13-7
Cisco ONS 15454 DWDM Reference Manual, R8.5
78-18343-02
Chapter 13 Security Reference
13.2.2 Security Policies
13.2.2.1 Superuser Privileges for Provisioning Users
Superusers can grant permission to Provisioning users to perform a set of tasks. The tasks include
retrieving audit logs, restoring databases, clearing PMs, and activating and reverting software loads.
These privileges can be set only through CTC network element (NE) defaults, except the PM clearing
privilege, which can be granted to Provisioning users using CTC Provisioning> Security > Access tabs.
For more information on setting up Superuser privileges, refer to the Cisco ONS 15454 DWDM
Procedure Guide.
13.2.2.2 Idle User Timeout
Each ONS 15454 CTC or TL1 user can be idle during his or her login session for a specified amount of
time before the CTC window is locked. The lockouts prevent unauthorized users from making changes.
Higher-level users have shorter default idle periods and lower-level users have longer or unlimited
default idle periods, as shown in Table 13-3.
13.2.2.3 User Password, Login, and Access Policies
Superusers can view real-time lists of users who are logged into CTC or TL1 user logins by node.
Superusers can also provision the following password, login, and node access policies:
• Password length, expiration and reuse—Superusers can configure the password length by using NE
defaults. The password length, by default, is set to a minimum of six and a maximum of 20
characters. You can configure the default values in CTC node view with the Provisioning > NE
Defaults > Node > security > password Complexity tabs. The minimum length can be set to eight,
ten or twelve characters, and the maximum length to 80 characters. The password must be a
combination of alphanumeric (a-z, A-Z, 0-9) and special (+, #,%) characters, where at least two
characters are nonalphabetic and at least one character is a special character. Superusers can specify
when users must change their passwords and when they can reuse them.
• Locking out and disabling users—Superusers can provision the number of invalid logins that are
allowed before locking out users and the length of time before inactive users are disabled. The
number of allowed lockout attempts is set to the number of allowed login attempts.
• Node access and user sessions—Superusers can limit the number of CTC sessions one user can have,
and they can prohibit access to the ONS 15454 using the LAN or TCC2/TCC2P RJ-45 connections.
In addition, a Superuser can select secure shell (SSH) instead of Telnet at the CTC Provisioning >
Security > Access tabs. SSH is a terminal-remote host Internet protocol that uses encrypted links. It
provides authentication and secure communication over unsecure channels. Port 22 is the default
port and cannot be changed.
Table 13-3 ONS 15454 Default User Idle Times
Security Level Idle Time
Superuser 15 minutes
Provisioning 30 minutes
Maintenance 60 minutes
Retrieve Unlimited
To Next Page
Loading...
Need help?
General
