Network Configuration Manager has a sophisticated, flexible mechanism for assigning credentials used for communicating with devices. Credentials include:

  • The device local username

  • The device local password

  • The device local privilege-access password

  • The device username and password(s) from TACACS

  • SNMP community strings (Read-Only and Read-Write)

  • Telnet and SSH terminal access

  • Out-of-band terminal access (for example, modem pools and terminal servers)

  • FTP and SCP file transfer access

Credentials can be created and managed independently from the devices they apply to. Multiple credentials can then be applied to an individual device, or groups of devices. This way, if a credential changes, the change can be propagated quickly and efficiently to all devices within a specific credential class.

Credentials can be created at the following levels:

  • Global, product level . These credentials are created and managed globally, and are available for assignment to any device that is managed by Network Configuration Manager on any Device Server, in any network.

  • Network level . These credentials are created and managed at the network level, and are available for assignment to any device within a specific network.  

here are four types of credentials:

  • Account. This credential specifies how to log into a device, for either a terminal session or a file transfer session. It contains a username, and a password.

  • Privilege Password . This credential specifies the password used to provide privileged access to a device.

  • SNMP v1/v2c . This credential is used to provide Read-Only and Read-Write access to SNMP.

  • SNMP v3 . This credential specifies the version of SNMP.

Each device can have four account credentials and a community string credential assigned to it. All access to the device (such as telnet, ftp, and SNMP) use these credentials. Additionally, the Account credential can have a privilege credential associated with it, which specifies additional validation necessary for privilege access.

Credentials are assigned to devices by selecting a group of devices (either a single device, an entire network, site, or view of devices, or some subset of devices), and applying a credential to those devices. Once the credential is assigned, changing any of the values in the credential (such as the username or password) applies that change to all assigned devices.

Out-of-Band Communications

In addition to the normal credentials, a separate set of credentials can be applied to Out-of-Band communications. If a device has an Out-of-Band communications mechanism that requires authentication (such as using a terminal server), then a separate account credential can be assigned to the device for use in this authentication. This is a separate credential used to connect to the terminal server , and is different than the device credential.

Cut-Through Communications

Finally, you can configure credentials to use for devices when cut-through communications is used. Cut-through communication is the ability to establish a telnet or SSH session directly with the device; running a telnet client on your client machine. This allows you to communicate directly with the device with standard auditing and traceability.

When you establish the Cut-through connection, the system automatically logs you onto the selected device, either in privileged or non-privileged mode. To do this, an account credential (with optionally, an associated privilege credential) must be available.

You can choose different credentials to authenticate the Cut-through session - depending on the Jobs Credentials Configuration selected.

  • Primary device credential. This causes Cut-through to connect to the device using the primary account credential (with optionally, an associated privileged credential). Permission to complete this action is provided within the security subsystem of Network Configuration Manager. This mode allows a device to have a single user configured that is used for all communications, and allows Network Configuration Manager to provide the per-user authentication needed.  

  • User Account. This causes Cut-Through to use the credentials assigned to the user themselves (the credentials they use to log into the Network Configuration Manager system) to authenticate to the device. This mode is very convenient if both the device and Network Configuration Manager are configured to use an authentication server, such as TACACS. This allows the device to better provide controlled access during the Cut-through session to internal capabilities, based on the user's TACACS credentials.  

  • User Prompted .This prompts you for credentials (Username, Password and Privilege Password) when accessing the device.

Auto Discovery

 

When auto discovery is configured, a series of credentials can be assigned to the auto discovery job.

When auto discovery finds a new device , it attempts to authenticate the credentials, one-by-one, in order, until a credential is found that communicates to the device. This credential is then automatically assigned to that device. A device may associate either an account credential, an SNMP credential, or both to each device during an auto discovery job.