3 three levels of security, 4 feature access level configuration – CANOGA PERKINS 9145EMP NID Software Version 4.0 User Manual

9145EMP NID Software User’s Manual

Introduction

Three Levels of Security

2

username or password is not valid, the RADIUS server sends a message to the 9145EMP to
disallow the login and reject the user.

Secure Shell version 2 (SSH-2) SSH-2 provides authentication and encryption for a secure
remote Telnet connection. SSH can be configured to provide unique User Accounts.

Secure File Transfer Protocol (SFTP) SFTP adds encryption to protect uploaded files during
the file transfer process, such as for a software update.

1.3 Three Levels of Security

Most Service Provider management networks provision certain access levels to technicians,
network administrators, and managers. Offering different access levels to critical applications
allows network administrators to keep closer watch on the entire network.

The 9145EMP allows view-based access to be set up for user interface features and SNMP
access. A capabilities file allows views to be defined in an ASCII file and downloaded to the NID.
A three-level security system on the 9145EMP controls all user interface and SNMPv3 access.

All 9145EMP features require that the user have a certain access level. The logged in user or
SNMPv3 manager’s access level is used to validate and control access to the 9145EMP
features. When accessing a menu item or an SNMP object, the user’s access level is checked
against the access level required for the feature. If the user’s access level is sufficient, then the
access is granted. If the user’s access level is not sufficient, an error message is displayed in the
status area, or an SNMP error is returned.

The three access levels are supervisor, operator, and observer.

•

In the default configuration, the supervisor access level is allowed complete access to all

9145EMP features including configuring the security system.

•

The operator access level is allowed access to the 9145EMP features except those relat-

ing to the 9145EMP’s security system. This level can be configurable by the administra-
tor.

•

The observer access level is allowed access to the 9145EMP features that do not modify

the 9145EMP’s configuration. This level can be configurable by the administrator.

1.4 Feature Access Level Configuration

The 9145EMP has a default assignment of access levels. Creating and downloading a text file
called 9145EMP.cap to the 9145EMP can change this assignment. This file contains mappings
between module features and the access level required to access the feature.

As an example the entry that controls access to the Maximum Frame Size setting looks like
maxFrameSize=operator. This entry indicates that to change the Maximum Frame Size, a user’s
account must have “operator” access level or greater.

The default 9145EMP.cap file containing the 9145EMP built-in security rules is provided with the
9145EMP release. To modify the security rules, simply modify the provided 9145EMP.cap file
and download this modified file to the 9145EMP. The 9145EMP.cap file is downloaded to the
9145EMP via the normal FTP/SFTP/TFTP in the same manner as downloading a firmware file to
the 9145EMP. The same file may be downloaded to multiple 9145EMPs to ensure the same
security rules.