Managing system users and groups. Nortel Networks Nortel Secure Network Access Switch 4050

Chapter 8

Managing system users and groups

This chapter includes the following topics:

Topic

User rights and group membership

Managing system users and groups using the CLI

Roadmap of system user management commands

Managing user accounts and passwords using the CLI

Managing user settings using the CLI

Managing user groups using the CLI

CLI configuration examples

Managing system users and groups using the SREM

Managing user accounts using the SREM

Setting password expiry using the SREM

Changing your password using the SREM

Changing another user’s password using the SREM

Setting the certificate export passphrase using the SREM

Managing user groups using the SREM

370

370

374

376

377

379

381

356

358

359

360

Page

354

355

355

353

Nortel Secure Network Access Switch 4050 User Guide

354 Chapter 8 Managing system users and groups

User rights and group membership

There are three groups of system users who routinely access the system for configuration and management:

• admin (administrator)

• certadmin (certificate administrator)

• oper (operator)

Note: There are two additional types of users with specialized

functions: boot and root. For more information, see “Accessing the

Nortel SNAS 4050 cluster” on page 775 .

Group membership dictates user rights, as shown in Table 68 on page 354 . When

a user is a member of more than one group, user rights accumulate. The admin user, who by default is a member of all three groups, therefore has the same user rights as granted to members in the certadmin and oper group, in addition to the specific user rights granted by the admin group membership. The most permissive user rights become the effective user rights when a user is a member of more than one group. For more information about default user groups and related access

levels, see “Accessing the Nortel SNAS 4050 cluster” on page 775

.

Table 68 Group membership and user rights

Group

Account

User account admin certadmin oper admin admin oper admin

Rights

Group System Password

Add user Delete user Add user Delete user Change own Change others

Yes

No

Yes

No

Yes, to own group

Yes Yes

Yes

Yes, if Admin is a member of the other user’s first group

No

No No

Yes, to own group

No

Yes, to own group

No Yes No

320818-A

Chapter 8 Managing system users and groups 355

Managing system users and groups using the CLI

To manage system users and groups, access the User menu by using the following command:

/cfg/sys/user

From the User menu, you can configure and manage the following:

• add new users (for a detailed example, see

“Adding a new user” on page 360

)

• reassign users (for a detailed example, see

“Changing a user’s group assignment” on page 365

)

• change passwords (for a detailed example, see

“Changing passwords” on page 366 )

•

delete users (for a detailed example, see “Deleting a user” on page 369

)

For detailed information about the CLI commands, see “CLI configuration examples” on page 360 .

Roadmap of system user management commands

The following roadmap lists all the CLI commands to configure and manage system users for the Nortel SNAS 4050 cluster. Use this list as a quick reference or click on any entry for more information:

Command

/cfg/sys/user

/cfg/sys/user/edit <username>

Parameter

password <old password> <new password> <confirm new password> expire <time> list

del <username> add <username>

caphrase

password <own password> <user password> <confirm user password> cur



Command

/cfg/sys/user/edit

<username>/groups

Parameter

list del <group index> add admin|oper|certadmin

Managing user accounts and passwords using the CLI

To change the password for the currently logged on user and to add or delete user accounts, access the User menu by using the following command:

/cfg/sys/user

The User menu displays.

The User menu includes the following options:

/cfg/sys/user followed by: password <old

password> <new

password> <confirm

new password> expire <time> list

Allows you to change your own password. Passwords can contain spaces and are case sensitive. The change takes effect as soon as you execute the command.

Sets an expiration time for system user passwords. The time applies to all system users. The counter starts from when the password was last set. The first time the system user logs on after the specified time has expired, the user is prompted for a new password.

• time is the length of time in days (d), hours (h), minutes (m), or seconds (s or unspecified). The default unit is seconds. The default expiration time is 0 seconds (no expiry).

If the time you specify combines time units, the format is DDdHHhMMmSS. For example, to make all passwords expire in 30 days, 2 hours, and 45 minutes, enter 30d2h45m ..

Lists all user accounts. The three built-in users (admin, oper, and root) are always listed.

320818-A


/cfg/sys/user followed by: del <username> add <username>

Removes the specified user account from the system.

Of the three built-in users (admin, oper, and root), only the oper user can be deleted.

You must have administrator rights in order to delete user accounts.

Note: When you delete a user, the user’s group assignment is also deleted. If you are deleting a user who is the sole member of a group, none of the remaining users on the system can then be added to that group. Existing users can only be added to a group by a user who is already a member of that group.

Before deleting a user, verify that the user is not the sole member of a group.

Adds a user account to the system. The maximum length of the user name is 255 characters. No spaces are allowed.

After adding a user account, you must also assign the

user account to a group (see “Managing user groups using the CLI” on page 359 ).

You must have administrator rights in order to add user accounts.



/cfg/sys/user followed by: edit <username> caphrase

Accesses the User < username > menu, in order

change user settings (see “Managing user settings using the CLI” on page 358 ).

You must have administrator rights in order to change a user’s settings. You must also be a member of the first group listed for the other user.

Sets the certificate administrator’s passphrase for encrypted private keys in a configuration backup, if the certificate administrator role has been separated from the administrator role.

If the admin user is a member of the certadmin group

(the default setting), the admin user is prompted for an export passphrase to protect the private keys in the configuration dump each time the /cfg/ptcfg command is used.

Set a certificate administrator export passphrase only if the admin user has removed himself or herself from the certadmin group and added a certificate administrator user with certadmin group rights. When a configuration backup is performed using the /cfg/ptcfg command, the certadmin export passphrase is automatically used (without prompting the user) to protect the encrypted private keys. When the

/cfg/gtcfg command is used to restore a configuration backup from a file exchange server, the user is prompted for the correct certadmin passphrase, as defined using the caphrase command.

Note: The caphrase menu command is displayed only when the logged on user is a member of the certadmin group.

Managing user settings using the CLI

You must have administrator rights in order to change a user’s settings. You must also be a member of the other user’s first group (the first group listed for the other user when you use the /cfg/sys/user/edit <username>/groups/list command).

320818-A


To set or change the login password for a specified user and to view and manage group assignments, access the User < username > menu by using the following command:

/cfg/sys/user/edit <username>

The User < username > menu displays.

The User < username > menu includes the following options:

/cfg/sys/user/edit <username> followed by: password <own

password> <user

password> <confirm

user password>

Sets the login password for the specified user.

Passwords can contain spaces and are case sensitive.

groups cur

Accesses the Groups menu, in order to manage user group assignments (see

“Managing user groups using the CLI” on page 359 ).

Displays the current group settings for the specified user.

Managing user groups using the CLI

All users must belong to at least one group. Only an administrator user can add a new user account to the system, but any user can grant an existing user membership in a group to which the granting user belongs.

By default, the administrator user is a member of all three built-in groups (admin, oper, certadmin) and can therefore add a new user to any of these groups.

However, a certificate administrator, who is a member of the certadmin group only, can add an existing user to the certadmin group only.

If a user belongs to only one group and you want to change the user’s group membership, add the user to the new group first, and then remove the user from the old one.



To set or change a user’s group assignment, access the Groups menu by using the following command:

/cfg/sys/user/edit <username>/groups

The Groups menu displays.

The Groups menu includes the following options:

/cfg/sys/user/edit <username>/groups followed by: list del <group index> add admin|oper|certadmin

Lists all groups to which the user is currently assigned, by group index number.

Removes the user from the specified group.

• group index is an integer indicating the group index number

You must have administrator rights in order to remove other users from groups.

Assigns the user to one of the built-in groups (admin, oper, certadmin).

CLI configuration examples

This section includes the following detailed examples:

•


•

“Changing a user’s group assignment” on page 365

•

“Changing passwords” on page 366

•

“Changing your own password” on page 366

•

“Changing another user’s password” on page 367

•

“Deleting a user” on page 369

Adding a new user

To add a new user to the system, you must be a member of the admin group. By default, only the admin user is a member of the admin group.

320818-A


In this configuration example, a certificate administrator user is added to the system, and then assigned to the certadmin group. The certificate administrator specializes in managing certificates and private keys, without the possibility to change system parameters or configure virtual SSL servers. A user who is a member of the certadmin group can therefore access the Certificate menu

( /cfg/cert ), but not the SSL Server 1001 menu ( /cfg/domain

#/server/ssl ). On the System menu ( /cfg/sys ), the certadmin user has access only to the User submenu ( /cfg/sys/user ).

1 Log on to the Nortel SNAS 4050 cluster as the admin user.

login: admin

Password: (admin user password)

2 Access the User Menu.

>> Main# /cfg/sys/user

------------------------------------------------------------

[User Menu]

passwd - Change own password

list - List all users

del - Delete a user

add - Add a new user

edit - Edit a user

caphrase - Certadmin export passphrase

>> User#

3 Add the new user and designate a user name.

The maximum length for a user name is 255 characters. No spaces are allowed. Each time the new user logs in to the Nortel SNAS 4050 cluster, the user must enter the name you designate as the user name in this step.

>> User# add

Name of user to add: cert_admin (maximum 255 characters, no spaces)

4 Assign the new user to a user group.

You can only assign a user to a group in which you yourself are a member.

When this criterion is met, users can be assigned to one or more of the following three groups:



— oper

— admin

— certadmin

By default, the admin user is a member of all groups above, and can therefore assign a new or existing user to any of these groups. The group assignment of a user dictates the user rights and access levels to the system.

>> User# edit cert_admin

>> User cert_admin# groups/add

Enter group name: certadmin

5 Verify and apply the group assignment.

When you enter the list command, the current and pending group assignment of the user being edited is listed by index number and group name.

Because the cert_admin user is a new user, the current group assignment listed by Old: is empty.

>> Groups# list

Old:

Pending:

1: certadmin

>> Groups# apply

Changes applied successfully.

6 Define a login password for the user.

When the user logs in to the Nortel SNAS 4050 cluster the first time, the user will be prompted for the password you define in this step. When successfully logged on, the user can change his or her own password. The login password is case sensitive and can contain spaces.

>> Groups# /cfg/sys/user

>> User# edit cert_admin

>> User cert_admin# password

Enter admin's current password: (admin user password)

Enter new password for cert_admin: (cert_admin user password)

Re-enter to confirm: (reconfirm cert_admin user password)

320818-A


7 Apply the changes.

>> User cert_admin# apply


8 Let the Certificate Administrator user define an export passphrase.

This step is only necessary if you want to fully separate the Certificate

Administrator user role from the Administrator user role. If the admin user is

removed from the certadmin group (as in <z_blue>Step 9), a Certificate

Administrator export passphrase (caphrase) must be defined.

As long as the admin user is a member of the certadmin group (the default configuration), the admin user is prompted for an export passphrase each time a configuration backup that contains private keys is sent to a

TFTP/FTP/SCP/SFTP server (command: /cfg/ptcfg ). When the admin user is not a member of the certadmin group, the export passphrase defined by the Certificate Administrator is used instead to encrypt private keys in the configuration backup. The encryption of private keys using the export passphrase defined by the Certificate Administrator is performed transparently to the user, without prompting. When the configuration backup is restored, the Certificate Administrator must enter the correct export passphrase.

Note: If the export passphrase defined by the Certificate Administrator is lost, configuration backups made by the admin user while he or she was not a member of the certadmin group cannot be restored.

The export passphrase defined by the Certificate Administrator remains the same until changed by using the /cfg/sys/user/caphrase command. For users who are not members of the certadmin group, the caphrase command in the User menu is hidden. Only users who are members of the certadmin group should know the export passphrase. The export passphrase can contain spaces and is case sensitive.

>> User cert_admin# ../caphrase

Enter new passphrase:

Re-enter to confirm:

Passphrase changed.



9 Remove the admin user from the certadmin group.

Again, this step is only necessary if you want to fully separate the Certificate

Administrator user role from the Administrator user role. Note however, that once the admin user is removed from the certadmin group, only a user who is already a member of the certadmin group can grant the admin user certadmin group membership anew.

When the admin user is removed from the certadmin group, only the

Certificate Administrator user can access the Certificate menu ( /cfg/cert ).

>> User# edit admin

>> User admin# groups/list

1: admin

2: oper

3: certadmin

>> Groups# del 3

Note: It is critical that a Certificate Administrator user is created and assigned certadmin group membership before the admin user is removed from the certadmin group. Otherwise there is no way to assign certadmin group membership to a new user, or to restore certadmin group membership to the admin user, should it become necessary.

10 Verify and apply the changes.

>> Groups# list

Old:

1: admin

2: oper

3: certadmin

Pending:

1: admin

2: oper


320818-A


Changing a user’s group assignment

Only users who are members of the admin group can remove other users from a group. All users can add an existing user to a group, but only to a group in which the “granting” user is already a member. The admin user, who by default is a member of all three groups (admin, oper, and certadmin) can therefore add users to any of these groups.

1 Log on to the Nortel SNAS 4050 cluster.

In this example the cert_admin user, who is a member of the certadmin group, will add the admin user to the certadmin group. The example assumes that the admin user previously removed himself or herself from the certadmin group, in order to fully separate the Administrator user role from the Certificate

Administrator user role.

login: cert_admin

Password: (cert_admin user password)



------------------------------------------------------------

[User Menu]



del - Delete a user


edit - Edit a user


>> User#

3 Assign the admin user certadmin user rights by adding the admin user to the certadmin group.

>> User# edit admin

>> User admin# groups/add

Enter group name: certadmin



Note: A user must be assigned to at least one group at any given time. If you want to replace a user’s single group assignment, you must therefore always first add the user to the desired new group, then remove the user from the old group.


>> Groups# list

Old:

1: admin

2: oper

Pending:

1: admin

2: oper

3: certadmin


Changing passwords

Changing your own password

All users can change their own password. Login passwords are case sensitive and can contain spaces.

1 Log on to the Nortel SNAS 4050 cluster by entering your user name and current password.

login: cert_admin

Password: (cert_admin user password)

320818-A




------------------------------------------------------------

[User Menu]



del - Delete a user


edit - Edit a user


>> User#

Type the passwd command to change your current password.

When your own password is changed, the change takes effect immediately without having to use the apply command.

>> User# passwd

Enter cert_admin's current password: (current cert_admin user password)

Enter new password: (new cert_admin user password)

Re-enter to confirm: (reconfirm new cert_admin user password)

Password changed.

Changing another user’s password

Only the admin user can change another user’s password, and then only if the admin user is a member of the other user’s first group (the group that is listed first for the user with the /cfg/sys/user/edit <username>/groups/list command). Login passwords are case sensitive and can contain spaces.


login: admin






------------------------------------------------------------

[User Menu]



del - Delete a user


edit - Edit a user


>> User#

3 Specify the user name of the user whose password you want to change.

>> User# edit

Name of user to edit: cert_admin

4 Type the password command to initialize the password change.

>> User cert_admin# password

Enter admin's current password: (admin user password)

Enter new password for cert_admin: (new password for user being edited)

Re-enter to confirm: (confirm new password for user being edited)

5 Apply the changes.

>> User cert_admin# apply


320818-A


Deleting a user

To delete a user from the system, you must be a member of the admin group. By default, only the admin user is a member of the admin group.

Note: Remember that when a user is deleted, that user’s group assignment is also deleted. If you are deleting a user who is the sole member of a group, none of the remaining users on the system can then be added to that group. Existing users can only be added to a group by a user who is already a member of that group. Before deleting a user, you may therefore want to verify that the user is not the sole member of a group.


login: admin




------------------------------------------------------------

[User Menu]



del - Delete a user


edit - Edit a user

>> User#

3 Specify the user name of the user you want to remove from the system configuration.

In this example, the cert_admin user is removed from the system. To list all users currently added to the system configuration, use the list command.

>> User# del cert_admin




The imminent removal of the cert_admin user is indicated as a pending configuration change by the minus sign (-). To cancel a configuration change that has not yet been applied, use the revert command.

>> User# list

root

admin

oper

-cert_admin

>> User# apply

Managing system users and groups using the SREM

To manage users, choose from one of the following tasks:

•

“Managing user accounts using the SREM” on page 370

•

“Setting password expiry using the SREM” on page 374

•

“Changing your password using the SREM” on page 376

•

“Changing another user’s password using the SREM” on page 377

•

“Setting the certificate export passphrase using the SREM” on page 379

•

“Managing user groups using the SREM” on page 381

Managing user accounts using the SREM

To manage user accounts, select the System > Manage Users > User Table tab.

320818-A


The User Table appears (see Figure 96

), displaying a list of user accounts that have been added to the Nortel SNAS 4050.

Figure 96 User Table

Only the admin user can add users to the system. After adding a user, you must assign the user to a group (see

“Managing user groups using the SREM” on page 381 ).



Only the admin user can delete users from the system. Of the three built-in users

(admin, oper, and root), only the oper user can be deleted.

Note: When you delete a user, the user’s group assignment is also deleted. If you are deleting a user who is the sole member of a group, none of the remaining users on the system can then be added to that group. Existing users can only be added to a group by a user who is already a member of that group. Before deleting a user, verify that the user is not the sole member of a group.

To manage Nortel SNAS 4050 users, select from the following tasks:

•


•

“Removing existing user accounts” on page 373

Adding new user accounts

To add additional user accounts, perform the following steps:

1 Select the System > Manage Users > User Table tab.

The User Table appears (see Figure 96

).

2 Click Add.

The Add a User dialog box appears (see Figure 97 ).

Figure 97 Add a User

320818-A


3 Enter the user information in the applicable fields.

Table 69

describes the Add a User fields.

Table 69 Add a User fields

Field

Name

Description

The user name for the new user. The maximum length of the user name is 255 characters. No spaces are allowed.

4 Click Apply.

The new user entry appears in the User Table.

5 Click Apply on the toolbar to send the current changes to the Nortel

SNAS 4050. Click Commit on the toolbar to save the changes permanently.

Removing existing user accounts

To remove an existing user, perform the following steps:

1 Select the System > Manage Users > User Table tab.

The User Table appears (see Figure 96 on page 371 ).

2 Select a user entry to remove from the User Table.

3 Click Delete.

A dialog box appears to confirm the deletion of this user account.

4 Click Yes.

The entry is immediately removed from the User Table.





Setting password expiry using the SREM

To set a password expiry date for all passwords in the system, perform the following steps:

1 Select the System > Manage Users > Password Setting tab.

The Password Setting screen appears (see

Figure 98

).

Figure 98 Password Setting

320818-A


2

Enter the Password Setting information in the applicable fields. Table 70

describes the Password Settings fields.

Table 70 Password Settings fields

Field Description

Password Expiration Interval Sets the password expiration interval, in days (d).

A value of 0 indicates that the password never expires.





Changing your password using the SREM

Only the admin user can change the passwords of other users. Logged on users can change their own passwords.

To change the password for the logged on user, perform the following steps:

1 Select the System > Manage Users > Change Your Password tab.

The Change Your Password screen appears (see

Figure 99

).

Figure 99 Change Your Password

320818-A


2

Enter the password information in the applicable fields. Table 71

describes the

Change Your Password fields.

Table 71 Change Your Password fields

Field

Current Password

Enter New Password

Re-enter New Password

Description

The current password.

Sets the new password. The password must be at least four characters and can contain spaces. The password is case sensitive.

Confirms the new password.

3 Click Change Password.

A dialog box appears for confirmation.

4 Click Yes.

5 Click Apply to send the changes to the device. To make the changes permanent, click Commit.

Changing another user’s password using the SREM

Only the admin user can change the passwords of other users.



To change the password for another user, perform the following steps:

1 Select the System > Manage Users > user > Change User Password tab.

The Change User Password screen appears (see

Figure 100 ).

Figure 100 Change User Password

320818-A


2

Enter the password information in the applicable fields. Table 71

describes the

Change User Password fields.

Table 72 Change User Password fields

Field

Current Administrator

Password

Enter New Password

Re-enter New Password

Description

The current password of the admin user performing the change.

Sets the new password. The password must be at least four characters and can contain spaces. The password is case sensitive.

Confirms the new password.

3 Click Change Password.

A dialog box appears for confirmation.

4 Click Yes.

5 Click Apply to send the changes to the device. To make the changes permanent, click Commit.

Setting the certificate export passphrase using the SREM

You can set a certificate administrator’s passphrase for encrypted private keys in a configuration backup, if the certificate administrator role has been separated from the administrator role.

If the admin user is a member of the certadmin group (the default setting), the admin user must provide an export passphrase to protect the private keys in the configuration dump each time the configuration is backed up to an external file server.

Set a certificate administrator export passphrase only if the admin user has removed himself or herself from the certadmin group and added a certificate administrator user with certadmin group rights. When a configuration backup is performed, the certificate export passphrase is automatically used to protect the encrypted private keys. When the configuration is restored from the file exchange server, the user is prompted for the correct certificate export passphrase.



To set a certificate export pass phrase, perform the following steps:

1 Select the System > Manage Users > Set Certificate Export PassPhrase tab.

The Set Certificate Export PassPhrase screen appears (see

Figure 101 ).

Figure 101 Set Certificate Export PassPhrase

320818-A


2 Enter the PassPhrase information in the applicable fields.

Table 73

describes the Set Certificate Export PassPhrase fields.

Table 73 Set Certificate Export PassPhrase fields

Field Description

Enter New Pass Phrase Sets the pass phrase. Must be at least four characters.

Re-enter New Pass Phrase Confirms the pass phrase.

3 Click Set Pass Phrase.



Managing user groups using the SREM

All users must belong to at least one group. Only an administrator user can add a new user account to the system, but any user can grant an existing user membership in a group to which the granting user belongs.

By default, the administrator user is a member of all three built-in groups (admin, oper, certadmin) and can therefore add a new user to any of these groups.

However, a certificate administrator, who is a member of the certadmin group only, can add an existing user to the certadmin group only.

If a user belongs to only one group and you want to change the user’s group membership, add the user to the new group first, and then remove the user from the old one.



To manage the group to which a user belongs, select the System > Manage

Users > user > User Groups tab. The User Groups screen appears, displaying the

user’s current group membership (see Figure 102

).

Figure 102 User Groups

320818-A

Choose from the following tasks to manage users groups:

•

“Adding a user group” on page 382

•

“Removing a user group” on page 383

Adding a user group

To add a new user group, perform the following steps:

1 Select the System > Manage Users > user > User Groups tab.

The User Groups screen appears (see

Figure 102 on page 382

).


2 Click Add.

The Add a User Group dialog box appears (see Figure 103

).

Figure 103 Add a User Group

3

Enter the User Group information in the applicable fields. Table 74 describes

the Add a User Group fields.

Table 74 Add a User Group fields

Field

Name

Description

Specifies the name of the group to which you are adding the user. Options are oper, admin, certadmin.

4 Click Add.

The new user group appears in the table.



Removing a user group

To remove an existing user group from the User Group Table, perform the following steps:

1 Select the System > Manage Users > user > User Groups tab.

The User Groups screen appears (see

Figure 102 on page 382

).

2 Select the group to remove from the User Group Table.

3 Click Delete.

A confirmation dialog appears.

4 Click Yes.



The user group is immediately removed from the User Group Table.



320818-A

Managing system users and groups. Nortel Networks Nortel Secure Network Access Switch 4050

Chapter 8

Managing system users and groups

User rights and group membership

Managing system users and groups using the CLI

Roadmap of system user management commands

Managing user accounts and passwords using the CLI

Managing user settings using the CLI

Managing user groups using the CLI

CLI configuration examples

Adding a new user

Changing a user’s group assignment

Changing passwords

Changing your own password

Changing another user’s password

Deleting a user

Managing system users and groups using the SREM

Managing user accounts using the SREM

Adding new user accounts

Removing existing user accounts

Setting password expiry using the SREM

Changing your password using the SREM

Changing another user’s password using the SREM

Setting the certificate export passphrase using the SREM

Managing user groups using the SREM

Adding a user group

Removing a user group

Related manuals

Table of contents

Managing system users and groups. Nortel Networks Nortel Secure Network Access Switch 4050

Chapter 8

Managing system users and groups

User rights and group membership

Managing system users and groups using the CLI

Roadmap of system user management commands

Managing user accounts and passwords using the CLI

Managing user settings using the CLI

Managing user groups using the CLI

CLI configuration examples

Adding a new user

Changing a user’s group assignment

Changing passwords

Changing your own password

Changing another user’s password

Deleting a user

Managing system users and groups using the SREM

Managing user accounts using the SREM

Adding new user accounts

Removing existing user accounts

Setting password expiry using the SREM

Changing your password using the SREM

Changing another user’s password using the SREM

Setting the certificate export passphrase using the SREM

Managing user groups using the SREM

Adding a user group

Removing a user group

Related manuals

Nortel Networks

4500 Series

Strix Systems

RFM-ACCESS-ONE-32

Nortel Networks

NN47230-301

Westbrass

D302-1-26

Cisco Systems

OL-7064-01

Nortel

Quality Monitoring

Nortel

4050

Panasonic

Router NN46240-501

Nortel Networks

4050

Table of contents