1 Introduction
2 Functions and Concepts
2.1 Types of Operations
3 Managed Object Model
4 Configuration Management
5 Fault Management
1 Introduction
This document provides an overview of the management model and concepts associated with the Local Authentication managed area.
A managed area is represented by a group of Managed Object Classes (MOCs) within the Managed Object Model (MOM).
2 Functions and Concepts
Local Authentication provides a management interface for a standalone authentication service for Operation and Maintenance (O&M) access to the Managed Element (ME). The service does not rely on any data store outside the ME.
The Local Authentication Administrator role, or a similar customer-specific role, is required for the operations described in this document.
Basic Concepts
- O&M User Account
The association of an O&M User with an identity. It includes the username and password for identification and authentication.
- O&M User
One who interacts with the ME, either a human or an automated process, for example in the Management System. In access control terminology, this is called the Subject.
- Role
A role is a set of authorization rules to define access permissions.
- Local Authentication Administrator
The administrator of the Local Authentication managed area: a role of an O&M user that is allowed to manage the O&M user accounts.
O&M Accounts
The Local Authentication model classifies O&M user accounts in the following two categories:
- User account
This account type is used for users that perform normal O&M activities and commands.
- Administrator account
This account type is used for creating Local Authentication users and for giving them sufficient roles to continue system recovery from a fault situation. The ME raises the alarm Local Authentication, Authentication Failure Limit Reached when a wrong password is repeatedly given for this account, for example during a malicious attack.
Password Policy
Password management policies help to achieve secure and strong passwords. Several password policy instances are supported, which makes it possible to create different O&M user account types based on operator policies. A password policy locks an account when the configured limits on failed logon attempts indicate a possible password-cracking attempt. Selection of strong passwords is also important to improve the resistance of passwords against guessing and brute-force attacks. The same password quality setting is applied to all accounts.
For protection against old passwords, the policies expire credentials after a configured lifetime. Password expiry is followed by a grace period during which the user is forced to change the password. If the grace period ends and the password has not been changed, an automatic operational lock is placed on the account.
The O&M user account state diagram for password policy is shown in Figure 1. The states are described in Table 1 and the transitions in Table 2.
| Transition | Description |
|---|---|
| admin lock | According to the procedure in Lock User Account Administratively. |
| admin unlock | According to the procedure in Unlock Administrative Lock for User Account. |
| failure threshold | The account becomes locked because of too many failed logon attempts. |
| oper unlock, unlock timer | According to the procedure in Unlock Operational Lock for User Account. |
| pw expiry, resetPw | The password has expired. The user is forced to change password at the next logon. |
| pw grace period expiry | The account becomes locked because the user did not change the password before the grace period expired. |
| resetPw | According to the procedure in Reset Password for User Account. |
| user pw change | The user changes password. |
Account Policy
Account policy holds non-password related properties of the O&M user accounts.
If an account has not been used for a long time, the system determines the account to be dormant and locks it, based on the settings in the account policy. To re-enable such an account, the action unlockOperationalLock is required.
The O&M user account state diagram for account policy is shown in Figure 2. The states are described in Table 3 and the transitions in Table 4.
| Transition | Description |
|---|---|
| admin lock | According to the procedure in Lock User Account Administratively. |
| admin unlock | According to the procedure in Unlock Administrative Lock for User Account. |
| dormant timer expiry | The account has not been used for a long time, the account becomes dormant, and the account becomes locked. |
| logon | The user logs on to the account. |
| oper unlock | According to the procedure in Unlock Operational Lock for User Account. |
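The password policy and account policy transitions above (Tables 2 and 4) can be read as one state machine per O&M user account. The following Python model is an added illustration written for this page, not Ericsson code and not the ME's implementation: the attribute names passwordMaxFailure and passwordFailureCountInterval are the ones this page uses (Section 5), while max_age, grace_period and dormant_timer are assumed field names, the time unit is assumed to be seconds, and the rule that an operational unlock restarts the dormant timer is an assumption.

```python
from dataclasses import dataclass, field
from enum import Enum

DAY = 86400  # seconds


class State(Enum):
    ACTIVE = "active"
    PW_CHANGE_REQUIRED = "password expired, change required"
    OPER_LOCKED = "operationally locked"
    ADMIN_LOCKED = "administratively locked"


@dataclass
class PasswordPolicy:
    passwordMaxFailure: int = 5               # attribute name from this page
    passwordFailureCountInterval: int = 300   # attribute name from this page; seconds assumed
    max_age: int = 90 * DAY                   # assumed field: password lifetime
    grace_period: int = 7 * DAY               # assumed field: grace period after expiry


@dataclass
class AccountPolicy:
    dormant_timer: int = 180 * DAY            # assumed field: idle time before the account is dormant


@dataclass
class UserAccount:
    name: str
    pw_set_at: float                          # when the current password was set
    last_logon: float                         # last successful logon (or operational unlock)
    state: State = State.ACTIVE
    lock_reason: str = ""
    failures: list = field(default_factory=list)  # timestamps of recent failed logons


def apply_timers(acct, pwp, accp, now):
    """Timer transitions: dormant timer expiry, pw expiry, pw grace period expiry."""
    if acct.state in (State.ADMIN_LOCKED, State.OPER_LOCKED):
        return
    if now - acct.last_logon > accp.dormant_timer:
        acct.state, acct.lock_reason = State.OPER_LOCKED, "dormant timer expiry"
    elif now - acct.pw_set_at > pwp.max_age + pwp.grace_period:
        acct.state, acct.lock_reason = State.OPER_LOCKED, "pw grace period expiry"
    elif now - acct.pw_set_at > pwp.max_age:
        acct.state = State.PW_CHANGE_REQUIRED


def logon(acct, pwp, accp, now, password_ok):
    """One logon attempt ('logon' and 'failure threshold' transitions); returns the outcome."""
    apply_timers(acct, pwp, accp, now)
    if acct.state in (State.ADMIN_LOCKED, State.OPER_LOCKED):
        return f"rejected: {acct.state.value} ({acct.lock_reason})"
    if not password_ok:
        # Count only failures inside the sliding passwordFailureCountInterval window.
        acct.failures = [t for t in acct.failures + [now]
                         if now - t <= pwp.passwordFailureCountInterval]
        if len(acct.failures) > pwp.passwordMaxFailure:   # threshold exceeded
            acct.state, acct.lock_reason = State.OPER_LOCKED, "failure threshold"
            return "rejected: operationally locked (failure threshold)"
        return "rejected: wrong password"
    acct.failures.clear()
    acct.last_logon = now
    if acct.state is State.PW_CHANGE_REQUIRED:
        return "accepted: password change required"
    return "accepted"


def user_pw_change(acct, now):
    """'user pw change': allowed only while the account is not locked."""
    if acct.state not in (State.ACTIVE, State.PW_CHANGE_REQUIRED):
        raise PermissionError(f"{acct.name} is {acct.state.value}")
    acct.pw_set_at, acct.state = now, State.ACTIVE


def reset_pw(acct, now):
    """'resetPw' by the administrator: new password that the user must change at the
    next logon. Clears an operational lock only if grace period expiry caused it."""
    if acct.state is State.ADMIN_LOCKED:
        raise PermissionError("remove the administrative lock first")
    if acct.state is State.OPER_LOCKED and acct.lock_reason != "pw grace period expiry":
        raise PermissionError("use unlockOperationalLock for this lock")
    acct.pw_set_at, acct.state, acct.lock_reason = now, State.PW_CHANGE_REQUIRED, ""


def admin_lock(acct):
    """'admin lock': overrides any other state until an explicit admin unlock."""
    acct.state, acct.lock_reason = State.ADMIN_LOCKED, "admin lock"


def admin_unlock(acct):
    """'admin unlock': only removes an administrative lock."""
    if acct.state is State.ADMIN_LOCKED:
        acct.state, acct.lock_reason = State.ACTIVE, ""


def unlock_operational_lock(acct, now):
    """'oper unlock' / 'unlock timer' / the unlockOperationalLock action. Treats the
    unlock as account activity so the dormant timer restarts (assumption)."""
    if acct.state is State.OPER_LOCKED:
        acct.state, acct.lock_reason, acct.failures = State.ACTIVE, "", []
        acct.last_logon = now
```

Two points the tables state only implicitly are visible in the model: the failure counter is a sliding window, so six wrong passwords spread over ten minutes with a 300-second passwordFailureCountInterval never reach the threshold, while six within a few seconds lock the account; and resetPw only clears the operational lock that password expiry caused, whereas a dormant or failure-threshold lock needs unlockOperationalLock and an administrative lock needs admin unlock.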
2.1 Types of Operations
Local Authentication supports the following operations:
Manage O&M User Accounts
- Create, change, and delete user account
An O&M user account can be created and modified. It includes the username and password used for identification and authentication. The procedures in Create User Account, Change User Account, and Delete User Account provide further details on how to perform these operations.
- Create, change, and delete account policy
An account policy for user accounts can be created and modified. All non-password related properties of a user account are associated with an account policy. The procedures in Create Account Policy, Change Account Policy, and Delete Account Policy provide further details on how to perform these operations.
- Create, change, and delete password policy
Security and usability of passwords are achieved by password management policies and the possibility to enforce strong passwords. The procedures in Create Password Policy, Change Password Policy, and Delete Password Policy provide further details on how to perform these operations. Strong passwords must be selected to withstand brute-force password attacks. The procedure in Change Password Quality Configuration provides further details on how to perform this operation.
- Reset password for user account
A reset password operation must be performed by the administrator when a user account is locked because of password expiry. The procedure in Reset Password for User Account provides further details on how to perform this operation.
- Set user roles for user account
A user account is assigned roles that grant access to control the node resources. The procedure in Set User Roles for User Account provides further details on how to perform this operation.
- Lock and unlock user account
The administrator can lock and unlock a user account. The procedures in Lock User Account Administratively and Unlock Administrative Lock for User Account provide further details on how to perform these operations. A user account can also be locked by the system; such a lock can be removed by the administrator. The procedure in Unlock Operational Lock for User Account provides further details on how to perform this operation.
Manage O&M Administrator Account
- Change administrator account
Administrator account attributes can be updated when authentication to regular O&M accounts is not possible. The procedure in Change Administrator Account provides further details on how to perform this operation.
3 Managed Object Model
The Local Authentication managed area is represented in the Managed Object Model (MOM) as follows:
ManagedElement
+-SystemFunctions
  +-SecM
    +-UserManagement
      +-LocalAuthenticationMethod
        +-AccountPolicy
        +-AdministratorAccount
        +-PasswordPolicy
        +-PasswordQuality
        +-UserAccountM
          +-UserAccount
For general information about the MOM, MOCs, Managed Objects (MOs), cardinality, and related concepts, refer to Managed Object Model User Guide.
The Local Authentication MOCs are described in Table 5.
| Managed Object Class | Description |
|---|---|
| LocalAuthenticationMethod | The root MOC of Local Authentication. |
| AccountPolicy | Handles properties of account policy. |
| AdministratorAccount | Used for initial and recovery scenarios when authentication to regular O&M accounts is inaccessible. |
| PasswordPolicy | Handles properties of password policy. |
| PasswordQuality | Handles the criteria of password quality checking. |
| UserAccountM | Defines and handles the management of O&M user accounts. |
| UserAccount | Represents a user account. The O&M users must authenticate to a UserAccount MO to access the ME. |
4 Configuration Management
Local Authentication is accessed using NETCONF or the Ericsson Command-Line Interface (ECLI) to manipulate the Management Information Base (MIB).
The following operations can be performed by the Local Authentication Administrator on these MOs and are described in Operating Instructions using the ECLI:
Manage O&M User Accounts
- Create User Account
- Change User Account
- Delete User Account
- Create Account Policy
- Change Account Policy
- Delete Account Policy
- Create Password Policy
- Change Password Policy
- Delete Password Policy
- Change Password Quality Configuration
- Reset Password for User Account
- Set User Roles for User Account
- Lock User Account Administratively
- Unlock Administrative Lock for User Account
- Unlock Operational Lock for User Account
Manage O&M Administrator Account
- Change Administrator Account
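Over NETCONF, every one of these operations is an edit-config that addresses an MO by its position in the containment tree of Section 3. The Python helper below is an added example for this page, not Ericsson code: it validates a distinguished name against the containment tree shown in Section 3 and emits a standard NETCONF edit-config for it. The NETCONF base namespace and the merge/create/delete edit operations are standard; the MOM namespace urn:example:local-authentication, the key-leaf naming convention (UserAccount carries userAccountId) and the DN syntax are assumptions to be replaced by the ME's own YANG module. Only passwordMaxFailure and passwordFailureCountInterval are attribute names taken from this page.

```python
import xml.etree.ElementTree as ET

# Containment from the MOM tree on this page: parent MOC -> allowed child MOCs.
CONTAINMENT = {
    "ManagedElement": {"SystemFunctions"},
    "SystemFunctions": {"SecM"},
    "SecM": {"UserManagement"},
    "UserManagement": {"LocalAuthenticationMethod"},
    "LocalAuthenticationMethod": {"AccountPolicy", "AdministratorAccount",
                                  "PasswordPolicy", "PasswordQuality", "UserAccountM"},
    "UserAccountM": {"UserAccount"},
}
NC_NS = "urn:ietf:params:xml:ns:netconf:base:1.0"   # standard NETCONF base namespace
MOM_NS = "urn:example:local-authentication"          # ASSUMED placeholder for the ME's YANG namespace


def parse_dn(dn):
    """'ManagedElement=1,...,UserAccount=oam1' -> [('ManagedElement', '1'), ...] (assumed DN syntax)."""
    parts = []
    for rdn in dn.split(","):
        cls, _, ident = rdn.partition("=")
        if not cls.strip() or not ident.strip():
            raise ValueError(f"malformed RDN: {rdn!r}")
        parts.append((cls.strip(), ident.strip()))
    return parts


def validate_dn(parts):
    """Reject DNs that do not follow the containment tree; returns True otherwise."""
    if parts[0][0] != "ManagedElement":
        raise ValueError("DN must start at ManagedElement")
    for (parent, _), (child, _) in zip(parts, parts[1:]):
        if child not in CONTAINMENT.get(parent, set()):
            raise ValueError(f"{child} is not contained by {parent}")
    return True


def is_valid_dn(dn):
    try:
        return validate_dn(parse_dn(dn))
    except ValueError:
        return False


def id_leaf(cls):
    """Key leaf name for a MOC, e.g. UserAccount -> userAccountId (assumed convention)."""
    return cls[0].lower() + cls[1:] + "Id"


def build_edit_config(dn, attributes, operation="merge"):
    """Build an <edit-config> on the running datastore that applies `attributes` to the
    MO at `dn`; `operation` is a NETCONF edit operation (merge, create or delete)."""
    parts = parse_dn(dn)
    validate_dn(parts)
    ET.register_namespace("nc", NC_NS)
    root = ET.Element(f"{{{NC_NS}}}edit-config")
    ET.SubElement(ET.SubElement(root, f"{{{NC_NS}}}target"), f"{{{NC_NS}}}running")
    node = ET.SubElement(root, f"{{{NC_NS}}}config")
    for cls, ident in parts:                      # nest one element per containment level
        node = ET.SubElement(node, f"{{{MOM_NS}}}{cls}")
        ET.SubElement(node, f"{{{MOM_NS}}}{id_leaf(cls)}").text = ident
    node.set(f"{{{NC_NS}}}operation", operation)  # the operation applies to the target MO only
    for name, value in attributes.items():
        ET.SubElement(node, f"{{{MOM_NS}}}{name}").text = str(value)
    return ET.tostring(root, encoding="unicode")


def find_mo(xml_text, dn):
    """Locate the target MO element inside an edit-config produced above (for checking)."""
    path = f"{{{NC_NS}}}config/" + "/".join(f"{{{MOM_NS}}}{cls}" for cls, _ in parse_dn(dn))
    return ET.fromstring(xml_text).find(path)


if __name__ == "__main__":
    DN = ("ManagedElement=1,SystemFunctions=1,SecM=1,UserManagement=1,"
          "LocalAuthenticationMethod=1,PasswordPolicy=1")
    print(build_edit_config(DN, {"passwordMaxFailure": 5, "passwordFailureCountInterval": 300}))
```

The containment check is the part worth keeping when scripting against a real ME: a DN that places UserAccount directly under LocalAuthenticationMethod, skipping UserAccountM, is rejected before anything is sent, and the nc:operation attribute is set on the target MO alone so a delete of one UserAccount cannot be mistaken for a delete of its parent.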
5 Fault Management
The Local Authentication alarm is described in Table 6.
| Alarm | Description |
|---|---|
| Local Authentication, Authentication Failure Limit Reached | The number of failed logon attempts on the administrator account exceeds the threshold passwordMaxFailure within the time interval passwordFailureCountInterval. |