Troubleshooting guide
2 — 5620 SAM user security tasks
2-12 Alcatel-Lucent 5620 Service Aware Manager
5620 SAM
System Administrator Guide
2.6 Remote authentication and authorization
The 5620 SAM uses a JAAS security framework to provide authentication and
authorization services. When a user logs in to the 5620 SAM, the authentication
method used depends on the 5620 SAM login module configuration. The 5620 SAM
supports the following remote authentication login modules:
• RadiusJaasLoginModule
• TacacsPlusJaasLoginModule
The JAAS security framework integrates the login modules with the 5620 SAM.
During startup, the 5620 SAM reads a file that contains the JAAS login module
configuration. Depending on the VSA configuration in the file, one of the following
authentication and authorization methods is available for remote users that do not
have a 5620 SAM user account:
• The remote server authenticates the user and the 5620 SAM assigns a user group.
• The remote server authenticates the user and assigns a user group.
When the 5620 SAM assigns a user group to a remote user, a default external user
group must be present in the 5620 SAM. User authentication succeeds when the
remote authentication server validates the user password. User authorization
succeeds and the user is provided with access rights when the default external user
group is associated with the user. The 5620 SAM then creates a remote user account
for the login session. In this scenario, when the default external user group is not
specified, authorization fails and the user is denied access.
When the remote authentication server assigns a user group to a remote user, VSA
support must be enabled in the JAAS login module configuration. In this scenario, a
user group must be defined on the remote authentication server, and the remote
server administrator must load the 5620 SAM RADIUS dictionary on the RADIUS
server. The Sam-security-group-name VSA in the dictionary is used to configure a
RADIUS remote user on the RADIUS server. The user group that is defined in the
VSA must exist in the 5620 SAM. The remote authentication server administrator
must specify the user group in the user configuration on the authentication server.
When the remote user logs in to the 5620 SAM, authentication succeeds when the
remote authentication server validates the user password. Authorization succeeds
and the user is provided with access rights when the user group defined on the remote
server is sent to the 5620 SAM and validated. If the user group name matches a user
group name in the 5620 SAM, the 5620 SAM creates a remote user account for the
login session. Otherwise, authorization fails and user access is not granted.
See Procedure 2-34 for information about how to configure remote authentication
and authorization for remote-only users.
In RADIUS, the authentication success message that is sent to the 5620 SAM
contains the user group name. In TACACS+, authentication must succeed before an
authorization message containing the user group name is sent to the 5620 SAM.
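The two authorization outcomes described above, modelled as an added example (not 5620 SAM code): a RADIUS Access-Accept attribute list is decoded for the Sam-security-group-name VSA, and the result is checked against the groups defined in the 5620 SAM, falling back to the default external user group when VSA support is off. The vendor ID and vendor attribute number are placeholders; the real values come from the 5620 SAM RADIUS dictionary, which this page does not reproduce.

```python
import struct

VSA_TYPE = 26          # RFC 2865 Vendor-Specific attribute type
VENDOR_ID = 0xFFFF     # PLACEHOLDER: real vendor id is in the 5620 SAM RADIUS dictionary
GROUP_VSA_TYPE = 1     # PLACEHOLDER: vendor attribute number of Sam-security-group-name


def build_vsa(vendor_type, value):
    """Encode one RFC 2865 VSA; used here only to construct sample server data."""
    inner = struct.pack("!IBB", VENDOR_ID, vendor_type, 2 + len(value)) + value
    return struct.pack("!BB", VSA_TYPE, 2 + len(inner)) + inner


def parse_attributes(data):
    """Yield (type, value) for each RADIUS attribute; reject inconsistent lengths."""
    pos = 0
    while pos + 2 <= len(data):
        attr_type, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("malformed attribute at offset %d" % pos)
        yield attr_type, data[pos + 2:pos + length]
        pos += length


def group_from_vsa(attrs):
    """Return the group name carried in the Sam-security-group-name VSA, or None."""
    for attr_type, value in parse_attributes(attrs):
        if attr_type != VSA_TYPE or len(value) < 6:
            continue
        vendor_id, vendor_type, vendor_len = struct.unpack("!IBB", value[:6])
        # vendor length covers its own type and length octets plus the value
        if (vendor_id, vendor_type) == (VENDOR_ID, GROUP_VSA_TYPE) and vendor_len == len(value) - 4:
            return value[6:].decode("ascii")
    return None


def authorize(password_ok, vsa_enabled, attrs, sam_groups, default_external_group=None):
    """Model of the remote-only user decision: who assigns the group, and does it exist."""
    if not password_ok:                      # remote server rejected the password
        return "denied: authentication failed"
    if vsa_enabled:                          # remote server assigns the group
        group = group_from_vsa(attrs)
        if group in sam_groups:
            return "granted: %s" % group
        return "denied: server group %r not defined in 5620 SAM" % group
    if default_external_group in sam_groups:  # 5620 SAM assigns the group
        return "granted: %s" % default_external_group
    return "denied: no default external user group"


# constructed Access-Accept attribute list carrying the group name
SAMPLE_ATTRS = build_vsa(GROUP_VSA_TYPE, b"oss_operators")
```

Calling `authorize(True, True, SAMPLE_ATTRS, {"admin"})` shows the mismatch case: the password is valid, but the group named by the server is not defined in the 5620 SAM, so access is denied.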
Successful remote authentication for an OSS user requires that the remote server and
the 5620 SAM use the same password format. OSS users can log in using a clear-text
password, or an MD5-hashed password if the remote authentication server
supports MD5-hashed passwords. See “Secure communication” in the
5620 SAM XML OSS Interface Developer Guide for more information.
Release 12.0 R6 | November 2014 | 3HE 08861 AAAF TQZZA Edition 01