In NSX-T Data Center 3.1, you can log in to NSX Manager using a local user account, a user account managed by VMware Identity Manager (vIDM), or a user account managed by a directory service such as Active Directory over LDAP or OpenLDAP. You can also assign roles to user accounts managed by vIDM or a directory service to implement role-based access control.
In addition, starting in NSX-T Data Center 3.1.1, two guest users have been introduced and can be used with the NSX Manager UI.
NSX Manager recognizes only system-generated session identifiers and invalidates session identifiers upon administrator logout or other session termination. Upon successful login, the NSX Manager uses a random number generator to create a random session ID and stores that ID in memory. When clients make requests to the NSX Manager, it only allows clients to authenticate if the session ID they present matches one of the IDs generated by the server. When any user logs out of NSX Manager, the session identifier is immediately destroyed and cannot be reused.
Access to NSX Manager via UI, API and CLI is subject to authentication and authorization. In addition, such access will generate audit logs. This logging is enabled by default and cannot be disabled. Auditing of sessions is initiated at system startup. Audit log messages include the text
audit="true" in the structured data part of the log message.
Local user passwords on NSX appliances are secured using the default Linux/PAM libraries which store the hashed and salted representation in /etc/shadow. NSX Manager uses the SHA512 cryptographic hash algorithm to hash the local user passwords. During authentication, the password entered by the user is obfuscated. Other passwords are encrypted using a random key that is stored in the local file system. For more details, see the VMware Security Hardening Guides or review the SHA512 Ubuntu MAN pages and the Internet FAQ titled "Understanding /etc/shadow file format on Linux."