Panasonic NN46110-600 User Manual

Version 7.00
Part No. NN46110-600 315897-F Rev 02 January 2008 Document status: Standard
600 Technology Park Drive Billerica, MA 01821-4130
Nortel VPN Router Security — Servers, Authentication, and Certificates
Copyright © 2008 Nortel Networks. All rights reserved.
The information in this document is subject to change without notice. The statements, configurations, technical data, and recommendations in this document are believed to be accurate and reliable, but are presented without express or implied warranty. Users must take full responsibility for their applications of any products specified in this document. The information in this document is proprietary to Nortel Networks.
The software described in this document is furnished under a license agreement and may be used only in accordance with the terms of that license. The software license agreement is included in this document.
Trademarks
Nortel Networks, the Nortel Networks logo, and Nortel VPN Router are trademarks of Nortel Networks. Adobe and Acrobat Reader are trademarks of Adobe Systems Incorporated. Java is a trademark of Sun Microsystems. Microsoft, Windows, Windows NT, and MS-DOS are trademarks of Microsoft Corporation. NETVIEW is a trademark of International Business Machines Corp (IBM). OPENView is a trademark of Hewlett-Packard Company. SPECTRUM is a trademark of Cabletron Systems, Inc. All other trademarks and registered trademarks are the property of their respective owners.
Restricted rights legend
Use, duplication, or disclosure by the United States Government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013.
Notwithstanding any other license agreement that may pertain to, or accompany the delivery of, this computer software, the rights of the United States Government regarding its use, reproduction, and disclosure are as set forth in the Commercial Computer Software-Restricted Rights clause at FAR 52.227-19.
Statement of conditions
In the interest of improving internal design, operational function, and/or reliability, Nortel Networks Inc. reserves the right to make changes to the products described in this document without notice.
Nortel Networks Inc. does not assume any liability that may occur due to the use or application of the product(s) or circuit layout(s) described herein.
Portions of the code in this software product may be Copyright © 1988, Regents of the University of California. All rights reserved. Redistribution and use in source and binary forms of such portions are permitted, provided that the above copyright notice and this paragraph are duplicated in all such forms and that any documentation, advertising materials, and other materials related to such distribution and use acknowledge that such portions of the software were developed by the University of California, Berkeley. The name of the University may not be used to endorse or promote products derived from such portions of the software without specific prior written permission.
SUCH PORTIONS OF THE SOFTWARE ARE PROVIDED “AS IS” AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
In addition, the program and information contained herein are licensed only pursuant to a license agreement that contains restrictions on use and disclosure (that may incorporate by reference certain limitations and notices imposed by third parties).
NN46110-600
Nortel Networks Inc. software license agreement
This Software License Agreement (“License Agreement”) is between you, the end-user (“Customer”) and Nortel Networks Corporation and its subsidiaries and affiliates (“Nortel Networks”). PLEASE READ THE FOLLOWING CAREFULLY. YOU MUST ACCEPT THESE LICENSE TERMS IN ORDER TO DOWNLOAD AND/OR USE THE SOFTWARE. USE OF THE SOFTWARE CONSTITUTES YOUR ACCEPTANCE OF THIS LICENSE AGREEMENT. If you do not accept these terms and conditions, return the Software, unused and in the original shipping container, within 30 days of purchase to obtain a credit for the full purchase price.
“Software” is owned or licensed by Nortel Networks, its parent or one of its subsidiaries or affiliates, and is copyrighted and licensed, not sold. Software consists of machine-readable instructions, its components, data, audio-visual content (such as images, text, recordings or pictures) and related licensed materials including all whole or partial copies. Nortel Networks grants you a license to use the Software only in the country where you acquired the Software. You obtain no rights other than those granted to you under this License Agreement. You are responsible for the selection of the Software and for the installation of, use of, and results obtained from the Software.
1. Licensed Use of Software. Nortel Networks grants Customer a nonexclusive license to use a copy of the Software on only one machine at any one time or to the extent of the activation or authorized usage level, whichever is applicable. To the extent Software is furnished for use with designated hardware or Customer furnished equipment (“CFE”), Customer is granted a nonexclusive license to use Software only on such hardware or CFE, as applicable. Software contains trade secrets and Customer agrees to treat Software as confidential information using the same care and discretion Customer uses with its own similar information that it does not wish to disclose, publish or disseminate. Customer will ensure that anyone who uses the Software does so only in compliance with the terms of this Agreement. Customer shall not a) use, copy, modify, transfer or distribute the Software except as expressly authorized; b) reverse assemble, reverse compile, reverse engineer or otherwise translate the Software; c) create derivative works or modifications unless expressly authorized; or d) sublicense, rent or lease the Software. Licensors of intellectual property to Nortel Networks are beneficiaries of this provision. Upon termination or breach of the license by Customer or in the event designated hardware or CFE is no longer in use, Customer will promptly return the Software to Nortel Networks or certify its destruction. Nortel Networks may audit by remote polling or other reasonable means to determine Customer’s Software activation or usage levels. If suppliers of third party software included in Software require Nortel Networks to include additional or different terms, Customer agrees to abide by such terms provided by Nortel Networks with respect to such third party software.
2. Warranty. Except as may be otherwise expressly agreed to in writing between Nortel Networks and Customer, Software is provided “AS IS” without any warranties (conditions) of any kind. NORTEL NETWORKS DISCLAIMS ALL WARRANTIES (CONDITIONS) FOR THE SOFTWARE, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE AND ANY WARRANTY OF NON-INFRINGEMENT. Nortel Networks is not obligated to provide support of any kind for the Software. Some jurisdictions do not allow exclusion of implied warranties, and, in such event, the above exclusions may not apply.
3. Limitation of Remedies. IN NO EVENT SHALL NORTEL NETWORKS OR ITS AGENTS OR SUPPLIERS BE LIABLE FOR ANY OF THE FOLLOWING: a) DAMAGES BASED ON ANY THIRD PARTY CLAIM; b) LOSS OF, OR DAMAGE TO, CUSTOMER’S RECORDS, FILES OR DATA; OR c) DIRECT, INDIRECT, SPECIAL, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES (INCLUDING LOST PROFITS OR SAVINGS), WHETHER IN CONTRACT, TORT OR OTHERWISE (INCLUDING NEGLIGENCE) ARISING OUT OF YOUR USE OF THE SOFTWARE, EVEN IF NORTEL NETWORKS, ITS AGENTS OR SUPPLIERS HAVE BEEN ADVISED OF THEIR POSSIBILITY. The forgoing limitations of remedies also apply to any developer and/or supplier of the Software. Such developer and/or supplier is an intended beneficiary of this Section. Some jurisdictions do not allow these limitations or exclusions and, in such event, they may not apply.
4. General
a. If Customer is the United States Government, the following paragraph shall apply: All Nortel Networks Software available under this License Agreement is commercial computer software and commercial computer software documentation and, in the event Software is licensed for or on behalf of the United States Government, the respective rights to the software and software documentation are governed by Nortel Networks standard commercial license in accordance with U.S. Federal Regulations at 48 C.F.R. Sections 12.212 (for non-DoD entities) and 48 C.F.R. 227.7202 (for DoD entities).
b. Customer may terminate the license at any time. Nortel Networks may terminate the license if Customer fails to comply with the terms and conditions of this license. In either event, upon termination, Customer must either return the Software to Nortel Networks or certify its destruction.
c. Customer is responsible for payment of any taxes, including personal property taxes, resulting from Customer’s use of the Software. Customer agrees to comply with all applicable laws including all applicable export and import laws and regulations.
d. Neither party may bring an action, regardless of form, more than two years after the cause of the action arose.
e. The terms and conditions of this License Agreement form the complete and exclusive agreement between Customer and Nortel Networks.
f. This License Agreement is governed by the laws of the country in which Customer acquires the Software. If the Software is acquired in the United States, then this License Agreement is governed by the laws of the state of New York.

Contents

Preface . . . . . 3
    Before you begin . . . . . 3
    Text conventions . . . . . 3
    Acronyms . . . . . 5
    Related publications . . . . . 6
    Hard-copy technical manuals . . . . . 7
    How to get help . . . . . 7
        Finding the latest updates on the Nortel Web site . . . . . 7
        Getting help from the Nortel Web site . . . . . 8
        Getting help over the phone from a Nortel Solutions Center . . . . . 8
        Getting help from a specialist by using an Express Routing Code . . . . . 9
        Getting help through a Nortel distributor or reseller . . . . . 9
New in this release . . . . . 11
    Features . . . . . 11
        LDAP proxy password management support for Active Directory . . . . . 11
        LDAP 3DES password encryption . . . . . 12
        LDAP user configurable encryption key . . . . . 12
        LDAP optimization scheduling . . . . . 12
        RADIUS dynamic filtering . . . . . 13
        CRL Retrieval Scheduling . . . . . 13
Authentication services . . . . . 15
    LDAP . . . . . 16
    RADIUS . . . . . 16
    SSL and digital certificates . . . . . 17
    Tunnel certificates . . . . . 17
    Authentication servers . . . . . 18
Configuring servers . . . . . 23
    Using IPsec client . . . . . 23
    LDAP database servers . . . . . 24
        LDAP encryption keys . . . . . 25
            Configuration information . . . . . 25
                External LDAP key information . . . . . 26
            Changing from DES to 3DES . . . . . 26
                3DES external LDAP information . . . . . 26
                3DES external LDAP proxy information . . . . . 27
        Encrypting with 3DES password . . . . . 27
        Configuring LDAP user encryption key . . . . . 28
        Optimizing LDAP scheduling . . . . . 29
        Configuring internal LDAP server authentication . . . . . 31
        Configuring LDAP proxy server authentication . . . . . 33
        LDAP proxy user authentication and password management . . . . . 36
            LDAP V3-compliant LDAP server . . . . . 37
            LDAP server without LDAP control support . . . . . 38
        Monitoring LDAP servers . . . . . 40
    RADIUS authentication service . . . . . 41
        Configuring RADIUS authentication . . . . . 42
        RADIUS authentication class attribute values . . . . . 44
        RADIUS-Assigned Framed-IP-Address attribute . . . . . 46
        Configuring IPsec authentication . . . . . 47
        Configuring RADIUS dynamic filters . . . . . 51
        Configuring PPTP and RADIUS . . . . . 53
        Configuring group-level RADIUS authentication . . . . . 54
        Vendor-specific RADIUS attribute . . . . . 55
        Configuring RADIUS accounting . . . . . 55
    Configuring DHCP servers . . . . . 57
    Configuring remote user IP address pool . . . . . 59
    Configuring DHCP relay . . . . . 62
    Configuring SSL administration . . . . . 63
        Browser security checks . . . . . 65
        Configuring SSL/TLS and configuring HTTP services . . . . . 66
    Configuring DNS servers . . . . . 68
Using certificates . . . . . 71
    LDAP server SSL encryption . . . . . 71
        Installing LDAP certificates . . . . . 72
        LDAP special characters . . . . . 72
        External LDAP proxy . . . . . 74
        Configurable warning time for certificate expiration . . . . . 74
    VPN security using digital certificates . . . . . 75
    Setting up public key infrastructure (PKI) . . . . . 75
        CA and X.509 certificates . . . . . 75
        Loading certificates . . . . . 75
        Generating a server certificate request . . . . . 76
        Installing server certificates using cut and paste #7 and #10 . . . . . 76
        Installing server certificates using CMP . . . . . 77
    Installing trusted CA certificates . . . . . 79
    Setting certificate parameters . . . . . 80
    Trusted CA certificate settings . . . . . 82
        Group assignment by user identification . . . . . 82
        Allow All policy . . . . . 82
        Access control by Subject DN . . . . . 83
        Group and certificate association configuration . . . . . 84
    CA key update . . . . . 84
    Configuring a certificate revocation list (CRL) . . . . . 86
        Configuring CRL servers . . . . . 87
            Configuring CRL Retrieval Scheduling . . . . . 88
    CRL distribution points . . . . . 90
    CRL retrieval . . . . . 92
        Enabling certificate use for tunnels . . . . . 92
        Identifying individual users with certificates . . . . . 93
        Identifying branch offices with certificates . . . . . 94
        IPsec authentication . . . . . 94
        L2TP/IPsec authentication . . . . . 96
Index . . . . . 97
Nortel VPN Router Security — Servers, Authentication, and Certificates
4 Contents
NN46110-600

Figures

Figure 1 Authenticating users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Figure 2 Authentication servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Figure 4 Enable 3DES window . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
Figure 5 LDAP proxy server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Figure 6 LDAP proxy user authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Figure 7 LDAP Proxy Server password management . . . . . . . . . . . . . . . . . . . . . . 39
Figure 8 RADIUS authentication class attribute values . . . . . . . . . . . . . . . . . . . . . 45
Figure 9 SSL administration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
Figure 10 HTTPS services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
Figure 11 Select ciphers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
Figure 12 LDAP special characters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
Figure 13 Sample CMP environment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
Figure 14 CA Key Update ready for authentication . . . . . . . . . . . . . . . . . . . . . . . . . . 85
Figure 15 CRL distribution points . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91

Tables

Table 1 RADIUS class attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
Table 2 RADIUS example details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
Table 3 Syntax of attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52

Preface

This guide describes how to configure the Nortel VPN Router authentication services and digital certificates.

Before you begin

This guide is for network managers who are responsible for setting up and configuring the Nortel VPN Router. This guide assumes that you have experience with windowing systems or graphical user interfaces (GUIs) and familiarity with network management.

Text conventions

This guide uses the following text conventions:

angle brackets (< >)
Indicate that you choose the text to enter based on the description inside the brackets. Do not type the brackets when entering the command.
Example: If the command syntax is ping <ip_address>, you enter ping 192.32.10.12

bold Courier text
Indicates command names and options and text that you need to enter.
Example: Use the show health command.
Example: Enter terminal paging {off | on}.

braces ({})
Indicate required elements in syntax descriptions where there is more than one option. You must choose only one of the options. Do not type the braces when entering the command.
Example: If the command syntax is ldap-server source {external | internal}, you must enter either ldap-server source external or ldap-server source internal, but not both.

brackets ([ ])
Indicate optional elements in syntax descriptions. Do not type the brackets when entering the command.
Example: If the command syntax is show ntp [associations], you can enter either show ntp or show ntp associations.
Example: If the command syntax is default rsvp [token-bucket {depth | rate}], you can enter default rsvp, default rsvp token-bucket depth, or default rsvp token-bucket rate.

ellipsis points (. . . )
Indicate that you repeat the last element of the command as needed.
Example: If the command syntax is more diskn:<directory>/...<file_name>, you enter more and the fully qualified name of the file.

italic text
Indicates new terms, book titles, and variables in command syntax descriptions. Where a variable is two or more words, the words are connected by an underscore.
Example: If the command syntax is ping <ip_address>, ip_address is one variable and you substitute one value for it.

plain Courier text
Indicates system output, for example, prompts and system messages.
Example: File not found.

separator ( > )
Shows menu paths.
Example: Choose Status > Health Check.

vertical line ( | )
Separates choices for command keywords and arguments. Enter only one of the choices. Do not type the vertical line when entering the command.
Example: If the command syntax is terminal paging {off | on}, you enter either terminal paging off or terminal paging on, but not both.

Acronyms

This guide uses the following acronyms:
AVPAIR Cisco's Vendor specific RADIUS Attribute Value Pair
CA Certification Authority
CDP CRL distribution points
CRL certificate revocation list
FTP File Transfer Protocol
IP Internet Protocol
IKE IPsec Key Exchange
ISAKMP Internet Security Association and Key Management Protocol
ISP Internet service provider
L2TP Layer2 Tunneling Protocol
LDAP Lightweight Directory Access Protocol
LAN local area network
PDN public data networks
POP point-of-presence
PPP Point-to-Point Protocol
PPTP Point-to-Point Tunneling Protocol
UDP User Datagram Protocol
VPN virtual private network
WAN wide area network

Related publications

For more information about the Nortel VPN Router, refer to the following publications:
Release notes provide the latest information, including brief descriptions of the new features, problems fixed in this release, and known problems and workarounds.
Nortel VPN Router Configuration—Basic Features (NN46220-500) introduces the product and provides information about initial setup and configuration.
Nortel VPN Router Configuration—SSL VPN Services (NN46110-501) provides instructions for configuring services on the SSL VPN Module 1000, including authentication, networks, user groups, and portal links.
Nortel VPN Router Security—Servers, Authentication, and Certificates (NN46110-600) provides instructions for configuring authentication services and digital certificates.
Nortel VPN Router Security—Firewalls, Filters, NAT, and QoS (NN46110-601) provides instructions for configuring the Stateful Firewall and interface and tunnel filters.
Nortel VPN Router Configuration—Tunneling Protocols (NN46110-503) provides configuration information for the tunneling protocols IPsec, L2TP, PPTP, and L2F.
Nortel VPN Router Configuration—Routing (NN46110-504) provides instructions for configuring BGP, RIP, OSPF, and VRRP, as well as instructions for configuring ECMP, routing policy services, and client address redistribution (CAR).
Nortel VPN Router Troubleshooting (NN46110-602) provides information about system administrator tasks such as backup and recovery, file management, and upgrading software, and instructions for monitoring VPN Router status and performance. This book also provides troubleshooting information and interoperability considerations.
Nortel VPN Router Using the Command Line Interface (NN46110-507) provides syntax, descriptions, and examples for the commands that you can use from the command line interface.
Nortel VPN Router Configuration—Client (NN46110-306) provides information for setting up client software for the VPN Router.
Nortel VPN Router Configuration—TunnelGuard (NN46110-307) provides information about configuring and using the TunnelGuard feature.

Hard-copy technical manuals

You can print selected technical manuals and release notes free, directly from the Internet. Go to www.nortel.com/documentation, find the product for which you need documentation, then locate the specific category and model or version for your hardware or software product. Use Adobe Reader to open the manuals and release notes, search for the sections you need, and print them on most standard printers. Go to Adobe Systems at www.adobe.com to download a free copy of the Adobe Reader.

How to get help

This chapter explains how to get help for Nortel products and services.

Finding the latest updates on the Nortel Web site

The content of this documentation was current at the time the product was released. To check for updates to the latest documentation and software for VPN Router, click one of the following links:
Link to: Latest software. Takes you directly to the Nortel page for VPN Router software located at: www130.nortelnetworks.com/cgi-bin/eserv/cs/main.jsp?cscat=SOFTWARE&resetFilter=1&poid=12325
Link to: Latest documentation. Takes you directly to the Nortel page for VPN Client documentation located at: www130.nortelnetworks.com/cgi-bin/eserv/cs/main.jsp?cscat=DOCUMENTATION&resetFilter=1&poid=12325

Getting help from the Nortel Web site

The best way to get technical support for Nortel products is from the Nortel Technical Support Web site:
www.nortel.com/support
This site provides quick access to software, documentation, bulletins, and tools to address issues with Nortel products. From this site, you can:
download software, documentation, and product bulletins
search the Technical Support Web site and the Nortel Knowledge Base for answers to technical issues
sign up for automatic notification of new software and documentation for Nortel equipment
open and manage technical support cases

Getting help over the phone from a Nortel Solutions Center

If you do not find the information you require on the Nortel Technical Support Web site, and you have a Nortel support contract, you can also get help over the phone from a Nortel Solutions Center.
In North America, call 1-800-4NORTEL (1-800-466-7835).
Outside North America, go to the following web site to obtain the phone number for your region:
www.nortel.com/callus

Getting help from a specialist by using an Express Routing Code

To access some Nortel Technical Solutions Centers, you can use an Express Routing Code (ERC) to quickly route your call to a specialist in your Nortel product or service. To locate the ERC for your product or service, go to:
www.nortel.com/erc

Getting help through a Nortel distributor or reseller

If you purchased a service contract for your Nortel product from a distributor or authorized reseller, contact the technical support staff for that distributor or reseller.

New in this release

The following section details what is new in Nortel VPN Router Security — Servers, Authentication, and Certificates for Release 7.0.

Features

See the following sections for information about feature changes:
LDAP proxy password management support for Active Directory
LDAP 3DES password encryption
LDAP user configurable encryption key
LDAP optimization scheduling
RADIUS dynamic filtering
CRL Retrieval Scheduling

LDAP proxy password management support for Active Directory

The Microsoft Active Directory is a server type that you select on the Servers > LDAP Proxy window to manage passwords. With this option, if your password is expired, a pop-up window appears, forcing you to change the password. You do not receive a notification when the password is about to expire. To change the password, you must have a Secure Sockets Layer (SSL) connection between the VPN Router and Active Directory. This feature extends the Lightweight Directory Access Protocol (LDAP) Proxy password management function to Active Directory.
For more information about Microsoft Active Directory, see “LDAP server without LDAP control support” on page 38.

LDAP 3DES password encryption

The VPN Router can store shared secrets that are encrypted with 3DES, but you must first enable the feature. You enable 3DES by selecting Servers > LDAP and clicking TripleDES.
For more information about encryption of shared secrets, see “Encrypting with 3DES password” on page 27.

LDAP user configurable encryption key

In previous releases, passwords stored in LDAP were encrypted with the same encryption key across all VPN Routers. This enhancement provides more security on the VPN Router by allowing you to enter a desired encryption key for passwords.
For more information about the user encryption key, see “Configuring LDAP user encryption key” on page 28.

LDAP optimization scheduling

With the LDAP optimization scheduling option, the VPN Router administrator can configure the time and day that the LDAP database is optimized.
LDAP optimization is a process that frees all unused memory blocks and purges LDAP data structures that have been marked as deleted, making LDAP database lookups faster and more efficient. The disadvantages of the LDAP optimization process are that it runs at the LDAP priority and is very CPU intensive. In environments with heavy traffic and very large LDAP databases, the optimization can cause timeouts and data drops.
For more information about LDAP optimization scheduling, see “Optimizing LDAP scheduling” on page 29.

RADIUS dynamic filtering

You can set up and manage policy filters on the Remote Authentication Dial-In User Service (RADIUS) server. If you use a RADIUS server to authenticate users, the VPN Router can retrieve those policy filters from the server. IPsec user tunnels are dynamically filtered based on attributes returned from the authenticating RADIUS server. The returned dynamic filters are then prepended to the filter of the group to which the user is bound.
For more information about RADIUS dynamic filtering, see “Configuring RADIUS dynamic filters” on page 51.

CRL Retrieval Scheduling

With CRL Retrieval Scheduling, the Nortel VPN Router administrator can configure the time and day that a CRL request is sent to the CRL Server.
The CRL process has disadvantages because it runs at the LDAP priority and is very CPU intensive. In environments with heavy traffic volume and very large CRLs, the CRL process can cause timeouts and data drops. The administrator can use the CRL Update Specific Time to avoid these timeouts and data drops.
You can use the GUI or the CLI to configure CRL Retrieval Scheduling.
For more information about CRL Retrieval Scheduling, see “Configuring CRL Retrieval Scheduling” on page 88.
Chapter 1 Authentication services
The remote user attempting to dial in to the VPN Router must be authenticated before gaining access to the corporate network. Authentication is one of the most important functions that the VPN Router provides because it identifies users and drives many other aspects of the user-centric functionality.
For authentication and access control, the VPN Router supports an internal or external Lightweight Directory Access Protocol (LDAP) server and external Remote Authentication Dial-In User Services (RADIUS) servers. External LDAP proxy server support allows authentication of users against existing LDAP databases.
Figure 1 shows how users are authenticated.

Figure 1 Authenticating users

The VPN Router uses a group profile mechanism to augment support for several authentication services. When a remote user attempts to access the network, the VPN Router references a particular group profile to determine encryption strength, filtering profile, and quality of service attributes for that user.
With user- and group-specific profiles, you can group common attributes while preserving the flexibility to make exceptions for individual users. The product features and network access that apply to a user are controlled by the user identity, rather than by the source IP address or another mechanism. This is necessary to support mobile users and users coming from other organizations.

LDAP

The Lightweight Directory Access Protocol (LDAP) emerged from the X.500 directory service. LDAP is gaining acceptance as the directory model for the Internet. Microsoft*, Netscape*, and Novell* all support LDAP in their directory service strategies. LDAP is based on directory entries; it has an Internet person schema that defines standard attributes and you can extend it to include other attributes. A directory service is a central repository of user information; for example, the VPN Router supports the following elements using LDAP:
• groups
• users
• filters
• services

RADIUS

Remote Authentication Dial-In User Services (RADIUS) is a distributed security system that uses an authentication server to verify dial-up connection attributes and authenticate connections. RADIUS is commonly used for remote access authentication.
Many security systems are configured with a RADIUS front end to facilitate remote access authentication. RADIUS is also the most common authentication mechanism used by ISPs. Novell NDS*, Microsoft Windows NT* Domains, and Security Dynamics ACE Server* all support RADIUS authentication. Windows NT Domain authentication controls access to NT file servers and other resources on NT networks. The RADIUS server provides a place to store user passwords, because users generally remember their file server passwords.
The X.509 digital certificates authentication mechanism works with public key encryption to provide a level of assurance that users are who they say they are.

SSL and digital certificates

The Secure Sockets Layer (SSL) protocol uses digital certificates to establish secure, authenticated connections between SSL clients and servers.
The VPN Router uses a digital certificate sent from an SSL-capable LDAP server to authenticate that server. In order for digital certificate authentication to succeed, you must import a certificate from the authority certifying the LDAP server into the VPN Router's certificate store. This type of certificate is often referred to as a CA root certificate.
A single CA root certificate can certify the authenticity of multiple LDAP servers, depending on the organization of your environment's certification hierarchy.

Tunnel certificates

The VPN Router uses X.509 certificates for authentication to IPsec-based tunnel connections. The VPN Router supports RSA* digital signature authentication in the IPsec ISAKMP key management protocol. Remote users can authenticate themselves to the VPN Router using a public key pair and a certificate as credentials. In addition, the VPN Router uses its own key pair and certificate to authenticate the VPN Router to the user. The VPN Router currently supports the Entrust* product suite and Microsoft certificates.
The VPN Router supports retrieval of X.509v3 certificates from Microsoft certificate storage through the Microsoft CryptoAPI (MS CAPI). Microsoft certificate storage uses standard messages (PKCS #12) to import digital certificates granted by third-party certificate authorities. This allows the VPN Router and VPN Client to use CAs that are not tightly integrated with the client and VPN Router.
The certificate payload transports certificates or other certificate-related information through ISAKMP and can appear in any ISAKMP message. Certificate payloads are included in an exchange whenever an appropriate directory service (such as Secure DNS) is not available to distribute certificates. The VPN Router supports Microsoft native client (L2TP/IPsec) PKCS #7 termination in chained environments.
Using certificates for tunnel connections requires the creation of a public key infrastructure (PKI) to issue and manage certificates for remote users and VPN Router servers.

Authentication servers

The VPN Router supports LDAP and RADIUS authentication servers. The VPN Router always attempts to authenticate a remote user against the internal or external LDAP profiles.
Note: If you authenticate using RADIUS or LDAP authentication, you must use unique names for the Group ID and User ID.
Figure 2 shows a VPN Router and authentication servers.

Figure 2 Authentication servers

(Figure 2 shows the VPN Router connected over the 10/100 LAN to an internal LDAP server, external LDAP servers 1, 2, and 3, and RADIUS servers 1, 2, and 3.)
The user ID (UID) is checked against the LDAP profile database. If the UID is found in the LDAP database, the user is assigned to a group and acquires that group’s attributes. Next, the password is checked, and if it is correct, the VPN Router forms a tunnel.
If the UID is not in the profile LDAP (internal or external) database, and if you specified RADIUS as the next server to check, the UID and password are checked against the RADIUS database. If the UID and password are correct, the VPN Router checks whether the RADIUS server returned a class attribute. The RADIUS class attribute is treated as an LDAP group name. If a RADIUS class attribute is returned, and it names an existing LDAP group, the VPN Router applies the attributes of this group to this user’s session, and forms a tunnel. If the group name does not exist, the user is given the RADIUS default group’s attributes. If the UID and password are incorrect, the VPN Router rejects the user request.
IPsec behaves the same as a PPTP session; the RADIUS server defines the group for the user after authentication using the class attribute group identifier. The only difference between IPsec and PPTP is that if the RADIUS server does not return a class attribute, the group associated with the IPsec group ID is used instead of the RADIUS default group. You configure the IPsec Group ID in the Authentication section of the Profiles > Groups > Edit > Configure IPsec window. You configure the PPTP default group on the Servers > RADIUS Auth window, RADIUS Users Obtain Default Settings from the Group option.
Note: The group that the user is bound to must allow the authentication method that is used when the session is started.
If the UID is not in the profile LDAP (internal or external) database and if you specified LDAP proxy as the next server to check, the UID and password are checked against the LDAP proxy database.
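As an added illustration (not code from this manual or from the VPN Router itself), the following Python models the decision order described above: LDAP profiles first, then RADIUS with the class attribute treated as a group name, the IPsec group ID or RADIUS default group as fallback, and the Note's rule that the bound group must allow the tunnel type. All users, groups, passwords, and field names are constructed and hypothetical; LDAP proxy as the next server is not modelled.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class AuthResult:
    accepted: bool
    group: Optional[str] = None
    source: Optional[str] = None  # which server authenticated the user

# Constructed sample data (hypothetical users, groups and passwords).
LDAP_PROFILES = {"alice": {"password": "s3cret", "group": "Engineering"}}
# Each LDAP group lists the tunnel types it allows (the Note above).
LDAP_GROUPS = {"Engineering": {"IPsec", "PPTP"}, "Sales": {"PPTP"},
               "RADIUS-Default": {"IPsec", "PPTP"}}
RADIUS_USERS = {"bob":   {"password": "pa55", "class": "Sales"},
                "carol": {"password": "pa55", "class": "Contractors"},  # no such LDAP group
                "dave":  {"password": "pa55", "class": None}}           # no class attribute

def authenticate(uid, password, protocol="PPTP", next_server="RADIUS",
                 ipsec_group_id="Engineering", radius_default_group="RADIUS-Default"):
    """Return the group bound to the session, or a rejection, following the
    order in the text: LDAP profiles first, then the configured next server."""
    result = AuthResult(False)
    profile = LDAP_PROFILES.get(uid)
    if profile is not None:
        # UID found in LDAP: the user takes that group's attributes, then the
        # password is checked; a wrong password is rejected outright.
        if profile["password"] == password:
            result = AuthResult(True, profile["group"], "LDAP")
    elif next_server == "RADIUS":
        entry = RADIUS_USERS.get(uid)
        if entry is not None and entry["password"] == password:
            cls = entry["class"]  # RADIUS class attribute, treated as an LDAP group name
            if cls in LDAP_GROUPS:
                result = AuthResult(True, cls, "RADIUS")
            elif cls is None and protocol == "IPsec":
                # No class attribute on an IPsec tunnel: use the IPsec group ID's group.
                result = AuthResult(True, ipsec_group_id, "RADIUS")
            else:
                # PPTP with no class, or a class naming a non-existent group.
                result = AuthResult(True, radius_default_group, "RADIUS")
    # (LDAP proxy as the next server is not modelled in this example.)
    # The bound group must allow the tunnel type used to start the session.
    if result.accepted and protocol not in LDAP_GROUPS.get(result.group, set()):
        return AuthResult(False)
    return result
```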
Figure 3 illustrates the steps in user validation.