Nortel Networks 450, 325, 4500, 425, 5500 User Manual

Nortel Secure Network Access Switch

Using the Command Line Interface

Release: 2.0 Document Revision: 03.01

www.nortel.com

NN47230-100

320818-D

Nortel Secure Network Access Switch Release: 2.0 Publication: NN47230-100 Document status: Standard Document release date: 28 July 2008

Sourced in Canada, the United States of America, and India

LEGAL NOTICE

While the information in this document is believed to be accurate and reliable, except as otherwise expressly agreed to in writing NORTEL PROVIDES THIS DOCUMENT "AS IS "WITHOUT WARRANTY OR CONDITION OF ANY KIND, EITHER EXPRESS OR IMPLIED. The information and/or products described in this document are subject to change without notice.

Nortel, the Nortel logo, and the Globemark are trademarks of Nortel Networks.

All other trademarks are the property of their respective owners.

Contents

Software license 11 New in this release 15

Features 15 Other changes 16

Introduction 17

Before you begin 18 Text conventions 18 Related information 20

How to get help 21

Overview 23

The Nortel SNAS 24

Nortel SNAS configuration and management tools 36 Nortel SNAS configuration roadmap 37

Publications 20 Online 21

Elements of the Nortel SNAS 25 Supported users 25 Supporting additional users with the software license file 26 Role of the Nortel SNAS 27 Nortel SNAS clusters 35 Interface configuration 35

Initial setup 41

Before you begin 41

About the IP addresses 42

Initial setup 43

Setting up a single Nortel SNAS device or the first in a cluster 43

Adding a Nortel SNAS device to a cluster 50 Next steps 54 Applying and saving the configuration 55

Managing the network access devices 57

Before you begin 57

Nortel Secure Network Access Switch

Using the Command Line Interface

NN47230-100 03.01 Standard

28 July 2008

Managing network access devices 58

Roadmap of domain switch commands 58

Adding a network access devices 60

Deleting a network access devices 64

Configuring the network access devices 64

Mapping the VLANs 66

Managing SSH keys 68

Monitoring switch health 73

Controlling communication with the network access devices 74 Configuring SSCPLite 74 Configuring SNMP Profiles 75 Configuring SNMP Versions 76 Configuring SSCPLite Community 77 Configuring SNMP Templates 77

Configuring the domain 79

Roadmap of domain commands 81

Creating a domain 83

Deleting a domain 89

Configuring domain parameters 89

Configuring the Nortel Health Agent check 92

Configuring the SSL server 97

Configuring HTTP redirect 107

Browser-Based Management Configuration 108

Browser-Based Management Configuration with SSL 108

Configuring advanced settings 109

Configuring RADIUS accounting 110

Configuring local DHCP services 115

Creation of the location 123

Configuring Lumension PatchLink integration 124

Configuration of the RADIUS server 127

Overview of RADIUS server 127

802.1x functionality 127 Roadmap of RADIUS server configuration commands 128 Configuration of the RADIUS server 129 Configuration of the client 130 Configuration of the realms 131 Configuration of the dictionary 133 Configuration of the RADIUS accounting 134 Configuration of the RADIUS authentication methods 134 Configuration of the EAP authentication methods 136 Select the server certificate 137 Select the CA certificate 138

Nortel Secure Network Access Switch

Using the Command Line Interface

NN47230-100 03.01 Standard

28 July 2008

Configuration of Microsoft NAP Interoperability 139

Roadmap of NAP configuration commands 139 Configuration of NAP Interoperability 140

Probation Settings 141 Remote Network Policy Servers 142 System Health Validators 143 Configuration of Windows System Health Validator 144

Configuring groups and profiles 149

Overview 149

Groups 150 Linksets 151 SRS rule 151

Extended profiles 151 Before you begin 152 Configuring groups and extended profiles 153

Roadmap of group and profile commands 153

Configuring groups 156

Configuring client filters 162

Configuring extended profiles 164

Creating RADIUS attributes to a group 166

Mapping linksets to a group or profile 167

Creating a default group 169

Configuring authentication 171

Overview 171 Before you begin 172 Configuring authentication 174

Roadmap of authentication commands 174

Configuring authentication methods 177

Configuring advanced settings 179

Configuring RADIUS authentication 180

Configuring LDAP authentication 187

Configuring local database authentication 200

Specifying authentication fallback order 209

Managing system users and groups 211

User rights and group membership 211 Managing system users and groups 212

Roadmap of system user management commands 212

Managing user accounts and passwords 213

Managing user settings 216

Managing user groups 217

CLI configuration examples 218

Nortel Secure Network Access Switch

Using the Command Line Interface

NN47230-100 03.01 Standard

28 July 2008

Customizing the portal and user logon 227

Overview 227

Captive portal and Exclude List 228

Portal display 230

Managing the end user experience 237 Customizing the portal and logon 238

Roadmap of portal and logon configuration commands 238

Configuring the captive portal 240

Configuring the Exclude List 240

Changing the portal language 241

Configuring the portal display 244

Changing the portal colors 249

Configuring custom content 250

Configuring linksets 251

Configuring links 253

Configuring system settings 257

Configuring the cluster 257

Roadmap of system commands 258

Configuring system settings 262

Configuring the Nortel SNAS host 264

Configuring host interfaces 268

Configuring static routes 270

Configuring host ports 271

Managing interface ports 272

Configuring the Access List 273

Configuring date and time settings 274

Configuring DNS servers and settings 276

Configuring RSA servers 279

Configuring syslog servers 279

Configuring administrative settings 281

Enabling TunnelGuard SRS administration 284

Configuring Nortel SNAS host SSH keys 284

Configuring RADIUS auditing 286

Configuring authentication of system users 290

Configuration of auto blacklisting 293

Configuration of harden password 295

Managing certificates 297

Overview 297

Key and certificate formats 298

Creating certificates 299

Installing certificates and keys 299

Saving or exporting certificates and keys 300

Nortel Secure Network Access Switch

Using the Command Line Interface

NN47230-100 03.01 Standard

28 July 2008

Updating certificates 300 Managing private keys and certificates 301

Roadmap of certificate management commands 301

Managing and viewing certificates and keys 302

Generating and submitting a CSR 305

Adding a certificate to the Nortel SNAS 310

Adding a private key to the Nortel SNAS 312

Importing certificates and keys into the Nortel SNAS 314

Displaying or saving a certificate and key 316

Exporting a certificate and key from the Nortel SNAS 318

Generating a test certificate 320

Configuring SNMP 323

Configuring SNMP 324

Roadmap of SNMP commands 324

Configuring SNMP settings 325

Configuring the SNMP v2 MIB 326

Configuring the SNMP community 327

Configuring SNMPv3 users 328

Configuring SNMP notification targets 331

Configuring SNMP events 332

Viewing system information and performance statistics 337

Roadmap of information and statistics commands 337

Viewing system information 339

Viewing alarm events 344

Viewing log files 345

Viewing AAA statistics 346

Viewing all statistics 348

Kicking by username or address 349

Nortel SNAS TPS Interface 349

Maintaining and managing the system 351

Managing and maintaining the system 352

Roadmap of maintenance and boot commands 352

Performing maintenance 353

Backing up or restoring the configuration 356

Configuring the Nortel SNAS scheduler 359

Managing Nortel SNAS devices 361

Managing software for a Nortel SNAS device 363

Upgrading or reinstalling the software 367

Upgrading the Nortel SNAS 367

Performing minor and major release upgrades 368

Activating the software upgrade package 369

Nortel Secure Network Access Switch

Using the Command Line Interface

NN47230-100 03.01 Standard

28 July 2008

Reinstalling the software 372

Before you begin 372

Reinstalling the software from an external file server 373

Reinstalling the software from a CD 375

The Command Line Interface 377

Connecting to the Nortel SNAS 378

Establishing a console connection 378

Establishing a Telnet connection 379

Establishing a connection using SSH 380 Accessing the Nortel SNAS cluster 381 CLI Main Menu or Setup 383 Command line history and editing 383 Idle timeout 383

Configuration example 385

Scenario 385 Steps 387

Configure the network DNS server 388

Configure the network DHCP server 388

Configure the network core router 392

Configure the Ethernet Routing Switch 8300 393

Configure the Ethernet Routing Switch 5510 395

Configure the Nortel SNAS 397

Troubleshooting 403

Troubleshooting tips 403

Cannot connect to the Nortel SNAS using Telnet or SSH 403

Cannot add the Nortel SNAS to a cluster 405

Cannot contact the MIP 406

The Nortel SNAS stops responding 407

A user password is lost 408

A user fails to connect to the Nortel SNAS domain 409 Trace tools 409 System diagnostics 410

Installed certificates 410

Network diagnostics 410

Active alarms and the events log file 412

Error log files 412 Using the CLI 413

Global commands 414

Command line history and editing 416

CLI shortcuts 417

Using slashes and spaces in commands 419

IP address and network mask formats 420

Nortel Secure Network Access Switch

Using the Command Line Interface

NN47230-100 03.01 Standard

28 July 2008

Variables 420 CLI Main Menu 421 CLI command reference 422

Information menu 422

Statistics menu 423

Configuration menu 424

Boot menu 448

Maintenance menu 449 Syslog messages by message type 451

Operating system (OS) messages 452

System Control Process messages 453

Traffic Processing Subsystem messages 457

Start-up messages 461

AAA subsystem messages 461

NSNAS subsystem messages 463 Syslog messages in alphabetical order 465 Supported MIBs 477 Supported traps 481

485

Install All Administrative Tools (Windows 2000 Server) 485

Add the Active Directory Schema Snap-in (Windows 2000 Server and Windows

Server 2003) 486 Permit write operations to the schema (Windows 2000 Server) 488 Create a new attribute(Windows 2000 Server and Windows Server 2003) 489 Create the new class 489

Configuring IP Phone auto-configuration 494

Creating the DHCP options 494 Configuring the Call Server Information and VLAN Information options 497 Setting up the IP Phone 500

Configuring the logon script 501 Creating a logon script 502

Creating the script as a batch file 502 Creating the script as a VBScript file 503

Assigning the logon script 503

Nortel Secure Network Access Switch

Using the Command Line Interface

NN47230-100 03.01 Standard

28 July 2008

Nortel Secure Network Access Switch

Using the Command Line Interface

NN47230-100 03.01 Standard

28 July 2008

Software license

This section contains the Nortel Networks software license.

Nortel Networks software license agreement

This Software License Agreement ("License Agreement") is between you, the end-user ("Customer") and Nortel Networks Corporation and its subsidiaries and affiliates ("Nortel Networks"). PLEASE READ THE FOLLOWING CAREFULLY. YOU MUST ACCEPT THESE LICENSE TERMS IN ORDER TO DOWNLOAD AND/OR USE THE SOFTWARE. USE OF THE SOFTWARE CONSTITUTES YOUR ACCEPTANCE OF THIS LICENSE AGREEMENT. If you do not accept these terms and conditions, return the Software, unused and in the original shipping container, within 30 days of purchase to obtain a credit for the full purchase price.

"Software" is owned or licensed by Nortel Networks, its parent or one of its subsidiaries or affiliates, and is copyrighted and licensed, not sold. Software consists of machine-readable instructions, its components, data, audio-visual content (such as images, text, recordings or pictures) and related licensed materials including all whole or partial copies. Nortel Networks grants you a license to use the Software only in the country where you acquired the Software. You obtain no rights other than those granted to you under this License Agreement. You are responsible for the selection of the Software and for the installation of, use of, and results obtained from the Software.

1. Licensed Use of Software. Nortel Networks grants Customer a

nonexclusive license to use a copy of the Software on only one machine at any one time or to the extent of the activation or authorized usage level, whichever is applicable. To the extent Software is furnished for use with designated hardware or Customer furnished equipment ("CFE"), Customer is granted a nonexclusive license to use Software only on such hardware or CFE, as applicable. Software contains trade secrets and Customer agrees to treat Software as confidential information using the same care and discretion Customer uses with its own similar information that it does not wish to disclose, publish or disseminate. Customer will ensure that anyone who

Nortel Secure Network Access Switch

Using the Command Line Interface

NN47230-100 03.01 Standard

28 July 2008

12 Software license

2. Warranty. Except as may be otherwise expressly agreed to in

uses the Software does so only in compliance with the terms of this Agreement. Customer shall not a) use, copy, modify, transfer or distribute the Software except as expressly authorized; b) reverse assemble, reverse compile, reverse engineer or otherwise translate the Software; c) create derivative works or modifications unless expressly authorized; or d) sublicense, rent or lease the Software. Licensors of intellectual property to Nortel Networks are beneficiaries of this provision. Upon termination or breach of the license by Customer or in the event designated hardware or CFE is no longer in use, Customer will promptly return the Software to Nortel Networks or certify its destruction. Nortel Networks may audit by remote polling or other reasonable means to determine Customer’s Software activation or usage levels. If suppliers of third party software included in Software require Nortel Networks to include additional or different terms, Customer agrees to abide by such terms provided by Nortel Networks with respect to such third party software.

writing between Nortel Networks and Customer, Software is provided "AS IS" without any warranties (conditions) of any kind. NORTEL NETWORKS DISCLAIMS ALL WARRANTIES (CONDITIONS) FOR THE SOFTWARE, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE AND ANY WARRANTY OF NON-INFRINGEMENT. Nortel Networks is not obligated to provide support of any kind for the Software. Some jurisdictions do not allow exclusion of implied warranties, and, in such event, the above exclusions may not apply.

Limitation of Remedies. IN NO EVENT SHALL NORTEL NETWORKS OR ITS AGENTS OR SUPPLIERS BE LIABLE FOR ANY OF THE FOLLOWING: a) DAMAGES BASED ON ANY THIRD PARTY CLAIM; b) LOSS OF, OR DAMAGE TO, CUSTOMER’S RECORDS, FILES OR DATA; OR c) DIRECT, INDIRECT, SPECIAL, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES (INCLUDING LOST PROFITS OR SAVINGS), WHETHER IN CONTRACT, TORT OR OTHERWISE (INCLUDING NEGLIGENCE) ARISING OUT OF YOUR USE OF THE SOFTWARE, EVEN IF NORTEL NETWORKS, ITS AGENTS OR SUPPLIERS HAVE BEEN ADVISED OF THEIR POSSIBILITY. The foregoing limitations of remedies also apply to any developer and/or supplier of the Software. Such developer and/or supplier is an intended beneficiary of this Section. Some jurisdictions do not allow these limitations or exclusions and, in such event, they may not apply.

4. General

Nortel Secure Network Access Switch

Using the Command Line Interface

NN47230-100 03.01 Standard

28 July 2008

Nortel Networks software license agreement 13

a. If Customer is the United States Government, the following

paragraph shall apply: All Nortel Networks Software available

under this License Agreement is commercial computer software

and commercial computer software documentation and, in the

event Software is licensed for or on behalf of the United States

Government, the respective rights to the software and software

documentation are governed by Nortel Networks standard

commercial license in accordance with U.S. Federal Regulations

at 48 C.F.R. Sections 12.212 (for non-DoD entities) and 48 C.F.R.

227.7202 (for DoD entities).

b. Customer may terminate the license at any time. Nortel Networks

may terminate the license if Customer fails to comply with the terms

and conditions of this license. In either event, upon termination,

Customer must either return the Software to Nortel Networks or

certify its destruction.

c. Customer is responsible for payment of any taxes, including

personal property taxes, resulting from Customer’s use of the

Software. Customer agrees to comply with all applicable laws

including all applicable export and import laws and regulations.

Neither party may bring an action, regardless of form, more than

two years after the cause of the action arose.

The terms and conditions of this License Agreement form the

complete and exclusive agreement between Customer and Nortel

Networks.

This License Agreement is governed by the laws of the country in

which Customer acquires the Software. If the Software is acquired

in the United States, then this License Agreement is governed by

the laws of the state of New York.

Nortel Secure Network Access Switch

Using the Command Line Interface

NN47230-100 03.01 Standard

28 July 2008

14 Software license

Nortel Secure Network Access Switch

Using the Command Line Interface

NN47230-100 03.01 Standard

28 July 2008

New in this release

The following sections detail what’s new in Nortel Secure Network Access Using the Command Line Interface, (NN47230-100) for Release 2.0.

•

“Features” (page 15)

•

“Other changes” (page 16)

Features

This is the second standard release of the document. See the following sections for information, which are added in this Release.

•

“Configuring SSCPLite” (page 74)

•

“Configuring SNMP Profiles” (page 75)

• “Creation of the location” (page 123)

•

“Configuring Lumension PatchLink integration ” (page 124)

•

“Creation of the location” (page 123)

•

“Configuration of the RADIUS server” (page 127)

• “Configuration of Microsoft NAP Interoperability” (page 139)

•

“Configuration of auto blacklisting” (page 293)

•

“Configuration of harden password” (page 295)

•

“Kicking by username or address” (page 349)

• “Nortel SNAS TPS Interface” (page 349)

• “Self service portal” (page 233)

• “Configuring the Nortel SNAS scheduler” (page 359)

On-the-fly SRS Policy Change—When a security policy is modified on the SNAS using the administrative tool the policy is updated on the Nortel Health Agent running on the logged in operating systems. For more information, See the “Configuring the Nortel Health Agent check” (page

92).

Nortel Secure Network Access Switch

Using the Command Line Interface

NN47230-100 03.01 Standard

28 July 2008

16 New in this release

Multi-OS Applet Support—The Nortel Health captive portal applet

supports Windows and non-Windows operating systems. For non-Windows operating systems the applet supports collecting operating systems information and VLAN transition. for more information, see the

“Multi-OS Applet Support” (page 32).

Other changes

No changes.

Nortel Secure Network Access Switch

Using the Command Line Interface

NN47230-100 03.01 Standard

28 July 2008

Introduction

Nortel* Secure Network Access (Nortel SNAS ) is a clientless solution that provides seamless, secure access to the corporate network from inside or outside that network. The Nortel SNAS combines multiple hardware devices and software components to support the following features:

•

partitions the network resources into access zones (authentication, remediation, and full access)

•

provides continual device integrity checking using Nortel Health Agent

•

supports both dynamic and static IP clients

The Nortel Secure Network Access Switch 4050or 4070 (Nortel SNAS 4050 or 4070) controls operation of the Nortel SNAS.

This user guide covers the process of implementing the Nortel SNAS using the Nortel SNAS 4050 or 4070 for Nortel Secure Network Access Switch Software Release 2.0. The document includes the following information:

•

overview of the role of the Nortel SNAS 4050 or 4070 in the Nortel SNAS

•

initial setup

•

configuring authentication, authorization, and accounting (AAA) features

•

managing system users

• customizing the portal

• upgrading the software

• logging and monitoring

• troubleshooting installation and operation

The document provides instructions for initializing and customizing the features using the Command Line Interface (CLI). To learn the basic structure and operation of the Nortel SNAS CLI, refer to “CLI reference”

(page 413). This reference guide provides links to where the function

Nortel Secure Network Access Switch

Using the Command Line Interface

NN47230-100 03.01 Standard

28 July 2008

18 Introduction

and syntax of each CLI command are described in the document. For information on accessing the CLI, see “The Command Line Interface”

(page 377).

BBI is a graphical user interface (GUI) that runs in an online, interactive mode. BBI allows the management of multiple devices (for example, the Nortel SNAS) from one application. For information about using BBI to configure and manage Nortel SNAS, see Switch Configuration — Using the BBI, (NN47230-500).

Before you begin

This guide is intended for network administrators who have the following background:

•

basic knowledge of networks, Ethernet bridging, and IP routing

• familiarity with networking concepts and terminology

•

experience with windowing systems or GUIs

•

basic knowledge of network topologies

Nortel Secure Network Access

Before using this guide, you must complete the following procedures. For a new switch:

Step Action 1 Install the switch.

2 Connect the switch to the network.

Ensure that you are running the latest version of Nortel SNAS software. For information about upgrading the Nortel SNAS, see “Upgrading or

reinstalling the software” (page 367).

Text conventions

This guide uses the following text conventions:

For installation instructions, see Nortel Secure Network Access Switch 4050 Installation Guide , (NN47230-300).

For more information, see “The Command Line Interface” (page

377).

--End--

Nortel Secure Network Access Switch

Using the Command Line Interface

NN47230-100 03.01 Standard

28 July 2008

Text conventions 19

angle brackets (< >)

Enter text based on the description inside the brackets. Do not type the brackets when entering the command.

Example: If the command syntax is

ping <ip_address>, you enter

ping 192.32.10.12

bold text Objects such as window names, dialog box names,

and icons, as well as user interface objects such as buttons, tabs, and menu items.

bold Courier text

Command names, options, and text that you must enter.

Example: Use the dinfo command.

Example: Enter show ip {alerts|routes}.

braces ({})

Required elements in syntax descriptions where there is more than one option. You must choose only one of the options. Do not type the braces when entering the command.

Example: If the command syntax is show ip {alerts|routes}, you must enter either show ip alerts or show ip routes, but not both.

brackets ([ ])

ellipsis points (. . . )

Optional elements in syntax descriptions. Do not type the brackets when entering the command.

Example: If the command syntax is show ip interfaces [-alerts], you can enter either show ip interfaces or show ip interfaces -alerts.

Repeat the last element of the command as needed.

Example: If the command syntax is ethernet/2/1 [ <parameter> <value> ]..., you enter ethernet/2/1 and as many parameter-value pairs as needed.

Nortel Secure Network Access Switch

Using the Command Line Interface

NN47230-100 03.01 Standard

28 July 2008

20 Introduction

italic text

plain Courier text

separator ( > )

vertical line ( | ) Options for command keywords and arguments.

Variables in command syntax descriptions. Also indicates new terms and book titles. Where a variable is two or more words, the words are connected by an underscore.

Example: If the command syntax is

show at <valid_route>, valid_route is one variable and you substitute

one value for it. Command syntax and system output, for example,

prompts and system messages.

Example: Set Trap Monitor Filters Menu paths.

Example: Protocols > IP identifies the IP command on the Protocols menu.

Enter only one of the options. Do not type the vertical line when entering the command.

Example: If the command syntax is

show ip {alerts|routes}, you enter either show ip alerts or show ip routes, but not

both.

Related information

This section lists information sources that relate to this document.

Publications

Refer to the following publications for information on the Nortel SNAS:

• Nortel Secure Network Access Solution Guide, (NN47230-200)

•

Nortel Secure Network Access Switch 4050 Installation Guide , (NN47230-300).

• Nortel Secure Network Access Switch 4050 User Guide for the CLI

(NN47230-100),

• Installing and Using the Security,

• Release Notes for Nortel Ethernet Routing Switch 5500 Series,

Software Release 5.0.1,

• Release Notes for the Ethernet Routing Switch 8300, Software

Release 2.2.8 ,

Nortel Secure Network Access Switch

Using the Command Line Interface

NN47230-100 03.01 Standard

28 July 2008

Online

How to get help 21

• Release Notes for the Nortel Secure Network Access Solution,

Software Release 1.6.1 (NN47230-400),

• Release Notes for Enterprise Switch Manager (ESM), Software

Release 5.2 (209960-H),

• Using Enterprise Switch Manager Release 5.1 (208963-F),

• Nortel Secure Network Access Switch Configuration — Using the BBI,

(NN47230-500).

To access Nortel technical documentation online, go to the Nortel web site:

ttp://www.nortel.com/support

You can download current versions of technical documentation. To locate documents, browse by category or search using the product name or number.

You can print the technical manuals and release notes free, directly from the Internet. Use Adobe* Reader* to open the manuals and release notes, search for the sections you need, and print them on most standard printers. Go to the Adobe Systems site at h download a free copy of Adobe Reader.

ttp://www.adobe.com to

How to get help

If you purchased a service contract for your Nortel product from a distributor or authorized reseller, contact the technical support staff for that distributor or reseller for assistance.

If you purchased a Nortel service program, use the h

elp web page to locate information to contact Nortel for assistance:

•

• To call a Nortel Technical Solutions Center for assistance, click the

An Express Routing Code (ERC) is available for many Nortel products and services. When you use an ERC, your call is routed to a technical support person who specializes in supporting that product or service. To locate the ERC for your product or service, go to the h page and follow these links:

ttp://www.nortel.com/h

To obtain Nortel Technical Support contact information, click the

CALL US link on the left side of the page to find the telephone number

for your region.

ttp://www.nortel.com/helpweb

Nortel Secure Network Access Switch

Using the Command Line Interface

NN47230-100 03.01 Standard

28 July 2008

22 Introduction

Step Action 1 Click CONTACT US on the left side of the HELP web page.

2 Click Technical Support on the CONTACT US web page. 3 Click Express Routing Codes on the TECHNICAL SUPPORT

web page.

--End--

Nortel Secure Network Access Switch

Using the Command Line Interface

NN47230-100 03.01 Standard

28 July 2008

Overview

The Nortel Secure Network Access Solution Release 2.0 features are mapped to the relevant section(s) in this guide in the following table. For information on the Nortel SNAS Release 1.6.1 see Nortel Secure Network Access Solution Release 1.6.1, NN47230-400, (formerly 320850).

Table 1 Features on NSNA

Release Notes for

Feature

Performance and scalability enhancements: 20,000 concurrent users

Support for hubs “Configuring local DHCP services” (page 115), “Hub

Support for Nortel Ethernet Switch models

- 325 / 425 / 450 / 470 and 2500 series and Ethernet Routing Switch models 4500 series, 5500 series, 8300 and 8600.

Support for WLAN Controller “Configuring local DHCP services” (page 115), “Hub

Support of RADIUS server “Configuration of the RADIUS server” (page 127) Support of Microsoft NAP Interoperability “Configuration of Microsoft NAP Interoperability” (page

Nortel Health Agent Run-Once, Continuous and Never modes

Support for MAC OSX, Linux OS, and non-interactive devices

MAC address policy services “Configuring groups” (page 156), “Managing the local

Section

Not applicable.

DHCP subnet type” (page 118) “Configuring local DHCP services” (page 115), “Hub

DHCP subnet type” (page 118)

139)

“Configuring groups” (page 156), “Managing the local MAC database” (page 206)

“Configuring groups” (page 156)

MAC database” (page 206)

Flexible deployment: Filter only and VLAN and filters deployment

Nortel Secure Network Access Switch

Using the Command Line Interface

NN47230-100 03.01 Standard

“Nortel SNAS enforcement types” (page 28), “Configuring groups” (page 156)

28 July 2008

24 Overview

ATTENTION

Switches that support the Switch to Nortel SNAS Communication Protocol (SSCP) are referred to as NSNA network access devices in this document. Generally, NSNA network access devices are the Ethernet Routing Switch 5500 Series and the Ethernet Routing Switch 8300. Specifically, Release 1.6.1 features are supported by the Ethernet Routing Switch 5500 Series, Release

5.0.2 and later.

ATTENTION

The character combination "<" appears instead of the character "<" in several command strings in this document. For example, <DN> rather than <DN>. Resolution is under investigation.

This chapter includes the following topics:

Topic

“The Nortel SNAS ” (page 24)

“Elements of the Nortel SNAS ” (page 25) “Supported users” (page 25) “Role of the Nortel SNAS ” (page 27)

“Nortel SNAS configuration and management tools” (page 36) “Nortel SNAS configuration roadmap” (page 37)

The Nortel SNAS

Nortel Secure Network Access Solution (Nortel SNAS ) is a protective framework to completely secure the network from endpoint vulnerability. The Nortel SNAS addresses endpoint security and enforces policy compliance. Nortel SNAS delivers endpoint security by enabling only trusted, role-based access privileges premised on the security level of the device, user identity, and session context. Nortel SNAS enforces policy compliance, such as for Sarbanes-Oxley and COBIT, ensuring that the required anti-virus applications or software patches are installed before users are granted network access.

For Nortel, success is delivering technologies providing secure access to your information using security-compliant systems. Your success is measured by increased employee productivity and lower network operations costs. Nortel’s solutions provide your organization with the network intelligence required for success.

“Nortel SNAS clusters” (page 35) “Interface configuration” (page 35)

Nortel Secure Network Access Switch

Using the Command Line Interface

NN47230-100 03.01 Standard

28 July 2008

Elements of the Nortel SNAS

The following devices are essential elements of the Nortel SNAS:

•

Nortel Secure Network Access Switch 4050or 4070 (Nortel SNAS 4050 or 4070), which acts as the Policy Decision Point

• network access devices, which acts as the Policy Enforcement Point

—

Ethernet Routing Switch 8300

— Ethernet Routing Switch 4500, 5510, 5520, or 5530

ATTENTION

NSNA Release 1.6.1 does not currently support the Ethernet Routing Switch 8300 as a Policy Enforcement Point.

• RADIUS, DHCP, and DNS servers

The following devices are additional, optional elements of the Nortel SNAS:

•

remediation server

•

corporate authentication services such as LDAP or RADIUS services

The Nortel SNAS 25

Each Nortel SNAS device can support up to five network access devices.

Supported users

The Nortel SNAS supports the following types of users:

•

PCs using the following operating systems:

— Windows 2000 SP4 —

Windows XP SP2

—

Linux

—

MAC OS

—

Vista

The Nortel SNAS supports the following browsers:

—

Internet Explorer version 6.0 or later

— Netscape Navigator version 7.3 or later — Mozilla Firefox version 1.0.6 or later

Java Runtime Environment (JRE) for all browsers:

— JRE 1.6.0_04 or later

• VoIP phones

Nortel Secure Network Access Switch

Using the Command Line Interface

NN47230-100 03.01 Standard

28 July 2008

26 Overview

Supporting additional users with the software license ﬁle

— Nortel IP Phone 2002 —

Nortel IP Phone 2004

—

Nortel IP Phone 2007

See Release Notes for the Nortel Secure Network Access Solution, Software Release 1.6.1 (NN47230-400), for the minimum firmware versions required for the IP Phones operating with different call servers.

Each Nortel SNAS -enabled port on a network access devices can support one PC (untagged traffic) and one IP Phone (tagged traffic). Softphone traffic is considered to be the same as PC traffic (untagged).

ATTENTION

Where there is both an IP Phone and a PC, the PC must be connected through the 3-port switch on the IP Phone.

The standard Nortel SNAS 4050 implementation can support up to 200 authenticated user sessions. To support additional users on your Nortel SNAS 4050 switch, you must obtain a Nortel SNA software license file. The software license file contains a software license key that you must enter into the Nortel SNAS 4050 switch to activate support for the additional users. The file can support an additional 100, 250, 500, or 1000 users.

ATTENTION

An authenticated IP Phone is considered to be a licensed user.

Your unique software license key is based on your switch MAC address. Before you obtain your software license file, first record the MAC address for the Nortel Secure Network Access Switch to be upgraded. To find the MAC address in the Command Line Interface, use the command.

To obtain your software license file, contact Nortel to order the Nortel SNA Software License Certificate. Follow the instructions on this certificate to obtain your software license file.

After you obtain the software license file from Nortel, you must copy the entire license key to the switch using the CLI or the BBI. When you copy the license key, ensure you include the BEGIN LICENSE and END LICENSE lines.

To copy the license key using the CLI, use the following command:

/cfg/sys/host <host ID> license <key>

/info/local

Nortel Secure Network Access Switch

Using the Command Line Interface

NN47230-100 03.01 Standard

28 July 2008

The Nortel SNAS 27

The following shows a sample display of the CLI interface when copying the license key:

>> Main# cfg/sys/host Enter Host number: 1 >> iSD host 1# license

Paste the license, press Enter to create a new line, and then type "..." (without the quotation marks) to terminate. > -----BEGIN LICENSE----> U4GsdGVkX36AJpnd8KL4iImtRzBvZy+iANDzxog22+vq6Qx4aawSl4FVQo > lXYlsNNFJpYW/vl3osvNPXhzcLV2E9hNHlqirkzc5aLDJ+2xYpK/BRDrMZ > 86OQvdBMyer53xgq8Kk/5BvoFcQYvEC/yWrFyrmZr4XPtAr3qmuZ8UxLqJ > 0x7PUrp6tVI= > -----END LICENSE----> ... License loaded

For more information, see “Configuring the Nortel SNAS host” (page 264). To copy the license key using the BBI, use the Install New License screen

(System > Hosts > host > Install New License). To view the license using BBI, in the cluster select Cluster > Hosts >

License from the menu. For more information, see Nortel Secure Network Access Switch Configuration — Using the BBI, (NN47230-500).

Role of the Nortel SNAS

The Nortel SNAS helps protect the network by ensuring endpoint compliance for devices that connect to the network.

Before allowing a device to have full network access, the Nortel SNAS checks user credentials and host integrity against predefined corporate policy criteria. Through tight integration with network access devices, the Nortel SNAS can:

• dynamically move the user into a quarantine VLAN

• dynamically grant the user full or limited network access

• dynamically apply per port firewall rules that apply to a device’s

connection

Once a device has been granted network access, the Nortel SNAS continually monitors the health status of the device to ensure continued compliance. If a device falls out of compliance, the Nortel SNAS can dynamically move the device into a quarantine or remediation VLAN.

Nortel Secure Network Access Switch

Using the Command Line Interface

NN47230-100 03.01 Standard

28 July 2008

28 Overview

Nortel SNAS functions

The Nortel SNAS performs the following functions:

•

Acts as a web server portal, which is accessed by users in clientless mode for authentication and host integrity check and which sends remediation instructions and guidelines to endpoint clients if they fail the host integrity check.

•

Communicates with backend authentication servers to identify authorized users and levels of access.

• Acts as a policy server, which communicates with the Nortel Health

Agent applet that verifies host integrity.

• Instructs the network access devices to move clients to the appropriate

enforcement zones.

• Can be a DNS proxy in the Red VLAN when the Nortel SNAS functions

as a captive portal

•

Supports the RADIUS server

•

Supports Microsoft NAP Interoperability.

•

Performs session management.

•

Monitors the health of clients and switches.

•

Performs logging and auditing functions.

•

Provides High Availability (HA) through IPmig protocol.

Nortel SNAS enforcement types

Nortel SNAS provides several enforcement types for restricting access to the network.

• VLANs and filters uses a combination of VLANs and filters to provide

enforcement. It is available with NSNA network access devices; that is, devices that support SSCP (Switch-SNAS Communication Protocol), SSCP-Lite, and 802.1x switches.

• Filters only uses only filters to provide enforcement. It is available with

NSNA network access devices.

• NSNA network access devices including Nortel Ethernet Switch

models - 325, 425, 450, 470 and 2500 series and Ethernet Routing Switch models - 4500 series, 5500 series, 8300 and 8600 as well as third-party switches.

VLANs and filters

Nortel Secure Network Access Switch

Using the Command Line Interface

NN47230-100 03.01 Standard

28 July 2008

The Nortel SNAS 29

Four type of Layer 2 or Layer 3 VLANs are configured for VLANs and filters enforcement:

•

Red—extremely restricted access. If the default filters are used, the user can communicate only with the Nortel SNAS and the Windows domain controller network. There is one Red VLAN for each network access devices.

•

Yellow—restricted access for remediation purposes if the client PC fails the host integrity check. Depending on the filters and Nortel Health Agent rules configured for the network, the client may be directed to a remediation server participating in the Yellow VLAN. There can be up to five Yellow VLANs for each network access devices. Each user group is associated with only one Yellow VLAN.

• Green—full access, in accordance with the user’s access privileges.

There can be up to five Green VLANs for each network access devices.

•

VoIP—automatic access for VoIP traffic. The network access devices places VoIP calls in a VoIP VLAN without submitting them to the Nortel SNAS authentication and authorization process.

When a client attempts to connect to the network, the network access devices places the client in its Red VLAN. The Nortel SNAS authenticates the client. By default, the Nortel SNAS then downloads a Nortel Health Agent applet to check the integrity of the client host. If the integrity check fails, the Nortel SNAS instructs the network access devices to move the client to a Yellow VLAN, with its associated filter. If the integrity check succeeds, the Nortel SNAS instructs the network access devices to move the client to a Green VLAN, with its associated filter. The network access devices applies the filters when it changes the port membership.

The VoIP filters allow IP phone traffic into preconfigured VoIP VLANs, for VoIP communication only.

The default filters can be modified to accommodate network requirements, such as Quality of Service (QoS) or specific workstation boot processes and network communications.

For information about configuring VLANs and filters on the network access devices, see Release Notes for Nortel Ethernet Routing Switch 5500

Series, Software Release 5.0.1,orRelease Notes for the Ethernet Routing Switch 8300, Software Release 2.2.8 ,.

To configure the Nortel SNAS for VLANs and filters enforcement, see

“Configuring groups” (page 156), enftype.

Filters only

Nortel Secure Network Access Switch

Using the Command Line Interface

NN47230-100 03.01 Standard

28 July 2008

30 Overview

Filters only enforcement uses two VLANs: Red and VoIP. A client

computer is placed in the Red VLAN where it is held pending successful authentication. If successful, Nortel Health Agent integrity checking can be used to determine if remediation is required. Filters are applied to direct the client to the appropriate network resources but the client remains in the same VLAN regardless of its status. This contrasts with VLANs and filters where the client is moved to another VLAN in addition to applying filters. Filters only handles IP phones in the same manner as VLANs and filters.

With Filters only, there is less network configuration than with VLANs and filters because there are only two VLANs (Red and VoIP) to configure. However, the double layer of protection afforded with VLANs and filters is not provided.

To configure the Nortel SNAS for Filters only enforcement, see

“Configuring groups” (page 156), enftype. Though configuring for Filters

only can result in higher DNS demands on the Nortel SNAS, using the filter DHCP subnet type maintains these demands at the same level as with VLANs and filters: for more information, see “Configuring local

DHCP services” (page 115).

DHCP hub subnet DHCP hub subnet enforcement allows the Nortel SNAS to operate with

a broader range of Nortel ethernet switches as well as third party network access devices. Unlike VLANs and filters and Filters only enforcement, DHCP hub subnet enforcement does not require SSCP support on the network access device.

The DHCP hub subnet configuration is an integral component of the DHCP services provided by the Nortel SNAS. For more information, see

“Configuring local DHCP services” (page 115).

Groups and profiles

Users are organized in groups. In the user gorup we can specify Locaion also. Group membership determines:

• user access rights

Within the group, extended profiles further refine access rights depending on the outcome of the Nortel Health Agent checks.

• number of sessions allowed

• the Nortel Health Agent SRS rule to be applied

• what on the portal page after the user has been authenticated

Nortel Secure Network Access Switch

Using the Command Line Interface

NN47230-100 03.01 Standard

28 July 2008

+ 496 hidden pages