Authentication and Authorization

Authentication is the process of confirming the alleged identity of a service requester; while several authentication methods are in use, authentication is most often performed by simple password verification.

Authorization, a process performed after authentication, determines the access or privilege level accorded an authenticated requester. Authorization answers two questions. Does this requester have access to a specific system resource (for example, a file or a configuration object)? If so, what kind of access (for example, create, destroy, or modify)? While there are several authorization methods, authorization is usually accomplished by assigning an authenticated requester to one of a number of pre-defined authorization classes. Conceptually, each class lists available objects, along with an associated object-access type (often expressed as read-only, write-only, or read-write).

Local Authentication and Authorization

This section describes user authentication and authorization performed locally by a Oracle OCSBC that has either the Admin Security or JITC feature set provisioned.

The feature sets provide two pre-defined user names

user
admin

Each of the two user names is associated with an eponymous authorization class which defines the access/privilege level for that user.

user (authorization class)

provides read-only access to non-security configurations
provides read access to visible files
login to user mode
cannot switch to admin mode

admin (authorization class)

provides read-write access to all configuration
provides read/write access to a sub-set of file system elements
login to admin mode
cannot switch to user mode

Console Login

With the addition of the Admin Security feature, local login to the OCSBC is restricted to the two previously described usernames (user and admin) via the console/serial connection. The following table summarizes default authentication and authorization for local logins.

User Name

Logins into/prompt

Authentication

Authorization

user

user mode

authenticated locally by OCSBC via password

authorized locally by OCSBC

assigned to user class

inherits access/privilege defined by that class

admin

admin mode

authenticated locally by OCSBC via password

authorized locally by OCSBC

assigned to admin class

inherits access/privilege defined by that class

Serial Port Control

With the addition of the Admin Security feature, you may enable or disable access to the serial (console) port. In the absence of this feature, access to the serial is generally available. The ACLI command console-io functions as a switch that you set to enabled to allow serial port access and to disabled to keep the serial port from being used.

If you remove the administrative management feature after disabling the serial port, the OCSBC reverts to its default behavior by providing serial port access.

To turn off access to the serial port:

At the system prompt, type console-io followed by a Space. Then type disabled and press Enter.
```
ORACLE# console-io disabled
```
If you want to re-enable the serial port, use the same command with the enabled argument.

Initial Login

Upon initial login user and admin are required to change the respective password. Initial login is completed only after password change and acknowledgment of the login banner.

The following figure shows the initial login screen for the admin role (the user role views a nearly identical screen).

To complete initial login:

Enter one of the recognized user name (user or admin) in response to the Username: prompt.
Enter the factory default password in response to the Password: prompt.

The factory default user password is acme; the factory default admin password is packet.

Initial admin Login (Console Access)
Enter a new password in response to the Enter New Password: prompt.

Passwords must meet the following length/strength requirements.
- user password must contain at least 9 characters
- admin password must contain at least 15 characters
- passwords must contain at least 2 lower case alphabetic characters
- passwords must contain at least 2 upper case alphabetic characters
- passwords must contain at least 2 numeric characters
- passwords must contain at least 2 special characters
- passwords must differ from the prior password by at least 4 characters
- passwords cannot contain, repeat, or reverse the user name
- passwords cannot contain three consecutive identical characters
Re-enter the new password in response to the Confirm New Password: prompt.
Enter y to acknowledge reading the login banner to complete initial login.

Remote SSH Login with Password

With the addition of the Admin Security feature, remote access, via the management interface (also referred to as wancom0), is available using SSH Version 2.

The following figure shows remote SSH access for both user and admin)

This screenshot shows remote SSH access for both user and admin.

Remote SSH Login

The following table summarizes default authentication and authorization for remote SSH logins.

User Name	Logins into/prompt	Authentication	Authorization
user	user mode >	authenticated locally by OCSBC via password	authorized locally by OCSBC assigned to user class inherits access/privilege defined by that class
admin	admin mode #	authenticated locally by OCSBC via password	authorized locally by OCSBC assigned to admin class inherits access/privilege defined by that class

Remote SSH Login with Public Key

The previous section described password-based SSH authentication. Alternatively, with the addition of the Admin Security feature, you can authenticate using SSH public keys.

Prior to using SSH-public-key-based authentication you must import a copy of the public key of each user who will authenticate using this method. The public key identifies the user as a trusted entity when the Oracle OCSBC performs authentication.

During the SSH login, the user presents its public key to the OCSBC, which validates the offered public key against the previously obtained trusted copy of the key to identify and authenticate the user.

Importing a public key requires access to the device on which the public key was generated, or on which it is currently stored with its associated private key. Access is generally attained with a terminal emulation program such as PuTTY, SecureCRT, or TeraTerm.

Use a terminal emulation program to access the system from which the public key will be obtained.
Copy the base64 encoded public key making sure in include the Begin and End markers as specified by RFC 4716, The Secure Shell (SSH) Public Key File Format.
Use the ssh-pub-key command to import the public key to the OCSBC.
For importing a public key which will be used to authorize a user, this command takes the format:
```
ssh-pub-key import authorized-key <name> <authorizationClass>
```
- where name is an alias or handle assigned to the imported public key, often the user’s name.
- where authorizationClass designates the authorization class assigned to this user, and takes the value user (the default) or admin.
To import a public key for Dwight who will be authorized for user privileges, use the following command
```
ORACLE# ssh-pub-key import authorized-key Dwight
ORACLE# 
```
To import a public key for Matilda who will be authorized for admin privileges, use the following command
```
ORACLE# ssh-pub-key import authorized-key Matilda admin
ORACLE# 

IMPORTANT:
    Please paste ssh public key in the format defined in RFC 4716. 
    Terminate the key with ";" to exit....... 
```
Paste the public key with the bracketing Begin and End markers at the cursor point.
Enter a semi-colon (;) to signal the end of the imported host key.

Follow directions to save and activate the configuration.

The entire import sequence is shown below.

ORACLE# ssh-pub-key import authorized-key Matilda admin 

IMPORTANT: 
    Please paste ssh public key in the format defined in RFC 4716.
    Terminate the key with ";" to exit....... 

---- BEGIN SSH2 PUBLIC KEY ---- 
Comment: "1024-bit RSA, converted from OpenSSH by abhat@acme74" 
AAAAB3NzaC1yc2EAAAABIwAAAIEAxcYTV595VqdHy12P+mIZBlpeOZx9sX/mSAFihDJYdL
qJIWdiZuSmny8HZIxTIC6na62iD25mlEdyLhlYOuknkYBCU7UsLwmx4dLDyHTbrQHz3b1q
3Tb8auz97/J1p4pw39PT42CoRODzPBrXJV+OglNE/83C1y0SSJ8BjC9LEwE= 
---- END SSH2 PUBLIC KEY ----; 
SSH public key imported successfully.... 
WARNING: Configuration changed, run "save-config" command to save it 
and run "activate-config" to activate the changes 
ORACLE# save-config 
checking configuration 
---------------------------------------------------------------------
... 
... 
... 
---------------------------------------------------------------------
Save-Config received, processing.
waiting for request to finish
Request to 'SAVE-CONFIG' has Finished, 
Save complete 
Currently active and saved configurations do not match!
To sync & activate, run 'activate-config' or 'reboot activate'.
ORACLE# activate-config 
Activate-Config received, processing.
waiting for request to finish
SD is not QOS-capable
Request to 'ACTIVATE-CONFIG' has Finished,
Activate Complete 
ORACLE#

If necessary, repeat the above procedure to import additional user-specific public keys.

Note:

Imported SSH public keys are subject to the same expiration policies and procedures as passwords. An SSH public key’s lifetime is the same as a password, and it is subject to the same notifications and grace intervals. If an SSH public key expires, the admin user must import a new SSH public key for the user. To ensure continuity of access, the admin should import a new SSH public key prior to the key expiration.

The following figure shows the successful SSH-public-key based authentication of Matilda, who has logged in with admin privileges, and Dwight who has logged in with user privileges.

The following screenshot of the CLI shows the successful SSH-public-key based authentication of Matilda, who has logged in with admin privileges, and Dwight who has logged in with user privileges.

Note in the figure above that the login banner refers to the admin and user login by the aliases used when the trusted copies of their SSH public keys were imported. In all respects, however, Dwight is a user instance, and Matilda is a admin instance.

The following table summarizes default authentication and authorization for remote SSH logins.

User Name	Logins into/prompt	Authentication	Authorization
not relevant	user mode > or admin mode #	authenticated locally by OCSBC via SSH public key	authorized locally by OCSBC authorization determined by authorizationClass command argument (user or admin) inherits access/privilege defined by the specified class

User Name

Logins into/prompt

Authentication

Authorization

not relevant

user mode

admin mode

authenticated locally by OCSBC via SSH public key

authorized locally by OCSBC authorization determined by authorizationClass command argument (user or admin) inherits access/privilege defined by the specified class

Two-Factor Authentication

Two-factor authentication provides an extra level of security for the Oracle Communications Session Border Controller (OCSBC) by requiring users to enter a Passcode during login, in addition to their Username and Password credentials. Two-factor authentication applies to the Super User for both local and SSH login to the ACLI, and for HTTPS login to the Web GUI.

The two-factor authentication option requires the Admin Security feature be provisioned, and you must enable the option by setting login-auth-method to "two-factor" and saving the configuration. After you set "two-factor" and save the configuration, the OCSBC prompts you to set the Passcode.

The following illustration shows the configuration workflow on the ACLI.

SBC(configure)# security
SBC(security)# admin-security
SBC(admin-security)# login-config
SBC(login-config)# login-auth-method two-factor
SBC# save-config
Checking configuration.
*********************************************************
Admin passcode has not been set. Please set passcode now.
*********************************************************
Enter New Passcode:
Confirm New Passcode:
Save-Config received, processing.
Waiting for request to finish.
Request to Save-Config has finished.
Save complete.

The following illustration shows the user login experience on the ACLI after you enable two-factor authentication.

Username: ABCDEF
Password: *****
Two Factor authentication mode enabled
Passcode: 

--------------------------------------------------------------------------------
Last login : 2017-03-28 11:07:27
System last accessed by "admin", 2017-03-28 11:07:36
WARNING: Unsuccessful login attempts were made for 'admin'
on 2017-03-28 11:12:24
--------------------------------------------------------------------------------
Confirm reading the above message [y/n]?: y

Passcodes must conform to the length and strength requirements specified in "Enable Two-Factor Authentication."

When you want to change the Passcode in the future, use the secret command that you also use for changing the Username and Password.

You can enable two-factor authentication only from the ACLI.

Two-factor authentication does not support RADIUS, TACACS, and HTTP.

Enable Two-Factor Authentication

To enable two-factor authentication for local or SSH login, you must set two-factor as the login authentication method and set the Passcode.

Import the local certificate and the local certificate CA into the OCSBC.
Configure the Web server for HTTPS.
Provision the Admin Security feature.

The passcode must meet the following length and strength requirements:

Must contain only upper and lower case alphabetical letters, numbers, and punctuation characters
Must contain a minimum of fifteen characters
Must contain two lower-case alphabetical letters
Must contain two upper-case alphabetical letters
Must contain two numerals
Must contain two special characters
Cannot contain, repeat, or reverse the user name
Can not contain three of the same characters used consecutively
Must differ from the previous passcode by at least four characters
Must differ from the last three previous passcodes
Cannot change more than once every 24 hours

Access the login-config configuration element.

ORACLE# configure terminal
ORACLE(configure)# security
ORACLE(security)# admin-security
ORACLE(admin-security)# login-config

Press Enter.
The system displays the ORACLE (login-config) prompt.
Type # login-auth-method two-factor.
Save the configuration.
The system prompts you to set the passcode.
Enter the passcode.
Confirm the passcode.
Type done to save the configuration.

RADIUS Authentication and Authorization

As an alternative to the local authentication/authorization described in previous sections, users may prefer to use a RADIUS server or server group for authentication and authorization.

For information on configuring between RADIUS servers and the OCSBC refer to RADIUS Authentication in the ACLI Configuration Guide .

A RADIUS users file (shown below), stored on the RADIUS server, provides the basis for server authentication and authorization decisions.

RADIUS Users File

Upon receiving a login request, the OCSBC sends a RADIUS Access Request message to the RADIUS server. The request message contains, among other things, the username:password requesting access to OCSBC resources. Upon receiving the request, the RADIUS server checks its user file for the username:password pair. If its finds a congruent match, the requestor is authenticated.

Successful authentication generates a Access Accept message to the OCSBC; the message also contains the contents of two Oracle Vendor Specific Attributes (VSAs). Acme-User-Class specifies the configuration privileges accorded the authenticated user. Acme-User-Privilege specifies the log file access accorded to the authenticated user. Together these two VSAs provide the authorization function. Consequently, the RADIUS server functions as an authentication and authorization decision point, while the OCSBC functions as an enforcement point.

RADIUS Authorization Classes

The RADIUS authorization classes, as specified by the Acme-User-Class VSA, do not coincide directly with those used to authorize the two pre-defined local usernames (user and admin). The RADIUS authorization classes are as follows:

user (RADIUS Acme-User-Class = user)

provides read-only for all system configuration (including cryptographic keys and certificates)
The login prompt for this user is ORACLE>

SystemAdmin (RADIUS Acme-User-Class = SystemAdmin)

provides read-write access for system configuration (not including cryptographic keys and certificates)
The login prompt for this user is ORACLE$

Admin (RADIUS Acme-User-Class = admin)

provides read-write access for all system configuration (including cryptographic keys and certificates.
The login prompt for this user is ORACLE#

RADIUS and SSH

When logging in via SSH and authenticating with RADIUS, username/password authentication for the two pre-defined user names (user, admin) is disabled. Attempts to login via SSH are rejected as shown in the following figure.

This screenshot of the CLI shows the rejection message when a user attempts to login via SSH and authenticating with RADIUS.

Local User Login with SSH (RADIUS Enabled)

If you want to enable user and admin access via SSH with RADIUS configured, you must explicitly define users on the RADIUS server with appropriate Acme-User-Class.

RADIUS and Password Policies

With RADIUS enabled, passwords are stored and controlled on the remote RADIUS server or servers. Consequently, none of the length/strength, re-use, history, or expiration requirements mandated by the local password policy are applicable to RADIUS passwords. Most RADIUS servers, however, do enforce password policies of their own.

TACACS+ Support

As an alternative to the local authentication/authorization described in previous sections, the OCSBC supports TACACS+ in both Admin Security mode and JITC. The OCSBC allows HTTPS, SSH, and SFTP logins with TACACS+ credentials, honoring the privilege level returned by the TACACS+ server and, if tacacs-authorization is enabled, validates commands via TACACS+ when the user has privileges.

Note:

For SFTP, only TACACS+ users with admin privileges have permission to login.

When TACACS+ is configured and a Public Key Infrastructure (PKI) user logs into the OCSBC, the OCSBC performs the authentication locally against the locally stored public RSA key, but performs authorization and accounting with TACACS+. This means that, instead of adhering to the permissions configured when importing the public key, the OCSBC queries the TACACS+ server and generates start/stop accounting records using TACACS+ settings.