Securid support, Secure storage of authentication data – Nortel Networks OPTera Metro 3500 User Manual
2-128 Operation, administration, and maintenance (OAM) features
OPTera Metro 3500 Multiservice Platform NTRN10AN Rel 12.1 Standard Iss 1 Apr 2004
Users are able to provision on the SPx:
• a network processor as the primary authentication gateway (on the network element)
• optionally, a network processor as the secondary authentication gateway (on the network element)
Note: A secondary authentication server is supported only if the shelf processor using this server is a member of the spans of control of both network processors acting as authentication gateways (primary and secondary).
• state of the CSA feature (enabled / disabled) (on the gateway network processor and the network element)
• alternate login method on the network element
The centralized authentication provisioning data on the network processor and
shelf processors is included in database save and restore operations. The
centralized authentication provisioning data on the network processor and
shelf processors will survive circuit pack restarts and replacements.
Note: It is possible for the gateway network processor to have its CSA feature enabled while a network element in its span of control is provisioned for local authentication only. This allows a network element to interwork with other network elements running a software release that does not support CSA.
SecurID support
To log in to a network processor or shelf processor using remote
authentication, you must have a valid user identifier (UID) and password
identifier (PID). You can use RSA Security's SecurID system to generate
dynamic passwords. SecurID uses a token card to generate a pseudo-random
number called the token code every 60 seconds. To log in to a network
processor or shelf processor, use the 4-digit alphanumeric PIN and the 6-digit
token code as the PID. The information is verified by an RSA Security
ACE/Server authentication server. This ACE server must be the backend to the
network processor/shelf processor Radius server or the Radius server itself.
You must send the authentication request to the ACE server during the 60
second interval when the token code displayed on the SecurID token card is
valid. This feature allows for clock drift between the SecurID token card and
the ACE server.
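The following is an added illustration of the verification side of the login just described, not code from Nortel or RSA. It splits the PID into the 4-digit alphanumeric PIN and the 6-digit token code, derives the expected code for the current 60-second window, and accepts one window of clock drift on either side. RSA's SecurID token algorithm is proprietary, so an HMAC-SHA1 placeholder generator stands in for it; the drift tolerance of one window, the `AceServerStub` class, the `DEMO_SEED` value and the replay check are all assumptions made for the example.

```python
import hashlib
import hmac
import struct
import time

WINDOW_SECONDS = 60      # token code changes every 60 seconds (from the manual)
PIN_LENGTH = 4           # 4-digit alphanumeric PIN (from the manual)
TOKEN_CODE_LENGTH = 6    # 6-digit token code (from the manual)
DRIFT_WINDOWS = 1        # ASSUMPTION: tolerate +/- one 60 s window of clock drift

# Constructed sample token seed; a real token's seed is never this predictable.
DEMO_SEED = b"constructed-demo-seed-not-a-real-token"


def token_code_for_window(seed: bytes, window: int) -> str:
    """Placeholder token generator (ASSUMPTION, not RSA's algorithm):
    HMAC-SHA1 over the window counter, truncated to 6 decimal digits."""
    mac = hmac.new(seed, struct.pack(">Q", window), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # 0..15, so offset+4 <= 19
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** TOKEN_CODE_LENGTH:0{TOKEN_CODE_LENGTH}d}"


def split_pid(pid: str):
    """Split the PID into (PIN, token code); return None if malformed."""
    if len(pid) != PIN_LENGTH + TOKEN_CODE_LENGTH:
        return None
    pin, code = pid[:PIN_LENGTH], pid[PIN_LENGTH:]
    if not pin.isalnum() or not code.isdigit():
        return None
    return pin, code


class AceServerStub:
    """Minimal stand-in for the ACE server behind the RADIUS server."""

    def __init__(self, accounts):
        # accounts: uid -> (pin, token seed)
        self.accounts = accounts
        # uid -> last window whose code was accepted; a code is single-use
        self.last_window_used = {}

    def authenticate(self, uid: str, pid: str, now: float = None) -> bool:
        now = time.time() if now is None else now
        record = self.accounts.get(uid)
        parts = split_pid(pid)
        if record is None or parts is None:
            return False
        pin, code = parts
        expected_pin, seed = record
        # Constant-time comparison so PIN correctness does not leak via timing.
        pin_ok = hmac.compare_digest(pin.encode(), expected_pin.encode())

        current = int(now // WINDOW_SECONDS)
        matched_window = None
        # Check every window in the drift range without early exit.
        for window in range(current - DRIFT_WINDOWS, current + DRIFT_WINDOWS + 1):
            if hmac.compare_digest(code, token_code_for_window(seed, window)):
                matched_window = window

        if not pin_ok or matched_window is None:
            return False
        # Reject a code from a window that has already been consumed.
        if self.last_window_used.get(uid, -1) >= matched_window:
            return False
        self.last_window_used[uid] = matched_window
        return True


def demo() -> bool:
    """Log in once with the current window's code at a fixed instant."""
    server = AceServerStub({"user1": ("ab12", DEMO_SEED)})
    now = 1_000_000.0
    code = token_code_for_window(DEMO_SEED, int(now // WINDOW_SECONDS))
    return server.authenticate("user1", "ab12" + code, now=now)


if __name__ == "__main__":
    print("login accepted:", demo())
```

The drift loop deliberately checks every window in the range rather than returning on the first match, and the replay record is keyed on the window rather than the code, so a code presented twice within its 60-second lifetime is refused even though it is still "valid" on the card.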
Secure storage of authentication data
All local storage of authentication data is on the network element. The network
element can store authentication information for up to 100 accounts. All
passwords are stored in a one-way encrypted form. The network element does