Nortel 2526T Configuration Download Page 29 | Manualshive

Page: 29 / 228

Nortel 2526T Configuration Download Page 29

Advanced EAPOL features

29

Only unicast packets are sent to a specific port so that the packets
reach the correct destination.

•

Receiving EAPOL packets

The EAPOL packets are directed to the correct logical port for state
machine action.

•

Traffic on an authorized port

Only a set of authorized MAC addresses is allowed access to a port.

MHMA support for EAP clients includes the following features:

•

A port remains on the Guest VLAN when no authenticated hosts exist
on it. Until the first authenticated host, both EAP and non EAP clients
are allowed on the port.

•

After the first successful authentication, only EAPOL packets and data
from the authenticated MAC addresses are allowed on a particular port.

•

Only a predefined number of authenticated MAC users are allowed on
a port.

•

When RADIUS VLAN assignment is disabled for ports in MHMA mode,
only preconfigured VLAN assignment for the port is used. Upon
successful authentication, untagged traffic is put it in a VLAN configured
for the port.

•

When RADIUS VLAN assignment is enabled for ports in MHMA mode,
upon successful RADIUS authentication, the port gets a VLAN value in
a RADIUS Attribute with EAP success. The port is added and the PVID
is set to the first such VLAN value from the RADIUS server.

•

Configuration of timer parameters is per physical port, not per user
session. However, the timers are used by the individual sessions on
the port.

•

Reauthenticate Now, when enabled, causes all sessions on the port to
reauthenticate.

•

Reauthentication timers are used to determine when a MAC is
disconnected so as to enable another MAC to log in to the port.

•

Configuration settings are saved across resets.

Radius-assigned VLAN use in MHMA mode

Radius-assigned VLAN use in the MHMA mode is allowed to give you
greater flexibility and a more centralized assignment than existed. This
feature is also useful in an IP Phone set up, when the phone traffic can
be directed to the Voice over IP (VoIP) VLAN and the PC Data traffic can
be directed to the assigned VLAN. When Radius-assigned VLAN values
are allowed, the port behaves as follows: the first authenticated EAP MAC

Nortel Ethernet Routing Switch 2500 Series

Security — Configuration and Management

NN47215-505 (323165-B)

02.01

Standard

4.1

19 November 2007

Copyright © 2007, Nortel Networks

.

«
...
27
28
29
30
31
...
»

Summary of Contents for 2526T

Page 1: ...Nortel Ethernet Routing Switch 2500 Series Security Configuration and Management NN47215 505 323165 B...

Page 2: ...ny the delivery of this computer software the rights of the United States Government regarding its use reproduction and disclosure are as set forth in the Commercial Computer Software Restricted Right...

Page 3: ...E is no longer in use Customer promptly returns the Software to Nortel Networks or certify its destruction Nortel Networks can audit by remote polling or other reasonable means to determine Customer s...

Page 4: ...ty can bring an action regardless of form more than two years after the cause of the action arose e The terms and conditions of this License Agreement form the complete and exclusive agreement between...

Page 5: ...Configuration 17 Username and password 17 Logging on 18 Configuring Security options 18 RADIUS based network security 20 MAC address based security 21 EAPOL based security 21 EAPoL with Guest VLAN 23...

Page 6: ...I commands 58 CLI commands specific to SNMPv3 69 Securing your network 80 Configuring MAC address filter based security 80 Configuring EAPOL based security 87 Configuring advanced EAPOL features 94 Co...

Page 7: ...management information view 202 Configuring an SNMPv3 system notification entry 205 Configuring an SNMPv3 management target address 208 Configuring an SNMPv3 management target parameter 211 Configurin...

Page 8: ...8 Contents Nortel Ethernet Routing Switch 2500 Series Security Configuration and Management NN47215 505 323165 B 02 01 Standard 4 1 19 November 2007 Copyright 2007 Nortel Networks...

Page 9: ...h 2500 Release 4 1 supports advanced EAPOL security features For more information see the following sections Advanced EAPOL features page 28 Configuring multihost support page 95 Configuring support f...

Page 10: ...10 New in this release Nortel Ethernet Routing Switch 2500 Series Security Configuration and Management NN47215 505 323165 B 02 01 Standard 4 1 19 November 2007 Copyright 2007 Nortel Networks...

Page 11: ...ribe the features common to the switches mentioned above A switch is referred to by its specific name when a feature is described that is exclusive to the switch Before you begin This guide is intende...

Page 12: ...how ip routes but not both brackets Indicate optional elements in syntax descriptions Do not type the brackets when entering the command Example If the command syntax is show ip interfaces alerts you...

Page 13: ...gement interfaces and how to use them to configure basic switching features for the Nortel Ethernet Routing Switch 2500 Series Nortel Ethernet Routing Switch 2500 Series Configuration VLANs Spanning T...

Page 14: ...to technical issues sign up for automatic notification of new software and documentation for Nortel equipment open and manage technical support cases Getting help through a Nortel distributor or resel...

Page 15: ...hen you use an ERC your call is routed to a technical support person who specializes in supporting that product or service To locate the ERC for your product or service go to www nortel com erc Nortel...

Page 16: ...16 Introduction Nortel Ethernet Routing Switch 2500 Series Security Configuration and Management NN47215 505 323165 B 02 01 Standard 4 1 19 November 2007 Copyright 2007 Nortel Networks...

Page 17: ...f the console terminal were directly connected to the Switch You can establish up to four active Telnet or Web sessions at one time in addition to one active Console connection for a total of five pos...

Page 18: ...or your LAN RADIUS based security limits administrative access to the switch through user authentication MAC address based security limits access to the switch based on allowed source MAC addresses EA...

Page 19: ...s MAC addresses access to one or more switch ports see MAC address based security page 21 The switch is located in a locked closet accessible only by authorized Technical Services personnel Student do...

Page 20: ...ts you set up network access control by using the Remote Authentication Dial In User Services RADIUS security protocol The RADIUS based security feature uses the RADIUS protocol to authenticate local...

Page 21: ...e stack configuration Specify which of your switch ports each MAC address is allowed to access The options for allowed port access include NONE ALL and single or multiple ports that are specified in a...

Page 22: ...software with the main purpose of authorizing the supplicant who is attached at the other end of the LAN segment Authentication server a Radius server that provides authorization services to an authe...

Page 23: ...n the port has access to that port for traffic Any tagging of ingress packets are to the PVID of that port This remains the default configuration With Software Release 4 1 EAP also allows Guest VLANs...

Page 24: ...mpts the switch resets the logon process The number of failed logon attempts is configurable and the default is three Password history The switch keeps a history of the last three passwords You cannot...

Page 25: ...isplay and verification restrictions to the following passwords RADIUS Shared Secret Read Only community string Read Write community string Enabling and disabling password security Password security c...

Page 26: ...and also is saved across reboots of the switch For more information see Changing the http port number page 43 Simple Network Management Protocol The Nortel Ethernet Routing Switch 2500 Series support...

Page 27: ...introduces a standards based GetBulk retrieval capability using SNMPv1 communities SNMPv3 support in the Nortel Ethernet Routing Switch 2500 Series introduces industrial grade user authentication and...

Page 28: ...he port Each user must complete EAP authentication before the port allows traffic from the corresponding MAC address Only traffic from the authorized hosts is allowed on that port Radius assigned VLAN...

Page 29: ...in MHMA mode upon successful RADIUS authentication the port gets a VLAN value in a RADIUS Attribute with EAP success The port is added and the PVID is set to the first such VLAN value from the RADIUS...

Page 30: ...t authenticated client In this way a permanent bounce between different VLANs of the switch port is avoided Following are the steps to enable the enhancement Enable Radius assigned VLANs in Global Con...

Page 31: ...on For more information about the generated credentials see Non EAPOL MAC RADIUS authentication page 32 If the MAC address is authenticated by RADIUS the host is allowed If the MAC address does not ma...

Page 32: ...ormation about configuring non EAPOL host support see Configuring support for non EAPOL hosts on EAPOL enabled ports Non EAPOL MAC RADIUS authentication For RADIUS authentication of a non EAPOL host M...

Page 33: ...n After the first EAPOL client successfully authenticates EAPOL packets and data from that client are allowed on the port No other clients are allowed to negotiate EAPOL authentication The port is set...

Page 34: ...port is 32 However Nortel expects that the usual maximum value configured for a port is 2 This translates to around 200 for a box and 800 for a stack Nortel Ethernet Routing Switch 2500 Series Securi...

Page 35: ...ADIUS based management password authentication page 56 Setting SNMP parameters page 58 Setting the username and password This section contains information about the following topics username command p...

Page 36: ...applies to the read only mode ATTENTION After you configure the username and password with the username command if you then update the password using the cli password command or through Web based man...

Page 37: ...nd Web based management access none local radiu s Specifies the password that you are modifying none disables the password local use the locally defined password for serial console or Telnet access ra...

Page 38: ...tax for the command is show password security The following shows a sample output for this command 2550T config show password security Password security is enabled The show password security command h...

Page 39: ...e IP manager list When enabled the IP manager list determines which source IP addresses are allowed access to the switch No other source IP addresses have access to the switch You configure the IP man...

Page 40: ...nmp web source ip 1 10 XXX XXX XXX XXX mask XXX XXX XXX XXX The ipmgr command for the management systems is executed in the Global Configuration command mode Table 3 ipmgr command for system managemen...

Page 41: ...The syntax for the no ipmgr command for the management systems is no ipmgr telnet snmp web The no ipmgr command is executed in the Global Configuration command mode Table 4 no ipmgr command for manage...

Page 42: ...he source IP address from which access is allowed Enter the IP address either as an integer or in dotted decimal notation mask XXX XXX XXX X XX Specifies the subnet mask from which access is allowed e...

Page 43: ...re you can change the HTTP port You can configure this feature by using the following commands show http port command page 43 http port command page 44 default http port page 44 show http port command...

Page 44: ...or the HTTP port to the default value of 80 The syntax for the default http port command is default http port The default http port command is executed in the Global Configuration command mode The def...

Page 45: ...mmand page 45 telnet access command page 46 no telnet access command page 47 default telnet access command page 48 show telnet access command The show telnet access command displays the current settin...

Page 46: ...cess command Table 8 telnet access command parameters and variables Parameters and variables Description enable disable Enables or disables Telnet connections login timeout 1 10 Specifies the time in...

Page 47: ...t connection attempts are saved in the event log source ip 1 10 XX X XXX XXX XXX mask XXX XXX XXX XXX Specifies up to 10 source IP addresses from which connections are allowed Enter the IP address eit...

Page 48: ...ring the IP manager list page 39 default telnet access command The default telnet access command sets the Telnet settings to the default values The syntax for the default telnet access command is defa...

Page 49: ...mmand page 54 show ssh global command The show ssh global command displays the secure shell configuration information The syntax for the show ssh global command is show ssh global The show ssh global...

Page 50: ...show ssh session command output show ssh download auth key command The show ssh download auth key command displays the results of the most recent attempt to download the DSA public key from the TFTP s...

Page 51: ...e no ssh dsa host key command is executed in the Global Configuration command mode There are no parameters or variables for the no ssh dsa host key command ssh command The ssh command enables the SSH...

Page 52: ...cation The syntax of the ssh timeout command is ssh timeout 1 120 The ssh timeout command executed in the Global Configuration command mode Table 10 ssh timeout command parameters and variables page 5...

Page 53: ...and no ssh pass auth command The no ssh pass auth command disables password authentication The syntax of the no ssh pass auth command is no ssh pass auth The no ssh pass auth command executed in the G...

Page 54: ...key command Table 12 ssh download auth key command parameters and variables Parameters and variables Description address XXX XXX XXX XXX The IP address of the TFTP server key name file The name of the...

Page 55: ...ssion authentication to the default Default is 60 Setting server for Web based management You can enable or disable the Web server to use for the Web based management system This section discusses the...

Page 56: ...configure this authentication by using the CLI system you can use the following commands show radius server command page 56 radius server command page 57 no radius server command page 58 default radiu...

Page 57: ...the parameters and variables for the radius server command Table 15 radius server command parameters and variables Parameters and variables Description primary host address Specifies the primary RADI...

Page 58: ...gure password fallback as an option when you use RADIUS authentication for login and password When both RADIUS servers are unreachable the user can log in using the local passwords The syntax for the...

Page 59: ...e 65 no snmp server location command page 65 default snmp server location command page 66 snmp server name command page 66 no snmp server name command page 66 default snmp server name command page 67...

Page 60: ...command enables or disables the generation of SNMP authentication failure traps The syntax for the snmp server authentication trap command is snmp server authentication trap enable disable The snmp se...

Page 61: ...rver authentication trap command has no parameters or variables snmp server community for read write command The snmp server community command for read write modifies the community strings for SNMP v1...

Page 62: ...ations with rw access can retrieve and modify MIB objects ATTENTION If neither ro nor rw is specified ro is assumed default no snmp server community command The no snmp server community command clears...

Page 63: ...on to the default settings The syntax for the default snmp server community command is default snmp server community ro rw The default snmp server community command is executed in the Global Configura...

Page 64: ...ameters and variables for the snmp server contact command Table 21 snmp server contact command parameters and variables Parameters and variables Description text Specifies the SNMP sysContact value en...

Page 65: ...les Description text Specifies the SNMP sysLocation value enter an alphanumeric string of up to 255 characters no snmp server location command The no snmp server location command clears the SNMP sysLo...

Page 66: ...r name command parameters and variables page 66 describes the parameters and variables for the snmp server name command Table 24 snmp server name command parameters and variables Parameters and variab...

Page 67: ...default snmp server name command Table 26 default snmp server name command parameters and variables Parameters and variables Description text Specifies the SNMP sysName value enter an alphanumeric st...

Page 68: ...mand is no snmp trap link status port portlist The no snmp trap link status command is executed in the Interface Configuration command mode Table 28 no snmp trap link status command parameters and var...

Page 69: ...ENTION If you omit this parameter the system uses the port number specified with the interface command CLI commands specific to SNMPv3 This section describes the unique CLI commands for configuring SN...

Page 70: ...sha parameter is included Likewise you can specify authenticated and encrypted access only if the des aes or 3des parameter is included If you omit the authenticated view parameters authenticated acce...

Page 71: ...is enabled in which case the switch prompts you to enter and confirm the new password read view view name Specifies the read view to which the new user has access view name specifies the view name en...

Page 72: ...NTION This parameter is not available when Password Security is enabled in which case the switch prompts you to enter and confirm the new password no snmp server user command The no snmp server user c...

Page 73: ...parameters and variables page 73 describes the parameters and variables for the snmp server view command Table 32 snmp server view command parameters and variables Parameters and variables Description...

Page 74: ...he system group except for sysDescr no snmp server view command The no snmp server view command deletes the specified view The syntax for the no snmp server view command is no snmp server view viewnam...

Page 75: ...command Table 34 snmp server host for the new style table command parameters and variables Parameters and variables Description host ip Enter a dotted decimal IP address of a host to be the trap desti...

Page 76: ...d variables page 76 describes the parameters and variables for the no snmp server for the new style table command Table 35 no snmp server host for the new style command parameters and variables Parame...

Page 77: ...name write view view name notify view view name The snmp server community command is executed in the Global Configuration command mode Table 36 snmp server community command parameters and variables p...

Page 78: ...alphanumeric string notify view view name Changes the notify view settings used by the new community string for different types of SNMP operations view name specifies the name of the view that is a se...

Page 79: ...e data consists of a set of initial users groups and views This snmp server bootstrap command deletes all existing SNMP configurations so use the command with caution The syntax for the snmp server bo...

Page 80: ...ss table address command page 83 mac security security list command page 83 no mac security command page 84 no mac security mac address table command page 84 no mac security security list command page...

Page 81: ...mmand Figure 10 show mac security command output mac security command The mac security command modifies the BaySecure configuration The syntax for the mac security command is mac security disable enab...

Page 82: ...rusion is detected enter the number of seconds to specify learning enable disable Specifies MAC address learning enable enables learning by ports disable disables learning by ports ATTENTION The MAC a...

Page 83: ...ust specify only a single port The mac security mac address table address command is executed in the Global Configuration command mode Table 41 mac security mac address table address parameters and va...

Page 84: ...o mac security command has no parameters or values no mac security mac address table command The no mac security mac address table command clears entries from the MAC address security table The syntax...

Page 85: ...4 no mac security security list command parameters and variables Parameters and variables Description 1 32 Enter the number of the security list that you want to clear mac security command for specifi...

Page 86: ...ac da filter command you can filter packets from up to 10 specified MAC DAs You also can use this command to delete such a filter and then receive packets from the specified MAC DA The syntax for the...

Page 87: ...difying parameters page 91 eapol guest vlan command page 93 no eapol guest vlan command page 93 default eapol guest vlan command page 93 show eapol command The show eapol command displays the status o...

Page 88: ...he port Force Unauthorized Port is always unauthorized Auto Port authorization status depends on the result of the EAP authentication Force Authorized Port is always authorized Auth Displays the curre...

Page 89: ...r response from supplicant for EAP Request or Identity packets the range is 1 65535 Supplicant Timeout Specifies a waiting period for response from supplicant for all EAP packets the range is 1 65535...

Page 90: ...uth stats interface The show eapol auth stats interface command is executed in the Privileged EXEC command mode Figure 13 show eapol auth stats interface command output page 90 displays sample output...

Page 91: ...pol port portlist init status authorized unauthor ized auto traffic control in out in re authentication enable disable re authentication period 1 604800 re authenticate quiet interval num transmit int...

Page 92: ...authentication enable disable Enables or disables reauthentication re authentication period 1 604800 Enter the number of seconds that you want between re authentication attempts Use either this varia...

Page 93: ...he Global Configuration command mode and Interface Configuration command mode Table 50 eapol guest vlan command parameters and variables page 93 describes the parameters and variables for the eapol gu...

Page 94: ...gure 14 show eapol guest vlan command output page 94 displays sample output from the eapol guest vlan command Figure 14 show eapol guest vlan command output Configuring advanced EAPOL features Etherne...

Page 95: ...non eap mhsa enable radius non eap enable use radius assigned vlan non eap pwd fmt ip addr mac addr port number This command is executed in the Global Configuration command mode eapol multihost param...

Page 96: ...OL password format default eapol multihost command The default eapol multihost command sets the EAPoL multihost feature to default This command is executed in the global configuration mode The syntax...

Page 97: ...the parameters and variables for the eapol multihost command eapol multihost command parameters and variables Parameters and variables Description allow non eap enable Enables MAC addresses of non EAP...

Page 98: ...clients MAC addresses port Displays port number on which to apply EAPOL multihost settings radius non eap enable Disables Radius authentication of non EAP clients use radius assigned vlan Disallows us...

Page 99: ...umber on which to disable EAPOL radius non eap enable Enables Radius authentication of non EAP clients use radius assigned vlan Allows use of RADIUS assigned VLAN values non eap mac H H H port Resets...

Page 100: ...ge 100 describes the parameters and variables for the show eapol multihost command show eapol multihost command parameters and variables Parameters and variables Description interface Displays EAPOL m...

Page 101: ...les Description portList List of ports show eapol multihost interface command output page 101 displays sample output from the show eapol multihost interface command show eapol multihost interface comm...

Page 102: ...n To configure support for non EAPOL hosts on EAPOL enabled ports do the following 1 Enable non EAPOL support globally on the switch and locally for the desired interface ports using one or both of th...

Page 103: ...ll ports on the interface To discontinue local authentication of non EAPOL hosts on EAPOL enabled ports use the no or default keywords at the start of the commands in both the Global and Interface con...

Page 104: ...authentication on the desired interface or on a specific port for non EAPOL hosts The default for this feature is disabled To discontinue RADIUS authentication of non EAPOL hosts on EAPOL enabled por...

Page 105: ...ll If you do not specify a port parameter the command sets the value for all ports on the interface value is an integer in the range 1 32 that specifies the maximum number of non EAPOL clients allowed...

Page 106: ...terface configuration mode show eapol multihost The display shows whether local and RADIUS authentication of non EAPOL clients is enabled or disabled Viewing port settings for non EAPOL hosts To view...

Page 107: ...multihost status command displays the multihost status of eapol clients on EAPOL enabled ports The syntax for the show eapol multihost status command is show eapol multihost status interface type inte...

Page 108: ...settings for a specific port or for all ports on an interface use the following command in Interface configuration mode eapol multihost port portlist where portlist is the list of ports to which you...

Page 109: ...ed maximum will be approximately 200 for each box and 800 for a stack Viewing MHSA settings and activity For information about the commands to view MHSA settings and non EAPOL host activity see Viewin...

Page 110: ...tatus tab page 119 AuthViolation tab page 122 SSH tab page 122 SSH Sessions tab page 124 Radius Server tab page 125 Configuring EAPOL on ports page 126 Configuring SNMP page 141 Working with SNMPv3 pa...

Page 111: ...procedure Step Action 1 From the Device Manager menu bar select Edit Security The Security dialog box appears with the EAPOL tab displayed 2 Click the General tab The General tab appears The following...

Page 112: ...curity configuration Entries also include other notlocked AuthCtlPartTime This value indicates the duration of the time for port partitioning in seconds The default is zero When the value is zero the...

Page 113: ...trap partitionPort Port is partitioned partitionPortAndsendTrap Port is partitioned and traps are sent to the trap receiver daFiltering Port filters out the frames where the destination address field...

Page 114: ...in the SecurityList tab SecurityList tab The SecurityList tab contains a list of Security port fields To view the SecurityList tab use the following procedure Step Action 1 From the Device Manager men...

Page 115: ...ct Edit Security The Security window appears with the EAPOL tab displayed EAPOL tab 2 Click the SecurityList tab The SecurityList tab appears SecurityList tab 3 Click Insert The Security Insert Securi...

Page 116: ...that have the security configuration An SNMP SET PDU for a row in the tab requires the entire sequence of the MIB objects in each entry to be stored in one PDU Otherwise the GENERR return value is re...

Page 117: ...ly if BrdIndx and PortIndx values are set to zero For other board and port index values this index must also have the value of zero The corresponding MAC Address of this entry is allowed or blocked on...

Page 118: ...corresponds to the index of the last manageable port on the board but only if the index is greater than zero A zero index is a wild card MACIndx An index of MAC addresses that are either designated a...

Page 119: ...le port a single port all the ports on a single board a particular port on all the boards all the ports on all the boards To view the AuthStatus tab use the following procedure Step Action 1 From the...

Page 120: ...tains the board if the index is greater than zero AuthStatusPortIndx The index of the port on the board This corresponds to the index of the last manageable port on the board if the index is greater t...

Page 121: ...of the unauthorized station Traps are sent to the trap receiver sendTrap A trap is sent to the trap receiver s partitionPortAnddaFiltering Port is partitioned and filters out the frames where the des...

Page 122: ...e Security window appears with the EAPOL tab displayed 2 Click the AuthViolation tab The AuthViolation tab appears The following figure displays the AuthViolation tab Figure 23 AuthViolation tab End S...

Page 123: ...enables SSH Securely enable turns off other daemon flag and it takes effect after a reboot Version Indicates the SSH version Port Indicates the SSH connection port Timeout Indicates the SSH connection...

Page 124: ...es the retrieved value of the TFTP transfer SSH Sessions tab The SSH Sessions tab displays the currently active SSH sessions To view the SSH Sessions tab use the following procedure Step Action 1 From...

Page 125: ...dius Server tab use the following procedure Step Action 1 From the Device Manager menu bar select Edit Security Select the Radius Server tab 2 Click the Radius Server tab The Radius Server tab appears...

Page 126: ...s before the client retransmit the packet to RADIUS server SharedSecret Key Specifies the value of the shared secret key ATTENTION The shared secret key has a maximum of 16 characters ConfirmedSharedS...

Page 127: ...one of the following From the shortcut menu choose Edit From the Device Manager main menu choose Edit Port From the toolbar click Edit The Port dialog box appears with the Interface tab displayed 3 C...

Page 128: ...status is always unauthorized Auto The authorization status depends on the EAP authentication results BackendAuthState The current state of the Backend Authentication state for the switch AdminContro...

Page 129: ...od Time interval between successive reauthentications When the ReAuthenticationEnabled field see the following field is enabled you can specify the time period between successive EAPOL authentications...

Page 130: ...s Ctrl left click the ports that you want to edit A yellow outline appears around the selected ports 2 Do one of the following From the shortcut menu choose Edit From the Device Manager main menu choo...

Page 131: ...Clie nt Enables or disables non EAPOL on the port MultiHostNonEapMaxNum Macs Specifies the maximum number of allowed non EAPOL clients on the port MultiHostSingleAuthEnable d Enables or disables EAPOL...

Page 132: ...MACAddr The MAC address of the client PaeState The current state of the authenticator PAE state machin BackendAuthState The current state of the Backend Authentication state machine Reauthenticate The...

Page 133: ...session termination UserName The username representing the identity of the supplicant PAE End Non EAPOL host support settings From the EAPOL Advance tab on the Port screen it is possible to view non E...

Page 134: ...ss to the list of allowed non EAPOL clients a Click the Insert button The Insert Allowed non EAP MAC screen appears The following figure illustrates this tab Figure 32 Insert Allowed non EAP MAC scree...

Page 135: ...escribes the fields on this screen Non EAPOL MAC screen Non EAP Status tab Field Description PortNumber The port number in use ClientMACAddr The MAC address of the client State The authentication stat...

Page 136: ...t or ports you want to graph To select multiple ports press Ctrl left click the ports that you want to configure A yellow outline appears around the selected ports 2 Do one of the following From the D...

Page 137: ...this authenticator EapolLogoffFramesRx The number of EAPOL Logoff frames that are received by this authenticator EapolRespIdFramesRx The number of EAPOL Resp Id frames that are received by this authen...

Page 138: ...s you want to graph To select multiple ports press Ctrl left click the ports that you want to configure A yellow outline appears around the selected ports 2 Do one of the following From the Device Man...

Page 139: ...ing as a result of receiving an EAPOL Logoff message EntersAuthenticating Counts the number of times that the state machine transitions from connecting to authenticating as a result of an EAP Response...

Page 140: ...ng received from the Supplicant AuthReauthsWhile Authenticated Counts the number of times that the state machine transitions from authenticated to connecting as a result of a reauthentication request...

Page 141: ...ndicates that the Supplicant has successfully authenticated to the Authentication Server BackendAuthFails Counts the number of times that the state machine receives an EAP Failure message from the Aut...

Page 142: ...ries TrpRcvrCurEnt The current number of trap receiver entries TrpRcvrNext The next trap receiver entry to be created Trap Receivers tab The Trap Receivers tab lists the devices that receive SNMP trap...

Page 143: ...wing Community field description in this table NetAddr The address or DNS hostname for the trap receiver Community Community string used for trap messages to this trap receiver Adding a Trap Receiver...

Page 144: ...information about the addresses that the agent software uses to identify the switch To open the SNMP tab use the following procedure Step Action 1 Select the chassis 2 Choose Graph Chassis The Graph...

Page 145: ...etVars The total number of MIB objects altered successfully by the SNMP protocol as the result of receiving valid SNMP Set Request PDUs InGetRequests The total number of SNMP Get Request PDUs that are...

Page 146: ...ity Names The total number of SNMP messages delivered to the SNMP protocol that used an unknown SNMP community name InBadCommunity Uses The total number of SNMP messages delivered to the SNMP protocol...

Page 147: ...and SNMPv2c It supports better authentication and data encryption than SNMPv1 and SNMPv2c SNMPv3 provides protection against the following security threats modification of SNMP messages by a third par...

Page 148: ...To log on to the Ethernet Routing Switch 2500 Series Device Manager as an SNMPv3 user use the following procedure Step Action 1 On the Device Manager menu bar select Device Open 2 In the Device Name...

Page 149: ...n method page 149 describes the ways in which an SNMPv3 user can be configured Table 67 SNMPv3 user configuration method SNMPv3 Configuration Method Description NoAuthNoPriv The user cannot use an aut...

Page 150: ...acters AuthProtocol Identifies the authentication protocol used PrivProtocol Identifies the privacy protocol used StorageType Specifies whether the table entry row will be stored in volatile or nonvol...

Page 151: ...hat you assign both an authentication and encryption protocol to the first user you create through the CLI or Web interface 5 From the Auth Protocol pull down list select an authentication protocol fo...

Page 152: ...n old AuthPass and a new AuthPass Cloned User s Auth Password Specifies the current authentication password New User s Auth Password Specifies the new authentication password to use for this user Priv...

Page 153: ...subtrees or objects For more detailed information on VACM see RFC 3415 Defining Group Membership with VACM To add members to a group in the View based Access Control Model VACM table use the followin...

Page 154: ...memory it does not persist if the switch loses power 2 Click Insert The VACM Insert Group Membership dialog box appears The following figure displays the VACM Insert Group Membership dialog box 3 Sel...

Page 155: ...ity model assigned to users in the Group Membership table Options are SNMPv1 SNMPv2c or USM SecurityLevel The security level assigned to users in the Group Membership table Options are noAuthNoPriv au...

Page 156: ...Insert Group Access Right dialog box Figure 44 VACM Insert Group Access Right dialog box 4 Enter the name of a group 5 Enter the context prefix 6 Select the security model 7 Select the security level...

Page 157: ...From the Device Manager menu bar choose Edit SnmpV3 VACM table The VACM dialog box appears Figure 42 VACM dialog Group Membership tab page 153 2 Select the MIB View tab The MIB View tab appears The fo...

Page 158: ...determine whether an OID falls under a view subtree Type Determines whether access to a MIB object is granted Included or denied Excluded The default is Included StorageType Specifies whether this ta...

Page 159: ...nity table contains objects for mapping between community strings and the security name created in VACM Group Member To create a community use the following procedure Step Action 1 From the Device Man...

Page 160: ...ble dialog box fields Table 74 Community Table dialog box fields Field Description Index The unique index value of a row in this table The SnmpAdminString range is 1 32 characters Name The community s...

Page 161: ...points StorageType The storage type for this conceptual row in the snmpCommunityTable Conceptual rows that have the value permanent do not allow write access to any columnar object in the row Manageme...

Page 162: ...Field Description Name Specifies the name for this target table entry TDomain Specifies the domain of the management target The default is snmpUDPDomain TAddress Specifies the IP address and destinati...

Page 163: ...ck Insert The Target Table Insert Target Address Table dialog box appears The following figure displays the Target Table Insert Target Address Table dialog box Figure 50 Target Table Insert Target Add...

Page 164: ...t Address Table displayed Figure 49 Target Table dialog box Target Address Table tab page 162 2 Select the Target Params Table tab The Target Params Table tab appears The following figure displays the...

Page 165: ...rams Table tab fields page 165 describes the Target Params Table dialog box fields Table 77 Target Params Table tab fields Field Description Name Specifies the name of the target parameters table MPMo...

Page 166: ...use the following procedure Step Action 1 From the Device Manager menu bar choose Edit SnmpV3 Notify The Notify Table dialog box appears Figure 53 NotifyTable dialog box page 166 Notify Table dialog...

Page 167: ...y it does not persist if the switch loses power 2 Click Insert The Notify Table Insert dialog box appears The following figure displays the Notify Table Insert dialog box Figure 54 Notify Table Insert...

Page 168: ...nfiguring Security using the CLI End Nortel Ethernet Routing Switch 2500 Series Security Configuration and Management NN47215 505 323165 B 02 01 Standard 4 1 19 November 2007 Copyright 2007 Nortel Net...

Page 169: ...urity by using the Web based management interface ATTENTION When you install the switch Nortel recommends that you set the initial system usernames and passwords by using the Command Line Interface Fo...

Page 170: ...ATTENTION The title of the page corresponds to the menu selection you choose In the network administrator selected Administration Security Console Figure 55 Console password setting page The following...

Page 171: ...rd setting for the read only access user Console Switch Password Setting Read Write Swit ch Password 1 15 Type the read write password setting for the read write access user Console Stack Password Typ...

Page 172: ...sword for remote dial up If you select this password type you must also set up RADIUS authentication from the Radius management page 5 Type the password for read only and read write user access 6 Clic...

Page 173: ...port for the RADIUS server The default value is 1645 4 Type the number of seconds for the RADIUS timeout period The range is 1 to 60 seconds 5 Type a character string for the RADIUS Shared Secret This...

Page 174: ...for read only access or RW uppercase for read write access 2 In the Password text box type your password 3 Click Log On The System Information page appears ATTENTION For information about modifying e...

Page 175: ...urce Addresses SAs of the authorized stations You can specify a list of up to 448 MAC SAs that are authorized to access the switch You can also specify the ports that each MAC SA is allowed to access...

Page 176: ...feature and specify the appropriate system responses to any unauthorized network access to your switch To configure MAC address based security by using the Web based management system use the followin...

Page 177: ...d 1 Enabled 2 Disabled After this field is set to enabled the MAC address security screens cannot be modified by using SNMP MAC Address Security Setting Partition Port on Intrusion Detected 1 Forever...

Page 178: ...on in the MAC address security features Port List Blank MAC Security Table Clear by Ports Current Learning Mode Blank Action Lets you identify ports that learn incoming MAC addresses All source MAC ad...

Page 179: ...elete ports from a list use the following procedure Step Action 1 From the main menu choose Application MAC Address Security Port Lists The Port Lists page appears The following figure displays the Po...

Page 180: ...st page Figure 61 Port List View Port List page a Click the ports you want to add to the selected list or click All b To delete a port from a list clear the box by clicking it c Click Submit 3 From th...

Page 181: ...MAC addresses You can use the Security Table page to specify the ports that each MAC address is allowed to access You must also include the MAC addresses of any routers that are connected to any secu...

Page 182: ...ys the entry through which the MAC address is allowed MAC Address Lets you specify up to 448 MAC addresses that are authorized to access the switch You can specify the ports that each MAC address is a...

Page 183: ...C address for the default LAN router as an allowed source MAC address End Clearing ports You can clear all information from the specified port s in the list of ports that learn MAC addresses If Learn...

Page 184: ...clear all the allowed Source Ports field leaving a blank field for an entry the associated MAC address for that entry is also cleared End Enabling security on ports To enable or disable MAC address b...

Page 185: ...em Range Description Port 1 to 52 Lists each port on the unit Trunk Blank 1 to 6 Displays the MultiLink Trunk to which the port belongs to Security 1 Enabled 2 Disabled Enables MAC address based secur...

Page 186: ...figuration page page 185 click Disabled to remove that port from the MAC address based security system this action disables all MAC address based security on that port Filtering MAC destination addres...

Page 187: ...u want to filter You can list up to 10 MAC DAs to filter 3 Click Submit The system returns you to the DA MAC Filtering page Figure 65 DA MAC Filtering page page 186 with the new DA listed in the table...

Page 188: ...t of which deal with security Configuring SNMPv1 You can configure SNMPv1 read write and read only community strings enable or disable trap mode settings and or enable or disable the autotopology feat...

Page 189: ...to confirm the community string for the SNMPv1 read only community The default value is public Commu nity String Setting Read Write Commu nity Strin g 1 32 Type a character string to identify the com...

Page 190: ...the steps to build and manage SNMPv3 in the Web based management user interface Viewing SNMPv3 system information You can view information about the SNMPv3 engine that exists and the private protocol...

Page 191: ...Time The number of seconds because the SNMP engine last incremented the snmpEngineBoots object SNMP Engine Maximum Message Size The maximum length in octets of an SNMP message that this SNMP engine c...

Page 192: ...n the SNMPv3 Counters section of the SNMPv3 System Information page Table 90 SNMPv3 Counters section fields Item Description Unavailable Contexts The total number of packets dropped by the SNMP engine...

Page 193: ...ropped by the SNMP engine because they could not be decrypted End Configuring user access to SNMPv3 You can view a table of all current SNMPv3 user security information such as authentication privacy...

Page 194: ...letes the row User Name usmUser SecurityName The name of an existing SNMPv3 user Authentication Protocol usmUser AuthProtocol Indicates whether the message sent on behalf of this user to from the SNMP...

Page 195: ...from the SNMP engine identified by the UserEngineID can be authenticated with the MD5 or SHA protocol Authentication Passphrase usm UserAuthPassword 1 32 Type a string of characters to create a passph...

Page 196: ...o one of the following Click Yes to delete the SNMPv3 user configuration Click Cancel to return to the User Specification page without making changes End Configuring an SNMPv3 system user group member...

Page 197: ...on the Group Membership page Table 93 Group Membership page items Item and MIB association Range Description Deletes the row Nortel Ethernet Routing Switch 2500 Series Security Configuration and Mana...

Page 198: ...n off the power Selecting Non Volatile requests information to be saved in NVRAM when you turn off the power 2 In the Group Membership Creation section type the required information in the text boxes...

Page 199: ...s rights page 199 End Configuring SNMPv3 group access rights You can view a table of existing SNMPv3 group access rights configurations and you can create or delete a SNMPv3 system level access rights...

Page 200: ...cription Deletes the row Group Name vacm AccessToGroup Status 1 32 Type a character string to specify the group name to which access is granted Security Model vacm AccessSecurity Model l 1 SNMPv1 2 SN...

Page 201: ...his entry authorizes access to notifications Entry Storage vacm SecurityToGroup StorageType 1 Volatile 2 Non Volatile Choose your storage preference Selecting Volatile requests information to be dropp...

Page 202: ...agement Information View page End Configuring an SNMPv3 management information view You can view a table of existing SNMPv3 management information view configurations and you can create or delete SNMP...

Page 203: ...igure 71 Management Information View page The following table describes the fields on the Management Information View page Nortel Ethernet Routing Switch 2500 Series Security Configuration and Managem...

Page 204: ...sisting of 1s is recognized View Mask vacmVi ew TreeFamilyMask Octet String 0 16 Type the bit mask that in combination with the corresponding instance of vacmViewFamilySubtree defines a family of view...

Page 205: ...le click the Delete icon for the entry you want to delete A message appears prompting you to confirm your request 3 Do one of the following Click Yes to delete the management information view configur...

Page 206: ...he following table describes the items on the Notification page Table 96 Notification page items Item and MIB association Range Description Deletes the row Notify Name snmpNo tify RowStatus 1 32 Type...

Page 207: ...Non Volatile requests information to be saved in NVRAM when you turn off the power 2 In the Notification Creation section type the required information in the text boxes or select from a list 3 Click...

Page 208: ...anagement target address configurations that associate notifications with particular recipients and delete SNMPv3 target address configurations Creating an SNMPv3 target address configuration To creat...

Page 209: ...e is not received for a generated message An application can provide its own retry count in which case the value of this object is ignored Target Tag List snmpTarget AddrTagList 1 20 Type the space se...

Page 210: ...SNMPv3 target address configuration To delete an SNMPv3 target address configuration use the following procedure Step Action 1 From the main menu choose Configuration SNMPv3 Target Address The Target...

Page 211: ...t parameter configurations Creating an SNMPv3 target parameter configuration To create an SNMPv3 target parameter configuration use the following procedure Step Action 1 From the main menu choose Conf...

Page 212: ...sts information to be dropped lost when you turn off the power Selecting Non Volatile requests information to be saved in NVRAM when you turn off the power 2 In the Target Parameter Creation section t...

Page 213: ...r Table However only SNMPv1 traps are configurable using this table Creating an SNMP trap receiver configuration To create an SNMP trap receiver configuration use the following procedure Step Action 1...

Page 214: ...ect from a list 3 Click Submit The new entry is displayed in the Trap Receiver Table End Deleting an SNMP trap receiver configuration To delete SNMP trap receiver configurations use the following proc...

Page 215: ...Configuring SNMPv3 215 End Nortel Ethernet Routing Switch 2500 Series Security Configuration and Management NN47215 505 323165 B 02 01 Standard 4 1 19 November 2007 Copyright 2007 Nortel Networks...

Page 216: ...uring Security using web based management Nortel Ethernet Routing Switch 2500 Series Security Configuration and Management NN47215 505 323165 B 02 01 Standard 4 1 19 November 2007 Copyright 2007 Norte...

Page 217: ...attempt or changes in the operating status of a port Table 100 SNMP MIB support page 217 lists the supported SNMP MIBs Table 100 SNMP MIB support Application Standard MIBs Proprietary MIBs S5 Chassis...

Page 218: ...ion Modules that support MIB are Standard MIBs MIB II RFC 1213 Bridge MIB RFC 1493 and proposed VLAN extensions 802 1Q Bridge MIB 802 1p Ethernet MIB RFC 1643 RMON MIB RFC 1757 SMON MIB High Capacity...

Page 219: ...trUnitUp Always on A unit is added to an operational stack s5CtrUnitDown Always on A unit is removed from an operational stack s5CtrHotSwap Always on A unit is hot swapped in an operational stack s5Ct...

Page 220: ...mu nity String Setting field 189 community strings configuring 188 Community Table dialog box 159 ContextEngineID field 161 ContextName field 161 Index field 160 Name field 160 SecurityName field 160...

Page 221: ...olFramesRx field 137 EapolFramesTx Field 137 EapolLogoffFramesRx field 137 EapolReqFramesTx field 137 EapolReqIdFramesTx field 137 EapolRespFramesRx field 137 EapolRespldFramesRx 137 EapolStartFramesR...

Page 222: ...ecurity list 179 security table 181 MAC Address Security field 177 MAC Address Security SNMP Locked field 177 MAC address based network security 21 21 MAC DA filtering 80 186 MAC security DA filtering...

Page 223: ...page 179 Primary RADIUS Server field 173 product support 14 R RADIUS access 36 RADIUS authentication 56 Radius page 172 RADIUS password fallback 20 RADIUS Shared Secret field 173 RADIUS Timeout Perio...

Page 224: ...ars field 145 InTotalSetVars field 145 OutBadValues field 146 OutGenErrs field 146 OutNoSuchNames field 146 Outpkts field 145 OutTooBigs field 146 OutTraps field 146 SNMP tab 141 141 LastUnauthenticat...

Page 225: ...11 system information viewing 190 system notification entries 205 user access 193 user group membership 196 trap mode settings 188 switches supported 11 System Information page 190 T Target Address pa...

Page 226: ...152 USM Insert USM Table dialog box Auth Protocol field 152 Clone From User field 152 V VACM dialog box 153 VACM tables 153 vacmGroupName field 155 View Mask field 204 View Name field 204 View Subtree...

Page 227: ......

Page 228: ...dia and the United States of America The information in this document is subject to change without notice Nortel Networks reserves the right to make changes in design or components as progress in engi...

Reviews:

No comments

Brands by name

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Popular brands

Load more brands