Cisco Cisco ONS 15454 M6 Multiservice Transport Platform (MSTP)
Superuser Privileges for Provisioning Users
Superusers can grant permission to Provisioning users to perform a set of tasks. The tasks include retrieving audit logs, restoring
databases, clearing PMs, and activating and reverting software loads. These privileges can be set only through CTC network element
(NE) defaults, except the PM clearing privilege, which can be granted to Provisioning users using CTC Provisioning > Security >
Access tabs. For more information on setting up Superuser privileges, refer to the Cisco ONS 15454 DWDM Network Configuration
Guide .
databases, clearing PMs, and activating and reverting software loads. These privileges can be set only through CTC network element
(NE) defaults, except the PM clearing privilege, which can be granted to Provisioning users using CTC Provisioning > Security >
Access tabs. For more information on setting up Superuser privileges, refer to the Cisco ONS 15454 DWDM Network Configuration
Guide .
Idle User Timeout
Each ONS 15454 CTC or TL1 user can be idle during his or her login session for a specified amount of time before the CTC window
is locked. The lockouts prevent unauthorized users from making changes. Higher-level users have shorter default idle periods and
lower-level users have longer or unlimited default idle periods, as shown in
is locked. The lockouts prevent unauthorized users from making changes. Higher-level users have shorter default idle periods and
lower-level users have longer or unlimited default idle periods, as shown in
Table 3: Default User Idle Times, on page 10
.
Table 3: Default User Idle Times
Idle Time
Security Level
15 minutes
Superuser
30 minutes
Provisioning
60 minutes
Maintenance
Unlimited
Retrieve
User Password, Login, and Access Policies
Superusers can view real-time lists of users who are logged into CTC or TL1 user logins by node. Superusers can also provision the
following password, login, and node access policies:
following password, login, and node access policies:
• Password length, expiration and reuse—Superusers can configure the password length by using NE defaults. The password
length, by default, is set to a minimum of six and a maximum of 20 characters. You can configure the default values in CTC
node view with the Provisioning > NE Defaults > Node > security > password Complexity tabs. The minimum length can be
set to eight, ten or twelve characters, and the maximum length to 80 characters. The password must be a combination of
alphanumeric (a-z, A-Z, 0-9) and special (+, #,%) characters, where at least two characters are non alphabetic and at least one
character is a special character. Superusers can specify when users must change their passwords and when they can reuse them.
node view with the Provisioning > NE Defaults > Node > security > password Complexity tabs. The minimum length can be
set to eight, ten or twelve characters, and the maximum length to 80 characters. The password must be a combination of
alphanumeric (a-z, A-Z, 0-9) and special (+, #,%) characters, where at least two characters are non alphabetic and at least one
character is a special character. Superusers can specify when users must change their passwords and when they can reuse them.
• Locking out and disabling users—Superusers can provision the number of invalid logins that are allowed before locking out
users and the length of time before inactive users are disabled. The number of allowed lockout attempts is set to the number of
allowed login attempts.
allowed login attempts.
• Node access and user sessions—Superusers can limit the number of CTC sessions one user can have, and they can prohibit
access to the ONS 15454 using the LAN or TCC2/TCC2P/TCC3 RJ-45 connections
In addition, a Superuser can select secure shell (SSH) instead of Telnet at the CTC Provisioning > Security > Access tabs. SSH is a
terminal-remote host Internet protocol that uses encrypted links. It provides authentication and secure communication over unsecure
channels. Port 22 is the default port and cannot be changed.
terminal-remote host Internet protocol that uses encrypted links. It provides authentication and secure communication over unsecure
channels. Port 22 is the default port and cannot be changed.
10