Avaya ERS 2400 Скачать руководство пользователя | Manualshive

Страница: 6 / 52

background image

Avaya Inc.

– Proprietary & Confidential.

Use pursuant to the terms of your signed agreement or Avaya policy.

5

avaya.com

1.3 Configuration Examples

Although any Avaya switch as shown in Section 1.1 could be used, for this example, we will use
an ERS5520 for allow for both device authentication with or without policy.

1.4 Biomedical Device Authentication using Identify

Engines Ignition Server and ERS5500

For  this  example,  we  will  demonstrate  how  to  configure  the  Ethernet  Routing  Switch  5500  and
Ignition  Server  to  allow  for  device  authentication  based  on  the  biomedical  manufacturer  vendor
MAC address. This will allow authentication and VLAN separation of manufacturer traffic. All that
is  required  is  the  first  three  digits  of  the  vendor  MAC  address  for  the  Ignition  Server  to
authenticate  the  device  and  then  tell  the  EAP  authenticator  (ERS  5520  in  this  example)  what
VLAN to place the biomedical device in (we will use Philips and Siemens for this example).

The Ethernet Routing Switch 5500 can be configured to accept both EAP and non-EAP (NEAP)
on  the  same  port.  In  regards  to  non-EAP,  the  switch  can  be  configured  to  accept  a  password
format  using  any  combination  of  IP  address  and  MAC  address  with  or  without  port  number.  By
default,  the  password  format  is  set  for  IP  address,  MAC  address,  and  port  number.  For  this
example, Ignition Server will be configured for device authentication so it is not important how the
password  format  is  configured  on  the  ERS  5520.  However,  it  is  suggested  to  use  a  password
format  of  MAC  address  so  that  if  the  complete  MAC  address  is  known,  we  can  use  user
authentication versus device authentication on Ignition server.

Overall, we will configured the following



Enable NEAP on ports 14 to 20 of ERS5520 using the non-EAP password format of MAC
address only



Add VLAN 1500 for the Philips devices



Add VLAN 1600 for the Siemens devices



Add VLAN 3000 as the default VLAN everyone connects to until authenticated by Ignition
Server



Configure the Ethernet Routing Switch 5520 and Ignition server with shared key set to

nortel

«
...
4
5
6
7
8
...
»

Содержание ERS 2400

Страница 1: ...s Ignition Server Technical Configuration Guide Enterprise Solutions Engineering Document Date April 2010 Document Number NN48500 586 Document Version 2 0 Identify Engines Ignition Server Ethernet Rou...

Страница 2: ...are Ethernet attached The main components include both the Ethernet edge switches and the Network Access Control infrastructure provided by Avaya s Identity Engines portfolio The audience for this Tec...

Страница 3: ...nts Conventions 3 1 Overview Medical Device Authentication using Identify Engines 4 1 1 Access Layer 4 1 2 Ignition Server Biomedical Device Authentication 4 1 3 Configuration Examples 5 1 4 Biomedica...

Страница 4: ...hts important information about an action that may result in equipment damage configuration or data loss Text Bold text indicates emphasis Italic text in a Courier New font indicates text the user mus...

Страница 5: ...Ignition Server to authenticate biomedical devices from an EAP authenticator it must know the device identity typically the MAC address In an existing network consisting of many biomedical devices mos...

Страница 6: ...s and Siemens for this example The Ethernet Routing Switch 5500 can be configured to accept both EAP and non EAP NEAP on the same port In regards to non EAP the switch can be configured to accept a pa...

Страница 7: ...g vlan create 1600 name siemens type port 5520 24T 1 config vlan create 3000 name general type port ERS5520 1 Step 2 Enable VLAN tagging on all appropriate ports 5520 24T 1 config vlan port 23 24 tagg...

Страница 8: ...s on port uplink ports ERS5520 1 Step 1 Enable Discard Untagged Frames 5520 1 config vlan ports 23 24 filter untagged frame enable 1 4 1 6 Enable Spanning Tree Fast Start and BPDU Filtering on access...

Страница 9: ...n enable RADIUS accounting using the command radius accounting enable 1 4 1 9 Enable EAP globally ERS5520 1 Step 1 Enable non EAP NEAP 5520 24T 1 config eap multihost allow non eap enable ERS5520 1 St...

Страница 10: ...and enable RADIUS NEAP phone 5520 24T 1 config interface fastEthernet 14 20 5520 24T 1 config if eapol status auto 5520 24T 1 config if eapol multihost allow non eap enable 5520 24T 1 config if eapol...

Страница 11: ...rt 14 Admin Status Auto Auth No Admin Dir Both Oper Dir Both ReAuth Enable No ReAuth Period 3600 Quiet Period 60 Xmit Period 30 Supplic Timeout 30 Server Timeout 30 Max Req 2 RDS DSE No Port 20 Admin...

Страница 12: ...Enabled Non EAPOL RADIUS Password Attribute Format MACAddr Non EAPOL User Based Policies Enabled Non EAPOL User Based Policies Filter On MAC Addresses Disabled Use most recent RADIUS VLAN Disabled St...

Страница 13: ...OL RADIUS VLANs is Enabled globally and at interface level 1 4 2 3 Verify EAP Multihost Status Step 1 Assuming Siemens devices on ports 14 15 and Philips devices on ports19 20 verify device MAC addres...

Страница 14: ...IVL No Port Members 14 15 23 24 3000 general Port None 0x0000 Yes IVL No Port Members 14 20 23 24 Total VLANs 5 On ERS5520 1 verify the following information Option Verify Port Display the ports where...

Страница 15: ...3 IDE Setup 1 4 3 1 Create a new Nortel device template IDE Step 1 Go to Site Configuration Provisioning Vendor VSA s Nortel Device Template New IDE Step 2 Name the new Nortel device template Nortel V...

Страница 16: ...complete configuration Please note that you must change the Avaya switch device template MAC Address Source from the default setting of Inbound Calling Station Id to Inbound User Name for device authe...

Страница 17: ...re an Outbound Attribute on Ignition Server for VLAN IDE Step 1 Go to Site Configuration Provisioning Outbound Attributes New IDE Step 2 Via the Outbound Attribute window enter a name for the attribut...

Страница 18: ...ya com IDE Step 3 Go to Site Configuration Provisioning Outbound Values New IDE Step 4 Using the Outbound Attribute created in Step 2 we will add the VLAN ID value for the Philips VLAN Start by enteri...

Страница 19: ...created in Step 2 i e VLAN as used in this example via the Choose Global Outbound Attribute pull down menu Make sure the Fixed Value radio button is selected Enter an name i e Philips VLAN 1500 as us...

Страница 20: ...p 3 to 5 to add the RADIUS attribute for the Siemens VLAN Go to Site Configuration Provisioning Outbound Values New IDE Step 7 Using the Outbound Attribute created in Step 2 we will add the VLAN ID va...

Страница 21: ...he correct VLAN number i e 1600 as used in this example in the VLAN ID window Click on OK twice when done 1 4 3 3 Add Access Policy The following is a list of top biomedical manufacturers vendor MAC s...

Страница 22: ...vaya policy 21 avaya com IDE Step 1 Go to Site Configuration Access Policies MAC Auth default radius device and click on Edit IDE Step 2 First we will create a rule for the Philips medical devices Sta...

Страница 23: ...the Constraint Details window under Attribute Category select Device and then scroll down and select device address Next via the right hand side plane select Starts With make sure Static Value is sel...

Страница 24: ...hentication Policy window click the Allow radio button via Action Provisioning and move the attribute we configured above named vlan 1500 philips from All Outbound Value box to the Provision With box...

Страница 25: ...the Constraint Details window under Attribute Category select Device and then scroll down and select device address Next via the right hand side plane select Starts With make sure Static Value is sel...

Страница 26: ...cation Policy window click the Allow radio button via Action Provisioning and move the attribute we configured above named vlan 1600 Siemens from All Outbound Value box to the Provision With box IDE S...

Страница 27: ...Avaya Inc Proprietary Confidential Use pursuant to the terms of your signed agreement or Avaya policy 26 avaya com...

Страница 28: ...s For Ignition Server to process the Avaya switch RADIUS requests each switch must be added as an Authenticator IDE Step 1 Go to Site Configuration Authenticators default For example we will create ne...

Страница 29: ...select the template we created in the section above titled Create a new Nortel device template Nortel VLAN as used in our example Make sure Enable MAC Auth is checked off and Do Not Use Password is s...

Страница 30: ...Avaya Inc Proprietary Confidential Use pursuant to the terms of your signed agreement or Avaya policy 29 avaya com...

Страница 31: ...nal Devices Next we will add the vendor MAC prefix via the Internal Store on Ignition Server IDE Step 1 Go to Site Configuration Directories Internal Store Internal Devices First we will add the MAC p...

Страница 32: ...greement or Avaya policy 31 avaya com IDE Step 2 Go to Site Configuration Directories Internal Store Internal Devices Next we will add the MAC prefix for Siemens Via the Internal Devices window Click...

Страница 33: ...Ignition Server Advanced Troubleshooting feature For example let s assume we wish to test a Philips device which starts with a vendor MAC of 00 09 5c Step 1 Via Ignition Dashboard select the IP addre...

Страница 34: ...the following information Option Verify Results First of all if successful Device lookup successful should be displayed Virtual Attributes Verify the following pertaining to the configuration used in...

Страница 35: ...witch and various details pertaining to the device such as RADIUS attributes and device details Knowing this information you could keep a database of all medical device identifiers and the switch and...

Страница 36: ...Avaya Inc Proprietary Confidential Use pursuant to the terms of your signed agreement or Avaya policy 35 avaya com Result...

Страница 37: ...Allow should be displayed If not verify the device using the previous step and if this also fails verify the Ignition Server configuration User Id This field displays the full MAC address of the devi...

Страница 38: ...ype Specify the ethertype classifier criteria eval order Specify the evaluation order flow id Specify the IPv6 flow identifier classifier criteria next header Specify the IPv6 next header classifier c...

Страница 39: ...T 1 config qos agent ubp high security local The default ubp classifier action non match action is for forward traffic In older software releases for the ERS5500 this was not the case and you had to e...

Страница 40: ...lips and UROLsiemens as per the policies configured on ERS5520 1 On Ignition Server the Nortel vendor VSA definitions are already defined and can be viewed by using Ignition Dashboard and going to Sit...

Страница 41: ...ement or Avaya policy 40 avaya com IDE Step 3 Go to Site Configuration Provisioning Outbound Values and click on New IDE Step 4 When the Outbound Value Details window pops up enter a name i e UROLphil...

Страница 42: ...bal Outbound Attribute and select the outbound attribute name from step 2 above Select Value of String and enter string name of UROLphilips for the UBP name of philips configured for the Philips devic...

Страница 43: ...ens as used in this example via the Outbound Value Name window and click on New IDE Step 8 When the Outbound Value instance window pops up under Choose Global Outbound Attribute and select the outboun...

Страница 44: ...43 avaya com IDE Step 9 Go to Site Configuration Access Policies MAC Auth default radius device and via the Authorization Policy tab select Philips and click on Edit IDE Step 10 Move the attribute we...

Страница 45: ...44 avaya com IDE Step 11 Go to Site Configuration Access Policies MAC Auth default radius device and via the Authorization Policy tab select Siemens and click on Edit IDE Step 12 Move the attribute we...

Страница 46: ...signed agreement or Avaya policy 45 avaya com IDE Step 13 Once complete we can go to Site Configuration Access Policy MAC Auth default radius device and clicking on Access Policy Summary to view the...

Страница 47: ...ore Destination L4 Port Max Ignore Source L4 Port Min Ignore Source L4 Port Max Ignore IPv6 Flow Id Ignore IP Flags Ignore TCP Control Flags Ignore IPv4 Options Ignore Destination MAC Addr Ignore Dest...

Страница 48: ...p No Action Update DSCP 0x10 Action Update 802 1p Priority Ignore Action Set Drop Precedence Low Drop Storage Type NonVolatile On the ERS5520 verify the following information Option Verify Name Verify...

Страница 49: ...owing command to view the UBP Policy 5520 24T 1 show qos ubp interface Result Id Unit Port Filter Set Name _____ ____ ____ _______________ 55001 1 14 siemens 55004 1 19 philips On the ERS5520 verify t...

Страница 50: ...to connect to ERS5520 1 is port 3 29 ERS8600 5 5 config ip ipfix state enable ERS8600 5 5 config ip ipfix port 3 29 all traffic enable ERS8600 6 5 show ip ipfix flows 3 IPFIX Flows Slot Number 3 Total...

Страница 51: ...ary Confidential Use pursuant to the terms of your signed agreement or Avaya policy 50 avaya com 2 Software Baseline Product Minimum Software Level Identity Engines 6 0 1 ERS2500 4 2 ERS4500 5 3 ERS55...

Страница 52: ...ollection ERS4500_5 3_Doc_Collection_20090731 Ethernet Routing Switch 4500 Software Release 5 3 Avaya Ethernet Routing Switch 5500 Series Release 5 1 Document Collection ERS5500_6 1_Doc_Collection_200...

Отзывы:

Нет отзывов

Похожие инструкции для ERS 2400

Бренд: E-Lins Страницы: 59

Бренд: E-Lins Страницы: 11

Бренд: E-Lins Страницы: 9

Бренд: E-Lins Страницы: 5

Network Video Recorders

Бренд: e-Line Technology Страницы: 34

Бренд: Konig Страницы: 73

Бренд: ZyXEL Communications Страницы: 485

Бренд: UfiSpace Страницы: 35

Бренд: HELVAR Страницы: 2

Бренд: 3Com Страницы: 32

SmartSTACK ELS100-24TXM

Бренд: Cabletron Systems Страницы: 117

Бренд: INNOSILICON Страницы: 11

Бренд: Alfa Network Страницы: 11

Бренд: ADTRAN Страницы: 2

Бренд: TRENDnet Страницы: 205

Бренд: QRS Страницы: 11

BiPAC 7404V series

Бренд: Billion Страницы: 165

PCNA EP OCe14102

Бренд: Fujitsu Страницы: 20

Бренды по названию

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Популярные бренды

Загрузить еще бренды