Nortel Secure Network Access Switch 4050 User Guide
Nortel Secure Network Access Switch Software Release 1.
Part No. 320818-A, December 2005
4655 Great America Parkway, Santa Clara, CA 95054
Copyright © Nortel Networks Limited 2005. All rights reserved. The information in this document is subject to change without notice. The statements, configurations, technical data, and recommendations in this document are believed to be accurate and reliable, but are presented without express or implied warranty. Users must take full responsibility for their applications of any products specified in this document. The information in this document is proprietary to Nortel Networks Inc.
In addition, the program and information contained herein are licensed only pursuant to a license agreement that contains restrictions on use and disclosure (that may incorporate by reference certain limitations and notices imposed by third parties).

Licensing

This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/). This product includes cryptographic software written by Eric Young (eay@cryptsoft.com).
Contents

Preface (page 25)
Before you begin (page 26)
Text conventions (page 27)
Related information
Management IP address (page 51)
Portal Virtual IP address (page 51)
Real IP address (page 52)
Initial setup
Mapping VLANs by domain (page 97)
Mapping VLANs by switch (page 100)
Managing SSH keys using the SREM (page 102)
Generating SSH keys for the domain using the SREM (page 105)
Exporting SSH keys for the domain using the SREM
Configuring domain parameters using the SREM (page 164)
Additional domain configuration in the SREM (page 166)
Configuring the TunnelGuard check using the SREM (page 168)
Using the TunnelGuard Quick Setup in the SREM (page 172)
Configuring the SSL server using the SREM
Modifying a client filter (page 217)
Configuring extended profiles using the SREM (page 219)
Adding an extended profile (page 220)
Modifying an extended profile (page 222)
Mapping linksets to a group or profile using the SREM
Modifying RADIUS configuration (page 273)
Managing additional RADIUS servers (page 279)
Next steps (page 282)
Configuring LDAP authentication using the SREM (page 282)
Adding the LDAP method and server
SRS Rule Expression Constructor (page 326)
Managing TunnelGuard rules and expressions (page 327)
Creating a software definition (page 327)
Adding entries to a software definition (page 328)
Selecting modules or files from running processes
Changing a user's group assignment (page 365)
Changing passwords (page 366)
Deleting a user (page 369)
Managing system users and groups using the SREM (page 370)
Managing user accounts using the SREM
Setting the portal display language using the CLI (page 404)
Configuring the portal display using the CLI (page 405)
Changing the portal colors using the CLI (page 408)
Configuring custom content using the CLI (page 409)
Configuring linksets using the CLI
Chapter 10: Configuring system settings (page 457)
Configuring the cluster using the CLI (page 459)
Roadmap of system commands (page 460)
Configuring system settings using the CLI (page 463)
Configuring the Nortel SNAS 4050 host using the CLI
Adding a host interface (page 509)
Configuring an existing host interface (page 511)
Removing a host interface (page 514)
Configuring static routes using the SREM (page 514)
Viewing static routes for a cluster
Managing RADIUS audit servers using the SREM (page 559)
Managing RADIUS authentication of system users using the SREM (page 562)
Configuring RADIUS authentication of system users using the SREM (page 563)
Managing RADIUS authentication servers using the SREM (page 565)
Chapter 11: Managing certificates (page 569)
Overview
Chapter 12: Configuring SNMP (page 617)
Configuring SNMP using the CLI (page 618)
Roadmap of SNMP commands (page 619)
Configuring SNMP settings using the CLI (page 620)
Configuring the SNMP v2 MIB using the CLI
Viewing SONMP topology information using the SREM (page 675)
Viewing switch distribution using the SREM (page 677)
Viewing port information using the SREM (page 678)
Viewing license information using the SREM (page 680)
Viewing session details using the SREM
Managing Nortel SNAS 4050 devices and software using the SREM (page 743)
Managing software versions using the SREM (page 744)
Downloading images using the SREM (page 748)
Rebooting or deleting a Nortel SNAS 4050 device using the SREM (page 750)
Downloading files using the SREM
Configure the network DNS server (page 782)
Configure the network DHCP server (page 783)
Configure the network core router (page 789)
Configure the Ethernet Routing Switch 8300 using the CLI (page 790)
Steps
CLI shortcuts (page 807)
Command stacking (page 807)
Command abbreviation (page 808)
Tab completion (page 808)
Using a submenu name as a command argument
Root user password (page 844)
Boot user password (page 845)
A user fails to connect to the Nortel SNAS 4050 domain (page 845)
Trace tools (page 845)
System diagnostics
Create a new attribute (Windows 2000 Server and Windows Server 2003) (page 887)
Create the new class (page 888)
Add isdUserPrefs attribute to nortelSSLOffload class (page 888)
Add the nortelSSLOffload Class to the User Class (page 889)
Appendix F: Configuring DHCP to auto-configure IP Phones
Preface

Nortel Secure Network Access (Nortel SNA) is a clientless solution that provides seamless, secure access to the corporate network from inside or outside that network.
The document provides instructions for initializing and customizing the features using the Command Line Interface (CLI). To learn the basic structure and operation of the Nortel SNAS 4050 CLI, refer to “CLI reference” on page 803. This reference guide provides links to where the function and syntax of each CLI command are described in the document. For information on accessing the CLI, see “The Command Line Interface” on page 769.
Text conventions

This guide uses the following text conventions:

angle brackets (< >)
    Enter text based on the description inside the brackets. Do not type the brackets when entering the command. Example: If the command syntax is ping , you enter ping 192.32.10.12

bold text
    Objects such as window names, dialog box names, and icons, as well as user interface objects such as buttons, tabs, and menu items.

bold Courier text
    Command names, options, and text that you must enter.

italic text
    Variables in command syntax descriptions. Also indicates new terms and book titles. Where a variable is two or more words, the words are connected by an underscore. Example: If the command syntax is show at , valid_route is one variable and you substitute one value for it.

plain Courier text
    Command syntax and system output, for example, prompts and system messages. Example: Set Trap Monitor Filters

separator ( > )
    Menu paths.
• Release Notes for Nortel Ethernet Routing Switch 5500 Series, Software Release 4.3 (217468-B)
• Release Notes for the Ethernet Routing Switch 8300, Software Release 2.2.8 (316811-E)
• Release Notes for the Nortel Secure Network Access Solution, Software Release 1.0 (320850-A)
• Release Notes for Enterprise Switch Manager (ESM), Software Release 5.1 (209960-H)
• Using Enterprise Switch Manager Release 5.
• To call a Nortel Technical Solutions Center for assistance, click the CALL US link on the left side of the page to find the telephone number for your region.

An Express Routing Code (ERC) is available for many Nortel products and services. When you use an ERC, your call is routed to a technical support person who specializes in supporting that product or service. To locate the ERC for your product or service, go to the www.nortel.
Chapter 1 Overview

This chapter includes the following topics:

Topic (page)
The Nortel SNA solution (31)
Elements of the NSNA solution (32)
Supported users (32)
Role of the Nortel SNAS 4050 (33)
Nortel SNAS 4050 clusters (39)
One-armed and two-armed configurations (40)
Nortel SNA configuration and management tools (42)
Nortel SNAS 4050 configuration roadmap (43)

The Nortel SNA solution

Nortel Secure Network Access (Nortel SNA) solution is a protective framework to completely secure the network from endp
For Nortel, success is delivering technologies providing secure access to your information using security-compliant systems. Your success is measured by increased employee productivity and lower network operations costs. Nortel’s solutions provide your organization with the network intelligence required for success.
Java Runtime Environment (JRE) for all browsers:
• JRE 1.5.0_04 or later

VoIP phones:
— Nortel IP Phone 2002
— Nortel IP Phone 2004
— Nortel IP Phone 2007

See Release Notes for the Nortel Secure Network Access Solution, Software Release 1.0 (320850-A) for the minimum firmware versions required for the IP Phones operating with different call servers. Each NSNA-enabled port on a network access device can support one PC (untagged traffic) and one IP Phone (tagged traffic).
Nortel SNAS 4050 functions

The Nortel SNAS 4050 performs the following functions:
• Acts as a web server portal, which is accessed by users in clientless mode for authentication and host integrity check and which sends remediation instructions and guidelines to endpoint clients if they fail the host integrity check.
• Communicates with backend authentication servers to identify authorized users and levels of access.
• VoIP — automatic access for VoIP traffic. The network access device places VoIP calls in a VoIP VLAN without submitting them to the Nortel SNAS 4050 authentication and authorization process.

When a client attempts to connect to the network, the network access device places the client in its Red VLAN. The Nortel SNAS 4050 authenticates the client and then downloads a TunnelGuard applet to check the integrity of the client host.
Authentication methods

You can configure more than one authentication method within a Nortel SNAS 4050 domain. Nortel Secure Network Access Switch Software Release 1.0 supports the following authentication methods:
• external database
— Remote Authentication Dial-In User Service (RADIUS)
— Lightweight Directory Access Protocol (LDAP)

The Nortel SNAS 4050 authenticates the user by sending a query to an external RADIUS or LDAP server.
TunnelGuard host integrity check

The TunnelGuard application checks client host integrity by verifying that the components you have specified as required for the client’s personal firewall (executables, DLLs, configuration files, and so on) are installed and active on the client PC. You specify the required component entities and engineering rules by configuring a Software Requirement Set (SRS) rule and mapping the rule to a user group.
Communication channels

Communications between the Nortel SNAS 4050 and key elements of the Nortel SNA solution are secure and encrypted. Table 1 shows the communication channels in the network.
The Nortel SNAS 4050 supports the use of three different SSH host key types:
• RSA1
• RSA
• DSA

SSH protocol version 1 always uses RSA1 keys. SSH protocol version 2 uses either RSA or DSA keys. For management communications in the Nortel SNA solution, the Nortel SNAS 4050 can act both as SSH server (when a user connects to the CLI using an SSH client) and as SSH client (when the Nortel SNAS 4050 initiates file or data transfers using the SCP or SFTP protocols).
• fault tolerance — If a Nortel SNAS 4050 device fails, the failure is detected by the other node in the cluster, which takes over the switch control and session handling functions of the failed device. As long as there is one running Nortel SNAS 4050, no sessions will be lost.

The devices in the cluster can be located anywhere in the network and do not have to be physically connected to each other. All the Nortel SNAS 4050 devices in the cluster must be in the same subnet.
One-armed configuration

In a one-armed configuration, the Nortel SNAS 4050 has only one interface, which acts as both the client portal interface and the management traffic interface. Figure 1 illustrates a one-armed configuration.

Figure 1 One-armed configuration
[Figure: NSNAS 1 with a single management/client portal interface (1); addresses shown: 192.168.128.11 (MIP [management]), 192.168.128.12 (RIP [host]), 192.168.128.100 (pVIP [portal]); default gateway 192.168.128.]
Figure 2 illustrates a two-armed configuration.

Figure 2 Two-armed configuration
[Figure: NSNAS 1 with a client portal interface (2) carrying 192.168.128.11 (RIP 2 [host]) and 192.168.128.100 (pVIP [portal]), and a management interface (1) carrying 10.1.0.11 (MIP [management]) and 10.1.0.12 (RIP 1 [host]); default gateway 192.168.128.]
• Security & Routing Element Manager (SREM)
The SREM is a GUI application you can use to configure and manage the Nortel SNAS 4050. The configuration chapters in this User Guide describe the specific steps to configure the Nortel SNAS 4050 using the SREM. For general information about installing and using the SREM, see Installing and Using the Security & Routing Element Manager (SREM) (320199-B).
• Enterprise Policy Manager (EPM) release 4.
For each VLAN:
a Create a DHCP scope.
b Specify the IP address range and subnet mask for that scope.
c Configure the following DHCP options:
— Specify the default gateway.
— Specify the DNS server to be used by endpoints in that scope.
— If desired, configure DHCP so that the IP Phones learn their VLAN configuration data automatically from the DHCP server. For more information, see Appendix F, “Configuring DHCP to auto-configure IP Phones,” on page 891.
Use the applicable show commands on the router to verify that DHCP relay has been activated to reach the correct scope for each VLAN. For more information about performing these general configuration steps, see the regular documentation for the type of router used in your network.

4 Configure the network access devices:
a Configure static routes to all the networks behind the core router.
b Configure the switch management VLAN, if necessary.
Identify switch ports as either uplink or dynamic. When you configure the uplink ports, you associate the NSNA VLANs with those ports. Clients are connected on the dynamic ports. You can configure NSNA ports (both dynamic and uplink) after NSNA is enabled globally.
l Enable NSNA globally.

For more information about configuring an Ethernet Routing Switch 5510, 5520, or 5530 in a Nortel SNA network, see Release Notes for Nortel Ethernet Routing Switch 5500 Series, Software Release 4.
configuration in the SREM (see “Checking configuration using the SREM” on page 741).
12 Configure groups (see “Configuring groups and profiles” on page 191).
13 Configure client filters (see “Configuring client filters using the CLI” on page 201).
14 Configure extended profiles (see “Configuring extended profiles using the CLI” on page 203).
15 Specify the authentication mechanisms (see “Configuring authentication” on page 233).
Chapter 2 Initial setup

This chapter includes the following topics:

Topic (page)
Before you begin (50)
About the IP addresses (51)
Initial setup (52)
Setting up a single Nortel SNAS 4050 device or the first in a cluster (52)
Adding a Nortel SNAS 4050 device to a cluster (61)
Next steps (66)
Applying and saving the configuration (67)
Applying and saving the configuration using the CLI (68)
Applying and saving the configuration using the SREM (68)
Before you begin

Before you can set up the Nortel SNAS 4050, you must complete the following tasks:
1 Plan the network. For more information, see Nortel Secure Network Access Solution Guide (320817-A).
4 Establish a console connection to the Nortel SNAS 4050 (see “Establishing a console connection” on page 770).

About the IP addresses

Management IP address

The Management IP address (MIP) identifies the Nortel SNAS 4050 in the network. In a multi-Nortel SNAS 4050 solution, the MIP is an IP alias to one of the Nortel SNAS 4050 devices in the cluster and identifies the cluster. The MIP always resides on a master Nortel SNAS 4050 device.
Real IP address

The Real IP address (RIP) is the Nortel SNAS 4050 device host IP address for network connectivity. The RIP is the IP address used for communication between Nortel SNAS 4050 devices in a cluster. The RIP must be unique on the network and must be within the same subnet as the MIP.
The Setup Menu displays.

    Alteon iSD NSNAS
    Hardware platform: 4050
    Software version: x.x
    -------------------------------------------------------
    [Setup Menu]
         join - Join an existing cluster
         new  - Initialize host as a new installation
         boot - Boot menu
         info - Information menu
         exit - Exit [global command, always available]

    >> Setup#

2 Select the option for a new installation.

    >> Setup# new
    Setup will guide you through the initial configuration.
In a two-armed configuration, you are specifying the port you want to use for Nortel SNAS 4050 management traffic.

Note: You can later convert a one-armed configuration into a two-armed one by adding a new interface to the cluster and assigning an unused port to that interface. The new interface will be used exclusively for client portal traffic.
7 Specify whether you are setting up a one-armed or a two-armed configuration.

    Setup a two armed configuration (yes/no) [no]:

If you are setting up a one-armed configuration, press Enter to accept the default value (no). Go to step 8. If you are setting up a two-armed configuration, enter yes. Go to step 9.

8 Specify the default gateway IP address.
used if no other interface is specified. The default gateway IP address on Interface 2 must be within the same subnet as the RIP for Interface 2.

    Enter port number for the traffic interface [1-4]:
    Enter IP address for this machine (on traffic interface):
    Enter network mask [255.255.255.0]:
    Enter VLAN tag id (or zero for no VLAN) [0]:
    Enter default gateway IP address (on the traffic interface):

10 Specify the MIP for this device or cluster.
12 Configure the time settings.

    Enter the current date (YYYY-MM-DD) [2005-05-02]:
    Enter the current time (HH:MM:SS) [19:14:52]:

13 Specify the NTP server, if applicable.

    Enter NTP server address (or blank to skip):

Note: If you do not have access to an NTP server at this point, you can configure this item after the initial setup is completed.
16 Change the admin user password, if desired.

    Enter a password for the "admin" user:
    Re-enter to confirm:

Make sure you remember the password you define for the admin user. You will need to provide the correct admin user password when logging in to the Nortel SNAS 4050 (or the Nortel SNAS 4050 cluster) for configuration purposes.

17 Run the Nortel SNAS 4050 quick setup wizard.
For example, if you entered company.com in the DNS search list, users can type nsnas to connect to nsnas.company.com from the portal page.

e If you want to enable HTTP to HTTPS redirection, create a redirect server.

    Create http to https redirect server [no]:

f Specify the action to be performed when an SRS rule check fails. The options are:
— restricted.
The action to be performed when the TunnelGuard check fails depends on your selection in step f on page 59.

    Create default tunnel guard user [no]: yes
    Using 'restricted' action for TunnelGuard failure.
    User name: tg
    User password: tg
    Creating client filter 'tg_passed'.
    Creating client filter 'tg_failed'.
    Creating linkset 'tg_passed'.
    Creating linkset 'tg_failed'.
    Creating group 'tunnelguard' with secure access.
The profiles determine the VLAN to which the user will be allocated. Table 2 shows the extended profiles that have been created.

Table 2 Extended profile details

    Index  Client filter name  VLAN ID  Linkset name
    1      tg_failed           yellow   tg_failed
    2      tg_passed           green    tg_passed

6 One or several domain names have been added to the DNS search list, depending on what you specified at the prompt in the quick setup wizard.
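The following Python is an added example, not code from the Nortel guide: it models how the objects the quick setup wizard creates (the tg_passed and tg_failed client filters, the tunnelguard group, and the extended profiles in Table 2) decide which VLAN a client ends up in, with the Red VLAN as the fail-closed default described in Chapter 1. The Session fields, the GROUP_PROFILES mapping and the lowest-index-wins rule are assumptions made for this model.

```python
"""
Added example (not from the Nortel guide): a model of the VLAN decision the
quick setup wizard's objects express. Session, GROUP_PROFILES and the
lowest-index-wins rule are assumptions of this model, not documented behaviour.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

RED_VLAN = "red"    # the network access device places every new client here


@dataclass(frozen=True)
class Session:
    authenticated: bool                 # result of the RADIUS/LDAP query
    group: Optional[str]                # group assigned at authentication
    tunnelguard_passed: Optional[bool]  # None until the applet has reported
    voip_tagged: bool = False           # tagged IP Phone traffic, not portal traffic


@dataclass(frozen=True)
class ExtendedProfile:
    index: int
    client_filter: str   # name of the client filter that must match
    vlan: str
    linkset: str


# Table 2 as created by the wizard when the SRS-failure action is 'restricted'.
TUNNELGUARD_PROFILES = (
    ExtendedProfile(1, "tg_failed", "yellow", "tg_failed"),
    ExtendedProfile(2, "tg_passed", "green", "tg_passed"),
)

# Assumed mapping of group name to the extended profiles mapped to that group.
GROUP_PROFILES = {"tunnelguard": TUNNELGUARD_PROFILES}


def client_filter_matches(name: str, session: Session) -> bool:
    """Evaluate the two client filters the wizard creates."""
    if name == "tg_passed":
        return session.tunnelguard_passed is True
    if name == "tg_failed":
        return session.tunnelguard_passed is False
    raise ValueError(f"unknown client filter {name!r}")


def assign_vlan(session: Session,
                group_profiles=GROUP_PROFILES,
                voip_vlan: str = "voip") -> Tuple[str, Optional[str], str]:
    """Return (vlan, linkset or None, reason) for a client session.

    Anything that is not positively authorised stays in the Red VLAN.
    """
    if session.voip_tagged:
        return voip_vlan, None, "VoIP traffic bypasses the portal"
    if not session.authenticated:
        return RED_VLAN, None, "authentication failed or not attempted"
    if session.tunnelguard_passed is None:
        return RED_VLAN, None, "waiting for the TunnelGuard host integrity result"
    profiles = group_profiles.get(session.group or "", ())
    for profile in sorted(profiles, key=lambda p: p.index):   # lowest index wins
        if client_filter_matches(profile.client_filter, session):
            reason = f"extended profile {profile.index} ({profile.client_filter})"
            return profile.vlan, profile.linkset, reason
    return RED_VLAN, None, f"no extended profile matched for group {session.group!r}"


if __name__ == "__main__":
    for s in (Session(False, None, None),
              Session(True, "tunnelguard", None),
              Session(True, "tunnelguard", False),
              Session(True, "tunnelguard", True),
              Session(True, None, True, voip_tagged=True)):
        print(s, "->", assign_vlan(s))
```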
Before you begin

Log on to the existing Nortel SNAS 4050 device to check the software version and system settings. Use the /boot/software/cur command to check the currently installed software version (for more information, see “Managing software for a Nortel SNAS 4050 device using the CLI” on page 734). Use the /cfg/sys/accesslist/list command to view settings for the Access List (for more information, see “Configuring the Access List using the CLI” on page 474).
• To change the version on the existing NSNAS, download the desired software image and upgrade the software on the existing cluster (see “Upgrading the Nortel SNAS 4050” on page 757).

Note: Nortel recommends always using the most recent software version.

Joining a cluster

1 Log on using the following username and password:

    login: admin
    Password: admin

The Setup Menu displays.

    Alteon iSD NSNAS
    Hardware platform: 4050
    Software version: x.
In a one-armed configuration, you are specifying the port you want to use for all network connectivity, since Interface 1 is used for both management traffic (Nortel SNAS 4050 management and connections to intranet resources) and client portal traffic (traffic between the TunnelGuard applet on the client and the portal). In a two-armed configuration, you are specifying the port you want to use for Nortel SNAS 4050 management traffic.
8 Configure the interface for client portal traffic (Interface 2).
a Specify a port number for the client portal interface. This port will be assigned to Interface 2. The port number must not be the same as the port number for the management interface (Interface 1).
b Specify the RIP for Interface 2.
c Specify the network mask for the RIP on Interface 2.
d If the core router attaches VLAN tag IDs to incoming packets, specify the VLAN tag ID used.
12 Wait while the Setup utility finishes processing. When processing is complete, you will see Setup successful. The new Nortel SNAS 4050 automatically picks up all other required configuration data from the existing Nortel SNAS 4050 in the cluster. After a short while, you receive the login prompt.

    Setup successful.
3 To finish connecting the Nortel SNAS 4050 to the rest of the network, complete the following tasks:
a Generate and activate the SSH keys for communication between the Nortel SNAS 4050 and the network access devices (see “Managing SSH keys using the CLI” on page 84 or “Managing SSH keys using the SREM” on page 102).
b Specify the SRS rule for the tunnelguard group (see “Configuring groups using the CLI” on page 198 or “Configuring groups using the SREM” on page 208).
Applying and saving the configuration using the CLI

If you have not already done so after each sequence of configuration steps, confirm your changes using the apply command.
Figure 3 on page 69 shows the location of the Apply and Commit buttons.

Figure 3 Apply and Commit buttons
[Figure: the Apply and Commit buttons in the SREM]

For more information about the Apply and Commit functions, see Installing and Using the Security & Routing Element Manager (SREM) (320199-B).
Chapter 3 Managing the network access devices

This chapter includes the following topics:

Topic (page)
Before you begin (72)
Managing network access devices using the CLI (73)
Roadmap of domain commands (73)
Adding a network access device using the CLI (75)
Deleting a network access device using the CLI (79)
Configuring the network access devices using the CLI (80)
Mapping the VLANs using the CLI (82)
Managing SSH keys using the CLI (84)
Monitoring switch health using the CLI (89)
Controlling communicat
Monitoring switch health using the SREM (111)
Controlling communication with the network access devices using the SREM (115)

Before you begin

In Trusted Computing Group (TCG) terminology, the edge switches in a Nortel SNA solution function as the Policy Enforcement Point. In this document, the term network access device is used to refer to the edge switch once it is configured for the Nortel SNA network.
You require the following information for each network access device:
• IP address of the switch
• VLAN names and VLAN IDs for the Red, Yellow, and Green VLANs
• the TCP port to be used for Nortel SNA communication
• for Ethernet Routing Switch 8300 switches, a valid rwa user name

Managing network access devices using the CLI

The Nortel SNAS 4050 starts communicating with the network access device as soon as you enable the switch on the Nortel SNAS 4050 by
    Command                          Parameter
                                     reset
                                     ena
                                     dis
                                     delete
    /cfg/domain #/vlan               add
                                     del
                                     list
    /cfg/domain #/switch #/vlan      add
                                     del
                                     list
    /cfg/domain #/sshkey             generate
                                     show
                                     export
    /cfg/domain #/switch #/sshkey    import
                                     add
                                     del
                                     show
                                     export
                                     user
    /cfg/domain #/switch #/hlthchk   interval
                                     deadcnt
                                     sq-int
    /cfg/domain #/switch #/dis
    /cfg/domain #/switch #/ena
Adding a network access device using the CLI

You can add a network access device to the configuration in two ways. You must repeat the steps for each switch that you want to add to the domain configuration.
4 Specify the TCP port for communication between the Nortel SNAS 4050 and the network access device. The default is port 5000.

    NSNA communication port[5000]:

5 The SSH fingerprint of the switch is automatically picked up if the switch is reachable. If the fingerprint is successfully retrieved, go to step 7 on page 77. If the fingerprint is not successfully retrieved, you will receive an error message and be prompted to add the SSH key.
Chapter 3 Managing the network access devices 77 d To continue, go to step 7 on page 77. Do you want to add ssh key? (yes/no) [no]: yes Paste the key, press Enter to create a new line, and then type "..." (without the quotation marks) to terminate. > 47.80.18.
Chapter 3 Managing the network access devices Manually adding a switch To add a network access device and configure it manually, use the following command: /cfg/domain #/switch where switch ID is an integer in the range 1 to 255 that uniquely identifies the network access device in the Nortel SNAS 4050 domain.
Chapter 3 Managing the network access devices 79 Figure 4 Adding a switch manually >> Domain 1# switch 1 Creating Switch 3 Enter name of the switch: Switch1_ERS8300 Enter the type of the switch (ERS8300/ERS5500): ERS8300 Enter IP address of the switch: NSNA communication port[5000]: Enter VLAN Id of the Red VLAN: Entering: SSH Key menu Enter username: rwa Leaving: SSH Key menu ---------------------------------------------------------[Switch 3 Menu] name - Set Switch name type - Set Type
The delete command removes the current switch from the control of the Nortel SNAS 4050 cluster.

Configuring the network access devices using the CLI

When you first add a network access device to the Nortel SNAS 4050 domain, the switch is disabled by default. Do not enable the switch until you have completed configuring it.

The Switch menu includes the following options:
/cfg/domain #/switch # followed by:
name: Names or renames the switch. After you have defined a name for the switch, you can use either the switch name or the switch ID to access the Switch menu. name is a string that must be unique in the domain. The maximum length of the string is 255 characters.
type ERS8300|ERS5500: Specifies the type of network access device.

/cfg/domain #/switch # followed by:
dis: Disables the switch for Nortel SNA operation.
delete: Removes the switch from the Nortel SNAS 4050 domain configuration.

Mapping the VLANs using the CLI

The VLANs are configured on the network access devices. You specify the Red VLAN for each network access device when you add the switch (see “Adding a network access device using the CLI” on page 75).

The Nortel SNAS 4050 maintains separate maps for the domain and the switch. If you add a VLAN from the domain-level vlan command, you must use the domain-level command for all future management of that mapping. Similarly, if you add a VLAN from the switch-level vlan command, you must use the switch-level command for all future management of that mapping. The Domain vlan or Switch vlan menu displays.

Managing SSH keys using the CLI

The Nortel SNAS 4050 and the network access devices controlled by the Nortel SNAS 4050 domain exchange public keys so that they can authenticate themselves to each other in future SSH communications.
If you regenerate the key at any time, you must re-export the key to each network access device.
Note: If you export the key after the network access device has been enabled, you may need to disable and re-enable the switch in order to activate the change.
3 For each network access device, import its public key into the Nortel SNAS 4050 domain, if necessary (see “Managing SSH keys for Nortel SNA communication using the CLI” on page 88).

The NSNAS SSH key menu includes the following options:
/cfg/domain #/sshkey followed by:
generate: Generates an SSH public key for the domain. There can be only one key in effect for the Nortel SNAS 4050 domain at any one time. If a key already exists, you are prompted to confirm that you want to replace it. Enter Apply to apply the change immediately and create the key.
show: Displays the SSH public key generated for the domain.

Figure 5 shows sample output for the /cfg/domain #/sshkey command.

Figure 5 Generating an SSH key for the domain
>> Main# /cfg/domain 1/sshkey
---------------------------------------------------------
[NSNAS SSH key Menu]
generate - Generate new SSH key for the NSNAS domain
show - Show NSNAS domain public SSH key
>> NSNAS SSH key# generate
Key already exists, overwrite? (yes/no) [no]: yes
Generating new SSH key, this operation takes a few seconds... done.

Managing SSH keys for Nortel SNA communication using the CLI

To retrieve the public key for the network access device and export the public key for the domain, use the following command:
/cfg/domain #/switch #/sshkey
The SSH Key menu displays. The SSH Key menu includes the following options:
/cfg/domain #/switch #/sshkey followed by:
import: Retrieves the SSH public key from the network access device, if it is reachable.

Reimporting the network access device SSH key using the CLI

Whenever the network access device generates a new public SSH key, you must import the new key into the Nortel SNAS 4050 domain.
1 Use the /cfg/domain #/switch #/sshkey/del command to delete the original key.
2 Enter Apply to apply the change immediately.
3 Use the /cfg/domain #/switch #/sshkey/import command to import the new key.
4 Enter Apply to apply the change immediately.
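Step 5 of the quick switch setup (page 76) fetches the switch's key over the network on first contact, and the reimport procedure above requires the old key to be deleted before a regenerated one is accepted. The following Python, added here and not part of the Nortel guide or the SNAS software, shows the mechanics behind both: parsing an OpenSSH public-key line, computing the colon-separated MD5 fingerprint that OpenSSH printed in 2005 (and the SHA256 form current OpenSSH prints), and a known-key store that refuses a changed key until the old entry is deleted and refuses a key whose fingerprint does not match one confirmed out of band, for example read from the switch console before the switch is enabled. The RSA parameters used to build the sample key lines are constructed test values, not keys from any real switch.

```python
"""Added example (not from the Nortel guide or the SNAS software): fingerprint
an OpenSSH public-key line and keep a per-switch known-key store that enforces
the guide's delete-then-reimport rule when a switch presents a new key."""
import base64
import hashlib
import struct
from typing import Dict, Optional, Tuple


def _ssh_string(data: bytes) -> bytes:
    # SSH wire "string": 4-byte big-endian length, then the bytes.
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(value: int) -> bytes:
    # SSH "mpint": big-endian two's complement; a leading 0x00 keeps it positive.
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)


def make_rsa_pubkey_line(e: int, n: int, comment: str = "") -> str:
    """Build an OpenSSH 'ssh-rsa AAAA...' line from RSA parameters. Used here
    only to construct sample input; a real switch exports its own key."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    line = "ssh-rsa " + base64.b64encode(blob).decode("ascii")
    return line + (" " + comment if comment else "")


def parse_pubkey_line(line: str) -> Tuple[str, bytes]:
    """Return (key_type, raw_blob). A pasted key is rejected if the blob does
    not start with the declared type, which catches a mangled paste."""
    parts = line.strip().split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64 blob> [comment]'")
    key_type, b64 = parts[0], parts[1]
    blob = base64.b64decode(b64, validate=True)
    if len(blob) < 4:
        raise ValueError("blob too short")
    (tlen,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + tlen] != key_type.encode("ascii"):
        raise ValueError("key type inside blob does not match declared type")
    return key_type, blob


def fingerprint_md5(blob: bytes) -> str:
    # Colon-separated MD5 of the blob: the form 2005-era OpenSSH printed.
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))


def fingerprint_sha256(blob: bytes) -> str:
    # Modern OpenSSH form: SHA256:<base64 without padding>.
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


class SwitchKeyStore:
    """Known public keys of network access devices, keyed by switch ID."""

    def __init__(self) -> None:
        self._keys: Dict[int, bytes] = {}

    def import_key(self, switch_id: int, line: str,
                   expected_md5: Optional[str] = None) -> str:
        """Store the switch's key and return its MD5 fingerprint.

        Refuses a key whose fingerprint differs from one confirmed out of band
        (expected_md5), and refuses a key that differs from one already stored
        for this switch: the old entry must be deleted first, as the guide's
        reimport procedure requires, so a silently changed host key is never
        accepted by accident."""
        _, blob = parse_pubkey_line(line)
        fp = fingerprint_md5(blob)
        if expected_md5 is not None and fp.lower() != expected_md5.lower():
            raise ValueError(f"switch {switch_id}: fingerprint {fp} does not match {expected_md5}")
        stored = self._keys.get(switch_id)
        if stored is not None and stored != blob:
            raise ValueError(f"switch {switch_id}: key changed from {fingerprint_md5(stored)}; delete before reimport")
        self._keys[switch_id] = blob
        return fp

    def delete(self, switch_id: int) -> None:
        self._keys.pop(switch_id, None)

    def has_key(self, switch_id: int) -> bool:
        return switch_id in self._keys
```

The store deliberately has no "replace" operation: a changed key is either an administrator's planned regeneration (delete, then import) or something to investigate, and the code makes the operator say which.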
The HealthCheck menu includes the following options:
/cfg/domain #/switch #/hlthchk followed by:
interval <interval>: Sets the time interval between checks for switch activity. interval is an integer that indicates the time interval in seconds (s), minutes (m), or hours (h). The valid range is 60s (1m) to 64800s (18h). The default is 1m (1 minute).
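The interval syntax above (an integer with an s, m or h suffix, bounded at 60s and 64800s) is also used by the TunnelGuard heartbeat on page 133, there with an upper bound of 86400s. The following Python, added here and not part of the guide or the SNAS software, parses and validates that syntax and works out how long a silent switch can go unnoticed before deadcnt consecutive missed checks declare it dead. The guide's table does not spell out what deadcnt counts; treating it as the number of missed checks is an assumption of this example.

```python
"""Added example (not from the Nortel guide): parse the <integer>[s|m|h]
interval syntax used by hlthchk interval (60s..64800s) and tg heartbeat
(60s..86400s), and compute the worst-case detection delay for a dead switch."""
import re

_INTERVAL_RE = re.compile(r"^\s*(\d+)\s*([smh]?)\s*$", re.IGNORECASE)
_UNIT_SECONDS = {"": 1, "s": 1, "m": 60, "h": 3600}

HLTHCHK_MIN, HLTHCHK_MAX = 60, 64800      # 1m .. 18h, HealthCheck menu
HEARTBEAT_MIN, HEARTBEAT_MAX = 60, 86400  # 1m .. 24h, TunnelGuard menu


def parse_interval(text: str, lo: int, hi: int) -> int:
    """Return the interval in seconds, raising ValueError when the string is
    malformed or outside [lo, hi]. A bare number is taken as seconds; that is
    an assumption, since the guide always shows a unit suffix."""
    match = _INTERVAL_RE.match(text)
    if not match:
        raise ValueError(f"bad interval {text!r}: expected <integer>[s|m|h]")
    seconds = int(match.group(1)) * _UNIT_SECONDS[match.group(2).lower()]
    if not lo <= seconds <= hi:
        raise ValueError(f"interval {text!r} = {seconds}s is outside {lo}s..{hi}s")
    return seconds


def format_interval(seconds: int) -> str:
    """Render seconds in the largest unit that divides it exactly, the way the
    CLI echoes the default as 1m."""
    for unit, size in (("h", 3600), ("m", 60), ("s", 1)):
        if seconds % size == 0:
            return f"{seconds // size}{unit}"
    return f"{seconds}s"


def seconds_until_dead(interval_text: str, deadcnt: int,
                       lo: int = HLTHCHK_MIN, hi: int = HLTHCHK_MAX) -> int:
    """Longest time a device can be silent before it is declared dead, taking
    deadcnt as the number of consecutive missed checks (an assumption)."""
    if deadcnt < 1:
        raise ValueError("deadcnt must be at least 1")
    return parse_interval(interval_text, lo, hi) * deadcnt
```

With the default 1m interval, a deadcnt of 3 means a switch that stops answering is only noticed after three minutes; shorter intervals cost SSH round trips on every switch in the domain, so pick the value against the number of switches rather than as small as the range allows.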
To restart communication between the Nortel SNAS 4050 and a network access device, use the following command:
/cfg/domain #/switch #/ena
Enter apply to apply the change immediately.

Managing network access devices using the SREM

The Nortel SNAS 4050 starts communicating with the network access device as soon as you enable the switch on the Nortel SNAS 4050.

The Switches screen appears (see “Switch Configuration screen” on page 116).
2 Click Add. The Add a Switch dialog box appears (see Figure 6).
Figure 6 Add a Switch
3 Enter the network access device information in the applicable fields. Table 3 describes the Add a Switch fields.
Table 3 Add a Switch fields
Field / Description
Index: Specifies an integer that uniquely identifies the network access device in the Nortel SNAS 4050 domain.

4 Click Apply. The network access device appears in the list of Switches.
5 Click Commit on the toolbar to save the changes permanently.

Deleting a network access device using the SREM

To remove an existing network access device from the domain configuration, you must first disable it (see “Controlling communication with the network access devices using the SREM” on page 115).

To reconfigure the VLAN mappings for an existing network access device, you must first disable it (see “Controlling communication with the network access devices using the SREM” on page 115). Once the network access device is disabled, complete the following steps:
1 Select the Secure Access Domain > domain > Switches > switch > Configuration tab. The Switch Configuration screen appears (see Figure 7).

2 Enter the network access device information in the applicable fields. Table 4 describes the Switch Configuration fields.
Table 4 Switch Configuration fields
Field / Description
Index: An integer that uniquely identifies the network access device in the Nortel SNAS 4050 domain.
Name: Names or renames the switch. After you have defined a name for the switch, you can use either the switch name or the switch ID to access the network access device.
Mapping the VLANs using the SREM

The VLANs are configured on the network access devices. You specify the Red VLAN for each network access device when you add the switch (see “Adding a network access device using the SREM” on page 91). After adding the switch, you must identify the Yellow and Green VLANs to the Nortel SNAS 4050.

Mapping VLANs by domain

To map VLANs in a domain, select the Secure Access Domain > domain > VLANs tab. The domain VLANs screen appears (see Figure 8), listing all current VLANs applied to the domain.
Figure 8 Domain VLANs screen
This screen allows you to manage VLANs on the domain by adding or deleting entries in the VLAN Table.

Adding VLANs to a domain

To add VLANs to a domain, complete the following steps:
1 Select the Secure Access Domain > domain > VLANs tab. The domain VLANs screen appears (see Figure 8 on page 97).
2 Click Add. The Add a new VLAN dialog box appears (see Figure 9).
Figure 9 Add a new VLAN
3 Enter the VLAN information in the applicable fields. Table 5 describes the Add a new VLAN fields.

Removing VLANs from a domain

To remove existing VLANs from the domain, complete the following steps:
1 Select the Secure Access Domain > domain > VLANs tab. The domain VLANs screen appears (see Figure 8).
2 Select a VLAN entry from the VLAN Table.
3 Click Delete. A dialog box appears to confirm that you want to delete this VLAN.
4 Click Yes. The VLAN disappears from the VLAN Table.

Mapping VLANs by switch

To map VLANs by switch, you must first disable the network access device (see “Controlling communication with the network access devices using the SREM” on page 115). Once the network access device is disabled, select the Secure Access Domain > domain > Switches > switch > VLANs tab. The switch VLANs screen appears (see Figure 10), listing all current VLANs applied to the switch.

• “Removing VLANs from a switch” on page 102

Adding VLANs to a switch

To add VLANs to a switch, complete the following steps:
1 Select the Secure Access Domain > domain > Switches > switch > VLANs tab. The switch VLANs screen appears (see Figure 10 on page 100).
2 Click Add. The Add a new VLAN dialog box appears (see Figure 11).
Figure 11 Add a new VLAN
3 Enter the VLAN information in the applicable fields.

Removing VLANs from a switch

To remove existing VLANs from the switch, complete the following steps:
1 Select the Secure Access Domain > domain > Switches > switch > VLANs tab. The switch VLANs screen appears (see Figure 10).
2 Select a VLAN entry from the VLAN Table.
3 Click Delete. A dialog box appears to confirm that you want to delete this VLAN.
4 Click Yes. The VLAN disappears from the VLAN Table.
If you created the domain manually, the SSH key was generated automatically (see “Manually creating a domain using the SREM” on page 152).
Note: The SSH key for the Nortel SNAS 4050 domain is not the same as the SSH key generated during initial setup for all Nortel SNAS 4050 hosts in the cluster (see “Initial setup”, step 15 on page 57).
2 Export the Nortel SNAS 4050 public key to each network access device.

If the network access device is reset to its factory defaults, it generates a new public key. You must reimport the key whenever the switch generates a new public key (see “Reimporting the network access device SSH key using the SREM” on page 110).
Note: In general, click Apply on the toolbar immediately after you change any of the SSH settings.

Generating SSH keys for the domain using the SREM

To generate, view, and export the public SSH key for the domain, complete the following steps:
1 Select the Secure Access Domain > domain > SSH Key > Key Generation tab. The Key Generation screen appears (see Figure 12).

Table 7 describes the fields and controls available from the Key Generation screen.
Table 7 Key Generation fields
Field / Description
Generate SSH Key: Generates an SSH public key for the domain. There can be only one key in effect for the Nortel SNAS 4050 domain at any one time. If a key already exists, you are prompted to confirm that you want to replace it. Click Apply and Commit on the toolbar to save the change immediately and create the key.

The Export Key screen appears (see Figure 13).

2 Enter the export information in the applicable fields. Table 8 describes the fields available from the Export Key screen.
Table 8 Export Key fields
Field / Description
Protocol: Specifies the export protocol to use. The options are:
• tftp
• ftp
• scp
• sftp
Note: Use TFTP to export to an Ethernet Routing Switch 5500 Series switch. Ethernet Routing Switch 5500 Series switches do not support the other protocols. TFTP provides neither authentication nor integrity protection for the transfer, so after a TFTP export confirm on the switch that the installed key matches the domain public key shown on the Key Generation screen (or by /cfg/domain #/sshkey/show) before you enable the switch.
Managing SSH keys for Nortel SNA communication using the SREM

To retrieve the public key for the network access device and export the public key for the domain, complete the following steps:
1 Select the Secure Access Domain > domain > Switches > switch > SSH Key tab. The switch SSH Key screen appears (see Figure 14).

Table 9 describes the fields and controls available from the switch SSH Key screen.
Table 9 Switch SSH Key fields
Field / Description
User Name: The user name of an administrative user (rwa) on the network access device. (Required for Ethernet Routing Switch 8300 only.)
Import SSH Key from Switch: Retrieves the SSH public key from the network access device, if it is reachable.

The switch SSH Key screen appears (see Figure 14 on page 109).
2 Click Delete Switch SSH Key.
3 Click Apply on the toolbar to send the current changes to the Nortel SNAS 4050. Click Commit on the toolbar to save the changes permanently.
4 Click Import SSH Key from Switch.
5 Click Apply on the toolbar to send the current changes to the Nortel SNAS 4050. Click Commit on the toolbar to save the changes permanently.

The Health Check screen appears (see Figure 15).

2 Enter the health check information in the applicable fields. Table 10 describes the Health Check fields.
Table 10 Health Check fields
Field / Description
Interval: Sets the time interval between checks for switch activity. Accepts an integer that indicates the time interval in seconds (s), minutes (m), or hours (h). The valid range is 60s (1m) to 64800s (18h). The default is 1m (1 minute).

The Connected Clients screen appears, displaying information about the connection status and a list of all connected clients. Table 11 describes the Connected Clients fields.
Table 11 Connected Clients fields
Field / Description
Auto Refresh: Specifies whether the information displayed is automatically refreshed.
Interval: Specifies the interval in seconds before the screen is automatically refreshed. Only applicable if Auto Refresh is selected.

Controlling communication with the network access devices using the SREM

To stop communication between the Nortel SNAS 4050 and a network access device, disable the switch. Click Apply and Commit to apply the change immediately.
Note: If the switch is not going to be used in the Nortel SNA network, Nortel recommends deleting the switch from the Nortel SNAS 4050 domain, rather than just disabling it.

To disable or enable the network access device, perform the following steps:
1 Select the Secure Access Domain > domain > Switches > switch > Configuration tab. The network access device Configuration screen appears (see Figure 16).
Figure 16 Switch Configuration screen
2 Ensure the Enable Switch setting is correct.
Chapter 4 Configuring the domain

This chapter includes the following topics:
Topic / Page
Configuring the domain using the CLI 118
Roadmap of domain commands 119
Creating a domain using the CLI 121
Deleting a domain using the CLI 129
Configuring domain parameters using the CLI 130
Configuring the TunnelGuard check using the CLI 132
Configuring the SSL server using the CLI 135
Configuring HTTP redirect using the CLI 144
Configuring advanced settings using the CLI 145
Configuring RADIUS

A Nortel SNAS 4050 domain encompasses all the switches, authentication servers, and remediation servers associated with that Nortel SNAS 4050 cluster. If you ran the quick setup wizard during initial setup, Domain 1 has been created. If you did not run the quick setup wizard, you must create at least one domain. For information about creating a domain, see “Creating a domain using the CLI” on page 121 or “Creating a domain using the SREM” on page 151.

• logging traffic with syslog messages
• portal settings (see “Customizing the portal and user logon” on page 385)
  • captive portal
  • portal look and feel
  • linksets
• the network access devices (see “Managing the network access devices” on page 71)
• the Nortel SNA VLANs (see “Managing the network access devices” on page 71)
• SSH keys for the domain (see “Managing SSH keys using the CLI” on page 84)
• HTTP redirect settings (see “Configuring HTTP redirect using th

Roadmap of domain commands (continued)

Command / Parameter
(/cfg/domain #/aaa/tg, continued): details on|off; loglevel fatal|error|warning|info|debug
/cfg/domain #/aaa/tg/quick
/cfg/domain #/server: port, interface, dnsname
/cfg/domain #/server/trace: ssldump, tcpdump, ping, dnslookup, traceroute
/cfg/domain #/server/ssl: cert, cachesize, cachettl, cacerts, cachain, protocol ssl2|ssl3|ssl23|tls1, ciphers, ena, dis

Command / Parameter
(continued): redir on|off
/cfg/domain #/adv: interface, log
/cfg/domain #/aaa/radacct: ena, dis
/cfg/domain #/aaa/radacct/servers: list, del, add, insert, move
/cfg/domain #/aaa/radacct/vpnattribu: vendorid, vendortype

Creating a domain using the CLI

You can create a domain in two ways:
• “Manually creating a domain using the CLI” on page 121
• “Usi
When you first create the domain, you are prompted to enter the following parameters:
• domain name — a string that identifies the domain on the Nortel SNAS 4050, as a mnemonic aid. The maximum length of the string is 255 characters.
• portal Virtual IP address (pVIP) — the IP address of the Nortel SNAS 4050 portal. You can have more than one pVIP for a domain. To specify more than one pVIP, use a comma separator.

Figure 17 Creating a domain
>> Main# /cfg/domain
Enter domain number (1-256): 2
Creating Domain 2
Domain name: MyDomain
Enter Domain Portal Vips(comma separated): 10.40.40.100
Entering: SSH key menu
Generating new SSH key, this operation takes a few seconds... done.

Depending on the options you select in connection with certificates and creating a test user, the two wizards also create similar default settings (see “Settings created by the quick setup wizard” on page 60). You can later modify all settings created by the domain quick setup wizard (see “Configuring domain parameters using the CLI” on page 130).
1 Launch the domain quick setup wizard.
>> Main# cfg/quick
2 Specify the pVIP of the Nortel SNAS 4050 domain.

c To use an existing certificate, enter the applicable certificate number. Go to step 8 on page 126. Use the /info/certs command to view the main attributes of all configured certificates. The certificate number is shown in the Certificate Menu line (for example, Certificate Menu 1:). For more information about certificates and keys, see “Managing certificates” on page 569.
6 To create a new certificate:
a At the prompt to create a test certificate, enter No.

c To continue, go to step 8 on page 126.
Use existing certificate (no/1) [no]:
Create a test certificate? (yes/no): yes
The combined length of the following parameters may not exceed 225 bytes.

11 To add a network access device, enter the required information when prompted. For more information, see “Using the quick switch setup wizard” on page 75.
Do you want to configure a switch? (yes/no) [no]: yes
Enter the type of the switch (ERS8300/ERS5500) [ERS8300]:
IP address of Switch:
NSNA communication port[5000]:
Red vlan id of Switch:
To continue, go to step 12.
12 Specify the action to be performed when an SRS rule check fails.

The wizard assigns the following default VLAN IDs:
• Green VLAN = VLAN ID 110
• Yellow VLAN = VLAN ID 120
You can change the VLAN mappings when you add or modify the network access devices (see “Configuring the network access devices using the CLI” on page 80). You specify the Red VLAN when you add the network access device to the domain. The components created by the wizard depend on the selections you made in the preceding steps.

Creating Domain 2
Creating Client Filter 1
Name: tg_passed
Creating Client Filter 2
Name: tg_failed
Creating Linkset 1
Name: tg_passed
This Linkset just prints the TG result
Creating Linkset 2
Name: tg_failed
This Linkset just prints the TG result
Creating Group 1
Name: tunnelguard
Creating Extended Profile 1
Giving full access when tg passed
Creating "green" vlan with id 110
Creating Access rule 1
Giving remediation access when tg failed
Creating Extended Profile 2
Cre
Configuring domain parameters using the CLI

To configure the domain, use the following command:
/cfg/domain <domain ID>
where domain ID is an integer in the range 1 to 256 that uniquely identifies the domain in the Nortel SNAS 4050 cluster. The Domain menu displays. The Domain menu includes the following options:
/cfg/domain # followed by:
name: Names or renames the domain. name is a string that must be unique in the Nortel SNAS 4050 cluster.

/cfg/domain # followed by:
portal: Accesses the Portal menu, in order to customize the portal page that displays in the client’s web browser (see “Customizing the portal and user logon” on page 385).
linkset: Accesses the Linkset menu, in order to configure the linksets to display on the portal Home tab (see “Configuring linksets using the CLI” on page 411).

Configuring the TunnelGuard check using the CLI

Before an authenticated client is allowed into the network, the TunnelGuard application checks client host integrity by verifying that the components required for the client’s personal firewall (executables, DLLs, configuration files, and so on) are installed and active on the client PC.

/cfg/domain #/aaa/tg followed by:
heartbeat <interval>: Sets the time interval between checks for client activity. interval is an integer that indicates the time interval in seconds (s), minutes (m), or hours (h). The valid range is 60s (1m) to 86400s (24h). The default is 1m (1 minute).
hbretrycnt: Specifies the number of times the Nortel SNAS 4050 will repeat the check for client activity when no heartbeat is detected.

/cfg/domain #/aaa/tg followed by:
details on|off: Specifies whether SRS failure details can be displayed on the portal page. Valid options are:
• on — details will be displayed
• off — details will not be displayed
The default is off. If set to on, the client can click on the TG icon on the portal page to display details about which elements of the SRS rule check failed.

The TunnelGuard quick setup wizard creates a default SRS rule (srs-rule-test). This rule checks for the presence of a text file on the client’s machine (C:\tunnelguard\tg.txt). Figure 18 shows sample output for the TunnelGuard quick setup wizard.

Figure 18 TunnelGuard quick setup wizard
>> Main# /cfg/domain #/aaa/tg/quick
In the event that the TunnelGuard checks fails on a client, the session can be teardown, or left in restricted mode with limited access.
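The following Python, added here and not part of the Nortel guide or the TunnelGuard agent, shows the shape of the check the text describes: an SRS-style rule listing required elements, an evaluator that reports every element that failed (so the details on|off setting has something to show), and the mapping of the result to the wizard's two failure actions (teardown or restricted mode). Beyond the page's presence check, each element may also carry an expected SHA-256 digest, which is a stronger test of "installed" than the existence of a file. A caveat a practitioner should keep in mind: the default rule's text file is something any client can create, and even a hash check is performed by software on the client being checked, so treat the result as a hygiene signal rather than attestation. The client directory and file contents below are constructed for the example.

```python
"""Added example (not from the Nortel guide or the TunnelGuard agent): a
minimal SRS-style host-integrity evaluator. The wizard's srs-rule-test only
checks that C:\\tunnelguard\\tg.txt exists; this version additionally allows an
expected SHA-256 per element, which goes beyond the page, and maps the result
to the guide's two failure actions (teardown or restricted mode) and its
details on|off switch."""
import hashlib
import os
import tempfile
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Relative form of the wizard's default element, C:\tunnelguard\tg.txt.
TG_TXT = os.path.join("tunnelguard", "tg.txt")


@dataclass
class SrsRule:
    name: str
    # element path -> expected SHA-256 hex digest, or None for presence only
    required: Dict[str, Optional[str]]


@dataclass
class SrsResult:
    rule: str
    passed: bool
    failed_elements: List[str] = field(default_factory=list)


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _sha256_file(path: str) -> str:
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def evaluate(rule: SrsRule, root: str) -> SrsResult:
    """Check every required element under root (standing in for the client's
    drive). All elements are checked, not just the first failure, so the
    details shown on the portal are complete."""
    failed: List[str] = []
    for element, expected in rule.required.items():
        path = os.path.join(root, element)
        if not os.path.isfile(path):
            failed.append(f"{element}: missing")
        elif expected is not None and _sha256_file(path) != expected:
            failed.append(f"{element}: hash mismatch")
    return SrsResult(rule.name, not failed, failed)


def decide(result: SrsResult, on_fail: str = "restricted", details: bool = False) -> dict:
    """Map an SRS result to the session outcome: Green VLAN access on pass;
    on failure either tear the session down or leave it restricted with
    remediation access. Failure details reach the portal only when details
    is on, mirroring /cfg/domain #/aaa/tg details on|off."""
    if on_fail not in ("restricted", "teardown"):
        raise ValueError("on_fail must be 'restricted' or 'teardown'")
    if result.passed:
        return {"access": "green", "session": "active", "details": []}
    restricted = on_fail == "restricted"
    return {
        "access": "remediation" if restricted else "none",
        "session": "restricted" if restricted else "torn down",
        "details": list(result.failed_elements) if details else [],
    }


def default_test_rule() -> SrsRule:
    """The wizard's srs-rule-test: tg.txt must be present."""
    return SrsRule("srs-rule-test", {TG_TXT: None})


def make_client_dir(files: Dict[str, bytes]) -> str:
    """Constructed stand-in for a client's drive: a temporary directory holding
    the given files."""
    root = tempfile.mkdtemp(prefix="tg-client-")
    for element, data in files.items():
        path = os.path.join(root, element)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as handle:
            handle.write(data)
    return root
```

Run evaluate() against make_client_dir({}) and against make_client_dir({TG_TXT: b"ok\n"}) to see the two outcomes; a rule with a pinned digest fails with "hash mismatch" rather than "missing" when the file is present but altered.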
The Server 1001 menu includes the following options:
/cfg/domain #/server followed by:
port <port>: Specifies the port on which the portal server listens for HTTPS communications. port is an integer in the range 1–65534 that indicates the TCP port number. The default is 443.
interface <interface ID>: Specifies the backend interface used by the server. interface ID is an integer that indicates the interface number. The default is 0.

The Trace menu displays. The Trace menu includes the following options:
/cfg/domain #/server/trace followed by:
ssldump: Creates a dump of the SSL traffic flowing between clients and the portal server. You are prompted to enter the following information: ssldump flags and ssldump filter — for more information about the flags and filter expressions available for SSLDUMP using UNIX, see http://www.tcpdump.org/tcpdump_man.html.

/cfg/domain #/server/trace followed by:
tcpdump: Creates a dump of the TCP traffic flowing between clients and the virtual SSL server. You are prompted to enter the following information: tcpdump flags and tcpdump filter — for more information about the flags and filter expressions available for TCPDUMP using UNIX, see http://www.tcpdump.org/tcpdump_man.html.

/cfg/domain #/server/trace followed by:
dnslookup <host>: Finds the IP address for a machine whose host name you specify, or the host name of a machine whose IP address you specify. host is the host name or IP address of the machine. If a backend interface is mapped to the current Nortel SNAS 4050 domain, the check is made through the backend interface.

The SSL Settings menu includes the following options:
/cfg/domain #/server/ssl followed by:
cert: Specifies which server certificate the portal server will use. You cannot specify more than one server certificate for the server to use at any one time.

/cfg/domain #/server/ssl followed by:
cachain <certificate index list>: Specifies the CA certificate chain of the server certificate. certificate index list is a comma-separated list of the certificate index numbers assigned to the certificates in the chain. The chain starts with the issuing CA certificate of the server certificate and can range up to the root CA certificate. The command explicitly constructs the server certificate chain.
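Because cachain takes the chain as an explicit, ordered index list, the two classic TLS deployment mistakes (intermediate missing, or chain listed root-first) are both easy to make at this prompt and both leave clients unable to validate the portal certificate. The following Python, added here and not part of the Nortel guide or the SNAS software, derives the issuing-CA-first index list from the subject and issuer names of the certificates on the box, refusing to produce a list when an issuer is not configured or when issuer links loop. Certificates are modelled as (index, subject, issuer) records and the sample inventory's names are invented; on a real unit the index numbers come from /info/certs.

```python
"""Added example (not from the Nortel guide): derive the issuing-CA-first
index list that /cfg/domain #/server/ssl/cachain expects from the subject
and issuer names of the configured certificates."""
from typing import Dict, List, NamedTuple


class CertInfo(NamedTuple):
    index: int      # certificate number as shown in the Certificate Menu line
    subject: str
    issuer: str

    def is_self_signed(self) -> bool:
        return self.subject == self.issuer


def build_cachain(server_index: int, certs: Dict[int, CertInfo],
                  include_root: bool = True) -> List[int]:
    """Walk issuer links upward from the server certificate and return the
    CA indexes in chain order (issuing CA first), optionally ending with the
    self-signed root.

    Raises if an issuer is not configured (clients would receive an
    incomplete chain and fail validation) or if issuer links loop."""
    if server_index not in certs:
        raise KeyError(f"server certificate {server_index} is not configured")
    by_subject: Dict[str, CertInfo] = {}
    for cert in certs.values():
        if cert.index != server_index:
            by_subject.setdefault(cert.subject, cert)
    chain: List[int] = []
    seen = {server_index}
    current = certs[server_index]
    while not current.is_self_signed():
        issuer = by_subject.get(current.issuer)
        if issuer is None:
            raise ValueError(
                f"issuer {current.issuer!r} of certificate {current.index} is not configured")
        if issuer.index in seen:
            raise ValueError(f"issuer loop at certificate {issuer.index}")
        if issuer.is_self_signed() and not include_root:
            break
        chain.append(issuer.index)
        seen.add(issuer.index)
        current = issuer
    return chain


def cachain_argument(server_index: int, certs: Dict[int, CertInfo],
                     include_root: bool = True) -> str:
    """Comma-separated form to type at the cachain prompt."""
    return ",".join(str(i) for i in build_cachain(server_index, certs, include_root))


def sample_certs() -> Dict[int, CertInfo]:
    """Constructed inventory: server certificate (1), intermediate (2), root (3)."""
    return {
        1: CertInfo(1, "CN=nsnas.example.net", "CN=Example Issuing CA"),
        2: CertInfo(2, "CN=Example Issuing CA", "CN=Example Root CA"),
        3: CertInfo(3, "CN=Example Root CA", "CN=Example Root CA"),
    }
```

Matching on subject and issuer names is what the example can do without parsing DER; when two configured CAs share a subject name (a cross-signed CA), the name match is ambiguous and the authority key identifier in the real certificates should decide.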
/cfg/domain #/server/ssl followed by:
ena: Enables SSL on the portal server. SSL is enabled by default.
dis: Disables SSL on the portal server. SSL is enabled by default.

Configuring traffic log settings using the CLI

You can configure a syslog server to receive User Datagram Protocol (UDP) syslog messages for all HTTP requests handled by the portal server.

To set up a syslog server to receive UDP syslog messages for all HTTP requests handled by the portal server, use the following command:
/cfg/domain #/server/adv/traflog
The Traffic Log Settings menu displays. The Traffic Log Settings menu includes the following options:
/cfg/domain #/server/adv/traflog followed by:
sysloghost: Specifies the IP address of the syslog server.
udpport: Specifies the UDP port number of the syslog server.

/cfg/domain #/server/adv/traflog followed by:
dis: Disables traffic logging with syslog messages. Traffic logging with syslog messages is disabled by default.

Configuring HTTP redirect using the CLI

You can configure the Nortel SNAS 4050 domain to automatically redirect HTTP requests to the HTTPS server. For example, a client request directed to http://nsnas.com is automatically redirected to https://nsnas.com.

Configuring advanced settings using the CLI

You can configure the following advanced settings for the Nortel SNAS 4050 domain:
• a backend interface
• logging options
To map a backend interface to the domain and to configure logging options, use the following command:
/cfg/domain #/adv
The Advanced menu displays.

Configuring RADIUS accounting using the CLI

The Nortel SNAS 4050 can be configured to provide support for logging administrative operations and user session start and stop messages to a RADIUS accounting server. With RADIUS accounting enabled, the Nortel SNAS 4050 sends an accounting request start packet to the accounting server for each user who successfully authenticates to the Nortel SNAS 4050 domain.
When you add an external RADIUS accounting server to the configuration, the server is automatically assigned an index number. Nortel SNAS 4050 accounting will be performed by the available server with the lowest index number. You can control accounting server usage by reassigning index numbers (see “Managing RADIUS accounting servers using the CLI” on page 147).

The Radius Accounting Servers menu includes the following options:
/cfg/domain #/aaa/radacct/servers followed by:
list: Lists the IP addresses of currently configured RADIUS accounting servers, by index number.
del: Removes the specified RADIUS accounting server from the current configuration. The index numbers of the remaining entries adjust accordingly.

Configuring Nortel SNAS 4050-specific attributes using the CLI

The RADIUS accounting server uses Vendor-Id and Vendor-Type attributes in combination to identify the source of the accounting information. The attributes are sent to the RADIUS accounting server together with the accounting information for the logged in user. You can assign vendor-specific codes to the Vendor-Id and Vendor-Type attributes for the Nortel SNAS 4050 domain.

The VPN Attribute menu includes the following options:
/cfg/domain #/aaa/radacct/vpnattribu followed by:
vendorid: Corresponds to the vendor-specific attribute used by the RADIUS accounting server to identify accounting information from the Nortel SNAS 4050 domain. The default Vendor-Id is 1872 (Alteon).
vendortype: Corresponds to the Vendor-Type value used in combination with the Vendor-Id to identify accounting information from the Nortel SNAS 4050 domain.
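To make concrete what the accounting server actually receives, the following Python, added here and not part of the Nortel guide or the SNAS software, builds a RADIUS Accounting-Request (RFC 2866) for a session Start or Stop and shows where the Vendor-Id and Vendor-Type configured above end up: inside a Vendor-Specific attribute (RFC 2865 section 5.26) whose 4-byte vendor field defaults to 1872. It also implements the server-side check of the Request Authenticator, which is how the accounting server decides whether the record came from a holder of the shared secret. The user name, session ID, vendor type and value are constructed for the example; the exact attributes the SNAS sends are not documented on this page.

```python
"""Added example (not from the Nortel guide or the SNAS software): build and
verify a RADIUS Accounting-Request (RFC 2866) carrying the Vendor-Specific
attribute that the guide's vendorid/vendortype settings control."""
import hashlib
import hmac
import struct
from typing import List, Optional, Tuple

ACCOUNTING_REQUEST = 4          # RADIUS code for Accounting-Request
ATTR_USER_NAME = 1
ATTR_VENDOR_SPECIFIC = 26
ATTR_ACCT_STATUS_TYPE = 40
ATTR_ACCT_SESSION_ID = 44
ACCT_START, ACCT_STOP = 1, 2    # Acct-Status-Type values
DEFAULT_VENDOR_ID = 1872        # Alteon, the guide's default vendorid


def attribute(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value; the length byte covers the 2-byte header too."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("BB", attr_type, len(value) + 2) + value


def vendor_specific(vendor_id: int, vendor_type: int, value: bytes) -> bytes:
    """RFC 2865 section 5.26 layout: 4-byte Vendor-Id, then vendor-type,
    vendor-length and the vendor value."""
    inner = struct.pack("BB", vendor_type, len(value) + 2) + value
    return attribute(ATTR_VENDOR_SPECIFIC, struct.pack(">I", vendor_id) + inner)


def build_accounting_request(identifier: int, secret: bytes, status: int,
                             user: str, session_id: str, vendor_type: int,
                             vendor_value: bytes,
                             vendor_id: int = DEFAULT_VENDOR_ID) -> bytes:
    """Start (status=1) or Stop (status=2) record for one user session.

    The Request Authenticator is MD5(Code + ID + Length + 16 zero bytes +
    attributes + shared secret). It lets the server reject records from a
    sender without the secret, but gives no confidentiality, and MD5 over a
    short secret is weak: keep the accounting server on a trusted network."""
    attrs = (attribute(ATTR_ACCT_STATUS_TYPE, struct.pack(">I", status))
             + attribute(ATTR_USER_NAME, user.encode("utf-8"))
             + attribute(ATTR_ACCT_SESSION_ID, session_id.encode("ascii"))
             + vendor_specific(vendor_id, vendor_type, vendor_value))
    header = struct.pack(">BBH", ACCOUNTING_REQUEST, identifier & 0xFF, 20 + len(attrs))
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def verify_accounting_request(packet: bytes, secret: bytes) -> bool:
    """Server-side check: recompute the Request Authenticator with the
    authenticator field zeroed and compare in constant time."""
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack(">BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def parse_attributes(packet: bytes) -> List[Tuple[int, bytes]]:
    """Split the attribute area into (type, value) pairs, rejecting lengths
    that run past the end of the packet."""
    out: List[Tuple[int, bytes]] = []
    pos = 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("bad attribute length")
        out.append((attr_type, packet[pos + 2:pos + length]))
        pos += length
    return out


def find_vendor_attribute(packet: bytes, vendor_id: int) -> Optional[Tuple[int, bytes]]:
    """Return (vendor_type, value) of the first VSA for vendor_id, if any."""
    for attr_type, value in parse_attributes(packet):
        if attr_type != ATTR_VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack(">I", value[:4])[0] != vendor_id:
            continue
        vendor_type, vendor_len = value[4], value[5]
        return vendor_type, value[6:4 + vendor_len]
    return None
```

A server that filters on Vendor-Id 1872 will attribute the record to the domain; changing vendorid on the SNAS without the matching change on the accounting server simply makes the records anonymous, which is worth checking after any edit to this menu.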
Chapter 4 Configuring the domain 151 • • • • • portal settings (see “Customizing the portal and user logon” on page 385) • captive portal • portal look and feel • linksets the network access devices (see “Managing the network access devices” on page 71) the Nortel SNA VLANs (see “Managing the network access devices” on page 71) SSH keys for the domain (see “Managing SSH keys using the SREM” on page 102) HTTP redirect settings (see “Configuring HTTP redirect using the SREM” on page 181) Creating a domain
Chapter 4 Configuring the domain Manually creating a domain using the SREM To create and configure a domain manually, perform the following steps: 1 Select the Secure Access Domain > Secure Access Domain Table tab. The Secure Access Domain Table screen appears (see Figure 19).
Chapter 4 Configuring the domain 153 2 Click Add. The Add a Secure Access Domain dialog box appears (see Figure 20). Figure 20 Add a Secure Access Domain 3 Enter the domain information in the applicable fields. Table 12 describes the Add a Secure Access Domain fields. Table 12 Add a Secure Access Domain fields Field Description Index Specifies an integer in the range 1 to 256 that uniquely identifies the domain in the Nortel SNAS 4050 cluster.
Using the SREM Domain Quick Wizard

The Nortel SNAS 4050 quick setup wizard is similar to the quick setup wizard available during initial setup. Depending on the options you select in connection with certificates and creating a test user, the two wizards also create similar default settings (see “Settings created by the quick setup wizard” on page 60).

To create a domain using the Nortel SNAS 4050 quick setup wizard, perform the following steps:
1 Select the Secure Access Domain > Domain Quick Wizard tab. The Domain Quick Wizard screen appears (see Figure 21).
2 Click Domain Quick Wizard. The Domain Quick Wizard — General Settings dialog box appears (see Figure 22).

Figure 22 Domain Quick Wizard – General Settings

3 Enter the general domain information in the applicable fields. Table 13 describes the General Settings fields.

Table 13 Domain Quick Wizard — General Settings fields
  Domain IP Address: Specifies the pVIP of the Nortel SNAS 4050 domain.

The Domain Quick Wizard — Certificate dialog box appears (see Figure 23).

Figure 23 Domain Quick Wizard – Certificate

5 Enter the certificate information in the applicable fields. There are three ways to specify certificate information: specifying an existing certificate, creating a test certificate, or entering a new server certificate. Table 14 describes the Certificate fields.

Table 14 Domain Quick Wizard — Certificate fields (continued)
  Organization Name: Specifies the registered name of the organization. The organization must own the domain name that appears in the common name of the web server. Do not abbreviate the organization name and do not use any of the following characters: <>~!@#$%^*/\()?
  Organization Unit: Specifies the name of the department or group that uses the secure web server.

The Domain Quick Wizard — Certificate Chain dialog box appears (see Figure 24).

Figure 24 Domain Quick Wizard – Certificate Chain

7 Enter the certificate chain information in the applicable fields. Table 15 describes the Certificate Chain fields.

Table 15 Domain Quick Wizard — Certificate Chain fields
  Certificate Chain: Specifies whether the SSL server uses chain certificates.

The Domain Quick Wizard — Server dialog box appears (see Figure 25).

Figure 25 Domain Quick Wizard – Server

9 Enter the server information in the applicable fields. Table 16 describes the Server fields.

Table 16 Domain Quick Wizard — Server fields
  Create HTTP or HTTPS Redirect Server: Specifies whether or not to create a redirect server for HTTP to HTTPS redirection.

10 Click Next.

The Domain Quick Wizard — Switch dialog box appears (see Figure 26).

Figure 26 Domain Quick Wizard – Switch

11 To configure a switch, enter the network access device information in the applicable fields. If you do not want to add a switch at this time, continue with step 12. Table 17 describes the Switch fields.

Table 17 Domain Quick Wizard — Switch fields
  Configure a Switch: Specifies whether or not to add a network access device to the domain.

The Domain Quick Wizard — Tunnel Guard dialog box appears (see Figure 27).

Figure 27 Domain Quick Wizard – Tunnel Guard

13 Enter the TunnelGuard information in the applicable fields. Table 18 describes the Tunnel Guard fields.

Table 18 Domain Quick Wizard — Tunnel Guard fields
  Tunnel Guard Action: Specifies the action performed when an SRS rules check fails.

If there are no problems, a dialog appears to indicate that the wizard is processing the information. The wizard creates the domain and assigns the following default VLAN IDs:
• Green VLAN = VLAN ID 110
• Yellow VLAN = VLAN ID 120

You can change the VLAN mappings when you add or modify the network access devices (see “Managing the network access devices” on page 71).

15 Click Close to exit the wizard.
Configuring domain parameters using the SREM

To configure a domain, perform the following steps:
1 Select the Secure Access Domain > domain > Configuration tab. The domain Configuration screen appears (see Figure 28).
2 Enter the domain information in the applicable fields. Table 19 describes the domain Configuration fields.

Table 19 Domain Configuration fields
  Index: Specifies an integer in the range 1 to 256 that uniquely identifies the domain in the Nortel SNAS 4050 cluster. This field cannot be modified after a domain is created.
  Domain Name: Specifies a name for the domain on the Nortel SNAS 4050, as a mnemonic aid.

Additional domain configuration in the SREM

To configure additional domain settings, tabs and tree components are available beyond the Configuration tab. Table 20 describes the purpose of the additional tabs on the Secure Access Domain > domain > Configuration screen.

Table 21 describes the purpose of the additional tree components found within the Secure Access Domain > domain component.

Table 21 Additional domain tree components
  Portal Links: Accesses the Portal Links screens, in order to configure the links and linksets displayed after client authentication is completed. For more information, see “Linksets and links” on page 394.
Configuring the TunnelGuard check using the SREM

Before an authenticated client is allowed into the network, the TunnelGuard application checks client host integrity by verifying that the components required for the client’s personal firewall (executables, DLLs, configuration files, and so on) are installed and active on the client PC.

To configure settings for the TunnelGuard host integrity check and the check result, perform the following steps:
1 Select the Secure Access Domain > domain > AAA > Tunnel Guard > Configuration tab. The TunnelGuard Configuration screen appears (see Figure 29).
2 Enter the TunnelGuard information in the applicable fields. Table 22 describes the TunnelGuard Configuration fields.

Table 22 TunnelGuard Configuration fields
  Recheck Interval: Specifies the time interval between SRS rule rechecks made by the TunnelGuard applet on the client machine. Accepts an integer that indicates the time interval in seconds (s), minutes (m), or hours (h). The valid range is 60s (1m) to 86400s (24h).

Table 22 TunnelGuard Configuration fields (continued)
  Display SRS Failure Details: Specifies whether SRS failure details can be displayed.
    • If selected, the details are displayed.
    • If not selected, the details are not displayed.
  The default is off (details are not displayed). If set to on, the client can click the TG icon on the portal page to display details about which elements of the SRS rule check failed.

Using the TunnelGuard Quick Setup in the SREM

To configure settings for the TunnelGuard host integrity check and the check result, perform the following steps:
1 Select the Secure Access Domain > domain > AAA > Tunnel Guard > Quick Setup tab. The TunnelGuard Quick Setup screen appears (see Figure 30).
2 Enter the TunnelGuard information in the applicable fields. Table 23 describes the TunnelGuard Quick Setup fields.

Table 23 TunnelGuard Quick Setup fields
  Action for Tunnel Guard check failure: Specifies the action performed when an SRS rules check fails.
Configuring the SSL server using the SREM

To configure settings for the SSL server, perform the following steps:
1 Select the Secure Access Domain > domain > Server > Configuration tab. The server Configuration screen appears (see Figure 31).
2 Enter the server information in the applicable fields. Table 24 describes the server Configuration fields.

Table 24 Server Configuration fields
  Port: Specifies the port on which the portal server listens for HTTPS communications. Accepts an integer in the range 1–65534 that indicates the TCP port number. The default is 443.
  DNS Name: Specifies a DNS name for the portal IP address.
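Several of the field descriptions above state hard limits (domain Index 1 to 256 in Table 12, the forbidden Organization Name characters in Table 14, the TunnelGuard Recheck Interval of 60s to 86400s with s/m/h units in Table 22, and the HTTPS port 1 to 65534 in Table 24). The following Python script is an added example, not code from the user guide or from Nortel, that validates a set of planned wizard inputs against those limits before an operator types them into the SREM; the field names in the settings dictionary and the sample values are this example's own.

```python
import re

# Constraints as stated in the field descriptions of Tables 12, 14, 22 and 24.
DOMAIN_INDEX_RANGE = (1, 256)           # Table 12 / Table 19: domain Index
TCP_PORT_RANGE = (1, 65534)             # Table 24: HTTPS listening port
RECHECK_INTERVAL_SECONDS = (60, 86400)  # Table 22: 60s (1m) to 86400s (24h)
ORG_NAME_FORBIDDEN = set('<>~!@#$%^*/\\()?')  # Table 14: Organization Name

_INTERVAL_RE = re.compile(r'^(\d+)\s*([smh])$')
_UNIT_SECONDS = {'s': 1, 'm': 60, 'h': 3600}


def parse_interval(text):
    """Convert a value such as '60s', '5m' or '24h' into seconds.

    Raises ValueError when the syntax is not <integer><s|m|h>.
    """
    match = _INTERVAL_RE.match(text.strip().lower())
    if not match:
        raise ValueError(f"recheck interval {text!r} must be an integer followed by s, m or h")
    return int(match.group(1)) * _UNIT_SECONDS[match.group(2)]


def check_range(name, value, bounds):
    """Return value as an int if it lies within [lo, hi]; raise ValueError otherwise."""
    lo, hi = bounds
    try:
        number = int(value)
    except (TypeError, ValueError):
        raise ValueError(f"{name} {value!r} is not an integer") from None
    if not lo <= number <= hi:
        raise ValueError(f"{name} {number} is outside the range {lo} to {hi}")
    return number


def check_org_name(name):
    """Reject the characters the wizard does not accept in Organization Name."""
    if not name.strip():
        raise ValueError("organization name is empty")
    bad = sorted(set(name) & ORG_NAME_FORBIDDEN)
    if bad:
        raise ValueError(f"organization name contains forbidden characters: {''.join(bad)}")
    return name.strip()


def validate_domain_settings(settings):
    """Validate a dict of planned wizard inputs (field names are this example's own).

    Returns (normalized, errors): normalized holds the parsed values of the
    fields that passed, errors holds one message per failing field, so the
    operator sees every problem at once rather than one per wizard page.
    """
    checks = {
        'index': lambda v: check_range('domain index', v, DOMAIN_INDEX_RANGE),
        'https_port': lambda v: check_range('HTTPS port', v, TCP_PORT_RANGE),
        'recheck_interval': lambda v: check_range(
            'recheck interval', parse_interval(v), RECHECK_INTERVAL_SECONDS),
        'organization_name': check_org_name,
    }
    normalized, errors = {}, []
    for field_name, check in checks.items():
        if field_name not in settings:
            errors.append(f"missing field: {field_name}")
            continue
        try:
            normalized[field_name] = check(settings[field_name])
        except ValueError as exc:
            errors.append(str(exc))
    return normalized, errors


if __name__ == '__main__':
    # Constructed sample input; the interval below is deliberately out of range.
    planned = {'index': '3', 'https_port': 443, 'recheck_interval': '30s',
               'organization_name': 'Example Corp'}
    values, problems = validate_domain_settings(planned)
    print(values)
    for problem in problems:
        print('error:', problem)
```

Note that the interval check converts to seconds first, so "1m" and "60s" are both accepted as the lower bound exactly as the table describes, and a value such as "10 minutes" is rejected on syntax rather than silently truncated.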
Configuring SSL settings using the SREM

To configure SSL-specific settings for the portal server, perform the following steps:
1 Select the Secure Access Domain > domain > Server > SSL Settings tab. The server SSL Settings screen appears (see Figure 32).
2 Enter the server information in the applicable fields. Table 25 describes the server SSL Settings fields.

Table 25 Server SSL Settings fields
  Certificate: Specifies which server certificate the portal server uses. You cannot specify more than one server certificate for the server to use at any one time.
  Status: Specifies whether SSL is enabled on the portal server. The default is enabled.

Table 25 Server SSL Settings fields (continued)
  CA Chain List: Specifies the CA certificate chain of the server certificate. Select certificates from the list to create the chain. The chain starts with the issuing CA certificate of the server certificate and can extend up to the root CA certificate. Note: The SSL server can use chain certificates only if the protocol version is set to ssl3 or ssl23.
To set up a syslog server to receive UDP syslog messages for all HTTP requests handled by the portal server, perform the following steps:
1 Select the Secure Access Domain > domain > Server > Traffic Log Syslog Settings tab. The Traffic Log Syslog Settings screen appears (see Figure 33).
2 Enter the traffic log information in the applicable fields. Table 26 describes the Traffic Log Syslog Settings fields.

Table 26 Traffic Log Syslog Settings fields
  IP Address: Specifies the IP address of the syslog server.
  UDP Port: Specifies the UDP port number of the syslog server. Accepts an integer in the range 1–65534 that indicates the UDP port number. The default is 514.
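The receiving side of the traffic log is where the security value lies: once every portal HTTP request arrives as a UDP syslog datagram, a collector can decode it and flag unusual patterns such as a burst of 4xx responses from one client. The following Python collector is an added example, not code from the user guide or from Nortel. It decodes the RFC 3164 <PRI> field into facility and severity, and then applies an assumed per-request message layout (client address, request line, status code), because the guide does not document the exact format the portal server emits; the sample datagrams are constructed, not captured from a Nortel SNAS 4050.

```python
import re
import socket
from collections import Counter

# RFC 3164 facility and severity names, indexed by the values encoded in <PRI>.
FACILITIES = ['kern', 'user', 'mail', 'daemon', 'auth', 'syslog', 'lpr', 'news',
              'uucp', 'cron', 'authpriv', 'ftp', 'ntp', 'audit', 'alert', 'clock',
              'local0', 'local1', 'local2', 'local3', 'local4', 'local5', 'local6', 'local7']
SEVERITIES = ['emerg', 'alert', 'crit', 'err', 'warning', 'notice', 'info', 'debug']

# <PRI>TIMESTAMP HOSTNAME MSG, with the RFC 3164 "Mmm dd hh:mm:ss" timestamp.
_SYSLOG_RE = re.compile(
    r'^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$')
# Assumed layout of the portal's per-request message (the guide does not document it).
_REQUEST_RE = re.compile(
    r'^(?P<tag>[\w.-]+): (?P<client>\d{1,3}(?:\.\d{1,3}){3}) '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/\d\.\d" (?P<status>\d{3})$')


def parse_syslog(line):
    """Decode one RFC 3164 datagram; return a dict, or None when it does not parse."""
    m = _SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m.group('pri'))
    if pri > 191:                      # facility 23, severity 7 is the largest legal value
        return None
    record = {
        'facility': FACILITIES[pri >> 3],
        'severity': SEVERITIES[pri & 7],
        'timestamp': m.group('ts'),
        'host': m.group('host'),
        'message': m.group('msg'),
    }
    req = _REQUEST_RE.match(record['message'])
    if req:
        record.update(req.groupdict())
        record['status'] = int(record['status'])
    return record


def summarize(lines):
    """Count requests per status class and 4xx responses per client address."""
    by_class, client_errors, unparsed = Counter(), Counter(), 0
    for line in lines:
        rec = parse_syslog(line)
        if rec is None or 'status' not in rec:
            unparsed += 1
            continue
        by_class[f'{rec["status"] // 100}xx'] += 1
        if 400 <= rec['status'] < 500:
            client_errors[rec['client']] += 1
    return {'by_class': dict(by_class), 'client_errors': dict(client_errors),
            'unparsed': unparsed}


def receive_forever(bind_addr='0.0.0.0', port=514, handler=print):
    """UDP listener matching the Table 26 settings; port 514 needs privileges on most hosts."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    while True:
        data, (src, _) = sock.recvfrom(65535)
        handler(src, parse_syslog(data.decode('utf-8', errors='replace')))


# Constructed sample datagrams, not captured from a real Nortel SNAS 4050.
SAMPLE_LINES = [
    '<134>Dec 14 10:22:31 nsnas-portal portal: 192.0.2.10 "GET /portal HTTP/1.1" 200',
    '<134>Dec 14 10:22:32 nsnas-portal portal: 192.0.2.10 "POST /login HTTP/1.1" 302',
    '<134>Dec 14 10:22:40 nsnas-portal portal: 198.51.100.7 "GET /admin HTTP/1.1" 403',
    '<134>Dec 14 10:22:41 nsnas-portal portal: 198.51.100.7 "GET /nonexistent HTTP/1.1" 404',
    'this is not a syslog line',
]

if __name__ == '__main__':
    print(summarize(SAMPLE_LINES))
```

The parser keeps unparsed datagrams in a separate count instead of dropping them silently; a rising unparsed count usually means the portal's message format differs from the assumed one and the request regex needs adjusting against real output.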
Tracing SSL traffic using the SREM

To verify connectivity and to capture information about SSL and TCP traffic between clients and the portal server, see “Starting and stopping a trace using the SREM” on page 738.

Configuring HTTP redirect using the SREM

You can configure the Nortel SNAS 4050 domain to automatically redirect HTTP requests to the HTTPS server. For example, a client request directed to http://nsnas.com is automatically redirected to https://nsnas.com.

To configure the domain to automatically redirect HTTP requests to the HTTPS server specified for the domain, perform the following steps:
1 Select the Secure Access Domain > domain > HTTP Redirect tab. The HTTP Redirect screen appears (see Figure 34).
2 Enter the redirection information in the applicable fields. Table 27 describes the HTTP Redirect fields.

Table 27 HTTP Redirect fields
  Port Number: Specifies the TCP port number on which the portal server listens for HTTP communications. The default value is 80. Note: If you do not accept the default value and you specify a different port, you must modify the Red and Yellow filters on the network access devices accordingly.
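The redirect behaviour described above (http://nsnas.com answered with a redirect to https://nsnas.com) is simple to state but has one detail worth getting right: the redirect must send the client to the configured portal name, not to whatever the client put in its Host header, or the HTTP listener becomes an open redirector. The following Python redirect server is an added example, not code from the user guide or from Nortel; it uses the standard library only, and the portal name nsnas.com, the ports and the sample request targets are placeholders taken from or modelled on the tables above.

```python
import re
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit, urlunsplit

# Assumed settings, mirroring the Table 24 DNS Name and Table 27 Port Number fields.
PORTAL_DNS_NAME = 'nsnas.com'   # placeholder portal name, not a real deployment value
HTTPS_PORT = 443                # the portal server's HTTPS listening port (Table 24 default)
REDIRECT_PORT = 80              # the HTTP listener that performs the redirect (Table 27 default)

_HOSTNAME_RE = re.compile(r'^[A-Za-z0-9.-]+$')


def redirect_target(request_target, host_header=None,
                    portal_dns_name=PORTAL_DNS_NAME, https_port=HTTPS_PORT):
    """Build the Location value for an HTTP request that must move to HTTPS.

    Only the path and query of the original request are carried over, even if
    the client sent an absolute-form target. The authority is the configured
    portal name whenever one is set, so a client-chosen Host header cannot
    steer the redirect elsewhere; without a configured name the Host header is
    used with any ':port' suffix dropped. Returns None when no usable host is
    available, in which case the caller answers 400.
    """
    parts = urlsplit(request_target)
    path = parts.path or '/'
    if not path.startswith('/'):
        path = '/' + path
    authority = portal_dns_name or (host_header or '').split(':', 1)[0]
    if not authority or not _HOSTNAME_RE.match(authority):
        return None
    if https_port != 443:
        authority = f'{authority}:{https_port}'
    return urlunsplit(('https', authority, path, parts.query, ''))


class RedirectHandler(BaseHTTPRequestHandler):
    """Answers every request with a 301 to the HTTPS portal, as the wizard's redirect server does."""
    server_version = 'http-redirect-example/0.1'

    def _redirect(self):
        location = redirect_target(self.path, self.headers.get('Host'))
        if location is None:
            self.send_error(400, 'Host header required')
            return
        self.send_response(301)
        self.send_header('Location', location)
        self.send_header('Content-Length', '0')
        self.send_header('Connection', 'close')
        self.end_headers()

    do_GET = do_HEAD = do_POST = _redirect

    def log_message(self, fmt, *args):
        # Keep the example quiet; a real deployment would ship these to the syslog collector.
        pass


def serve(port=REDIRECT_PORT):
    """Run the redirect listener (binding port 80 requires privileges on most hosts)."""
    HTTPServer(('', port), RedirectHandler).serve_forever()


if __name__ == '__main__':
    print(redirect_target('/portal?x=1', 'nsnas.com:80'))
```

If the Port Number field is changed from 80, the listener here changes in the same way the Note in Table 27 describes for the Red and Yellow filters: the redirect only works if the network access devices actually deliver the client's HTTP traffic to the new port.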
• cause of termination

Configure the RADIUS server in accordance with the recommendations in RFC 2866. Certain Nortel SNAS 4050-specific attributes are sent to the RADIUS server when you enable accounting (see “Configuring Nortel SNAS 4050-specific attributes using the SREM” on page 184). In conjunction with custom plugins on the RADIUS server, these attributes can be used for more detailed monitoring of Nortel SNAS 4050 activity.

Contact your RADIUS system administrator for information about the vendor-specific attributes used by the external RADIUS accounting server.

To configure vendor-specific attributes in order to identify the Nortel SNAS 4050 domain, perform the following steps:
1 Select the Secure Access Domain > domain > AAA > Radius Accounting > Configuration tab. The RADIUS accounting Configuration screen appears (see Figure 34).
2 Enter the RADIUS accounting information in the applicable fields. Table 28 describes the RADIUS accounting Configuration fields.

Table 28 RADIUS accounting Configuration fields
  Enable Radius Accounting: Specifies whether RADIUS accounting is enabled.
  Vendor ID: Specifies the vendor-specific attribute used by the RADIUS accounting server to identify accounting information from the Nortel SNAS 4050 domain.

The Radius Accounting Servers screen appears (see Figure 36).

Figure 36 Radius Accounting Servers screen

2 Click Add. The Add a Radius Accounting Server dialog box appears (see Figure 37).
3 Enter the RADIUS accounting server information in the applicable fields. Table 29 describes the Radius Accounting Server fields.

Table 29 Radius Accounting Server fields
  IP Address: Specifies the IP address of the accounting server.
  Port: Specifies the TCP port number used for RADIUS accounting. The default is 1813.
  Secret: Specifies the password used to authenticate the Nortel SNAS 4050 to the accounting server.

4 Click Add.
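Both the CLI vpnattribu menu (vendorid, vendortype) and the SREM fields above configure the same thing on the wire: a RADIUS Vendor-Specific attribute (type 26) carrying the Vendor-Id, by default 1872, and a Vendor-Type sub-attribute, sent inside each Accounting-Request alongside the session data, and protected by the Request Authenticator that RFC 2866 derives from the shared Secret. The following Python script is an added example, not code from the user guide or from Nortel, that builds such an Accounting-Request and then performs the receiver-side checks an accounting server makes on it; the Vendor-Type value 1, the shared secret, the user name, the NAS address 192.0.2.1 and the session id are all placeholders chosen for the example. RFC 2866 specifies UDP for accounting, with 1813 as the assigned port.

```python
import hashlib
import hmac
import socket
import struct

ACCOUNTING_REQUEST = 4          # RFC 2866 packet code
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_VENDOR_SPECIFIC = 26
ATTR_ACCT_STATUS_TYPE = 40
ATTR_ACCT_SESSION_ID = 44
ACCT_STATUS_START = 1
DEFAULT_VENDOR_ID = 1872        # default Vendor-Id (Alteon) from the user guide
DOMAIN_VENDOR_TYPE = 1          # assumed Vendor-Type chosen for the domain (placeholder)


def attribute(attr_type, value):
    """Type-Length-Value encoding of one RADIUS attribute (RFC 2865 section 5)."""
    if not 0 <= len(value) <= 253:
        raise ValueError('attribute value must be at most 253 octets')
    return struct.pack('!BB', attr_type, len(value) + 2) + value


def vendor_specific(vendor_id, vendor_type, value):
    """Vendor-Specific attribute in the sub-attribute layout RFC 2865 recommends."""
    sub = struct.pack('!BB', vendor_type, len(value) + 2) + value
    return attribute(ATTR_VENDOR_SPECIFIC, struct.pack('!I', vendor_id) + sub)


def build_accounting_request(identifier, secret, attributes):
    """Assemble an Accounting-Request with the RFC 2866 Request Authenticator.

    The authenticator is MD5 over the 4-octet header, 16 zero octets, the
    attributes and the shared secret, so a receiver holding the same secret can
    check that the record came from a configured client and was not altered.
    """
    body = b''.join(attributes)
    header = struct.pack('!BBH', ACCOUNTING_REQUEST, identifier & 0xFF, 20 + len(body))
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body


def verify_request_authenticator(packet, secret):
    """Receiver-side check of an Accounting-Request; False means drop it silently."""
    if len(packet) < 20 or packet[0] != ACCOUNTING_REQUEST:
        return False
    if struct.unpack('!H', packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def parse_attributes(packet):
    """Walk the attribute list; a VSA is unpacked into (26, vendor_id, vendor_type, data)."""
    attrs, pos, end = [], 20, struct.unpack('!H', packet[2:4])[0]
    while pos < end:
        if pos + 2 > end:
            raise ValueError('truncated attribute header')
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > end:
            raise ValueError('bad attribute length')
        value = packet[pos + 2:pos + length]
        if attr_type == ATTR_VENDOR_SPECIFIC and len(value) >= 6 and value[5] == len(value) - 4:
            vendor_id = struct.unpack('!I', value[:4])[0]
            attrs.append((attr_type, vendor_id, value[4], value[6:]))
        else:
            attrs.append((attr_type, value))
        pos += length
    return attrs


def domain_tag(packet, vendor_id=DEFAULT_VENDOR_ID, vendor_type=DOMAIN_VENDOR_TYPE):
    """Return the data of the VSA that identifies the domain, or None if it is absent."""
    for entry in parse_attributes(packet):
        if len(entry) == 4 and entry[1] == vendor_id and entry[2] == vendor_type:
            return entry[3]
    return None


def example_start_record(secret=b'placeholder-shared-secret'):
    """Constructed Accounting-Request for a portal logon; every value is illustrative."""
    attrs = [
        attribute(ATTR_USER_NAME, b'jdoe'),
        attribute(ATTR_NAS_IP_ADDRESS, socket.inet_aton('192.0.2.1')),
        attribute(ATTR_ACCT_STATUS_TYPE, struct.pack('!I', ACCT_STATUS_START)),
        attribute(ATTR_ACCT_SESSION_ID, b'0000abcd'),
        vendor_specific(DEFAULT_VENDOR_ID, DOMAIN_VENDOR_TYPE, b'domain1'),
    ]
    return build_accounting_request(identifier=7, secret=secret, attributes=attrs)


if __name__ == '__main__':
    pkt = example_start_record()
    print('authenticator ok:', verify_request_authenticator(pkt, b'placeholder-shared-secret'))
    print('domain tag:', domain_tag(pkt))
```

The Request Authenticator only proves knowledge of the shared secret and is MD5-based with no replay protection, so the Secret configured in Table 29 should be long and random, and the accounting traffic should be confined to a management network rather than relied on as a security boundary in itself.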
Deleting a RADIUS accounting server using the SREM

To delete a RADIUS accounting server entry, perform the following steps:
1 Select the Secure Access Domain > domain > AAA > Radius Accounting > Radius Accounting Servers tab. The Radius Accounting Servers screen appears (see Figure 36 on page 187).
2 Select the RADIUS accounting server entry from the list.
3 Click Delete. A dialog box appears to confirm that this entry is to be deleted.
4 Click Yes.
Chapter 5 Configuring groups and profiles

This chapter includes the following topics:

Topic / Page
Overview 192
Groups 192
Linksets 194
TunnelGuard SRS rule 194
Extended profiles 195
Before you begin 196
Configuring groups and extended profiles using the CLI 196
Roadmap of group and profile commands 197
Configuring groups using the CLI 198
Configuring client filters using the CLI 201
Configuring extended profiles using the CLI 203
Mapping linksets to a group or profile using the C
Mapping linksets to a group or profile using the SREM 223
Creating a default group using the SREM 230

Overview

This section includes the following topics:
• “Groups” on page 192
• “Linksets” on page 194
• “TunnelGuard SRS rule” on page 194
• “Extended profiles” on page 195

For more information about groups and extended profiles in the Nortel SNA solution, see Nortel Secure Network Access Solution Guide (320817-A).

Each group’s data include the following configurable parameters:
• linksets
• TunnelGuard SRS rule
• extended profiles

After the user has been authenticated, the Nortel SNAS 4050 checks the groups defined for the domain to match the group name returned from the authentication database. For the duration of the user’s login session, the Nortel SNAS 4050 maintains a record of the group matched to the user.

Linksets

A linkset is a set of links displayed on the portal page, so that the user can easily access internal or external web sites, servers, or applications. After the user has been authenticated, the user’s portal page displays all the linksets associated with the group to which the user belongs. The user’s portal page also displays all the linksets associated with the user’s extended profile.

Extended profiles

Passing or failing the SRS rule check is the only authorization control provided at the group level. This is the base profile. In future releases of the Nortel SNAS 4050 software, extended profiles will provide a mechanism to achieve more granular authorization control, based on specific characteristics of the user's connection. You can define up to 63 extended profiles for each group. In Nortel Secure Network Access Switch Software Release 1.

Before you begin

Before you configure groups, client filters, and extended profiles on the Nortel SNAS 4050, complete the following tasks:
1 Create the linksets, if desired (see “Linksets and links” on page 394).
2 Create the SRS rules (see “TunnelGuard SRS Builder” on page 317).
3 If authentication services have already been configured, ascertain the group names used by the authentication services.

3 Configure the extended profiles for the group (see “Configuring extended profiles using the CLI” on page 203).
4 Map the linksets to the group and extended profiles (see “Mapping linksets to a group or profile using the CLI” on page 206).
5 Create a default group, if desired (see “Creating a default group using the CLI” on page 208).
Command / Parameter (roadmap, continued)
(continued): insert, move
/cfg/domain 1/aaa/group #/extend #/linkset: list, del, add, insert, move
/cfg/domain 1/aaa/defgroup

Configuring groups using the CLI

To create and configure a group, use the following command:

/cfg/domain 1/aaa/group <group ID>

where group ID is an integer in the

• number of sessions — the maximum number of simultaneous portal or Nortel SNAS 4050 sessions allowed for each member of the group. The default is 0 (unlimited). You can later modify the number of sessions by using the restrict command on the Group menu.

The Group menu displays.

Note: If you ran the quick setup wizard during initial setup, a group called tunnelguard has been created with group ID = 1.

/cfg/domain 1/aaa/group # followed by:
  tgsrs: Specifies the preconfigured TunnelGuard SRS rule to apply to the group. For information about configuring the SRS rules using the SREM, see “TunnelGuard SRS Builder” on page 317. You cannot configure SRS rules in the CLI.
  comment: Sets a comment for the group.
  del: Removes the group from the Nortel SNAS 4050 domain.

Configuring client filters using the CLI

To create and configure a client filter, use the following command:

/cfg/domain 1/aaa/filter <filter ID>

where filter ID is an integer in the range 1 to 63 that uniquely identifies the filter in the Nortel SNAS 4050 domain. When you first create the filter, you must enter the filter ID. After you have created the filter, you can use either the ID or the name to access the filter for configuration.

The Client Filter menu includes the following options:

/cfg/domain 1/aaa/filter followed by:
  name: Names or renames the filter. After you have defined a name for the filter, you can use either the filter name or the filter ID to access the Client Filter menu.
    • name is a string that must be unique in the domain. The maximum length of the string is 255 characters.

Figure 39 shows sample output for the /cfg/domain 1/aaa/filter command and commands on the Client Filter menu.

When you first create the profile, you are prompted to enter the following parameters:
• client filter name — the name of the predefined client filter that determines whether the Nortel SNAS 4050 applies this extended profile to the user. To view available filters, press TAB at the prompt. You can later change the filter referenced by the profile by using the filter command on the Extended Profile menu.

/cfg/domain 1/aaa/group #/extend # followed by:
  linkset: Accesses the Linksets menu, in order to map preconfigured linksets to the profile (see “Mapping linksets to a group or profile using the CLI” on page 206). For information about creating and configuring the linksets, see “Configuring linksets using the CLI” on page 411.
  del: Removes the extended profile from the group.

Mapping linksets to a group or profile using the CLI

You can tailor the portal page for different users by mapping preconfigured linksets to groups and extended profiles. For more information about linksets, see “Linksets and links” on page 394. To map a linkset to a group, access the Linksets menu from the Group menu.

Figure 41 shows sample output for the /cfg/domain 1/aaa/group <group ID>/linkset command and commands on the Linksets menu.

Creating a default group using the CLI

To create a default group, first create a group with extended profiles mapped to a restrictive VLAN (see “Configuring groups using the CLI” on page 198 and “Configuring extended profiles using the CLI” on page 203).
Using the guide for creating groups

If you want additional information before creating a group, a guide is available that explains some of the prerequisites and details about creating groups. To access the guide to creating groups, complete the following steps:
1 Click A Guide to Create a Group on the toolbar. A dialog box appears, prompting you to select a domain.
2 Select the domain in which this group is to be created.
3 Click OK.

Adding a group

To create and configure a group, perform the following steps:
1 Select the Secure Access Domain > domain > AAA > Groups tab. The Groups screen appears (see Figure 42).
2 Click Add. The Add a Group dialog box appears (see Figure 43).

Figure 43 Adding a Group screen

3 Enter the group information in the applicable fields. Table 31 describes the Add a Group fields.

Table 31 Add a Group fields
  Group ID (Index): An integer in the range 1 to 1023 that uniquely identifies the group in the Nortel SNAS 4050 domain.
  Group Name: A string that uniquely identifies the group on the Nortel SNAS 4050.

Modifying a group

To configure a group, perform the following steps:
1 Select the Secure Access Domain > domain > AAA > Groups > group > Configuration tab. The group Configuration screen appears (see Figure 44).
2 Enter the group information in the applicable fields. Table 32 describes the group Configuration fields.

Table 32 Group Configuration fields
  Group ID (Index): An integer in the range 1 to 1023 that uniquely identifies the group in the Nortel SNAS 4050 domain. This value cannot be changed after a group is created.
  Group Name: A string that uniquely identifies the group on the Nortel SNAS 4050.

Adding a client filter

To create and configure a client filter, perform the following steps:
1 Select the Secure Access Domain > domain > AAA > Filters > Client Filters tab. The Client Filters screen appears (see Figure 45).
2 Click Add. The Add a Client Filter dialog box appears (see Figure 46).

Figure 46 Adding a Client Filter screen

3 Enter the client filter information in the applicable fields. Table 33 describes the Add a Client Filter fields.

Table 33 Add a Client Filter fields (Sheet 1 of 2)
  Filter ID (Index): An integer in the range 1 to 63 that uniquely identifies the filter in the Nortel SNAS 4050 domain.

Table 33 Add a Client Filter fields (Sheet 2 of 2)
  Name: Names the filter.
    • name is a string that must be unique in the domain. You reference the client filter name when configuring the extended profile.
  TunnelGuard Check Passed: Specifies whether passing or failing the TunnelGuard host integrity check triggers the filter.
    • true — the client filter triggers when the TunnelGuard check succeeds.

Modifying a client filter

To configure a client filter, perform the following steps:
1 Select the Secure Access Domain > domain > AAA > Filters > filter > Configuration tab. The client filter Configuration screen appears (see Figure 47).
2 Enter the client filter information in the applicable fields. Table 34 describes the Client Filter configuration fields.

Table 34 Client Filters configuration fields
  Filter ID (Index): An integer in the range 1 to 63 that uniquely identifies the filter in the Nortel SNAS 4050 domain.
  Name: Names the filter.
    • name is a string that must be unique in the domain. You reference the client filter name when configuring the extended profile.

Configuring extended profiles using the SREM

To view the extended profiles within a group, select the Secure Access Domain > domain > AAA > Groups > group > Extended Profiles tab. The Extended Profiles screen appears with a list of all profiles for that group. When you select a profile in the list, the extended profile configuration details and linksets become accessible from the tabs displayed below the list.

Adding an extended profile

To create an extended profile for a group, perform the following steps:
1 Select the Secure Access Domain > domain > AAA > Groups > group > Extended Profiles tab. The Extended Profiles screen appears (see Figure 48).
2 Click Add. The Add an Extended Profile dialog box opens (see Figure 49).

Figure 49 Add an Extended Profile screen

3 Enter the extended profile information in the applicable fields. Table 35 describes the Add an Extended Profile fields.

Table 35 Add an Extended Profile fields
  Index: An integer in the range 1 to 63 that uniquely identifies the profile in the group.

Modifying an extended profile

To modify an extended profile for a group, perform the following steps:
1 Select the Secure Access Domain > domain > AAA > Groups > group > extended profile > Configuration tab. The extended profile Configuration screen appears (see Figure 50).
2 Enter the extended profile information in the applicable fields. Table 36 describes the Extended Profile Configuration fields.

Table 36 Extended Profile Configuration fields
  Index: An integer in the range 1 to 63 that uniquely identifies the profile in the group. The default value for this field is the lowest unused index number available. This value cannot be changed after the extended profile is created.

Mapping linksets to a group

To map a linkset to a group, select the Secure Access Domain > domain > AAA > Groups > group > Linksets tab. The Linksets screen appears and displays the group Linkset Table (see Figure 51).

Adding linksets to a group

To add a linkset to a group, perform the following steps:
1 Select the Secure Access Domain > domain > AAA > Groups > group > Linksets tab. The Linksets screen appears and displays the Linkset Table (see Figure 51 on page 224).
2 Click Add. The Add a Linkset dialog box appears (see Figure 52).

Figure 52 Adding a Linkset screen

3 Enter the linkset information in the applicable fields. Table 37 describes the Add a Linkset fields.

Removing linksets from a group

To remove a linkset from a group, perform the following steps:
1 Select the Secure Access Domain > domain > AAA > Groups > group > Linksets tab. The Linksets screen appears and displays the Linkset Table (see Figure 51 on page 224).
2 Select the linkset you want to remove from the Linkset Table.
3 Click Delete. A confirmation dialog appears.
4 Click Yes. The linkset disappears from the Linkset Table.

Mapping linksets to a profile

To map a linkset to an extended profile, select the Secure Access Domain > domain > AAA > Groups > group > extended profile > Linksets tab. The Linksets screen appears and displays the Linkset Table (see Figure 53).

Adding linksets to an extended profile

To add a linkset to an extended profile, perform the following steps:
1 Select the Secure Access Domain > domain > AAA > Groups > group > extended profile > Linksets tab. The Linksets screen appears and displays the Linkset Table (see Figure 53 on page 227).
2 Click Add. The Add a Linkset dialog box appears (see Figure 54).

Figure 54 Adding a Linkset screen

3 Enter the linkset information in the applicable fields.

Removing linksets from an extended profile

To remove a linkset from an extended profile, perform the following steps:
1 Select the Secure Access Domain > domain > AAA > Groups > group > extended profile > Linksets tab. The Linksets screen appears and displays the Linkset Table (see Figure 51 on page 224).
2 Select the linkset you want to remove from the Linkset Table.
3 Click Delete. A confirmation dialog appears.
4 Click Yes.

Creating a default group using the SREM

To create a default group, first create a group with extended profiles mapped to a restrictive VLAN (see “Configuring groups using the SREM” on page 208 and “Configuring extended profiles using the SREM” on page 219). Then perform the following steps:
1 Select the Secure Access Domain > domain > AAA tab. The AAA Configuration screen appears (see Figure 55).
2 Enter the AAA information in the applicable fields. Table 39 describes the AAA Configuration fields.

Table 39 AAA Configuration fields
  Default Group: The name of the group you want to set as the default.

3 Click Apply on the toolbar to send the current changes to the Nortel SNAS 4050. Click Commit on the toolbar to save the changes permanently.
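The pieces configured in this chapter combine into one authorization decision per logon: the group name returned by the authentication database is matched against the domain's groups (falling back to the default group), the group's session limit is enforced, the TunnelGuard SRS check result drives the client filters, a matching filter selects an extended profile, and the portal shows the group's linksets plus the profile's. The following Python model is an added example, not code from the user guide or from Nortel, that makes that flow explicit so an administrator can dry-run a planned group, filter and profile layout. Where the guide does not state a rule, the model assumes one and labels it: a profile maps a client to a VLAN, the lowest-index profile whose filter triggers wins, a user without a matching group or default group is denied, and a group with no SRS rule is treated as having passed the check. The group, filter and linkset names are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Optional

GREEN_VLAN = 110    # default Green VLAN ID assigned by the Domain Quick Wizard
YELLOW_VLAN = 120   # default Yellow (restricted) VLAN ID assigned by the wizard


@dataclass
class ClientFilter:
    name: str
    tg_check_passed: bool   # Table 33: true = triggers when the TunnelGuard check succeeds


@dataclass
class ExtendedProfile:
    index: int              # 1..63 within the group (Table 35)
    filter_name: str        # client filter that decides whether the profile applies
    vlan_id: int            # assumption: VLAN the profile maps the client to
    linksets: list = field(default_factory=list)


@dataclass
class Group:
    name: str
    linksets: list = field(default_factory=list)
    tgsrs: Optional[str] = None     # SRS rule applied to the group; None = no check
    max_sessions: int = 0           # CLI "number of sessions"; 0 = unlimited
    profiles: list = field(default_factory=list)


@dataclass
class Decision:
    allowed: bool
    group: Optional[str]
    vlan_id: Optional[int]
    linksets: list
    reason: str


def select_group(groups, auth_group_name, default_group=None):
    """Match the group name from the authentication database; fall back to the default group."""
    by_name = {g.name: g for g in groups}
    if auth_group_name in by_name:
        return by_name[auth_group_name]
    return by_name.get(default_group)   # None when no default group is configured


def applicable_profile(group, filters, tg_passed):
    """Lowest-index extended profile whose client filter triggers on this result (assumed rule)."""
    by_name = {f.name: f for f in filters}
    for profile in sorted(group.profiles, key=lambda p: p.index):
        flt = by_name.get(profile.filter_name)
        if flt is not None and flt.tg_check_passed == tg_passed:
            return profile
    return None


def authorize(groups, filters, auth_group_name, tg_passed, active_sessions=0, default_group=None):
    """Decide VLAN and portal linksets for one authenticated user."""
    group = select_group(groups, auth_group_name, default_group)
    if group is None:
        return Decision(False, None, None, [],
                        f'no group matches {auth_group_name!r} and no default group is set')
    if group.max_sessions and active_sessions >= group.max_sessions:
        return Decision(False, group.name, None, [],
                        f'session limit {group.max_sessions} reached for group {group.name}')
    passed = tg_passed if group.tgsrs else True     # no SRS rule: nothing to fail (assumption)
    linksets = list(group.linksets)
    profile = applicable_profile(group, filters, passed)
    if profile is not None:
        linksets += [ls for ls in profile.linksets if ls not in linksets]
        return Decision(True, group.name, profile.vlan_id, linksets,
                        f'extended profile {profile.index} via filter {profile.filter_name}')
    # Base profile: passing or failing the SRS check is the only group-level control.
    vlan = GREEN_VLAN if passed else YELLOW_VLAN
    return Decision(True, group.name, vlan, linksets,
                    'base profile, SRS check ' + ('passed' if passed else 'failed'))


# Constructed sample layout: a compliant group with a remediation profile, and a guest group.
SAMPLE_FILTERS = [ClientFilter('tg_pass', True), ClientFilter('tg_fail', False)]
SAMPLE_GROUPS = [
    Group('tunnelguard', linksets=['intranet'], tgsrs='corp_firewall_rule',
          profiles=[ExtendedProfile(1, 'tg_fail', YELLOW_VLAN, ['remediation'])]),
    Group('guest', linksets=['internet'], tgsrs=None, max_sessions=1),
]

if __name__ == '__main__':
    for name, result in (('tunnelguard', False), ('tunnelguard', True), ('engineering', True)):
        print(name, result, authorize(SAMPLE_GROUPS, SAMPLE_FILTERS, name, result, default_group='guest'))
```

Running the model against a planned configuration shows quickly whether a user who fails the host check can still reach the remediation linkset, and whether an unmatched group name lands in the restrictive default group rather than in a fully trusted one.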
Chapter 6 Configuring authentication This chapter includes the following topics: Topic Page Overview 234 Before you begin 235 Configuring authentication using the CLI 236 Roadmap of authentication commands 237 Configuring authentication methods using the CLI 239 Configuring advanced settings using the CLI 241 Configuring RADIUS authentication using the CLI 242 Configuring LDAP authentication using the CLI 249 Configuring local database authentication using the CLI 261 Specifying aut
Chapter 6 Configuring authentication Overview The Nortel SNAS 4050 controls authentication of clients when they log on to the network. The Nortel SNA solution supports the following authentication methods in Nortel Secure Network Access Switch Software Release 1.
Chapter 6 Configuring authentication 235 Before you begin Before you configure authentication on the Nortel SNAS 4050, you must complete the following tasks: 1 Create the Nortel SNAS 4050 domain, if applicable (see “Creating a domain using the CLI” on page 121 or “Creating a domain using the SREM” on page 151). If you ran the quick setup wizard during initial setup, Domain 1 has been created on the Nortel SNAS 4050. Note: With Nortel Secure Network Access Switch Software Release 1.
— Vendor-Type

Note: You can assign vendor-specific codes to the Vendor-Id and Vendor-Type attributes. The RADIUS server uses the Vendor-Id and Vendor-Type attributes in combination to identify what values it will assign and send for attributes such as group name and session timeout. Each vendor has a specific dictionary. The Vendor-Id specified for an attribute identifies the dictionary the RADIUS server will use to retrieve the attribute value.
3 Specify the order in which the authentication methods will be applied. Perform this step even if you define only one method on the Nortel SNAS 4050.
Command                                       Parameter
/cfg/domain 1/aaa/auth #/radius (continued)   domainid
                                              domaintype
                                              authproto pap|chapv2
                                              timeout
                                              vendorid
                                              vendortype
/cfg/domain 1/aaa/auth #/radius/servers       list
                                              del
                                              add
                                              insert
                                              move
/cfg/domain 1/aaa/auth #/radius/sessiontim    ena
                                              dis
/cfg/domain 1/aaa/auth #/ldap                 searchbase
                                              groupattr
                                              userattr
                                              isdbinddn
Command                                       Parameter
/cfg/domain 1/aaa/auth #/ldap/ldapmacro       list
                                              del
                                              add [] []
                                              insert
                                              move
/cfg/domain 1/aaa/auth #/ldap/activedire      enaexpired true|false
                                              expiredgro
/cfg/domain 1/aaa/auth #/local                add
                                              passwd
                                              groups
                                              del
                                              list
                                              import
When you first create the method, you are prompted to specify the type. For Nortel Secure Network Access Switch Software Release 1.0, valid options are:

• RADIUS
• LDAP
• local

The selected method type determines the remainder of the parameters you are prompted to provide when you create the method, as well as the submenu options that are provided on the Authentication menu.
/cfg/domain 1/aaa/auth followed by:

radius|ldap|local  Accesses a method-specific menu, in order to configure settings for the method. The option displayed depends on the method type.
To configure the current authentication scheme to retrieve user group information from a different authentication scheme, use the following command:

/cfg/domain 1/aaa/auth #/adv

The Advanced menu displays.
You can perform the following configuration tasks:

• “Adding the RADIUS authentication method using the CLI” on page 243
• “Modifying RADIUS configuration settings using the CLI” on page 245
• “Managing RADIUS authentication servers using the CLI” on page 247
• “Configuring session timeout using the CLI” on page 249

Adding the RADIUS authentication method using the CLI

The command to create the authentication ID launches a wizard.
• vendor type for group — corresponds to the Vendor-Type value used in combination with the Vendor-Id to identify the groups to which the user belongs. The group names to which the vendor-specific attribute points must match names you define on the Nortel SNAS 4050 using the /cfg/domain 1/aaa/group command (see “Configuring groups using the CLI” on page 198). The default is 1.
Figure 56 shows sample output for the RADIUS method for the /cfg/domain 1/aaa/auth command and commands on the Authentication menu.
The RADIUS menu displays. The RADIUS menu includes the following options:

/cfg/domain 1/aaa/auth #/radius followed by:

servers   Accesses the RADIUS servers menu, in order to manage the external RADIUS servers configured for the domain (see “Managing RADIUS authentication servers using the CLI” on page 247).

vendorid  Specifies the vendor-specific attribute used by the RADIUS server to send group names to the Nortel SNAS 4050.
/cfg/domain 1/aaa/auth #/radius followed by:

timeout   Sets the timeout interval for a connection request to a RADIUS server. At the end of the timeout period, if no connection has been established, authentication will fail.
• interval is an integer that indicates the time interval in seconds (s), minutes (m), or hours (h). If you do not specify a measurement unit, seconds is assumed. The range is 1–10000 seconds. The default is 10 seconds.
The Radius servers menu includes the following options:

/cfg/domain 1/aaa/auth #/radius/servers followed by:

list   Lists the IP address, port, and shared secret of currently configured RADIUS authentication servers, by index number.

del    Removes the specified RADIUS authentication server from the current configuration. The index numbers of the remaining entries adjust accordingly.
Configuring session timeout using the CLI

You can configure the Nortel SNAS 4050 to enable session timeout and to retrieve a session timeout value from the RADIUS server. With session timeout enabled, the session timeout value controls the length of the client’s Nortel SNA network session. When the time is up, the client is automatically logged out. Idle time has no effect on the session timeout.
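The vendorid, vendortype and session timeout settings above describe how the group name and timeout are located inside the RADIUS Access-Accept. The following added example (not Nortel code; the packet bytes and function names are constructed for illustration) decodes a RADIUS attribute list the way such a device must: it keeps only the Vendor-Specific attribute whose Vendor-Id matches the configured vendorid, takes the sub-attribute whose type matches vendortype as the group name, reads the standard Session-Timeout attribute, and rejects malformed attribute lengths instead of reading past the buffer.

```python
"""Constructed example: locating the group name and session timeout in a
RADIUS Access-Accept using a configured vendorid (default 1872, Alteon)
and vendortype (default 1), as a device such as the Nortel SNAS 4050 does.
Attribute layouts follow RFC 2865; everything else here is an assumption.
"""
import struct
from typing import List, Optional, Tuple

RADIUS_VENDOR_SPECIFIC = 26   # RFC 2865 section 5.26
RADIUS_SESSION_TIMEOUT = 27   # RFC 2865 section 5.27


def parse_attributes(payload: bytes) -> List[Tuple[int, bytes]]:
    """Split an attribute area into (type, value) pairs.

    Each attribute is Type(1) Length(1) Value(Length-2). Length counts the
    two header bytes, so a length below 2 or one that runs past the end of
    the buffer is malformed and is rejected rather than skipped.
    """
    attrs: List[Tuple[int, bytes]] = []
    pos = 0
    while pos < len(payload):
        if pos + 2 > len(payload):
            raise ValueError("truncated attribute header at offset %d" % pos)
        atype, alen = payload[pos], payload[pos + 1]
        if alen < 2 or pos + alen > len(payload):
            raise ValueError("bad attribute length %d at offset %d" % (alen, pos))
        attrs.append((atype, payload[pos + 2:pos + alen]))
        pos += alen
    return attrs


def parse_vsa(value: bytes) -> Tuple[int, List[Tuple[int, bytes]]]:
    """Decode a Vendor-Specific value: Vendor-Id (4 bytes, network order)
    followed by Vendor-Type(1) Vendor-Length(1) data triples, which use the
    same TLV layout as top-level attributes."""
    if len(value) < 4:
        raise ValueError("Vendor-Specific value shorter than a Vendor-Id")
    vendor_id = struct.unpack("!I", value[:4])[0]
    return vendor_id, parse_attributes(value[4:])


def extract_group_and_timeout(payload: bytes, vendorid: int = 1872,
                              vendortype: int = 1) -> Tuple[Optional[str], Optional[int]]:
    """Return (group name, session timeout in seconds); None where absent.

    Only a VSA carrying the configured vendorid is consulted, and within it
    only the sub-attribute of the configured vendortype; the first match wins.
    """
    group: Optional[str] = None
    timeout: Optional[int] = None
    for atype, value in parse_attributes(payload):
        if atype == RADIUS_SESSION_TIMEOUT and len(value) == 4:
            timeout = struct.unpack("!I", value)[0]
        elif atype == RADIUS_VENDOR_SPECIFIC:
            vid, sub = parse_vsa(value)
            if vid != vendorid:
                continue               # another vendor's dictionary: ignore it
            for vtype, data in sub:
                if vtype == vendortype and group is None:
                    group = data.decode("ascii", "replace")
    return group, timeout


# Builders used only to construct the sample packet below.
def build_attr(atype: int, value: bytes) -> bytes:
    return bytes([atype, len(value) + 2]) + value


def build_vsa(vendor_id: int, vendor_type: int, data: bytes) -> bytes:
    return build_attr(RADIUS_VENDOR_SPECIFIC,
                      struct.pack("!I", vendor_id) + build_attr(vendor_type, data))


# Constructed Access-Accept attribute area: the group "engineering" in an
# Alteon (1872) VSA, an unrelated VSA from another vendor id that must be
# ignored, and a Session-Timeout of 3600 seconds.
SAMPLE_ACCEPT = (
    build_vsa(1872, 1, b"engineering")
    + build_vsa(9, 1, b"other-vendor-group")
    + build_attr(RADIUS_SESSION_TIMEOUT, struct.pack("!I", 3600))
)

if __name__ == "__main__":
    print(extract_group_and_timeout(SAMPLE_ACCEPT))   # ('engineering', 3600)
```

The group name returned this way still has to match a group defined with /cfg/domain 1/aaa/group, so a mismatch between the RADIUS dictionary and the switch configuration shows up as a user with no group rather than as a parse error.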
where auth ID is an integer in the range 1 to 63 that uniquely identifies the authentication method in the Nortel SNAS 4050 domain. If you do not specify the auth ID in the command, you are prompted for it. When you first create the method for the domain, you must enter the authentication ID. After you have created the method and defined a name for it, you can use either the ID or the name to access the method for configuration.
• if user entries are located in several places in the LDAP Directory Information Tree (DIT), the position in the DIT from where all user records can be found with a subtree search (requires isdBindDN and isdBindPassword)
• group attribute name — the LDAP attribute that contains the names of the groups. You can specify more than one group attribute name.
Figure 57 shows sample output for the LDAP method for the /cfg/domain 1/aaa/auth command and commands on the Authentication menu.
The LDAP menu displays. The LDAP menu includes the following options:

/cfg/domain 1/aaa/auth #/ldap followed by:

servers     Accesses the LDAP servers menu, in order to manage the external LDAP servers configured for the domain (see “Managing LDAP authentication servers using the CLI” on page 256).

searchbase  Specifies the Distinguished Name (DN) that points to one of the following:
1.
/cfg/domain 1/aaa/auth #/ldap followed by:

userattr  Refers to one of the following:
1. the LDAP attribute that contains the user name used for authenticating a client in the domain. The default user attribute name is uid. Do not use the isdbinddn and isdbindpas commands.
2.
/cfg/domain 1/aaa/auth #/ldap followed by:

enaldaps true|false  If true, makes LDAP requests between the Nortel SNAS 4050 and the LDAP server occur over a secure SSL connection (LDAPS). The default is false. Retain the default value or reset to false.

Note: The default TCP port number used by the LDAP protocol is 389. If LDAPS is enabled, change the port number to 636.
Managing LDAP authentication servers using the CLI

You can configure additional LDAP servers for the domain, for redundancy. You can have a maximum of three LDAP authentication servers in the configuration. You can control the order in which the LDAP servers respond to authentication requests. If there is more than one LDAP server configured for the Nortel SNAS 4050 domain, the first accessible LDAP server in the list returns a reply to the query.
/cfg/domain 1/aaa/auth #/ldap/servers followed by:

del  Removes the specified LDAP server from the current configuration. The index numbers of the remaining entries adjust accordingly. To view the index numbers of all configured LDAP servers, use the list command.

add  Adds an LDAP server to the configuration.
Managing LDAP macros using the CLI

You can create your own macros (or variables), to allow you to retrieve data from the LDAP database. You can then map the variable to an LDAP user attribute in order to create user-specific links on the portal Home tab. When the client successfully logs on, the variable expands to the value retrieved from the LDAP or Active Directory user record. For more information about using macros in portal links, see “Macros” on page 395.
/cfg/domain 1/aaa/auth #/ldap/ldapmacro followed by:

add [] []  Adds an LDAP macro to the configuration. You are prompted to enter the following information:
• variable name — the name of the variable.
• LDAP attribute — the LDAP user attribute whose value will be retrieved from the client’s LDAP/Active Directory user record.
Managing Active Directory passwords using the CLI

You can set up a mechanism for clients to change their passwords when the passwords expire.

1 Define a user group in the Local database for users whose passwords have expired.
2 Create a linkset and link to a site where the user can change the password (see “Configuring groups using the CLI” on page 198).
3 Map the linkset to the group (see “Mapping linksets to a group or profile using the CLI” on page 206).
Configuring local database authentication using the CLI

You can configure the Nortel SNAS 4050 domain to use a local database for authentication. To configure the Local database method, perform the following steps:

1 Create the Local database method (see “Adding the local database authentication method using the CLI” on page 261).

Note: If you ran the quick setup wizard during initial setup, Local database authentication has been created with authentication ID = 1.
where auth ID is an integer in the range 1 to 63 that uniquely identifies the authentication method in the Nortel SNAS 4050 domain. If you do not specify the auth ID in the command, you are prompted for it. When you first create the method for the domain, you must enter the authentication ID. After you have created the method and defined a name for it, you can use either the ID or the name to access the method for configuration.
• group name — the name of the group to which the specified user belongs. The group must exist in the Nortel SNAS 4050 domain. To view available group names, press TAB.

Note: The prompt implies that you can enter multiple group names for a user, but the Nortel SNAS 4050 does not allow membership in multiple groups. If you enter multiple group names, the first group name entered is the one that will be returned to the Nortel SNAS 4050 after authentication.
Managing the local database using the CLI

You can add users to the database in two ways:

• manually, using the /cfg/domain 1/aaa/auth #/local/add command
• by importing a database, using the /cfg/domain 1/aaa/auth #/local/import command

Note: The imported database overwrites existing entries in the local database.

You can use the local database for authorization only, after an external authentication server has authenticated the user.
The Local database menu includes the following options:

/cfg/domain 1/aaa/auth #/local followed by:

add  Adds a user to the local authentication database. You are prompted for the following information:
• user name — a string that specifies a unique user logon name. There are no restrictions on the NSNAS regarding acceptable user names.
/cfg/domain 1/aaa/auth #/local followed by:

import  Imports a database from the specified TFTP/FTP/SCP/SFTP file exchange server. You are prompted to provide the following information:
• protocol is the import protocol. Options are tftp|ftp|scp|sftp.
• server is the host name or IP address of the server.
• filename is the name of the database file on the server.
• key is the password key for user password protection.
/cfg/domain 1/aaa/auth #/local followed by:

export  Exports the local database to the specified TFTP/FTP/SCP/SFTP file exchange server. You are prompted to provide the following information:
• protocol is the export protocol. Options are tftp|ftp|scp|sftp.
• server is the host name or IP address of the server.
• filename is the name of the destination database file on the server (for example, db.txt).
Perform this step even if there is only one method defined on the Nortel SNAS 4050.

Note: For best performance, set the authentication order so that the method that supports the biggest proportion of users is applied first. However, if you use the Nortel SNAS 4050 local database as one of the authentication methods, Nortel recommends that you set the Local method to be first in the authentication order.
Configuring authentication using the SREM

The basic steps for configuring and managing authentication are:

1 Create the authentication methods.
2 Configure specific settings for the methods.
3 Specify the order in which the authentication methods will be applied. Perform this step even if you define only one method on the Nortel SNAS 4050.
4 Commit the configuration changes.
Configuring authentication methods using the SREM

To create and configure an authentication method, perform the following steps:

1 Select the Secure Access Domain > domain > AAA > Authentication > Authentication Server Table tab. The Authentication Server Table appears (see Figure 60).
2 Click Add. The Add an Authentication Server dialog box opens (see Figure 61 on page 272).
3 In the list, select the authentication type you want to add. Available options are:
— Radius
— LDAP
— Local
The default value is Radius. Fields displayed on the Add an Authentication Server dialog change, depending on the method you select.
Adding the RADIUS method and server

To configure the Nortel SNAS 4050 to use an external RADIUS or Steel-belted RADIUS server for authentication, perform the following steps:

1 In the Add an Authentication Server dialog box, select Radius from the drop-down list. The display of the Add an Authentication Server dialog box refreshes (see Figure 61).
2 Enter the authentication server information in the applicable fields. Table 40 describes the Add an Authentication Server — Radius fields.

Table 40 Add an Authentication Server — Radius fields
Field  Description
Index  Specifies an integer in the range 1 to 63 that uniquely identifies the authentication method on the Nortel SNAS 4050.
Name   Specifies a name for the authentication method, as a mnemonic aid.
• Modify settings for the specific RADIUS configuration (see “Modifying RADIUS configuration settings” on page 276).

Modifying RADIUS method settings

To modify settings for an existing RADIUS authentication method, perform the following steps:

1 Select the Secure Access Domain > domain > AAA > Authentication > radius > Configuration tab. The Configuration screen appears, showing current settings for the method (see Figure 62).
2 Modify settings for the authentication method as necessary. Table 41 describes the Configuration fields.

Table 41 Configuration fields
Field  Description
Index  Specifies an integer in the range 1 to 63 that uniquely identifies the authentication method on the Nortel SNAS 4050.
Name   Specifies a name for the authentication method, as a mnemonic aid.
Modifying RADIUS configuration settings

To modify the RADIUS method configuration, perform the following steps:

1 Select the Secure Access Domain > domain > AAA > Authentication > radius > Radius Configuration tab. The Radius Configuration screen appears (see Figure 63).
2 Modify settings for the RADIUS configuration as necessary. Table 42 describes the Radius Configuration fields.

Table 42 Radius Configuration fields
Field                           Description
Vendor Id for Group Attributes  Specifies the vendor-specific attribute used by the RADIUS server to send group names to the Nortel SNAS 4050. The default Vendor-Id is 1872 (Alteon).
Table 42 Radius Configuration fields (continued)
Field                    Description
Authentication Protocol  Specifies the protocol used for communication between the Nortel SNAS 4050 and the RADIUS server. The options are:
                         • PAP — Password Authentication Protocol (PAP)
                         • CHAPv2 — Challenge Handshake Authentication Protocol (CHAP), version 2
                         The default is PAP.
Managing additional RADIUS servers

Additional RADIUS servers can be specified for redundancy. In the event that the preferred RADIUS server is not responding, the first available server in the list will be used instead.

To manage additional RADIUS servers, select the Secure Access Domain > domain > AAA > Authentication > radius > Radius Servers tab. The RADIUS Servers screen appears (see Figure 64), displaying a list of the existing RADIUS servers.
The RADIUS Server Table allows you to manage additional RADIUS servers by performing any of the following procedures:

• “Adding a RADIUS server” on page 280
• “Reordering additional RADIUS servers” on page 281
• “Removing a RADIUS server” on page 281

Adding a RADIUS server

To add additional RADIUS servers for redundancy, perform the following steps:

1 Select the Secure Access Domain > domain > AAA > Authentication > radius > Radius Servers tab.
Table 43 Add a Radius Server fields (continued)
Field   Description
Port    Specifies the port number configured for this server to use on the RADIUS server. The default is 1812.
Secret  Specifies a unique shared secret configured on the RADIUS server that authenticates the Nortel SNAS 4050 to the RADIUS server.

4 Click Apply. The new RADIUS server is automatically assigned a unique index number, and appears in the RADIUS Server Table.
The RADIUS Servers screen appears (see Figure 69 on page 291).
2 Select a RADIUS server entry from the RADIUS Server Table.
3 Click Delete. A confirmation dialog appears.
4 Click Yes. The RADIUS server is removed from the RADIUS Server Table.
5 Click Apply on the toolbar to accept the new order, and adjust index numbers for the RADIUS servers accordingly. Click Commit on the toolbar to save the changes permanently.
Adding the LDAP method and server

To configure the Nortel SNAS 4050 to use an external LDAP server for authentication, perform the following steps:

1 In the Add an Authentication Server dialog box, select LDAP from the drop-down list. The display of the Add an Authentication Server dialog box refreshes (see Figure 66).

Figure 66 Add an Authentication Server — LDAP

2 Enter the authentication server information in the applicable fields.
Table 44 Add an Authentication Server — LDAP fields (continued)
Field         Description
Display Name  Specifies a name for the method, to display in the Login Service list box on the portal login page, together with the names of other authentication services available.
IP Address    Specifies the IP address of the RADIUS server.
Port          Specifies the port number configured for this server to use on the RADIUS server. The default is 1812.

3 Click Apply.
Modifying LDAP method settings

To modify settings for an existing LDAP authentication method, perform the following steps:

1 Select the Secure Access Domain > domain > AAA > Authentication > ldap > Configuration tab. The Configuration screen appears, showing current settings for the method (see Figure 67).
2 Modify settings for the authentication method as necessary. Table 45 describes the Configuration fields.

Table 45 Configuration fields
Field  Description
Index  Specifies an integer in the range 1 to 63 that uniquely identifies the authentication method on the Nortel SNAS 4050.
Name   Specifies a name for the authentication method, as a mnemonic aid.
Modifying LDAP configuration settings

To modify the LDAP method configuration, perform the following steps:

1 Select the Secure Access Domain > domain > AAA > Authentication > ldap > LDAP Configuration tab. The LDAP Configuration screen appears (see Figure 68).
2 Modify settings for the LDAP configuration as necessary. Table 46 describes the LDAP Configuration fields.

Table 46 LDAP Configuration fields
Field         Description
Enable LDAPs  If selected, makes LDAP requests between the Nortel SNAS 4050 and the LDAP server occur over a secure SSL connection (LDAPS). The default is not selected.
              Note: The default TCP port number used by the LDAP protocol is 389. If LDAPS is enabled, change the port number to 636.
Table 46 LDAP Configuration fields (continued)
Field           Description
User Attribute  Refers to one of the following:
                1. the LDAP attribute that contains the user name used for authenticating a client in the domain. The default user attribute name is uid. Do not use the Bind ISD DN and Bind ISD Password fields.
                2.
Table 46 LDAP Configuration fields (continued)
Field                    Description
Enable User Preferences  Enables or disables storage of user preferences in an external LDAP/Active Directory database. If selected, the storage and retrieval of user preferences is enabled. When the client logs out from a portal session, the Nortel SNAS 4050 saves any user preferences accumulated during the session in the isdUserPrefs attribute.
Managing additional LDAP servers

Additional LDAP servers can be specified for redundancy. In the event that the preferred LDAP server is not responding, the first available server in the list will be used instead.

To manage additional LDAP servers, select the Secure Access Domain > domain > AAA > Authentication > ldap > LDAP Servers tab. The LDAP Servers screen appears (see Figure 69), displaying a list of the existing LDAP servers.
The LDAP Server Table allows you to manage additional LDAP servers by performing any of the following procedures:

• “Adding an LDAP server” on page 292
• “Reordering additional LDAP servers” on page 293
• “Removing an LDAP server” on page 293

Adding an LDAP server

To add an additional LDAP server, perform the following steps:

1 Select the Secure Access Domain > domain > AAA > Authentication > ldap > LDAP Servers tab.
The new LDAP server is automatically assigned a unique index number, and appears in the LDAP Server Table.
5 Click Apply on the toolbar to send the current changes to the Nortel SNAS 4050. Click Commit on the toolbar to save the changes permanently.

Reordering additional LDAP servers

To adjust the order in which LDAP servers are used, perform the following steps:

1 Select the Secure Access Domain > domain > AAA > Authentication > ldap > LDAP Servers tab.
5 Click Apply on the toolbar to send the current changes to the Nortel SNAS 4050. Click Commit on the toolbar to save the changes permanently.

Managing LDAP macros

You can create your own macros (or variables), to allow you to retrieve data from the LDAP database. You can then map the variable to an LDAP user attribute in order to create user-specific links on the portal Home tab.
To manage LDAP macro variables, select the Secure Access Domain > domain > AAA > Authentication > ldap > LDAP Macros tab. The LDAP Macros screen appears (see Figure 71) and displays a list of existing LDAP macros.
Adding LDAP macros

To create an LDAP macro variable, perform the following steps:

1 Select the Secure Access Domain > domain > AAA > Authentication > ldap > LDAP Macros tab. The LDAP Macros screen appears (see Figure 71 on page 295).
2 Click Add. The Add an LDAP Macro dialog box appears (see Figure 72).

Figure 72 Add an LDAP Macro

3 Enter the LDAP macro information in the applicable fields. Table 48 describes the Add an LDAP Macro fields.
4 Click Apply. The new LDAP macro is automatically assigned a unique index number, and appears in the LDAP Macro Table.
5 Click Apply on the toolbar to send the current changes to the Nortel SNAS 4050. Click Commit on the toolbar to save the changes permanently.

Reordering LDAP macros

To change the order of existing LDAP macro variables, perform the following steps:

1 Select the Secure Access Domain > domain > AAA > Authentication > ldap > LDAP Macros tab.
5 Click Apply on the toolbar to send the current changes to the Nortel SNAS 4050. Click Commit on the toolbar to save the changes permanently.

Next steps

1 Configure additional authentication methods, if desired (see “Configuring RADIUS authentication using the SREM” on page 271 or “Configuring local database authentication using the SREM” on page 298).
2 Set the authentication order (see “Specifying authentication fallback order using the SREM” on page 314).
Adding the Local method

To configure the Nortel SNAS 4050 to use the Local authentication method, perform the following steps:

1 In the Add an Authentication Server dialog box, select Local from the drop-down list. The display of the Add an Authentication Server dialog box refreshes (see Figure 73).
2 Enter the authentication server information in the applicable fields. Table 49 describes the Add an Authentication Server — Local fields.

Table 49 Add an Authentication Server — Local fields
Field  Description
Index  Specifies an integer in the range 1 to 63 that uniquely identifies the authentication method on the Nortel SNAS 4050.
Name   Specifies a name for the authentication method, as a mnemonic aid.
Populating the database

You can populate the Local database in two ways:

• adding users manually (see “Adding users to the local database” on page 301)
• importing a database (see “Importing a database” on page 304)

Adding users to the local database

To manually add individual users to the database, perform the following steps:

1 Select the Secure Access Domain > domain > AAA > Authentication > local > Local Users tab.
2 Click Add. The Add a Local User dialog box appears (see Figure 75).

Figure 75 Add a Local User

3 Enter the local user information in the applicable fields. Table 50 describes the Add a Local User fields.

Table 50 Add a Local User fields
Field      Description
User Name  Specifies a unique user logon name. There are no restrictions on the Nortel SNAS 4050 regarding acceptable user names.
4 Click Apply. The new user entry appears in the list of local users.
5 Repeat step 2 through step 4 for each user you want to add to the database.
6 To remove users from the local users list:
  a Select a user from the table.
  b Click Delete. A confirmation dialog appears.
  c Click Yes. The local user is removed from the list.
7 Click Apply on the toolbar to send the current changes to the Nortel SNAS 4050.
Importing a database

Note: The imported database will overwrite existing entries in the local database.

To import a database of local users, perform the following steps:

1 Select the Secure Access Domain > domain > AAA > Authentication > local > Import Local User Database tab. The Import Local User Database screen appears (see Figure 67).
2 Enter the import information in the applicable fields. Table 45 describes the Import Local User Database fields.

Table 51 Import Local User Database fields
Field     Description
Protocol  Specifies the import protocol. Options are:
          • ftp
          • tftp
          • sftp
          • scp
          The default is ftp.
Host      Specifies the host name or IP address of the server.
Filename  Specifies the name of the database file on the server.
Modifying Local method settings

To modify settings for an existing local or LDAP authentication method, perform the following steps:

1 Select the Secure Access Domain > domain > AAA > Authentication > local > Configuration tab. The Configuration screen appears, showing current settings for the method (see Figure 77).
2 Modify settings for the authentication method as necessary. Table 52 describes the Configuration fields.

Table 52 Configuration fields
Field  Description
Index  Specifies an integer in the range 1 to 63 that uniquely identifies the authentication method on the Nortel SNAS 4050.
Name   Specifies a name for the authentication method, as a mnemonic aid.
2 In the User Name list, select the user you want to edit. The Local Users screen refreshes to display an editing pane in the bottom half of the screen, with the user Configuration tab active (see Figure 78).
3 Modify the local user information in the applicable fields, as necessary. Table 50 describes the Local Users — Configuration fields.

Table 53 Local Users — Configuration fields
Field      Description
User Name  Specifies a unique user logon name. There are no restrictions on the Nortel SNAS 4050 regarding acceptable user names.
2 In the User Name list, select the user you want to edit. The Local Users screen refreshes to display an editing pane in the bottom half of the screen, with the user Configuration tab active (see Figure 78 on page 308).
3 Select the Local User Configuration tab. The Local Users screen refreshes to display the Local User Configuration tab active (see Figure 79).
4 Modify the local user information in the applicable fields, as necessary. Table 50 describes the Local Users — Configuration fields.

Table 54 Local Users — Local User Configuration fields
Field          Description
User Password  Specifies the password that applies to the new user. To only use the local database for authorization after an external authentication server has authenticated the user, enter an asterisk (*).
Confirm        Confirms the user password.
Exporting the database

To export the database of local users, perform the following steps:

1 Select the Secure Access Domain > domain > AAA > Authentication > local > Export Local User Database tab. The Export Local User Database screen appears (see Figure 80).
2 Enter the export information in the applicable fields. Table 55 describes the Export Local User Database fields.

Table 55 Export Local User Database fields
Field     Description
Protocol  Specifies the export protocol. Options are:
          • ftp
          • tftp
          • sftp
          • scp
          The default is ftp.
Host      Specifies the host name or IP address of the server.
Filename  Specifies the name of the database file on the server.
Specifying authentication fallback order using the SREM

Authentication in the Nortel SNAS 4050 solution is performed by checking client credentials against available authentication databases until the first match is found. You specify the order in which the Nortel SNAS 4050 applies the methods configured for the Nortel SNAS 4050 domain. Perform this step even if there is only one method defined on the Nortel SNAS 4050.
Chapter 6 Configuring authentication 315 To specify authentication fallback order, perform these steps: 1 Expand the Secure Access Domain > domain > AAA > Authentication > Authentication Server Table. The Authentication Server Order screen appears (see Figure 80). Figure 81 Authentication Server Order 2 In the Fallback Order section, specify the authentication methods you wish to use by selecting the applicable check boxes.
Chapter 6 Configuring authentication 3 4 Rearrange the list so that the methods appear in the desired order. a Click on a method to select it. b Using the up and down arrows, move the method to the desired position in the list. c Repeat for the other methods until the list is in the desired order. Click Apply on the toolbar to send the current changes to the Nortel SNAS 4050. Click Commit on the toolbar to save the changes permanently.
Chapter 7 TunnelGuard SRS Builder

This chapter includes the following topics:
  Configuring SRS rules (page 318)
  The TunnelGuard user interface (page 318)
  Menu commands (page 319)
  SRS definition toolbar (page 322)
  Software Definition — Available SRS list (page 323)
  SRS Components table (page 323)
  Memory snapshot (page 325)
  TunnelGuard Rule Definition screen (page 325)
  Managing TunnelGuard rules and expressions (page 327)
  Creating a software definition (page 327)
  Adding entries to a software definition (page 328)
  Creating logical expressions (page 333)

Configuring SRS rules

The building blocks used to construct a Software Requirement Set (SRS) are files (or combinations of files) and registry key settings that must either be present or be absent on the client host. You can create different SRS rules for different groups. You must use the TunnelGuard SRS Builder in the SREM to create or modify SRS rules. You cannot create your own SRS rules using the CLI.

• “Software Definition — Available SRS list” on page 323
• “Memory snapshot” on page 325
• “TunnelGuard Rule Definition screen” on page 325

Menu commands

Most functions within the TunnelGuard SRS Builder tool are accessed through the following menus:
• “File menu” on page 319
• “Software Definition menu” on page 319
• “Software Definition Entry menu” on page 320
• “TunnelGuard Rule menu” on page 321
• “Tool menu” on page 321

File menu

Table 56 describes important i

Table 57 Software Definition menu items (Sheet 2 of 2)
  Clone Software Definition: Clones the selected software definition.
  Import Software Definition: Imports a software definition from an XML-formatted file.
  Export Software Definition: Exports a software definition to an XML-formatted file.
  Edit Software Definition Comment: Edits the comment for the selected software definition.

Table 58 Software Definition Entry menu items (Sheet 2 of 2)
  Add Vendor-Customized API call check: Implements a third-party API call to do additional checking on the software.
  Modify Registry entry: Modifies the registry entry.
  Ignore Hash Checking: Select this item to ignore the hash value checking for the selected SRS entry.
  Default Hash Algorithm: Select the default hash algorithm, MD5 or SHA1.

SRS definition toolbar

The buttons on the SRS definition toolbar allow you to create, delete, and manage software requirement sets. Figure 82 on page 322 describes the toolbar icons. For a description of each item, see Table 61 on page 322.

Software Definition — Available SRS list

The available SRS list shown in the Software Definition section of the TunnelGuard SRS Builder main screen is initially retrieved from the Nortel SNAS 4050. The list is updated when you make changes and click Save while running the SRS Builder.

Customizing a component

When an SRS component is selected by clicking on it, you can customize it using the toolbar below the component table, as shown in Figure 83. To learn more about the available customizations, see Table 63.

Memory snapshot

The memory snapshot section in the lower half of the TunnelGuard SRS Builder Software Definition screen displays all processes currently running on the administrator’s system. You can add any process currently running and loaded into the memory snapshot to the SRS set by double-clicking on it or by using the Add a selected memory module menu command. To view descriptions of the information displayed, see Table 64.

SRS Rule list

The SRS Rule list shows the existing SRS rules. These rules are retrieved from the Nortel SNAS 4050 when the TunnelGuard SRS Builder applet starts up. For a description of the information provided, see Table 65.

Table 65 SRS Rule information
  TunnelGuard Rule Name: Shows the name of the rule.
  TunnelGuard Rule Expression: Provides the rule expression.
  TunnelGuard Rule Comment: Shows any comments related to the rule.

Once the expression is formed, it is available for rule definitions. Any unused expressions are not saved on the Nortel SNAS 4050 and hence are not available after the TunnelGuard SRS Builder applet is closed.

Managing TunnelGuard rules and expressions

When the TunnelGuard applet is launched, all processes that are currently running on your local system are displayed in the memory snapshot section at the bottom.

Figure 84 The New SRS window

2 Enter a name for the software definition and click OK.
  For example, to create a software definition specifying the antivirus modules that must be present on the client system, enter the name “Antivirus”. The new software definition is added in the Software Definition area.

Figure 85 The Create New Memory Module SRS window

3 In the File (or Module) Path field, verify that the correct file or module is selected. If you want to add another file or module to the current software definition, click Browse Local System and find the desired file.
4 Select the Fetch Module Path from Registry Entry check box if the module name can be fetched from a local registry entry on the desktop PC.

If enabled, the client system is searched for the specified file name, irrespective of the path to the folder.
6 In the Process Name field, enter the name of the process whose module you wish to add as a software definition entry. The name of the selected process is displayed by default.
7 In the Min and Max Version area, you can specify the minimum or maximum version of the file/module. If there are no restrictions as to version (minimum or maximum), select Any.

The file/module is added as an entry in the selected software definition. If you click the Save and More button, the entry is saved but the Create New Memory Module SRS window remains open so you can add more entries to the current software definition.
12 Select the TunnelGuard Rule Definition tab.
  A TunnelGuard SRS rule and expression with the same name as the software definition are automatically created and shown on the TunnelGuard Rule Definition tab.

To create a software definition entry for a file not shown in the memory snapshot, perform the following steps:
1 On the Software Definition Entry menu, select Add OnDisk File as entry. To include the file in a new software definition, first create the new software definition (select New Software Definition on the Software Definition menu).
  The Create New ON Disk SRS Entry window is displayed (see Figure 86).

3 Select the Fetch Module Path from Registry Entry check box if the file name can be fetched from a local registry entry on the desktop PC. Then enter the desired key path and key value in the fields. Use this option if a module name varies between setups and is available in a registry key.
4 Specify the desired limitations regarding version and file age. See the previous section for more detailed information about these options.

2 Click the TunnelGuard Rule Definition tab.
  TunnelGuard rules and expressions with the same names as the software definitions have been created and appear on the TunnelGuard Rule Definition tab (see Figure 87).

Figure 87 The TunnelGuard Rule Definition tab

In the example above, two TunnelGuard rules have been created, each defining a unique application.

4 Select another expression that you will use to form a new logical expression in combination with the first.
5 Using the radio buttons, select the type of expression you wish to construct, in this example an AND expression.
  The AND expression lets you construct a logical expression where both conditions must be met for the TunnelGuard checks to pass.

Figure 88 The Available Expressions screen

7 Create a new TunnelGuard Rule. On the TunnelGuard Rule menu, select New TunnelGuard Rule.
  The New SRS Rule window appears (see Figure 89).

Figure 89 The New SRS Rule window

8 Enter a name for the TunnelGuard rule and click OK.
  The new rule name appears in the TunnelGuard Rule Name column (see Figure 90).

Figure 90 The TunnelGuard Rule Name screen

9 Click the TunnelGuard Rule Expression column. This column converts to a drop-down list. Scroll through the list of expressions and choose the expression you would like to associate with this rule.
  Any logical expression that you create may be used in a new logical expression, for example to construct more complex conditions.

Registry-based rules

TunnelGuard Agent supports checking of on-disk files, running processes, hash checking, and version numbers to verify installed software packages. Reading the registry settings on a client’s PC is another way of checking software packages and their installed state.

Table 66 describes the supported operands for integer values.

Table 67 describes the supported constructs for string-based regular expressions.

Table 67 Constructs for string-based regular expressions (Sheet 1 of 2)
  x: The character x

Table 67 Constructs for string-based regular expressions (Sheet 2 of 2)
  $: The end of a line
  \b: A word boundary

The following are examples of regular expressions for string-based Registry Key values:
• ^Nortel .*Networks — matches anything that starts with Nortel and ends with Networks
• \w* — matches TunnelGuard_2; does not match TunnelGuard_2.0.0 (the word definition includes “_” but not “.”)
• [a-z]{2}_[\.\d]+ — matches tg_2.0
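As an added illustration (not code from the guide or from TunnelGuard), the following Python evaluates the three string-based Registry Key value patterns above against constructed registry values, reporting a pass/fail and reason per entry the way a rule comment would. It assumes the pattern must match the whole value (the only reading under which \w* accepts TunnelGuard_2 but rejects TunnelGuard_2.0.0); the key paths and value names are placeholders.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class RegistryRule:
    """One Registry Entry check: key path, value name and string pattern.

    The key paths and value names used below are constructed placeholders,
    not entries taken from the guide.
    """
    key_path: str
    value_name: str
    pattern: str  # string-based regular expression built from Table 67 constructs


def value_matches(pattern, value):
    """True when the registry value satisfies the pattern as a whole.

    Assumption (not stated in the guide): the pattern has to cover the entire
    value. That is the only reading under which \\w* matches TunnelGuard_2 but
    rejects TunnelGuard_2.0.0, as the guide's second example states.
    """
    return re.fullmatch(pattern, value) is not None


def evaluate_rules(rules, registry):
    """Evaluate each rule against a registry snapshot.

    registry maps (key_path, value_name) to the string data a client-side
    agent would read. Returns {rule: (passed, reason)}; the reason is the kind
    of detail a TunnelGuard rule comment would relay to the user on failure.
    """
    results = {}
    for rule in rules:
        data = registry.get((rule.key_path, rule.value_name))
        if data is None:
            results[rule] = (False, "registry value not present on client")
        elif value_matches(rule.pattern, data):
            results[rule] = (True, "value %r matches %r" % (data, rule.pattern))
        else:
            results[rule] = (False, "value %r does not match %r" % (data, rule.pattern))
    return results


# Constructed sample: three rules, one per example pattern from the guide.
SAMPLE_RULES = [
    RegistryRule(r"HKLM\SOFTWARE\ExampleAV", "Vendor", r"^Nortel .*Networks"),
    RegistryRule(r"HKLM\SOFTWARE\ExampleAV", "Product", r"\w*"),
    RegistryRule(r"HKLM\SOFTWARE\ExampleAV", "Version", r"[a-z]{2}_[\.\d]+"),
]

# Constructed client snapshot: passes the Vendor and Version rules, but the
# Product value contains dots, so the \w* rule fails on it.
SAMPLE_REGISTRY = {
    (r"HKLM\SOFTWARE\ExampleAV", "Vendor"): "Nortel Secure Networks",
    (r"HKLM\SOFTWARE\ExampleAV", "Product"): "TunnelGuard_2.0.0",
    (r"HKLM\SOFTWARE\ExampleAV", "Version"): "tg_2.0",
}


def sample_outcome():
    """Return [(value name, passed), ...] for the constructed sample."""
    results = evaluate_rules(SAMPLE_RULES, SAMPLE_REGISTRY)
    return [(rule.value_name, passed) for rule, (passed, _) in results.items()]


if __name__ == "__main__":
    for rule, (passed, reason) in evaluate_rules(SAMPLE_RULES, SAMPLE_REGISTRY).items():
        print("%s %-8s %s" % ("PASS" if passed else "FAIL", rule.value_name, reason))
```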
Figure 91 Registry Entry page

3 Select the Registry Key Path from the Registry Editor.
4 Select the Key Value type.
5 Enter the Key Value Data Expression.
6 Click OK. If you want to create multiple entries, click Save and More. This saves the current entry and opens another window for you to create another Registry entry.

Manually creating SRS entries

The administrator tool applet provides OnDisk and Memory Module buttons to create custom SRS entries and rules without anything installed on a desktop PC. In order to create these rules, you must know the names of the executables or files to be checked. Since these rules are created manually, extra care is required to avoid mistakes.

Figure 92 Create new OnDisk SRS Entry

3 Click Browse Local System to select the File or Module Path.
  The File (OR Module) Path appears in the text box and the rest of the information on the page is filled in automatically.
  Note: If you select Fetch Module Path from Registry Entry, you must manually enter the Registry Entry and the Key Value. The other fields on the page must also be completed manually.
4 Select the desired Min Version option.

6 Click an option button for either Relative Date/Time Range or Specific Date/Time Range.
  a If you select Relative Date/Time Range, enter the number of days in the Not Older Than (in days) text box.
  b If you select Specific Date/Time Range, click a radio button for either Any or Specify Date/Time for the From Date/Time and To Date/Time.
    — If you selected Specify Date/Time, enter the specific date and time in the From Date/Time and To Date/Time text boxes.

Figure 93 Create new Memory Module SRS entry

3 Click Browse Local System to select the File or Module Path.
  The File (OR Module) Path appears in the text box and the rest of the information on the page is filled in automatically.
  Note: If you select Fetch Module Path from Registry Entry, you must enter the Registry Entry and the Key Value. The rest of the fields on the page must also be completed manually.

6 Click an option button for Max Version.
7 Click an option button for either Relative Date/Time Range or Specific Date/Time Range.
  a If you select Relative Date/Time Range, enter the number of days in the Not Older Than (in days) text box.

Figure 94 Date/Time Range

Adding comments

• “Adding a TunnelGuard rule comment” on page 348
• “Adding a software definition comment” on page 349

Adding a TunnelGuard rule comment

By adding a TunnelGuard rule comment to a TunnelGuard rule, you can provide important information to the user (for example, the reason the TunnelGuard checks failed and the recommended action).

3 Click the button to display the Rule Comment window (see Figure 95 on page 349).

Figure 95 The Rule Comment window

4 Type the comment and click OK.

Adding a software definition comment

The software definition comment is shown in the message displayed when the user clicks the details link on the Portal login page.
1 Click the Software Definition tab.
2 On the Software Definition menu, select Edit Software Definition Comment.

Deleting a software definition

1 Click the Software Definition tab.
2 In the Software Definition column, select the desired software definition.
3 Click the trash can symbol on the toolbar located above the Software Definition column.
Note: You cannot delete a software definition that is used in a TunnelGuard rule. Delete the TunnelGuard rule first.

2 In the Available Expressions area, select the desired expression and click the Delete Expression button.
Note: You cannot delete an expression that is used in a TunnelGuard rule.

TunnelGuard support for API calls

TunnelGuard can interact with applications from other software vendors. In addition to its own checks, TunnelGuard can be configured to communicate with other applications and ask for their status.
Chapter 8 Managing system users and groups

This chapter includes the following topics:
  User rights and group membership (page 354)
  Managing system users and groups using the CLI (page 355)
  Roadmap of system user management commands (page 355)
  Managing user accounts and passwords using the CLI (page 356)
  Managing user settings using the CLI (page 358)
  Managing user groups using the CLI (page 359)
  CLI configuration examples (page 360)
  Managing system users and groups using the SREM (page 370)
  Managing user accounts using the SREM

User rights and group membership

There are three groups of system users who routinely access the system for configuration and management:
• admin (administrator)
• certadmin (certificate administrator)
• oper (operator)

Note: There are two additional types of users with specialized functions: boot and root. For more information, see “Accessing the Nortel SNAS 4050 cluster” on page 775.

Group membership dictates user rights, as shown in Table 68 on page 354.

Managing system users and groups using the CLI

To manage system users and groups, access the User menu by using the following command:

    /cfg/sys/user

From the User menu, you can configure and manage the following:
• add new users (for a detailed example, see “Adding a new user” on page 360)
• reassign users (for a detailed example, see “Changing a user’s group assignment” on page 365)
• change passwords (for a detailed example, see “Changing passwords” on p

Command: /cfg/sys/user/edit /groups
  Parameters:
    list
    del
    add admin|oper|certadmin

Managing user accounts and passwords using the CLI

To change the password for the currently logged on user and to add or delete user accounts, access the User menu by using the following command:

    /cfg/sys/user

The User menu displays.

/cfg/sys/user followed by:
  del: Removes the specified user account from the system. Of the three built-in users (admin, oper, and root), only the oper user can be deleted. You must have administrator rights in order to delete user accounts.
    Note: When you delete a user, the user’s group assignment is also deleted. If you are deleting a user who is the sole member of a group, none of the remaining users on the system can then be added to that group.
  edit: Accesses the User menu in order to change user settings (see “Managing user settings using the CLI” on page 358). You must have administrator rights in order to change a user’s settings. You must also be a member of the first group listed for the other user.

To set or change the login password for a specified user and to view and manage group assignments, access the User menu by using the following command:

    /cfg/sys/user/edit

The User menu displays. The User menu includes the following options:

/cfg/sys/user/edit followed by:
  password: Sets the login password for the specified user.

To set or change a user’s group assignment, access the Groups menu by using the following command:

    /cfg/sys/user/edit /groups

The Groups menu displays. The Groups menu includes the following options:

/cfg/sys/user/edit /groups followed by:
  list: Lists all groups to which the user is currently assigned, by group index number.
  del: Removes the user from the specified group.

In this configuration example, a certificate administrator user is added to the system and then assigned to the certadmin group. The certificate administrator specializes in managing certificates and private keys, without the possibility to change system parameters or configure virtual SSL servers. A user who is a member of the certadmin group can therefore access the Certificate menu (/cfg/cert), but not the SSL Server 1001 menu (/cfg/domain #/server/ssl).

  — oper
  — admin
  — certadmin

By default, the admin user is a member of all the groups above, and can therefore assign a new or existing user to any of these groups. The group assignment of a user dictates the user rights and access levels to the system.

    >> User# edit cert_admin
    >> User cert_admin# groups/add
    Enter group name: certadmin

5 Verify and apply the group assignment.

7 Apply the changes.

    >> User cert_admin# apply
    Changes applied successfully.

8 Let the Certificate Administrator user define an export passphrase.
  This step is only necessary if you want to fully separate the Certificate Administrator user role from the Administrator user role. If the admin user is removed from the certadmin group (as in Step 9), a Certificate Administrator export passphrase (caphrase) must be defined.
9 Remove the admin user from the certadmin group.
  Again, this step is only necessary if you want to fully separate the Certificate Administrator user role from the Administrator user role. Note, however, that once the admin user is removed from the certadmin group, only a user who is already a member of the certadmin group can grant the admin user certadmin group membership anew.

Changing a user’s group assignment

Only users who are members of the admin group can remove other users from a group. All users can add an existing user to a group, but only to a group in which the “granting” user is already a member. The admin user, who by default is a member of all three groups (admin, oper, and certadmin), can therefore add users to any of these groups.
1 Log on to the Nortel SNAS 4050 cluster.

Note: A user must be assigned to at least one group at any given time. If you want to replace a user’s single group assignment, you must therefore always first add the user to the desired new group, then remove the user from the old group.

4 Verify and apply the changes.

    >> Groups# list
    Old:
      1: admin
      2: oper
    Pending:
      1: admin
      2: oper
      3: certadmin
    >> Groups# apply

Changing passwords

Changing your own password

All users can change their own password.

2 Access the User Menu.

    >> Main# /cfg/sys/user
    ------------------------------------------------------------
    [User Menu]
         passwd   - Change own password
         list     - List all users
         del      - Delete a user
         add      - Add a new user
         edit     - Edit a user
         caphrase - Certadmin export passphrase

    >> User#

  Type the passwd command to change your current password. When your own password is changed, the change takes effect immediately, without having to use the apply command.

2 Access the User Menu.

    >> Main# /cfg/sys/user
    ------------------------------------------------------------
    [User Menu]
         passwd   - Change own password
         list     - List all users
         del      - Delete a user
         add      - Add a new user
         edit     - Edit a user
         caphrase - Certadmin export passphrase

    >> User#

3 Specify the user name of the user whose password you want to change.

    >> User# edit
    Name of user to edit: cert_admin

4 Type the password command to initialize the password change.

Deleting a user

To delete a user from the system, you must be a member of the admin group. By default, only the admin user is a member of the admin group.

Note: Remember that when a user is deleted, that user’s group assignment is also deleted. If you are deleting a user who is the sole member of a group, none of the remaining users on the system can then be added to that group.

The imminent removal of the cert_admin user is indicated as a pending configuration change by the minus sign (-). To cancel a configuration change that has not yet been applied, use the revert command.

The User Table appears (see Figure 96), displaying a list of the user accounts that have been added to the Nortel SNAS 4050.

Figure 96 User Table

Only the admin user can add users to the system. After adding a user, you must assign the user to a group (see “Managing user groups using the SREM” on page 381).

Only the admin user can delete users from the system. Of the three built-in users (admin, oper, and root), only the oper user can be deleted.

Note: When you delete a user, the user’s group assignment is also deleted. If you are deleting a user who is the sole member of a group, none of the remaining users on the system can then be added to that group.

Existing users can only be added to a group by a user who is already a member of that group.
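The following Python model is an added illustration, not Nortel SNAS 4050 code. It encodes the group-membership rules this chapter states for both the CLI and the SREM (a user can grant only a group it already holds, only admin-group members remove memberships or delete users, every user keeps at least one group, and deleting a user deletes its group assignment), then replays the certadmin separation example to show the lockout the delete-user Note warns about. The user and group names are the guide's; the walkthrough and starting state are constructed, and root is omitted because the guide does not describe its group membership.

```python
class SystemUserStore:
    """Model of the guide's rules for system users and group membership.

    Constructed for illustration only. Starting state follows the guide:
    admin belongs to all three groups, oper to the oper group.
    """

    GROUPS = ("admin", "oper", "certadmin")

    def __init__(self):
        self.members = {"admin": ["admin", "oper", "certadmin"], "oper": ["oper"]}

    def in_group(self, user, group):
        return group in self.members.get(user, [])

    def add_user(self, actor, name):
        """Only an administrator adds accounts; a new account starts with no group."""
        if not self.in_group(actor, "admin"):
            return (False, "only administrators can add users")
        if name in self.members:
            return (False, "user %s already exists" % name)
        self.members[name] = []  # must be assigned to a group afterwards
        return (True, "user %s added" % name)

    def add_to_group(self, actor, target, group):
        """Anyone may grant a group, but only one the granting user already holds."""
        if group not in self.GROUPS:
            return (False, "unknown group %s" % group)
        if target not in self.members:
            return (False, "no such user %s" % target)
        if not self.in_group(actor, group):
            return (False, "%s is not a member of %s and cannot grant it" % (actor, group))
        if group not in self.members[target]:
            self.members[target].append(group)
        return (True, "%s added to %s" % (target, group))

    def remove_from_group(self, actor, target, group):
        """Only admin-group members remove; a user always keeps at least one group."""
        if not self.in_group(actor, "admin"):
            return (False, "only members of the admin group can remove group membership")
        if not self.in_group(target, group):
            return (False, "%s is not in %s" % (target, group))
        if len(self.members[target]) == 1:
            return (False, "add %s to the new group before removing the old one" % target)
        self.members[target].remove(group)
        return (True, "%s removed from %s" % (target, group))

    def delete_user(self, actor, target):
        """Admin-group members delete accounts; admin and root cannot be deleted."""
        if not self.in_group(actor, "admin"):
            return (False, "only members of the admin group can delete users")
        if target in ("admin", "root"):
            return (False, "built-in user %s cannot be deleted" % target)
        if target not in self.members:
            return (False, "no such user %s" % target)
        del self.members[target]  # the group assignment goes with the account
        return (True, "%s deleted" % target)

    def grantable_groups(self):
        """Groups that at least one remaining user can still grant to others."""
        return {g for g in self.GROUPS if any(self.in_group(u, g) for u in self.members)}


def separated_certadmin_walkthrough():
    """Replay the certadmin separation example, then the sole-member lockout.

    Returns the list of per-step outcomes and the groups that can still be
    granted once the only certadmin member has been deleted.
    """
    store = SystemUserStore()
    outcomes = []
    outcomes.append(store.add_user("admin", "cert_admin")[0])                 # True
    outcomes.append(store.add_to_group("admin", "cert_admin", "certadmin")[0])  # True
    # oper is not in certadmin, so it cannot grant that group to anyone.
    outcomes.append(store.add_to_group("oper", "cert_admin", "certadmin")[0])   # False
    # Step 9 of the guide's example: admin leaves certadmin (keeps admin, oper).
    outcomes.append(store.remove_from_group("admin", "admin", "certadmin")[0])  # True
    # Only a certadmin member can now grant certadmin; admin cannot self-grant.
    outcomes.append(store.add_to_group("admin", "admin", "certadmin")[0])       # False
    # Deleting the sole certadmin member leaves nobody able to grant it again.
    outcomes.append(store.delete_user("admin", "cert_admin")[0])               # True
    return outcomes, store.grantable_groups()


if __name__ == "__main__":
    steps, still_grantable = separated_certadmin_walkthrough()
    print("step outcomes:", steps)
    print("groups someone can still grant:", sorted(still_grantable))
```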
3 Enter the user information in the applicable fields. Table 69 describes the Add a User fields.

Table 69 Add a User fields
  Name: The user name for the new user. The maximum length of the user name is 255 characters. No spaces are allowed.

4 Click Apply.
  The new user entry appears in the User Table.
5 Click Apply on the toolbar to send the current changes to the Nortel SNAS 4050.

Setting password expiry using the SREM

To set a password expiry date for all passwords in the system, perform the following steps:
1 Select the System > Manage Users > Password Setting tab.
  The Password Setting screen appears (see Figure 98).
2 Enter the Password Setting information in the applicable fields. Table 70 describes the Password Settings fields.

Table 70 Password Settings fields
  Password Expiration Interval: Sets the password expiration interval, in days (d). A value of 0 indicates that the password never expires.

3 Click Apply on the toolbar to send the current changes to the Nortel SNAS 4050. Click Commit on the toolbar to save the changes permanently.

Changing your password using the SREM

Only the admin user can change the passwords of other users. Logged on users can change their own passwords.

To change the password for the logged on user, perform the following steps:
1 Select the System > Manage Users > Change Your Password tab.
  The Change Your Password screen appears (see Figure 99).
2 Enter the password information in the applicable fields. Table 71 describes the Change Your Password fields.

Table 71 Change Your Password fields
  Current Password: The current password.
  Enter New Password: Sets the new password. The password must be at least four characters and can contain spaces. The password is case sensitive.
  Re-enter New Password: Confirms the new password.

3 Click Change Password.

To change the password for another user, perform the following steps:
1 Select the System > Manage Users > user > Change User Password tab.
  The Change User Password screen appears (see Figure 100).
2 Enter the password information in the applicable fields. Table 72 describes the Change User Password fields.

Table 72 Change User Password fields
  Current Administrator Password: The current password of the admin user performing the change.
  Enter New Password: Sets the new password. The password must be at least four characters and can contain spaces. The password is case sensitive.
  Re-enter New Password: Confirms the new password.

To set a certificate export pass phrase, perform the following steps:
1 Select the System > Manage Users > Set Certificate Export PassPhrase tab.
  The Set Certificate Export PassPhrase screen appears (see Figure 101).
2 Enter the PassPhrase information in the applicable fields. Table 73 describes the Set Certificate Export PassPhrase fields.

Table 73 Set Certificate Export PassPhrase fields
  Enter New Pass Phrase: Sets the pass phrase. Must be at least four characters.
  Re-enter New Pass Phrase: Confirms the pass phrase.

3 Click Set Pass Phrase.
4 Click Apply on the toolbar to send the current changes to the Nortel SNAS 4050.

To manage the group to which a user belongs, select the System > Manage Users > user > User Groups tab. The User Groups screen appears, displaying the user’s current group membership (see Figure 102).

2 Click Add.
  The Add a User Group dialog box appears (see Figure 103).

Figure 103 Add a User Group

3 Enter the User Group information in the applicable fields. Table 74 describes the Add a User Group fields.

Table 74 Add a User Group fields
  Name: Specifies the name of the group to which you are adding the user. Options are oper, admin, and certadmin.

4 Click Add.
  The new user group appears in the table.

The user group is immediately removed from the User Group Table.
5 Click Apply on the toolbar to send the current changes to the Nortel SNAS 4050. Click Commit on the toolbar to save the changes permanently.
Chapter 9 Customizing the portal and user logon

This chapter includes the following topics:
  Overview (page 386)
  Captive portal and Exclude List (page 386)
  Portal display (page 389)
  Managing the end user experience (page 397)
  Customizing the portal and logon using the CLI (page 398)
  Roadmap of portal and logon configuration commands (page 398)
  Configuring the captive portal using the CLI (page 400)
  Configuring the Exclude List using the CLI (page 401)
  Changing the portal language using the CLI (page 402)
  Configuring the portal display
  Changing the portal colors using the SREM (page 431)
  Configuring custom content using the SREM (page 433)
  Configuring linksets using the SREM (page 439)
  Configuring links using the SREM (page 444)

Overview

The end user accesses the Nortel SNA network through the Nortel SNAS 4050 portal.

• redirects client requests to an authentication page served by the portal

The DHCP server must be configured to assign the portal Virtual IP address (pVIP) as the DNS server when the client is in the Red VLAN. The DHCP server is configured to specify the regular DNS servers for the scopes for the Green and Yellow VLANs.

Table 75 lists the regular expressions and escape sequences you can use in an Exclude List entry. The set of allowable regular expressions is a subset of the set found in egrep and in the AWK programming language. The escape sequences are those allowed in Erlang strings.

Table 75 Allowed regular expressions and escape sequences
  Expressions:
    c: Matches the non-metacharacter c.
    \c: Matches the literal character c (see escape sequences).

Table 75 Allowed regular expressions and escape sequences (continued)
    \ddd: The octal value ddd
    \: Literal character. For example: \c for the literal character c, \\ for a backslash, \" for double quotation marks (")

Portal display

You can modify the following features of the portal display and behavior:
• portal look and feel (see “Portal look and feel” on page 389)
• language used (see “Language localization” on page 392)
• links (see “Linksets and links”

Default appearance

Figure 104 shows the default portal Home tab.

• color3 — the fields, information area, and clean icons on the active tab
• color4 — not used

There are five optional color themes. The themes are predefined sets of web-safe colors that complement each other.
• aqua
• apple
• jeans
• cinnamon
• candy

You can change the individual colors, but Nortel recommends using the color themes to change the look and feel of the portal page.

Table 76 Common colors, with hexadecimal codes (Sheet 2 of 2)
  Brown: A52A2A
  Beige: F5F5DC
  Lime green: 32CD32
  Light green: 90EE90
  Dark blue: 00008B
  Navy: 000080
  Light skyblue: 87CEFA
  Medium blue: 0000CD
  Dark red: 8B0000

For the commands to configure the colors used on the portal, see “Changing the portal colors using the CLI” on page 408 or “Changing the portal colors using the SREM” on page 431.

To change the language displayed for tab names, general text, messages, buttons, and field labels on the portal page, do the following:
1 Export the language definition template (see “Configuring language support using the CLI” on page 402 or “Importing and exporting language definitions” on page 422).
2 Translate the language definition template file.
  a Open the file with a text editor such as Notepad.

Linksets and links

You can add the following types of links to the portal Home tab:
• External — links directly to a web page. Suitable for external web sites.
• FTP — links to a directory on an FTP server.

A linkset is a set of one or more links. Each linkset configured for the domain can be mapped to one or more groups and extended profiles in the domain.

Planning the linksets

Plan your configuration so that linksets containing common links are separate from linksets containing group-specific links. Also ensure that the links you are providing to resources do not contradict the client’s access rights. You can control the order in which links display on the portal Home tab. Consider the following in your planning:
• Linksets for the group display after the linksets for the client’s extended profile.

Automatic redirection to internal sites

You can configure the portal to automatically redirect authenticated clients to an internal site. Unlike the linkset autorun feature, automatic redirection does not open a new browser window. Rather, it replaces the default Home page in the internal frame on the portal browser page. As long as the browser remains open, the session remains logged in.

Table 77 Examples of redirection URLs and link text (Sheet 2 of 2)
  Purpose: Redirect clients to different sites, depending on their group membership (deptA or deptB).
  Redirection URL or link text: Linktext (static text) entry: