Configuring groups and extended profiles using the SREM. Nortel Networks Nortel Secure Network Access Switch 4050


208 Chapter 5 Configuring groups and profiles

Creating a default group using the CLI

To create a default group, first create a group with extended profiles mapped to a restrictive VLAN (see “Configuring groups using the CLI” on page 198 and “Configuring extended profiles using the CLI” on page 203). Then use the following command to make this group the default group:

/cfg/domain 1/aaa/defgroup <group name>

Configuring groups and extended profiles using the SREM

The basic steps to configure groups and extended profiles on the Nortel SNAS 4050 using the SREM are:

1 Configure the group (see “Configuring groups using the SREM” on page 208).

2 Configure the client filters that will be referenced in the extended profiles (see “Configuring client filters using the SREM” on page 213).

The client filters can be referenced by all extended profiles in the domain.

3 Configure the extended profiles for the group (see “Configuring extended profiles using the SREM” on page 219).

4 Map the linksets to the group and extended profiles (see “Mapping linksets to a group or profile using the SREM” on page 223).

5 Create a default group, if desired (see “Creating a default group using the SREM” on page 230).

Configuring groups using the SREM

This section contains the following topics:

“Using the guide for creating groups” on page 209

“Adding a group” on page 210

“Modifying a group” on page 212

320818-A


Using the guide for creating groups

If you desire additional information before creating a group, there is a guide available that explains some of the prerequisites and details about creating groups.

To access the guide to creating groups, complete the following steps:

1 Click A Guide to Create a Group on the toolbar.

A dialog box appears, prompting you to select a domain.

2 Select the domain where this group is created.

3 Click OK.

A Guide dialog appears, and the screen displayed in the SREM changes to display the next screen used to add a group.

4 Use Next and Previous to view the steps to create a group.

At each step, follow the instructions provided before continuing with the next configuration step.

5 Click Finish to exit the guide after completing all of the steps, or click Cancel to exit the guide any time before finishing.

Nortel Secure Network Access Switch 4050 User Guide


Adding a group

To create and configure a group, perform the following steps:

1 Select the Secure Access Domain > domain > AAA > Groups tab.

The Groups screen appears (see Figure 42).

Figure 42 Groups screen


2 Click Add.

The Add a Group dialog box appears (see Figure 43).

Figure 43 Adding a Group screen

3 Enter the Group information in the applicable fields. Table 31 describes the Add a Group fields.

Table 31 Add a Group fields

Field: Description

Group ID (Index): An integer in the range 1 to 1023 that uniquely identifies the group in the Nortel SNAS 4050 domain.

Group Name: A string that uniquely identifies the group on the Nortel SNAS 4050. The group name must match a group name used by the authentication services.

Maximum Login Sessions: The maximum number of simultaneous portal or Nortel SNAS 4050 sessions allowed for each member of the group. The default is 0 (unlimited).

Tunnel Guard SRS Rule: Specifies the preconfigured TunnelGuard SRS rule to apply to the group.
For information about configuring the SRS rules using the SREM, see “TunnelGuard SRS Builder” on page 317.

4 Click Apply.

The new group appears in the list of groups.

5 Click Apply on the toolbar to send the current changes to the Nortel SNAS 4050. Click Commit on the toolbar to save the changes permanently.


Modifying a group

To configure a group, perform the following steps:

1 Select the Secure Access Domain > domain > AAA > Groups > group > Configuration tab.

The group Configuration screen appears (see Figure 44).

Figure 44 Group Configuration screen


2 Enter the group information in the applicable fields. Table 32 describes the group Configuration fields.

Table 32 Group Configuration fields

Field: Description

Group ID (Index): An integer in the range 1 to 1023 that uniquely identifies the group in the Nortel SNAS 4050 domain.
This value cannot be changed after a group is created.

Group Name: A string that uniquely identifies the group on the Nortel SNAS 4050. The group name must match a group name used by the authentication services.

Maximum Login Sessions: The maximum number of simultaneous portal or Nortel SNAS 4050 sessions allowed for each member of the group.
The default is 0 (unlimited).

Tunnel Guard SRS Rule: Specifies the preconfigured TunnelGuard SRS rule to apply to the group.
For information about configuring the SRS rules using the SREM, see “TunnelGuard SRS Builder” on page 317.

Comment: A comment related to this group.

3 Click Apply on the toolbar to send the current changes to the Nortel SNAS 4050. Click Commit on the toolbar to save the changes permanently.

Configuring client filters using the SREM

This section contains the following topics:

“Adding a client filter” on page 214

“Modifying a client filter” on page 217


Adding a client filter

To create and configure a client filter, perform the following steps:

1 Select the Secure Access Domain > domain > AAA > Filters > Client Filters tab.

The Client Filters screen appears (see Figure 45).

Figure 45 Client Filters screen


2 Click Add.

The Add a Client Filter dialog box appears (see Figure 46).

Figure 46 Adding a Client Filter screen

3 Enter the Client Filter information in the applicable fields. Table 33 describes the Add a Client Filter fields.

Table 33 Add a Client Filter fields

Field: Description

Filter ID (Index): An integer in the range 1 to 63 that uniquely identifies the filter in the Nortel SNAS 4050 domain.

Name: Names the filter.
• name is a string that must be unique in the domain.
You reference the client filter name when configuring the extended profile.

TunnelGuard Check Passed: Specifies whether passing or failing the TunnelGuard host integrity check triggers the filter.
• true — the client filter triggers when the TunnelGuard check succeeds.
• false — the client filter triggers when the TunnelGuard check fails.
• ignore — passing or failing the TunnelGuard check will not trigger the client filter.
The default is ignore.
For example, in order to grant limited access rights to users who fail the TunnelGuard check, set the value to false, create an extended profile that references this client filter, and then map the extended profile to a restrictive VLAN.
For information about configuring the TunnelGuard checks, see “Configuring the TunnelGuard check using the CLI” on page 132 or “Configuring the TunnelGuard check using the SREM” on page 168.

4 Click Apply.

The new client filter now appears in the Client Filters table.

5 Click Apply on the toolbar to send the current changes to the Nortel SNAS 4050. Click Commit on the toolbar to save the changes permanently.


Modifying a client filter

To configure a client filter, perform the following steps:

1 Select the Secure Access Domain > domain > AAA > Filters > filter > Configuration tab.

The client filter Configuration screen appears (see Figure 47).

Figure 47 Client filter Configuration screen


2 Enter the Client Filter information in the applicable fields. Table 34 describes the Client Filter configuration fields.

Table 34 Client Filters configuration fields

Field: Description

Filter ID (Index): An integer in the range 1 to 63 that uniquely identifies the filter in the Nortel SNAS 4050 domain.

Name: Names the filter.
• name is a string that must be unique in the domain.
You reference the client filter name when configuring the extended profile.

TunnelGuard Check Passed: Specifies whether passing or failing the TunnelGuard host integrity check triggers the filter.
• true — the client filter triggers when the TunnelGuard check succeeds.
• false — the client filter triggers when the TunnelGuard check fails.
• ignore — passing or failing the TunnelGuard check will not trigger the client filter.
The default is ignore.
For example, in order to grant limited access rights to users who fail the TunnelGuard check, set the value to false, create an extended profile that references this client filter, and then map the extended profile to a restrictive VLAN.
For information about configuring the TunnelGuard checks, see “Configuring the TunnelGuard check using the CLI” on page 132 or “Configuring the TunnelGuard check using the SREM” on page 168.

Comment: Creates a comment about the client filter.

3 Click Apply on the toolbar to send the current changes to the Nortel SNAS 4050. Click Commit on the toolbar to save the changes permanently.


Configuring extended profiles using the SREM

To view the extended profiles within a group, select the Secure Access Domain > domain > AAA > Groups > group > Extended Profiles tab. The Extended Profiles screen appears with a list of all profiles for that group.

When you select a profile in the list, the extended profile configuration details and linksets become accessible from the tabs that display below the list. You can view or edit details for an extended profile from these additional tabs.

This section contains the following topics:

“Adding an extended profile” on page 220

“Modifying an extended profile” on page 222


Adding an extended profile

To create an extended profile for a group, perform the following steps:

1 Select the Secure Access Domain > domain > AAA > Groups > group > Extended Profiles tab.

The Extended Profiles screen appears (see Figure 48).

Figure 48 Extended Profiles screen


2 Click Add.

The Add an Extended Profile dialog box opens (see Figure 49).

Figure 49 Add an Extended Profile screen

3 Enter the Extended Profile information in the applicable fields. Table 35 describes the Add an Extended Profile fields.

Table 35 Add an Extended Profile fields

Field: Description

Index: An integer in the range 1 to 63 that uniquely identifies the profile in the group.
The default value for this field is the lowest unused index number available.

Filter Name: The name of the predefined client filter that determines whether the Nortel SNAS 4050 will apply this extended profile to the user.

VLAN Name: The name of the VLAN to which the Nortel SNAS 4050 will assign users with this profile.

4 Click Apply to create the new extended profile.

The new extended profile appears in the list on the Extended Profiles tab.


Modifying an extended profile

To modify an extended profile for a group, perform the following steps:

1 Select the Secure Access Domain > domain > AAA > Groups > group > extended profile > Configuration tab.

The extended profiles Configuration screen appears (see Figure 50).

Figure 50 Extended profiles Configuration screen


2 Enter the Extended Profile information in the applicable fields. Table 36 describes the Extended Profile Configuration fields.

Table 36 Extended Profile Configuration fields

Field: Description

Index: An integer in the range 1 to 63 that uniquely identifies the profile in the group.
The default value for this field is the lowest unused index number available. This value cannot be changed after the extended profile is created.

Filter Name: The name of the predefined client filter that determines whether the Nortel SNAS 4050 will apply this extended profile to the user.

VLAN Name: The name of the VLAN to which the Nortel SNAS 4050 will assign users with this profile.

3 Click Apply to create the new extended profile.

The new extended profile appears in the list on the Extended Profiles tab.

Mapping linksets to a group or profile using the SREM

You can tailor the portal page for different users by mapping preconfigured linksets to groups and extended profiles. Linksets configured for a group display on the portal page after the linksets configured for the user’s extended profile.

For information about configuring linksets, see “Configuring linksets using the SREM” on page 439.

Topics in this section include:

“Mapping linksets to a group” on page 224

“Mapping linksets to a profile” on page 227


Mapping linksets to a group

To map a linkset to a group, select the Secure Access Domain > domain > AAA > Groups > group > Linksets tab.

The Linksets screen appears and displays the group Linkset Table (see Figure 51).

Figure 51 Linksets screen for a group


The group Linkset Table allows you to manage linksets for the selected group, by performing any of the following procedures:

“Adding linksets to a group” on page 225

“Removing linksets from a group” on page 226

“Reordering linksets in a group” on page 226


Adding linksets to a group

To add a linkset to a group, perform the following steps:

1 Select the Secure Access Domain > domain > AAA > Groups > group > Linksets tab.

The Linksets screen appears and displays the Linkset Table (see Figure 51 on page 224).

2 Click Add.

The Add a Linkset dialog box appears (see Figure 52).

Figure 52 Adding a Linkset screen

3 Enter the linkset information in the applicable fields. Table 37 describes the Add a Linkset fields.

Table 37 Add a Linkset fields

Field: Description

Name: The name of the preconfigured linkset you want to add.

4 Click Add.

The new linkset appears in the Linkset Table.

5 Click Apply on the toolbar to send the current changes to the Nortel SNAS 4050. Click Commit on the toolbar to save the changes permanently.


Removing linksets from a group

To remove a linkset from a group, perform the following steps:

1 Select the Secure Access Domain > domain > AAA > Groups > group > Linksets tab.

The Linksets screen appears and displays the Linkset Table (see Figure 51 on page 224).

2 Select the linkset you want to remove from the Linkset Table.

3 Click Delete.

A confirmation dialog appears.

4 Click Yes.

The linkset disappears from the Linkset Table.

5 Click Apply on the toolbar to send the current changes to the Nortel SNAS 4050. Click Commit on the toolbar to save the changes permanently.

Reordering linksets in a group

To adjust the order in which group linksets appear on the portal page, perform the following steps:

1 Select the Secure Access Domain > domain > AAA > Groups > group > Linksets tab.

The Linksets screen appears and displays the Linkset Table (see Figure 51 on page 224).

2 Select the linkset you want to move from the Linkset Table.

3 Adjust the linkset position with the up and down arrows.

4 Click Apply on the toolbar to send the current changes to the Nortel SNAS 4050. Click Commit on the toolbar to save the changes permanently.


Mapping linksets to a profile

To map a linkset to an extended profile, select the Secure Access Domain > domain > AAA > Groups > group > extended profile > Linksets tab.

The Linksets screen appears and displays the Linkset Table (see Figure 53).

Figure 53 Linksets screen for an extended profile

The group Linkset Table allows you to manage linksets for the selected extended profile, by performing any of the following procedures:

“Adding linksets to an extended profile” on page 228

“Removing linksets from an extended profile” on page 229

“Reordering linksets in an extended profile” on page 229


Adding linksets to an extended profile

To add a linkset to an extended profile, perform the following steps:

1 Select the Secure Access Domain > domain > AAA > Groups > group > extended profile > Linksets tab.

The Linksets screen appears and displays the Linkset Table (see Figure 53 on page 227).

2 Click Add.

The Add a Linkset dialog box appears (see Figure 54).

Figure 54 Adding a Linkset screen

3 Enter the linkset information in the applicable fields. Table 38 describes the Add a Linkset fields.

Table 38 Add a Linkset fields

Field: Description

Name: The name of the preconfigured linkset you want to add.

4 Click Add.

The new linkset appears in the Linkset Table.

5 Click Apply on the toolbar to send the current changes to the Nortel SNAS 4050. Click Commit on the toolbar to save the changes permanently.


Removing linksets from an extended profile

To remove a linkset from an extended profile, perform the following steps:

1 Select the Secure Access Domain > domain > AAA > Groups > group > extended profile > Linksets tab.

The Linksets screen appears and displays the Linkset Table (see Figure 51 on page 224).

2 Select the linkset you want to remove from the Linkset Table.

3 Click Delete.

A confirmation dialog appears.

4 Click Yes.

The linkset disappears from the Linkset Table.

5 Click Apply on the toolbar to send the current changes to the Nortel SNAS 4050. Click Commit on the toolbar to save the changes permanently.

Reordering linksets in an extended profile

To adjust the order in which extended profile linksets appear on the portal page, perform the following steps:

1 Select the Secure Access Domain > domain > AAA > Groups > group > extended profile > Linksets tab.

The Linksets screen appears and displays the Linkset Table (see Figure 51 on page 224).

2 Select the linkset you want to move from the Linkset Table.

3 Adjust the linkset position with the up and down arrows.

4 Click Apply on the toolbar to send the current changes to the Nortel SNAS 4050. Click Commit on the toolbar to save the changes permanently.


Creating a default group using the SREM

To create a default group, first create a group with extended profiles mapped to a restrictive VLAN (see “Configuring groups using the SREM” on page 208 and “Configuring extended profiles using the SREM” on page 219). Then perform the following steps:

1 Select the Secure Access Domain > domain > AAA tab.

The AAA Configuration screen appears (see Figure 55).

Figure 55 AAA Configuration screen


2 Enter the AAA information in the applicable fields. Table 39 describes the AAA Configuration fields.

Table 39 AAA Configuration fields

Field: Description

Default Group: The name of the group you want to set as a default.

3 Click Apply on the toolbar to send the current changes to the Nortel SNAS 4050. Click Commit on the toolbar to save the changes permanently.
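The field limits in Tables 31 to 36, the failed-check example for client filters, and the default-group rule above can be checked against a planned layout before it is entered in the SREM. The Python sketch below is an added example, not part of the Nortel guide: the dictionary layout, the names lint_domain and dupes, and the sample groups, filters and VLANs are assumptions made for illustration.

```python
# Added example, not Nortel code; the dict layout below is an assumption.
from collections import Counter

TG_VALUES = {"true", "false", "ignore"}  # "TunnelGuard Check Passed" settings


def dupes(values):  # sorted values that occur more than once
    return sorted(v for v, n in Counter(values).items() if n > 1)


def lint_domain(domain, restrictive_vlans):
    """Return a list of findings; an empty list means no rule was broken."""
    out = []
    filters, groups = domain.get("filters", []), domain.get("groups", [])
    for f in filters:
        if not 1 <= f["id"] <= 63:
            out.append(f"filter {f['name']}: ID {f['id']} outside 1-63")
        if f.get("tg_passed", "ignore") not in TG_VALUES:
            out.append(f"filter {f['name']}: invalid TunnelGuard setting")
    for kind, items in (("filter", filters), ("group", groups)):
        out += [f"{kind} name {n} is not unique"
                for n in dupes(i["name"] for i in items)]
    by_name = {f["name"]: f for f in filters}
    for g in groups:
        where = f"group {g['name']}"
        if not 1 <= g["id"] <= 1023:
            out.append(f"{where}: ID {g['id']} outside 1-1023")
        for p in g.get("profiles", []):
            flt = by_name.get(p["filter"])
            if not 1 <= p["index"] <= 63:
                out.append(f"{where}: profile index {p['index']} outside 1-63")
            if flt is None:
                out.append(f"{where}: profile {p['index']} references "
                           f"undefined filter {p['filter']}")
            # A failed-host-check filter must lead only to a restrictive VLAN.
            elif flt.get("tg_passed") == "false" and p["vlan"] not in restrictive_vlans:
                out.append(f"{where}: failed-check profile {p['index']} maps to "
                           f"non-restrictive VLAN {p['vlan']}")
    # The default group must exist and use only restrictive VLANs.
    default = domain.get("default_group")
    match = [g for g in groups if g["name"] == default]
    if default is not None and not match:
        out.append(f"default group {default} is not defined")
    for p in (match[0].get("profiles", []) if match else []):
        if p["vlan"] not in restrictive_vlans:
            out.append(f"default group {default}: profile {p['index']} maps "
                       f"to non-restrictive VLAN {p['vlan']}")
    return out


# Constructed sample plan; every name and VLAN here is made up.
PLAN = {
    "filters": [{"id": 1, "name": "tg_ok", "tg_passed": "true"},
                {"id": 2, "name": "tg_fail", "tg_passed": "false"}],
    "groups": [
        {"id": 1, "name": "staff", "profiles": [
            {"index": 1, "filter": "tg_ok", "vlan": "green"},
            {"index": 2, "filter": "tg_fail", "vlan": "green"}]},
        {"id": 2, "name": "guests", "profiles": [
            {"index": 1, "filter": "tg_any", "vlan": "yellow"}]}],
    "default_group": "guests",
}

if __name__ == "__main__":
    print("\n".join(lint_domain(PLAN, restrictive_vlans={"yellow"})))
```

The set passed as restrictive_vlans is the operator's own declaration of which VLAN names count as restrictive; the guide does not define a flag for it.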


Chapter 6

Configuring authentication

This chapter includes the following topics:

Topic: Page

Overview: 234
Before you begin: 235
Configuring authentication using the CLI: 236
Roadmap of authentication commands: 237
Configuring authentication methods using the CLI: 239
Configuring advanced settings using the CLI: 241
Configuring RADIUS authentication using the CLI: 242
Configuring LDAP authentication using the CLI: 249
Configuring local database authentication using the CLI: 261
Specifying authentication fallback order using the CLI: 267
Configuring authentication using the SREM: 269
Configuring authentication methods using the SREM: 270
Configuring RADIUS authentication using the SREM: 271
Configuring LDAP authentication using the SREM: 282
Configuring local database authentication using the SREM: 298
Specifying authentication fallback order using the SREM: 314
Saving authentication settings: 316
