manualshive.com logo in svg

Avaya ERS 1600, Техническое конфигурационное руководство

Поделиться
Скачать
Avaya ERS 1600 Скачать руководство пользователя страница 39

 

 

Authentication, Authorization and Accounting (AAA) for ERS and ES 

Technical Configuration Guide 

39 

November 2010

 

avaya.com 

3.   

Ethernet Routing Switch 5500, 1600 and 8300  Series all support the Terminal Access Controller Access 
Control System plus () client.  is a security application implemented as a 
client/server-based protocol that provides centralized validation of users attempting to gain access to a 
router or network access server. 

 differs from RADIUS in two important ways: 

 

 is a TCP-based protocol using port 49 

 

 uses full packet encryption, rather than just encrypting the password (RADIUS 
authentication request) 

 
 
 
 
 

 separates authentication, authorization, and accounting services. This means that you can 
selectively implement one or more  services. 

 provides management of users who access the switch through Telnet, serial, and SSH v2 
connections.  supports users only on the CLI. 

Access to the console interface, SNMP, and Web management are disabled when  is enabled. 

The  protocol is a draft standard available at: 

ftp://ietf.org/internetdrafts/ 

draft-grant-tacacs-02 

 

 is not compatible with any previous versions of TACACS.   

3.1  Terminology 

The following terms are used in connection with : 

 

AAA - Authentication, Authorization, Accounting 

o

 

Authentication is the action of determining who a user (or entity) is, before allowing the 
user to access the network and network services. 

o

 

Authorization is the action of determining what an authenticated user is allowed to do. 

o

 

Accounting is the action of recording what a user is doing or has done. 

 

Network Access Server (NAS)

—any client, such as an Ethernet Routing Switch 1600, 5500 and 

8300 Series switches, that makes  authentication and authorization requests, or 
generates  accounting packets. 

 

daemon/server

—a program that services network requests for authentication and authorization, 

verifies identities, grants or denies authorizations, and logs accounting records. 

 

AV pairs

—strings of text in the form "attribute=value" sent between a NAS and a  

daemon as part of the  protocol. 

 

  encrypts  the  entire  body  of  the  packet  and  uses  a  standard   
header 

Содержание ERS 1600

Страница 1: ...for ERS and ES Technical Configuration Guide E M E A IP Core Sales Engineering Document Date November 2010 Document Number NN48500 558 Document Version 1 1 Ethernet Routing Switch 1600 8300 8600 2500...

Страница 2: ...E BY INSTALLING DOWNLOADING OR USING THE SOFTWARE OR AUTHORIZING OTHERS TO DO SO YOU ON BEHALF OF YOURSELF AND THE ENTITY FOR WHOM YOU ARE INSTALLING DOWNLOADING OR USING THE SOFTWARE HEREINAFTER REFE...

Страница 3: ...IUS TACACS on the ERS 1600 8300 8600 2500 4500 5500 and ES 460 470 This document covers some of the more popular Radius TACACS commands and attributes how to configure server and client side It gives...

Страница 4: ...erver Client Log Files 17 2 6 Sniffer Traces on RADIUS Server 32 3 TACACS 39 3 1 Terminology 39 3 2 Feature Operation 40 3 3 Avaya Switches TACACS Support 43 3 4 TACACS Server Configuration Using tac_...

Страница 5: ...lights important information about an action that may result in equipment damage configuration or data loss Text Bold text indicates emphasis Italic text in a Courier New font indicates text the user...

Страница 6: ...he database within the RADIUS server stores information about clients users passwords and access privileges protected with a shared secret RADIUS is a fully open and standard protocol defined by RFCs...

Страница 7: ...g with the challenge response a reply message attribute is sent The reply message is a text string such as Please enter the next number on your SecurID card The maximum length of each reply message at...

Страница 8: ...lling Station Id 32 NAS Identifier 33 Proxy State 34 Login LAT Service 35 Login LAT Node 36 Login LAT Group 37 Framed AppleTalk Link 38 Framed AppleTalk Network 39 Framed AppleTalk Zone 60 CHAP Challe...

Страница 9: ...AS IP address for a session is the address of the switch interface to which the remote session is connected over the network For a console session modem session and sessions running on debug ports thi...

Страница 10: ...Failed UDP frame official port number is 1813 not 1646 conflicts with the sa msg port service 0 8 31 16 Code Identifier Length Response Authenticator Attributes RADIUS Attributes 40 Acct Status Type...

Страница 11: ...twork administrator you can override a user s access to specific CLI commands by configuring the RADIUS server for user authentication You must still give access based on the existing six access level...

Страница 12: ...GT PWR 2 3 2 etc raddb dictionary This file contains the dictionary file for all clients You have to create a specific dictionary file dictionary nortel for user access level and add an include statem...

Страница 13: ...y for 802 1x EAP clients please see eap user shown below as an example which defines VLAN ID 51 and port priority 3 bsro Auth Type Local User Password bsro Service Type NAS Prompt User bsrw Auth Type...

Страница 14: ...adiusd X can be 2 3 or 5 depending on your run level Also check that radiusd is started with y flag You will write details about every authentication request in the radius log file When you modify the...

Страница 15: ...0 Port 1812 Time out 2 Key Radius Accounting is Enabled AcctPort 1813 4548GT PWR config show cli password type Console Switch Password Type None Console Stack Password Type None Telnet WEB Switch Pass...

Страница 16: ...US configuration 8600A 6 show radius info Sub Context clear config dump monitor show test trace wsm asfm sam Current Context acct attribute value 193 acct enable true acct include cli commands true ac...

Страница 17: ...can change the RADIUS source IP address by using the following command 8000A 6 config radius server create ipaddr secret value usedby value port value priority value retry value timeout value enable...

Страница 18: ...ail 20080221 Optional file need to configure etc raddb radiusd conf Thu Feb 21 15 52 09 2008 NAS IP Address 10 10 44 5 Service Type Administrative User User Name bsro Client IP Address 10 10 44 5 Time...

Страница 19: ...4 2008 Auth Login OK bsrw from client 4548GT PWR port 0 Log file on RADIUS server var log radius radacct 10 10 44 5 auth detail 20080221 Optional file need to configure etc raddb radiusd conf Thu Feb...

Страница 20: ...10 10 44 5 auth detail 20080221 Optional file need to configure etc raddb radiusd conf Thu Feb 21 17 17 22 2008 NAS IP Address 10 10 44 5 NAS Port Type Ethernet Service Type Framed User Message Authen...

Страница 21: ...08 NAS IP Address 10 10 44 5 NAS Port Type Ethernet NAS Port 1 User Name eap Acct Session Id 85000001 Acct Status Type Stop Acct Input Octets 11722 Acct Output Octets 7387 Acct Input Packets 100 Acct...

Страница 22: ...lient 8600 port 1 Log file on RADIUS server var log radius radacct 10 10 50 1 auth detail 20080221 Optional file need to configure etc raddb radiusd conf Thu Feb 21 18 08 07 2008 User Name ro NAS IP A...

Страница 23: ...1871 Acct Input Packets 0 Acct Output Packets 94 Cli Commands show date Cli Commands config Cli Commands exit Client IP Address 10 10 50 1 Acct Unique Session Id fae1055b429ca034 Timestamp 1203613769...

Страница 24: ...600A 6 config Sub Context atm atmcard bootconfig cli cluster diag r module ethernet fdb filter ip ipv6 ipx lacp log mlt naap ntp pos poscard qos radius rmon slot slpp snmp server snmp v3 stg sv lan sy...

Страница 25: ...203614656 Thu Feb 21 18 24 28 2008 Acct Status Type Stop Acct Session Id 59e000000014 User Name rwa NAS IP Address 10 10 50 1 Acct Session Time 11 Acct Input Octets 0 Acct Output Octets 549 Acct Input...

Страница 26: ...er Name eap Calling Station Id 00 12 3F 1A 1B 68 EAP Message 0x0201000801656170 Service Type Framed User Client IP Address 10 10 50 1 Timestamp 1203615838 Thu Feb 21 18 43 58 2008 NAS IP Address 10 10...

Страница 27: ...tate of Port 3 46 Recd Respose from supplicant CPU6 02 21 08 18 43 59 EAP INFO Bkend state of Port 3 46 Recd accept from server CPU6 02 21 08 18 43 59 EAP INFO User eap on Port 3 46 is authenticated 2...

Страница 28: ...et using read write user Telnet to ERS 8600 with read write user rwa type some commands 8600A 6 config ip Permission denied 8600A 6 config Sub Context atm atmcard bootconfig cli cluster diag r module...

Страница 29: ...mand Access statement is unique you cannot mix True and False You can have several commands use syntax for first line then use for following lines always add comma at the end of the line except last l...

Страница 30: ...the number of packets octets received for this session If the session continues for a long period then periodically after every hour non configurable an interim accounting message will be sent contai...

Страница 31: ...ctets 11 Acct Output Octets 27 Acct Input Packets 1 Acct Output Packets 1 Client IP Address 10 10 50 1 Acct Unique Session Id d265f560f26b031e Timestamp 1204643453 Tue Mar 4 16 26 23 2008 Acct Status...

Страница 32: ...tive User 6 AVP l 6 t User Name 1 bsro Frame 2 68 bytes on wire 68 bytes captured Ethernet II Src DellComp_38 57 5b 00 06 5b 38 57 5b Dst NortelNe_0f 8e 04 00 04 38 0f 8e 04 Internet Protocol Src 10 1...

Страница 33: ...Src Port 1025 1025 Dst Port radius 1812 Radius Protocol Code Access Request 1 Packet identifier 0x1e 30 Length 102 Authenticator 000000070BE401AA001B25E96800001E Attribute Value Pairs AVP l 6 t NAS I...

Страница 34: ...bytes captured Ethernet II Src DellComp_38 57 5b 00 06 5b 38 57 5b Dst NortelNe_0f 8e 04 00 04 38 0f 8e 04 Internet Protocol Src 10 10 50 40 10 10 50 40 Dst 10 10 44 5 10 10 44 5 User Datagram Protoc...

Страница 35: ...Protocol Src Port 1024 1024 Dst Port radacct 1813 Radius Protocol Code Accounting Request 4 Packet identifier 0xa 10 Length 95 Authenticator 226B10B0F24DC2AAA1CA673E3EC7517C The response to this reque...

Страница 36: ...0 10 50 1 User Datagram Protocol Src Port radius 1812 Dst Port 1366 1366 Radius Protocol Code Access Accept 2 Packet identifier 0xf3 243 Length 32 Authenticator 656E2696110131703FC73E3B059FE5BE This i...

Страница 37: ...5 t User Name 1 rwa AVP l 6 t NAS IP Address 4 10 10 50 1 AVP l 6 t Acct Session Time 46 18 AVP l 6 t Acct Input Octets 42 0 AVP l 6 t Acct Output Octets 43 619 AVP l 6 t Acct Input Packets 47 0 AVP l...

Страница 38: ...captured Ethernet II Src DellComp_38 57 5b 00 06 5b 38 57 5b Dst NortelNe_0f 8e 04 00 04 38 0f 8e 04 Internet Protocol Src 10 10 50 40 10 10 50 40 Dst 10 10 50 1 10 10 50 1 User Datagram Protocol Src...

Страница 39: ...e disabled when TACACS is enabled The TACACS protocol is a draft standard available at ftp ietf org internetdrafts draft grant tacacs 02 TACACS is not compatible with any previous versions of TACACS 3...

Страница 40: ...password dialog and response The authentication session provides username password functionality 0 8 31 16 Version Type Session ID Length Version 0xC0 0xC1 Type 0x01 Authentication 0x02 Authorization...

Страница 41: ...access to a requested command only if the information in the user profile allows it TACACS authorization is not mandatory for all privilege levels When authorization is requested by the NAS the entir...

Страница 42: ...a part of the encryption and it is used by both ends to distinguish between packets belonging to multiple sessions Multiple sessions may be supported simultaneously and or consecutively on a single TC...

Страница 43: ...5510 config level 5 tacacs switch back To support runtime switching of users to a particular privilege level you must preconfigure a dummy user for that level on the daemon The format of the user name...

Страница 44: ...for ERS and ES Technical Configuration Guide 44 November 2010 avaya com The following table shows the scheme used to map the access levels to TACACS privilege levels Access Level ERS 1600 8300 ERS 55...

Страница 45: ...tacacs tac_plus cfg This file contains all configuration parameters for TACACS Tacacs configuration file key Dda Accounting records log file accounting file var log tac_acc log All services are alowe...

Страница 46: ...be 2 3 or 5 depending on your run level Also check that tac_plus is started with d flag you will write details about every request into var log tac_plus log file The values represent bits so they can...

Страница 47: ...plicity and readability we will document command line interface CLI commands assuming the TACACS server IP address is 10 10 50 40 and the client key is Dda for telnet access authentication To configur...

Страница 48: ...onfig monitor show test trace Current Context create IP address Status Key Port Prio Timeout Single Source SourceEnabled 10 10 50 40 NotConn Dda 49 1 10 false 0 0 0 0 The source IP address sent by the...

Страница 49: ...ad Only User Connect to the device with telnet using read only user ro With the ERS 1600 and 8300 you can change the TACACS source IP address by using the following command Config tacacs server create...

Страница 50: ...pends on debug value configured etc rc5 d S99tac_plus Tue Feb 26 14 30 10 2008 16403 verify login access for user ro to port Telnet Session 1 on 10 10 55 6 from 10 10 50 10 Tue Feb 26 14 30 10 2008 16...

Страница 51: ...ser ro found Tue Feb 26 14 30 23 2008 16406 authorize_cmd enable Tue Feb 26 14 30 23 2008 16406 line 93 compare enable permit match Tue Feb 26 14 30 23 2008 16406 enable permitted by line 93 Tue Feb 2...

Страница 52: ...using read only user bsrw Telnet to Switch with read write user bsrw type some commands 5510 level 5 en 5510 level 5 show clock Current SNTP time 2008 02 26 14 35 28 GMT 01 00 Daylight saving time is...

Страница 53: ...08 16436 do_author user bsrw found Tue Feb 26 14 35 12 2008 16436 exec authorization request for bsrw Tue Feb 26 14 35 12 2008 16436 exec is explicitly permitted by line 59 Tue Feb 26 14 35 12 2008 16...

Страница 54: ...exist permitted by default Tue Feb 26 14 35 32 2008 16441 authorization query for bsrw unknown from 10 10 55 6 accepted Tue Feb 26 14 35 45 2008 16442 Start authorization request Tue Feb 26 14 35 45 2...

Страница 55: ...ccess to switch configuration Log file on TACACS server var log tac_acc log NO ENTRY Please note that ERS 1600 and 8300 does not support TACACS accounting Log file on TACACS server var log tac_plus lo...

Страница 56: ...ed 1 args Tue Feb 26 16 49 21 2008 16477 author_svc out_args 0 service shell input copy discarded Tue Feb 26 16 49 21 2008 16477 author_svc out_args 1 cmd input copy discarded Tue Feb 26 16 49 21 2008...

Страница 57: ...elay seconds info load encryption module 3DES DES AES setdate MMddyyyyhhmmss 8300 5 exit Read write user in this example does have access to switch configuration Log file on TACACS server var log tac_...

Страница 58: ...lvl 6 add priv lvl 6 k Tue Feb 26 17 27 24 2008 16485 author_svc added 1 args Tue Feb 26 17 27 24 2008 16485 author_svc out_args 0 service shell input copy discarded Tue Feb 26 17 27 24 2008 16485 aut...

Страница 59: ...Source Destination Protocol Info 4 0 001953 10 10 55 6 10 10 50 40 TACACS Q Authentication Frame 4 115 bytes on wire 115 bytes captured Ethernet II Src NortelNe_0f 8e 04 00 04 38 0f 8e 04 Dst DellCom...

Страница 60: ...57 5b 00 06 5b 38 57 5b Internet Protocol Src 10 10 55 6 10 10 55 6 Dst 10 10 50 40 10 10 50 40 Transmission Control Protocol Src Port 1190 1190 Dst Port 49 49 Seq 50 Ack 29 Len 25 TACACS Major versi...

Страница 61: ...40 10 10 55 6 TCP 49 1191 SYN ACK Seq 0 Ack 1 Win 5792 Len 0 MSS 1460 TSV 3143898088 TSER 3264254 WS 0 No Time Source Destination Protocol Info 15 0 007083 10 10 55 6 10 10 50 40 TCP 1190 49 FIN ACK S...

Страница 62: ...n ID 2408421135 Packet length 5 Encrypted Reply No Time Source Destination Protocol Info 20 0 010148 10 10 50 40 10 10 55 6 TCP 49 1191 FIN ACK Seq 18 Ack 73 Win 5792 Len 0 TSV 3143898088 TSER 3264254...

Страница 63: ...0x00 Encrypted payload Multiple Connections 0 Unencrypted Not set 0 Single Connection Not set Session ID 308467491 Packet length 56 Encrypted Request No Time Source Destination Protocol Info 29 0 0157...

Страница 64: ...Info 36 3 109326 10 10 55 6 10 10 50 40 TCP 1193 49 SYN Seq 0 Len 0 MSS 1460 WS 0 TSV 3264260 TSER 0 No Time Source Destination Protocol Info 37 3 109370 10 10 50 40 10 10 55 6 TCP 49 1193 SYN ACK Seq...

Страница 65: ...tions 0 Unencrypted Not set 0 Single Connection Not set Session ID 845883376 Packet length 6 Encrypted Reply No Time Source Destination Protocol Info 42 3 113047 10 10 50 40 10 10 55 6 TCP 49 1193 FIN...

Страница 66: ...en 86 TACACS Major version TACACS Minor version 0 Type Authorization 2 Sequence number 1 Flags 0x00 Encrypted payload Multiple Connections 0 Unencrypted Not set 0 Single Connection Not set Session ID...

Страница 67: ...TSER 3264277 No Time Source Destination Protocol Info 58 14 996946 10 10 55 6 10 10 50 40 TCP 1195 49 SYN Seq 0 Len 0 MSS 1460 WS 0 TSV 3264284 TSER 0 No Time Source Destination Protocol Info 59 14 9...

Страница 68: ...ctions 0 Unencrypted Not set 0 Single Connection Not set Session ID 3031640525 Packet length 6 Encrypted Reply No Time Source Destination Protocol Info 64 15 000511 10 10 50 40 10 10 55 6 TCP 49 1195...

Страница 69: ...n TACACS Minor version 0 Type Accounting 3 Sequence number 1 Flags 0x00 Encrypted payload Multiple Connections 0 Unencrypted Not set 0 Single Connection Not set Session ID 1349224772 Packet length 93...

Страница 70: ...ACK Seq 106 Ack 18 Win 8192 Len 0 TSV 3264284 TSER 3143899588 No Time Source Destination Protocol Info 77 15 008090 10 10 55 6 10 10 50 40 TCP 1196 49 FIN ACK Seq 106 Ack 18 Win 8192 Len 0 TSV 3264284...

Страница 71: ...Getting product training Ongoing product training is available For more information or to register you can access the Web site at www avaya com support From this Web site you can locate the Training...

Отзывы:

Нет отзывов

Бренды по названию

Популярные бренды

Загрузить еще бренды