Panasonic 5500 User Manual
Identity Engines Ignition Server
Ethernet Routing Switch
8600 8300 1600 5500 5600 4500 2500
Engineering
> Switch User Authentication using
Identity Engines Ignition Server
Technical Configuration Guide
Enterprise Networking Solutions
Document Date: October 2009
Document Number: NN48500-589
Document Version: 1.0
Nortel Switch User Authentication
Technical Configuration Guide v1.0 NN48500-589
Nortel is a recognized leader in delivering communications capabilities that enhance the human
experience, ignite and power global commerce, and secure and protect the world’s most critical
information. Serving both service provider and enterprise customers, Nortel delivers innovative
technology solutions encompassing end-to-end broadband, Voice over IP, multimedia services
and applications, and wireless broadband designed to help people solve the world’s greatest
challenges. Nortel does business in more than 150 countries. For more information, visit Nortel
on the Web at www.nortel.com
.
Copyright © 2009 Nortel Networks. All Rights Reserved.
While the information in this document is believed to be accurate and reliable, except as
otherwise expressly agreed to in writing NORTEL PROVIDES THIS DOCUMENT "AS IS"
WITHOUT WARRANTY OR CONDITION OF ANY KIND, EITHER EXPRESS OR IMPLIED. The
information and/or products described in this document are subject to change without
notice. Nortel Networks, the Nortel Networks logo and the Globemark are trademarks of
Nortel Networks.
______________________________ _______________________________ _______________________________ _______________________________
External Distribution
Nortel Confidential Information Copyright © 2009 Nortel Networks. All Rights Reserved.
1
Nortel Switch User Authentication
Technical Configuration Guide v1.0 NN48500-589
Abstract
Revision Control
No Date Version Revised by Remarks
1 10/09/2009 1.0 JVE Initial release
______________________________ _______________________________ _______________________________ _______________________________
External Distribution
Nortel Confidential Information Copyright © 2009 Nortel Networks. All Rights Reserved.
2
Nortel Switch User Authentication
Technical Configuration Guide v1.0 NN48500-589
TABLE OF CONTENTS
CONVENTIONS.......................................................................................................................................... 4
1. OVERVIEW: RADIUS USER AUTHENTICATION USING IDENTIFY ENGINES................. 5
1.1 RADIUS SUPPORT ON NORTEL SWITCHES.................................................................................... 5
1.2 USER AUTHENTICATION USING ERS1600, ERS8300, OR ERS8600............................................... 5
1.3 USER AUTHENTICATION USING ERS5600, ERS5500, ERS4500, OR ERS2500.............................. 6
2. ERS8600 SWITCH CONFIGURATION EXAMPLE...................................................................... 7
2.1 PART 1: BASIC AAA CONFIGUATION............................................................................................. 8
2.1.1 ERS8600 Configuration............................................................................................................ 8
2.1.1.1 Add out-of-band IP address.............................................................................................................8
2.1.1.2 Enable RADIUS.............................................................................................................................. 8
2.1.2 ERS 8600 Switch: Verify Operations........................................................................................ 9
2.1.2.1 Verify RADIUS Global Settings..................................................................................................... 9
2.1.3 IDE Setup................................................................................................................................ 10
2.1.3.1 Configure an Outbound Attribute on Ignition Server for VLAN.................................................. 10
2.1.3.2 Add Users...................................................................................................................................... 18
2.1.3.3 Add an Access Policy....................................................................................................................22
2.1.3.4 Add the Nortel ERS8600-1 switch as an RADIUS Authenticator.................................................41
2.1.4 Verification............................................................................................................................. 44
2.1.4.1 Verify User Authentication........................................................................................................... 44
2.1.4.2 Verify user authentication from ERS switch................................................................................. 45
2.2 PART 2: ERS8600 CONFIGURATION WITH SPECIFIC COMMANDS DISABLED................................ 48
2.2.1 ERS8600 Configuration.......................................................................................................... 48
2.2.2 IDE Setup................................................................................................................................ 49
2.2.2.1 Configure Outbound attributes to deny ERS8600 CLI commands................................................49
2.2.2.2 Modify the Authorization Policy for the ERS8600 read-write user.............................................. 57
2.2.3 Verification............................................................................................................................. 60
3. ERS5600 SWITCH CONFIGURATION EXAMPLE.................................................................... 61
3.1 ERS5600 CONFIGURATION.......................................................................................................... 62
3.1.1 Enable RADIUS...................................................................................................................... 62
3.2 IDE SETUP................................................................................................................................... 63
3.2.1 Configure an Outbound Attribute on Ignition Server for Service-Type.................................. 63
3.2.2 Add Users ............................................................................................................................... 69
3.2.3 Add Access Policy................................................................................................................... 72
3.2.4 Add the Nortel ERS5600-1 switch as an RADIUS Authenticator........................................... 87
3.3 VERIFICATION.............................................................................................................................. 90
3.3.1 Verify User Authentication ..................................................................................................... 90
3.3.2 Verify user authentication from ERS switch........................................................................... 91
4. SOFTWARE BASELINE................................................................................................................. 94
5. REFERENCE DOCUMENTATION............................................................................................... 94
______________________________ _______________________________ _______________________________ _______________________________
External Distribution
Nortel Confidential Information Copyright © 2009 Nortel Networks. All Rights Reserved.
3
Nortel Switch User Authentication
Technical Configuration Guide v1.0 NN48500-589
Conventions
This section describes the text, image, and command conventions used in this document.
Symbols:
&
L
1
Tip – Highlights a configuration or technical tip.
Note – Highlights important information to the reader.
Warning – Highlights important information about an action that may result in equipment
damage, configuration or data loss.
Text:
Bold text indicates emphasis.
Italic text in a Courier New font indicates text the user must enter or select in a menu item, button
or command:
ERS5520-48T# show running-config
Output examples from Nortel devices are displayed in a Lucinda Console font:
ERS5520-48T# show running-config
! Embedded ASCII Configuration Generator Script
! Model = Ethernet Routing Switch 5520-24T-PWR
! Software version = v5.0.0.011
enable
configure terminal
______________________________ _______________________________ _______________________________ _______________________________
External Distribution
Nortel Confidential Information Copyright © 2009 Nortel Networks. All Rights Reserved.
4
Nortel Switch User Authentication
Technical Configuration Guide v1.0 NN48500-589
1. Overview: RADIUS User Authentication using Identify Engines
This document provides the framework for implementing user Authentication, Authorization, and
Accounting for Nortel switches.
1.1 RADIUS Support on Nortel Switches
ERS 8600 Yes Yes Yes Yes Yes Yes Yes
ERS 8300 Yes Yes Yes Yes Yes Yes No
ERS 1600 Yes Yes Yes Yes Yes Yes No
ES 460/470 Yes Yes No No No No No
ERS 2500 Yes Yes No Yes No No No
ERS 4500 Yes Yes No Yes No No No
ERS 5500 Yes Yes No Yes No No No
ERS 5600 Yes Yes No Yes No No No
RADIUS
authentication
802.1x
(EAP)
RADIUS
authentication
RADIUS
accounting
802.1x
(EAP)
RADIUS
accounting
RADIUS
accounting for CLI
commands
RADIUS
user
access
profile
RADIUS
SNMP
accounting
1.2 User Authentication using ERS1600, ERS8300, or ERS8600
The ERS1600, ERS8300, and ERS8600 each support six different user access levels. The
access level is determined by the RADIUS attribute value sent back to the switch. The switch
uses RADIUS Vendor-Specific Attributes (IETF Attribute 26) to support its own extended
attributes. Vendor identifier 1584 (Bay Networks) attribute type 192 is used where the value is a
number from 0 to 6. The following chart displays the RADIUS attribute values and corresponding
access level.
Access Level VSA Attribute 26 – Vendor Identifier 1584
Type 192 value
None-Access 0
Read-Only-Access 1
Layer 1-Read-Write-Access 2
Layer 2-Read-Write-Access 3
Layer 3-Read-Write-Access 4
Read-Write-Access 5
Read-Write-All-Access 6
In addition, on the ERS8600 only, via vendor identifier 1584 attribute type 194, if is set to a value
of 0, you can enter a list of CLI commands not allowed for a user. The CLI command is entered
using the RADIUS string value configured via RADIUS vendor identifier 1584 attribute type 195.
______________________________ _______________________________ _______________________________ _______________________________
External Distribution
Nortel Confidential Information Copyright © 2009 Nortel Networks. All Rights Reserved.
5
Nortel Switch User Authentication
Technical Configuration Guide v1.0 NN48500-589
1.3 User Authentication using ERS5600, ERS5500, ERS4500, or ERS2500
The ERS5600, ERS5500, ERS4500, and ERS2500 each support two different user acce ss levels
which are read-only or read-write. RADIUS attribute type 6, Service-Type, is used to determine
the access level. The following displays the complete list of RADIUS attribute values for the
RADIUS Service-Type attribute where value 6 (Administrative) is used for read-write access and
value 7 (NAS Prompt) is used for read-only access
Sub-registry: Values for RADIUS Attribute 6, Service-Type
Reference: [RFC2865][RFC3575]
Registration Procedures: IETF Consensus
Registry:
Value Description Reference
----- ------------------------------- --------1 Login
2 Framed
3 Callback Login
4 Callback Framed
5 Outbound
6 Administrative
7 NAS Prompt
8 Authenticate Only
9 Callback NAS Prompt
10 Call Check
11 Callback Administrative
12 Voice [Chiba]
13 Fax [Chiba]
14 Modem Relay [Chiba]
15 IAPP-Register [IEEE 802.11f][Kerry]
16 IAPP-AP-Check [IEEE 802.11f][Kerry]
17 Authorize Only [RFC3576]
18 Framed-Management [RFC5607]
______________________________ _______________________________ _______________________________ _______________________________
External Distribution
Nortel Confidential Information Copyright © 2009 Nortel Networks. All Rights Reserved.
6
Nortel Switch User Authentication
Technical Configuration Guide v1.0 NN48500-589
2. ERS8600 Switch Configuration Example
For this configuration example, we will enable RADIUS user authentication on ERS8600-1 using
the out-of-band management port. We will configure the Identity Engines RADIUS server with the
following three users:
• User name with read-only access: 8600ro
• User name with read-write access: 8600rw
• User name with read-write-all access: 8600rwa
For this example, we will break down the configuration into two parts. In part one, we will simply
add AAA services for the three users shown above. Part two is a continuation of part one with the
addition of showing how to restrict certain CLI commands. In part two, we will pick the read-write
user and deny access to QoS and filter configuration for this user.
______________________________ _______________________________ _______________________________ _______________________________
External Distribution
Nortel Confidential Information Copyright © 2009 Nortel Networks. All Rights Reserved.
7
Nortel Switch User Authentication
Technical Configuration Guide v1.0 NN48500-589
2.1 Part 1: Basic AAA Configuation
2.1.1 ERS8600 Configuration
Assuming we are using the out-of-band management port.
2.1.1.1 Add out-of-band IP address
ERS8600-1 Step 1 – Add out-of-band IP address and route
ERS-8606:5# config bootconfig net mgmt ip 47.133.60.25/24
ERS-8606:5# config bootconfig net mgmt route add 47.0.0.0/8 47.133.60.1
2.1.1.2 Enable RADIUS
ERS8600-1 Step 1 – Add RADIUS server, enable RADIUS, and enable RADIUS accounting
ERS-8606:5# config radius server create 47.133.56.101 secret nortel priority 1
ERS-8606:5# config radius enable true
ERS-8606:5# config radius acct-enable true
ERS-8606:5# config radius acct-include-cli-commands true
L
When configuring the RADIUS server on the ERS8600, you can configure the switch
with a RADIUS source-IP address which in turn will be the IP address used for RADIUS
requests. The RADIUS source-IP address must be a circuit-less IP address (CLIP) or
otherwise known as a loopback address. If you do not enable a RADIUS source-IP
address, by default, the ERS8600 uses the IP address of the outgoing interface as the
source IP address for RADIUS. Unfortunately, although you can create and enable a
RADIUS source-IP when using the out-of-band management port, this feature is not
supported on the out-of-band management port. Hence, if you have two CP cards, you
will have to configure two RADIUS Authenticators on the RADIUS server.
______________________________ _______________________________ _______________________________ _______________________________
External Distribution
Nortel Confidential Information Copyright © 2009 Nortel Networks. All Rights Reserved.
8
Nortel Switch User Authentication
Technical Configuration Guide v1.0 NN48500-589
2.1.2 ERS 8600 Switch: Verify Operations
2.1.2.1 Verify RADIUS Global Settings Step 1 – Verify that RADIUS has been enabled globally
ERS-8606:5# show radius info
Result:
Sub-Context: clear config dump monitor mplsping mplstrace peer show
switchover test trace
Current Context:
acct-attribute-value : 193
acct-enable : true
acct-include-cli-commands : true
access-priority-attribute : 192
auth-info-attr-value : 91
command-access-attribute : 194
cli-commands-attribute : 195
cli-cmd-count : 40
cli-profile-enable : false
enable : true
igap-passwd-attr : standard
igap-timeout-log-fsize : 512
maxserver : 10
mcast-addr-attr-value : 90
sourceip-flag : false
Via 8600-1, verify the following information:
Option Verify
Acct-enable
Verify that the CLI accounting is set to true globally
acct-include-clicommands
enable Verify that enable is set to true globally telling us that RADIUS is
enabled
______________________________ _______________________________ _______________________________ _______________________________
External Distribution
Nortel Confidential Information Copyright © 2009 Nortel Networks. All Rights Reserved.
9
Nortel Switch User Authentication
Technical Configuration Guide v1.0 NN48500-589
2.1.3 IDE Setup
2.1.3.1 Configure an Outbound Attribute on Ignition Server for VLAN
The following chart displays the outbound attribute values required by the ERS8600 for each
access level for RADIUS vendor identifier 1584 (Bay Networks) attribute type 192. For this
example, we will configure IDE with attribute values of 1, 5, and 6.
Access Level Attribute Value User Name
None-Access 0
Read-Only-Access 1 8600ro
L1-Read-Write-Access 2
L2-Read-Write-Access 3
L3-Read-Write-Access 4
Read-Write-Access 5 8600rw
Read-Write-All-Access 6 8600rwa
IDE Step 1 – IDE already has the vendor specific attributes defined (Bay Networks vendor
code 1584 using attribute type 192) for the ERS8600 which can be viewed by going to Site
Configuration -> Provisioning -> Vendors/VSAs -> Bay-Networks -> VSA Definitions.
______________________________ _______________________________ _______________________________ _______________________________
External Distribution
Nortel Confidential Information Copyright © 2009 Nortel Networks. All Rights Reserved.
10
Nortel Switch User Authentication
Technical Configuration Guide v1.0 NN48500-589
IDE Step 2 – Go to Site Configuration -> Provisioning -> Outbound Attributes -> New
IDE Step 3 – Via the Outbound Attribute window, type in a name for the attribute to be used
for access priority (i.e. ERS8600-Access-Priority as used in this example), click the VSA
radio button, select Bay-Networks via Vendor and ERS8xxx-Access-Priority via VSA. Click
on OK when done
______________________________ _______________________________ _______________________________ _______________________________
External Distribution
Nortel Confidential Information Copyright © 2009 Nortel Networks. All Rights Reserved.
11
Nortel Switch User Authentication
Technical Configuration Guide v1.0 NN48500-589
IDE Step 4 – Go to Site Configuration -> Provisioning -> Outbound Values -> New
IDE Step 5 – Using the Outbound Attribute created in Step 3, we will first add an attribute
value of 1 for read-only-access. Start by entering a name via the Outbound Value Name:
window (i.e. 8600-ro as used in this example) and click on New
______________________________ _______________________________ _______________________________ _______________________________
External Distribution
Nortel Confidential Information Copyright © 2009 Nortel Networks. All Rights Reserved.
12
Nortel Switch User Authentication
Technical Configuration Guide v1.0 NN48500-589
IDE Step 6 – Select the Outbound Attributes name created in Step 3 (i.e. ERS8600-AccessPriority as used in this example) via the Choose Global Outbound Attribute: pull down
menu. In the Value Unsigned – 32 bit window, enter 1 (i.e. value of 1 signifies read-onlyaccess). Click on OK twice when done.
______________________________ _______________________________ _______________________________ _______________________________
External Distribution
Nortel Confidential Information Copyright © 2009 Nortel Networks. All Rights Reserved.
13
Nortel Switch User Authentication
Technical Configuration Guide v1.0 NN48500-589
IDE Step 7 – Go to Site Configuration -> Provisioning -> Outbound Values -> New again to
create the outbound attribute for read-write-access. Using the Outbound Attribute created
in Step 3, we will add an attribute value of 5 for read-write-access. Start by entering a name
via the Outbound Value Name: window (i.e. 8600-rw as used in this example) and click on
New
______________________________ _______________________________ _______________________________ _______________________________
External Distribution
Nortel Confidential Information Copyright © 2009 Nortel Networks. All Rights Reserved.
14
Nortel Switch User Authentication
Technical Configuration Guide v1.0 NN48500-589
IDE Step 8 –Select the Outbound Attributes name created in Step 3 (i.e. ERS8600-AccessPriority as used in this example) via the Choose Global Outbound Attribute: pull down
menu. In the Value Unsigned – 32 bit window, enter 5 (i.e. value of 5 signifies read-writeaccess). Click on OK twice when done.
______________________________ _______________________________ _______________________________ _______________________________
External Distribution
Nortel Confidential Information Copyright © 2009 Nortel Networks. All Rights Reserved.
15
Nortel Switch User Authentication
Technical Configuration Guide v1.0 NN48500-589
IDE Step 9 – Go to Site Configuration -> Provisioning -> Outbound Values -> New again to
create the outbound attribute for read-write-all-access. Using the Outbound Attribute
created in Step 3, we will add an attribute value of 6 for read-write-all-access. Start by
entering a name via the Outbound Value Name: window (i.e. 8600-rwa as used in this
example) and click on New
______________________________ _______________________________ _______________________________ _______________________________
External Distribution
Nortel Confidential Information Copyright © 2009 Nortel Networks. All Rights Reserved.
16
Nortel Switch User Authentication
Technical Configuration Guide v1.0 NN48500-589
IDE Step 10 –Select the Outbound Attributes name created in Step 3 (i.e. ERS8600-AccessPriority as used in this example) via the Choose Global Outbound Attribute: pull down
menu. In the Value Unsigned – 32 bit window, enter 6 (i.e. value of 6 signifies read-write-all-
access). Click on OK twice when done.
______________________________ _______________________________ _______________________________ _______________________________
External Distribution
Nortel Confidential Information Copyright © 2009 Nortel Networks. All Rights Reserved.
17
Nortel Switch User Authentication
Technical Configuration Guide v1.0 NN48500-589
2.1.3.2 Add Users
For this configuration example, we will add the following users.
User Name Access Level
8600ro Read-Only-Access
8600rw Read-Write-Access
8600rwa Read-Write-All-Access
IDE Step 1 – Start by going to Site Configuration -> Directories -> Internal Store -> Internal
Users and click on New
______________________________ _______________________________ _______________________________ _______________________________
External Distribution
Nortel Confidential Information Copyright © 2009 Nortel Networks. All Rights Reserved.
18
Nortel Switch User Authentication
Technical Configuration Guide v1.0 NN48500-589
IDE Step 2 – Enter the user name for read-only-access via User Name: (i.e. 8600ro as used
in this example) and enter the password for this user via Password and Confirm Password.
Click on OK when done. If you wish, you can also change the expiry date via Password
Expires if you do not wish to use the default setting of one year
______________________________ _______________________________ _______________________________ _______________________________
External Distribution
Nortel Confidential Information Copyright © 2009 Nortel Networks. All Rights Reserved.
19
Nortel Switch User Authentication
Technical Configuration Guide v1.0 NN48500-589
IDE Step 3 – Repeat step 2 again by clicking on New to add the read-write-access user.
Enter the user name for read-write-access via User Name: (i.e. 8600rw as used in this
example) and enter the password for this user via Password and Confirm Password. Click
on OK when done. If you wish, you can also change the expiry date via Password Expires
if you do not wish to use the default setting of one year
______________________________ _______________________________ _______________________________ _______________________________
External Distribution
Nortel Confidential Information Copyright © 2009 Nortel Networks. All Rights Reserved.
20
Nortel Switch User Authentication
Technical Configuration Guide v1.0 NN48500-589
IDE Step 4 – Repeat step 2 for the final time by clicking on New to add the read-write-allaccess user. Enter the user name for read-write-all-access via User Name: (i.e. 8600rwa as
used in this example) and enter the password for this user via Password and Confirm
Password. Click on OK when done. If you wish, you can also change the expiry date via
Password Expires if you do not wish to use the default setting of one year
______________________________ _______________________________ _______________________________ _______________________________
External Distribution
Nortel Confidential Information Copyright © 2009 Nortel Networks. All Rights Reserved.
21
Nortel Switch User Authentication
Technical Configuration Guide v1.0 NN48500-589
2.1.3.3 Add an Access Policy
IDE Step 1 – Go to Site Configuration -> Access Policies -> RADIUS. Right-click RADIUS
and select New Access Policy. Enter a policy name (i.e. ERS8600-Access as used in this
example) and click on OK when done
______________________________ _______________________________ _______________________________ _______________________________
External Distribution
Nortel Confidential Information Copyright © 2009 Nortel Networks. All Rights Reserved.
22
Nortel Switch User Authentication
Technical Configuration Guide v1.0 NN48500-589
IDE Step 2 – Click on the policy we just created, i.e. ERS8600-Access, and click on Edit via
the Authentication Policy tab
______________________________ _______________________________ _______________________________ _______________________________
External Distribution
Nortel Confidential Information Copyright © 2009 Nortel Networks. All Rights Reserved.
23
Nortel Switch User Authentication
Technical Configuration Guide v1.0 NN48500-589
IDE Step 3 – Under Edit Authentication Policy window, select NONE -> PAP
______________________________ _______________________________ _______________________________ _______________________________
External Distribution
Nortel Confidential Information Copyright © 2009 Nortel Networks. All Rights Reserved.
24
Nortel Switch User Authentication
Technical Configuration Guide v1.0 NN48500-589
IDE Step 4 – Go to the Identity Routing tab and click on Edit
______________________________ _______________________________ _______________________________ _______________________________
External Distribution
Nortel Confidential Information Copyright © 2009 Nortel Networks. All Rights Reserved.
25
Nortel Switch User Authentication
Technical Configuration Guide v1.0 NN48500-589
IDE Step 5 – Check off the Enable Default Directory Set and click on OK when done.
______________________________ _______________________________ _______________________________ _______________________________
External Distribution
Nortel Confidential Information Copyright © 2009 Nortel Networks. All Rights Reserved.
26
Nortel Switch User Authentication
Technical Configuration Guide v1.0 NN48500-589
IDE Step 6 – Go to the Authorization Policy tab and click on Edit
______________________________ _______________________________ _______________________________ _______________________________
External Distribution
Nortel Confidential Information Copyright © 2009 Nortel Networks. All Rights Reserved.
27
Nortel Switch User Authentication
Technical Configuration Guide v1.0 NN48500-589
IDE Step 7 – Once the Edit Authorization Policy window pops up, click on Add. First, we
will add a rule for read-only-access. When the New Rule window pops up, w e w ill na me t he
rule read-only-access as shown below
______________________________ _______________________________ _______________________________ _______________________________
External Distribution
Nortel Confidential Information Copyright © 2009 Nortel Networks. All Rights Reserved.
28
Loading...