Alcatel-Lucent 8950 AAA User Manual Download Page 392 | Manualshive

Page: 392 / 476

background image

............................................................................................................................................................................................................................................................

How to Configure for a TLS Demo Out of the Box

8950 AAA Certificate Manager

22-24

365-360-001R6.0

Issue 1, December 2008

............................................................................................................................................................................................................................................................

Create a small tuple file using notepad:

->cat tuple.txt

User-Name = steve

NAS-IP-Address = 127.0.0.1

NAS-Port = 1

And launch the RADIUS test tool in EAP-TLS mode to check:

->..\bin\nrtest -f tuple.txt -cbc EapTls$SimpleCallback -id steve

-cfclient.pem -cp test-client -tf trusted.pem -v

Xmit: Access-Request

User-Name = "steve"

NAS-IP-Address = 127.0.0.1

NAS-Port = 1

EAP-Message = "Response/Identity(1): data=steve"

Message-Authenticator = "00000000000000000000000000000000"

Packet authenticator is valid

Recv: Access-Challenge after 1953 ms.

Message-Authenticator = "60B6D929DFE86EE6C1BA69C0F267EFD9"

State = "1"

Session-Timeout = 180

EAP-Message = "Request/EAP-TLS(2): flags=20(S) "

Sending a 0 byte message to the EAP TLS client:

Received a 108 byte message from the EAP TLS client:

Handshake,v3.1

ClientHello

version 3.1

random =

404431C306BC65BFD2EDC94DF4D768528F6F1A0F86BAA9D00CF94E100187

6D70

session_id =

cipher_suites

TLS_RSA_WITH_AES_256_CBC_SHA

TLS_DHE_DSS_WITH_AES_256_CBC_SHA

TLS_DHE_RSA_WITH_AES_256_CBC_SHA

TLS_DH_DSS_WITH_AES_256_CBC_SHA

TLS_DH_RSA_WITH_AES_256_CBC_SHA

TLS_RSA_WITH_3DES_EDE_CBC_SHA

TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA

TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA

TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA

TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA

TLS_RSA_WITH_AES_128_CBC_SHA

TLS_DHE_DSS_WITH_AES_128_CBC_SHA

TLS_DHE_RSA_WITH_AES_128_CBC_SHA

«
...
390
391
392
393
394
...
»

Summary of Contents for 8950 AAA

Page 1: ...Alcatel Lucent 8950 AAA Authorization Authentication Accounting User s Guide Release 6 0 365 360 001R6 0 ISSUE 1 DEC 2008...

Page 2: ...s of Alcatel Lucent All other trademarks are the property of their respective owners The information presented is subject to change without notice Alcatel Lucent assumes no responsibility for inaccura...

Page 3: ...ew Purpose of the Server Management Tool 2 1 Starting the Server Management Tool 2 2 The Server Management Tool User Interface 2 4 3 Server Management Tool Command Set SMT menus and their commands 3 1...

Page 4: ...ement Tool Understanding PolicyFlow the PolicyAssistant and the Policy Wizard 9 2 Installing the PolicyAssistant 9 2 Preparing to Create Your First Policy 9 3 Using the Policy Wizard 9 4 Understanding...

Page 5: ...orts Panel 15 1 Part III Logging Tools Navigation Pane 16 Message Logging 8950 AAA Message Overview 16 1 Logging Tools 16 2 Server Log Messages 16 3 Log Channels 16 6 Log Channel Configuration Panel T...

Page 6: ...he SMT User Files Panel 19 3 Creating an Attribute Set File 19 16 20 8950 AAA Dictionary Editor Accessing the Dictionary Editor Panel 20 1 Vendors Tab 20 2 Attributes Tab 20 4 Diameter Applications Ta...

Page 7: ...files 23 3 Understanding Database SQL Tool 23 19 Managing Hypersonic Database Users 23 22 Part VII Other chapters 24 Server Diagnostics and Control Commands Server Diagnostics and Control 24 1 List of...

Page 8: ...Contents v i i i 365 360 001R6 0 Issue 1 December 2008...

Page 9: ...ur access criteria will be allowed access to a resource The 8950 AAA server provides this functionality within an extensible easy to use environment This manual introduces you to 8950 AAA through its...

Page 10: ...on about installing 8950 AAA and general software and hardware requirements read the 8950 AAA Quick Start Guide If you are new to 8950 AAA the links below should help determine where to go first Ready...

Page 11: ...the steps necessary to set up your 8950 AAA server clients and user profiles to process user requests for network access The manual is organized as follows Chapter 1 Introduction to 8950 AAA This sect...

Page 12: ...scusses the process of configuring the 8950 AAA USSv2 functionality Chapter 11 Configuring 8950 AAA Operators This chapter provides information about defining administrator access to 8950 AAA It defin...

Page 13: ...8950 AAA Data Dictionary and some of the terms that you will encounter when working with the 8950 AAA product Chapter 21 Managing files This chapter discusses 8950 AAA files and how to create and mana...

Page 14: ...ute another value http server IP address or name where server IP address or name is the address of name of the 8950 AAA server italics Names of manuals or the first occurrence of a glossary term Refer...

Page 15: ...pressions 2nd ed Jeffrey E F Friedl O Reilly Associates Inc July 2002 ISBN 0 59600 289 0 RADIUS Securing Public Access to Private Resources Jonathan Hassell O Reilly Associates Inc October 2002 ISBN 0...

Page 16: ...er OR if you have not yet registered your 8950 AAA service contract contact LWS Support Channel 3 If you are evaluating 8950 AAA for purchase or need sales information or technical support but do not...

Page 17: ...er Management Tool Command Set 3 1 Chapter 4 Managing 8950 AAA Servers 4 1 Chapter 5 Configuring 8950 AAA Client Properties 5 1 Chapter 6 Configuring 8950 AAA Realm Routing Table Properties 6 1 Chapte...

Page 18: ...1 2 365 360 001R6 0 Issue 1 December 2008...

Page 19: ...client might be a network access server NAS a Wi Fi access point or even a Web page 8950 AAA is a tool that promotes system integrity not only for the network server but also for the client server re...

Page 20: ...ect to the RADIUS client A user profile contains information about a user that 8950 AAA uses to process a RADIUS request The information usually includes the user name and password and might include o...

Page 21: ...and then returning configuration information necessary for the client to deliver service to the user The RADIUS client controls the access protocols that are used Within the protocol RADIUS Attributes...

Page 22: ...in publicly available RADIUS servers SQL databases such as Oracle Sybase MySQL or the built in database An LDAP Lightweight Directory Access Protocol server or a server that supports LDAP queries for...

Page 23: ...service that is a part of Windows 2000 Windows XP and Window 2003 Servers using an LDAP interface Windows SAM Windows Security Accounts Manager server that sits on top of the Windows 2000 Windows XP a...

Page 24: ...RADIUS Terms Explained Introduction to 8950 AAA 1 6 365 360 001 R6 0 Issue 1 December 2008...

Page 25: ...nfiguring and managing 8950 AAA servers It utilizes a graphical user interface or GUI that interfaces to the 8950 AAA server It can be used to manage all aspects of server operation The SMT also displ...

Page 26: ...nd windows that provide the means to make server requests The following sections describe how to start the application and a basic overview of the GUI tools and commands Starting the Server Management...

Page 27: ...aa smt Result The 8950 AAA SMT Window opens and the login panel appears as shown in Figure 2 2 Figure 2 2 SMT Login Panel 2 Enter the appropriate 8950 AAA User Name and Password Important This can be...

Page 28: ...ect to the appropriate 8950 AAA server 5 Click Connect to connect to the mentioned host or 8950 AAA server Important Appropriate certificates are installed during the initial installation of 8950 AAA...

Page 29: ...R6 0 Issue 1 December 2008 2 5 Figure 2 4 The SMT User Interface Default screen The main frame of the window located below the taskbar is called the Data pane The following screen shows an example of...

Page 30: ...as tabs text fields buttons and panes Panels can be resized minimized and maximized within the SMT On the left side of the SMT window beneath the toolbar the Navigation pane lists 5 groups of configu...

Page 31: ...tive panel Revert to Last Saved Restore changes that have been saved for active panel Reload Files Re read modified 8950 AAA files into the running 8950 AAA server Close Remove the active panel from t...

Page 32: ...ive panel Use the Next Window command to activate and display other open panels Tile Horizontal Display a top down list of all open panels Tile Vertical Display all open panels from left to right Arra...

Page 33: ...ns are available the name of the Policy Server Start Server Shutdown Server Restart Server Pause Server and Resume Server Show the status of the 8950 AAA Configuration server When the server is runnin...

Page 34: ...rs asking if the changes should be saved If no panel is displayed then this option is not available Display a print panel box that provides print options for the user Reload the files in the current p...

Page 35: ...a list of panel names categorized according to the functionality as shown in Figure 2 8 Displays System Information Displays SMT help Displays Technical Support File Packager window for gathering fil...

Page 36: ...and each tool can be accessed by selecting the panel name The Navigation pane provides ease of use for the SMT user because it allows quick access to any of the listed panels Important Your navigatio...

Page 37: ...erface 8950 AAA Server Management Tool Overview 365 360 001 R6 0 Issue 1 December 2008 2 13 Figure 2 9 SMT Data Pane without panels Figure 2 10 SMT Data Pane with panel SMT Log Pane SMT Data pane with...

Page 38: ...are described in Table 2 3 SMT Server Log Pane The Server log pane appears at the bottom of the SMT user interface when you click on the Server Log tab in the screen The Server Log pane is used for d...

Page 39: ...in the application The commands are described in Table 2 4 Table 2 4 SMT Server Pane Buttons Buttons Description Starts monitoring the Log files To pause the monitoring process Clears the SMT Server l...

Page 40: ...The Server Management Tool User Interface 8950 AAA Server Management Tool Overview 2 16 365 360 001 R6 0 Issue 1 December 2008 E N D O F S T E P S...

Page 41: ...sistant and lists a procedure on how to use the commands to install it The following topics are included in this chapter SMT menus and their commands SMT Menus As described in the section SMT Menu Bar...

Page 42: ...ver select Server on the menu bar and then click Disconnect from Server As a result the GUI disappears from the screen except for the title bar and menu bar and is replaced by the 8950 AAA logo icon T...

Page 43: ...values that were saved before any modifications were entered If the modifications have been saved then this command will not restore the fields to any previous values The Reload Files command provides...

Page 44: ...aves the output to a PDF file created in the 8950 AAA run subdirectory The Save to Web Page HTML option saves the output to an HTML file created in the 8950 AAA run subdirectory The Print Preview opti...

Page 45: ...mmands as well as server preferences and data pane management options To display the Edit menu select Edit on the menu bar Most of the commands on the Edit menu perform operations that are the same as...

Page 46: ...ols display fonts font size and color schemes UI Theme Choice of color scheme used for SMT user interface appearance Use System Fonts Choose Yes to keep the default options Choose No to edit the requi...

Page 47: ...of the main window Used for displaying messages and errors Show Tool Bar Show Pop up Tips Confirm Operations Specifies the questions that are asked throughout the SMT Confirm Server shutdown for the p...

Page 48: ...the secure remote connections when the SMT is in Local Mode Choose No to not use the secure remote connections when SMT is in Local Mode File for Trusted Certificates Enter the filename that needs to...

Page 49: ...various SMT panels You may select an attribute from the full dictionary attribute list labeled Attributes on the left side of the pane or enter your own attribute name in the custom attribute text bo...

Page 50: ...s to find or find once again the word item you want to search Find The find message screen is shown in Figure 3 6 Find again Figure 3 6 Find Menu options Other Edit Menu Commands Under the Edit menu o...

Page 51: ...Restore Windows control as shown in Figure 3 8 Figure 3 8 Panel Restore Button Clicking this control resizes the panel to its previous form Minimizing a panel converts it to an icon The Arrange Icons...

Page 52: ...end of the table or list Clicking this button typically displays a panel to enter information Edit Edit data for an existing record Clicking this button typically displays a panel to enter informatio...

Page 53: ...ate that data has been truncated Installing the PolicyAssistant and the Policy Flow Editor Installing PolicyAssistant You can choose to install and work on either the Policy Flow Editor or the Policy...

Page 54: ...istant and click the Install Policy Flow button The following message appears Figure 3 11 SMT Policy Flow Installation warning message 4 Click Yes to continue Important If the Policy Flow Assistant is...

Page 55: ...steps 2 In the PolicyAssistant panel click Install PolicyFlow to open the PolicyFlow Installation page The PolicyFlow Installation page is displayed as shown in Figure 3 10 3 Select Build Your Own Po...

Page 56: ...and click the Install Policy Flow button A warning message as shown Figure 3 15 appears Figure 3 15 SMT Policy Flow already existing warning message 4 Click Yes to continue It will take a few seconds...

Page 57: ...gured for your local environment and specific policy needs 8950 AAA allows the user to control the behavior of the 8950 AAA RADIUS server by setting configuration options The various configuration opt...

Page 58: ...and clients The Server properties panel display 3 tabs as follows Policy Server Universal State Server Configuration Server Each of these tabs allow you to configure different types of interface Polic...

Page 59: ...s of this panel Admin Interface Configuration Panel To go to the Admin Interface Configuration panel click on the Admin Interface option from the Policy Server data pane menu options on the left side...

Page 60: ...When assigning a port to this interface make sure you do not have any conflicting services using this port Table 4 2 lists the configurable entities of this panel SSH Interface Configuration Panel To...

Page 61: ...f this panel Table 4 3 SSH Interface Properties Configurable Properties Description SSH Address Specifies the address and port the server listens to default is 9022 and port number 0 means do not star...

Page 62: ...to the RMI Registry Configuration panel click on the RMI Registry option from the Policy Server data pane menu options on the left side The RMI Registry Configuration panel is displayed as shown in Fi...

Page 63: ...his panel SMT and Server Certificates Panel To go to the SMT and Server Certificates panel click on the Certificates option from the Policy Server data pane menu options on the left side The SMT and S...

Page 64: ...Table 4 5 lists the configurable entities of this panel Lawful Intercept Properties Panel To go to the Lawful Intercept Properties panel click on the Lawful Intercept option from the Policy Server da...

Page 65: ...rocess and receiving proper authorization from competent authorities Various countries have different rules with regards to lawful interception In the United states the law is known as CALEA in CIS co...

Page 66: ...the SNMP clients to retrieve statistical information about request processing from the policy server through a Radius MIB If the SNMP address is set to a valid non zero address port combination the po...

Page 67: ...2 C If enabled the policy server SNMP agent accepts version 2 C Allow SNMP Version 3 If enabled the policy server SNMP agent accepts version 3 SNMP Version 3 Engine ID This value must be globally uni...

Page 68: ...sing this port This panel also specifies the configuration values for the built in Hypersonic database The Hypersonic database is no longer enabled by default It is only available for backward compati...

Page 69: ...erby Severity Sets the level of the Derby messages that Derby will output to our logging system These messages are logged at the Derby log level in the AAA logging system Enable Driver Trace If enable...

Page 70: ...this panel Radius Properties Panel To go to the RADIUS Properties panel click on the Radius Properties option from the Policy Server data pane menu options on the left side The Radius properties panel...

Page 71: ...esses for authentication requests This value is a comma separated list of address port values If address is omitted it is assumed to be If the port is omitted it defaults to 1812 Default value is 1645...

Page 72: ...ination of the Source IP Source Port and Packet Authenticator The default setting is true This property can be set on a per client basis in the Client properties Check Authenticators If enabled the po...

Page 73: ...The Diameter properties panel specifies the configuration values for the Policy server when processing Diameter requests Response Cache Timeout When responding to the RADIUS requests the policy serve...

Page 74: ...chine Timeout event as defined in RFC 3588 paragraph 5 6 during connection establishment with a remote peer As an example when an initiating peer attempts to connect to a remote peer in the Closed sta...

Page 75: ...DICATION If Redirect Max Cache Time is less than this value the redirect indication is treated the same as a DONT CACHE Redirect Host Usage indication Default Advertised Redirect Cache Time Specifies...

Page 76: ...e Terminal Access Controller Access Control System Plus TACACS Properties panel specifies the configuration values for the policy server TACACS service TACACS is a remote authentication protocol that...

Page 77: ...iguration values that control how the policy server handles RADIUS attributes Place the mouse over each option to display how it is used by the server Table 4 13 lists the configurable entities of thi...

Page 78: ...s the configuration values that control how the policy server handles RADIUS requests packets Place the mouse over each option to display how it is used by the server Table 4 14 lists the configurable...

Page 79: ...the User Name attribute into the Base Name and Realm attributes Automatically Check Leftovers Yes or No option If enabled the policy server rejects a request if there are check items left to be check...

Page 80: ...the configurable entities of this panel Timeout Properties Panel To go to the Timeout Properties panel click on the Timeouts option from the Policy Server data pane menu options on the left side The T...

Page 81: ...meout Properties Panel Properties Configurable Properties Description Client Timeout Time in milliseconds to specify the amount of time the policy server will wait before it discards the requests This...

Page 82: ...reflects the advanced configuration properties In most circumstances you will not need to change these values Default Challenge Timeout Default Challenge Timeout Duration with default timeunit in sec...

Page 83: ...haracter set to use to encode string attributes in requests Cache Data File Specifies the file that contains the cache data when using the ReadCache and WriteCache plugins If specified the contents of...

Page 84: ...tion option The Universal State Server properties tab is displayed as shown in Figure 4 18 Send Error Ratio Sets a simulated transmit error ratio for server When set to a non zero value RADIUS packets...

Page 85: ...ists the configurable entities of this panel Table 4 18 Universal State Server Panel Properties Configurable Properties Description Accounting Start Timeout Specifies the time in milliseconds the Univ...

Page 86: ...r should not appear in the values used to construct the key that is the NAS IP Address and NAS Port Session State Data File Specifies a file to store the session state information If specified the sta...

Page 87: ...Configurable Properties Description Replication Role Specifies the role of the stateserver on this server Primary Address Specifies the host and address of the state server the embedded registry On t...

Page 88: ...nicates with the primary state server Discovery Retries Specifies the number of times to attempt to find the primary state server Discovery Retry Time Specifies the time in milliseconds to wait betwee...

Page 89: ...s of this panel Table 4 20 Universal State Server Replication panel Advanced tab properties Configurable Properties Description Minimum Update Threads Specifies the minimum number of worker threads pe...

Page 90: ...that the Universal State Server counts Each attribute is either counted when an authentication packet is received or when an accounting start packet is received To specify that the attribute be counte...

Page 91: ...he table that allows you to perform the actions specified in Table 4 21 Indices Panel To go to the Indices panel click on the Indices option from the Universal State Server panel menu options on the l...

Page 92: ...ffects the performance and memory usage of the USS The Indices panel shows the existing Attributes in the Universal State Server in one side of the panel and allows you to select and add any of these...

Page 93: ...2 panel properties Configurable Properties Description Replicated Server Timeout Specifies the amount of time the replication queue is kept active after a replicated server has gone down Heartbeat Ti...

Page 94: ...Configuration Server tab in the Server Properties navigation option The Configuration Server panel is displayed as shown in Figure 4 24 Idle Ack Rate When remote ack rate per heartbeat interval drops...

Page 95: ...anel specifies the properties used by the configuration server The configuration server is used by the Server Management Tool to configure a server from a remote location These properties are loaded e...

Page 96: ...he address and port the server listens to default is 9021 and a port number of 0 means do not start SSH at all Registry Port Defines the port to be used when creating an RMI registry Normally an RMI r...

Page 97: ...are included in this chapter Introduction Upon receiving a RADIUS request 8950 AAA must first determine that the request is from an authorized RADIUS client The source of the request is validated befo...

Page 98: ...ot add entries for remote servers that will receive requests provided from the 8950 AAA server unless requests are also received directly from this remote server Using the SMT to Configure Clients Thi...

Page 99: ...the other tabs like the Diameter Peers tab the TACACS Clients tab and the Client Classes tab to display information related to that screen The following sections in this chapter explain each of these...

Page 100: ...tabs The Radius Client Properties tab that allows to add a record The Client Classes and Attributes tab that allows to select the required client option The Comment tab that allows to enter necessary...

Page 101: ...ties Field Name Description Client IP Address or Host Specifies the Domain name IP Address range of IP addresses or a CIDR block of addresses Shared Secret Shared secret between Policy server and clie...

Page 102: ...in requests Truncate Attributes at First NUL Yes or No option If enabled attributes are truncated at the first NUL found in the value If disabled the attribute values are not truncated This enables s...

Page 103: ...tons 1 The Insert Row Wizard action button displays the Alcatel Lucent Clients dialog as displayed in Figure 5 5 Figure 5 5 The Lucent Clients Dialog Add record panel This panel allows you to select t...

Page 104: ...u to perform the other required actions on the record s Using the Comment tab in Radius Client Properties panel The Comment tab is one of the tabs in the Radius Client Properties Panel This tab allows...

Page 105: ...ng the Peer Properties tab to Add a record The Peer Properties tab allows you to add a record and enter information in the required fields as shown in Figure 5 7 Admin State The state of the diameter...

Page 106: ...for the peer TLS Yes or No option Select Yes to encrypt the packets Dictionary Specifies the dictionary name to use for this client class definition Diameter Charset Specifies the default character se...

Page 107: ...ributes from either a list of Predefined Client Class or allows you to add a Custom Client Class or allows you to select add the Attribute and value from the list 2 The other action buttons in this pa...

Page 108: ...TACACS Client Properties tab to Add a record The TACACS Client Properties tab allows you to add a record and enter information in the required fields as shown in Figure 5 9 Shared Secret The secret k...

Page 109: ...ties Panel This panel allows you to perform the following actions using the action buttons Insert a record Edit selected record Delete selected record Delete all records Make a copy of selected record...

Page 110: ...Panel This tab allows you to add any comments about the TACACS Client Properties panel The Client Classes tab Client Classes tab The Client Classes tab displays information about Client Classes in di...

Page 111: ...Properties tab is used to configure the properties of a Client Class The label on the right side indicates the value to be used if the client property is not specified These values are from the Serve...

Page 112: ...specified is Delimiters for realm on right hand side List of characters that mean the realm is the right hand value and the user is the left hand value of the parsed user name This list should be a su...

Page 113: ...ty is not specified These values are from the Server Properties panel Table 5 14 explains each of the fields and field descriptions that are displayed in the Protocol Specific tab Figure 5 14 The Clie...

Page 114: ...e time specified in the corresponding timeout property If not enabled responses are not cached Response Cache Timeout When responding to RADIUS requests the Policy server can remember cache the respon...

Page 115: ...actions using the action buttons Insert a record Edit selected record Delete selected record Delete all records Make a copy of selected record Move selected record up Move selected record down You ca...

Page 116: ...ws you to specify an Product Family attribute and it s value Select the attribute then specify a value Use the description to help with the specifying the value Using the Comment tab in the Client Cla...

Page 117: ...t type of the Diameter request to match Realm Route entries Once a match is found the request is routed locally proxied or redirected based on the Action in the entry Using the SMT to Configure Realm...

Page 118: ...8950 AAA SMT Realm Routing Table panel The Realm Routing Table panel Figure 6 2 contains a menu bar that consists of a set of Action Buttons that appear at the top of the 8950 AAA Realm Routing Table...

Page 119: ...record click on the action button The Route Entry panel is displayed as shown in Figure 6 4 This panel allows you to add a record and enter information in the required fields to the Realm Routing Tab...

Page 120: ...he vendor specific application id for which this route entry is valid when combined with the application ID Valid values are any of the predefined from the list or a numeric value Type Specifies the t...

Page 121: ...Configuration Server Using the SMT to retrieve files from a remote server This section describes how to configure a 8950 AAA to retrieve files from a remote server This is typically used to have one...

Page 122: ...on panel Figure 7 2 contains two sections that consists of 2 sets of Action buttons that appear in the 8950 AAA Remote Configuration panel as shown in Figure 7 2 The action buttons that are in the top...

Page 123: ...elected record Delete selected record Delete all records Make a copy of selected record Move selected record up Move selected record down You can perform any of the required actions using these action...

Page 124: ...try to retrieve files for this entry Typically you would only specify one host However you can specify multiple hosts to be used to be used as fail over hosts Separate each host by a comma User Speci...

Page 125: ...elete selected record Delete all records Make a copy of selected record Move selected record up Move selected record down Assigns a file format to the selected entry in the file table Click on this to...

Page 126: ...Row Wizard click on the action button The File Selection Wizard panel is displayed as shown in Figure 7 9 Figure 7 8 File Entry Properties Field Name Description Remote File Specifies the name of the...

Page 127: ...ber 2008 7 7 Figure 7 9 The File Selection Wizard panel This panel displays a list of the servers you have previously configured Select a server from the list and click Next to be able to select the R...

Page 128: ...st of that will be added Select a file from the Remote File list and click the arrow buttons to add it to the Selected Files list You can also double click to add If the Configuration Server is not ru...

Page 129: ...he 8950 AAA installation process If you see the PolicyAssistant in the Navigation Pane and do not see the PolicyFlow Editor then the PolicyFlow Editor is not installed The procedure for installing the...

Page 130: ...e authorize users and deal with session accounting and information This is the second step you need to perform The top section which is the Method Dispatch section is used to determine how to route re...

Page 131: ...played just below this section after another set of action buttons in the bottom section The PolicyFlow Files section has two action buttons as shown in Figure 8 3 Figure 8 3 PolicyFlow Editor Action...

Page 132: ...igure 8 4 are in this section of the panel that are used to create and define the Method Dispatch properties Figure 8 4 PolicyFlow Editor Action buttons in the Method Configuration section These actio...

Page 133: ...sections The first section that has two tabs the Method Configuration tab and the Advanced tab Both these tabs allow you to define the properties for the method configuration fields that are displayed...

Page 134: ...igure 8 6 Method Configuration pane Advanced tabl Use the Control tab allows you to control the methods during the progress of plug in as shown in the Figure 8 6 Use the Method On Success of Control t...

Page 135: ...e properties of the method chosen as shown in the Figure 8 7 Advanced tab allows you to specify additional properties of the some of the methods methods which have additional attributes as shown in th...

Page 136: ...icy Flow Editor 8 8 365 360 001R6 0 Issue 1 December 2008 Figure 8 9 Method Configuration pane Success Msg tabl PolicyFlow Topics tab describes in general about the plug ins methods and the policyflow...

Page 137: ...e requests to the PolicyFlows that are defined in the bottom section One set of action buttons as shown in Figure 8 11 are in the Method Dispatch section of the panel that are used to define the Metho...

Page 138: ...12 This panel allows you to add or insert records to the Method Dispatch Properties Figure 8 12 PolicyFlow Editor Method Dispatch Properties panel The Method Dispatch Properties panel as shown in Figu...

Page 139: ...d and displays the selected record details in the Method Dispatch Properties panel and allows you to change any details too if necessary and make a copy of that record 6 The Move selected record UP or...

Page 140: ...Method Dispatch Section Using the 8950 AAA Policy Flow Editor 8 12 365 360 001R6 0 Issue 1 December 2008...

Page 141: ...Wizard to create and access Policies The following topics are included in this chapter Understanding PolicyFlow the PolicyAssistant and the Policy Wizard 9 2 Installing the PolicyAssistant 9 2 Prepar...

Page 142: ...o create policies and populate this table The first time you run the PolicyAssistant the table panel will not appear instead the Policy Wizard will start automatically so you can create your first pol...

Page 143: ...is section chapter to toggle between these two functions If you elect to work with the Policy Assistant panel and take the necessary actions the Policy Assistant item is displayed in the Navigation pa...

Page 144: ...res user profiles user source authenticates users authentication source applies access rules set session parameters and processes accounting data You must create a policy for each unique set these com...

Page 145: ...the Policy Wizard Enter a Policy Name for this policy that is descriptive of the configuration that it represents A policy name helps you organize multiple policies Examples of good policy names migh...

Page 146: ...t the Policy Wizard may require additional information later in the Policy Wizard The sections below provide additional information for the following supported user profile sources RADIUS User Files D...

Page 147: ...AA technical support team Use the User Profiles panel under the Database Tools folder to manage the user profiles stored in the built in 8950 AAA database Important If you do not see the Database Tool...

Page 148: ...e server Radius Server Proxy Use the RADIUS Server Proxy option if your users are stored in a remote server Proxy services allow a RADIUS server to forward a request received from a client to a second...

Page 149: ...ernal Authentications Automatic Authentications EAP Authentication The actual options available in this panel are dependent on the choice you made for your user profile source Table 9 1 lists the opti...

Page 150: ...matches with the passwords in the user request Passwords must be in Salted MD5 format MD4 Verifies the password in the user profile matches with the passwords in the user request Passwords must be in...

Page 151: ...sed on UNIX platforms this option can be used to read users from a UNIX password style file on any platform RSA ACE Server SecurID Uses an RSA Ace Server to verify the one time password from a SecurID...

Page 152: ...atically rejects the request Typically used to disable access for a Policy EAP Authentication EAP Authentications are typically used in conjunction with the Ethernet 802 1x standard Typical applicatio...

Page 153: ...ation to be proxied to another server The panel describes each selection within the right pane If you choose to send accounting data to a database or proxy server the Policy Wizard helps you configure...

Page 154: ...7 User Session and Policy Limits Panel in the Policy Wizard The User Session Limits setting sets the maximum number of concurrent sessions that a user may have The Policy Limits setting indicates the...

Page 155: ...ed at the end of this chapter After completing these panels the Policy Wizard will display the Attributes Set for Policy panel This configuration option of the Policy Wizard enables you to assign attr...

Page 156: ...on attributes also called check items stored in an attribute set or possibly a user s profile By including appropriate verification attributes in a policy a variety of rules can be enforced For exampl...

Page 157: ...re commonly used as reply attributes Time Of Day Define allowed access times by day of week and or hour of day Time Of Day Wk0800 1700 Table 9 2 List of Attributes allowed in an Access Accept availabl...

Page 158: ...trator Changing authorization checks and session provisioning can be accomplished by editing the attribute set This eliminates the need to edit numerous user profiles each time policy changes Reply Me...

Page 159: ...ing storage for accounting data and setting session limits You should now see the Attribute Set for Policy panel as shown in Figure 9 10 Figure 9 10 Attribute Set Panel in the Policy Wizard If you do...

Page 160: ...ing an attribute set the panel will be populated with information about the attribute set you chose Figure 9 11 Add or Edit Attribute Sets Panel 1 If you are defining a new attribute set enter a name...

Page 161: ...those attributes that support data input entered from the keyboard Click Show All Attributes to display all attributes included in the server dictionary otherwise the list of attributes is limited to...

Page 162: ...you can limit the session time to one hour select the Session Timeout attribute and enter 3600 in the Value field or identify a specific IP address pool from which addresses are assigned select the As...

Page 163: ...Use the options in the Attribute Set Lookup Failure frame to define the action the PolicyAssistant should take in the event an Attribute Set cannot be found Such a failure might be caused by an error...

Page 164: ...Lookup Failure frame 3 Click Attribute Set Name is defined in the User Profile to identify the user profile as a source for your attribute sets Use this option if your user profile source is one of t...

Page 165: ...attribute set using the User Name attribute If the packet passes the Items to Verify checks in this case if the deactivation date is not exceeded the request is authorized and accepted 4 Click Next to...

Page 166: ...tains four tabs that allows you to manage a selected policy Policy Selection Realm and DNIS Limits USS Settings Cisco PEAP Figure 9 16 Policy Assistant Panel Using the Policy Selection tab The Policy...

Page 167: ...o select an attribute to the Rule and specify the value of it It also allows you to choose if the rule has to match all the conditions or just match any of the conditions and define the rule The Rule...

Page 168: ...with the realm foo net and a user eileen gato com dials 555 1212 to connect to the network the 8950 AAA server treats the user as though they were in the foo net realm ignoring the gato com realm The...

Page 169: ...er Access or Specific Limit If you choose Specific Limit provide the Limit Click OK The Realm or DNIS value you added will now be displayed in the main screen Figure 9 16 3 The Edit delete delete all...

Page 170: ...r change the values of these fields appropriately and click on Save to save the changes Saving Your Policies How to save your policies This concludes the use of the PolicyAssistant to create policies...

Page 171: ...d from the Auth Type attribute in the user s profile Tunneled EAP Defines tunneled EAP types that the PolicyAssistant can process if EAP tunneling is enabled Transports Defines password transport type...

Page 172: ...Detect MD4 passwords EAP MS CHAP V2 Detection Automatically detect passwords stored separately from the user profile or using an external service for authentication EAP MS CHAP V2 NT password Detect N...

Page 173: ...ords within Secure Computing SafeWord Server EAP Authentication Use information from EAP source as specified in Auth Type attribute EAP MDS Detect MDS passwords EAP TLS Detect TLS passwords EAP LEAP D...

Page 174: ...MS CHAP Response Allow Plain Text Password MS CHAP transport MS CHAP2 Response Allow Plain Text Password MS CHAP2 transport Salted MD5 Password Allow Salted MD5 transport UNIX Linux DES Password Allo...

Page 175: ...types by deselecting any check box that corresponds to a undesirable format type On the Authenticating Access Requests panel if you selected any option other than Allow Any of the Following then afte...

Page 176: ...cember 2008 Figure 9 21 Advanced Authentications Options Tunneled EAP tab Options Transports tab option Click on the Transports tab and the following panel is displayed as shown in Figure 9 22 This di...

Page 177: ...allow an attribute set name to be specified in the users profile By default this option is enabled to disable the Attribute Set name from being read from the user profile Attribute Sets click in the...

Page 178: ...001R6 0 Issue 1 December 2008 User Profile is read first then the policy set is read If an attribute is defined in both Attribute Sets the first assignment read takes precedence That is the attribute...

Page 179: ...within the network The Universal State Server version 2 USSv2 Configuration feature is an advanced feature of the USS feature The USSv2 is a brand new design and in many ways different from the USS fe...

Page 180: ...o process the AAA request Use the StateServer section below to configure the types of resources you want to track Use the Replicated Server section to automatically serve a copy of the resource data i...

Page 181: ...tons that are in the top section are used to configure State Servers The action buttons that are in the bottom section are used to configure the Replicated servers The Top set of action buttons are as...

Page 182: ...iguration panel Figure 10 4 has two tabs the Properties tab and the Replication tab The Properties tab displays the properties of the StateServer Type that you decide to select For example if you sele...

Page 183: ...ttom section are used to configure Replicated Servers The Top set of action buttons are as shown in Figure 10 3 and are as explained earlier Table 10 2 USSv2 StateServer Configuration Replication tab...

Page 184: ...wn You can perform any of the required actions using these action buttons To Insert a record click on the action button The Replicated Server Configuration panel is displayed as shown in Figure 10 7 T...

Page 185: ...ecifies the amount of time between heartbeat transmissions Heartbeat Skip Specifies the number of missing heartbeats before a connection to a replicated server is considered down Bucket Load Factor Sp...

Page 186: ...USSv2 Configuration Configuring 8950 AAA USSv2 10 8 365 360 001R6 0 Issue 1 December 2008...

Page 187: ...ors panel The following topics are included in this chapter Administering the 8950 AAA System Administrators for a 8950 AAA System 8950 AAA provides administrative security control over access to the...

Page 188: ...or this user are stored in the Operators file Please refer to Operators Tab on page 5 for more information about Operators Universal State Server User This user is used for communication within the Hi...

Page 189: ...n Figure 11 1 Figure 11 1 Navigation Pane 8950 AAA Operators option Result The 8950 AAA Operators panel is displayed as shown in Figure 11 2 Figure 11 2 Navigation Pane 8950 AAA Operators panel The 89...

Page 190: ...server to communication internally See the tooltip for more information This specifies the Identifier like a user name used for authenticating communications between the various 8950 AAA scripts in t...

Page 191: ...le 3 2 on page 12 In the 8950 AAA Operators Panel Figure 11 2 click on the Operators tab The 8950 AAA Operators Operators tab panel is displayed as shown in Figure 11 3 Administrator Password Indicate...

Page 192: ...or control buttons on the top side of the panel Important Panel Control functions are described in Table 3 2 on page 12 In the 8950 AAA Operators Panel Figure 11 2 click on the SNMP V3 Users tab The 8...

Page 193: ...e 11 4 8950 AAA Operators SNMP V3 Users tab panel 1 There are a set of action buttons on the top of this panel as shown in Figure 11 5 Figure 11 5 Action buttons panel 2 To add a record click the butt...

Page 194: ...iption User Name The name of the user whose secret keys were used to possibly authenticate and encrypt the packet Security Transforms This indicates whether or not messages sent or received on behalf...

Page 195: ...must specify an address and secret of the RADIUS server The RADIUS Authentication tab panel allows you to do this In the 8950 AAA Operators Panel Figure 11 2 click on the RADIUS Authentication tab The...

Page 196: ...sed to authenticate System Operators The default is the RFC defined Authentication port on the local server 127 0 0 1 1812 Authentication Secret Specifies the shared secret used to authenticate System...

Page 197: ...ing Operator properties 2 Enter the name for this System Operator in the User Name field 3 Enter a password in the Password field To hash a one way encryption the password click the encrypt button whi...

Page 198: ...t No password is needed Crypt Authenticate passwords encrypted with the UNIX crypt algorithm Crypt DES Authenticate passwords encrypted with the DES algorithm Crypt MD5 Authenticate passwords encrypte...

Page 199: ...ines the type of access this System Operator has to the objects To add an access rule perform the following steps From the Operator Properties panel Figure 11 8 on page 11 click the button that has or...

Page 200: ...would match auth_methods and acct_methods You may also click the File Pattern button at the right of the field to select a commonly used name for the selected Access Type Select from the File Pattern...

Page 201: ...e following field as shown in Figure 11 12 Enter a value for the Rule Pattern in the same way as described for File Pattern and Command Pattern Figure 11 12 Access Item Configuration Dialog Role Acces...

Page 202: ...he list of rules Modifying a System Operator How to modify a System Operator The following procedure lists the steps for changing the attributes of a System Operator 1 From the Operators tab on the 89...

Page 203: ...name Password or Authentication Type 4 Modify any rule by selecting it and double clicking on the rule or by clicking the Edit selected record action button that appears to the top of the list of acce...

Page 204: ...Modifying a System Operator Configuring 8950 AAA Operators 11 18 365 360 001R6 0 Issue 1 December 2008...

Page 205: ...n Simple Address Manager Panel The Simple Address Manager configures and manages the address pool It supports multiple pools Each pool in a Simple Address Manager contains a range of IP addresses Addr...

Page 206: ...s Pool Configuration tab The Simple Address Manager panel with the Pool configuration tab selected is shown in Figure 12 4 selected A set of action buttons as shown in the Figure 12 4 are also present...

Page 207: ...igure 12 4 This screen allows you to add records to the Address Pool Configuration Using the Pool Configuration tab to add a record The Pool Configuration panel allows you to add a record and enter in...

Page 208: ...d Addresses tab Table 12 1 describes the different attributes properties of the leased IP address Click Refresh to update the table and Release the Selected Address to remove it from the list by sendi...

Page 209: ...h pool Figure 12 7 Simple Address Manager Pool Statistics tab Table 12 2 describes details of the pool to which the leased IP address belongs Click Refresh to update the table E N D O F S T E P S Tabl...

Page 210: ...Simple Address Manager Configuration Configuring Simple Address Manager 12 6 365 360 001R6 0 Issue 1 December 2008...

Page 211: ...luded in this chapter USS Address Manager Configuration USS Address Manager Panel The USS Address Manager provides dynamic address pool management using the Universal State Server To display the USS A...

Page 212: ...gure 13 3 are also present in the USS Address Monitor panel Figure 13 3 USS Address Manager Action Buttons These action buttons allow you to perform the following actions Insert a record Edit a record...

Page 213: ...Manager panel click the Pool Configuration tab Click on the action button Pool Configuration panel is displayed as shown in Figure 13 2 This panel allows you to add or insert record to the Pool Confi...

Page 214: ...of IP addresses On the Range panel click on the action button Enter Pool Range screen is displayed as shown in Figure 13 6 Figure 13 6 USS Address Manager Enter Pool Range Panell Select the required...

Page 215: ...7 selected Figure 13 7 USS Address Manager Pool Selector Panell On the USS Address Manager panel click the Pool Selector tab Click on the action button Pool Configuration panel is displayed as shown...

Page 216: ...USS Address Manager Pool Configuration Panell Enter the Pool Selector Name and select the required allocation scheme The pool name is displayed in the Pool Name field Click OK to add the record The re...

Page 217: ...Collecting Navigation Pane Overview Purpose This part consolidates the chapters related to Configuration Tools in the SMT Navigation pane Contents This part includes the following chapters Chapter 14...

Page 218: ...II 2 365 360 001R6 0 Issue 1 December 2008...

Page 219: ...sted on the left Each group contains a list of statistics that you can enable To start the collecting select the desired group from the list on the left then enable the parts of the group you want to...

Page 220: ...ervals for selected instances To display the Stats Collector panel use the SMT Navigation Pane and select Stats Collector under Stats Collecting as shown in Figure 14 1 Figure 14 1 Navigation Pane Sta...

Page 221: ...nformation on Radius Acct Server and information on the variables for the Radius Acct Server Use the action buttons in the top of the right section to modify the contents of the statistical informatio...

Page 222: ...lector information select the required entry in the desired group that you want to edit and click the Edit button The Collector Definition screen as shown in Figure 14 3 appears with the existing valu...

Page 223: ...ies in the group Choose the required option The instance s will be disabled as selected 7 To change the interval time for the selected instance or for all the existing instances in the selected group...

Page 224: ...Stats Collector Panel Stats Collector 14 6 365 360 001R6 0 Issue 1 December 2008...

Page 225: ...ity to configure and generate reports from the statistical data collected by the 8950 AAA The Reports Configurator is the part of 8950 AAA that allows you to create reports for data collected by the 8...

Page 226: ...appear at the top of the screen as shown in Figure 15 3 Figure 15 3 Configure Reports Panel Action buttons These action buttons allow you to perform the following actions Insert a record Edit selecte...

Page 227: ...e field descriptions There are two sets of properties that you need to specify in this screen Table 15 1 Configure Reports Panel Properties Field Name Description Name The name of the Report Report Da...

Page 228: ...ction button A confirmation dialog is displayed asking you to confirm to delete all the records Click Yes to delete all the records or click No to exit the action and come out of the dialog 6 To make...

Page 229: ...ort in graphical format as shown in Figure 15 5 The Raw Sample Data tab shows the report in the sequenced format as shown in Figure 15 6 Figure 15 6 Report Panel Raw Sample Data tab 10 Click Run Repor...

Page 230: ...The Configure Reports Panel Configuring Reports 15 6 365 360 001R6 0 Issue 1 December 2008...

Page 231: ...er 2008 Part III Logging Tools Navigation Pane Overview Purpose This part consolidates the chapters related to Logging Tools in the SMT Navigation pane Contents This part includes the following chapte...

Page 232: ...III 2 365 360 001R6 0 Issue 1 December 2008...

Page 233: ...and writes messages for actions that occur during initial startup while running and while shutting down These messages have the basic form shown below Important The contents of log messages can be hig...

Page 234: ...ific conditions are met These conditions may be tied to the occurrence of a small set of common request processing actions request accept request reject etc or to custom user defined conditions Log me...

Page 235: ...following sections provide more information on the panels their components and their functionality Server Log Messages About Log Messages Select Server Log Messages from the Logging Tools section on t...

Page 236: ...e message in the file Action buttons in the Server Log Messages section The Server Log Messages panel Figure 16 2 contains a set of Action buttons that appear in the top of the list of the server log...

Page 237: ...ick on a selected record or select a record and click on the action button The Message Entry panel is displayed as shown in Figure 16 3 with the existing values This panel allows you to edit the conte...

Page 238: ...n to provide a description of the channel For example LogToOracle access errors NOC Syslog Server etc Displaying Log Channel Information Select Log Channels from the Logging Tools section on the Navig...

Page 239: ...in the list to display its configuration characteristics In Figure 16 4 there is only one item in the list The Log Channels panel contains a set of Action buttons that appear in the top of the list of...

Page 240: ...wing the first screen of the configuration panel as shown in Figure 16 6 This screen prompts to enter the name of the Log Channel Figure 16 6 Log Channel Configuration Panel Channel name 2 Enter a Log...

Page 241: ...Configuration Properties panel that allows you to define the properties is displayed as shown in Figure 16 8 The properties in this screen will appear as per the Output types selected in Figure 16 7 T...

Page 242: ...of an alternate channel to use if an error is encountered while writing to this channel 8950 AAA cannot determine if a Syslog server is responding If syslog is your default output channel you might wi...

Page 243: ...llowing message 2003 01 21 13 45 30 870 nr setup 8950 AAA Starting server initialization Format Area This checkbox controls whether 8950 AAA includes the log area in the log message The log area is th...

Page 244: ...n MEDIUM Include a full description about the exception LONG Include a full description about the exception with a JAVA stacktrace Format Unchecked Exceptions Unchecked exception Error conditions for...

Page 245: ...ure 16 9 Log Channel Configuration Panel Default and Error Channel Processing 5 You can choose to specify that this channel is the default channel The default channel is used when logging messages and...

Page 246: ...uration is complete 7 Click Back to modify any values or Finish to return to the Log Channels panel 8 Click Save to store your channel configurations to the server Click Close to remove the panel Log...

Page 247: ...this section shows the Properties and Advanced tab for each log channel destination output type with descriptions of each field Exec The Exec destination executes an external process Log data is writ...

Page 248: ...ll continue to write to the same file There is an option to delete the contents of the file each time 8950 AAA is started The properties tab for this destination type is shown in Figure 16 12 Table 16...

Page 249: ...with Size Based File Switching The 8950 AAA writes the log messages to a file 8950 AAA switches the log file it writes when a user specified file size is reached The contents of the 8950 AAA log file...

Page 250: ...e prefix beginning portion of the log file name Important For more information please see Notes on the Naming of Time Based Files on page 21 Suffix Specifies the suffix ending portion of the log file...

Page 251: ...his format with examples Naming of Size based files Format Using the example above suppose the file nractive log the currently open file is named If this file is switched January 1 2006 at noon then t...

Page 252: ...terval There are 5 options for this field HOURLY The file is switched every hour The timestamp portion is in format yyyyMMddHH DAILY The file is switched every day The timestamp portion is in format y...

Page 253: ...g URL http java sun com j2se 1 4 2 docs api java text SimpleDateFormat html HLR OmLog The HlrOmlog Channel cause the 8950 AAA server to inject log messages into the OMLOG subsystem This channel is a t...

Page 254: ...to more than one output This can be used instead of using multiple channels with log rules The log message is sent to all listed channels The properties tab for this destination type is shown in Figur...

Page 255: ...og messages to an SNMP version 1 management system The messages are sent as SNMP Traps The Properties tab is shown in Figure 16 18 The Advanced tab is shown in Figure 16 19 Table 16 10 Multiple Log Ou...

Page 256: ...eration The operation to be performed Timeout Amount of time to wait for the response after which you can retry Retry The number of time you can retry SNMP V3 User Name The SNMP V3 user name SNMP V3 S...

Page 257: ...le 16 12 Server Address Defines the host IP of the SNMP management system The Server Address is in format host port Example 127 0 0 1 162 Table 16 12 SNMP Trap Advanced tab fields Field Description Cl...

Page 258: ...Important The use of the Database channel and the following discussion assumes you are familiar with SQL and general database issues have an SQL compliant database running on an assessable system and...

Page 259: ...lumn Sequence value typically not used unless identity type columns are used in your database This is an optional field the data type is long Timestamp Column Column time that the log action occurred...

Page 260: ...ges are actually received by the syslog server or if errors occur while the syslog server is processing the log messages Because of this the log channel defined in the On Error will only be used for e...

Page 261: ...lds Field Name Description Server Address Defines the host IP of the syslog server The Server Address is in format host port Example 192 168 1 4 514 The default is 127 0 0 1 514 A Syslog server runnin...

Page 262: ...OR and higher will be sent to the Syslog server The default is INFO Process Name Defines the application name of the messages sent to the syslog server Example 8950 AAA The default is NR Format Host N...

Page 263: ...message The Trash destination is typically used for excluding certain log output by temporarily dropping output that results from a Log Rule For more information please refer to Log Rules on page 32 T...

Page 264: ...ted wildcard pattern see note below used to indicate a program area 8950 AAA is divided into several program areas Each 8950 AAA program area performs a specific function For example accessing externa...

Page 265: ...m Log Rules determine the Log Channel that is the destination of the log message Important The asterisk provides limited wildcard matching capabilities for Log Area and RADIUS Request Expressions It m...

Page 266: ...ce cannot be selected when the 8950 AAA server is not running Startup Log Rules A set of Log Rules that are loaded automatically whenever 8950 AAA starts Other Log Rule set files Other sets of Log Rul...

Page 267: ...27 This screen assists you in creating or editing a Log Rule Table 16 17 Parts of a Log Rule Log Rule Field Description Area 8950 AAA server program area for which this log rule is used Request Indic...

Page 268: ...950 AAA Log Area to which this rule will apply Pick one of the following three options Match All Areas If selected this rule will apply in all 8950 AAA Log Areas Predefined Server Log Area Groups Prog...

Page 269: ...in Radius with Expression Only those RADIUS requests that match the limited wildcard expression will be considered for logging Further logging will only occur at those times when the expression is va...

Page 270: ...0 Log Rule Configuration Wizard Log Level Select a log level that will determine messages to be sent Only messages logged at this or a more severe level will be output Important Log Level Blither is t...

Page 271: ...Expression Pattern Match indicates that only messages that contain the entered pattern are logged Important The following examples show Regular Expressions San Francisco abc def i The first example us...

Page 272: ...finds a Log Rule that matches all of its criteria Log Area Expressions Log Level etc After a matching rule has been executed and the log messages have been sent to the appropriate Log Channels no addi...

Page 273: ...r more items may be selected from the list as follows 16 When done click Next Result The Log Rule Configuration Summary panel appears as shown in Figure 16 34 Table 16 18 Log Channel Selection To sele...

Page 274: ...isted in the Log Rule Set Display as shown in the example in Figure 16 35 Figure 16 35 Log Rule Configuration New Log Rule Reordering Log Rules Use the reorder buttons to arrange the order of the Log...

Page 275: ...ules Click the Save As Startup Rules button to preserve the current set of Log Rules Click the Save As button to write the current set of Log Rules to a new file Click the Make Rule Set Active button...

Page 276: ...Log Rules Message Logging 16 44 365 360 001R6 0 Issue 1 December 2008...

Page 277: ...ing Tools Navigation Pane Overview Purpose This part consolidates the chapters related to Monitoring Tools in the SMT Navigation pane Contents This part includes the following chapters Chapter 17 Serv...

Page 278: ...IV 2 365 360 001R6 0 Issue 1 December 2008...

Page 279: ...ver Statistics There are two panels that are used for viewing activity of the 8950 AAA Server They are located under the SMT Navigation Area under Monitoring Tools They are The Server Statistics Panel...

Page 280: ...sponses from the 8950 AAA server Requests and responses to 8950 AAA from other servers State Server USS activity PolicyFlow program execution To display the Server Statistics panel use the SMT Navigat...

Page 281: ...essed Memory Usage on page 10 Amount of memory used by 8950 AAA and the Java Virtual Machine JVM Proxy Authentication on page 12 Counts percentages based on request status for Access Requests forwarde...

Page 282: ...s As shown in Figure 17 3 authentication requests are categorized according to status or disposition Figure 17 3 Server Statistics Authentication Requests This screen displays two groups of columns la...

Page 283: ...sents the average number of requests per second since the last server reset Table 17 3 Interval Values Column Description Requests Current value of the counter Ratio of count to total number of reques...

Page 284: ...isplays a columnar information and a performance monitor graph organized in the same manner as the Authentication Request screen Duplicate The number of Access Request packets that matched another req...

Page 285: ...t type 4 Responses The number of Accounting Acknowledgment packets sent Packet type 5 Dropped The number of Accounting Request packets that were dropped no response was sent Duplicate The number of Ac...

Page 286: ...h in an organized manner Figure 17 5 Server Statistics Packet Statistics There are two columns The Total column displays count and time statistics for all requests and responses processed since the se...

Page 287: ...onitoring diameter statistics It displays a columnar information and a performance monitor graph Figure 17 6 Server Statistics Diameter Statistics There are two columns Total and Interval which keeps...

Page 288: ...Figure 17 7 shows the screen Table 17 7 Diameter Items Tabulated Items Diameter Item Description Requests In Number of request received by the diameter server Requests Out Number of requests sent by t...

Page 289: ...nterval The screen also displays a graph showing the amount of memory usage vertical scale over time in update intervals horizontal scale The monitor can show total JVM memory size and the amount of m...

Page 290: ...alues as follows The Total columns display statistics about all packet types received by other servers The Interval columns display disposition statistics for requests received during the last update...

Page 291: ...an Access Reject Packet Type 3 being returned to the RADIUS client Dropped Access Request packets that resulted in the original request being dropped no response was sent to the client Timeouts Access...

Page 292: ...l The columns are used in the same way as with authentication requests Categories of proxy accounting requests are described in Table 17 9 Table 17 9 Categories of Proxy Accounting requests Category D...

Page 293: ...ta is expressed both in tabular form and through performance monitors one for proxy authentication requests and one for proxy accounting requests The screen contains two columns as follows Pending Req...

Page 294: ...s or graphs that display the number of packet samples horizontal scale against wait time in seconds vertical scale Proxy Roundtrip Times This screen is used to track the time required for proxy authen...

Page 295: ...stem initialization Interval Change Total time spent waiting for responses to proxy authentication and proxy accounting requests since the last interval update Each column contains an entry for proxy...

Page 296: ...RADIUS requests that pertain to the particular port and client The performance monitor displays graphical data for monitoring up to three types of sessions Active Sessions Sessions that are currently...

Page 297: ...described in Table 17 10 Requests The State Server Requests window is shown in the Figure 17 14 Table 17 10 State Server Sessions Tab properties Column Name Description Total Total number of sessions...

Page 298: ...are described in Table 17 11 Replication The Replication screen displays the status of replicated sessions Table 17 11 State Server Request Tab properties Request Types Description Total Requests Amou...

Page 299: ...ssions since the last interval update The categories of replication are described in the Table 17 12 The performance monitor displays the number of samples horizontal scale per count vertical scale Ta...

Page 300: ...s the state change which occurred in the last interval Every session consists of three basic stages Active State Inactive State or Waiting for Start Figure 17 16 Server Statistics State Changes State...

Page 301: ...e ability to monitor the methods that are called during PolicyFlow processing Methods are monitored in four ways as shown in Table 17 13 Table 17 13 Types of Methods Measurement Description Processing...

Page 302: ...med in the Method Next control property Fail Method failed to complete its task and execution passed to the method if any named in the Method On Fail control property Error Method encountered an error...

Page 303: ...nt One method invocation can produce entries in more than one column For example a method that results in a Time out also counts as an Error as well as being counted in the Total column The following...

Page 304: ...0 001R6 0 Issue 1 December 2008 Methods auto Figure 17 18 Server Statistics Methods auto Methods aaa Figure 17 19 Server Statistics Methods aaa Screens that Monitor Internal Server Processing This sec...

Page 305: ...code segment that can be executed simultaneously with other threads At any given time the 8950 AAA server executes multiple threads The Server Threads screen Figure 17 21 displays information about t...

Page 306: ...Counters Indices Panel The Ports Counters panel monitors three properties of the 8950 AAA Universal State Server USS sessions counters and indices Table 17 16 Server Treads Attribute Description Name...

Page 307: ...ons Counters Indices panel use the SMT Navigation Pane to select Sessions Counters Indices under Monitoring Tools as shown in Figure 17 22 Figure 17 22 Navigation Pane Sessions Counters Indices The Se...

Page 308: ...in the Table 17 18 The Indices tab is shown in Figure 17 24 It displays a list of indices with which the USS has active sessions Select the index from the list and click Get Values to display the corr...

Page 309: ...tors the address statistics of 8950 AAA Universal State Server USS The USS addresses are created and maintained by the USS The Address Pool is configured using the USS Address Manager panel USS Addres...

Page 310: ...te Description Pool Name Name of the Pool Active State of the pool active or not Total Total addresses in the pool Free Number of free addresses in the pool Used Number of used addresses in the pool H...

Page 311: ...t you will encounter when working with the 8950 AAA product The following topics are included in this chapter 8950 AAA LiveAdministrator 18 2 Accessing the LiveAdministrator Panel 18 2 General Info 18...

Page 312: ...lay of server settings Modification of server settings Display server statistics Display and modify some stored data Pause and resume server operations Control logging operations Capture server settin...

Page 313: ...nect to the Policy server Configuration server or to any other port Click the Disconnect button to disconnect from the server s or port General Info About General Information Select General Info optio...

Page 314: ...se Information option to display the License information work area as shown in Figure 18 3 Version The Version number of 8950 AAA Server Management Tool SMT Host Name of host system Running Since Time...

Page 315: ...veAdministrator panel Click the Connect button to connect to the Policy server Configuration server or to any other port Click the Disconnect button to disconnect from the server s or port System Info...

Page 316: ...to memory Open a text file and paste the clipboard contents into the text file There are three buttons in the bottom of the panel Click the Close button to remove the LiveAdministrator panel Click the...

Page 317: ...ick the Update Java Memory Stats button to refresh the displayed information Important Garbage collection is automatically managed by the Java Virtual Machine JVM You should normally not need to run g...

Page 318: ...e read and cached at server initialization or when the file is first referenced If an open file has been modified it must be reloaded before 8950 AAA will see the changes Click the Reload button to up...

Page 319: ...nnot execute shell scripts PERL scripts DOS batch files and so on However the LiveAdministrator panel is unable to determine the contents of a file from its name Therefore when you tell the LiveAdmini...

Page 320: ...text file Properties About Properties Select Properties to display the corresponding work areas shown in Figure 18 8 This work area displays a list of server properties presently in effect and their...

Page 321: ...the Edit button A dialog box appears in which modifications can be made To remove the selected entry click Remove button Important Decide carefully about removing an entry There is no confirmation re...

Page 322: ...entry to the cache click the Add button To remove the selected entry click the Remove button To update the list of cache entries click the Refresh button Important Adding cache entries will only affec...

Page 323: ...lows you to set the Activity State as required To set the Activity State to Down click the Set Down button To set the Activity State to Auto click the Set Auto button To set the Activity State to Up c...

Page 324: ...ndow as shown in Figure 18 12 To display the Admin Commands window click the that is on the right side of the text field The Admin commands window is displayed as shown in Figure 18 12 After selecting...

Page 325: ...of Figure 18 11 The Clear button removes all information from the text area window The History button displays a pop up window Figure 18 13 containing commands that have been entered through this int...

Page 326: ...Advanced Using LiveAdministrator 18 16 365 360 001R6 0 Issue 1 December 2008...

Page 327: ...nsolidates the chapters related to File Tools in the SMT Navigation pane Contents This part includes the following chapters Chapter 19 Creating and Managing User Profiles with Files 19 1 Chapter 20 89...

Page 328: ...V 2 365 360 001R6 0 Issue 1 December 2008...

Page 329: ...s usually done with Attribute Sets The information used in 8950 AAA for authentication and authorization may come from a single source or may contain data collected from several sources combined toget...

Page 330: ...rofiles with user names as the index key are commonly referred to as user profiles while entries indexed by some other attribute are often referred to as attributes sets In 8950 AAA all user files are...

Page 331: ...ser Files Panel The SMT User Files panel allows you to access and create user files and to create and maintain profiles for individual users The following steps illustrate how to create and edit user...

Page 332: ...mply User Files and no file name is listed when the User Files panel is first opened no user file is loaded 2 If you have defined a user file using the PolicyAssistant then that file will be listed Cl...

Page 333: ...all files in the run directory click the drop list at the top of the box and select All Files as illustrated in Figure 19 5 If you have standard RADIUS formatted user files that you have created using...

Page 334: ...ppears as shown in Figure 19 7 Figure 19 7 New User Profile Dialog 2 Enter the User Name for this profile You must enter the user s name exactly as the user will enter it when logging on to your netwo...

Page 335: ...esulting hashes match then the two passwords must have been the same Note that use of hashed passwords in a user s profile requires the use of the PAP Password Authentication Protocol in the PPP sessi...

Page 336: ...ided for backwards compatibility with user files imported from older RADIUS servers If you set password hashing in Step 4 above the Authentication Type is preset for you do not change it Important Set...

Page 337: ...ser Profiles with Files 365 360 001R6 0 Issue 1 December 2008 19 9 Figure 19 10 User Files List of User Names 3 Double click the user name that corresponds to the desired User Profile Result The User...

Page 338: ...ides a list of attributes that you can use for all users using the same policy For example if all your users must dial the same access number you must enter the Called Station Id attribute in all your...

Page 339: ...the format used by your local telephone company to send the information to your NAS The Description field which is below the Value field provides guidelines on the format for those attributes that su...

Page 340: ...ecessary If you use the PolicyAssistant to create policies you can assign an attribute set that can provide the same functionality as reply attributes If a conflict occurs the attributes in the user s...

Page 341: ...eply attributes for this user as depicted in Figure 19 14 Figure 19 14 User Profile Items Sent back to NAS 2 Click Insert a record to open the Attribute Properties dialog as shown in Figure 19 15 Figu...

Page 342: ...keyboard Select the Show All Attributes checkbox to display all attributes included within the dictionary selected in the server profile Important To change the attributes that appear in this list se...

Page 343: ...the session is limited in length to one hour Click OK to close this dialog and return to the User Files panel Figure 19 17 User Profile Panel with selected user profile Saving Changes to the User Pro...

Page 344: ...r Files panel appears as depicted in Figure 19 18 Figure 19 18 SMT Navigation Pane and an empty User Files panel Note that the panel title is simply User Files and no file name is listed when the User...

Page 345: ...ollowing topics are included in this chapter Accessing the Dictionary Editor Panel About accessing the Dictionary Editor Using the SMT select Dictionary Editor under File Tools from within the Navigat...

Page 346: ...r Applications of 8950 AAA By default the details of the Vendors tab is displayed when the Dictionary Editor panel is opened The Dictionary Editor panel contains 3 tabs as follows Vendors Attributes D...

Page 347: ...s tab panel as shown in Figure 20 2 The Vendors tab action buttons are as shown in Figure 20 3 Figure 20 3 Vendors tab Action buttons These action buttons allow you to perform the following actions In...

Page 348: ...in the dictionary 3 The Delete selected record action button allows you to delete the selected vendor information 4 The Delete all records action button allows you to delete all the vendor records 5...

Page 349: ...op of the 8950 AAA Dictionary Editor s Attributes tab panel as shown in Figure 20 5 The Attributes tab action buttons are as shown in Figure 20 6 Table 20 2 Dictionary Editor Attributes tab properties...

Page 350: ...b Action buttons These action buttons allow you to perform the following actions Insert a record Edit selected record Delete selected record Delete all records Make a copy of selected record Move sele...

Page 351: ...lues Overrides Aliases and Subattributes The Attribute tab is the default tab Table 20 2 explains the attributes of the Attribute panel Table 20 3 Dictionary Editor Attributes of Attributes tab Attrib...

Page 352: ...nd allows you to edit the attribute information in the dictionary 3 The Delete selected record action button allows you to delete the selected attribute information 4 The Delete all records action but...

Page 353: ...Diameter Applications tab click on the Diameter Applications tab in the Dictionary Editor panel The details about the Diameter Applications dialog or panel is displayed as shown in Figure 20 8 Figure...

Page 354: ...actions Insert a record Edit selected record Delete selected record Delete all records Make a copy of selected record Move selected record up Move selected record down You can perform any of the requ...

Page 355: ...cted record action button allows you to delete the selected application information 4 The Delete all records action button allows you to delete all the application information 5 The Make a copy of the...

Page 356: ...Diameter Applications Tab 8950 AAA Dictionary Editor 20 12 365 360 001R6 0 Issue 1 December 2008...

Page 357: ...ile Manager panel enables the user to perform a variety of operations on 8950 AAA files These operations include Create a new file Copy the contents of an existing file to a new file Edit the contents...

Page 358: ...Pane File Manager Viewing File Attributes and File Content As shown in Figure 21 1 the File Manager panel displays the following attributes of a file Filename File size Date last modified NR Access Le...

Page 359: ...ame File Description acct_methods The PolicyFlow to be executed for processing accounting requests You may also use the PolicyFlow editor in the SMT to manage this data auth pf The PolicyFlow to be ex...

Page 360: ...operations A GUI editor is available in the SMT for managing this data You may also use the Log rule in SMT to manage this data method_dispatch Selects the initial method invoked for a RADIUS request...

Page 361: ...may not be used at your location A GUI editor is available in the SMT for managing this data You may also use the User File Editor in the SMT to manage this data users templates Templates Attribute se...

Page 362: ...r panel showing the contents of the selected file The file contents may be modified Click Open As to edit a file A pop up list appears with three editing selections asking the user how to edit the sel...

Page 363: ...erty file which opens the file in a Property File Editor panel This GUI editor displays a set of properties and values Selecting a value and clicking the edit button or double clicking the property na...

Page 364: ...le which opens the file in a User File panel This editor option opens a file as a user file and uses the 8950 AAA SMT User Files GUI editor to edit the file An example is shown in Figure 21 6 Figure 2...

Page 365: ...Select a file you want to be renamed from the File Manager Panel Figure 21 1 and click Rename to name or change the name of an existing file The Rename File dialog appears Figure 21 8 requesting the n...

Page 366: ...he user to use or perform the Tail action similar to the UNIX tail option on the 8950 AAA files When you perform the tail option on a selected file the standard output is put in this selected file at...

Page 367: ...en an existing file from the list of 8950 AAA files 2 To open existing file s click Open Result The Configuration File List dialog is displayed as shown in Figure 21 12 Figure 21 12 Configuration File...

Page 368: ...iles 21 12 365 360 001R6 0 Issue 1 December 2008 Figure 21 13 Tail Panel with opened file 4 You can Start or Stop Pause Clear or Close the tail Select the desired option 5 Select Close to close the ta...

Page 369: ...all the root certificates as a trusted certificate authorities The following topics are included in this chapter Types of Certificates About Types of certificates The aaa cert tool generates three typ...

Page 370: ...ent Client certificates are used by clients to authenticate themselves to 8950 AAA Client certificates are signed by a root certificate In order to sign the server certificate aaa cert needs access to...

Page 371: ...le Content As shown in Figure 22 2 the Certificate File Manager panel displays the following attributes of a file File Name File Size Date last modified NR Access Level Figure 22 2 File Manager Panel...

Page 372: ...asking the user how to edit the selected file The editing methods are Plain text file which opens the file in a Configuration File Editor panel This option provides a simple text editing window simil...

Page 373: ...File Property file which opens the file in a Property File Editor panel This GUI editor displays a set of properties and values Selecting a value and clicking the edit button or double clicking the p...

Page 374: ...ile User file which opens the file in a User File panel This editor option opens a file as a user file and uses the 8950 AAA SMT User Files GUI editor to edit the file An example is shown in Figure 22...

Page 375: ...le you want to be renamed from the File Manager Panel Figure 22 2 and click Rename to name or change the name of an existing file The Rename File dialog appears Figure 22 8 requesting the new name of...

Page 376: ...cate before you can create server or client certificates You only need to create one root certificate for your site If your application uses protocols such as EAP TTLS EAP PEAP etc you will need a Roo...

Page 377: ...to validate certificates signed by this root Server Certificate Generates a key pair and a server certificate which can be used to identify a server The server certificate must be signed by a root ce...

Page 378: ...to create a Certificate file in the 8950 AAA run directory Result The New Certificate dialog appears as shown in Figure 22 10 Table 22 3 Certificate Manager Types of Certificate Additional Properties...

Page 379: ...Certificate Type Subject and Duration 3 Use this screen to specify the subject information about the certificate The fields Common Name and the Country are mandatory fields Also specify the length of...

Page 380: ...gure 22 12 Figure 22 12 Root Certificate Type Certificate Complete 5 Click Finish to go back to the File Manager panel as shown in Figure 22 2 Creating a New File for the Server and Client Certificate...

Page 381: ...ificate The fields Common Name and the Country are mandatory fields Also specify the length of time the certificate is valid and specify the advanced properties of the certificate Click Next Result Th...

Page 382: ...fy the certificate files and passwords For the Root file and password enter the file name and password you specified when creating the root certificate Click Next Result The Server or Client Certifica...

Page 383: ...l use its root certificate to sign the server certificate The certificate request contains extensions suitable for server authentication 1 Click the Create Certificate action button Result The New Cer...

Page 384: ...Password dialog 4 Specify the password to use to encrypt the certificate request Optionally specify a file name to save the private key Click Next Result The Certificate Request Complete dialog is di...

Page 385: ...ificate File is displayed as shown in Figure 22 20 Figure 22 20 View Existing Certificate Certificate File 3 Specify the name of the file of the certificate that you want to view The file must exist i...

Page 386: ...ot Certificate and click Next 3 Enter a Common Name for your Root certificate for example MyRootCert 4 Enter your country if it is other than the US 5 Add any additional information and click Next 6 E...

Page 387: ...certificate private key Important Record the password in a safe place You will need it to generate server and client certificates 10 Click Next 11 Enter the name of the root certificate file See Gener...

Page 388: ...ficate authority and the encrypted private key matching the public key in the root certificate A password is used to encrypt the private key and protect it from public access Root certificates are sig...

Page 389: ...t any prompt to exit the setup program Using Java version Java TM 2 Runtime Environment Standard Edition Sun Microsystems Inc Version 1 5 0 From C Program Files Java j2re1 5 0 8950AAA PolicyAssistant...

Page 390: ...t_properties Copying File readme txt Copying File users Copying File users templates Copying File uss_counters Updating Server Properties Updating Security Properties Updating SMT Properties Setting U...

Page 391: ...olicy PolicyName MyPolicy User Source UserFile Default AuthType EAP TLS Asserted Auth Type FALSE Connection Limit 1 Policy Limit 1 User Limit Scope Policy UserFileName users Proxy Acct Enabled FALSE U...

Page 392: ...hallenge after 1953 ms Message Authenticator 60B6D929DFE86EE6C1BA69C0F267EFD9 State 1 Session Timeout 180 EAP Message Request EAP TLS 2 flags 20 S Sending a 0 byte message to the EAP TLS client Receiv...

Page 393: ...T_WITH_DES40_CBC_SHA TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 TLS_DH_anon_WITH_AES_256_CBC_SHA TLS_DH_anon_WITH_AES_128_CBC_SHA compression_methods NULL Xmit Access Request User Name steve NAS IP Address 12...

Page 394: ...2844835F197242365A832C2F5D4B7060E46C55C B session_id 4617932DD7F525296FCADC70844DD701 cipher_suite TLS_RSA_WITH_3DES_EDE_CBC_SHA compression_method NULL Certificate CertificateRequest ServerHelloDone...

Page 395: ...ms Message Authenticator 136C3CE06532EB5D3787339DADEB32DC State 5 Session Timeout 180 EAP Message Request EAP TLS 6 flags 80 L msg length 51frag length 51 Sending a 51 byte message to the EAP TLS cli...

Page 396: ...age Success 6 requests 6 access request 6 with State 5 without State 1 accounting request 0 other request 0 replies 6 access accept 1 with state 0 without state 1 access reject 0 access challenge 5 wi...

Page 397: ...613F55C951DB46E298647818E8771E04392FEA91E62337C6315332A36C484 F6 2874 engine worker 9 Reply attribute dump Service Type Framed User Framed Protocol PPP Framed IP Address 192 168 10 6 Framed IP Netmask...

Page 398: ...How to Configure for a TLS Demo Out of the Box 8950 AAA Certificate Manager 22 30 365 360 001R6 0 Issue 1 December 2008 E N D O F S T E P S...

Page 399: ...Tools Navigation Pane Overview Purpose This part consolidates the chapter s related to Database Tools in the SMT Navigation pane Contents This part includes the following chapter s Chapter 23 Creating...

Page 400: ...VI 2 365 360 001R6 0 Issue 1 December 2008...

Page 401: ...n applies ONLY to the built in database If you are using a third party database consult the vendor s documentation about creating a database administrative user The built in database like any other da...

Page 402: ...into the Database To launch the Database Tools click the Database button from the SMT toolbar that appears at the top of the SMT interface This is available in the row of buttons as displayed in Figur...

Page 403: ...s This section discusses use of the built in 8950 AAA database for creating and managing user profiles for network users Important The Database Table Tool provides access to all tables in the built in...

Page 404: ...ure 23 4 User Profiles Tool Panel options Understanding the User Profiles Tool Panel The User Profiles Tool panel contains the following sections A Table View that is a predefined presentation of data...

Page 405: ...e 6 Opening the Database Table Tool To open the database table tool 1 Click the Database button and select the Database Table Tool option The Database Table Tool connection panel is displayed as shown...

Page 406: ...Table is a database file that contains rows of information Each row in a table represents a record and each row contains one or more columns or fields The example 8950 AAA supported schema shown in th...

Page 407: ...d the record is inserted at the end of the table or list Edit Edit the values for the selected record Delete Removes the selected row from the active table or view Delete All Removes all records from...

Page 408: ...a cannot be used in your policies 8950 AAA supports a predefined database schema for storage of user profiles However it is possible for you to edit this schema to remove unneeded columns fields and r...

Page 409: ...DB Table Too Insert Edit Record 2 Enter information into the required fields User Name User Realm Enter information into the non required fields as desired 3 Select OK or Cancel Click OK to accept the...

Page 410: ...Revert to undo the modifications that have not been saved After selecting OK or Cancel return is made to the previous screen after selecting Revert the Insert Edit Record window continues to be displa...

Page 411: ...ueness of the new record Modify any of the non required fields as desired 4 Select OK Cancel or Revert Click OK to accept the modified record data A confirmation prompt appears indicating that the tab...

Page 412: ...o create filtering criteria The data will be used for a record search by matching field values within the existing table 3 Select OK Cancel or Revert Click OK to accept the filter Return is made to th...

Page 413: ...isable the current filter perform the following steps 1 Click the Query all records action button Result The table with its original set of records appears Import User File This procedure allows you t...

Page 414: ...lute directory path that may be typed within the field or selected using the browse button that follows the field Set the value of File Type by choosing one of the list items of this field as shown in...

Page 415: ...o undo the modifications that have not been saved After selecting OK or Cancel return is made to the previous screen after selecting Revert the Import Information window continues to be displayed Conf...

Page 416: ...Table Name for the table You may select a Table Name by clicking the folder button that appears after the Table Name field In this case a list of allowable table names is displayed as shown in Figure...

Page 417: ...o determine the table columns to be displayed To do this select a name from the Table Columns list and click the Add button The name appears within the Selected Columns list To select all table column...

Page 418: ...s Enable button This ensures that all records are queried and displayed as soon as you login to the database To prevent the display disable the checkbox by selecting No The remaining fields on this wi...

Page 419: ...ck the Move Up button or click the Move Down button To delete all records click the Delete all records When done click Next on the Database Preferences window Result The Database Preferences window ap...

Page 420: ...e SQL Tool connection panel is displayed as shown in Figure 23 21 Figure 23 21 Accessing the Database SQL Tool Panel 2 Select the appropriate DB Name enter a User Name and Password 3 Click Connect The...

Page 421: ...on buttons Name Description Icon Execute Command Executes the SQL command that is typed in the SQL Command area of the Database SQL Tool panel The shortcut key F4 can also be used to execute the comma...

Page 422: ...database users As pexplained earlier a database is used to hold different type of user profiles This section discusses use of the Hypersonic database for creating and managing user profiles for networ...

Page 423: ...se Users connection panel is displayed as shown in Figure 23 24 Figure 23 24 Manage Hypersonic Database Users connection Panel 2 Specify appropriate Host IP Address Port User Name and Password 3 Click...

Page 424: ...Managing Hypersonic Database Users Creating and Managing User Profiles with the Built in Database 23 24 365 360 001R6 0 Issue 1 December 2008...

Page 425: ...ssue 1 December 2008 Part VII Other chapters Overview Purpose This part contains the other chapters related to SMT Contents This part includes the following chapter s Chapter 24 Server Diagnostics and...

Page 426: ...VII 2 365 360 001R6 0 Issue 1 December 2008...

Page 427: ...inistrator interface through the LiveAdministrator panel of the Server Management Tool From the LiveAdministrator panel click the Advanced option to access the RADIUS and state server commands You can...

Page 428: ...epresent an appropriate value Arguments separated by a pipe symbol indicate that only one of the arguments can be used for each execution of the command cache The cache command is used to add count de...

Page 429: ...dump key cache list Description Lists entries matching the key may use trailing wild cards Command Format cache list key cache load Description Loads the cache contents from a file Command Format cach...

Page 430: ...up Description Backup for an internal derby database Command Format derby backup database directory derby connect Description Connect to derby database Command Format derby connect database derby crea...

Page 431: ...mand Format derby info There are no arguments for this command derby list Description Lists internal derby databases Command Format derby list database timestamp derby login Description Cache security...

Page 432: ...diagnostics Command Format diag chrono dump list engine active state stats fuse list method stats normal list stats queue list reset resetstats diag atfile dump Description Dumps the AtFileProperty In...

Page 433: ...timer thread paranoia Command Format diag chrono kick There are no arguments for this command diag chrono list Description Lists the chronograph entries hi res timers Command Format diag chrono list T...

Page 434: ...guments for this command diag field stats Description Lists the field statistics Command Format diag field stats There are no arguments for this command diag fuse The following section lists the diag...

Page 435: ...ere are no arguments for this command notrim Specifies to include all statistics When not specified only statistics with non zero values are retrieved sort Specifies to sort the statistics by key name...

Page 436: ...r arguments diag queue list Description Lists the queues Command Format diag queue list There are no arguments for this command diag queue reset Description Resets the queue content Command Format dia...

Page 437: ...his command diag watch The following section lists the diag watch commands and their arguments diag watch list Description Lists the chronograph entries hi res timers Command Format diag watch list Th...

Page 438: ...ts eap sim cache count Description Counts fast reauth entries by permanent username Command Format eap sim cache count permanent_user_name eap sim cache delete Description Deletes fast reauth entries...

Page 439: ...rmat file close fileName file delete Description Deletes a file Command Format file delete fileName file list Description Lists files in the run directory Command Format file list There are no argumen...

Page 440: ...Displays ipam leases matching the given IP address Command Format ipam lease selector address ipam pool Description Dumps ipam pool prefixes Command Format ipam pool pool name all used free filename j...

Page 441: ...java memory There are no arguments for this command java properties Description Lists java properties Command Format java properties java thread dump Description Displays java lock information Comman...

Page 442: ...mat java threads There are no arguments for this command java version Description Lists JVM version Command Format java version There are no arguments for this command login This command establishes i...

Page 443: ...s for this command logrule delete Description Deletes a logging rule Command Format logrule delete num logrule insert Description Inserts a logging rule rule areaCondition itemCondition logLevel patte...

Page 444: ...le load Description Loads logging rules from a file Command Format logrule load fileName logrule move Description Moves a logging rule Command Format logrule move num num logrule remove Description De...

Page 445: ...r commands and their arguments peer auto Description Sets peer auto Command Format peer auto peerName peer down Description Sets peer down Command Format peer down peerName peer list Description Lists...

Page 446: ...ommands and their arguments server kill Description forcibly terminates the server without any warning Command Format server kill There are no arguments for this command server pause Description Pause...

Page 447: ...no arguments for this command server shutdown Description Performs an orderly server shutdown Command Format server shutdown There are no arguments for this command server status Description Displays...

Page 448: ...exec filename session info Description Lists information about this session Command Format session info There are no arguments for this command stat This command displays output statistics variable D...

Page 449: ...tats group list There are no arguments for this command stats inst list Description Lists instances of a group Command Format stats inst list group stats list Description Prints the statistics associa...

Page 450: ...t stats var list group system This command displays a list of system properties Command Format system PROPERTY The following section lists the system commands and their arguments system hostaddr Descr...

Page 451: ...ounts Description Displays output counter information Command Format uss counts counter attribute uss entry Description Lists a state database entry Command Format uss entry key key mod ev state compl...

Page 452: ...uss load Description Restores a state database from a file Command Format uss load fileName uss naslist Description Lists the NASs Command Format uss naslist There are no arguments for this command u...

Page 453: ...reset Description Resets state database statistics Command Format state stats reset There are no arguments for this command uss status Description Displays the state server replication state Command F...

Page 454: ...om one or all entries Command Format uss2 entry list model key uss2 load Description Reloads session state from the given file key The key associated with the state entry to be stopped model Name of t...

Page 455: ...ats model name uss2 node list Description Displays one or all nodes Command Format uss2 node list node name uss2 node stats Description Displays statistics of one or all nodes Command Format uss2 node...

Page 456: ...resource There are no arguments for this command uss2 resource dump Description Displays selected or all data from one or all resources Command Format uss2 resource dump model name value uss2 resourc...

Page 457: ...ostics and Control Commands 365 360 001R6 0 Issue 1 December 2008 24 31 uss2 save Description Saves all session state to thgiven file Command Format uss2 save model file E N D O F S T E P S model Name...

Page 458: ...List of Server Commands Server Diagnostics and Control Commands 24 32 365 360 001R6 0 Issue 1 December 2008...

Page 459: ...001R6 0 Issue 1 December 2008 Part VIII Appendix Overview Purpose This part contains the Appendix chapter s related to SMT Contents This part includes the following chapter s Chapter A Supplementary I...

Page 460: ...VIII 2 365 360 001R6 0 Issue 1 December 2008...

Page 461: ...n Web Interface To display the built in Web interface perform the following procedure 1 Open a browser window 2 Using the IP address of the 8950 AAA server set the URL field to the following http IP a...

Page 462: ...lowing procedure to display the RADIUS server Admin interface 1 Using the IP address of the 8950 AAA server open a Telnet window using the following command telnet IP address 9023 Result A Telnet scre...

Page 463: ...Use the following procedure to display the configuration server administration interface 1 Using the IP address of the 8950 AAA server open a Telnet window by executing the following command telnet I...

Page 464: ...Displaying the Configuration Server Administration Interface Supplementary Information A 4 365 360 001 R6 0 Issue 1 December 2008 Figure A 3 Telnet Session Configuration Server Administration Address...

Page 465: ...es and access the network ACCOUNTING Process of recording information about a user session ACCOUNTING REQUEST Request to the server for information in order to charge and track resource usage ACCOUNTI...

Page 466: ...ministrator to a specific user account See NAI and REALM C CHAP Challenge Handshake Authentication Protocol CGI Common Gateway Interface a means of transferring data between a Web server and a CGI app...

Page 467: ...manage text server preferences and the use of data panes F FQDN Fully Qualified Domain Name Identifier such as www vitalaaa com which is comprised of a host www and domain name vitalaaa com The domai...

Page 468: ...make them available whether on the Internet or a corporate intranet LDAP DIRECTORY Authentication source used by LDAP directory service LIMITED WILDCARD Placing an asterisk only at the beginning or en...

Page 469: ...a list of panel names used for displaying each SMT panel NUL A null character is a binary value with all its bits set to 0 It has a numeric value of 0 NULs can be used to mark the end of a character...

Page 470: ...hentication and optionally authorization R RADIUS Acronym that stands for Remote Authentication Dial In User Services See RADIUS SERVER RADIUS DETAIL FILE Text file used for storing session and billin...

Page 471: ...ER MENU List of SMT commands that manage server connections SHARED SECRET A character string specified on both a server and another device or server that establishes mutual identification A shared sec...

Page 472: ...application for database commands and updates TOOLBAR Row of buttons used for invoking commands to a GUI based application U UI User Interface application This application is responsible for providin...

Page 473: ...ers to any type of 802 11 network WINDOW MENU List of SMT commands that manage SMT panels WINDOWS SAM Windows Security Accounts Manager a user source supported by 8950 AAA WRITE COMMUNITY Character st...

Page 474: ...Glossary GL 10 365 360 001R6 0 Issue 1 December 2008...

Page 475: ...u 5 Collapse all 5 copy 5 cut 5 Expand all 5 find 5 find again 5 paste 5 Preferences 5 select all 5 External Authentications 9 F File Manager panel 1 H History 15 I Interval Change 11 J Java Database...

Page 476: ...RADIUS servers 3 RADIUS User File 4 RADIUS User Files 6 reply attributes 1 Reply Items 1 rolled over file 19 run directory 2 run subdirectory 4 S Search by Typing 10 Server Connection 2 Server Managem...

Reviews:

No comments

Related manuals for 8950 AAA

DEVICE FILTER MAC

Brand: FARONICS Pages: 4

MultiRack SoundGrid

Brand: Waves Pages: 39

FLASH 8-LEARNING ACTIONSCRIPT 2.0 IN FLASH

Brand: MACROMEDIA Pages: 830

Brand: AMX Pages: 16

3CR15800 - Intelligent Management Center Enterprise...

Brand: 3Com Pages: 4

Configuring Arrays

Brand: HP Pages: 132

Brand: HP Pages: 26

Brand: HP Pages: 35

460C - Deskjet Color Inkjet Printer

Brand: HP Pages: 24

Brand: HP Pages: 201

BB118BV - StorageWorks Data Protector Express Package

Brand: HP Pages: 365

BB118BV - StorageWorks Data Protector Express Package

Brand: HP Pages: 35

2605dtn - Color LaserJet Laser Printer

Brand: HP Pages: 372

e-diagtools 4.0

Brand: HP Pages: 74

Brand: PNY Pages: 15

Brand: LinPlug Pages: 46

[email protected]/DOS Version 7.xx

Brand: Amanda Pages: 84

Amanda Portal CallQ Agent

Brand: Amanda Pages: 61

Brands by name

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Popular brands

Load more brands