User Administration and Security

User Account Security Levels

Craft user accounts are assigned one of the following security roles, each with its own set of permitted commands:

  • Admin - Provides access to all commands except the certificate security controls.
  • Maintenance - Provides access to maintenance and diagnostic functions, including turn-up and upstream remote connection capability.
  • Read-Only - Provides read-only access to diagnostic functions.
  • Security Admin - Provides access to the security controls for certificates.

Local User Accounts

The Optical Line Terminal (OLT) maintains a local user account database that can store up to 15 local user accounts. This database exists so that craft interface access remains possible if connectivity to Panorama PON EMS is lost. Local user accounts are subject to the same security policies as the rest of the system and have the following characteristics:

  • Local user accounts are authenticated at the OLT and can be authenticated with or without network connectivity.
  • Local user accounts are limited to one OLT and must be maintained on a per-OLT basis.
  • A Security Admin user can manage local user accounts and their security policies either through Panorama PON EMS, which is the preferred method (see the “Local Craft User Account Management” section in the Tellabs 1100 Series Optical LAN Managing the PON User’s Guide), or locally at the OLT (see adduser and deluser).
  • A local user can manage his or her personal password in the local OLT database. The password remains local to one OLT and is managed on a per-NE basis (see passwd) via the CLI.
  • Admin users can reset a user password in the local OLT database. The password remains local to that OLT and is managed on a per-OLT basis (see resetpasswd).

Remote User Accounts

Remote user accounts are validated with the Remote Authentication Dial-In User Service (RADIUS) protocol, which provides centralized authentication, authorization, and accounting (AAA) for users who connect to a network service (see the “Remote Authentication Dial-In Services (RADIUS) Profiles” section in the Tellabs 1100 Series Optical LAN Managing the PON User’s Guide). The OLT always consults its own account database before RADIUS: when a user logs in, the OLT first attempts to authenticate the user in the local (OLT) database; if that fails, it attempts to authenticate the user via RADIUS; if neither the local database nor RADIUS authenticates the user, the logon is refused.

Remote user accounts have characteristics similar to local craft user accounts.

When a craft user attempts to log on, the following process occurs:

  1. The NE first attempts to authenticate the craft user in the local NE database.
  2. If the user cannot be authenticated and a RADIUS server is configured, the NE attempts to authenticate the user in the RADIUS server database.
  3. If neither the local database nor RADIUS authenticates the user, a rejection message is issued and the user is denied access.
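The login sequence above, as an added example in Python (not Tellabs code and not the OLT's implementation): a local-first authentication chain over a per-OLT account store, with the OLT-to-RADIUS leg framed per RFC 2865, including the User-Password hiding (MD5 of the shared secret and the Request Authenticator, XORed over the padded password) and the Response Authenticator check a client should perform before trusting an Access-Accept. The salted PBKDF2 storage, the two-attribute request (a real OLT will also send attributes such as NAS-IP-Address), the fixed identifier, and the in-process radius_handle stand-in for the RADIUS server are assumptions made for illustration; the chain follows the text literally in that any local failure, whether an unknown user or a wrong password, falls through to RADIUS when a server is configured.

```python
"""Craft login chain (local OLT database, then RADIUS, else reject) plus the RFC 2865
framing and User-Password hiding on the OLT-to-RADIUS leg. Added example, not Tellabs
code; storage format, attribute set and the in-process RADIUS handler are assumptions."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2
PBKDF2_ROUNDS = 50_000  # assumed; the OLT's real on-box password format is not documented here

def make_local_db(accounts):
    """Per-OLT local store built from {user: (password, role)}; the input is a constructed sample."""
    db = {}
    for user, (password, role) in accounts.items():
        salt = os.urandom(16)
        db[user] = (salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS), role)
    return db

def check_local(db, user, password):
    """Return the role if the local OLT database authenticates the user, else None."""
    if user not in db:
        return None
    salt, digest, role = db[user]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return role if hmac.compare_digest(candidate, digest) else None

def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: NUL-pad to 16-byte blocks, XOR block i with MD5(secret + previous output block)."""
    p = password.encode()
    p += b"\x00" * (-len(p) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(p), 16):
        prev = bytes(x ^ y for x, y in zip(p[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def unhide_password(hidden, secret, authenticator):
    """Inverse of hide_password; needs the same shared secret and the Request Authenticator. Returns bytes."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def _attr(attr_type, value):
    return bytes([attr_type, 2 + len(value)]) + value  # Type, Length (including header), Value

def _packet(code, ident, authenticator, attrs):
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs

def build_access_request(ident, user, password, secret):
    """Access-Request with a fresh random Request Authenticator; returns (packet, authenticator)."""
    ra = os.urandom(16)
    attrs = _attr(ATTR_USER_NAME, user.encode()) + _attr(ATTR_USER_PASSWORD, hide_password(password, secret, ra))
    return _packet(ACCESS_REQUEST, ident, ra, attrs), ra

def parse_attrs(attrs):
    """Walk the TLV list into {type: value}."""
    out, i = {}, 0
    while i < len(attrs):
        out[attrs[i]] = attrs[i + 2:i + attrs[i + 1]]
        i += attrs[i + 1]
    return out

def radius_handle(pkt, secret, users):
    """Constructed stand-in for the RADIUS server: checks User-Name/User-Password against {user: password}."""
    _, ident, length = struct.unpack("!BBH", pkt[:4])
    ra, attrs = pkt[4:20], parse_attrs(pkt[20:length])
    user = attrs[ATTR_USER_NAME].decode()
    password = unhide_password(attrs[ATTR_USER_PASSWORD], secret, ra)
    ok = user in users and hmac.compare_digest(users[user].encode(), password)
    code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret); no attributes here.
    resp_auth = hashlib.md5(struct.pack("!BBH", code, ident, 20) + ra + secret).digest()
    return _packet(code, ident, resp_auth, b"")

def verify_response(resp, ident, request_auth, secret):
    """Accept a reply only if its Response Authenticator binds it to our request and the shared secret."""
    code, rid, length = struct.unpack("!BBH", resp[:4])
    expected = hashlib.md5(struct.pack("!BBH", code, rid, length) + request_auth + resp[20:length] + secret).digest()
    return rid == ident and hmac.compare_digest(resp[4:20], expected)

def authenticate(user, password, local_db, radius=None, secret=b"", ident=1):
    """Local database first; any local failure falls through to RADIUS when one is configured; else reject."""
    role = check_local(local_db, user, password)
    if role is not None:
        return ("local", role)
    if radius is not None:
        pkt, ra = build_access_request(ident, user, password, secret)
        resp = radius(pkt)
        if verify_response(resp, ident, ra, secret) and resp[0] == ACCESS_ACCEPT:
            return ("radius", None)  # how remote users map to a role is outside this example
    return ("rejected", None)
```

Rewriting the code byte of an Access-Reject to Access-Accept fails verify_response, because the forger does not hold the shared secret that goes into the Response Authenticator. The User-Password hiding, on the other hand, is only MD5 keyed with that same secret and a 16-byte authenticator, so both the secret and the OLT-to-RADIUS path need protecting; RADIUS gives no confidentiality beyond that.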

Tellabs 1100 Series Optical LAN OLTs communicate directly with the RADIUS server for craft user authentication. The local user account and RADIUS configuration of an OLT is managed either by Panorama PON EMS through the OLT User Administration function or by a Security Admin level user accessing the NE through the craft user interface. For details on user administration, see adduser or “NE User Administration” in the Tellabs 1100 Series Optical LAN Managing the PON User’s Guide.

Viewing Craft User Account Information

At the OLT, any craft user can view the information for his or her own account, such as the last login, current access level, and days remaining until password expiration. An Admin or Security Admin user can view information for all local user accounts, as well as for the read-only craft/adsl2+ and the admin-level admin/tellabs static (built-in) accounts.