Identity Engines Ignition Server
Ethernet Routing Switch 8600, 8300, 1600, 5500, 5600, 4500, 2500
Engineering > Switch User Authentication using Identity Engines Ignition Server Technical Configuration Guide
Enterprise Networking Solutions
Document Date: October 2009
Document Number: NN48500-589
Document Version: 1.0
Nortel Switch User Authentication Technical Configuration Guide v1.0 NN48500-589

Nortel is a recognized leader in delivering communications capabilities that enhance the human experience, ignite and power global commerce, and secure and protect the world’s most critical information.
Abstract

Revision Control
No | Date | Version | Revised by | Remarks
1 | 10/09/2009 | 1.0 | JVE | Initial release

Nortel Confidential Information
Copyright © 2009 Nortel Networks. All Rights Reserved.
TABLE OF CONTENTS
Conventions
1. Overview: RADIUS User Authentication using Identity Engines
   1.1 RADIUS Support on Nortel Switches
   1.2
   1.3 User Authentication using ERS5600, ERS5500, ERS4500, or ERS2500
2. ERS8600 Switch Configuration Example
Conventions

This section describes the text, image, and command conventions used in this document.

Symbols:
Tip – Highlights a configuration or technical tip.
Note – Highlights important information to the reader.
Warning – Highlights important information about an action that may result in equipment damage, configuration or data loss.

Text: Bold text indicates emphasis.
1. Overview: RADIUS User Authentication using Identity Engines

This document provides the framework for implementing user Authentication, Authorization, and Accounting (AAA) for Nortel switches.

1.1 RADIUS Support on Nortel Switches

Feature | ERS 8600 | ERS 8300 | ERS 1600 | ES 460/470 | ERS 2500 | ERS 4500 | ERS 5500 | ERS 5600
RADIUS authentication | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes
802.
1.3 User Authentication using ERS5600, ERS5500, ERS4500, or ERS2500

The ERS5600, ERS5500, ERS4500, and ERS2500 each support two user access levels, read-only and read-write. RADIUS attribute type 6, Service-Type, is used to determine the access level.
2. ERS8600 Switch Configuration Example

For this configuration example, we will enable RADIUS user authentication on ERS8600-1 using the out-of-band management port.
2.1 Part 1: Basic AAA Configuration

2.1.1 ERS8600 Configuration

This example assumes the out-of-band management port is used.

2.1.1.1 Add out-of-band IP address

ERS8600-1 Step 1 – Add out-of-band IP address and route

ERS-8606:5# config bootconfig net mgmt ip 47.133.60.25/24
ERS-8606:5# config bootconfig net mgmt route add 47.0.0.0/8 47.133.60.1

2.1.1.
2.1.2 ERS 8600 Switch: Verify Operations

2.1.2.
2.1.3 IDE Setup

2.1.3.1 Configure an Outbound Attribute on Ignition Server for Access Priority

The following chart displays the outbound attribute values required by the ERS8600 for each access level, sent as RADIUS vendor identifier 1584 (Bay Networks) attribute type 192. For this example, we will configure IDE with attribute values of 1 (read-only-access), 5 (read-write-access), and 6 (read-write-all-access).
IDE Step 2 – Go to Site Configuration -> Provisioning -> Outbound Attributes -> New

IDE Step 3 – Via the Outbound Attribute window, type in a name for the attribute to be used for access priority (i.e. ERS8600-Access-Priority as used in this example), click the VSA radio button, select Bay-Networks via Vendor and ERS8xxx-Access-Priority via VSA.

IDE Step 4 – Go to Site Configuration -> Provisioning -> Outbound Values -> New

IDE Step 5 – Using the Outbound Attribute created in Step 3, we will first add an attribute value of 1 for read-only-access. Start by entering a name via the Outbound Value Name: window (i.e.

IDE Step 6 – Select the Outbound Attribute name created in Step 3 (i.e. ERS8600-Access-Priority as used in this example) via the Choose Global Outbound Attribute: pull-down menu. In the Value Unsigned – 32 bit window, enter 1 (a value of 1 signifies read-only-access). Click on OK twice when done.

IDE Step 7 – Go to Site Configuration -> Provisioning -> Outbound Values -> New again to create the outbound value for read-write-access. Using the Outbound Attribute created in Step 3, we will add an attribute value of 5 for read-write-access. Start by entering a name via the Outbound Value Name: window (i.e.

IDE Step 8 – Select the Outbound Attribute name created in Step 3 (i.e. ERS8600-Access-Priority as used in this example) via the Choose Global Outbound Attribute: pull-down menu. In the Value Unsigned – 32 bit window, enter 5 (a value of 5 signifies read-write-access). Click on OK twice when done.

IDE Step 9 – Go to Site Configuration -> Provisioning -> Outbound Values -> New again to create the outbound value for read-write-all-access. Using the Outbound Attribute created in Step 3, we will add an attribute value of 6 for read-write-all-access. Start by entering a name via the Outbound Value Name: window (i.e.

IDE Step 10 – Select the Outbound Attribute name created in Step 3 (i.e. ERS8600-Access-Priority as used in this example) via the Choose Global Outbound Attribute: pull-down menu. In the Value Unsigned – 32 bit window, enter 6 (a value of 6 signifies read-write-all-access). Click on OK twice when done.
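The Access-Priority values configured above (1, 5 and 6 for the ERS8600) and the Service-Type values used for the ERS5600, ERS5500, ERS4500 and ERS2500 in section 3.2.1 (7 = NAS-Prompt for read-only, 6 = Administrative for read-write) only take effect if the Access-Accept carries them in the encoding the switch expects. The following Python script is an added example and is not part of this guide or of the Ignition Server product: it builds the Bay-Networks Vendor-Specific attribute (vendor 1584, sub-type 192) and the standard Service-Type attribute in RFC 2865 wire format, parses them back, and maps them to the access level the switch will grant. The platform labels "ers8600" and "ers", the function names, and returning None for a reply with no usable attribute are this example's own assumptions.

```python
import struct

# RFC 2865 attribute types and the Bay Networks vendor identifier / VSA sub-type from this guide.
ATTR_SERVICE_TYPE = 6
ATTR_VENDOR_SPECIFIC = 26
VENDOR_BAY_NETWORKS = 1584
VSA_ERS8XXX_ACCESS_PRIORITY = 192

# ERS8600 Access-Priority values (section 2.1.3.1) and ERS5600/5500/4500/2500
# Service-Type values (section 3.2.1: 7 = NAS-Prompt, 6 = Administrative).
ERS8600_LEVELS = {1: "read-only", 5: "read-write", 6: "read-write-all"}
ERS_SERVICE_TYPE_LEVELS = {7: "read-only", 6: "read-write"}


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """One RADIUS attribute: Type, Length (header included), Value."""
    if len(value) > 253:
        raise ValueError("attribute value exceeds 253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def encode_vsa(vendor_id: int, vendor_type: int, value: bytes) -> bytes:
    """Vendor-Specific (26) attribute carrying one vendor sub-attribute (RFC 2865 section 5.26)."""
    sub = struct.pack("!BB", vendor_type, len(value) + 2) + value
    return encode_attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + sub)


def ers8600_access_priority(level: int) -> bytes:
    """Outbound value for the ERS8600: Bay-Networks VSA 192 as an unsigned 32-bit integer."""
    return encode_vsa(VENDOR_BAY_NETWORKS, VSA_ERS8XXX_ACCESS_PRIORITY, struct.pack("!I", level))


def ers_service_type(service_type: int) -> bytes:
    """Outbound value for the ERS5600-class switches: the standard Service-Type attribute."""
    return encode_attr(ATTR_SERVICE_TYPE, struct.pack("!I", service_type))


def parse_attrs(payload: bytes) -> list:
    """Return (type, vendor_id, vendor_type, value) tuples; the vendor fields are None for
    ordinary attributes. Malformed lengths raise instead of being silently skipped."""
    attrs, pos = [], 0
    while pos < len(payload):
        if len(payload) - pos < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = payload[pos], payload[pos + 1]
        if length < 2 or pos + length > len(payload):
            raise ValueError("bad attribute length")
        value = payload[pos + 2:pos + length]
        pos += length
        if attr_type != ATTR_VENDOR_SPECIFIC:
            attrs.append((attr_type, None, None, value))
            continue
        if len(value) < 6:
            raise ValueError("Vendor-Specific attribute too short")
        vendor_id = struct.unpack("!I", value[:4])[0]
        vpos = 4
        while vpos < len(value):
            if len(value) - vpos < 2:
                raise ValueError("truncated VSA sub-attribute")
            vtype, vlen = value[vpos], value[vpos + 1]
            if vlen < 2 or vpos + vlen > len(value):
                raise ValueError("bad VSA sub-attribute length")
            attrs.append((ATTR_VENDOR_SPECIFIC, vendor_id, vtype, value[vpos + 2:vpos + vlen]))
            vpos += vlen
    return attrs


def access_level(payload: bytes, platform: str):
    """Access level the switch derives from an Access-Accept body.
    platform: 'ers8600' (looks for Bay-Networks VSA 192) or 'ers' (looks for Service-Type).
    Returns None when no recognised attribute is present or its value is not in the table."""
    for attr_type, vendor_id, vtype, value in parse_attrs(payload):
        if platform == "ers8600" and vendor_id == VENDOR_BAY_NETWORKS and vtype == VSA_ERS8XXX_ACCESS_PRIORITY:
            if len(value) != 4:
                raise ValueError("Access-Priority must be a 32-bit integer")
            return ERS8600_LEVELS.get(struct.unpack("!I", value)[0])
        if platform == "ers" and attr_type == ATTR_SERVICE_TYPE and vendor_id is None:
            if len(value) != 4:
                raise ValueError("Service-Type must be a 32-bit integer")
            return ERS_SERVICE_TYPE_LEVELS.get(struct.unpack("!I", value)[0])
    return None


if __name__ == "__main__":
    # Constructed replies: one for the ERS8600 user 8600rw (value 5), one for an ERS5600 read-only user.
    print(access_level(ers8600_access_priority(5), "ers8600"))  # read-write
    print(access_level(ers_service_type(7), "ers"))             # read-only
```

Feeding the bytes to parse_attrs is also a quick way to check a packet capture of the Access-Accept against the policy summary: an ERS8600 that receives only a Service-Type attribute, or an Access-Priority value outside the chart, yields None here and will not get the intended access level.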
2.1.3.2 Add Users

For this configuration example, we will add the following users: 8600ro (read-only-access), 8600rw (read-write-access), and 8600rwa (read-write-all-access).

IDE Step 2 – Enter the user name for read-only-access via User Name: (i.e. 8600ro as used in this example) and enter the password for this user via Password and Confirm Password. Click on OK when done.

IDE Step 3 – Repeat Step 2 by clicking on New to add the read-write-access user. Enter the user name for read-write-access via User Name: (i.e. 8600rw as used in this example) and enter the password for this user via Password and Confirm Password. Click on OK when done.

IDE Step 4 – Repeat Step 2 a final time by clicking on New to add the read-write-all-access user. Enter the user name for read-write-all-access via User Name: (i.e. 8600rwa as used in this example) and enter the password for this user via Password and Confirm Password. Click on OK when done.
2.1.3.3 Add an Access Policy

IDE Step 1 – Go to Site Configuration -> Access Policies -> RADIUS. Right-click RADIUS and select New Access Policy. Enter a policy name (i.e. ERS8600-Access as used in this example) and click on OK when done.

IDE Step 2 – Click on the policy we just created, i.e. ERS8600-Access, and click on Edit via the Authentication Policy tab.

IDE Step 3 – Under the Edit Authentication Policy window, select NONE -> PAP.

Note – With PAP the switch forwards the user's password in the RADIUS User-Password attribute, protected only by the shared secret (RFC 2865 section 5.2). Use a long, random shared secret for each Authenticator and keep the RADIUS traffic on the management network.

IDE Step 4 – Go to the Identity Routing tab and click on Edit.

IDE Step 5 – Check Enable Default Directory Set and click on OK when done.

IDE Step 6 – Go to the Authorization Policy tab and click on Edit.

IDE Step 7 – Once the Edit Authorization Policy window pops up, click on Add. First, we will add a rule for read-only-access. When the New Rule window pops up, we will name the rule read-only-access as shown below.

IDE Step 8 – Click on New to add a new constraint.

IDE Step 9 – For this example, we are simply going to look for the read-only-access user-id. From Attribute Category, select User, scroll down and select user-id. Select Equal To with Format of None and enter the read-only-access user id, i.e. 8600ro as used in this example, in the Static Value window as shown below.
IDE Step 10 – Via Action, select Allow. From the All Outbound Values window, select the outbound value we created previously named 8600ro and click on the less-than arrow to move it to the Provision With window.

IDE Step 11 – Next, we will add a rule for read-write-access. Start by clicking on Add and, when the New Rule window pops up, add an appropriate name for this rule, i.e. read-write-access as used in this example.

IDE Step 12 – Click on New to add a new constraint.

IDE Step 13 – For this example, we are simply going to look for the read-write-access user-id. From Attribute Category, select User, scroll down and select user-id. Select Equal To with Format of None and enter the read-write-access user id, i.e. 8600rw as used in this example, in the Static Value window as shown below.

IDE Step 14 – Via Action, select Allow. From the All Outbound Values window, select the outbound value we created previously named 8600rw and click on the less-than arrow to move it to the Provision With window.

IDE Step 15 – Finally, we will add a rule for read-write-all-access. Start by clicking on Add and, when the New Rule window pops up, add an appropriate name for this rule, i.e. read-write-all-access as used in this example.

IDE Step 16 – Click on New to add a new constraint.

IDE Step 17 – For this example, we are simply going to look for the read-write-all-access user-id. From Attribute Category, select User, scroll down and select user-id. Select Equal To with Format of None and enter the read-write-all-access user id, i.e. 8600rwa as used in this example, in the Static Value window as shown below.

IDE Step 18 – Via Action, select Allow. From the All Outbound Values window, select the outbound value we created above named 8600rwa and click on the less-than arrow to move it to the Provision With window.

IDE Step 19 – When completed, you can view the complete policy by clicking on the Access Policy Summary button.
2.1.3.4 Add the Nortel ERS8600-1 switch as a RADIUS Authenticator

For Ignition Server to process the Nortel switch RADIUS requests, each switch must be added as an Authenticator.

IDE Step 1 – Go to Site Configuration -> Authenticators -> default. For this example, we will create a new container named Nortel Switch by right-clicking default and selecting Add Container.

IDE Step 2 – Go to Site Configuration -> Authenticators -> default -> Nortel Switch and click on New.

IDE Step 3 – Enter the settings as shown below, making sure you select the policy we created previously named ERS8600-Access via Access Policy. Leave Enable Authenticator and Enable RADIUS Access checked. Click on OK when done.
2.1.4 Verification

2.1.4.1 Verify User Authentication

You can test user authentication for the ERS8600 users configured on IDE by entering the user name and password.

Step 1 – Via Ignition Dashboard, select the IP address of the Ignition Server, click on the Troubleshoot tab, go to Directory Service Debugger and select the Auth User tab.

Via Dashboard, verify the following information:

Option | Verify
Results | If successful, Authentication successful should be displayed.

2.1.4.2 Verify user authentication from ERS switch

You can view the authentication details via Ignition Dashboard, which provides extensive details about the device or user.

At minimum, verify the following items:

Option | Verify
Authentication Result | If successful, Authenticated should be displayed. If not, verify the device using the previous step and, if this also fails, verify the Ignition Server configuration.
Authorization Result | If successful, Allow should be displayed. If not, verify the device using the previous step and, if this also fails, verify the Ignition Server configuration.
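The Auth User test and the Dashboard checks above exercise the same PAP exchange the switch performs: the switch hides the password with the shared secret and a random Request Authenticator, and Ignition Server recovers it, checks it, and signs the reply with a Response Authenticator. The following Python script is an added example, not code from this guide or from Ignition Server; it models both sides of that exchange with the RFC 2865 rules and a constructed user table with placeholder passwords. The function names and the sample secrets are assumptions. It is included because two failures look the same at the switch prompt but have different causes: a wrong password, and a shared secret that differs between the Authenticator entry and the switch configuration (the password then decrypts to garbage, so the server rejects, and the reply's Response Authenticator also fails the switch's check).

```python
import hashlib
import hmac
import os
import struct

CODE_ACCESS_REQUEST, CODE_ACCESS_ACCEPT, CODE_ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2

# Constructed user table standing in for the accounts created in 2.1.3.2;
# the passwords are placeholders for this example only.
SAMPLE_USERS = {b"8600ro": b"example-ro-pw", b"8600rw": b"example-rw-pw"}


def _attr(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def _parse_attrs(payload: bytes) -> dict:
    """{type: value} for the attributes in a packet body; the first instance of a type wins."""
    attrs, pos = {}, 0
    while pos < len(payload):
        if len(payload) - pos < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = payload[pos], payload[pos + 1]
        if length < 2 or pos + length > len(payload):
            raise ValueError("malformed attribute length")
        attrs.setdefault(attr_type, payload[pos + 2:pos + length])
        pos += length
    return attrs


def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to a multiple of 16 bytes, then XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    if not 0 < len(password) <= 128:
        raise ValueError("PAP password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Server side of section 5.2; the chaining uses the received (cipher) blocks."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(ident: int, username: bytes, password: bytes, secret: bytes):
    """Switch side: Access-Request with User-Name and hidden User-Password.
    Returns (packet, request_authenticator); the switch keeps the latter to check the reply."""
    req_auth = os.urandom(16)
    attrs = _attr(ATTR_USER_NAME, username) + _attr(ATTR_USER_PASSWORD, hide_password(password, secret, req_auth))
    return struct.pack("!BBH", CODE_ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs, req_auth


def _reply(code: int, ident: int, req_auth: bytes, secret: bytes) -> bytes:
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20)
    return header + hashlib.md5(header + req_auth + secret).digest()


def server_handle(packet: bytes, secret: bytes, users: dict) -> bytes:
    """Server side: recover the PAP password with the shared secret and decide."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != CODE_ACCESS_REQUEST or length != len(packet) or length < 20:
        raise ValueError("not a well-formed Access-Request")
    req_auth, attrs = packet[4:20], _parse_attrs(packet[20:])
    user, hidden = attrs.get(ATTR_USER_NAME), attrs.get(ATTR_USER_PASSWORD, b"")
    if user is None or not hidden or len(hidden) % 16:
        return _reply(CODE_ACCESS_REJECT, ident, req_auth, secret)
    ok = user in users and hmac.compare_digest(reveal_password(hidden, secret, req_auth), users[user])
    return _reply(CODE_ACCESS_ACCEPT if ok else CODE_ACCESS_REJECT, ident, req_auth, secret)


def verify_reply(reply: bytes, req_auth: bytes, secret: bytes) -> bool:
    """Switch side: trust the reply only if its Response Authenticator checks out."""
    header, got, attrs = reply[:4], reply[4:20], reply[20:]
    return hmac.compare_digest(got, hashlib.md5(header + req_auth + attrs + secret).digest())


def switch_login(username: bytes, password: bytes, switch_secret: bytes,
                 server_secret: bytes = None, users: dict = SAMPLE_USERS):
    """One PAP exchange. Returns (accepted, reply_authentic); server_secret lets you
    simulate a shared secret that differs between the switch and the Authenticator entry."""
    server_secret = switch_secret if server_secret is None else server_secret
    request, req_auth = build_access_request(7, username, password, switch_secret)
    reply = server_handle(request, server_secret, users)
    return reply[0] == CODE_ACCESS_ACCEPT, verify_reply(reply, req_auth, switch_secret)


if __name__ == "__main__":
    print(switch_login(b"8600rw", b"example-rw-pw", b"s3cret"))                          # (True, True)
    print(switch_login(b"8600rw", b"example-rw-pw", b"s3cret", server_secret=b"other"))  # (False, False)
```

When the Dashboard shows an Authentication Result other than Authenticated for a user whose password is known to be right, the shared secret on the Authenticator entry (Step 3 of 2.1.3.4) is the first thing to compare against the switch configuration.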
2.2 Part 2: ERS8600 Configuration with Specific Commands Disabled

In this part, we will use the same configuration as the previous example, but we will restrict the read-write ERS8600 user (user name = 8600rw) by denying access to the CLI QoS and Filter configuration commands (“config qos” and “config filter”).

2.2.1 ERS8600 Configuration

Enable the user access profile parameter on the ERS8600.

2.2.2 IDE Setup

2.2.2.1 Configure Outbound attributes to deny ERS8600 CLI commands

Using the same base configuration from the previous step, we will simply add the CLI commands we wish to deny to the read-write user. In this example, this applies only to the user 8600rw.

IDE Step 3 – Via the Outbound Attribute window, type in a name for the attribute to be used to restrict CLI commands (i.e. ERS8600-Command-Access as used in this example), click the VSA radio button, select Bay-Networks via Vendor and ERS8xxx-Command-Access via VSA. Click on OK when done.

IDE Step 4 – Go to Site Configuration -> Provisioning -> Outbound Attributes -> New one more time.

IDE Step 5 – Go to Site Configuration -> Provisioning -> Outbound Values -> New

IDE Step 6 – Using the Outbound Attribute created in Step 3, we will add a value of 0 to restrict CLI command access. Start by entering a name via the Outbound Value Name: window (i.e.

IDE Step 7 – Select the Outbound Attribute name created in Step 3 (i.e. ERS8600-Command-Access as used in this example) via the Choose Global Outbound Attribute: pull-down menu. In the Value Unsigned – 32 bit window, enter 0 (a value of 0 signifies CLI command restriction). Click on OK twice when done.

IDE Step 8 – Go to Site Configuration -> Provisioning -> Outbound Values -> New again to create the outbound value that denies access to the CLI command ‘config qos’. Using the Outbound Attribute created in Step 4, we will add a string value of “config qos”. Start by entering a name via the Outbound Value Name: window (i.e.

IDE Step 9 – Select the Outbound Attribute name created in Step 4 (i.e. ERS8600-Command-List as used in this example) via the Choose Global Outbound Attribute: pull-down menu. In the String window, enter config qos (the CLI command we wish to restrict). Click on OK twice when done.

IDE Step 10 – Go to Site Configuration -> Provisioning -> Outbound Values -> New again to create the outbound value that denies access to the CLI command ‘config filter’. Using the Outbound Attribute created in Step 4, we will add a string value of “config filter”. Start by entering a name via the Outbound Value Name: window (i.e.

IDE Step 11 – Select the Outbound Attribute name created in Step 4 (i.e. ERS8600-Command-List as used in this example) via the Choose Global Outbound Attribute: pull-down menu. In the String window, enter config filter (the CLI command we wish to restrict). Click on OK twice when done.
2.2.2.2 Modify the Authorization Policy for the ERS8600 read-write user

IDE Step 1 – Click on the policy created in the previous example, i.e. ERS8600-Access, and edit its Authorization Policy as in Step 6 of section 2.1.3.3.

IDE Step 2 – Make sure the read-write-access rule is selected and move all three RADIUS attribute values we just created in the previous step from the All Outbound Values window to the Provision With window.

IDE Step 3 – When completed, you can view the complete policy by clicking on the Access Policy Summary button.

2.2.3 Verification

Connect to ERS8600-1 using telnet with the read-write user account.

Note – Telnet carries the user name and password in clear text on the management network; use SSH instead where the switch has it enabled.

ERS8600-1 – Verify operation by typing in some commands

ERS-8606:5# config qos
Permission denied.
ERS-8606:5# config filter
Permission denied.
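As an added example that is not part of this guide, the following Python script models what the three outbound values provisioned on the read-write-access rule mean to the switch: one ERS8600-Command-Access value of 0 that turns restriction on, and one ERS8600-Command-List string per denied command. The attribute names are the outbound attribute names used in this guide; the numeric VSA sub-types are not given on the page, so the model works on names rather than wire encoding. Two things are this example's assumptions about switch behaviour and not statements from the guide: a typed command is refused when its leading words, compared case-insensitively, equal a listed entry (so “config qos” also blocks “config qos policy ...”), and Command-List strings have no effect unless Command-Access = 0 is present.

```python
from dataclasses import dataclass, field

# Outbound attribute names from sections 2.2.2.1 and 2.2.2.2 of this guide.
CMD_ACCESS = "ERS8600-Command-Access"
CMD_LIST = "ERS8600-Command-List"


def provision_rw_rule(deny_commands):
    """Outbound values attached to the read-write-access rule in 2.2.2.2:
    Command-Access = 0 plus one Command-List string per command to deny."""
    values = [(CMD_ACCESS, 0)]
    values.extend((CMD_LIST, cmd) for cmd in deny_commands)
    return values


@dataclass
class CommandPolicy:
    restricted: bool = False                    # set only when Command-Access = 0 is present (assumption)
    denied: list = field(default_factory=list)  # tokenised, lower-cased Command-List entries

    @classmethod
    def from_outbound_values(cls, values):
        """Build the policy the switch would apply from the provisioned (name, value) pairs."""
        policy = cls()
        for name, value in values:
            if name == CMD_ACCESS:
                if value != 0:
                    raise ValueError("only Command-Access value 0 (restrict) is covered by this guide")
                policy.restricted = True
            elif name == CMD_LIST:
                tokens = tuple(str(value).lower().split())
                if tokens:
                    policy.denied.append(tokens)
        return policy

    def permits(self, command: str) -> bool:
        """Assumed matching rule: deny when the command's leading tokens equal a listed entry."""
        if not self.restricted:
            return True
        tokens = tuple(command.lower().split())
        return not any(tokens[:len(entry)] == entry for entry in self.denied)


def cli_session(policy: CommandPolicy, commands):
    """What the read-write user sees for each command (mirrors the verification output above)."""
    return {cmd: ("accepted" if policy.permits(cmd) else "Permission denied.") for cmd in commands}


if __name__ == "__main__":
    policy = CommandPolicy.from_outbound_values(provision_rw_rule(["config qos", "config filter"]))
    for cmd, result in cli_session(policy, ["config qos", "config filter", "config ip", "show qos"]).items():
        print(f"ERS-8606:5# {cmd}\n{result}")
```

If the verification step still lets 8600rw into config qos, the first things to compare against this model are whether the Command-Access = 0 value made it into the rule's Provision With list alongside the two strings, and whether the strings match the command exactly as typed.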
3. ERS5600 Switch Configuration Example

For this configuration example, we will enable RADIUS user authentication on ERS5600-1 using the switch management port.

3.1 ERS5600 Configuration

3.1.1 Enable RADIUS

Up to two RADIUS servers are supported on the ERS5600, 5500, 4500, or 2500 series switches. For this configuration example we will simply configure one RADIUS server.

ERS5698-1 Step 1 – Add RADIUS server, enable RADIUS, and enable RADIUS accounting

5698TFD-1-PWR(config)#radius-server host 47.133.56.
3.2 IDE Setup

3.2.1 Configure an Outbound Attribute on Ignition Server for Service-Type

The following chart displays the outbound attribute values required by the ERS5600, ERS5500, ERS4500, or ERS2500 for each access level using RADIUS attribute type 6 (Service-Type): a value of 7 (NAS-Prompt) grants read-only access and a value of 6 (Administrative) grants read-write access.

IDE Step 2 – Via the Outbound Attribute window, type in a name for the attribute to be used for access priority (i.e. Service-type-ERS as used in this example), click the RADIUS Attribute radio button and select Service-Type.

IDE Step 5 – Using the Outbound Attribute created in Step 2, we will first add a value of 7 (NAS-Prompt) for read-only-access. Start by entering a name via the Outbound Value Name: window (i.e.

IDE Step 6 – Select the Outbound Attribute name created in Step 2 (i.e. Service-type-ERS as used in this example) via the Choose Global Outbound Attribute: pull-down menu. In the Value Unsigned – 32 bit window, enter 7 (a value of 7, NAS-Prompt, signifies read-only-access). Click on OK twice when done.

IDE Step 7 – Go to Site Configuration -> Provisioning -> Outbound Values -> New again to create the outbound value for read-write-access. Using the Outbound Attribute created in Step 2, we will add a value of 6 for read-write-access. Start by entering a name via the Outbound Value Name: window (i.e.

IDE Step 8 – Select the Outbound Attribute name created in Step 2 (i.e. Service-type-ERS as used in this example) via the Choose Global Outbound Attribute: pull-down menu. In the Value Unsigned – 32 bit window, enter 6 (a value of 6, Administrative, signifies read-write-access). Click on OK twice when done.
3.2.2 Add Users

IDE Step 2 – Enter the user name for read-only-access via User Name: (i.e. 5600ro as used in this example) and enter the password for this user via Password and Confirm Password. Click on OK when done.

IDE Step 3 – Repeat Step 2 by clicking on New to add the read-write-access user. Enter the user name for read-write-access via User Name: (i.e. 5600rw as used in this example) and enter the password for this user via Password and Confirm Password. Click on OK when done.
3.2.3 Add Access Policy

IDE Step 1 – Go to Site Configuration -> Access Policies -> RADIUS. Right-click RADIUS and select New Access Policy. Enter a policy name, i.e. ERS-access as used in this example, and click on OK when done.

IDE Step 2 – Click on the policy we just created, i.e. ERS-access, and click on Edit via the Authentication Policy tab.

IDE Step 3 – Under the Edit Authentication Policy window, select NONE -> PAP.

IDE Step 4 – Go to the Identity Routing tab and click on Edit.

IDE Step 5 – Check Enable Default Directory Set and click on OK when done.

IDE Step 6 – Go to the Authorization Policy tab and click on Edit.

IDE Step 7 – Once the Edit Authorization Policy window pops up, click on Add. First, we will add a rule for read-only. When the New Rule window pops up, we will name the rule read-only as shown below.

IDE Step 8 – Click on New to add a new constraint.

IDE Step 9 – For this example, we are simply going to look for the read-only user-id. From Attribute Category, select User, scroll down and select user-id. Select Equal To with Format of None and enter the read-only-access user id, i.e. 5600ro as used in this example, in the Static Value window as shown below.

IDE Step 10 – Via Action, select Allow. From the All Outbound Values window, select the outbound value we created above named ERSro and click on the less-than arrow to move it to the Provision With window.

IDE Step 11 – Next, we will add a rule for read-write-access. Start by clicking on Add and, when the New Rule window pops up, add an appropriate name for this rule, i.e. read-write as used in this example.

IDE Step 12 – Click on New to add a new constraint.

IDE Step 13 – For this example, we are simply going to look for the read-write user-id. From Attribute Category, select User, scroll down and select user-id. Select Equal To with Format of None and enter the read-write user id, i.e. 5600rw as used in this example, in the Static Value window as shown below.

IDE Step 14 – Via Action, select Allow. From the All Outbound Values window, select the read-write outbound value we created above (Service-Type 6) and click on the less-than arrow to move it to the Provision With window.

IDE Step 15 – When completed, you can view the complete policy by clicking on the Access Policy Summary button.
3.2.4 Add the Nortel ERS5600-1 switch as a RADIUS Authenticator
For Ignition Server to process the Nortel switch RADIUS requests, each switch must be added as an Authenticator; requests from an address that is not a registered Authenticator are not processed.
IDE Step 1 – Go to Site Configuration -> Authenticators -> default. For this example, create a new container named Nortel Switch by right-clicking default and selecting Add Container.
IDE Step 2 – Go to Site Configuration -> Authenticators -> default -> Nortel Switch and click on New.
IDE Step 3 – Enter the settings as shown below, making sure you select the access policy created above, named ERS-access, via Access Policy. The RADIUS shared secret entered here must match the one configured on the switch. Leave Enable Authenticator and Enable RADIUS Access checked. Click on OK when done.
3.3 Verification
3.3.1 Verify User Authentication
You can test authentication of the ERS5600 users configured on IDE by submitting their user name and password from the Ignition Dashboard.
Step 1 – Via Ignition Dashboard, select the IP address of the Ignition Server, click on the Troubleshoot tab, go to Directory Service Debugger and select the Process Request tab.
3.3.2 Verify user authentication from ERS switch
After a user has logged in to the switch, you can view the authentication details via Ignition Dashboard, which provides extensive detail about the device or user.
Step 1 – In Dashboard, select the IP address of the Ignition Server, click on the Monitor tab, go to Log Viewer and select the Access tab. Locate the message for a valid user, right-click the message and select Access Record Details.
At minimum, verify the following items:
Authentication Result – If successful, Authenticated should be displayed. If not, re-test the user with the previous step (3.3.1) and, if this also fails, verify the Ignition Server configuration.
Authorization Result – If successful, Allow should be displayed. If not, re-test the user with the previous step (3.3.1) and, if this also fails, verify the Ignition Server configuration.
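The Dashboard checks above show the server's view of a login. The following script is an added example, not part of this Nortel guide or of Identity Engines, that performs the same verification at the protocol level: it builds the RADIUS Access-Request a switch would send for the example accounts (RFC 2865, PAP), answers it with an in-process stand-in for Ignition Server, and then authenticates the reply's Response Authenticator before trusting the Accept/Reject code. Everything is constructed for offline use: the shared secret, the NAS address 192.168.10.20, the passwords, and the assumption that the read-only and read-write outbound values carry Service-Type 7 (NAS-Prompt-User) and 6 (Administrative-User) are this example's, not values stated in the guide.

```python
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, SERVICE_TYPE = 1, 2, 4, 6
SERVICE_TYPE_NAMES = {6: "Administrative-User", 7: "NAS-Prompt-User"}  # RFC 2865 section 5.6


def encode_password(password, secret, authenticator):
    """RFC 2865 5.2: NUL-pad to 16-octet blocks, XOR each with MD5(secret + previous block)."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out


def decode_password(hidden, secret, authenticator):
    """Inverse of encode_password (server side); trailing NULs are padding, not password."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def encode_attrs(attrs):
    """Type-Length-Value encoding; Length includes the two header octets, so values cap at 253."""
    if any(len(v) > 253 for _, v in attrs):
        raise ValueError("attribute value too long")
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data):
    """Parse TLVs; a Length under 2 or running past the packet end is malformed and rejected."""
    attrs, i = [], 0
    while i < len(data):
        if len(data) - i < 2 or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute at offset %d" % i)
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs


def build_access_request(ident, secret, username, password, nas_ip, authenticator=None):
    """NAS side. The 16-octet Request Authenticator must be fresh and unpredictable per request."""
    authenticator = authenticator or os.urandom(16)
    attrs = encode_attrs([(USER_NAME, username.encode()),
                          (USER_PASSWORD, encode_password(password.encode(), secret, authenticator)),
                          (NAS_IP_ADDRESS, socket.inet_aton(nas_ip))])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs, authenticator


def build_response(code, ident, secret, request_authenticator, attrs):
    """Server side. Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return header + hashlib.md5(header + request_authenticator + body + secret).digest() + body


def verify_response(packet, expected_ident, secret, request_authenticator):
    """NAS side. Reject short, mismatched or forged replies before trusting the Code field."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or ident != expected_ident:
        raise ValueError("length or identifier mismatch")
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:] + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("bad Response Authenticator: wrong shared secret or forged reply")
    return code, decode_attrs(packet[20:])


# Constructed stand-in for Ignition Server's user store and outbound values. Mapping read-only to
# Service-Type 7 and read-write to 6 is this example's assumption, not something the guide states.
ACCOUNTS = {"5600ro": (b"ro-Passw0rd", struct.pack("!I", 7)), "5600rwa": (b"rwa-Passw0rd", struct.pack("!I", 6))}


def simulated_server(request, secret):
    """Decode the request, check credentials, answer Access-Accept (with Service-Type) or Reject."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    if code != ACCESS_REQUEST or length != len(request):
        raise ValueError("not a well-formed Access-Request")
    req_auth, attrs = request[4:20], dict(decode_attrs(request[20:]))
    user = attrs.get(USER_NAME, b"").decode(errors="replace")
    password = decode_password(attrs.get(USER_PASSWORD, b""), secret, req_auth)
    if user in ACCOUNTS and hmac.compare_digest(password, ACCOUNTS[user][0]):
        return build_response(ACCESS_ACCEPT, ident, secret, req_auth, [(SERVICE_TYPE, ACCOUNTS[user][1])])
    return build_response(ACCESS_REJECT, ident, secret, req_auth, [])


def check_login(username, password, secret=b"example-shared-secret", nas_ip="192.168.10.20"):
    """Offline round trip: returns (code, Service-Type name or None) after authenticating the reply."""
    ident = 0x2A
    request, req_auth = build_access_request(ident, secret, username, password, nas_ip)
    code, attrs = verify_response(simulated_server(request, secret), ident, secret, req_auth)
    service = dict(attrs).get(SERVICE_TYPE)
    return code, (SERVICE_TYPE_NAMES.get(struct.unpack("!I", service)[0]) if service else None)


if __name__ == "__main__":
    for user, pw in (("5600ro", "ro-Passw0rd"), ("5600rwa", "rwa-Passw0rd"), ("5600ro", "wrong")):
        print(user, check_login(user, pw))
```

To run the same check against a live server, wrap build_access_request and verify_response around a UDP socket to port 1812; Ignition Server answers only hosts registered as Authenticators (section 3.2.4) with a matching shared secret, so a silent timeout usually means the sending address or secret is wrong rather than the credentials. Note that the User-Password hiding is reversible by anyone holding the shared secret, so the strength of that secret and keeping RADIUS traffic on the management network matter as much as the user passwords themselves.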
4. Software Baseline
Product: Identity Engines
Minimum Software Level: 6.0

5. Reference Documentation
Document Title
Identity Engines Ignition Server, Release 6.0 – Document Collection
Nortel Ethernet Routing Switch 2500 Series Release 4.1 Document Collection
Nortel Ethernet Routing Switch 4500 Series Release 5.1 Document Collection
Nortel Ethernet Routing Switch 5500 Series Release 5.
Contact us
If you purchased a service contract for your Nortel product from a distributor or authorized reseller, contact the technical support staff for that distributor or reseller for assistance. If you purchased a Nortel Networks service program, contact Nortel Technical Support. To obtain contact information online, go to www.nortel.com/contactus.