Alcatel OmniVista 2500-2700 User Manual

Getting Started with OmniVista Security

The Users and User Groups application enables you to control user access to OmniVista and to network switches. Access to OmniVista is controlled through the definition of user logins and passwords. Access to network switches is controlled through the use of security groups, which have specified levels of access to switches. All OmniVista users must be assigned to at least one security group, which defines the access rights for its members. Security groups and user logins are configured from the Users and User Groups application, and constitute one level of network security. Other levels of security are summarized in the table below.
Overview of Security Types

Security Type: SNMP Get and Set Community Names
Get and Set Community names act as read and write passwords that define whether any OmniVista user is allowed to read or write the switch's configuration information. Get and Set Community names are configurable only from the switch itself.
Configured From: Switch console port or CLI command.

Security Type: The "Seen By" Parameter
This parameter makes individual switches visible to users in a specified OmniVista security group.
Configured From: OmniVista Topology application. The Seen By parameter setting is specified in the Discovery Wizard when switches are discovered. After discovery, you can edit entries in the list of All Discovered Devices to redefine this parameter.

Security Type: OmniVista Security Groups
Security groups in OmniVista provide different levels of access to switches. An OmniVista user's access rights are based on the access rights of his/her assigned security group.
Configured From: OmniVista Users and User Groups application.

Default Users, Groups, and Passwords
OmniVista security uses a combination of user logins and security groups to control access to OmniVista and to network switches. OmniVista is shipped with the pre-configured user logins, passwords, and security groups described below. The Users and User Groups application enables you to modify these users, passwords, and security groups, or create new ones. Note that initially the pre-configured user admin is the only user that has permission to change the user logins and security groups defined by the Users and User Groups application. The pre-configured users and security groups shipped with OmniVista are as follows:
User user in security group Default
User user belongs to the Default security group and therefore has read-only access to switches that can be seen by the Default security group. The default password for this user is switch. User user can view the information for a switch, but cannot modify the information. This is because the only group right assigned to the Default security group is Read.
User writer in security group Writers
User writer belongs to the Writers security group and has both read and write access to switches that can be seen by the Writers security group. The default password for this user is switch. User writer can view and modify switch information. However, user writer cannot use the Discovery Wizard to discover network switches and cannot manually add, delete, or modify entries in the list of All Discovered Devices. User writer also does not have access to the functions provided by the Audit application and the Control Panel application. This is because the only group rights assigned to the Writers security group are Read and Write.
User netadmin in security group Network Administrators
User netadmin belongs to the Network Administrators security group and therefore has full administrative rights to all the switches in the network. The default password for this user is switch. User netadmin has read and write access to all the switches known to OmniVista. In addition, user netadmin can use the Discovery Wizard to discover network switches and can manually add, delete, or modify entries in the list of All Discovered Devices. User netadmin has full access to the functions provided by the Audit application, Control Panel application, and Notifications application. User netadmin can do everything EXCEPT edit the security groups and users defined in the Users and User Groups security application. The group rights assigned to the Network Administrators group are Read, Write, and Network Admin.
User admin in security group Administrators
User admin belongs to the Administrators security group and therefore has full administrative rights to all the switches in the network -- as described above for user netadmin -- AND full administrative rights to edit the security groups and users defined in the Users and User Groups security application. The default password for this user is switch.
Selecting the Authentication Server
You can select local or remote LDAP, RADIUS, and ACE servers using the Authentication Server pane. You can configure these servers using the Configure Servers... button in the Authentication Server pane.
Using Security the First Time
1. Create new security groups, edit pre-configured groups, or use pre-configured groups as they are. The Groups pane enables you to add new security groups, edit existing security groups, add or remove users from existing security groups, and delete security groups.
2. Create new users or edit pre-configured users. Note that all pre-configured users have the same default password, switch. At a minimum, it is recommended that you redefine the passwords. The Local Users pane enables you to add new users, delete users, edit existing users, add or remove users from existing security groups, and change user passwords.
Sample Security Configurations
OmniVista users with Administrators or Network Administrators security rights can view and manage every switch in the network. However, selected switches can be "walled off" from users that have Writers or Default (read) security rights. The "walled off" switches can be made visible to, and manageable from, a single OmniVista security group. This is accomplished by creating a new security group and setting the can be seen by parameter, so that relevant switches can be seen by that security group only. (Note that, if problems arise, switches are always visible to, and can be managed by, users in the Administrators or Network Administrators security group.)
For example, first you create a security group named Marketing with Writers access rights. You also create a single user named Marketing Writer, who is the sole member of security group Marketing. The Marketing department contains five switches, and you set the can be seen by parameter for each switch to security group Marketing only.
The effect of this security configuration is that the five switches in the Marketing department will be visible to, and manageable by, the user Marketing Writer only. OmniVista's list of All Discovered Devices will display the five Marketing switches only when user Marketing Writer is logged in. Since the switches will not be visible in the list of All Discovered Devices when other users with Write or Read permission are logged in, they cannot be managed by other users. (Note that users with Administrators or Network Administrators security rights are an exception to this. Users with Administrators or Network Administrators security rights will always be able to see and manage the five Marketing switches.)
You could also create a second security group, perhaps named Marketing Monitor, that has read access rights only. You create a user that belongs to this security group named Marketing Reader. If you set the can be seen by parameter for each Marketing switch to security group Marketing Monitor and security group Marketing, user Marketing Reader will be able to view and monitor the five Marketing switches, but only user Marketing Writer will be able to configure the switches.
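The Marketing configuration above, modelled as an added example (not OmniVista code): group rights and the can be seen by setting are combined to compute each user's effective access to a switch. The switch names and the lobby switch's setting are constructed for illustration.

```python
READ, WRITE, NETWORK_ADMIN = "Read", "Write", "Network Admin"
# Added model, not OmniVista code. Group -> rights as the manual lists them; the
# Administrators group's right to edit users and groups is not modelled.
GROUPS = {
    "Default": {READ},
    "Writers": {READ, WRITE},
    "Network Administrators": {READ, WRITE, NETWORK_ADMIN},
    "Administrators": {READ, WRITE, NETWORK_ADMIN},
    "Marketing": {READ, WRITE},      # created with Writers access rights
    "Marketing Monitor": {READ},     # created with read access only
}

# User -> security groups (every user belongs to at least one group).
USERS = {
    "user": ["Default"],
    "writer": ["Writers"],
    "netadmin": ["Network Administrators"],
    "admin": ["Administrators"],
    "Marketing Writer": ["Marketing"],
    "Marketing Reader": ["Marketing Monitor"],
}

# Switch -> groups in its "can be seen by" setting (switch names are constructed).
SEEN_BY = {f"mkt-sw{i}": {"Marketing", "Marketing Monitor"} for i in range(1, 6)}
SEEN_BY["lobby-sw1"] = {"Default", "Writers"}


def access(user, switch):
    """Return 'write', 'read' or 'none' for one user on one switch."""
    best = "none"
    for group in USERS[user]:
        rights = GROUPS[group]
        # Administrators and Network Administrators always see every switch.
        if NETWORK_ADMIN in rights or group in SEEN_BY[switch]:
            if WRITE in rights:
                return "write"
            if READ in rights:
                best = "read"
    return best


def who_can(level, switch):
    """List the users whose effective access to a switch equals `level`."""
    return sorted(u for u in USERS if access(u, switch) == level)


if __name__ == "__main__":
    print({sw: who_can("write", sw) for sw in SEEN_BY})
```

The write list for every walled-off switch still contains admin and netadmin, so the passwords of those two pre-configured accounts protect every switch regardless of the can be seen by setting.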

Creating and Managing Security Groups

The Groups pane, shown below, enables you to add new security groups, edit existing security groups, add or remove users from existing security groups, and delete security groups. OmniVista is shipped with four pre-configured security groups, which are listed and described below.
Default group. This security group has read-only access to switches in the list of All Discovered Devices that can be seen by the Default security group.
Writers group. This security group has both read and write access to switches in the list of All Discovered Devices that can be seen by the Writers security group. However, members of the Writers security group cannot run discovery or manually add, delete, or modify entries in the list of All Discovered Devices.
Network Administrators group. This security group has full administrative access rights to all switches on the network. Members of this security group can run discovery and can manually add, delete, and modify entries in the list of All Discovered Devices. Members of the Network Administrators security group also have full read and write access to entries in the Audit Application and the Control Panel Application. Members of the Network Administrators security group can do everything EXCEPT edit the groups and users defined in the Users and Groups Application.
Administrators group. This security group has all administrative access rights described above for the network administrators group AND full administrative rights to edit the groups and users defined in the Users and Groups Application.