Instruction Manual Console server NS-2250 Before using this console server, carefully read this instruction manual so you can use the console server correctly. After reading this manual, store it in a safe place so it can be accessed easily when necessary.
Ethernet is a registered trademark of Fuji Xerox Co., Ltd. Seiko Solutions Inc. is not responsible for damages caused by this manual or the use of products described in this manual or the expenses necessary to compensate for such damages.
Introduction Thank you for purchasing the SmartCS NS-2250 console server (hereinafter referred to as the NS-2250). This document is the instruction manual for the NS-2250. This manual describes the specifications, operation methods, maintenance methods, and other information of the NS-2250, for IT professionals who must remotely configure and manage network equipment with serial ports.
Safety precautions Before using the NS-2250, carefully read these safety precautions so you can use the console server safely. In this manual, the following symbols are used to call your attention to precautions so that you can use the NS-2250 safely and prevent damage to equipment. The following table shows the meaning of these symbols.
Warning Do not disassemble or modify the NS-2250. Doing so can result in heat generation, fire, electric shock, or malfunction. Do not remove the metal cover of the NS-2250. There are no user-serviceable parts inside. Doing so can result in heat generation, fire, electric shock, or malfunction. Never use this console server in a location of extremely high humidity or a location in which it may be exposed to water or other liquids.
Caution Never perform the following actions. These actions can cause fire, electric shock, accident, or malfunction. ◆ Do not place objects on the NS-2250. ◆ Do not apply impact to the NS-2250 with blows or other similar actions. ◆ Do not place the NS-2250 in an unstable location. ◆...
Handling precautions ● Never perform the following actions. They can result in malfunction of the NS-2250 or USB memory or corrupt the contents of the USB memory. ・ While the STATUS 4 light is on, do not remove the USB memory. If the USB memory is removed during operation, the operation of the NS-2250 is not guaranteed.
Third-party software licenses Parts of the software of the NS-2250 use the following software. For details of the licenses of the following software, see Appendix D, “Third-party software licenses”. SysVinit SysVinit-tools bootlogd busybox dropbear e2fsprogs eglibc ethtool freeradius kernel libcap libgcc libpcap linux...
Table of contents Chapter 1 Overview of the NS-2250 Features and main functions 1.1.1 Features 1.1.2 Main functions Part names 1.2.1 Front of NS-2250 1.2.2 Rear of NS-2250 Interface specifications Chapter 2 Functions Port server functions 2.1.1 Overview of port server functions 2.1.2 Connect to a port server (Direct mode) 2.1.3...
Chapter 3 Configuration procedures Start, check, and stop the NS-2250 3.1.1 Insert a USB memory 3.1.2 Connect a device management terminal 3.1.3 Start the NS-2250 3.1.4 Check the NS-2250 3.1.5 Stop the NS-2250 Set up the NS-2250 3.2.1 Log in and log out 3.2.2 Use the CLI...
4.6.1 Register and delete users 4.6.2 Configure user passwords 4.6.3 Configure the RADIUS authentication / accounting function 4.6.4 Configure the TACACS+ function 4.6.5 Configure the telnet server 4.6.6 Configure the SSH server 4.6.7 Control access to servers Configure operation management...
5.2.7 Transfer startup files via FTP server 5.2.8 Transfer startup files via FTP client 5.2.9 Transfer startup files via TFTP client View console logs Manage the NS-2250 via SNMP Manage system software 5.5.1 Switch the system software to be started 5.5.2 Copy system software...
Appendix A User privileges A.1 User privileges list Appendix B Examples of attributes and RADIUS authentication / accounting server settings RADIUS authentication client / accounting client function Attributes sent to the RADIUS authentication server Attributes of the RADIUS authentication server processed by the NS-2250 Attributes sent to the RADIUS accounting server Examples of RADIUS authentication/accounting server settings...
Chapter 1 Overview of the NS-2250 Chapter 1 describes the main functions and part names of the NS-2250. Read this chapter before starting work. Chapter content Features and main functions 1.1.1 Features 1.1.2 Main functions Part names 1.2.1 Front of NS-2250 1.2.2 Rear of NS-2250 Interface specifications...
Features and main functions This chapter provides an overview of the features and main functions of the NS-2250. For details of each function, see Chapter 2, “Functions”. 1.1.1 Features The NS-2250 console server is equipped with up to 48 RS232-compliant RJ-45 (8-contact modular connector) serial ports.
(1) Aggregate the console ports of monitored equipment The NS-2250 aggregates the console ports of multiple units of monitored equipment and offers a unified, maintainable environment. Instead of connecting terminals to the console ports of monitored equipment, by connecting to the NS-2250, you can access the console ports of monitored equipment from a telnet/SSH client on the network.
Furthermore, the NS-2250 is equipped with a port selection function that allows you to access monitored equipment easily by simply selecting a number from a menu displaying a list of monitored equipment. By using this function, you can centrally control monitored equipment.
(2) Save, display, and send messages that monitored equipment has output The NS-2250 saves and manages messages that monitored equipment has output as port logs. You can view saved port logs when accessing monitored equipment via the NS-2250 from a telnet/SSH client. You can also use the following methods to export port logs to external equipment.
(3) Encrypt communication and prevent unauthorized access To provide safe access to the NS-2250 and monitored equipment that has been connected to the NS-2250, the NS-2250 is equipped with the SSHv2 (Secure Shell version 2)/SFTP (Secure File Transfer Protocol) encryption protocol and public key authentication. Because communication is concealed, you can use the NS-2250 with peace of mind from a security perspective.
1.1.2 Main functions This section provides an overview of the main functions of the NS-2250. Port server functions The port server functions receive connection requests from telnet/SSH clients and connect telnet/SSH sessions to the specified serial ports. By using the port server menu included in the port server functions, you can view the logs of monitored equipment connected to a serial port and send Break signals to monitored equipment.
(3) Security functions With the security function, you can restrict the users who log into the NS-2250 and specify the serial ports that can be accessed by each user. With a RADIUS/TACACS+ function, you can centrally manage users who log into the NS-2250 and users who access the serial port of the NS-2250 and save accounting logs to the RADIUS/TACACS+ server.
Part names This section describes the part names and functions of the NS-2250. For detailed hardware specifications, connector connections, and other details, see the Installation Manual. 1.2.1 Front of NS-2250 NS-2250-16/32/48 are generally referred to as SmartCS models. The following figure shows the front side of the SmartCS.
(4) POWER switch Switch the power of the NS-2250 on or off. When the switch is switched to the ( | ) side or (O) side, the power is switched on or off, respectively. (5) AC inlet Connect the AC power cable. Before you pull out the AC power cable, carry out the “shutdown”...
1.2.2 Rear of NS-2250 The following figure shows the rear side of the SmartCS. [Figure 1-12 Part names (Rear of NS-2250-16). Labels: LINK/ACT light, Speed light, LAN1 port, LAN2 port, CONSOLE port, Serial ports 1-16, RX light, TX light, Heat vents] [NS-2250-32] Link/ACT light Speed light...
[Figure 1-14 Part names (Rear of NS-2250-48). Labels: Link/ACT light, Speed light, LAN1 port, LAN2 port, CONSOLE port, Serial ports 1-48, RX light, TX light, Heat vents]
(1) Interface ports
Port: CONSOLE port. Functions: Serial port to configure the initial settings of the NS-2250 and perform other operations.
Interface specifications This section describes the interface specifications of the NS-2250. The default settings are underlined. (1) LAN port Functions Description Number of ports Speed Auto, 10 Mbps, 100 Mbps, 1000Mbps Duplex Auto, Full duplex, Half duplex (2) CONSOLE port Functions Description Number of ports...
Chapter 2 Functions Chapter 2 describes the functions of the NS-2250 in detail. Read this chapter before starting work. Chapter content Port server functions 2.1.1 Overview of port server functions 2.1.2 Connect to a port server (Direct mode) 2.1.3 Connect to a port server (Select mode) 2.1.4 Port selection menu 2.1.5...
Port server functions 2.1.1 Overview of port server functions The port server functions receive connection requests from telnet/SSH clients and connect telnet/SSH sessions to the specified serial port. You can use a telnet/SSH client as a remote console of monitored equipment. There are two supported methods to access monitored equipment: Normal mode (rw) and Monitoring mode (ro).
The following table shows the number of connections of the entire device when combining Normal mode and Monitoring mode. Model Maximum number of sessions Telnet only SSH only NS-2250-16 NS-2250-32 NS-2250-48 The following tables show the telnet and SSH protocol and servers supported by the port server.
2.1.2 Connect to a port server (Direct mode) In Direct mode, assign a TCP port number to each serial port, and then specify the TCP port number of the serial port to which the target device is connected from the telnet/SSH client to connect to the device directly. If you know the TCP port number to access the monitored equipment, it is easier to access the monitored equipment using Direct mode.
To connect in Direct mode, use the port numbers in the following table for access.
Mode: Normal mode. Privileges: RW (Read/Write). Default port number: Telnet (8101 to 8148), SSH (8301 to 8348). Notes: Enable bidirectional communication with monitored equipment connected to the serial port.
2.1.3 Connect to a port server (Select mode) In Select mode, you can enable connections to monitored equipment simply by accessing the NS-2250 from a telnet/SSH client and selecting the number of the serial port you want to access from the “Port selection menu”. (For details, see 2.1.4, “Port selection menu”.) This function is also referred to as a port selection function.
Note that, in Select mode, the same telnet server (TCP:23)/SSH server (TCP:22) is used to access monitored equipment and log into the NS-2250. In Select mode, when a normal user requests access, it is regarded as a login to the NS-2250.
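The default Direct mode port ranges and the shared Select mode login ports described above, turned into a flow-log audit that flags cleartext telnet access and sources outside an allow-list. This is an added example, not code from the manual or from Seiko Solutions; the flow-record format, the sample records and the allow-listed subnet are constructed assumptions, and only the Normal mode ranges shown on this page are modelled.

```python
import ipaddress
import re

# Default Direct mode (Normal mode, RW) ranges from this manual:
# telnet 8101-8148 and SSH 8301-8348, one TCP port per serial port.
# These are defaults only; the manual notes they can be changed.
TELNET_RW_BASE = 8100
SSH_RW_BASE = 8300
MAX_TTY = 48  # largest model (NS-2250-48)

# Assumption: management clients live in this subnet (borrowed from the
# manual's 192.168.0.x examples). Replace with your own allow-list.
ALLOWED_NETS = [ipaddress.ip_network("192.168.0.0/24")]

# Constructed sample flow records: "<src_ip> -> <dst_ip>:<dst_port>"
SAMPLE_FLOWS = """\
192.168.0.2 -> 192.168.0.1:8301
192.168.0.2 -> 192.168.0.1:8101
10.20.30.40 -> 192.168.0.1:8324
10.20.30.40 -> 192.168.0.1:23
192.168.0.9 -> 192.168.0.1:22
192.168.0.9 -> 192.168.0.1:443
"""

FLOW_RE = re.compile(r"^(\S+) -> (\S+):(\d+)$")


def classify_port(dport):
    """Map a destination port to (service, encrypted, tty) or None."""
    if dport == 23:   # telnet server: device login and Select mode
        return ("telnet-login/select", False, None)
    if dport == 22:   # SSH server: device login and Select mode
        return ("ssh-login/select", True, None)
    if TELNET_RW_BASE < dport <= TELNET_RW_BASE + MAX_TTY:
        return ("telnet-direct-rw", False, dport - TELNET_RW_BASE)
    if SSH_RW_BASE < dport <= SSH_RW_BASE + MAX_TTY:
        return ("ssh-direct-rw", True, dport - SSH_RW_BASE)
    return None       # not a console-server service modelled here


def audit_flows(text, allowed_nets=ALLOWED_NETS):
    """Return one finding per flow that is cleartext or from a disallowed source."""
    findings = []
    for line in text.splitlines():
        match = FLOW_RE.match(line.strip())
        if not match:
            continue
        try:
            src = ipaddress.ip_address(match.group(1))
        except ValueError:
            continue  # skip records with an unparseable source address
        hit = classify_port(int(match.group(3)))
        if hit is None:
            continue
        service, encrypted, tty = hit
        reasons = []
        if not encrypted:
            reasons.append("cleartext")
        if not any(src in net for net in allowed_nets):
            reasons.append("source-not-allowed")
        if reasons:
            findings.append({"src": str(src), "service": service,
                             "tty": tty, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in audit_flows(SAMPLE_FLOWS):
        print(finding)
```

Findings from this audit map directly onto the settings the manual covers later: moving users from the telnet ranges to the SSH ranges, and registering allowed network addresses and masks under "Control access to servers".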
2.1.4 Port selection menu The port selection menu appears when Select mode is selected and a port user accesses the NS-2250. The port selection menu shows the label information of the serial ports the user can access and the usage status of serial ports. If you use this menu, you can grasp the usage status of monitored equipment and more easily access monitored equipment.
The port selection menu shows the information in the following table. Output Display content information Serial ports numbers to which connections are possible. Label Label information configured to each port. Current Normal mode connection information. Numbers The number of port users currently connected. Full The number of sessions has reached the maximum.
The following table shows the commands that can be used in the port selection menu.
<ttyno>: Connect to the specified serial port in Normal mode. Example entries: tty> 1, tty> 24
<ttyno>r: Connect to the specified serial port in Monitoring mode. Example entries: tty> 1r, tty>...
(Connection example for Select mode) To connect to serial port 1 of the NS-2250 in Normal mode from a telnet client, access the telnet server (TCP:23) of the NS-2250, and then select “1” in the port selection menu.
# telnet NS-2250↲
Console Server Authentication.
To connect to serial port 1 of the NS-2250 in Normal mode from an SSH client, access the SSH server (TCP:22) of the NS-2250, and then select “1” in the port selection menu.
# ssh portuser01@NS-2250↲
Console Server Authentication.
portuser01@192.168.1.1’s password: ↲
: The port selection menu appears
tty>...
2.1.5 Port server menu The port server menu appears when you access a serial port from a telnet/SSH client. In the port server menu, you can manage port logs, access monitored equipment, send Break signals to monitored equipment, and carry out other operations. By configuring in advance the substitute character code (session suspension character code) to return to the port server menu, you can display the port server menu after accessing monitored equipment.
To carry out commands in the port server menu, enter the numbers displayed in the menu. If you access the port server of the NS-2250, the port server menu is displayed.
# telnet NS-2250 8101↲
-- RW1 ------------------------
Host : "SmartCS-No1"
Label : "Switch-Tokyo-6F-00001"
-------------------------------
1 : display Port Log
2 : display Port Log (LAST)
3 : start tty connection
To refresh the port server menu, enter either “?” or a <TAB>.
tty-1:rw> ?
-- RW1 ------------------------
Host : "SmartCS-No1"
Label : "Switch-Tokyo-6F-00001"
-------------------------------
1 : display Port Log
2 : display Port Log (LAST)
3 : start tty connection
4 : close telnet/ssh session
5 : show all commands
6 : display &...
2.1.6 Port user authentication With the port user authentication function, users are authenticated when they access monitored equipment. When a user accesses the port server from a telnet/SSH client, this function requests entry of a user name and password to prevent unauthorized access to monitored equipment connected to the serial port.
If port user authentication is on, a prompt requesting login is displayed for all serial ports. To use the port selection function (Select mode), enable this function. When port user authentication is on and the port server menu is off # telnet NS-2250 8101↲...
To use port user authentication, you must register port users, and then configure the serial ports to which the registered port users are permitted access. With the default settings (port user authentication is off), users can access all serial ports. If port user authentication is on, serial ports cannot be accessed until you configure the serial ports to which the registered users are permitted access.
2.1.7 Other port server functions The port server functions support the following functions.
Break signal processing: Transmit a Break signal to monitored equipment connected to a serial port when a Break request has arrived from a telnet/SSH client. The default setting is off.
Port log functions 2.2.1 Overview of the port log function The port log function saves data received from monitored equipment connected to a serial port to a FLASH memory or the internal memory (RAM) of the NS-2250. This function works even when a telnet/SSH client is not connected to the monitored equipment. You can view saved port logs when accessing monitored equipment via the NS-2250 from a telnet/SSH client.
2.2.2 Port log save function The port log save function saves logs output by monitored equipment connected to a serial port to a FLASH memory inserted in the NS-2250 or the RAM of the NS-2250. The free space in which port logs can be saved to the NS-2250 depends on such factors as your model.
2.2.3 Time stamp function The time stamp function for port logs adds a time to a port log. When the time stamp function is on, the time is added to the port log in accordance with the time stamp interval specified for each port.
2.2.4 Login stamp function The login stamp function for port logs adds the login and logout times of the user who accessed the serial port. This function can be configured for each serial port, and the default setting is off. If this function is enabled, a login stamp like the one shown in the following box is added to the port log.
To delete the port logs displayed at the port log menu, select “6: display & erase Port Log” or “7: erase Port Log”. When this operation is carried out, port logs saved to the FLASH memory or internal memory of the NS-2250 are not deleted. This operation simply hides the logs displayed by “1: display Port Log”.
2.2.6 Port log sending function (syslog/NFS/FTP/mail) The port log sending function sends port logs stored in the NS-2250 to the specified send destination server. You can save port logs to a syslog or NFS server and send the logs to an FTP server or mail address specified for each port.
Port log send condition: Send interval (minutes). Setting range: 0 to 65535. Notes: Send port logs at the specified send interval. If the send interval is set to “0”, the send interval setting is disabled, and logs are sent according to the usage rate.
Security functions As security functions, the NS-2250 is equipped with a user management/authentication function and access control functions for various servers. 2.3.1 User management/authentication function The NS-2250 is equipped with functions to manage and authenticate users, including registration and deletion functions. With the default settings, users are registered to the NS-2250 using the group names and user IDs in the following table.
An administrator can register the following users and passwords in accordance with intended usage and security policies.
User name: <Normal user>. User ID: 100 to 190. Group: normal. Class: Normal user. Notes: Can be registered by an administrator of the NS-2250.
2.3.2 RADIUS authentication function/RADIUS accounting function The NS-2250 is equipped with a RADIUS authentication client to authenticate users by the RADIUS authentication server and a RADIUS accounting client to send login, logout, and other accounting information to the RADIUS accounting server. You can centrally manage user information and access history by registering users to the RADIUS authentication server/RADIUS accounting server.
If you use this function, you can authenticate users by the RADIUS authentication server when there is a login from the console or access to monitored equipment from a telnet/SSH client. There are three types of users that can be authenticated by the RADIUS authentication server: normal users, device management users, and port users.
(1) Order of user authentication When RADIUS authentication client settings have been configured in the NS-2250, user authentication is carried out in the following order: NS-2250 local authentication, and then RADIUS authentication. If local user authentication fails because the user in question has not been registered or because of a password mismatch after local authentication within the NS-2250, the NS-2250 sends an authentication request to the RADIUS authentication server.
[Figure 2-11 When there is a response from the RADIUS authentication server. Labels: NS-2250, RADIUS authentication server 1 (primary), Authentication Request; Access allowed: RADIUS authentication success; Access refused: RADIUS authentication failure]
When the RADIUS authentication client of the NS-2250 sends an authentication-request packet to the RADIUS authentication server but there is no response from the RADIUS authentication server, the NS-2250 waits for the specified timeout period, and then retries the specified number of times.
The accounting START and accounting STOP packets sent by the RADIUS accounting client to the RADIUS accounting server are resent in the same manner.
[Figure labels: NS-2250, RADIUS authentication server 1 (primary), RADIUS authentication server 2 (secondary), Authentication request, Retry = 1, Timeout time expired, Authentication request...]
2.3.3 User group identification and access control of serial ports by RADIUS On the NS-2250, you can use the RADIUS authentication server to identify user groups such as device management users, normal users, and port users, and centrally manage access to the serial ports by port users.
(2) Use the access grouping function Before you use this function, carry out the following configuration. In the RADIUS server, set the group name to which the user belongs. In the NS-2250, set the group name for each user type. Configure the access privileges to serial ports for the port user group in the same manner.
2.3.4 TACACS+ function The NS-2250 is equipped with a TACACS+ client function to authenticate users, approve user groups, and carry out accounting for user logins and logouts. You can centrally manage user information and access history by registering users to the TACACS+ server.
If you use this function, you can authenticate users by the TACACS+ server when there is a login from the console or access to monitored equipment from a telnet/SSH client. There are three types of users that can be authenticated by the TACACS+ server: normal users, device management users, and port users.
Order of user authentication When TACACS+ has been configured, user authentication is carried out in the following order: NS-2250 local authentication, and then TACACS+ authentication. If user authentication fails because the user in question has not been registered or because of a password mismatch after local authentication within the NS-2250, the NS-2250 sends an authentication request to the TACACS+ server.
TACACS+ operation TACACS+ is made up of authentication, approval, and accounting.
Authentication: Authenticates users by user ID and password.
Approval: Approves service attributes sent by the NS-2250. Confirms that the service attribute is “smartcs”, and then responds with the user type (normal user, device management user, or port user) configured for the authenticated user.
If there is one TACACS+ server registered to the NS-2250, and there is no response from the TACACS+ server within the timeout time, the connection request fails. If there are two TACACS+ servers registered, an authentication request is sent to TACACS+ server 1 (the TACACS+ server with ID number 1).
2.3.5 User group identification and access control of serial ports by TACACS+ You can use the TACACS+ server and NS-2250 access grouping function to identify user groups such as device management users, normal users, and port users, and centrally manage access to the serial ports by port users. Before you use this function, carry out the following configuration.
2.3.6 Control access to servers You can register the network addresses and masks that are allowed connections for each server of the NS-2250. The following table shows the servers of the NS-2250 for which you can restrict access.
Access control of telnet server: Restrict clients that access the telnet server of the NS-2250.
Operation management functions The NS-2250 has the following operation management functions. DNS client function This function resolves names when applications, such as the “ping” and “telnet” commands, of the NS-2250 contact the DNS server. The number of DNS servers that can be registered to the NS-2250 is two.
Syslog client function You can send syslog messages to external syslog servers. The NS-2250 can send syslog messages and port logs output by the NS-2250 to a syslog server. Syslog messages and port logs output by the NS-2250 are sent to the same syslog server.
(12) Temperature sensor function This function measures the temperature by using a temperature sensor. (13) Time zone This function configures the time zone to which the NS-2250 belongs.
Chapter 3 Configuration procedures Chapter 3 provides an overview of start, stop, and setup procedures. Read this chapter before starting work. Chapter content Start, check, and stop the NS-2250 3.1.1 Insert a USB memory 3.1.2 Connect a device management terminal 3.1.3 Start the NS-2250 3.1.4...
Start, check, and stop the NS-2250 3.1.1 Insert a USB memory The setup information of the NS-2250 can be stored on a flash memory of the NS-2250 or the included USB memory. When the USB memory is set, setup information is read from the USB memory when the NS-2250 is started.
Caution The USB memory is intended for the NS-2250. Do not use the USB memory with another device. If the USB memory has been inserted into a PC or another device, the NS-2250 may no longer recognize the USB memory normally or another malfunction may occur.
3.1.2 Connect a device management terminal To operate the NS-2250, you must configure the functions of the NS-2250 in advance. The function settings of the NS-2250 are configured from a device management terminal, so connect a device management terminal before switching on the power of the NS-2250. The device management terminal can be connected to either the CONSOLE port of the NS-2250 or via the network to the LAN port of the NS-2250.
(2) Connect to a network Connect the device management terminal to the network, and then log into the NS-2250 from a telnet client via the LAN port of the NS-2250. [Figure 3-5 Connect the NS-2250 and the device management terminal via a network. Labels: Device management terminal, NS-2250 LAN1, 192.168.0.1, 192.168.0.2, Telnet protocol] With the default settings of the NS-2250, the parameters in the following table have been set in advance so that the NS-2250 can be configured from a management terminal on the network.
3.1.3 Start the NS-2250 For the NS-2250, connect the AC power cable. At the rear of the NS-2250, flip the power switch to the “ | ” side to switch on the power and start the NS-2250. (The “O” side is off.) When you use an NS-2250, see the Installation Manual.
3.1.4 Check the NS-2250 If the power of the NS-2250 is switched on, the boot process starts. Use the four STATUS lights on the front of the NS-2250 to check that the boot process is proceeding normally. While the NS-2250 is booting, the STATUS lights switch on in the following order. If an error occurs, the STATUS lights flash.
If the power is switched on, a self-diagnostic test is run, and then the system software starts. If the system software starts, a start message and “NS-2250 login:” prompt appear on the device management terminal. Make sure that no error messages appeared during the start message.
3.1.5 Stop the NS-2250 To stop the NS-2250, save the settings of the NS-2250 to the startup file, and then use the following procedure to carry out the “shutdown” command. Next, either confirm that the “MON>” prompt is displayed on the console or wait for the STATUS 2 light on the front of the NS-2250 to switch on.
Set up the NS-2250 Figure 3-10 shows the setup procedure for the NS-2250. For details of commands to configure functions, see the Command Reference. From a management terminal connected to the CONSOLE port or over the network, specify a user name and password registered to the NS-2250 to login.
3.2.1 Log in and log out This section describes how to log into and log out of the NS-2250 from a device management terminal connected to the CONSOLE port or a client terminal on the network. Users who can log in At the default settings, the following users are registered as users that can log in to the NS-2250: normal user “somebody”...
$ telnet 192.168.0.1↵
login: somebody↵
Password: ↵
(0)NS-2250>
The first character of the prompt differs by the type of connection port. When logging in from a device management terminal connected to the CONSOLE port, a “(c)” is displayed. When logging in from a telnet client on the network, a “(0)” is displayed. The number in the prompt when you have logged in from a telnet client on the network is an unused number assigned in order from zero for each connection.
3.2.2 Use the CLI This section describes how to use the CLI of the NS-2250. Command line editing function The following table lists the command line editing functions of the CLI. Edit key Operation [Backspace] Deletes one character just before the cursor. [Ctrl]+[H] [Delete] Deletes characters at the location of the cursor.
Command abbreviation function If a single candidate command or a key word is determined from partially entered text, the remaining characters can be omitted. For example, the “show log console” command to display the console log can be abbreviated to “sh log con”. (c)NS-2250# show log console↵...
3.2.3 Insert configuration commands On the NS-2250, you can copy and paste configuration commands created in a text file in advance (insert configuration commands), and then configure the NS-2250. By using this function, you can minimize command entry errors, and carry out configuration work for the NS-2250 efficiently.
3.2.4 Save settings When the settings of the NS-2250 have been changed, the changes are reflected in the running configuration. The running configuration is a file in the internal memory (RAM), so if the NS-2250 is stopped or restarted, the changed settings are discarded. To save the changed settings, carry out the “write”...
Save settings normally (when a save destination for settings is not specified) Carry out the “write” command with no options. If the “write” command is carried out without specifying options, the settings are saved to the startup file that was imported at startup.
3.2.5 Restart the NS-2250 To restart the NS-2250, carry out the “reboot” command. Restart normally (when no particular options are specified) If the “reboot” command is carried out with no options, the default startup file is imported, and the NS-2250 restarts. (c)NS-2250# reboot↵...
Chapter 4 Settings Chapter 4 describes the settings of the functions of the NS-2250. Read this chapter before starting work. Chapter content Configure the network 4.1.1 Change the host name or IP address of the NS-2250 4.1.2 Configure the static routing function 4.1.3 Configure the DNS client Configure the CONSOLE port...
4.6.6 Configure the SSH server 4.6.7 Control access to servers Configure operation management 4.7.1 Configure the SNTP client 4.7.2 Configure the SNMP agent 4.7.3 Configure the syslog client 4.7.4 Configure the temperature sensor 4.7.5 Configure the time zone Setting examples 4.8.1 Basic settings 4.8.2...
Configure the network 4.1.1 Change the host name or IP address of the NS-2250 The default host name of the NS-2250 is “NS-2250”. To change the host name, carry out the “set hostname” command. In the host name, you can use half-width alphanumeric characters, underbars “_”, hyphens “-”, and periods “.”.
4.1.2 Configure the static routing function To configure the static route, carry out the “create ip route” command.
(c)NS-2250# create ip route default gateway 192.168.0.254↵
(c)NS-2250#
To configure the static route and default routing, carry out the “create ip route” command.
(c)NS-2250# create ip route 172.16.1.0/24 gateway 192.168.0.2↵...
4.1.3 Configure the DNS client To configure the DNS client, carry out the “set dns” command and “set dns localdomain” command.
(c)NS-2250# set dns 1 192.168.0.21↵
(c)NS-2250# set dns localdomain example.co.jp↵
(c)NS-2250#
You can check the DNS client information by using the “show dns” command.
(c)NS-2250# show dns↵...
Configure the CONSOLE port The following table shows the configured values for the CONSOLE port of the NS-2250 at the default settings. Item Default value Transfer speed 9600 bps Data length 8 bit Parity None Stop bit 1 bit Flow control XON/XOFF To change the CONSOLE port settings, carry out the “set console”...
Configure the serial ports The following table shows the configured values for all serial ports of the NS-2250 at the default settings.
Item              Default value
Transfer speed    9600 bps
Data length       8 bit
Parity            None
Stop bit          1 bit
Flow control      NONE
DSR signal detection function
To change the serial port settings, carry out the “set tty”...
Page 100
You can check the serial port information by using the “show tty” command. (c)NS-2250# show tty 1↵ tty : 1 baud : 9600 bitchar parity : none stop flow : none drhup : off detect_dsr : on (c)NS-2250# (c)NS-2250# show tty↵ ----------base---------- -dsr- baud bc parity st flow --------------------------------------...
Configure the port server 4.4.1 Configure the connection modes (Direct mode/Select mode) At the default settings, the connection mode of the port server is configured to Direct mode. If you want to use the port selection menu, carry out the “set portd connect select” command.
4.4.2 Show the port server menu The port server menu display setting is configured by the “set portd menu” command. There are three settings for the display of the port server menu: Auto, show, and hide. This display is dependent on the port log setting that determines whether port logs are saved. The following table shows the relationship of the settings.
4.4.3 User authentication of the port server (port user authentication) Port user authentication runs when a telnet client accesses the port server of the NS-2250. The default setting is “No authentication”. To switch on port user authentication, carry out the “set portd auth” command. If the port user authentication is set to on, the port user authentication function operates for all serial ports of the NS-2250.
4.4.6 Change the TCP port number of the port server (Direct mode) You can change the TCP port number of telnet/SSH Normal mode and Monitoring mode running at each serial port by using the “set portd telrw/telro/sshrw/sshro” commands. To change the service port number of telnet/SSH Normal mode and Monitoring mode, set an unused port number in the range from 1,025 through 65,000.
4.4.7 Add a port user To add a port user, carry out the “create user” command. Because you must configure the serial ports that a port user can access, use the “port” option of the “create user” command or the “set user port” command to configure the serial ports that can be accessed.
4.4.8 Configure labeling of serial ports You can set a device name or other label to a serial port so that you can identify the monitored equipment connected to the serial port. Up to 32 characters can be used for labels.
4.4.9 Configure the automatic session disconnection function of the port server The NS-2250 is equipped with two automatic session disconnection functions: one that operates according to an idle timer (idle monitoring time) and one that operates according to a session timer (continuous connection time). To enable this function, carry out the following commands.
Page 108
(c)NS-2250# configure↵ (c)NS-2250# set portd tty 1-16 brk_char brk↵ (c)NS-2250# set portd tty 32 brk_char brk↵ (c)NS-2250# Change line feed code The NS-2250 can convert line feed code received from a telnet client and send it to a serial port.
Page 109
You can configure the session suspension character code of the port server menu by carrying out the “set portd tty cmdchar” command. To configure the session suspension character code for the port server menu to “0x01” (Ctrl+A), carry out the following command.
Configure port logs 4.5.1 Enable and disable port log functions Enable port log functions At the default settings, the port log functions run using the following configuration. Port log save location : RAM (selectable from RAM, FLASH, and off) Port log setting of serial ports : On for all serial ports Port log size for serial ports : 500 Kbyte (default setting when RAM is set)
To set the port log function to off for individual serial ports, carry out the “set logd tty log” command. (c)NS-2250# set logd tty 1-32 log off↵ (c)NS-2250# Caution If the port log function is changed from off to on for the entire device, the port log function is switched to on for all serial ports, and the setting is reflected in the running configuration automatically.
4.5.4 Configure login stamps To set the port log login stamp function to on, carry out the “set logd lstamp” command. If the login stamp function is set to on, the login and logout times of a user who accessed the serial port are added to the port log.
4.5.5 Configure email sending To send port logs by email periodically, carry out the “add logd tty mail” command and the “set logd tty sendlog” command. To send the port log of serial port 1 to “mgr@example.co.jp” of a mail server (192.168.1.1) at a 60-minute interval or when the port log reaches 80% capacity, carry out the following commands.
4.5.6 Configure FTP sending To send port logs by FTP periodically, carry out the “add logd tty ftp” command and the “set logd tty sendlog” command. To send the port log of serial port 5 to the FTP server (192.168.1.1) as user “loguser2” at a 60-minute interval or when the port log reaches 80% capacity, carry out the following commands.
4.5.7 Configure syslog sending To send port logs to the syslog server, carry out the “set logd tty syslog” command. With syslog sending, if the port logs that should be sent arrive, they are sent to the syslog server immediately. To send the port logs of serial port 1 through serial port 16 and serial port 32 to the syslog server, carry out the following commands.
Page 116
(c)NS-2250# show syslog↵ Syslog Status:enable No. Syslog Host Portlog-Facility Syslog-Facility --------------------------------------------------------- 10.1.1.1 local0 local1 (c)NS-2250# To configure the syslog server, see Section 4.7.3, “Configure the syslog client”. Caution In environments in which port log transfers are frequent, we recommend specifying and configuring the IP address directly and not resolving the name of the syslog server using the DNS server.
4.5.8 Configure NFS sending To save port logs to an NFS server, carry out the “set logd tty nfs” command. If data is received from monitored equipment, port logs are saved to the NFS server immediately. To save the port logs of serial port 1 through serial port 16 and serial port 32 to the NFS server, carry out the following command.
4.5.9 Check port log settings You can check the configuration information of port logs by using the “show logd” command. (c)NS-2250# show logd↵ Log stored in : FLASH Total Log Size : 144000 KB (Free 0 KB / Total 144000 KB) Timestamp : off, Interval Time : 60 sec (c)NS-2250# show logd tty 1↵...
Configure security settings 4.6.1 Register and delete users On the NS-2250, you can add and delete users in accordance with objectives. To register a normal user (user1) and port user (port1) to the NS-2250, carry out the “create user” command. For details of the “create user” command, see the Command Reference.
4.6.2 Configure user passwords Users registered by default do not have passwords configured. To configure a password, use the “set user password” command as shown below. Use the same command when changing a password. (c)NS-2250# set user root password↵ New password: ↵ Retype new password: ↵...
4.6.3 Configure the RADIUS authentication / accounting function To authenticate users using the RADIUS authentication server or save accounting logs to the RADIUS accounting server, carry out the following commands. (1) Configure the RADIUS authentication client To change the authentication method to RADIUS, set RADIUS authentication server 1 to “172.31.1.1”, set the Radius authentication port to “1645”, and register a secret key (abcdef), carry out the following commands.
Page 122
(3) Configure the retry/timeout values for RADIUS authentication/accounting request packets. To configure the number of retries for RADIUS authentication/accounting request packets and the timeout time of authentication/accounting response packets, carry out the following commands. At the default settings, the number of retries is 3 times and the timeout value is 5 seconds. (c)NS-2250# set auth radius retry 5↵...
Page 123
■RADIUS server setting (RADIUS server)
User name    Attribute setting
somebody     Filter-Id = NS2250_NORMAL
root         Filter-Id = NS2250_ROOT
suzuki       Filter-Id = NS2250_PORT1-10
tanaka       Filter-Id = NS2250_PORT11-20
yamada       Filter-Id = NS2250_PORT30-32
■filter_id_head setting (NS-2250)
User type                 filter_id_head setting
Device management user    NS2250_ROOT
Normal user               NS2250_NORMAL
Port user...
Page 124
1 can access serial port 1 through 10, and user 2 can access serial port 20 through 30, and so on) Caution The NS-2250 performs user authentication in the following order: 1) local authentication within the NS-2250 -> 2) RADIUS authentication. When normal users undergo RADIUS authentication, either delete normal users registered to the NS-2250 or configure a password different from the password registered to the RADIUS server.
Page 125
When the following settings have been configured, the Filter-Id attribute values of users registered to the RADIUS authentication server result in the following actions. When the Filter-Id attribute value is “admin_grp”, the user is treated as a device management user. When the Filter-Id attribute value is “normal_grp”, the user is treated as a normal user.
Page 126
For the action when the user group cannot be identified even when RADIUS authentication is successful, see (6), “Configure access methods for users for which a user group cannot be identified”. Priority during login is as follows: 1) device management user (root), 2) normal user (normal), and 3) port user (portusr).
Page 127
(c)NS-2250-1# create auth access_group root radius filter_id admin_grp↵ (c)NS-2250-1# create auth access_group normal radius filter_id normal_grp↵ (c)NS-2250-1# create auth access_group portusr port 1-10 radius filter_id port_grp1↵ (c)NS-2250-1# create auth access_group portusr port 31,32 radius filter_id port_grp2↵...
Page 128
(6) Configure access methods for users for which a user group cannot be identified In some cases, the user group of the user cannot be identified even when RADIUS authentication is successful. (Examples include when the Filter-Id attribute value was not sent from the RADIUS authentication server or when the Filter-Id attribute does not match the character string specified by either the “create auth access group”...
Page 129
(9) Configure the sending method of accounting STOP packets when user authentication has failed The sending method of accounting STOP packets when user authentication has failed is configured by using the “set acct radius auth_deny_stop” command. If the setting is configured to “off”...
4.6.4 Configure the TACACS+ function To authenticate/approve users by using the TACACS+ authentication server or to save accounting logs, carry out the following commands. (1) Configure the TACACS+ function To change the user authentication and accounting methods to TACACS+, set the IP address of the TACACS+ authentication server to “172.31.1.1”, and configure the secret key to “abcdef”, carry out the following commands.
Page 131
(3) Configure user group identification and access control of serial ports (access grouping) To use the access grouping function, use the “create auth access_group” command to register the attribute and value pairs to identify device management users, normal users, and port users access groups in the NS-2250. Set the list of serial ports to which port users have access in the same manner.
Page 132
For the action when the user group cannot be identified even when TACACS+ authentication/approval is successful, see (4), “Configure access methods for users for which a user group cannot be identified”. The priority during login when multiple groups have been configured for a user is as follows: 1) device management user (root), 2) normal user (normal), and 3) port user (portusr).
Page 133
(4) Configure access methods for users for which a user group cannot be identified In some cases, the user group of the user cannot be identified even when TACACS+ authentication/approval is successful. (Examples include when the attribute to identify the user type was not sent from the TACACS+ server or when the attribute and value pair does not match the character string specified by the “create auth access group”...
4.6.5 Configure the telnet server To change the TCP port number of the telnet server, carry out the following commands. The port number of the telnet server can be set from 1,025 through 65,000, and the default setting is 23. (c)NS-2250# set telnetd port 2023↵...
Page 135
Change the TCP port number of the SSH server To change the TCP port number of the SSH server, carry out the following command. The port number of the SSH server can be set from 1,025 through 65,000, and the default setting is 22.
4.6.7 Control access to servers The following table shows the servers of the NS-2250 for which you can restrict access. You can control access from client terminals by specifying the network address of client terminals that are allowed to connect to each server running on the NS-2250. Server for which access control can Default access Network address allowed to...
Configure operation management 4.7.1 Configure the SNTP client To configure the SNTP client, carry out the “set sntp server” command and the “set sntp polltime” command as shown below. To synchronize the time of the NS-2250 with the SNTP server (172.16.1.1) with a polling timer of 900 seconds, carry out the following commands.
4.7.2 Configure the SNMP agent To configure the SNMP agent, first configure the SNMP server, SNMP trap, and other settings, and then enable the SNMP agent. Configure the SNMP server and community To configure the SNMP server, carry out the “set community” command. To allow read (ro) access from the SNMP server at 172.16.1.1 with the community “public”, carry out the following commands.
Page 139
Change the traps to be monitored The following table shows the configuration values for the traps monitored by the SNMP agent at the default settings. Trap Setting Coldstart Trap Authentication Failure Trap Link Trap Power Trap Serial DSR Trap OFF(all serial ports are monitored) To change the traps to be monitored, carry out the command that corresponds to each trap as shown below.
Page 140
You can check the SNMP agent status by using the “show snmp” command. (c)NS-2250# show snmp↲ status : enable location : "Server Room in TOKYO" contact : "Administrator 03-1234-5678" linktrap : on powertrap : on authentrap : on coldstarttrap : off dsrtrap(tty1-8) : off off off off off off off off dsrtrap(tty9-16)
4.7.3 Configure the syslog client To configure the syslog client, carry out the “set syslog host” command. To carry out syslog transfer to the syslog server (172.16.1.1) with the syslog of the NS-2250 with the facility code “local1” and port logs with the facility code “local0”, carry out the following command.
4.7.4 Configure the temperature sensor The temperature sensor starts operating from the default status, and you can acquire the temperature without any particular configuration. To configure the correction value for the temperature sensor with the objective of measuring the approximate outdoor temperature, specify the correction value for adjustment in the “set temperature adjust”...
4.7.5 Configure the time zone To configure the time zone, carry out the “set timezone” command. Specify a time zone name from the list displayed by the “show timezone list” command. The default time zone is “Tokyo”. (c)NS-2250# show timezone↲ Timezone is “Tokyo”...
Setting examples This section describes the following setting examples. (1) Basic settings (2) Configure the services (3) Configure port log transfer (4) Change the port log location and size (5) Stop the port log save function and control display of the port server menu (6) Port user authentication (7) SSH password (basic) authentication (8) SSH public key (public) authentication...
Page 145
Settings of the NS-2250 set hostname SmartCS set ipaddr eth1 192.168.1.100/24 create ip route default gateway 192.168.1.254 set tty 1-8 baud 19200 set portd tty 1-8 cmdchar 1 Explanation of settings 1. Set the name of the NS-2250 to the “SmartCS”, set the LAN1 IP address to “192.168.1.100”, and set the default route to “192.168.1.254”.
4.8.2 Configure the services This section describes the basic settings to access monitored equipment from a telnet client via the NS-2250 and the settings of the various services (SNMP agent, SNTP client, syslog client, and FTP server access control) to manage the NS-2250. Port server setting : Direct mode (default) Method of connection...
Page 147
set sntp server 192.168.1.252 set sntp polltime 1200 enable sntp create allowhost 192.168.2.0/24 service ftpd Explanation of settings 1. Set the name of the NS-2250 to the “SmartCS”, set the LAN1 IP address to “192.168.1.100”, and set the default route to “192.168.1.254”. set hostname SmartCS set ipaddr eth1 192.168.1.100/24 create ip route default gateway 192.168.1.254...
Page 148
enable ftpd create allowhost 192.168.2.0/24 service ftpd 4-56...
4.8.3 Configure port log transfer This section describes the settings to output port logs as syslog, settings to send to specified FTP servers and mail addresses for each serial port, and settings to add time stamps to port logs. Port server setting : Direct mode (default) Method of connection : Telnet Normal mode (default)
Page 150
Settings of the NS-2250 set hostname SmartCS set ipaddr eth1 192.168.1.100/24 create ip route default gateway 192.168.1.254 set syslog host 1 192.168.1.252 portlog_facility local0 syslog_facility local1 enable syslog set nfs server 1 addr 192.168.1.252 path /mnt/nfslog set nfs rotate 0 0 1 * * enable nfs set logd tstamp on interval 60 set logd tty 1 syslog on...
Page 151
Explanation of settings 1. Set the name of the NS-2250 to the “SmartCS”, set the LAN1 IP address to “192.168.1.100”, and set the default route to “192.168.1.254”. set hostname SmartCS set ipaddr eth1 192.168.1.100/24 create ip route default gateway 192.168.1.254 2.
Page 152
of “smartcs@example.co.jp”. Emails sent to “user2@example.co.jp” have the subject of “Data-Center Server” and a sender of “smartcs@example.co.jp”. Port logs are stored in the body of the mail when they are sent. set logd tty 2 syslog on set logd tty 2 sendlog mail interval 180 ratio 70 add logd tty 2 mail 1 user1@example.co.jp 192.168.1.251 set logd tty 2 mail 1 type body set logd tty 2 mail 1 subject "Server Status"...
4.8.4 Change the port log location and size This section describes the settings to change the location and save space of port logs. Port server setting : Direct mode (default) Method of connection : Telnet Normal mode (default) Port user authentication : None (default) Port log location : FLASH (Change the port log size...
Page 154
Explanation of settings 1. Set the name of the NS-2250 to the “SmartCS”, set the LAN1 IP address to “192.168.1.100”, and set the default route to “192.168.1.254”. set hostname SmartCS set ipaddr eth1 192.168.1.100/24 create ip route default gateway 192.168.1.254 2.
4.8.5 Disable the port log function and control display of the port server menu Port server setting : Direct mode (default) Method of connection : Telnet Normal mode (default) Port server menu : OFF Port user authentication : None (default) Port log location : None Port log transfer function...
4.8.6 Port user authentication This section describes the settings to increase the security of serial ports by switching on the port user authentication function and limiting the serial ports that can be accessed by each port user. Port server setting : Direct mode (default) Method of connection : Telnet Normal mode (default) Port user authentication...
Page 157
Explanation of settings 1. Set the name of the NS-2250 to the “SmartCS”, set the LAN1 IP address to “192.168.1.100”, and set the default route to “192.168.1.254”. set hostname SmartCS set ipaddr eth1 192.168.1.100/24 create ip route default gateway 192.168.1.254 2.
4.8.7 SSH password (basic) authentication This section describes the basic settings to access monitored equipment from an SSH client via the NS-2250 using password (basic) authentication. In this configuration example, telnet clients are also covered. Port server setting : Direct mode (default) Method of connection : telnet/SSH Normal mode SSH authentication...
Page 159
Settings of the NS-2250 set hostname SmartCS set ipaddr eth1 192.168.1.100/24 create ip route default gateway 192.168.1.254 set sshd auth basic create allowhost all service portd sshrw all set portd auth basic create user user01 group portusr password (password entry) create user user02 group portusr password (password entry) create user user03 group portusr password...
Page 160
5. Configure the serial ports that can be accessed by a port user. Configure the privileges so that user01 to user03 can access serial port 1 through 32. set user user01 port 1-32 set user user02 port 1-32 set user user03 port 1-32 6.
4.8.8 SSH public key (public) authentication In this configuration example, telnet clients are also covered. Port server setting : Direct mode (default) Method of connection : Telnet/SSH Normal mode SSH server authentication : Public key (public) authentication Port user authentication : Yes Port log location : RAM(default)
Page 162
Settings of the NS-2250 set hostname SmartCS set ipaddr eth1 192.168.1.100/24 create ip route default gateway 192.168.1.254 set sshd auth public create allowhost all service portd sshrw all set portd auth basic create user user01 group portusr password (password entry) create user user02 group portusr password (password entry) create user user03 group portusr password...
Page 163
Explanation of settings 1. Set the name of the NS-2250 to the “SmartCS”, set the LAN1 IP address to “192.168.1.100”, and set the default route to “192.168.1.254”. set hostname SmartCS set ipaddr eth1 192.168.1.100/24 create ip route default gateway 192.168.1.254 2.
Page 165
7. Configure the settings of the SSH server of the NS-2250 to allow login to the NS-2250 from an SSH client. Enable the SSH server of the NS-2250, and then configure the settings to allow access to the SSH server of the NS-2250 from all network addresses. Finally, configure the passwords of login users registered to the NS-2250.
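The settings examples in 4.8.7 and 4.8.8 can be checked mechanically before they are loaded onto a unit. The following is an added example, not part of the manual or of Seiko Solutions' software: a small Python check over a settings listing written in the manual's command forms, shown with a weak listing beside a corrected one. Both listings are constructed for illustration, and the finding names and the /24 threshold are assumptions of this example.

```python
import ipaddress

# Constructed listings; they use only command forms shown in the manual's
# setting examples. Finding names below are this example's own labels.
WEAK = """\
set hostname SmartCS
set ipaddr eth1 192.168.1.100/24
create ip route default gateway 192.168.1.254
set sshd auth basic
create allowhost all service portd sshrw all
create allowhost 192.168.0.0/16 service ftpd
enable ftpd
create user user01 group portusr password
set user user01 port 1-32
"""

HARDENED = """\
set hostname SmartCS
set ipaddr eth1 192.168.1.100/24
create ip route default gateway 192.168.1.254
set sshd auth public
create allowhost 192.168.2.0/24 service portd sshrw all
set portd auth basic
set user root password
set user somebody password
create user user01 group portusr password
set user user01 port 1-8
"""

# Accounts for which the manual's examples run "set user <name> password".
DEFAULT_USERS = ("root", "somebody")


def lint(text, min_prefix=24):
    """Return a list of (finding, subject) tuples for a settings listing.

    min_prefix is a local policy choice (assumption): allowhost networks
    wider than this prefix length are reported.
    """
    cmds = [line.split() for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")]
    findings = []

    # Access control: "create allowhost <network|all> service <service ...>"
    for c in cmds:
        if c[:2] == ["create", "allowhost"] and len(c) >= 5 and c[3] == "service":
            source, service = c[2], " ".join(c[4:])
            if source == "all":
                findings.append(("allowhost-any", service))
                continue
            try:
                net = ipaddress.ip_network(source, strict=False)
            except ValueError:
                findings.append(("allowhost-unparsed", service))
                continue
            if net.prefixlen < min_prefix:
                findings.append(("allowhost-wide", service))

    # SSH server accepts passwords; the manual also offers "public".
    if ["set", "sshd", "auth", "basic"] in cmds:
        findings.append(("sshd-password-auth", "sshd"))

    # Port user authentication defaults to "No authentication" (4.4.3).
    if ["set", "portd", "auth", "basic"] not in cmds:
        findings.append(("portd-no-auth", "portd"))

    # Users registered by default have no password configured (4.6.2).
    for user in DEFAULT_USERS:
        if not any(c[:4] == ["set", "user", user, "password"] for c in cmds):
            findings.append(("no-password", user))

    # FTP carries credentials and log data in cleartext.
    if ["enable", "ftpd"] in cmds:
        findings.append(("ftp-enabled", "ftpd"))
    return findings


if __name__ == "__main__":
    for name, listing in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name)
        for finding, subject in lint(listing):
            print(f"  {finding}: {subject}")
```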
4.8.9 Configure the port selection function (Select mode of the port server) This section describes the settings of the port selection function (Select mode of the port server). Port server setting : Select mode Method of connection : Telnet Normal mode (default) Port user authentication : Yes Port log location...
Page 167
Explanation of settings 1. Set the name of the NS-2250 to the “SmartCS”, set the LAN1 IP address to “192.168.1.100”, and set the default route to “192.168.1.254”. set hostname SmartCS set ipaddr eth1 192.168.1.100/24 create ip route default gateway 192.168.1.254 2.
4.8.10 Configure the RADIUS authentication / accounting function (basic settings) This section describes the basic settings to centrally manage port users that access the serial ports of the NS-2250 by using the RADIUS authentication / accounting server. Port server setting : Direct mode (default) Method of connection : Telnet Normal mode (default)
Page 169
Settings of the NS-2250 set hostname SmartCS set ipaddr eth1 192.168.1.100/24 create ip route default gateway 192.168.1.254 set user root password (password entry) set user somebody password (password entry) set portd auth basic set auth mode radius set auth radius server 1 addr 192.168.1.252 set auth radius server 1 key password (Secret key entry) set auth radius server 2 addr 192.168.1.253...
Page 170
Explanation of settings 1. Set the name of the NS-2250 to the “SmartCS”, set the LAN1 IP address to “192.168.1.100”, and set the default route to “192.168.1.254”. set hostname SmartCS set ipaddr eth1 192.168.1.100/24 create ip route default gateway 192.168.1.254 2.
Page 171
RADIUS server settings This section lists examples of attributes to be set to the user definition file of the RADIUS server. The maximum length of a RADIUS user name that can be authenticated by the NS-2250 is 64 characters. # Port user (user01) user01 Password = "user01", # Port user (user02) user02 Password = "user02",...
4.8.11 Configure the RADIUS authentication client function/RADIUS accounting client function (case 1: filter_id_head) This section describes the settings to centrally manage users that access the NS-2250 by using the RADIUS authentication server/RADIUS accounting server. This example lists settings to determine whether the user in question is a device management user, normal user, or port user by the Filter-Id attribute value to be sent from the authentication server after user authentication by the RADIUS authentication server.
Page 173
Settings of the NS-2250 set hostname SmartCS set ipaddr eth1 192.168.1.100/24 create ip route default gateway 192.168.1.254 set portd auth basic set auth mode radius set auth radius retry 5 set auth radius server 1 addr 192.168.1.252 set auth radius server 1 port 1645 set auth radius server 1 timeout 10 set auth radius server 1 key password (Secret key entry)
Page 174
Explanation of settings 1. Set the name of the NS-2250 to the “SmartCS”, set the LAN1 IP address to “192.168.1.100”, and set the default route to “192.168.1.254”. set hostname SmartCS set ipaddr eth1 192.168.1.100/24 create ip route default gateway 192.168.1.254 2.
Page 175
To configure the serial ports that a port user can access (1-16, 24), configure the Filter-ID attribute value on the RADIUS authentication server to “NS2250_PORT1-16,24”. If the number is not listed, as in “NS2250_PORT”, the NS-2250 gives access privileges to all serial ports. 8....
Page 176
RADIUS server settings This section lists examples of attributes to be set to the user definition file of the RADIUS authentication server. The maximum length of a RADIUS user name that can be authenticated by the NS-2250 is 64 characters. # Port user registration portuser01 Password = "portuser01", Filter-Id = "NS2250_PORT1-16",...
Page 177
Note that of the attributes received by the NS-2250, only a Username and Filter-ID are interpreted. Accordingly, connection is possible with the following attributes as well. # Port user registration portuser01 Password = "portuser01", Service-Type = Framed-User, Framed-Protocol = PPP, Idle-Timeout = 600, Filter-Id = "NS2250_PORT1-16"...
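Because a Filter-Id of “NS2250_PORT” with no port list grants every serial port, it is worth auditing the RADIUS user definition file for what each entry actually yields. The following is an added example, not code from the manual: a Python audit that applies the filter_id_head rules described in this case 1 example to a users file. The sample file is constructed, the 32-port count is an assumption about the unit, and treating the head as a prefix match for every user type is this example's reading of “filter_id_head”.

```python
import re

# filter_id_head values from the manual's case 1 example.
HEADS = (("root", "NS2250_ROOT"),
         ("normal", "NS2250_NORMAL"),
         ("portusr", "NS2250_PORT"))
PORT_COUNT = 32  # assumption: 32-port unit; set to the model being audited

# Constructed sample in the style of the manual's user definition file.
SAMPLE_USERS = '''\
# Device management user
root Password = "r00t-Example",
    Filter-Id = "NS2250_ROOT"

# Port users
portuser01 Password = "portuser01",
    Filter-Id = "NS2250_PORT1-16,24"

portuser02 Password = "Xk3-example",
    Filter-Id = "NS2250_PORT"

portuser03 Password = "Qz9-example",
    Filter-Id = "NS2250_PORT30-40"

contractor Password = "Lm7-example",
    Service-Type = Framed-User
'''


def parse_port_list(spec, port_count=PORT_COUNT):
    """Expand '1-16,24' into a sorted port list; ValueError if malformed."""
    ports = set()
    for part in spec.split(","):
        m = re.fullmatch(r"(\d+)(?:-(\d+))?", part.strip())
        if not m:
            raise ValueError(f"bad port token {part!r}")
        lo = int(m.group(1))
        hi = int(m.group(2) or lo)
        if not 1 <= lo <= hi <= port_count:
            raise ValueError(f"port range {part!r} outside 1-{port_count}")
        ports.update(range(lo, hi + 1))
    return sorted(ports)


def classify_filter_id(value, port_count=PORT_COUNT):
    """Return (user_type, ports, note) for one Filter-Id value."""
    for kind, head in HEADS:
        if not value.startswith(head):   # prefix match: assumption
            continue
        suffix = value[len(head):]
        if kind != "portusr":
            return (kind, [], "")
        if suffix == "":
            # Manual: no number listed means access to all serial ports.
            return (kind, list(range(1, port_count + 1)), "all serial ports")
        try:
            return (kind, parse_port_list(suffix, port_count), "")
        except ValueError as exc:
            return ("invalid", [], str(exc))
    return ("unidentified", [], "no filter_id_head match")


def parse_users(text):
    """Map user name -> {'password': str or None, 'filter_ids': [str]}."""
    users, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line[0].isspace():        # unindented line opens an entry
            current = users.setdefault(
                line.split()[0], {"password": None, "filter_ids": []})
        if current is None:
            continue
        pw = re.search(r'\bPassword\s*=\s*"([^"]*)"', line)
        if pw:
            current["password"] = pw.group(1)
        current["filter_ids"] += re.findall(r'\bFilter-Id\s*=\s*"([^"]*)"', line)
    return users


def audit(text, port_count=PORT_COUNT):
    """Return (user, finding) tuples for entries that deserve review."""
    findings = []
    for name, entry in parse_users(text).items():
        if entry["password"] == name:
            findings.append((name, "password-equals-username"))
        if not entry["filter_ids"]:
            # Group cannot be identified; the def_user setting decides.
            findings.append((name, "no-filter-id"))
        for value in entry["filter_ids"]:
            kind, ports, _ = classify_filter_id(value, port_count)
            if kind == "unidentified":
                findings.append((name, "unidentified-group"))
            elif kind == "invalid":
                findings.append((name, "bad-port-list"))
            elif kind == "portusr" and len(ports) == port_count:
                findings.append((name, "all-ports"))
    return findings


if __name__ == "__main__":
    for user, finding in audit(SAMPLE_USERS):
        print(f"{user}: {finding}")
```

How the NS-2250 itself treats a malformed or out-of-range port list is not stated in this excerpt, so the audit reports such values as “bad-port-list” rather than predicting the device's behaviour.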
4.8.12 Configure the RADIUS authentication function/RADIUS accounting function (case 2: access grouping function) This section describes the settings to centrally manage users that access the NS-2250 by using access grouping function with the RADIUS authentication / accounting server. This example lists settings to determine the access group to which the user in question belongs and whether the user is a device management user, normal user, or port user by the Filter-Id attribute value to be sent from the authentication server after user authentication by the RADIUS authentication server.
Page 179
Settings of the NS-2250 set hostname SmartCS set ipaddr eth1 192.168.1.100/24 create ip route default gateway 192.168.1.254 set portd auth basic set auth mode radius set auth radius retry 5 set auth radius server 1 addr 192.168.1.252 set auth radius server 1 port 1645 set auth radius server 1 timeout 10 set auth radius server 1 key password (Secret key entry)
Page 180
Explanation of settings 1. Set the name of the NS-2250 to the “SmartCS”, set the LAN1 IP address to “192.168.1.100”, and set the default route to “192.168.1.254”. set hostname SmartCS set ipaddr eth1 192.168.1.100/24 create ip route default gateway 192.168.1.254 2.
Page 181
8. Configure authentication processing for users for which an access group cannot be identified. Carry out the “set auth radius def_user” command so that users for which an access group cannot be identified are refused access (for example, when the Filter-ID attribute is not sent from the RADIUS authentication server or when the Filter-ID attribute character string and the access group registered to the SmartCS do not match).
Page 182
RADIUS server settings This section lists examples of attributes to be set to the user definition file of the RADIUS authentication server. The maximum length of a RADIUS user name that can be authenticated by the NS-2250 is 64 characters. # Port user registration portuser01 Password = "portuser01", Filter-Id = "grp1",...
4.8.13 Configure the TACACS+ function (basic settings) This section describes the basic settings to centrally manage port users that access the serial ports of the NS-2250 by using the TACACS+ server. Port server setting : Direct mode (default) Method of connection : Telnet Normal mode (default) Port user authentication : Yes...
Page 184
Settings of the NS-2250 set hostname SmartCS set ipaddr eth1 192.168.1.100/24 create ip route default gateway 192.168.1.254 set user root password (password entry) set user somebody password (password entry) set portd auth basic set auth mode tacacs set auth tacacs server 1 addr 192.168.1.252 set auth tacacs server 1 key password (Secret key entry) set auth tacacs server 2 addr 192.168.1.253...
Page 185
Explanation of settings 1. Set the name of the NS-2250 to the “SmartCS”, set the LAN1 IP address to “192.168.1.100”, and set the default route to “192.168.1.254”. set hostname SmartCS set ipaddr eth1 192.168.1.100/24 create ip route default gateway 192.168.1.254 2.
Page 186
TACACS+ server settings The following section lists a configuration example for the free TACACS+ server of Shrubbery Networks, Inc. (examples of attributes to be configured to the user definition file). After TACACS+ user authentication was successful, the NS-2250 sends an attribute (service=smartcs) to the TACACS+ server, and then carries out approval.
Page 187
# Port user (user02) login = cleartext "user02" service = smartcs { grp = port attr1 = def attr2 = xyz When the “create auth access_group” command, which identifies user groups, has not been configured to the NS-2250, user authentication processing is carried out according to the setting value of the “set auth tacacs def_user”...
4.8.14 Configure the TACACS+ function (access grouping function) This section describes the settings to centrally manage users that access the NS-2250 by using access grouping function with the TACACS+ server. This example lists settings to determine the access group to which the user in question belongs (device management user, normal user, or port user) and the access privileges to serial ports of port users by the attribute and value pair to be sent from the TACACS+ server after user authentication by the TACACS+ server.
Page 189
Settings of the NS-2250 set hostname SmartCS set ipaddr eth1 192.168.1.100/24 create ip route default gateway 192.168.1.254 set portd auth basic set auth mode tacacs set auth su_cmd username admin set auth tacacs server 1 addr 192.168.1.252 set auth tacacs server 1 timeout 10 set auth tacacs server 1 key password (Secret key entry) set auth tacacs server 2 addr 192.168.1.253...
Page 190
Explanation of settings 1. Set the name of the NS-2250 to the “SmartCS”, set the LAN1 IP address to “192.168.1.100”, and set the default route to “192.168.1.254”. set hostname SmartCS set ipaddr eth1 192.168.1.100/24 create ip route default gateway 192.168.1.254 2.
Page 191
6. Register the access group to identify port users. Carry out the “create auth access_group” command so that port users are identified and access is allowed to serial ports (1 to 16, 24) when the attribute (“grp” in this example) to be sent from the TACACS+ authentication server is “grp1”. In the same manner, configure to allow access to serial ports (20 to 32) when the attribute is “grp2”.
Page 192
TACACS+ server settings This section lists examples of attributes to be set to the user definition file of the TACACS+ server. The maximum length of a TACACS+ user name that can be authenticated by the NS-2250 is 64 characters. accounting file = /var/log/tac_plus.acct # Normal user registration user = somebody login = cleartext "network"...
Page 193
You can also configure multiple privileges for a single user (for example, the access privileges of both device management users and port users). Note that if you use a TACACS+ server that cannot return multiple instances of the same attribute to the client, such as the server from Shrubbery Networks, Inc., you must register attributes for each user group.
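The access grouping described in this section can be checked offline before it is relied on. The following Python code is an added example, not code from Seiko Solutions or the NS-2250: it parses a constructed sample shaped like the “show auth access_group” output printed in section 6.3.6, resolves the attribute-value pairs a TACACS+ server returns into user groups and serial ports, and reports ports reachable through more than one port-user group. The “1-16,24” list syntax, the 32-port limit, and the union of ports across matching groups are assumptions.

```python
import re

# Constructed sample, laid out in the shape of the "show auth access_group"
# output printed in this manual. The "1-16,24" list syntax is an assumption.
SHOW_ACCESS_GROUP = """\
Protocol : Tacacs+
Attribute : UserSpecific (Attribute Value Pair)
-------------------------------------------------------
<root>
attr_val : grp=admin_grp
-------------------------------------------------------
<normal>
attr_val : grp=normal_grp
-------------------------------------------------------
<portusr>
attr_val : grp=grp1
port : 1-16,24
-------------------------------------------------------
<portusr>
attr_val : grp=grp2
port : 20-32
"""

# One entry: "<group>", its attribute=value pair, and an optional port list.
ENTRY = re.compile(
    r"<(?P<role>\w+)>\s*attr_val\s*:\s*(?P<attr>[^=\s]+)=(?P<value>\S+)"
    r"(?:\s+port\s*:\s*(?P<ports>[\d,\-]+))?"
)


def parse_ports(spec, max_port=32):
    """Expand a spec such as "1-16,24" into a set of port numbers.

    max_port=32 is an assumption taken from the "1-32" range on this page.
    """
    ports = set()
    for part in spec.split(","):
        lo, sep, hi = part.strip().partition("-")
        if not lo.isdigit() or (sep and not hi.isdigit()):
            raise ValueError(f"bad port spec: {part!r}")
        first, last = int(lo), int(hi or lo)
        if not 1 <= first <= last <= max_port:
            raise ValueError(f"port range out of bounds: {part!r}")
        ports.update(range(first, last + 1))
    return ports


def parse_access_groups(text):
    """Return one dict per access group entry found in the show output."""
    groups = []
    for m in ENTRY.finditer(text):
        ports = parse_ports(m["ports"]) if m["ports"] else set()
        groups.append({"role": m["role"], "attr": m["attr"],
                       "value": m["value"], "ports": ports})
    return groups


def resolve(groups, av_pairs):
    """Map AV pairs returned by the TACACS+ server to roles and serial ports.

    A user matching no group gets empty sets; how the device treats that
    case is not modeled here.
    """
    returned = set(av_pairs)
    roles, ports = set(), set()
    for g in groups:
        if (g["attr"], g["value"]) in returned:
            roles.add(g["role"])
            ports |= g["ports"]  # assumption: privileges accumulate
    return roles, ports


def shared_ports(groups):
    """Report ports reachable through more than one port-user group."""
    port_groups = [g for g in groups if g["role"] == "portusr"]
    found = {}
    for i, a in enumerate(port_groups):
        for b in port_groups[i + 1:]:
            common = a["ports"] & b["ports"]
            if common:
                found[(a["value"], b["value"])] = common
    return found


if __name__ == "__main__":
    groups = parse_access_groups(SHOW_ACCESS_GROUP)
    # Hypothetical users and the AV pairs their TACACS+ entries would return.
    users = {"user01": [("grp", "grp1")],
             "user02": [("grp", "admin_grp"), ("grp", "grp2")],
             "user03": [("grp", "unknown")]}
    for user, pairs in users.items():
        roles, ports = resolve(groups, pairs)
        print(user, sorted(roles), sorted(ports))
    print("shared:", shared_ports(groups))
```

Run against real device output, the shared-port report is a quick way to spot serial ports that two port-user groups can both reach.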
4.8.15 LAN Redundant This section describes the settings for a redundant LAN configuration. Port server setting Direct mode (default) Method of connection Telnet Normal mode (default) Port user authentication None (default) Port log location RAM (default) Port log transfer function Off (default) Serial ports Transfer speed of serial port 1 through serial port 8 (9,600 bps)
Chapter 5 Management and maintenance Chapter 5 describes management and maintenance of the NS-2250. Chapter content View information of the NS-2250 5.1.1 View hardware and software information 5.1.2 View a summary of the information of the NS-2250 Manage the configuration 5.2.1 View a list of startup files 5.2.2...
View information of the NS-2250 5.1.1 View hardware and software information To view information about the hardware configuration and system software of the NS-2250, carry out the “show version” command. This command shows the system software version, boot status, system up time, serial number, and other information. (c)NS-2250# show version↲...
5.1.2 View a summary of the information of the NS-2250 To display settings, statistical information, logs, and other information of the NS-2250 together, carry out the “show support” command. The following table shows the NS-2250 information output by the “show support” command.
Page 198
The following section shows an actual output of the “show support” command. (c)NS-2250# show support↲ ===== start of show support ===== Fri Jul 03 19:32:04 JST 2015 ===== Version information System : System Software Ver 1.0 (Build 2015-XX-XX) Boot Status : Reboot (05:80:00) System Up Time : 2015/07/03 21:12:07...
Manage the configuration 5.2.1 View a list of startup files The NS-2250 stores and manages the settings in the startup file. The SmartCS has a maximum of eight startup files (four files on the USB memory and four files on the internal memory of the device).
Page 200
To view a list of startup files, carry out the “show config info” command. (c)NS-2250# show config info↲ boot startup : external startup1 internal startup files name date size default ------------------------------------------- startup1 Jul 3 19:28 startup2 Jul 2 09:35 startup3 Jul 2 09:35 startup4 Jul 2 09:35...
5.2.2 View the content of startup files To view information of the startup file that the NS-2250 read at startup, carry out the “show config startup” command. (c)NS-2250# show config startup↲ === show external startup1 === echo "SYSTEM configuration..." set timezone Tokyo echo “IP configuration...”...
5.2.3 Change the startup file to be imported at startup With regard to the startup file to be read at startup, the SmartCS stores files both on a USB memory and internally. At the default settings, the NS-2250 uses the “startup1” file as the default startup file.
5.2.4 Copy a startup file To copy a startup file, carry out the “copy startup” command. For example, to copy the “startup1” file of the USB memory to the “startup2” file of the USB memory, carry out the “copy startup” command while specifying the options shown below. (c)NS-2250# copy startup 1 external to startup 2 external↲...
5.2.6 View the running configuration The NS-2250 manages the configuration commands stored in the startup file read at startup, the configuration commands carried out by the device administrator after the NS-2250 has started, and other configuration commands as the running configuration in the internal memory of the NS-2250.
5.2.7 Transfer startup files via FTP server You can access the FTP server of the NS-2250 from an FTP client, and then store the startup files of the NS-2250 in the FTP client or save startup files managed by the FTP client to the NS-2250.
Page 206
After logging into the NS-2250 via FTP, carry out the “ls” command to check the startup file. The internal startup files (startup 1 to 4 files) are saved in the “internalfiles” directory and the startup files (startup 1 to 4 files) of the USB memory are saved in the “externalfiles” directory.
Page 207
(3) Save startup files managed by the FTP client to the NS-2250 To save startup files managed by the FTP client to the NS-2250, carry out the following operation using the FTP client. This section describes the procedure to save startup files managed by the FTP client to the “startup1”...
Page 208
Save the startup files managed by the FTP client to the “startup1” file of the USB memory, and then exit the FTP client. ftp> put CS1-startup1 startup1↵ local: startup1 remote: startup1 227 Entering Passive Mode (192.168.1.100,191,54) 150 Opening ASCII mode data connection for startup1 (720 bytes). 226 File send OK.
5.2.8 Transfer startup files via FTP client You can access the FTP server from the FTP client of the NS-2250, and then store the startup files of the NS-2250 in the FTP server or save startup files managed by the FTP server to the NS-2250.
5.2.9 Transfer startup files via TFTP client You can save the startup files of the NS-2250 to the TFTP server and copy startup files managed by the TFTP server to the NS-2250. The procedure to manage startup files via TFTP is described using the following conditions: IP address of NS-2250: “192.168.1.100”, IP address of the TFTP server: “192.168.1.1”.
View console logs Console messages of the NS-2250 are displayed on a device management terminal connected to the CONSOLE port. In addition, displayed console messages are saved inside the NS-2250 as console logs. To view the console log (20 most recent lines) of the NS-2250, carry out the “show log console”...
(2) Configure the information to manage the NS-2250 (IP address of the NS-2250, community, and access privileges) to the SNMP server. (3) Import the MIB file of the NS-2250 into the SNMP server, if necessary. Download file NS-2250 from the website (http://www.seiko-sol.co.jp/).
Manage system software This section describes the configuration of the system software of the NS-2250. The NS-2250 stores the system software internally. The NS-2250 has two sets of system software: system software (main), which is normally used, and system software (backup), which is used when system software (main) cannot be used.
Page 214
(1)Connect a device management terminal to the CONSOLE port of the NS-2250. (2)Switch on the power of the NS-2250. After the message “Hit [Enter] key to Enter Rom-Monitor...” appears on the device management terminal, quickly press the Enter key to display the “MON>” prompt of Rom-Monitor. Hit [Enter] key to Enter Rom-Monitor...
5.5.2 Copy system software For the system software of the NS-2250, you can copy the system firmware that is currently running to the system firmware that is not running. To copy system software (main) to system software (backup), carry out the “copy system”...
5.5.4 Upgrade or downgrade system software This section describes the procedure to upgrade or downgrade the system software of the NS-2250. While the system software file sent to the NS-2250 is different, the upgrade and downgrade operations and procedures are the same. The procedures to upgrade or downgrade the NS-2250 are described using the following conditions: IP address of NS-2250: “192.168.1.100”, IP address of the FTP/TFTP server or FTP client: “192.168.1.101”.
Page 217
(c)NS-2250# ftp verup 192.168.1.101↲ Connected to 10.5.31.171 (192.168.1.101). 220 FTP Server ready. Name (192.168.1.101:root): XXXX↲ 331 Password required for XXXX Password: 230 User ne logged in. ftp> hash↲ Hash mark printing on (1024 bytes/hash mark). ftp> binary↲ 200 Type set to I ftp>...
Page 218
From the client terminal, carry out the “ftp” command, and then log in to the NS-2250 as an upgrade user (verup). Carry out the FTP “put” command to transfer the difference file (example: system.2250.Verxxx) with the file name “system”. If the FTP transfer fails, try again.
Page 219
Run the upgrade/downgrade
Carry out the “verup execute” command to run the upgrade/downgrade. If the upgrade finishes, a restart confirmation message appears. Enter “y”. If “y” is entered, the NS-2250 restarts.
(c)NS-2250# verup execute↲
Do you update main-system version [y/n] ? y↲
Caution Carry out the “verup execute”...
Page 220
Copy system software If necessary, make sure that the system software (backup) is the same version as that of the system software (main). To copy system software (main) to system software (backup), carry out the “copy system” command. (c)NS-2250# copy system main to backup↲ Do you copy main system to backup system [y/n] ? y↲...
5.5.5 Replace system software This section describes the procedure to replace the system software of the NS-2250. The procedures to replace the NS-2250 are described using the following conditions: IP address of NS-2250: “192.168.1.100”, IP address of the FTP/TFTP server or FTP client: “192.168.1.101”.
Page 222
(c)NS-2250# ftp verup 192.168.1.101↲ Connected to 10.5.31.171 (192.168.1.101). 220 FTP Server ready. Name (192.168.1.101:root): XXXX↲ 331 Password required for XXXX Password: 230 User ne logged in. ftp> hash↲ Hash mark printing on (1024 bytes/hash mark). ftp> binary↲ 200 Type set to I ftp>...
Page 223
From the client terminal, carry out the “ftp” command, and then log in to the NS-2250 as an upgrade user (verup). Carry out the FTP “put” command to transfer the system image file (example: NS-2250.sys.vXXX) with the file name “NS-2250.sys”. If the FTP transfer fails, try again.
Page 224
Check the version of the system image After the system image file has been transferred, carry out the “show system-image” command, and then check the version of the system image. (c)NS-2250# show system-image↲ System Image Name : NS-2250.sys Product : NS-2250 Version : 1.0.1 Date : 2015-XX-XX...
Page 225
Copy system software If necessary, make sure that the system software (backup) is the same version as that of the system software (main). To copy system software (main) to system software (backup), carry out the “copy system” command. (c)NS-2250# copy system main to backup↲ Do you copy main system to backup system [y/n] ? y↲...
5.5.6 Save system software This section describes the procedure to save the system software of the NS-2250. The procedures to replace the system image of NS-2250 are described using the following conditions: IP address of NS-2250: “192.168.1.100”, IP address of the FTP/TFTP server or FTP client: “192.168.1.101”.
Page 227
(3) Transfer the system image file
Transfer the system image file to the NS-2250 using one of the following methods.
- Using the tftp command of the NS-2250
- Using the ftp command of the NS-2250
- Using the FTP/SFTP client
■...
Page 228
■ Way using the FTP/SFTP client Carry out the “enable ftpd” command to enable the FTP server of the NS-2250. Next, carry out the “create allowhost” command to allow FTP/SFTP connections from the client terminal. Configure the password for the upgrade user (verup). To use an SFTP client, which uses the SSH protocol, refer to Section 4.6.6, “Configure the SSH server”...
Page 229
From the client terminal, carry out the “ftp” command, and then log in to the NS-2250 as an upgrade user (verup). Carry out the FTP “get” command to transfer the system image file “NS-2250.sys” with the file name (example: NS-2250.sys.vXXX). If the FTP transfer fails, try again.
Save and download port logs manually This section describes the procedures to save port logs of the NS-2250 to FLASH memory, download port logs by an FTP client, and send them to a TFTP server. (1) Save port logs manually To save the port logs of serial port 1 to the FLASH memory, carry out the “logsave”...
Page 231
(c)NS-2250# enable ftp↲ (c)NS-2250# create allowhost all service ftpd↲ (c)NS-2250# set user log password↲ Changing password for user log. New password: ↲ Retype new password: ↲ Password for log changed From the FTP client, log in to the NS-2250 as a log download user (log), and then confirm that the saved port logs are present.
Page 232
Download the saved port log files to the FTP client.
ftp> get tty01_1507092109.log↲
local: tty01_0610111441.log remote: tty01_0610111441.log
227 Entering Passive Mode (192.168.1.100,200,242)
150 Opening ASCII mode data connection for tty01_1507092109.log (28 bytes).
226 File send OK.
28 bytes received in 0.0013 seconds (22 Kbytes/s)
ftp>...
Reset to default setting To reset the NS-2250 to default settings, carry out the “clear startup” command. You can initialize particular startup files only or specify the “all” option to initialize all startup files (startup1 to 4 files on the USB memory and within the NS-2250). To initialize various log files at the same time, carry out the “shutdown logclear”...
Chapter 6 Troubleshooting Chapter 6 describes the troubleshooting of the NS-2250. Chapter content Overview of troubleshooting NS-2250 hardware trouble 6.2.1 The power does not switch on 6.2.2 The STATUS lights are on or flashing Communication trouble 6.3.1 Check console logs 6.3.2 Check settings 6.3.3...
When some trouble has occurred within NS-2250, list the symptoms or phenomenon, and then refer to this chapter to resolve the problem. Furthermore, the Technical information section on our web site includes frequently asked questions about the NS-2250 and other technical information. See the following URL. http://www.seiko-sol.co.jp/...
NS-2250 hardware trouble This section describes how to deal with trouble related to the hardware of the NS-2250. 6.2.1 The power does not switch on If the power of the NS-2250 does not switch on (the POWER light is not on) even after checking the following, the NS-2250 is likely malfunctioning.
6.2.2 The STATUS lights are on or flashing When the power of the NS-2250 is switched on, the POWER light switches on and the startup process begins. The STATUS lights switch on in the following order. If the NS-2250 starts normally, all the STATUS lights switch off.
Communication trouble Communication troubleshooting can be separated into the following methods. Check error messages saved in the console logs If an error message is displayed when the NS-2250 is started or during communication, this message is saved in the console logs. When trouble occurs, you can deal with the trouble by checking error messages saved in the console logs.
6.3.2 Check settings If the NS-2250 is not operating as intended, check the settings of the NS-2250. You can check the settings of the NS-2250 by viewing the running configuration. (c)NS-2250# show config running↲ ....echo "SYSTEM configuration..." set timezone Tokyo echo “IP configuration...”...
6.3.3 Network communication connection trouble (1) Check the LINK/ACT light If the LAN port LINK/ACT light on the rear of the NS-2250 is off (neither on nor flashing) even after checking the following items or (3) below, the NS-2250 is likely malfunctioning. Switch off the power of the NS-2250 immediately, unplug the power cable, and then request repair.
Page 242
Check the transceiver counter and error counter of the LAN port of the NS-2250 and make sure there are no errors. (c)NS-2250# show stats ether <Receive Statistics> <Transmit Statistics> Frames Bytes Frames Bytes ------------------------------------------------------------ eth1 687962 45761090 23382 eth2 (c)NS-2250# show stats ether 1↲ Statistics eth1 <Receive information>...
Page 243
(4) Check access control of the servers If you cannot connect to the NS-2250 from a telnet or FTP client, check the status and access control of the servers of the NS-2250. (c)NS-2250# show service↲ <telnetd> status : enable port : 23 <sshd>...
6.3.4 Serial communication connection trouble Check the Tx and Rx light If the Tx and Rx light on the rear of the NS-2250 is off and serial communication is not possible even after checking the following items, the NS-2250 is likely malfunctioning. Switch off the power of the NS-2250 immediately, unplug the power cable, and then request repair.
Page 245
Check the status of the port server and make sure the port numbers are correct. (c)NS-2250# show portd↵ auth status : none connect status : direct base port number telnet rw : 8101 ro : 8201 rw : 8301 ro : 8401 timeout status idle_timeout : off ro_timeout...
Page 246
Check the usage status of the serial port to which you want to connect and make sure that it is possible to connect. (c)NS-2250# show portd session↵ telnet rw : 3 ro : 0 rw : 0 ro : 0 available session (telnet only : 69 / ssh only : 46) ------------------------------------------------------------------ : Label Session-Limit...
Page 247
Make sure access control of the port server allows the serial port in question. (c)NS-2250# show allowhost↲ Service Address/Mask Access tty List -------------------------------------------------------- portd/sshrw portd/telrw telnetd (c)NS-2250# Check the transceiver counter and error counter of the serial port of the NS-2250 and make sure there are no errors.
6.3.5 Trouble with the RADIUS authentication / accounting function When the RADIUS authentication function/RADIUS accounting function of the NS-2250 is not operating correctly, carry out the following checks. Check the RADIUS authentication server/RADIUS accounting server Make sure the RADIUS authentication server/RADIUS accounting server is running and configured correctly.
Page 249
(2) Check the RADIUS authentication function/RADIUS accounting function by using the “show” commands Carry out the “show” commands listed below, and then make sure the authentication/accounting method, the RADIUS authentication client/RADIUS accounting client settings, and the access group settings of the NS-2250 are correct. Check the authentication method and RADIUS authentication client settings (“show auth”, “show auth radius”, and “show auth access_group”...
Page 251
Check the accounting method and RADIUS accounting client settings (“show acct” and “show acct radius” commands) (c)NS-2250# show acct↲ <acct information> Mode : radius (c)NS-2250# show acct radius↲ <acct radius information> Retry Auth_deny_stop : remote Session-id : 1815249 <radius server 1> IP address : 192.168.1.1 Port number...
Page 252
Check by using the “trace” command If the settings of the RADIUS authentication client/RADIUS accounting client are correct, carry out the “trace” command to perform a trace of the RADIUS protocol between the NS-2250 and the RADIUS authentication server/RADIUS accounting server. Analyze the results of the “trace”...
Page 253
Level 2 (advanced) (c)NS-2250# trace radius level 2↵ 13:49:42.287299 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto 17, length: 98) 10.1.1.1.16510 > 10.1.1.2.radius: RADIUS, length: 70 Access Request (1), id: 0x36, Authenticator: db690ce1ef1d774451fec2bcfa651857 Username Attribute (1), length: 6, Value: root Password Attribute (2), length: 18, Value: NAS IP Address Attribute (4), length: 6, Value: 10.1.1.1 NAS ID Attribute (32), length: 9, Value: NS-2250...
6.3.6 Trouble with the TACACS+ function When the TACACS+ function of the NS-2250 is not operating correctly, carry out the following checks. Check the TACACS+ server Make sure TACACS+ server is running and configured correctly. Can you ping the TACACS+ server from the NS-2250? Is the TACACS+ server program running on the TACACS+ server? Is the port number of the TACACS+ server TCP (49)? Do the secret keys of the TACACS+ server and the NS-2250 match?
Page 255
(c)NS-2250# show auth access_group↲
Protocol : Tacacs+
Attribute : UserSpecific (Attribute Value Pair)
-------------------------------------------------------
<root>
attr_val : grp=admin_grp
-------------------------------------------------------
<normal>
attr_val : grp=normal_grp
-------------------------------------------------------
<portusr>
attr_val : grp=port_grp
port : 1-32
Check the TACACS+ accounting settings (“show acct” and “show acct tacacs” command)
(c)NS-2250# show acct↲...
Page 256
Check the statistical information of the TACACS+ authentication/approval (show stats auth tacacs) (c)NS-2250# show stats auth tacacs↲ <authentication tacacs+ statistics> Id IP address Send Rcv_AllowRcv_DenyRcv_Error Timeout ------------------------------------------------------------------- 1 192.168.1.1 121 110 2 192.168.1.2 <authorization tacacs+ statistics> Id IP address Send Rcv_AllowRcv_DenyRcv_Error Timeout ------------------------------------------------------------------- 1 192.168.1.1 121 110...
Page 257
Check by using the “trace” command If the TACACS+ settings are correct, carry out the “trace” command to perform a trace of the TACACS+ protocol between the NS-2250 and the TACACS+ server and check for a response from the TACACS+ server. Note that the “trace”...
Other trouble This section describes methods to deal with other trouble. 6.4.1 The password of the device management user has been forgotten If the password of the device management user has been forgotten, connect a device management terminal to the serial port of the NS-2250, and then start Rom-Monitor. Next, start the system software with the unspecified startup file, and then initialize the settings.
Page 259
(5) Restart the NS-2250.
(c)NS-2250# reboot↲
Do you really want to reboot with main system and default startup [y/n] ? y↲
A.1 User privileges list Users registered to the NS-2250 are given the following privileges according to the groups to which they belong. A <normal user> belongs to the “normal” group created by a device administrator. A <port user> belongs to the “portusr” group created by a device administrator. Other users are registered in advance as default users of the NS-2250.
Appendix B Examples of attributes and RADIUS authentication / accounting server settings Appendix B describes examples of attributes and RADIUS authentication/accounting server settings. Chapter content RADIUS authentication function/RADIUS accounting function Attributes sent to the RADIUS authentication server Attributes of the RADIUS authentication server processed by the NS-2250 Attributes sent to the RADIUS accounting server Examples of RADIUS authentication/accounting server settings...
RADIUS authentication client / accounting client function If the RADIUS authentication function of the NS-2250 has been configured, the RADIUS authentication client of the NS-2250 carries out user authentication by sending an authentication request (Access Request packet) to the specified RADIUS authentication server after login to the NS-2250 or access to the serial ports of the NS-2250.
Attributes sent to the RADIUS authentication server The following table shows the attributes the RADIUS authentication client of the NS-2250 sends to the RADIUS authentication server. TableB-1 Attributes sent to the RADIUS authentication server Value Attribute name Number Content form Name of the user to receive authentication.
Attributes of the RADIUS authentication server processed by the NS-2250 The following table shows the attributes of the RADIUS authentication server processed by the NS-2250. If the NS-2250 receives an attribute not in the table, it ignores the received attribute. Table B-2 Attributes of the RADIUS authentication server processed by the NS-2250 Attribute name Number...
Page 267
When multiple Filter-Id attributes have been configured for users of the RADIUS authentication server and either the “set auth radius server { normal | root | portusr } filter_id_head” or the “create auth access_group” command has been configured corresponding to each user, the user is logged in as the user type shown in the following table. Priority during login is as follows: 1.
Attributes sent to the RADIUS accounting server The following table shows the attributes the RADIUS accounting client of the NS-2250 sends to the RADIUS accounting server. Attributes with a mark (○) in the START column store an accounting START packet. Attributes with a mark (○) in the STOP column store an accounting STOP packet.
Examples of RADIUS authentication/accounting server settings This section describes setting examples for a Livingston RADIUS server. Because setting file names and attributes differ by RADIUS server, always check the manual of the RADIUS authentication/accounting server you are using. B.5.1 Client registration Register the client (NS-2250) that will use the RADIUS authentication/accounting server with the RADIUS authentication/accounting server.
Page 270
If you will use a RADIUS authentication server that is already using another service, the “users” file of the RADIUS server may be configured with attributes that the NS-2250 does not support. However, even in such cases, the NS-2250 evaluates only Filter-ID attributes so authentication can be performed without any particular problems.
Page 271
If you want normal users and device management users to undergo RADIUS authentication along with port users, use one of the following commands to configure user identifiers to identify user groups with the NS-2250.
When using “filter_id_head”
set auth radius server normal filter_id_head NS-2250_NORMAL [Normal user]
set auth radius server root filter_id_head NS2250_ROOT [Device...
Page 272
“Users” file settings example 3 (when using the access grouping function) # Normal user settings somebody Password = “abc” Filter-Id = “normal_grp”, # Device management user settings root Password = “def” Filter-Id = “admin_grp”, # Port user settings (Specify access privileges of serial ports # carrying out the “create auth access_group”...
Accounting logs of the RADIUS accounting server This section lists examples of the accounting logs stored in the RADIUS accounting server. Livingston RADIUS accounting servers store the account logs in the “detail” file. The output of accounting logs depends on the RADIUS accounting server. For details of the accounting logs, see the manual of the RADIUS accounting server you are using.
Rom-Monitor If the following operations or conditions occur on the NS-2250, the system switches to Rom-Monitor. The NS-2250 has been shut down by the “shutdown” command. The NS-2250 was started and then the Enter key was pressed from the console when the “Hit Enter key to stop autoboot:”...
Appendix D Third-party software licenses Appendix D describes the third-party software licenses used by the NS-2250. Chapter content Third-party software licenses...
D.1 Third-party software licenses License for SysVinit, SysVinit-tools, bootlogd, busybox, e2fsprogs, ethtool, freeradius, kernel, libgcc, linux, logrotate, pam_tacplus, procps, proftpd, syslog-ng, u-boot, udev GNU GENERAL PUBLIC LICENSE Version 2, June 1991 Copyright (C) 1989, 1991 Free Software Foundation, Inc. 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed.
Page 279
TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION 0. This License applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under the terms of this General Public License. The "Program", below, refers to any such program or work, and a "work based on the Program"...
Page 280
following: • a) Accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or, • b) Accompany it with a written offer, valid for at least three years, to give any third party, for a charge no more than your cost of physically performing source distribution, a complete machine-readable copy of the corresponding source code, to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange;...
Page 281
claims or to contest validity of any such claims; this section has the sole purpose of protecting the integrity of the free software distribution system, which is implemented by public license practices. Many people have made generous contributions to the wide range of software distributed through that system in reliance on consistent application of that system;...
Page 282
License for Linux-PAM, rsyslog GNU GENERAL PUBLIC LICENSE Version 3, 29 June 2007 Copyright (C) 2007 Free Software Foundation, Inc. <http://fsf.org/> Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed. Preamble The GNU General Public License is a free, copyleft license for software and other kinds of works.
Page 283
TERMS AND CONDITIONS 0. Definitions. "This License" refers to version 3 of the GNU General Public License. "Copyright" also means copyright-like laws that apply to other kinds of works, such as semiconductor masks. "The Program" refers to any copyrightable work licensed under this License. Each licensee is addressed as "you".
Page 284
The Corresponding Source need not include anything that users can regenerate automatically from other parts of the Corresponding Source. The Corresponding Source for a work in source code form is that same work. 2. Basic Permissions. All rights granted under this License are granted for the term of copyright on the Program, and are irrevocable provided the stated conditions are met.
Page 285
This License gives no permission to license the work in any other way, but it does not invalidate such permission if you have separately received it. d) If the work has interactive user interfaces, each must display Appropriate Legal Notices; however, if the Program has interactive interfaces that do not display Appropriate Legal Notices, your work need not make them do so.
Page 286
"Installation Information" for a User Product means any methods, procedures, authorization keys, or other information required to install and execute modified versions of a covered work in that User Product from a modified version of its Corresponding Source. The information must suffice to ensure that the continued functioning of the modified object code is in no case prevented or interfered with solely because modification has been made.
Page 287
All other non-permissive additional terms are considered "further restrictions" within the meaning of section 10. If the Program as you received it, or any part of it, contains a notice stating that it is governed by this License along with a term that is a further restriction, you may remove that term. If a license document contains a further restriction but permits relicensing or conveying under this License, you may add to a covered work material governed by the terms of that license document, provided that the further restriction does not survive such relicensing or conveying.
Page 288
11. Patents. A "contributor" is a copyright holder who authorizes use under this License of the Program or a work on which the Program is based. The work thus licensed is called the contributor's "contributor version". A contributor's "essential patent claims" are all patent claims owned or controlled by the contributor, whether already acquired or hereafter acquired, that would be infringed by some manner, permitted by this License, of making, using, or selling its contributor version, but do not include claims that would be infringed only as a consequence of further modification of the contributor version.
Page 289
13. Use with the GNU Affero General Public License. Notwithstanding any other provision of this License, you have permission to link or combine any covered work with a work licensed under version 3 of the GNU Affero General Public License into a single combined work, and to convey the resulting work.
Page 290
License for eglibc, u-boot GNU LESSER GENERAL PUBLIC LICENSE Version 2.1, February 1999 Copyright (C) 1991, 1999 Free Software Foundation, Inc. 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed.
Page 291
The Lesser General Public License permits more lax criteria for linking other code with the library. We call this license the "Lesser" General Public License because it does Less to protect the user's freedom than the ordinary General Public License. It also provides other free software developers Less of an advantage over competing non-free programs.
above, provided that you also meet all of these conditions: * a) The modified work must itself be a software library. * b) You must cause the files modified to carry prominent notices stating that you changed the files and the date of any change. * c) You must cause the whole of the work to be licensed at no charge to all third parties under the terms of this License.
Page 293
When a "work that uses the Library" uses material from a header file that is part of the Library, the object code for the work may be a derivative work of the Library even though the source code is not. Whether this is true is especially significant if the work can be linked without the Library, or if the work is itself a library.
Page 294
* a) Accompany the combined library with a copy of the same work based on the Library, uncombined with any other library facilities. This must be distributed under the terms of the Sections above. * b) Give prominent notice with the combined library of the fact that part of it is a work based on the Library, and explaining where to find the accompanying uncombined form of the same work.
Page 295
and conditions either of that version or of any later version published by the Free Software Foundation. If the Library does not specify a license version number, you may choose any version ever published by the Free Software Foundation. 14. If you wish to incorporate parts of the Library into other free programs whose distribution conditions are incompatible with these, write to the author to ask for permission.
Page 296
License for u-boot GNU LIBRARY GENERAL PUBLIC LICENSE Version 2, June 1991 Copyright (C) 1991 Free Software Foundation, Inc. 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed.
Page 297
Most GNU software, including some libraries, is covered by the ordinary GNU General Public License, which was designed for utility programs. This license, the GNU Library General Public License, applies to certain designated libraries. This license is quite different from the ordinary one; be sure to read it in full, and don't assume that anything in it is the same as in the ordinary license.
License and to the absence of any warranty; and distribute a copy of this License along with the Library. You may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in exchange for a fee. 2.
Page 299
4. You may copy and distribute the Library (or a portion or derivative of it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange.
Page 300
For an executable, the required form of the "work that uses the Library" must include any data and utility programs needed for reproducing the executable from it. However, as a special exception, the source code distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable.
Page 301
of this License. 12. If the distribution and/or use of the Library is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Library under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded.
Page 302
License for u-boot, xinetd Berkeley-based copyrights: Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
Page 303
License for dropbear The MIT License Copyright (c) <year> <copyright holders> Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:...
Page 304
License for libcap Redistribution and use in source and binary forms of libcap, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain any existing copyright notice, and this entire permission notice in its entirety, including the disclaimer of warranties.
Page 305
License for net-snmp, net-snmp-libs ---- Part 1: CMU/UCD copyright notice: (BSD like) ----- Copyright 1989, 1991, 1992 by Carnegie Mellon University Derivative Work - 1996, 1998-2000 Copyright 1996, 1998-2000 The Regents of the University of California All Rights Reserved Permission to use, copy, modify and distribute this software and its documentation for any purpose and without fee is hereby granted, provided that the above copyright notice appears in all copies and that both that copyright notice and this permission notice appear in supporting documentation, and that the name of CMU and The Regents of the University of California not be used in advertising or...
Page 306
---- Part 3: Cambridge Broadband Ltd. copyright notice (BSD) ----- Portions of this code are copyright (c) 2001-2003, Cambridge Broadband Ltd. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: * Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
Page 307
---- Part 5: Sparta, Inc copyright notice (BSD) ----- Copyright (c) 2003-2004, Sparta, Inc All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: * Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
Page 308
License for openssh, openssh-server * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland All rights reserved * As far as I am concerned, the code I have written for this software * can be used freely for any purpose. Any derived versions of this * software must be clearly marked as such, and if the derived work is * incompatible with the protocol description in the RFC file, it must be * called by a name other than "ssh"...
Page 309
OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. The 32-bit CRC compensation attack detector in deattack.c was contributed by CORE SDI S.A. under a BSD-style license.
Page 310
The Regents of the University of California. All rights reserved. * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1.Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
Page 311
Darren Tucker * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1.Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. * 2.Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
Page 312
* THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF * SUBSTITUTE GOODS OR SERVICES;...
Page 313
License for tcl This software is copyrighted by the Regents of the University of California, Sun Microsystems, Inc., Scriptics Corporation, ActiveState Corporation and other parties. The following terms apply to all files associated with the software unless explicitly disclaimed in individual files. The authors hereby grant permission to use, copy, modify, distribute, and license this software and its documentation for any purpose, provided that existing copyright notices are retained in all copies and that this notice is included verbatim in any distributions.
Page 314
License for u-boot The eCos license version 2.0 This file is part of eCos, the Embedded Configurable Operating System. Copyright (C) 1998, 1999, 2000, 2001, 2002 Red Hat, Inc. eCos is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation;...
Page 315
License for zlib This software is provided 'as-is', without any express or implied warranty. In no event will the authors be held liable for any damages arising from the use of this software. Permission is granted to anyone to use this software for any purpose, including commercial applications, and to alter it and redistribute it freely, subject to the following restrictions: 1.