Nortel 325 series CLI Manual

Secure network access switch

Nortel Secure Network Access Switch
Using the Command Line
Interface
Release: 2.0
Document Revision: 03.01
www.nortel.com
NN47230-100
320818-D

Summary of Contents for Nortel 325 series

  • Page 1: Using The Command Line Interface

    Nortel Secure Network Access Switch Using the Command Line Interface Release: 2.0 Document Revision: 03.01 www.nortel.com NN47230-100 320818-D...
  • Page 2 ANY KIND, EITHER EXPRESS OR IMPLIED. The information and/or products described in this document are subject to change without notice. Nortel, the Nortel logo, and the Globemark are trademarks of Nortel Networks. All other trademarks are the property of their respective owners.
  • Page 3: Table Of Contents

    Next steps 54 Applying and saving the configuration 55 Managing the network access devices Before you begin 57 Copyright © 2007, 2008 Nortel Networks Nortel Secure Network Access Switch Using the Command Line Interface NN47230-100 03.01 Standard 28 July 2008...
  • Page 4 Configuration of the RADIUS authentication methods 134 Configuration of the EAP authentication methods 136 Select the server certificate Select the CA certificate...
  • Page 5 Managing user accounts and passwords 213 Managing user settings 216 Managing user groups 217 CLI configuration examples 218...
  • Page 6 Key and certificate formats 298 Creating certificates 299 Installing certificates and keys 299 Saving or exporting certificates and keys 300...
  • Page 7 Upgrading or reinstalling the software Upgrading the Nortel SNAS Performing minor and major release upgrades 368 Activating the software upgrade package 369...
  • Page 8 Command line history and editing 416 CLI shortcuts 417 Using slashes and spaces in commands 419 IP address and network mask formats 420...
  • Page 9 Creating the script as a batch file 502 Creating the script as a VBScript file 503 Assigning the logon script 503...
  • Page 11: Software License

    30 days of purchase to obtain a credit for the full purchase price. "Software" is owned or licensed by Nortel Networks, its parent or one of its subsidiaries or affiliates, and is copyrighted and licensed, not sold. Software consists of machine-readable instructions, its components, data, audio-visual content (such as images, text, recordings or pictures) and related licensed materials including all whole or partial copies.
  • Page 12 Upon termination or breach of the license by Customer or in the event designated hardware or CFE is no longer in use, Customer will promptly return the Software to Nortel Networks or certify its destruction. Nortel Networks may audit by remote polling or other reasonable means to determine Customer’s Software activation or...
  • Page 13 48 C.F.R. Sections 12.212 (for non-DoD entities) and 48 C.F.R. 227.7202 (for DoD entities). Customer may terminate the license at any time. Nortel Networks may terminate the license if Customer fails to comply with the terms and conditions of this license. In either event, upon termination, Customer must either return the Software to Nortel Networks or certify its destruction.
  • Page 15: New In This Release

    SNAS using the administrative tool, the policy is updated on the Nortel Health Agent running on the logged-in operating systems. For more information, see “Configuring the Nortel Health Agent check” (page 92).
  • Page 16: Other Changes

    VLAN transition. For more information, see “Multi-OS Applet Support” (page 32). Other changes: No changes.
  • Page 17: Introduction

    4050 or 4070) controls operation of the Nortel SNAS. This user guide covers the process of implementing the Nortel SNAS using the Nortel SNAS 4050 or 4070 for Nortel Secure Network Access Switch Software Release 2.0. The document includes the following information: •...
  • Page 18: Before You Begin

    Ensure that you are running the latest version of Nortel SNAS software. For information about upgrading the Nortel SNAS, see “Upgrading or reinstalling the software” (page 367). See also “The Command Line Interface”. Text conventions: This guide uses the following text conventions: --End--
  • Page 19 Courier text, braces ({}), brackets ([ ]), ellipsis points (. . . ). Enter text based on the description inside the brackets. Do not type the brackets when entering the command. Example: If the command syntax is ping <ip_address>, you enter...
  • Page 20: Related Information

    Nortel Secure Network Access Solution Guide (NN47230-200) • Nortel Secure Network Access Switch 4050 Installation Guide (NN47230-300) • Nortel Secure Network Access Switch 4050 User Guide for the CLI (NN47230-100) • Installing and Using the Security, • Release Notes for Nortel Ethernet Routing Switch 5500 Series, Software Release 5.0.1,...
  • Page 21: Online

    To locate the ERC for your product or service, go to the http://www.nortel.com/helpweb page and follow these links:
  • Page 22 Click CONTACT US on the left side of the HELP web page. Click Technical Support on the CONTACT US web page. Click Express Routing Codes on the TECHNICAL SUPPORT web page. --End--
  • Page 23: Overview

    Support for MAC OSX, Linux OS, and non-interactive devices; MAC address policy services; Flexible deployment: Filter only and VLAN and filters deployment. Section: Not applicable; “Configuring local DHCP services”; “...DHCP subnet type” (page 118); “Configuring local DHCP services”...
  • Page 24: The Nortel SNAS

    (SSCP) are referred to as NSNA network access devices in this document. Generally, NSNA network access devices are the Ethernet Routing Switch 5500 Series and the Ethernet Routing Switch 8300. Specifically, Release 1.6.1 features are supported by the Ethernet Routing Switch 5500 Series, Release 5.0.2 and later.
  • Page 25: Elements Of The Nortel SNAS

    Ethernet Routing Switch 8300 — Ethernet Routing Switch 4500, 5510, 5520, or 5530 ATTENTION NSNA Release 1.6.1 does not currently support the Ethernet Routing Switch 8300 as a Policy Enforcement Point. • RADIUS, DHCP, and DNS servers The following devices are additional, optional elements of the Nortel SNAS: •...
  • Page 26: Supporting Additional Users With The Software License File

    After you obtain the software license file from Nortel, you must copy the entire license key to the switch using the CLI or the BBI. When you copy the license key, ensure you include the BEGIN LICENSE and END LICENSE lines.
  • Page 27: Role Of The Nortel SNAS

    If a device falls out of compliance, the Nortel SNAS can dynamically move the device into a quarantine or remediation VLAN. See “Configuring the Nortel SNAS host”.
  • Page 28 • NSNA network access devices including Nortel Ethernet Switch models - 325, 425, 450, 470 and 2500 series and Ethernet Routing Switch models - 4500 series, 5500 series, 8300 and 8600 as well as third-party switches. VLANs and filters...
  • Page 29 Switch 8300, Software Release 2.2.8. To configure the Nortel SNAS for VLANs and filters enforcement, see “Configuring groups” (page 156), enftype. Filters only...
  • Page 30 • the Nortel Health Agent SRS rule to be applied • what on the portal page after the user has been authenticated (see “Configuring groups” (page 156), enftype). Though configuring for Filters...
  • Page 31 MAC address, IP type, device type, and group name(s). You can optionally specify a user name, IP address of the device, comments, and the IP address, unit, and port of the switch to which the device is attached.
  • Page 32 SRS rules, see information about the Nortel Health Agent SRS Builder in Nortel Secure Network Access Switch 4050 User Guide for the SREM (NN47230-101). For information about mapping an SRS rule to a group, see...
  • Page 33 Table 2 “Communication channels” shows the communication channels: Between Nortel SNAS and client PC (Nortel Health Agent applet); For Nortel SNAS; From edge switch to EPM. Communication protocol: TCP and UDP...
  • Page 34 Nortel SNAS and the network access devices, see “Managing SSH keys” (page 68). For information about managing SSH keys for Nortel SNAS management communications, see page 284. Communication protocol: Telnet over SSH. The Secure Shell (SSH) protocol provides secure and...
  • Page 35: Nortel SNAS Clusters

    • fault tolerance—If a Nortel SNAS device fails, the failure is detected by the other node in the cluster, which takes over the switch control and session handling functions of the failed device. As long as there is one running Nortel SNAS, no sessions will be lost.
  • Page 36: Nortel SNAS Configuration And Management Tools

    GUI management tool. You can then continue to use the CLI to configure and manage the Nortel SNAS, or you can use the GUI.
  • Page 37: Nortel SNAS Configuration Roadmap

    Nortel SNAS. For information about configuring the Nortel SNAS using the SREM, see Nortel Secure Network Access Switch 4050 User Guide for the SREM (NN47230-101). For general information about installing and using the SREM, see Installing and Using the Security.
  • Page 38 If the edge switches are operating in Layer 2 mode, configure ... scope. • Specify the default gateway. For more information about performing these general configuration steps, see the regular documentation for the type of router used in your network.
  • Page 39 Configure the Nortel SNAS portal Virtual IP address. e. Configure port tagging, if applicable. g. Configure DHCP relay and IP routing if the switch is used in ... h. (Optional) Configure the Red, Yellow, Green, and VoIP filters. k. Configure the Nortel SNAS ports.
  • Page 40 Nortel recommends running the quick setup wizard (page 43). Configure system users (see “Configuring administrative settings” (page 68)). Configure groups (see “Configuring groups”). Configure the end user experience (see “...and user logon”). “Performing maintenance”...
  • Page 41: Initial Setup

    Network Access Solution Guide (NN47230-200). In order to configure the Nortel SNAS, you require the following information: • IP addresses — Nortel SNAS Management IP address (MIP), portal Virtual IP address (pVIP), Real IP address (RIP) —...
  • Page 42: About The IP Addresses

    SNAS have only one pVIP. When the Nortel SNAS portal is configured as a captive portal, the pVIP is used to load balance logon requests. — network access devices — remediation server (if applicable)
  • Page 43: Initial Setup

    Action: Log on using the following username and password: login: admin Password: admin. The Setup Menu appears. See “Adding a Nortel SNAS device to a cluster” (page 50).
  • Page 44 VLAN tagged. When configuring the network access devices in Layer 2 configurations, ensure that you add the uplink ports to the Nortel...
  • Page 45 If the core router attaches VLAN tag IDs to incoming packets, ... e. Specify the default gateway IP address for Interface 2. The ... WARNING: If you receive an error message that the iSD (the Nortel SNAS device) cannot contact the gateway, verify your settings on the core router.
  • Page 46 If you do not generate the SSH host keys at this stage, generate them later when you configure the system (see “...Nortel SNAS host SSH keys”). Enter port number for the traffic interface [1-4]: <port>...
  • Page 47 Create http to https redirect server [yes]: Specify the action to be performed when an SRS rule check fails. The options are: ... See “Managing SSH keys” (page 68), “Configuring the domain” (page 79), and “Settings created by the quick setup wizard” (page 49).
  • Page 48 Creating SRS rule ’srs-rule-syscred-test’ for compliancy check. This rule check for the presence of the file ... restricted: The session remains intact, but access is restricted in accordance with the rights specified in the access rules for the group.
  • Page 49: Settings Created By The Quick Setup Wizard

    A test certificate is installed and mapped to the Nortel SNAS portal. The authentication method is set to Local database. --End--
  • Page 50: Adding A Nortel SNAS Device To A Cluster

    (for more information, see “Managing software for a Nortel SNAS device”). /cfg/sys/accesslist/list command to view settings for the Access List (for more information, see ...). VLAN ID / Client filter name: nha_failed...
  • Page 51 Step / Action: Log on using the following username and password: login: admin Password: admin. The Setup Menu appears. See “About the IP addresses” (page 42) and “Upgrading the Nortel SNAS”.
  • Page 52 Enter network mask [255.255.255.0]: <mask> If the core router attaches VLAN tag IDs to incoming packets, specify the VLAN tag ID used.
  • Page 53 Nortel SNAS in the cluster. After a short while, you receive the login prompt. ... will be assigned to Interface 2. The port number must not be the same as the port number for the management interface (Interface 1).
  • Page 54: Next Steps

    Specify the SRS rule for the nhauser group (see ...). c. Add the network access devices (see ...). d. Specify the VLAN mappings (see ...). --End-- SSH access to the Nortel SNAS (for more information, see “Configuring administrative settings”...
  • Page 55: Applying And Saving The Configuration

    To save your configuration to a TFTP, FTP, SCP, or SFTP server, use the following command: /cfg/ptcfg. For more information, see page 356. ... setup, configure the following: • Create the domain (see ...) •...
  • Page 57: Managing The Network Access Devices

    In Trusted Computing Group (TCG) terminology, the edge switches in a Nortel SNAS function as the Policy Enforcement Point. In this document, the term network access devices is used to refer to the edge switch once it is configured for the Nortel SNAS network.
  • Page 58: Managing Network Access Devices

    Managing network access devices The Nortel SNAS starts communicating with the network access devices as soon as you enable the switch on the Nortel SNAS by using the /cfg/domain #/switch #/ena command. You cannot configure the VLAN mappings for a network access devices in the Nortel SNAS domain if the switch is enabled.
  • Page 59: Nortel Secure Network Access Switch

    Commands: /cfg/domain #/vlan, /cfg/domain #/switch #/vlan, /cfg/domain #/sshkey, /cfg/domain #/switch #/sshkey, /cfg/domain #/switch #/hlthchk, /cfg/domain #/switch #/dis, /cfg/domain #/switch #/ena. Parameters: name <name>, type ERS8300|ERS5500, ip <IPaddr>, mgmtproto <sscp|sscplite>, port <port>...
  • Page 60: Adding A Network Access Devices

    Adding a network access devices: You can add a network access devices to the configuration in two ways. You must repeat the steps for each switch that you want to add to the domain configuration. •...
  • Page 61: Using The Command Line Interface

    ATTENTION Based on the discovery result, the wizard asks for switch ports, switch uplinks port (in case of sscplite switch) or NSNA communication port (in case of sscp switch). Specify the VLAN ID of the Red VLAN, as configured on the network access devices.
  • Page 62: Nortel Secure Network Access Switch

    ID to the network access devices. The switch is disabled when it is first added to the configuration. Do not enable the switch until you have completed configuring the system. For more information, see “...access devices”...
  • Page 63: Nortel Secure Network Access Switch

    If the fingerprint is not successfully retrieved, you receive an error message (Error: Failed to retrieve host key). After you have added the switch, you must add or import the SSH public key for the switch (see “Managing SSH keys for Nortel SNAS communication” (page 71)).
  • Page 64: Deleting A Network Access Devices

    Configuring the network access devices When you first add a network access devices to the Nortel SNAS domain, the switch is disabled by default. Do not enable the switch until you have completed configuring it. In particular, do not enable the switch until you...
  • Page 65: Nortel Secure Network Access Switch

    To configure a network access devices in the Nortel SNAS domain, use the following command: /cfg/domain #/switch <switch ID> where switch ID is the ID or name of the switch you want to configure. The Switch menu appears. The Switch menu includes the following options: /cfg/domain #/switch <switch ID>...
  • Page 66: Mapping The VLANs

    Mapping the VLANs: The VLANs are configured on the network access devices. You specify the Red VLAN for each network access devices when you add the switch (see “Adding a network access devices” (page 60)); you must identify the Yellow and Green VLANs to the Nortel SNAS.
  • Page 67: Nortel Secure Network Access Switch

    /cfg/domain #/switch #/vlan The Nortel SNAS maintains separate maps for the domain and the switch. If you add a VLAN from the domain-level vlan command, you must use the domain-level command for all future management of that mapping.
  • Page 68: Managing SSH Keys

    Removes the specified VLAN entry from the applicable VLAN map. • index is an integer indicating the index... Managing SSH keys: ... SSH key generated during initial setup for all Nortel SNAS hosts in the cluster (see ...). • Export the Nortel SNAS public key to each network access devices.
  • Page 69: Nortel Secure Network Access Switch

    ...SSH key”. ATTENTION: In general, enter Apply to apply the changes immediately after you execute any of the SSH commands. See “Managing SSH keys for Nortel SNAS communication” (page 71).
  • Page 70: Nortel Secure Network Access Switch

    Generates an SSH public key for the domain. There can be only one key in effect for the Nortel SNAS domain at any one time. If a key already exists, you are prompted to confirm that you want to replace it.
  • Page 71: Nortel Secure Network Access Switch

    Managing SSH keys for Nortel SNAS communication: To retrieve the public key for the network access devices and export the public key for the domain, use the following command:
  • Page 72: Nortel Secure Network Access Switch

    Whenever the network access devices generates a new public SSH key, you must import the new key into the Nortel SNAS domain. Retrieves the SSH public key from the network access devices, if it is reachable.
  • Page 73: Monitoring Switch Health

    The Nortel SNAS continually monitors the health of the network access devices. At specified intervals, a health check daemon sends queries and responses to the switch as a heartbeat mechanism. If no activity (heartbeat) is detected, the daemon will retry the health check for a specified number of times (the dead count).
  • Page 74: Controlling Communication With The Network Access Devices

    /cfg/domain #/switch #/dis Enter apply to apply the change immediately. ATTENTION If the switch is not going to be used in the Nortel SNAS network, Nortel recommends deleting the switch from the Nortel SNAS domain, rather than just disabling it.
  • Page 75: Configuring SNMP Profiles

    VOIP phones • Nortel SNAS should use MAC Authentication • Multiple PCs connected using a hub to the switch port are not supported. To configure the sscplite, access the menu by using the following command: /cfg/domain #/switch #/mgmtproto. The Switch menu configuration is modified to include different communication protocols (sscp, sscplite).
  • Page 76: Configuring SNMP Versions

    SNMPv3 also facilitates remote configuration of the SNMP entities. SNMPv3 was formed mainly to address the deficiencies related to security and administration. Set the name of the profile. Set the supported SNMP versions.
  • Page 77: Configuring Sscplite Community

    Set Read Community string (Read = Public). Set Write Community string (Write = Private). Set Trap Community string (trap = trap). The SNMP templates include the following options: /cfg/device followed by list, show, import. list: Lists the templates being used.
  • Page 78: Nortel Secure Network Access Switch

    export: Export new switch Templates to the TFTP servers. clear: Delete command will delete the template entry from the list and can delete the whole list of Templates.
  • Page 79: Configuring The Domain

    ...(page 83). To delete a domain, see “Deleting a domain” (page 89). ATTENTION: With Nortel Secure Network Access Switch Software Release 1.6.1, you cannot configure the Nortel SNAS to have more than one domain. Configuring the domain: To configure the domain, access the Domain menu by using the following command:
  • Page 80: Nortel Secure Network Access Switch

    • advanced settings such as a backend interface and logging options (see “Configuring advanced settings”). See also: “Configuring authentication” (page 171), “Configuring groups and profiles”, “Configuring the Nortel Health Agent check” (page 92), “Configuring RADIUS accounting” (page 110), “Configuring SNMP Profiles” (page 75)...
  • Page 81: Roadmap Of Domain Commands

    Commands: /cfg/domain <domain ID>, /cfg/quick, /cfg/domain #/del, /cfg/domain <domain ID>, /cfg/domain #/aaa/nha, /cfg/domain #/aaa/nha/quick, /cfg/domain #/aaa/nha/desktopagent, /cfg/domain #/server, /cfg/domain #/server/trace. Parameters: name <name>, pvips <IPaddr>, recheck <interval>, heartbeat <interval>, hbretrycnt <count>, hbretrycnt <count>, status-quo on|off...
  • Page 82: Nortel Secure Network Access Switch

    Commands: /cfg/domain #/server/ssl, /cfg/domain #/server/adv/traflog, /cfg/domain #/httpredir, /cfg/domain #/adv, /cfg/domain #/aaa/radacct, /cfg/domain #/aaa/radacct/servers, /cfg/domain #/aaa/radacct/domainattr. Parameters: cert <certificate index>, cachesize <sessions>, cachettl <ttl>, cacerts <certificate index>, cachain <certificate index list>, protocol ssl2 | ssl3 | ssl23 | tls1, ciphers <cipher list>...
  • Page 83: Creating A Domain

    /cfg/domain <domain ID> command and commands on the Domain menu. For more information about the Domain menu commands, see “Configuring domain parameters” (page 89). See also “About the IP addresses” (page 42). ... shows sample output for the...
  • Page 84: Nortel Secure Network Access Switch

    “Settings created by the quick setup wizard” (page 49). You can later modify all settings created by the domain quick setup wizard (see “Configuring domain parameters” (page 89)).
  • Page 85: Nortel Secure Network Access Switch

    When prompted, paste in the certificate and key from a text ... c. Enter an ellipsis (...) to signal the end of the certificate. d. To continue, go to ... (page 89). ...certificate file from a text editor, press Enter to accept the default value (no).
  • Page 86: Nortel Secure Network Access Switch

    Do you want to configure a switch? (yes/no) [no]: If you do want to add a network access devices, enter yes to launch the quick switch wizard. Go to ... For more information, see “Generating and submitting a CSR”...
  • Page 87: Nortel Secure Network Access Switch

    Apply to activate the changes. The wizard assigns the following default VLAN IDs: • ... • ... (page 60). restricted—the session remains intact, but access is restricted in accordance with the rights specified in the access rules for the group; teardown—the SSL session is torn down...
  • Page 88: Nortel Secure Network Access Switch

    Creating Authentication 1 Adding user ’nha’ with password ’nha’ Creating Group 2 ... (page 64). You specify the Red VLAN when ... • an existing certificate (Certificate 1) is being used • no network access devices is being added...
  • Page 89: Deleting A Domain

    Nortel SNAS cluster. The Domain menu appears. The Domain menu includes the following options:
  • Page 90: Nortel Secure Network Access Switch

    Parameters: <IPaddr>, location, patchlink, server. Names or renames the domain. • name is a string that must be unique in the domain. The maximum length of the string is 255 characters.
  • Page 91: Nortel Secure Network Access Switch

    Accesses the Portal menu, in order to customize the portal page that appears in the client’s web browser (see “...user logon”). Accesses the Linkset menu, in order to...
  • Page 92: Configuring The Nortel Health Agent Check

    /cfg/domain #/aaa/nha The Nortel Health Agent menu appears. The Nortel Health Agent menu includes the following options: Accesses the NAP menu to configure the NAP (see “Configuration of Microsoft NAP Interoperability”...
  • Page 93: Nortel Secure Network Access Switch

    <interval>, heartbeat <interval>, hbretrycnt <count>. Launches the Quick Nortel Health Agent setup wizard, in order to configure default Nortel Health Agent check settings and the check result (see “...Health Agent setup wizard in the CLI” (page 96)).
  • Page 94: Nortel Secure Network Access Switch

    Specifies whether the Nortel SNAS domain operates in status-quo mode. Status-quo mode determines the behavior of the Nortel SNAS if no client activity is detected after the inactivity interval (heartbeat x hbretrycnt).
  • Page 95: Nortel Secure Network Access Switch

    Lists the SRS rules configured for the domain. For information about creating SRS rules, see the information about the Nortel Health Agent SRS Rule Builder in Nortel Secure Network Access Switch 4050 User Guide for the SREM (NN47230-101).
  • Page 96: Nortel Secure Network Access Switch

    Do you want to create a test user for system authentication? (yes/no) [yes]: Do you want to create a test local user? (yes/no) [yes]: User policy configuration... Creating Client Filter 1 • info—high-level information about processes •...
  • Page 97: Configuring The SSL Server

    >> Nortel Health Agent# apply Changes applied successfully. Configuring the SSL server: The server number assigned to the portal server configured for the domain is server 1001.
  • Page 98: Nortel Secure Network Access Switch

    <port>, interface <interface ID>, dnsname <name>, trace. Specifies the port on which the portal server listens for HTTPS communications. • port is an integer in the range 1–65534 that indicates the TCP port number. The default is 443.
  • Page 99: Nortel Secure Network Access Switch

    Tracing SSL traffic /cfg/domain #/server/trace followed by: ssldump Copyright © 2007, 2008 Nortel Networks Accesses the SSL Settings menu, in order to configure SSL settings for the portal server (see “Configuring SSL settings” (page Accesses the Advance settings menu, in order...
  • Page 100: Nortel Secure Network Access Switch

    100 Configuring the domain /cfg/domain #/server/trace followed by: tcpdump Copyright © 2007, 2008 Nortel Networks specify. You are prompted to enter the required information. You can specify the file exchange server using either the host name or the IP address.
  • Page 101: Nortel Secure Network Access Switch

    /cfg/domain #/server/trace followed by: ping <host> dnslookup <host> traceroute <host> Copyright © 2007, 2008 Nortel Networks You can read a saved TCP traffic dump file using the TCPDUMP or Ethereal application on a remote machine. The default output mode is interactive.
  • Page 102: Nortel Secure Network Access Switch

• host is the host name or IP address of the target station. If a backend interface is mapped to the current Nortel SNAS domain, the check is made through the backend interface.
Configuring SSL settings
/cfg/domain #/server/ssl followed by: cert <certificate index>
  • Page 103: Nortel Secure Network Access Switch

<ttl>, cacerts <certificate index>, cachain <certificate index list>
Sets the size of the SSL cache. • sessions is an integer less than or equal to 10000 indicating the number of cached sessions. The default is 4000.
  • Page 104: Nortel Secure Network Access Switch

protocol ssl3|ssl23|tls1, verify none|optional|required, ciphers <cipher list>
Specifies the protocol to use when establishing an SSL session with a client. The SSL server can use chain certificates only if the protocol version is set to ssl3 or ssl23 (see /cfg/domain #/server/ssl/protocol). Note that SSLv2 and SSLv3 have since been prohibited (RFC 6176 and RFC 7568); on a current network, tls1 is the only one of these protocol settings that should be selected, and a client that cannot negotiate it is a client to fix rather than a reason to lower the setting.
  • Page 105: Nortel Secure Network Access Switch

SSL terminating device itself. You can also enable it temporarily for debugging purposes.
included in the backend servers’ list of preferred ciphers, as the SSL connection will otherwise be refused.
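The requirement above, that a cipher the portal offers must also be in the backend server's list, can be checked offline before either side is changed. The following is an added example, not code from the Nortel manual or the device: it uses Python's ssl module to expand two OpenSSL cipher strings the way both ends would, reports the overlap in the server's preference order, and flags suites a reviewer would reject. The cipher strings, the WEAK_MARKERS list and the function names are this example's own.

```python
import ssl

# Added example (not from the Nortel manual): expand OpenSSL-style cipher
# strings offline and check that the portal server and a backend server share
# at least one cipher. The cipher strings in the usage below are constructed.

# Substrings that mark cipher suites a reviewer would reject outright.
WEAK_MARKERS = ("NULL", "EXPORT", "EXP-", "RC4", "DES", "MD5", "ADH", "AECDH")


def expand(spec):
    """Return the cipher names an OpenSSL cipher string selects, in the order
    OpenSSL would offer them. TLS 1.3 suites are left out because the cipher
    string does not govern them and the device predates TLS 1.3."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(spec)
    except ssl.SSLError:
        # OpenSSL reports "no cipher match": the string selects nothing usable
        return []
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def negotiable(client_spec, server_spec):
    """Ciphers both sides accept, in the server's preference order. An empty
    result means the handshake is refused, which is the failure the manual
    warns about for the connection to the backend."""
    offered = set(expand(client_spec))
    return [name for name in expand(server_spec) if name in offered]


def weak_ciphers(spec):
    """Names in the expanded list that should not appear in a cipher list."""
    return [n for n in expand(spec) if any(m in n for m in WEAK_MARKERS)]


if __name__ == "__main__":
    portal = "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256"
    backend = "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384"
    print("negotiable:", negotiable(portal, backend))
    print("weak in portal list:", weak_ciphers(portal))
```

Run it against the exact strings that will be entered under ciphers on the SNAS and on the backend; an empty negotiable list is the "connection refused" case described above, and a non-empty weak_ciphers list means the string is doing less than its author thinks.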
  • Page 106: Nortel Secure Network Access Switch

<IPaddr>, udpport <port>, priority debug|info|notice
Specifies the IP address of the syslog server. Specifies the UDP port number of the syslog server. • port is an integer in the range 1–65534 that indicates the UDP port number. Syslog over UDP is neither authenticated nor encrypted, so point it at a collector that is reachable only over the management network.
  • Page 107: Configuring Http Redirect

Enables traffic logging with syslog messages to the specified syslog server. Traffic logging with syslog messages is disabled by default. Disables traffic logging with syslog messages.
Table 9 Configuring HTTP redirect
/cfg/domain #/httpredir followed by: port <port>
  • Page 108: Browser-Based Management Configuration

Otherwise, the client PC will not be able to reach the portal for user authentication.
Management IP address assigned to your SNAS cluster in your web browser. The HTTPS menu includes the following options:
  • Page 109: Configuring Advanced Settings

Sets the port number to be used for browser-based SNAS configuration from the BBI using SSL. Enables the HTTPS server used for browser-based configuration on the SNAS using SSL.
The Advanced menu includes the following options:
Table 12 Configuring advanced settings
/cfg/domain #/adv
  • Page 110: Configuring Radius Accounting

References a previously created interface to serve as a backend interface for the domain. • interface ID is an integer that indicates the interface number.
• Nortel SNAS device Real IP address (RIP) • session ID
  • Page 111: Nortel Secure Network Access Switch

Configuring RADIUS accounting
/cfg/domain #/aaa/radacct followed by: servers, domainattr
Accesses the RADIUS Accounting Servers menu, in order to configure external RADIUS accounting servers for the domain (see “Managing RADIUS accounting servers”...
“Configuring Nortel SNAS-specific” (page 114)). In conjunction with custom plugins on RADIUS, “Managing RADIUS accounting servers” (page
  • Page 112: Nortel Secure Network Access Switch

Enables RADIUS accounting. The default is disabled. Disables RADIUS accounting.
Table 14 Managing RADIUS accounting servers
/cfg/domain #/aaa/radacct/servers followed by: list, del <index number>
Lists the IP addresses of currently configured RADIUS accounting servers, by index number.
  • Page 113: Nortel Secure Network Access Switch

<shared secret>, insert <index number> <IPaddr>, move <index number> <new index number>
Adds a RADIUS accounting server to the configuration. You are prompted to enter the following information: • IPaddr—the IP address of the accounting server •...
  • Page 114: Nortel Secure Network Access Switch

To configure vendor-specific attributes in order to identify the Nortel SNAS domain, use the following command:
/cfg/domain #/aaa/radacct/domainattr
The Domain Attribute menu appears. The Domain Attribute menu includes the following options:
The vendor ID is the IANA private enterprise number: http://www.iana.org/assignments/enterprise
--End--
  • Page 115: Configuring Local Dhcp Services

• support for non-NSNA network access devices, including Nortel Ethernet Switch models 325, 425, 450, 470 and 2500 series and Ethernet Routing Switch models 4500 series, 5500 series, 8300 and 8600, as well as third-party switches, and support for multiple devices on a port (for example, when a hub is connected to the port).
  • Page 116: Nortel Secure Network Access Switch

DHCP subnets and types. You are provided with the option of changing the global values when specific DHCP settings are configured. See Settings menu” (page
“Standard DHCP subnet type” (page
“Filter DHCP subnet type” (page 118).
  • Page 117: Nortel Secure Network Access Switch

• del # deletes the range with index number #.
• add IPaddressLower IPaddressUpper adds a new range with lower and upper limits defined by IPaddressLower and IPaddressUpper, respectively.
“Standard DHCP subnet type” (page 120), or “Hub DHCP subnet type” (page
  • Page 118: Nortel Secure Network Access Switch

• move #A #B changes the index number of range #A to #B and changes the index number of #B to #A. That is, the ranges switch places in the range list.
Prompts you to identify and configure values for the standard DHCP options.
  • Page 119: Nortel Secure Network Access Switch

To direct the clients to an external DHCP server, enter the IP address of the server here and do not configure the green zone.
vlan Enter a name for the VLAN.
“Nortel SNAS enforcement types” “Configuring groups” (page
  • Page 120: Nortel Secure Network Access Switch

Nortel SNAS. The filter DHCP subnet type allows you to optimize network performance by redirecting DNS services from the Nortel SNAS to the corporate DNS server. The menu for the filter DHCP subnet type includes:
  • Page 121: Nortel Secure Network Access Switch

See “Configuring local DHCP services”.
  • Page 122: Nortel Secure Network Access Switch

Use subnet together with a subnet address and mask to delete DHCP leases for the subnet. Use all to delete all DHCP leases.
  • Page 123: Creation Of The Location

The Location List menu appears. The Location List menu includes the following options:
/cfg/domain/location/locations followed by: add <switch IP> <unit/port>
A string that specifies a unique location name. Manages switch IP and unit/port details. • add—adds a switch and unit/port.
  • Page 124: Configuring Lumension Patchlink Integration

Removes the location from the configuration. • lists all the configured locations.
The PatchLink Servers menu appears. The PatchLink Servers menu includes the following options:
/cfg/domain/patchlink followed by: add <IP address> <username> <password>
  • Page 125: Nortel Secure Network Access Switch

/cfg/domain/patchlink followed by: del <index number>, list
Deletes the PatchLink server from the PatchLink list. • Lists all PatchLink servers that have been added, by user name and password. Enables the PatchLink server. Disables the PatchLink server. Use a dedicated PatchLink account with only the rights the integration needs, since its user name and password are held in the SNAS configuration.
  • Page 127: Configuration Of The Radius Server

Integrating the RADIUS server with the Nortel Health Agent’s 802.1X support provides 802.1X user authentication and health assessment in the Nortel SNAS.
  • Page 128: Roadmap Of Radius Server Configuration Commands

Command: /cfg/domain/radius, /cfg/domain/radius/clients, /cfg/domain/radius/realms, /cfg/domain/radius/dictionary, /cfg/domain/radius/accounting, /cfg/domain/radius/methods
Parameter: authentication port, accounting port, list, del <index number>, add <client IP address> <shared secret>, insert <index number> <client IP address>...
  • Page 129: Configuration Of The Radius Server

Configuration of the RADIUS server
To configure the RADIUS server, use the following command:
/cfg/domain/radius
The RADIUS Server menu appears. The RADIUS Server menu includes the following options:
Parameter: insert <index number> <method name>...
  • Page 130: Configuration Of The Client

<index number>, add <client IP address> <shared secret>
Specifies the authentication port. The default value is 1812. Specifies the accounting port. The default value is 1813. Lists the IP addresses of currently configured clients, by index number.
  • Page 131: Configuration Of The Realms

Inserts a client at a particular position in the list of clients in the configuration. • index number—specify the index number.
The RADIUS Realms menu appears. The RADIUS Realms menu includes the following options:
/cfg/domain/radius/realms followed by: list
  • Page 132: Nortel Secure Network Access Switch

<index number> <realm name> <authentication server id>, move <index number> <destination index number>
Removes the specified realms from the current configuration. The index numbers of the remaining entries adjust accordingly. •...
  • Page 133: Configuration Of The Dictionary

<protocol> <server> <filename>, export <protocol> <server> <filename> <vendor id>, view, delete <index number>
Configuration of the dictionary
Sets the default RADIUS attribute configuration. Imports a dictionary from a TFTP/FTP/SCP/SFTP server. • protocol—protocol is the import protocol. Prefer SCP or SFTP here: TFTP and FTP carry the file, and FTP also the login, in the clear.
  • Page 134: Configuration Of The Radius Accounting

Clears all vendor dictionaries. Lists configured vendor dictionaries by index number. Shows the accounting log information for the following: •...
Configuration of the RADIUS authentication methods
To configure the RADIUS authentication methods, use the following command:
/cfg/domain/radius/methods
  • Page 135: Nortel Secure Network Access Switch

The RADIUS Authentication Methods menu includes the following options:
/cfg/domain/radius/methods followed by: list, del <index number>, add <method name>
Lists the authentication methods: 2. proxy 3. acct 4. pap 5. chap 6. mschapv1 7.
Of the password methods shown, PAP protects the password only with the RADIUS shared-secret hiding, and CHAP and MS-CHAPv1 are weak by current standards; where the supplicants allow it, prefer an EAP method that runs inside a TLS tunnel (see the EAP authentication methods below).
  • Page 136: Configuration Of The Eap Authentication Methods

Inserts a method at a particular position in the list. • index number—is the identification...
The EAP Authentication Methods menu appears. The EAP Authentication Methods menu includes the following options:
/cfg/domain/radius/eapmethods followed by: list
  • Page 137: Select The Server Certificate

Removes the specified EAP method from the current configuration. The index numbers of the remaining entries adjust accordingly.
Select the server certificate
To select the server certificate from the list, use the following command:
/cfg/domain/radius/cert
  • Page 138: Select The Ca Certificate

The current server certificate number appears. Specify the server certificate number. The value ranges from 1 to 1500. The certificate number refers to certificates stored in the certificate repository.
Select the CA certificate
This includes the following options:
/cfg/domain/radius/cacert followed by: current value, select the CA certificate
  • Page 139: Configuration Of Microsoft Nap Interoperability

The following roadmap lists the Command Line Interface (CLI) commands to configure Network Access Protection (NAP). Use this list as a quick reference.
Command: /cfg/domain/nap, /cfg/domain/nap/probation, /cfg/domain/nap/moreinfo, /cfg/domain/nap, /cfg/domain/nap/servers
Parameter: autorem ena [<true|false>] dis [<true|false>], date <date> time <time>, troubleshooting URL, pdp <local|remote>...
  • Page 140: Configuration Of Nap Interoperability

Nortel SNAS. If your system does not yet have a Microsoft NPS server in place, you can still deploy clients with NAP support enabled and add a Microsoft NPS server later if desired.
Parameter: insert <position> <ip> <port> <secret>...
  • Page 141: Probation Settings

Configuration of NAP Interoperability
Sets the updates necessary to allow a noncompliant computer to become compliant. Values: true and false. Default: false.
The Probation Settings menu includes the following options:
/cfg/domain/nap/probation followed by: date, time
  • Page 142: Remote Network Policy Servers

<index number> <IPaddr> <port> <shared secret>
Lists the IP addresses of currently configured remote network policy servers, by index number. Removes the specified remote network policy server from the current configuration. The index numbers of the remaining entries adjust accordingly.
  • Page 143: System Health Validators

<index number>, add <vendor ID> <component ID> <module name>
The index number you specify must be in use. The index numbers of existing servers with this index number and higher are incremented by 1.
  • Page 144: Configuration Of Windows System Health Validator

Inserts a system health validator at a particular position in the configuration. • index number—the index number you want the system health validator to have •...
The Windows System Health Validators menu includes the following options:
/cfg/domain/nap/wshv followed by: firewall
  • Page 145: Nortel Secure Network Access Switch

<antivirus> <uptodate>, spyware <antispy> <uptodate>, secupdates <enabled> <severity> <lastsync> <wsus> <winupdate>
Virus Protection. • antivirus—Enables or disables the antivirus check. Values: true and false. Default: false. • uptodate—Specifies whether the antivirus must be up to date or not.
  • Page 146: Nortel Secure Network Access Switch

/cfg/domain/nap/wshv followed by:
This setting is only applicable when Security Updates Protection is "true". Default: important. • lastsync—designates the duration of time allowed to pass since the Windows endpoint was...
  • Page 147: Nortel Secure Network Access Switch

Default: false. Enables or disables automatic updates. Values: on and off. Default: on.
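The wshv options above describe a policy; what they do at enforcement time is compare each setting against the health the NAP client reports. The following is an added example, not Nortel or Microsoft code, written in Python to make that comparison explicit: a policy record shaped like the wshv options, an endpoint health record, an evaluate() function that returns the checks that fail, and an access_decision() that applies the probation date. The field names, the severity ordering, the 22-hour lastsync default and the zone names are assumptions of this example, and the endpoint data used with it is constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Added example (not Nortel code): evaluate a Windows endpoint's reported
# health against a policy shaped like the /cfg/domain/nap/wshv options.
# Field names, the severity ordering, the 22-hour default and the zone
# names are assumptions for illustration; endpoint data is constructed.

# Assumed ranking of Microsoft update severities, lowest to highest.
SEVERITY_RANK = {"low": 0, "moderate": 1, "important": 2, "critical": 3}


@dataclass
class WshvPolicy:
    firewall: bool = False
    antivirus: bool = False
    antivirus_uptodate: bool = False
    antispy: bool = False
    antispy_uptodate: bool = False
    secupdates: bool = False
    severity: str = "important"   # lowest severity that must be installed
    lastsync_hours: int = 22      # max age of the last update-server sync (assumed default)
    autoupdate: bool = True       # "automatic updates" on/off, default on


@dataclass
class EndpointHealth:
    """What the NAP client reports in its statement of health (constructed)."""
    firewall_on: bool
    antivirus_on: bool
    antivirus_current: bool
    antispy_on: bool
    antispy_current: bool
    missing_update_severities: list = field(default_factory=list)
    last_sync: datetime = datetime.min.replace(tzinfo=timezone.utc)
    autoupdate_on: bool = False


def evaluate(policy, health, now):
    """Return the list of policy checks the endpoint fails (empty = compliant)."""
    failures = []
    if policy.firewall and not health.firewall_on:
        failures.append("firewall off")
    if policy.antivirus and not health.antivirus_on:
        failures.append("antivirus off")
    if policy.antivirus and policy.antivirus_uptodate and not health.antivirus_current:
        failures.append("antivirus signatures stale")
    if policy.antispy and not health.antispy_on:
        failures.append("antispyware off")
    if policy.antispy and policy.antispy_uptodate and not health.antispy_current:
        failures.append("antispyware signatures stale")
    if policy.secupdates:
        # Only updates at or above the configured severity floor count as missing.
        floor = SEVERITY_RANK[policy.severity]
        missing = sorted({s for s in health.missing_update_severities
                          if SEVERITY_RANK[s] >= floor})
        if missing:
            failures.append("missing updates: " + ", ".join(missing))
        if now - health.last_sync > timedelta(hours=policy.lastsync_hours):
            failures.append("last update sync too old")
    if policy.autoupdate and not health.autoupdate_on:
        failures.append("automatic updates off")
    return failures


def access_decision(failures, now, probation_until=None):
    """Map the evaluation onto a zone: compliant endpoints pass, noncompliant
    ones are held in probation until the configured date/time, then denied.
    The zone names are illustrative, not the device's own."""
    if not failures:
        return "compliant"
    if probation_until is not None and now < probation_until:
        return "probation"
    return "noncompliant"
```

Two details worth checking against your own policy: the severity floor is a floor, so a "critical" update missing while severity is set to "important" still fails the endpoint, and lastsync is measured against the time of evaluation, so an endpoint that was patched but has not re-synchronised still reads as stale.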
  • Page 149: Configuring Groups And Profiles

“Extended profiles” (page 151). For more information about groups and extended profiles in the Nortel SNAS, see Nortel Secure Network Access Solution Guide (NN47230-200).
  • Page 150: Groups

Nortel SNAS, the Nortel SNAS will map the user to the default group. To create a default group, see “Creating a default group” (page
  • Page 151: Linksets

You can define up to 63 extended profiles for each group. In Nortel Secure Network Access Switch Software Release 1.6.1, the data for an extended profile includes the following configurable parameters: •...
  • Page 152: Before You Begin

Group names defined on the Nortel SNAS must correspond to group names used by the authentication services. "Group names in the Nortel SNAS and authentication services" (page 153) summarizes the requirements for the various authentication methods.
--End--
  • Page 153: Configuring Groups And Extended Profiles

Configuring groups and extended profiles
Use this list as a quick reference or click on any entry for more information:
Group name on the Nortel SNAS must correspond to...
  • Page 154: Nortel Secure Network Access Switch

Command: /cfg/domain #/aaa/filter <filter ID>, /cfg/domain #/aaa/group <group ID | group name>/extend [<profile ID>], /cfg/domain #/aaa/group #/linkset, /cfg/domain #/aaa/group #/extend #/linkset
Parameter: name <name>, restrict, srs <SRS rule name>, agentmode <runonce | continuous | never>...
  • Page 155: Nortel Secure Network Access Switch

Command: /cfg/domain #/aaa/group #/sessionttl, /cfg/domain #/aaa/group #/locations, /cfg/domain #/aaa/group #/radattr/, /cfg/domain #/aaa/group #/cachepass, /cfg/domain #/aaa/group #/syscredent, /cfg/domain #/aaa/defgroup <group name>
Parameter: insert <index number> <linkset name>, move <index number> <new index number>...
  • Page 156: Configuring Groups

If you ran the quick setup wizard during initial setup, a group called nhauser is created with group ID = 1. The Group menu includes the following options:
Table 22 "Group names in the Nortel SNAS and authentication services" (page 153).
  • Page 157: Nortel Secure Network Access Switch

<name>, restrict, extend <profile ID>
Names or renames the group. After you have defined a name for the group, you can use either the group name or the group ID to access the Group menu.
  • Page 158: Nortel Secure Network Access Switch

<SRS rule name>, mactrust <bypass | none>
Specifies the preconfigured Nortel Health Agent SRS rule to apply to the group. For information about configuring the SRS rules using the SREM, see Nortel Secure Network Access Switch 4050 User Guide for the SREM (NN47230-101).
  • Page 159: Nortel Secure Network Access Switch

<continuous | runonce | never>, macreg <true | false>
Establishes the Nortel Health Agent monitoring mode. Select continuous for cyclic monitoring of the endpoint by Nortel Health Agent. The user must keep the initial browser window open for the duration of the session.
  • Page 160: Nortel Secure Network Access Switch

<filter-only | vlan-filter>, admrights <user> <passwd> <action> <reset>
Establishes the enforcement type for NSNA network access devices, that is, devices that support SSCP. filter-only indicates that Red, Yellow, and Green enforcement zones are specified by filters within the Red VLAN.
  • Page 161: Nortel Secure Network Access Switch

/cfg/domain #/aaa/group <group ID> command and commands on the Group menu. Figure 5 Group menu commands
User access to the network is denied when the administrative rights parameter is active and the username/password configuration is invalid.
  • Page 162: Configuring Client Filters

When you first create the filter, you are prompted to enter the client filter name. The Client Filter menu appears.
cachepass: true|false. Sets the system username. Sets the system password. Sets the system's previous username.
  • Page 163: Nortel Secure Network Access Switch

<name>, true|false|ignore, comment <comment>
Names or renames the filter. After you have defined a name for the filter, you can use either the filter name or the filter ID to access the Client Filter menu.
  • Page 164: Configuring Extended Profiles

You can later change the VLAN assignment for the profile by using the vlan command on the Extended Profile menu.
  • Page 165: Nortel Secure Network Access Switch

Figure 7 "Extended Profile menu commands" (page 166) shows the output for the /cfg/domain #/aaa/group <group ID>/extend command and commands on the Extended Profile menu.
Specifies the predefined client filter that determines whether the Nortel SNAS will apply this extended profile to the user.
  • Page 166: Creating Radius Attributes To A Group

<vendor> <id> <value>, del <index>, add <vendor> <id> <value>
Lists the currently configured RADIUS attributes by index number. Removes the RADIUS attribute entry represented by the specified index number. The index numbers of the remaining entries adjust accordingly.
  • Page 167: Mapping Linksets To A Group Or Profile

Inserts a RADIUS attribute at a particular position in the list.
You can tailor the portal page for different users by mapping preconfigured linksets to groups and extended profiles. For more information about linksets, see
  • Page 168: Nortel Secure Network Access Switch

Figure 9 "Linksets menu commands" (page 169) shows the output for the /cfg/domain #/aaa/group <group ID>/linkset command and commands on the Linksets menu.
Lists the currently configured linksets by index number. Removes the linkset entry represented by the specified index number.
  • Page 169: Creating A Default Group

VLAN (see “Configuring groups” (page 156) and “Configuring extended profiles” (page 164)). Then use the following command to make this group the default group:
/cfg/domain #/aaa/defgroup <group name>
  • Page 171: Configuring Authentication

Lightweight Directory Access Protocol (LDAP) • local databases on the Nortel SNAS — local portal database — local MAC database
  • Page 172: Before You Begin

For external authentication servers, create or modify settings on the external server as required.
a. A FreeRADIUS server may require specific settings in the
b. A Steel-Belted RADIUS server requires specific settings in the
(see “Configuring authentication methods” (page 83))
  • Page 173: Nortel Secure Network Access Switch

An MS IAS RADIUS server may require vendor parameters to be configured on the Microsoft Management Console (MMC).
To configure external authentication, you require the following information about the authentication server configuration:
a. RADIUS servers: • server IP address •...
b. LDAP servers:
  • Page 174: Configuring Authentication

Nortel SNAS domain. Use this list as a quick reference or click on any entry for more information:
Table 31 Roadmap of CLI commands
Command: /cfg/domain #/aaa/auth <auth ID>
Parameter: type radius | ldap | local, name <name>, display...
--End--
  • Page 175: Nortel Secure Network Access Switch

Command: /cfg/domain #/aaa/auth #/radius, /cfg/domain #/aaa/auth #/radius/servers, /cfg/domain #/aaa/auth #/radius/sessiontim, /cfg/domain #/aaa/auth #/ldap, /cfg/domain #/aaa/auth #/ldap/servers
Parameter: groupauth <auth IDs>, secondauth <auth ID>, vendorid <vendor ID>, vendortype <vendor type>, domainid <domain ID>, domaintype <domain type>...
  • Page 176: Nortel Secure Network Access Switch

Command: /cfg/domain #/aaa/auth #/ldap/activedire, /cfg/domain #/aaa/auth #/ldap/adv, /cfg/domain #/aaa/auth #/local, /cfg/domain #/aaa/auth #/local/radattr, /cfg/domain #/aaa/macdb
Parameter: add <IPaddr> <port>, insert <index number> <IPaddr>, move <index number> <new index number>, list, del <index number>...
  • Page 177: Configuring Authentication Methods

Table 32 Configuring Authentication
/cfg/domain #/aaa/auth <auth ID> followed by: type radius|ldap|ntlm|siteminder|cleartrust|cert|rsa|local
Parameter: export <protocol> <server> <filename>, clear
Sets the authentication mechanism. ATTENTION: The selected authentication type determines which submenu options are displayed.
  • Page 178: Nortel Secure Network Access Switch

<name>, display radius|ldap|local
Names or renames the method. After you have defined a name for the method, you can use either the method name or the auth ID to access the Authentication menu.
  • Page 179: Configuring Advanced Settings

/cfg/domain #/aaa/auth #/adv followed by: groupauth <auth IDs>, secondauth <auth ID>
Specifies one or more preconfigured LDAP or Local database authentication schemes (not including the current one) that will be used to retrieve the user’s group information after the user has been authenticated.
  • Page 180: Configuring Radius Authentication

• “Modifying RADIUS configuration settings” (page 182) • “Managing RADIUS authentication servers” (page 184) • “Configuring session timeout” (page 186)
servers in cases where the first authentication method is token based or uses client certificate authentication. ATTENTION: Not supported in Nortel Secure Network Access Switch Software Release 1.6.1.
  • Page 181: Nortel Secure Network Access Switch

Vendor-Type value used in combination with the Vendor-Id to identify the domain. The default is 3.
“Modifying RADIUS configuration settings” (page 156)). The default is 1.
  • Page 182: Nortel Secure Network Access Switch

To modify settings for the specific RADIUS configuration, use the following command:
/cfg/domain #/aaa/auth #/radius
The RADIUS menu appears. The RADIUS menu includes the following options:
(see “Configuring authentication methods” (page 177))
  • Page 183: Nortel Secure Network Access Switch

<vendor ID>, vendortype <vendor type>, domainid <domain ID>
Accesses the RADIUS servers menu, in order to manage the external RADIUS servers configured for the domain (see “Managing RADIUS authentication servers” (page 184)). Specifies the vendor-specific attribute used by the RADIUS server to send group names to the Nortel SNAS.
  • Page 184: Nortel Secure Network Access Switch

RADIUS configuration is included in the authentication order you have specified for the Nortel SNAS domain (see authentication fallback order” (page
Specifies the Vendor-Type value used in combination with the Vendor-Id to identify the domain.
  • Page 185: Nortel Secure Network Access Switch

<index number>, add <IPaddr> <port> <shared secret>
Lists the IP address, port, and shared secret of currently configured RADIUS authentication servers, by index number. Because list prints the shared secret, treat CLI session transcripts and configuration exports as sensitive. Removes the specified RADIUS authentication server from the current configuration. The index numbers of the remaining entries adjust accordingly.
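Behind the shared secret, Vendor-Id, Vendor-Type and domain ID settings above (and the matching settings under /cfg/domain #/aaa/radacct/domainattr) sits the RFC 2865 wire format. The following is an added example, not code from the Nortel manual or the device, in Python: it builds the Access-Request a NAS sends (with the User-Password hidden under the shared secret), builds the Access-Accept a server would answer with, verifies the Response Authenticator, and extracts group names from Vendor-Specific attributes that match a configured Vendor-Id and Vendor-Type. The vendor id 562 is the IANA enterprise number registered to Nortel Networks; the page does not say the device defaults to it, and the encoding of the domain ID value is likewise an assumption here. The packets it builds are constructed test data.

```python
import hashlib
import hmac
import os
import struct

# Added example, not Nortel code: RFC 2865 framing for the settings above.
# NORTEL_VENDOR_ID (IANA enterprise 562) and the domain value encoding are
# assumptions; the page does not state the device's defaults.
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, VENDOR_SPECIFIC = 1, 2, 4, 26
NORTEL_VENDOR_ID = 562


def attribute(attr_type, value):
    """One TLV: Type, Length (header included), Value; at most 253 value bytes."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def vendor_specific(vendor_id, vendor_type, value):
    """Vendor-Specific (26): 4-byte Vendor-Id followed by a nested TLV whose
    type is the Vendor-Type; this is the pair vendorid/vendortype select."""
    return attribute(VENDOR_SPECIFIC,
                     struct.pack("!I", vendor_id) + attribute(vendor_type, value))


def hide_password(password, secret, authenticator):
    """User-Password hiding (RFC 2865 5.2): XOR each 16-byte block with
    MD5(secret || previous block). Obfuscation keyed by the shared secret,
    not encryption, which is why the secret and the network path matter."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password, as the RADIUS server applies it."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def parse_attributes(data):
    """Yield (type, value) pairs, rejecting truncated or zero-length TLVs."""
    i = 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute list")
        yield data[i], data[i + 2:i + data[i + 1]]
        i += data[i + 1]


def access_request(ident, secret, username, password, nas_ip,
                   vendor_id, vendor_type, domain_id, authenticator=None):
    """The Access-Request a NAS sends. The Request Authenticator must be
    fresh random bytes because it keys the password hiding."""
    ra = authenticator or os.urandom(16)
    attrs = (attribute(USER_NAME, username.encode())
             + attribute(USER_PASSWORD, hide_password(password.encode(), secret, ra))
             + attribute(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + vendor_specific(vendor_id, vendor_type, str(domain_id).encode()))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + ra + attrs


def access_accept(ident, secret, request_authenticator, attrs):
    """The server's reply; the Response Authenticator (RFC 2865 section 3)
    binds it to the request and to the shared secret."""
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + resp_auth + attrs


def groups_from_accept(packet, secret, request_authenticator, vendor_id, vendor_type):
    """Verify the reply, then return group names carried in VSAs that match
    the configured Vendor-Id and Vendor-Type; None if it does not verify."""
    if len(packet) < 20:
        return None
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet):
        return None
    attrs = packet[20:]
    expected = hashlib.md5(packet[:4] + request_authenticator + attrs + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        return None  # wrong secret, replayed against another request, or tampered
    groups = []
    for attr_type, value in parse_attributes(attrs):
        if attr_type != VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != vendor_id:
            continue
        for sub_type, sub_value in parse_attributes(value[4:]):
            if sub_type == vendor_type:
                groups.append(sub_value.decode("utf-8", "replace"))
    return groups
```

The verification step is the one that matters operationally: an Access-Accept whose Response Authenticator does not check out under the configured shared secret must be dropped, otherwise anyone who can inject UDP towards the NAS can hand a user any group they like. It is also why a short or reused shared secret undermines every method listed under the RADIUS authentication methods, PAP most directly.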
  • Page 186: Nortel Secure Network Access Switch

Inserts a server at a particular position in the list of RADIUS authentication servers in the configuration.
/cfg/domain #/aaa/auth #/radius/sessiontim
The Session Timeout menu appears. The Session Timeout menu includes the following options:
  • Page 187: Configuring Ldap Authentication

Specifies the vendor-specific attribute used by the RADIUS server to send a session timeout value to the Nortel SNAS. The default Vendor-Id is 0.
• “Managing LDAP macros” (page 195) • “Managing Active Directory passwords” (page 198)
  • Page 188: Nortel Secure Network Access Switch

An account must be created on the LDAP server to enable the Nortel SNAS to do the bind search in the directory structure. Give this account read-only rights limited to the user and group search bases, since its password is held in the SNAS configuration.
“Configuring authentication methods” “Modifying LDAP configuration settings” (page
  • Page 189: Nortel Secure Network Access Switch

Authentication menu commands — LDAP
Modifying LDAP configuration settings
To modify settings for the authentication method itself, see “Configuring authentication methods” (page 177).
  • Page 190: Nortel Secure Network Access Switch

<names>, userattr <names>
Accesses the LDAP servers menu, in order to manage the external LDAP servers configured for the domain (see LDAP authentication servers” (page
Sets the search base entry.
  • Page 191: Nortel Secure Network Access Switch

<DN>, isdbindpas <password>, ldapmacro, enaldaps true|false
login name is bill. If the user attribute is defined as sAMAccountName, the user record for Bill Smith will be found. The isdbinddn and isdbindpas...
  • Page 192: Nortel Secure Network Access Switch

/cfg/domain #/aaa/auth #/ldap followed by: ldapscert, enauserpre true|false, enacutdomain true|false, timeout <interval>, activedire
Specifies the certificate number. Enables or disables storage of user preferences in an external LDAP/Active Directory database. • true—storage and retrieval of user preferences is enabled.
  • Page 193: Nortel Secure Network Access Switch

    To manage the LDAP servers used for client authentication in the domain, use the following command: /cfg/domain #/aaa/auth #/ldap/servers The LDAP servers menu appears.
    Enables the short group format. Configures the NVG to extract the first part of a returned Distinguished Name (DN) as the group name to be used.
  • Page 194: Nortel Secure Network Access Switch

    <index number> add <IPaddr> <port> insert <index number> <IPaddr>
    Lists the IP address and port of currently configured LDAP servers, by index number. Removes the specified LDAP server from the current configuration. The index numbers of the remaining entries adjust accordingly.
  • Page 195: Nortel Secure Network Access Switch

    Managing LDAP macros /cfg/domain #/aaa/auth #/ldap/ldapmacro followed by: list
    The index number you specify must be in use. The index numbers of existing servers with this index number and higher are incremented by 1. Moves a server up or down the list of LDAP servers in the configuration.
  • Page 196: Nortel Secure Network Access Switch

    <LDAP attribute> [<prefix>] [<suffix>] insert <index number> <variable name>
    Removes the specified LDAP macro from the current configuration. The index numbers of the remaining entries adjust accordingly. To view the index numbers of all configured LDAP macros, use the list command.
  • Page 197: Nortel Secure Network Access Switch

    #/aaa/auth #/ldap/groupsearch followed by: groupbase <group searchbase entry>
    The index number you specify must be in use. The index numbers of existing macros with this index number and higher are incremented by 1. Moves a macro up or down the list of macros in the configuration.
  • Page 198: Nortel Secure Network Access Switch

    /cfg/domain #/aaa/auth #/ldap/activedire The Active Directory Settings menu appears. The Active Directory Settings menu includes the following options:
    Defines the LDAP attribute that has the group member’s name. The default value is uniqueMember.
  • Page 199: Nortel Secure Network Access Switch

    To configure the advanced settings, use the following commands:
    Specifies whether the system will perform a password-expired check.
  • Page 200: Configuring Local Database Authentication

    ...(page 202). “Managing the local portal database” (page... Modify settings for the authentication method itself, if desired (see...
    Enables the extra search filter. • true—The search filter is enabled. Specify the desired attribute/value using the commands below.
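    The three LDAP string-handling steps this chapter describes (looking the user up by the configured user attribute such as sAMAccountName, page 191; the short group format that takes the first part of a returned DN as the group name, page 193; and the extra search filter, page 200) all hinge on how the login name and the DN are handled as text. The following is an added example, not code from the manual or from the Nortel SNAS: it escapes the login and extra-filter values per RFC 4515 before they are spliced into the filter, and it extracts the first RDN value from a DN while honouring RFC 4514 escapes. The function names, the sample login "*)(objectClass=*", and the DNs are this example's own constructions.

```python
"""Added example (not Nortel's code): the two LDAP string-handling steps behind the
bind-search described above, namely building the user search filter safely and
extracting the short group name from a returned DN."""
from typing import List, Optional, Tuple

# RFC 4515 escape table: these characters change the meaning of a search filter,
# so a login name or extra-filter value must be escaped before it is spliced in.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape one assertion value for use inside an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(userattr: str, login: str,
                      extra: Optional[Tuple[str, str]] = None) -> str:
    """Build the filter the bind search would send for a portal login.

    userattr is the configured user attribute (for example sAMAccountName);
    extra is an optional (attribute, value) pair modelling the page's
    'extra search filter'. Both values are escaped so that a login such as
    '*)(objectClass=*' cannot widen the search to every object.
    """
    clauses = [f"({userattr}={escape_filter_value(login)})"]
    if extra is not None:
        attr, val = extra
        clauses.append(f"({attr}={escape_filter_value(val)})")
    if len(clauses) == 1:
        return clauses[0]
    return "(&" + "".join(clauses) + ")"


def split_dn(dn: str) -> List[str]:
    """Split a DN into its RDN strings, honouring backslash escapes (RFC 4514)."""
    parts: List[str] = []
    buf: List[str] = []
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):   # escaped char or hex pair: keep both
            buf.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":                        # an unescaped comma ends the RDN
            parts.append("".join(buf))
            buf = []
            i += 1
            continue
        buf.append(ch)
        i += 1
    parts.append("".join(buf))
    return parts


def unescape_rdn_value(raw: str) -> str:
    """Undo RFC 4514 escaping in an attribute value: '\\,' -> ',' and '\\2c' -> ','.

    Hex pairs are decoded one byte at a time (ASCII/latin-1), which is enough
    for the group names this example handles.
    """
    out: List[str] = []
    i = 0
    while i < len(raw):
        if raw[i] == "\\" and i + 1 < len(raw):
            pair = raw[i + 1:i + 3]
            if len(pair) == 2 and all(c in "0123456789abcdefABCDEF" for c in pair):
                out.append(bytes.fromhex(pair).decode("latin-1"))
                i += 3
                continue
            out.append(raw[i + 1])
            i += 2
            continue
        out.append(raw[i])
        i += 1
    return "".join(out)


def short_group_name(dn: str) -> str:
    """Return the value of the first RDN of a group DN.

    This is what the short group format does: cn=Sales,ou=Groups,dc=example,dc=com
    yields 'Sales'. Escaped commas inside the value are preserved, so a group
    name containing a comma is not truncated at the wrong place.
    """
    first = split_dn(dn)[0].strip()
    attr, sep, value = first.partition("=")
    if not sep or not attr.strip():
        raise ValueError(f"not an RDN: {first!r}")
    return unescape_rdn_value(value.strip())
```

    The escaping matters because the portal login name is attacker-supplied text: without it, a login of "*)(objectClass=*" turns a lookup for one user into a filter that matches any object under the search base.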
  • Page 201: Nortel Secure Network Access Switch

    However, if you want the user name in the local database to mirror the Windows login name, observe Windows username conventions (for example, keep the length to no more than 32 characters).
    ...(page 209)). --End-- “Managing the local portal database” (page 202)).
  • Page 202: Nortel Secure Network Access Switch

    Authentication menu commands—local database. Managing the local portal database. The local portal database provides a repository for usernames and passwords.
  • Page 203: Nortel Secure Network Access Switch

    Table 43 Managing the local portal database /cfg/domain #/aaa/auth #/local followed by: add <user name> <password> <group>
    ...(page 179). Adds a user to the local authentication database. You are prompted for the following information: •...
  • Page 204: Nortel Secure Network Access Switch

    <desired group> radattr <add> <list> <del> del <user name> list
    ...prompted for the user name and password you define for the database. • password—the password that applies to the user you specified. To use the local...
  • Page 205: Nortel Secure Network Access Switch

    Table 43 Managing the local portal database (cont’d.) import <protocol> <server> <filename> <key>
    Imports a database from the specified TFTP/FTP/SCP/SFTP file exchange server. You are prompted to provide the following information: • protocol is the import protocol. Options are tftp|ftp|scp|sftp. Because the database holds user credentials, prefer scp or sftp: tftp and ftp carry both the file and any server login in cleartext.
  • Page 206: Nortel Secure Network Access Switch

    The local MAC database provides a repository for MAC addresses. There is no design limit on the number of addresses the database can hold, and a database of up to 10,000 addresses has been verified.
    Exports the local database to the specified TFTP/FTP/SCP/SFTP file exchange server.
  • Page 207: Nortel Secure Network Access Switch

    • comments—any ASCII string, up to 80 characters; optional
    ...PC: when the host is a computer... (examples: a printer, a video camera); it is recommended that...
  • Page 208: Nortel Secure Network Access Switch

    PC. You must be a member of a group for which macreg is set to True (/cfg/domain #/aaa/group #/macreg). To add or modify a MAC address, perform the following steps:
  • Page 209: Specifying Authentication Fallback Order

    /cfg/domain #/aaa/authorder <auth ID>[,<auth ID>] When prompted, enter the authentication method IDs in the order in which you want the methods applied. Use a comma to separate the entries. --End--
  • Page 210: Nortel Secure Network Access Switch

    RADIUS server. Figure 13 "Authentication order command" (page 210) shows the required command. Figure 13 Authentication order command
  • Page 211: Managing System Users And Groups

    For more information about default user groups and related access levels, see (page 381). “Accessing the Nortel SNAS cluster” (page 212). When a user is a member of... “Accessing the Nortel SNAS cluster”...
  • Page 212: Managing System Users And Groups

    The following roadmap lists all the CLI commands to configure and manage system users for the Nortel SNAS cluster. Use this list as a quick reference or click on any entry for more information:
    Rights System...
  • Page 213: Managing User Accounts And Passwords

    Managing user accounts and passwords /cfg/sys/user followed by: password <old password> <new password> <confirm new password> expire <time> list del <username>...
  • Page 214: Nortel Secure Network Access Switch

    <time> list del <username>
    Sets an expiration time for system user passwords. The time applies to all system users. The counter starts from when the password was last set. The first time the system user logs on after the specified time has expired, the user is prompted for a new password.
  • Page 215: Nortel Secure Network Access Switch

    <username> edit <username> caphrase
    Adds a user account to the system. The maximum length of the user name is 255 characters. No spaces are allowed.
  • Page 216: Managing User Settings

    <user password> <confirm user password> groups
    ATTENTION The caphrase menu command is displayed only when the logged on user is a member of the certadmin group. Sets the login password for the specified user.
  • Page 217: Managing User Groups

    <group index> add admin|oper|certadm
    Lists all groups to which the user is currently assigned, by group index number. Removes the user from the specified group.
  • Page 218: Cli Configuration Examples

    - Edit a user caphrase - Certadmin export passphrase >> User# Add the new user and designate a user name.
  • Page 219: Nortel Secure Network Access Switch

    When successfully logged on, the user can change his or her own password. The login password is case sensitive and can contain spaces.
    oper admin...
  • Page 220: Nortel Secure Network Access Switch

    >> User cert_admin# ../caphrase Enter new passphrase: Re-enter to confirm: Passphrase changed.
    ...Step 9), a Certificate Administrator export passphrase...
  • Page 221: Nortel Secure Network Access Switch

    "granting" user is already a member. The admin user, who by default is a member of all three groups (admin, oper, and certadmin), can therefore add users to any of these groups.
    1: admin...
  • Page 222: Nortel Secure Network Access Switch

    Verify and apply the changes.
  • Page 223: Nortel Secure Network Access Switch

    Type the passwd command to change your current password. When your own password is changed, the change takes effect immediately without having to use the apply command.
    1: admin...
  • Page 224: Nortel Secure Network Access Switch

    Specify the user name of the user whose password you want to change. >> User# edit Name of user to edit: cert_admin Type the password command to initialize the password change. --End--
  • Page 225: Nortel Secure Network Access Switch

    - Edit a user >> User# Specify the user name of the user you want to remove from the system configuration. --End--
  • Page 226: Nortel Secure Network Access Switch

    The imminent removal of the cert_admin user is indicated as a pending configuration change by the minus sign (-). To cancel a configuration change that has not yet been applied, use the revert command. >> User# list root admin oper -cert_admin >> User# apply --End--...
  • Page 227: Customizing The Portal And User Logon

    — “Portal look and feel” (page 230)
    — “Language localization” (page 233)
    — “Linksets and links” (page 234)
  • Page 228: Captive Portal And Exclude List

    By default, the captive portal Exclude List includes the following: • windowsupdate This will match all automatic Windows update domain names used by browsers, for example: ... “Configuring the... (page 240).
  • Page 229: Nortel Secure Network Access Switch

    String Expressions and Usage (page 240):
    Matches the non-metacharacter c.
    Matches the literal character c (see escape sequence).
    Matches any character.
    Matches the beginning of a string.
    Matches the end of a string.
    [abc...]
    [^abc...]
    r1|r2
    r1r2
    Escape sequences
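    Because Exclude List entries are string expressions with "any character", "beginning of string" and "end of string" metacharacters, an unanchored entry such as the default windowsupdate matches wherever the keyword appears in a DNS name, which is wider than the Microsoft update hosts it is meant to cover. The following is an added example, not code from the manual or the Nortel SNAS, that audits a list against sample names. It assumes the expression syntax behaves like Python's re module for the constructs the table lists; the sample host names and the "tight" entries are this example's own constructions.

```python
"""Added example (not Nortel's code): check what a captive-portal Exclude List
really lets through, modelling each entry as an unanchored, case-insensitive
regular expression. The expression syntax is assumed to behave like Python's
re module for the constructs the manual lists (literals, '.', '^', '$',
bracket classes, alternation, escapes)."""
import re
from typing import Dict, List, Pattern


def compile_exclude_list(entries: List[str]) -> List[Pattern]:
    """Compile every Exclude List entry; a bad expression fails here, not at lookup time."""
    return [re.compile(entry, re.IGNORECASE) for entry in entries]


def normalise_hostname(hostname: str) -> str:
    """DNS names are case-insensitive and may carry a trailing dot; fold both."""
    return hostname.strip().rstrip(".").lower()


def is_excluded(hostname: str, patterns: List[Pattern]) -> bool:
    """True if any entry matches anywhere in the host name (search, not full match)."""
    name = normalise_hostname(hostname)
    return any(p.search(name) for p in patterns)


def audit_exclude_list(entries: List[str], hostnames: List[str]) -> Dict[str, bool]:
    """Map each sample host name to whether the list would bypass the captive portal for it."""
    patterns = compile_exclude_list(entries)
    return {h: is_excluded(h, patterns) for h in hostnames}


# Constructed sample host names (not from the manual or from any real traffic).
SAMPLE_HOSTS = [
    "download.windowsupdate.com",
    "Windowsupdate.com.",
    "windowsupdate.attacker.example",   # attacker-chosen name containing the bare keyword
    "downloadXwindowsupdate.com",       # shows why '.' must be written as '\.'
    "www.example.com",
]

# The manual's default entry: a bare keyword, so it matches as a substring.
DEFAULT_LIST = ["windowsupdate"]

# Anchored, escaped entries (assumed syntax): only the real zone and its subdomains.
TIGHT_LIST = [r"^windowsupdate\.com$", r"\.windowsupdate\.com$"]


if __name__ == "__main__":
    for label, entries in (("default", DEFAULT_LIST), ("tight", TIGHT_LIST)):
        print(label)
        for host, excluded in audit_exclude_list(entries, SAMPLE_HOSTS).items():
            print(f"  {host:35} {'bypasses portal' if excluded else 'captured'}")
```

    Run as a script it prints, for each list, which sample names would skip the portal. The point to take from it: an entry that bypasses the captive portal is a hole in it, so entries should be anchored with ^ and $ and have their dots escaped, and the list should be reviewed against names an attacker could register.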
  • Page 230: Portal Display

    • “Colors” (page 231) For information about the commands to configure the portal look and feel, see “Configuring the portal display” (page... “Default appearance tab” (page 231)
    Escape sequences: carriage return, escape, vertical tab, space, delete, the octal value ddd...
  • Page 231: Nortel Secure Network Access Switch

    • aqua • apple • jeans • cinnamon • candy
  • Page 232: Nortel Secure Network Access Switch

    Dark blue, Navy, Light skyblue, Medium blue, Dark red. For the commands to configure the colors used on the portal, see “Changing the portal colors” (page...
    Hexadecimal code: FFFFFF 000000 A9A9A9 D3D3D3 FF0000 008000...
  • Page 233: Nortel Secure Network Access Switch

    a Open the file with a text editor such as Notepad. b Verify that the charset parameter specified in the... c Translate the entries displayed under msgstr (message... “Automatic redirection to internal sites” (page 242)).
  • Page 234: Nortel Secure Network Access Switch

    If the autorun linkset includes multiple links, multiple browser windows will open. For information about configuring autorun, see...
    ATTENTION Do not translate the entries under msgid (message id).
  • Page 235: Nortel Secure Network Access Switch

    • <var:group>—expands to the name of the group of which the currently logged in client is a member
    ...(page 236)). The linkset feature allows more granular control of... (page 167)). “Configuring links” (page...
  • Page 236: Nortel Secure Network Access Switch

    Redirect the client to a password-protected site. ATTENTION The user name and password on the intranet site and the portal must be identical.
    “Configuring the portal display” (page... Redirection URL or link text: Redirection URL: https://nsnas.example.com/http/inside.example...
  • Page 237: Managing The End User Experience

    Create the plugins.html file, with a link to the JRE installer that you want. Download the JRE installer from the Sun Microsystems Java web site (http://www.java.com).
    Redirection URL or link text: Linktext (static text) entry: <script>if ("<var:group>" == "deptA") { location.replace...
  • Page 238: Customizing The Portal And Logon

    Use this list as a quick reference or click on any entry for more information. Command: /cfg/domain #/dnscapt; /cfg/domain #/dnscapt/exclude; /cfg/lang. Parameter: list; del <index name>... --End-- For information about the... “Using a Windows domain logon... (page 250).
  • Page 239: Nortel Secure Network Access Switch

    /cfg/domain #/portal/lang /cfg/domain #/portal /cfg/domain #/portal/colors /cfg/domain #/portal/content /cfg/domain #/linkset <linkset ID> /cfg/domain #/linkset <linkset ID>/link <index>
    Parameter: del <code> setlang <code> charset list import <protocol> <server> <filename>...
  • Page 240: Configuring The Captive Portal

    To create and manage the Exclude List, use the following command: /cfg/domain #/dnscapt/exclude The DNS Exclude menu appears. The DNS Exclude menu includes the following options:
    Parameter type external | ftp. Accesses the DNS Exclude menu, in order to configure the Exclude List (see “Configuring the Exclude List”...
  • Page 241: Changing The Portal Language

    Translate the language definition template file (see “Language localization” (page 233)). Import the translated language definition file (see ...language support” (page...
    Lists the currently configured Exclude List entries by index number. Removes the Exclude List entry represented by the specified index number.
  • Page 242: Nortel Secure Network Access Switch

    The Language Support menu appears. The Language Support menu includes the following options: /cfg/lang followed by: import <protocol> <server> <filename> <code>
    ...(page 243)). --End-- Imports a ready-to-use language definition file from the specified TFTP/FTP/SCP/SFTP file exchange server.
  • Page 243: Nortel Secure Network Access Switch

    /cfg/domain #/portal/lang The Portal Language menu appears. The Portal Language menu includes the following options:
    Exports the language definition template to the specified TFTP/FTP/SCP/SFTP file exchange server.
  • Page 244: Configuring The Portal Display

    The Portal menu includes the following options: /cfg/domain #/portal followed by: import <protocol> <server> <filename>
    Specifies the language to be used for the portal display. • code is the ISO 639 language code to...
  • Page 245: Nortel Secure Network Access Switch

    /cfg/domain #/portal followed by: restore banner redirect <URL>
    When the download is complete and you apply the changes, the new image replaces the existing banner image on the portal web page.
  • Page 246: Nortel Secure Network Access Switch

    /cfg/domain #/portal followed by: logintext <text> iconmode clean|fancy
    To remove redirection, replace the previously specified URL with an empty string by pressing Enter at the URL prompt.
  • Page 247: Nortel Secure Network Access Switch

    <text> linkurl on|off linkcols <columns>
    Specifies static text to be displayed above the group links on the portal Home tab. The static text is the same for all clients, but the links themselves may change, depending on the client’s group membership.
  • Page 248: Nortel Secure Network Access Switch

    Sets the width of the link table on the portal Home tab. The link table is aligned to the left of the white area of the Home tab. The options for the table width are: •...
  • Page 249: Changing The Portal Colors

    The Portal Colors menu includes the following options: /cfg/domain #/portal/colors followed by: color1 <code> color2 <code> color3 <code>
    The default value is on. Specifies the color for the large background area below the tabs. •...
  • Page 250: Configuring Custom Content

    The Portal Custom Content menu includes the following options: /cfg/domain #/portal/content followed by: import <protocol> <server> <filename>
    Specifies the color for non-active tabs. • code is the hexadecimal value for the color, including the # symbol (not case sensitive). The default value is #58B2C9.
  • Page 251: Configuring Linksets

    If you ran the quick setup wizard during initial setup, two linksets have been created: nha_passed (linkset ID = 1) and nha_failed (linkset ID = 2). The linksets are empty.
    Exports a content file (in ZIP format)...
  • Page 252: Nortel Secure Network Access Switch

    /cfg/domain #/linkset <linkset ID> followed by: name <name> text <text>
    Names or renames the linkset. After you have defined a name for the linkset, you can use either the linkset name or the linkset ID to access the Linkset menu.
  • Page 253: Configuring Links

    You must enter the index for the new link. You will then be prompted to enter the following parameters:
    Specifies whether autorun support is enabled or disabled.
  • Page 254: Nortel Secure Network Access Switch

    /cfg/domain #/linkset <linkset ID>/link <index> followed by: move <new index> text <text>
    Moves the link to a new position in the linkset. The index numbers of existing link entries with this index number and higher are incremented by 1.
  • Page 255: Nortel Secure Network Access Switch

    To launch the wizard to configure settings for a link to an external web page, use the following command: /cfg/domain #/linkset <linkset ID>/link <index>/external/quick
    Specifies the type of link. The options are: •...
  • Page 256: Nortel Secure Network Access Switch

    • path—the path on the web server. You must specify a path. A single slash (/) indicates the web server document root.
  • Page 257: Configuring System Settings

    ...SNAS host Real IP address (RIP) in order to configure the system. Configuring the cluster: To configure the cluster, access the System menu by using the following command:
  • Page 258: Roadmap Of System Commands

    The following roadmap lists the CLI commands to configure cluster-wide parameters and the Nortel SNAS host within the cluster. Use this list as a quick reference or click on any entry for more information:
    “Configuring system settings” (page 264)) “Configuring static routes”...
  • Page 259: Nortel Secure Network Access Switch

    Command: /cfg/sys/host <host ID>/interface <interface ID>; /cfg/sys/routes; /cfg/sys/host <host ID>/routes; /cfg/sys/host #/interface <interface ID>/routes; /cfg/sys/host #/port <port>; /cfg/sys/host #/interface <interface ID>/ports
    Parameter: mip <IPaddr> distrace ip <IPaddr> sysName <name> sysLocatio <location> license <key> gateway <IPaddr>...
  • Page 260: Nortel Secure Network Access Switch

    Command: /cfg/sys/accesslist; /cfg/sys/time; /cfg/sys/time/ntp; /cfg/sys/dns; /cfg/sys/dns/servers; /cfg/sys/rsa; /cfg/sys/syslog
    Parameter: add <port> list del <index number> add <IPaddr> <mask> date <date> time <time> tzone list del <index number> add <IPaddr> cachesize <entries>...
  • Page 261: Nortel Secure Network Access Switch

    Command: /cfg/sys/adm; /cfg/sys/adm/srsadmin; /cfg/sys/adm/sshkeys; /cfg/sys/adm/sshkeys/knownhosts; /cfg/sys/adm/audit; /cfg/sys/adm/audit/servers; /cfg/sys/adm/auth; /cfg/sys/adm/auth/servers; /cfg/sys/adm/abl
    Parameter: sonmp on | off clitimeout <interval> telnet on | off ssh on | off redist yes | no port <port> generate show list del <index number>...
  • Page 262: Configuring System Settings

    /cfg/sys/adm/abl/hardenpass
    Configuring system settings: To view and configure cluster-wide system settings, use the following command: /cfg/sys The System menu appears. The System menu includes the following options:
    Parameter: host_atmpt user_purge host_purge show clear list del <index number>...
  • Page 263: Nortel Secure Network Access Switch

    <server ID> syslog accesslist
    Sets the MIP for the cluster. The MIP identifies the cluster and must be unique on the network. For more information, see “About the IP addresses” (page...
  • Page 264: Configuring The Nortel Snas Host

    ...Nortel SNAS device. The Cluster Host menu appears. The Cluster Host menu includes the following options:
    Accesses the Administrative Applications menu, in order to set the CLI timeout value; manage Telnet, SSH, SNMP, and SONMP access to Nortel SNAS devices;...
  • Page 265: Nortel Secure Network Access Switch

    <name> sysLocatio <location> license <key> gateway <IPaddr>
    Sets the Real IP address (RIP) for Interface 1 on the device. The RIP is the Nortel SNAS device host IP address for network connectivity and must be unique on the network. For more...
  • Page 266: Nortel Secure Network Access Switch

    Accesses the Host Routes menu, in order to manage static routes for the Nortel SNAS when there is more than one interface (see “Configuring static routes” (page... Accesses the Host Interface menu, in order to configure an IP interface (see “Configuring host interfaces”...
  • Page 267: Nortel Secure Network Access Switch

    /cfg/sys/host <host ID> followed by: reboot delete
    Reboots the Nortel SNAS. If the Nortel SNAS you want to reboot has become isolated from the cluster, you will receive an error message when executing the reboot command. In this case, log on to...
  • Page 268: Configuring Host Interfaces

    /cfg/sys/host #/interface <interface ID> followed by: ip <IPaddr> netmask <mask>
    ...to delete the Nortel SNAS from the cluster configuration (/cfg/sys/host #/delete). Sets the network address for the interface. (For Interface 1, the network address is the RIP.)
  • Page 269: Nortel Secure Network Access Switch

    <tag> mode failover|trunking ports
    Sets the default gateway address for the interface. The default gateway is the IP address of the interface on the core router that will be used for management traffic (such as requests to private authentication servers and DNS servers).
  • Page 270: Configuring Static Routes

    ...Nortel SNAS device. To manage static routes for a particular interface, use the following command:
    Specifies the primary port in the interface, on which the active link is set up. If the primary port fails, the active link is immediately transferred to a remaining (secondary) port.
  • Page 271: Configuring Host Ports

    To configure the connection properties for a port, use the following command: /cfg/sys/host #/port <port>
    Lists the IP address information for all configured static routes, by index number. Removes the specified route from the system, host, or interface configuration.
  • Page 272: Managing Interface Ports

    ...ID is an integer in the range 1 to 252 that uniquely identifies the interface on the Nortel SNAS host.
    Specifies the Ethernet auto-negotiation setting for the host and NIC port. The options are: •...
  • Page 273: Configuring The Access List

    ...Nortel SNAS cluster, use the following command: /cfg/sys/accesslist The Access List menu appears. The Access List menu includes the following options:
    Lists all ports assigned to the interface. Removes the specified port from the interface. •...
  • Page 274: Configuring Date And Time Settings

    The Date and Time menu includes the following options: /cfg/sys/time followed by: date <date> time <time>
    Lists the network address and network mask for all entries in the Access List, by index number. Removes the specified entry from the list. •...
  • Page 275: Nortel Secure Network Access Switch

    <index number> add <IPaddr>
    Specifies the time zone. You are prompted to enter a continent or ocean area, a country, and a region (if applicable). To view available input options, press Enter to accept the default (select) in order to display selection menus for each item.
  • Page 276: Configuring Dns Servers And Settings

    <entries> retransmit <interval> count <count> ttl <ttl>
    Accesses the DNS Servers menu, in order to manage servers configured for the cluster (see “Managing DNS servers” (page... Specifies the size of the local DNS cache.
  • Page 277: Nortel Secure Network Access Switch

    /cfg/sys/dns/servers The DNS Servers menu appears. The DNS Servers menu includes the following options:
    Sets the interval for the Nortel SNAS to check the health of the DNS servers. At the specified interval, the Nortel SNAS performs a DNS query to each DNS server in the system configuration to determine its health status.
  • Page 278: Nortel Secure Network Access Switch

    <index number> <IPaddr> move <index number> <new index number>
    Lists the IP addresses of currently configured DNS servers, by index number. Removes the specified DNS server from the system configuration. The index numbers of the remaining entries adjust accordingly.
  • Page 279: Configuring Rsa Servers

    To configure the symbolic name for the RSA server and import the sdconf.rec configuration file, use the following command: /cfg/sys/rsa The RSA Servers menu appears. ATTENTION This feature is not supported in Nortel Secure Network Access Switch Software Release 1.6.1. The RSA Servers menu includes the following options: /cfg/sys/rsa followed by: rsaname <name>...
  • Page 280: Nortel Secure Network Access Switch

    <index number> add <IPaddr> <facility> insert <index number> <IPaddr> <facility>
    Lists the IP addresses and facility numbers of all configured syslog servers, by index number. Removes the specified syslog server from the system configuration. The index numbers of the remaining entries adjust accordingly.
  • Page 281: Configuring Administrative Settings

    /cfg/sys/adm The Administrative Applications menu appears. The Administrative Applications menu includes the following options:
    The index number you specify must be in use. The index numbers of existing servers with this index number and higher are incremented by 1. Moves a server up or down the list of syslog servers in the configuration.
  • Page 282: Nortel Secure Network Access Switch

    <interval> audit auth hardenpass
    Accesses the SNMP menu, in order to configure network management of the cluster (see...). Enables or disables support for SynOptics Network Management Protocol (SONMP) network topology information. The default is disabled (off).
  • Page 283: Nortel Secure Network Access Switch

    Enables or disables Telnet access for remote management of the system. The options are: • on—Telnet access is enabled. If there are no entries in the Access List, all Telnet connections are allowed. Telnet carries the management session, including the login password, in cleartext; leave it off and use SSH, and populate the Access List so that management access is not open to every source address.
  • Page 284: Enabling Tunnelguard Srs Administration

    Enabling TunnelGuard SRS administration To create and modify the TunnelGuard Software Requirement Set (SRS) rules, you must use the SREM (see Nortel Secure Network Access Switch 4050 User Guide for the SREM (NN47230-101)). Before you can access the Rule Builder utility in the SREM, you must enable support for SRS administration.
  • Page 285: Nortel Secure Network Access Switch

    /cfg/sys/adm/sshkeys/knownhosts The SSH Known Host Keys menu appears.
    Generates new SSH host keys (RSA1, RSA, and DSA) to be used by all hosts in the cluster. Enter Apply to apply the change immediately and create the key. Administrators whose SSH clients already hold the old key will then see a host-key mismatch warning; record the new key's fingerprint and distribute it out of band before they reconnect, so that a mismatch is not simply clicked through.
  • Page 286: Configuring Radius Auditing

    You can configure the Nortel SNAS cluster to include a RADIUS server to receive log messages about commands executed in the CLI or the SREM, for audit purposes. Lists the type and fingerprint of the known SSH keys for remote hosts, by index number.
  • Page 287: Nortel Secure Network Access Switch

    Contact your RADIUS system administrator for information about the vendor-specific attributes used by the external RADIUS audit server. To simplify the task of finding audit entries in the RADIUS server log, do the following: “Configuring RADIUS accounting” (page 289)). http://www.iana.org/assignments/enterprise...
  • Page 288: Nortel Secure Network Access Switch

    The Audit menu includes the following options: /cfg/sys/adm/audit followed by: servers vendorid vendortype --End-- Accesses the RADIUS Audit Servers menu, in order to configure external RADIUS audit servers for the cluster (see audit servers” (page...
  • Page 289: Nortel Secure Network Access Switch

    <IPaddr> <port> <shared secret> insert <index number> <IPaddr> Lists the IP addresses of currently configured RADIUS audit servers, by index number. Removes the specified RADIUS audit server from the current configuration. The index numbers of the remaining entries adjust accordingly.
  • Page 290: Configuring Authentication Of System Users

    To configure the Nortel SNAS to support RADIUS authentication of system users, use the following command: /cfg/sys/adm/auth The index number you specify must be in use. The index numbers of existing servers with this...
  • Page 291: Nortel Secure Network Access Switch

    The Authentication menu includes the following options: /cfg/sys/adm/auth followed by: servers timeout <interval> fallback on|off Accesses the RADIUS Authentication Servers menu, in order to configure external RADIUS authentication servers for the cluster (see “Managing RADIUS authentication servers”...
  • Page 292: Nortel Secure Network Access Switch

    The RADIUS Authentication Servers menu includes the following options: /cfg/sys/adm/auth/servers followed by: list del <index number> Enables RADIUS authentication of system users. The default is disabled. Disables RADIUS authentication of system users. The default is disabled.
  • Page 293: Configuration Of Auto Blacklisting

    <index number> <new index number> Configuration of auto blacklisting To create the auto blacklisting, use the following command: cfg/sys/adm/abl Adds a RADIUS authentication server to the configuration. You are prompted to enter the following information: •...
  • Page 294: Nortel Secure Network Access Switch

    <del> hosts <list> <add> <del> user_atmpt host_atmpt user_purge host_purge show user names to be monitored. • list—lists monitored users. • add—adds a user to the list; specify the unique user name. • del—deletes a user from the list; specify the index number.
  • Page 295: Configuration Of Harden Password

    Clears all blacklisted users/hosts. Enables the auto blacklisting. Disables auto blacklisting. Specify the minimum length of the password. The value ranges from 1 to 511. Specify the minimum number of lower case characters in the password.
  • Page 296: Nortel Secure Network Access Switch

    Specify the minimum number of other characters in the password. The value ranges from 1 to 511. Specify the number of retries to enter the password. The value ranges from 1 to 15.
  • Page 297: Managing Certificates

    (SSL) certificates. When you add a key and certificate to one Nortel SNAS device in the cluster, the information is automatically propagated to all other devices in the cluster.
  • Page 298: Key And Certificate Formats

    PKCS12 (also known as PFX) PKCS7 PKCS8 MS IIS 4 102). summarizes the supported formats. Comment Encrypts the private key. Combines the private key and certificate in the same file. ATTENTION *You must use the PEM format when: •...
  • Page 299: Creating Certificates

    Nortel SNAS. Otherwise, the private key and the public key in the certificate will not match. Comment Key only (proprietary format). Requires conversion. For...
  • Page 300: Saving Or Exporting Certificates And Keys

    In the CLI, use the /cfg/cur cert command. In the SREM, use the Certificates > Certificates screen to add a new certificate. “Adding a private key to the Nortel 312)). 102)).
  • Page 301: Managing Private Keys And Certificates

    The following roadmap lists the CLI commands to configure and manage server certificates for the Nortel SNAS cluster. Use this list as a quick reference or click on any entry for more information: “Installing certificates and keys” (page 102)).
  • Page 302: Managing And Viewing Certificates And Keys

    If you specify an unused certificate number, the certificate is created. The Certificate menu appears. The Certificate menu includes the following options: Parameter name <name> cert gensigned server | client...
  • Page 303: Nortel Secure Network Access Switch

    <name> cert revoke gensigned server|client request Names or renames the certificate, as a mnemonic aid. Lets you paste the contents of a certificate file from a text editor. For more information, “Adding a certificate to the Nortel SNAS ”...
  • Page 304: Nortel Secure Network Access Switch

    [ <pass phrase> show info Signs a CSR by using the private key associated with the currently selected certificate. You are prompted to paste in the contents of a CSR. Client certificates are not supported in Nortel Secure Network Access Switch Software Release 1.6.1.
  • Page 305: Generating And Submitting A Csr

    Prepare the CSR. Enter the following command: /cfg/cert #/request You are prompted to enter the certificate request information. Table 54 "CSR information" (page 306) detailed information about the subject part of the current certificate.
  • Page 306: Nortel Secure Network Access Switch

    (e.g., section): Common Name (e.g., your name or your server’s hostname): E-mail Address: Description The two-letter ISO code for the country where the web server is located. For current information about ISO country codes, see http://www.iana.org.
  • Page 307: Nortel Secure Network Access Switch

    (y/n) [n]: Generate the CSR. After you have provided the required information, press Enter. The CSR is generated and displayed on the screen. Description Specifies alternative information for the subject if you did not provide a Common Name or e-mail address.
  • Page 308: Nortel Secure Network Access Switch

    Figure 15 Generating a CSR Save the CSR to a file. a Copy the entire CSR, including the -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST----- lines, and paste it into a text editor.
  • Page 309: Nortel Secure Network Access Switch

    (page The certificate is ready to be added into the Nortel SNAS cluster (see using a file name that indicates the server on which the certificate is to be used.
  • Page 310: Adding A Certificate To The Nortel Snas

    In a text editor, open the certificate file you received from the b Copy the entire contents, including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines. Add the certificate. “Adding a certificate to the Nortel SNAS ” (page
  • Page 311: Nortel Secure Network Access Switch

    Be sure to copy and paste the entire contents of the certificate file. /cfg/cert #/cert (...) to terminate.
  • Page 312: Adding A Private Key To The Nortel Snas

    Copy the contents of the private key file. a Locate the file containing the private key. Make sure the --End-- key file corresponds with the certificate file you received from the CA. The public key contained in the certificate works in concert with the related private key to handle SSL transactions.
  • Page 313: Nortel Secure Network Access Switch

    /cfg/cert #/key command. For more information about the Certificate menu commands, see “Managing and viewing certificates and keys” (page RSA PRIVATE KEY----- and -----END RSA PRIVATE KEY----- lines.
  • Page 314: Importing Certificates And Keys Into The Nortel Snas

    When the Nortel SNAS retrieves the specified certificate file from the file exchange server, the Nortel SNAS software analyzes the contents and automatically adds the private key, if present. --End-- “Key and certificate formats” (page...
  • Page 315: Nortel Secure Network Access Switch

    The certificate and private key are now fully installed. Figure 18 "Adding a certificate and private key by importing" (page 316) Description The file import protocol. The options are TFTP, FTP, SCP, SFTP.
  • Page 316: Displaying Or Saving A Certificate And Key

    #/export command (see SNAS ” (page To display the current certificate and key or save a copy, perform the following steps. “Managing and viewing certificates and keys” 302). --End-- “Exporting a certificate and key from the Nortel 318)).
  • Page 317: Nortel Secure Network Access Switch

    Figure 19 "Displaying a private key and certificate" (page 318) command. For more information about the Certificate menu commands, see (page shows sample output for the /cfg/cert #/display “Managing and viewing certificates and keys” 302).
  • Page 318: Exporting A Certificate And Key From The Nortel Snas

    Access the Certificate menu by using the /cfg/cert <cert id> command, where <cert id> is the certificate number of the certificate you wish to export. --End-- “Key and certificate formats” (page
  • Page 319: Nortel Secure Network Access Switch

    Export format Export pass phrase Reconfirm export pass phrase Table 56 "Certificate and key export explains the required parameters. Description The file export protocol. The options are TFTP, FTP, SCP, SFTP.
  • Page 320: Generating A Test Certificate

    The certificate is generated immediately after you have provided all the required information. However, the test certificate and key are not activated until you apply the changes. Description The name of the file on the file exchange server.
  • Page 321: Nortel Secure Network Access Switch

    • • • For more information about the parameters, see information" (page Apply the changes. country name (2-letter code) state or province name locality name organization name organizational unit name...
  • Page 323: Configuring Snmp

    SNMP v2c. You can specify any number of notification targets on the Nortel SNAS. For information about the MIBs supported on the Nortel SNAS, see “Supported MIBs” (page 477).
  • Page 324: Configuring Snmp

    Command /cfg/sys/adm/snmp /cfg/sys/adm/snmp/snmpv2-mib /cfg/sys/adm/snmp/community/cfg/sys /adm/snmp/community /cfg/sys/adm/snmp/users <user ID> 325)) 326)) 327)) “Configuring SNMPv3 users” (page “Configuring SNMP notification targets” (page “Configuring SNMP events” (page Parameter versions <v1 | v2c | v3>...
  • Page 325: Configuring Snmp Settings

    /cfg/sys/adm/snmp The SNMP menu appears. The SNMP menu includes the following options: /cfg/sys/adm/snmp followed by: Parameter privpasswd <password> ip <IPaddr> port <port> version v1 | v2c | v3 addmonitor [<options>] -b <name>...
  • Page 326: Configuring The Snmp V2 Mib

    To configure parameters in the standard SNMPv2 MIB, use the following command: /cfg/sys/adm/snmp/snmpv2-mib The SNMPv2-MIB menu appears. The SNMPv2-MIB menu includes the following options: Specifies the SNMP versions allowed. Enter one or more of the following options: • v1—SNMP version 1 •...
  • Page 327: Configuring The Snmp Community

    The SNMP Community menu includes the following options: /cfg/sys/adm/snmp/community followed by: read <name> write <name> trap <name> Designates a contact person for the managed Nortel SNAS cluster. • contact is a string specifying the designated contact person’s name, together with information about how to contact this person.
  • Page 328: Configuring Snmpv3 Users

    (auth password) and encryption key (priv password). The default is priv. • permission—the USM user’s privileges. Valid options are:
  • Page 329: Nortel Secure Network Access Switch

    The SNMP User menu includes the following options: /cfg/sys/adm/snmp/users <user ID> followed by: name <name> Names or renames the USM user. After you have defined a name for the user, you can use either the user name or the user ID to access the SNMP User menu.
  • Page 330: Nortel Secure Network Access Switch

    /cfg/sys/adm/snmp/users <user ID> followed by: seclevel none|auth|priv permission get|set|trap Specifies the degree of SNMP USM security. Valid options are: • none—SNMP access is granted without authentication. • auth—the SNMP user must provide a verified password before SNMP access is granted.
  • Page 331: Configuring Snmp Notification Targets

    /cfg/sys/adm/snmp/target <target ID> where target ID is a positive integer that uniquely identifies the notification target in the cluster. Specifies the protocol to be used to authenticate the USM user. Valid options are: •...
  • Page 332: Configuring Snmp Events

    To configure monitors and events defined in the DISMAN-EVENT-MIB, use the following command: /cfg/sys/adm/snmp/event The event menu appears. Specifies the IP address to which trap messages are sent. • IPaddr is the IP address of the SNMP manager.
  • Page 333: Nortel Secure Network Access Switch

    The event menu includes the following options: /cfg/sys/adm/snmp/event followed by: addmonitor [ <options> ] -b <name> <OID> <op> <value> Adds a boolean monitor and trigger as defined in the DISMAN-EVENT-MIB. Valid <options> are: •...
  • Page 334: Nortel Secure Network Access Switch

    /cfg/sys/adm/snmp/event followed by: addmonitor [ <options> ] -t <name> <OID> <value and event> Adds a threshold monitor and trigger as defined in the DISMAN-EVENT-MIB. Valid <options> are: • -c <comment>—adds a comment •...
  • Page 335: Nortel Secure Network Access Switch

    ] -x <name> <OID> [present|absent| changed] delmonitor <name> addevent [-c <comment> ] <name> <notification> [ <OID...> ] Adds an existence monitor and trigger as defined in the DISMAN-EVENT-MIB. Valid <options> are: • -c <comment>—adds a comment •...
  • Page 336: Nortel Secure Network Access Switch

    /cfg/sys/adm/snmp/event followed by: delevent <name> list Removes the specified event from the configuration. configured monitors and events. For monitors, the monitor name, OID, and type. For events, the event name, notification OID, and comment.
  • Page 337: Viewing System Information And Performance Statistics

    The following roadmap lists the CLI commands to view information and statistics for the cluster. Use this list as a quick reference or click on any entry for more information:
  • Page 338: Nortel Secure Network Access Switch

    Command /info /info/dhcp /info/events /info/logs /stats/aaa /stats/dump Parameter certs sonmp licenses [<domain ID>] kick <user> <addr> <group> blacklist <IPv4 Mac address> <blacklist duration> domain [<domain ID>] switches [<switch IP protocol/ve rsion>] [<status>] [<name type>]...
  • Page 339: Viewing System Information

    [ <domain ID> ] information about all installed certificates, including the certificate name, serial number, expiration date, key size, and subject information for each certificate.
  • Page 340: Nortel Secure Network Access Switch

    <user> <addr> <group> blacklist <IPv4 Mac address> <blacklist duration> Allows the operator to log the specified user out of a Nortel SNAS session. You are prompted to enter the following information: Kick user by name.
  • Page 341: Nortel Secure Network Access Switch

    [<active clients>] dist [ <hostid> ] ip <IPaddr>|[option] information about the domain configuration, such as the portal Virtual IP address (pVIP), Nortel Health Agent settings, authentication schemes, groups, client filters, SSL settings, portal display, network access devices, and SSH key.
  • Page 342: Nortel Secure Network Access Switch

    <subnet> <all>]] [<del> [<addr> <subnet> <all>]] <stats> session information for a client based on a specified MAC address. You are prompted to provide the MAC address. The information includes: the domain ID; the switch ID and port (in slot/port format);...
  • Page 343: Nortel Secure Network Access Switch

    [yes/no]>] local ethernet information about the configured snmp profile. For information, see information about the network access devices in a domain, by device. Information includes the...
  • Page 344: Viewing Alarm Events

    Viewing alarm events To view active alarms, use the following command: /info/events • dropped: error due to lack of resources • overruns: error due to lack of resources • frame: error due to malformed packets •...
  • Page 345: Viewing Log Files

    /info/logs The Logs menu appears. The Logs menu includes the following options: all alarms in the active alarm list, by their main attributes: severity level, alarm ID number, date and time when triggered, alarm name, sender, and cause.
  • Page 346: Viewing Aaa Statistics

    /stats/aaa The AAA Statistics menu appears. The AAA Statistics menu includes the following options: a list of all log files. Transmits the log file from the Nortel SNAS cluster to a file on the specified TFTP/FTP/SFTP file exchange server.
  • Page 347: Nortel Secure Network Access Switch

    <domain ID> dump Figure 21 "AAA statistics dump" (page 348) /stats/aaa/dump command. authentication statistics by domain for all Nortel SNAS hosts in the cluster since the system was started.
  • Page 348: Viewing All Statistics

    Viewing all statistics To view all available statistics for the Nortel SNAS cluster, use the following command: /stats/dump
  • Page 349: Kicking By Username Or Address

    To blacklist a device, use the following command: info/blacklist The blacklist menu includes the following options: Kick user by name. • name—a string that uniquely identifies the user.
  • Page 350: Nortel Secure Network Access Switch

    info/blacklist followed by: IPv4 Mac address blacklist duration Specify the IPv4 or MAC Address to be blacklisted. Specify the duration to blacklist the device. Range: 1 minute to 31 days (for example:...
  • Page 351: Maintaining And Managing The System

    (page • software and device management (see devices” (page 361) (page 363)): “Performing maintenance” (page 409). 356)) “Managing software for a Nortel SNAS device”
  • Page 352: Managing And Maintaining The System

    Command /maint /cfg/ptcfg <protocol> <host name or IP address of server> <filename on server> Parameter log <start-log> <stop-log> <displaylog> <clearlog> dumplogs <protocol> <host name or IP address of server> <filename on server>...
  • Page 353: Performing Maintenance

    /maint The Maintenance menu appears. The Maintenance menu includes the following options: /maint followed by: logs<in-memory> Parameter software halt reboot delete activate <version>...
  • Page 354: Nortel Secure Network Access Switch

    <filename on server> <collect info from all cluster host?> Collects system log file information and sends it to a file on the specified file exchange server. The information can then be used for technical support purposes.
  • Page 355: Nortel Secure Network Access Switch

    <tags> <domain ID> <output mode> connected. Valid options are y (= yes, all) or n (= no, single). If you specify n (= no) and you are connected to the MIP, information will be collected for the Nortel SNAS device currently in control of the MIP.
  • Page 356: Backing Up Or Restoring The Configuration

    To restore the system configuration, use the following command: /cfg/gtcfg <protocol> <host name or IP address of server> <filename on server> radius Enter the desired tag or a comma-separated list of tags (for example, enter aaa or aaa,dns). To trace all features, press Enter to accept the default.
  • Page 357: Nortel Secure Network Access Switch

    <host name or IP address of server> <filename on server> Saves the current configuration, including private keys and certificates, to a file on the specified file exchange server. You can later use this file to restore the configuration by using the gtcfg command.
  • Page 358: Nortel Secure Network Access Switch

    <filename on server> dump [ <private/s ecret keys> ] Restores a configuration, including private keys and certificates, from a file on the specified file exchange server. You are prompted to provide the following information: •...
  • Page 359: Configuring The Nortel Snas Scheduler

    /cfg/scheduler/add This includes the following fields: /cfg/scheduler/add followed by: task day of week Adds task to the scheduler. Deletes task from scheduler. • task number—specify the task number.
  • Page 360: Nortel Secure Network Access Switch

    Select the month. You can select the multiple months. The value ranges from 1 to 12. Select the day of the month. You can select the multiple days of a month. The value ranges from 1 to 31.
  • Page 361: Managing Nortel Snas Devices

    To manage Nortel SNAS software and devices, use the following command: /boot The Boot menu appears. Specify the output mode. Values: tftp, and ftp. Specify the tag. 1 all, 2 aaa, 3 dhcp, 4 dns, 5 ssl, 6 nha, and 7 snas default is Specify the domain.
  • Page 362: Nortel Secure Network Access Switch

    Accesses the Software Management menu, in order to view, download, and activate software versions (see “Managing software for a Nortel SNAS device” (page 363)). Stops the Nortel SNAS device to which you are connected (using Telnet, SSH, or a console connection).
  • Page 363: Managing Software For A Nortel Snas Device

    The Software Management menu includes the following options: /boot/software followed by: The /boot/delete command is primarily intended for when you want to delete a Nortel SNAS device in one of the following situations: •...
  • Page 364: Nortel Secure Network Access Switch

    <version> download <prot ocol> <server> <filename> Activates a downloaded software upgrade package that the cur command indicates as unpacked. If serious problems occur when the new software version runs, you can switch back to the previous version by activating the software version that the cur command indicates as old.
  • Page 365: Nortel Secure Network Access Switch

    /boot/software followed by: admin@ <hostname> .isd Removes a software package that has been downloaded but not yet activated (status is unpacked). You cannot delete software versions with any other status (see the cur command).
  • Page 367: Upgrading Or Reinstalling The Software

    When you activate a software upgrade on a Nortel SNAS device, all the Nortel SNAS devices in the cluster reboot. All active sessions are lost. Upgrading the software on your Nortel SNAS requires the following:
  • Page 368: Performing Minor And Major Release Upgrades

    For more information about enabling Telnet and SSH connections, see When you have gained access to the Nortel SNAS, download the software image (see --End-- 276). “Configuring administrative settings” (page “Downloading the software image”...
  • Page 369: Activating The Software Upgrade Package

    When a new version of the software is downloaded to the Nortel SNAS, the software package is decompressed automatically and <username or press ENTER for <password or press ENTER for default password in...
  • Page 370: Nortel Secure Network Access Switch

    If a software version marked old is available, it is possible to switch back to this version by activating it again. current means that a software version marked as old or unpacked has been activated.
  • Page 371: Nortel Secure Network Access Switch

    In this example, version x.x is now operational and will survive a reboot of the system, while the software version previously indicated as permanent is marked as old. performed the necessary health checks, the current status changes to permanent.
  • Page 372: Reinstalling The Software

    IP address of the TFTP/FTP/SCP/SFTP server • the name of the install image • authorization to log on as the boot user --End--
  • Page 373: Reinstalling The Software From An External File Server

    Specify the port for network connectivity. 356).) If you want to make separate backup copies of “Saving or exporting certificates and 300).) “Reinstalling the software from a CD”...
  • Page 374: Nortel Secure Network Access Switch

    Log on as the admin user to enter the Setup menu and perform the initial setup of the Nortel SNAS device (see (page specify the VLAN tag ID used. anonymous logon. The default is anonymous.
  • Page 375: Reinstalling The Software From A Cd

    Boot the Nortel SNAS from the CD. Log on as the root user (no password). Run install-nsnas isd4050. When the installation is complete, remove the CD and reboot. --End--
  • Page 377: The Command Line Interface

    /boot/delete commands, connect to the Real IP address (RIP) of the particular Nortel SNAS device on which you want to perform these commands, or connect to that Nortel SNAS with a console connection.
  • Page 378: Connecting To The Nortel Snas

    Nortel Secure Network Access Switch 4050 Installation Guide, (NN47230-300). Procedure steps Step Action Connect the terminal to the Console port using the correct serial cable. 378)) 380)) Table 58 "Console configuration 378): Value 9600...
  • Page 379: Establishing A Telnet Connection

    However, depending on how strict your security policy is, you may want to enable Telnet access. You may also restrict Telnet access to one or more specific machines. --End--
  • Page 380: Establishing A Connection Using Ssh

    Telnet client. However, since a secured and encrypted communication channel is set up even before the user name and password are transmitted, all traffic sent over the “Configuring the Access List” (page "ssh on|off" (page 283) “Configuring the Access List”...
  • Page 381: Accessing The Nortel Snas Cluster

    Reserve Root user access for advanced troubleshooting purposes, under guidance from Nortel customer support. For more information, see “Accessing the Nortel SNAS cluster” (page 218).
  • Page 382: Nortel Secure Network Access Switch

    Table 59 "User access levels" (page 382) “Initial setup” (page 41)). However, the default passwords (page 223). Access Level Description: The Operator is allowed read access to some of the menus and information available in the CLI.
  • Page 383: Cli Main Menu Or Setup

    After verifying the pending configuration changes, you can either apply the changes or use the revert command to remove them. “CLI reference” (page
  • Page 384: Nortel Secure Network Access Switch

    384 The Command Line Interface
  • Page 385: Configuration Example

    SNAS device; two edge switches (one Ethernet Routing Switch 8300 and one Ethernet Routing Switch 5510) functioning as network access devices; an Ethernet Routing Switch 8600 functions only as the core router. A BCM call server, a DNS server, a DHCP server, and a remediation server are connected to it.
  • Page 386: Nortel Secure Network Access Switch

    Table 60 "Network devices" (page 386) summarizes the devices connected in this environment and their respective VLAN IDs and IP addresses. Table 60 Network devices: Device/Service, VLAN ID, VLAN IP address, Device IP address. DHCP 10.20.20.1 10.20.20.2 10.30.30.1...
  • Page 387: Steps

    “Configure the network DNS server” (page 388) “Configure the network DHCP server” (page 388) “Configure the network core router” (page 392) “Configure the Ethernet Routing Switch 8300” (page 393) VLAN IP address, Device IP address: 10.40.40.1...
  • Page 388: Configure The Network Dns Server

    Run the DHCP admin utility (Start > Programs > Administrative Tools > DHCP). Create a new DHCP scope (see DHCP scope" (page 389)).
  • Page 389: Nortel Secure Network Access Switch

    Naming the new DHCP scope. Specify the IP address range for the DHCP scope (see "Specifying the IP address range" (page
  • Page 390: Nortel Secure Network Access Switch

    Figure 28 Choosing to configure additional options. Enter the IP address of the default gateway (see "Specifying the default gateway" (page
  • Page 391: Nortel Secure Network Access Switch

    Repeat step 3 through step 8 for each Red, Yellow, and Green VLAN in the network. Figure 31 "After all DHCP scopes have been created" (page 392) shows the DHCP scopes created for use in this example.
  • Page 392: Configure The Network Core Router

    Create IP interfaces for the VLANs. Since the edge switches are operating in Layer 2 mode, configure DHCP relay agents for the Red, Yellow, Green, and VoIP VLANs. --End--
  • Page 393: Configure The Ethernet Routing Switch 8300

    Configure the Ethernet Routing Switch 8300 The configuration procedure is based on the following assumptions: • You are starting with an installed switch that is not currently configured as part of the network. • You have installed Software Release 2.2.8.
  • Page 394: Nortel Secure Network Access Switch

    Passport-8310:6# config ethernet <slot/port> filter create Configuring the NSNA ports Add the uplink port: Passport-8310:6# config ethernet 1/48 nsna uplink uplink-vlans 110,120,130,140
  • Page 395: Configure The Ethernet Routing Switch 5510

    Configure the Ethernet Routing Switch 5510 The following configuration example is based on the following assumptions: • You are starting with an installed switch that is not currently configured as part of the network. • You have installed Software Release 4.3.
  • Page 396: Nortel Secure Network Access Switch

    Configuring the NSNA ports Add the uplink port: 5510-48T(config)# interface fastEthernet 20 5510-48T(config-if)# nsna uplink vlans 210,220,230,240 5510-48T(config-if)# exit
  • Page 397: Configure The Nortel Snas

    Enter VLAN tag id (or zero for no VLAN) [0]: Enter default gateway IP address (or blank to skip): 10.40.40.1 Enter the Management IP (MIP) address: 10.40.40.3 - Join an existing cluster - Boot menu - Information menu...
  • Page 398: Nortel Secure Network Access Switch

    Completing initial setup Enable SSH for secure management communications (required for SREM): >> Main# cfg/sys/adm/ssh on Enable SRS administration:
  • Page 399: Nortel Secure Network Access Switch

    Adding the network access devices This example adds the Ethernet Routing Switch 8300 manually, and uses the quick switch wizard to add the Ethernet Routing Switch 5510. In both cases, the example assumes that the switch is not reachable when it is added, and the switch public SSH key is therefore not automatically retrieved by the Nortel SNAS.
  • Page 400: Nortel Secure Network Access Switch

    Error: Failed to retrieve host key >> Switch 1# apply Changes applied successfully. Export the Nortel SNAS public SSH key to the Ethernet Routing Switch 8300: >> Switch 1# sshkey/export Import the public SSH key from the switch: >> SSH Key# import Adding the Ethernet Routing Switch 5510 Use the quick switch wizard: >>...
  • Page 401: Nortel Secure Network Access Switch

    Switch 8300(Switch 1) will always be used exclusively by Switch 1, whereas the VLAN IDs for the VLANs defined on the Ethernet Routing Switch 5510 (Switch 2) may be used by other edge switches added to the domain in future. Therefore, the VLAN mappings for Switch 1 are made at the switch-level command, while the VLAN mappings for Switch 2 are made at the domain level.
  • Page 402: Nortel Secure Network Access Switch

    402 Configuration example
  • Page 403: Troubleshooting

    Nortel SNAS are disabled for security reasons. Enter the command /cfg/sys/adm/cur to see whether remote access is enabled for Telnet or SSH.
  • Page 404: Nortel Secure Network Access Switch

    If there are entries in the Access List but your host is not listed, use the /cfg/sys/accesslist/add command to add the required host to the Access List.
  • Page 405: Cannot Add The Nortel Snas To A Cluster

    Nortel SNAS device already in the cluster. You can verify “Tracing SSL traffic” (page “How to get help” (page 21).
  • Page 406: Cannot Contact The Mip

    IP address, the Interface 1 IP address you intend to use for the new Nortel SNAS, and the MIP to the Access List. “Reinstalling the software” (page
  • Page 407: The Nortel Snas Stops Responding

    Power button again to turn the machine on. Log on as the Administrator user when the login prompt appears.
  • Page 408: A User Password Is Lost

    Nortel SNAS device is set up in a server room with restricted access. “Reinstalling the software” (page “Changing another users password” (page 224)
  • Page 409: A User Fails To Connect To The Nortel Snas Domain

    Logs failed DNS lookups made during a session (page 353). Sample output >> Maintenance# 12:54:08.875111: Trace started 12:54:28.834571 10.1.82.145 (1) aaa: "local user db Accept 1:john with groups ["trusted"]"...
  • Page 410: System Diagnostics

    To check if the Nortel SNAS is able to contact configured network access devices, routers, DNS servers, authentication servers, and IP addresses or domain names specified in group links, use the following command: >> Main# /maint/chkcfg Sample output >> Maintenance# 13:15:55.985432: Trace started 13:16:26.808831 10.1.82.145 (1) ssl: "SSL accept...
  • Page 411: Nortel Secure Network Access Switch

    To capture and analyze decrypted SSL traffic sent between clients and the portal server, enter the following command: >> Main# /cfg/domain #/server/trace/ssldump
  • Page 412: Active Alarms And The Events Log File

    The file sent to the TFTP/FTP/SFTP server does not contain any sensitive information related to the system configuration, such as certificates or private keys. “Configuring syslog servers” (page
  • Page 413: Using The Cli

    “CLI Main Menu” (page 421)). Each menu contains a list of available commands and a summary of each command function. You can enter menu commands at the prompt that follows each menu.
  • Page 414: Global Commands

    Table 64 "Global commands" (page 414) Action Display a summary of the global commands. Display help on a specific command in the command line interface. Display the current menu.
  • Page 415: Nortel Secure Network Access Switch

    <IPaddr or host name> curb dump Action Exit from the command line interface if the Nortel Secure Network Access Switch has stopped responding. TIP: This command should be used only when you are connected to a specific Nortel Secure Network Access Switch through a console connection.
  • Page 416: Command Line History And Editing

    Ctrl+p Ctrl+n Ctrl+a Ctrl+e Action Set the number of lines (n) that display on the screen at one time. TIP: The default value is 24 lines. When used without a value, the current setting is displayed.
  • Page 417: Cli Shortcuts

    For example, to access the list command in the NTP Servers menu from the Main menu prompt, use the following keyboard shortcut: >> Main# cfg/sys/time/ntp/list Description Move the cursor back, one position to the left. You can also use the left arrow key.
  • Page 418: Nortel Secure Network Access Switch

    To display the properties related to a specific submenu, you can include the submenu name as an argument to the cur command (at a menu prompt one level up from the desired submenu information).
  • Page 419: Using Slashes And Spaces In Commands

    For example, to specify a directory path and file name on the same line as the ftp command in the CLI, double quotation marks are required: >> Software Management# download ftp 10.0.0.1 "pub/SSL-5.1.1-upgrade_complete.pkg"
  • Page 420: Ip Address And Network Mask Formats

    describes variables and their use. Variable <var:user> Expands to the user name specified when the user logged on to the domain. <var:password> Expands to the password specified when the user logged on to the domain. <var:group>
  • Page 421: Cli Main Menu

    Expands to the Portal IP address. TIP: The variable can be included in redirect URLs. Expands to the domain name specified for the authentication method of the logged on user. Operator. Figure 32 CLI main menu
  • Page 422: Cli Command Reference

    The following CLI menus are accessible from the Main menu: • Information—provides submenus for displaying information about the current status of the Nortel Secure Network Access Switch. For the Information menu commands, see • Statistics—provides submenus for displaying Nortel SNAS performance statistics.
  • Page 423: Statistics Menu

    /info/events /info/logs Statistics menu The Statistics menu contains commands used to view statistics for the Nortel SNAS cluster and individual hosts. commands" (page 424) Parameters/Submenus dist [<hostid>] ip <ipaddr>|<option> mac <macaddr>|<option> sessions [<domainid> <switchid> [<username-prefix>]]...
  • Page 424: Configuration Menu

    SNAS. Table 69 "Configuration menu commands" (page 424) lists the configuration commands in alphabetical order. Parameters/Submenus total isdhost <host ID> <domain ID> dump Table 69 Configuration menu commands Command /cfg/cert <cert ID> Parameters/Submenus name <string> cert...
  • Page 425: Nortel Secure Network Access Switch

    Command /cfg/cert <cert ID>/revoke /cfg/cert <cert ID>/revoke/automatic /cfg/domain <domain ID> Parameters/Submenus show info subject validate keysize keyinfo add <integer> addx <integer> del <integer> list import <protocol> <server> <file> automatic url <url> authDN <LDAP-Distinguished-Name>...
  • Page 426: Nortel Secure Network Access Switch

    426 CLI reference Command /cfg/domain #/aaa/auth <auth ID> /cfg/domain #/aaa/auth <auth ID>/adv Parameters/Submenus switch snmp-profi vlan dhcp sshkey dnscapt httpredir radius quick syslog type radius|ldap|ntlm|siteminder|cleartrust|cert|rsa|local name <name> display radius|ldap|ntlm|siteminder|cleartrust|cert|rsa|local groupauth <auth IDs>...
  • Page 427: Nortel Secure Network Access Switch

    Command /cfg/domain #/aaa/auth <auth ID> (for LDAP) /cfg/domain #/aaa/auth <auth ID>/ldap /cfg/domain #/aaa/auth <auth ID>/ldap/activedire Parameters/Submenus servers searchbase <DN> groupattr <names> userattr <names> isdbinddn <DN> isdbindpas <password> ldapmacro enaldaps true|false ldapscert enauserpre true|false enacutdoma enashortgrp <enable...
  • Page 428: Nortel Secure Network Access Switch

    ID>/ldap/servers /cfg/domain #/aaa/auth <auth ID>/ldap/groupsearc /cfg/domain #/aaa/auth <auth ID>/ldap/adv /cfg/domain #/aaa/auth <auth ID> (for local portal database) Parameters/Submenus list <name> <attrname> <prefix> <suffix> del <index number> add <name> <attrname> <prefix> <suffix> insert <position> <name>...
  • Page 429: Nortel Secure Network Access Switch

    Command /cfg/domain #/aaa/auth <auth ID>/local /cfg/domain #/aaa/auth <auth ID> (for local MAC database) /cfg/domain #/aaa/auth <auth ID> (for RADIUS) Parameters/Submenus add <user name> <password> <group> passwd <user name> <password> groups <user name> <desired group>...
  • Page 430: Nortel Secure Network Access Switch

    /cfg/domain #/aaa/auth <auth ID>/radius/servers /cfg/domain #/aaa/auth <auth ID>/radius/sessiontim /cfg/domain #/aaa/authorder <auth ID>[,<auth ID>] /cfg/domain #/aaa/defgroup <group name> Parameters/Submenus servers vendorid <vendor ID> vendortype <vendor type> domainid <domain ID> domaintype <domain type> authproto pap|chapv2 timeout <interval>...
  • Page 431: Nortel Secure Network Access Switch

    Command /cfg/domain #/aaa/filter <filter ID> /cfg/domain #/aaa/group <group ID> Parameters/Submenus name <name> nha true|false|ignore nap true|false|ignore patchlink true|false|ignore comment <comment> name <name> locations radattr restrict sessionttl linkset extend <profile ID> srs <SRS rule name>...
  • Page 432: Nortel Secure Network Access Switch

    432 CLI reference Command /cfg/domain #/aaa/group #/extend [<profile ID>] /cfg/domain #/aaa/group #/extend #/linkset /cfg/domain #/aaa/group #/linkset /cfg/domain #/aaa/group #/radattr Parameters/Submenus filter <name> vlan <ID|name> acl <string> radattr linkset list <name> del <index number> add <linkset name>...
  • Page 433: Nortel Secure Network Access Switch

    Command cfg/domain #/aaa/group #/syscredent cfg/domain #/aaa/group #/cachepass /cfg/domain #/aaa/radacct /cfg/domain #/aaa/radacct/serve Parameters/Submenus user <sys_user> passwd prevuser <sys_user> prevpasswd actdate <YYYY MM DD HH:MM|NN [s|m|h|d]> earlpush <YYYY MM DD HH:MM|NN [s|m|h|d]> exprprev updclients <bool> reset <confirm>...
  • Page 434: Nortel Secure Network Access Switch

    434 CLI reference Command /cfg/domain #/aaa/radacct/domai nattr /cfg/domain #/aaa/nha /cfg/domain #/aaa/nha/quick /cfg/domain #/adv Parameters/Submenus vendorid vendortype quick recheck <interval> heartbeat <interval> hbretrycnt <count> status-quo on|off onflysrs on|off desktopage desktopagent <on|off|auto> desktopnam Desktop agent shortcut name...
  • Page 435: Nortel Secure Network Access Switch

    Command /cfg/domain #/del /cfg/domain #/dhcp /cfg/domain #/dhcp Parameters/Submenus subnet stdopts Enter the standard options menu vendopts Enter the standard options menu (<number> <name> <value> <del> quick subnet <number> [<type> [<hub> [<type> <name> <address> <netmask>...
  • Page 436: Nortel Secure Network Access Switch

    436 CLI reference Command /cfg/domain #/dhcp/subnet /cfg/domain #/dnscapt /cfg/domain #/dnscapt/exclude /cfg/domain #/httpredir Parameters/Submenus type name address netmask phone <phone signature> relaygreen <set external DHCP server> vlan <vlan name> <red ranges|stdopts|vendopts> <yellow ranges|stdopts|vendopts>...
  • Page 437: Nortel Secure Network Access Switch

    Command /cfg/domain #/linkset <linkset ID> /cfg/domain #/linkset #/link <index> /cfg/domain #/linkset #/link #/external/quick /cfg/domain #/portal Parameters/Submenus name <name> text <text> autorun true|false link <index> move <new index> text <text> type external external import <protocol>...
  • Page 438: Nortel Secure Network Access Switch

    438 CLI reference Command /cfg/domain #/portal/colors /cfg/domain #/portal/content /cfg/domain #/portal/lang /cfg/domain #/portal/lang/beconv /cfg/domain #/quick /cfg/domain #/server Parameters/Submenus color1 <code> color2 <code> color3 <code> color4 <code> theme default|aqua|apple|jeans|cinnamon|candy import <protocol> <host> <file> export <protocol> <host>...
  • Page 439: Nortel Secure Network Access Switch

    Command /cfg/domain #/server/adv/traflog /cfg/domain #/server/ssl /cfg/domain #/server/trace /cfg/domain #/sshkey Parameters/Submenus sysloghost <IPaddr> udpport <port> protocol ssl2|ssl3|ssl23|tls1 priority debug|info|notice cert <certificate index> cachesize <sessions> cachettl <ttl> cacerts <certificate index> cachain <certificate index list>...
  • Page 440: Nortel Secure Network Access Switch

    440 CLI reference Command /cfg/domain #/switch <switch ID> /cfg/domain #/switch #/dis /cfg/domain #/switch #/ena /cfg/domain #/switch #/hlthchk /cfg/domain #/switch #/sshkey Parameters/Submenus name <name> ip <IPaddr> mgmtproto <sscp|sscplite> type ERS8300|ERS5500|ERS4500 port <port> hlthchk vlan rvid <VLAN ID>...
  • Page 441: Nortel Secure Network Access Switch

    Command /cfg/domain #/switch #/vlan /cfg/domain #/vlan /cfg/dump /cfg/gtcfg /cfg/lang /cfg/ptcfg /cfg/quick /cfg/sys Parameters/Submenus add <name> <VLAN ID> del <index> list add <name> <VLAN ID> del <index> list <protocol> <host> <filename> import <protocol> <server> <filename>...
  • Page 442: Nortel Secure Network Access Switch

    442 CLI reference Command /cfg/sys/accesslist /cfg/sys/adm /cfg/sys/adm/audit /cfg/sys/adm/audit/servers Parameters/Submenus distrace list del <index number> add <IPaddr> <mask> snmp sonmp on|off clitimeout <interval> audit auth hardenpass telnet on|off ssh on|off srsadmin http https sshkeys redist <yes|no>...
  • Page 443: Nortel Secure Network Access Switch

    Command /cfg/sys/adm/auth /cfg/sys/adm/auth/servers /cfg/sys/adm/abl Parameters/Submenus servers timeout <interval> fallback on|off ena [<true|false>] dis [<true|false>] list <ip> <port> <secret> del <index> add <ip> <port> <secret> insert <position> <ip> <port> <secret> move <index number value> <new index number value>...
  • Page 444: Nortel Secure Network Access Switch

    444 CLI reference Command /cfg/sys/adm/hardenpass /cfg/sys/adm/http /cfg/sys/adm/https /cfg/sys/adm/snmp /cfg/sys/adm/snmp /cfg/sys/adm/snmp/community Parameters/Submenus length <integer> lowercase <integer> uppercase <integer> digits <integer> others <integer> retry <integer> ena [<true|false>] dis [<true|false>] port <integer> ena [<true|false>] dis [<true|false>] port <integer>...
  • Page 445: Nortel Secure Network Access Switch

    Command /cfg/sys/adm/snmp/event /cfg/sys/adm/snmp/snmpv2-mib /cfg/sys/adm/snmp/target <target ID> /cfg/sys/adm/snmp/users <user ID> /cfg/sys/adm/srsadmin /cfg/sys/adm/sshkeys Parameters/Submenus addmonitor [-c Comment] [-f Freq] [-o OID]* [-b |-t | -x ...] Name Oid delmonitor <name> addevent [-c Comment>] Name Notification [OID...] delevent <name>...
  • Page 446: Nortel Secure Network Access Switch

    446 CLI reference Command /cfg/sys/adm/sshkeys/knownhosts /cfg/sys/dns /cfg/sys/dns/servers /cfg/sys/host #/interface #/ports /cfg/sys/host #/interface #/routes /cfg/sys/host #/interface <interface ID> Parameters/Submenus list del <index number> import <IPaddr> servers cachesize <entries> retransmit <interval> count <count> ttl <ttl> health <interval>...
  • Page 447: Nortel Secure Network Access Switch

    Command /cfg/sys/host #/port <port> /cfg/sys/host #/routes /cfg/sys/host <host ID> /cfg/sys/routes /cfg/sys/rsa Parameters/Submenus delete autoneg on|off speed <speed> mode full|half ip <IPaddr> sysName <name> sysLocation <location> license gateway <IPaddr> routes interface <interface number> port <nr>...
  • Page 448: Boot Menu

    Boot menu The Boot menu contains commands for management of Nortel SNAS software and devices. the boot commands in alphabetical order. Parameters/Submenus list <ip> <n> del <index> add <ip> <n> insert <position> <ip>...
  • Page 449: Maintenance Menu

    Nortel SNAS devices. Table 71 "Maintenance menu commands" (page 449) Maintenance commands. Parameters/Submenus software halt <confirm> reboot <confirm> delete cur <version> <name> <status> activate <software version>... Table 71 Maintenance menu commands Command /maint /maint/log
  • Page 450: Nortel Secure Network Access Switch

    450 CLI reference
  • Page 451: Syslog Messages By Message Type

    “Configuring syslog servers” (page “Operating system (OS) messages” (page “System Control Process messages” (page “Traffic Processing Subsystem messages” (page • start-up (see “Start-up messages” (page • AAA (see “AAA subsystem messages” (page • NSNAS (see “NSNAS subsystem messages”...
  • Page 452: Operating System (Os) Messages

    Application filesystem corrupt - reinstall required Table 74 "Operating system messages—ERROR" (page 453) operating system EMERG messages. Table 72 "Operating system messages—EMERG" (page Table 73 "Operating system messages—CRITICAL" Table 74 "Operating system messages—ERROR" (page...
  • Page 453: System Control Process Messages

    Events and alarms are stored in the event log file. You can access the event log file by using the /info/events/download command. You can view active alarms by using the /info/events/alarms command. For more information, see statistics” (page Category Explanation/Action ERROR Possible loss of configuration.
  • Page 454: Nortel Secure Network Access Switch

    Table 77 "System Control Process messages—ALARM" (page 455) the System Control Process ALARM messages. To simplify finding the alarm messages, the name parameter is listed first. Category Explanation/Action Sent whenever the system control process has been (re)started.
  • Page 455: Nortel Secure Network Access Switch

    Severity: warning Name: license Sender: <IP> Cause: license_expire_soon Extra: "Expires: <TIME>" Severity: warning Category Explanation/Action ALARM A member of the Nortel SNAS cluster is down. This alarm is only sent if the cluster contains more than one Nortel SNAS.
  • Page 456: Nortel Secure Network Access Switch

    Name: audit Sender: CLI Extra: Start <session> <details> Update <session> <details> Stop <session> <details> Name: license_expired Sender = <IP> Category Explanation/Action EVENT Indicates that a Nortel SNAS is recovering from a partitioned network situation.
  • Page 457: Traffic Processing Subsystem Messages

    <no> javascript error: <reason> for: <host><path> vbscript error: <reason> for: <host><path> Table 79 "Traffic Processing messages—CRITICAL" Table 80 "Traffic Processing messages—ERROR" (page Table 81 "Traffic Processing messages—WARNING"...
  • Page 458: Nortel Secure Network Access Switch

    <reason> (<header>) failed to parse Set-Cookie <header> Bad IP:PORT data <line> in hc script Bad regexp (<expr>) in health check Category Explanation/Action ERROR Problem encountered when parsing an encoded JavaScript. The problem...
  • Page 459: Nortel Secure Network Access Switch

    No PortalGuard license loaded: domain <id> *will* use portal authentication No Secure Service Partitioning loaded: server <id> *will not* use interface <n> Category Explanation/Action ERROR Bad script operation found in health check script.
  • Page 460: Nortel Secure Network Access Switch

    No CN supplied in server cert <subject> Bad CN supplied in server cert <subject> DNS alarm: dns server(s) are UP Category Explanation/Action WARNING The loaded (demo) license on the Nortel SNAS has expired. The Nortel SNAS now uses the default license.
  • Page 461: Start-Up Messages

    Table 84 "AAA messages—ERROR" (page 461) messages. Table 84 AAA messages—ERROR Message LDAP backend(s) unreachable Domain=\"<id>\" AuthId=\"<authid>\" Category Explanation/Action INFO Backend health check detected backend <ip>:<port> to be down.
  • Page 462: Nortel Secure Network Access Switch

    SrcIp="<ip>" [User="<user>"] Error=<error> NSNAS Logout Domain="<id>" SrcIp="<ip>" User="<user>" portal PORTAL Domain="<id>" User="<user>" Proto="<proto>" Host="<host>" Share="<share>" Path="<path>" Category INFO INFO INFO INFO INFO INFO
  • Page 463: Nsnas Subsystem Messages

    Table 86 NSNAS—ERROR Message Domain:1, Switch: <switchID> ERROR cmd timeout for cmd :<commandID> Table 87 "NSNAS—INFO" (page 464) Category INFO INFO INFO INFO INFO Table 86 "NSNAS—ERROR" (page Table 87 "NSNAS—INFO"...
  • Page 464: Nortel Secure Network Access Switch

    – SRS check failed, restrictingSRS – <SRS rule> <comment> – <item> – <reason> nhauser: user <username>[<pVIP>] – SRS checks ok, open session Category Explanation/Action INFO Domain A, switch B, unit C, port D Ethernet link is up.
  • Page 465: Syslog Messages In Alphabetical Order

    Bad CN supplied in server cert <subject> Bad IP:PORT data <line> in hc script Bad regexp (<expr>) in health check Bad script op found <script op> Severity Type INFO NSNAS INFO...
  • Page 466: Nortel Secure Network Access Switch

    Config filesystem restored from backup Connect failed: <reason> copy_software_release_failed css error: <reason> DNS alarm: all dns servers are DOWN DNS alarm: dns server(s) are Severity Type ERROR Traffic Processing ERROR Traffic Processing...
  • Page 467: Nortel Secure Network Access Switch

    Found <size> meg of phys mem gzip error: <reason> gzip warning: <reason> HC: backend <ip>:<port> is down HC: backend <ip>:<port> is up again html error: <reason> Severity Type ERROR NSNAS ERROR Traffic...
  • Page 468: Nortel Secure Network Access Switch

    Ignoring DNS packet was not from any of the defined namesserver <ip>:<port> internal error: <no> IPSEC server <id> uses default interface (interface <n> not configured) isd_down Severity Type ERROR Traffic Processing ERROR Traffic Processing...
  • Page 469: Nortel Secure Network Access Switch

    <reason> for: <host><path>
    jscript.encode error: <reason>
    LDAP backend(s) unreachable Domain=\"<id>\" AuthId=\"<authid>\"
    license
    license_expired
    License expired
    Loaded <ip>:<port>
    log_open_failed
    Severity/Type: ERROR, Traffic Processing; ERROR, ALARM
  • Page 470: Nortel Secure Network Access Switch

    No Secure Service Partitioning loaded: server <id> *will not* use interface <n>
    No TPS license limit
    NSNAS AddressAssigned Domain="<id>" Method=<"ssl"> SrcIp="<ip>" User="<user>" TunIP="<inner tunnel ip>"
    Severity/Type: INFO, NSNAS; ERROR, ALARM; System (CRITICAL)
  • Page 471: Nortel Secure Network Access Switch

    Proto="<proto>" Host="<host>" Share="<share>" Path="<path>"
    PORTAL Domain="<id>" User="<user>" Proto="<proto>" Host="<host>" Share="<share>" Path="<path>"
    Rebooting to revert to permanent OS version
    reload cert config done
    Severity/Type: INFO; EVENT
  • Page 472: Nortel Secure Network Access Switch

    : <size> per server that use clicerts
    single_master
    socks error: <reason>
    SOCKS Rejected Domain="<id>" User="<user>" SrcIP="<ip>" Request="<request>"
    socks request: socks version <version> rejected
    Severity/Type: INFO, Config Reload
  • Page 473: Nortel Secure Network Access Switch

    System started [isdssl-<version>] (INFO)
    The private key and certificate don’t match for <server nr>
    TPS license limit (<limit>) exceeded
    TPS license limit: <limit>
    Severity/Type: INFO, EVENT, System
  • Page 474: Nortel Secure Network Access Switch

    Unable to use client certificate for <server #>
    Unable to use client private key for <server #>
    Unable to use the certificate for <server nr>
    unknown WWW-Authenticate method, closing
    Severity/Type: INFO, NSNAS
  • Page 475: Nortel Secure Network Access Switch

    Table 88 Syslog messages in alphabetical order (cont’d.)
    vbscript error: <reason> for: <host><path>
    www_authenticate: bad credentials
    Severity/Type: ERROR, Traffic Processing
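    The message templates in Tables 86 to 88 are what a SIEM has to parse, and two details matter for detection rules: most fields are Key="value" pairs (a few, such as Error=<error>, are unquoted), and the source-address key is spelled SrcIp in most messages but SrcIP in SOCKS Rejected. The following parser and findings logic is an added example written for this page, not code from the Nortel manual or the SNAS software. The "Mon DD HH:MM:SS host" syslog prefix and every sample line are constructed here; the message bodies follow the page's templates, with the AddressAssigned Method value written as Method="ssl".

```python
"""Parse Nortel SNAS syslog messages of the Key="value" form shown in the
tables above and derive findings an analyst would act on.

Added example, not code from the Nortel manual or the SNAS itself.  The
"Mon DD HH:MM:SS host " prefix and every sample line are constructed here;
message bodies follow the page's templates.  Keys are normalised to lower
case because the page uses both SrcIp and SrcIP.
"""
import re
from collections import defaultdict

# Key="quoted value" or Key=bare-value (the page shows Error=<error>).
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Optional syslog header; its format is an assumption of this example.
_HDR_RE = re.compile(r'^(?:\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d\s+\S+\s+)?(.*)$')

# Message prefixes taken from the page's tables, mapped to an event kind.
_PREFIXES = (
    ("SOCKS Rejected", "socks_rejected"),
    ("NSNAS AddressAssigned", "address_assigned"),
    ("NSNAS Logout", "logout"),
    ("PORTAL", "portal_access"),
    ("www_authenticate: bad credentials", "bad_credentials"),
    ("LDAP backend(s) unreachable", "ldap_unreachable"),
    ("TPS license limit", "tps_license"),
    ("HC: backend", "health_check"),
    ("The private key and certificate don", "cert_key_mismatch"),
)

SAMPLE_LINES = [  # constructed for this example
    'Jul 28 10:00:01 snas1 NSNAS AddressAssigned Domain="1" Method="ssl" SrcIp="192.0.2.10" User="alice" TunIP="10.10.0.5"',
    'Jul 28 10:00:05 snas1 PORTAL Domain="1" User="alice" Proto="smb" Host="fs1" Share="public" Path="/docs"',
    'Jul 28 10:01:10 snas1 SOCKS Rejected Domain="1" User="bob" SrcIP="192.0.2.77" Request="CONNECT 10.0.0.9:22"',
    'Jul 28 10:01:11 snas1 SOCKS Rejected Domain="1" User="bob" SrcIP="192.0.2.77" Request="CONNECT 10.0.0.9:23"',
    'Jul 28 10:01:12 snas1 SOCKS Rejected Domain="1" User="bob" SrcIP="192.0.2.77" Request="CONNECT 10.0.0.9:3389"',
    'Jul 28 10:02:00 snas1 www_authenticate: bad credentials',
    'Jul 28 10:02:30 snas1 LDAP backend(s) unreachable Domain="1" AuthId="2"',
    'Jul 28 10:03:00 snas1 TPS license limit (500) exceeded',
    'Jul 28 10:03:30 snas1 HC: backend 10.0.0.9:443 is down',
    "Jul 28 10:03:45 snas1 The private key and certificate don't match for 2",
    'Jul 28 10:04:00 snas1 NSNAS Logout Domain="1" SrcIp="192.0.2.10" User="alice"',
]


def parse_line(line):
    """Return {'kind', 'body', 'fields'} for one syslog line."""
    body = _HDR_RE.match(line).group(1)
    kind = next((name for prefix, name in _PREFIXES if body.startswith(prefix)), "other")
    fields = {}
    for key, quoted, bare in _KV_RE.findall(body):
        fields[key.lower()] = quoted if quoted else bare
    return {"kind": kind, "body": body, "fields": fields}


def analyse(lines, socks_threshold=3):
    """Aggregate parsed events into findings worth alerting on."""
    socks_by_src = defaultdict(int)
    sessions = {}          # user -> inner tunnel IP, from AddressAssigned
    alarms = []            # messages that need an operator, not just a count
    bad_credentials = 0
    for ev in (parse_line(line) for line in lines):
        f, kind = ev["fields"], ev["kind"]
        if kind == "socks_rejected":
            socks_by_src[f.get("srcip", "?")] += 1
        elif kind == "bad_credentials":
            bad_credentials += 1
        elif kind == "address_assigned":
            sessions[f.get("user")] = f.get("tunip")
        elif kind == "logout":
            sessions.pop(f.get("user"), None)
        elif kind in ("ldap_unreachable", "tps_license", "cert_key_mismatch"):
            alarms.append(ev["body"])
        elif kind == "health_check" and ev["body"].endswith("is down"):
            alarms.append(ev["body"])
    return {
        "socks_rejected_by_src": dict(socks_by_src),
        "noisy_socks_sources": sorted(ip for ip, n in socks_by_src.items() if n >= socks_threshold),
        "bad_credentials": bad_credentials,
        "alarms": alarms,
        "open_sessions": sessions,
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_LINES).items():
        print(f"{key}: {value}")
```

    Repeated SOCKS Rejected lines from one SrcIP against successive ports are a port-scan signature through the tunnel; the license, LDAP, health-check and key/certificate mismatch messages are operational alarms that also degrade authentication, so both are surfaced separately from the plain session bookkeeping.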
  • Page 477: Supported Mibs

    Supported MIBs. The following MIBs are supported by the Nortel SNAS: ALTEON-ISD-PLATFORM-MIB, ALTEON-ISD-SSL-MIB, ALTEON-ROOT-MIB, ...
  • Page 478: Nortel Secure Network Access Switch

    5-ETH-MULTISEG-TOPOLOGY-MIB
    Table 89 "Supported MIBs" (page 478) provides more information about some of the MIBs supported by the Nortel SNAS.
    Table 89 Supported MIBs
    ALTEON-ISD-PLATFORM-MIB: Contains the following groups and objects: isdClusterGroup, ...
  • Page 479: Nortel Secure Network Access Switch

    Table 89 Supported MIBs (cont’d.)
    ALTEON-ISD-SSL-MIB: Contains objects for monitoring the SSL gateways. The following groups are implemented: sslBasicGroup, sslEventGroup
    ALTEON-SSL-VPN-MIB: The following group is implemented: vpnBasicGroup
    DISMAN-EVENT-MIB: The MIB module for defining event triggers and actions.
    ENTITY-MIB
    IF-MIB
  • Page 480: Nortel Secure Network Access Switch

    Table 89 Supported MIBs (cont’d.)
    Description fragments: ifInUnknownProtos, ifOutNUnicast
    IP-FORWARD-MIB: The following group is implemented: ipCidrRouteGroup
    IP-MIB: The following groups are implemented: ...
    NORTEL-SECURE-ACCESS-SWITCH-MIB
    SNMP-FRAMEWORK-MIB
    SNMP-MPD-MIB
    SNMP-NOTIFICATION-MIB
    SNMP-TARGET-MIB
  • Page 481: Supported Traps

    Table 89 (cont’d.), description fragments: The following group is implemented: usmMIBBasicGroup. Write access to all objects in this MIB is turned off in VACM. A standard MIB implemented by all agents. The following groups are implemented: ...
    Supported traps. The following traps are supported by the Nortel SNAS.
    Table 90 Supported traps. Trap Name: authenticationFailure, coldStart, isdAlarmCleared, ...
  • Page 482: Nortel Secure Network Access Switch

    Table 90 Supported traps (cont’d.), Description: Signifies that a Nortel SNAS device in the cluster is down and out of service. Sent when the Nortel SNAS devices in the cluster have different licenses and when a demo license has seven days left before expiration.
  • Page 483: Nortel Secure Network Access Switch

    Cipher suites (columns: cipher name; SSL protocol; key exchange algorithm, authentication, for example SSLv3 DH, RSA; SSLv3 RSA, RSA; SSLv2 RSA, RSA):
    AES256-SHA, EDH-RSA-DES-CBC3-SHA, DES-CBC3-SHA, DES-CBC3-MD5, DHE-RSA-AES128-SHA, AES128-SHA, RC4-SHA, RC4-MD5, RC2-CBC-MD5, RC4-MD5, RC4-64-MD5, EXP1024-RC4-SHA, EXP1024-DES-CBC-SHA, EXP1024-RC2-CBC-MD5
  • Page 484: Nortel Secure Network Access Switch

    Cipher suites (cont’d.; key exchange column includes RSA (1024), RSA; DH, RSA; RSA, RSA; protocols SSLv3 and SSLv2):
    DES-CBC-MD5, EXP-EDH-RSA-DES-CBC-, EXP-DES-CBC-SHA, EXP-RC2-CBC-MD5, EXP-RC4-MD5, EXP-RC2-CBC-MD5, EXP-RC4-MD5, ADH-AES256-SHA, ADH-DES-CBC3-SHA, ADH-AES128-SHA, ADH-RC4-MD5, ADH-DES-CBC-SHA, EXP-ADH-DES-CBC-SHA, EXP-ADH-RC4-MD5
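    The suite names on these two pages encode the properties a reviewer checks before enabling them: EXP- and EXP1024- prefixes mean export-grade key lengths, ADH means anonymous Diffie-Hellman with no server authentication (any man-in-the-middle can stand in for the gateway), and RC4, RC2, single DES, 3DES and MD5 are all legacy primitives. The triage script below is an added example written for this page, not code from the Nortel manual; it lists each of the page's suite names once and applies the usual reading of OpenSSL-style names to show which of them a reviewer would still allow.

```python
"""Triage the SSL cipher suite names listed on this page by what their
OpenSSL-style names reveal about key exchange, cipher and MAC.

Added example, not code from the Nortel manual.  PAGE_CIPHERS is the
page's list with duplicates removed; the rules in classify() are the
standard interpretation of OpenSSL suite names.
"""

PAGE_CIPHERS = [
    "AES256-SHA", "EDH-RSA-DES-CBC3-SHA", "DES-CBC3-SHA", "DES-CBC3-MD5",
    "DHE-RSA-AES128-SHA", "AES128-SHA", "RC4-SHA", "RC4-MD5", "RC2-CBC-MD5",
    "RC4-64-MD5", "EXP1024-RC4-SHA", "EXP1024-DES-CBC-SHA", "EXP1024-RC2-CBC-MD5",
    "DES-CBC-MD5", "EXP-DES-CBC-SHA", "EXP-RC2-CBC-MD5", "EXP-RC4-MD5",
    "ADH-AES256-SHA", "ADH-DES-CBC3-SHA", "ADH-AES128-SHA", "ADH-RC4-MD5",
    "ADH-DES-CBC-SHA", "EXP-ADH-DES-CBC-SHA", "EXP-ADH-RC4-MD5",
]

ISSUE_TEXT = {
    "export": "export-grade key length (EXP-/EXP1024-)",
    "anonymous": "anonymous DH (ADH): no server authentication, trivially impersonated",
    "rc4": "RC4 stream cipher",
    "rc2": "RC2 cipher",
    "des": "single DES (56-bit key)",
    "3des": "3DES (64-bit block)",
    "md5": "MD5-based MAC",
    "no-pfs": "static RSA key exchange: no forward secrecy",
}


def classify(name):
    """Return the set of issue tags for one OpenSSL-style suite name."""
    parts = name.split("-")
    issues = set()
    if parts[0].startswith("EXP"):            # EXP-... or EXP1024-...
        issues.add("export")
    if "ADH" in parts:
        issues.add("anonymous")
    elif not any(p in ("DHE", "EDH") for p in parts):
        issues.add("no-pfs")                  # RSA key transport
    if "RC4" in parts:
        issues.add("rc4")
    if "RC2" in parts:
        issues.add("rc2")
    if "CBC3" in parts:                       # DES-CBC3 is triple DES
        issues.add("3des")
    elif "DES" in parts:
        issues.add("des")
    if parts[-1] == "MD5":
        issues.add("md5")
    return issues


def triage(names):
    """Split names into those with no issues and a map name -> issue texts."""
    acceptable, flagged = [], {}
    for name in dict.fromkeys(names):         # de-duplicate, keep page order
        issues = classify(name)
        if issues:
            flagged[name] = [ISSUE_TEXT[tag] for tag in sorted(issues)]
        else:
            acceptable.append(name)
    return {"acceptable": acceptable, "flagged": flagged}


if __name__ == "__main__":
    report = triage(PAGE_CIPHERS)
    print("acceptable:", report["acceptable"])
    for name, why in report["flagged"].items():
        print(f"{name}: " + "; ".join(why))
```

    Only DHE-RSA-AES128-SHA survives every rule, and even that is a SHA-1, SSLv3/TLS 1.0-era suite; where the page's protocol column reads SSLv2, the protocol itself is the problem regardless of the suite.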
  • Page 485: Install All Administrative Tools (Windows 2000 Server)

    Click Start and select Run. In the Open field, enter regsvr32 schmmgmt.dll. Note that there is a space between regsvr32 and schmmgmt.dll. Click OK. --End--
  • Page 486: Add The Active Directory Schema Snap-In (Windows 2000 Server And Windows Server 2003)

    Note that there is a space between mmc and /a. Click OK. The Console window appears. On the File (Console) menu, select Add/Remove Snap-in. The Add/Remove Snap-in window appears. --End--
  • Page 487: Nortel Secure Network Access Switch

    Active Directory Schema is added to the Add/Remove Snap-in window. Click Close to close the Add Standalone Snap-in window. Click OK. The Console window appears.
  • Page 488: Permit Write Operations To The Schema (Windows 2000 Server)

    In the Console window, on the left pane, right-click Active Directory Schema. Select Operations Master. Select the check box The Schema may be modified on this Domain Controller. --End--
  • Page 489: Create A New Attribute(Windows 2000 Server And Windows Server 2003)

    The Create New Attribute window appears. Create the isdUserPrefs attribute as shown below. Click OK. --End--
    Create the new class. To create the nortelSSLOffload class, proceed as follows:
  • Page 490: Nortel Secure Network Access Switch

    Right-click and select Properties. The Properties window appears. Select the Attributes tab and click Add. Add the isdUserPrefs attribute as optional. --End--
  • Page 491: Nortel Secure Network Access Switch

    Select the Relationship tab. Next to Auxiliary Classes, click Add Class (Add). Add the nortelSSLOffload class as an auxiliary class as shown below. --End--
  • Page 492: Nortel Secure Network Access Switch

    #/aaa/auth #/ldap/enauserpre, or the BBI setting User Preferences under VPN Gateways > Authentication > Auth Servers (LDAP) > Modify), the remote user should now be able to store user preferences in Active Directory. --End--
  • Page 493: Nortel Secure Network Access Switch

    DHCP server and learn the appropriate phone VLAN ID, and the second for the Phone VLAN itself.
  • Page 494: Configuring Ip Phone Auto-Configuration

    On the Windows 2000 Server Start menu, select Programs > Administrative Tools > DHCP. The DHCP Management Console opens (see "DHCP Management Console"). See "Creating the DHCP options": Call Server Information; VLAN Information for auto-discovery of the IP Phone VLAN; "Setting up the IP Phone".
  • Page 495: Nortel Secure Network Access Switch

    The Predefined Options and Values dialog box opens (see Figure 34 "The Predefined Options and Values dialog box" (page 496)).
  • Page 496: Nortel Secure Network Access Switch

    The Option Type dialog box. Create the DHCP option for the call server information. a. In the Option Type dialog box, enter the required information (see Table 92 "Option Type dialog box field values for Call Server Information" (page 496)).
  • Page 497: Configuring The Call Server Information And Vlan Information Options

    Right-click Scope Options, and select Configure Options. The Scope Options dialog box opens (see "Scope Options dialog box"). The Option Type dialog box opens (see "Option Type dialog box"; see Table 93 "Option Type dialog box field values for VLAN ...").
  • Page 498: Nortel Secure Network Access Switch

    Configure Call Server Information: a. Select the check box beside 128 Call Server Information. b. In the String value field, enter the following string: Nortel-i2004-A,iii.iii.iii.iii:ppppp,aaa,rrr;iii.iii.iii.iii:ppppp,aaa,rrr.
    ATTENTION: The Nortel IP Phone 2002, IP Phone 2004, and IP Phone 2007 use the same signature.
  • Page 499: Nortel Secure Network Access Switch

    Click Apply. Configure VLAN Information: a. In the Scope Options dialog box (see above), b. in the String value field, enter the following string. Parameter descriptions: aaa is the Action for the server ...
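    The option 128 string above has a fixed shape: the Nortel-i2004-A signature, then one or more ip:port,aaa,rrr entries separated by semicolons, terminated by a period. A builder and parser for it, added here as an example (not from the Nortel manual), catches the typos a hand-typed DHCP string invites. The page describes aaa as the action value; treating rrr as a retry count, limiting both to three digits as the placeholders suggest, and the port 4100 used in the sample are assumptions of this example.

```python
"""Build and validate the Nortel IP Phone DHCP "Call Server Information"
string (option 128) in the form the page gives:

    Nortel-i2004-A,iii.iii.iii.iii:ppppp,aaa,rrr;iii.iii.iii.iii:ppppp,aaa,rrr.

Added example, not from the Nortel manual.  aaa is the action value per the
page; reading rrr as a retry count and capping both at three digits are
assumptions made here.
"""
import ipaddress
import re

SIGNATURE = "Nortel-i2004-A"
_ENTRY_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5}),(\d{1,3}),(\d{1,3})$")


def build_option128(servers):
    """servers: list of (ip, port, action, retry) tuples -> option 128 string.

    Raises ValueError for anything that would not match the page's template.
    """
    if not servers:
        raise ValueError("at least one call server is required")
    entries = []
    for ip, port, action, retry in servers:
        ipaddress.IPv4Address(ip)                 # raises on a malformed address
        if not 1 <= int(port) <= 65535:
            raise ValueError(f"bad port {port!r}")
        for name, value in (("action", action), ("retry", retry)):
            if not 0 <= int(value) <= 999:        # aaa / rrr: up to three digits (assumption)
                raise ValueError(f"bad {name} {value!r}")
        entries.append(f"{ip}:{int(port)},{int(action)},{int(retry)}")
    return f"{SIGNATURE}," + ";".join(entries) + "."


def parse_option128(text):
    """Inverse of build_option128: returns a list of (ip, port, action, retry)."""
    if not text.endswith("."):
        raise ValueError("string must end with a period")
    head, sep, body = text[:-1].partition(",")
    if head != SIGNATURE or not sep:
        raise ValueError("missing Nortel-i2004-A signature")
    servers = []
    for entry in body.split(";"):
        m = _ENTRY_RE.match(entry)
        if not m:
            raise ValueError(f"malformed entry {entry!r}")
        ip, port, action, retry = m.groups()
        ipaddress.IPv4Address(ip)                 # 999.1.1.1 matches the regex but is no address
        if not 1 <= int(port) <= 65535:
            raise ValueError(f"bad port in {entry!r}")
        servers.append((ip, int(port), int(action), int(retry)))
    return servers


def is_valid_option128(text):
    """True when the string round-trips through parse_option128 unchanged."""
    try:
        return build_option128(parse_option128(text)) == text
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample: primary and secondary call server, port 4100 (assumed).
    s = build_option128([("192.0.2.20", 4100, 1, 10), ("192.0.2.21", 4100, 1, 10)])
    print(s, is_valid_option128(s))
```

    Because DHCP is unauthenticated, whatever answers first on the phone VLAN decides where the phones register; validating the string server-side does not protect against a rogue DHCP server, so the phone VLAN still needs DHCP snooping or equivalent port-level filtering.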
  • Page 500: Setting Up The Ip Phone

    Select 0 to set the phone to use FULL DHCP. Select 2 (for Automatic) to set the phone to learn its VLAN ID from the DHCP server. A colon (:) separates the hardware revision from the VLAN ID.
  • Page 501: Configuring The Logon Script

    %systemroot%\SYSVOL\sysvol\[Domain Name]\Policies\[GUID]\User\Scripts\Logon
    See "Creating a logon script".
  • Page 502: Creating A Logon Script

    For example: "%programfiles%\Netscape\Netscape Browser\netscape.exe". Save the file as a batch file (*.bat). %systemroot% is an environment variable representing the operating system root folder. By default, in a Windows 2000 operating system, the root folder is called WINNT.
  • Page 503: Creating The Script As A Vbscript File

    Enter the file name of the script you want to assign, then click OK. The logon script is now assigned and will take effect the next time users log on to the domain. --End-- The figure on the next page illustrates the steps.
  • Page 504: Nortel Secure Network Access Switch

    Using a Windows domain logon script to launch the Nortel SNAS portal. Figure 37 Assigning a logon script. --End--
  • Page 505: Nortel Secure Network Access Switch

    5. Products derived from this software may not be called "OpenSSL" nor may "OpenSSL" appear in their names without prior written permission of the OpenSSL Project.
  • Page 506: Nortel Secure Network Access Switch

    2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions, and the following disclaimer in the documentation and/or other materials provided with the distribution.
  • Page 507: Nortel Secure Network Access Switch

    GNU GENERAL PUBLIC LICENSE. TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
  • Page 509: Nortel Secure Network Access Switch

    For an executable work, complete source code means all the source code for all modules it contains, plus any associated
  • Page 510: Nortel Secure Network Access Switch

    License would be to refrain entirely from distribution of the Program. If any portion of this section is held invalid
  • Page 511: Nortel Secure Network Access Switch

    NO WARRANTY
  • Page 512: Nortel Secure Network Access Switch

    Apache Software Foundation (http://www.apache.org)". Alternately, this acknowledgment may appear in the software itself, if and wherever such third-party acknowledgments normally appear.
  • Page 513: Nortel Secure Network Access Switch

    The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
  • Page 514: Nortel Secure Network Access Switch

    ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
  • Page 515: Nortel Secure Network Access Switch

    Index: Administrator user, access level 381; allowed expressions and escape sequences, in Exclude List 229; AMPERSAND lt 24; AND symbol lt 24; Apache software license 512; ASCII terminal, for console connection 378; attribute for user preferences 485; authentication, configure 174 ...
  • Page 516: Nortel Secure Network Access Switch

    ... 415; exit 414; help 414; lines 416; netstat 415; nslookup 415; paste 414; ping 415; pwd 414; quit 414; traceroute 415; up 414; verbose 416; CLI online help 414; client filter: configure 162, create 162; client filters ...
  • Page 517: Nortel Secure Network Access Switch

    ... 309; generate 305; information required 306; submit 309; cur (CLI global command) 415; curb (CLI global command) 415; customer support 21; default entries in Exclude List 228; portal page appearance 230 ...
  • Page 518: Nortel Secure Network Access Switch

    SSH keys 70; test certificate 320; global commands, CLI: cur 415, curb 415, dump 415, exit 414, help 414, lines 416, netstat 415, nslookup 415, paste 414, ping 415, pwd 414, quit 414 ...
  • Page 519: Nortel Secure Network Access Switch

    Local DHCP leases, managing 122; Local DHCP services: configuring 115, DHCP Settings menu 117, Filter DHCP subnet type 120, Hub DHCP subnet type 118, leases 122, Standard DHCP subnet type 121, subnet types 115 ...
  • Page 520: Nortel Secure Network Access Switch

    ... 42; RIP 43; SSH public key, export 68; Nortel SNAS (Secure Network Access Switch) 4050: configuration and management tools 36, MIP 42, role in Nortel SNAS 27; nslookup (CLI global command) 415; NSNA network access device 24; one armed configuration 36 ...
  • Page 521: Nortel Secure Network Access Switch

    Red VLAN, in Nortel SNAS 29; reinstalling software 372; reinstalling software, from CD 375; reinstalling software, from external file server 373; Remote Authentication Dial-In User Service, see RADIUS 31; remote management, enable for SSH 54 ...
  • Page 522: Nortel Secure Network Access Switch

    ... 34; key types 34; restrict access 380; unable to connect using 403; SSH keys: export Nortel SNAS public key 68, generate 70, import network access device public key 69, manage 68, 71 ...
  • Page 523: Nortel Secure Network Access Switch

    ... 369; minor or major release upgrade 368; user access levels 381; Boot user for reinstall 373; categories 381; passwords 382; preferences 485; user requirements for Nortel SNA: browsers 25, JRE 25, 237 ...

This manual is also suitable for:

4500 series, 5500 series, 425 series, 450 series
