Obtaining Technical Support (1-vii)
Part 1: Configuration Tools Navigation Pane
Introduction to 8950 AAA
  What is 8950 AAA? (1-1)
  RADIUS Terms Explained (1-3)
8950 AAA Server Management Tool Overview
  Purpose of the Server Management Tool (2-1)
  Starting the Server Management Tool ...
Policy Flow Files (8-3)
Method Configuration (8-4)
Method Dispatch Section (8-9)
Using the 8950 AAA Policy Assistant in Server Management Tool
  Understanding PolicyFlow, the PolicyAssistant, and the Policy Wizard (9-2)
  Installing the PolicyAssistant (9-2)
  Preparing to Create Your First Policy (9-3)
  Using the Policy Wizard ...
Configuring Reports
  The Configure Reports Panel (15-1)
Part III: Logging Tools Navigation Pane
Message Logging
  8950 AAA Message Overview (16-1)
  Logging Tools (16-2)
  Server Log Messages (16-3)
  Log Channels (16-6)
  Log Channel Configuration Panel Tabs (16-14)
  Notes on the Naming of Size Based Files ...
The PolicyAssistant and User Files (19-2)
The SMT User Files Panel (19-3)
Creating an Attribute Set File (19-16)
8950 AAA Dictionary Editor
  Accessing the Dictionary Editor Panel (20-1)
  Vendors Tab (20-2)
  Attributes Tab (20-4)
  Diameter Applications Tab ...
Part VI: Database Tools Navigation Pane
Creating and Managing User Profiles with the Built-in Database
  Understanding Database Users (23-1)
  Logging in to the Database (23-2)
  Creating and Managing User Profiles (23-3)
  Understanding Database SQL Tool (23-19)
  Managing Hypersonic Database Users ...
Contents, page viii. 365-360-001R6.0, Issue 1, December 2008.
The PolicyAssistant creates, manages, and applies policies to control how and when users access your network. A policy is a set of rules that 8950 AAA uses to determine how users are authenticated, how access is authorized and configured, and how accounting data is stored.
For more information about installing 8950 AAA and general software and hardware requirements, read the 8950 AAA Quick Start Guide. If you are new to 8950 AAA, the links below should help determine where to go first: Ready to configure 8950 AAA?
How This Manual Is Organized Manual organization This manual covers the steps necessary to set up your 8950 AAA server, clients, and user profiles to process user requests for network access. The manual is organized as follows: Chapter 1, “Introduction to 8950 AAA”...
This chapter discusses the tools that are available for configuring and managing 8950 AAA address pools using the Universal State Server. Chapter 14, “Stats Collector” This chapter discusses the parts of the 8950 AAA tool that collect statistical information about 8950 AAA. Chapter 15, “Configuring Reports”...
8950 AAA product. Chapter 21, “Managing files” This chapter discusses 8950 AAA files and how to create and manage them using the File manager panel. Chapter 22, “8950 AAA Certificate Manager”...
<server IP address or name> is the address or name of the 8950 AAA server.
italics: names of manuals, or the first occurrence of a glossary term. Example: Refer to the 8950 AAA 6.0 User's Guide and Reference.
Reference reading The following books cover a variety of topics that you might encounter while working with 8950 AAA. These books provide more information on the vast number of protocols and applications that 8950 AAA supports. Building Internet Firewalls (2nd ed.). Elizabeth D. Zwicky, Simon Cooper, D. Brent Chapman, and Deborah Russell.
• Alcatel-Lucent Customer Support Web Site: http://support.lucent.com
• Support Channel 2: If you have purchased 8950 AAA within the last 90 days, you can contact Lucent Technologies World-Wide Services (LWS) for email support through the Alcatel-Lucent Customer Support Web Site: http://support.lucent.com
•...
Examples of a RADIUS client are a network access server (NAS), a Wi-Fi access point, or even a Web page that collects credentials. 8950 AAA protects the integrity not only of the network server but also of the client-server relationship: a client must be known to the server and share a secret with it before its requests are processed.
• Returning an answer (accept or reject) to the RADIUS client
• A user profile contains information about a user that 8950 AAA uses to process a RADIUS request. The information usually includes the user name and password, and might include other information needed to implement local access policies. User profiles can be stored in files, databases, directories, Web-based services, etc.
8950 AAA uses policies to define a set of rules that the server uses to determine access rights, user privileges, and accounting practices based on information contained in the Access-Request and information about the user who is requesting access.
8950 AAA requires that at least one policy be defined, but it can be configured to handle many policies. You decide how many policies are necessary based on your business needs, which can range from the type and level of services you provide, equipment requirements, and customer requirements to the geographic location of your customers and the time of day.
It then waits for a response.
Accounting Activities
In addition, the 8950 AAA server can collect and store session and billing data. The server can save this data to text files (the RADIUS Detail file), to the built-in database, or to any SQL database that has a Java Database Connectivity (JDBC) driver, or it can forward the data to another RADIUS server.
The SMT is a standalone application that is started and run independently of the 8950 AAA server. The SMT may be run on the same computer as 8950 AAA or on a different computer. When the SMT is not run on the same platform as 8950 AAA, a small application called the 8950 AAA Configuration Server must be started on the 8950 AAA platform before the SMT can be used.
Starting the Server Management Tool
Figure 2-1 illustrates the 8950 AAA SMT architecture.
Figure 2-1 8950 AAA System with SMT (diagram labels: Network Access Server, RADIUS Server, Universal State Server, Access-Request, Session, Service)
This can be an administrator name or a user configured for operator access. 3. Select the appropriate Connect option for your 8950 AAA server. You can open and edit files locally or connect to a remote 8950 AAA Server with the SMT. Result: When the SMT is not running on the same platform as the 8950 AAA server, the Configuration Server is used to execute commands issued by the SMT.
Figure 2-3 SMT Login Panel–Connecting to Configuration Server
Important! Each instance of the SMT can only manage one 8950 AAA server at a time.
4. Choose the appropriate Host/IP address to connect to the appropriate 8950 AAA server.
8950 AAA Server Management Tool Overview: The Server Management Tool User Interface
Figure 2-4 The SMT User Interface–Default screen
Navigation pane
The main frame of the window, located below the taskbar, is called the Data pane. The following screen shows an example of a Data pane after one of the options in the Navigation pane has been selected.
Navigation pane, a panel is displayed in the Data pane. The Data pane can display multiple panels simultaneously. SMT Menu Bar The 8950 AAA SMT menu bar appears at the top of the SMT interface as a list of menus as shown in Figure 2-6.
Each menu contains a set of commands as described in Table 2-1.
Table 2-1 SMT Menu Commands
Menu/Command: Description
Server
  • Connect to Server: Establish a link to the 8950 AAA server.
  • Disconnect from Server: Log off from the currently connected 8950 AAA server.
Table 2-1 SMT Menu Commands (continued)
  • Preferences: Customize SMT features for this and succeeding SMT sessions.
  • Expand All: Display all folder components within the ...
Table 2-2.
Table 2-2 SMT Tool bar–Buttons
Button: Description
  • Log off the currently connected 8950 AAA server. Use the Connect menu option to reconnect.
  • Show the status of the Policy server running on the host of the currently connected 8950 AAA server. When the server is running, the button is green; when it is not running, the button is red.
Table 2-2 SMT Tool bar–Buttons (continued)
  • Close the active panel. If any changes have been made to that panel, a dialog box asks whether the changes should be saved. If no panel is displayed, this option is not available.
Table 2-2 SMT Tool bar–Buttons (continued)
  • Displays System Information.
  • Displays SMT help.
  • Displays the Technical Support File Packager window for gathering files to send to technical support.
  • Allows you to launch test tools in another process.
Figure 2-8 SMT–Navigation Pane
There are five categories of panels or tools. The Navigation pane can be likened to a toolbox: each panel provides a different tool, and each tool is accessed by selecting the panel name.
Figure 2-9 SMT–Data Pane without panels
Figure 2-10 SMT–Data Pane with panel
SMT Log Pane
The Log pane appears at the bottom of the SMT user interface when you click the SMT Log tab. The SMT Log pane displays log messages of the SMT, ...
Figure 2-12 SMT–Server Log pane
The SMT Server Log pane contains buttons that are used for executing commands within the application. The commands are described in Table 2-4.
SMT menus and their commands
SMT Menus
As described in the section “SMT Menu Bar” on page 2-6, the 8950 AAA Server Management Tool contains five command menus, as follows:
• Server
• Panel
• ...
The Server menu contains commands that manage the connection between the SMT and the 8950 AAA server. It is found on the SMT menu bar. During the start procedure, either a local or remote connection to the configuration server is attempted. A local or remote connection is necessary to display and enable the SMT GUI.
• ... configuration files into the running 8950 AAA server.
• The 8950 AAA server loads certain files into memory when it is started, for example the list of RADIUS clients. These files can also be reloaded while the server is running.
• ... the 8950 AAA run subdirectory.
• The Save to Web Page (HTML) option saves the output to an HTML file created in the 8950 AAA run subdirectory.
• The Print Preview option displays the output on the screen and provides an option ...
Server Management Tool Command Set: SMT menus and their commands
Figure 3-3 Configuration Print options dialog–Print Configuration option
Edit Commands
The Edit menu displays commonly used text editing commands as well as server preferences and Data pane management options. To display the Edit menu, select Edit on the menu bar.
Figure 3-4 SMT–Preferences Panel
Table 3-1 describes the fields of the SMT Preferences Panel.
Table 3-1 SMT Preferences Panel–Properties
Configured Item: Description
General Info: Displays general information such as version details, host information, operating system information, Java information, and so on.
Table 3-1 SMT Preferences Panel–Properties (continued)
Display Settings: Sets and displays desktop components, icons, and window sizes and locations. All the settings are Yes or No buttons; choose the appropriate buttons as required.
Server Control: Sets how often the SMT checks the status of the 8950 AAA and configuration servers. On Windows platforms, controls 8950 AAA operation as a Windows service.
Database: Enables display of database panels and sets database connection options.
Table 3-1 SMT Preferences Panel–Properties (continued)
Check-items List: Sets the attributes displayed in the default Check-items list that is available in various SMT panels. You may select an attribute from the full dictionary attribute list, labeled Attributes, on the left side of the pane, or enter your own attribute name in the custom attribute text box.
Figure 3-5 SMT Preferences Panel–Check-Items List
Search/Find
The Find menu section has two options that help you find, or find again, the word or item you are searching for.
• Find
• ...
Server Management Tool Command Set: Managing Data in SMT Panels
Using the Window Menu to Manage Panels
This menu contains commands that allow the user to manage the panels that are open within the Data pane. Cascade, Maximize, Tile Horizontal, Tile Vertical, and Arrange Icons display the panels as in other graphical user interfaces.
Important! In some cases more than one icon may be used for a given function. This is due to space limitations on some of the panels.
Table 3-2 Panel Control Functions
Action: Description: Button Icon ...
You can install and work with either the Policy Flow Editor or the Policy Assistant, but only one of them at a time. By default, the Policy Flow Editor is enabled when you install the 8950 AAA GUI. To enable the Policy Assistant, perform the following steps.
Server Management Tool Command Set: Installing the PolicyAssistant and the Policy Flow Editor
Figure 3-10 SMT–Policy Flow Installation page
3. Select Install Policy Assistant and click the Install Policy Flow button. The following message appears.
Figure 3-11 SMT–Policy Flow Installation warning message
4.
Tool” for more information on the PolicyAssistant. While the PolicyAssistant is very easy to use, there are some decisions you must make to successfully set up 8950 AAA.
Installing PolicyFlow Editor
To enable the PolicyFlow Editor, perform the following steps:
1.
2.
Installing PolicyFlow Editor for a configuration set
To enable the PolicyFlow Editor for a configuration set, perform the following steps:
1. In the PolicyFlow Installation page, as shown in Figure 3-10, select Install a Configuration Set.
Managing 8950 AAA Servers Overview Purpose This section discusses how the SMT is used to control the behavior of 8950 AAA servers and to define properties associated with the servers. The following topics are included in this chapter: Configuring Server Properties...
Figure 4-1 Server Properties Panel The Server Properties Panel Use the Server Properties panel to control the behavior of the 8950 AAA servers including how the 8950 AAA server processes packets and manages data flow between its servers and clients.
The Web Interface Configuration panel specifies the configuration values for running the built-in web interface. The web interface allows you to query statistical information about the 8950 AAA servers from a standard web browser. This interface is automatically started when you run the 8950 AAA servers.
Figure 4-2 Policy Server–Admin Interface Configuration Panel
The Admin Interface Configuration panel specifies the configuration values for running the Admin interface. The Admin interface allows you to administer the 8950 AAA servers over a telnet connection, and it is started automatically when you run the 8950 AAA servers. Telnet carries the administrator login and every command in cleartext, so restrict this interface to a trusted management network and prefer the SSH interface, described next, for administration across any network you do not fully control.
Figure 4-3 Policy Server–SSH Interface Configuration Panel The SSH Interface Configuration panel specifies the configuration values for running the SSH interface. The SSH interface allows you to administer the 8950 AAA servers from secure connections using an SSH client. This interface is automatically started when you run the 8950 AAA servers.
Managing 8950 AAA Servers: Policy Server tab
Table 4-3 SSH Interface–Properties
Configurable Property: Description
Default Encryption: Specifies the default encryption algorithm to use for connections if not specified by the client.
Default Hash: Specifies the default hash algorithm to use for connections if not specified by the client.
Figure 4-4 Policy Server–RMI Registry Configuration Panel
The RMI Registry Configuration panel specifies the ports on which the RMI Registry runs, for both secured and unsecured connections. The SMT uses the RMI Registry to retrieve statistical information from the RADIUS Server and the StateServer.
Figure 4-5 Policy Server–SMT and Server Certificates Panel
The SMT and Server Certificates panel specifies the names of the certificate files used for secure (SSL) RMI connections and for communications between the primary and secondary state servers during replication.
A value of zero (0) disables the address.
SNMP Panel
The SNMP properties configure the SNMP agent built into the 8950 AAA server. 8950 AAA acts as an SNMP agent, counting the events that it receives.
To go to the Simple Network Management Protocol (SNMP) Properties panel, click the SNMP option in the Policy Server data pane menu on the left side. The SNMP properties panel is displayed as shown in Figure 4-7.
RFC 3411 as follows: the first four octets of the engineID are set to the 8950 AAA enterprise number, 831, with the very first bit set to 1 (giving 8000033f); octet 5 is set to 01 to indicate an IPv4 address; and octets 6 through 9 are set to the server's IP address.
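The engineID layout described above, worked through in code. This is an added example and not part of 8950 AAA; it builds the 9-octet value from the enterprise number and the server's IPv4 address and decodes it again, so an operator can check the value an SNMP manager reports against the expected one. The address is a constructed sample.

```python
"""RFC 3411 SnmpEngineID, format 1 (IPv4), as used by the 8950 AAA SNMP agent:
octets 1-4: enterprise number with the high bit set; octet 5: 0x01 (IPv4);
octets 6-9: the IPv4 address.  Added example, not product code."""
import ipaddress

ENTERPRISE_8950AAA = 831      # enterprise number stated on the page (0x33f)
FORMAT_IPV4 = 0x01            # RFC 3411 engineID format 1: IPv4 address follows


def engine_id_ipv4(ip: str, enterprise: int = ENTERPRISE_8950AAA) -> bytes:
    """Return the 9-octet engineID for an IPv4-addressed agent."""
    if not 0 <= enterprise < 2 ** 31:
        raise ValueError("enterprise number must fit in 31 bits")
    address = ipaddress.IPv4Address(ip)                 # rejects malformed input
    head = (0x80000000 | enterprise).to_bytes(4, "big")  # high bit marks RFC 3411 form
    return head + bytes([FORMAT_IPV4]) + address.packed


def parse_engine_id(raw: bytes) -> dict:
    """Decode an engineID; only the IPv4 form (format 1, 9 octets) is handled."""
    if len(raw) < 5 or not raw[0] & 0x80:
        raise ValueError("not an RFC 3411 style engineID")
    enterprise = int.from_bytes(raw[:4], "big") & 0x7FFFFFFF
    fmt = raw[4]
    if fmt != FORMAT_IPV4 or len(raw) != 9:
        raise ValueError(f"unsupported engineID format {fmt:#x} or length {len(raw)}")
    return {"enterprise": enterprise, "format": fmt,
            "address": str(ipaddress.IPv4Address(raw[5:]))}


if __name__ == "__main__":
    sample = engine_id_ipv4("192.0.2.10")               # constructed sample address
    print(sample.hex(), parse_engine_id(sample))
```

Because the engineID is derived from the server's address, re-addressing the server changes its engineID, and SNMPv3 USM localized keys (RFC 3414) are derived from the engineID; managers that cached the old value will then fail authentication until they rediscover it.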
Figure 4-8 Policy Server–Database Configuration Panel
The Database Configuration panel specifies the configuration values for the built-in Derby database. If the port is non-zero, the database is started automatically when you run the policy server.
... 8950 AAA base installation directory. Sets the derby.system.home Derby property.
Derby Log Level: Sets the 8950 AAA log level at which messages from the Derby database server are logged.
Derby Severity: Sets the severity level of the Derby messages that Derby outputs to the 8950 AAA logging system.
Figure 4-9 Policy Server–User Provisioning System Panel
The User Provisioning System panel specifies the configuration values for the built-in User Provisioning system. The connection information below specifies how and where the provisioning system finds the database that holds the data it manages.
Figure 4-10 Policy Server–RADIUS Properties Panel
The RADIUS Properties panel specifies the configuration values for the Policy server when processing RADIUS requests. Table 4-10 lists the configurable entities of this panel.
Table 4-10 Radius Properties panel–Properties
Table 4-10 Radius Properties panel–Properties (continued)
Dynamic Authentication Addresses: Sets the listening addresses for dynamic authentication requests. This value is a comma separated list of address:port values. If the address is omitted, it is assumed to be *. If the port is omitted, it defaults to 3799.
Table 4-10 Radius Properties panel–Properties (continued)
Response Cache Timeout: When responding to RADIUS requests, the policy server can remember (cache) the responses. If a response is sent but lost and the NAS resends the same request, the policy server can reply with the cached response and does not have to process the request again.
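A response cache of the kind the Response Cache Timeout property describes, as an added example that is not 8950 AAA code. It shows the one detail that matters for correctness: the cache key must include the 16-byte Request Authenticator and not only the 8-bit Identifier, because an NAS reuses Identifiers quickly and a new request that happens to share one with a cached entry must be evaluated afresh. The clock is injected so expiry can be exercised without sleeping; the `evaluate_policy` callback, addresses and timings are the example's own.

```python
"""Duplicate-request cache keyed on (client, Identifier, Request Authenticator)
with a timeout, mirroring the Response Cache Timeout behaviour described on
the page.  Added example, not 8950 AAA code."""
import time
from typing import Callable, Dict, Optional, Tuple

Key = Tuple[str, int, bytes]   # (client address, Identifier, Request Authenticator)


class ResponseCache:
    def __init__(self, timeout_s: float, clock: Callable[[], float] = time.monotonic):
        self.timeout_s = timeout_s
        self.clock = clock                     # injectable for deterministic tests
        self._entries: Dict[Key, Tuple[float, bytes]] = {}

    def lookup(self, client: str, ident: int, authenticator: bytes) -> Optional[bytes]:
        """Reply previously sent for this exact request, or None if unknown/expired."""
        key = (client, ident, authenticator)
        entry = self._entries.get(key)
        if entry is None:
            return None
        sent_at, reply = entry
        if self.clock() - sent_at > self.timeout_s:
            del self._entries[key]             # expired: process the request again
            return None
        return reply

    def store(self, client: str, ident: int, authenticator: bytes, reply: bytes) -> None:
        self._entries[(client, ident, authenticator)] = (self.clock(), reply)

    def purge_expired(self) -> int:
        """Drop every expired entry; returns the number removed."""
        now = self.clock()
        stale = [k for k, (t, _) in self._entries.items() if now - t > self.timeout_s]
        for k in stale:
            del self._entries[k]
        return len(stale)


def handle_request(cache: ResponseCache, client: str, ident: int, authenticator: bytes,
                   evaluate_policy: Callable[[], bytes]) -> Tuple[bytes, bool]:
    """Answer a retransmission from the cache; otherwise run the policy once and
    cache the reply.  Returns (reply, served_from_cache)."""
    cached = cache.lookup(client, ident, authenticator)
    if cached is not None:
        return cached, True
    reply = evaluate_policy()
    cache.store(client, ident, authenticator, reply)
    return reply, False
```

The timeout should be a little longer than the NAS retransmission interval and no longer than necessary: cached Access-Accepts are replayed to anyone who can resend the exact original packet, so a long timeout on an untrusted network widens that window.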
Table 4-11 lists the configurable entities of this panel.
Table 4-11 Diameter Properties panel–Properties
Diameter Address: Sets the listen addresses for Diameter requests. This value is a comma separated list of address:port values. If the address is omitted, it is assumed to be *.
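The Dynamic Authentication Addresses, Diameter Address and Administration Address properties all use the same address:port list notation. The parser below, an added example rather than 8950 AAA code, applies the two rules the text gives (omitted address means *, omitted port means the property's default) and then reports which ports are bound on every interface, which is the thing to check before a dynamic-authorization or Diameter listener goes into production. The 3799 default is the page's; the default port passed for other properties, the hostname rule and the rejection of IPv6 literals are the example's own assumptions.

```python
"""Parser for the comma separated address:port lists used by the listener
properties described on the page.  Added example, not 8950 AAA code."""
import ipaddress
from typing import List, Tuple

DYNAMIC_AUTH_DEFAULT_PORT = 3799   # stated on the page (RFC 5176 CoA/Disconnect port)


def _valid_hostname(host: str) -> bool:
    # Assumption for the example: dotted labels of letters, digits and hyphens.
    return all(label and label.replace("-", "").isalnum() for label in host.split("."))


def parse_listen_addresses(value: str, default_port: int) -> List[Tuple[str, int]]:
    """Return (address, port) pairs in the order entered.

    Accepted item forms: "host:port", "host", ":port", "*:port", "*".
    Empty items are skipped.  IPv6 literals are not handled (the page does not
    describe them); an item with more than one ':' is rejected so that "::1"
    cannot be misread as an empty host and a port."""
    listeners: List[Tuple[str, int]] = []
    for raw in value.split(","):
        item = raw.strip()
        if not item:
            continue
        if item.count(":") > 1:
            raise ValueError(f"unsupported address form {item!r}")
        host, _, port_text = item.partition(":")
        host = host.strip() or "*"                       # omitted address means "*"
        port = int(port_text) if port_text.strip() else default_port
        if not 1 <= port <= 65535:
            raise ValueError(f"port out of range in {item!r}")
        if host != "*":
            try:
                ipaddress.IPv4Address(host)              # literal address
            except ValueError:
                if not _valid_hostname(host):
                    raise ValueError(f"bad host in {item!r}") from None
        listeners.append((host, port))
    return listeners


def exposed_everywhere(listeners: List[Tuple[str, int]]) -> List[int]:
    """Ports bound to "*" (all interfaces): review these before deployment."""
    return sorted({port for host, port in listeners if host == "*"})


if __name__ == "__main__":
    cfg = parse_listen_addresses("*:3799, 10.1.2.3, :1812", DYNAMIC_AUTH_DEFAULT_PORT)
    print(cfg, exposed_everywhere(cfg))
```

A listener on port 3799 accepts Disconnect-Request and CoA-Request packets from any configured client, so binding it to a management-side address rather than * keeps the blast radius of a leaked client secret to the network that can reach that address.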
Table 4-11 Diameter Properties panel–Properties (continued)
Device Watchdog Rate: The AAA Transport Profile (RFC 3539) defines a heartbeat mechanism for maintaining connection state through the periodic exchange of Device-Watchdog messages between two peers in the connected state.
TACACS+ Properties Panel
To go to the TACACS+ Properties panel, click the TACACS+ Properties option in the Policy Server data pane menu on the left side. The Terminal Access Controller...
Attribute Properties Panel
To go to the Attribute Properties panel, click the Attributes option in the Policy Server data pane menu on the left side. The Attribute Properties panel is displayed...
Requests Properties Panel
To go to the Requests Properties panel, click the Requests option in the Policy Server data pane menu on the left side. The Radius Request Properties panel is...
Table 4-14 Radius Request Properties panel–Properties
Automatically Check Leftovers: Yes or No option. If enabled, the policy server rejects a request if there are check items left unchecked after the policy has run.
The first property below lists all valid delimiters for splitting the User-Name attribute. The delimiters are evaluated in the order they are entered. The User-Name is searched character by character from left to right for a match, and the split is made at the first occurrence of the delimiter.
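The splitting rule above, worked through on a few constructed names. This is an added example and not 8950 AAA code; it assumes the reading that delimiters are tried in the configured order and the name is cut at the leftmost occurrence of the first delimiter that is present at all. Which side of the cut is the realm is a convention the page does not state, so `realm_of` applies the common one (user@realm, realm/user) and is labelled as an assumption.

```python
"""User-Name splitting on configured delimiters.  Added example, not product
code; the evaluation order is the interpretation described in the lead-in."""
from typing import NamedTuple, Optional


class SplitName(NamedTuple):
    left: str
    delimiter: Optional[str]   # None when no configured delimiter is present
    right: Optional[str]


def split_user_name(user_name: str, delimiters: str) -> SplitName:
    """Cut at the leftmost occurrence of the first delimiter (in configured
    order) found anywhere in the name; later occurrences stay in `right`."""
    for delimiter in delimiters:             # order entered = order evaluated
        pos = user_name.find(delimiter)      # leftmost occurrence only
        if pos != -1:
            return SplitName(user_name[:pos], delimiter, user_name[pos + 1:])
    return SplitName(user_name, None, None)


def realm_of(user_name: str, delimiters: str) -> Optional[str]:
    """Realm under the usual conventions "user@realm" and "realm/user"
    (assumed for the example; the page does not state which side is the realm)."""
    parts = split_user_name(user_name, delimiters)
    if parts.delimiter == "@":
        return parts.right
    if parts.delimiter in ("/", "\\"):
        return parts.left
    return None


if __name__ == "__main__":
    for name in ("alice@example.com", "corp/bob@example.com", "a@b@c", "plain"):
        print(name, split_user_name(name, "@/"), split_user_name(name, "/@"))
```

The last two calls in the test show why the order matters: the same User-Name `corp/bob@example.com` yields the realm `example.com` with delimiters `@/` and `corp` with `/@`, and the realm is what decides which policy or proxy target handles the request. Pick the order deliberately and keep it identical on every server in a proxy chain.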
Figure 4-16 Policy Server–Timeout Properties Panel
The Timeout Properties panel specifies the configuration values for the Policy server timeouts. A timeout is the amount of time to wait before an action is taken. Hold the mouse pointer over each option to display how it is used by the server.
Table 4-16 Timeout Properties Panel–Properties
Default Challenge Timeout: Default challenge timeout. A duration whose default time unit is seconds.
Default Challenge Timeout Linger: Default challenge timeout linger. A duration whose default time unit is seconds.
Table 4-17 lists the configurable entities of this panel.
Table 4-17 Advanced Properties Panel–Properties
Max Plug-ins in Method Chains: Specifies the maximum number of plug-in invocations for ISPs. The default is 100.
About the Universal State Server tab The Universal State Server (USS) is an in-memory database optimized to track network- resource usage. It interacts with the 8950 AAA server to maintain usage counts and enforce resource limits within the network. The Universal State Server tab allows you to configure the entities in the Universal State Server.
Managing 8950 AAA Servers: Universal State Server tab
Figure 4-18 Universal State Server Properties Panel
USS Panel
When you click the Universal State Server tab, the Universal State Server properties panel is displayed by default, as shown in Figure 4-18.
Table 4-18 Universal State Server Panel–Properties
Key Separator: Specifies the character that separates the key into two parts for the creation of secondary indices. This character must not appear in the values used to construct the key (that is, the NAS-IP-Address and NAS-Port).
Figure 4-19 Universal State Server Replication Panel with HA-USS tab
The HA-USS tab in the Universal State Server Replication panel specifies the values for configuring the high-availability (replicated) universal state server (HA-USS).
Table 4-19 Universal State Server Replication Panel–HA-USS tab properties
Use Secure Connections: Yes or No option. Specifies whether to use secure connections (SSL) for registry connections and for communications between the primary and secondary state servers.
Figure 4-20 Universal State Server Replication Panel with Advanced tab
The Advanced tab in the Universal State Server Replication panel specifies the advanced properties of the HA-USS. In most circumstances these properties do not need to be changed.
Table 4-20 Universal State Server Replication panel–Advanced tab properties
Minimum Flow Entries: Sets the minimum number of entries in the primary replication queue before plug-in flow control is enabled.
A table is displayed that lists the attributes to count and specifies the type of each attribute. Four action buttons are also displayed above the table that allow you to perform the...
Figure 4-22 Universal State Server–Indices
The Indices panel specifies the attributes for which the Universal State Server creates an index. The USS uses each index to track the resources of that attribute. Use the ‘index’ admin command in the Admin Interface panel to list the resources for a given attribute.
Figure 4-23 State Server version 2 Panel
The State Server version 2 panel specifies the values for configuring version 2 of the universal state server. Table 4-22 lists the configurable entities of this panel.
Managing 8950 AAA Servers: Configuration Server tab
Table 4-22 State Server version 2 panel properties
Idle Ack Rate: When the remote ack rate per heartbeat interval drops below this limit, a prepared reconciliation is started.
Merge Pool Size: Specifies the number of threads servicing inbound replication.
Figure 4-24 Configuration Server Panel
The Configuration Server panel specifies the properties used by the configuration server, which the Server Management Tool uses to configure a server from a remote location. These properties are loaded each time the configuration server starts.
Table 4-23 lists the configurable entities of this panel.
Table 4-23 Configuration Server Panel properties
Administration Address: Specifies the TCP/IP address on which the Admin interface listens for connections. The address is in the form of a hostname (or “*”) followed by a colon, followed by the port...
The server uses the source IP address or domain name of the data packet to locate client information stored in a special 8950 AAA file called the clients file. The clients file is maintained using the Clients panel of the SMT. Messages from unknown clients are logged and then discarded.
• Important! Do not add client entries for remote servers that only receive requests forwarded by the 8950 AAA server; add such an entry only if that remote server also sends requests directly to this server. Every entry in the clients file is a source whose packets the server will accept and process, so unnecessary entries only widen the set of hosts that can submit requests.
Using the SMT to Configure Clients
This section describes how to configure an 8950 AAA client. The specific procedure that follows lists the steps to modify an existing client using the Server Management Tool.
Page 99
The following sections in this chapter explain each of these tabs in detail. Using the Client/Peers SMT Action buttons The Client/Peers menu bar also consists of a set of Action Buttons that appear at the top of the 8950 AAA client/peer panel, as shown in Figure 5-2.
The secret key shared between the 8950 AAA server and the client. The shared secret must be entered exactly the same way on both the 8950 AAA server and the client. Errors in entering the secret key are one of the most common causes of 8950 AAA configuration problems.
Configuring 8950 AAA Client Properties: The Radius Clients tab
Using the Radius Client Properties tab to add a record. The Radius Client Properties tab allows you to add a record and enter information in the required fields, as shown in Figure 5-4.
Table 5-2 Radius Client Properties
Field Name: Description
Authentication Timeout: Specifies the time, in milliseconds, that the Policy server waits before it discards authentication requests. This overrides the Client Timeout value for authentications only.
5-5. Figure 5-5 The Lucent Clients Dialog–Add record panel. This panel allows you to select the type of Alcatel-Lucent client. Select the required client, select the configuration options for that type of client, and click OK. The appropriate predefined client class is selected.
Configuring 8950 AAA Client Properties: The Diameter Peers tab
Figure 5-6 The Client Classes and Attributes dialog–Add record panel
3. This panel allows you to select the Client Classes and Attributes from a list of Predefined Client Classes, add a Custom Client Class, or select/add an Attribute and value from the list.
Table 5-3 Client/Peers SMT–Diameter Peers tab Properties
Column Name: Description
Admin State: The state of the Diameter server.
Transport Layer Security (TLS): Used to secure the Diameter server.
Figure 5-7 The Peer Properties panel. Table 5-8 explains each of these fields and the field descriptions.
Figure 5-8 Peer Properties panel–Properties
Field Name: Description
Peer Name: Specifies the name of the peer.
Configuring 8950 AAA Client Properties: The TACACS+ Clients tab
Using the Client Classes & Attributes tab in the Peer Entry panel. The Client Classes & Attributes tab is one of the tabs in the Peer Entry panel. This panel allows you to perform the following actions using the action buttons:
• Insert a record
...
Figure 5-9 The TACACS+ Client Properties panel. Table 5-10 explains each of these fields and the field descriptions.
Figure 5-10 TACACS+ Client Properties panel–Properties
Field Name: Description
Client IP Address or Host: Specifies the domain name, IP address, range of IP addresses, or CIDR block of addresses.
Configuring 8950 AAA Client Properties: The Client Classes tab
1. The Insert a record action button displays the Client Classes and Attributes panel. This panel allows you to select the Client Classes and Attributes from a list of Predefined Client Classes, add a Custom Client Class, or select/add an Attribute and value from the list.
Figure 5-12 The Client Class Properties panel–Properties tab. This panel has four tabs, as follows:
• Properties tab
• Protocol Specific tab
• Custom tab
• Comment tab
Using the Properties tab in the Client Class Properties...
Table 5-5 Client Classes tab information
Field Name: Description
Dictionary: Specifies the dictionary name to use for this client class definition.
Dictionary for Authentication: Specifies the dictionary to use for authentication requests.
Using the Protocol Specific tab in the Client Class Properties. To configure the Protocol Specific properties of a Client Class, click the Protocol Specific tab in the Client Class Properties panel. The Protocol Specific tab is displayed...
Figure 5-14 The Client Class Properties–Properties tab information
Field Name: Description
TAOS Port Normalization: Specifies how to get the real NAS port number out of the NAS port info. This should only be used if your NASs are running TAOS.
Diameter Charset: Specifies the default character set to use for character-based Diameter AVP values that lack a defined encoding.
Figure 5-15 The Client Class Properties–Custom tab. The Attribute Properties panel allows you to specify an 8950 AAA attribute and its value. Select the attribute, then specify a value. Use the description to help with specifying the value.
Action in the entry. Using the SMT to Configure the Realm Routing Table. This section describes how to configure an 8950 AAA Realm Routing Table. The specific procedure that follows lists the steps to configure or modify an existing Realm Routing Table using the Server Management Tool.
Figure 6-2 The 8950 AAA SMT–Realm Routing Table panel. The Realm Routing Table panel (Figure 6-2) contains a menu bar that consists of a set of Action Buttons that appear at the top of the panel.
Configuring 8950 AAA Realm Routing Table Properties: Configuring Realm Routing Table
• Delete selected record
• Delete all records
• Make a copy of selected record
• Move selected record up
• Move selected record down
You can perform any of the required actions using these action buttons.
• The Route Properties. This is used to specify the properties of the route once a match is found using the above criteria.
Table 6-1 Route Entry Properties...
Using the SMT to retrieve files from a remote server. This section describes how to configure an 8950 AAA server to retrieve files from a remote server. This is typically used to have one centralized location for configuration files. You must specify which files are retrieved for every Policy Server.
The Remote Configuration panel (Figure 7-2) contains two sections, each with its own set of Action buttons, as shown in Figure 7-2. The action buttons in the top section are used to configure the connections to remote configuration servers.
Configuring 8950 AAA Remotely: Remote Configuration
Figure 7-3 Remote Configuration–Action buttons in the top section. These action buttons allow you to perform the following actions:
• Insert a record
• Edit selected record
• Delete selected record
• Delete all records
...
Specifies the user name used to authenticate the connection to the hosts. The user name must exist in the 8950 AAA Operators on both the local server and the remote server. In addition, the passwords must match and be plain text.
Action buttons–Bottom Section. The action buttons in the bottom section are used to list the files to retrieve. You can retrieve files from more than one remote server. The bottom set of action buttons is shown in Figure 7-6.
Figure 7-7 The File Entry–Add record panel. Table 7-8 explains each of the fields that you need to specify in this screen.
Figure 7-8 File Entry Properties
Field Name...
Figure 7-9 The File Selection Wizard panel. This panel displays a list of the servers you have previously configured. Select a server from the list and click Next to select the remote files.
Figure 7-10 The File Selection Wizard panel. This panel displays a list of files from the selected server. The list on the right is the list of files that will be added. Select a file from the Remote File list and click the arrow buttons to add it to the Selected Files list.
Policy Flow Editor How to install the Policy Flow Editor You can elect to install the PolicyFlow Editor during the 8950 AAA installation process. If you see the PolicyAssistant in the Navigation Pane and do not see the PolicyFlow Editor, then the PolicyFlow Editor is not installed.
Figure 8-1. Figure 8-1 Navigation Pane–Policy Flow Editor option. The PolicyFlow Editor option in the Navigation pane. Result: The 8950 AAA PolicyFlow Editor panel is displayed as shown in Figure 8-2.
8 - 2 365-360-001R6.0 Issue 1, December 2008
Using the 8950 AAA Policy Flow Editor: Policy Flow Files
Figure 8-2 The 8950 AAA SMT–PolicyFlow Editor panel
Policy Flow Files Section. The Policy Flow Files section is the middle section of the PolicyFlow Editor panel.
Using the 8950 AAA Policy Flow Editor: Method Configuration
The other action button, -, allows you to delete the selected PolicyFlow file. Select the required PolicyFlow file from the drop-down list box and click the - action button. A pop-up window will ask you whether you are sure you want to delete the selected PolicyFlow file.
Important! To copy a method under a PolicyFlow file from another method file, right-click the Copy a method from another method file icon. Select the desired method from the PolicyFlow file list. The method is added to the selected PolicyFlow file.
Use the Timeout field to enter the timeout duration. Timeout specifies the maximum time that a particular plug-in may take before the error path is followed. Method On EAP Nak specifies the method to be invoked when the specified plug-in receives an EAP Nak from the client.
Figure 8-7 Method Configuration pane - Success Msg tab. Use the Method Properties tab to specify the properties of the chosen method, as shown in Figure 8-7. The Advanced tab allows you to specify additional properties for some of the methods...
Figure 8-9 Method Configuration pane - Success Msg tab. The PolicyFlow Topics tab gives a general description of the plug-ins, methods, and the PolicyFlow, along with their properties (see Figure 8-5).
Using the 8950 AAA Policy Flow Editor: Method Dispatch Section
Figure 8-10 Method Configuration pane - Success Msg tab
Method Dispatch Section. The Method Dispatch section is the top section of the PolicyFlow Editor panel. It is used to determine how to route requests to the PolicyFlows that are defined in the bottom section.
• Assign File and Method for selected row
You can perform any of the required actions using these action buttons. Important! Some of the necessary actions are available only with some of these buttons.
Figure 8-13 Method Dispatch Properties–Properties tab
Field Name: Description
Type: Specifies the packet type.
Code: Specifies the code point of the packet type.
Method File: Specifies the name of the method file that contains the method that starts processing the PolicyFlow.
Purpose This chapter discusses the process of how to use, configure, and create necessary entities for the PolicyAssistant in the 8950 AAA Server Management Tool. This chapter describes how to use the PolicyAssistant and Policy Wizard to create and access Policies.
Installing the PolicyAssistant How to install the Policy Assistant You can elect to install the PolicyAssistant during the 8950 AAA installation process. If you see the PolicyFlow Editor in the Navigation Pane and do not see the PolicyAssistant, then the PolicyAssistant is not installed.
Preparing to Create Your First Policy. Opening the PolicyAssistant. The following sections describe how to configure the 8950 AAA PolicyAssistant. As explained earlier in Chapter 3, “Server Management Tool Command Set,” only one of the Policy functions, either the PolicyFlow Editor or the PolicyAssistant, can be operated at a time.
The following sections walk you through the primary functions addressed by the Policy Wizard. Your first objective as an 8950 AAA administrator is to determine the components of your policy: how your network stores user profiles (user source), authenticates users (authentication source), applies access rules, sets session parameters, and processes accounting data.
Using the 8950 AAA Policy Assistant in Server Management Tool: Using the Policy Wizard
Figure 9-3 Policy Name Panel in the Policy Wizard. Enter a Policy Name for this policy that describes the configuration it represents. A policy name helps you organize multiple policies. Examples of good policy names might be: Dial-Access-Policy, Wi-Fi-Policy, Proxy-Users, Sales-Department, etc.
• RADIUS User Files 8950 AAA supports the use of traditional RADIUS user files. RADIUS user files are uniquely formatted text files. The Server Management Tool enables you to create and manage these files without the need to understand or implement the formatting rules.
Use this option if users are stored in an LDAP directory as inetOrgPersons, as defined in RFC 2798.
Microsoft Active Directory: Microsoft Active Directory should only be used as a user source when 8950 AAA is not running on a Windows platform.
Windows Security Access Manager: The Windows Security Access Manager (SAM) system option is only available when 8950 AAA is running on a Windows platform.
Your password or shadow files must be formatted in standard UNIX password file format (for a full description, see the UNIX password man page, section 4 or 5). The 8950 AAA server requires you to place the user’s name in column one of the file. Passwords, if included, may be encrypted with DES, MD5, or SHA1.
Figure 9-5 Authentication Access Requests Panel in the Policy Wizard. To determine a method for authenticating users, select an Authentication Type from the list that appears within the Authentication Types pane, as shown in Figure 9-5.
Table 9-1 Authentication Types
Option: Description
Plain Text Password: Verifies that the password in the user profile matches the password in the user request. Passwords must be in plain text format.
Windows Security Access Manager: Uses Windows NT or Security Access Manager (SAM) to verify the password in the user request. This option is only supported on Microsoft Windows platforms.
Reject All Request: Automatically rejects the request. Typically used to disable access for a Policy.
EAP Authentication: EAP Authentications are typically used in conjunction with the Ethernet 802.1x...
If you choose Discard Accounting Information, then accounting data will not be saved. If you choose to save your accounting data to a file, enter the File Name. 8950 AAA creates the file when accounting activity is initiated by a RADIUS request. 8950 AAA...
By default, if you choose to save accounting data to an SQL database, the PolicyAssistant uses the built-in 8950 AAA database. Accounting records can be managed by using the Database Tools panel. If you want to forward your accounting data to a remote server, select Proxy Accounting Information.
another user, for example, user4@myisp.com, now attempts to log on, the 8950 AAA server rejects the access request. In this case, user4’s session would exceed the Policy limit, even though the session would not have exceeded the User Session Limit.
Understanding and Creating Attribute Sets About Attribute Set 8950 AAA uses two key actions during Access-Request processing to authorize users and configure user sessions upon successful authentications: performing authorization checks and session provisioning. Attributes contain the information used to support these actions.
The 8950 AAA server supports session provisioning by returning reply attributes to the NAS upon a successful authentication. Reply attributes, stored in an attribute set, or possibly a user profile, provide additional parameters the NAS needs to complete an access request.
Protocol attribute set to “SLIP” the NAS should drop the session. With the 8950 AAA PolicyAssistant it is possible to define attribute sets that apply to all users of a policy. This means that individual user profiles need only contain a user name and password.
Using the 8950 AAA Policy Assistant in Server Management Tool: Adding Attribute Sets to Your Policy
Adding Attribute Sets to Your Policy. About adding Attribute sets. This section covers the use of the Policy Wizard to create attribute sets and assumes that...
Using the 8950 AAA Policy Assistant in Server Management Tool: Creating Attribute Sets
Creating Attribute Sets. The following procedure lists the steps to create or edit an Attribute Set:
1. To edit an existing attribute set, select its name from the scroll list. To define a new set, click the Insert a record button.
Figure 9-12 Attribute Properties Panel
a. Select an attribute from the Attributes list and enter or select an appropriate Value. Important! If you also have verification attributes in a user profile, in case of conflicts the attribute setting from the user profile is applied.
Figure 9-13 Items to Verify Tab of the Attribute Sets Panel
4. Click the Items Sent Back to NAS tab to add reply attributes for this policy.
Using the 8950 AAA Policy Assistant in Server Management Tool: Defining a Failure Mode
Figure 9-14 Items Sent Back to NAS tab of the Attribute Sets Panel
6. Click OK to close the Attribute Sets panel and return to the Attribute Set for Policy panel in the Policy Wizard.
Table 9-3 Attribute Set Options
Option: Description
Continue without the Attribute Set: Continue processing the request, but without the attributes from the Attribute Set. If authentication and authorization are successful, the Access-Request is sent.
After creating a policy, you must decide how to route incoming requests to a specific policy. 8950 AAA enables you to use a realm name or a DNIS number to identify the correct policy for your users. For example, you may need to group corporate users by the domain they belong to or the access number they dial when traveling.
Using the 8950 AAA Policy Assistant in Server Management Tool: Using the PolicyAssistant
access to your network. A policy is a set of rules the Policy server uses to determine how users are authenticated, how access is authorized and configured, and how accounting data is stored.
• Delete all records
• Make a copy of selected records
• Move selected record up
• Move selected record down
These action buttons allow you to perform the appropriate actions.
For example, if the phone number 555-1212 is associated with the realm foo.net and a user eileen@gato.com dials 555-1212 to connect to the network, the 8950 AAA server treats the user as though they were in the foo.net realm, ignoring the gato.com realm. The server searches for the user profile in the source defined for the foo.net realm.
1. To add a new Realm or DNIS, click the Insert a record action button. The Realm and DNIS Limits panel is displayed as shown in Figure 9-19.
This concludes the use of the PolicyAssistant to create policies and realms. Click Save to store the changes to your policies. If the 8950 AAA server is running and you have made changes to your policies, Realms or DNIS Limits, USS Settings, and Cisco PEAP, click Reload to store your changes and update the active server files.
• Automatic Password Detection–Defines the password format types that can be automatically detected by 8950 AAA.
• User Profile Options–Defines the options that 8950 AAA can read from the Auth-Type attribute in the user’s profile.
• Tunneled EAP–Defines tunneled EAP types that the PolicyAssistant can process if...
Using the 8950 AAA Policy Assistant in Server Management Tool: Advanced Authentication Options
Table 9-4 Advanced Authentication Option
Tab/Group/Option: Description
– MD5: Detect passwords using MD5 format
– Salted MD5: Detect passwords using Salted MD5 format
– MD4: Detect passwords using MD4 format
–...
– UNIX/Linux SHA: Detect passwords using UNIX/Linux SHA format
• External Authentication: Use information from an external source as specified in the Auth-Type attribute
–...
– TTLS with Generic Token Card: Allow TTLS with Generic Token Card tunnel type installed
– Generic Token Card...
On the Authenticating Access Requests panel (Figure 9-5), if you selected the option Allow Any of the Following, then, after clicking Advanced Authentication Options, the Advanced Authentication Options window appears as shown in Figure 9-20.
Figure 9-21 Advanced Authentications Options–Tunneled EAP tab Options. Transports tab option. Click the Transports tab and the following panel is displayed, as shown in Figure 9-22.
Advanced options panel. It is possible for 8950 AAA to read multiple attribute sets during the processing of a single user request. This might be the case if there was an Attribute Set defined in the User Profile and another set defined for the policy.
Using the 8950 AAA Policy Assistant in Server Management Tool: Advanced Attribute Set Options
The User Profile is read first, then the policy set is read. If an attribute is defined in both Attribute Sets, the first assignment read takes precedence. That is, the attribute definition from the User Profile would be the one used in the Access-Accept response.
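A compact model of two rules this chapter describes, policy selection by DNIS or realm (the eileen@gato.com example) and the user-profile-first precedence between attribute sets, written here as an added Python example; it is not code from the 8950 AAA product or this manual, and the routing table, attribute names and values are constructed sample data.

```python
"""Added example, not code from the 8950 AAA manual or product: a small model of
two PolicyAssistant rules described in this chapter.

* Policy selection by realm or DNIS: a called number (DNIS) mapped to a realm
  overrides the realm in the user name, so eileen@gato.com dialling 555-1212 is
  handled by the foo.net policy.
* Attribute-set precedence: the user profile's set is read before the policy's,
  and for an attribute defined in both the first assignment read wins. The same
  rule is applied here to check items (Items to Verify) and reply items (Items
  Sent Back to NAS).
* "Continue without the Attribute Set": a policy with no attribute set is
  processed with the user-profile attributes only.

Routing table contents, attribute names and values are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Attrs = Dict[str, str]


@dataclass
class AttributeSet:
    check_items: Attrs = field(default_factory=dict)  # Items to Verify
    reply_items: Attrs = field(default_factory=dict)  # Items Sent Back to NAS


@dataclass
class Policy:
    name: str
    attribute_set: Optional[AttributeSet]  # None: no set defined for this policy


@dataclass
class RoutingTable:
    dnis_to_realm: Dict[str, str]        # called number -> realm
    realm_to_policy: Dict[str, Policy]   # realm -> policy
    default_policy: Optional[Policy] = None


def split_realm(user_name: str) -> Tuple[str, Optional[str]]:
    """'eileen@gato.com' -> ('eileen', 'gato.com'); no '@' -> (user_name, None)."""
    user, sep, realm = user_name.partition("@")
    return user, (realm.lower() if sep else None)


def select_policy(table: RoutingTable, user_name: str,
                  dnis: Optional[str] = None) -> Tuple[Optional[Policy], Optional[str]]:
    """Pick the policy for a request. A DNIS that maps to a realm wins over the
    realm carried in the user name; returns (policy, realm_used)."""
    _, user_realm = split_realm(user_name)
    realm = table.dnis_to_realm.get(dnis, user_realm) if dnis else user_realm
    policy = table.realm_to_policy.get(realm) if realm else None
    return (policy or table.default_policy), realm


def merge_first_wins(first: Attrs, second: Attrs) -> Attrs:
    """Combine two attribute sets; an attribute present in both keeps the value
    from `first`, which is the set read first."""
    merged = dict(first)
    for name, value in second.items():
        merged.setdefault(name, value)
    return merged


def authorize(request: Attrs, profile_set: AttributeSet,
              policy: Policy) -> Tuple[bool, Attrs, List[str]]:
    """Apply the check items, then assemble the Access-Accept reply attributes.

    Returns (accepted, reply_attributes, failed_checks). The user-profile set is
    read first, so on conflict its values override the policy's.
    """
    policy_set = policy.attribute_set or AttributeSet()  # continue without the set
    checks = merge_first_wins(profile_set.check_items, policy_set.check_items)
    failed = [n for n, wanted in checks.items() if request.get(n) != wanted]
    if failed:
        return False, {}, failed
    return True, merge_first_wins(profile_set.reply_items, policy_set.reply_items), []


# Constructed sample configuration mirroring the text's example.
CORPORATE = Policy("Corporate-Policy", AttributeSet(
    check_items={"NAS-Port-Type": "Async"},
    reply_items={"Service-Type": "Framed-User", "Framed-Protocol": "PPP",
                 "Session-Timeout": "3600"}))
GATO = Policy("Gato-Policy", None)  # no attribute set defined for this policy
TABLE = RoutingTable(dnis_to_realm={"555-1212": "foo.net"},
                     realm_to_policy={"foo.net": CORPORATE, "gato.com": GATO})


if __name__ == "__main__":
    policy, realm = select_policy(TABLE, "eileen@gato.com", dnis="555-1212")
    print(policy.name, realm)  # Corporate-Policy foo.net
    profile = AttributeSet(reply_items={"Session-Timeout": "600"})
    print(authorize({"NAS-Port-Type": "Async"}, profile, CORPORATE))
```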
The Universal State Server (USS) and Universal State Server version 2 (USSv2). The Universal State Server (USS) is an in-memory database optimized to track network-resource usage. It interacts with the 8950 AAA Server to maintain usage counts and enforce resource limits within the network.
Figure 10-1. Figure 10-1 Navigation Pane–USSv2 Configuration option. The USSv2 Configuration option in the Navigation pane. Result: The 8950 AAA USSv2 Configuration panel is displayed as shown in Figure 10-2.
The USSv2 Configuration panel (Figure 10-2) contains two sections, each with its own set of Action buttons, as shown in Figure 10-2. The action buttons in the top section are used to configure State Servers. The action buttons in the bottom section are used to configure the Replicated Servers.
Configuring 8950 AAA USSv2: USSv2 Configuration
To insert a record, click the action button. The StateServer Configuration panel is displayed as shown in Figure 10-4. This panel allows you to add a StateServer and its type, as shown in Figure 10-4.
Figure 10-6 USSv2 Configuration–Action buttons in the Replicated Servers section. These action buttons allow you to perform the following actions:
• Insert a record
• Edit selected record
• Delete selected record
• Delete all records
...
Table 10-3 USSv2 Replicated Server Configuration Properties
Field Name: Description
Server Address: Specifies the IP address of the server. If not specified, the default port is 9199.
Replicated Server Timeout: Specifies the amount of time the replication queue is kept active after a replicated server has gone down.
Operators Overview Purpose This chapter provides information about defining administrator access to 8950 AAA. It defines different administrator roles and functions. It also provides information on how to use the SMT Operators panel. The following topics are included in this chapter:...
Configuring 8950 AAA Operators: Administering the 8950 AAA System
There are four basic types of administrators for an 8950 AAA system, as follows:
Table 11-1 8950 AAA–Types of Administrators
Type of Administrator: Description
Administrative User: This is the System Administrator specified during installation.
8950 AAA Operators Panel
8950 AAA Operators. To set up the account for the Admin User or a System Operator, select 8950 AAA Operators from the SMT Navigation Pane, as shown in Figure 11-1.
Figure 11-1 Navigation Pane–8950 AAA Operators option...
Properties Tab. Use the fields on the Properties tab to specify values used by the 8950 AAA servers that permit access to each server. Any changes to these values will be reflected the next time you start the 8950 AAA servers. By default, the Properties tab attributes are displayed in the...
The Operators tab of the 8950 AAA Operators panel lists the individual System operators who are allowed to access the 8950 AAA servers. Operators may be modified or added using the action or control buttons on the top of the panel.
Page 192
The options are described in Table 11-6 on page SNMP V3 Users The SNMP V3 Users tab in the 8950 AAA Operators panel specifies the SNMP version 3 operators. SNMP operator(s) information can be modified or added using the action or control buttons on the top side of the panel.
Page 193
Configuring 8950 AAA Operators 8950 AAA Operators Panel .................................................... Figure 11-4 8950 AAA Operators–SNMP V3 Users tab panel 1. There are a set of action buttons on the top of this panel as shown in Figure 11-5. Figure 11-5 Action buttons panel 2.
Page 194
Configuring 8950 AAA Operators 8950 AAA Operators Panel .................................................... Figure 11-6 Operators Properties–SNMP V3 User Properties panel 3. The SNMP V3 User Properties panel has two tabs, the User Properties tab and the Comment tab. 4. Enter the SNMP User properties in the User Properties tab.
Page 195
RADIUS server. The RADIUS Authentication tab panel allows you to do this. In the 8950 AAA Operators Panel, Figure 11-2, click on the RADIUS Authentication tab. The 8950 AAA Operators–RADIUS Authentication tab panel is displayed as shown in Figure 11-7. (page 11-9, 365-360-001R6.0...)
Figure 11-7 8950 AAA Operators–RADIUS Authentication tab panel. Table 11-5 describes the fields/attributes and their descriptions in the RADIUS Authentication tab. Table 11-5 Radius Authentication Tab Attributes (Access Type / Description). Authentication Address...
Adding an Operator. How to add an Operator: The following procedure lists the steps for creating a new System Operator. 1. From the list of action buttons at the top of the panel, as shown in...
6. To create a text comment for this System Operator, select the Comments tab, click the mouse pointer within the text area, and enter the comment. 7. Click OK to save and return to the 8950 AAA Operators panel. Click Cancel to return without saving.
Figure 11-9. Each access rule consists of three components: • Access Type defines the type of 8950 AAA object to which this rule applies. • File, Command, or Rule Pattern names the object or objects to which this Access Rule...
Table 11-7 Access Rules–Access Type Component (Access Type / Description). Role Access Type: Controls access to Remote Method Invocation (RMI). Generally applies to SMT access permissions to the RADIUS and state servers, and to access by the HAUSS during replication.
Figure 11-11 Access Item Configuration Dialog–Command Access Type. As described above for File Pattern, enter a value for Command Pattern using either a name, a limited wildcard pattern, or the button to the right of the field.
How to modify a System Operator: The following procedure lists the steps for changing the attributes of a System Operator. 1. From the Operators tab on the 8950 AAA Operators panel, select the operator to be modified. 2. Double-click the operator or select the Edit selected record panel control button.
Figure 11-13 Modifying a System Operator. 3. Modify the existing User name, Password, or Authentication Type. 4. Modify any rule by selecting it and double-clicking the rule, or by clicking the Edit selected record action button that appears at the top of the list of access rules.
Configuring 8950 AAA Operators, Modifying a System Operator (page 11-18). 365-360-001R6.0 Issue 1, December 2008
Configuring Simple Address Manager. Overview. Purpose: This section discusses the tools that are used for the configuration and management of address pools by the Simple Address Manager. Simple Address Manager provides dynamic address pool management. The following topic is included in this chapter: Simple Address Manager Configuration, page 12-1. Simple Address Manager Configuration...
Figure 12-2 Simple Address Manager Panel. The Simple Address Manager contains three tabs: • Pool Configuration • Currently Leased Addresses • Pool Statistics. Pool Configuration tab: The Simple Address Manager panel with the Pool Configuration tab selected is shown in Figure 12-4.
• Move selected record down. Figure 12-4 Simple Address Manager: Pool Configuration tab. Click on the action button. The Address Pool Configuration panel is displayed as shown in Figure 12-4. This screen allows you to add records to the Address Pool Configuration.
Currently Leased Addresses tab: Figure 12-6 displays the Simple Address Manager panel with the Currently Leased Addresses tab selected. This screen displays the details of IP addresses that have been leased. Figure 12-6 Simple Address Manager–Currently Leased Addresses tab. Table 12-1 describes the different attributes/properties of the leased IP address.
Pool Statistics tab: Figure 12-7 displays the Simple Address Manager panel with the Pool Statistics tab selected. This screen displays the available addresses for each pool. Figure 12-7 Simple Address Manager–Pool Statistics tab. Table 12-2 describes details of the pool to which the leased IP address belongs.
Configuring USS Address Manager. Overview. Purpose: This section discusses the tools that are available for the configuration and management of address pools of 8950 AAA, using the Universal State Server. The following topics are included in this chapter: USS Address Manager Configuration, page 13-1. USS Address Manager Configuration...
• Toggle the activation of the selected pool (not seen for the Pool Selector tab). Using the Pool Configuration tab in the USS Address Manager Panel: The USS 8950 AAA Address Manager panel with the Pool Configuration tab selected is shown in Figure 13-4.
Figure 13-4 USS Address Manager–Pool Configuration tab. On the USS Address Manager panel, click the Pool Configuration tab. Click on the action button. The Pool Configuration panel is displayed as shown in Figure 13-2.
Figure 13-5 USS Address Manager–Pool Configuration Panel. In the lower portion of the Pool Configuration panel there is a Range panel. Use the Range panel to specify the range of IP addresses. On the Range panel, click on the action button.
Using the Pool Selectors tab in the USS Address Manager Panel: The USS Address Manager panel with the Pool Selector tab selected is shown in Figure 13-7. Figure 13-7 USS Address Manager–Pool Selector Panel. On the USS Address Manager panel, click the Pool Selector tab.
Figure 13-8 USS Address Manager–Pool Configuration Panel. Enter the Pool Selector Name and select the required allocation scheme. The pool name is displayed in the Pool Name field. Click OK to add the record. The added record is displayed in Figure 13-7.
Part II: Stats Collecting Navigation Pane. Overview. Purpose: This part consolidates the chapters related to Configuration Tools in the SMT Navigation pane. Contents: This part includes the following chapters. Chapter 14, “Stats Collector”, 14-1. Chapter 15, “Configuring Reports”, 15-1.
Overview The collector is the part of 8950 AAA that collects statistical information about various parts of 8950 AAA. The Collector has Groups, which are listed on the left. Each group contains a list of statistics that you can enable.
Stats Collector Panel. About the Stats Collector Panel: The Stats Collector panel provides the ability to monitor the following aspects of 8950 AAA server operations: • Add, Modify, or Delete Client/Peer IP information • Enable or Disable instances ...
The right section has two parts. • The top portion displays information about the selected group/item. It allows you to add, modify, or delete client/peer IP instance information, to change the interval for these instances, and to enable or disable these instances.
(Name / Description). Save: Saves the information in the 8950 AAA database. Reload: Reloads the Stats Collector information to the 8950 AAA database. Close: Closes the Stats Collector panel. Using the Stats Collector Action buttons: The action buttons at the top of the right side of the Stats Collector panel allow you to...
6. To disable the selected instance or to disable all the instances in the selected group, click on the Disable button. It gives you an option to either disable the selected instance/entry or to disable all the instances/entries in the group. Choose the required option.
The Configure Reports panel provides the ability to configure and generate reports from the statistical data collected by the 8950 AAA. The Reports Configurator is the part of 8950 AAA that allows you to create reports for data collected by the 8950 AAA.
Configuring Reports. The Configure Reports Panel. Figure 15-2 Configure Reports Panel. The Configure Reports panel (Figure 15-2) contains five columns and a set of Action Buttons that appear at the top of the screen, as shown in Figure 15-3. Figure 15-3 Configure Reports Panel–...
1. To insert a record, click the Add a record action button. The Configure Report panel is displayed as shown in Figure 15-4. This panel allows you to add a record/report and enter the information required to configure a report, as shown in Figure 15-4.
Use the buttons at the bottom of the screen to select or deselect the listed variable(s). They are described in Table 15-2. Table 15-2 Configure Reports Panel–Buttons (Name / Description). Select All: Selects all the displayed variables. Deselect All: Deselects all the displayed variables.
Figure 15-5 Report Panel–Chart tab. This panel has two tabs. The Chart tab shows the report in graphical format, as shown in Figure 15-5. The Raw Sample Data tab shows the report in sequenced format, as shown in Figure 16-6.
Part III: Logging Tools Navigation Pane. Overview. Purpose: This part consolidates the chapters related to Logging Tools in the SMT Navigation pane. Contents: This part includes the following chapter. Chapter 16, “Message Logging”, 16-1.
Message Logging Overview Purpose The 8950 AAA Server Management Tool allows the user to manage how and when a server can log messages. This section describes the messages and how to control message logging. The following topics are included in this chapter:...
For example: 2005/02/24 09:10:57.760 • Area: The functional area of the 8950 AAA software that generated the message. Usually, this information follows the timestamp and is contained within angle brackets (< >). For example: <nr.setup> • Level ...
Server Log Messages. • The Log Rules panel defines the basic criteria that 8950 AAA uses to determine which messages to log and the channel to which the message should be logged. Figure 16-1 Logging Tools Section in the Navigation Pane. The following sections provide more information on the panels, their components, and their functionality.
Figure 16-2 Server Log Messages Panel. The messages displayed are the log messages the Policy Server uses when reporting information such as errors, warnings and informational messages. You can edit the Message portion. However, the Name field should not be changed because it is the key the server uses to look up the message in the file.
To insert a record, click on the action button. The Message Entry panel is displayed as shown in Figure 16-3. This panel allows you to add a Log Message entry and its corresponding properties, as shown in Figure 16-3.
Log Channels. About Log Channels: When 8950 AAA is first installed, all log messages are sent to the policy.log file. However, log messages can be directed to a wide range of other output destinations. Some destinations that can be used for log channels include, but are not limited to: • Files ...
LogToFile. When 8950 AAA is first installed, LogToFile is the only configured log channel. LogToFile sends messages to the file policy.log, which is in the 8950 AAA directory. On the left side of the Log Channels panel there is a list of log channel configurations.
Configuring a Log Channel: The following procedure defines the steps of the built-in wizard that configures a log channel. 1. Select the action button. Result: The Log Channel Configuration panel appears, showing the first screen of the configuration panel, as shown in Figure 16-6.
Figure 16-7 Log Channel Configuration Panel–Output Types. 3. Select the required Output Type. The description of the selected Output Type is displayed in the Description section of the panel. Click Next to define the properties of the channel.
Name of an alternate channel to use if an error is encountered while writing to this channel. 8950 AAA cannot determine if a Syslog server is responding. If syslog is your default output channel, you might wish to define a redundant channel using a local file as the destination.
8950 AAA: Starting server initialization. Format Area: This checkbox controls whether 8950 AAA includes the log area in the log message. The log area is the part of the 8950 AAA server which logged the message. For example, <nr.setup> is the log area in ...
Table 16-4 Destination/Output Options (Field Name / Description). Checked exception: Error conditions that 8950 AAA is able to check for and knows how to handle. These are normal operational errors that can occur in the 8950 AAA server. Four options are available to define the amount of information to include in a log message about a checked exception.
Table 16-4 Destination/Output Options (Field Name / Description), continued. Char Set: Defines the character set the 8950 AAA Server uses when encoding the log message. Character sets that are available for selection: • 8859_1 • UTF8 • ...
7. Click Back to modify any values or Finish to return to the Log Channels panel. 8. Click Save to store your channel configurations to the server. Click Close to remove the panel. Log Channel additions and changes take effect the next time you start the 8950 AAA server. Log Channel Configuration Panel Tabs...
Figure 16-10 Log Channel Configuration Panel–Documentation Tab with File (No Switching) properties. The remainder of this section shows the Properties and Advanced tabs for each log channel destination/output type, with descriptions of each field. Exec: The Exec destination executes an external process.
File (No Switching): 8950 AAA writes the log messages to a file. The contents of the log file are plain text. This type does not allow any file switching, which means that it will continue to write to the same file.
File with Size Based File Switching: 8950 AAA writes the log messages to a file. 8950 AAA switches the log file it writes to when a user-specified file size is reached. The contents of the 8950 AAA log file are plain text.
Important! For more information, please see “Notes on the Naming of Time Based Files” on page 21. Size: Sets the size at which the log file is changed by the 8950 AAA server. Example: where is the size specified in this...
File with Time Based File Switching: The 8950 AAA server writes the log messages to a file. 8950 AAA switches the log file it writes to when a specified time interval is reached. Options are hourly, daily, weekly, monthly, or you can specify a custom time interval. The contents of an 8950 AAA log file are plain text.
Figure 16-15 File with Time Based File Switching–Properties Tab. Table 16-8 explains the fields and the field descriptions that you will specify in this screen. Table 16-8 File with Time Based File Switching–Properties tab Fields (Field Name / Description). Sets how often the log file is switched (the...
“Notes on the Naming of Time Based Files” on page 21 Notes on the Naming of Time Based Files As described previously, 8950 AAA writes to a log file with the following name format: <prefix> + <pattern> + <suffix> <prefix>...
An appropriate title which describes the process. Multiple Log Outputs: The 8950 AAA server sends log messages to a list of channels for processing. This allows you to send a particular log message to more than one output. This can be used instead of using multiple channels with log rules.
Each channel controls the formatting of the message. SNMP Trap The SNMP Trap destination type allows 8950 AAA to write log messages to an SNMP version 1 management system. The messages are sent as SNMP Traps. The Properties tab is shown in Figure 16-18.
Figure 16-18 SNMP Trap–Properties Tab. Table 16-11 explains the fields and the field descriptions that you will specify in this screen. Table 16-11 SNMP Trap–Properties tab fields (Field Name / Description). Community: Sets the SNMP v.1 community string.
Table 16-11 SNMP Trap–Properties tab fields (Field Name / Description), continued. Server Address: Defines the host/IP of the SNMP management system. The Server Address is in the format host:port. Example: 127.0.0.1:162. Figure 16-19 SNMP Trap–Advanced Tab. Table 16-12 explains the fields and the field descriptions that you will specify in this screen.
SQL Database: The Database channel writes log messages to a SQL compliant database. Each 8950 AAA log message is represented by a row (record) in the database table. Every log message in 8950 AAA contains the following pieces: Timestamp, Thread, Area, Level, Message, and a Java Stacktrace.
This is an optional field; the data type is varchar. Standard Output or Standard Error: When logging to Standard Out or Standard Error, 8950 AAA sends log messages to the system file descriptor for standard_output (stdout) or standard_error (stderr). If stdout or stderr is not redirected, messages will appear in the same command window in which 8950 AAA was started.
Because of this, the log channel defined in the On-Error field will only be used for errors that occur within the 8950 AAA server. The Properties and Advanced tabs are displayed in...
The default is auth. Priority: Defines the priority applied to all messages logged by 8950 AAA. Example: alert. The default is , which converts 8950 AAA log levels to Syslog severity levels.
Example: 8950 AAA. The default is . Format Host Name: Determines whether the hostname of the host on which the 8950 AAA server is running is included in the message sent to the Syslog server. The default is unchecked (the hostname is not included).
The character set to be used for the log message. Trash: The Trash Channel causes the 8950 AAA server to silently discard the log message. The Trash destination is typically used for excluding certain log output by temporarily dropping output that results from a Log Rule.
Log Area The Log Area is a limited wildcard pattern (see note below) used to indicate a program area. 8950 AAA is divided into several program areas. Each 8950 AAA program area performs a specific function. For example, accessing external files, request queue management, request decoding, command execution, plug-in execution, etc.
Log Rules - Definition and Use In 8950 AAA, Log Rules define the conditions under which messages will be logged and the Log Channel or Channels to which the messages will be sent. To display the Log Rules panel, select Log Rules from the Navigation Area, as shown in Figure 16-25.
The list is divided into three sections: • Active Log Rules: Log Rules currently in effect in the running 8950 AAA server. This choice cannot be selected when the 8950 AAA server is not running. • Startup Log Rules: A set of Log Rules that are loaded automatically whenever 8950 AAA starts.
Table 16-17 Parts of a Log Rule (Log Rule Field / Description). Area: 8950 AAA server program area for which this log rule is used. Request: Indicates whether this log rule affects all RADIUS requests or only RADIUS requests that match a defined pattern.
16-28. Figure 16-28 Log Rule Configuration Wizard–Log Area. 5. In this step you will select the 8950 AAA Log Area to which this rule will apply. Pick one of the following three options: • Match All Areas: If selected, this rule will apply in all 8950 AAA Log Areas.
16-29. Figure 16-29 Log Rule Configuration Wizard–Matching Rule. 7. In this step you may define a matching rule to test the value of 8950 AAA PolicyFlow variables. • Match All Radius Requests: All RADIUS requests will be considered for logging ...
8. When done, click Next. Result: The next panel of the Log Rule Configuration Wizard appears, for setting the value of the level field of the log rule that is being defined, as displayed in Figure 16-30. 9.
Regular Expression syntax. The Regular Expression is matched against the text content of the log message. This is different from the Expression entered in step 3, which was matched against 8950 AAA PolicyFlow variables. Select one of the two available options: • Any Message: indicates that there is no restriction on the log message ...
Figure 16-32 Log Rule Configuration Wizard–Continue Processing 13. In this step, you define what 8950 AAA will do following execution of this Log Rule. By default, 8950 AAA examines the Log Rules in the Active Rule Set starting with the first rule and works down through the last rule until it finds a Log Rule that matches all of its criteria (Log Area, Expressions, Log Level, etc.) After a matching rule has been...
Figure 16-33 Log Rule Configuration Wizard–Message Destination. 15. In this final step you will select the Log Channel or Log Channels to which log messages should be sent. One or more items may be selected from the list as follows: Table 16-18 Log Channel Selection. To select one Log Channel: Click the Log Channel name...
Figure 16-34 Log Rule Configuration Wizard–Completion. 17. This step provides a way to verify the Log Rule information. Verify the data and click < Back to modify any of the previous screens, or click Finish when you are complete.
Follow these steps to move a log rule to a different position within the Active Log Rules list: 1. Select the log rule entry that is to be moved. 2. Click the up or down arrow button enough times to move the log rule entry to the desired location.
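The rule evaluation and channel dispatch this chapter describes (Active Log Rules examined top to bottom, first full match wins unless Continue Processing is set; limited wildcard match on the Log Area; optional regular expression over the message text; Multiple Log Outputs; On-Error fallback channel; Trash) can be modelled in a few dozen lines. The following is an added Python example, not 8950 AAA's own code. The level names and their ordering, the rule-level semantics (a rule logs its level and anything more severe), the channel names and the sample messages are all assumptions constructed for the example.

```python
import fnmatch
import re
from dataclasses import dataclass
from typing import List, Optional

# Severity order used by this example (most severe first). The level names
# and ordering are an assumption; the page does not list 8950 AAA's levels.
LEVELS = {"error": 0, "warning": 1, "info": 2, "debug": 3}


@dataclass
class LogMessage:
    timestamp: str   # e.g. "2005/02/24 09:10:57.760"
    area: str        # program area, written as <nr.setup> in the log line
    level: str
    text: str


@dataclass
class LogRule:
    area_pattern: str              # limited wildcard; "*" = Match All Areas
    max_level: str                 # log this level and anything more severe (assumed)
    message_regex: Optional[str]   # regex over message text; None = Any Message
    channels: List[str]            # Log Channel names (Message Destination step)
    continue_processing: bool = False  # keep evaluating later rules after a match

    def matches(self, msg: LogMessage) -> bool:
        if not fnmatch.fnmatchcase(msg.area, self.area_pattern):
            return False
        if LEVELS[msg.level] > LEVELS[self.max_level]:
            return False
        if self.message_regex is not None and not re.search(self.message_regex, msg.text):
            return False
        return True


class Channel:
    """A log channel with an optional On-Error fallback channel name."""
    def __init__(self, name: str, on_error: Optional[str] = None):
        self.name, self.on_error = name, on_error

    def write(self, msg: LogMessage) -> None:
        raise NotImplementedError


class FileChannel(Channel):
    """Stands in for a file output such as LogToFile; keeps lines in memory."""
    def __init__(self, name, on_error=None):
        super().__init__(name, on_error)
        self.lines: List[str] = []

    def write(self, msg):
        self.lines.append(f"{msg.timestamp} <{msg.area}> {msg.level}: {msg.text}")


class BrokenChannel(Channel):
    """A destination whose write failure is detectable by the server."""
    def write(self, msg):
        raise OSError(f"{self.name}: destination unavailable")


class TrashChannel(Channel):
    """Trash: silently discard the message."""
    def write(self, msg):
        pass


class MultiOutputChannel(Channel):
    """Multiple Log Outputs: forward to each listed channel in turn."""
    def __init__(self, name, targets: List[str]):
        super().__init__(name)
        self.targets = targets


def deliver(name, msg, channels, delivered, depth=0):
    """Write to one channel; on a detected error fall back to its On-Error channel."""
    if depth > 8:            # guard against an On-Error cycle
        return
    chan = channels[name]
    if isinstance(chan, MultiOutputChannel):
        for target in chan.targets:
            deliver(target, msg, channels, delivered, depth + 1)
        return
    try:
        chan.write(msg)
        delivered.append(name)
    except OSError:
        if chan.on_error is not None:
            deliver(chan.on_error, msg, channels, delivered, depth + 1)


def dispatch(msg, rules, channels):
    """Evaluate rules top to bottom; return the channels that accepted the message."""
    delivered: List[str] = []
    for rule in rules:
        if not rule.matches(msg):
            continue
        for name in rule.channels:
            deliver(name, msg, channels, delivered)
        if not rule.continue_processing:
            break
    return delivered


def demo():
    # Constructed configuration and messages (not from the page).
    channels = {
        "LogToFile": FileChannel("LogToFile"),
        "Audit": FileChannel("Audit"),
        "RemoteSyslog": BrokenChannel("RemoteSyslog", on_error="LogToFile"),
        "Trash": TrashChannel("Trash"),
        "FileAndAudit": MultiOutputChannel("FileAndAudit", ["LogToFile", "Audit"]),
    }
    rules = [
        LogRule("nr.*", "info", r"initialization", ["RemoteSyslog"], continue_processing=True),
        LogRule("*", "warning", None, ["FileAndAudit"]),
        LogRule("*", "debug", None, ["Trash"]),
    ]
    msgs = [
        LogMessage("2005/02/24 09:10:57.760", "nr.setup", "info", "8950 AAA: Starting server initialization"),
        LogMessage("2005/02/24 09:11:02.104", "nr.radius", "error", "Shared secret mismatch for client 10.0.0.5"),
        LogMessage("2005/02/24 09:11:02.110", "pf.method", "debug", "Method aaa entered"),
    ]
    routes = {m.text: dispatch(m, rules, channels) for m in msgs}
    return {"routes": routes, "LogToFile": channels["LogToFile"].lines, "Audit": channels["Audit"].lines}
```

In the demo, the startup message matches the first rule, the RemoteSyslog write fails, and the message lands in LogToFile through On-Error; because that rule has Continue Processing set, the catch-all Trash rule still runs. The error message skips the first rule on its regular expression, hits the warning-level rule and is written to both file outputs through the Multiple Log Outputs channel, after which evaluation stops. Note the caveat from the On-Error description above: a UDP syslog destination that simply never answers raises no error the server can see, so the fallback in this model only fires for failures the server can actually detect, which is why the chapter recommends a redundant local file channel.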
Part IV: Monitoring Tools Navigation Pane. Overview. Purpose: This part consolidates the chapters related to Monitoring Tools in the SMT Navigation pane. Contents: This part includes the following chapters. Chapter 17, “Server Statistics”, 17-1. Chapter 18, “Using LiveAdministrator”, 18-1.
17-31. Monitoring Server Statistics. About Monitoring Server Statistics: There are two panels that are used for viewing the activity of the 8950 AAA Server. They are located under the SMT Navigation Area, under Monitoring Tools. They are: • The Server Statistics Panel ...
About the Server Statistics Panel: The Server Statistics panel provides the ability to monitor the following aspects of 8950 AAA server operations: • Requests to and responses from the 8950 AAA server • Requests and responses to 8950 AAA from other servers ...
“Diameter Statistics” on page 9: Total number of Diameter packets processed. “Memory Usage” on page 10: Amount of memory used by 8950 AAA and the Java Virtual Machine (JVM). “Proxy Authentication” on page 12: Counts / percentages based on request status for Access-Requests forwarded to other servers.
Request queue size, maximum value, and high water mark. “Server Threads” on page 27: Status of currently running threads. Screens that Monitor RADIUS Requests Sent to the 8950 AAA Server: This section describes the following four screens: • Authentication Requests ...
The Total columns group displays the total count for the row since the last server reset. The Interval columns group displays changes in counts since the last interval update. The update interval was set as shown in Figure 17-3.
Table 17-4 Authentication Statistics Counters (Counter / Description of the Packet). Duplicate: The number of Access-Request packets that matched another request which was already in the request queue (no response was sent for the duplicate request). Invalid: The number of packets received from unknown clients.
Figure 17-4 Server Statistics–Accounting Requests. The columns are used in the same way as with authentication requests (Table 17-2). The requests are sorted according to accounting disposition, as described in Table 17-5. Table 17-5 Accounting Disposition (Disposition / Description of the Packet). Requests...
The screen also displays a performance monitor. This is a graph that displays the number of packet samples (horizontal scale) against packets per update interval (vertical scale). The graph can show up to four types of accounting request based on disposition. Select or clear the appropriate checkbox to control this display.
Table 17-6 Radius Items–Tabulated Items (RADIUS Item / Description). Average Milliseconds / Packet: Average (mean) amount of time taken to process a packet. Minimum Milliseconds: Least amount of time spent processing a single packet. Maximum Milliseconds: Greatest amount of time spent processing a single packet.
(Due to errors in any of the attributes). Memory Usage: This screen provides information regarding the amount of memory used by the 8950 AAA server and the Java Virtual Machine (JVM). Memory is expressed in kilobytes. Data is displayed within a table and a graph that shows memory usage over time.
In the table, the Memory column shows total memory used by the Java Virtual Machine (JVM) and the amount of memory currently in use by the 8950 AAA within the JVM. The values in the Interval Change column are updated with each interval update. It shows the amount of change, if any, that occurred during the last update interval.
Proxy Authentication: The Proxy Authentication screen displays information regarding authentication requests that have been sent to other servers for processing. Proxy authentication requests are categorized according to status or disposition. Figure 17-8 Server Statistics–Proxy Authentication. As with other screens, this screen displays two groups of columns labeled Total and Interval.
The screen also contains a performance monitor which displays the number of packet samples (horizontal scale) over time, per update interval (vertical scale). Proxy Accounting: The Proxy Accounting screen displays information regarding accounting requests that are sent to servers other than the 8950 AAA server.
Figure 17-9 Server Statistics–Proxy Accounting. As with other screens, this screen displays two groups of columns labeled Total and Interval. They display numerical values as follows: • The Total columns display statistics about all packet types received by other servers. ...
Select or clear the appropriate checkbox to control this display. Pending Proxy Requests: This screen is used to keep track of authentication and accounting requests that have been sent to other servers and for which the 8950 AAA server is waiting for status. It is shown in Figure 17-10.
This screen is used to track the time required for proxy authentication and proxy accounting requests to return to the 8950 AAA server. The time measurement starts when the request is sent and ends when the response is received. It is shown in Figure 17-11.
Figure 17-11 Server Statistics–Proxy Roundtrip Times. Data is expressed both in tabular form and through performance monitors, one for proxy authentication requests and one for proxy accounting requests. The screen contains two columns as follows: • Round Trip Time: Total time spent waiting for responses to proxy authentication ...
Sessions: The State Server Sessions screen is used to monitor the 8950 AAA Universal State Server (USS). It contains three tabs and one performance monitor, as shown in Figure 17-13. To the USS, a network session is an occupied port on a specific client. A session is defined by a series of RADIUS requests that pertain to the particular port and client.
Figure 17-13 Server Statistics–Sessions
It contains three columns used for displaying tabular data for the three types of sessions. They are described in Table 17-10.
Table 17-10 State Server–Sessions Tab properties
Total  Total number of sessions of each type since the State
Figure 17-14 Server Statistics–Requests
It provides tabular data about the different requests made to the State Server. Data is arranged in two columns labeled Total and Interval. They display numerical values as follows:
• The Total column displays a count of packets since server initialization.
Figure 17-15 displays the Replication screen.
Figure 17-15 Server Statistics: Replication
Data is displayed in columns and through a performance monitor (graph). There are two columns:
• The Total column displays the count of replicated sessions since server initialization.
Figure 17-16 Server Statistics–State Changes
State Events
Every session reports server events through the 8950 AAA Server Statistics. Below is an example of how the events are presented. There are two tabs, State Change Total and State Changes in Last Interval (see
Figure 17-17 Server Statistics–State Events
Screens that Monitor State Server Activity
This section describes the following two screens:
• Methods: #auto
• Methods: aaa
Each screen provides the ability to monitor the methods that are called during PolicyFlow processing.
Execution passed to the method, if any, named in the Method-On-Fail control property.
Accept  Method forced an immediate Accept in the 8950 AAA packet engine.
Reject  Method forced an immediate Reject in the 8950 AAA packet engine.
Important! One method invocation can produce entries in more than one column. For example, a method that results in a Time-out also counts as an Error, as well as being counted in the Total column. The following sections show each of the four tabs on the Methods: #auto screen and the Methods: aaa screen.
Methods: #auto
Figure 17-18 Server Statistics–Methods: #auto
Methods: aaa
Figure 17-19 Server Statistics–Methods: aaa
Screens that Monitor Internal Server Processing
This section describes the following two screens:
• Server Queues
17-26 365-360-001R6.0 Issue 1, December 2008
Server Threads
A thread is a unit of execution that can run concurrently with other threads. At any given time, the 8950 AAA server executes multiple threads. The Server Threads screen (Figure 17-21) displays information about threads that are currently running.
State  State of the thread.
Figure 17-21 Server Statistics–Server Threads
Sessions/Counters/Indices Panel
The Sessions/Counters/Indices panel monitors three properties of the 8950 AAA Universal State Server (USS): sessions, counters, and indices.
For example, if the counter for User-Name=axrippa is 2, there are two active sessions on the network for which User-Name=axrippa. Counters may be used to enforce PolicyFlow resource limit policies on the 8950 AAA server. To display the Sessions/Counters/Indices panel, use the SMT Navigation Pane to select
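To make the session and counter semantics concrete, here is an added example (Python, not 8950 AAA code) that models a state server: it keys each session on the (NAS-IP-Address, NAS-Port) pair the text calls an occupied port, keeps a per-User-Name counter, and uses that counter to enforce an assumed PolicyFlow-style limit of two concurrent sessions per user. The request records and the limit are constructed for the demonstration.

```python
"""Toy Universal State Server: session tracking and per-user counters.

Added example, not 8950 AAA code. A session is an occupied (NAS, port)
pair; a counter such as User-Name=axrippa is the number of active
sessions carrying that User-Name. The request records are constructed.
"""
from collections import Counter

MAX_SESSIONS_PER_USER = 2   # assumed resource-limit policy, not a product default


class StateServer:
    def __init__(self):
        self.sessions = {}             # (nas_ip, nas_port) -> User-Name
        self.user_counter = Counter()  # User-Name -> active session count

    def _close(self, key):
        """Forget the session on this port, if any, and decrement its counter."""
        user = self.sessions.pop(key, None)
        if user is not None:
            self.user_counter[user] -= 1
            if self.user_counter[user] <= 0:
                del self.user_counter[user]

    def handle(self, req):
        """Process one RADIUS request; return 'Accept', 'Reject' or 'Ack'."""
        key = (req["NAS-IP-Address"], req["NAS-Port"])
        user = req["User-Name"]
        if req["Code"] == "Access-Request":
            # Resource-limit policy: refuse a login that would exceed the cap.
            if self.user_counter[user] >= MAX_SESSIONS_PER_USER:
                return "Reject"
            return "Accept"
        status = req["Acct-Status-Type"]
        if status == "Start":
            # A port holds one session: a Start on an occupied port replaces
            # the stale entry (for example after a lost Accounting-Stop).
            self._close(key)
            self.sessions[key] = user
            self.user_counter[user] += 1
        elif status == "Stop":
            self._close(key)
        # Interim-Update changes nothing in this model.
        return "Ack"


def access_request(user, nas_ip, port):
    return {"Code": "Access-Request", "User-Name": user,
            "NAS-IP-Address": nas_ip, "NAS-Port": port}


def acct(user, nas_ip, port, status):
    return {"Code": "Accounting-Request", "User-Name": user,
            "NAS-IP-Address": nas_ip, "NAS-Port": port,
            "Acct-Status-Type": status}


# Constructed request sequence for the demonstration (not captured traffic).
DEMO_REQUESTS = [
    acct("axrippa", "10.0.0.1", 1, "Start"),
    acct("axrippa", "10.0.0.1", 2, "Start"),
    access_request("axrippa", "10.0.0.2", 7),   # third session: over the cap
    acct("axrippa", "10.0.0.1", 1, "Stop"),
    access_request("axrippa", "10.0.0.2", 7),   # now within the cap
    acct("bob", "10.0.0.1", 2, "Start"),        # port 2 reused: axrippa's stale session ends
]


def run_demo():
    """Return the decision for each request and the final counter table."""
    uss = StateServer()
    decisions = [uss.handle(r) for r in DEMO_REQUESTS]
    return decisions, dict(uss.user_counter)


if __name__ == "__main__":
    print(run_demo())
```

A Start on a port that is already occupied ends the previous session first; that is how a lost Accounting-Stop is recovered. Without that rule the counter would only ever grow and eventually lock the user out.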
Table 17-17 Sessions/Counters/Indices–Sessions tab
Use Refresh to update the NAS and Session key list. Click Send Stop to stop (inactivate) the selected NAS and Session key. Use Refresh Entry to update the state server entries. The state server entry attributes are described in Table 17-18.
Click Browse Selected Index to select other IP addresses.
USS Address Statistics Panel
The USS Address Statistics panel monitors the address statistics of the 8950 AAA Universal State Server (USS). The USS addresses are created and maintained by the USS. The address pool is configured using the USS Address Manager panel.
Figure 17-26 USS Address Statistics Panel
Table 17-19 Pools
Pool Name  Name of the pool.
Active     State of the pool (active or not).
Total      Total addresses in the pool.
Free       Number of free addresses in the pool.
Used       Number of used addresses in the pool.
Using LiveAdministrator
Overview
Purpose
This section provides information about the 8950 AAA LiveAdministrator and some of the terms that you will encounter when working with the 8950 AAA product. The following topics are included in this chapter:
8950 AAA LiveAdministrator 18-2
8950 AAA LiveAdministrator
Use the LiveAdministrator panel to manage, diagnose and control an operational 8950 AAA server. LiveAdministrator provides a graphical user interface that enables the following:
• Display of server settings
Live Administrator panel and is displayed as shown in Figure 18-2. This screen displays read-only information about the 8950 AAA server. Some of the fields are described in Table 18-1.
Table 18-1 Live Administrator–General Info properties
Version        Version number of the 8950 AAA Server Management Tool (SMT).
Host           Name of the host system.
Running Since  Time and date when the server was last started.
OS Version     The operating system (OS) version.
Figure 18-3 LiveAdministrator Panel–License Information
The work area on the right side displays license information about 8950 AAA. Click the Copy Properties to Clipboard button to copy all entries to the clipboard, then open a text file and paste the clipboard contents into it.
System Information
The work area on the right side displays system information about 8950 AAA. Click the Copy Properties to Clipboard button to copy all entries to the clipboard, then open a text file and paste the clipboard contents into it.
Table 18-2 Live Administrator–Garbage Collection properties
Used   Amount of JVM memory currently in use by 8950 AAA.
Total  Amount of memory available to the JVM.
This screen contains two buttons for managing memory. Click the Run Garbage Collection button to have the JVM reclaim memory that the server no longer uses.
Figure 18-6. This screen lists the files that have been read and are currently in use by the 8950 AAA server. Selecting a file displays its contents on the right side of the work area.
Admin Scripts
About Admin Scripts
Select Admin Scripts to display the corresponding work area as shown in Figure 18-7. This work area lists a wide range of administrative files used by the 8950 AAA server.
• A message appears in the lower window of the work area displaying the results of the script execution.
• If the list of script files available to 8950 AAA has changed, click the Update File List button to refresh the list.
• Important! Decide carefully before removing an entry. There is no confirmation request and there is no undo operation; the only recovery is to restart the 8950 AAA server.
• To update the list of properties, click the Refresh button.
Figure 18-9 LiveAdministrator–Cache Entries
There are two sets of action buttons in this screen. The first set has two buttons, which allow you to add a cache entry or refresh the list. The second set, at the top of the panel, allows you to perform the required actions.
Figure 18-10 LiveAdministrator–Peer Control
There are four buttons in this screen that allow you to set the Activity State as required.
• To set the Activity State to Down, click the Set Down button.
• To set the Activity State to Auto, click the Set Auto button.
Figure 18-11 LiveAdministrator–Advanced
This screen allows the user to execute arbitrary administrator interface commands. The commands are entered in a text field in the top section of the work area and then sent to the server for execution. Commands may be typed directly into the text field or selected from the Admin Commands window shown in Figure 18-12. Because these commands act directly on the running server, access to this screen should be limited to trusted operators.
Figure 18-12 LiveAdministrator–Admin Commands
There are two buttons at the bottom of the Commands window of Figure 18-11. The Clear button removes all text from the text area. The History button displays a pop-up window (Figure 18-13) containing commands that have been entered through this interface.
Part V: File Tools Navigation Pane
This part consolidates the chapters related to File Tools in the SMT Navigation pane.
Contents
This part includes the following chapters:
Chapter 19, “Creating and Managing User Profiles with Files” 19-1
Chapter 20, “8950 AAA Dictionary Editor” 20-1
Chapter 21, “Managing files” 21-1
Chapter 22, “8950 AAA Certificate Manager”
(often referred to as Reply-Items) in the user profile. In 8950 AAA, however, this is usually done with Attribute Sets. The information 8950 AAA uses for authentication and authorization may come from a single source, or may combine data collected from several sources into a single logical user profile.
The User File
An 8950 AAA user file is a text file that contains user profiles for users authorized to access your network. A user file contains one or more profile entries. Each entry is indexed by an index key. The User-Name is typically used as the index key, but it is also possible to create entries indexed by other data: real name, DNIS (dialed number), realm, and so on.
Figure 19-1 User File Configuration Dialog in the PolicyAssistant
If the file you named does not exist, the PolicyAssistant creates an empty file for you. Besides having the PolicyAssistant create a new user file, you can also create and maintain user files through the SMT User Files panel.
1. Select User Files from the File Tools folder on the Navigation pane. The User Files panel appears as shown in Figure 19-2.
Figure 19-2 The User Files panel
Important! Note that the panel title is simply User Files and no file name is listed;
Figure 19-4 The User Files panel
Figure 19-5 User File List: List All Files
Important! The SMT identifies a file as a user file if it is located in the run directory and the file name contains either *users* or *usr*.
Figure 19-6 New User File Dialog
2. Enter a name for the new user file in the New File dialog.
3. Click OK to return to the User Files panel and load the new file.
Adding a New User
The following procedure describes how to add a new user to a user file:
1.
By definition, something that can be encrypted can also be decrypted. To check a hashed password, 8950 AAA takes the password entered by the user and hashes it with exactly the same calculation that was used to hash the password stored in the user profile, then compares the two results.
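The following added example (Python, not 8950 AAA code) shows that check over a small user file. It parses a constructed key = value user-file syntax (the real 8950 AAA syntax is not shown on this page), stores one profile's password in clear and another's as a salted SHA-256 hash (an assumed scheme), and verifies a submitted password by recomputing the same hash and comparing digests in constant time. On success it returns the profile's reply items, the session-provisioning data described later in this chapter.

```python
"""Verify a submitted password against a user-file profile.

Added example, not 8950 AAA code. The user-file syntax is constructed for
illustration: an unindented line starts a profile with its index key
(User-Name) followed by check items, indented lines hold reply items.
Hashed passwords use salted SHA-256, an assumed scheme.
"""
import hashlib
import hmac
import os


def hash_password(password, salt=None):
    """Return 'salt$hexdigest' for storage in a profile."""
    salt = salt or os.urandom(8).hex()
    digest = hashlib.sha256((salt + password).encode()).hexdigest()
    return f"{salt}${digest}"


# Constructed sample user file: steve keeps a cleartext Password,
# axrippa keeps only the hash of "hunter2" under Password-Hash.
SAMPLE_USER_FILE = (
    'steve   Password = "s3cret"\n'
    '        Session-Timeout = 3600\n'
    f'axrippa Password-Hash = "{hash_password("hunter2", "c0ffee")}"\n'
    '        Framed-Protocol = PPP\n'
)


def _item(text):
    """Split 'Name = "value"' into (name, value) with quotes removed."""
    name, _, value = text.strip().partition("=")
    return name.strip(), value.strip().strip('"')


def parse_user_file(text):
    """Return {index_key: {"check": {...}, "reply": {...}}}."""
    profiles, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0].isspace():                 # indented: reply item
            name, value = _item(line)
            profiles[current]["reply"][name] = value
        else:                                 # new profile: key, then check items
            current, _, rest = line.partition(" ")
            profiles[current] = {"check": {}, "reply": {}}
            for item in rest.split(","):
                name, value = _item(item)
                profiles[current]["check"][name] = value
    return profiles


def verify(profiles, username, password):
    """Check the password the user sent; return (ok, reply items to provision)."""
    prof = profiles.get(username)
    if prof is None:
        return False, {}
    check = prof["check"]
    if "Password-Hash" in check:
        # Hash the submitted password with the stored salt and the same
        # calculation, then compare digests in constant time.
        salt, _, stored = check["Password-Hash"].partition("$")
        candidate = hash_password(password, salt).partition("$")[2]
        ok = hmac.compare_digest(candidate.encode(), stored.encode())
    elif "Password" in check:
        ok = hmac.compare_digest(check["Password"].encode(), password.encode())
    else:
        ok = False
    return ok, (prof["reply"] if ok else {})


if __name__ == "__main__":
    users = parse_user_file(SAMPLE_USER_FILE)
    print(verify(users, "axrippa", "hunter2"))   # (True, {'Framed-Protocol': 'PPP'})
```

A hashed profile can only be checked when the client sends the password itself (PAP). CHAP and MS-CHAP need the server to hold the cleartext or a reversibly encrypted password, which is why the text distinguishes encrypted from hashed storage.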
Figure 19-9 User Files–List of Authentication Types
Important! This field is only available in Expert mode. If you are not in Expert mode, the Authentication Type attribute, if set, is visible only under the Items to Verify tab (see Figure 19-4).
Figure 19-10 User Files–List of User Names
3. Double-click the user name that corresponds to the desired user profile.
Result: The User Profile window appears as shown in Figure 19-11.
Figure 19-11 User Profile
Setting Verification Attributes for a User
You may assign verification attributes to a user’s profile so that the server performs additional authorization checks unique to this user. When using the PolicyAssistant this is normally not necessary.
Figure 19-12 Attribute Properties Dialog
4. Select an attribute from the Attributes list. Depending on the chosen attribute, the Value field is either a text field or a drop-down list of possible values.
5.
You may assign reply attributes to a user’s profile, and 8950 AAA will return these attributes to the NAS if the authentication and authorization steps are successful. This is referred to as session provisioning.
1. From the User Profiles window, click the Items Sent Back to Client tab to add reply attributes for this user, as shown in Figure 19-14.
Figure 19-14 User Profile–Items Sent back to NAS
2.
For example, to limit the session time to one hour, select the Session-Timeout attribute and enter 3600 in the Value field; or, on an Alcatel-Lucent NAS product, to identify a specific IP address pool from which addresses are assigned, select the Ascend-Assign-IP-Pool attribute and enter an appropriate value in the Value field.
Saving Changes to the User Profile
To make changes to the file permanent, click Save on the User Files panel. To apply the changes to the currently running 8950 AAA server, you must also click Reload on the User Files panel.
Important!
Creating an Attribute Set File
Attribute Sets
Attribute Sets are stored in RADIUS user files called users.templates. Attribute sets are also frequently called templates. The following procedure shows how to create a user file and add an attribute set to it.
8950 AAA Dictionary Editor
Overview
Purpose
This section provides information about the 8950 AAA Data Dictionary and some of the terms that you will encounter when working with the 8950 AAA product. The following topics are included in this chapter:
Accessing the Dictionary Editor Panel
Figure 20-2 8950 AAA Dictionary Editor Panel
The Dictionary Editor Panel
Use the Dictionary Editor panel to manage information about the vendors, attributes, and Diameter applications known to 8950 AAA. By default, the Vendors tab is displayed when the Dictionary Editor panel is opened.
The Vendor Specific Attribute (VSA) format.
Using the Vendors tab Action buttons
The Vendors tab also has a set of action buttons at the top of the 8950 AAA Dictionary Editor’s Vendors tab, as shown in Figure 20-2.
1. The Insert a record action button displays the Vendor Name dialog, as shown in Figure 20-4. This dialog allows you to add vendor information to the dictionary.
Figure 20-4 Dictionary Editor–Vendor Name Dialog
2.
The encoder and decoder used for the attribute.
Using the Attributes tab Action buttons
The Attributes tab also has a set of action buttons at the top of the 8950 AAA Dictionary Editor’s Attributes tab, as shown in Figure 20-5.
Figure 20-6 Attributes tab–Action buttons
These action buttons allow you to perform the following actions:
• Insert a record
• Edit selected record
• Delete selected record
• Delete all records
• Make a copy of selected record
1. The Insert a record action button displays the Attribute Properties dialog, as shown in Figure 20-7. This dialog allows you to add attribute information to the dictionary.
Figure 20-7 Dictionary Editor Panel–Attribute properties dialog
The Attribute Properties dialog has a set of tabs: Attribute, Values, Overrides, Aliases, and Subattributes.
Table 20-3 Dictionary Editor–Attributes of Attributes tab
Reject Ok  During RADIUS reject disposition processing, an attribute in the reply variable group that is not marked reply-ok = true is not included in the Access-Reject.
About the Diameter Applications tab
The Diameter Applications tab allows you to configure and manage the Diameter application details related to a vendor in 8950 AAA. To go to the Diameter Applications tab, click the Diameter Applications tab in the Dictionary Editor panel.
Using the Diameter Applications tab Action buttons
The Diameter Applications tab also has a set of action buttons at the top of the 8950 AAA Dictionary Editor’s Diameter Applications tab, as shown in Figure 20-8.
2. The Edit a selected record action button displays the Application Name dialog, as shown in Figure 20-10. It shows the selected application's information and allows you to edit it in the dictionary.
Managing files
Overview
Purpose
This section discusses 8950 AAA files and how to create and manage them using the File Manager panel. The following topics are included in this chapter:
The File Manager Panel 21-1
Tail panel 21-10
The File Manager Panel
Table 21-1 Navigation Pane–File Manager
Viewing File Attributes and File Content
As shown in Figure 21-1, the File Manager panel displays the following attributes of a file:
• Filename
• File size
• Date last modified
Figure 21-1 File Manager Panel
Many different types of files are handled by the 8950 AAA File Manager. The most commonly used files that would be of interest to an admin user are listed in Table 21-2.
Various settings for maintaining 8950 AAA system security. A GUI editor is available in the SMT for managing this data. You may also use the 8950 AAA Operators Panel in the SMT to manage this data.
security_users  A users file containing profiles for 8950 AAA admin users.
Global server settings. A GUI editor is available in the SMT for managing this data. You may also use the 8950 AAA Server Properties Panel in the SMT to manage this data.
smt.log  Messages logged from the SMT application.
Refreshes the File Manager panel.
Creating a New File
Click the New action button to create a file in the run directory. When the New 8950 AAA File dialog appears, as shown in Figure 21-3, enter a unique file name and click OK.
Figure 21-4 Editing a Plain Text File
• Property file, which opens the file in a Property File Editor panel. This GUI editor displays a set of properties and values. Selecting a value and clicking the edit button (or double-clicking the property name) opens a separate editor window in which the property name and/or value can be changed.
• User file, which opens the file in a User File panel. This editor option opens a file as a user file and uses the 8950 AAA SMT User Files GUI editor to edit the file. An example is shown in Figure 21-6.
Copy a File
Click Copy to copy the contents of the selected file to a new file. The Copy File dialog appears (Figure 21-7) requesting a name for the new file. To copy the file, enter the name and click OK.
The Tail panel lets the user perform a tail action, similar to the UNIX tail command, on 8950 AAA files. Tailing a selected file displays the last lines of that file and then shows new lines as they are appended to it, which is useful for watching a log file while the server is running.
Figure 21-11 Tail Panel
The Tail panel allows you to open an existing file from the list of 8950 AAA files.
2. To open existing file(s), click Open.
Result: The Configuration File List dialog is displayed, as shown in Figure 21-12.
Figure 21-13 Tail Panel–with opened file
4. You can Start or Stop, Pause, Clear, or Close the tail. Select the desired option.
5. Select Close to close the tail.
8950 AAA Certificate Manager
Overview
Purpose
This chapter discusses the 8950 AAA Certificate Manager, also known as aaa-cert. Root certificates generated with aaa-cert are self-signed. This means that, for a client or server to verify certificates signed by an aaa-cert root certificate, it must install that root certificate as a trusted certificate authority.
The root certificate's public key is used to verify the other (server and client) certificates signed by the root certificate. Server certificates are used by 8950 AAA to authenticate itself to remote clients. Server certificates are signed by a root certificate; to sign a server certificate, aaa-cert needs access to the root certificate and the private key associated with it.
• NR Access Level
Figure 22-2 File Manager Panel
Different types of files are used by the 8950 AAA Certificate Manager. There are seven action buttons at the top of the Certificate Manager panel, as shown in Figure 22-3.
Figure 22-3 Certificate Manager panel–Action buttons
These are described in Table 22-1.
Table 22-1 Certificate Manager Panel–Action buttons
Create certificate  Allows you to create a new certificate file and add it to the list of files.
Figure 22-4 Editing a Plain Text File
• Property file, which opens the file in a Property File Editor panel. This GUI editor displays a set of properties and values. Selecting a value and clicking the edit button (or double-clicking the property name) opens a separate editor window in which the property name and/or value can be changed.
• User file, which opens the file in a User File panel. This editor option opens a file as a user file and uses the 8950 AAA SMT User Files GUI editor to edit the file. An example is shown in Figure 22-6.
Copy a File
Click Copy to copy the contents of the selected file to a new file. The Copy File dialog appears (Figure 22-7) requesting a name for the new file. To copy
If you will be using EAP-TLS, you need a root certificate, a server certificate and one or more client certificates. Follow the procedures defined in the next section, “Procedures for Creating Certificates”.
Important! The ncert utility saves all certificate files in the 8950 AAA run directory.
Types of Certificates in Certificate Manager
About the Types of Certificates
The Certificate Manager allows you to create the different types of certificates and perform the operations described in Table 22-2.
Some additional properties of the certificate type (also shown in Figure 22-10) are explained in Table 22-3.
Table 22-3 Certificate Manager–Types of Certificate (Additional Properties)
Certificate Request
Figure 22-10 New Certificate Dialog–Certificate Type
2. Select the Certificate Type as Root and click Next.
Result: The Root Certificate Type–Subject and Duration dialog is displayed, as shown in Figure 22-11.
Important! If a file with that name already exists, it is overwritten; otherwise a new certificate file is created.
Result: The Root Certificate Type–Certificate Complete dialog is displayed, as shown in Figure 22-12.
Figure 22-13 Server/Client Certificate Type–Subject and Duration
3. Use this screen to specify the subject information for the certificate. The Common Name and Country fields are mandatory. Also specify the length of time the certificate is valid and the advanced properties of the certificate.
Result: The Server or Client Certificate Type–Certificate Files and Passwords dialog is displayed, as shown in Figure 22-15.
Figure 22-15 Server/Client Certificate Type–Certificate Files and Passwords dialog
5. Specify the certificate files and passwords. For the Root file and password, enter the file name and password you specified when creating the root certificate.
6. Click Finish to go back to the File Manager panel as shown in Figure 22-2.
Requesting a Certificate
This dialog generates a key pair and a PKCS #10 certificate request, which can be used to request a server certificate from a certificate authority.
Figure 22-18 Certificate Request Password dialog
4. Specify the password to use to encrypt the certificate request. Optionally, specify a file name in which to save the private key. Click Next.
Viewing an existing Certificate
This dialog allows you to select the type of certificate you want to create or view.
1. Click the Create Certificate action button.
Result: The New Certificate dialog appears, as shown in Figure 22-10.
Creating a Root Certificate
Important! Do not run this procedure if you already have a self-signed root certificate.
1. From the 8950 AAA bin directory enter the following: ./aaa-cert -gui
2. From the GUI select Root Certificate and click Next >
3. Enter a Common Name for your root certificate, for example, MyRootCert.
Creating a Server Certificate
You must have a server certificate for certain EAP types, for example EAP-TLS, EAP-TTLS and EAP-PEAP.
1. If the aaa-cert GUI is not open, from the 8950 AAA bin directory, type: ./aaa-cert -gui
2. From the GUI select Server Certificate and click Next >
Rather than using aaa-cert to generate a root certificate, a root certificate from another source, including another installation of 8950 AAA, can be used for your site. However, when using aaa-cert you must always have the private key for the root certificate you will be using and know the password used to encrypt that private key.
How to Configure for a TLS Demo Out of the Box
->setup.bat -dir C:\work\8950AAA -agree -server -adminUser admin -adminPass admin -nogui
------------------------------------------------------------
8950AAA Setup, Version 5
Copyright (c) 2008 Alcatel-Lucent. All Rights Reserved.
You are about to install 8950AAA. Enter 'X' at any prompt to exit the setup program.
Using Java version: Java(TM) 2 Runtime Environment, Standard Edition Sun Microsystems Inc.
(The admin/admin credentials above are demo defaults; do not carry them over to a production installation.)
Copying File - data.dnis-info.csv
Copying File - data.realm-info.csv
Copying File - initial.hsqldb
Copying File - Jdbc.acct_insert.map
Copying File - Jdbc.acct_insert.sql
Copying File - Jdbc.acct_insert_active.sql
Copying File - Jdbc.acct_move.sql
Mar  1 22:42 root.pem
-rwxrwxrwa 1 Administrators None 2918 Mar  1 22:42 server.pem
-rwxrwxrwa 1 Administrators None  944 Mar  1 22:35 trusted.pem
Started SMT:
->..\bin\nrsmt -u admin -p admin -l
Configured PolicyAssistant, accepting all of the included sample defaults up until the Authentication page.
Create a small tuple file using notepad:
->cat tuple.txt
User-Name = steve
NAS-IP-Address = 127.0.0.1
NAS-Port = 1
And launch the RADIUS test tool in EAP-TLS mode to check:
->..\bin\nrtest -f tuple.txt -cbc EapTls$SimpleCallback -id steve
TLS_DH_DSS_WITH_AES_128_CBC_SHA
TLS_DH_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_DES_CBC_SHA
TLS_DHE_DSS_WITH_DES_CBC_SHA
TLS_DHE_RSA_WITH_DES_CBC_SHA
TLS_DH_DSS_WITH_DES_CBC_SHA
TLS_DH_RSA_WITH_DES_CBC_SHA
TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA
TLS_RSA_EXPORT_WITH_DES40_CBC_SHA
TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA
TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA
TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
TLS_DH_anon_WITH_AES_256_CBC_SHA
TLS_DH_anon_WITH_AES_128_CBC_SHA
compression_methods NULL
Xmit: Access-Request
User-Name = "steve"...
State = "2"
Packet authenticator is valid
Recv: Access-Challenge after 30 ms.
Message-Authenticator = "95224CCC2B120F28B9269A5A43BB17AE"
State = "3"
Session-Timeout = 180
EAP-Message = "Request/EAP-TLS(4): flags=00() frag.length=513"...
Message-Authenticator = "84752505CFB9AE3678B6013BDFDE3F32"
State = "4"
Session-Timeout = 180
EAP-Message = "Request/EAP-TLS(5): flags=00() "
Xmit: Access-Request
User-Name = "steve"
NAS-IP-Address = 127.0.0.1
NAS-Port = 1
Message-Authenticator = "00000000000000000000000000000000"...
Framed-IP-Netmask = 255.255.255.255
Framed-Routing = Broadcast-Listen
Filter-Id = "std.ppp"
Framed-MTU = 1500
Framed-Compression = Van-Jacobson-TCP-IP
Message-Authenticator = "A68A3FFF3FABCADFDCAB9E5DBE2F561B"
MS-MPPE-Recv-Key = F4BF4E108DF391ED40FB9CD5F20734C45D503F3CAFDDBC72E242C7E90F883CC0
MS-MPPE-Send-Key = 9613F55C951DB46E298647818E8771E04392FEA91E62337C6315332A36C484F
EAP-Message = "Success(6)"...
AutoChecks complete
2864 <engine.worker.9> Reply encode:
Service-Type = Framed-User
Framed-Protocol = PPP
Framed-IP-Address = 192.168.10.6
Framed-IP-Netmask = 255.255.255.255
Framed-Routing = Broadcast-Listen
Filter-Id = "std.ppp"...
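In the trace above, nrtest transmits its Access-Request with a zeroed Message-Authenticator and the server reports "Packet authenticator is valid" when the attribute checks out. As an added example (not code from the manual or the 8950 AAA product), here is that encode-and-verify step in Python for the three attributes in tuple.txt; the shared secret, identifier and request authenticator are constructed placeholders.

```python
"""Added example: build the Access-Request that the RADIUS test tool sends
from tuple.txt and perform the Message-Authenticator check (HMAC-MD5 over
the whole packet with the attribute value zeroed, keyed with the shared
secret). Not code from the 8950 AAA product; secret, identifier and request
authenticator are constructed placeholders."""
import hashlib
import hmac
import ipaddress
import struct

ACCESS_REQUEST = 1
ATTR_CODES = {"User-Name": 1, "NAS-IP-Address": 4, "NAS-Port": 5}
ATTR_MESSAGE_AUTHENTICATOR = 80
HEADER_LEN = 20          # code(1) identifier(1) length(2) authenticator(16)

# Constructed copy of the demo's tuple file.
TUPLE_FILE = """User-Name = steve
NAS-IP-Address = 127.0.0.1
NAS-Port = 1
"""


def parse_tuple_file(text):
    """Turn 'Attribute = value' lines into an ordered list of (name, value)."""
    attrs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition("=")
        if not sep:
            raise ValueError("not an attribute assignment: %r" % line)
        attrs.append((name.strip(), value.strip()))
    return attrs


def tlv(code, data):
    """One RADIUS attribute: type, total length, value."""
    if len(data) > 253:
        raise ValueError("attribute value too long")
    return bytes([code, 2 + len(data)]) + data


def encode_attribute(name, value):
    """Encode the attribute types the tuple file uses (string, ipaddr, integer)."""
    if name == "User-Name":
        data = value.encode()
    elif name == "NAS-IP-Address":
        data = ipaddress.IPv4Address(value).packed
    elif name == "NAS-Port":
        data = struct.pack("!I", int(value))
    else:
        raise ValueError("unsupported attribute in this example: " + name)
    return tlv(ATTR_CODES[name], data)


def build_access_request(secret, identifier, request_authenticator, attrs):
    """Encode the request. The MAC is computed over the packet while the
    Message-Authenticator value is 16 zero bytes (the "000...0" the trace
    shows on Xmit) and then spliced into that attribute."""
    body = b"".join(encode_attribute(n, v) for n, v in attrs)
    body += tlv(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, HEADER_LEN + len(body))
    packet = header + request_authenticator + body
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac        # Message-Authenticator is the last attribute


def verify_message_authenticator(secret, packet):
    """Server-side check on a received Access-Request. False for a malformed
    packet, a missing or duplicated attribute, or a MAC mismatch, so a
    request whose attributes were altered in transit is rejected."""
    if len(packet) < HEADER_LEN:
        return False
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    pos, mac_offset = HEADER_LEN, None
    while pos < length:
        if pos + 2 > length:
            return False
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            return False
        if atype == ATTR_MESSAGE_AUTHENTICATOR:
            if alen != 18 or mac_offset is not None:
                return False
            mac_offset = pos + 2
        pos += alen
    if mac_offset is None:
        return False      # requests carrying EAP-Message must include it
    received = packet[mac_offset:mac_offset + 16]
    zeroed = packet[:mac_offset] + bytes(16) + packet[mac_offset + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(received, expected)
```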
365-360-001R6.0 Issue 1, December 2008
Part VI: Database Tools Navigation Pane
Overview
Purpose
This part consolidates the chapter(s) related to Database Tools in the SMT Navigation pane.
Contents
This part includes the following chapter(s).
Chapter 23, “Creating and Managing User Profiles with the Built-in Database” 23-1
The built-in database, like any other database, requires database manager accounts. In 8950 AAA these are called Database Users. When 8950 AAA is first installed there is one Database User account enabled, the System Administrator. The user name for this account is “sa”...
Creating and Managing User Profiles with the Built-in Database
Logging in to the Database
administrator is to assign a password and, if necessary for the site, create additional database user accounts for other people who will manage user profiles or perform database administration tasks.
Figure 23-2 Database Table Tool–Login panel
Important! The database server is embedded in the 8950 AAA server and starts automatically. Therefore, remember that in order to manage users, the 8950 AAA server must be running.
Creating and Managing User Profiles
Figure 23-3 Accessing the User Profiles Tool Panel
2. Select the appropriate DB Name, enter a User Name, and Password.
3. Click Connect. The User Profiles Tool–options panel appears as depicted in Figure 23-4.
As said earlier, the User Profiles Tool is almost the same as the Database Table Tool. To try out the actions that can be taken on this panel and to understand more about this functionality, refer to “Understanding the Database Table Tool Panel”...
A Table is a database file that contains rows of information. Each row in a table represents a record and each row contains one or more columns or fields. The example 8950 AAA supported schema (shown in the following sections) contains 4 tables:
• Authentication for User Profiles
•...
• The display area shows data from the currently selected table and view. Use the action buttons at the top of the display area to modify the contents of a table. The function of each button is listed in Table 23-1.
8950 AAA supports a predefined database schema for storage of user profiles. However, it is possible for you to edit this schema to remove unneeded columns (fields) and rename fields to more useful names.
Panel Modification Buttons are listed in Table 23-1 on page
Insert a Record within the Current Panel
To create a new record within the current table, perform the following steps:
1.
Figure 23-10 DB Table Tool–Selected Record
3. Add or modify information as desired.
4. Select OK, Cancel, or Revert. Click OK to accept the modified record data. A confirmation prompt appears indicating that the table will be updated.
Figure 23-11 DB Table Tool–Delete All Records Confirmation
2. Select Yes to delete all records or No to cancel the request.
Copy Records
This procedure allows you to use an existing record as a template for a new record within the current table.
Figure 23-12 DB Table Tool–Filter Records
2. Enter data within the fields of the Filter Records window to create filtering criteria. The data will be used for a record search by matching field values within the existing table.
Figure 23-13 Sample Filter Results
Clear a Filter and Query all records
To disable the current filter, perform the following steps:
1. Click the Query all records action button.
Result: The table with its original set of records appears.
Figure 23-14 DB Table Tool–Import Information
2. Enter data in the required fields. File Name requires an absolute directory path that may be typed within the field or selected using the browse button that follows the field.
Figure 23-15 DB Table Tool–File Type List
Set the values of User Name and User Realm.
3. Select OK, Cancel, or Revert. Click OK to accept the modified record data. A confirmation prompt appears indicating that the table will be updated.
Figure 23-16 Database Preferences–Alias and Table Names
Enter the Alias Name and the Table Name for the table. You may select a Table Name by clicking the folder button that appears after the Table Name field.
Figure 23-18 Database Preferences–Selected Columns
2. Use this window to determine the table columns to be displayed. To do this, select a name from the Table Columns list and click the Add button.
Figure 23-19 Database Preferences–Initialization and Filter
3. The Display Records on Initialization option is disabled by default. Select the Yes (Enable) button. This ensures that all records are queried and displayed as soon as you log in to the database.
Using the Database SQL Tool
The Database SQL Tool can be used to run SQL commands and get the required results. This section discusses the use of the built-in 8950 AAA SQL database tool for running and managing queries of the network users.
Understanding Database SQL Tool
Opening the Database SQL Tool
To open the Database SQL tool:
1. Click the Database button and select the Database SQL Tool... option. The Database SQL Tool connection panel is displayed, as shown in Figure 23-21.
area to execute the required commands. The function of each of these buttons is listed in Table 23-3.
Table 23-3 Database SQL Tool Panel–Action buttons
Name | Description | Icon
Execute Command | Executes the SQL command that is typed in the...
Managing Hypersonic Database Users
Figure 23-23 Database SQL Tool Panel
5. Use the control buttons at the bottom of the screen to manage the available table views. They are described in Table 23-4.
1. Click the Database button and select the Manage Hypersonic Database Users... option. The Manage Hypersonic Database Users connection panel is displayed, as shown in Figure 23-24.
Part VII: Other chapters
Overview
Purpose
This part contains the other chapters related to SMT.
Contents
This part includes the following chapter(s).
Chapter 24, “Server Diagnostics and Control Commands” 24-1
Server Diagnostics and Control Commands
Overview
Purpose
This chapter discusses the use of server diagnostics with the 8950 AAA server. It also describes the control command set. The following topics are included in this chapter:
Server Diagnostics and Control 24-1...
List of Server Commands
About Server Commands
This section describes each command by listing the following components:
• Command name
• Brief description of the command
• Command format containing syntax and arguments
•...
cache count
Description: Counts entries matching the key (may use trailing wild cards).
Command Format: cache count <key>
<key> The key that matches the count entries.
cache delete
Description: Deletes entries matching the key (may use trailing wild cards).
Command Format: cache delete <key>...
Command Format: cache save <fileName>
<fileName> The name of the file in which cache contents will be saved.
client
This section lists the client commands and their arguments:
client classes
Description: Lists the client classes.
derby exec
Description: Executes a SQL statement against a connected database.
Command Format: derby create {<statement-element>}
<statement-element> The SQL statement.
derby freeze
Description: Freezes an internal derby database.
Command Format: derby freeze <database>...
derby restore
Description: Restores an internal derby database.
Command Format: derby restore <database> (<timestamp>|<directory>)
<database> Name of the database.
<timestamp> Enter the timestamp (yyyy-mm-dd hh:mm:ss[nnnnnn]).
<directory> Name of the directory.
derby run
Description: Runs a script file against a connected database.
diag chrono
The following section lists the diag chrono commands and their arguments.
diag chrono dump
Description: Dumps the chronograph entries (high-resolution timers).
Command Format: diag chrono dump
There are no arguments for this command.
Example: ==>...
diag engine stats
Description: Lists the engine statistics.
Command Format: diag engine stats
There are no arguments for this command.
diag field
The following section lists the diag field commands and their arguments:
diag field list
Description: Lists the field entries.
<disposition> ::= * | total | expire | statetimeout | <dispositionName>
<bucket> ::= * | count | time
[-notrim] Specifies to include all statistics. When not specified, only statistics with non-zero values are retrieved.
diag pending
The following section lists the diag pending commands and their arguments:
diag pending stats
Description: Lists the pending statistics for a server.
Command Format: diag pending stats
There are no arguments for this command.
diag queue
The following section lists the diag queue commands and their arguments:
diag queue list...
diag tcp
The following section lists the diag tcp commands and their arguments:
diag tcp keys
Description: Dumps the current selector keys.
Command Format: diag tcp keys
There are no arguments for this command.
diag tcp stats
Description: Dumps the tcp stats.
Command Format: eap aka cache count [<permanent_user_name>]
[<permanent_user_name>] The name of the permanent user.
eap aka cache delete
Description: Deletes fast reauth entries by permanent username.
Command Format: eap aka cache delete [<permanent_user_name>]
[<permanent_user_name>] The name of the permanent user.
file
This command manages file behavior.
Command Format: file close <filename> | delete <filename> | list | open | reload {<filename>} | rename <oldfilename> <newfilename> | view <filename>
The following section lists the file commands and their arguments:
file close
Description: Closes a file.
Command Format: file close <fileName>...
Command Format: file rename <oldFileName> <newFileName>
<oldFileName> The current name of the file to be renamed.
<newFileName> The new name of the file to be renamed.
file view
Description: Views the contents of a file.
Command Format: file view <fileName>...
java gc
Description: Forces a garbage collection on the JVM.
Command Format: java gc
There are no arguments for this command.
java gc stats
Description: Lists the JVM garbage collector statistics.
Command Format: java gc stats
There are no arguments for this command.
java thread monitor cpu
Description: Controls java thread cpu time monitoring.
Command Format: java thread monitor cpu [<boolean>]
<boolean> Specify true or false.
java thread stats
Description: Lists thread statistics.
Command Format: java thread stats
There are no arguments for this command.
<rule> ::= [<areaCondition>] [<itemCondition>] [<logLevel>] [<pattern>] {<channel>}
[<areaCondition>] ::= AREA=<wildcard value>
[<itemCondition>] ::= <variable expression>=<wildcard value>
<rule> A rule may be expressed as areaCondition, itemCondition, logLevel, pattern...
[<areaCondition>] Specifies the section of the 8950 AAA server where the message is generated.
Command Format: logrule insert <num> <rule>
<rule> ::= [<areaCondition>] [<itemCondition>] [<logLevel>] [<pattern>] {<channel>}
[<areaCondition>] ::= AREA=<wildcard value>
[<itemCondition>] ::= <variable expression>=<wildcard value>
<num> Specifies where to insert this log rule.
<rule> A rule may be expressed as [<areaCondition>]...
Command Format: logrule remove <num>
<num> The number of the log rule to be deleted.
logrule save
Description: Dumps logging rules to a file.
Command Format: logrule save <fileName>
<fileName> The name of the file to which the logging rules...
Command Format: peer up <peerName>
<peerName> The name of the peer server.
radius clients
Description: This command lists the RADIUS clients.
Command Format: radius clients
There are no arguments for this command.
server
This command manages server functions, such as server version.
server property set
Description: Sets a server property.
Command Format: server property set <name> = <value>
<name> The name of the server property to be set.
<value> The value of the server property to be set.
server property unset
Description: Unsets a server property.
server version
Description: Displays the server version.
Command Format: server version
There are no arguments for this command.
session
This command manages session functions.
Command Format: session exec | info
The following section lists the session commands and their arguments:
session exec
Description: Executes a script file on this session.
stats client
Description: Lists statistics for a client.
Command Format: stats client <ipAddress>
<ipAddress> The IP Address of the client.
stats clients
Description: Lists clients with statistics.
Command Format: stats clients
There are no arguments for this command.
stats servers
Description: Lists servers with statistics.
Command Format: stats servers
There are no arguments for this command.
stats var dump
Description: Lists the variables of a group.
Command Format: stats var dump <group>...
system version
Description: Displays the OS version.
Command Format: system version
There are no arguments for this command.
tacacsplus clients
This command displays a list of TACACS+ clients.
Command Format: system [PROPERTY]
There are no arguments for this command.
uss index list
Description: Lists entries using an index.
Command Format: uss index list [<index> [<value>]]
<index> This parameter specifies the name of the index to retrieve.
<value> This parameter specifies the value for the index...
Command Format: uss save <fileName>
[<fileName>] The name of the file to which the state database will be saved.
Example
==> uss save <filename>
==>
uss stats
Description: Lists state database statistics.
Command Format: uss stats <name>...
Command Format: uss stop key <key>
<key> The key associated with the state entry to be stopped.
uss stop nas
Description: Stops all entries for a NAS.
Command Format: uss stop nas
There are no arguments for this command.
Command Format: uss2 entry list <model> [<file>]
<model> Name of the model.
<file> The file name.
uss2 model dump
Description: Displays information about one or all models.
Command Format: uss2 model dump [<model-name>]
<model-name> Name of the model.
Command Format: uss2 reset <model> <key>
<model> Name of the model.
<key> The key associated with the state entry to be reset.
uss2 reset all
Description: Resets all the sessions in the model.
Command Format: uss2 reset all <model>...
uss2 save
Description: Saves all session state to the given file.
Command Format: uss2 save <model> [<file>]
<model> Name of the model.
<file> Name of the file.
Part VIII: Appendix
Overview
Purpose
This part contains the Appendix chapter(s) related to SMT.
Contents
This part includes the following chapter(s).
Chapter A, “Supplementary Information”
About Displaying the Built-in Web Interface
To display the built-in Web interface, perform the following procedure:
1. Open a browser window.
2. Using the IP address of the 8950 AAA server, set the URL field to the following: http://IP address:9080
Result: A login window appears.
Displaying the RADIUS Server Administration Interface
About RADIUS Server Administration Interface
Use the following procedure to display the RADIUS server Admin interface:
1. Using the IP address of the 8950 AAA server, open a Telnet window using the following command: telnet IP address 9023
Result: A Telnet screen appears.
Displaying the Configuration Server Administration Interface
About Configuration Server Administration Interface
Use the following procedure to display the configuration server administration interface:
1. Using the IP address of the 8950 AAA server, open a Telnet window by executing the following command: telnet IP address 9020
Result: A Telnet screen appears.
Figure A-3 Telnet Session–Configuration Server Administration Address
An accounting request that has its accounting start attribute set to start
ACE/SERVER® RSA product that acts as a server for an 8950 AAA server
APPLICATION A collection of executable and configuration files that, when operated upon, provide a defined set...
Character string that allows access to a database
CONFIGURATION SERVER System that is used by the Server Management Tool to collect server configuration information and statistical information regarding the 8950 AAA Server and the Universal State Server
Central Processing Unit
Glossary
DIAMETER An Authentication, Authorization, and Accounting (AAA) protocol.
DATA PACKET Information transmitted over a network
DATA PANE Part of the SMT GUI where each SMT panel is displayed
DNIS Dialed Number Identification Service—Identifies the number that the caller dialed
Extensible Authentication Protocol—Protocol most commonly used in wireless LAN (Wi-Fi) applications
EDIT MENU...
Internet Service Provider
ISDN Integrated Services Digital Network
JDBC Java Database Connectivity, an application programming interface (API) that allows Java programs to execute SQL statements
JAVA Development Kit
LDAP Lightweight Directory Access Protocol - Protocol for accessing on-line directory services running over TCP/IP.
MESSAGE AUTHENTICATOR Hashed version of a complete RADIUS message
METHOD A programmed procedure that is executed when an object receives a message
MICROSOFT ACTIVE DIRECTORY Windows 2000 directory service
Network Access Identifier — username (See BASE-NAME and REALM)
Network Access Server —...
A set of rules that the server uses to determine access rights, user privileges, and accounting practices based on the user who is requesting access
POLICYASSISTANT 8950 AAA tool used for creating PolicyFlow
POLICYFLOW A set of AAA decisions used for processing a RADIUS request...
Computer or device that manages network resources, for example, the UNIX host machine that contains 8950 AAA and supporting software
SERVER MANAGEMENT TOOL 8950 AAA application used for configuring and managing 8950 AAA servers
SERVER MENU List of SMT commands that manage server connections...
TIMEOUT LINGER Additional time beyond the timeout period before an action is taken
TNS LISTENER The TNS Listener is a persistent daemon process, run by Oracle, that “listens” to the 8950 AAA application for database commands and updates.
TOOLBAR Row of buttons used for invoking commands to a GUI-based application
User Interface application.
List of SMT commands that manage SMT panels
WINDOWS SAM Windows Security Accounts Manager, a user source supported by 8950 AAA
WRITE COMMUNITY Character string that allows access to a database in order to access write variables from the server