Avaya Integrated Management 3.1 Secure Access Administration

Document # 14-300537, Issue 2
February 2006


© 2006 Avaya Inc. All Rights Reserved.

Notice
While reasonable efforts were made to ensure that the information in this document was complete and accurate at the time of printing, Avaya Inc. can assume no liability for any errors. Changes and corrections to the information in this document may be incorporated in future releases.

For full legal page information, please see the complete document, Avaya Legal Page for Software Documentation, Document number 03-600758. To locate this document on the website, simply go to http://www.avaya.com/support and search for the document number in the search box.

Documentation disclaimer
Avaya Inc. is not responsible for any modifications, additions, or deletions to the original published version of this documentation unless such modifications, additions, or deletions were performed by Avaya. Customer and/or End User agree to indemnify and hold harmless Avaya, Avaya's agents, servants and employees against all claims, lawsuits, demands and judgments arising out of, or in connection with, subsequent modifications, additions or deletions to this documentation to the extent made by the Customer or End User.

Link disclaimer
Avaya Inc. is not responsible for the contents or reliability of any linked Web sites referenced elsewhere within this documentation, and Avaya does not necessarily endorse the products, services, or information described or offered within them. We cannot guarantee that these links will work all of the time and we have no control over the availability of the linked pages.

Warranty
Avaya Inc. provides a limited warranty on this product. Refer to your sales agreement to establish the terms of the limited warranty. In addition, Avaya’s standard warranty language, as well as information regarding support for this product, while under warranty, is available through the following Web site: http://www.avaya.com/support

Copyright
Except where expressly stated otherwise, the Product is protected by copyright and other laws respecting proprietary rights. Unauthorized reproduction, transfer, and or use can be a criminal, as well as a civil, offense under the applicable law.

Avaya support
Avaya provides a telephone number for you to use to report problems or to ask questions about your product. The support telephone number is 1-800-242-2121 in the United States. For additional support telephone numbers, see the Avaya Web site: http://www.avaya.com/support

Table of Contents

Preface
    The Purpose of This Guide
    Who Should Use This Guide
    Organization of This Guide

Chapter 1 — Avaya Secure Access Administration Overview
    Logging In to Avaya Secure Access Administration
    Working with Avaya Secure Access Administration when Avaya Integrated Management is Installed in HP OpenView Mode
    Using the On-Line Help
        Opening the Help to a Topic of Interest
        Opening the Help to the Contents Page

Chapter 2 — Configuring User Administration Parameters
    Accessing Avaya Secure Access Administration
    The User Interface
        Toolbar
        User List
        Status Bar
    Understanding User Types and Roles
        User Types
        User Roles
        Security Parameters by User Type
        Viewing User Role Definitions
        Access to Secure Access Administration Functions
    Creating the Initial Administrator User
    Changing Network Management Login Mode
    Managing Users
        Creating New Users
        Assigning Devices to a Device User
            Adding Devices to the User’s Privileges List
            Removing Devices from the User’s Privileges List
            Filtering the Available Devices List
        Changing User Definitions
            Modifying a User
            Changing a User’s Passwords
            Synchronizing User Passwords
        Deleting Users
        Finding Users
    Viewing the Log Window
        Creating a Report
    Managing SSH Keys
        Enabling or Disabling SSH Device Authentication
        Learning SSH Keys Directly from Devices
        Importing SSH Keys from a Known Host File
        Clearing SSH Keys
    Configuring Options

Appendix A — Secure Access Administration Menus
    File Menu
    Edit Menu
    View Menu
    Action Menu
    Help Menu

Index


Preface

Welcome to Avaya Secure Access Administration. This chapter provides an introduction to the structure and assumptions of this guide. It includes the following sections:

• The Purpose of This Guide - A description of the goals of this guide.

• Who Should Use This Guide - The intended audience of this guide.

• Organization of This Guide - A brief description of the subjects contained in the various sections of this guide.

The Purpose of This Guide

This guide contains information needed to use Avaya Secure Access Administration efficiently and effectively.

Who Should Use This Guide

This guide is intended for network managers familiar with network management and its fundamental concepts.


Organization of This Guide

This guide is structured to reflect the following conceptual divisions:

• Preface - A description of the guide’s purpose, intended audience, and organization.

• Avaya Secure Access Administration Overview - An overview of Avaya Network Management User Administration.

• Configuring User Administration Parameters - Instructions on how to configure User Administration parameters and login mode.

• Secure Access Administration Menus - Provides the full structure of the menus in the User Administration window.


1 Avaya Secure Access Administration Overview

The Avaya Integrated Management Secure Access Administration application (SAA) is a centralized application for defining users and assigning their privileges for access to network management applications and device configuration applications, and for enabling and disabling Avaya Network Management login.

SAA can be used to perform the following administrative tasks:

• Enable and disable login authentication in Avaya Network Management Console.

• Define and manage users in Avaya Network Management applications.

• Define device users and create instances of device users on devices, with or without SNMPv3 management access.

Once defined, a user without administrator privileges can use Secure Access Administration to change the user’s own passwords.

Logging In to Avaya Secure Access Administration

The first time you open SAA, no login is required. Each subsequent time you open the application, the Login dialog box opens.

Figure 1-1. Login Dialog Box

The following table provides a list of the fields in the Login dialog box.

Table 1-1. Login Dialog Box Fields

| Field Name | Description |
| --- | --- |
| Name | The name of the user. |
| Password | The password used to authenticate the user. The password must contain at least eight characters. When you begin entering the password, the field is shaded red until you have entered a minimum of eight characters. |

After you enter your user name and password, SAA opens.

Working with Avaya Secure Access Administration when Avaya Integrated Management is Installed in HP OpenView Mode

When working with Avaya Integrated Management in HP OpenView mode, install SNMP Research Security Pack in order to enable discovery of SNMPv3 devices in the HP OpenView Network Node Manager (NNM) map.

* Note: Avaya Secure Access Administration does not share any user information with HP NNM or with the Security Pack components.

Avaya Secure Access Administration receives the list of SNMPv3 devices from the HP OpenView NNM map. The SNMPv3 devices you want to administer with Avaya Secure Access Administration must appear in the HP OpenView NNM map before you start to work with Avaya Secure Access Administration. Refer to the Security Pack documentation for instructions on how to discover SNMPv3 devices in the HP NNM map.

Using the On-Line Help

This section explains how to use the on-line help in Avaya Secure Access Administration. The on-line help can be opened directly to a topic of interest or to the contents page.

Opening the Help to a Topic of Interest

To open the help directly to a topic of interest:

1. Click the context-sensitive help button on the toolbar.

   Or

   Select Help > Help On. The cursor changes to the shape of an arrow with a question mark.

2. Click a point of interest in Avaya Secure Access Administration. The help opens to a topic explaining the clicked feature.

Opening the Help to the Contents Page

To open the help to the contents page:

Select Help > Help Contents. The online help opens to the contents page.


2 Configuring User Administration Parameters

This chapter describes how to perform all administrative tasks in Secure Access Administration (SAA).

* Note: If you are not an administrator, and you want to use SAA to change your own passwords, refer to “Changing a User’s Passwords” on page 31. You can also view a log of your own operations in SAA. For more information, refer to “Viewing the Log Window” on page 35.

This chapter contains the following sections:

• Accessing Avaya Secure Access Administration - Describes how to launch the Avaya SAA application.

• The User Interface - Describes the elements of the user interface.

• Understanding User Types and Roles - Describes the user types and roles that can be assigned to users in SAA.

• Creating the Initial Administrator User - Describes how to create the mandatory initial administrator user when you enter SAA for the first time.

• Changing Network Management Login Mode - Describes how to control Avaya Network Management login mode.

• Managing Users - Describes how to define, modify, find, and delete users.

• Viewing the Log Window - Describes how to view a log of the last 100 user operations in SAA.

• Managing SSH Keys - Describes how to manage the repository of SSH public keys and control device authentication using SSH.

• Configuring Options - Describes how to configure optional configuration policies.


Accessing Avaya Secure Access Administration

To access Avaya Secure Access Administration:

Select Tools > Avaya > Avaya Secure Access Administration in the NNM menu bar. If this is the first time SAA is accessed, the Create Administrator User dialog box opens (refer to “Creating the Initial Administrator User” on page 19). If this is not the first time SAA is accessed, the Login dialog box opens (refer to “Logging In to Avaya Secure Access Administration” on page 7).

The User Interface

The Secure Access Administration user interface consists of the following elements:

• Menu Bar - Menus for accessing Secure Access Administration functions. For the complete menu structure, refer to Appendix A, Secure Access Administration Menus.

• Toolbar - Toolbar buttons for accessing Secure Access Administration functions.

• User List - A list of users defined in SAA.

• Dialog Box Area - The right part of the window where all the dialog boxes and the User Role and Device Table are opened.

• Status Bar - Shows the communication status between the application and a device.


Figure 2-1. The User Interface (callouts: Menu Bar, Toolbar, User List, Dialog Box Area, Status Bar)

Toolbar

The table below describes the buttons on the toolbar and provides the equivalent menu options.

* Note: If you do not have administrator privileges, some of the toolbar options are disabled.

Table 2-1. Toolbar Buttons

| Button Description | Menu Item |
| --- | --- |
| Refreshes the list of devices that appear in the Available Devices tree in the Add/Remove Device User Roles dialog box that opens from the New User and Modify User dialog boxes. The refresh function is required only if you are launching SAA from HP OpenView. If you are launching SAA from Avaya Network Management Console, the device list is automatically updated. | File > Refresh |
| Opens the New User dialog box to create a new user. | Action > New > New User |
| Opens the Modify User dialog box. | Edit > Modify User |
| Opens the Delete User dialog box. | Edit > Delete User |
| Opens the Find User dialog box. | Edit > Find |
| Opens the User Roles dialog box. | View > User Roles |
| Activates context-sensitive help. | Help > Help On... |

User List

The user list is a list of all users defined in SAA.

Status Bar

The Status Bar shows the communication status between the application and the device. The Status Bar displays a status message and an appropriate graphic. The table below shows the possible statuses with their corresponding graphics.

Table 2-2. Communication Statuses

Status Graphic

Ready

Operation in Progress


Understanding User Types and Roles

In Avaya SAA, a user’s type denotes the type of application the user can access. The user’s role denotes the user’s privileges within the applications.

User Types

SAA supports the following types of users:

• Network Management users - these users can access the following applications:

— Avaya Software Update Manager

— Avaya SMON Manager

— Avaya Device Manager

— Avaya QoS Manager

— Avaya VLAN Manager

— Avaya Network Configuration Manager

— Avaya Address Manager

— Extreme EPICenter

— Provisioning and Installation Manager (PIM)

• Device users - these users can access specific devices, which must be assigned to them. When a device is assigned to a device user, SAA creates an instance of the user on that device. There are three types of device users:

— CLI users - these users can manage devices that do not require SNMPv3 management.

— SNMPv3 users - these users can manage devices with SNMPv3 management.

— CLI & SNMPv3 users - these users are created as both CLI users and SNMPv3 users.

Each user can be defined as a Network Management user, as a Device user, or as both a Network Management user and a Device user.


User Roles

For each type of user, there is a set of predefined user roles. A user role is a privilege level. Every user must be assigned a user role in association with each type included in the user’s definition. In the case of a Device User, the user is assigned a user role for each device assigned to the user. This means that the user can have different privileges on different devices.

For example, if a user is a Network Management user and a Device user, and is assigned to multiple devices, the user is assigned a Network Management user role once and is assigned a Device user role for each device assigned to the user.

There are two Network Management user roles:

• administrator - an administrator Network Management user has full access to the following applications:

— Avaya Software Update Manager

— Avaya SMON Manager

— Avaya Device Manager

— Avaya QoS Manager

— Avaya VLAN Manager

— Avaya Network Configuration Manager

— Avaya Address Manager

— Extreme EPICenter

— Provisioning and Installation Manager (PIM)

• regular - a regular Network Management user has partial access to these applications.

The following table lists the Device user roles and describes how the Device user roles map to CLI access levels and SNMPv3 groups:

Table 2-3. Mapping of Device User Roles to CLI Access Levels and SNMPv3 Groups

| Device User Role | SNMPv3 Group | CLI Access Level |
| --- | --- | --- |
| admin | V3AdminViewG | admin |
| read-write | V3ReadWriteG | read-write |
| read-only | V3ReadOnlyG | read-only |

For information about these SNMPv3 groups, refer to “Viewing User Role Definitions” on page 17.

Security Parameters by User Type

When you create a user, you specify security parameters for the user. Some security parameters are only required for SNMPv3 Device users. The following table shows which security parameters must be supplied for each type of user:

Table 2-4. Required Security Parameters by User Type

| Security Parameter | Network Management User | SNMPV3 Device User | CLI Device User |
| --- | --- | --- | --- |
| User Name | Required | Required | Required |
| Authentication Password | Required | Required | Required |
| Authorization Type | - | Required | - |
| Privacy Type | - | Required | - |
| Privacy Password | - | Required if Privacy Type is DES | - |

Viewing User Role Definitions

The User Roles dialog box enables you to see the definition of each user role. The User Roles dialog box is divided into two tabs:

• Device User Role tab - shows how each Device User role maps to a CLI access level and SNMPV3 groups.

• Network Management user Role tab - describes the functions accessible to each Network Management user role.


To open the User Roles dialog box:

Click the User Roles button on the toolbar.

OR

Select View > User Roles. The User Roles dialog box opens.

Figure 2-2. User Roles Dialog Box - Network Management user Roles Tab

Figure 2-3. User Roles Dialog Box - Device User Roles Tab

The following table describes the fields displayed in the SNMPv3 Group Definitions table in the Device User Roles tab:

Table 2-5. SNMPv3 Group Definitions Fields

| Field | Description |
| --- | --- |
| Security Model | The security strategy. |
| Security Level | The type of security algorithm performed on each SNMP packet. Possible values: AuthPriv - Authenticates a packet using the SHA or MD5 protocol and encrypts the packet using the DES algorithm; AuthNoPriv - Authenticates a packet using the SHA or MD5 protocol and does not encrypt the packet. |
| Read View | The name of the list of objects that are accessible for reading to users in the group. |
| Write View | The name of the list of objects that are accessible for creating and modifying by users in the group. |
| Notify View | The name of the list of notifications that can be sent to each user in the group. |

Access to Secure Access Administration Functions

All functions performed in Avaya Secure Access Administration require the logged-in user to be a Network Management user. All functions except the changing of the logged-in user’s authentication and privacy passwords also require that the logged-in user is assigned the role of administrator.

Creating the Initial Administrator User

Avaya SAA requires that you create at least one administrator level user. The Create Administrator User dialog box, which opens when you launch Secure Access Administration for the first time, enables you to define this mandatory initial administrator. When you have created the initial administrator, the name of the initial administrator and the root user appear in the User list. You can create and manage other users while logged in as either the root user or the initial administrator that you create.


To create the initial administrator user:

1. Open Avaya SAA. The Create Administrator User dialog box opens.

Figure 2-4. Create Administrator User Dialog Box

2. Fill in the fields. Refer to Table 2-6 for information about the fields.

3. Click Apply. The Enable Secure Mode dialog box opens:

Figure 2-5. Enable Secure Mode Dialog Box

4. Click OK if you want to enable Avaya Network Management login. Click Cancel if you do not want to enable Avaya Network Management login. The administrator is created and now appears in the User list.


You can enable or disable Avaya Network Management login at any time (refer to “Changing Network Management Login Mode” on page 22). If you chose to enable Avaya Network Management login and Network Management Console is running, restart Network Management Console now.

The following table describes the fields in the Create Administrator User dialog box. For definitions of Network Management users and Device users, refer to “User Types” on page 15.

Table 2-6. Create Administrator User Fields

| Field Name | Description |
| --- | --- |
| Name | The name of the user. Use alphanumeric characters. The name must contain at least one character. |
| Authorization Type | The authentication protocol used to authenticate the source of traffic from an SNMPv3 user. Possible values are MD5 and SHA (default). Authorization Type is only required for an SNMPv3 user. |
| Authorization Password | The password used to authenticate the user. Passwords must consist of at least eight characters. The Authorization Password field value is shaded red until eight characters have been entered. |
| Confirm Authorization Password | Re-enter the authentication password for confirmation. |
| Privacy Type | The encryption policy for an SNMPv3 user. Possible values are: DES - Use DES encryption for traffic from this user; No Privacy - Do not encrypt traffic for this user. Privacy Type is only required for an SNMPv3 user. |
| Privacy Password | The password used to enable DES encryption, if DES is selected as the Privacy Type. Passwords must consist of at least eight characters. The Privacy Password field value is shaded red until eight characters have been entered. |
| Confirm Privacy Password | Re-enter the privacy password for confirmation. |
| Network Management user | This field is read-only, since the initial administrator user that you must create must be a Network Management user and an administrator. The role of administrator is selected. |
| Device User | Check to define the user as a device user. If Device User is checked, select one of the following types: CLI & SNMPV3, CLI, SNMPV3. |

Changing Network Management Login Mode

From SAA, you can enable or disable Avaya Network Management login, the login authentication of Network Management users in Avaya Network Management Console.

When the login mode is enabled, SAA supports SNMPv1 and SNMPv3 devices. When the login mode is disabled, AIM only supports SNMPv1 devices.

CAUTION: Changing the login mode from enabled to disabled causes the devices using SNMPv3 to be inaccessible to AIM applications. To enable continued access via AIM applications, change the SNMP community for those devices in the Network Map SNMP Configuration to SNMPv3 and enable Avaya Network Management Login in the application.

Avaya Network Management Console is accessible across the network without login authentication in two situations:

• Before any Network Management users are created in SAA.

• After users have been created in SAA, whenever Avaya Network Management login is disabled.

To enable Avaya Network Management login if disabled:

Select Actions > Enable Avaya Network Management Login. The Enable Secure Mode dialog box opens.

Figure 2-6. Enable Secure Mode Dialog Box

To disable Avaya Network Management login if enabled:

Select Actions > Disable Avaya Network Management Login. The Disable Secure Mode dialog box opens.

Figure 2-7. Disable Secure Mode Dialog Box

Managing Users

This section describes what you can do to manage users and contains the following topics:

• Creating New Users

• Assigning Devices to a Device User

• Changing User Definitions

• Deleting Users

• Finding Users


Creating New Users

The New User dialog box enables you to create new users.

To create a new user:

Click the New User button on the toolbar.

OR

Select Action > New > New User. The New User dialog box opens.

Figure 2-8. New User Dialog Box

The following table provides a list of the fields in the New User dialog box. For definitions of Network Management users and Device users, refer to “User Types” on page 15.

Page 25: Avaya Integrated Management 3.1 Secure Access Administration

Avaya Secure Access Administration User Guide 25

Configuring User Administration Parameters

Table 2-7. New User Dialog Box Fields

Field Name Description

Name The name of the new user.

Auth Password The password used to authenticate the user. The password must contain at least eight characters. When you begin entering the password, the field is shaded red until you’ve entered a minimum of eight characters.

Confirm Auth Password Re-enter the authentication password for confirmation.

Network Management user

Check to define the user as a Network Management user.

If Network Management user is checked, select one of the following roles for the user:

• administrator

• regular

Device User Check to define the user as a device user. When you check Device User, the Add/Remove Device User Roles dialog box opens alongside the New User dialog box. For information about the Add/Remove Device User Roles dialog box, refer to “Assigning Devices to a Device User” on page 26.

If Device User is checked, select one of the following types:

• CLI & SNMPV3

• CLI

• SNMPV3

Auth Type The authentication protocol used to authenticate the source of traffic from an SNMPv3 user. Possible values are:

• MD5

• SHA (default)

Auth Type is only required for a SNMPv3 user.

Page 26: Avaya Integrated Management 3.1 Secure Access Administration

Chapter 2

26 Avaya Secure Access Administration User Guide

Table 2-7. New User Dialog Box Fields (Continued)

Field Name Description

Priv Type The encryption policy for an SNMPv3 user. Possible values are:

• DES - Use DES encryption for traffic from this user.

• No Privacy - Do not encrypt traffic for this user.

Priv Type is only required for an SNMPv3 user.

Priv Password The password used to enable encryption, if DES is selected as the Priv Type. The password must contain at least eight characters. When you begin entering the password, the field is shaded red until you’ve entered a minimum of eight characters.

Confirm Priv Password Re-enter the password you entered in the Priv Password field.

Select Action Type The Select Action Type combo box enables you to select how changes are applied when you click Apply:

• Apply changes - Applies your configuration according to the difference between the previous state of the SAA database and the required changes.

• Apply all - Applies your configuration by replenishing the database with all data that should be stored. Using this option ensures data integrity.

Assigning Devices to a Device User

When you check Device User in the New User dialog box, the Add/Remove Device User Roles dialog box opens alongside the New User dialog box. The Add/Remove Device User Roles dialog box enables you to assign devices to a device user and set the user’s role on each assigned device.

Page 27: Avaya Integrated Management 3.1 Secure Access Administration

* Note: Some network devices are configured to obtain CLI user definitions from a RADIUS server. SAA can check for RADIUS configuration on devices before creating instances of CLI users on the devices, and/or warn you about RADIUS configuration and/or avoid configuring CLI users on devices configured to use RADIUS. You can set the policy regarding RADIUS configuration in the Options dialog box. For information about how to set this policy, refer to “Configuring Options” on page 39.

Figure 2-9. The Add/Remove User Roles Dialog Box

The devices available on the network are listed in the Available Devices tree, grouped according to device type. If you are running SAA from HP OpenView, you can click to refresh the list of devices that appear in the Available Devices tree. If you are launching SAA from Avaya Network Management Console, the device list is automatically updated.

The filter field enables you to filter the devices listed in the Available Devices tree by IP address. See “Filtering the Available Devices List” on page 29.

Page 28: Avaya Integrated Management 3.1 Secure Access Administration

The Privileges list shows the IP address of each device assigned to the user, with the user role that will be assigned to the user when the user is created on the device. The privileges are ordered in the list according to user role and IP address.

You can:

• Add devices to the Privileges list. Refer to “Adding Devices to the User’s Privileges List” on page 28.

• Remove devices from the Privileges list. Refer to “Removing Devices from the User’s Privileges List” on page 29.

• Filter the devices displayed in the Available Devices List. Refer to “Filtering the Available Devices List” on page 29.

CAUTION: To configure an instance of a user on a W310 device, SAA communicates with the device via Telnet, which is not secure, so the user’s password is exposed. For all devices other than the W310, SAA communicates via SSH, which does not expose the user’s password. Therefore, it is not recommended to assign a W310 device to a user in addition to other devices. Configuring a user on a W310 and on other device types violates the security of the other devices.

Adding Devices to the User’s Privileges List

To add devices to the Privileges list:

1. Select a device or multiple devices in the list of Available Devices. You can filter the list of Available Devices (see “Filtering the Available Devices List” on page 29).

2. From the User Roles combo box, select the user role that you want to assign to the user for the selected devices.

3. Click to add the selected devices with the selected user role to the user’s Privileges list.

OR

Click to add all the devices now showing in the Available Devices list at once to the user’s Privileges list, with the selected user role.

The devices you added appear in the Privileges list.

Page 29: Avaya Integrated Management 3.1 Secure Access Administration

Removing Devices from the User’s Privileges List

To remove devices from the Privileges list:

1. Select the device(s) you want to remove from the Privileges list (unless you want to remove all devices).

2. Click to remove the selected device(s) from the Privileges list.

OR

Click to deselect all devices from the Privileges list.

* Note: When you remove devices from the user “root,” the devices are removed from the SAA database, but are not deconfigured on the devices.

Filtering the Available Devices List

To filter the Available Devices list:

In the Filter field, type an expression in the format of an IP address, substituting an asterisk (*) as a wildcard in place of any octet in the IP address that you want to leave unrestricted. For example, the expression 149.49.70.* filters the list in Figure 2-10 to display all available devices with IP addresses in the range 149.49.70.0 to 149.49.70.255, as shown in Figure 2-11:

Page 30: Avaya Integrated Management 3.1 Secure Access Administration

Figure 2-10. The Available Devices List Before Filtering

Figure 2-11. The Available Devices List After Filtering

A wildcard may be used in place of any octet in the IP address. A wildcard cannot replace part of an octet. Table 2-8 shows examples of expressions that may and may not be used for filtering.
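The filter format described above and in Table 2-8, written out as a validator and matcher. This is an added example, not code from SAA or the Avaya guide; the function names and the device addresses are constructed, and rejecting a bad expression with an error is an assumption about behaviour the guide does not describe.

```python
# Expressions taken from Table 2-8 of the guide.
PERMITTED = ["149.49.70.1", "149.*.70.0", "149.*.70.*"]
NOT_PERMITTED = ["149.49.70.*1", "149.4*.70.0", "149.**.70.*"]

# Constructed sample device list (illustrative addresses only).
AVAILABLE = ["149.49.70.1", "149.49.70.200", "149.49.71.5", "149.50.70.0", "10.0.0.1"]


def parse_filter(expr):
    """Parse a filter such as '149.49.70.*' into four octets; None stands for '*'.

    Raises ValueError for anything the guide lists as not permitted.
    """
    parts = expr.strip().split(".")
    if len(parts) != 4:
        raise ValueError("expected four dot-separated octets: %r" % expr)
    octets = []
    for part in parts:
        if part == "*":
            octets.append(None)  # a wildcard replaces a whole octet
        elif part.isascii() and part.isdigit() and len(part) <= 3 and int(part) <= 255:
            octets.append(int(part))
        else:
            # Covers '*1', '4*' and '**': a wildcard cannot replace part of an octet.
            raise ValueError("bad octet %r in %r" % (part, expr))
    return octets


def is_permitted(expr):
    """True if the expression is a valid filter."""
    try:
        parse_filter(expr)
        return True
    except ValueError:
        return False


def filter_devices(expr, addresses):
    """Return the addresses that remain listed after applying the filter."""
    pattern = parse_filter(expr)
    shown = []
    for address in addresses:
        try:
            octets = parse_filter(address)
        except ValueError:
            continue  # not a dotted-quad address
        if None in octets:
            continue  # a device address cannot itself contain a wildcard
        if all(p is None or p == o for p, o in zip(pattern, octets)):
            shown.append(address)
    return shown


def breadth(expr):
    """Number of distinct addresses the expression can match (256 per wildcard)."""
    return 256 ** parse_filter(expr).count(None)


if __name__ == "__main__":
    for expr in PERMITTED + NOT_PERMITTED:
        print(expr, "permitted" if is_permitted(expr) else "not permitted")
    print(filter_devices("149.49.70.*", AVAILABLE), breadth("149.49.70.*"))
```

Checking the breadth of a filter is useful before adding all devices currently shown to a user's Privileges list, because each wildcard widens the set of devices that will receive the selected role.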

Table 2-8. Available Devices List Filtering Expressions

Permitted        Not Permitted

149.49.70.1      149.49.70.*1

149.*.70.0       149.4*.70.0

149.*.70.*       149.**.70.*

Changing User Definitions

You can make the following changes to existing users:

• Change the user’s type, role, and, for a Device user, the devices assigned to the user. Refer to “Modifying a User” on page 31.

• Change the user’s Authentication and, where applicable, Privacy passwords. Refer to “Changing a User’s Passwords” on page 31.

Page 31: Avaya Integrated Management 3.1 Secure Access Administration

* Note: You cannot change a user’s Authorization type or Privacy Type.

Modifying a User

The Modify User dialog box enables you to modify a user’s type, roles, and, if you define the user as a Device user, to add and remove devices. The changes are updated in SAA and on the devices.

To modify a user:

1. Select a user in the User List.

2. Click .

OR

Select Edit > Modify User. The Modify User dialog box opens.

Figure 2-12. Modify User Dialog Box

For information about fields in this dialog box, refer to Table 2-7, “New User Dialog Box Fields,” on page 25. For information about assigning devices to the user, or modifying the devices and associated user roles assigned to the user, refer to “Assigning Devices to a Device User” on page 26.

Changing a User’s Passwords

The Change Password dialog box enables you to change the authentication and privacy passwords of a user. To change the logged-in user’s password, you do not need to be an administrator.

* Note: It is recommended to change the password of the default user “root.” The new password must contain at least eight characters.

Page 32: Avaya Integrated Management 3.1 Secure Access Administration

To change a user’s password:

1. In the User List, select the user whose password you want to change.

2. Select Action > Change Password. The Change Password dialog box opens.

Figure 2-13. Change Password Dialog Box

The following table provides a list of the fields in the Change Password dialog box.

Table 2-9. Change Password Dialog Box Fields

Field Name Description

Name Displays the name of the user.

Auth Password Enter the new password for authenticating the user. The password must contain at least eight characters. When you begin entering the password, the field is shaded red until you’ve entered a minimum of eight characters.

Confirm Auth Password Re-enter the authentication password.

Priv Password Enter the new password for enabling DES encryption. The password must contain at least eight characters. When you begin entering the password, the field is shaded red until you’ve entered a minimum of eight characters.

This field only appears if the user’s Privacy Type is set as DES.

Confirm Priv Password Re-enter the privacy password for confirmation.

This field only appears if the user’s Privacy Type is set as DES.

Page 33: Avaya Integrated Management 3.1 Secure Access Administration

If SAA fails to communicate with one of the devices, SAA disables the use of the disconnected user. To restore the user, restore communication with the device and call the synchronize function (refer to “Synchronizing User Passwords” on page 33).

Synchronizing User Passwords

The Synchronize Password operation sends a user’s changed password to devices that failed to receive the password change.

To synchronize user passwords:

Select Action > Synchronize Password. The synchronize operation starts.

Deleting Users

The Delete User dialog box enables you to delete a user.

When you delete a user, the user is deleted from SAA and the user instances are deleted from all associated devices. If SAA fails to connect to an associated device to delete a user instance on that device, the outcome depends on the Delete User and Ignore Errors setting in the Options dialog box. For more information, refer to “Configuring Options” on page 39.

If you want to remove the user only from some of the devices, use the Modify User dialog box (refer to “Modifying a User” on page 31).

To delete a user:

1. Select a user in the User List.

2. Click .

OR

Select Edit > Delete User. The Delete User warning appears.

Figure 2-14. Delete User Warning

3. Click OK. The user is deleted.

Page 34: Avaya Integrated Management 3.1 Secure Access Administration

Finding Users

The Find User dialog box enables you to locate a user in the User List. The found user is marked in the User List.

To find a user:

1. Click .

OR

Select Edit > Find. The Find User dialog box opens.

Figure 2-15. Find User Dialog Box

2. Enter the name of the user you want to locate.

3. Click search.

Page 35: Avaya Integrated Management 3.1 Secure Access Administration

Viewing the Log Window

The Log window displays the last 100 operations performed by users in SAA.

If the logged-in user is not an administrator, the log shows only the logged-in user’s own operations.

To open the Log window:

1. Select View > Log. The Log window opens at the bottom of the SAA window.

Figure 2-16. Log Window

2. Click to save the logged data to a text file.

3. Click to delete the log. This operation does not remove the logged operations, but deletes them from the view shown by the Log window. If you save the data, all logged data is saved.

Creating a Report

You can create a report of all the users defined in SAA.

The report can be saved as an XML or CSV file. The default report type is XML.

Page 36: Avaya Integrated Management 3.1 Secure Access Administration

To create a report:

1. Select File > Report. The Security Manager Report dialog box opens.

Figure 2-17. Security Manager Report Dialog Box

2. Browse to the location in which you want to save the report.

3. Enter the File Name you want to give to the report.

4. Click Save to generate and save the report.

Managing SSH Keys

SAA can perform SSH device authentication before communicating with a device to perform an action such as creating or deleting an instance of a user on the device. To perform the authentication, SAA uses the device’s SSH public key to decrypt a message received from the device.

The SSH Key Management dialog box allows you to enable or disable SSH device authentication and manage the repository of SSH public keys known to SAA for all available network devices.

Page 37: Avaya Integrated Management 3.1 Secure Access Administration

To open the SSH Key Management dialog box:

Select Action > SSH Key Management.

Figure 2-18. SSH Key Management Dialog Box

The following table provides a list of the fields in the SSH Key Management dialog box:

Table 2-10. SSH Key Management Dialog Box Fields

Field Description

Host IP Address The IP address of each available device.

Host Name The host name of each available device.

Type The type of each available device.

Host Key Fingerprint A fingerprint value derived from each device’s SSH public key, provided the key has been learned. The fingerprint is used in the display for convenience in place of the lengthy public key.

You can:

• Enable or disable SSH device authentication. Refer to “Enabling or Disabling SSH Device Authentication” on page 38.

• Tell SAA to obtain each device’s SSH public key using either of the following methods:

— Learn the key directly from the device. Refer to “Learning SSH Keys Directly from Devices” on page 38.

Page 38: Avaya Integrated Management 3.1 Secure Access Administration

— Import the key from a specified Known Host File. Refer to “Importing SSH Keys from a Known Host File” on page 38.

• Clear known SSH public keys. Refer to “Clearing SSH Keys” on page 39.

Enabling or Disabling SSH Device Authentication

To enable SSH device authentication:

Check the “Check host key against known host files” checkbox.

SAA will authenticate network devices using the SSH protocol.

Learning SSH Keys Directly from Devices

This method of learning SSH public keys is insecure. Use this method only if you know that your connection to devices is secure (for example, to learn keys from devices in a secure local network while the network is disconnected from the WAN).

To learn SSH public keys directly from a selection of devices:

1. Select the devices whose SSH public keys you want SAA to learn:

— To select all devices, click .

— To select adjacent multiple devices, click on each device while holding the SHIFT key.

— To select non-adjacent multiple devices, click on each device while holding the CTRL key.

— To clear your selection, click .

2. Click . The keys are learned and their fingerprints appear in the Host Key Fingerprint column.

Importing SSH Keys from a Known Host File

You can import SSH public keys from a Known Host File.

To import SSH public keys from a specified Known Host File:

1. Select the devices whose SSH public keys you want SAA to import from a Known Host File:

Page 39: Avaya Integrated Management 3.1 Secure Access Administration

— To select all devices, click .

— To select adjacent multiple devices, click on each device while holding the SHIFT key.

— To select non-adjacent multiple devices, click on each device while holding the CTRL key.

— To clear your selection, click .

2. Click .

3. Browse to the Known Host File from which you want to import the keys.

4. Click OK. The keys are imported and their fingerprints appear in the Host Key Fingerprint column.
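One way to cross-check keys that were learned directly from devices against a trusted Known Host File, as an added example that is not part of the Avaya guide or of SAA. It assumes the file uses the OpenSSH known_hosts line layout and shows the two common OpenSSH fingerprint encodings (the guide does not say which format SAA displays); all function names, keys and addresses are constructed.

```python
import base64
import hashlib
import struct


def _wire(data):
    """SSH wire-format string: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def sample_key(seed):
    """Constructed stand-in shaped like an ssh-rsa public key blob (not a usable key)."""
    filler = b"\x00" + hashlib.sha256(seed).digest() * 4
    blob = _wire(b"ssh-rsa") + _wire(b"\x01\x00\x01") + _wire(filler)
    return base64.b64encode(blob).decode()


def fingerprints(key_b64):
    """Return (MD5 colon-hex, 'SHA256:' base64) fingerprints of a public key blob."""
    blob = base64.b64decode(key_b64, validate=True)
    md5 = hashlib.md5(blob, usedforsecurity=False).hexdigest()
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return ":".join(md5[i:i + 2] for i in range(0, 32, 2)), "SHA256:" + sha


def parse_known_hosts(text):
    """Map each plain host name or address to the set of (key type, base64 key) listed."""
    trusted = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith(("#", "@", "|")):
            continue  # blank, comment, marker line or hashed host name
        hosts, key_type, key_b64 = fields[:3]
        try:
            blob = base64.b64decode(key_b64, validate=True)
            (n,) = struct.unpack(">I", blob[:4])
            if blob[4:4 + n] != key_type.encode():
                raise ValueError("declared key type does not match the blob")
        except (ValueError, struct.error):
            continue  # malformed or truncated entry: never trust it
        for host in hosts.split(","):
            trusted.setdefault(host, set()).add((key_type, key_b64))
    return trusted


def audit_learned(learned, trusted):
    """Compare keys learned over the network with the trusted file's entries."""
    report = {}
    for host, key in sorted(learned.items()):
        known = trusted.get(host)
        if known is None:
            report[host] = "unverified"  # no out-of-band reference for this device
        else:
            report[host] = "match" if key in known else "MISMATCH"
    return report


# Constructed sample data: addresses and keys are illustrative only.
KNOWN_HOSTS = "\n".join([
    "# exported from a trusted admin workstation (constructed)",
    "149.49.70.1 ssh-rsa " + sample_key(b"device-1"),
    "149.49.70.2,switch-2 ssh-rsa " + sample_key(b"device-2"),
    "149.49.70.9 ssh-rsa not*base64",
])
LEARNED = {
    "149.49.70.1": ("ssh-rsa", sample_key(b"device-1")),
    "149.49.70.2": ("ssh-rsa", sample_key(b"unexpected")),
    "149.49.70.3": ("ssh-rsa", sample_key(b"device-3")),
}

if __name__ == "__main__":
    for host, verdict in audit_learned(LEARNED, parse_known_hosts(KNOWN_HOSTS)).items():
        print(host, verdict, fingerprints(LEARNED[host][1])[0])
```

A "MISMATCH" or "unverified" result means the learned key has no trusted reference and should be confirmed out of band before SSH device authentication relies on it.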

Clearing SSH Keys

You can clear known SSH keys.

To clear a selection of keys:

1. Select the devices whose keys you want to clear:

— To select all devices, click .

— To select adjacent multiple devices, click on each device while holding the SHIFT key.

— To select non-adjacent multiple devices, click on each device while holding the CTRL key.

— To clear your selection, click .

2. Click . The selected keys are cleared.

Configuring Options

The Options dialog box enables you to control:

• How SAA handles errors in connecting to devices to delete user instances

• How SAA interacts with RADIUS configuration on devices when creating CLI users.

Page 40: Avaya Integrated Management 3.1 Secure Access Administration

To configure options:

Select File > Options. The Options dialog box opens.

Figure 2-19. Options Dialog Box

The following table provides a list of the fields in the Options dialog box.

Table 2-11. Options Dialog Box Fields

Field Name Description

Delete User and Ignore Errors

If this option is checked and you delete a user, SAA deletes the user from the SAA database even if SAA fails to connect to a device assigned to the user in order to delete an instance of the user on that device. This includes cases in which the user was never successfully configured on the device.

Do not detect whether a device is configured to use RADIUS

If this option is checked and you assign a device to a user, SAA creates an instance of the user on the assigned device without checking if the device is configured to obtain users from a RADIUS server.

Warn about devices configured to use RADIUS

If this option is checked, SAA will warn if a device is configured to use RADIUS for CLI user definition before configuring CLI users on the device.

Do not configure CLI users on devices configured to use RADIUS

If this option is checked, SAA will not configure CLI users on devices which are configured to use RADIUS for CLI user definition.

Page 41: Avaya Integrated Management 3.1 Secure Access Administration

Appendix A. Secure Access Administration Menus

This appendix lists the full structure of the menus in the Secure Access Administration window. These menus include:

• File Menu

• Edit Menu

• View Menu

• Action Menu

• Help Menu

File Menu

Table 2-12. File Menu

Item Description

Report Creates a report of all the users defined in SAA.

Options Opens the Options dialog box.

Refresh Refreshes the list of devices that appear in the Available Devices tree in the Add/Remove Device User Roles dialog box.

Exit Closes the SAA window.

Edit Menu

Table 2-13. Edit Menu

Item Description

Modify User Opens the Modify User dialog box.

Delete User Opens the Delete User dialog box.

Find Opens the Find User dialog box.

Page 42: Avaya Integrated Management 3.1 Secure Access Administration

View Menu

Table 2-14. View Menu

Item Description

User Roles Opens the User Roles dialog box.

Log Opens the Log window.

Action Menu

Table 2-15. Action Menu

Item Description

New > New User Opens the New User dialog box.

Change Password Opens the Change Password dialog box.

Synchronize Password Performs a synchronize passwords operation.

Disable Avaya Network Management Login Opens the Disable Avaya Network Management Login Window.

Enable Avaya Network Management Login Opens the Enable Avaya Network Management Login Window.

SSH Key Management Opens the SSH Key Management dialog box.

Help Menu

Table 2-16. Help Menu

Item Description

Help On Activates context sensitive help.

Help Contents Opens the on-line help contents page.

About Avaya Secure Access Administration Copyright information about the Avaya Secure Access Administration.
