NSP user authentication
Authentication modes
The NSP supports the following Single Sign-On, or SSO, authentication modes; you can enable only one during system deployment:
- OAUTH2 mode: based on the Keycloak open-source identity and access management solution using the standard OAuth 2.0 protocol
For authentication mode configuration information, see the NSP Installation and Upgrade Guide.
Note: Customers who currently use CAS are encouraged to migrate to OAUTH2, as described in the NSP Installation and Upgrade Guide.
OAUTH2 mode
OAUTH2 mode is based on the Keycloak open-source identity and access management solution using the standard OAuth 2.0 protocol. OAUTH2 supports:
OAUTH2 mode is configurable using the parameters in the following section of the NSP configuration file:
## oauth2 (Keycloak) only SSO parameters
Login protection
OAUTH2 provides functions for temporarily or permanently locking out users for login failures. Login failure management is configured during NSP deployment.
You cannot enable both temporary and permanent user lockout. If user lockout is to be enforced, only one mechanism can be active at any time.
Note: Temporary user lockout is enabled by default.
Note: Nokia recommends deploying the NSP with brute-force protection enabled and the parameters configured in accordance with your security policy.
Local user authentication
OAUTH2 maintains a local user database.
Password storage for local users
A one-way cryptographic hash is applied to every NSP user password stored in the local database. Hashing protects against accidental or intentional database disclosure, because the original password cannot be recovered from the stored hash. To further mitigate password attacks, a random salt is added to each user password before the one-way hash is applied, so identical passwords produce different stored values and precomputed hash tables are ineffective.
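The following is an added illustration, not NSP or Keycloak code, of the two mechanisms described above: per-user salted one-way password hashing (this section) and the login-failure lockout described under Login protection, where exactly one of temporary or permanent lockout is active. All names, the PBKDF2 parameters and the thresholds are constructed for the example and are not NSP configuration keys.

```python
import hashlib
import hmac
import os
import time

PBKDF2_ROUNDS = 100_000  # constructed value for the example; tune per your policy


def hash_password(password, salt=None):
    # Fresh random salt per user, then a one-way hash: the plaintext is never stored.
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class LocalUserStore:
    # permanent=False is temporary lockout (the default); permanent=True disables the
    # timed unlock, so only one of the two lockout mechanisms is ever active.
    def __init__(self, max_failures=5, lockout_seconds=300, permanent=False):
        self.max_failures, self.lockout_seconds, self.permanent = max_failures, lockout_seconds, permanent
        self.users = {}

    def add_user(self, name, password):
        salt, digest = hash_password(password)
        self.users[name] = {"salt": salt, "digest": digest, "failures": 0, "locked_at": None}

    def is_locked(self, name, now):
        rec = self.users[name]
        if rec["locked_at"] is None:
            return False
        if self.permanent or now - rec["locked_at"] < self.lockout_seconds:
            return True
        rec["locked_at"], rec["failures"] = None, 0  # temporary lockout has expired
        return False

    def login(self, name, password, now=None):
        now = time.time() if now is None else now
        rec = self.users.get(name)
        if rec is None:
            return "denied"  # same result as a wrong password, so account names are not leaked
        if self.is_locked(name, now):
            return "locked"
        _, candidate = hash_password(password, rec["salt"])
        if hmac.compare_digest(candidate, rec["digest"]):
            rec["failures"] = 0
            return "ok"
        rec["failures"] += 1
        if rec["failures"] >= self.max_failures:
            rec["locked_at"] = now  # lockout starts; a temporary one clears after lockout_seconds
        return "denied"
```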
Password complexity for local users
In an NSP system that uses local OAUTH2 authentication, user password complexity rules are configurable. The following are the default rules, which state that a password must:
Password changes
One administrator account is created by default during NSP system installation. During the initial administrator login using the default password, the user is prompted to change the password. The creation of additional local users includes an option to force the user to change the password during the initial login.
Note: Nokia recommends that you enable the initial password-change option.
OAUTH2 remote user authentication
OAUTH2 mode also supports remote user authentication using external LDAP/S, RADIUS, and TACACS+ servers, but does not support remote authentication through the NFM-P. An NSP operator can import NFM-P users into OAUTH2 as local users.
WS-NOC users are stored in a WS-NOC LDAP database, and are supported by OAUTH2. See the NSP Installation and Upgrade Guide for configuration information.
Note: If LDAP is used for remote access, it is strongly recommended that you use LDAPS to ensure that the LDAP communication is secured.
Session controls
To enhance security, an idle session timeout and token lifespan can be applied at install time. The values of these parameters apply to both REST and SSO sessions:
Note: Some applications continuously communicate with the NSP and do not time out from inactivity, such as Fault Management, which requires near-real-time event updates.
You are encouraged to assess the number of concurrent sessions required for your deployment, and set the maximum number to the lowest value that meets the requirement.
CAS mode
The legacy CAS mode uses an open-source, enterprise-grade Central Access Server solution. CAS provides the infrastructure for user authentication against multiple trusted sources.
CAS mode supports user authentication against an NFM-P local user database, if the deployment includes the NFM-P. CAS also supports external authentication agents such as LDAP, RADIUS, or TACACS+.
Note: CAS does not maintain a local user database for authentication.
CAS mode is configurable using the parameters in the following section of the NSP configuration file:
## CAS only SSO parameters
The NSP provides CAS user session management, user access control, and user activity-logging functions.
Brute-force password protection
A brute-force password attack consists of submitting passwords repeatedly in order to guess the correct password. The NSP in CAS mode implements a login throttling mechanism to help mitigate brute-force password attacks. User login throttling limits the number of failed login attempts.
It is recommended that you enable a user login throttling mechanism according to your security policy.
Note: Login throttling is enabled in an NFM-P-only deployment; however, the throttling parameters are not configurable.
Local user authentication in CAS mode
Local user authentication in CAS mode is not supported.
Remote user authentication with CAS mode
CAS mode supports remote user authentication through LDAP/LDAPS, RADIUS, and TACACS+. See the NSP Installation and Upgrade Guide for configuration information.
Note: If LDAP is used for remote access, it is strongly recommended that you use LDAPS to ensure that the LDAP communication is secured.
Note: CAS does not apply a password-change policy to remote users; if a password change is mandated, the user must contact the system administrator for information about the LDAP, RADIUS, or TACACS+ password requirements.
Session controls
An NSP administrator can limit the number of concurrent admin and non-admin user sessions using parameters in the NSP cluster configuration file.
During NSP deployment, you can limit the number of concurrent REST sessions, and specify the REST token expiry time. The configuration parameters are in the nsp—modules—nspos—rest section of the NSP configuration file. See the NSP Installation and Upgrade Guide for configuration information.
You are encouraged to assess the number of concurrent sessions required for your deployment, and set the maximum number to the lowest value that meets the requirement.
© 2023 Nokia. Nokia Confidential Information
Use subject to agreed restrictions on disclosure and use.