Security Functions and Activity Summary

Overview of Security Management


Note   See the Cisco BTS 10200 Command Line Interface Reference Guide for specific command line interface (CLI) commands and parameters.

The security management system controls and monitors access to the Cisco BTS 10200 Softswitch from outside sources. This security system is important in preventing:

Internal security functions include:

The first time a user logs in to the Cisco BTS 10200 Softswitch, he/she will be prompted to establish a password.

Security Classes and User Privilege Levels

Each command (verb-noun combination) is preassigned a security class of 1 through 10, with 1 being the lowest and 10 the highest level. The security class indicates the minimum privilege level required for an operator to complete the command. The system administrator can assign an alphanumeric description with each of these security classes, if desired.


Note   The security classes are preassigned for each command, but can be changed by the system administrator.

When a new user is entered by the system administrator, the user is assigned a privilege level from 1 through 10 (level 10 is typically reserved for the system administrator). Each time a user enters a command, the system compares the user's privilege level to the security class of the specific command. The command will be denied if the user has a privilege level less than the command level.

The user interface of the security management system allows users with the highest privilege levels to perform the following security tasks:

Adding Descriptions to Security Classes

Each of the ten security levels can be assigned an alphanumeric description using the following command. This procedure is optional.

change command-level id=<#>; description=<alphanumeric description>
Note   <#> = 1 to 10 and <alphanumeric description> can have up to 64 ASCII characters.

Adding/Changing/Deleting Users

Users with privilege level 10 can add, change, delete and show data for a user identified as "UserABC". Note that change user allows the privilege level of the user to be changed—but not the identity of the user. The days-valid and warn tokens specify the number of days a user's password is valid, and the number of days warning the user will receive before their password expires. Typical command examples (and system responses) are shown below:

CLI>add user name=UserABC; command-level=9; warn=10; days-valid=30; workgroups=somegroup;
Executing command, please wait...
Reply: Request was successfully completed
Note   warn, days-valid, and workgroups are optional.

CLI>show user name=UserABC;
Executing command, please wait...
Reply: Request was successful.
name=UserABC
command-level=9
workgroups=somegroup

CLI>change user name=UserABC; command-level=1; workgroups=somegroup;
Executing command, please wait...
Reply: Request was successfully completed
Note   The change user command changes only the privilege level of the user, and not the identity of the user.


Note   command-level and workgroups are optional, however one of them must be changed.

CLI>delete user name=UserABC;
Executing command, please wait...
Reply: Request was successfully completed

The following example illustrates what happens when a user with a privilege level less than 9 attempts to enter an add/show/change/delete user command:

CLI>change user name=UserABC; command-level=6;
Not authorized to execute change user: User command-level: 2 level needed: 10

Caution   Never add, change or delete the user name root, because this will affect proper access to the system.

Default User (Optiuser) and Password For CLI Administrator

The system default user/password combination for the CLI administrator is optiuser/optiuser. The user name optiuser can never be deleted from the system. As a security measure, the system administrator should change the password for user optiuser on each system before deployment. This is done by performing the following steps.


Step 1   Log on (SSH) to one EMS unit with the username optiuser and the current password for optiuser.

ssh -l <username> <ipaddress>

Step 2   At the CLI prompt, enter the reset command:

reset password name=optiuser; days-valid=<number of days the new password will be valid>; warn=<number of days before password expiration to warn user>;
reset password name=optiuser; days-valid=45; warn=10;

Step 3   Exit the CLI shell.

exit

Step 4   Log on (SSH) to the same EMS with user name optiuser and password optiuser.

Step 5   The system will prompt you for the password again. Enter optiuser.

Step 6   The system will prompt you for the password again. This time, enter the new password you want to use.

Step 7   The system will prompt you to enter the new password again for confirmation. Enter the new password again.

Step 8   At this point the password for user optiuser has been changed. The CLI prompt will appear. You can continue with the CLI session if desired, or exit again.


Using Security Commands

Use the commands listed in Table 17-1 to manage security settings and display security information.


Table 17-1: Security Command Summary

Each entry lists the command noun, example commands, and the purpose of the command.

Command Noun: COMMAND-LEVEL
Examples:
show command-level id=10;
change command-level id=10; description=This is the highest level administration access;
help command-level
Purpose of the Command: Identifies the ten security levels and their descriptions. Allows provisioning of command level descriptions.

Command Noun: COMMAND-TABLE
Examples:
show command-table noun=mgw; verb=add;
change command-table noun=mgw; verb=add; work-groups; sec-level=9;
help command-table
Purpose of the Command: Allows the system administrator to change and reset the security level for each verb-noun pair.

Command Noun: USER
Examples:
show user name=John Smith; work-groups=somegroup;
add user name=John Smith; work-groups=somegroup; command-level=1; days-valid=45; warn=10;
change user name=John Smith; work-groups=somegroup; command-level=5;
delete user name=John Smith;
help user
Purpose of the Command: Identifies each user along with their designated command level. The system administrator enters these for each user.

The add user command also allows provisioning the number of days a user's password will be valid, and the number of days before password expiration to start warning the user to change their password. The tokens for this function are days-valid and warn.

Note   The days-valid and warn tokens can be used with the add user command, but not with the change user command. To change the settings on a user's password, use the reset password command (see below).

The optional parameter work-groups for the add user and change user commands takes one of the following forms:
work-groups=somegroup   replaces the existing value(s) with this value
work-groups=+somegroup  adds somegroup to the list of groups
work-groups=-somegroup  removes somegroup from the list

Command Noun: PASSWORD (reset password)
Examples:
reset password name=JohnSmith; days-valid=45; warn=10;
help password
Purpose of the Command: Provisions the number of days a password will be valid, and the number of days before password expiration to start warning the user to change the password. This can be entered by the system administrator on any user. It can be entered by the individual user only on their own password.

Command Noun: SECURITY-SUMMARY
Examples:
report security-summary start-time=2000-03-27 00:00:00; end-time=2000-03-27 00:00:00; source=all;
help security-summary

Note   If this command is entered without any tokens, the report will show all security infractions.

Purpose of the Command: Requests a summary report of security infractions by source and start/stop times. Infractions are attempts by users to enter commands for which they do not have the proper privilege level.

Security-Summary Example

The following example illustrates the security-summary report, which provides a list of security infractions—commands entered by users who do not have the required user privilege level for the given command. In the report security-summary command, any number of tokens (source, start-time, end-time) can be added. Tokens must be separated by semicolons. For a detailed discussion of the security command syntax and logging activities, see the Cisco BTS 10200 Command Line Interface Reference Guide.

CLI>report security-summary source=UserABC; start-time=2000-04-19 00:00:00; end-time=2000-04-21 00:00:00;
Executing command, please wait...
Reply: Request was successful.
user=UserABC verb=change noun=user date=20000420133335
CLI>
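The privilege check described under "Security Classes and User Privilege Levels" and the infraction report shown above can be modelled in a few lines. The following Python is an added example, not Cisco code and not the Softswitch's implementation: it denies a command when the user's command-level is below the command's security class, records each denial as an infraction, and filters infractions by the same source, start-time and end-time tokens that report security-summary accepts. The command table values, the user names and their levels are assumptions made for the example.

```python
"""Model of the BTS 10200 privilege check and the security-summary report.

Added example, not Cisco code. It implements the rule stated in the text
(a command is denied when the user's command-level is below the command's
security class), records each denial as an infraction, and filters those
infractions by source user and start/end time the way the report
security-summary tokens do. The command table values and the sample users
are assumptions made for the example.
"""
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Assumed security classes per verb-noun pair. The real values come from
# "show command-table" and may be changed by the administrator.
COMMAND_TABLE: Dict[Tuple[str, str], int] = {
    ("show", "user"): 10,
    ("add", "user"): 10,
    ("change", "user"): 10,
    ("delete", "user"): 10,
    ("status", "mgw"): 5,
    ("reset", "password"): 1,
}


def parse_cli_time(token: str) -> datetime:
    """Parse the 'yyyy-mm-dd hh:mm:ss' form used by the start-time/end-time tokens."""
    return datetime.strptime(token, "%Y-%m-%d %H:%M:%S")


@dataclass
class Infraction:
    user: str
    verb: str
    noun: str
    date: datetime


@dataclass
class SecurityManager:
    users: Dict[str, int]                 # user name -> command-level, 1..10
    infractions: List[Infraction] = field(default_factory=list)

    def authorize(self, user: str, verb: str, noun: str, when: str) -> Tuple[bool, str]:
        """Compare the user's level to the command's class; log a denial as an infraction."""
        level = self.users[user]
        needed = COMMAND_TABLE[(verb, noun)]
        if level < needed:
            self.infractions.append(Infraction(user, verb, noun, parse_cli_time(when)))
            # Same shape as the denial message quoted in the text.
            return False, (f"Not authorized to execute {verb} {noun}: "
                           f"User command-level: {level} level needed: {needed}")
        return True, "Request was successfully completed"

    def security_summary(self, source: Optional[str] = None,
                         start_time: Optional[str] = None,
                         end_time: Optional[str] = None) -> List[str]:
        """Return infraction rows; with no tokens, every infraction is listed."""
        start = parse_cli_time(start_time) if start_time else None
        end = parse_cli_time(end_time) if end_time else None
        rows = []
        for inf in self.infractions:
            if source not in (None, "all") and inf.user != source:
                continue
            if start and inf.date < start:
                continue
            if end and inf.date > end:
                continue
            rows.append(f"user={inf.user} verb={inf.verb} noun={inf.noun} "
                        f"date={inf.date:%Y%m%d%H%M%S}")
        return rows


if __name__ == "__main__":
    mgr = SecurityManager(users={"UserABC": 2, "optiuser": 10})
    print(mgr.authorize("UserABC", "change", "user", "2000-04-20 13:33:35"))
    print(mgr.authorize("optiuser", "change", "user", "2000-04-20 13:40:00"))
    for row in mgr.security_summary(source="UserABC",
                                    start_time="2000-04-19 00:00:00",
                                    end_time="2000-04-21 00:00:00"):
        print(row)
```

Running the block reproduces the denial message and the single report row shown in the CLI transcript above; a query whose start-time lies after the infraction returns no rows, which is the behaviour to expect when narrowing a report to a time window.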

Using Activity Summaries

The activity summary report lists all the commands entered by each user, and the time the command was entered. This information is useful in identifying the sequence of events that took place on the system, and serves as an aid in troubleshooting. Each of the following parameters can be requested when entering the command:

A typical command is shown below.

report activity-summary start-time=2000-03-27 00:00:00; end-time=2000-03-27 10:00:00; verb=control; user=operator002;

Sample system outputs are shown below. Note that the time is shown in the format yyyymmddhhmmss.

time=20000626130908 noun=isdn_trunk_grp verb=status adapter=CLI user=optiuser user-domain=pts/0 user-input=ID=isdn_tg_1@CA167.itn.ipcell.com;CALL_AGENT_ID=CA167.itn.ipcell.com; result=CONFIGURATION COMMAND EXECUTED: isdn_tg_1@CA167.itn.ipcell.com ADMIN STATUS: ADMIN_OOS OPER STATUS: N/A

time=20000628111941 noun=mgw verb=status adapter=CLI user=optiuser user-domain=pts/2 user-input=ID=190.101.100.199; result=CONFIGURATION COMMAND EXECUTED: 190.101.100.199 ADMIN STATUS: ADMIN_INS OPER STATUS: MGW_STATUS_UP
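Feeding activity-summary output into a log store or SIEM requires parsing it first, and the format has a trap: the user-input and result values contain '=', ';' and spaces, so a naive whitespace split breaks them. The following Python is an added example, not Cisco code: it splits only on the field names that appear in the sample output above, converts the yyyymmddhhmmss time to a datetime, and filters records by the same user, verb, start-time and end-time tokens the report activity-summary command takes. The sample text embedded in the block is the output shown in this section; the function names are the example's own.

```python
"""Parser for BTS 10200 activity-summary output.

Added example, not Cisco code. The report prints key=value fields
separated by spaces, but the user-input and result values themselves
contain '=', ';' and spaces, so splitting on whitespace breaks them. This
parser cuts a record only at the field names the sample output shows,
converts the yyyymmddhhmmss time to a datetime, and filters records by the
tokens the report activity-summary command takes (user, verb, start-time,
end-time). SAMPLE is the output shown in this section of the guide.
"""
import re
from datetime import datetime
from typing import Dict, List, Optional

# Field names as they appear in the sample output, longest first so that
# "user-domain" and "user-input" are never matched as "user".
FIELDS = sorted(["time", "noun", "verb", "adapter", "user", "user-domain",
                 "user-input", "result"], key=len, reverse=True)
_FIELD_RE = re.compile(r"(?:^|\s)(" + "|".join(re.escape(f) for f in FIELDS) + r")=")
_RECORD_RE = re.compile(r"(?:^|\s)time=")

SAMPLE = (
    "time=20000626130908 noun=isdn_trunk_grp verb=status adapter=CLI user=optiuser "
    "user-domain=pts/0 user-input=ID=isdn_tg_1@CA167.itn.ipcell.com;"
    "CALL_AGENT_ID=CA167.itn.ipcell.com; result=CONFIGURATION COMMAND EXECUTED: "
    "isdn_tg_1@CA167.itn.ipcell.com ADMIN STATUS: ADMIN_OOS OPER STATUS: N/A "
    "time=20000628111941 noun=mgw verb=status adapter=CLI user=optiuser "
    "user-domain=pts/2 user-input=ID=190.101.100.199; result=CONFIGURATION COMMAND "
    "EXECUTED: 190.101.100.199 ADMIN STATUS: ADMIN_INS OPER STATUS: MGW_STATUS_UP"
)


def _parse_one(record: str) -> Dict[str, object]:
    """Cut one record at each field name; a value runs up to the next field name."""
    matches = list(_FIELD_RE.finditer(record))
    out: Dict[str, object] = {}
    for i, m in enumerate(matches):
        value_end = matches[i + 1].start() if i + 1 < len(matches) else len(record)
        out[m.group(1)] = record[m.end():value_end].strip()
    out["time"] = datetime.strptime(str(out["time"]), "%Y%m%d%H%M%S")
    return out


def parse_records(text: str) -> List[Dict[str, object]]:
    """Split the report into records (each begins with time=) and parse them."""
    starts = [m.start() for m in _RECORD_RE.finditer(text)]
    records = []
    for i, start in enumerate(starts):
        end = starts[i + 1] if i + 1 < len(starts) else len(text)
        records.append(_parse_one(text[start:end].strip()))
    return records


def filter_records(records: List[Dict[str, object]], user: Optional[str] = None,
                   verb: Optional[str] = None, start_time: Optional[str] = None,
                   end_time: Optional[str] = None) -> List[Dict[str, object]]:
    """Apply the activity-summary tokens; times use the CLI's 'yyyy-mm-dd hh:mm:ss'."""
    start = datetime.strptime(start_time, "%Y-%m-%d %H:%M:%S") if start_time else None
    end = datetime.strptime(end_time, "%Y-%m-%d %H:%M:%S") if end_time else None
    kept = []
    for r in records:
        if user and r.get("user") != user:
            continue
        if verb and r.get("verb") != verb:
            continue
        if start and r["time"] < start:
            continue
        if end and r["time"] > end:
            continue
        kept.append(r)
    return kept


if __name__ == "__main__":
    for rec in filter_records(parse_records(SAMPLE), user="optiuser", verb="status"):
        print(rec["time"].isoformat(), rec["user"], rec["verb"], rec["noun"], "->", rec["result"])
```

Because the cut points are the known field names rather than whitespace, the first record's user-input value survives intact as ID=isdn_tg_1@CA167.itn.ipcell.com;CALL_AGENT_ID=CA167.itn.ipcell.com; and the result text keeps its embedded spaces and colons. If a later software release adds fields, extend FIELDS; an unknown field would otherwise be absorbed into the preceding value.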


Posted: Wed Oct 16 21:42:41 PDT 2002
All contents are Copyright © 1992--2002 Cisco Systems, Inc. All rights reserved.
Important Notices and Privacy Statement.