2-128 Operation, administration, and maintenance (OAM) features

Users are able to provision on the SPx:

a network processor as the primary authentication gateway (on the network element)

optionally, a network processor as the secondary authentication gateway (on the network element)

Note: A secondary authentication server is supported only if the shelf processor using this server is a member of the spans of control of both network processors acting as authentication gateways (primary and secondary).

state of the CSA feature (enabled / disabled) (on the gateway network processor and the network element)

alternate login method on the network element

The centralized authentication provisioning data on the network processor and shelf processors is included in database save and restore operations. The centralized authentication provisioning data on the network processor and shelf processors will survive circuit pack restarts and replacements.

Note: It is possible for the gateway network processor to have its CSA feature enabled while a network element in its span of control is provisioned for local authentication only. This allows that network element to interwork with other network elements running a software release that does not support CSA.

SecurID support

To log in to a network processor or shelf processor using remote authentication, you must have a valid user identifier (UID) and password identifier (PID). You can use RSA Security's SecurID system to generate dynamic passwords. SecurID uses a token card that generates a pseudo-random number, called the token code, every 60 seconds. To log in to a network processor or shelf processor, enter your 4-character alphanumeric PIN followed by the 6-digit token code as the PID. The PID is verified by an RSA Security ACE/Server authentication server. This ACE server must be either the backend to the RADIUS server used by the network processor/shelf processor, or the RADIUS server itself.

You must send the authentication request to the ACE server during the 60-second interval in which the token code displayed on the SecurID token card is valid. The ACE server tolerates a limited amount of clock drift between the SecurID token card and the server.
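The following is an added, simplified model of the login check described above; it is not Nortel's code and not RSA's SecurID algorithm. It assumes the token code is derived with HMAC-SHA1 over a 60-second time counter (a stand-in construction), a drift policy of one interval either side of the server's clock, and a constructed account table with a made-up seed and PIN. What it shows beyond the text is how the server splits the PID into PIN and token code, how a code from an adjacent 60-second window is accepted to absorb clock drift, and why a code that has already been accepted must be refused a second time.

```python
"""Simplified model of the two-factor login described above.

Added illustration, NOT RSA's SecurID algorithm: the token code is derived
here with HMAC-SHA1 over a 60-second time counter (assumption), so that the
PIN + token code check, the drift window and replay rejection can be
exercised offline.
"""
import hashlib
import hmac
import struct

INTERVAL = 60        # token code changes every 60 seconds (from the manual)
CODE_DIGITS = 6      # 6-digit token code (from the manual)
PIN_LEN = 4          # 4-character alphanumeric PIN (from the manual)
DRIFT_WINDOWS = 1    # accept +/- one interval of clock drift (assumed policy)


def code_for_counter(seed: bytes, counter: int) -> str:
    """Token code for one 60-second interval (illustrative HMAC construction)."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    num = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{num % 10 ** CODE_DIGITS:0{CODE_DIGITS}d}"


def token_code(seed: bytes, t: int) -> str:
    """What the token card would display at epoch second t."""
    return code_for_counter(seed, t // INTERVAL)


def make_accounts() -> dict:
    """Constructed sample account table (seed and PIN are made up)."""
    return {"admin": {"seed": b"constructed-token-seed", "pin": "ab12",
                      "last_counter": -1}}


def verify_pid(uid: str, pid: str, server_time: int, accounts: dict) -> bool:
    """Accept PID = PIN + token code if the code matches the current window
    or an adjacent one (clock drift) and has not been accepted before."""
    acct = accounts.get(uid)
    if acct is None or len(pid) != PIN_LEN + CODE_DIGITS:
        return False
    pin, code = pid[:PIN_LEN], pid[PIN_LEN:]
    pin_ok = hmac.compare_digest(pin.encode(), acct["pin"].encode())
    base = server_time // INTERVAL
    for w in range(-DRIFT_WINDOWS, DRIFT_WINDOWS + 1):
        counter = base + w
        if counter <= acct["last_counter"]:
            continue          # this window (or an earlier one) was already used
        expected = code_for_counter(acct["seed"], counter)
        if hmac.compare_digest(code.encode(), expected.encode()) and pin_ok:
            acct["last_counter"] = counter   # burn the window: no replay
            return True
    return False


if __name__ == "__main__":
    accounts = make_accounts()
    now = 1_000_000
    pid = accounts["admin"]["pin"] + token_code(accounts["admin"]["seed"], now)
    print("first use:", verify_pid("admin", pid, now + 50, accounts))   # True
    print("replay   :", verify_pid("admin", pid, now + 50, accounts))   # False
```

The drift window is the part to treat carefully: every extra window you accept is another valid code per attempt, so keep it small and pair it with the last-accepted-counter check so that a captured PID cannot be reused within the tolerance.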

Secure storage of authentication data

All local storage of authentication data is on the network element, which can store authentication information for up to 100 accounts. Passwords are stored only in a one-way (hashed, non-reversible) form; the plaintext password cannot be recovered from the stored data. The network element does
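As an added example (not Nortel's implementation) of the storage properties this section and the earlier save/restore paragraph describe: a local account table that never keeps a password, only a per-account salt and a one-way PBKDF2-HMAC-SHA256 digest (the hash and the 200,000-iteration work factor are assumptions); that refuses a 101st account; and whose records can be exported for a database save and reloaded afterwards without ever containing a recoverable password.

```python
"""Illustrative local account store for a network element.

Added example, not Nortel's code: passwords are kept only as salted
PBKDF2-HMAC-SHA256 digests (one-way), the table is capped at the 100
accounts the manual states, and the records can be exported for a
database save and restored afterwards.
"""
import hashlib
import hmac
import os

MAX_ACCOUNTS = 100            # from the manual
DEFAULT_ITERATIONS = 200_000  # assumed work factor


class LocalAccountStore:
    def __init__(self, iterations: int = DEFAULT_ITERATIONS):
        self.iterations = iterations
        self._accounts = {}   # uid -> (salt, digest); the password itself is never kept

    def _derive(self, password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.iterations)

    def add(self, uid: str, password: str) -> None:
        if uid in self._accounts:
            raise ValueError(f"account {uid!r} already exists")
        if len(self._accounts) >= MAX_ACCOUNTS:
            raise RuntimeError("account table full")
        salt = os.urandom(16)                    # fresh salt per account
        self._accounts[uid] = (salt, self._derive(password, salt))

    def verify(self, uid: str, password: str) -> bool:
        rec = self._accounts.get(uid)
        if rec is None:
            # derive anyway so an unknown UID costs the same as a wrong password
            self._derive(password, bytes(16))
            return False
        salt, digest = rec
        return hmac.compare_digest(digest, self._derive(password, salt))

    def count(self) -> int:
        return len(self._accounts)

    # --- database save / restore ---------------------------------------
    def to_records(self) -> dict:
        """Serialisable form: salts and digests only, no passwords."""
        return {"iterations": self.iterations,
                "accounts": {uid: {"salt": s.hex(), "digest": d.hex()}
                             for uid, (s, d) in self._accounts.items()}}

    @classmethod
    def from_records(cls, records: dict) -> "LocalAccountStore":
        store = cls(records["iterations"])
        for uid, rec in records["accounts"].items():
            store._accounts[uid] = (bytes.fromhex(rec["salt"]),
                                    bytes.fromhex(rec["digest"]))
        return store


if __name__ == "__main__":
    store = LocalAccountStore()
    store.add("admin", "correct horse")
    print(store.verify("admin", "correct horse"), store.verify("admin", "wrong"))
    saved = store.to_records()                  # what a database save would carry
    print(LocalAccountStore.from_records(saved).verify("admin", "correct horse"))
```

Because the exported records contain only salts and digests, a database backup leaks nothing that lets an attacker log in directly; it does, however, let them run an offline guessing attack, which is why the work factor matters and why backups still need access control.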

OPTera Metro 3500 Multiservice Platform NTRN10AN Rel 12.1 Standard Iss 1 Apr 2004