Troubleshooting guide
2 — 5620 SAM user security
Alcatel-Lucent 5620 Service Aware Manager, 5620 SAM System Administrator Guide (page 2-10)
Assigning remote users to 5620 SAM user groups
User authorization is the assignment of a user to a user group after successful user authentication. By default, the 5620 SAM assigns a remote user to a default user group, if one is specified. Optionally, you can configure the 5620 SAM to assign a group specified by a remote server. If no default group is specified, and remote group assignment is not configured, the authorization fails and the user is denied access.

After a remote server authenticates a user, if the name of the user group sent by the remote server matches a 5620 SAM user group name, the 5620 SAM creates a user account for the login session and grants the appropriate access rights. Otherwise, authorization fails and the 5620 SAM denies user access.
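The following Python model of the authorization decision just described is an added illustration, not code from the 5620 SAM guide or product; it is useful for checking which policy combinations (default group, remote group assignment, group name returned by the server) end in a denied login. The group names, the exact-match comparison and the fallback to the default group when the server returns no group name are assumptions of the model.

```python
# Added illustration (not from the 5620 SAM guide or product code): a model of the
# remote-user authorization decision for RADIUS, TACACS+ or LDAP logins.
from dataclasses import dataclass
from typing import Optional

# Constructed sample of the user groups configured locally on the 5620 SAM.
SAM_USER_GROUPS = {"sam_admin", "sam_operator", "sam_viewer"}


@dataclass
class RemoteAuthReply:
    """What the remote server returned for a login attempt."""
    authenticated: bool
    group_name: Optional[str] = None   # group sent by the remote server, if any


@dataclass
class RemoteAuthPolicy:
    """The relevant 5620 SAM remote authentication policy settings."""
    default_group: Optional[str] = None
    remote_group_assignment: bool = False


def authorize(reply: RemoteAuthReply, policy: RemoteAuthPolicy,
              sam_groups=SAM_USER_GROUPS) -> Optional[str]:
    """Return the 5620 SAM group granted for the session, or None when access is denied."""
    if not reply.authenticated:
        return None                      # authentication failed: no authorization at all
    if policy.remote_group_assignment and reply.group_name is not None:
        # The server's group name must match an existing 5620 SAM group name;
        # otherwise authorization fails. Exact string comparison is an assumption.
        return reply.group_name if reply.group_name in sam_groups else None
    # No usable remote group: fall back to the default group, if one is configured
    # and exists locally (falling back when the server sent no group is an assumption).
    if policy.default_group in sam_groups:
        return policy.default_group
    return None                          # no default group, no remote assignment: deny


if __name__ == "__main__":
    # A server returning a group the 5620 SAM does not know leads to denial, not to
    # a silently weaker group, when remote group assignment is enabled.
    print(authorize(RemoteAuthReply(True, "noc_ops"),
                    RemoteAuthPolicy(default_group="sam_viewer",
                                     remote_group_assignment=True)))
```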
RADIUS or TACACS+ user authorization
In order for a remote RADIUS or TACACS+ server to assign a 5620 SAM user group, you must preconfigure the 5620 SAM and the remote server. See Procedure 2-34 for information about enabling authorization for RADIUS users, and Procedure 2-35 for information about enabling authorization for TACACS+ users.
LDAP user authorization
For each LDAP server that you specify using the 5620 SAM Remote Authentication Manager, you can include LDAP group lookup criteria. The group name that the LDAP server returns in an authentication success message must match an existing 5620 SAM group name.
One-time password use
For increased security, a GUI user can provide an authentication token to an LDAP, RADIUS or TACACS+ server that is validated only once. You can enable one-time password use during 5620 SAM remote authentication policy configuration, as described in Procedure 2-36.
Notes on RADIUS, TACACS+ and LDAP user authorization:
Note 1 — A RADIUS authentication success message that is sent to the 5620 SAM contains the user group name.
Note 2 — For TACACS+, authentication must succeed before an authorization message containing the user group name is sent to the 5620 SAM.
Note 3 — If an LDAP user password is MD5-hashed, only local user authorization is supported.

Notes on one-time password use:
Note 1 — The one-time password function is not available to OSS clients.
Note 2 — To change the one-time password setting in a remote authentication policy, you require a scope of command that has Update/Execute access to the srmrmtauth package.
Release 13.0 R2 | May 2015 | 3HE 09815 AAAB TQZZA Edition 01