Nortel 425 series Cli Manual Download Page 48

Page: 48 / 526

Initial setup

•

restricted

. The session remains intact, but access is

restricted in accordance with the rights specified in the
access rules for the group.

•

teardown

. The SSL session is torn down.

The default is

restricted

Use restricted (teardown/restricted) action for Nortel

Health Agent check failure?

[yes]:

Create the default user and group.

The action to be performed when the Nortel Health Agent check
fails depends on your selection in

step f

Using ’restricted’ action for Nortel Health Agent check

failure.

Setting up user account policies...

Create default user account [yes]:

User name:

nha

User password:

nha

Creating SRS rule ’srs-rule-test’ for compliancy

check.

This rule check for the presence of the file

C:\tunnelguard\tg.txt

Creating client filter ’nha_passed’.

Creating client filter ’nha_failed’.

Creating linkset ’nha_passed’.

Creating linkset ’nha_failed’.

Creating group ’nhauser’ with secure access.

Associating group ’nhauser’ with srs rule ’srs-rule-te

st’.

Creating extended profile, full access when

nha_passed

Enter green vlan id [110]:

<VID>

Creating extended profile, remediation access when

nha_failed

Enter yellow vlan id [120]:

<VID>

Creating user ’nha’ in group ’nhauser’.

Setting up system account policies...

Create default system account [yes]:

System account name:

sys

System account password:

sys

Creating client filter ’nha_passed’.

Creating client filter ’nha_system_failed’.

Creating SRS rule ’srs-rule-syscred-test’ for

compliancy check.

This rule check for the presence of the file

Nortel Secure Network Access Switch

Using the Command Line Interface

NN47230-100

03.01

Standard

28 July 2008

Summary of Contents for 425 series

Page 1: ...Nortel Secure Network Access Switch Using the Command Line Interface Release 2 0 Document Revision 03 01 www nortel com NN47230 100 320818 D ...

Page 2: ... the information in this document is believed to be accurate and reliable except as otherwise expressly agreed to in writing NORTEL PROVIDES THIS DOCUMENT AS IS WITHOUT WARRANTY OR CONDITION OF ANY KIND EITHER EXPRESS OR IMPLIED The information and or products described in this document are subject to change without notice Nortel the Nortel logo and the Globemark are trademarks of Nortel Networks ...

Page 3: ...l SNAS clusters 35 Interface configuration 35 Nortel SNAS configuration and management tools 36 Nortel SNAS configuration roadmap 37 Initial setup 41 Before you begin 41 About the IP addresses 42 Initial setup 43 Setting up a single Nortel SNAS device or the first in a cluster 43 Adding a Nortel SNAS device to a cluster 50 Next steps 54 Applying and saving the configuration 55 Managing the network...

Page 4: ... 107 Browser Based Management Configuration 108 Browser Based Management Configuration with SSL 108 Configuring advanced settings 109 Configuring RADIUS accounting 110 Configuring local DHCP services 115 Creation of the location 123 Configuring Lumension PatchLink integration 124 Configuration of the RADIUS server 127 Overview of RADIUS server 127 802 1x functionality 127 Roadmap of RADIUS server ...

Page 5: ...roup or profile 167 Creating a default group 169 Configuring authentication 171 Overview 171 Before you begin 172 Configuring authentication 174 Roadmap of authentication commands 174 Configuring authentication methods 177 Configuring advanced settings 179 Configuring RADIUS authentication 180 Configuring LDAP authentication 187 Configuring local database authentication 200 Specifying authenticati...

Page 6: ...aces 268 Configuring static routes 270 Configuring host ports 271 Managing interface ports 272 Configuring the Access List 273 Configuring date and time settings 274 Configuring DNS servers and settings 276 Configuring RSA servers 279 Configuring syslog servers 279 Configuring administrative settings 281 Enabling TunnelGuard SRS administration 284 Configuring Nortel SNAS host SSH keys 284 Configur...

Page 7: ...mation and performance statistics 337 Viewing system information and performance statistics 337 Roadmap of information and statistics commands 337 Viewing system information 339 Viewing alarm events 344 Viewing log files 345 Viewing AAA statistics 346 Viewing all statistics 348 Kicking by username or address 349 Nortel SNAS TPS Interface 349 Maintaining and managing the system 351 Managing and mai...

Page 8: ...h 8300 393 Configure the Ethernet Routing Switch 5510 395 Configure the Nortel SNAS 397 Troubleshooting 403 Troubleshooting tips 403 Cannot connect to the Nortel SNAS using Telnet or SSH 403 Cannot add the Nortel SNAS to a cluster 405 Cannot contact the MIP 406 The Nortel SNAS stops responding 407 A user password is lost 408 A user fails to connect to the Nortel SNAS domain 409 Trace tools 409 Sys...

Page 9: ...indows Server 2003 485 Add the Active Directory Schema Snap in Windows 2000 Server and Windows Server 2003 486 Permit write operations to the schema Windows 2000 Server 488 Create a new attribute Windows 2000 Server and Windows Server 2003 489 Create the new class 489 Configuring IP Phone auto configuration 494 Creating the DHCP options 494 Configuring the Call Server Information and VLAN Informat...

Page 11: ...le or partial copies Nortel Networks grants you a license to use the Software only in the country where you acquired the Software You obtain no rights other than those granted to you under this License Agreement You are responsible for the selection of the Software and for the installation of use of and results obtained from the Software 1 Licensed Use of Software Nortel Networks grants Customer a...

Page 12: ...arranties conditions of any kind NORTEL NETWORKS DISCLAIMS ALL WARRANTIES CONDITIONS FOR THE SOFTWARE EITHER EXPRESS OR IMPLIED INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE AND ANY WARRANTY OF NON INFRINGEMENT Nortel Networks is not obligated to provide support of any kind for the Software Some jurisdictions do not allow exclusion of i...

Page 13: ... In either event upon termination Customer must either return the Software to Nortel Networks or certify its destruction c Customer is responsible for payment of any taxes including personal property taxes resulting from Customer s use of the Software Customer agrees to comply with all applicable laws including all applicable export and import laws and regulations d Neither party may bring an acti...

Page 15: ...RADIUS server page 127 Configuration of Microsoft NAP Interoperability page 139 Configuration of auto blacklisting page 293 Configuration of harden password page 295 Kicking by username or address page 349 Nortel SNAS TPS Interface page 349 Self service portal page 233 Configuring the Nortel SNAS scheduler page 359 On the fly SRS Policy Change When a security policy is modified on the SNAS using t...

Page 16: ... non Windows operating systems the applet supports collecting operating systems information and VLAN transition for more information see the Multi OS Applet Support page 32 Other changes No changes Nortel Secure Network Access Switch Using the Command Line Interface NN47230 100 03 01 Standard 28 July 2008 Copyright 2007 2008 Nortel Networks ...

Page 17: ...he Nortel SNAS using the Nortel SNAS 4050 or 4070 for Nortel Secure Network Access Switch Software Release 2 0 The document includes the following information overview of the role of the Nortel SNAS 4050 or 4070 in the Nortel SNAS initial setup configuring authentication authorization and accounting AAA features managing system users customizing the portal upgrading the software logging and monito...

Page 18: ... familiarity with networking concepts and terminology experience with windowing systems or GUIs basic knowledge of network topologies Before using this guide you must complete the following procedures For a new switch Step Action 1 Install the switch For installation instructions see Nortel Secure Network Access Switch 4050 Installation Guide NN47230 300 2 Connect the switch to the network For mor...

Page 19: ...u must choose only one of the options Do not type the braces when entering the command Example If the command syntax is show ip alerts routes you must enter either show ip alerts or show ip routes but not both brackets Optional elements in syntax descriptions Do not type the brackets when entering the command Example If the command syntax is show ip interfaces alerts you can enter either show ip i...

Page 20: ...ering the command Example If the command syntax is show ip alerts routes you enter either show ip alerts or show ip routes but not both Related information This section lists information sources that relate to this document Publications Refer to the following publications for information on the Nortel SNAS Nortel Secure Network Access Solution Guide NN47230 200 Nortel Secure Network Access Switch ...

Page 21: ...Reader How to get help If you purchased a service contract for your Nortel product from a distributor or authorized reseller contact the technical support staff for that distributor or reseller for assistance If you purchased a Nortel service program use the http www nortel com h elp web page to locate information to contact Nortel for assistance To obtain Nortel Technical Support contact informat...

Page 22: ...P web page 2 Click Technical Support on the CONTACT US web page 3 Click Express Routing Codes on the TECHNICAL SUPPORT web page End Nortel Secure Network Access Switch Using the Command Line Interface NN47230 100 03 01 Standard 28 July 2008 Copyright 2007 2008 Nortel Networks ...

Page 23: ... page 115 Hub DHCP subnet type page 118 Support for WLAN Controller Configuring local DHCP services page 115 Hub DHCP subnet type page 118 Support of RADIUS server Configuration of the RADIUS server page 127 Support of Microsoft NAP Interoperability Configuration of Microsoft NAP Interoperability page 139 Nortel Health Agent Run Once Continuous and Never modes Configuring groups page 156 Managing ...

Page 24: ...ration roadmap page 37 The Nortel SNAS Nortel Secure Network Access Solution Nortel SNAS is a protective framework to completely secure the network from endpoint vulnerability The Nortel SNAS addresses endpoint security and enforces policy compliance Nortel SNAS delivers endpoint security by enabling only trusted role based access privileges premised on the security level of the device user identi...

Page 25: ...al optional elements of the Nortel SNAS remediation server corporate authentication services such as LDAP or RADIUS services Each Nortel SNAS device can support up to five network access devices Supported users The Nortel SNAS supports the following types of users PCs using the following operating systems Windows 2000 SP4 Windows XP SP2 Linux MAC OS Vista The Nortel SNAS supports the following bro...

Page 26: ...the Nortel SNAS 4050 switch to activate support for the additional users The file can support an additional 100 250 500 or 1000 users ATTENTION An authenticated IP Phone is considered to be a licensed user Your unique software license key is based on your switch MAC address Before you obtain your software license file first record the MAC address for the Nortel Secure Network Access Switch to be u...

Page 27: ...ess Switch Configuration Using the BBI NN47230 500 Role of the Nortel SNAS The Nortel SNAS helps protect the network by ensuring endpoint compliance for devices that connect to the network Before allowing a device to have full network access the Nortel SNAS checks user credentials and host integrity against predefined corporate policy criteria Through tight integration with network access devices ...

Page 28: ...ms session management Monitors the health of clients and switches Performs logging and auditing functions Provides High Availability HA through IPmig protocol Nortel SNAS enforcement types Nortel SNAS provides several enforcement types for restricting access to the network VLANs and filters uses a combination of VLANs and filters to provide enforcement It is available with NSNA network access devi...

Page 29: ...in its Red VLAN The Nortel SNAS authenticates the client By default the Nortel SNAS then downloads a Nortel Health Agent applet to check the integrity of the client host If the integrity check fails the Nortel SNAS instructs the network access devices to move the client to a Yellow VLAN with its associated filter If the integrity check succeeds the Nortel SNAS instructs the network access devices ...

Page 30: ...S using the filter DHCP subnet type maintains these demands at the same level as with VLANs and filters for more information see Configuring local DHCP services page 115 DHCP hub subnet DHCP hub subnet enforcement allows the Nortel SNAS to operate with a broader range of Nortel ethernet switches as well as third party network access devices Unlike VLANs and filters and Filters only enforcement DHC...

Page 31: ...hod if no external authentication databases exist for testing purposes for speedy deployment or as a fallback for external database queries You can also use the local database for authorization only if an external server provides authentication services but cannot be configured to return a list of authorized groups MAC authentication The media access control MAC address of the end point device can...

Page 32: ...lient s DHCP lease with the network access devices If the required components are not present on the client machine Nortel Health Agent reports that the SRS rule check failed You configure behavior following host integrity check failure The session can be torn down or the Nortel SNAS can instruct the network access devices to grant the client restricted access to the network for remediation purpos...

Page 33: ...e supported Mac OS X Server v10 5 Leopard Mac OS X Server v10 4 Tiger Mac OS X v10 3 Panther Mac OS X v10 2 Mac OS 9 Communication channels Communications between the Nortel SNAS and key elements of the Nortel SNAS are secure and encrypted Table 2 Communication channels in the Nortel SNAS network page 33 shows the communication channels in the network Table 2 Communication channels in the Nortel S...

Page 34: ... server hosts SSH clients in the Nortel SNAS network do not silently accept new keys from previously unknown server hosts Instead they refuse the connection if the key does not match their known hosts The Nortel SNAS supports the use of three different SSH host key types RSA1 RSA DSA SSH protocol version 1 always uses RSA1 keys SSH protocol version 2 uses either RSA or DSA keys For management comm...

Page 35: ...an control more switches and handle more user sessions fault tolerance If a Nortel SNAS device fails the failure is detected by the other node in the cluster which takes over the switch control and session handling functions of the failed device As long as there is one running Nortel SNAS no sessions will be lost The devices in the cluster can be located anywhere in the network and do not have to ...

Page 36: ...n page 36 illustrates a one armed configuration Figure 1 One armed configuration Nortel SNAS configuration and management tools You can use a number of device and network management tools to configure and manage the Nortel SNAS Command Line Interface CLI You must use the CLI to perform initial setup on the Nortel SNAS and to set up the Secure Shell SSH connection between the Nortel SNAS and the ne...

Page 37: ...rovisioning application You can use EPM to provision filters on the Nortel SNAS network access devices EPM 4 2 supports preconfiguration of Red Yellow and Green VLAN filters prior to enabling the Nortel SNAS feature In future releases of the Nortel SNAS and EPM software users will have the additional ability to add and modify security and quality of service filters while Nortel SNAS is enabled on ...

Page 38: ... captive portal to work 3 Configure the network core router a Create the Red Yellow Green VoIP and Nortel SNAS management VLANs b If the edge switches are operating in Layer 2 mode enable 802 1q tagging on the uplink ports to enable them to participate in multiple VLANs then add the ports to the applicable VLANs ATTENTION The uplink ports must participate in all the VLANs c Configure IP addresses ...

Page 39: ... modify the filters after Nortel SNAS is enabled i Configure the VoIP VLANs j Configure the Red Yellow and Green VLANs associating each with the applicable filters k Configure the Nortel SNAS ports Identify switch ports as either uplink or dynamic When you configure the uplink ports you associate the Nortel SNAS VLANs with those ports Clients are connected on the dynamic ports You can configure No...

Page 40: ...s and export the SSH key see Adding a network access devices page 60 10 Specify the VLAN mappings see Mapping the VLANs page 66 11 Test Nortel SNAS connectivity by using the maint chkcfg command see Performing maintenance page 353 12 Configure groups see Configuring groups and profiles page 149 13 Configure client filters see Configuring client filters page 162 14 Configure extended profiles see C...

Page 41: ...tel SNAS you must complete the following tasks Step Action 1 Plan the network For more information see Nortel Secure Network Access Solution Guide NN47230 200 In order to configure the Nortel SNAS you require the following information IP addresses Nortel SNAS Management IP address MIP portal Virtual IP address pVIP Real IP address RIP default gateway DNS server NTP server if applicable external au...

Page 42: ... cluster and identifies the cluster The MIP always resides on a master Nortel SNAS device If the master Nortel SNAS that currently holds the MIP fails the MIP automatically migrates to a functional master Nortel SNAS In order to configure the Nortel SNAS or Nortel SNAS cluster remotely you connect to the MIP using Telnet for the CLI or SSH for the CLI the SREM or the BBI Portal Virtual IP address ...

Page 43: ...N If an IP address MIP VIP RIP or gateway is changed the Nortel SNAS must be rebooted for the change to take effect Initial setup The initial setup is a guided process that launches automatically the first time you power up the Nortel SNAS and log on You must use a console connection in order to perform the initial setup For a standalone Nortel SNAS or the first Nortel SNAS in a cluster see Settin...

Page 44: ...tal traffic traffic between the Nortel Health Agent applet on the client and the portal 4 Specify the RIP for this device This IP address will be assigned to Interface 1 Enter IP address for this machine on management interface IPaddr The RIP must be unique on the network and must be within the same subnet as the MIP 5 Specify the network mask for the RIP on Interface 1 Enter network mask 255 255 ...

Page 45: ...ateway verify your settings on the core router Do not proceed with the initial setup until the connectivity test succeeds 9 Configure the interface for client portal traffic Interface 2 a Specify a port number for the client portal interface This port will be assigned to Interface 2 The port number must not be the same as the port number for the management interface Interface 1 b Specify the RIP f...

Page 46: ...12 Enter the current time settings Enter the current time HH MM SS 00 04 10 13 Specify the NTP server if applicable Enter NTP server address or blank to skip IPaddr ATTENTION If you do not have access to an NTP server at this point you can configure this item after the initial setup is completed See Configuring date and time settings page 274 14 Specify the DNS server Enter DNS server address or b...

Page 47: ...ard yes yes Creating default networks under cfg doamin aaa network 19 Specify the portal virtual IP address pvip of the Nortel SNAS device Enter NSNAS Portal Virtual IP address pvip IPaddr 20 Specify a name for the Nortel SNAS domain Enter NSNAS Domain name name 21 Specify any domain names you wish to add to the DNS search list as a convenience to clients If the domain name is in the DNS search li...

Page 48: ...le C tunnelguard tg txt Creating client filter nha_passed Creating client filter nha_failed Creating linkset nha_passed Creating linkset nha_failed Creating group nhauser with secure access Associating group nhauser with srs rule srs rule te st Creating extended profile full access when nha_passed Enter green vlan id 110 VID Creating extended profile remediation access when nha_failed Enter yellow...

Page 49: ...e secure web based configuration management yes Enabling configuration management to https 192 168 0 62 4443 Loading default radius dictionaries Initializing system ok Setup successful Relogin to configure End Settings created by the quick setup wizard The quick setup wizard creates the following basic Nortel SNAS settings Step Action 1 A Nortel SNAS domain Doamin 1 A Nortel SNAS domain encompasse...

Page 50: ...quests made with http to https since the Nortel SNAS portal requires an SSL connection End Adding a Nortel SNAS device to a cluster After you have installed the first Nortel SNAS in a cluster see Setting up a single Nortel SNAS device or the first in a cluster page 43 you can add another Nortel SNAS to the cluster by configuring the second Nortel SNAS setup to use the same MIP When you set up the ...

Page 51: ...fore you perform the join operation or the devices will not be able to communicate with each other For information about adding entries to the Access List see Configuring the Access List page 273 The existing Nortel SNAS and the new Nortel SNAS must run the same version of software If the versions are different decide which version you want to use and then do one of the following To change the ver...

Page 52: ...AS management and connections to intranet resources and client portal traffic traffic between the Nortel Health Agent applet on the client and the portal ATTENTION For consistency Nortel recommends that you specify the same port number for the management interface port on all Nortel SNAS devices in the cluster 4 Specify the RIP for this device This IP address will be assigned to Interface 1 Enter ...

Page 53: ...isting iSD which must be operational and initialized Enter the Management IP MIP address IPaddr 9 Specify the default gateway IP address for Interface 2 The default gateway is the IP address of the interface on the core router that will be used if no other interface is specified The default gateway IP address on Interface 2 must be within the same subnet as the RIP for Interface 2 Enter default ga...

Page 54: ... Access List to control Telnet and SSH access see Configuring the Access List page 273 From this point on you can configure the Nortel SNAS using either the CLI or the BBI 2 To enable remote management using Telnet use the cfg sys adm telnet on command to enable Telnet access to the Nortel SNAS for more information see Configuring administrative settings page 281 3 To finish connecting the Nortel ...

Page 55: ...nter explicit commands in order to make configuration changes permanent and in order to create a backup configuration file If you have not already done so after each sequence of configuration steps confirm your changes using the apply command To view your configuration on the screen for copy and paste into a text file use the following command cfg dump To save your configuration to a TFTP FTP SCP ...

Page 57: ...egin In Trusted Computing Group TCG terminology the edge switches in a Nortel SNAS function as the Policy Enforcement Point In this document the term network access devices is used to refer to the edge switch once it is configured for the Nortel SNAS network The following edge switches can function as network access devices in the Nortel SNAS Ethernet Routing Switch 8300 Ethernet Routing Switch 55...

Page 58: ... and Green VLANs the TCP port to be used for Nortel SNAS communication for Ethernet Routing Switch 8300 switches a valid rwa user name Managing network access devices The Nortel SNAS starts communicating with the network access devices as soon as you enable the switch on the Nortel SNAS by using the cfg domain switch ena command You cannot configure the VLAN mappings for a network access devices i...

Page 59: ...index list cfg domain switch vlan add name VLAN ID del index list cfg domain sshkey generate show export cfg domain switch sshkey import add del show export user user cfg domain switch hlthchk interval interval deadcnt count sq int interval cfg domain switch dis cfg domain switch ena Nortel Secure Network Access Switch Using the Command Line Interface NN47230 100 03 01 Standard 28 July 2008 Copyri...

Page 60: ...k switch setup wizard Main cfg domain quick 2 Specify the IP address of the network access devices IP address of Switch IPaddr 3 Specify the SNMP profile of the network access devices If the quick setup of your domain is not completed in this case most likely there is no SNMP profile to select See Configuring SNMP Profiles page 75 for more information SNMP profile 4 It searches for the SNMP settin...

Page 61: ...he default is port 5000 NSNA communication port 5000 8 The SSH fingerprint of the switch is automatically picked up if the switch is reachable If the fingerprint is successfully retrieved go to step 7 If the fingerprint is not successfully retrieved you will receive an error message and be prompted to add the SSH key Trying to retrieve fingerprint failed Error Failed to retrieve host key Do you wa...

Page 62: ...W5Bq ToMv PspwI WbV8TjycWeC7nk Tg X53hc 10 Wait while the wizard completes processing to add the network access devices then enter Apply to activate the changes The system automatically assigns the lowest available switch ID to the network access devices The switch is disabled when it is first added to the configuration Do not enable the switch until you have completed configuring the system For m...

Page 63: ...igured on the switch username the user name for an rwa user on the switch required for Ethernet Routing Switch 8300 only The SSH fingerprint of the switch is automatically picked up if the switch is reachable If the fingerprint is not successfully retrieved you receive an error message Error Failed to retrieve host key After you have added the switch you must add or import the SSH public key for t...

Page 64: ...SNAS domain the switch is disabled by default Do not enable the switch until you have completed configuring it In particular do not enable the switch until you have mapped the VLANs see Mapping the VLANs page 66 and exchanged the necessary SSH keys see Managing SSH keys page 68 If you want to reconfigure the VLAN mappings or delete a VLAN for an existing network access devices use the cfg domain s...

Page 65: ...500 Specifies the type of network access devices Valid options are ERS8300 an Ethernet Routing Switch 8300 ERS5500 an Ethernet Routing Switch 5510 5520 or 5530 The default is ERS8300 mgmtproto mgmtproto Sets the Switch Management Protocol ip IPaddr Specifies the IP address of the switch port port Specifies the TCP port used for Nortel SNAS communication The default is port 5000 hlthchk Accesses th...

Page 66: ...in configuration Mapping the VLANs The VLANs are configured on the network access devices You specify the Red VLAN for each network access devices when you add the switch see Adding a network access devices page 60 After adding the switch you must identify the Yellow and Green VLANs to the Nortel SNAS You can perform the VLAN mapping in two ways for all switches in a domain by using the cfg domain...

Page 67: ...e Domain vlan or Switch vlan menu includes the following options cfg domain switch vlan followed by add name VLAN ID Adds the specified VLAN to the domain or switch VLAN map You are prompted to enter the required parameters if you do not include them in the command name is the name of the VLAN as configured on the switch VLAN ID is the ID of the VLAN as configured on the switch The system automati...

Page 68: ...To enable secure communication between the Nortel SNAS and the network access devices do the following Step Action 1 Generate an SSH public key for the Nortel SNAS domain see Generating SSH keys for the domain page 70 if necessary Apply the change immediately If you created the domain manually the SSH key was generated automatically see Manually creating a domain page 83 ATTENTION The SSH key for ...

Page 69: ...eys for Nortel SNAS communication page 71 For an Ethernet Routing Switch 8300 you can retrieve the key in two ways Use the cfg domain switch sshkey import command to import the key directly from the network access devices Use the cfg domain switch sshkey add command to paste in the key For an Ethernet Routing Switch 5510 5520 or 5530 Use the cfg domain switch sshkey import command to import the ke...

Page 70: ...rt Exports the Nortel SNAS domain public key to a file exchange server You are prompted to enter the following information protocol options are tftp ftp scp sftp The default is tftp ATTENTION Use TFTP to export to an Ethernet Routing Switch 5500 Series switch Ethernet Routing Switch 5500 Series switches do not support the other protocols host name or IP address of the server file name of the key f...

Page 71: ...Generating an SSH key for the domain Managing SSH keys for Nortel SNAS communication To retrieve the public key for the network access devices and export the public key for the domain use the following command Nortel Secure Network Access Switch Using the Command Line Interface NN47230 100 03 01 Standard 28 July 2008 Copyright 2007 2008 Nortel Networks ...

Page 72: ...for the network access devices export Exports the SSH public key for the Nortel SNAS domain to the network access devices ATTENTION You cannot use this command to export the key to an Ethernet Routing Switch 5500 series switch Instead use the cfg domain 1 sshkey export command to upload the key to a file exchange server user user Specifies the user name for the network access devices required for ...

Page 73: ...val the network access devices moves all its clients into the Red VLAN When connectivity is re established the Nortel SNAS synchronizes sessions with the network access devices The health check interval dead count and status quo interval are configurable To configure the interval and dead count parameters for the Nortel SNAS health checks and status quo mode use the following command cfg domain sw...

Page 74: ...ication with the network access devices To stop communication between the Nortel SNAS and a network access devices use the following command cfg domain switch dis Enter apply to apply the change immediately ATTENTION If the switch is not going to be used in the Nortel SNAS network Nortel recommends deleting the switch from the Nortel SNAS domain rather than just disabling it To restart communicati...

Page 75: ...tion protocols sscp sscplite SSCP is selected by default Usage mgmtproto sscp sscplite SSCP SSCPLite The sscplite includes the following option cfg domain switch sscplite followed by profile Set SNMP profile to use Configuring SNMP Profiles To configure the snmp profiles use the following command cfg domain snmp profile Enter the SNMP profile number Creates the SNMP profile Enter the name of this ...

Page 76: ...erent versions of SNMP are the SNMPv1 SNMPv2c and SNMPv3 SNMPv1 is the standard version of SNMP SNMPv1 framework distinguishes between application entities and protocol entities The SNMPv2c was created as an update of SNMPv1 with several features The key enhancements of SNMPv2c are focused on the SMI Manager to manager capability and protocol operations SNMPv3 defines the secure version of the SNM...

Page 77: ...mmunity menu appears The SSCPLite Community menu includes the following options cfg domain snmp profile community followed by read Set Read Community string Read Public write Set Write Community string Write Private trap Set Trap Community string trap trap Configuring SNMP Templates To configure the SNMP templates use the following commands cfg device The SNMP templates includes the following opti...

Page 78: ... to the Tftp servers clear Delete command will delete the template entry from the list and can delete the whole list of Templates Nortel Secure Network Access Switch Using the Command Line Interface NN47230 100 03 01 Standard 28 July 2008 Copyright 2007 2008 Nortel Networks ...

Page 79: ...on servers and remediation servers associated with that Nortel SNAS cluster If you ran the quick setup wizard during initial setup Domain 1 is created If you did not run the quick setup wizard you must create at least one domain For information about creating a domain see Creating a domain page 83 To delete a domain see Deleting a domain page 89 ATTENTION With Nortel Secure Network Access Switch S...

Page 80: ...e Configuration of Microsoft NAP Interoperability page 139 Location based security see Creation of the location page 123 the SSL server used for the domain portal see Configuring the SSL server page 97 SSL trace commands SSL settings logging traffic with syslog messages portal settings see Customizing the portal and user logon page 227 captive portal portal look and feel linksets the network acces...

Page 81: ...cnt count hbretrycnt count status quo on off onflysrs on off desktopnam Desktop agent shortcut name action teardown restricted list details on off custscript on off persistoob on off loglevel fatal error warning info debug cfg domain aaa nha quick cfg domain aaa nha desktopagent Usage desktopagent on off auto cfg domain server port port interface interface ID dnsname name cfg domain server trace s...

Page 82: ...g info notice facility auth authpriv daemon local0 7 ena dis cfg domain httpredir port port redir on off cfg domain adv interface interface ID log cfg domain aaa radacct ena dis cfg domain aaa radacct servers list ip port secret del index number add ip port secret insert position ip port secret move index number value new index number value cfg domain aaa radacct domainattr vendorid vendortype Nor...

Page 83: ...nemonic aid The maximum length of the string is 255 characters portal Virtual IP address pVIP the IP address of the Nortel SNAS portal You can have more than one pVIP for a domain To specify more than one pVIP use a comma separator The pVIP is the address to which the client connects for authentication and host integrity check For more information see About the IP addresses page 42 The Domain menu...

Page 84: ... during initial setup Depending on the options you select in connection with certificates and creating a test user the two wizards also create similar default settings see Settings created by the quick setup wizard page 49 You can later modify all settings created by the domain quick setup wizard see Configuring domain parameters page 89 Nortel Secure Network Access Switch Using the Command Line I...

Page 85: ...by pasting in the contents of a certificate file from a text editor press Enter to accept the default value no Go to step 6 b To create a test certificate press Enter to accept the default value no Go to step 7 c To use an existing certificate enter the applicable certificate number Go to Step 8 Use the info certs command to view the main attributes of all configured certificates The certificate n...

Page 86: ...g city Organization Name eg company Organizational Unit Name eg section Common Name eg your name or your server s hostname Email Address Subject alternative name blank or comma separated list of URI uri DNS fqdn IP ip address email email address Valid for days 365 Key size 512 1024 2048 4096 1024 8 Specify whether the SSL server uses chain certificates Do you require chain certificates yes no no 9...

Page 87: ... a client the session can be teardown or left in restricted mode with limited access Which action do you want to use for Health Agent check failure teardown restricted restricted 13 Specify whether you want to create a test local user nha in the default nhauser group Do you want to create a test local user yes no yes If you do want to create a test user press Enter to accept the default value yes ...

Page 88: ...d Creating Client Filter 4 Name nha_system_failed Creating Linkset 1 Name nha_passed This Linkset just prints the Health Agent result Creating Linkset 2 Name nha_failed This Linkset just prints the Health Agent result Creating Linkset 3 Name nha_system_passed This Linkset just prints the Health Agent result Creating Linkset 4 Name nha_system_failed This Linkset just prints the Health Agent result ...

Page 89: ...nges applied successfully Deleting a domain To delete a domain use the following command cfg domain del This command removes the current domain from the system configuration including all settings in menus and submenus for the portal groups authentication services linksets and network access devices configured for that domain Configuring domain parameters To configure the domain use the following ...

Page 90: ... address entries aaa Accesses the AAA menu in order to configure authentication authorization and accounting features For authentication see Configuring authentication page 171 For authorization see Configuring groups and profiles page 149 and Configuring the Nortel Health Agent check page 92 For accounting see Configuring RADIUS accounting page 110 location Accesses the Location menu for the loca...

Page 91: ...ain vlan menu in order to manage VLAN mappings on the Nortel SNAS domain see Mapping the VLANs page 66 dhcp Accesses the DHCP menu sshkey Accesses the NSNAS SSH key menu in order to generate and show the public SSH key for the Nortel SNAS domain see Generating SSH keys for the domain page 70 dnscapt Accesses the DNS capture menu in order to set the Nortel SNAS domain portal as a captive portal and...

Page 92: ... that the components required for the client s personal firewall executables DLLs configuration files and so on are installed and active on the client PC For more information about how the Nortel Health Agent check operates in the Nortel SNAS see Nortel Health Agent host integrity check page 32 If you ran the quick setup wizard during the initial setup or to create the domain the Nortel Health Age...

Page 93: ...specified in the action command see action teardown restricted page 94 heartbeat interval Sets the time interval between checks for client activity interval is an integer that indicates the time interval in seconds s minutes m hours h or days d The valid range is 60s 1m to 86400s 1d The default is 1m 1 minute hbretrycnt count Specifies the number of times the Nortel SNAS repeats the check for clie...

Page 94: ...ied on the SNAS using the administrative tool the policy is updated on the Nortel Health Agent running on the logged in operating systems Values on and off default off desktopage Enables or disables the desktop agent name Values on off and auto default off desktopnam Specifies the desktop agent shortcut name action teardown restric ted Specifies the action to be performed if the client fails the N...

Page 95: ...can be displayed on the portal page Valid options are on details will be displayed off details will not be displayed The default is off If set to on the client can click on the Nortel Health Agent icon on the portal page to display details about which elements of the SRS rule check failed custscript Allows the client script customization Values on and off persistoob Persists the out of bound conne...

Page 96: ... if the Nortel Health Agent check fails see step 12 whether you want to create a test user see step 13 The Nortel Health Agent quick setup wizard creates a default SRS rule srs rule test This rule checks for the presence of a text file on the client s machine C tunnelguard tg txt The following table shows the sample output for the Nortel Health Agent quick setup wizard Main cfg domain aaa nha quic...

Page 97: ..._system_failed linkset Using existing SRS Rule srs rule syscred test Creating Group 2 Group for system policies Name nhasystem Creating Extended Profile 1 Giving system access when system health passed Using existing green_system vlan Creating Extended Profile 2 Giving remediation access when system health failed Using existing yellow vlan Using SRS rule for system compliancy srs rule syscred test...

Page 98: ...DNS name to the portal IP address name is the fully qualified domain name FQDN of the pVIP for example nsnas example com Generally you need to specify a DNS name only if your corporate DNS server is unable to perform reverse lookups of the portal IP address When you press Enter after specifying the DNS name the system performs a check against the DNS server included in the system configuration see...

Page 99: ...traffic cfg domain server trace followed by ssldump Creates a dump of the SSL traffic flowing between clients and the portal server You are prompted to enter the following information ssldump flags and ssldump filter for more information about the flags and filter expressions available for SSLDUMP using UNIX see http www tcpd ump org tcpdump_man html output mode Options for the output mode are int...

Page 100: ...ore information about the flags and filter expressions available for TCPDUMP using UNIX see http www tcp dump org tcpdump_man html output mode Options for the output mode are interactive captured information on the screen tftp ftp sftp the dump will be saved as a file to the file exchange server you specify using a destination file name you specify You are prompted to enter the required informatio...

Page 101: ... able to use a host name the DNS parameters must be configured see Configuring DNS servers and settings page 276 dnslookup host Finds the IP address for a machine whose host name you specify or the host name of a machine whose IP address you specify host is the host name or IP address of the machine If a backend interface is mapped to the current Nortel SNAS domain the check is made through the ba...

Page 102: ...cfg domain server ssl The SSL Settings menu appears The SSL Settings menu includes the following options Table 8 Configuring SSL Settings cfg domain server ssl followed by cert certificate index Specifies which server certificate the portal server will use You cannot specify more than one server certificate for the server to use at any one time certificate index is an integer indicating the index ...

Page 103: ...lable CA certificates to use for client authentication Not supported in Nortel Secure Network Access Switch Software Release 1 6 1 cachain certificate index list Specifies the CA certificate chain of the server certificate certificate index list is a comma separated list of the certificate index numbers assigned to the certificates in the chain The chain starts with the issuing CA certificate of t...

Page 104: ...optional a client certificate is requested but the client need not present one required a client certificate is required The default value is none Not supported in Nortel Secure Network Access Switch Software Release 1 6 1 ciphers cipher list Specifies the list of preferred ciphers This information is sent to the backend servers The default cipher list provides for using lighter encryption algorit...

Page 105: ... all HTTP requests handled by the portal server Nortel does not recommend routinely enabling this functionality for the following reasons Logging traffic with syslog messages generates a substantial amount of network traffic Logging traffic places an additional CPU load on each Nortel SNAS device in the cluster In general syslog servers are not intended for the traffic type of log message Therefor...

Page 106: ...he following options cfg domain server adv traflog followed by sysloghost IPaddr Specifies the IP address of the syslog server udpport port Specifies the UDP port number of the syslog server port is an integer in the range 1 65534 that indicates the UDP port number The default is 514 priority debug info notice Specifies the priority level of the syslog messages that are sent Valid options are debu...

Page 107: ... domain to automatically redirect HTTP requests to the HTTPS server specified for the domain use the following command cfg domain httpredir The Http Redir menu appears The Http Redir menu includes the following options Table 9 Configuring HTTP redirect cfg domain httpredir followed by port port Specifies the port to which the portal server listens for HTTP communications port is an integer that in...

Page 108: ... Management Configuration cfg sys adm http followed by port Sets the port number to be used for browser based SNAS configuration using the BBI ena Enables the HTTP server used for browser based configuration on the SNAS dis Disables the HTTP server used for browser based configuration on the SNAS Browser Based Management Configuration with SSL The HTTPS menu is used for enabling disabling browser ...

Page 109: ...ration on the SNAS using SSL Configuring advanced settings You can configure the following advanced settings for the Nortel SNAS domain a backend interface logging options To map a backend interface to the domain and to configure logging options use the following command cfg domain adv The Advanced menu appears The Advanced menu includes the following options Table 12 Configuring advanced settings...

Page 110: ...ss reject logs rejected requests The default is login Each type of log generates its own set of syslog messages The syslog messages include date time type of request user source IP address and requested destination Configuring RADIUS accounting The Nortel SNAS can be configured to provide support for logging administrative operations and user session start and stop messages to a RADIUS accounting ...

Page 111: ...ormed by an available server with the lowest index number You can control accounting server usage by reassigning index numbers see Managing RADIUS accounting servers page 112 To configure the Nortel SNAS to support RADIUS accounting use the following command cfg domain aaa radacct The Radius Accounting menu appears The Radius Accounting menu includes the following options Table 13 Configuring RADI...

Page 112: ...ius Accounting Servers menu includes the following options Table 14 Managing RADIUS accounting servers cfg domain aaa radacct servers followed by list Lists the IP addresses of currently configured RADIUS accounting servers by index number del index number Removes the specified RADIUS accounting server from the current configuration The index numbers of the remaining entries adjust accordingly To ...

Page 113: ...erver at a particular position in the list of RADIUS accounting servers in the configuration index number the index number you want the server to have IPaddr the IP address of the accounting server you are adding The index number you specify must be in use The index numbers of existing servers with this index number and higher are incremented by 1 move index number new index number Moves a server ...

Page 114: ...et Assigned Numbers Authority IANA has designated SMI Network Management Private Enterprise Codes that can be assigned to the Vendor Id attribute see http www iana org assignments enterprise numbers RFC 2866 describes usage of the Vendor Type attribute Contact your RADIUS system administrator for information about the vendor specific attributes used by the external RADIUS accounting server To simp...

Page 115: ...s third party switches and support for multiple devices on a port for example when a hub is connected to the port DHCP subnet type hub DNS server redirect from Nortel SNAS to the corporate DNS server to optimize Nortel SNAS performance when Filters only enforcement is used For more information on Filters only enforcement see Nortel SNAS enforcement types page 28 DHCP subnet type filter a standard ...

Page 116: ...ach type has a set of configuration options associated with it For information on these options see Standard DHCP subnet type page 121 Filter DHCP subnet type page 120 or Hub DHCP subnet type page 118 name refers to a name you provide for the subnet The prompt is Set the subnet name address is the subnet address The prompt is Enter subnet network address netmask is the subnet mask The prompt is En...

Page 117: ...ndard DHCP subnet type page 121 Filter DHCP subnet type page 120 or Hub DHCP subnet type page 118 DHCP Settings menu The DHCP settings menu whenever you select an option that requires a range of IP addresses This occurs when configuring the settings for the standard DHCP subnet type the known and unknown ranges for the filter DHCP subnet type the red yellow and green ranges for the hub DHCP subnet...

Page 118: ...If you change the values here the new values only apply to the range s you are defining here number is a unique number between 1 and 254 that you provide that the system uses to identify the vendor options The prompt is Enter vendor options number 1 254 name refers to a name you provide for this set of vendor options The prompt is Set the vendor option name type can be ip ip_list u8 u16 u32 string...

Page 119: ...me the current name of the subnet and prompts you to change or reenter the name Enter a name address the current network address of the subnet and prompts you to change or reenter the address netmask the current network mask of the subnet and prompts you to change or reenter the network mask phone Specify a phone signature for each type of IP phone connected to the network Supported phone types an...

Page 120: ...client to the corporate DNS server when the network access points are NSNA network access devices and Filter only enforcement is used This section assumes you are familiar with the information in Configuring local DHCP services page 115 Background When the Nortel SNAS determines that a client can be moved from the Red enforcement zone it directs Nortel Health Agent to initiate an ipconfig release ...

Page 121: ... to the network domain name server unknown See DHCP Settings menu page 117 The client is automatically assigned unknown status when the connection is initiated This is the Red enforcement zone for the filter DHCP subnet type No configuration is required ena Enables the subnet dis Disables the subnet del Deletes the subnet Standard DHCP subnet type The standard DHCP subnet type provides DHCP servic...

Page 122: ...all leases The tabulated display has these columns Dom domain Snet Subnet number Type Standard Filter Hub Network subnet address Total total number of leases and the total number of leases in each zone Red Green Yellow Unknown Known info dhcp list addr subnet all Use addr together with an IP address or a MAC address to list the DHCP lease for the address Use subnet together with a subnet address a...

Page 123: ...ails add adds switch unit portr del deletes switch unit port list lists switch unit port del Removes location from the configuration Creation of the locations To create the locations use the following command cfg domain location locations The Location List menu appears The Location List menu includes the following options cfg domain location locations followed by add switch Ip unit port Adds locat...

Page 124: ...here an installed agent system service communicates to a central PatchLink server and updates the system as and when patches are available Patchlink solution is integrated to verify the compliance status of the client with Nortel SNAS To create the patchlink server use the following command cfg domain patchlink The PatchLink Servers menu appears The PatchLink Servers menu includes the following op...

Page 125: ...tomatically assigned to the patch link server when you added the patch link server to the configuration list Lists all patch link server added by user name password ena Enables the patch link server dis Disables the patch link server Nortel Secure Network Access Switch Using the Command Line Interface NN47230 100 03 01 Standard 28 July 2008 Copyright 2007 2008 Nortel Networks ...

Page 127: ...Overview of RADIUS server The Nortel SNAS is integrated with full featured RADIUS server The RADIUS server is used to authenticate users through PAP or CHAP authentication methods It also works in a more complex 802 1x environment which supports EAP MD5 TLS PEAP and TTLS authentication methods Radius server configuration includes the RADIUS realms clients authentication methods EAP authentication ...

Page 128: ...ve index number destination index number cfg domain radius realms list del index number add realm name ip address authentica tion server id insert index number realm name ip address authentication server id move index number destination index number cfg domain radius dictionary default import protocol host filename export protocol host filename venderid view del vendor id clear list cfg domain rad...

Page 129: ...ation index number cfg domain radius cert current value select the certificate cfg domain radius cacert current value select the certificate Configuration of the RADIUS server To configure the RADIUS server use the following command cfg domain radius The RADIUS Server menu appears The RADIUS Server menu includes the following options Nortel Secure Network Access Switch Using the Command Line Inter...

Page 130: ...dresses of currently configured clients by index number del index number Removes the specified client from the current configuration The index numbers of the remaining entries adjust accordingly index number specify the index number To view the index numbers of all configured clients use the list command add client IP address shared secret Adds a client to the configuration list client IP address ...

Page 131: ...he list of clients in the configuration index number the original index number of the client you want to move destination index the index number representing the new position of the server in the list Configuration of the realms To configure the realms use the following command cfg domain radius realm The RADIUS Realms menu appears The RADIUS Realms menu includes the following options cfg domain r...

Page 132: ... the device insert index number realm name authentication server id Inserts a realm at a particular position in the list of clients in the configuration index number the index number you want the realms to have realm name is a string identifying the realm names authentication server id select the authentication server id It the list based on the authentication servers configured on the device move...

Page 133: ... of the database file on the server export protocol server filename vender id Exports dictionary to TFTP FTP SCP SFTP server protocol protocol is the export protocol Options are tftp ftp scp sftp Default value is tftp server specify the hostname or IP address of the server filename is a name of the database file on the server vender id corresponds to the vendor specific attribute used by the RADIU...

Page 134: ...tion for the following Time User name Status Type Terminate cause export protocol hostname or IP address filename Exports the accounting log to FTP FTP SCP SFTP server protocol is the export protocol Options are tftp ftp scp sftp hostname or IP address is the hostname or IP address of the server filename specify the filename on the server clear Clears the accounting log information Configuration o...

Page 135: ...numbers of the remaining entries adjust accordingly index number is the identification number automatically assigned to the method when you added the method to the configuration specify the index number to remove from the configuration add method name Adds a method to the configuration method name is a string that must be unique in the domain The maximum allowable length of the string is 255 chara...

Page 136: ...e list index number the original index number of the method you want to move destination index the index number representing the new position of the method in the list Configuration of the EAP authentication methods To configure the EAP authentication methods use the following command cfg domain radius eapmethods The EAP Authentication Methods menu appears The EAP Authentication Methods menu inclu...

Page 137: ...icular position in the list index number is the identification number automatically assigned to the EAP method when you added the method to the configuration Specify the index number method type Specify the method type method name is a string that must be unique in the domain The maximum allowable length of the string is 255 characters but Nortel recommends a maximum of 32 characters Specify the m...

Page 138: ... certificate Select the server certificate from the list use the following command cfg domain x radius cacert This includes the following options cfg domain radius cacert followed by current value The current CA certificate number appears select the CA certificate Specify the CA certificate number The value ranges from 1 to 1500 The CA certificate number refers to certificates stored in the certif...

Page 139: ...ommands The following roadmap lists the Command Line Interface CLI commands to configure Network Access Protection NAP Use this list as a quick reference Command Parameter cfg domain nap autorem cfg domain nap probation ena true false dis true false date date time time cfg domain nap moreinfo troubleshooting URL cfg domain nap pdp local remote cfg domain nap servers list ip port secret del add ser...

Page 140: ...a network client which attempts to connect to a network and restricts the access of the network client until the policy requirements for connecting to the network are met The NSNA NAP interoperability architecture allows you to deploy both the NSNA solution and the Network Access Protection NAP in a symbiotic manner It also allows you to enforce security policies for network access using NSNA and ...

Page 141: ...ngs moreinfo Troublshooting URL Set Troublshooting URL pdp Select the policy decision point Values local and remote default local servers Remote Network Policy Servers shvs System Health Validators wshv Windows System Health Validator Probation Settings To configure the probation settingsg use the following command cfg domain nap probation The Probation Settings menu includes the following options...

Page 142: ...numbers of all configured remote network policy servers use the list command add IP address port shared secret Adds a server to the configuration IP address specify the IP address of the server port the TCP port number shared secret specify the password insert index number IPaddr port shared secret Inserts a server at a particular position in the list of remote network policy server in the configu...

Page 143: ...se the following command cfg domain nap shvs The System Health Validators menu includes the following options cfg domain nap shvs followed by list vendor ID component ID module name Lists the vendor ID component ID and module name del index number Removes the specified system health validators from the current configuration The index numbers of the remaining entries adjust accordingly To view the ...

Page 144: ...m health validators up or down the list of System Health Validators in the configuration index number the original index number of the system health validators you want to move new index number the index number representing the new position of the system health validators in the list The index numbers of the remaining entries adjust accordingly Configuration of Windows System Health Validator To c...

Page 145: ...e Windows update patches that fix specific software security vulnerabilities Values true and false default false severity security Updates Severity instructs the Windows System Health Verifier WSHV to validate the minimum level of all Windows security update patches on the Windows endpoint For instance if the Security Updates Severity is set to critical the Windows endpoint must have all Microsoft...

Page 146: ...ill do so with respect to the security updates it knows about local copy and the source where it obtained its security updates Values true and false If set to true the WSHV considers WSUS as an acceptable source for the endpoint and accepts the endpoint s security update status This setting is only applicable when Security Updates Protection is true default false winupdate designates whether Micro...

Page 147: ... wshv followed by default false autoupdate Enables or disables the automatic updates Values on and off default on Nortel Secure Network Access Switch Using the Command Line Interface NN47230 100 03 01 Standard 28 July 2008 Copyright 2007 2008 Nortel Networks ...

Page 148: ...148 Configuration of Microsoft NAP Interoperability Nortel Secure Network Access Switch Using the Command Line Interface NN47230 100 03 01 Standard 28 July 2008 Copyright 2007 2008 Nortel Networks ...

Page 149: ...nt filters page 162 Configuring extended profiles page 164 Mapping linksets to a group or profile page 167 Creating a default group page 169 Overview This section includes the following topics Groups page 150 Linksets page 151 SRS rule page 151 Extended profiles page 151 For more information about groups and extended profiles in the Nortel SNAS see Nortel Secure Network Access Solution Guide NN472...

Page 150: ...identified the matching group it applies group data to the user as follows linksets All linksets configured for the group of which the user is a member display on the user s portal page see Linksets page 151 Nortel Health Agent SRS rule The Nortel Health Agent host integrity check uses the criteria specified in the SRS rule assigned to the group extended profiles The Nortel SNAS checks the group t...

Page 151: ...only one SRS rule for the group Each group can have a different SRS rule You cannot configure SRS rules using the CLI If you ran the quick setup wizard during the initial setup you specified the action to result if the SRS rule check fails You can rerun the wizard at any time by using the cfg doamin aaa nha quick command If you want to change the SRS rule check result use the cfg doamin aaa nha ac...

Page 152: ...y of the extended profiles it applies the base profile data For information about configuring client filters see Configuring client filters page 162 For information about configuring extended profiles see Configuring extended profiles page 164 Before you begin Before you configure groups client filters and extended profiles on the Nortel SNAS complete the following tasks Step Action 1 Create the l...

Page 153: ...igure groups and extended profiles on the Nortel SNAS using the CLI are Step Action 1 Configure the group see Configuring groups page 156 2 Configure the client filters that will be referenced in the extended profiles see Configuring client filters page 162 The client filters can be referenced by all extended profiles in the domain 3 Configure the extended profiles for the group see Configuring ex...

Page 154: ...l cfg doamin aaa filter filter ID name name srs true false ignore comment comment del cfg doamin aaa group group ID group name extend profile ID filter name vlan name linkset del cfg doamin aaa group linkset list del index number add linkset name insert index number linkset name move index number new index number cfg doamin aaa group extend linkset list del index number add linkset name Nortel Sec...

Page 155: ...achepass true false cfg doamin aaa group radattr list Usage list vendor id value Usage del index Usage add Usage add vendor id value Usage insert position vendor id value Usage move value value cfg domain aaa group cachepass Usage cachepass true false cfg domain aaa group syscredent cfg doamin aaa defgroup group name Nortel Secure Network Access Switch Using the Command Line Interface NN47230 100 ...

Page 156: ...s the Group menu The group name must match a group name used by the authentication services For more information see Table 22 Group names in the Nortel SNAS and authentication services page 153 number of sessions the maximum number of simultaneous portal or Nortel SNAS sessions allowed for each member of the group The default is 0 unlimited You can later modify the number of sessions by using the ...

Page 157: ...Nortel SNAS sessions allowed for each member of the group For example if the value is set to 2 then a user can use two computers at the same time and have two simultaneous sessions running The default is 0 unlimited Accesses the Linksets menu in order to map preconfigured linksets to the group see Mapping linksets to a group or profile page 167 For information about creating and configuring the li...

Page 158: ...king are bypassed the client is given access to the network Since Nortel Health Agent does not run the system automatically applies Filter_only enforcement see enftype below If a user belongs to several groups bypass occurs only when all groups are configured for bypass If bypass authentication fails the system invokes portal authentication and Nortel Health Agent integrity checking The bypass opt...

Page 159: ...ux The Nortel Health Agent integrity check is not performed on non Windows operating systems Nortel Health Agent does not run when never is selected and network access is determined by authentication only The system proceeds as if the device passed the Nortel Health Agent integrity check Filter_only enforcement is applied automatically for non Windows operating systems and when never is selected s...

Page 160: ...hen the vlan filter enforcement type applies Nortel Health Agent requires administrator privileges to the PC in order to change the IP address of the PC If the privileges Nortel Health Agent inherits from the username password of the user do not provide administrator privileges you can use admrights to raise the Nortel Health Agent privileges Enter an administrator username and password for user a...

Page 161: ...ey had never been configured comment comment Sets a comment for the group del Removes the group from the Nortel SNAS domain When you delete the group you also delete all extended profiles associated with that group ID Figure 5 Group menu commands page 161 shows sample output for the cfg doamin aaa group group ID command and commands on the Group menu Figure 5 Group menu commands Nortel Secure Netw...

Page 162: ...create and configure a client filter use the following command cfg doamin aaa filter filter ID where filter ID is an integer in the range 1 to 63 that uniquely identifies the filter in the Nortel SNAS domain When you first create the filter you must enter the filter ID After you have created the filter you can use either the ID or the name to access the filter for configuration When you first crea...

Page 163: ...l Health Agent host integrity check triggers the filter true the client filter triggers when the Nortel Health Agent check succeeds false the client filter triggers when the Nortel Health Agent check fails ignore passing or failing the Nortel Health Agent check will not trigger the client filter The default is ignore For example in order to grant limited access rights to users who fail the Nortel ...

Page 164: ...ded profile you can use either the profile ID or the name of the associated client filter to access the extended profile for configuration When you first create the profile you are prompted to enter the following parameters client filter name the name of the predefined client filter that determines whether the Nortel SNAS will apply this extended profile to the user To view available filters press...

Page 165: ...press TAB following the filter command name is a string that must be unique in the domain For information about configuring client filters see Configuring client filters page 162 vlan name Specifies the VLAN to which the Nortel SNAS will assign users with this profile name is a string that must be unique in the domain linkset Accesses the Linksets menu in order to map preconfigured linksets to the...

Page 166: ...tions Table 29 Configure RADIUS Attributes cfg doamin aaa group radattr followed by list vendor id value Lists the currently configured RADIUS attributes by index number del index Removes the RADIUS attribute entry represented by the specified index number The index numbers of the remaining entries adjust accordingly add vendor id value Adds a RADIUS attribute to the group You can add as many RADI...

Page 167: ...US Attribute menu commands shows a sample output for the cfg doamin aaa group group ID radattr command and commands on the Group RADIUS Attributes menu Figure 8 Group RADIUS Attribute menu commands Mapping linksets to a group or profile You can tailor the portal page for different users by mapping preconfigured linksets to groups and extended profiles For more information about linksets see Linkse...

Page 168: ...tended profile The linkset on the portal page after the user has been authenticated You can add as many linksets as you want The Nortel SNAS assigns an index number to the linkset name as you add the linkset to the list for the group The linksets display on the portal page in the order of the index numbers insert index number linkset name Inserts a linkset at a particular position in the list The ...

Page 169: ...d profiles mapped to a restrictive VLAN see Configuring groups page 156 and Configuring extended profiles page 164 Then use the following command to make this group the default group cfg doamin aaa defgroup group name Nortel Secure Network Access Switch Using the Command Line Interface NN47230 100 03 01 Standard 28 July 2008 Copyright 2007 2008 Nortel Networks ...

Page 170: ...170 Configuring groups and profiles Nortel Secure Network Access Switch Using the Command Line Interface NN47230 100 03 01 Standard 28 July 2008 Copyright 2007 2008 Nortel Networks ...

Page 171: ...ion page 200 Specifying authentication fallback order page 209 Overview The Nortel SNAS controls authentication of clients when they log on to the network The Nortel SNAS supports the following authentication methods in Nortel Secure Network Access Switch Software Release 1 6 1 external databases Remote Authentication Dial In User Service RADIUS Lightweight Directory Access Protocol LDAP local dat...

Page 172: ... For general information about authentication within the Nortel SNAS see Nortel Secure Network Access Solution Guide NN47230 200 Before you begin Before you configure authentication on the Nortel SNAS you must complete the following tasks Step Action 1 Create the Nortel SNAS domain if applicable see Creating a domain page 83 If you ran the quick setup wizard during initial setup doamin has been cr...

Page 173: ...trieve the attribute value The Vendor Type indicates the index number of the required entry in the dictionary file The Internet Assigned Numbers Authority IANA has designated SMI Network Management Private Enterprise Codes that can be assigned to the Vendor Id attribute see http www iana org assignments enterprise numbers RFC 2865 describes usage of the Vendor Type attribute If you specify Vendor ...

Page 174: ...uthentication methods page 177 Configuring advanced settings page 179 Configuring RADIUS authentication page 180 Configuring LDAP authentication page 187 Configuring local database authentication page 200 setting the order in which authentication methods will be applied see Specifying authentication fallback order page 209 Roadmap of authentication commands The following roadmap lists the CLI comm...

Page 175: ...ared secret insert index number IPaddr move index number new index number cfg doamin aaa auth radius sess iontim vendorid vendor ID vendortype vendor type ena dis cfg doamin aaa auth ldap searchbase DN groupattr names userattr names isdbinddn DN isdbindpas password enaldaps true false ldapscert enauserpre true false enacutdomain true false enashortgrp true false timeout interval cfg doamin aaa aut...

Page 176: ...a auth ldap adv enaxfilter true false xfilteratt filter attribute name xfilterval filter attribute value cfg doamin aaa auth local add user name password group passwd user name password groups user name desired group del user name list import protocol server filename key export protocol server filename key cfg doamin aaa auth local radat tr add user name vendor id attribute id attribute value del ...

Page 177: ...ss Switch Software Release 1 6 1 valid options are RADIUS LDAP local The selected method type determines the remainder of the parameters you are prompted to provide when you create the method as well as the submenu options that are provided on the Authentication menu appears The Authentication menu includes the following options Table 32 Configuring Authentication cfg doamin aaa auth auth ID follo...

Page 178: ...display in the Login Service list box on the portal login page together with the names of other authentication services available radius ldap local Accesses a method specific menu in order to configure settings for the method The option displayed depends on the method type radius accesses the RADIUS menu see Configuring RADIUS authentication page 180 ldap accesses the LDAP menu see Configuring LDA...

Page 179: ...up matched is returned to the Nortel SNAS as the user s group and determines the user s access privileges for the session To configure the current authentication scheme to retrieve user group information from a different authentication scheme use the following command cfg doamin aaa auth adv The Advanced menu appears The Advanced menu includes the following options Table 33 Configuring Advance Set...

Page 180: ...authentication method in the Nortel SNAS domain If you do not specify the auth ID in the command you are prompted for it When you first create the method for the domain you must enter the authentication ID After you have created the method and defined a name for it you can use either the ID or the name to access the method for configuration You can perform the following configuration tasks Adding ...

Page 181: ... the RADIUS server vendor ID for group corresponds to the vendor specific attribute used by the RADIUS server to send group names to the Nortel SNAS The default Vendor Id is 1872 Alteon To use a standard RADIUS attribute rather than the vendor specific one set the vendor ID to 0 see also vendor type vendor type for group corresponds to the Vendor Type value used in combination with the Vendor Id t...

Page 182: ...RADIUS Modifying RADIUS configuration settings To modify settings for the authentication method itself see Configuring authentication methods page 177 To modify settings for the specific RADIUS configuration use the following command cfg doamin aaa auth radius The RADIUS menu appears The RADIUS menu includes the following options Nortel Secure Network Access Switch Using the Command Line Interface...

Page 183: ... Type value used in combination with the Vendor Id to identify the groups to which the user belongs The group names to which the vendor specific attribute points must match names you define on the NSNAS The default is 1 If you set the vendor ID to 0 in order to use a standard RADIUS attribute see vendor ID set the vendor type to a standard attribute type as defined in RFC 2865 For example to use t...

Page 184: ...utes m or hours h If you do not specify a measurement unit seconds is assumed The range is 1 10000 seconds The default is 10 seconds sessiontim Accesses the Session Timeout menu in order to configure settings to control the length of client sessions see Configuring session timeout page 186 Managing RADIUS authentication servers You can configure additional RADIUS servers for the domain for redunda...

Page 185: ...guration The index numbers of the remaining entries adjust accordingly To view the index numbers of all configured RADIUS authentication servers use the list command add IPaddr port shared secret Adds a RADIUS authentication server to the configuration You are prompted to enter the following information IPaddr the IP address of the authentication server port the TCP port number used for RADIUS aut...

Page 186: ...er you want to move new index number the index number representing the new position of the server in the list The index numbers of the remaining entries adjust accordingly Configuring session timeout You can configure the Nortel SNAS to enable session timeout and to retrieve a session timeout value from the RADIUS server With session timeout enabled the session timeout value controls the length of...

Page 187: ...ntication To configure the Nortel SNAS domain to use an external LDAP server for authentication use the following command cfg doamin aaa auth auth ID where auth ID is an integer in the range 1 to 63 that uniquely identifies the authentication method in the Nortel SNAS domain If you do not specify the auth ID in the command you are prompted for it When you first create the method for the domain you...

Page 188: ...ry the Distinguished Name DN that points to one of the following the entry that is one level up from the user entries does not require isdBindDN and isdBindPassword if user entries are located in several places in the LDAP Dictionary Information Tree DIT the position in the DIT from where all user records can be found with a subtree search requires isdBindDN and isdBindPassword group attribute nam...

Page 189: ...the default value or reset to false The Authentication menu Figure 11 Authentication menu commands LDAP page 189 shows sample output for the LDAP method for the cfg doamin aaa auth auth ID command and commands on the Authentication menu Figure 11 Authentication menu commands LDAP Modifying LDAP configuration settings To modify settings for the authentication method itself see Configuring authentic...

Page 190: ... To specify more than one group attribute name enter the names separated by a comma userattr names Refers to one of the following 1 the LDAP attribute that contains the user name used for authenticating a client in the domain The default user attribute name is uid Do not use the isdbinddn and isdbindpas commands 2 if the client s portal logon name is different from the RDN for example when using L...

Page 191: ... for searchbase and userattr method 2 isdbindpas password Specifies the password used to authenticate the Nortel SNAS to the LDAP server The isdbindpas is the password configured in the Schema Admins account for the entry referenced in isdBindDN Required for searchbase and userattr method 2 ldapmacro Accesses the LDAP Macro menu in order to manage macros see Managing LDAP macros page 195 enaldaps ...

Page 192: ...ust extend the LDAP server schema with one new ObjectClass and one new Attribute For more information see Adding User Preferences attribute to Active Directory page 485 The default is false enacutdomain true false Enables or disables the cut domain from the user name timeout interval Sets the timeout interval for a connection request to an LDAP server At the end of the timeout period if no connect...

Page 193: ...query regardless of whether or not the client s credentials were matched If you add more than one LDAP server to the domain for redundancy ensure that each listed LDAP server contains the same SSL domain client database If the Nortel SNAS clients are dispersed in different LDAP server databases you can configure the LDAP servers as separate authentication methods with different authentication IDs ...

Page 194: ...u are prompted to enter the following information IPaddr the IP address of the authentication server port the TCP port number used for LDAP authentication The default is 389 The system automatically assigns the next available index number to the server ATTENTION The default TCP port number used by the LDAP protocol is 389 If LDAPS is enabled change the port number to 636 insert index number IPaddr...

Page 195: ...ables to allow you to retrieve data from the LDAP database You can then map the variable to an LDAP user attribute in order to create user specific links on the portal Home tab When the client successfully logs on the variable expands to the value retrieved from the LDAP or Active Directory user record For more information about using macros in portal links see Macros page 235 To configure LDAP ma...

Page 196: ... attribute is long and you wish to extract only part of it the values at the start of the string that you want to ignore Combine with a suffix if the value you want is in the middle of the string suffix if the value string of the LDAP attribute is long and you wish to extract only part of it the values at the end of the string that you want to ignore Combine with a prefix if the value you want is ...

Page 197: ... remaining entries adjust accordingly Group Search Configuration The LDAP Group Search menu lets you configure the NVG to find group information The Group Search menu includes the following options Table 40 Group Search Configuration cfg domain aaa auth ldap groupsearch followed by groupbase group searchbase entry Sets the group base search entry Assigns the DN Distinguished Name that points to th...

Page 198: ...eate a linkset and link to a site where the user can change the password see Configuring groups page 156 3 Map the linkset to the group see Mapping linksets to a group or profile page 167 4 Set the Active Directory settings using the cfg doamin aaa auth ldap activedire command End To manage clients whose passwords have expired or who need to change their passwords use the following command cfg doa...

Page 199: ...n change his her password Configure an access rule restricting access to the specified site recursivem true false Specifies the setting for recursive group membership true if the client belongs to an Active Directory group which in turn belongs to another group all groups are returned false if the client belongs to an Active Directory group which in turn belongs to another group only the first gro...

Page 200: ... the Nortel SNAS domain to use local databases for portal username password or MAC authentication To configure the local database method perform the following steps Step Action 1 Create the Local database method see Adding the local database authentication method page 201 ATTENTION If you ran the quick setup wizard during initial setup Local database authentication has been created with authentica...

Page 201: ...ng the local portal database page 202 authentication type options are radius ldap local Enter local authentication method name auth name a string that specifies a name for the method After you have defined a name for the method you can use either the method name or the auth ID to access the Authentication menu In future releases of the Nortel SNAS software you will be able to reference this string...

Page 202: ...oup names the first group name entered is the one that will be returned to the Nortel SNAS after authentication The Authentication menu Figure 10 Authentication menu commands RADIUS page 182 shows sample output for the Local method for the cfg doamin aaa auth auth ID command and commands on the Authentication menu Figure 12 Authentication menu commands local database Managing the local portal data...

Page 203: ... use the following command cfg doamin aaa auth local The Local database menu appears The Local database menu includes the following options Table 43 Managing the local portal database cfg doamin aaa auth local followed by add user name password group Adds a user to the local authentication database You are prompted for the following information user name a string that specifies a unique user logon...

Page 204: ...he specified user s password in the local database groups user name desired group Changes the specified user s group membership in the local database radattr add list del Configures the RADIUS attribute in the local database del user name Deletes the specified user from the local database list Lists all users added to the local database by user name password encrypted and group membership The comm...

Page 205: ... file was exported the key you must provide is the same as the password key provided at the time of export If the file is not protected with a key enter any characters a minimum of four when prompted FTP user name and password if applicable The file you import must be in ASCII format Each row entry consists of values for user name password and group separated by a colon for example username passwo...

Page 206: ...th a key enter any characters a minimum of four when prompted FTP user name and password if applicable The file is exported in ASCII format Each row entry consists of values for user name password encrypted and group separated by a colon The following is an example of an exported user record with the password encrypted john 2 7á yLs ßìöonž trusted where 2 indicates an encrypted password Managing t...

Page 207: ...t user name username of the host operator optional device type PC phone passive PC when the host is a computer phone when the host is a supported IP telephone passive when the device does not have an operator for examples a printer a video camera it is recommended that passive devices belong to their own unique group IP type dhcp static dhcp when the IP address of the host is provided by a DHCP se...

Page 208: ...passive 192 168 2 23 printers Room 314 printer The imported database overwrites the existing database export proto col server filename Exports the local database to the specified TFTP FTP SCP SFTP file exchange server You are prompted to provide the following information protocol is the export protocol Options are tftp ftp scp sftp server is the host name or IP address of the server filename is th...

Page 209: ...ned on the Nortel SNAS ATTENTION For best performance set the authentication order so that the method that supports the biggest proportion of users is applied first However if you use the Nortel SNAS local database as one of the authentication methods Nortel recommends that you set the Local method to be first in the authentication order The Local method is performed extremely fast regardless of t...

Page 210: ...authentication under auth ID 2 and LDAP authentication under auth ID 3 You want the Nortel SNAS to check the local database first then send requests to the LDAP server then to the RADIUS server Figure 13 Authentication order command page 210 shows the required command Figure 13 Authentication order command Nortel Secure Network Access Switch Using the Command Line Interface NN47230 100 03 01 Stand...

Page 211: ...t and root For more information see Accessing the Nortel SNAS cluster page 381 Group membership dictates user rights as shown in Table 45 Group membership and user rights page 212 When a user is a member of more than one group user rights accumulate The admin user who by default is a member of all three groups therefore has the same user rights as granted to members in the certadmin and oper group...

Page 212: ...d manage the following add new users for a detailed example see Adding a new user page 218 reassign users for a detailed example see Changing a users group assignment page 221 change passwords for a detailed example see Changing passwords page 223 delete users for a detailed example see Deleting a user page 225 For detailed information about the CLI commands see CLI configuration examples page 218...

Page 213: ...the password for the currently logged on user and to add or delete user accounts access the User menu by using the following command cfg sys user The User menu appears The User menu includes the following options Table 47 Managing user accounts and passwords cfg sys user followed by password old password new password confirm new password Allows you to change your own password Passwords can contain...

Page 214: ...2 hours and 45 minutes enter 30d2h45m list Lists all user accounts The three built in users admin oper and root are always listed del username Removes the specified user account from the system Of the three built in users admin oper and root only the oper user can be deleted You must have administrator rights in order to delete user accounts ATTENTION When you delete a user the user s group assign...

Page 215: ...istrator role has been separated from the administrator role If the admin user is a member of the certadmin group the default setting the admin user is prompted for an export passphrase to protect the private keys in the configuration dump each time the cfg ptcfg command is used Set a certificate administrator export passphrase only if the admin user has removed himself or herself from the certadm...

Page 216: ...nd to view and manage group assignments access the User username menu by using the following command cfg sys user edit username The User username menu appears The User username menu includes the following options Table 48 Managing user settings cfg sys user edit username followed by password own password user password confirm user password Sets the login password for the specified user Passwords c...

Page 217: ... belongs to several groups the first group according to CLI numbering determines the enforcement filters and VLANs that are applied To set or change a user s group assignment access the Groups menu by using the following command cfg sys user edit username groups The Groups menu appears The Groups menu includes the following options Table 49 Managing user groups cfg sys user edit username groups fo...

Page 218: ...certificates and private keys without the possibility to change system parameters or configure virtual SSL servers A user who is a member of the certadmin group can therefore access the Certificate menu cfg cert but not the SSL Server 1001 menu cfg domain server ssl On the System menu cfg sys the certadmin user has access only to the User submenu cfg sys user Step Action 1 Log on to the Nortel SNA...

Page 219: ...user rights and access levels to the system User edit cert_admin User cert_admin groups add Enter group name certadmin 5 Verify and apply the group assignment When you enter the list command the current and pending group assignment of the user being edited is listed by index number and group name Because the cert_admin user is a new user the current group assignment listed by Old is empty Groups l...

Page 220: ...ssphrase defined by the Certificate Administrator is used instead to encrypt private keys in the configuration backup The encryption of private keys using the export passphrase defined by the Certificate Administrator is performed transparently to the user without prompting When the configuration backup is restored the Certificate Administrator must enter the correct export passphrase ATTENTION If...

Page 221: ...is created and assigned certadmin group membership before the admin user is removed from the certadmin group Otherwise there is no way to assign certadmin group membership to a new user or to restore certadmin group membership to the admin user should it become necessary 10 Verify and apply the changes Groups list Old 1 admin 2 oper 3 certadmin Pending 1 admin 2 oper Groups apply End Changing a us...

Page 222: ...sswd Change own password list List all users del Delete a user add Add a new user edit Edit a user caphrase Certadmin export passphrase User 3 Assign the admin user certadmin user rights by adding the admin user to the certadmin group User edit admin User admin groups add Enter group name certadmin ATTENTION A user must be assigned to at least one group at any given time If you want to replace a u...

Page 223: ...rd login cert_admin Password cert_admin user password 2 Access the User Menu Main cfg sys user User Menu passwd Change own password list List all users del Delete a user add Add a new user edit Edit a user caphrase Certadmin export passphrase User Type the passwd command to change your current password When your own password is changed the change takes effect immediately without having to use the ...

Page 224: ...ups list command Login passwords are case sensitive and can contain spaces Step Action 1 Log on to the Nortel SNAS cluster as the admin user login admin Password admin user password 2 Access the User Menu Main cfg sys user User Menu passwd Change own password list List all users del Delete a user add Add a new user edit Edit a user caphrase Certadmin export passphrase User 3 Specify the user name ...

Page 225: ... is the sole member of a group none of the remaining users on the system can then be added to that group Existing users can only be added to a group by a user who is already a member of that group Before deleting a user you may therefore want to verify that the user is not the sole member of a group Step Action 1 Log on to the Nortel SNAS cluster as the admin user login admin Password admin user p...

Page 226: ...and apply the changes The imminent removal of the cert_admin user is indicated as a pending configuration change by the minus sign To cancel a configuration change that has not yet been applied use the revert command User list root admin oper cert_admin User apply End Nortel Secure Network Access Switch Using the Command Line Interface NN47230 100 03 01 Standard 28 July 2008 Copyright 2007 2008 No...

Page 227: ...rtal display page 244 Changing the portal colors page 249 Configuring custom content page 250 Configuring linksets page 251 Configuring links page 253 Overview The end user accesses the Nortel SNAS network through the Nortel SNAS portal You can customize the end user experience by configuring the following logon and portal features Captive portal and Exclude List page 228 Exclude List page 228 Por...

Page 228: ...the scopes for the Green and Yellow VLANs Once the client has been authenticated and is in a Green or Yellow VLAN DNS requests are forwarded in the regular way to the corporate DNS servers For information about configuring the captive portal see Configuring the captive portal page 240 Exclude List The Exclude List is a configurable list of domain names that will not be captured by the Nortel SNAS ...

Page 229: ...ge Expressions c Matches the non metacharacter c c Matches the literal character c see escape sequence Matches any character Matches the beginning of a string Matches the end of a string abc Character class which matches any of the characters abc Character ranges are specified by a pair of characters separated by a hyphen abc Negated character class which matches any character except abc r1 r2 Alt...

Page 230: ...c redirection to internal sites page 236 Portal look and feel You can customize the colors logos icons and text used on the portal page You can also add custom content such as Java applets to the portal You can then add links to the portal page to make the content available to clients This section includes information about the following topics Default appearance page 230 Colors page 231 For infor...

Page 231: ...ehind the tab labels color3 the fields information area and clean icons on the active tab color4 not used There are five optional color themes The themes are predefined sets of web safe colors that complement each other aqua apple jeans cinnamon candy Nortel Secure Network Access Switch Using the Command Line Interface NN47230 100 03 01 Standard 28 July 2008 Copyright 2007 2008 Nortel Networks ...

Page 232: ...ues use an Internet search engine to find web sites offering comprehensive listings Table 51 Common colors with hexadecimal codes Color Hexadecimal code White FFFFFF Black 000000 Dark gray A9A9A9 Light gray D3D3D3 Red FF0000 Green 008000 Blue 0000FF Yellow FFFF00 Orange FFA500 Violet EE82EE Dark violet 9400D3 Pink FFC0CB Brown A52A2A Beige F5F5DC Lime green 32CD32 Light green 90EE90 Dark blue 0000...

Page 233: ... translated text The languages supported by the Nortel SNAS are configured for the system but the language selected for the portal is a domain parameter The Nortel SNAS uses ISO 639 language codes to track languages that have been added to the configuration English en is the predefined language and is always present To change the language displayed for tab names general text messages buttons and f...

Page 234: ...one or more groups and extended profiles in the domain After the client has been authenticated the client s portal page all the links included in the linksets associated with the client s group The client s portal page also all the linksets associated with the client s extended profile For information about mapping linksets to groups and extended profiles see Mapping linksets to a group or profile...

Page 235: ...he order in which the linksets display You assign the index number when you map the linkset to the group or extended profile see Mapping linksets to a group or profile page 167 The index number you assign to the link controls the order in which the links display within the linkset You assign the index number when you include the link in the linkset see Configuring links page 253 Macros Macros are ...

Page 236: ...52 Examples of redirection URLs and link text page 236 shows example specifications for redirection URLs and associated links In these examples the portal address is nsnas example com the address to which you want to redirect clients is inside example com Table 52 Examples of redirection URLs and link text Purpose Redirection URL or link text Redirect the client to an internal site Redirection URL...

Page 237: ...in logon script page 238 Automatic JRE upload The Nortel SNAS portal requires the client device to be running a minimum version of the Java Runtime Environment JRE in order for the Nortel Health Agent applet to load properly Nortel recommends adding the required JRE version and plugins html as custom content to the portal In this way if the client does not meet the Java requirement and Nortel Heal...

Page 238: ...simple script and instructions on assigning the script to all users in the domain see Using a Windows domain logon script to launch the Nortel SNAS portal page 501 Customizing the portal and logon The following section describes the CLI commands to customize the portal and user logon Roadmap of portal and logon configuration commands The following roadmap lists all the CLI commands to customize th...

Page 239: ...cfg doamin portal colors color1 code color2 code color3 code color4 code theme default aqua apple jeans cinnamon candy cfg doamin portal content import protocol server filename export protocol server filename delete available ena dis cfg doamin linkset linkset ID name name text text autorun true false del cfg doamin linkset linkset ID link index move new index text text Nortel Secure Network Acces...

Page 240: ...udes the following options cfg doamin dnscapt followed by exclude Accesses the DNS Exclude menu in order to configure the Exclude List see Configuring the Exclude List page 240 ena Enables captive portal functionality dis Disables captive portal functionality Configuring the Exclude List The Exclude List is a list of domain names that will not be captured by the Nortel SNAS For more information ab...

Page 241: ...rticular position in the list The index number you specify must be in use The index numbers of existing entries with this index number and higher are incremented by 1 move index number new index number Moves an entry up or down the list The index numbers of the remaining entries adjust accordingly Changing the portal language To change the language displayed for tab names general text messages but...

Page 242: ...rotocol is the import protocol Options are tftp ftp scp sftp server is the host name or IP address of the server filename is the name of the language definition file on the server code is the ISO 639 language code to identify the language When you import the file you are prompted to specify the ISO 639 language code The language code is saved to the configuration together with the imported languag...

Page 243: ...languages that have been added to the configuration by language code and description English en is the predefined language and is always present vlist letter Lists all valid language codes and their corresponding description To list all valid language codes beginning with a specific letter specify the letter in the command del code Deletes the language definition file for the specified language co...

Page 244: ...ges by language code and description Configuring the portal display To modify the look and feel of the portal page that in the client s web browser use the following command cfg doamin portal The Portal menu appears The Portal menu includes the following options cfg doamin portal followed by import protocol server filename Imports a graphics file for the banner in GIF format from the specified TFT...

Page 245: ...ores the default Nortel banner banner the file name of the banner image file currently in use redirect URL Sets the URL to which clients are automatically redirected after authentication by the portal URL is the URL to which to direct the client prefixed by the portal address For example if the portal address is nsnas example com and you want to redirect clients automatically to inside example com...

Page 246: ...rompt To signal the end of the string press Enter to create a new line type an ellipsis and then press Enter again iconmode clean fancy Specifies the mode for the icons representing portal links for example file server links clean simple icons using a single color color3 fancy multicolored shaded and animated icons The default value is fancy For more information about linksets and links see Linkse...

Page 247: ...a Java script linktext entry in order to configure group controlled redirection to internal sites see Table 52 Examples of redirection URLs and link text page 236 For more information about using macros in links see Macros page 235 For more information about configuring links see Configuring links page 253 linkurl on off Sets the display mode for the Enter URL field on the portal Home tab Display ...

Page 248: ...e Portal Custom Content menu in order to provide custom content for the portal page see Configuring custom content page 250 lang Accesses the Portal Language menu in order to set the preferred language for the portal display see Setting the portal display language page 243 ieclear on off Controls use of the ClearAuthenticationCa che feature available in Internet Explorer 6 SP 1 and later IE The fe...

Page 249: ...adecimal value for the color including the symbol not case sensitive The default value is ACCDD5 color2 code Specifies the color for the background area behind the labels code is the hexadecimal value for the color including the symbol not case sensitive The default value is D0E4E9 color3 code Specifies the color for the fields information area and clean icons on the active tab code is the hexadec...

Page 250: ...llowing command cfg doamin portal content The Portal Custom Content menu appears The Portal Custom Content menu includes the following options cfg doamin portal content followed by import protocol server filename Imports a content file in ZIP format from the specified TFTP FTP SCP SFTP file exchange server protocol is the import protocol Options are tftp ftp scp sftp The default is tftp server is ...

Page 251: ... The default is disabled dis Disables client access to custom content Configuring linksets A linkset is a set of links that display on the portal Home tab For more information about linksets and links see Linksets and links page 234 To create and configure a linkset use the following command cfg doamin linkset linkset ID where linkset ID is an integer in the range 1 to 1024 that uniquely identifie...

Page 252: ... name or the linkset ID to access the Linkset menu name is a string that must be unique in the domain The maximum length of the string is 255 characters You reference the linkset name when mapping the linkset to groups or extended profiles using the cfg doamin aaa group extend linkset command see Mapping linksets to a group or profile page 167 When you map the linkset to a group members of the gro...

Page 253: ... the linkset see Configuring links page 253 To view existing linksets press TAB following the link command del Removes the linkset from the current configuration Configuring links To create and configure the links included in the linkset use the following command cfg doamin linkset linkset ID link index where index is an integer in the range 1 to 256 that indicates the position of the link in the ...

Page 254: ...link to a new position in the linkset The index numbers of existing link entries with this index number and higher are incremented by 1 new index is an integer in the range 1 to 256 that indicates the position of the link in the linkset For example You have two portal links Link 1 and Link 2 To move Link 2 so it before Link 1 on the portal page enter the following command Link 3 move 1 Link 2 beco...

Page 255: ... links only external Accesses the External Settings menu in order to configure settings for the link see Configuring external link settings page 255 This command only if the link type is external ftp Accesses the FTP Settings menu in order to configure settings for the link This command only if the link type is ftp del Removes the link from the current configuration Configuring external link setti...

Page 256: ... HTTPS host the host name or IP address of the web server path the path on the web server You must specify a path A single slash indicates the web server document root Nortel Secure Network Access Switch Using the Command Line Interface NN47230 100 03 01 Standard 28 July 2008 Copyright 2007 2008 Nortel Networks ...

Page 257: ...SA servers page 279 Configuring syslog servers page 279 Configuring administrative settings page 281 Enabling TunnelGuard SRS administration page 284 Configuring Nortel SNAS host SSH keys page 284 Configuring RADIUS auditing page 286 Configuring authentication of system users page 290 System settings apply to a cluster as a whole You can log on to either the Management IP address MIP or a Nortel S...

Page 258: ... Configuring administrative settings page 281 configuring system management using SNMP see Configuring SNMP page 323 enabling SRS administration see Enabling TunnelGuard SRS administration page 284 managing Nortel SNAS host SSH keys see Configuring Nortel SNAS host SSH keys page 284 managing RADIUS auditing see Configuring RADIUS auditing page 286 managing RADIUS authentication of system users see...

Page 259: ...king primary port delete cfg sys routes list del index number add IPaddr mask gateway cfg sys host host ID routes list del index number add IPaddr mask gateway cfg sys host interface interface ID routes list del index number add IPaddr mask gateway cfg sys host port port autoneg on off speed speed mode full half cfg sys host interface interface ID ports list del port Nortel Secure Network Access S...

Page 260: ...unt hup count cfg sys dns servers list del index number add IPaddr insert index number IPaddr move index number new index number cfg sys rsa rsaname name import protocol server filename FTP user name FTP password rmnodesecr del cfg sys syslog list del index number add IPaddr facility insert index number IPaddr facility move index number new index number Nortel Secure Network Access Switch Using th...

Page 261: ...na dis cfg sys adm audit servers list del index number add IPaddr port shared secret insert index number IPaddr move index number new index number cfg sys adm auth timeout interval fallback on off ena dis cfg sys adm auth servers list del index number add IPaddr port shared secret insert index number IPaddr move index number new index number cfg sys adm abl user_atmpt Nortel Secure Network Access ...

Page 262: ...th Minimum length lowercase Lower case uppercase Upper case digits Digits others other characters retry maximum retries ena dis Configuring system settings To view and configure cluster wide system settings use the following command cfg sys The System menu appears The System menu includes the following options Nortel Secure Network Access Switch Using the Command Line Interface NN47230 100 03 01 S...

Page 263: ...n order to configure date and time settings and to access Network Time Protocol NTP servers see Configuring date and time settings page 274 dns Accesses the DNS Settings menu in order to manage DNS servers and tune DNS settings see Configuring DNS servers and settings page 276 rsa server ID Accesses the RSA Servers menu in order to configure the RSA server see Configuring RSA servers page 279 ATTE...

Page 264: ...ace tcpdump commands see Tracing SSL traffic page 99 The distrace command is used to improve security The only way to reverse this command is to do a boot install Configuring the Nortel SNAS host To configure basic TCP IP properties for a particular Nortel SNAS device in the cluster use the following command cfg sys host host ID where host ID is an integer automatically assigned to the host when y...

Page 265: ...l SNAS SSL portal and Nortel SNAS domain client access license is available for 100 250 500 and 1000 users key is text you paste in The license key text is supplied to you by Nortel Technical Support When pasting ensure you include the BEGIN LICENSE and END LICENSE lines To obtain a license key first use the info local command to find out the MAC address of the Nortel SNAS device Then provide the ...

Page 266: ... failover or trunking are listed together separated by a comma A port that cannot exist on the same network as other listed ports appears after a colon For example Ports 1 2 3 hwplatform the hardware platform of the Nortel SNAS device halt Stops Nortel SNAS processing Always use this command before turning off the device If the Nortel SNAS you want to halt has become isolated from the cluster you ...

Page 267: ...ll Nortel SNAS devices in the cluster use the cfg sys cur command After you have removed the Nortel SNAS from the cluster you must use a console connection to access the device Log on as the admin user with the admin password to enter the Setup utility ATTENTION If there are other Nortel SNAS devices in the cluster configuration you cannot delete a device if it is the only Nortel SNAS in the clust...

Page 268: ...onfigure an IP interface and the assignment of physical ports on a particular Nortel SNAS host use the following command cfg sys host host ID interface interface ID where interface ID is an integer in the range 1 to 252 that uniquely identifies the interface on the Nortel SNAS host To configure a new interface enter an unused interface ID number To change the configuration of an existing interface...

Page 269: ...N tag if packets received by the interface are tagged with a specific VLAN tag ID mode failover trunking Specifies the mode of operation for the port numbers assigned to this interface The options are failover only one link is active at any given time If the port with an active link fails the active link is immediately switched over to one of the other ports configured for the interface When you s...

Page 270: ...ransferred even after the failed port regains functionality The primary port setting applies only when you have configured more than one port in the interface and the mode is failover delete Removes the interface from the system configuration Configuring static routes To manage static routes on a cluster wide level when more than one interface is configured use the following command cfg sys routes...

Page 271: ...d static routes by index number del index number Removes the specified route from the system host or interface configuration index number is the identification number automatically assigned to the route when you added the route to the configuration To view the index numbers of all configured static routes use the list command add IPaddr mask gateway Adds a static route to the system host or interf...

Page 272: ...is on ensure that the device to which the port is connected is also set to auto negotiate speed speed Sets the speed for the host and NIC port when auto negotiation is set to off speed the port speed in megabits per second The options are 10 100 1000 mode full half Sets the duplex mode for the host and NIC port when auto negotiation is set to off The options are full and half The default duplex mo...

Page 273: ...t to allow access by individual machines or a range of machines on a specific network If the Access List is empty then access is open to any machine ATTENTION Before you join a Nortel SNAS to the cluster if there are existing entries in the Access List you must add to the Access List the RIP host IP address for Interface 1 of all Nortel SNAS devices in the cluster You must do this before you perfo...

Page 274: ... is the IP address of the host to be allowed access mask is the subnet mask You can set the mask to specify a single machine or a range of machines on a specific network An index number is automatically assigned to the entry Configuring date and time settings To configure date and time settings for the cluster use the following command cfg sys time The Date and Time menu appears The Date and Time ...

Page 275: ...nage NTP servers used by the system use the following command cfg sys time ntp The NTP Servers menu appears The NTP Servers menu includes the following options cfg sys time ntp followed by list IP address information for all NTP servers configured for the system by index number del index number Removes the specified NTP server from the system configuration index number is the identification number...

Page 276: ... positive integer that indicates the time interval in seconds s minutes m hours h or days d If you do not specify a measurement unit seconds is assumed The default is 2 2 seconds count count Specifies the number of retries count is a non negative integer that indicates the maximum number of times a DNS query is retransmitted The default is 3 ttl ttl Specifies the maximum time to live TTL value for...

Page 277: ...r is down The default is 2 hup count Sets the health check up counter count is a positive integer that indicates the number of times a DNS server health check returns a positive response before the Nortel SNAS determines the DNS server is up The default is 2 Managing DNS servers You can add up to three DNS servers to the system configuration The DNS server is used by the captive portal when it for...

Page 278: ... position in the list of DNS servers in the configuration index number the index number you want the server to have IPaddr the IP address of the DNS server you are adding The index number you specify must be in use The index numbers of existing servers with this index number and higher are incremented by 1 move index number new index number Moves a server up or down the list of DNS servers in the ...

Page 279: ...name of the sdconf rec file on the server The sdconf rec file is a configuration file that contains critical RSA ACE Server information Contact your RSA ACE Server administrator to obtain the file and make it available on the specified TFTP FTP SCP SFTP server rmnodesecr Removes the RSA node secret if necessary Authentication will then fail until the Node secret created check box is unchecked in t...

Page 280: ...the IP address of the syslog server facility the local facility number to uniquely identify syslog entries For more information about the local facility number see the manual page for syslog conf under UNIX The system automatically assigns the next available index number to the server insert index number IPaddr facility Assigns a specific index number to the syslog server you add index number the ...

Page 281: ...slog servers use the list command Configuring administrative settings Administrative settings control the functioning of the CLI Important administrative settings include enabling Telnet access to the CLI enabling SSH access to the CLI required in order to use the SREM enabling SRS administration to configure the Nortel Health Agent SRS rules see Enabling TunnelGuard SRS administration page 284 se...

Page 282: ...t unit seconds is assumed The range is 300 604800 seconds 5 m 7 d The default is 600 10 m Changes to the timeout value do not take effect until the next logon When the user is automatically logged out any unapplied changes are lost Save your configuration changes regularly by using the global apply command audit Accesses the Audit menu in order to configure RADIUS auditing see Configuring RADIUS a...

Page 283: ... the Access List all SSH connections are allowed If there are any entries in the Access List only the specified machines are allowed SSH access off all SSH connections are rejected including connections from machines in the Access List The default is off For more information about the Access List see Configuring the Access List page 273 srsadmin Accesses the SRS Admin menu in order to configure th...

Page 284: ...ena Enables SRS administration for creating and managing SRS rules dis Disables SRS administration The default is disabled Configuring Nortel SNAS host SSH keys The Nortel SNAS functions as both SSH client for importing and exporting logs using SFTP and SSH server for secure management communications between the Nortel SNAS devices in a cluster ATTENTION SCP is not supported The SSH host keys are ...

Page 285: ...rage of an SSH client RSA and DSA keys the SECSH Public Ke y File Format as described in Internet Draft draft ietf secsh publickeyfile knownhosts Accesses the SSH Known Host Keys menu in order to manage the public SSH keys of remote hosts see Managing known hosts SSH keys page 285 Managing known hosts SSH keys You can paste or import public SSH keys from remote hosts as a convenience so that you d...

Page 286: ...format used by the OpenSSH implementation If the key has a valid format you will be prompted for the corresponding host name or IP address You can provide a comma separated list of names and IP addresses for the host The system automatically assigns the next available index number to the known host SSH key import IPaddr Allows you to import an SSH key from a remote host IPaddr the IP address of th...

Page 287: ...essions see Configuring RADIUS accounting page 110 About the vendor specific attributes The RADIUS audit server uses Vendor Id and Vendor Type attributes in combination to identify the source of the audit information The attributes are sent to the RADIUS audit server together with the event log information Each vendor has a specific dictionary The Vendor Id specified for an attribute identifies th...

Page 288: ...rvers for the cluster see Managing RADIUS audit servers page 289 vendorid Corresponds to the vendor specific attribute used by the RADIUS audit server to identify event log information from the Nortel SNAS cluster The default Vendor Id is 1872 Alteon vendortype Corresponds to the Vendor Type value used in combination with the Vendor Id to identify event log information from the Nortel SNAS cluster...

Page 289: ...vers use the list command add IPaddr port shared secret Adds a RADIUS audit server to the configuration You are prompted to enter the following information IPaddr the IP address of the audit server port the TCP port number used for RADIUS auditing The default is 1813 shared secret the password used to authenticate the Nortel SNAS to the audit server The system automatically assigns the next availa...

Page 290: ... password defined on the Nortel SNAS When the user logs on the RADIUS server authenticates the password The user group admin oper or certadmin is picked up from the local definition of the user For more information about specifying user names passwords and group assignments for Nortel SNAS system users see Managing system users and groups page 211 When you add an external RADIUS authentication ser...

Page 291: ...s s minutes m or hours h If you do not specify a measurement unit seconds is assumed The range is 1 10000 seconds The default is 10 seconds fallback on off Specifies the desired fallback mode Valid options are on if the RADIUS servers are unreachable the local passwords defined on the Nortel SNAS are used as fallback off if the RADIUS servers are unreachable the only way to access the system is to...

Page 292: ...rs menu appears The RADIUS Authentication Servers menu includes the following options cfg sys adm auth servers followed by list Lists the IP addresses of currently configured RADIUS authentication servers by index number del index number Removes the specified RADIUS authentication server from the current configuration The index numbers of the remaining entries adjust accordingly To view the index ...

Page 293: ...er the index number you want the server to have IPaddr the IP address of the authentication server you are adding The index number you specify must be in use The index numbers of existing servers with this index number and higher are incremented by 1 move index number new index number Moves a server up or down the list of RADIUS authentication servers in the configuration index number the original...

Page 294: ...a host from list specify the index number user_atmpt Specifies allowed number of failed attempts to a user account Default value is 10 1h attempts time period host_atmpt Specifies allowed number of failed login attempts from a host Default value is 10 1h attempts timeperiod user_purge Specify time period for purging failed user attempt record Default value is 2d host_purge Specify time period for ...

Page 295: ... sys adm hardenpass followed by length Specify the minimum length of the password The value ranges from 1 to 511 lowercase Specify the minimum number of lower case characters in the password The value ranges from 1 to 511 uppercase Specify the minimum number of upper case characters in the password The value ranges from 1 to 511 digits Specify the minimum number of digits in the password The value...

Page 296: ...assword The value ranges from 1 to 511 retry Specify the number of retries to enter the password The value ranges from 1 to 15 ena Enables harden password dis Disables harden password Nortel Secure Network Access Switch Using the Command Line Interface NN47230 100 03 01 Standard 28 July 2008 Copyright 2007 2008 Nortel Networks ...

Page 297: ...l SNAS page 314 Displaying or saving a certificate and key page 316 Exporting a certificate and key from the Nortel SNAS page 318 Generating a test certificate page 320 Overview To use the encryption capabilities of the Nortel SNAS you must add a key and certificate that conforms to the X 509 standard The key and certificate apply to the cluster It does not matter whether you connect to the Manage...

Page 298: ...te keys and certificates in a number of standard formats Table 53 Supported key and certificate formats page 298 summarizes the supported formats Table 53 Supported key and certificate formats Format Import Add Export Save Comment PEM Yes Yes Encrypts the private key Combines the private key and certificate in the same file ATTENTION You must use the PEM format when you save keys and certificates ...

Page 299: ...rtificate on the Nortel SNAS cluster see Installing certificates and keys page 299 4 Map the installed certificate to the Nortel SNAS portal server see Configuring SSL settings page 102 End Installing certificates and keys There are two ways to install a certificate and key in the Nortel SNAS cluster by pasting see Adding a certificate to the Nortel SNAS page 310 by importing from a TFTP FTP SCP S...

Page 300: ...py and paste method saves the certificate and key in PEM format The export method allows you to choose from a variety of file formats Nortel recommends using the PKCS12 format also known as PFX Most web browsers accept importing a combined key and certificate file in the PKCS12 format For more information about the formats supported on the Nortel SNAS see Key and certificate formats page 298 Updat...

Page 301: ...e 302 generate requests for signed certificates see Generating and submitting a CSR page 305 add certificates by copy and paste see Adding a certificate to the Nortel SNAS page 310 add private keys by copy and paste see Adding a private key to the Nortel SNAS page 312 import certificates and private keys see Importing certificates and keys into the Nortel SNAS page 314 save certificates and privat...

Page 302: ... command To manage private keys and certificates access the Certificate menu by using the following command cfg cert cert id where cert id is an integer in the range 1 1500 representing an index number that uniquely identifies the certificate in the system If you specify an unused certificate number the certificate is created The Certificate menu appears The Certificate menu includes the following...

Page 303: ...on organizational unit common name e mail address validity period key size CA cert true false serial number pass phrase servergenerates a signed server certificate provided with key use options that are appropriate for server usage Set the CA cert value to true if you plan to issue your own chained server certificates generating them from the currently generated server certificate The CA cert valu...

Page 304: ...nd certificate to a TFTP FTP SCP SFTP server in a format you specify For more information see Exporting a certificate and key from the Nortel SNAS page 318 display pass phrase the current key and certificate in order to save copies as backup or for export to another device For more information see Displaying or saving a certificate and key page 316 The display command allows you to save private ke...

Page 305: ...te keys are protected by the cluster del Removes the current certificate and private key Generating and submitting a CSR To prepare a CSR for submission to a CA perform the following steps Step Action 1 Access the Certificate menu by using the cfg cert cert id command where to generate a CSR for a new certificate cert id is an unused certificate number to generate a CSR to renew an existing certif...

Page 306: ...ars in the common name of the web server Do not abbreviate the organization name and do not use any of the following characters Organizational Unit Name e g section The name of the department or group that uses the secure web server Common Name e g your name or your server s hostname The name of the web server as it appears in the URL The name must be the same as the domain name of the web server ...

Page 307: ...e is approaching its expiration date and you want to renew it without replacing the existing key specify n no The CSR will be based on the existing key for the specified certificate number Key size 1024 The length of the generated key in bits The default value is 1024 Request a CA certificate y n n Specifies whether to request a CA certificate to use for client authentication Request a CA certific...

Page 308: ...ommand For more information about the Certificate menu commands see Managing and viewing certificates and keys page 302 Figure 15 Generating a CSR 5 Save the CSR to a file a Copy the entire CSR including the BEGIN CERTIFICATE REQUEST and END CERTIFICATE REQUEST lines and paste it into a text editor Nortel Secure Network Access Switch Using the Command Line Interface NN47230 100 03 01 Standard 28 J...

Page 309: ...VATE KEY lines and paste it into a text editor c Save the text editor file with a pem extension Nortel recommends using the same file name that you defined for the csr file see step 5 so the connection between the two files is obvious 7 Submit the CSR to a CA such as Entrust or VeriSign a In a text editor open the csr file you created in step 5 b Copy the entire CSR including the BEGIN CERTIFICATE...

Page 310: ... to perform an additional step to add the private key If you obtained the certificate by means other than using the cfg cert request command to generate the CSR specify a certificate number not used by any other configured certificate If the private key and the certificate are not contained in the same file you will have to perform an additional step to add the private key see Adding a certificate...

Page 311: ...d If you obtained the certificate by means other than using the cfg cert request command to generate the CSR and are using a new certificate number you must now add the corresponding private key see Adding a private key to the Nortel SNAS page 312 Figure 16 Adding a certificate by pasting page 312 shows sample output for the cfg cert cert command For more information about the Certificate menu com...

Page 312: ...used when pasting the certificate 2 Copy the contents of the private key file a Locate the file containing the private key Make sure the key file corresponds with the certificate file you received from the CA The public key contained in the certificate works in concert with the related private key to handle SSL transactions Nortel Secure Network Access Switch Using the Command Line Interface NN472...

Page 313: ...ssword protected you are prompted to enter the password phrase The password phrase required is the one you specified when saving or exporting the private key 4 Apply the changes The certificate and private key are now fully installed Figure 17 Adding a private key by pasting page 314 shows sample output for the cfg cert key command For more information about the Certificate menu commands see Manag...

Page 314: ...e key into the Nortel SNAS perform the following steps Step Action 1 Upload the certificate file and key file to the file exchange server ATTENTION You can arrange to include your private key in the certificate file When the Nortel SNAS retrieves the specified certificate file from the file exchange server the Nortel SNAS software analyzes the contents and automatically adds the private key if pre...

Page 315: ...on Protocol The file import protocol The options are TFTP FTP SCP SFTP The default is TFTP Server host name or IP address The host name or IP address of the file exchange server File name The name of the file on the file exchange server FTP user name and password For FTP SCP and SFTP the user name and password to access the file exchange server The default is anonymous For anonymous mode the Norte...

Page 316: ...f security Save the certificate by copying the certificate section and pasting it into a text editor then saving the text file with a PEM extension Similarly save the private key by copying the key section and pasting it into a text editor then saving the text file with a PEM extension You can also save both the certificate and the private key in one file with a PEM extension To save a certificate...

Page 317: ...provided on all occasions in future when the private key file is accessed for example when adding importing or exporting private keys and certificates 5 Copy the private key certificate or both as required For the private key ensure that you include the BEGIN RSA PRIVATE KEY and END RSA PRIVATE KEY lines For the certificate ensure that you include the BEGIN CERTIFICATE and END CERTIFICATE lines 6 ...

Page 318: ...e formats supported for export see Key and certificate formats page 298 To export a certificate and key from the Nortel SNAS perform the following steps Step Action 1 Access the Certificate menu by using the cfg cert cert id command where cert id is the certificate number of the certificate you wish to export Nortel Secure Network Access Switch Using the Command Line Interface NN47230 100 03 01 St...

Page 319: ...ificate format in which you want to export the key and certificate Valid options are PEM DER NET PKCS12 also known as PFX The PEM and PKCS12 formats always combine the private key and certificate in the same file Nortel recommends using the PKCS12 format Most web browsers accept importing a combined key and certificate file in the PKCS12 format The formats have different capabilities regarding pri...

Page 320: ...ss the file exchange server The default is anonymous Figure 20 Exporting a certificate and private key page 320 shows sample output for the cfg cert export command For more information about the Certificate menu commands see Managing and viewing certificates and keys page 302 Figure 20 Exporting a certificate and private key End Generating a test certificate You can generate a self signed certific...

Page 321: ...eters The combined length of the parameters cannot exceed 225 bytes country name 2 letter code state or province name locality name organization name organizational unit name common name e mail address subject alternative name validity period the default is 365 days key size the default is 1024 bits For more information about the parameters see Table 54 CSR information page 306 3 Apply the changes...

Page 323: ...gement Information Bases MIB and return this data to the SNMP requesters There is one SNMP agent on each Nortel SNAS device and the agent listens to the Real IP address RIP of that particular device On the Nortel SNAS that currently holds the cluster Management IP address MIP the SNMP agent also listens to the MIP The SNMP agent supports SNMP version 1 version 2c and version 3 Notification targets...

Page 324: ...cation targets page 331 SNMP monitors and events see Configuring SNMP events page 332 Roadmap of SNMP commands The following roadmap lists the CLI commands to configure SNMP Use this list as a quick reference or click on any entry for more information Command Parameter cfg sys adm snmp ena dis versions v1 v2c v3 cfg sys adm snmp snmpv2 mib sysContact contact snmpEnable disabled enabled cfg sys adm...

Page 325: ... c comment name notification OID delevent name list Configuring SNMP settings To configure SNMP management of the Nortel SNAS cluster use the following command cfg sys adm snmp The SNMP menu appears The SNMP menu includes the following options cfg sys adm snmp followed by ena Enables network management using SNMP The default is enabled dis Disables network management using SNMP Nortel Secure Netwo...

Page 326: ...unity page 327 users Accesses the SNMP User menu in order to manage SNMPv3 users see Configuring SNMPv3 users page 328 target Accesses the Notification Target menu in order to configure the notification target aspects of SNMP monitoring see Configuring SNMP notification targets page 331 event Accesses the Event menu in order to create custom monitoring definitions for the objects in the DISMAN EVE...

Page 327: ...g options cfg sys adm snmp community followed by read name Specifies the monitor community name that grants read access to the MIB If you do not specify a monitor community name read access is not granted The default monitor community name is public write name Specifies the control community name that grants read and write access to the MIB If you do not specify a control community name neither re...

Page 328: ... The maximum length of the string is 255 characters After you have defined a name for the user you can use either the user name or the user ID to access the SNMP User menu security level the degree of SNMP USM security Valid options are none SNMP access is granted without authentication auth SNMP user must provide a verified password before SNMP access is granted You are later prompted to specify ...

Page 329: ...th or priv privacy protocol the protocol used for encryption Valid options are des aes The default is des priv password a string of at least eight characters specifying the USM user s individual encryption key The password is required if the security level is set to priv The SNMP User menu appears The SNMP User menu includes the following options cfg sys adm snmp users user ID followed by name nam...

Page 330: ...with the user s individual key You are later prompted to specify the required password auth password and encryption key priv password The default is priv permission get set trap Specifies the USM user s privileges Valid options are get USM user is authorized to perform SNMP get requests read access to the MIB set USM user is authorized to perform SNMP set requests write access to the MIB Write acc...

Page 331: ...des privpasswd password Specifies the USM user s individual encryption key The password is required if the security level is set to priv password is a string that must be at least eight characters long del Removes the USM user from the configuration Configuring SNMP notification targets SNMP managers function as the notification targets for SNMP monitoring To configure notification targets use the...

Page 332: ... SNMP monitors as defined in the DISMAN EVENT MIB boolean checks the value of a monitored object identifier OID against a specific value and triggers an event if the result matches a specified operation threshold compares a monitored OID against a range of values and triggers events if the comparison determines that the OID value is rising too quickly falling too quickly or falls outside certain b...

Page 333: ...tification event d OID the delta discontinuity OID D timeTicks timeStamp dateAnd Time the delta discontinuity type Other parameters are name a unique name you assign to the monitor for identification OID the object identifier or symbolic name to monitor op the operator Valid options are not equals equals less than or equal to greater than or equal to less than greater than value an integer indicat...

Page 334: ...d Time the delta discontinuity type Other parameters are name a unique name you assign to the monitor for identification OID the object identifier or symbolic name to monitor value and event a combination of an integer and an event condition where the integer represents the event condition threshold that will trigger notification Valid combinations are LowVal FallingEvent HighVal RisingEvent Delta...

Page 335: ...que name you assign to the monitor for identification OID the object identifier or symbolic name to monitor present absent changed indicate s whether the object being monitored is present absent or has changed delmonitor name Removes the specified monitor from the configuration addevent c comment name notification OID Adds a notification event as defined in the DISMAN EVENT MIB c comment adds a co...

Page 336: ...rom the configuration list configured monitors and events For monitors the monitor name OID and type For events the event name notification OID and comment Nortel Secure Network Access Switch Using the Command Line Interface NN47230 100 03 01 Standard 28 July 2008 Copyright 2007 2008 Nortel Networks ...

Page 337: ...or individual hosts in the cluster since the system was started Viewing system information and performance statistics To view current information about system status and the system configuration access the Information menu by using the following command info To view performance statistics for the cluster and for individual Nortel SNAS hosts access the Statistics menu by using the following command...

Page 338: ...D username prefix groupsessi domain switch login port type user vlan source IP portal IP source Mac session type snmp profi switch domainid switchid contlist Exclude buffers cache from mem util yes no local ethernet ports info dhcp list del and stats info events alarms download protocol server filename info logs list download protocol server filename stats aaa total isdhost host ID domain ID dump ...

Page 339: ...time DNS settings Access List and administrative applications NTP DNS syslog audit and other servers For information about configuring the system see Configuring system settings page 257 sonmp SynOptics Network Management Protocol SONMP network topology information including the IP address MAC address chassis type and state of all Nortel SNAS and SONMP enabled network devices in the system license...

Page 340: ... assigned index number Enter the index numbers corresponding to the users you wish to log out Kick group by name name a string that uniquely identifies the group The maximum length of the string is 255 characters For example to log out users corresponding to index numbers 1 2 3 and 5 enter 1 3 5 blacklist IPv4 Mac address blacklist duration Blacklists a device using ipv4 or MAC address and set the...

Page 341: ...the network access devices and pVIP distribution by domain ip IPaddr option Searches the session table based on the specified IP address and information about the client session You are prompted to provide the domain ID and the IP address The information includes the domain ID the switch ID and port in slot port format the client s user name MAC address for an IP Phone the client s current IP addr...

Page 342: ...e MAC address for an IP Phone the client s current IP address the source MAC address the date the client logged on time is reported if logon was today the client device type the client s current VLAN membership and the portal IP address through which the client logged on The options for device type are phone or dynamic PC dn_pc To restrict the display to a specific domain enter the domain ID as pa...

Page 343: ...have connected To exclude buffers and cache from the memory usage reported enter the command as info contlist yes To include buffers and cache in the memory usage reported enter the command as info contlist no The default is to include buffers and cache no local the current software version hardware platform up time since last boot IP address and Ethernet MAC address for the particular Nortel SNAS...

Page 344: ...formation displayed relates to the Nortel SNAS device in the cluster that is currently in control of the MIP For each port information includes link status up down and the Ethernet auto negotiation setting on off If the link is up the information also includes current values for speed 10 100 1000 and duplex mode half full If the link is down and auto negotiation is set to off the information inclu...

Page 345: ...mits the event log file from the Nortel SNAS cluster to a file on the specified TFTP FTP SFTP file exchange server You are prompted to provide the following information protocol is the export protocol Options are tftp ftp scp sftp The default is tftp server is the host name or IP address of the server filename is the name of the destination log file on the file exchange server Viewing log files To...

Page 346: ...n the number of authentication requests accepted and rejected for external LDAP and RADIUS servers the number of authentication requests timed out The external LDAP and RADIUS servers are listed by IP address and TCP port number The CLI reports statistics for all authentication methods configured in the cluster whether or not they have been included in the authentication order scheme see Specifyin...

Page 347: ...ter 0 ATTENTION With Nortel Secure Network Access Switch Software Release 1 6 1 there is only one domain in the system dump Dumps all authentication statistics in the CLI presenting them first by domain and then by Nortel SNAS host The display includes the number of accepted and rejected requests for all configured authentication methods as well as the number of accepted and rejected connections b...

Page 348: ...istics dump Viewing all statistics To view all available statistics for the Nortel SNAS cluster use the following command stats dump Nortel Secure Network Access Switch Using the Command Line Interface NN47230 100 03 01 Standard 28 July 2008 Copyright 2007 2008 Nortel Networks ...

Page 349: ...onitored IPv4 or Mac Address specify IPv4 or Mac Address group name Kick group by name name a string that uniquely identifies the group The maximum length of the string is 255 characters Nortel SNAS TPS Interface This supports the blacklisting feature which allows to configure a time out value for which the specified user or device is not permitted to connect to the network You can blacklist a dev...

Page 350: ...s Specify the IPv4 or MAC Address to be blacklisted blacklist duration Specify the duration to blacklist the device Range 1 minute to 31 days for example 20m Nortel Secure Network Access Switch Using the Command Line Interface NN47230 100 03 01 Standard 28 July 2008 Copyright 2007 2008 Nortel Networks ...

Page 351: ...d it to a file exchange server Check connectivity between the Nortel SNAS and all configured gateways routers and servers Start and stop tracing to log information about a client session You can limit the trace to specific features such as SSL handshake authentication method user name group and profile DNS lookups and the Nortel Health Agent check You can use the trace feature as a debugging tool ...

Page 352: ...y using the following command boot Roadmap of maintenance and boot commands The following roadmap lists the CLI commands to perform maintenance and software and device management activities Use this list as a quick reference or click on any entry for more information Command Parameter maint log start log stop log displaylog clearlog dumplogs protocol host name or IP address of server filename on s...

Page 353: ... technical support purposes use the following command maint The Maintenance menu appears The Maintenance menu includes the following options maint followed by logs in memory Displays the logging system menu start log starts logging messages into an internal buffer stop log stops logging messages into an internal buffer displaylog set to display last n messages where n is order of 10 clearlog clear...

Page 354: ...or the Nortel SNAS device currently in control of the MIP for FTP and SFTP user name and password The file sent to the file exchange server does not contain any sensitive information related to the system configuration such as private keys dumpstats protocol host name or IP address of server filename on server collect info from all cluster host Collects current system internal status information a...

Page 355: ...192 168 128 3 ping ok Testing cfg sys dns servers 192 168 128 1 dns ok All tests completed successfully starttrace tags domain ID output mode Logs information pertaining to a client session You are prompted to provide the following information tags specifies the specific features or subsystems to which you want to limit tracing The options are all logs all information The default is all aaa logs a...

Page 356: ...rompted to provide the server information For sample output from the starttrace command see Trace tools page 409 stoptrace Stops tracing If you selected interactive mode for the starttrace command and information is logged to the CLI press Enter to redisplay the CLI prompt Backing up or restoring the configuration To save the system configuration to a file on a file exchange server use the followi...

Page 357: ... prompted to provide the following information protocol is the export protocol Options are tftp ftp scp sftp The default is tftp server is the host name or IP address of the file exchange server filename is the name of the destination file on the file exchange server ATTENTION If you have fully separated the Administrator user role from the Certificate Administrator user role the export passphrase...

Page 358: ...iguration on screen in a format that allows you to restore the configuration without downloading the configuration to a file server You are prompted to specify if you wish to include private keys in the configuration dump If you do then you are prompted to provide a password phrase in order to protect the private keys The password phrase you specify applies to all private keys If you later restore...

Page 359: ...sts schedule time details for the following Id Task Scheduled Time Comments ena Enables the scheduler task dis Disables the scheduler task Addition of a scheduled task To add a scheduled task use the following command cfg scheduler add This includes the following fields cfg scheduler add followed by task Specifies the scheduled task Values ptcfg reboot starttrace stoptrace selftest upgrade export ...

Page 360: ...e Specify the filename password Password for private keys in cfg cfg scheduler add followed by starttrace day of week Select the day of the week You can select the multiple days in a week The value ranges from 0 to 6 Sunday 0 and 1 5 month s Select the month You can select the multiple months The value ranges from 1 to 12 Every Month day s Select the day of the month You can select the multiple da...

Page 361: ...e multiple months The value ranges from 1 to 12 day s Select the day of the month You can select the multiple days of a month The value ranges from 1 to 31 hour s Specify the hour The value ranges from 0 to 23 minute s Specify the minute The value ranges from 0 to 59 comments Specify comment for this scheduler protocol Select the Protocol tftp ftp hostname or IP address Specify hostname or IP addr...

Page 362: ... Management IP address MIP use the cfg sys host reboot command instead see reboot page 267 delete Resets the Nortel SNAS device to which you are connected using Telnet SSH or a console connection to its factory default configuration All IP configuration is lost The software itself remains intact After executing the delete command you can only access the device using a console connection Log on as ...

Page 363: ...following command boot software The Software Management menu appears The Software Management menu includes the following options boot software followed by cur the status of the software versions on the particular device to which are connected The status options are permanent the software version that is currently operational old the software version that preceded the currently operational software...

Page 364: ... them in the command protocol is the import protocol Options are tftp ftp scp sftp The default is tftp server is the host name or IP address of the file exchange server filename is the name of the software upgrade package Software upgrade packages typically have the pkg file name extension for FTP SCP and SFTP user name and password If you include a directory path and file name separated by a forw...

Page 365: ...ftware package that has been downloaded but not yet activated status is unpacked You cannot delete software versions with any other status see the cur command Nortel Secure Network Access Switch Using the Command Line Interface NN47230 100 03 01 Standard 28 July 2008 Copyright 2007 2008 Nortel Networks ...

Page 366: ...366 Maintaining and managing the system Nortel Secure Network Access Switch Using the Command Line Interface NN47230 100 03 01 Standard 28 July 2008 Copyright 2007 2008 Nortel Networks ...

Page 367: ...software on the Nortel SNAS in order to return the device to its factory defaults Upgrading the Nortel SNAS There are two types of upgrades Minor release upgrade This is typically a bug fix release All configuration data is retained To perform a minor upgrade connect to the Management IP address MIP of the cluster you want to upgrade Major release upgrade This kind of release may contain bug fixes...

Page 368: ... that the DNS parameters must have been configured For more information see Configuring DNS servers and settings page 276 The name of the software upgrade package upgrade packages are identified by the pkg file name extension The set of installed Nortel SNAS devices you are running in a cluster cooperate to give you a single system view Thus to perform an upgrade you only need to connect to the MI...

Page 369: ...e TFTP FTP SCP SFTP server If you are using anonymous mode when downloading the software package from an FTP server the following string is used as the password for logging purposes admin hostname IP isd Enter filename on server filename pkg FTP User anonymous username or press ENTER for anonymous mode Password password or press ENTER for default password in anonymous mode Received 28200364 bytes ...

Page 370: ...downloaded the software upgrade package you can inspect its status with the boot software cur command Step Action 1 At the Software Management prompt enter the following command Software Management cur Version Name Status x x NSNAS old z z NSNAS permanent The downloaded software upgrade package is indicated with the status unpacked The software versions can be marked with one out of four possible ...

Page 371: ...ng the unpacked software upgrade package may cause the command line interface CLI software to be upgraded as well Therefore you will be logged out of the system and will have to log in again Wait until the login prompt appears This may take up to two minutes depending on your type of hardware platform and whether the system reboots 3 Log in again and verify the new software version Main boot softw...

Page 372: ...e it is only in the case of serious malfunction that you might need to reinstall the software and this seldom occurs You must perform the reinstall using a console connection Reinstalling the software resets the Nortel SNAS to its factory default configuration The reinstall erases all other configuration data and current software including old software image versions or upgrade packages that may b...

Page 373: ...ware image downloaded to an external file server perform the following steps Step Action 1 Log on as the boot user The password for the boot user is ForgetMe login boot Password ForgetMe Reinstall Upgrade Procedure If you proceed beyond this point the active network configuration will be reset requiring a reboot to restore any current settings However no permanent changes will be done until the bo...

Page 374: ...erver does not support anonymous logon The default is anonymous Select protocol tftp ftp scp sftp tftp protocol Enter protocol server address IPaddr Enter file name of boot image NSNAS x x x boot img Enter FTP Username anonymous Password Downloading boot image Installing new boot image Done ATTENTION For some TFTP servers files larger than 16 MB may cause the update to fail 4 Wait for the Nortel S...

Page 375: ...g steps Step Action 1 Boot the Nortel SNAS from the CD 2 Log on as the root user no password 3 Run install nsnas isd4050 4 When the installation is complete remove the CD and reboot End Nortel Secure Network Access Switch Using the Command Line Interface NN47230 100 03 01 Standard 28 July 2008 Copyright 2007 2008 Nortel Networks ...

Page 376: ...376 Upgrading or reinstalling the software Nortel Secure Network Access Switch Using the Command Line Interface NN47230 100 03 01 Standard 28 July 2008 Copyright 2007 2008 Nortel Networks ...

Page 377: ...mand line interface and menu system you can access and configure the Nortel SNAS or cluster either through a local console connection using a computer running terminal emulation software or through a remote session using a Telnet client or a Secure Shell SSH client When using a Telnet or SSH client to connect to a cluster of Nortel SNAS devices always connect to the Management IP address MIP Confi...

Page 378: ...uirements To establish a console connection with the Nortel SNAS you need the following An ASCII terminal or a computer running terminal emulation software set to the parameters shown in Table 58 Console configuration parameters page 378 Table 58 Console configuration parameters Parameter Value Baud rate 9600 Data bits 8 Parity None Stop bits 1 Flow control None A serial cable with a female DB 9 c...

Page 379: ... for Telnet access you need to have a device with Telnet client software located on the same network as the Nortel SNAS device or cluster The Nortel SNAS must have a RIP and a MIP If you have already performed the initial setup by selecting new or join in the Setup menu the assignment of IP addresses is complete When you are making configuration changes to a cluster of Nortel SNAS devices using Te...

Page 380: ...f all traffic that is transmitted over the network when configuring or collecting information from the Nortel SNAS Enabling and restricting SSH access SSH access to the Nortel SNAS is disabled by default However depending on the severity of your security policy you may want to enable SSH access You may also restrict SSH access to one or more specific machines For more information on how to enable ...

Page 381: ...nistrator has read and write access to all menus information and configuration commands in the Nortel SNAS software A Certificate Administrator is a member of the certadmin group A Certificate Administrator has sufficient user rights to manage certificates and private keys By default only the Administrator user is a member of the certadmin group To separate the Certificate Administrator user role ...

Page 382: ...23 Table 59 User access levels User Account User Group Access Level Description Default Password oper oper The Operator is allowed read access to some of the menus and information available in the CLI oper admin admin oper certadmin The Administrator is allowed both read and write access to all menus information and configuration commands The Administrator can add users to all groups in which the ...

Page 383: ...e Nortel SNAS will disconnect your local console connection or remote connection Telnet or SSH after 10 minutes of inactivity This value can be changed to a maximum value of 1 hour using the cfg sys adm clitimeout command If you are automatically disconnected after the specified idle timeout interval any unapplied configuration changes are lost Therefore make sure to save your configuration change...

Page 385: ...age 397 Scenario The basic Nortel SNAS network in this example includes one Nortel SNAS device two edge switches one Ethernet Routing Switch 8300and one Ethernet Routing Switch 5510 functioning as network access devices an Ethernet Routing Switch 8600 functions only as the core router BCM call server a DNS server a DHCP server and a remediation server are connected to it The edge switches function...

Page 386: ...work devices Device Service VLAN ID VLAN IP address Device IP address Ethernet Routing Switch 8600 port DNS 20 10 20 20 1 10 20 20 2 1 1 ATTENTION 1 1 refers to port 1 of chasis component mounted on rack 1 1 1 unit 1 port 1 DHCP 30 10 30 30 1 10 30 30 2 1 11 Nortel Secure Network Access Switch Using the Command Line Interface NN47230 100 03 01 Standard 28 July 2008 Copyright 2007 2008 Nortel Netwo...

Page 387: ... A Yellow 120 10 120 120 0 24 Green 130 N A VoIP 140 N A Table 62 VLANs for the Ethernet Routing Switch 5510 page 387 summarizes the VLANs for the Ethernet Routing Switch 5510 Table 62 VLANs for the Ethernet Routing Switch 5510 VLAN VLAN ID Yellow subnet Red 210 N A Yellow 220 10 120 120 0 24 Green 230 N A VoIP 240 N A ATTENTION The management VLAN ID is the default VLAN ID 1 Steps 1 Configure the...

Page 388: ...reated Figure 24 DNS Forward Lookup configuration Configure the network DHCP server To configure a DHCP scope using the New Scope Wizard Windows 2000 server Step Action 1 Log in to the server using the administrator username and password 2 Run the DHCP admin utility Start Programs Administrative Tools DHCP 3 Create a new DHCP scope see Figure 25 Creating a new DHCP scope page 389 Nortel Secure Net...

Page 389: ... the VLAN is 10 110 110 5 and the end address is 10 110 110 25 The scope you create must have a range of IP addresses that is large enough to accommodate all endpoint devices in your network Figure 26 Naming the new DHCP scope 5 Specify the IP address range for the DHCP scope see Figure 27 Specifying the IP address range page 390 Nortel Secure Network Access Switch Using the Command Line Interface...

Page 390: ... window see Figure 28 Choosing to configure additional options page 390 Figure 28 Choosing to configure additional options 7 Enter the IP address of the default gateway see Figure 29 Specifying the default gateway page 391 Nortel Secure Network Access Switch Using the Command Line Interface NN47230 100 03 01 Standard 28 July 2008 Copyright 2007 2008 Nortel Networks ...

Page 391: ...rver must be the Nortel SNAS portal Virtual IP address pVIP For the Yellow and Green VLAN scopes enter the IP addresses for the regular DNS servers in your network 9 Repeat step 3 through step 8 for each Red Yellow and Green VLAN in the network Figure 31 After all DHCP scopes have been created page 392 shows the DHCP scopes created for use in this example Nortel Secure Network Access Switch Using ...

Page 392: ... VLANs 2 Assign the VLAN port members Since the edge switches in this example are operating in Layer 2 mode enable 802 1q tagging on the uplink ports to enable them to participate in multiple VLANs then add the ports to the applicable VLANs 3 Create IP interfaces for the VLANs 4 Since the edge switches are operating in Layer 2 mode configure DHCP relay agents for the Red Yellow Green and VoIP VLAN...

Page 393: ... Routing Switch 8300for the Nortel SNAS network perform the following steps 1 Enabling SSH page 393 2 Configuring the Nortel SNAS pVIP subnet page 394 3 Creating port based VLANs page 394 4 Configuring the VoIP VLANs page 394 5 Configuring the Red Yellow and Green VLANs page 394 6 Configuring the NSNA uplink filter page 394 7 Configuring the NSNA ports page 394 8 Enabling NSNA globally page 395 En...

Page 394: ...iguring the NSNA uplink filter Passport 8310 6 config filter acl 100 create ip acl name dhcp Passport 8310 6 config filter acl 100 ace 1 create Passport 8310 6 config filter acl 100 ace 1 action fwd2cpu precedence 1 Passport 8310 6 config filter acl 100 ace 1 ip ipfragment non fragments Passport 8310 6 config filter acl 100 ace 1 protocol udp eq any Passport 8310 6 config filter acl 100 ace 1 port...

Page 395: ... SNAS network perform the following steps 1 Setting the switch IP address page 395 2 Configuring SSH page 395 3 Configuring the Nortel SNAS pVIP subnet page 394 4 Creating port based VLANs page 396 5 Configuring the VoIP VLANs page 396 6 Configuring the Red Yellow and Green VLANs page 396 7 Configuring the login domain controller filters page 396 8 Configuring the NSNA ports page 396 9 Enabling NS...

Page 396: ...a vlan 230 color green filter green Configuring the login domain controller filters ATTENTION This step is optional The PC client must be able to access the login domain controller you configure that is clients using the login domain controller must be able to ping that controller 5510 48T config qos nsna classifier name RED dst ip 10 200 2 12 32 ethertype 0x0800 drop action disable block wins pri...

Page 397: ...ty launches automatically on startup Alteon iSD NSNAS Hardware platform 4050 Software version x x Setup Menu join Join an existing cluster new Initialize host as a new installation boot Boot menu info Information menu exit Exit global command always available Setup new Setup will guide you through the initial configuration Enter port number for the management interface 1 4 1 Enter IP address for t...

Page 398: ...t server no Use restricted teardown restricted action for Nortel Health Agent failure yes Create default tunnel guard user no yes Using restricted action for Nortel Health Agent failure User name nha User password nha Creating client filter nha_passed Creating client filter nha_failed Creating linkset nha_passed Creating linkset nha_failed Creating group nhauser with secure access Creating extende...

Page 399: ...ilter Using existing nha_failed filter Using existing nha_passed linkset Using existing nha_failed linkset Adding test SRS rule srs rule test This rule check for the presence of the file C tunnelguard tg txt Using existing nha_passed filter Use diff to view pending changes and apply to commit NHA group srs srs rule test Group 1 apply Adding the network access devices This example adds the Ethernet...

Page 400: ...d VLAN Id sshkey SSH Key menu reset Reset all the ports on a switch ena Enable switch dis Disable switch delete Remove Switch Error Failed to retrieve host key Switch 1 apply Changes applied successfully Export the Nortel SNAS public SSH key to the Ethernet Routing Switch 8300 Switch 1 sshkey export Import the public SSH key from the switch SSH Key import Adding the Ethernet Routing Switch 5510 Us...

Page 401: ... be used exclusively by Switch 1 whereas the VLAN IDs for the VLANs defined on the Ethernet Routing Switch 5510 Switch 2 may be used by other edge switches added to the domain in future Therefore the VLAN mappings for Switch 1 are made at the switch level command while the VLAN mappings for Switch 2 are made at the domain level Main cfg doamin switch 1 vlan add yellow 120 Switch Vlan add green 130...

Page 403: ...ding page 407 A user password is lost page 408 A user fails to connect to the Nortel SNAS domain page 409 Cannot connect to the Nortel SNAS using Telnet or SSH Verify the current configuration Connect with a console connection and check that Telnet or SSH access to the Nortel SNAS is enabled By default remote connections to the Nortel SNAS are disabled for security reasons Enter the command cfg sy...

Page 404: ...sts have been added to the Access List Enter the command cfg sys accesslist list to view the current Access List Main cfg sys accesslist list 1 192 168 128 78 255 255 255 0 When Telnet or SSH access is enabled only those hosts listed in the Access List are allowed to access the Nortel SNAS over the network If no hosts have been added to the Access List this means that any host is allowed to access...

Page 405: ...o solve the problem contact Nortel for technical support See How to get help page 21 Cannot add the Nortel SNAS to a cluster When you try to add a Nortel SNAS device to a cluster by selecting join in the Setup menu you may receive an error message stating that the system is running an incompatible software version The incompatible software version referred to in the error message is the software t...

Page 406: ... there are existing entries in the Access List When Telnet or SSH access is enabled only those hosts listed in the Access List are allowed to access the Nortel SNAS over the network If no hosts have been added to the Access List this means that any host is allowed to access the Nortel SNAS over the network assuming that Telnet or SSH access is enabled If the Access List contains entries add the In...

Page 407: ...chine on Log on as the Administrator user when the logon prompt appears and check the operational status again Console connection If you are connected to a particular Nortel SNAS device through a console connection and the device stops responding press the key combination Ctrl then press Enter This takes you back to the login prompt Log on as the Administrator user and check the operational status...

Page 408: ... user and define a new Root user password Only the Administrator user can change the Root user password For more information see Changing another users password page 224 Boot user password The default Boot user password cannot be changed and can therefore never really be lost If you have forgotten the Boot user password see Accessing the Nortel SNAS cluster page 381 The reason the Boot user passwo...

Page 409: ...starttrace command the tags you can specify for the trace and the available output modes see Performing maintenance page 353 Table 63 Sample output for the trace command page 409 shows sample output for the various tags Table 63 Sample output for the trace command Tag Description Sample output aaa Logs authentication method user name group and profile Maintenance 12 54 08 875111 Trace started 12 5...

Page 410: ...racing press Enter to display the Maintenance menu prompt then enter stoptrace System diagnostics The following are useful diagnostic display commands For more information about the commands use the alphabetical listings in CLI reference page 413 to cross reference to where the commands are described in more detail in this guide Installed certificates To view the currently installed certificates e...

Page 411: ...pleted request sessions and SSL statistics for configured virtual SSL servers To check statistics for the local Ethernet network interface card enter the following command Main info ethernet The screen output provides information about the total number of received and transmitted packets the number of errors when receiving and transmitting packets and the type of error such as dropped packets over...

Page 412: ...configuring a UNIX Syslog daemon see the Syslog manpages under UNIX For information about configuring the Nortel SNAS to use a syslog server see Configuring syslog servers page 279 You can also use the maint dumplogs command The command collects system log file information from the Nortel SNAS to which you are connected or optionally all Nortel SNAS devices in the cluster and sends the information...

Page 413: ...IP address and network mask formats page 420 Variables page 420 CLI Main Menu page 421 CLI command reference page 422 Information menu page 422 Statistics menu page 423 Configuration menu page 424 Boot menu page 448 Maintenance menu page 449 Using the CLI CLI commands are grouped into a series of menus and submenus see CLI Main Menu page 421 Each menu contains a list of available commands and a su...

Page 414: ...pply Apply pending configuration changes diff Show any pending configuration changes revert Remove pending configuration changes between apply commands TIP Use revert to restore configuration parameters set after the most recent apply command paste Restores a saved configuration that includes private keys TIP Before you paste the configuration you must provide the password phrase you specified whe...

Page 415: ...ectivity across the network TIP You can specify an IP address or host name in the command To specify host names you must configure the DNS parameters traceroute IPaddr or host name Identify the route used for station to station connectivity across the network TIP You can specify an IP address or host name of the target station in the command To specify host names you must configure the DNS paramet...

Page 416: ...Option Description history Display a numbered list of the 10 most recent commands Repeat the most recent command n Repeat the n th command shown on the history list popd Return to a position in the menu structure that was bookmarked using the pushd command Ctrl p Recall previous command from the history list TIP You can also use the up arrow key You can use this command to regress through the last...

Page 417: ...NTION Pressing Ctrl c does not abort screen output generated by the cur command Press q to abort the extensive screen output that may result from the cur command Ctrl u Clear the entire line Other keys Insert new characters at the cursor position CLI shortcuts You can use the following CLI command shortcuts Command stacking page 417 Command abbreviation page 418 Tab completion page 418 Using a sub...

Page 418: ...b key can be used in the following ways To search for CLI commands or options At the menu prompt type the first character of a command TIP You can use additional characters to refine the search Press Tab A list of commands that begin with the character you selected If only one command matches the character you typed that command on the command line when you press Tab Press ENTER to execute the com...

Page 419: ...255 255 255 0 VLAN tag id 0 Mode failover Primary port 0 Interface Ports 1 Host Port 1 Autonegotiation on If you use the cur command without the sys submenu argument information related to the Configuration menu and all submenus Using slashes and spaces in commands To include a forward slash or a space in a command string place the string containing the slash or space within double quotation marks...

Page 420: ...n also be expressed as 8 255 255 0 0 it can also be expressed as 16 255 255 255 0 it can also be expressed as 24 255 255 255 255 it can also be expressed as 32 Variables You can use variables in some commands and features in the Nortel SNAS software TIP Variables included in links are URL encoded Variables included in static texts are not URL encoded Table 66 Variables page 420 describes variables...

Page 421: ...FailureReason Expands to the Nortel Health Agent rule expression and the Nortel Health Agent rule comment specified for the current SRS rule when a Nortel Health Agent check has failed var nhaFailureDetail Expands to the software definition comment specified for the current SRS rule including additional failure details when a Nortel Health Agent check has failed Operator defined variables Custom v...

Page 422: ...or rebooting Nortel SNAS devices The Boot menu is accessible only when logged on as Administrator For the Boot menu commands see Boot menu page 448 Maintenance used for sending technical support information to an external file server For the Maintenance menu commands see Maintenance menu page 449 Information menu The Information menu contains commands used to display current information about the ...

Page 423: ...rnet ports info events alarms download protocol server filename View active alarms info logs list download protocol server filename View and download log files Statistics menu The Statistics menu contains commands used to view statistics for the Nortel SNAS cluster and individual hosts Table 68 Statistics menu commands page 424 lists the Statistics commands in alphabetical order Nortel Secure Netw...

Page 424: ...tains commands used to configure the Nortel SNAS Table 69 Configuration menu commands page 424 lists the configuration commands in alphabetical order Table 69 Configuration menu commands Command Parameters Submenus Purpose cfg cert cert ID name string cert key revoke gensigned request sign test import protocol server certfile export display encrypt private key yes no export pass phrase reconfirm e...

Page 425: ...nu cfg cert cert ID revoke auto matic url url authDN LDAP Distinguis hed Name passwd password interval time cacerts ena enabled disabled dis enabled disabled Access the Automatic CRL menu cfg domain domain ID name name pvips IPaddr aaa location patchlink server portal linkset Configure the domain Nortel Secure Network Access Switch Using the Command Line Interface NN47230 100 03 01 Standard 28 Jul...

Page 426: ...ame display radius ldap ntlm sitemi nder cleartrust cert r sa local adv del Create and configure an authentication method cfg domain aaa auth auth ID adv groupauth auth IDs Configure the current authent ication scheme to retrieve user group information from a different authentication scheme Nortel Secure Network Access Switch Using the Command Line Interface NN47230 100 03 01 Standard 28 July 2008...

Page 427: ...apscert enauserpre true false enacutdoma enashortgrp enable short group format auth ID groupsearc timeout interval activedire adv Modify settings for the specific LDAP configuration cfg domain aaa auth auth ID ldap activedire enaexpired true false expiredgro group exppasgrou group name recursivem true false Manage clients whose passwords have expired or who need to change their passwords Nortel Se...

Page 428: ... ip port move index number new index number Manage the LDAP servers used for client authentication in the domain cfg domain aaa auth auth ID ldap groupsearc groupbase distinguishe d name memberattr string ena enabled disabled dis enabled disabled cfg domain aaa auth auth ID ldap adv enaxfilter true false xfilteratt string xfilterval string cfg domain aaa auth auth ID for local portal database Crea...

Page 429: ...aaa auth auth ID for local MAC database add MAC address user name IP type dhcp static device type PC phone passive IP address switch IP address switch unit switch port group names comments del MAC address list show mac import protocol host filename export protocol host filename clear Manage the local MAC database cfg domain aaa auth auth ID for RADIUS Configure the domain to use an external RADIUS...

Page 430: ...cret move index number new index number Manage the RADIUS servers used for client authentication in the domain cfg domain aaa auth auth ID radius sessiontim vendorid vendor ID vendortype vendor type ena bool dis bool Configure the Nortel SNAS for session timeout cfg domain aaa authorder auth ID auth ID Specify the authentication fallback order cfg domain aaa defgroup group name Create a default gr...

Page 431: ... cfg domain aaa group group ID name name locations radattr restrict sessionttl linkset extend profile ID srs SRS rule name mactrust blacklist bypass none agentmode runonce continuous never macreg true false reguser enftype filter_only vlan_filter cachepass admrights user passwd action reset syscredent comment comment del Configure groups on the domain Nortel Secure Network Access Switch Using the ...

Page 432: ... predefined linksets to an extended profile cfg domain aaa group linkset list name del index number add name insert position name move index number new index number Map predefined Linksets to a group cfg domain aaa group radattr list vendor id value del index number add vendor id value insert position vendor id value move index number new index number Map predefined RADIUS attributes to a group No...

Page 433: ...ass Usage cachepass true false cfg domain aaa radacct servers domainattr ena dis Configure the Nortel SNAS to support RADIUS accounting cfg domain aaa radacct serve rs list ip port secret del index number add ip port secret insert position ip port secret move index number value new index number value Configure the Nortel SNAS to use external RADIUS accounting servers Nortel Secure Network Access S...

Page 434: ...n restric ted list details on off custscript on off persistoob on off loglevel fatal error warning info debug Configure settings for the Nortel Health Agent host integrity check and the check result cfg domain aaa nha quick Configure settings for the SRS rule check using the Nortel Health Agent quick setup wizard cfg domain adv interface integer log all login http portal reject Map a backend inter...

Page 435: ...netmask phone relaygreen vlan red ranges std opts vendopts yellow ranges stdopts vendo pts green ranges st dopts vendopts ena dis del filter type name address netmask known unknown ena dis del standard type name address netmask settings ena dis del name address netmask stdopts Enter the standard options menu vendopts Enter the standard options menu number name value del quick Configure local DHCP ...

Page 436: ... cfg domain dnscapt exclude ena dis Configure the Nortel SNAS portal as a captive portal cfg domain dnscapt exclude list del index name add domain name insert index number domain name move index number new index number Create and manage the Exclude List cfg domain httpredir port integer redir on off Configure the domain to automatically redirect HTTP requests to the HTTPS server specified for the ...

Page 437: ...external quick Launch the wizard to configure settings for a link to an external web page cfg domain portal import protocol server filename restore banner redirect URL logintext text iconmode clean fancy linktext text linkurl on off linkcols columns linkwidth width companynam string colors content lang ieclear on off Modify the look and feel of the portal page that in the client s web browser Nort...

Page 438: ...the portal cfg domain portal lang setlang lang charset list prefix beconv Set the preferred language for the portal display cfg domain portal lang beconv add protocol smb ftp host del number list Configures the backend conversion cfg domain quick Launch the quick switch setup wizard to add network access devices to the domain cfg domain server port port interface interface ID dnsname name trace ss...

Page 439: ...ate index list protocol ssl2 ssl3 ssl2 3 tls1 verify none optional re quired ciphers cipher list ena dis Configure SSL spe cific settings for the portal server cfg domain server trace ssldump tcpdump ping host dnslookup host traceroute host Verify connectivity and capture information about SSL and TCP traffic between clients and the portal server cfg domain sshkey generate show export protocol hos...

Page 440: ...main switch ena Restart communic ation between the Nortel SNAS and a network access devices cfg domain switch hlthchk interval seconds deadcnt count sq int seconds Configure the interval and dead count parameters for the Nortel SNAS health checks and status quo mode cfg domain switch sshkey import add del show export user user Retrieve the public key for the network access devices and export the p...

Page 441: ...n cfg lang import protocol server filename code export protocol server filename list vlist letter del code Manage the language definition files in the system cfg ptcfg protocol host filename Save the system configuration to a file on a file exchange server cfg quick Create a domain using the Nortel SNAS quick setup wizard cfg sys mip IPaddr host host ID routes time dns rsa server ID syslog accessl...

Page 442: ...st yes no Configure administrative settings for the system cfg sys adm audit servers vendorid vendorid vendortype vendortype ena dis Configure the Nortel SNAS to support RADIUS auditing cfg sys adm audit servers list ip port secret del index add ip port secret insert position ip port secret move index number value new index number value Configure the Nortel SNAS to use external RADIUS audit server...

Page 443: ...r value new index number value Configure the Nortel SNAS to use external RADIUS servers to authenticate system users cfg sys adm abl users list add delete host list add delete user_atmpt attempts ti meperiod host_atmpt attempts ti meperiod user_perge time period integer hd host_perge time period integer hd show clear ena true false dis true false Configure the Nortel SNAS to support auto blacklist...

Page 444: ...https port integer ena true false dis true false Configure the Nortel SNAS to support https settings cfg sys adm snmp Configure SNMP for the Nortel SNAS network cfg sys adm snmp ena true false dis true false versions v1 v2c v3 snmpv2 mib community users id target nr event Configure SNMP management of the Nortel SNAS cluster cfg sys adm snmp community read name write name trap name Configure the co...

Page 445: ...t version v1 v2c v3 del Configure notification targets cfg sys adm snmp users user ID name name seclevel none auth priv permission get set trap authproto md5 sha authpasswd password privproto des aes privpasswd password del Manage SNMPv3 users in the Nortel SNAS configuration cfg sys adm srsadmin port port ena dis Configure support for managing the SRS rules cfg sys adm sshkeys generate show known...

Page 446: ...er Configure the cluster to use external DNS servers cfg sys host interface ports list del port add port View and manage the ports assigned to an interface cfg sys host interface routes list del index number add IPaddr mask gateway Manage static routes for a particular interface cfg sys host interface interface ID ip IPaddr netmask mask gateway IPaddr routes vlanid tag mode failover trunking ports...

Page 447: ...routes interface interface number port nr ports hwplatform halt confirm reboot confirm delete Configure basic TCP IP properties for a particular Nortel SNAS device in the cluster cfg sys routes Manage static routes on a cluster wide level when more than one interface is configured cfg sys rsa rsaname name import protocol host filename rmnodesecr del Configure the symbolic name for the RSA server a...

Page 448: ...ame caphrase Change the password for the currently logged on user and add or delete user accounts cfg sys user edit username groups cur Set or change the login password for a specified user and view and manage group assignments cfg sys user edit username g roups list del group index add admin oper certadmi n Set or change a user s group assignment Boot menu The Boot menu contains commands for mana...

Page 449: ...idual Nortel SNAS devices Table 71 Maintenance menu commands page 449 lists the Maintenance commands Table 71 Maintenance menu commands Command Parameters Submenus Purpose maint log dumplogs protocol host filename all isds dumpstats protocol host filename all isds chkcfg list chkcfg all isds one isds item syslog starttrace tags all aa a dhcp dns ssl tg snas patchlink radius nap domain ID stoptrace...

Page 451: ... type page 451 Syslog messages in alphabetical order page 465 Syslog messages by message type The following types of messages occur operating system OS see Operating system OS messages page 452 system control see System Control Process messages page 453 traffic processing see Traffic Processing Subsystem messages page 457 start up see Start up messages page 461 AAA see AAA subsystem messages page ...

Page 452: ... order to recover Config filesystem corrupt beyond repair EMERG The system cannot boot but stops with a single user prompt Reinstall in order to recover Failed to write to config filesystem EMERG Probable hardware error Reinstall Table 73 Operating system messages CRITICAL page 452 lists the operating system CRITICAL messages Table 73 Operating system messages CRITICAL Message Category Explanation...

Page 453: ...S version ERROR Happens after Config filesystem re initialized reinstall required or Config filesystem restored from backup if software upgrade is in progress in other words if failure at first boot on new OS version System Control Process messages There are three categories of System Control Process messages INFO see Table 75 System control process messages INFO page 454 ALARM see Table 77 System...

Page 454: ...ITICAL MINOR ERROR WARNING WARNING ERROR Alarms are formatted according to the following pattern Id alarm sequence number Severity severity Name name of alarm Time date and time of the alarm Sender sender e g system or the Nortel SNAS device s IP address Cause cause of the alarm Extra additional information about the alarm When an alarm is cleared one of the following messages is sent Alarm Cleare...

Page 455: ...are_release_failed Sender IP Cause copy_failed bad_release _package no_release_package unpack_failed Extra Detailed info Severity critical ALARM A Nortel SNAS failed to install a software release while trying to install the same version as all other Nortel SNAS devices in the cluster The failing Nortel SNAS tries to catch up with the other cluster members because it was not up and running when the...

Page 456: ...n software status is Status unpacked installed permanent Name software_release_copying Sender IP Extra copy software release VSN from other cluster member EVENT Indicates that IP is copying the release VSN from another cluster member Name software_release_rebooting Sender IP Extra reboot with release version VSN EVENT Indicates that a Nortel SNAS IP is rebooting on a new release in other words a N...

Page 457: ...fic Processing messages ERROR page 457 lists the Traffic Processing ERROR messages Table 80 Traffic Processing messages ERROR Message Category Explanation Action internal error no ERROR An internal error occurred Contact support with as much information as possible to reproduce this message javascript error reason for host path ERROR JavaScript parsing error encountered when parsing content from h...

Page 458: ...ath ERROR A problem was encountered when parsing the HTTP traffic The problem indicates either a non standard client server or that the Nortel SNAS HTTP parser is out of sync because of an earlier non standard transaction from the client or server on this TCP stream http header warning cli reason header ERROR The client sent a bad HTTP header http header warning srv reason header ERROR The server ...

Page 459: ...R Problem encountered when trying to set up virtual server on ip port Ignoring DNS packet was not from any of the defined names server ip port ERROR Nortel SNAS received reply for non configured DNS server Table 81 Traffic Processing messages WARNING page 459 lists the Traffic Processing WARNING messages Table 81 Traffic Processing messages WARNING Message Category Explanation Action DNS alarm all...

Page 460: ...ason INFO Problem encountered when processing compressed content gzip warning reason INFO Problem encountered when processing compressed content accept turned off nr too many fds INFO The Nortel SNAS has temporarily stopped accepting new connections This happens when the Nortel SNAS is overloaded The Nortel SNAS will start accepting connections once it has finished processing its current sessions ...

Page 461: ...ize per server that use clicerts INFO Generated if the size of the SSL session cache has been modified No TPS license limit INFO Unlimited TPS license used Found size meg of phys mem INFO Amount of physical memory found on system AAA subsystem messages There are two categories of Authentication Authorization and Accounting AAA subsystem messages ERROR see Table 84 AAA messages ERROR page 461 INFO ...

Page 462: ...NAS and the destination address inner tunnel NSNAS AddressAssigned Domain id Method ssl SrcIp ip User user TunIP inner tunnel ip INFO Source IP address for the connection between the Nortel SNAS and the destination address inner tunnel has been allocated NSNAS LoginFailed Domain id Method ssl SrcIp ip User user Error error INFO Logon to the Nortel SNAS domain failed The client s access method IP a...

Page 463: ...ry on the specified file server requested from the portal s Files tab reject SOCKS Rejected Domain id User user SrcIP ip Request request INFO The client failed to perform an operation by using one of the features available under the portal s Advanced tab NSNAS subsystem messages There are two categories of NSNAS subsystem messages ERROR see Table 86 NSNAS ERROR page 463 INFO see Table 87 NSNAS INF...

Page 464: ...hID has been added to Domain 1 switch controller switch 1 switchID Deleted INFO Switch switchID has been deleted from Domain 1 nhauser user username pVIP SRS check failed restrictingSRS SRS rule comment item reason INFO Nortel Health Agent applet report The user with user name username logged on to the Nortel SNAS portal with portal Virtual IP address pVIP has failed the SRS rule check and access ...

Page 465: ...tem Control Sent when a CLI system administrator enters enters exits or updates the CLI if audit logging is enabled using the cfg sys adm audit ena command Bad CN supplied in server cert subject INFO Traffic Processing Malformed CN found in subject of the certificate supplied by the backend server Bad IP PORT data line in hc script ERROR Traffic Processing Bad ip port found in health check script ...

Page 466: ...nt configuration changes Connect failed reason ERROR Traffic Processing Connect to backend server failed with reason copy_software_release_failed ALARM CRITICAL System Control A Nortel SNAS failed to install a software release while trying to install the same version as all other Nortel SNAS devices in the cluster The failing Nortel SNAS tries to catch up with the other cluster members as it was n...

Page 467: ...e header from the backend web server Failed to syslog traffic reason disabling traf log ERROR Traffic Processing Problem occurred when the Nortel SNAS tried to send traffic logging syslog messages Traffic syslogging was disabled as a result Failed to write to config filesystem EMERG OS Probable hardware error Reinstall Found size meg of phys mem INFO Start up Amount of physical memory found on sys...

Page 468: ...st path INFO AAA The user failed to access the specified web server requested from the Portal HTTP Domain id Host ho st User user SrcIP ip Request method host path INFO AAA The user has successfully accessed the specified web server requested from the Portal Ignoring DNS packet was not from any of the defined namesserver ip port ERROR Traffic Processing Nortel SNAS received reply for non configure...

Page 469: ... Portal license ALARM WARNING System Control One or several Nortel SNAS devices in the cluster do not have the same SSL Nortel SNAS license with reference to number of concurrent users license ALARM WARNING System Control The demo license loaded to the local Nortel SNAS expires within 7 days Check loaded licenses using the cfg sys cur command license_expired EVENT System Control Indicates that the...

Page 470: ...er No CN supplied in server cert subject INFO Traffic Processing No CN found in the subject of the certificate supplied by the backend server No more than nr backend supported INFO Start up Generated when more than the maximum allowed backend servers have been configured No PortalGuard license loaded Domain id will use portal authentication WARNING Traffic Processing The PortalGuard license has no...

Page 471: ...p User user INFO AAA Client has logged out from the Nortel SNAS domain partitioned_network EVENT System Control Sent to indicate that a Nortel SNAS is recovering from a partitioned network situation PORTAL Rejected Domain id User user Proto proto Host host Share share Path path INFO AAA The remote user failed to access the specified folder directory on the specified file server requested from the ...

Page 472: ...pecific interface is configured to be used by the server but this interface is not configured on the Nortel SNAS Set CSWIFT as default INFO Start up Using CSWIFT SSL hardware acceleration Since we use clicerts force adjust totalcache size to size per server that use clicerts INFO Start up Generated if the size of the SSL session cache has been modified single_master ALARM WARNING System Control On...

Page 473: ... Nortel SNAS with the IP host IP address switch controller switch 1 switchID Added INFO NSNAS Switch switchID has been added to Domain 1 switch controller switch 1 switchID Deleted INFO NSNAS Switch switchID has been deleted from Domain 1 switch controller switch 1 switchID Disconnected INFO NSNAS Switch switchID of Domain 1 has disconnected from the NSNAS switch controller switch 1 switchID Modif...

Page 474: ... and the reason for example file not found nhauser user username p VIP SRS checks ok open session INFO NSNAS Nortel Health Agent applet report The user with user name username logged on to the Nortel SNAS portal with portal Virtual IP address pVIP has passed the SRS rule check and is authorized to start a session in a Green VLAN Unable to find client private key for server ERROR Traffic Processing...

Page 475: ...ontent from host path This could be a problem in the Nortel SNAS VBScript parser but most likely a syntactical error in the VBScript on that page www_authenticate bad credentials ERROR Traffic Processing The browser sent a malformed WWW Authenticate credentials header Most likely a broken client Nortel Secure Network Access Switch Using the Command Line Interface NN47230 100 03 01 Standard 28 July...

Page 477: ... the tar gz file for the Nortel SNAS MIBs 4 Unzip the tar file in order to access the file ALTEON SAC CA P mib ALTEON SAC CAP mib contains an AGENT CAPABILITIES statement which formally specifies which MIBs are implemented End For information about configuring the SNMP agent in a cluster see Configuring SNMP page 323 Supported MIBs The following MIBs are supported by the Nortel SNAS ALTEON ISD PLA...

Page 478: ...MIB 5 ETH MULTISEG TOPOLOGY MIB Table 89 Supported MIBs page 478 provides more information about some of the MIBs supported by the Nortel SNAS Table 89 Supported MIBs MIB Description ALTEON ISD PLATFORM MIB Contains the following groups and objects isdClusterGroup isdResourceGroup isdAlarmGroup isdBasicNotificatioObjectsGroup isdEventNotificationGroup isdAlarmNotificationGroup Nortel Secure Networ...

Page 479: ...ismanEventTriggerGroup dismanEventObjectsGroup dismanEventEventGroup dismanEventNotificationObjectGroup ENTITY MIB The following groups are implemented entityPhysicalGroup entityPhysical2Group entityGeneralGroup entityNotificationsGroup Write access to snmpTargetParamsTable is turned off in VACM IF MIB The following groups are implemented ifPacketGroup ifStackGroup Limitations The agent does not i...

Page 480: ...d snmpMPDGroup SNMP NOTIFICATION MIB The following group is implemented snmpNotifyGroup Write access to all objects in this MIB is turned off in VACM SNMP TARGET MIB The SNMP TARGET MIB contains information about where to send traps You can configure and view trap information from the CLI using the cfg sys adm snmp target command see Configuring SNMP notification targets page 331 The following gro...

Page 481: ...in VACM Supported traps Table 90 Supported traps page 481 describes the traps supported by the Nortel SNAS Table 90 Supported traps Trap Name Description authenticationFailure Sent when the SNMP agent receives an SNMP message which is not properly authenticated This trap is disabled by default To enable the trap through SNMP set snmpEn ableAuthenTraps to enabled or use the CLI command cfg sys adm ...

Page 482: ...IP has migrated to another Nortel SNAS isdSingleMaster Signifies that only one master Nortel SNAS in the cluster is up and operational Only having one master in a cluster means that the fault tolerance level is severely degraded if the last master fails the system cannot be reconfigured linkDown Sent when the agent detects that one of the links interfaces has gone down Defined in IF MIB linkUp Sen...

Page 483: ...3 SHA SSLv3 DH RSA 3DES 168 SHA1 DES CBC3 SHA SSLv3 RSA RSA 3DES 168 SHA1 DES CBC3 MD5 SSLv2 RSA RSA 3DES 168 MD5 DHE RSA AES128 SHA SSLv3 DH RSA AES 128 SHA1 AES128 SHA SSLv3 RSA RSA AES 128 SHA1 RC4 SHA SSLv3 RSA RSA RC4 128 SHA1 RC4 MD5 SSLv3 RSA RSA RC4 128 MD5 RC2 CBC MD5 SSLv2 RSA RSA RC2 128 MD5 RC4 MD5 SSLv2 RSA RSA RC4 128 MD5 RC4 64 MD5 SSLv2 RSA RSA RC4 64 MD5 EXP1024 RC4 SHA SSLv3 RSA ...

Page 484: ...CBC MD5 SSLv3 RSA 512 RSA RC2 40 MD5 EXPO RT EXP RC4 MD5 SSLv3 RSA 512 RSA RC4 40 MD5 EXPO RT EXP RC2 CBC MD5 SSLv2 RSA 512 RSA RC2 40 MD5 EXPO RT EXP RC4 MD5 SSLv2 RSA 512 RSA RC4 40 MD5 EXPO RT ADH AES256 SHA SSLv3 DH NONE AES 256 SHA1 ADH DES CBC3 SHA SSLv3 DH NONE 3DES 168 SHA1 ADH AES128 SHA SSLv3 DH NONE AES 128 SHA1 ADH RC4 MD5 SSLv3 DH None RC4 128 MD5 ADH DES CBC SHA SSLv3 DH NONE DES 56 ...

Page 485: ...rs group Install All Administrative Tools Windows 2000 Server Step Action 1 Open the Control Panel and double click Add Remove Programs 2 Select Windows 2000 Administrative Tools and click Change 3 Click Next and select Install All Administrative Tools 4 Follow the instructions on how to proceed with the installation End Register the Schema Management dll Windows Server 2003 Step Action 1 Click St...

Page 486: ...ck Start and select Run 2 On Windows 2000 Server enter mmc in the Open field On Windows Server 2003 enter mmc a instead Note that there is a space between mmc and a 3 Click OK The Console window 4 On the File Console menu select Add Remove Snap in The Add Remove Snap in window Nortel Secure Network Access Switch Using the Command Line Interface NN47230 100 03 01 Standard 28 July 2008 Copyright 200...

Page 487: ...ick Add Active Directory Schema is added to the Add Remove Snap in window 7 Click Closeto close the Add Standalone Snap in window 8 Click OK The Console window appears Nortel Secure Network Access Switch Using the Command Line Interface NN47230 100 03 01 Standard 28 July 2008 Copyright 2007 2008 Nortel Networks ...

Page 488: ...rd appears 4 In the Type the location of the item field type schmmgmt msc 5 Click Next The Select a Title for the Program page appears 6 In the Type a name for this shortcut field type Active Directory Schema 7 Click Finish End Permit write operations to the schema Windows 2000 Server To allow a domain controller to write to the schema you must set a registry entry that permits schema updates Step...

Page 489: ...Right click Attributes point to New and select Attribute You receive a warning that creating schema objects is a permanent operation and cannot be undone 3 Click Continue The Create New Attribute window appears 4 Create the isdUserPrefs attribute as shown below 5 Click OK End Create the new class To create the nortelSSLOffload class proceed as follows Nortel Secure Network Access Switch Using the ...

Page 490: ...eate the nortelSSLOffload class as shown below 4 Click OK End Add isdUserPrefs attribute to nortelSSLOffload class Step Action 1 In the Console window on the left pane expand Classes 2 Select the nortelSSLOffload class 3 Right click and select Properties The Properties window appears 4 Select the Attributes tab and click Add 5 Add the isdUserPrefs attribute as optional Nortel Secure Network Access...

Page 491: ... In the Console window on the left pane expand Classes and select user 2 Right click and select Properties The Properties window is displayed 3 Select the Relationship tab 4 Next to Auxiliary Classes click Add Class Add 5 Add the nortelSSLOffload class as an auxiliary class as shown below Nortel Secure Network Access Switch Using the Command Line Interface NN47230 100 03 01 Standard 28 July 2008 C...

Page 492: ... cfg domain aaa auth ldap enauserpre or the BBI setting User Preferences under VPN Gateways Authentication Auth Servers LDAP Modify the remote user should now be able to store user preferences in Active Directory End Nortel Secure Network Access Switch Using the Command Line Interface NN47230 100 03 01 Standard 28 July 2008 Copyright 2007 2008 Nortel Networks ...

Page 493: ...required to take advantage of the Auto VLAN Discovery feature This appendix is not intended to be a primer on how to set up a DHCP server The reader is assumed to have a working knowledge of Windows 2000 Server DHCP servers The appendix also does not describe the process used by the IP Phone to interact with the DHCP server or to boot itself into the Phone VLAN ATTENTION It is assumed that the nec...

Page 494: ...Server Information VLAN Information for auto discovery of the IP Phone VLAN ID 2 Configure the DHCP options see Configuring the Call Server Information and VLAN Information options page 497 Repeat this step for the data or boot VLAN and the Phone VLAN 3 Set up the IP Phone see Setting up the IP Phone page 500 End Creating the DHCP options Step Action 1 On the Windows 2000 Server Start menu select ...

Page 495: ...that particular server are listed below the server name and IP address 3 From the DHCP Management Console toolbar select Action Set Predefined Options The Predefined Options and Values dialog box opens see Figure 34 The Predefined Options and Values dialog box page 496 Nortel Secure Network Access Switch Using the Command Line Interface NN47230 100 03 01 Standard 28 July 2008 Copyright 2007 2008 N...

Page 496: ...on a In the Option Type dialog box enter the required information see Table 92 Option Type dialog box field values for Call Server Information page 496 Table 92 Option Type dialog box field values for Call Server Information Field Value Name Call Server Information Data type String Code 128 Call Server configuration Description Comments Optional Nortel Secure Network Access Switch Using the Comman...

Page 497: ...eturn to the DCHP Management Console End Configuring the Call Server Information and VLAN Information options For the Auto VLAN Discovery feature you must configure the options for both the data or boot VLAN and the Phone VLAN Configure the option for the data or boot VLAN first then repeat the steps to configure the option for the Phone VLAN To configure the options perform the following steps St...

Page 498: ...el IP Phone 2002 IP Phone 2004 and IP Phone 2007 use the same signature Therefore the string value for Call Server Information is the same for all these IP Phones Table 94 Call Server Information string parameter values page 498 describes the parameters Table 94 Call Server Information string parameter values Parameter Description A The hardware revision of the IP Phone iii iii iii iii The IP Addr...

Page 499: ...lly each time the option is added to a scope c Click Apply 5 Configure VLAN Information a In the Scope Options dialog box see Figure 36 The Scope Options dialog box page 498 select 191 VLAN Information b In the String value field enter the following string VLAN A vvvv Table 95 VLAN ID Information string parameter values page 499 describes the parameters Table 95 VLAN ID Information string paramete...

Page 500: ...one In order for the IP Phone to take advantage of the DHCP auto configuratio n features set the IP Phone up as follows Step Action 1 Set the DHCP Option on the IP Phone to 1 to use DHCP 2 Select 0 to set the phone to use FULL DHCP 3 Select 2 for Automatic to set the phone to learn its VLAN ID from the DHCP server End Nortel Secure Network Access Switch Using the Command Line Interface NN47230 100...

Page 501: ...es the end user s browser every time the user logs on regardless of connection method It is beyond the scope of this document to show additional examples of scripts that accommodate different modes of connecting to a Nortel SNAS port Configuring the logon script To configure the logon script to automatically launch an end user s browser perform the following steps Step Action 1 Create the logon sc...

Page 502: ...n controller to automatically launch an end user s browser choose one of the following Creating the script as a batch file page 502 Creating the script as a VBScript file page 503 Creating the script as a batch file Step Action 1 Using Windows open a plain text editor such as Notepad 2 Compose the script using the following sample format explorer exe https 10 10 10 1 where 10 10 10 1 is the portal...

Page 503: ...es the steps Step Action 1 Click Start Administrative Tools Active Directory Users and Computers 2 Right click the domain to which you want to add the script and select Properties 3 On the Group Policy tab click Open 4 Double click Default Domain Policy 5 Right click the Default Domain Policy and select Edit 6 Expand User Configuration Windows Settings and select Scripts Logon Logoff 7 In the righ...

Page 504: ...logon script to launch the Nortel SNAS portal Figure 37 Assigning a logon script End Nortel Secure Network Access Switch Using the Command Line Interface NN47230 100 03 01 Standard 28 July 2008 Copyright 2007 2008 Nortel Networks ...

Page 505: ...utions in binary form must reproduce the above copyright notice this list of conditions and the following disclaimer in the documentation and or other materials provided with the distribution 3 All advertising materials mentioning features or use of this software must display the following acknowledgment This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit...

Page 506: ...n by Eric Young eay cryptsoft com The implementation was written so as to conform with Netscape SSL This library is free for commercial and non commercial use as long as the following conditions are adhered to The following conditions apply to all code found in this distribution be it the RC4 RSA lhash DES etc code not just the SSL code The SSL documentation included with this distribution is cove...

Page 507: ... DAMAGES INCLUDING BUT NOT LIMITED TO PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES LOSS OF USE DATA OR PROFITS OR BUSINESS INTERRUPTION HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY WHETHER IN CONTRACT STRICT LIABILITY OR TORT INCLUDING NEGLIGENCE OR OTHERWISE ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE The licence and distribution terms for ...

Page 508: ...er to this License and to the absence of any warranty and give any other recipients of the Program a copy of this License along with the Program You may charge a fee for the physical act of transferring a copy and you may at your option offer warranty protection in exchange for a fee 2 You may modify your copy or copies of the Program or any portion of it thus forming a work based on the Program a...

Page 509: ...er work under the scope of this License 3 You may copy and distribute the Program or a work based on it under Section 2 in object code or executable form under the terms of Sections 1 and 2 above provided that you also do one of the following a Accompany it with the complete corresponding machine readable source code which must be distributed under the terms of Sections 1 and 2 above on a medium c...

Page 510: ...se Therefore by modifying or distributing the Program or any work based on the Program you indicate your acceptance of this License to do so and all its terms and conditions for copying distributing or modifying the Program or works based on it 6 Each time you redistribute the Program or any work based on the Program the recipient automatically receives a license from the original licensor to copy...

Page 511: ...in or among countries not thus excluded In such case this License incorporates the limitation as if written in the body of this License 9 The Free Software Foundation may publish revised and or new versions of the General Public License from time to time Such new versions will be similar in spirit to the present version but may differ in detail to address new problems or concerns Each version is g...

Page 512: ...YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES END OF TERMS AND CONDITIONS Apache Software License Version 1 1 Copyright c 2000 The Apache Software Foundation All rights reserved Redistribution and use in source and binary forms with or without modification are permitted prov...

Page 513: ... USE OF THIS SOFTWARE EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE This software consists of voluntary contributions made by many individuals on behalf of the Apache Software Foundation For more information on the Apache Software Foundation please see http www apache org Portions of this software are based upon public domain software originally written at the National Center for Supercomputin...

Page 514: ... NONINFRINGEMENT IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM DAMAGES OR OTHER LIABILITY WHETHER IN AN ACTION OF CONTRACT TORT OR OTHERWISE ARISING FROM OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE Nortel Secure Network Access Switch Using the Command Line Interface NN47230 100 03 01 Standard 28 July 2008 Copyright 2007 2008 N...

Page 515: ...Apache software license 512 ASCII terminal for console connection 378 attribute for user preferences 485 authentication configure 174 in Nortel SNA 31 methods 31 authentication methods create 177 display on portal login page 172 fallback order 209 LDAP 31 Local 31 RADIUS 31 secondary method as backup 180 supported 171 use different authorization method 179 view information 210 authorization method...

Page 516: ...e 416 CLI online help 414 client filter configure 162 create 162 client filters and extended profiles 152 cluster add Nortel SNAS device 50 and Access List 51 benefits 35 create 35 in Nortel SNA 35 IP addresses 42 43 set up first device in new cluster 43 software requirements 51 unable to join 405 color themes on portal page 231 colors on portal page 231 Command Line Interface See CLI 36 command r...

Page 517: ...SR Certificate Signing Request and associated private key 309 generate 305 information required 306 submit 309 cur CLI global command 415 curb CLI global command 415 customer support 21 D default entries in Exclude List 228 portal page appearance 230 default group create 169 in Nortel SNAS domain 150 default settings from quick setup wizard 49 delete domain 89 network access device 64 DHCP service...

Page 518: ...icates and keys 298 G generate SSH keys 70 test certificate 320 global commands CLI cur 415 curb 415 dump 415 exit 414 help 414 lines 416 netstat 415 nslookup 415 paste 414 ping 415 pwd 414 quit 414 traceroute 415 up 414 verbose 416 GNU general public license 507 Green VLAN in Nortel SNAS 29 Group Search Configuration 197 groups and extended profiles 151 configure 153 156 create 156 default group ...

Page 519: ...Filter DHCP subnet type 120 Hub DHCP subnet type 118 leases 122 Standard DHCP subnet type 121 subnet types 115 logging options 109 logon script to launch browser 238 M MAC database local manage 206 macros LDAP 195 used on portal page 235 major release upgrade 368 manage Active Directory passwords 198 certificates 297 certificates and keys 301 LDAP authentication servers 193 LDAP macros 195 local a...

Page 520: ...blic key export 68 Nortel SNAS Secure Network Access Switch 4050 configuration and management tools 36 MIP 42 role in Nortel SNAS 27 nslookup CLI global command 415 NSNA network access device 24 O one armed configuration 36 one armed configuration 35 online help CLI 414 OpenSSL license issues 505 operating system requirements for Nortel SNA 25 Operator user access level 381 P passwords 382 Active ...

Page 521: ... In User Service See RADIUS 31 remote management enable for SSH 54 enable for Telnet 54 remove network access device 64 reorder linksets in group 168 linksets in profile 168 restrict SSH access 380 Telnet access 379 RIP Real IP address 43 Root user access level 381 S save certificates and keys 300 316 configuration 55 script to launch browser at logon 238 Secure Shell SSH enable access 54 enable a...

Page 522: ...t access 380 unable to connect using 403 SSH keys export Nortel SNAS public key 68 generate 70 import network access device public key 69 manage 68 71 reimport network access device public key 72 SSL configure server 97 settings configure 102 trace traffic 99 view configured servers 410 SSLeay license original 506 Standard DHCP subnet type 121 status quo mode domain 94 submit CSR 309 subnet requir...

Page 523: ...bal command 414 update certificates 300 upgrade activate software package 370 handling software versions 369 minor or major release upgrade 368 user access levels 381 Boot user for reinstall 373 categories 381 passwords 382 preferences 485 user requirements for Nortel SNA browsers 25 JRE 25 237 operating systems 25 users supporting additional 26 V variables See macros 195 variables using in CLI 42...

Page 525: ......

Page 526: ...ortel com Sourced in Canada the United States of America and India LEGAL NOTICE While the information in this document is believed to be accurate and reliable except as otherwise expressly agreed to in writing NORTEL PROVIDES THIS DOCUMENT AS IS WITHOUT WARRANTY OR CONDITION OF ANY KIND EITHER EXPRESS OR IMPLIED The information and or products described in this document are subject to change witho...

Search results

Summary of Contents for 425 series

Reviews:

Nortel 425 series, Cli Manual, Page: 48 / 526

Search results

Summary of Contents for 425 series

Reviews: