Cisco Systems 15454-FTF2 9.2.2.2 Idle User Timeout, 9.2.2.3 User Password, Login, and Access Policies

9-7

Cisco ONS 15454 Reference Manual, R8.5.x

78-18106-01

Chapter 9 Security

9.2.2 Security Policies

9.2.2.2 Idle User Timeout

Each ONS 15454 CTC or TL1 user can be idle during his or her login session for a specified amount of

time before the CTC window is locked. The lockouts prevent unauthorized users from making changes.

Higher-level users have shorter default idle periods and lower-level users have longer or unlimited

default idle periods, as shown in Table 9-3. The user idle period can be modified by a Superuser; refer

to the Cisco ONS 15454 Procedure Guide for instructions.

9.2.2.3 User Password, Login, and Access Policies

Superusers can view real-time lists of users who are logged into CTC or TL1 by node. Superusers can

also provision the following password, login, and node access policies:

• Password length, expiration and reuse—Superusers can configure the password length using NE

defaults. The password length, by default, is set to a minimum of six and a maximum of 20

characters. You can configure the default values in CTC node view with the Provisioning > Defaults

> Node > security > password Complexity tabs. The minimum lengt h can be set to eight, ten or

twelve characters, and the maximum length to 80 characters. The password must be a combination

of alphanumeric (a-z, A-Z, 0-9) and special (+, #,%) characters, where at least two characters are

nonalphabetic and at least one character is a special character. Superusers can specify when users

must change and when they can reuse their passwords.

• Locking out and disabling users—Superusers can provision the num ber of invalid logins that are

allowed before locking out users and the length of time before inactive users are disabled.

• Node access and user sessions—Superusers can limit the number of CTC sessions a user login ca n

have to just one session. Superusers can also prohibit access to the ONS 15454 us ing the LAN or

TCC2/TCC2P RJ-45 connections.

In addition, a Superuser can select secure shell (SSH) instead of Telnet at the CTC Provisioning >

Security > Access tabs. SSH is a terminal-remote host Internet protocol that uses encrypted links. It

provides authentication and secure communication over unsecure channels. Port 22 is the default

port and cannot be changed. Port 22 is only for VxWorks access. To use secure TL-1 you need a

secure shell program and you need to use port 4083. Superu ser can also configure EMS and TL1

access states to secure and non-secure modes.

Note The superuser cannot modify the privilege level of an active user. The CTC displays a warning message

when the superuser attempts to modify the privilege level of an active user.

Table 9-3 ONS 15454 Default User Idle Times

Security Level Idle Time

Superuser 15 minutes

Provisioning 30 minutes

Maintenance 60 minutes

Retrieve Unlimited