Troubleshooting guide

2 — 5620 SAM user security
2-14 Alcatel-Lucent 5620 Service Aware Manager
5620 SAM
System Administrator Guide
Consider the following:
The 5620 SAM server acts as a network access server. A network access server is considered a client of a remote access server.
The sequence of activity between the 5620 SAM server, which is the authentication client, and the remote server, which is the authentication server, is the following:
• client requests authentication
• server replies to authentication request
• client requests logout and authentication stops
When the remote authentication servers are down and local authentication is used, the user must log in using 5620 SAM credentials, as described in “Combined local and remote authentication”.
2.7 Workflow to configure and manage 5620 SAM user security
1 Assess the requirements for user access to the different 5620 SAM functional areas and develop a strategy for implementing user security. See section 2.2 for more information.
2 Reserve a client GUI session for the admin user to ensure that the admin user can always log in; see Procedure 2-1.
Task | Description (2 of 2)

1. Configure the remote authentication order for all users
   Choose Administration→Security→5620 SAM Remote User Authentication from the 5620 SAM main menu.
   Set the authentication order parameters to the following, and then specify the RADIUS and TACACS+ servers on the RADIUS and TACACS tabs.
   • Authentication Order 1—radius
   • Authentication Order 2—tacplus
   • Authentication Order 3—local

2. Create scope of command profiles
   Choose Administration→Security→5620 SAM User Security from the 5620 SAM main menu.
   Create a CLI scope of command profile and assign the default CLI management role to the profile.
   Create at least one scope of command profile that does not allow CLI access by assigning the default scope of command role, which has no access permissions to CLI management.

3. Create and configure user groups
   Choose Administration→Security→5620 SAM User Security from the 5620 SAM main menu.
   Create a CLI user group and at least one user group that does not allow CLI access. Assign the scope of command profile with CLI management access to the CLI user group. Assign the scope of command profile without CLI management access to the user group without CLI access.
   Authorization is done using user groups, so each user must belong to a user group with a local account on the 5620 SAM server.

4. Create and configure user accounts
   You can create local users on the 5620 SAM by performing the following steps, or define remote users using RADIUS and TACACS+. The local users are available when RADIUS or TACACS+ authentication is not available.
   Choose Administration→Security→5620 SAM User Security from the 5620 SAM main menu.
   Create users.
   Assign the appropriate user group to each user: one with CLI access and one without CLI access.

5. Configure notification
   Choose Administration→Security→5620 SAM User Security from the 5620 SAM main menu.
   Configure the authentication failure action parameters, including the parameters that allow the e-mail account of the administrator to be notified after login failure.
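The behaviour the table configures, modelled as an added Python example that is not 5620 SAM code: the radius, tacplus, local authentication order with fallback only when a server is down, authorization by user group and scope of command profile, and the administrator notification on login failure. Backend, user and group names are constructed sample data, and treating a reject from a reachable server as final is an assumption of the model, since the page only describes fallback for servers that are down.

```python
from dataclasses import dataclass
from enum import Enum

class Result(Enum):
    ACCEPT = "accept"
    REJECT = "reject"
    UNAVAILABLE = "unavailable"   # server down or unreachable

@dataclass
class Backend:
    """One authentication method in the order (assumed model, not a 5620 SAM API)."""
    name: str            # "radius", "tacplus" or "local"
    users: dict          # username -> password, constructed sample data
    up: bool = True      # False simulates the remote server being down

    def check(self, user, password):
        if not self.up:
            return Result.UNAVAILABLE
        return Result.ACCEPT if self.users.get(user) == password else Result.REJECT

def authenticate(order, user, password, notify):
    """Walk the configured order (radius, tacplus, local); skip only servers that are down.
    Assumption: a REJECT from a reachable server is final, so a remote reject is never
    bypassed by trying the local password next."""
    for backend in order:
        result = backend.check(user, password)
        if result is Result.UNAVAILABLE:
            continue                           # fall back to the next method
        if result is Result.REJECT:
            notify(f"login failure for {user} via {backend.name}")   # task 5 notification
        return backend.name, result
    notify(f"login failure for {user}: no authentication server reachable")
    return None, Result.UNAVAILABLE

# Authorization uses user groups (task 3): the scope of command profile assigned
# to the group decides CLI access. Constructed sample groups and memberships.
GROUPS = {"cli-operators": {"cli_access": True}, "gui-only": {"cli_access": False}}
USER_GROUP = {"alice": "cli-operators", "bob": "gui-only"}

def login(order, user, password, notify):
    """Authenticate, then authorize: a user with no local account/group gets no access
    even if a remote server accepted the password."""
    backend, result = authenticate(order, user, password, notify)
    if result is not Result.ACCEPT or user not in USER_GROUP:
        return {"ok": False, "via": backend, "cli": False}
    return {"ok": True, "via": backend, "cli": GROUPS[USER_GROUP[user]]["cli_access"]}
```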
Release 13.0 R2 | May 2015 | 3HE 09815 AAAB TQZZA Edition 01