Ethernet Routing Switch 2500, 4500, 5000
Engineering > Management Access Security for ERS 2500, ERS 4500, and ERS 5000
Technical Configuration Guide
Avaya Data Solutions
Document Date: May 31, 2010
Document Number: NN48500-594
Document Version: 1.0...
2500, 4500, and 5000 securely for management purposes. This document covers accessing the switch using telnet, HTTP, SSL, SSH, and SNMP.

Revision Control
Date        Version   Revised by   Remarks
05/19/2010            PRMGT        Modifications to Software Baseline section

Avaya Inc. – External Distribution...
Italic text in a Courier New font indicates text the user must enter or select in a menu item, button or command:
ERS5520-48T# show running-config
Output examples from Avaya devices are displayed in a Lucida Console font:
ERS5520-48T# show running-config
! Embedded ASCII Configuration Generator Script
! Model = Ethernet Routing Switch 5520-24T-PWR
! Software version = v5.0.0.011...
1. Overview On an ERS 2500, ERS 4500, or ERS 5000 series switch, there is no access security enabled by default. This allows a user to access the switch either via the local serial port, HTTP (WEB), or via Telnet without any user name or password protection.
By default all stackable switches will attempt to obtain an IP management address if one has not been configured. The ERS 4500 and ERS 5000 support both bootp and DHCP, while the ERS 2500 supports bootp. Layer 3 method assuming the Management VLAN is 200...
3. Local password protection
CLI/WEB Password Protection
By default, on the ERS 2500, ERS 4500, or ERS 5000 series switch, serial port and telnet/web access is allowed without any password protection. The following command displays the various password options available.
The switch can be configured to store up to 10 previously used passwords. Passwords remain in the password history, and cannot be reused, until they age out of the history table.
Password update verification
Any password change must be verified by typing the new
Any time a password is displayed or entered in NNCLI, each character of the password is displayed as an asterisk (*).
Password security factory default
By default, password security is enabled on the SSH software image and disabled on the non-SSH software image.
  ssh     Enable IP Manager control over SSH sessions.
  telnet  Enable IP Manager control over TELNET sessions.
  web     Enable IP Manager control over WEB connections.
ERS-Stackable(config)# ipmgr source-ip ?
  <1-50>    Select which address/mask pair
  <51-100>  Select which ipv6 address/prefix
RADIUS server. The ERS 5000, ERS 4500, and ERS 2500 each support two different user access levels which are read-only and read-write with support for up to two RADIUS servers. RADIUS attribute type 6, Service-Type, is used to determine the access level.
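The following Python program is an added worked example (not Avaya code, not part of this guide) of the check a RADIUS client such as the switch has to perform before acting on Service-Type: it rebuilds an Access-Accept the way the server signs it, verifies the Response Authenticator with the shared secret, and only then reads attribute 6. The shared secret avaya, the fixed Request Authenticator and all packets are constructed here; the value 6 (Administrative) for read-write is the one this guide uses, while mapping 7 (NAS-Prompt) to read-only is an assumption made for the example.

```python
"""Added example for this guide (not Avaya code): verify a RADIUS reply and
derive the switch access level from attribute 6 (Service-Type).

Constructed inputs: shared secret b"avaya" (the key in the guide's
radius-server example) and a fixed 16-byte Request Authenticator.
6 (Administrative) -> read-write is the value the guide gives;
7 (NAS-Prompt) -> read-only is assumed here for illustration.
"""
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
ACCESS_REJECT = 3
ATTR_SERVICE_TYPE = 6

SERVICE_TYPE_TO_ACCESS = {
    6: "read-write",  # Administrative: value shown in the guide
    7: "read-only",   # NAS-Prompt: assumed here, not stated in the guide
}

SECRET = b"avaya"                 # constructed, mirrors the guide's example
REQUEST_AUTH = bytes(range(16))   # constructed; a real client draws 16 random bytes per request


def encode_attrs(attrs):
    """Encode [(type, value_bytes), ...] as RADIUS TLVs (type, length, value)."""
    out = bytearray()
    for attr_type, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", attr_type, len(value) + 2) + value
    return bytes(out)


def build_response(code, ident, request_auth, attrs, secret):
    """Server side (RFC 2865): Response Authenticator is
    MD5(Code | ID | Length | RequestAuth | Attributes | Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body


def parse_attrs(data):
    """Walk the TLV list, refusing truncated or zero-length entries."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length")
        attrs.append((attr_type, data[i + 2:i + length]))
        i += length
    return attrs


def verify_response(packet, request_auth, secret):
    """Client (switch) side: check framing and the Response Authenticator
    before trusting any attribute. Returns (code, id, attrs) or None."""
    if len(packet) < 20:
        return None
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return None
    body = packet[20:]
    expected = hashlib.md5(packet[:4] + request_auth + body + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        return None  # wrong secret, spoofed reply, or tampered attributes
    try:
        return code, ident, parse_attrs(body)
    except ValueError:
        return None


def access_level(packet, request_auth, secret):
    """Return 'read-write', 'read-only' or None (deny)."""
    parsed = verify_response(packet, request_auth, secret)
    if parsed is None:
        return None
    code, _ident, attrs = parsed
    if code != ACCESS_ACCEPT:
        return None
    for attr_type, value in attrs:
        if attr_type == ATTR_SERVICE_TYPE and len(value) == 4:
            return SERVICE_TYPE_TO_ACCESS.get(struct.unpack("!I", value)[0])
    return None  # in this model an Accept without a usable Service-Type grants nothing


def demo():
    """Three replies: a valid read-write Accept, the same Accept with a
    tampered Service-Type, and an Accept signed with the wrong secret."""
    rw = [(ATTR_SERVICE_TYPE, struct.pack("!I", 6))]
    good = build_response(ACCESS_ACCEPT, 0x2A, REQUEST_AUTH, rw, SECRET)
    tampered = bytearray(good)
    tampered[-1] = 7  # flip Service-Type 6 -> 7 without re-signing
    spoofed = build_response(ACCESS_ACCEPT, 0x2A, REQUEST_AUTH, rw, b"guess")
    return (access_level(good, REQUEST_AUTH, SECRET),
            access_level(bytes(tampered), REQUEST_AUTH, SECRET),
            access_level(spoofed, REQUEST_AUTH, SECRET))


if __name__ == "__main__":
    print(demo())
```

Only the first reply yields an access level; the tampered and the wrongly-keyed replies fail the authenticator check and are treated as no answer at all, which is the behaviour to expect from the switch when the key on the radius-server host line does not match the server's.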
Hence, it is recommended that you set up an account with the user name avaya and a blank password on your RADIUS server to avoid invalid RADIUS user login messages. Because this account exists only to satisfy the reachability check, restrict it on the RADIUS server so that it grants no access to the switch. The following command is used to configure the reachability setting: ...
IP address for all RADIUS requests independent of the out-going interface. To enable RADIUS Management IP, enter the following command:
ERS-Stackable(config)# radius use-management-ip
5.3 RADIUS Password Configuration Example
5.3.1 Ethernet Routing Switch Configuration
Up to two RADIUS servers are supported on the ERS 5000, ERS 4500, or ERS 2500 series switches. For this configuration example we will simply configure one RADIUS server.
ERS-STACKABLE: Step 1 – Add RADIUS server, enable RADIUS, and enable RADIUS accounting
ERS-Stackable(config)# radius-server host 172.168.100.50 key avaya...
Assuming we are using Identity Engines Ignition Server as the RADIUS server, please follow the configuration steps below. The following chart displays the outbound attribute values required by the ERS 5000, ERS 4500, or ERS 2500 for each access level using RADIUS attribute type 6 (Service-Type).
Choose Global Outbound Attribute: pull down menu. In the Value Unsigned – 32 bit window, enter 6 (a value of 6 signifies Administrative, used for read-write access). Click on OK twice when done.
User Name: and enter the password for this user via Password and Confirm Password. Click on OK when done. If you wish, you can also change the expiry date via Password Expires if you do not wish to use the default setting of one year.
All Outbound Values window, select the output attribute we created above named ERSrwa and click on the less-than (<) arrow to move the attribute to the Provision With window. When completed, you can view the complete policy by clicking on the Access Policy Summary button.
Go to Site Configuration -> Authenticators -> default -> Nortel Switch and click on New. Enter the settings as shown below making sure you select the policy we created above named ERS-access via Access Policy. Leave Enable Authenticator and Enable RADIUS Access checked. Click on OK when done.
6. TACACS+ The ERS 5000, ERS 4500, and ERS 2500 all support a TACACS+ client. TACACS+ provides management of users who access the switch through Telnet, serial, and SSHv2 (password authentication) connections using Transmission Control Protocol (TCP). TACACS+ supports users only on the CLI interface.
Non-Specified Argument of Allow as shown below for the access level 10 "user10" user. Click on OK when done. For the access level 15 user, we will simply use the default all-commands Device Command Set.
Allow Commands in Set window. Next, click on the Session Values tab, check Privilege Level and enter 15. Click on OK when done. When completed, you can view the complete policy by clicking on the Access Policy Summary button.
For example, we will create a new container named Avaya Switch by right clicking default and selecting Add Container. Go to Site Configuration -> Authenticators -> default -> Avaya Switch and click on New. Enter a name for the switch via Name, add the switch IP address via IP Address, select Wired under Authenticator Type, select Nortel via Vendor, select ers-switches-nortel via Device Template and remove the default check via Enable RADIUS Access.
7. SSHv2 The ERS 2500, ERS 4500, and ERS 5000 support Secure Shell (SSH). SSH is a client/server protocol for secure remote login and other secure network services over an insecure network. It is essentially a replacement for telnet which is insecure because of its weak authentication method and unencrypted data exchange.
ERS-Stackable(config)# cli password stack read-write rwonlypasswd
ERS-STACKABLE: Step 2 – Enable secure mode
ERS-Stackable(config)# ssh secure
Enable secure mode will cut off all remote access. Telnet, snmp and web will be disabled.
Are you sure (y/n) ? y
Putty: Step 3 – Open up Putty and go to Session -> Host Name (or IP address), enter the IP address of the switch, select SSH, and click on Open when done.
No to accept this fingerprint but not save it.
Putty: Step 3 – Enter login credentials, i.e. user name = RW or RO and the appropriate password, assuming the default user names are used.
Puttygen: Step 1 – Run Puttygen and select SSH-2 DSA key with 1024 bits and click on Generate to create both a public and private key. The public key will be uploaded to the switch. You will be prompted to move your mouse to create the key. Note that 1024-bit DSA is considered weak by current standards and recent OpenSSH releases disable ssh-dss by default, so an OpenSSH client has to re-enable it explicitly; PuTTY, as used here, still offers it.
ERS-STACKABLE: Step 3 – Copy the public key to the ERS switch using the public key name you entered in the step above, i.e. erskey.pub. SSH must first be disabled, if enabled, in order to download the key.
ERS-Stackable(config)# no ssh
ERS-Stackable(config)# ssh download-auth-key address 47.132.2.13 key-name erskey.pub
ERS-STACKABLE: Step 4 – Disable SSH password authentication and then re-enable SSH. Once password authentication is off, only holders of an uploaded key can log in over SSH, so keep the serial console available while testing.
ERS-Stackable(config)# no ssh pass-auth
ERS-Stackable(config)# ssh
Putty: Step 4 – Open up Putty, scroll down to SSH -> Auth and select the private key generated above by clicking on the Browse button.
Putty: Step 5 – Go to Session -> Host Name (or IP address), enter the IP address of the switch, select SSH, and click on Open when done.
Putty: Step 6 – Enter any user name you like when prompted with the login as prompt and enter the DSA key passphrase from the DSA key you generated above.
Also, TACACS+ cannot be enabled if you wish to enable HTTP access. Please see the Telnet password protection section above, using either local authentication or RADIUS authentication, if you wish to provide user name and password protection for WEB access.
SSL certificates are issued and signed by a Certificate Authority (CA) such as VeriSign. Because the management and cost of purchasing a certificate from a CA is a client concern, Avaya issues and signs the SSL certificate with the understanding that it is not a recognized CA. Browsers will therefore warn that the certificate is untrusted; verify its fingerprint against the switch before accepting it, since otherwise the warning cannot be told apart from an interception attempt.
To enable IP Manager control for WEB SSL access, enter the following commands, using the IPv4 or the IPv6 form depending on the addressing in use. Make sure the list already contains the source addresses of your management stations before enabling control for a protocol, because any source that matches no entry is denied:
ERS-Stackable(config)# ipmgr source-ip <1-50> <IPv4 address/mask>
ERS-Stackable(config)# ipmgr source-ip <51-100> <IPv6 address/prefix>
ERS-Stackable(config)# ipmgr web
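The following Python program is an added example (not Avaya code, not part of this guide) that models the IP Manager source-ip list so an intended configuration can be checked before it is committed to the switch. It assumes, as the CLI help shows, that entries 1-50 hold IPv4 address/mask pairs and 51-100 IPv6 address/prefix pairs; it further assumes that a protocol ipmgr has not been enabled for is reachable from any source and that an empty list admits every source. The entries and probe addresses are constructed.

```python
"""Added example for this guide (not Avaya code): model the ipmgr source-ip
allow list and audit which management sources it admits.

Assumptions: slots 1-50 are IPv4 address/mask, 51-100 IPv6 address/prefix
(as the CLI help in the guide shows); a protocol ipmgr is not enabled for
is open to any source; an empty list admits every source.
"""
import ipaddress

IPV4_SLOTS = range(1, 51)
IPV6_SLOTS = range(51, 101)
CONTROLLABLE = {"telnet", "ssh", "web", "snmp"}


def build_table(entries):
    """entries: [(slot, 'address/mask-or-prefix'), ...] -> {slot: network}.
    Rejects slots outside 1-100 and an address family in the wrong slot
    range, which the switch CLI would also refuse."""
    table = {}
    for slot, text in entries:
        net = ipaddress.ip_network(text, strict=False)
        if slot in IPV4_SLOTS:
            wanted = 4
        elif slot in IPV6_SLOTS:
            wanted = 6
        else:
            raise ValueError(f"slot {slot} outside 1-100")
        if net.version != wanted:
            raise ValueError(f"slot {slot} takes IPv{wanted}, got {text}")
        table[slot] = net
    return table


def is_allowed(table, enabled, protocol, source):
    """Would a management connection over `protocol` from `source` be
    admitted? `enabled` is the set of protocols ipmgr is turned on for."""
    if protocol not in CONTROLLABLE:
        raise ValueError(f"unknown protocol {protocol}")
    if protocol not in enabled:
        return True   # ipmgr not applied to this protocol
    if not table:
        return True   # assumed: no entries means no source restriction
    addr = ipaddress.ip_address(source)
    # An IPv6 source is never matched by an IPv4 entry (and vice versa):
    # a list with only IPv4 entries silently shuts out all IPv6 managers.
    return any(addr in net for net in table.values() if net.version == addr.version)


def audit(table, enabled, probes):
    """Evaluate (protocol, source) probes; return the ones that would be denied."""
    return [(p, s) for p, s in probes if not is_allowed(table, enabled, p, s)]


# Constructed configuration: one IPv4 management subnet, one IPv6 host,
# with ipmgr enabled for SSH and WEB but not (yet) Telnet.
SAMPLE_ENTRIES = [(1, "10.10.20.0/255.255.255.0"), (51, "2001:db8:1::10/128")]
SAMPLE_ENABLED = {"ssh", "web"}


def demo():
    table = build_table(SAMPLE_ENTRIES)
    probes = [
        ("ssh", "10.10.20.44"),       # inside the management subnet
        ("ssh", "10.10.21.44"),       # outside it
        ("web", "2001:db8:1::10"),    # the one permitted IPv6 host
        ("web", "2001:db8:1::11"),    # neighbouring host, denied
        ("telnet", "192.0.2.9"),      # ipmgr telnet not enabled: admitted
    ]
    return audit(table, SAMPLE_ENABLED, probes)


if __name__ == "__main__":
    for protocol, source in demo():
        print(f"DENIED {protocol} from {source}")
```

The last probe is the point worth noticing: a source list only restricts the protocols ipmgr has been enabled for, so a tidy source-ip table does nothing for Telnet until ipmgr telnet is issued as well.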
To change the SNMP read-only community string, enter one of the following forms (the second takes the string at a hidden prompt, so it is not echoed to the terminal or left in its scrollback):
ERS-Stackable(config)# snmp-server community <enter ro string> ro
ERS-Stackable(config)# snmp-server community ro
Enter community string: <enter ro string>
Confirm community string: <enter ro string>
The read-write community string is changed the same way using rw in place of ro.
Trap #4
IP Address: 0.0.0.0
Community String: ***************
Authentication Trap: Enabled
AutoTopology: Enabled

10.3 SNMP MIB View
To add a new SNMP MIB view, enter the following command:
ERS-Stackable(config)# snmp-server view <view name> <oid .. oid>
SNMP server community string(s) should be defined first, supporting a notify view, using the NNCLI syntax:
snmp-server community read-view <view name> write-view <view name> notify-view <view name>
2526T-10(config)# default snmp-server name
2526T-PWR(config)#

10.6 Disable SNMPv1 and SNMPv2
SNMPv1 and SNMPv2 access can be disabled by removing the read-write and read-only community strings with the following commands:
ERS-Stackable(config)# no snmp-server community rw
ERS-Stackable(config)# no snmp-server community ro
By default, there is an authNoPriv account with the user name initial and the MD5 password initial. Because these are well-known values, delete this account before the switch goes into service by issuing the command no snmp-server user initial.
Note: In this configuration, restricted contains a smaller subset of views than the internet view. The subsets are defined according to RFC 3415 Appendix A.
<very-secure> Specifies a maximum security configuration that allows no access to the users.
ERS-Stackable(config)# snmp-server view no_ip +1.3 -1.3.6.1.4.1.2272.1.8
ERS-STACKABLE: Step 4 – Create a new community named noipreadwrite with the write view created above named no_ip
ERS-Stackable(config)# snmp-server community write-view no_ip
Enter community string: ***** (noipreadwrite)
Confirm community string: ***** (noipreadwrite)
RO AC +1.3.6.1.6.3.10
RO AC +1.3.6.1.6.3.12
RO AC +1.3.6.1.6.3.13
RO AC +1.3.6.1.6.3.1.1.4
RO AC +1.3.6.1.6.3.1.1.5
---------------------------------------------------------------------------
webSnmpObjs
RO AC +1.3
RO AC +1.0.8802.1.1.1
RO AC +1.0.8802.1.1.2
RO AC +1.2.840.10006.300.43
---------------------------------------------------------------------------
If using EDM, you can use it to perform a MIB walk as shown below. Open up a browser connection and enter the management IP address of your switch. The result shown below shows the MIB object ID for IP.
Result:
Confirm 3Des pass-phrase: *********** (despasswdrw)
The SNMP view name used in this example is one of the default MIB views on the Ethernet Routing Switch, which can be listed by entering the CLI command show snmp-server view.
Storage Type: Non Volatile (NVRAM)
Status: Active
Views for Unauthenticated Access:
  Read View: restricted
  Write View:
  Notify View: restricted
Views for Authenticated Access:
  Read View: internet
  Write View: internet
  Notify View: internet
---------------------------------------------------------------------------
User Name: templateMD5
SNMP Engine ID: Local
Authentication Protocol:
Privacy Protocol: None
Storage Type: Non Volatile (NVRAM)
Status: Active
Views for Unauthenticated Access:
  Read View:
  Write View:
  Notify View:
Views for Authenticated Access:
  Read View:
  Write View:
  Notify View:
---------------------------------------------------------------------------
10.10 SNMP Trap Notification Control
SNMP Trap functionality on the ERS 4500 5.4, ERS 2500 4.3, and ERS 5000 6.2 is changed to align all SNMP trap control to the 'notification control' method. Before these releases, only the following functions on the Ethernet Routing Switch used the notification control method: DHCP Snooping, Dynamic ARP Inspection (DAI) and IP Source Guard (IPSG).
To add a notification filter and apply it to an SNMP trap host, enter the following commands, assuming an SNMPv1 trap receiver is used:
ERS-Stackable(config)# snmp-server notify-filter <filter name> <notification name or OID>
ERS-Stackable(config)# snmp-server host <IPv4 or IPv6 address> v1 <SNMPv1 community string> filter <filter name>
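The following Python program is an added example (not Avaya code, not part of this guide) that evaluates include/exclude subtree lists of the kind built both by snmp-server view in section 10.3 (the no_ip write view above, +1.3 -1.3.6.1.4.1.2272.1.8) and by snmp-server notify-filter here. Both follow the VACM selection rule of RFC 3415 (vacmViewTreeFamilyTable), which the RFC 3413 notification filter reuses: of all entries whose subtree is a prefix of the object's OID, the most specific one decides, and an OID no entry covers is outside the view. Subtree masks (wildcarding) are not modelled. The filter strings and OIDs below are constructed; 1.3.6.1.4.1.2272.1.8 is the subtree the guide's no_ip view excludes.

```python
"""Added example for this guide (not Avaya code): evaluate SNMP view and
notify-filter entries of the form '+oid' / '-oid' against object OIDs.

Rule (RFC 3415 VACM, reused by RFC 3413 notification filters): the most
specific entry whose subtree is a prefix of the OID decides; no match
means the OID is not in the view. Masks are not modelled.
"""


def parse_oid(text):
    """'1.3.6.1.2.1' or '.1.3.6.1.2.1' -> (1, 3, 6, 1, 2, 1)."""
    text = text.strip().lstrip(".")
    if not text:
        raise ValueError("empty OID")
    return tuple(int(part) for part in text.split("."))


def parse_view(spec):
    """'+1.3 -1.3.6.1.4.1.2272.1.8' -> [(subtree_tuple, included), ...]."""
    entries = []
    for token in spec.split():
        if token[:1] not in ("+", "-"):
            raise ValueError(f"view entry must start with + or -: {token!r}")
        entries.append((parse_oid(token[1:]), token[0] == "+"))
    return entries


def in_view(entries, oid):
    """True if `oid` (string) is visible through `entries`.
    Prefix tests are on sub-identifier tuples, not on strings: the text
    '1.3.6.1.4.1.2272.1.8' is a string prefix of '1.3.6.1.4.1.2272.1.80'
    but not a subtree of it, a classic bug in hand-rolled filters."""
    target = parse_oid(oid)
    best = None
    for subtree, included in entries:
        if len(subtree) <= len(target) and target[:len(subtree)] == subtree:
            if best is None or len(subtree) > len(best[0]):
                best = (subtree, included)
    return best is not None and best[1]


def filter_oids(spec, oids):
    """Apply a view or notify-filter spec to OIDs, keeping those allowed."""
    entries = parse_view(spec)
    return [oid for oid in oids if in_view(entries, oid)]


# Constructed: the guide's no_ip write view, and a notify filter that blocks
# every enterprise trap except one re-included subtree (OIDs constructed).
NO_IP_VIEW = "+1.3 -1.3.6.1.4.1.2272.1.8"
TRAP_FILTER = "+1.3.6.1.6.3.1.1.5 -1.3.6.1.4.1 +1.3.6.1.4.1.2272.1.21"


def demo():
    writable = filter_oids(NO_IP_VIEW, [
        "1.3.6.1.2.1.1.5.0",            # sysName: under +1.3, writable
        "1.3.6.1.4.1.2272.1.8.1.1.0",   # inside the excluded subtree
        "1.3.6.1.4.1.2272.1.80.1",      # sibling a string-prefix check would wrongly drop
        "1.0.8802.1.1.2.1.1.1.0",       # LLDP, not under 1.3 at all
    ])
    sent = filter_oids(TRAP_FILTER, [
        "1.3.6.1.6.3.1.1.5.3",          # linkDown: generic trap, passes
        "1.3.6.1.4.1.2272.1.21.0.1",    # re-included enterprise subtree (constructed)
        "1.3.6.1.4.1.2272.1.8.0.1",     # other enterprise trap, filtered
    ])
    return writable, sent


if __name__ == "__main__":
    w, s = demo()
    print("writable through no_ip:", w)
    print("sent through filter:   ", s)
```

Run against a list of the OIDs you actually need to write or receive, this turns a view definition into a yes/no table before anything is typed into the switch; the third probe in the demo is the reason to compare sub-identifiers rather than text.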