How it Works
show menu
Avaya
Loading...
ERS 8600
Configuration Manual
420 pgs3.14 Mb0
Manual
61 pgs360.28 Kb0
Technical Configuration Manual
71 pgs1.06 Mb0

Avaya ERS 8600, ERS 5500, ERS 5600, ERS 8300, ERS 4500 Technical Configuration Manual

...
0 (0)
Switch User Authentication using
Identity Engines Ignition Server Technical Configuration Guide
Avaya Data Solutions
Document Date: July 2010 Document Number: NN48500-589 Document Version: 1.1
Identity Engines Ignition Server Ethernet Routing Switch 8600, 8300, 1600, 5500, 5600, 4500, 2500
Engineering
2
avaya.com
© 2010 Avaya Inc. All Rights Reserved.
Notices
While reasonable efforts have been made to ensure that the information in this document is complete and accurate at the time of printing, Avaya assumes no liability for any errors. Avaya reserves the right to make changes and corrections to the information in this document without the obligation to notify any person or organization of such changes.
Documentation disclaimer
Avaya shall not be responsible for any modifications, additions, or deletions to the original published version of this documentation unless such modifications, additions, or deletions were performed by Avaya. End User agree to indemnify and hold harmless Avaya, Avaya’s agents, servants and employees against all claims, lawsuits, demands and judgments arising out of, or in connection with, subsequent modifications, additions or deletions to this documentation, to the extent made by End User.
Link disclaimer
Avaya is not responsible for the contents or reliability of any linked Web sites referenced within this site or documentation(s) provided by Avaya. Avaya is not responsible for the accuracy of any information, statement or content provided on these sites and does not necessarily endorse the products, services, or information described or offered within them. Avaya does not guarantee that these links will work all the time and has no control over the availability of the linked pages.
Warranty
Avaya provides a limited warranty on this product. Refer to your sales agreement to establish the terms of the limited warranty. In addition, Avaya’s standard warranty language, as well as information regarding support for this product, while under warranty, is available to Avaya customers and other parties through the Avaya Support Web site: http://www.avaya.com/support
Please note that if you acquired the product from an authorized reseller, the warranty is provided to you by said reseller and not by Avaya.
Licenses
THE SOFTWARE LICENSE TERMS AVAILABLE ON THE AVAYA WEBSITE, HTTP://SUPPORT.AVAYA.COM/LICENSEINFO/ ARE APPLICABLE TO ANYONE WHO DOWNLOADS, USES AND/OR INSTALLS AVAYA SOFTWARE, PURCHASED FROM AVAYA INC., ANY AVAYA AFFILIATE, OR AN AUTHORIZED AVAYA RESELLER (AS APPLICABLE) UNDER A COMMERCIAL AGREEMENT WITH AVAYA OR AN AUTHORIZED AVAYA RESELLER. UNLESS OTHERWISE AGREED TO BY AVAYA IN WRITING, AVAYA DOES NOT EXTEND THIS LICENSE IF THE SOFTWARE WAS OBTAINED FROM ANYONE OTHER THAN AVAYA, AN AVAYA AFFILIATE OR AN AVAYA AUTHORIZED RESELLER, AND AVAYA RESERVES THE RIGHT TO TAKE LEGAL ACTION AGAINST YOU AND ANYONE ELSE USING OR SELLING THE SOFTWARE WITHOUT A LICENSE. BY INSTALLING, DOWNLOADING OR USING THE SOFTWARE, OR AUTHORIZING OTHERS TO DO SO, YOU, ON BEHALF OF YOURSELF AND THE ENTITY FOR WHOM YOU ARE INSTALLING, DOWNLOADING OR USING THE SOFTWARE (HEREINAFTER REFERRED TO INTERCHANGEABLY AS "YOU" AND "END USER"), AGREE TO THESE TERMS AND CONDITIONS AND CREATE A BINDING CONTRACT BETWEEN YOU AND AVAYA INC. OR THE APPLICABLE AVAYA AFFILIATE ("AVAYA").
Copyright
Except where expressly stated otherwise, no use should be made of the Documentation(s) and Product(s) provided by Avaya. All content in this documentation(s) and the product(s) provided by Avaya including the selection, arrangement and design of the content is owned either by Avaya or its licensors and is protected by copyright and other intellectual property laws including the sui generis rights relating to the protection of databases. You may not modify, copy, reproduce, republish, upload, post, transmit or distribute in any way any content, in whole or in part, including any code and software. Unauthorized reproduction, transmission, dissemination, storage, and or use without the express written consent of Avaya can be a criminal, as well as a civil offense under the applicable law.
Third Party Components
Certain software programs or portions thereof included in the Product may contain software distributed under third party agreements ("Third Party Components"), which may contain terms that expand or limit rights to use certain portions of the Product ("Third Party Terms"). Information regarding distributed Linux OS source code (for those Products that have distributed the Linux OS source code), and identifying the copyright holders of the Third Party Components and the Third Party Terms that apply to them is available on the Avaya Support Web site: http://support.avaya.com/Copyright.
Trademarks
The trademarks, logos and service marks ("Marks") displayed in this site, the documentation(s) and product(s) provided by Avaya are the registered or unregistered Marks of Avaya, its affiliates, or other third parties. Users are not permitted to use such Marks without prior written consent from Avaya or such third party which may own the Mark. Nothing contained in this site, the documentation(s) and product(s) should be construed as granting, by implication, estoppel, or otherwise, any license or right in and to the Marks without the express written permission of Avaya or the applicable third party. Avaya is a registered trademark of Avaya Inc. All non-Avaya trademarks are the property of their respective owners.
Downloading documents
For the most current versions of documentation, see the Avaya Support. Web site: http://www.avaya.com/support.
Contact Avaya Support
Avaya provides a telephone number for you to use to report problems or to ask questions about your product. The support telephone number is 1-800-242-2121 in the United States. For additional support telephone numbers, see the Avaya Web site: http:// www.avaya.com/support.
Switch User Authentication using Identity Engines Ignition Server Technical Configuration Guide
3
avaya.com
No
Date
Version
Revised by
Remarks
1
10/09/2009
1.0
JVE
Initial Release
Abstract
Revision Control
Switch User Authentication using Identity Engines Ignition Server Technical Configuration Guide
4
avaya.com
Table of Contents
Document Updates ..................................................................................................................................... 5
Conventions ................................................................................................................................................ 5
1. Overview: RADIUS User Authentication using Identify Engines .................................................... 6
1.1 RADIUS Support on Avaya Switches ........................................................................................... 6
1.2 User Authentication using ERS1600, ERS8300, or ERS8600 ..................................................... 6
1.3 User Authentication using ERS5600, ERS5500, ERS4500, or ERS2500 .................................... 7
2. ERS8600 Switch Configuration Example .......................................................................................... 8
2.1 Part 1: Basic AAA Configuation .................................................................................................... 8
2.2 Part 2: ERS8600 Configuration with Specific Commands Disabled ........................................... 38
3. ERS5600 Switch Configuration Example ........................................................................................ 47
3.1 ERS5600 Configuration .............................................................................................................. 47
3.2 IDE Setup .................................................................................................................................... 48
3.3 Verification ................................................................................................................................... 68
4. Software Baseline .............................................................................................................................. 72
5. Reference Documentation ................................................................................................................ 72
6. Customer service ............................................................................................................................... 73
6.1 Getting technical documentation ................................................................................................. 73
6.2 Getting product training ............................................................................................................... 73
6.3 Getting help from a distributor or reseller .................................................................................... 73
6.4 Getting technical support from the Avaya Web site .................................................................... 73
Switch User Authentication using Identity Engines Ignition Server Technical Configuration Guide
5
avaya.com
Tip – Highlights a configuration or technical tip.
Note – Highlights important information to the reader.
Warning – Highlights important information about an action that may result in equipment damage, configuration or data loss.
Bold text indicates emphasis.
Italic text in a Courier New font indicates text the user must enter or select in a menu item, button or command:
ERS5520-48T# show running-config
Output examples from Avaya devices are displayed in a Lucinda Console font:
ERS5520-48T# show running-config
! Embedded ASCII Configuration Generator Script
! Model = Ethernet Routing Switch 5520-24T-PWR
! Software version = v5.0.0.011
enable
configure terminal
Document Updates
July 2010
Conventions
This section describes the text, image, and command conventions used in this document.
Symbols:
Text:
Switch User Authentication using Identity Engines Ignition Server Technical Configuration Guide
6
avaya.com
RADIUS authenti­cation
802.1x (EAP) RADIUS authenti­cation
RADIUS accoun­ting
802.1x (EAP) RADIUS account­ing
RADIUS account­ing for CLI commands
RADIUS user access profile
RADIUS SNMP account­ing
ERS 8600
Yes
Yes
Yes
Yes
Yes
Yes
Yes
ERS 8300
Yes
Yes
Yes
Yes
Yes
Yes
No
ERS 1600
Yes
Yes
Yes
Yes
Yes
Yes
No
ES 460/470
Yes
Yes
No
No
No
No
No
ERS 2500
Yes
Yes
No
Yes
No
No
No
ERS 4500
Yes
Yes
No
Yes
No
No
No
ERS 5500
Yes
Yes
No
Yes
No
No
No
ERS 5600
Yes
Yes
No
Yes
No
No
No
Access Level
VSA Attribute 26 – Vendor Identifier 1584 Type 192 value
None-Access
0
Read-Only-Access
1
Layer 1-Read-Write-Access
2
Layer 2-Read-Write-Access
3
Layer 3-Read-Write-Access
4
1. Overview: RADIUS User Authentication using Identify Engines
This document provides the framework for implementing user Authentication, Authorization, and Accounting for Avaya switches.
1.1 RADIUS Support on Avaya Switches
1.2 User Authentication using ERS1600, ERS8300, or ERS8600
The ERS1600, ERS8300, and ERS8600 each support six different user access levels. The access level is determined by the RADIUS attribute value sent back to the switch. The switch uses RADIUS Vendor­Specific Attributes (IETF Attribute 26) to support its own extended attributes. Vendor identifier 1584 (Bay Networks) attribute type 192 is used where the value is a number from 0 to 6. The following chart displays the RADIUS attribute values and corresponding access level.
Switch User Authentication using Identity Engines Ignition Server Technical Configuration Guide
7
avaya.com
Read-Write-Access
5
Read-Write-All-Access
6
In addition, on the ERS8600 only, via vendor identifier 1584 attribute type 194, if is set to a value of 0, you can enter a list of CLI commands not allowed for a user. The CLI command is entered using the RADIUS string value configured via RADIUS vendor identifier 1584 attribute type 195.
1.3 User Authentication using ERS5600, ERS5500, ERS4500, or ERS2500
The ERS5600, ERS5500, ERS4500, and ERS2500 each support two different user access levels which are read-only or read-write. RADIUS attribute type 6, Service-Type, is used to determine the access level. The following displays the complete list of RADIUS attribute values for the RADIUS Service-Type attribute where value 6 (Administrative) is used for read-write access and value 7 (NAS Prompt) is used for read­only access
Sub-registry: Values for RADIUS Attribute 6, Service-Type Reference: [RFC2865][RFC3575] Registration Procedures: IETF Consensus
Registry: Value Description Reference
----- ------------------------------- --------­1 Login 2 Framed 3 Callback Login 4 Callback Framed 5 Outbound
6 Administrative 7 NAS Prompt
8 Authenticate Only 9 Callback NAS Prompt 10 Call Check 11 Callback Administrative 12 Voice [Chiba] 13 Fax [Chiba] 14 Modem Relay [Chiba] 15 IAPP-Register [IEEE 802.11f][Kerry] 16 IAPP-AP-Check [IEEE 802.11f][Kerry] 17 Authorize Only [RFC3576] 18 Framed-Management [RFC5607]
Switch User Authentication using Identity Engines Ignition Server Technical Configuration Guide
8
avaya.com
ERS8600-1 Step 1 – Add out-of-band IP address and route
ERS-8606:5# config bootconfig net mgmt ip 47.133.60.25/24
ERS-8606:5# config bootconfig net mgmt route add 47.0.0.0/8 47.133.60.1
ERS8600-1 Step 1 – Add RADIUS server, enable RADIUS, and enable RADIUS accounting
ERS-8606:5# config radius server create 47.133.56.101 secret nortel priority 1
ERS-8606:5# config radius enable true
ERS-8606:5# config radius acct-enable true
ERS-8606:5# config radius acct-include-cli-commands true
2. ERS8600 Switch Configuration Example
For this configuration example, we will enable RADIUS user authentication on ERS8600-1 using the out­of-band management port. We will configure the Identity Engines RADIUS server with the following three users:
User name with read-only access: 8600ro  User name with read-write access: 8600rw  User name with read-write-all access: 8600rwa
For this example, we will break down the configuration into two parts. In part one, we will simply add AAA services for the three users shown above. Part two is a continuation of part one with the addition of showing how to restrict certain CLI commands. In part two, we will pick the read-write user and deny access to QoS and filter configuration for this user.
2.1 Part 1: Basic AAA Configuation
2.1.1 ERS8600 Configuration
Assuming we are using the out-of-band management port.
2.1.1.1 Add out-of-band IP address
2.1.1.2 Enable RADIUS
Switch User Authentication using Identity Engines Ignition Server Technical Configuration Guide
9
avaya.com
When configuring the RADIUS server on the ERS8600, you can configure the switch with a RADIUS source-IP address which in turn will be the IP address used for RADIUS requests. The RADIUS source-IP address must be a circuit-less IP address (CLIP) or otherwise known as a loopback address. If you do not enable a RADIUS source-IP address, by default, the ERS8600 uses the IP address of the outgoing interface as the source IP address for RADIUS. Unfortunately, although you can create and enable a RADIUS source-IP when using the out-of-band management port, this feature is not supported on the out-of-band management port. Hence, if you have two CP cards, you will have to configure two RADIUS Authenticators on the RADIUS server.
Step 1 Verify that RADIUS has been enabled globally
ERS-8606:5# show radius info
Result:
Sub-Context: clear config dump monitor mplsping mplstrace peer show switchover test trace
Current Context:
acct-attribute-value : 193
acct-enable : true
acct-include-cli-commands : true
access-priority-attribute : 192
auth-info-attr-value : 91
command-access-attribute : 194
cli-commands-attribute : 195
cli-cmd-count : 40
cli-profile-enable : false
enable : true
igap-passwd-attr : standard
igap-timeout-log-fsize : 512
maxserver : 10
mcast-addr-attr-value : 90
sourceip-flag : false
2.1.2 ERS 8600 Switch: Verify Operations
2.1.2.1 Verify RADIUS Global Settings
Switch User Authentication using Identity Engines Ignition Server Technical Configuration Guide
10
avaya.com
Option
Verify
Acct-enable acct-include-cli-
commands
Verify that the CLI accounting is set to true globally
enable
Verify that enable is set to true globally telling us that RADIUS is enabled
Access Level
Attribute Value
User Name
None-Access
0 Read-Only-Access
1
8600ro
L1-Read-Write-Access
2 L2-Read-Write-Access
3
L3-Read-Write-Access
4
Read-Write-Access
5
8600rw
Read-Write-All-Access
6
8600rwa
Via 8600-1, verify the following information:
2.1.3 IDE Setup
2.1.3.1 Configure an Outbound Attribute on Ignition Server for VLAN
The following chart displays the outbound attribute values required by the ERS8600 for each access level for RADIUS vendor identifier 1584 (Bay Networks) attribute type 192. For this example, we will configure IDE with attribute values of 1, 5, and 6.
Switch User Authentication using Identity Engines Ignition Server Technical Configuration Guide
11
avaya.com
IDE Step 1 – IDE already has the vendor specific attributes defined (Bay Networks vendor code 1584 using attribute type 192) for the ERS8600 which can be viewed by going to Site Configuration -> Provisioning -> Vendors/VSAs -> Bay-Networks -> VSA Definitions.
IDE Step 2 – Go to Site Configuration -> Provisioning -> Outbound Attributes -> New
Switch User Authentication using Identity Engines Ignition Server Technical Configuration Guide
12
avaya.com
IDE Step 3 – Via the Outbound Attribute window, type in a name for the attribute to be used for access priority (i.e. ERS8600-Access-Priority as used in this example), click the VSA radio button, select Bay-Networks via Vendor and ERS8xxx-Access-Priority via VSA. Click on OK when done
IDE Step 4 – Go to Site Configuration -> Provisioning -> Outbound Values -> New
Switch User Authentication using Identity Engines Ignition Server Technical Configuration Guide
13
avaya.com
IDE Step 5 – Using the Outbound Attribute created in Step 3, we will first add an attribute value of 1 for read-only-access. Start by entering a name via the Outbound Value Name: window (i.e. 8600-ro as used in this example) and click on New
IDE Step 6 – Select the Outbound Attributes name created in Step 3 (i.e. ERS8600-Access­Priority as used in this example) via the Choose Global Outbound Attribute: pull down menu. In the Value Unsigned – 32 bit window, enter 1 (i.e. value of 1 signifies read-only­access). Click on OK twice when done.
Switch User Authentication using Identity Engines Ignition Server Technical Configuration Guide
14
avaya.com
IDE Step 7 – Go to Site Configuration -> Provisioning -> Outbound Values -> New again to create the outbound attribute for read-write-access. Using the Outbound Attribute created in Step 3, we will add an attribute value of 5 for read-write-access. Start by entering a name via the Outbound Value Name: window (i.e. 8600-rw as used in this example) and click on New
IDE Step 8 –Select the Outbound Attributes name created in Step 3 (i.e. ERS8600-Access­Priority as used in this example) via the Choose Global Outbound Attribute: pull down menu. In the Value Unsigned – 32 bit window, enter 5 (i.e. value of 5 signifies read-write­access). Click on OK twice when done.
Switch User Authentication using Identity Engines Ignition Server Technical Configuration Guide
15
avaya.com
IDE Step 9 – Go to Site Configuration -> Provisioning -> Outbound Values -> New again to create the outbound attribute for read-write-all-access. Using the Outbound Attribute created in Step 3, we will add an attribute value of 6 for read-write-all-access. Start by entering a name via the Outbound Value Name: window (i.e. 8600-rwa as used in this example) and click on New
IDE Step 10 –Select the Outbound Attributes name created in Step 3 (i.e. ERS8600-Access­Priority as used in this example) via the Choose Global Outbound Attribute: pull down menu. In the Value Unsigned – 32 bit window, enter 6 (i.e. value of 6 signifies read-write-all­access). Click on OK twice when done.
Switch User Authentication using Identity Engines Ignition Server Technical Configuration Guide
16
avaya.com
User Name
Access Level
8600ro
Read-Only-Access
8600rw
Read-Write-Access
8600rwa
Read-Write-All-Access
IDE Step 1 – Start by going to Site Configuration -> Directories -> Internal Store -> Internal Users and click on New
2.1.3.2 Add Users
For this configuration example, we will add the following users.
Switch User Authentication using Identity Engines Ignition Server Technical Configuration Guide
17
avaya.com
IDE Step 2 – Enter the user name for read-only-access via User Name: (i.e. 8600ro as used in this example) and enter the password for this user via Password and Confirm Password. Click on OK when done. If you wish, you can also change the expiry date via Password Expires if you do not wish to use the default setting of one year
Switch User Authentication using Identity Engines Ignition Server Technical Configuration Guide
18
avaya.com
IDE Step 3 – Repeat step 2 again by clicking on New to add the read-write-access user. Enter the user name for read-write-access via User Name: (i.e. 8600rw as used in this example) and enter the password for this user via Password and Confirm Password. Click on OK when done. If you wish, you can also change the expiry date via Password Expires if you do not wish to use the default setting of one year
Switch User Authentication using Identity Engines Ignition Server Technical Configuration Guide
19
avaya.com
IDE Step 4 – Repeat step 2 for the final time by clicking on New to add the read-write-all­access user. Enter the user name for read-write-all-access via User Name: (i.e. 8600rwa as used in this example) and enter the password for this user via Password and Confirm
Password. Click on OK when done. If you wish, you can also change the expiry date via Password Expires if you do not wish to use the default setting of one year
Switch User Authentication using Identity Engines Ignition Server Technical Configuration Guide
20
avaya.com
IDE Step 1 – Go to Site Configuration -> Access Policies -> RADIUS. Right-click RADIUS and select New Access Policy. Enter a policy name (i.e. ERS8600-Access as used in this example) and click on OK when done
2.1.3.3 Add an Access Policy
Switch User Authentication using Identity Engines Ignition Server Technical Configuration Guide
21
avaya.com
IDE Step 2 – Click on the policy we just created, i.e. ERS8600-Access, and click on Edit via the Authentication Policy tab
IDE Step 3 – Under Edit Authentication Policy window, select NONE -> PAP
Switch User Authentication using Identity Engines Ignition Server Technical Configuration Guide
22
avaya.com
IDE Step 4 – Go to the Identity Routing tab and click on Edit
IDE Step 5 – Check off the Enable Default Directory Set and click on OK when done.
Switch User Authentication using Identity Engines Ignition Server Technical Configuration Guide
Loading...
+ 51 hidden pages
Privacy Policy Cookie Policy Terms of Use