Nortel  Secure Network Access Switch 4050 User Manual


Nortel Secure Network Access Switch 4050 User Guide
Nortel Secure Network Access Switch Software Release 1.0
Part No. 320818-A
December 2005
4655 Great America Parkway, Santa Clara, CA 95054


Summary of Contents for Nortel Secure Network Access Switch 4050 User Guide

  • Page 2: Restricted Rights Legend

    In the interest of improving internal design, operational function, and/or reliability, Nortel Networks Inc. reserves the right to make changes to the products described in this document without notice. Nortel Networks Inc. does not assume any liability that may occur due to the use or application of the product(s) or circuit layout(s) described herein.
  • Page 3 30 days of purchase to obtain a credit for the full purchase price. “Software” is owned or licensed by Nortel Networks, its parent or one of its subsidiaries or affiliates, and is copyrighted and licensed, not sold. Software consists of machine-readable instructions, its components, data, audio-visual content (such as images, text, recordings or pictures) and related licensed materials including all whole or partial copies.
  • Page 4 12.212 (for non-DoD entities) and 48 C.F.R. 227.7202 (for DoD entities). b. Customer may terminate the license at any time. Nortel Networks may terminate the license if Customer fails to comply with the terms and conditions of this license. In either event, upon termination, Customer must either return the Software to Nortel Networks or certify its destruction.
  • Page 5: Table Of Contents

    About the IP addresses ... 51
  • Page 6 Management IP address ... 51; Portal Virtual IP address ...
  • Page 7 Deleting a domain using the SREM ... 163
  • Page 8 Configuring domain parameters using the SREM ... 164; Additional domain configuration in the SREM ... 166; Configuring the TunnelGuard check using the SREM ...
  • Page 9 ... 220
  • Page 10 Modifying RADIUS configuration ... 273; Managing additional RADIUS servers ... 279; Next steps ...
  • Page 11 Adding a new user ... 360
  • Page 12 Changing a user’s group assignment ... 365; Changing passwords ... 366; Deleting a user ...
  • Page 13 Reordering links using the SREM ... 453
  • Page 14 Chapter 10: Configuring system settings ... 457; Configuring the cluster using the CLI ... 459; Roadmap of system commands ...
  • Page 15 Configuring RADIUS auditing ... 556; Configuring RADIUS audit settings using the SREM ... 557
  • Page 16 Managing RADIUS audit servers using the SREM ... 559; Managing RADIUS authentication of system users using the SREM ... 562; Configuring RADIUS authentication of system users using the SREM ...
  • Page 17 Viewing the controller list using the SREM ... 673
  • Page 18 Viewing SONMP topology information using the SREM ... 675; Viewing switch distribution using the SREM ... 677; Viewing port information using the SREM ...
  • Page 19 Steps ... 782
  • Page 20 Configure the network DNS server ... 782; Configure the network DHCP server ...
  • Page 21 Operator user password ... 844
  • Page 22 Root user password ... 844; Boot user password ...
  • Page 23 Index ... 911
  • Page 25: Preface

    • TunnelGuard
    • supports both dynamic and static IP clients

    The Nortel Secure Network Access Switch 4050 (Nortel SNAS 4050) controls operation of the Nortel SNA solution. This user guide covers the process of implementing the Nortel SNA solution using the Nortel SNAS 4050 for Nortel Secure Network Access Switch Software Release 1.0.
  • Page 26: Before You Begin

    Before using this guide, you must complete the following procedures. For a new switch:
    1 Install the switch. For installation instructions, see Nortel Secure Network Access Switch 4050 Installation Guide (320846-A).
    2 Connect the switch to the network. (For more information, see ...)
    3 Ensure that you are running the latest version of Nortel SNAS 4050 software.
  • Page 27: Text Conventions

    Example: If the command syntax is ethernet/2/1 [<parameter> <value>]..., you enter ethernet/2/1 and as many parameter-value pairs as needed.
    ..., you must enter either ..., but not both.
    ..., you can enter...
  • Page 28: Related Information

    Refer to the following publications for information on the Nortel SNA solution: • Nortel Secure Network Access Solution Guide (320817-A) • Nortel Secure Network Access Switch 4050 Installation Guide (320846-A) • Nortel Secure Network Access Switch 4050 User Guide (320818-A) •...
  • Page 29: Online

    ... Nortel for assistance (www.nortel.com/help):
    • To obtain Nortel Technical Support contact information, click the CONTACT US link on the left side of the page.
    • Go to www.adobe.com to download a free copy of Adobe Reader.
  • Page 30 • To call a Nortel Technical Solutions Center for assistance, click the CALL US link on the left side of the page to find the telephone number for your region. An Express Routing Code (ERC) is available for many Nortel products and services.
  • Page 31: Chapter 1: Overview

    Nortel SNA enforces policy compliance, such as for Sarbanes-Oxley and COBIT, ensuring that the required anti-virus applications or software patches are installed before users are granted network access.
  • Page 32: Elements Of The Nsna Solution

    Elements of the NSNA solution The following devices are essential elements of the Nortel SNA solution: • Nortel Secure Network Access Switch 4050 (Nortel SNAS 4050), which acts as the Policy Decision Point • network access device, which acts as the Policy Enforcement Point —...
  • Page 33: Role Of The Nortel Snas 4050

    If a device falls out of compliance, the Nortel SNAS 4050 can dynamically move the device into a quarantine or remediation VLAN.
  • Page 34: Nortel Snas 4050 Functions

    Nortel SNAS 4050 functions The Nortel SNAS 4050 performs the following functions: • Acts as a web server portal, which is accessed by users in clientless mode for authentication and host integrity check and which sends remediation instructions and guidelines to endpoint clients if they fail the host integrity check.
  • Page 35: Groups And Profiles

    For information about configuring groups and extended profiles on the Nortel SNAS 4050, see “Configuring groups and profiles” on page 191.
  • Page 36: Authentication Methods

    Authentication methods You can configure more than one authentication method within a Nortel SNAS 4050 domain. Nortel Secure Network Access Switch Software Release 1.0 supports the following authentication methods:
    • external database
      — Remote Authentication Dial-In User Service (RADIUS)
      — Lightweight Directory Access Protocol (LDAP)
    The Nortel SNAS 4050 authenticates the user by sending a query to an external RADIUS or LDAP server.
  • Page 37: Tunnelguard Host Integrity Check

    ... see “TunnelGuard SRS Builder” on page 317. For information about mapping an SRS rule to a group, see “Configuring groups using the CLI” on page 198 or “Configuring groups using the SREM” on page 208.
  • Page 38: Communication Channels

    Communication channels Communications between the Nortel SNAS 4050 and key elements of the Nortel SNA solution are secure and encrypted. Table 1 lists the communication channels in the network.
    Table 1 Communication channels in the Nortel SNA network (Communication column):
    • Between Nortel SNAS 4050 and edge switches
    • Between Nortel SNAS 4050 devices in a cluster
    • ...
  • Page 39: Nortel Snas 4050 Clusters

    See “Managing SSH keys using the SREM” on page 102, “Configuring Nortel SNAS 4050 host SSH keys using the CLI”, and “Configuring Nortel SNAS 4050 host SSH keys using the SREM”.
  • Page 40: One-Armed And Two-Armed Configurations

    • fault tolerance — If a Nortel SNAS 4050 device fails, the failure is detected by the other node in the cluster, which takes over the switch control and session handling functions of the failed device. As long as there is one running Nortel SNAS 4050, no sessions will be lost.
  • Page 41: One-Armed Configuration

    Figure 1 One-armed configuration: Management/client portal interface (1) on the NSNAS carries 192.168.128.11 (MIP [management]), 192.168.128.12 (RIP [host]) and 192.168.128.100 (pVIP [portal]).
    Two-armed configuration In a two-armed configuration, there are two separate interfaces. Interface 1 handles management traffic. Interface 2 handles client portal traffic.
  • Page 42: Nortel Sna Configuration And Management Tools

    Figure 2 illustrates a two-armed configuration.
    Figure 2 Two-armed configuration: Client portal interface (2) carries 192.168.128.11 (RIP 2 [host]) and 192.168.128.100 (pVIP [portal]) towards the Internet.
    Nortel SNA configuration and management tools You can use a number of device and network management tools to configure the Nortel SNAS 4050 and manage the Nortel SNA solution: •...
  • Page 43: Nortel Snas 4050 Configuration Roadmap

    Configure the network DNS server to create a forward lookup zone for the Nortel SNAS 4050 domain. For an example, see “Configuration example” on page 779. Configure the network DHCP server. For an example, see “Configuration example” on page 779.
  • Page 44 For each VLAN:
    a Create a DHCP scope.
    b Specify the IP address range and subnet mask for that scope.
    c Configure the following DHCP options:
      — Specify the default gateway.
      — Specify the DNS server to be used by endpoints in that scope.
      — ...
  • Page 45 You can modify the filters after NSNA is enabled. Configure the VoIP VLANs. Configure the Red, Yellow, and Green VLANs, associating each with the applicable filters. Configure the NSNA ports (step j). Configure the...
  • Page 46 Identify switch ports as either uplink or dynamic. When you configure the uplink ports, you associate the NSNA VLANs with those ports. Clients are connected on the dynamic ports. You can configure NSNA ports (both dynamic and uplink) after NSNA is enabled globally. Enable NSNA globally.
  • Page 47 ... 353). 17 Configure the end user experience (see “... logon” on page 385). See also “Checking configuration using the SREM”, “Configuring client filters using the CLI”, “Configuring extended profiles using the ...”, “Configuring authentication”, and “Managing system users and groups”...
  • Page 49: Chapter 2: Initial Setup

    • Adding a Nortel SNAS 4050 device to a cluster
    • Next steps
    • Applying and saving the configuration
    • Applying and saving the configuration using the CLI
    • Applying and saving the configuration using the SREM
  • Page 50: Before You Begin

    Before you begin Before you can set up the Nortel SNAS 4050, you must complete the following tasks: Plan the network. For more information, see Nortel Secure Network Access Solution Guide (320817-A). In order to configure the Nortel SNAS 4050, you require the following information: •...
  • Page 51: About The Ip Addresses

    ... SNAS 4050 device, Nortel recommends that each Nortel SNAS 4050 have only one pVIP. When the Nortel SNAS 4050 portal is configured as a captive portal, the pVIP is used to load balance logon requests. (See “Establishing a ...” on page 770.)
  • Page 52: Real Ip Address

    Real IP address The Real IP address (RIP) is the Nortel SNAS 4050 device host IP address for network connectivity. The RIP is the IP address used for communication between Nortel SNAS 4050 devices in a cluster. The RIP must be unique on the network and must be within the same subnet as the MIP.
  • Page 53 Interface 1 is used for both management traffic (Nortel SNAS 4050 management and connections to intranet resources) and client portal traffic (traffic between the TunnelGuard applet on the client and the portal).
  • Page 54 In a two-armed configuration, you are specifying the port you want to use for Nortel SNAS 4050 management traffic. Note: You can later convert a one-armed configuration into a two-armed one by adding a new interface to the cluster and assigning an unused port to that interface.
  • Page 55 ... VLAN tag ID used. Specify the default gateway IP address for Interface 2. The default gateway is the IP address of the interface on the core router that will be used if no other interface is specified. The default gateway IP address on Interface 2 must be within the same subnet as the RIP for Interface 2. Go to step ...
  • Page 56 Enter port number for the traffic interface [1-4]: <port>
    Enter IP address for this machine (on traffic interface): <IPaddr>...
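The addressing rules scattered across this chapter (RIP unique and in the MIP subnet, page 52; one pVIP per device, page 51; the Interface 2 gateway in the subnet of the Interface 2 RIP, page 56) are easy to get wrong when planning a cluster. The following script is an added example, not code from the guide or from Nortel: it validates a cluster IP plan against those rules before any setup wizard is run. The /24 prefix is an assumption taken from the sample addresses in Figure 1 (the guide states no mask), the 10.20.30.x Interface 2 addresses are constructed, and the dictionary layout of a plan is this script's own.

```python
"""Consistency check for a Nortel SNAS 4050 cluster IP plan.

Added example, not part of the Nortel guide or of Nortel's software. It encodes the
addressing rules the guide states on pages 51, 52 and 56. Assumptions: the /24 prefix
is taken from the sample addresses in Figure 1 (the guide states no mask), Interface 2
addresses are constructed, and the dictionary layout of a 'plan' is this script's own.
"""
import ipaddress


def _subnet(ip, prefix):
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)


def validate_plan(plan):
    """Return a list of rule violations; an empty list means the plan is consistent."""
    problems = []
    prefix = plan["prefix"]
    mip = ipaddress.ip_address(plan["mip"])
    mgmt_net = _subnet(mip, prefix)
    owner_of_rip = {}

    for host in plan["hosts"]:
        name = host["name"]
        rip = ipaddress.ip_address(host["rip"])

        # Rule: the RIP is unique on the network and in the MIP's subnet (page 52).
        if rip in owner_of_rip:
            problems.append(f"{name}: RIP {rip} already used by {owner_of_rip[rip]}")
        owner_of_rip[rip] = name
        if rip == mip:
            problems.append(f"{name}: RIP must differ from the MIP {mip}")
        elif rip not in mgmt_net:
            problems.append(f"{name}: RIP {rip} is outside the MIP subnet {mgmt_net}")

        # Rule: one pVIP per device (page 51).
        pvips = host.get("pvips", [])
        if len(pvips) != 1:
            problems.append(f"{name}: expected exactly one pVIP, found {len(pvips)}")

        # Rule (two-armed only): the Interface 2 gateway shares the subnet of the
        # Interface 2 RIP (page 56).
        if "interface2" in host:
            i2 = host["interface2"]
            rip2 = ipaddress.ip_address(i2["rip"])
            gw2 = ipaddress.ip_address(i2["gateway"])
            if gw2 not in _subnet(rip2, i2.get("prefix", prefix)):
                problems.append(
                    f"{name}: Interface 2 gateway {gw2} is outside the subnet of RIP {rip2}"
                )
    return problems


# Constructed plans. The 192.168.128.x addresses mirror Figure 1; 10.20.30.x is made up.
ONE_ARMED_PLAN = {
    "prefix": 24,
    "mip": "192.168.128.11",
    "hosts": [
        {"name": "nsnas-1", "rip": "192.168.128.12", "pvips": ["192.168.128.100"]},
    ],
}

TWO_ARMED_CLUSTER = {
    "prefix": 24,
    "mip": "192.168.128.11",
    "hosts": [
        {"name": "nsnas-1", "rip": "192.168.128.12", "pvips": ["10.20.30.100"],
         "interface2": {"rip": "10.20.30.12", "gateway": "10.20.30.1"}},
        {"name": "nsnas-2", "rip": "192.168.128.13", "pvips": ["10.20.30.100"],
         "interface2": {"rip": "10.20.30.13", "gateway": "10.20.30.1"}},
    ],
}

if __name__ == "__main__":
    for label, plan in (("one-armed", ONE_ARMED_PLAN), ("two-armed cluster", TWO_ARMED_CLUSTER)):
        print(label, validate_plan(plan) or "ok")
```

Run it against the plan before typing addresses into the setup wizard; every violation it reports corresponds to a prompt on pages 52 to 56 that would otherwise have to be corrected afterwards with the /cfg/sys commands.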
  • Page 57 ... SSH key after you have completed the initial setup (see “Managing SSH keys using the CLI” on page 84 or “Managing SSH keys using the SREM”, and “Configuring Nortel SNAS 4050 host SSH keys using the CLI” or “Configuring Nortel SNAS 4050 host SSH keys using the SREM” on page 528).
  • Page 58 16 Change the admin user password, if desired.
    Enter a password for the "admin" user:
    Re-enter to confirm:
    Make sure you remember the password you define for the admin user. You will need to provide the correct admin user password when logging in to the Nortel SNAS 4050 (or the Nortel SNAS 4050 cluster) for configuration purposes.
  • Page 59 ... passes (tg_passed) or fails (tg_failed) the TunnelGuard check, and prompts you to specify the VLAN IDs to associate with the respective profiles. Further fragments from this page: “... in the DNS search list, users ... company.com ... from the portal nsnas.company.com”; “... within a group (tunnelguard) ...”.
  • Page 60: Settings Created By The Quick Setup Wizard

    The action to be performed when the TunnelGuard check fails depends on your selection in ... The wizard prompts and reports as follows:
    Create default tunnel guard user [no]: yes
    Using 'restricted' action for TunnelGuard failure.
    User name: tg
    User password: tg
    Creating client filter 'tg_passed'.
    Creating client filter 'tg_failed'.
    Creating linkset 'tg_passed'.
    The default TunnelGuard user is created with a password identical to its user name; change it before clients can reach the portal (see “Changing passwords” on page 366).
  • Page 61: Adding A Nortel Snas 4050 Device To A Cluster

    You can later modify settings for the cluster, the device, and the interfaces using /cfg/sys/[host <host ID>/interface] commands.
    Table 2 (Linkset name / VLAN ID): tg_failed / yellow; tg_passed / green.
    (See “Setting up a ...” on page 52), you can add...
  • Page 62: Before You Begin

    Before you begin Log on to the existing Nortel SNAS 4050 device to check the software version and system settings. Use the installed software version (for more information, see “... Nortel SNAS 4050 device using the CLI” on page ...). For access list (accesslist/list) information, see ... Do not proceed with the join operation until the following requirements are met.
  • Page 63: Joining A Cluster

    Setup will guide you through the initial configuration. Specify the management interface port number. This port will be assigned to Interface 1.
    Enter port number for the management interface [1-4]: <port>
    (... page 757.)
  • Page 64 In a one-armed configuration, you are specifying the port you want to use for all network connectivity, since Interface 1 is used for both management traffic (Nortel SNAS 4050 management and connections to intranet resources) and client portal traffic (traffic between the TunnelGuard applet on the client and the portal).
  • Page 65 ... RIP for Interface 2.
    Enter default gateway IP address (on the traffic interface): <IPaddr>
    11 Provide the correct admin user password configured for the existing cluster.
    Enter the existing admin user password: <password>
  • Page 66: Next Steps

    12 Wait while the Setup utility finishes processing. The new Nortel SNAS 4050 automatically picks up all other required configuration data from the existing Nortel SNAS 4050 in the cluster. After a short while, when processing is complete, you receive the Setup successful message.
  • Page 67: Applying And Saving The Configuration

    ... on page 203 and “Configuring extended profiles using the SREM” on page 219). See also “Applying and saving the configuration”, “Managing SSH keys using the ...”, “Configuring groups using the ...”, and “Adding a network access device ...”.
  • Page 68: Applying And Saving The Configuration Using The Cli

    Applying and saving the configuration using the CLI If you have not already done so after each sequence of configuration steps, confirm your changes using the apply command. To view your configuration on the screen, for copy and paste into a text file, use the following command: /cfg/dump To save your configuration to a TFTP, FTP, SCP, or SFTP server, use the following... TFTP and FTP carry the configuration in cleartext; use SCP or SFTP unless the transfer never leaves a trusted management network.
  • Page 69 ... Apply and Commit buttons. Figure 3 Apply and Commit buttons For more information about the Apply and Commit functions, see Installing and Using the Security & Routing Element Manager (SREM) (320199-B).
  • Page 71: Chapter 3: Managing The Network Access Devices

    • Adding a network access device using the SREM
    • Deleting a network access device using the SREM
    • Configuring the network access devices using the SREM
    • Mapping the VLANs using the SREM
    • Managing SSH keys using the SREM
  • Page 72: Before You Begin

    Topics: Monitoring switch health using the SREM; Controlling communication with the network access devices using the SREM.
    Before you begin In Trusted Computing Group (TCG) terminology, the edge switches in a Nortel SNA solution function as the Policy Enforcement Point. In this document, the term network access device is used to refer to the edge switch once it is configured for the Nortel SNA network.
  • Page 73: Managing Network Access Devices Using The Cli

    ... Nortel SNA deployment. Use this list as a quick reference or click on any entry for more information:
    Command: /cfg/domain #/switch <switch ID>
      Parameters: name <name>; type ERS8300|ERS5500; ip <IPaddr>; port <port>; rvid <VLAN ID>; ... reset
    Command: /cfg/domain #/switch #/delete
      Parameter: delete
  • Page 74 Command: /cfg/domain #/vlan
      Parameters: add <name> <VLAN ID>; del <index>; list
    Command: /cfg/domain #/switch #/vlan
      Parameters: add <name> <VLAN ID>; del <index>; list
    Command: /cfg/domain #/sshkey
      Parameters: generate; show; export
    Command: /cfg/domain #/switch #/sshkey
      Parameters: import; show; ...
    Command: /cfg/domain #/switch #/hlthchk
    Command: /cfg/domain #/switch #/dis
    Command: /cfg/domain #/switch #/ena
  • Page 75: Adding A Network Access Device Using The Cli

    Enter the type of the switch (ERS8300/ERS5500) [ERS8300]
    Specify the IP address of the network access device.
    IP address of Switch: <IPaddr>
    (For an Ethernet Routing Switch 5510, 5520, or ERS55..., see page 80.)
  • Page 76 Specify the TCP port for communication between the Nortel SNAS 4050 and the network access device. The default is port 5000.
    NSNA communication port[5000]:
    The SSH fingerprint of the switch is automatically picked up if the switch is reachable. If the fingerprint is successfully retrieved, go to ... If the fingerprint is not successfully retrieved, you will receive an error message and be prompted to add the SSH key. A fingerprint retrieved over the network is only as trustworthy as the path to the switch: compare it with the key shown on the switch itself before enabling the switch.
  • Page 77 For more information, see “Configuring the network access devices using the CLI” on page ...
    Creating Switch 1
    Use apply to activate the new Switch.
    >> Domain 1#
  • Page 78: Manually Adding A Switch

    Manually adding a switch To add a network access device and configure it manually, use the following command: /cfg/domain #/switch <switch ID> where <switch ID> identifies the network access device in the Nortel SNAS 4050 domain. When you first add the network access device, you are prompted to enter the following information: •...
  • Page 79: Deleting A Network Access Device Using The Cli

    To remove a network access device from the domain configuration, first disable the switch then delete it. Use the following commands:
    /cfg/domain #/switch #/dis
    /cfg/domain #/switch #/delete
    The disable and delete commands log out all clients connected through the switch.
  • Page 80: Configuring The Network Access Devices Using The Cli

    ... delete ... SNAS 4050 cluster. Configuring the network access devices using the CLI When you first add a network access device to the Nortel SNAS 4050 domain, the switch is disabled by default. Do not enable the switch until you have completed configuring it.
  • Page 81 ... <VLAN ID>; sshkey; reset
    name <name>: Names or renames the switch. After you have defined a name for the switch, you can use either the switch name or the switch ID to access the Switch menu.
  • Page 82: Mapping The Vlans Using The Cli

    /cfg/domain #/switch <switch ID> followed by: delete
    Mapping the VLANs using the CLI The VLANs are configured on the network access devices. You specify the Red VLAN for each network access device when you add the switch (see “Adding a network access device using the CLI” on page ...). You must identify the Yellow and Green VLANs to the Nortel SNAS 4050.
  • Page 83 /cfg/domain #[/switch #]/vlan followed by:
    add <name> <VLAN ID>: Adds the specified VLAN to the domain or switch VLAN map.
    del <index>
    list
    (... command, you must use the vlan command ...)
  • Page 84: Managing Ssh Keys Using The Cli

    Managing SSH keys using the CLI The Nortel SNAS 4050 and the network access devices controlled by the Nortel SNAS 4050 domain exchange public keys so that they can authenticate themselves to each other in future SSH communications. To enable secure communication between the Nortel SNAS 4050 and the network access device, do the following: Generate an SSH public key for the Nortel SNAS 4050 domain (see “Generating SSH keys for the domain using the CLI”...
  • Page 85: Generating Ssh Keys For The Domain Using The Cli

    To generate, view, and export the public SSH key for the domain, use the following command: /cfg/domain #/sshkey The NSNAS SSH key menu displays. (See also “Managing SSH keys for Nortel SNA communication using the CLI” on page 88.) ... to apply the changes immediately after...
  • Page 86 The NSNAS SSH key menu includes the following options: /cfg/domain #/sshkey followed by:
    generate: Generates an SSH public key for the domain. There can be only one key in effect for the Nortel SNAS 4050 domain at any one time. If a key already exists, you are prompted to confirm that you want to replace it.
    show
    export
  • Page 87 Enter hostname or IP address of server: localhost
    Enter filename on server: key.pub
    Trying to export NSNAS public key to tftp://localhost/key.pub
    sent 590 bytes
    >> NSNAS SSH key#
    (... /cfg/domain #/sshkey command.)
  • Page 88: Managing Ssh Keys For Nortel Sna Communication Using The Cli

    Managing SSH keys for Nortel SNA communication using the CLI To retrieve the public key for the network access device and export the public key for the domain, use the following command: /cfg/domain #/switch #/sshkey The SSH Key menu displays. The SSH Key menu includes the following options: /cfg/domain #/switch #/sshkey followed by:...
  • Page 89: Reimporting The Network Access Device Ssh Key Using The Cli

    /cfg/domain #/switch #/hlthchk
    The HealthCheck menu displays.
    (Fragments: “... network access device SSH key using ...”; “Managing SSH keys for Nortel ...”; “... command to delete the ...”; “... command to import ...”.)
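The SSH key handling in this chapter relies on fingerprints: the Nortel SNAS 4050 picks up a switch's fingerprint automatically when the switch is reachable (page 76), the domain key is exported as an OpenSSH-format file such as key.pub (page 87), and the switch key has to be reimported whenever the switch generates a new one (pages 89 and 104). What the guide does not show is the check an operator should perform before trusting a retrieved key: compare its fingerprint with a value recorded out of band, and treat a changed fingerprint as an event to investigate rather than something to reimport silently. The script below is an added example, not code from the guide or from Nortel. It parses an OpenSSH public-key line, computes the SHA256 and MD5 fingerprints in the format OpenSSH prints, and flags a key change against a recorded fingerprint. The sample keys are constructed in the script (the moduli are arbitrary numbers, not real RSA keys), and the known-fingerprint dictionary is this script's own convention.

```python
"""Verify an SSH public key out of band before trusting it.

Added example, not from the Nortel guide or from Nortel. The sample keys are
constructed here (the moduli are made-up numbers, not real RSA keys); the
known-fingerprint store layout is this script's own.
"""
import base64
import hashlib
import struct


def _ssh_string(data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(value: int) -> bytes:
    # mpint: big-endian two's complement; a positive value gets a leading 0x00
    # byte when its top bit is set, which the +8 below guarantees.
    raw = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return _ssh_string(raw)


def build_rsa_pubkey_line(e: int, n: int, comment: str) -> str:
    """Produce an OpenSSH authorized_keys-style line from RSA public parameters."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"


def _read_string(blob: bytes, offset: int):
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start = offset + 4
    return blob[start:start + length], start + length


def parse_openssh_pubkey(line: str):
    """Return (key type, raw key blob); reject lines whose declared type and blob disagree."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64 blob> [comment]'")
    declared = fields[0]
    blob = base64.b64decode(fields[1], validate=True)  # raises ValueError on bad base64
    embedded, _ = _read_string(blob, 0)
    if embedded.decode("ascii", "replace") != declared:
        raise ValueError(f"declared type {declared!r} does not match embedded {embedded!r}")
    return declared, blob


def rsa_parameters(blob: bytes):
    """Return (e, n) from an ssh-rsa blob, e.g. to check the key size a switch offers."""
    _, offset = _read_string(blob, 0)
    e_bytes, offset = _read_string(blob, offset)
    n_bytes, _ = _read_string(blob, offset)
    return int.from_bytes(e_bytes, "big"), int.from_bytes(n_bytes, "big")


def fingerprint_sha256(blob: bytes) -> str:
    """OpenSSH style: 'SHA256:' plus unpadded base64 of the digest over the raw blob."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def fingerprint_md5(blob: bytes) -> str:
    """Legacy style still shown by older switches: 'MD5:' plus colon-separated hex."""
    hexdigest = hashlib.md5(blob).hexdigest()
    return "MD5:" + ":".join(hexdigest[i:i + 2] for i in range(0, 32, 2))


def check_key(switch: str, line: str, known_fingerprints: dict) -> str:
    """'unknown': record it out of band; 'match': same key; 'changed': investigate first."""
    _, blob = parse_openssh_pubkey(line)
    fingerprint = fingerprint_sha256(blob)
    recorded = known_fingerprints.get(switch)
    if recorded is None:
        return "unknown"
    return "match" if recorded == fingerprint else "changed"


# Constructed sample keys: the moduli below are arbitrary odd numbers, not real RSA keys.
SWITCH_KEY = build_rsa_pubkey_line(65537, (1 << 1023) + 12345, "ers8300-switch1")
REGENERATED_KEY = build_rsa_pubkey_line(65537, (1 << 1023) + 54321, "ers8300-switch1")

if __name__ == "__main__":
    _, blob = parse_openssh_pubkey(SWITCH_KEY)
    print(fingerprint_sha256(blob))
    print(fingerprint_md5(blob))
    known = {"switch1": fingerprint_sha256(blob)}
    print(check_key("switch1", SWITCH_KEY, known), check_key("switch1", REGENERATED_KEY, known))
```

Feed it the key.pub exported on page 87 or a key copied from a switch's SSH Key screen; a 'changed' verdict is the case the guide describes on page 104 (the switch was reset and generated a new key), and it is also what an attacker impersonating the switch would produce, so confirm the reason before reimporting.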
  • Page 90: Controlling Communication With The Network Access Devices Using The Cli

    The HealthCheck menu includes the following options: /cfg/domain #/switch #/hlthchk followed by:
    interval <interval>
    deadcnt <count>
    sq-int <interval>
    Controlling communication with the network access devices using the CLI To stop communication between the Nortel SNAS 4050 and a network access device, use the following command: /cfg/domain #/switch #/dis Enter...
  • Page 91: Managing Network Access Devices Using The Srem

    Adding a network access device using the SREM To add a network access device, use the following steps: Select the Secure Access Domain > domain > Switches > Switches tab. ... to apply the change immediately. (See “Controlling ...” on page 115.)
  • Page 92 The Switches screen appears (see page 116). Click Add. The Add a Switch dialog box appears (see Figure 6 Add a Switch). Enter the network access device information in the applicable fields. Table 3 describes the Add a Switch fields. Table 3 Add a Switch fields: Index...
  • Page 93: Deleting A Network Access Device Using The Srem

    ... (see “Mapping the VLANs using the SREM” on page 96) and exchanged the necessary SSH keys (see “Managing SSH keys using the SREM” on page 102). (See also Figure 16 on page ... and “Managing network access devices using the SREM” on page ...)
  • Page 94 To reconfigure the VLAN mappings for an existing network access device, you must first disable it (see devices using the SREM” on page disabled, complete the following steps: Select the Secure Access Domain > domain > Switches > switch > Configuration tab.
  • Page 95 Click Apply on the toolbar to send the current changes to the Nortel SNAS 4050. Click Commit on the toolbar to save the changes permanently. Switch types: ERS8300, an Ethernet Routing Switch 8300; ERS5500, ...
  • Page 96: Mapping The Vlans Using The Srem

    Mapping the VLANs using the SREM The VLANs are configured on the network access devices. You specify the Red VLAN for each network access device when you add the switch (see “Adding a network access device using the SREM” on page ...). You must identify the Yellow and Green VLANs to the Nortel SNAS 4050. You can perform the VLAN mapping in two ways: •...
  • Page 97: Mapping Vlans By Domain

    ... VLAN Table (see Figure 8), listing all current VLANs. For detailed steps on adding or removing VLANs, see:
    • “Adding VLANs to a domain” on page 98
    • “Removing VLANs from a domain” on page 99
  • Page 98 Adding VLANs to a domain To add VLANs to a domain, complete the following steps: Select the Secure Access Domain > domain > VLANs tab. The domain VLANs screen appears (see Click Add. The Add a new VLAN dialog box appears (see Figure 9 Add a new VLAN Enter the VLAN information in the applicable fields.
  • Page 99 The VLAN disappears from the VLAN Table. Click Apply on the toolbar to send the current changes to the Nortel SNAS 4050. Click Commit on the toolbar to save the changes permanently. (See Figure ...)
  • Page 100: Mapping Vlans By Switch

    Mapping VLANs by switch To map VLANs by switch, you must first disable the network access device (see “Managing network access devices using the SREM” on page network access device is disabled, select the Secure Access Domain > domain > Switches >...
  • Page 101 Click Apply on the toolbar to send the current changes to the Nortel SNAS 4050. Click Commit on the toolbar to save the changes permanently. (See Figure 10 on page 100.)
  • Page 102: Managing Ssh Keys Using The Srem

    Removing VLANs from a switch To remove existing VLANs from the switch, complete the following steps: Select the Secure Access Domain > domain > Switches > switch > VLANs tab. The switch VLANs screen appears (see Select a VLAN entry from the VLAN Table. Click Delete.
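The VLAN map described on page 83 (CLI) and on pages 96 to 102 (SREM) is a small ordered list of <name> <VLAN ID> entries kept at domain level and, optionally, per switch, edited with add, del <index> and list, and the guide insists (page 115) that a switch is not enabled before its VLANs are mapped and its SSH key exchanged. The following script is an added example, not code from the guide or from Nortel, that models those two levels of map and the enable check so that the resolution order can be tried out before touching a live domain. Assumed, because the guide does not state it: a switch-level entry overrides a domain-level entry of the same name, del indexes are 1-based in list order, VLAN IDs run from 1 to 4094, and names are unique within one map.

```python
"""Domain and per-switch VLAN maps for a Nortel SNAS 4050 domain.

Added example, not code from the Nortel guide or from Nortel. Assumed, because the
guide does not state it: a switch-level entry overrides a domain-level entry of the
same name, 'del' indexes are 1-based in list order, VLAN IDs are 1 to 4094, and
names are unique within one map.
"""


class VlanMap:
    """Ordered <name, VLAN ID> list with the add / del <index> / list operations."""

    def __init__(self):
        self._entries = []

    def add(self, name, vlan_id):
        if not isinstance(vlan_id, int) or not 1 <= vlan_id <= 4094:
            raise ValueError(f"VLAN ID {vlan_id!r} is not in 1-4094")
        if self.lookup(name) is not None:
            raise ValueError(f"VLAN name {name!r} is already mapped")
        self._entries.append((name, vlan_id))

    def delete(self, index):
        """Remove entry number <index> as shown by list(); returns the removed pair."""
        if not 1 <= index <= len(self._entries):
            raise IndexError(f"no VLAN map entry with index {index}")
        return self._entries.pop(index - 1)

    def list(self):
        return [(i, name, vid) for i, (name, vid) in enumerate(self._entries, start=1)]

    def lookup(self, name):
        for entry_name, vid in self._entries:
            if entry_name == name:
                return vid
        return None


class Domain:
    """A Nortel SNAS 4050 domain: a domain VLAN map plus its network access devices."""

    REQUIRED = ("red", "yellow", "green")

    def __init__(self):
        self.vlans = VlanMap()
        self.switches = {}

    def add_switch(self, switch_id, rvid):
        # The Red VLAN ID (rvid) is given when the switch is added; switches start disabled.
        self.switches[switch_id] = {"rvid": rvid, "vlans": VlanMap(), "enabled": False}

    def resolve(self, switch_id, name):
        """VLAN ID a switch uses for 'red', 'yellow' or 'green' (switch map first, then domain)."""
        sw = self.switches[switch_id]
        if name == "red":
            return sw["rvid"]
        vid = sw["vlans"].lookup(name)
        return vid if vid is not None else self.vlans.lookup(name)

    def enable_switch(self, switch_id, ssh_key_exchanged):
        """Refuse to enable until every required VLAN resolves and the SSH key is in place."""
        missing = [n for n in self.REQUIRED if self.resolve(switch_id, n) is None]
        if missing:
            raise ValueError(f"switch {switch_id}: unmapped VLANs {missing}")
        if not ssh_key_exchanged:
            raise ValueError(f"switch {switch_id}: SSH key not exchanged")
        self.switches[switch_id]["enabled"] = True
        return True


def build_sample_domain():
    """Constructed sample: domain-wide Yellow/Green, one switch overriding Green."""
    d = Domain()
    d.vlans.add("yellow", 120)
    d.vlans.add("green", 130)
    d.add_switch(1, rvid=110)
    d.add_switch(2, rvid=210)
    d.switches[2]["vlans"].add("green", 230)
    return d


if __name__ == "__main__":
    d = build_sample_domain()
    for sid in d.switches:
        print(sid, {n: d.resolve(sid, n) for n in Domain.REQUIRED})
```

The enable check is the point of the model: the guide says a newly added switch is disabled and must stay that way until its VLANs are mapped and keys exchanged, and encoding that as a precondition rather than a reminder is how a provisioning script avoids enabling a switch that would put clients into a VLAN that does not exist.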
  • Page 103 Add the new SSH key manually. If the network access device was reachable when you added it to the domain configuration, the SSH key was automatically retrieved (see “Initial setup”, step 15, and page 109).
  • Page 104 If the network access device is reset to its defaults, it generates a new public key. You must reimport the key whenever the switch generates a new public key (see “Reimporting the network access device SSH key using the SREM” on page 110). Note: In general, click Apply on the toolbar immediately after you change any of the SSH settings.
  • Page 105: Generating Ssh Keys For The Domain Using The Srem

    To generate, view, and export the public SSH key for the domain, complete the following steps: Select the Secure Access Domain > domain > SSH Key > Key Generation tab. The Key Generation screen appears (see Figure 12). Figure 12 Key Generation screen
  • Page 106: Exporting Ssh Keys For The Domain Using The Srem

    Table 7 describes the fields available from the Key Generation screen. Table 7 Switch SSH Key fields: Generate SSH Key; Show; Copy. Click Apply on the toolbar to send the current changes to the Nortel SNAS 4050. Click Commit on the toolbar to save the changes permanently. Exporting SSH keys for the domain using the SREM You cannot export the domain SSH key directly to an Ethernet Routing Switch 5500 series switch.
  • Page 107 The Export Key screen appears (see Figure 13). Figure 13 Export Key screen
  • Page 108 Enter the export information in the applicable fields. Table 8 describes the fields available from the Export Key screen. Table 8 Export Key fields: Protocol (Specifies the export protocol to use. The options are: •...); Host; Filename; Username; Password. Click Apply on the toolbar to begin the export process.
  • Page 109: Managing Ssh Keys For Nortel Sna Communication Using The Srem

    Select the Secure Access Domain > domain > Switches > switch > SSH Key tab. The switch SSH Key screen appears (see Figure 14). Figure 14 Switch SSH Key screen
  • Page 110: Reimporting The Network Access Device Ssh Key Using The Srem

    Table 9 describes the fields available from the switch SSH Key screen. Table 9 Switch SSH Key fields: User Name; Import SSH Key from Switch (Retrieves the SSH public key from the network access device); Export SSH Key to Switch; Delete Switch SSH Key; Show; Copy; Paste. Click Apply on the toolbar to send the current changes to the Nortel SNAS 4050.
  • Page 111: Monitoring Switch Health Using The Srem

    To configure parameters for the Nortel SNAS 4050 health checks, complete the following steps: Select the Secure Access Domain > domain > Switches > switch > Health Check tab. (See also Figure 14 on page 109 and “Managing SSH keys ...” on page 109.)
  • Page 112 The Health Check screen appears (see Figure 15, Health Check screen).
  • Page 113: Viewing A Connected Client List Using The SREM

    Accepts an integer that indicates the time interval in seconds (s), minutes (m), or hours (h). The valid range is 0 to 64800s (18h). The default is 1m (1 minute). Table 10 describes...
  • Page 114 The Connected Clients screen appears, displaying information about the connection status and a list of all connected clients. Table 11 (Connected Clients fields) describes the fields: Auto Refresh Interval, Logging, Controller List, Switch Connection Status, and Connected Client Table. The first of these specifies whether the information displayed is...
  • Page 115: Controlling Communication With The Network Access Devices Using The SREM

    In particular, do not enable the switch until you have mapped the VLANs (see “Mapping the VLANs using the SREM” on page 96) and exchanged the necessary SSH keys (see “Managing SSH keys using the SREM” on page 102).
  • Page 116 To disable or enable the network access device, perform the following steps: Select the Secure Access Domain > domain > Switches > switch > Configuration tab. The network access device Configuration screen appears (see Figure 16, Switch Configuration screen). Ensure the Enable Switch setting is correct. •...
  • Page 117: Chapter 4: Configuring The Domain

    Configuring domain parameters using the SREM; Configuring the TunnelGuard check using the SREM; Configuring the SSL server using the SREM; Configuring HTTP redirect using the SREM; Configuring RADIUS accounting using the SREM
  • Page 118: Configuring The Domain Using The CLI

    A Nortel SNAS 4050 domain encompasses all the switches, authentication servers, and remediation servers associated with that Nortel SNAS 4050 cluster. If you ran the quick setup wizard during initial setup, Domain 1 has been created. If you did not run the quick setup wizard, you must create at least one domain. For information about creating a domain, see “Creating a domain using the CLI” on page 121. To delete a domain, see...
  • Page 119: Roadmap Of Domain Commands

    Cross-references: “Managing SSH keys using the CLI”; “Configuring HTTP redirect using the CLI”. Parameters: name <name>; pvips <IPaddr>; recheck <interval>; heartbeat <interval>; hbretrycnt <count>; status-quo on|off; action teardown|restricted; list.
  • Page 120 Commands and parameters (continued): /cfg/domain #/aaa/tg (continued): details on|off; loglevel fatal|error|warning|info|debug. /cfg/domain #/aaa/tg/quick. /cfg/domain #/server: port <port>; interface <interface ID>; dnsname <name>. /cfg/domain #/server/trace: ssldump; tcpdump; ping <host>; dnslookup <host>; traceroute <host>. /cfg/domain #/server/ssl: cert <certificate index>; cachesize <sessions>; cachettl <ttl>... /cfg/domain #/server/adv/traflog. /cfg/domain #/httpredir.
  • Page 121: Creating A Domain Using The CLI

    del <index number>; add <IPaddr> <port> <shared secret>; insert <index number> <IPaddr>; move <index number> <new index number>. vendortype is an integer in the range 1 to 256 that uniquely identifies the...
  • Page 122 When you first create the domain, you are prompted to enter the following parameters: • domain name — a string that identifies the domain on the Nortel SNAS 4050, as a mnemonic aid. The maximum length of the string is 255 characters. •...
  • Page 123: Using The Nortel SNAS 4050 Domain Quick Setup Wizard In The CLI

    Using the Nortel SNAS 4050 domain quick setup wizard in the CLI: To create a domain using the NSNAS quick setup wizard, use the following command: /cfg/quick. The NSNAS quick setup wizard is similar to the quick setup wizard available during initial setup.
  • Page 124 Depending on the options you select in connection with certificates and creating a test user, the two wizards also create similar default settings (see “Settings created by the quick setup wizard”). You can later modify all settings created by the domain quick setup wizard (see “Configuring domain parameters using the CLI”...
  • Page 125 When prompted, enter the required certificate information. For more information, see “Generating and submitting a CSR using the CLI” on page 579 and “Managing certificates”. ... to signal the end of the certificate.
  • Page 126 To continue, go to ... The wizard prompts:
    Use existing certificate (no/1) [no]:
    Create a test certificate? (yes/no): yes
    The combined length of the following parameters may not exceed 225 bytes.
    Country Name (2 letter code):
    State or Province Name (full name):
    Locality Name (eg, city):
    Organization Name (eg, company):
    Organizational Unit Name (eg, section):
    Common Name (eg, your name or your server's hostname):...
  • Page 127 If you do not want to create a test user, enter ... 14 Wait while the wizard completes processing to create the domain, then enter apply to activate the changes. (See “Using the quick switch setup wizard”.) ... in the default ..., with password ...
  • Page 128 The wizard assigns the following default VLAN IDs: • Green VLAN = VLAN ID 110 • Yellow VLAN = VLAN ID 120 You can change the VLAN mappings when you add or modify the network access devices (see the procedure for adding a network access device to the domain).
  • Page 129: Deleting A Domain Using The CLI

    This command removes the current domain from the system configuration, including all settings in menus and submenus for the portal, groups, authentication services, linksets, and network access devices configured for that domain.
  • Page 130: Configuring Domain Parameters Using The CLI

    Configuring domain parameters using the CLI: To configure the domain, use the following command: /cfg/domain <domain ID>, where domain ID identifies the domain in the Nortel SNAS 4050 cluster. The Domain menu displays. The Domain menu includes the following options: /cfg/domain <domain ID> followed by: name <name>...
  • Page 131 Accesses the Portal menu, in order to customize the portal page that displays in the client’s web browser (see “Customizing the portal and user logon” on page 385).
  • Page 132: Configuring The TunnelGuard Check Using The CLI

    Configuring the TunnelGuard check using the CLI: Before an authenticated client is allowed into the network, the TunnelGuard application checks client host integrity by verifying that the components required for the client’s personal firewall (executables, DLLs, configuration files, and so on) are installed and active on the client PC.
  • Page 133 heartbeat <interval>; hbretrycnt <count>; status-quo on|off; action teardown|restricted; list. heartbeat <interval>: Sets the time interval between checks for client activity. • interval is an integer that indicates the time interval in seconds (s), minutes (m), or hours (h). The valid range is 60s (1m) to 86400s (24h).
  • Page 134: Using The Quick TunnelGuard Setup Wizard In The CLI

    /cfg/domain #/aaa/tg followed by: details on|off; loglevel fatal|error|warning|info|debug. Using the quick TunnelGuard setup wizard in the CLI: To configure the settings for the SRS rule check using the TunnelGuard quick setup wizard, use the following command: /cfg/domain #/aaa/tg/quick. The TunnelGuard quick setup wizard is similar to the last few steps of the Nortel SNAS 4050 domain quick setup wizard.
  • Page 135: Configuring The SSL Server Using The CLI

    The server number assigned to the portal server configured for the domain is server 1001. To configure the portal server used in the domain, use the following command: /cfg/domain #/server. The Server 1001 menu displays.
  • Page 136: Tracing SSL Traffic Using The CLI

    The Server 1001 menu includes the following options: /cfg/domain #/server followed by: port <port> (specifies the port to which the portal server listens for...); interface <interface ID>; dnsname <name>; trace. Tracing SSL traffic using the CLI: To verify connectivity and to capture information about SSL and TCP traffic between clients and the portal server, use the following command: /cfg/domain #/server/trace.
  • Page 137 The Trace menu includes the following options: /cfg/domain #/server/trace followed by: ssldump: Creates a dump of the SSL traffic flowing between clients and the portal server. You are prompted to enter the following information: •...
  • Page 138 /cfg/domain #/server/trace followed by: tcpdump; ping <host>. tcpdump: Creates a dump of the TCP traffic flowing between clients and the virtual SSL server. You are prompted to enter the following information: • tcpdump flags • tcpdump filter. For more information about the flags and filter expressions available for tcpdump on UNIX, see http://www.tcpdump.org/tcpdump_man.html.
  • Page 139: Configuring SSL Settings Using The CLI

    dnslookup <host>: Finds the IP address for a machine whose host name you specify, or the host name of a machine whose IP address you specify. To configure SSL settings, use the following command: /cfg/domain #/server/ssl. The SSL Settings menu displays.
  • Page 140 The SSL Settings menu includes the following options: /cfg/domain #/server/ssl followed by: cert <certificate index>; cachesize <sessions>; cachettl <ttl>; cacerts <certificate index>. cert <certificate index>: Specifies which server certificate the portal server will use. You cannot specify more than one server certificate for the server to use at any one time. •...
  • Page 141 ... <cipher list>. The CA chain option specifies the CA certificate chain of the server certificate. • certificate index list is a comma-separated list of the certificate index numbers assigned to the certificates in the chain.
  • Page 142: Configuring Traffic Log Settings Using The CLI

    Configuring traffic log settings using the CLI: You can configure a syslog server to receive User Datagram Protocol (UDP) syslog messages for all HTTP requests handled by the portal server. Nortel does not recommend routinely enabling this functionality for the following reasons: •...
  • Page 143 Specifies the IP address of the syslog server. Specifies the UDP port number of the syslog server. • port is an integer in the range 1–65534 that indicates the UDP port number.
  • Page 144: Configuring HTTP Redirect Using The CLI

    Configuring HTTP redirect using the CLI: You can configure the Nortel SNAS 4050 domain to automatically redirect HTTP requests to the HTTPS server. For example, a client request directed to http://nsnas.com is automatically redirected to https://nsnas.com. To configure the domain to automatically redirect HTTP requests to the HTTPS server specified for the domain, use the following command: /cfg/domain #/httpredir. The Http Redir menu displays.
  • Page 145: Configuring Advanced Settings Using The CLI

    The default is login. Each type of log generates its own set of syslog messages. The syslog messages include date, time, type of request, user, source IP address, and requested destination. Because these messages carry user names and source addresses over UDP in cleartext, with no acknowledgement, confine the path to the syslog server to a trusted management network. ... command (see...
  • Page 146: Configuring RADIUS Accounting Using The CLI

    Configuring RADIUS accounting using the CLI: The Nortel SNAS 4050 can be configured to provide support for logging administrative operations and user session start and stop messages to a RADIUS accounting server. With RADIUS accounting enabled, the Nortel SNAS 4050 sends an accounting request start packet to the accounting server for each user who successfully authenticates to the Nortel SNAS 4050 domain.
  • Page 147: Managing RADIUS Accounting Servers Using The CLI

    servers: Accesses the Radius Accounting Servers menu, in order to configure external RADIUS accounting servers for the domain (see “Managing RADIUS accounting servers using the CLI” on page 147). To configure the Nortel SNAS 4050 to use external RADIUS accounting servers, use the following command: /cfg/domain #/aaa/radacct/servers. The Radius Accounting Servers menu displays.
  • Page 148 The Radius Accounting Servers menu includes the following options: /cfg/domain #/aaa/radacct/servers followed by: list (lists the IP addresses of currently configured RADIUS accounting servers, by index number); del <index number>; add <IPaddr> <port> <shared secret>; insert <index number> <IPaddr>; move <index number> <new index number>.
  • Page 149: Configuring Nortel SNAS 4050-Specific Attributes Using The CLI

    NSNAS-Portal-ID: Map this string to the Vendor-Type value. To configure vendor-specific attributes in order to identify the Nortel SNAS 4050 domain, use the following command: /cfg/domain #/aaa/radacct/vpnattribu. The VPN Attribute menu displays.
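    To see what the accounting settings from pages 146 to 149 produce on the wire, the following Python is an added example, not Nortel's code: it builds a RADIUS Accounting-Request of the "start" type sent for each authenticated user, attaches a Vendor-Specific attribute in the RFC 2865 section 5.26 layout carrying the configured vendor ID and vendor type with the NSNAS-Portal-ID string as its value, computes the Request Authenticator exactly as RFC 2866 section 3 specifies, and verifies it the way the accounting server does. The vendor ID (1234), vendor type, user name, session ID and shared secret used in the test are constructed values, not product defaults. One caveat the page does not state: in this layout the vendor-type sub-field is a single octet, so a vendortype of 256 cannot be encoded, and the authenticator gives integrity against a shared secret only; it does not encrypt the user name or portal ID.

```python
"""Build and verify a RADIUS Accounting-Request (RFC 2866) carrying a
Vendor-Specific attribute (RFC 2865 section 5.26). Added example, not
Nortel's code; every identifier and secret below is a constructed value."""
import hashlib
import os
import struct

ACCOUNTING_REQUEST = 4
USER_NAME, VENDOR_SPECIFIC, ACCT_STATUS_TYPE, ACCT_SESSION_ID = 1, 26, 40, 44
ACCT_START, ACCT_STOP = 1, 2


def attr(atype, value):
    """One attribute: Type, Length (header included), Value; value <= 253 bytes."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("BB", atype, len(value) + 2) + value


def vsa(vendor_id, vendor_type, value):
    """Vendor-Specific attribute in the RFC 2865 recommended layout: Vendor-Id
    (4 octets, high octet zero), then Vendor type, Vendor length, value.
    The vendor-type sub-field is one octet, so it cannot carry 256."""
    if not 1 <= vendor_type <= 255:
        raise ValueError("vendor type must fit one octet (1..255)")
    if not 0 <= vendor_id <= 0x00FFFFFF:
        raise ValueError("vendor id must fit 24 bits with a zero high octet")
    inner = struct.pack("BB", vendor_type, len(value) + 2) + value
    return attr(VENDOR_SPECIFIC, struct.pack(">I", vendor_id) + inner)


def build_accounting_request(identifier, secret, attributes):
    """Accounting-Request whose Request Authenticator is, per RFC 2866 section 3,
    MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret)."""
    body = b"".join(attributes)
    header = struct.pack(">BBH", ACCOUNTING_REQUEST, identifier, 20 + len(body))
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body


def verify_accounting_request(packet, secret):
    """What the accounting server checks first: recompute the authenticator.
    A mismatch means a wrong shared secret or a packet altered in transit."""
    if len(packet) < 20:
        return False
    code, _identifier, length = struct.unpack(">BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return expected == packet[4:20]


def parse_attributes(packet):
    """Return [(type, value), ...] from the attribute area, checking every length
    so a malformed packet raises instead of being read out of bounds."""
    pos, out = 20, []
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("malformed attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute length")
        out.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return out


def session_start_packet(secret, user, session_id, vendor_id, vendor_type, portal_id):
    """The per-user 'start' record described on page 146, with the NSNAS-Portal-ID
    string carried in the vendor-specific attribute described on page 149."""
    return build_accounting_request(
        identifier=os.urandom(1)[0],
        secret=secret,
        attributes=[
            attr(USER_NAME, user.encode()),
            attr(ACCT_STATUS_TYPE, struct.pack(">I", ACCT_START)),
            attr(ACCT_SESSION_ID, session_id.encode()),
            vsa(vendor_id, vendor_type, portal_id.encode()),  # constructed values
        ],
    )


if __name__ == "__main__":
    pkt = session_start_packet(b"constructed-secret", "alice", "0001", 1234, 7, "domain1")
    print(pkt.hex())
    print("authenticator ok:", verify_accounting_request(pkt, b"constructed-secret"))
```

    The same verify function is what a detection engineer would run over captured accounting traffic to spot requests signed with the wrong secret.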
  • Page 150: Configuring The Domain Using The SREM

    The VPN Attribute menu includes the following options: /cfg/domain #/aaa/radacct/vpnattribu followed by: vendorid; vendortype. Configuring the domain using the SREM: To configure the domain, select the Secure Access Domain > Secure Access Domain Table tab. The Secure Access Domain Table screen appears (see Figure 19 on page 152). From the Secure Access Domain screens, you can configure and manage the following:...
  • Page 151: Creating A Domain Using The SREM

    Cross-references: “Customizing the portal and user logon” on page 385; “Managing the network access devices”; “Managing SSH keys using the SREM”; “Configuring HTTP redirect using the SREM”.
  • Page 152: Manually Creating A Domain Using The SREM

    Manually creating a domain using the SREM: To create and configure a domain manually, perform the following steps: Select the Secure Access Domain > Secure Access Domain Table tab. The Secure Access Domain Table screen appears (see Figure 19, Secure Access Domain Table screen).
  • Page 153 The new domain appears in the Secure Access Domain Table (see also Figure 20). Click Apply on the toolbar to send the current changes to the Nortel SNAS 4050. Click Commit on the toolbar to save the changes permanently.
  • Page 154: Using The SREM Domain Quick Wizard

    Using the SREM Domain Quick Wizard: The Nortel SNAS 4050 quick setup wizard is similar to the quick setup wizard available during initial setup. Depending on the options you select in connection with certificates and creating a test user, the two wizards also create similar default settings (see “Settings created by the quick setup wizard”...
  • Page 155 To create a domain using the Nortel SNAS 4050 quick setup wizard, perform the following steps: Select the Secure Access Domain > Domain Quick Wizard tab. The Domain Quick Wizard screen appears (see Figure 21, Domain Quick Wizard screen).
  • Page 156 Click Domain Quick Wizard. The Domain Quick Wizard — General Settings dialog box appears (see Figure 22). Enter the general domain information in the applicable fields. Table 13 (Domain Quick Wizard — General Settings fields) describes the General Settings fields: Domain IP Address, Domain Name...
  • Page 157 Enter the full name of the state or province. Locality: Specifies the name of the city where the head office of the organization is located. (See Figure 23, Domain Quick Wizard – Certificate.)
  • Page 158 Table 14 Domain Quick Wizard — Certificate fields (continued): Organization Name (specifies the registered name of the organization; the organization must own the domain name that appears in the common name of the web server), Organization Unit, Common Name, Email Address, Alternate Name, Valid Days, Key Length, Input Server Certificate, and Server Certificate. Click Next.
  • Page 159 Certificate Chain: Specifies whether the SSL server uses chain certificates. Select additional certificates from the list to force the SSL server to use chain certificates. Click Next. (Domain Quick Wizard – Certificate Chain; Table 15...)
  • Page 160 The Domain Quick Wizard — Server dialog box appears (see Figure 25). Enter the server information in the applicable fields. Table 16 (Domain Quick Wizard — Server fields) describes the Server fields: Create HTTP or HTTPS Redirect Server. 10 Click Next.
  • Page 161 Allows you to paste in the switch public SSH key if it was not automatically retrieved. Alternatively, you can later import the key from the switch (see “Managing SSH keys using the SREM” on page 102). 12 Click Next. (Domain Quick Wizard – Switch; Figure...)
  • Page 162 The Domain Quick Wizard — Tunnel Guard dialog box appears (see Figure 27). 13 Enter the TunnelGuard information in the applicable fields. Table 18 (Domain Quick Wizard — Tunnel Guard fields) describes the Tunnel Guard fields: Tunnel Guard Action and Create Tunnel Guard Test User. 14 Click Finish.
  • Page 163: Deleting A Domain Using The SREM

    Click Apply on the toolbar to send the current changes to the Nortel SNAS 4050. Click Commit on the toolbar to save the changes permanently. See “Managing the network access devices” on page 71 and “Secure Access Domain Table” on page 152.
  • Page 164: Configuring Domain Parameters Using The SREM

    Configuring domain parameters using the SREM: To configure a domain, perform the following steps: Select the Secure Access Domain > domain > Configuration tab. The domain Configuration screen appears (see Figure 28, Domain Configuration screen).
  • Page 165 Click Apply on the toolbar to send the current changes to the Nortel SNAS 4050. Click Commit on the toolbar to save the changes permanently. (Table 19; see “About the IP addresses”...)
  • Page 166: Additional Domain Configuration In The SREM

    Additional domain configuration in the SREM: To configure additional domain settings, there are tabs and tree components available beyond the Configuration tab. Table 20 describes the purpose of additional tabs from the Secure Access Domain > domain > Configuration screen. Table 20 (Additional domain configuration tabs) SREM tab...
  • Page 167 Additional domain tree components: Portal Links, Server, Switches, and Portal. Portal Links: Accesses the Portal Links screens, in order to configure links and linksets displayed after client authentication is completed. For more information, see “Linksets and links”...
  • Page 168: Configuring The TunnelGuard Check Using The SREM

    Configuring the TunnelGuard check using the SREM: Before an authenticated client is allowed into the network, the TunnelGuard application checks client host integrity by verifying that the components required for the client’s personal firewall (executables, DLLs, configuration files, and so on) are installed and active on the client PC.
  • Page 169 Select the Secure Access Domain > domain > AAA > Tunnel Guard > Configuration tab. The TunnelGuard Configuration screen appears (see Figure 29, TunnelGuard Configuration screen).
  • Page 170 Enter the TunnelGuard information in the applicable fields. Table 22 (TunnelGuard Configuration fields) describes the fields: Recheck Interval (specifies the time interval between SRS rule rechecks made by the TunnelGuard applet on the client machine), Action on Failure, Heart Beat Interval, Heart Beat Retry Count, and Status-quo Mode.
  • Page 171 If selected, then the details will be displayed. Click Apply on the toolbar to send the current changes to the Nortel SNAS 4050. Click Commit on the toolbar to save the changes permanently.
  • Page 172: Using The TunnelGuard Quick Setup In The SREM

    Using the TunnelGuard Quick Setup in the SREM: To configure settings for the TunnelGuard host integrity check and the check result, perform the following steps: Select the Secure Access Domain > domain > AAA > Tunnel Guard > Quick Setup tab. The TunnelGuard Quick Setup screen appears (see Figure 30, TunnelGuard Quick Setup screen)...
  • Page 173 restricted — the session remains intact, but access is... Click Apply on the toolbar to send the current changes to the Nortel SNAS 4050. Click Commit on the toolbar to save the changes permanently.
  • Page 174: Configuring The SSL Server Using The SREM

    Configuring the SSL server using the SREM: To configure settings for the SSL server, perform the following steps: Select the Secure Access Domain > domain > Server > Configuration tab. The server Configuration screen appears (see Figure 31, Server Configuration screen).
  • Page 175 Click Apply on the toolbar to send the current changes to the Nortel SNAS 4050. Click Commit on the toolbar to save the changes permanently. (Table 24: ... the FQDN is registered in DNS...)
  • Page 176: Configuring SSL Settings Using The SREM

    Configuring SSL settings using the SREM: To configure SSL-specific settings for the portal server, perform the following steps: Select the Secure Access Domain > domain > Server > SSL Settings tab. The server SSL Settings screen appears (see Figure 32, Server SSL Settings screen)...
    Allows an integer that indicates the TTL value in seconds (s), minutes (m), or hours (h); if you do not specify a measurement unit, seconds is assumed. The default is 5m (5 minutes). Table 25 (continued): ssl2 — accept SSL 2.0 only; ssl3 — accept SSL 3.0 and TLS 1.0; ssl23 —... Note that SSL 2.0 and SSL 3.0 have since been prohibited (RFC 6176 and RFC 7568 respectively); on any current deployment, restrict the server to the most TLS-only setting the software offers.
  • Page 178: Configuring Traffic Log Settings Using The SREM

    Table 25 Server SSL Settings fields (continued): CA Chain List, CA Certificate List. Click Apply on the toolbar to send the current changes to the Nortel SNAS 4050. Click Commit on the toolbar to save the changes permanently. Configuring traffic log settings using the SREM: You can configure a syslog server to receive User Datagram Protocol (UDP) syslog messages for all HTTP requests handled by the portal server.
  • Page 179 Select the Secure Access Domain > domain > Server > Traffic Log Syslog Settings tab. The Traffic Log Syslog Settings screen appears (see Figure 33, Traffic Log Syslog Settings screen).
  • Page 180 Enter the traffic log information in the applicable fields. Table 26 (Traffic Log Syslog Settings fields) describes the fields: IP Address, UDP Port, Priority, Facility, and Enabled. Click Apply on the toolbar to send the current changes to the Nortel SNAS 4050.
  • Page 181: Tracing SSL Traffic Using The SREM

    Configuring HTTP redirect using the SREM: You can configure the Nortel SNAS 4050 domain to automatically redirect HTTP requests to the HTTPS server. For example, a client request directed to http://nsnas.com is automatically redirected to https://nsnas.com.
  • Page 182 To configure the domain to automatically redirect HTTP requests to the HTTPS server specified for the domain, perform the following steps: Select the Secure Access Domain > domain > HTTP Redirect tab. The HTTP Redirect screen appears (see Figure 34, HTTP Redirect screen)...
  • Page 183: Configuring RADIUS Accounting Using The SREM

    Otherwise, the client PC will not be able to reach the portal for user authentication. Specifies whether HTTP requests will be redirected to the HTTPS server. Table 27 describes...
  • Page 184: Configuring Nortel SNAS 4050-Specific Attributes Using The SREM

    • cause of termination Configure the RADIUS server in accordance with the recommendations in RFC 2866. Certain Nortel SNAS 4050-specific attributes are sent to the RADIUS server when you enable accounting (see “Configuring Nortel SNAS 4050-specific attributes using the SREM”...
  • Page 185 Select the Secure Access Domain > domain > AAA > Radius Accounting > Configuration tab. The RADIUS accounting Configuration screen appears (see Figure 35, RADIUS accounting Configuration screen).
  • Page 186: Managing RADIUS Accounting Servers Using The SREM

    Enter the RADIUS accounting information in the applicable fields. Table 28 (RADIUS accounting Configuration fields) describes the fields: Enable Radius Accounting, Vendor ID, and Vendor Type. Click Apply on the toolbar to send the current changes to the Nortel SNAS 4050.
  • Page 187 The Radius Accounting Servers screen appears (see Figure 36, Radius Accounting Servers screen). Click Add. The Add a Radius Accounting Server dialog box appears (see Figure 37, Add a Radius Accounting Server).
  • Page 188 Enter the RADIUS accounting server information in the applicable fields. Table 29 (Radius Accounting Server fields) describes the fields: IP Address, Port, and Secret. Click Add. The RADIUS accounting server appears in the Radius Accounting Server Table. Click Apply on the toolbar to send the current changes to the Nortel SNAS 4050.
  • Page 189 ... Server Table. Click Apply on the toolbar to send the current changes to the Nortel SNAS 4050. Click Commit on the toolbar to save the changes permanently. (See Figure 36 on page 187.)
  • Page 191: Chapter 5: Configuring Groups And Profiles

    Creating a default group using the CLI; Configuring groups and extended profiles using the SREM; Configuring groups using the SREM; Configuring client filters using the SREM; Configuring extended profiles using the SREM
  • Page 192: Overview

    Topics (continued): Mapping linksets to a group or profile using the SREM; Creating a default group using the SREM. Overview: This section includes the following topics: • “Groups” on page 192 • “Linksets” on page 194 • “TunnelGuard SRS rule” on page 194 •...
  • Page 193: Default Group

    To create a default group, see “Creating a default group using the CLI” on page 208 or “Creating a default group using the SREM”. See also “Linksets”, “Extended profiles”, and “Configuring groups using the ...”.
  • Page 194: Linksets

    Linksets A linkset is a set of links that display on the portal page, so that the user can easily access internal or external web sites, servers, or applications. After the user has been authenticated, the user’s portal page displays all the linksets associated with the group to which the user belongs.
  • Page 195: Extended Profiles

    For information about configuring extended profiles, see “Configuring extended profiles using the CLI” on page 203 and “Configuring extended profiles using the SREM” on page 219. For client filters, see “Configuring client filters using the CLI” and “Configuring client filters using the SREM”.
  • Page 196: Before You Begin

    Before you begin: Before you configure groups, client filters, and extended profiles on the Nortel SNAS 4050, complete the following tasks: Create the linksets, if desired (see ...). Create the SRS rules (see ...). If authentication services have already been configured, ascertain the group names used by the authentication services.
  • Page 197: Roadmap Of Group And Profile Commands

    Parameters (continued): <name>; restrict; tgsrs <SRS rule name>; comment <comment>; name <name>; tg true|false|ignore; comment <comment>; filter <name>; vlan <name>; linkset; list; del <index number>; add <linkset name>. Cross-references: “Configuring extended...”; “Mapping linksets to...”.
  • Page 198: Configuring Groups Using The CLI

    Commands (continued): /cfg/domain 1/aaa/group #/extend #/linkset; /cfg/domain 1/aaa/defgroup <group name>. Configuring groups using the CLI: To create and configure a group, use the following command: /cfg/domain 1/aaa/group <group ID>, where group ID identifies the group in the Nortel SNAS 4050 domain. When you first create the group, you must enter the group ID. After you have created the group, you can use either the ID or the name to access the group for configuration.
  • Page 199 ... <profile ID> ... has been created with group ID = 1. name <name>: Names or renames the group. After you have defined a name for the group, you can use either the group name or the group ID to access the Group menu.
  • Page 200 /cfg/domain 1/aaa/group # followed by: tgsrs <SRS rule name>; comment <comment>. Figure 38 shows sample output for the /cfg/domain 1/aaa/group <group ID> command:
    >> Main# /cfg/domain 1/AAA/group 2
    Creating Group 2
    Group name: TestGroup
    Enter number of sessions (0 is unlimited):
    ----------------------------------------------------------
    [Group 2 Menu]
    name...
  • Page 201: Configuring Client Filters Using The CLI

    The Client Filter menu displays. Note: If you ran the quick setup wizard during initial setup, two client filters have been created: tg_passed and tg_failed (filter ID = 1 and filter ID = 2).
  • Page 202 The Client Filter menu includes the following options: /cfg/domain 1/aaa/filter <filter ID> followed by: name <name> (names or renames the filter; after you have defined a name for the filter, you can use either the filter name or the filter ID to access the Client Filter menu); tg true|false|ignore; comment <comment>.
  • Page 203: Configuring Extended Profiles Using The CLI

    ... ID or the name of the associated client filter to access the extended profile for configuration. /cfg/domain 1/aaa/filter -Set comment ... is an integer in the range 1 to 63 that uniquely identifies the...
  • Page 204 When you first create the profile, you are prompted to enter the following parameters: • client filter name — the name of the predefined client filter that determines whether the Nortel SNAS 4050 will apply this extended profile to the user. To view available filters, press TAB at the prompt.
  • Page 205 Creating Extended Profile 2
    >> Extended Profile 2#
    linkset: Accesses the Linksets menu, in order to map preconfigured linksets to the profile (see “Mapping linksets to a group or profile using the CLI” on page 206).
  • Page 206: Mapping Linksets To A Group Or Profile Using The CLI

    Mapping linksets to a group or profile using the CLI: You can tailor the portal page for different users by mapping preconfigured linksets to groups and extended profiles. For more information about linksets, see “Linksets” on page 194. To map a linkset to a group, access the Linksets menu from the Group menu. Use the following command: /cfg/domain 1/aaa/group #/linkset. To map a linkset to an extended profile, access the Linksets menu from the...
  • Page 207 (sample output, continued)
    Index number to move:
    Destination index:
    >> Linksets# list
    Old:
    Pending:
    1: example2
    2: example1
    3: example3
    >> Linksets# del 2
    >> Linksets# list
    Old:
    Pending:
    1: example2
    2: example3
    /cfg/domain 1/aaa/group...
  • Page 208: Creating A Default Group Using The Cli

    Creating a default group using the CLI To create a default group, first create a group with extended profiles mapped to a restrictive VLAN (see “Configuring extended profiles using the CLI” on page 203). Then use the following command to make this group the default group: /cfg/domain 1/aaa/defgroup <group name>...
  • Page 209: Using The Guide For Creating Groups

    At each step, follow the instructions provided before continuing with the next configuration step. Click Finish to exit the guide after completing all of the steps, or click Cancel to exit the guide at any time before finishing.
  • Page 210: Adding A Group

    Adding a group To create and configure a group, perform the following steps: Select the Secure Access Domain > domain > AAA > Groups tab. The Groups screen appears (see Figure 42). Figure 42 Groups screen
  • Page 211 The new group appears in the list of groups. Click Apply on the toolbar to send the current changes to the Nortel SNAS 4050. Click Commit on the toolbar to save the changes permanently. Figure 43).
  • Page 212: Modifying A Group

    Modifying a group To configure a group, perform the following steps: Select the Secure Access Domain > domain > AAA > Groups > group > Configuration tab. The group Configuration screen appears (see Figure 44). Figure 44 Group Configuration screen
  • Page 213: Configuring Client Filters Using The Srem

    Specifies the preconfigured TunnelGuard SRS rule to apply to the group. For information about configuring the SRS rules using the SREM, see “TunnelGuard SRS Builder” on page 317. A comment related to this group. Table 32 describes the...
  • Page 214: Adding A Client Filter

    Adding a client filter To create and configure a client filter, perform the following steps: Select the Secure Access Domain > domain > AAA > Filters > Client Filters tab. The Client Filters screen appears (see Figure 45). Figure 45 Client Filters screen
  • Page 215 Add a Client Filter fields (Sheet 1 of 2) Field Description Filter ID (Index) An integer in the range 1 to 63 that uniquely identifies the filter in the Nortel SNAS 4050 domain. Figure 46). Table 33 describes...
  • Page 216 Table 33 Add a Client Filter fields (Sheet 2 of 2) Field Name TunnelGuard Check Passed Specifies whether passing or failing the TunnelGuard Click Apply. The new client filter now appears in the Client Filters table. Click Apply on the toolbar to send the current changes to the Nortel SNAS 4050.
  • Page 217: Modifying A Client Filter

    To configure a client filter, perform the following steps: Select the Secure Access Domain > domain > AAA > Filters > filter > Configuration tab. The client filter Configuration screen appears (see Figure 47). Figure 47 Client filter Configuration screen
  • Page 218 Enter the Client Filter information in the applicable fields. Table 34 describes the Client Filter configuration fields. Table 34 Client Filters configuration fields Field Filter ID (Index) Name TunnelGuard Check Passed Specifies whether passing or failing the TunnelGuard Comment Click Apply on the toolbar to send the current changes to the Nortel SNAS 4050.
  • Page 219: Configuring Extended Profiles Using The Srem

    This section contains the following topics: • “Adding an extended profile” on page 220 • “Modifying an extended profile” on page 222
  • Page 220: Adding An Extended Profile

    Adding an extended profile To create an extended profile for a group, perform the following steps: Select the Secure Access Domain > domain > AAA > Groups > group > Extended Profiles tab. The Extended Profiles screen appears (see Figure 48). Figure 48 Extended Profiles screen...
  • Page 221 The name of the VLAN to which the Nortel SNAS 4050 will assign users with this profile. Click Apply to create the new extended profile. The new extended profile appears in the list on the Extended Profiles tab. Figure 49). Table 35...
  • Page 222: Modifying An Extended Profile

    Modifying an extended profile To modify an extended profile for a group, perform the following steps: Select the Secure Access Domain > domain > AAA > Groups > group > extended profile > Configuration tab. The extended profiles Configuration screen appears (see Figure 50). Figure 50 Extended profiles Configuration screen...
  • Page 223: Mapping Linksets To A Group Or Profile Using The Srem

    Nortel SNAS 4050 will apply this extended profile to the user. The name of the VLAN to which the Nortel SNAS 4050 will assign users with this profile. “Configuring linksets using the Table 36...
  • Page 224: Mapping Linksets To A Group

    Mapping linksets to a group To map a linkset to a group, select the Secure Access Domain > domain > AAA > Groups > group > Linksets tab. The Linksets screen appears and displays the group Linkset Table (see Figure 51). Figure 51 Linksets screen for a group. The group Linkset Table allows you to manage linksets for the selected group, by performing any of the following procedures:...
  • Page 225 The new linkset appears in the Linkset Table. Click Apply on the toolbar to send the current changes to the Nortel SNAS 4050. Click Commit on the toolbar to save the changes permanently. Figure 51 on Figure 52).
  • Page 226 Removing linksets from a group To remove a linkset from a group, perform the following steps: Select the Secure Access Domain > domain > AAA > Groups > group > Linksets tab. The Linksets screen appears and displays the Linkset Table (see page 224).
  • Page 227: Mapping Linksets To A Profile

    • “Adding linksets to an extended profile” on page 228 • “Removing linksets from an extended profile” on page 229 • “Reordering linksets in an extended profile” on page 229 Figure 53).
  • Page 228 Adding linksets to an extended profile To add a linkset to an extended profile, perform the following steps: Select the Secure Access Domain > domain > AAA > Groups > group > extended profile > Linksets tab. The Linksets screen appears and displays the Linkset Table (see page 227).
  • Page 229 Adjust the linkset position with the up and down arrows. Click Apply on the toolbar to send the current changes to the Nortel SNAS 4050. Click Commit on the toolbar to save the changes permanently. Figure 51 on Figure 51 on...
  • Page 230: Creating A Default Group Using The Srem

    Creating a default group using the SREM To create a default group, first create a group with extended profiles mapped to a restrictive VLAN (see “Configuring extended profiles using the SREM” on page 219). Then perform the following steps: Select the Secure Access Domain > domain > AAA tab. The AAA Configuration screen appears (see Figure 55). Figure 55 AAA Configuration screen...
  • Page 231 The name of the group you want to set as a default. Click Apply on the toolbar to send the current changes to the Nortel SNAS 4050. Click Commit on the toolbar to save the changes permanently. Table 39 describes the...
  • Page 232 Chapter 5 Configuring groups and profiles...
  • Page 233: Chapter 6: Configuring Authentication

    Configuring authentication methods using the SREM Configuring RADIUS authentication using the SREM Configuring LDAP authentication using the SREM Configuring local database authentication using the SREM Specifying authentication fallback order using the SREM Saving authentication settings Page...
  • Page 234: Overview

    Overview The Nortel SNAS 4050 controls authentication of clients when they log on to the network. The Nortel SNA solution supports the following authentication methods in Nortel Secure Network Access Switch Software Release 1.0: • external database — Remote Authentication Dial-In User Service (RADIUS) —...
  • Page 235: Before You Begin

    — server IP address — port number used for the service — shared secret — Vendor-Id attribute “Creating a domain using the SREM” on “Configuring groups and profiles” on “Creating a domain...
  • Page 236: Configuring Authentication Using The Cli

    — Vendor-Type Note: You can assign vendor-specific codes to the Vendor-Id and Vendor-Type attributes. The RADIUS server uses Vendor-Id and Vendor-Type attributes in combination to identify what values it will assign and send for attributes such as group name and session timeout. Each vendor has a specific dictionary.
  • Page 237: Roadmap Of Authentication Commands

    Command /cfg/domain 1/aaa/auth <auth ID> /cfg/domain 1/aaa/auth #/adv /cfg/domain 1/aaa/auth #/radius Parameter type radius|ldap|local name <name> display groupauth <auth IDs> secondauth <auth ID> vendorid <vendor ID> vendortype <vendor type> 267)
  • Page 238 Command /cfg/domain 1/aaa/auth #/radius/serv /cfg/domain 1/aaa/auth #/radius/sessiontim /cfg/domain 1/aaa/auth #/ldap /cfg/domain 1/aaa/auth #/ldap/server Parameter domainid <domain ID> domaintype <domain type> authproto pap|chapv2 timeout <interval> list del <index number> add <IPaddr> <port> <shared secret> insert <index number> <IPaddr> move <index number> <new index number>...
  • Page 239: Configuring Authentication Methods Using The Cli

    <user name> <desired group> del <user name> list import <protocol> <server> <filename> <key> export <protocol> <server> <filename> <key> is an integer in the range 1 to 63 that uniquely identifies the...
  • Page 240 When you first create the method, you are prompted to specify the type. For Nortel Secure Network Access Switch Software Release 1.0, valid options are: • RADIUS • LDAP • local The selected method type determines the remainder of the parameters you are prompted to provide when you create the method, as well as the submenu options that are provided on the Authentication menu.
  • Page 241: Configuring Advanced Settings Using The Cli

    CLI” on page Removes the method from the Nortel SNAS 4050 domain. /cfg/domain 1/aaa/auth 2/ . When a user logs on through RADIUS, the system first 261) “Configuring 241). groupauth...
  • Page 242: Configuring Radius Authentication Using The Cli

    To configure the current authentication scheme to retrieve user group information from a different authentication scheme, use the following command: /cfg/domain 1/aaa/auth #/adv The Advanced menu displays. The Advanced menu includes the following options: /cfg/domain 1/aaa/auth #/adv followed by: groupauth <auth IDs> secondauth <auth ID>...
  • Page 243: Adding The Radius Authentication Method Using The Cli

    Vendor-Id is 1872 (Alteon). To use a standard RADIUS attribute rather than the vendor-specific one, set the vendor ID to 0 (see also vendor type). “Configuring authentication methods using the CLI” radius|ldap|local ) —...
  • Page 244 • vendor type for group — corresponds to the Vendor-Type value used in combination with the Vendor-Id to identify the groups to which the user belongs. The group names to which the vendor-specific attribute points must match names you define on the Nortel SNAS 4050 using the 1/aaa/group <group ID>...
  • Page 245: Modifying Radius Configuration Settings Using The Cli

    To modify settings for the authentication method itself, see “Configuring authentication methods using the CLI” on page 239. To modify settings for the specific RADIUS configuration, use the following command: /cfg/domain 1/aaa/auth #/radius
  • Page 246 The RADIUS menu displays. The RADIUS menu includes the following options: /cfg/domain 1/aaa/auth #/radius followed by: servers vendorid <vendor ID> vendortype <vendor type> domainid <domain ID> domaintype <domain type> authproto pap|chapv2 Accesses the RADIUS servers menu, in order to manage the external RADIUS servers configured for the domain (see “Managing RADIUS authentication...
  • Page 247: Managing Radius Authentication Servers Using The Cli

    /cfg/domain 1/aaa/auth #/radius/servers The Radius servers menu displays. Sets the timeout interval for a connection request to a RADIUS server. At the end of the timeout period, if no connection has been established, authentication will fail.
  • Page 248 The Radius servers menu includes the following options: /cfg/domain 1/aaa/auth #/radius/servers followed by: list del <index number> add <IPaddr> <port> <shared secret> insert <index number> <IPaddr> move <index number> <new index number> Lists the IP address, port, and shared secret of currently configured RADIUS authentication servers, by index number.
  • Page 249: Configuring Session Timeout Using The Cli

    Nortel SNAS 4050. The default is 0. Enables retrieval of the RADIUS server session timeout value. The default is disabled. Disables retrieval of the RADIUS server session timeout value. The default is disabled.
  • Page 250: Adding The Ldap Authentication Method Using The Cli

    where auth ID is an integer in the range 1 to 63 that uniquely identifies the authentication method in the Nortel SNAS 4050 domain. If you do not specify the auth ID in the command, you are prompted for it. When you first create the method for the domain, you must enter the authentication ID.
  • Page 251 SNAS 4050 and the LDAP server occur over a secure SSL connection. The default is false. Retain the default value or reset to The Authentication menu displays. isdBindDN ). An account must be created...
  • Page 252: Modifying Ldap Configuration Settings Using The Cli

    Figure 57 shows sample output for the LDAP method for the 1/aaa/auth <auth ID> menu. Figure 57 >> Main# /cfg/domain 1/aaa/auth Enter auth id: (1-63) 3 Creating Authentication 3 Select one of radius, ldap, or local: ldap Auth name: ldap Entering: LDAP settings menu Entering: LDAP servers menu IP Address to add: <IPaddr>...
  • Page 253 /cfg/domain 1/aaa/auth #/ldap followed by: servers searchbase <DN> groupattr <names> Accesses the LDAP servers menu, in order to manage the external LDAP servers configured for the domain (see “Managing LDAP authentication servers using the CLI”...
  • Page 254 /cfg/domain 1/aaa/auth #/ldap followed by: userattr <names> isdbinddn <DN> isdbindpas <password> ldapmacro Refers to one of the following: 1. the LDAP attribute that contains the user name used for authenticating a client in the domain The default user attribute name is Do not use the isdbinddn commands.
  • Page 255 <interval> activedire If true, makes LDAP requests between the Nortel SNAS 4050 and the LDAP server occur over a secure SSL connection (LDAPS). The default is false. Retain...
  • Page 256: Managing Ldap Authentication Servers Using The Cli

    Managing LDAP authentication servers using the CLI You can configure additional LDAP servers for the domain, for redundancy. You can have a maximum of three LDAP authentication servers in the configuration. You can control the order in which the LDAP servers respond to authentication requests.
  • Page 257 <index number> <IPaddr> move <index number> <new index number> Removes the specified LDAP server from the current configuration. The index numbers of the remaining entries adjust accordingly. To view the index numbers of all configured LDAP...
  • Page 258: Managing Ldap Macros Using The Cli

    Managing LDAP macros using the CLI You can create your own macros (or variables), to allow you to retrieve data from the LDAP database. You can then map the variable to an LDAP user attribute in order to create user-specific links on the portal Home tab. When the client successfully logs on, the variable expands to the value retrieved from the LDAP or Active Directory user record.
  • Page 259 <index number> <variable name> move <index number> <new index number> Adds an LDAP macro to the configuration. You are prompted to enter the following information: • — the name of the variable.
  • Page 260: Managing Active Directory Passwords Using The Cli

    Managing Active Directory passwords using the CLI You can set up a mechanism for clients to change their passwords when the passwords expire. Define a user group in the Local database for users whose passwords have expired. Create a linkset and link to a site where the user can change the password (see “Configuring groups using the CLI”...
  • Page 261: Configuring Local Database Authentication Using The Cli

    ), who belongs to a group called “Managing the local database using the CLI” on command (see “Managing the local database using 264). “Specifying authentication fallback order 267). 261). 264. /cfg/domain 1/aaa/ 239).
  • Page 262 where auth ID is an integer in the range 1 to 63 that uniquely identifies the authentication method in the Nortel SNAS 4050 domain. If you do not specify the auth ID in the command, you are prompted for it. When you first create the method for the domain, you must enter the authentication ID.
  • Page 263 - Set authentication mechanism name - Set auth name display - Set auth display name radius - RADIUS settings menu - Advanced settings menu - Remove Authentication >> Authentication 4# command and commands on the...
  • Page 264: Managing The Local Database Using The Cli

    Managing the local database using the CLI You can add users to the database in two ways: • manually, using the • by importing a database, using the import Note: The imported database overwrites existing entries in the local database. You can use the local database for authorization only, after an external authentication server has authenticated the user.
  • Page 265 <user name> <desired group> del <user name> list Adds a user to the local authentication database. You are prompted for the following information: • — a string that specifies a unique user name user logon name.
  • Page 266 /cfg/domain 1/aaa/auth #/local followed by: import <protocol> <server> <filename> <key> Imports a database from the specified TFTP/FTP/SCP/SFTP file exchange server. You are prompted to provide the following information: • protocol is the import protocol. Options are tftp|ftp|scp|sftp. • server is the host name or IP address of the server.
  • Page 267: Specifying Authentication Fallback Order Using The Cli

    (encrypted), and group, separated by a colon. The following is an example of an exported user record with the password encrypted: john:$2$7á?yLs…ßìöonž±†:trusted where $2$ indicates an encrypted password db.txt...
  • Page 268 Perform this step even if there is only one method defined on the Nortel SNAS 4050. Note: For best performance, set the authentication order so that the method that supports the biggest proportion of users is applied first. However, if you use the Nortel SNAS 4050 local database as one of the authentication methods, Nortel recommends that you set the Local method to be first in the authentication order.
  • Page 269: Configuring Authentication Using The Srem

    “Configuring LDAP authentication using the SREM” on page 282 • “Configuring local database authentication using the SREM” on page 298 • “Specifying authentication fallback order using the SREM” on page 314 • “Saving authentication settings” on page 316
  • Page 270: Configuring Authentication Methods Using The Srem

    Configuring authentication methods using the SREM To create and configure an authentication method, perform the following steps: Select the Secure Access Domain > domain > AAA > Authentication > Authentication Server Table tab. The Authentication Server Table appears (see Figure 60). Figure 60 Authentication Server Table...
  • Page 271: Configuring Radius Authentication Using The Srem

    Add extra RADIUS servers, for redundancy, if desired (see additional RADIUS servers” on page “Configuring RADIUS authentication “Configuring LDAP authentication using “Configuring local database 273) 279) Figure 61 on 272) “Modifying “Managing...
  • Page 272: Adding The Radius Method And Server

    Adding the RADIUS method and server To configure the Nortel SNAS 4050 to use an external RADIUS or Steel-belted RADIUS server for authentication, perform the following steps: In the Add an Authentication Server dialog box, select Radius from the drop-down list. The display of the Add an Authentication Server dialog box refreshes (see Figure 61).
  • Page 273: Modifying Radius Configuration

    SNAS 4050. Click Commit on the toolbar to save the changes permanently. Modifying RADIUS configuration You can modify the RADIUS configuration in the following ways: • Modify settings for the authentication method itself (see RADIUS method settings” on page “Modifying 274).
  • Page 274 • Modify settings for the specific RADIUS configuration (see RADIUS configuration settings” on page Modifying RADIUS method settings To modify settings for an existing RADIUS authentication method, perform the following steps: Select the Secure Access Domain > domain > AAA > Authentication > radius >...
  • Page 275 Click Apply on the toolbar to send the current changes to the Nortel SNAS 4050. Click Commit on the toolbar to save the changes permanently.
  • Page 276 Modifying RADIUS configuration settings To modify the RADIUS method configuration, perform the following steps: Select the Secure Access Domain > domain > AAA > Authentication > radius > Radius Configuration tab. The Radius Configuration screen appears (see Figure 63). Figure 63 Radius Configuration
  • Page 277 If you do not specify a measurement unit, seconds is assumed. The range is 1–10000 seconds. The default is 10 seconds. s — seconds m — minutes h — hours...
  • Page 278 Table 42 Radius Configuration fields (continued) Field Authentication Protocol Vendor ID Vendor Type State Click Apply on the toolbar to send the current changes to the Nortel SNAS 4050. Click Commit on the toolbar to save the changes permanently. Description Specifies the protocol used for communication between the Nortel SNAS 4050 and the RADIUS server.
  • Page 279: Managing Additional Radius Servers

    To manage additional RADIUS servers, select the Secure Access Domain > domain > AAA > Authentication > radius > Radius Servers tab. The RADIUS Servers screen appears (see Figure 64), displaying a list of the existing RADIUS servers. Figure 64 Radius Servers
  • Page 280: Adding A Radius Server

    The RADIUS Server Table allows you to manage additional RADIUS servers by performing any of the following procedures: • “Adding a RADIUS server” on page 280 • “Reordering additional RADIUS servers” on page 281 • “Removing a RADIUS server” on page 281 Adding a RADIUS server To add additional RADIUS servers for redundancy, perform the following steps: Select the Secure Access Domain >...
  • Page 281: Removing A Radius Server

    To remove an existing RADIUS server from the RADIUS Server Table, perform the following steps: Select the Secure Access Domain > domain > AAA > Authentication > radius > Radius Servers tab. Figure 69 on page 291).
  • Page 282: Next Steps

    The RADIUS Servers screen appears (see Select an RADIUS server entry from the RADIUS Server Table. Click Delete. A confirmation dialog appears. Click Yes. The RADIUS server is removed from the RADIUS Server Table. Click Apply on the toolbar to accept the new order, and adjust index numbers for the RADIUS servers accordingly.
  • Page 283: Adding The Ldap Method And Server

    Future releases of the Nortel SNAS 4050 software will allow you to reference this name in a client filter, so authentication to this server becomes a condition for access rights for a group.
  • Page 284: Modifying Ldap Configuration

    Table 44 Add an Authentication Server — LDAP fields (continued) Field Display Name IP Address Port Click Apply. The LDAP authentication method displays in the Authentication Server Table. Click Apply on the toolbar to send the current changes to the Nortel SNAS 4050.
  • Page 285 Select the Secure Access Domain > domain > AAA > Authentication > ldap > Configuration tab. The Configuration screen appears, showing current settings for the method (see Figure 67). Figure 67 Configuration
  • Page 286 Modify settings for the authentication method as necessary. Table 45 describes the Configuration fields. Table 45 Configuration fields Field Index Name Mechanism Display Name Group Authentication List Click Apply on the toolbar to send the current changes to the Nortel SNAS 4050. Click Commit on the toolbar to save the changes permanently.
  • Page 287 To modify the LDAP method configuration, perform the following steps: Select the Secure Access Domain > domain > AAA > Authentication > ldap > LDAP Configuration tab. The LDAP Configuration screen appears (see Figure 68). Figure 68 LDAP Configuration
  • Page 288 Modify settings for the LDAP configuration as necessary. Table 46 describes the LDAP Configuration fields. Table 46 LDAP Configuration fields Field Description Enable LDAPs If selected, makes LDAP requests between the Nortel SNAS 4050 and the LDAP server occur over a secure SSL connection (LDAPS). Search Base Entry Group Attribute
  • Page 289 Bind ISD DN. Required for the Search Base Entry and User Attribute method 2. authenticating a client in the domain. The default user attribute name is Do not use the Bind ISD DN and Bind ISD Password fields.
  • Page 290 Table 46 LDAP Configuration fields (continued) Field Enable User Preferences Cut Domain From User Name LDAP Server Timeout Expired Password Group Check Expired Account Click Apply on the toolbar to send the current changes to the Nortel SNAS 4050. Click Commit on the toolbar to save the changes permanently. Description Enables or disables storage of user preferences in an...
  • Page 291: Managing Additional Ldap Servers

    To manage additional LDAP servers, select the Secure Access Domain > domain > AAA > Authentication > ldap > LDAP Servers tab. The LDAP Servers screen appears (see Figure 69), displaying a list of the existing LDAP servers. Figure 69 LDAP Servers
  • Page 292 The LDAP Server Table allows you to manage additional LDAP servers by performing any of the following procedures: • “Adding an LDAP server” on page 292 • “Reordering additional LDAP servers” on page 293 • “Removing an LDAP server” on page 293 Adding an LDAP server To add an additional LDAP server, perform the following steps: Select the Secure Access Domain >...
  • Page 293 Select an LDAP server entry from the LDAP Server Table. Click Delete. A confirmation dialog appears. Click Yes. The LDAP server is removed from the LDAP Server Table. Figure 69 on page 291).
  • Page 294: Managing Ldap Macros

    Click Apply on the toolbar to send the current changes to the Nortel SNAS 4050. Click Commit on the toolbar to save the changes permanently. Managing LDAP macros You can create your own macros (or variables), to allow you to retrieve data from the LDAP database.
  • Page 295 • “Adding LDAP macros” on page 296 • “Reordering LDAP macros” on page 297 • “Removing LDAP macros” on page 297 Figure 71) and displays a list of existing...
  • Page 296 Adding LDAP macros To create an LDAP macro variable, perform the following steps: Select the Secure Access Domain > domain > AAA > Authentication > ldap > LDAP Macros tab. The LDAP Macros screen appears (see Click Add. The Add an LDAP Macro dialog box appears (see Figure 72 Enter the LDAP macro information in the applicable fields.
  • Page 297 Select an LDAP macro entry from the LDAP Macro Table. Click Delete. A confirmation dialog appears. Click Yes. The LDAP macro is removed from the LDAP Macro Table. Figure 71 on page 295).
  • Page 298: Next Steps

    Click Apply on the toolbar to send the current changes to the Nortel SNAS 4050. Click Commit on the toolbar to save the changes permanently. Next steps Configure additional authentication methods, if desired (see RADIUS authentication using the SREM” on page 271 database authentication using the SREM”...
  • Page 299: Adding The Local Method

    In the Add an Authentication Server dialog box, select Local from the drop-down list. The display of the Add an Authentication Server dialog box refreshes (see Figure 73). Figure 73 Add an Authentication Server — Local
  • Page 300 Enter the authentication server information in the applicable fields. Table 49 Add an Authentication Server — Local fields Field Index Name Display Name User Name User Password Confirm Change User Group Click Apply. The Local authentication method displays in the Authentication Server Table. Click Apply on the toolbar to send the current changes to the Nortel SNAS 4050.
  • Page 301: Populating The Database

    > Local Users tab. The Local Users screen appears (see Figure 74 Local Users “Adding users to the local database” on page “Importing a database” on page Figure 74). 301) 304)
  • Page 302 Click Add. The Add a Local User dialog box appears (see Figure 75). Figure 75 Add a Local User. Enter the local user information in the applicable fields. Table 50 describes the Add a Local User fields. Table 50 Add a Local User fields Field User Name User Password Confirm Change User Group
  • Page 303 Click Apply on the toolbar to send the current changes to the Nortel SNAS 4050. Click Commit on the toolbar to save the changes permanently. for each user you want to add to the database.
  • Page 304 Importing a database Note: The imported database will overwrite existing entries in the local database. To import a database of local users, perform the following steps. Select the Secure Access Domain > domain > AAA > Authentication > local > Import Local User Database tab. The Import Local User Database screen appears (see Figure 76 Import Local User Database...
  • Page 305: Modifying Local Database Configuration

    Modify user settings in the local database (see page 307). • Modify user passwords in the local database (see passwords” on page 309). tftp sftp 306). “Modifying local users” on “Modifying local user “Modifying Local...
  • Page 306 Modifying Local method settings. To modify settings for an existing local or LDAP authentication method, perform the following steps: Select the Secure Access Domain > domain > AAA > Authentication > local > Configuration tab. The Configuration screen appears, showing current settings for the method (see Figure 77...
  • Page 307 To edit settings for existing users in the database, perform the following steps: Select the Secure Access Domain > domain > AAA > Authentication > local > Local Users tab. The Local Users screen appears (see Figure 67 on page 285).
  • Page 308 In the User Name list, select the user you want to edit. The Local Users screen refreshes to display an editing pane in the bottom half of the screen, with the user Configuration tab active (see Figure 78). Figure 78 Local Users — Configuration.
  • Page 309 To modify password settings for existing users in the database, perform the following steps: Select the Secure Access Domain > domain > AAA > Authentication > local > Local Users tab. The Local Users screen appears (see Figure 74 on page 301).
  • Page 310 In the User Name list, select the user you want to edit. The Local Users screen refreshes to display an editing pane in the bottom half of the screen, with the user Configuration tab active (see page 308). Select the Local User Configuration tab. The Local Users screen refreshes to display the Local User Configuration tab active (see Figure 79...
  • Page 311 (*). Confirm: Confirms the user password. Click Apply on the toolbar to send the current changes to the Nortel SNAS 4050. Click Commit on the toolbar to save the changes permanently.
  • Page 312: Exporting The Database

    Exporting the database. To export the database of local users, perform the following steps: Select the Secure Access Domain > domain > AAA > Authentication > local > Export Local User Database tab. The Export Local User Database screen appears (see Figure 80). Figure 80 Export Local User Database...
  • Page 313: Next Steps

    RADIUS authentication using the SREM” on page 271; LDAP authentication using the SREM” on page 282. Set the authentication order (see “Specifying authentication fallback order using the SREM” on page 314). Commit the changes (see ...
  • Page 314: Specifying Authentication Fallback Order Using The Srem

    Specifying authentication fallback order using the SREM Authentication in the Nortel SNAS 4050 solution is performed by checking client credentials against available authentication databases until the first match is found. You specify the order in which the Nortel SNAS 4050 applies the methods configured for the Nortel SNAS 4050 domain.
  • Page 315 In the Fallback Order section, specify the authentication methods you wish to use by selecting the applicable check boxes. An authentication method whose check box is clear will not be used in the domain. (See Figure 80.)
  • Page 316: Saving Authentication Settings

    Rearrange the list so that the methods appear in the desired order. a Click on a method to select it. b Using the up and down arrows, move the method to the desired position in the list. Repeat for the other methods until the list is in the desired order. Click Apply on the toolbar to send the current changes to the Nortel SNAS 4050.
  • Page 317: Chapter 7: Tunnelguard Srs Builder

    Adding entries to a software definition; Creating logical expressions; Registry-based rules; Manually creating SRS entries; File age check; Adding comments; Deleting SRS rules and their components; TunnelGuard support for API calls; Making API calls.
  • Page 318: Configuring Srs Rules

    Configuring SRS rules The building blocks used to construct the Software Requirement Set (SRS) are files (or combinations of files) and registry key settings that must either be present or be absent on the client host. You can create different SRS rules for different groups.
  • Page 319: Menu Commands

    Software Definition menu items (Sheet 1 of 2), Item and Description: (Save) Save the SRS definition in the Nortel SNAS 4050 LDAP database. New Software Definition: Creates a new software definition. Delete Software Definition: Deletes the selected software definition.
  • Page 320: Software Definition Entry Menu

    Table 57 Software Definition menu items (Sheet 2 of 2), Item: Clone Software Definition; Import Software Definition; Export Software Definition; Edit Software Definition Comment; Auto Generate TunnelGuard Rule. Software Definition Entry menu: Table 58 describes important items from the Software Definition Entry menu. Table 58 Software Definition Entry menu items (Sheet 1 of 2) Item...
  • Page 321: Tunnelguard Rule Menu

    You may want to refresh the view if you have launched other applications while running the SRS builder or if other processes started after the SRS builder was started. Nortel Secure Network Access Switch 4050 User Guide...
  • Page 322: Srs Definition Toolbar

    SRS definition toolbar. The buttons on the SRS definition toolbar allow you to create, delete, and manage software requirement sets. For a description of each item see Figure 82. Figure 82 SRS Definition toolbar: Create a new SRS definition; Delete an existing SRS definition; Clone an SRS; Import an SRS definition from an XML file; Export an SRS definition to an XML file...
  • Page 323: Software Definition - Available Srs List

    API option, the file will be loaded and the API called. If checked, indicates that the component contains a third party API for further checking. Shows the hash algorithm used to generate the hash. Shows the hash value of the file.
  • Page 324: Customizing A Component

    Customizing a component. When an SRS component is selected by clicking on it, you can customize it using the toolbar below the component table, as shown in Figure 83. For details about available customizations, see Table 63. Table 63 Component customization descriptions, Item: Add OnDisk file as entry; Add selected memory module as entry; Add registry key entry...
  • Page 325: Memory Snapshot

    Shows the name of the process or file currently in memory. Shows the unique system process ID for each running process. Shows a text description, if one is available, for each process.
  • Page 326: Srs Rule List

    SRS Rule list. The SRS Rule list shows the existing SRS rules. These rules are retrieved from the Nortel SNAS 4050 at the TunnelGuard SRS Builder applet start-up time. For a description of the information provided, see Table 65. Table 65 SRS Rule information, Item: TunnelGuard Rule Name; TunnelGuard Rule...
  • Page 327: Managing Tunnelguard Rules And Expressions

    Creating a software definition. To create a software definition, perform the following steps: On the Software Definition menu, select New software definition. The New SRS window appears (see Figure 84 on page 328).
  • Page 328: Adding Entries To A Software Definition

    Figure 84. Enter a name for the software definition and click OK. For example, to create a software definition specifying the antivirus modules that must be present on the client system, enter the name “Antivirus”. The new software definition is added in the Software Definition area. Adding entries to a software definition: There are different ways of specifying which files and software executables should be (or should not be) present or running on the client system.
  • Page 329 Then enter the desired key path and key value in the fields. Use this option if a module name varies in different setups and is available in a registry key. To ignore path checking, select the Ignore Path Checking check box.
  • Page 330 If enabled, the client system will be searched for the specified file name, irrespective of path to folder. In the Process Name field, enter the name of the process whose module you wish to add as a software definition entry. The name of the selected process is displayed by default.
  • Page 331: Selecting File On Disk

    Using the NOT operand when forming logical expressions, you can then instruct TunnelGuard to verify that certain files are not present on the client system. See “Creating logical...
  • Page 332 To create a software definition entry for a file not shown in the memory snapshot, perform the following steps: On the Software Definition Entry menu, select Add OnDisk File as entry. To include the file in a new software definition, first create the new software definition (select New Software Definition on the Software Definition menu).
  • Page 333: Creating Logical Expressions

    For instructions on how to create a software definition, see “Creating a software definition” on page 327.
  • Page 334 Click the TunnelGuard Rule Definition tab. TunnelGuard rules and expressions with the same names as the software definitions have been created and appear on the TunnelGuard Rule Definition tab (see Figure 87). Figure 87 The TunnelGuard Rule Definition tab. In the example above, two TunnelGuard rules have been created, each defining a unique application.
  • Page 335 Click the Form TunnelGuard Rule Expression button. A new expression is created and copied to the Available Expressions area (see Figure 88 on page 336).
  • Page 336 Figure 88 The Available Expressions screen. Create a new TunnelGuard Rule. On the TunnelGuard Rule menu, select New TunnelGuard Rule. The New SRS Rule window appears (see Figure 89). Enter a name for the TunnelGuard rule and click OK. Figure 89 The New SRS Rule window.
  • Page 337 Scroll through the list of expressions and choose the expression you would like to associate with this rule. Any logical expression that you create may be used in a new logical expression, for example to construct more complex conditions.
  • Page 338: Registry-Based Rules

    Registry-based rules TunnelGuard Agent supports checking of on-disk files, running processes, hash checking, and version numbers to verify installed software packages. Reading the registry settings on a client’s PC is another way of checking software packages and their installed state. The following sections provide details on registry-based rules: •...
  • Page 339 = 100 — matches integer values that are exactly equal to 100 • < 50 — matches integer values that are less than 50 • != 200 — matches all integer values that are not equal to 200
  • Page 340 Table 67 describes supported constructs for string-based regular expressions. Table 67 Constructs for string based regular expressions (Sheet 1 of 2). String regular expression constructs listed: \xhh, [abc], [^abc], [a-z], [a-d[m-p]], [a-z&&[def]], [a-z&&[^bc]], X{n}, X{n,}, X{n,m}. Descriptions (first rows): The character x; Any character; The backslash character; The character with octal value 0n (0 <= n <= 7); The character with the hexadecimal value 0xhh...
  • Page 341: Creating A Registry Entry

    Click the Software Definition tab in the TunnelGuard Software and Rule Definition Tool page. Click the Software Definition Entry menu and select Add Registry Key Entry. The Registry Entry page opens (see Figure 91 on page 342).
  • Page 342: Registry-Based File/Module

    Figure 91. Select the Registry Key Path from the Registry Editor. Select the Key Value type. Enter the Key Value Data Expression. Click OK. If you want to create multiple entries, click Save and More. That saves this entry and another window opens for you to create another Registry entry. Registry-based File/Module: If the File/Module path or name is not known to the administrator or is not static for SRS rule creation, the file name or module is sometimes available as Registry...
  • Page 343: Manually Creating Srs Entries

    Click the Software Definition tab in the TunnelGuard Software and Rule Definition Tool page. Click the Software Definition Entry menu and select Create New OnDisk SRS Entry. The Create New OnDisk SRS Entry page opens (see Figure 92 on page 344).
  • Page 344 Figure 92 Click Browse Local System to select the File or Module Path. The File (OR Module) Path appears in the text box and the rest of the information on the page is filled in automatically. Note: If you select Fetch Module Path from Registry Entry, you must manually enter the Registry Entry and the Key Value.
  • Page 345: Manually Creating A Memory Module Entry

    Click the Software Definition tab in the TunnelGuard Software and Rule Definition Tool page. Select Software Definition Entry > Create New Memory Module SRS Entry menu item. The Create New Memory Module SRS Entry page opens (see Figure 93 on page 346).
  • Page 346 Figure 93 Click Browse Local System to select the File or Module Path. The File (OR Module) Path appears in the text box and the rest of the information on the page is filled in automatically. Note: If you select Fetch Module Path from Registry Entry, you must enter the Registry Entry and the Key Value.
  • Page 347: File Age Check

    This interface is accessed from a button in the middle of the TunnelGuard Software and Rule Definition Tool page. Figure 94 shows the interface you use to set the relative date and time.
  • Page 348: Adding Comments

    Figure 94. Adding comments: • “Adding a TunnelGuard rule comment” on page 348 • “Adding a software definition comment” on page 349. Adding a TunnelGuard rule comment: By adding a TunnelGuard rule comment to a TunnelGuard rule, you can provide important information to the user (for example, the reason the TunnelGuard checks failed and the recommended action).
  • Page 349: Adding A Software Definition Comment

    “Deleting a software definition” on page 350 • “Deleting a software definition entry” on page 350 • “Deleting a TunnelGuard rule” on page 350 • “Deleting an expression” on page 350 • Figure 95 on...
  • Page 350: Deleting A Software Definition

    Deleting a software definition Click the Software Definition tab. In the Software Definition column, select the desired software definition. Click the trash can symbol on the tool bar located above the Software Definition column. Note: You cannot delete a software definition that is used in a TunnelGuard rule.
  • Page 351: Tunnelguard Support For Api Calls

    10 seconds or less. If an answer is not returned in a timely manner, it is assumed the software is unavailable, and the call times out and returns an error message.
  • Page 353: Chapter 8: Managing System Users And Groups

    Setting password expiry using the SREM; Changing your password using the SREM; Changing another user’s password using the SREM; Setting the certificate export passphrase using the SREM; Managing user groups using the SREM.
  • Page 354: User Rights And Group Membership

    User rights and group membership There are three groups of system users who routinely access the system for configuration and management: • admin (administrator) • certadmin (certificate administrator) • oper (operator) Note: There are two additional types of users with specialized functions: boot and root.
  • Page 355: Managing System Users And Groups Using The Cli

    Parameter: password <old password> <new password> <confirm new password>; expire <time>; list; del <username>; add <username>; caphrase; password <own password> <user password> <confirm user password>. 360) “Changing passwords” on 369) “CLI configuration...
  • Page 356: Managing User Accounts And Passwords Using The Cli

    Command: /cfg/sys/user/edit <username>/groups. Managing user accounts and passwords using the CLI: To change the password for the currently logged on user and to add or delete user accounts, access the User menu by using the following command: /cfg/sys/user. The User menu displays. The User menu includes the following options: User...
  • Page 357 /cfg/sys/user followed by: del <username>; add <username>. del <username>: Removes the specified user account from the system. Of the three built-in users (admin, oper, and root), only the oper user can be deleted. You must have administrator rights in order to delete user accounts.
  • Page 358: Managing User Settings Using The Cli

    /cfg/sys/user followed by: edit <username>; caphrase. Managing user settings using the CLI: You must have administrator rights in order to change a user’s settings. You must also be a member of the other user’s first group (the first group listed for the other user when you use the command).
  • Page 359: Managing User Groups Using The Cli

    Passwords can contain spaces and are case sensitive. Accesses the Groups menu, in order to manage user group assignments (see “Managing user groups using the CLI” on page 359). Displays the current group settings for the specified user.
  • Page 360: Cli Configuration Examples

    To set or change a user’s group assignment, access the Groups menu by using the following command: /cfg/sys/user/edit <username>/groups. The Groups menu displays. /cfg/sys/user/edit <username>/groups followed by: list; del <group index>; admin|oper|certadmin. CLI configuration examples: This section includes the following detailed examples: •...
  • Page 361 You can only assign a user to a group in which you yourself are a member. When this criterion is met, users can be assigned to one or more of the following three groups: /cfg/domain ), the certadmin user has...
  • Page 362 — oper — admin — certadmin. By default, the admin user is a member of all groups above, and can therefore assign a new or existing user to any of these groups. The group assignment of a user dictates the user rights and access levels to the system. >>...
  • Page 363 The export passphrase can contain spaces and is case sensitive. >> User cert_admin# ../caphrase Enter new passphrase: Re-enter to confirm: Passphrase changed. ). When the admin /cfg/ptcfg /cfg/sys/user/caphrase caphrase command. For...
  • Page 364 Remove the admin user from the certadmin group. Again, this step is only necessary if you want to fully separate the Certificate Administrator user role from the Administrator user role. Note, however, that once the admin user is removed from the certadmin group, only a user who is already a member of the certadmin group can grant the admin user certadmin group membership anew.
  • Page 365: Changing A User's Group Assignment

    - Certadmin export passphrase >> User# Assign the admin user certadmin user rights by adding the admin user to the certadmin group. >> User# edit admin >> User admin# groups/add Enter group name: certadmin
  • Page 366: Changing Passwords

    Note: A user must be assigned to at least one group at any given time. If you want to replace a user’s single group assignment, you must therefore always first add the user to the desired new group, then remove the user from the old group.
  • Page 367 /cfg/sys/user/edit <username>/groups/list command). Login passwords are case sensitive and can contain spaces. Log on to the Nortel SNAS 4050 cluster as the admin user. login: admin Password: (admin user password) command. apply...
  • Page 368 Access the User Menu. >> Main# /cfg/sys/user ------------------------------------------------------------ [User Menu] passwd list edit caphrase >> User# Specify the user name of the user whose password you want to change. >> User# edit Name of user to edit: cert_admin Type the >>...
  • Page 369: Deleting A User

    In this example, the cert_admin user is removed from the system. To list all users currently added to the system configuration, use the list command. >> User# del cert_admin Verify and apply the changes. ...
  • Page 370: Managing System Users And Groups Using The Srem

    The imminent removal of the cert_admin user is indicated as a pending configuration change by the minus sign (-). To cancel a configuration change that has not yet been applied, use the ... >> User# list root admin oper -cert_admin >> User# apply. Managing system users and groups using the SREM: To manage users, choose from one of the following tasks: •...
  • Page 371 Only the admin user can add users to the system. After adding a user, you must assign the user to a group (see “Managing user groups using the SREM” on page 381).
  • Page 372: Adding New User Accounts

    Only the admin user can delete users from the system. Of the three built-in users (admin, oper, and root), only the oper user can be deleted. Note: When you delete a user, the user’s group assignment is also deleted. If you are deleting a user who is the sole member of a group, none of the remaining users on the system can then be added to that group.
  • Page 373: Removing Existing User Accounts

    The entry is immediately removed from the User Table. Click Apply on the toolbar to send the current changes to the Nortel SNAS 4050. Click Commit on the toolbar to save the changes permanently. Table 69; Figure 96 on page 371).
  • Page 374: Setting Password Expiry Using The Srem

    Setting password expiry using the SREM. To set a password expiry date for all passwords in the system, perform the following steps: Select the System > Manage Users > Password Setting tab. The Password Setting screen appears (see Figure 98). Figure 98 Password Setting...
  • Page 375 A value of 0 indicates that the password never expires. Click Apply on the toolbar to send the current changes to the Nortel SNAS 4050. Click Commit on the toolbar to save the changes permanently. Table 70...
  • Page 376: Changing Your Password Using The Srem

    Changing your password using the SREM. Only the admin user can change the passwords of other users. Logged on users can change their own passwords. To change the password for the logged on user, perform the following steps: Select the System > Manage Users > Change Your Password tab. The Change Your Password screen appears (see Figure 99). Figure 99 Change Your Password...
  • Page 377: Changing Another User's Password Using The Srem

    The current password. Sets the new password. The password must be at least four characters and can contain spaces. The password is case sensitive. Confirms the new password. Table 71 describes the...
  • Page 378 To change the password for another user, perform the following steps: Select the System > Manage Users > user > Change User Password tab. The Change User Password screen appears (see Figure 100). Figure 100 Change User Password.
  • Page 379: Setting The Certificate Export Passphrase Using The Srem

    The current password of the admin user performing the change. Sets the new password. The password must be at least four characters and can contain spaces. The password is case sensitive. Confirms the new password. Table 71 describes the...
  • Page 380 To set a certificate export pass phrase, perform the following steps: Select the System > Manage Users > Set Certificate Export PassPhrase tab. The Set Certificate Export PassPhrase screen appears (see Figure 101). Figure 101 Set Certificate Export PassPhrase.
  • Page 381: Managing User Groups Using The Srem

    Description: Sets the pass phrase. Must be at least four characters. Confirms the pass phrase. Table 73 describes...
  • Page 382: Adding A User Group

    To manage the group to which a user belongs, select the System > Manage Users > user > User Groups tab. The User Groups screen appears, displaying the user’s current group membership (see Figure 102). Figure 102 User Groups. Choose from the following tasks to manage user groups: •...
  • Page 383: Removing A User Group

    The User Groups screen appears (see Figure 102 on page 382). Select the group to remove from the User Group Table. Click Delete. A confirmation dialog appears. Click Yes. (Figure 103; Table 74.)
  • Page 384 The user group is immediately removed from the User Group Table. Click Apply on the toolbar to send the current changes to the Nortel SNAS 4050. Click Commit on the toolbar to save the changes permanently.
  • Page 385: Chapter 9: Customizing The Portal And User Logon

    Configuring links using the CLI; Customizing the portal and logon using the SREM; Configuring the captive portal using the SREM; Changing the portal language using the SREM; Configuring the portal display using the SREM.
  • Page 386: Overview

    Topic: Changing the portal colors using the SREM; Configuring custom content using the SREM; Configuring linksets using the SREM; Configuring links using the SREM. Overview: The end user accesses the Nortel SNA network through the Nortel SNAS 4050 portal. You can customize the end user experience by configuring the following logon and portal features: •...
  • Page 387: Exclude List

    For information about configuring the Exclude List, see “Configuring the Exclude List using the CLI” on page 401 and “Configuring the DNS Exclude List using the SREM” on page 418. See also “Configuring the captive portal using the...
  • Page 388 Table 75 lists the regular expressions and escape sequences you can use in an Exclude List entry. The set of allowable regular expressions is a subset of the set found in egrep and in the AWK programming language. The escape sequences are allowed in Erlang strings.
  • Page 389: Portal Display

    “Configuring the portal display using the CLI” on page 405; “Configuring the portal display using the SREM” on page ...; “Portal look and feel” on page 389; “Language localization” on page 392; “Automatic redirection to internal sites” on page ...; 394; 425.
  • Page 390 Default appearance: Figure 104 shows the default portal Home tab. Figure 104 Default appearance of the portal Home tab (callouts: Active tab, URL; Banner area, and icon (Color3)). Colors: There are four colors used on the portal page: • color1 — the large background area below the tabs •...
  • Page 391 Table 76 lists the hexadecimal... Color and hexadecimal code: White FFFFFF; Black 000000; Dark gray A9A9A9; Light gray D3D3D3; Red FF0000; Green 008000; Blue 0000FF; Yellow FFFF00; Orange FFA500; Violet EE82EE; Dark violet 9400D3; Pink FFC0CB.
  • Page 392: Language Localization

    Table 76 Common colors, with hexadecimal codes (Sheet 2 of 2), Color: Brown; Beige; Lime green; Light green; Dark blue; Navy; Light skyblue; Medium blue; Dark red. For the commands to configure the colors used on the portal, see “Changing the portal colors using the CLI” on page 408 and “Changing the portal colors using the SREM”...
  • Page 393 Set the portal to display the new language (see language using the CLI” on page 404 using the SREM” on page “Configuring language support “Importing and exporting language parameter specified in the Content-Type entry is (message string).
  • Page 394: Linksets And Links

    Linksets and links You can add the following types of links to the portal Home tab: • External — links directly to a web page. Suitable for external web sites. • FTP — links to a directory on an FTP server. A linkset is a set of one or more links.
  • Page 395: Macros

    <var:group> — expands to the name of the group of which the currently logged in client is a member. See “Mapping linksets to a group or profile using the...
  • Page 396: Automatic Redirection To Internal Sites

    Automatic redirection to internal sites You can configure the portal to automatically redirect authenticated clients to an internal site. Unlike the linkset autorun feature, automatic redirection does not open a new browser window. Rather, it replaces the default Home page in the internal frame on the portal browser page.
  • Page 397: Managing The End User Experience

    Redirection URL or link text. Linktext (static text) entry: <script>if ("<var:group>" == "deptA") { location.replace ("https://nsnas.example.com/http/inside.example.com/deptA.html");} else if ("<var:group>" == "deptB") { location.replace ("https://nsnas.example.com/http/inside.example.com/deptB.html");} </script> Link: <a href=https://nsnas.example.com/logout.yaws> Logout from portal </a>
  • Page 398: Windows Domain Logon Script

    Download the JRE installer from the Sun Microsystems Java web site (http://www.java.com). Bundle plugins.html and the JRE installer in a zip file. Add the zip file as custom content to the portal. For general information about adding custom content to the portal, see “Configuring custom content using the CLI”...
  • Page 399 [<letter>]; del <code>; setlang <code>; charset; list; import <protocol> <server> <filename>; restore; banner; redirect <URL>; logintext <text>; iconmode clean|fancy; linktext <text>; linkurl on|off; linkcols <columns>; linkwidth <width>; companynam; ieclear on|off; color1 <code>...
  • Page 400 Command: /cfg/domain 1/portal/content; /cfg/domain 1/linkset <linkset ID>; /cfg/domain 1/linkset <linkset ID>/link <index>; /cfg/domain 1/linkset <linkset ID>/link <index>/external/quick; /cfg/domain 1/linkset <linkset ID>/link <index>/ftp/quick. Parameter: color2 <code>; color3 <code>; color4 <code>; theme default|aqua|apple|jeans|cinnamon|candy; import <protocol> <server> <filename>; export <protocol> <server> <filename>...
  • Page 401: Configuring The Captive Portal Using The Cli

    Accesses the DNS Exclude menu, in order to configure the Exclude List (see “Configuring the Exclude List using the CLI” on page 401). Enables captive portal functionality. Disables captive portal functionality. “Exclude List” on...
  • Page 402: Changing The Portal Language Using The Cli

    The DNS Exclude menu includes the following options: /cfg/domain 1/dnscapt/exclude followed by: list; del <index name>; add <domain name>; insert <index number> <domain name>; move <index number> <new index number>. Changing the portal language using the CLI: To change the language displayed for tab names, general text, messages, buttons, and field labels on the portal page, do the following: Export the language definition template (see using the CLI”...
  • Page 403 Configuring language support using the CLI To manage the language definition files in the system, use the following command: /cfg/lang The Language Support menu displays.
  • Page 404 The Language Support menu includes the following options: /cfg/lang followed by: import <protocol> <server> <filename> <code> export <protocol> <server> <filename> list Imports a ready-to-use language definition file from the specified TFTP/FTP/SCP/SFTP file exchange server. • protocol is the import protocol. Options are tftp|ftp|scp|sftp.
  • Page 405: Setting The Portal Display Language Using The Cli

    <code> charset list Lists all valid language codes and their corresponding description. To list all valid language codes beginning with a specific letter, specify the letter in the command.
  • Page 406 Configuring the portal display using the CLI To modify the look and feel of the portal page that displays in the client’s web browser, use the following command: /cfg/domain 1/portal The Portal menu displays. The Portal menu includes the following options: /cfg/domain 1/portal followed by: import <protocol>...
  • Page 407 <URL> logintext <text> iconmode clean|fancy Sets the URL to which clients are automatically redirected after authentication by the portal. • URL is the URL to which to direct the client,...
  • Page 408: Changing The Portal Colors Using The Cli

    /cfg/domain 1/portal followed by: linktext <text> linkurl on|off linkcols <columns> linkwidth <width> companynam colors Specifies static text to be displayed above the group links on the portal Home tab. The static text displays for all clients, but the links themselves may change, depending on the client’s group membership.
  • Page 409: Configuring Custom Content Using The Cli

    The user will also be logged off from any other sites at the same time. • — when the user logs off from the portal, the cache is not cleared until the user closes the browser. The default value is...
  • Page 410: Configuring Custom Content Using The Cli

    The Portal Colors menu includes the following options: /cfg/domain 1/portal/colors followed by: color1 <code> color2 <code> color3 <code> color4 <code> theme default|aqua|apple| jeans|cinnamon|candy For more information about the portal colors and themes, see page 390. Configuring custom content using the CLI To add custom content, such as Java applets, to the portal, use the following command: /cfg/domain 1/portal/content...
  • Page 411 <protocol> <server> <filename> export <protocol> <server> <filename> delete available Imports a content file (in ZIP format) from the specified TFTP/FTP/SCP/SFTP file exchange server. • protocol is the import protocol. Options are tftp|ftp|scp|sftp. The default is...
  • Page 412: Configuring Linksets Using The Cli

    Configuring linksets using the CLI A linkset is a set of links that display on the portal Home tab. For more information about linksets and links, see To create and configure a linkset, use the following command: /cfg/domain 1/linkset <linkset ID> where linkset ID the linkset in the Nortel SNAS 4050 domain.
  • Page 413: Configuring Links Using The Cli

    <text> autorun true|false link <index> Names or renames the linkset. After you have defined a name for the linkset, you can use either the linkset name or the linkset ID to access the Linkset menu.
  • Page 414 Configuring links using the CLI To create and configure the links included in the linkset, use the following command: /cfg/domain 1/linkset <linkset ID>/link <index> where index link in the linkset. When you first create the link, if you do not specify the index in the command, you will be prompted to enter the index or name.
  • Page 415: Configuring External Link Settings Using The Cli

    <text> type external|ftp external Moves the link to a new position in the linkset. The index numbers of existing link entries with this index number and higher are incremented by 1.
  • Page 416: Customizing The Portal And Logon Using The Srem

    Configuring external link settings using the CLI To launch the wizard to configure settings for a link to an external web page, use the following command: /cfg/domain 1/linkset <linkset ID>/link <index>/ external/quick The wizard prompts you to enter the following settings: •...
  • Page 417: Configuring The Captive Portal Using The Srem

    To configure the Nortel SNAS 4050 portal as a captive portal, perform the following steps: Select the Secure Access Domain > domain > DNS Capture tab. The DNS Capture screen appears (see Figure 105).
  • Page 418: Configuring The Dns Exclude List Using The Srem

    Figure 105 DNS Capture screen The DNS Capture screen includes the following components: Table 78 DNS Capture fields Fields Enable DNS Capture DNS Exclude List Select Enable DNS Capture to enable the Nortel SNAS 4050 portal as a captive portal. Click Apply on the toolbar to send the current changes to the Nortel SNAS 4050.
  • Page 419 DNS servers. For information about allowable expressions and escape sequences, see “Exclude List” on... Click Add. The entry appears in the DNS Exclude List (see Figure 106).
  • Page 420: Changing The Portal Language Using The Srem

    To remove an entry from the Exclude List: In the DNS Exclude List, select the entry you want to remove. Click Delete. When prompted, click Yes. The entry is removed from the DNS Exclude List. To move an entry up or down in the DNS Exclude List: Select the entry you want to move.
  • Page 421: Importing And Exporting Language Definitions

    Choose from one of the following tasks: • “Viewing predefined languages” on page 421 • “Viewing and removing custom languages” on page 421 • “Importing and exporting language definitions” on page 422 (see Figure 107).
  • Page 422 Viewing predefined languages To view predefined languages, click the Pre-defined Languages tab. The Pre-defined Languages table appears (see Viewing and removing custom languages To view custom languages, use the following procedure: Select the System > Language > Custom Languages tab. The Custom Added Languages table appears (see Figure 108 Custom Added Languages...
  • Page 423: Importing And Exporting Language Definitions

    Importing and exporting language definitions To import or export a language definition, use the following procedure: Click the Import/Export Definition tab. The Import/Export Definition screen appears (see Figure 109). Figure 109 Import/Export Definition
  • Page 424 Enter the language information in the applicable fields. Table 80 describes the Import Definition fields. Table 80 Import Definition fields: Action, Protocol, Host, Filename, ISO 639 Code, Username, Password. Click Apply on the toolbar to send the current changes to the Nortel SNAS 4050. Click Commit on the toolbar to save the changes permanently. Note: When exporting, the language definition is exported immediately after the Apply button is clicked.
  • Page 425: Setting The Portal Display Language Using The Srem

    To set the preferred language for the portal display, perform the following steps: Select the Secure Access Domain > domain > Portal > Language tab. The Language screen appears (see Figure 110). Figure 110 Language screen
  • Page 426: Configuring Content

    Enter the language information in the applicable fields. Table 81 describes the Language fields. Table 81 Language fields: Charset in use, Used Language. Click Apply on the toolbar to send the current changes to the Nortel SNAS 4050. Click Commit on the toolbar to save the changes permanently. Configuring the portal display using the SREM To modify the look and feel of the portal page that displays in the client’s web browser, select one of the following options:...
  • Page 427 To configure and modify portal content, perform the following steps: Select the Secure Access Domain > domain > Portal navigation tree component. The portal Configuration tab appears (see Figure 111). Figure 111 Portal Configuration screen
  • Page 428 Enter the Portal Configuration information in the applicable fields. Table 82 describes the Portal Configuration fields. Table 82 Portal Configuration fields: Installed Banner, Company Name, Icon Mode, Number of Columns on Home Tab, Width of Link Columns, URL on Link Page. Description: Displays the file name of the banner image file currently in...
  • Page 429 You can type in the text or paste it in at the prompt. Press Enter to create a new line. Restore Default Banner Restores the default Nortel banner. parameter is: var:portal 395. For more information about >...
  • Page 430: Importing Banners

    Importing banners To import a banner to display on the portal Home page, perform the following steps: Select the Secure Access Domain > domain > Portal > Import Banner tab. The Import Banner screen appears (see Figure 112). Figure 112 Import Banner screen
  • Page 431 SNAS 4050 domains, the total size of all imported banner image files must not exceed 16 MB. For more information about the customizable elements on the portal web page, see “Portal look and feel” on page 389. Table 83 tftp sftp
  • Page 432: Changing The Portal Colors Using The Srem

    Changing the portal colors using the SREM To customize the colors used for portal display, perform the following steps: Select the Secure Access Domain > domain > Portal > Color Settings tab. The Color Settings screen appears (see Figure 113). Figure 113 Color Settings screen
  • Page 433 SNAS 4050. Click Commit on the toolbar to save the changes permanently. For more information about the portal colors and themes, see “Portal look and feel” on page 389. Table 84 describes the...
  • Page 434: Configuring Custom Content Using The Srem

    Configuring custom content using the SREM To configure custom content, such as Java applets, on the portal, perform the following steps: • “Viewing basic information about custom content” on page 434 • “Importing custom content” on page 436 • “Exporting custom content” on page 438
  • Page 435 To view basic information about the existing custom content, perform the following steps: Select the Secure Access Domain > domain > Portal > Custom Content > Basic tab. The Basics screen appears (see Figure 114). Figure 114 Basics screen
  • Page 436: Importing Custom Content

    Enter the basic information in the applicable fields. Table 85 describes the Basics fields. Table 85 Basics fields: Custom Content State, Available Space. Click Apply on the toolbar to send the current changes to the Nortel SNAS 4050. Click Commit on the toolbar to save the changes permanently. Description...
  • Page 437 To import custom content, perform the following steps: Select the Secure Access Domain > domain > Portal > Custom Content > Import Content tab. The Import Content screen appears (see Figure 115). Figure 115 Import Content screen
  • Page 438 Enter the import information in the applicable fields. Table 86 describes the Import Content fields. Table 86 Import Content fields: Protocol, Host, Filename, Username, Password. Click Apply on the toolbar to send the current changes to the Nortel SNAS 4050. Click Commit on the toolbar to save the changes permanently. Protocol: Specifies the import protocol.
  • Page 439: Exporting Custom Content

    To export custom content, perform the following steps: Select the Secure Access Domain > domain > Portal > Custom Content > Export Content tab. The Export Content screen appears (see Figure 115). Figure 116 Export Content screen
  • Page 440: Configuring Linksets Using The Srem

    Enter the export information in the applicable fields. Table 87 describes the Export Content fields. Table 87 Export Content fields: Protocol, Host, Filename, Username, Password. Click Apply on the toolbar to send the current changes to the Nortel SNAS 4050. Click Commit on the toolbar to save the changes permanently. Configuring linksets using the SREM A linkset is a set of links that display on the portal Home tab.
  • Page 441: Creating A Linkset

    To create a linkset, perform the following steps: Select the Secure Access Domain > domain > Portal Links > Portal Links tab. The Portal Links screen appears (see Figure 117). Figure 117 Portal Links screen
  • Page 442 Click Add. The Add a Linkset dialog box appears (see Figure 118). Enter the linkset information in the applicable fields. Table 88 describes the Add a Linkset fields. Table 88 Add a Linkset fields: Index, Name, Link Text. Click Apply. The new linkset appears in the linkset table. Click Apply on the toolbar to send the current changes to the Nortel SNAS 4050.
  • Page 443: Modifying A Linkset

    To modify a linkset, perform the following steps: Select the Secure Access Domain > domain > Portal Links > linkset > Configuration tab. The linkset Configuration screen appears (see Figure 119). Figure 119 Linkset Configuration screen
  • Page 444 Enter the linkset information in the applicable fields. Table 89 describes the linkset Configuration fields. Table 89 Linkset Configuration fields: Index, Name, Link Text, Enable AutoRun. Note: If you ran the quick setup wizard during initial setup, two linksets have been created: (linkset ID = 2). The linksets are empty.
  • Page 445: Configuring Links Using The Srem

    “Modifying external link settings using the SREM” on page 450 • “Modifying FTP link settings using the SREM” on page 452 • “Reordering links using the SREM” on page 453 “Linksets and links” on page 394.
  • Page 446 Creating an external link using the SREM To create an external link, perform the following steps: Select the Secure Access Domain > domain > Portal Links > linkset > Links tab. The Links screen appears (see Figure 120). Figure 120 Links screen
  • Page 447 URL contained in the link. Protocol Specifies the protocol used for this link. Available options are: • https • http Note: This field is available for External links only. (see Figure 121). Table 90 describes the Add...
  • Page 448: Creating An Ftp Link Using The Srem

    Table 90 Add a Portal Link fields (continued): Host, Path. Click Apply. The new external link appears in the Links table. Click Apply on the toolbar to send the current changes to the Nortel SNAS 4050. Click Commit on the toolbar to save the changes permanently. Creating an FTP link using the SREM Note: Nortel Secure Network Access Switch Software Release 1.0 supports External links only.
  • Page 449 Ensure that FTP is selected from the list at the top of the dialog. If external link fields were being displayed, the dialog refreshes to display the fields required for an FTP link. (Figure 120 on page 445).
  • Page 450 Enter the link information in the applicable fields. Table 91 describes the Add a Portal Link — FTP fields. Table 91 Add a Portal Link — FTP fields: Index, Link Text, FTP Host, Initial Host Path. Click Apply. The new FTP link appears in the Links table. Click Apply on the toolbar to send the current changes to the Nortel SNAS 4050.
  • Page 451: Modifying External Link Settings Using The Srem

    Select the Secure Access Domain > domain > Portal Links > linkset > ext.link > Configuration tab. The external link Configuration screen appears (see Figure 123). Figure 123 External link Configuration screen
  • Page 452 Enter the link information in the applicable fields. Table 92 describes the external link Configuration fields. Table 92 External link Configuration fields: Index, Link Text, HREF, Protocol, Host, Path. Click Apply on the toolbar to send the current changes to the Nortel SNAS 4050. Click Commit on the toolbar to save the changes permanently. Description...
  • Page 453: Modifying Ftp Link Settings Using The Srem

    Select the Secure Access Domain > domain > Portal Links > linkset > ftp link > Configuration tab. The FTP link Configuration screen appears (see Figure 124). Figure 124 FTP link Configuration screen
  • Page 454 Enter the link information in the applicable fields. Table 93 describes the FTP link Configuration fields. Table 93 FTP link Configuration fields: Index, Link Text, FTP Host, Initial Host Path. Click Apply on the toolbar to send the current changes to the Nortel SNAS 4050. Click Commit on the toolbar to save the changes permanently. Reordering links using the SREM To change the order in which links display in the linkset, perform the following steps:...
  • Page 455 Specifies an integer in the range 1 to 256 that identifies the position of the link within the linkset. The index numbers of existing link entries with this index number and higher are incremented by 1. describes the Re Order...
  • Page 457: Chapter 10: Configuring System Settings

    Enabling TunnelGuard SRS administration using the CLI Configuring Nortel SNAS 4050 host SSH keys using the CLI Configuring RADIUS auditing using the CLI Configuring authentication of system users using the CLI Page...
  • Page 458 Topic Configuring the cluster using the SREM Configuring system settings using the SREM Configuring a Nortel SNAS 4050 host using the SREM Configuring host interfaces using the SREM Configuring static routes using the SREM Configuring host ports using the SREM Managing interface ports using the SREM Configuring the access list using the SREM Managing date and time settings using the SREM...
  • Page 459: Configuring The Cluster Using The Cli

    “Configuring the Access List using the CLI” on page 617) “Enabling TunnelGuard SRS “Configuring RADIUS auditing using 488) “Managing system users and groups” on page “Configuring 465) 471) 480) (not “Configuring 483) “Configuring SNMP”...
  • Page 460: Roadmap Of System Commands

    • disabling SSL traffic trace commands (see the CLI” on page Roadmap of system commands The following roadmap lists the CLI commands to configure cluster-wide parameters and the Nortel SNAS 4050 host within the cluster. Use this list as a quick reference or click on any entry for more information: Command /cfg/sys...
  • Page 461 <port> add <port> list del <index number> add <IPaddr> <mask> date <date> time <time> tzone list del <index number> add <IPaddr> cachesize <entries> retransmit <interval> count <count> ttl <ttl>
  • Page 462 Command /cfg/sys/dns/servers /cfg/sys/rsa /cfg/sys/syslog /cfg/sys/adm /cfg/sys/adm/srsadmin /cfg/sys/adm/sshkeys Parameter health <interval> hdown <count> hup <count> list del <index number> add <IPaddr> insert <index number> <IPaddr> move <index number> <new index number> rsaname <name> import <protocol> <server> <filename> [<FTP user name> <FTP password>] rmnodesecr list...
  • Page 463: Configuring System Settings Using The Cli

    <index number> <IPaddr> move <index number> <new index number> timeout <interval> fallback on|off list del <index number> add <IPaddr> <port> <shared secret> insert <index number> <IPaddr> move <index number> <new index number>
  • Page 464 Configuring system settings using the CLI To view and configure cluster-wide system settings, use the following command: /cfg/sys The System menu displays. The System menu includes the following options: /cfg/sys followed by: mip <IPaddr> host <host ID> routes time rsa <server ID> syslog Sets the MIP for the cluster.
  • Page 465: Configuring The Nortel Snas 4050 Host Using The Cli

    “Tracing SSL traffic using the CLI” on page 136). The distrace command is used to improve security. The only way to reverse this command is to do a boot install. command also allows you to halt, reboot, or...
  • Page 466 The Cluster Host menu includes the following options: /cfg/sys/host <host ID> followed by: ip <IPaddr> sysName <name> sysLocatio <location> license <key> gateway <IPaddr> routes interface <interface number> Sets the Real IP address (RIP) for Interface 1 on the device. The RIP is the Nortel SNAS 4050 device host IP address for network connectivity and must be unique on the network.
  • Page 467 /cfg/sys/host <host ID> followed by: port ports hwplatform halt Accesses the Host Port menu, in order to configure port properties (see “Configuring host ports using the CLI” on page 472). Lists the physical ports on the device, by port number.
  • Page 468 /cfg/sys/host <host ID> followed by: reboot delete Reboots the Nortel SNAS 4050. If the Nortel SNAS 4050 you want to reboot has become isolated from the cluster, you will receive an error message when executing the reboot command. In this case, log on to the Nortel SNAS 4050 using a console connection or remotely by connecting to the Nortel SNAS 4050 RIP (host address).
  • Page 469: Viewing Host Information

    1 to 252 that uniquely identifies Sets the network address for the interface. (For Interface 1, the network address is the RIP.) Sets the subnet mask for the interface. command.
  • Page 470 /cfg/sys/host #/interface <interface ID> followed by: gateway <IPaddr> routes vlanid <tag> mode failover|trunking ports Sets the default gateway address for the interface. The default gateway is the IP address of the interface on the core router that will be used for management traffic (such as requests to private authentication servers and DNS servers).
  • Page 471: Configuring Static Routes Using The Cli

    Removes the interface from the system configuration. is an integer in the range 1 to 252 that uniquely identifies...
  • Page 472: Configuring Host Ports Using The Cli

    The system, host, or interface Routes menu displays. When you add a static route to the system, host, or interface configuration, the route is automatically assigned an index number. There are separate sequences of index numbers for routes configured for the cluster, for each host, and for each interface.
  • Page 473: Managing Interface Ports Using The Cli

    Sets the duplex mode for the host and NIC port when auto-negotiation is set to... The options are full and half. The default duplex mode is full. is an integer in the range 1 to 252 that uniquely identifies...
  • Page 474: Configuring The Access List Using The Cli

    The Interface Ports menu includes the following options: /cfg/sys/host #/interface <interface ID>/ports followed by: list del <port> add <port> Configuring the Access List using the CLI The Access List is a cluster-wide list of IP addresses for hosts authorized to access the Nortel SNAS 4050 devices by Telnet, SSH, and SREM.
  • Page 475: Configuring Date And Time Settings Using The Cli

    You can set the mask to specify a single machine or a range of machines on a specific network. An index number is automatically assigned to the entry.
  • Page 476: Managing Ntp Servers

    The Date and Time menu includes the following options: /cfg/sys/time followed by: date <date> time <time> tzone Managing NTP servers You can add NTP servers to the system configuration to enable the NTP client on the Nortel SNAS 4050 to synchronize its clock. To compensate for discrepancies, it is recommended that NTP have access to at least three NTP servers.
  • Page 477: Configuring Dns Servers And Settings Using The Cli

    Specifies the size of the local DNS cache. • is an integer in the range 0–10000 entries indicating the maximum number of DNS entries in the local DNS cache. The default is 1000. “Managing DNS...
  • Page 478 /cfg/sys/dns followed by: retransmit <interval> count <count> ttl <ttl> health <interval> hdown <count> hup <count> Sets the interval for retransmitting a DNS query. • interval is a positive integer that indicates the time interval in seconds ( ), minutes ( ).
  • Page 479: Managing Dns Servers

    <index number> add <IPaddr> insert <index number> <IPaddr> Lists the IP addresses of currently configured DNS servers, by index number. Removes the specified DNS server from the system configuration. The index numbers of the remaining entries adjust accordingly.
  • Page 480: Configuring Rsa Servers Using The Cli

    /cfg/sys/dns/servers followed by: move <index number> <new index number> Configuring RSA servers using the CLI To configure the symbolic name for the RSA server and import the configuration file, use the following command: /cfg/sys/rsa The RSA Servers menu displays. Note: This feature is not supported in Nortel Secure Network Access Switch Software Release 1.0.
  • Page 481: Configuring Syslog Servers Using The Cli

    Authentication will then fail until the Node secret created check box is unchecked in the Edit Agent Host window on the RSA server. Deletes the current RSA server information. file from the file sdconf.rec...
  • Page 482 The Syslog Servers menu includes the following options: /cfg/sys/syslog followed by: list del <index number> add <IPaddr> <facility> insert <index number> <IPaddr> <facility> move <index number> <new index number> Lists the IP addresses and facility numbers of all configured syslog servers, by index number. Removes the specified syslog server from the system configuration.
  • Page 483: Configuring Administrative Settings Using The Cli

    When the user is automatically logged out, any unapplied changes are lost. Save your configuration changes regularly by using the global apply command. 485) ), hours ( ), or...
  • Page 484 /cfg/sys/adm followed by: audit auth telnet on|off ssh on|off srsadmin sshkeys Accesses the Audit menu, in order to configure RADIUS auditing (see “Configuring RADIUS auditing using the CLI” on page 488). Accesses the Authentication menu, in order to configure RADIUS authentication of system users (see “Configuring authentication of system users using the CLI”...
  • Page 485: Enabling Tunnelguard Srs Administration Using The Cli

    Specifies the TCP port used for communication with the SRS administration server. The default is port 4443. Enables SRS administration, for creating and managing SRS rules. Disables SRS administration. The default is disabled. 317). Before...
  • Page 486 During initial setup, there is an option to generate the SSH host keys automatically. To generate and view the SSH keys used by all hosts in the cluster for secure management communications, use the following command: /cfg/sys/adm/sshkeys The SSH Host Keys menu displays. The SSH Host Keys menu includes the following options: /cfg/sys/adm/sshkeys followed by:...
  • Page 487: Managing Known Hosts Ssh Keys Using The Cli

    <index number> import <IPaddr> Lists the type and fingerprint of the known SSH keys for remote hosts, by index number. Removes the specified known host SSH key. To view the index numbers of all known host SSH keys, use the list command.
  • Page 488: Configuring Radius Auditing Using The Cli

    Configuring RADIUS auditing using the CLI You can configure the Nortel SNAS 4050 cluster to include a RADIUS server to receive log messages about commands executed in the CLI or the SREM, for audit purposes.
  • Page 489: Configuring Radius Auditing

    The Audit menu includes the following options: /cfg/sys/adm/audit followed by: servers vendorid Accesses the RADIUS Audit Servers menu, in order to configure external RADIUS audit servers for the cluster (see “Managing RADIUS audit servers using the CLI”...
  • Page 490: Managing Radius Audit Servers Using The Cli

    /cfg/sys/adm/audit followed by: vendortype Managing RADIUS audit servers using the CLI To configure the Nortel SNAS 4050 to use external RADIUS audit servers, use the following command: /cfg/sys/adm/audit/servers The RADIUS Audit Servers menu displays. The RADIUS Audit Servers menu includes the following options: /cfg/sys/adm/audit/servers followed by: list...
  • Page 491 <index number> <IPaddr> move <index number> <new index number> Adds a RADIUS audit server to the configuration. You are prompted to enter the following information: • IPaddr — the IP address of the audit server •...
  • Page 492: Configuring Authentication Of System Users Using The Cli

    Configuring authentication of system users using the CLI You can configure the Nortel SNAS 4050 cluster to use an external RADIUS server to authenticate system users. Authentication applies to both CLI and SREM users. The user name and password defined on the RADIUS server must be the same as the user name and password defined on the Nortel SNAS 4050.
  • Page 493: Managing Radius Authentication Servers Using The Cli

    /cfg/sys/adm/auth/servers The RADIUS Authentication Servers menu displays. Sets the timeout interval for a connection request to a RADIUS server. At the end of the timeout period, if no connection has been established, authentication will fail.
  • Page 494 The RADIUS Authentication Servers menu includes the following options: /cfg/sys/adm/auth/servers followed by: list del <index number> add <IPaddr> <port> <shared secret> insert <index number> <IPaddr> move <index number> <new index number> Lists the IP addresses of currently configured RADIUS authentication servers, by index number.
  • Page 495: Configuring The Cluster Using The Srem

    “Adding an SSH key for a known host using the SREM” on page 553 • “Managing RADIUS audit settings using the SREM” on page 554 • “Managing RADIUS authentication of system users using the SREM” on page 562
  • Page 496: Configuring System Settings Using The Srem

    Configuring system settings using the SREM To view and configure cluster-wide system settings, perform the following steps: Select the System > Configuration tab. The system Configuration screen appears (see Figure 126). Figure 126 System Configuration
  • Page 497: Configuring A Nortel Snas 4050 Host Using The Srem

    To reset the MIP, log on to the RIP instead. “Configuring host interfaces 508. For details about configuring host and interface “Configuring host ports using the SREM” on page 520, 523.
  • Page 498: Viewing Host Information

    Viewing host information. To display a list of available Nortel SNAS 4050 hosts, select the System > Hosts > Hosts tab. The Hosts screen appears (see Figure 127, Hosts), ... SNAS 4050 configuration. To view detailed host information, select a particular host from the navigation tree, or in the Hosts list.
  • Page 499: Viewing And Configuring Tcp/Ip Properties

    To configure basic TCP/IP properties for a particular Nortel SNAS 4050 device in the cluster, perform the following steps: Select the System > Hosts > host > Host tab. The Host screen appears (see Figure 128, Host).
  • Page 500: Viewing And Installing Host Licenses

    Enter the host information in the applicable fields. Table 96, Host fields, describes the fields: Index, IP Address, System Name, System Location, IP Gateway, HW Platform. Click Apply on the toolbar to send the current changes to the Nortel SNAS 4050. Click Commit on the toolbar to save the changes permanently. Viewing and installing host licenses. There are three ways to view installed licenses using the SREM: ...
  • Page 501 To view global licenses for all Nortel SNAS 4050 devices in the cluster, perform the following steps: Select the System > Hosts > Licenses > Global Licenses tab. The Global Licenses screen appears (see Figure 129, Global Licenses).
  • Page 502 Table 97, Global Licenses fields, describes the Global Licenses fields: Auto Refresh Interval, Logging, State of Global Licences. Modify the Auto Refresh and Logging settings, if desired. Click Apply on the toolbar to send the current changes to the Nortel SNAS 4050. Click Commit on the toolbar to save the changes permanently.
  • Page 503 To view licenses by domain for all Nortel SNAS 4050 devices in the cluster, perform the following steps: Select the System > Hosts > Licenses > Per Domain Licenses tab. The Per Domain Licenses screen appears (see Figure 130, Per Domain Licenses).
  • Page 504 Table 98, Per Domain Licenses fields, describes the fields: Auto Refresh Interval, Logging, State of Licences Per Domain. Modify the Auto Refresh and Logging settings, if desired. Click Apply on the toolbar to send the current changes to the Nortel SNAS 4050.
  • Page 505 System > Hosts > host > Installed Licenses tab. The Installed Licenses screen appears (see Figure 131, Installed Licenses), displaying a list of the type and value for each license installed on that Nortel SNAS 4050 host.
  • Page 506 Installing a license for a particular host The Nortel SNA SSL (portal and Nortel SNAS 4050 domain client access) license is available for 100, 250, 500, and 1000 users. Note: Before installing a new license, you must first purchase a Nortel SNA SSL (portal and Nortel SNAS 4050 domain client access) license key from Nortel Technical Support.
  • Page 507 Click Add to add the new license to this Nortel SNAS 4050 host. Click Apply on the toolbar to send the current changes to the Nortel SNAS 4050. Click Commit on the toolbar to save the changes permanently. (Figure 132.)
  • Page 508: Configuring Host Interfaces Using The Srem

    Configuring host interfaces using the SREM The default IP interface on the Nortel SNAS 4050 host is Interface 1. You can create additional interfaces and specify the ports to be assigned to each interface. If you assign more than one port to an interface, you can choose whether the ports will operate in failover or trunking mode.
  • Page 509: Adding A Host Interface

    Index: An integer in the range 1 to 252 that uniquely identifies the interface on the Nortel SNAS 4050. Ip Address: Sets the network address for the interface. (For Interface 1, the network address is the RIP.) (See Figure 133 on page 508 and Figure 134.)
  • Page 510 Table 99, Add an Interface fields (continued): Gateway, Netmask, VlanId, Mode, Primary Port. Gateway: Sets the default gateway address for the interface. The default gateway is the IP address of the interface on the core router that will be used for management traffic (such as requests to private authentication servers and DNS servers). Click Apply. The new interface appears in the Interfaces table.
  • Page 511: Configuring An Existing Host Interface

    To configure an existing host interface, perform the following steps: Select the System > Hosts > host > interface > Interface tab. The Interface configuration screen appears (see Figure 135, Interface configuration screen).
  • Page 512 Enter the interface information in the applicable fields. Table 100, Interface fields, describes the Interface configuration fields: Index, Ip Address, Gateway, Netmask, VlanId. Index: An integer in the range 1 to 252 that uniquely identifies the interface on the Nortel SNAS 4050. This field cannot be changed after the interface is added.
  • Page 513 Click Apply on the toolbar to send the current changes to the Nortel SNAS 4050. Click Commit on the toolbar to save the changes permanently. failover — only one link is active at any given time. If the...
  • Page 514: Removing A Host Interface

    Removing a host interface. To delete a host interface, perform the following steps: Select the System > Hosts > host > Interfaces tab. The Interfaces screen appears (see ...). Select an interface from the list. Click Delete. A confirmation dialog appears. Click Yes.
  • Page 515: Viewing Static Routes For A Cluster

    The IP Routes screen appears (see Figure 136, IP Routes), displaying a list of the existing static routes on the Nortel SNAS 4050 cluster. To continue, see “Managing static routes” on page 517.
  • Page 516: Viewing Static Routes For A Host

    Viewing static routes for a host. To configure static routes for a host, select the System > Hosts > host > Routes tab. The Routes screen appears (see Figure 137, Routes), displaying a list of the existing static routes on this host. To continue, see “Managing static routes”...
  • Page 517: Viewing Static Routes For An Interface

    To continue, see “Managing static routes” on page 517. Managing static routes. Select the static route tab for the appropriate level, as described in “Configuring static routes using the SREM” on page 514.
  • Page 518: Adding A Static Route

    From the selected static route screen, complete the following tasks as necessary: • “Adding a static route” on page 518 • “Removing a static route” on page 519. Adding a static route. To add a static route, perform the following steps: Select the static route from the table.
  • Page 519: Removing A Static Route

    The static route is removed from the table. Click Apply on the toolbar to send the current changes to the Nortel SNAS 4050. Click Commit on the toolbar to save the changes permanently.
  • Page 520: Configuring Host Ports Using The Srem

    Configuring host ports using the SREM. To configure the connection properties for a port, perform the following steps: Select the System > Hosts > host > Ports tab. The Ports screen appears (see Figure 140, Ports).
  • Page 521 Select a port to configure from the list. The Port screen appears (see Figure 141, Port), displaying configuration details for the selected port.
  • Page 522 Enter the port information in the applicable fields. Table 102, Port fields, describes the fields: Index, Autonegotiate, Speed, Mode. Click Apply on the toolbar to send the current changes to the Nortel SNAS 4050. Click Commit on the toolbar to save the changes permanently.
  • Page 523: Managing Interface Ports Using The Srem

    The Port screen appears (see Figure 142, Port). This screen allows you to complete any of the following tasks: • “Adding interface ports” on page 524 • “Removing interface ports” on page 524
  • Page 524: Adding Interface Ports

    Adding interface ports. To add ports to the selected interface, perform the following steps: Select the System > Hosts > host > interface > Port tab. The Port screen appears (see ...). Click Add. The Add a Port dialog appears. Enter the port information in the applicable fields (Add a Port fields).
  • Page 525: Configuring The Access List Using The Srem

    For information about enabling Telnet and SSH access, see “Configuring administrative settings using the CLI” on page 483 and “Configuring administrative settings using the SREM” on page 546. To configure the access list, select the System > Access List tab.
  • Page 526: Adding An Access List Entry

    The Access List Table appears (see Figure 143, Access List). From here, you can manage the access list by choosing from the following tasks: • “Adding an access list entry” on page 526 • “Removing an Access List entry” on page 527. Adding an access list entry. To add an entry to the access list, perform the following steps: Select the System >...
  • Page 527: Removing An Access List Entry

    Select the System > Access List tab. The Access List Table appears (see Figure 143 on page 526). Select an entry from the Access List Table to remove. Click Delete. A confirmation dialog appears. (See also Figure 144 and Table 104.)
  • Page 528: Managing Date And Time Settings Using The Srem

    Click Yes. The entry disappears from the Access List Table. Click Apply on the toolbar to send the current changes to the Nortel SNAS 4050. Click Commit on the toolbar to save the changes permanently. Managing date and time settings using the SREM To manage system date and time settings, select the System >...
  • Page 529: Configuring The Date And Time Settings

    Displays a list of active NTP servers. Click Apply on the toolbar to send the current changes to the Nortel SNAS 4050. Click Commit on the toolbar to save the changes permanently. (Figure 145 on page 528.)
  • Page 530: Adding An Ntp Server

    Adding an NTP server. To add an additional NTP server, perform the following steps: Select the System > Date and Time tab. The Date and Time screen appears (see ...). Click Add. The Add NTP Server dialog box appears (see Figure 146). Enter the NTP Server information in the applicable fields.
  • Page 531: Removing An Ntp Server

    The NTP server entry disappears from the NTP Server Table. Click Apply on the toolbar to send the current changes to the Nortel SNAS 4050. Click Commit on the toolbar to save the changes permanently. (Figure 145 on page 528.)
  • Page 532: Configuring Dns Settings Using The Srem

    Configuring DNS settings using the SREM. To configure DNS client settings, use the following procedure: Select the System > DNS Client Settings tab. The DNS Client Settings screen appears (see Figure 147, DNS Client Settings).
  • Page 533 DNS server is up. The default is 2. Click Apply on the toolbar to send the current changes to the Nortel SNAS 4050. Click Commit on the toolbar to save the changes permanently. Table 107: ... ), minutes ( ), or hours ( ).
  • Page 534: Configuring Servers Using The Srem

    Configuring servers using the SREM. To configure servers, choose from one of the following tasks: • “Managing syslog servers” on page 534 • “Managing DNS servers” on page 537 • “Managing RSA servers” on page 540. Managing syslog servers. To manage syslog servers, select the System > Servers > Syslog Servers tab. The Syslog Servers table appears (see ...) ... syslog servers.
  • Page 535 Local Facility: Specifies a local facility number that can be used to uniquely identify syslog entries. Click Add. The syslog server entry appears in the Syslog Server Table. (Figure 148; Figure 149.)
  • Page 536 Click Apply on the toolbar to send the current changes to the Nortel SNAS 4050. Click Commit on the toolbar to save the changes permanently. Reordering a new syslog server To reorder the existing syslog servers, perform the following steps: Select the System >...
  • Page 537: Managing Dns Servers

    From this screen, you can complete the following tasks as necessary: • “Adding a DNS server” on page 538 • “Removing an existing DNS server” on page 539. (See Figure 150; “Captive ...” on page 386.)
  • Page 538: Adding A Dns Server

    Adding a DNS server. To manage DNS servers in the system configuration, perform the following steps: Select the System > Servers > DNS Servers tab. The DNS Server Table appears (see ...). Click Add. The Add DNS Server dialog box appears (see Figure 151). Enter the DNS server information in the applicable fields.
  • Page 539 The DNS server entry is immediately removed from the DNS Server Table. Click Apply on the toolbar to send the current changes to the Nortel SNAS 4050. Click Commit on the toolbar to save the changes permanently. (Figure 150 on page 537.)
  • Page 540: Managing Rsa Servers

    Managing RSA servers. To manage RSA servers, select the System > Servers > RSA Server Table tab. The RSA Server Table appears (see ...) ... already been configured on the Nortel SNAS 4050. Note: This feature is not supported in Nortel Secure Network Access Switch Software Release 1.0.
  • Page 541 The RSA server appears in the RSA Server Table. Click Apply on the toolbar to send the current changes to the Nortel SNAS 4050. Click Commit on the toolbar to save the changes permanently. (Figure 152 on page 540.)
  • Page 542 Removing an existing RSA server. To remove an existing RSA server, perform the following steps: Select the System > Servers > RSA Server Table tab. The RSA Server Table appears (see ...). Select the RSA server entry to remove from the RSA Server Table. Click Delete.
  • Page 543 Specifies the index value for the server entry. This value cannot be changed once the RSA server has been created. Specifies the symbolic name of the RSA server. (Figure 154.) The screen displays the...
  • Page 544 Click Remove Secret Node. The RSA node secret is immediately removed. Click Apply on the toolbar to send the current changes to the Nortel SNAS 4050. Click Commit on the toolbar to save the changes permanently. Importing sdconf.rec. The sdconf.rec file contains the ACE/Server information. Contact your RSA ACE/Server administrator to obtain the file and make it available on the specified TFTP/FTP/SCP/SFTP server.
  • Page 545 Select the Import sdconf.rec tab. The Import sdconf.rec screen appears (see Figure 155, Import sdconf.rec).
  • Page 546: Configuring Administrative Settings Using The Srem

    Enter the importing information in the applicable fields. Table 112, Import sdconf.rec fields, describes the fields: Protocol, Host, Filename, Username, Password. Click Apply on the toolbar to send the current changes to the Nortel SNAS 4050 and import the sdconf.rec file. Click Commit on the toolbar to save the changes permanently.
  • Page 547: Configuring Srs Control Settings Using The Srem

    To configure support for managing the SRS rules, perform the following steps: Select the System > Administrative > SRS Control Settings tab. The SRS Control Settings screen appears (see Figure 156, SRS Control Settings). See also “TunnelGuard SRS Builder” on page 317. Before...
  • Page 548: Configuring Nortel Snas 4050 Host Ssh Keys Using The Srem

    Enter the SRS Control information in the applicable fields. Table 113 describes the SRS Control Settings fields: SRS Port, Enabled. Click Apply on the toolbar to send the current changes to the Nortel SNAS 4050. Click Commit on the toolbar to save the changes permanently. Configuring Nortel SNAS 4050 host SSH keys using the SREM. The Nortel SNAS 4050 functions as both SSH client (for importing and exporting...
  • Page 549: Showing Ssh Keys

    Show SSH Keys. To show the existing SSH key, click Show. The keys display in the following formats: • RSA1 keys — the OpenSSH implementation, except that the line is wrapped. (Figure 157.)
  • Page 550 • RSA and DSA keys — the SECSH Public Key File Format, as described in Internet Draft To copy the existing SSH key, click Copy. To fully conform to the OpenSSH implementation for RSA1 keys, you may need to edit the output back into a single line for use in the key storage of an SSH client.
  • Page 551: Managing Nortel Snas 4050 And Known Host Ssh Keys

    To import the public SSH key of a known remote host, use the following steps: Click the Hosts tab. The Hosts screen appears (see Figure 158, SSH Keys – Hosts).
  • Page 552 To generate the Nortel SNAS 4050 host SSH key: Enter the host information in the applicable fields. Table 114 describes the Hosts fields: SSH Key for IP Address, Hosts Table. Click Generate SSH Keys. To remove a known host SSH key: Select the SSH key from the Hosts Table.
  • Page 553: Adding An Ssh Key For A Known Host Using The Srem

    To add the public SSH key of a known remote host, use the following steps: Click the Add SSH Key tab. The Add SSH Key screen appears (see Figure 159, Add SSH Key).
  • Page 554: Managing Radius Audit Settings Using The Srem

    Enter the remote host information in the applicable fields. Table 115 describes the Add SSH Key fields: Host name or IP Address. Click Paste to enter the contents of a downloaded SSH key file in the box provided. Valid formats are: ...
  • Page 555: About The Vendor-Specific Attributes

    To simplify the task of finding audit entries in the RADIUS server log, do the following: In the RADIUS server dictionary, define a descriptive string (for example, NSNAS-SSL-Audit-Trail). Map this string to the Vendor-Type value. (See “Managing RADIUS audit servers using the ...” on page 183.)
  • Page 556: Configuring Radius Auditing

    Configuring RADIUS auditing. To configure the Nortel SNAS 4050 to support RADIUS auditing, choose from one of the following tasks: • “Configuring RADIUS audit settings using the SREM” on page 557 • “Managing RADIUS audit servers using the SREM” on page 559
  • Page 557: Configuring Radius Audit Settings Using The Srem

    Select the System > Administrative > Radius Audit > Configuration tab. The RADIUS audit Configuration screen appears (see Figure 160, RADIUS audit Configuration). Enter the Audit Configuration information in the applicable fields. Table 116...
  • Page 558 Table 116 describes the Add Audit Configuration fields: Vendor ID, Vendor Type, Audit Enabled. Click Apply on the toolbar to send the current changes to the Nortel SNAS 4050. Click Commit on the toolbar to save the changes permanently.
  • Page 559: Managing Radius Audit Servers Using The Srem

    Audit Servers. Select from the following tasks to manage the audit servers: • “Adding a new Audit Server” on page 560 • “Removing an existing RADIUS audit server” on page 561. (Figure 161.)
  • Page 560 Adding a new Audit Server. To add a new RADIUS audit server, perform the following steps: Select the System > Administrative > Radius Audit > Audit Servers tab. The Audit Server Table appears (see ...). Click Add. The Add Audit Server dialog box appears (see Figure 162). Enter the RADIUS audit server information in the fields provided.
  • Page 561 The audit server entry is immediately removed from the Audit Server Table. Click Apply on the toolbar to send the current changes to the Nortel SNAS 4050. Click Commit on the toolbar to save the changes permanently. (Figure 161 on page 559.)
  • Page 562: Managing Radius Authentication Of System Users Using The Srem

    Managing RADIUS authentication of system users using the SREM You can configure the Nortel SNAS 4050 cluster to use an external RADIUS server to authenticate system users. Authentication applies to both CLI and SREM users. The user name and password defined on the RADIUS server must be the same as the user name and password defined on the Nortel SNAS 4050.
  • Page 563: Configuring Radius Authentication Of System Users Using The Srem

    To configure RADIUS authentication, perform the following steps: Select the System > Administrative > Radius Authentication > Configuration tab. The RADIUS authentication Configuration screen appears (see Figure 163, Radius Authentication Configuration).
  • Page 564 Enter the RADIUS authentication information in the applicable fields. Table 118 describes the Radius Audit Configuration fields: Server Timeout, Use Local Password as Fallback, RADIUS Authentication Enabled. Click Apply on the toolbar to send the current changes to the Nortel SNAS 4050. Click Commit on the toolbar to save the changes permanently.
  • Page 565: Managing Radius Authentication Servers Using The Srem

    Radius Server Table. Select from the following tasks to manage the RADIUS authentication servers: • “Adding a RADIUS authentication server” on page 566 • “Removing an existing RADIUS server” on page 567. (Figure 164.)
  • Page 566 Adding a RADIUS authentication server. To add a new RADIUS authentication server, perform the following steps: Select the System > Administrative > Radius Authentication > Radius Servers tab. The Radius Server Table appears (see ...). Click Add. The Add Radius Server dialog box appears (see Figure 165). Enter the RADIUS server information in the applicable fields.
  • Page 567 ... Server Table. Click Apply on the toolbar to send the current changes to the Nortel SNAS 4050. Click Commit on the toolbar to save the changes permanently. (Figure 164 on page 565.)
  • Page 569: Chapter 11: Managing Certificates

    Exporting a certificate and key from the Nortel SNAS 4050 using the CLI (594); Generating a test certificate using the CLI; Managing private keys and certificates using the SREM; Creating a certificate using the SREM.
  • Page 570: Overview

    Topics: Generating and submitting a CSR using the SREM; Importing a certificate or key using the SREM; Displaying or saving a certificate and key using the SREM; Exporting a certificate and key from the Nortel SNAS 4050 using the SREM; Viewing certificate information using the SREM. Overview. To use the encryption capabilities of the Nortel SNAS 4050, you must add a key...
  • Page 571: Key And Certificate Formats

    Most browsers allow importing a combined key and certificate file in the PKCS12 format. Certificate only. Key only (used in WebLogic). Key only (proprietary format). Table 120 summarizes the...
  • Page 572 Table 120, Supported key and certificate formats (Sheet 2 of 2). Columns: Format, Import/Add, Export/Save, Comment. Rows: Netscape Enterprise Server; iPlanet Server. Comment: Key only (proprietary format). *You must use the PEM format when: • you save keys and certificates by copying • you add a key or certificate by pasting
  • Page 573: Creating Certificates

    See “Adding a private key to the Nortel SNAS 4050 using the CLI” on page 587 and “Generating and submitting a CSR using the CLI”, as well as the related sections “Generating and submitting ...”, “Installing ...”, “Configuring SSL ...”, and “Importing certificates ...” (pages 573, 176, 601, 603).
  • Page 574: Saving Or Exporting Certificates And Keys

    If you use the certificate index number of an installed certificate when adding a new certificate, the installed certificate is overwritten. After you have installed the certificate, map it to the Nortel SNAS 4050 portal (see “Configuring SSL settings using the CLI” on page 139 or “Configuring SSL settings using the SREM”...
  • Page 575: Managing Private Keys And Certificates Using The Cli

    Commands referenced: /cfg/cur cert; /cfg/cert <old cert ID>/del. See “Configuring SSL settings using the SREM” on page 176 and the sections on pages 573, 579, 584, 587, and 601. In the SREM, use the “Generating and ...” and “Configuring SSL settings ...” commands; in the CLI, see “Managing and ...”.
  • Page 576: Roadmap Of Certificate Management Commands

    • import certificates and private keys (see “Importing certificates and keys into the Nortel SNAS 4050 using the CLI” on page 588) • save certificates and private keys (see “Displaying or saving a certificate and key using the CLI” on page 591) • export certificates and private keys (see “Exporting a certificate and key from the Nortel SNAS 4050 using the CLI” on page 594) •...
  • Page 577: Managing And Viewing Certificates And Keys Using The Cli

    See “Adding a private key to the Nortel SNAS 4050 using the CLI” on page 587. Accesses the Revocation menu. Not supported in Nortel Secure Network Access Switch Software Release 1.0.
  • Page 578 /cfg/cert <cert ID> followed by: gensigned server|client; request; sign; test; import; export. gensigned: Generates a certificate that is signed using the private key associated with the currently selected certificate. You are prompted to provide the following parameters: <country> <state or province> <locality> <organization>...
  • Page 579: Generating And Submitting A Csr Using The Cli

    For the Nortel SNAS 4050, private keys are protected by the cluster. Removes the current certificate and private key. /cfg/cert <cert id> (page 591). /cfg/...
  • Page 580 • to generate a CSR for a new certificate, < certificate number • to generate a CSR to renew an existing certificate, < existing certificate number Prepare the CSR. Enter the following command: /cfg/cert #/request You are prompted to enter the certificate request information. explains the required parameters.
  • Page 581 Apply the changes. The private key is created and stored in encrypted form on the Nortel SNAS 4050 using the specified certificate number. Specifies alternative information for the subject if you did not provide a Common Name or e-mail address.
  • Page 582 Figure 166 shows the session. For more information about the Certificate menu commands, see “Managing and viewing certificates and keys using the CLI” on page 577. Figure 166: >> Certificate 2# The combined length of the following parameters may not exceed 225 bytes. Country Name (2 letter code): State or Province Name (full name): Locality Name (eg, city): Organization Name (eg, company):...
  • Page 583 When prompted, paste the CSR as required in the CA online request process. If the CA requires you to identify a server software vendor whose software you used to generate the CSR, specify Apache. (-----BEGIN CERTIFICATE ... -----END CERTIFICATE REQUEST----- ... extension.)
  • Page 584: Adding A Certificate To The Nortel Snas 4050 Using The Cli

    The CA processes the CSR and returns a signed certificate. Create a backup copy of the certificate (see “... the CLI” on page ...). The certificate is ready to be added into the Nortel SNAS 4050 cluster (see “Adding a certificate to the Nortel SNAS 4050 using the CLI” on page 584). Adding a certificate to the Nortel SNAS 4050 using the CLI. The following steps describe how to install a certificate (and key, if applicable) using the copy-and-paste method.
  • Page 585 ... CSR and are using a new certificate request number, you must now add the corresponding private key (see “Adding a private key to the Nortel SNAS 4050 using the CLI” on page 587). ... command. -----BEGIN ... -----END CERTIFICATE-----...
  • Page 586 Figure 167 shows the session. For more information about the Certificate menu commands, see “Managing and viewing certificates and keys using the CLI” on page 577. Note: Depending on the type of certificate the CA generates (registered or chain), your certificate may be substantially different from the sample output.
  • Page 587: Adding A Private Key To The Nortel Snas 4050 Using The Cli

    Apply the changes. The certificate and private key are now fully installed. /cfg/cert <cert id>, where <cert id> is the certificate number. -----BEGIN RSA PRIVATE ... -----END RSA PRIVATE KEY----- lines. ) to...
  • Page 588: Importing Certificates And Keys Into The Nortel Snas 4050 Using The Cli

    Figure 168 shows the session. For more information about the Certificate menu commands, see “Managing and viewing certificates and keys using the CLI” on page 577. Figure 168: >> Certificate 2# key Paste the key, press Enter to create a new line, and then type "..."(without the quotation marks) to terminate. >...
  • Page 589 Table 122, Certificate and key import information. Parameters: Protocol; Server host name or IP address (the host name or IP address of the file exchange ...); File name. /cfg/cert <cert id> command, where <cert id> is the certificate number. /cfg/cert #/show. Table 122 explains the required parameters.
  • Page 590 Table 122 parameters: [FTP user name and password]; [Pass phrase]. If the private key was not included in the certificate file, repeat ... page 589. Apply the changes. The certificate and private key are now fully installed. Figure 169 shows the session. For more information about the Certificate menu commands, see “Managing and viewing certificates and keys using the CLI”...
  • Page 591: Displaying Or Saving A Certificate And Key Using The Cli

    (for example, when adding, importing, or exporting private keys and certificates). /cfg/cert <cert id>, where <cert id> is the certificate number of the certificate you ... /cfg/cert #/export /info/...
  • Page 592 Copy the private key, certificate, or both, as required. For the private key, ensure that you include the -----BEGIN RSA PRIVATE KEY----- and -----END RSA PRIVATE KEY----- lines. For the certificate, ensure that you include the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines. Paste the private key, certificate, or both into a text editor. Save the file with a .PEM extension.
  • Page 593 -----END CERTIFICATE----- >> Certificate 1# The figure shows sample output for the /cfg/cert #/display command. For more information, see “Managing and viewing certificates and keys using the CLI” on page 577.
  • Page 594: Exporting A Certificate And Key From The Nortel Snas 4050 Using The Cli

    Exporting a certificate and key from the Nortel SNAS 4050 using the CLI. You can export certificate files and key files from the Nortel SNAS 4050 using TFTP, FTP, SCP, or SFTP. For information about the formats supported for export, see “Key and certificate formats” on page 571.
  • Page 595 Export prompts: Reconfirm export pass phrase; Key and certificate file name; [FTP user name and password]. Description: The key and certificate format in which you want to export the key and certificate. Valid options are: •...
  • Page 596: Generating A Test Certificate Using The Cli

    For more information about the Certificate menu commands, see “…and viewing certificates and keys using the CLI” on page … Figure 171 shows an export session:
    >> Certificate 1# export
    Select protocol (tftp/ftp/scp/sftp) [tftp]: ftp
    Enter hostname or IP address of server: ftp.example.com
    Select the desired export format, enter a pass phrase and specify the name of the output file.
  • Page 597: Managing Private Keys And Certificates Using The Srem

    Managing private keys and certificates using the SREM (see also page 580): “Creating a certificate using the SREM” on page 599; “Generating and submitting a CSR using the SREM” on page 601; “Importing a certificate or key using the SREM” on page 603; “Displaying or saving a certificate and key using the SREM” on page 605; “Exporting a certificate and key from the Nortel SNAS 4050 using the SREM” on page 607; “Viewing certificate information using the SREM” on page 610.
  • Page 598: Viewing Certificates Using The Srem

    Viewing certificates using the SREM. To view basic information about all certificates configured for the Nortel SNAS 4050 cluster, select the Certificates > Certificates tab. The Certificates screen appears (see Figure 172), listing the certificates available on the Nortel SNAS 4050 cluster. Figure 172 Certificates screen. To remove an existing certificate, perform the following steps: Select the certificate from the Certificates list.
  • Page 599: Creating A Certificate Using The Srem

    (See Figure 172 on page 598.) Field descriptions: an integer in the range 1 to 1500 that uniquely identifies the certificate in the Nortel SNAS 4050 domain; names the certificate, as a mnemonic aid. (See Figure 173.)
  • Page 600 Click Apply on the toolbar to send the current changes to the Nortel SNAS 4050. Click Commit on the toolbar to save the changes permanently. Before this certificate can be used, a certificate signing request (CSR) must be generated, submitted to a CA, and imported into the Nortel SNAS 4050. For details on this process, continue with “Generating and submitting a CSR using the SREM” on page 601.
  • Page 601: Generating And Submitting A Csr Using The Srem

    Generating and submitting a CSR using the SREM. To generate a CSR, perform the following steps: Select the Certificates > certificate > CA Request tab. The CA Request screen appears (see Figure 174). Figure 174 CA Request screen.
  • Page 602 Enter the certificate information in the applicable fields. Table 125 describes the CA Request fields. Table 125 CA Request fields: Country, State/Province, Locality, Organization, Organization Unit, Common Name, E-mail Address, Alternate Name, Key Length, Password. Country: The two-letter ISO code for the country where the web server is located.
  • Page 603: Importing A Certificate Or Key Using The Srem

    …using TFTP, FTP, SCP, or SFTP. For information about the formats supported for import, see “Key and certificate formats” on page 571. The .csr file you created in step … must include the -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST----- lines. (Page 603.)
  • Page 604 To import a certificate and private key into the Nortel SNAS 4050, perform the following steps. Upload the certificate file and key file to the file exchange server. Note: You can arrange to include your private key in the certificate file. When the Nortel SNAS 4050 retrieves the specified certificate file from the file exchange server, the Nortel SNAS 4050 software analyzes the contents and automatically adds the private key, if present.
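    The steps above (copying the key and certificate with their BEGIN/END lines into a .PEM file on page 592, and the switch detecting a private key bundled into the certificate file on page 604) both depend on the PEM armour being intact. The following is an added example, not Nortel code and not the switch's own import logic: it parses a PEM bundle the way a pre-upload check would, refuses blocks whose BEGIN and END labels disagree or whose base64 decodes to a truncated DER object, reports whether a private key is present and whether it is encrypted, and flags the one transport choice the manual leaves to the operator: TFTP and FTP move the file in cleartext, so an unencrypted private key should only travel over SCP or SFTP (or be protected by the export pass phrase). The sample bundle is constructed from minimal DER placeholders, not a real certificate or key.

```python
"""Parse and sanity-check a .PEM bundle like the one the SNAS 4050 imports and exports.

Added example, not Nortel code. It assumes the PEM layout the manual's markers
show (-----BEGIN/END <LABEL>----- around base64, RFC 7468 style).
"""
import base64
import binascii
import re
from dataclasses import dataclass, field

PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<begin>[A-Z0-9 ]+)-----\r?\n(?P<body>.*?)-----END (?P<end>[A-Z0-9 ]+)-----",
    re.DOTALL,
)
PRIVATE_KEY_LABELS = {"RSA PRIVATE KEY", "PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}


@dataclass
class PemBlock:
    label: str
    der: bytes
    headers: dict = field(default_factory=dict)

    @property
    def is_private_key(self):
        return self.label in PRIVATE_KEY_LABELS

    @property
    def encrypted(self):
        # Legacy OpenSSL-style encrypted keys carry Proc-Type/DEK-Info headers;
        # PKCS#8 encrypted keys use their own label.
        return self.label == "ENCRYPTED PRIVATE KEY" or "ENCRYPTED" in self.headers.get("Proc-Type", "")


def _der_framing_ok(der):
    """True if `der` is exactly one DER SEQUENCE (catches a cert or key cut short when pasted)."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:
        hdr, length = 2, first
    else:
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        hdr, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    return hdr + length == len(der)


def parse_pem_bundle(text):
    """Return the PemBlocks in `text`; raise ValueError on any malformed block."""
    blocks = []
    for m in PEM_BLOCK.finditer(text):
        begin, end = m.group("begin"), m.group("end")
        if begin != end:
            raise ValueError(f"BEGIN {begin} is closed by END {end}")
        lines = m.group("body").splitlines()
        headers, i = {}, 0
        while i < len(lines) and ":" in lines[i]:       # "Proc-Type:", "DEK-Info:" headers
            k, _, v = lines[i].partition(":")
            headers[k.strip()] = v.strip()
            i += 1
        b64 = "".join(line.strip() for line in lines[i:])
        try:
            der = base64.b64decode(b64, validate=True)
        except binascii.Error as exc:
            raise ValueError(f"{begin}: invalid base64 ({exc})") from None
        block = PemBlock(begin, der, headers)
        # An encrypted legacy key body is raw ciphertext, so only unencrypted blocks are DER.
        if not block.encrypted and not _der_framing_ok(der):
            raise ValueError(f"{begin}: DER length does not match; block is truncated or corrupt")
        blocks.append(block)
    if not blocks:
        raise ValueError("no PEM blocks found")
    return blocks


def summarize(text):
    """Count what the bundle carries, as the switch does when deciding whether a key came with the cert."""
    blocks = parse_pem_bundle(text)
    return {
        "certificates": sum(b.label == "CERTIFICATE" for b in blocks),
        "private_keys": sum(b.is_private_key for b in blocks),
        "encrypted_keys": sum(b.is_private_key and b.encrypted for b in blocks),
    }


def transport_check(protocol, blocks):
    """Return None if the bundle may go over `protocol`, otherwise the reason it should not."""
    proto = protocol.lower()
    if proto not in {"tftp", "ftp", "scp", "sftp"}:
        return f"unknown protocol {protocol!r}"
    if proto in {"tftp", "ftp"} and any(b.is_private_key and not b.encrypted for b in blocks):
        return f"{proto} carries an unencrypted private key in cleartext; use scp/sftp or an export pass phrase"
    return None


# Constructed sample: minimal DER SEQUENCEs standing in for a real certificate and key.
SAMPLE_BUNDLE = """-----BEGIN CERTIFICATE-----
MAUCAQEFAA==
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
MAMCAQA=
-----END RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    print(summarize(SAMPLE_BUNDLE))
    print(transport_check("tftp", parse_pem_bundle(SAMPLE_BUNDLE)))
```

    The DER length check is what catches the common copy-and-paste failure: a base64 body that lost its last lines still decodes, but the outer SEQUENCE header then claims more bytes than are present.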
  • Page 605: Displaying Or Saving A Certificate And Key Using The Srem

    For anonymous mode, the Nortel SNAS 4050 uses the following string as the password (for logging purposes): admin@<hostname>.isd. If the key is password protected, enter the password phrase specified when the key was created or exported.
  • Page 606 To display the current certificate and key or save a copy, perform the following steps: Select the Certificates > certificate > Display Certificate tab. The Display Certificate screen appears (see Figure 176). Figure 176 Display Certificate screen.
  • Page 607: Exporting A Certificate And Key From The Nortel Snas 4050 Using The Srem

    …using TFTP, FTP, SCP, or SFTP. For information about the formats supported for export, see “Key and certificate formats” on page 571. Field descriptions: Specifies the password phrase used to encrypt the certificate; Confirms the password phrase used to encrypt the certificate.
  • Page 608 To export a certificate and key from the Nortel SNAS 4050, perform the following steps. Select the Certificates > certificate > Export Certificate tab. The Export Certificate screen appears (see Figure 177). Figure 177 Export Certificate screen.
  • Page 609 Export fields: Key File, Username, Password, Password Phrase. Description: The file transfer protocol. The options are TFTP, FTP, SCP, SFTP. The default is FTP. The host name or IP address of the file exchange server.
  • Page 610: Viewing Certificate Information Using The Srem

    Click Apply on the toolbar to export the certificate. The certificate and private key are immediately exported to the specified host. Viewing certificate information using the SREM Certificate information is distributed over three screens. To view configuration details, expiration dates, subject settings, or other details of a certificate, choose from the following tasks: •...
  • Page 611 Names or renames the certificate, as a mnemonic aid. Displays information about how the private key associated with the currently selected certificate is protected. For the Nortel SNAS 4050, private keys are protected by the cluster. (See Figure 172.)
  • Page 612: Viewing General Information

    Table 129 Certificate Configuration fields: Key Size: Displays the key size of the private key in the current certificate. Key Status. Details. Viewing general information: To view basic information about a certificate on the Nortel SNAS 4050 cluster, select the Certificates > certificate > Info tab.
  • Page 613 For current information about ISO country codes, see http://www.iana.org. The name of the state or province where the head office of the organization is located. Enter the full name of the state or province.
  • Page 614: Viewing Certificate Subject Settings

    Table 130 Info fields: Locality, Organization, Organization Unit, Common Name. Locality: The name of the city where the head office of the organization is located. Viewing certificate subject settings: To view subject settings for a certificate on the Nortel SNAS 4050 cluster, select the Certificates > certificate > Subject tab.
  • Page 615 The name of the state or province where the head office of the organization is located. Enter the full name of the state or province. The name of the city where the head office of the organization is located.
  • Page 616 Table 131 Subject fields: Organization, Organization Unit, Common Name, Email Address. Organization: The registered name of the organization. The organization must own the domain name that appears in the common name of the web server. Do not abbreviate the organization name and do not use any of the following characters: <...
  • Page 617: Chapter 12: Configuring Snmp

    Chapter 12 contents (continued): “Configuring SNMP events using the CLI” on page 627; “Configuring SNMP settings using the SREM” on page 631; “Configuring SNMP using the SREM” on page 632; “Configuring SNMP targets using the SREM” on page 634; “Configuring SNMPv3 users using the SREM” on page 640; “Configuring SNMP events using the SREM” on page 647.
  • Page 618: Configuring Snmp Using The Cli

    Simple Network Management Protocol (SNMP) is a set of protocols for managing complex networks. SNMP works by sending messages, called protocol data units (PDUs), to different parts of a network. The SNMP-compliant agents on the Nortel SNAS 4050 devices store data about themselves in Management Information Bases (MIBs) and return this data to the SNMP requesters.
  • Page 619: Roadmap Of Snmp Commands

    Roadmap of SNMP commands (continued): <v1|v2c|v3>; sysContact <contact>; snmpEnable disabled|enabled; read <name>; write <name>; trap <name>; name <name>; seclevel none|auth|priv; permission get|set|trap; authproto md5|sha; authpasswd <password>; privproto des|aes; privpasswd <password>; ip <IPaddr>; port <port>; version v1|v2c|v3
  • Page 620: Configuring Snmp Settings Using The Cli

    Command: /cfg/sys/adm/snmp/event. Configuring SNMP settings using the CLI: To configure SNMP management of the Nortel SNAS 4050 cluster, use the following command: /cfg/sys/adm/snmp. The SNMP menu displays. The SNMP menu includes the following options (/cfg/sys/adm/snmp followed by): … Parameter: addmonitor [<options>] -b <name> <OID>...
  • Page 621: Configuring The Snmp V2 Mib Using The Cli

    …(see “Configuring SNMP notification targets using the CLI” on page 626). Accesses the Event menu, in order to create custom monitoring definitions for the objects in the DISMAN-EVENT-MIB.
  • Page 622: Configuring The Snmp Community Using The Cli

    The SNMPv2-MIB menu includes the following options (/cfg/sys/adm/snmp/snmpv2-mib followed by): sysContact <contact>; snmpEnable disabled|enabled. Configuring the SNMP community using the CLI: To configure the community aspects of SNMP monitoring, use the following command: /cfg/sys/adm/snmp/community. The SNMP Community menu displays. The SNMP Community menu includes the following options (/cfg/sys/adm/snmp/community followed by): read <name>...
  • Page 623: Configuring Snmpv3 Users Using The Cli

    …(auth password) and encryption key (priv password). The default is priv. • permission — the USM user’s privileges. Valid options are: • get — USM user is authorized to perform SNMP get requests (read access to the MIB).
  • Page 624 • set — USM user is authorized to perform SNMP set requests (write access to the MIB). Write access automatically implies read access as well. • trap — trap messages. • authentication protocol — the protocol to be used to authenticate the USM user. Valid options are: • md5 • sha. The default is … • auth password — a string of at least eight characters specifying the password for USM user authentication.
  • Page 625 Names or renames the USM user. After you have defined a name for the user, you can use either the user name or the user ID to access the SNMP User menu.
  • Page 626: Configuring Snmp Notification Targets Using The Cli

    /cfg/sys/adm/snmp/users <user ID> followed by: authpasswd <password>; privproto des|aes; privpasswd <password>. Configuring SNMP notification targets using the CLI: SNMP managers function as the notification targets for SNMP monitoring. To configure notification targets, use the following command: /cfg/sys/adm/snmp/target <target ID>, where <target ID> identifies the notification target in the cluster.
  • Page 627: Configuring Snmp Events Using The Cli

    Valid options are: • v1 — SNMP version 1 • v2c — SNMP version 2c • v3 — SNMP version 3. The default is … Removes the current SNMP manager from the Nortel SNAS 4050 configuration.
  • Page 628 The event menu includes the following options (/cfg/sys/adm/snmp/event followed by): addmonitor [<options>] -b <name> <OID> <op> <value>: Adds a boolean monitor and trigger as defined in the DISMAN-EVENT-MIB. Valid <options> are: • -c <comment> — adds a comment •...
  • Page 629 /cfg/sys/adm/snmp/event followed by: addmonitor [<options>] -t <name> <OID> <value and event>: Adds a threshold monitor and trigger as defined in the DISMAN-EVENT-MIB. Valid <options> are: • -c <comment> — adds a comment...
  • Page 630 /cfg/sys/adm/snmp/event followed by: addmonitor [<options>] -x <name> <OID> [present|absent|changed]: Adds an existence monitor and trigger as defined in the DISMAN-EVENT-MIB. Valid <options> are: • -c <comment> — adds a comment... Further options: delmonitor <name>; addevent [-c <comment>] <name> <notification> [<OID...>]; delevent <name>; list.
  • Page 631: Configuring Snmp Settings Using The Srem

    “Configuring SNMP using the SREM” on page 632 • “Configuring SNMP targets using the SREM” on page 634 • “Configuring SNMPv3 users using the SREM” on page 640 • “Configuring SNMP events using the SREM” on page 647
  • Page 632: Configuring Snmp Using The Srem

    Configuring SNMP using the SREM. To configure SNMP, perform the following steps: Select the System > Administrative > SNMP > Configuration tab. The Configuration screen appears (see Figure 181). Figure 181 SNMP Configuration.
  • Page 633 The default trap community name is public (see Table 132). Click Apply on the toolbar to send the current changes to the Nortel SNAS 4050. Click Commit on the toolbar to save the changes permanently.
  • Page 634: Configuring Snmp Targets Using The Srem

    Configuring SNMP targets using the SREM. SNMP managers function as the notification targets for SNMP monitoring. To configure SNMP notification targets, choose from one of the following tasks: • “Adding SNMP targets” on page 635 • “Managing SNMP targets” on page 638 • “Removing SNMP targets” on page 639
  • Page 635: Adding Snmp Targets

    To add an SNMP target, perform the following steps: Select the System > Administrative > SNMP > SNMP Targets > SNMP Target Table tab. The SNMP Target Table appears (see Figure 182). Figure 182 SNMP Target Table.
  • Page 636 Click Add. The Add SNMP Target dialog box appears (see Figure 183). Figure 183 Add SNMP Target.
  • Page 637 Version options: v1 — use SNMPv1; v2c — use SNMPv2c; v3 — use SNMPv3. Click Apply on the toolbar to send the current changes to the Nortel SNAS 4050. Click Commit on the toolbar to save the changes permanently.
  • Page 638: Managing Snmp Targets

    Managing SNMP targets. To manage SNMP targets, perform the following steps: Select the System > Administrative > SNMP > SNMP Targets > target > Target Settings tab. The Target Settings screen appears (see Figure 184). Figure 184 Target Settings.
  • Page 639: Removing Snmp Targets

    …SNMP Target Table tab. The SNMP Target Table appears. Select the SNMP target to remove from the SNMP Target Table. Click Delete. Version options: v1 — use SNMPv1; v2c — use SNMPv2c; v3 — use SNMPv3.
  • Page 640: Configuring Snmpv3 Users Using The Srem

    A dialog box appears asking for confirmation. Click Yes. Click Apply on the toolbar to send the current changes to the Nortel SNAS 4050. Click Commit on the toolbar to save the changes permanently. Configuring SNMPv3 users using the SREM The Nortel SNAS 4050 manages SNMPv3 users based on the User-based Security Model (USM) for SNMP version 3.
  • Page 641: Adding Snmpv3 Users

    To add an SNMPv3 user, perform the following steps: Select the System > Administrative > SNMP > SNMPv3 Users > SNMPv3 User Table tab. The SNMPv3 User Table appears (see Figure 185). Figure 185 SNMPv3 User Table.
  • Page 642 Click Add. The Add SNMPv3 User dialog box appears (see Figure 186). Figure 186 Add SNMPv3 User.
  • Page 643 Privacy protocol options: • des • aes. The default is des. Security level options: none — SNMP access is granted without authentication. auth — the SNMP user must provide a verified password before SNMP access is granted. You are later prompted to specify the required password (auth password).
  • Page 644: Managing Snmpv3 Users

    Click Apply. The new SNMPv3 user appears in the table. Click Apply on the toolbar to send the current changes to the Nortel SNAS 4050. Click Commit on the toolbar to save the changes permanently. Managing SNMPv3 users To manage SNMPv3 users, or configure permission sets for a new SNMPv3 user, perform the following steps: Select the System >...
  • Page 645 Specifies the USM user’s individual encryption key. The password is required if the security level is set to priv. The password must be at least eight characters long. none — SNMP access is granted without authentication.
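    The USM options described for the CLI (pages 623 to 625) and for the SREM (pages 643 to 645) are the same choices: a security level of none, auth, or priv; md5 or sha as the authentication protocol; des or aes as the privacy protocol; and auth and priv passwords of at least eight characters. What neither page shows is what the switch does with those passwords. The following is an added example, not Nortel code: it implements the RFC 3414 password-to-key and key-localization steps that turn an auth or priv password into the per-engine key an SNMPv3 manager and agent actually share, and applies the seclevel rules the options imply (auth and priv need an auth password, priv also needs a priv password). The engine ID and the password “maplesyrup” are RFC 3414's published test values, not values from any SNAS 4050; the MIN_PASSWORD_LEN check mirrors the eight-character rule on this page.

```python
"""Derive SNMPv3 USM localized keys from the auth/priv passwords and an engine ID.

Added example, not Nortel code. It implements the RFC 3414 password-to-key
(A.2) and key-localization (2.6) algorithms for the md5/sha and des/aes options
the SNAS 4050 CLI offers, plus the seclevel checks those options imply. The
engine ID and password are RFC 3414's test values, not from any SNAS 4050.
"""
import hashlib

HASHES = {"md5": hashlib.md5, "sha": hashlib.sha1}
MIN_PASSWORD_LEN = 8  # the manual requires at least eight characters
KEY_STREAM_BYTES = 1_048_576


def password_to_key(password, authproto):
    """Ku = H(password repeated to exactly 1,048,576 bytes)."""
    if authproto not in HASHES:
        raise ValueError("authproto must be md5 or sha")
    pw = password.encode("utf-8")
    if len(pw) < MIN_PASSWORD_LEN:
        raise ValueError("password must be at least eight characters")
    h = HASHES[authproto]()
    buf = pw * (4096 // len(pw) + 1)  # a few KiB of the repeated password
    remaining = KEY_STREAM_BYTES
    while remaining > 0:
        piece = buf[:remaining]
        h.update(piece)
        remaining -= len(piece)
    return h.digest()


def localize(ku, engine_id, authproto):
    """Kul = H(Ku || snmpEngineID || Ku): the key is bound to one target's engine ID."""
    return HASHES[authproto](ku + engine_id + ku).digest()


def derive_usm_keys(seclevel, engine_id, authproto="sha", authpasswd=None,
                    privproto="aes", privpasswd=None):
    """Check a seclevel/password combination and return its localized keys.

    Returns {"auth": bytes|None, "priv": bytes|None}. The priv key is derived
    with the auth hash, then cut to 16 bytes: DES key + pre-IV (RFC 3414 8.2.1)
    or the AES-128 key (RFC 3826 3.1.2.1).
    """
    if seclevel not in ("none", "auth", "priv"):
        raise ValueError("seclevel must be none, auth or priv")
    keys = {"auth": None, "priv": None}
    if seclevel == "none":
        return keys
    if not authpasswd:
        raise ValueError("seclevel auth/priv requires an auth password")
    keys["auth"] = localize(password_to_key(authpasswd, authproto), engine_id, authproto)
    if seclevel == "priv":
        if privproto not in ("des", "aes"):
            raise ValueError("privproto must be des or aes")
        if not privpasswd:
            raise ValueError("seclevel priv requires a priv password")
        keys["priv"] = localize(password_to_key(privpasswd, authproto), engine_id, authproto)[:16]
    return keys


if __name__ == "__main__":
    engine_id = bytes.fromhex("000000000000000000000002")  # RFC 3414 A.3 test engine ID
    for proto in HASHES:
        print(proto, localize(password_to_key("maplesyrup", proto), engine_id, proto).hex())
```

    Because the localized key includes the engine ID, the same password yields a different key for every target; a key captured from one agent does not authenticate to another, which is why the manual ties each USM user to the switch rather than to a shared community string.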
  • Page 646: Removing Snmpv3 Users

    Table 136 fields: Authentication Protocol, Privacy Protocol. Click Apply on the toolbar to send the current changes to the Nortel SNAS 4050. Click Commit on the toolbar to save the changes permanently. Removing SNMPv3 users: To delete an existing SNMPv3 user, perform the following steps: Select the System >...
  • Page 647: Configuring Snmp Events Using The Srem

    To view a description and list of related fields for each monitor type, choose from the following sections: • “Boolean monitors” on page 650 • “Threshold monitors” on page 652 • “Existence monitors” on page 654
  • Page 648: Adding Monitor Events

    Adding monitor events. To add monitor events, perform the following steps: Select the System > Administrative > SNMP > Event > Monitor Table tab. The Monitor Table appears (see Figure 188). Figure 188 Monitor Table.
  • Page 649: Viewing Configuration Details Of Monitor Events

    Monitor settings cannot be edited after the monitor is created. To change settings for an existing monitor, that monitor must first be removed and then recreated with the correct settings. (See page 651 and Figure 191.)
  • Page 650: Removing Monitor Events

    Depending on the type of monitor selected, the fields displayed on the Configuration tab will change. For descriptions of the displayed fields, refer to the appropriate section: • “Boolean monitors” on page 650 • “Threshold monitors” on page 652 • “Existence monitors”...
  • Page 651 Comment: Specifies a comment for this monitor. Frequency: Specifies the sampling interval, in seconds. The default value is 600. Additional OIDs in Event: Specifies any additional OIDs for this monitor to trigger. Comparison operators: equals, notEquals, lessThanOrEquals, greaterThanOrEquals, lessThan...
  • Page 652: Threshold Monitors

    Table 138 fields: Delta Discontinuity OID; Delta Discontinuity OID type: Specifies the type of discontinuity to monitor for. For details on adding a Boolean monitor, see “Adding monitor events” on page 648. Threshold monitors: Threshold monitors compare a monitored OID against a range of values, and trigger events if the comparison determines that the OID value is rising too quickly, falling too quickly, or outside of certain boundaries.
  • Page 653 Delta Discontinuity OID type: Specifies the type of discontinuity to monitor for. The options are: • timeTicks • timeStamp • dateAndTime. For details on adding a Threshold monitor, see “Adding monitor events” on page 648. (See Table 139.)
  • Page 654: Existence Monitors

    Existence monitors. Existence monitors check the condition of a monitored OID to determine whether it is present, missing, or changed. Events are triggered if the result matches the desired condition. (See Figure 191.) Fields used to add and configure an Existence monitor are listed in Table 140: Name...
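    The three monitor types the CLI adds with addmonitor -b, -t and -x (pages 628 to 630) and the SREM describes on pages 650 to 654 all follow DISMAN-EVENT-MIB (RFC 2981) trigger semantics, which the manual states only informally: a boolean comparison fires once when it becomes true, a threshold monitor fires a rising event and then not again until the value has come back down to the falling threshold, and an existence monitor fires on present, absent or changed. The following is an added example, not Nortel code and not the switch's own event engine: it evaluates each monitor type offline over a series of sampled values, including the delta sampling mode the Delta Discontinuity fields refer to, so the firing behaviour can be checked before a monitor is created (monitors cannot be edited afterwards, only removed and recreated). All sample series are constructed.

```python
"""Evaluate DISMAN-EVENT-MIB style monitors offline over sampled values.

Added example, not Nortel code or the switch's own engine. It models the three
monitor types the SNAS 4050 exposes (boolean, threshold, existence) with the
trigger semantics of RFC 2981: a boolean fires once when its test becomes true,
a threshold fires rising/falling with hysteresis, an existence monitor fires on
present/absent/changed. The sample series below are constructed.
"""
import operator

OPS = {
    "equals": operator.eq,
    "notEquals": operator.ne,
    "lessThan": operator.lt,
    "lessThanOrEquals": operator.le,
    "greaterThan": operator.gt,
    "greaterThanOrEquals": operator.ge,
}


class _Sampler:
    """Shared absolute/delta sampling; a delta needs two raw samples before it yields a value."""

    def __init__(self, name, delta=False):
        self.name = name
        self.delta = delta
        self._prev = None

    def _value(self, raw):
        if not self.delta:
            return raw
        prev, self._prev = self._prev, raw
        return None if prev is None else raw - prev


class BooleanMonitor(_Sampler):
    def __init__(self, name, op, value, delta=False):
        super().__init__(name, delta)
        if op not in OPS:
            raise ValueError(f"unknown comparison {op!r}")
        self.op, self.value = OPS[op], value
        self._was_true = False

    def feed(self, raw):
        if raw is None:
            return []
        v = self._value(raw)
        if v is None:
            return []
        now = self.op(v, self.value)
        fired = now and not self._was_true  # re-arms only after the test goes false again
        self._was_true = now
        return [self.name] if fired else []


class ThresholdMonitor(_Sampler):
    def __init__(self, name, rising, falling, delta=False):
        super().__init__(name, delta)
        if falling > rising:
            raise ValueError("falling threshold must not exceed rising threshold")
        self.rising, self.falling = rising, falling
        self._state = None  # "above" after a rising event, "below" after a falling one

    def feed(self, raw):
        if raw is None:
            return []
        v = self._value(raw)
        if v is None:
            return []
        if v >= self.rising and self._state != "above":
            self._state = "above"
            return [f"{self.name}:rising"]
        if v <= self.falling and self._state != "below":
            self._state = "below"
            return [f"{self.name}:falling"]
        return []


class ExistenceMonitor:
    def __init__(self, name, test):
        if test not in ("present", "absent", "changed"):
            raise ValueError("test must be present, absent or changed")
        self.name, self.test = name, test
        self._seen = False  # whether the OID was present at the previous sample
        self._last = None

    def feed(self, raw):
        present = raw is not None
        fired = (
            (self.test == "present" and present and not self._seen)
            or (self.test == "absent" and not present and self._seen)
            or (self.test == "changed" and present and self._seen and raw != self._last)
        )
        self._seen, self._last = present, raw
        return [self.name] if fired else []


def run(monitor, samples):
    """Feed one sample per polling interval; return [(sample_index, event_name), ...]."""
    return [(i, ev) for i, raw in enumerate(samples) for ev in monitor.feed(raw)]


if __name__ == "__main__":
    # Constructed series: link state (1=up, 2=down), an error counter, a row that disappears.
    print(run(BooleanMonitor("linkDown", "equals", 2), [1, 1, 2, 2, 1, 2]))
    print(run(ThresholdMonitor("errBurst", rising=100, falling=20, delta=True),
              [0, 50, 200, 260, 270, 275, 400]))
    print(run(ExistenceMonitor("agentGone", "absent"), [1, 1, None, None, 1]))
```

    The hysteresis in ThresholdMonitor is the detail that matters operationally: a counter that hovers just above the rising threshold produces one trap, not one per sampling interval, and a delta monitor on a counter needs the Delta Discontinuity OID so that a counter reset is not read as a huge negative change.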
  • Page 655: Managing Notification Events

    Once notification events are added, they cannot be modified. To change the settings of an existing notification event, first remove that notification and then create a new notification event with the desired changes. (Delta Discontinuity OID type options: • timeTicks • timeStamp • dateAndTime. See “Adding monitor events”.)
  • Page 656 Adding notification events. To add notification events, perform the following steps: Select the System > Administrative > SNMP > Event > Notification Table tab. The Notification Table screen appears (see Figure 192). Figure 192 Notification Table.
  • Page 657 The notification event appears in the table. Click Apply on the toolbar to send the current changes to the Nortel SNAS 4050. Click Commit on the toolbar to save the changes permanently. (See Figure 193.)
  • Page 658 Removing notification events. To delete a notification event, perform the following steps: Select the System > Administrative > SNMP > Event > Notification Table tab. The Notification Table appears. Select the notification event to be removed. The Configuration subtab appears, displaying details for the selected notification event.
  • Page 659: Chapter 13: Viewing System Information And Performance Statistics

    …Nortel SNAS 4050 hosts. You can view AAA performance statistics for the Nortel SNAS 4050 cluster as a whole or for individual hosts in the cluster since the system was started.
  • Page 660: Viewing System Information And Performance Statistics Using The Cli

    Viewing system information and performance statistics using the CLI. To view current information about system status and the system configuration, access the Information menu by using the following command: /info. To view performance statistics for the cluster and for individual Nortel SNAS 4050 hosts, access the Statistics menu by using the following command: /stats. Roadmap of information and statistics commands...
  • Page 661: Viewing System Information Using The Cli

    To view current information about system status and the system configuration, use the following command: /info. The Information menu displays. Parameters: local; ethernet; ports; alarms; download <protocol> <server> <filename>; list; download <protocol> <server> <filename>; total; isdhost <host ID> <domain ID>; dump
  • Page 662 The Information menu includes the following options (/info followed by): certs; sonmp; licenses [<domain ID>]. Displays information about all installed certificates, including the certificate name, serial number, expiration date, key size, and subject information for each certificate. Displays information about the current system configuration, including: •...
  • Page 663 [<domainid>] [<switchid>]; dist [<hostid>]; ip <domain ID> <IPaddr>. Allows the operator to log the specified user out of a Nortel SNAS 4050 session. You are prompted to enter the following information: •...
  • Page 664 /info followed by: mac <MACaddr>; sessions [<domain ID> [<switch ID> [<username-prefix>]]]; contlist [<Exclude buffers+cache from mem util: [yes/no]>]. mac <MACaddr>: Displays session information for a client based on a specified MAC address. You are prompted to provide the MAC address. The information includes: the domain ID;...
  • Page 665 Displays the current software version, hardware platform, up time (since last boot), IP address, and Ethernet MAC address for the particular Nortel SNAS 4050 device to which you have connected. If you...
  • Page 666: Viewing Alarm Events Using The Cli

    /info followed by: events; logs. events: Accesses the Events menu, in order to view and download active alarms and logged events (see “Viewing alarm events using the CLI”...). Viewing alarm events using the CLI: To view active alarms, use the following command: /info/events. The Events menu displays. The Events menu includes the following options (/info/events followed by): alarms; download <protocol> <server> <filename>
  • Page 667: Viewing Log Files Using The Cli

  • Page 667 • <server> is the host name or IP address of the file exchange server. • <filename> is the name of the destination log file (*.log.x) on the file exchange server. The default <protocol> is tftp.
  • Page 668 The CLI reports statistics for all authentication methods configured in the cluster, whether or not they have been included in the authentication order scheme (see “Specifying authentication fallback order using the CLI” on page …). If the statistics for a particular authentication method are always a row of zeroes, this might be because the method is not included in the authentication order scheme.
  • Page 669 Sample /stats/aaa/dump output: for each DOMAIN, Accepted and Rejected counts under LDAP Servers (10.0.0.1:389), RADIUS Servers (192.168.0.1:1645), Local DB, and Licenses; followed by Local Auth Stats for host 2 (LDAP Servers ...).
  • Page 670: Viewing All Statistics Using The Cli

    Viewing all statistics using the CLI. To view all available statistics for the Nortel SNAS 4050 cluster, use the following command: /stats/dump. Because the Nortel SNAS 4050 collects only AAA statistics, the command is equivalent to the /stats/aaa/dump command. Viewing system information and performance statistics using the SREM: You can view configuration, status, and performance information for a Nortel SNAS 4050 device or for the cluster as a whole.
  • Page 671 The length of time that the Nortel SNAS 4050 has been running. The Real IP address (RIP) of the Nortel SNAS 4050 device. The MAC address of the Nortel SNAS 4050 device. (See Figure 195.)
  • Page 672: Viewing Cluster Information Using The Srem

    Viewing cluster information using the SREM To view cluster information, select one of the following topics: • “Viewing the controller list using the SREM” on page 673 • “Viewing SONMP topology information using the SREM” on page 675 • “Viewing switch distribution using the SREM” on page 677 •...
  • Page 673: Viewing The Controller List Using The Srem

    To view information about all the Nortel SNAS 4050 devices in the cluster, select the Information > Controller List tab. The Controller List screen appears (see Figure 196). Figure 196 Controller List screen.
  • Page 674 Table 143 describes the Controller List fields. Table 143 Controller List fields: Auto Refresh: Specifies whether the information displayed is automatically refreshed. Interval: Specifies the interval in seconds before the screen is automatically refreshed. Only applicable if Auto Refresh is selected. Logging. Controller List.
  • Page 675: Viewing Sonmp Topology Information Using The Srem

    Viewing SONMP topology information using the SREM. To view SynOptics Network Management Protocol (SONMP) network topology information, select the Information > SONMP State tab. The SONMP State screen appears (see Figure 197). Figure 197 SONMP State screen.
  • Page 676 Table 144 describes the SONMP State fields. Table 144 SONMP State fields: Auto Refresh: Specifies whether the information displayed is automatically refreshed. Interval: Specifies the interval in seconds before the screen is automatically refreshed. Only applicable if Auto Refresh is selected. Logging. SONMP State Table.
  • Page 677: Viewing Switch Distribution Using The Srem

    To view current status information about network access devices in the cluster, select the Information > Switch Distribution tab. The Switch Distribution screen appears (see Figure 198). Figure 198 Switch Distribution screen.
  • Page 678: Viewing Port Information Using The Srem

    Table 145 describes the Switch Distribution fields. Table 145 Switch Distribution fields: Switch Distribution. Viewing port information using the SREM: You can view information about the status of the physical ports on the Ethernet network interface card (NIC) on the particular Nortel SNAS 4050 device to which you have connected.
  • Page 679 Port Information fields (Sheet 1 of 2): Specifies whether the information displayed is automatically refreshed. Specifies the interval in seconds before the screen is automatically refreshed. Only applicable if Auto Refresh is selected. (See Figure 199.)
  • Page 680: Viewing License Information Using The Srem

    Table 146 (continued): Logging; Port Status. Viewing license information using the SREM: You can view information about license usage for the system as a whole or by domain. To view license information, select from the following tasks: • “Viewing global license information” on page 681 • “Viewing license information for a domain” on page 683
  • Page 681 Viewing global license information. To view global license information, select the Information > Licenses > Global Licenses tab. The Global Licenses screen appears (see Figure 200). Figure 200 Global Licenses screen.
  • Page 682 Table 147 describes the Global Licenses fields. Table 147 Global Licenses fields: Auto Refresh: Specifies whether the information displayed is automatically refreshed. Interval: Specifies the interval in seconds before the screen is automatically refreshed. Logging. State of Global Licenses.
  • Page 683 Viewing license information for a domain. To view license usage by domain, select the Information > Licenses > Per Domain Licenses tab. The Per Domain Licenses screen appears (see Figure 201). Figure 201 Per Domain Licenses screen.
  • Page 684: Viewing Session Details Using The Srem

    Table 148 describes the Per Domain Licenses fields. Table 148 Per Domain Licenses fields: Auto Refresh, Interval, Logging, State of Licenses Per Domain. Viewing session details using the SREM: You can view information about active sessions for all clients, or for an individual or group of clients.
  • Page 685 To restrict the display to specific sessions, click Find or Filter to set match criteria. Find and Filter use regular expressions to specify the pattern to match. Only sessions that match the set criteria will appear in the list.
  • Page 686 Table 149 describes the Sessions parameters. Table 149 Sessions parameters: Domain ID, Switch ID, User Name, Source IP, Source MAC Address, VLAN ID, Login Time, Device Type, Port ID, Portal IP. Domain ID: The domain ID of the domain in which the session is occurring.
  • Page 687 To view details about active sessions, select the Information > Sessions > session > Session Properties tab. The Session Properties screen appears (see Figure 203). Figure 203 Session Properties screen. The Session Properties screen displays details for the selected session.
  • Page 688 Table 150 describes the Session Properties parameters. Table 150 Session Properties parameters: Domain ID, Switch ID, User Name, Source IP, Source MAC Address, VLAN ID, Login Time, Device Type, Port ID, Portal IP. Ending active user sessions: It may be necessary to end active user sessions for a variety of reasons. To kick a user off the Nortel SNAS 4050 device, perform the following steps: To view details about active sessions, select the Information >...
  • Page 689 Table 151 describes the KickOut User fields. Table 151 KickOut User fields: User Name: Specifies the user name. Domain ID: Specifies the domain in which the selected user resides. Click KickOut.
  • Page 690 Viewing the number of active sessions using the SREM. To view the number of active sessions, select the Information > Sessions > Number of Sessions tab. The Number of Sessions screen appears (see Figure 205). Figure 205 Number of Sessions screen. Table 152 describes the Number of Sessions fields.
  • Page 691: Viewing Alarms Using The SREM

    Alarms are also sent as syslog messages. To view system alarms, select from the following tasks: • “Viewing active alarms using the SREM” on page 692 • “Downloading alarms using the SREM” on page 694
  • Page 692 Viewing active alarms using the SREM To view the active alarms for the Nortel SNAS 4050 cluster, select the Information > Alarms > Active Alarms tab. The Active Alarms screen appears (see Figure 206). Figure 206 Active Alarms screen.
  • Page 693 Active Alarms fields: Auto Refresh: Specifies whether the information displayed is automatically refreshed. Interval: Specifies the interval in seconds before the screen is automatically refreshed. Only applicable if Auto Refresh is selected. Logging. Active Alarms Table.
  • Page 694 Downloading alarms using the SREM To download an alarm as a logged event, select the Information > Alarms > Download Alarms tab. The Download Alarms screen appears (see Figure 207). Figure 207 Download Alarms screen.
  • Page 695: Managing Log Files Using The SREM

    “Viewing the log list using the SREM” on page 696 • “Downloading log files using the SREM” on page 697. Description: The file export protocol. The options are TFTP, FTP, SFTP. The default is FTP.
  • Page 696 Viewing the log list using the SREM To view a list of all active logs, select the Information > Logs tab. The Logs screen appears (see Figure 208). Figure 208 Logs screen. To delete a log file, select the file in the list and click Delete.
  • Page 697 Download fields (Sheet 1 of 2). Description: The file export protocol. The options are TFTP, FTP, SFTP. The default is FTP. The host name or IP address of the file exchange server. (see Figure 209).
  • Page 698: Viewing AAA Statistics Using The SREM

    Table 155 fields: Filename, Username, Password. Viewing AAA statistics using the SREM You can view authentication statistics for the Nortel SNAS 4050 cluster as a whole or for one specific Nortel SNAS 4050 host in the cluster. For each configured authentication method and authentication server, the following information displays: •...
  • Page 699: Viewing AAA Statistics For A Host

    In the Statistics > AAA > Host Statistics > Hosts table, select the desired host. Then, in the Statistics > AAA > Host Statistics > Hosts > Domain Statistics table, select the desired domain (see Figure 210).
  • Page 700 b Expand the Statistics > AAA > Host Statistics > host navigation tree components, and select the desired domain. The License tab opens (see... Depending on which authentication methods are configured for that host, some or all of the following tabs may be available: •...
  • Page 701: Viewing License Statistics

    Table 156 License statistics (Sheet 1 of 2). Descriptions: Enables or disables auto refresh of statistics. Specifies the interval at which to auto refresh. Enables or disables statistics logging in the specified location.
  • Page 702: Viewing RADIUS Statistics

    Table 156 License statistics (Sheet 2 of 2): SSL Accepted: Displays the sum of accepted connections by license type. For the Nortel SNAS 4050, SSL is the only type of license. SSL Rejected. Viewing RADIUS statistics To view RADIUS statistics, select the Radius tab. The RADIUS statistics appear (see Figure 212). Figure 212 RADIUS statistics.
  • Page 703 Displays statistics for each RADIUS server (see Table 157). The fields displayed are: • IP Address/Port: Displays the RADIUS server IP address and TCP port. • Accepted: Displays the number of accepted requests to the RADIUS server. • ... • ...
  • Page 704: Viewing Local Database Statistics

    Viewing Local database statistics To view Local database statistics, select the Local DB tab. The Local DB statistics appear (see Figure 213 on page ...). Figure 213 Local DB statistics. For a description of the fields, see Table 158. Table 158 fields: Auto Refresh, Interval, Logging.
  • Page 705: Viewing LDAP Statistics

    Displays the number of accepted requests to the Local database. Displays the number of rejected requests to the Local database. Rejections occur, for example, when a user submits an incorrect password. (see Figure 214 on page 705).
  • Page 706 For a description of the fields, see Table 159. Table 159 LDAP statistics: Auto Refresh: Enables or disables auto refresh of statistics. Interval: Specifies the interval at which to auto refresh. Logging: Enables or disables statistics logging in the specified location. Server Statistics Table.
  • Page 707: Viewing AAA Statistics For The Domain

    In the navigation tree, expand Domain Statistics and select a domain (see Figure 215 on page 707). Depending on the authentication methods configured for the domain, the following tabs may be available: • License • Radius • Local DB
  • Page 708 • LDAP Select one of the following tasks: • Viewing License statistics (see “Viewing License statistics” on page ...) • Viewing RADIUS statistics (see “Viewing RADIUS statistics” on page 711) • Viewing Local DB statistics (see “Viewing Local database statistics” on page 713) • Viewing LDAP statistics (see...
  • Page 709: Viewing License Statistics

    (see Figure 216). See Table 160. Table 160 License statistics (Sheet 1 of 2): Auto Refresh: Enables or disables auto refresh of statistics. Interval: Specifies the interval at which to auto refresh.
  • Page 710 Table 160 License statistics (Sheet 2 of 2): Logging: Enables or disables statistics logging in the specified location. SSL Accepted: Displays the sum of accepted connections by license type. For the Nortel SNAS 4050, SSL is the only type of license. SSL Rejected: Displays the sum of connections rejected because they exceeded the allowed number of concurrent users.
  • Page 711: Viewing RADIUS Statistics

    (see Figure 217). See Table 161. Table 161 Viewing RADIUS Statistics (Sheet 1 of 2): Auto Refresh: Enables or disables auto refresh of statistics. Interval: Specifies the interval at which to auto refresh.
  • Page 712 Table 161 Viewing RADIUS Statistics (Sheet 2 of 2): Logging: Enables or disables statistics logging in the specified location. Server Statistics Table: Displays statistics for each RADIUS server. The fields displayed are: • IP Address/Port: Specifies the RADIUS server IP address and TCP port.
  • Page 713: Viewing Local Database Statistics

    (see Figure 218). See Table 162. Table 162 Local DB statistics (Sheet 1 of 2): Auto Refresh: Enables or disables auto refresh of statistics. Interval: Specifies the interval at which to auto refresh.
  • Page 714 Table 162 Local DB statistics (Sheet 2 of 2): Logging: Enables or disables statistics logging in the specified location. Accepted: Displays the number of accepted requests to the Local database. Rejected: Displays the number of rejected requests to the Local database.
  • Page 715: Viewing LDAP Statistics

    (see Figure 219). See Table 163. Table 163 Viewing LDAP Statistics (Sheet 1 of 2): Auto Refresh: Enables or disables auto refresh of statistics. Interval: Specifies the interval at which to auto refresh.
  • Page 716: Viewing Ethernet Statistics Using The SREM

    Table 163 (Sheet 2 of 2) fields: Logging, Server Statistics Table. Viewing Ethernet statistics using the SREM You can view statistics for the Ethernet network interface card (NIC) on the particular Nortel SNAS 4050 device to which you have connected. If you have connected to the MIP, the information relates to the Nortel SNAS 4050 device in the cluster that is currently in control of the MIP.
  • Page 717 From the Ethernet Interface Table, select an interface (see Figure 220). Select one of the following tasks: • Viewing Rx statistics (see “Viewing Rx statistics” on page 718) • Viewing Tx statistics (see “Viewing Tx statistics” on page 720)
  • Page 718: Viewing Rx Statistics

    Viewing Rx statistics To view Rx statistics for an interface, select the Rx Statistics tab. The Rx Statistics screen appears (see Figure 221). Figure 221 The Rx statistics screen. For a description of the fields, see Table 164. Table 164 fields: Auto Refresh, Interval.
  • Page 719 Displays the number of packet errors due to lack of resources. Rx Frames. Displays the number of errors due to malformed packets. Cumulative: Displays a cumulative count of packets as they are received.
  • Page 720: Viewing Tx Statistics

    Viewing Tx statistics To view Tx statistics for an interface, select the Tx Statistics tab. The Tx statistics screen appears (see Figure 222). Figure 222 The Tx statistics screen. For a description of the fields, see Table 165. Table 165 fields: Auto Refresh, Interval.
  • Page 721 Note: A non-zero collision value may indicate incorrect configuration of Ethernet auto-negotiation. For more information, see ... on page ... Cumulative: Displays a cumulative count of packets as they are transmitted. Incremental: Displays the number of packets transmitted incrementally.
  • Page 722 Chapter 13 Viewing system information and performance statistics
  • Page 723: Chapter 14: Maintaining And Managing The System

    Backing up or restoring the configuration using the SREM; Managing Nortel SNAS 4050 devices and software using the SREM; Downloading files using the SREM; Running Nortel SNAS 4050 diagnostics using the SREM
  • Page 724: Managing And Maintaining The System Using The CLI

    You can perform the following activities to manage and maintain the system and individual Nortel SNAS 4050 devices: • maintenance, in order to collect information for troubleshooting and technical support purposes (see “Performing maintenance using the SREM” on page ...) • Dump log file or system internal status information and send it to a file exchange server.
  • Page 725: Roadmap Of Maintenance And Boot Commands

    Commands: /cfg/gtcfg <protocol> <server> <filename> <passphrase>; /cfg/dump [<passphrase>]; /boot; /boot/software. Parameters: dumplogs <protocol> <server> <filename> <all-isds?>; dumpstats <protocol> <server> <filename> <all-isds?>; chkcfg; starttrace <tags> <domain ID> <output mode>; stoptrace; software; halt; reboot; delete; activate <version>
  • Page 726: Performing Maintenance Using The CLI

    Command. Performing maintenance using the CLI To check the applied configuration and to download log file and system status information for technical support purposes, use the following command: /maint The Maintenance menu displays. Parameter: download <protocol> <server> <filename>...
  • Page 727 <protocol> <server> <filename> <all-isds?>: Collects system log file information and sends it to a file on the specified file exchange server. The information can then be used for technical support purposes. You...
  • Page 728 /maint followed by: dumpstats <protocol> <server> <filename> <all-isds?>: Collects current system internal status information and sends it to a file on the specified file exchange server. The information can then be used for technical support purposes. You are prompted to provide the following parameters if you do not specify them in the command: •... chkcfg.
  • Page 729 <tags> <domain ID> <output mode>: Logs information pertaining to a client session. You are prompted to provide the following information: • tags: specifies the specific features or subsystems to which you want to limit tracing. stoptrace.
  • Page 730: Backing Up Or Restoring The Configuration Using The CLI

    Chapter 14 Maintaining and managing the system. Backing up or restoring the configuration using the CLI To save the system configuration to a file on a file exchange server, use the following command: /cfg/ptcfg <protocol> <server> <filename> <passphrase> To restore the system configuration, use the following command: /cfg/gtcfg <protocol>...
  • Page 731 <protocol> <server> <filename> <passphrase>: Saves the current configuration, including private keys and certificates, to a file on the specified file exchange server. You can later use this file to restore the...
  • Page 732 Table 166 Configuration menu backup and restore commands. /cfg followed by: gtcfg <protocol> <server> <filename> <passphrase>: Restores a configuration, including private keys and certificates, from a file on the specified file exchange server. You are prompted to provide the following information: •... dump [<passphrase>].
  • Page 733: Managing Nortel SNAS 4050 Devices Using The CLI

    If you have a Telnet or SSH connection to the Management IP address (MIP), use the /cfg/sys/host #/ command instead (see page 467). halt. Note: Always use the halt command before turning off the device.
  • Page 734: Managing Software For A Nortel SNAS 4050 Device Using The CLI

    /boot followed by: reboot: Reboots the Nortel SNAS 4050 device to which you are connected (using Telnet, SSH, or a console... delete. Managing software for a Nortel SNAS 4050 device using the CLI To view, download, and activate software versions for the Nortel SNAS 4050 device to which you are connected, use the following command: /boot/software The Software Management menu displays.
  • Page 735 The Software Management menu includes the following options: /boot/software followed by: activate <version>. Displays the status of the software versions on the particular device to which you are connected. The status options are: •...
  • Page 736: Managing And Maintaining The System Using The SREM

    /boot/software followed by: download <protocol> <server> <filename>. Managing and maintaining the system using the SREM Performing maintenance using the SREM To perform maintenance activities, choose from one of the following tasks: • “Dumping logs and status information using the SREM” on page 737 •...
  • Page 737: Dumping Logs And Status Information Using The SREM

    The information can then be used for technical support purposes. To dump logs or statistics, perform the following steps: Select the System > Maintenance > Dumps tab. The Dumps screen appears (see Figure 223). Figure 223 Dumps.
  • Page 738: Starting And Stopping A Trace Using The SREM

    Enter the Dump information in the applicable fields. Table 167 describes the Dump fields. Table 167 Dump fields: Dumplogs/Dumpstats, Protocol, Hostname/IP Address, Filename, Collect info for all iSDs, Username, Password. Click Dump. Starting and stopping a trace using the SREM You can perform a trace to log information about a client session.
  • Page 739 To start or stop a trace, perform the following steps: Select the System > Maintenance > Start/Stop Trace tab. The Start/Stop Trace screen appears (see Figure 224). Figure 224 Start/Stop Trace.
  • Page 740 Enter the Trace information in the applicable fields. Table 168 describes the Start/Stop Trace fields. Table 168 Start/Stop Trace fields: Trace type: Specifies the specific features or subsystems to which you want to limit tracing. Domain, Protocol, Hostname, Username, Password, Remote Filename. To start the trace, click Start Trace. To stop the trace, click Stop Trace.
  • Page 741: Checking Configuration Using The SREM

    Select the System > Maintenance > Check Configuration tab. The Check Configuration screen appears (see Figure 225). Figure 225 Check Configuration. Click Check Configuration. When the check is complete, results are displayed on the screen.
  • Page 742: Backing Up Or Restoring The Configuration Using The SREM

    Backing up or restoring the configuration using the SREM You can save the current configuration, including private keys and certificates, to a file on the specified file exchange server as a backup. You can later use this backup file to restore the configuration. To create a backup of your system or restore the configuration from an existing backup, perform the following steps: Select the System >...
  • Page 743: Managing Nortel SNAS 4050 Devices And Software Using The SREM

    (see “User rights and... on page 354). Table 169: For FTP and SFTP, the user name to access the file exchange server. For FTP and SFTP, the password to access the file exchange server.
  • Page 744: Managing Software Versions Using The SREM

    • “Rebooting or deleting a Nortel SNAS 4050 device using the SREM” on page 750. Managing software versions using the SREM To manage software images and perform upgrades on the Nortel SNAS 4050 device to which you are connected, select the System > Boot > Image List tab. The Image List screen appears (see... Nortel SNAS 4050 software versions used on this device.
  • Page 745 • “Activating a software image” on page 747 • “Removing an inactive software image” on page 748. permanent: the software version that is currently operational; the software version that preceded the currently operational software version; ...
  • Page 746 Viewing details of the active software image To view the details of the currently active software image on the Nortel SNAS 4050 device to which you are connected, perform the following steps: Select the System > Boot > Image List tab. The Image List screen appears (see... Select the image with a Status of permanent from the Image List.
  • Page 747 (see Figure 229). Figure 229 Image. Click Activate to make the selected image active. A confirmation dialog box appears. (see Figure 227 on page 744). For a description of each field that is displayed, see ... on page 744.
  • Page 748: Downloading Images Using The SREM

    When prompted, click Yes. The Nortel SNAS 4050 reboots when you confirm the Activate command. Note: When you activate a software upgrade on a Nortel SNAS 4050 device, all the Nortel SNAS 4050 devices in the cluster reboot. All active sessions are lost.
  • Page 749 To download an image from a file exchange server, perform the following steps: Select the System > Boot > Download Image tab. The Download Image screen appears (see Figure 230). Figure 230 Download Image.
  • Page 750: Rebooting Or Deleting A Nortel SNAS 4050 Device Using The SREM

    Enter the Download Image information in the applicable fields. Table 171 describes the Download Image fields. Table 171 Download Image fields: Download Type, Host, Filename, Username, Password. Click Apply on the toolbar to send the current changes to the Nortel SNAS 4050. Click Commit on the toolbar to save the changes permanently. Rebooting or deleting a Nortel SNAS 4050 device using the SREM You can shut down or reboot a Nortel SNAS 4050 device that has become isolated...
  • Page 751 (see Figure 231). Halt. When prompted, click Yes. Always use this command before turning off the device. To reset the Nortel SNAS 4050 device to which you are connected, click Delete. When prompted, click Yes.
  • Page 752: Downloading Files Using The SREM

    The command resets the device to its factory default configuration. All IP configuration is lost. The software itself remains intact. After executing the delete command, you can only access the device using a console connection and performing the initial setup. If you receive a warning that the device you are trying to delete has no contact with any other master Nortel SNAS 4050 device in the cluster, also connect to the MIP and delete the Nortel SNAS 4050 device from the cluster by using the...
  • Page 753 (see Figure 232). The host name or IP address of the file exchange server. The user name and password to access the file exchange server. The user name and password to access the file exchange server.
  • Page 754: Running Nortel SNAS 4050 Diagnostics Using The SREM

    Table 172 File Download fields: Remote File Path: The remote path where the file resides. Local Directory. Running Nortel SNAS 4050 diagnostics using the SREM To run basic diagnostics on the Nortel SNAS 4050, select the Diagnostics tab. The Diagnostics screen appears (see Figure 233). Figure 233 Diagnostics screen.
  • Page 755 Table 173 describes the Diagnostics fields. Table 173 Diagnostics fields: Operation: The diagnostic operation to perform. The options are: • Ping: verify station-to-station connectivity across the network. IP Address or Host Name.
  • Page 756 Chapter 14 Maintaining and managing the system
  • Page 757: Chapter 15: Upgrading Or Reinstalling The Software

    Minor release upgrade: This is typically a bug fix release. All configuration data is retained. To perform a minor upgrade, connect to the Management IP address (MIP) of the cluster you want to upgrade.
  • Page 758: Performing Minor And Major Release Upgrades

    Major release upgrade: This kind of release may contain bug fixes as well as feature enhancements. All configuration data is retained. To perform a major upgrade, connect to the MIP of the cluster you want to upgrade. Note: When you activate a software upgrade on a Nortel SNAS 4050 device, all the Nortel SNAS 4050 devices in the cluster reboot.
  • Page 759: Downloading The Software Image Using The CLI

    Enter the host name or IP address of the server. Enter hostname or IP address of server: <server host name or IP> Enter the file name of the software upgrade package to download. (see ... on page 483).
  • Page 760: Activating The Software Upgrade Package

    If needed, the file name can be prefixed with a search path to the directory on the TFTP/FTP/SCP/SFTP server. If you are using anonymous mode when downloading the software package from an FTP server, the following string is used as the password (for logging purposes): admin@hostname/IP.isd.
  • Page 761 Note: When you activate a software upgrade on a Nortel SNAS 4050 device, all the Nortel SNAS 4050 devices in the cluster reboot. All active sessions are lost. ... command. Status ------...
  • Page 762 At the Software Management# prompt, enter: >> Software Management# activate x.x Confirm action 'activate'? [y/n]: y Activate ok, relogin out here> Restarting system. login: Note: Activating the unpacked software upgrade package may cause the command line interface (CLI) software to be upgraded as well. Therefore, you will be logged out of the system, and will have to log in again.
  • Page 763: Reinstalling The Software

    ... Nortel SNAS 4050 using a console connection • an install image, loaded on a TFTP/FTP/SCP/SFTP server on your network • the IP address of the TFTP/FTP/SCP/SFTP server • the name of the install image
  • Page 764 • authorization to log on as the boot user. Note: A reinstall wipes out all configuration data, including network settings. Before reinstalling the software on a Nortel SNAS 4050 device with a working configuration, save all configuration data to a file on a TFTP/FTP/SCP/SFTP server.
  • Page 765: Reinstalling The Software From An External File Server

    If the core router attaches VLAN tag IDs to incoming packets, specify the VLAN tag ID used. Specify the host IP address for the device. d Specify the network mask. *** Reinstall Upgrade Procedure *** ... ForgetMe command, /boot/delete...
  • Page 766 Specify the default gateway IP address. Select a network port (1-4, or i for info) [1]: Enter VLAN tag id (or zero for no VLAN tag) [0]: Enter IP address for this iSD [192.168.128.185]: Enter network mask [255.255.255.0]: Enter gateway IP address [192.168.128.1]: Specify the download details: protocol for the download method b server IP address...
  • Page 767: Reinstalling The Software From A CD

    To reinstall the software image from a CD, perform the following steps: Boot the Nortel SNAS 4050 from the CD. Log on as the root user (no password). install-nsnas isd4050 When the installation is complete, remove the CD and reboot.
  • Page 768 Chapter 15 Upgrading or reinstalling the software
  • Page 769: Chapter 16: The Command Line Interface

    ... Nortel SNAS 4050 or cluster either through a local console connection (using a computer running terminal emulation software) or through a remote session using a Telnet client or a Secure Shell (SSH) client.
  • Page 770: Connecting To The Nortel SNAS 4050

    When using a Telnet or SSH client to connect to a cluster of Nortel SNAS 4050 devices, always connect to the Management IP address (MIP). Configuration changes are automatically propagated to all members of the cluster. However, to use the /boot/halt ... the Real IP address (RIP) of the particular Nortel SNAS 4050 device on which you want to perform these commands, or connect to that Nortel SNAS 4050 with a...
  • Page 771: Requirements

    You will next be required to log on by entering a user name and a password. For more information on user accounts and default passwords, see ... Nortel SNAS 4050 cluster” on page 775. Table 174.
  • Page 772: Establishing A Telnet Connection

    Establishing a Telnet connection A Telnet connection offers the convenience of accessing the Nortel SNAS 4050 cluster from any workstation connected to the network. Telnet access provides the same options for user access and administrator access as those available through the console port.
  • Page 773: Running Telnet

    (see page 484). For more information on how to restrict SSH access to one or more specific machines, see “Configuring the Access List using the CLI” on page 474. “Accessing ... on page 775. /cfg/sys/adm/ssh...
  • Page 774: Running An SSH Client

    Chapter 16 The Command Line Interface. Running an SSH client Connecting to the Nortel SNAS 4050 using an SSH client is similar to connecting using Telnet: the IP parameters on the Nortel SNAS 4050 must be configured in advance, and SSH access must be enabled. After you provide a valid user name and password, the CLI in the Nortel SNAS 4050 is accessible the same way as when using a Telnet client.
  • Page 775: Accessing The Nortel SNAS 4050 Cluster

    For security reasons, it is only possible to log on as the Root user through the console port using terminal emulation software. Reserve Root user access for advanced troubleshooting purposes, under guidance from Nortel customer support. For more information, see “How to get help” on page 360.
  • Page 776 Access to the Nortel SNAS 4050 CLI and settings is controlled through the use of four predefined user accounts and passwords. Once you are connected to the Nortel SNAS 4050 by a console connection or remote connection (Telnet or SSH), you are prompted to enter a user account name and the corresponding password.
  • Page 777: CLI Main Menu Or Setup

    ... (see “Initial setup” on page 49), a utility ... (page 483). Appendix A, “CLI reference,” on page 803. - Show command help menu [global command] - Exit [global command, always available]
  • Page 778 Chapter 16 The Command Line Interface. If you are automatically disconnected after the specified idle timeout interval, any unapplied configuration changes are lost. Therefore, make sure to save your configuration changes regularly by using the global apply command. If you have unapplied configuration changes when you use the global exit command to log out from the CLI, you will be prompted to use the global diff...
  • Page 779: Chapter 17: Configuration Example

    Switch 8600 functioning as the core router; a BCM call server; a DNS server; a DHCP server; and a remediation server. The edge switches function in Layer 2 mode. Figure 235 on page 780 illustrates the network configuration. Nortel Secure Network Access Switch 4050 User Guide Page...
  • Page 780 Figure 235 Basic configuration VLAN 20 Server IP: 10.20.20.2/24 GW: 10.20.20.1 VLAN 30 1/11 1/31 DHCP Server Ethernet Routing IP: 10.30.30.2/24 Switch 8600 1/47 GW: 10.30.30.1 10.200.200.10 1, 210, 220, 230, 240 Port 20 Remediation Server IP: 10.120.120.2/24 Ethernet Routing GW: 10.120.120.1 10.200.200.20 Table 176...
  • Page 781 10.120.120.1 10.11.11.1 VLANs for the Ethernet Routing Switch 8300 VLAN ID VLANs for the Ethernet Routing Switch 5510 VLAN ID Nortel Secure Network Access Switch 4050 User Guide Ethernet Routing Device IP address Switch 8600 port 10.40.40.2 (RIP) 10.40.40.3 (MIP) 10.40.40.100 (pVIP)
  • Page 782: Steps

    Steps “Configure the network DNS server” on page 782 “Configure the network DHCP server” on page 783 “Configure the network core router” on page 789 “Configure the Ethernet Routing Switch 8300 using the CLI” on page 790 “Configure the Ethernet Routing Switch 5510” on page 793 “Adding the network access devices”...
  • Page 783: Configure The Network Dhcp Server

    Log in to the server using the administrator username and password. Run the DHCP admin utility (Start > Programs > Administrative Tools > DHCP). Create a new DHCP scope (see Figure 237 Creating a new DHCP scope Figure 237). Nortel Secure Network Access Switch 4050 User Guide...
  • Page 784 Enter a descriptive name to identify the new scope (see In this example, you are creating a DHCP scope for the Red VLAN on the Ethernet Routing Switch 8300. The scope start address for the VLAN is 10.110.110.5 and the end address is 10.110.110.25. The scope you create must have a range of IP addresses that is large enough to accommodate all endpoint devices in your network.
  • Page 785 Chapter 17 Configuration example 785 Specify the IP address range for the DHCP scope (see Figure 239). Figure 239 Specifying the IP address range Nortel Secure Network Access Switch 4050 User Guide...
  • Page 786 Select the Yes, I want to configure these options now option button on the Configure DHCP Options window (see Figure 240 320818-A Choosing to configure additional options Figure 240).
  • Page 787 Enter the IP address of the default gateway (see Figure 241, Specifying the default gateway).
  • Page 788 Enter the IP address of the DNS server (see Figure 242). Note: In this configuration example, the Nortel SNAS 4050 will function as a captive portal. For the Red VLAN scope, the DNS server must be the Nortel SNAS 4050 portal Virtual IP address (pVIP). For the Yellow and Green VLAN scopes, enter the IP addresses for the regular DNS servers in your network.
  • Page 789: Configure The Network Core Router

    Refer to the regular documentation for the type of router used in your network. Create the Red, Yellow, Green, VoIP, and Nortel SNAS 4050 management VLANs. A table on this page shows the DHCP scopes created for use in this example.
  • Page 790: Configure The Ethernet Routing Switch 8300 Using The Cli

    Assign the VLAN port members. Since the edge switches in this example are operating in Layer 2 mode, enable 802.1q tagging on the uplink ports to enable them to participate in multiple VLANs, then add the ports to the applicable VLANs. Create IP interfaces for the VLANs.
  • Page 791: Enabling Ssh

    Configuring the Red, Yellow, and Green VLANs
    Passport-8310:5# config vlan 110 nsna color red filter-id
    Passport-8310:5# config vlan 120 nsna color yellow filter-id 320 yellow-subnet-ip 10.120.120.0/24
    Passport-8310:5# config vlan 130 nsna color green filter-id
  • Page 792: Configuring The Nsna Uplink Filter

    Configuring the NSNA uplink filter
    Passport-8310:6# config filter acl 100 create ip acl-name "dhcp"
    Passport-8310:6/config# filter acl 100 ace 1 create
    Passport-8310:6# config filter acl 100 ace 1 action fwd2cpu precedence 1
    Passport-8310:6# config filter acl 100 ace 1 ip ipfragment non-fragments
    Passport-8310:6# config filter acl 100 ace 1 protocol udp eq
    Passport-8310:6# config filter acl 100 ace 1 port dst-port...
  • Page 793: Configure The Ethernet Routing Switch 5510

    “Configuring the login domain controller filters” on page 795 “Configuring the NSNA ports” on page 795 “Enabling NSNA globally” on page 795
    Setting the switch IP address
    5510-48T(config)# ip address 10.200.200.20 netmask 255.255.255.0
    5510-48T(config)# ip default-gateway 10.200.200.10
  • Page 794: Configuring Ssh

    Configuring SSH
    In this example, the assumption is that the Nortel SNAS 4050 public key has already been uploaded to the TFTP server (10.20.20.20).
    5510-48T(config)# ssh download-auth-key address 10.20.20.20 key-name sac_key.1.pub
    5510-48T(config)# ssh
    Configuring the Nortel SNAS 4050 pVIP subnet
    5510-48T(config)# nsna nsnas 10.40.40.0/24
    Creating port-based VLANs
    5510-48T(config)# vlan create 210 type port...
  • Page 795: Configuring The Login Domain Controller Filters

    Enabling NSNA globally
    5510-48T(config)# nsna enable
    Configure the Nortel SNAS 4050
    To configure the Nortel SNAS 4050, perform the following steps: “Performing initial setup” on page 796 “Completing initial setup” on page 797
  • Page 796: Performing Initial Setup

    “Adding the network access devices” on page 798 “Mapping the VLANs” on page 800 “Enabling the network access devices” on page 801
    Performing initial setup
    Establish a serial console connection to the Nortel SNAS 4050 device. The Setup utility launches automatically on startup.
    Alteon iSD NSNAS Hardware platform: 4050 Software version: x.x...
  • Page 797: Completing Initial Setup

    Creating user 'tg' in group 'tunnelguard'. Initializing system...ok Setup successful. Relogin to configure.
    Completing initial setup
    Enable SSH for secure management communications (required for SREM):
    >> Main# cfg/sys/adm/ssh on
    Enable SRS administration:
    >> Main# cfg/sys/adm/srsadmin/ena
  • Page 798: Adding The Network Access Devices

    Generate and activate the SSH key for communication with the network access devices:
    >> Main# cfg/domain 1/sshkey/generate
    Generating new SSH key, this operation takes a few seconds... done. Apply to activate.
    >> NSNAS SSH key# apply
    Create a test SRS rule and specify it for the >>...
  • Page 799 Changes applied successfully.
    Export the Nortel SNAS 4050 public SSH key to the Ethernet Routing Switch 8300:
    >> Switch 1# sshkey/export
    Import the public SSH key from the switch:
    >> SSH Key# import
  • Page 800: Mapping The Vlans

    Adding the Ethernet Routing Switch 5510
    Use the quick switch wizard:
    >> Main# cfg/domain 1/quick
    Enter the type of the switch (ERS8300/ERS5500) [ERS8300]: ERS55
    IP address of Switch: 10.200.200.20
    NSNA communication port[5000]:
    Trying to retrieve fingerprint...failed.
    Error: “Failed to retrieve host key”...
  • Page 801: Enabling The Network Access Devices

    >> Domain Vlan# apply
    Changes applied successfully.
    Enabling the network access devices
    >> Main# cfg/domain 1/switch 1/ena
    >> Switch 1# ../switch 2/ena
    >> Switch 2# apply
    Changes applied successfully.
  • Page 803: Appendix A CLI Reference

    CLI shortcuts; Using slashes and spaces in commands; IP address and network mask formats; Variables; CLI Main Menu; CLI command reference; Information menu; Statistics menu; Configuration menu; Boot menu; Maintenance menu
  • Page 804: Using The Cli

    Using the CLI: CLI commands are grouped into a series of menus and submenus (see “CLI Main Menu”), with a summary of each command function. You can enter menu commands at the prompt that follows each menu. Global commands: Basic commands are recognized throughout the menu hierarchy. Use the global commands (Table 179) throughout the menus and to save configuration changes.
  • Page 805 Exit from the command line interface if the Nortel Secure Network Access Switch 4050 has stopped responding. TIP: This command should be used only when you are connected to a specific Nortel Secure Network Access Switch 4050 through a console connection. Do not use this command when connected to the Management IP of the cluster through a Telnet or SSH connection.
  • Page 806: Command Line History And Editing

    Table 179 Global commands (Sheet 3 of 3): verbose <n>: Sets the level of information displayed on the screen: 0 = Quiet: Nothing appears except errors, not even prompts. 1 = Normal: Prompts and requested output are shown without menus. 2 = Verbose: Everything is shown.
  • Page 807: Cli Shortcuts

    For example, to go from the Main menu prompt directly to the list command in the NTP Servers menu, enter the full path on a single line: >> Main# cfg/sys/time/ntp/list
  • Page 808: Command Abbreviation

    You can also use command stacking to proceed one or more levels in the menu system, and go directly to another submenu and one of the related menu options in that submenu. For example, to proceed two levels (from the NTP Servers menu to the System menu) and then go to the DNS settings menu to access the DNS servers menu, use the following command: >>...
  • Page 809: Using A Submenu Name As A Command Argument

    Sample output: VLAN tag id = 0; Mode = failover; Primary port = 0; Interface Ports: Host Port 1: Autonegotiation = on. To use a submenu name as a command argument (at a menu prompt one level up), use the following: /cfg/sys...
  • Page 810: Using Slashes And Spaces In Commands

    If you use the related to the Configuration menu and all submenus displays. Using slashes and spaces in commands To include a forward slash (/) or a space in a command string, place the string containing the slash or space within double quotation marks before you execute the command.
  • Page 811: Variables

    TunnelGuard check has failed. Operator-defined variables: custom variables can be created to retrieve the desired values from RADIUS and LDAP databases. It can also be expressed as...
  • Page 812: Cli Main Menu

    The following CLI menus are accessible from the Main menu: • Information — provides submenus for displaying information about the current status of the Nortel Secure Network Access Switch 4050. For the Information menu commands, see the Information menu section. • Statistics — provides submenus for displaying Nortel SNAS 4050 performance statistics.
  • Page 813 • Maintenance — used for sending technical support information to an external file server. For the Maintenance menu commands, see “Maintenance menu” on page 836.
  • Page 814: Information Menu

    Information menu: The Information menu contains commands used to display current information about the Nortel SNAS 4050 system status and configuration. Table 182 lists the Information commands in alphabetical order and provides cross-references to more detailed information. Table 182 Information menu commands (Sheet 1 of 2): Command /info
  • Page 815: Statistics Menu

    (Table 182, continued) Parameters/Submenus: <protocol> <server> <filename>; total; isdhost <host ID> <domain ID>; dump. Purpose/Usage: View active alarms (page 666); View and download log files (page 667). Table 183 lists the Statistics commands...
  • Page 816: Configuration Menu

    Configuration menu: The Configuration menu contains commands used to configure the Nortel SNAS 4050. Table 184 lists the configuration commands in alphabetical order and provides cross-references to more detailed information. Table 184 Configuration menu commands (Sheet 1 of 19): Command /cfg/cert <cert ID>; Parameters/Submenus: name <name>...
  • Page 817 (Table 184, continued) Parameters/Submenus: <name>; display; radius|ldap|local; groupauth <auth IDs>; secondauth <auth ID>. Purpose/Usage: Configure the domain (page 130). Create and configure an authentication method (page 239). Configure the current...
  • Page 818 Table 184 Configuration menu commands (Sheet 3 of 19): Command /cfg/domain #/aaa/auth #/ldap; /cfg/domain #/aaa/auth #/ldap/activedire; /cfg/domain #/aaa/auth #/ldap/ldapmacro; /cfg/domain #/aaa/auth #/ldap/servers; /cfg/domain #/aaa/auth <auth ID> (for local database). Parameters/Submenus: servers; searchbase <DN>; groupattr <names>; userattr <names>...
  • Page 819 (Table 184, continued) Parameters/Submenus: <index number>; add <IPaddr> <port> <shared secret>; insert <index number> <IPaddr>; move <index number> <new index number>. Purpose/Usage: Manage client users and their passwords in the local database (page 264).
  • Page 820 Table 184 Configuration menu commands (Sheet 5 of 19): Command /cfg/domain #/aaa/auth #/radius/sessiontim; /cfg/domain #/aaa/authorder <auth ID>[,<auth ID>]; /cfg/domain #/aaa/defgroup <group name>; /cfg/domain #/aaa/filter <filter ID>; /cfg/domain #/aaa/group <group ID>; /cfg/domain #/aaa/group #/extend [<profile ID>]. Parameters/Submenus...
  • Page 821 (Table 184, continued) Parameters/Submenus: <IPaddr> <port> <shared secret>; insert <index number> <IPaddr>; move <index number> <new index number>; vendorid; vendortype. Purpose/Usage: Map predefined linksets to an extended profile (page 206). Map predefined linksets to a group (page 206).
  • Page 822 Table 184 Configuration menu commands (Sheet 7 of 19): Command /cfg/domain #/aaa/tg; /cfg/domain #/aaa/tg/quick; /cfg/domain #/adv; /cfg/domain #/del; /cfg/domain #/dnscapt; /cfg/domain #/dnscapt/exclude; /cfg/domain #/httpredir. Parameters/Submenus: quick; recheck <interval>; heartbeat <interval>; hbretrycnt <count>; status-quo on|off; action teardown|restricted; list; details on|off; loglevel...
  • Page 823 (Table 184, continued) Parameters/Submenus: <text>; linkurl on|off; linkcols <columns>; linkwidth <width>; companynam; colors; content; lang; ieclear on|off. Purpose/Usage: Create and configure a linkset (page 412). Create and configure the links included in the linkset (page 414).
  • Page 824 Table 184 Configuration menu commands (Sheet 9 of 19): Command /cfg/domain #/portal/colors; /cfg/domain #/portal/content; /cfg/domain #/portal/lang; /cfg/domain #/quick; /cfg/domain #/server. Parameters/Submenus: color1 <code>; color2 <code>; color3 <code>; color4 <code>; theme default|aqua|apple|jeans|cinnamon|candy; import <protocol> <server> <filename>; export <protocol>...
  • Page 825 (Table 184, continued) Parameters/Submenus: <host>; dnslookup <host>; traceroute <host>; generate; show; export. Purpose/Usage: Set up a syslog server to receive UDP syslog messages for all HTTP requests handled by the portal server (page 143).
  • Page 826 Table 184 Configuration menu commands (Sheet 11 of 19): Command /cfg/domain #/switch <switch ID>; /cfg/domain #/switch #/dis; /cfg/domain #/switch #/ena; /cfg/domain #/switch #/hlthchk; /cfg/domain #/switch #/sshkey; /cfg/domain #/switch #/vlan. Parameters/Submenus: name <name>; type ERS8300|ERS5500; ip <IPaddr>...
  • Page 827 (Table 184, continued) Parameters/Submenus: <host ID>; routes; time; rsa <server ID>; syslog; accesslist; user; distrace. Purpose/Usage: Manage the VLAN mappings for all the network access devices in the domain (page 82). Perform a configuration dump (page 730).
  • Page 828 Table 184 Configuration menu commands (Sheet 13 of 19): Command /cfg/sys/accesslist; /cfg/sys/adm; /cfg/sys/adm/audit; /cfg/sys/adm/audit/servers; /cfg/sys/adm/auth. Parameters/Submenus: list; del <index number>; add <IPaddr> <mask>; snmp; sonmp on|off; clitimeout <interval>; audit; auth; telnet on|off; ssh on|off; srsadmin; sshkeys; servers; vendorid; vendortype; list; del <index number>...
  • Page 829 (Table 184, continued) Parameters/Submenus: <v1|v2c|v3>; snmpv2-mib; community; users; target; event; read <name>; write <name>; trap <name>. Purpose/Usage: Configure the Nortel SNAS 4050 to use external RADIUS servers to authenticate system users (page 493). Configure SNMP for the Nortel SNA network (page 618).
  • Page 830 Table 184 Configuration menu commands (Sheet 15 of 19): Command /cfg/sys/adm/snmp/event; /cfg/sys/adm/snmp/snmpv2-mib; /cfg/sys/adm/snmp/target <target ID>. Parameters/Submenus: addmonitor [<options>] -b <name> <OID> <op> <value>; addmonitor [<options>] -t <name> <OID> <value and event>; addmonitor [<options>] -x <name> <OID> [present|absent|changed]; delmonitor <name>...
  • Page 831 (Table 184, continued) Parameters/Submenus: <entries>; retransmit <interval>; count <count>; ttl <ttl>; health <interval>; hdown <count>; hup <count>. Purpose/Usage: Manage SNMPv3 users in the Nortel SNAS 4050 configuration (page 623). Configure support for managing the SRS rules (page 485).
  • Page 832 Table 184 Configuration menu commands (Sheet 17 of 19): Command /cfg/sys/dns/servers; /cfg/sys/host #/interface #/ports; /cfg/sys/host #/interface #/routes; /cfg/sys/host #/interface <interface ID>; /cfg/sys/host #/port <port>; /cfg/sys/host #/routes. Parameters/Submenus: list; del <index number>; add <IPaddr>; insert <index number> <IPaddr>...
  • Page 833 (Table 184, continued) Parameters/Submenus: <index number>; add <IPaddr> <facility>; insert <index number> <IPaddr> <facility>; move <index number> <new index number>. Purpose/Usage: Configure basic TCP/IP properties for a particular Nortel SNAS 4050 device (page 465)...
  • Page 834 Table 184 Configuration menu commands (Sheet 19 of 19): Command /cfg/sys/time; /cfg/sys/time/ntp; /cfg/sys/user; /cfg/sys/user/edit <username>; /cfg/sys/user/edit <username>/groups. Parameters/Submenus: date <date>; time <time>; tzone; list; del <index number>; add <IPaddr>; password <old password> <new password> <confirm new password>; expire <time>; list; del <username>...
  • Page 835: Boot Menu

    Parameters/Submenus: software; halt; reboot; delete; activate <version>; download <protocol> <server> <filename>. Purpose/Usage: Manage Nortel SNAS 4050 software and devices (page 733). View, download, and... (page 734)...
  • Page 836: Maintenance Menu

    Maintenance menu: The Maintenance menu contains commands used to perform maintenance and management activities for the system and individual Nortel SNAS 4050 devices. Table 186 lists the Maintenance commands and provides a cross-reference to more detailed information. Table 186 Maintenance menu commands: Command /maint
  • Page 837: Chapter 18: Troubleshooting

    • The Nortel SNAS 4050 stops responding (page 843) • A user password is lost (page 844) • A user fails to connect to the Nortel SNAS 4050 domain (page 845)
  • Page 838: Cannot Connect To The Nortel Snas 4050 Using Telnet Or Ssh

    Cannot connect to the Nortel SNAS 4050 using Telnet or SSH. Verify the current configuration: Connect with a console connection and check that Telnet or SSH access to the Nortel SNAS 4050 is enabled. By default, remote connections to the Nortel SNAS 4050 are disabled for security reasons.
  • Page 839: Check The Ip Address Configuration

    If your host is allowed to access the Nortel SNAS 4050 over the network according to the Access List, check that you have configured the correct IP addresses on the Nortel SNAS 4050.
  • Page 840 Ensure that you ping the host IP address (RIP) of the Nortel SNAS 4050, and not the Management IP address (MIP) of the cluster in which the Nortel SNAS 4050 is a member. Enter the command for all Nortel SNAS 4050 devices in the cluster. >>...
  • Page 841: Cannot Add The Nortel Snas 4050 To A Cluster

    Management IP address (MIP). Use the /boot/software/cur command to check that the active software version is permanent (page 763). After you adjust the software (see “Performing minor and...” on page 758), add the Nortel SNAS 4050 device from the Setup menu using the join option.
  • Page 842: Check The Access List

    The problem may be that there are existing entries in the Access List. When Telnet or SSH access is enabled, only those hosts listed in the Access List are allowed to access the Nortel SNAS 4050 over the network. If no hosts have been added to the Access List, this means that any host is allowed to access the Nortel SNAS 4050 over the network (assuming that Telnet or SSH access is enabled).
  • Page 843: The Nortel Snas 4050 Stops Responding

    Log on as the Administrator user and again use the /info/contlist command to check if the operational status of the Nortel SNAS 4050 is now up.
  • Page 844: A User Password Is Lost

    If the operational status of the Nortel SNAS 4050 is still down, reboot the machine. On the device, press the Power button on the back panel to turn the machine off, wait until the fan comes to a standstill, and then press the Power button again to turn the machine on.
  • Page 845: Boot User Password

    Enter tags (list of all,aaa,dns,ssl,tg,snas) [all]: aaa,ssl
    Enter Domain (or 0 for all Domains) [0]:
    Output mode (interactive/tftp/ftp/sftp) [interactive]:
    Use the trace command to trace the different steps involved in a... (see “Accessing the Nortel...” on page 775).
  • Page 846 For more information about the tags available for the trace, and the available output modes, see “...the CLI” on page... Table 187 shows sample output for the various tags. Table 187 Sample output for the trace command: Description: Logs authentication method, user... Sample output: >> Maintenance# ... 12:54:08.875111: Trace started...
  • Page 847: System Diagnostics

    The method used to check the connection (for example, ping) is also displayed. See Appendix A, “CLI reference,” to cross-reference where the commands are described, and “Running Nortel SNAS 4050...” on page 754.
  • Page 848 To check network settings for a specific Nortel SNAS 4050, access the Cluster Host menu by typing the following commands: >> Main# /cfg/sys/host <host by index number> >> Cluster Host 1# cur To check general network settings related to the cluster to which you have connected, enter the following command: >>...
  • Page 849: Active Alarms And The Events Log File

    The /maint/dumplogs command collects... (or, optionally, all Nortel SNAS 4050 devices in the cluster) and sends the information to a file in the gzip compressed tar format on the TFTP/FTP/SFTP
  • Page 850 server you specify. The information can then be used for technical support purposes. The file sent to the TFTP/FTP/SFTP server does not contain any sensitive information related to the system configuration, such as certificates or private keys.
  • Page 851: Appendix B Syslog Messages

    • operating system (page 852) • system control process (page 853) • traffic processing subsystem (page 857) • start-up (page 860) • AAA (page 861) • NSNAS (page 863). See also “Configuring syslog servers using the CLI” on page 481.
  • Page 852: Operating System (Os) Messages

    Operating system (OS) messages: There are three categories of operating system (OS) messages: • EMERG • CRITICAL • ERROR. Table 188 lists the EMERG operating system messages. Table 188 Operating system messages — EMERG: Message: Root filesystem corrupt; Config filesystem corrupt beyond repair; Failed to write to config filesystem...
  • Page 853: System Control Process Messages

    OS version). See Table 191 on page 854, Table 193 on page 855, and Table 194 on page 856. You can view active alarms with the /info/events/alarms command and download the events log with the /info/events/download command. For more information, see page 659.
  • Page 854: About Alarm Messages

    Table 191 lists the System Control Process INFO messages. Table 191 System control process messages — INFO: Message: System started [isdssl-<version>]. About alarm messages: Alarms are sent at a syslog level corresponding to the alarm severity shown in Table 192. Table 192 Alarm severity: CRITICAL...
  • Page 855 ...Check loaded licenses using the /cfg/sys/cur command. ALARM: The (demo) license loaded to the local Nortel SNAS 4050 expires within 7 days. Check loaded licenses using the /cfg/sys/cur command.
  • Page 856: About Event Messages

    About event messages: Events are sent at the NOTICE syslog level. Event messages are formatted according to the following pattern: Name: <Name> Sender: <Sender> Extra: <Extra>. Table 194 lists the System Control Process EVENT messages. Table 194 System Control Process messages — EVENT: Message: Name: partitioned_network (Sender and Extra are lower level information).
  • Page 857: Traffic Processing Subsystem Messages

    VBScript on the page. ERROR: Problem encountered when parsing an encoded JavaScript. The problem could be in the Nortel SNAS 4050 JavaScript parser, or it could be a problem on the processed page.
  • Page 858 Table 196 Traffic Processing messages — ERROR (Sheet 2 of 3) Message css error: <reason> Failed to syslog traffic :<reason> -- disabling traf log www_authenticate: bad credentials http error: <reason>, Request=”<method> <host><path>” http header warning cli: <reason> (<header>) http header warning srv: <reason> (<header>) failed to parse Set-Cookie <header>...
  • Page 859 ...Nortel SNAS 4050. WARNING: A specific interface is configured to be used by the IPsec server but this interface is not configured on the Nortel SNAS 4050. ...the /cfg/... setting is set to off.
  • Page 860: Start-Up Messages

    Table 198 lists the Traffic Processing INFO messages. Table 198 Traffic Processing messages — INFO Message gzip error: <reason> gzip warning: <reason> accept() turned off (<nr>) too many fds No cert supplied by backend server No CN supplied in server cert <subject> Bad CN supplied in server cert <subject>...
  • Page 861: Aaa Subsystem Messages

    Amount of physical memory found on system. (See Table 200 on page 861 and Table 201 on page 862.) Category / Explanation/Action: ERROR: Indicates LDAP server(s) cannot be reached when a user tries to log in to the portal.
  • Page 862 Table 201 lists the AAA INFO messages. INFO messages are generated only if the CLI command Table 201 AAA messages — INFO (Sheet 1 of 2) Log value Message contains... login NSNAS LoginSucceeded Domain=”<id>” Method=<“ssl”> SrcIp=”<ip>” User=”<user>” Groups=”<groups>” NSNAS LoginSucceeded Domain=”<id>”...
  • Page 863: Nsnas Subsystem Messages

    (See Table 202 on page 864 and Table 203 on page 864.) The client failed to access the specified web server requested from the portal. The client failed to access the specified folder/directory on the specified file server requested from the portal’s Files...
  • Page 864 Table 202 lists the NSNAS ERROR messages. Table 202 NSNAS — ERROR Message Domain:1, Switch: <switchID> ERROR cmd timeout for cmd :<commandID> Table 203 lists the NSNAS INFO messages. Table 203 NSNAS — INFO (Sheet 1 of 2) Message [A:B:C:D] NSNA portup [A:B:C:D] NSNA portdown LoginSucceeded Domain=”1”...
  • Page 865: Syslog Messages In Alphabetical Order

    Traffic Processing: The Nortel SNAS 4050 has temporarily stopped accepting new connections. This will happen when the Nortel SNAS 4050 is overloaded. It will start accepting connections once it has finished processing its current sessions. CRITICAL: Reinstall.
  • Page 866 Table 204 Syslog messages in alphabetical order (Sheet 2 of 10) Message audit Bad CN supplied in server cert <subject> Bad IP:PORT data <line> in hc script Bad regexp (<expr>) in health check Bad script op found <script op> Bad string found <string> Can't bind to local address: <ip>:<port>: <reason>...
  • Page 867 ...SNAS 4050 tried to send traffic logging syslog messages. Traffic syslogging was disabled as a result. Probable hardware error. Reinstall. INFO, Start-up: Amount of physical memory found on system. INFO, Traffic Processing: Problem encountered when processing compressed content.
  • Page 868 Table 204 Syslog messages in alphabetical order (Sheet 4 of 10) Message gzip warning: <reason> HC: backend <ip>:<port> is down INFO HC: backend <ip>:<port> is up again html error: <reason> http error: <reason>, Request=”<method> <host><path>” http header warning cli: <reason> (<header>) http header warning srv: <reason>...
  • Page 869 ...Control are stored) could not be opened. INFO, NSNAS: On Domain 1, user “<user>” with IP ”<IP>” and belonging to group “<group>/<profile>/” has logged in. ERROR: Loss of logs. .../cfg/sys/cur...
  • Page 870 Table 204 Syslog messages in alphabetical order (Sheet 6 of 10) Message make_software_release_permane nt_failed Missing files in config filesystem No cert supplied by backend server No CN supplied in server cert <subject> No more than <nr> backend supported No PortalGuard license loaded: Domain <id>...
  • Page 871 ...Resuming accepting new sessions after loading new configuration. INFO, Config Reload: Virtual server configuration reloading start. EMERG: The system cannot boot, but stops with a single-user prompt. fsck failed. Reinstall in order to recover.
  • Page 872 Table 204 Syslog messages in alphabetical order (Sheet 8 of 10) Message Root filesystem repaired - rebooting Server <id> uses default interface (interface <n> not configured) Set CSWIFT as default Since we use clicerts, force adjust totalcache size to : <size> per server that use clicerts single_master socks error: <reason>...
  • Page 873 ERROR, Traffic Processing: Key for doing sslconnect is not valid. Please reconfigure. ERROR, Traffic Processing: Certificate for doing sslconnect is not valid. Please reconfigure. ERROR, Traffic Processing: Key for doing sslconnect is not valid. Please reconfigure.
  • Page 874 Table 204 Syslog messages in alphabetical order (Sheet 10 of 10) Message Unable to use the certificate for <server nr> unknown WWW-Authenticate method, closing vbscript error: <reason> for: <host><path> www_authenticate: bad credentials 320818-A Severity Type Explanation ERROR Traffic Unsuitable certificate configured for server Processing ERROR Traffic...
  • Page 875: Appendix C: Supported Mibs

    For information about configuring the SNMP agent in a cluster, see “Configuring SNMP” on page 617. Supported MIBs: The following MIBs are supported by the Nortel SNAS 4050: • ALTEON-ISD-PLATFORM-MIB • ALTEON-ISD-SSL-MIB • ALTEON-ROOT-MIB • ALTEON-SAC-CAP...
  • Page 876 • ALTEON-SSL-VPN-MIB • ANAifType-MIB • DISMAN-EVENT-MIB • ENTITY-MIB • IF-MIB • IP-FORWARD-MIB • IP-MIB • NORTEL-SECURE-ACCESS-SWITCH-MIB • S5-ROOT-MIB • S5-TCS-MIB • SNMP-FRAMEWORK-MIB • SNMP-MPD-MIB • SNMP-NOTIFICATION-MIB • SNMP-TARGET-MIB • SNMP-USER-BASED-SM-MIB • SNMPv2-MIB • SNMP-VIEW-BASED-ACM-MIB • SYNOPTICS-ROOT-MIB • 5-ETH-MULTISEG-TOPOLOGY-MIB Table 205 provides more information about some of the MIBs supported by the Nortel SNAS 4050.
  • Page 877 The agent does not implement the following objects: • ifType • ifSpeed • ifLastChange • ifInUnknownProtos • ifOutNUnicast The following group is implemented: • ipCidrRouteGroup The following groups are implemented: • ipGroup • icmpGroup
  • Page 878 Table 205 Supported MIBs (Sheet 3 of 3): NORTEL-SECURE-ACCESS-SWITCH-MIB; SNMP-FRAMEWORK-MIB; SNMP-MPD-MIB; SNMP-NOTIFICATION-MIB; SNMP-TARGET-MIB; SNMP-USER-BASED-SM-MIB; SNMPv2-MIB; SNMP-VIEW-BASED-ACM-MIB. Description: Contains objects for monitoring the Nortel SNAS 4050 devices. The following groups are implemented: • snasBasicGroup • snasEventGroup. The following group is implemented: •...
  • Page 879: Supported Traps

    Sent when the agent detects that one of the links (interfaces) has gone down. Defined in IF-MIB. Sent when the agent detects that one of the links (interfaces) has gone up. Defined in IF-MIB. ...to enabled or...
  • Page 881: Appendix D Supported Ciphers

    SSL protocol / Key Exchange Algorithm, Authentication: SSLv2 RSA, RSA; SSLv3 RSA (1024), RSA; SSLv3 RSA (1024), RSA; SSLv3 RSA (1024), RSA; SSLv3 RSA (1024), RSA. Encryption Algorithm / MAC Digest Algorithm: AES (256) SHA1; AES (256) SHA1; 3DES (168) SHA1...
  • Page 882 Table 207 Supported ciphers. Cipher name: EDH-RSA-DES-CBC-SHA; DES-CBC-SHA; DES-CBC-MD5; EXP-EDH-RSA-DES-CBC-SH...; EXP-DES-CBC-SHA; EXP-RC2-CBC-MD5; EXP-RC4-MD5; EXP-RC2-CBC-MD5; EXP-RC4-MD5; ADH-AES256-SHA; ADH-DES-CBC3-SHA; ADH-AES128-SHA; ADH-RC4-MD5; ADH-DES-CBC-SHA; EXP-ADH-DES-CBC-SHA; EXP-ADH-RC4-MD5. SSL protocol / Key Exchange Algorithm, Authentication: SSLv3 DH, RSA; SSLv3 RSA, RSA; SSLv2 RSA, RSA; SSLv3 DH (512), RSA; SSLv3 RSA (512), RSA; SSLv3...
  • Page 883: Appendix E: Adding User Preferences Attribute To Active Directory

    Click Start and select Run. In the Open field, enter regsvr32 schmmgmt.dll. Note that there is a space between regsvr32 and schmmgmt.dll. Click OK. This command will register schmmgmt.dll on your computer.
  • Page 884: Add The Active Directory Schema Snap-In (Windows 2000 Server And Windows Server 2003)

    Add the Active Directory Schema Snap-in (Windows 2000 Server and Windows Server 2003) Click Start and select Run. On Windows 2000 Server, enter mmc in the Open field. On Windows Server 2003, enter mmc /a instead. Note that there is a space between mmc and /a. Click OK.
  • Page 885 Under Snap-in, select Active Directory Schema and click Add. Active Directory Schema is added to the Add/Remove Snap-in window. Click Close to close the Add Standalone Snap-in window. The Add/Remove Snap-in window redisplays.
  • Page 886: Create A Shortcut To The Console Window

    Click OK. The Console window redisplays. To save the console (including the Schema snap-in), go to the File (Console) menu and select Save. The Save As window displays. 10 Save the console in the Windows\System32 root folder. As file name, enter schmmgmt.msc. 11 Click Save.
  • Page 887: Create A New Attribute (Windows 2000 Server And Windows Server 2003)

    You receive a warning that creating schema objects is a permanent operation and cannot be undone. Click Continue. The Create New Attribute window displays. Create the isdUserPrefs attribute as shown below: Click OK.
  • Page 888: Create The New Class

    Create the new class To create the nortelSSLOffload class, proceed as follows: In the Console window, right-click Classes, point to New and select Class. You will now receive a warning that creating schema classes is a permanent operation and cannot be undone. Click Continue.
  • Page 889: Add The nortelSSLOffload Class To The User Class

    In the Console window, on the left pane, expand Classes and select user. Right-click and select Properties. The Properties window is displayed. Select the Relationship tab. Next to Auxiliary Classes, click Add Class (Add).
  • Page 890 Add the nortelSSLOffload class as an auxiliary class as shown below: Click OK. Once you have enabled the User Preferences feature on the Nortel SNAS 4050 (using the CLI command /cfg/domain #/aaa/auth #/ldap/enauserpre or the BBI setting User Preferences under VPN Gateways>Authentication>Auth Servers (LDAP)>Modify), the remote user should now be able to store user preferences in Active Directory.
  • Page 891: Appendix F: Configuring DHCP To Auto-Configure IP Phones

    DHCP server and learn the appropriate phone VLAN ID, and the second for the Phone VLAN itself.
  • Page 892: Configuring IP Phone Auto-Configuration

    For information on the minimum firmware versions required to support IP Phones in the Nortel SNA solution, see Release Notes for the Nortel Secure Network Access Solution, Software Release 1.0 (320850-A). Configuring IP Phone auto-configuration To configure Windows 2000 Server DHCP to auto-configure the IP Phones, perform the following steps: Create DHCP options (see •...
  • Page 893 Note: When you expand the DHCP server navigation tree component, the scopes for that particular server are listed below the server name and IP address. From the DHCP Management Console toolbar, select Action > Set Predefined Options.
  • Page 894 The Predefined Options and Values dialog box opens (see Figure 246). Click Add. The Option Type dialog box opens (see Figure 247 on page 895). Figure 246 The Predefined Options and Values dialog box
  • Page 895 Create the DHCP option for the auto-discovery of VLAN ID information: In the Predefined Options and Values dialog box, click Add. The Option Type dialog box opens (see Figure 247 on page 895).
  • Page 896: Configuring The Call Server Information And VLAN Information Options

    b In the Option Type dialog box, enter the required information (see Table 209). Table 209 lists the fields Name, Data type, Code and Description (the values to enter are not captured here). Click OK. In the Predefined Options and Values dialog box, click OK to return to the DHCP Management Console. Configuring the Call Server Information and VLAN Information options For the Auto VLAN Discovery feature, you must configure the options for both...
  • Page 897 The Scope Options dialog box displays (see Figure 248). Figure 248 The Scope Options dialog box. Using the scroll bar, scroll down the list to find the two DHCP options just created.
  • Page 898 Configure Call Server Information: Select the check box beside 128 Call Server Information. b In the String value field, enter the following string: Nortel-i2004-A,iii.iii.iii.iii:ppppp,aaa,rrr;iii.iii.iii.iii:ppppp,aaa,rrr. Note: The Nortel IP Phone 2002, IP Phone 2004, and IP Phone 2007 use the same signature. Therefore, the string value for Call Server Information is the same for all these IP Phones.
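An added example, not from the manual: a validator for the Call Server Information string in the format given above, so a mistyped scope value is caught before the phones read it. The sample string and its addresses are constructed; the two numeric fields the page shows as aaa and rrr are checked only as integers because the page does not define their meaning, and one or more server entries are accepted.

```python
"""Validate a DHCP option 128 Call Server Information string of the form
Nortel-i2004-A,iii.iii.iii.iii:ppppp,aaa,rrr;iii.iii.iii.iii:ppppp,aaa,rrr.
Added example; field meanings beyond the page's format are not assumed."""
import ipaddress

# Signature shared by the IP Phone 2002, 2004 and 2007 (per the manual).
SIGNATURE = "Nortel-i2004-A"

def parse_call_server_option(value: str) -> list:
    """Return [(ip, port, aaa, rrr), ...] or raise ValueError naming the
    first defect found."""
    if not value.endswith("."):
        raise ValueError("string must end with a period")
    sig, sep, rest = value[:-1].partition(",")
    if sig != SIGNATURE or not sep:
        raise ValueError(f"expected signature {SIGNATURE!r}, got {sig!r}")
    servers = []
    for entry in rest.split(";"):          # entries are ';'-separated
        fields = entry.split(",")
        if len(fields) != 3:
            raise ValueError(f"entry {entry!r}: need addr:port,aaa,rrr")
        addr_port, aaa, rrr = fields
        host, sep, port = addr_port.partition(":")
        if not sep:
            raise ValueError(f"entry {entry!r}: missing ':port'")
        ip = ipaddress.IPv4Address(host)    # rejects a malformed dotted quad
        if not (port.isdigit() and 0 < int(port) <= 65535):
            raise ValueError(f"entry {entry!r}: bad port {port!r}")
        if not (aaa.isdigit() and rrr.isdigit()):
            raise ValueError(f"entry {entry!r}: aaa and rrr must be numeric")
        servers.append((str(ip), int(port), int(aaa), int(rrr)))
    return servers

def is_valid(value: str) -> bool:
    """True when the string parses; use before pasting it into the scope."""
    try:
        parse_call_server_option(value)
        return True
    except ValueError:
        return False

# Constructed sample (documentation addresses), not a value from the manual.
SAMPLE = "Nortel-i2004-A,192.0.2.10:5000,1,5;192.0.2.11:5000,1,5."

if __name__ == "__main__":
    print(parse_call_server_option(SAMPLE))
```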
  • Page 899: Setting Up The IP Phone

    The hardware revision of the IP Phone The VLAN ID in decimal through step 6 to configure the options for the to use DHCP. ) to set the phone to learn its VLAN ID from the 897), select...
  • Page 901: Appendix G: Using A Windows Domain Logon Script To Launch The Nortel

    Configuring the logon script To configure the logon script to automatically launch an end user’s browser, perform the following steps: Create the logon script (see “Creating a logon script” on page 902).
  • Page 902: Creating A Logon Script

    On a Windows 2000 domain controller, save the script to the following directory: %systemroot%\SYSVOL\sysvol\[Domain Name]\Policies\[GUID]\User\Scripts\Logon where: • %systemroot% is an environment variable representing the operating system root folder.
  • Page 903: Creating The Script As A VBScript File

    Figure 249 on page 904 illustrates the steps. Click Start > Administrative Tools > Active Directory Users and Computers. Right-click the domain to which you want to add the script, and select Properties.
  • Page 904 On the Group Policy tab, click Open. Double-click Default Domain Policy. Right-click the Default Domain Policy and select Edit. Expand User Configuration > Windows Settings and select Scripts (Logon/Logoff). In the right pane, double-click Logon. Click Add. Enter the file name of the script you want to assign, and click OK. 10 Click OK.
  • Page 905: Appendix H: Software Licensing Information

    Eric Young (eay@cryptsoft.com). The implementation was written so as to conform with Netscape SSL. This library is free for commercial and non-commercial use as long as the following conditions are adhered to. The following...
  • Page 906: GNU General Public License

    conditions apply to all code found in this distribution, be it the RC4, RSA, lhash, DES, etc., code; not just the SSL code. The SSL documentation included with this distribution is covered by the same copyright terms except that the holder is Tim Hudson (tjh@cryptsoft.com).
  • Page 908 4. You may not copy, modify, sublicense, or distribute the Program except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense or distribute the Program is void and will automatically terminate your rights under this License.
  • Page 909 Foundation. For more information on the Apache Software Foundation, please see <http://www.apache.org/>. Portions of this software are based upon public domain software originally written at the National Center for Supercomputing Applications, University of Illinois, Urbana-Champaign.
  • Page 910 Bouncy Castle license Copyright (c) 2000 - 2004 The Legion Of The Bouncy Castle (http://www.bouncycastle.org) Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the...
  • Page 911: Index

    242 supported 234 use different authorization method 241, 242 view information 268 authorization methods use different authentication method 241, 242 authorization, in Nortel SNA. See groups automatic JRE upload 397...
  • Page 912 automatic redirection, from portal 396 autorun linksets 394 backend interface configure 145 backup certificates and keys 574, 591, 605 configuration 67 secondary authentication method 242 baud rate, console connection 771 bookmarks, add attribute 883 boolean monitor, for SNMP events 627, 650 Boot user access level 775 software reinstall 765...
  • Page 913 123 domain, using SREM domain quick wizard 154 extended profile 203, 220 group 198 groups, SREM guide 209 LDAP authentication method 249, 283 Local authentication method 261, 299...
  • Page 914 RADIUS authentication method 242, 272 CSR (Certificate Signing Request) and associated private key 583 generate 579, 601 information required 580, 602 submit 583 CTRL, ^ (CLI global command) 805 cur (CLI global command) 805 curb (CLI global command) 805 customer support 29 default entries in Exclude List 387 portal page appearance 390...
  • Page 915 SSH key 85, 103 See also add initial setup 52 install certificates and keys 573, 584 interfaces, in two-armed configuration client portal traffic 40 IP addresses 52 management traffic 40...
  • Page 916 IP addresses 51 in two-armed configuration 52 MIP 51 pVIP 51 RIP 52 subnet requirements 52 IP Phones, supported in Nortel SNA 33 join a cluster 61 JRE requirement, for Nortel SNA 33 JRE upload, from portal page 397 key types, for SSH host keys 39 language change on portal page 393 on portal page 392...
  • Page 917 39 configuration and management tools 42 domain 118 export public SSH key 103, 106 functions 34 import network access device public SSH key 103 initial setup 52 MIP 51 pVIP 51...
  • Page 918 RIP 52 role in Nortel SNA solution 33 SSH public key, export 84 nslookup (CLI global command) 805 one-armed configuration 40, 41 online help CLI 804 OpenSSL license issues 905 operating system requirements, for Nortel SNA 32 Operator user, access level 775 passwords 776 Active Directory, manage 260 modify in local authentication database 309...
  • Page 919 627, 650 configure 618, 633 configure community 622 configure events 627, 647 configure notification targets 626 configure SNMPv2 MIB 621 configure SNMPv3 users 623, 640 configure targets 634 enable management 620...
  • Page 920 existence monitor 627, 654 in Nortel SNA 618 manage events 655 manage monitor events 647 manage targets 638 monitors 627 supported MIBs 875 supported traps 879 threshold monitor 627, 652 versions supported 618 SNMPv2 MIB configure 621 described 878 SNMPv3 users configure 623, 640 software activate downloaded upgrade package 761...
  • Page 921 RADIUS accounting 149, 184 vendor-specific codes for RADIUS authentication 236 verbose (display option) 806 view information authentication methods 268 certificates 577, 598, 610 connected clients 113 Virtual IP address. See pVIP VLANs colors described 34...
  • Page 922 default mapping, domain quick setup wizard 128 in Nortel SNA solution 34 mapping 82, 96 VoIP phones, supported in Nortel SNA 33 VoIP VLAN, in Nortel SNA solution 35 Windows domain logon script 398 wizards domain quick setup 123 quick setup 58 quick switch setup 75 quick TunnelGuard setup 134, 172 SREM domain quick 154...
