
Identity Engines Ignition Server
Ethernet Routing Switch
8600 8300 1600 5500 5600 4500 2500
Engineering
Switch User Authentication using Identity Engines Ignition Server
Technical Configuration Guide
Enterprise Networking Solutions
Document Date: October 2009
Document Number: NN48500-589
Document Version: 1.0
Nortel is a recognized leader in delivering communications capabilities that enhance the human
experience, ignite and power global commerce, and secure and protect the world’s most critical
information. Serving both service provider and enterprise customers, Nortel delivers innovative
technology solutions encompassing end-to-end broadband, Voice over IP, multimedia services
and applications, and wireless broadband designed to help people solve the world’s greatest
challenges. Nortel does business in more than 150 countries. For more information, visit Nortel
on the Web at www.nortel.com.
Copyright © 2009 Nortel Networks. All Rights Reserved.
While the information in this document is believed to be accurate and reliable, except as
otherwise expressly agreed to in writing NORTEL PROVIDES THIS DOCUMENT "AS IS"
WITHOUT WARRANTY OR CONDITION OF ANY KIND, EITHER EXPRESS OR IMPLIED. The
information and/or products described in this document are subject to change without
notice. Nortel Networks, the Nortel Networks logo and the Globemark are trademarks of
Nortel Networks.
___________________________________________________________________________________________________________________________
1
Abstract
Revision Control
No   Date         Version   Revised by   Remarks
1    10/09/2009   1.0       JVE          Initial release
1.1 RADIUS SUPPORT ON NORTEL SWITCHES ........................................................ 5
1.2 USER AUTHENTICATION USING ERS1600, ERS8300, OR ERS8600 ................................... 5
1.3 USER AUTHENTICATION USING ERS5600, ERS5500, ERS4500, OR ERS2500 .......................... 6
2.1 PART 1: BASIC AAA CONFIGURATION .......................................................... 8
2.1.1.1 Add out-of-band IP address ........................................................... 8
2.1.1.2 Enable RADIUS ........................................................................ 8
2.1.2.1 Verify RADIUS Global Settings ........................................................ 9
2.1.3.1 Configure an Outbound Attribute on Ignition Server for VLAN ......................... 10
2.1.3.2 Add Users ........................................................................... 18
2.1.3.3 Add an Access Policy ................................................................ 22
2.1.3.4 Add the Nortel ERS8600-1 switch as a RADIUS Authenticator ........................... 41
2.1.4.1 Verify User Authentication .......................................................... 44
2.1.4.2 Verify user authentication from ERS switch .......................................... 45
2.2 PART 2: ERS8600 CONFIGURATION WITH SPECIFIC COMMANDS DISABLED ........................... 48
2.2.2.1 Configure Outbound attributes to deny ERS8600 CLI commands .......................... 49
2.2.2.2 Modify the Authorization Policy for the ERS8600 read-write user ..................... 57
3.1 ERS5600 CONFIGURATION ................................................................... 62
3.2 IDE SETUP ............................................................................... 63
3.3 VERIFICATION ............................................................................ 90
Conventions
This section describes the text, image, and command conventions used in this document.
Symbols:
Tip – Highlights a configuration or technical tip.
Note – Highlights important information to the reader.
Warning – Highlights important information about an action that may result in equipment
damage, configuration or data loss.
Text:
Bold text indicates emphasis.
text in a Courier New font indicates text the user must enter or select in a menu item, button
or command:
ERS5520-48T#
Output examples from Nortel devices are displayed in a Lucida Console font:
ERS5520-48T#
1. Overview: RADIUS User Authentication using Identity Engines
This document provides the framework for implementing user Authentication, Authorization, and
Accounting for Nortel switches.
1.1 RADIUS Support on Nortel Switches
Switch       RADIUS          802.1x (EAP)      RADIUS       802.1x (EAP)   RADIUS accounting   RADIUS user      RADIUS SNMP
             authentication  RADIUS auth.      accounting   RADIUS acct.   for CLI commands    access profile   accounting
ERS 8600     Yes             Yes               Yes          Yes            Yes                 Yes              Yes
ERS 8300     Yes             Yes               Yes          Yes            Yes                 Yes              No
ERS 1600     Yes             Yes               Yes          Yes            Yes                 Yes              No
ES 460/470   Yes             Yes               No           No             No                  No               No
ERS 2500     Yes             Yes               No           Yes            No                  No               No
ERS 4500     Yes             Yes               No           Yes            No                  No               No
ERS 5500     Yes             Yes               No           Yes            No                  No               No
ERS 5600     Yes             Yes               No           Yes            No                  No               No
1.2 User Authentication using ERS1600, ERS8300, or
ERS8600
The ERS1600, ERS8300, and ERS8600 each support six different user access levels. The
access level is determined by the RADIUS attribute value sent back to the switch. The switch
uses RADIUS Vendor-Specific Attributes (IETF Attribute 26) to support its own extended
attributes. Vendor identifier 1584 (Bay Networks) attribute type 192 is used where the value is a
number from 0 to 6. The following chart displays the RADIUS attribute values and corresponding
access level.
Access Level                 VSA Attribute 26 – Vendor Identifier 1584, Type 192 value
None-Access                  0
Read-Only-Access             1
Layer 1-Read-Write-Access    2
Layer 2-Read-Write-Access    3
Layer 3-Read-Write-Access    4
Read-Write-Access            5
Read-Write-All-Access        6
In addition, on the ERS8600 only, vendor identifier 1584 attribute type 194, if it is set to a value
of 0, lets you enter a list of CLI commands not allowed for a user. Each denied CLI command is
entered as a RADIUS string value configured via RADIUS vendor identifier 1584 attribute type 195.
1.3 User Authentication using ERS5600, ERS5500,
ERS4500, or ERS2500
The ERS5600, ERS5500, ERS4500, and ERS2500 each support two different user access levels,
read-only and read-write. RADIUS attribute type 6, Service-Type, is used to determine the
access level. The following displays the complete list of RADIUS attribute values for the
RADIUS Service-Type attribute, where value 6 (Administrative) is used for read-write access and
value 7 (NAS Prompt) is used for read-only access.
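To make the attribute encodings of sections 1.2 and 1.3 concrete, the following is an added example (not code from this guide or from Nortel). It packs and unpacks the Bay Networks vendor-specific attribute (IETF attribute 26, vendor identifier 1584, sub-attribute types 192, 194 and 195) and the standard Service-Type attribute, then reports the access level each switch family would take from a decoded Access-Accept. That is the check an engineer wants when comparing a captured RADIUS reply with what the Ignition Server policy was meant to send. All function names are this example's own, the 4-byte integer encoding is the standard RADIUS integer type, and the sample bytes are constructed.

```python
import struct

# Standard RADIUS attribute types (RFC 2865)
ATTR_SERVICE_TYPE = 6
ATTR_VENDOR_SPECIFIC = 26

# Bay Networks / Nortel vendor-specific values from the guide
BAY_NETWORKS_VENDOR_ID = 1584
VSA_ACCESS_PRIORITY = 192   # integer 0..6: ERS8600/8300/1600 access level
VSA_COMMAND_ACCESS = 194    # integer; 0 = the CLI deny list in type 195 applies (ERS8600)
VSA_COMMAND_LIST = 195      # string; one denied CLI command per instance (ERS8600)

# Access levels the ERS8600, ERS8300 and ERS1600 derive from VSA type 192
ERS8600_ACCESS_LEVELS = {
    0: "None-Access", 1: "Read-Only-Access", 2: "Layer 1-Read-Write-Access",
    3: "Layer 2-Read-Write-Access", 4: "Layer 3-Read-Write-Access",
    5: "Read-Write-Access", 6: "Read-Write-All-Access",
}

# Access levels the ERS5600/5500/4500/2500 derive from Service-Type (attribute 6)
SERVICE_TYPE_ACCESS_LEVELS = {
    6: "Read-Write-Access",   # Administrative
    7: "Read-Only-Access",    # NAS Prompt
}


def encode_integer(n):
    """RADIUS 'integer' values are 4-byte big-endian unsigned numbers."""
    return struct.pack("!I", n)


def encode_attribute(attr_type, value):
    """Encode one RADIUS attribute as Type (1 byte), Length (1 byte), Value."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value is limited to 253 bytes")
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def encode_bay_vsa(vendor_type, value):
    """Wrap one Bay Networks sub-attribute inside Vendor-Specific (attribute 26)."""
    sub = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    return encode_attribute(ATTR_VENDOR_SPECIFIC,
                            encode_integer(BAY_NETWORKS_VENDOR_ID) + sub)


def decode_attributes(data):
    """Walk a RADIUS attribute list and return (attr_type, vendor_type, value)
    tuples; vendor_type is None for standard attributes.  Vendor-Specific
    attributes of vendors other than 1584 are returned undecoded.  Length
    fields are validated so a malformed packet raises instead of being misread."""
    attrs, pos = [], 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = struct.unpack_from("!BB", data, pos)
        if length < 2 or pos + length > len(data):
            raise ValueError("invalid attribute length %d" % length)
        value = data[pos + 2:pos + length]
        pos += length
        if (attr_type == ATTR_VENDOR_SPECIFIC and len(value) >= 6
                and struct.unpack("!I", value[:4])[0] == BAY_NETWORKS_VENDOR_ID):
            sub, spos = value[4:], 0
            while spos < len(sub):
                if len(sub) - spos < 2:
                    raise ValueError("truncated vendor sub-attribute")
                vtype, vlen = struct.unpack_from("!BB", sub, spos)
                if vlen < 2 or spos + vlen > len(sub):
                    raise ValueError("invalid vendor sub-attribute length")
                attrs.append((ATTR_VENDOR_SPECIFIC, vtype, sub[spos + 2:spos + vlen]))
                spos += vlen
        else:
            attrs.append((attr_type, None, value))
    return attrs


def granted_access_level(attrs, family):
    """Access level name a switch of the given family takes from decoded
    attributes, or None when no usable attribute is present.  family is
    "ers8600" (ERS8600/8300/1600, VSA 192) or "stackable" (ERS5600/5500/4500/2500,
    Service-Type).  Unknown values also yield None so they stand out in an audit."""
    for attr_type, vendor_type, value in attrs:
        if family == "ers8600" and vendor_type == VSA_ACCESS_PRIORITY and len(value) == 4:
            return ERS8600_ACCESS_LEVELS.get(struct.unpack("!I", value)[0])
        if family == "stackable" and attr_type == ATTR_SERVICE_TYPE and len(value) == 4:
            return SERVICE_TYPE_ACCESS_LEVELS.get(struct.unpack("!I", value)[0])
    return None


def build_accept_attributes(ers8600_level=None, service_type=None):
    """Attribute section of an Access-Accept carrying one or both access attributes."""
    out = b""
    if ers8600_level is not None:
        out += encode_bay_vsa(VSA_ACCESS_PRIORITY, encode_integer(ers8600_level))
    if service_type is not None:
        out += encode_attribute(ATTR_SERVICE_TYPE, encode_integer(service_type))
    return out


if __name__ == "__main__":
    # Constructed sample: type 192 = 6 (8600rwa) plus Service-Type 7 (a read-only stackable user)
    sample = build_accept_attributes(ers8600_level=6, service_type=7)
    decoded = decode_attributes(sample)
    print(decoded)
    print("ERS8600 grants:", granted_access_level(decoded, "ers8600"))
    print("ERS5600 grants:", granted_access_level(decoded, "stackable"))
```

The decoder deliberately keeps the two families apart: an ERS8600 ignores Service-Type for access level, and a stackable switch ignores the 1584 VSA, so an Access-Accept that carries the wrong attribute for the switch it is sent to shows up as None rather than as a silently wrong level.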
2. ERS8600 Switch Configuration Example
For this configuration example, we will enable RADIUS user authentication on ERS8600-1 using
the out-of-band management port. We will configure the Identity Engines RADIUS server with the
following three users:
User name with read-only access: 8600ro
User name with read-write access: 8600rw
User name with read-write-all access: 8600rwa
For this example, we will break down the configuration into two parts. In part one, we will simply
add AAA services for the three users shown above. Part two is a continuation of part one with the
addition of showing how to restrict certain CLI commands. In part two, we will pick the read-write
user and deny access to QoS and filter configuration for this user.
2.1 Part 1: Basic AAA Configuration
2.1.1 ERS8600 Configuration
Assuming we are using the out-of-band management port.
2.1.1.1
Add out-of-band IP address
ERS8600-1 Step 1 – Add out-of-band IP address and route
2.1.1.2
Enable RADIUS
ERS8600-1 Step 1 – Add RADIUS server, enable RADIUS, and enable RADIUS accounting
When configuring the RADIUS server on the ERS8600, you can configure the switch
with a RADIUS source-IP address which in turn will be the IP address used for RADIUS
requests. The RADIUS source-IP address must be a circuit-less IP address (CLIP) or
otherwise known as a loopback address. If you do not enable a RADIUS source-IP
address, by default, the ERS8600 uses the IP address of the outgoing interface as the
source IP address for RADIUS. Unfortunately, although you can create and enable a
RADIUS source-IP when using the out-of-band management port, this feature is not
supported on the out-of-band management port. Hence, if you have two CP cards, you
will have to configure two RADIUS Authenticators on the RADIUS server.
2.1.2 ERS 8600 Switch: Verify Operations
2.1.2.1
Verify RADIUS Global Settings
Step 1 – Verify that RADIUS has been enabled globally
Result:
Via 8600-1, verify the following information:
Option                                  Verify
enable                                  Verify that enable is set to enabled, telling us that RADIUS is enabled globally
acct-enable, acct-include-cli-commands  Verify that the CLI accounting is set to enabled globally
2.1.3 IDE Setup
2.1.3.1
Configure an Outbound Attribute on Ignition Server for VLAN
The following chart displays the outbound attribute values required by the ERS8600 for each
access level for RADIUS vendor identifier 1584 (Bay Networks) attribute type 192. For this
example, we will configure IDE with attribute values of 1, 5, and 6.
Access Level
None-Access
Read-Only-Access
L1-Read-Write-Access
L2-Read-Write-Access
L3-Read-Write-Access
Read-Write-Access
Read-Write-All-Access
Attribute Value
0
1
2
3
4
5
6
User Name
8600ro
8600rw
8600rwa
IDE Step 1 – IDE already has the vendor specific attributes defined (Bay Networks vendor
code 1584 using attribute type 192) for the ERS8600 which can be viewed by going to
IDE Step 2 – Go to
IDE Step 3 – Via the
window, type in a name for the attribute to be used
for access priority (i.e. ERS8600-Access-Priority as used in this example), click the
radio button, select via
and
via
. Click
on
when done
IDE Step 4 – Go to
IDE Step 5 – Using the Outbound Attribute created in Step 3, we will first add an attribute
value of 1 for read-only-access. Start by entering a name via the
window (i.e. as used in this example) and click on
IDE Step 6 – Select the Outbound Attributes name created in Step 3 (i.e. ERS8600-Access-Priority as used in this example) via the
pull down
menu. In the
window, enter 1 (i.e. value of 1 signifies read-only-access). Click on
twice when done.
IDE Step 7 – Go to
again to
create the outbound attribute for read-write-access. Using the Outbound Attribute created
in Step 3, we will add an attribute value of 5 for read-write-access. Start by entering a name
via the
window (i.e. 8600-rw as used in this example) and click on
IDE Step 8 – Select the Outbound Attributes name created in Step 3 (i.e. ERS8600-Access-Priority as used in this example) via the
pull down
menu. In the
window, enter 5 (i.e. value of 5 signifies read-write-access). Click on
twice when done.
IDE Step 9 – Go to
again to
create the outbound attribute for read-write-all-access. Using the Outbound Attribute
created in Step 3, we will add an attribute value of 6 for read-write-all-access. Start by
entering a name via the
window (i.e. 8600-rwa as used in this
example) and click on
IDE Step 10 – Select the Outbound Attributes name created in Step 3 (i.e. ERS8600-Access-Priority as used in this example) via the
pull down
menu. In the
window, enter 6 (i.e. value of 6 signifies read-write-all-access). Click on
twice when done.
2.1.3.2
Add Users
For this configuration example, we will add the following users.
User Name
8600ro
8600rw
8600rwa
Access Level
Read-Only-Access
Read-Write-Access
Read-Write-All-Access
IDE Step 1 – Start by going to
and click on
IDE Step 2 – Enter the user name for read-only-access via
(i.e. 8600ro as used
in this example) and enter the password for this user via
and
.
Click on
when done. If you wish, you can also change the expiry date via
if you do not wish to use the default setting of one year
IDE Step 3 – Repeat step 2 again by clicking on New to add the read-write-access user.
Enter the user name for read-write-access via (i.e. 8600rw as used in this
example) and enter the password for this user via
and . Click
on
when done. If you wish, you can also change the expiry date via
if you do not wish to use the default setting of one year
IDE Step 4 – Repeat step 2 for the final time by clicking on New to add the read-write-all-access user. Enter the user name for read-write-all-access via
(i.e. 8600rwa as
used in this example) and enter the password for this user via and
. Click on
when done. If you wish, you can also change the expiry date via
if you do not wish to use the default setting of one year
2.1.3.3
Add an Access Policy
IDE Step 1 – Go to
and select
example) and click on
Right-click R
. Enter a policy name (i.e. ERS8600-Access as used in this
when done
IDE Step 2 – Click on the policy we just created, i.e. ERS8600-Access, and click on
the
tab
via
IDE Step 3 – Under window, select
IDE Step 4 – Go to the
and click on
IDE Step 5 – Check off the
and click on
when done.
IDE Step 6 – Go to the
tab and click on
IDE Step 7 – Once the window pops up, click on
will add a rule for read-only-access. When the
rule
as shown below
First, we
window pops up, we will name the
IDE Step 8 – Click on
to add a new constraint
IDE Step 9 – For this example, we are simply going to look for the read-only-user user-id.
From
, select
and scroll down and select
. Select
with
of
and enter the read-only-access user id, i.e. 8600ro as used in this
example, in the
window as shown below. Click on
when done
IDE Step 10 – Via
, select
. From the
window, select the
output attribute we created previously named and click on the less-than arrow key
to move the attribute to the
window
IDE Step 11 – Next, we will add a rule for read-write-access. Start by clicking on
and
when the
window pops up, add an appropriate name for this rule, i.e. read-write-access as used in this example
IDE Step 12 – Click on
to add a new constraint
IDE Step 13 – For this example, we are simply going to look for the read-write-access user-id. From
, select
and scroll down and select
. Select
with
of
and enter the read-write-access user id, i.e.
as used in this
example, in the
window as shown below. Click on
when done
IDE Step 14 – Via
, select
. From the
window, select the
output attribute we created previously named and click on the less-than arrow key
to move the attribute to the
window
IDE Step 15 – Finally, we will add a rule for read-write-all-access. Start by clicking on
and when the
window pops up, add an appropriate name for this rule, i.e.
as used in this example
IDE Step 16 – Click on
to add a new constraint
IDE Step 17 – For this example, we are simply going to look for the read-write-all-access
user-id. From
, select
and scroll down and select . Select
with
of
and enter the read-write-all-access user id, i.e.
as used
in this example, in the
window as shown below. Click on
when done
IDE Step 18 – Via
, select
. From the
window, select the
output attribute we created above named
and click on the less-than arrow key to
move the attribute to the
window
IDE Step 19 – When completed, you can view the complete policy by clicking on the
button
2.1.3.4
Add the Nortel ERS8600-1 switch as a RADIUS Authenticator
For Ignition Server to process the Nortel switch RADIUS requests, each switch must be added as
an Authenticator.
IDE Step 1 – Go to
create new container named
->
by right clicking
For this example, we will
and selecting
IDE Step 2 – Go to
click on
->
->
and
IDE Step 3 – Enter the settings as shown below making sure you select the policy we
created previously named
via
. Leave
and
checked. Click on
when done.
2.1.4 Verification
2.1.4.1
Verify User Authentication
You can test user authentication for the ERS8600 users configured on IDE by entering the user
name and password.
Step 1 – Via Ignition Dashboard, select the IP address of the Ignition Server, click on the
tab, go to
and select the
tab. Make sure you select
and
and then enter a valid user name and password configured for the
ERS8600 and click on
For more details, repeat the same steps but via the
tab instead
Via Dashboard, verify the following information:
Option    Verify
Results   If successful, should be displayed
2.1.4.2
Verify user authentication from ERS switch
You can view the authentication details via Ignition Dashboard which provides extensive details
about the device or user.
Step 1 – In Dashboard, select the IP address of the Ignition Server and click on the
tab, go
to and select the
tab. Via the message of a valid user, right-click the message
and select
. Shown before are the results for the read-write-all-access user.
Please note that you should also see RADIUS accounting records when a user logs onto and
disconnects from the ERS8600.
Result:
At minimum, verify the following items:
Option                 Verify
Authentication Result  If successful, should be displayed. If not, verify the device using the previous step and if this also fails, verify the Ignition Server configuration.
Authorization Result   If successful, should be displayed. If not, verify the device using the previous step and if this also fails, verify the Ignition Server configuration.
User-Name              Displays the name of the user id; in this example, a user id of was used for the user with read-write-all-access rights.
Access Policy          This field displays the Ignition Server policy used for this user, which should be as configured for this example.
Policy Rule Used       For this user, the policy rule as configured above should be used, which sends an outbound vendor specific attribute value of to the ERS8600 telling the switch this user has read-write-all-access.
Outbound Attribute
2.2 Part 2: ERS8600 Configuration with Specific
Commands Disabled
In this part, we will use the same configuration as in the previous example, but we will restrict
the read-write ERS8600 user (user name = 8600rw) by denying access to the CLI QoS and filter
configuration (“config qos” or “config filter”).
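As an added example (not code from this guide or from Nortel), the following Python models how the three vendor-specific attributes used in this part fit together: the command strings in type 195 only take effect when type 194 carries the value 0 and the switch has its cli-profile enabled, and an audit function flags a rule where one of those is missing, which is the usual reason a restriction appears to "not work" after it is configured. The prefix-matching rule (a denied “config qos” also covering “config qos ...”) is an assumption, since the guide does not state how the ERS8600 compares commands; the POLICY_8600RW list and the sample commands are constructed for this example.

```python
# Bay Networks vendor-specific sub-attribute types the ERS8600 evaluates (from the guide)
VSA_ACCESS_PRIORITY = 192   # access level 0..6
VSA_COMMAND_ACCESS = 194    # 0 = the commands listed in type 195 are denied
VSA_COMMAND_LIST = 195      # one denied CLI command string per instance


def denied_commands(vsa_list):
    """vsa_list: decoded (vendor_type, value) pairs from an Access-Accept, with
    integers already unpacked and strings already decoded.  Returns the denied
    command strings when type 194 is present with value 0; otherwise an empty
    list, because the type 195 strings carry no meaning on their own."""
    command_access, commands = None, []
    for vendor_type, value in vsa_list:
        if vendor_type == VSA_COMMAND_ACCESS:
            command_access = value
        elif vendor_type == VSA_COMMAND_LIST:
            commands.append(str(value))
    return commands if command_access == 0 else []


def normalize(command):
    """Collapse whitespace and case so 'CONFIG   qos' compares equal to 'config qos'."""
    return " ".join(command.split()).lower()


def command_permitted(command, denied, cli_profile_enabled=True):
    """Switch-side decision for one CLI command.
    Assumption (not stated in the guide): a denied entry blocks the command
    itself and everything under it, e.g. 'config qos' also blocks 'config qos ...'.
    With cli-profile disabled on the switch the deny list has no effect."""
    if not cli_profile_enabled:
        return True
    cmd = normalize(command)
    for entry in denied:
        d = normalize(entry)
        if cmd == d or cmd.startswith(d + " "):
            return False
    return True


def audit_policy(vsa_list, cli_profile_enabled=True):
    """Findings a reviewer would want before trusting the restriction."""
    findings = []
    types = [t for t, _ in vsa_list]
    has_list = VSA_COMMAND_LIST in types
    access_values = [v for t, v in vsa_list if t == VSA_COMMAND_ACCESS]
    if has_list and not access_values:
        findings.append("type 195 commands present but type 194 missing: restriction inactive")
    if has_list and access_values and access_values[0] != 0:
        findings.append("type 194 is not 0: restriction inactive")
    if has_list and not cli_profile_enabled:
        findings.append("cli-profile disabled on the switch: deny list ignored")
    if VSA_ACCESS_PRIORITY not in types:
        findings.append("no type 192 access level: user access level undefined")
    return findings


# Constructed sample: the outbound attributes Part 2 attaches to the 8600rw rule
POLICY_8600RW = [
    (VSA_ACCESS_PRIORITY, 5),           # Read-Write-Access
    (VSA_COMMAND_ACCESS, 0),            # activate the deny list
    (VSA_COMMAND_LIST, "config qos"),
    (VSA_COMMAND_LIST, "config filter"),
]

if __name__ == "__main__":
    denied = denied_commands(POLICY_8600RW)
    # sample commands are constructed for illustration
    for c in ["config qos", "config filter acl 10 create", "show qos", "config vlan 10 create"]:
        print("%-30s %s" % (c, "permitted" if command_permitted(c, denied) else "DENIED"))
    print("audit findings:", audit_policy(POLICY_8600RW))
    print("audit without type 194:", audit_policy([(192, 5), (195, "config qos")]))
```

Running the audit against a rule that carries only the type 195 strings reports the restriction as inactive, which is exactly the state a policy is left in if Step 7 of the IDE setup (the value 0 for type 194) is skipped.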
2.2.1 ERS8600 Configuration
Enable the user access profile parameter on the ERS8600.
ERS8600-1 Step 1 – Enable the RADIUS cli-profile by setting the value to true
2.2.2 IDE Setup
2.2.2.1
Configure Outbound attributes to deny ERS8600 CLI commands
Using the same base configuration from the previous step, we will simply add the CLI commands
we wish to deny to the read-write user. In this example, this will apply only to the user
.
IDE Step 1 – IDE already has the vendor specific attributes defined, Bay Networks vendor
code 1584 using attribute types 194 and 195 for the ERS8600 which can be viewed by
going to
IDE Step 2 – Go to
IDE Step 3 – Via the
window, type in a name for the attribute to be used
to restrict CLI commands (i.e. 8600-Command-Access as used in this example), click the
radio button, select via
and
via
. Click on
when done
IDE Step 4 – Go to
one
more time Via the
window, type in a name for the attribute to be used
to list the CLI commands (i.e. 8600-Command-List as used in this example), click the
radio button, select
via
and
via
. Click
on
when done
IDE Step 5 – Go to
IDE Step 6 – Using the Outbound Attribute created in Step 3, we will add a value of 0 to
restrict CLI command access. Start by entering a name via the
window (i.e. ERS8600-Command-Access as used in this example) and click on
IDE Step 7 – Select the Outbound Attributes name created in Step 3 (i.e. ERS8600-Command-Access as used in this example) via the
pull
down menu. In the window, enter 0 (i.e. value of 0 signifies CLI
command restriction). Click on
twice when done.
IDE Step 8 – Go to
again to
create the outbound attribute for deny access to the CLI command ‘config qos’. Using the
Outbound Attribute created in Step 4, we will add a string value of “config qos”. Start by
entering a name via the
window (i.e. 8600-Command-no-QoS as
used in this example) and click on
IDE Step 9 – Select the Outbound Attributes name created in Step 4 (i.e. ERS8600-Command-List as used in this example) via the
pull
down menu. In the window, enter
(i.e. this is the CLI command we wish
to restrict). Click on
twice when done.
IDE Step 10 – Go to
again to
create the outbound attribute for deny access to the CLI command ‘config filter’. Using the
Outbound Attribute created in Step 4, we will add a string value of “config filter”. Start by
entering a name via the
window (i.e. 8600-Command-no-filter as
used in this example) and click on
IDE Step 11 – Select the Outbound Attributes name created in Step 4 (i.e. ERS8600-Command-List as used in this example) via the
pull
down menu. In the
window, enter
(i.e. this is the CLI command we wish
to restrict). Click on
twice when done.
2.2.2.2
Modify the Authorization Policy for the ERS8600 read-write user
IDE Step 1 – Click on the policy created from the previous example, i.e. ERS8600-Access,
click on the
tab, select the
via the
window, and click on Edit
IDE Step 2 – Make sure the read-write-access rule is selected and move all three RADIUS
attribute values we just created from the previous step from the
window to the
window
IDE Step 3 – When completed, you can view the complete policy by clicking on the
button
2.2.3 Verification
Connect to ERS8600 by using telnet with the read-write user account.
ERS8600-1 – Verify operation by typing in some commands
3. ERS5600 Switch Configuration Example
For this configuration example, we will enable RADIUS user authentication on ERS500-1 using
the switch management port. We will configure the Identity Engines RADIUS server with the
following two users:
User name with read-only access: 5600ro
User name with read-write access: 5600rw
3.1 ERS5600 Configuration
3.1.1 Enable RADIUS
Up to two RADIUS servers are supported on the ERS5600, 5500, 4500, or 2500 series switches.
For this configuration example we will simply configure one RADIUS server.
ERS5698-1 Step 1 – Add RADIUS server, enable RADIUS, and enable RADIUS accounting
ERS5698-1 Step 1 – Optional, enabling password fallback
3.2 IDE Setup
3.2.1 Configure an Outbound Attribute on Ignition Server for Service-Type
The following chart displays the outbound attribute values required by the ERS5600, ERS5500,
ERS4500, or ERS2500 for each access level using RADIUS attribute type 6 (Service-Type).
Registry Value   Description      ERS Access Level
6                Administrative   Read-Write-All-Access
7                NAS Prompt       Read-Only-Access
IDE Step 1 – Go to
IDE Step 2 – Via the
window, type in a name for the attribute to be used
for access priority (i.e. Service-type-ERS as used in this example), click the
radio button and select
. Click on
when done
IDE Step 4 – Go to
IDE Step 5 – Using the Outbound Attribute created in Step 2, we will first add a value of 7
(NAS Prompt) for read-only-access. Start by entering a name via the
window (i.e. ERSro as used in this example) and click on
IDE Step 6 – Select the Outbound Attributes name created in Step 3 (i.e. Service-type-ERS
as used in this example) via the
pull down menu. In the
window, enter 7 (i.e. value of 7 signifies NAS Prompt for read-only-access). Click on
twice when done.
IDE Step 7 – Go to
again to
create the outbound attribute for read-write-access. Using the Outbound Attribute created
in Step 2, we will add a value of 6 for read-write-access. Start by entering a name via the
window (i.e. ERSrwa as used in this example) and click on
IDE Step 8 – Select the Outbound Attributes name created in Step 2 (i.e. Service-type-ERS
as used in this example) via the
pull down menu. In the
window, enter 6 (i.e. value of 6 signifies Administrative for readwrite-access). Click on
twice when done.
3.2.2 Add Users
For this configuration example, we will add the following users:

User Name   Access Level
5600ro      Read-Only-Access
5600rwa     Read-Write-All-Access
IDE Step 1 – Start by going to
and click on
IDE Step 2 – Enter the user name for read-only-access via
(i.e. 5600ro as used
in this example) and enter the password for this user via
and
.
Click on
when done. If you wish, you can also change the expiry date via
if you do not wish to use the default setting of one year.
IDE Step 3 – Repeat step 2 by clicking on New to add the read-write-access user.
Enter the user name for read-write-access via (i.e. 5600rw as used in this
example) and enter the password for this user via
and . Click
on
when done. If you wish, you can also change the expiry date via
if you do not wish to use the default setting of one year.
3.2.3 Add Access Policy
IDE Step 1 – Go to
Right-click
and select
. Enter a policy name, i.e. ERS-access as used in this
example, and click on
when done.
IDE Step 2 – Click on the policy we just created, i.e. ERS-access, and click on
tab
via the
IDE Step 3 – Under window, select
IDE Step 4 – Go to the
and click on
IDE Step 5 – Check off the
and click on
when done.
IDE Step 6 – Go to the
tab and click on
IDE Step 7 – Once the window pops up, click on
First, we
will add a rule for read-only. When the
window pops up, we will name the rule
as shown below
IDE Step 8 – Click on
to add a new constraint
IDE Step 8 – For this example, we are simply going to look for the read-only user-id.
From
, select
and scroll down and select
. Select
with
of
and enter the read-only-access user id, i.e. 5600ro as used in this
example, in the
window as shown below. Click on
when done
IDE Step 9 – Via
, select
. From the
window, select the
output attribute we created above named and click on the less-than arrow key to
move the attribute to the
window
IDE Step 10 – Next, we will add a rule for read-write-access. Start by clicking on
. When the window pops up, add an appropriate name for this rule, i.e.
as used in this example
and
IDE Step 11 – Click on
to add a new constraint
IDE Step 12 – For this example, we are simply going to look for the read-write user-id.
From
, select
and scroll down and select
. Select
with
of
and enter the read-write user id, i.e. 5600rwa as used in this example,
in the
window as shown below. Click on
when done
IDE Step 13 – Via
, select
. From the
window, select the
output attribute we created above named
and click on the less-than arrow key to
move the attribute to the
window
IDE Step 18 – When completed, you can view the complete policy by clicking on the
button
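The Service-Type chart earlier in this section and the per-user rules built in section 3.2.3 can be exercised offline with the following Python script. It is an added example, not code from the Nortel guide, Ignition Server or the ERS switch software: the shared secret, packet identifier, Request Authenticator and user-ids are constructed sample values, and the ERS-access policy is reduced to a table keyed by user-id. The server side applies that table and returns an Access-Accept carrying Service-Type (attribute type 6) or an Access-Reject; the switch side verifies the Response Authenticator per RFC 2865 before it maps the value to an ERS access level, and grants nothing for a reject, a tampered reply, a wrong secret or a Service-Type value outside the chart.

```python
"""Added example (not from the Nortel guide or Ignition Server): the
Service-Type decision of the ERS-access policy, carried in a RADIUS
Access-Accept and checked on the switch side.  Secret, identifier,
Request Authenticator and user-ids are constructed sample values."""
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
ACCESS_REJECT = 3
ATTR_SERVICE_TYPE = 6          # RADIUS attribute type 6, Service-Type

# Chart values: 6 = Administrative, 7 = NAS Prompt.  Anything else grants nothing.
SERVICE_TYPE_TO_ACCESS = {
    6: "Read-Write-All-Access",
    7: "Read-Only-Access",
}

# Rules of the ERS-access policy (section 3.2.3), keyed by the user-id constraint:
# 5600rwa -> outbound attribute ERSrwa (6), 5600ro -> outbound attribute ERSro (7).
POLICY_RULES = {
    "5600rwa": 6,
    "5600ro": 7,
}


def evaluate_policy(user_name):
    """Service-Type value the policy emits for this user-id, or None when no rule matches."""
    return POLICY_RULES.get(user_name)


def encode_attrs(attrs):
    """Serialize (type, value) pairs as RADIUS attribute TLVs (RFC 2865 section 5)."""
    out = bytearray()
    for attr_type, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", attr_type, len(value) + 2) + value
    return bytes(out)


def parse_attrs(data):
    """Parse attribute TLVs; a bad length is an error, not something to guess around."""
    attrs, pos = [], 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = struct.unpack("!BB", data[pos:pos + 2])
        if length < 2 or pos + length > len(data):
            raise ValueError("bad attribute length")
        attrs.append((attr_type, data[pos + 2:pos + length]))
        pos += length
    return attrs


def build_response(code, ident, request_auth, secret, attrs):
    """Accept/Reject with Response Authenticator = MD5(Code + ID + Length +
    RequestAuth + Attributes + Secret), as RFC 2865 section 3 specifies."""
    attr_bytes = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(attr_bytes))
    resp_auth = hashlib.md5(header + request_auth + attr_bytes + secret).digest()
    return header + resp_auth + attr_bytes


def server_respond(user_name, ident, request_auth, secret):
    """Server side: apply the policy and answer with Accept + Service-Type, or Reject."""
    service_type = evaluate_policy(user_name)
    if service_type is None:
        return build_response(ACCESS_REJECT, ident, request_auth, secret, [])
    return build_response(ACCESS_ACCEPT, ident, request_auth, secret,
                          [(ATTR_SERVICE_TYPE, struct.pack("!I", service_type))])


def switch_access_level(packet, request_auth, secret):
    """Switch side: grant an ERS access level only if the Response Authenticator
    verifies, the code is Access-Accept and Service-Type is one of the chart values."""
    if len(packet) < 20:
        return None
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return None
    attr_bytes = packet[20:]
    expected = hashlib.md5(packet[:4] + request_auth + attr_bytes + secret).digest()
    if not hmac.compare_digest(packet[4:20], expected):
        return None                      # forged or tampered reply: no access
    if code != ACCESS_ACCEPT:
        return None
    try:
        attrs = parse_attrs(attr_bytes)
    except ValueError:
        return None
    for attr_type, value in attrs:
        if attr_type == ATTR_SERVICE_TYPE and len(value) == 4:
            return SERVICE_TYPE_TO_ACCESS.get(struct.unpack("!I", value)[0])
    return None                          # no Service-Type: do not default to any level


if __name__ == "__main__":
    secret, req_auth = b"constructed-shared-secret", bytes(range(16))
    for user in ("5600rwa", "5600ro", "nobody"):
        reply = server_respond(user, 1, req_auth, secret)
        print(user, "->", switch_access_level(reply, req_auth, secret))
```

Running the script prints Read-Write-All-Access for 5600rwa, Read-Only-Access for 5600ro and None for a user that matches no rule. The switch side deliberately returns None rather than a default level whenever the reply fails verification or carries no recognised Service-Type, which is the behaviour to expect from the ERS when the outbound attribute is missing from a policy rule.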
3.2.4 Add the Nortel ERS5600-1 switch as a RADIUS Authenticator
For Ignition Server to process the Nortel switch RADIUS requests, each switch must be added as
an Authenticator.
IDE Step 1 – Go to
->
by right clicking
and selecting
. For example, we will
create a new container named
.
IDE Step 2 – Go to
->
->
and
click on
IDE Step 3 – Enter the settings as shown below making sure you select the policy we
created above named
via
. Leave
and
checked. Click on
when done.
3.3 Verification
3.3.1 Verify User Authentication
You can test user authentication for the ERS5600 users configured on IDE by entering the user
name and password.
Step 1 – Via Ignition Dashboard, select the IP address of the Ignition Server, click on the
tab, go to
and select the
tab. You can
also simply test user authentication as we did for the ERS8600 via the
tab. Enter a valid
user name and password configured for the ERS5600 and click on
Via Dashboard, verify the following information:

Option    Verify
Results   If successful, you should get several messages indicating the internal
          user lookup and authentication was successful, provided you entered
          the correct user name and password.
3.3.2 Verify user authentication from ERS switch
You can view the authentication details via Ignition Dashboard which provides extensive details
about the device or user.
Step 1 – In Dashboard, select the IP address of the Ignition Server and click on the
tab, go
to and select the
tab. Via the message of a valid user, right-click the message
and select
. Shown below are the results for the read-write-all-access user.
Please note you should also see RADIUS accounting records upon a user logging onto and
disconnecting from the ERS5600.
Result:
At minimum, verify the following items:

Option                  Verify

Authentication Result   If successful,
                        should be displayed. If not, verify the
                        device using the previous step and if this also fails, verify the Ignition
                        Server configuration.

Authorization Result    If successful,
                        should be displayed. If not, verify the device using
                        the previous step and if this also fails, verify the Ignition Server
                        configuration.

User-Name               Displays the name of the user id; in this example, a user id of
                        was used for the user with read-write-all-access rights.

Access Policy           This field displays the Ignition Server policy used for this user, which
                        should be
                        as configured for this example.

Policy Rule Used        For this user, the Policy rule
                        as configured above should be
                        used, which sends an outbound vendor specific attribute value of
                        to the ERS8600 telling the switch this user has read-write-all-access.

Outbound Attribute
4. Software Baseline

Product            Minimum Software Level
Identity Engines   6.0
5. Reference Documentation

Document Title                                                               Publication Number                              Description
Identity Engines Ignition Server, Release 6.0 – Document Collection          NIEIS_6.0_Doc_Collection_20090706, Rev 02       Ignition Server Release 6.0 Software
Nortel Ethernet Routing Switch 2500 Series Release 4.1 Document Collection   ERS2500_4.2_Doc_Collection_20090302             Ethernet Routing Switch 2500 Software Release 4.2
Nortel Ethernet Routing Switch 4500 Series Release 5.1 Document Collection   ERS4500_5.3_Doc_Collection_20090731             Ethernet Routing Switch 4500 Software Release 5.3
Nortel Ethernet Routing Switch 5500 Series Release 5.1 Document Collection   ERS5500_6.1_Doc_Collection_20090525             Ethernet Routing Switch 5000 Software Release 6.1
Nortel Ethernet Routing Switch 8600, Release 5.1 Documentation Collection    ERS8600_5.1_Doc_Collection_20090603             Ethernet Routing Switch 8600 Software Release 5.1
Nortel Ethernet Routing Switch 8300, Release 4.2 Documentation Collection    ERS8300_4.2_DOC_COLLECTION_20090702, Rev 04     Ethernet Routing Switch 8300 Software Release 4.2
Nortel Ethernet Routing Switch 1600, Release 2.1 Documentation Collection    ERS1600_2.1_DOC_COLLECTION_20061128             Ethernet Routing Switch 1600 Software Release 2.1
Contact us
If you purchased a service contract for your Nortel product from a distributor or authorized
reseller, contact the technical support staff for that distributor or reseller for assistance.
If you purchased a Nortel Networks service program, contact Nortel Technical Support. To obtain
contact information online, go to www.nortel.com/contactus.
From the Technical Support page, you can open a Customer Service Request online or find the
telephone number for the nearest Technical Solutions Center. If you are not connected to the
Internet, call 1-800-4NORTEL (1-800-466-7835) to learn the telephone number for the nearest
Technical Solutions Center.
An Express Routing Code (ERC) is available for many Nortel products and services. When you
use an ERC, your call is routed to a technical support person who specializes in supporting that
product or service. To locate an ERC for your product or service, go to www.nortel.com/erc.