Nortel Secure Network Access Switch 4050 User Manual

Part No. 320818-A December 2005
4655 Great America Parkway Santa Clara, CA 95054
Nortel Secure Network Access Switch 4050 User Guide
Nortel Secure Network Access Switch Software Release 1.0
Copyright © Nortel Networks Limited 2005. All rights reserved.
The information in this document is subject to change without notice. The statements, configurations, technical data, and recommendations in this document are believed to be accurate and reliable, but are presented without express or implied warranty. Users must take full responsibility for their applications of any products specified in this document. The information in this document is proprietary to Nortel Networks Inc.
The software described in this document is furnished under a license agreement and may be used only in accordance with the terms of that license. The software license agreement is included in this document.
Trademarks
*Nortel, Nortel Networks, the Nortel logo, the Globemark, Passport, BayStack, and Contivity are trademarks of Nortel Networks.
All other products or services may be trademarks or registered trademarks of their respective owners.
The asterisk after a name denotes a trademarked item.
Restricted rights legend
Use, duplication, or disclosure by the United States Government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013.
Notwithstanding any other license agreement that may pertain to, or accompany the delivery of, this computer software, the rights of the United States Government regarding its use, reproduction, and disclosure are as set forth in the Commercial Computer Software-Restricted Rights clause at FAR 52.227-19.
Export
This product, software and related technology is subject to U.S. export control and may be subject to export or import regulations in other countries. Purchaser must strictly comply with all such laws and regulations. A license to export or reexport may be required by the U.S. Department of Commerce.
Statement of conditions
In the interest of improving internal design, operational function, and/or reliability, Nortel Networks Inc. reserves the right to make changes to the products described in this document without notice.
Nortel Networks Inc. does not assume any liability that may occur due to the use or application of the product(s) or circuit layout(s) described herein.
Portions of the code in this software product may be Copyright © 1988, Regents of the University of California. All rights reserved. Redistribution and use in source and binary forms of such portions are permitted, provided that the above copyright notice and this paragraph are duplicated in all such forms and that any documentation, advertising materials, and other materials related to such distribution and use acknowledge that such portions of the software were developed by the University of California, Berkeley. The name of the University may not be used to endorse or promote products derived from such portions of the software without specific prior written permission.
SUCH PORTIONS OF THE SOFTWARE ARE PROVIDED “AS IS” AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
In addition, the program and information contained herein are licensed only pursuant to a license agreement that contains restrictions on use and disclosure (that may incorporate by reference certain limitations and notices imposed by third parties).
Licensing
This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/).
This product includes cryptographic software written by Eric Young (eay@cryptsoft.com).
This product includes software written by Tim Hudson (tjh@cryptsoft.com).
This product includes software developed by the Apache Software Foundation (http://www.apache.org/).
This product includes a TAP-Win32 driver derived from the CIPE-Win32 kernel driver, Copyright © Damion K. Wilson, and is licensed under the GPL.
Portions of the TunnelGuard code include software licensed from The Legion of the Bouncy Castle.
See Appendix H, “Software licensing information,” on page 905 for more information.
Nortel Networks Inc. software license agreement
This Software License Agreement (“License Agreement”) is between you, the end-user (“Customer”) and Nortel Networks Corporation and its subsidiaries and affiliates (“Nortel Networks”). PLEASE READ THE FOLLOWING CAREFULLY. YOU MUST ACCEPT THESE LICENSE TERMS IN ORDER TO DOWNLOAD AND/OR USE THE SOFTWARE. USE OF THE SOFTWARE CONSTITUTES YOUR ACCEPTANCE OF THIS LICENSE AGREEMENT. If you do not accept these terms and conditions, return the Software, unused and in the original shipping container, within 30 days of purchase to obtain a credit for the full purchase price.
“Software” is owned or licensed by Nortel Networks, its parent or one of its subsidiaries or affiliates, and is copyrighted and licensed, not sold. Software consists of machine-readable instructions, its components, data, audio-visual content (such as images, text, recordings or pictures) and related licensed materials including all whole or partial copies. Nortel Networks grants you a license to use the Software only in the country where you acquired the Software. You obtain no rights other than those granted to you under this License Agreement. You are responsible for the selection of the Software and for the installation of, use of, and results obtained from the Software.
1. Licensed Use of Software. Nortel Networks grants Customer a nonexclusive license to use a copy of the Software on only one machine at any one time or to the extent of the activation or authorized usage level, whichever is applicable. To the extent Software is furnished for use with designated hardware or Customer furnished equipment (“CFE”), Customer is granted a nonexclusive license to use Software only on such hardware or CFE, as applicable. Software contains trade secrets and Customer agrees to treat Software as confidential information using the same care and discretion Customer uses with its own similar information that it does not wish to disclose, publish or disseminate. Customer will ensure that anyone who uses the Software does so only in compliance with the terms of this Agreement. Customer shall not a) use, copy, modify, transfer or distribute the Software except as expressly authorized; b) reverse assemble, reverse compile, reverse engineer or otherwise translate the Software; c) create derivative works or modifications unless expressly authorized; or d) sublicense, rent or lease the Software. Licensors of intellectual property to Nortel Networks are beneficiaries of this provision. Upon termination or breach of the license by Customer or in the event designated hardware or CFE is no longer in use, Customer will promptly return the Software to Nortel Networks or certify its destruction. Nortel Networks may audit by remote polling or other reasonable means to determine Customer’s Software activation or usage levels. If suppliers of third party software included in Software require Nortel Networks to include additional or different terms, Customer agrees to abide by such terms provided by Nortel Networks with respect to such third party software.
2. Warranty. Except as may be otherwise expressly agreed to in writing between Nortel Networks and Customer, Software is provided “AS IS” without any warranties (conditions) of any kind. NORTEL NETWORKS DISCLAIMS ALL WARRANTIES (CONDITIONS) FOR THE SOFTWARE, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE AND ANY WARRANTY OF NON-INFRINGEMENT. Nortel Networks is not obligated to provide support of any kind for the Software. Some jurisdictions do not allow exclusion of implied warranties, and, in such event, the above exclusions may not apply.
3. Limitation of Remedies. IN NO EVENT SHALL NORTEL NETWORKS OR ITS AGENTS OR SUPPLIERS BE LIABLE FOR ANY OF THE FOLLOWING: a) DAMAGES BASED ON ANY THIRD PARTY CLAIM; b) LOSS OF, OR DAMAGE TO, CUSTOMER’S RECORDS, FILES OR DATA; OR c) DIRECT, INDIRECT, SPECIAL, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES (INCLUDING LOST PROFITS OR SAVINGS), WHETHER IN CONTRACT, TORT OR OTHERWISE (INCLUDING NEGLIGENCE) ARISING OUT OF YOUR USE OF THE SOFTWARE, EVEN IF NORTEL NETWORKS, ITS AGENTS OR SUPPLIERS HAVE BEEN ADVISED OF THEIR POSSIBILITY. The foregoing limitations of remedies also apply to any developer and/or supplier of the Software. Such developer and/or supplier is an intended beneficiary of this Section. Some jurisdictions do not allow these limitations or exclusions and, in such event, they may not apply.
4. General
a. If Customer is the United States Government, the following paragraph shall apply: All Nortel Networks Software available under this License Agreement is commercial computer software and commercial computer software documentation and, in the event Software is licensed for or on behalf of the United States Government, the respective rights to the software and software documentation are governed by Nortel Networks standard commercial license in accordance with U.S. Federal Regulations at 48 C.F.R. Sections 12.212 (for non-DoD entities) and 48 C.F.R. 227.7202 (for DoD entities).
b. Customer may terminate the license at any time. Nortel Networks may terminate the license if Customer fails to comply with the terms and conditions of this license. In either event, upon termination, Customer must either return the Software to Nortel Networks or certify its destruction.
c. Customer is responsible for payment of any taxes, including personal property taxes, resulting from Customer’s use of the Software. Customer agrees to comply with all applicable laws including all applicable export and import laws and regulations.
d. Neither party may bring an action, regardless of form, more than two years after the cause of the action arose.
e. The terms and conditions of this License Agreement form the complete and exclusive agreement between Customer and Nortel Networks.
f. This License Agreement is governed by the laws of the country in which Customer acquires the Software. If the Software is acquired in the United States, then this License Agreement is governed by the laws of the state of New York.
Contents
Preface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
Before you begin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Text conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
Related information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
Publications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
Online . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
How to get help . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
Chapter 1: Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
The Nortel SNA solution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
Elements of the NSNA solution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
Supported users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
Role of the Nortel SNAS 4050 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Nortel SNAS 4050 functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
Nortel SNA VLANs and filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
Groups and profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
Authentication methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
TunnelGuard host integrity check . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Communication channels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
Nortel SNAS 4050 clusters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
One-armed and two-armed configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
One-armed configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
Two-armed configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
Nortel SNA configuration and management tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
Nortel SNAS 4050 configuration roadmap . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
Chapter 2: Initial setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
Before you begin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
About the IP addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
Management IP address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
Portal Virtual IP address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
Real IP address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
Initial setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
Setting up a single Nortel SNAS 4050 device or the first in a cluster . . . . . . . . . . 52
Settings created by the quick setup wizard . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
Adding a Nortel SNAS 4050 device to a cluster . . . . . . . . . . . . . . . . . . . . . . . . . . 61
Before you begin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
Joining a cluster . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
Next steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
Applying and saving the configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
Applying and saving the configuration using the CLI . . . . . . . . . . . . . . . . . . . . . . . 68
Applying and saving the configuration using the SREM . . . . . . . . . . . . . . . . . . . . 68
Chapter 3: Managing the network access devices . . . . . . . . . . . . . . . . . . . 71
Before you begin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
Managing network access devices using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
Roadmap of domain commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
Adding a network access device using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
Using the quick switch setup wizard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
Manually adding a switch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
Deleting a network access device using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . 79
Configuring the network access devices using the CLI . . . . . . . . . . . . . . . . . . . . . 80
Mapping the VLANs using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
Managing SSH keys using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
Generating SSH keys for the domain using the CLI . . . . . . . . . . . . . . . . . . . . 85
Managing SSH keys for Nortel SNA communication using the CLI . . . . . . . . 88
Reimporting the network access device SSH key using the CLI . . . . . . . . . . 89
Monitoring switch health using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
Controlling communication with the network access devices using the CLI . . . . . 90
Managing network access devices using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . . 91
Adding a network access device using the SREM . . . . . . . . . . . . . . . . . . . . . . . . 91
Deleting a network access device using the SREM . . . . . . . . . . . . . . . . . . . . . . . 93
Configuring the network access devices using the SREM . . . . . . . . . . . . . . . . . . 93
Mapping the VLANs using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
Mapping VLANs by domain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
Mapping VLANs by switch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100
Managing SSH keys using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102
Generating SSH keys for the domain using the SREM . . . . . . . . . . . . . . . . . 105
Exporting SSH keys for the domain using the SREM . . . . . . . . . . . . . . . . . . 106
Managing SSH keys for Nortel SNA communication using the SREM . . . . . 109
Reimporting the network access device SSH key using the SREM . . . . . . . 110
Monitoring switch health using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
Viewing a connected client list using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . 113
Controlling communication with the network access devices using the SREM . . 115
Chapter 4: Configuring the domain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
Configuring the domain using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118
Roadmap of domain commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119
Creating a domain using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121
Manually creating a domain using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . 121
Using the Nortel SNAS 4050 domain quick setup wizard in the CLI . . . . . . . 123
Deleting a domain using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129
Configuring domain parameters using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . 130
Configuring the TunnelGuard check using the CLI . . . . . . . . . . . . . . . . . . . . . . . 132
Using the quick TunnelGuard setup wizard in the CLI . . . . . . . . . . . . . . . . . 134
Configuring the SSL server using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
Tracing SSL traffic using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136
Configuring SSL settings using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139
Configuring traffic log settings using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . 142
Configuring HTTP redirect using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144
Configuring advanced settings using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . 145
Configuring RADIUS accounting using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . 146
Managing RADIUS accounting servers using the CLI . . . . . . . . . . . . . . . . . 147
Configuring Nortel SNAS 4050-specific attributes using the CLI . . . . . . . . . 149
Configuring the domain using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150
Creating a domain using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151
Manually creating a domain using the SREM . . . . . . . . . . . . . . . . . . . . . . . . 152
Using the SREM Domain Quick Wizard . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154
Deleting a domain using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163
Configuring domain parameters using the SREM . . . . . . . . . . . . . . . . . . . . . . . . 164
Additional domain configuration in the SREM . . . . . . . . . . . . . . . . . . . . . . . . 166
Configuring the TunnelGuard check using the SREM . . . . . . . . . . . . . . . . . . . . . 168
Using the TunnelGuard Quick Setup in the SREM . . . . . . . . . . . . . . . . . . . . 172
Configuring the SSL server using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . . . 174
Configuring SSL settings using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . . 176
Configuring traffic log settings using the SREM . . . . . . . . . . . . . . . . . . . . . . 178
Tracing SSL traffic using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181
Configuring HTTP redirect using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181
Configuring RADIUS accounting using the SREM . . . . . . . . . . . . . . . . . . . . . . . 183
Configuring Nortel SNAS 4050-specific attributes using the SREM . . . . . . . 184
Managing RADIUS accounting servers using the SREM . . . . . . . . . . . . . . . 186
Chapter 5: Configuring groups and profiles . . . . . . . . . . . . . . . . . . . . . . . 191
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192
Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192
Default group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193
Linksets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194
TunnelGuard SRS rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194
Extended profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195
Before you begin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196
Configuring groups and extended profiles using the CLI . . . . . . . . . . . . . . . . . . . . . . 196
Roadmap of group and profile commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197
Configuring groups using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198
Configuring client filters using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201
Configuring extended profiles using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203
Mapping linksets to a group or profile using the CLI . . . . . . . . . . . . . . . . . . . . . . 206
Creating a default group using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 208
Configuring groups and extended profiles using the SREM . . . . . . . . . . . . . . . . . . . 208
Configuring groups using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 208
Using the guide for creating groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209
Adding a group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 210
Modifying a group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 212
Configuring client filters using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213
Adding a client filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214
Modifying a client filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217
Configuring extended profiles using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . . 219
Adding an extended profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 220
Modifying an extended profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 222
Mapping linksets to a group or profile using the SREM . . . . . . . . . . . . . . . . . . . . 223
Mapping linksets to a group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 224
Mapping linksets to a profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 227
Creating a default group using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 230
Chapter 6: Configuring authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . 233
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 234
Before you begin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 235
Configuring authentication using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 236
Roadmap of authentication commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 237
Configuring authentication methods using the CLI . . . . . . . . . . . . . . . . . . . . . . . 239
Configuring advanced settings using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . 241
Configuring RADIUS authentication using the CLI . . . . . . . . . . . . . . . . . . . . . . . 242
Adding the RADIUS authentication method using the CLI . . . . . . . . . . . . . . 243
Modifying RADIUS configuration settings using the CLI . . . . . . . . . . . . . . . . 245
Managing RADIUS authentication servers using the CLI . . . . . . . . . . . . . . . 247
Configuring session timeout using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . 249
Configuring LDAP authentication using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . 249
Adding the LDAP authentication method using the CLI . . . . . . . . . . . . . . . . 250
Modifying LDAP configuration settings using the CLI . . . . . . . . . . . . . . . . . . 252
Managing LDAP authentication servers using the CLI . . . . . . . . . . . . . . . . . 256
Managing LDAP macros using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 258
Managing Active Directory passwords using the CLI . . . . . . . . . . . . . . . . . . 260
Configuring local database authentication using the CLI . . . . . . . . . . . . . . . . . . 261
Adding the local database authentication method using the CLI . . . . . . . . . 261
Managing the local database using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . 264
Specifying authentication fallback order using the CLI . . . . . . . . . . . . . . . . . . . . 267
Configuring authentication using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 269
Configuring authentication methods using the SREM . . . . . . . . . . . . . . . . . . . . . 270
Configuring RADIUS authentication using the SREM . . . . . . . . . . . . . . . . . . . . . 271
Adding the RADIUS method and server . . . . . . . . . . . . . . . . . . . . . . . . . . . . 272
Modifying RADIUS configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 273
Managing additional RADIUS servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 279
Next steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 282
Configuring LDAP authentication using the SREM . . . . . . . . . . . . . . . . . . . . . . . 282
Adding the LDAP method and server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 283
Modifying LDAP configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 284
Managing additional LDAP servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 291
Managing LDAP macros . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 294
Next steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 298
Configuring local database authentication using the SREM . . . . . . . . . . . . . . . . 298
Adding the Local method . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 299
Populating the database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 301
Modifying Local database configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . 305
Exporting the database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 312
Next steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 313
Specifying authentication fallback order using the SREM . . . . . . . . . . . . . . . . . . 314
Saving authentication settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 316
Chapter 7: TunnelGuard SRS Builder . . . . . . . . . . . . . . . . . . . . . . . . . . . . 317
Configuring SRS rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 318
The TunnelGuard user interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 318
Menu commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 319
File menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 319
Software Definition menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 319
Software Definition Entry menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 320
TunnelGuard Rule menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 321
Tool menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 321
SRS definition toolbar . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 322
Software Definition — Available SRS list . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 323
SRS Components table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 323
Customizing a component . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 324
Memory snapshot . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 325
TunnelGuard Rule Definition screen . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 325
SRS Rule toolbar . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 325
SRS Rule list . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 326
SRS Rule Expression Constructor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 326
Managing TunnelGuard rules and expressions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 327
Creating a software definition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 327
Adding entries to a software definition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 328
Selecting modules or files from running processes . . . . . . . . . . . . . . . . . . . . 328
Selecting file on disk . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 331
Creating logical expressions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 333
Registry-based rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 338
Registry-only SRS entry . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 338
Creating a registry entry . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 341
Registry-based File/Module . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 342
Manually creating SRS entries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 343
Manually creating an OnDisk file entry . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 343
Manually creating a Memory Module entry . . . . . . . . . . . . . . . . . . . . . . . . . . 345
File age check . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 347
Adding comments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 348
Adding a TunnelGuard rule comment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 348
Adding a software definition comment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 349
Deleting SRS rules and their components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 349
Deleting a software definition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 350
Deleting a software definition entry . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 350
Deleting a TunnelGuard rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 350
Deleting an expression . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 350
TunnelGuard support for API calls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 351
Making API calls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 351
Chapter 8: Managing system users and groups . . . . . . . . . . . . . . . . . . . . 353
User rights and group membership . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 354
Managing system users and groups using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . 355
Roadmap of system user management commands . . . . . . . . . . . . . . . . . . . . . . 355
Managing user accounts and passwords using the CLI . . . . . . . . . . . . . . . . . . . 356
Managing user settings using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 358
Managing user groups using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 359
CLI configuration examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 360
Adding a new user . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 360
Changing a user’s group assignment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 365
Changing passwords . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 366
Deleting a user . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 369
Managing system users and groups using the SREM . . . . . . . . . . . . . . . . . . . . . . . . 370
Managing user accounts using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 370
Adding new user accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 372
Removing existing user accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 373
Setting password expiry using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 374
Changing your password using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 376
Changing another user’s password using the SREM . . . . . . . . . . . . . . . . . . . . . 377
Setting the certificate export passphrase using the SREM . . . . . . . . . . . . . . . . . 379
Managing user groups using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 381
Adding a user group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 382
Removing a user group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 383
Chapter 9: Customizing the portal and user logon . . . . . . . . . . . . . . . . . 385
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 386
Captive portal and Exclude List . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 386
Exclude List . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 387
Portal display . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 389
Portal look and feel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 389
Language localization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 392
Linksets and links . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 394
Macros . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 395
Automatic redirection to internal sites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 396
Examples of redirection URLs and links . . . . . . . . . . . . . . . . . . . . . . . . . . . . 396
Managing the end user experience . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 397
Automatic JRE upload . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 397
Windows domain logon script . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 398
Customizing the portal and logon using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . 398
Roadmap of portal and logon configuration commands . . . . . . . . . . . . . . . . . . . 398
Configuring the captive portal using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . 400
Configuring the Exclude List using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 401
Changing the portal language using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . 402
Configuring language support using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . 402
Setting the portal display language using the CLI . . . . . . . . . . . . . . . . . . . . . 404
Configuring the portal display using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . 405
Changing the portal colors using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 408
Configuring custom content using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 409
Configuring linksets using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 411
Configuring links using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 413
Configuring external link settings using the CLI . . . . . . . . . . . . . . . . . . . . . . 415
Configuring FTP link settings using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . 415
Customizing the portal and logon using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . . 416
Configuring the captive portal using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . . 416
Enabling DNS capture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 416
Configuring the DNS Exclude List using the SREM . . . . . . . . . . . . . . . . . . . 418
Changing the portal language using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . 419
Configuring language support using the SREM . . . . . . . . . . . . . . . . . . . . . . 420
Importing and exporting language definitions . . . . . . . . . . . . . . . . . . . . . . . . 422
Setting the portal display language using the SREM . . . . . . . . . . . . . . . . . . 424
Configuring the portal display using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . . 425
Configuring content . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 426
Importing banners . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 429
Changing the portal colors using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . . . . 431
Configuring custom content using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . . . 433
Viewing basic information about custom content . . . . . . . . . . . . . . . . . . . . . 434
Importing custom content . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 436
Exporting custom content . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 438
Configuring linksets using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 439
Creating a linkset . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 440
Modifying a linkset . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 442
Configuring links using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 444
Creating an external link using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . . 445
Creating an FTP link using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 447
Modifying external link settings using the SREM . . . . . . . . . . . . . . . . . . . . . 450
Modifying FTP link settings using the SREM . . . . . . . . . . . . . . . . . . . . . . . . 452
Reordering links using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 453
Chapter 10: Configuring system settings . . . . . . . . . . . . . . . . . . . . . . . . . 457
Configuring the cluster using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 459
Roadmap of system commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 460
Configuring system settings using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 463
Configuring the Nortel SNAS 4050 host using the CLI . . . . . . . . . . . . . . . . . . . . 465
Viewing host information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 469
Configuring host interfaces using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 469
Configuring static routes using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 471
Configuring host ports using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 472
Managing interface ports using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 473
Configuring the Access List using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 474
Configuring date and time settings using the CLI . . . . . . . . . . . . . . . . . . . . . . . . 475
Managing NTP servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 476
Configuring DNS servers and settings using the CLI . . . . . . . . . . . . . . . . . . . . . 477
Managing DNS servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 479
Configuring RSA servers using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 480
Configuring syslog servers using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 481
Configuring administrative settings using the CLI . . . . . . . . . . . . . . . . . . . . . . . . 483
Enabling TunnelGuard SRS administration using the CLI . . . . . . . . . . . . . . . . . . 485
Configuring Nortel SNAS 4050 host SSH keys using the CLI . . . . . . . . . . . . . . . 485
Managing known hosts SSH keys using the CLI . . . . . . . . . . . . . . . . . . . . . . 487
Configuring RADIUS auditing using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . 488
About RADIUS auditing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 488
About the vendor-specific attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 488
Configuring RADIUS auditing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 489
Managing RADIUS audit servers using the CLI . . . . . . . . . . . . . . . . . . . . . . 490
Configuring authentication of system users using the CLI . . . . . . . . . . . . . . . . . 492
Managing RADIUS authentication servers using the CLI . . . . . . . . . . . . . . . 493
Configuring the cluster using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 495
Configuring system settings using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . . . 496
Configuring a Nortel SNAS 4050 host using the SREM . . . . . . . . . . . . . . . . . . . 497
Viewing host information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 498
Viewing and configuring TCP/IP properties . . . . . . . . . . . . . . . . . . . . . . . . . 499
Viewing and installing host licenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 500
Configuring host interfaces using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . . . . 508
Adding a host interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 509
Configuring an existing host interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 511
Removing a host interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 514
Configuring static routes using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 514
Viewing static routes for a cluster . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 515
Viewing static routes for a host . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 516
Viewing static routes for an interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 517
Managing static routes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 517
Configuring host ports using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 520
Managing interface ports using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 523
Adding interface ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 524
Removing interface ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 524
Configuring the access list using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . . . . 525
Adding an access list entry . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 526
Removing an Access List entry . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 527
Managing date and time settings using the SREM . . . . . . . . . . . . . . . . . . . . . . . 528
Configuring the date and time settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 529
Adding an NTP server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 530
Removing an NTP server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 531
Configuring DNS settings using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 532
Configuring servers using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 534
Managing syslog servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 534
Managing DNS servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 537
Managing RSA servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 540
Configuring administrative settings using the SREM . . . . . . . . . . . . . . . . . . . . . . 546
Configuring SRS control settings using the SREM . . . . . . . . . . . . . . . . . . . . . . . 547
Configuring Nortel SNAS 4050 host SSH keys using the SREM . . . . . . . . . . . . 548
Showing SSH keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 549
Managing Nortel SNAS 4050 and known host SSH keys . . . . . . . . . . . . . . . 551
Adding an SSH key for a known host using the SREM . . . . . . . . . . . . . . . . . . . . 553
Managing RADIUS audit settings using the SREM . . . . . . . . . . . . . . . . . . . . . . . 554
About RADIUS auditing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 554
About the vendor-specific attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 555
Configuring RADIUS auditing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 556
Configuring RADIUS audit settings using the SREM . . . . . . . . . . . . . . . . . . 557
Managing RADIUS audit servers using the SREM . . . . . . . . . . . . . . . . . . . . 559
Managing RADIUS authentication of system users using the SREM . . . . . . . . . 562
Configuring RADIUS authentication of system users using the SREM . . . . . 563
Managing RADIUS authentication servers using the SREM . . . . . . . . . . . . . 565
Chapter 11: Managing certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 569
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 570
Key and certificate formats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 571
Creating certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 573
Installing certificates and keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 573
Saving or exporting certificates and keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 574
Updating certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 574
Managing private keys and certificates using the CLI . . . . . . . . . . . . . . . . . . . . . . . . 575
Roadmap of certificate management commands . . . . . . . . . . . . . . . . . . . . . . . . 576
Managing and viewing certificates and keys using the CLI . . . . . . . . . . . . . . . . . 577
Generating and submitting a CSR using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . 579
Adding a certificate to the Nortel SNAS 4050 using the CLI . . . . . . . . . . . . . . . . 584
Adding a private key to the Nortel SNAS 4050 using the CLI . . . . . . . . . . . . . . . 587
Importing certificates and keys into the Nortel SNAS 4050 using the CLI . . . . . 588
Displaying or saving a certificate and key using the CLI . . . . . . . . . . . . . . . . . . . 591
Exporting a certificate and key from the Nortel SNAS 4050 using the CLI . . . . . 594
Generating a test certificate using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 596
Managing private keys and certificates using the SREM . . . . . . . . . . . . . . . . . . . . . . 597
Viewing certificates using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 598
Creating a certificate using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 599
Generating and submitting a CSR using the SREM . . . . . . . . . . . . . . . . . . . . . . 601
Importing a certificate or key using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . . 603
Displaying or saving a certificate and key using the SREM . . . . . . . . . . . . . . . . . 605
Exporting a certificate and key from the Nortel SNAS 4050 using the SREM . . . 607
Viewing certificate information using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . 610
Viewing configuration details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 610
Viewing general information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 612
Viewing certificate subject settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 614
Chapter 12: Configuring SNMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 617
Configuring SNMP using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 618
Roadmap of SNMP commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 619
Configuring SNMP settings using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 620
Configuring the SNMP v2 MIB using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . 621
Configuring the SNMP community using the CLI . . . . . . . . . . . . . . . . . . . . . . . . 622
Configuring SNMPv3 users using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 623
Configuring SNMP notification targets using the CLI . . . . . . . . . . . . . . . . . . . . . 626
Configuring SNMP events using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 627
Configuring SNMP settings using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 631
Configuring SNMP using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 632
Configuring SNMP targets using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . . . . 634
Adding SNMP targets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 635
Managing SNMP targets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 638
Removing SNMP targets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 639
Configuring SNMPv3 users using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . . . 640
Adding SNMPv3 users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 641
Managing SNMPv3 users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 644
Removing SNMPv3 users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 646
Configuring SNMP events using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . . . . 647
Managing monitor events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 647
Managing notification events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 655
Chapter 13: Viewing system information and performance statistics . . 659
Viewing system information and performance statistics using the CLI . . . . . . . . . . . 660
Roadmap of information and statistics commands . . . . . . . . . . . . . . . . . . . . . . . 660
Viewing system information using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 661
Viewing alarm events using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 666
Viewing log files using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 667
Viewing AAA statistics using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 667
Viewing all statistics using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 670
Viewing system information and performance statistics using the SREM . . . . . . . . . 670
Viewing local information using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 670
Viewing cluster information using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . . . . 672
Viewing the controller list using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . . 673
Viewing SONMP topology information using the SREM . . . . . . . . . . . . . . . . 675
Viewing switch distribution using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . 677
Viewing port information using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . . . 678
Viewing license information using the SREM . . . . . . . . . . . . . . . . . . . . . . . . 680
Viewing session details using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . . . 684
Viewing alarms using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 691
Managing log files using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 695
Viewing AAA statistics using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 698
Viewing AAA statistics for a host . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 699
Viewing License statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 701
Viewing RADIUS statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 702
Viewing Local database statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 704
Viewing LDAP statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 705
Viewing AAA statistics for the domain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 707
Viewing License statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 709
Viewing RADIUS statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 711
Viewing Local database statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 713
Viewing LDAP statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 715
Viewing Ethernet statistics using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . . . . 716
Viewing Rx statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 718
Viewing Tx statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 720
Chapter 14: Maintaining and managing the system . . . . . . . . . . . . . . . . . 723
Managing and maintaining the system using the CLI . . . . . . . . . . . . . . . . . . . . . . . . 724
Roadmap of maintenance and boot commands . . . . . . . . . . . . . . . . . . . . . . . . . 725
Performing maintenance using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 726
Backing up or restoring the configuration using the CLI . . . . . . . . . . . . . . . . . . . 730
Managing Nortel SNAS 4050 devices using the CLI . . . . . . . . . . . . . . . . . . . . . . 733
Managing software for a Nortel SNAS 4050 device using the CLI . . . . . . . . . . . 734
Managing and maintaining the system using the SREM . . . . . . . . . . . . . . . . . . . . . . 736
Performing maintenance using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 736
Dumping logs and status information using the SREM . . . . . . . . . . . . . . . . . 737
Starting and stopping a trace using the SREM . . . . . . . . . . . . . . . . . . . . . . . 738
Checking configuration using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . . . . 741
Backing up or restoring the configuration using the SREM . . . . . . . . . . . . . . . . . 742
Managing Nortel SNAS 4050 devices and software using the SREM . . . . . . . . . 743
Managing software versions using the SREM . . . . . . . . . . . . . . . . . . . . . . . . 744
Downloading images using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 748
Rebooting or deleting a Nortel SNAS 4050 device using the SREM . . . . . . 750
Downloading files using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 752
Running Nortel SNAS 4050 diagnostics using the SREM . . . . . . . . . . . . . . . . . . 754
Chapter 15: Upgrading or reinstalling the software . . . . . . . . . . . . . . . . . 757
Upgrading the Nortel SNAS 4050 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 757
Performing minor and major release upgrades . . . . . . . . . . . . . . . . . . . . . . . . . . 758
Downloading the software image using the CLI . . . . . . . . . . . . . . . . . . . . . . 759
Activating the software upgrade package . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 760
Reinstalling the software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 763
Before you begin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 763
Reinstalling the software from an external file server . . . . . . . . . . . . . . . . . . . . . 765
Reinstalling the software from a CD . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 767
Chapter 16: The Command Line Interface . . . . . . . . . . . . . . . . . . . . . . . . . 769
Connecting to the Nortel SNAS 4050 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 770
Establishing a console connection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 770
Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 771
Procedure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 771
Establishing a Telnet connection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 772
Enabling and restricting Telnet access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 772
Running Telnet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 773
Establishing a connection using SSH . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 773
Enabling and restricting SSH access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 773
Running an SSH client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 774
Accessing the Nortel SNAS 4050 cluster . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 775
CLI Main Menu or Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 777
Command line history and editing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 777
Idle timeout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 777
Chapter 17: Configuration example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 779
Scenario . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 779
Steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 782
Configure the network DNS server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 782
Configure the network DHCP server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 783
Configure the network core router . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 789
Configure the Ethernet Routing Switch 8300 using the CLI . . . . . . . . . . . . . . . . 790
Steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 790
Enabling SSH . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 791
Configuring the Nortel SNAS 4050 pVIP subnet . . . . . . . . . . . . . . . . . . . . . . 791
Creating port-based VLANs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 791
Configuring the VoIP VLANs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 791
Configuring the Red, Yellow, and Green VLANs . . . . . . . . . . . . . . . . . . . . . . 791
Configuring the NSNA uplink filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 792
Configuring the NSNA ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 792
Enabling NSNA globally . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 792
Configure the Ethernet Routing Switch 5510 . . . . . . . . . . . . . . . . . . . . . . . . . . . 793
Steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 793
Setting the switch IP address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 793
Configuring SSH . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 794
Configuring the Nortel SNAS 4050 pVIP subnet . . . . . . . . . . . . . . . . . . . . . . 794
Creating port-based VLANs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 794
Configuring the VoIP VLANs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 794
Configuring the Red, Yellow, and Green VLANs . . . . . . . . . . . . . . . . . . . . . . 794
Configuring the login domain controller filters . . . . . . . . . . . . . . . . . . . . . . . . 795
Configuring the NSNA ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 795
Enabling NSNA globally . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 795
Configure the Nortel SNAS 4050 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 795
Performing initial setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 796
Completing initial setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 797
Adding the network access devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 798
Mapping the VLANs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 800
Enabling the network access devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 801
Appendix A: CLI reference . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 803
Using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 804
Global commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 804
Command line history and editing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 806
CLI shortcuts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 807
Command stacking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 807
Command abbreviation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 808
Tab completion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 808
Using a submenu name as a command argument . . . . . . . . . . . . . . . . . . . . 809
Using slashes and spaces in commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 810
IP address and network mask formats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 810
IP addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 810
Network masks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 810
Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 811
CLI Main Menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 812
CLI command reference . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 812
Information menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 814
Statistics menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 815
Configuration menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 816
Boot menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 835
Maintenance menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 836
Chapter 18: Troubleshooting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 837
Troubleshooting tips . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 837
Cannot connect to the Nortel SNAS 4050 using Telnet or SSH . . . . . . . . . . . . . 838
Verify the current configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 838
Enable Telnet or SSH access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 838
Check the Access List . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 838
Check the IP address configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 839
Cannot add the Nortel SNAS 4050 to a cluster . . . . . . . . . . . . . . . . . . . . . . . . . . 841
Cannot contact the MIP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 841
Check the Access List . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 842
Add Interface 1 IP addresses and the MIP to the Access List . . . . . . . . . . . 842
The Nortel SNAS 4050 stops responding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 843
Telnet or SSH connection to the MIP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 843
Console connection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 843
A user password is lost . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 844
Administrator user password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 844
Operator user password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 844
Root user password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 844
Boot user password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 845
A user fails to connect to the Nortel SNAS 4050 domain . . . . . . . . . . . . . . . . . . 845
Trace tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 845
System diagnostics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 847
Installed certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 847
Network diagnostics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 847
Active alarms and the events log file . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 849
Error log files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 849
Appendix B: Syslog messages. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 851
Syslog messages by message type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 851
Operating system (OS) messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 852
System Control Process messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 853
About alarm messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 854
About event messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 856
Traffic Processing Subsystem messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 857
Start-up messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 860
AAA subsystem messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 861
NSNAS subsystem messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 863
Syslog messages in alphabetical order . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 865
Appendix C: Supported MIBs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 875
Supported MIBs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 875
Supported traps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 879
Appendix D: Supported ciphers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 881
Appendix E: Adding User Preferences attribute to Active Directory . . . 883
Install All Administrative Tools (Windows 2000 Server) . . . . . . . . . . . . . . . . . . . . 883
Register the Schema Management dll (Windows Server 2003) . . . . . . . . . . . . . 883
Add the Active Directory Schema Snap-in (Windows 2000 Server and Windows Server 2003) . . . . . . . . . . . . 884
Create a shortcut to the console window . . . . . . . . . . . . . . . . . . . . . . . . . . . 886
Permit write operations to the schema (Windows 2000 Server) . . . . . . . . . . . . . 886
Create a new attribute (Windows 2000 Server and Windows Server 2003) . . . . . . . . . . . . . . . . 887
Create the new class . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 888
Add isdUserPrefs attribute to nortelSSLOffload class . . . . . . . . . . . . . . . . . 888
Add the nortelSSLOffload Class to the User Class . . . . . . . . . . . . . . . . . . . . 889
Appendix F: Configuring DHCP to auto-configure IP Phones. . . . . . . . . 891
Configuring IP Phone auto-configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 892
Creating the DHCP options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 892
Configuring the Call Server Information and VLAN Information options . . . . . . . 896
Setting up the IP Phone . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 899
Appendix G: Using a Windows domain logon script to launch the Nortel SNAS 4050 portal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 901
Configuring the logon script . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 901
Creating a logon script . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 902
Creating the script as a batch file . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 902
Creating the script as a VBScript file . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 903
Assigning the logon script . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 903
Appendix H: Software licensing information . . . . . . . . . . . . . . . . . . . . . . 905
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 911
Preface
Nortel* Secure Network Access (Nortel SNA) is a clientless solution that provides seamless, secure access to the corporate network from inside or outside that network. The Nortel SNA solution combines multiple hardware devices and software components to support the following features:
partitions the network resources into access zones (authentication, remediation, and full access)
provides continual device integrity checking using TunnelGuard
supports both dynamic and static IP clients
The Nortel Secure Network Access Switch 4050 (Nortel SNAS 4050) controls operation of the Nortel SNA solution.
This user guide covers the process of implementing the Nortel SNA solution using the Nortel SNAS 4050 for Nortel Secure Network Access Switch Software Release 1.0. The document includes the following information:
overview of the role of the Nortel SNAS 4050 in the Nortel SNA solution
initial setup
configuring authentication, authorization, and accounting (AAA) features
managing system users
customizing the portal
upgrading the software
logging and monitoring
troubleshooting installation and operation
The document provides instructions for initializing and customizing the features using the Command Line Interface (CLI). To learn the basic structure and operation of the Nortel SNAS 4050 CLI, refer to “CLI reference” on page 803. This reference guide provides links to where the function and syntax of each CLI command are described in the document. For information on accessing the CLI, see “The Command Line Interface” on page 769.
Security & Routing Element Manager (SREM) is a graphical user interface (GUI) that runs in an online, interactive mode. SREM allows the management of multiple devices (for example, the Nortel SNAS 4050) from one application. To use SREM, you must have network connectivity to a management station running SREM in one of the supported environments. For instructions on installing and starting SREM, refer to Installing and Using the Security & Routing Element Manager (320199-A).
Before you begin
This guide is intended for network administrators who have the following background:
basic knowledge of networks, Ethernet bridging, and IP routing
familiarity with networking concepts and terminology
experience with windowing systems or GUIs
basic knowledge of network topologies
Before using this guide, you must complete the following procedures. For a new switch:
1 Install the switch.
For installation instructions, see Nortel Secure Network Access Switch 4050 Installation Guide (320846-A).
2 Connect the switch to the network.
For more information, see “The Command Line Interface” on page 769.
Ensure that you are running the latest version of Nortel SNAS 4050 software. For information about upgrading the Nortel SNAS 4050, see “Upgrading or reinstalling the software” on page 757.
Text conventions
This guide uses the following text conventions:
angle brackets (< >): Enter text based on the description inside the brackets. Do not type the brackets when entering the command. Example: If the command syntax is ping <ip_address>, you enter ping 192.32.10.12.
bold text: Objects such as window names, dialog box names, and icons, as well as user interface objects such as buttons, tabs, and menu items.
bold Courier text: Command names, options, and text that you must enter. Example: Use the dinfo command. Example: Enter show ip {alerts|routes}.
braces ({}): Required elements in syntax descriptions where there is more than one option. You must choose only one of the options. Do not type the braces when entering the command. Example: If the command syntax is show ip {alerts|routes}, you must enter either show ip alerts or show ip routes, but not both.
brackets ([ ]): Optional elements in syntax descriptions. Do not type the brackets when entering the command. Example: If the command syntax is show ip interfaces [-alerts], you can enter either show ip interfaces or show ip interfaces -alerts.
ellipsis points (. . . ): Repeat the last element of the command as needed. Example: If the command syntax is ethernet/2/1 [<parameter> <value>]..., you enter ethernet/2/1 and as many parameter-value pairs as needed.
italic text: Variables in command syntax descriptions. Also indicates new terms and book titles. Where a variable is two or more words, the words are connected by an underscore. Example: If the command syntax is show at <valid_route>, valid_route is one variable and you substitute one value for it.
plain Courier text: Command syntax and system output, for example, prompts and system messages. Example: Set Trap Monitor Filters
separator ( > ): Menu paths. Example: Protocols > IP identifies the IP command on the Protocols menu.
vertical line ( | ): Options for command keywords and arguments. Enter only one of the options. Do not type the vertical line when entering the command. Example: If the command syntax is show ip {alerts|routes}, you enter either show ip alerts or show ip routes, but not both.
Related information
This section lists information sources that relate to this document.
Publications
Refer to the following publications for information on the Nortel SNA solution:
Nortel Secure Network Access Solution Guide (320817-A)
Nortel Secure Network Access Switch 4050 Installation Guide (320846-A)
Nortel Secure Network Access Switch 4050 User Guide (320818-A)
Installing and Using the Security & Routing Element Manager (SREM) (320199-B)
Release Notes for Nortel Ethernet Routing Switch 5500 Series, Software Release 4.3 (217468-B)
Release Notes for the Ethernet Routing Switch 8300, Software Release 2.2.8 (316811-E)
Release Notes for the Nortel Secure Network Access Solution, Software Release 1.0 (320850-A)
Release Notes for Enterprise Switch Manager (ESM), Software Release 5.1 (209960-H)
Using Enterprise Switch Manager Release 5.1 (208963-F)
Online
To access Nortel technical documentation online, go to the Nortel web site:
www.nortel.com/support
You can download current versions of technical documentation. To locate documents, browse by category or search using the product name or number.
You can print the technical manuals and release notes free, directly from the Internet. Use Adobe* Reader* to open the manuals and release notes, search for the sections you need, and print them on most standard printers. Go to the Adobe Systems site at www.adobe.com to download a free copy of Adobe Reader.
How to get help
If you purchased a service contract for your Nortel product from a distributor or authorized reseller, contact the technical support staff for that distributor or reseller for assistance.
If you purchased a Nortel service program, use the www.nortel.com/help web page to locate information to contact Nortel for assistance:
To obtain Nortel Technical Support contact information, click the CONTACT US link on the left side of the page.
To call a Nortel Technical Solutions Center for assistance, click the CALL US link on the left side of the page to find the telephone number for your region.
An Express Routing Code (ERC) is available for many Nortel products and services. When you use an ERC, your call is routed to a technical support person who specializes in supporting that product or service. To locate the ERC for your product or service, go to the www.nortel.com/help web page and follow these links:
1 Click CONTACT US on the left side of the HELP web page.
2 Click Technical Support on the CONTACT US web page.
3 Click Express Routing Codes on the TECHNICAL SUPPORT web page.
Chapter 1 Overview
This chapter includes the following topics:
Topic . . . Page
The Nortel SNA solution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
Elements of the NSNA solution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
Supported users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
Role of the Nortel SNAS 4050 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Nortel SNAS 4050 clusters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
One-armed and two-armed configurations . . . . . . . . . . . . . . . . . . . . . . 40
Nortel SNA configuration and management tools . . . . . . . . . . . . . . . . 42
Nortel SNAS 4050 configuration roadmap . . . . . . . . . . . . . . . . . . . . . . 43
The Nortel SNA solution
Nortel Secure Network Access (Nortel SNA) solution is a protective framework to completely secure the network from endpoint vulnerability. The Nortel SNA solution addresses endpoint security and enforces policy compliance. Nortel SNA delivers endpoint security by enabling only trusted, role-based access privileges premised on the security level of the device, user identity, and session context. Nortel SNA enforces policy compliance, such as for Sarbanes-Oxley and COBIT, ensuring that the required anti-virus applications or software patches are installed before users are granted network access.
For Nortel, success is delivering technologies providing secure access to your information using security-compliant systems. Your success is measured by increased employee productivity and lower network operations costs. Nortel’s solutions provide your organization with the network intelligence required for success.
Elements of the NSNA solution
The following devices are essential elements of the Nortel SNA solution:
Nortel Secure Network Access Switch 4050 (Nortel SNAS 4050), which acts as the Policy Decision Point
network access device, which acts as the Policy Enforcement Point
— Ethernet Routing Switch 8300
— Ethernet Routing Switch 5510, 5520, or 5530
DHCP and DNS servers
The following devices are additional, optional elements of the Nortel SNA solution:
remediation server
corporate authentication services such as LDAP or RADIUS services
Each Nortel SNAS 4050 device can support up to five network access devices.
Supported users
The Nortel SNAS 4050 supports the following types of users:
PCs using the following operating systems:
— Windows 2000 SP4
— Windows XP SP2
The Nortel SNAS 4050 supports the following browsers:
— Internet Explorer version 6.0 or later
— Netscape Navigator version 7.3 or later
— Mozilla Firefox version 1.0.6 or later
Java Runtime Environment (JRE) for all browsers:
— JRE 1.5.0_04 or later
VoIP phones
— Nortel IP Phone 2002
— Nortel IP Phone 2004
— Nortel IP Phone 2007
See Release Notes for the Nortel Secure Network Access Solution, Software Release 1.0 (320850-A) for the minimum firmware versions required for the IP Phones operating with different call servers.
Each NSNA-enabled port on a network access device can support one PC (untagged traffic) and one IP Phone (tagged traffic). Softphone traffic is considered to be the same as PC traffic (untagged).
Role of the Nortel SNAS 4050
The Nortel SNAS 4050 helps protect the network by ensuring endpoint compliance for devices that connect to the network.
Before allowing a device to have full network access, the Nortel SNAS 4050 checks user credentials and host integrity against predefined corporate policy criteria. Through tight integration with network access devices, the Nortel SNAS 4050 can:
dynamically move the user into a quarantine VLAN
dynamically grant the user full or limited network access
dynamically apply per port firewall rules that apply to a device’s connection
Once a device has been granted network access, the Nortel SNAS 4050 continually monitors the health status of the device to ensure continued compliance. If a device falls out of compliance, the Nortel SNAS 4050 can dynamically move the device into a quarantine or remediation VLAN.
Note: Where there is both an IP Phone and a PC, the PC must be connected through the 3-port switch on the IP Phone.
Nortel SNAS 4050 functions
The Nortel SNAS 4050 performs the following functions:
Acts as a web server portal, which is accessed by users in clientless mode for authentication and host integrity check and which sends remediation instructions and guidelines to endpoint clients if they fail the host integrity check.
Communicates with backend authentication servers to identify authorized users and levels of access.
Acts as a policy server, which communicates with the TunnelGuard applet that verifies host integrity.
Instructs the network access device to move clients to the appropriate VLAN and, if applicable, to apply additional filters.
Can be a DNS proxy in the Red VLAN when the Nortel SNAS 4050 functions as a captive portal.
Performs session management.
Monitors the health of clients and switches.
Performs logging and auditing functions.
Provides High Availability (HA) through IPmig protocol.
Nortel SNA VLANs and filters
There are four types of Layer 2 or Layer 3 VLANs in a Nortel SNA network:
Red — extremely restricted access. If the default filters are used, the user can communicate only with the Nortel SNAS 4050 and the Windows domain controller network. There is one Red VLAN for each network access device.
Yellow — restricted access for remediation purposes if the client PC fails the host integrity check. Depending on the filters and TunnelGuard rules configured for the network, the client may be directed to a remediation server participating in the Yellow VLAN. There can be up to five Yellow VLANs for each network access device. Each user group is associated with only one Yellow VLAN.
Green — full access, in accordance with the user’s access privileges. There can be up to five Green VLANs for each network access device.
VoIP — automatic access for VoIP traffic. The network access device places VoIP calls in a VoIP VLAN without submitting them to the Nortel SNAS 4050 authentication and authorization process.
When a client attempts to connect to the network, the network access device places the client in its Red VLAN. The Nortel SNAS 4050 authenticates the client and then downloads a TunnelGuard applet to check the integrity of the client host. If the integrity check fails, the Nortel SNAS 4050 instructs the network access device to move the client to a Yellow VLAN, with its associated filter. If the integrity check succeeds, the Nortel SNAS 4050 instructs the network access device to move the client to a Green VLAN, with its associated filter. The network access device applies the filters when it changes the port membership.
The VoIP filters allow IP Phone traffic into one of the preconfigured VoIP VLANs for VoIP communication only.
The default filters can be modified to accommodate network requirements, such as Quality of Service (QoS) or specific workstation boot processes and network communications.
For information about configuring VLANs and filters on the network access device, see Release Notes for Nortel Ethernet Routing Switch 5500 Series, Software Release 4.3 (217468-B) or Release Notes for the Ethernet Routing Switch 8300, Software Release 2.2.8 (316811-E).
Groups and profiles
Users are organized in groups. Group membership determines:
user access rights
Within the group, extended profiles further refine access rights depending on the outcome of the TunnelGuard checks.
number of sessions allowed
the TunnelGuard SRS rule to be applied
what displays on the portal page after the user has been authenticated
For information about configuring groups and extended profiles on the Nortel SNAS 4050, see “Configuring groups and profiles” on page 191.
Authentication methods
You can configure more than one authentication method within a Nortel SNAS 4050 domain. Nortel Secure Network Access Switch Software Release 1.0 supports the following authentication methods:
external database
— Remote Authentication Dial-In User Service (RADIUS)
— Lightweight Directory Access Protocol (LDAP)
The Nortel SNAS 4050 authenticates the user by sending a query to an external RADIUS or LDAP server. This makes it possible to use authentication databases already existing within the intranet. The Nortel SNAS 4050 device includes username and password in the query and requires the name of one or more access groups in return. The name of the RADIUS and LDAP access group attribute is configurable.
local database
The Nortel SNAS 4050 itself can store up to 1,000 user authentication entries, each defining a username, password, and relevant access group. You can populate the database by manually adding entries on the Nortel SNAS 4050, or you can import a database from a TFTP/FTP/SCP/SFTP server.
Use the local authentication method if no external authentication databases exist, for testing purposes, for speedy deployment, or as a fallback for external database queries. You can also use the local database for authorization only, if an external server provides authentication services but cannot be configured to return a list of authorized groups.
For information about configuring authentication on the Nortel SNAS 4050, see “Configuring authentication” on page 233.
For more information about the Nortel SNA solution and the way the Nortel SNAS 4050 controls network access, see Nortel Secure Network Access Solution Guide (320817-A).
TunnelGuard host integrity check
The TunnelGuard application checks client host integrity by verifying that the components you have specified as required for the client’s personal firewall (executables, DLLs, configuration files, and so on) are installed and active on the client PC. You specify the required component entities and engineering rules by configuring a Software Requirement Set (SRS) rule and mapping the rule to a user group.
After a client has been authenticated, the Nortel SNAS 4050 downloads a TunnelGuard agent as an applet to the client PC. The TunnelGuard applet fetches the SRS rule applicable for the group to which the authenticated user belongs, so that TunnelGuard can perform the appropriate host integrity check. The TunnelGuard applet reports the result of the host integrity check to the Nortel SNAS 4050.
If the required components are present on the client machine, TunnelGuard reports that the SRS rule check succeeded. The Nortel SNAS 4050 then instructs the network access device to permit access to intranet resources in accordance with the user group’s access privileges. The Nortel SNAS 4050 also requests the TunnelGuard applet to redo a DHCP request in order to renew the client’s DHCP lease with the network access device.
If the required components are not present on the client machine, TunnelGuard reports that the SRS rule check failed. You configure behavior following host integrity check failure: The session can be torn down, or the Nortel SNAS 4050 can instruct the network access device to grant the client restricted access to the network for remediation purposes.
The TunnelGuard applet repeats the host integrity check periodically throughout the client session. If the check fails at any time, the client is either evicted or quarantined, depending on the behavior you have configured. The recheck interval is configurable.
For information about configuring the TunnelGuard host integrity check, see “Configuring the TunnelGuard check using the CLI” on page 132 or “Configuring the TunnelGuard check using the SREM” on page 168. For information about configuring the SRS rules, see “TunnelGuard SRS Builder” on page 317. For information about mapping an SRS rule to a group, see “Configuring groups using the CLI” on page 198 or “Configuring groups using the SREM” on page 208.
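The Red/Yellow/Green flow described in the preceding sections (and in “Nortel SNA VLANs and filters”) as a small policy-decision model: the client lands in the access device’s Red VLAN, is authenticated, and is placed by each TunnelGuard SRS report, including periodic rechecks, into a Green or Yellow VLAN or torn down. This is an added example, not Nortel code; the group names, VLAN ids and filter names are constructed, and the rule that a passing recheck while quarantined restores Green is an assumption.

```python
"""Model of the Nortel SNA Red/Yellow/Green placement decision (added example)."""
from dataclasses import dataclass, field
from enum import Enum


class Zone(Enum):
    RED = "Red"            # authentication zone: SNAS 4050 and domain controllers only
    YELLOW = "Yellow"      # remediation zone
    GREEN = "Green"        # full access per the group's privileges
    OFF = "Disconnected"   # session torn down


class OnFailure(Enum):
    TEARDOWN = "teardown"      # evict the client on a failed SRS check
    QUARANTINE = "quarantine"  # move the client to its group's Yellow VLAN


@dataclass(frozen=True)
class Group:
    name: str
    srs_rule: str        # SRS rule the TunnelGuard applet fetches for this group
    green_vlan: int
    yellow_vlan: int     # each group is associated with exactly one Yellow VLAN
    on_failure: OnFailure


@dataclass
class Session:
    user: str
    group: Group
    zone: Zone = Zone.RED
    vlan: int = 0                 # 0 stands for the access device's Red VLAN here
    filter: str = "red-default"   # constructed filter names
    dhcp_renewals: int = 0        # applet redoes DHCP after a move to Green
    log: list = field(default_factory=list)


def apply_srs_result(s: Session, passed: bool) -> Session:
    """One TunnelGuard report (initial check or periodic recheck) -> placement."""
    if s.zone is Zone.OFF:
        return s  # nothing to do for an evicted session
    if passed:
        # Assumption: a pass while quarantined (after remediation) restores Green.
        moved = s.zone is not Zone.GREEN
        s.zone, s.vlan, s.filter = Zone.GREEN, s.group.green_vlan, f"green-{s.group.name}"
        if moved:
            s.dhcp_renewals += 1
        s.log.append(f"SRS {s.group.srs_rule} passed -> Green VLAN {s.vlan}")
    elif s.group.on_failure is OnFailure.TEARDOWN:
        s.zone, s.vlan, s.filter = Zone.OFF, 0, "none"
        s.log.append(f"SRS {s.group.srs_rule} failed -> session torn down")
    else:
        s.zone, s.vlan, s.filter = Zone.YELLOW, s.group.yellow_vlan, f"yellow-{s.group.name}"
        s.log.append(f"SRS {s.group.srs_rule} failed -> Yellow VLAN {s.vlan}")
    return s


def connect(user: str, group: Group, credentials_ok: bool, initial_srs_passed: bool) -> Session:
    """Port-up to first placement: Red VLAN, authentication, applet, first SRS check."""
    s = Session(user, group)
    s.log.append("port placed in Red VLAN")
    if not credentials_ok:
        s.log.append("authentication failed -> client stays in Red")
        return s
    s.log.append("authenticated; TunnelGuard applet downloaded")
    return apply_srs_result(s, initial_srs_passed)


def check_vlan_budget(groups) -> list:
    """Per access device the guide allows one Red, up to five Yellow and five Green VLANs."""
    problems = []
    yellows = {g.yellow_vlan for g in groups}
    greens = {g.green_vlan for g in groups}
    if len(yellows) > 5:
        problems.append(f"{len(yellows)} Yellow VLANs configured; maximum is 5")
    if len(greens) > 5:
        problems.append(f"{len(greens)} Green VLANs configured; maximum is 5")
    return problems


# Constructed sample groups (names, rule names and VLAN ids are made up).
STAFF = Group("staff", "srs-corp-av", green_vlan=110, yellow_vlan=210,
              on_failure=OnFailure.QUARANTINE)
CONTRACTOR = Group("contractor", "srs-contract", green_vlan=120, yellow_vlan=220,
                   on_failure=OnFailure.TEARDOWN)

if __name__ == "__main__":
    alice = connect("alice", STAFF, credentials_ok=True, initial_srs_passed=True)
    apply_srs_result(alice, passed=False)   # periodic recheck fails -> quarantined
    apply_srs_result(alice, passed=True)    # remediated -> back to Green
    bob = connect("bob", CONTRACTOR, credentials_ok=True, initial_srs_passed=False)
    for s in (alice, bob):
        print(s.user, s.zone.value, s.vlan, s.filter, *s.log, sep="\n  ")
```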
Communication channels
Communications between the Nortel SNAS 4050 and key elements of the Nortel SNA solution are secure and encrypted. Table 1 shows the communication channels in the network.
Telnet or SSH can be used for management communications between remote PCs and the Nortel SNAS 4050 devices.
About SSH
The Secure Shell (SSH) protocol provides secure and encrypted communication between the Nortel SNAS 4050 and the network access devices, and between Nortel SNAS 4050 devices and remote management PCs not using Telnet.
SSH uses either password authentication or public key authentication. With public key authentication, pairs of public/private SSH host keys protect against “man in the middle” attacks by providing a mechanism for the SSH client to authenticate the server. SSH clients keep track of the public keys to be used to authenticate different SSH server hosts.
SSH clients in the Nortel SNA network do not silently accept new keys from previously unknown server hosts. Instead, they refuse the connection if the key does not match their known hosts.
Table 1
Communication channels in the Nortel SNA network
Communication                                                  Communication protocol
Between Nortel SNAS 4050 and edge switches                     SSH
Between Nortel SNAS 4050 devices in a cluster                  TCP and UDP
Between Nortel SNAS 4050 and client PC (TunnelGuard applet)    SSL/TLS
Between Nortel SNAS 4050 and SREM                              SSH
From edge switch to EPM                                        SNMPv3 Inform
From EPM to edge switch                                        Telnet over SSH
From authorized endpoint to DHCP server                        UDP
The Nortel SNAS 4050 supports the use of three different SSH host key types:
•RSA1
•RSA
•DSA
SSH protocol version 1 always uses RSA1 keys. SSH protocol version 2 uses either RSA or DSA keys.
For management communications in the Nortel SNA solution, the Nortel SNAS 4050 can act both as SSH server (when a user connects to the CLI using an SSH client) and as SSH client (when the Nortel SNAS 4050 initiates file or data transfers using the SCP or SFTP protocols).
For information about managing SSH keys for communication between the Nortel SNAS 4050 and the network access devices, see “Managing SSH keys using the CLI” on page 84 or “Managing SSH keys using the SREM” on page 102.
For information about managing SSH keys for Nortel SNAS 4050 management communications, see “Configuring Nortel SNAS 4050 host SSH keys using the CLI” on page 485 or “Configuring Nortel SNAS 4050 host SSH keys using the SREM” on page 548.
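The known-hosts behaviour described above (public keys tracked per server host; an unknown host or a changed key refused rather than accepted silently), as an added example in Python. This is not Nortel code; the host addresses, host names and key blobs are constructed.

```python
"""Known-hosts policy check modelled on the SSH client behaviour described
above: a server's host key is accepted only if it matches the key recorded
for that host; an unknown host or a mismatching key is refused, never
accepted silently. Added example, not Nortel code; keys are constructed."""
import base64
import hashlib
import hmac


def _placeholder_key(label: str) -> str:
    """Constructed stand-in for a base64 public-key blob (not a real SSH key)."""
    return base64.b64encode(label.encode()).decode()


# Constructed known-hosts data in the OpenSSH line format "host keytype key".
# "ssh-dss" is the key type string OpenSSH uses for DSA host keys.
KNOWN_HOSTS = "\n".join([
    "# edge switches managed by the SNAS (constructed entries)",
    f"192.168.128.20 ssh-rsa {_placeholder_key('edge-switch-1-rsa')}",
    f"192.168.128.21,switch2 ssh-dss {_placeholder_key('edge-switch-2-dsa')}",
])


def parse_known_hosts(text: str) -> dict:
    """Return {(host, keytype): key_b64}; blank and comment lines are skipped.
    A host field may list several comma-separated names for the same key."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 3:
            raise ValueError(f"malformed known_hosts line: {raw!r}")
        hosts, keytype, key = parts[0], parts[1], parts[2]
        for host in hosts.split(","):
            entries[(host, keytype)] = key
    return entries


def fingerprint(key_b64: str) -> str:
    """SHA-256 fingerprint in the form OpenSSH prints (base64, no padding)."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def check_host_key(known: dict, host: str, keytype: str, presented_b64: str):
    """Decide whether the client may proceed with the connection.
    Returns (decision, reason) with decision "accept" or "refuse"."""
    recorded = known.get((host, keytype))
    if recorded is None:
        # Unknown host (or no key of this type for it): do not learn the key
        # on first use; the operator must install it deliberately.
        return "refuse", f"{host}: no {keytype} key in known hosts"
    if hmac.compare_digest(recorded, presented_b64):
        return "accept", f"{host}: key matches {fingerprint(recorded)}"
    # A changed key is exactly what a man-in-the-middle attempt would produce.
    return "refuse", (f"{host}: key mismatch; recorded {fingerprint(recorded)}, "
                      f"presented {fingerprint(presented_b64)}")


if __name__ == "__main__":
    known = parse_known_hosts(KNOWN_HOSTS)
    for host, ktype, key in [
        ("192.168.128.20", "ssh-rsa", _placeholder_key("edge-switch-1-rsa")),
        ("192.168.128.20", "ssh-rsa", _placeholder_key("something-else")),
        ("192.168.128.99", "ssh-rsa", _placeholder_key("never-seen")),
    ]:
        print(*check_host_key(known, host, ktype, key))
```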
Nortel SNAS 4050 clusters
A cluster is a group of Nortel SNAS 4050 devices that share the same configuration parameters. Nortel Secure Network Access Switch Software Release 1.0 supports two Nortel SNAS 4050 devices, or nodes, in a cluster. A Nortel SNA network can contain multiple clusters.
Clustering offers the following benefits:
•manageability — The cluster is a single, seamless unit that automatically pushes configuration changes to its members.
•scalability — The Nortel SNAS 4050 nodes in a cluster share the burden of resource-intensive operations. The cluster distributes control of the network access devices between the Nortel SNAS 4050 nodes and distributes handling of session logon. As a result, Nortel SNAS 4050 devices in a cluster can control more switches and handle more user sessions.
•fault tolerance — If a Nortel SNAS 4050 device fails, the failure is detected by the other node in the cluster, which takes over the switch control and session handling functions of the failed device. As long as there is one running Nortel SNAS 4050, no sessions will be lost.
The devices in the cluster can be located anywhere in the network and do not have to be physically connected to each other. All the Nortel SNAS 4050 devices in the cluster must be in the same subnet. The cluster is created during initial setup of the second node, when you specify that the setup is a join operation and you associate the node with an existing Management IP address (MIP).
For more information about Nortel SNAS 4050 IP addresses, see “About the IP addresses” on page 51. For information about adding a node to a cluster, see “Adding a Nortel SNAS 4050 device to a cluster” on page 61.
One-armed and two-armed configurations
The Nortel SNAS 4050 must interface to two kinds of traffic: client and management. The interface to the client side handles traffic between the TunnelGuard applet on the client and the portal. The interface to the management side handles Nortel SNAS 4050 management traffic (traffic connecting the Nortel SNAS 4050 to internal resources and configuring the Nortel SNAS 4050 from a management station).
There are two ways to configure the Nortel SNAS 4050 interfaces:
•one-armed configuration (see “One-armed configuration” on page 41)
•two-armed configuration (see “Two-armed configuration” on page 41)
You specify whether the Nortel SNAS 4050 will function in a one-armed or two-armed configuration during initial setup (see “Initial setup” on page 49).
One-armed configuration
In a one-armed configuration, the Nortel SNAS 4050 has only one interface, which acts as both the client portal interface and the management traffic interface.
Figure 1 illustrates a one-armed configuration.
Figure 1
One-armed configuration
[Figure 1 shows NSNAS 1 with a single management/client portal interface (1) addressed 192.168.128.11 (MIP [management]), 192.168.128.12 (RIP [host]) and 192.168.128.100 (pVIP [portal]), with default gateway 192.168.128.1, connected to the Internet, a management station, an endpoint device and a network access device.]
Two-armed configuration
In a two-armed configuration, there are two separate interfaces. Interface 1 handles management traffic. Interface 2 handles client portal traffic.
Figure 2 illustrates a two-armed configuration.
Figure 2
Two-armed configuration
[Figure 2 shows NSNAS 1 with a management interface (1) addressed 10.1.0.11 (MIP [management]) and 10.1.0.12 (RIP 1 [host]) and a client portal interface (2) addressed 192.168.128.11 (RIP 2 [host]) and 192.168.128.100 (pVIP [portal]), with default gateway 192.168.128.1, connected to the Internet, a management station, an endpoint device and a network access device.]
Nortel SNA configuration and management tools
You can use a number of device and network management tools to configure the Nortel SNAS 4050 and manage the Nortel SNA solution:
Command Line Interface (CLI)
You must use the CLI to perform initial setup on the Nortel SNAS 4050 and to set up the Secure Shell (SSH) connection between the Nortel SNAS 4050 and the network access devices, and between the Nortel SNAS 4050 and the GUI management tool. You can then continue to use the CLI to configure and manage the Nortel SNAS 4050, or you can use the GUI.
The configuration chapters in this User Guide describe the specific CLI commands used to configure the Nortel SNAS 4050. For general information about using the CLI, see Chapter 16, “The Command Line Interface,” on page 769.
Security & Routing Element Manager (SREM)
The SREM is a GUI application you can use to configure and manage the Nortel SNAS 4050.
The configuration chapters in this User Guide describe the specific steps to configure the Nortel SNAS 4050 using the SREM. For general information about installing and using the SREM, see Installing and Using the Security & Routing Element Manager (SREM) (320199-B).
Enterprise Policy Manager (EPM) release 4.2
Enterprise Policy Manager (EPM) is a security policy and quality of service provisioning application. You can use EPM to provision filters on the Nortel SNA network access devices. EPM 4.2 supports preconfiguration of Red, Yellow, and Green VLAN filters prior to enabling the NSNA feature. In future releases of the Nortel SNAS 4050 and EPM software, users will have the additional ability to add and modify security and quality of service filters while Nortel SNA is enabled on the device.
For general information about installing and using EPM, see Installing Nortel Enterprise Policy Manager (318389).
Simple Network Management Protocol (SNMP) agent
For information about configuring SNMP for the Nortel SNAS 4050, see “Configuring SNMP” on page 617.
Nortel SNAS 4050 configuration roadmap
The following task list is an overview of the steps required to configure the Nortel SNAS 4050 and the Nortel SNA solution.
1 Configure the network DNS server to create a forward lookup zone for the Nortel SNAS 4050 domain.
For an example, see “Configuration example” on page 779.
2 Configure the network DHCP server.
For an example, see “Configuration example” on page 779.
For each VLAN:
a Create a DHCP scope.
b Specify the IP address range and subnet mask for that scope.
c Configure the following DHCP options:
— Specify the default gateway.
— Specify the DNS server to be used by endpoints in that scope.
— If desired, configure DHCP so that the IP Phones learn their VLAN configuration data automatically from the DHCP server. For more information, see Appendix F, “Configuring DHCP to auto-configure IP Phones,” on page 891.
3 Configure the network core router:
a Create the Red, Yellow, Green, VoIP, and Nortel SNAS 4050 management VLANs.
b If the edge switches are operating in Layer 2 mode, enable 802.1q tagging on the uplink ports to enable them to participate in multiple VLANs, then add the ports to the applicable VLANs.
c Configure IP addresses for the VLANs.
These IP interfaces are the default gateways the DHCP Relay will use.
d If the edge switches are operating in Layer 2 mode, configure DHCP relay agents for the Red, Yellow, Green, and VoIP VLANs.
Note: For the Red VLANs, the DNS server setting is one of the Nortel SNAS 4050 portal Virtual IP addresses (pVIP).
While the endpoint is in the Red VLAN, there are limited DNS server functions to be performed, and the Nortel SNAS 4050 itself acts as the DNS server. When the endpoint is in one of the other VLANs, DNS requests are forwarded to the corporate DNS servers.
The DNS server setting is required for the captive portal to work.
Note: The uplink ports must participate in all the VLANs.
Use the applicable show commands on the router to verify that DHCP relay has been activated to reach the correct scope for each VLAN.
For more information about performing these general configuration steps, see the regular documentation for the type of router used in your network.
4 Configure the network access devices:
a Configure static routes to all the networks behind the core router.
b Configure the switch management VLAN, if necessary.
c Configure and enable SSH on the switch.
d Configure the Nortel SNAS 4050 portal Virtual IP address (pVIP)/subnet.
e Configure port tagging, if applicable.
For a Layer 2 switch, the uplink ports must be tagged to allow them to participate in multiple VLANs.
f Create the port-based VLANs.
These VLANs are configured as VoIP, Red, Yellow, and Green VLANs in step i and step j.
g Configure DHCP relay and IP routing if the switch is used in Layer 3 mode.
h (Optional) Configure the Red, Yellow, Green, and VoIP filters.
The filters are configured automatically as predefined defaults when you configure the Red, Yellow, and Green VLANs (step j). Configure the filters manually only if your particular system setup requires you to modify the default filters. You can modify the filters after NSNA is enabled.
i Configure the VoIP VLANs.
j Configure the Red, Yellow, and Green VLANs, associating each with the applicable filters.
k Configure the NSNA ports.
Identify switch ports as either uplink or dynamic. When you configure the uplink ports, you associate the NSNA VLANs with those ports. Clients are connected on the dynamic ports. You can configure NSNA ports (both dynamic and uplink) after NSNA is enabled globally.
l Enable NSNA globally.
For more information about configuring an Ethernet Routing Switch 5510, 5520, or 5530 in a Nortel SNA network, see Release Notes for Nortel Ethernet Routing Switch 5500 Series, Software Release 4.3 (217468-B).
For more information about configuring an Ethernet Routing Switch 8300 in a Nortel SNA network, see Release Notes for the Ethernet Routing Switch 8300, Software Release 2.2.8 (316811-E).
For an example of the commands used to create a Nortel SNA configuration, see “Configuration example” on page 779.
5 Perform the initial setup on the Nortel SNAS 4050 (see “Initial setup” on page 52). Nortel recommends running the quick setup wizard during initial setup, in order to create and configure basic settings for a fully functional portal.
6 Enable SSH and SRS Admin to allow communication with the SREM (see “Configuring administrative settings using the CLI” on page 483).
7 Generate and activate the SSH key for communication between the Nortel SNAS 4050 and the network access devices (see “Managing SSH keys using the CLI” on page 84 or “Managing SSH keys using the SREM” on page 102).
8 Specify the Software Requirement Set (SRS) rule for the default tunnelguard group (see “Configuring groups using the CLI” on page 198 or “Configuring groups using the SREM” on page 208).
9 Add the network access devices and export the SSH key (see “Adding a network access device using the CLI” on page 75 or “Adding a network access device using the SREM” on page 91).
10 Specify the VLAN mappings (see “Mapping the VLANs using the CLI” on page 82 or “Mapping the VLANs using the SREM” on page 96).
11 Test NSNA connectivity by using the /maint/chkcfg command in the CLI (see “Performing maintenance using the CLI” on page 726) or checking the configuration in the SREM (see “Checking configuration using the SREM” on page 741).
12 Configure groups (see “Configuring groups and profiles” on page 191).
13 Configure client filters (see “Configuring client filters using the CLI” on page 201).
14 Configure extended profiles (see “Configuring extended profiles using the CLI” on page 203).
15 Specify the authentication mechanisms (see “Configuring authentication” on page 233).
16 Configure system users (see “Managing system users and groups” on page 353).
17 Configure the end user experience (see “Customizing the portal and user logon” on page 385).
Chapter 2 Initial setup
This chapter includes the following topics:
Topic                                                                  Page
Before you begin                                                       50
About the IP addresses                                                 51
Initial setup                                                          52
Setting up a single Nortel SNAS 4050 device or the first in a cluster  52
Adding a Nortel SNAS 4050 device to a cluster                          61
Next steps                                                             66
Applying and saving the configuration                                  67
Applying and saving the configuration using the CLI                    68
Applying and saving the configuration using the SREM                   68
Before you begin
Before you can set up the Nortel SNAS 4050, you must complete the following tasks:
1 Plan the network. For more information, see Nortel Secure Network Access Solution Guide (320817-A).
In order to configure the Nortel SNAS 4050, you require the following information:
•IP addresses
— Nortel SNAS 4050 Management IP address (MIP), portal Virtual IP address (pVIP), Real IP address (RIP)
— default gateway
— DNS server
— NTP server (if applicable)
— external authentication servers (if applicable)
— network access devices
— remediation server (if applicable)
For more information about the Nortel SNAS 4050 MIP, pVIP, and RIP, see “About the IP addresses” on page 51.
•VLAN IDs
— Nortel SNAS 4050 management VLAN
— Red VLANs
— Yellow VLANs
— Green VLANs
— VoIP VLANs
•Groups and profiles to be configured
2 Configure the network DNS server, DHCP server, core router, and network access devices, as described in “Nortel SNAS 4050 configuration roadmap” on page 43, steps 1 through 4.
3 Install the Nortel SNAS 4050 device. For more information, see Nortel Secure Network Access Switch 4050 Installation Guide (320846-A).
4 Establish a console connection to the Nortel SNAS 4050 (see “Establishing a console connection” on page 770).
About the IP addresses
Management IP address
The Management IP address (MIP) identifies the Nortel SNAS 4050 in the network. In a multi-Nortel SNAS 4050 solution, the MIP is an IP alias to one of the Nortel SNAS 4050 devices in the cluster and identifies the cluster. The MIP always resides on a master Nortel SNAS 4050 device. If the master Nortel SNAS 4050 that currently holds the MIP fails, the MIP automatically migrates to a functional master Nortel SNAS 4050. In order to configure the Nortel SNAS 4050 or Nortel SNAS 4050 cluster remotely, you connect to the MIP using Telnet (for the CLI) or SSH (for the CLI or the SREM).
Portal Virtual IP address
The portal Virtual IP address (pVIP) is the address assigned to the Nortel SNAS 4050 device’s web portal server. The pVIP is the address to which clients connect in order to access the Nortel SNA network. While the client is in the Red VLAN and the Nortel SNAS 4050 is acting as DNS server, the pVIP is the DNS server IP address. Although it is possible to assign more than one pVIP to a Nortel SNAS 4050 device, Nortel recommends that each Nortel SNAS 4050 have only one pVIP. When the Nortel SNAS 4050 portal is configured as a captive portal, the pVIP is used to load balance logon requests.
Real IP address
The Real IP address (RIP) is the Nortel SNAS 4050 device host IP address for network connectivity. The RIP is the IP address used for communication between Nortel SNAS 4050 devices in a cluster. The RIP must be unique on the network and must be within the same subnet as the MIP. In a two-armed configuration, the Nortel SNAS 4050 device has two RIPs: one for the client portal interface and one for the management traffic interface (see “One-armed and two-armed configurations” on page 40).
Initial setup
The initial setup is a guided process that launches automatically the first time you power up the Nortel SNAS 4050 and log on. You must use a console connection in order to perform the initial setup.
•For a standalone Nortel SNAS 4050 or the first Nortel SNAS 4050 in a cluster, see “Setting up a single Nortel SNAS 4050 device or the first in a cluster” on page 52.
•To add a Nortel SNAS 4050 to a cluster, see “Adding a Nortel SNAS 4050 device to a cluster” on page 61.
Setting up a single Nortel SNAS 4050 device or the first in a cluster
1 Log on using the following username and password:
login: admin
Password: admin
Note: Nortel recommends that you always use the MIP for remote configuration, even though it is possible to configure the Nortel SNAS 4050 device remotely by connecting to its RIP. Connecting to the MIP allows you to access all the Nortel SNAS 4050 devices in a cluster. The MIP is always up, even if one of the Nortel SNAS 4050 devices is down and therefore not reachable at its RIP.
The Setup Menu displays.
2 Select the option for a new installation.
3 Specify the management interface port number. This port will be assigned to Interface 1.
In a one-armed configuration, you are specifying the port you want to use for all network connectivity, since Interface 1 is used for both management traffic (Nortel SNAS 4050 management and connections to intranet resources) and client portal traffic (traffic between the TunnelGuard applet on the client and the portal).
Alteon iSD NSNAS
Hardware platform: 4050
Software version: x.x
-------------------------------------------------------
[Setup Menu]
join - Join an existing cluster
new  - Initialize host as a new installation
boot - Boot menu
info - Information menu
exit - Exit [global command, always available]
>> Setup#
>> Setup# new
Setup will guide you through the initial configuration.
Enter port number for the management interface [1-4]: <port>
In a two-armed configuration, you are specifying the port you want to use for Nortel SNAS 4050 management traffic.
4 Specify the RIP for this device. This IP address will be assigned to Interface 1.
The RIP must be unique on the network and must be within the same subnet as the MIP.
5 Specify the network mask for the RIP on Interface 1.
6 If the core router attaches VLAN tag IDs to incoming packets, specify the VLAN tag ID used.
If you do not specify a VLAN tag id (in other words, you accept the default value of zero), the traffic will not be VLAN tagged. When configuring the network access devices in Layer 2 configurations, ensure that you add the uplink ports to the Nortel SNAS 4050 management VLAN, for traffic between the Nortel SNAS 4050 and the network access device.
Note: You can later convert a one-armed configuration into a two-armed one by adding a new interface to the cluster and assigning an unused port to that interface. The new interface will be used exclusively for client portal traffic. For information about adding a new interface, see “Configuring host interfaces using the CLI” on page 469 or “Configuring host interfaces using the SREM” on page 508. For information about assigning ports to an interface, see “Configuring host ports using the CLI” on page 472 or “Configuring host ports using the SREM” on page 520.
Enter IP address for this machine (on management interface): <IPaddr>
Enter network mask [255.255.255.0]: <mask>
Enter VLAN tag id (or zero for no VLAN) [0]:
7 Specify whether you are setting up a one-armed or a two-armed configuration.
•If you are setting up a one-armed configuration, press Enter to accept the default value (no). Go to step 8.
•If you are setting up a two-armed configuration, enter yes. Go to step 9.
8 Specify the default gateway IP address.
The default gateway is the IP address of the interface on the core router that will be used if no other interface is specified. The default gateway IP address must be within the same network address range as the RIP.
Go to step 10.
9 Configure the interface for client portal traffic (Interface 2).
a Specify a port number for the client portal interface. This port will be assigned to Interface 2. The port number must not be the same as the port number for the management interface (Interface 1).
b Specify the RIP for Interface 2.
c Specify the network mask for the RIP on Interface 2.
d If the core router attaches VLAN tag IDs to incoming packets, specify the VLAN tag ID used.
e Specify the default gateway IP address for Interface 2. The default gateway is the IP address of the interface on the core router that will be used if no other interface is specified. The default gateway IP address on Interface 2 must be within the same subnet as the RIP for Interface 2.
Setup a two armed configuration (yes/no) [no]:
Enter default gateway IP address (or blank to skip): <IPaddr>
10 Specify the MIP for this device or cluster.
The MIP must be unique on the network and must be within the same subnet as the RIP and the default gateway for Interface 1.
11 Specify the time zone.
If you do not know the time zone you need, press <CR> to access the selection menus:
Note: If you receive an error message that the iSD (the Nortel SNAS 4050 device) cannot contact the gateway, verify your settings on the core router. Do not proceed with the initial setup until the connectivity test succeeds.
Enter port number for the traffic interface [1-4]: <port>
Enter IP address for this machine (on traffic interface): <IPaddr>
Enter network mask [255.255.255.0]: <mask>
Enter VLAN tag id (or zero for no VLAN) [0]:
Enter default gateway IP address (on the traffic interface): <IPaddr>
Enter the Management IP (MIP) address: <IPaddr>
Making sure the MIP does not exist...ok
Trying to contact gateway...ok
Enter a timezone or 'select' [select]: <timezone>
Select a continent or ocean: <Continent or ocean by number>
Select a country: <Country by number>
Select a region: <Region by number, if applicable>
Selected timezone: <Suggested timezone, based on your selections>
12 Configure the time settings.
13 Specify the NTP server, if applicable.
14 Specify the DNS server, if applicable.
15 Generate the SSH host keys for secure management and maintenance communication from and to Nortel SNAS 4050 devices.
If you do not generate the SSH host keys at this stage, generate them later when you configure the system (see “Configuring Nortel SNAS 4050 host SSH keys using the CLI” on page 485 or “Configuring Nortel SNAS 4050 host SSH keys using the SREM” on page 548).
For communication between the Nortel SNAS 4050 and the network access devices, generate the SSH key after you have completed the initial setup (see “Managing SSH keys using the CLI” on page 84 or “Managing SSH keys using the SREM” on page 102).
Note: If you do not have access to an NTP server at this point, you can configure this item after the initial setup is completed. See “Configuring date and time settings using the CLI” on page 475 or “Managing date and time settings using the SREM” on page 528.
Enter the current date (YYYY-MM-DD) [2005-05-02]:
Enter the current time (HH:MM:SS) [19:14:52]:
Enter NTP server address (or blank to skip): <IPaddr>
Enter DNS server address (or blank to skip): <IPaddr>
Generate new SSH host keys (yes/no) [yes]: This may take a few seconds...ok
16 Change the admin user password, if desired.
Make sure you remember the password you define for the admin user. You will need to provide the correct admin user password when logging in to the Nortel SNAS 4050 (or the Nortel SNAS 4050 cluster) for configuration purposes.
17 Run the Nortel SNAS 4050 quick setup wizard. This creates all the settings required to enable a fully functional portal, which you can customize later (see “Configuring the domain” on page 117).
For information about the default settings created by the wizard, see “Settings created by the quick setup wizard” on page 60.
a Start the quick setup wizard.
b Specify the pVIP of the Nortel SNAS 4050 device.
c Specify a name for the Nortel SNAS 4050 domain.
d Specify any domain names you wish to add to the DNS search list, as a convenience to clients. If the domain name is in the DNS search list, clients can use a shortened form of the domain name in the address fields on the Nortel SNAS 4050 portal.
Enter a password for the "admin" user:
Re-enter to confirm:
Run NSNAS quick setup wizard [yes]: yes
Creating default networks under /cfg/domain 1/aaa/network
Enter NSNAS Portal Virtual IP address(pvip): <IPaddr>
Enter NSNAS Domain name: <name>
Enter comma separated DNS search list (eg company.com,intranet.company.com):
For example, if you entered company.com in the DNS search list, users can type nsnas to connect to nsnas.company.com from the portal page.
e If you want to enable HTTP to HTTPS redirection, create a redirect server.
f Specify the action to be performed when an SRS rule check fails. The options are:
•restricted. The session remains intact, but access is restricted in accordance with the rights specified in the access rules for the group.
•teardown. The SSL session is torn down.
The default is restricted.
g Create the default user and group.
The wizard creates a default user (tg) within a group (tunnelguard), which you can subsequently reuse. The wizard also creates the default client filters, profiles, and linksets to be applied when the user passes (tg_passed) or fails (tg_failed) the TunnelGuard check. The wizard prompts you to specify the VLAN IDs to associate with the respective profiles.
Create http to https redirect server [no]:
Use restricted (teardown/restricted) action for TunnelGuard failure? [yes]:
The action to be performed when the TunnelGuard check fails depends on your selection in step f on page 59.
Settings created by the quick setup wizard
The quick setup wizard creates the following basic Nortel SNAS 4050 settings:
1 A Nortel SNAS 4050 domain (Domain 1). A Nortel SNAS 4050 domain encompasses all switches, authentication servers, and remediation servers associated with that Nortel SNAS 4050.
2 A virtual SSL server. A portal IP address, or pVIP, is assigned to the virtual SSL server. Clients connect to the pVIP in order to access the portal.
3 A test certificate has been installed and mapped to the Nortel SNAS 4050 portal.
4 The authentication method is set to Local database.
5 One test user is configured. You were prompted to set a user name and password during the quick setup wizard (in this example, user name and password are both set to tg). The test user belongs to a group called tunnelguard. There are two profiles within the group: tg_passed and tg_failed. Each profile has a client filter and a linkset associated with it.
Create default tunnel guard user [no]: yes
Using 'restricted' action for TunnelGuard failure.
User name: tg
User password: tg
Creating client filter 'tg_passed'.
Creating client filter 'tg_failed'.
Creating linkset 'tg_passed'.
Creating linkset 'tg_failed'.
Creating group 'tunnelguard' with secure access.
Creating extended profile, full access when tg_passed
Enter green vlan id [110]: <VID>
Creating extended profile, remediation access when tg_failed
Enter yellow vlan id [120]: <VID>
Creating user 'tg' in group 'tunnelguard'.
Initializing system......ok
Setup successful. Relogin to configure.
The profiles determine the VLAN to which the user will be allocated. Table 2 shows the extended profiles that have been created.
6 One or several domain names have been added to the DNS search list, depending on what you specified at the prompt in the quick setup wizard. This means that the client can enter a short name in the portal’s various address fields (for example, inside instead of inside.example.com if example.com was added to the search list).
7 If you selected the option to enable http to https redirection, an additional server of the http type was created to redirect requests made with http to https, since the Nortel SNAS 4050 portal requires an SSL connection.
Adding a Nortel SNAS 4050 device to a cluster
After you have installed the first Nortel SNAS 4050 in a cluster (see “Setting up a single Nortel SNAS 4050 device or the first in a cluster” on page 52), you can add another Nortel SNAS 4050 to the cluster by configuring the second Nortel SNAS 4050 setup to use the same MIP. When you set up the Nortel SNAS 4050 to join an existing cluster, the second Nortel SNAS 4050 gets most of its configuration from the existing Nortel SNAS 4050 device in the cluster. The amount of configuration you need to do at setup is minimal.
You can later modify settings for the cluster, the device, and the interfaces using the /cfg/sys/[host <host ID>/interface] commands.
Table 2
Extended profile details
Index  Client filter name  VLAN ID  Linkset name
1      tg_failed           yellow   tg_failed
2      tg_passed           green    tg_passed
Before you begin
Log on to the existing Nortel SNAS 4050 device to check the software version and system settings. Use the /boot/software/cur command to check the currently installed software version (for more information, see “Managing software for a Nortel SNAS 4050 device using the CLI” on page 734). Use the /cfg/sys/accesslist/list command to view settings for the Access List (for more information, see “Configuring the Access List using the CLI” on page 474).
Do not proceed with the join operation until the following requirements are met.
•Verify that the IP addresses you will assign to the new Nortel SNAS 4050 device conform to Nortel SNA network requirements. For more information, see “About the IP addresses” on page 51 and “One-armed and two-armed configurations” on page 40.
•The Access List has been updated, if necessary.
The Access List is a system-wide list of IP addresses for hosts authorized to access the Nortel SNAS 4050 devices by Telnet and SSH.
If the /info/sys command executed on the existing Nortel SNAS 4050 shows no items configured for the Access List, no action is required. However, if the Access List is not empty before the new Nortel SNAS 4050 joins the cluster, you must add to the Access List the cluster’s MIP, the existing Nortel SNAS 4050 RIP on Interface 1, and the new Nortel SNAS 4050 RIP on Interface 1. You must do this before you perform the join operation, or the devices will not be able to communicate with each other.
For information about adding entries to the Access List, see “Configuring the Access List using the CLI” on page 474.
The existing Nortel SNAS 4050 and the new Nortel SNAS 4050 must run the same version of software. If the versions are different, decide which version you want to use and then do one of the following:
To change the version on the new NSNAS, download the desired software
image and reinstall the software (see “Reinstalling the software” on
page 763).
Chapter 2 Initial setup 63
Nortel Secure Network Access Switch 4050 User Guide
To change the version on the existing NSNAS, download the desired
software image and upgrade the software on the existing cluster (see
“Upgrading the Nortel SNAS 4050” on page 757).
Joining a cluster
1 Log on using the following username and password:
login: admin Password: admin
The Setup Menu displays.
2 Select the option to join an existing cluster.
3 Specify the management interface port number. This port will be assigned to Interface 1.
Note: Nortel recommends always using the most recent software version.
Alteon iSD NSNAS
Hardware platform: 4050
Software version: x.x
-------------------------------------------------------
[Setup Menu]
join - Join an existing cluster
new - Initialize host as a new installation
boot - Boot menu
info - Information menu
exit - Exit [global command, always available]
>> Setup#
>> Setup# join
Setup will guide you through the initial configuration.
Enter port number for the management interface [1-4]: <port>
In a one-armed configuration, you are specifying the port you want to use for all network connectivity, since Interface 1 is used for both management traffic (Nortel SNAS 4050 management and connections to intranet resources) and client portal traffic (traffic between the TunnelGuard applet on the client and the portal).
In a two-armed configuration, you are specifying the port you want to use for Nortel SNAS 4050 management traffic.
4 Specify the RIP for this device. This IP address will be assigned to Interface 1.
The RIP must be unique on the network and must be within the same subnet as the MIP.
5 Specify the network mask for the RIP on Interface 1.
6 If the core router attaches VLAN tag IDs to incoming packets, specify the VLAN tag ID used.
7 Specify whether you are setting up a one-armed or a two-armed configuration.
If you are setting up a one-armed configuration, press Enter to accept the default value (no). Go to step 9.
If you are setting up a two-armed configuration, enter yes. Go to step 8.
Note: For consistency, Nortel recommends that you specify the same port number for the management interface port on all Nortel SNAS 4050 devices in the cluster.
Enter IP address for this machine (on management interface): <IPaddr>
Enter network mask [255.255.255.0]: <mask>
Enter VLAN tag id (or zero for no VLAN) [0]:
Setup a two armed configuration (yes/no) [no]:
8 Configure the interface for client portal traffic (Interface 2).
a Specify a port number for the client portal interface. This port will be assigned to Interface 2. The port number must not be the same as the port number for the management interface (Interface 1).
b Specify the RIP for Interface 2.
c Specify the network mask for the RIP on Interface 2.
d If the core router attaches VLAN tag IDs to incoming packets, specify the VLAN tag ID used.
9 Specify the MIP of the existing cluster.
10 Specify the default gateway IP address for Interface 2. The default gateway is the IP address of the interface on the core router that will be used if no other interface is specified. The default gateway IP address on Interface 2 must be within the same subnet as the RIP for Interface 2.
11 Provide the correct admin user password configured for the existing cluster.
Enter port number for the traffic interface [1-4]: <port>
Enter IP address for this machine (on traffic interface): <IPaddr>
Enter network mask [255.255.255.0]: <mask>
Enter VLAN tag id (or zero for no VLAN) [0]:
The system is initialized by connecting to the management server on an existing iSD, which must be operational and initialized.
Enter the Management IP (MIP) address: <IPaddr>
Enter default gateway IP address (on the traffic interface): <IPaddr>
Enter the existing admin user password: <password>
12 Wait while the Setup utility finishes processing. When processing is complete, you will see Setup successful.
The new Nortel SNAS 4050 automatically picks up all other required configuration data from the existing Nortel SNAS 4050 in the cluster. After a short while, you receive the login prompt.
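The join requirements stated in this section (matching software versions, a RIP in the MIP subnet, the Access List entries, a distinct Interface 2 port and an in-subnet Interface 2 gateway for a two-armed setup) collected into a checklist you can run before answering the Setup prompts. This is an added example, not Nortel code; the addresses in SAMPLE_PLAN are constructed placeholders and nothing here talks to the appliance.

```python
"""Pre-join checklist for adding a Nortel SNAS 4050 to an existing cluster.

Added example, not Nortel code: it encodes the requirements the setup text
states as checks over values the operator has already gathered with
/boot/software/cur and /cfg/sys/accesslist/list on the existing device.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class JoinPlan:
    """Values from the existing cluster plus the answers planned for Setup."""
    existing_version: str
    new_version: str
    mip: str                      # cluster Management IP
    existing_rip1: str            # existing device RIP on Interface 1
    new_rip1: str                 # planned RIP on Interface 1
    rip1_mask: str
    mgmt_port: int                # Interface 1 port, [1-4]
    access_list: List[str] = field(default_factory=list)  # empty = unrestricted
    two_armed: bool = False
    traffic_port: Optional[int] = None   # Interface 2 port, [1-4]
    new_rip2: Optional[str] = None
    rip2_mask: Optional[str] = None
    gateway2: Optional[str] = None


def _same_subnet(addr: str, other: str, mask: str) -> bool:
    """True when addr lies in the subnet that other/mask belongs to."""
    net = ipaddress.IPv4Network(f"{other}/{mask}", strict=False)
    return ipaddress.IPv4Address(addr) in net


def check_join(plan: JoinPlan) -> List[str]:
    """Return human-readable problems; an empty list means the join may proceed."""
    problems: List[str] = []

    # Both devices must run the same software release before joining.
    if plan.existing_version != plan.new_version:
        problems.append(
            f"software mismatch: existing {plan.existing_version}, new {plan.new_version}")

    # The new RIP must be unique and in the same subnet as the MIP.
    if plan.new_rip1 in (plan.mip, plan.existing_rip1):
        problems.append(f"RIP {plan.new_rip1} is not unique on the network")
    if not _same_subnet(plan.new_rip1, plan.mip, plan.rip1_mask):
        problems.append(f"RIP {plan.new_rip1} is not in the MIP subnet")

    # A non-empty Access List must already hold the MIP and both Interface 1
    # RIPs, or the two devices cannot talk to each other after the join.
    if plan.access_list:
        for label, addr in (("MIP", plan.mip),
                            ("existing RIP", plan.existing_rip1),
                            ("new RIP", plan.new_rip1)):
            if addr not in plan.access_list:
                problems.append(f"Access List is missing the {label} {addr}")

    if not 1 <= plan.mgmt_port <= 4:
        problems.append(f"management port {plan.mgmt_port} outside 1-4")

    # Two-armed: Interface 2 needs its own port, RIP, mask and an in-subnet gateway.
    if plan.two_armed:
        missing = [n for n in ("traffic_port", "new_rip2", "rip2_mask", "gateway2")
                   if getattr(plan, n) is None]
        if missing:
            problems.append("two-armed setup missing: " + ", ".join(missing))
        else:
            if plan.traffic_port == plan.mgmt_port:
                problems.append("traffic interface port must differ from management port")
            if not _same_subnet(plan.gateway2, plan.new_rip2, plan.rip2_mask):
                problems.append(f"gateway {plan.gateway2} not in Interface 2 subnet")
    return problems


# Constructed scenario: the Access List was populated with the MIP and the
# existing RIP but the operator forgot the new device's RIP.
SAMPLE_PLAN = JoinPlan(
    existing_version="1.0", new_version="1.0",
    mip="192.0.2.10", existing_rip1="192.0.2.11", new_rip1="192.0.2.12",
    rip1_mask="255.255.255.0", mgmt_port=1,
    access_list=["192.0.2.10", "192.0.2.11", "192.0.2.50"],
)

if __name__ == "__main__":
    for problem in check_join(SAMPLE_PLAN) or ["no problems found"]:
        print(problem)
```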
Next steps
1 To enable the SREM connection to the Nortel SNAS 4050:
a Use the /cfg/sys/adm/ssh on command to enable SSH access to the Nortel SNAS 4050 (for more information, see “Configuring administrative settings using the CLI” on page 483).
b Use the /cfg/sys/adm/srsadmin ena command to enable TunnelGuard SRS administration (for more information, see “Enabling TunnelGuard SRS administration using the CLI” on page 485 or “Configuring SRS control settings using the SREM” on page 547).
From this point on, you can configure the Nortel SNAS 4050 using either the CLI or the SREM.
2 To enable remote management using Telnet, use the /cfg/sys/adm/telnet on command to enable Telnet access to the Nortel SNAS 4050 (for more information, see “Configuring administrative settings using the CLI” on page 483).
Note: For greater security, you may want to restrict access to the Nortel SNAS 4050 to those machines specified in an Access List. In this case, ensure that you add an IP address for the SREM to the Access List. For more information about using the Access List to control Telnet and SSH access, see “Configuring the Access List using the CLI” on page 474 or “Configuring the access list using the SREM” on page 525.
Setup successful.
login:
3 To finish connecting the Nortel SNAS 4050 to the rest of the network, complete the following tasks:
a Generate and activate the SSH keys for communication between the Nortel SNAS 4050 and the network access devices (see “Managing SSH keys using the CLI” on page 84 or “Managing SSH keys using the SREM” on page 102).
b Specify the SRS rule for the tunnelguard group (see “Configuring groups using the CLI” on page 198 or “Configuring groups using the SREM” on page 208).
c Add the network access devices (see “Adding a network access device using the CLI” on page 75 or “Adding a network access device using the SREM” on page 91).
d Specify the VLAN mappings (see “Mapping the VLANs using the CLI” on page 82 or “Mapping the VLANs using the SREM” on page 96).
e If you did not run the quick setup wizard during the initial setup, configure the following:
— Create the domain (see “Creating a domain using the CLI” on page 121 or “Creating a domain using the SREM” on page 151).
— Create at least one group.
— Specify the VLANs to be used when the TunnelGuard check succeeds and when it fails (see “Configuring extended profiles using the CLI” on page 203 or “Configuring extended profiles using the SREM” on page 219).
4 Save the configuration (see “Applying and saving the configuration” on page 67).
Applying and saving the configuration
On both the CLI and the SREM, you must enter explicit commands in order to make configuration changes permanent and in order to create a backup configuration file.
Applying and saving the configuration using the CLI
If you have not already done so after each sequence of configuration steps, confirm your changes using the apply command.
To view your configuration on the screen, for copy and paste into a text file, use the following command:
/cfg/dump
To save your configuration to a TFTP, FTP, SCP, or SFTP server, use the following command:
/cfg/ptcfg
For more information, see “Backing up or restoring the configuration using the CLI” on page 730.
Applying and saving the configuration using the SREM
In the SREM, there are two steps to saving configuration changes, described below:
1 Click Apply after each change, to send the change to the Nortel SNAS 4050 device.
Changes that have been applied are not yet permanent. To cancel changes that have been applied, click Revert to remove all unconfirmed changes.
2 Click Commit once your changes are complete, to change the permanent configuration on the Nortel SNAS 4050.
Committed changes take effect immediately.
Figure 3 on page 69 shows the location of the Apply and Commit buttons.
Figure 3 Apply and Commit buttons
For more information about the Apply and Commit functions, see Installing and Using the Security & Routing Element Manager (SREM) (320199-B).
Chapter 3 Managing the network access devices
This chapter includes the following topics:

Topic                                                                    Page
Before you begin                                                           72
Managing network access devices using the CLI                              73
Roadmap of domain commands                                                 73
Adding a network access device using the CLI                               75
Deleting a network access device using the CLI                             79
Configuring the network access devices using the CLI                       80
Mapping the VLANs using the CLI                                            82
Managing SSH keys using the CLI                                            84
Monitoring switch health using the CLI                                     89
Controlling communication with the network access devices using the CLI    90
Managing network access devices using the SREM                             91
Adding a network access device using the SREM                              91
Deleting a network access device using the SREM                            93
Configuring the network access devices using the SREM                      93
Mapping the VLANs using the SREM                                           96
Managing SSH keys using the SREM                                          102
Monitoring switch health using the SREM                                   111
Controlling communication with the network access devices using the SREM  115

Before you begin
In Trusted Computing Group (TCG) terminology, the edge switches in a Nortel SNA solution function as the Policy Enforcement Point. In this document, the term network access device is used to refer to the edge switch once it is configured for the Nortel SNA network.
The following edge switches can function as network access devices in the Nortel SNA solution:
• Ethernet Routing Switch 8300
• Ethernet Routing Switch 5510, 5520, and 5530
Before you can configure the edge switches as network access devices in the Nortel SNAS 4050 domain, you must complete the following:
• Create the domain, if applicable. If you ran the quick setup wizard during initial setup, Domain 1 has been created. For more information about creating a domain, see “Configuring the domain” on page 117.
• Configure the edge switches for Nortel SNA (see “Nortel SNAS 4050 configuration roadmap”, step 4 on page 45). For detailed information about configuring the edge switches for Nortel SNA, see Release Notes for the Ethernet Routing Switch 8300, Software Release 2.2.8 (316811-E) or Release Notes for Nortel Ethernet Routing Switch 5500 Series, Software Release 4.3 (217468-B).
For secure communication between the Nortel SNAS 4050 and the network access device, each must have knowledge of the other’s public SSH key. After you have added the network access device to the Nortel SNAS 4050 domain, you must exchange the necessary SSH keys (see “Managing SSH keys using the CLI” on page 84 or “Managing SSH keys using the SREM” on page 102).
You require the following information for each network access device:
• IP address of the switch
• VLAN names and VLAN IDs for the Red, Yellow, and Green VLANs
• the TCP port to be used for Nortel SNA communication
• for Ethernet Routing Switch 8300 switches, a valid rwa user name
Managing network access devices using the CLI
The Nortel SNAS 4050 starts communicating with the network access device as soon as you enable the switch on the Nortel SNAS 4050 by using the /cfg/domain #/switch #/ena command.
You cannot configure the VLAN mappings for a network access device in the Nortel SNAS 4050 domain if the switch is enabled. When you add a network access device to the domain, it is disabled by default. Do not enable the network access device until you have completed the configuration. To reconfigure the VLAN mappings for an existing network access device, first disable it by using the /cfg/domain #/switch #/dis command.
Roadmap of domain commands
The following roadmap lists the CLI commands to configure the network access devices in a Nortel SNA deployment. Use this list as a quick reference or click on any entry for more information:
Command                           Parameter
/cfg/domain #/switch <switch ID>
/cfg/domain #/switch #/delete
/cfg/domain #/switch <switch ID>  name <name>
                                  type ERS8300|ERS5500
                                  ip <IPaddr>
                                  port <port>
                                  rvid <VLAN ID>
                                  reset
                                  ena
                                  dis
                                  delete
/cfg/domain #/vlan                add <name> <VLAN ID>
                                  del <index>
                                  list
/cfg/domain #/switch #/vlan       add <name> <VLAN ID>
                                  del <index>
                                  list
/cfg/domain #/sshkey              generate
                                  show
                                  export
/cfg/domain #/switch #/sshkey     import
                                  add
                                  del
                                  show
                                  export
                                  user <user>
/cfg/domain #/switch #/hlthchk    interval <interval>
                                  deadcnt <count>
                                  sq-int <interval>
/cfg/domain #/switch #/dis
/cfg/domain #/switch #/ena
Adding a network access device using the CLI
You can add a network access device to the configuration in two ways. You must repeat the steps for each switch that you want to add to the domain configuration.
• “Using the quick switch setup wizard” on page 75
• “Manually adding a switch” on page 78
Using the quick switch setup wizard
To add a network access device to the Nortel SNAS 4050 domain using the quick switch setup wizard, use the following command:
/cfg/domain 1/quick
You can later modify all settings created by the quick switch setup wizard (see “Configuring the network access devices using the CLI” on page 80).
1 Launch the quick switch setup wizard.
2 Specify the type of switch. Valid options are:
• ERS8300 (for an Ethernet Routing Switch 8300)
• ERS5500 or ERS55 (for an Ethernet Routing Switch 5510, 5520, or 5530).
The default is ERS8300.
Note: The input is case sensitive.
3 Specify the IP address of the network access device.
>> Main# cfg/domain 1/quick
Enter the type of the switch (ERS8300/ERS5500) [ERS8300]
IP address of Switch: <IPaddr>
4 Specify the TCP port for communication between the Nortel SNAS 4050 and the network access device. The default is port 5000.
5 The SSH fingerprint of the switch is automatically picked up if the switch is reachable. If the fingerprint is successfully retrieved, go to step 7 on page 77.
If the fingerprint is not successfully retrieved, you will receive an error message and be prompted to add the SSH key.
Choose one of the following:
a To paste in a public key you have downloaded from the switch, enter Yes. Go to step 6 on page 76.
b To continue adding the switch to the configuration without adding its public SSH key at this time, press Enter to accept the default value (no).
After you have added the switch, add or import the SSH public key for the switch (see “Managing SSH keys for Nortel SNA communication using the CLI” on page 88).
Go to step 7 on page 77.
6 To add the switch public key:
a At the prompt to add the SSH key, enter Yes.
b When prompted, paste in the key from a text file, then press Enter.
c Enter an ellipsis (...) to signal the end of the key.
NSNA communication port[5000]:
Trying to retrieve fingerprint...failed.
Error: “Failed to retrieve host key”
Do you want to add ssh key? (yes/no) [no]:
d To continue, go to step 7 on page 77.
7 Specify the VLAN ID of the Red VLAN, as configured on the network access device. The network access devices in the domain can share a common Red VLAN or can each have a separate Red VLAN.
8 Wait while the wizard completes processing to add the network access device, then enter Apply to activate the changes. The system automatically assigns the lowest available switch ID to the network access device.
The switch is disabled when it is first added to the configuration. Do not enable the switch until you have completed configuring the system. For more information, see “Configuring the network access devices using the CLI” on page 80.
Do you want to add ssh key? (yes/no) [no]: yes
Paste the key, press Enter to create a new line, and then type "..." (without the quotation marks) to terminate.
> 47.80.18.98 ssh-dss
AAAAB3NzaC1kc3MAAABRAJfEJJvYic9yOrejtZ88prdWdRWBF8Qkm9iJz
3I6t6O1nzymt1Z1DVMXxCSb2InPcjq3o7WfPKa3VnUNUgTpESrFlH7ooK
+Zys8iEUbmJ3kpAAAAFQCUE/74fr6ACaxJpMcz0TlWwahdzwAAAFEAgPW
Vrk0VOOXQmfLhutwaTrxltIDkJzOEIXPfAIEpvDsvnlNkFE/i2vVdq/GT
KmAghfN3BYjRIQT0PAwUKOS5gkyfLG9I5rKqJ/hFWJThR4YAAABQI9yJG
5Q7q+2Pnk+tx1Kd44nCD6/9j7L4RIkIEnrDbgsVxvMcsNdI+HLnN+vmBR
5wd+vrW5Bq/ToMvPspwI+WbV8TjycWeC7nk/Tg++X53hc=
> ...
Red vlan id of Switch: <VLAN ID>
Creating Switch 1
Use apply to activate the new Switch.
>> Domain 1#
Manually adding a switch
To add a network access device and configure it manually, use the following command:
/cfg/domain #/switch <switch ID>
where switch ID is an integer in the range 1 to 255 that uniquely identifies the network access device in the Nortel SNAS 4050 domain.
When you first add the network access device, you are prompted to enter the following information:
• switch name — a string that identifies the switch on the Nortel SNAS 4050. The maximum length of the string is 255 characters. After you have defined a name for the switch, you can use either the switch name or the switch ID to access the Switch menu.
• type of switch — valid options are ERS8300 and ERS5500. The input is case sensitive.
• IP address of the switch.
• NSNA communication port — the TCP port for communication between the Nortel SNAS 4050 and the network access device. The default is port 5000.
• Red VLAN ID — the VLAN ID of the Red VLAN configured on the switch.
• username — the user name for an rwa user on the switch (required for Ethernet Routing Switch 8300 only).
The SSH fingerprint of the switch is automatically picked up if the switch is reachable. If the fingerprint is not successfully retrieved, you receive an error message (Error: Failed to retrieve host key). After you have added the switch, you must add or import the SSH public key for the switch (see “Managing SSH keys for Nortel SNA communication using the CLI” on page 88).
The Switch menu displays.
Figure 4 on page 79 shows sample output for the /cfg/domain #/switch command and commands on the Switch menu. For more information about the Switch menu commands, see “Configuring the network access devices using the CLI” on page 80.
Figure 4 Adding a switch manually
Deleting a network access device using the CLI
To remove a network access device from the domain configuration, first disable the switch then delete it. Use the following commands:
/cfg/domain #/switch #/dis
/cfg/domain #/switch #/delete
The disable and delete commands log out all clients connected through the switch.
>> Domain 1# switch 1
Creating Switch 3
Enter name of the switch: Switch1_ERS8300
Enter the type of the switch (ERS8300/ERS5500): ERS8300
Enter IP address of the switch: <IPaddr>
NSNA communication port[5000]:
Enter VLAN Id of the Red VLAN: <VLAN ID>
Entering: SSH Key menu
Enter username: rwa
Leaving: SSH Key menu
---------------------------------------------------------
[Switch 3 Menu]
name - Set Switch name
type - Set Type of the switch
ip - Set IP address
port - Set NSNA communication port
hlthchk - Health check intervals for switch
vlan - Vlan menu
rvid - Set Red VLAN Id
sshkey - SSH Key menu
reset - Reset all the ports on a switch
ena - Enable switch
dis - Disable switch
delete - Remove Switch
Error: Failed to retrieve host key
>> Switch 3#..
The delete command removes the current switch from the control of the Nortel SNAS 4050 cluster.
Configuring the network access devices using the CLI
When you first add a network access device to the Nortel SNAS 4050 domain, the switch is disabled by default. Do not enable the switch until you have completed configuring it. In particular, do not enable the switch until you have mapped the VLANs (see “Mapping the VLANs using the CLI” on page 82) and exchanged the necessary SSH keys (see “Managing SSH keys using the CLI” on page 84).
If you want to reconfigure the VLAN mappings or delete a VLAN for an existing network access device, use the /cfg/domain #/switch #/dis command to disable the switch first.
To configure a network access device in the Nortel SNAS 4050 domain, use the following command:
/cfg/domain #/switch <switch ID>
where switch ID is the ID or name of the switch you want to configure.
The Switch menu displays.
Note: Remember to enable the network access device after completing the configuration in order to activate the network access device in the Nortel SNA network.
The Switch menu includes the following options:
/cfg/domain #/switch <switch ID>
followed by:
name <name>
Names or renames the switch. After you have defined a name for the switch, you can use either the switch name or the switch ID to access the Switch menu.
name is a string that must be unique in the domain. The maximum length of the string is 255 characters.
type ERS8300|ERS5500
Specifies the type of network access device. Valid options are:
• ERS8300 — an Ethernet Routing Switch 8300
• ERS5500 — an Ethernet Routing Switch 5510, 5520, or 5530
The default is ERS8300.
ip <IPaddr>
Specifies the IP address of the switch.
port <port>
Specifies the TCP port used for Nortel SNA communication. The default is port 5000.
hlthchk
Accesses the Healthcheck menu, in order to configure settings for the Nortel SNAS 4050 to monitor the health of the switch (see “Monitoring switch health using the CLI” on page 89).
vlan
Accesses the Switch Vlan menu, in order to map the Green and Yellow VLANs configured on the switch (see “Mapping the VLANs using the CLI” on page 82).
rvid <VLAN ID>
Identifies the Red VLAN for the network access device.
VLAN ID is the ID of the Red VLAN, as configured on the switch.
sshkey
Accesses the SSH Key menu, in order to manage the exchange of public keys between the switch and the Nortel SNAS 4050 (see “Managing SSH keys for Nortel SNA communication using the CLI” on page 88).
reset
Resets all the Nortel SNA-enabled ports on the switch. Clients connected to the ports are moved into the Red VLAN.
ena
Enables the network access device. As soon as you enable the switch, the Nortel SNAS 4050 begins communicating with the switch and controlling its Nortel SNA clients.
dis
Disables the switch for Nortel SNA operation.
delete
Removes the switch from the Nortel SNAS 4050 domain configuration.
Mapping the VLANs using the CLI
The VLANs are configured on the network access devices. You specify the Red VLAN for each network access device when you add the switch (see “Adding a network access device using the CLI” on page 75). After adding the switch, you must identify the Yellow and Green VLANs to the Nortel SNAS 4050.
You can perform the VLAN mapping in two ways:
• for all switches in a domain (by using the /cfg/domain #/vlan/add command)
• switch by switch (by using the /cfg/domain #/switch #/vlan/add command)
Nortel recommends mapping the VLANs by domain. In this way, if you later add switches which use the same VLAN IDs, their VLAN mappings will automatically be picked up.
If you map the VLANs by domain, you can modify the mapping for a particular network access device by using the switch-level vlan command. Switch-level settings override domain settings.
To manage the VLAN mappings for all the network access devices in the Nortel SNAS 4050 domain, first disable all the switches in the domain, then use the following command:
/cfg/domain #/vlan
To manage the VLAN mappings for a specific network access device, first disable the switch in the domain, then use the following command:
/cfg/domain #/switch #/vlan
The Nortel SNAS 4050 maintains separate maps for the domain and the switch. If you add a VLAN from the domain-level vlan command, you must use the domain-level command for all future management of that mapping. Similarly, if you add a VLAN from the switch-level vlan command, you must use the switch-level command for all future management of that mapping.
The Domain vlan or Switch vlan menu displays.
The Domain vlan or Switch vlan menu includes the following options:
/cfg/domain #[/switch #]/vlan
followed by:
add <name> <VLAN ID>
Adds the specified VLAN to the domain or switch VLAN map. You are prompted to enter the required parameters if you do not include them in the command.
name is the name of the VLAN, as configured on the switch
VLAN ID is the ID of the VLAN, as configured on the switch
The system automatically assigns an index number to the VLAN entry when you add it. If you are executing the command from the Domain vlan menu, the index number indicates the position of the new entry in the domain map. If you are executing the command from the Switch vlan menu, the index number indicates the position of the new entry in the switch map.
Repeat this command for each Green and Yellow VLAN configured on the network access devices.
del <index>
Removes the specified VLAN entry from the applicable VLAN map.
index is an integer indicating the index number automatically assigned to the VLAN mapping when you created it.
The index numbers of the remaining entries adjust accordingly.
To view the index numbers for all VLAN entries in the map, use the /cfg/domain #[/switch #]/vlan/list command.
list
Displays the index number, name, and VLAN ID for all VLAN entries in the map.
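The domain-level and switch-level VLAN maps described in this section, modelled so you can see how the index numbers, the renumbering after del, the switch-level override and the "disable first" rule interact before you enable a switch. This is an added example, not Nortel code; the VLAN names and IDs in build_sample_domain are constructed.

```python
"""Model of the Nortel SNAS 4050 domain-level and switch-level VLAN maps.

Added example, not Nortel code. It encodes the rules the text gives for the
/cfg/domain #/vlan and /cfg/domain #/switch #/vlan menus: entries get an
auto-assigned index, 'del' renumbers the remaining entries, switch-level
entries override domain-level ones, and a switch must be disabled before
its mapping is changed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class VlanMap:
    """One map (domain or switch): an ordered list of (name, VLAN ID) entries."""
    entries: List[Tuple[str, int]] = field(default_factory=list)

    def add(self, name: str, vlan_id: int) -> int:
        """Append an entry and return its 1-based index, as 'vlan/add' does."""
        self.entries.append((name, vlan_id))
        return len(self.entries)

    def delete(self, index: int) -> None:
        """Remove the entry at a 1-based index; later entries shift down by one."""
        if not 1 <= index <= len(self.entries):
            raise IndexError(f"no VLAN entry with index {index}")
        del self.entries[index - 1]

    def listing(self) -> List[Tuple[int, str, int]]:
        """(index, name, VLAN ID) for every entry, as 'vlan/list' shows."""
        return [(i, n, v) for i, (n, v) in enumerate(self.entries, start=1)]


@dataclass
class Switch:
    switch_id: int
    red_vlan: int                 # set with 'rvid' when the switch is added
    enabled: bool = False         # a newly added switch starts disabled
    vlans: VlanMap = field(default_factory=VlanMap)


@dataclass
class Domain:
    vlans: VlanMap = field(default_factory=VlanMap)
    switches: Dict[int, Switch] = field(default_factory=dict)

    def add_switch(self, red_vlan: int) -> Switch:
        """Create a switch under the lowest free ID (1-255); it starts disabled."""
        sid = next(i for i in range(1, 256) if i not in self.switches)
        self.switches[sid] = Switch(sid, red_vlan)
        return self.switches[sid]

    def domain_vlan_add(self, name: str, vlan_id: int) -> int:
        """Domain-level add; every switch in the domain must be disabled first."""
        live = [s.switch_id for s in self.switches.values() if s.enabled]
        if live:
            raise RuntimeError(f"disable switches {live} before changing the domain map")
        return self.vlans.add(name, vlan_id)

    def switch_vlan_add(self, sid: int, name: str, vlan_id: int) -> int:
        """Switch-level add; refused while that switch is enabled."""
        sw = self.switches[sid]
        if sw.enabled:
            raise RuntimeError(f"disable switch {sid} before changing its map")
        return sw.vlans.add(name, vlan_id)

    def effective_vlans(self, sid: int) -> Dict[str, int]:
        """Name -> VLAN ID as the switch sees it: domain map, then switch-level overrides."""
        merged = dict(self.vlans.entries)
        merged.update(self.switches[sid].vlans.entries)
        return merged


def build_sample_domain() -> Domain:
    """Constructed scenario: two switches, the second with its own Green VLAN."""
    d = Domain()
    d.domain_vlan_add("yellow", 110)
    d.domain_vlan_add("green", 120)
    d.add_switch(red_vlan=100)
    sw2 = d.add_switch(red_vlan=100)
    d.switch_vlan_add(sw2.switch_id, "green", 220)  # overrides the domain entry
    return d
```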
Managing SSH keys using the CLI
The Nortel SNAS 4050 and the network access devices controlled by the Nortel SNAS 4050 domain exchange public keys so that they can authenticate themselves to each other in future SSH communications.
To enable secure communication between the Nortel SNAS 4050 and the network access device, do the following:
1 Generate an SSH public key for the Nortel SNAS 4050 domain (see “Generating SSH keys for the domain using the CLI” on page 85), if necessary. Apply the change immediately.
If you created the domain manually, the SSH key was generated automatically (see “Manually creating a domain using the CLI” on page 121).
2 Export the Nortel SNAS 4050 public key to each network access device.
• For an Ethernet Routing Switch 8300: Use the /cfg/domain #/switch #/sshkey/export command to export the key directly to the switch (see “Managing SSH keys for Nortel SNA communication using the CLI” on page 88).
• For an Ethernet Routing Switch 5510, 5520, or 5530: Use the /cfg/domain #/sshkey/export command to upload the key to a TFTP server, for manual retrieval from the switch (see “Generating SSH keys for the domain using the CLI” on page 85). For information about downloading the key from the server to the switch, see Release Notes for Nortel Ethernet Routing Switch 5500 Series, Software Release 4.3 (217468-B).
Note: The SSH key for the Nortel SNAS 4050 domain is not the same as the SSH key generated during initial setup for all Nortel SNAS 4050 hosts in the cluster (see “Initial setup”, step 15 on page 57).
If you regenerate the key at any time, you must re-export the key to each network access device.
3 For each network access device, import its public key into the Nortel SNAS 4050 domain, if necessary (see “Managing SSH keys for Nortel SNA communication using the CLI” on page 88).
• For an Ethernet Routing Switch 8300, you can retrieve the key in two ways:
— Use the /cfg/domain #/switch #/sshkey/import command to import the key directly from the network access device.
— Use the /cfg/domain #/switch #/sshkey/add command to paste in the key.
• For an Ethernet Routing Switch 5510, 5520, or 5530:
— Use the /cfg/domain #/switch #/sshkey/import command to import the key directly from the network access device.
If the network access device was reachable when you added it to the domain configuration, the SSH key was automatically retrieved.
If the network access device defaults, it generates a new public key. You must reimport the key whenever the switch generates a new public key (see “Reimporting the network access device SSH key using the CLI” on page 89).
Generating SSH keys for the domain using the CLI
To generate, view, and export the public SSH key for the domain, use the following command:
/cfg/domain #/sshkey
The NSNAS SSH key menu displays.
Note: If you export the key after the network access device has been enabled, you may need to disable and re-enable the switch in order to activate the change.
Note: In general, enter Apply to apply the changes immediately after you execute any of the SSH commands.
The NSNAS SSH key menu includes the following options:
/cfg/domain #/sshkey
followed by:
generate
Generates an SSH public key for the domain. There can be only one key in effect for the Nortel SNAS 4050 domain at any one time. If a key already exists, you are prompted to confirm that you want to replace it.
Enter Apply to apply the change immediately and create the key.
show
Displays the SSH public key generated for the domain.
export
Exports the Nortel SNAS 4050 domain public key to a file exchange server. You are prompted to enter the following information:
• protocol — options are tftp|ftp|scp|sftp. The default is tftp.
Note: Use TFTP to export to an Ethernet Routing Switch 5500 Series switch. Ethernet Routing Switch 5500 Series switches do not support the other protocols.
• host name or IP address of the server
• file name of the key (file type .pub) you are exporting
• for FTP, SCP, and SFTP, user name and password to access the file exchange server
To export the key directly to an Ethernet Routing Switch 8300, use the /cfg/domain #/switch #/sshkey/export command (see “Managing SSH keys for Nortel SNA communication using the CLI” on page 88).
Figure 5 shows sample output for the /cfg/domain #/sshkey command.
Figure 5
Generating an SSH key for the domain
>> Main# /cfg/domain 1/sshkey
------------------------------------------------------------
[NSNAS SSH key Menu]
     generate - Generate new SSH key for the NSNAS domain
     show     - Show NSNAS domain public SSH key
>> NSNAS SSH key# generate
Key already exists, overwrite? (yes/no) [no]: yes
Generating new SSH key, this operation takes a few seconds... done.
Apply to activate.
>> NSNAS SSH key# apply
>> NSNAS SSH key# show
Type: DSA
Fingerprint: 4c:7c:b6:b4:47:5f:ae:6e:65:f1:b3:b1:7a:f0:59:d3
---- BEGIN SSH2 PUBLIC KEY ----
AAAAB3NzaC1kc3MAAACBANWNQJzGnZ7lqIUZw5VkjseaR0dcgPhx/CA6Zl
JPZlRkY/USzJmZLoXpWuhAiByMPJ/69BLWCHTQUI/+FqNPzEXnjBBKHSw0
smb3OKfCJMfv4OfF7YQyfQP6KiKjsdNdHYH1ErHqNe1G8q8KIKinlG35z3
Bc7Yi9BxK84suWm3jdAAAAFQDg5ohEvhYoDlYhal3zMkgq0+t33wAAAIBh
Sa+J/5SxwYfnE/ltdwlOgcMk4eomP03M4BsI8vylsvHt4THD3typTtqjWo
jQG0vDBt7a/4hcHQ55LTrC81/u/+ep5NVlTjxlmczCz6C1wOq4Ab1iiQub
gRRL7DnZSghjNAU8JqzcEbU7g0VKorlxwt/M9P17ZmBdhkgwsdgArAAAAI
BtMdI1Q5eNq/yRmRuvinEwVjbQNVaywDkQljLvY4wnHjj+OjWpxVyLvzHI
Qs3IRBSzTCXGOqmmTNYXeDkHANPGl5RkfyldEq4/pJpUIMPBEj/C4H34Eq
WTkZvCaHRG3HH6QsJj3Wreskh574t/ubybhmzDw5Ubl42AxUJbDMVbZg==
---- END SSH2 PUBLIC KEY ----
>> NSNAS SSH key# export
Select protocol (tftp/ftp/scp/sftp) [tftp]:
Enter hostname or IP address of server: localhost
Enter filename on server: key.pub
Trying to export NSNAS public key to tftp://localhost/key.pub
. sent 590 bytes
>> NSNAS SSH key#
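The export above sends key.pub over TFTP, which carries no integrity protection, so the practical check before installing the key on a switch is to compare the fingerprint of the file that arrived with the one the show command printed. The following Python is an added example, not code from the manual: it parses an SSH2 public key file in the layout shown and computes its fingerprint; the sample key is constructed, and the colon-separated hex fingerprint is assumed to be the classic MD5 of the key blob.

```python
import base64
import hashlib
import struct

# 'show' prints "Fingerprint: xx:xx:...": assumed here to be the MD5 of the key blob.
def _ssh_string(b: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(b)) + b

def _ssh_mpint(n: int) -> bytes:
    """SSH wire-format mpint; the spare byte keeps the value positive."""
    return _ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))

def build_sample_key_file(y: int = 0xABCDEF) -> str:
    """Constructed RFC 4716 (SSH2) public key file, laid out like the 'show' output.
    The DSA parameters are tiny fake values, not a real key."""
    blob = _ssh_string(b"ssh-dss") + b"".join(
        _ssh_mpint(n) for n in (0xC0FFEE, 0xBEEF, 0x1234, y))
    b64 = base64.b64encode(blob).decode()
    body = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return ("---- BEGIN SSH2 PUBLIC KEY ----\n" + body +
            "\n---- END SSH2 PUBLIC KEY ----\n")

def parse_ssh2_pubkey(text: str) -> bytes:
    """Decode the key blob from an SSH2 public key file; RFC 4716 header
    lines (they contain ':') are skipped, base64 lines are concatenated."""
    inside, b64 = False, []
    for line in text.splitlines():
        if line.startswith("---- BEGIN SSH2 PUBLIC KEY ----"):
            inside = True
        elif line.startswith("---- END SSH2 PUBLIC KEY ----"):
            break
        elif inside and ":" not in line:
            b64.append(line.strip())
    if not b64:
        raise ValueError("no SSH2 public key block found")
    return base64.b64decode("".join(b64))

def key_type(blob: bytes) -> str:
    """First wire-format string of the blob: 'ssh-dss' for the DSA key shown."""
    (n,) = struct.unpack(">I", blob[:4])
    return blob[4:4 + n].decode()

def md5_fingerprint(blob: bytes) -> str:
    return ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())

def fingerprint_matches(key_file_text: str, shown_fingerprint: str) -> bool:
    """True when the fetched key.pub hashes to the fingerprint 'show' printed."""
    blob = parse_ssh2_pubkey(key_file_text)
    return md5_fingerprint(blob) == shown_fingerprint.strip().lower()
```

Read the fetched key.pub into a string and call fingerprint_matches with the Fingerprint line from the show output; a mismatch means the file on the server is not the key the domain generated.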
Managing SSH keys for Nortel SNA communication using the CLI
To retrieve the public key for the network access device and export the public key for the domain, use the following command:
/cfg/domain #/switch #/sshkey
The SSH Key menu displays.
The SSH Key menu includes the following options:
/cfg/domain #/switch #/sshkey
followed by:
import
Retrieves the SSH public key from the network access device, if it is reachable.
add
Allows you to paste in the contents of a key file you have downloaded from the Ethernet Routing Switch 8300 network access device. When prompted, paste in the key, then press Enter. Enter an ellipsis (...) to signal the end of the key.
del
Deletes the SSH public key for the network access device in the domain.
show
Displays the SSH public key for the network access device.
export
Exports the SSH public key for the Nortel SNAS 4050 domain to the network access device.
Note: You cannot use this command to export the key to an Ethernet Routing Switch 5500 series switch. Instead, use the /cfg/domain #/sshkey/export command to upload the key to a file exchange server.
user <user>
Specifies the user name for the network access device (required for Ethernet Routing Switch 8300 only). user is the user name of an administrative user (rwa) on the switch.
Reimporting the network access device SSH key using the CLI
Whenever the network access device generates a new public SSH key, you must import the new key into the Nortel SNAS 4050 domain.
1 Use the /cfg/domain #/switch #/sshkey/del command to delete the original key.
2 Enter Apply to apply the change immediately.
3 Use the /cfg/domain #/switch #/sshkey/import command to import the new key.
4 Enter Apply to apply the change immediately.
For more information about the commands, see “Managing SSH keys for Nortel SNA communication using the CLI” on page 88.
Monitoring switch health using the CLI
The Nortel SNAS 4050 continually monitors the health of the network access devices. At specified intervals, a health check daemon sends queries and responses to the switch as a heartbeat mechanism. If no activity (heartbeat) is detected, the daemon will retry the health check for a specified number of times (the dead count). If there is still no heartbeat, then after a further interval (the status-quo interval) the network access device moves all its clients into the Red VLAN. When connectivity is re-established, the Nortel SNAS 4050 synchronizes sessions with the network access device.
The health check interval, dead count, and status-quo interval are configurable.
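The following Python is an added example, not code from the manual: it models the heartbeat timing described above by parsing the interval syntax the hlthchk menu accepts, rejecting values outside the documented ranges, and computing the worst-case time during which a switch that has lost contact with the Nortel SNAS 4050 keeps its clients in their current VLANs before moving them into the Red VLAN. The retry spacing is assumed to equal the check interval, which the manual does not state.

```python
import re

# Documented limits for the /cfg/domain #/switch #/hlthchk parameters.
RANGES = {
    "interval": (60, 64800),   # 60s (1m) to 64800s (18h), default 1m
    "sq-int": (0, 64800),      # 0 to 64800s (18h), default 1m
    "deadcnt": (1, 65535),     # number of retries, default 3
}
UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600}

def parse_interval(value: str) -> int:
    """Parse the CLI interval syntax ('60s', '1m', '18h') into seconds.
    A bare integer is taken as seconds (an assumption; the manual shows suffixes)."""
    m = re.fullmatch(r"\s*(\d+)\s*([smh]?)\s*", value)
    if not m:
        raise ValueError(f"bad interval syntax: {value!r}")
    return int(m.group(1)) * UNIT_SECONDS[m.group(2) or "s"]

def check_range(name: str, value: int) -> int:
    """Reject values the CLI would not accept, so a misconfiguration is caught
    before it silently shortens or lengthens the failover window."""
    lo, hi = RANGES[name]
    if not lo <= value <= hi:
        raise ValueError(f"{name}={value} outside {lo}..{hi}")
    return value

def seconds_until_red_vlan(interval: str = "1m", deadcnt: int = 3,
                           sq_int: str = "1m") -> int:
    """Worst-case seconds from the last good heartbeat until the switch moves
    its clients into the Red VLAN: one missed check, deadcnt retries, then the
    status-quo interval. Assumes retries are spaced by the same interval; the
    manual does not state the retry spacing."""
    i = check_range("interval", parse_interval(interval))
    d = check_range("deadcnt", int(deadcnt))
    s = check_range("sq-int", parse_interval(sq_int))
    return i * (1 + d) + s
```

With the defaults (1m, 3, 1m) the window is 300 seconds; lengthening sq-int trades a longer exposure for fewer spurious moves to the Red VLAN during brief outages.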
To configure the interval and dead count parameters for the Nortel SNAS 4050 health checks and status-quo mode, use the following command:
/cfg/domain #/switch #/hlthchk
The HealthCheck menu displays.
The HealthCheck menu includes the following options:
/cfg/domain #/switch #/hlthchk
followed by:
interval <interval>
Sets the time interval between checks for switch activity.
interval is an integer that indicates the time interval in seconds (s), minutes (m), or hours (h).
The valid range is 60s (1m) to 64800s (18h). The default is 1m (1 minute).
deadcnt <count>
Specifies the number of times the Nortel SNAS 4050 will repeat the check for switch activity when no heartbeat is detected.
count is an integer in the range 1–65535 that indicates the number of retries. The default is 3.
If no heartbeat is detected after the specified number of retries, the Nortel SNAS 4050 enters status-quo mode.
sq-int <interval>
Sets the time interval for status-quo mode, after which the network access device moves all clients into the Red VLAN.
interval is an integer that indicates the time interval in seconds (s), minutes (m), or hours (h).
The valid range is 0 to 64800s (18h). The default is 1m (1 minute).
Controlling communication with the network access devices using the CLI
To stop communication between the Nortel SNAS 4050 and a network access device, use the following command:
/cfg/domain #/switch #/dis
Enter apply to apply the change immediately.
Note: If the switch is not going to be used in the Nortel SNA network, Nortel recommends deleting the switch from the Nortel SNAS 4050 domain, rather than just disabling it.
To restart communication between the Nortel SNAS 4050 and a network access device, use the following command:
/cfg/domain #/switch #/ena
Enter apply to apply the change immediately.
Managing network access devices using the SREM
The Nortel SNAS 4050 starts communicating with the network access device as soon as you enable the switch on the Nortel SNAS 4050.
You cannot configure the VLAN mappings for a network access device in the Nortel SNAS 4050 domain if the switch is enabled. When you add a network access device to the domain, it is disabled by default. Do not enable the network access device until you have completed the configuration. For information about enabling and disabling the network access device, see “Controlling communication with the network access devices using the SREM” on page 115.
Adding a network access device using the SREM
To add a network access device, use the following steps:
1 Select the Secure Access Domain > domain > Switches > Switches tab.
The Switches screen appears (see “Switch Configuration screen” on page 116).
Note: Remember to enable the network access device after completing the configuration, or it will not be active.
2 Click Add.
The Add a Switch dialog box appears (see Figure 6).
Figure 6
Add a Switch
3 Enter the network access device information in the applicable fields. Table 3 describes the Add a Switch fields.
Table 3
Add a Switch fields
Field Description
Index: Specifies an integer that uniquely identifies the network access device in the Nortel SNAS 4050 domain.
Name: Specifies a string that identifies the switch on the Nortel SNAS 4050. The maximum length of the string is 255 characters. After you have defined a name for the switch, you can use either the switch name or the switch ID to access the network access device.
Type: Specifies the type of network access device. The options are ERS8300 and ERS5500.
IP Address: Specifies the network access device IP address.
Red VLAN ID: Specifies the VLAN ID of the Red VLAN configured on the network access device.
4 Click Apply.
The network access device appears in the list of Switches.
5 Click Commit on the toolbar to save the changes permanently.
Deleting a network access device using the SREM
To remove an existing network access device from the domain configuration, you must first disable it (see “Managing network access devices using the SREM” on page 91). Once the network access device is disabled, complete the following steps:
1 Select the Secure Access Domain > domain > Switches > switch > Configuration tab.
The network access device Configuration screen appears (see Figure 16 on page 116).
2 Select the network access device from the Switches list.
3 Click Delete.
A dialog box appears to confirm that you want to delete this network access device.
4 Click Yes.
The network access device disappears from the Switches list.
5 Click Commit on the toolbar to save the changes permanently.
Configuring the network access devices using the SREM
When you first add a network access device to the Nortel SNAS 4050 domain, the switch is disabled by default. Do not enable the switch until you have completed configuring it. In particular, do not enable the switch until you have mapped the VLANs (see “Mapping the VLANs using the SREM” on page 96) and exchanged the necessary SSH keys (see “Managing SSH keys using the SREM” on page 102).
To reconfigure the VLAN mappings for an existing network access device, you must first disable it (see “Controlling communication with the network access devices using the SREM” on page 115). Once the network access device is disabled, complete the following steps:
1 Select the Secure Access Domain > domain > Switches > switch > Configuration tab.
The Switch Configuration screen appears (see Figure 7).
Figure 7
Switch Configuration screen
2 Enter the network access device information in the applicable fields. Table 4 describes the Switch Configuration fields.
3 Click Apply on the toolbar to send the current changes to the Nortel SNAS 4050. Click Commit on the toolbar to save the changes permanently.
Table 4
Switch Configuration fields
Field Description
Index: An integer that uniquely identifies the network access device in the Nortel SNAS 4050 domain.
Name: Names or renames the switch. After you have defined a name for the switch, you can use either the switch name or the switch ID to access the network access device. Accepts a string that must be unique in the domain. The maximum length of the string is 255 characters.
IP Address: Specifies the IP address of the switch.
NSNA Communication Port: Specifies the TCP port for communication between the Nortel SNAS 4050 and the network access device. The default value is 5000.
Type: Specifies the type of network access device. Valid options are:
ERS8300 — an Ethernet Routing Switch 8300
ERS5500 — an Ethernet Routing Switch 5510, 5520, or 5530
Red VLAN ID: Identifies the Red VLAN ID for the network access device, as configured on the switch.
Enable Switch: Enables or disables the switch. As soon as you enable the switch, the Nortel SNAS 4050 begins communicating with the switch and controlling its Nortel SNA clients.
User Name on Switch: The name of an administrative user (rwa) on the network access device (required for Ethernet Routing Switch 8300 only).
Reset Switch Ports: Resets all the Nortel SNA-enabled ports on the switch. Clients connected to the ports are moved into the Red VLAN.
Mapping the VLANs using the SREM
The VLANs are configured on the network access devices. You specify the Red VLAN for each network access device when you add the switch (see “Adding a network access device using the SREM” on page 91). After adding the switch, you must identify the Yellow and Green VLANs to the Nortel SNAS 4050.
You can perform the VLAN mapping in two ways:
for all switches in a domain (see “Mapping VLANs by domain” on page 97)
switch by switch (see “Mapping VLANs by switch” on page 100)
Nortel recommends mapping the VLANs by domain. In this way, if you later add switches which use the same VLAN IDs, their VLAN mappings will automatically be picked up.
If you map the VLANs by domain, you can modify the mapping for a particular network access device at the switch level. Switch-level settings override domain settings.
The Nortel SNAS 4050 maintains separate maps for the domain and the switch. If you add a domain-level VLAN, then you must use the domain-level command for all future management of that mapping. Similarly, if you add a switch-level VLAN, then you must use the switch-level command for all future management of that mapping.
Mapping VLANs by domain
To map VLANs in a domain, select the Secure Access Domain > domain > VLANs tab.
The domain VLANs screen appears (see Figure 8), listing all current VLANs applied to the domain.
Figure 8
Domain VLANs screen
This screen allows you to manage VLANs on the domain by adding or deleting entries to the VLAN Table. For detailed steps on adding or removing VLANs, see:
“Adding VLANs to a domain” on page 98
“Removing VLANs from a domain” on page 99
Adding VLANs to a domain
To add VLANs to a domain, complete the following steps:
1 Select the Secure Access Domain > domain > VLANs tab.
The domain VLANs screen appears (see Figure 8 on page 97).
2 Click Add.
The Add a new VLAN dialog box appears (see Figure 6).
Figure 9
Add a new VLAN
3 Enter the VLAN information in the applicable fields. Table 5 describes the Add a new VLAN fields.
4 Click Add.
The new VLAN appears in the VLAN Table.
5 Repeat this step for each Green and Yellow VLAN configured on the domain.
6 Click Apply on the toolbar to send the current changes to the Nortel
SNAS 4050. Click Commit on the toolbar to save the changes permanently.
Table 5
Add a new VLAN fields
Field Description
Name The name of the VLAN, as configured on the domain.
ID The ID of the VLAN, as configured on the domain.
Removing VLANs from a domain
To remove existing VLANs from the domain, complete the following steps:
1 Select the Secure Access Domain > domain > VLANs tab.
The domain VLANs screen appears (see Figure 8).
2 Select a VLAN entry from the VLAN Table.
3 Click Delete.
A dialog box appears to confirm that you want to delete this VLAN.
4 Click Yes.
The VLAN disappears from the VLAN Table.
5 Click Apply on the toolbar to send the current changes to the Nortel
SNAS 4050. Click Commit on the toolbar to save the changes permanently.
Mapping VLANs by switch
To map VLANs by switch, you must first disable the network access device (see “Managing network access devices using the SREM” on page 91). Once the network access device is disabled, select the Secure Access Domain > domain > Switches > switch > VLANs tab.
The switch VLANs screen appears (see Figure 10), listing all current VLANs applied to the switch.
Figure 10
Switch VLANs screen
This screen allows you to manage VLANs on the switch by adding or deleting entries in the VLAN Table. For detailed steps on adding or removing switch VLANs, see:
“Adding VLANs to a switch” on page 101