Nortel Networks 4050 User Manual
Part No. 320818-A
December 2005
4655 Great America Parkway
Santa Clara, CA 95054
Nortel Secure Network Access Switch 4050 User Guide
Nortel Secure Network Access Switch
Software Release 1.0
*320818-A*
2
Copyright © Nortel Networks Limited 2005. All rights reserved.
The information in this document is subject to change without notice. The statements, configurations, technical data, and
recommendations in this document are believed to be accurate and reliable, but are presented without express or implied
warranty. Users must take full responsibility for their applications of any products specified in this document. The
information in this document is proprietary to Nortel Networks Inc.
The software described in this document is furnished under a license agreement and may be used only in accordance
with the terms of that license. The software license agreement is included in this document.
Trademarks
*Nortel, Nortel Networks, the Nortel logo, the Globemark, Passport, BayStack, and Contivity are trademarks of
Nortel Networks.
All other products or services may be trademarks or registered trademarks of their respective owners.
The asterisk after a name denotes a trademarked item.
Restricted rights legend
Use, duplication, or disclosure by the United States Government is subject to restrictions as set forth in subparagraph
(c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013.
Notwithstanding any other license agreement that may pertain to, or accompany the delivery of, this computer software,
the rights of the United States Government regarding its use, reproduction, and disclosure are as set forth in the
Commercial Computer Software-Restricted Rights clause at FAR 52.227-19.
Export
This product, software and related technology is subject to U.S. export control and may be subject to export or import
regulations in other countries. Purchaser must strictly comply with all such laws and regulations. A license to export or
reexport may be required by the U.S. Department of Commerce.
Statement of conditions
In the interest of improving internal design, operational function, and/or reliability, Nortel Networks Inc. reserves the
right to make changes to the products described in this document without notice.
Nortel Networks Inc. does not assume any liability that may occur due to the use or application of the product(s) or
circuit layout(s) described herein.
Portions of the code in this software product may be Copyright © 1988, Regents of the University of California. All
rights reserved. Redistribution and use in source and binary forms of such portions are permitted, provided that the
above copyright notice and this paragraph are duplicated in all such forms and that any documentation, advertising
materials, and other materials related to such distribution and use acknowledge that such portions of the software were
developed by the University of California, Berkeley. The name of the University may not be used to endorse or promote
products derived from such portions of the software without specific prior written permission.
SUCH PORTIONS OF THE SOFTWARE ARE PROVIDED “AS IS” AND WITHOUT ANY EXPRESS OR IMPLIED
WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTABILITY
AND FITNESS FOR A PARTICULAR PURPOSE.
320818-A
In addition, the program and information contained herein are licensed only pursuant to a license agreement that contains
restrictions on use and disclosure (that may incorporate by reference certain limitations and notices imposed by third
parties).
Licensing
This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit
(http://www.openssl.org/).
This product includes cryptographic software written by Eric Young (eay@cryptsoft.com).
This product includes software written by Tim Hudson (tjh@cryptsoft.com).
This product includes software developed by the Apache Software Foundation (http://www.apache.org/).
This product includes a TAP-Win32 driver derived from the CIPE-Win32 kernel driver, Copyright © Damion K. Wilson,
and is licensed under the GPL.
Portions of the TunnelGuard code include software licensed from The Legion of the Bouncy Castle.
See Appendix H, “Software licensing information,” on page 905 for more information.
Nortel Networks Inc. software license agreement
This Software License Agreement (“License Agreement”) is between you, the end-user (“Customer”) and Nortel
Networks Corporation and its subsidiaries and affiliates (“Nortel Networks”). PLEASE READ THE FOLLOWING
CAREFULLY. YOU MUST ACCEPT THESE LICENSE TERMS IN ORDER TO DOWNLOAD AND/OR USE THE
SOFTWARE. USE OF THE SOFTWARE CONSTITUTES YOUR ACCEPTANCE OF THIS LICENSE
AGREEMENT. If you do not accept these terms and conditions, return the Software, unused and in the original shipping
container, within 30 days of purchase to obtain a credit for the full purchase price.
“Software” is owned or licensed by Nortel Networks, its parent or one of its subsidiaries or affiliates, and is copyrighted
and licensed, not sold. Software consists of machine-readable instructions, its components, data, audio-visual content
(such as images, text, recordings or pictures) and related licensed materials including all whole or partial copies. Nortel
Networks grants you a license to use the Software only in the country where you acquired the Software. You obtain no
rights other than those granted to you under this License Agreement. You are responsible for the selection of the
Software and for the installation of, use of, and results obtained from the Software.
1. Licensed Use of Software. Nortel Networks grants Customer a nonexclusive license to use a copy of the Software
on only one machine at any one time or to the extent of the activation or authorized usage level, whichever is applicable.
To the extent Software is furnished for use with designated hardware or Customer furnished equipment (“CFE”),
Customer is granted a nonexclusive license to use Software only on such hardware or CFE, as applicable. Software
contains trade secrets and Customer agrees to treat Software as confidential information using the same care and
discretion Customer uses with its own similar information that it does not wish to disclose, publish or disseminate.
Customer will ensure that anyone who uses the Software does so only in compliance with the terms of this Agreement.
Customer shall not a) use, copy, modify, transfer or distribute the Software except as expressly authorized; b) reverse
assemble, reverse compile, reverse engineer or otherwise translate the Software; c) create derivative works or
modifications unless expressly authorized; or d) sublicense, rent or lease the Software. Licensors of intellectual property
to Nortel Networks are beneficiaries of this provision. Upon termination or breach of the license by Customer or in the
event designated hardware or CFE is no longer in use, Customer will promptly return the Software to Nortel Networks
or certify its destruction. Nortel Networks may audit by remote polling or other reasonable means to determine
Customer’s Software activation or usage levels. If suppliers of third party software included in Software require Nortel
Networks to include additional or different terms, Customer agrees to abide by such terms provided by Nortel Networks
with respect to such third party software.
2. Warranty. Except as may be otherwise expressly agreed to in writing between Nortel Networks and Customer,
Software is provided “AS IS” without any warranties (conditions) of any kind. NORTEL NETWORKS DISCLAIMS
ALL WARRANTIES (CONDITIONS) FOR THE SOFTWARE, EITHER EXPRESS OR IMPLIED, INCLUDING,
3
Nortel Secure Network Access Switch 4050 User Guide
4
BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
PARTICULAR PURPOSE AND ANY WARRANTY OF NON-INFRINGEMENT. Nortel Networks is not obligated to
provide support of any kind for the Software. Some jurisdictions do not allow exclusion of implied warranties, and, in
such event, the above exclusions may not apply.
3. Limitation of Remedies. IN NO EVENT SHALL NORTEL NETWORKS OR ITS AGENTS OR SUPPLIERS BE
LIABLE FOR ANY OF THE FOLLOWING: a) DAMAGES BASED ON ANY THIRD PARTY CLAIM; b) LOSS OF,
OR DAMAGE TO, CUSTOMER’S RECORDS, FILES OR DATA; OR c) DIRECT, INDIRECT, SPECIAL,
INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES (INCLUDING LOST PROFITS OR SAVINGS),
WHETHER IN CONTRACT, TORT OR OTHERWISE (INCLUDING NEGLIGENCE) ARISING OUT OF YOUR
USE OF THE SOFTWARE, EVEN IF NORTEL NETWORKS, ITS AGENTS OR SUPPLIERS HAVE BEEN
ADVISED OF THEIR POSSIBILITY. The foregoing limitations of remedies also apply to any developer and/or supplier
of the Software. Such developer and/or supplier is an intended beneficiary of this Section. Some jurisdictions do not
allow these limitations or exclusions and, in such event, they may not apply.
4. General
a. If Customer is the United States Government, the following paragraph shall apply: All Nortel Networks
Software available under this License Agreement is commercial computer software and commercial computer
software documentation and, in the event Software is licensed for or on behalf of the United States
Government, the respective rights to the software and software documentation are governed by Nortel
Networks standard commercial license in accordance with U.S. Federal Regulations at 48 C.F.R. Sections
12.212 (for non-DoD entities) and 48 C.F.R. 227.7202 (for DoD entities).
b. Customer may terminate the license at any time. Nortel Networks may terminate the license if Customer fails to
comply with the terms and conditions of this license. In either event, upon termination, Customer must either
return the Software to Nortel Networks or certify its destruction.
c. Customer is responsible for payment of any taxes, including personal property taxes, resulting from Customer’s
use of the Software. Customer agrees to comply with all applicable laws including all applicable export and
import laws and regulations.
d. Neither party may bring an action, regardless of form, more than two years after the cause of the action arose.
e. The terms and conditions of this License Agreement form the complete and exclusive agreement between
Customer and Nortel Networks.
f. This License Agreement is governed by the laws of the country in which Customer acquires the Software. If the
Software is acquired in the United States, then this License Agreement is governed by the laws of the state of
New York.
320818-A
Contents
Preface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
Before you begin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Text conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
Related information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
Publications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
Online . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
How to get help . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
Chapter 1: Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
The Nortel SNA solution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
Elements of the NSNA solution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
Supported users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
Role of the Nortel SNAS 4050 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Nortel SNAS 4050 clusters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
One-armed and two-armed configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
Nortel SNA configuration and management tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
Nortel SNAS 4050 configuration roadmap . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
5
Nortel SNAS 4050 functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
Nortel SNA VLANs and filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
Groups and profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
Authentication methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
TunnelGuard host integrity check . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Communication channels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
One-armed configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
Two-armed configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
Chapter 2: Initial setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
Before you begin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
About the IP addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
Nortel Secure Network Access Switch 4050 User Guide
6 Contents
Initial setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .52
Next steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
Applying and saving the configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
Chapter 3: Managing the network access devices . . . . . . . . . . . . . . . . . . . 71
Before you begin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
Managing network access devices using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
Managing network access devices using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . . 91
Management IP address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
Portal Virtual IP address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
Real IP address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
Setting up a single Nortel SNAS 4050 device or the first in a cluster . . . . . . . . . . 52
Settings created by the quick setup wizard . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
Adding a Nortel SNAS 4050 device to a cluster . . . . . . . . . . . . . . . . . . . . . . . . . . 61
Before you begin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
Joining a cluster . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
Applying and saving the configuration using the CLI . . . . . . . . . . . . . . . . . . . . . . . 68
Applying and saving the configuration using the SREM . . . . . . . . . . . . . . . . . . . . 68
Roadmap of domain commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
Adding a network access device using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
Using the quick switch setup wizard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
Manually adding a switch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
Deleting a network access device using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . 79
Configuring the network access devices using the CLI . . . . . . . . . . . . . . . . . . . . . 80
Mapping the VLANs using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
Managing SSH keys using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
Generating SSH keys for the domain using the CLI . . . . . . . . . . . . . . . . . . . . 85
Managing SSH keys for Nortel SNA communication using the CLI . . . . . . . . 88
Reimporting the network access device SSH key using the CLI . . . . . . . . . . 89
Monitoring switch health using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
Controlling communication with the network access devices using the CLI . . . . . 90
Adding a network access device using the SREM . . . . . . . . . . . . . . . . . . . . . . . . 91
Deleting a network access device using the SREM . . . . . . . . . . . . . . . . . . . . . . . 93
Configuring the network access devices using the SREM . . . . . . . . . . . . . . . . . . 93
Mapping the VLANs using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
320818-A
Contents 7
Mapping VLANs by domain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
Mapping VLANs by switch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100
Managing SSH keys using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102
Generating SSH keys for the domain using the SREM . . . . . . . . . . . . . . . . . 105
Exporting SSH keys for the domain using the SREM . . . . . . . . . . . . . . . . . . 106
Managing SSH keys for Nortel SNA communication using the SREM . . . . . 109
Reimporting the network access device SSH key using the SREM . . . . . . . 110
Monitoring switch health using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
Viewing a connected client list using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . 113
Controlling communication with the network access devices using the SREM . . 115
Chapter 4: Configuring the domain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
Configuring the domain using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118
Roadmap of domain commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119
Creating a domain using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121
Manually creating a domain using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . 121
Using the Nortel SNAS 4050 domain quick setup wizard in the CLI . . . . . . . 123
Deleting a domain using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129
Configuring domain parameters using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . 130
Configuring the TunnelGuard check using the CLI . . . . . . . . . . . . . . . . . . . . . . . 132
Using the quick TunnelGuard setup wizard in the CLI . . . . . . . . . . . . . . . . . 134
Configuring the SSL server using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
Tracing SSL traffic using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136
Configuring SSL settings using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139
Configuring traffic log settings using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . 142
Configuring HTTP redirect using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144
Configuring advanced settings using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . 145
Configuring RADIUS accounting using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . 146
Managing RADIUS accounting servers using the CLI . . . . . . . . . . . . . . . . . 147
Configuring Nortel SNAS 4050-specific attributes using the CLI . . . . . . . . . 149
Configuring the domain using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150
Creating a domain using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151
Manually creating a domain using the SREM . . . . . . . . . . . . . . . . . . . . . . . . 152
Using the SREM Domain Quick Wizard . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154
Deleting a domain using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163
Nortel Secure Network Access Switch 4050 User Guide
8 Contents
Chapter 5: Configuring groups and profiles . . . . . . . . . . . . . . . . . . . . . . . 191
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192
Before you begin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196
Configuring groups and extended profiles using the CLI . . . . . . . . . . . . . . . . . . . . . . 196
Configuring groups and extended profiles using the SREM . . . . . . . . . . . . . . . . . . . 208
Configuring domain parameters using the SREM . . . . . . . . . . . . . . . . . . . . . . . . 164
Additional domain configuration in the SREM . . . . . . . . . . . . . . . . . . . . . . . . 166
Configuring the TunnelGuard check using the SREM . . . . . . . . . . . . . . . . . . . . . 168
Using the TunnelGuard Quick Setup in the SREM . . . . . . . . . . . . . . . . . . . . 172
Configuring the SSL server using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . . . 174
Configuring SSL settings using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . . 176
Configuring traffic log settings using the SREM . . . . . . . . . . . . . . . . . . . . . . 178
Tracing SSL traffic using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181
Configuring HTTP redirect using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181
Configuring RADIUS accounting using the SREM . . . . . . . . . . . . . . . . . . . . . . . 183
Configuring Nortel SNAS 4050-specific attributes using the SREM . . . . . . . 184
Managing RADIUS accounting servers using the SREM . . . . . . . . . . . . . . . 186
Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192
Default group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193
Linksets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194
TunnelGuard SRS rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194
Extended profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195
Roadmap of group and profile commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197
Configuring groups using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198
Configuring client filters using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201
Configuring extended profiles using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203
Mapping linksets to a group or profile using the CLI . . . . . . . . . . . . . . . . . . . . . . 206
Creating a default group using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 208
Configuring groups using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 208
Using the guide for creating groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209
Adding a group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 210
Modifying a group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 212
Configuring client filters using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213
Adding a client filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214
320818-A
Contents 9
Modifying a client filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217
Configuring extended profiles using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . . 219
Adding an extended profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 220
Modifying an extended profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 222
Mapping linksets to a group or profile using the SREM . . . . . . . . . . . . . . . . . . . . 223
Mapping linksets to a group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 224
Mapping linksets to a profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 227
Creating a default group using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 230
Chapter 6: Configuring authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . 233
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 234
Before you begin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 235
Configuring authentication using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 236
Roadmap of authentication commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 237
Configuring authentication methods using the CLI . . . . . . . . . . . . . . . . . . . . . . . 239
Configuring advanced settings using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . 241
Configuring RADIUS authentication using the CLI . . . . . . . . . . . . . . . . . . . . . . . 242
Adding the RADIUS authentication method using the CLI . . . . . . . . . . . . . . 243
Modifying RADIUS configuration settings using the CLI . . . . . . . . . . . . . . . . 245
Managing RADIUS authentication servers using the CLI . . . . . . . . . . . . . . . 247
Configuring session timeout using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . 249
Configuring LDAP authentication using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . 249
Adding the LDAP authentication method using the CLI . . . . . . . . . . . . . . . . 250
Modifying LDAP configuration settings using the CLI . . . . . . . . . . . . . . . . . . 252
Managing LDAP authentication servers using the CLI . . . . . . . . . . . . . . . . . 256
Managing LDAP macros using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 258
Managing Active Directory passwords using the CLI . . . . . . . . . . . . . . . . . . 260
Configuring local database authentication using the CLI . . . . . . . . . . . . . . . . . . 261
Adding the local database authentication method using the CLI . . . . . . . . . 261
Managing the local database using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . 264
Specifying authentication fallback order using the CLI . . . . . . . . . . . . . . . . . . . . 267
Configuring authentication using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 269
Configuring authentication methods using the SREM . . . . . . . . . . . . . . . . . . . . . 270
Configuring RADIUS authentication using the SREM . . . . . . . . . . . . . . . . . . . . . 271
Adding the RADIUS method and server . . . . . . . . . . . . . . . . . . . . . . . . . . . . 272
Nortel Secure Network Access Switch 4050 User Guide
10 Contents
Modifying RADIUS configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 273
Managing additional RADIUS servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 279
Next steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 282
Configuring LDAP authentication using the SREM . . . . . . . . . . . . . . . . . . . . . . . 282
Adding the LDAP method and server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 283
Modifying LDAP configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 284
Managing additional LDAP servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 291
Managing LDAP macros . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 294
Next steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 298
Configuring local database authentication using the SREM . . . . . . . . . . . . . . . . 298
Adding the Local method . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 299
Populating the database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 301
Modifying Local database configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . 305
Exporting the database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 312
Next steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 313
Specifying authentication fallback order using the SREM . . . . . . . . . . . . . . . . . . 314
Saving authentication settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 316
320818-A
Chapter 7: TunnelGuard SRS Builder . . . . . . . . . . . . . . . . . . . . . . . . . . . . 317
Configuring SRS rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 318
The TunnelGuard user interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 318
Menu commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 319
File menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 319
Software Definition menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 319
Software Definition Entry menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 320
TunnelGuard Rule menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 321
Tool menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 321
SRS definition toolbar . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 322
Software Definition — Available SRS list . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 323
SRS Components table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 323
Customizing a component . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 324
Memory snapshot . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 325
TunnelGuard Rule Definition screen . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 325
SRS Rule toolbar . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 325
SRS Rule list . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 326
Contents 11
SRS Rule Expression Constructor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 326
Managing TunnelGuard rules and expressions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 327
Creating a software definition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 327
Adding entries to a software definition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 328
Selecting modules or files from running processes . . . . . . . . . . . . . . . . . . . . 328
Selecting file on disk . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 331
Creating logical expressions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 333
Registry-based rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 338
Registry-only SRS entry . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 338
Creating a registry entry . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 341
Registry-based File/Module . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 342
Manually creating SRS entries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 343
Manually creating an OnDisk file entry . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 343
Manually creating a Memory Module entry . . . . . . . . . . . . . . . . . . . . . . . . . . 345
File age check . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 347
Adding comments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 348
Adding a TunnelGuard rule comment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 348
Adding a software definition comment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 349
Deleting SRS rules and their components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 349
Deleting a software definition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 350
Deleting a software definition entry . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 350
Deleting a TunnelGuard rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 350
Deleting an expression . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 350
TunnelGuard support for API calls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 351
Making API calls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 351
Chapter 8: Managing system users and groups . . . . . . . . . . . . . . . . . . . . 353
User rights and group membership . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 354
Managing system users and groups using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . 355
Roadmap of system user management commands . . . . . . . . . . . . . . . . . . . . . . 355
Managing user accounts and passwords using the CLI . . . . . . . . . . . . . . . . . . . 356
Managing user settings using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 358
Managing user groups using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 359
CLI configuration examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 360
Adding a new user . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 360
Nortel Secure Network Access Switch 4050 User Guide
12 Contents
Managing system users and groups using the SREM . . . . . . . . . . . . . . . . . . . . . . . . 370
Chapter 9: Customizing the portal and user logon . . . . . . . . . . . . . . . . . 385
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 386
Customizing the portal and logon using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . 398
Changing a user’s group assignment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 365
Changing passwords . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 366
Deleting a user . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 369
Managing user accounts using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 370
Adding new user accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 372
Removing existing user accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 373
Setting password expiry using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 374
Changing your password using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 376
Changing another user’s password using the SREM . . . . . . . . . . . . . . . . . . . . . 377
Setting the certificate export passphrase using the SREM . . . . . . . . . . . . . . . . . 379
Managing user groups using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 381
Adding a user group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 382
Removing a user group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 383
Captive portal and Exclude List . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 386
Exclude List . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 387
Portal display . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 389
Portal look and feel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 389
Language localization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 392
Linksets and links . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 394
Macros . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 395
Automatic redirection to internal sites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 396
Examples of redirection URLs and links . . . . . . . . . . . . . . . . . . . . . . . . . . . . 396
Managing the end user experience . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 397
Automatic JRE upload . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 397
Windows domain logon script . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 398
Roadmap of portal and logon configuration commands . . . . . . . . . . . . . . . . . . . 398
Configuring the captive portal using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . 400
Configuring the Exclude List using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 401
Changing the portal language using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . 402
Configuring language support using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . 402
320818-A
Contents 13
Setting the portal display language using the CLI . . . . . . . . . . . . . . . . . . . . . 404
Configuring the portal display using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . 405
Changing the portal colors using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 408
Configuring custom content using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 409
Configuring linksets using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 411
Configuring links using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 413
Configuring external link settings using the CLI . . . . . . . . . . . . . . . . . . . . . . 415
Configuring FTP link settings using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . 415
Customizing the portal and logon using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . . 416
Configuring the captive portal using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . . 416
Enabling DNS capture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 416
Configuring the DNS Exclude List using the SREM . . . . . . . . . . . . . . . . . . . 418
Changing the portal language using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . 419
Configuring language support using the SREM . . . . . . . . . . . . . . . . . . . . . . 420
Importing and exporting language definitions . . . . . . . . . . . . . . . . . . . . . . . . 422
Setting the portal display language using the SREM . . . . . . . . . . . . . . . . . . 424
Configuring the portal display using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . . 425
Configuring content . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 426
Importing banners . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 429
Changing the portal colors using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . . . . 431
Configuring custom content using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . . . 433
Viewing basic information about custom content . . . . . . . . . . . . . . . . . . . . . 434
Importing custom content . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 436
Exporting custom content . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 438
Configuring linksets using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 439
Creating a linkset . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 440
Modifying a linkset . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 442
Configuring links using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 444
Creating an external link using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . . 445
Creating an FTP link using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 447
Modifying external link settings using the SREM . . . . . . . . . . . . . . . . . . . . . 450
Modifying FTP link settings using the SREM . . . . . . . . . . . . . . . . . . . . . . . . 452
Reordering links using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 453
Nortel Secure Network Access Switch 4050 User Guide
14 Contents
Chapter 10: Configuring system settings . . . . . . . . . . . . . . . . . . . . . . . . . 457
Configuring the cluster using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 459
Configuring the cluster using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 495
Roadmap of system commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 460
Configuring system settings using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 463
Configuring the Nortel SNAS 4050 host using the CLI . . . . . . . . . . . . . . . . . . . . 465
Viewing host information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 469
Configuring host interfaces using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 469
Configuring static routes using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 471
Configuring host ports using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 472
Managing interface ports using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 473
Configuring the Access List using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 474
Configuring date and time settings using the CLI . . . . . . . . . . . . . . . . . . . . . . . . 475
Managing NTP servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 476
Configuring DNS servers and settings using the CLI . . . . . . . . . . . . . . . . . . . . . 477
Managing DNS servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 479
Configuring RSA servers using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 480
Configuring syslog servers using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 481
Configuring administrative settings using the CLI . . . . . . . . . . . . . . . . . . . . . . . . 483
Enabling TunnelGuard SRS administration using the CLI . . . . . . . . . . . . . . . . . . 485
Configuring Nortel SNAS 4050 host SSH keys using the CLI . . . . . . . . . . . . . . . 485
Managing known hosts SSH keys using the CLI . . . . . . . . . . . . . . . . . . . . . . 487
Configuring RADIUS auditing using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . 488
About RADIUS auditing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 488
About the vendor-specific attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 488
Configuring RADIUS auditing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 489
Managing RADIUS audit servers using the CLI . . . . . . . . . . . . . . . . . . . . . . 490
Configuring authentication of system users using the CLI . . . . . . . . . . . . . . . . . 492
Managing RADIUS authentication servers using the CLI . . . . . . . . . . . . . . . 493
Configuring system settings using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . . . 496
Configuring a Nortel SNAS 4050 host using the SREM . . . . . . . . . . . . . . . . . . . 497
Viewing host information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 498
Viewing and configuring TCP/IP properties . . . . . . . . . . . . . . . . . . . . . . . . . 499
Viewing and installing host licenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 500
Configuring host interfaces using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . . . . 508
320818-A
Contents 15
Adding a host interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 509
Configuring an existing host interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 511
Removing a host interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 514
Configuring static routes using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 514
Viewing static routes for a cluster . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 515
Viewing static routes for a host . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 516
Viewing static routes for an interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 517
Managing static routes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 517
Configuring host ports using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 520
Managing interface ports using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 523
Adding interface ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 524
Removing interface ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 524
Configuring the access list using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . . . . 525
Adding an access list entry . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 526
Removing an Access List entry . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 527
Managing date and time settings using the SREM . . . . . . . . . . . . . . . . . . . . . . . 528
Configuring the date and time settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 529
Adding an NTP server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 530
Removing an NTP server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 531
Configuring DNS settings using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 532
Configuring servers using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 534
Managing syslog servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 534
Managing DNS servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 537
Managing RSA servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 540
Configuring administrative settings using the SREM . . . . . . . . . . . . . . . . . . . . . . 546
Configuring SRS control settings using the SREM . . . . . . . . . . . . . . . . . . . . . . . 547
Configuring Nortel SNAS 4050 host SSH keys using the SREM . . . . . . . . . . . . 548
Showing SSH keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 549
Managing Nortel SNAS 4050 and known host SSH keys . . . . . . . . . . . . . . . 551
Adding an SSH key for a known host using the SREM . . . . . . . . . . . . . . . . . . . . 553
Managing RADIUS audit settings using the SREM . . . . . . . . . . . . . . . . . . . . . . . 554
About RADIUS auditing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 554
About the vendor-specific attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 555
Configuring RADIUS auditing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 556
Configuring RADIUS audit settings using the SREM . . . . . . . . . . . . . . . . . . 557
Nortel Secure Network Access Switch 4050 User Guide
16 Contents
Chapter 11: Managing certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 569
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 570
Managing private keys and certificates using the CLI . . . . . . . . . . . . . . . . . . . . . . . . 575
Managing private keys and certificates using the SREM . . . . . . . . . . . . . . . . . . . . . . 597
Managing RADIUS audit servers using the SREM . . . . . . . . . . . . . . . . . . . . 559
Managing RADIUS authentication of system users using the SREM . . . . . . . . . 562
Configuring RADIUS authentication of system users using the SREM . . . . . 563
Managing RADIUS authentication servers using the SREM . . . . . . . . . . . . . 565
Key and certificate formats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 571
Creating certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 573
Installing certificates and keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 573
Saving or exporting certificates and keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 574
Updating certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 574
Roadmap of certificate management commands . . . . . . . . . . . . . . . . . . . . . . . . 576
Managing and viewing certificates and keys using the CLI . . . . . . . . . . . . . . . . . 577
Generating and submitting a CSR using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . 579
Adding a certificate to the Nortel SNAS 4050 using the CLI . . . . . . . . . . . . . . . . 584
Adding a private key to the Nortel SNAS 4050 using the CLI . . . . . . . . . . . . . . . 587
Importing certificates and keys into the Nortel SNAS 4050 using the CLI . . . . . 588
Displaying or saving a certificate and key using the CLI . . . . . . . . . . . . . . . . . . . 591
Exporting a certificate and key from the Nortel SNAS 4050 using the CLI . . . . . 594
Generating a test certificate using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 596
Viewing certificates using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 598
Creating a certificate using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 599
Generating and submitting a CSR using the SREM . . . . . . . . . . . . . . . . . . . . . . 601
Importing a certificate or key using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . . 603
Displaying or saving a certificate and key using the SREM . . . . . . . . . . . . . . . . . 605
Exporting a certificate and key from the Nortel SNAS 4050 using the SREM . . . 607
Viewing certificate information using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . 610
Viewing configuration details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 610
Viewing general information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 612
Viewing certificate subject settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 614
320818-A
Contents 17
Chapter 12: Configuring SNMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 617
Configuring SNMP using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 618
Roadmap of SNMP commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 619
Configuring SNMP settings using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 620
Configuring the SNMP v2 MIB using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . 621
Configuring the SNMP community using the CLI . . . . . . . . . . . . . . . . . . . . . . . . 622
Configuring SNMPv3 users using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 623
Configuring SNMP notification targets using the CLI . . . . . . . . . . . . . . . . . . . . . 626
Configuring SNMP events using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 627
Configuring SNMP settings using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 631
Configuring SNMP using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 632
Configuring SNMP targets using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . . . . 634
Adding SNMP targets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 635
Managing SNMP targets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 638
Removing SNMP targets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 639
Configuring SNMPv3 users using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . . . 640
Adding SNMPv3 users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 641
Managing SNMPv3 users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 644
Removing SNMPv3 users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 646
Configuring SNMP events using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . . . . 647
Managing monitor events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 647
Managing notification events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 655
Chapter 13: Viewing system information and performance statistics . . 659
Viewing system information and performance statistics using the CLI . . . . . . . . . . . 660
Roadmap of information and statistics commands . . . . . . . . . . . . . . . . . . . . . . . 660
Viewing system information using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 661
Viewing alarm events using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 666
Viewing log files using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 667
Viewing AAA statistics using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 667
Viewing all statistics using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 670
Viewing system information and performance statistics using the SREM . . . . . . . . . 670
Viewing local information using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 670
Viewing cluster information using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . . . . 672
Viewing the controller list using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . . 673
Nortel Secure Network Access Switch 4050 User Guide
18 Contents
Viewing SONMP topology information using the SREM . . . . . . . . . . . . . . . . 675
Viewing switch distribution using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . 677
Viewing port information using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . . . 678
Viewing license information using the SREM . . . . . . . . . . . . . . . . . . . . . . . . 680
Viewing session details using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . . . 684
Viewing alarms using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 691
Managing log files using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 695
Viewing AAA statistics using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 698
Viewing AAA statistics for a host . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 699
Viewing License statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 701
Viewing RADIUS statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 702
Viewing Local database statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 704
Viewing LDAP statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 705
Viewing AAA statistics for the domain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 707
Viewing License statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 709
Viewing RADIUS statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 711
Viewing Local database statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 713
Viewing LDAP statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 715
Viewing Ethernet statistics using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . . . . 716
Viewing Rx statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 718
Viewing Tx statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 720
320818-A
Chapter 14: Maintaining and managing the system . . . . . . . . . . . . . . . . . 723
Managing and maintaining the system using the CLI . . . . . . . . . . . . . . . . . . . . . . . . 724
Roadmap of maintenance and boot commands . . . . . . . . . . . . . . . . . . . . . . . . . 725
Performing maintenance using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 726
Backing up or restoring the configuration using the CLI . . . . . . . . . . . . . . . . . . . 730
Managing Nortel SNAS 4050 devices using the CLI . . . . . . . . . . . . . . . . . . . . . . 733
Managing software for a Nortel SNAS 4050 device using the CLI . . . . . . . . . . . 734
Managing and maintaining the system using the SREM . . . . . . . . . . . . . . . . . . . . . . 736
Performing maintenance using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 736
Dumping logs and status information using the SREM . . . . . . . . . . . . . . . . . 737
Starting and stopping a trace using the SREM . . . . . . . . . . . . . . . . . . . . . . . 738
Checking configuration using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . . . . 741
Backing up or restoring the configuration using the SREM . . . . . . . . . . . . . . . . . 742
Contents 19
Managing Nortel SNAS 4050 devices and software using the SREM . . . . . . . . . 743
Managing software versions using the SREM . . . . . . . . . . . . . . . . . . . . . . . . 744
Downloading images using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 748
Rebooting or deleting a Nortel SNAS 4050 device using the SREM . . . . . . 750
Downloading files using the SREM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 752
Running Nortel SNAS 4050 diagnostics using the SREM . . . . . . . . . . . . . . . . . . 754
Chapter 15: Upgrading or reinstalling the software . . . . . . . . . . . . . . . . . 757
Upgrading the Nortel SNAS 4050 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 757
Performing minor and major release upgrades . . . . . . . . . . . . . . . . . . . . . . . . . . 758
Downloading the software image using the CLI . . . . . . . . . . . . . . . . . . . . . . 759
Activating the software upgrade package . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 760
Reinstalling the software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 763
Before you begin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 763
Reinstalling the software from an external file server . . . . . . . . . . . . . . . . . . . . . 765
Reinstalling the software from a CD . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 767
Chapter 16: The Command Line Interface. . . . . . . . . . . . . . . . . . . . . . . . . 769
Connecting to the Nortel SNAS 4050 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 770
Establishing a console connection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 770
Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 771
Procedure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 771
Establishing a Telnet connection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 772
Enabling and restricting Telnet access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 772
Running Telnet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 773
Establishing a connection using SSH . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 773
Enabling and restricting SSH access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 773
Running an SSH client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 774
Accessing the Nortel SNAS 4050 cluster . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 775
CLI Main Menu or Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 777
Command line history and editing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 777
Idle timeout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 777
Chapter 17: Configuration example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 779
Scenario . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 779
Steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .782
Nortel Secure Network Access Switch 4050 User Guide
20 Contents
Configure the network DNS server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 782
Configure the network DHCP server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 783
Configure the network core router . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 789
Configure the Ethernet Routing Switch 8300 using the CLI . . . . . . . . . . . . . . . . 790
Steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 790
Enabling SSH . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 791
Configuring the Nortel SNAS 4050 pVIP subnet . . . . . . . . . . . . . . . . . . . . . . 791
Creating port-based VLANs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 791
Configuring the VoIP VLANs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 791
Configuring the Red, Yellow, and Green VLANs . . . . . . . . . . . . . . . . . . . . . . 791
Configuring the NSNA uplink filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 792
Configuring the NSNA ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 792
Enabling NSNA globally . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 792
Configure the Ethernet Routing Switch 5510 . . . . . . . . . . . . . . . . . . . . . . . . . . . 793
Steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 793
Setting the switch IP address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 793
Configuring SSH . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 794
Configuring the Nortel SNAS 4050 pVIP subnet . . . . . . . . . . . . . . . . . . . . . . 794
Creating port-based VLANs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 794
Configuring the VoIP VLANs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 794
Configuring the Red, Yellow, and Green VLANs . . . . . . . . . . . . . . . . . . . . . . 794
Configuring the login domain controller filters . . . . . . . . . . . . . . . . . . . . . . . . 795
Configuring the NSNA ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 795
Enabling NSNA globally . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 795
Configure the Nortel SNAS 4050 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 795
Performing initial setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 796
Completing initial setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 797
Adding the network access devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 798
Mapping the VLANs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 800
Enabling the network access devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 801
320818-A
Appendix A: CLI reference . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 803
Using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 804
Global commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 804
Command line history and editing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 806
Contents 21
CLI shortcuts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 807
Command stacking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 807
Command abbreviation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 808
Tab completion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 808
Using a submenu name as a command argument . . . . . . . . . . . . . . . . . . . . 809
Using slashes and spaces in commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 810
IP address and network mask formats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 810
IP addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 810
Network masks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 810
Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 811
CLI Main Menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 812
CLI command reference . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 812
Information menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 814
Statistics menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 815
Configuration menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 816
Boot menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 835
Maintenance menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 836
Chapter 18: Troubleshooting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 837
Troubleshooting tips . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 837
Cannot connect to the Nortel SNAS 4050 using Telnet or SSH . . . . . . . . . . . . . 838
Verify the current configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 838
Enable Telnet or SSH access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 838
Check the Access List . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 838
Check the IP address configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 839
Cannot add the Nortel SNAS 4050 to a cluster . . . . . . . . . . . . . . . . . . . . . . . . . . 841
Cannot contact the MIP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 841
Check the Access List . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 842
Add Interface 1 IP addresses and the MIP to the Access List . . . . . . . . . . . 842
The Nortel SNAS 4050 stops responding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 843
Telnet or SSH connection to the MIP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 843
Console connection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 843
A user password is lost . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 844
Administrator user password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 844
Operator user password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 844
Nortel Secure Network Access Switch 4050 User Guide
22 Contents
Trace tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 845
System diagnostics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 847
Appendix B: Syslog messages. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 851
Syslog messages by message type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 851
Syslog messages in alphabetical order . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 865
Root user password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 844
Boot user password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 845
A user fails to connect to the Nortel SNAS 4050 domain . . . . . . . . . . . . . . . . . . 845
Installed certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 847
Network diagnostics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 847
Active alarms and the events log file . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 849
Error log files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 849
Operating system (OS) messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 852
System Control Process messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 853
About alarm messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 854
About event messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 856
Traffic Processing Subsystem messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 857
Start-up messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 860
AAA subsystem messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 861
NSNAS subsystem messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 863
320818-A
Appendix C: Supported MIBs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 875
Supported MIBs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 875
Supported traps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 879
Appendix D: Supported ciphers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 881
Appendix E: Adding User Preferences attribute to Active Directory . . . 883
Install All Administrative Tools
(Windows 2000 Server) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 883
Register the Schema Management dll (Windows Server 2003) . . . . . . . . . . . . . 883
Add the Active Directory Schema Snap-in
(Windows 2000 Server and Windows Server 2003) . . . . . . . . . . . . . . . . . . . . . 884
Create a shortcut to the console window . . . . . . . . . . . . . . . . . . . . . . . . . . . 886
Permit write operations to the schema (Windows 2000 Server) . . . . . . . . . . . . . 886
Contents 23
Create a new attribute
(Windows 2000 Server and Windows Server 2003) . . . . . . . . . . . . . . . . . . . . . 887
Create the new class . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 888
Add isdUserPrefs attribute to nortelSSLOffload class . . . . . . . . . . . . . . . . . 888
Add the nortelSSLOffload Class to the User Class . . . . . . . . . . . . . . . . . . . . 889
Appendix F: Configuring DHCP to auto-configure IP Phones. . . . . . . . . 891
Configuring IP Phone auto-configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 892
Creating the DHCP options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 892
Configuring the Call Server Information and VLAN Information options . . . . . . . 896
Setting up the IP Phone . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 899
Appendix G: Using a Windows domain logon script to launch the Nortel
SNAS 4050 portal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 901
Configuring the logon script . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 901
Creating a logon script . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 902
Creating the script as a batch file . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 902
Creating the script as a VBScript file . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 903
Assigning the logon script . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 903
Appendix H: Software licensing information . . . . . . . . . . . . . . . . . . . . . . 905
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 911
Nortel Secure Network Access Switch 4050 User Guide
24 Contents
320818-A
Preface
25
Nortel* Secure Network Access (Nortel SNA) is a clientless solution that provides
seamless, secure access to the corporate network from inside or outside that
network. The Nortel SNA solution combines multiple hardware devices and
software components to support the following features:
• partitions the network resources into access zones (authentication,
remediation, and full access)
• provides continual device integrity checking using TunnelGuard
• supports both dynamic and static IP clients
The Nortel Secure Network Access Switch 4050 (Nortel SNAS 4050) controls
operation of the Nortel SNA solution.
This user guide covers the process of implementing the Nortel SNA solution using
the Nortel SNAS 4050 for Nortel Secure Network Access Switch
Software Release 1.0. The document includes the following information:
• overview of the role of the Nortel SNAS 4050 in the Nortel SNA solution
• initial setup
• configuring authentication, authorization, and accounting (AAA) features
• managing system users
• customizing the portal
• upgrading the software
• logging and monitoring
• troubleshooting installation and operation
Nortel Secure Network Access Switch 4050 User Guide
26 Preface
The document provides instructions for initializing and customizing the features
using the Command Line Interface (CLI). To learn the basic structure and
operation of the Nortel SNAS 4050 CLI, refer to “CLI reference” on page 803.
This reference guide provides links to where the function and syntax of each CLI
command are described in the document. For information on accessing the CLI,
see “The Command Line Interface” on page 769.
Security & Routing Element Manager (SREM) is a graphical user interface (GUI)
that runs in an online, interactive mode. SREM allows the management of
multiple devices (for example, the Nortel SNAS 4050) from one application. To
use SREM, you must have network connectivity to a management station running
SREM in one of the supported environments. For instructions on installing and
starting SREM, refer to Installing and Using the Security & Routing Element
Manager (320199-A).
Before you begin
This guide is intended for network administrators who have the following
background:
• basic knowledge of networks, Ethernet bridging, and IP routing
• familiarity with networking concepts and terminology
• experience with windowing systems or GUIs
• basic knowledge of network topologies
Before using this guide, you must complete the following procedures. For a new
switch:
1 Install the switch.
For installation instructions, see Nortel Secure Network Access Switch 4050
Installation Guide (320846-A).
2 Connect the switch to the network.
For more information, see “The Command Line Interface” on page 769.
Ensure that you are running the latest version of Nortel SNAS 4050 software. For
information about upgrading the Nortel SNAS 4050, see “Upgrading or
reinstalling the software” on page 757.
320818-A
Text conventions
This guide uses the following text conventions:
angle brackets (< >) Enter text based on the description inside the brackets.
bold text Objects such as window names, dialog box names, and
bold Courier text Command names, options, and text that you must enter.
braces ({}) Required elements in syntax descriptions where there is
Preface 27
Do not type the brackets when entering the command.
Example: If the command syntax is
ping <ip_address>, you enter
ping 192.32.10.12
icons, as well as user interface objects such as buttons,
tabs, and menu items.
Example: Use the
Example: Enter
dinfo command.
show ip {alerts|routes}.
more than one option. You must choose only one of the
options. Do not type the braces when entering the
command.
Example: If the command syntax is
show ip {alerts|routes}, you must enter either
show ip alerts or show ip routes, but not both.
brackets ([ ]) Optional elements in syntax descriptions. Do not type
the brackets when entering the command.
Example: If the command syntax is
show ip interfaces [-alerts], you can enter
show ip interfaces or
either
show ip interfaces -alerts.
ellipsis points (. . . ) Repeat the last element of the command as needed.
Example: If the command syntax is
ethernet/2/1 [<parameter> <value>]... ,
you enter
ethernet/2/1 and as many
parameter-value pairs as needed.
Nortel Secure Network Access Switch 4050 User Guide
28 Preface
italic text Variables in command syntax descriptions. Also
indicates new terms and book titles. Where a variable is
two or more words, the words are connected by an
underscore.
Example: If the command syntax is
show at <valid_route>,
valid_route is one variable and you substitute one
value for it.
plain Courier
text
separator ( > ) Menu paths.
vertical line (
| ) Options for command keywords and arguments. Enter
Related information
This section lists information sources that relate to this document.
Publications
Command syntax and system output, for example,
prompts and system messages.
Example:
Example: Protocols > IP identifies the IP command on
the Protocols menu.
only one of the options. Do not type the vertical line
when entering the command.
Example: If the command syntax is
show ip {alerts|routes}, you enter either
show ip alerts or show ip routes, but not
both.
Set Trap Monitor Filters
320818-A
Refer to the following publications for information on the Nortel SNA solution:
• Nortel Secure Network Access Solution Guide (320817-A)
• Nortel Secure Network Access Switch 4050 Installation Guide (320846-A)
• Nortel Secure Network Access Switch 4050 User Guide (320818-A)
• Installing and Using the Security & Routing Element Manager
(SREM) (320199-B)
Online
Preface 29
• Release Notes for Nortel Ethernet Routing Switch 5500 Series, Software
Release 4.3 (217468-B)
• Release Notes for the Ethernet Routing Switch 8300, Software Release
2.2.8 (316811-E)
• Release Notes for the Nortel Secure Network Access Solution,
Software Release 1.0 (320850-A)
• Release Notes for Enterprise Switch Manager (ESM), Software Release
5.1 (209960-H)
• Using Enterprise Switch Manager Release 5.1 (208963-F)
To access Nortel technical documentation online, go to the Nortel web site:
www.nortel.com/support
You can download current versions of technical documentation. To locate
documents, browse by category or search using the product name or number.
You can print the technical manuals and release notes free, directly from the
Internet. Use Adobe* Reader* to open the manuals and release notes, search for
the sections you need, and print them on most standard printers. Go to the Adobe
Systems site at www.adobe.com to download a free copy of Adobe Reader.
How to get help
If you purchased a service contract for your Nortel product from a distributor or
authorized reseller, contact the technical support staff for that distributor or
reseller for assistance.
If you purchased a Nortel service program, use the www.nortel.com/help web
page to locate information to contact Nortel for assistance:
• To obtain Nortel Technical Support contact information, click the
CONTACT US link on the left side of the page.
Nortel Secure Network Access Switch 4050 User Guide
30 Preface
• To call a Nortel Technical Solutions Center for assistance, click the CALL
US link on the left side of the page to find the telephone number for your
region.
An Express Routing Code (ERC) is available for many Nortel products and
services. When you use an ERC, your call is routed to a technical support person
who specializes in supporting that product or service. To locate the ERC for your
product or service, go to the www.nortel.com/help web page and follow these
links:
1 Click CONTACT US on the left side of the HELP web page.
2 Click Technical Support on the CONTACT US web page.
3 Click Express Routing Codes on the TECHNICAL SUPPORT web page.
320818-A
Loading...