Nortel Networks 4050 User Manual

Download

Part No. 320818-A December 2005

4655 Great America Parkway Santa Clara, CA 95054

Nortel Secure Network Access Switch 4050 User Guide

Nortel Secure Network Access Switch Software Release 1.0

*320818-A*

The information in this document is subject to change without notice. The statements, configurations, technical data, and recommendations in this document are believed to be accurate and reliable, but are presented without express or implied warranty. Users must take full responsibility for their applications of any products specified in this document. The information in this document is proprietary to Nortel Networks Inc.

The software described in this document is furnished under a license agreement and may be used only in accordance with the terms of that license. The software license agreement is included in this document.

Trademarks

*Nortel, Nortel Networks, the Nortel logo, the Globemark, Passport, BayStack, and Contivity are trademarks of Nortel Networks.

All other products or services may be trademarks or registered trademarks of their respective owners.

The asterisk after a name denotes a trademarked item.

Restricted rights legend

Use, duplication, or disclosure by the United States Government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013.

Notwithstanding any other license agreement that may pertain to, or accompany the delivery of, this computer software, the rights of the United States Government regarding its use, reproduction, and disclosure are as set forth in the Commercial Computer Software-Restricted Rights clause at FAR 52.227-19.

Export

This product, software and related technology is subject to U.S. export control and may be subject to export or import regulations in other countries. Purchaser must strictly comply with all such laws and regulations. A license to export or reexport may be required by the U.S. Department of Commerce.

Statement of conditions

In the interest of improving internal design, operational function, and/or reliability, Nortel Networks Inc. reserves the right to make changes to the products described in this document without notice.

Nortel Networks Inc. does not assume any liability that may occur due to the use or application of the product(s) or circuit layout(s) described herein.

Portions of the code in this software product may be Copyright © 1988, Regents of the University of California. All rights reserved. Redistribution and use in source and binary forms of such portions are permitted, provided that the above copyright notice and this paragraph are duplicated in all such forms and that any documentation, advertising materials, and other materials related to such distribution and use acknowledge that such portions of the software were developed by the University of California, Berkeley. The name of the University may not be used to endorse or promote products derived from such portions of the software without specific prior written permission.

SUCH PORTIONS OF THE SOFTWARE ARE PROVIDED “AS IS” AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.

320818-A

In addition, the program and information contained herein are licensed only pursuant to a license agreement that contains restrictions on use and disclosure (that may incorporate by reference certain limitations and notices imposed by third parties).

Licensing

This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/).

This product includes cryptographic software written by Eric Young (eay@cryptsoft.com).

This product includes software written by Tim Hudson (tjh@cryptsoft.com).

This product includes software developed by the Apache Software Foundation (http://www.apache.org/).

Portions of the TunnelGuard code include software licensed from The Legion of the Bouncy Castle.

See Appendix H, “Software licensing information,” on page 905 for more information.

Nortel Networks Inc. software license agreement

This Software License Agreement (“License Agreement”) is between you, the end-user (“Customer”) and Nortel Networks Corporation and its subsidiaries and affiliates (“Nortel Networks”). PLEASE READ THE FOLLOWING CAREFULLY. YOU MUST ACCEPT THESE LICENSE TERMS IN ORDER TO DOWNLOAD AND/OR USE THE SOFTWARE. USE OF THE SOFTWARE CONSTITUTES YOUR ACCEPTANCE OF THIS LICENSE AGREEMENT. If you do not accept these terms and conditions, return the Software, unused and in the original shipping container, within 30 days of purchase to obtain a credit for the full purchase price.

“Software” is owned or licensed by Nortel Networks, its parent or one of its subsidiaries or affiliates, and is copyrighted and licensed, not sold. Software consists of machine-readable instructions, its components, data, audio-visual content (such as images, text, recordings or pictures) and related licensed materials including all whole or partial copies. Nortel Networks grants you a license to use the Software only in the country where you acquired the Software. You obtain no rights other than those granted to you under this License Agreement. You are responsible for the selection of the Software and for the installation of, use of, and results obtained from the Software.

1. Licensed Use of Software. Nortel Networks grants Customer a nonexclusive license to use a copy of the Software on only one machine at any one time or to the extent of the activation or authorized usage level, whichever is applicable. To the extent Software is furnished for use with designated hardware or Customer furnished equipment (“CFE”), Customer is granted a nonexclusive license to use Software only on such hardware or CFE, as applicable. Software contains trade secrets and Customer agrees to treat Software as confidential information using the same care and discretion Customer uses with its own similar information that it does not wish to disclose, publish or disseminate. Customer will ensure that anyone who uses the Software does so only in compliance with the terms of this Agreement. Customer shall not a) use, copy, modify, transfer or distribute the Software except as expressly authorized; b) reverse assemble, reverse compile, reverse engineer or otherwise translate the Software; c) create derivative works or modifications unless expressly authorized; or d) sublicense, rent or lease the Software. Licensors of intellectual property to Nortel Networks are beneficiaries of this provision. Upon termination or breach of the license by Customer or in the event designated hardware or CFE is no longer in use, Customer will promptly return the Software to Nortel Networks or certify its destruction. Nortel Networks may audit by remote polling or other reasonable means to determine Customer’s Software activation or usage levels. If suppliers of third party software included in Software require Nortel Networks to include additional or different terms, Customer agrees to abide by such terms provided by Nortel Networks with respect to such third party software.

2. Warranty. Except as may be otherwise expressly agreed to in writing between Nortel Networks and Customer, Software is provided “AS IS” without any warranties (conditions) of any kind. NORTEL NETWORKS DISCLAIMS ALL WARRANTIES (CONDITIONS) FOR THE SOFTWARE, EITHER EXPRESS OR IMPLIED, INCLUDING,

Nortel Secure Network Access Switch 4050 User Guide

BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE AND ANY WARRANTY OF NON-INFRINGEMENT. Nortel Networks is not obligated to provide support of any kind for the Software. Some jurisdictions do not allow exclusion of implied warranties, and, in such event, the above exclusions may not apply.

3. Limitation of Remedies. IN NO EVENT SHALL NORTEL NETWORKS OR ITS AGENTS OR SUPPLIERS BE LIABLE FOR ANY OF THE FOLLOWING: a) DAMAGES BASED ON ANY THIRD PARTY CLAIM; b) LOSS OF, OR DAMAGE TO, CUSTOMER’S RECORDS, FILES OR DATA; OR c) DIRECT, INDIRECT, SPECIAL, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES (INCLUDING LOST PROFITS OR SAVINGS), WHETHER IN CONTRACT, TORT OR OTHERWISE (INCLUDING NEGLIGENCE) ARISING OUT OF YOUR USE OF THE SOFTWARE, EVEN IF NORTEL NETWORKS, ITS AGENTS OR SUPPLIERS HAVE BEEN ADVISED OF THEIR POSSIBILITY. The foregoing limitations of remedies also apply to any developer and/or supplier of the Software. Such developer and/or supplier is an intended beneficiary of this Section. Some jurisdictions do not allow these limitations or exclusions and, in such event, they may not apply.

4. General

a. If Customer is the United States Government, the following paragraph shall apply: All Nortel Networks

Software available under this License Agreement is commercial computer software and commercial computer software documentation and, in the event Software is licensed for or on behalf of the United States Government, the respective rights to the software and software documentation are governed by Nortel Networks standard commercial license in accordance with U.S. Federal Regulations at 48 C.F.R. Sections

12.212 (for non-DoD entities) and 48 C.F.R. 227.7202 (for DoD entities).

b. Customer may terminate the license at any time. Nortel Networks may terminate the license if Customer fails to

comply with the terms and conditions of this license. In either event, upon termination, Customer must either return the Software to Nortel Networks or certify its destruction.

c. Customer is responsible for payment of any taxes, including personal property taxes, resulting from Customer’s

use of the Software. Customer agrees to comply with all applicable laws including all applicable export and import laws and regulations.

d. Neither party may bring an action, regardless of form, more than two years after the cause of the action arose.

e. The terms and conditions of this License Agreement form the complete and exclusive agreement between

Customer and Nortel Networks.

f. This License Agreement is governed by the laws of the country in which Customer acquires the Software. If the

Software is acquired in the United States, then this License Agreement is governed by the laws of the state of New York.

320818-A

Preface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

Before you begin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26

Text conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27

Related information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28

Publications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28

Online . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29

How to get help . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29

Chapter 1: Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31

The Nortel SNA solution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31

Elements of the NSNA solution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32

Supported users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32

Role of the Nortel SNAS 4050 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33

Nortel SNAS 4050 clusters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39

One-armed and two-armed configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40

Nortel SNA configuration and management tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42

Nortel SNAS 4050 configuration roadmap . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43

Nortel SNAS 4050 functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34

Nortel SNA VLANs and filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34

Groups and profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35

Authentication methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36

TunnelGuard host integrity check . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37

Communication channels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38

One-armed configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41

Two-armed configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41

Chapter 2: Initial setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49

Before you begin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50

About the IP addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51

Nortel Secure Network Access Switch 4050 User Guide

6 Contents

Initial setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .52

Next steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66

Applying and saving the configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67

Chapter 3: Managing the network access devices . . . . . . . . . . . . . . . . . . . 71

Before you begin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72

Managing network access devices using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73

Managing network access devices using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . . 91

Management IP address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51

Portal Virtual IP address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51

Real IP address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52

Setting up a single Nortel SNAS 4050 device or the first in a cluster . . . . . . . . . . 52

Settings created by the quick setup wizard . . . . . . . . . . . . . . . . . . . . . . . . . . . 60

Adding a Nortel SNAS 4050 device to a cluster . . . . . . . . . . . . . . . . . . . . . . . . . . 61

Before you begin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62

Joining a cluster . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63

Applying and saving the configuration using the CLI . . . . . . . . . . . . . . . . . . . . . . . 68

Applying and saving the configuration using the SREM . . . . . . . . . . . . . . . . . . . . 68

Roadmap of domain commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73

Adding a network access device using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . 75

Using the quick switch setup wizard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75

Manually adding a switch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78

Deleting a network access device using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . 79

Configuring the network access devices using the CLI . . . . . . . . . . . . . . . . . . . . . 80

Mapping the VLANs using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82

Managing SSH keys using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84

Generating SSH keys for the domain using the CLI . . . . . . . . . . . . . . . . . . . . 85

Managing SSH keys for Nortel SNA communication using the CLI . . . . . . . . 88

Reimporting the network access device SSH key using the CLI . . . . . . . . . . 89

Monitoring switch health using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89

Controlling communication with the network access devices using the CLI . . . . . 90

Adding a network access device using the SREM . . . . . . . . . . . . . . . . . . . . . . . . 91

Deleting a network access device using the SREM . . . . . . . . . . . . . . . . . . . . . . . 93

Configuring the network access devices using the SREM . . . . . . . . . . . . . . . . . . 93

Mapping the VLANs using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96

320818-A

Contents 7

Mapping VLANs by domain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97

Mapping VLANs by switch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100

Managing SSH keys using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102

Generating SSH keys for the domain using the SREM . . . . . . . . . . . . . . . . . 105

Exporting SSH keys for the domain using the SREM . . . . . . . . . . . . . . . . . . 106

Managing SSH keys for Nortel SNA communication using the SREM . . . . . 109

Reimporting the network access device SSH key using the SREM . . . . . . . 110

Monitoring switch health using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111

Viewing a connected client list using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . 113

Controlling communication with the network access devices using the SREM . . 115

Chapter 4: Configuring the domain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117

Configuring the domain using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118

Roadmap of domain commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119

Creating a domain using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121

Manually creating a domain using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . 121

Using the Nortel SNAS 4050 domain quick setup wizard in the CLI . . . . . . . 123

Deleting a domain using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129

Configuring domain parameters using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . 130

Configuring the TunnelGuard check using the CLI . . . . . . . . . . . . . . . . . . . . . . . 132

Using the quick TunnelGuard setup wizard in the CLI . . . . . . . . . . . . . . . . . 134

Configuring the SSL server using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135

Tracing SSL traffic using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136

Configuring SSL settings using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139

Configuring traffic log settings using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . 142

Configuring HTTP redirect using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144

Configuring advanced settings using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . 145

Configuring RADIUS accounting using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . 146

Managing RADIUS accounting servers using the CLI . . . . . . . . . . . . . . . . . 147

Configuring Nortel SNAS 4050-specific attributes using the CLI . . . . . . . . . 149

Configuring the domain using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150

Creating a domain using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151

Manually creating a domain using the SREM . . . . . . . . . . . . . . . . . . . . . . . . 152

Using the SREM Domain Quick Wizard . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154

Deleting a domain using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163

Nortel Secure Network Access Switch 4050 User Guide

8 Contents

Chapter 5: Configuring groups and profiles . . . . . . . . . . . . . . . . . . . . . . . 191

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192

Before you begin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196

Configuring groups and extended profiles using the CLI . . . . . . . . . . . . . . . . . . . . . . 196

Configuring groups and extended profiles using the SREM . . . . . . . . . . . . . . . . . . . 208

Configuring domain parameters using the SREM . . . . . . . . . . . . . . . . . . . . . . . . 164

Additional domain configuration in the SREM . . . . . . . . . . . . . . . . . . . . . . . . 166

Configuring the TunnelGuard check using the SREM . . . . . . . . . . . . . . . . . . . . . 168

Using the TunnelGuard Quick Setup in the SREM . . . . . . . . . . . . . . . . . . . . 172

Configuring the SSL server using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . . . 174

Configuring SSL settings using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . . 176

Configuring traffic log settings using the SREM . . . . . . . . . . . . . . . . . . . . . . 178

Tracing SSL traffic using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181

Configuring HTTP redirect using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181

Configuring RADIUS accounting using the SREM . . . . . . . . . . . . . . . . . . . . . . . 183

Configuring Nortel SNAS 4050-specific attributes using the SREM . . . . . . . 184

Managing RADIUS accounting servers using the SREM . . . . . . . . . . . . . . . 186

Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192

Default group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193

Linksets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194

TunnelGuard SRS rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194

Extended profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195

Roadmap of group and profile commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197

Configuring groups using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198

Configuring client filters using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201

Configuring extended profiles using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203

Mapping linksets to a group or profile using the CLI . . . . . . . . . . . . . . . . . . . . . . 206

Creating a default group using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 208

Configuring groups using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 208

Using the guide for creating groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209

Adding a group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 210

Modifying a group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 212

Configuring client filters using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213

Adding a client filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214

320818-A

Contents 9

Modifying a client filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217

Configuring extended profiles using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . . 219

Adding an extended profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 220

Modifying an extended profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 222

Mapping linksets to a group or profile using the SREM . . . . . . . . . . . . . . . . . . . . 223

Mapping linksets to a group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 224

Mapping linksets to a profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 227

Creating a default group using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 230

Chapter 6: Configuring authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . 233

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 234

Before you begin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 235

Configuring authentication using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 236

Roadmap of authentication commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 237

Configuring authentication methods using the CLI . . . . . . . . . . . . . . . . . . . . . . . 239

Configuring advanced settings using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . 241

Configuring RADIUS authentication using the CLI . . . . . . . . . . . . . . . . . . . . . . . 242

Adding the RADIUS authentication method using the CLI . . . . . . . . . . . . . . 243

Modifying RADIUS configuration settings using the CLI . . . . . . . . . . . . . . . . 245

Managing RADIUS authentication servers using the CLI . . . . . . . . . . . . . . . 247

Configuring session timeout using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . 249

Configuring LDAP authentication using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . 249

Adding the LDAP authentication method using the CLI . . . . . . . . . . . . . . . . 250

Modifying LDAP configuration settings using the CLI . . . . . . . . . . . . . . . . . . 252

Managing LDAP authentication servers using the CLI . . . . . . . . . . . . . . . . . 256

Managing LDAP macros using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 258

Managing Active Directory passwords using the CLI . . . . . . . . . . . . . . . . . . 260

Configuring local database authentication using the CLI . . . . . . . . . . . . . . . . . . 261

Adding the local database authentication method using the CLI . . . . . . . . . 261

Managing the local database using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . 264

Specifying authentication fallback order using the CLI . . . . . . . . . . . . . . . . . . . . 267

Configuring authentication using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 269

Configuring authentication methods using the SREM . . . . . . . . . . . . . . . . . . . . . 270

Configuring RADIUS authentication using the SREM . . . . . . . . . . . . . . . . . . . . . 271

Adding the RADIUS method and server . . . . . . . . . . . . . . . . . . . . . . . . . . . . 272

Nortel Secure Network Access Switch 4050 User Guide

10 Contents

Modifying RADIUS configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 273

Managing additional RADIUS servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 279

Next steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 282

Configuring LDAP authentication using the SREM . . . . . . . . . . . . . . . . . . . . . . . 282

Adding the LDAP method and server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 283

Modifying LDAP configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 284

Managing additional LDAP servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 291

Managing LDAP macros . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 294

Next steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 298

Configuring local database authentication using the SREM . . . . . . . . . . . . . . . . 298

Adding the Local method . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 299

Populating the database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 301

Modifying Local database configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . 305

Exporting the database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 312

Next steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 313

Specifying authentication fallback order using the SREM . . . . . . . . . . . . . . . . . . 314

Saving authentication settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 316

320818-A

Chapter 7: TunnelGuard SRS Builder . . . . . . . . . . . . . . . . . . . . . . . . . . . . 317

Configuring SRS rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 318

The TunnelGuard user interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 318

Menu commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 319

File menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 319

Software Definition menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 319

Software Definition Entry menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 320

TunnelGuard Rule menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 321

Tool menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 321

SRS definition toolbar . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 322

Software Definition — Available SRS list . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 323

SRS Components table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 323

Customizing a component . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 324

Memory snapshot . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 325

TunnelGuard Rule Definition screen . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 325

SRS Rule toolbar . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 325

SRS Rule list . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 326

Contents 11

SRS Rule Expression Constructor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 326

Managing TunnelGuard rules and expressions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 327

Creating a software definition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 327

Adding entries to a software definition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 328

Selecting modules or files from running processes . . . . . . . . . . . . . . . . . . . . 328

Selecting file on disk . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 331

Creating logical expressions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 333

Registry-based rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 338

Registry-only SRS entry . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 338

Creating a registry entry . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 341

Registry-based File/Module . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 342

Manually creating SRS entries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 343

Manually creating an OnDisk file entry . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 343

Manually creating a Memory Module entry . . . . . . . . . . . . . . . . . . . . . . . . . . 345

File age check . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 347

Adding comments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 348

Adding a TunnelGuard rule comment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 348

Adding a software definition comment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 349

Deleting SRS rules and their components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 349

Deleting a software definition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 350

Deleting a software definition entry . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 350

Deleting a TunnelGuard rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 350

Deleting an expression . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 350

TunnelGuard support for API calls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 351

Making API calls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 351

Chapter 8: Managing system users and groups . . . . . . . . . . . . . . . . . . . . 353

User rights and group membership . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 354

Managing system users and groups using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . 355

Roadmap of system user management commands . . . . . . . . . . . . . . . . . . . . . . 355

Managing user accounts and passwords using the CLI . . . . . . . . . . . . . . . . . . . 356

Managing user settings using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 358

Managing user groups using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 359

CLI configuration examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 360

Adding a new user . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 360

Nortel Secure Network Access Switch 4050 User Guide

12 Contents

Managing system users and groups using the SREM . . . . . . . . . . . . . . . . . . . . . . . . 370

Chapter 9: Customizing the portal and user logon . . . . . . . . . . . . . . . . . 385

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 386

Customizing the portal and logon using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . 398

Changing a user’s group assignment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 365

Changing passwords . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 366

Deleting a user . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 369

Managing user accounts using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 370

Adding new user accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 372

Removing existing user accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 373

Setting password expiry using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 374

Changing your password using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 376

Changing another user’s password using the SREM . . . . . . . . . . . . . . . . . . . . . 377

Setting the certificate export passphrase using the SREM . . . . . . . . . . . . . . . . . 379

Managing user groups using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 381

Adding a user group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 382

Removing a user group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 383

Captive portal and Exclude List . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 386

Exclude List . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 387

Portal display . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 389

Portal look and feel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 389

Language localization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 392

Linksets and links . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 394

Macros . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 395

Automatic redirection to internal sites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 396

Examples of redirection URLs and links . . . . . . . . . . . . . . . . . . . . . . . . . . . . 396

Managing the end user experience . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 397

Automatic JRE upload . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 397

Windows domain logon script . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 398

Roadmap of portal and logon configuration commands . . . . . . . . . . . . . . . . . . . 398

Configuring the captive portal using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . 400

Configuring the Exclude List using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 401

Changing the portal language using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . 402

Configuring language support using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . 402

320818-A

Contents 13

Setting the portal display language using the CLI . . . . . . . . . . . . . . . . . . . . . 404

Configuring the portal display using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . 405

Changing the portal colors using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 408

Configuring custom content using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 409

Configuring linksets using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 411

Configuring links using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 413

Configuring external link settings using the CLI . . . . . . . . . . . . . . . . . . . . . . 415

Configuring FTP link settings using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . 415

Customizing the portal and logon using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . . 416

Configuring the captive portal using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . . 416

Enabling DNS capture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 416

Configuring the DNS Exclude List using the SREM . . . . . . . . . . . . . . . . . . . 418

Changing the portal language using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . 419

Configuring language support using the SREM . . . . . . . . . . . . . . . . . . . . . . 420

Importing and exporting language definitions . . . . . . . . . . . . . . . . . . . . . . . . 422

Setting the portal display language using the SREM . . . . . . . . . . . . . . . . . . 424

Configuring the portal display using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . . 425

Configuring content . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 426

Importing banners . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 429

Changing the portal colors using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . . . . 431

Configuring custom content using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . . . 433

Viewing basic information about custom content . . . . . . . . . . . . . . . . . . . . . 434

Importing custom content . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 436

Exporting custom content . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 438

Configuring linksets using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 439

Creating a linkset . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 440

Modifying a linkset . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 442

Configuring links using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 444

Creating an external link using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . . 445

Creating an FTP link using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 447

Modifying external link settings using the SREM . . . . . . . . . . . . . . . . . . . . . 450

Modifying FTP link settings using the SREM . . . . . . . . . . . . . . . . . . . . . . . . 452

Reordering links using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 453

Nortel Secure Network Access Switch 4050 User Guide

14 Contents

Chapter 10: Configuring system settings . . . . . . . . . . . . . . . . . . . . . . . . . 457

Configuring the cluster using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 459

Configuring the cluster using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 495

Roadmap of system commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 460

Configuring system settings using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 463

Configuring the Nortel SNAS 4050 host using the CLI . . . . . . . . . . . . . . . . . . . . 465

Viewing host information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 469

Configuring host interfaces using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 469

Configuring static routes using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 471

Configuring host ports using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 472

Managing interface ports using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 473

Configuring the Access List using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 474

Configuring date and time settings using the CLI . . . . . . . . . . . . . . . . . . . . . . . . 475

Managing NTP servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 476

Configuring DNS servers and settings using the CLI . . . . . . . . . . . . . . . . . . . . . 477

Managing DNS servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 479

Configuring RSA servers using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 480

Configuring syslog servers using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 481

Configuring administrative settings using the CLI . . . . . . . . . . . . . . . . . . . . . . . . 483

Enabling TunnelGuard SRS administration using the CLI . . . . . . . . . . . . . . . . . . 485

Configuring Nortel SNAS 4050 host SSH keys using the CLI . . . . . . . . . . . . . . . 485

Managing known hosts SSH keys using the CLI . . . . . . . . . . . . . . . . . . . . . . 487

Configuring RADIUS auditing using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . 488

About RADIUS auditing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 488

About the vendor-specific attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 488

Configuring RADIUS auditing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 489

Managing RADIUS audit servers using the CLI . . . . . . . . . . . . . . . . . . . . . . 490

Configuring authentication of system users using the CLI . . . . . . . . . . . . . . . . . 492

Managing RADIUS authentication servers using the CLI . . . . . . . . . . . . . . . 493

Configuring system settings using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . . . 496

Configuring a Nortel SNAS 4050 host using the SREM . . . . . . . . . . . . . . . . . . . 497

Viewing host information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 498

Viewing and configuring TCP/IP properties . . . . . . . . . . . . . . . . . . . . . . . . . 499

Viewing and installing host licenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 500

Configuring host interfaces using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . . . . 508

320818-A

Contents 15

Adding a host interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 509

Configuring an existing host interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 511

Removing a host interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 514

Configuring static routes using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 514

Viewing static routes for a cluster . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 515

Viewing static routes for a host . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 516

Viewing static routes for an interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 517

Managing static routes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 517

Configuring host ports using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 520

Managing interface ports using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 523

Adding interface ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 524

Removing interface ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 524

Configuring the access list using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . . . . 525

Adding an access list entry . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 526

Removing an Access List entry . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 527

Managing date and time settings using the SREM . . . . . . . . . . . . . . . . . . . . . . . 528

Configuring the date and time settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 529

Adding an NTP server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 530

Removing an NTP server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 531

Configuring DNS settings using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 532

Configuring servers using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 534

Managing syslog servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 534

Managing DNS servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 537

Managing RSA servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 540

Configuring administrative settings using the SREM . . . . . . . . . . . . . . . . . . . . . . 546

Configuring SRS control settings using the SREM . . . . . . . . . . . . . . . . . . . . . . . 547

Configuring Nortel SNAS 4050 host SSH keys using the SREM . . . . . . . . . . . . 548

Showing SSH keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 549

Managing Nortel SNAS 4050 and known host SSH keys . . . . . . . . . . . . . . . 551

Adding an SSH key for a known host using the SREM . . . . . . . . . . . . . . . . . . . . 553

Managing RADIUS audit settings using the SREM . . . . . . . . . . . . . . . . . . . . . . . 554

About RADIUS auditing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 554

About the vendor-specific attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 555

Configuring RADIUS auditing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 556

Configuring RADIUS audit settings using the SREM . . . . . . . . . . . . . . . . . . 557

Nortel Secure Network Access Switch 4050 User Guide

16 Contents

Chapter 11: Managing certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 569

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 570

Managing private keys and certificates using the CLI . . . . . . . . . . . . . . . . . . . . . . . . 575

Managing private keys and certificates using the SREM . . . . . . . . . . . . . . . . . . . . . . 597

Managing RADIUS audit servers using the SREM . . . . . . . . . . . . . . . . . . . . 559

Managing RADIUS authentication of system users using the SREM . . . . . . . . . 562

Configuring RADIUS authentication of system users using the SREM . . . . . 563

Managing RADIUS authentication servers using the SREM . . . . . . . . . . . . . 565

Key and certificate formats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 571

Creating certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 573

Installing certificates and keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 573

Saving or exporting certificates and keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 574

Updating certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 574

Roadmap of certificate management commands . . . . . . . . . . . . . . . . . . . . . . . . 576

Managing and viewing certificates and keys using the CLI . . . . . . . . . . . . . . . . . 577

Generating and submitting a CSR using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . 579

Adding a certificate to the Nortel SNAS 4050 using the CLI . . . . . . . . . . . . . . . . 584

Adding a private key to the Nortel SNAS 4050 using the CLI . . . . . . . . . . . . . . . 587

Importing certificates and keys into the Nortel SNAS 4050 using the CLI . . . . . 588

Displaying or saving a certificate and key using the CLI . . . . . . . . . . . . . . . . . . . 591

Exporting a certificate and key from the Nortel SNAS 4050 using the CLI . . . . . 594

Generating a test certificate using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 596

Viewing certificates using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 598

Creating a certificate using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 599

Generating and submitting a CSR using the SREM . . . . . . . . . . . . . . . . . . . . . . 601

Importing a certificate or key using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . . 603

Displaying or saving a certificate and key using the SREM . . . . . . . . . . . . . . . . . 605

Exporting a certificate and key from the Nortel SNAS 4050 using the SREM . . . 607

Viewing certificate information using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . 610

Viewing configuration details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 610

Viewing general information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 612

Viewing certificate subject settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 614

320818-A

Contents 17

Chapter 12: Configuring SNMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 617

Configuring SNMP using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 618

Roadmap of SNMP commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 619

Configuring SNMP settings using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 620

Configuring the SNMP v2 MIB using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . 621

Configuring the SNMP community using the CLI . . . . . . . . . . . . . . . . . . . . . . . . 622

Configuring SNMPv3 users using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 623

Configuring SNMP notification targets using the CLI . . . . . . . . . . . . . . . . . . . . . 626

Configuring SNMP events using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 627

Configuring SNMP settings using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 631

Configuring SNMP using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 632

Configuring SNMP targets using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . . . . 634

Adding SNMP targets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 635

Managing SNMP targets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 638

Removing SNMP targets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 639

Configuring SNMPv3 users using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . . . 640

Adding SNMPv3 users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 641

Managing SNMPv3 users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 644

Removing SNMPv3 users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 646

Configuring SNMP events using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . . . . 647

Managing monitor events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 647

Managing notification events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 655

Chapter 13: Viewing system information and performance statistics . . 659

Viewing system information and performance statistics using the CLI . . . . . . . . . . . 660

Roadmap of information and statistics commands . . . . . . . . . . . . . . . . . . . . . . . 660

Viewing system information using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 661

Viewing alarm events using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 666

Viewing log files using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 667

Viewing AAA statistics using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 667

Viewing all statistics using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 670

Viewing system information and performance statistics using the SREM . . . . . . . . . 670

Viewing local information using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 670

Viewing cluster information using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . . . . 672

Viewing the controller list using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . . 673

Nortel Secure Network Access Switch 4050 User Guide

18 Contents

Viewing SONMP topology information using the SREM . . . . . . . . . . . . . . . . 675

Viewing switch distribution using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . 677

Viewing port information using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . . . 678

Viewing license information using the SREM . . . . . . . . . . . . . . . . . . . . . . . . 680

Viewing session details using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . . . 684

Viewing alarms using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 691

Managing log files using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 695

Viewing AAA statistics using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 698

Viewing AAA statistics for a host . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 699

Viewing License statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 701

Viewing RADIUS statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 702

Viewing Local database statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 704

Viewing LDAP statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 705

Viewing AAA statistics for the domain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 707

Viewing License statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 709

Viewing RADIUS statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 711

Viewing Local database statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 713

Viewing LDAP statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 715

Viewing Ethernet statistics using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . . . . 716

Viewing Rx statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 718

Viewing Tx statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 720

320818-A

Chapter 14: Maintaining and managing the system . . . . . . . . . . . . . . . . . 723

Managing and maintaining the system using the CLI . . . . . . . . . . . . . . . . . . . . . . . . 724

Roadmap of maintenance and boot commands . . . . . . . . . . . . . . . . . . . . . . . . . 725

Performing maintenance using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 726

Backing up or restoring the configuration using the CLI . . . . . . . . . . . . . . . . . . . 730

Managing Nortel SNAS 4050 devices using the CLI . . . . . . . . . . . . . . . . . . . . . . 733

Managing software for a Nortel SNAS 4050 device using the CLI . . . . . . . . . . . 734

Managing and maintaining the system using the SREM . . . . . . . . . . . . . . . . . . . . . . 736

Performing maintenance using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 736

Dumping logs and status information using the SREM . . . . . . . . . . . . . . . . . 737

Starting and stopping a trace using the SREM . . . . . . . . . . . . . . . . . . . . . . . 738

Checking configuration using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . . . . 741

Backing up or restoring the configuration using the SREM . . . . . . . . . . . . . . . . . 742

Contents 19

Managing Nortel SNAS 4050 devices and software using the SREM . . . . . . . . . 743

Managing software versions using the SREM . . . . . . . . . . . . . . . . . . . . . . . . 744

Downloading images using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 748

Rebooting or deleting a Nortel SNAS 4050 device using the SREM . . . . . . 750

Downloading files using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 752

Running Nortel SNAS 4050 diagnostics using the SREM . . . . . . . . . . . . . . . . . . 754

Chapter 15: Upgrading or reinstalling the software . . . . . . . . . . . . . . . . . 757

Upgrading the Nortel SNAS 4050 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 757

Performing minor and major release upgrades . . . . . . . . . . . . . . . . . . . . . . . . . . 758

Downloading the software image using the CLI . . . . . . . . . . . . . . . . . . . . . . 759

Activating the software upgrade package . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 760

Reinstalling the software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 763

Before you begin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 763

Reinstalling the software from an external file server . . . . . . . . . . . . . . . . . . . . . 765

Reinstalling the software from a CD . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 767

Chapter 16: The Command Line Interface. . . . . . . . . . . . . . . . . . . . . . . . . 769

Connecting to the Nortel SNAS 4050 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 770

Establishing a console connection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 770

Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 771

Procedure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 771

Establishing a Telnet connection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 772

Enabling and restricting Telnet access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 772

Running Telnet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 773

Establishing a connection using SSH . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 773

Enabling and restricting SSH access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 773

Running an SSH client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 774

Accessing the Nortel SNAS 4050 cluster . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 775

CLI Main Menu or Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 777

Command line history and editing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 777

Idle timeout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 777

Chapter 17: Configuration example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 779

Scenario . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 779

Steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .782

Nortel Secure Network Access Switch 4050 User Guide

20 Contents

Configure the network DNS server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 782

Configure the network DHCP server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 783

Configure the network core router . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 789

Configure the Ethernet Routing Switch 8300 using the CLI . . . . . . . . . . . . . . . . 790

Steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 790

Enabling SSH . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 791

Configuring the Nortel SNAS 4050 pVIP subnet . . . . . . . . . . . . . . . . . . . . . . 791

Creating port-based VLANs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 791

Configuring the VoIP VLANs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 791

Configuring the Red, Yellow, and Green VLANs . . . . . . . . . . . . . . . . . . . . . . 791

Configuring the NSNA uplink filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 792

Configuring the NSNA ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 792

Enabling NSNA globally . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 792

Configure the Ethernet Routing Switch 5510 . . . . . . . . . . . . . . . . . . . . . . . . . . . 793

Steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 793

Setting the switch IP address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 793

Configuring SSH . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 794

Configuring the Nortel SNAS 4050 pVIP subnet . . . . . . . . . . . . . . . . . . . . . . 794

Creating port-based VLANs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 794

Configuring the VoIP VLANs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 794

Configuring the Red, Yellow, and Green VLANs . . . . . . . . . . . . . . . . . . . . . . 794

Configuring the login domain controller filters . . . . . . . . . . . . . . . . . . . . . . . . 795

Configuring the NSNA ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 795

Enabling NSNA globally . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 795

Configure the Nortel SNAS 4050 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 795

Performing initial setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 796

Completing initial setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 797

Adding the network access devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 798

Mapping the VLANs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 800

Enabling the network access devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 801

320818-A

Appendix A: CLI reference . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 803

Using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 804

Global commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 804

Command line history and editing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 806

Contents 21

CLI shortcuts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 807

Command stacking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 807

Command abbreviation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 808

Tab completion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 808

Using a submenu name as a command argument . . . . . . . . . . . . . . . . . . . . 809

Using slashes and spaces in commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 810

IP address and network mask formats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 810

IP addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 810

Network masks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 810

Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 811

CLI Main Menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 812

CLI command reference . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 812

Information menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 814

Statistics menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 815

Configuration menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 816

Boot menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 835

Maintenance menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 836

Chapter 18: Troubleshooting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 837

Troubleshooting tips . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 837

Cannot connect to the Nortel SNAS 4050 using Telnet or SSH . . . . . . . . . . . . . 838

Verify the current configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 838

Enable Telnet or SSH access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 838

Check the Access List . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 838

Check the IP address configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 839

Cannot add the Nortel SNAS 4050 to a cluster . . . . . . . . . . . . . . . . . . . . . . . . . . 841

Cannot contact the MIP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 841

Check the Access List . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 842

Add Interface 1 IP addresses and the MIP to the Access List . . . . . . . . . . . 842

The Nortel SNAS 4050 stops responding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 843

Telnet or SSH connection to the MIP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 843

Console connection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 843

A user password is lost . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 844

Administrator user password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 844

Operator user password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 844

Nortel Secure Network Access Switch 4050 User Guide

22 Contents

Trace tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 845

System diagnostics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 847

Appendix B: Syslog messages. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 851

Syslog messages by message type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 851

Syslog messages in alphabetical order . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 865

Root user password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 844

Boot user password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 845

A user fails to connect to the Nortel SNAS 4050 domain . . . . . . . . . . . . . . . . . . 845

Installed certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 847

Network diagnostics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 847

Active alarms and the events log file . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 849

Error log files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 849

Operating system (OS) messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 852

System Control Process messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 853

About alarm messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 854

About event messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 856

Traffic Processing Subsystem messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 857

Start-up messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 860

AAA subsystem messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 861

NSNAS subsystem messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 863

320818-A

Appendix C: Supported MIBs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 875

Supported MIBs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 875

Supported traps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 879

Appendix D: Supported ciphers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 881

Appendix E: Adding User Preferences attribute to Active Directory . . . 883

Install All Administrative Tools

(Windows 2000 Server) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 883

Add the Active Directory Schema Snap-in

(Windows 2000 Server and Windows Server 2003) . . . . . . . . . . . . . . . . . . . . . 884

Create a shortcut to the console window . . . . . . . . . . . . . . . . . . . . . . . . . . . 886

Permit write operations to the schema (Windows 2000 Server) . . . . . . . . . . . . . 886

Contents 23

Create a new attribute

(Windows 2000 Server and Windows Server 2003) . . . . . . . . . . . . . . . . . . . . . 887

Create the new class . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 888

Add isdUserPrefs attribute to nortelSSLOffload class . . . . . . . . . . . . . . . . . 888

Add the nortelSSLOffload Class to the User Class . . . . . . . . . . . . . . . . . . . . 889

Appendix F: Configuring DHCP to auto-configure IP Phones. . . . . . . . . 891

Configuring IP Phone auto-configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 892

Creating the DHCP options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 892

Configuring the Call Server Information and VLAN Information options . . . . . . . 896

Setting up the IP Phone . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 899

Appendix G: Using a Windows domain logon script to launch the Nortel

SNAS 4050 portal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 901

Configuring the logon script . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 901

Creating a logon script . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 902

Creating the script as a batch file . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 902

Creating the script as a VBScript file . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 903

Assigning the logon script . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 903

Appendix H: Software licensing information . . . . . . . . . . . . . . . . . . . . . . 905

Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 911

Nortel Secure Network Access Switch 4050 User Guide

24 Contents

320818-A

Preface

Nortel* Secure Network Access (Nortel SNA) is a clientless solution that provides seamless, secure access to the corporate network from inside or outside that network. The Nortel SNA solution combines multiple hardware devices and software components to support the following features:

• partitions the network resources into access zones (authentication, remediation, and full access)

• provides continual device integrity checking using TunnelGuard

• supports both dynamic and static IP clients

The Nortel Secure Network Access Switch 4050 (Nortel SNAS 4050) controls operation of the Nortel SNA solution.

This user guide covers the process of implementing the Nortel SNA solution using the Nortel SNAS 4050 for Nortel Secure Network Access Switch Software Release 1.0. The document includes the following information:

• overview of the role of the Nortel SNAS 4050 in the Nortel SNA solution

• initial setup

• configuring authentication, authorization, and accounting (AAA) features

• managing system users

• customizing the portal

• upgrading the software

• logging and monitoring

• troubleshooting installation and operation

Nortel Secure Network Access Switch 4050 User Guide

26 Preface

The document provides instructions for initializing and customizing the features using the Command Line Interface (CLI). To learn the basic structure and operation of the Nortel SNAS 4050 CLI, refer to “CLI reference” on page 803. This reference guide provides links to where the function and syntax of each CLI command are described in the document. For information on accessing the CLI, see “The Command Line Interface” on page 769.

Security & Routing Element Manager (SREM) is a graphical user interface (GUI) that runs in an online, interactive mode. SREM allows the management of multiple devices (for example, the Nortel SNAS 4050) from one application. To use SREM, you must have network connectivity to a management station running SREM in one of the supported environments. For instructions on installing and starting SREM, refer to Installing and Using the Security & Routing Element Manager (320199-A).

Before you begin

This guide is intended for network administrators who have the following background:

• basic knowledge of networks, Ethernet bridging, and IP routing

• familiarity with networking concepts and terminology

• experience with windowing systems or GUIs

• basic knowledge of network topologies

Before using this guide, you must complete the following procedures. For a new switch:

1 Install the switch.

For installation instructions, see Nortel Secure Network Access Switch 4050 Installation Guide (320846-A).

2 Connect the switch to the network.

For more information, see “The Command Line Interface” on page 769.

Ensure that you are running the latest version of Nortel SNAS 4050 software. For information about upgrading the Nortel SNAS 4050, see “Upgrading or

reinstalling the software” on page 757.

320818-A

Text conventions

This guide uses the following text conventions:

angle brackets (< >) Enter text based on the description inside the brackets.

bold text Objects such as window names, dialog box names, and

bold Courier text Command names, options, and text that you must enter.

braces ({}) Required elements in syntax descriptions where there is

Preface 27

Do not type the brackets when entering the command. Example: If the command syntax is

ping <ip_address>, you enter

ping 192.32.10.12

icons, as well as user interface objects such as buttons, tabs, and menu items.

Example: Use the Example: Enter

dinfo command.

show ip {alerts|routes}.

more than one option. You must choose only one of the options. Do not type the braces when entering the command.

Example: If the command syntax is

show ip {alerts|routes}, you must enter either show ip alerts or show ip routes, but not both.

brackets ([ ]) Optional elements in syntax descriptions. Do not type

the brackets when entering the command. Example: If the command syntax is

show ip interfaces [-alerts], you can enter

show ip interfaces or

either

show ip interfaces -alerts.

ellipsis points (. . . ) Repeat the last element of the command as needed.

Example: If the command syntax is

ethernet/2/1 [<parameter> <value>]... ,

you enter

ethernet/2/1 and as many

parameter-value pairs as needed.

Nortel Secure Network Access Switch 4050 User Guide

28 Preface

italic text Variables in command syntax descriptions. Also

indicates new terms and book titles. Where a variable is two or more words, the words are connected by an underscore.

Example: If the command syntax is

show at <valid_route>, valid_route is one variable and you substitute one

value for it.

plain Courier text

separator ( > ) Menu paths.

vertical line (

| ) Options for command keywords and arguments. Enter

Related information

This section lists information sources that relate to this document.

Publications

Command syntax and system output, for example, prompts and system messages.

Example:

Example: Protocols > IP identifies the IP command on the Protocols menu.

only one of the options. Do not type the vertical line when entering the command.

Example: If the command syntax is

show ip {alerts|routes}, you enter either show ip alerts or show ip routes, but not

both.

Set Trap Monitor Filters

320818-A

Refer to the following publications for information on the Nortel SNA solution:

• Nortel Secure Network Access Solution Guide (320817-A)

• Nortel Secure Network Access Switch 4050 Installation Guide (320846-A)

• Nortel Secure Network Access Switch 4050 User Guide (320818-A)

• Installing and Using the Security & Routing Element Manager (SREM) (320199-B)

Online

Preface 29

• Release Notes for Nortel Ethernet Routing Switch 5500 Series, Software Release 4.3 (217468-B)

• Release Notes for the Ethernet Routing Switch 8300, Software Release

2.2.8 (316811-E)

• Release Notes for the Nortel Secure Network Access Solution, Software Release 1.0 (320850-A)

• Release Notes for Enterprise Switch Manager (ESM), Software Release

5.1 (209960-H)

• Using Enterprise Switch Manager Release 5.1 (208963-F)

To access Nortel technical documentation online, go to the Nortel web site:

www.nortel.com/support

You can download current versions of technical documentation. To locate documents, browse by category or search using the product name or number.

You can print the technical manuals and release notes free, directly from the Internet. Use Adobe* Reader* to open the manuals and release notes, search for the sections you need, and print them on most standard printers. Go to the Adobe Systems site at www.adobe.com to download a free copy of Adobe Reader.

How to get help

If you purchased a service contract for your Nortel product from a distributor or authorized reseller, contact the technical support staff for that distributor or reseller for assistance.

If you purchased a Nortel service program, use the www.nortel.com/help web page to locate information to contact Nortel for assistance:

• To obtain Nortel Technical Support contact information, click the CONTACT US link on the left side of the page.

Nortel Secure Network Access Switch 4050 User Guide

30 Preface

• To call a Nortel Technical Solutions Center for assistance, click the CALL US link on the left side of the page to find the telephone number for your

region.

An Express Routing Code (ERC) is available for many Nortel products and services. When you use an ERC, your call is routed to a technical support person who specializes in supporting that product or service. To locate the ERC for your product or service, go to the www.nortel.com/help web page and follow these links:

1 Click CONTACT US on the left side of the HELP web page.

2 Click Technical Support on the CONTACT US web page.

3 Click Express Routing Codes on the TECHNICAL SUPPORT web page.

320818-A

Chapter 1 Overview

This chapter includes the following topics:

Topic Pa ge

The Nortel SNA solution

Elements of the NSNA solution

Supported users

Role of the Nortel SNAS 4050

Nortel SNAS 4050 clusters

One-armed and two-armed configurations

Nortel SNA configuration and management tools

Nortel SNAS 4050 configuration roadmap

The Nortel SNA solution

Nortel Secure Network Access (Nortel SNA) solution is a protective framework to completely secure the network from endpoint vulnerability. The Nortel SNA solution addresses endpoint security and enforces policy compliance. Nortel SNA delivers endpoint security by enabling only trusted, role-based access privileges premised on the security level of the device, user identity, and session context. Nortel SNA enforces policy compliance, such as for Sarbanes-Oxley and COBIT, ensuring that the required anti-virus applications or software patches are installed before users are granted network access.

Nortel Secure Network Access Switch 4050 User Guide

32 Chapter 1 Overview

For Nortel, success is delivering technologies providing secure access to your information using security-compliant systems. Your success is measured by increased employee productivity and lower network operations costs. Nortel’s solutions provide your organization with the network intelligence required for success.

Elements of the NSNA solution

The following devices are essential elements of the Nortel SNA solution:

• Nortel Secure Network Access Switch 4050 (Nortel SNAS 4050), which acts as the Policy Decision Point

• network access device, which acts as the Policy Enforcement Point

— Ethernet Routing Switch 8300

— Ethernet Routing Switch 5510, 5520, or 5530

• DHCP and DNS servers

The following devices are additional, optional elements of the Nortel SNA solution:

• remediation server

• corporate authentication services such as LDAP or RADIUS services

Each Nortel SNAS 4050 device can support up to five network access devices.

Supported users

The Nortel SNAS 4050 supports the following types of users:

• PCs using the following operating systems:

— Windows 2000 SP4

— Windows XP SP2

The Nortel SNAS 4050 supports the following browsers:

— Internet Explorer version 6.0 or later

— Netscape Navigator version 7.3 or later

— Mozilla Firefox version 1.0.6 or later

320818-A

Chapter 1 Overview 33

Java Runtime Environment (JRE) for all browsers:

— JRE 1.5.0_04 or later

• VoIP phones

— Nortel IP Phone 2002

— Nortel IP Phone 2004

— Nortel IP Phone 2007

See Release Notes for the Nortel Secure Network Access Solution, Software Release 1.0 (320850-A) for the minimum firmware versions required for the IP Phones operating with different call servers.

Each NSNA-enabled port on a network access device can support one PC (untagged traffic) and one IP Phone (tagged traffic). Softphone traffic is considered to be the same as PC traffic (untagged).

Note: Where there is both an IP Phone and a PC, the PC must be connected through the 3-port switch on the IP Phone.

Role of the Nortel SNAS 4050

The Nortel SNAS 4050 helps protect the network by ensuring endpoint compliance for devices that connect to the network.

Before allowing a device to have full network access, the Nortel SNAS 4050 checks user credentials and host integrity against predefined corporate policy criteria. Through tight integration with network access devices, the Nortel SNAS 4050 can:

• dynamically move the user into a quarantine VLAN

• dynamically grant the user full or limited network access

• dynamically apply per port firewall rules that apply to a device’s connection

Once a device has been granted network access, the Nortel SNAS 4050 continually monitors the health status of the device to ensure continued compliance. If a device falls out of compliance, the Nortel SNAS 4050 can dynamically move the device into a quarantine or remediation VLAN.

Nortel Secure Network Access Switch 4050 User Guide

34 Chapter 1 Overview

Nortel SNAS 4050 functions

The Nortel SNAS 4050 performs the following functions:

• Acts as a web server portal, which is accessed by users in clientless mode for authentication and host integrity check and which sends remediation instructions and guidelines to endpoint clients if they fail the host integrity check.

• Communicates with backend authentication servers to identify authorized users and levels of access.

• Acts as a policy server, which communicates with the TunnelGuard applet that verifies host integrity.

• Instructs the network access device to move clients to the appropriate VLAN and, if applicable, to apply additional filters.

• Can be a DNS proxy in the Red VLAN when the Nortel SNAS 4050 functions as a captive portal

• Performs session management.

• Monitors the health of clients and switches.

• Performs logging and auditing functions.

• Provides High Availability (HA) through IPmig protocol.

320818-A

Nortel SNA VLANs and filters

There are four types of Layer 2 or Layer 3 VLANs in a Nortel SNA network:

• Red — extremely restricted access. If the default filters are used, the user can communicate only with the Nortel SNAS 4050 and the Windows domain controller network. There is one Red VLAN for each network access device.

• Yellow — restricted access for remediation purposes if the client PC fails the host integrity check. Depending on the filters and TunnelGuard rules configured for the network, the client may be directed to a remediation server participating in the Yellow VLAN. There can be up to five Yellow VLANs for each network access device. Each user group is associated with only one Yellow VLAN.

• Green — full access, in accordance with the user’s access privileges. There can be up to five Green VLANs for each network access device.

Chapter 1 Overview 35

• VoIP — automatic access for VoIP traffic. The network access device places VoIP calls in a VoIP VLAN without submitting them to the Nortel SNAS 4050 authentication and authorization process.

When a client attempts to connect to the network, the network access device places the client in its Red VLAN. The Nortel SNAS 4050 authenticates the client and then downloads a TunnelGuard applet to check the integrity of the client host. If the integrity check fails, the Nortel SNAS 4050 instructs the network access device to move the client to a Yellow VLAN, with its associated filter. If the integrity check succeeds, the Nortel SNAS 4050 instructs the network access device to move the client to a Green VLAN, with its associated filter. The network access device applies the filters when it changes the port membership.

The VoIP filters allow IP Phone traffic into one of the preconfigured VoIP VLANs for VoIP communication only.

The default filters can be modified to accommodate network requirements, such as Quality of Service (QoS) or specific workstation boot processes and network communications.

For information about configuring VLANs and filters on the network access device, see Release Notes for Nortel Ethernet Routing Switch 5500 Series,

Software Release 4.3 (217468-B) or Release Notes for the Ethernet Routing Switch 8300, Software Release 2.2.8 (316811-E).

Groups and profiles

Users are organized in groups. Group membership determines:

• user access rights

Within the group, extended profiles further refine access rights depending on the outcome of the TunnelGuard checks.

• number of sessions allowed

• the TunnelGuard SRS rule to be applied

• what displays on the portal page after the user has been authenticated

For information about configuring groups and extended profiles on the Nortel SNAS 4050, see “Configuring groups and profiles” on page 191.

Nortel Secure Network Access Switch 4050 User Guide

36 Chapter 1 Overview

Authentication methods

You can configure more than one authentication method within a Nortel SNAS 4050 domain. Nortel Secure Network Access Switch Software Release 1.0 supports the following authentication methods:

• external database

— Remote Authentication Dial-In User Service (RADIUS)

— Lightweight Directory Access Protocol (LDAP)

The Nortel SNAS 4050 authenticates the user by sending a query to an external RADIUS or LDAP server. This makes it possible to use authentication databases already existing within the intranet. The Nortel SNAS 4050 device includes username and password in the query and requires the name of one or more access groups in return. The name of the RADIUS and LDAP access group attribute is configurable.

• local database

The Nortel SNAS 4050 itself can store up to 1,000 user authentication entries, each defining a username, password, and relevant access group. You can populate the database by manually adding entries on the Nortel SNAS 4050, or you can import a database from a TFTP/FTP/SCP/SFTP server.

320818-A

Use the local authentication method if no external authentication databases exist, for testing purposes, for speedy deployment, or as a fallback for external database queries. You can also use the local database for authorization only, if an external server provides authentication services but cannot be configured to return a list of authorized groups.

For information about configuring authentication on the Nortel SNAS 4050, see

“Configuring authentication” on page 233.

For more information about the Nortel SNA solution and the way the Nortel SNAS 4050 controls network access, see Nortel Secure Network Access Solution Guide (320817-A).

Chapter 1 Overview 37

TunnelGuard host integrity check

The TunnelGuard application checks client host integrity by verifying that the components you have specified are required for the client’s personal firewall (executables, DLLs, configuration files, and so on) are installed and active on the client PC. You specify the required component entities and engineering rules by configuring a Software Requirement Set (SRS) rule and mapping the rule to a user group.

After a client has been authenticated, the Nortel SNAS 4050 downloads a TunnelGuard agent as an applet to the client PC. The TunnelGuard applet fetches the SRS rule applicable for the group to which the authenticated user belongs, so that TunnelGuard can perform the appropriate host integrity check. The TunnelGuard applet reports the result of the host integrity check to the Nortel SNAS 4050.

If the required components are present on the client machine, TunnelGuard reports that the SRS rule check succeeded. The Nortel SNAS 4050 then instructs the network access device to permit access to intranet resources in accordance with the user group’s access privileges. The Nortel SNAS 4050 also requests the TunnelGuard applet to redo a DHCP request in order to renew the client’s DHCP lease with the network access device.

If the required components are not present on the client machine, TunnelGuard reports that the SRS rule check failed. You configure behavior following host integrity check failure: The session can be torn down, or the Nortel SNAS 4050 can instruct the network access device to grant the client restricted access to the network for remediation purposes.

The TunnelGuard applet repeats the host integrity check periodically throughout the client session. If the check fails at any time, the client is either evicted or quarantined, depending on the behavior you have configured. The recheck interval is configurable.

For information about configuring the TunnelGuard host integrity check, see

“Configuring the TunnelGuard check using the CLI” on page 132 or “Configuring the TunnelGuard check using the SREM” on page 168. For information about

configuring the SRS rules, see “TunnelGuard SRS Builder” on page 317. For information about mapping an SRS rule to a group, see “Configuring groups using

the CLI” on page 198 or “Configuring groups using the SREM” on page 208.

Nortel Secure Network Access Switch 4050 User Guide

38 Chapter 1 Overview

Communication channels

Communications between the Nortel SNAS 4050 and key elements of the Nortel SNA solution are secure and encrypted. Table 1 shows the communication channels in the network.

Table 1

Communication Communication protocol

Between Nortel SNAS 4050 and edge switches

Between Nortel SNAS 4050 devices in a cluster

Between Nortel SNAS 4050 and client PC (TunnelGuard applet)

Between Nortel SNAS 4050 and SREM SSH

From edge switch to EPM SNMPv3 Inform

From EPM to edge switch Telnet over SSH

From authorized endpoint to DHCP server UDP

Communication channels in the Nortel SNA network

SSH

TCP and UDP

SSL/TLS

Telnet or SSH can be used for management communications between remote PCs and the Nortel SNAS 4050 devices.

About SSH

The Secure Shell (SSH) protocol provides secure and encrypted communication between the Nortel SNAS 4050 and the network access devices, and between Nortel SNAS 4050 devices and remote management PCs not using Telnet.

320818-A

SSH uses either password authentication or public key authentication. With public key authentication, pairs of public/private SSH host keys protect against “man in the middle” attacks by providing a mechanism for the SSH client to authenticate the server. SSH clients keep track of the public keys to be used to authenticate different SSH server hosts.

SSH clients in the Nortel SNA network do not silently accept new keys from previously unknown server hosts. Instead, they refuse the connection if the key does not match their known hosts.

Chapter 1 Overview 39

The Nortel SNAS 4050 supports the use of three different SSH host key types:

•RSA1

•RSA

•DSA

SSH protocol version 1 always uses RSA1 keys. SSH protocol version 2 uses either RSA or DSA keys.

For management communications in the Nortel SNA solution, the Nortel SNAS 4050 can act both as SSH server (when a user connects to the CLI using an SSH client) and as SSH client (when the Nortel SNAS 4050 initiates file or data transfers using the SCP or SFTP protocols).

For information about managing SSH keys for communication between the Nortel SNAS 4050 and the network access devices, see “Managing SSH keys using the

CLI” on page 84 or “Managing SSH keys using the SREM” on page 102.

For information about managing SSH keys for Nortel SNAS 4050 management communications, see “Configuring Nortel SNAS 4050 host SSH keys using the

CLI” on page 485 or “Configuring Nortel SNAS 4050 host SSH keys using the SREM” on page 548.

Nortel SNAS 4050 clusters

A cluster is a group of Nortel SNAS 4050 devices that share the same configuration parameters. Nortel Secure Network Access Switch Software Release 1.0 supports two Nortel SNAS 4050 devices, or nodes, in a cluster. A Nortel SNA network can contain multiple clusters.

Clustering offers the following benefits:

• manageability — The cluster is a single, seamless unit that automatically pushes configuration changes to its members.

• scalability — The Nortel SNAS 4050 nodes in a cluster share the burden of resource-intensive operations. The cluster distributes control of the network access devices between the Nortel SNAS 4050 nodes and distributes handling of session logon. As a result, Nortel SNAS 4050 devices in a cluster can control more switches and handle more user sessions.

Nortel Secure Network Access Switch 4050 User Guide

40 Chapter 1 Overview

• fault tolerance — If a Nortel SNAS 4050 device fails, the failure is detected by the other node in the cluster, which takes over the switch control and session handling functions of the failed device. As long as there is one running Nortel SNAS 4050, no sessions will be lost.

The devices in the cluster can be located anywhere in the network and do not have to be physically connected to each other. All the Nortel SNAS 4050 devices in the cluster must be in the same subnet. The cluster is created during initial setup of the second node, when you specify that the setup is a join operation and you associate the node with an existing Management IP address (MIP).

For more information about Nortel SNAS 4050 IP addresses, see “About the IP

addresses” on page 51. For information about adding a node to a cluster, see “Adding a Nortel SNAS 4050 device to a cluster” on page 61.

One-armed and two-armed configurations

The Nortel SNAS 4050 must interface to two kinds of traffic: client and management. The interface to the client side handles traffic between the TunnelGuard applet on the client and the portal. The interface to the management side handles Nortel SNAS 4050 management traffic (traffic connecting the Nortel SNAS 4050 to internal resources and configuring the Nortel SNAS 4050 from a management station).

320818-A

There are two ways to configure the Nortel SNAS 4050 interfaces:

• one-armed configuration (see “One-armed configuration” on page 41)

• two-armed configuration (see “Two-armed configuration” on page 41)

You specify whether the Nortel SNAS 4050 will function in a one-armed or two-armed configuration during initial setup (see “Initial setup” on page 49).

Chapter 1 Overview 41

One-armed configuration

In a one-armed configuration, the Nortel SNAS 4050 has only one interface, which acts as both the client portal interface and the management traffic interface.

Figure 1 illustrates a one-armed configuration.

Figure 1

One-armed configuration

NSNAS

Internet

Endpoint

device

Management

Management/client portal interface (1)

192.168.128.11 (MIP [management])

192.168.128.12 (RIP [host])

192.168.128.100 (pVIP [portal])

Default gateway

192.168.128.1

Network access device

station

Two-armed configuration

In a two-armed configuration, there are two separate interfaces. Interface 1 handles management traffic. Interface 2 handles client portal traffic.

Nortel Secure Network Access Switch 4050 User Guide

42 Chapter 1 Overview

Figure 2 illustrates a two-armed configuration.

Figure 2

Two-armed configuration

Client portal interface (2)

192.168.128.11 (RIP 2 [host])

192.168.128.100 (pVIP [portal])

Internet

Endpoint

device

NSNAS

Management interface (1)

10.1.0.11 (MIP [management])

10.1.0.12 (RIP 1 [host])

Default gateway

192.168.128.1

Network access device

Management

station

Nortel SNA configuration and management tools

You can use a number of device and network management tools to configure the Nortel SNAS 4050 and manage the Nortel SNA solution:

320818-A

• Command Line Interface (CLI)

You must use the CLI to perform initial setup on the Nortel SNAS 4050 and to set up the Secure Shell (SSH) connection between the Nortel SNAS 4050 and the network access devices, and between the Nortel SNAS 4050 and the GUI management tool. You can then continue to use the CLI to configure and manage the Nortel SNAS 4050, or you can use the GUI.

The configuration chapters in this User Guide describe the specific CLI commands used to configure the Nortel SNAS 4050. For general information about using the CLI, see Chapter 16, “The Command Line Interface,” on

page 769.

Chapter 1 Overview 43

• Security & Routing Element Manager (SREM)

The SREM is a GUI application you can use to configure and manage the Nortel SNAS 4050.

The configuration chapters in this User Guide describe the specific steps to configure the Nortel SNAS 4050 using the SREM. For general information about installing and using the SREM, see Installing and Using the Security & Routing Element Manager (SREM) (320199-B).

• Enterprise Policy Manager (EPM) release 4.2

Enterprise Policy Manager (EPM) is a security policy and quality of service provisioning application. You can use EPM to provision filters on the Nortel SNA network access devices. EPM 4.2 supports preconfiguration of Red, Yellow, and Green VLAN filters prior to enabling the NSNA feature. In future releases of the Nortel SNAS 4050 and EPM software, users will have the additional ability to add and modify security and quality of service filters while Nortel SNA is enabled on the device.

For general information about installing and using EPM, see Installing Nortel Enterprise Policy Manager (318389).

• Simple Network Management Protocol (SNMP) agent

For information about configuring SNMP for the Nortel SNAS 4050, see

“Configuring SNMP” on page 617.

Nortel SNAS 4050 configuration roadmap

The following task list is an overview of the steps required to configure the Nortel SNAS 4050 and the Nortel SNA solution.

1 Configure the network DNS server to create a forward lookup zone for the

Nortel SNAS 4050 domain.

For an example, see “Configuration example” on page 779.

2 Configure the network DHCP server.

For an example, see “Configuration example” on page 779.

Nortel Secure Network Access Switch 4050 User Guide

44 Chapter 1 Overview

For each VLAN:

a Create a DHCP scope.

b Specify the IP address range and subnet mask for that scope.

c Configure the following DHCP options:

— Specify the default gateway.

— Specify the DNS server to be used by endpoints in that scope.

— If desired, configure DHCP so that the IP Phones learn their VLAN

configuration data automatically from the DHCP server. For more information, see Appendix F, “Configuring DHCP to auto-configure

IP Phones,” on page 891.

Note: For the Red VLANs, the DNS server setting is one of the Nortel SNAS 4050 portal Virtual IP addresses (pVIP).

While the endpoint is in the Red VLAN, there are limited DNS server functions to be performed, and the Nortel SNAS 4050 itself acts as the DNS server. When the endpoint is in one of the other VLANs, DNS requests are forwarded to the corporate DNS servers.

320818-A

The DNS server setting is required for the captive portal to work.

3 Configure the network core router:

a Create the Red, Yellow, Green, VoIP, and Nortel SNAS 4050 management

VLANs.

b If the edge switches are operating in Layer 2 mode, enable 802.1q tagging

on the uplink ports to enable them to participate in multiple VLANs, then add the ports to the applicable VLANs.

Note: The uplink ports must participate in all the VLANs.

c Configure IP addresses for the VLANs.

These IP interfaces are the default gateways the DHCP Relay will use.

d If the edge switches are operating in Layer 2 mode, configure DHCP relay

agents for the Red, Yellow, Green, and VoIP VLANs.

Chapter 1 Overview 45

Use the applicable show commands on the router to verify that DHCP relay has been activated to reach the correct scope for each VLAN.

For more information about performing these general configuration steps, see the regular documentation for the type of router used in your network.

4 Configure the network access devices:

a Configure static routes to all the networks behind the core router.

b Configure the switch management VLAN, if necessary.

c Configure and enable SSH on the switch.

d Configure the Nortel SNAS 4050 portal Virtual IP address (pVIP)/subnet.

e Configure port tagging, if applicable.

For a Layer 2 switch, the uplink ports must be tagged to allow them to participate in multiple VLANs.

f Create the port-based VLANs.

These VLANs are configured as VoIP, Red, Yellow, and Green VLANs in step i and step j.

g Configure DHCP relay and IP routing if the switch is used in Layer 3

mode.

h (Optional) Configure the Red, Yellow, Green, and VoIP filters.

The filters are configured automatically as predefined defaults when you configure the Red, Yellow, and Green VLANs (step j). Configure the filters manually only if your particular system setup requires you to modify the default filters. You can modify the filters after NSNA is enabled.

i Configure the VoIP VLANs.

j Configure the Red, Yellow, and Green VLANs, associating each with the

applicable filters.

k Configure the NSNA ports.

Nortel Secure Network Access Switch 4050 User Guide

46 Chapter 1 Overview

l Enable NSNA globally.

For more information about configuring an Ethernet Routing Switch 5510, 5520, or 5530 in a Nortel SNA network, see Release Notes for Nortel Ethernet Routing Switch 5500 Series, Software Release 4.3 (217468-B).

For more information about configuring an Ethernet Routing Switch 8300 in a Nortel SNA network, see Release Notes for the Ethernet Routing Switch 8300, Software Release 2.2.8 (316811-E).

For an example of the commands used to create a Nortel SNA configuration, see “Configuration example” on page 779.

5 Perform the initial setup on the Nortel SNAS 4050 (see “Initial setup” on

page 52). Nortel recommends running the quick setup wizard during initial

setup, in order to create and configure basic settings for a fully functional portal.

Identify switch ports as either uplink or dynamic. When you configure the uplink ports, you associate the NSNA VLANs with those ports. Clients are connected on the dynamic ports. You can configure NSNA ports (both dynamic and uplink) after NSNA is enabled globally.

320818-A

6 Enable SSH and SRS Admin to allow communication with the SREM (see

“Configuring administrative settings using the CLI” on page 483).

7 Generate and activate the SSH key for communication between the Nortel

SNAS 4050 and the network access devices (see “Managing SSH keys using

the CLI” on page 84 or “Managing SSH keys using the SREM” on page 102).

8 Specify the Software Requirement Set (SRS) rule for the default

tunnelguard group (see “Configuring groups using the CLI” on page 198

or “Configuring groups using the SREM” on page 208).

9 Add the network access devices and export the SSH key (see “Addi n g a

network access device using the CLI” on page 75 or “Adding a network access device using the SREM” on page 91).

10 Specify the VLAN mappings (see “Mapping the VLANs using the CLI” on

page 82 or “Mapping the VLANs using the SREM” on page 96).

11 Test NSNA connectivity by using the

/maint/chkcfg command in the CLI

(see “Performing maintenance using the CLI” on page 726) or checking the

Chapter 1 Overview 47

configuration in the SREM (see “Checking configuration using the SREM”

on page 741).

12 Configure groups (see “Configuring groups and profiles” on page 191).

13 Configure client filters (see “Configuring client filters using the CLI” on

page 201).

14 Configure extended profiles (see “Configuring extended profiles using the

CLI” on page 203).

15 Specify the authentication mechanisms (see “Configuring authentication” on

page 233).

16 Configure system users (see “Managing system users and groups” on

page 353).

17 Configure the end user experience (see “Customizing the portal and user

logon” on page 385).

Nortel Secure Network Access Switch 4050 User Guide

48 Chapter 1 Overview

320818-A

Chapter 2 Initial setup

This chapter includes the following topics:

Topic Pa ge

Before you begin

About the IP addresses

Initial setup

Setting up a single Nortel SNAS 4050 device or the first in a cluster

Adding a Nortel SNAS 4050 device to a cluster

Next steps

Applying and saving the configuration

Applying and saving the configuration using the CLI

Applying and saving the configuration using the SREM

Nortel Secure Network Access Switch 4050 User Guide

50 Chapter 2 Initial setup

Before you begin

Before you can set up the Nortel SNAS 4050, you must complete the following tasks:

1 Plan the network. For more information, see Nortel Secure Network Access

Solution Guide (320817-A).

In order to configure the Nortel SNAS 4050, you require the following information:

•IP addresses

— Nortel SNAS 4050 Management IP address (MIP), portal Virtual IP

— default gateway

— DNS server

— NTP server (if applicable)

— external authentication servers (if applicable)

— network access devices

— remediation server (if applicable)

address (pVIP), Real IP address (RIP)

320818-A

For more information about the Nortel SNAS 4050 MIP, pVIP, and RIP, see “About the IP addresses” on page 51.

• VLAN IDs

— Nortel SNAS 4050 management VLAN

— Red VLANs

— Yellow VLANs

— Green VLANs

— VoIP VLANs

• Groups and profiles to be configured

2 Configure the network DNS server, DHCP server, core router, and network

access devices, as described in “Nortel SNAS 4050 configuration roadmap”

on page 43, steps 1 through 4.

3 Install the Nortel SNAS 4050 device. For more information, see Nortel Secure

Network Access Switch 4050 Installation Guide (320846-A).

4 Establish a console connection to the Nortel SNAS 4050 (see “Establishing a

console connection” on page 770).

About the IP addresses

Management IP address

The Management IP address (MIP) identifies the Nortel SNAS 4050 in the network. In a multi-Nortel SNAS 4050 solution, the MIP is an IP alias to one of the Nortel SNAS 4050 devices in the cluster and identifies the cluster. The MIP always resides on a master Nortel SNAS 4050 device. If the master Nortel SNAS 4050 that currently holds the MIP fails, the MIP automatically migrates to a functional master Nortel SNAS 4050. In order to configure the Nortel SNAS 4050 or Nortel SNAS 4050 cluster remotely, you connect to the MIP using Telnet (for the CLI) or SSH (for the CLI or the SREM).

Portal Virtual IP address

Chapter 2 Initial setup 51

The portal Virtual IP address (pVIP) is the address assigned to the Nortel SNAS 4050 device’s web portal server. The pVIP is the address to which clients connect in order to access the Nortel SNA network. While the client is in the Red VLAN and the Nortel SNAS 4050 is acting as DNS server, the pVIP is the DNS server IP address. Although it is possible to assign more than one pVIP to a Nortel SNAS 4050 device, Nortel recommends that each Nortel SNAS 4050 have only one pVIP. When the Nortel SNAS 4050 portal is configured as a captive portal, the pVIP is used to load balance logon requests.

Nortel Secure Network Access Switch 4050 User Guide

52 Chapter 2 Initial setup

Real IP address

The Real IP address (RIP) is the Nortel SNAS 4050 device host IP address for network connectivity. The RIP is the IP address used for communication between Nortel SNAS 4050 devices in a cluster. The RIP must be unique on the network and must be within the same subnet as the MIP. In a two-armed configuration, the Nortel SNAS 4050 device has two RIPs: one for the client portal interface and one for the management traffic interface (see “One-armed and two-armed

configurations” on page 40).

Note: Nortel recommends that you always use the MIP for remote configuration, even though it is possible to configure the Nortel SNAS 4050 device remotely by connecting to its RIP. Connecting to the MIP allows you to access all the Nortel SNAS 4050 devices in a cluster. The MIP is always up, even if one of the Nortel SNAS 4050 devices is down and therefore not reachable at its RIP.

Initial setup

The initial setup is a guided process that launches automatically the first time you power up the Nortel SNAS 4050 and log on. You must use a console connection in order to perform the initial setup.

• For a standalone Nortel SNAS 4050 or the first Nortel SNAS 4050 in a

• To add a Nortel SNAS 4050 to a cluster, see “Adding a Nortel SNAS 4050

Setting up a single Nortel SNAS 4050 device or the first in a cluster

1 Log on using the following username and password:

cluster, see “Setting up a single Nortel SNAS 4050 device or the first in a

cluster” on page 52.

device to a cluster” on page 61.

320818-A

Chapter 2 Initial setup 53

The Setup Menu displays.

Alteon iSD NSNAS Hardware platform: 4050 Software version: x.x

------------------------------------------------------[Setup Menu]

join - Join an existing cluster new - Initialize host as a new installation boot - Boot menu info - Information menu exit - Exit [global command, always available]

>> Setup#

2 Select the option for a new installation.

>> Setup# new

Setup will guide you through the initial configuration.

3 Specify the management interface port number. This port will be assigned to

Interface 1.

Enter port number for the management interface [1-4]:

<port>

In a one-armed configuration, you are specifying the port you want to use for all network connectivity, since Interface 1 is used for both management traffic (Nortel SNAS 4050 management and connections to intranet resources) and client portal traffic (traffic between the TunnelGuard applet on the client and the portal).

Nortel Secure Network Access Switch 4050 User Guide

54 Chapter 2 Initial setup

In a two-armed configuration, you are specifying the port you want to use for Nortel SNAS 4050 management traffic.

Note: You can later convert a one-armed configuration into a two-armed one by adding a new interface to the cluster and assigning an unused port to that interface. The new interface will be used exclusively for client portal traffic. For information about adding a new interface, see

“Configuring host interfaces using the CLI” on page 469 or “Configuring host interfaces using the SREM” on page 508. For

information about assigning ports to an interface, see “Configuring host

ports using the CLI” on page 472 or “Configuring host ports using the SREM” on page 520.

4 Specify the RIP for this device. This IP address will be assigned to

Interface 1.

Enter IP address for this machine (on management interface): <IPaddr>

320818-A

The RIP must be unique on the network and must be within the same subnet as the MIP.

5 Specify the network mask for the RIP on Interface 1.

Enter network mask [255.255.255.0]: <mask>

6 If the core router attaches VLAN tag IDs to incoming packets, specify the

VLAN tag ID used.

Enter VLAN tag id (or zero for no VLAN) [0]:

If you do not specify a VLAN tag id (in other words, you accept the default value of zero), the traffic will not be VLAN tagged. When configuring the network access devices in Layer 2 configurations, ensure that you add the uplink ports to the Nortel SNAS 4050 management VLAN, for traffic between the Nortel SNAS 4050 and the network access device.

Chapter 2 Initial setup 55

7 Specify whether you are setting up a one-armed or a two-armed configuration.

Setup a two armed configuration (yes/no) [no]:

If you are setting up a one-armed configuration, press Enter to accept the default value (

no). Go to step 8.

If you are setting up a two-armed configuration, enter

yes. Go to step 9.

8 Specify the default gateway IP address.

Enter default gateway IP address (or blank to skip):

The default gateway is the IP address of the interface on the core router that will be used if no other interface is specified. The default gateway IP address must be within the same network address range as the RIP.

Go to step 10.

9 Configure the interface for client portal traffic (Interface 2).

a Specify a port number for the client portal interface. This port will be

assigned to Interface 2. The port number must not be the same as the port number for the management interface (Interface 1).

b Specify the RIP for Interface 2.

c Specify the network mask for the RIP on Interface 2.

d If the core router attaches VLAN tag IDs to incoming packets, specify the

VLAN tag ID used.

e Specify the default gateway IP address for Interface 2. The default

gateway is the IP address of the interface on the core router that will be

Nortel Secure Network Access Switch 4050 User Guide

56 Chapter 2 Initial setup

used if no other interface is specified. The default gateway IP address on Interface 2 must be within the same subnet as the RIP for Interface 2.

Enter port number for the traffic interface [1-4]:

<port>

Enter IP address for this machine (on traffic interface):

Enter network mask [255.255.255.0]: <mask> Enter VLAN tag id (or zero for no VLAN) [0]:

Enter default gateway IP address (on the traffic interface): <IPaddr>

10 Specify the MIP for this device or cluster.

Enter the Management IP (MIP) address: <IPaddr> Making sure the MIP does not exist...ok Trying to contact gateway...ok

The MIP must be unique on the network and must be within the same subnet as the RIP and the default gateway for Interface 1.

320818-A

Note: If you receive an error message that the iSD (the Nortel SNAS 4050 device) cannot contact the gateway, verify your settings on the core router. Do not proceed with the initial setup until the connectivity test succeeds.

11 Specify the time zone.

Enter a timezone or 'select' [select]: <timezone>

If you do not know the time zone you need, press

<CR> to access the selection

menus:

Select a continent or ocean: <Continent or ocean by number>

Select a country: <Country by number> Select a region: <Region by number, if applicable> Selected timezone: <Suggested timezone, based on your

selections>

Chapter 2 Initial setup 57

12 Configure the time settings.

Enter the current date (YYYY-MM-DD) [2005-05-02]: Enter the current time (HH:MM:SS) [19:14:52]:

13 Specify the NTP server, if applicable.

Enter NTP server address (or blank to skip): <IPaddr>

Note: If you do not have access to an NTP server at this point, you can configure this item after the initial setup is completed. See “Configuring

date and time settings using the CLI” on page 475 or “Managing date and time settings using the SREM” on page 528.

14 Specify the DNS server, if applicable.

Enter DNS server address (or blank to skip): <IPaddr>

15 Generate the SSH host keys for secure management and maintenance

communication from and to Nortel SNAS 4050 devices.

Generate new SSH host keys (yes/no) [yes]: This may take a few seconds...ok

If you do not generate the SSH host keys at this stage, generate them later when you configure the system (see “Configuring Nortel SNAS 4050 host

SSH keys using the CLI” on page 485 or “Configuring Nortel SNAS 4050 host SSH keys using the SREM” on page 548).

For communication between the Nortel SNAS 4050 and the network access devices, generate the SSH key after you have completed the initial setup (see

“Managing SSH keys using the CLI” on page 84 or “Managing SSH keys using the SREM” on page 102).

Nortel Secure Network Access Switch 4050 User Guide

58 Chapter 2 Initial setup

16 Change the admin user password, if desired.

Enter a password for the "admin" user: Re-enter to confirm:

Make sure you remember the password you define for the admin user. You will need to provide the correct admin user password when logging in to the Nortel SNAS 4050 (or the Nortel SNAS 4050 cluster) for configuration purposes.

17 Run the Nortel SNAS 4050 quick setup wizard. This creates all the settings

required to enable a fully functional portal, which you can customize later (see “Configuring the domain” on page 117).

For information about the default settings created by the wizard, see “Settings

created by the quick setup wizard” on page 60.

a Start the quick setup wizard.

Run NSNAS quick setup wizard [yes]: yes

Creating default networks under /cfg/domain 1/aaa/ network

320818-A

b Specify the pVIP of the Nortel SNAS 4050 device.

Enter NSNAS Portal Virtual IP address(pvip): <IPaddr>

c Specify a name for the Nortel SNAS 4050 domain.

Enter NSNAS Domain name: <name>

d Specify any domain names you wish to add to the DNS search list, as a

convenience to clients. If the domain name is in the DNS search list, clients can use a shortened form of the domain name in the address fields on the Nortel SNAS 4050 portal.

Enter comma separated DNS search list (eg company.com,intranet.company.com):

Chapter 2 Initial setup 59

For example, if you entered company.com in the DNS search list, users can type

nsnas to connect to nsnas.company.com from the portal

page.

e If you want to enable HTTP to HTTPS redirection, create a redirect

server.

Create http to https redirect server [no]:

f Specify the action to be performed when an SRS rule check fails. The

options are:

—

restricted. The session remains intact, but access is restricted in

accordance with the rights specified in the access rules for the group.

—

teardown. The SSL session is torn down.

The default is

Use restricted (teardown/restricted) action for TunnelGuard failure? [yes]:

restricted.

g Create the default user and group.

The wizard creates a default user (

tg) within a group (tunnelguard),

which you can subsequently reuse. The wizard also creates the default client filters, profiles, and linksets to be applied when the user passes (

tg_passed) or fails (tg_failed) the TunnelGuard check. The wizard

prompts you to specify the VLAN IDs to associate with the respective profiles.

Nortel Secure Network Access Switch 4050 User Guide

60 Chapter 2 Initial setup

The action to be performed when the TunnelGuard check fails depends on your selection in step f on page 59.

Create default tunnel guard user [no]: yes Using 'restricted' action for TunnelGuard failure. User name: tg User password: tg

Enter green vlan id [110]: <VID>

tg_failed Enter yellow vlan id [120]: <VID>

Initializing system......ok

Setup successful. Relogin to configure.

Creating client filter 'tg_passed'. Creating client filter 'tg_failed'. Creating linkset 'tg_passed'. Creating linkset 'tg_failed'. Creating group 'tunnelguard' with secure access. Creating extended profile, full access when tg_passed

Creating extended profile, remediation access when

Creating user 'tg' in group 'tunnelguard'.

320818-A

Settings created by the quick setup wizard

The quick setup wizard creates the following basic Nortel SNAS 4050 settings:

1 A Nortel SNAS 4050 domain (Domain 1). A Nortel SNAS 4050 domain

encompasses all switches, authentication servers, and remediation servers associated with that Nortel SNAS 4050.

2 A virtual SSL server. A portal IP address, or pVIP, is assigned to the virtual

SSL server. Clients connect to the pVIP in order to access the portal.

3 A test certificate has been installed and mapped to the Nortel SNAS 4050

portal.

4 The authentication method is set to Local database.

5 One test user is configured. You were prompted to set a user name and

password during the quick setup wizard (in this example, user name and password are both set to tunnelguard. There are two profiles within the group:

tg_failed. Each profile has a client filter and a linkset associated with it.

tg). The test user belongs to a group called

tg_passed and

Chapter 2 Initial setup 61

The profiles determine the VLAN to which the user will be allocated. Tab le 2 shows the extended profiles that have been created.

Table 2

Index Client filter name VLAN ID Linkset name

1 tg_failed yellow tg_failed

2 tg_passed green tg_passed

Extended profile details

6 One or several domain names have been added to the DNS search list,

depending on what you specified at the prompt in the quick setup wizard. This means that the client can enter a short name in the portal’s various address fields (for example, inside instead of inside.example.com if example.com was added to the search list).

7 If you selected the option to enable http to https redirection, an additional

server of the http type was created to redirect requests made with http to https, since the Nortel SNAS 4050 portal requires an SSL connection.

Adding a Nortel SNAS 4050 device to a cluster

After you have installed the first Nortel SNAS 4050 in a cluster (see “Setting up a

single Nortel SNAS 4050 device or the first in a cluster” on page 52), you can add

another Nortel SNAS 4050 to the cluster by configuring the second Nortel SNAS 4050 setup to use the same MIP. When you set up the Nortel SNAS 4050 to join an existing cluster, the second Nortel SNAS 4050 gets most of its configuration from the existing Nortel SNAS 4050 device in the cluster. The amount of configuration you need to do at setup is minimal.

You can later modify settings for the cluster, the device, and the interfaces using the

/cfg/sys/[host <host ID>/interface] commands.

Nortel Secure Network Access Switch 4050 User Guide

62 Chapter 2 Initial setup

Before you begin

Log on to the existing Nortel SNAS 4050 device to check the software version and system settings. Use the installed software version (for more information, see “Managing software for a

Nortel SNAS 4050 device using the CLI” on page 734). Use the

accesslist/list

information, see “Configuring the Access List using the CLI” on page 474).

Do not proceed with the join operation until the following requirements are met.

• Verify that the IP addresses you will assign to the new Nortel SNAS 4050 device conform to Nortel SNA network requirements. For more information, see “About the IP addresses” on page 51 and “One-armed and two-armed

configurations” on page 40.

• The Access List has been updated, if necessary.

The Access List is a system-wide list of IP addresses for hosts authorized to access the Nortel SNAS 4050 devices by Telnet and SSH.

/boot/software/cur command to check the currently

/cfg/sys/

command to view settings for the Access List (for more

If the

/info/sys command executed on the existing Nortel SNAS 4050

shows no items configured for the Access List, no action is required. However, if the Access List is not empty before the new Nortel SNAS 4050 joins the cluster, you must add to the Access List the cluster’s MIP, the existing Nortel SNAS 4050 RIP on Interface 1, and the new Nortel SNAS 4050 RIP on Interface 1. You must do this before you perform the join operation, or the devices will not be able to communicate with each other.

For information about adding entries to the Access List, see “Configuring the

Access List using the CLI” on page 474.

• The existing Nortel SNAS 4050 and the new Nortel SNAS 4050 must run the same version of software. If the versions are different, decide which version you want to use and then do one of the following:

• To change the version on the new NSNAS, download the desired software

image and reinstall the software (see “Reinstalling the software” on

page 763).

320818-A

Chapter 2 Initial setup 63

• To change the version on the existing NSNAS, download the desired

software image and upgrade the software on the existing cluster (see

“Upgrading the Nortel SNAS 4050” on page 757).

Note: Nortel recommends always using the most recent software version.

Joining a cluster

1 Log on using the following username and password:

The Setup Menu displays.

Alteon iSD NSNAS Hardware platform: 4050 Software version: x.x

------------------------------------------------------[Setup Menu]

join - Join an existing cluster new - Initialize host as a new installation boot - Boot menu info - Information menu exit - Exit [global command, always available]

>> Setup#

2 Select the option to join an existing cluster.

>> Setup# join

Setup will guide you through the initial configuration.

3 Specify the management interface port number. This port will be assigned to

Interface 1.

Enter port number for the management interface [1-4]:

<port>

Nortel Secure Network Access Switch 4050 User Guide

64 Chapter 2 Initial setup

In a two-armed configuration, you are specifying the port you want to use for Nortel SNAS 4050 management traffic.

Note: For consistency, Nortel recommends that you specify the same port number for the management interface port on all Nortel SNAS 4050 devices in the cluster.

4 Specify the RIP for this device. This IP address will be assigned to

Interface 1.

Enter IP address for this machine (on management interface): <IPaddr>

320818-A

The RIP must be unique on the network and must be within the same subnet as the MIP.

5 Specify the network mask for the RIP on Interface 1.

Enter network mask [255.255.255.0]: <mask>

6 If the core router attaches VLAN tag IDs to incoming packets, specify the

VLAN tag ID used.

Enter VLAN tag id (or zero for no VLAN) [0]:

7 Specify whether you are setting up a one-armed or a two-armed configuration.

Setup a two armed configuration (yes/no) [no]:

If you are setting up a one-armed configuration, press Enter to accept the default value (

If you are setting up a two-armed configuration, enter

no). Go to step 9.

yes. Go to step 8.

Chapter 2 Initial setup 65

8 Configure the interface for client portal traffic (Interface 2).

a Specify a port number for the client portal interface. This port will be

assigned to Interface 2. The port number must not be the same as the port number for the management interface (Interface 1).

b Specify the RIP for Interface 2.

c Specify the network mask for the RIP on Interface 2.

d If the core router attaches VLAN tag IDs to incoming packets, specify the

VLAN tag ID used.

Enter port number for the traffic interface [1-4]:

<port>

Enter IP address for this machine (on traffic interface):

Enter network mask [255.255.255.0]: <mask> Enter VLAN tag id (or zero for no VLAN) [0]:

9 Specify the MIP of the existing cluster.

The system is initialized by connecting to the management server on an existing iSD, which must be operational and initialized. Enter the Management IP (MIP) address: <IPaddr>

10 Specify the default gateway IP address for Interface 2. The default gateway is

the IP address of the interface on the core router that will be used if no other interface is specified. The default gateway IP address on Interface 2 must be within the same subnet as the RIP for Interface 2.

Enter default gateway IP address (on the traffic interface): <IPaddr>

11 Provide the correct admin user password configured for the existing cluster.

Enter the existing admin user password: <password>

Nortel Secure Network Access Switch 4050 User Guide

66 Chapter 2 Initial setup

12 Wait while the Setup utility finishes processing. When processing is complete,

you will see

The new Nortel SNAS 4050 automatically picks up all other required configuration data from the existing Nortel SNAS 4050 in the cluster. After a short while, you receive the

Setup successful.

Next steps

1 To enable the SREM connection to the Nortel SNAS 4050:

Setup successful.

a Use the

/cfg/sys/adm/ssh on command to enable SSH access to the

Nortel SNAS 4050 (for more information, see “Configuring

administrative settings using the CLI” on page 483).

b Use the

/cfg/sys/adm/srsadmin ena command to enable

TunnelGuard SRS administration (for more information, see “Enabling

TunnelGuard SRS administration using the CLI” on page 485 or “Configuring SRS control settings using the SREM” on page 547).

Note: For greater security, you may want to restrict access to the Nortel SNAS 4050 to those machines specified in an Access List. In this case, ensure that you add an IP address for the SREM to the Access List. For more information about using the Access List to control Telnet and SSH access, see “Configuring the Access List using the CLI” on page 474 or

“Configuring the access list using the SREM” on page 525.

From this point on, you can configure the Nortel SNAS 4050 using either the CLI or the SREM.

2 To enable remote management using Telnet, use the

telnet on

command to enable Telnet access to the Nortel SNAS 4050 (for

/cfg/sys/adm/

more information, see “Configuring administrative settings using the CLI” on

page 483).

320818-A

Chapter 2 Initial setup 67

3 To finish connecting the Nortel SNAS 4050 to the rest of the network,

complete the following tasks:

a Generate and activate the SSH keys for communication between the

Nortel SNAS 4050 and the network access devices (see “Managing SSH

keys using the CLI” on page 84 or “Managing SSH keys using the SREM” on page 102).

b Specify the SRS rule for the

groups using the CLI” on page 198 or “Configuring groups using the SREM” on page 208).

c Add the network access devices (see “Adding a network access device

using the CLI” on page 75 or “Adding a network access device using the SREM” on page 91).

d Specify the VLAN mappings (see “Mapping the VLANs using the CLI”

on page 82 or “Mapping the VLANs using the SREM” on page 96).

e If you did not run the quick setup wizard during the initial setup,

configure the following:

— Create the domain (see “Creating a domain using the CLI” on

page 121 or “Creating a domain using the SREM” on page 151).

— Create at least one group.

— Specify the VLANs to be used when the TunnelGuard check succeeds

and when it fails (see “Configuring extended profiles using the CLI”

on page 203 or “Configuring extended profiles using the SREM” on page 219).

4 Save the configuration (see “Applying and saving the configuration” on

page 67).

tunnelguard group (see “Configuring

Applying and saving the configuration

On both the CLI and the SREM, you must enter explicit commands in order to make configuration changes permanent and in order to create a backup configuration file.

Nortel Secure Network Access Switch 4050 User Guide

68 Chapter 2 Initial setup

Applying and saving the configuration using the CLI

If you have not already done so after each sequence of configuration steps, confirm your changes using the

To view your configuration on the screen, for copy and paste into a text file, use the following command:

/cfg/dump

To save your configuration to a TFTP, FTP, SCP, or SFTP server, use the following command:

/cfg/ptcfg

For more information, see “Backing up or restoring the configuration using

the CLI” on page 730.

apply command.

Applying and saving the configuration using the SREM

In the SREM, there are two steps to saving configuration changes, described below:

1 Click Apply after each change, to send the change to the Nortel SNAS 4050

device.

Changes that have been applied are not yet permanent. To cancel changes that have been applied, click Revert to remove all unconfirmed changes.

2 Click Commit once your changes are complete, to change the permanent

configuration on the Nortel SNAS 4050.

Committed changes take effect immediately.

320818-A

Chapter 2 Initial setup 69

Figure 3 on page 69 shows the location of the Apply and Commit buttons.

Figure 3

Apply and Commit buttons

For more information about the Apply and Commit functions, see Installing and Using the Security & Routing Element Manager (SREM) (320199-B).

Nortel Secure Network Access Switch 4050 User Guide

70 Chapter 2 Initial setup

320818-A

Chapter 3 Managing the network access devices

This chapter includes the following topics:

Topic Pa ge

Before you begin

Managing network access devices using the CLI

Roadmap of domain commands

Adding a network access device using the CLI

Deleting a network access device using the CLI

Configuring the network access devices using the CLI

Mapping the VLANs using the CLI

Managing SSH keys using the CLI

Monitoring switch health using the CLI

Controlling communication with the network access devices using the CLI

Managing network access devices using the SREM

Adding a network access device using the SREM

Deleting a network access device using the SREM

Configuring the network access devices using the SREM

Mapping the VLANs using the SREM

Managing SSH keys using the SREM

Nortel Secure Network Access Switch 4050 User Guide

102

72 Chapter 3 Managing the network access devices

Topic Pa ge

Monitoring switch health using the SREM

Controlling communication with the network access devices using the SREM

Before you begin

In Trusted Computing Group (TCG) terminology, the edge switches in a Nortel SNA solution function as the Policy Enforcement Point. In this document, the term network access device is used to refer to the edge switch once it is configured for the Nortel SNA network.

The following edge switches can function as network access devices in the Nortel SNA solution:

• Ethernet Routing Switch 8300

• Ethernet Routing Switch 5510, 5520, and 5530

Before you can configure the edge switches as network access devices in the Nortel SNAS 4050 domain, you must complete the following:

• Create the domain, if applicable. If you ran the quick setup wizard during initial setup, Domain 1 has been created. For more information about creating a domain, see “Configuring the domain” on page 117.

• Configure the edge switches for Nortel SNA (see “Nortel SNAS 4050

configuration roadmap”, step 4 on page 45). For detailed information about

configuring the edge switches for Nortel SNA, see Release Notes for the

Ethernet Routing Switch 8300, Software Release 2.2.8 (316811-E) or Release Notes for Nortel Ethernet Routing Switch 5500 Series, Software Release

4.3 (217468-B).

111

115

320818-A

For secure communication between the Nortel SNAS 4050 and the network access device, each must have knowledge of the other’s public SSH key. After you have added the network access device to the Nortel SNAS 4050 domain, you must exchange the necessary SSH keys (see “Managing SSH keys using the CLI” on

page 84 or “Managing SSH keys using the SREM” on page 102).

Chapter 3 Managing the network access devices 73

You require the following information for each network access device:

• IP address of the switch

• VLAN names and VLAN IDs for the Red, Yellow, and Green VLANs

• the TCP port to be used for Nortel SNA communication

• for Ethernet Routing Switch 8300 switches, a valid rwa user name

Managing network access devices using the CLI

The Nortel SNAS 4050 starts communicating with the network access device as soon as you enable the switch on the Nortel SNAS 4050 by using the

/cfg/domain #/switch #/ena command.

You cannot configure the VLAN mappings for a network access device in the Nortel SNAS 4050 domain if the switch is enabled. When you add a network access device to the domain, it is disabled by default. Do not enable the network access device until you have completed the configuration. To reconfigure the VLAN mappings for an existing network access device, first disable it by using the

/cfg/domain #/switch #/dis command.

Roadmap of domain commands

The following roadmap lists the CLI commands to configure the network access devices in a Nortel SNA deployment. Use this list as a quick reference or click on any entry for more information:

Command Parameter

/cfg/domain #/switch <switch ID>

/cfg/domain #/switch #/delete

/cfg/domain #/switch <switch ID> name <name>

type ERS8300|ERS5500

ip <IPaddr>

port <port>

rvid <VLAN ID>

Nortel Secure Network Access Switch 4050 User Guide

74 Chapter 3 Managing the network access devices

Command Parameter

reset

ena

dis

delete

/cfg/domain #/vlan add <name> <VLAN ID>

del <index>

list

/cfg/domain #/switch #/vlan add <name> <VLAN ID>

del <index>

list

/cfg/domain #/sshkey generate

show

export

/cfg/domain #/switch #/sshkey import

add

del

show

export

user <user>

/cfg/domain #/switch #/hlthchk interval <interval>

deadcnt <count>

sq-int <interval>

/cfg/domain #/switch #/dis

/cfg/domain #/switch #/ena

320818-A

Chapter 3 Managing the network access devices 75

Adding a network access device using the CLI

You can add a network access device to the configuration in two ways. You must repeat the steps for each switch that you want to add to the domain configuration.

• “Using the quick switch setup wizard” on page 75

• “Manually adding a switch” on page 78

Using the quick switch setup wizard

To add a network access device to the Nortel SNAS 4050 domain using the quick switch setup wizard, use the following command:

/cfg/domain 1/quick

You can later modify all settings created by the quick switch setup wizard (see

“Configuring the network access devices using the CLI” on page 80).

1 Launch the quick switch setup wizard.

>> Main# cfg/domain 1/quick

2 Specify the type of switch. Valid options are:

ERS8300 (for an Ethernet Routing Switch 8300)

•

ERS5500 or ERS55 (for an Ethernet Routing Switch 5510, 5520, or

5530).

The default is

ERS8300.

Note: The input is case sensitive.

Enter the type of the switch (ERS8300/ERS5500) [ERS8300]

3 Specify the IP address of the network access device.

IP address of Switch: <IPaddr>

Nortel Secure Network Access Switch 4050 User Guide

76 Chapter 3 Managing the network access devices

4 Specify the TCP port for communication between the Nortel SNAS 4050 and

the network access device. The default is port 5000.

NSNA communication port[5000]:

5 The SSH fingerprint of the switch is automatically picked up if the switch is

reachable. If the fingerprint is successfully retrieved, go to step 7 on page 77.

If the fingerprint is not successfully retrieved, you will receive an error message and be prompted to add the SSH key.

Trying to retrieve fingerprint...failed.

Error: “Failed to retrieve host key” Do you want to add ssh key? (yes/no) [no]:

Choose one of the following:

a To paste in a public key you have downloaded from the switch, enter

Go to step 6 on page 76.

b To continue adding the switch to the configuration without adding its

public SSH key at this time, press Enter to accept the default value ( After you have added the switch, add or import the SSH public key for the switch (see “Managing SSH keys for Nortel SNA communication using

the CLI” on page 88).

Go to step 7 on page 77.

6 To add the switch public key:

a At the prompt to add the SSH key, enter

Yes.

b When prompted, paste in the key from a text file, then press Enter.

c Enter an ellipsis (

...) to signal the end of the key.

Yes.

no).

320818-A

Chapter 3 Managing the network access devices 77

z K W T G R

d To continue, go to step 7 on page 77.

Do you want to add ssh key? (yes/no) [no]: yes

Paste the key, press Enter to create a new line, and then type "..." (without the quotation marks) to terminate. > 47.80.18.98 ssh-dss

AAAAB3NzaC1kc3MAAABRAJfEJJvYic9yOrejtZ88prdWdRWBF8Qkm9iJ 3I6t6O1nzymt1Z1DVMXxCSb2InPcjq3o7WfPKa3VnUNUgTpESrFlH7oo +Zys8iEUbmJ3kpAAAAFQCUE/74fr6ACaxJpMcz0TlWwahdzwAAAFEAgP Vrk0VOOXQmfLhutwaTrxltIDkJzOEIXPfAIEpvDsvnlNkFE/i2vVdq/G KmAghfN3BYjRIQT0PAwUKOS5gkyfLG9I5rKqJ/hFWJThR4YAAABQI9yJ 5Q7q+2Pnk+tx1Kd44nCD6/9j7L4RIkIEnrDbgsVxvMcsNdI+HLnN+vmB 5wd+vrW5Bq/ToMvPspwI+WbV8TjycWeC7nk/Tg++X53hc=

> ...

7 Specify the VLAN ID of the Red VLAN, as configured on the network access

device. The network access devices in the domain can share a common Red VLAN or can each have a separate Red VLAN.

Red vlan id of Switch: <VLAN ID>

8 Wait while the wizard completes processing to add the network access device,

then enter Apply to activate the changes. The system automatically assigns the lowest available switch ID to the network access device.

The switch is disabled when it is first added to the configuration. Do not enable the switch until you have completed configuring the system. For more information, see “Configuring the network access devices using the CLI” on

page 80.

Creating Switch 1 Use apply to activate the new Switch.

>> Domain 1#

Nortel Secure Network Access Switch 4050 User Guide

78 Chapter 3 Managing the network access devices

Manually adding a switch

To add a network access device and configure it manually, use the following command:

/cfg/domain #/switch <switch ID>

where switch ID is an integer in the range 1 to 255 that uniquely identifies the network access device in the Nortel SNAS 4050 domain.

When you first add the network access device, you are prompted to enter the following information:

• switch name — a string that identifies the switch on the Nortel SNAS 4050. The maximum length of the string is 255 characters. After you have defined a name for the switch, you can use either the switch name or the switch ID to access the Switch menu.

• type of switch — valid options are sensitive.

• IP address of the switch.

• NSNA communication port — the TCP port for communication between the Nortel SNAS 4050 and the network access device. The default is port 5000.

• Red VLAN ID — the VLAN ID of the Red VLAN configured on the switch.

• username — the user name for an rwa user on the switch (required for Ethernet Routing Switch 8300 only).

ERS8300 and ERS5500. The input is case

320818-A

The SSH fingerprint of the switch is automatically picked up if the switch is reachable. If the fingerprint is not successfully retrieved, you receive an error message (

Error: Failed to retrieve host key). After you have added

the switch, you must add or import the SSH public key for the switch (see

“Managing SSH keys for Nortel SNA communication using the CLI” on page 88).

The Switch menu displays.

Figure 4 on page 79 shows sample output for the

/cfg/domain #/switch

command and commands on the Switch menu. For more information about the Switch menu commands, see “Configuring the network access devices using the

CLI” on page 80.

Chapter 3 Managing the network access devices 79

Figure 4 Adding a switch manually

>> Domain 1# switch 1 Creating Switch 3 Enter name of the switch: Switch1_ERS8300 Enter the type of the switch (ERS8300/ERS5500): ERS8300 Enter IP address of the switch: <IPaddr> NSNA communication port[5000]: Enter VLAN Id of the Red VLAN: <VLAN ID> Entering: SSH Key menu Enter username: rwa Leaving: SSH Key menu

---------------------------------------------------------[Switch 3 Menu]

name - Set Switch name type - Set Type of the switch ip - Set IP address port - Set NSNA communication port hlthchk - Health check intervals for switch vlan - Vlan menu rvid - Set Red VLAN Id sshkey - SSH Key menu reset - Reset all the ports on a switch ena - Enable switch dis - Disable switch delete - Remove Switch

Error: Failed to retrieve host key

>> Switch 3#..

Deleting a network access device using the CLI

To remove a network access device from the domain configuration, first disable the switch then delete it. Use the following commands:

/cfg/domain #/switch #/dis

/cfg/domain #/switch #/delete

The disable and delete commands log out all clients connected through the switch.

Nortel Secure Network Access Switch 4050 User Guide

80 Chapter 3 Managing the network access devices

The delete command removes the current switch from the control of the Nortel SNAS 4050 cluster.

Configuring the network access devices using the CLI

When you first add a network access device to the Nortel SNAS 4050 domain, the switch is disabled by default. Do not enable the switch until you have completed configuring it. In particular, do not enable the switch until you have mapped the VLANs (see “Mapping the VLANs using the CLI” on page 82) and exchanged the necessary SSH keys (see “Managing SSH keys using the CLI” on page 84).

If you want to reconfigure the VLAN mappings or delete a VLAN for an existing network access device, use the disable the switch first.

Note: Remember to enable the network access device after completing the configuration in order to activate the network access device in the Nortel SNA network.

/cfg/domain #/switch #/dis command to

320818-A

To configure a network access device in the Nortel SNAS 4050 domain, use the following command:

/cfg/domain #/switch <switch ID>

where switch ID is the ID or name of the switch you want to configure.

The Switch menu displays.

Chapter 3 Managing the network access devices 81

The Switch menu includes the following options:

/cfg/domain #/switch <switch ID>

followed by:

name <name>

type ERS8300|ERS5500

ip <IPaddr>

port <port>

hlthchk

vlan

rvid <VLAN ID>

sshkey

reset

ena

Names or renames the switch. After you have defined a name for the switch, you can use either the switch name or the switch ID to access the Switch menu.

•

name is a string that must be unique in the domain.

The maximum length of the string is 255 characters.

Specifies the type of network access device. Valid options are:

• ERS8300 — an Ethernet Routing Switch 8300

• ERS5500 — an Ethernet Routing Switch 5510,

5520, or 5530

The default is ERS8300.

Specifies the IP address of the switch.

Specifies the TCP port used for Nortel SNA communication. The default is port 5000.

Accesses the Healthcheck menu, in order to configure settings for the Nortel SNAS 4050 to monitor the health of the switch (see “Monitoring switch health using the

CLI” on page 89).

Accesses the Switch Vlan menu, in order to map the Green and Yellow VLANs configured on switch (see

“Mapping the VLANs using the CLI” on page 82).

Identifies the Red VLAN for the network access device.

• VLAN ID is the ID of the Red VLAN, as configured on the switch

Accesses the SSH Key menu, in order to manage the exchange of public keys between the switch and the Nortel SNAS 4050 (see “Managing SSH keys for Nortel

SNA communication using the CLI” on page 88)

Resets all the Nortel SNA-enabled ports on the switch. Clients connected to the ports are moved into the Red VLAN.

Enables the network access device. As soon as you enable the switch, the Nortel SNAS 4050 begins communicating with the switch and controlling its Nortel SNA clients.

Nortel Secure Network Access Switch 4050 User Guide

82 Chapter 3 Managing the network access devices

/cfg/domain #/switch <switch ID>

followed by:

dis

delete

Disables the switch for Nortel SNA operation.

Removes the switch from the Nortel SNAS 4050 domain configuration.

Mapping the VLANs using the CLI

The VLANs are configured on the network access devices. You specify the Red VLAN for each network access device when you add the switch (see “Ad ding a

network access device using the CLI” on page 75). After adding the switch, you

must identify the Yellow and Green VLANs to the Nortel SNAS 4050.

You can perform the VLAN mapping in two ways:

• for all switches in a domain (by using the

/cfg/domain #/vlan/add

command)

• switch by switch (by using the

/cfg/domain #/switch #/vlan/add

command)

Nortel recommends mapping the VLANs by domain. In this way, if you later add switches which use the same VLAN IDs, their VLAN mappings will automatically be picked up.

If you map the VLANs by domain, you can modify the mapping for a particular network access device by using the switch-level

vlan command. Switch-level

settings override domain settings.

To manage the VLAN mappings for all the network access devices in the Nortel SNAS 4050 domain, first disable all the switches in the domain, then use the following command:

/cfg/domain #/vlan

To manage the VLAN mappings for a specific network access device, first disable the switch in the domain, then use the following command:

/cfg/domain #/switch #/vlan

320818-A

Chapter 3 Managing the network access devices 83

The Nortel SNAS 4050 maintains separate maps for the domain and the switch. If you add a VLAN from the domain-level

vlan command, you must use the

domain-level command for all future management of that mapping. Similarly, if you add a VLAN from the switch-level

vlan command, you must use the

switch-level command for all future management of that mapping.

The Domain vlan or Switch vlan menu displays.

The Domain vlan or Switch vlan menu includes the following options:

/cfg/domain #[/switch #]/vlan

followed by:

add <name> <VLAN ID>

del <index>

list

Adds the specified VLAN to the domain or switch VLAN map. You are prompted to enter the required parameters if you do not include them in the command.

name is the name of the VLAN, as configured on

• the switch

VLAN ID is the ID of the VLAN, as configured on

• the switch

The system automatically assigns an index number to the VLAN entry when you add it. If you are executing the command from the Domain vlan menu, the index number indicates the position of the new entry in the domain map. If you are executing the command from the Switch vlan menu, the index number indicates the position of the new entry in the switch map.

Repeat this command for each Green and Yellow VLAN configured on the network access devices.

Removes the specified VLAN entry from the applicable VLAN map.

• index is an integer indicating the index number automatically assigned to the VLAN mapping when you created it

The index numbers of the remaining entries adjust accordingly.

To view the index numbers for all VLAN entries in the map, use the

/cfg/domain #[/switch #]/vlan/list

command.

Displays the index number, name, and VLAN ID for all VLAN entries in the map.

Nortel Secure Network Access Switch 4050 User Guide

84 Chapter 3 Managing the network access devices

Managing SSH keys using the CLI

The Nortel SNAS 4050 and the network access devices controlled by the Nortel SNAS 4050 domain exchange public keys so that they can authenticate themselves to each other in future SSH communications.

To enable secure communication between the Nortel SNAS 4050 and the network access device, do the following:

1 Generate an SSH public key for the Nortel SNAS 4050 domain (see

“Generating SSH keys for the domain using the CLI” on page 85), if

necessary. Apply the change immediately.

If you created the domain manually, the SSH key was generated automatically (see “Manually creating a domain using the CLI” on page 121).

Note: The SSH key for the Nortel SNAS 4050 domain is not the same as the SSH key generated during initial setup for all Nortel SNAS 4050 hosts in the cluster (see “Initial setup”, step 15 on page 57).

320818-A

2 Export the Nortel SNAS 4050 public key to each network access device.

• For an Ethernet Routing Switch 8300:

Use the

/cfg/domain #/switch #/sshkey/export command to

export the key directly to the switch (see “Managing SSH keys for Nortel

SNA communication using the CLI” on page 88).

• For an Ethernet Routing Switch 5510, 5520, or 5530:

Use the

/cfg/domain #/sshkey/export command to upload the key

to a TFTP server, for manual retrieval from the switch (see “Generating

SSH keys for the domain using the CLI” on page 85). For information

about downloading the key from the server to the switch, see Release

Notes for Nortel Ethernet Routing Switch 5500 Series, Software Release

4.3 (217468-B).

Chapter 3 Managing the network access devices 85

If you regenerate the key at any time, you must re-export the key to each network access device.

Note: If you export the key after the network access device has been enabled, you may need to disable and re-enable the switch in order to activate the change.

3 For each network access device, import its public key into the Nortel

SNAS 4050 domain, if necessary (see “Managing SSH keys for Nortel SNA

communication using the CLI” on page 88).

• For an Ethernet Routing Switch 8300, you can retrieve the key in two ways:

—Use the

/cfg/domain #/switch #/sshkey/import command

to import the key directly from the network access device.

—Use the

/cfg/domain #/switch #/sshkey/add command to

paste in the key.

• For an Ethernet Routing Switch 5510, 5520, or 5530:

—Use the

/cfg/domain #/switch #/sshkey/import command

to import the key directly from the network access device.

If the network access device was reachable when you added it to the domain configuration, the SSH key was automatically retrieved.

If the network access device defaults, it generates a new public key. You must reimport the key whenever the switch generates a new public key (see

“Reimporting the network access device SSH key using the CLI” on page 89).

Note: In general, enter Apply to apply the changes immediately after you execute any of the SSH commands.

Generating SSH keys for the domain using the CLI

To generate, view, and export the public SSH key for the domain, use the following command:

/cfg/domain #/sshkey

The NSNAS SSH key menu displays.

Nortel Secure Network Access Switch 4050 User Guide

86 Chapter 3 Managing the network access devices

The NSNAS SSH key menu includes the following options:

/cfg/domain #/sshkey

followed by:

generate Generates an SSH public key for the domain. There

can be only one key in effect for the Nortel SNAS 4050 domain at any one time. If a key already exists, you are prompted to confirm that you want to replace it.

Enter Apply to apply the change immediately and create the key.

show Displays the SSH public key generated for the domain.

export Exports the Nortel SNAS 4050 domain public key to a

file exchange server. You are prompted to enter the following information:

• protocol — options are The default is

Note: Use TFTP to export to an Ethernet Routing Switch 5500 Series switch. Ethernet Routing Switch 5500 Series switches do not support the other protocols.

• host name or IP address of the server

• file name of the key (file type .pub) you are exporting

• for FTP, SCP, and SFTP, user name and password to access the file exchange server

To export the key directly to an Ethernet Routing Switch 8300, use the

/cfg/domain #/switch #/sshkey/export

command (see “Managing SSH keys for Nortel SNA

communication using the CLI” on page 88).

tftp|ftp|scp|sftp.

tftp.

320818-A

Chapter 3 Managing the network access devices 87

Figure 5 shows sample output for the /cfg/domain #/sshkey command.

Figure 5

>> Main# /cfg/domain 1/sshkey

---------------------------------------------------------[NSNAS SSH key Menu]

>> NSNAS SSH key# generate Key already exists, overwrite? (yes/no) [no]: yes Generating new SSH key, this operation takes a few seconds... done. Apply to activate.

>> NSNAS SSH key# apply >> NSNAS SSH key# show

Type: DSA Fingerprint: 4c:7c:b6:b4:47:5f:ae:6e:65:f1:b3:b1:7a:f0:59:d3

---- BEGIN SSH2 PUBLIC KEY ---AAAAB3NzaC1kc3MAAACBANWNQJzGnZ7lqIUZw5VkjseaR0dcgPhx/CA6Zl JPZlRkY/USzJmZLoXpWuhAiByMPJ/69BLWCHTQUI/+FqNPzEXnjBBKHSw0 smb3OKfCJMfv4OfF7YQyfQP6KiKjsdNdHYH1ErHqNe1G8q8KIKinlG35z3 Bc7Yi9BxK84suWm3jdAAAAFQDg5ohEvhYoDlYhal3zMkgq0+t33wAAAIBh Sa+J/5SxwYfnE/ltdwlOgcMk4eomP03M4BsI8vylsvHt4THD3typTtqjWo jQG0vDBt7a/4hcHQ55LTrC81/u/+ep5NVlTjxlmczCz6C1wOq4Ab1iiQub gRRL7DnZSghjNAU8JqzcEbU7g0VKorlxwt/M9P17ZmBdhkgwsdgArAAAAI BtMdI1Q5eNq/yRmRuvinEwVjbQNVaywDkQljLvY4wnHjj+OjWpxVyLvzHI Qs3IRBSzTCXGOqmmTNYXeDkHANPGl5RkfyldEq4/pJpUIMPBEj/C4H34Eq WTkZvCaHRG3HH6QsJj3Wreskh574t/ubybhmzDw5Ubl42AxUJbDMVbZg==

---- END SSH2 PUBLIC KEY ----

Generating an SSH key for the domain

generate -Generate new SSH key for the NSNAS domain show - Show NSNAS domain public SSH key

>> NSNAS SSH key# export Select protocol (tftp/ftp/scp/sftp) [tftp]: Enter hostname or IP address of server: localhost Enter filename on server: key.pub

Trying to export NSNAS public key to tftp://localhost/key.pub

. sent 590 bytes >> NSNAS SSH key#

Nortel Secure Network Access Switch 4050 User Guide

88 Chapter 3 Managing the network access devices

Managing SSH keys for Nortel SNA communication using the CLI

To retrieve the public key for the network access device and export the public key for the domain, use the following command:

/cfg/domain #/switch #/sshkey

The SSH Key menu displays.

The SSH Key menu includes the following options:

/cfg/domain #/switch #/sshkey

followed by:

import

add

del

show

export

user <user>

Retrieves the SSH public key from the network access device, if it is reachable.

Allows you to paste in the contents of a key file you have downloaded from the Ethernet Routing Switch 8300 network access device.

When prompted, paste in the key, then press Enter. Enter an elllipsis (...) to signal the end of the key.

Deletes the SSH public key for the network access device in the domain.

Displays the SSH public key for the network access device.

Exports the SSH public key for the Nortel SNAS 4050 domain to the network access device.

Note: You cannot use this command to export the key to an Ethernet Routing Switch 5500 series switch. Instead, use the

/cfg/domain#1/sshkey/export command to

upload the key to a file exchange server.

Specifies the user name for the network access device (required for Ethernet Routing Switch 8300 only).

user is the user name of an administrative user

• (rwa) on the switch.

320818-A

Chapter 3 Managing the network access devices 89

Reimporting the network access device SSH key using

the CLI

Whenever the network access device generates a new public SSH key, you must import the new key into the Nortel SNAS 4050 domain.

1 Use the

/cfg/domain #/switch #/sshkey/del command to delete the

original key.

2 Enter

3 Use the

Apply to apply the change immediately.

/cfg/domain #/switch #/sshkey/import command to import

the new key.

4 Enter

Apply to apply the change immediately.

For more information about the commands, see “Managing SSH keys for Nortel

SNA communication using the CLI” on page 88.

Monitoring switch health using the CLI

The Nortel SNAS 4050 continually monitors the health of the network access devices. At specified intervals, a health check daemon sends queries and responses to the switch as a heartbeat mechanism. If no activity (heartbeat) is detected, the daemon will retry the health check for a specified number of times (the dead count). If there is still no heartbeat, then after a further interval (the status-quo interval) the network access device moves all its clients into the Red VLAN. When connectivity is re-established, the Nortel SNAS 4050 synchronizes sessions with the network access device.

The health check interval, dead count, and status-quo interval are configurable.

To configure the interval and dead count parameters for the Nortel SNAS 4050 health checks and status-quo mode, use the following command:

/cfg/domain #/switch #/hlthchk

The HealthCheck menu displays.

Nortel Secure Network Access Switch 4050 User Guide

90 Chapter 3 Managing the network access devices

The HealthCheck menu includes the following options:

/cfg/domain #/switch #/hlthchk

followed by:

interval <interval>

deadcnt <count>

sq-int <interval>

Sets the time interval between checks for switch activity.

• interval is an integer that indicates the time interval in seconds ( The valid range is 60s (1m) to 64800s (18h). The default is 1m (1 minute).

Specifies the number of times the Nortel SNAS 4050 will repeat the check for switch activity when no heartbeat is detected.

•

count is an integer in the range 1–65535 that

indicates the number of retries. The default is 3.

If no heartbeat is detected after the specified number of retries, the Nortel SNAS 4050 enters status-quo mode.

Sets the time interval for status-quo mode, after which the network access device moves all clients into the Red VLAN.

interval is an integer that indicates the time

• interval in seconds ( The valid range is 0 to 64800s (18h). The default is 1m (1 minute).

s), minutes (m), or hours (h).

320818-A

Controlling communication with the network access devices using the CLI

To stop communication between the Nortel SNAS 4050 and a network access device, use the following command:

/cfg/domain #/switch #/dis

Enter apply to apply the change immediately.

Note: If the switch is not going to be used in the Nortel SNA network, Nortel recommends deleting the switch from the Nortel SNAS 4050 domain, rather than just disabling it.

Chapter 3 Managing the network access devices 91

To restart communication between the Nortel SNAS 4050 and a network access device, use the following command:

/cfg/domain #/switch #/ena

Enter apply to apply the change immediately.

Managing network access devices using the SREM

The Nortel SNAS 4050 starts communicating with the network access device as soon as you enable the switch on the Nortel SNAS 4050.

You cannot configure the VLAN mappings for a network access device in the Nortel SNAS 4050 domain if the switch is enabled. When you add a network access device to the domain, it is disabled by default. Do not enable the network access device until you have completed the configuration. For information about enabling and disabling the network access device, see “Controlling

communication with the network access devices using the SREM” on page 115.

Note: Remember to enable the network access device after completing the configuration, or it will not be active.

Adding a network access device using the SREM

To add a network access device, use the following steps:

1 Select the Secure Access Domain > domain > Switches > Switches tab.

Nortel Secure Network Access Switch 4050 User Guide

92 Chapter 3 Managing the network access devices

The Switches screen appears (see “Switch Configuration screen” on

page 116).

2 Click Add.

The Add a Switch dialog box appears (see Figure 6).

Figure 6

Add a Switch

3 Enter the network access device information in the applicable fields. Tabl e 3

describes the Add a Switch fields.

Table 3

Field Description

Index Specifies an integer that uniquely identifies the network

Name Specifies a string that identifies the switch on the Nortel

Type Specifies the type of network access device. The options

IP Address Specifies the network access device IP address.

Red VLAN ID Specifies the VLAN ID of the Red VLAN configured on the

Add a Switch fields

access device in the Nortel SNAS 4050 domain.

SNAS 4050. The maximum length of the string is 255 characters. After

you have defined a name for the switch, you can use either the switch name or the switch ID to access the network access device.

are ERS8300 and ERS5500.

network access device

320818-A

Chapter 3 Managing the network access devices 93

4 Click Apply.

The network access device appears in the list of Switches.

5 Click Commit on the toolbar to save the changes permanently.

Deleting a network access device using the SREM

To remove an existing network access device from the domain configuration, you must first disable it (see “Managing network access devices using the SREM” on

page 91). Once the network access device is disabled, complete the following

steps:

1 Select the Secure Access Domain > domain > Switches > switch >

Configuration tab.

The network access device Configuration screen appears (see Figure 16 on

page 116).

2 Select the network access device from the Switches list.

3 Click Delete.

A dialog box appears to confirm that you want to delete this network access device.

4 Click Yes.

The network access device disappears from the Switches list.

5 Click Commit on the toolbar to save the changes permanently.

Configuring the network access devices using the SREM

When you first add a network access device to the Nortel SNAS 4050 domain, the switch is disabled by default. Do not enable the switch until you have completed configuring it. In particular, do not enable the switch until you have mapped the VLANs (see “Mapping the VLANs using the SREM” on page 96) and exchanged the necessary SSH keys (see “Managing SSH keys using the SREM” on

page 102).

Nortel Secure Network Access Switch 4050 User Guide

94 Chapter 3 Managing the network access devices

To reconfigure the VLAN mappings for an existing network access device, you must first disable it (see “Controlling communication with the network access

devices using the SREM” on page 115). Once the network access device is

disabled, complete the following steps:

1 Select the Secure Access Domain > domain > Switches > switch >

Configuration tab.

The Switch Configuration screen appears (see Figure 7).

Figure 7

Switch Configuration screen

320818-A

Chapter 3 Managing the network access devices 95

2 Enter the network access device information in the applicable fields. Tabl e 4

describes the Switch Configuration fields.

Table 4

Field Description

Index An integer that uniquely identifies the network access

Name Names or renames the switch. After you have defined a

IP Address Specifies the IP address of the switch.

NSNA Communication Port Specifies the TCP port for communication between the

Type Specifies the type of network access device. Valid options

Red VLAN ID Identifies the Red VLAN ID for the network access device,

Enable Switch Enables or disables the switch. As soon as you enable the

User Name on Switch The name of an administrative user (rwa) on the network

Reset Switch Ports Resets all the Nortel SNA-enabled ports on the switch.

Switch Configuration fields

device in the Nortel SNAS 4050 domain.

name for the switch, you can use either the switch name or the switch ID to access the network access device.

Accepts a string that must be unique in the domain. The maximum length of the string is 255 characters.

Nortel SNAS 4050 and the network access device. The default value is 5000

are:

• ERS8300 — an Ethernet Routing Switch 8300

• ERS5500 — an Ethernet Routing Switch 5510, 5520, or 5530

as configured on the switch

switch, the Nortel SNAS 4050 begins communicating with the switch and controlling its Nortel SNA clients.

access device (required for Ethernet Routing Switch 8300 only).

Clients connected to the ports are moved into the Red VLAN.

3 Click Apply on the toolbar to send the current changes to the Nortel

SNAS 4050. Click Commit on the toolbar to save the changes permanently.

Nortel Secure Network Access Switch 4050 User Guide

96 Chapter 3 Managing the network access devices

Mapping the VLANs using the SREM

The VLANs are configured on the network access devices. You specify the Red VLAN for each network access device when you add the switch (see “Ad ding a

network access device using the SREM” on page 91). After adding the switch,

you must identify the Yellow and Green VLANs to the Nortel SNAS 4050.

You can perform the VLAN mapping in two ways:

• for all switches in a domain (see “Mapping VLANs by domain” on page 97)

• switch by switch (see “Mapping VLANs by switch” on page 100)

Nortel recommends mapping the VLANs by domain. In this way, if you later add switches which use the same VLAN IDs, their VLAN mappings will automatically be picked up.

If you map the VLANs by domain, you can modify the mapping for a particular network access device at the switch level. Switch-level settings override domain settings.

320818-A

The Nortel SNAS 4050 maintains separate maps for the domain and the switch. If you add a domain-level VLAN, then you must use the domain-level command for all future management of that mapping. Similarly, if you add a switch-level VLAN, then you must use the switch-level command for all future management of that mapping.

Chapter 3 Managing the network access devices 97

Mapping VLANs by domain

To map VLANs in a domain, select the Secure Access Domain > domain > VLANs tab.

The domain VLANs screen appears (see Figure 8), listing all current VLANs applied to the domain.

Figure 8

Domain VLANs screen

This screen allows you to manage VLANs on the domain by adding or deleting entries to the VLAN Table. For detailed steps on adding or removing VLANs, see:

• “Adding VLANs to a domain” on page 98

• “Removing VLANs from a domain” on page 99

Nortel Secure Network Access Switch 4050 User Guide

98 Chapter 3 Managing the network access devices

Adding VLANs to a domain

To add VLANs to a domain, complete the following steps:

1 Select the Secure Access Domain > domain > VLANs tab.

The domain VLANs screen appears (see Figure 8 on page 97).

2 Click Add.

The Add a new VLAN dialog box appears (see Figure 6).

Figure 9

Add a new VLAN

3 Enter the VLAN information in the applicable fields. Table 5 describes the

Add a new VLAN fields.

Table 5

Field Description

Name The name of the VLAN, as configured on the domain.

ID The ID of the VLAN, as configured on the domain.

Add a new VLAN fields

4 Click Add.

The new VLAN appears in the VLAN Table.

5 Repeat this step for each Green and Yellow VLAN configured on the domain.

320818-A

6 Click Apply on the toolbar to send the current changes to the Nortel

SNAS 4050. Click Commit on the toolbar to save the changes permanently.

Chapter 3 Managing the network access devices 99

Removing VLANs from a domain

To remove existing VLANs from the domain, complete the following steps:

1 Select the Secure Access Domain > domain > VLANs tab.

The domain VLANs screen appears (see Figure 8).

2 Select a VLAN entry from the VLAN Table.

3 Click Delete.

A dialog box appears to confirm that you want to delete this VLAN.

4 Click Yes.

The VLAN disappears from the VLAN Table.

5 Click Apply on the toolbar to send the current changes to the Nortel

SNAS 4050. Click Commit on the toolbar to save the changes permanently.

Nortel Secure Network Access Switch 4050 User Guide

100 Chapter 3 Managing the network access devices

Mapping VLANs by switch

To map VLANs by switch, you must first disable the network access device (see

“Managing network access devices using the SREM” on page 91). Once the

network access device is disabled, select the Secure Access Domain > domain > Switches > switch > VLANs tab.

The switch VLANs screen appears (see Figure 10), listing all current VLANs applied to the switch.

Figure 10

Switch VLANs screen

320818-A

This screen allows you to manage VLANs on the switch by adding or deleting entries in the VLAN Table. For detailed steps on adding or removing switch VLANs, see:

• “Adding VLANs to a switch” on page 101

Nortel Networks 4050 User Manual

Specifications and Main Features

Frequently Asked Questions

User Manual

Nortel Secure Network Access Switch 4050 User Guide

Contents

Preface

Before you begin

Text conventions

Related information

Publications

Online

How to get help

The Nortel SNA solution

Elements of the NSNA solution

Supported users

Role of the Nortel SNAS 4050

Nortel SNAS 4050 clusters

One-armed and two-armed configurations

Nortel SNA configuration and management tools

Nortel SNAS 4050 configuration roadmap

Initial setup

Before you begin

About the IP addresses

Initial setup

Setting up a single Nortel SNAS 4050 device or the first in a cluster

Adding a Nortel SNAS 4050 device to a cluster

Next steps

Applying and saving the configuration

Applying and saving the configuration using the CLI

Applying and saving the configuration using the SREM

Before you begin

Managing network access devices using the CLI

Roadmap of domain commands

Adding a network access device using the CLI

Deleting a network access device using the CLI

Configuring the network access devices using the CLI

Mapping the VLANs using the CLI

Managing SSH keys using the CLI

Monitoring switch health using the CLI

Controlling communication with the network access devices using the CLI

Managing network access devices using the SREM

Adding a network access device using the SREM

Deleting a network access device using the SREM

Configuring the network access devices using the SREM

Mapping the VLANs using the SREM