
Configuring Security on Avaya Virtual
Services Platform 8200
Release 4.0
NN47227-601
Issue 01.03
February 2015
© 2015 Avaya Inc.
All Rights Reserved.
Notice
While reasonable efforts have been made to ensure that the
information in this document is complete and accurate at the time of
printing, Avaya assumes no liability for any errors. Avaya reserves
the right to make changes and corrections to the information in this
document without the obligation to notify any person or organization
of such changes.
Documentation disclaimer
“Documentation” means information published by Avaya in varying
mediums which may include product information, operating
instructions and performance specifications that Avaya may generally
make available to users of its products and Hosted Services.
Documentation does not include marketing materials. Avaya shall not
be responsible for any modifications, additions, or deletions to the
original published version of documentation unless such
modifications, additions, or deletions were performed by Avaya. End
User agrees to indemnify and hold harmless Avaya, Avaya's agents,
servants and employees against all claims, lawsuits, demands and
judgments arising out of, or in connection with, subsequent
modifications, additions or deletions to this documentation, to the
extent made by End User.
Link disclaimer
Avaya is not responsible for the contents or reliability of any linked
websites referenced within this site or documentation provided by
Avaya. Avaya is not responsible for the accuracy of any information,
statement or content provided on these sites and does not
necessarily endorse the products, services, or information described
or offered within them. Avaya does not guarantee that these links will
work all the time and has no control over the availability of the linked
pages.
Warranty
Avaya provides a limited warranty on Avaya hardware and software.
Refer to your sales agreement to establish the terms of the limited
warranty. In addition, Avaya’s standard warranty language, as well as
information regarding support for this product while under warranty is
available to Avaya customers and other parties through the Avaya
Support website: http://support.avaya.com or such successor site as
designated by Avaya. Please note that if You acquired the product(s)
from an authorized Avaya Channel Partner outside of the United
States and Canada, the warranty is provided to You by said Avaya
Channel Partner and not by Avaya.
Licenses
THE SOFTWARE LICENSE TERMS AVAILABLE ON THE AVAYA
WEBSITE, HTTP://SUPPORT.AVAYA.COM/LICENSEINFO OR
SUCH SUCCESSOR SITE AS DESIGNATED BY AVAYA, ARE
APPLICABLE TO ANYONE WHO DOWNLOADS, USES AND/OR
INSTALLS AVAYA SOFTWARE, PURCHASED FROM AVAYA INC.,
ANY AVAYA AFFILIATE, OR AN AVAYA CHANNEL PARTNER (AS
APPLICABLE) UNDER A COMMERCIAL AGREEMENT WITH
AVAYA OR AN AVAYA CHANNEL PARTNER. UNLESS
OTHERWISE AGREED TO BY AVAYA IN WRITING, AVAYA DOES
NOT EXTEND THIS LICENSE IF THE SOFTWARE WAS
OBTAINED FROM ANYONE OTHER THAN AVAYA, AN AVAYA
AFFILIATE OR AN AVAYA CHANNEL PARTNER; AVAYA
RESERVES THE RIGHT TO TAKE LEGAL ACTION AGAINST YOU
AND ANYONE ELSE USING OR SELLING THE SOFTWARE
WITHOUT A LICENSE. BY INSTALLING, DOWNLOADING OR
USING THE SOFTWARE, OR AUTHORIZING OTHERS TO DO SO,
YOU, ON BEHALF OF YOURSELF AND THE ENTITY FOR WHOM
YOU ARE INSTALLING, DOWNLOADING OR USING THE
SOFTWARE (HEREINAFTER REFERRED TO
INTERCHANGEABLY AS “YOU” AND “END USER”), AGREE TO
THESE TERMS AND CONDITIONS AND CREATE A BINDING
CONTRACT BETWEEN YOU AND AVAYA INC. OR THE
APPLICABLE AVAYA AFFILIATE (“AVAYA”).
Avaya grants You a license within the scope of the license types
described below, with the exception of Heritage Nortel Software, for
which the scope of the license is detailed below. Where the order
documentation does not expressly identify a license type, the
applicable license will be a Designated System License. The
applicable number of licenses and units of capacity for which the
license is granted will be one (1), unless a different number of
licenses or units of capacity is specified in the documentation or other
materials available to You. “Software” means computer programs in
object code, provided by Avaya or an Avaya Channel Partner,
whether as stand-alone products, pre-installed on hardware products,
and any upgrades, updates, patches, bug fixes, or modified versions
thereto. “Designated Processor” means a single stand-alone
computing device. “Server” means a Designated Processor that
hosts a software application to be accessed by multiple users.
“Instance” means a single copy of the Software executing at a
particular time: (i) on one physical machine; or (ii) on one deployed
software virtual machine (“VM”) or similar deployment.
Licence types
Designated System(s) License (DS). End User may install and use
each copy or an Instance of the Software only on a number of
Designated Processors up to the number indicated in the order.
Avaya may require the Designated Processor(s) to be identified in
the order by type, serial number, feature key, Instance, location or
other specific designation, or to be provided by End User to Avaya
through electronic means established by Avaya specifically for this
purpose.
Heritage Nortel Software
“Heritage Nortel Software” means the software that was acquired by
Avaya as part of its purchase of the Nortel Enterprise Solutions
Business in December 2009. The Heritage Nortel Software currently
available for license from Avaya is the software contained within the
list of Heritage Nortel Products located at http://support.avaya.com/
LicenseInfo under the link “Heritage Nortel Products” or such
successor site as designated by Avaya. For Heritage Nortel
Software, Avaya grants You a license to use Heritage Nortel
Software provided hereunder solely to the extent of the authorized
activation or authorized usage level, solely for the purpose specified
in the Documentation, and solely as embedded in, for execution on,
or for communication with Avaya equipment. Charges for Heritage
Nortel Software may be based on extent of activation or use
authorized as specified in an order or invoice.
Copyright
Except where expressly stated otherwise, no use should be made of
materials on this site, the Documentation, Software, Hosted Service,
or hardware provided by Avaya. All content on this site, the
documentation, Hosted Service, and the product provided by Avaya
including the selection, arrangement and design of the content is
owned either by Avaya or its licensors and is protected by copyright
and other intellectual property laws including the sui generis rights
relating to the protection of databases. You may not modify, copy,
reproduce, republish, upload, post, transmit or distribute in any way
any content, in whole or in part, including any code and software
unless expressly authorized by Avaya. Unauthorized reproduction,
transmission, dissemination, storage, and or use without the express
written consent of Avaya can be a criminal, as well as a civil offense
under the applicable law.
Third Party Components
“Third Party Components” mean certain software programs or
portions thereof included in the Software or Hosted Service may
contain software (including open source software) distributed under
third party agreements (“Third Party Components”), which contain
terms regarding the rights to use certain portions of the Software
(“Third Party Terms”). As required, information regarding distributed
Linux OS source code (for those products that have distributed Linux
OS source code) and identifying the copyright holders of the Third
Party Components and the Third Party Terms that apply is available
in the products, Documentation or on Avaya’s website at: http://
support.avaya.com/Copyright or such successor site as designated
by Avaya. You agree to the Third Party Terms for any such Third
Party Components.
Preventing Toll Fraud
“Toll Fraud” is the unauthorized use of your telecommunications
system by an unauthorized party (for example, a person who is not a
corporate employee, agent, subcontractor, or is not working on your
company's behalf). Be aware that there can be a risk of Toll Fraud
associated with your system and that, if Toll Fraud occurs, it can
result in substantial additional charges for your telecommunications
services.
Avaya Toll Fraud intervention
If You suspect that You are being victimized by Toll Fraud and You
need technical assistance or support, call Technical Service Center
Toll Fraud Intervention Hotline at +1-800-643-2353 for the United
States and Canada. For additional support telephone numbers, see
the Avaya Support website: http://support.avaya.com or such
successor site as designated by Avaya. Suspected security
vulnerabilities with Avaya products should be reported to Avaya by
sending mail to: securityalerts@avaya.com.
Downloading Documentation
For the most current versions of Documentation, see the Avaya
Support website: http://support.avaya.com, or such successor site as
designated by Avaya.
Contact Avaya Support
See the Avaya Support website: http://support.avaya.com for product
or Hosted Service notices and articles, or to report a problem with
your Avaya product or Hosted Service. For a list of support telephone
numbers and contact addresses, go to the Avaya Support website:
http://support.avaya.com (or such successor site as designated by
Avaya), scroll to the bottom of the page, and select Contact Avaya
Support.
Trademarks
The trademarks, logos and service marks (“Marks”) displayed in this
site, the Documentation, Hosted Service(s), and product(s) provided
by Avaya are the registered or unregistered Marks of Avaya, its
affiliates, or other third parties. Users are not permitted to use such
Marks without prior written consent from Avaya or such third party
which may own the Mark. Nothing contained in this site, the
Documentation, Hosted Service(s) and product(s) should be
construed as granting, by implication, estoppel, or otherwise, any
license or right in and to the Marks without the express written
permission of Avaya or the applicable third party.
Avaya is a registered trademark of Avaya Inc.
All non-Avaya trademarks are the property of their respective owners.
Linux® is the registered trademark of Linus Torvalds in the U.S. and
other countries.
Contents
Chapter 1: Introduction............................................................................................................ 6
Purpose of this document......................................................................................................... 6
Related Resources.................................................................................................................. 6
Training............................................................................................................................ 6
Support.................................................................................................................................. 7
Chapter 2: New in this release................................................................................................. 8
Chapter 3: Security fundamentals........................................................................................... 9
Security overview.................................................................................................................... 9
hsecure mode....................................................................................................................... 10
ACLI passwords.................................................................................................................... 11
Port Lock feature................................................................................................................... 11
Access policies for services.................................................................................................... 11
User-based policy support...................................................................................................... 12
Denial-of-service attack prevention......................................................................................... 12
Configuration considerations.................................................................................................. 13
Interoperability configuration.................................................................................................. 14
Security configuration using ACLI........................................................................................... 14
Enabling hsecure............................................................................................................ 14
Changing an invalid-length password................................................................................ 15
Changing passwords....................................................................................................... 16
Configuring directed broadcast......................................................................................... 18
Preventing certain types of DOS attacks........................................................................... 19
Configuring port lock........................................................................................................ 20
Security configuration using Enterprise Device Manager........................................................... 21
Enabling port lock............................................................................................................ 22
Locking a port................................................................................................................. 22
Changing passwords....................................................................................................... 23
Chapter 4: RADIUS................................................................................................................. 25
RADIUS configuration using ACLI........................................................................................... 27
Configuring RADIUS attributes......................................................................................... 28
Configuring RADIUS profile.............................................................................................. 31
Enabling RADIUS authentication...................................................................................... 32
Enabling the source IP flag for the RADIUS server............................................................. 32
Enabling RADIUS accounting........................................................................................... 33
Enabling RADIUS-SNMP accounting................................................................................ 34
Configuring RADIUS accounting interim request................................................................ 35
Configuring RADIUS authentication and RADIUS accounting attributes............................... 36
Adding a RADIUS server................................................................................................. 39
Modifying RADIUS server settings.................................................................................... 40
4
Configuring Security on Avaya VSP 8200
Comments? infodev@avaya.com
February 2015
Showing RADIUS information........................................................................................... 42
Displaying RADIUS server information.............................................................................. 42
Showing RADIUS SNMP configurations............................................................................ 43
RADIUS configuration using Enterprise Device Manager.......................................................... 43
Enabling RADIUS authentication...................................................................................... 44
Enabling RADIUS accounting........................................................................................... 45
Disabling RADIUS accounting.......................................................................................... 46
Enabling RADIUS accounting interim request.................................................................... 47
Configuring the source IP option for the RADIUS server..................................................... 48
Adding a RADIUS server................................................................................................. 50
Reauthenticating the RADIUS SNMP server session.......................................................... 51
Configuring RADIUS SNMP............................................................................................. 52
Modifying a RADIUS configuration.................................................................................... 53
Deleting a RADIUS configuration...................................................................................... 54
Chapter 5: Simple Network Management Protocol (SNMP)................................................ 55
SNMPv3............................................................................................................................... 55
SNMP community strings....................................................................................................... 60
SNMPv3 support for VRF....................................................................................................... 61
SNMP configuration using ACLI.............................................................................................. 62
Downloading the software................................................................................................ 63
Loading the SNMPv3 encryption module........................................................................... 64
Configuring SNMP settings.............................................................................................. 65
Creating a user............................................................................................................... 68
Creating a new user group............................................................................................... 70
Creating a new entry for the MIB in the view table.............................................................. 72
Creating a community...................................................................................................... 72
Adding a user to a group.................................................................................................. 74
Blocking SNMP............................................................................................................... 75
Displaying SNMP system information................................................................................ 76
SNMP configuration using Enterprise Device Manager............................................................. 76
Creating a user............................................................................................................... 77
Creating a new group membership................................................................................... 79
Creating access for a group............................................................................................. 80
Creating access policies for SNMP groups........................................................................ 81
Assigning MIB view access for an object........................................................................... 82
Creating a community...................................................................................................... 83
Viewing all contexts for an SNMP entity............................................................................ 84
Glossary................................................................................................................................... 85
Chapter 1: Introduction
Purpose of this document
Security documentation provides procedures and conceptual information that you can use to
administer and configure the security features for the Avaya Virtual Services Platform 8200.
The security function includes tasks related to product security; for example, the management and
protection of resources from unauthorized or detrimental access and use. Security documents
include information that supports the configuration and ongoing management of
• communications
• data security
• user security
• access
Related Resources
Documentation
See the Documentation Reference for Avaya Virtual Services Platform 8200, NN47227-100 for a list
of the documentation for this product.
Training
Ongoing product training is available. For more information or to register, you can access the Web
site at http://avaya-learning.com/.
Viewing Avaya Mentor videos
Avaya Mentor videos provide technical content on how to install, configure, and troubleshoot Avaya
products.
About this task
Videos are available on the Avaya Support website, listed under the video document type, and on
the Avaya-run channel on YouTube.
Procedure
• To find videos on the Avaya Support site, go to http://support.avaya.com and perform one of
the following actions:
- In Search, type Avaya Mentor Videos to see a list of the available videos.
- In Search, type the product name. On the Search Results page, select Video in the
Content Type column on the left.
• To find the Avaya Mentor videos on YouTube, go to http://www.youtube.com/AvayaMentor and
perform one of the following actions:
- Enter a key word or key words in the Search Channel to search for a specific product or
topic.
- Scroll down Playlists, and click the name of a topic to see the available list of videos posted
on the site.
Note:
Videos are not available for all products.
Support
Go to the Avaya Support site at http://support.avaya.com for the most up-to-date documentation,
product notices, and knowledge articles. You can also search for release notes, downloads, and
resolutions to issues. Use the online service request system to create a service request. Chat with
live agents to get answers to questions, or request an agent to connect you to a support team if an
issue requires additional expertise.
Chapter 2: New in this release
Configuring Security on Avaya Virtual Services Platform 8200, NN47227-601 is a new document for
Release 4.0 so all the features are new in this release. See Release Notes for Avaya Virtual
Services Platform 8284XSQ, NN47227-401 for a full list of features.
Chapter 3: Security fundamentals
This section provides conceptual content to help you configure and customize the security services
on Avaya Virtual Services Platform 8200.
Security overview
Security is a critical attribute of networking devices such as the Avaya Virtual Services Platform
8200. Security features are split into two main areas:
• Control path—protects the access to the device from a management perspective.
• Data path—protects the network from malicious users by controlling access authorization to the
network resources (such as servers and stations). This protection is primarily accomplished by
using filters or access lists.
You can protect the control path using
• logon and passwords
• access policies, in which you specify the network and address that can use a service or
daemon
• secure protocols, such as Secure Shell (SSH), Secure Copy (SCP), and the Simple Network
Management Protocol version 3 (SNMPv3)
• the Message Digest 5 Algorithm (MD5), which protects routing updates
You can protect the data path using
• Media Access Control (MAC) address filtering
• Layer 3 filtering, such as Internet Protocol (IP) and User Datagram Protocol (UDP)/
Transmission Control Protocol (TCP) filtering
• routing policies, which prevent users from accessing restricted areas of the network
hsecure mode
Avaya Virtual Services Platform 8200 supports a flag called high secure (hsecure). hsecure
introduces the following password-related behaviors and a filtering mechanism:
• 10-character enforcement
• aging time
• limitation of failed logon attempts
• protection mechanism to filter certain IP addresses.
After you enable the hsecure flag, the software enforces the 10-character rule for all passwords.
This password must contain a minimum of two uppercase characters, two lowercase characters, two
numbers, and two special characters.
After you enable hsecure, the system requires you to save the configuration file and reboot the
system for hsecure to take effect. If the existing password does not meet the minimum requirements
for hsecure, the system prompts you to change the password during the first login.
The default username is rwa and the default password is rwa. In hsecure, the system prompts you
to change these during first login because they do not meet the minimum requirements for hsecure.
When you enable hsecure, the system disables Simple Network Management Protocol (SNMP) v1,
SNMPv2 and SNMPv3. If you want to use SNMP, you must re-enable SNMP, using the command
no boot config flag block-snmp.
Aging enforcement
After you enable the hsecure flag, you can configure a duration after which you must change your
password. You configure the duration by using the aging parameter.
For SNMP and File Transfer Protocol (FTP), after a password expires, access is denied. Before you
access the system, you must change a community string to a new string consisting of more than
eight characters.
Important:
Consider the following after you enable the hsecure flag:
• You cannot enable the Web server for Enterprise Device Manager (EDM) access.
• You cannot enable the Secure Shell (SSH) password authentication.
For more information, see Administering Avaya Virtual Services Platform 8200, NN47227-600.
Filtering mechanism
Packets whose IP source address is the network address or the broadcast address of the subnet on
a virtual router interface are discarded at that interface. For example, on a 192.168.168.0/24
interface, source addresses 192.168.168.0 and 192.168.168.255 are discarded.
This rule applies to subnets of every prefix length, not only /24.
You can filter addresses only if you enable the hsecure mode.
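To make the filtering rule concrete, the following Python check is an added example (not code from the Avaya document or from the VSP 8200 software). It decides whether hsecure would discard a source address on a given virtual router interface, and, as the text states, it applies the network/broadcast test against the interface's own prefix so that /26 and /30 subnets are handled the same way as the /24 example. The interface table and the packet list are constructed sample data.

```python
import ipaddress

# Constructed interface table for the example: interface name -> the IPv4
# subnet configured on that virtual router interface (sample values, not
# taken from the Avaya document).
INTERFACES = {
    "vlan10": ipaddress.ip_network("192.168.168.0/24"),
    "vlan20": ipaddress.ip_network("10.1.2.64/26"),
    "p2p1": ipaddress.ip_network("172.16.0.0/30"),
}


def is_hsecure_discard(src_ip: str, interface: str, hsecure: bool = True) -> bool:
    """Return True if hsecure would discard a packet with this source address.

    A packet whose source is the interface subnet's network address or its
    directed-broadcast address cannot come from a real host on that subnet, so
    hsecure drops it at the virtual router interface. The comparison uses the
    interface's own prefix, so it works for any prefix length, not only /24.
    Off-subnet sources are left to other filters and are not dropped here.
    """
    if not hsecure:
        return False  # the filter only exists while hsecure is enabled
    net = INTERFACES[interface]
    addr = ipaddress.ip_address(src_ip)
    if addr not in net:
        return False
    return addr in (net.network_address, net.broadcast_address)


def filter_packets(packets, hsecure: bool = True):
    """Split (interface, src_ip) pairs into forwarded and discarded lists."""
    forwarded, discarded = [], []
    for iface, src in packets:
        bucket = discarded if is_hsecure_discard(src, iface, hsecure) else forwarded
        bucket.append((iface, src))
    return forwarded, discarded


if __name__ == "__main__":
    # Constructed sample traffic: the two /24 cases from the text plus a /26
    # and a /30 subnet to show the rule is independent of prefix length.
    sample = [
        ("vlan10", "192.168.168.0"),
        ("vlan10", "192.168.168.255"),
        ("vlan10", "192.168.168.7"),
        ("vlan20", "10.1.2.64"),
        ("vlan20", "10.1.2.127"),
        ("vlan20", "10.1.2.70"),
        ("p2p1", "172.16.0.3"),
        ("p2p1", "172.16.0.1"),
    ]
    fwd, drop = filter_packets(sample)
    for iface, src in drop:
        print(f"{iface}: discard source {src} (network or broadcast address)")
    for iface, src in fwd:
        print(f"{iface}: forward source {src}")
```

Running the script lists the network and broadcast sources of each sample subnet as discarded and the host addresses as forwarded; with `hsecure=False` nothing is discarded, matching the statement that the filter is only active in hsecure mode.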
ACLI passwords
Avaya Virtual Services Platform 8200 ships with default passwords assigned for access to Avaya
Command Line Interface (ACLI) through a console or management session. If you have read/
write/all access authority, and you are using SNMPv3, you can change passwords that are in an
encrypted format. If you are using Enterprise Device Manager (EDM), you can also specify the
number of available Telnet sessions and rlogin sessions.
Important:
The default passwords are documented and well known. Avaya strongly recommends that you
change the default passwords and community strings immediately after you first log on.
Port Lock feature
You can use the Port Lock feature to administratively lock a port or ports to prevent other users from
changing port parameters or modifying port action. You cannot modify locked ports until the ports
are first unlocked.
Access policies for services
You can control access to Avaya Virtual Services Platform 8200 by creating an access policy. An
access policy specifies the hosts or networks that can access the device through various services,
such as Telnet, SNMP, Trivial File Transfer Protocol (TFTP), File Transfer Protocol (FTP), Hypertext
Transfer Protocol (HTTP), Remote Shell (RSH), and remote login (rlogin). You can enable or disable
access services by setting flags from ACLI.
You can define network stations that can explicitly access VSP 8200 or stations that cannot access
it. For each service you can also specify the level of access, such as read-only or read-write-all.
Important:
A third-party security scan shows VSP 8200 service ports open and in the listen state. No
connections are accepted on these ports unless you enable the particular daemon. Avaya does
not dynamically start and stop the daemons at runtime and needs to keep them running from
system startup.
For more information about configuring access policies, see Administering Avaya Virtual Services
Platform 8200, NN47227-600.
User-based policy support
You can set up a user-based policy (UBP) system by using Avaya Enterprise Policy Manager
(EPM), a RADIUS server.
EPM is an application designed to manage the traffic prioritization and network access security for
business applications. It provides centralized control of advanced packet classification and the
ability to priority mark, police, meter, or block traffic.
EPM 5.0 supports UBPs, which allow security administrators to establish and enforce roles and
conditions for each user for all access ports in the network. The UBP feature in EPM works in
conjunction with Extensible Authentication Protocol (EAP) technology to enhance the security of the
network. Users log on to the networks and are authenticated as the network connection is
established.
The UBP feature works as an extension to the Roles feature in EPM. In a UBP environment, role
objects are linked directly to specific users (as RADIUS attributes), as opposed to being linked
simply to device interfaces. The role object then links the user to specific policies that control the
user's access to the network.
When the RADIUS server successfully authenticates a user, the device sends an EAP session start
event to the EPM policy server. The policy server then sends user-based policy configuration
information for the new user roles to the interface, based on the role attribute that was assigned to
that user on the RADIUS server.
Denial-of-service attack prevention
Avaya Virtual Services Platform 8200 supports a configurable flag, called high secure (hsecure).
High secure mode introduces a protection mechanism to filter certain IP addresses, and two
restrictions on passwords: 10-character enforcement and aging time.
If the device starts in hsecure mode with default factory settings, and no previously configured
password, the system will prompt you to change the password. The new password must follow the
rules mandated by high secure mode. After you enable hsecure and restart the system, if you have
an invalid-length password you must change the password.
If you enable hsecure for the first time and the password file does not exist, then the device creates
a normal default username (rwa) and password (rwa). In this case, the password does not meet the
minimum requirements for hsecure and as a result the system prompts you to change the password.
The following information describes hsecure mode operations:
• When you enable the hsecure flag, after a certain duration you are asked to change your
password. If not configured, the aging parameter defaults to 90 days.
• For SNMP and FTP, access is denied when a password expires. You must change the
community strings to a new string made up of more than eight characters before accessing the
system.
• You cannot enable the Web server at any time.
• You cannot enable the SSH password-authentication feature at any time.
Hsecure is disabled by default. When you enable hsecure, the desired behavior applies to all ports.
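The password rules described here and in the hsecure mode section above (the 10-character minimum with at least two uppercase, two lowercase, two numeric and two special characters; the aging parameter with its 90-day default; the factory-default rwa/rwa credentials that always fail the check; and the requirement that SNMP community strings be longer than eight characters after expiry) can be verified offline before a password or community string is pushed to a switch. The following Python checker is an added example, not Avaya code. It assumes that "special character" means ASCII punctuation and that a password expires on the day it becomes exactly aging_days old; the document defines neither detail.

```python
import string
from datetime import date

MIN_PASSWORD_LENGTH = 10      # hsecure 10-character rule
MIN_PER_CLASS = 2             # two uppercase, two lowercase, two numeric, two special
DEFAULT_AGING_DAYS = 90       # aging parameter default when not configured
MIN_COMMUNITY_LENGTH = 9      # "more than eight characters"
DEFAULT_CREDENTIALS = ("rwa", "rwa")   # factory default username and password


def password_violations(password: str) -> list:
    """Return the hsecure rules this password breaks; an empty list means compliant.

    Assumption (not defined by the document): a "special character" is any
    ASCII punctuation character as listed in string.punctuation.
    """
    counts = {
        "uppercase": sum(c.isupper() for c in password),
        "lowercase": sum(c.islower() for c in password),
        "numeric": sum(c.isdigit() for c in password),
        "special": sum(c in string.punctuation for c in password),
    }
    problems = []
    if len(password) < MIN_PASSWORD_LENGTH:
        problems.append(f"fewer than {MIN_PASSWORD_LENGTH} characters")
    for name, n in counts.items():
        if n < MIN_PER_CLASS:
            problems.append(f"fewer than {MIN_PER_CLASS} {name} characters")
    return problems


def password_expired(last_changed: date, today: date, aging_days=None) -> bool:
    """True once the password is at least aging_days old (assumed expiry point)."""
    if aging_days is None:
        aging_days = DEFAULT_AGING_DAYS
    return (today - last_changed).days >= aging_days


def community_string_acceptable(community: str) -> bool:
    """After expiry, an SNMP community string must be longer than eight characters."""
    return len(community) >= MIN_COMMUNITY_LENGTH


def change_required_at_login(username: str, password: str,
                             last_changed: date, today: date, aging_days=None) -> list:
    """Reasons the system would prompt for a password change at login under hsecure."""
    reasons = []
    if (username, password) == DEFAULT_CREDENTIALS:
        reasons.append("factory default credentials")
    reasons.extend(password_violations(password))
    if password_expired(last_changed, today, aging_days):
        reasons.append("password older than aging limit")
    return reasons


if __name__ == "__main__":
    # Constructed sample accounts: (username, password, date of last change).
    accounts = [
        ("rwa", "rwa", date(2015, 2, 1)),
        ("admin", "Ab12!@cdEF", date(2014, 10, 1)),
        ("ops", "Abcdefgh12", date(2015, 1, 15)),
    ]
    for user, pw, changed in accounts:
        reasons = change_required_at_login(user, pw, changed, date(2015, 2, 1))
        print(f"{user}: {'change required: ' + '; '.join(reasons) if reasons else 'ok'}")
    for community in ("public", "Vsp8200-ro"):
        print(f"community {community!r}: {'acceptable' if community_string_acceptable(community) else 'too short'}")
```

The `ops` account in the sample shows the most common failure: a 10-character password with only one uppercase and no special characters, which passes the length check but still fails the per-class minimums.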
Configuration considerations
Use the information in this section to understand the limitations of some security functions such as
BSAC RADIUS servers and Layer 2 protocols before you attempt to configure security.
Single profile enhancement for BSAC RADIUS servers
Before enabling Remote Access Dial-In User Services (RADIUS) accounting on the device, you
must configure at least one RADIUS server.
Avaya Virtual Services Platform 8200 software supports BaySecure Access Control (BSAC) and the
Merit Network servers. To use these servers, you must first obtain the software for the server. You
must also make changes to one or more configuration files for these servers.
Single Profile is a feature that is specific to BSAC RADIUS servers. In a BSAC RADIUS server,
when you create a client profile, you can specify all the returnable attributes. When you use the
same profile for different products (VSP 8200 and Baystack 450, for example) you specify all the
returnable attributes in the single profile.
Attribute format for a third-party RADIUS server
If you use a third-party RADIUS server and need to modify the dictionary files, you must use the
following vendor-specific attribute format for ACLI commands:
   1    1         2                        2+x
 +----+----+---------------+----------------------------------------+
 |type|len |   Vendor-Id   |             value (string)             |
 +----+----+---------------+----------------------------------------+

   1    1              v              x
 +----+----+-----------------------------+
 |type|len |     value (cli-command)     |
 +----+----+-----------------------------+
RADIUS on management ports
The management port supports the RADIUS protocol. When RADIUS packets are sent out of the
management port, the SRC-IP address is properly entered in the RADIUS header.
For more information about the supported RADIUS servers, see the documentation of the RADIUS
server.
SNMP cloned user considerations
If the user from which you are cloning has authentication, you can choose for the new user to either
have the same authentication protocol as the user from which it was cloned, or no authentication. If
you choose authentication for the new user, you must provide a password for that user. If you want
a new user to have authentication, you must indicate that at the time you create the new user. You
can assign a privacy protocol only to a user that has authentication.
If the user from which you are cloning has no authentication, then the new user has no
authentication.
Interoperability configuration
VSP 8200 is compatible with RADIUS servers.
You can search the InSite Knowledge Base on the Avaya Support site at www.avaya.com/support.
Use the Advanced Search option to narrow your search to specific categories (products) and
document types.
Security configuration using ACLI
Configure security information used on the control and data paths to protect the network from
uncontrolled access to network resources.
For more information about how to configure passwords and access policies, see Administering
Avaya Virtual Services Platform 8200, NN47227-600.
Enabling hsecure
About this task
The hsecure flag is disabled by default. When you enable it, the software enforces the 10 character
rule for all passwords.
When you upgrade from a previous release, if the password does not have at least 10 characters,
you receive a prompt to change your password to the mandatory 10-character length.
If you enable hsecure for the first time and the password file does not exist, then the device creates
a normal default username (rwa) and password (rwa). In this case, the password does not meet the
minimum requirements for hsecure and as a result the system prompts you to change the password.
Procedure
1. Enter Global Configuration mode:
enable
configure terminal
2. Enable or disable hsecure mode:
boot config flags hsecure
The following warning messages appear:
Warning: For security purposes, all unsecure services - TFTP, FTP, Rlogin, Telnet,
SNMP are disabled. Individually enable the required services.
Warning: Please save boot configuration and reboot the switch for this to take
effect.
3. Save the configuration and restart the device for the change to take effect.
Example
VSP-8284XSQ> enable
VSP-8284XSQ# configure terminal
Enable hsecure mode:
VSP-8284XSQ(config)# boot config flags hsecure
Warning: For security purposes, all unsecure services - TFTP, FTP,
Rlogin, Telnet, SNMP are disabled. Individually enable the required
services. Warning: Please save boot configuration and reboot the switch
for this to take effect.
Save the configuration:
VSP-8284XSQ(config)# save config
Restart the switch:
VSP-8284XSQ(config)# reset
Are you sure you want to reset the switch (y/n)? y
Changing an invalid-length password
Before you begin
Important:
When you enable hsecure, passwords must contain a minimum of 10 characters or numbers
with a maximum of 20. The password must contain a minimum of: two uppercase characters,
two lowercase characters, two numbers, and two special characters.
About this task
After you enable hsecure and restart the system, change your password if you have an invalid-length password.
Procedure
1. At the ACLI prompt, log on to the system.
2. Enter the password.
When you have an invalid-length password, the following message appears:
Your password is valid but less than mandatory 10 characters.
Please change the password to continue.
3. When prompted, enter the new password.
4. When prompted, reenter the new password.
Example
Log on to the switch:
Login: rwa
Enter the password:
Password: ***
Your password is valid but less than mandatory 10 characters. Please
change the password to continue.
Enter the new password:
Enter the new password: **********
Re-enter the new password:
Re-enter the new password: **********
Password successfully changed.
Changing passwords
Before you begin
• You must use an account with read-write-all privileges to change passwords. For security, the
switch saves passwords to a hidden file.
About this task
Configure new passwords for each access level, or change the logon or password for the different
access levels of the switch. After you receive Avaya Virtual Services Platform 8200, use default
passwords to initially access ACLI. If you use Simple Network Management Protocol version 3
(SNMPv3), you can change encrypted passwords.
If you enable the hsecure flag, after the aging time expires, the system prompts you to change your
password. If you do not configure the aging time, the default is 90 days.
Procedure
1. Enter Global Configuration mode:
enable
configure terminal
2. Change a password:
cli password WORD<1–20> {layer1|layer2|layer3|read-only|read-write|
read-write-all}
3. Enter the old password.
4. Enter the new password.
5. Enter the new password a second time.
6. Configure password options:
password [access-level WORD<2–8>] [aging-time day <1-365>] [default-lockout-time <60-65000>] [lockout WORD<0–46> time <60-65000>] [min-passwd-len <10-20>] [password-history <3-32>]
Example
VSP-8284XSQ> enable
VSP-8284XSQ# configure terminal
Change a password:
VSP-8284XSQ(config)# cli password smith read-write-all
Enter the old password:
Enter the new password:
Enter the new password a second time:
Set password to an access level of read-write-all and the expiration period for the password to 60
days:
VSP-8284XSQ(config)# password access-level rwa aging-time 60
Variable definitions
Use the data in the following table to use the cli password command.
Table 1: Variable definitions

Variable                                                    Value
layer1|layer2|layer3|read-only|read-write|read-write-all    Changes the password for the specific access level.
WORD<1–20>                                                  Specifies the user logon name.
Use the data in the following table to use the password command.
Table 2: Variable definitions

Variable                              Value
access-level WORD<2–8>                Permits or blocks this access level. The available
                                      access level values are as follows:
                                      • l1
                                      • l2
                                      • l3
                                      • ro
                                      • rw
                                      • rwa
aging-time day <1-365>                Configures the expiration period for passwords in
                                      days, from 1–365. The default is 90 days.
default-lockout-time <60-65000>       Changes the default lockout time after three invalid
                                      attempts. Configures the lockout time, in seconds,
                                      in the 60–65000 range. The default is 60 seconds.
                                      To configure this option to the default value, use
                                      the default operator with the command.
lockout WORD<0–46> time <60-65000>    Configures the host lockout time.
                                      • WORD<0–46> is the host IP address in the format
                                        a.b.c.d.
                                      • <60-65000> is the lockout time, in seconds, in the
                                        60–65000 range. The default is 60 seconds.
min-passwd-len <10-20>                Configures the minimum length for passwords in
                                      high-secure mode. The default is 10 characters.
                                      To configure this option to the default value, use
                                      the default operator with the command.
password-history <3-32>               Specifies the number of previous passwords the
                                      switch stores. You cannot reuse a password that is
                                      stored in the password history. The default is 3.
                                      To configure this option to the default value, use
                                      the default operator with the command.
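The following added example (not Avaya code) checks a candidate password against the hsecure rules stated under Changing an invalid-length password and the min-passwd-len, password-history and aging-time options of the password command above, so you can validate it before the switch rejects it. It assumes ASCII punctuation is what the switch counts as a special character and keeps its own history list as hashes; the sample passwords and dates are constructed.

```python
"""Pre-flight check of a candidate password against the hsecure rules on this
page. Added example; not Avaya code."""
import hashlib
import string
from datetime import date, timedelta

# Assumption: ASCII punctuation is what the switch counts as "special characters".
SPECIAL_CHARS = set(string.punctuation)


def _as_date(value):
    """Accept a date or an ISO string such as "2015-02-01"."""
    return date.fromisoformat(value) if isinstance(value, str) else value


def hsecure_violations(password, min_len=10, max_len=20):
    """List every hsecure complexity rule the candidate breaks (empty = OK).

    Rules from this page: 10 to 20 characters (min-passwd-len <10-20>), with
    at least two uppercase, two lowercase, two numbers and two special characters.
    """
    if not 10 <= min_len <= max_len <= 20:
        raise ValueError("min-passwd-len must lie in the range 10-20")
    problems = []
    if len(password) < min_len:
        problems.append(f"length {len(password)} is below the minimum of {min_len}")
    if len(password) > max_len:
        problems.append(f"length {len(password)} exceeds the maximum of {max_len}")
    counts = {
        "uppercase": sum(c.isupper() for c in password),
        "lowercase": sum(c.islower() for c in password),
        "number": sum(c.isdigit() for c in password),
        "special": sum(c in SPECIAL_CHARS for c in password),
    }
    for kind, n in counts.items():
        if n < 2:
            problems.append(f"needs at least two {kind} characters (found {n})")
    return problems


def fingerprint(password):
    """Hash kept in the local history list so plaintext is not retained."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def reuse_blocked(password, history, history_size=3):
    """True if the candidate matches one of the last history_size passwords
    (password-history <3-32>, default 3). history holds fingerprints, oldest first."""
    if not 3 <= history_size <= 32:
        raise ValueError("password-history must lie in the range 3-32")
    return fingerprint(password) in history[-history_size:]


def expiry_date(changed_on, aging_days=90):
    """Day on which hsecure prompts for a new password
    (aging-time day <1-365>, default 90 days)."""
    if not 1 <= aging_days <= 365:
        raise ValueError("aging-time must lie in the range 1-365")
    return _as_date(changed_on) + timedelta(days=aging_days)


def password_status(password, history, changed_on, today, *,
                    min_len=10, history_size=3, aging_days=90):
    """Combine the three checks into one report for a candidate password."""
    expires = expiry_date(changed_on, aging_days)
    return {
        "violations": hsecure_violations(password, min_len),
        "reuse_blocked": reuse_blocked(password, history, history_size),
        "expires_on": expires,
        "expired": _as_date(today) >= expires,
    }


if __name__ == "__main__":
    # The factory default "rwa" is exactly the case hsecure rejects at first logon.
    print(hsecure_violations("rwa"))
```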
Configuring directed broadcast
About this task
A directed broadcast is a frame sent to the subnet broadcast address on a remote IP subnet. When
you disable (or suppress) directed broadcasts on an interface, all frames sent to the subnet
broadcast address for a local router interface are dropped. Disabling directed broadcasts protects
hosts from possible denial-of-service (DOS) attacks. By default, this feature is enabled on the
device.
Procedure
1. Enter VLAN Interface Configuration mode:
enable
configure terminal
interface vlan <1–4084>
2. Configure Avaya Virtual Services Platform 8200 to forward directed broadcasts for a VLAN:
ip directed-broadcast enable
Example
VSP-8284XSQ> enable
VSP-8284XSQ# configure terminal
VSP-8284XSQ(config)# interface vlan 2
VSP-8284XSQ(config-if)# ip directed-broadcast enable
Variable definitions
Use the data in the following table to use the ip directed-broadcast command.
Table 3: Variable definitions

Variable    Value
enable      Enables the device to forward directed broadcast frames to the specified VLAN. The
            default setting for this feature is enabled.
Preventing certain types of DOS attacks
Before you begin
• You must log on to GigabitEthernet Interface Configuration mode in ACLI.
About this task
Protect VSP 8200 against IP packets with illegal IP addresses, such as loopback addresses, a
source IP address of all ones, or Class D or Class E addresses, being routed. VSP 8200 supports a
high-secure configurable flag for this purpose.
Important:
After you enable this flag, the desired behavior (not routing source packets with an IP address
of 255.255.255.255) applies to all ports that belong to the same port.
Important:
The setting to enable hsecure only takes effect for packets going to the CP; not to datapath
traffic.
Procedure
Enable high-secure mode:
high-secure [port {slot/port[-slot/port][,...]}] enable
Example
VSP-8284XSQ> enable
VSP-8284XSQ# configure terminal
VSP-8284XSQ(config)# interface GigabitEthernet 1/16
VSP-8284XSQ(config-if)# high-secure enable
Variable definitions
Use the data in the following table to use the high-secure command.
Table 4: Variable definitions

Variable                             Value
port {slot/port[-slot/port][,...]}   Specifies the port on which you want to enable high-secure mode.
enable                               Enables the high-secure feature that blocks packets with illegal IP
                                     addresses. This flag is disabled by default. Use the no operator to
                                     remove this configuration. To configure this option to the default
                                     value, use the default operator with the command.
Configuring port lock
About this task
Configure port lock to administratively lock a port or ports to prevent other users from changing port
parameters or modifying port action. You cannot modify a locked port until you unlock the port.
Procedure
1. Enter Global Configuration mode:
enable
configure terminal
2. Enable port lock globally:
portlock enable
3. Log on to the GigabitEthernet Interface Configuration mode:
interface gigabitethernet {slot/port[-slot/port][,...]}
4. Lock a port:
lock [port {slot/port[-slot/port][,...]}] enable
Example
VSP-8284XSQ> enable
VSP-8284XSQ# configure terminal
Log on to GigabitEthernet Interface Configuration mode:
VSP-8284XSQ(config)# interface GigabitEthernet 1/1
Lock port 1/1:
VSP-8284XSQ(config-if)# lock port 1/1 enable
Unlock port 1/1:
VSP-8284XSQ(config-if)# no lock port 1/1 enable
Variable definitions
Use the data in the following table to use the interface gigabitethernet command.
Table 5: Variable definitions

Variable                        Value
{slot/port[-slot/port][,...]}   Specifies the port you want to configure.
Use the data in the following table to use the lock port command.
Table 6: Variable definitions

Variable                        Value
{slot/port[-slot/port][,...]}   Specifies the port you want to lock. Use the no form of this command
                                to unlock a port: no lock port {slot/port[-slot/port][,...]}. The
                                default is disabled.
Security configuration using Enterprise Device Manager
Configure security information used on the control and data paths to protect the network from
uncontrolled access to network resources.
For more information about how to configure passwords and access policies, see Administering
Avaya Virtual Services Platform 8200, NN47227-600.
Enabling port lock
About this task
Use the port lock feature to administratively lock a port or ports to prevent other users from changing
port parameters or modifying port action. You cannot modify locked ports until you first unlock the
port.
Procedure
1. In the navigation tree, open the following folders: Configuration > Security > Control Path.
2. Click General.
3. Click the Port Lock tab.
4. To enable port lock, select the Enable check box.
5. Click Apply.
Port Lock field descriptions
Use the data in the following table to use the Port Lock tab.
Name          Description
Enable        Activates the port lock feature. Clear this check box to unlock ports. The default is
              disabled.
LockedPorts   Lists the locked ports. Click the ellipsis (...) button to select the ports you want to
              lock or unlock.
Locking a port
Before you begin
• You must enable port lock before you lock or unlock a port.
About this task
Use the port lock feature to administratively lock a port or ports to prevent other users from changing
port parameters or modifying port action. You cannot modify locked ports until you first unlock the
port.
Procedure
1. In the navigation tree, open the following folders: Configuration > Security > Control Path.
2. Click General.
3. Click the Port Lock tab.
4. In the LockedPorts box, click the ellipsis (...) button.
5. Click the desired port or ports.
6. Click Ok.
7. In the Port Lock tab, click Apply.
Port Lock field descriptions
Use the data in the following table to use the Port Lock tab.
Name          Description
Enable        Activates the port lock feature. Clear this check box to unlock ports. The default is
              disabled.
LockedPorts   Lists the locked ports. Click the ellipsis (...) button to select the ports you want to
              lock or unlock.
Changing passwords
About this task
Configure new passwords for each access level, or change the logon or password for the different
access levels of the system to prevent unauthorized access. After you receive a VSP 8200, use the
default passwords to initially access the CLI. If you use Simple Network Management Protocol version 3
(SNMPv3), you can change passwords in encrypted format.
Procedure
1. In the navigation tree, open the following folders: Configuration > Security > Control Path.
2. Click General.
3. Click the CLI tab.
4. Specify the username and password for the appropriate access level.
5. Click Apply.
CLI field descriptions
Use the data in the following table to use the CLI tab.
Name                  Description
RWAUserName           Specifies the user name for the read-write-all CLI account.
RWAPassword           Specifies the password for the read-write-all CLI account.
RWEnable              Activates the read-write access level.
RWUserName            Specifies the user name for the read-write CLI account.
RWPassword            Specifies the password for the read-write CLI account.
RWL3Enable            Activates the read-write Layer 3 access level.
RWL3UserName          Specifies the user name for the Layer 3 read-write CLI account.
RWL3Password          Specifies the password for the Layer 3 read-write CLI account.
RWL2Enable            Activates the read-write Layer 2 access level.
RWL2UserName          Specifies the user name for the Layer 2 read-write CLI account.
RWL2Password          Specifies the password for the Layer 2 read-write CLI account.
RWL1Enable            Activates the read-write Layer 1 access level.
RWL1UserName          Specifies the user name for the Layer 1 read-write CLI account.
RWL1Password          Specifies the password for the Layer 1 read-write CLI account.
ROEnable              Activates the read-only CLI account level.
ROUserName            Specifies the user name for the read-only CLI account.
ROPassword            Specifies the password for the read-only CLI account.
MaxTelnetSessions     Indicates the maximum number of concurrent Telnet sessions (0–8). The default
                      is 8.
MaxRloginSessions     Indicates the maximum number of concurrent Rlogin sessions (0–8). The default
                      is 8.
Timeout               Indicates the number of seconds of inactivity for a Telnet or Rlogin session
                      before automatic timeout and disconnect (30–65535 seconds). The default is 900.
NumAccessViolations   Indicates the number of CLI access violations detected by the system. This
                      field is a read-only field.
Chapter 4: RADIUS
Remote Access Dial-In User Services (RADIUS) is a distributed client/server system that assists in
securing networks against unauthorized access, allowing a number of communication servers and
clients to authenticate users' identity through a central database. The database within the RADIUS
server stores information about clients, users, passwords, and access privileges, including the use of
a shared secret.
RADIUS is a fully open and standard protocol, defined by two Requests for Comments (RFC)
(Authentication: RFC2865, Accounting: RFC2866). With Avaya Virtual Services Platform 8200, you
use RADIUS authentication to get secure access to the system (console/Telnet/SSH/EDM), and
RADIUS accounting to track the management sessions (ACLI only).
How RADIUS works
A RADIUS application has two components:
• RADIUS server
  A computer equipped with server software (for example, a UNIX workstation) that is located at a
  central office or campus. The server has authentication and access information in a form that is
  compatible with the client. Typically, the database in the RADIUS server stores client information,
  user information, password, and access privileges, including the use of a shared secret. A network
  can have one server for both authentication and accounting, or one server for each service.
• RADIUS client
  A device, router, or a remote access server, equipped with client software, that typically resides on
  the same local area network (LAN) segment as the server. The client is the network access point
  between the remote users and the server.
The two RADIUS processes are
• RADIUS authentication—Identifies remote users before you give them access to a central
network site.
• RADIUS accounting—Performs data collection on the server during a remote user's dial-in
session with the client.
Configuration of the RADIUS server and client
For more information about how to configure a RADIUS server, see the documentation that came
with the server software.
VSP 8200 software supports BaySecure Access Control (BSAC) and the Merit Network servers. To
use these servers, you must first obtain the software for the server you will use. Also, you must
make changes to one or more configuration files for these servers.
RADIUS authentication
You can use RADIUS authentication to use a remote server to authenticate logons. The RADIUS
server also provides access authority. RADIUS assists network security and authorization by
managing a database of users. The device uses this database to verify user names and passwords
as well as information about the type of access priority available to the user.
When the RADIUS client sends an authentication request requesting additional information such as
a SecurID number, it sends it as a challenge-response. Along with the challenge-response, it sends
a reply-message attribute. The reply-message is a text string, such as "Please enter the next
number on your SecurID card:". The RFC defined maximum length of each reply-message attribute
is 253 characters. If you have multiple instances of reply-message attributes that together form a
large message that displays to the user, the maximum length is 2000 characters.
You can use additional user names to access the device, in addition to the six existing user names
of ro, L1, L2, L3, rw, and rwa. The RADIUS server authenticates the user name and assigns one of
the existing access priorities to that name. Unauthenticated user names are denied access to the
device. You must add user names ro, L1, L2, L3, rw, and rwa to the RADIUS server if you enable
authentication. Users not added to the server are denied access.
The following list shows the user configurable options of the RADIUS feature:
• Up to 10 RADIUS servers in each device for fault tolerance (each server is assigned a priority
and is contacted in that order).
• A secret key for each server to authenticate the RADIUS client
• The server UDP port
• Maximum retries allowed
• Time-out period for each attempt
Use of RADIUS to modify user access to ACLI commands
VSP 8200 provides ACLI command access based on a user’s configured access level. However,
you can use RADIUS to override ACLI command access provided by VSP 8200.
To override user access to ACLI commands, you must configure the command-access-attribute
on VSP 8200 and on the RADIUS server. (VSP 8200 uses decimal value 194 as the default for this
parameter.) On the RADIUS server, you can then define the commands that the user can or cannot
access.
Regardless of the RADIUS server configuration, you must configure the user's access on VSP 8200
based on the six platform access levels.
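Added example, not Avaya code or a RADIUS server dictionary: it encodes and decodes the RFC 2865 Vendor-Specific attribute (type 26) in the type/len/Vendor-Id/value layout shown under Attribute format for a third-party RADIUS server, using the sub-attribute numbers 192, 194 and 195 from this chapter, and shows how a receiver should reject malformed lengths and ignore another vendor's attributes. The Vendor-Id 1584 and the string values are constructed placeholders; take the real ones from your server's dictionary file.

```python
"""RFC 2865 Vendor-Specific attribute (type 26) encoder/decoder, written to
illustrate the VSA layout and the VSP 8200 sub-attribute numbers on this
page. Added example; not Avaya code."""
import struct

VENDOR_SPECIFIC = 26            # RFC 2865 attribute type "Vendor-Specific"
MAX_ATTRIBUTE_LEN = 255         # RFC 2865: the length field covers type+len+value

# Vendor sub-attribute numbers: the VSP 8200 defaults quoted on this page.
ACCESS_PRIORITY_ATTR = 192      # radius access-priority-attribute
COMMAND_ACCESS_ATTR = 194       # radius command-access-attribute
CLI_COMMANDS_ATTR = 195         # radius cli-commands-attribute
ATTR_NAMES = {
    ACCESS_PRIORITY_ATTR: "access-priority",
    COMMAND_ACCESS_ATTR: "command-access",
    CLI_COMMANDS_ATTR: "cli-commands",
}

# Assumption: the Vendor-Id comes from your RADIUS server's dictionary file;
# 1584 is used here only as a constructed example value.
EXAMPLE_VENDOR_ID = 1584


def encode_vsa(vendor_id, vendor_type, value):
    """Build one Vendor-Specific attribute carrying a single sub-attribute.

    Layout: type(1) len(1) Vendor-Id(4) | vendor-type(1) vendor-len(1) value
    The outer len counts everything; vendor-len counts the sub-attribute only.
    """
    if isinstance(value, str):
        value = value.encode("utf-8")
    if not 0 <= vendor_type <= 255:
        raise ValueError("vendor-type must fit in one byte")
    sub_len = 2 + len(value)
    total = 6 + sub_len
    if total > MAX_ATTRIBUTE_LEN:
        raise ValueError("value too long for a single RADIUS attribute")
    header = struct.pack("!BBIBB", VENDOR_SPECIFIC, total, vendor_id,
                         vendor_type, sub_len)
    return header + value


def decode_attributes(blob):
    """Walk a type/len/value list and return [(type, value_bytes)].

    Serves both the top-level attribute list and the sub-attribute list inside
    a VSA, since both share the same TLV layout. A bad length raises ValueError
    rather than being skipped silently.
    """
    out, offset = [], 0
    while offset < len(blob):
        if len(blob) - offset < 2:
            raise ValueError("truncated attribute header at offset %d" % offset)
        atype, alen = blob[offset], blob[offset + 1]
        if alen < 2 or offset + alen > len(blob):
            raise ValueError("bad length %d at offset %d" % (alen, offset))
        out.append((atype, blob[offset + 2:offset + alen]))
        offset += alen
    return out


def decode_vsa(value):
    """Split a Vendor-Specific value into (vendor_id, [(vendor_type, bytes)])."""
    if len(value) < 4:
        raise ValueError("Vendor-Specific value shorter than the 4-byte Vendor-Id")
    vendor_id = struct.unpack("!I", value[:4])[0]
    return vendor_id, decode_attributes(value[4:])


def vsp_attributes(blob, vendor_id):
    """Collect the VSP 8200 sub-attributes from an Access-Accept attribute list.

    VSAs carrying another Vendor-Id are ignored rather than applied, and
    unknown sub-attribute numbers are reported under their numeric key.
    """
    found = {}
    for atype, value in decode_attributes(blob):
        if atype != VENDOR_SPECIFIC:
            continue
        vid, subs = decode_vsa(value)
        if vid != vendor_id:
            continue
        for vtype, raw in subs:
            key = ATTR_NAMES.get(vtype, vtype)
            found.setdefault(key, []).append(raw.decode("utf-8", "replace"))
    return found


def example_access_accept_attributes():
    """Constructed attribute list: the access priority the server assigns to
    the user, one ACLI command entry, and a VSA from an unrelated vendor.
    The string values are illustrative; the real encoding is whatever your
    server dictionary defines."""
    return (encode_vsa(EXAMPLE_VENDOR_ID, ACCESS_PRIORITY_ATTR, "rwa")
            + encode_vsa(EXAMPLE_VENDOR_ID, CLI_COMMANDS_ATTR, "save config")
            + encode_vsa(4242, ACCESS_PRIORITY_ATTR, "other-vendor"))


if __name__ == "__main__":
    print(vsp_attributes(example_access_accept_attributes(), EXAMPLE_VENDOR_ID))
```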
RADIUS accounting
RADIUS accounting logs all of the activity of each remote user in a session on the centralized
RADIUS accounting server.
Session-IDs for each RADIUS account generate as 12-character strings. The first four characters in
the string form a random number in hexadecimal format. The last eight characters in the string
indicate the number of user sessions started since the last restart, in hexadecimal format.
The Network Address Server (NAS) IP address for a session is the address of the device interface
to which the remote session is connected over the network. For a console session, modem session,
and sessions running on debug ports, this value is set to 0.0.0.0, as is the case with RADIUS
authentication.
The following table summarizes the events and associated accounting information logged at the
RADIUS accounting server.
Table 7: Accounting events and logged information

Event                                      Accounting information logged at server
Accounting is turned on at router          • Accounting on request: NAS IP address
Accounting is turned off at router         • Accounting off request: NAS IP address
User logs on                               • Accounting start request: NAS IP address
                                           • Session ID
                                           • User name
More than 40 ACLI commands are executed    • Accounting interim request: NAS IP address
                                           • Session ID
                                           • ACLI commands
                                           • User name
User logs off                              • Accounting stop request: NAS IP address
                                           • Session ID
                                           • Session duration
                                           • User name
                                           • Number of input octets for session
                                           • Number of octets output for session
                                           • Number of packets input for session
                                           • Number of packets output for session
                                           • ACLI commands
When the device communicates with the RADIUS accounting server, the following actions occur:
1. If the server sends an invalid response, the response is silently discarded and the server
does not make an attempt to resend the request.
2. The user-specified number of attempts are made if the server does not respond within the
user-configured timeout interval. If a server does not respond to any of the retries, requests are
sent to the next priority server (if configured). You can configure up to 10 RADIUS servers
for redundancy.
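Added example (not Avaya code) that simulates the retry and failover order described in the two items above, using the priority, retry and timeout values of the radius server host command; it assumes that the lowest priority value is contacted first and that an invalid reply, which is discarded and not resent, moves the client on to the next server. The server addresses and replies are constructed.

```python
"""Simulation of the RADIUS client retry and failover behaviour described on
this page. Added example; not Avaya code."""
from dataclasses import dataclass

MAX_SERVERS = 10                 # radius maxserver <1-10>: up to 10 servers for redundancy


@dataclass
class RadiusServer:
    host: str                    # constructed example addresses below use 192.0.2.0/24
    priority: int = 10           # priority <1-10>, default 10
    retry: int = 3               # retry <0-6>, default 3
    timeout: int = 3             # timeout <1-60> seconds, default 3
    enable: bool = True          # enable, default true

    def __post_init__(self):
        if not 1 <= self.priority <= 10:
            raise ValueError("priority must lie in the range 1-10")
        if not 0 <= self.retry <= 6:
            raise ValueError("retry must lie in the range 0-6")
        if not 1 <= self.timeout <= 60:
            raise ValueError("timeout must lie in the range 1-60")


def authenticate(servers, send):
    """Run the failover sequence and return (outcome, trace, seconds_waited).

    send(server, attempt) models the network: it returns "accept", "reject",
    "invalid" (a reply that fails validation) or None (no reply before the
    timeout). Assumption: the lowest priority value is contacted first. The
    trace lists every attempt, which is what the server-side logs should
    mirror while a primary server is down.
    """
    enabled = [s for s in servers if s.enable]
    if len(enabled) > MAX_SERVERS:
        raise ValueError(f"at most {MAX_SERVERS} RADIUS servers can be configured")
    trace, waited = [], 0
    for server in sorted(enabled, key=lambda s: s.priority):
        for attempt in range(1, server.retry + 2):    # first try plus `retry` retries
            result = send(server, attempt)
            trace.append((server.host, attempt, result))
            if result in ("accept", "reject"):
                return result, trace, waited
            if result == "invalid":
                # Silently discarded and not resent (item 1 above); this
                # example then moves on to the next priority server.
                break
            waited += server.timeout                  # no reply: the full timeout elapsed
    return "no-response", trace, waited


def worst_case_wait(servers):
    """Seconds a logon can hang if every enabled server stays silent."""
    return sum((s.retry + 1) * s.timeout for s in servers if s.enable)


if __name__ == "__main__":
    primary = RadiusServer("192.0.2.10", priority=1, retry=1, timeout=2)
    backup = RadiusServer("192.0.2.20", priority=5)
    print(authenticate([backup, primary], lambda s, n: None))
```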
RADIUS configuration using ACLI
You can configure Remote Access Dial-In User Services (RADIUS) to secure networks against
unauthorized access, and allow communication servers and clients to authenticate users' identity
through a central database.
The database within the RADIUS server stores client information, user information, password, and
access privileges, including the use of shared secret.
RADIUS supports IPv4 addresses.
RADIUS is a fully open and standard protocol, defined by RFCs (Authentication: RFC2865,
accounting RFC2866). With Avaya Virtual Services Platform 8200, you use RADIUS authentication
to secure access to the device (console/Telnet/SSH), and RADIUS accounting to track the
management sessions for Avaya Command Line Interface (ACLI) only.
RADIUS authentication allows the remote server to authenticate logons. RADIUS accounting logs all
of the activity of each remote user in a session on the centralized RADIUS accounting server.
Configuring RADIUS attributes
About this task
Configure RADIUS to authenticate user identity through a central database.
Procedure
1. Enter Global Configuration mode:
enable
configure terminal
2. Configure RADIUS access priority:
radius access-priority-attribute <192-240>
3. Configure RADIUS accounting:
radius accounting {attribute-value <192-240>|enable|include-cli-commands}
4. Configure the RADIUS authentication info attribute value:
radius auth-info-attr-value <0-255>
5. Clear RADIUS statistics:
radius clear-stat
6. Configure the value of the CLI commands:
radius cli-commands-attribute <192-240>
7. Configure the value of the command access attribute:
radius command-access-attribute <192-240>
8. Configure the maximum number of servers allowed:
radius maxserver <1-10>
9. Configure the multicast address attribute:
radius mcast-addr-attr-value <0-255>
Example
VSP-8284XSQ> enable
VSP-8284XSQ# configure terminal
Configure RADIUS access priority:
VSP-8284XSQ(config)# radius access-priority-attribute 192
Configure RADIUS accounting to include CLI commands:
VSP-8284XSQ(config)# radius accounting include-cli-commands
Variable definitions
Use the data in the following table to use the radius command.
Table 8: Variable definitions

Variable                                   Value

access-priority-attribute <192-240>
    Specifies the value of the access priority attribute in the range of 192 to 240. The default is 192.

accounting {attribute-value <192-240>|enable|include-cli-commands}
    Configures the accounting attribute value, enables accounting, or configures whether accounting
    includes CLI commands. The default is false. Use the no option to disable the accounting attribute
    value: no radius accounting enable.

auth-info-attr-value <0-255>
    Specifies the value of the authentication information attribute in the range of 0 to 255. The
    default is 91.

clear-stat
    Clears RADIUS statistics.

cli-cmd-count <1–40>
    Specifies how many ACLI commands, from 1 to 40, before the system sends a RADIUS accounting
    interim request. The default value is 40.

cli-commands-attribute <192-240>
    Specifies the value of the ACLI commands attribute in the range of 192 to 240. The default is 195.

cli-profile
    Enables RADIUS CLI profiling. ACLI profiling grants or denies access to users being authenticated
    by way of the RADIUS server. You can add a set of ACLI commands to the configuration on the
    RADIUS server, and you can specify the command-access mode for these commands. The default
    is false.

command-access-attribute <192-240>
    Specifies the value of the command access attribute in the range of 192 to 240. The default is 194.

enable
    Enables RADIUS authentication globally on VSP 8200.

maxserver <1-10>
    Specific to RADIUS authentication, configures the maximum number of servers allowed for the
    device. The range is between 1 and 10. The default is 10.

mcast-addr-attr-value <0-255>
    Specifies the value of the multicast address attribute in the range of 0 to 255. The default is 90.

server host WORD<0–46> key WORD<0–32> [used-by {cli|snmp|web}] [acct-enable] [acct-port <1–65536>]
[enable] [port <1–65536>] [priority <1–10>] [retry <0–6>] [source-ip WORD<0–46>] [timeout <1–60>]
    • host WORD<0–46>
      Creates a host server. WORD<0–46> signifies an IP address.
    • key WORD<0–32>
      Specifies a secret key in the range of 0–32 characters.
    • used-by {cli|snmp|web}
      Specifies how the server functions. Configures the server for authentication for
      - cli
      - snmp
      - web
    • acct-enable
      Enables RADIUS accounting on this server. The system enables RADIUS accounting by default.
    • acct-port <1–65536>
      Specifies a UDP port of the RADIUS accounting server (1 to 65536). The default value is 1816.
      The UDP port value set for the client must match the UDP value set for the RADIUS server.
    • enable
      Enables the server. The default is true.
    • port <1–65536>
      Specifies a UDP port of the RADIUS server. The default value is 1812.
    • priority <1–10>
      Specifies the priority value for this server. The default is 10.
    • retry <0–6>
      Specifies the maximum number of authentication retries. The default is 3.
    • source-ip WORD<0–46>
      Specifies a configured IP address as the source address when transmitting RADIUS packets.
      WORD<0–46> signifies an IP address.
    • timeout <1–60>
      Specifies the number of seconds before the authentication request times out. The default is 3.

sourceip-flag
    Enables the source IP so VSP 8200 uses a configured source IP address. If the outgoing interface
    on Avaya Virtual Services Platform fails, a different source IP address is used — requiring that
    you make configuration changes to define the new RADIUS client on the RADIUS server. To simplify
    RADIUS server configuration, you can configure VSP 8200 to use a Circuitless IP (CLIP) address as
    the source IP and NAS IP address when transmitting RADIUS packets. A CLIP is not associated with
    a physical interface and is always in an active and operational state. You can configure Avaya
    Virtual Services Platform with multiple CLIP interfaces.
    By default, Avaya Virtual Services Platform uses the IP address of the outgoing interface as the
    source IP and the NAS IP address for RADIUS packets that it transmits.
Configuring RADIUS profile
About this task
Use RADIUS ACLI profiling to grant or deny ACLI command access to users being authenticated by
way of the RADIUS server. You can add a set of ACLI commands to the configuration file on the
RADIUS server, and you can specify the command-access mode for these commands. The default is
false.
Procedure
1. Enter Global Configuration mode:
enable
configure terminal
2. Enable RADIUS ACLI profiling:
radius cli-profile
Example
VSP-8284XSQ> enable
VSP-8284XSQ# configure terminal
VSP-8284XSQ(config)# radius cli-profile
Enabling RADIUS authentication
About this task
Enable or disable RADIUS authentication globally on the device to allow further configuration to take
place. Use the no option to disable RADIUS authentication globally. The default is false or disabled.
Procedure
1. Enter Global Configuration mode:
enable
configure terminal
2. Enable RADIUS authentication globally on Avaya Virtual Services Platform 8200:
radius enable
no radius enable
default radius enable
Enabling the source IP flag for the RADIUS server
Before you begin
• To configure the CLIP as the source IP address, you must enable the global RADIUS
sourceip-flag. You can then configure the source-ip address parameter while defining the RADIUS
server on Avaya Virtual Services Platform 8200. The source IP address must be a CLIP
address, and you can configure a different CLIP address for each RADIUS server.
Important:
Use the source IP option only for the RADIUS servers connected to the in-band network.
About this task
By default, VSP 8200 uses the IP address of the outgoing interface as the source IP and NAS
IP address for RADIUS packets that it transmits. If that outgoing interface fails, a different
source IP address is used, which requires you to make configuration changes to define the
new RADIUS client on the RADIUS server. Enable the source IP flag so that VSP 8200 uses a
configured source IP address instead.
RADIUS supports IPv4 addresses.
To simplify RADIUS Server configuration, you can configure VSP 8200 to use a Circuitless IP
Address (CLIP) as the source IP and NAS IP address when transmitting RADIUS packets. A CLIP is
not associated with a physical interface and is always in an active and operational state. You can
configure VSP 8200 with multiple CLIP interfaces.
The default for radius sourceip-flag is false.
Procedure
1. Enter Global Configuration mode:
enable
configure terminal
2. Enable the RADIUS packet source IP flag:
radius sourceip-flag
Enabling RADIUS accounting
Before you begin
• You must configure a RADIUS server before you can enable RADIUS accounting.
About this task
Enable Remote Access Dial-in User Services (RADIUS) accounting to log all of the activity of each
remote user in a session on the centralized RADIUS accounting server.
Procedure
1. Enter Global Configuration mode:
enable
configure terminal
2. Enable RADIUS accounting globally:
radius accounting enable
3. Include or exclude CLI commands in RADIUS accounting updates:
radius accounting include-cli-commands
4. Specify the integer value of the CLI commands attribute:
radius accounting attribute-value <192–240>
Example
VSP-8284XSQ> enable
VSP-8284XSQ# configure terminal
VSP-8284XSQ(config)# radius accounting enable
VSP-8284XSQ(config)# radius accounting include-cli-commands
Variable definitions
Use the data in the following table to use the radius accounting command.
Table 9: Variable definitions
Variable
Value
enable
Enable RADIUS globally.
include-cli-commands
Include or exclude CLI commands in RADIUS accounting updates.
attribute-value <192–240>
Specify the integer value of the CLI commands attribute.
Enabling RADIUS-SNMP accounting
Before you begin
• You must configure a RADIUS server before you can enable RADIUS-SNMP accounting.
About this task
Enable Remote Access Dial-in User Services (RADIUS) Simple Network Management Protocol
(SNMP) accounting globally. Use SNMP to remotely collect management data. An SNMP agent is a
software process that monitors UDP port 161 for SNMP messages. Each SNMP message sent
to the agent contains a list of management objects.
Procedure
1. Enter Global Configuration mode:
enable
configure terminal
2. Enable RADIUS Simple Network Management Protocol (SNMP) accounting globally:
radius-snmp acct-enable
3. Set a timer to send a stop accounting message for RADIUS Simple Network Management
Protocol (SNMP):
radius-snmp abort-session-timer <30–65535>
4. Set the timer for re-authentication of the SNMP session:
radius-snmp re-auth-timer <30–65535>
5. Specify the user name for SNMP access:
radius-snmp user WORD <0–20>
Example
VSP-8284XSQ> enable
VSP-8284XSQ# configure terminal
VSP-8284XSQ(config)# radius-snmp acct-enable
VSP-8284XSQ(config)# radius-snmp abort-session-timer 30
Variable definitions
Use the data in the following table to use the radius-snmp command.
Table 10: Variable definitions
Variable
Value
acct-enable
Enables RADIUS accounting globally. You cannot enable RADIUS
accounting before you configure a valid server. The system disables
RADIUS accounting by default. The default is false. Use the no option to
disable RADIUS accounting globally: no radius-snmp acct-enable
abort-session-timer <30–65535>
Set the timer, in seconds, to send a stop accounting message. The default is
180.
re-auth-timer <30–65535>
Sets timer for re-authentication of the SNMP session. The timer value
ranges from 30 to 65535 seconds. The default is 180.
user WORD <0–20>
Specifies the user name for SNMP access. WORD <0–20> specifies the
user name in a range of 0 to 20 characters. The default is snmp_user.
Configuring RADIUS accounting interim request
About this task
Configure RADIUS accounting interim requests to create a log whenever a user executes more than
the number of ACLI commands you specify.
If the packet size equals or exceeds 1.8 KB, an interim request packet is sent even if the configured
limit is not reached. Therefore, the trigger to send out the interim request is either the configured
value or a packet size greater than, or equal to 1.8 KB, whichever happens first.
Procedure
1. Enter Global Configuration mode:
enable
configure terminal
2. Configure RADIUS accounting interim requests:
radius cli-cmd-count <1-40>
3. Include or exclude CLI commands in RADIUS accounting:
radius accounting include-cli-commands
Important:
You must configure the radius accounting include-cli-commands command
for accounting interim requests to function.
Example
VSP-8284XSQ> enable
VSP-8284XSQ# configure terminal
VSP-8284XSQ(config)# radius cli-cmd-count 30
VSP-8284XSQ(config)# radius accounting include-cli-commands
Variable definitions
Use the data in the following table to use the radius cli-cmd-count command.
Table 11: Variable definitions
Variable
Value
<1-40>
Specifies how many ACLI commands, from 1 to 40, before the system
sends a RADIUS accounting interim request. The default value is 40.
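A small model of the trigger rule described in this section, added here and not Avaya code: an interim request is produced when the buffered command count reaches cli-cmd-count or when the pending packet reaches 1.8 KB, whichever comes first, and nothing is produced unless include-cli-commands is configured. It assumes each buffered command costs its length plus two attribute octets on top of a 20-byte RADIUS header, and reads the documented 1.8 KB as 1800 bytes.

```python
"""Model of the RADIUS accounting interim-request trigger (added example, not Avaya code)."""
from dataclasses import dataclass, field
from typing import List, Optional

RADIUS_HEADER_BYTES = 20   # code, identifier, length, authenticator (RFC 2866)
ATTR_OVERHEAD_BYTES = 2    # type + length octets per attribute (assumption)
INTERIM_SIZE_LIMIT = 1800  # assumed byte value of the documented 1.8 KB


@dataclass
class InterimRequest:
    reason: str          # "count" (cli-cmd-count reached) or "size" (1.8 KB reached)
    commands: List[str]  # ACLI commands carried in this interim request
    size: int            # modelled packet size in bytes when it was sent


@dataclass
class AccountingSession:
    cli_cmd_count: int = 40            # radius cli-cmd-count <1-40>, default 40
    include_cli_commands: bool = True  # radius accounting include-cli-commands
    sent: List[InterimRequest] = field(default_factory=list)
    _buffer: List[str] = field(default_factory=list)

    def __post_init__(self):
        if not 1 <= self.cli_cmd_count <= 40:
            raise ValueError("cli-cmd-count must be between 1 and 40")

    def pending_size(self) -> int:
        """Modelled size of the interim packet that the buffered commands would produce."""
        return RADIUS_HEADER_BYTES + sum(len(c) + ATTR_OVERHEAD_BYTES for c in self._buffer)

    def record(self, command: str) -> Optional[InterimRequest]:
        """Buffer one executed ACLI command; return the interim request if one is triggered."""
        if not self.include_cli_commands:
            return None  # the chapter notes interim requests do not function without it
        self._buffer.append(command)
        size = self.pending_size()
        if size >= INTERIM_SIZE_LIMIT:          # size limit wins when it is reached first
            return self._flush("size", size)
        if len(self._buffer) >= self.cli_cmd_count:
            return self._flush("count", size)
        return None

    def _flush(self, reason: str, size: int) -> InterimRequest:
        request = InterimRequest(reason, list(self._buffer), size)
        self.sent.append(request)
        self._buffer.clear()
        return request


def replay(commands, cli_cmd_count=40, include_cli_commands=True):
    """Feed a command list through one session and return the interim requests it produced."""
    session = AccountingSession(cli_cmd_count, include_cli_commands)
    for command in commands:
        session.record(command)
    return session.sent
```

Running the same command list with short and with long commands shows why an operator may see interim requests before the configured count is reached.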
Configuring RADIUS authentication and RADIUS accounting
attributes
About this task
Configure RADIUS authentication and RADIUS accounting attributes to determine the size of the
packets received.
Procedure
1. Enter Global Configuration mode:
enable
configure terminal
2. Configure the RADIUS authentication attribute value:
radius command-access-attribute <192-240>
3. Configure the RADIUS accounting attribute value:
radius accounting attribute-value <192-240>
Example
VSP-8284XSQ> enable
VSP-8284XSQ# configure terminal
VSP-8284XSQ(config)# radius command-access-attribute 192
VSP-8284XSQ(config)# radius accounting attribute-value 192
Variable definitions
Use the data in the following table to use the radius command.
Table 12: Variable definitions
Variable
Value
access-priority-attribute <192-240>
Specifies the value of the access priority attribute in the range of
192 to 240. The default is 192.
accounting {attribute-value <192-240>|
enable|include-cli-commands}
Configures the accounting attribute value, enables accounting, or
specifies whether accounting includes CLI commands. The default is
false. Use the no option to disable accounting: no radius
accounting enable.
auth-info-attr-value <0-255>
Specifies the value of the authentication information attribute in
the range of 0 to 255. The default is 91.
clear-stat
Clears RADIUS statistics.
cli-cmd-count <1–40>
Specifies how many ACLI commands, from 1 to 40, before the
system sends a RADIUS accounting interim request. The
default value is 40.
cli-commands-attribute <192-240>
Specifies the value of ACLI commands attribute in the range of
192 to 240. The default is 195.
cli-profile
Enable RADIUS CLI profiling. ACLI profiling grants or denies
access to users being authenticated by way of the RADIUS
server. You can add a set of ACLI commands to the
configuration on the RADIUS server, and you can specify the
command-access mode for these commands. The default is
false.
command-access-attribute <192-240>
Specifies the value of the command access attribute in the
range of 192 to 240. The default is 194.
enable
Enable RADIUS authentication globally on VSP 8200.
maxserver <1-10>
Specific to RADIUS authentication, configures the maximum
number of servers allowed for the device. The range is between
1 and 10. The default is 10.
mcast-addr-attr-value <0-255>
Specifies the value of the multicast address attribute in the
range of 0 to 255. The default is 90.
server host WORD<0–46> key WORD<0–32> [used-by {cli|snmp|web}] [acct-enable]
[acct-port <1–65536>] [enable] [port <1–65536>] [priority <1–10>] [retry <0–6>]
[source-ip WORD<0–46>] [timeout <1–60>]
• host WORD<0–46>
Creates a host server. WORD<0–46> signifies an IP address.
• key WORD<0–32>
Specifies a secret key in the range of 0–32 characters.
• used-by {cli|snmp|web}
Specifies how the server functions. Configures the server for
authentication for
- cli
- snmp
- web
• acct-enable
Enables RADIUS accounting on this server. The system
enables RADIUS accounting by default.
• acct-port <1–65536>
Specifies a UDP port of the RADIUS accounting server (1 to
65536). The default value is 1816. The UDP port value set for
the client must match the UDP value set for the RADIUS
server.
• enable
Enables the server. The default is true.
• port <1–65536>
Specifies a UDP port of the RADIUS server. The default value
is 1812.
• priority <1–10>
Specifies the priority value for this server. The default is 10.
• retry <0–6>
Specifies the maximum number of authentication retries. The
default is 3.
• source-ip WORD<0–46>
Specifies a configured IP address as the source address
when transmitting RADIUS packets. WORD<0–46> signifies
an IP address.
• timeout <1–60>
Specifies the number of seconds before the authentication
request times out. The default is 3.
sourceip-flag
Enable the source IP so VSP 8200 uses a configured source IP
address. If the outgoing interface on Avaya Virtual Services
Platform fails, a different source IP address is used — requiring
that you make configuration changes to define the new RADIUS
client on the RADIUS server. To simplify RADIUS server
configuration, you can configure VSP 8200 to use a Circuitless
IP (CLIP) address as the source IP and NAS IP address when
transmitting RADIUS packets. A CLIP is not associated with a
physical interface and is always in an active and operational
state. You can configure Avaya Virtual Services Platform with
multiple CLIP interfaces.
By default, Avaya Virtual Services Platform uses the IP address
of the outgoing interface as the source IP, and the NAS IP
address for RADIUS packets that it transmits.
Adding a RADIUS server
About this task
Add a RADIUS server to allow RADIUS service on Avaya Virtual Services Platform 8200.
RADIUS supports IPv4 addresses.
Procedure
1. Enter Global Configuration mode:
enable
configure terminal
2. Add a RADIUS server:
radius server host WORD<0–46> key WORD<0-32> [used-by {cli|snmp|web}] [acct-enable]
[acct-port <1-65536>] [enable] [port <1-65536>] [priority <1-10>] [retry <0-6>]
[source-ip WORD<0–46>] [timeout <1-60>]
Example
VSP-8284XSQ> enable
VSP-8284XSQ# configure terminal
Add a RADIUS server:
VSP-8284XSQ(config)# radius server host
4717:0000:0000:0000:0000:0000:7933:0001 key testkey1 used-by snmp port 12
retry 5 timeout 10 enable
Variable definitions
Use the data in the following table to use the radius server command.
Table 13: Variable definitions
Variable
Value
host WORD <0–46>
Creates a host server. WORD <0–46> signifies an
IPv4 address in the format A.B.C.D.
key WORD<0-32>
Specifies a secret key in the range of 0–32 characters.
used-by {cli|snmp|web}
Specifies how the server functions
• cli—configure the server for CLI authentication.
• snmp—configure the server for SNMP
authentication.
• web—configure the server for http(s) authentication
Use the no option to remove a host server: no
radius server host WORD<0–46> used-by
{cli|snmp|web}. The default is cli. The default
command is: default radius server host
WORD<0–46> used-by {cli|snmp|web}
acct-enable
Enables RADIUS accounting on this server. The
system enables RADIUS accounting by default.
acct-port <1-65536>
Specifies a UDP port of the RADIUS accounting
server (1 to 65536). The default value is 1816.
Important:
The UDP port value set for the client must match
the UDP value set for the RADIUS server.
enable
Enables this server. The default is true.
port <1-65536>
Specifies a UDP port of the RADIUS server. The
default value is 1812.
priority <1-10>
Specifies the priority value for this server. The default
is 10.
retry <0-6>
Specifies the maximum number of authentication
retries. The default is 3.
source-ip WORD <0–46>
Specifies a configured IP address as the source
address when transmitting RADIUS packets. WORD
<0–46> signifies an IPv4 address in the format
A.B.C.D.
timeout <1-60>
Specifies the number of seconds before the
authentication request times out. The default is 3.
Modifying RADIUS server settings
About this task
Change a specified RADIUS server value without having to delete the server and recreate it again.
RADIUS supports IPv4 addresses.
Procedure
1. Enter Global Configuration mode:
enable
configure terminal
2. Modify a RADIUS server:
radius server host WORD<0–46> [used-by {cli|snmp|web}] [key WORD<0-20>] [port <1-65536>]
[priority <1-10>] [retry <0-6>] [timeout <1-20>] [enable] [acct-port <1-65536>] [acct-enable]
[source-ip WORD<0–46>]
Example
VSP-8284XSQ> enable
VSP-8284XSQ# configure terminal
Modify a RADIUS server:
VSP-8284XSQ(config)# radius server host
4717:0000:0000:0000:0000:0000:7933:0001 used-by snmp port 12 retry 5
timeout 10 enable
Variable definitions
Use the data in the following table to use the radius server host command.
Table 14: Variable definitions
Variable
Value
used-by {cli|snmp|web}
Specifies how the server functions
• cli—configure the server for CLI authentication.
• snmp—configure the server for SNMP authentication.
• web—configure the server for Web authentication.
Use the no option to remove a host server: no radius server
host WORD<0–46> used-by {cli|snmp|web}. The default is
cli. The default command is: default radius server host
WORD<0–46> used-by {cli|snmp|web}.
host WORD <0–46>
Configures a host server. WORD <0–46> signifies an IPv4 address
in the format A.B.C.D.
acct-enable
Enables RADIUS accounting on this server. The system enables
RADIUS accounting by default.
acct-port <1-65536>
Configures the UDP port of the RADIUS accounting server (1 to
65536). The default value is 1813.
Important:
The UDP port value set for the client must match the UDP value
set for the RADIUS server.
enable
Enables the RADIUS server. The default is true.
key WORD <0–20>
Configures the secret key of the authentication client.
port <1-65536>
Configures the UDP port of the RADIUS authentication server (1 to
65536). The default value is 1812.
priority <1–10>
Configures the priority value for this server (1 to 10). The default is
10.
retry <0–6>
Configures the number of authentication retries the server will accept
(0 to 6). The default is 3.
source-ip WORD <0–46>
Specifies a configured IP address as the source address when
transmitting RADIUS packets. To use this option, you must have the
global RADIUS sourceip-flag set to true. RADIUS supports IPv4
addresses.
timeout <1–20>
Configures the number of seconds before the authentication request
times out (1 to 20). The default is 3.
Showing RADIUS information
About this task
Display the global status of RADIUS information to ensure you configured the RADIUS feature
according to the needs of the network.
Procedure
Display the global status of RADIUS information:
show radius
Example
VSP-8284XSQ>show radius
acct-attribute-value      : 193
acct-enable               : false
acct-include-cli-commands : false
access-priority-attribute : 192
auth-info-attr-value      : 91
command-access-attribute  : 194
cli-commands-attribute    : 195
cli-cmd-count             : 40
cli-profile-enable        : false
enable                    : false
maxserver                 : 10
mcast-addr-attr-value     : 90
sourceip-flag             : false
Displaying RADIUS server information
About this task
If your system is configured with a RADIUS server you can display the RADIUS server information.
Procedure
To display the RADIUS server information enter the following command:
show radius-server
Note:
If no RADIUS server is configured, the system displays the following message:
no RADIUS server configured
Example
VSP-8284XSQ>show radius-server
==================================================================================
                             Radius Server Entries
==================================================================================
                   USED                        TIME EN-   ACCT ACCT    SOURCE
Name               BY   SECRET PORT PRIO RETRY OUT  ABLED PORT ENABLED IP
1.1.1.1            cli  ****** 1812 10   1     3    true  1813 true    0.0.0.0
1000:0:0:0:0:0:0:1 cli  ****** 1812 10   1     3    true  1813 true    0:0:0:0:0:0:0:0
10.10.10.10        cli  ****** 1812 10   1     3    true  1813 true    0.0.0.0
4000:0:0:0:0:0:0:1 cli  ****** 1812 10   1     3    true  1813 true    0:0:0:0:0:0:0:0
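An added audit script, not Avaya code, that parses captured `show radius` and `show radius-server` output and checks it against the ranges and constraints this chapter states (attribute type ranges, the accounting attribute differing from the access-priority attribute, sourceip-flag set with no per-server source-ip, retry and timeout ranges). The sample output is constructed, and it assumes global settings arrive as `name : value` lines and server rows as whitespace-separated fields in the column order of the example above.

```python
"""Audit `show radius` / `show radius-server` output (added example, not Avaya code)."""
import ipaddress

# Constructed sample output; the values are chosen to trip two of the checks.
SHOW_RADIUS = """\
acct-attribute-value      : 192
acct-enable               : true
acct-include-cli-commands : true
access-priority-attribute : 192
auth-info-attr-value      : 91
command-access-attribute  : 194
cli-commands-attribute    : 195
cli-cmd-count             : 40
cli-profile-enable        : false
enable                    : true
maxserver                 : 10
mcast-addr-attr-value     : 90
sourceip-flag             : true
"""

SHOW_RADIUS_SERVER = """\
==================================================================================
                             Radius Server Entries
==================================================================================
                   USED                        TIME EN-   ACCT ACCT    SOURCE
Name               BY   SECRET PORT PRIO RETRY OUT  ABLED PORT ENABLED IP
10.10.10.10        cli  ****** 1812 10   3     3    true  1813 true    0.0.0.0
10.10.10.11        cli  ****** 1812 10   3     3    true  1813 true    10.0.0.250
"""

VSA_RANGE = range(192, 241)   # vendor-specific attribute types: 192 to 240
BYTE_RANGE = range(0, 256)    # auth-info and mcast attribute values: 0 to 255
COLUMNS = ["name", "used_by", "secret", "port", "prio", "retry",
           "timeout", "enabled", "acct_port", "acct_enabled", "source_ip"]


def parse_show_radius(text):
    """Return {setting: value-string} from `name : value` lines."""
    settings = {}
    for line in text.splitlines():
        if ":" in line:
            name, value = (part.strip() for part in line.split(":", 1))
            settings[name] = value
    return settings


def parse_show_radius_server(text):
    """Return one dict per server row; banner and header lines are skipped."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == len(COLUMNS) and fields[0] != "Name":
            rows.append(dict(zip(COLUMNS, fields)))
    return rows


def _as_int(settings, name):
    try:
        return int(settings[name])
    except (KeyError, ValueError):
        return None


def audit(show_radius_text, show_radius_server_text):
    """Return a list of findings; an empty list means every check passed."""
    settings = parse_show_radius(show_radius_text)
    servers = parse_show_radius_server(show_radius_server_text)
    findings = []

    if settings.get("enable") != "true":
        findings.append("global: RADIUS authentication is not enabled (radius enable)")
    if settings.get("acct-enable") == "true" and settings.get("acct-include-cli-commands") != "true":
        findings.append("global: accounting is on but CLI commands are excluded from accounting updates")

    allowed = {
        "access-priority-attribute": VSA_RANGE, "acct-attribute-value": VSA_RANGE,
        "command-access-attribute": VSA_RANGE, "cli-commands-attribute": VSA_RANGE,
        "auth-info-attr-value": BYTE_RANGE, "mcast-addr-attr-value": BYTE_RANGE,
        "cli-cmd-count": range(1, 41), "maxserver": range(1, 11),
    }
    for name, valid in allowed.items():
        value = _as_int(settings, name)
        if value is None or value not in valid:
            findings.append(f"global: {name}={settings.get(name)} is outside {valid.start}-{valid.stop - 1}")

    # The chapter requires the accounting attribute to differ from the access-priority attribute.
    if _as_int(settings, "acct-attribute-value") == _as_int(settings, "access-priority-attribute"):
        findings.append("global: acct-attribute-value equals access-priority-attribute; they must differ")

    source_flag = settings.get("sourceip-flag") == "true"
    for server in servers:
        tag = f"server {server['name']} ({server['used_by']})"
        if server["enabled"] != "true":
            findings.append(f"{tag}: entry is disabled")
        if source_flag and ipaddress.ip_address(server["source_ip"]).is_unspecified:
            findings.append(f"{tag}: sourceip-flag is true but no source-ip is configured for this server")
        if not (0 <= int(server["retry"]) <= 6 and 1 <= int(server["timeout"]) <= 60):
            findings.append(f"{tag}: retry or timeout is outside the documented 0-6 / 1-60 ranges")
    return findings
```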
Showing RADIUS SNMP configurations
About this task
Display current RADIUS SNMP configurations.
Procedure
Display the current RADIUS server SNMP configurations:
show radius snmp
Example
VSP-8284XSQ>show radius snmp
abort-session-timer : 180
acct-enable         : false
user                : snmp_user
enable              : false
re-auth-timer       : 180
RADIUS configuration using Enterprise Device Manager
You can configure Remote Access Dial-In User Services (RADIUS) to assist in securing networks
against unauthorized access, and allow communication servers and clients to authenticate the
identity of users through a central database.
The database within the RADIUS server stores client information, user information, password, and
access privileges, including the use of shared secret.
RADIUS supports IPv4 addresses.
RADIUS is a fully open and standard protocol, defined by RFCs (Authentication: RFC2865,
accounting RFC2866). With Avaya Virtual Services Platform 8200, you use RADIUS authentication
to secure access to the device (console/Telnet/SSH), and RADIUS accounting to track the
management sessions for Avaya Command Line Interface (ACLI) only.
RADIUS authentication allows the remote server to authenticate logons. RADIUS accounting logs all
of the activity of each remote user in a session on the centralized RADIUS accounting server.
Enabling RADIUS authentication
About this task
Enable RADIUS authentication globally to allow all features and functions of RADIUS to operate
with the RADIUS server.
Procedure
1. In the navigation tree, open the following folders: Configuration > Security > Control Path.
2. Click RADIUS.
3. In the RADIUS Global tab, select the Enable check box.
4. In the MaxNumberServer field, type a value for the maximum number of servers.
5. In the AccessPriorityAttrValue field, type an access policy value (by default, this value is
192).
6. Configure the rest of the parameters in the RADIUS global tab.
7. Click Apply.
RADIUS Global field descriptions
Use the data in the following table to use the RADIUS Global tab.
Name
Description
Enable
Enables the RADIUS authentication feature globally.
MaxNumberServer
Specifies the maximum number of servers to be used, between 1
and 10, inclusive.
AccessPriorityAttrValue
Specific to RADIUS authentication. Specifies the vendor-specific
attribute value of the access-priority attribute to match the type
value set in the dictionary file on the RADIUS server. The valid
values are 192 through 240. Avaya recommends the default setting
of 192 for Avaya Virtual Services Platform 8200.
AcctEnable
Enables RADIUS accounting.
AcctAttriValue
Specific to RADIUS accounting. Specifies the vendor-specific
attribute value of the CLI-command attribute to match the type
value set in the dictionary file on the RADIUS server. This value
must be different from the access-priority attribute value configured
for authentication. The valid values are 192 through 240. The
default value is 193.
AcctIncludeCli
Specifies whether you want CLI commands included in RADIUS
accounting requests.
ClearStat
Clears RADIUS statistics from the device.
McastAttributeValue
Specifies the value of the Mcast attribute. The valid values are 0
through 255. The default value is 90.
AuthInfoAttrValue
Specifies the value of the authentication information attribute. The
valid values are 0 through 255. The default value is 91.
CommandAccessAttrValue
Specifies the value of the command access attribute. The valid
values are 192 through 240. The default value is 194.
CliCommandAttrValue
Specifies the value of the CLI command attribute. The valid values
are 192 through 240. The default value is 195.
AuthInvalidServerAddress
Displays the number of access responses from unknown or invalid
RADIUS servers.
SourceIpFlag
Includes a configured IP address as the source address in RADIUS
packets. The default is false. RADIUS supports IPv4 addresses.
CliCmdCount
Gives the value for the CLI command count. Specify an integer
from 1 to 40. The default is 40.
CliProfEnable
Enables RADIUS CLI profiling.
Enabling RADIUS accounting
Before you begin
• You must set up a RADIUS server and add it to the configuration file of the device before you
can enable RADIUS accounting on the device. Otherwise, the system displays an error
message.
About this task
Enable RADIUS accounting to log all of the activity of each remote user in a session on the
centralized RADIUS accounting server.
Procedure
1. In the navigation tree, open the following folders: Configuration > Security > Control Path.
2. Click RADIUS.
3. In the RADIUS Global tab, select the AcctEnable check box.
4. In the AcctAttrValue field, type an access policy value (by default, this value is 193).
5. Click Apply.
RADIUS Global field descriptions
Use the data in the following table to use the RADIUS Global tab.
Name
Description
Enable
Enables the RADIUS authentication feature globally.
MaxNumberServer
Specifies the maximum number of servers to be used, between 1
and 10, inclusive.
AccessPriorityAttrValue
Specific to RADIUS authentication. Specifies the vendor-specific
attribute value of the access-priority attribute to match the type
value set in the dictionary file on the RADIUS server. The valid
values are 192 through 240. Avaya recommends the default setting
of 192 for Avaya Virtual Services Platform 8200.
AcctEnable
Enables RADIUS accounting.
AcctAttriValue
Specific to RADIUS accounting. Specifies the vendor-specific
attribute value of the CLI-command attribute to match the type
value set in the dictionary file on the RADIUS server. This value
must be different from the access-priority attribute value configured
for authentication. The valid values are 192 through 240. The
default value is 193.
AcctIncludeCli
Specifies whether you want CLI commands included in RADIUS
accounting requests.
ClearStat
Clears RADIUS statistics from the device.
McastAttributeValue
Specifies the value of the Mcast attribute. The valid values are 0
through 255. The default value is 90.
AuthInfoAttrValue
Specifies the value of the authentication information attribute. The
valid values are 0 through 255. The default value is 91.
CommandAccessAttrValue
Specifies the value of the command access attribute. The valid
values are 192 through 240. The default value is 194.
CliCommandAttrValue
Specifies the value of the CLI command attribute. The valid values
are 192 through 240. The default value is 195.
AuthInvalidServerAddress
Displays the number of access responses from unknown or invalid
RADIUS servers.
SourceIpFlag
Includes a configured IP address as the source address in RADIUS
packets. The default is false. RADIUS supports IPv4 addresses.
CliCmdCount
Gives the value for the CLI command count. Specify an integer
from 1 to 40. The default is 40.
CliProfEnable
Enables RADIUS CLI profiling.
Disabling RADIUS accounting
Before you begin
• You cannot globally disable RADIUS accounting unless a server entry exists.
About this task
Disabling RADIUS accounting removes the accounting function from the RADIUS server.
Procedure
1. In the navigation tree, open the following folders: Configuration > Security > Control Path.
2. Click RADIUS.
3. In the RADIUS Global tab, disable RADIUS accounting by clearing the AcctEnable check
box.
4. Click Apply.
Enabling RADIUS accounting interim request
About this task
Enable the RADIUS accounting interim request feature to create a log whenever more than the
specified number of CLI commands are executed.
Procedure
1. In the navigation tree, open the following folders: Configuration > Security > Control Path.
2. Click RADIUS.
3. In the RADIUS Global tab, type the number of CLI commands in the CliCmdCount field.
4. Click Apply.
RADIUS Global field descriptions
Use the data in the following table to use the RADIUS Global tab.
Name
Description
Enable
Enables the RADIUS authentication feature globally.
MaxNumberServer
Specifies the maximum number of servers to be used, between 1
and 10, inclusive.
AccessPriorityAttrValue
Specific to RADIUS authentication. Specifies the vendor-specific
attribute value of the access-priority attribute to match the type
value set in the dictionary file on the RADIUS server. The valid
values are 192 through 240. Avaya recommends the default setting
of 192 for Avaya Virtual Services Platform 8200.
AcctEnable
Enables RADIUS accounting.
AcctAttriValue
Specific to RADIUS accounting. Specifies the vendor-specific
attribute value of the CLI-command attribute to match the type
value set in the dictionary file on the RADIUS server. This value
must be different from the access-priority attribute value configured
for authentication. The valid values are 192 through 240. The
default value is 193.
AcctIncludeCli
Specifies whether you want CLI commands included in RADIUS
accounting requests.
ClearStat
Clears RADIUS statistics from the device.
McastAttributeValue
Specifies the value of the Mcast attribute. The valid values are 0
through 255. The default value is 90.
AuthInfoAttrValue
Specifies the value of the authentication information attribute. The
valid values are 0 through 255. The default value is 91.
CommandAccessAttrValue
Specifies the value of the command access attribute. The valid
values are 192 through 240. The default value is 194.
CliCommandAttrValue
Specifies the value of the CLI command attribute. The valid values
are 192 through 240. The default value is 195.
AuthInvalidServerAddress
Displays the number of access responses from unknown or invalid
RADIUS servers.
SourceIpFlag
Includes a configured IP address as the source address in RADIUS
packets. The default is false. RADIUS supports IPv4 addresses.
CliCmdCount
Gives the value for the CLI command count. Specify an integer
from 1 to 40. The default is 40.
CliProfEnable
Enables RADIUS CLI profiling.
Configuring the source IP option for the RADIUS server
Before you begin
• To configure the CLIP as the source IP address, you must configure the global RADIUS
sourceip-flag parameter as true. You can configure the source-ip address parameter while
you define the RADIUS Server on Avaya Virtual Services Platform 8200. The source IP
address must be a CLIP address, and you can configure a different CLIP address for each
RADIUS server. For more information about configuring the source IP address, see Adding a
RADIUS server on page 50.
Important:
Use the source IP option only for the RADIUS servers connected to the in-band network.
About this task
By default, VSP 8200 uses the IP address of the outgoing interface as the source IP and NAS IP
address for RADIUS packets that it transmits. When you configure the RADIUS server, this IP
address is used when defining the RADIUS Clients that communicate with it. Therefore, if the
outgoing interface on VSP 8200 fails, a different source IP address is used—requiring that you
make configuration changes to define the new RADIUS client on the RADIUS server.
To simplify RADIUS Server configuration, you can configure VSP 8200 to use a Circuitless IP
Address (CLIP) as the source IP and NAS IP address when transmitting RADIUS packets. A CLIP is
not associated with a physical interface and is always in an active and operational state. You can
configure VSP 8200 with multiple CLIP interfaces.
RADIUS supports IPv4 addresses.
Procedure
1. In the navigation tree, open the following folders: Configuration > Security > Control Path.
2. Click RADIUS.
3. In the RADIUS Global tab, select the SourceIpFlag check box.
4. Click Apply.
RADIUS Global field descriptions
Use the data in the following table to use the RADIUS Global tab.
Enable: Enables the RADIUS authentication feature globally.
MaxNumberServer: Specifies the maximum number of servers to be used, between 1 and 10, inclusive.
AccessPriorityAttrValue: Specific to RADIUS authentication. Specifies the vendor-specific attribute value of the access-priority attribute to match the type value set in the dictionary file on the RADIUS server. The valid values are 192 through 240. Avaya recommends the default setting of 192 for Avaya Virtual Services Platform 8200.
AcctEnable: Enables RADIUS accounting.
AcctAttriValue: Specific to RADIUS accounting. Specifies the vendor-specific attribute value of the CLI-command attribute to match the type value set in the dictionary file on the RADIUS server. This value must be different from the access-priority attribute value configured for authentication. The valid values are 192 through 240. The default value is 193.
AcctIncludeCli: Specifies whether you want CLI commands included in RADIUS accounting requests.
ClearStat: Clears RADIUS statistics from the device.
McastAttributeValue: Specifies the value of the Mcast attribute. The valid values are 0 through 255. The default value is 90.
AuthInfoAttrValue: Specifies the value of the authentication information attribute. The valid values are 0 through 255. The default value is 91.
CommandAccessAttrValue: Specifies the value of the command access attribute. The valid values are 192 through 240. The default value is 194.
CliCommandAttrValue: Specifies the value of the CLI command attribute. The valid values are 192 through 240. The default value is 195.
AuthInvalidServerAddress: Displays the number of access responses from unknown or invalid RADIUS servers.
SourceIpFlag: Includes a configured IP address as the source address in RADIUS packets. The default is false. RADIUS supports IPv4 addresses.
CliCmdCount: Gives the value for the CLI command count. Specify an integer from 1 to 40. The default is 40.
CliProfEnable: Enables RADIUS CLI profiling.
Adding a RADIUS server
About this task
Add a RADIUS server to allow RADIUS service on Avaya Virtual Services Platform 8200.
Remote Dial-In User Services (RADIUS) supports IPv4 addresses.
Procedure
1. In the navigation tree, open the following folders: Configuration > Security > Control Path.
2. Click RADIUS.
3. Click the RADIUS Servers tab.
4. Click Insert.
5. In the AddressType box, select IPv4.
6. In the Address box, type the IP address of the RADIUS server that you want to add.
7. In the UsedBy box, select an option for the user logon.
8. In the SecretKey box, type a secret key.
9. In the SourceIpAddr box, type the IP address to use as the source address in RADIUS
packets.
10. Click Insert.
RADIUS Servers field descriptions
Use the data in the following table to use the RADIUS Servers tab.
AddressType: Specifies an IPv4 address. RADIUS supports IPv4 addresses.
Address: Specifies the IP address of the RADIUS server. RADIUS supports IPv4 addresses.
UsedBy: Specifies the user logon.
• cli: for cli logon
• snmp: for snmp logon
• web: for HTTP(s) access authentication
The default is cli.
Priority: Specifies the priority of each server, or the order of servers to send authentication (1 to 10). The default is 10.
TimeOut: Specifies the time interval in seconds before the client retransmits the packet (1 to 20).
Enable: Enables or disables authentication on the server. The default is true.
MaxRetries: Specifies the maximum number of retransmissions allowed (1 to 6). The default is 1.
UdpPort: Specifies the UDP port that the client uses to send requests to the server (1 to 65536). The default value is 1812. The UDP port value set for the client must match the UDP value set for the RADIUS server.
SecretKey: Specifies the RADIUS server secret key, which is the password used by the client to be validated by the server.
AcctEnable: Enables or disables RADIUS accounting. The default is true.
AcctUdpPort: Specifies the UDP port of the RADIUS accounting server (1 to 65536). The default value is 1813. The UDP port value set for the client must match the UDP value set for the RADIUS server.
SourceIpAddr: Specifies the IP address to use as the source address in RADIUS packets. To use this option, you must set the global RADIUS SourceIpFlag to true. RADIUS supports IPv4 addresses.
Reauthenticating the RADIUS SNMP server session
About this task
Specify the number of challenges that you want the RADIUS SNMP server to send to authenticate a
given session.
Procedure
1. In the navigation tree, open the following folders: Configuration > Security > Control Path.
2. Click RADIUS.
3. Click the RADIUS SNMP tab.
The RADIUS SNMP tab appears.
4. Select the Enable check box.
5. In the ReauthenticateTimer field, enter a value to specify the interval between RADIUS
SNMP server reauthentications.
The timer for reauthentication of the RADIUS SNMP server session is enabled.
Important:
To abort the RADIUS SNMP server session, enter a value for the AbortSessionTimer,
and then click Enable.
6. Select the AcctEnable check box if desired.
7. Click Apply.
RADIUS SNMP field descriptions
Use the data in the following table to use the RADIUS SNMP tab.
Enable: Enables or disables timer authentication on the server. The default is true.
AbortSessionTimer: Specifies the allowable time, in seconds, before aborting the RADIUS SNMP server session (30 to 65535). The default is 180.
ReAuthenticateTimer: Specifies the time, in seconds, between reauthentications of the RADIUS SNMP server (30 to 65535). The default is 180.
AcctEnable: Enables or disables the RADIUS SNMP session timer.
UserName: Specifies the user name for the RADIUS SNMP accounting.
Configuring RADIUS SNMP
About this task
Configure RADIUS SNMP parameters for authentication and session times.
Procedure
1. In the navigation tree, open the following folders: Configuration > Security > Control Path.
2. Click RADIUS.
3. Select the RADIUS SNMP tab.
4. Select the Enable check box to enable RADIUS SNMP.
5. In the AbortSessionTimer field, enter the period after which the session expires in seconds.
6. In the ReAuthenticateTimer field, enter the period of time the system waits before
reauthenticating in seconds.
7. Select the AcctEnable check box to enable RADIUS accounting for SNMP.
8. In the UserName field, type the RADIUS SNMP user name.
9. Click Apply.
RADIUS SNMP field descriptions
Use the data in the following table to use the RADIUS SNMP tab.
Enable: Enables or disables timer authentication on the server. The default is true.
AbortSessionTimer: Specifies the allowable time, in seconds, before aborting the RADIUS SNMP server session (30 to 65535). The default is 180.
ReAuthenticateTimer: Specifies the time, in seconds, between reauthentications of the RADIUS SNMP server (30 to 65535). The default is 180.
AcctEnable: Enables or disables the RADIUS SNMP session timer.
UserName: Specifies the user name for the RADIUS SNMP accounting.
Modifying a RADIUS configuration
About this task
Modify an existing RADIUS configuration or single function such as retransmissions and RADIUS
accounting.
RADIUS supports IPv4 addresses.
Procedure
1. In the navigation tree, open the following folders: Configuration > Security > Control Path.
2. Click RADIUS.
3. Click the RADIUS Servers tab.
4. In the row and field to modify, type the information or use the lists to make a selection.
Access the lists by double-clicking in a field.
5. When you are done with modifying the RADIUS configuration, click Apply.
RADIUS Servers field descriptions
Use the data in the following table to use the RADIUS Servers tab.
AddressType: Specifies an IPv4 address. RADIUS supports IPv4 addresses.
Address: Specifies the IP address of the RADIUS server. RADIUS supports IPv4 addresses.
UsedBy: Specifies the user logon.
• cli: for cli logon
• snmp: for snmp logon
• web: for HTTP(s) access authentication
The default is cli.
Priority: Specifies the priority of each server, or the order of servers to send authentication (1 to 10). The default is 10.
TimeOut: Specifies the time interval in seconds before the client retransmits the packet (1 to 20).
Enable: Enables or disables authentication on the server. The default is true.
MaxRetries: Specifies the maximum number of retransmissions allowed (1 to 6). The default is 1.
UdpPort: Specifies the UDP port that the client uses to send requests to the server (1 to 65536). The default value is 1812. The UDP port value set for the client must match the UDP value set for the RADIUS server.
SecretKey: Specifies the RADIUS server secret key, which is the password used by the client to be validated by the server.
AcctEnable: Enables or disables RADIUS accounting. The default is true.
AcctUdpPort: Specifies the UDP port of the RADIUS accounting server (1 to 65536). The default value is 1813. The UDP port value set for the client must match the UDP value set for the RADIUS server.
SourceIpAddr: Specifies the IP address to use as the source address in RADIUS packets. To use this option, you must set the global RADIUS SourceIpFlag to true. RADIUS supports IPv4 addresses.
Deleting a RADIUS configuration
About this task
Delete an existing RADIUS configuration.
Procedure
1. In the navigation tree, open the following folders: Configuration > Security > Control Path.
2. Click RADIUS.
3. Click the RADIUS Servers tab.
4. Identify the configuration to delete by clicking anywhere in the row.
5. Click Delete.
Chapter 5: Simple Network Management Protocol (SNMP)
You can use the Simple Network Management Protocol (SNMP) to remotely collect management
data and configure devices.
An SNMP agent is a software process that monitors the UDP port 161 for SNMP messages. Each
SNMP message sent to the agent contains a list of management objects to retrieve or modify.
SNMPv3
The SNMP version 3 (v3) is the third version of the Internet Standard Management Framework and
is derived from and builds upon both the original Internet Standard Management Framework SNMP
version 1 (v1) and the second Internet Standard Management Framework SNMP version 2 (v2).
The SNMPv3 is not a stand-alone replacement for SNMPv1 or SNMPv2. The SNMPv3 defines
security capabilities you must use in conjunction with SNMPv2 (preferred) or SNMPv1. The
following figure shows how SNMPv3 specifies a user-based security model (USM) that uses a
payload of either an SNMPv1 or an SNMPv2 Protocol Data Unit (PDU).
Figure 1: SNMPv3 USM
SNMPv3 is an SNMP framework that supplements SNMPv2 by supporting the following:
• new SNMP message formats
• security for messages
• access control
• remote configuration of SNMP parameters
The recipient of a message can use authentication within the USM to verify the message sender
and to detect if the message is altered. According to RFC2574, if you use authentication, the USM
checks the entire message for integrity.
An SNMP entity is an implementation of this architecture. Each SNMP entity consists of an SNMP
engine and one or more associated applications.
SNMP engine
An SNMP engine provides services for sending and receiving messages, authenticating and
encrypting messages, and controlling access to managed objects. A one-to-one association exists
between an SNMP engine and the SNMP entity, which contains the SNMP engine.
EngineID
Within an administrative domain, an EngineID is the unique identifier of an SNMP engine. Because
there is a one-to-one association between SNMP engines and SNMP entities, the ID also uniquely
and unambiguously identifies the SNMP entity within that administrative domain. The system
generates an EngineID during the startup process. The SNMP engine contains a
• Dispatcher on page 56
• Message processing subsystem on page 56
• Security subsystem on page 56
• Access control subsystem on page 57
Dispatcher
The dispatcher is part of an SNMP engine. You can use the dispatcher for concurrent support of
multiple versions of SNMP messages in the SNMP engine through the following ways:
• To send and receive SNMP messages to and from the network
• To determine the SNMP message version and interact with the corresponding message
processing model
• To provide an abstract interface to SNMP applications for delivery of a PDU to an application
• To provide an abstract interface for SNMP applications to send a PDU to a remote SNMP
entity
Message processing subsystem
The message processing subsystem prepares messages for sending and extracts data from
received messages. The subsystem can contain multiple message processing models.
Security subsystem
The security subsystem provides the following features:
• authentication
• privacy
• security
Authentication
You can use authentication within the SNMPv3 to verify the message sender and whether the
message is altered. If you use authentication, the integrity of the message is verified. The supported
SNMPv3 authentication protocols are HMAC-MD5 and HMAC-SHA-96.
Privacy
SNMPv3 uses an encryption protocol for privacy. Only the data portion of a message is encrypted; the
header and the security parameters are not. The privacy protocol that SNMPv3 supports is the CBC-DES Symmetric Encryption Protocol.
Security
The SNMPv3 security protects against the following:
• modification of information—protects against altering information in transit
• masquerade—protects against an unauthorized entity assuming the identity of an authorized
entity
• message stream modification—protection against delaying or replaying messages
• disclosure—protects against eavesdropping
• discovery procedure—finds the EngineID of an SNMP entity for a given transport address or
transport endpoint address.
• time synchronization procedure—facilitates authenticated communication between entities
The SNMPv3 does not protect against the following:
• denial-of-service—prevention of exchanges between manager and agent
• traffic analysis—general pattern of traffic between managers and agents
Access control subsystem
SNMPv3 provides a group option for access policies.
The access policy feature in Avaya Virtual Services Platform 8200 determines the access level for
the users connecting to the device with different services like File Transfer Protocol (FTP), Trivial
FTP (TFTP), Telnet, and rlogin. The system access policy feature is based on the user access
levels and network address. This feature covers services, such as TFTP, HTTP, SSH, rlogin, and
SNMP. However, with the SNMPv3 engine, the community names do not map to an access level.
The View-based Access Control Model (VACM) determines the access privileges.
Use the configuration feature to specify groups for the SNMP access policy. You can use the access
policy services to cover SNMP. Because the access restriction is based on groups defined through
the VACM, the synchronization is made using the SNMPv3 VACM configuration. The administrator
uses this feature to create SNMP users (USM community) and associate them to groups. You can
configure the access policy for each group and network.
The following are feature specifications for the group options:
• After you enable SNMP service, this policy covers all users associated with the groups configured
under the access policy. The access privileges are based on access allow or deny. If you select
allow, the VACM configuration determines the management information base (MIB)-views for
access.
• The SNMP service is disabled by default for all access policies.
• The access level configured under access-policy policy <id> does not affect SNMP
service. The VACM configuration determines the SNMP access rights.
User-based security model
In a USM system, the security model uses a defined set of user identities for any authorized user on
a particular SNMP engine. A user with authority on one SNMP engine must also have authorization
on all SNMP engines with which the original SNMP engine communicates.
The USM provides the following levels of communication:
• NoAuthNoPriv
communication without authentication and privacy
• AuthNoPriv
communication with authentication and without privacy
• AuthPriv
communication with authentication and privacy
The following figure shows the relationship between USM and VACM.
Figure 2: USM association with VACM
View-based Access Control
View-based Access Control Model (VACM) provides group access, group security levels, and
context based on a predefined subset of MIB objects. These MIB objects define a set of managed
objects and instances.
VACM is the standard access control mechanism for SNMPv3, and it provides the following:
• authorization service to control access to MIB objects at the PDU level
• alternative access control subsystems
The access is based on principal, security level, MIB context, object instance, and type of access
requested (read or write). You can use the VACM MIB to define the policy and control remote
management.
SNMPv3 encryption
A user-based security port for SNMPv3 is defined as a security subsystem within an SNMP engine.
Currently Avaya Virtual Services Platform 8200 USM uses HMAC-MD5-96 and HMAC-SHA-96 as
the authentication protocols, and CBC-DES as the privacy protocol. Use USM to use other protocols
instead of, or concurrently with, these protocols. CFB128-AES-128, an AES-based Symmetric
Encryption Protocol, is an alternative privacy protocol for the USM.
The AES standard is the current encryption standard (FIPS-197) intended to be used by the U.S.
Government organizations to protect sensitive information. The AES standard is also becoming a
global standard for commercial software and hardware that uses encryption or other security
features.
Important:
Due to export restrictions, the SNMPv3 encryption capability is separate from the main image.
For more information about downloading and enabling the SNMPv3 encryption image, see
Downloading the software on page 63 and Loading the SNMPv3 encryption module on
page 64. SNMPv3 does not function properly without the use of this image.
The AES-based symmetric encryption protocol
This symmetric encryption protocol provides support for data confidentiality. The system encrypts
the designated portion of the SNMP message and includes it as part of the transmitted message.
The USM specifies that the scoped PDU is the portion of the message that requires encryption. An
SNMP engine that can legitimately originate messages on behalf of the appropriate user shares a
secret value, in combination with a timeliness value and a 64-bit integer, used to create the
(localized) encryption/decryption key and the initialization vector.
The AES encryption key and Initialization Vector
The AES encryption key uses the first 128 bits of the localized key. The 128-bit Initialization Vector
(IV) is the combination of the authoritative SNMP engine 32-bit snmpEngineBoot, the SNMP engine
32-bit snmpEngineTime, and a local 64-bit integer. The system initializes the 64-bit integer to a
pseudo-random value at startup time.
Data encryption
Avaya Virtual Services Platform 8200 handles data encryption in the following manner:
1. The system treats data as a sequence of octets.
2. The system divides the plaintext into 128-bit blocks.
The first input block is the IV, and the forward cipher operation is applied to the IV to produce
the first output block.
3. The system produces the first cipher text block by executing an exclusive-OR function on the
first plaintext block with the first output block.
4. The system uses the cipher text block as the input block for the subsequent forward cipher
operation.
5. The system repeats the forward cipher operation with the successive input blocks until it
produces a cipher text segment from every plaintext segment.
6. The system produces the last cipher text block by executing an exclusive-OR function on the
last plaintext segment of r bits (r is less than or equal to 128) with the segment of the r most
significant bits of the last output block.
Data decryption
Avaya Virtual Services Platform 8200 handles data decryption in the following manner:
1. In CFB decryption, the IV is the first input block, the system uses the first cipher text for the
second input block, the second cipher text for the third input block, and this continues until
the system runs out of blocks to decrypt.
2. The system applies the forward cipher function to each input block to produce the output
blocks.
3. The system passes the output blocks through an exclusive-OR function with the
corresponding cipher text blocks to recover the plaintext blocks.
4. The system sends the last cipher text block (whose size r is less than or equal to 128)
through an exclusive-OR function with the segment of the r most significant bits of the last
output block to recover the last plaintext block of r bits.
Trap notifications
You configure traps by creating SNMPv3 trap notifications, creating a target address to which you
want to send the notifications, and specifying target parameters. For more information about how to
configure trap notifications, see Troubleshooting Avaya Virtual Services Platform 8200,
NN47227-700.
SNMP community strings
For security reasons for SNMPv1 and SNMPv2, the SNMP agent validates each request from an
SNMP manager before responding to the request by verifying that the manager belongs to a valid
SNMP community. An SNMP community is a logical relationship between an SNMP agent and one
or more SNMP managers (the manager software implements the protocols used to exchange data
with SNMP agents). You define communities locally at the agent level.
The agent establishes one community for each combination of authentication and access control
characteristics that you choose. You assign each community a unique name (community string),
and all members of a community have the same access privileges, either read-only or read-write:
• Read-only: members can view configuration and performance information.
• Read-write: members can view configuration and performance information, and change the
configuration.
By defining a community, an agent limits access to its MIB to a selected set of management
stations. By using more than one community, the agent can provide different levels of MIB access to
different management stations.
SNMP community strings are used when a user logs on to the device over SNMP, for example,
using an SNMP-based management software. You set the SNMP community strings using ACLI. If
you have read/write/all access authority, you can modify the SNMP community strings for access to
the device through Enterprise Device Manager (EDM).
Avaya provides community strings for SNMPv1 and SNMPv2. If you want to use SNMPv3 only, you
must disable SNMPv1 and SNMPv2 access by deleting the default community string entries and
create the SNMPv3 user and group. For more information, see SNMPv3 on page 55.
The following table lists the default community strings for SNMPv1 and SNMPv2.
GlobalRouter VRF: public (Read access), private (Write access)
ManagementRouter VRF: public:512 (Read access), private:512 (Write access)
Community strings are encrypted using the blowfish algorithm. Community strings do not appear on
the device and are not stored in the configuration file.
Caution:
Security risk
For security reasons, Avaya recommends that you set the community strings to values other
than the factory defaults.
Avaya Virtual Services Platform 8200 handles community string encryption in the following manner:
• When the device starts up, community strings are restored from the hidden file.
• When the SNMP community strings are modified, the modifications are updated to the hidden
file.
Hsecure with SNMP
If you enable hsecure, the system disables SNMPv1, SNMPv2 and SNMPv3. If you want to use
SNMP, you must use the command no boot config flag block-snmp to re-enable SNMP.
SNMPv3 support for VRF
Use Virtual Router Forwarding (VRF) to offer networking capabilities and traffic isolation to
customers that operate over the same node (Avaya Virtual Services Platform 8200). Each virtual
router emulates the behavior of a dedicated hardware router and is treated by the network as a
separate physical router. You can use VRF Lite to perform the functions of many routers using a
single router running VRF Lite. This substantially reduces the cost associated with providing routing
and traffic isolation for multiple clients.
SNMP configuration using ACLI
Configure the SNMP engine to provide services to send and receive messages, authenticate and
encrypt messages, and control access to managed objects. A one-to-one association exists
between an SNMP engine and the SNMP entity.
• Before you can use SNMPv3 with Data Encryption Standard (DES) or Advanced Encryption
Standard (AES) to access the device, you must load the appropriate SNMPv3 encryption
module. For more information, see Loading the SNMPv3 encryption module on page 64.
• To perform the procedures in this section, you must log on to the Global Configuration mode in
ACLI. For more information about how to use ACLI, see Using ACLI and EDM on Avaya Virtual
Services Platform 8200, NN47227-103.
This task flow shows you the sequence of procedures you perform to configure basic elements of
SNMP when using ACLI.
Figure 3: SNMP configuration procedures
Downloading the software
Download new software to upgrade the Avaya Virtual Services Platform 8200. Software downloads
can include encryption module and software images.
Before you begin
• You must have access to the new software from the Avaya support site: www.avaya.com/support.
You need a valid user or site ID and password.
About this task
Download the Advanced Encryption Standard (AES) and Data Encryption Standard (DES) software
before you enable the encryption algorithms and use SNMPv3. The AES and DES encryption
modules exist in a single file and you can enable them when the file is stored on flash.
Download the SSH encryption software before you enable the 3DES encryption module and use
SSH.
Due to export restrictions, the encryption capability is separate from the main software image.
SNMPv3 and the SSH server do not function properly without the use of this image.
For more information about file names for the current release, see Release Notes for Avaya Virtual
Services Platform 8284XSQ, NN47227-401.
Important:
You must load the security encryption ports on the device before you can use the protocol.
Procedure
1. From an Internet browser, browse to www.avaya.com/support.
2. Click DOWNLOADS & DOCUMENTS.
3. In the product search field, type Avaya Virtual Services Platform 8200.
4. In the Choose Release field, click a release number.
5. Select Downloads.
6. Click ENTER.
7. Click the download title to view the selected information.
8. Click the file you want to download.
9. Log in to download the required software file.
10. Use an FTP client in binary mode to transfer the file to the Avaya Virtual Services Platform
8200, or transfer it using an external USB device.
Loading the SNMPv3 encryption module
Before you begin
• Download the file containing the SNMPv3 encryption software. For more information about
downloading the SNMPv3 encryption software, see Downloading the software on page 63.
Important:
Due to export restrictions, the SNMPv3 encryption capability is separate from the main
image. You must copy the SNMPv3 encryption software to Avaya Virtual Services Platform
8200 before you can load the SNMPv3 encryption module. SNMPv3 does not function
properly without this image.
About this task
Before you can use SNMPv3 with Data Encryption Standard (DES) or Advanced Encryption
Standard (AES) to access the device, you must load the appropriate SNMPv3 encryption module.
Procedure
1. Enter Global Configuration mode:
enable
configure terminal
2. Load the encryption port file on the device:
load-encryption-module <DES|AES>
Important:
You must load the AES and DES encryption routines by issuing two separate load-encryption-module
commands. If you issue the load-encryption-module command for AES, the image is loaded into
memory and only the AES routines are enabled; the DES routines are not enabled. To enable the
DES routines, you must issue a separate load-encryption-module command for DES.
Example
VSP-8284XSQ> enable
VSP-8284XSQ# configure terminal
Load the Advanced Encryption Standard security encryption image:
VSP-8284XSQ(config)# load-encryption-module AES
Variable definitions
Use the data in the following table to use the load-encryption-module command.
Table 15: Variable definitions
{3DES|DES|AES}: Loads the AES or DES SNMPv3 encryption port.
Configuring SNMP settings
About this task
Configure Simple Network Management Protocol (SNMP) to define or modify the SNMP settings,
and specify how secure you want SNMP communications.
Procedure
1. Enter Global Configuration mode:
enable
configure terminal
2. Enable the generation of authentication traps:
snmp-server authentication-trap enable
3. Create an initial set of SNMPv3 configuration data:
snmp-server bootstrap {min-secure|semi-secure|very-secure}
4. Configure the contact information for the system:
snmp-server contact WORD<0-255>
5. Configure the SNMP and IP sender flag to the same value:
snmp-server force-iphdr-sender enable
6. Send the configured source address (sender IP) as the sender network in the notification
message:
snmp-server force-trap-sender enable
7. Create an SNMPv1 server host:
snmp-server host WORD<1-256> [port <1-65535>] v1 WORD<1-32> [filter WORD<1-32>]
8. Create an SNMPv2 server host:
snmp-server host WORD<1-256> [port <1-65535>] v2c WORD<1-32> [inform [timeout <1-2147483647>][retries <0-255>][mms <0-2147483647>]] [filter WORD<1-32>]
9. Create an SNMPv3 server host:
snmp-server host WORD<1-256> [port <1-65535>] v3 {noAuthNoPriv|authNoPriv|authPriv} WORD<1-32> [inform [timeout <1-2147483647>][retries <0-255>]] [filter WORD<1-32>]
10. Configure the system location:
snmp-server location WORD<0-255>
11. Configure the system name:
snmp-server name WORD<0-255>
12. Create a new entry in the notify filter table:
snmp-server notify-filter WORD<1-32> WORD<1-32>
13. Configure the SNMP trap receiver and source IP addresses:
snmp-server sender-ip {A.B.C.D} {A.B.C.D}
Example
VSP-8284XSQ> enable
VSP-8284XSQ# configure terminal
Enable the generation of authentication traps:
VSP-8284XSQ(config)# snmp-server authentication-trap enable
Create an initial set of SNMPv3 configuration data to very-secure:
VSP-8284XSQ(config)# snmp-server bootstrap very-secure
VSP-8284XSQ(config)# snmp-server contact xxxx@avaya.com
VSP-8284XSQ(config)# snmp-server force-iphdr-sender enable
Configure hosts to receive SNMP notifications:
VSP-8284XSQ(config)# snmp-server host 45.16.149.128 port 1 v1 SNMPv1 filter SNMPfilterv1
Variable definitions
Use the data in the following table to use the snmp-server command.
Table 16: Variable definitions
Variable
Value
bootstrap {min-secure|semi-secure|very-secure}
Creates an initial set of configuration data for SNMPv3. This
configuration data follows the conventions described in the SNMPv3
standards (see RFC 3415, Appendix A). This command creates a set
of initial users, groups, and views.
• min-secure—a minimum security configuration that gives read
access and notify access to all processes (MIB view restricted) with
noAuth-noPriv, and read, write, and notify access to all processes
(MIB view internet) using Auth-Priv.
In this configuration, the restricted MIB view matches the internet MIB view.
• semi-secure—a security configuration that gives read access and
notify access to all processes (MIB view restricted) with noAuth-noPriv, and read, write, and notify access to all processes (MIB view
internet) using Auth-Priv.
In this configuration, the restricted MIB view contains a smaller subset
of objects than the internet MIB view. For more information, see
RFC 3415, Appendix A.
• very-secure—a maximum security configuration that allows no
access to the users until you explicitly configure it.
With this command all existing SNMP configurations in the SNMPv3
MIB tables are removed and replaced with entries as described in the
RFC. Run it before creating your own users, groups, and views, because
it discards any you created earlier.
contact WORD<0-255>
Changes the sysContact information for Avaya Virtual Services
Platform 8200. WORD<0-255> is an ASCII string from 0–255
characters (for example a phone extension or e-mail address).
host WORD<1-256> [port <1-65535>] {v1 WORD<1-32> | v2c WORD<1-32> [inform [timeout <1-2147483647>] [retries <0-255>] [mms <0-2147483647>]] | v3 {noAuthNoPriv|authNoPriv|authPriv} WORD<1-32> [inform [timeout <1-2147483647>] [retries <0-255>]]} [filter WORD<1-32>]
Configures hosts to receive SNMP notifications.
• host WORD<1-256> specifies the IPv4 host address
• port <1-65535> specifies the port number
• v1 WORD<1-32> specifies the SNMP v1 security name
• v2c WORD<1-32> specifies the SNMPv2 security name
• inform specifies the notify type
• timeout <1-2147483647> specifies the timeout value
• retries <0-255> specifies the number of retries
• mms <0-2147483647> specifies the maximum message size
• v3 specifies SNMPv3
• noAuthNoPriv|authNoPriv|authPriv specifies the security level
• WORD<1-32> specifies the user name
• filter specifies a filter profile name
location WORD<0-255>
Configures the sysLocation information for the system. <WORD
0-255> is an ASCII string from 0–255 characters.
name WORD<0-255>
Configures the sysName information for the system. <WORD 0-255>
is an ASCII string from 0–255 characters.
notify-filter WORD<1-32>
WORD<1-32>
Creates a new entry in the notify filter table. The first WORD<1-32>
specifies the filter profile name, and the second WORD<1-32>
specifies the subtree OID.
sender-ip {A.B.C.D} {A.B.C.D}
Configures the SNMP trap receiver and source IP addresses. The first
{A.B.C.D} is the IP address of the destination SNMP server that receives
the trap notification.
The second {A.B.C.D} is the source IP address placed in the transmitted
trap notification packet. If you set it to 0.0.0.0, the system uses the IP
address of the local interface that is closest (from an IP routing table
perspective) to the destination SNMP server.
Creating a user
Before you begin
• You must log on to Global Configuration mode in ACLI.
• Before you can use SNMPv3 with Data Encryption Standard (DES) or Advanced Encryption
Standard (AES) to access the device, you must load the appropriate SNMPv3 encryption module.
For more information, see Loading the SNMPv3 encryption module on page 64.
About this task
Create a new user in the USM table to authorize a user on a particular SNMP engine.
Procedure
1. Create a user on a remote system:
snmp-server user WORD<1-32> [engine-id WORD<1-32>] [{md5|sha} WORD<1-32>] [{aes|des} WORD<1-32>]
2. Create a user on the local system:
snmp-server user WORD<1-32> [read-view WORD<1-32>] [write-view WORD<1-32>] [notify-view WORD<1-32>] [{md5|sha} WORD<1-32> [read-view WORD<1-32>] [write-view WORD<1-32>] [notify-view WORD<1-32>] [{aes|des|3des} WORD<1-32> [read-view WORD<1-32>] [write-view WORD<1-32>] [notify-view WORD<1-32>]]]
3. Add the user to a group:
snmp-server user WORD<1-32> group WORD<1-32> [{md5|sha} WORD<1-32>] [{aes|des} WORD<1-32>]
Example
VSP-8284XSQ> enable
VSP-8284XSQ# configure terminal
Create a local user test1 with MD5:
VSP-8284XSQ(config)# snmp-server user test1 md5 auth-password
Variable definitions
Use the data in the following table to use the snmp-server user command.
Table 17: Variable definitions
Variable
Value
{aes|des|3des} WORD<1-32>
Specifies a privacy protocol. If no value is entered, no privacy
capability exists. The choices are aes, des, or 3des.
WORD<1-32> assigns a privacy password. If no value is
entered, no privacy capability exists. The range is 1–32
characters.
Important:
You must set authentication before you can set the privacy
option.
engine-id WORD<1-32>
Assigns an SNMPv3 engine ID. The range is 10–64 characters.
Use the no operator to remove this configuration.
group WORD<1-32>
Specifies the group access name.
{md5|sha} WORD<1-32>
Specifies an authentication protocol. If no value is entered, no
authentication capability exists. The protocol choices are: MD5
and SHA. WORD<1-32> specifies an authentication password.
If no value is entered, no authentication capability exists. The
range is 1–32 characters.
notify-view WORD<1-32>
Specifies the view name in the range of 0–32 characters. The
first instance is a noAuth view. The second instance is an auth
view and the last instance is an authPriv view.
read-view WORD<1-32>
Specifies the view name in the range of 0–32 characters. The
first instance is a noAuth view. The second instance is an auth
view and the last instance is an authPriv view.
write-view WORD<1-32>
Specifies the view name in the range of 0–32 characters. The
first instance is a noAuth view. The second instance is an auth
view and the last instance is an authPriv view.
user WORD<1-32>
Creates the new entry with this security name. The name is
used as an index to the table. The range is 1–32 characters.
Use the no operator to remove this configuration.
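The authentication and privacy passwords above are never used directly on the wire: RFC 3414 hashes the password out to 1 MiB and then localizes the result with the agent's engine ID, which is why the engine-id parameter matters and why privacy cannot be set without authentication (the privacy key is derived with the authentication hash). The following is an added example, not Avaya code, that reproduces that derivation in Python; it assumes the engine ID is supplied as a hex string and uses the RFC 3414 Appendix A.3 test vector (password "maplesyrup", engine ID 00..02) as sample input.

```python
# Added example, not Avaya code: derive the localized SNMPv3 USM keys that
# "snmp-server user <name> [engine-id <id>] {md5|sha} <pw> {aes|des} <pw>"
# implies, following RFC 3414 Appendix A.2 (password-to-key) and the
# key-localization step. Assumption: engine IDs are given as hex strings.
import hashlib
from typing import Dict, Optional, Tuple

_HASH = {"md5": "md5", "sha": "sha1"}  # ACLI keyword -> hashlib algorithm


def password_to_key(password: str, algo: str) -> bytes:
    """RFC 3414 A.2: hash the password repeated out to exactly 1 MiB (Ku)."""
    if not 1 <= len(password) <= 32:  # the page's WORD<1-32> limit
        raise ValueError("password must be 1-32 characters")
    pw = password.encode()
    reps, rem = divmod(1 << 20, len(pw))
    h = hashlib.new(_HASH[algo])
    h.update(pw * reps + pw[:rem])
    return h.digest()


def localize_key(ku: bytes, engine_id: bytes, algo: str) -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku): the key one agent actually uses, so a
    password reused on two switches still yields two different keys."""
    h = hashlib.new(_HASH[algo])
    h.update(ku + engine_id + ku)
    return h.digest()


def usm_keys(engine_id_hex: str,
             auth: Optional[Tuple[str, str]],
             priv: Optional[Tuple[str, str]]) -> Dict[str, bytes]:
    """Localized keys for one USM user.

    auth = ("md5" | "sha", password) or None
    priv = ("aes" | "des", password) or None
    Enforces the page's rule that privacy requires authentication.
    """
    if priv and not auth:
        raise ValueError("set an authentication protocol before a privacy protocol")
    engine_id = bytes.fromhex(engine_id_hex)
    if not 5 <= len(engine_id) <= 32:  # SnmpEngineID size from RFC 3411
        raise ValueError("engine ID must be 5-32 octets")
    keys: Dict[str, bytes] = {}
    if auth:
        algo, auth_pw = auth
        keys["auth_key"] = localize_key(password_to_key(auth_pw, algo), engine_id, algo)
        if priv:
            _, priv_pw = priv
            # The privacy key is derived with the *authentication* hash.
            # DES uses the first 8 octets as key and the next 8 as pre-IV;
            # AES-128 (RFC 3826) uses the first 16 octets.
            kul = localize_key(password_to_key(priv_pw, algo), engine_id, algo)
            keys["priv_key"] = kul[:16]
    return keys


if __name__ == "__main__":
    # RFC 3414 A.3 test vector: password "maplesyrup", engine ID 00..02.
    k = usm_keys("000000000000000000000002", ("sha", "maplesyrup"), ("aes", "maplesyrup"))
    print("auth key:", k["auth_key"].hex())
    print("priv key:", k["priv_key"].hex())
```

Because localization binds the key to one engine ID, a user created with engine-id for a remote engine (step 1) gets different keys from the same user created locally (step 2); a manager that computes keys against the wrong engine ID will fail authentication even with the correct password.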
Creating a new user group
Create a new user group to logically group users who require the same level of access. Create new
access for a group in the View-based Access Control Model (VACM) table to provide access to
managed objects.
Note:
Avaya created several default groups (public and private) that you can use. To see the list of
default groups and their associated security names (secnames), enter show snmp-server
group. If you use one of these groups, there is no need to create a new group.
Procedure
1. Enter Global Configuration mode:
enable
configure terminal
2. Create a new user group:
snmp-server group WORD<1-32> WORD<1-32> {auth-no-priv|auth-priv|no-auth-no-priv} [notify-view WORD<1-32>] [read-view WORD<1-32>] [write-view WORD<1-32>]
Example
This example uses the following variable names:
• The new group name is lan6grp.
• The context of the group is "", which represents the Global Router (VRF 0).
• The security level is no-auth-no-priv.
• The access view name is v1v2only for all three views: notify-view, read-view, and
write-view.
Switch:1>enable
Switch:1#configure terminal
Create a new user group:
Switch:1(config)#snmp-server group lan6grp "" no-auth-no-priv notify-view v1v2only read-view v1v2only write-view v1v2only
Variable definitions
Use the data in the following table to use the snmp-server group command.
Table 18: Variable definitions
Variable
Value
auth-no-priv
Assigns the minimum level of security required to gain the access
rights allowed by this conceptual row. If the auth-no-priv parameter is
included, it creates one entry for SNMPv3 access.
auth-priv
Assigns the minimum level of security required to gain the access
rights allowed by this conceptual row. If the auth-priv parameter is
included, it creates one entry for SNMPv3 access.
group WORD<1-32> WORD<1-32>
The first WORD<1–32> specifies the group name for data access.
The range is 1–32 characters. Use the no operator to remove this
configuration.
The second WORD<1–32> specifies the context name. The range is
1–32 characters. If you use a particular group name value but with
different context names, you create multiple entries for different
contexts for the same group. You can omit the context name and use
the default. If the context name value ends in the wildcard character
(*), the resulting entries match a context name that begins with that
context. For example, a context name value of foo* matches contexts
starting with foo, such as foo6 and foofofum. Use the no operator to
remove this configuration.
no-auth-no-priv
Assigns the minimum level of security required to gain the access
rights allowed by this conceptual row. If the no-auth-no-priv
parameter is included, it creates 3 entries, one for SNMPv1 access,
one for SNMPv2c access, and one for SNMPv3 access.
notify-view WORD<1-32>
Specifies the view name in the range of 0–32 characters.
read-view WORD<1-32>
Specifies the view name in the range of 0–32 characters.
write-view WORD<1-32>
Specifies the view name in the range of 0–32 characters.
Creating a new entry for the MIB in the view table
About this task
Create a new entry in the MIB view table. The default Layer 2 MIB view cannot modify SNMP
settings. However, a new MIB view created with Layer 2 permission can modify SNMP settings.
Procedure
1. Enter Global Configuration mode:
enable
configure terminal
2. Create a new entry:
snmp-server view WORD<1-32> WORD<1-32>
Example
VSP-8284XSQ> enable
VSP-8284XSQ# configure terminal
Create MIB views:
VSP-8284XSQ(config)# snmp-server view 2 1.3.8.7.1.4
Variable definitions
Use the data in the following table to use the snmp-server view command.
Table 19: Variable definitions
Variable
Value
The first WORD<1-32>
Specifies the name of the new view entry. The range is 1–32
characters.
The second WORD<1-32>
Specifies the OID prefix (subtree) that defines the set of MIB objects
accessible through this view. The range is 1–32 characters.
Creating a community
Create a community to use in forming a relationship between an SNMP agent and one or more
SNMP managers. You require SNMP community strings to access the system using SNMP-based
management software. Note that SNMPv1 and SNMPv2c carry the community string in cleartext in
every PDU, so treat it as a shared password and restrict the views it maps to.
Procedure
1. Enter Global Configuration mode:
enable
configure terminal
2. Create a community:
snmp-server community WORD<1-32> [group WORD<1-32>] [index
WORD<1-32>] [secname WORD<1-32>]
Important:
• The group parameter is only required if you created a new user group using the
procedure in Creating a new user group on page 70. If you use any of the default
groups, the secname automatically links the community to its associated group, so
there is no need to specify the group in this command.
• If you do create a new group, use the snmp-server community command to
create an SNMP community with a new security name and link it to the new group you
created. There is no separate command to create a security name (secname). You
use the snmp-server community command. The security name is the key to link
the community name to a group.
• You cannot use the @ character or the string :: when you create community strings.
Example
In the following example, the community name is anewcommunity, the index is third, and the
secname is readview. There is no group specified because this is a default public/read only group.
Switch:1>enable
Switch:1#configure terminal
Switch:1(config)#snmp-server community anewcommunity index third secname readview
Variable definitions
Use the data in the following table to use the snmp-server community command.
Table 20: Variable definitions
Variable
Value
community
WORD<1-32>
Specifies a community string. The range is 1–32 characters.
group
WORD<1-32>
Specifies the group name. The range is 1–32 characters.
index
WORD<1-32>
Specifies the unique index value of a row in this table. The range is 1–32 characters.
secname
WORD<1-32>
Maps the community string to the security name in the VACM Group Member Table.
The range is 1-32 characters.
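The chain the two procedures above describe is community string -> secname -> group (VACM group member) -> access row -> read/write/notify views; a break anywhere in it silently denies access, and a write view reachable through a v1/v2c community is the classic SNMP misconfiguration. The following is an added example, not Avaya code: a small referential-integrity check over a model of those tables, applying the page's own rules (1-32 characters, no "@" or "::" in community strings) plus two policy findings that are this example's own. The sample entries are constructed, reusing the names from the examples above.

```python
# Added example, not Avaya code: check that every community maps to a group
# and that every group's views exist, then flag risky combinations.
# Sample data below is constructed; names mirror the page's examples.
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set


@dataclass(frozen=True)
class Community:
    name: str      # the community string itself
    index: str     # row index
    secname: str   # security name, the key into the VACM group member table


@dataclass(frozen=True)
class GroupMember:
    secname: str
    model: str     # "v1" | "v2c" | "usm"
    group: str


@dataclass(frozen=True)
class Access:
    group: str
    model: str     # "v1" | "v2c" | "usm"
    level: str     # "noAuthNoPriv" | "authNoPriv" | "authPriv"
    read: str = ""
    write: str = ""
    notify: str = ""


def check_community_string(s: str) -> List[str]:
    """The page's rules for community strings."""
    issues = []
    if not 1 <= len(s) <= 32:
        issues.append(f"community {s!r}: length must be 1-32 characters")
    if "@" in s or "::" in s:
        issues.append(f"community {s!r}: '@' and '::' are not allowed")
    return issues


def validate(communities: Iterable[Community], members: Iterable[GroupMember],
             accesses: Iterable[Access], views: Set[str]) -> List[str]:
    findings: List[str] = []
    by_sec: Dict[str, GroupMember] = {m.secname: m for m in members}
    by_group: Dict[str, List[Access]] = {}
    for a in accesses:
        by_group.setdefault(a.group, []).append(a)

    for c in communities:
        findings += check_community_string(c.name)
        m = by_sec.get(c.secname)
        if m is None:
            findings.append(f"community {c.name!r}: secname {c.secname!r} is in no group")
            continue
        if m.group not in by_group:
            findings.append(f"secname {c.secname!r}: group {m.group!r} has no access row")
            continue
        for a in by_group[m.group]:
            # Policy finding (this example's own): write access behind a
            # cleartext v1/v2c community string.
            if a.model in ("v1", "v2c") and a.write:
                findings.append(f"group {m.group!r}: write view {a.write!r} is reachable "
                                f"over cleartext {a.model} community {c.name!r}")

    for group, rows in by_group.items():
        for a in rows:
            for v in (a.read, a.write, a.notify):
                if v and v not in views:
                    findings.append(f"group {group!r}: view {v!r} does not exist")
            # Policy finding (this example's own): SNMPv3 write without auth.
            if a.model == "usm" and a.level == "noAuthNoPriv" and a.write:
                findings.append(f"group {group!r}: USM write access without authentication")
    return findings


# Constructed sample: one sane read-only community, one v2c write community,
# and an SNMPv3 group whose write view was never created.
SAMPLE_VIEWS = {"v1v2only", "internet"}
SAMPLE_COMMUNITIES = [Community("anewcommunity", "third", "readview"),
                      Community("private", "second", "writeview")]
SAMPLE_MEMBERS = [GroupMember("readview", "v2c", "readgrp"),
                  GroupMember("writeview", "v2c", "writegrp")]
SAMPLE_ACCESS = [Access("readgrp", "v2c", "noAuthNoPriv", read="v1v2only"),
                 Access("writegrp", "v2c", "noAuthNoPriv", read="internet", write="internet"),
                 Access("lan6grp", "usm", "authPriv", read="internet", write="missing")]


def sample_findings() -> List[str]:
    return validate(SAMPLE_COMMUNITIES, SAMPLE_MEMBERS, SAMPLE_ACCESS, SAMPLE_VIEWS)


if __name__ == "__main__":
    for line in sample_findings():
        print(line)
```

Feed it the output of show snmp-server group, show snmp-server community and the view table after a change, and an empty findings list is the check that the chain is complete before a manager is pointed at the switch.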
Adding a user to a group
About this task
Add a user to a group to logically group users who require the same level of access.
Procedure
1. Enter Global Configuration mode:
enable
configure terminal
2. Add the user to a group:
snmp-server user WORD<1-32> group WORD<1-32> [{md5|sha} WORD<1-32> [{aes|des} WORD<1-32>]]
Example
VSP-8284XSQ> enable
VSP-8284XSQ# configure terminal
Add a user to a group to logically group users who require the same level of access:
VSP-8284XSQ(config)# snmp-server user test1 group Grouptest1 md5 winter aes summer
Variable definitions
Use the data in the following table to use the snmp-server user command.
Table 21: Variable definitions
Variable
Value
{aes|des|3des} WORD<1-32>
Specifies a privacy protocol. If no value is entered, no privacy
capability exists. The choices are aes, des, or 3des.
WORD<1-32> assigns a privacy password. If no value is
entered, no privacy capability exists. The range is 1–32
characters.
Important:
You must set authentication before you can set the privacy
option.
engine-id WORD<1-32>
Assigns an SNMPv3 engine ID. The range is 10–64 characters.
Use the no operator to remove this configuration.
group WORD<1-32>
Specifies the group access name.
{md5|sha} WORD<1-32>
Specifies an authentication protocol. If no value is entered, no
authentication capability exists. The protocol choices are: MD5
and SHA. WORD<1-32> specifies an authentication password.
If no value is entered, no authentication capability exists. The
range is 1–32 characters.
notify-view WORD<1-32>
Specifies the view name in the range of 0–32 characters. The
first instance is a noAuth view. The second instance is an auth
view and the last instance is an authPriv view.
read-view WORD<1-32>
Specifies the view name in the range of 0–32 characters. The
first instance is a noAuth view. The second instance is an auth
view and the last instance is an authPriv view.
write-view WORD<1-32>
Specifies the view name in the range of 0–32 characters. The
first instance is a noAuth view. The second instance is an auth
view and the last instance is an authPriv view.
user WORD<1-32>
Creates the new entry with this security name. The name is
used as an index to the table. The range is 1–32 characters.
Use the no operator to remove this configuration.
Blocking SNMP
About this task
Disable SNMP by using the SNMP block flag. By default, SNMP access is enabled.
Procedure
1. Enter Global Configuration mode:
enable
configure terminal
2. Disable SNMP:
boot config flags block-snmp
Example
VSP-8284XSQ> enable
VSP-8284XSQ# configure terminal
Disable SNMP:
VSP-8284XSQ(config)# boot config flags block-snmp
Variable definitions
Use the data in the following table to use the boot config flags command.
Table 22: Variable definitions
Variable
Value
block-snmp
Configures the block SNMP flag as active. Use the no operator to remove
this configuration. The default is off. To set this option to the default value,
use the default operator with the command.
Displaying SNMP system information
About this task
Display SNMP system information to view trap and authentication profiles. For a comprehensive set
of SNMP-related show commands, see ACLI Commands Reference for Avaya Virtual Services
Platform 8200, NN47227-104.
Procedure
Display SNMP system information:
show snmp-server
Example
VSP-8284XSQ>show snmp-server
trap-sender        :
force-trap-sender  : FALSE
force-iphdr-sender : FALSE
agent-conformance  : DISABLED
contact            : http://support.avaya.com/
location           : 211 Mt. Airy Road,Basking Ridge,NJ 07920
name               : VSP-8284XSQ
AuthenticationTrap : false
LoginSuccessTrap   : false
bootstrap          : unknown level
SNMP configuration using Enterprise Device Manager
Configure SNMP to provide services to send and receive messages, authenticate and encrypt
messages, and control access to managed objects with Enterprise Device Manager (EDM).
The following task flow shows you the sequence of procedures you perform to configure basic
elements of SNMP using EDM.
Figure 4: SNMP configuration using Enterprise Device Manager procedures
Creating a user
About this task
Create a new user in the USM table to authorize a user on a particular SNMP engine.
Note:
In EDM, to create new SNMPv3 users you must use the CloneFromUser option. However, you
cannot clone the default user, named initial. As a result, you must first use ACLI to configure at
least one user, and then you can use EDM to create subsequent users with the
CloneFromUser option.
Procedure
1. In the navigation tree, open the following folders: Configuration > Edit > SnmpV3.
2. Click USM Table.
3. Click Insert.
4. In the EngineID box, use the default Engine ID provided or type an administratively unique
identifier for the SNMP engine.
5. In the User Name box, type a name.
6. From the CloneFromUser list, select a security name from which the new entry copies
authentication data and private data, if required.
7. From the Auth Protocol list, select an authentication protocol.
8. In the Cloned User's Auth Password box, type the authentication password of the cloned
user.
9. In the New User's Auth Password box, type an authentication password for the new user.
10. From the Priv Protocol list, select a privacy protocol.
11. In the Cloned User's Priv Password box, type the privacy password of the cloned user.
12. In the New User's Priv Password box, type a privacy password for the new user.
13. Click Insert.
Caution:
Security risk
To ensure security, change the GroupAccess table default view after you set up a new
user in the USM table. This prevents unauthorized people from accessing the system
using the default user logon. Also, change the Community table defaults, because the
community name is sent in cleartext as the community string in every SNMPv1/v2c PDU.
USM Table field descriptions
Use the data in the following table to use the USM Table tab and the Insert USM Table dialog box.
Some fields appear only on the Insert USM Table dialog box.
Name
Description
EngineID
Specifies an administratively-unique identifier to an SNMP engine.
UserName
Creates the new entry with this security name. The name is used as an
index to the table. The range is 1–32 characters.
SecurityName
Identifies the name on whose behalf SNMP messages are generated.
Clone From User
Specifies the security name from which the new entry must copy privacy
and authentication parameters. The range is 1–32 characters. This option
appears only in the Insert USM Table dialog box.
Auth Protocol
Assigns an authentication protocol (or no authentication) from a list. If you
select an authentication protocol, you must enter an old AuthPass and a
new AuthPass.
(Optional)
Cloned User's Auth
Password
Specifies the current authentication password of the cloned user. This
option appears only in the Insert USM Table dialog box.
New User's Auth Password
Specifies the authentication password of the new user. This option appears
only in the Insert USM Table dialog box.
Priv Protocol
Assigns a privacy protocol (or no privacy) from a list.
(Optional)
If you select a privacy protocol, you must enter an old PrivPass and a new
PrivPass.
Cloned User's Priv
Password
Specifies the current privacy password of the cloned user. This option
appears only in the Insert USM Table dialog box.
New User's Priv Password
Specifies the privacy password of the new user. This option appears only
in the Insert USM Table dialog box.
Creating a new group membership
About this task
Create a new group membership to logically group users who require the same level of access.
Note:
Avaya created several default groups (public and private) that you can use. To see the list of
default groups and their associated security names (secnames), enter show snmp-server
group. If you use one of these groups, there is no need to create a new group.
Procedure
1. In the navigation tree, open the following folders: Configuration > Edit > SnmpV3.
2. Click VACM Table.
3. Click the Group Membership tab.
4. Click Insert.
5. From the SecurityModel options, select a security model.
6. In the SecurityName box, type a security name.
7. In the GroupName box, type a group name.
8. Click Insert.
Group Membership field descriptions
Use the data in the following table to use the Group Membership tab.
Name
Description
SecurityModel
Specifies the security model to use with this group membership.
SecurityName
Specifies the security name assigned to this entry in the View-based
Access Control Model (VACM) table. The range is 1–32 characters.
GroupName
Specifies the name assigned to this group in the VACM table. The range is
1–32 characters.
Creating access for a group
About this task
Create access for a group in the View-based Access Control Model (VACM) table to provide access
to managed objects.
Procedure
1. In the navigation tree, open the following folders: Configuration > Edit > SnmpV3.
2. Click VACM Table.
3. Click the Group Access Right tab.
4. Click Insert.
5. In the GroupName box, type a VACM group name.
6. In the ContextPrefix box, select a VRF instance. This is an optional step.
7. From the SecurityModel options, select a model.
8. From the SecurityLevel options, select a security level.
9. In the ContextMatch option, select a value to match the context name. This value is exact
by default.
10. In the ReadViewName box, type the name of the MIB view that forms the basis of
authorization when reading objects. This is an optional step.
11. In the WriteViewName box, type the name of the MIB view that forms the basis of
authorization when writing objects. This is an optional step.
12. In the NotifyViewName box, type MIB view that forms the basis of authorization for
notifications. This is an optional step.
13. Click Insert.
Group Access Right field descriptions
Use the data in the following table to use the Group Access Right tab.
Name
Description
GroupName
Specifies the name of the new group in the VACM table. The range is 1–32
characters.
ContextPrefix
Specifies if the contextName must match the value of the instance of this
object exactly or partially. The range is an SnmpAdminString, 1–32
characters.
SecurityModel
Specifies the security model under which requests must arrive to match this
access row. The security models are:
• SNMPv1
• SNMPv2c
• USM (SNMPv3)
SecurityLevel
Specifies the minimum level of security required to gain the access rights
allowed. The security levels are:
• noAuthNoPriv
• authNoPriv
• authPriv
ContextMatch
Specifies if the prefix and the context name must match. If the value is
exact, all rows where the contextName exactly matches
vacmAccessContextPrefix are selected. If you do not select exact, all rows
where the contextName with starting octets that exactly match
vacmAccessContextPrefix are selected.
ReadViewName
Identifies the MIB view of the SNMP context to which this conceptual row
authorizes read access. The default is the empty string.
WriteViewName
Identifies the MIB view of the SNMP context to which this conceptual row
authorizes write access. The default is the empty string.
NotifyViewName
Identifies the MIB view of the SNMP context to which this conceptual row
authorizes access for notifications. The default is the empty string.
Creating access policies for SNMP groups
About this task
Create an access policy to determine the access level for the users who connect to Avaya Virtual
Services Platform 8200 with different services like File Transfer Protocol (FTP), Trivial FTP (TFTP),
Telnet, and rlogin.
You only need to create access policies for SNMP groups if you have the access policy feature
enabled. For more information about access policies, see Administering Avaya Virtual Services
Platform 8200, NN47227-600.
Procedure
1. In the navigation tree, open the following folders: Configuration > Security > Control Path.
2. Click Access Policies.
3. Click the Access Policies-SNMP Groups tab.
4. Click Insert.
5. Beside the ID box, click the ellipsis (...) button.
6. Select a policy ID from the ID list, and then click Ok.
7. In the Name box, type a name.
8. From the Model options, select a security model.
9. Click Insert.
Access Policies — SNMP Groups field descriptions
Use the data in the following table to use the Access Policies-SNMP Groups tab.
Name
Description
Id
Specifies the ID of the group policy.
Name
Specifies the name assigned to the group policy. The range is 1–32 characters.
Model
Specifies the security model {SNMPv1|SNMPv2c|USM}.
Assigning MIB view access for an object
About this task
Create a new entry in the MIB View table.
You cannot modify SNMP settings with the default Layer 2 MIB view. However, you can modify
SNMP settings with a new MIB view created with Layer 2 permissions.
Procedure
1. In the navigation tree, open the following folders: Configuration > Edit > SnmpV3.
2. Click VACM Table.
3. In the VACM Table tab, click the MIB View tab.
4. Click Insert.
5. In the ViewName box, type a view name.
6. In the Subtree box, type a subtree.
7. In the Mask box, type a mask.
8. From the Type options, select whether access to the MIB object is granted.
9. Click Insert.
MIB View field descriptions
Use the data in the following table to use the MIB View tab.
Name
Description
ViewName
Creates a new entry with this group name. The range is 1–
32 characters.
Subtree
Specifies a valid object identifier that defines the set of
MIB objects accessible by this SNMP entity, for example,
1.3.6.1.1.5.
Mask (optional)
Specifies a bit mask with vacmViewTreeFamilySubtree to
determine whether an OID falls under a view subtree.
Type
Determines whether access to a MIB object is granted
(included) or denied (excluded). The default is included.
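The Subtree, Mask and Type fields are evaluated together: an OID falls under a family when every sub-identifier where the mask bit is 1 matches the subtree (mask bits beyond the mask length count as 1), the longest matching subtree wins, and that family's Type decides access. The following is an added example, not Avaya or EDM code, that implements those RFC 3415 view-tree-family rules in Python so a view can be tested before it is assigned to a group; it assumes masks are entered as hex octets (for example ff:a0) and the view entries are constructed.

```python
# Added example, not Avaya/EDM code: evaluate MIB View table entries
# (Subtree, Mask, Type) against an OID per RFC 3415 vacmViewTreeFamilyTable.
# Assumption: the switch follows the RFC semantics; sample views are constructed.
from dataclasses import dataclass
from typing import Iterable, Tuple


@dataclass(frozen=True)
class ViewEntry:
    view: str
    subtree: Tuple[int, ...]   # e.g. (1, 3, 6, 1)
    mask: bytes = b""          # empty mask == all ones == plain subtree match
    included: bool = True      # Type: included (True) or excluded (False)


def oid(s: str) -> Tuple[int, ...]:
    """Parse dotted OID text into a tuple of sub-identifiers."""
    return tuple(int(x) for x in s.strip(".").split("."))


def mask_hex(s: str) -> bytes:
    """Accept 'ff:a0' or 'ffa0' (assumed EDM-style hex mask input)."""
    return bytes.fromhex(s.replace(":", ""))


def _bit(mask: bytes, i: int) -> int:
    # RFC 3415: bits past the end of the mask are treated as 1 (must match).
    if i >= 8 * len(mask):
        return 1
    return (mask[i // 8] >> (7 - i % 8)) & 1


def subtree_covers(entry: ViewEntry, target: Tuple[int, ...]) -> bool:
    """True if target lies under entry.subtree, honouring wildcard (0) mask bits."""
    if len(target) < len(entry.subtree):
        return False
    return all(_bit(entry.mask, i) == 0 or target[i] == sub
               for i, sub in enumerate(entry.subtree))


def in_view(entries: Iterable[ViewEntry], view: str, target: Tuple[int, ...]) -> bool:
    """Among matching families of one view, the one with the most sub-identifiers
    wins (ties: lexicographically greatest subtree); its Type grants or denies."""
    hits = [e for e in entries if e.view == view and subtree_covers(e, target)]
    if not hits:
        return False
    best = max(hits, key=lambda e: (len(e.subtree), e.subtree))
    return best.included


# Constructed sample: 'readonly' exposes the internet subtree but carves out
# the USM and VACM MIBs; 'ifrow7' exposes every column of ifTable row 7 only
# (mask ff:a0 clears bit 9, the column sub-identifier, and keeps bit 10, the row).
SAMPLE_VIEWS = [
    ViewEntry("readonly", oid("1.3.6.1")),
    ViewEntry("readonly", oid("1.3.6.1.6.3.15"), included=False),  # snmpUsmMIB
    ViewEntry("readonly", oid("1.3.6.1.6.3.16"), included=False),  # snmpVacmMIB
    ViewEntry("ifrow7", oid("1.3.6.1.2.1.2.2.1.1.7"), mask_hex("ff:a0")),
]


if __name__ == "__main__":
    for name, target in (("readonly", "1.3.6.1.2.1.1.1.0"),
                         ("readonly", "1.3.6.1.6.3.15.1.2.2.1.3"),
                         ("ifrow7", "1.3.6.1.2.1.2.2.1.2.7"),
                         ("ifrow7", "1.3.6.1.2.1.2.2.1.2.8")):
        print(name, target, "->", "included" if in_view(SAMPLE_VIEWS, name, oid(target)) else "excluded")
```

Excluding the USM and VACM subtrees from any view handed to a v1/v2c community is the practical point: otherwise a read-only community can enumerate usmUserTable and the access rows that protect the device.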
Creating a community
About this task
Create a community to use in forming a relationship between an SNMP agent and one or more
SNMP managers. You require SNMP community strings for access to the system using SNMP-based
management software.
Procedure
1. In the navigation tree, open the following folders: Configuration > Edit > SnmpV3.
2. Click Community Table.
3. Click Insert.
4. In the Index box, type an index.
5. In the Name box, type a name that is a community string.
6. In the SecurityName box, type a security name.
7. In the ContextName box, type the context name.
8. Click Insert.
Community Table field descriptions
Use the data in the following table to use the Community Table tab.
Name
Description
Index
Specifies the unique index value of a row in this table. The range is 1–32
characters.
Name
Specifies the community string for which a row in this table represents a
configuration.
SecurityName
Specifies the security name in the VACM group member table to which the
community string is mapped. The range is 1–32 characters.
ContextEngineID
Indicates the location of the context in which management information is
accessed when using the community string specified in Name.
ContextName
Specifies the context in which management information is accessed when
you use the specified community string.
Viewing all contexts for an SNMP entity
About this task
View contexts to see the contents of the context table in the View-based Access Control Model
(VACM). This table provides information to SNMP command generator applications so that they can
properly configure the VACM access table to control access to all contexts at the SNMP entity.
Procedure
1. In the navigation tree, open the following folders: Configuration > Edit > SnmpV3.
2. Click VACM Table.
3. In the VACM Table tab, click the Contexts tab.
Contexts field descriptions
Use the data in the following table to use the Contexts tab.
Variable
Value
ContextName
Shows the name identifying a particular context at a particular SNMP
entity. The empty contextName (zero length) represents the default
context.
Glossary
American Standard
Code for Information
Interchange (ASCII)
A code to represent characters in computers. ASCII uses uppercase and
lowercase alphabetic letters, numeric digits, and special symbols.
authentication server
A RADIUS server that provides authorization services to the authenticator,
which is software that authorizes or rejects a supplicant attached to the
other end of the LAN segment.
Authentication,
Authorization, and
Accounting (AAA)
Authentication, Authorization, and Accounting (AAA) is a framework used to
control access to a network, limit network services to certain users, and
track what users do. Authentication determines who a user is before
allowing the user to access the network and network services. Authorization
allows you to determine what you allow a user to do. Accounting records
what a user is doing or has done.
Avaya command line
interface (ACLI)
A textual user interface. When you use ACLI, you respond to a prompt by
typing a command. After you enter the command, you receive a system
response.
Challenge
Handshake
Authentication
Protocol (CHAP)
An authentication protocol in which the server sends the client a random
challenge and the client answers with a one-way hash of the challenge
combined with a shared secret, so the secret itself never crosses the link.
controlled port
In relation to EAPoL, any port on the device with EAPoL enabled.
daemon/server
A daemon is a program that services network requests for authentication
and authorization, verifies identities, grants or denies authorizations, and
logs accounting records.
access control entry (ACE)
Data Encryption
Standard (DES)
A cryptographic algorithm that protects unclassified computer data. The
National Institute of Standards and Technology publishes the DES in the
Federal Information Processing Standard Publication 46-1.
Global routing
engine (GRE)
The base router or routing instance 0 in the Virtual Routing and Forwarding
(VRF).
Institute of Electrical and Electronics Engineers (IEEE)
An international professional society that issues standards and is a member of the American National Standards Institute, the International Standards Institute, and the International Standards Organization.
Internet Engineering Task Force (IETF)
A standards organization for IP data networks.
Layer 2
Layer 2 is the Data Link Layer of the OSI model. Examples of Layer 2 protocols are Ethernet and Frame Relay.
Layer 3
Layer 3 is the Network Layer of the OSI model. An example of a Layer 3 protocol is Internet Protocol (IP).
Local Area Network (LAN)
A data communications system that lies within a limited spatial area, uses a specific user group and topology, and can connect to a public switched telecommunications network (but is not one).
management information base (MIB)
The MIB defines system operations and parameters used for the Simple Network Management Protocol (SNMP).
mask
A bit string that the device uses along with an IP address to indicate the number of leading bits in the address that correspond with the network part.
Media Access Control (MAC)
Arbitrates access to and from a shared medium.
Message Digest 5 (MD5)
A one-way hash function that creates a message digest for digital signatures.
MultiLink Trunking (MLT)
A method of link aggregation that uses multiple Ethernet trunks aggregated to provide a single logical trunk. A multilink trunk provides the combined bandwidth of multiple links and physical layer protection against the failure of a single link.
network access server (NAS)
A network access server (NAS) is a single point of access to a remote device. The NAS acts as a gateway to guard the remote device. A client connects to the NAS, and the NAS then connects to another device to verify the credentials of the client. Once verified, the NAS allows or disallows access to the device. Network access servers are almost exclusively used with Authentication, Authorization, and Accounting (AAA) servers.
next hop
The next hop to which a packet can be sent to advance the packet to the destination.
Packet Capture Tool (PCAP)
A data packet capture tool that captures ingress and egress (on Ethernet modules only) packets on selected ports. You can analyze captured packets for troubleshooting purposes.
Point-to-Point Protocol (PPP)
Point-to-Point Protocol is a basic protocol at the data link layer that provides its own authentication protocols, with no authorization stage. PPP is often used to form a direct connection between two networking nodes.
port
A physical interface that transmits and receives data.
Port Access Entity (PAE)
Software that controls each port on the switch. The PAE, which resides on the device, supports authenticator functionality. The PAE works with the Extensible Authentication Protocol over LAN (EAPoL).
Protocol Data Units (PDUs)
A unit of data that is specified in a protocol of a specific layer and that consists of protocol-control information of the specific layer and possibly user data of that layer.
quality of service (QoS)
QoS features reserve resources in a congested network, allowing you to configure a higher priority for certain devices. For example, you can configure a higher priority for IP deskphones, which need a fixed bit rate, and split the remaining bandwidth between data connections if calls in the network are more important than the file transfers.
Read Write All (RWA)
An access class that lets users access all menu items and editable fields.
Remote Access Dial-In User Services (RADIUS)
Remote Access Dial-In User Services (RADIUS) can secure networks against unauthorized access, and allow communication servers and clients to authenticate the identity of users through a central database. You can use RADIUS to secure access to the device (console/Telnet/SSH), and RADIUS accounting to track the management sessions for ACLI only. RADIUS authentication allows the remote server to authenticate logons. RADIUS accounting logs all of the activity of each remote user in a session on the centralized RADIUS accounting server. RADIUS uses UDP.
remote login (rlogin)
An application that provides a terminal interface between hosts (usually UNIX) that use the TCP/IP network protocol. Unlike Telnet, rlogin assumes the remote host is, or behaves like, a UNIX host.
Routing Information Protocol (RIP)
A distance vector protocol in the IP suite, used at the IP network layer, that enables routers in the same autonomous system (AS) to exchange routing information by means of periodic updates. RIP is often used as a very simple interior gateway protocol (IGP) within small networks.
Secure Copy (SCP)
Secure Copy securely transfers files between the switch and a remote station.
Simple Network Management Protocol (SNMP)
SNMP administratively monitors network performance through agents and management stations.
supplicant
A device, such as a PC, that applies for access to the network.
User Datagram Protocol (UDP)
In TCP/IP, a packet-level protocol built directly on the Internet Protocol layer. TCP/IP host systems use UDP for application-to-application programs.
user-based policies (UBP)
Establishes and enforces roles and conditions on an individual user basis for access ports in the network.
view-based access control model (VACM)
Provides context, group access, and group security levels based on a predefined subset of management information base (MIB) objects.
virtual router forwarding (VRF)
Provides traffic isolation between customers operating over the same node. Each virtual router emulates the behavior of a dedicated hardware router by providing separate routing functionality, and the network treats each VRF as a separate physical router.