Avaya ERS 5600, ERS 5500, ERS 4500, ERS 2400 Technical Configuration Manual

Device Authentication using Identity Engines Ignition Server Technical Configuration Guide
Enterprise Solutions Engineering
Document Date: April 2010   Document Number: NN48500-586   Document Version: 2.0
Products covered: Identity Engines Ignition Server; Ethernet Routing Switch 5500, 5600, 4500, 2500
avaya.com
Abstract
This Technical Configuration Guide outlines the configuration steps required to create an authenticated network infrastructure for biomedical devices that are Ethernet attached. The main components include both the Ethernet edge switches and the Network Access Control infrastructure provided by Avaya’s Identity Engines portfolio.
The audience for this Technical Configuration Guide is intended to be Avaya Sales teams, Partner Sales teams and end-user customers.
Revision Control
No   Date         Version   Revised by   Remarks
1    09/09/2009   1.0       JVE          Modifications to Software Baseline section
2    27/04/2010   2.0       JVE          Added Internal Device configuration
Use pursuant to the terms of your signed agreement or Avaya policy.
Avaya Inc. – Proprietary & Confidential.
Table of Contents
Conventions ... 3
1. Overview: Medical Device Authentication using Identity Engines ... 4
1.1 Access Layer ... 4
1.2 Ignition Server – Biomedical Device Authentication ... 4
1.3 Configuration Examples ... 5
1.4 Biomedical Device Authentication using Identity Engines Ignition Server and ERS5500 ... 5
2. Software Baseline ... 50
3. Reference Documentation ... 51
Conventions
This section describes the text, image, and command conventions used in this document.
Symbols:
Tip – Highlights a configuration or technical tip.
Note – Highlights important information to the reader.
Warning – Highlights important information about an action that may result in equipment damage, configuration or data loss.
Text:
Bold text indicates emphasis.
Italic text in a Courier New font indicates text the user must enter or select in a menu item, button or command:
    ERS5520-48T# show running-config
Output examples from Avaya devices are displayed in a Lucida Console font:
    ERS5520-48T# show running-config
    ! Embedded ASCII Configuration Generator Script
    ! Model = Ethernet Routing Switch 5520-24T-PWR
    ! Software version = v5.0.0.011
    enable
    configure terminal
1. Overview: Medical Device Authentication using Identity Engines
This document provides the framework for implementing device-level authentication controls. Future documents will build on this base to define pre-canned solutions that use device-level authentication.
1.1 Access Layer
Any of the following access layer switches can be used with Ignition Server for device authentication. However, only the ERS5500 or ERS5600 series can be used if User Access Policies are also required, i.e. when the RADIUS server must tell the switch which policy to apply for a specific user or device.
• ERS5500
• ERS5600
• ERS4500
• ERS2400
1.2 Ignition Server – Biomedical Device Authentication
For the Ignition Server to authenticate biomedical devices from an EAP authenticator, it must know the device identity (typically the MAC address). In an existing network with many biomedical devices, each device identity will most likely not be known, which makes it very difficult to authorize each device based solely on its full MAC address. Avaya’s Ignition Server can instead be configured for device authentication using just the biomedical manufacturer’s vendor MAC prefix. In turn, the Ignition Server can keep a database of the full MAC address of each device once it has been authenticated by the Ignition Server.
The following is a list of the top biomedical manufacturers’ vendor MAC prefixes.
Prefix   Vendor
00095C   Philips Medical System – Cardiac and Monitoring System
00251B   Philips CareServant
001865   Siemens Medical Solutions Diagnostics Manufacturing (formerly Bayer Diagnostics Sudbury Ltd)
0030E6   Draeger Medical Systems, Inc. (was: SIEMENS MEDICAL SYSTEMS)
0003B1   Hospira Inc. (was: Abbott Laboratories)
001AFA   Welch Allyn, Inc.
1.3 Configuration Examples
Although any Avaya switch listed in Section 1.1 could be used, this example uses an ERS5520 to allow for device authentication both with and without policy.
1.4 Biomedical Device Authentication using Identity Engines Ignition Server and ERS5500
For this example, we will demonstrate how to configure the Ethernet Routing Switch 5500 and Ignition Server to allow for device authentication based on the biomedical manufacturer’s vendor MAC address. This allows authentication and VLAN separation of each manufacturer’s traffic. All that is required is the first three octets (the vendor prefix) of the MAC address for the Ignition Server to authenticate the device and then tell the EAP authenticator (the ERS 5520 in this example) which VLAN to place the biomedical device in (we will use Philips and Siemens for this example).
The Ethernet Routing Switch 5500 can be configured to accept both EAP and non-EAP (NEAP) on the same port. For non-EAP, the switch can be configured to build the RADIUS password from any combination of IP address and MAC address, with or without the port number. By default, the password format is IP address, MAC address, and port number. For this example, Ignition Server will be configured for device authentication, so it does not matter how the password format is configured on the ERS 5520. However, it is suggested to use a password format of MAC address only, so that if the complete MAC address is known, user authentication can be used on Ignition Server instead of device authentication.
Overall, we will configure the following:
• Enable NEAP on ports 14 to 20 of the ERS5520 using the non-EAP password format of MAC address only
• Add VLAN 1500 for the Philips devices
• Add VLAN 1600 for the Siemens devices
• Add VLAN 3000 as the default VLAN everyone connects to until authenticated by Ignition Server
• Configure the Ethernet Routing Switch 5520 and Ignition Server with the shared key set to nortel
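The following Python model is an added example, not code from the Avaya guide or from Ignition Server: it shows the decision described above, in which the ERS presents the NEAP client’s MAC address as the RADIUS User-Name, Ignition Server matches only the vendor prefix and returns the VLAN, and the full MAC is recorded on first sight. The vendor prefixes and VLANs are the guide’s own; encoding the VLAN as RFC 3580 tunnel attributes is an assumption about what the device template emits.

```python
# Added example, not from the Avaya guide: models the Ignition Server
# device-authentication rule from sections 1.2 and 1.4.  The ERS sends the
# NEAP client's MAC as the RADIUS User-Name (MAC Address Source =
# Inbound-User-Name); the rule matches only the vendor prefix, assigns the
# VLAN and records the full MAC.  Encoding the VLAN as RFC 3580 tunnel
# attributes is an assumption about what the device template emits.
import re

# Vendor prefixes from the guide's table mapped to the VLAN each
# manufacturer's devices are placed in (1500 Philips, 1600 Siemens).
VENDOR_VLAN = {
    "00095C": 1500,  # Philips Medical System
    "00251B": 1500,  # Philips CareServant
    "001865": 1600,  # Siemens Medical Solutions Diagnostics
}

# The "database" of full MACs that section 1.2 mentions: learned on first
# successful authentication, keyed by normalized MAC -> vendor prefix.
learned_devices = {}


def normalize_mac(user_name):
    """Accept the User-Name forms an ERS may send: 001865000201,
    00:18:65:00:02:01, 00-18-65-00-02-01, 0018.6500.0201, and the
    '.' before/after the MAC that older releases add.  Returns 12
    upper-case hex digits, or None if the value is not a MAC."""
    digits = re.sub(r"[.:\-]", "", user_name.strip()).upper()
    return digits if re.fullmatch(r"[0-9A-F]{12}", digits) else None


def authenticate_device(user_name):
    """Return (accepted, attributes).  On accept, attributes carry the
    VLAN the ERS applies as the port's PVID; on reject the port stays
    in the default VLAN 3000."""
    mac = normalize_mac(user_name)
    if mac is None:
        return False, {}
    vlan = VENDOR_VLAN.get(mac[:6])
    if vlan is None:
        return False, {}          # unknown vendor prefix: Access-Reject
    learned_devices.setdefault(mac, mac[:6])
    return True, {
        "Tunnel-Type": 13,             # VLAN
        "Tunnel-Medium-Type": 6,       # IEEE-802
        "Tunnel-Private-Group-ID": str(vlan),
    }
```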
1.4.1 ERS Switch Configuration
1.4.1.1 Go to configuration mode
ERS5520-1 Step 1 – Enter configuration mode
5520-24T-PWR> enable
5520-24T-PWR# configure terminal
5520-24T-PWR(config)# cmd-interface cli
5520-24T-PWR(config)# banner disable
5520-24T-PWR(config)# snmp-server name 5520-24T-1
1.4.1.2 Create VLANs
ERS5520-1 Step 1 – Create VLANs 201, 1500, 1600, and 3000
5520-24T-1(config)# vlan create 201 name mgmt type port
5520-24T-1(config)# vlan create 1500 name philips type port
5520-24T-1(config)# vlan create 1600 name siemens type port
5520-24T-1(config)# vlan create 3000 name general type port
ERS5520-1 Step 2 – Enable VLAN tagging on all appropriate ports
5520-24T-1(config)# vlan ports 23-24 tagging tagall
ERS5520-1 Step 3 – Set VLAN configuration control to automatic, add VLAN port members, and set the management VLAN to VLAN 201
5520-24T-1(config)# vlan configcontrol automatic
5520-24T-1(config)# vlan members add 201 23-24
5520-24T-1(config)# vlan members add 1500 23-24
5520-24T-1(config)# vlan members add 1600 23-24
5520-24T-1(config)# vlan members add 3000 14-20,23-24
5520-24T-1(config)# vlan mgmt 201
ERS5520-1 Step 4 – Remove port members from the default VLAN
5520-24T-1(config)# vlan members remove 1 14-20,23-24
Please note that the non-EAP devices must be members of a VLAN for the switch to authenticate them. You can either leave ports 14-20 in VLAN 1 or create a separate VLAN and add the port members to it, as we have done by creating VLAN 3000.
Next, add the recommended settings for connectivity to an SMLT cluster: VLACP and Multilink Trunking (MLT) with Spanning Tree disabled on the uplink core ports 23 and 24.
1.4.1.3 Create MLT
ERS5520-1 Step 1 – Create MLT 1
5520-1(config)# mlt 1 member 23-24 learning disable
5520-1(config)# mlt 1 enable
1.4.1.4 VLACP
ERS5520-1 Step 1 – Enable VLACP
5520-1(config)# vlacp macaddress 180.c200.f
5520-1(config)# vlacp enable
5520-1(config)# interface fastEthernet 23-24
5520-1(config-if)# vlacp timeout short
5520-1(config-if)# vlacp timeout-scale 5
5520-1(config-if)# vlacp enable
5520-1(config-if)# exit
1.4.1.5 Discard Untagged Frames on the uplink ports
ERS5520-1 Step 1 – Enable Discard Untagged Frames
5520-1(config)# vlan ports 23-24 filter-untagged-frame enable
1.4.1.6 Enable Spanning Tree Fast Start and BPDU Filtering on access ports
ERS5520-1 Step 1 – Enable STP Fast Start and BPDU filtering on access ports 14-20
5520-24T-1(config)# interface fastEthernet 14-20
5520-24T-1(config-if)# spanning-tree learning fast
5520-24T-1(config-if)# spanning-tree bpdu-filtering timeout 0
5520-24T-1(config-if)# spanning-tree bpdu-filtering enable
5520-24T-1(config-if)# exit
1.4.1.7 Configure Management IP address on switch
ERS5520-1 Step 1 – Set the IP address of the switch
5520-24T-1(config)# interface vlan 201
5520-24T-1(config-if)# ip address 47.133.56.66 netmask 255.255.255.0
5520-24T-1(config-if)# exit
ERS5520-1 Step 2 – Add the default route
5520-24T-1(config)# ip routing
5520-24T-1(config)# ip route 0.0.0.0 0.0.0.0 47.133.56.1 1
1.4.1.8 Configure RADIUS server
ERS5520-1 Step 1 – Add the RADIUS server using key 'nortel'
5520-24T-1(config)# radius-server host 47.133.56.101 key
Enter key: ******
Confirm key: ******
Please note that at this time, non-EAP MAC RADIUS accounting is not supported. Hence this example does not include the step to enable RADIUS accounting. If you wish, you can enable RADIUS accounting using the command radius accounting enable.
1.4.1.9 Enable EAP globally
ERS5520-1 Step 1 – Enable non-EAP (NEAP)
5520-24T-1(config)# eapol multihost allow-non-eap-enable
ERS5520-1 Step 2 – Enable RADIUS authentication for non-EAP (NEAP)
5520-24T-1(config)# eapol multihost radius-non-eap-enable
ERS5520-1 Step 3 – Enable RADIUS-assigned VLANs for non-EAP (NEAP) clients
5520-24T-1(config)# eapol multihost non-eap-use-radius-assigned-vlan
ERS5520-1 Step 4 – Remove the default NEAP password format of IpAddr.MACAddr.PortNumber
5520-24T-1(config)# no eapol multihost non-eap-pwd-fmt
ERS5520-1 Step 5 – Enable the NEAP password format of MAC address only
5520-24T-1(config)# eapol multihost non-eap-pwd-fmt mac-addr
ERS5520-1 Step 6 – Enable EAP globally
5520-24T-1(config)# eapol enable
1.4.1.10 Enable EAP at interface level
ERS5520-1 Step 1 – Enable EAP on ports 14-20 with NEAP, set the maximum allowable EAP and NEAP clients to 1, enable RADIUS authentication and RADIUS-assigned VLANs for NEAP clients, and enable EAP multihost
5520-24T-1(config)# interface fastEthernet 14-20
5520-24T-1(config-if)# eapol status auto
5520-24T-1(config-if)# eapol multihost allow-non-eap-enable
5520-24T-1(config-if)# eapol multihost eap-mac-max 1
5520-24T-1(config-if)# eapol multihost non-eap-mac-max 1
5520-24T-1(config-if)# eapol multihost radius-non-eap-enable
5520-24T-1(config-if)# eapol multihost non-eap-use-radius-assigned-vlan
5520-24T-1(config-if)# eapol multihost enable
5520-24T-1(config-if)# exit
1.4.2 ERS 5520 Switch: Verify Operations
1.4.2.1 Verify EAP Global and Port Configuration
Step 1 – Verify that EAP has been enabled globally and on the correct ports:
5520-24T-1# show eapol port 14-20
Result:
EAPOL Administrative State: Enabled
Port-mirroring on EAP ports: Disabled
EAPOL User Based Policies: Disabled
EAPOL User Based Policies Filter On MAC Addresses: Disabled

Port: 14
Admin Status: Auto
Auth: No
Admin Dir: Both
Oper Dir: Both
ReAuth Enable: No
ReAuth Period: 3600
Quiet Period: 60
Xmit Period: 30
Supplic Timeout: 30
Server Timeout: 30
Max Req: 2
RDS DSE: No
...
Port: 20
Admin Status: Auto
Auth: No
Admin Dir: Both
Oper Dir: Both
ReAuth Enable: No
ReAuth Period: 3600
Quiet Period: 60
Xmit Period: 30
Supplic Timeout: 30
Server Timeout: 30
Max Req: 2
RDS DSE: No
On the ERS5520 verify the following information:
Option                        Verify
EAPOL Administrative State    Verify that EAPOL is Enabled globally.
EAPOL User Based Policies     Verify that EAPOL policies are Enabled globally.
Admin Status                  Verify that EAP is enabled on ports 14 to 20 by checking that the Admin Status is set to Auto.
Auth                          The value will be No even if the non-EAP device has successfully authenticated; it changes to Yes only when an EAP supplicant on the port has successfully authenticated.
1.4.2.2 Verify EAP Multihost Configuration
Step 1 – Verify that EAP multihost has been configured correctly globally:
5520-24T-1# show eapol multihost
Result:
Allow Non-EAPOL Clients: Enabled
Use RADIUS To Authenticate Non-EAPOL Clients: Enabled
Allow Non-EAPOL Clients After Single Auth (MHSA): Disabled
Allow Non-EAPOL VoIP Phone Clients: Disabled
EAPOL Request Packet Generation Mode: Multicast
Allow Use of RADIUS Assigned VLANs: Disabled
Allow Use of Non-Eapol RADIUS Assigned VLANs: Enabled
Non-EAPOL RADIUS Password Attribute Format: MACAddr
Non-EAPOL User Based Policies: Enabled
Non-EAPOL User Based Policies Filter On MAC Addresses: Disabled
Use most recent RADIUS VLAN: Disabled
Step 2 – Verify that EAP multihost has been configured correctly at interface level:
5520-24T-1# show eapol multihost interface 14-20
Result:
Port: 14
MultiHost Status: Enabled
Max Eap Clients: 1
Allow Non-EAP Clients: Enabled
Max Non-EAP Client MACs: 1
Use RADIUS To Auth Non-EAP MACs: Enabled
Allow Auto Non-EAP MHSA: Disabled
Allow Non-EAP Phones: Disabled
RADIUS Req Pkt Send Mode: Multicast
Allow RADIUS VLANs: Disabled
Allow Non-EAP RADIUS VLANs: Enabled
Use most recent RADIUS VLAN: Disabled
...
Port: 20
MultiHost Status: Enabled
Max Eap Clients: 1
Allow Non-EAP Clients: Enabled
Max Non-EAP Client MACs: 1
Use RADIUS To Auth Non-EAP MACs: Enabled
Allow Auto Non-EAP MHSA: Disabled
Allow Non-EAP Phones: Disabled
RADIUS Req Pkt Send Mode: Multicast
Allow RADIUS VLANs: Disabled
Allow Non-EAP RADIUS VLANs: Enabled
Use most recent RADIUS VLAN: Disabled
Option                                          Verify
Allow Non-EAPOL Clients                         Verify that non-EAPOL (NEAP) is Enabled globally and at interface level.
Use RADIUS To Authenticate Non-EAPOL Clients    Verify that the option to use RADIUS to authenticate non-EAPOL clients is Enabled globally and at interface level.
Non-EAPOL RADIUS Password Attribute Format      Verify that the non-EAP password format is set to MACAddr. Please note that some older software releases required a period "." before and after the MAC address.
Allow Non-EAP RADIUS VLANs                      Verify that non-EAPOL RADIUS VLANs is Enabled globally and at interface level.
1.4.2.3 Verify EAP Multihost Status
Step 1 – Assuming Siemens devices on ports 14 & 15 and Philips devices on ports 19 & 20, verify the device MAC addresses:
5520-24T-1# show eapol multihost non-eap-mac status
Result:
Port Client MAC Address State
---- ------------------ ------------------------
14   00:18:65:00:02:01  Authenticated By RADIUS
15   00:18:65:00:02:02  Authenticated By RADIUS
19   00:09:5C:00:02:03  Authenticated By RADIUS
20   00:09:5C:00:02:04  Authenticated By RADIUS
On the ERS5520 verify the following information:
Option               Verify
Port                 Displays the ports on which a device has successfully been authenticated.
Client MAC Address   If the device has successfully authenticated via NEAP, its MAC address should be shown.
State                Verify that Authenticated By RADIUS is displayed.
Step 2 – Assuming Siemens devices on ports 14 & 15 and Philips devices on ports 19 & 20, verify VLAN membership:
5520-24T-1# show vlan interface info 14-20
Result:
     Filter   Filter
     Untagged Unregistered
Port Frames   Frames       PVID PRI Tagging  Name
---- -------- ------------ ---- --- -------- ----------------
14   No       Yes          1600 0   UntagAll Port 14
15   No       Yes          1600 0   UntagAll Port 15
16   No       Yes          3000 0   UntagAll Port 16
17   No       Yes          3000 0   UntagAll Port 17
18   No       Yes          3000 0   UntagAll Port 18
19   No       Yes          1500 0   UntagAll Port 19
20   No       Yes          1500 0   UntagAll Port 20
5520-24T-1# show vlan
Result:
Id   Name                 Type     Protocol         User PID Active IVL/SVL Mgmt
---- -------------------- -------- ---------------- -------- ------ ------- ----
1    VLAN #1              Port     None             0x0000   Yes    IVL     No
     Port Members: 1-19,21-22
201  mgmt                 Port     None             0x0000   Yes    IVL     No
     Port Members: 23-24
1500 philips              Port     None             0x0000   Yes    IVL     No
     Port Members: 19-20,23-24
1600 siemens              Port     None             0x0000   Yes    IVL     No
     Port Members: 14-15,23-24
3000 general              Port     None             0x0000   Yes    IVL     No
     Port Members: 14-20,23-24
Total VLANs: 5
On ERS5520-1, verify the following information:
Option               Verify
PVID, Port Members   Assuming two Philips devices on ports 19 & 20 and two Siemens devices on ports 14 & 15: ports 14 & 15 should be members of VLAN 1600 with a PVID of 1600, and ports 19 & 20 should be members of VLAN 1500 with a PVID of 1500.
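As an added example (not part of the Avaya guide), the following Python script parses the two outputs verified above, constructed here from the guide’s tables, and reports any RADIUS-authenticated device whose port PVID is not the VLAN its vendor prefix should have received; port 15 in the sample is deliberately left at the default PVID so the report has something to show. The expected VLAN map is the guide’s Philips and Siemens assignment.

```python
# Added example, not from the Avaya guide: cross-checks the two outputs
# verified in section 1.4.2.3.  It parses 'show eapol multihost
# non-eap-mac status' and 'show vlan interface info' and reports any port
# whose RADIUS-authenticated device has a PVID other than the VLAN its
# vendor prefix should have been assigned (left in the default VLAN 3000,
# or placed in the wrong vendor VLAN).  Sample outputs are constructed
# from the guide's tables, with port 15 deliberately left at PVID 3000.
import re

EXPECTED_VLAN = {"00095C": 1500, "00251B": 1500, "001865": 1600}
DEFAULT_VLAN = 3000

NEAP_STATUS = """\
Port Client MAC Address State
---- ------------------ ------------------------
14   00:18:65:00:02:01  Authenticated By RADIUS
15   00:18:65:00:02:02  Authenticated By RADIUS
19   00:09:5C:00:02:03  Authenticated By RADIUS
20   00:09:5C:00:02:04  Authenticated By RADIUS
"""

VLAN_INFO = """\
     Filter   Filter
     Untagged Unregistered
Port Frames   Frames       PVID PRI Tagging  Name
---- -------- ------------ ---- --- -------- -------
14   No       Yes          1600 0   UntagAll Port 14
15   No       Yes          3000 0   UntagAll Port 15
16   No       Yes          3000 0   UntagAll Port 16
19   No       Yes          1500 0   UntagAll Port 19
20   No       Yes          1500 0   UntagAll Port 20
"""


def parse_neap_status(text):
    """{port: (MAC as 12 hex digits, state)} for each data row."""
    pat = r"^\s*(\d+)\s+([0-9A-Fa-f:]{17})\s+(.+?)\s*$"
    return {int(p): (mac.replace(":", "").upper(), state)
            for p, mac, state in re.findall(pat, text, re.M)}


def parse_pvids(text):
    """{port: PVID} from the VLAN interface table."""
    pat = r"^\s*(\d+)\s+\S+\s+\S+\s+(\d+)\s+\d+\s+\S+"
    return {int(p): int(pvid) for p, pvid in re.findall(pat, text, re.M)}


def find_mismatches(neap_text, vlan_text):
    """[(port, mac, expected_vlan, actual_pvid)] for authenticated devices
    whose port PVID is not the VLAN their vendor prefix maps to.  A port
    missing from the VLAN table is treated as still in the default VLAN."""
    pvids = parse_pvids(vlan_text)
    problems = []
    for port, (mac, state) in parse_neap_status(neap_text).items():
        if state != "Authenticated By RADIUS":
            continue
        expected = EXPECTED_VLAN.get(mac[:6])
        actual = pvids.get(port, DEFAULT_VLAN)
        if expected is None or actual != expected:
            problems.append((port, mac, expected, actual))
    return problems
```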
1.4.3 IDE Setup
1.4.3.1 Create a new Nortel device template
IDE Step 1 – Go to Site Configuration -> Provisioning -> Vendor/VSA’s -> Nortel -> Device Template -> New
IDE Step 2 – Name the new Nortel device template (Nortel-VLAN in this example), set the VLAN Method to Use VLAN ID, set the MAC Address Source to Inbound-User-Name, and click OK
IDE Step 3 – Click Done to complete the configuration
Please note that you must change the Avaya switch device template MAC Address Source from the default setting of Inbound-Calling-Station-Id to Inbound-User-Name for device authentication to work when using an Avaya ERS switch as an EAP authenticator. This applies only to device authentication, not to user authentication.