Settings

The Settings area of the Admin Console is the location to store and update settings required for various features of SCI.

Controller Settings

Figure 1. Controller Settings

To add a controller, click the Add button in the upper right of the Settings screen; a drop-down menu appears for you to select the controller type, as shown in the figure below.

Figure 2. Adding a New Controller Popup
Note: For instructions on adding the different types of controllers as well as instructions on deleting or editing controllers, refer to the SmartCell Insight Installation Guide, "Configuring SCI" chapter, "Adding and Managing Controllers" section.

SMTP Settings

SCI requires certain settings to enable different areas of the functionality. These settings are listed in this section.

Figure 3. SMTP Settings

You can configure the SMTP mail server to send or receive e-mail messages to or from SCI. The SMTP settings section contains the configuration details:

  • Host: Enter the name of the host. The system now checks the SMTP connectivity and displays an error if the authentication is not successful.
  • Port: Enter the port number.
  • Username: Enter the user name required to access the SMTP mail server.
  • Password: Enter the password required to access the SMTP mail server.
  • Encryption: Select the encryption method from the drop-down list. You can also disable encryption by selecting Disabled from the drop-down list.
  • From email: Enter the email ID that the messages are sent from.

To save your changes, click Update.

You can test your settings by sending a test email. Follow these steps:

  1. After you have configured SMTP and saved your changes, click Send Test Email. The following popup should appear:
    Figure 4. Send Test Email Popup
  2. Click Send.
  3. Check that you receive an email to confirm that SMTP is working properly. The subject of the email that you receive should be: "Test email from your Ruckus SmartCell Insight." The body of the email should be: " Hi there, this is a test email."
Note: You should receive the email almost instantly. The email will be sent to the email address that is configured in the My Account screen > Profile section, which you open by clicking on the admin icon in the upper right of the SCI user interface, as shown in the following figure:
Figure 5. Email Address to Receive SMTP Test Email Reply from Ruckus

Data Retention

You can configure the time, in months, that you want SCI to retain all your raw and indexed data.

By default, this setting is 12 months, as shown in the screen below:

Figure 6. Data Retention section of Admin Dashboard

This means that SCI will delete any data older than 12 months. This action takes place on the 1st of each month.

If you want to change the data-retention time, follow the example steps below:

  1. Slide the bar to the desired time in months (from 1 to 60) for which you want to retain data. For example, if you want to retain data for 22 months, slide the bar as follows:
    Figure 7. Retaining Data for 22 Months
  2. Click Update. A confirmation popup appears:
    Figure 8. Data Retention Confirmation Popup window
  3. Click Confirm. SCI will now delete data older than 22 months, starting on the first of the upcoming month.
Note: Once data is deleted from SCI, the data cannot be recovered.

Instantly Pruning Old Data

If you need to purge data immediately instead of waiting until the first of the month, run the following script as root user:

sudo /root/cronscripts/prune-data.sh

The length of time that the script runs depends on the amount of data to remove. Any data older than the data-retention period specified in Admin > Settings of the SCI user interface is immediately purged.

Authentication Tab on the SCI UI

The Authentication tab of the Admin > Settings screen lets you set whether you want local SCI users or external AAA server users to authenticate to SCI. You can also add new external servers from the Authentication tab. The following figure shows this tab if there are already some configured external servers (the IP addresses are just example values):

Figure 9. Authentication Tab Main Page Example

By default, only users local to the SCI are authenticated.

Before you add external servers, there are certain steps you need to perform on the external server. Depending on whether the external server is RADIUS, TACACS+, or Cisco ACS, see the subsections below for how to add users, roles, and resource groups.
Note: If you add users and roles via external server configuration, this is indicated in Figure 2.

Configuration to Perform on External AAA RADIUS Server:

  1. Add the SCI server as a RADIUS client, specifying the AAA client name, IP address, shared secret, and other parameters.
  2. If you are using the Ruckus dictionary file for vendor-specific attributes, install a new Ruckus dictionary file (or update the existing file) with the following attributes:
    • ATTRIBUTE, Ruckus-SCI-Role, 200, string
    • ATTRIBUTE, Ruckus-SCI-Resource-Group, 201, string
  3. Configure an authentication policy with the following objectives:
    • Allow authentication from the SCI server.
    • Define the valid users and user groups.
    • Configure vendor-specific return attributes for the Ruckus-SCI-Role and Ruckus-SCI-Resource-Group, which map the RADIUS user into SCI privilege sets.
Note: As with SCI, one user is associated with one resource group and one role only. There are three roles.

Sample Configuration Using FreeRADIUS for External AAA RADIUS Authentication:

  1. Using SSH, log in to the FreeRADIUS server.
  2. Enter CLI mode.
  3. The AAA administrator should add two new attributes to dictionary.ruckus, as shown below:
    vi /usr/share/freeradius/dictionary.ruckus
    
    ATTRIBUTE   Ruckus-SCI-Role               200    string
    ATTRIBUTE   Ruckus-SCI-Resource-Group     201    string
    
  4. Add all users, their roles and their resource groups:
    vi /etc/freeradius/3.0/users
    
    aaaadmin Cleartext-Password := "admin123"
            Reply-Message = "Hello Admin",
            Ruckus-SCI-Role = admin,
            Ruckus-SCI-Resource-Group = Default
    
    aaagroupadmin Cleartext-Password := "admin123"
            Reply-Message = "Hello Group Admin",
            Ruckus-SCI-Role = groupadmin,
            Ruckus-SCI-Resource-Group = AAA_MLISA
    
    aaaview Cleartext-Password := "admin123"
            Reply-Message = "Hello User",
            Ruckus-SCI-Role = view-only,
            Ruckus-SCI-Resource-Group = AAA_VIDEO54
    
  5. Configure the SCI server IP that you wish to authenticate with the FreeRADIUS server:
    
    vi /etc/freeradius/3.0/clients.conf
    
    client all {
            ipaddr = 0.0.0.0/0
            secret = testing123
    }
    
  6. After adding the above configuration, restart FreeRADIUS by running the following command:
    service freeradius restart
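
The sample above registers a client that accepts requests from any address using the sample secret, and gives every user the same password. As an added example (not part of the Ruckus documentation), the Python script below audits a clients.conf and a users file for those conditions and for the one-role, one-resource-group rule noted earlier. The function names, the 16-character minimum, the `client sci` entry and its 192.0.2.10 address are assumptions made for illustration.

```python
import ipaddress
import re

SCI_ROLES = {"admin", "groupadmin", "view-only"}  # role values in this page's samples
SAMPLE_SECRETS = {"testing123"}                   # secret shown in the page's sample
MIN_SECRET_LEN = 16                               # assumption: local policy, not an SCI rule
# Constructed input: the page's wildcard client beside a scoped one (placeholder IP).
CLIENTS_CONF = """
client all {
        ipaddr = 0.0.0.0/0
        secret = testing123
}
client sci {
        ipaddr = 192.0.2.10
        secret = constructed-long-random-value-01
}
"""
# Constructed input: two users from the page's sample, one given a mistyped role.
USERS = """
aaaadmin Cleartext-Password := "admin123"
        Ruckus-SCI-Role = admin,
        Ruckus-SCI-Resource-Group = Default

aaaview Cleartext-Password := "admin123"
        Ruckus-SCI-Role = viewonly,
        Ruckus-SCI-Resource-Group = AAA_VIDEO54
"""

def audit_clients(text):
    findings = []
    for name, body in re.findall(r"client\s+(\S+)\s*\{(.*?)\}", text, re.S):
        kv = dict(re.findall(r"^\s*(\w+)\s*=\s*(\S+)", body, re.M))
        net = ipaddress.ip_network(kv.get("ipaddr", "0.0.0.0/0"), strict=False)  # no ipaddr: unscoped
        if net.num_addresses > 1:
            findings.append((name, "ipaddr covers more than one host"))
        secret = kv.get("secret", "")
        if secret in SAMPLE_SECRETS or len(secret) < MIN_SECRET_LEN:
            findings.append((name, "weak or sample shared secret"))
    return findings

def audit_users(text):
    findings, by_password = [], {}
    for entry in re.split(r"\n\s*\n", text.strip()):
        user = entry.split()[0]
        for attr in ("Ruckus-SCI-Role", "Ruckus-SCI-Resource-Group"):
            if len(re.findall(rf"^\s+{attr}\s*=", entry, re.M)) != 1:
                findings.append((user, f"needs exactly one {attr}"))
        role = re.search(r'Ruckus-SCI-Role\s*=\s*"?([\w-]+)', entry)
        if role and role.group(1) not in SCI_ROLES:
            findings.append((user, f"unknown role {role.group(1)}"))
        for pw in re.findall(r'Cleartext-Password\s*:=\s*"([^"]*)"', entry):
            by_password.setdefault(pw, []).append(user)
    findings += [(",".join(u), "shared password") for u in by_password.values() if len(u) > 1]
    return findings
```

On the constructed input, both findings for clients.conf point at `client all`, and the scoped `client sci` entry passes.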

Configuration to Perform on External AAA TACACS+ Server:

  1. Identify the TACACS administrators who need SCI administration privileges, and then create an admin group (or reuse an existing group).
  2. Assign the SCI administrators to the SCI admin group on the TACACS server.
  3. Within the TACACS SCI admin group, configure the SCI service (service = sci-resource-group) and map the Ruckus RBAC attributes (e.g. Ruckus-SCI-Role = admin; Ruckus-SCI-Resource-Group = Default).

Sample Configuration For External AAA TACACS+ Authentication:

  1. Using SSH, log in to the TACACS+ server.
  2. Enter CLI mode.
  3. Open the configuration file in vi:
    vi /etc/tacacs+/tac_plus.conf
  4. Create a group:
    group = admins {
            
    }
    
  5. Add a service, role, and mgmt-devicegroups to the group you created above, as follows:
    service = sci-resource-group {
                Ruckus-SCI-Role = admin
                Ruckus-SCI-Resource-Group = Default
            }
    
  6. If needed, create additional groups and add a service, role, and mgmt-devicegroups to the group, as you did previously.
  7. Create a user, associate the user with the correct group, and create a user password, as shown below:
    user = aaaadmin {
           member = admins
           global = cleartext admin123
    }
    
  8. The final configuration should now appear as follows:
    vi /etc/tacacs+/tac_plus.conf
    
    group = admins {
            service = sci-resource-group {
                Ruckus-SCI-Role = admin
                Ruckus-SCI-Resource-Group = Default
            }
    }
    
    user = aaaadmin {
           member = admins
           global = cleartext admin123
    }
    
    group = groupadmins {
            service = sci-resource-group {
                Ruckus-SCI-Role = groupadmin
                Ruckus-SCI-Resource-Group = AAA_MLISA
            }
    }
    
    user = aaagroupadmin {
           member = groupadmins
           global = cleartext admin123
    }
    
    group = view-only {
            service = sci-resource-group {
                Ruckus-SCI-Role = view-only
                Ruckus-SCI-Resource-Group = AAA_VIDEO54
            }
    }
    
    user = aaaview {
           member = view-only
           global = cleartext admin123
    }
    
  9. Restart the TACACS+ server by running the command:
    service tacacs+ restart
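
TACACS+ users receive their SCI role only through group membership, so a user whose `member` value does not match a defined group resolves to no Ruckus-SCI attributes in the file. As an added example (not part of the Ruckus documentation), this Python script resolves each user in a tac_plus.conf to the role and resource group its group carries and notes passwords stored in cleartext. The function names and the `aaatypo` user are constructed for illustration.

```python
import re

# Constructed input modelled on the page's final tac_plus.conf, plus a user
# (aaatypo) whose member value names a group that is never defined.
TAC_PLUS_CONF = """
group = admins {
        service = sci-resource-group {
            Ruckus-SCI-Role = admin
            Ruckus-SCI-Resource-Group = Default
        }
}
user = aaaadmin {
       member = admins
       global = cleartext admin123
}
group = view-only {
        service = sci-resource-group {
            Ruckus-SCI-Role = view-only
            Ruckus-SCI-Resource-Group = AAA_VIDEO54
        }
}
user = aaaview {
       member = view-only
       global = cleartext admin123
}
user = aaatypo {
       member = admin
       global = cleartext admin123
}
"""

def top_level_blocks(text):
    """Yield (kind, name, body) for every 'group = x { ... }' or 'user = x { ... }'."""
    for m in re.finditer(r"^[ \t]*(group|user)\s*=\s*(\S+)\s*\{", text, re.M):
        depth, i = 1, m.end()
        while depth and i < len(text):  # walk to the brace that closes this block
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        yield m.group(1), m.group(2), text[m.end():i - 1]

def effective_privileges(text):
    """Map user -> (role, resource_group, cleartext_password); None = unresolved."""
    bodies = {"group": {}, "user": {}}
    for kind, name, body in top_level_blocks(text):
        bodies[kind][name] = body
    result = {}
    for user, body in bodies["user"].items():
        member = re.search(r"member\s*=\s*(\S+)", body)
        group_body = bodies["group"].get(member.group(1), "") if member else ""
        svc = re.search(r"service\s*=\s*sci-resource-group\s*\{(.*?)\}", group_body, re.S)
        attrs = dict(re.findall(r"(Ruckus-SCI-[\w-]+)\s*=\s*(\S+)", svc.group(1) if svc else ""))
        result[user] = (attrs.get("Ruckus-SCI-Role"), attrs.get("Ruckus-SCI-Resource-Group"),
                        bool(re.search(r"=\s*cleartext\b", body)))
    return result
```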

Configuration to Perform on Cisco ACS Server:

  1. To configure ACS to accept connections from SCI, click Network Devices and AAA Clients on the Cisco ACS configuration screen shown below:
    Figure 10. Invoking Network Devices and AAA Clients Configuration
  2. In the Network Devices and Clients screen (shown below):
    1. Enter the name.
    2. Enter the IP address of the SCI.
    3. Select either RADIUS or TACACS+ from the drop-down list.
    4. Click Submit.
    Figure 11. Network Devices and Clients Configuration Screen
  3. To create AAA users, click Users in the left pane of the Create Users screen (shown below), and do the following:
    1. Enter the Name.
    2. Enter the password.
    3. Confirm the password.
    4. Click Submit.
    5. Repeat the preceding steps to add more users.
    Figure 12. Creating Users Configuration Screen
  4. Install a new Ruckus dictionary file or update an existing dictionary with the following attributes to create the Ruckus-SCI-Role (see figure below):
    1. Attribute: Ruckus-SCI-Role
    2. Vendor Attribute ID: 25053
    3. Attribute Type: String
    4. Click OK.
    Figure 13. Creating the Ruckus-SCI-Role
  5. Install a new Ruckus dictionary file or update an existing dictionary with the following attributes to create the Ruckus-SCI-Resource-Group (see figure below):
    1. Attribute: Ruckus-SCI-Resource-Group
    2. Vendor Attribute ID: 25053
    3. Attribute Type: String
    4. Click OK.
    Figure 14. Creating the Ruckus-SCI-Resource-Group
  6. Go to the Create RADIUS Authorization Profiles screen (shown below).
    Figure 15. Create RADIUS Authorization Profiles Screen
    1. Enter RadiusAdmin in the Name field.
    2. In the RADIUS Attributes tab, select RADIUS-RUCKUS from the Dictionary Type drop-down list, then, for the RADIUS Attribute, select Ruckus-SCI-Role (see screen below), and enter admin for the Attribute Value.
      Figure 16. Selecting Ruckus-SCI-Role
    3. Still in the RADIUS Attributes tab, for the RADIUS Attribute, select Ruckus-SCI-Resource-Group (see screen below), and enter Default for the Attribute Value.
      Figure 17. Selecting Ruckus-SCI-Resource-Group
    4. Check that the Create RADIUS Authorization Profiles screen now shows the added attributes:
      Figure 18. Added Attributes Now Appearing on Authorization Profiles Screen
    5. Click Submit.
    6. Repeat the steps you followed when you created the RadiusAdmin authorization profile to create profiles for RadiusGroupAdmin and RadiusView, listed on the screen below:
      Figure 19. RadiusGroupAdmin and RadiusView Profiles Must Also Be Created
  7. Create access policies for RADIUS:
    1. Go to Authorization, click the Customize button on the far right, then select System:Username, and click OK:
      Figure 20. Selecting System:Username Customization
    2. Click the Create button (just to the left of the popup shown below), then configure the popup with the values shown ("Name" can be anything you want), then click OK:
      Figure 21. Configuring a Rule
    3. Repeat the steps that you followed for creating aaaadmin to create policies for aaagroupadmin and aaaview, which are listed on the screen below:
      Figure 22. Authorization Policy Screen
  8. Create TACACS+ shell profiles:
    1. Go to Shell Profiles (shown below):
      Figure 23. Creating Shell Profiles
    2. In the Attribute field, enter Ruckus-SCI-Role.
    3. For the Attribute value, enter admin.
    4. Click Add.
    5. In the Attribute field, enter Ruckus-SCI-Resource-Group.
    6. For the Attribute value, enter Default.
    7. Click Add.
    8. Check that both shell profiles have been added to the Shell Profile Create screen, shown below, then click Submit.
      Figure 24. Shell Profile Create Screen
  9. Configure access policies to enable TACACS+:
    1. Go to Default Device Admin > Authorization (see the highlighted areas on the left pane of the screen below):
      Figure 25. Configuring Access Policies
    2. Click the Customize button in the lower right of the screen to invoke the popup that is shown above, then select System:Username, then click OK.
  10. Create an authorization rule:
    1. Still in the Authorization area, click Create to invoke the popup shown below:
      Figure 26. Creating an Authorization Rule
    2. Enter a descriptive name of your choice in the Name field, and configure the settings with the values shown above to create a rule for aaaadmin.
    3. Click OK.
    4. Create rules for aaagroupadmin and aaaview by repeating the steps you just performed for aaaadmin.
  11. Enable the AAA server by performing the steps listed below the figure:
    Figure 27. Enabling the AAA Server
    1. Click Service Selection Rules (highlighted above in the left pane).
    2. For Service, select either:
      • "Default Device Admin" to enable TACACS+
      • "Default Network Access" to enable RADIUS
    3. Click Save Changes.

Adding an External Server:

  1. To add an external AAA server for user authentication, navigate to Admin > Settings in the SCI UI, and click the Authentication tab:
    Figure 28. Authentication Tab
    Note: Config Name (in the figure above) is not used by SCI, but is a descriptive name that the administrator of the external server configured to help identify the server.
  2. Click Create.
  3. Configure the external server information, an example of which is shown below:
    Figure 29. Creating an External Server
    • Name: The name of the external AAA server that you can choose to activate.
    • Type: RADIUS or TACACS+. Select the proper value for the external server.
    • Protocol: For a RADIUS server, this value can be either PAP or CHAP. For a TACACS+ server, the only choice for protocol is ASCII. Make sure the value matches that of the external server.
      Note: The protocol must be the same for the secondary server as for the primary server.
    • Server: The IP address of the external server.
    • Port: Must match the port being used for authentication on the external server. Default is 1812 for RADIUS and 49 for TACACS+.
    • Secret: The secret key that has been configured on the server to allow communication between the server and SCI; must match exactly the secret that has been configured on the external server.

    Test AAA Server Connection:

    To test the AAA configuration, perform the following steps:

    1. Enter the username and password (used only for test-connection purposes) that are configured on the AAA server (RADIUS or TACACS+).

    2. Select "Primary" for validating the connection with primary-server details, then click Test.

    3. If secondary server details are provided, then select "Secondary" for validating the connection with secondary-server details, then click Test.

    Note: The secondary server is an optional standby server, which is tried only when the primary server is not reachable after 3 retries.

Selecting an External Server for User Authentication:

To select one specific external AAA server for SCI user authentication, follow these steps:

  1. From the Authentication Type drop-down list, select External:
    Figure 30. Selecting the External Authentication Type
  2. Click the External Server(s) drop-down list to view all configured external servers. The figure below shows such an example:
    Figure 31. Configured External Servers in the Drop-Down List
  3. From this drop-down list, select the external server from which users must be authenticated. You can select only one such server. If a user is not associated with that server, that user cannot be authenticated and will not be able to log in to SCI.
    Figure 32. Selecting the External Server from the Drop-Down List
  4. Once you have selected the desired external server ("Radius" in the example above), click Update. You will need to confirm a pop-up message that you wish to continue because all active sessions will be invalidated. At next login, the status "ACTIVE" appears for the corresponding external server, as shown below:
    Figure 33. "ACTIVE" Appears in Status Column for Selected External Server
  5. (Optional) To edit or delete an external server, check the box for the server, then use the Edit or Delete buttons as desired.
Note: If you want to revert to only local SCI users being authenticated, select "Local" from the Authentication Type drop-down list, then click Update. You will need to confirm a pop-up message that you wish to continue because all active sessions will be invalidated.

Notes about the "admin" user:

The "admin" user is always authenticated locally and serves as a fallback user, so that the admin can still log in and make changes if the external server is not reachable. The "admin" user cannot be deleted or renamed.