NSP user authentication

Basic elements

The NSP user-authentication mechanism, OAUTH2, provides the following single sign-on (SSO) functions:

The NSP System Administrator Guide describes NSP SSO functions and parameters.

OAUTH2

OAUTH2 is an implementation of Keycloak, the open-source identity and access-management solution, and uses the standard OAuth 2.0 protocol. OAUTH2 maintains a local user database, supports remote users, and can temporarily or permanently lock out users to prevent brute-force or random-guess attacks.

Migrating from CAS to OAUTH2

In NSP Release 24.4, user management changed from NFM-P/CAS to OAUTH2. When upgrading from an older release that uses NFM-P/CAS to a current release that uses OAUTH2, you must import local users and user groups provisioned in the NFM-P to NSP. Remote users do not need to be imported, as they are created automatically when they log in.

Following the upgrade, NFM-P user security must be used only to manage XML API users. Users and Security in NSP must be used to manage all other user types.

See the NSP System Administrator Guide for more information about importing users and groups from NFM-P.

Local user authentication

NSP local user authentication uses robust password encryption, and has rules that govern the password change and complexity requirements.

Password encryption

A one-way cryptographic hash is applied to all NSP user passwords stored in the local database. The hashing protects against an accidental or intentional database disclosure, because the original password cannot be recovered from the stored hash. To further mitigate password attacks, a random salt is added to each user password before the one-way cryptographic hash is applied, so two users with the same password do not share the same stored value.

Password complexity

User password complexity rules are configurable; the following are the defaults, which state that a password must:

Password changes

One administrator account is created by default during NSP system installation. During the initial administrator login using the default password, the user is prompted to change the password. The creation of additional local users includes an option to force the user to change the password during the initial login.

Note: Nokia recommends that you enable the initial password-change option.

Remote user authentication

NSP supports LDAP/S, RADIUS, and TACACS+ remote user access.

When RADIUS remote authentication is configured, multi-factor authentication (MFA) can be used for added protection. NSP supports MFA through the RADIUS access-challenge packet from the RADIUS server. When NSP receives the access-challenge from the RADIUS server, the user is prompted for a one-time verification code.

See the NSP System Administrator Guide for information about configuring remote users.

Note: If LDAP is used for remote access, it is strongly recommended that you use LDAPS to secure the LDAP communication.

Note: If RADIUS is used for remote access, it is strongly recommended that you configure MFA via the access-challenge from the RADIUS server.

Login protection

You cannot enable both temporary and permanent user lockout; if user lockout is to be enforced, only one mechanism can be active at any time.

Note: Temporary user lockout is enabled by default.

Note: Nokia recommends deploying NSP with brute-force protection enabled and the parameters configured in accordance with your security policy.
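As an added example that is not NSP's own code, the guard below models the login-protection behaviour described in this section: failed attempts are counted per user, and exactly one of the two lockout mechanisms (temporary or permanent) is active. The failure threshold and lockout duration are example values, not NSP defaults, and the `LoginGuard` class and its method names are assumptions for the illustration.

```python
from dataclasses import dataclass
from typing import Dict


@dataclass
class _Record:
    failures: int = 0
    locked_until: float = 0.0      # unix time; 0.0 means no temporary lock
    permanently_locked: bool = False


class LoginGuard:
    """Brute-force protection with mutually exclusive temporary/permanent lockout.

    `mode` must be "temporary" or "permanent"; both cannot be enforced at once,
    mirroring the rule that only one lockout mechanism is active at any time.
    Timestamps are passed in explicitly so the logic is deterministic.
    """

    def __init__(self, mode: str, max_failures: int = 5, lockout_seconds: int = 900):
        if mode not in ("temporary", "permanent"):
            raise ValueError("mode must be exactly one of 'temporary' or 'permanent'")
        self.mode = mode
        self.max_failures = max_failures            # example threshold, not an NSP default
        self.lockout_seconds = lockout_seconds      # example duration, not an NSP default
        self._records: Dict[str, _Record] = {}

    def _rec(self, user: str) -> _Record:
        return self._records.setdefault(user, _Record())

    def is_locked(self, user: str, now: float) -> bool:
        rec = self._rec(user)
        if rec.permanently_locked:
            return True
        if rec.locked_until and now < rec.locked_until:
            return True
        if rec.locked_until and now >= rec.locked_until:
            # Temporary lock has expired: clear it and start counting afresh.
            rec.locked_until = 0.0
            rec.failures = 0
        return False

    def record_failure(self, user: str, now: float) -> None:
        """Count a failed attempt and apply the configured lockout at the threshold."""
        if self.is_locked(user, now):
            return
        rec = self._rec(user)
        rec.failures += 1
        if rec.failures >= self.max_failures:
            if self.mode == "temporary":
                rec.locked_until = now + self.lockout_seconds
            else:
                rec.permanently_locked = True

    def record_success(self, user: str) -> None:
        """A successful login resets the failure counter."""
        self._rec(user).failures = 0

    def admin_unlock(self, user: str) -> None:
        """Administrator action: the only way out of a permanent lockout."""
        self._records[user] = _Record()


if __name__ == "__main__":
    guard = LoginGuard("temporary", max_failures=3, lockout_seconds=60)
    for t in (100.0, 101.0, 102.0):          # three bad passwords in quick succession
        guard.record_failure("alice", now=t)
    print("locked right after threshold:", guard.is_locked("alice", now=103.0))
    print("still locked at +59 s:", guard.is_locked("alice", now=161.0))
    print("unlocked at +60 s:", guard.is_locked("alice", now=162.0))
```

With `mode="permanent"` the same three failures set `permanently_locked`, and no passage of time clears it; an administrator must call `admin_unlock`. Whichever mode is chosen, the threshold and duration should come from the deployment's security policy rather than the example values here.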

Session controls

To enhance security, an idle session timeout and token lifespan can be applied. The timeout and lifespan apply to NSP SSO and REST sessions:

Note: Functions that require near-real-time event updates communicate continuously with NSP, so they do not time out because of inactivity.

You are encouraged to assess the number of concurrent sessions that your deployment requires, and to set the maximum allowed number to the lowest value that meets the requirement.
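The added example below, which is not NSP code, models the three session controls this section describes: an idle timeout, a token lifespan, and a cap on concurrent sessions per user. The timeout, lifespan and cap values are example settings chosen for the illustration, and the `SessionPolicy` class and its method names are assumptions. It also shows the behaviour noted above: a client that keeps communicating never idles out, but still expires when the token lifespan is reached.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Session:
    user: str
    created_at: float      # token issue time (unix seconds)
    last_activity: float   # last request seen on this session


class SessionPolicy:
    """Idle timeout, token lifespan and concurrent-session limit for SSO/REST sessions."""

    def __init__(self, idle_timeout_s: int, token_lifespan_s: int, max_concurrent: int):
        # Example values are supplied by the caller; none of these are NSP defaults.
        self.idle_timeout_s = idle_timeout_s
        self.token_lifespan_s = token_lifespan_s
        self.max_concurrent = max_concurrent

    def is_valid(self, s: Session, now: float) -> bool:
        """A session is valid only while both limits hold: the token lifespan is an
        absolute cap that activity cannot extend; the idle timeout is relative to
        the last request."""
        if now - s.created_at >= self.token_lifespan_s:
            return False
        if now - s.last_activity >= self.idle_timeout_s:
            return False
        return True

    def touch(self, s: Session, now: float) -> None:
        """Record activity (for example a continuous event-stream heartbeat)."""
        s.last_activity = now

    def open_session(self, user: str, now: float, active: List[Session]) -> Optional[Session]:
        """Create a session for `user` unless the concurrent limit is reached.

        Expired sessions are pruned from `active` first, so a user whose old
        sessions have timed out is not wrongly refused.
        """
        active[:] = [s for s in active if self.is_valid(s, now)]
        if sum(1 for s in active if s.user == user) >= self.max_concurrent:
            return None
        s = Session(user=user, created_at=now, last_activity=now)
        active.append(s)
        return s


def keep_alive_until_lifespan(policy: SessionPolicy, heartbeat_s: int) -> float:
    """Simulate a client that sends a request every `heartbeat_s` seconds.

    Returns the time at which the session first becomes invalid, demonstrating
    that continuous activity defeats the idle timeout but not the lifespan.
    """
    s = Session(user="events", created_at=0.0, last_activity=0.0)
    now = 0.0
    while policy.is_valid(s, now):
        now += heartbeat_s
        if policy.is_valid(s, now):
            policy.touch(s, now)
    return now


if __name__ == "__main__":
    policy = SessionPolicy(idle_timeout_s=300, token_lifespan_s=3600, max_concurrent=2)
    print("idle client invalid at:", keep_alive_until_lifespan(policy, heartbeat_s=10_000))
    print("chatty client invalid at:", keep_alive_until_lifespan(policy, heartbeat_s=60))
```

Setting `max_concurrent` to the lowest value the deployment actually needs, as the text recommends, limits how many live tokens a single compromised credential can yield, and the pruning step in `open_session` keeps that limit from locking out users whose earlier sessions have already expired.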