9-6
Cisco ONS 15454 Reference Manual, R7.0
78-17191-01
Chapter 9 Security
9.2 9.2.2 Security Policies
9.2.2 Security Policies
Users with Superuser security privileges can provision security policies on the ONS 15454. These
security policies include idle user timeouts, password changes, password aging, and user lockout
parameters. In addition, a Superuser can access the ONS 15454 through the TCC2/TCC2P RJ-45 port,
the backplane LAN connection, or both.

9.2.2.1 Superuser Privileges for Provisioning Users

Superusers can grant permission to Provisioning users to retrieve audit logs, restore databases, clear
performance monitoring (PM) parameters, activate software loads, and revert software loads. These
privileges can only be set using CTC network element (NE) defaults, except the PM clearing privilege,
which can be granted to a Provisioning user using the CTC Provisioning> Security > Access tabs. For
more information about setting up Superuser privileges, refer to the Cisco ONS 15454 Procedure Guide.

9.2.2.2 Idle User Timeout

Each ONS 15454 CTC or TL1 user can be idle during his or her login session for a specified amount of
time before the CTC window is locked. The lockouts prevent unauthorized users from making changes.
Higher-level users have shorter default idle periods and lower-level users have longer or unlimited
default idle periods, as shown in Table 9-3. The user idle peri od can be modified by a Superuser; refer
to the Cisco ONS 15454 Procedure Guide for instructions.

9.2.2.3 User Password, Login, and Access Policies

Superusers can view real-time lists of users who are logged into CTC or TL1 by node. Superusers can
also provision the following password, login, and node access policies:
Password expirations and reuse—Superusers can specify when users must change and when they can
reuse their passwords.
Locking out and disabling users—Superusers can provision the number of invalid logins that are
allowed before locking out users and the length of time before inactive users are disabled.
Node access and user sessionsSuperusers can limit the number of CTC sessions a user login can
have to just one session. Superusers can also prohibit access to the ONS 15454 using the LAN or
TCC2/TCC2P RJ-45 connections.
In addition, a Superuser can select secure shell (SSH) instead of Telnet at the CTC Provisioning >
Security > Access tabs. SSH is a terminal-remote host Internet protocol that uses encrypted links. It
provides authentication and secure communication over unsecure channels. Port 22 is the default
port and cannot be changed. Superuser can also configure EMS and TL1 access states to secure and
non-secure modes.
Table 9-3 ONS 15454 Default User Idle Times
Security Level Idle Time
Superuser 15 minutes
Provisioning 30 minutes
Maintenance 60 minutes
Retrieve Unlimited