Procedure 5-4.10: User accounts, logins, and authentication

- Overview

Use this procedure to:

  • Create new user accounts or reconfigure an existing account.

  • Configure user authentication lists to validate switch or port access.

  • Assign users to login lists used for authentication.

Each configured user is assigned to a login list that specifies how the user should be authenticated when attempting to access the switch or a port on the switch. After creating a new user account on the User Account screen, you should assign that user to a login list for the switch and, if necessary, to a login list for the ports using the Port Access Control User Login Configuration screen.

Step
 
1

Log in to the VLNC4x/VLNC6x.


2

Refer to the subsections that follow (User Accounts, Authentication List Configuration, Login Session, Authentication List Summary, User Login, and Authentication Login List Summary) as required for configuration.


End of steps

User Accounts

The system has two default users: admin and guest. The admin user can view and configure system settings, and the guest user can only view settings. The admin user cannot be deleted, and admin is the only user allowed read/write privileges. By default, both of these accounts have blank passwords, so set a password on both admin and guest before the switch is reachable from a management network. The names are not case sensitive. There can be up to five read-only users on the system.

Step
 
1

From the Navigation menu, select System → Configuration → User Accounts.

Result:

The User Accounts window displays the current configuration.


2

In the User drop-down box, select Create to create a new user, or select an existing user that you want to change or delete. Create is available only while fewer than the maximum of five 'Read Only' accounts exist.


3

Enter/Select the following parameters as required, then click Submit to create or change an existing account. Click Delete to delete a user account.

Parameters:

  • User Name — Enter the name you want to give to the new account if you are creating a new account. User names are up to eight characters in length and are not case sensitive. Valid characters include all the alphanumeric characters as well as the dash ('-') and underscore ('_') characters. User name "default" is not valid.

    Up to six user names can be defined. The user name is not case sensitive when you add and delete users, or when a user logs in. However, when you use the user name to set the user password, authentication, or encryption, you must enter the user name in the same case that was used when it was created.

  • Password — Enter the optional new or changed password for the account. It will not display as it is typed, only asterisks (*) will show. Passwords are up to eight alphanumeric characters in length, and are case sensitive.

  • Confirm Password — Enter the password again, to confirm that you entered it correctly. The characters are not displayed as typed; asterisks (*) are shown instead.

  • Access Mode — Display only. Indicates the user's access mode. The admin account always has 'Read/Write' access, and all other accounts have 'Read Only' access.

SNMP v3 User Configuration — You should use this menu if you are using the SNMPv3 protocol for access to the switch. If you want to use SNMPv1 and SNMPv2c you should use the SNMP menu.

  • SNMP v3 Access Mode — Display only. Indicates the SNMPv3 access privileges for the user account. The admin account always has 'Read/Write' access, and all other accounts have 'Read Only' access.

  • Authentication Protocol — Specifies the SNMPv3 Authentication Protocol setting for the selected user account. The valid Authentication Protocols are None, MD5 or SHA. If you select None, the user will be unable to access the SNMP data from an SNMP browser. If you select MD5 or SHA, the user login password is used as the SNMPv3 authentication password, so you must specify a password, and it must be exactly eight characters long. Prefer SHA over MD5 unless an existing manager supports only MD5, and remember that a weak login password also weakens SNMPv3 authentication for that user.

  • Encryption Protocol — Specifies the SNMPv3 Encryption Protocol setting for the selected user account. The valid Encryption Protocols are None or DES. If you select the DES Protocol you must enter a key in the Encryption Key field. If None is specified for the Protocol, the Encryption Key is ignored. DES is the only privacy option offered and is weak by current standards, so restrict SNMPv3 access to trusted management networks rather than relying on the encryption alone.

  • Encryption Key — If you selected DES in the Encryption Protocol field enter the SNMPv3 Encryption Key here. Otherwise this field is ignored. Valid keys are 8 to 64 characters long. The Apply checkbox must be checked in order to change the Encryption Protocol and Encryption Key.

Equivalent CLI commands

See User account commands under Management commands in the Alcatel-Lucent 1850 Transport Service Switch (TSS-5) Command Line Interface Guide.

Equivalent CLI commands from the Global Config Mode:

  • users name <username>

  • users passwd <username>.

  • users snmpv3 authentication <username> {none | md5 | sha}.

  • users snmpv3 encryption <username> {none | des [key]}.
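The rules above (name and password limits, the eight-character password required by MD5/SHA, the 8 to 64 character DES key, the five read-only and six total user limits) are easy to get wrong when several accounts are planned at once. The following script, added here as an example and not Alcatel-Lucent code, checks a planned account set against those rules and prints the Global Config commands listed above. The PLANNED accounts are constructed sample input, and the dictionary keys (name, password, snmp_auth, snmp_priv, priv_key) are this script's own naming. The one rule not taken from this page is that SNMPv3 does not define a privacy-without-authentication level (RFC 3414), so DES with authentication None is flagged.

```python
"""Audit a planned VLNC4x/VLNC6x user-account set against the limits on this
page and emit the equivalent Global Config CLI lines.  Added example, not
Alcatel-Lucent code; PLANNED and the dictionary keys are constructed."""
import re

MAX_READ_ONLY = 5                                  # "up to five read-only users"
MAX_USERS = 6                                      # admin plus the five read-only users
NAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,8}$")      # alphanumeric, '-', '_'; max 8
PASSWORD_RE = re.compile(r"^[A-Za-z0-9]{0,8}$")    # alphanumeric; max 8; may be blank
SNMP_AUTH = ("none", "md5", "sha")
SNMP_PRIV = ("none", "des")
DEFAULT_USERS = {"admin", "guest"}                 # present before any configuration


def validate_account(acct):
    """Problems with a single account (an empty list means it passes)."""
    problems = []
    name = acct.get("name", "")
    pw = acct.get("password", "")
    auth = acct.get("snmp_auth", "none")
    priv = acct.get("snmp_priv", "none")

    if not NAME_RE.match(name):
        problems.append(f"{name!r}: user name must be 1-8 alphanumeric, '-' or '_' characters")
    if name.lower() == "default":                   # reserved for the Non-configured user
        problems.append("'default' is not a valid user name")
    if not PASSWORD_RE.match(pw):
        problems.append(f"{name}: password must be at most 8 alphanumeric characters")
    elif pw == "":
        problems.append(f"{name}: blank password (the factory default) - set one")
    if auth not in SNMP_AUTH:
        problems.append(f"{name}: SNMPv3 authentication must be one of {SNMP_AUTH}")
    elif auth != "none" and len(pw) != 8:
        # The login password doubles as the SNMPv3 authentication password and
        # must then be exactly eight characters long.
        problems.append(f"{name}: SNMPv3 {auth} needs an 8-character login password")
    if priv not in SNMP_PRIV:
        problems.append(f"{name}: SNMPv3 encryption must be one of {SNMP_PRIV}")
    elif priv == "des":
        if not 8 <= len(acct.get("priv_key", "")) <= 64:
            problems.append(f"{name}: DES encryption key must be 8-64 characters")
        if auth == "none":
            # Not from this page: SNMPv3 USM (RFC 3414) has no privacy-without-
            # authentication security level, so this combination is unusable.
            problems.append(f"{name}: DES encryption requires MD5 or SHA authentication")
    return problems


def validate_accounts(accounts):
    """Per-account problems plus the set-wide limits (count, duplicates, admin)."""
    problems = [p for a in accounts for p in validate_account(a)]
    names = [a.get("name", "").lower() for a in accounts]   # names are not case sensitive
    if "admin" not in names:
        problems.append("admin is missing; it exists on every switch and cannot be deleted")
    for dup in sorted({n for n in names if names.count(n) > 1}):
        problems.append(f"{dup!r}: duplicate user name (names differing only in case collide)")
    if len(names) > MAX_USERS:
        problems.append(f"{len(names)} users exceeds the limit of {MAX_USERS}")
    read_only = [n for n in names if n != "admin"]           # everything but admin is Read Only
    if len(read_only) > MAX_READ_ONLY:
        problems.append(f"{len(read_only)} read-only users exceeds the limit of {MAX_READ_ONLY}")
    return problems


def cli_for_account(acct):
    """Global Config commands from this page for one account.  The name is
    written in the case it was created with, as the page requires."""
    name = acct["name"]
    cmds = []
    if name.lower() not in DEFAULT_USERS:            # admin and guest already exist
        cmds.append(f"users name {name}")
    if acct.get("password"):
        # The page shows no password argument, so the password is supplied at
        # the prompt after this command (assumption about the CLI's behaviour).
        cmds.append(f"users passwd {name}")
    cmds.append(f"users snmpv3 authentication {name} {acct.get('snmp_auth', 'none')}")
    if acct.get("snmp_priv", "none") == "des":
        cmds.append(f"users snmpv3 encryption {name} des {acct['priv_key']}")
    else:
        cmds.append(f"users snmpv3 encryption {name} none")
    return cmds


PLANNED = [  # constructed sample plan; two of the entries are deliberately wrong
    {"name": "admin", "password": "Adm1nPw8", "snmp_auth": "sha",
     "snmp_priv": "des", "priv_key": "k3y-for-des-priv"},
    {"name": "guest", "password": ""},                       # still blank
    {"name": "noc_ro", "password": "Noc1Pass", "snmp_auth": "md5"},
    {"name": "default", "password": "Audit1"},               # reserved name
]

if __name__ == "__main__":
    for problem in validate_accounts(PLANNED):
        print("PROBLEM:", problem)
    for acct in PLANNED:
        print("\n".join(cli_for_account(acct)))
```

Run it against the real plan before touching the switch; the two flagged entries in the sample (a blank guest password and the reserved name default) are exactly the kind of mistake that the web form only reports one submit at a time.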


End of steps

Authentication List Configuration

Used to configure login lists. A login list specifies the authentication method(s) you want used to validate switch or port access for the users associated with the list. The pre-configured users, admin and guest, are assigned to a pre-configured list named defaultList, which you may not delete or change. All newly created users are also assigned to the defaultList until you specifically assign them to a different list. Up to 10 Authentication lists can be configured in the system.

Equivalent CLI command: authentication login <listname> | method1 | method2 | method3.

Step
 
1

From the Navigation menu, select System → Configuration → Authentication List Configuration.

Result:

The Authentication List Configuration window displays the current configuration.


2

From the Authentication List dropdown box, select Create to define a new login list or select the authentication login list you want to configure or delete.


3

If you are creating a new login list, enter the name you want to assign in the Authentication List Name box, then click Submit. The name can be up to 15 alphanumeric characters long and is not case sensitive. When you create a new login list, local is set as the initial authentication method.

If you are deleting a login list, click Delete. The delete will fail if the selected login list is assigned to any user (including the default user) for system login or IEEE 802.1x port access control. You can only use this button if you have Read/Write access. The change will not be retained across a power cycle unless you perform a save.


4

To configure a new or existing login list, select the list from the Authentication List dropdown box.

Result:

Three authentication method boxes display.


5

For each of the methods displayed, select the authentication methods as follows:

  • Method 1 — Use the dropdown menu to select the method that should appear first in the selected authentication login list. A later method is consulted only when the method before it times out, so if Method 1 is a method that cannot time out, such as Local, no other method will ever be tried, even if you have specified more than one. In practice, place Radius first and Local second if local accounts must keep working while the RADIUS server is unreachable; placing Local first leaves any Radius entry after it unused. Note that this parameter will not appear when you first create a new login list.

    The options are:
    • Local - The user's locally stored ID and password will be used for authentication.

    • Radius - The user's ID and password will be authenticated by the RADIUS server instead of locally. This method times out when the server does not answer; a rejection from the server is final and does not fall through to the next method.

    • Reject - The user is never authenticated.

    • Undefined - The authentication method is unspecified (this may not be assigned as the first method).

  • Method 2 — Use the dropdown menu to select the method, if any, that should appear second in the selected authentication login list. This is the method that will be used if the first method times out; it is not used when the first method rejects the user. If you select a method that does not time out as the second method, the third method will not be tried. Note that this parameter will not appear when you first create a new login list. Options are the same as for Method 1.

  • Method 3 — Use the dropdown menu to select the method, if any, that should appear third in the selected authentication login list. It is used only if both earlier methods time out. Note that this parameter will not appear when you first create a new login list. Options are the same as for Method 1.
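The ordering rule above decides whether a login list fails open to local accounts or fails closed when the RADIUS server is down, and it is the usual source of "RADIUS is configured but never consulted" surprises. The following script, added here as an example and not Alcatel-Lucent code, walks a list with the page's semantics (a later method runs only after a timeout, and Local and Reject never time out) and lints lists for dead methods. The RADIUS server is a constructed in-memory table (None stands for an unreachable server); LOCAL_USERS and LISTS are constructed input. What the switch reports when every method times out is not stated on this page, so that case is returned as (TIMEOUT, None) and treated as a failed login by assumption.

```python
"""Walk an authentication login list as this page describes: a later method
is consulted only when the earlier one times out, never when it rejects, and
Local/Reject never time out.  Added example, not Alcatel-Lucent code; RADIUS
is a constructed table (None = unreachable), LOCAL_USERS/LISTS are constructed."""

ACCEPT, REJECT, TIMEOUT = "accept", "reject", "timeout"
NEVER_TIMES_OUT = {"local", "reject"}                       # per the page
LOCAL_USERS = {"admin": "Adm1nPw8", "noc_ro": "Noc1Pass"}  # constructed local database


def local_method(user, password, radius):
    return ACCEPT if LOCAL_USERS.get(user) == password else REJECT


def reject_method(user, password, radius):
    return REJECT                                   # "The user is never authenticated"


def radius_method(user, password, radius):
    if radius is None:                              # server unreachable: no answer at all
        return TIMEOUT
    return ACCEPT if radius.get(user) == password else REJECT


METHODS = {"local": local_method, "radius": radius_method, "reject": reject_method}


def authenticate(login_list, user, password, radius=None):
    """Return (outcome, deciding_method).  Undefined slots are skipped.  If every
    method times out nothing decided, so (TIMEOUT, None) comes back and the
    caller must treat it as a failed login (assumption, not stated on the page)."""
    for method in login_list:
        if method == "undefined":
            continue
        outcome = METHODS[method](user, password, radius)
        if outcome != TIMEOUT:                      # accept and reject are both final
            return outcome, method
    return TIMEOUT, None


def dead_methods(login_list):
    """Methods that can never be reached: everything after the first method
    that cannot time out."""
    for i, method in enumerate(login_list):
        if method in NEVER_TIMES_OUT:
            return [m for m in login_list[i + 1:] if m != "undefined"]
    return []


def lint_login_list(name, login_list):
    """The page's naming and Method 1 rules, plus dead methods that the web
    form accepts silently."""
    problems = []
    if not (1 <= len(name) <= 15 and name.isalnum()):
        problems.append(f"{name!r}: list name must be 1-15 alphanumeric characters")
    if not login_list or login_list[0] == "undefined":
        problems.append(f"{name}: Method 1 may not be Undefined")
    for method in login_list:
        if method != "undefined" and method not in METHODS:
            problems.append(f"{name}: unknown method {method!r}")
    dead = dead_methods(login_list)
    if dead:
        problems.append(f"{name}: {dead} never consulted (an earlier method cannot time out)")
    return problems


LISTS = {  # constructed lists covering the cases discussed above
    "defaultList": ["local", "undefined", "undefined"],     # admin must stay here
    "radiusLocal": ["radius", "local", "undefined"],        # server down -> local fallback
    "localRadius": ["local", "radius", "undefined"],        # radius is dead
    "radiusOnly": ["radius", "reject", "undefined"],        # server down -> fail closed
}

if __name__ == "__main__":
    for name, methods in LISTS.items():
        print(name, lint_login_list(name, methods) or "ok")
    print("server down, radiusLocal:", authenticate(LISTS["radiusLocal"], "noc_ro", "Noc1Pass", radius=None))
    print("server down, radiusOnly: ", authenticate(LISTS["radiusOnly"], "noc_ro", "Noc1Pass", radius=None))
```

The radiusLocal and radiusOnly lists differ only in their second method, yet one keeps local accounts usable during a RADIUS outage and the other locks everyone but admin (who stays on defaultList) out until the server returns; choose deliberately, and keep admin on defaultList as the User Login section requires.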


End of steps

Login Session

This screen displays the current Telnet, HTTP, and serial port connections to the switch. Review it after credential or authentication-list changes; a session from an unexpected address, or one that has been idle for a long time, is worth investigating.

Step
 
1

From the Navigation menu, select System → Configuration → Login Session.

Equivalent CLI command: show loginsession.

Result:

The Login Sessions window displays the current configuration.

  • ID - The Login Session ID

  • User Name - Shows the user name of the login session.

  • Connection From - The IP address of the Telnet or HTTP client machine or EIA-232 for the serial port connection.

  • Idle Time - Time this session has been idle.

  • Session Time - Total time this session has been connected.

  • Session Type - Shows the type of session: telnet, serial, SSH, HTTP or HTTPS.


End of steps

Authentication List Summary

Displays the ordered authentication methods for all authentication login lists.

Step
 
1

From the Navigation menu, select System → Configuration → Authentication List Summary.

Equivalent CLI command: show authentication.

Result:

The Authentication List Summary window displays the current configuration.

  • Authentication List - Identifies the authentication login list.

  • Method 1, 2, 3 - The ordered list of methods configured for this login list.

  • Login Users - The users you assigned to this login list on the User Login Configuration screen. This list is used to authenticate the users for system login access.


End of steps

User Login

This screen assigns the specified user to the specified authentication login list for system login. The user must be a configured user and the list must be a configured login list. The login list associated with the admin user cannot be changed, to prevent accidental lockout from the switch.

Each configured user is assigned to a login list that specifies how the user should be authenticated when attempting to access the switch or a port on the switch. After creating a new user account on the User Accounts screen, you should assign that user to a login list for the switch using this screen and, if necessary, to a login list for the ports using Security → Port Access Control → Login configuration screen. If you need to create a new login list for the user, you would do so on the Authentication List Configuration page.

The pre-configured users, admin and guest, are assigned to a pre-configured list named defaultList, which you may not delete. All newly created users are also assigned to the defaultList until you specifically assign them to a different list.

A user that does not have an account configured on the switch is termed the default or Non-configured user. If you assign the Non-configured user to a login list that specifies authentication via the RADIUS server, you will not need to create an account for all users on each switch; any user the RADIUS server accepts can then log in, so the server's user database becomes the access list for the switch. By default, the Non-configured user is assigned to defaultList, which by default uses local authentication.

Step
 
1

From the Navigation menu, select System → Configuration → User Login.

Result:

The User Login Configuration window displays the current configuration.


2

Select the user from the User dropdown box.

Note:

You must always associate the admin user with the defaultList. This forces the admin user to always be authenticated locally to prevent full lockout from switch configuration.

If you assign a user to a login list that requires remote authentication, the user's access to the switch from all CLI, web, and telnet sessions will be blocked until the authentication is complete.


3

Select the login list from the Authentication List dropdown box. Click Submit.

Equivalent CLI command: If the user selection is Non-configured user, then the CLI command is users defaultlogin <listname>. Otherwise, use users login <user> <listname>.


End of steps

Authentication Login List Summary

This screen displays the users assigned to each authentication login list. If a login list is assigned to the Non-configured user, the name default appears in the User Name column.

Step
 
1

From the Navigation menu, select System → Configuration → Authentication Login List Summary.

Equivalent CLI command: show users authentication.

Result:

The Authentication Login List Summary window displays the current configuration.

  • User Name - Lists every user that has an authentication login list assigned.

  • System Login - Displays the authentication login list assigned to the user for system login.


End of steps

Copyright © 2011 Alcatel-Lucent. All rights reserved.