Configuring Li Administrators - Cisco ASR 5000 Series Administration Manual
Staros release 21.4
Hide thumbs
Also See for ASR 5000 Series:
- Product overview (992 pages) ,
- Installation manual (317 pages) ,
- Administration manual (234 pages)
Table of Contents
Advertisement
System Settings
• Additional keyword options are available that identify active administrators or place time thresholds on
the administrator. Refer to the Command Line Interface Reference for more information about the
inspector command.
• The nopassword option allows you to create an inspector without an associated password. Enable this
option when using ssh public keys (authorized key command in SSH Configuration mode) as a sole
means of authentication. When enabled this option prevents someone from using an inspector password
to gain access to the user account.
Save the configuration as described in the Verifying and Saving Your Configuration chapter.
Configuring LI Administrators
For security reasons, li-administration accounts must be restricted for use only with Lawful Intercept
Important
(LI) functionality and not for general system administration. Only security administrators and administrators
can provision LI privileges. To ensure security in accordance with Law Enforcement Agency (LEA)
standards, LI administrative users must access the system using the Secure Shell (SSH) protocol only. LI
privileges can be optionally configured for use within a single context system-wide. For additional
information, see the Lawful Intercept Configuration Guide and
57.
Use the example below to configure a context-level LI administrator:
configure
context context_name
administrator user_name { [ encrypted ] [ nopassword ] password password li-administrator}
end
LI Administrators and non-LI Administrators can configure Lawful-Intercept CLI commands. However, only
LI Administrators can view the encrypted Lawful-Intercept CLI commands in Trusted Builds and in Normal
builds, if the Global Configuration mode require segregated li-configuration command is enabled. For
additional information, see the Lawful Intercept Configuration Guide and
Configurations, on page 53
Segregating System and LI Configurations
Lawful Intercept (LI) configuration includes sensitive information. By default in a Normal build, an
administrator without li-administration privilege can view the LI configuration commands. However, display
of the LI configuration commands can be restricted or segregated from the rest of the system configuration.
The Global Configuration mode require segregated li-configuration command permanently segregates
display of System and Lawful Intercept CLI. The CLI commands with Lawful-Intercept keyword are encrypted
and can only be viewed by an administrator with li-administration privilege.
Important
In a Trusted build, LI segregation is turned on and cannot be disabled. The require segregated
li-configuration command is invisible.
Segregating LI configuration from system configuration has the following impacts on StarOS:
.
ASR 5500 System Administration Guide, StarOS Release 21.4
Configuring Context-level Administrative Users
Provisioning Lawful Intercept, on page
Segregating System and LI
53
Advertisement
Table of Contents
Troubleshooting
