Nortel 4050 User Manual Download | Manualshive

Page: 195 / 922

background image

Chapter 5 Configuring groups and profiles

195

Nortel Secure Network Access Switch 4050 User Guide

Extended profiles

Passing or failing the SRS rule check is the only authorization control provided at
the group level. This is the base profile. In future releases of the Nortel
SNAS 4050 software, extended profiles will provide a mechanism to achieve
more granular authorization control, based on specific characteristics of the user's
connection. You can define up to 63 extended profiles for each group.

In Nortel Secure Network Access Switch Software Release 1.0, the data for an
extended profile include the following configurable parameters:

•

linksets

•

the VLAN which the user is authorized to access

Each extended profile references a client filter in a one-to-one relationship. With
Nortel Secure Network Access Switch Software Release 1.0, you can configure
the TunnelGuard check result as the criterion for the client filters, in order to
establish the user’s security status.

The client filter referenced in the extended profile determines whether the
extended profile data will be applied to the user. After the user has been
authenticated and the TunnelGuard host integrity check has been conducted, the
Nortel SNAS 4050 checks the group’s extended profiles in sequence, in order of
the profile IDs, for a match between the client filter conditions and the user’s
security status. When it finds a match, the Nortel SNAS 4050 applies that
particular extended profile’s data to the user. Data defined for the base profile (for
example, linksets) are appended to the extended profile’s data. If the Nortel
SNAS 4050 finds no match in any of the extended profiles, it applies the base
profile data.

For information about configuring client filters, see

“Configuring client filters

using the CLI” on page 201

or

“Configuring client filters using the SREM” on

page 213

.

For information about configuring extended profiles, see

“Configuring extended

profiles using the CLI” on page 203

or

“Configuring extended profiles using the

SREM” on page 219

.

«
...
193
194
195
196
197
...
»

Summary of Contents for 4050

Page 1: ...Part No 320818 A December 2005 4655 Great America Parkway Santa Clara CA 95054 320818 A Nortel Secure Network Access Switch 4050 User Guide Nortel Secure Network Access Switch Software Release 1 0 ...

Page 2: ...orth in the Commercial Computer Software Restricted Rights clause at FAR 52 227 19 Export This product software and related technology is subject to U S export control and may be subject to export or import regulations in other countries Purchaser must strictly comply with all such laws and regulations A license to export or reexport may be required by the U S Department of Commerce Statement of c...

Page 3: ...u obtain no rights other than those granted to you under this License Agreement You are responsible for the selection of the Software and for the installation of use of and results obtained from the Software 1 Licensed Use of Software Nortel Networks grants Customer a nonexclusive license to use a copy of the Software on only one machine at any one time or to the extent of the activation or author...

Page 4: ...ble under this License Agreement is commercial computer software and commercial computer software documentation and in the event Software is licensed for or on behalf of the United States Government the respective rights to the software and software documentation are governed by Nortel Networks standard commercial license in accordance with U S Federal Regulations at 48 C F R Sections 12 212 for n...

Page 5: ... of the Nortel SNAS 4050 33 Nortel SNAS 4050 functions 34 Nortel SNA VLANs and filters 34 Groups and profiles 35 Authentication methods 36 TunnelGuard host integrity check 37 Communication channels 38 Nortel SNAS 4050 clusters 39 One armed and two armed configurations 40 One armed configuration 41 Two armed configuration 41 Nortel SNA configuration and management tools 42 Nortel SNAS 4050 configur...

Page 6: ...73 Adding a network access device using the CLI 75 Using the quick switch setup wizard 75 Manually adding a switch 78 Deleting a network access device using the CLI 79 Configuring the network access devices using the CLI 80 Mapping the VLANs using the CLI 82 Managing SSH keys using the CLI 84 Generating SSH keys for the domain using the CLI 85 Managing SSH keys for Nortel SNA communication using t...

Page 7: ...ng a domain using the CLI 121 Using the Nortel SNAS 4050 domain quick setup wizard in the CLI 123 Deleting a domain using the CLI 129 Configuring domain parameters using the CLI 130 Configuring the TunnelGuard check using the CLI 132 Using the quick TunnelGuard setup wizard in the CLI 134 Configuring the SSL server using the CLI 135 Tracing SSL traffic using the CLI 136 Configuring SSL settings us...

Page 8: ...unting servers using the SREM 186 Chapter 5 Configuring groups and profiles 191 Overview 192 Groups 192 Default group 193 Linksets 194 TunnelGuard SRS rule 194 Extended profiles 195 Before you begin 196 Configuring groups and extended profiles using the CLI 196 Roadmap of group and profile commands 197 Configuring groups using the CLI 198 Configuring client filters using the CLI 201 Configuring ex...

Page 9: ... method using the CLI 243 Modifying RADIUS configuration settings using the CLI 245 Managing RADIUS authentication servers using the CLI 247 Configuring session timeout using the CLI 249 Configuring LDAP authentication using the CLI 249 Adding the LDAP authentication method using the CLI 250 Modifying LDAP configuration settings using the CLI 252 Managing LDAP authentication servers using the CLI ...

Page 10: ...fying Local database configuration 305 Exporting the database 312 Next steps 313 Specifying authentication fallback order using the SREM 314 Saving authentication settings 316 Chapter 7 TunnelGuard SRS Builder 317 Configuring SRS rules 318 The TunnelGuard user interface 318 Menu commands 319 File menu 319 Software Definition menu 319 Software Definition Entry menu 320 TunnelGuard Rule menu 321 Too...

Page 11: ...a Memory Module entry 345 File age check 347 Adding comments 348 Adding a TunnelGuard rule comment 348 Adding a software definition comment 349 Deleting SRS rules and their components 349 Deleting a software definition 350 Deleting a software definition entry 350 Deleting a TunnelGuard rule 350 Deleting an expression 350 TunnelGuard support for API calls 351 Making API calls 351 Chapter 8 Managing...

Page 12: ... Removing a user group 383 Chapter 9 Customizing the portal and user logon 385 Overview 386 Captive portal and Exclude List 386 Exclude List 387 Portal display 389 Portal look and feel 389 Language localization 392 Linksets and links 394 Macros 395 Automatic redirection to internal sites 396 Examples of redirection URLs and links 396 Managing the end user experience 397 Automatic JRE upload 397 Wi...

Page 13: ...portal language using the SREM 419 Configuring language support using the SREM 420 Importing and exporting language definitions 422 Setting the portal display language using the SREM 424 Configuring the portal display using the SREM 425 Configuring content 426 Importing banners 429 Changing the portal colors using the SREM 431 Configuring custom content using the SREM 433 Viewing basic information...

Page 14: ...80 Configuring syslog servers using the CLI 481 Configuring administrative settings using the CLI 483 Enabling TunnelGuard SRS administration using the CLI 485 Configuring Nortel SNAS 4050 host SSH keys using the CLI 485 Managing known hosts SSH keys using the CLI 487 Configuring RADIUS auditing using the CLI 488 About RADIUS auditing 488 About the vendor specific attributes 488 Configuring RADIUS...

Page 15: ...527 Managing date and time settings using the SREM 528 Configuring the date and time settings 529 Adding an NTP server 530 Removing an NTP server 531 Configuring DNS settings using the SREM 532 Configuring servers using the SREM 534 Managing syslog servers 534 Managing DNS servers 537 Managing RSA servers 540 Configuring administrative settings using the SREM 546 Configuring SRS control settings u...

Page 16: ...ficate to the Nortel SNAS 4050 using the CLI 584 Adding a private key to the Nortel SNAS 4050 using the CLI 587 Importing certificates and keys into the Nortel SNAS 4050 using the CLI 588 Displaying or saving a certificate and key using the CLI 591 Exporting a certificate and key from the Nortel SNAS 4050 using the CLI 594 Generating a test certificate using the CLI 596 Managing private keys and c...

Page 17: ...ts 639 Configuring SNMPv3 users using the SREM 640 Adding SNMPv3 users 641 Managing SNMPv3 users 644 Removing SNMPv3 users 646 Configuring SNMP events using the SREM 647 Managing monitor events 647 Managing notification events 655 Chapter 13 Viewing system information and performance statistics 659 Viewing system information and performance statistics using the CLI 660 Roadmap of information and s...

Page 18: ... Viewing Local database statistics 713 Viewing LDAP statistics 715 Viewing Ethernet statistics using the SREM 716 Viewing Rx statistics 718 Viewing Tx statistics 720 Chapter 14 Maintaining and managing the system 723 Managing and maintaining the system using the CLI 724 Roadmap of maintenance and boot commands 725 Performing maintenance using the CLI 726 Backing up or restoring the configuration u...

Page 19: ...ng the CLI 759 Activating the software upgrade package 760 Reinstalling the software 763 Before you begin 763 Reinstalling the software from an external file server 765 Reinstalling the software from a CD 767 Chapter 16 The Command Line Interface 769 Connecting to the Nortel SNAS 4050 770 Establishing a console connection 770 Requirements 771 Procedure 771 Establishing a Telnet connection 772 Enab...

Page 20: ...2 Configure the Ethernet Routing Switch 5510 793 Steps 793 Setting the switch IP address 793 Configuring SSH 794 Configuring the Nortel SNAS 4050 pVIP subnet 794 Creating port based VLANs 794 Configuring the VoIP VLANs 794 Configuring the Red Yellow and Green VLANs 794 Configuring the login domain controller filters 795 Configuring the NSNA ports 795 Enabling NSNA globally 795 Configure the Nortel...

Page 21: ...enu 835 Maintenance menu 836 Chapter 18 Troubleshooting 837 Troubleshooting tips 837 Cannot connect to the Nortel SNAS 4050 using Telnet or SSH 838 Verify the current configuration 838 Enable Telnet or SSH access 838 Check the Access List 838 Check the IP address configuration 839 Cannot add the Nortel SNAS 4050 to a cluster 841 Cannot contact the MIP 841 Check the Access List 842 Add Interface 1 ...

Page 22: ...essages 856 Traffic Processing Subsystem messages 857 Start up messages 860 AAA subsystem messages 861 NSNAS subsystem messages 863 Syslog messages in alphabetical order 865 Appendix C Supported MIBs 875 Supported MIBs 875 Supported traps 879 Appendix D Supported ciphers 881 Appendix E Adding User Preferences attribute to Active Directory 883 Install All Administrative Tools Windows 2000 Server 88...

Page 23: ...gure IP Phones 891 Configuring IP Phone auto configuration 892 Creating the DHCP options 892 Configuring the Call Server Information and VLAN Information options 896 Setting up the IP Phone 899 Appendix G Using a Windows domain logon script to launch the Nortel SNAS 4050 portal 901 Configuring the logon script 901 Creating a logon script 902 Creating the script as a batch file 902 Creating the scr...

Page 24: ...24 Contents 320818 A ...

Page 25: ...ecking using TunnelGuard supports both dynamic and static IP clients The Nortel Secure Network Access Switch 4050 Nortel SNAS 4050 controls operation of the Nortel SNA solution This user guide covers the process of implementing the Nortel SNA solution using the Nortel SNAS 4050 for Nortel Secure Network Access Switch Software Release 1 0 The document includes the following information overview of ...

Page 26: ...one of the supported environments For instructions on installing and starting SREM refer to Installing and Using the Security Routing Element Manager 320199 A Before you begin This guide is intended for network administrators who have the following background basic knowledge of networks Ethernet bridging and IP routing familiarity with networking concepts and terminology experience with windowing ...

Page 27: ...and Example Enter show ip alerts routes braces Required elements in syntax descriptions where there is more than one option You must choose only one of the options Do not type the braces when entering the command Example If the command syntax is show ip alerts routes you must enter either show ip alerts or show ip routes but not both brackets Optional elements in syntax descriptions Do not type th...

Page 28: ...lso indicates new terms and book titles Where a variable is two or more words the words are connected by an underscore Example If the command syntax is show at valid_route valid_route is one variable and you substitute one value for it plain Courier text Command syntax and system output for example prompts and system messages Example Set Trap Monitor Filters separator Menu paths Example Protocols ...

Page 29: ... locate documents browse by category or search using the product name or number You can print the technical manuals and release notes free directly from the Internet Use Adobe Reader to open the manuals and release notes search for the sections you need and print them on most standard printers Go to the Adobe Systems site at www adobe com to download a free copy of Adobe Reader How to get help If ...

Page 30: ...tel products and services When you use an ERC your call is routed to a technical support person who specializes in supporting that product or service To locate the ERC for your product or service go to the www nortel com help web page and follow these links 1 Click CONTACT US on the left side of the HELP web page 2 Click Technical Support on the CONTACT US web page 3 Click Express Routing Codes on...

Page 31: ...ing only trusted role based access privileges premised on the security level of the device user identity and session context Nortel SNA enforces policy compliance such as for Sarbanes Oxley and COBIT ensuring that the required anti virus applications or software patches are installed before users are granted network access Topic Page The Nortel SNA solution 31 Elements of the NSNA solution 32 Supp...

Page 32: ...ecision Point network access device which acts as the Policy Enforcement Point Ethernet Routing Switch 8300 Ethernet Routing Switch 5510 5520 or 5530 DHCP and DNS servers The following devices are additional optional elements of the Nortel SNA solution remediation server corporate authentication services such as LDAP or RADIUS services Each Nortel SNAS 4050 device can support up to five network ac...

Page 33: ...uring endpoint compliance for devices that connect to the network Before allowing a device to have full network access the Nortel SNAS 4050 checks user credentials and host integrity against predefined corporate policy criteria Through tight integration with network access devices the Nortel SNAS 4050 can dynamically move the user into a quarantine VLAN dynamically grant the user full or limited n...

Page 34: ...anagement Monitors the health of clients and switches Performs logging and auditing functions Provides High Availability HA through IPmig protocol Nortel SNA VLANs and filters There are four types of Layer 2 or Layer 3 VLANs in a Nortel SNA network Red extremely restricted access If the default filters are used the user can communicate only with the Nortel SNAS 4050 and the Windows domain controll...

Page 35: ... changes the port membership The VoIP filters allow IP Phone traffic into one of the preconfigured VoIP VLANs for VoIP communication only The default filters can be modified to accommodate network requirements such as Quality of Service QoS or specific workstation boot processes and network communications For information about configuring VLANs and filters on the network access device see Release ...

Page 36: ... configurable local database The Nortel SNAS 4050 itself can store up to 1 000 user authentication entries each defining a username password and relevant access group You can populate the database by manually adding entries on the Nortel SNAS 4050 or you can import a database from a TFTP FTP SCP SFTP server Use the local authentication method if no external authentication databases exist for testi...

Page 37: ...mit access to intranet resources in accordance with the user group s access privileges The Nortel SNAS 4050 also requests the TunnelGuard applet to redo a DHCP request in order to renew the client s DHCP lease with the network access device If the required components are not present on the client machine TunnelGuard reports that the SRS rule check failed You configure behavior following host integ...

Page 38: ...pairs of public private SSH host keys protect against man in the middle attacks by providing a mechanism for the SSH client to authenticate the server SSH clients keep track of the public keys to be used to authenticate different SSH server hosts SSH clients in the Nortel SNA network do not silently accept new keys from previously unknown server hosts Instead they refuse the connection if the key ...

Page 39: ...r Nortel SNAS 4050 management communications see Configuring Nortel SNAS 4050 host SSH keys using the CLI on page 485 or Configuring Nortel SNAS 4050 host SSH keys using the SREM on page 548 Nortel SNAS 4050 clusters A cluster is a group of Nortel SNAS 4050 devices that share the same configuration parameters Nortel Secure Network Access Switch Software Release 1 0 supports two Nortel SNAS 4050 de...

Page 40: ... addresses see About the IP addresses on page 51 For information about adding a node to a cluster see Adding a Nortel SNAS 4050 device to a cluster on page 61 One armed and two armed configurations The Nortel SNAS 4050 must interface to two kinds of traffic client and management The interface to the client side handles traffic between the TunnelGuard applet on the client and the portal The interfa...

Page 41: ...1 illustrates a one armed configuration Figure 1 One armed configuration Two armed configuration In a two armed configuration there are two separate interfaces Interface 1 handles management traffic Interface 2 handles client portal traffic Internet NSNAS 1 Management client portal interface 1 192 168 128 11 MIP management 192 168 128 12 RIP host 192 168 128 100 pVIP portal Default gateway 192 168...

Page 42: ...he network access devices and between the Nortel SNAS 4050 and the GUI management tool You can then continue to use the CLI to configure and manage the Nortel SNAS 4050 or you can use the GUI The configuration chapters in this User Guide describe the specific CLI commands used to configure the Nortel SNAS 4050 For general information about using the CLI see Chapter 16 The Command Line Interface on...

Page 43: ...Yellow and Green VLAN filters prior to enabling the NSNA feature In future releases of the Nortel SNAS 4050 and EPM software users will have the additional ability to add and modify security and quality of service filters while Nortel SNA is enabled on the device For general information about installing and using EPM see Installing Nortel Enterprise Policy Manager 318389 Simple Network Management ...

Page 44: ... 802 1q tagging on the uplink ports to enable them to participate in multiple VLANs then add the ports to the applicable VLANs c Configure IP addresses for the VLANs These IP interfaces are the default gateways the DHCP Relay will use d If the edge switches are operating in Layer 2 mode configure DHCP relay agents for the Red Yellow Green and VoIP VLANs Note For the Red VLANs the DNS server settin...

Page 45: ...P subnet e Configure port tagging if applicable For a Layer 2 switch the uplink ports must be tagged to allow them to participate in multiple VLANs f Create the port based VLANs These VLANs are configured as VoIP Red Yellow and Green VLANs in step i and step j g Configure DHCP relay and IP routing if the switch is used in Layer 3 mode h Optional Configure the Red Yellow Green and VoIP filters The ...

Page 46: ...recommends running the quick setup wizard during initial setup in order to create and configure basic settings for a fully functional portal 6 Enable SSH and SRS Admin to allow communication with the SREM see Configuring administrative settings using the CLI on page 483 7 Generate and activate the SSH key for communication between the Nortel SNAS 4050 and the network access devices see Managing SS...

Page 47: ...3 Configure client filters see Configuring client filters using the CLI on page 201 14 Configure extended profiles see Configuring extended profiles using the CLI on page 203 15 Specify the authentication mechanisms see Configuring authentication on page 233 16 Configure system users see Managing system users and groups on page 353 17 Configure the end user experience see Customizing the portal an...

Page 48: ...48 Chapter 1 Overview 320818 A ...

Page 49: ...ou begin 50 About the IP addresses 51 Initial setup 52 Setting up a single Nortel SNAS 4050 device or the first in a cluster 52 Adding a Nortel SNAS 4050 device to a cluster 61 Next steps 66 Applying and saving the configuration 67 Applying and saving the configuration using the CLI 68 Applying and saving the configuration using the SREM 68 ...

Page 50: ...server if applicable external authentication servers if applicable network access devices remediation server if applicable For more information about the Nortel SNAS 4050 MIP pVIP and RIP see About the IP addresses on page 51 VLAN IDs Nortel SNAS 4050 management VLAN Red VLANs Yellow VLANs Green VLANs VoIP VLANs Groups and profiles to be configured 2 Configure the network DNS server DHCP server co...

Page 51: ...o a functional master Nortel SNAS 4050 In order to configure the Nortel SNAS 4050 or Nortel SNAS 4050 cluster remotely you connect to the MIP using Telnet for the CLI or SSH for the CLI or the SREM Portal Virtual IP address The portal Virtual IP address pVIP is the address assigned to the Nortel SNAS 4050 device s web portal server The pVIP is the address to which clients connect in order to acces...

Page 52: ...log on You must use a console connection in order to perform the initial setup For a standalone Nortel SNAS 4050 or the first Nortel SNAS 4050 in a cluster see Setting up a single Nortel SNAS 4050 device or the first in a cluster on page 52 To add a Nortel SNAS 4050 to a cluster see Adding a Nortel SNAS 4050 device to a cluster on page 61 Setting up a single Nortel SNAS 4050 device or the first in...

Page 53: ...ace 1 is used for both management traffic Nortel SNAS 4050 management and connections to intranet resources and client portal traffic traffic between the TunnelGuard applet on the client and the portal Alteon iSD NSNAS Hardware platform 4050 Software version x x Setup Menu join Join an existing cluster new Initialize host as a new installation boot Boot menu info Information menu exit Exit global ...

Page 54: ...ations ensure that you add the uplink ports to the Nortel SNAS 4050 management VLAN for traffic between the Nortel SNAS 4050 and the network access device Note You can later convert a one armed configuration into a two armed one by adding a new interface to the cluster and assigning an unused port to that interface The new interface will be used exclusively for client portal traffic For informatio...

Page 55: ...thin the same network address range as the RIP Go to step 10 9 Configure the interface for client portal traffic Interface 2 a Specify a port number for the client portal interface This port will be assigned to Interface 2 The port number must not be the same as the port number for the management interface Interface 1 b Specify the RIP for Interface 2 c Specify the network mask for the RIP on Inte...

Page 56: ...ntact the gateway verify your settings on the core router Do not proceed with the initial setup until the connectivity test succeeds Enter port number for the traffic interface 1 4 port Enter IP address for this machine on traffic interface IPaddr Enter network mask 255 255 255 0 mask Enter VLAN tag id or zero for no VLAN 0 Enter default gateway IP address on the traffic interface IPaddr Enter the...

Page 57: ...page 548 For communication between the Nortel SNAS 4050 and the network access devices generate the SSH key after you have completed the initial setup see Managing SSH keys using the CLI on page 84 or Managing SSH keys using the SREM on page 102 Note If you do not have access to an NTP server at this point you can configure this item after the initial setup is completed See Configuring date and ti...

Page 58: ...y the wizard see Settings created by the quick setup wizard on page 60 a Start the quick setup wizard b Specify the pVIP of the Nortel SNAS 4050 device c Specify a name for the Nortel SNAS 4050 domain d Specify any domain names you wish to add to the DNS search list as a convenience to clients If the domain name is in the DNS search list clients can use a shortened form of the domain name in the a...

Page 59: ...ted in accordance with the rights specified in the access rules for the group teardown The SSL session is torn down The default is restricted g Create the default user and group The wizard creates a default user tg within a group tunnelguard which you can subsequently reuse The wizard also creates the default client filters profiles and linksets to be applied when the user passes tg_passed or fail...

Page 60: ...database 5 One test user is configured You were prompted to set a user name and password during the quick setup wizard in this example user name and password are both set to tg The test user belongs to a group called tunnelguard There are two profiles within the group tg_passed and tg_failed Each profile has a client filter and a linkset associated with it Create default tunnel guard user no yes U...

Page 61: ...tps since the Nortel SNAS 4050 portal requires an SSL connection Adding a Nortel SNAS 4050 device to a cluster After you have installed the first Nortel SNAS 4050 in a cluster see Setting up a single Nortel SNAS 4050 device or the first in a cluster on page 52 you can add another Nortel SNAS 4050 to the cluster by configuring the second Nortel SNAS 4050 setup to use the same MIP When you set up th...

Page 62: ...List is a system wide list of IP addresses for hosts authorized to access the Nortel SNAS 4050 devices by Telnet and SSH If the info sys command executed on the existing Nortel SNAS 4050 shows no items configured for the Access List no action is required However if the Access List is not empty before the new Nortel SNAS 4050 joins the cluster you must add to the Access List the cluster s MIP the e...

Page 63: ... displays 2 Select the option to join an existing cluster 3 Specify the management interface port number This port will be assigned to Interface 1 Note Nortel recommends always using the most recent software version Alteon iSD NSNAS Hardware platform 4050 Software version x x Setup Menu join Join an existing cluster new Initialize host as a new installation boot Boot menu info Information menu exi...

Page 64: ...and must be within the same subnet as the MIP 5 Specify the network mask for the RIP on Interface 1 6 If the core router attaches VLAN tag IDs to incoming packets specify the VLAN tag ID used 7 Specify whether you are setting up a one armed or a two armed configuration If you are setting up a one armed configuration press Enter to accept the default value no Go to step 9 If you are setting up a tw...

Page 65: ...s for Interface 2 The default gateway is the IP address of the interface on the core router that will be used if no other interface is specified The default gateway IP address on Interface 2 must be within the same subnet as the RIP for Interface 2 11 Provide the correct admin user password configured for the existing cluster Enter port number for the traffic interface 1 4 port Enter IP address fo...

Page 66: ...on see Enabling TunnelGuard SRS administration using the CLI on page 485 or Configuring SRS control settings using the SREM on page 547 From this point on you can configure the Nortel SNAS 4050 using either the CLI or the SREM 2 To enable remote management using Telnet use the cfg sys adm telnet on command to enable Telnet access to the Nortel SNAS 4050 for more information see Configuring adminis...

Page 67: ...e using the SREM on page 91 d Specify the VLAN mappings see Mapping the VLANs using the CLI on page 82 or Mapping the VLANs using the SREM on page 96 e If you did not run the quick setup wizard during the initial setup configure the following Create the domain see Creating a domain using the CLI on page 121 or Creating a domain using the SREM on page 151 Create at least one group Specify the VLANs...

Page 68: ...cfg ptcfg For more information see Backing up or restoring the configuration using the CLI on page 730 Applying and saving the configuration using the SREM In the SREM there are two steps to saving configuration changes described below 1 Click Apply after each change to send the change to the Nortel SNAS 4050 device Changes that have been applied are not yet permanent To cancel changes that have b...

Page 69: ...itch 4050 User Guide Figure 3 on page 69 shows the location of the Apply and Commit buttons Figure 3 Apply and Commit buttons For more information about the Apply and Commit functions see Installing and Using the Security Routing Element Manager SREM 320199 B ...

Page 70: ...70 Chapter 2 Initial setup 320818 A ...

Page 71: ...sing the CLI 79 Configuring the network access devices using the CLI 80 Mapping the VLANs using the CLI 82 Managing SSH keys using the CLI 84 Monitoring switch health using the CLI 89 Controlling communication with the network access devices using the CLI 90 Managing network access devices using the SREM 91 Adding a network access device using the SREM 91 Deleting a network access device using the...

Page 72: ... created For more information about creating a domain see Configuring the domain on page 117 Configure the edge switches for Nortel SNA see Nortel SNAS 4050 configuration roadmap step 4 on page 45 For detailed information about configuring the edge switches for Nortel SNA see Release Notes for the Ethernet Routing Switch 8300 Software Release 2 2 8 316811 E or Release Notes for Nortel Ethernet Rou...

Page 73: ...ou cannot configure the VLAN mappings for a network access device in the Nortel SNAS 4050 domain if the switch is enabled When you add a network access device to the domain it is disabled by default Do not enable the network access device until you have completed the configuration To reconfigure the VLAN mappings for an existing network access device first disable it by using the cfg domain switch...

Page 74: ... ID del index list cfg domain switch vlan add name VLAN ID del index list cfg domain sshkey generate show export cfg domain switch sshkey import add del show export user user cfg domain switch hlthchk interval interval deadcnt count sq int interval cfg domain switch dis cfg domain switch ena Command Parameter ...

Page 75: ...he Nortel SNAS 4050 domain using the quick switch setup wizard use the following command cfg domain 1 quick You can later modify all settings created by the quick switch setup wizard see Configuring the network access devices using the CLI on page 80 1 Launch the quick switch setup wizard 2 Specify the type of switch Valid options are ERS8300 for an Ethernet Routing Switch 8300 ERS5500 or ERS55 fo...

Page 76: ... have downloaded from the switch enter Yes Go to step 6 on page 76 b To continue adding the switch to the configuration without adding its public SSH key at this time press Enter to accept the default value no After you have added the switch add or import the SSH public key for the switch see Managing SSH keys for Nortel SNA communication using the CLI on page 88 Go to step 7 on page 77 6 To add t...

Page 77: ... not enable the switch until you have completed configuring the system For more information see Configuring the network access devices using the CLI on page 80 Do you want to add ssh key yes no no yes Paste the key press Enter to create a new line and then type without the quotation marks to terminate 47 80 18 98 ssh dss AAAAB3NzaC1kc3MAAABRAJfEJJvYic9yOrejtZ88prdWdRWBF8Qkm9iJz 3I6t6O1nzymt1Z1DVMX...

Page 78: ...tive IP address of the switch NSNA communication port the TCP port for communication between the Nortel SNAS 4050 and the network access device The default is port 5000 Red VLAN ID the VLAN ID of the Red VLAN configured on the switch username the user name for an rwa user on the switch required for Ethernet Routing Switch 8300 only The SSH fingerprint of the switch is automatically picked up if th...

Page 79: ...main 1 switch 1 Creating Switch 3 Enter name of the switch Switch1_ERS8300 Enter the type of the switch ERS8300 ERS5500 ERS8300 Enter IP address of the switch IPaddr NSNA communication port 5000 Enter VLAN Id of the Red VLAN VLAN ID Entering SSH Key menu Enter username rwa Leaving SSH Key menu Switch 3 Menu name Set Switch name type Set Type of the switch ip Set IP address port Set NSNA communicat...

Page 80: ...g the VLANs using the CLI on page 82 and exchanged the necessary SSH keys see Managing SSH keys using the CLI on page 84 If you want to reconfigure the VLAN mappings or delete a VLAN for an existing network access device use the cfg domain switch dis command to disable the switch first To configure a network access device in the Nortel SNAS 4050 domain use the following command cfg domain switch s...

Page 81: ...he default is port 5000 hlthchk Accesses the Healthcheck menu in order to configure settings for the Nortel SNAS 4050 to monitor the health of the switch see Monitoring switch health using the CLI on page 89 vlan Accesses the Switch Vlan menu in order to map the Green and Yellow VLANs configured on switch see Mapping the VLANs using the CLI on page 82 rvid VLAN ID Identifies the Red VLAN for the n...

Page 82: ...In this way if you later add switches which use the same VLAN IDs their VLAN mappings will automatically be picked up If you map the VLANs by domain you can modify the mapping for a particular network access device by using the switch level vlan command Switch level settings override domain settings To manage the VLAN mappings for all the network access devices in the Nortel SNAS 4050 domain first...

Page 83: ...he name of the VLAN as configured on the switch VLAN ID is the ID of the VLAN as configured on the switch The system automatically assigns an index number to the VLAN entry when you add it If you are executing the command from the Domain vlan menu the index number indicates the position of the new entry in the domain map If you are executing the command from the Switch vlan menu the index number i...

Page 84: ...he CLI on page 121 2 Export the Nortel SNAS 4050 public key to each network access device For an Ethernet Routing Switch 8300 Use the cfg domain switch sshkey export command to export the key directly to the switch see Managing SSH keys for Nortel SNA communication using the CLI on page 88 For an Ethernet Routing Switch 5510 5520 or 5530 Use the cfg domain sshkey export command to upload the key t...

Page 85: ...ain switch sshkey import command to import the key directly from the network access device If the network access device was reachable when you added it to the domain configuration the SSH key was automatically retrieved If the network access device defaults it generates a new public key You must reimport the key whenever the switch generates a new public key see Reimporting the network access devi...

Page 86: ...ports the Nortel SNAS 4050 domain public key to a file exchange server You are prompted to enter the following information protocol options are tftp ftp scp sftp The default is tftp Note Use TFTP to export to an Ethernet Routing Switch 5500 Series switch Ethernet Routing Switch 5500 Series switches do not support the other protocols host name or IP address of the server file name of the key file t...

Page 87: ...zaC1kc3MAAACBANWNQJzGnZ7lqIUZw5VkjseaR0dcgPhx CA6Zl JPZlRkY USzJmZLoXpWuhAiByMPJ 69BLWCHTQUI FqNPzEXnjBBKHSw0 smb3OKfCJMfv4OfF7YQyfQP6KiKjsdNdHYH1ErHqNe1G8q8KIKinlG35z3 Bc7Yi9BxK84suWm3jdAAAAFQDg5ohEvhYoDlYhal3zMkgq0 t33wAAAIBh Sa J 5SxwYfnE ltdwlOgcMk4eomP03M4BsI8vylsvHt4THD3typTtqjWo jQG0vDBt7a 4hcHQ55LTrC81 u ep5NVlTjxlmczCz6C1wOq4Ab1iiQub gRRL7DnZSghjNAU8JqzcEbU7g0VKorlxwt M9P17ZmBdhkgwsdgArAA...

Page 88: ...thernet Routing Switch 8300 network access device When prompted paste in the key then press Enter Enter an elllipsis to signal the end of the key del Deletes the SSH public key for the network access device in the domain show Displays the SSH public key for the network access device export Exports the SSH public key for the Nortel SNAS 4050 domain to the network access device Note You cannot use t...

Page 89: ...th using the CLI The Nortel SNAS 4050 continually monitors the health of the network access devices At specified intervals a health check daemon sends queries and responses to the switch as a heartbeat mechanism If no activity heartbeat is detected the daemon will retry the health check for a specified number of times the dead count If there is still no heartbeat then after a further interval the ...

Page 90: ...is 1m 1 minute deadcnt count Specifies the number of times the Nortel SNAS 4050 will repeat the check for switch activity when no heartbeat is detected count is an integer in the range 1 65535 that indicates the number of retries The default is 3 If no heartbeat is detected after the specified number of retries the Nortel SNAS 4050 enters status quo mode sq int interval Sets the time interval for ...

Page 91: ...appings for a network access device in the Nortel SNAS 4050 domain if the switch is enabled When you add a network access device to the domain it is disabled by default Do not enable the network access device until you have completed the configuration For information about enabling and disabling the network access device see Controlling communication with the network access devices using the SREM ...

Page 92: ...es an integer that uniquely identifies the network access device in the Nortel SNAS 4050 domain Name Specifies a string that identifies the switch on the Nortel SNAS 4050 The maximum length of the string is 255 characters After you have defined a name for the switch you can use either the switch name or the switch ID to access the network access device Type Specifies the type of network access dev...

Page 93: ...network access device Configuration screen appears see Figure 16 on page 116 2 Select the network access device from the Switches list 3 Click Delete A dialog box appears to confirm that you want to delete this network access device 4 Click Yes The network access device disappears from the Switches list 5 Click Commit on the toolbar to save the changes permanently Configuring the network access de...

Page 94: ...irst disable it see Controlling communication with the network access devices using the SREM on page 115 Once the network access device is disabled complete the following steps 1 Select the Secure Access Domain domain Switches switch Configuration tab The Switch Configuration screen appears see Figure 7 Figure 7 Switch Configuration screen ...

Page 95: ...imum length of the string is 255 characters IP Address Specifies the IP address of the switch NSNA Communication Port Specifies the TCP port for communication between the Nortel SNAS 4050 and the network access device The default value is 5000 Type Specifies the type of network access device Valid options are ERS8300 an Ethernet Routing Switch 8300 ERS5500 an Ethernet Routing Switch 5510 5520 or 5...

Page 96: ...tch by switch see Mapping VLANs by switch on page 100 Nortel recommends mapping the VLANs by domain In this way if you later add switches which use the same VLAN IDs their VLAN mappings will automatically be picked up If you map the VLANs by domain you can modify the mapping for a particular network access device at the switch level Switch level settings override domain settings The Nortel SNAS 40...

Page 97: ...s Domain domain VLANs tab The domain VLANs screen appears see Figure 8 listing all current VLANs applied to the domain Figure 8 Domain VLANs screen This screen allows you to manage VLANs on the domain by adding or deleting entries to the VLAN Table For detailed steps on adding or removing VLANs see Adding VLANs to a domain on page 98 Removing VLANs from a domain on page 99 ...

Page 98: ...ew VLAN 3 Enter the VLAN information in the applicable fields Table 5 describes the Add a new VLAN fields 4 Click Add The new VLAN appears in the VLAN Table 5 Repeat this step for each Green and Yellow VLAN configured on the domain 6 Click Apply on the toolbar to send the current changes to the Nortel SNAS 4050 Click Commit on the toolbar to save the changes permanently Table 5 Add a new VLAN fiel...

Page 99: ...ect the Secure Access Domain domain VLANs tab The domain VLANs screen appears see Figure 8 2 Select a VLAN entry from the VLAN Table 3 Click Delete A dialog box appears to confirm that you want to delete this VLAN 4 Click Yes The VLAN disappears from the VLAN Table 5 Click Apply on the toolbar to send the current changes to the Nortel SNAS 4050 Click Commit on the toolbar to save the changes perma...

Page 100: ... the network access device is disabled select the Secure Access Domain domain Switches switch VLANs tab The switch VLANs screen appears see Figure 10 listing all current VLANs applied to the switch Figure 10 Switch VLANs screen This screen allows you to manage VLANs on the switch by adding or deleting entries in the VLAN Table For detailed steps on adding or removing switch VLANs see Adding VLANs ...

Page 101: ...g box appears see Figure 11 Figure 11 Add a new VLAN 3 Enter the VLAN information in the applicable fields Table 5 describes the Add a new VLAN fields 4 Click Add The new VLAN appears in the VLAN Table 5 Repeat this step for each Green and Yellow VLAN configured on the network access device 6 Click Apply on the toolbar to send the current changes to the Nortel SNAS 4050 Click Commit on the toolbar...

Page 102: ...nges permanently Managing SSH keys using the SREM The Nortel SNAS 4050 and the network access devices controlled by the Nortel SNAS 4050 domain exchange public keys so that they can authenticate themselves to each other in future SSH communications To enable secure communication between the Nortel SNAS 4050 and the network access device do the following 1 Generate an SSH public key for the Nortel ...

Page 103: ...68 B If you regenerate the key at any time you must re export the key to each network access device 3 For each network access device import its public key into the Nortel SNAS 4050 domain if necessary You can retrieve the key in two ways see Managing SSH keys for Nortel SNA communication using the SREM on page 109 Use Import SSH Key from Switch to import the key directly from the network access de...

Page 104: ...ce defaults it generates a new public key You must reimport the key whenever the switch generates a new public key see Reimporting the network access device SSH key using the SREM on page 110 Note In general click Apply on the toolbar immediately after you change any of the SSH settings ...

Page 105: ...r Guide Generating SSH keys for the domain using the SREM To generate view and export the public SSH key for the domain complete the following steps 1 Select the Secure Access Domain domain SSH Key Key Generation tab The Key Generation screen appears see Figure 12 Figure 12 Key Generation screen ...

Page 106: ...er using the following export procedure To export the SSH public key for the domain complete the following steps 1 Select the Secure Access Domain domain SSH Key Export Key tab Table 7 Switch SSH Key fields Field Description Generate SSH Key Generates an SSH public key for the domain There can be only one key in effect for the Nortel SNAS 4050 domain at any one time If a key already exists you are...

Page 107: ...Chapter 3 Managing the network access devices 107 Nortel Secure Network Access Switch 4050 User Guide The Export Key screen appears see Figure 13 Figure 13 Export Key screen ...

Page 108: ...Specifies the export protocol to use The options are tftp ftp scp sftp Note Use TFTP to export to an Ethernet Routing Switch 5500 Series switch Ethernet Routing Switch 5500 Series switches do not support the other protocols Host Specifies the host name or IP address of the server you are exporting to Filename Specifies the file name of the key file type pub you are exporting Username Specifies the...

Page 109: ... for Nortel SNA communication using the SREM To retrieve the public key for the network access device and export the public key for the domain complete the following steps 1 Select the Secure Access Domain domain Switches switch SSH Key tab The switch SSH Key screen appears see Figure 14 Figure 14 Switch SSH Key screen ...

Page 110: ... on the network access device Required for Ethernet Routing Switch 8300 only Import SSH Key from Switch Retrieves the SSH public key from the network access device if it is reachable Export SSH Key to Switch Exports the SSH public key for the Nortel SNAS 4050 domain to the network access device Note You cannot use this command to export the key to an Ethernet Routing Switch 5500 series switch See ...

Page 111: ...ch health using the SREM The Nortel SNAS 4050 continually monitors the health of the network access devices At specified intervals a health check daemon sends queries and responses to the switch as a heartbeat mechanism If no activity heartbeat is detected the daemon will retry the health check for a specified number of times the dead count If there is still no heartbeat then after a further inter...

Page 112: ...112 Chapter 3 Managing the network access devices 320818 A The Health Check screen appears see Figure 15 Figure 15 Health Check screen ...

Page 113: ...rval between checks for switch activity Accepts an integer that indicates the time interval in seconds s minutes m or hours h The valid range is 60s 1m to 64800s 18h The default is 1m 1 minute Dead Count Specifies the number of times the Nortel SNAS 4050 will repeat the check for switch activity when no heartbeat is detected Accepts an integer in the range 1 65535 that indicates the number of retr...

Page 114: ...pecifies the interval in seconds before the screen is automatically refreshed Only applicable if Auto Refresh is selected Logging Specifies whether a log file is automatically created for the Controller List If selected you can click Browse to specify the log file name and location Controller List Lists details for each active controller Switch Connection Status Displays a brief description of the...

Page 115: ...le the switch Click Apply and Commit to apply the change immediately When you first add a network access device to the Nortel SNAS 4050 domain the switch is disabled by default Do not enable the switch until you have completed configuring it In particular do not enable the switch until you have mapped the VLANs see Mapping the VLANs using the SREM on page 96 and exchanged the necessary SSH keys se...

Page 116: ...guration tab The network access device Configuration screen appears see Figure 16 Figure 16 Switch Configuration screen 2 Ensure the Enable Switch setting is correct selected the network access device is enabled cleared the network access device is disabled 3 Click Apply on the toolbar to send the current changes to the Nortel SNAS 4050 Click Commit on the toolbar to save the changes permanently ...

Page 117: ...heck using the CLI 132 Configuring the SSL server using the CLI 135 Configuring HTTP redirect using the CLI 144 Configuring advanced settings using the CLI 145 Configuring RADIUS accounting using the CLI 146 Configuring the domain using the SREM 150 Creating a domain using the SREM 151 Deleting a domain using the SREM 163 Configuring domain parameters using the SREM 164 Configuring the TunnelGuard...

Page 118: ... the domain access the Domain menu by using the following command cfg domain From the Domain menu you can configure and manage the following domain parameters such as name and portal IP address pVIP see Configuring domain parameters using the CLI on page 130 Authentication Authorization and Accounting AAA features for authentication see Configuring authentication on page 233 for authorization see ...

Page 119: ...CLI on page 84 HTTP redirect settings see Configuring HTTP redirect using the CLI on page 144 advanced settings such as a backend interface and logging options see Configuring advanced settings using the CLI on page 145 Roadmap of domain commands The following roadmap lists the CLI commands to configure the domain in a Nortel SNA deployment Use this list as a quick reference or click on any entry ...

Page 120: ...t dnslookup host traceroute host cfg domain server ssl cert certificate index cachesize sessions cachettl ttl cacerts certificate index cachain certificate index list protocol ssl2 ssl3 ssl23 tls1 ciphers cipher list ena dis cfg domain server adv traflog sysloghost IPaddr udpport port protocol ssl2 ssl3 ssl23 tls1 priority debug info notice facility auth authpriv daemon local0 7 ena dis cfg domain...

Page 121: ... the CLI To create and configure a domain manually use the following command cfg domain domain ID where domain ID is an integer in the range 1 to 256 that uniquely identifies the domain in the Nortel SNAS 4050 cluster redir on off cfg domain adv interface interface ID log cfg domain aaa radacct ena dis cfg domain aaa radacct servers list del index number add IPaddr port shared secret insert index ...

Page 122: ... Nortel SNAS 4050 portal You can have more than one pVIP for a domain To specify more than one pVIP use a comma separator The pVIP is the address to which the client connects for authentication and host integrity check For more information see About the IP addresses on page 51 The Domain menu displays Figure 17 on page 123 shows sample output for the cfg domain domain ID command and commands on th...

Page 123: ...56 2 Creating Domain 2 Domain name MyDomain Enter Domain Portal Vips comma separated 10 40 40 100 Entering SSH key menu Generating new SSH key this operation takes a few seconds done Leaving SSH key menu Domain 2 Menu name Set Domain name pvips Set Portal VIP addr s for the domain aaa AAA menu server SSL server menu portal Portal look and feel menu linkset Portal linkset menu switch Switch menu vl...

Page 124: ...cify a name for the Nortel SNAS 4050 domain as a mnemonic aid 4 Specify the port on which the portal web server listens for SSL communications The default for HTTPS communications is port 443 5 Specify the certificate to be used by the portal server If certificates exist on the system the certificate numbers will be offered as valid input options Choose one of the following a To create a new certi...

Page 125: ...icate a At the prompt to create a test certificate enter No b When prompted paste in the certificate and key from a text file then press Enter c Enter an ellipsis to signal the end of the certificate d To continue go to step 8 on page 126 7 To create a test certificate a At the prompt to create a test certificate enter Yes b When prompted enter the required certificate information For more informa...

Page 126: ...fault value no Go to step 12 on page 127 Use existing certificate no 1 no Create a test certificate yes no yes The combined length of the following parameters may not exceed 225 bytes Country Name 2 letter code State or Province Name full name Locality Name eg city Organization Name eg company Organizational Unit Name eg section Common Name eg your name or your server s hostname Email Address Subj...

Page 127: ... default tunnelguard group If you do want to create a test user press Enter to accept the default value yes The wizard will create a test user named tg with password tg in the default tunnelguard group If you do not want to create a test user enter no 14 Wait while the wizard completes processing to create the domain then enter Apply to activate the changes Do you want to configure a switch yes no...

Page 128: ... see Configuring the network access devices using the CLI on page 80 You specify the Red VLAN when you add the network access device to the domain The components created by the wizard depend on the selections you made in the preceding steps For example the sample output illustrates the following options an existing certificate Certificate 1 is being used no network access device is being added the...

Page 129: ...ent Filter 1 Name tg_passed Creating Client Filter 2 Name tg_failed Creating Linkset 1 Name tg_passed This Linkset just prints the TG result Creating Linkset 2 Name tg_failed This Linkset just prints the TG result Creating Group 1 Name tunnelguard Creating Extended Profile 1 Giving full access when tg passed Creating green vlan with id 110 Creating Access rule 1 Giving remediation access when tg f...

Page 130: ...he pVIP for the domain The pVIP is the portal address to which clients connect in order to access the Nortel SNA network For more information see About the IP addresses on page 51 A domain can have more than one pVIP To configure multiple IP addresses for the portal use a comma to separate the IP address entries aaa Accesses the AAA menu in order to configure authentication authorization and accou...

Page 131: ...te and show the public SSH key for the Nortel SNAS 4050 domain see Generating SSH keys for the domain using the CLI on page 85 dnscapt Accesses the DNS capture menu in order to set the Nortel SNAS 4050 domain portal as a captive portal and to configure the Exclude List see Configuring the captive portal using the CLI on page 400 httpredir Accesses the HTTP Redir menu in order to configure HTTP to ...

Page 132: ...n of the quick setup wizard at any time by using the cfg domain aaa tg quick command see Using the quick TunnelGuard setup wizard in the CLI on page 134 To configure settings for the TunnelGuard host integrity check and the check result use the following command cfg domain aaa tg The TG menu displays The TG menu includes the following options cfg domain aaa tg followed by quick Launches the quick ...

Page 133: ...4050 domain operates in status quo mode Status quo mode determines the behavior of the Nortel SNAS 4050 if no client activity is detected after the inactivity interval heartbeat x hbretrycnt The options are on the client session continues indefinitely off the Nortel SNAS 4050 terminates the session immediately The default is off action teardown restricted Specifies the action to be performed if th...

Page 134: ...ayed on the portal page Valid options are on details will be displayed off details will not be displayed The default is off If set to on the client can click on the TG icon on the portal page to display details about which elements of the SRS rule check failed loglevel fatal error warning info debug Sets the log level for debug information from the TunnelGuard applet The options are fatal displays...

Page 135: ...1 To configure the portal server used in the domain use the following command cfg domain server The Server 1001 menu displays Main cfg domain aaa tg quick In the event that the TunnelGuard checks fails on a client the session can be teardown or left in restricted mode with limited access Which action do you want to use for TunnelGuard failure teardown restricted restricted Do you want to create a ...

Page 136: ...d domain name FQDN of the pVIP for example nsnas example com Generally you need to specify a DNS name only if your corporate DNS server is unable to perform reverse lookups of the portal IP address When you press Enter after specifying the DNS name the system performs a check against the DNS server included in the system configuration see cfg sys dns to verify that the FQDN is registered in DNS th...

Page 137: ...splays decrypted on the screen SSLDUMP cannot decrypt any traffic if it is started after the browser SSLDUMP must be running during the initial SSL handshake tftp ftp sftp the dump will be saved as a file to the file exchange server you specify using a destination file name you specify You are prompted to enter the required information You can specify the file exchange server using either the host...

Page 138: ...mount of captured information A sequence number is appended to the file name given in the CLI starting at 1 and incremented automatically for additional files For ftp and sftp you will also be prompted to specify a user name and password valid on the file exchange server You can read a saved TCP traffic dump file using the TCPDUMP or Ethereal application on a remote machine The default output mode...

Page 139: ...the backend interface To map a backend interface to the domain use the cfg domain adv interface command see Configuring advanced settings using the CLI on page 145 traceroute host Identifies the route used for station to station connectivity across the network host is the host name or IP address of the target station If a backend interface is mapped to the current Nortel SNAS 4050 domain the check...

Page 140: ...lling certificates and keys on page 573 cachesize sessions Sets the size of the SSL cache sessions is an integer less than or equal to 10000 indicating the number of cached sessions The default is 4000 If there are many cache misses increase the cachesize value for better performance cachettl ttl Specifies the maximum time to live TTL value for items in the SSL cache After the TTL has expired the ...

Page 141: ... ssl3 or ssl23 see cfg domain server ssl protocol protocol ssl2 ssl3 ssl23 tls1 Specifies the protocol to use when establishing an SSL session with a client Valid options are ssl2 accept SSL 2 0 only ssl3 accept SSL 3 0 and TLS 1 0 ssl23 accept SSL 2 0 SSL 3 0 and TLS 1 0 tls1 accept TLS 1 0 only The default value is ssl3 verify none optional required Specifies the level of client authentication t...

Page 142: ...og server might not be able to cope with the quantity of syslog messages generated within a cluster of Nortel SNAS 4050 devices Enable traffic logging with syslog messages in environments where laws or regulations require traffic logging to be performed on the SSL terminating device itself You can also enable it temporarily for debugging purposes Because of the amount of traffic generated Nortel r...

Page 143: ...ent Valid options are ssl2 accept SSL 2 0 only ssl3 accept SSL 3 0 and TLS 1 0 ssl23 accept SSL 2 0 SSL 3 0 and TLS 1 0 tls1 accept TLS 1 0 only The default value is ssl3 priority debug info notice Specifies the priority level of the syslog messages that are sent Valid options are debug information useful for debugging purposes only info informational messages notice information about conditions t...

Page 144: ...es traffic logging with syslog messages Traffic logging with syslog messages is disabled by default cfg domain httpredir followed by port port Specifies the port to which the portal server listens for HTTP communications port is an integer that indicates the TCP port number The default is 80 Note If you do not accept the default value and you specify a different port you must modify the Red and Ye...

Page 145: ...interface for the domain interface ID is an integer that indicates the interface number The default is 0 To configure the interface use the cfg sys host interface command see Configuring host interfaces using the CLI on page 469 log Specifies the type of requests and operations to log You are prompted to enter a comma separated list of log types Valid options are all logs all options login logs po...

Page 146: ... information client user name Nortel SNAS 4050 device Real IP address RIP session ID When the user session terminates the Nortel SNAS 4050 sends an accounting request stop packet to the accounting server The stop packet contains the following information session ID session time cause of termination Configure the RADIUS server in accordance with the recommendations in RFC 2866 Certain Nortel SNAS 4...

Page 147: ...ng menu includes the following options Managing RADIUS accounting servers using the CLI To configure the Nortel SNAS 4050 to use external RADIUS accounting servers use the following command cfg domain aaa radacct servers The Radius Accounting Servers menu displays cfg domain aaa radacct followed by servers Accesses the Radius Accounting Servers menu in order to configure external RADIUS accounting...

Page 148: ...ting The default is 1813 shared secret the password used to authenticate the Nortel SNAS 4050 to the accounting server The system automatically assigns the next available index number to the server insert index number IPaddr Inserts a server at a particular position in the list of RADIUS accounting servers in the configuration index number the index number you want the server to have IPaddr the IP...

Page 149: ...he RADIUS server will use to retrieve the attribute value The Vendor Type indicates the index number of the required entry in the dictionary file The Internet Assigned Numbers Authority IANA has designated SMI Network Management Private Enterprise Codes that can be assigned to the Vendor Id attribute see www iana org assignments enterprise numbers RFC 2866 describes usage of the Vendor Type attrib...

Page 150: ...hentication on page 233 for authorization see Configuring groups and profiles on page 191 and Configuring the TunnelGuard check using the SREM on page 168 for accounting see Configuring RADIUS accounting using the SREM on page 183 the SSL server used for the domain portal see Configuring the SSL server using the SREM on page 174 SSL trace commands SSL settings logging traffic with syslog messages ...

Page 151: ...naging the network access devices on page 71 the Nortel SNA VLANs see Managing the network access devices on page 71 SSH keys for the domain see Managing SSH keys using the SREM on page 102 HTTP redirect settings see Configuring HTTP redirect using the SREM on page 181 Creating a domain using the SREM You can create a domain in two ways Manually creating a domain using the SREM on page 152 Using t...

Page 152: ...g a domain using the SREM To create and configure a domain manually perform the following steps 1 Select the Secure Access Domain Secure Access Domain Table tab The Secure Access Domain Table screen appears see Figure 19 Figure 19 Secure Access Domain Table screen ...

Page 153: ...o save the changes permanently Table 12 Add a Secure Access Domain fields Field Description Index Specifies an integer in the range 1 to 256 that uniquely identifies the domain in the Nortel SNAS 4050 cluster Domain Name Specifies a string that identifies the domain on the Nortel SNAS 4050 as a mnemonic aid The maximum length of the string is 255 characters Portal VIP Address Specifies the IP addr...

Page 154: ...able during initial setup Depending on the options you select in connection with certificates and creating a test user the two wizards also create similar default settings see Settings created by the quick setup wizard on page 60 You can later modify all settings created by the domain quick setup wizard see Configuring domain parameters using the SREM on page 164 ...

Page 155: ...s Switch 4050 User Guide To create a domain using the Nortel SNAS 4050 quick setup wizard perform the following steps 1 Select the Secure Access Domain Domain Quick Wizard tab The Domain Quick Wizard screen appears see Figure 21 Figure 21 Domain Quick Wizard screen ...

Page 156: ...rmation in the applicable fields Table 13 describes the General Settings fields 4 Click Next Table 13 Domain Quick Wizard General Settings fields Field Description Domain IP Address Specifies the pVIP of the Nortel SNAS 4050 domain Domain Name Specifies a name for the Nortel SNAS 4050 domain Port Specifies the port on which the portal web server listens for SSL communications The default for HTTPS...

Page 157: ...s Table 14 Domain Quick Wizard Certificate fields Field Description Certificate Specifies an existing certificate from the list Test Certificate Specifies that a temporary test certificate will be created using information in the related fields Country Code Specifies the two letter ISO code for the country where the web server is located For current information about ISO country codes see http www...

Page 158: ...ot enter the protocol specifier http or any port numbers or pathnames in the common name Wildcards such as or and IP address are not allowed Email Address Specifies the user s e mail address Alternate Name Specifies alternate information if you did not provide a Common Name or e mail address Enter a comma separated list of URI uri DNS fqdn IP ip address email email address Valid Days Specifies the...

Page 159: ...ard Certificate Chain 7 Enter the certificate chain information in the applicable fields Table 15 describes the Certificate Chain fields 8 Click Next Table 15 Domain Quick Wizard Certificate Chain fields Field Description Certificate Chain Specifies whether the SSL server uses chain certificates Select additional certificates from the list to force the SSL server to use chain certificates ...

Page 160: ... 25 Domain Quick Wizard Server 9 Enter the server information in the applicable fields Table 16 describes the Server fields 10 Click Next Table 16 Domain Quick Wizard Server fields Field Description Create HTTP or HTTPS Redirect Server Specifies whether or not to create a redirect server for HTTP to HTTPS redirection ...

Page 161: ...onfigure a Switch Specifies whether or not to add a network access device to the domain Type of Switch Specifies the type of network access device from the list Valid options are ERS8300 and ERS5500 VlanId Specifies the Red VLAN ID for the network access device IP Address of Switch Specifies the IP address of the network access device NSNA Communication Port Specifies the TCP port used for communi...

Page 162: ...rd processing Click Back to correct the invalid information before continuing Table 18 Domain Quick Wizard Tunnel Guard fields Field Description Tunnel Guard Action Specifies the action performed when an SRS rules check fails The options are restricted the session remains intact but access is resticted in accordance with the rights specified in the access rules for the group teardown the SSL sessi...

Page 163: ... the toolbar to send the current changes to the Nortel SNAS 4050 Click Commit on the toolbar to save the changes permanently Deleting a domain using the SREM To delete a domain perform the following steps 1 Select the Secure Access Domain Secure Access Domain Table tab The Export Content screen appears see Secure Access Domain Table screen on page 152 2 Select the domain from the Secure Access Dom...

Page 164: ... Configuring domain parameters using the SREM To configure a domain perform the following steps 1 Select the Secure Access Domain domain Configuration tab The domain Configuration screen appears see Figure 28 Figure 28 Domain Configuration screen ...

Page 165: ... string is 255 characters Portal VIP Address Specifies the IP address of the Nortel SNAS 4050 portal The pVIP is the address to which the client connects for authentication and host integrity check For more information see About the IP addresses on page 51 You can have more than one pVIP for a domain For each pVIP enter the IP address and click Add To remove existing entries select the pVIP from t...

Page 166: ... on the Nortel SNAS 4050 domain see Mapping the VLANs using the SREM on page 96 SSH Key Accesses the domain SSH Key screens in order to generate show and export the public SSH key for the Nortel SNAS 4050 domain see Generating SSH keys for the domain using the SREM on page 105 DNS Capture Accesses the DNS Capture screen in order to set the Nortel SNAS 4050 domain portal as a captive portal and to ...

Page 167: ...es For authentication see Configuring authentication on page 233 For authorization see Configuring groups and profiles on page 191 and Configuring the TunnelGuard check using the SREM on page 168 For accounting see Configuring RADIUS accounting using the SREM on page 183 Server Accesses the Server screens in order to configure the portal SSL server see Configuring the SSL server using the SREM on ...

Page 168: ...re installed and active on the client PC For more information about how the TunnelGuard check operates in the Nortel SNA solution see TunnelGuard host integrity check on page 37 If you ran the quick setup wizard during the initial setup or to create the domain the TunnelGuard check has been configured with default settings and the check result you selected teardown or restricted You can rerun the ...

Page 169: ... To configure settings for the TunnelGuard host integrity check and the check result perform the following steps 1 Select the Secure Access Domain domain AAA Tunnel Guard Configuration tab The TunnelGuard Configuration screen appears see Figure 29 Figure 29 TunnelGuard Configuration screen ...

Page 170: ...for the group Tear Down the SSL session is torn down Heart Beat Interval Specifies the time interval between checks for client activity Accepts an integer that indicates the time interval in seconds s minutes m or hours h The valid range is 60s 1m to 86400s 24h The default is 1m 1 minute Heart Beat Retry Count Specifies the number of times the Nortel SNAS 4050 will repeat the check for client acti...

Page 171: ...om the TunnelGuard applet The options are fatal displays fatal errors only error displays all errors warning displays warning information about conditions that are not error conditions info displays high level information about processes debug displays detailed information about all processes The default is info The information displays in the client s Java Console window You can use the informati...

Page 172: ...SREM To configure settings for the TunnelGuard host integrity check and the check result perform the following steps 1 Select the Secure Access Domain domain AAA Tunnel Guard Quick Setup tab The TunnelGuard Quick Setup screen appears see Figure 30 Figure 30 TunnelGuard Quick Setup screen ...

Page 173: ...anently Table 23 TunnelGuard Quick Setup fields Field Description Action for Tunnel Guard check failure Specifies the action performed when an SRS rules check fails The options are restricted the session remains intact but access is resticted in accordance with the rights specified in the access rules for the group teardown the SSL session is torn down Create a Tunnel Guard test user Specifies whe...

Page 174: ...g the SSL server using the SREM To configure settings for the SSL server perform the following steps 1 Select the Secure Access Domain domain Server Configuration tab The server Configuration screen appears see Figure 31 Figure 31 Server Configuration screen ...

Page 175: ...er listens for HTTPS communications Accepts an integer in the range 1 65534 that indicates the TCP port number The default is 443 DNS Name Specifies a DNS name for the portal IP address Accepts the fully qualified domain name FQDN of the pVIP for example nsnas example com Generally you need to specify a DNS name only if your corporate DNS server is unable to perform reverse lookups of the portal I...

Page 176: ...settings using the SREM To configure SSL specific settings for the portal server perform the following steps 1 Select the Secure Access Domain domain Server SSL Settings tab The server SSL Settings screen appears see Figure 32 Figure 32 Server SSL Settings screen ...

Page 177: ...eparated by colons The default cipher list is ALL STRENGTH For more information about cipher lists see Appendix D Supported ciphers on page 881 Verify Specifies the level of client authentication to use when establishing an SSL session The options are none no client certificate is required optional a client certificate is requested but the client need not present one require a client certificate i...

Page 178: ... syslog messages generated within a cluster of Nortel SNAS 4050 devices Enable traffic logging with syslog messages in environments where laws or regulations require traffic logging to be performed on the SSL terminating device itself You can also enable it temporarily for debugging purposes Because of the amount of traffic generated Nortel recommends that you set up syslog on the backend server i...

Page 179: ...log server to receive UDP syslog messages for all HTTP requests handled by the portal server perform the following steps 1 Select the Secure Access Domain domain Server Traffic Log Syslog Settings tab The Traffic Log Syslog Settings screen appears see Figure 33 Figure 33 Traffic Log Syslog Settings screen ...

Page 180: ...rt number The default is 514 Priority Specifies the priority level of the syslog messages that are sent The options are debug information useful for debugging purposes only info informational messages notice information about conditions that are not error conditions but nevertheless warrant special attention The default value is info Facility Specifies the facility parameter of syslog messages The...

Page 181: ... about SSL and TCP traffic between clients and the portal server see Starting and stopping a trace using the SREM on page 738 Configuring HTTP redirect using the SREM You can configure the Nortel SNAS 4050 domain to automatically redirect HTTP requests to the HTTPS server For example a client request directed to http nsnas com is automatically redirected to https nsnas com ...

Page 182: ...the domain to automatically redirect HTTP requests to the HTTPS server specified for the domain perform the following steps 1 Select the Secure Access Domain domain HTTP Redirect tab The HTTP Redirect screen appears see Figure 34 Figure 34 HTTP Redirect screen ...

Page 183: ... user who successfully authenticates to the Nortel SNAS 4050 domain The start packet contains the following information client user name Nortel SNAS 4050 RIP session ID When the user session terminates the Nortel SNAS 4050 sends an accounting request stop packet to the accounting server The stop packet contains the following information session ID session time Table 27 HTTP Redirect fields Field D...

Page 184: ...050 specific attributes using the SREM The RADIUS accounting server uses Vendor Id and Vendor Type attributes in combination to identify the source of the accounting information The attributes are sent to the RADIUS accounting server together with the accounting information for the logged in user You can assign vendor specific codes to the Vendor Id and Vendor Type attributes for the Nortel SNAS 4...

Page 185: ...ic attributes used by the external RADIUS accounting server To configure vendor specific attributes in order to identify the Nortel SNAS 4050 domain perform the following steps 1 Select the Secure Access Domain domain AAA Radius Accounting Configuration tab The RADIUS accounting Configuration screen appears see Figure 34 Figure 35 RADIUS accounting Configuration screen ...

Page 186: ...er using the SREM on page 189 Adding a RADIUS accounting server using the SREM To configure the Nortel SNAS 4050 to use external RADIUS accounting servers perform the following steps 1 Select the Secure Access Domain domain AAA Radius Accounting Radius Accounting Servers tab Table 28 RADIUS accounting Configuration fields Field Description Enable Radius Accounting Specifies whether RADIUS accounti...

Page 187: ...ork Access Switch 4050 User Guide The Radius Accounting Servers screen appears see Figure 36 Figure 36 Radius Accounting Servers screen 2 Click Add The Add a Radius Accounting Server dialog box appears see Figure 37 Figure 37 Add a Radius Accounting Server ...

Page 188: ...counting Servers tab The Radius Accounting Servers screen appears see Figure 36 on page 187 listing all servers in the Radius Accounting Server Table 2 Select the RADIUS accounting server entry from the list 3 Click either the up or down arrows until the RADIUS accounting server entry is positioned correctly The index values do not update until you apply the changes 4 Click Apply on the toolbar to...

Page 189: ...ting Radius Accounting Servers tab The Radius Accounting Servers screen appears see Figure 36 on page 187 2 Select the RADIUS accounting server entry from the list 3 Click Delete A dialog box appears to confirm this entry is to be deleted 4 Click Yes The RADUIS accounting server disappears from the Radius Accounting Server Table 5 Click Apply on the toolbar to send the current changes to the Norte...

Page 190: ...190 Chapter 4 Configuring the domain 320818 A ...

Page 191: ...profiles using the CLI 196 Roadmap of group and profile commands 197 Configuring groups using the CLI 198 Configuring client filters using the CLI 201 Configuring extended profiles using the CLI 203 Mapping linksets to a group or profile using the CLI 206 Creating a default group using the CLI 208 Configuring groups and extended profiles using the SREM 208 Configuring groups using the SREM 208 Con...

Page 192: ...olution Guide 320817 A Groups The Nortel SNAS 4050 determines which VLANs users are authorized to access based on group membership When a user logs on to the Nortel SNAS 4050 domain the authentication method returns the group name associated with the user s credentials The Nortel SNAS 4050 then maps the user to groups defined on the Nortel SNAS 4050 You can define up to 1023 groups in the Nortel S...

Page 193: ...er display on the user s portal page see Linksets on page 194 TunnelGuard SRS rule The TunnelGuard host integrity check uses the criteria specified in the SRS rule assigned to the group extended profiles The Nortel SNAS 4050 checks the group to identify if there is an applicable extended profile see Extended profiles on page 195 For information about configuring a group see Configuring groups usin...

Page 194: ...roups see Mapping linksets to a group or profile using the CLI on page 206 or Mapping linksets to a group or profile using the SREM on page 223 TunnelGuard SRS rule The SRS rule specified for the group is the set of operating system and other software criteria that constitute the host integrity check performed by the TunnelGuard applet The SRS rule can be a composite of other rules but there is on...

Page 195: ... client filters in order to establish the user s security status The client filter referenced in the extended profile determines whether the extended profile data will be applied to the user After the user has been authenticated and the TunnelGuard host integrity check has been conducted the Nortel SNAS 4050 checks the group s extended profiles in sequence in order of the profile IDs for a match b...

Page 196: ... are 1 Configure the group see Configuring groups using the CLI on page 198 2 Configure the client filters that will be referenced in the extended profiles see Configuring client filters using the CLI on page 201 The client filters can be referenced by all extended profiles in the domain Table 30 Group names in the Nortel SNAS 4050 and authentication services Authentication method Group name on th...

Page 197: ...on page 208 Roadmap of group and profile commands The following roadmap lists all the CLI commands to configure groups client filters extended profiles and linkset mappings Use this list as a quick reference or click on any entry for more information Command Parameter cfg domain 1 aaa group group ID name name restrict tgsrs SRS rule name comment comment del cfg domain 1 aaa filter filter ID name n...

Page 198: ...roup you are prompted to enter the following parameters group name a string that uniquely identifies the group on the Nortel SNAS 4050 The maximum length of the string is 255 characters After you have defined a name for the group you can use either the group name or the group ID to access the Group menu The group name must match a group name used by the authentication services For more information...

Page 199: ...n the domain The maximum length of the string is 255 characters The group name must match a group name used by the authentication services For more information see Table 30 on page 196 restrict Sets the maximum number of simultaneous portal or Nortel SNAS 4050 sessions allowed for each member of the group For example if the value is set to 2 then a user can use two computers at the same time and h...

Page 200: ...es in the CLI comment comment Sets a comment for the group del Removes the group from the Nortel SNAS 4050 domain When you delete the group you also delete all extended profiles associated with that group ID cfg domain 1 aaa group followed by Main cfg domain 1 AAA group 2 Creating Group 2 Group name TestGroup Enter number of sessions 0 is unlimited Group 2 Menu name Set group name restrict Set num...

Page 201: ...t uniquely identifies the filter in the Nortel SNAS 4050 domain When you first create the filter you must enter the filter ID After you have created the filter you can use either the ID or the name to access the filter for configuration When you first create the filter you are prompted to enter the client filter name The Client Filter menu displays Note If you ran the quick setup wizard during ini...

Page 202: ...nnelGuard host integrity check triggers the filter true the client filter triggers when the TunnelGuard check succeeds false the client filter triggers when the TunnelGuard check fails ignore passing or failing the TunnelGuard check will not trigger the client filter The default is ignore For example in order to grant limited access rights to users who fail the TunnelGuard check set the tg value t...

Page 203: ...to 63 that uniquely identifies the profile in the group If you do not enter the profile ID as part of the command you are prompted to do so When you first create the extended profile you must enter the profile ID After you have created the extended profile you can use either the profile ID or the name of the associated client filter to access the extended profile for configuration Main cfg domain ...

Page 204: ...enu includes the following options Note If you ran the quick setup wizard during initial setup two extended profiles have been created profile ID 1 associated with client filter tg_failed and profile ID 2 associated with client filter tg_passed cfg domain 1 aaa group extend followed by filter name Specifies the predefined client filter that determines whether the Nortel SNAS 4050 will apply this e...

Page 205: ...ation about creating and configuring the linksets see Configuring linksets using the CLI on page 411 del Removes the extended profile from the group cfg domain 1 aaa group extend followed by Main cfg domain 1 aaa group 2 extend Enter profile number or filter reference name 1 63 1 Creating Extended Profile 1 Enter client filter name tg_failed 2 tg_passed 1 Enter client filter name tg_passed Enter V...

Page 206: ...by list Lists the currently configured linksets by index number del index number Removes the linkset entry represented by the specified index number The index numbers of the remaining entries adjust accordingly add linkset name Adds a linkset to the group or extended profile The linkset displays on the portal page after the user has been authenticated You can add as many linksets as you want The N...

Page 207: ... Menu list List all values del Delete a value by number add Add a new value insert Insert a new value move Move a value by number Linksets add linkset name example1 Linksets add example2 Linksets list Old Pending 1 example1 2 example2 Linksets insert 2 example3 Linksets list Old Pending 1 example1 2 example3 3 example2 Linksets move Index number to move 3 Destination index 1 Linksets list Old Pend...

Page 208: ...he group see Configuring groups using the SREM on page 208 2 Configure the client filters that will be referenced in the extended profiles see Configuring client filters using the SREM on page 213 The client filters can be referenced by all extended profiles in the domain 3 Configure the extended profiles for the group see Configuring extended profiles using the SREM on page 219 4 Map the linksets...

Page 209: ...ps 1 Click A Guide to Create a Group on the toolbar A dialog box appears prompting you to select a domain 2 Select the domain where this group is created 3 Click OK A Guide dialog appears and the screen displayed in the SREM changes to display the next screen used to add a group 4 Use Next and Previous to view the steps to create a group As each step follow the instructions provided before continu...

Page 210: ...g groups and profiles 320818 A Adding a group To create and configure a group perform the following steps 1 Select the Secure Access Domain domain AAA Groups tab The Groups screen appears see Figure 42 Figure 42 Groups screen ...

Page 211: ...rmanently Table 31 Add a Group fields Field Description Group ID Index An integer in the range 1 to 1023 that uniquely identifies the group in the Nortel SNAS 4050 domain Group Name A string that uniquely identifies the group on the Nortel SNAS 4050 The group name must match a group name used by the authentication services Maximum Login Sessions The maximum number of simultaneous portal or Nortel ...

Page 212: ...es 320818 A Modifying a group To configure a group perform the following steps 1 Select the Secure Access Domain domain AAA Groups group Configuration tab The group Configuration screen appears see Figure 44 Figure 44 Group Configuration screen ...

Page 213: ...ds Field Description Group ID Index An integer in the range 1 to 1023 that uniquely identifies the group in the Nortel SNAS 4050 domain This value cannot be changed after a group is created Group Name A string that uniquely identifies the group on the Nortel SNAS 4050 The group name must match a group name used by the authentication services Maximum Login Sessions The maximum number of simultaneou...

Page 214: ...0818 A Adding a client filter To create and configure a client filter perform the following steps 1 Select the Secure Access Domain domain AAA Filters Client Filters tab The Client Filters screen appears see Figure 45 Figure 45 Client Filters screen ...

Page 215: ...rs see Figure 46 Figure 46 Adding a Client Filter screen 3 Enter the Client Filter information in the applicable fields Table 33 describes the Add a Client Filter fields Table 33 Add a Client Filter fields Sheet 1 of 2 Field Description Filter ID Index An integer in the range 1 to 63 that uniquely identifies the filter in the Nortel SNAS 4050 domain ...

Page 216: ...e filter true the client filter triggers when the TunnelGuard check succeeds false the client filter triggers when the TunnelGuard check fails ignore passing or failing the TunnelGuard check will not trigger the client filter The default is ignore For example in order to grant limited access rights to users who fail the TunnelGuard check set the value to false create an extended profile that refer...

Page 217: ... 4050 User Guide Modifying a client filter To configure a client filter perform the following steps 1 Select the Secure Access Domain domain AAA Filters filter Configuration tab The client filter Configuration screen appears see Figure 47 Figure 47 Client filter Configuration screen ...

Page 218: ...d profile TunnelGuard Check Passed Specifies whether passing or failing the TunnelGuard host integrity check triggers the filter true the client filter triggers when the TunnelGuard check succeeds false the client filter triggers when the TunnelGuard check fails ignore passing or failing the TunnelGuard check will not trigger the client filter The default is ignore For example in order to grant li...

Page 219: ...d Profiles tab The Extended Profiles screen appears with a list of all profiles for that group When you select a profile in the list the extended profile configuration details and linksets become accessible from the tabs that display below the list You can view or edit details for an extended profile from these additional tabs This section contains the following topics Adding an extended profile o...

Page 220: ...ing an extended profile To create an extended profile for a group perform the following steps 1 Select the Secure Access Domain domain AAA Groups group Extended Profiles tab The Extended Profiles screen appears see Figure 48 Figure 48 Extended Profiles screen ...

Page 221: ... new extended profile The new extended appears appears in the list on the Extended Profiles tab Table 35 Add an Extended Profile fields Field Description Index An integer in the range 1 to 63 that uniquely identifies the profile in the group The default value for this field is the lowest unused index number available Filter Name The name of the predefined client filter that determines whether the ...

Page 222: ...file To modify an extended profile for a group perform the following steps 1 Select the Secure Access Domain domain AAA Groups group extended profile Configuration tab The extended profiles Configuration screen appears see Figure 50 Figure 50 Extended profiles Configuration screen ...

Page 223: ...ksets configured for the user s extended profile For information about configuring linksets see Configuring linksets using the SREM on page 439 Topics in this section include Mapping linksets to a group on page 224 Mapping linksets to a profile on page 227 Table 36 Extended Profile Configuration fields Field Description Index An integer in the range 1 to 63 that uniquely identifies the profile in ...

Page 224: ...sets tab The Linksets screen appears and displays the group Linkset Table see Figure 51 Figure 51 Linksets screen for a group The group Linkset Table allows you to manage linksets for the selected group by performing any of the following procedures Adding linksets to a group on page 225 Removing linksets from a group on page 226 Reordering linksets in a group on page 226 ...

Page 225: ...re 51 on page 224 2 Click Add The Add a Linkset dialog box appears see Figure 52 Figure 52 Adding a Linkset screen 3 Enter the linkset information in the applicable fields Table 37 describes the Add a Linkset fields 4 Click Add The new linkset appears in the Linkset Table 5 Click Apply on the toolbar to send the current changes to the Nortel SNAS 4050 Click Commit on the toolbar to save the change...

Page 226: ... Apply on the toolbar to send the current changes to the Nortel SNAS 4050 Click Commit on the toolbar to save the changes permanently Reordering linksets in a group To adjust the order in which group linksets appear on the portal page perform the following steps 1 Select the Secure Access Domain domain AAA Groups group Linksets tab The Linksets screen appears and displays the Linkset Table see Fig...

Page 227: ...ofile Linksets tab The Linksets screen appears and displays the Linkset Table see Figure 53 Figure 53 Linksets screen for an extended profile The group Linkset Table allows you to manage linksets for the selected extended profile by performing any of the following procedures Adding linksets to an extended profile on page 228 Removing linksets from an extended profile on page 229 Reordering linkset...

Page 228: ...e 53 on page 227 2 Click Add The Add a Linkset dialog box appears see Figure 54 Figure 54 Adding a Linkset screen 3 Enter the linkset information in the applicable fields Table 38 describes the Add a Linkset fields 4 Click Add The new linkset appears in the Linkset Table 5 Click Apply on the toolbar to send the current changes to the Nortel SNAS 4050 Click Commit on the toolbar to save the changes...

Page 229: ... Linkset Table 5 Click Apply on the toolbar to send the current changes to the Nortel SNAS 4050 Click Commit on the toolbar to save the changes permanently Reordering linksets in an extended profile To adjust the order in which extended profile linksets appear on the portal page perform the following steps 1 Select the Secure Access Domain domain AAA Groups group extended profile Linksets tab The ...

Page 230: ... group with extended profiles mapped to a restrictive VLAN see Configuring groups using the SREM on page 208 and Configuring extended profiles using the SREM on page 219 Then perform the following steps 1 Select the Secure Access Domain domain AAA tab The AAA Configuration screen appears see Figure 55 Figure 55 AAA Configuration screen ...

Page 231: ...n the applicable fields Table 39 describes the AAA Configuration fields 3 Click Apply on the toolbar to send the current changes to the Nortel SNAS 4050 Click Commit on the toolbar to save the changes permanently Table 39 AAA Configuration fields Field Description Default Group The name of the group you want to set as a default ...

Page 232: ...232 Chapter 5 Configuring groups and profiles 320818 A ...

Page 233: ...uring RADIUS authentication using the CLI 242 Configuring LDAP authentication using the CLI 249 Configuring local database authentication using the CLI 261 Specifying authentication fallback order using the CLI 267 Configuring authentication using the SREM 269 Configuring authentication methods using the SREM 270 Configuring RADIUS authentication using the SREM 271 Configuring LDAP authentication ...

Page 234: ...mes display on the portal login page see Configuring authentication methods using the CLI on page 239 or Configuring authentication methods using the SREM on page 270 You can then direct clients to select a specific authentication server for example for direction to a specific Windows domain If the client selects a Login Service name the authentication request is directed immediately to the specif...

Page 235: ... on the external server as required a A free RADIUS server may require specific settings in the clients conf file and the Users file to match group parameters you may have configured on the Nortel SNAS 4050 b A Steel belted RADIUS server requires specific settings in the vendor ini file master dictionary and vendor dictionary c An MS IAS RADIUS server may require vendor parameters to be configured...

Page 236: ...attributes such as group name and session timeout Each vendor has a specific dictionary The Vendor Id specified for an attribute identifies the dictionary the RADIUS server will use to retrieve the attribute value The Vendor Type indicates the index number of the required entry in the dictionary file The Internet Assigned Numbers Authority IANA has designated SMI Network Management Private Enterpr...

Page 237: ... 241 Configuring RADIUS authentication using the CLI on page 242 Configuring LDAP authentication using the CLI on page 249 Configuring local database authentication using the CLI on page 261 setting the order in which authentication methods will be applied see Specifying authentication fallback order using the CLI on page 267 Roadmap of authentication commands The following roadmap lists the CLI c...

Page 238: ...dr move index number new index number cfg domain 1 aaa auth radius sess iontim vendorid vendor ID vendortype vendor type ena dis cfg domain 1 aaa auth ldap searchbase DN groupattr names userattr names isdbinddn DN isdbindpas password enaldaps true false enauserpre true false timeout interval cfg domain 1 aaa auth ldap server s list del index number add IPaddr port insert index number IPaddr move i...

Page 239: ...n the Nortel SNAS 4050 domain cfg domain 1 aaa auth ldap ldapma cro list del index number add variable name LDAP attribute prefix suffix insert index number variable name move index number new index number cfg domain 1 aaa auth ldap active dire enaexpired true false expiredgro group cfg domain 1 aaa auth local add user name password group passwd user name password groups user name desired group de...

Page 240: ...e type selected determines which submenu option will display name name Names or renames the method After you have defined a name for the method you can use either the method name or the auth ID to access the Authentication menu name is a string that must be unique in the domain The maximum allowable length of the string is 255 characters but Nortel recommends a maximum of 32 characters In future r...

Page 241: ...listed them in the groupauth command to see if the user name can be matched against user groups defined in the authentication databases The first group matched is returned to the Nortel SNAS 4050 as the user s group and determines the user s access privileges for the session radius ldap local Accesses a method specific menu in order to configure settings for the method The option displayed depends...

Page 242: ...ate the method for the domain you must enter the authentication ID After you have created the method and defined a name for it you can use either the ID or the name to access the method for configuration cfg domain 1 aaa auth adv followed by groupauth auth IDs Specifies one or more preconfigured LDAP or Local database authentication schemes not including the current one that will be used to retrie...

Page 243: ... authentication method name auth name a string that specifies a name for the method After you have defined a name for the method you can use either the method name or the auth ID to access the Authentication menu In future releases of the Nortel SNAS 4050 software you will be able to reference this string in a client filter so that authentication to the server in question becomes a condition for a...

Page 244: ...default is 1 If you set the vendor ID to 0 in order to use a standard RADIUS attribute see vendor ID set the vendor type to a standard attribute type as defined in RFC 2865 For example to use the standard attribute Class set the vendor ID to 0 and the vendor type to 25 vendor ID for domain corresponds to the vendor specific attribute used by the RADIUS server to send domain names to the Nortel SNA...

Page 245: ...n use the following command cfg domain 1 aaa auth radius Main cfg domain 1 aaa auth Enter auth id 1 63 2 Creating Authentication 2 Select one of radius ldap or local radius Auth name radius Entering RADIUS settings menu Entering RADIUS servers menu IP Address to add IPaddr Port default is 1812 Enter shared secret secret Leaving RADIUS servers menu Enter vendor id for group alteon Enter vendor type...

Page 246: ...er belongs The group names to which the vendor specific attribute points must match names you define on the NSNAS The default is 1 If you set the vendor ID to 0 in order to use a standard RADIUS attribute see vendor ID set the vendor type to a standard attribute type as defined in RFC 2865 For example to use the standard attribute Class set the vendor ID to 0 and the vendor type to 25 domainid dom...

Page 247: ...ion fallback order using the CLI on page 267 To manage the RADIUS servers used for client authentication in the domain use the following command cfg domain 1 aaa auth radius servers The Radius servers menu displays timeout interval Sets the timeout interval for a connection request to a RADIUS server At the end of the timeout period if no connection has been established authentication will fail in...

Page 248: ...IUS authentication The default is 1813 shared secret the password used to authenticate the Nortel SNAS 4050 to the authentication server The system automatically assigns the next available index number to the server insert index number IPaddr Inserts a server at a particular position in the list of RADIUS authentication servers in the configuration index number the index number you want the server...

Page 249: ...ns Configuring LDAP authentication using the CLI To configure the Nortel SNAS 4050 domain to use an external LDAP server for authentication use the following command cfg domain 1 aaa auth auth ID cfg domain 1 aaa auth radius sessiontim followed by vendorid vendor ID Specifies the vendor specific attribute used by the RADIUS server to send a session timeout value to the Nortel SNAS 4050 The default...

Page 250: ...en prompted enter the following information For more information about the parameters see page 253 You can later modify all settings for the specific LDAP configuration see Configuring authentication methods using the CLI on page 239 and Modifying LDAP configuration settings using the CLI on page 252 authentication type options are radius ldap local Enter ldap authentication method name auth name ...

Page 251: ... s login name to search the DIT requires isdBindDN and isdBindPassword isdBindDN used to authenticate the Nortel SNAS 4050 to the LDAP server so that the LDAP DIT can be searched The isdBindDN corresponds to an entry created in the Schema Admins account for example cn ldap ldap cn Users dc example dc com An account must be created on the LDAP server to enable the Nortel SNAS 4050 to do the bind se...

Page 252: ...h ldap Main cfg domain 1 aaa auth Enter auth id 1 63 3 Creating Authentication 3 Select one of radius ldap or local ldap Auth name ldap Entering LDAP settings menu Entering LDAP servers menu IP Address to add IPaddr Port default is 389 Leaving LDAP servers menu Search Base Entry search base entry Group attribute name attribute User attribute name attribute isdBindDN DN isdBindPassword password Ena...

Page 253: ...luetail and dc com where uid is an example of a user attribute ou organization unit and dc domain component Do not use the isdbinddn and isdbindpas commands 2 if user entries are located in several places in the LDAP Dictionary Information Tree DIT or if the client s portal logon name is different from the user record identifier RDN the position in the DIT from where all user records can be found ...

Page 254: ...d as sAMAccountName the user record for Bill Smith will be found The isdbinddn and isdbindpas parameters are required so that the Nortel SNAS 4050 can authenticate itself to the LDAP server in order to search the DIT isdbinddn DN Specifies an entry in the LDAP server used to authenticate the Nortel SNAS 4050 to the LDAP server so that the LDAP DIT can be searched The isdBindDN corresponds to an en...

Page 255: ... through the portal the Nortel SNAS 4050 retrieves the LDAP attribute from the LDAP database false storage and retrieval of user preferences is disabled To support storage and retrieval of user preferences you must extend the LDAP server schema with one new ObjectClass and one new Attribute For more information see Appendix E Adding User Preferences attribute to Active Directory on page 883 The de...

Page 256: ...If the Nortel SNAS 4050 clients are dispersed in different LDAP server databases you can configure the LDAP servers as separate authentication methods with different authentication IDs If you include all LDAP authentication IDs in the authentication order each LDAP server will be used to authenticate client groups To enable LDAP authentication ensure that the authentication ID that represents the ...

Page 257: ...ult TCP port number used by the LDAP protocol is 389 If LDAPS is enabled change the port number to 636 insert index number IPaddr Inserts a server at a particular position in the list of LDAP servers in the configuration index number the index number you want the server to have IPaddr the IP address of the server you are adding The index number you specify must be in use The index numbers of exist...

Page 258: ...r record For more information about using macros in portal links see Macros on page 395 To configure LDAP macros use the following command cfg domain 1 aaa auth ldap ldapmacro The LDAP macro menu displays The LDAP macro menu includes the following options cfg domain 1 aaa auth ldap ldapmacro followed by list Lists all macros in the LDAP configuration in the Nortel SNAS 4050 domain by index number ...

Page 259: ...es at the end of the string that you want to ignore Combine with a prefix if the value you want is in the middle of the string The system automatically assigns the next available index number to the macro insert index number variable name Inserts a macro at a particular position in the list of LDAP macros in the configuration index number the index number you want the macro to have variable name t...

Page 260: ...he cfg domain 1 aaa auth ldap activedire command To manage clients whose passwords have expired or who need to change their passwords use the following command cfg domain 1 aaa auth ldap activedire The Active Directory Settings menu displays The Active Directory Settings menu includes the following options cfg domain 1 aaa auth ldap activedire followed by enaexpired true false Specifies whether th...

Page 261: ...command see Managing the local database using the CLI on page 264 4 Modify settings for the authentication method itself if desired see Configuring authentication methods using the CLI on page 239 5 Set the authentication order see Specifying authentication fallback order using the CLI on page 267 Adding the local database authentication method using the CLI To create the Local database authentica...

Page 262: ...re radius ldap local Enter local authentication method name auth name a string that specifies a name for the method After you have defined a name for the method you can use either the method name or the auth ID to access the Authentication menu In future releases of the Nortel SNAS 4050 software you will be able to reference this string in a client filter so that authentication to the database in ...

Page 263: ... multiple group names for a user but the Nortel SNAS 4050 does not allow membership in multiple groups If you enter multiple group names the first group name entered is the one that will be returned to the Nortel SNAS 4050 after authentication Main cfg domain 1 aaa auth Enter auth id 1 63 4 Creating Authentication 4 Select one of radius ldap or local local Auth name local4 Entering Local database ...

Page 264: ...authentication server has authenticated the user To do so use an asterisk for the user password in the local database For information about configuring the Nortel SNAS 4050 to perform external database authentication in conjunction with local database authorization see Configuring advanced settings using the CLI on page 241 To manage users and their passwords in the local database use the followin...

Page 265: ...t applies to the user you specified To use the local database for authorization only after an external authentication server has authenticated the user enter an asterisk group the name of the group to which the specified user belongs The group must exist in the NSNAS domain The group name is used for authorization To view available group names press TAB or use the cfg domain 1 aaa cur group comman...

Page 266: ...ds were protected with a key when the file was exported the key you must provide is the same as the password key provided at the time of export If the file is not protected with a key enter any characters a minimum of four when prompted FTP user name and password if applicable The file you import must be in ASCII format Each row entry consists of values for user name password and group separated b...

Page 267: ...d to provide the following information protocol is the export protocol Options are tftp ftp scp sftp server is the host name or IP address of the server filename is the name of the destination database file on the server for example db txt key is the password key for user password protection If you are not protecting the file with a key enter any characters a minimum of four when prompted FTP user...

Page 268: ...You want the Nortel SNAS 4050 to check the local database first then send requests to the LDAP server then to the RADIUS server Figure 59 shows the required command Figure 59 Authentication order command Note For best performance set the authentication order so that the method that supports the biggest proportion of users is applied first However if you use the Nortel SNAS 4050 local database as o...

Page 269: ... this step even if you define only one method on the Nortel SNAS 4050 4 Commit the configuration changes To configure authentication on the Nortel SNAS 4050 using the SREM refer to the following tasks Configuring authentication methods using the SREM on page 270 Configuring RADIUS authentication using the SREM on page 271 Configuring LDAP authentication using the SREM on page 282 Configuring local...

Page 270: ...thods using the SREM To create and configure an authentication method perform the following steps 1 Select the Secure Access Domain domain AAA Authentication Authentication Server Table tab The Authentication Server Table appears see Figure 60 Figure 60 Authentication Server Table ...

Page 271: ... go to Configuring RADIUS authentication using the SREM on page 271 For LDAP authentication go to Configuring LDAP authentication using the SREM on page 282 For Local authentication go to Configuring local database authentication using the SREM on page 298 Configuring RADIUS authentication using the SREM To configure the Nortel SNAS 4050 to use RADIUS authentication perform the following steps 1 A...

Page 272: ...0 to use an external RADIUS or Steel belted RADIUS server for authentication perform the following steps 1 In the Add an Authentication Server dialog box select Radius from the drop down list The display of the Add an Authentication Server dialog box refreshes see Figure 61 Figure 61 Add an Authentication Server Radius ...

Page 273: ...teger in the range 1 to 63 that uniquely identifies the authentication method on the Nortel SNAS 4050 Name Specifies a name for the authentication method as a mnemonic aid The maximum allowable length of the name string is 255 characters but Nortel recommends a maximum of 32 characters Future releases of the Nortel SNAS 4050 software will allow you to reference this name in a client filter so auth...

Page 274: ...settings on page 276 Modifying RADIUS method settings To modify settings for an existing RADIUS authentication method perform the following steps 1 Select the Secure Access Domain domain AAA Authentication radius Configuration tab The Configuration screen appears showing current settings for the method see Figure 62 Figure 62 Configuration ...

Page 275: ...re will allow you to reference this name in a client filter so authentication to this server becomes a condition for access rights for a group Mechanism Displays the authentication type for this method Display Name Specifies a name for the method to display in the Login Service list box on the portal login page together with the names of other authentication services available Secondary Authentica...

Page 276: ...configuration settings To modify the RADIUS method configuration perform the following steps 1 Select the Secure Access Domain domain AAA Authentication radius Radius Configuration tab The Radius Configuration screen appears see Figure 63 Figure 63 Radius Configuration ...

Page 277: ...n order to use a standard RADIUS attribute see vendor ID set the vendor type to a standard attribute type as defined in RFC 2865 For example to use the standard attribute Class set the vendor ID to 0 and the vendor type to 25 Vendor Id for Domain ID Attributes Specifies the vendor specific attribute used by the RADIUS server to send domain names to the Nortel SNAS 4050 The default Vendor Id is 187...

Page 278: ... The default is PAP Vendor ID Specifies the vendor specific attribute used by the RADIUS server to send a session timeout value to the Nortel SNAS 4050 The default Vendor Id is 0 With the Vendor Type also set to 0 the default value the RADIUS server sends the standard attribute for session timeout Vendor Type Specifies the Vendor Type value used in combination with the Vendor Id to identify the se...

Page 279: ...redundancy In the event that the preferred RADIUS server is not responding the first available server in the list will be used instead To manage additional RADIUS servers select the Secure Access Domain domain AAA Authentication radius Radius Servers tab The RADIUS Servers screen appears see Figure 64 displaying a list of the existing RADIUS servers Figure 64 Radius Servers ...

Page 280: ...l RADIUS servers for redundancy perform the following steps 1 Select the Secure Access Domain domain AAA Authentication radius Radius Servers tab The RADIUS Servers screen appears see Figure 64 on page 279 2 Click Add The Add a Radius Server dialog box appears see Figure 65 Figure 65 Add a Radius Server 3 Enter the RADIUS server information in the applicable fields Table 43 describes the Add a RAD...

Page 281: ... page 291 2 Select an RADIUS server entry from the RADIUS Server Table 3 Use the up and down arrows to reposition the selected entry 4 Click Apply on the toolbar to accept the new order and adjust index numbers for the RADIUS servers accordingly Click Commit on the toolbar to save the changes permanently Removing a RADIUS server To remove an existing RADIUS server from the RADIUS Server Table perf...

Page 282: ... SREM on page 282 or Configuring local database authentication using the SREM on page 298 2 Set the authentication order see Specifying authentication fallback order using the SREM on page 314 3 Commit the changes see Saving authentication settings on page 316 Configuring LDAP authentication using the SREM To configure the Nortel SNAS 4050 to use LDAP authentication perform the following steps 1 A...

Page 283: ...Add an Authentication Server LDAP 2 Enter the authentication server information in the applicable fields Table 44 describes the Add an Authentication Server LDAP fields Table 44 Add an Authentication Server LDAP fields Field Description Index Specifies an integer in the range 1 to 63 that uniquely identifies the authentication method on the Nortel SNAS 4050 Name Specifies a name for the authentica...

Page 284: ...hentication method itself see Modifying LDAP method settings on page 285 Modify settings for the specific LDAP configuration see Modifying LDAP configuration settings on page 287 Display Name Specifies a name for the method to display in the Login Service list box on the portal login page together with the names of other authentication services available IP Address Specifies the IP address of the ...

Page 285: ...LDAP method settings To modify settings for an existing LDAP authentication method perform the following steps 1 Select the Secure Access Domain domain AAA Authentication ldap Configuration tab The Configuration screen appears showing current settings for the method see Figure 67 Figure 67 Configuration ...

Page 286: ...re releases of the Nortel SNAS 4050 software will allow you to reference this name in a client filter so authentication to this server becomes a condition for access rights for a group Mechanism Displays the authentication type for this method Display Name Specifies a name for the method to display in the Login Service list box on the portal login page together with the names of other authenticati...

Page 287: ...ser Guide Modifying LDAP configuration settings To modify the LDAP method configuration perform the following steps 1 Select the Secure Access Domain domain AAA Authentication ldap LDAP Configuration tab The LDAP Configuration screen appears see Figure 68 Figure 68 LDAP Configuration ...

Page 288: ...Specifies the Distinguished Name DN that points to one of the following the entry that is one level up from the user entries does not require a Bind ISD DN and Bind ISD Password if user entries are located in several places in the LDAP Dictionary Information Tree DIT the position in the DIT from where all user records can be found with a subtree search requires Bind ISD DN and Bind ISD Password Gr...

Page 289: ...gin name is bill If the user attribute is defined as sAMAccountName the user record for Bill Smith will be found The Bind ISD DN and Bind ISD Password fields are required so that the Nortel SNAS 4050 can authenticate itself to the LDAP server in order to search the DIT Bind ISD DN Specifies an entry in the LDAP server used to authenticate the Nortel SNAS 4050 to the LDAP server so that the LDAP DI...

Page 290: ...ute For more information see Appendix E Adding User Preferences attribute to Active Directory on page 883 Cut Domain From User Name Specifies whether the domain is cut from user names Default is disabled LDAP Server Timeout Sets the timeout interval for a connection request to an LDAP server At the end of the timeout period if no connection has been established authentication will fail Accepted va...

Page 291: ... for redundancy In the event that the preferred LDAP server is not responding the first available server in the list will be used instead To manage additional LDAP servers select the Secure Access Domain domain AAA Authentication ldap LDAP Servers tab The LDAP Servers screen appears see Figure 69 displaying a list of the existing LDAP servers Figure 69 LDAP Servers ...

Page 292: ...lect the Secure Access Domain domain AAA Authentication ldap LDAP Servers tab The LDAP Servers screen appears see Figure 69 on page 291 2 Click Add The Add an LDAP Server dialog box appears see Figure 70 Figure 70 Add an LDAP Server 3 Enter the LDAP server information in the applicable fields Table 47 describes the Add an LDAP Server fields 4 Click Apply Table 47 Add an LDAP Server fields Field De...

Page 293: ... screen appears see Figure 69 on page 291 2 Select an LDAP server entry from the LDAP Server Table 3 Use the up and down arrows to reposition the selected entry 4 Click Apply on the toolbar to accept the new order and adjust index numbers for the LDAP servers accordingly Click Commit on the toolbar to save the changes permanently Removing an LDAP server To remove an existing LDAP server from the L...

Page 294: ... can create your own macros or variables to allow you to retrieve data from the LDAP database You can then map the variable to an LDAP user attribute in order to create user specific links on the portal Home tab When the client successfully logs on the variable expands to the value retrieved from the LDAP or Active Directory user record For more information about using macros in portal links see M...

Page 295: ... domain AAA Authentication ldap LDAP Macros tab The LDAP Macros screen appears see Figure 71 and displays a list of existing LDAP macros Figure 71 LDAP Macros The LDAP Macro Table allows you to manage LDAP macros by performing any of the following procedures Adding LDAP macros on page 296 Reordering LDAP macros on page 297 Removing LDAP macros on page 297 ...

Page 296: ...AP Macro fields Field Description Variable Name Specifies the name of the variable Attribute Name Specifies the LDAP user attribute whose value will be retrieved from the client s LDAP Active Directory user record Prefix Specifies values at the start of the string that you want to ignore if the value string of the LDAP attribute is long and you wish to extract only part of it Combine with a suffix...

Page 297: ...b The LDAP Macros screen appears see Figure 71 on page 295 2 Select an LDAP macro entry from the LDAP Macro Table 3 Use the up and down arrows to reposition the selected entry 4 Click Apply on the toolbar to accept the new order and adjust index numbers for the LDAP macros accordingly Click Commit on the toolbar to save the changes permanently Removing LDAP macros To remove existing LDAP macro var...

Page 298: ...abase authentication using the SREM To configure the Nortel SNAS 4050 to use a local database for authentication perform the following steps 1 Add the Local method to the domain and create the local database see Adding the Local method on page 299 2 Populate the database see Populating the database on page 301 3 Modify the local database settings if desired see Modifying Local database configurati...

Page 299: ...d To configure the Nortel SNAS 4050 to use the Local authentication method perform the following steps 1 In the Add an Authentication Server dialog box select Local from the drop down list The display of the Add an Authentication Server dialog box refreshes see Figure 73 Figure 73 Add an Authentication Server Local ...

Page 300: ...ient filter so authentication to this server becomes a condition for access rights for a group Display Name Specifies a name for the method to display in the Login Service list box on the portal login page together with the names of other authentication services available User Name Specifies a unique user login name This item creates the first entry in the local database To fully populate the data...

Page 301: ... manually see Adding users to the local database on page 301 importing a database see Importing a database on page 304 Adding users to the local database To manually add individual users to the database perform the following steps 1 Select the Secure Access Domain domain AAA Authentication local Local Users tab The Local Users screen appears see Figure 74 Figure 74 Local Users ...

Page 302: ...indows login name observe Windows username conventions for example keep the length to no more than 32 characters When the client attempts to log on to the Nortel SNAS 4050 domain and local database authentication is applied the client is prompted for the user name and password you define for the database User Password Specifies the password that applies to the new user To only use the local databa...

Page 303: ... 2 through step 4 for each user you want to add to the database 6 To remove users from the local users list a Select a user from the table b Click Delete A confirmation dialog appears c Click Yes The local user is removed from the list 7 Click Apply on the toolbar to send the current changes to the Nortel SNAS 4050 Click Commit on the toolbar to save the changes permanently ...

Page 304: ...rs perform the following steps 1 Select the Secure Access Domain domain AAA Authentication local Import Local User Database tab The Import Local User Database screen appears see Figure 67 Figure 76 Import Local User Database Note The imported database will overwrite existing entries in the local database ...

Page 305: ...al user passwords on page 309 Table 51 Import Local User Database fields Field Description Protocol Specifies the import protocol Options are ftp tftp sftp scp The default is ftp Host Specifies the host name or IP address of the server Filename Specifies the name of the database file on the server Pass Phrase Key Specifies the password key for user password protection For a database file whose pas...

Page 306: ...dify settings for an existing local or LDAP authentication method perform the following steps 1 Select the Secure Access Domain domain AAA Authentication local Configuration tab The Configuration screen appears showing current settings for the method see Figure 77 Figure 77 Configuration ...

Page 307: ...iquely identifies the authentication method on the Nortel SNAS 4050 Name Specifies a name for the authentication method as a mnemonic aid Future releases of the Nortel SNAS 4050 software will allow you to reference this name in a client filter so authentication to this server becomes a condition for access rights for a group Mechanism Displays the authentication type for this method Display Name S...

Page 308: ...0818 A 2 In the User Name list select the user you want to edit The Local Users screen refreshes to display an editing pane in the bottom half of the screen with the user Configuration tab active see Figure 78 Figure 78 Local Users Configuration ...

Page 309: ...escription User Name Specifies a unique user logon name There are no restrictions on the Nortel SNAS 4050 regarding acceptable user names However if you want the user name in the local database to mirror the Windows login name observe Windows username conventions for example keep the length to no more than 32 characters When the client attempts to log on to the Nortel SNAS 4050 domain and local da...

Page 310: ...reen refreshes to display an editing pane in the bottom half of the screen with the user Configuration tab active see Figure 78 on page 308 3 Select the Local User Configuration tab The Local Users screen refreshes to display the Local User Configuration tab active see Figure 79 Figure 79 Local Users Local User Configuration ...

Page 311: ...ly on the toolbar to send the current changes to the Nortel SNAS 4050 Click Commit on the toolbar to save the changes permanently Table 54 Local Users Local User Configuration fields Field Description User Password Specifies the password that applies to the new user To only use the local database for authorization after an external authentication server has authenticated the user enter an asterisk...

Page 312: ...atabase To export the database of local users perform the following steps 1 Select the Secure Access Domain domain AAA Authentication local Export Local User Database tab The Export Local User Database screen appears see Figure 80 Figure 80 Export Local User Database ...

Page 313: ...tion settings on page 316 Table 55 Export Local User Database fields Field Description Protocol Specifies the export protocol Options are ftp tftp sftp scp The default is ftp Host Specifies the host name or IP address of the server Filename Specifies the name of the database file on the server Pass Phrase Key Specifies the password key for user password protection For a database file whose passwor...

Page 314: ... if there is only one method defined on the Nortel SNAS 4050 Note For best performance set the authentication order so that the method that supports the biggest proportion of users is applied first However if you use the Nortel SNAS 4050 local database as one of the authentication methods Nortel recommends that you set the Local method to be first in the authentication order The Local method is pe...

Page 315: ...re Access Domain domain AAA Authentication Authentication Server Table The Authentication Server Order screen appears see Figure 80 Figure 81 Authentication Server Order 2 In the Fallback Order section specify the authentication methods you wish to use by selecting the applicable check boxes An authentication method whose check box is clear will not be used in the domain ...

Page 316: ...wing procedures a Click Apply on the toolbar to immediately accept all changes b Click the Change Manager icon in the bottom right corner to view and confirm the list of change current changes The Change Manager allows you to review or remove specific changes before clicking Apply All 2 Click Diff to view pending changes on the Nortel SNAS 4050 3 Do one of the following to implement or remove pend...

Page 317: ...on Available SRS list 323 SRS Components table 323 Memory snapshot 325 TunnelGuard Rule Definition screen 325 Managing TunnelGuard rules and expressions 327 Creating a software definition 327 Adding entries to a software definition 328 Creating logical expressions 333 Registry based rules 338 Manually creating SRS entries 343 File age check 347 Adding comments 348 Deleting SRS rules and their comp...

Page 318: ...d in the CLI on page 134 or Using the TunnelGuard Quick Setup in the SREM on page 172 The test rule tests for the presence of the following file on the client host C tunnelguard tg txt To create an SRS rule perform the following steps 1 Create a software definition see Creating a software definition on page 327 2 Add entries to the software definition see Adding entries to a software definition on...

Page 319: ... on page 319 Software Definition Entry menu on page 320 TunnelGuard Rule menu on page 321 Tool menu on page 321 File menu Table 56 describes important items from the File menu Software Definition menu Table 57 describes important items from the Software Definition menu Table 56 File menu items Item Description Save Save the SRS definition in the Nortel SNAS 4050 LDAP database Table 57 Software Def...

Page 320: ...are Definition Entry menu items Sheet 1 of 2 Item Description Add OnDisk file as entry Select a file from the local file system a text configuration file for example and add it as one component of the SRS Add Selected memory module as entry Add the selected memory module from the current memory snapshot as a required entry Add Registry Key entry Add the registry key entry Delete Delete the selecte...

Page 321: ...y Default Hash Algorithm Select the default hash algorithm MD5 or SHA1 Table 59 TunnelGuard Rule menu items Item Description New TunnelGuard Rule Creates a new TunnelGuard rule Delete TunnelGuard Rule Deletes the selected TunnelGuard rule Clone TunnelGuard Rule Clones the selected TunnelGuard rule Table 60 Tool menu item descriptions Item Description Refresh memory snapshot Refreshes the list of p...

Page 322: ...ew SRS definition Delete an existing SRS definition Deletes the currently selected SRS definition Clone an SRS Creates a copy of the currently selected SRS definition Import an SRS definition from an XML file Imports an XML formatted SRS definition file Export an SRS definition to an XML file Exports SRS definitions to an XML formatted file Edit Software comments Adds a comment If the check fails ...

Page 323: ... components Table 62 SRS Components table items Item Description Path Shows the full directory path to the file location Process Shows the process name in which the component runs For files the only exist on disk this column does not apply Version Shows version information on the component Date Time Shows the last modified time of the component Registry Key Shows the registry key entry Registry Ex...

Page 324: ...lected memory module as entry Add the selected memory module from current memory snapshot Add registry key entry Add the registry key entry Delete entry Delete the selected component Copy entry Copy the selected component Paste entry Paste component from one SRS definition to another Customize path Replace part of the path with a string of system environment variables For example WINNT xxx dll Set...

Page 325: ... view descriptions of the information displayed see Table 64 TunnelGuard Rule Definition screen Select the TunnelGuard Rule Definition tab to access the rule definition screen You use this screen to create and manage rules The SRS Rule toolbar appears at the top of the screen SRS Rule toolbar The SRS rule toolbar icons allow you to Define a new SRS rule Delete the selected SRS rule Clone the selec...

Page 326: ...e 327 Available Expression list The Available Expression list contains the elements you need to construct the Boolean expression The expressions can be basic SRS definitions or expressions you construct Rule Expression Constructor You can group multiple SRS Rule expressions into more compound expressions using the AND OR or NOT operators Form TunnelGuard rule expression Select this option to put t...

Page 327: ...a process in the left pane of the Memory Snapshot section to display included files and modules on the right To manage TunnelGuard Rules and Expressions choose from one of the following tasks Creating a software definition on page 327 Adding entries to a software definition on page 328 Creating logical expressions on page 333 Registry based rules on page 338 Manually creating SRS entries on page 3...

Page 328: ...n about these methods select one of the following topics Selecting modules or files from running processes on page 328 Selecting file on disk on page 331 Selecting modules or files from running processes 1 On the Software Definition screen in the Process list bottom left select the application or process to include in the software definition All processes that are currently running on your local P...

Page 329: ...or module to the current software definition click Browse Local System and find the desired file 4 Select the Fetch Module Path from Registry Entry check box if the module name can be fetched from a local registry entry on the desktop PC Then enter the desired key path and key value in the fields Use this option if a module name varies in different setups and is available in a registry key 5 To ig...

Page 330: ... time range or specific date time Lets you specify a date time range or an exact date time referring to when the file was created or last modified 9 Select the Vendor API Call Check check box to invoke a 3rd party API call for doing additional checking on the software One of the features of TunnelGuard is the ability to specify an API that you want to use to check a file such as an executable Tunn...

Page 331: ...t of the TunnelGuard Rule Definition tab The TunnelGuard SRS rule can now be mapped to the desired user group If needed a new software definition can be created The expression created for this software definition can be used to form a new logical expression including both the new and the existing expression See Creating logical expressions on page 333 Selecting file on disk This method lets you ad...

Page 332: ... include the file in a new software definition first create the new software definition select New Software Definition on the Software Definition menu The Create New ON Disk SRS Entry window is displayed see Figure 86 Figure 86 The Create New ON Disk SRS Entry window 2 In the File or Module Path field enter the path to the file To add a file that exists on your system click the Browse Local System...

Page 333: ...he entry is saved but the Create New On Disk SRS Entry window remains open so you can add more entries to the current software definition The file is added as a software definition entry on the right pane Creating logical expressions To be able to specify an SRS rule that comprises a number of different requirements you may create a logical expression The logical expression should contain the cond...

Page 334: ... Definition tab see Figure 87 Figure 87 The TunnelGuard Rule Definition tab In the example above two TunnelGuard rules have been created each defining a unique application To create one TunnelGuard rule comprising both applications we should start by creating a new logical expression 3 Select the desired expression in the Available Expressions area and click the arrow right button The expression i...

Page 335: ...on where both conditions must be met for the TunnelGuard checks to pass The OR expression lets you construct an expression where either of the conditions must be met for the TunnelGuard checks to pass The NOT operand lets you construct an expression where the condition must not be met for the TunnelGuard checks to pass for example the file or files in the software definition must not be found on t...

Page 336: ...8 The Available Expressions screen 7 Create a new TunnelGuard Rule On the TunnelGuard Rule menu select New TunnelGuard Rule The New SRS Rule window appears see Figure 89 Figure 89 The New SRS Rule window 8 Enter a name for the TunnelGuard rule and click OK ...

Page 337: ...90 Figure 90 The TunnelGuard Rule Name screen 9 Click the TunnelGuard Rule Expression column This column converts to a drop down list Scroll through the list of expressions and choose the expression you would to associate with this rule Any logical expression that you create may be used in a new logical expression for example to construct more complex conditions ...

Page 338: ...stry keys and enforce their values on a desktop PC before allowing access to the network One SRS entry holds any number of registry key checks just as one SRS entry holds any number of file checks Contrary to file and process checks registry key checks do not have hash checking date and version number checking enabled However you can combine registry key checking entry with any other type of check...

Page 339: ... integer Registry Key values 20 matches integer values that are greater than or equal to 20 100 matches integer values that are exactly equal to 100 50 matches integer values that are less than 50 200 matches all integer values that are not equal to 200 Table 66 Supported integer operands Operand Description greater than or equal to less than or equal to equal to not equal to less than greater tha...

Page 340: ...digit 0 9 D A non digit 0 9 s A whitespace character t n x0B f r S A non whitespace character s w A word character a zA Z_0 9 W A non word character w abc a b or c abc not a b or c a z any character a through z a d m p a through d or m through p a dm p union a z def d e or f intersection a z bc a through z except for b and c ad z subtraction X X once or not at all X X zero or more times X X one or...

Page 341: ...not a z 2 _ d matching tg_2 0 0 does not match Tg_2 0 0 does not match tg_ does not match tg_two does not match tug_2 0 0 Creating a registry entry To create a registry entry 1 Click the Software Definition tab in the TunnelGuard Software and Rule Definition Tool page 2 Click the Software Definition Entry menu and select Add Registry Key Entry The Registry Entry page opens see Figure 91 on page 34...

Page 342: ...er window opens for you to create another Registry entry Registry based File Module If the File Module path or name is not known to the administrator or is not static for SRS rule creation the file name or module is sometimes available as Registry Key Value data Administrators can define a Registry Key to look for and derive a File Module path and name from the Registry Key Value data This path is...

Page 343: ... be checked Since these rules are created manually extra care is required to avoid any mistakes Choose from the following options Manually creating an OnDisk file entry on page 343 Manually creating a Memory Module entry on page 345 Manually creating an OnDisk file entry To manually create an OnDisk SRS file entry 1 Click the Software Definition tab in the TunnelGuard Software and Rule Definition ...

Page 344: ...he page is filled in automatically 4 Select the desired Min Version option If Any is selected the dates are deselected and the boxes are cleared 5 Select the desired Max Version option If Any is selected the dates are deselected and the boxes are cleared Note If you select Fetch Module Path from Registry Entry you must manually enter the Registry Entry and the Key Value The other fields on the pag...

Page 345: ...e Time enter the specific date and time in the From Date Time and To Date Time text boxes 7 To enable Hash Checking select the Enable Hash Checking box 8 Click OK If you want to create multiple entries click Save and More That saves this entry and another window will opens so that you can create another OnDisk SRS entry Manually creating a Memory Module entry To manually create a Memory Module ent...

Page 346: ...e Path appears in the text box and the rest of the information on the page is filled in automatically 4 Enter the process name in the Process Name text box 5 Click an option button for Min Version Note If you select Fetch Module Path from Registry Entry you must enter the Registry Entry and the Key Value The rest of the fields on the page must also be completed manually ...

Page 347: ...ndor API Call Check box 9 To enable hash checking click the Enable Hash Checking box 10 Click OK If you want to create multiple entries click Save and More That saves this entry and another window will pop up so that you can create another Memory Module SRS entry File age check Most desktop PCs have antivirus software with virus definition files that are updated weekly biweekly or monthly You can ...

Page 348: ...nt information to the user for example the reason the TunnelGuard checks failed and the recommended action The information is included in the var tgFailureReason variable along with the TunnelGuard rule expression name If teardown mode is used the comment is automatically displayed on the Portal Login page 1 Click the TunnelGuard Rule Definition tab 2 In the TunnelGuard Rule Comment column click t...

Page 349: ...splayed when the user clicks the details link on the Portal login page 1 Click the Software Definition tab 2 On the Software Definition menu select Edit Software Definition Comment The Software Definition Comment window is displayed 3 Type in the desired text and click OK Deleting SRS rules and their components You can delete SRS rules and their component elements Deleting a software definition on...

Page 350: ...ab 2 In the Software Definition column select the desired software definition 3 On the right pane select the desired software definition entry 4 Click the trash can symbol on the tool bar located below the right pane Deleting a TunnelGuard rule 1 Click the TunnelGuard Rule Definition tab 2 In the TunnelGuard Rule Name column select the desired rule 3 Click the trash can symbol on the tool bar loca...

Page 351: ... to use TunnelGuard to retrieve status from other software packages such as personal firewalls and virus checkers to make sure they are running properly Making API calls TunnelGuard requires a Windows Platform DLL that implements at least one common entry point as described below Windows include windows h return values define STATUS_SUCCESS 0 define STATUS _FAILURE 1 define STATUS_REQUIRES_UPDATE ...

Page 352: ...352 Chapter 7 TunnelGuard SRS Builder 320818 A ...

Page 353: ...ging user accounts and passwords using the CLI 356 Managing user settings using the CLI 358 Managing user groups using the CLI 359 CLI configuration examples 360 Managing system users and groups using the SREM 370 Managing user accounts using the SREM 370 Setting password expiry using the SREM 374 Changing your password using the SREM 376 Changing another user s password using the SREM 377 Setting...

Page 354: ...ted by the admin group membership The most permissive user rights become the effective user rights when a user is a member of more than one group For more information about default user groups and related access levels see Accessing the Nortel SNAS 4050 cluster on page 775 Note There are two additional types of users with specialized functions boot and root For more information see Accessing the N...

Page 355: ... for a detailed example see Changing passwords on page 366 delete users for a detailed example see Deleting a user on page 369 For detailed information about the CLI commands see CLI configuration examples on page 360 Roadmap of system user management commands The following roadmap lists all the CLI commands to configure and manage system users for the Nortel SNAS 4050 cluster Use this list as a q...

Page 356: ...e sensitive The change takes effect as soon as you execute the command expire time Sets an expiration time for system user passwords The time applies to all system users The counter starts from when the password was last set The first time the system user logs on after the specified time has expired the user is prompted for a new password time is the length of time in days d hours h minutes m or s...

Page 357: ...o is the sole member of a group none of the remaining users on the system can then be added to that group Existing users can only be added to a group by a user who is already a member of that group Before deleting a user verify that the user is not the sole member of a group add username Adds a user account to the system The maximum length of the user name is 255 characters No spaces are allowed A...

Page 358: ...ated from the administrator role If the admin user is a member of the certadmin group the default setting the admin user is prompted for an export passphrase to protect the private keys in the configuration dump each time the cfg ptcfg command is used Set a certificate administrator export passphrase only if the admin user has removed himself or herself from the certadmin group and added a certifi...

Page 359: ...lt the administrator user is a member of all three built in groups admin oper certadmin and can therefore add a new user to any of these groups However a certificate administrator who is a member of the certadmin group only can add an existing user to the certadmin group only If a user belongs to only one group and you want to change the user s group membership add the user to the new group first ...

Page 360: ...n password on page 366 Changing another user s password on page 367 Deleting a user on page 369 Adding a new user To add a new user to the system you must be a member of the admin group By default only the admin user is a member of the admin group cfg sys user edit username groups followed by list Lists all groups to which the user is currently assigned by group index number del group index Remove...

Page 361: ...ys user 1 Log on to the Nortel SNAS 4050 cluster as the admin user 2 Access the User Menu 3 Add the new user and designate a user name The maximum length for a user name is 255 characters No spaces are allowed Each time the new user logs in to the Nortel SNAS 4050 cluster the user must enter the name you designate as the user name in this step 4 Assign the new user to a user group You can only ass...

Page 362: ...roup assignment listed by Old is empty 6 Define a login password for the user When the user logs in to the Nortel SNAS 4050 cluster the first time the user will be prompted for the password you define in this step When successfully logged on the user can change his or her own password The login password is case sensitive and can contain spaces User edit cert_admin User cert_admin groups add Enter ...

Page 363: ... instead to encrypt private keys in the configuration backup The encryption of private keys using the export passphrase defined by the Certificate Administrator is performed transparently to the user without prompting When the configuration backup is restored the Certificate Administrator must enter the correct export passphrase The export passphrase defined by the Certificate Administrator remain...

Page 364: ...min user is removed from the certadmin group only the Certificate Administrator user can access the Certificate menu cfg cert 10 Verify and apply the changes User edit admin User admin groups list 1 admin 2 oper 3 certadmin Groups del 3 Note It is critical that a Certificate Administrator user is created and assigned certadmin group membership before the admin user is removed from the certadmin gr...

Page 365: ...mple the cert_admin user who is a member of the certadmin group will add the admin user to the certadmin group The example assumes that the admin user previously removed himself or herself from the certadmin group in order to fully separate the Administrator user role from the Certificate Administrator user role 2 Access the User Menu 3 Assign the admin user certadmin user rights by adding the adm...

Page 366: ...o the Nortel SNAS 4050 cluster by entering your user name and current password Note A user must be assigned to at least one group at any given time If you want to replace a user s single group assignment you must therefore always first add the user to the desired new group then remove the user from the old group Groups list Old 1 admin 2 oper Pending 1 admin 2 oper 3 certadmin Groups apply login c...

Page 367: ...rst group the group that is listed first for the user with the cfg sys user edit username groups list command Login passwords are case sensitive and can contain spaces 1 Log on to the Nortel SNAS 4050 cluster as the admin user Main cfg sys user User Menu passwd Change own password list List all users del Delete a user add Add a new user edit Edit a user caphrase Certadmin export passphrase User Us...

Page 368: ...ser Menu passwd Change own password list List all users del Delete a user add Add a new user edit Edit a user caphrase Certadmin export passphrase User User edit Name of user to edit cert_admin User cert_admin password Enter admin s current password admin user password Enter new password for cert_admin new password for user being edited Re enter to confirm confirm new password for user being edite...

Page 369: ...ently added to the system configuration use the list command 4 Verify and apply the changes Note Remember that when a user is deleted that user s group assignment is also deleted If you are deleting a user who is the sole member of a group none of the remaining users on the system can then be added to that group Existing users can only be added to a group by a user who is already a member of that ...

Page 370: ...ose from one of the following tasks Managing user accounts using the SREM on page 370 Setting password expiry using the SREM on page 374 Changing your password using the SREM on page 376 Changing another user s password using the SREM on page 377 Setting the certificate export passphrase using the SREM on page 379 Managing user groups using the SREM on page 381 Managing user accounts using the SRE...

Page 371: ...ide The User Table appears see Figure 96 displaying a list of user accounts that have been added to the Nortel SNAS 4050 Figure 96 User Table Only the admin user can add users to the system After adding a user you must assign the user to a group see Managing user groups using the SREM on page 381 ...

Page 372: ...accounts perform the following steps 1 Select the System Manage Users User Table tab The User Table appears see Figure 96 2 Click Add The Add a User dialog box appears see Figure 97 Figure 97 Add a User Note When you delete a user the user s group assignment is also deleted If you are deleting a user who is the sole member of a group none of the remaining users on the system can then be added to t...

Page 373: ...an existing user perform the following steps 1 Select the System Manage Users User Table tab The User Table appears see Figure 96 on page 371 2 Select a user entry to remove from the User Table 3 Click Delete A dialog box appears to confirm the deletion of this user account 4 Click Yes The entry is immediately removed from the User Table 5 Click Apply on the toolbar to send the current changes to ...

Page 374: ...etting password expiry using the SREM To set a password expiry date for all passwords in the system perform the following steps 1 Select the System Manage Users Password Setting tab The Password Setting screen appears see Figure 98 Figure 98 Password Setting ...

Page 375: ...le 70 describes the Password Settings fields 3 Click Apply on the toolbar to send the current changes to the Nortel SNAS 4050 Click Commit on the toolbar to save the changes permanently Table 70 Password Settings fields Field Description Password Expiration Interval Sets the password expiration interval in days d A value of 0 indicates that the password never expires ...

Page 376: ... user can change the passwords of other users Logged on users can change their own passwords To change the password for the logged on user perform the following steps 1 Select the System Manage Users Change Your Password tab The Change Your Password screen appears see Figure 99 Figure 99 Change Your Password ...

Page 377: ...s 5 Click Apply to send the changes to the device To make the changes permanent click Commit Changing another user s password using the SREM Only the admin user can change the passwords of other users Table 71 Change Your Password fields Field Description Current Password The current password Enter New Password Sets the new password The password must be at least four characters and can contain spa...

Page 378: ...and groups 320818 A To change the password for another user perform the following steps 1 Select the System Manage Users user Change User Password tab The Change User Password screen appears see Figure 100 Figure 100 Change User Password ...

Page 379: ...assphrase to protect the private keys in the configuration dump each time the configuration is backed up to an external file server Set a certificate administrator export passphrase only if the admin user has removed himself or herself from the certadmin group and added a certificate administrator user with certadmin group rights When a configuration backup is performed the certificate export pass...

Page 380: ... A To set a certificate export pass phrase perform the following steps 1 Select the System Manage Users Set Certificate Export PassPhrase tab The Set Certificate Export PassPhrase screen appears see Figure 101 Figure 101 Set Certificate Export PassPhrase ...

Page 381: ...ut any user can grant an existing user membership in a group to which the granting user belongs By default the administrator user is a member of all three built in groups admin oper certadmin and can therefore add a new user to any of these groups However a certificate administrator who is a member of the certadmin group only can add an existing user to the certadmin group only If a user belongs t...

Page 382: ...splaying the user s current group membership see Figure 102 Figure 102 User Groups Choose from the following tasks to manage users groups Adding a user group on page 382 Removing a user group on page 383 Adding a user group To add a new user group perform the following steps 1 Select the System Manage Users user User Groups tab The User Groups screen appears see Figure 102 on page 382 ...

Page 383: ... the current changes to the Nortel SNAS 4050 Click Commit on the toolbar to save the changes permanently Removing a user group To remove an existing user group from the User Group Table perform the following steps 1 Select the System Manage Users user User Groups tab The User Groups screen appears see Figure 102 on page 382 2 Select the group to remove from the User Group Table 3 Click Delete A co...

Page 384: ... users and groups 320818 A The user group is immediately removed from the User Group Table 5 Click Apply on the toolbar to send the current changes to the Nortel SNAS 4050 Click Commit on the toolbar to save the changes permanently ...

Page 385: ...ds 398 Configuring the captive portal using the CLI 400 Configuring the Exclude List using the CLI 401 Changing the portal language using the CLI 402 Configuring the portal display using the CLI 405 Changing the portal colors using the CLI 408 Configuring custom content using the CLI 409 Configuring linksets using the CLI 411 Configuring links using the CLI 413 Customizing the portal and logon usi...

Page 386: ...al sites on page 396 Examples of redirection URLs and links on page 396 Managing the end user experience on page 397 Captive portal and Exclude List When the Nortel SNAS 4050 is configured to function as a captive portal the Nortel SNAS 4050 acts as a DNS proxy while clients are in the Red VLAN The captive web portal accepts redirected HTTP HTTPS requests from the clients resolves unknown names to...

Page 387: ...sing the SREM on page 416 Exclude List The Exclude List is a configurable list of domain names that will not be captured by the Nortel SNAS 4050 The DNS server in the captive portal forwards requests for domain names in the Exclude List directly to the corporate DNS servers In order to speed up client logon add to the Exclude List any domain names for URLs that are routinely accessed during client...

Page 388: ...tches the literal character c see escape sequence Matches any character Matches the beginning of a string Matches the end of a string abc Character class which matches any of the characters abc Character ranges are specified by a pair of characters separated by a hyphen abc Negated character class which matches any character except abc r1 r2 Alternation matches either r1 or r2 r1r2 Concatenation m...

Page 389: ... icons and text used on the portal page You can also add custom content such as Java applets to the portal You can then add links to the portal page to make the content available to clients This section includes information about the following topics Default appearance on page 390 Colors on page 390 For information about the commands to configure the portal look and feel see Configuring the portal...

Page 390: ... tab Figure 104 Default appearance of the portal Home tab Colors There are four colors used on the portal page color1 the large background area below the tabs color2 the background area behind the tab labels Banner Active tab URL area and icon Background Tab background Area for links Color1 Color2 Color3 TunnelGuard icon ...

Page 391: ... the portal page If you change the portal colors use colors that are considered web safe Also consider how the applied colors fit with your company logo and brand The colors are specified using hexadecimal codes Table 76 lists the hexadecimal values for some commonly used web safe colors For additional color values use an Internet search engine to find web sites offering comprehensive listings Tab...

Page 392: ...buttons and field labels on the portal page The entries in the dictionary file can be translated into another language You can then set the portal to display the translated text The languages supported by the Nortel SNAS 4050 are configured for the system but the language selected for the portal is a domain parameter The Nortel SNAS 4050 uses ISO 639 language codes to track languages that have bee...

Page 393: ...ng There are useful Open Source software tools for translating po files Search for po files editor in your web search engine to find tools that run on Windows and Unix A translation tool is particularly useful when a new version of the Nortel SNAS 4050 software is released you can export the new template file supplied with the software and merge it with a previously translated language file so tha...

Page 394: ...s You can enable an autorun feature for a linkset so that all links defined for that linkset execute automatically after the client has been authenticated For example you can configure an autorun linkset to automatically link to the URL of the remediation server and then map this linkset to all extended profiles which filter for clients who fail the TunnelGuard host integrity check No links for th...

Page 395: ...g linksets to a group or profile using the CLI on page 206 or Mapping linksets to a group or profile using the SREM on page 223 The index number you assign to the link controls the order in which the links display within the linkset You assign the index number when you include the link in the linkset see Configuring links using the CLI on page 413 or Configuring links using the SREM on page 444 Ma...

Page 396: ...tal display using the CLI on page 405 or Configuring the portal display using the SREM on page 425 Examples of redirection URLs and links Table 77 shows example specifications for redirection URLs and associated links In these examples the portal address is nsnas example com the address to which you want to redirect clients is inside example com Table 77 Examples of redirection URLs and link text ...

Page 397: ...uard does not load the client will be presented with a logon screen to automatically download and install the required JRE To configure the portal to automate the process of updating the client s JRE version perform the following steps 1 Create the plugins html file with a link to the JRE installer that you want Redirect clients to different sites depending on their group membership deptA or deptB...

Page 398: ...ain logon script to automatically launch the end user s browser and present the Nortel SNA portal page on start up The exact requirements for the script depend on your particular network setup and usual modes of end user access For an example of a very simple script and instructions on assigning the script to all users in the domain see Appendix G Using a Windows domain logon script to launch the ...

Page 399: ...dex number cfg lang import protocol server filename code export protocol server filename list vlist letter del code cfg domain 1 portal lang setlang code charset list cfg domain 1 portal import protocol server filename restore banner redirect URL logintext text iconmode clean fancy linktext text linkurl on off linkcols columns linkwidth width companynam ieclear on off cfg domain 1 portal colors co...

Page 400: ...t protocol server filename export protocol server filename delete available ena dis cfg domain 1 linkset linkset ID name name text text autorun true false del cfg domain 1 linkset linkset ID link index move new index text text type external ftp del cfg domain 1 linkset linkset ID link index external quick cfg domain 1 linkset linkset ID link index ftp quick Command Parameter ...

Page 401: ...DNS Capture menu displays The DNS Capture menu includes the following options Configuring the Exclude List using the CLI The Exclude List is a list of domain names that will not be captured by the Nortel SNAS 4050 For more information about the Exclude List see Exclude List on page 387 To create and manage the Exclude List use the following command cfg domain 1 dnscapt exclude The DNS Exclude menu...

Page 402: ...lude followed by list Lists the currently configured Exclude List entries by index number del index name Removes the Exclude List entry represented by the specified index number The index numbers of the remaining entries adjust accordingly add domain name Adds an entry to the Exclude List domain name is a string identifying the domain names to be forwarded directly to the corporate DNS servers For...

Page 403: ...nd user logon 403 Nortel Secure Network Access Switch 4050 User Guide Configuring language support using the CLI To manage the language definition files in the system use the following command cfg lang The Language Support menu displays ...

Page 404: ...anguage codes use the cfg lang vlist command For more information about language support on the portal see Language localization on page 392 export protocol server filename Exports the language definition template to the specified TFTP FTP SCP SFTP file exchange server protocol is the export protocol Options are tftp ftp scp sftp server is the host name or IP address of the server filename is the ...

Page 405: ...language definition file for the specified language code You cannot delete a language file that is currently in use English en is the predefined language and cannot be deleted cfg domain 1 portal lang followed by setlang code Specifies the language to be used for the portal display code is the ISO 639 language code to identify the language Before you can set the preferred language you must import ...

Page 406: ... ftp scp sftp server is the host name or IP address of the server filename is the name of the graphics file gif When the download is complete and you apply the changes the new image replaces the existing banner image on the portal web page Clients who are currently logged on will not notice the change unless they reload the portal web page The maximum size of the banner image file is 16 MB If ther...

Page 407: ... see Macros on page 395 For more information about redirecting clients to internal sites see Automatic redirection to internal sites on page 396 logintext text Specifies custom text to be displayed on the portal logon page text is an ordinary text string or HTML code You can type in the text or paste it in at the prompt To signal the end of the string press Enter to create a new line type an ellip...

Page 408: ... CLI on page 413 linkurl on off Sets the display mode for the Enter URL field on the portal Home tab Display mode options are on the Enter URL field is displayed off the Enter URL field is not displayed The default is on linkcols columns Sets the number of columns for the link table on the portal Home tab columns is a positive integer The default value is 2 linkwidth width Sets the width of the li...

Page 409: ...e preferred language for the portal display see Setting the portal display language using the CLI on page 404 ieclear on off Controls use of the ClearAuthenticationCache feature available in Internet Explorer 6 SP 1 and later IE The feature is used to clear sensitive information such as passwords and cookies from the cache when a user logs out from a secure session on the cache is cleared for all ...

Page 410: ...color including the symbol not case sensitive The default value is ACCDD5 color2 code Specifies the color for the background area behind the labels code is the hexadecimal value for the color including the symbol not case sensitive The default value is D0E4E9 color3 code Specifies the color for the fields information area and clean icons on the active tab code is the hexadecimal value for the colo...

Page 411: ...is the name of the content file zip on the server The file is saved in the portal s root directory and is automatically unpacked export protocol server filename Exports a content file in ZIP format from the portal to the specified TFTP FTP SCP SFTP file exchange server protocol is the export protocol Options are tftp ftp scp sftp server is the host name or IP address of the server filename is the ...

Page 412: ...t uniquely identifies the linkset in the Nortel SNAS 4050 domain When you first create the linkset if you do not specify the ID in the command you will be prompted to enter the linkset ID or name You must enter the ID for the new linkset You will then be prompted to enter the linkset name After you have created the linkset you can use either the ID or the name to access the linkset for configurati...

Page 413: ...ccess to all the links contained in the linkset The links display on the portal Home tab text text Specifies text to display as a heading above the linkset links on the portal Home tab text is an ordinary text string or HTML code The heading text is optional autorun true false Specifies whether autorun support is enabled or disabled The options are true autorun is enabled false autorun is disabled...

Page 414: ...ter the index for the new link You will then be prompted to enter the following parameters link text a string that displays on the portal Home tab as the clickable link text You can later modify the text by using the text command on the Link menu type the link type external or ftp The default is external After you enter the link type you automatically enter a wizard to configure type specific sett...

Page 415: ...e descriptive text that clearly identifies the targeted resource The client sees only the link text not the URL contained in the link type external ftp Specifies the type of link The options are external directs the client to a web page The external link is not secured by the Nortel SNAS 4050 ftp directs the client to a directory on an FTP file exchange server The default is external The Link menu...

Page 416: ...n an FTP file exchange server use the following command cfg domain 1 linkset linkset ID link index ftp quick The wizard prompts you to enter the following settings FTP host the host name or IP address of the FTP server for example ftp example com or 10 1 10 1 initial path on host the path to the directory for example home share john manuals If you do not specify a path the FTP server root director...

Page 417: ...M on page 433 Configuring linksets using the SREM on page 439 Configuring links using the SREM on page 444 Configuring the captive portal using the SREM By default the Nortel SNAS 4050 is set up to function as a captive portal For more information about the captive portal in the Nortel SNAS 4050 domain see Captive portal and Exclude List on page 386 To configure the Nortel SNAS 4050 as a captive p...

Page 418: ...tal as a captive portal 3 Click Apply on the toolbar to send the current changes to the Nortel SNAS 4050 Click Commit on the toolbar to save the changes permanently Table 78 DNS Capture fields Fields Description Enable DNS Capture When selected enables captive portal functionality DNS Exclude List Lists the currently configured DNS domains to exclude when using the Nortel SNAS 4050 portal as a cap...

Page 419: ...The DNS Capture screen appears see Figure 105 2 To add entries to the DNS Exclude List a Click Add The Add DNS Domain dialog box appears see Figure 106 Figure 106 Add DNS Domain b Enter the DNS domain information in the applicable fields Table 79 describes the Add DNS Domain fields c Click Add The entry appears in the DNS Exclude List Table 79 Add DNS Domain fields Field Description Domain Specifi...

Page 420: ...he current changes to the Nortel SNAS 4050 Click Commit on the toolbar to save the changes permanently Changing the portal language using the SREM To change the language displayed for tab names general text messages buttons and field labels on the portal page complete the following procedures 1 Export the language definition template see Importing and exporting language definitions on page 422 2 T...

Page 421: ...uage definition files in the system perform the following steps 1 Select the System Language tab The Languages sub tabs appear see Figure 107 Figure 107 Pre defined Languages 2 Choose from one of the following tasks Viewing predefined languages on page 421 Viewing and removing custom languages on page 421 Importing and exporting language definitions on page 422 ...

Page 422: ...he Pre defined Languages table appears see Figure 107 Viewing and removing custom languages To view custom languages use the following procedure 1 Select the System Language Custom Languages tab The Custom Added Languages table appears see Figure 108 Figure 108 Custom Added Languages 2 To delete a custom language a Select it from the table and click Delete ...

Page 423: ...rrent changes to the Nortel SNAS 4050 Click Commit on the toolbar to save the changes permanently Importing and exporting language definitions To import or export a language definition use the following procedure 1 Click the Import Export Definition tab The Import Export Definition screen appears see Figure 109 Figure 109 Import Export Definition ...

Page 424: ...ion fields Field Description Action Specifies whether you are importing or exporting the language definition file Protocol Specifies the protocol used to import or export Options are tftp ftp scp sftp Host Specifies the host name or IP address of the server Filename Specifies the name of the language definition file ISO 639 Code Specifies the ISO 639 language code Username Specifies the FTP userna...

Page 425: ...witch 4050 User Guide Setting the portal display language using the SREM To set the preferred language for the portal display perform the following steps 1 Select the Secure Access Domain domain Portal Language tab The Language screen appears see Figure 110 Figure 110 Language screen ...

Page 426: ...f the portal page that displays in the client s web browser select one of the following options Configuring content on page 426 Importing banners on page 429 Table 81 Language fields Field Description Charset in use Specifies the character set in currently use To change or configure this character set refer to Language localization on page 392 Used Language Specifies the language to be used in the...

Page 427: ...ess Switch 4050 User Guide Configuring content To configure and modify portal content perform the following steps 1 Select the Secure Access Domain domain Portal navigation tree component The portal Configuration tab appears see Figure 111 Figure 111 Portal Configuration screen ...

Page 428: ...out linksets and links see Linksets and links on page 394 For more information about configuring links see Configuring links using the SREM on page 444 For information about customizing the colors used on the portal page see Changing the portal colors using the SREM on page 431 Number of Columns on Home Tab Specifies the number of columns for the link table on the portal Home tab Width of Link Col...

Page 429: ...redirection to internal sites on page 396 Text on Link Page Specifies static text to be displayed above the group links on the portal Home tab The static text displays for all clients but the links themselves may change depending on the client s group membership You can type in the text or paste it in at the prompt Press Enter to create a new line You can use the var user and var group macros in t...

Page 430: ...320818 A Importing banners To import a banner to display on the portal Home page perform the following steps 1 Select the Secure Access Domain domain Portal Import Banner tab The Import Banner screen appears see Figure 112 Figure 112 Import Banner screen ...

Page 431: ...al Nortel SNAS 4050 domains the total size of all imported banner image files must not exceed 16 MB For more information about the customizable elements on the portal web page see Portal look and feel on page 389 Table 83 Import Banner fields Field Description Protocol Specifies the protocol used to import Options are tftp ftp scp sftp Host Specifies the host name or IP address of the server Filen...

Page 432: ...anging the portal colors using the SREM To customize the colors used for portal display perform the following steps 1 Select the Secure Access Domain domain Portal Color Settings tab The Color Settings screen appears see Figure 113 Figure 113 Color Settings screen ...

Page 433: ...xadecimal value for the background area behind the labels The default value is d0e4e9 Active Tab Specifies the color in hexadecimal for the fields information area and clean icons on the active tab The default value is 2088a2 Non Active Tabs Specifies the color in hexadecimal for non active tabs The default value is accdd5 Color Themes Specifies the color values for the portal to a preset theme No...

Page 434: ...onfiguring custom content using the SREM To configure custom content such as Java applets on the portal perform the following steps Viewing basic information about custom content on page 434 Importing custom content on page 436 Exporting custom content on page 438 ...

Page 435: ...4050 User Guide Viewing basic information about custom content To view basic information about the existing custom content perform the following steps 1 Select the Secure Access Domain domain Portal Custom Content Basic tab The Basics screen appears see Figure 114 Figure 114 Basics screen ...

Page 436: ...s to the Nortel SNAS 4050 Click Commit on the toolbar to save the changes permanently Table 85 Basics fields Field Description Custom Content State Specifies the custom content state When selected enables client access to custom content The default is disabled Available Space Specifies the remaining memory space available for custom content in kilobytes KB This field is informational and cannot be...

Page 437: ...k Access Switch 4050 User Guide Importing custom content To import custom content perform the following steps 1 Select the Secure Access Domain domain Portal Custom Content Import Content tab The Import Content screen appears see Figure 115 Figure 115 Import Content screen ...

Page 438: ...ck Commit on the toolbar to save the changes permanently Table 86 Import Content fields Field Description Protocol Specifies the import protocol Options are tftp ftp scp sftp The default is ftp Host Specifies the host name or IP address of the server Filename Specifies the name of the content file zip on the server Username Specifies the username used to connect to the FTP server Password Specifie...

Page 439: ...k Access Switch 4050 User Guide Exporting custom content To export custom content perform the following steps 1 Select the Secure Access Domain domain Portal Custom Content Export Content tab The Export Content screen appears see Figure 115 Figure 116 Export Content screen ...

Page 440: ...b For more information about linksets and links see Linksets and links on page 394 To create or modify a linkset select one of the following options Creating a linkset on page 440 Modifying a linkset on page 442 Table 87 Export Content fields Field Description Protocol Specifies the import protocol Options are tftp ftp scp sftp The default is ftp Host Specifies the host name or IP address of the s...

Page 441: ...Secure Network Access Switch 4050 User Guide Creating a linkset To create a linkset perform the following steps 1 Select the Secure Access Domain domain Portal Links Portal Links tab The Portal Links screen appears see Figure 117 Figure 117 Portal Links screen ...

Page 442: ...hanges permanently Table 88 Add a Linkset fields Field Description Index Specifies an integer in the range 1 to 1024 that uniquely identifies the linkset in the Nortel SNAS 4050 domain Name Specifies a name for the linkset The name must be unique in the domain The maximum length of the string is 255 characters You reference the linkset name when mapping the linkset to groups or extended profiles S...

Page 443: ... Access Switch 4050 User Guide Modifying a linkset To modify a linkset perform the following steps 1 Select the Secure Access Domain domain Portal Links linkset Configuration tab The linkset Configuration screen appears see Figure 119 Figure 119 Linkset Configuration screen ...

Page 444: ...ters You reference the linkset name when mapping the linkset to groups or extended profiles See Linksets and links on page 394 Link Text Specifies text to display as a heading above the linkset links on the portal Home tab Text can be an ordinary string or HTML code The heading text is optional Enable AutoRun Specifies whether the AutoRun feature is enable If enabled all links defined for the link...

Page 445: ...et For information about links refer to Linksets and links on page 394 Use the following procedures to create or modify the links included in the linkset Creating an external link using the SREM on page 445 Creating an FTP link using the SREM on page 447 Modifying external link settings using the SREM on page 450 Modifying FTP link settings using the SREM on page 452 Reordering links using the SRE...

Page 446: ... logon 320818 A Creating an external link using the SREM To create an external link perform the following steps 1 Select the Secure Access Domain domain Portal Links linkset Links tab The Links screen appears see Figure 120 Figure 120 Links screen ...

Page 447: ...ink 4 Enter the link information in the applicable fields Table 90 describes the Add a Portal Link fields Table 90 Add a Portal Link fields Field Description Index Specifies an integer in the range 1 to 256 that uniquely identifies the link within the linkset Link Text Specifies text to display as the clickable link text on the portal Home tab Text can be an ordinary string or HTML code The client...

Page 448: ...anges permanently Creating an FTP link using the SREM Host Specifies the host for this link This field can contain either an IP address or a domain name for the host being used Path Specifies the path on the web server You must specify a path A single slash indicates the web server document root Note Nortel Secure Network Access Switch Software Release 1 0 supports External links only Table 90 Add...

Page 449: ...s Domain domain Portal Links linkset Links tab The Links screen appears see Figure 120 on page 445 2 Click Add The Add a Portal Link dialog box appears see Figure 122 Figure 122 Add a Portal Link FTP 3 Ensure that FTP is selected from the list at the top of the dialog If external link fields were being displayed the dialog refreshes to display the fields required for an FTP link ...

Page 450: ...iquely identifies the link within the linkset Link Text Specifies text to display as the clickable link text on the portal Home tab Text can be an ordinary string or HTML code The client sees only the link text not the URL contained in the link FTP Host Specifies the FTP host for this link This field can contain either an IP address or a domain name for the FTP host being used Initial Host Path Sp...

Page 451: ...r Guide Modifying external link settings using the SREM To modify a link perform the following steps 1 Select the Secure Access Domain domain Portal Links linkset ext link Configuration tab The external link Configuration screen appears see Figure 123 Figure 123 External link Configuration screen ...

Page 452: ...links using the SREM on page 453 Link Text Specifies text to display as the clickable link text on the portal Home tab Text can be an ordinary string or HTML code The client sees only the link text not the URL contained in the link HREF Displays the full path for the external link You cannot edit this field directly Change the value displayed in this field by updating values in the Protocol Host a...

Page 453: ...4050 User Guide Modifying FTP link settings using the SREM To modify a link perform the following steps 1 Select the Secure Access Domain domain Portal Links linkset ftp link Configuration tab The FTP link Configuration screen appears see Figure 124 Figure 124 FTP link Configuration screen ...

Page 454: ... the range 1 to 256 that uniquely identifies the link within the linkset To change the index value of an existing link see Reordering links using the SREM on page 453 Link Text Specifies text to display as the clickable link text on the portal Home tab Text can be an ordinary string or HTML code The client sees only the link text not the URL contained in the link FTP Host Specifies the FTP host fo...

Page 455: ...94 describes the Re Order Links fields 3 Click Apply on the toolbar to send the current changes to the Nortel SNAS 4050 Click Commit on the toolbar to save the changes permanently Table 94 Re Order Links fields Field Description Move to Index Specifies an integer in the range 1 to 256 that identifies the position of the link within the linkset The index number of existing link entries with this in...

Page 456: ...456 Chapter 9 Customizing the portal and user logon 320818 A ...

Page 457: ...I 471 Configuring host ports using the CLI 472 Managing interface ports using the CLI 473 Configuring the Access List using the CLI 474 Configuring date and time settings using the CLI 475 Configuring DNS servers and settings using the CLI 477 Configuring RSA servers using the CLI 480 Configuring syslog servers using the CLI 481 Configuring administrative settings using the CLI 483 Enabling Tunnel...

Page 458: ...c routes using the SREM 514 Configuring host ports using the SREM 520 Managing interface ports using the SREM 523 Configuring the access list using the SREM 525 Managing date and time settings using the SREM 528 Configuring DNS settings using the SREM 532 Configuring servers using the SREM 534 Configuring administrative settings using the SREM 546 Configuring SRS control settings using the SREM 54...

Page 459: ...g RSA servers using the CLI on page 480 not supported in Nortel Secure Network Access Switch Software Release 1 0 Syslog servers see Configuring syslog servers using the CLI on page 481 Access Lists see Configuring the Access List using the CLI on page 474 administrative applications including managing access for Telnet SSH and SONMP see Configuring administrative settings using the CLI on page 48...

Page 460: ... and the Nortel SNAS 4050 host within the cluster Use this list as a quick reference or click on any entry for more information Command Parameter cfg sys mip IPaddr distrace cfg sys host host ID ip IPaddr sysName name sysLocatio location license key gateway IPaddr ports hwplatform halt reboot delete cfg sys host host ID interface interface ID ip IPaddr netmask mask gateway IPaddr vlanid tag mode f...

Page 461: ...ce interface ID routes list del index number add IPaddr mask gateway cfg sys host port port autoneg on off speed speed mode full half cfg sys host interface interface ID ports list del port add port cfg sys accesslist list del index number add IPaddr mask cfg sys time date date time time tzone cfg sys time ntp list del index number add IPaddr cfg sys dns cachesize entries retransmit interval count...

Page 462: ...ndex number cfg sys rsa rsaname name import protocol server filename FTP user name FTP password rmnodesecr del cfg sys syslog list del index number add IPaddr facility insert index number IPaddr facility move index number new index number cfg sys adm sonmp on off clitimeout interval telnet on off ssh on off cfg sys adm srsadmin port port ena dis cfg sys adm sshkeys generate Command Parameter ...

Page 463: ...dit vendorid vendortype ena dis cfg sys adm audit servers list del index number add IPaddr port shared secret insert index number IPaddr move index number new index number cfg sys adm auth timeout interval fallback on off ena dis cfg sys adm auth servers list del index number add IPaddr port shared secret insert index number IPaddr move index number new index number Command Parameter ...

Page 464: ...050 host using the CLI on page 465 routes Accesses the Routes menu in order to manage static routes for the cluster when there is more than one interface see Configuring static routes using the CLI on page 471 time Accesses the Date and Time menu in order to configure date and time settings and to access Network Time Protocol NTP servers see Configuring date and time settings using the CLI on page...

Page 465: ... Nortel SNAS 4050 devices see Configuring the Access List using the CLI on page 474 adm Accesses the Administrative Applications menu in order to set the CLI timeout value manage Telnet SSH SNMP and SONMP access to Nortel SNAS 4050 devices enable SRS administration generate SSH host keys and configure the system for RADIUS auditing and authentication of system users see Configuring administrative ...

Page 466: ...icense is available for 100 250 500 and 1000 users key is text you paste in The license key text is supplied to you by Nortel Technical Support When pasting ensure you include the BEGIN LICENSE and END LICENSE lines To obtain a license key first use the info local command to find out the MAC address of the Nortel SNAS 4050 device Then provide the MAC address to Nortel Technical Support and request...

Page 467: ...on the same network as other listed ports appears after a colon For example Ports 1 2 3 hwplatform Displays the hardware platform of the Nortel SNAS 4050 device halt Stops Nortel SNAS 4050 processing Always use this command before turning off the device If the Nortel SNAS 4050 you want to halt has become isolated from the cluster you will receive an error message when executing the halt command In...

Page 468: ...mation for all Nortel SNAS 4050 devices in the cluster use the cfg sys cur command After you have removed the Nortel SNAS 4050 from the cluster you must use a console connection to access the device Log on as the admin user with the admin password to enter the Setup utility Note If there are other Nortel SNAS 4050 devices in the cluster configuration you cannot delete a device if it is the only No...

Page 469: ...imum of four interfaces on each Nortel SNAS 4050 host To configure an IP interface and the assignment of physical ports on a particular Nortel SNAS 4050 host use the following command cfg sys host host ID interface interface ID where interface ID is an integer in the range 1 to 252 that uniquely identifies the interface on the Nortel SNAS 4050 host To configure a new interface enter an unused inte...

Page 470: ...ing the CLI on page 471 vlanid tag Specifies the VLAN tag if packets received by the interface are tagged with a specific VLAN tag ID mode failover trunking Specifies the mode of operation for the port numbers assigned to this interface The options are failover only one link is active at any given time If the port with an active link fails the active link is immediately switched over to one of the...

Page 471: ...s the interface on the Nortel SNAS 4050 host primary port Specifies the primary port in the interface on which the active link is set up If the primary port fails the active link is immediately transferred to a remaining secondary port As soon as the primary port regains functionality the active link is transferred back to the primary port port is an integer indicating the port number of the physi...

Page 472: ... the physical port on the Nortel SNAS 4050 The port number is the number identifying the port on the back of the Nortel SNAS 4050 The Host Port menu displays cfg sys host interface routes followed by list Displays IP address information for all configured static routes by index number del index number Removes the specified route from the system host or interface configuration index number is the i...

Page 473: ... by autoneg on off Specifies the Ethernet auto negotiation setting for the host and NIC port The options are on the port is set to auto negotiate speed and mode This is the recommended setting off speed and mode are fixed at a specified setting The default is on When auto negotiation is on ensure that the device to which the port is connected is also set to auto negotiate speed speed Sets the spee...

Page 474: ...n order to control Telnet and SSH access to the Nortel SNAS 4050 cluster use the following command cfg sys accesslist cfg sys host interface interface ID ports followed by list Displays all ports assigned to the interface del port Removes the specified port from the interface port is the port number of the physical port on the device add port Adds a port to be used in the interface port is the por...

Page 475: ...ess List by index number del index number Removes the specified entry from the list index number is the identification number automatically assigned to the entry when you added the entry to the list To view the index numbers of all configured Access List entries use the list command add IPaddr mask Adds an entry to the Access List Only those machines listed will be allowed to access the Nortel SNA...

Page 476: ...lowing command cfg sys time ntp The NTP Servers menu displays cfg sys time followed by date date Sets the system date date is the date in YYYY MM DD format time time Sets the system time time is the time in HH MM SS format using a 24 hour clock tzone Specifies the time zone You are prompted to enter a continent or ocean area a country and a region if applicable To view available input options pres...

Page 477: ...ver from the system configuration index number is the identification number automatically assigned to the server when you added the server to the configuration To view the index numbers of all configured NTP servers use the list command add IPaddr Adds an NTP server to the system configuration IPaddr is the IP address of the NTP server An index number is automatically assigned to the server cfg sy...

Page 478: ... a measurement unit seconds is assumed The default is 3h 3 hours health interval Sets the interval for the Nortel SNAS 4050 to check the health of the DNS servers At the specified interval the Nortel SNAS 4050 performs a DNS query to each DNS server in the system configuration to determine its health status interval is an integer that indicates the time interval in seconds s minutes m or hours h I...

Page 479: ...ed DNS servers by index number del index number Removes the specified DNS server from the system configuration The index numbers of the remaining entries adjust accordingly To view the index numbers of all configured DNS servers use the list command add IPaddr Adds a DNS server to the system configuration IPaddr the IP address of the DNS server The system automatically assigns the next available i...

Page 480: ...es a server up or down the list of DNS servers in the configuration index number the original index number of the server you want to move new index number the index number representing the new position of the server in the list The index numbers of the remaining entries adjust accordingly To view the index numbers of all configured DNS servers use the list command Note This feature is not supporte...

Page 481: ...f the RSA server import protocol server filename FTP user name FTP password Imports a copy of the sdconf rec file from the specified TFTP FTP SCP SFTP server protocol is the import protocol Options are tftp ftp scp sftp server is the host name or IP address of the server filename is the name of the sdconf rec file on the server The sdconf rec file is a configuration file that contains critical RSA...

Page 482: ...em automatically assigns the next available index number to the server insert index number IPaddr facility Assigns a specific index number to the syslog server you add index number the index number you want the server to have IPaddr the IP address of the syslog server you are adding facility the local facility number to uniquely identify syslog entries For more information about the local facility...

Page 483: ...e following options cfg sys adm followed by snmp Accesses the SNMP menu in order to configure network management of the cluster see sonmp on off Enables or disables support for SynOptics Network Management Protocol SONMP network topology information The default is disabled off clitimeout interval Sets the timeout interval for user inactivity in the CLI At the end of the timeout period if there is ...

Page 484: ...e Access List see Configuring the Access List using the CLI on page 474 ssh on off Enables or disables SSH access for remote management of the system The options are on SSH access is enabled If there are no entries in the Access List all SSH connections are allowed If there are any entries in the Access List only the specified machines are allowed SSH access off all SSH connections are rejected in...

Page 485: ...figuring Nortel SNAS 4050 host SSH keys using the CLI The Nortel SNAS 4050 functions as both SSH client for importing and exporting logs using SFTP and SSH server for secure management communications between the Nortel SNAS 4050 devices in a cluster The SSH host keys are a set of keys to be used by all hosts in the cluster in accordance with the Single System Image SSI concept As a result connecti...

Page 486: ...ply the change immediately and create the key show Displays the current SSH host keys and corresponding fingerprints for the cluster The following formats are used RSA1 keys there is no standard format The format in the CLI output is the OpenSSH implementation except that the line is wrapped To fully conform to the OpenSSH implementation you may need to edit the output back into a single line for ...

Page 487: ...ote hosts by index number del index number Removes the specified known host SSH key To view the index numbers of all known host SSH keys use the list command add Allows you to paste in the contents of a key file you have downloaded from the remote host When prompted paste in the key then press Enter Enter an elllipsis to signal the end of the key Valid formats are as described for the cfg sys adm ...

Page 488: ...the configuration the server is automatically assigned an index number You can add several RADIUS audit servers for backup purposes Nortel SNAS 4050 auditing will be performed by an available server with the lowest index number You can control audit server usage by reassigning index numbers see Managing RADIUS audit servers using the CLI on page 490 For information about configuring a RADIUS accou...

Page 489: ...r log do the following 1 In the RADIUS server dictionary define a descriptive string for example NSNAS SSL Audit Trail 2 Map this string to the Vendor Type value Configuring RADIUS auditing To configure the Nortel SNAS 4050 to support RADIUS auditing use the following command cfg sys adm audit The Audit menu displays The Audit menu includes the following options cfg sys adm audit followed by serve...

Page 490: ...fy event log information from the Nortel SNAS 4050 cluster The default Vendor Type value is 2 Alteon ASA Audit Trail ena Enables RADIUS auditing The default is disabled dis Disables RADIUS auditing The default is disabled cfg sys adm audit servers followed by list Lists the IP addresses of currently configured RADIUS audit servers by index number del index number Removes the specified RADIUS audit...

Page 491: ...ddr Inserts a server at a particular position in the list of RADIUS audit servers in the configuration index number the index number you want the server to have IPaddr the IP address of the audit server you are adding The index number you specify must be in use The index numbers of existing servers with this index number and higher are incremented by 1 move index number new index number Moves a se...

Page 492: ... groups on page 353 When you add an external RADIUS authentication server to the configuration the server is automatically assigned an index number You can add several RADIUS authentication servers for backup purposes Nortel SNAS 4050 authentication will be performed by an available server with the lowest index number You can control authentication server usage by reassigning index numbers see Man...

Page 493: ... or hours h If you do not specify a measurement unit seconds is assumed The range is 1 10000 seconds The default is 10 seconds fallback on off Specifies the desired fallback mode Valid options are on if the RADIUS servers are unreachable the local passwords defined on the Nortel SNAS 4050 are used as fallback off if the RADIUS servers are unreachable the only way to access the system is to reinsta...

Page 494: ...entication The default is 1813 shared secret the password used to authenticate the Nortel SNAS 4050 to the authentication server The system automatically assigns the next available index number to the server insert index number IPaddr Inserts a server at a particular position in the list of RADIUS authentication servers in the configuration index number the index number you want the server to have...

Page 495: ...on page 520 Managing interface ports using the SREM on page 523 Configuring the access list using the SREM on page 525 Managing date and time settings using the SREM on page 528 Configuring DNS settings using the SREM on page 532 Configuring servers using the SREM on page 534 Configuring administrative settings using the SREM on page 546 Configuring SRS control settings using the SREM on page 547 ...

Page 496: ...8 A Configuring system settings using the SREM To view and configure cluster wide system settings perform the following steps 1 Select the System Configuration tab The system Configuration screen appears see Figure 126 Figure 126 System Configuration ...

Page 497: ...TCP IP properties on page 499 Viewing and installing host licenses on page 500 For details about configuring host interfaces see Configuring host interfaces using the SREM on page 508 For details about configuring host and interface ports using the SREM see Configuring host ports using the SREM on page 520 and Managing interface ports using the SREM on page 523 Table 95 System Configuration fields...

Page 498: ...of available Nortel SNAS 4050 hosts select the System Hosts Hosts tab The Hosts screen appears see Figure 127 listing all hosts currently in the Nortel SNAS 4050 configuration Figure 127 Hosts To view detailed host information select a particular host from the navigation tree or in the Hosts list ...

Page 499: ...tch 4050 User Guide Viewing and configuring TCP IP properties To configure basic TCP IP properties for a particular Nortel SNAS 4050 device in the cluster perform the following steps 1 Select the System Hosts host Host tab The Host screen appears see Figure 128 Figure 128 Host ...

Page 500: ...e device The RIP is the Nortel SNAS 4050 device host IP address for network connectivity and must be unique on the network For more information see About the IP addresses on page 51 Changing the RIP does not affect the MIP for the cluster System Name Assigns a name to the managed Nortel SNAS 4050 host The name is a useful mnemonic when managing the Nortel SNAS 4050 using SNMP System Location Ident...

Page 501: ...ar host as described in Installing a license for a particular host on page 506 Viewing global licenses for all hosts To view global licenses for all Nortel SNAS 4050 devices in the cluster perform the following steps 1 Select the System Hosts Licenses Global Licenses tab The Global Licenses screen appears see Figure 129 Figure 129 Global Licenses ...

Page 502: ...he host when you perform initial setup on the Nortel SNAS 4050 device Interval An integer used to specify the interval in seconds between log entries Logging Specifies if a log file of Global license details is created To specify a filename and location use the Browse button to select a path State of Global Licences A table that describes the available global licenses Fields include Type The type ...

Page 503: ...ide Viewing per domain licenses for all hosts To view licenses by domain for all Nortel SNAS 4050 devices in the cluster perform the following steps 1 Select the System Hosts Licenses Per Domain Licenses tab The Per Domain Licenses screen appears see Figure 130 Figure 130 Per Domain Licenses ...

Page 504: ...nteger automatically assigned to the host when you perform initial setup on the Nortel SNAS 4050 device Interval An integer used to specify the interval in seconds between log entries Logging Specifies if a log file of Global license details is created To specify a filename and location use the Browse button to select a path State of Licences Per Domain A table that describes the available license...

Page 505: ...articular host To view the licenses applied to a particular Nortel SNAS 4050 device in the cluster select the System Hosts host Installed Licenses tab The Installed Licenses screen appears see Figure 131 displaying a list of the type and value for each license installed on that Nortel SNAS 4050 host Figure 131 Installed Licenses ...

Page 506: ...el Technical Support in a text editor 2 Select and copy the entire license key When copying the license key ensure you include the BEGIN LICENSE and END LICENSE lines Note Before installing a new license you must first purchase a Nortel SNA SSL portal and Nortel SNAS 4050 domain client access license key from Nortel Technical Support To obtain a license key check the Information screen to find out...

Page 507: ...nse tab The Install New License screen appears see Figure 132 Figure 132 Install New License 4 Click Paste to insert the license key into the text box 5 Click Add to add the new license to this Nortel SNAS 4050 host 6 Click Apply on the toolbar to send the current changes to the Nortel SNAS 4050 Click Commit on the toolbar to save the changes permanently ...

Page 508: ...d to each interface If you assign more than one port to an interface you can choose whether the ports will operate in failover or trunking mode To view a list of interfaces on a particular Nortel SNAS 4050 host select the System Hosts host Interfaces tab as shown in Figure 133 Figure 133 Interfaces To continue choose one of the following procedures Adding a host interface on page 509 Configuring a...

Page 509: ...ars see Figure 133 on page 508 2 Click Add The Add an Interface dialog box appears see Figure 134 Figure 134 Add an Interface 3 Enter the interface information in the applicable fields Table 99 describes the Add an Interface fields Table 99 Add an Interface fields Field Description Index An integer in the range 1 to 252 that uniquely identifies the interface on the Nortel SNAS 4050 Ip Address Sets...

Page 510: ... of the other ports configured for the interface When you select failover mode you also have the option of specifying a primary port trunking active links are sustained on all configured ports simultaneously in order to increase network throughput The default is failover Primary Port Specifies the primary port in the interface on which the active link is set up If the primary port fails the active...

Page 511: ...ges to the Nortel SNAS 4050 Click Commit on the toolbar to save the changes permanently Configuring an existing host interface To configure an existing host interface perform the following steps 1 Select the System Hosts host interface Interface tab The Interface configuration screen appears see Figure 135 Figure 135 Interface configuration screen ...

Page 512: ...erface For Interface 1 the network address is the RIP Gateway Sets the default gateway address for the interface The default gateway is the IP address of the interface on the core router that will be used for management traffic such as requests to private authentication servers and DNS servers The default gateway will be used only for Nortel SNAS 4050 domains that point to this interface If no dom...

Page 513: ...increase network throughput The default is failover Primary Port Specifies the primary port in the interface on which the active link is set up If the primary port fails the active link is immediately transferred to a remaining secondary port As soon as the primary port regains functionality the active link is transferred back to the primary port An integer indicating the port number of the physic...

Page 514: ...ick Apply on the toolbar to send the current changes to the Nortel SNAS 4050 Click Commit on the toolbar to save the changes permanently Configuring static routes using the SREM Static routes can be applied to a cluster a host or a particular interface To view or configure static routes at a particular level choose from the following sections Viewing static routes for a cluster on page 515 Viewing...

Page 515: ...ng static routes for a cluster To configure static routes for the cluster select the System IP Routes tab The IP Routes screen appears see Figure 136 displaying a list of the existing static routes on the Nortel SNAS 4050 cluster Figure 136 IP Routes To continue see Managing static routes on page 517 ...

Page 516: ... routes for a host To configure static routes for a host select the System Hosts host Routes tab The Routes screen appears see Figure 137 displaying a list of the existing static routes on this host Figure 137 Routes To continue see Managing static routes on page 517 ...

Page 517: ...e System Hosts host interface Interface Route tab The Interface Route screen appears see Figure 138 displaying a list of the existing static routes on this interface Figure 138 Interface Route To continue see Managing static routes on page 517 Managing static routes Select the static route tab for the appropriate level as described in Configuring static routes using the SREM on page 514 ...

Page 518: ...d Route 3 Enter the static route information in the applicable fields Table 101 describes the Add Route fields Table 101 Add Route fields Field Description Destination Address Specifies the static route destination IP address Netmask Specifies the network mask to apply to the IP address Gateway Specifies the IP address on the core router Note When you add a static route to the system host or inter...

Page 519: ...ick Commit on the toolbar to save the changes permanently Removing a static route To remove an existing static route perform the following steps 1 Select the static route from the table 2 Click Delete A confirmation dialog appears 3 Click Yes The static route is removed from the table 4 Click Apply on the toolbar to send the current changes to the Nortel SNAS 4050 Click Commit on the toolbar to sa...

Page 520: ...m settings 320818 A Configuring host ports using the SREM To configure the connection properties for a port perform the following steps 1 Select the System Hosts host Ports tab The Ports screen appears see Figure 140 Figure 140 Ports ...

Page 521: ...system settings 521 Nortel Secure Network Access Switch 4050 User Guide 2 Select a port to configure from the list The Port screen appears see Figure 141 displaying configuration details for the selected port Figure 141 Port ...

Page 522: ...ate Specifies the Ethernet auto negotiation setting for the host and NIC port The options are on the port is set to auto negotiate speed and mode This is the recommended setting off speed and mode are fixed at a specified setting The default is on When auto negotiation is on ensure that the device to which the port is connected is also set to auto negotiate Speed Specifies the speed in megabits pe...

Page 523: ...e ports using the SREM To view and manage the ports assigned to an interface select the System Hosts host interface Port tab The Port screen appears see Figure 142 Figure 142 Port This screen allows you to complete any of the following tasks Adding interface ports on page 524 Removing interface ports on page 524 ...

Page 524: ...dd The new port appears in the Port Table 5 Click Apply on the toolbar to send the current changes to the Nortel SNAS 4050 Click Commit on the toolbar to save the changes permanently Removing interface ports To remove ports assigned to an interface perform the following steps 1 Select the System Hosts host interface Port tab The Port screen appears see Figure 142 on page 523 2 Select the port from...

Page 525: ...a cluster wide list of IP addresses for hosts authorized to access the Nortel SNAS 4050 devices by Telnet SSH and SREM You can configure the list to allow access by individual machines or a range of machines on a specific network If the access list is empty then access is open to any machine For information about enabling Telnet and SSH access see Configuring administrative settings using the CLI ...

Page 526: ... manage the access list by choosing from the following tasks Adding an access list entry on page 526 Removing an Access List entry on page 527 Adding an access list entry To add an entry to the access list perform the following steps 1 Select the System Access List tab The Access List Table appears see Figure 143 on page 526 2 Click Add ...

Page 527: ...es to the Nortel SNAS 4050 Click Commit on the toolbar to save the changes permanently Removing an Access List entry To remove an existing entry from the access list perform the following steps 1 Select the System Access List tab The Access List Table appears see Figure 143 on page 526 2 Select an entry from the Access List Table to remove 3 Click Delete A confirmation dialog appears Table 104 Add...

Page 528: ... changes to the Nortel SNAS 4050 Click Commit on the toolbar to save the changes permanently Managing date and time settings using the SREM To manage system date and time settings select the System Date Time tab The Date and Time screen appears see Figure 145 allowing you to modify existing system settings and manage a list of NTP servers Figure 145 Date Time ...

Page 529: ...531 Configuring the date and time settings To configure the system date and time perform the following steps 1 Select the System Date Time tab The Date Time screen appears see Figure 145 on page 528 2 Enter the date and time information in the applicable fields Table 105 describes the Date Time fields 3 Click Apply on the toolbar to send the current changes to the Nortel SNAS 4050 Click Commit on ...

Page 530: ...146 Figure 146 Add NTP Server 3 Enter the NTP Server information in the applicable fields Table 106 describes the Add NTP Server fields 4 Click Add The NTP server appears in the NTP Server Table 5 Click Apply on the toolbar to send the current changes to the Nortel SNAS 4050 Click Commit on the toolbar to save the changes permanently Table 106 Add NTP Server fields Field Description IP Address Spe...

Page 531: ...System Date and Time tab The Date and Time screen appears see Figure 145 on page 528 2 Select the NTP server entry you wish to remove from the NTP Server Table 3 Click Delete A confirmation dialog box appears 4 Click Yes The NTP server entry disappears from the NTP Server Table 5 Click Apply on the toolbar to send the current changes to the Nortel SNAS 4050 Click Commit on the toolbar to save the ...

Page 532: ...gs 320818 A Configuring DNS settings using the SREM To configure DNS client settings use the following procedure 1 Select the System DNS Client Settings tab The DNS Client Settings screen appears see Figure 147 Figure 147 DNS Client Settings ...

Page 533: ... maximum Time to live TTL value for entries in the DNS cache After the TTL has expired the entries are discarded Specify the TTL in seconds s minutes m hours h or days d You can enter compound values for example 2h30m If you do not specify a measurement unit seconds is assumed The default is 3h 3 hours Health Check Specifies the interval for the Nortel SNAS 4050 to check the health of the DNS serv...

Page 534: ...e following tasks Managing syslog servers on page 534 Managing DNS servers on page 537 Managing RSA servers on page 540 Managing syslog servers To manage syslog servers select the System Servers Syslog Servers tab The Syslog Servers table appears see Figure 148 displaying a list of active syslog servers Figure 148 Syslog Servers ...

Page 535: ...t the System Servers Syslog Servers tab The Syslog Servers table appears see Figure 148 2 Click Add The Add Syslog Server dialog box appears see Figure 149 Figure 149 Add Syslog Server 3 Enter the syslog server information in the applicable fields Table 108 describes the Add Syslog Server fields 4 Click Add The syslog server entry appears in the Syslog Server Table Table 108 Add Syslog Server fiel...

Page 536: ... to the correct position 4 Click Apply on the toolbar to automatically reindex all syslog server entries Click Commit on the toolbar to save the changes permanently Removing an existing syslog server To remove an existing syslog server entry from the Syslog Server Table perform the following steps 1 Select the System Servers Syslog Servers tab The Syslog Servers table appears see Figure 148 2 Sele...

Page 537: ...ries on the Exclude List For more information about the captive portal and the Exclude List see Captive portal and Exclude List on page 386 To manage DNS servers in the system configuration select the System Servers DNS Servers tab The DNS Server Table appears see Figure 150 Figure 150 DNS Server Table From this screen you can complete the following tasks as necessary Adding a DNS server on page 5...

Page 538: ...er dialog box appears see Figure 126 Figure 151 Add DNS Servers 3 Enter the DNS server information in the applicable fields Table 110 describes the Add DNS Server fields 4 Click Add The DNS server entry appears in the DNS Server Table 5 Click Apply on the toolbar to send the current changes to the Nortel SNAS 4050 Click Commit on the toolbar to save the changes permanently Table 109 Add DNS Server...

Page 539: ...System Servers DNS Servers tab The DNS Server Table appears see Figure 150 on page 537 2 Select the DNS server to remove from the DNS Server Table 3 Click Delete A dialog box appears for confirmation 4 Click Yes The DNS server entry is immediately removed from the DNS Server Table 5 Click Apply on the toolbar to send the current changes to the Nortel SNAS 4050 Click Commit on the toolbar to save t...

Page 540: ...isting RSA servers that have already been configured on the Nortel SNAS 4050 Figure 152 RSA Server Table This screen allows you to view manage and configure RSA server entries by completing any of the following tasks Adding an RSA server on page 541 Removing an existing RSA server on page 542 Note This feature is not supported in Nortel Secure Network Access Switch Software Release 1 0 ...

Page 541: ...k Add The Add RSA Server dialog box appears see Figure 153 Figure 153 Add RSA Server 3 Enter the RSA server information in the applicable fields Table 110 describes the Add RSA Server fields 4 Click Apply The RSA server appears in the RSA Server Table 5 Click Apply on the toolbar to send the current changes to the Nortel SNAS 4050 Click Commit on the toolbar to save the changes permanently Table 1...

Page 542: ...ears from the RSA Server Table 5 Click Apply on the toolbar to send the current changes to the Nortel SNAS 4050 Click Commit on the toolbar to save the changes permanently Removing the RSA node secret You can remove the RSA node secret if necessary Authentication will then fail until the Node secret created check box is unchecked in the Edit Agent Host window on the RSA server To remove the RSA no...

Page 543: ...een displays the index number and symbolic name assigned to the RSA server when you added it Figure 154 RSA Server Table 111 describes the RSA Server fields Table 111 RSA Server fields Field Description Index Specifies the index value for the server entry This value cannot be changed once the RSA server has been created Symbolic Name Specifies the symbolic name of the RSA server ...

Page 544: ...ar to save the changes permanently Importing sdconf rec The sdconf rec file is a configuration file that contains critical RSA ACE Server information Contact your RSA ACE Server administrator to obtain the file and make it available on the specified TFTP FTP SCP SFTP server To import an sdconf rec file perform the following steps 1 Select the System Servers RSA Server Table tab 2 Select an RSA ser...

Page 545: ...ter 10 Configuring system settings 545 Nortel Secure Network Access Switch 4050 User Guide 3 Select the Import sdconf rec tab The Import sdconf rec screen appears see Figure 155 Figure 155 Import sdconf rec ...

Page 546: ...ative settings choose from one of the following tasks Configuring SRS control settings using the SREM on page 547 Configuring Nortel SNAS 4050 host SSH keys using the SREM on page 548 Managing RADIUS audit settings using the SREM on page 554 Managing RADIUS authentication of system users using the SREM on page 562 Table 112 Import sdconf rec fields Field Description Protocol Specifies the protocol...

Page 547: ...et SRS rules you must use the SREM see TunnelGuard SRS Builder on page 317 Before you can access the Rule Builder utility in the SREM you must enable support for SRS administration To configure support for managing the SRS rules perform the following steps 1 Select the System Administrative SRS Control Settings tab The SRS Control Settings screen appears see Figure 156 Figure 156 SRS Control Setti...

Page 548: ...e a set of keys to be used by all hosts in the cluster in accordance with the Single System Image SSI concept As a result connections to the MIP always appear to an SSH client to be to the same host During initial setup there is an option to generate the SSH host keys automatically To generate and manage the SSH keys used by Nortel SNAS 4050 hosts in the cluster perform the following steps 1 Selec...

Page 549: ... host SSH keys on page 551 Showing SSH keys To show or copy the existing SSH key use the following steps 1 Click the Show SSH Keys tab The Show SSH Keys screen appears see Figure 157 Figure 157 Show SSH Keys 2 To show the existing SSH key click Show The keys display in the following formats RSA1 keys the OpenSSH implementation except that the line is wrapped ...

Page 550: ...lic Key File Format as described in Internet Draft draft ietf secsh publickeyfile 3 To copy the existing SSH key click Copy To fully conform to the OpenSSH implementation for RSA1 keys you may need to edit the output back into a single line for use in the key storage of an SSH client ...

Page 551: ...ts as a convenience so that you do not get prompted to accept a new key during later use of SCP or SFTP for file or data transfer To achieve strict man in the middle protection verify the fingerprint before applying the changes To import the public SSH key of a known remote host use the following steps 1 Click the Hosts tab The Hosts screen appears see Figure 158 Figure 158 SSH Keys Hosts ...

Page 552: ...remove a known host SSH key a Select the SSH key from the Hosts Table b Click Delete 4 Click Apply on the toolbar to send the current changes to the Nortel SNAS 4050 Click Commit on the toolbar to save the changes permanently Table 114 SSH Keys Hosts field Field Description SSH Key for IP Address Specifies the IP address for which you are generating an SSH key Hosts Table Displays a list of hosts ...

Page 553: ...as a convenience so that you do not get prompted to accept a new key during later use of SCP or SFTP for file or data transfer To achieve strict man in the middle protection verify the fingerprint before applying the changes To add the public SSH key of a known remote host use the following steps 1 Click the Add SSH Key tab The Add SSH Key screen appears see Figure 159 Figure 159 Add SSH Key ...

Page 554: ...configure the Nortel SNAS 4050 cluster to include a RADIUS server to receive log messages about commands executed in the CLI or the SREM for audit purposes About RADIUS auditing An event is generated whenever a system user logs on logs off or issues a command from a SREM session The event contains information about user name and session ID as well as the name of executed commands You can configure...

Page 555: ... the audit information The attributes are sent to the RADIUS audit server together with the event log information Each vendor has a specific dictionary The Vendor Id specified for an attribute identifies the dictionary the RADIUS server will use to retrieve the attribute value The Vendor Type indicates the index number of the required entry in the dictionary file The Internet Assigned Numbers Auth...

Page 556: ...8 A Configuring RADIUS auditing To configure the Nortel SNAS 4050 to support RADIUS auditing choose from one of the following tasks Configuring RADIUS audit settings using the SREM on page 557 Managing RADIUS audit servers using the SREM on page 559 ...

Page 557: ...ings using the SREM To configure RADIUS audit settings perform the following steps 1 Select the System Administrative Radius Audit Configuration tab The RADIUS audit Configuration screen appears see Figure 160 Figure 160 RADIUS audit Configuration 2 Enter the Audit Configuration information in the applicable fields Table 116 ...

Page 558: ... fields Field Description Vendor ID Specifies the vendor specific attribute used by the RADIUS audit server to identify event log information from the Nortel SNAS 4050 cluster The default Vendor Id is 1872 Alteon Vendor Type Specifies the Vendor Type value used in combination with the Vendor Id to identify event log information from the Nortel SNAS 4050 cluster The default Vendor Type value is 2 A...

Page 559: ...IUS audit servers select the System Administrative Radius Audit Audit Servers tab The Audit Server Table appears see Figure 161 displaying a list of available RADIUS audit servers Figure 161 Audit Servers Select from the following tasks to manage the audit servers Adding a new Audit Server on page 560 Removing an existing RADIUS audit server on page 561 ...

Page 560: ...r information in the fields provided Table 117 describes the Add Audit Server fields 4 Click Add The new audit server entry appears in the Audit Server Table 5 Click Apply on the toolbar to send the current changes to the Nortel SNAS 4050 Click Commit on the toolbar to save the changes permanently Table 117 Add Audit Server fields Field Description IP Address Specifies the IP address of the RADIUS...

Page 561: ...adius Audit Audit Servers tab The Audit Server Table appears see Figure 161 on page 559 2 Select an audit server entry to remove from the Audit Server Table 3 Click Delete A dialog box appears asking for confirmation 4 Click Yes The audit server entry is immediately removed from the Audit Server Table 5 Click Apply on the toolbar to send the current changes to the Nortel SNAS 4050 Click Commit on ...

Page 562: ...swords and group assignments for Nortel SNAS 4050 system users see Managing system users and groups on page 353 When you add an external RADIUS authentication server to the configuration the server is automatically assigned an index number You can add several RADIUS authentication servers for backup purposes Nortel SNAS 4050 authentication will be performed by an available server with the lowest i...

Page 563: ... RADIUS authentication of system users using the SREM To configure RADIUS authentication perform the following steps 1 Select the System Administrative Radius Authentication Configuration tab The RADIUS authentication Configuration screen appears see Figure 163 Figure 163 Radius Authentication Configuration ...

Page 564: ...erval in seconds s minutes m or hours h If you do not specify a measurement unit seconds is assumed The range is 1 10000 seconds The default is 10 seconds Use Local Password as Fallback Specifies the desired fallback mode Valid options are on if the RADIUS servers are unreachable the local passwords defined on the Nortel SNAS 4050 are used as fallback off if the RADIUS servers are unreachable the ...

Page 565: ...entication servers used by the Nortel SNAS 4050 select the System Administrative Radius Authentication Radius Servers tab The Radius Server Table appears see Figure 164 Figure 164 Radius Server Table Select from the following tasks to manage the RADIUS authentication servers Adding a RADIUS authentication server on page 566 Removing an existing RADIUS server on page 567 ...

Page 566: ...ADIUS server information in the applicable fields Table 119 describes the Add Radius Server fields 4 Click Add The RADIUS server appears in the table 5 Click Apply on the toolbar to send the current changes to the Nortel SNAS 4050 Click Commit on the toolbar to save the changes permanently Table 119 Add Radius Server fields Field Description IP Address Specifies the IP address of the RADIUS authen...

Page 567: ...entication Radius Servers tab The Radius Server Table appears see Figure 164 on page 565 2 Select the RADIUS server entry to remove from the Radius Server Table 3 Click Delete A dialog box appears asking for confirmation 4 Click Yes The authentication server entry is immediately removed from the Radius Server Table 5 Click Apply on the toolbar to send the current changes to the Nortel SNAS 4050 Cl...

Page 568: ...568 Chapter 10 Configuring system settings 320818 A ...

Page 569: ...nt commands 576 Managing and viewing certificates and keys using the CLI 577 Generating and submitting a CSR using the CLI 579 Adding a certificate to the Nortel SNAS 4050 using the CLI 584 Adding a private key to the Nortel SNAS 4050 using the CLI 587 Importing certificates and keys into the Nortel SNAS 4050 using the CLI 588 Displaying or saving a certificate and key using the CLI 591 Exporting ...

Page 570: ...ter The Nortel SNAS 4050 can support the use of up to 1500 certificates However only one server certificate can be mapped to a portal server at any one time For information about mapping a certificate to the portal server see Configuring SSL settings using the CLI on page 139 or Configuring SSL settings using the SREM on page 176 If you ran the quick setup wizard during initial setup a test certif...

Page 571: ...rtel SNAS 4050 and is invisible to the user Table 120 Supported key and certificate formats Sheet 1 of 2 Format Import Add Export Save Comment PEM Yes Yes Encrypts the private key Combines the private key and certificate in the same file DER Yes Yes Does not encrypt the private key Allows you to store the private key and certificate in separate files NET Yes Yes Encrypts the private key Allows you...

Page 572: ...to get help on page 29 iPlanet Server Yes No Key only proprietary format Requires conversion For information about the conversion tool contact Nortel Technical Support see How to get help on page 29 Table 120 Supported key and certificate formats Sheet 2 of 2 Format Import Add Export Save Comment You must use the PEM format when you save keys and certificates by copying you add a key or certificat...

Page 573: ...6 Installing certificates and keys There are two ways to install a certificate and key in the Nortel SNAS 4050 cluster by pasting see Adding a certificate to the Nortel SNAS 4050 using the CLI on page 584 by importing from a TFTP FTP SCP SFTP server see Importing certificates and keys into the Nortel SNAS 4050 using the CLI on page 588 or Importing a certificate or key using the SREM on page 603 W...

Page 574: ...e SREM on page 605 by exporting to a TFTP FTP SCP SFTP server see Exporting a certificate and key from the Nortel SNAS 4050 using the CLI on page 594 or Exporting a certificate and key from the Nortel SNAS 4050 using the SREM on page 607 The copy and paste method saves the certificate and key in PEM format The export method allows you to choose from a variety of file formats Nortel recommends usin...

Page 575: ... to the portal server see Configuring SSL settings using the CLI on page 139 or Configuring SSL settings using the SREM on page 176 5 After testing to verify that the new certificate works as intended delete the old certificate In the CLI use the cfg cert old cert ID del command In the SREM use the Certificates Certificates screen to remove the old certificate Managing private keys and certificate...

Page 576: ...SNAS 4050 using the CLI on page 594 create a self signed certificate for testing purposes see Generating a test certificate using the CLI on page 596 Roadmap of certificate management commands The following roadmap lists the CLI commands to configure and manage server certificates for the Nortel SNAS 4050 cluster Use this list as a quick reference or click on any entry for more information Command...

Page 577: ...e in the system If you specify an unused certificate number the certificate is created The Certificate menu displays The Certificate menu includes the following options cfg cert cert ID followed by name name Names or renames the certificate as a mnemonic aid cert Lets you paste the contents of a certificate file from a text editor For more information see Adding a certificate to the Nortel SNAS 40...

Page 578: ...se the cfg cert show command client not supported in Nortel Secure Network Access Switch Software Release 1 0 request Generates a certificate signing request For more information see Generating and submitting a CSR using the CLI on page 579 sign Signs a CSR by using the private key associated with the currently selected certificate You are prompted to paste in the contents of a CSR Client certific...

Page 579: ...d show Displays detailed information about the certificate excluding the certificate name info Displays the serial number the expiration date and the values specified for the subject part of the current certificate subject Displays detailed information about the subject part of the current certificate For example C countryName 2 5 4 6 US where countryName is the mnemonic name 2 5 4 6 is the object...

Page 580: ...name of the state or province Locality Name e g city The name of the city where the head office of the organization is located Organization Name e g company The registered name of the organization The organization must own the domain name that appears in the common name of the web server Do not abbreviate the organization name and do not use any of the following characters Organizational Unit Name...

Page 581: ... Generate new key pair y n y Specifies whether you want to generate a new pair of private and public keys The default is y yes If you are creating a CSR for a new certificate accept the option to generate a new key pair If a configured certificate is approaching its expiration date and you want to renew it without replacing the existing key specify n no The CSR will be based on the existing key fo...

Page 582: ...024 Request a CA certificate y n n Specify challenge password y n n BEGIN CERTIFICATE REQUEST MIIB jCCAWMCAQAwgZQxCzAJBgNVBAYTAlNFMRIwEAYDVQQIEwlTdG9ja2hvbG0xD jAMBgNVBAcTBUtpc3RhMREwDwYDVQQKEwhCbHVldGFpbDENMAsGA1UECxMERG9jdT EZMBcGA1UEAxMQd3d3LmJsdWV0YWlsLmNvbTEkMCIGCSqGSIb3DQEJARYVdG9yYmp vcm5AYmx1ZXRhaWwuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCX2rSY 81cgKJODuUreGF3ZnK7RvlRqSV TIMS4UerqXPKpTj...

Page 583: ...iate the private key with the new certificate by pasting or importing the contents of the key file see Installing certificates and keys on page 573 a Display the certificate and key see Displaying or saving a certificate and key using the CLI on page 591 b Copy the private key including the BEGIN RSA PRIVATE KEY and END RSA PRIVATE KEY lines and paste it into a text editor c Save the text editor f...

Page 584: ...e certificate number as the certificate number you used to generate the CSR In this way the private key remains connected to the certificate number and you do not need to perform an additional step to add the private key If you obtained the certificate by means other than using the cfg cert request command to generate the CSR specify a certificate number not used by any other configured certificat...

Page 585: ...ert b Paste the certificate at the command prompt c Press Enter to create a new line and then enter an ellipsis to terminate d If you are pasting in the private key at the same time and if the key has been password protected you are prompted to enter the password phrase The password phrase required is the one specified when the key was created or exported 4 Apply the changes If you obtained the ce...

Page 586: ...0xGTAXBgkqhkiG9w0BCQEWCnR0dEBjY2MuZG4wHhcNMDAxMjI yMDkxOTI0WhcNMDExMjIyMDkxOTI0WjB9MQswCQYDVQQGEwJzZTEOMAw GA1UECBMFa2lzdGExEjAQBgNVBAcTCXN0b2NraG9sbTEMMAoGA1UEChM DZG9jMQ0wCwYDVQQLEwRibHVlMRIwEAYDVQQDEwl3d3cuYS5jb20xGTA XBgkqhkiG9w0BCQEWCnR0dEBjY2MuZG4wgZ8wDQYJKoZIhvcNAQEBBQA DgY0AMIGJAoGBALXym9cIVfHZUZFE1MFi xefDviIEvilnJAQSSPITnZ a69fzGcL3vpQv0NLxNffs1jEw4RPDMKu2rQ9N02EiiJcrCHnaSNZPdwG oX39IkEU...

Page 587: ...CA The public key contained in the certificate works in concert with the related private key to handle SSL transactions b In a text editor open the key file c Copy the entire contents including the BEGIN RSA PRIVATE KEY and END RSA PRIVATE KEY lines 3 Add the private key a Enter the following command cfg cert key b Paste the contents of the key file at the command prompt c Press Enter to create a ...

Page 588: ...FEB57A853 MbbLDYlwdbNfXUGHFm10nfRlI KTnx2Bdx750EaG8HSVV7KrtnsNF Fs z1jFvO jnKhZfs4zsVrsstrVlqfP1uatg19VyJSEug1ZcCamH59Dcy U NocFWCzR56PHpyZKGXX66jS 6twYdiXQk58URIudkmGXGTYMvBRuVjV2 2ZRLyJk41Az5nA6HiDz6GGs6vkCaPFGm263KxmXjy okNgSJl9QTqJfS q7Eh1cIslBReAE9HXGl0Eubb6gVJu sRmGhS yGx4vMx98wiMjL37gRt XBfDWlu6u0HOPeJxs6fH05fYzmnpwAHj592TDFdsJi5pmrY0NhAeXfuG 8mF T9nEz02ZA8iQGJsaUPfkeBxbZS umY R65Okwt1k2RN4...

Page 589: ...e cfg cert show command 3 Import the certificate Enter the following command cfg cert import You are prompted to enter the certificate and private key import information If the private key has been password protected you are prompted for the correct password phrase as well Table 122 explains the required parameters Note You can arrange to include your private key in the certificate file When the N...

Page 590: ...and password to access the file exchange server The default is anonymous For anonymous mode the Nortel SNAS 4050 uses the following string as the password for logging purposes admin hostname isd Pass phrase If the key is password protected the password phrase specified when the key was created or exported Table 122 Certificate and key import information Parameter Description Certificate 3 import S...

Page 591: ... in one file with a PEM extension To save a certificate and key in another format use the cfg cert export command see Exporting a certificate and key from the Nortel SNAS 4050 using the CLI on page 594 To display the current certificate and key or save a copy perform the following steps 1 Access the Certificate menu by using the cfg cert cert id command where cert id is the certificate number of t...

Page 592: ...uired For the private key ensure that you include the BEGIN RSA PRIVATE KEY and END RSA PRIVATE KEY lines For the certificate ensure that you include the BEGIN CERTIFICATE and END CERTIFICATE lines 6 Paste the private key certificate or both into a text editor 7 Save the file with a PEM extension ...

Page 593: ...BEGIN CERTIFICATE MIIEajCCA9OgAwIBAgIBADANBgkqhkiG9w0BAQQFADCBvzELMAkGA1UEBhMCVVMxEzARBgNVBAgTCk NhbGlmb3JuaWExEDAOBgNVBAcTB1Rlc3RpbmcxKDAmBgNVBAoTH1Rlc3QgSW5jLiAxIDE1OjAyOjQ5 IDIwMDUtMDgtMTIxEjAQBgNVBAsTCXRlc3QgZGVwdDEgMB4GA1UEAxMXd3d3LmR1bW15c3NsdGVzdG luZy5jb20xKTAnBgkqhkiG9w0BCQEWGnRlc3RlckBkdW1teXNzbHRlc3RpbmcuY29tMB4XDTA1MDgx MjIyMDI0OVoXDTA2MDgxMjIyMDI0OVowgb8xCzAJBgNVBAYTAlVTMRMwEQYDVQQIEw...

Page 594: ... where cert id is the certificate number of the certificate you wish to export To view basic information about all configured certificates use the info certs command 2 Export the certificate Enter the following command cfg cert export You are prompted to enter the certificate and key export information The file is exported as soon as you have provided all the required information Table 123 explain...

Page 595: ... For more information about the formats see Key and certificate formats on page 571 Export pass phrase The password phrase to encrypt the private key Reconfirm export pass phrase Re enter the password phrase for confirmation Key and certificate file name The name of the file on the file exchange server If you are using a format that saves the private key and certificate in the same file you are pr...

Page 596: ... not activated until you apply the changes To generate a test certificate perform the following steps 1 Access the Certificate menu by using the cfg cert cert id command where cert id is an unused certificate number 2 Generate the test certificate Enter the following command cfg cert test Certificate 1 export Select protocol tftp ftp scp sftp tftp ftp Enter hostname or IP address of server ftp exa...

Page 597: ... can perform the following certificate management tasks in the SREM view existing certificates see Viewing certificates using the SREM on page 598 create a new certificate see Creating a certificate using the SREM on page 599 generate requests for signed certificates see Generating and submitting a CSR using the SREM on page 601 import certificates and private keys see Importing a certificate or k...

Page 598: ...AS 4050 cluster select the Certificates Certificates tab The Certificates screen appears see Figure 172 with a list of all certificates available on the Nortel SNA cluster Figure 172 Certificates screen To remove an existing certificate perform the following steps 1 Select the certificate from the Certificates list 2 Click Delete A confirmation dialog appears ...

Page 599: ...icates Certificates tab The Certificates screen appears see Figure 172 on page 598 2 Click Add The Add a Certificate Component dialog box appears see Figure 173 Figure 173 Add a Certificate Component 3 Enter the certificate information in the applicable fields Table 124 describes the Add a Certificate Component fields 4 Click Apply The new certificate appears in the Certificates list Table 124 Add...

Page 600: ... toolbar to save the changes permanently Before this certificate can be used a certificate signing request CSR must be generated submitted to a CA and imported into the Nortel SNAS 4050 For details on this process continue with Generating and submitting a CSR using the SREM on page 601 and Importing a certificate or key using the SREM on page 603 ...

Page 601: ...twork Access Switch 4050 User Guide Generating and submitting a CSR using the SREM To generate a CSR perform the following steps 1 Select the Certificates certificate CA Request tab The CA Request screen appears see Figure 174 Figure 174 CA Request screen ...

Page 602: ...ny of the following characters Organization Unit The name of the department or group that uses the secure web server Common Name The name of the web server as it appears in the URL The name must be the same as the domain name of the web server that is requesting a certificate If the web server name does not match the common name in the certificate some browsers will refuse a secure connection with...

Page 603: ...e CSR to a CA such as Entrust or VeriSign a In a text editor open the csr file you created in step 4 b Copy the entire CSR including the BEGIN CERTIFICATE REQUEST and END CERTIFICATE REQUEST lines c Use your web browser to access the CA web site and follow the online instructions The process for submitting the CSR varies with each CA When prompted paste the CSR as required in the CA online request...

Page 604: ...ect the Certificates certificate Import Certificate tab The Import Certificate screen appears see Figure 175 Figure 175 Import Certificate screen Note You can arrange to include your private key in the certificate file When the Nortel SNAS 4050 retrieves the specified certificate file from the file exchange server the Nortel SNAS 4050 software analyzes the contents and automatically adds the priva...

Page 605: ...adding a password phrase because this adds an extra layer of security Save the certificate and private key by copying and pasting into a text editor then saving the text file with a PEM extension Table 126 Import Certificate fields Field Description Protocol The file import protocol The options are TFTP FTP SCP SFTP The default is FTP Host The host name or IP address of the file exchange server Fi...

Page 606: ...8 A To display the current certificate and key or save a copy perform the following steps 1 Select the Certificates certificate Display Certificate tab The Display Certificate screen appears see Figure 176 Figure 176 Display Certificate screen ...

Page 607: ...private key and certificate into a text editor 6 Save the file with a PEM extension To save a certificate and key in another format use the Export Certificate screen see Exporting a certificate and key from the Nortel SNAS 4050 using the SREM on page 607 Exporting a certificate and key from the Nortel SNAS 4050 using the SREM You can export certificate files and key files from the Nortel SNAS 4050...

Page 608: ...818 A To export a certificate and key from the Nortel SNAS 4050 perform the following steps 1 Select the Certificates certificate Export Certificate tab The Export Certificate screen appears see Figure 177 Figure 177 Export Certificate screen ...

Page 609: ...combined key and certificate file in the PKCS12 format The formats have different capabilities regarding private key encryption and the ability to save the key and certificate in separate files For more information about the formats see Key and certificate formats on page 571 Certificate File The name of the certificate file on the file exchange server Key File The name of the key file on the file...

Page 610: ...istributed over three screens To view configuration details expiration dates subject settings or other details of a certificate choose from the following tasks Viewing configuration details on page 610 Viewing general information on page 612 Viewing certificate subject settings on page 614 Viewing configuration details To view configuration details about a certificate on the Nortel SNAS 4050 clust...

Page 611: ...ields Table 129 Certificate Configuration fields Field Description Index An integer in the range 1 to 1500 that uniquely identifies the certificate in the Nortel SNAS 4050 domain Certificate Name Names or renames the certificate as a mnemonic aid Key Info Displays information about how the private key associated with the currently selected certificate is protected For the Nortel SNAS 4050 private ...

Page 612: ...4050 cluster select the Certificates certificate Info tab Key Size Displays the key size of the private key in the current certificate Key Status Confirms whether the key and certificate match Details Displays detailed information about the subject part of the current certificate Table 129 Certificate Configuration fields Field Description ...

Page 613: ...cription Serial Number The serial number of the certificate Expiration Time The expiration time and date of the certificate Country The two letter ISO code for the country where the web server is located For current information about ISO country codes see http www iana org State Province The name of the state or province where the head office of the organization is located Enter the full name of t...

Page 614: ...bbreviate the organization name and do not use any of the following characters Organization Unit The name of the department or group that uses the secure web server Common Name The name of the web server as it appears in the URL The name must be the same as the domain name of the web server that is requesting a certificate If the web server name does not match the common name in the certificate so...

Page 615: ...bject fields Field Description Country The two letter ISO code for the country where the web server is located For current information about ISO country codes see http www iana org State Province The name of the state or province where the head office of the organization is located Enter the full name of the state or province Locality The name of the city where the head office of the organization ...

Page 616: ...ecure web server Common Name The name of the web server as it appears in the URL The name must be the same as the domain name of the web server that is requesting a certificate If the web server name does not match the common name in the certificate some browsers will refuse a secure connection with your site Do not enter the protocol specifier http or any port numbers or pathnames in the common n...

Page 617: ...Configuring the SNMP v2 MIB using the CLI 621 Configuring the SNMP community using the CLI 622 Configuring SNMPv3 users using the CLI 623 Configuring SNMP notification targets using the CLI 626 Configuring SNMP events using the CLI 627 Configuring SNMP settings using the SREM 631 Configuring SNMP using the SREM 632 Configuring SNMP targets using the SREM 634 Configuring SNMPv3 users using the SREM...

Page 618: ...ceiving trap messages sent by the agent can be configured to use SNMP v1 v2c and v3 The default is SNMP v2c You can specify any number of notification targets on the Nortel SNAS 4050 For information about the MIBs supported on the Nortel SNAS 4050 see Appendix C Supported MIBs on page 875 Configuring SNMP using the CLI To configure SNMP for the Nortel SNA network access the SNMP menu by using the ...

Page 619: ...ce or click on any entry for more information Command Parameter cfg sys adm snmp ena dis versions v1 v2c v3 cfg sys adm snmp snmpv2 mib sysContact contact snmpEnable disabled enabled cfg sys adm snmp community read name write name trap name cfg sys adm snmp users user ID name name seclevel none auth priv permission get set trap authproto md5 sha authpasswd password privproto des aes privpasswd pas...

Page 620: ... includes the following options cfg sys adm snmp event addmonitor options b name OID op value addmonitor options t name OID value and event addmonitor options x name OID present absent changed delmonitor name addevent c comment name notification OID delevent name list cfg sys adm snmp followed by ena Enables network management using SNMP The default is enabled dis Disables network management using...

Page 621: ...ameters in the standard SNMP v2 MIB for the system see Configuring the SNMP v2 MIB using the CLI on page 621 community Accesses the SNMP Community menu in order to configure the community aspects of SNMP monitoring see Configuring the SNMP community using the CLI on page 622 users Accesses the SNMP User menu in order to manage SNMPv3 users see Configuring SNMPv3 users using the CLI on page 623 tar...

Page 622: ...act this person snmpEnable disabled enabled Enables or disables generating authentication failure traps The default is disabled cfg sys adm snmp community followed by read name Specifies the monitor community name that grants read access to the MIB If you do not specify a monitor community name read access is not granted The default monitor community name is public write name Specifies the control...

Page 623: ...ame a string that uniquely identifies the USM user in the Nortel SNAS 4050 cluster The maximum length of the string is 255 characters After you have defined a name for the user you can use either the user name or the user ID to access the SNMP User menu security level the degree of SNMP USM security Valid options are none SNMP access is granted without authentication auth SNMP user must provide a ...

Page 624: ...the USM user Valid options are md5 sha The default is md5 auth password a string of at least eight characters specifying the password for USM user authentication The password is required if the security level is set to auth or priv privacy protocol the protocol used for encryption Valid options are des aes The default is des priv password a string of at least eight characters specifying the USM us...

Page 625: ...equired password auth password SNMP information is transmitted in plain text priv the SNMP user must provide a verified password before SNMP access is granted and all SNMP information is encrypted with the user s individual key You are later prompted to specify the required password auth password and encryption key priv password The default is priv permission get set trap Specifies the USM user s ...

Page 626: ...authpasswd password Specifies the password for USM user authentication The password is required if the security level is set to auth or priv password is a string that must be at least eight characters long privproto des aes Specifies the protocol used for encryption Valid options are des aes The default is des privpasswd password Specifies the USM user s individual encryption key The password is r...

Page 627: ...outside certain boundaries existence checks the condition of a monitored OID to determine if it is present absent or changed and triggers an event if the result matches the specified condition To configure monitors and events defined in the DISMAN EVENT MIB use the following command cfg sys adm snmp event The event menu displays cfg sys adm snmp target target ID followed by ip IPaddr Specifies the...

Page 628: ... minutes o OID additional objects to send in the event e EventName the name of a notification event d OID the delta discontinuity OID D timeTicks timeStamp dateAndTime the delta discontinuity type Other parameters are name a unique name you assign to the monitor for identification OID the object identifier or symbolic name to monitor op the operator Valid options are not equals equals less than or...

Page 629: ...he event d OID the delta discontinuity OID D timeTicks timeStamp dateAndTime the delta discontinuity type Other parameters are name a unique name you assign to the monitor for identification OID the object identifier or symbolic name to monitor value and event a combination of an integer and an event condition where the integer represents the event condition threshold that will trigger notificatio...

Page 630: ...ect identifier or symbolic name to monitor present absent changed indicates whether the object being monitored is present absent or has changed delmonitor name Removes the specified monitor from the configuration addevent c comment name notification OID Adds a notification event as defined in the DISMAN EVENT MIB c comment adds a comment optional name a unique name you assign to the event for iden...

Page 631: ...ring SNMP settings using the SREM This section contains information about the following topics Configuring SNMP using the SREM on page 632 Configuring SNMP targets using the SREM on page 634 Configuring SNMPv3 users using the SREM on page 640 Configuring SNMP events using the SREM on page 647 ...

Page 632: ... SNMP 320818 A Configuring SNMP using the SREM To configure SNMP perform the following steps 1 Select the System Administrative SNMP Configuration tab The Configuration screen appears see Figure 181 Figure 181 SNMP Configuration ...

Page 633: ...s generating authentication failure traps The default is disabled unchecked SNMP Enabled When checked enables network management using SNMP The default is enabled Versions Specifies the SNMP versions allowed Check one or more of the following options v1 SNMP version 1 v2c SNMP version 2c v3 SNMP version 3 The default is all versions v1 v2c v3 Read Specifies the monitor community name that grants r...

Page 634: ...s using the SREM SNMP managers function as the notification targets for SNMP monitoring To configure SNMP notification targets choose from one of the following tasks Adding SNMP targets on page 635 Managing SNMP targets on page 638 Removing SNMP targets on page 639 ...

Page 635: ...ork Access Switch 4050 User Guide Adding SNMP targets To add an SNMP target perform the following steps 1 Select the System Administrative SNMP SNMP Targets SNMP Target Table tab The SNMP Target Table appears see Figure 182 Figure 182 SNMP Target Table ...

Page 636: ...636 Chapter 12 Configuring SNMP 320818 A 2 Click Add The Add SNMP Target dialog box appears see Figure 183 Figure 183 Add SNMP Target ...

Page 637: ...identify this SNMP target on the Nortel SNAS 4050 This field cannot be modified after an SNMP Target is added IP Address Specifies the IP address of the SNMP manager to which trap messages are sent Port Specifies the TCP port number used by the SNMP manager The default value is port 162 Version Specifies the SNMP version used by the SNMP manager The options are v1 use SNMPv1 v2c use SNMPv2c v3 use...

Page 638: ...0818 A Managing SNMP targets To manage SNMP targets perform the following steps 1 Select the System Administrative SNMP SNMP Targets target Target Settings tab The Target Settings screen appears see Figure 184 Figure 184 Target Settings ...

Page 639: ...e SNMP target to remove from the SNMP Target Table 3 Click Delete Table 134 SNMP Target fields Field Description Index Specifies a unique integer to identify this SNMP target on the Nortel SNAS 4050 This field cannot be modified after an SNMP Target is added IP Address Specifies the IP address of the SNMP manager to which trap messages are sent Port Specifies the TCP port number used by the SNMP m...

Page 640: ... the toolbar to save the changes permanently Configuring SNMPv3 users using the SREM The Nortel SNAS 4050 manages SNMPv3 users based on the User based Security Model USM for SNMP version 3 For more information about USM see RFC2274 To configure SNMPv3 users choose from one of the following tasks Adding SNMPv3 users on page 641 Managing SNMPv3 users on page 644 Removing SNMPv3 users on page 646 ...

Page 641: ...ork Access Switch 4050 User Guide Adding SNMPv3 users To add an SNMPv3 user perform the following steps 1 Select the System Administrative SNMP SNMPv3 Users SNMPv3 User Table tab The SNMPv3 User Table appears see Figure 185 Figure 185 SNMPv3 User Table ...

Page 642: ...642 Chapter 12 Configuring SNMP 320818 A 2 Click Add The Add SNMPv3 User dialog box appears see Figure 186 Figure 186 Add SNMPv3 User ...

Page 643: ...word auth password SNMP information is transmitted in plain text priv the SNMP user must provide a verified password before SNMP access is granted and all SNMP information is encrypted with the user s individual key You are later prompted to specify the required password auth password and encryption key priv password The default is priv Authentication Password Specifies the password for USM user a...

Page 644: ...o the Nortel SNAS 4050 Click Commit on the toolbar to save the changes permanently Managing SNMPv3 users To manage SNMPv3 users or configure permission sets for a new SNMPv3 user perform the following steps 1 Select the System Administrative SNMP SNMPv3 Users user User Settings tab The User Settings screen appears see Figure 187 Figure 187 User Settings ...

Page 645: ...priv the SNMP user must provide a verified password before SNMP access is granted and all SNMP information is encrypted with the user s individual key You are later prompted to specify the required password auth password and encryption key priv password Permission Specifies the USM user s privileges Valid options are get USM user is authorized to perform SNMP get requests read access to the MIB se...

Page 646: ...ser Table appears see Figure 185 on page 641 2 Select a user from the SNMPv3 Users Table 3 Click Delete A dialog box appears for confirmation 4 Click Yes 5 Click Apply on the toolbar to send the current changes to the Nortel SNAS 4050 Click Commit on the toolbar to save the changes permanently Authentication Protocol Specifies the protocol to be used to authenticate the USM user Valid options are ...

Page 647: ...nts select from the following tasks Adding monitor events on page 648 Viewing configuration details of monitor events on page 649 Removing monitor events on page 650 Once monitor events are added they cannot be modified To change the settings of an existing monitor first remove that monitor and then create a new monitor with the desired changes There are three different types of monitors that can ...

Page 648: ...guring SNMP 320818 A Adding monitor events To add monitor events perform the following steps 1 Select the System Administrative SNMP Event Monitor Table tab The Monitor Table appears see Figure 188 Figure 188 Monitor Table ...

Page 649: ...lbar to save the changes permanently Viewing configuration details of monitor events To view the configuration settings of an existing monitor event perform the following steps 1 Select the System Administrative SNMP Event Monitor Table tab The Monitor Table appears see Figure 188 on page 648 2 Select the monitor to view from the Monitor Table The Configuration sub tab appears displaying settings ...

Page 650: ...perform the following steps 1 Select the System Administrative SNMP Event Monitor Table tab The Monitor Table appears see Figure 188 2 Select the monitor event to be removed from the Monitor Table 3 Click Delete A confirmation dialog box appears 4 Click Yes 5 Click Apply on the toolbar to send the current changes to the Nortel SNAS 4050 Click Commit on the toolbar to save the changes permanently B...

Page 651: ...ing monitored Operation Specifies the operation used to create the boolean value Must be one of the following operations equals notEquals lessThanOrEquals greaterThanOrEquals lessThan greaterThan OID Value Specifies the OID used for comparison Trigger Event Specifies the event that is triggered if a successful comparison is made Comment Specifies a comment for this monitor Frequency Specifies the ...

Page 652: ...ents if the comparison determines that the OID value is rising too quickly falling too quickly or outside of certain boundaries Figure 190 Add a Monitor Threshold Delta Discontinuity OID Specifies an OID to monitor for discontinuity Delta Discontinuity OID type Specifies the type of discontinuity to monitor for The options are timeTicks timeStamp dateAndTime Table 138 Boolean monitor fields Sheet ...

Page 653: ... when an OID value is greater than the specified High Value Delta Low Value Specifies the greatest acceptable drop in value before an event is triggered Delta Falling Event Specifies the event triggered when an OID value decreases by more than the specified Delta Low Value Delta High Value Specifies the greatest acceptable increase in value before an event is triggered Delta Rising Event Specifies...

Page 654: ...monitor fields Sheet 1 of 2 Field Description Name Specifies the name of this monitor Monitor OID Specifies the OID value being monitored Condition Specifies the OID condition that will trigger an event Must be one of the following conditions present missing changed Trigger Event Specifies the event that is triggered if the condition matchs for the specified OID Comment Specifies a comment for thi...

Page 655: ...tification events on page 658 Once notification events are added they cannot be modified To change the settings of an existing notification event first remove that notification and then create a new notification event with the desired changes Delta Discontinuity OID Specifies an OID to monitor for discontinuity Delta Discontinuity OID type Specifies the type of discontinuity to monitor for The opt...

Page 656: ...18 A Adding notification events To add notification events perform the following steps 1 Select the System Administrative SNMP Event Notification Table tab The Notification Table screen appears see Figure 192 Figure 192 Notification Table ...

Page 657: ...escribes the Add a Notification fields 4 Click Apply The notification event appears in the table 5 Click Apply on the toolbar to send the current changes to the Nortel SNAS 4050 Click Commit on the toolbar to save the changes permanently Table 141 Add a Notification Event fields Field Description Name Specifies the notification event name Notification OIDs Specifies the OID s that trigger this not...

Page 658: ...on Table appears see Figure 192 on page 656 2 Select the notification event to be removed The Configuration subtab appears displaying details for the selected notification event 3 Click Delete A dialog box appears for confirmation 4 In the confirmation dialog box click Yes 5 Click Apply on the toolbar to send the current changes to the Nortel SNAS 4050 Click Commit on the toolbar to save the chang...

Page 659: ...system was started Topic Page Viewing system information and performance statistics using the CLI 660 Roadmap of information and statistics commands 660 Viewing system information using the CLI 661 Viewing alarm events using the CLI 666 Viewing log files using the CLI 667 Viewing AAA statistics using the CLI 667 Viewing all statistics using the CLI 670 Viewing system information and performance st...

Page 660: ...AS 4050 hosts access the Statistics menu by using the following command stats Roadmap of information and statistics commands The following roadmap lists the CLI commands to view information and statistics for the cluster Use this list as a quick reference or click on any entry for more information Command Parameter info certs sys sonmp licenses domain ID kick domain ID username domain domain ID sw...

Page 661: ...using the CLI To view current information about system status and the system configuration use the following command info The Information menu displays local ethernet ports info events alarms download protocol server filename info logs list download protocol server filename stats aaa total isdhost host ID domain ID dump stats dump Command Parameter ...

Page 662: ...time DNS settings Access List and administrative applications NTP DNS syslog audit and other servers For information about configuring the system see Configuring system settings on page 457 sonmp Displays SynOptics Network Management Protocol SONMP network topology information including the IP address MAC address chassis type and state of all Nortel SNAS 4050 and SONMP enabled network devices in t...

Page 663: ...mmand Note With Nortel Secure Network Access Switch Software Release 1 0 there is only one domain in the system switch domainid switchid Displays information about the network access devices in a domain by device Information includes the switch type IP address NSNA communication port Red VLAN ID health check settings SSH key and switch status The information is a subset of information displayed by...

Page 664: ...type the client s current VLAN membership and the portal IP address through which the client logged on The options for device type are phone or dynamic PC dn_pc To restrict the the display to a specific domain enter the domain ID as part of the command To restrict the the display to sessions originating from a specific network access device enter the domain ID and switch ID as part of the command ...

Page 665: ...rror due to lack of resources overruns error due to lack of resources frame error due to malformed packets carrier error due to lack of carrier collisions number of packet collisions RX bytes received packets in bytes TX packets transmitted packets in bytes Note A non zero collision value may indicate incorrect configuration of Ethernet auto negotiation For more information see the autoneg command...

Page 666: ...alarms Displays all alarms in the active alarm list by their main attributes severity level alarm ID number date and time when triggered alarm name sender and cause To alert the operator at system logon a notice is displayed if there are active alarms Alarms are also sent as syslog messages download protocol server filename Transmits the event log file from the Nortel SNAS 4050 cluster to a file o...

Page 667: ...ollowing information displays the number of authentication requests accepted and rejected for external LDAP and RADIUS servers the number of authentication requests timed out The external LDAP and RADIUS servers are listed by IP address and TCP port number info logs followed by list Displays a list of all log files download protocol server filename Transmits the log file from the Nortel SNAS 4050 ...

Page 668: ...cluster since the system was started isdhost host ID domain ID Displays authentication statistics for the specified Nortel SNAS 4050 host in the cluster since the system was started You are prompted to specify host ID the index number automatically assigned to the Nortel SNAS 4050 host when you performed the initial setup domain ID the index number automatically assigned to the Nortel SNAS 4050 do...

Page 669: ...imedout 10 0 0 1 389 1 0 0 0 RADIUS Servers DOMAIN Accepted Rejected Timedout 192 168 0 1 1645 1 18 3 1 Local DB DOMAIN Accepted Rejected 1 2 0 Licenses DOMAIN Accepted Rejected SSL 1 0 0 Local Auth Stats for host 1 LDAP Servers DOMAIN Accepted Rejected Timedout 10 0 0 1 389 1 0 0 0 RADIUS Servers DOMAIN Accepted Rejected Timedout 192 168 0 1 1645 1 14 3 0 Local DB DOMAIN Accepted Rejected 1 0 0 L...

Page 670: ...w configuration and status information for a particular Nortel SNAS 4050 host see Viewing local information using the SREM on page 670 To view configuration and status information for the Nortel SNAS 4050 cluster see Viewing cluster information using the SREM on page 672 To view AAA statistics see Viewing AAA statistics using the SREM on page 698 To view Ethernet statistics for an interface see Vi...

Page 671: ...igure 195 Information screen Table 142 describes the Information fields Table 142 Information fields Field Description Version The Nortel SNAS 4050 software version being used Up Time The length of time that the Nortel SNAS 4050 has been running IP Address The Real IP address RIP of the Nortel SNAS 4050 device MAC Address The MAC address of the Nortel SNAS 4050 device ...

Page 672: ...roller list using the SREM on page 673 Viewing SONMP topology information using the SREM on page 675 Viewing switch distribution using the SREM on page 677 Viewing port information using the SREM on page 678 Viewing license information using the SREM on page 680 Viewing session details using the SREM on page 684 Viewing alarms using the SREM on page 691 Managing log files using the SREM on page 69...

Page 673: ...e Network Access Switch 4050 User Guide Viewing the controller list using the SREM To view information about all the Nortel SNAS 4050 devices in the cluster select the Information Controller List tab The Controller List screen appears see Figure 196 Figure 196 Controller List screen ...

Page 674: ... is selected Logging Specifies whether a log file is automatically created for the Controller List If selected you can click Browse to specify the log file name and location Controller List Displays information for all Nortel SNAS 4050 controllers in the cluster Information includes the RIP CPU usage memory usage and operational status of each device An asterisk in the MIP column indicates which N...

Page 675: ... Network Access Switch 4050 User Guide Viewing SONMP topology information using the SREM To view SynOptics Network Management Protocol SONMP network topology information select the Information SONMP State tab The SONMP State screen appears see Figure 197 Figure 197 SONMP State screen ...

Page 676: ...es the interval in seconds before the screen is automatically refreshed Only applicable if Auto Refresh is selected Logging Specifies whether a log file is automatically created for the SONMP state If selected you can click Browse to specify the log file name and location SONMP State Table Displays information about the system topology including the IP address MAC address chassis type and state of...

Page 677: ... Access Switch 4050 User Guide Viewing switch distribution using the SREM To view current status information about network access devices in the cluster select the Information Switch Distribution tab The Switch Distribution screen appears see Figure 198 Figure 198 Switch Distribution screen ...

Page 678: ...MIP the information displayed relates to the Nortel SNAS 4050 device in the cluster that is currently in control of the MIP Table 145 Switch Distribution fields Field Description Switch Distribution Displays information about the Nortel SNAS 4050 hosts in the cluster and the network access devices they control Information for the Nortel SNAS 4050 host includes the Real IP address RIP portal Virtua...

Page 679: ...formation screen appears see Figure 199 Figure 199 Port Information screen Table 146 describes the Port Information fields Table 146 Port Information fields Sheet 1 of 2 Field Description Auto Refresh Specifies whether the information displayed is automatically refreshed Interval Specifies the interval in seconds before the screen is automatically refreshed Only applicable if Auto Refresh is selec...

Page 680: ...ng Specifies whether a log file is automatically created for the active ports If selected you can click Browse to specify the log file name and location Port Status For each port information includes link status up down and the Ethernet auto negotiation setting on off If the link is up the information also includes current values for speed 10 100 1000 and duplex mode half full If the link is down ...

Page 681: ...cs 681 Nortel Secure Network Access Switch 4050 User Guide Viewing global license information To view global license information select the Information Licenses Global Licenses tab The Global Licenses screen appears see Figure 200 Figure 200 Global Licenses screen ...

Page 682: ...rval Specifies the interval in seconds before the screen is automatically refreshed Only applicable if Auto Refresh is selected Logging Specifies whether a log file is automatically created for the global licenses If selected you can click Browse to specify the log file name and location State of Global Licenses Displays information about the global license pool and current usage by license type a...

Page 683: ...ortel Secure Network Access Switch 4050 User Guide Viewing license information for a domain To view license usage by domain select the Information Licenses Per Domain Licenses tab The Per Domain Licenses screen appears see Figure 201 Figure 201 Per Domain Licenses screen ...

Page 684: ...s on page 688 Viewing the number of active sessions using the SREM on page 690 Table 148 Per Domain Licenses fields Field Description Auto Refresh Specifies whether the information displayed is automatically refreshed Interval Specifies the interval in seconds before the screen is automatically refreshed Only applicable if Auto Refresh is selected Logging Specifies whether a log file is automatica...

Page 685: ...select the Information Sessions Sessions tab The Sessions screen appears see Figure 202 Figure 202 Sessions screen The Sessions list displays details for all active sessions To restrict the display to specific sessions click Find or Filter to set match criteria Find and Filter use regular expressions to specify the pattern to match Only sessions that match the set criteria will appear in the list ...

Page 686: ...lient s user name For an IP Phone the MAC address displays Source IP The client s current IP address Source MAC Address The MAC address for the client device VLAN ID The client s current VLAN membership Login Time The time the client logged on If logon was not today the date is reported Device Type The client device type Options are phone or dynamic PC Port ID The port on the network access device...

Page 687: ...r Guide Viewing details for a particular session To view details about active sessions select the Information Sessions session Session Properties tab The Session Properties screen appears see Figure 203 Figure 203 Session Properties screen The Session Properties screen displays details for all the selected session ...

Page 688: ...rs Parameter Description Domain ID The domain ID of the domain in which the session is occurring Switch ID The switch ID of the network access device User Name The client s user name For an IP Phone the MAC address displays Source IP The client s current IP address Source MAC Address The MAC address for the client device VLAN ID The client s current VLAN membership Login Time The time the client l...

Page 689: ... Figure 204 KickOut User screen 2 Ensure that information in the displayed fields specifies the user to kick out Table 151 describes the KickOut User fields 3 Click KickOut Table 151 KickOut User fields Field Description User Name Specifies the user name Domain ID Specifies which domain where the selected user resides in ...

Page 690: ...r of active sessions select the Information Sessions Number of Sessions tab The Number of Sessions screen appears see Figure 205 Figure 205 Number of Sessions screen Table 152 describes the Number of Sessions fields Table 152 Number of Sessions fields Field Description Total Number of Active Sessions Displays the number of currently active sessions ...

Page 691: ...w system alarms that have been activated You can also download the alarms as a log file To alert the operator at system logon a notice is displayed if there are active alarms Alarms are also sent as syslog messages To view system alarms select from the following tasks Viewing active alarms using the SREM on page 692 Downloading alarms using the SREM on page 694 ...

Page 692: ...ormance statistics 320818 A Viewing active alarms using the SREM To view the active alarms for the Nortel SNAS 4050 cluster select the Information Alarms Active Alarms tab The Active Alarms screen appears see Figure 206 Figure 206 Active Alarms screen ...

Page 693: ...cally refreshed Interval Specifies the interval in seconds before the screen is automatically refreshed Only applicable if Auto Refresh is selected Logging Specifies whether a log file is automatically created for the active alarms If selected you can click Browse to specify the log file name and location Active Alarms Table Displays all alarms in the active alarm list by their main attributes sev...

Page 694: ... and performance statistics 320818 A Downloading alarms using the SREM To download an alarm as a logged event select the Information Alarms Download Alarms tab The Download Alarms screen appears see Figure 207 Figure 207 Download Alarms screen ...

Page 695: ...sing the SREM on page 696 Downloading log files using the SREM on page 697 Table 154 Download Alarms fields Field Description Protocol The file export protocol The options are TFTP FTP SFTP The default is FTP Host The host name or IP address of the file exchange server Filename The name of the destination file on the file exchange server Username For FTP and SFTP the user name to access the file e...

Page 696: ...20818 A Viewing the log list using the SREM To view a list of all active logs select the Information Logs tab The Logs screen appears see Figure 208 listing the names of all log files To delete a log file select the file in the list and click Delete Figure 208 Logs screen ...

Page 697: ...ormation Logs tab select the log file you wish to download The Download screen appears see Figure 209 Figure 209 Download screen Table 154 describes the Download fields Table 155 Download fields Sheet 1 of 2 Field Description Protocol The file export protocol The options are TFTP FTP SFTP The default is FTP Host The host name or IP address of the file exchange server ...

Page 698: ...ntication methods configured in the cluster whether or not they have been included in the authentication order scheme see Specifying authentication fallback order using the SREM on page 314 If the statistics for a particular authentication method are always zeroes this might be because the method is not included in the authentication order scheme This section includes the following topics Viewing ...

Page 699: ...orm the following steps 1 Expand the Statistics AAA navigation tree components and select Host Statistics The Hosts table opens see Figure 210 Figure 210 The Hosts table 2 Select the host whose statistics you want to display Do one of the following a In the Statistics AAA Host Statistics Hosts table select the desired host Then in the Statistics AAA Host Statistics Hosts Domain Statistics table se...

Page 700: ...thentication methods are configured for that host some or all of the following tabs may be available License see Viewing License statistics on page 701 for details about license statistics Radius see Viewing RADIUS statistics on page 702 for details about RADIUS statistics Local DB see Viewing Local database statistics on page 704 for details about local database statistics LDAP see Viewing LDAP s...

Page 701: ...he License tab The License statistics appear see Figure 211 Figure 211 License statistics For a description of the fields seeTable 156 Table 156 License statistics Sheet 1 of 2 Field Description Auto Refresh Enables or disables auto refresh of statistics Interval Specifies the interval at which to auto refresh Logging Enables or disables statistics logging in the specified location ...

Page 702: ... statistics appear see Figure 212 Figure 212 RADIUS statistics SSL Accepted Displays the sum of accepted connections by license type For the Nortel SNAS 4050 SSL is the only type of license SSL Rejected Displays the sum of connections rejected because they exceeded the allowed number of concurrent users Table 156 License statistics Sheet 2 of 2 Field Description ...

Page 703: ...esh Logging Enables or disables statistics logging in the specified location Server Statistics Table Displays statistics for each RADIUS server The fields displayed are IP Address Port Displays the RADIUS server IP address and TCP port Accepted Displays the number of accepted requests to the RADIUS server Rejected Displays the number of rejected requests to the RADIUS server Rejections occur for e...

Page 704: ...cal DB statistics appear see Figure 213 on page 704 Figure 213 Local DB statistics For a description of the fields seeTable 158 Table 158 Local DB statistics Sheet 1 of 2 Field Description Auto Refresh Enables or disables auto refresh of statistics Interval Specifies the interval at which to auto refresh Logging Enables or disables statistics logging in the specified location ...

Page 705: ...ect the LDAP tab The LDAP statistics appear see Figure 214 on page 705 Figure 214 LDAP statistics Accepted Displays the number of accepted requests to the Local database Rejected Displays the number of rejected requests to the Local database Rejections occur for example when a user submits an incorrect password Table 158 Local DB statistics Sheet 2 of 2 Field Description ...

Page 706: ... disables statistics logging in the specified location Server Statistics Table Specifies statistics for each LDAP server The information displayed includes IP Address Port Displays theLDAP server IP address and TCP port Accepted Displays the number of accepted requests to the LDAP server Rejected Displays the number of rejected requests to the LDAP server Rejections occur for example when a user s...

Page 707: ...omain perform the following steps 1 Select the Statistics AAA Domain Statistics navigation tree component The Statistics table appears see Figure 215 on page 707 Figure 215 The Statistics table 2 In the navigation tree expand Domain Statistics and select a domain Depending on the authentication methods configured for the domain the following tabs may be available License Radius Local DB ...

Page 708: ...the following tasks Viewing License statistics see Viewing License statistics on page 709 Viewing RADIUS statistics see Viewing RADIUS statistics on page 711 Viewing Local DB statistics see Viewing Local database statistics on page 713 Viewing LDAP statistics see Viewing LDAP statistics on page 715 ...

Page 709: ...s To view License statistics select the License tab The License statistics appear see Figure 216 Figure 216 License statistics For a description of the fields seeTable 160 Table 160 License statistics Sheet 1 of 2 Field Description Auto Refresh Enables or disables auto refresh of statistics Interval Specifies the interval at which to auto refresh ...

Page 710: ...in the specified location SSL Accepted Displays the sum of accepted connections by license type For the Nortel SNAS 4050 SSL is the only type of license SSL Rejected Displays the sum of connections rejected because they exceeded the allowed number of concurrent users Table 160 License statistics Sheet 2 of 2 Field Description ...

Page 711: ...o view RADIUS statistics select the Radius tab The RADIUS statistics appear see Figure 217 Figure 217 RADIUS statistics For a description of the fields see Table 161 Table 161 Viewing RADIUS Statistics Sheet 1 of 2 Field Description Auto Refresh Enables or disables auto refresh of statistics Interval Specifies the interval at which to auto refresh ...

Page 712: ...layed are IP Address Port Specifies the RADIUS server IP address and TCP port Accepted Displays the number of accepted requests to the RADIUS server Rejected Displays the number of rejected requests to the RADIUS server Rejections occur for example when a user submits an incorrect password Timed Out Displays the number of requests to the RADIUS server that timed out Table 161 Viewing RADIUS Statis...

Page 713: ...iew Local database statistics select the Local DB tab The Local DB statistics screen appears see Figure 218 Figure 218 Local DB statistics For a description of the fields seeTable 162 Table 162 Local DB statistics Sheet 1 of 2 Field Description Auto Refresh Enables or disables auto refresh of statistics Interval Specifies the interval at which to auto refresh ...

Page 714: ...tics logging in the specified location Accepted Displays the number of accepted requests to the Local database Rejected Displays the number of rejected requests to the Local database Rejections occur for example when a user submits an incorrect password Table 162 Local DB statistics Sheet 2 of 2 Field Description ...

Page 715: ...ics To view LDAP statistics select the LDAP tab The LDAP statistics appear see Figure 219 Figure 219 LDAP statistics For a description of the fields seeTable 163 Table 163 Viewing LDAP Statistics Sheet 1 of 2 Field Description Auto Refresh Enables or disables auto refresh of statistics Interval Specifies the interval at which to auto refresh ...

Page 716: ... the MIP Logging Enables or disables statistics logging in the specified location Server Statistics Table Displays statistics for each LDAP server The information displayed includes IP Address Port Displays theLDAP server IP address and TCP port Accepted Displays the number of accepted requests to the LDAP server Rejected Displays the number of rejected requests to the LDAP server Rejections occur...

Page 717: ...lowing steps 1 Select the Statistics Interfaces navigation tree component The Ethernet Interface Table appears see Figure 220 Figure 220 The Ethernet Interface table 2 From the Ethernet Interface Table select an interface Select one of the following tasks Viewing Rx statistics see Viewing Rx statistics on page 718 Viewing Tx statistics see Viewing Tx statistics on page 720 ...

Page 718: ...e select the Rx Statistics tab The Rx Statistics screen appears see Figure 221 Figure 221 The Rx statistics screen For a description of the fields seeTable 164 Table 164 Viewing Rx statistics Sheet 1 of 2 Field Description Auto Refresh Enables or disables auto refresh of statistics Interval Specifies the interval at which to auto refresh ...

Page 719: ...number of received packets incrementally Relative Displays the number of packets received since the last poll Rx Packets Displays the total number of received packets Rx Bytes Displays the total number of received packets in bytes Rx Errors Displays number of packets lost due to error Rx Packets Dropped Displays number of packets dropped due to lack of resources Rx Overruns Displays number of pack...

Page 720: ...ace select Tx Statistics tab The Tx statistics screen appears see Figure 222 Figure 222 The Tx statistics screen For a description of the fields seeTable 165 Table 165 Viewing Tx Statistics Sheet 1 of 2 Field Description Auto Refresh Enables or disables auto refresh of statistics Interval Specifies the interval at which to auto refresh ...

Page 721: ...ts Displays the total number of transmitted packets Tx Bytes Displays the total number of transmitted packets in bytes Tx Errors Displays number of packets lost due to error Tx Packets Dropped Displays number of packets dropped due to lack of resources Tx Overruns Displays number of packet errors due to lack of resources Tx Carriers Displays number of packet errors due to lack of carrier Tx Collis...

Page 722: ...722 Chapter 13 Viewing system information and performance statistics 320818 A ...

Page 723: ...6 Backing up or restoring the configuration using the CLI 730 Managing Nortel SNAS 4050 devices using the CLI 733 Managing software for a Nortel SNAS 4050 device using the CLI 734 Managing and maintaining the system using the SREM 736 Performing maintenance using the SREM 736 Backing up or restoring the configuration using the SREM 742 Managing Nortel SNAS 4050 devices and software using the SREM ...

Page 724: ... check You can use the trace feature as a debugging tool for example to find out why authentication fails For sample CLI outputs see Trace tools on page 845 configuration backup and restore see Backing up or restoring the configuration using the CLI on page 730 or Backing up or restoring the configuration using the SREM on page 742 software and device management see Managing Nortel SNAS 4050 devic...

Page 725: ... maintenance and boot commands The following roadmap lists the CLI commands to perform maintenance and software and device management activities Use this list as a quick reference or click on any entry for more information Command Parameter maint dumplogs protocol server filename all isds dumpstats protocol server filename all isds chkcfg starttrace tags domain ID output mode stoptrace cfg ptcfg p...

Page 726: ...ing maintenance using the CLI To check the applied configuration and to download log file and system status information for technical support purposes use the following command maint The Maintenance menu displays download protocol server filename del Command Parameter ...

Page 727: ... default is tftp server is the host name or IP address of the file exchange server filename is the name of the destination log file on the file exchange server The file is in gzip compressed tar format all isds specifies whether the information is to be collected from all Nortel SNAS 4050 devices in the cluster or only from the device to which you are connected Valid options are y yes all or n no ...

Page 728: ...r or only from the device to which you are connected Valid options are y yes all or n no single If you specify n no and you are connected to the MIP information will be collected for the Nortel SNAS 4050 device currently in control of the MIP for FTP and SFTP user name and password chkcfg Checks if the Nortel SNAS 4050 is able to contact gateways routers DNS servers and authentication servers in t...

Page 729: ...vents of Nortel SNA controlled switches Enter the desired tag or a comma separated list of tags for example enter aaa or aaa dns To trace all features press Enter to accept the default domain ID specifies the Nortel SNAS 4050 domain to which you want to limit tracing The default is all To trace all domains enter 0 or press Enter Note With Nortel Secure Network Access Switch Software Release 1 0 th...

Page 730: ...e server use the following command cfg ptcfg protocol server filename passphrase To restore the system configuration use the following command cfg gtcfg protocol server filename passphrase You can also dump the system configuration to the screen and then use copy and paste to save it to a text file To perform a configuration dump use the following command cfg dump passphrase ...

Page 731: ... IP address of the file exchange server filename is the name of the destination file on the file exchange server passphrase is a password phrase required to protect the private keys in the configuration If you later restore the configuration using the gtcfg command you will be prompted for this password phrase for FTP SCP and SFTP user name and password Note If you have fully separated the Adminis...

Page 732: ...ys user caphrase command see page 358 dump passphrase Dumps the current configuration on screen in a format that allows you to restore the configuration without downloading the configuration to a file server You are prompted to specify if you wish to include private keys in the configuration dump If you do then you are prompted to provide a password phrase in order to protect the private keys The ...

Page 733: ...s boot followed by software Accesses the Software Management menu in order to view download and activate software versions see Managing software for a Nortel SNAS 4050 device using the CLI on page 734 halt Stops the Nortel SNAS 4050 device to which you are connected using Telnet SSH or a console connection If you have a Telnet or SSH connection to the Management IP address MIP use the cfg sys host...

Page 734: ...elf remains intact After executing the delete command you can only access the device using a console connection Log on as the Admin user user name admin password admin to enter the Setup menu Note If you receive a warning that the device you are trying to delete has no contact with any other master Nortel SNAS 4050 device in the cluster also connect to the MIP using Telnet or SSH and delete the No...

Page 735: ...tivated If you activate a software version indicated as either unpacked or old the status of that version is propagated to permanent The software status change occurs after the Nortel SNAS 4050 device performs a reboot activate version Activates a downloaded software upgrade package that the cur command indicates as unpacked If serious problems occur when the new software version runs you can swit...

Page 736: ...e exchange server filename is the name of the software upgrade package Software upgrade packages typically have the pkg file name extension for FTP SCP and SFTP user name and password If you include a directory path and file name separated by a forward slash on the same line as the FTP server host name or IP address when you run the command make sure you put the combined directory path and file na...

Page 737: ...ng the SREM on page 741 Dumping logs and status information using the SREM You can dump logs and statistics about the current internal status of the system to a file exchange server The information can then be used for technical support purposes To dump logs or statistics perform the following steps 1 Select the System Maintenance Dumps tab The Dumps screen appears see Figure 223 Figure 223 Dumps ...

Page 738: ... SFTP The default is FTP Hostname IP Address Specifies the host name or IP address of the file exchange server Filename Specifies the name of the destination file on the file exchange server The file is in gzip compressed tar format Collect info for all iSDs Specifies whether the information is to be collected from all Nortel SNAS 4050 devices in the cluster or only from the device to which you ar...

Page 739: ...tem 739 Nortel Secure Network Access Switch 4050 User Guide To start or stop a trace perform the following steps 1 Select the System Maintenance Start Stop Trace tab The Start Stop Trace screen appears see Figure 224 Figure 224 Start Stop Trace ...

Page 740: ...elGuard check for example TunnelGuard session status and the SRS rule check result snas logs operations and events of Nortel SNA controlled switches To trace all available types choose the Select all available option Note If listed the following options are not supported in Nortel Secure Network Access Switch Software Release 1 0 pptp upref smb ftp Domain Specifies the Nortel SNAS 4050 domain to w...

Page 741: ...ion The command also checks if the Nortel SNAS 4050 can connect to web servers specified in group links The SREM displays the result of the connectivity check as well as the method used for the check for example ping To check the configuration perform the following steps 1 Select the System Maintenance Check Configuration tab The Check Configuration screen appears see Figure 225 Figure 225 Check C...

Page 742: ... and certificates to a file on the specified file exchange server as backup You can later use this backup file to restore the configuration To create a backup of your system or restore the configuration from an existing backup perform the following steps 1 Select the System Maintenance Backup Restore tab The Backup Restore screen appears see Figure 226 Figure 226 Backup Restore ...

Page 743: ...ns are TFTP FTP SFTP The default is TFTP Hostname Specifies the host name or IP address of the file exchange server Filename Specifies the name of the backup file on the file exchange server Private Key password Specifies a password phrase used to protect the private keys in the configuration Note If you have fully separated the Administrator user role from the Certificate Administrator user role ...

Page 744: ...50 Managing software versions using the SREM To manage software images and perform upgrades on the Nortel SNAS 4050 device to which you are connected select the System Boot Image List tab The Image List screen appears see Figure 227 listing a history of the Nortel SNAS 4050 software versions used on this device Figure 227 Image List ...

Page 745: ...version Name Displays the name of the Nortel SNAS 4050 device Status Displays the status of the software version on the particular device to which are connected The status options are permanent the software version that is currently operational old the software version that preceded the currently operational software version unpacked the software upgrade package has been downloaded but not yet act...

Page 746: ... connected perform the following steps 1 Select the System Boot Image List tab The Image List screen appears see Figure 227 on page 744 2 Select the image with a Status of permanent from the Image List The Image screen appears displaying information about the active image see Figure 228 For a description of each field that is displayed see Managing software versions using the SREM on page 744 Figu...

Page 747: ...lect the System Boot Image List tab The Image List screen appears see Figure 227 on page 744 2 Select an image with a Status of either old or unpacked from the Image List The Image screen appears displaying information about the selected image see Figure 229 For a description of each field that is displayed see Managing software versions using the SREM on page 744 Figure 229 Image 3 Click Activate...

Page 748: ...able Inactive images have a Status of old or unpacked in the Image List 3 Click Delete A confirmation dialog box appears 4 When prompted click Yes The image is removed from the Image List The active image cannot be removed from the Nortel SNAS 4050 device To remove the active image you must first select another available image to activate see Activating a software image on page 747 Downloading ima...

Page 749: ...49 Nortel Secure Network Access Switch 4050 User Guide To download an image from a file exchange server perform the following steps 1 Select the System Boot Download Image tab The Download Image screen appears see Figure 230 Figure 230 Download Image ...

Page 750: ...ory default configuration Table 171 Download Image fields Field Description Download Type Specifies the import protocol The options are TFTP FTP SCP SFTP The default is TFTP Host Specifies the host name or IP address of the file exchange server Filename Specifies the name of the software upgrade package Software upgrade packages typically have the pkg file name extension Username For FTP SCP and S...

Page 751: ... tab The Reboot Delete ISD Options screen appears see Figure 231 Figure 231 Reboot Delete ISD Options 2 To reboot the Nortel SNAS 4050 device to which you are connected click Reboot When prompted click Yes 3 To shut down the Nortel SNAS 4050 device to which you are connected click Halt When prompted click Yes Always use this command before turning off the device 4 To reset the Nortel SNAS 4050 dev...

Page 752: ... SNAS 4050 device in the cluster also connect to the MIP and delete the Nortel SNAS 4050 device from the cluster by using the delete command on the System Hosts screen The delete command on the Reboot Delete ISD Options tab is primarily intended for when you want to delete a Nortel SNAS 4050 device in one of the following situations The device has become isolated from the cluster The device has be...

Page 753: ... 172 describes the File Download fields Table 172 File Download fields Field Description Download Type The file download protocol The options are FTP SFTP and SCP The default is SFTP Host Name The host name or IP address of the file exchange server Username The user name and password to access the file exchange server Password The user name and password to access the file exchange server ...

Page 754: ... basic diagnostics on the Nortel SNAS 4050 select the Diagnostics tab The Diagnostics screen appears see Figure 233 Figure 233 Diagnostics screen Remote File Path The remote path where the file resides Local Directory The local directory used to save the downloaded file Table 172 File Download fields Field Description ...

Page 755: ...m The options are Ping verify station to station connectivity across the network TraceRoute identify the route used for station to station connectivity across the network NSLookup find the IP address or host name of a machine In order to use this command the Nortel SNAS 4050 must be configured use a DNS server The default operation is Ping IP Address or Host Name The IP address or Host name on whi...

Page 756: ...756 Chapter 14 Maintaining and managing the system 320818 A ...

Page 757: ... need to reinstall the software on the Nortel SNAS 4050 in order to return the device to its factory defaults Upgrading the Nortel SNAS 4050 There are two types of upgrades Minor release upgrade This is typically a bug fix release All configuration data is retained To perform a minor upgrade connect to the Management IP address MIP of the cluster you want to upgrade Topic Page Upgrading the Nortel...

Page 758: ...e To upgrade the Nortel SNAS 4050 you will need the following Access to one of your Nortel SNAS 4050 devices through a remote connection Telnet or SSH or a console connection The software upgrade package loaded on a TFTP FTP SCP SFTP server on your network The host name or IP address of the TFTP FTP SCP SFTP server If you choose to specify the host name note that the DNS parameters must have been ...

Page 759: ...Downloading images using the SREM on page 748 Downloading the software image using the CLI To download the software upgrade package using the CLI perform the following steps 1 Enter the following command at the Main menu prompt Then select whether to download the software upgrade package from a TFTP FTP SCP SFTP server For some TFTP servers files larger than 16 MB may cause the upgrade to fail 2 E...

Page 760: ...ware version is marked as permanent The software version previously marked as permanent will then be marked as old For minor and major releases the software upgrade occurs in synchronized fashion among the set of Nortel SNAS 4050 devices in a cluster If a Nortel SNAS 4050 device in a cluster is not operational when the software is upgraded it will automatically pick up the new version when it is s...

Page 761: ...t means that the software is operational and will survive a reboot of the system old means the software version has been permanent but is not currently operational If a software version marked old is available it is possible to switch back to this version by activating it again current means that a software version marked as old or unpacked has been activated As soon as the system has performed th...

Page 762: ...pgraded as well Therefore you will be logged out of the system and will have to log in again Wait until the login prompt appears This may take up to two minutes depending on your type of hardware platform and whether the system reboots Main boot software cur Version Name Status x x NSNAS permanent z z NSNAS old Note If you encounter serious problems while running the new software version you can r...

Page 763: ...eldom occurs You must perform the reinstall using a console connection Reinstalling the software resets the Nortel SNAS 4050 to its factory default configuration The reinstall erases all other configuration data and current software including old software image versions or upgrade packages that may be stored in the flash memory card or on the hard disk Before you begin To reinstall the software on...

Page 764: ...ates You can later restore the configuration including the installed keys and certificates by using the gtcfg command For more information about these CLI commands see Backing up or restoring the configuration using the CLI on page 730 For information about using the SREM to perform these functions see Backing up or restoring the configuration using the SREM on page 742 If you want to make separat...

Page 765: ...lues press Enter If the Nortel SNAS 4050 was not previously configured for network access or you deleted the Nortel SNAS 4050 from the cluster using the boot delete command no suggested values related to a previous configuration are presented within square brackets you must provide information about the network settings a Specify the port for network connectivity b If the core router attaches VLAN...

Page 766: ... initial setup of the Nortel SNAS 4050 device see Initial setup on page 49 Note For some TFTP servers files larger than 16 MB may cause the update to fail Select a network port 1 4 or i for info 1 Enter VLAN tag id or zero for no VLAN tag 0 Enter IP address for this iSD 192 168 128 185 Enter network mask 255 255 255 0 Enter gateway IP address 192 168 128 1 Select protocol tftp ftp scp sftp tftp pr...

Page 767: ...h 4050 User Guide Reinstalling the software from a CD To reinstall the software image from a CD perform the following steps 1 Boot the Nortel SNAS 4050 from the CD 2 Log on as the root user no password 3 Run install nsnas isd4050 4 When the installation is complete remove the CD and reboot ...

Page 768: ...768 Chapter 15 Upgrading or reinstalling the software 320818 A ...

Page 769: ...ing the built in text based command line interface and menu system you can access and configure the Nortel SNAS 4050 or cluster either through a local console connection using a computer running terminal emulation software or through a remote session using a Telnet client or a Secure Shell SSH client Topic Page Connecting to the Nortel SNAS 4050 770 Establishing a console connection 770 Establishi...

Page 770: ... connect to that Nortel SNAS 4050 with a console connection Connecting to the Nortel SNAS 4050 You can access the CLI in two ways using a console connection through the console port see Establishing a console connection on page 770 using a Telnet connection or SSH connection over the network see Establishing a Telnet connection on page 772 or Establishing a connection using SSH on page 773 Establi...

Page 771: ...rk Access Switch 4050 Installation Guide 320846 A Procedure 1 Connect the terminal to the Console port using the correct serial cable When connecting to a Nortel SNAS 4050 use a serial cable with a female DB 9 connector shipped with the Nortel SNAS 4050 2 Power on the terminal 3 To establish the connection press ENTER on your terminal You will next be required to log on by entering a user name and...

Page 772: ...he initial setup by selecting new or join in the Setup menu the assignment of IP addresses is complete When you are making configuration changes to a cluster of Nortel SNAS 4050 devices using Telnet Nortel recommends that you connect to the MIP However if you want to halt or reboot a particular Nortel SNAS 4050 in a cluster or reset all configuration to the factory default settings you must connec...

Page 773: ...a connection using SSH Using an SSH client to establish a connection over the network provides the following security benefits server host authentication encryption of passwords for user authentication encryption of all traffic that is transmitted over the network when configuring or collecting information from the Nortel SNAS 4050 Enabling and restricting SSH access SSH access to the Nortel SNAS ...

Page 774: ...guring or collecting information from the Nortel SNAS 4050 is encrypted For information about different user accounts and default passwords see Accessing the Nortel SNAS 4050 cluster on page 775 During the initial setup of the Nortel SNAS 4050 device or cluster you are provided with the choice to generate new SSH host keys Nortel recommends that you do so in order to maintain a high level of secur...

Page 775: ...y default only the Administrator user is a member of the certadmin group To separate the Certificate Administrator user role from the Administrator user role the Administrator user can add a new user account to the system assign the new user to the certadmin group and then remove himself or herself from the certadmin group For more information see Adding a new user on page 360 The Boot user can pe...

Page 776: ...out how to change a user account password see Changing passwords on page 366 Table 175 User access levels User Account User Group Access Level Description Default Password oper oper The Operator is allowed read access to some of the menus and information available in the CLI oper admin admin oper certadmin The Administrator is allowed both read and write access to all menus information and configu...

Page 777: ...Menu Command line history and editing For a description of global commands shortcuts and command line editing functions see Appendix A CLI reference on page 803 Idle timeout The Nortel SNAS 4050 will disconnect your local console connection or remote connection Telnet or SSH after 10 minutes of inactivity This value can be changed to a maximum value of 1 hour using the cfg sys adm clitimeout comma...

Page 778: ... save your configuration changes regularly by using the global apply command If you have unapplied configuration changes when you use the global exit command to log out from the CLI you will be prompted to use the global diff command to view the pending configuration changes After verifying the pending configuration changes you can either apply the changes or use the revert command to remove them ...

Page 779: ...tch 5510 functioning as network access devices an Ethernet Routing Switch 8600 functioning as the core router a BCM call server a DNS server a DHCP server and a remediation server The edge switches function in Layer 2 mode Figure 235 on page 780 illustrates the network configuration Topic Page Scenario 779 Steps 782 Configure the network DNS server 782 Configure the network DHCP server 783 Configu...

Page 780: ...rver DHCP Server Remediation Server BCM NSNAS Ethernet Routing Switch 8600 Ethernet Routing Switch 8300 Ethernet Routing Switch 5510 Telephone Telephone Computer Computer Computer Computer VLAN 20 VLAN 30 VLAN 50 VLAN 40 1 1 1 11 1 31 1 23 1 16 1 17 1 7 Port 3 Port 4 Port 5 1 48 1 48 10 200 200 10 10 200 200 5 10 200 200 20 Host IP 10 40 40 2 24 Gateway 10 40 40 1 MIP 10 40 40 3 Portal 10 40 40 10...

Page 781: ...20 1 10 120 120 2 1 31 Call server 50 10 11 11 1 10 11 11 254 1 23 Table 177 VLANs for the Ethernet Routing Switch 8300 VLAN VLAN ID Yellow subnet Red 110 N A Yellow 120 10 120 120 0 24 Green 130 N A VoIP 140 N A Table 178 VLANs for the Ethernet Routing Switch 5510 VLAN VLAN ID Yellow subnet Red 210 N A Yellow 220 10 120 120 0 24 Green 230 N A VoIP 240 N A Note The management VLAN ID is the defaul...

Page 782: ...89 4 Configure the Ethernet Routing Switch 8300 using the CLI on page 790 5 Configure the Ethernet Routing Switch 5510 on page 793 6 Adding the network access devices on page 798 Configure the network DNS server Create a forward lookup zone for the Nortel SNAS 4050 domain see Figure 236 In this example a lookup zone called sac com has been created Figure 236 DNS Forward Lookup configuration ...

Page 783: ...twork DHCP server To configure a DHCP scope using the New Scope Wizard Windows 2000 server 1 Log in to the server using the administrator username and password 2 Run the DHCP admin utility Start Programs Administrative Tools DHCP 3 Create a new DHCP scope see Figure 237 Figure 237 Creating a new DHCP scope ...

Page 784: ... are creating a DHCP scope for the Red VLAN on the Ethernet Routing Switch 8300 The scope start address for the VLAN is 10 110 110 5 and the end address is 10 110 110 25 The scope you create must have a range of IP addresses that is large enough to accommodate all endpoint devices in your network Figure 238 Naming the new DHCP scope ...

Page 785: ...Chapter 17 Configuration example 785 Nortel Secure Network Access Switch 4050 User Guide 5 Specify the IP address range for the DHCP scope see Figure 239 Figure 239 Specifying the IP address range ...

Page 786: ...ter 17 Configuration example 320818 A 6 Select the Yes I want to configure these options now option button on the Configure DHCP Options window see Figure 240 Figure 240 Choosing to configure additional options ...

Page 787: ...Chapter 17 Configuration example 787 Nortel Secure Network Access Switch 4050 User Guide 7 Enter the IP address of the default gateway see Figure 241 Figure 241 Specifying the default gateway ...

Page 788: ...through step 8 on page 788 for each Red Yellow and Green VLAN in the network Note In this configuration example the Nortel SNAS 4050 will function as a captive portal For the Red VLAN scope the DNS server must be the Nortel SNAS 4050 portal Virtual IP address pVIP For the Yellow and Green VLAN scopes enter the IP addresses for the regular DNS servers in your network ...

Page 789: ... use in this example Figure 243 After all DHCP scopes have been created Configure the network core router There are no special requirements for the core router in a Nortel SNA network Refer to the regular documentation for the type of router used in your network 1 Create the Red Yellow Green VoIP and Nortel SNAS 4050 management VLANs ...

Page 790: ...et Routing Switch 8300 using the CLI The configuration procedure is based on the following assumptions You are starting with an installed switch that is not currently configured as part of the network You have installed Software Release 2 2 8 You have configured basic switch connectivity You have initialized the switch and it is ready to accept configuration You have configured devices as describe...

Page 791: ...ing port based VLANs Passport 8310 5 config vlan 110 create byport 1 Passport 8310 5 config vlan 120 create byport 1 Passport 8310 5 config vlan 130 create byport 1 Passport 8310 5 config vlan 140 create byport 1 Configuring the VoIP VLANs Passport 8310 5 config vlan 140 nsna color voip Configuring the Red Yellow and Green VLANs Passport 8310 5 config vlan 110 nsna color red filter id 310 Passport...

Page 792: ...ilter acl 100 ace 1 protocol udp eq any Passport 8310 6 config filter acl 100 ace 1 port dst port bootpd dhcp Passport 8310 6 config filter acl 100 ace default action permit Passport 8310 6 config filter acg 100 create 100 acg name uplink Passport 8310 6 config ethernet slot port filter create 100 Configuring the NSNA ports Add the uplink port Passport 8310 6 config ethernet 1 48 nsna uplink uplin...

Page 793: ...es as described to this point Steps To configure the Ethernet Routing Switch 5510 for the Nortel SNA network perform the following steps 1 Setting the switch IP address on page 793 2 Configuring SSH on page 794 3 Configuring the Nortel SNAS 4050 pVIP subnet on page 794 4 Creating port based VLANs on page 794 5 Configuring the VoIP VLANs on page 794 6 Configuring the Red Yellow and Green VLANs on p...

Page 794: ...5510 48T config nsna nsnas 10 40 40 0 24 Creating port based VLANs 5510 48T config vlan create 210 type port 5510 48T config vlan create 220 type port 5510 48T config vlan create 230 type port 5510 48T config vlan create 240 type port Configuring the VoIP VLANs 5510 48T config nsna vlan 240 color voip Configuring the Red Yellow and Green VLANs 5510 48T config nsna vlan 210 color red filter red 551...

Page 795: ...10 48T config interface fastEthernet 20 5510 48T config if nsna uplink vlans 210 220 230 240 5510 48T config if exit Add the client ports 5510 48T config interface fastEthernet 3 5 5510 48T config if nsna dynamic voip vlans 240 5510 48T config if exit Enabling NSNA globally 5510 48T config nsna enable Configure the Nortel SNAS 4050 To configure the Nortel SNAS 4050 perform the following steps 1 Pe...

Page 796: ...l guide you through the initial configuration Enter port number for the management interface 1 4 1 Enter IP address for this machine on management interface 10 40 40 2 Enter network mask 255 255 255 0 mask Enter VLAN tag id or zero for no VLAN 0 Setup a two armed configuration yes no no Enter default gateway IP address or blank to skip 10 40 40 1 Enter the Management IP MIP address 10 40 40 3 Maki...

Page 797: ...e default tunnel guard user no yes Using restricted action for TunnelGuard failure User name tg User password tg Creating client filter tg_passed Creating client filter tg_failed Creating linkset tg_passed Creating linkset tg_failed Creating group tunnelguard with secure access Creating extended profile full access when tg_passed Enter green vlan id 110 130 Creating extended profile remediation ac...

Page 798: ...estricted Do you want to create a tunnelguard test user yes no yes no Using existing tg_passed filter Using existing tg_failed filter Using existing tg_passed linkset Using existing tg_failed linkset Adding test SRS rule srs rule test This rule check for the presence of the file C tunnelguard tg txt Using existing tg_passed filter Use diff to view pending changes and apply to commit TG group 1 tgs...

Page 799: ...ering SSH Key menu Enter username rwa Leaving SSH Key menu Switch 1 Menu name Set Switch name type Set Type of the switch ip Set IP address port Set NSNA communication port hlthchk Health check intervals for switch vlan Vlan menu rvid Set Red VLAN Id sshkey SSH Key menu reset Reset all the ports on a switch ena Enable switch dis Disable switch delete Remove Switch Error Failed to retrieve host key...

Page 800: ...hernet Routing Switch 5500 Main cfg domain 1 sshkey export tftp 10 20 20 20 sac_key 1 pub Import the public SSH key from the switch Main cfg domain 1 switch 2 sshkey import Mapping the VLANs This example assumes that the VLANs defined on the Ethernet Routing Switch 8300 Switch 1 will always be used exclusively by Switch 1 whereas the VLAN IDs for the VLANs defined on the Ethernet Routing Switch 55...

Page 801: ...801 Nortel Secure Network Access Switch 4050 User Guide Domain Vlan apply Changes applied successfully Enabling the network access devices Main cfg domain 1 switch 1 ena Switch 1 switch 2 ena Switch 2 apply Changes applied successfully ...

Page 802: ...802 Chapter 17 Configuration example 320818 A ...

Page 803: ...system software and individual devices in the system This appendix includes the following topics Topic Page Using the CLI 804 Global commands 804 Command line history and editing 806 CLI shortcuts 807 Using slashes and spaces in commands 810 IP address and network mask formats 810 Variables 811 CLI Main Menu 812 CLI command reference 812 Information menu 814 Statistics menu 815 Configuration menu ...

Page 804: ...nd in the command line interface Display the current menu print Display the current menu Advance one level in the menu structure up Advance one level in the menu structure Placed at the beginning of a command returns to the Main menu Placed within a command string the character separates multiple commands on the same line cd menu path Display the menu indicated within quotation marks TIP Type cd c...

Page 805: ...etstat Show the current network status of the Nortel Secure Network Access Switch 4050 The netstat command provides information about active TCP connections the state of all TCP IP servers and the sockets the servers use nslookup Find the IP address or host name of a machine TIP To use the nslookup command the Nortel Secure Network Access Switch 4050 must be configured to use a DNS server ping IPa...

Page 806: ...er level or command in the menu structure you can return to the bookmarked position by typing the popd command The pushd command can be combined with command stacking For example Information pushd cfg ssl server 1 ssl SSL Settings Execute the popd command to return immediately to the prompt where you issued the pushd command the Information prompt in this example oopd Return to a position in the m...

Page 807: ...so use the left arrow key Ctrl f Move the cursor forward one position to the right You can also use the right arrow key Backspace Erase one character to the left of the cursor position You can also use the Delete key Ctrl d Delete one character at the cursor position Ctrl k Kill erase all characters from the cursor position to the end of the command line Ctrl l Rewrite the most recent command Ctrl...

Page 808: ...abbreviate a command type the first characters which distinguish the command from the others in the same menu or submenu For example you can abbreviate the following command Main cfg sys time ntp list to Main c sy t n l Tab completion The Tab key can be used in the following ways To search for CLI commands or options At the menu prompt type the first character of a command TIP You can use addition...

Page 809: ... information at the Configuration menu prompt without descending into the System menu cfg sys use the following command Configuration cur sys Configuration cur sys System Management IP MIP address 192 168 128 211 iSD Host 1 Type of the iSD master IP address 192 168 128 213 License IPSEC user sessions 250 Secure Service Partitioning PortalGuard TPS unlimited SSL user sessions 250 Default gateway ad...

Page 810: ...ownload ftp 10 0 0 1 pub SSL 5 1 1 upgrade_complete pkg IP address and network mask formats IP addresses and network masks can be expressed in different ways in the CLI IP addresses IP addresses can be specified in the following ways Dotted decimal notation specify the IP address as is 10 0 0 1 According to the formats below A B C D A B C D the equivalent of dotted decimal notation A B D A B 0 D t...

Page 811: ...xpands to the domain name specified for the authentication method of the logged on user var method Expands to the access protocol used http or https var sslsid Expands to the SSL session ID in binary format md5 Expands the variable or variables for example md5 user password and computes an MD5 checksum which is Base 64 encoded TIP Can be used when creating dynamic HTTP headers base64 Expands the v...

Page 812: ...nds see Statistics menu on page 815 Configuration provides submenus for configuring the Nortel SNAS 4050 cluster Some of the commands in the Configuration menu are available only when logged on as Administrator For the Configuration menu commands see Configuration menu on page 816 Boot used for upgrading Nortel SNAS 4050 software and for rebooting Nortel SNAS 4050 devices The Boot menu is accessib...

Page 813: ...eference 813 Nortel Secure Network Access Switch 4050 User Guide Maintenance used for sending technical support information to an external file server For the Maintenance menu commands see Maintenance menu on page 836 ...

Page 814: ... to more detailed information Table 182 Information menu commands Sheet 1 of 2 Command Parameters Submenus Purpose Usage info certs sys sonmp licenses domain ID kick domain ID username domain domain ID switch domainid switchid dist hostid ip domain ID IPaddr mac MACaddr sessions domain ID switch ID username prefix contlist Exclude buffers cache from mem util yes no local ethernet ports events logs...

Page 815: ...page 666 info logs list download protocol server filename View and download log files page 667 Table 183 Statistics menu commands Command Parameters Submenus Purpose Usage stats View performance statistics for the cluster and for individual Nortel SNAS 4050 hosts page 660 stats aaa total isdhost host ID domain ID dump View authentication statistics for the Nortel SNAS 4050 cluster or for individua...

Page 816: ...der and provides cross references to more detailed information Table 184 Configuration menu commands Sheet 1 of 19 Command Parameters Submenus Purpose Usage cfg cert cert ID name name cert key revoke gensigned server client request sign test import export display pass phrase show info subject validate keysize keyinfo del Manage private keys and certificates and access the Certificate menu page 577...

Page 817: ...ay radius ldap local adv del Create and configure an authentication method page 239 cfg domain aaa auth adv groupauth auth IDs secondauth auth ID Configure the current authentication scheme to retrieve user group information from a different authentication scheme page 242 cfg domain aaa auth auth ID for LDAP Configure the Nortel SNAS 4050 domain to use an external LDAP server for authentication pa...

Page 818: ...e their passwords page 260 cfg domain aaa auth ldap ldapmacro list del index number add variable name LDAP attribute prefix suffix insert index number variable name move index number new index number Configure LDAP macros page 258 cfg domain aaa auth ldap servers list del index number add IPaddr port insert index number IPaddr move index number new index number Manage the LDAP servers used for cli...

Page 819: ... to use an external RADIUS server for authentication page 242 cfg domain aaa auth radius servers vendorid vendor ID vendortype vendor type domainid domain ID domaintype domain type authproto pap chapv2 timeout interval sessiontim Modify settings for the specific RADIUS configuration page 245 cfg domain aaa auth radius servers list del index number add IPaddr port shared secret insert index number ...

Page 820: ...authentication database page 208 cfg domain aaa filter filter ID name name tg true false ignore comment comment del Configure the client filters which determine whether extended profile data will be applied to a user page 201 cfg domain aaa group group ID name name restrict linkset extend profile ID tgsrs SRS rule name comment comment del Configure groups on the domain page 198 cfg domain aaa grou...

Page 821: ...defined linksets to a group page 206 cfg domain aaa radacct servers vpnattribu ena dis Configure the Nortel SNAS 4050 to support RADIUS accounting page 147 cfg domain aaa radacct servers list del index number add IPaddr port shared secret insert index number IPaddr move index number new index number Configure the Nortel SNAS 4050 to use external RADIUS accounting servers page 147 cfg domain aaa ra...

Page 822: ...face to the domain and configure logging options page 145 cfg domain del Remove the current domain from the system configuration page 129 cfg domain dnscapt exclude ena dis Configure the Nortel SNAS 4050 portal as a captive portal page 401 cfg domain dnscapt exclude list del index name add domain name insert index number domain name move index number new index number Create and manage the Exclude ...

Page 823: ... to configure settings for a link to an external web page page 416 cfg domain linkset link ftp quick Launch the wizard to configure settings for a link to a directory on an FTP file exchange server page 416 cfg domain portal import protocol server filename restore banner redirect URL logintext text iconmode clean fancy linktext text linkurl on off linkcols columns linkwidth width companynam colors...

Page 824: ...lable ena dis Add custom content such as Java applets to the portal page 410 cfg domain portal lang setlang code charset list Set the preferred language for the portal display page 405 cfg domain quick Launch the quick switch setup wizard to add network access devices to the domain page 75 cfg domain server port port interface interface ID dnsname name trace ssl adv Configure the portal server use...

Page 825: ...ns cachettl ttl cacerts certificate index cachain certificate index list protocol ssl2 ssl3 ssl23 tls1 verify none optional required ciphers cipher list ena dis Configure SSL specific settings for the portal server page 139 cfg domain server trace ssldump tcpdump ping host dnslookup host traceroute host Verify connectivity and capture information about SSL and TCP traffic between clients and the p...

Page 826: ...and a network access device page 91 cfg domain switch hlthchk interval interval deadcnt count sq int interval Configure the interval and dead count parameters for the Nortel SNAS 4050 health checks and status quo mode page 89 cfg domain switch sshkey import add del show export user user Retrieve the public key for the network access device and export the public key for the domain page 88 cfg domai...

Page 827: ...er filename code export protocol server filename list vlist letter del code Manage the language definition files in the system page 403 cfg ptcfg protocol server filename passphrase Save the system configuration to a file on a file exchange server page 730 cfg quick Create a domain using the Nortel SNAS 4050 quick setup wizard page 123 cfg sys mip IPaddr host host ID routes time dns rsa server ID ...

Page 828: ...audit servers vendorid vendortype ena dis Configure the Nortel SNAS 4050 to support RADIUS auditing page 489 cfg sys adm audit servers list del index number add IPaddr port shared secret insert index number IPaddr move index number new index number Configure the Nortel SNAS 4050 to use external RADIUS audit servers page 490 cfg sys adm auth servers timeout interval fallback on off ena dis Configur...

Page 829: ...ervers to authenticate system users page 493 cfg sys adm snmp Configure SNMP for the Nortel SNA network page 618 cfg sys adm snmp ena dis versions v1 v2c v3 snmpv2 mib community users target event Configure SNMP management of the Nortel SNAS 4050 cluster page 620 cfg sys adm snmp community read name write name trap name Configure the community aspects of SNMP monitoring page 622 Table 184 Configur...

Page 830: ...fication OID delevent name list Configure monitors and events defined in the DISMAN EVENT MIB page 627 cfg sys adm snmp snmpv2 mib sysContact contact snmpEnable disabled enabled Configure parameters in the standard SNMPv2 MIB page 621 cfg sys adm snmp target target ID ip IPaddr port port version v1 v2c v3 del Configure notification targets page 626 Table 184 Configuration menu commands Sheet 15 of...

Page 831: ...or managing the SRS rules page 485 cfg sys adm sshkeys generate show knownhosts Generate and view the SSH keys used by all hosts in the cluster for secure management communications page 486 cfg sys adm sshkeys knownhosts list del index number add import IPaddr Manage the public SSH keys of known remote hosts page 487 cfg sys dns servers cachesize entries retransmit interval count count ttl ttl hea...

Page 832: ...for a particular interface page 471 cfg sys host interface interface ID ip IPaddr netmask mask gateway IPaddr routes vlanid tag mode failover trunking ports primary port delete Configure an IP interface and assign physical ports on a particular Nortel SNAS 4050 host page 469 cfg sys host port port autoneg on off speed speed mode full half Configure the connection properties for a port page 472 cfg...

Page 833: ...age static routes on a cluster wide level when more than one interface is configured page 471 cfg sys rsa rsaname name import protocol server filename FTP user name FTP password rmnodesecr del Configure the symbolic name for the RSA server and import the sdconf rec configuration file page 480 cfg sys syslog list del index number add IPaddr facility insert index number IPaddr facility move index nu...

Page 834: ...rname edit username caphrase Change the password for the currently logged on user and add or delete user accounts page 356 cfg sys user edit username password own password user password confirm user password groups cur Set or change the login password for a specified user and view and manage group assignments page 359 cfg sys user edit username groups list del group index add admin oper certadmin ...

Page 835: ...phabetical order and provides cross references to more detailed information Table 185 Boot menu commands Command Parameters Submenus Purpose Usage boot software halt reboot delete Manage Nortel SNAS 4050 software and devices page 733 boot software cur activate version download protocol server filename del View download and activate software versions for the Nortel SNAS 4050 device to which you are...

Page 836: ...ntenance commands and provides a cross reference to more detailed information Table 186 Maintenance menu commands Command Parameters Submenus Purpose Usage maint dumplogs protocol server filename all isds dumpstats protocol server filename all isds chkcfg starttrace tags domain ID output mode stoptrace Check the applied configuration and download log file and system status information for technica...

Page 837: ...the following problems Cannot connect to the Nortel SNAS 4050 using Telnet or SSH page 838 Cannot add the Nortel SNAS 4050 to a cluster page 841 Cannot contact the MIP page 841 The Nortel SNAS 4050 stops responding page 843 A user password is lost page 844 A user fails to connect to the Nortel SNAS 4050 domain page 845 Topic Page Troubleshooting tips 837 Trace tools 845 System diagnostics 847 ...

Page 838: ...d cfg sys adm telnet to enable Telnet access or the command cfg sys adm ssh to enable SSH access Apply your configuration changes Check the Access List If you find that Telnet or SSH access is enabled but you still cannot connect to the Nortel SNAS 4050 using a Telnet or SSH client check whether any hosts have been added to the Access List Enter the command cfg sys accesslist list to view the curr...

Page 839: ...hat any host is allowed to access the Nortel SNAS 4050 over the network assuming that Telnet or SSH access is enabled If there are entries in the Access List but your host is not listed use the cfg sys accesslist add command to add the required host to the Access List Check the IP address configuration If your host is allowed to access the Nortel SNAS 4050 over the network according to the Access ...

Page 840: ...d or some other network analysis tool to locate the problem For more information about the tcpdump command see Tracing SSL traffic using the CLI on page 136 If this does not help you to solve the problem contact Nortel for technical support See How to get help on page 29 cfg cur sys System Management IP MIP address 192 168 128 211 iSD Host 1 Type of the iSD master IP address 10 1 82 145 License IP...

Page 841: ...evice already in the cluster You can verify software versions by typing the command boot software cur The active software version is indicated as permanent To adjust the software version on the Nortel SNAS 4050 device you want to add to the cluster you must either upgrade to a newer software version or revert to an older software version In either case perform the steps described in Reinstalling t...

Page 842: ... join Check the Access List On the existing Nortel SNAS 4050 device in the cluster check whether any hosts have been added to the Access List Enter the command cfg sys accesslist list to view the current Access List Add Interface 1 IP addresses and the MIP to the Access List Use the cfg cur sys command to view the Host Interface 1 IP address for the existing Nortel SNAS 4050 Then use the cfg sys a...

Page 843: ...ortel SNAS 4050 device press the Power button on the back panel to turn the machine off wait until the fan comes to a standstill and then press the Power button again to turn the machine on Log on as the Administrator user when the logon prompt appears and check the operational status again Console connection If you are connected to a particular Nortel SNAS 4050 device through a console connection...

Page 844: ...d If you have lost the Administrator user password the only way to regain access to the Nortel SNAS 4050 as the Administrator user is to reinstall the software using a console connection as the Boot user For more information see Reinstalling the software on page 763 Operator user password If you have lost the Operator user password log on as the Administrator user and define a new Operator user pa...

Page 845: ...n only access the Nortel SNAS 4050 with a console connection using a serial cable and it is assumed that the Nortel SNAS 4050 device is set up in a server room with restricted access A user fails to connect to the Nortel SNAS 4050 domain The following are common reasons why a user may have difficulty authenticating to the Nortel SNAS 4050 domain or why a client connection cannot be established The...

Page 846: ...groups for user john groups trusted base dns Logs failed DNS lookups made during a session Maintenance 13 00 09 868682 10 1 82 145 1 dns Failed to lookup www example com in DNS DNS domain name does not exist ssl Logs information related to the SSL handshake procedure for example the cipher used Maintenance 13 15 55 985432 Trace started 13 16 26 808831 10 1 82 145 1 ssl SSL accept done cipher is RC...

Page 847: ...ter the following command To view detailed information about a specific certificate access the Certificate menu and specify the desired certificate by its index number Network diagnostics To check if the Nortel SNAS 4050 is able to contact configured network access devices routers DNS servers authentication servers and IP addresses or domain names specified in group links use the following command...

Page 848: ...ntly active request sessions total completed request sessions and SSL statistics for configured virtual SSL servers To check statistics for the local Ethernet network interface card enter the following command The screen output provides information about the total number of received and transmitted packets the number of errors when receiving and transmitting packets and the type of error such as d...

Page 849: ...e FTP TFTP SFTP server and examine the contents of the file Error log files If you have configured the Nortel SNAS 4050 to use a syslog server the Nortel SNAS 4050 sends log messages to the specified syslog server For information about configuring a UNIX Syslog daemon see the Syslog manpages under UNIX For information about configuring the Nortel SNAS 4050 to use a syslog server see Configuring sy...

Page 850: ... server you specify The information can then be used for technical support purposes The file sent to the TFTP FTP SFTP server does not contain any sensitive information related to the system configuration such as certificates or private keys ...

Page 851: ... server to the system configuration see Configuring syslog servers using the CLI on page 481 or Configuring servers using the SREM on page 534 The syslog messages are presented in two ways Syslog messages by message type on page 851 Syslog messages in alphabetical order on page 865 Syslog messages by message type The following types of messages occur operating system OS see page 852 system control...

Page 852: ... Category Explanation Action Root filesystem corrupt EMERG The system cannot boot but stops with a single user prompt fsck failed Reinstall in order to recover Config filesystem corrupt beyond repair EMERG The system cannot boot but stops with a single user prompt Reinstall in order to recover Failed to write to config filesystem EMERG Probable hardware error Reinstall Table 189 Operating system m...

Page 853: ...ategory Explanation Action Config filesystem corrupt ERROR Possible loss of configuration Followed by the message Config filesystem re initialized reinstall required or Config filesystem restored from backup Missing files in config filesystem ERROR Possible loss of configuration Followed by the message Config filesystem re initialized reinstall required or Config filesystem restored from backup Lo...

Page 854: ... system or the Nortel SNAS 4050 device s IP address Cause cause of the alarm Extra additional information about the alarm When an alarm is cleared one of the following messages is sent Alarm Cleared Name Name Id ID Sender Sender Alarm Cleared Id ID Table 191 System control process messages INFO Message Category Explanation Action System started isdssl version INFO Sent whenever the system control ...

Page 855: ... critical ALARM Failed to make a new software release permanent after being activated The system automatically reverts to the previous version Name copy_software_release_failed Sender IP Cause copy_failed bad_release_package no_release_package unpack_failed Extra Detailed info Severity critical ALARM A Nortel SNAS 4050 failed to install a software release while trying to install the same version a...

Page 856: ... version VSN Status EVENT Indicates that release VSN version software status is Status unpacked installed permanent Name software_release_copying Sender IP Extra copy software release VSN from other cluster member EVENT Indicates that IP is copying the release VSN from another cluster member Name software_release_rebooting Sender IP Extra reboot with release version VSN EVENT Indicates that a Nort...

Page 857: ...es ERROR Sheet 1 of 3 Message Category Explanation Action internal error no ERROR An internal error occurred Contact support with as much information as possible to reproduce this message javascript error reason for host path ERROR JavaScript parsing error encountered when parsing content from host path The problem could be in the Nortel SNAS 4050 JavaScript parser but most likely it is a syntax e...

Page 858: ...m http header warning cli reason header ERROR The client sent a bad HTTP header http header warning srv reason header ERROR The server sent a bad HTTP header failed to parse Set Cookie header ERROR The Nortel SNAS 4050 got a malformed Set Cookie header from the backend web server Bad IP PORT data line in hc script ERROR Bad ip port found in health check script Reconfigure the health script Normall...

Page 859: ... cannot perform any DNS lookups TPS license limit limit exceeded WARNING The transactions per second TPS limit has been exceeded No PortalGuard license loaded domain id will use portal authentication WARNING The PortalGuard license has not been loaded on the Nortel SNAS 4050 but cfg domain server portal authenticate is set to off No Secure Service Partitioning loaded server id will not use interfa...

Page 860: ...el SNAS 4050 is overloaded The Nortel SNAS 4050 will start accepting connections once it has finished processing its current sessions No cert supplied by backend server INFO No certificate supplied by backend server when doing SSL connect Session terminated to backend server No CN supplied in server cert subject INFO No CN found in the subject of the certificate supplied by the backend server Bad ...

Page 861: ...essage Category Explanation Action Loaded ip port INFO Initializing virtual server ip port Since we use clicerts force adjust totalcache size to size per server that use clicerts INFO Generated if the size of the SSL session cache has been modified No TPS license limit INFO Unlimited TPS license used Found size meg of phys mem INFO Amount of physical memory found on system Table 200 AAA messages E...

Page 862: ...ethod ssl SrcIp ip User user TunIP inner tunnel ip INFO Source IP address for the connection between the Nortel SNAS 4050 and the destination address inner tunnel has been allocated NSNAS LoginFailed Domain id Method ssl SrcIp ip User user Error error INFO Logon to the Nortel SNAS 4050 domain failed The client s access method IP address and user name is shown NSNAS Logout Domain id SrcIp ip User u...

Page 863: ...led to access the specified web server requested from the portal PORTAL Rejected Domain id User user Proto proto Host host Share share Path path INFO The client failed to access the specified folder directory on the specified file server requested from the portal s Files tab SOCKS Rejected Domain id User user SrcIP ip Request request INFO The client failed to perform an operation by using one of t...

Page 864: ... LoginSucceeded Domain 1 SrcIp IPaddr Method ssl User user Groups group profile INFO On Domain 1 user user with IP IP and belonging to group group profile has logged in transferring user user on Switch 1 switchID IPaddr Port unit port to Vlan vlan vlanID INFO Client device on Domain 1 Switch switchID switch IP address IPaddr Unit unit Port port is being moved to the VLAN named vlan with VLAN ID vl...

Page 865: ...unnelguard user username pVIP SRS checks ok open session INFO TunnelGuard applet report The user with user name username logged on to the Nortel SNAS 4050 portal with portal Virtual IP address pVIP has passed the SRS rule check and is authorized to start a session in a Green VLAN Table 204 Syslog messages in alphabetical order Sheet 1 of 10 Message Severity Type Explanation A B C D NSNA portdown I...

Page 866: ...th check script Please reconfigure This should normally be captured earlier by the CLI Bad string found string ERROR Traffic Processing Bad load balancing string encountered This is normally verified by the CLI Can t bind to local address ip port reason ERROR Traffic Processing Problem encountered when trying to set up virtual server on ip port Config filesystem corrupt ERROR OS Possible loss of c...

Page 867: ...AS 4050 timed out Check connectivity between the switch and the Nortel SNAS 4050 failed to locate corresponding portal for portal authenticated http server ERROR Traffic Processing Portal authentication has been configured for an http server but no portal using the same xnet domain can be found Make sure that there is a portal running using the same xnet id Failed to log to CLI reason disabling CL...

Page 868: ... Processing The server sent a bad HTTP header HTTP NotLoggedIn Domain id Host host SrcIP ip Request method host path INFO AAA The user was not logged on to the specified web server requested from the Portal HTTP Rejected Domain id Host host User user SrcIP ip Request method host path INFO AAA The user failed to access the specified web server requested from the Portal HTTP Domain id Host host User...

Page 869: ...Control One or several Nortel SNAS 4050 devices in the cluster do not have the same SSL Nortel SNAS 4050 license with reference to number of concurrent users license ALARM WARNING System Control The demo license loaded to the local Nortel SNAS 4050 expires within 7 days Check loaded licenses using the cfg sys cur command license_expired EVENT System Control Indicates that the the demo license at h...

Page 870: ...fic Processing The PortalGuard license has not been loaded on the Nortel SNAS 4050 but cfg domain server portal authenticate is set to off No Secure Service Partitioning loaded server id will not use interface n WARNING Traffic Processing The Secure Service Partitioning license has not been loaded on the Nortel SNAS 4050 but the server is configured to use a specific interface No TPS license limit...

Page 871: ...ath INFO AAA The remote user has successfully accessed the specified folder directory on the specified file server requested from the Portal s Files tab Rebooting to revert to permanent OS version ERROR OS Happens after Config filesystem re initialized reinstall required or Config filesystem restored from backup if software upgrade is in progress i e if failure at first boot on new OS version relo...

Page 872: ...ion version rejected ERROR Traffic Processing Socks request of version version received and rejected Most likely a non standard socks client SOCKS Domain id User user SrcIP ip Request request INFO AAA The client has successfully performed an operation by using one of the features available under the portal s Advanced tab software_configuration_changed EVENT System Control Indicates that release VS...

Page 873: ...ule comment item reason INFO NSNAS TunnelGuard applet report The user with user name username logged on to the Nortel SNAS 4050 portal with portal Virtual IP address pVIP has failed the SRS rule check and access is restricted in accordance with the behavior configured for SRS rule failure To identify the rule the message includes the SRS rule name and additional comment information defined for the...

Page 874: ...eason for host path ERROR Traffic Processing VBScript parsing error encountered when parsing content from host path This could be a problem in the Nortel SNAS 4050 VBScript parser but most likely a syntactical error in the VBScript on that page www_authenticate bad credentials ERROR Traffic Processing The browser sent a malformed WWW Authenticate credentials header Most likely a broken client Tabl...

Page 875: ...Go to www nortel com support 2 Navigate to the Nortel SNAS 4050 Software page 3 Download the tar gz file for the Nortel SNAS 4050 MIBs 4 Unzip the tar file in order to access the file ALTEON SAC CAP mib ALTEON SAC CAP mib contains an AGENT CAPABILITIES statement which formally specifies which MIBs are implemented For information about configuring the SNMP agent in a cluster see Configuring SNMP on...

Page 876: ...MIB SNMP USER BASED SM MIB SNMPv2 MIB SNMP VIEW BASED ACM MIB SYNOPTICS ROOT MIB 5 ETH MULTISEG TOPOLOGY MIB Table 205 provides more information about some of the MIBs supported by the Nortel SNAS 4050 Table 205 Supported MIBs Sheet 1 of 3 MIB Description ALTEON ISD PLATFORM MIB Contains the following groups and objects isdClusterGroup isdResourceGroup isdAlarmGroup isdBasicNotificatioObjectsGroup...

Page 877: ...anEventObjectsGroup dismanEventEventGroup dismanEventNotificationObjectGroup ENTITY MIB The following groups are implemented entityPhysicalGroup entityPhysical2Group entityGeneralGroup entityNotificationsGroup Write access to snmpTargetParamsTable is turned off in VACM IF MIB The following groups are implemented ifPacketGroup ifStackGroup Limitations The agent does not implement the following obje...

Page 878: ...mp target command see Configuring SNMP notification targets using the CLI on page 626 or from the SREM see Configuring SNMP targets using the SREM on page 634 The following groups are implemented snmpTargetCommandResponderGroup snmpTargetBasicGroup snmpTargetResponseGroup Write access to snmpTargetParamsTable is turned off in VACM SNMP USER BASED SM MIB The following group is implemented usmMIBBas...

Page 879: ...t a Nortel SNAS 4050 device in the cluster is down and out of service isdLicense Sent when the Nortel SNAS 4050 devices in the cluster have different licenses and when a demo license has seven days left before expiration Defined in ALTEON ISD PLATFORM MIB isdLicenseExpired Sent when a license has expired isdMipMigration Signals that the master IP has migrated to another Nortel SNAS 4050 isdSingleM...

Page 880: ...880 Appendix C Supported MIBs 320818 A ...

Page 881: ... SSLv3 DH RSA AES 256 SHA1 AES256 SHA SSLv3 RSA RSA AES 256 SHA1 EDH RSA DES CBC3 SHA SSLv3 DH RSA 3DES 168 SHA1 DES CBC3 SHA SSLv3 RSA RSA 3DES 168 SHA1 DES CBC3 MD5 SSLv2 RSA RSA 3DES 168 MD5 DHE RSA AES128 SHA SSLv3 DH RSA AES 128 SHA1 AES128 SHA SSLv3 RSA RSA AES 128 SHA1 RC4 SHA SSLv3 RSA RSA RC4 128 SHA1 RC4 MD5 SSLv3 RSA RSA RC4 128 MD5 RC2 CBC MD5 SSLv2 RSA RSA RC2 128 MD5 RC4 MD5 SSLv2 RS...

Page 882: ...40 MD5 EXPORT EXP RC2 CBC MD5 SSLv2 RSA 512 RSA RC2 40 MD5 EXPORT EXP RC4 MD5 SSLv2 RSA 512 RSA RC4 40 MD5 EXPORT ADH AES256 SHA SSLv3 DH NONE AES 256 SHA1 ADH DES CBC3 SHA SSLv3 DH NONE 3DES 168 SHA1 ADH AES128 SHA SSLv3 DH NONE AES 128 SHA1 ADH RC4 MD5 SSLv3 DH None RC4 128 MD5 ADH DES CBC SHA SSLv3 DH NONE DES 56 SHA1 EXP ADH DES CBC SHA SSLv3 DH 512 None DES 40 SHA1 EXPORT EXP ADH RC4 MD5 SSLv...

Page 883: ...d Windows Server 2003 Make sure that your account is a member of the Schema Administrators group Install All Administrative Tools Windows 2000 Server 1 Open the Control Panel and double click Add Remove Programs 2 Select Windows 2000 Administrative Tools and click Change 3 Click Next and select Install All Administrative Tools 4 Follow the instructions on how to proceed with the installation Regis...

Page 884: ...nap in Windows 2000 Server and Windows Server 2003 1 Click Start and select Run 2 On Windows 2000 Server enter mmc in the Open field On Windows Server 2003 enter mmc a instead Note that there is a space between mmc and a 3 Click OK The Console window displays 4 On the File Console menu select Add Remove Snap in ...

Page 885: ...e The Add Remove Snap in window displays 5 Click Add The Add Standalone Snap in window displays 6 Under Snap in select Active Directory Schema and click Add Active Directory Schema is added to the Add Remove Snap in window 7 Click Close to close the Add Standalone Snap in window The Add Remove Snap in window redisplays ...

Page 886: ...ouble click the Programs and Administrative Tools folders 3 On the File menu point to New and then select Shortcut The Create Shortcut Wizard displays 4 In the Type the location of the item field type schmmgmt msc 5 Click Next The Select a Title for the Program page displays 6 In the Type a name for this shortcut field type Active Directory Schema 7 Click Finish Permit write operations to the sche...

Page 887: ...3 To create the isdUserPrefs attribute proceed as follows 1 In the Console window on the left pane expand Active Directory Schema by clicking the plus sign The Attributes and Classes folders display 2 Right click Attributes point to New and select Attribute You receive a warning that creating schema objects is a permanent operation and cannot be undone 3 Click Continue The Create New Attribute win...

Page 888: ...ning that creating schema classes is a permanent operation and cannot be undone 2 Click Continue The Create New Schema Class window displays 3 Create the nortelSSLOffload class as shown below 4 Click OK Add isdUserPrefs attribute to nortelSSLOffload class 1 In the Console window on the left pane expand Classes 2 Select the nortelSSLOffload class 3 Right click and select Properties The Properties w...

Page 889: ...ty tab set read write permissions for the group that should have permission to write user preferences to the attribute 7 Click OK Add the nortelSSLOffload Class to the User Class 1 In the Console window on the left pane expand Classes and select user 2 Right click and select Properties The Properties window is displayed 3 Select the Relationship tab 4 Next to Auxiliary Classes click Add Class Add ...

Page 890: ...as shown below 6 Click OK Once you have enabled the User Preferences feature on the Nortel SNAS 4050 using the CLI command cfg domain aaa auth ldap enauserpre or the BBI setting User Preferences under VPN Gateways Authentication Auth Servers LDAP Modify the remote user should now be able to store user preferences in Active Directory ...

Page 891: ...one to obtain its configuration data from a Windows 2000 Server DHCP server retrieve VLAN information required to take advantage of the Auto VLAN Discovery feature This appendix is not intended to be a primer on how to set up a DHCP server The reader is assumed to have a working knowledge of Windows 2000 Server DHCP servers The appendix also does not describe the process used by the IP Phone to in...

Page 892: ...erform the following steps 1 Create DHCP options see Creating the DHCP options on page 892 Call Server Information VLAN Information for auto discovery of the IP Phone VLAN ID 2 Configure the DHCP options see Configuring the Call Server Information and VLAN Information options on page 896 Repeat this step for the data or boot VLAN and the Phone VLAN 3 Set up the IP Phone see Setting up the IP Phone...

Page 893: ...Figure 245 The DHCP Management Console 2 Select the DHCP server you want to configure 3 From the DHCP Management Console toolbar select Action Set Predefined Options Note When you expand the DHCP server navigation tree component the scopes for that particular server are listed below the server name and IP address ...

Page 894: ...P to auto configure IP Phones 320818 A The Predefined Options and Values dialog box opens see Figure 246 Figure 246 The Predefined Options and Values dialog box 4 Click Add The Option Type dialog box opens see Figure 247 on page 895 ...

Page 895: ...nter the required information see Table 208 b Click OK 6 Create the DHCP option for the auto discovery of VLAN ID information a In the Predefined Options and Values dialog box click Add The Option Type dialog box opens see Figure 247 on page 895 Table 208 Option Type dialog box field values for Call Server Information Field Value Name Call Server Information Data type String Code 128 Call Server c...

Page 896: ...ions for both the data or boot VLAN and the Phone VLAN Configure the option for the data or boot VLAN first then repeat the steps to configure the option for the Phone VLAN To configure the options perform the following steps 1 In the DHCP Management Console expand the required VLAN first the data or boot VLAN used with the IP Phone when you repeat the steps the Phone VLAN 2 Right click Scope Opti...

Page 897: ...e IP Phones 897 Nortel Secure Network Access Switch 4050 User Guide The Scope Options dialog box displays see Figure 248 Figure 248 The Scope Options dialog box 3 Using the scroll bar scroll down the list to find the two DHCP options just created ...

Page 898: ...port by a colon The parameters for the Primary S1 and Secondary S2 are separated by a semicolon The string must end in a period c Click Apply Note The Nortel IP Phone 2002 IP Phone 2004 and IP Phone 2007 use the same signature Therefore the string value for Call Server Information is the same for all these IP Phones Table 210 Call Server Information string parameter values Parameter Description A ...

Page 899: ... rules apply A colon separates the hardware revision from the VLAN ID The string must end in a period c Click Apply 6 Click OK 7 Repeat step 1 on page 896 through step 6 to configure the options for the Phone VLAN Setting up the IP Phone In order for the IP Phone to take advantage of the DHCP auto configuration features set the IP Phone up as follows 1 Set the DHCP Option on the IP Phone to 1 to u...

Page 900: ...900 Appendix F Configuring DHCP to auto configure IP Phones 320818 A ...

Page 901: ...pt on page 902 Assigning the logon script on page 903 Configuring the logon script To configure the logon script to automatically launch an end user s browser perform the following steps 1 Create the logon script see Creating a logon script on page 902 Note This appendix provides an example of a very basic logon script to launch the Nortel SNAS 4050 portal page The simple script launches the end u...

Page 902: ...you will use the logon script The same script can be used in multiple domains to accomplish the same task GUID is a globally unique indentifier for associated group policy objects 3 Configure the default domain policy to assign the script to all users in the domain see Assigning the logon script on page 903 Creating a logon script To create a logon script for use on a Windows domain controller to ...

Page 903: ... InternetExplorer Application IE visible true IE Navigate https 10 10 10 1 where 10 10 10 1 is the portal Virtual IP address pVIP of the Nortel SNAS 4050 3 Save the file as a VBScript file vbs Assigning the logon script To assign the logon script for use perform the following steps Figure 249 on page 904 illustrates the steps 1 Click Start Administrative Tools Active Directory Users and Computers ...

Page 904: ...ick the Default Domain Policy and select Edit 6 Expand User Configuration Windows Settings and select Scripts Logon Logoff 7 In the right pane double click Logon 8 Click Add 9 Enter the file name of the script you want to assign and click OK 10 Click OK The logon script is now assigned and will take effect the next time users log on to the domain Figure 249 Assigning a logon script ...

Page 905: ...openssl core openssl org 5 Products derived from this software may not be called OpenSSL nor may OpenSSL appear in their names without prior written permission of the OpenSSL Project 6 Redistributions of any form whatsoever must retain the following acknowledgment This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit http www openssl org THIS SOFTWARE IS PR...

Page 906: ...L EXEMPLARY OR CONSEQUENTIAL DAMAGES INCLUDING BUT NOT LIMITED TO PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES LOSS OF USE DATA OR PROFITS OR BUSINESS INTERRUPTION HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY WHETHER IN CONTRACT STRICT LIABILITY OR TORT INCLUDING NEGLIGENCE OR OTHERWISE ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE The licence...

Page 907: ...is not the intent of this section to claim rights or contest your rights to the work written entirely by you rather the intent is to exercise the right to control the distribution of derivative or collective works based on the Program In addition mere aggregation of another work not based on the Program with the Program or with a work based on the Program on a volume of a storage or distribution m...

Page 908: ...uce you to infringe any patents or other property right claims or to contest validity of any such claims this section has the sole purpose of protecting the integrity of the free software distribution system which is implemented by public license practices Many people have made generous contributions to the wide range of software distributed through that system in reliance on consistent applicatio...

Page 909: ...documentation included with the redistribution if any must include the following acknowledgment This product includes software developed by the Apache Software Foundation http www apache org Alternately this acknowledgment may appear in the software itself if and wherever such third party acknowledgments normally appear 4 The names Apache and Apache Software Foundation must not be used to endorse ...

Page 910: ...nd to permit persons to whom the Software is furnished to do so subject to the following conditions The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software THE SOFTWARE IS PROVIDED AS IS WITHOUT WARRANTY OF ANY KIND EXPRESS OR IMPLIED INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY FITNESS FOR A PARTICULAR PURPOSE...

Page 911: ...hentication method 261 299 network access device 75 78 91 Nortel SNAS 4050 device to a cluster 61 private key 587 RADIUS authentication method 243 RADIUS authentication server 272 SNMP targets 635 users to local authentication database 301 Administrator user access level 775 allowed expressions and escape sequences in Exclude List 388 Apache software license 909 ASCII terminal for console connecti...

Page 912: ...te Signing Request See CSR certificates add 584 back up 591 605 copy 584 create 599 display 591 605 export 574 594 607 formats 571 import 588 603 install 573 manage 575 managing 569 save 574 591 605 test 596 update 574 view basic information 577 view information 598 610 view installed certificates 847 ciphers supported 881 CLI Command Line Interface command reference 812 in Nortel SNA 42 shortcuts...

Page 913: ...al authentication 298 305 logging options 145 network access device 80 93 Nortel SNAS Secure Network Access Switch 4050 roadmap 43 Nortel SNAS 4050 initial setup 52 portal page look and feel 389 RADIUS accounting 146 183 RADIUS authentication 271 273 session timeout 249 SNMP 618 620 633 SNMP community 622 SNMP events 627 647 SNMP notification targets 626 SNMP targets 634 SNMPv2 MIB 621 SNMPv3 user...

Page 914: ... 164 create 121 152 create using quick setup wizard 123 create using SREM domain quick wizard 154 delete 129 163 in Nortel SNAS 4050 118 quick setup wizard 123 status quo mode 133 170 domain quick wizard SREM 154 dump CLI global command 805 E edge switch as network access device 72 edge switch See network access device enable network access device 90 115 SSH access 773 Telnet access 772 encrypt pr...

Page 915: ...traceroute 805 up 804 verbose 806 GNU general public license 906 Green VLAN in Nortel SNA solution 34 groups add 210 add linkset 225 and extended profiles 195 configure 196 198 208 create 198 default group 193 guide for creating SREM 209 in Nortel SNA 35 192 map linksets 206 223 224 modify configuration 212 remove linksets 226 reorder linksets 206 226 guide for creating groups SREM 209 H health ch...

Page 916: ...05 SSLeay license original 905 Lightweight Directory Access Protocol See LDAP lines display option in CLI 805 links types on portal page 394 linksets 194 add to group 225 add to profile 228 autorun 394 map to group 224 map to group or profile 206 223 map to profile 227 on portal page 394 remove from group 226 remove from profile 229 reorder in group 206 226 reorder in profile 206 229 Local authent...

Page 917: ...ot contact 841 monitor switch health 89 111 N netstat CLI global command 805 network diagnostics 847 network access device add 75 78 91 configure 80 93 control communication 90 115 delete 79 93 disable 79 90 115 enable 90 115 manage 91 map the VLANs 96 monitor switch health 89 111 reimport public SSH key 89 SSH public key import 85 network access devices manage 73 Nortel Secure Network Access Swit...

Page 918: ...e display authentication methods 234 portal page change language 393 color themes 391 colors 390 default appearance 390 display 390 language 392 links 394 linksets 394 macros 395 portal server IP address pVIP 51 private keys add 587 back up 591 605 connected to certificate 583 584 display 591 605 encrypt 591 607 export 574 594 607 formats 571 import 588 603 install 573 manage 575 save 574 591 605 ...

Page 919: ...2 Root user access level 775 S save certificates and keys 574 591 605 configuration 67 script to launch browser at logon 398 Secure Shell SSH enable access 66 enable access for SREM 66 Secure Shell See SSH Security Routing Element Manager See SREM See also LDAP authentication Local authentication RADIUS authentication See also SRS rule servers add LDAP authentication 292 add RADIUS authentication ...

Page 920: ... 168 displaying failure details 134 171 SSH Secure Shell connect using 773 enable access 773 host keys 39 key types 39 restrict access 773 unable to connect using 838 SSH keys export Nortel SNAS 4050 public key 84 103 106 generate 85 105 import network access device public key 85 103 manage 84 88 102 109 reimport network access device public key 89 SSL configure server 135 174 settings configure 1...

Page 921: ...unable to add to cluster 841 unable to connect with SSH 838 unable to connect with Telnet 838 view certificates and SSL servers 847 TunnelGuard applet 37 TunnelGuard check configure 132 168 in Nortel SNA 37 two armed configuration 40 41 IP addresses 52 U up CLI global command 804 update certificates 574 upgrade activate software package 761 handling software versions 760 minor or major release upg...

Page 922: ... 34 mapping 82 96 VoIP phones supported in Nortel SNA 33 VoIP VLAN in Nortel SNA solution 35 W Windows domain logon script 398 wizards domain quick setup 123 quick setup 58 quick switch setup 75 quick TunnelGuard setup 134 172 SREM domain quick 154 Y Yellow VLAN in Nortel SNA solution 34 ...

Reviews:

No comments

Related manuals for 4050

TokenLink 3C359B

Brand: 3Com Pages: 4

TokenLink 3C359B

Brand: 3Com Pages: 8

TokenLink 3C339

Brand: 3Com Pages: 2

EtherLink 3C985B-SX

Brand: 3Com Pages: 44

Brand: 3Com Pages: 88

Brand: 3Com Pages: 2

Brand: 3Com Pages: 111

TokenLink 3C359

Brand: 3Com Pages: 4

Brand: 3Com Pages: 74

Brand: 3Com Pages: 6

Brand: B+B SmartWorx Pages: 4

Brand: Lanner Pages: 78

Brand: Juniper Pages: 190

Brand: Quectel Pages: 23

Brand: Net to Net Technologies Pages: 4

Brand: TP-Link Pages: 176

Brand: NKE Pages: 15

JetNet 3508-LVDC

Brand: Korenix Pages: 16

Brands by name

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Popular brands

Load more brands