
3 — NE user and device security
Alcatel-Lucent 5620 Service Aware Manager (5620 SAM) System Administrator Guide, page 3-2
3.1 NE user and device security overview
You can use the 5620 SAM to configure security for managed-device access that includes the following:
• device user accounts, profiles, and passwords
• RADIUS, TACACS+, and LDAP authentication for 5620 SAM user accounts
• MAFs
• CPM filters
• DoS protection
• DDoS protection
• X.509 authentication
A 5620 SAM site user profile specifies which CLI commands or command groups
are permitted or denied on a managed device. A profile can be associated with
multiple 5620 SAM user accounts, and each user account can have up to eight
associated profiles.
The following general rules apply to 5620 SAM security management for devices.
• The authentication settings on a device override any settings distributed by the 5620 SAM. For example, if you use the 5620 SAM to configure a user account with SHA authentication, and then distribute the account to a device that uses MD5 authentication, the account authentication type changes to MD5.
• MAFs and CPM filters must be manually distributed to a managed device.
• An operator can limit the type of managed device access per user, for example, allowing FTP access, but denying console, Telnet, and SNMP access.
• A user profile is independent of a user account, and is not in effect until associated with a user account.
3.2 RADIUS, TACACS+, and LDAP
RADIUS is an access server AAA protocol. The protocol provides a standardized method of exchanging information between a RADIUS client, which resides on a device and is managed by the 5620 SAM, and a RADIUS server, which is external to both the device and the 5620 SAM.
RADIUS provides an extra layer of login security. The RADIUS client relays user account information to the RADIUS server, which authenticates the user and returns user privilege information. This information defines the device access of the user; for example, a user may not be allowed to FTP files to or from the device.
Caution — The 5620 SAM cannot obtain a secret value from an NE during resynchronization. Alcatel-Lucent recommends that you use only the 5620 SAM to configure a shared authentication secret. Do not configure a shared authentication secret directly on a managed NE using another interface, for example, the CLI; otherwise, the 5620 SAM cannot synchronize the security policy with the NE.
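The RADIUS exchange described in 3.2 and the shared-secret dependency behind the Caution above, as an added example that is not from this guide or from the 5620 SAM: a minimal RFC 2865 Access-Request / Access-Accept round trip in Python. The packet codes and attribute types are the standard ones; the secret, user names, passwords and the Reply-Message value "ftp=deny" (standing in for the returned privilege information) are constructed for the example.

```python
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3  # RFC 2865 packet codes
USER_NAME, USER_PASSWORD, REPLY_MESSAGE = 1, 2, 18  # attribute types used here
HEADER = struct.Struct("!BBH")  # Code, Identifier, Length; a 16-byte Authenticator follows

def _xor_stream(data: bytes, secret: bytes, authenticator: bytes, reveal: bool) -> bytes:
    # RFC 2865 s5.2: XOR each 16-byte block with MD5(secret + previous ciphertext block),
    # the first block with MD5(secret + Request Authenticator); same loop hides and reveals.
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        out += bytes(a ^ b for a, b in zip(block, hashlib.md5(secret + prev).digest()))
        prev = block if reveal else out[i:i + 16]
    return out

def attribute(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, len(value) + 2) + value  # Type, Length, Value

def parse_attributes(data: bytes) -> dict:
    attrs = {}
    while len(data) >= 2 and data[1] >= 2:  # a Length below 2 would be malformed
        attrs[data[0]], data = data[2:data[1]], data[data[1]:]
    return attrs

def build_access_request(ident: int, user: bytes, password: bytes, secret: bytes) -> bytes:
    # RADIUS client side (the managed NE): pad the password to 16 bytes and hide it.
    authenticator = os.urandom(16)
    hidden = _xor_stream(password + b"\x00" * (-len(password) % 16), secret, authenticator, False)
    attrs = attribute(USER_NAME, user) + attribute(USER_PASSWORD, hidden)
    return HEADER.pack(ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def handle_access_request(packet: bytes, secret: bytes, users: dict) -> bytes:
    # Server side: reveal the password with its own secret; reply Access-Accept (a constructed
    # Reply-Message stands in for privileges) or Reject, signed MD5(header+ReqAuth+attrs+secret).
    _, ident, length = HEADER.unpack(packet[:4])
    req_auth, attrs = packet[4:20], parse_attributes(packet[20:length])
    password = _xor_stream(attrs.get(USER_PASSWORD, b""), secret, req_auth, True)
    ok = users.get(attrs.get(USER_NAME)) == password.rstrip(b"\x00")
    code, body = (ACCESS_ACCEPT, attribute(REPLY_MESSAGE, b"ftp=deny")) if ok else (ACCESS_REJECT, b"")
    header = HEADER.pack(code, ident, 20 + len(body))
    return header + hashlib.md5(header + req_auth + body + secret).digest() + body

def client_accepts_reply(reply: bytes, request: bytes, secret: bytes) -> bool:
    # Client check of the Response Authenticator; fails when NE and server secrets differ.
    code, _, length = HEADER.unpack(reply[:4])
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:length] + secret).digest()
    return code == ACCESS_ACCEPT and reply[4:20] == expected
```

With the same secret on both sides the password round-trips and the client verifies the reply; with different secrets the server recovers garbage and rejects, and any reply fails the client's authenticator check, which is why the secret must be configured consistently, as the Caution requires.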
Release 12.0 R6 | November 2014 | 3HE 08861 AAAF TQZZA Edition 01