Configuring Local and Remote System Administrators

The Device > Administrators page lists the appliance administrators. Here you can:

  • Create new local administrators.

  • Configure the session timeout.

  • Limit login failure attempts.

  • Regenerate keys.

Administrators can also be defined in a remote RADIUS server and you can configure the appliance to allow them access. Authentication of those remotely defined administrators is done by the same RADIUS server.

Note - This page is available from the Device and Users & Objects tabs.

Administrator Roles:

  • Super Administrator - All permissions. Super Administrators can create new locally defined administrators and change permissions for others.

  • Read Only Administrator - Limited permissions. Read Only Administrators cannot update appliance configuration but can change their own passwords or run a traffic monitoring report from the Tools page.

  • Networking Administrator - Limited permissions. Networking Administrators can update or modify operating system settings. They can select a service or network object but cannot create or modify it.

  • Mobile Administrator - Mobile administrators are allowed all networking operations on all interfaces. They can change their own passwords, generate reports, reboot, change events and mobile policy, and perform active hosts operations and pairing. They cannot log in from or access the WebUI.

  • Remote Access Administrator - Limited permissions. Remote access administrators can manage the VPN remote access configuration. They can add, edit and delete VPN remote access users and servers.

  • Access Policy Administrator - Limited permissions. Access policy administrators can manage the Firewall settings; Applications and URL filtering settings; and the Firewall access policy. They can also create, edit, and delete network objects, services and custom applications.

Two administrators with write permissions cannot log in at the same time. If an administrator is already logged in, a message shows. You can choose to log in with Read-Only permission or to continue. If you continue the login process, the first administrator session ends automatically.

The correct Administrator Role must be configured to perform the operations listed below. If not, a Permission Error message shows.

Local Administrators

Remote Administrators

Note - In R81.10.10, Two-Factor Authentication is not supported when RADIUS or TACACS is configured for administrator access.

Configuring a RADIUS Server for non-local Quantum Spark Appliance users

Non-local users can be defined on a RADIUS server and not in the Quantum Spark Appliance. When a non-local user logs in to the appliance, the RADIUS server authenticates the user and assigns the applicable permissions. You must configure the RADIUS server to correctly authenticate and authorize non-local users.

Notes:

  • RADIUS server configuration may differ depending on the operating system on which the RADIUS server is installed.

  • If you define a RADIUS user with a null password (on the RADIUS server), the appliance cannot authenticate that user.

To log in as a Super User:

A user with super user permissions can use the Quantum Spark Appliance shell to do system-level operations, including working with the file system.

  1. Connect to the Quantum Spark Appliance platform over SSH or serial console.

  2. Log in to the Gaia Clish (the default shell of the Gaia CLI) with your user name and password.

  3. Run: expert

  4. Enter the Expert mode password.

Important:

  • To configure the Expert mode (Bash) as the default shell, run this command (not recommended):

    bashUser on

  • To configure the Gaia Clish as the default shell, run this command (recommended):

    bashUser off