.

to delete the command set.
to copy the command set.
Viewing command set details

To view command set details:
1.
2.
tree.
3.
Click the name link of a command set to enter the command set details page.
Basic Information
Command Set NameName of the command set.

Default Authorization TypeThe values can be Permit or Deny. Permit means a device user can
use commands not in the command set. Deny means a user cannot use commands not in the
command set.
DescriptionDescription of the command set.
Command Set Information

Each line in a command set list defines a rule, which permits or denies a user to execute one or
more commands.
AuthorizationAuthorization type, which can be Permit or Deny. Permit means a user can
execute the command displayed on this line. Deny means a user cannot execute the command
displayed on this line.
44
4.
NameName of the command. For example, the name of the display current-configuration
command is display.
ParametersCommand parameters. For example, the parameter of the display
current-configuration command is current-configuration. If this field is displayed as *, any
parameter of the command is matched.
PriorityThe priorities of all commands in the command set are displayed in descending order.
If a command executed by a user matches multiple rules, the rule with the highest priority
applies.
To return to the command set list, click Back.
Adding a command set

To add a command set:
1.
2.
tree.
3.
Click Add in the Command Set List area.
4.
Configure the basic information:
5.
Command Set NameEnter the name of the command set, which must be unique in TAM.
Default Authorization TypeThe values can be Permit or Deny. Permit means a device user can
use commands not in the command set. Deny means a user cannot use command not in the
command set.
DescriptionEnter a description for the command set to aid maintenance.
Configure the command set information.

Each line in a command set list defines a rule, which permits or denies a user to execute one
command or multiple commands defined by *.
a. Click Add in the Command Set Information area.
b. Select Permit or Deny from the Authorization list.
c.
Enter a command name, which is usually the keyword of the command. For example, the name
of the display current-configuration command is display. When you configure a command
name in TAM, you must enter the complete name of the command. For example, you cannot
enter dis or disp for the display keyword. However, when you enter a command on the device,
you can enter part of a keyword. For example, you can enter disp for the display keyword.
d. Enter the command parameters. You can enter one or more parameters. For example, the
parameter of the display current-configuration command is current-configuration. When you

configure a parameter in TAM, you must enter the complete parameter. For example, you
cannot enter cur or current for current-configuration. However, when you enter a command
parameter on the device, you can enter part of a parameter. For example, you can enter
current for current-configuration. In addition, you can enter * or keep the Parameters field
empty. * means to match any parameter. Empty means to match no parameter.
e. Click OK.
f.
Click the icon

or
to raise or decrease the priority of the rule. If the command you
execute matches multiple rules, the rule with the highest priority applies.
g. Click the Modify icon
for the target rule. Repeat steps b through e.

45
h. To delete a rule, click the

6.
icon for the target rule.
Click OK.
Modifying a command set

A command set immediately takes effect on online users (users that have logged in to the device)
controlled by the command set, which means the modified command set is used to determine the
commands that can be executed by the online users.
To modify a command set:
1.
2.
tree.
3.

appears.
4.
Modify basic information:
5.
for the command set you want to modify. The Modify Command Set page
Default Authorization TypeSelect Permit or deny. Permit means a device user can use
commands not in the command set. Deny means a user cannot use commands not in the
command set. After you configure the authorization mode of a command, the priority of the
configured authorization type takes precedence over the default authorization type.
Modify command set information:

c.
enter dis or disp. However, when you enter a command on the device, you can enter part of
a keyword. For example, you can enter disp, for display.

e. Click OK.
f.
Click the icon

or
h. To delete a rule, click the Delete icon
46
for the target rule.
6.
Click OK.
Copying a command set

Copying a command set allows you to create a similar command set, reducing the workload.
To copy a command set:
1.
2.
tree.
3.
Click the Copy icon
for the command set you want to copy.
The Add Command Set page appears. The command set name is Copy+source command set.
Other fields are the same as the source command set. You simply need to modify the content to
create a new command set.
4.
Modify the basic information:
5.
Default Authorization TypeSelect Permit or deny. Permit means a device user can use
commands not in the command set. Deny means a user cannot use commands not in the
command set. After you configure the authorization mode of a command, the priority of the
configured authorization type takes precedence over the default authorization type.
Modify the command set information:

c.
enter dis or disp. However, when you enter a command on the device, you can enter part of
a keyword. For example, you can enter disp for display.

e. Click OK.
f.
Click the icon

or
h. To delete a rule, click the delete icon

6.
Click OK.
47
for the target rule.
Deleting a command set

You cannot delete a command set that is being used by an authorization policy. To delete the command
set, remove the association between the command set and the authorization policy.
To delete a command set:
1.
2.
tree.
3.
for the command set you want to delete.

4.
Click OK.
48
6 Authorization policy
An authorization policy defines multiple authorization scenarios, and assigns each scenario one shell
profile and one command set. Scenarios in the same authorization policy have different priorities.
Administrators can assign authorization policies to individual device users or device user groups.
When a device user matches one scenario in an authorization policy, TAM applies the shell profile and
command set of the scenario to the user for device management. If the device user matches multiple
scenarios, TAM applies the highest-priority scenario settings to the user. For more information about shell
profiles and command sets, see "Authorization command."
An authorization scenario is identified by the combination of the following elements: device area, device
type, and authorized time range. For more information about authorization scenarios, see
"Authorization scenarios."
Viewing the authorization policy list

To view the authorization policy list:
1.
2.
Select TACACS+ AuthN Manager > Authorization Policies from the navigation tree.
The Authorization Policy List displays all authorization policies.
Authorization Policy List contents
3.
Policy NameName of the authorization policy, which must be unique in TAM. Click the name
link of an authorization policy to view its details.
DescriptionDescription of the authorization policy.
to modify the authorization policy.

to delete an authorization policy.
Click Refresh in the Authorization Policy List area to update the authorization policy list.
Viewing authorization policy details

To view detailed information about an authorization policy:
1.
2.
3.
Click the name link of an authorization policy to enter the authorization policy details page.
Basic Information
Authorization Policy NameName of the authorization policy.
DescriptionDescription of the authorization policy.
Access Authorization Info

Each entry in the Access Authorization Info list represents a separate authorization rule, which
defines the shell profile and command set to be applied to the login users in a specific scenario.
49
4.
Device Area/Device Type/Authorized Time RangeThe combination of the three parameters

uniquely identifies an authorization scenario. A user matches the scenario only when the user
logs in to a device of the specified device type on the device area within the authorized time
range. For more information about configuring device areas, see "Managing device areas."
For more information about configuring device types, see "Managing device types." For more
information about configuring authorized time ranges, see "Configuring authorized time range
policies."
Shell ProfileControls login behaviors of the device user who matches the scenario. For more
information about shell profiles, see "Shell profile."
Authorization Command SetSet of all authorized commands for the device user who
matches the scenario to execute after login. For more information about configuring command
sets, see "Command set."
PriorityPriority of the authorization rule and its scenario. The authorization rules and
scenarios are listed in descending order of priority. If a user matches multiple scenarios, TAM
applies the shell profile and command set defined in the scenario with the highest priority to the
user.
Click Back to return to the Authorization Policy List.

To add an authorization policy:
1.
2.
3.
Click Add in the Authorization Policy List area.

The Add Authorization Policy page appears.
4.
Configure basic information for the authorization policy:
5.
Authorization Policy NameEnter the authorization policy name, which must be unique in
TAM.
DescriptionEnter a brief description of the authorization policy for easy maintenance.
Configure authorization rules for the authorization policy: predefined, user-defined, or both.
Each entry in the Access Authorization Info list represents a separate authorization rule, which
defines the shell profile and command set to be applied to the login users in a specific scenario.
The authorization rules and scenarios are listed in descending order of priority. If a user matches
multiple scenarios, TAM applies the shell profile and command set defined in the scenario with the
highest priority to the user.
Modifying the predefined authorization rule
The Access Authorization Info list contains a predefined authorization rule that always has the
lowest priority. The rule applies to users who match no user-defined authorization rules. With the
default setting, the rule prohibits users from logging in to any device and executing any command.
Operators cannot delete the rule, but can modify its settings.
To modify the predefined authorization rule:
a. Click the Modify icon
for the rule.
The Modify Access Authorization window appears.

b. Modify the following parameters for the rule:
50
The Device Area, Device Type, and Access Period fields cannot be modified.
Shell ProfileSelect a shell profile, Deny, or Default Device Configuration from the list. The
shell profile controls login behaviors of the device user who matches the rule. With the Deny
option, the device denies user logins. With the Default Device Configuration option, the device
applies the default settings configured at the CLI to the user, including the access control list,
commands for automatic execution, authorization level, user-defined attributes, idle time, and
timeout timer.
Authorization Command SetSelect an authorization command set, Unlimited, or Forbid from
the list. The command set includes all authorized commands for the user to execute after login.
The Unlimited option allows the user to execute any command. The Forbid option prohibits the
user from executing any command.
c.
Click OK.
To add a user-defined authorization rule:

d. Click Add in the Access Authorization Info area.
The Add Access Authorization window appears.

e. Define the scenario by setting the device area, device type, and authorized time range. A
device user matches the scenario only when the user logs in to a device of the specified device
type on the device area within the authorized time range.
Device AreaClick the Select Device Area icon
next to the Device Area field. The Select
Device Area window appears. Select a device area or Unlimited, and then click OK. The
device area specifies the range of devices to be matched in the scenario. If you select
Unlimited, any device area matches the scenario. Click the Clear icon
to clear your
selection.
Device TypeClick the Select Device Type icon
next to the Device Type field. The Select
Device Type window appears. Select a device type or Unlimited, and then click OK. The device
type specifies the type of devices to be matched in the scenario. If you select Unlimited, any
device type matches the scenario. Click the Clear icon
to clear your selection.
Authorized Time RangeSelect an authorized time range or Unlimited from the list. This
parameter specifies the login time range to be matched in the scenario. If you select Unlimited,
any time range matches the scenario.
f.
Select the shell profile and command set for the rule:
timeout timer.
The Unlimited option allows the user to execute any command. The Forbid option prohibits the
user from executing any command.
g. Click OK.
h. Repeat the previous steps to add more authorization rules as needed. You cannot add two
authorization rules with the same device area, device type, and authorized time range.
i.
Adjust the priorities for the authorization rules as needed:

Move UpClick the Move Up icon
for an authorization rule to raise its priority.

51
Move DownClick the Move Down icon
for an authorization rule to reduce its priority.
If a device user matches multiple scenarios, TAM applies the shell profile and command set
defined in the scenario that has the highest priority to the user.
j.
To modify an authorization rule, click the Modify icon

through d.
k. To delete an authorization rule, click the Delete icon

6.
for the rule and perform steps b

for the rule.
Click OK.
Modifying an authorization policy

Modifying an authorization policy does not affect the shell profile of the scenario to which an online
device user matches, but affects the command set to be applied.
If the command set of the scenario is changed, the new command set applies to the online device
user.
If the scenario to which the online device user matches is changed, the command set of the new
scenario applies to the user.
To modify an authorization policy:

1.
2.
3.
for the authorization policy you want to modify.
The Modify Authorization Policy page appears.

4.
Modify basic information for the authorization policy:
5.
Authorization Policy NameEnter the authorization policy name, which must be unique in
TAM.
DescriptionEnter a brief description of the authorization policy for easy maintenance.
Modify authorization rules for the authorization policy: predefined, user-defined, or both.
Modifying the predefined authorization rule
The Access Authorization Info list contains a predefined authorization rule that always has the
lowest priority. The rule applies to users who match no user-defined authorization rules. With the
default setting, the rule prohibits users from logging in to any device and executing any command.
Operators cannot delete the rule, but can modify its settings.
a. Click the Modify icon
for the rule.
The Modify Access Authorization window appears.

b. Modify the following parameters for the rule:
The Device Area, Device Type, and Authorized Time Range fields cannot be modified.
timeout timer.
52

The Unlimited option allows the user to perform any command. The Forbid option prohibits the
user from performing any command.
c.
Click OK.
Adding a user-defined authorization rule

d. Click Add in the Access Authorization Info area.
The Add Access Authorization window appears.

e. Define the scenario by setting the device area, device type, and authorized time range. A
device user matches the scenario only when the user logs in to a device of the specified device
type on the device area within the authorized time range.
Device AreaClick the Select Device Area icon
next to the Device Area field. The Select
Device Area window appears. Select a device area or Unlimited and then click OK. The device
area specifies the range of devices to be matched in the scenario. If you select Unlimited, any
device area matches the scenario. Click the Clear icon
Device TypeClick the Select Device Type icon
next to the Device Type field. The Select
Device Type window appears. Select a device type or Unlimited and then click OK. The device
type specifies the type of devices to be matched in the scenario. If you select Unlimited, any
device type matches the scenario. Click the Clear icon
Authorized Time RangeSelect an authorized time range or Unlimited from the list. This
parameter specifies the login time range to be matched in the scenario. If you select Unlimited,
any time range matches the scenario.
f.
Select the shell profile and command set for the rule:
timeout timer.
The Unlimited option allows the user to perform any command. The Forbid option prohibits the
user from performing any command.
g. Click OK.
h. Repeat the previous steps to add more authorization rules as needed. You cannot add two
authorization rules with the same device area, device type, and authorized time range.
i.
Adjust the priorities for the authorization rules as needed:

Move UpClick the Move Up icon
for an authorization rule to raise its priority.
Move DownClick the Move Down icon
for an authorization rule to reduce its priority.
If a device user matches multiple scenarios, TAM applies the shell profile and command set
defined in the scenario that has the highest priority to the user.
j.
To modify an authorization rule, click the Modify icon

through d.
k. To delete an authorization rule, click the Delete icon

6.
Click OK.
53
for the rule and perform steps b

for the rule.
Deleting an authorization policy

You cannot delete an authorization policy that is being used by a device user, device user group, or an
LDAP synchronization policy.
To delete an authorization policy:
1.
2.
3.
for the authorization policy you want to delete.

4.
Click OK.
54
7 Managing device users

Device users refer to the network maintainers who log in and manage devices. A device user is
configured with an account name and a password on TAM for identity authentication of network
maintainers. A network maintainer can log in to manage a device after entering the correct account
name and password.
A TAM administrator needs to build a properly-structured device user database for hierarchical
management of device users. To do so, take the following steps:
1.
Create multiple TAM operators.
2.
Plan and create multiple device user groups, and specify TAM operators that can manage the
device user groups.
3.
Create device users, and assign device users to device user groups as needed.
TAM operators are the operators of the IMC Platform. For information about how to create operators, see
HP IMC Base Platform Administrator Guide.
Configuring device user groups

Use device user groups to implement hierarchical management of device users. The TAM administrator
can divide device user groups according to various criteria, for example, the device management scope
of device users and the working time of device users.
A device user group supports sub-groups for hierarchical management of device users. A level-1 (top
level) device user group can be further divided into multiple level-2 device user groups, and a maximum
of five group levels can be created. Two groups with adjacent levels are referred to as parent group and
child group, respectively. For example, a level-1 group is the parent group of all its level-2 groups, and
the level-2 groups are the child groups of the level-1 group.
TAM predefines a special device user group, called "Ungrouped." An operator cannot delete this group
or add sub-groups for this group, and when modifying it, cannot change its name and description.
Viewing the device user group list

To view the device user group list:
1.
Click the User tab.
2.
Select Device User View > Device User Groups from the navigation tree.
The Device User Group List displays all device user groups.
Device user group list contents
Group NameName of the device user group. Click the group name link to view the device user
group details.
Authorization PoliciesName of the authorization policy used by the device users in the device
user group. If the device users in the group can only log in to the device but cannot execute
commands on the device, this field displays CLI Access Not Supported.
User ListProvides the User List icon

group.
. Click the icon to view all device users in the device user
55
Add Sub-GroupClick the Add Sub-Group icon

to add a sub-group for the device user group.
TAM does not allow operators to add a sub-group for the pre-defined group Ungrouped.

to delete the device user group. TAM does not allow operators to
delete the pre-defined group Ungrouped and groups that contain sub-groups.
to modify the device user group settings.
The Expand and Collapse functions
3.
Click the Expand All link to display all groups on the device user group list in a tree structure.
Click the Collapse All link to collapse the device user group list.
To expand a specific device group user, click the Expand icon
the Collapse icon
to collapse the device user group.
next to the group name. Click
To refresh the device user group list, click Refresh.
Viewing device user group details

To view device user group details:
1.
Click the User tab.
2.
3.
Click the group name link for a device user group to view the device user group details.
Device user group parameters
Group NameName of the device user group.

Authorization PolicyName of the authorization policy used by the device users in the device
user group. If the device users in the device user group can only log in to the device but cannot
execute commands on the device, this field displays CLI Access Not Supported.
Parent Group NameName of the parent group of the device user group. Level-1 group has
no parent group. This field displays two hyphens (--) for level-1 groups.
DescriptionDescriptive information of the device user group.
Authorized operators area

This area lists all IMC operators. In terms of operation role, IMC operators include the
administrator, maintainers, and viewers. An operator with
next to it can maintain or view the
device user group. An operator with
cannot maintain or view the device user group.
4.
Click Back to return to the Device User Group List page.
Adding a device user group

To add a device user group:
1.
Click the User tab.
2.
3.
Click Add.
The Add Device User Group page appears.
4.
Configure the basic information for the device user group:
Group NameEnter the device user group name, which must be unique in TAM.
56
Authorization PolicySelect an authorization policy or select CLI Access Not Supported.

If you select a policy, all device users in the device user group use the policy. If you select CLI
Access Not Supported, the device users in the device user group can only log in to the device
but cannot execute commands on the device. The Authorization Policy field cannot be empty.
Parent Group NameDo not need to configure this field.

A group created in this method is a level-1 group. Level-1 groups have no parent group. This
field displays two hyphens (--) for level-1 groups.
5.
DescriptionEnter a description for the group for easy maintenance.
Specify the operators that can manage the device user group:
The Authorized Operators table lists all IMC operators. In terms of operation role, IMC operators
include the administrator, maintainers, and viewers. The administrator can manage all device user
groups. TAM does not allow canceling the administrator's management privileges to any device
user group.
Select the boxes next to the operators. Selected maintainers can manage the device user group.
Selected viewers can view information about the device user group.
6.
Click OK.
Adding a sub-group
To add a sub-group:
1.
Click the User tab.
2.
3.
Click the Add Sub-Group icon
for a device user group.
The Add Device User Group page appears.

4.
Configure the basic information for the device user sub-group:
Group NameEnter the sub-group name, which must be unique in TAM.

Authorization PolicySelect an authorization policy or the CLI Access Not Supported option,
or leave this field empty.
If you select an authorization policy for the sub-group, all device users in the sub-group use the
selected authorization policy.
If you select the CLI Access Not Supported option, device users in the sub-group can only log in
to the device but cannot execute commands on the device.
If you leave this field empty, the sub-group uses the authorization policy of its parent group.
If the parent group has no authorization policy, either, the sub-group uses the authorization
policy of the upper-level group of the parent group, and so forth to the level-1 group, until a
group is matched.
5.
Parent Group NameDisplays the parent group name of the sub-group. You do not need to
configure this field.
DescriptionEnter a description for the sub-group for easy maintenance.
Specify the operators that can manage the sub-group:

The authorized operators table lists all IMC operators. In terms of operation role, IMC operators
57
user group.
Select the boxes next to the operators. Selected maintainers can manage the device user group.
Selected viewers can view information about the device user group.
6.
Click OK.
Modifying a device user group or a sub-group

After you change the authorization policy of a device user group/sub-group, TAM controls the online
users in the device user group/sub-group as follows:
TAM still applies the shell profile configured in the original authorization policy to the online users.
TAM applies the authorization scenario and command set in the new authorization policy to the
online users.
TAM determines the authorization scenario to which a device user belongs according to the new
authorization policy. The command set configured for the new scenario applies to the device user
when the device user executes commands.
To modify a device user group or sub-group:

1.
Click the User tab.
2.
3.
for the device user group/sub-group you want to modify.
The Modify Device User Group page appears.

4.
Modify the basic information for the device user group/sub-group:
Group NameEnter the group name, which must be unique in TAM.

The group name for the pre-defined device user group Ungrouped cannot be modified.
Authorization PolicySelect an authorization policy or the CLI Access Not Supported option
for a level-1 group. Select an authorization policy or the CLI Access Not Supported option, or
leave this field empty for a level-2 to level-5 group.
If you select an authorization policy, all device users in the group use the selected
authorization policy.
If you select the CLI Access Not Supported option, device users in the group can only log in to
the device but cannot execute commands on the device.
If you leave this field empty, the group uses the authorization policy of its parent group.
If the parent group has no authorization policy, either, the group uses the authorization policy
of the upper-level group of the parent group, and so forth to the level-1 group, until a group is
matched.
Parent Group NameThis field cannot be modified. This field displays two hyphens (--) for a
level-1 group, and displays the name of the parent group for a level-2 to level-5 group.
DescriptionEnter a description for the group for easy maintenance.
The description of the pre-defined device user group Ungrouped cannot be modified.
5.
Specify the operators that can manage the device user group/sub-group:
The Authorized Operators table lists all IMC operators. In terms of operation role, IMC operators
58
user group.
Select the boxes next to the operators. Selected maintainers can manage the device user
group/sub-group. Selected viewers can view information about the device user group/sub-group.
6.
Click OK.
Deleting a device user group or a sub-group

After a device user group/sub-group is deleted, all device users in the group/sub-group are removed to
the Ungrouped group.
You cannot delete the following types of device user groups:
The TAM pre-defined device user group Ungrouped.
The device user groups that contain sub-groups.
The device user groups being used by LDAP synchronization policies.
Deleting a device user group/sub-group does not affect the shell profiles that have been authorized to the
online users. If deleting a device user group/sub-group results in an authorization policy change, the
new authorization policy applies to the online users.
TAM determines the authorization scenario to which a device user belongs according to the new
authorization policy. The command set configured for the new scenario applies to the device user when
the device user executes commands.
To delete a device user group or sub-group:
1.
Click the User tab.
2.
3.
for the device user group/sub-group you want to delete.
4.
Click OK in the dialog box that appears.
Viewing device users in a device user group or sub-group

To view device users in a device user group/sub-group:
1.
Click the User tab.
2.
3.
Click the User List icon
for a device user group/sub-group.
The Device User List page appears. In the Query Device Users area, TAM automatically sets the
selected device user group/sub-group as the query criteria and displays all device users contained
in the device user group/sub-group on the device user list.
Modifying operator privileges for device user groups

To change the device user groups that an operator can manage or view:
1.
Click the User tab.
2.
59
3.
4.
Click the Operator Privileges button.

The Operator List only displays all TAM maintainers and viewers. The administrator can manage
all device user groups and cancelling the management privileges of the administrator is not
allowed.
5.
for an operator.
6.
To expand all device user groups, click the Expand All icon
on the top of the device user group
list. To expand a specific device user group, click the Expand icon
next to the group name.
7.
Select the boxes next to the groups that you want to add the operator to, or clear the boxes of the
selected groups to remove the operator from the groups. The operator can manage or view the
groups that you finally selected.
8.
Click OK.
Configuring device users

Device users refer to the network maintainers who log in and manage devices.
When adding a device user to TAM, perform the following operations:
Add the device user to a device user group for hierarchical management.
Select an authorization policy for the device user. When the device user logs in and manages the
device, the device user is controlled by the authorization policy.
TAM provides to device user query function to facilitate device user management. Using the query
function, operators can quickly find desired device users. TAM supports the batch import and batch
modify functions, relieving operators from repeated operations.
Device users include a special type of usersLDAP users. LDAP users refer to the device users
synchronized from the LDAP server to TAM. LDAP users are authenticated by the LDAP server. For more
information about LDAP users, see "Managing LDAP users."
Viewing the device user list

To view device users:
1.
Click the User tab.
2.
Select Device User View > All Device Users from the navigation tree.
The Device User List displays all device users. Hover the mouse over the All Device Users link in the
navigation tree. A sub-menu appears and displays level-1 device user groups. Click the Expand
icon
of a level-1 group to display the sub-groups. Click a group name to enter the device user
list page, which lists all device users contained in the group.
Device user list contents
Account NameAccount name of a device user. Click the account name link to view the device
user details. Account names with the
"Managing LDAP users."
icon are LDAP users. For LDAP user management, see
Device User GroupDevice user group to which the device user belongs.
Created atDate when the device user was created.
Expired atDate when the device user will expire and become invalid. The device user cannot log
in to the device from 00:00 of this day. An empty field indicates that the device user never expires.
60
StatusStatus of the device user. Options include Normal and Cancelled. Cancelled device users
cannot log in to the devices.
to modify the device user settings.
Navigating the device user list
Click the Next Page icon
Click the Last Page icon
Click the Previous Page icon
Click the First Page icon
to page forward in the device user list.

to page forward to the end of the device user list.
to page backward in the device user list.
to page backward to the front of the device user list.
Querying device users

TAM provides basic query and advanced query. Basic query criteria include several key parameters for
quick search. Advanced query offers various query criteria for precise match.
Basic query
To query device users by using the basic query mode:
1.
Click the User tab.
2.
The Device User List displays all device users.
3.
Click Basic Query at the upper right of the page.

If Advanced Query is at the upper right of the page, you are already in basic query mode.
4.
Account NameEnter an account name string. TAM supports for fuzzy matching for this field.
For example, if you enter Sam, TAM displays all device users whose account names include
Sam.
Device User GroupClick the Select User Group icon
. In the window that appears,
expand the device user group list, select a device user group, and click OK. To unselect a
group, click the Clear icon .
Query fields kept empty are not used as query criteria.

5.
Click Query.
The Device User List displays the device users that match the query criteria.
To reset the query criteria, click Reset. The Device User List displays all device users.
Advanced query
To query device users by using the advanced query mode:
1.
Click the User tab.
2.
Select Device User View > All Device Users from the navigation tree.The Device User List displays
all device users.
3.
Click Advanced Query at the upper right of the page.

If Basic Query is at the upper right of the page, you are already in advanced query mode.
4.

61
Account NameEnter an account name string.

TAM supports for fuzzy matching for this field. For example, If you enter Sam, TAM displays all
device users whose account names include Sam.

Max. Online UsersEnter the maximum number of device users allowed to use the same
account name to log in to the device.
TAM supports only exact matching for this field.
StatusSelect a device user status from the list.

Options include Normal and Cancelled. Normal represents the device users that can normally
log in to devices. Cancelled represents the device users that have been cancelled by operators.
Cancelled device users cannot log in to devices.
Creation Date From/ToSet an account creation date range in the format of YYYY-MM-DD, or
click the Calendar icon
to select one.
This field matches the device users with an account created during the specified date range.
If you set or select only a start date, the query range is from the start date to 2038-01-01.
If you set or select only an end date, the query range is from 2000-01-01 to the end date.
If you set or select both a start date and an end date, the query range is from the start date to
the end date.
Last Logoff From/ToSet a last offline time range in the format of YYYY-MM-DD hh:mm, or
to select one.
This field matches the device users who logged off during the specified time range. After you
select a date, you also need to enter a time at the bottom of the calendar window. A date and
a time together determines an offline time.
If you set or select only a start time, the query range is from the start time to 9999-01-01 00:00.
If you set or select only an end time, the query range is from 2000-01-01 00:00 to the end
time.
If you set or select both a start time and an end time, the query range is from the start time to
the end time.
Expiration Date From/ToSet an account expiration date range in the format of

YYYY-MM-DD, or click the Calendar icon
to select one.
This field matches the device users with the account expiration time in the specified date range.
If you set or select only a start date, the query range is from the start date to 9999-01-01.
If you set or select only an end date, the query range is from 2000-01-01 to the end date.
If you set or select both a start date and an end date, the query range is from the start date to
the end date.
LDAP Synchronization PolicySelect an LDAP policy.

This field matches the LDAP users bound with the selected LDAP synchronization policy. For
more information about LDAP users, see "Managing LDAP users."
LDAP User StatusSelect an LDAP user status from the list.

Options include Unknown, Inexistent, and Existent. This field matches the LDAP users in the
selected status. For more information about LDAP users, see "Managing LDAP users."
62
Privilege-Increase PasswordSelect the status of this function.

Options include Enabled and Disabled.

5.
Click Query.
The Device User List displays the device users that match the query criteria.
To reset the query criteria, click Reset. The Device User List displays all device users.
Viewing device user details

To view device user details:
1.
Click the User tab.
2.
3.
Click the account name link for a device user to view the device user details.
Device user parameters
Account NameAccount name of the device user. If the account has been added to the
blacklist,
is displayed next to the account name. If the device user is an
LDAP user,
is displayed next to the account name. For more information about
LDAP users, see "Managing LDAP users."
User NameName of the device user.
StatusStatus of the device user. Options include Normal and Cancelled. Normal represents
that the device user can normally log in to the device. Cancelled represents that the device user
has been cancelled by an operator and cannot log in to the device.
Group Authorization PolicyName of the authorization policy used by the device user group.
Click the authorization policy name to view the authorization policy details (see "Viewing
authorization policy details").
If the device user in the device user group can only log in to the device but cannot execute
commands on the device, this field displays CLI Access Not Supported.
If no authorization policy is configured for the device user group, the device user group inherits
the authorization policy of its parent group, and this field displays the authorization policy of
its parent group.
User Authorization PolicyName of the authorization policy used by the device user.
Click the authorization policy name to view the authorization policy details (see "Viewing
authorization policy details").
If the device user can only log in to the device but cannot execute commands on the device, this
field displays CLI Access Not Supported.
If no authorization policy is configured for the device user, this field displays nothing.
If both the device user and its device user group are configured with an authorization policy,
the authorization policy configured for the device user is used.
If no authorization policy is configured the device user, the device user uses the authorization
policy of the device user group.
Creation DateDate when the device user was created, in the format of YYYY-MM-DD.
63
Last LogoffLast time the device user logged off, in the format of YYYY-MM-DD hh:mm. If the
device user never logs in to the device, the last offline time is the time when the device user was
created.
Expiration DateDate when the device user will expire and become invalid, in the format of
YYYY-MM-DD. If the device user never expires, this field displays nothing.
Max. Online UsersEnter the maximum number of device users allowed to use the same
account name to log in to the device. If no limit is set, this field displays nothing.
Enable Privilege-Increase PasswordThis field indicates whether the Privilege-Increase
Password has been enabled for the device user. With this function enabled, the device user can
use the password to increase the operation privilege.
The Action menu is located to the right of the Device User Details pane, offering the following
actions:
RefreshClick this link to obtain the updated device user information.
ModifyClick this link to enter the device user modification page.
4.
Cancel AccountClick this link and then click OK on the confirmation dialog box to cancel the
device user account.
Add to BlacklistClick this link and then click OK on the confirmation dialog box to add the
device user to the blacklist. This link is available only for device users not in the blacklist.
Remove from BlacklistClick this link and then click OK on the confirmation dialog box to
remove the device user from the blacklist. This link is available only for blacklisted device users.
Authentication LogClick this link to enter the authentication log list of the device user. For
more information about authentication logs, see "Managing authentication logs."
Authorization LogClick this link to enter the authorization log list of the device user. For more
information about authorization logs, see "Managing authorization logs."
Audit LogClick this link to enter the audit log list of the device user. For more information
about audit logs, see "Managing audit logs."
Click Back to return to the Device User List page.
Adding a device user

To add a device user:
1.
Click the User tab.
2.
3.
Click Add.
4.
Enter the account name for the device user.

The device user uses the account name to log in to the device. The account name must be unique
in TAM.
5.
Enter the user name for the device user.

The user name of a device user is a name that identifies the device user in TAM.
6.
Enter the login password.

The device user uses the password to log in to the device.
7.
Enter the same login password again for confirmation.
64
8.
Click the Select User Group icon

and then click OK.
, expand the device user group list, select a device user group,
9.
View the authorization policy of the device user group in the Group Authorization Policy field.
This field is automatically populated after a device user group is selected.
10.
Select an authorization policy from the User Authorization Policy list.

Options include CLI Access Not Supported and specific authorization policies:
11.
If you select CLI Access Not Supported, the device user can only log in to the device but cannot
execute commands on the device.
If you select an authorization policy, the device user uses the selected authorization policy.
If you keep this field empty, the device user uses the authorization policy of the device user
group (see step 9).
Enter the online user limit.

This limit specifies the maximum number of device users allowed to use the same account name to
log in to the device. If you keep this parameter blank, no limit will be applied to the number of
concurrent device users.
12.
Enter an expiration date in the format of YYYY-MM-DD, or click the Calendar icon
one.
to select
The device user cannot log in to the device from the expiry date on. If you keep this field empty, the
device user never expires.
13.
To enable the privilege-increase password function, select the Enable Privilege-Increase Password
box and then specify the password.
To enable the privilege-increase password function, you must also permit execution of the privilege
increase command in the command set that is associated with the authorization policy. For more
information about the command set configuration, see "Command set."
After this function is enabled, the device user can increase the user privilege level to the highest by
executing the privilege increase command and then entering the password you specified here. For
information about the privilege increase command on the device, see the configuration guide for
the device.
14.
Click OK.
Importing device users

With the batch import function, you can add device users to TAM in bulk by importing a .txt file that saves
the user information instead of adding the device users one by one.
To batch import device users:
1.
Click the User tab.
2.
3.
Click Batch Import.
4.
Click Browse next to the Import File field to select the .txt file that saves the device user
information.TAM supports importing only the .txt files.
5.
Select a column separator from the File Column Separator list.

Options include space, tab, dot (,), colon(:), pound sign (#), and dollar sign ($).
6.
Click Next.
65
TAM automatically resolves the columns in the file and displays the result in the list of each
parameter.
Account NameSelect a column number. TAM will read account names from the specified
column in the file. You cannot manually enter account names.
User NameSelect a column number for TAM to read user name information, or select Not
import from file and then manually enter a user name. If you manually enter a user name, all
imported device users will use this user name. Usually, user names are read from a file.
Login PasswordSelect a column number for TAM to read login password information, or
select Not import from file and then manually enter a login password. If you manually enter a
login password, all imported device users will use this login password.
Confirm Login PasswordEnter the login password again. This field appears only after you
select Not import from file for the Login Password field.
, expand the device user group list,
select a device user group, and then click OK. All imported device users belong to the device
user group you selected. You can only manually configure this parameter.
User Authorization PolicySpecify an authorization policy for users. You can select a specific
authorization policy or CLI Access Not Supported from the User Authorization Policy list or keep
the list empty. If you select CLI Access Not Supported, a device user can only log in to the device
but cannot execute commands on the device.
If you select an authorization policy, the device user uses the selected authorization policy. If
you keep this parameter empty, the device user uses the authorization policy of the device user
group.
Expiration DateSelect a column number for TAM to read the expiration date, or select Not
import from file and then manually enter an expiry date in the format of YYYY-MM-DD, or click
the Calendar icon
to select one. The device users cannot log in to the devices from the
expiry date on. If you keep this parameter empty, the device users never expire.
Max. Online UsersSelect a column number for TAM to read online user limit information, or
select Not import from file and then manually enter an online user limit value. If you enter a
value, all imported devices users use this value as the online user limit. If you keep this
parameter empty, no limit will be applied to the number of concurrent device users.
Enable Privilege-Increase PasswordSelect a column number for TAM to read the privilege
increase password configuration, or select Not import from file and then manually select an
option (Yes or No) from the list. If you select Yes or No, all imported device users enable or
disable the privilege increase password function.
Privilege-Increase PasswordSelect a column number for TAM to read the password
information, or select Not import from file and then manually enter a password. If you enter a
password, you must confirm the password by entering the same password twice, and this
password will be used by all imported device users. This parameter is not displayed when you
select Not import from file and then select option No for the Enable Privilege-Increase
Password parameter.
IMPORTANT:
To successfully import device users from a file, make sure the contents in the file satisfy the format and
value range requirements of the corresponding parameters. For example, the column that corresponds to
the account name can contain only blank spaces, uppercase and lowercase letters [A, Z] and [a, z], digits
[0, 9], hyphens (-), dots (.), and underscores (_). Any other character, if contained in the column, will result
in an import failure of the line that contains the invalid character.
66
7.
Click Preview.
The import result preview page appears, which contains the first 10 records. You can see whether
the import result is that you expected.
8.
If yes, click Close to return to the device user importing page.
9.
Click OK.
TAM starts to import device users. If the number of device users to be imported is large, the import
process will take a while. Wait for TAM to finish the import operation. Then, the import result page
appears, showing the number of device users successfully imported and that failed to be imported.
If a failure occurs, click the Download link. You can download or directly view the operation logs
to identify the reason for the failure.
Modifying a device user

After you change the authorization policy of a device user, TAM controls the online device user as
follows:
TAM still applies the shell profile configured in the original authorization policy to the online user.
TAM applies the authorization scenario and command set in the new authorization policy to the
online user.
TAM determines the authorization scenario to which the device user belongs according to the new
authorization policy. The command set configured for the new scenario applies to the device user
when the device user executes commands.
To modify a device user:

1.
Click the User tab.
2.
3.
for the device user that you want to modify.
4.
The account name is not allowed to be changed.
5.
Enter a user name for the device user.

The user name of a device user is a name that identifies the device user in TAM.
6.
Enter a login password.

The device user uses the password to log in to the device.
7.
Enter the same login password again.
8.

and then click OK.
9.
View the authorization policy of the device user group. This field is automatically populated after
a device user group is selected.
10.
Select an authorization policy from the User Authorization Policy list.
, expand the device user group list, select a device user group,
Options include CLI Access Not Supported and specific authorization policies. You can also keep
this field empty. If you select CLI Access Not Supported, the device user can only log in to the device
but cannot execute commands on the device. If you select an authorization policy, the device user
uses the selected authorization policy. If you keep this field empty, the device user uses the
authorization policy of the device user group (see step 9).
11.
Enter an online user limit.
67
log in to the device. If you keep this field empty, no limit will be applied to the number of concurrent
device users.
12.
Enter an expiration date in the format of YYYY-MM-DD, or click the Calendar icon
one.
to select
The device user cannot log in to the device once the expiration date is reached. If you keep this
field empty, the device user never expires.
13.
To enable the privilege-increase password function, select the Privilege-Increase Password box
and then specify the password.
After this function is enabled, the device user can increase the user privilege level to the highest by
executing the privilege increase command and then entering the password you specified here. For
information about the privilege increase command on the device, see the configuration guide for
the device.
14.
Click OK.
Batch modifying device users

You can batch modify these parameters: login password, user authorization policy, expiry date, online
user limit, and whether to enable Privilege-Increase Password.
Batch modifying device users does not affect the shell profiles that have been authorized to the online
users. If the authorization policy of a device user is changed, the device user is controlled by the new
authorization policy. TAM determines the authorization scenario to which the device user belongs
according to the new authorization policy. The command set configured for the new scenario applies to
the device user when the device user executes commands.
To batch modify device users:
1.
Click the User tab.
2.
3.
Select the boxes to the left of the account names of the device users that you want to modify, or
select all device users by selecting the box before Account Name, and then click Batch Modify.
Modifiable parameters include: login password, user authorization policy, expiration date, online
user count limit, and whether to enable Privilege-Increase Password. If you do not want to modify
a parameter, leave the parameter as it is.
4.
Select the login password box, and then enter a password twice.
5.
Select the User Authorization Policy box, and then select CLI Access Not Supported or a specific
authorization policy from the list, or keep the parameter empty.
If you select CLI Access Not Supported, a device user can only log in to the device but cannot
execute commands on the device. If you select an authorization policy, the device user uses the
selected authorization policy. If you keep this field empty, the device user uses the authorization
policy of the device user group.
6.
Select the Expiration Date box, and then enter an expiration date in the format of YYYY-MM-DD or
to select one.
The device user cannot log in to the device from the expiry date on. If you keep this field empty, the
device user never expires.
7.
Select the Max. Online Users box, and then enter a limit.
68
log in to the device. If you keep this field blank, no limit will be applied to the number of concurrent
device users.
8.
Select the Privilege Increase Password box, and then select Enable or Disable from the list. If you
select Enable, you must enter a password twice to set the privilege increase password.
9.
Click OK.
The operation result page displays the number of device users successfully modified and that failed
to be modified. If there is a modification failure, click Download to view or save the error logs. An
error log records the reason for a user modification failure.
Regrouping device users

Regrouping a device user may change the authorization policy of the device user. No modification
affects the shell profiles that have been authorized to the online users. If the authorization policy of a
device user is changed, the device user is controlled by the new authorization policy.
TAM determines the authorization scenario to which the device user belongs according to the new
authorization policy. The command set configured for the new scenario applies to the device user when
the device user executes commands.
To regroup device users:
1.
Click the User tab.
2.
3.
Select the boxes to the left of the account names of the device users that you want to regroup, or
click the box before Account Name to select all device users, and then click Regroup.
The Regroup page displays the following information of the device users to be regrouped:
Account NameAccount name the device user uses to log in to the device.
User NameName that identifies the device user in TAM.
Device User GroupCurrent device user group to which the device user belongs.
Created atDate when the device user was created, in the format of YYYY-MM-DD.
4.
In the Target Group area, click the Select User Group icon
for the target device user group. In
the window that appears, expand the device user group list, select a new device user group, and
click OK.
5.
Click OK.
The operation result page displays the number of device users successfully regrouped and that
failed to be regrouped. If there is a failure, click Download to view or save the error logs. An error
log records the reason for a user regrouping failure.
Batch cancelling device users

You can batch cancel device users at a time. Cancelled device users cannot log in to the devices any
more. Online device usersthe device users already logged in to the devices, cannot be cancelled.
Cancelling a device user does not immediately delete the device user from TAM. Cancelled device users
are still kept in TAM for a period of time for auditing purpose.
69
The period of time is determined by the TAM system parameter Cancelled User Lifetime. After the
specified period elapses, the device user information is completely deleted from the TAM. For more
information about TAM system parameters, see "Configuring system parameters."
To view cancelled device users in TAM, go to the advanced query page of device users, and then select
Cancelled from the Status list, use the default setting of other parameters, and click Query.For more
information about advanced query for device users, see "Querying device users."
To batch cancel device users:
1.
Click the User tab.
2.
3.
Select the boxes to the left of the account names of the device users that you want to cancel, or click
the box before Account Name to select all device users, and then click Batch Cancel.
4.
Click OK.
The operation result page displays the number of device users successfully cancelled and that
failed to be cancelled. If there is a failure, click Download to view or save the error logs. An error
log records the reason for a user cancelling failure.
Configuring the blacklist user function

To protect valid users and avoid invalid logins, TAM provides the blacklist user function.
Blacklist users are not allowed login to devices. A device user can be added to the blacklist in the
following ways:
Manually blacklistedWhen an operator finds that a device user may bring risks to the device by
analyzing the user logs, the operator can manually add the device user to blacklist. Manually
blacklisted users cannot be automatically removed from the blacklist. They can only be removed
from the blacklist manually by operators.
Automatically blacklistedIf a user consecutively uses the same account name but wrong
passwords to log in to a device, TAM considers the user is trying to crack the account and adds the
user to the blacklist. Such blacklist users can be automatically removed from the blacklist the next
morning, or be removed from the blacklist manually by operators.
NOTE:
The maximum number of consecutive authentication attempts permitted for a device user with incorrect
passwords is determined by the TAM system parameter Max. Authentication Attempts. For more
information about TAM system parameters, see "Configuring system parameters."
You can perform the following blacklist operations:
View the blacklist user list and key information about blacklist users.
Query blacklist users by specific criteria.
View detailed information about blacklist users.
Add device users to the blacklist.
Remove device users from the blacklist.
70
Viewing blacklist users

To view blacklist users:
1.
Click the User tab.
2.
Select Device User View > Blacklisted Users from the navigation tree.
The Blacklisted User List displays all blacklist users.
Blacklisted user list contents
Account NameAccount name of the blacklist user.

Click the account name link to view the device user details. For more information about device user
details, see "Viewing device user details."
Reason for BlacklistWhy the device user is blacklisted: Locked by Operator or Malicious Login
Attempts.
Blacklisted atTime when the device user was blacklisted, in the format of YYYY-MM-DD
hh:mm:ss.
User IPIP address used by the device user when the user is blacklisted.
This field is empty in the following cases:
The user is blacklisted manually by an operator.
The system cannot get the IP address of the user when automatically blacklisting the user.
DetailsClick the Details icon
to enter the blacklist details page.
Navigating the blacklist user list
to page forward in the blacklist user list.

to page forward to the end of the blacklist user list.
to page backward in the blacklist user list.
to page backward to the front of the blacklist user list.
Querying blacklist users

Basic query
To query blacklist users by using the basic query mode:
1.
Click the User tab.
2.
3.
Click Basic Query at the upper right of the page.

If Advanced Query is at the upper right of the page, you are already in basic query mode.
4.

71
For example, If you enter Sam, TAM displays all blacklist users whose account names include
Sam.
Reason for BlacklistSelect a reason why the device user is blacklisted. Options include
Locked by Operator and Malicious Login Attempts.

5.
Click Query.
The Blacklisted User List displays the blacklist device users that match the query criteria.
To reset the query criteria, click Reset. The Blacklisted User List displays all blacklist users.
Advanced query
To query blacklist users by using the advanced query mode:
1.
Click the User tab.
2.
3.
Click Advanced Query at the upper right of the page.

If Basic Query is at the upper right of the page, you are already in advanced query mode.
4.
For example, If you enter Sam, TAM displays all blacklist users whose account names include
Sam.
Reason for BlacklistSelect a reason why the device user is blacklisted. Options include
Locked by Operator and Malicious Login Attempts.
Blacklisted Time From/ToSet a blacklist time range in the format of YYYY-MM-DD hh:mm, or
to select one. This field matches the device users who were
blacklisted during the specified time range.
User IP Range From/ToSet a blacklist IP address range. You must enter complete IPv4
addresses, such as 192.168.1.1.

5.
Click Query.
The Blacklisted User List displays the blacklist device users that match the query criteria.
To reset the query criteria, click Reset. The Blacklisted User List displays all blacklist users.
Viewing blacklist user details

To view blacklist user details:
1.
Click the User tab.
2.
72

3.
Click the Details icon
for a blacklist user to view the blacklist user details.
Blacklisted user parameters
Account NameAccount name of the blacklist user.
User NameName of the blacklist user.
Device User GroupDevice user group to which the blacklist user belongs.
Reason for BlacklistWhy the device user is blacklisted. Options include Locked by Operator and
Malicious Login Attempts.
Operator NameIf the device user was blacklisted by an operator, this field displays the name of
the operator who blacklisted the device user. If the device user is blacklisted for malicious login, this
field displays nothing.
Blacklisted atTime when the device user was blacklisted, in the format of YYYY-MM-DD
hh:mm:ss.
Adding device users to the blacklist

You can add device users to the blacklist in the following ways:
Blacklisting device users on the device user list

1.
Click the User tab.
2.
3.
Select the boxes to the left of the account names.
4.
Click Add to Blacklist.
5.

The operation result page displays the number of device users successfully blacklisted and that
failed to be blacklisted. If there is a failure, click Download to view or save the error logs. An error
log records the reason for a blacklist failure.
Blacklisting a device user on the device user details page

1.
Click the User tab.
2.
3.
Click the account name link for a device user to enter the device user details page.
4.
On the action menu of the page, click Add to Blacklist.
5.
Removing device users from the blacklist

You can remove device users from the blacklist in the following ways:
Unblacklisting device users on the blacklist user list

1.
Click the User tab.
2.
73

3.
Select the boxes to the left of the account names of the device users you want to unblacklist.
4.
Click Unblacklist.
5.

The operation result page displays the number of device users successfully unblacklisted and that
failed to be unblacklisted. If there is a failure, click Download to view or save the error logs. An
error log records the reason for an unblacklist failure.
Unblacklisting a device user on the device user details page

1.
Click the User tab.
2.
3.
Click the account name link for a device user to enter the device user details page.
4.
On the action menu of the page, click Remove from Blacklist.
5.

The device user is removed from the blacklist.
74
8 LDAP authentication
LDAP Overview
IMC TAM can work with an LDAP server to provide authentication service for device users.
In TAM authentication, user data is stored in the TAM database, as shown in Figure 17.
Figure 17 TAM authentication
In LDAP authentication, user data is stored in the LDAP server. In a network that uses an LDAP server for
user management, you can synchronize user accounts from the LDAP server to TAM instead of manually
adding them.
Users that use these accounts are called LDAP users. When the authentication request from a device user
arrives, TAM looks up the user in the local user database.
If the user is an LDAP user, TAM forwards the request to the LDAP server.
If the user is not an LDAP user, TAM directly authenticates the user.
Figure 18 shows the authentication process.

Figure 18 LDAP authentication
To save user licenses, TAM supports On-Demand Sync, which allows it to synchronize a new user from
the LDAP server only after the user passes authentication.
The on-demand synchronization process works as follows: when a device user initiates an authentication
request, TAM looks up the user in the local user database.
If no entry is found for the user, TAM forwards the authentication request to the LDAP server.
If the user is found in the LDAP server and passes the authentication, TAM synchronizes the user to
its local user database.
TAM can work with these LDAP servers in the market: Microsoft Windows Active Directory, Open LDAP,
Sun ONE LDAP Server, and Novell eDirectory Server.
75
Managing LDAP servers

An LDAP server stores user data and verifies user identities in LDAP authentication.
Viewing the LDAP server list

To view the LDAP server list:
1.
2.
Select TACACS+ AuthN Manager > LDAP Service > LDAP Servers from the navigation tree.
The LDAP Server List displays all LDAP servers.
LDAP Server List contents
Server NameLDAP server name. Click the name link of an LDAP server to view its details.
VersionVersion of the LDAP protocol running on the LDAP server. TAM supports LDAPv2 and
LDAPv3.
IP AddressIP address of the LDAP server.
Server TypeType of the LDAP server: Microsoft AD or General.
TestClick the Test link to test connectivity to the LDAP server. Connection failures may be
caused by network problems or LDAP server configuration errors in TAM.
StatusConnectivity state of the LDAP server,
Connected or
Unconnected.
For an LDAP server in the Connected state, TAM forwards authentication requests from LDAP
users to the server. Operators can click the Connected icon
for the server to manually
disconnect it from TAM.
For an LDAP server in the Unconnected state, TAM rejects all authentication requests from LDAP
users, and prompts the users that the server is disconnected. Operators can click the
Unconnected icon
for the server to manually connect TAM to the server.
Manually connecting TAM to an LDAP server is mainly used in the following scenario: when an
LDAP server is down and disconnects from TAM, TAM starts regularly checking the availability
the server, and will automatically connects to the server after the server becomes available.
However, the checking interval is long, which may indicate that LDAP users cannot be
authenticated for a long time. In this case, after fixing the problems on the server, the operator
can manually connect TAM to the server so that it can provide authentication service for LDAP
users.
to enter the page for modifying the LDAP server settings.

to delete the LDAP server.
Navigating the LDAP server list
to page forward in the LDAP server list.

to page forward to the end of the LDAP server list.
to page backward in the LDAP server list.
to page backward to the front of the LDAP server list.
Click 8, 15, 50, 100, or 200 on the upper right side of the main pane to configure how many items
per page you want to display.
3.
Click Refresh in the LDAP Server List area to update to the LDAP Server List.
76
Viewing LDAP server details

To view detailed information about an LDAP server:
1.
2.
3.
Click the name link of an LDAP server to enter the LDAP server details page.
Basic Information
Server NameLDAP server name.

VersionVersion of the LDAP protocol running on the LDAP server. TAM supports LDAPv2 and
LDAPv3.
IP AddressIP address of the LDAP server.
PortTCP port on which the LDAP server listens for packets sent by TAM.
Server TypeType of the LDAP server: Microsoft AD or General.
Real-Time AuthNDisplays whether authentication is performed by the LDAP server.

YesLDAP users are authenticated on the LDAP server.
NoLDAP users are authenticated on TAM.
If TAM cannot synchronize passwords from some LDAP server (for example, the Microsoft
Active Directory), bound users are authenticated on the LDAP server even if you do not specify
real time authentication for the LDAP server.
Reconnect IntervalTime that TAM must wait before retrying to connect to the LDAP server
after a connection failure. As shown in Figure 19, without Reconnect Interval, a requesting
LDAP user must wait for a time specified by Connection Wait Timeout before being told the user
has been rejected because the LDAP server cannot be reached. With this parameter
configured, each time TAM fails to connect the LDAP server, the Reconnect Interval takes effect.
During this interval, TAM does not try to connect to the LDAP server and directly rejects all
authentication requests from LDAP users. After the Reconnect Interval expires, TAM retries to
connect to the LDAP server. This helps to reduce the time that LDAP users must wait for
authentication and delivers improved user experience.
77
Figure 19 How Reconnect Interval works
Connection Wait TimeoutTime period within which if TAM fails to connect to the LDAP server,
the connection attempt is considered failed.
Sync Wait TimeoutMaximum duration of each synchronization. The sync wait timer starts
when TAM starts synchronizing user data from the LDAP server. When this timer expires, TAM
stops the synchronization, regardless of whether the synchronization is complete or not. If no
time limit is specified, this field displays 0.
Server information
Base DNAbsolute path of the directory that stores user data on the LDAP server.
Admin DNAdministrator on the LDAP server, displayed as the absolute path on the LDAP
server.
User Attribute NameAttribute description used on the LDAP server for user names.
Password AttributeAttribute description used on the LDAP server for user passwords.
Backup server information
IP AddressIP address of the backup LDAP server. An empty field indicates that no backup
LDAP server is configured.
Server in UseLDAP server being used for authenticating LDAP users, Primary or Backup.
Auto Back to PrimaryWhen the primary LDAP server becomes unavailable, TAM switches to
the backup server and starts regularly checking the availability of the primary server. If the
78
Auto Back to Primary setting is Yes, TAM automatically switches back to the primary server
after the server becomes available. If the setting is No, TAM continues to use the backup server.
4.
IntervalMinimum interval (in hours) between a primary-to-backup switchover and an

automatic backup-to-primary switchover. This setting takes effect only when auto back to
primary is enabled. TAM can automatically switch back to the primary server only if the
backup server has been working for a period equal to or longer than this interval since the
primary-to-backup switchover. This feature helps avoid frequent primary and backup
switchovers caused by the instability of the primary server.
Click Back to return to LDAP Server List.
Adding an LDAP server

To add an LDAP server to TAM is to establish the association between TAM and the LDAP server.
1.
2.
3.
Click Add in the LDAP Server List area to enter the Add LDAP Server page.
4.
Configure basic LDAP server information:
Server NameEnter an LDAP server name, which must be unique in TAM.

VersionSelect an LDAP protocol version, 2 or 3 from the list. Make sure the LDAP server
supports the selected protocol version. Otherwise, TAM cannot communicate with the LDAP
server.
IP AddressEnter the IP address of the LDAP server. If the LDAP server has more than one NIC,
enter the IP address of the NIC used for communicating with TAM.
PortEnter the TCP port number on which the LDAP server listens for the packets from TAM. The
default port number is 389, which is used by most LDAP servers.
Server TypeSelect an LDAP server type, Microsoft AD or General from the list. To use
Microsoft Windows AD-specific functions, set the server type to Microsoft AD. In any other
cases, set the server type to General.
Real-Time AuthNSelect whether the authentication is performed by the LDAP server, Yes or
No.
YesLDAP users are authenticated on the LDAP server.
NoLDAP users are authenticated on TAM.
If TAM cannot synchronize passwords from some LDAP server (for example, the Microsoft
Active Directory), bound users are authenticated on the LDAP server even if you do not specify
real time authentication for the LDAP server.
Reconnect IntervalSelect the time that TAM must wait before retrying to connect to the LDAP
server after a connection failure. Options include some specific time intervals and Disable Auto
Connect. As shown in Figure 19, without Reconnect Interval, a requesting LDAP user must wait
for a time specified by Connection Wait Timeout before being told the user has been rejected
because the LDAP server cannot be reached. With this parameter configured, each time TAM
fails to connect the LDAP server, the specified Reconnect Interval takes effect. During this
interval, TAM directly rejects all authentication requests that must be forwarded to the LDAP
server. Select Disable Auto Connect to disable TAM from automatically retrying to connect to
the LDAP server after a connection failure. In this case, an operator must manually connect the
79
LDAP server to TAM. This operation is available on the LDAP Server List page. For more
information, see "Viewing the LDAP server list."
5.
Connection Wait TimeoutEnter the maximum duration of each connection attempt. If TAM
fails to connect to the LDAP server within this period, the connection attempt is considered
failed.
Sync Wait TimeoutEnter the maximum duration of each synchronization process. The sync
wait timer starts when TAM starts synchronizing user data from the LDAP server. When this timer
expires, TAM stops the synchronization, regardless of whether the synchronization is complete
or not. If you do not want to set a time limit, set the timer to 0.
Configure server information:
Base DNEnter the absolute path of the directory that stores user data on the LDAP server.
Admin DNEnter the absolute path that locates the administrator on the LDAP server.
Admin PasswordEnter the administrator password.
User Attribute Name Enter the attribute description used on the LDAP server for usernames.
Password AttributeEnter the attribute description used on the LDAP server for user passwords.
This parameter cannot be configured when the server type is Microsoft AD, whose user
passwords cannot be synchronized to TAM.
The base DN, administrator DN, username, and password attribute descriptions vary with LDAP
servers. You can get their attribute descriptions on the LDAP server you are working with by using
tools such as Softerra LDAP Administrator.
6.
Configure backup server information:

To provide non-stop services, configure a backup server to provide authentication for the LDAP
users when the primary server is unavailable. The primary to backup switchover takes about one
minute. During this period, all requesting LDAP users are rejected and told that they have another
connection being authenticated and must retry later. The switchover does not affect any online
user.
IP AddressEnter the IP address of the backup LDAP server. If you do not want to configure a
backup server, leave this field empty.
Server in UseSelect the LDAP server to authenticate LDAP users, Primary or Backup. To select
the backup server, the IP address of the backup server must have been configured.
Auto Back to PrimarySelect the option to enable Auto Back to Primary. When the primary
LDAP server becomes unavailable, TAM switches to the backup server and starts regularly
checking the availability of the primary server. If the Auto Back to Primary setting is Yes, TAM
automatically switches over to the primary server after the server becomes available. If the
setting is No, TAM continues to use the backup server. This parameter does not take effect if
Server in Use is set to Backup.
IntervalEnter the minimum interval (in hours) between a primary-to-backup switchover and an
primary is enabled. TAM can automatically switch back to the primary server only if the backup
server has been working for a period equal to or longer than this interval since the
primary-to-backup switchover. This feature helps avoid frequent primary and backup changes
caused by primary server instability.
7.
Click Test to test connectivity to the LDAP server. If the connection attempt fails, follow the displayed
tips to check for configuration errors.
8.
Click OK.
80
Testing connectivity to an LDAP server

To test the connectivity to an LDAP server:
1.
2.
3.
Click the Test link for the LDAP server.

The test result appears at the top of the page. If the LDAP server fails to be connected, follow the
displayed tips to check for LDAP server configuration errors.
Modifying LDAP server settings

To modify the settings of an LDAP server:
1.
2.
3.
for the LDAP server you want to modify.
The page for modifying LDAP servers appears.

4.
Modify basic information about the LDAP server:
Server NameCannot be modified.

VersionSelect an LDAP protocol version, 2 or 3 from the list. Make sure that the LDAP server
supports the selected protocol version. Otherwise, TAM cannot communicate with the LDAP
server.
IP AddressEnter the IP address of the LDAP server. If the LDAP server has more than one NIC,
enter the IP address of the NIC used for communicating with TAM.
PortEnter the TCP port number on which the LDAP server listens for the packets from TAM. The
default port number is 389, which is used by most LDAP servers.
Server TypeCannot be modified.
Service Sync TypeCannot be modified.
Reconnect IntervalSelect the time that TAM must wait before retrying to connect to the LDAP
server after a connection failure. As shown in Figure 19, without Reconnect Interval, a
requesting LDAP user must wait for a time specified by Connection Wait Timeout before being
told they have been rejected because the LDAP server cannot be reached. With this parameter
configured, each time TAM fails to connect the LDAP server, the specified Reconnect Interval
takes effect. During this interval, TAM directly rejects all authentication requests that must be
forwarded to the LDAP server. Select Disable Auto Connect to disable TAM from automatically
retrying to connect to the LDAP server after a connection failure. In this case, an operator must
manually connect the LDAP server to TAM. This operation is available on the LDAP Server List
page. For more information, see "Viewing the LDAP server."
Connection Wait TimeoutEnter the maximum duration of each connection attempt. If TAM
fails to connect to the LDAP server within this period, the connection attempt is considered
failed.
Sync Wait TimeoutEnter the maximum duration of each synchronization process. The sync
wait timer starts when TAM starts synchronizing user data from the LDAP server. When this timer
81
expires, TAM stops the synchronization, regardless of whether the synchronization is complete
or not. If you do not want to set a time limit, set the timer to 0.
5.
Modify backup server information:
Base DNEnter the absolute path of the directory that stores user data on the LDAP server.
Admin DNEnter the absolute path that locates the administrator on the LDAP server.
Admin PasswordEnter the administrator password.
User Attribute Name Enter the attribute description used on the LDAP server for usernames.
Password AttributeEnter the attribute description used on the LDAP server for user passwords.
This parameter is not required when the Server Type is Microsoft AD, whose user passwords
cannot be read by TAM.
The base DN, administrator DN, username, and password attribute descriptions vary with LDAP
servers. You can get their attribute descriptions on the LDAP server you are working with by using
tools such as Softerra LDAP Administrator.
6.
Modify backup server information:

To provide non-stop services, configure a backup server to provide authentication for the LDAP
users when the primary server is unavailable. The primary to backup switchover takes about one
minute. During this period, all requesting LDAP users are rejected and told that they have another
connection being authenticated and must retry later. The switchover does not affect any online
user.
IP AddressEnter the IP address of the backup LDAP server. If you do not want to configure a
backup server, leave this field empty.
Server in UseSelect the LDAP server to authenticate LDAP users, Primary or Backup. To select
the backup server, the IP address of the backup server must have been configured.
Auto Back to PrimarySelect the option to enable Auto Back to Primary. When the primary
LDAP server becomes unavailable, TAM switches over to the backup server and starts regularly
checking the availability of the primary server. If the Auto Back to Primary setting is Yes, TAM
automatically switches over to the primary server after the server becomes available. If the
setting is No, TAM continues to use the backup server. This parameter does not take effect if
Server in Use is set to Backup.
IntervalEnter the minimum interval (in hours) between a primary-to-backup switchover and an
primary is enabled. TAM can automatically switch back to the primary server only if the backup
server has been working for a period equal to or longer than this interval since the
primary-to-backup switchover. This feature helps avoid frequent primary and backup changes
caused by primary server instability.
7.
Click Test to test the connectivity to the LDAP server. If the connection attempt fails, follow the
displayed tips to check for configuration errors.
8.
Click OK.
NOTE:
If the LDAP server has been associated with an on-demand synchronization policy and you have changed
the password or username attribute description, click On-Demand Sync on the synchronization policy
page to validate the changes.
82
Deleting an LDAP server

Deleting an LDAP server removes the association between TAM and the LDAP server. You cannot delete
LDAP servers that are assigned to synchronization policies.
To delete an LDAP server:
1.
2.
3.
for the LDAP server you want to delete.

4.
Click OK.
Managing LDAP synchronization policies

An LDAP synchronization policy specifies the way you synchronize user data from an LDAP server to TAM,
the scope of user data to be synchronized, and the way user data is handled on TAM. Users
synchronized from the LDAP server become device users in TAM.
Viewing the LDAP synchronization policy list

To view the LDAP synchronization policy list:
1.
2.
Select TACACS+ AuthN Manager > LDAP Service > Sync Policies from the navigation tree.
The Sync Policy List displays all LDAP synchronization policies.
Sync Policy List contents
Policy NameLDAP synchronization policy name. Click the name link of a policy to enter the
policy details page. For more information, see "Viewing LDAP synchronization policy details."
Server NameName of the LDAP server that is associated with the synchronization policy.
Click the name link of an LDAP server to view its details. For more information, see "Viewing
LDAP server details."
Device User GroupDevice user group to which users bound with the synchronization policy
are assigned.
Auto SynchronizationIf this option is enabled (Yes), TAM automatically executes the
synchronization policy every day as scheduled (3:00 am by default according to the IMC
server time). If this option is disabled (No), TAM performs synchronization on an as needed
basis. The automatic execution time depends on the system parameter LDAP Synchronization
Time. For more information about configuring system parameters, see "Configuring system
parameters."
On-Demand SyncIf this option is enabled (Yes), TAM synchronizes a new user from the LDAP
server only after the user passes authentication. If this option is disabled (No), TAM
synchronizes all matching users from the LDAP server. You can enable this option to save user
account licenses and to improve synchronization efficiency.
LDAP UserClick the icon
for a synchronization policy to view users bound to the policy.
For more information about LDAP users, see "Viewing LDAP user details."
83
3.
SynchronizeClick the Synchronize link to execute the synchronization policy.
to modify the synchronization policy.

to delete the synchronization policy.
Click Refresh in the Sync Policy List area to update the Sync Policy List.
Viewing LDAP synchronization policy details

To view detailed information about an LDAP synchronization policy:
1.
2.
3.
Click the name link of a synchronization policy to enter the synchronization policy details page.
Sync Policy Basic Information
Policy NameLDAP synchronization policy name.

Server NameName of the LDAP server that is associated with the synchronization policy. An
LDAP synchronization policy can be associated with only one LDAP server. One LDAP server
can be associated with multiple synchronization policies.
Base DNAbsolute path of the base directory that stores user data on the LDAP server.
Sub-Base DNAbsolute path of the subdirectory that stores user data on the LDAP server. TAM
synchronizes the user data under sub-base DN rather than base DN.
The Base DN specifies the base directory that stores user information for the whole
organization. The sub-base DNs specify the directories that store user information of specific
departments within the organization. Users in different departments (identified by their
respective sub-base DNs) may need to be controlled by different authorization policies, and to
be assigned to different user groups. You can create department-specific synchronization
policies by referencing their respective sub-base DNs in each policy.
Filter ConditionCriteria used for filtering users. Only users that match these criteria can be
synchronized to TAM.
Auto SynchronizationIf this option is enabled (Yes), TAM automatically executes the
synchronization policy every day at a specified time (3:00 am by default). If this option is
disabled (No), TAM performs synchronization on an as needed basis. The automatic execution
time depends on the system parameter LDAP Synchronization Time. For more information
about configuring system parameters, see "Configuring system parameters."
On-Demand SyncIf this option is enabled (Yes), TAM synchronizes a new user from the LDAP
server only after the user passes authentication. If this option is disabled (No), TAM
synchronizes all matching users from the LDAP server. You can enable this option to save user
account licenses and improve efficiency. If both Auto Synchronization and On-Demand Sync
are enabled, only LDAP users that have been synchronized to TAM can be synchronized from
the LDAP server during automatic synchronization.
Synchronize New Device UsersIf this option is enabled (Yes), TAM synchronizes users that
are not in the TAM user database from the LDAP server. If this option is disabled (No), TAM
does not synchronize users that are not in the TAM user database.
Synchronize Users in Current NodeIf this option is enabled (Yes), TAM synchronizes users
under the specified sub-base DN, but does not synchronize users in any OU under the sub-base
DN. If this option is disabled (No), TAM synchronizes all users in the sub-base DN, including
users in the OUs in the sub-base DN.
84
Device User Information
4.
Account NameAttribute description used on the LDAP server for user account names. TAM
gets the values of this attribute as the account names of the device users.
User NameUsername attribute description used on the LDAP server. TAM gets the values of
this attribute as the usernames of the device users. An empty field indicates that user names are
not synchronized from the LDAP server.
Expiration DateAttribute description used on the LDAP server for user account expiration
dates. TAM gets the values of this attribute as the expiration date of the device users. An empty
field indicates that expiration dates are not synchronized from the LDAP server.
Max. Online UsersAttribute description used on the LDAP server for the maximum number of
online users with the same user account. TAM gets the values of this attribute as the maximum
number of online users with the same user account settings of device users. An empty field
indicates that the settings are not synchronized from the LDAP server.
Device User GroupDevice user group to which users bound with the synchronization policy
are assigned to.
User Authorization PolicyName of the authorization policy used by the device users, or CLI
Access Not Supported. With the CLI Access Not Supported option, the device users can only
log in to a device but cannot execute any command on it. An empty field indicates that no
authorization policy is specified for the device users and that the users will use the authorization
policy assigned to the device user group to which the user belongs. If different authorization
policies are assigned to a device user and the device user group, the policy configured for the
device user takes effect.
Click Back to return to the Sync Policy List.
Adding an LDAP synchronization policy

To add an LDAP synchronization policy:
1.
2.
3.
Click Add in the Sync Policy List area.
4.
Configure basic information for the synchronization policy:
Policy NameEnter a unique name for the synchronization policy.

Server NameSelect the LDAP server to which you want to assign the policy. Available options
are all LDAP servers that have been configured in TAM.
Base DNThe system automatically populates this field with the absolute path of the directory
that stores user data on the LDAP server.
Sub-Base DNEnter the absolute path of the subdirectory that stores user data on the LDAP
server. Make sure it is in the base DN directory or is the same as the base DN directory. TAM
synchronizes the user data under sub-base DN rather than base DN. The DNs attributes vary
with LDAP servers. To get the correct sub-base DN path, use tools such as Softerra LDAP
Administrator.
Filter ConditionEnter a filter to match the user data you want to synchronize to TAM. The most
basic filter takes the form (attribute=value), where you can use the wildcard asterisk (*) in the
value pattern to match any character or character string. For example, the filter (cn=He*)
matches any entry that has a cn attribute value that starts with He.
85
You can also use a complex filter in the form (operator(attribute1=value)(attribute2=value)) or

(operator(attribute1=value)(operator(attribute2=value))) for advanced filtering. The operator
can be & (AND), | (OR), or ! (NOT). For example, the filter (&(objectclass=a*)(!(cn=b*))) enables
TAM to synchronize any entry that has an objectclass attribute value starting with a and a cn
attribute value not starting with b.
The default filter varies with the LDAP server type. If the server type is Microsoft AD, the default
filter is (&(objectclass=user)(sAMAccountName=*)). If the server type is General, the default
filter is (&(objectclass=*)(cn=*)).
Sync Options-Auto synchronizationSelect this option to execute the policy every day to
synchronize all matching users to TAM. The automatic execution time depends on the system
parameter LDAP Synchronization Time. For more information about configuring system
parameters, see "Configuring system parameters."
Sync Options-On-Demand SyncSelect this option to have TAM synchronize a new user from
the LDAP server only after the user passes authentication. This option and the Synchronize New
Device Users option are mutually exclusive. If you have a limited number of licenses, use this
option to save user licenses. If you enable both the Auto Synchronization and On-Demand Sync
options, only LDAP users that have been synchronized to TAM can be synchronized from the
LDAP server during automatic synchronization.
Sync Options-Synchronize New Device UsersSelect this option to have TAM synchronize all
new users from the LDAP server. If this option is not selected, TAM does not synchronize any new
user from the LDAP server. This option and the On-Demand Sync option are mutually exclusive.
Sync Options-Synchronize Users in Current NodeSelect this option to have TAM synchronize
users under the specified sub-base DN, but not synchronize users in any OU under the sub-base
DN. If this option is not selected, TAM synchronizes all users in the sub-base DN, including users
in the OUs in the sub-base DN.
5.
Click Next to enter the page for configuring device user parameters.
6.
Configure the device user parameters associations with attribute descriptions on the LDAP server.
Account NameThe system automatically populates this field with the attribute description
used on the LDAP server for user account names, which cannot be modified.
User NameSelect the username attribute description used on the LDAP server from the list.
TAM gets the values for this attribute as the usernames of LDAP users. Or select Do Not Sync to
enter a unified username for all LDAP users.
User PasswordSelect the corresponding attribute description used on the LDAP server for user
passwords from the list. TAM gets the values of this attribute as user passwords of LDAP users.
Or select Do Not Sync to enter a unified user password for all users.
Expiration DateSelect the corresponding attribute description used on the LDAP server for
user account expiration dates from the list. TAM gets the values of this attribute as the expiration
date of LDAP users. Or select Do Not Sync to set a unified expiration date for all LDAP users. You
can either select a date by clicking the Calendar icon
YYYY-MM-DD.
, or enter a date in the format of
Max. Online UsersSelect the corresponding attribute description used on the LDAP server for
the maximum number of online users with the same user account. TAM gets the values for this
attribute as the maximum number of online users with the same user account. Or select Do Not
Sync to manually set a unified setting for all device users.
Device User GroupSelect a device user group for users bound with the synchronization policy.
. The Select Device User Group window appears. Select a
group and click OK. This parameter cannot be synchronized from the LDAP server.
86
7.
User Authorization PolicySelect an existing authorization policy, or CLI Access Not Supported
from the list. If you select a specific authorization policy, the device users are controlled by the
policy. If you select CLI Access Not Supported, the device users can log in to the device but
cannot execute any command. If you leave this field empty, the device users use the
authorization policy assigned to the device user group to which the user belongs. If you assign
different authorization policies to a device user and the device user group the user belongs to,
the policy configured for the device users takes effect. This parameter cannot be synchronized
from the LDAP server.
Click OK.
Modifying an LDAP synchronization policy

To modify an LDAP synchronization policy:
1.
2.
3.
for the LDAP synchronization policy you want to modify.
The page for modifying the LDAP synchronization policy appears.

4.
Modify basic information for the synchronization policy:
Policy NameEnter the synchronization policy name, which must be unique in TAM.
Server NameSelect the LDAP server to which you want to assign the policy. Options include
all LDAP servers that have been configured in TAM.
Base DNCannot be modified.
server and make sure it is in the base DN directory or be the same as the base DN directory.
TAM synchronizes the user data under sub-base DN rather than base DN. The DNs attributes
vary with LDAP servers. To get the correct sub-base DN path, use tools such as Softerra LDAP
Administrator.
Filter ConditionEnter a filter to match user data you want to synchronize to the TAM. The most
You may also use a complex filter in the form (operator(attribute1=value)(attribute2=value)) or
can be & (AND), | (OR), or ! (NOT). For example, the filter (&(objectclass=a*)(!(cn=b*)))
enables the TAM to synchronize any entry that has an objectclass attribute value starting with
a and a cn attribute value not starting with b.
The default filter varies with LDAP server type. If the server type is Microsoft AD, the default filter
is (&(objectclass=user)(sAMAccountName=*)). If the server type is General, the default filter is
(&(objectclass=*)(cn=*)).
Sync Options-Auto synchronizationSelect this option to execute the policy every day to
synchronize all matching users to TAM. The automatic execution time depends on the system
parameter LDAP Synchronization Time. For more information configuring system parameters,
see "Configuring system parameters."
Sync Options-On-Demand SyncSelect this option to have TAM synchronize a new
policy-matching user from the LDAP server only after the user passes authentication. This option
87
and the Synchronize New Device Users option are mutually exclusive. If you have a limited
number of licenses, use this option to save user licenses.
Sync Options-Synchronize New Device UsersSelect this option to have TAM synchronize all
the new policy-matching users from the LDAP server. If this option is not selected, TAM does not
synchronize any new user from the LDAP server. This option and the On-Demand Sync option
are mutually exclusive.
Sync Options-Synchronize Users in Current NodeSelect this option to have TAM synchronize
users under the specified sub-base DN, but not synchronize users in any OU under the sub-base
DN. If this option is not selected, TAM synchronizes all users in the sub-base DN, including users
in the OUs in the sub-base DN.
5.
Click Next to enter the page for configuring device user parameters.
6.
Modify the device user parameters associations with attribution descriptions on the LDAP server.
7.
Account NameThe system automatically populates this field with the attribute description
used on the LDAP server for user account names, which cannot be modified.
User NameSelect the username attribute description used on the LDAP server from the list.
TAM gets the values for this attribute as the usernames of LDAP user. Or select Do Not Sync to
enter a unified username for all LDAP users.
User PasswordSelect the corresponding attribute description used on the LDAP server for user
passwords from the list. TAM gets the values of this attribute as user passwords of LDAP users.
Or select Do Not Sync to enter a unified user password for all LDAP users.
Expiration DateSelect the corresponding attribute description used on the LDAP server for
user account expiration dates from the list. TAM gets the values of this attribute as the expiration
date of LDAP users. Or select Do Not Sync to set a unified expiration date for all LDAP users. You
can select a date by clicking the Calendar icon
, or enter a date in the format of
YYYY-MM-DD.
Max. Online UsersSelect the corresponding attribute description used on the LDAP server for
the maximum number of concurrent logins with the same user account. TAM gets the values for
this attribute as the maximum concurrent logins settings of LDAP users. Or select Do Not Sync to
manually set a unified maximum concurrent logins for all LDAP users.
Device User GroupSelect a device user group for users bound with the synchronization policy.
. The Select Device User Group window appears. Select a
group and click OK. This parameter cannot be synchronized from the LDAP server.
User Authorization PolicySelect an existing authorization policy, or CLI Access Not Supported
from the list. If you select a specific authorization policy, the device users are controlled by the
policy. If you select CLI Access Not Supported, the device users can log in to the device but
cannot execute any command. If you leave this field empty, the device users use the
authorization policy assigned to the device user group to which the user belongs. If you assign
different authorization policies to a device user and the device user group the user belongs to,
the policy configured for the device users takes effect. This parameter cannot be synchronized
from the LDAP server.
Click OK.
Deleting an LDAP synchronization policy

If the LDAP synchronization policy to be deleted has been bound to any user, remove the binding first. For
unbinding an LDAP user with a synchronization policy, see "Unbinding users with an LDAP
synchronization policy."
88
To delete an LDAP synchronization policy:

1.
2.
3.
for the synchronization policy you want to delete.

4.
Click OK.
Executing an LDAP synchronization policy

An LDAP synchronization policy specifies the way you synchronize user data from an LDAP server to TAM,
the scope of user data to be synchronized, and the way user data is handled on TAM. During user
synchronization, the following rules apply: for users that do not exist in TAM, user synchronization will be
performed according to the configured synchronization policy; for users that already exist in TAM, TAM
does not synchronize any manually entered or selected settings in the synchronization policy.
TAM automatically executes an LDAP synchronization policy every morning (at 3:00 am by default
according to IMC server time). The automatic execution time depends on the system parameter setting
for LDAP Synchronization Time. For more information about configuring system parameters, see
"Configuring system parameters."
You can also manually execute an LDAP synchronization policy by clicking the Synchronize link.
To manually execute an LDAP synchronization policy:
1.
2.
3.
Click the Synchronize link for the policy to start synchronization.

This process may take a few minutes or hours, depending on the amount of user data.
When the synchronization stops, TAM displays the synchronization results, including the number
of user accounts successfully synchronized to TAM and the number of failures. If failures exist, click
Download to download or view the reasons for the failure in the operation log.
4.
Click Back to return to Sync Policy List page.
5.
Click the Synchronized Result link on the upper right side of the page to view the results of the last
synchronization.
Managing users bound to an LDAP synchronization policy

To manage users bound to an LDAP synchronization policy:
1.
2.
3.
Click the icon
for the target synchronization policy.
The Bound User List appears, displaying all LDAP users bound to the policy. For more information
about managing LDAP users, see "Managing LDAP users."
89
Validating on-demand synchronization policies

TAM allows you to validate all newly added or modified on-demand synchronization policies in bulk.
To validate an on-demand synchronization policy:
1.
2.
3.
Click On-Demand Sync in the Sync Policy List area.

4.
Click OK.
All the on-demand synchronization policies are validated.
Managing LDAP users

An LDAP user is a device user in TAM that is bound with an LDAP synchronization policy.
The following rules apply during user synchronization from LDAP to TAM:
For LDAP users in TAM that exist on the LDAP server, user information in TAM will be overwritten by
that stored on the LDAP server.
For LDAP users in TAM that do not exist on the LDAP server, TAM will mark the user status as
Inexistent.
For users on the LDAP server that do not exist in TAM, user synchronization will be carried out
according to the configured synchronization policy.
Viewing LDAP users

TAM offers you the following methods for viewing LDAP users:
Viewing LDAP users in the device user list
Viewing LDAP users in the all bound user list
Viewing LDAP users in the bound user list of a specific synchronization policy
Viewing LDAP users in the device user list

To view LDAP users in the device user list:
1.
Click the User tab.
2.
The Device User List displays all device users. Account names with the icon
are LDAP users.
Device User List contents
Account NameAccount name of the LDAP user.
Device User GroupDevice user group to which the LDAP user belongs.
Created AtDate when the LDAP user was created.
Expired AtDate when the LDAP user expires and becomes invalid. The user cannot log in to
any device since 0:00 on the specified date. An empty field indicates that the LDAP user never
expires.
90
StatusDevice user account state: Normal, or Cancelled. Normal indicates that the user
account can be used for device login. Cancelled indicates that the user account is already
deleted and cannot be used for device login.
user information.
for an LDAP user to enter the page for modifying the LDAP
Navigating the device user list
to page forward in the device user list.

to page forward to the end of the device user list.
to page backward in the device user list.
to page backward to the front of the device user list.
Click 8, 15, 50, 100, or 200 on the upper right side of the main pane to configure how many
items per page you want to view.
Viewing LDAP users in the all bound user list

To view LDAP users in the All Bound User List:
1.
Click the User tab.
2.
Select Device User View > LDAP Users from the navigation tree.
The All Bound User List displays all LDAP users.
All Bound User List contents
Policy NameName of the LDAP synchronization policy the LDAP user is bound with. Click the
name link of a policy to view its details. For more information about LDAP synchronization
policy details, see "Viewing LDAP synchronization policy details."
Status in LDAP ServerState of the LDAP user during last synchronization, Existent or
Inexistent. If the user exists on the LDAP server, the field displays Existent. If not, the field
displays Inexistent. To learn the current state of an LDAP user, synchronize the user
immediately. For more information, see "Executing an LDAP synchronization policy."
Navigating the all bound user list
to page forward in the all bound user list.

to page forward to the end of the all bound user list.
to page backward in the all bound user list.
to page backward to the front of the all bound user list.
per page you want to view.
Viewing LDAP users in the bound user list

To view LDAP users bound with an LDAP synchronization policy:
1.
Click the User tab.
2.
Select Device User View > LDAP Users > Target Policy Name from the navigation tree.
The Bound User List displays all LDAP users bound with the policy.
Bound Users List contents

91
Policy NameName of the LDAP synchronization policy the LDAP user is bound with. Click the
name link of a policy to view its details. For more information about LDAP synchronization
policy details, see "Viewing LDAP synchronization policy details."
Status in LDAP ServerState of the LDAP user during last synchronization, Existent or
Inexistent. If the user exists on the LDAP server, the field displays Existent. Otherwise the field
displays Inexistent. To learn the current state of an LDAP user, synchronize the user
immediately. For specific procedures, see "Executing an LDAP synchronization policy."
Navigating the bound user list
to page forward in the bound user list.

to page forward to the end of the bound user list.
to page backward in the bound user list.
to page backward to the front of the bound user list.
Querying LDAP users

You can follow the same procedures to query LDAP users in the all bound user list and the bound user list
of a specific synchronization policy. The following information uses the all bound user list as an example.
To query LDAP users in the all bound user list:
1.
Click the User tab.
2.
3.
Account NameEnter the account name of an LDAP user. TAM supports fuzzy matching for this
field. For example, if you enter sam, all LDAP user accounts with names containing sam are
queried.
Device User GroupClick the Select User Group icon . The Select Device User Group
window appears. Select a group and click OK. Click the Clear icon
Status in LDAP ServerSelect an LDAP user state from the list. Options include Unknown,
Existent, and Inexistent. TAM queries LDAP users according to the user state during last
synchronization. To query the users based on their current state, synchronize the users first. For
more information, see "Synchronizing LDAP users."

4.
Click Query.
All LDAP users matching the query conditions are displayed in the All Bound User List.
To clear the query criteria, click Reset. The All Bound User List displays all LDAP users.
Viewing LDAP user details

You can follow the same procedure to view LDAP user details in the all bound user list and the bound user
list of a specific synchronization policy. The following information uses the all bound user list as an
example.
92
To view an LDAP user details in the all bound user list:

1.
Click the User tab.
2.
3.
Click the account name of an LDAP user whose detailed information you want to view.
Device user details contents
Account NameAccount name of the LDAP user. When an LDAP user is blacklisted, the account
name of the user is followed by Blacklisted Users.
User NameReal name of the LDAP user.
StatusLDAP user account state: Normal, or Cancelled. Normal indicates that the user account
can be used for device login. Cancelled indicates that the user account is already deleted and
cannot be used for device login.
Group Authorization PolicyAuthorization policy used by the device user group to which the user
belongs: an existing authorization policy, or CLI Access Not Supported. The former indicates the
user is controlled by the specified authorization policy. Click the name link of the policy to view its
details (see "Viewing authorization policy details" for more information). The latter indicates device
users of the group can only log in to a device but cannot execute any command. If no authorization
policy is specified for the device user group, this field displays the authorization policy assigned to
its parent group.
User Authorization PolicyName of the authorization policy used by the user. Click the name link
of the policy to view its details (see "Viewing authorization policy details" for more information). If
this field displays CLI Access Not Supported, the user can log in to the device but cannot execute
any command. If no authorization policy is specified for the user, the user will use the authorization
policy assigned to the device user group. If different authorization policies are assigned to the user
and the device user group to which the user belongs, the policy configured for the device user takes
effect.
Creation DateDate when the LDAP user was created, in the format of YYYY-MM-DD.
Last LogoffDate and time when the LDAP user last logged off, in the format of YYYY-MM-DD
hh:mm. If the user has never logged in to a device, this field displays the time when the user account
was created.
Expiration DateDate when the LDAP user expires and becomes invalid, in the format of
YYYY-MM-DD. An empty field indicates that the user will never be expired.
Max. Online UsersMaximum number of online users allowed by an LDAP user account.
Enable Privilege-Increase PasswordWhether privilege-increase password is enabled, Yes or No.
Action
The Action menu is located on the upper right corner of the LDAP User Information page, and offers the
following options:
RefreshClick the link to refresh the LDAP User Information page.
ModifyClick Modify to enter the page for modifying the LDAP user.
Cancel AccountClick Cancel Account. A confirmation dialog box appears. Click OK to cancel the
LDAP user account.
93
Add to BlacklistThis link appears only when the LDAP user is not blacklisted. Click Add to
Blacklist. A confirmation dialog box appears. Click OK to add the LDAP user to the blacklist.
Remove from BlacklistThis link appears only when the LDAP user is blacklisted. Click Remove
from Blacklist. A confirmation dialog box appears. Click OK to remove the LDAP user from the
blacklist.
Authentication LogClick the link to view the authentication log list of the LDAP user. For more
information about authentication logs, see "Managing authentication logs."
Authorization LogClick the link to view the authorization log list of the LDAP user. For more
information about authorization logs, see "Managing authorization logs."
Audit LogClick the link to view the audit log list of the LDAP user. For more information about audit
logs, see "Managing audit logs."
4.
Click Back to return to the All Bound User List.
Binding device users with an LDAP synchronization policy

A device user can be bound with an LDAP synchronization policy in the following ways:
AutomaticThe system automatically synchronizes user data from an LDAP server to TAM and
creates corresponding LDAP users during synchronization. These users are automatically bound
with the synchronization policy. For more information, see "Executing an LDAP synchronization
policy."
ManualYou can also manually bind a device user with an LDAP synchronization policy. In The
following information, we will explore manually binding a device user with an LDAP
synchronization policy.
To manually bind device users with an LDAP synchronization policy:

1.
Click the User tab.
2.
The Bound User List displays all device users bound with the policy.
3.
Click Add in the Bound User List area.

The Unbound User List window appears, displaying all device users that are not bound to any
LDAP synchronization policy.
4.
Account NameEnter the account name of an LDAP user. TAM supports fuzzy matching for this
field. For example, if you enter sam, all unbound users with names containing sam are queried.
. The Select Device User Group
window appears. Select a group and click OK. Click the Clear icon

5.
Click Query.
The Unbound User List displays all device users matching the query conditions.
6.
Select one or multiple users.
7.
Click OK.
The operation result page appears, displaying the number of uses that have been successfully
bound with the synchronization and the number of failures. If failures exist, click Download to
download or view the reasons for the failure in the operation log.
8.
Click Back to return to Bound User List.

94
The newly bound users appear in the Bound User List, with a state of Unknown.
9.
Click the Sync All link to start synchronization.

When the synchronization stops, if the newly bound user exists on the LDAP server, the user status
will change from Unknown to Existent. Otherwise, the user status will change to Inexistent.
Unbinding users with an LDAP synchronization policy

To unbind users with an LDAP synchronization policy:
1.
Click the User tab.
2.
3.
Select one or more users to be unbound from the policy.
4.
Click Unbind in the Bind Users List area
5.
Click OK.
The operation result page appears, displaying the number of uses that have been successfully
unbound with the synchronization and the number of failures. If failures exist, click Download to
download or view the reasons for failure in the operation log.
6.
Click Back to return to Bound User List.

An LDAP user becomes a common device user after being unbound with the synchronization
policy, and will not be displayed in the Bound User List.
Synchronizing LDAP users

A synchronization operation synchronizes users bound with an LDAP synchronization policy as follows:
If an LDAP user in TAM exists on the LDAP server, user information stored in TAM will be overwritten
by that stored on the LDAP server.
If an LDAP user in TAM does not exist on the LDAP server, TAM will mark the user status as
Inexistent.
If a new user has been added to the LDAP server, TAM synchronizes the user from the LDAP server
to its database according to the synchronization policy.
To synchronize LDAP users bound to a synchronization policy:

1.
Click the User tab.
2.
3.
Click the Sync All in the Bound User List area to start executing the policy.
When the synchronization stops, TAM displays the synchronization results, including the total
number of synchronized usersnumber of successfully synchronized users and the number of
failures. If failures exist, click Download to download or view the reasons for the failure in the
operation log.
4.
Click Back to return to Bound Users list.
95
Modifying LDAP user information

Modifying the device user information does not affect the shell profile that has applied to the device user,
but affects the command set to be applied. If, after the modification, the device user is controlled by a
different authorization policy, the user will be controlled by command set of the scenario that the user
matches in the new authorization policy.
If a user parameter is synchronized from an LDAP server, modifications to this parameter cannot survive
the next synchronization process, during which user information in TAM will be overwritten by that stored
on the LDAP server.
To modify LDAP user information:
1.
Click the User tab.
2.
3.
Account NameCannot be modified.
User NameEnter the real name of the LDAP user for identification.
4.
for an LDAP user to enter the page for modifying the user information.
are LDAP users.

window appears. Select a group and click OK.
. The Select Device User Group
Group Authorization PolicyThe system automatically populates this field with the
authorization policy configured for the selected device user group.
User Authorization PolicySelect an authorization policy for the user. Options include any
existing authorization policy configured in TAM, or CLI Access Not Supported. If you select CLI
Access Not Supported, the user can only log in to the device but cannot execute any command.
If you leave this field empty, the user uses the authorization policy of the device user group to
which the user belongs.
Max. Online UsersEnter the upper limit of online users that an LDAP user is allowed to have.
An empty field indicates that the maximum number of online users with the same user account
is not limited.
Expiration DateClick the Calendar icon
to select an expiration date, or manually enter a
date in the format of YYYY-MM-DD. The LDAP user becomes invalid since the expiration date.
An empty field indicates that the LDAP user never expires.
Enable Privilege-Increase PasswordTo enable privilege-increase password for the user, click
the box next to this field, and enter the same password twice in the Privilege-Increase Password
field and Confirm the Password field. With this feature enabled, a user can execute related
command to raise the user privilege to the highest level after logging in to the device. The
commands used for increasing user privilege vary with devices. For more information, see
related configuration guide.
Click OK.
Cancelling LDAP users

TAM allows you to cancel LDAP users in bulk. An LDAP user cannot log in to any device after being
cancelled. You cannot cancel an online LDAP user.
96
TAM retains the information of a cancelled user for a specified time for audit. The lifetime of a cancelled
user is determined by the system parameter Cancelled User Lifetime. For information about system
Operators can view the list of cancelled users through advanced query: set the query criterion Status to
Cancelled, keep the default settings for other criteria, and then click Query. All cancelled users whose
lifetime has not exceeded the Cancelled User Lifetime are displayed. For more information about using
the advanced query function, see "Configuring system parameters."
To delete an LDAP user:
1.
Click the User tab.
2.
3.
Select one or multiple LDAP users you want to cancel.
4.
Click Batch Cancel in the Device User List area.
5.
Click OK.
are LDAP users.
The operation result page appears, displaying the number of successfully cancelled LDAP
accounts and the number of failures. If failures exist, click Download Log to download or view the
reasons for failure in the operation log.
Adding an LDAP user to the blacklist

A blacklisted user cannot log in to manage any devices.
Adding LDAP users to the blacklist on the device user list page
1.
Click the User tab.
2.
3.
Select one or multiple LDAP users.
4.
Click Add to Blacklist in the Device User List area.
are LDAP users.

5.
Click OK.
The operation result page appears, displaying the number of successfully blacklisted users and the
number of failures. If failures exist, click Download to download or view the reasons for failure in
the operation log.
Adding LDAP users to the blacklist on the LDAP user details page
You can follow the same procedures to add an LDAP user to the blacklist in the device user list, all bound
user list, and the bound user list of a specific synchronization policy. The following information uses the
all bound user list as an example.
1.
Click the User tab.
2.
The All Bound User List displays all LDAP users. Account names with the icon
3.
Click the account name of the LDAP user whom you want to add to the blacklist.
The LDAP user details page appears.
4.
Click Add to Blacklist in the Action menu.

97
are LDAP users.

5.
Click OK.
Releasing an LDAP user from the blacklist

A blacklisted user can log in to and manage a device after being released from the blacklist.
You can follow the same procedures to release a blacklisted LDAP user from the blacklist in the device
user list, all bound user list, and the bound user list of a specific synchronization policy. The following
information uses the all bound user list as an example.
To release an LDAP user from the blacklist:
1.
Click the User tab.
2.
The All Bound User List displays all LDAP users. Account names with the icon
3.
are LDAP users.
Click the account name of a blacklisted LDAP user.

The LDAP User Details page appears.
4.
Click Remove from Blacklist in the Action menu.

5.
Click OK.
Exporting LDAP users

In some cases, an LDAP synchronization policy may fail to synchronize users as precisely as needed,
which causes the synchronization of redundant user information and a waste of user licenses. To address
this problem, you can use the following method:
1.
Use the user export function to export user data on the LDAP server to a text file.
2.
Edit the text file to remove the unnecessary user information.
3.
Use the batch user import function to import the user data in the text file to TAM. For more
information, see "Importing device users."
4.
Create a synchronization policy, and clear the Synchronize New Device Users option in the policy.
For more information about adding an LDAP synchronization policy, see "Adding an LDAP
synchronization policy."
5.
Bind the imported users with the synchronization policy created in the previous step. For more
information about binding a user with an LDAP synchronization policy, see "Binding device users
with an LDAP synchronization policy."
The above operations allow you to synchronize only the filtered users when you execute a
synchronization policy.
To export LDAP users:

6.
7.
Select TACACS+ AuthN Manager > LDAP Service > User Export from the navigation tree.
The page for querying users appears.
8.
Enter or select one or more of the following query criteria:
LDAP ServerSelect an existing LDAP server from the list.
98
Base DNThis field is automatically populated with the absolute path of the directory that
stores user data in the selected LDAP server.
server and make sure it is in the base DN directory or be the same as the base DN directory.
TAM synchronizes the user data under sub-base DN rather than base DN.
The DNs of attributes vary with LDAP servers. To get the correct sub-base DN path, use tools
such as Softerra LDAP Administrator.
Filter ConditionEnter a filter to match user data you want to synchronize to the TAM. The most
You may also use a complex filter in the form (operator(attribute1=value)(attribute2=value)) or
can be & (AND), | (OR), or ! (NOT). For example, the filter (&(objectclass=a*)(!(cn=b*)))
enables the TAM to synchronize any entry that has an objectclass attribute value starting with
a and a cn attribute value not starting with b.
The default filter varies with LDAP server type. If the server type is Microsoft AD, the default filter
is (&(objectclass=user)(sAMAccountName=*)). If the server type is General, the default filter is
(&(objectclass=*)(cn=*)).
9.
Click Query.
The window for configuring export file settings appears. Specify the following parameters:
AttributeClick the box next to the Attribute Name field for the attributes you want to export.
SampleThis field displays the sample values for the attribute.
10.
SeparatorSelect a column separator to separate user attributes in the export file. Available
options include Space, TAB, comma (,), colon (:), pound sign (#) and dollar sign ($).
Export Column HeaderSelect this option to export the attribute names as the column titles in
the text file. If you do not select this option, the text file has no column titles.
Click Export.
When the export process is complete, TAM displays the export result, including the name and
location of the file that saves the exported user data.
11.
Click Download the Export File to view the exported user data.
12.
Click Back to return to Query Users page.
Batch operations for LDAP users

Batch operations for LDAP users are the same as those for common device users. For more information,
see "Batch modifying device users" and "Batch cancelling device users."
99
9 Managing online users

An online user is a device user that has passed the TAM authentication and logged in to the device.
Operators can view, trace, and maintain online users in the online user list.
Viewing the online user list

To view the online user list:
1.
Click the User tab.
2.
Select Device User View > All Online Users from the navigation tree.
The Online User List displays all online users. If you hover your mouse over All Online Users, the
Online User List window appears, which displays level 1 device user groups. To view the
sub-group of a device user group, click the Expand button
to the left of the user group. Click the
name link of a user group to view its details.
Online user list contents
Account NameName of the account. Click the name to view its details. For more information
about device users, see "Viewing device user details."
Login NameUsername sent by the device to TAM. It is not the username that a device user
entered when logging in to the device. Redundant information exists in the login name. TAM
excludes the redundant information according to predefined rules, and then matches the
simplified login name against the account name and authenticates the device user. Assume the
username a device user entered at login is HP\Jack001. The user is required to use domain opt
for authentication and the TACACS+ scheme in domain opt authentication requires that the
username carry domain, so the username that the device sends to TAM is HP\Jack001@opt.
TAM changes the login name to Jack001 according to predefined rules and matches Jack001
against the account name in TAM. The rules for excluding redundant information in a login
name are configured in system parameter configuration. For more information, see
Device User GroupDevice user group to which an online user belongs.
Authorization PolicyAuthorization policy being used by an online user. Click the name to
view its details. For more information about authorization policies, see "Viewing authorization
policy details."
Login TimeTime when an online user logs in to the device, in the format of YYYY-MM-DD
hh:mm:ss.
Online Duration (sec.)Online duration of an online user. If the device to which the user logs
in sends a Watchdog packet to TAM, TAM updates the online duration of the user accordingly.
If the device does not support sending Watchdog packets to TAM or sending Watchdog
packets is disabled, the online duration of the user is always 0.
Device IPIP address of the device to which an online user logs in. Click the name link to view
its details. For more information, see "Viewing device details."
OperationClick the Operation link
to open the Operation menu. For an online user not
added to the blacklist, the actions Add to Blacklist and Details are available in the menu. For
a blacklisted user, the actions Remove from Blacklist and Details are available in the menu.
Blacklisting an online user does not affect other logged-in users. However, the blacklisted
100
online user cannot log in to any other devices. Remove from Blacklist releases an online user
from the blacklist. Details opens the Online User Details page.
Navigating the online user list
Click
to page forward in the online user list.
Click
Click
to page backward in the online user list.
Click
to page backward to the front of the online user list.
to page forward to the end of the online user list.
Querying online users

Basic query
To perform a basic query:
1.
Click the User tab.
2.
The Online User List displays all online users.
3.
Click the Basic Query link on the upper right side of the All Online Users area. You can perform a
basic query if you see Advanced Query on the upper right side of the All Online Users area.
4.
Account NameEnter the account name. TAM supports fuzzy matching for this field. For
example, if you enter Sam, all online users with the account name containing Sam are queried.
Device User GroupClick the
icon. The Select User Group window appears. Select a
group and click OK. To delete a user group, click .

5.
Click Query.
The Online User List displays all online users matching the query criteria. To clear the query
criteria, click Reset. The Online User List displays all online users in TAM.
Advanced query
To perform an advanced query:
1.
Click the User tab.
2.
3.
Click the Advanced Query link on the upper right side of the All Online Users area. You can
perform an advanced query if you see Basic Query on the upper right side of the All Online Users
area.
4.
101
Account NameEnter the account name. TAM supports fuzzy matching for this field. For
example, if you enter Sam, all online users with the account name containing Sam are queried.
Device User GroupClick the
icon. The Select User Group window appears. Select a
group and click OK. To delete a user group, click .
Authorization PolicySelect the authorization policy that the online user is using or select CLI
Access Not Supported from the list.
Login NameEnter the login name. TAM supports fuzzy matching for this field. For example,
if you enter Sam, all online users with the login name containing Sam are queried.
Device IP Address Range From/ToEnter an IP address range for the device. You must enter a
complete IPv4 address in each field. If you only enter the start IP address, the range is from the
start IP address to 255.255.255.255. If you only enter the end IP address, the range is from
0.0.0.0 to the end IP address. If you enter both the start IP address and end IP address, the
range is from the start IP address to the end IP address. The end IP address must be higher than
the start IP address.
User IP Address Range From/ToEnter an IP address range for an online user. You must enter
a complete IPv4 address in each field. If you only enter the start IP address, the range is from
the start IP address to 255.255.255.255. If you only enter the end IP address, the range is from
0.0.0.0 to the end IP address. If you enter both the start IP address and end IP address, the
range is from the start IP address to the end IP address. The end IP address must be higher than
the start IP address.
Login Time From/ToEnter a login time range for an online user, in the format of
YYYY-MM-DD hh:mm, and select a login time range. Click the
icon on the left. On the
upper part of the window that appears, select the date, and on the lower part, enter the time.
The date and time determine the start time of the user login. Click the
icon on the right. On
the upper part of the window that appears, select the date, and on the lower part, enter the
time. The date and time determine the end time of the user login. If you only select the start time,
the login time range is from the start time to 9999-01-01 00:00. If you only select the end time,
the login time range is from 2000-01-01 00:00 to the end time. If you select both the start time
and end time, the login time range is from the start time to the end time.
TerminalEnter the terminal that an online user uses to log in to the device. For example, when
a user Telnets to the device, this field displays VTY 0 through VTY 15. When a user logs in to
the device through the console port, this field displays AUX 0, AUX 1, and so on. TAM supports
fuzzy matching for this field. For example, if you enter vty, all online users using VTY to log in
to the device are queried.

5.
Click Query.
The Online User List displays all online users matching the query criteria. To clear the query
criteria, click Reset. The Online User List displays all online users in TAM.
Viewing online user details

To view detailed information about an online user:
1.
Click the User tab.
2.
3.
Click the Operation link
for an online user to open the Operation menu and select Details.
102
The Online User Details page appears.

Online user details
Account NameName of the account.
UsernameReal name of the online user.
Device User GroupDevice user group to which the online user belongs.
Authorization PolicyAuthorization policy that is being used by the online user.
Device IPIP address of the device to which the online user logs in.
User IP AddressIP address of the online user.
4.
Login NameUsername sent by the device to TAM. It is not the username that a device user
entered when logging in to the device. Redundant information exists in the login name. TAM
excludes the redundant information according to predefined rules, and then matches the
simplified login name against the account name and authenticates the device user. Assume the
username a device user entered at login is HP\Jack001. The user is required to use domain opt
for authentication and the TACACS+ scheme in domain opt authentication requires that the
username carry domain, so the username that the device sends to TAM is HP\Jack001@opt.
TAM simplifies the login name to Jack001 according to predefined rules and matches Jack001
against the account name in TAM. The rules for excluding redundant information in a login
name are configured in system parameter configuration. For more information, see
TerminalTerminal that the online user uses to log in to the device. For example, when a user
Telnets to the device, this field displays VTY 0 through VTY 15. When a user logs in to the
device through the console port, this field displays AUX 0, AUX 1, and so on.
Login TimeTime when the online user logs in to the device, in the format of YYYY-MM-DD
hh:mm:ss.
Online Duration (sec.)Online duration of the user. If the device where the user logs in sends
a Watchdog packet to TAM, TAM updates the online duration of the user accordingly. If the
device does not support sending Watchdog packets to TAM or sending Watchdog packets is
disabled, the online duration of the user is always 0.
To return to the online user list, click Back.
Clearing online user information

A device user that has logged out of the device but is displayed as online in TAM is called a halted user.
Halted users can appear in the following cases:
The device is powered off and rebooted. All online users log out, but the device does not send
offline requests to TAM.
When a device user logs out, the offline request sent by the device to TAM is lost.
TAM provides the following methods to clear online information about halted users:
TAM automatically clears the online information about a halted user when the duration that the user
is halted exceeds the predefined time.
The time is controlled by the system parameter Aging Time. For more information about
configuring system parameters, see "Configuring system parameters." When you add or modify a
device in TAM, if you select Not Supported for the Watchdog field, TAM cannot automatically
clear online users that log in to the device. For how to configure a device, see "Configuring a
device."
103
You can manually clear the online information about halted users in the online user list.
When you manually clear online information about a user, make sure the user has logged out. If
you clear the online information about a user that has not logged out, the user can still manage the
device, and TAM records the command line authorization and audit logs of the user. For more
information about audit logs, see "Managing audit logs."
To manually clear online user information:

1.
Click the User tab.
2.
3.
Click the boxes to the left of the target account names.
4.
Click Clear Online Info in the Online User List area.

5.
Click OK.
Adding an online user to the blacklist

Operators can add a user to the blacklist if they find any abnormality. Blacklisting an online user does
not affect other logged-in users. However, the blacklisted online user cannot log in to any other devices.
You must manually release a blacklisted user.
To add an online user to the blacklist:
1.
Click the User tab.
2.
3.

Blacklist.
for the online user to open the Operation menu and select Add to

4.
Click OK.
Releasing a blacklisted user

Operators can release a blacklisted use so the user can log in to manage other devices.
To release a blacklisted user:
1.
Click the User tab.
2.
3.
4.

from Blacklist.
for the online user to open the Operation menu and select Remove

Click OK.
104
10 Managing logs
TAM records the following types of logs when a device user logs in to manage a device:
Authentication logRecords device user login successes and failures. An authentication failure log
also provides the reason for the failure.
Authorization logIncludes login authorization logs and CLI authorization logs. After a device is
enabled with the login authorization function, TAM authorizes login privilege levels for login users
and records login authorization logs. After a device is enabled with CLI authorization, each time a
user executes a command, TAM checks whether the user has the right to execute the command and
records a CLI authorization log. An authorization log result can be Permit or Deny. An authorization
Deny log also provides the reason for the deny action.
Audit logRecords device user login/logoff information as well as user online behaviors.
Managing authentication logs

Authentication logs record device user login successes and failures. An authentication failure log also provides
the reason for the failure. Authentication logs can be exported to a file for future audit.
Viewing the authentication log list

To view the authentication log list:
1.
Click the User tab.
2.
Select Device User View > Log Management > AuthN Logs from the navigation tree.
The Authentication Log List displays all authentication logs.
Authentication log list contents
ResultAuthentication result, Succeeded or Failed.

Failure ReasonIf the authentication result is Failed, this field displays the reason for the
failure. If the authentication result is Succeeded, this field is empty.
Login NameUsername sent by the device to TAM, which is not the username that a device
user entered when logging in to the device. Login name of a device user contains redundant
information, and needs to be extracted. TAM matches the extracted login name against the
account name and authenticates the user. The rules for extracting the login name are
configured in system parameter configuration. For more information, see "Configuring system
parameters."
Account NameAccount name of the device user. Accounts with the name followed by
#delete0# are cancelled accounts. Click the account name of a device user to view the user
details. For more information about device user details, see "Viewing device user details."
Authentication TimeDate and time when the device user was authenticated, in the format of
YYYY-MM-DD hh:mm:ss.
Device IPIP address of the device to which the device user logs in.
for an authentication log to view its details.
Navigating the authentication log list

105
Click
to page forward in the authentication log list.
Click
Click
to page backward in the authentication log list.
Click
to page backward to the front of the authentication log list.
to page forward to the end of the authentication log list.
Click 8, 15, 50, 100, or 200 on the upper right corner of the main pane to configure how many
Querying authentication logs

TAM provides basic query and advanced query for authentication logs. Basic query criteria include
several key parameters for quick search. Advanced query offers various query criteria for precise match.
Basic query
To perform basic query for authentication logs:
1.
Click the User tab.
2.
3.
Click the Basic Query link on the upper right side of the Query Authentication Logs area.
You can perform a basic query if you see Advanced Query on the upper right side of the Query
Authentication Logs area.
4.
Account NameEnter the account name of the device user. TAM supports fuzzy matching for
this field. For example, if you enter sam, all authentication logs with account names containing
sam are queried.
ResultSelect an authentication result, Succeeded or Failed from the list.
Authentication Time From/ToEnter an authentication time range for a device user, in the
format of YYYY-MM-DD hh:mm. Or select an authentication time range. Click the Calendar
icon
on the left. On the upper part of the window that appears, select the date, and on the
lower part, enter the time. The date and time determine the start time of the authentication time
range. Click the Calendar icon
on the right. On the upper part of the window that
appears, select the date, and on the lower part, enter the time. The date and time determine the
end time of the authentication time range. If you only specify the start time, the authentication
time range is from the start time to 9999-01-01 00:00. If you only specify the end time, the
authentication time range is from 2000-01-01 00:00 to the end time. If you select both the start
time and end time, the authentication time range is from the start time to the end time.

5.
Click Query.
The Authentication Log List displays all authentication logs matching the query criteria. To clear the
query criteria, click Reset. The Authentication Log List displays all authentication logs.
Advanced query
To perform advanced query for authentication logs:
1.
Click the User tab.
2.
106
3.
Click the Advanced Query link on the upper right side of the Query Authentication Logs area.
4.
You can perform an advanced query if you see Basic Query on the upper right side of the Query
Authentication Logs area.
5.
this field. For example, if you enter sam, all authentication logs with account names containing
sam are queried.
ResultSelect an authentication result, Succeeded or Failed from the list.
Authentication Time From/ToEnter an authentication time range for a device user, in the
format of YYYY-MM-DD hh:mm. Or select an authentication time range. Click the Calendar
icon
on the left. On the upper part of the window that appears, select the date, and on the
lower part, enter the time. The date and time determine the start time of the authentication time
range. Click the Calendar icon
on the right. On the upper part of the window that
appears, select the date, and on the lower part, enter the time. The date and time determine the
end time of the authentication time range. If you only specify the start time, the authentication
time range is from the start time to 9999-01-01 00:00. If you only specify the end time, the
authentication time range is from 2000-01-01 00:00 to the end time. If you select both the start
time and end time, the authentication time range is from the start time to the end time.
Device User GroupClick the Select User Group

icon. The Select Device User Group
window appears. Select a group and click OK. To clear your selection, click the Clear icon
.
User StatusSelect a user state, Normal or Cancelled from the list. Normal indicates the user
is in normal state. Cancelled indicates the user is already cancelled.
Device IP From/ToEnter an IP address range for the device. If you only enter the start IP
address, the range is from the start IP address to 255.255.255.255. If you only enter the end
IP address, the range is from 0.0.0.0 to the end IP address. If you enter both the start IP address
and end IP address, the range is from the start IP address to the end IP address. The end IP
address must be no smaller than the start IP address. You must enter a complete IPv4 address
in each field.
User IP From/ToEnter an IP address range for the device user. If you only enter the start IP
in each field.
Privilege LevelEnter a privilege level of the device user. TAM queries authentication logs of
the specified level. If a device user has a privilege level of 3, TAM records the authentication
logs of the device user as level 3 authentication logs.
Session IDEnter the session ID used for packet exchanges between the device and TAM for
the authentication. TAM only supports exact matching for this field.
ActionSelect an action for the authentication. Actions can be Login Authentication, Change
Password, and Send Authentication. TAM only supports Login Authentication.
Authentication TypeSelect an authentication type used by the device and TAM to
authenticate the device user. Options include ASCII, PAP, and CHAP. The authentication type
is configured on the device. Most devices only support ASCII.
Service TypeSelect a service type for the authentication. Options include Login, Enable, and
None. Login indicates the user is authenticated for device login. Enable indicates the user is
107
authenticated for increasing user privilege level. None indicates any other authentication
service. TAM only supports Login and Enable.
6.
Click Query.
The Authentication Log List displays all authentication logs matching the query criteria. To clear the
query criteria, click Reset. The Authentication Log List displays all authentication logs.
Viewing authentication log details

To view detailed information about an authentication log:
1.
Click the User tab.
2.
3.
for the authentication log whose detailed information you want to view.
Authentication log details contents
configured in system parameter configuration. For more information about configuring system
#delete0# are cancelled accounts
ResultAuthentication result, Succeeded or Failed.
Failure ReasonReason for the authentication failure. If the device user passed the
authentication, this field is empty.
User IPIf the service type is Login, this field displays the IP address of the device user. If the
service type is Enable, this field displays 0.0.0.0.
TerminalIf the Service Type is Login, this field displays the terminal that a device user uses to
log in to the device. For example, when a user Telnets to the device, this field displays VTY 0,
VTY 2, and so on. When a user logs in to the device through the console port, this field displays
AUX 0, AUX 1, and so on. If the Service Type is Enable, this field is empty.
Authentication TimeDate and time when the device user was authenticated, in the format of
ActionAction corresponding to the authentication. TAM only supports Login Authentication,
so this field always displays Login Authentication.
Privilege LevelPrivilege level the device user applied for. If a device user requesting for
authentication applied for privilege level 3, TAM records the authentication logs of the user as
level 3 authentication logs.
Authentication TypeType of authentication performed for the device user, ASCII, PAP, or
CHAP. This parameter is configured on the device. Most devices only support ASCII.
Service TypeType of service provided in the authentication. Options include None, Login,
and Enable. Login indicates the user is authenticated for device login. Enable indicates the user
108
is authenticated for increasing user privilege level. None indicates the user is authenticated for
other purposes. TAM only supports Login and Enable.
4.
Session IDSession ID used for packet exchanges between the device and TAM. For one
authentication action, the device and TAM use the same session ID.
Sequence NumberSequence number of the packets exchanged between the device and
TAM in the same session ID.
Click Back to return to Authentication Log List.
Exporting authentication logs

The authentication log export function allows operators to get a list of authentication logs to be exported
through the query function, and then export all authentication logs in the authentication log list to an
export file.
To export authentication logs to a file:
1.
Click the User tab.
2.
3.
Filter the authentication logs through basic query or advanced query.

For more information about querying authentication logs, see "Querying authentication logs."
4.
Click Export in the Authentication Log List area.

The page for configuring log export appears.
5.
Select a target File Format, TXT (text file) or CSV (CSV file).
Windows uses Excel to open CSV files by default. Excel automatically adjusts the display format
according to the contents. For example, 123456789123456789 will be displayed as
1.23457E+17 (scientific notation). In this case, you can select to display the data in text format.
6.
Select a Separator for the text file.

Available options include Space, Tab, comma (,), colon (:), pound sign (#) and dollar sign ($). This
parameter appears only when you select TXT for File Format.
7.
Click OK.
This process may take a few minutes or longer, depending on the amount of authentication logs to
be exported.
After export, the operation result pages show the total number of exported logs and the number of
failures. If failure exists, click Download to download or view the reasons for failure in the
operation log.
8.
Click Back to return to Authentication Log List.
9.
(Optional) To view the operation result of the last export operation, click Last Export Result.
Managing authorization logs

Authorization logs fall into the following types:
Login authorization logsAfter a device is enabled with the login authorization function, TAM
authorizes login privilege levels for login users and records login authorization logs.
109
CLI authorization logsAfter a device is enabled with the CLI authorization function, each time a
user executes a command, TAM checks whether the user has the right to execute the command and
records a CLI authorization log.
An authorization log result can be Permit or Deny. An authorization Deny log also provides the reason
for the deny action.
Authorization logs can be exported to a file for future audit.
Viewing the authorization log list

To view the authorization log list:
1.
Click the User tab.
2.
Select Device User View > Log Management > AuthZ Logs from the navigation tree.
The Authorization Log List displays all authorization logs.
Authorization log list contents
ResultAuthorization result, Permit or Deny.

Failure ReasonReason for the deny action. If the authorization result is Permit, this field is
empty.
parameters."
#delete0# are cancelled accounts. Click the account name of a device user to view its details.
For more information about device user details, see "Viewing device user details."
Authorization TypeType of the authorization, Login Authorization or CLI Authorization. Login
Authorization indicates TAM authorizes a device user using the shell profile at user login. CLI
Authorization indicates TAM determines whether to permit or deny a device user to execute a
command according to the command set that the device user matches.
Authorization Policy NameName of the authorization policy used by the device user. Click
the name link of an authorization policy to view its details. For more information about
authorization policy details, see "Viewing authorization policy details."
Authorization TimeDate and time when TAM performed the authorization, in the format of
for an authorization log to view its details.
Navigating the authorization log list
Click
to page forward in the authorization log list.
Click
to page forward to the end of the authorization log list.
Click
to page backward in the authorization log list.
Click
to page backward to the front of the authorization log list.
110
Querying authorization logs

TAM provides basic query and advanced query for authorization logs. Basic query criteria include
several key parameters for quick search. Advanced query offers various query criteria for precise match.
Basic query
To perform basic query for authorization logs:
1.
Click the User tab.
2.
3.
Click the Basic Query link on the upper right side of the Query Authorization Logs area.
Authorization Logs area.
4.
this field. For example, if you enter sam, all authorization logs with account names containing
sam are queried.
ResultSelect an authorization result, Permit or Deny from the list.
Authorization Time From/ToEnter an authorization time range for a device user, in the format
of YYYY-MM-DD hh:mm. Or select an authorization time range. Click the Calendar icon
on
the left. On the upper part of the window that appears, select the date, and on the lower part,
enter the time. The date and time determine the start time of the authorization time range. Click
the Calendar icon
on the right. On the upper part of the window that appears, select the
date, and on the lower part, enter the time. The date and time determine the end time of the
authorization time range. If you only specify the start time, the authorization time range is from
the start time to 9999-01-01 00:00. If you only specify the end time, the authorization time
range is from 2000-01-01 00:00 to the end time. If you select both the start time and end time,
the authorization time range is from the start time to the end time.

5.
Click Query.
The Authorization Log List displays all authorization logs matching the query criteria. To clear the
query criteria, click Reset. The Authorization Log List displays all authorization logs.
Advanced query
To perform advanced query for authorization logs:
1.
Click the User tab.
2.
3.
Click the Advanced Query link on the upper right side of the Query Authorization Logs area.
Authorization Logs area.
4.

111
this field. For example, if you enter sam, all authorization logs with account names containing
sam are queried.
ResultSelect an authorization result, Permit or Deny from the list.
Authorization Time From/ToEnter an authorization time range for a device user, in the format
of YYYY-MM-DD hh:mm. Or select an authorization time range. Click the Calendar icon
on
the left. On the upper part of the window that appears, select the date, and on the lower part,
enter the time. The date and time determine the start time of the authorization time range. Click
the Calendar icon
on the right. On the upper part of the window that appears, select the
date, and on the lower part, enter the time. The date and time determine the end time of the
authorization time range. If you only specify the start time, the authorization time range is from
the start time to 9999-01-01 00:00. If you only specify the end time, the authorization time
range is from 2000-01-01 00:00 to the end time. If you select both the start time and end time,
the authorization time range is from the start time to the end time.

.
CLIEnter the command executed by the device user at CLI. TAM supports fuzzy matching for
this field. For example, if you enter dis, all authorization logs with command lines containing
dis are queried. This query criterion is used to query CLI authorization logs only.
Authorization PolicySelect an authorization policy or select CLI Access Not Supported from
the list.
Profile AttributeEnter the attribute value of the shell profile that applies to the device user at
login. TAM supports fuzzy matching for this field. For example, if you enter timeout, all
authorization logs with shell profiles containing timeout are queried. This query criterion is
used to query Login authorization logs only.
Privilege LevelEnter the privilege level of the device user. TAM queries authorization logs of
device users of the specified level.
in each field.
in each field.
Session IDEnter a session ID used by the device and TAM for packet exchanges. TAM only
supports exact matching for this field.

5.
Click Query.
112
The Authorization Log List displays all authorization logs matching the query criteria. To clear the
query criteria, click Reset. The Authorization Log List displays all authorization logs.
Viewing authorization log details

To view detailed information about an authorization log:
1.
Click the User tab.
2.
3.
for the authorization log whose detailed information you want to view.
Authorization log details contents
parameters."
#delete0# are cancelled accounts.
ResultAuthorization result, Permit or Deny.
Failure ReasonReason for the deny action. If the authorization result is Permit, this field is
empty.
Profile AttributeAttribute that TAM assigns to the shell profile that applies to the device user.
A profile attribute consists of multiple attributes in the form (attribute=value). Different attributes
are separated by a semicolon (;).
Privilege LevelEnter the privilege level of the device user. TAM queries authorization logs of
device users of the specified level.
CLICommand executed by the device user at the CLI. If the authorization log is a login
authorization log, this field is empty.
Authorization Policy NameAuthorization policy used by the device user.
User IPIP address of the device user.
4.
Authorization TimeDate and time when TAM performed the authorization, in the format of
TerminalTerminal that a device user uses to log in to the device. For example, when a user
Telnets to the device, this field displays VTY 0, VTY 2, and so on. When a user logs in to the
Session IDSession ID used for this authorization. For one authorization action, the device and
TAM use the same session ID for packet exchanges.
Click Back to return to Authorization Log List.
113
Exporting authorization logs

The authorization log export function allows operators to get a list of authorization logs to be exported
through the query function, and then export all authorization logs in the authorization log list to an export
file.
To export authorization logs:
1.
Click the User tab.
2.
3.
Filter the authorization logs through basic query or advanced query.

For more information about querying authorization logs, see "Querying authorization logs."
4.
5.

parameter is available when you select TXT for File Format.
6.
Click OK.
This process may take a few minutes or longer, depending on the amount of authorization logs to
be exported.
operation log.
7.
Click Back to return to Authorization Log List.
8.
(Optional) To view the operation result the last export operation, click Last Export Result.
Managing audit logs

Audit logs record user login/logoff and user online behaviors.
Audit logs fall into the following types:
Audit start logTAM records an audit start log when a user logs in to a device.
Audit end logTAM records an audit end log when a user logs off a device.
Audit update logTAM records an audit update log when receiving a watchdog packets from the
device. Watchdog packets are periodically sent by the device to TAM to declare that it is still online.
Enter-command-at-CLI logTAM records an enter-command-at-CLI log each time a device user

executes a command.
Clear-online-data logTAM records a clear-online-data log when an operator manually clears

online user information. For more information, see "Configuring system operation log parameters."
Age-online-data logTAM records an age-online-data log when TAM clears aged online users
according to the Aging Time specified in the system parameter configuration.
114
Viewing the audit log list

To view the audit log list:
1.
Click the User tab.
2.
Select Device User View > Log Management > Audit Logs from the navigation tree. The Audit Log
List displays all audit logs.
Audit log list contents
parameters."
#delete0# are cancelled accounts. Click the account name of a device user to view the user
details. For more information about device user details, see "Viewing device user details."
CLICommand executed by the device user.
Audit TypeType of the audit. Audit types include Start, Update, End, Enter Command At CLI,
Clear Online Data, and Age Online Data.
Start indicates the log was generated when a user successfully logged in to a device. End
indicates the log was generated when a user logged off a device. Update indicates the log
was generated when TAM received a watchdog packet periodically sent by an online user to
declare that the user is still online. Enter Command At CLI indicates the log was generated
when a user executed a command at the CLI. Clear Online Data indicates the log was
generated when an operator manually cleared online user information. Age Online Data
indicates the log was generated when TAM periodically cleared aged online users according
to the Aging Time specified in the system parameter configuration.
Audit TimeDate and time when the audit was performed, in the format of YYYY-MM-DD
hh:mm:ss.
for an audit log to view its details.
Navigating the audit log list
Click
to page forward in the audit log list.
Click
to page forward to the end of the audit log list.
Click
to page backward in the audit log list.
Click
to page backward to the front of the audit log list.
Querying audit logs

TAM provides basic query and advanced query for audit logs. Basic query criteria include several key
parameters for quick search. Advanced query offers various query criteria for precise match.
115
Basic query
To perform basic query for audit logs:
1.
Click the User tab.
2.
Select Device User View > Log Management > Audit Logs from the navigation tree.
The Audit Log List displays all audit logs.
3.
Click the Basic Query link on the upper right side of the Query Audit Logs area.
Audit Logs area.
4.
this field. For example, if you enter sam, all audit logs with account names containing sam are
queried.
Audit TypeSelect an audit from the list. Audit types include Start, Update, End, Enter
Command At CLI, Clear Online Data, and Age Online Data.
Audit Time From/ToEnter an audit time range for a device user, in the format of
YYYY-MM-DD hh:mm. Or select an audit time range. Click the Calendar icon
on the left.
On the upper part of the window that appears, select the date, and on the lower part, enter the
time. The date and time determine the start time of the audit time range. Click the Calendar
icon
on the right. On the upper part of the window that appears, select the date, and on
the lower part, enter the time. The date and time determine the end time of the audit time
range. If you only specify the start time, the audit time range is from the start time to
9999-01-01 00:00. If you only specify the end time, the audit time range is from 2000-01-01
00:00 to the end time. If you select both the start time and end time, the audit time range is
from the start time to the end time.

5.
Click Query.
The Audit Log List displays all audit logs matching the query criteria. To clear the query criteria,
click Reset. The Audit Log List displays all audit logs.
Advanced query
To perform advanced query for audit logs:
1.
Click the User tab.
2.
3.
Click the Advanced Query link on the upper right side of the Query Audit Logs area.
Audit Logs area.
4.
this field. For example, if you enter sam, all audit logs with account names containing sam are
queried.
Audit TypeSelect an audit from the list. Audit types include Start, Update, End, Enter
116
Audit Time From/ToEnter an audit time range for a device user, in the format of
YYYY-MM-DD hh:mm. Or select an audit time range. Click the Calendar icon
on the left.
On the upper part of the window that appears, select the date, and on the lower part, enter the
time. The date and time determine the start time of the audit time range. Click the Calendar
icon
on the right. On the upper part of the window that appears, select the date, and on
the lower part, enter the time. The date and time determine the end time of the audit time
range. If you only specify the start time, the audit time range is from the start time to
9999-01-01 00:00. If you only specify the end time, the audit time range is from 2000-01-01
00:00 to the end time. If you select both the start time and end time, the audit time range is
from the start time to the end time.

.
CLIEnter the command line executed by the device user. TAM supports fuzzy matching for
this field. For example, if you enter dis, all audit logs with command lines containing dis are
queried.
Privilege LevelEnter the privilege level of the device user. TAM queries audit logs of device
users of the specified level.
in each field.
in each field.
Session IDEnter the session ID used by the device and TAM for packet exchanges. TAM only
supports exact matching for this field.

5.
Click Query.
The Audit Log List displays all audit logs matching the query criteria. To clear the query criteria,
click Reset. The Audit Log List displays all audit logs.
Viewing audit log details

To view detailed information about an audit log:
1.
Click the User tab.
2.
3.
for the audit log whose detailed information you want to view.
117
Audit log details contents
#delete0# are cancelled accounts.
Privilege LevelPrivilege level of the device user.
CLICommand executed by the device user. This field displays a value only when the Audit
Type is Enter Command At CLI.
Audit TimeDate and time when the audit was performed, in the format of YYYY-MM-DD
hh:mm:ss.
Audit TypeSelect an audit type from the list. Audit types include Start, Update, End, Enter
Start indicates the log was generated when a user successfully logged in to a device. End
indicates the log was generated when a user logged off a device. Update indicates the log
was generated when TAM received a watchdog packet periodically sent by an online user to
declare that the user is still online. Enter Command At CLI indicates the log was generated
when a user executed a command at CLI. Clear Online Data indicates the log was generated
when an operator manually cleared online user information. Age Online Data indicates the log
was generated when TAM periodically cleared aged online users according to the Aging Time
specified in the system parameter configuration.
User IPIP address of the device user.
4.
parameters."
TerminalTerminal that a device user uses to log in to the device. For example, when a user
Telnets to the device, this field displays VTY 0, VTY 2, and so on. When a user logs in to the
Session IDSession ID used for this audit. For one audit, the device and TAM use the same
session ID for packet exchanges.
Click Back to return to Audit Log List.
Exporting audit logs

The audit log export function allows operators to get a list of audit logs to be exported through the query
function, and then export all audit logs in the audit log list to an export file.
To export audit logs:
1.
Click the User tab.
2.
3.
Filter the audit logs through basic query or advanced query.

118
For more information about querying audit logs, see "Querying audit logs."
4.
5.

parameter is available when you select TXT for File Format.
6.
Click OK to start the export.

This process may take a few minutes or longer, depending on the amount of audit logs to be
exported.
operation log.
7.
Click Back to return to Audit Log List.

(Optional) To view the operation result of the last export operation, click Last Export Result.
119
11 Configuring global system settings

The global system settings determine the operation of the TAM system and its services.
Global system settings include:
System parameters
System operation log parameters
System configuration validation
Configuring system parameters

System parameters are related to all services in TAM, and must be properly configured to guarantee
normal operation of services.
To configure the system parameters:
1.
2.
Select TACACS+ AuthN Manager > Service Parameters > System Configuration from the
navigation tree.
The System Configuration list displays all system configurations.
3.
Click the Configure icon
4.
Configure the system parameters:
for the System Parameters entry.
Aging TimeSet the time interval at which TAM checks the status of each online user. If the
duration since the Watchdog packet of a user was received exceeds the aging time, TAM
considers that the user is offline and removes the user from the online user list. HP recommends
that you set the value to at least three times the sending interval of Watchdog packets. The
sending interval of Watchdog packets is configured on the device. When you add or modify
a device in TAM, if you set the Watchdog field to Not Supported, TAM cannot automatically
clear online users that log in to the device.
Max. Authentication AttemptsSet the maximum number of consecutive authentication
attempts permitted for a device user with incorrect passwords. If the maximum authentication
attempts are exceeded, TAM adds the user to the blacklist. Blacklisting an online user does not
affect other logged-in users. However, the blacklisted online user cannot log in to any other
devices. The user is released from the blacklist at 00:00 the next day. If you do not want to
restrict the authentication attempts, set the parameter to 0.
Cancelled User LifetimeSpecify how long TAM keeps the account information and related
authentication, authorization, and audit logs of a device user in the system after the user is
cancelled. When the time expires, TAM permanently deletes the account information and logs
of the device user. You can query users that have been cancelled but whose lifetime is not
expired by using the advanced query function for device users and setting the user status to
Cancelled. For more information about the advanced query function, see "Querying device
users." You can query logs for cancelled users by using the advanced query function for logs
and setting the user status to Cancelled. For more information about the advanced query
function, see "Querying authentication logs," "Querying authorization logs," and "Querying
audit logs."
120
5.
Estimated Authorized Time RangeSet the estimated authorized time range for authorized
time range policies. TAM computes at every 00:00 the permitted access period in the
estimated time range for each authorized time range policy, and stores the result in a
temporary table. Then TAM checks the authorization policy used by each authenticating device
user for the authorized time range policy, and searches the table to determine whether or not
the user can log in to the device in the current period. A large value can affect system
performance. HP recommends that you use the default value of 3 days.
LDAP Synchronization TimeSet the time when TAM starts to synchronize the LDAP users every
day. Use 24-hour time, for example, 15 representing 3 p.m.
Log LifetimeSpecify how long TAM keeps the user authentication, authorization, and audit
logs in TAM. TAM automatically deletes the logs that exceed the log lifetime at 00:00 every
day.
LDAP User Move Between ServersSelect Enable from the list to allow the synchronized LDAP
users to move between different LDAP servers. Select Disable from the list to disable the
function. Enable the function if user data must be moved to a new LDAP server due to job
reallocation or similar reasons.
LDAP Pre-Synchronization Time (O'clock)Select one or multiple time points to execute
pre-synchronization every day. Pre-synchronizing users from the LDAP server to IMC can
improve on-demand synchronization efficiency. HP recommends that you set the time to a time
when the system is relatively idle, for example, 06:00 to 08:00 every day.
Prompt for User NameSet the message sent to users for entering the username when the
users log in to the device.
Prompt for PasswordSet the message sent to users for entering the password when the users
log in to the device.
Account name excluded the last separator and the previous contentsIn some cases, the
account name that a device user enters at login has a prefix (such as LDAP domain name). If
you select this option, TAM excludes the last separator and the previous contents and compares
it with the local account name when verifying the account name. For example, if a user enters
the account name hp\test\tom and separator \, TAM uses tom for account name verification.
Account name excluded the first separator and the subsequent contentsIn some cases, the
account name that a device user enters at login has a suffix (such as TACACS domain name).
If you select this option, TAM excludes the first separator and the subsequent contents and
compares it with the local account name when verifying the account name. For example, if a
user enters the account name user@test@hp and separator @, TAM uses tom for account
name verification. If you enable both this option and the above option, the first option applies
first, and then this option applies.
Click OK.
Configuring system operation log parameters

TAM system operation log files are stored in the tam\log directory of the IMC installation path. TAM
generates one operation log file yyyymmdd.log every day. The yyyymmdd portion in the file names
represents the date when the log file is created. If an operation log file exceeds 2 GB, TAM creates
another operation log file with a sequence number appended to the name, for example,
yyyymmdd-1.log.
The file yyyymmdd.log records all logs generated during TAM operation.
You can adjust the log level and log lifetime in TAM system operation log parameters.
121
To configure the TAM system operation log parameters:

1.
2.
Select TACACS+ AuthN Manager > System Parameters > System Configuration from the
navigation tree.
The System Configuration list displays all system configurations.
3.
Click the Configure icon
4.
Configure the system operation log parameters:
5.
for the System Operation Log Parameters entry.
Log LevelSelect a level from the list for the TAM system operation logs. Log levels in
descending order of severity include Fatal, Error, Warning, Info, and Debugging. With the log
level configured, TAM records system operation logs of the specified level and all above levels.
Do not use the debugging level except for troubleshooting, because it greatly consumes system
resources.
Log LifetimeSpecify how long TAM keeps the log files. TAM automatically deletes the log
files that exceed the log lifetime at 00:00 every day.
Click OK.
Validating the system configuration

After you change the system parameters, the TAM console informs the daemon threads to immediately
validate the configuration. If the request fails, you can manually validate the system configuration.
To manually validate the system configuration:
1.
2.
Select TACACS+ AuthN Manager > Service Parameters > Validate from the navigation tree.
If the validation fails, the system prompts the failure reason.
122
12 Support and other resources

Contacting HP
For worldwide technical support information, see the HP support website:
http://www.hp.com/support
Before contacting HP, collect the following information:
Product model names and numbers
Technical support registration number (if applicable)
Product serial numbers
Error messages
Operating system type and revision level
Detailed questions
Subscription service
HP recommends that you register your product at the Subscriber's Choice for Business website:
http://www.hp.com/go/wwalerts
After registering, you receive email notification of product enhancements, new driver versions, firmware
updates, and other product resources.
Related information
Refer to the following related information.
Documents
To find related documents, browse to the Manuals page of the HP Business Support Center website:
http://www.hp.com/support/manuals
For related documentation, navigate to the Networking section, and select a networking category.
For a complete list of acronyms and their definitions, see HP A-Series Acronyms.
Websites
HP.com http://www.hp.com
HP Networking http://www.hp.com/go/networking
HP manuals http://www.hp.com/support/manuals
HP download drivers and software http://www.hp.com/support/downloads
HP software depot http://www.software.hp.com
123
Conventions
The following information describes the conventions used in this documentation set.
GUI conventions
Convention
Description
Boldface
Window names, button names, field names, and menu items are in bold text. For
example, the Select Devices window appears; click OK.
>
Multi-level menus are separated by angle brackets. For example, User Access Manager >
Portal Service > Server.
Convention
Description
Symbols
WARNING
An alert that calls attention to important information that if not understood or followed can
result in personal injury.
CAUTION
An alert that calls attention to important information that if not understood or followed can
result in data loss, data corruption, or damage to hardware or software.
IMPORTANT
An alert that that provides clarifying information or specific instructions.
NOTE
TIP
An alert that contains additional or supplementary information.

An alert that contains helpful hints for completing a task.
Port numbering in examples

The port numbers in this document are for illustration only and might be unavailable on your device.
About HP IMC documents

The following are the documents available for HP IMC:
Documents
Purposes
Hardware specifications and installation

HP IMC Getting Started Guide
Quickly guides you through the IMC main features

and troubleshooting common problems.
HP IMC Installation Guide
Provides a complete guide to IMC platform and

component installation and deployment.
HP IMC Probe Installation Guide
Provides a complete guide to IMC Probe installation

and deployment.
SQL Server 2005 Installation and Configuration Guide
Guides you through installing SQL Server 2005 for

IMC.
SQL Server 2008 Installation and Configuration Guide
Guides you through installing SQL Server 2008 for

IMC.
SQL Server 2008 R2 Installation and Configuration

Guide
Guides you through installing SQL Server 2008 R2

for IMC.
124
Documents
Purposes
Oracle 11g Installation and Configuration Guide(for

Linux)
Guides you through installing Oracle 11g on Linux

for IMC.
Oracle 11g R2 Installation and Configuration Guide(for

Linux)
Guides you through installing Oracle 11g R2 on

Linux for IMC.
MySQL 5.5 Installation and Configuration Guide (for

Linux)
Guides you through installing MySQL 5.5 on Linux

for IMC.
MySQL 5.5 Installation and Configuration Guide (for

Windows)
Guides you through installing MySQL 5.5 on

Windows for IMC.
Red Hat Enterprise Linux 5 Installation Guide
Guides you through installing Red Hat Enterprise

Linux 5 for IMC
Red Hat Enterprise Linux 6.1 Installation Guide
Guides you through installing Red Hat Enterprise

Linux 6.1 for IMC
Software configuration
HP IMC Base Platform Administrator Guide
Describes operation procedures on the IMC base

platform.
HP IMC Network Traffic Analyzer Administrator Guide
Describes operation procedures on the IMC Network

Traffic Analyzer.
HP IMC TACACS+ Authentication Manager

Administrator Guide
Describes operation procedures on the IMC

TACACS+ Authentication Manager.
Online Help
Helps you properly use IMC.
Operations and maintenance

Readme
Provides latest IMC release information.
125
Index
ABCDEILMOQRSTUVW
Configuring an LDAP server,13
Configuring authorized time range policies,35
Configuring device user groups,55
Configuring device users,60
Configuring LDAP authentication + TAM local
authorization,12
Configuring system operation log parameters,121
Configuring system parameters,120
Configuring TAM,13
Configuring TAM local authentication and
authorization,7
Configuring the blacklist user function,70
Configuring the PC of the device user,18
Configuring the PC of the device user,12
Contacting HP,123
Conventions,124
Copying a command set,47
A
About HP IMC documents,124
Adding a command set,45
Adding
Adding
Adding
Adding
Adding
Adding
Adding
Adding
Adding
Adding
a device,21
a device area,30
a device type,34
a device user,64
a device user group,56
a shell profile,41
a sub-area,31
a sub-group,57
a sub-type,34
an authorization policy,50
Adding an authorized time range policy,37

Adding an LDAP server,79
Adding an LDAP synchronization policy,85
Adding an LDAP user to the blacklist,97
Adding an online user to the blacklist,104
Adding device users to the blacklist,73
Advanced query,101
D
Deleting a command set,48
Deleting a device area or a sub-area,31
Deleting a device type or a sub-type,35
Deleting a device user group or a sub-group,59
Deleting a shell profile,43
Deleting an authorization policy,54
Deleting an authorized time range policy,39
B
Basic query,101
Batch cancelling device users,69
Batch deleting devices,27
Batch modifying device users,68
Batch modifying devices,26
Deleting an LDAP server,83

Deleting an LDAP synchronization policy,88
Documents,123
Batch operations for LDAP users,99

Binding device users with an LDAP synchronization
policy,94
E
Executing an LDAP synchronization policy,89
Exporting audit logs,118
Exporting authentication logs,109
C
Cancelling LDAP users,96
Clearing online user information,103
Command set,43
Comparing the authentication-authorization
methods,18
Configuring a device,17
Configuring a device,11
Exporting authorization logs,114

Exporting LDAP users,98
I
Importing device users,65
Importing devices,24
126
Querying online users,101
LDAP authentication + TAM local authorization,5

LDAP Overview,75
R
Regrouping device users,69
Related information,123
Releasing a blacklisted user,104
Log management,4
Login authorization and command authorization,3
Login methods and authentication-authorization
methods,4
Releasing an LDAP user from the blacklist,98

Removing device users from the blacklist,73
Managing audit logs,114

Managing authentication logs,105
Managing authorization logs,109
Managing device areas,29
Managing device types,32
Managing LDAP servers,76
Managing LDAP synchronization policies,83
Managing LDAP users,90
Managing users bound to an LDAP synchronization
policy,89
Modifying a command set,46
Modifying a device,25
Modifying a device area or a sub-area,31
Modifying a device type or a sub-type,34
Modifying a device user,67
Modifying
Modifying
Modifying
Modifying
Modifying
Modifying
Modifying
Modifying
groups,59
Modifying
Scenario-based authorization,3
Shell profile,40
Subscription service,123
Support and other resources,123
Synchronizing LDAP users,95
T
TAM,8
TAM features,1
TAM functional structure,2
TAM local authentication and authorization,4
TAM user types,3
Testing connectivity to an LDAP server,81
U
Unbinding users with an LDAP synchronization
policy,95
a device user group or a sub-group,58

a shell profile,42
an authorization policy,52
an authorized time range policy,38
an LDAP synchronization policy,87
LDAP server settings,81
LDAP user information,96
operator privileges for device user
V
Validating on-demand synchronization policies,90
Validating the system configuration,122
Viewing audit log details,117
Viewing authentication log details,108
Viewing authorization log details,113
Viewing authorization policy details,49
the device area and type,27
Viewing
Viewing
Viewing
Viewing
Viewing
O
Online user management,4
Q
Querying
Querying
Querying
Querying
Querying
Querying
Querying
audit logs,115
authentication logs,106
authorization logs,111
blacklist users,71
device users,61
devices,20
LDAP users,92
authorized time range policy details,37

blacklist user details,72
blacklist users,71
command set details,44
device area details,30
Viewing device details,20

Viewing device type details,33
Viewing device user details,63
Viewing device user group details,56
Viewing device users in a device user group or
sub-group,59
Viewing devices in a device area or sub-areas,32
127
Viewing
Viewing
Viewing
Viewing
devices of a device type or sub-types,35

LDAP server details,77
LDAP synchronization policy details,84
LDAP user details,92
Viewing
Viewing
Viewing
Viewing
the
the
the
the
device
device
device
device
Viewing
Viewing
Viewing
Viewing
LDAP users,90
online user details,102
shell profile details,41
the audit log list,115
Viewing
Viewing
Viewing
Viewing
the
the
the
the
device user list,60

LDAP server list,76
LDAP synchronization policy list,83
online user list,100
Viewing the authentication log list,105

Viewing the authorization log list,110
area list,29
list,19
type list,33
user group list,55
Viewing the shell profile list,40

W
Viewing the authorization policy list,49

Viewing the authorized time range policy list,36
Websites,123
Viewing the command set list,44
128

HP Intelligent Management Center v5.1 TACACS+ Authentication Manager Administrator Guide

Cargado por

Información del documento

Derechos de autor

Formatos disponibles

Compartir este documento

Compartir o incrustar documentos

Opciones para compartir

¿Le pareció útil este documento?

¿Este contenido es inapropiado?

Copyright:

Formatos disponibles

HP Intelligent Management Center v5.1 TACACS+ Authentication Manager Administrator Guide

Cargado por

Copyright:

Formatos disponibles

HP Intelligent Management Center

TACACS+ Authentication Manager Administrator

Part number: 5998-3316

Copyright 2012 Hewlett-Packard Development Company, L.P.

2 Device user authentication configuration guide 7

3 Performing device-related configuration 19

Modifying a device area or a sub-area 31

7 Managing device users 55

Binding device users with an LDAP synchronization policy 94

9 Managing online users 100

10 Managing logs 105

11 Configuring global system settings 120

12 Support and other resources 123

1 TACACS+ Authentication Manager overview

AuthorizationAssigns different device management privileges to different maintainers, so they

AuditAudits maintainers by monitoring and recording their online behaviors.

CollaborationCooperates with the mainstream TACACS+ supporting devices, such as HP

Authentication by account name and password.

Simple user management

Batch operationSupports abundant batch operations, such as batch open/cancel/modify

BlacklistAdds suspicious device users to the blacklist to prevent attacks.

Strict and refined user privilege control

Scenario-based authorizationAuthorizes device users according to different access scenarios.

Login authorization and command authorizationLogin authorization controls login behaviors of

Limit on the number of concurrent users of one account.

High-performance, expansible deployment solutions

TAM functional structure

TAM user types

Login authorization and command authorization

Online user management

Login methods and authentication-authorization

TAM local authentication and authorization

LDAP authentication + TAM local authorization.

TAM local authentication and authorization

authentication-authorization exchange process is performed over the TACACS+ protocol.

Figure 2 TAM local authentication and authorization

LDAP authentication + TAM local authorization

Figure 3 LDAP authentication and TAM authorization

2 Device user authentication configuration

TAM supports the following authentication and authorization methods:

A login method and an authentication-authorization method work together to implement user

Configuring TAM local authentication and

Figure 4 Recommended TAM local authentication and authorization configuration procedure

Add an authorization scenario.

Add authorization command.

Add an authorization policy.

Add a device user.

Device is an element in an authorization scenario. Adding devices is a must to configure an

Figure 5 Entering the page for configuring devices

Adding an authorization scenario

Adding authorization command

Adding an authorization policy

Adding a device user

Figure 9 Entering the page for configuring a device user

Creating a TACACS+ scheme.

Creating a TACACS+ scheme

Configuring the PC of the device user

Configuring LDAP authentication + TAM local

Configuring an LDAP server

Add an authorization scenario.

Add authorization command.

Add an authorization policy.

Add an LDAP user.

Add an LDAP synchronization policy.