Alcatel-Lucent 1665 DMX provides security capabilities to protect against unauthorized access to the system.
Five types of users, with tiered restriction levels, are allowed access to the system with a valid user ID and password:
Administrator users have access to all the security functional capabilities. Only privileged and administrator users have access to the security and access functions, which include assigning and changing user IDs and passwords for other users, setting target identifier (TID) names, resetting the system, and system initialization functions.
Privileged users can execute all commands and have access to all the system functional capabilities. A privileged user can terminate the login session of any other individual user (including other privileged users) or terminate all login sessions of non-privileged users.
General users have access to all the system functional capabilities except security, access, system initialization, and software installation functions.
Maintenance users can only execute commands that access the system, extract reports, and execute maintenance functions through a specific set of commands. Maintenance users cannot execute privileged commands.
Reports-only users can only execute commands that retrieve reports from the system.
Security can be set to a "lockout" state, which blocks non-privileged users from logging in to the system.
When the system is first initialized, three privileged default user IDs and passwords are provided. Up to 147 user IDs and passwords can be added, deleted, and/or changed by any of the privileged users. Timeouts are provisionable on a per-user basis.
The WaveStar® CIT always asks the user for the NE user ID and password on the first NE connection. The user ID and password can be saved for subsequent connections, but they cannot be saved past the current WaveStar® CIT session. User ID and password parameters must be administered on a per-NE basis: you may have a different user ID and/or password on one NE than you have on other NEs.
Each time the number of invalid sequential login attempts reaches or exceeds the provisionable user ID lockout threshold, the network element reports a Security Alert alarm.
The inactivity timeout period is the number of minutes after which a user with an inactive session is logged out. A provisionable inactivity timeout period is supported on a per-user basis.
The password aging interval is the number of days allowed before a user's password expires. When a user's password expires, the user is prompted to select a new password prior to login. The values for the password aging interval are zero (0) or a range from 7 to 999 days. A value of zero (0) disables password aging. The default value is 0. Password aging does not apply to privileged users' passwords.
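The following Python model is added here as an illustration; it is not code from the 1665 DMX software or its documentation. It shows how the three provisionable controls above interact: a Security Alert is reported each time the count of sequential invalid logins reaches or exceeds the per-user lockout threshold, an idle session is logged out once its per-user inactivity timeout elapses, and password aging follows the 0 / 7 to 999 day rule with the privileged-user exemption. The class and field names, the default threshold and timeout values, and resetting the failed-attempt counter on a successful login are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

PASSWORD_AGING_MIN, PASSWORD_AGING_MAX = 7, 999  # valid non-zero range in days


def valid_aging_interval(days: int) -> bool:
    """0 disables aging; any other value must lie in 7..999 days."""
    return days == 0 or PASSWORD_AGING_MIN <= days <= PASSWORD_AGING_MAX


@dataclass
class UserAccount:
    user_id: str
    password: str                        # cleartext only for this illustration
    privileged: bool = False
    lockout_threshold: int = 3           # assumed default; provisionable per user ID
    inactivity_timeout_min: int = 15     # assumed default; provisionable per user
    password_aging_days: int = 0         # 0 = aging disabled (the documented default)
    password_set: Optional[datetime] = None
    failed_attempts: int = 0             # sequential invalid logins since the last success
    last_activity: Optional[datetime] = None

    def __post_init__(self) -> None:
        if not valid_aging_interval(self.password_aging_days):
            raise ValueError(
                f"password aging interval {self.password_aging_days} is not 0 or 7..999")


def password_expired(acct: UserAccount, now: datetime) -> bool:
    """Aging never applies to privileged users and is disabled when the interval is 0."""
    if acct.privileged or acct.password_aging_days == 0 or acct.password_set is None:
        return False
    return now - acct.password_set >= timedelta(days=acct.password_aging_days)


class SecurityMonitor:
    """Collects the Security Alert alarms the network element would report."""

    def __init__(self) -> None:
        self.alarms: List[str] = []

    def attempt_login(self, acct: UserAccount, password: str, now: datetime) -> str:
        if password != acct.password:
            acct.failed_attempts += 1
            # reported at the threshold and again on every further sequential failure
            if acct.failed_attempts >= acct.lockout_threshold:
                self.alarms.append(
                    f"Security Alert: {acct.failed_attempts} invalid sequential "
                    f"login attempts for {acct.user_id}")
            return "invalid"
        acct.failed_attempts = 0           # assumption: a success ends the sequence
        if password_expired(acct, now):
            return "password-expired"      # a new password must be chosen before login
        acct.last_activity = now
        return "ok"

    def touch(self, acct: UserAccount, now: datetime) -> None:
        """Record activity on an established session."""
        acct.last_activity = now

    def expire_inactive(self, accounts: List[UserAccount], now: datetime) -> List[str]:
        """Log out every session idle for at least its per-user inactivity timeout."""
        logged_out = []
        for acct in accounts:
            if acct.last_activity is None:
                continue
            if now - acct.last_activity >= timedelta(minutes=acct.inactivity_timeout_min):
                acct.last_activity = None
                logged_out.append(acct.user_id)
        return logged_out
```

Note that the alarm fires on the attempt that reaches the threshold and on every attempt after it, which matches "each time ... reaches or exceeds"; a monitoring pipeline should therefore expect repeated alarms for one ongoing guessing attempt rather than a single event.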
The two default privileged user IDs initially installed in the WaveStar® CIT are LUC01 and LUC02 (LUC-zero-one and LUC-zero-two). Their associated passwords are LUC+01 and LUC+02 (LUC-plus sign-zero-one and LUC-plus sign-zero-two), respectively.
The three default privileged user IDs initially installed in the NE are LUC01, LUC02, and LUC03 (LUC-zero-one, LUC-zero-two, and LUC-zero-three). The default password for each is DMX2.5G10G.
When the network element is provisioned to use Remote Authentication Dial In User Service (RADIUS) authentication for user logins, any user login triggers the network element to query the designated RADIUS server(s) and act on the response.
The network element (RADIUS client) sends a RADIUS Access-Request packet to the RADIUS server via the IP network. The Access-Request packet contains the User-Name, User-Password, and the network element IP address. The User-Password is hidden (encrypted).
When the RADIUS server receives the Access-Request packet, it validates the sending RADIUS client. A RADIUS client and server must have a provisioned shared secret (the password shared between the RADIUS client and server). If the shared secret is not valid, the Access-Request packet is silently discarded without sending a response. If the shared secret is valid, the RADIUS server searches the user database. If the username is found and the password is correct, the RADIUS server returns an Access-Accept packet to the RADIUS client.
The Access-Accept packet informs the RADIUS client that the user’s login attempt is authenticated and authorized. No further local validation is required.
The Access-Reject packet informs the RADIUS client that the user’s login attempt is rejected due to invalid username and/or password.
If no response is returned within approximately 5 seconds to the RADIUS client, the Access-Request packet is re-sent one time. If the retry to the primary RADIUS server fails, the RADIUS client sends the Access-Request packet to the secondary RADIUS server (if provisioned).
If no response is received after retries to the primary and secondary RADIUS servers, the network element validates the user login using the local database.
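The exchange described above as a runnable Python model, added here as an illustration and not code from the 1665 DMX or from any RADIUS implementation. It hides User-Password with the RFC 2865 scheme (zero-padding, then XOR with an MD5 keystream seeded by the shared secret and the Request Authenticator), which is what "hidden (encrypted)" refers to: anyone who learns the shared secret recovers every password sent, so the secret's strength is the whole protection. The page does not say how the server validates the client's shared secret, so the example assumes an RFC 2869 Message-Authenticator (HMAC-MD5 keyed with the secret) and silently discards requests that fail it. The client then walks through one re-send per server, primary then secondary, and finally the local database. The transport is a plain function call, a server that never answers stands in for the 5-second timeout, and all names, addresses, and credentials are constructed.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

Response = Optional[str]   # "Access-Accept", "Access-Reject", or None = no response
Transport = Callable[["AccessRequest"], Response]


# --- RFC 2865 User-Password hiding -------------------------------------------
def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        hidden += block
        prev = block             # each block is chained on the previous ciphertext block
    return hidden


def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        keystream = hashlib.md5(secret + prev).digest()
        clear += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return clear.rstrip(b"\x00")


@dataclass
class AccessRequest:
    user_name: str
    hidden_password: bytes
    nas_ip: str                  # the network element's IP address
    authenticator: bytes         # 16 random bytes per request
    message_authenticator: bytes = b""


def message_authenticator(req: AccessRequest, secret: bytes) -> bytes:
    # Assumption: RFC 2869 Message-Authenticator, HMAC-MD5 keyed with the shared secret
    data = req.user_name.encode() + req.hidden_password + req.nas_ip.encode() + req.authenticator
    return hmac.new(secret, data, hashlib.md5).digest()


class RadiusServer:
    def __init__(self, clients: Dict[str, bytes], users: Dict[str, bytes]) -> None:
        self.clients = clients   # NAS IP -> provisioned shared secret
        self.users = users       # user database (cleartext only for the illustration)

    def handle(self, req: AccessRequest) -> Response:
        secret = self.clients.get(req.nas_ip)
        if secret is None or not hmac.compare_digest(
                message_authenticator(req, secret), req.message_authenticator):
            return None          # unknown client or bad shared secret: silently discarded
        password = unhide_password(req.hidden_password, secret, req.authenticator)
        if self.users.get(req.user_name) == password:
            return "Access-Accept"
        return "Access-Reject"   # invalid username and/or password


def no_response(_req: AccessRequest) -> Response:
    """A server that never answers within the timeout."""
    return None


class RadiusClient:
    TIMEOUT_SECONDS = 5          # wait per attempt, approximately 5 seconds
    RESENDS = 1                  # the request is re-sent one time per server

    def __init__(self, nas_ip: str, secret: bytes, servers: List[Transport],
                 local_users: Dict[str, str]) -> None:
        self.nas_ip, self.secret = nas_ip, secret
        self.servers = servers           # [primary, secondary] if a secondary is provisioned
        self.local_users = local_users   # fallback database on the network element

    def login(self, user: str, password: str) -> Tuple[bool, List[Tuple[str, int, Response]]]:
        auth = os.urandom(16)
        req = AccessRequest(user, hide_password(password.encode(), self.secret, auth),
                            self.nas_ip, auth)
        req.message_authenticator = message_authenticator(req, self.secret)
        trace: List[Tuple[str, int, Response]] = []
        for index, send in enumerate(self.servers):
            name = "primary" if index == 0 else "secondary"
            for attempt in range(1 + self.RESENDS):
                resp = send(req)   # a real client waits TIMEOUT_SECONDS for the UDP reply
                trace.append((name, attempt, resp))
                if resp is not None:
                    return resp == "Access-Accept", trace
        # No response from any server after retries: validate against the local database.
        trace.append(("local", 0, None))
        return self.local_users.get(user) == password, trace


if __name__ == "__main__":
    secret = b"ne-shared-secret"   # constructed
    server = RadiusServer({"10.0.0.5": secret}, {"oper1": b"Pa55word!"})
    ne = RadiusClient("10.0.0.5", secret, [server.handle, no_response], {"oper1": "Pa55word!"})
    print(ne.login("oper1", "Pa55word!"))
    print(RadiusClient("10.0.0.5", b"typo", [server.handle], {}).login("oper1", "Pa55word!"))
```

Two points the trace makes visible: a mistyped shared secret looks exactly like a dead server from the client's side (every attempt times out and the login silently falls back to the local database), and a reject from a live server ends the sequence immediately with no fallback, so the local database is consulted only when RADIUS is unreachable.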
Alcatel-Lucent 1665 DMX allows MAC locking on the LNW170. MAC locking prevents unauthorized users from gaining access to the network through an Ethernet port, thereby providing a level of security against intrusion attempts. MAC locking restricts access to a bridged Ethernet network by requiring that the source address of traffic entering a locked port be registered with that port. Any number of ports, LANs, VCGs, or link aggregation groups (LAGs) can be locked. Alcatel-Lucent 1665 DMX permits registering multiple addresses with a single entity.
November 2011 | Copyright © 2011 Alcatel-Lucent. All rights reserved.