Device Authentication using Identity Engines Ignition Server
Technical Configuration Guide
Identity Engines Ignition Server / Ethernet Routing Switch 5500, 5600, 4500, 2500
Enterprise Solutions Engineering
Document Date: April 2010
Document Number: NN48500-586
Document Version: 2.0...
Ethernet edge switches and the Network Access Control infrastructure provided by Avaya’s Identity Engines portfolio. This Technical Configuration Guide is intended for Avaya Sales teams, Partner Sales teams and end-user customers.
Revision Control...
Configuration Examples ........ 5
Biomedical Device Authentication using Identity Engines Ignition Server and ERS5500 ........ 5
Software Baseline ........ 50
Reference Documentation ........ 51
Avaya Inc. – Proprietary & Confidential. Use pursuant to the terms of your signed agreement or Avaya policy.
Italic text in a Courier New font indicates text the user must enter or select in a menu item, button or command:
ERS5520-48T# show running-config
Output examples from Avaya devices are displayed in a Lucida Console font:
ERS5520-48T# show running-config
! Embedded ASCII Configuration Generator Script
! Model = Ethernet Routing Switch 5520-24T-PWR
! Software version = v5.0.0.011...
1.3 Configuration Examples
Although any Avaya switch listed in Section 1.1 could be used, this example uses an ERS5520 to allow for device authentication both with and without policy.
1.4 Biomedical Device Authentication using Identity...
You can either leave port members 14-20 in VLAN 1 or create a separate VLAN and add the port members to it, as we have done by creating VLAN 3000.
ERS5520-1 Step 1 – Set the IP address of the switch
5520-24T-1(config)# interface vlan 201
5520-24T-1(config-if)# ip address 47.133.56.66 netmask 255.255.255.0
5520-24T-1(config-if)# exit
ERS5520-1 Step 3 – Enable NEAP password format of MAC address only
5520-24T-1(config)# eapol multihost non-eap-pwd-fmt mac-addr
ERS5520-1 Step 4 – Enable EAP globally
5520-24T-1(config)# eapol enable
5520-24T-1(config-if)# eapol multihost eap-mac-max 1
5520-24T-1(config-if)# eapol multihost non-eap-mac-max 1
5520-24T-1(config-if)# eapol multihost radius-non-eap-enable
5520-24T-1(config-if)# eapol multihost non-eap-use-radius-assigned-vlan
5520-24T-1(config-if)# eapol multihost enable
5520-24T-1(config-if)# exit
Admin Status
Verify that EAP is enabled on ports 14 to 20 by checking that the Admin Status is set to Auto.
Allow Auto Non-EAP MHSA: Disabled
Allow Non-EAP Phones: Disabled
RADIUS Req Pkt Send Mode: Multicast
Allow RADIUS VLANs: Disabled
Allow Non-EAP RADIUS VLANs: Enabled
UntagAll
Port 15  3000  0  UntagAll
Port 16  3000  0  UntagAll
Port 17  3000  0  UntagAll
Port 18  1500  UntagAll
Port 19
Port Members of VLAN 1600 with PVID of 1600. Ports 19 & 20 should be members of VLAN 1500 with PVID of 1500.
IDE Step 2 – Name the new Nortel device template (Nortel-VLAN in this example), set the VLAN Method to Use VLAN ID, set the MAC Address Source: to Inbound-User-Name, and click on OK.
Source from the default setting of Inbound-Calling-Station-Id to Inbound-User-Name for device authentication to work when using an Avaya ERS switch as an EAP authenticator. This applies only to device authentication, not to user authentication.
IDE Step 2 – Via the Outbound Attribute window, enter a name for the attribute (i.e. VLAN as used in this example), and select Tunnel-Private-Group-Id via the RADIUS Attribute radio button. Click on OK when done.
Philips VLAN. Start by entering a name via the Outbound Value Name: window (i.e. vlan-1500-Philips as used in this example) and click on New.
VLAN Label: window and enter the correct VLAN number (i.e. 1500 as used in this example) in the VLAN ID: window. Click on OK twice when done.
Siemens VLAN. Start by entering a name via the Outbound Value Name: window (i.e. vlan-1600-Siemens as used in this example) and click on New.
(formerly Bayer Diagnostics Sudbury Ltd)
0030E6  Draeger Medical Systems, Inc. (was: SIEMENS MEDICAL SYSTEMS)
0003B1  Hospira Inc. (was: Abbott Laboratories)
001AFA  Welch Allyn, Inc.
IDE Step 2 – First we will create a rule for the Philips medical devices. Start by clicking on Add and then enter a name for the rule when the New Rule window pops up.
In our example, we are authenticating Philips MAC addresses which start with “00:09:5C” so we will enter 00095c. Click on OK when completed.
IDE Step 6 – Next, we will create a rule for the Siemens medical devices. Click on Add and then enter a name for the rule when the New Rule window pops up.
In our example, we are authenticating Siemens MAC addresses which start with “00:18:65” so we will enter 001865. Click on OK when completed.
IDE Step 10 – Once completed, the policy should look something like the following. Next, click on the Access Policy Summary button to verify the policy as shown below.
1.4.3.4 Add the Nortel switches as authenticators
For Ignition Server to process the Avaya switch RADIUS requests, each switch must be added as an Authenticator.
IDE Step 1 – Go to Site Configuration -> Authenticators -> default. For this example, we will create a new container named Medical by right-clicking default and selecting Add Container.
RADIUS Access checked off if you like for user authentication, but it is not required for this example. Click on OK when done.
First, we will add the MAC prefix for Philips. Via the Internal Devices window, click on New, enter the MAC prefix 00095c* as shown below and click OK when done.
Next, we will add the MAC prefix for Siemens. Via the Internal Devices window, click on New, enter the MAC prefix 001865** as shown below and click OK when done.
Troubleshoot tab, go to Directory Service Debugger and select the Device Lookup tab. Enter a valid MAC address to test such as 00095c010203 and click on the Send Request button.
Verify the following pertaining to the configuration used in this example:
Account-locked: 0 (0 indicates account is not locked)
Device-address: 00095c
Device-name: Philips
Device-vlan: label: “vlan1500” id: “1500”
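The device lookup and rule evaluation described above, written out as an added Python example (this is not Ignition Server or Avaya code). It canonicalises the MAC taken from the RADIUS User-Name attribute, matches it against the 00095c / 001865 prefix entries, and returns the outbound values the policy provisions: the Tunnel-Private-Group-Id VLAN from the steps above and the ERS-User-Based-Policy UBP name configured in section 1.4.6. The DEVICE_RULES table layout, the function names, the longest-prefix tie-break and the sample requests are this example's own assumptions; the prefixes, VLAN ids and UBP names are the ones used in this guide.

```python
import re

# Constructed rule table for this example. The OUI prefixes, VLAN labels/ids and
# UBP names are the ones used in this guide; the dictionary layout is this
# example's own, not an Ignition Server export format.
DEVICE_RULES = {
    "00095c": {"device_name": "Philips", "vlan_label": "vlan1500", "vlan_id": 1500, "ubp": "philips"},
    "001865": {"device_name": "Siemens", "vlan_label": "vlan1600", "vlan_id": 1600, "ubp": "siemens"},
}


def normalize_mac(value):
    """Return the MAC as 12 lowercase hex digits, or None when it is not a MAC.
    Accepts 00:09:5C:01:02:03, 00-09-5c-01-02-03, 0009.5c01.0203 and 00095c010203,
    so the prefix rules below always compare against one canonical form."""
    if not isinstance(value, str):
        return None
    digits = re.sub(r"[:\-.\s]", "", value).lower()
    return digits if re.fullmatch(r"[0-9a-f]{12}", digits) else None


def lookup_device(mac_text):
    """Model of the Device Lookup step: find the device record whose prefix
    (the '00095c*' style entry) matches the MAC. When several prefixes match,
    the longest one wins (an assumption of this example)."""
    mac = normalize_mac(mac_text)
    if mac is None:
        return None
    matches = [prefix for prefix in DEVICE_RULES if mac.startswith(prefix)]
    if not matches:
        return None
    prefix = max(matches, key=len)
    return {"account_locked": 0, "device_address": prefix, **DEVICE_RULES[prefix]}


def evaluate_request(request, mac_source="User-Name"):
    """Decide a NEAP MAC-auth request the way the policy in this guide does.
    MAC Address Source defaults to Inbound-User-Name because the ERS carries the
    device MAC in User-Name (and, with 'non-eap-pwd-fmt mac-addr', as the
    password too). Returns the outbound attributes the policy provisions."""
    device = lookup_device(request.get(mac_source))
    if device is None:
        return {"result": "Access-Reject", "reason": f"no device rule matched {mac_source}"}
    if device["account_locked"]:
        return {"result": "Access-Reject", "reason": "device account is locked"}
    return {
        "result": "Access-Accept",
        "device_name": device["device_name"],
        # Outbound value 'VLAN' (RADIUS attribute Tunnel-Private-Group-Id) carries the VLAN id
        "Tunnel-Private-Group-Id": str(device["vlan_id"]),
        # Outbound value 'UBP' (Nortel VSA ERS-User-Based-Policy) names the switch-local filter set
        "ERS-User-Based-Policy": device["ubp"],
    }


if __name__ == "__main__":
    # Constructed sample requests in the shape the ERS sends for NEAP MAC authentication.
    samples = [
        {"User-Name": "00095c010203", "User-Password": "00095c010203", "NAS-Port": 14},
        {"User-Name": "00:18:65:aa:bb:cc", "User-Password": "001865aabbcc", "NAS-Port": 18},
        {"User-Name": "001afa000001", "User-Password": "001afa000001", "NAS-Port": 20},
    ]
    for req in samples:
        print(req["User-Name"], "->", evaluate_request(req))
```

The third sample uses the Welch Allyn OUI from the vendor list above and is rejected because no rule covers it, which is the behaviour to confirm in the Log Viewer Access tab: a device that is not in the Internal Devices list must not receive a VLAN or UBP value. Passing mac_source="Calling-Station-Id" reproduces the failure mode from the template note: with the wrong MAC Address Source the lookup never matches and every device is rejected.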
Log Viewer, and select the Access tab. Via the message of a valid device, right-click the message and select Access Record Details.
Result:
This is useful information in that it displays the port number on the Avaya ERS switch where the device is connected. You can use this information to keep track of each device MAC address and the switch port the device is connected to.
1.4.6 Adding User Based Policies (UBP) Option
The ERS 5500 and ERS 5600 both support User Based Policies (UBP) that can be used with EAP or non-EAP MAC authentication. UBP filter sets can be configured locally on the switch and applied upon an EAP Supplicant or non-EAP device successfully authenticating against a RADIUS server.
ERS5520-1 Step 1 – Enable EAP user-based policies
5520-24T-1(config)# eapol user-based-policies enable
ERS5520-1 Step 2 – Enable EAP multihost NEAP policies
5520-24T-1(config)# eapol multihost non-eap-user-based-policies enable
IDE Step 2 – Enter an appropriate name in the Outbound Attribute window (i.e. UBP as used in this example), select VSA Vendor Nortel and VSA value ERS-User-Based-Policy as shown below.
IDE Step 4 – When the Outbound Value Details window pops up, enter a name (i.e. UROLphilips as used in this example) via the Outbound Value Name window and click on New.
IDE Step 6 – Go to Site Configuration -> Provisioning -> Outbound Values and click on New one more time to add the outbound attribute for the Siemens devices.
String and enter the string name UROLsiemens for the UBP name of “siemens” configured for the Siemens devices on the ERS5520 switch. Click on OK twice.
IDE Step 10 – Move the attribute we configured above named UROLphilips from the All Outbound Value box to the Provision With box and click OK.
IDE Step 12 – Move the attribute we configured above named UROLsiemens from the All Outbound Value box to the Provision With box and click OK.
IDE Step 13 – Once complete, go to Site Configuration -> Access Policy -> MAC Auth -> default-radius-device and click on Access Policy Summary to view the policy configuration, which should look something like the following.
IPv4 Protocol / IPv6 Next Header: Ignore
Destination L4 Port Min: Ignore
Destination L4 Port Max: Ignore
Source L4 Port Min: Ignore
Verify that the DSCP value is correct: it should be 0x1A (decimal 26) for the Philips policy and 0x10 (decimal 16) for the Siemens policy.
If the device has successfully authenticated, and if the RADIUS server has been configured correctly, the policy named philips or siemens will be displayed.
“1101000” and 64 in binary is “1000000”; dropping the two least significant bits gives binary “11010” (decimal 26) and binary “10000” (decimal 16) respectively.
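The ToS-to-DSCP conversion above, carried through as an added Python example (not part of the guide): the DSCP field is the upper six bits of the IPv4 ToS byte, so the two low-order ECN bits are dropped, which turns the ToS values 104 (binary 1101000) and 64 (binary 1000000) into DSCP 26 (0x1A) and 16 (0x10). The example goes one step beyond the text by also naming the standard per-hop behaviour for a DSCP value (EF, CSx, AFxy), which is useful when checking that the policy display matches what the QoS design intended. Function names are this example's own.

```python
def tos_to_dscp(tos_byte):
    """DSCP is the upper six bits of the IPv4 ToS byte; the two low bits are ECN.
    This is the 'drop the two least significant bits' step described in the guide."""
    if not 0 <= tos_byte <= 255:
        raise ValueError("ToS byte must be 0..255")
    return tos_byte >> 2


def dscp_to_tos(dscp):
    """Inverse: place the six DSCP bits above two zero ECN bits."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP must be 0..63")
    return dscp << 2


def phb_name(dscp):
    """Standard per-hop-behaviour name for a DSCP value: EF (46), CSx for
    multiples of 8, AFxy for the assured-forwarding code points, else 'DSCP<n>'."""
    if dscp == 46:
        return "EF"
    klass, rem = divmod(dscp, 8)
    if rem == 0:
        return f"CS{klass}"
    if 1 <= klass <= 4 and rem in (2, 4, 6):
        return f"AF{klass}{rem // 2}"
    return f"DSCP{dscp}"


def describe_tos(tos_byte):
    """Summary to compare with the policy display: hex DSCP, decimal DSCP and PHB name."""
    dscp = tos_to_dscp(tos_byte)
    return {"tos": tos_byte, "dscp_hex": f"0x{dscp:02X}", "dscp": dscp, "phb": phb_name(dscp)}


if __name__ == "__main__":
    # The two ToS values discussed in this guide: 104 (Philips policy) and 64 (Siemens policy).
    for tos in (104, 64):
        d = describe_tos(tos)
        print(f"ToS {tos} ({tos:07b}) -> DSCP {d['dscp_hex']} (decimal {d['dscp']}, {d['phb']})")
```

For the guide's values this reports 0x1A as AF31 and 0x10 as CS2; if the switch display shows a different DSCP than the policy summary, dscp_to_tos gives the ToS byte to look for in a packet capture on the device port.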
2. Software Baseline

Product            Minimum Software Level
Identity Engines   6.0.1
ERS2500
ERS4500
ERS5500
ERS5600