Security

Capabilities

Alcatel-Lucent 1850 TSS-5 provides security capabilities to protect against unauthorized access to the system.

Two sets of capabilities are supported. One set of security capabilities is tied to the generic operating software on the SYSCTL circuit pack. A second set of security capabilities is tied to the software that supports the CLI on the VLNC40/VLNC42/VLNC42B/VLNC60/VLNC61/VLNC62/VLNC64 circuit packs.

User types

The operating software on the SYSCTL circuit pack allows access for four types of users (with tiered restriction levels) with a valid user ID and password:

Security can be set to a lockout state, which blocks non-privileged users from logging in to the system.

System initialization

When the system is first initialized, three privileged default user IDs and passwords are provided. Up to 147 user IDs and passwords can be added, deleted, and/or changed by any of the privileged users. Timeouts are provisionable on a per-user basis.

User IDs and passwords

The WaveStar® CIT always asks the user for the NE user ID and password with the first NE connection. The user ID and password can be saved for subsequent connections, but they cannot be saved past the current WaveStar® CIT session. User ID and password parameters must be administered on a per-NE basis. You may have a different user ID and/or password on one NE than you have on other NEs.

Each time the number of invalid sequential login attempts reaches or exceeds the provisionable user ID lockout threshold, the network element reports a Security Alert alarm.

Inactivity timeout period

The inactivity timeout period is the number of minutes after which a user with an inactive session is logged out. A provisionable inactivity timeout period is supported on a per-user basis.

Password aging

The password aging interval is the number of days allowed before a user's password expires. When a user's password expires, the user is prompted to select a new password prior to login. The values for the password aging interval are zero (0) or a range from 7 to 999 days. A value of zero (0) disables password aging. The default value is 0. Password aging does not apply to privileged users' passwords.

WaveStar® CIT default user IDs and passwords

The two default Privileged user IDs initially installed in the WaveStar® CIT are LUC01 and LUC02 (LUC-zero-one and LUC-zero-two). Their associated passwords are LUC+01 and LUC+02 (LUC-plus sign-zero-one and LUC-plus sign-zero-two), respectively.

NE default user IDs and passwords

The three default Privileged user IDs initially installed in the NE are ALU01, ALU02, and ALU03 (ALU-zero-one, ALU-zero-two, and ALU-zero-three). The default password is 1850TSS-5.

RADIUS authentication for user logins

When the network element is provisioned to use Remote Authentication Dial In User Service (RADIUS) authentication for user logins, any user login (provided the maximum number of logins has not been reached) triggers the network element to query the designated RADIUS server(s) and act on the response.

The network element (RADIUS client) sends a RADIUS Access-Request packet to the RADIUS server via the IP network. The Access-Request packet contains the User-Name, User-Password, and the network element IP address. The User-Password is hidden (encrypted).

When the RADIUS server receives the Access-Request packet, it validates the sending RADIUS client. A RADIUS client and server must have a provisioned shared secret (the password shared between the RADIUS client and server). If the shared secret is not valid, the Access-Request packet is silently discarded without sending a response. If the shared secret is valid, the RADIUS server searches the user database. If the username is found and the password is correct, the RADIUS server returns an Access-Accept packet to the RADIUS client.

The Access-Accept packet informs the RADIUS client that the user’s login attempt is authenticated and authorized. No further local validation is required.

The Access-Reject packet informs the RADIUS client that the user’s login attempt is rejected due to invalid username and/or password.

If no response is returned within approximately 5 seconds to the RADIUS client, the Access-Request packet is re-sent one time. If the retry to the primary RADIUS server fails, the RADIUS client sends the Access-Request packet to the secondary RADIUS server (if provisioned).

If no response is received after retries to the primary and secondary RADIUS servers, the network element validates the user login using the local database.
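The two client-side behaviours described in this section, modelled as an added example that is not Alcatel-Lucent code: the User-Password hiding that RFC 2865 defines (the "hidden (encrypted)" attribute above) and the primary/secondary/local-database retry sequence. The shared secret, Request Authenticator and `send`/`local_check` callbacks are constructed stand-ins; a timeout is represented by `send` returning `None`.

```python
"""RADIUS client behaviour: RFC 2865 User-Password hiding and the retry sequence."""
import hashlib
from typing import Callable, List, Optional, Sequence, Tuple


def hide_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 s5.2: pad with NULs to a multiple of 16 octets, then XOR each
    16-octet chunk with MD5(secret + previous chunk); the first 'previous chunk'
    is the 16-octet Request Authenticator. This is obfuscation keyed on the
    shared secret, not encryption of the RADIUS packet as a whole."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    hidden, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        chunk = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        hidden += chunk
        prev = chunk  # chaining: the next key depends on the ciphertext just produced
    return bytes(hidden)


def reveal_user_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_user_password, as the RADIUS server performs it."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 octets")
    plain, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        plain += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return bytes(plain).rstrip(b"\x00")


def authenticate_with_failover(send: Callable[[str], Optional[str]], servers: Sequence[str],
                               local_check: Callable[[], bool]) -> Tuple[str, str, List[str]]:
    """Retry sequence from the text: each server gets the Access-Request once plus
    one re-send on timeout (send() returns None), primary before secondary; if
    every attempt times out, fall back to the NE's local user database (hypothetical
    local_check stand-in). Returns (decision, source, attempt log)."""
    attempts: List[str] = []
    for server in servers:
        for _ in range(2):  # initial Access-Request plus a single re-send
            attempts.append(server)
            response = send(server)
            if response is not None:  # Access-Accept or Access-Reject ends the sequence
                return response, server, attempts
    return ("accept" if local_check() else "reject"), "local", attempts
```

Because the hiding is only MD5-keyed XOR with the shared secret, the strength of that secret and the protection of the path to the RADIUS server determine how much the User-Password is actually protected. The local-database fallback also means the NE's local accounts stay usable whenever both servers are unreachable, so they need the same password hygiene as the RADIUS accounts.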

Copyright © 2011 Alcatel-Lucent. All rights reserved.