|
|
 |
Note See the Cisco BTS 10200 Command Line Inerface Reference Guide for specific command line interface (CLI) commands and parameters. |
The security management system controls and monitors access to the Cisco BTS 10200 Softswitch from outside sources. This security system is important in preventing:
Internal security functions include:
The first time a user logs in to the Cisco BTS 10200 Softswitch, he/she will be prompted to establish a password.
Each command (verb-noun combination) is preassigned a security class of 1 through 10, with 1 being the lowest and 10 the highest level. The security class indicates the minimum privilege level required for an operator to complete the command. The system administrator can assign an alphanumeric description with each of these security classes, if desired.
|
Note The security classes are preassigned for each command, but can be changed by the system administrator. |
When a new user is entered by the system administrator, the user is assigned a privilege level from 1 through 10 (level 10 is typically reserved for the system administrator). Each time a user enters a command, the system compares the user's privilege level to the security class of the specific command. The command will be denied if the user has a privilege level less than the command level.
The user interface of the security management system allows users with the highest privilege levels to perform the following security tasks:
Each of the ten security levels can be assigned an alphanumeric description using the following command. This procedure is optional.
change command-level id=<#>; description=<alphanumeric description>
|
Note <#> = 1 to 10 and <alphanumeric description> can have up to 64 ASCII characters. |
Users with privilege level 10 can add, change, delete and show data for a user identified as "UserABC". Note that change user allows the privilege level of the user to be changed—but not the identity of the user. The days-valid and warn tokens specify the number of days a user's password is valid, and the number of days warning the user will receive before their password expires. Typical command examples (and system responses) are shown below:
CLI>add user name=UserABC; command-level=9; warn=10; days-valid=30; workgroups=somegroup;
Executing command, please wait...
Reply: Request was successfully completed
|
Note warn, days-valid, and workgroups are optional. |
CLI>show user name=UserABC;
Executing command, please wait...
Reply: Request was successful.
name=UserABC
command-level=9
workgroups=somegroup
CLI>change user name=UserABC; command-level=1; workgroups=somegroup;
Executing command, please wait...
Reply: Request was successfully completed
|
Note The change user command changes only the privilege level of the user, and not the identity of the user. |
|
Note command-level and workgroups are optional, however one of them must be changed. |
CLI>delete user name=UserABC;
Executing command, please wait...
Reply: Request was successfully completed
The following example illustrates what happens when a user with a privilege level less than 9 attempts to enter a add/show/change/delete user command:
CLI>change user name=UserABC;command-level=6;
Not authorized to execute change user:
User command-level: 2 level needed: 10
 |
Caution Never add, change or delete the user name root, because this will affect proper acces to the system. |
The system default user/password combination for the CLI administrator is optiuser/optiuser. The user name optiuser can never be deleted from the system. As a security measure, the system administrator should change the password for user optiuser on each system before deployment. This is done by performing the following steps.
Step 1 Log on (SSH) to one EMS unit with the username optiuser and the current password for optiuser.
ssh -1 <username> <ipaddress>
Step 2 At the CLI prompt, enter the reset command:
reset password name=optiuser; days-valid=<number of days the new password will be valid>;
warn=<number of days before password expiration to warn user>;
reset password name=optiuser; days-valid=45; warn=10;
Step 3 Exit the CLI shell.
exit
Step 4 Log on (SSH) to the same EMS with user name optiuser and password optiuser.
Step 5 The system will prompt you for the password again. Enter optiuser.
Step 6 The system will prompt you for the password again. This time, enter the new password you want to use.
Step 7 The system will prompt you to enter the new password again for confirmation. Enter the new password again.
Step 8 At this point the password for user optiuser has been changed. The CLI prompt will appear. You can continue with the CLI session if desired, or exit again.
Use the commands listed in Table 17-1 to manage security settings and display security information.
| Command Noun | Examples | Purpose Of the Command |
|---|---|---|
COMMAND-LEVEL | show command-level id=10;
change command-level id=10;
description=This is the
highest level administration
access;
help command-level
| Identifies the ten security levels and their descriptions. Allows provisioning of command level descriptions.
|
COMMAND-TABLE | show command-table noun=mgw;
verb=add;
change command-table
noun=mgw; verb=add;
work-groups; sec-level=9;
help command-table
| Allows the system administrator to change and reset the security level for each verb-noun pair. Option parameter for add and change user is work-groups |
USER | show user name=John Smith;
work-groups=somegroup;
add user name=John Smith;
work-groups=somegroup;
command-level=1;
days-valid=45; warn=10;
change user name=John Smith;
work-groups=somegroup;
command-level=5;
delete user name=John Smith;
help user
| Identifies each user along with their designated command level. The system administrator enters these for each user. The add user command also allows provisioning the number of days a user's password will be valid, and the number of days before password expiration to start warning the user to change their password. The tokens for this function are days-valid and warn. Note The days-valid and warn tokens can be used with the add user command, but not with the change user command. To change the settings on a user's password, use the reset password command (see below). work-groups=somegroup replaces value(s) with this value work-groups=+somegroup add somegroup to list of groups work-groups=-somegroup removes somegroupfrom list |
PASSWORD (reset password) | reset password
name=JohnSmith;
days-valid=45; warn=10;
help password
| Provisions the number of days a password will be valid, and the number of days before password expiration to start warning the user to change password. This can be entered by the system administrator on any user. It can be entered by the individual user only on their own password. |
SECURITY-SUMMARY | report security-summary
start-time=2000-03-27
00:00:00;
end-time=2000-03-27
00:00:00; source=all;
NoteIf this command is entered without any tokens, the report will show all security infractions. help security-summary
| Requests a summary report of security infractions by source and start/stop times. Infractions are attempts by users to enter commands for which they do not have the proper privilege level. |
The following example illustrates the security-summary report, which provides a list of security infractions—commands entered by users who do not have the required user privilege level for the given command. In the report security-summary command, any number of tokens (source, start-time, end-time) can be added. Tokens must be separated by semicolons. For a detailed discussion of the security command syntax and logging activities, see the Cisco BTS 10200 Command Line Interface Reference Guide.
CLI>report security-summary source=UserABC; start-time=2000-04-19 00:00:00;
end-time=2000-04-21 00:00:00;
Executing command, please wait...
Reply: Request was successful.
user=UserABC
verb=change
noun=user
date=20000420133335
CLI>
The activity summary report lists all the commands entered by each user, and the time the command was entered. This information is useful in identifying the sequence of events that took place on the system, and serves as an aid in troubleshooting. Each of the following parameters can be requested when entering the command:
A typical command is shown below.
report activity-summary start-time=2000-03-27 00:00:00; end-time=2000-03-27 10:00:00;
verb=control; user=operator002;
Sample system outputs are shown below. Note that the time is shown in the format yyyymmddhhmmss.
time=20000626130908
noun=isdn_trunk_grp
verb=status
adapter=CLI
user=optiuser
user-domain=pts/0
user-input=ID=isdn_tg_1@CA167.itn.ipcell.com;CALL_AGENT_ID=CA167.itn.ipcell.com;
result=CONFIGURATION COMMAND EXECUTED: isdn_tg_1@CA167.itn.ipcell.com
ADMIN STATUS: ADMIN_OOS
OPER STATUS: N/A
time=20000628111941
noun=mgw
verb=status
adapter=CLI
user=optiuser
user-domain=pts/2
user-input=ID=190.101.100.199;
result=CONFIGURATION COMMAND EXECUTED: 190.101.100.199
ADMIN STATUS: ADMIN_INS
OPER STATUS: MGW_STATUS_UP
Posted: Wed Oct 16 21:42:41 PDT 2002
All contents are Copyright © 1992--2002 Cisco Systems, Inc. All rights reserved.
Important Notices and Privacy Statement.