manualshive.com logo in svg

Avaya ERS 1600, Technical Configuration Manual

Share
Download
Avaya ERS 1600 Technical Configuration Manual Download Page 7

 

 

Authentication, Authorization and Accounting (AAA) for ERS and ES 

Technical Configuration Guide 

November 2010

 

avaya.com 

2.1.1  RADIUS Authentication 

With RADIUS authentication, a remote RADIUS client can authenticate users attempting to log in. The 
RADIUS server also provides access authority. RADIUS assists network security and authorization by 
managing a database of users. The switch can use the database to verify user names and passwords, as 
well as information about the type of access priority available to the user. 

When the RADIUS client sends an authentication request, if the RADIUS server requires additional 
information, such as a SecurID number, it sends a 

challenge-response

. Along with the challenge-

response, a reply-message attribute is sent. The reply-message is a text string, such as "Please enter the 
next number on your SecurID card". The maximum length of each reply-message attribute is 253 
characters (as defined by the RFC). If you have multiple instances of reply-message attributes that 
together form a large message which can be displayed to the user, the maximum total length is 2000 
characters. 

 

 

 

802.1x (EAP), if enabled, has a mandatory requirement to authenticate users by Radius. 
Hence, Layer two switches supporting 802.1x (EAP) support RADIUS authentication. 

RADIUS 

SERVER 

Authentication 

Service 

RADIUS 

CLIENT 

AUTHENTICATION 

USER LOGIN 

(Console/Telnet/SSH) 

ACCESS REQUEST 

USER NAME 

(User Password : 

128bits keyed MD5) 

CLIENT ID 

PORT ID 

ACCESS CHALLENGE 

STATE (1) 

ACCESS ACCEPT 

CONFIG VALUES 

(1) Used when Radius server requires additional information such as 

SecurID number. 

Summary of Contents for ERS 1600

Page 1: ...for ERS and ES Technical Configuration Guide E M E A IP Core Sales Engineering Document Date November 2010 Document Number NN48500 558 Document Version 1 1 Ethernet Routing Switch 1600 8300 8600 2500...

Page 2: ...E BY INSTALLING DOWNLOADING OR USING THE SOFTWARE OR AUTHORIZING OTHERS TO DO SO YOU ON BEHALF OF YOURSELF AND THE ENTITY FOR WHOM YOU ARE INSTALLING DOWNLOADING OR USING THE SOFTWARE HEREINAFTER REFE...

Page 3: ...IUS TACACS on the ERS 1600 8300 8600 2500 4500 5500 and ES 460 470 This document covers some of the more popular Radius TACACS commands and attributes how to configure server and client side It gives...

Page 4: ...erver Client Log Files 17 2 6 Sniffer Traces on RADIUS Server 32 3 TACACS 39 3 1 Terminology 39 3 2 Feature Operation 40 3 3 Avaya Switches TACACS Support 43 3 4 TACACS Server Configuration Using tac_...

Page 5: ...lights important information about an action that may result in equipment damage configuration or data loss Text Bold text indicates emphasis Italic text in a Courier New font indicates text the user...

Page 6: ...he database within the RADIUS server stores information about clients users passwords and access privileges protected with a shared secret RADIUS is a fully open and standard protocol defined by RFCs...

Page 7: ...g with the challenge response a reply message attribute is sent The reply message is a text string such as Please enter the next number on your SecurID card The maximum length of each reply message at...

Page 8: ...lling Station Id 32 NAS Identifier 33 Proxy State 34 Login LAT Service 35 Login LAT Node 36 Login LAT Group 37 Framed AppleTalk Link 38 Framed AppleTalk Network 39 Framed AppleTalk Zone 60 CHAP Challe...

Page 9: ...AS IP address for a session is the address of the switch interface to which the remote session is connected over the network For a console session modem session and sessions running on debug ports thi...

Page 10: ...Failed UDP frame official port number is 1813 not 1646 conflicts with the sa msg port service 0 8 31 16 Code Identifier Length Response Authenticator Attributes RADIUS Attributes 40 Acct Status Type...

Page 11: ...twork administrator you can override a user s access to specific CLI commands by configuring the RADIUS server for user authentication You must still give access based on the existing six access level...

Page 12: ...GT PWR 2 3 2 etc raddb dictionary This file contains the dictionary file for all clients You have to create a specific dictionary file dictionary nortel for user access level and add an include statem...

Page 13: ...y for 802 1x EAP clients please see eap user shown below as an example which defines VLAN ID 51 and port priority 3 bsro Auth Type Local User Password bsro Service Type NAS Prompt User bsrw Auth Type...

Page 14: ...adiusd X can be 2 3 or 5 depending on your run level Also check that radiusd is started with y flag You will write details about every authentication request in the radius log file When you modify the...

Page 15: ...0 Port 1812 Time out 2 Key Radius Accounting is Enabled AcctPort 1813 4548GT PWR config show cli password type Console Switch Password Type None Console Stack Password Type None Telnet WEB Switch Pass...

Page 16: ...US configuration 8600A 6 show radius info Sub Context clear config dump monitor show test trace wsm asfm sam Current Context acct attribute value 193 acct enable true acct include cli commands true ac...

Page 17: ...can change the RADIUS source IP address by using the following command 8000A 6 config radius server create ipaddr secret value usedby value port value priority value retry value timeout value enable...

Page 18: ...ail 20080221 Optional file need to configure etc raddb radiusd conf Thu Feb 21 15 52 09 2008 NAS IP Address 10 10 44 5 Service Type Administrative User User Name bsro Client IP Address 10 10 44 5 Time...

Page 19: ...4 2008 Auth Login OK bsrw from client 4548GT PWR port 0 Log file on RADIUS server var log radius radacct 10 10 44 5 auth detail 20080221 Optional file need to configure etc raddb radiusd conf Thu Feb...

Page 20: ...10 10 44 5 auth detail 20080221 Optional file need to configure etc raddb radiusd conf Thu Feb 21 17 17 22 2008 NAS IP Address 10 10 44 5 NAS Port Type Ethernet Service Type Framed User Message Authen...

Page 21: ...08 NAS IP Address 10 10 44 5 NAS Port Type Ethernet NAS Port 1 User Name eap Acct Session Id 85000001 Acct Status Type Stop Acct Input Octets 11722 Acct Output Octets 7387 Acct Input Packets 100 Acct...

Page 22: ...lient 8600 port 1 Log file on RADIUS server var log radius radacct 10 10 50 1 auth detail 20080221 Optional file need to configure etc raddb radiusd conf Thu Feb 21 18 08 07 2008 User Name ro NAS IP A...

Page 23: ...1871 Acct Input Packets 0 Acct Output Packets 94 Cli Commands show date Cli Commands config Cli Commands exit Client IP Address 10 10 50 1 Acct Unique Session Id fae1055b429ca034 Timestamp 1203613769...

Page 24: ...600A 6 config Sub Context atm atmcard bootconfig cli cluster diag r module ethernet fdb filter ip ipv6 ipx lacp log mlt naap ntp pos poscard qos radius rmon slot slpp snmp server snmp v3 stg sv lan sy...

Page 25: ...203614656 Thu Feb 21 18 24 28 2008 Acct Status Type Stop Acct Session Id 59e000000014 User Name rwa NAS IP Address 10 10 50 1 Acct Session Time 11 Acct Input Octets 0 Acct Output Octets 549 Acct Input...

Page 26: ...er Name eap Calling Station Id 00 12 3F 1A 1B 68 EAP Message 0x0201000801656170 Service Type Framed User Client IP Address 10 10 50 1 Timestamp 1203615838 Thu Feb 21 18 43 58 2008 NAS IP Address 10 10...

Page 27: ...tate of Port 3 46 Recd Respose from supplicant CPU6 02 21 08 18 43 59 EAP INFO Bkend state of Port 3 46 Recd accept from server CPU6 02 21 08 18 43 59 EAP INFO User eap on Port 3 46 is authenticated 2...

Page 28: ...et using read write user Telnet to ERS 8600 with read write user rwa type some commands 8600A 6 config ip Permission denied 8600A 6 config Sub Context atm atmcard bootconfig cli cluster diag r module...

Page 29: ...mand Access statement is unique you cannot mix True and False You can have several commands use syntax for first line then use for following lines always add comma at the end of the line except last l...

Page 30: ...the number of packets octets received for this session If the session continues for a long period then periodically after every hour non configurable an interim accounting message will be sent contai...

Page 31: ...ctets 11 Acct Output Octets 27 Acct Input Packets 1 Acct Output Packets 1 Client IP Address 10 10 50 1 Acct Unique Session Id d265f560f26b031e Timestamp 1204643453 Tue Mar 4 16 26 23 2008 Acct Status...

Page 32: ...tive User 6 AVP l 6 t User Name 1 bsro Frame 2 68 bytes on wire 68 bytes captured Ethernet II Src DellComp_38 57 5b 00 06 5b 38 57 5b Dst NortelNe_0f 8e 04 00 04 38 0f 8e 04 Internet Protocol Src 10 1...

Page 33: ...Src Port 1025 1025 Dst Port radius 1812 Radius Protocol Code Access Request 1 Packet identifier 0x1e 30 Length 102 Authenticator 000000070BE401AA001B25E96800001E Attribute Value Pairs AVP l 6 t NAS I...

Page 34: ...bytes captured Ethernet II Src DellComp_38 57 5b 00 06 5b 38 57 5b Dst NortelNe_0f 8e 04 00 04 38 0f 8e 04 Internet Protocol Src 10 10 50 40 10 10 50 40 Dst 10 10 44 5 10 10 44 5 User Datagram Protoc...

Page 35: ...Protocol Src Port 1024 1024 Dst Port radacct 1813 Radius Protocol Code Accounting Request 4 Packet identifier 0xa 10 Length 95 Authenticator 226B10B0F24DC2AAA1CA673E3EC7517C The response to this reque...

Page 36: ...0 10 50 1 User Datagram Protocol Src Port radius 1812 Dst Port 1366 1366 Radius Protocol Code Access Accept 2 Packet identifier 0xf3 243 Length 32 Authenticator 656E2696110131703FC73E3B059FE5BE This i...

Page 37: ...5 t User Name 1 rwa AVP l 6 t NAS IP Address 4 10 10 50 1 AVP l 6 t Acct Session Time 46 18 AVP l 6 t Acct Input Octets 42 0 AVP l 6 t Acct Output Octets 43 619 AVP l 6 t Acct Input Packets 47 0 AVP l...

Page 38: ...captured Ethernet II Src DellComp_38 57 5b 00 06 5b 38 57 5b Dst NortelNe_0f 8e 04 00 04 38 0f 8e 04 Internet Protocol Src 10 10 50 40 10 10 50 40 Dst 10 10 50 1 10 10 50 1 User Datagram Protocol Src...

Page 39: ...e disabled when TACACS is enabled The TACACS protocol is a draft standard available at ftp ietf org internetdrafts draft grant tacacs 02 TACACS is not compatible with any previous versions of TACACS 3...

Page 40: ...password dialog and response The authentication session provides username password functionality 0 8 31 16 Version Type Session ID Length Version 0xC0 0xC1 Type 0x01 Authentication 0x02 Authorization...

Page 41: ...access to a requested command only if the information in the user profile allows it TACACS authorization is not mandatory for all privilege levels When authorization is requested by the NAS the entir...

Page 42: ...a part of the encryption and it is used by both ends to distinguish between packets belonging to multiple sessions Multiple sessions may be supported simultaneously and or consecutively on a single TC...

Page 43: ...5510 config level 5 tacacs switch back To support runtime switching of users to a particular privilege level you must preconfigure a dummy user for that level on the daemon The format of the user name...

Page 44: ...for ERS and ES Technical Configuration Guide 44 November 2010 avaya com The following table shows the scheme used to map the access levels to TACACS privilege levels Access Level ERS 1600 8300 ERS 55...

Page 45: ...tacacs tac_plus cfg This file contains all configuration parameters for TACACS Tacacs configuration file key Dda Accounting records log file accounting file var log tac_acc log All services are alowe...

Page 46: ...be 2 3 or 5 depending on your run level Also check that tac_plus is started with d flag you will write details about every request into var log tac_plus log file The values represent bits so they can...

Page 47: ...plicity and readability we will document command line interface CLI commands assuming the TACACS server IP address is 10 10 50 40 and the client key is Dda for telnet access authentication To configur...

Page 48: ...onfig monitor show test trace Current Context create IP address Status Key Port Prio Timeout Single Source SourceEnabled 10 10 50 40 NotConn Dda 49 1 10 false 0 0 0 0 The source IP address sent by the...

Page 49: ...ad Only User Connect to the device with telnet using read only user ro With the ERS 1600 and 8300 you can change the TACACS source IP address by using the following command Config tacacs server create...

Page 50: ...pends on debug value configured etc rc5 d S99tac_plus Tue Feb 26 14 30 10 2008 16403 verify login access for user ro to port Telnet Session 1 on 10 10 55 6 from 10 10 50 10 Tue Feb 26 14 30 10 2008 16...

Page 51: ...ser ro found Tue Feb 26 14 30 23 2008 16406 authorize_cmd enable Tue Feb 26 14 30 23 2008 16406 line 93 compare enable permit match Tue Feb 26 14 30 23 2008 16406 enable permitted by line 93 Tue Feb 2...

Page 52: ...using read only user bsrw Telnet to Switch with read write user bsrw type some commands 5510 level 5 en 5510 level 5 show clock Current SNTP time 2008 02 26 14 35 28 GMT 01 00 Daylight saving time is...

Page 53: ...08 16436 do_author user bsrw found Tue Feb 26 14 35 12 2008 16436 exec authorization request for bsrw Tue Feb 26 14 35 12 2008 16436 exec is explicitly permitted by line 59 Tue Feb 26 14 35 12 2008 16...

Page 54: ...exist permitted by default Tue Feb 26 14 35 32 2008 16441 authorization query for bsrw unknown from 10 10 55 6 accepted Tue Feb 26 14 35 45 2008 16442 Start authorization request Tue Feb 26 14 35 45 2...

Page 55: ...ccess to switch configuration Log file on TACACS server var log tac_acc log NO ENTRY Please note that ERS 1600 and 8300 does not support TACACS accounting Log file on TACACS server var log tac_plus lo...

Page 56: ...ed 1 args Tue Feb 26 16 49 21 2008 16477 author_svc out_args 0 service shell input copy discarded Tue Feb 26 16 49 21 2008 16477 author_svc out_args 1 cmd input copy discarded Tue Feb 26 16 49 21 2008...

Page 57: ...elay seconds info load encryption module 3DES DES AES setdate MMddyyyyhhmmss 8300 5 exit Read write user in this example does have access to switch configuration Log file on TACACS server var log tac_...

Page 58: ...lvl 6 add priv lvl 6 k Tue Feb 26 17 27 24 2008 16485 author_svc added 1 args Tue Feb 26 17 27 24 2008 16485 author_svc out_args 0 service shell input copy discarded Tue Feb 26 17 27 24 2008 16485 aut...

Page 59: ...Source Destination Protocol Info 4 0 001953 10 10 55 6 10 10 50 40 TACACS Q Authentication Frame 4 115 bytes on wire 115 bytes captured Ethernet II Src NortelNe_0f 8e 04 00 04 38 0f 8e 04 Dst DellCom...

Page 60: ...57 5b 00 06 5b 38 57 5b Internet Protocol Src 10 10 55 6 10 10 55 6 Dst 10 10 50 40 10 10 50 40 Transmission Control Protocol Src Port 1190 1190 Dst Port 49 49 Seq 50 Ack 29 Len 25 TACACS Major versi...

Page 61: ...40 10 10 55 6 TCP 49 1191 SYN ACK Seq 0 Ack 1 Win 5792 Len 0 MSS 1460 TSV 3143898088 TSER 3264254 WS 0 No Time Source Destination Protocol Info 15 0 007083 10 10 55 6 10 10 50 40 TCP 1190 49 FIN ACK S...

Page 62: ...n ID 2408421135 Packet length 5 Encrypted Reply No Time Source Destination Protocol Info 20 0 010148 10 10 50 40 10 10 55 6 TCP 49 1191 FIN ACK Seq 18 Ack 73 Win 5792 Len 0 TSV 3143898088 TSER 3264254...

Page 63: ...0x00 Encrypted payload Multiple Connections 0 Unencrypted Not set 0 Single Connection Not set Session ID 308467491 Packet length 56 Encrypted Request No Time Source Destination Protocol Info 29 0 0157...

Page 64: ...Info 36 3 109326 10 10 55 6 10 10 50 40 TCP 1193 49 SYN Seq 0 Len 0 MSS 1460 WS 0 TSV 3264260 TSER 0 No Time Source Destination Protocol Info 37 3 109370 10 10 50 40 10 10 55 6 TCP 49 1193 SYN ACK Seq...

Page 65: ...tions 0 Unencrypted Not set 0 Single Connection Not set Session ID 845883376 Packet length 6 Encrypted Reply No Time Source Destination Protocol Info 42 3 113047 10 10 50 40 10 10 55 6 TCP 49 1193 FIN...

Page 66: ...en 86 TACACS Major version TACACS Minor version 0 Type Authorization 2 Sequence number 1 Flags 0x00 Encrypted payload Multiple Connections 0 Unencrypted Not set 0 Single Connection Not set Session ID...

Page 67: ...TSER 3264277 No Time Source Destination Protocol Info 58 14 996946 10 10 55 6 10 10 50 40 TCP 1195 49 SYN Seq 0 Len 0 MSS 1460 WS 0 TSV 3264284 TSER 0 No Time Source Destination Protocol Info 59 14 9...

Page 68: ...ctions 0 Unencrypted Not set 0 Single Connection Not set Session ID 3031640525 Packet length 6 Encrypted Reply No Time Source Destination Protocol Info 64 15 000511 10 10 50 40 10 10 55 6 TCP 49 1195...

Page 69: ...n TACACS Minor version 0 Type Accounting 3 Sequence number 1 Flags 0x00 Encrypted payload Multiple Connections 0 Unencrypted Not set 0 Single Connection Not set Session ID 1349224772 Packet length 93...

Page 70: ...ACK Seq 106 Ack 18 Win 8192 Len 0 TSV 3264284 TSER 3143899588 No Time Source Destination Protocol Info 77 15 008090 10 10 55 6 10 10 50 40 TCP 1196 49 FIN ACK Seq 106 Ack 18 Win 8192 Len 0 TSV 3264284...

Page 71: ...Getting product training Ongoing product training is available For more information or to register you can access the Web site at www avaya com support From this Web site you can locate the Training...

Reviews:

No comments

Brands by name

Popular brands

Load more brands