Part No. 316804-C June 2005

4655 Great America Parkway Santa Clara, CA 95054

Configuring and Managing Security using the NNCLI and CLI Ethernet Routing Switch 8300 Release 2.2

*316804-C*


Copyright © Nortel Networks Limited 2005. All rights reserved.

The information in this document is subject to change without notice. The statements, configurations, technical data, and recommendations in this document are believed to be accurate and reliable, but are presented without express or implied warranty. Users must take full responsibility for their applications of any products specified in this document. The information in this document is proprietary to Nortel Networks Inc. The software described in this document is furnished under a license agreement and may be used only in accordance with the terms of that license. The software license agreement is included in this document.

Trademarks

Nortel Networks, the Nortel Networks logo, the Globemark, Unified Networks, Passport, and BayStack are trademarks of Nortel Networks. Adobe and Acrobat Reader are trademarks of Adobe Systems Incorporated. Aegis is a trademark of Meetinghouse Data Communications, Inc. LINUX is a trademark of Linus Torvalds. Microsoft, Windows, and Windows NT are trademarks of Microsoft Corporation. Red Hat is a trademark of Red Hat, Inc. UNIX is a trademark of UNIX System Laboratories, Inc. Zone Labs is a trademark of Zone Labs, Inc. The asterisk after a name denotes a trademarked item.

Restricted rights legend

Use, duplication, or disclosure by the United States Government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013. Notwithstanding any other license agreement that may pertain to, or accompany the delivery of, this computer software, the rights of the United States Government regarding its use, reproduction, and disclosure are as set forth in the Commercial Computer Software-Restricted Rights clause at FAR 52.227-19.

Statement of conditions

In the interest of improving internal design, operational function, and/or reliability, Nortel Networks Inc. reserves the right to make changes to the products described in this document without notice. Nortel Networks Inc. does not assume any liability that may occur due to the use or application of the product(s) or circuit layout(s) described herein. Portions of the code in this software product may be Copyright © 1988, Regents of the University of California. All rights reserved. Redistribution and use in source and binary forms of such portions are permitted, provided that the above copyright notice and this paragraph are duplicated in all such forms and that any documentation, advertising materials, and other materials related to such distribution and use acknowledge that such portions of the software were developed by the University of California, Berkeley. The name of the University may not be used to endorse or promote products derived from such portions of the software without specific prior written permission. SUCH PORTIONS OF THE SOFTWARE ARE PROVIDED “AS IS” AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.


In addition, the program and information contained herein are licensed only pursuant to a license agreement that contains restrictions on use and disclosure (that may incorporate by reference certain limitations and notices imposed by third parties).

Nortel Networks Inc. software license agreement

This Software License Agreement (“License Agreement”) is between you, the end-user (“Customer”) and Nortel Networks Corporation and its subsidiaries and affiliates (“Nortel Networks”). PLEASE READ THE FOLLOWING CAREFULLY. YOU MUST ACCEPT THESE LICENSE TERMS IN ORDER TO DOWNLOAD AND/OR USE THE SOFTWARE. USE OF THE SOFTWARE CONSTITUTES YOUR ACCEPTANCE OF THIS LICENSE AGREEMENT. If you do not accept these terms and conditions, return the Software, unused and in the original shipping container, within 30 days of purchase to obtain a credit for the full purchase price. “Software” is owned or licensed by Nortel Networks, its parent or one of its subsidiaries or affiliates, and is copyrighted and licensed, not sold. Software consists of machine-readable instructions, its components, data, audio-visual content (such as images, text, recordings or pictures) and related licensed materials including all whole or partial copies. Nortel Networks grants you a license to use the Software only in the country where you acquired the Software. You obtain no rights other than those granted to you under this License Agreement. You are responsible for the selection of the Software and for the installation of, use of, and results obtained from the Software.

1. Licensed Use of Software. Nortel Networks grants Customer a nonexclusive license to use a copy of the Software on only one machine at any one time or to the extent of the activation or authorized usage level, whichever is applicable. To the extent Software is furnished for use with designated hardware or Customer furnished equipment (“CFE”), Customer is granted a nonexclusive license to use Software only on such hardware or CFE, as applicable. Software contains trade secrets and Customer agrees to treat Software as confidential information using the same care and discretion Customer uses with its own similar information that it does not wish to disclose, publish or disseminate. Customer will ensure that anyone who uses the Software does so only in compliance with the terms of this Agreement. Customer shall not a) use, copy, modify, transfer or distribute the Software except as expressly authorized; b) reverse assemble, reverse compile, reverse engineer or otherwise translate the Software; c) create derivative works or modifications unless expressly authorized; or d) sublicense, rent or lease the Software. Licensors of intellectual property to Nortel Networks are beneficiaries of this provision. Upon termination or breach of the license by Customer or in the event designated hardware or CFE is no longer in use, Customer will promptly return the Software to Nortel Networks or certify its destruction. Nortel Networks may audit by remote polling or other reasonable means to determine Customer’s Software activation or usage levels. If suppliers of third party software included in Software require Nortel Networks to include additional or different terms, Customer agrees to abide by such terms provided by Nortel Networks with respect to such third party software.

2. Warranty. Except as may be otherwise expressly agreed to in writing between Nortel Networks and Customer, Software is provided “AS IS” without any warranties (conditions) of any kind. NORTEL NETWORKS DISCLAIMS ALL WARRANTIES (CONDITIONS) FOR THE SOFTWARE, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE AND ANY WARRANTY OF NON-INFRINGEMENT. Nortel Networks is not obligated to provide support of any kind for the Software. Some jurisdictions do not allow exclusion of implied warranties, and, in such event, the above exclusions may not apply.

3. Limitation of Remedies. IN NO EVENT SHALL NORTEL NETWORKS OR ITS AGENTS OR SUPPLIERS BE LIABLE FOR ANY OF THE FOLLOWING: a) DAMAGES BASED ON ANY THIRD PARTY CLAIM; b) LOSS OF, OR DAMAGE TO, CUSTOMER’S RECORDS, FILES OR DATA; OR c) DIRECT, INDIRECT, SPECIAL, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES (INCLUDING LOST PROFITS OR SAVINGS), WHETHER IN CONTRACT, TORT OR OTHERWISE (INCLUDING NEGLIGENCE) ARISING OUT OF YOUR USE OF THE SOFTWARE, EVEN IF NORTEL NETWORKS, ITS AGENTS OR SUPPLIERS HAVE BEEN ADVISED OF THEIR POSSIBILITY. The foregoing limitations of remedies also apply to any developer and/or supplier of the Software. Such developer and/or supplier is an intended beneficiary of this Section. Some jurisdictions do not allow these limitations or exclusions and, in such event, they may not apply.


4. General

a. If Customer is the United States Government, the following paragraph shall apply: All Nortel Networks Software available under this License Agreement is commercial computer software and commercial computer software documentation and, in the event Software is licensed for or on behalf of the United States Government, the respective rights to the software and software documentation are governed by Nortel Networks standard commercial license in accordance with U.S. Federal Regulations at 48 C.F.R. Sections 12.212 (for non-DoD entities) and 48 C.F.R. 227.7202 (for DoD entities).

b. Customer may terminate the license at any time. Nortel Networks may terminate the license if Customer fails to comply with the terms and conditions of this license. In either event, upon termination, Customer must either return the Software to Nortel Networks or certify its destruction.

c. Customer is responsible for payment of any taxes, including personal property taxes, resulting from Customer’s use of the Software. Customer agrees to comply with all applicable laws including all applicable export and import laws and regulations.

d. Neither party may bring an action, regardless of form, more than two years after the cause of the action arose.

e. The terms and conditions of this License Agreement form the complete and exclusive agreement between Customer and Nortel Networks.

f. This License Agreement is governed by the laws of the country in which Customer acquires the Software. If the Software is acquired in the United States, then this License Agreement is governed by the laws of the state of New York.


Contents

Preface ...... 21
Before you begin ...... 21
About the NNCLI ...... 22
NNCLI command modes ...... 22
Accessing the NNCLI ...... 24
Returning to the CLI ...... 25
Text conventions ...... 26
Hard-copy technical manuals ...... 27
How to get help ...... 28

Chapter 1: Overview of security features ...... 29
CLI passwords ...... 30
Port lock feature ...... 30
Access policies for services ...... 31
SNMP version 3 (SNMPv3) ...... 31
SNMP engine ...... 32
snmpEngineID ...... 32
Dispatcher ...... 33
Message processing ...... 33
Security ...... 33
Access control ...... 34
View-based Access Control (VACM) ...... 35
Secure Shell and Secure Copy ...... 36
SSH version 2 (SSH v2) ...... 39
SSH guidelines ...... 41
Key generation and removal ...... 41
Block SNMP ...... 42
SCP command ...... 42
RADIUS ...... 42


How RADIUS works ...... 43
Configuring the RADIUS server ...... 43
Configuring the RADIUS client ...... 44
RADIUS authentication ...... 45
RADIUS accounting ...... 45
EAPoL ...... 47
EAPoL terminology ...... 47
Standard 802.1x configuration (single supplicant per port) ...... 48
EAPoL static-based security mode ...... 52
Non-standard 802.1x guest VLAN ...... 54
Guest VLAN ...... 54
Guest VLAN security mode ...... 56
Configuration guidelines for setting up a guest VLAN ...... 58
Enabling multiple EAPoL sessions per port ...... 59
Basic EAPOL multihost-based security ...... 60
Enhanced EAPOL multihost-based security ...... 62
EAPoL dynamic VLAN assignment ...... 67
RADIUS MAC centralization ...... 68
Working with RADIUS ...... 71
RADIUS configuration prerequisites for EAPoL ...... 72
RADIUS accounting for EAPoL ...... 73
Configuring the Ethernet Routing Switch 8300 for EAP and RADIUS ...... 75
System requirements ...... 77
TACACS+ ...... 77
TACACS+ architecture ...... 78
TACACS+ authentication ...... 79
TACACS+ authorization ...... 80
TACACS+ access levels ...... 80

Chapter 2: Setting passwords and locking ports using the NNCLI ...... 81
Roadmap of NNCLI password and lock port commands ...... 81
Changing passwords ...... 82
Resetting passwords ...... 83
Setting the port lock ...... 83
Enabling port lock ...... 84


Disabling port lock ...... 84

Chapter 3: Setting passwords and locking ports using the CLI ...... 85
Roadmap of CLI password and port lock commands ...... 85
Changing passwords ...... 86
Resetting passwords ...... 88
Setting the port lock ...... 88

Chapter 4: Configuring access policies using the NNCLI ...... 89
Roadmap of NNCLI access policy commands ...... 90
Enabling and disabling the access policy feature globally ...... 92
Configuring access policies ...... 92
Creating an access policy ...... 94
Allowing a network or device access to the switch ...... 94
Specifying the host and username for rlogin ...... 98
Assigning a precedence for the policy ...... 99
Naming an access policy ...... 99
Enabling or disabling an access policy ...... 99
Configuration example - access policies ...... 100

Chapter 5: Configuring access policies using the CLI ...... 103
Roadmap of CLI access policy commands ...... 104
Enabling the access policy feature globally ...... 105
Configuring access policies ...... 106
Creating an access policy ...... 107
Enabling an access service ...... 107
Allowing a network or device access to the switch ...... 109
Specifying the host and username for rlogin ...... 113
Assigning a precedence for the policy ...... 113
Naming an access policy ...... 114
Enabling or disabling an access policy ...... 114
Configuration example: access policies ...... 114

Chapter 6: Configuring SNMPv3 using the NNCLI ...... 117
Roadmap of NNCLI SNMPv3 commands ...... 118
Loading the encryption module ...... 119


Creating a new user in the USM table ...... 120
Other USM commands ...... 121
Creating a new user group member ...... 122
Other member commands ...... 123
Creating v3 group access ...... 124
Other group-access commands ...... 125
Creating a new entry for the MIB in the View table ...... 127
Other MIB-view commands ...... 128
Creating a community ...... 129
Changing the default community strings ...... 130
Other community commands ...... 130
SNMPv3 configuration example ...... 131
SNMPv1/SNMPv2 configuration example ...... 132
Displaying SNMP system information ...... 133
Blocking SNMP ...... 135

Chapter 7: Configuring SNMPv3 using the CLI ...... 137
Roadmap of CLI SNMPv3 commands ...... 138
Loading the encryption module ...... 138
Creating a new user in the USM table ...... 140
Other USM commands ...... 140
Creating a new user group member ...... 142
Other group-member commands ...... 142
Creating v3 group access ...... 144
Other group-access commands ...... 145
Creating a new entry for the MIB in the View table ...... 147
Other MIB-view commands ...... 147
Creating a community ...... 151
Changing the default community strings ...... 151
Other community commands ...... 152
SNMPv3 configuration example ...... 155
SNMPv1/SNMPv2 configuration example ...... 155
Displaying SNMP system information ...... 157
Blocking SNMP ...... 159


Chapter 8: Configuring SSH using the NNCLI ...... 161
NNCLI commands for SSH ...... 161
Enabling the SSH server ...... 162
Configuring SSH ...... 162
Defining the action ...... 162
Enabling/disabling DSA authentication ...... 163
Enabling/disabling the SSH daemon ...... 163
Setting the maximum number of SSH sessions ...... 163
Enabling password authentication ...... 163
Setting the SSH connection port ...... 163
Enabling RSA authentication ...... 164
Setting the SSH authentication timeout ...... 164
Setting the SSH version ...... 164
Creating the user-defined access policy to enable service connections ...... 164
Loading the encryption module in the switch ...... 165
Viewing configured SSH parameters ...... 165

Chapter 9: Configuring SSH using the CLI ...... 167
CLI commands for SSH ...... 167
Enabling the SSH server ...... 168
Configuring SSH ...... 168
Defining the action ...... 168
Enabling/disabling DSA authentication ...... 168
Enabling/disabling the SSH daemon ...... 169
Setting the maximum number of SSH sessions ...... 169
Enabling password authentication ...... 169
Setting the SSH connection port ...... 169
Enabling RSA authentication ...... 170
Setting the SSH authentication timeout ...... 170
Setting the SSH version ...... 170
Creating the user-defined access policy to enable service connections ...... 170
Loading the encryption module in the switch ...... 170
Viewing configured SSH parameters ...... 170


Chapter 10: Setting up RADIUS servers ...... 171
Updating files for the BSAC RADIUS server ...... 172
Using a third-party RADIUS server ...... 174
Updating the dictionary file for a Merit Network server ...... 175
Updating files for the freeRadius server ...... 175
Changing user access ...... 178
Subscriber and administrative interaction ...... 178
Configuring the BSAC or Merit Network server ...... 178
Configuring the freeRadius server ...... 181
Enabling EAP authentication ...... 183

Chapter 11: Configuring RADIUS authentication and accounting using the NNCLI ...... 185
Roadmap of NNCLI RADIUS commands ...... 185
Configuring RADIUS on the switch ...... 187
Enabling and disabling RADIUS authentication ...... 188
Configuring RADIUS access priority attribute values ...... 189
Configuration example: RADIUS authentication ...... 189
Enabling RADIUS accounting ...... 190
Configuring RADIUS accounting attribute values ...... 191
Configuration example: RADIUS accounting ...... 191
Showing RADIUS information ...... 192
Configuring a RADIUS server ...... 193
Configuration example: adding a RADIUS server ...... 195
Showing RADIUS server configurations and server statistics ...... 196
Showing RADIUS authentication statistics ...... 197
Showing RADIUS accounting statistics ...... 198

Chapter 12: Configuring RADIUS authentication and accounting using the CLI ...... 201
Roadmap of CLI RADIUS commands ...... 201
Configuring RADIUS on the switch ...... 203
Enabling RADIUS authentication ...... 204
Configuring RADIUS access priority attribute values ...... 205
Configuration example: RADIUS authentication ...... 205
Enabling RADIUS accounting ...... 206


Configuring RADIUS accounting attribute values ...... 207
Configuration example: RADIUS accounting ...... 207
Showing RADIUS information ...... 208
Configuring a RADIUS server ...... 209
Configuration example: adding a RADIUS server ...... 212
Showing RADIUS server configurations and server statistics ...... 212
Showing RADIUS authentication statistics ...... 213
Showing RADIUS accounting statistics ...... 215

Chapter 13: Configuring EAPoL using the NNCLI ...... 217
Roadmap of NNCLI EAPoL commands ...... 218
Configuration prerequisites ...... 221
Configuring EAPoL globally ...... 221
Adding an EAPoL-enabled RADIUS server ...... 222
Configuration example: adding an EAPoL-enabled RADIUS server ...... 224
Deleting an EAPoL-enabled RADIUS server ...... 225
Modifying EAPoL-enabled RADIUS server parameters ...... 225
Configuring EAPoL on a port ...... 227
Configuration example: configuring EAPoL on a port ...... 229
Configuring non-EAPoL clients on a port ...... 230
Changing the authentication status of a port ...... 231
Showing EAPoL statistics ...... 232
Showing the EAPoL status of the switch ...... 232
Showing EAPoL authenticator statistics ...... 233
Showing EAPoL authenticator diagnostics ...... 235
Showing EAPoL authenticator session statistics ...... 238
Showing EAPoL configuration statistics ...... 240
Showing EAPoL operation statistics ...... 243
Showing multiple clients session information ...... 244
Viewing the status of non-EAPoL clients that use RADIUS ...... 246
Viewing allowed non-EAPoL MAC addresses ...... 248

Chapter 14: Configuring EAPOL using the CLI ...... 249
Roadmap of CLI EAPoL commands ...... 250
Configuration prerequisites ...... 253
Configuring EAPoL globally ...... 254


Adding an EAPoL-enabled RADIUS server ...... 255
Configuration example: adding an EAPoL-enabled RADIUS server ...... 256
Deleting an EAPoL-enabled RADIUS server ...... 258
Modifying EAPoL-enabled RADIUS server parameters ...... 258
Configuring EAPoL on a port ...... 260
Configuration example: configuring EAPoL on a port ...... 262
Configuring non-EAPoL clients on a port ...... 264
Changing the authentication status of a port ...... 265
Showing EAPoL statistics ...... 266
Showing the EAPoL status of the switch ...... 266
Showing EAPoL authenticator statistics ...... 267
Showing EAPoL authenticator diagnostics ...... 269
Showing EAPoL authenticator session statistics ...... 272
Showing EAPoL configuration statistics ...... 274
Showing EAPoL operation statistics ...... 276
Showing multiple clients session information ...... 278
Viewing the status of non-EAPoL clients that use RADIUS ...... 280
Viewing allowed non-EAPoL MAC addresses ...... 282

Chapter 15: Configuring TACACS+ using the NNCLI ...... 283
Roadmap of CLI TACACS+ commands ...... 283
Enabling TACACS+ authentication ...... 284
Showing TACACS+ information ...... 284
Configuring a TACACS+ server ...... 285
Configuration example: enabling TACACS+ and adding a TACACS+ server ...... 287

Chapter 16: Configuring TACACS+ using the CLI ...... 289
Roadmap of CLI TACACS+ commands ...... 289
Configuring TACACS+ on the switch ...... 290
Enabling TACACS+ ...... 291
Showing TACACS+ information ...... 291
Configuring a TACACS+ server ...... 292
Showing TACACS+ server configurations ...... 293
Configuration example: adding a TACACS+ server ...... 294


Chapter 17: NNCLI configuration examples ...... 295
Configuring EAPoL via Layer 2 ...... 296
Configuration files ...... 299
Configuring EAPoL via Layer 3 ...... 300
Configuration files ...... 303
Configuring SNMPv3 ...... 304
Configuration files ...... 307
Configuring TACACS+ ...... 307
Supported TACACS+ servers ...... 308
TACACS+ configuration example ...... 308
Configuring the TACACS+ server ...... 309

Chapter 18: CLI configuration examples ...... 311
Configuring EAPoL through L2 ...... 311
Configuration files ...... 314
Configuring EAPoL through L3 ...... 315
Configuration files ...... 317
Configuring SNMPv3 ...... 318
Configuration files ...... 321
Configuring TACACS+ ...... 321
Supported TACACS+ servers ...... 322
TACACS+ configuration example ...... 322
Configuring the TACACS+ server ...... 323

Appendix A: TACACS+ server configuration examples ...... 325
Configuration example: Cisco ACS server ...... 325
Configuration example: ClearBox server ...... 331
Configuration example: Linux freeware server ...... 343

Index ...... 345


Figures

Figure 1 USM association with VACM ...... 35
Figure 2 Overview of the SSH protocol ...... 37
Figure 3 SSH v2 protocols ...... 40
Figure 4 SSH user authentication protocol ...... 40
Figure 5 SSH connection protocol ...... 41
Figure 6 EAPoL standard 802.1x packet path example ...... 49
Figure 7 Standard 802.1x operational mode example ...... 51
Figure 8 EAPoL static-based security example ...... 53
Figure 9 Accessing the guest VLAN ...... 55
Figure 10 EAPoL Guest VLAN security example ...... 57
Figure 11 Basic EAPoL multihost-based security example ...... 61
Figure 12 Multiple EAPoL client example ...... 63
Figure 13 Enhanced EAPoL multihost-based security example ...... 65
Figure 14 Connecting the TACACS+ server through a local interface ...... 79
Figure 15 Connecting the TACACS+ server through the management interface ...... 79
Figure 16 config cli password command sample output ...... 83
Figure 17 config cli password command sample output ...... 87
Figure 18 access-policy policy network command sample output (network) ...... 96
Figure 19 access-policy policy network command sample output (device) ...... 97
Figure 20 access-policy policy command sample output ...... 101
Figure 21 config sys access-policy policy service commands output ...... 109
Figure 22 config sys access-policy policy command sample output (network) ...... 111
Figure 23 config sys access-policy policy command sample output (device) ...... 112
Figure 24 config sys access-policy policy command sample output ...... 116
Figure 25 FTP sample output from DOS window ...... 120
Figure 26 USM command sample output ...... 122
Figure 27 SNMPv3 group configuration sample output ...... 124
Figure 28 SNMPv3 group access configuration output ...... 127
Figure 29 MIB View configuration sample output ...... 129


Figure 30 Community configuration sample output ...... 131
Figure 31 SNMP system information sample output ...... 134
Figure 32 FTP sample output from DOS window ...... 139
Figure 33 USM command sample output ...... 141
Figure 34 SNMPv3 group configuration sample output ...... 143
Figure 35 SNMPv3 group access configuration sample output ...... 146
Figure 36 MIB view commands sample output ...... 149
Figure 37 MIB view commands sample output ...... 150
Figure 38 config snmp-v3 community info output ...... 152
Figure 39 Community commands sample output ...... 154
Figure 40 show config module sys sample output ...... 158
Figure 41 Updating information for the BSAC or Merit Network server ...... 179
Figure 42 radius authentication command sample output ...... 190
Figure 43 radius acct command sample output ...... 192
Figure 44 show radius command sample output ...... 193
Figure 45 radius-server command sample output ...... 195
Figure 46 show radius-server command sample output ...... 196
Figure 47 show radius-server authentication-stat command sample output ...... 197
Figure 48 show radius-server accounting command sample output ...... 199
Figure 49 config radius authentication-enable command sample output ...... 206
Figure 50 config radius acct-enable command sample output ...... 208
Figure 51 config radius info sample output ...... 209
Figure 52 config radius server command sample output ...... 212
Figure 53 show radius server config sample command output ...... 213
Figure 54 show radius server stat authentication command sample output ...... 214
Figure 55 show radius server stat accounting command sample output ...... 216
Figure 56 radius-server host command sample output ...... 224
Figure 57 eapol configuration command sample output ...... 229
Figure 58 show eapol command sample output ...... 233
Figure 59 show interface FastEthernet eapol auth-stats sample output ...... 234
Figure 60 show interface FastEthernet eapol auth-diags sample output ...... 236
Figure 61 show interface FastEthernet eapol session-stats sample output ...... 239
Figure 62 show interface FastEthernet eapol config sample output ...... 241
Figure 63 show interface FastEthernet eapol oper-stats sample output ...... 243


Figure 64 show interface fastethernet eapol multi-host-session-stats command sample output ...... 245
Figure 65 show eapol multihost non-eap-mac status command sample output ...... 246
Figure 66 show eapol multihost non-eap-mac interface command sample output ...... 248
Figure 67 config radius server command sample output ...... 257
Figure 68 eapol configuration command sample output ...... 263
Figure 69 show sys eapol command sample output ...... 266
Figure 70 show ports info eapol auth-stats command sample output ...... 267
Figure 71 show ports info eapol auth-diags command sample output ...... 269
Figure 72 show ports info eapol session-stats command sample output ...... 272
Figure 73 show ports info eapol config command sample output ...... 274
Figure 74 show ports info eapol oper-stats command sample output ...... 277
Figure 75 show ports info eapol multi-host-session-stats command sample output ...... 279
Figure 76 show ports info eapol radius-non-eap-mac command sample output ...... 280
Figure 77 show ports info eapol radius-non-eap-mac parameters ...... 280
Figure 78 show ports info eapol non-eap-mac command sample output ...... 282
Figure 79 Sample of show tacacs command output ...... 284
Figure 80 Sample of tacacs server command input ...... 287
Figure 81 Sample of config tacacs info command output ...... 291
Figure 82 Sample of config tacacs+ server command output ...... 294
Figure 83 EAPoL via L2 ...... 296
Figure 84 EAPoL via L3 ...... 300
Figure 85 SNMPv3 for users with different permissions/privacy protocols ...... 304
Figure 86 TACACS+ server and management PC on the same subnet ...... 308
Figure 87 EAPoL via L2 ...... 312
Figure 88 EAPoL via L3 ...... 315
Figure 89 SNMPv3 for users with different permissions/privacy protocols ...... 318
Figure 90 TACACS+ server and management PC on the same subnet ...... 322
Figure 91 Cisco ACS (version 3.2) main administration window ...... 326
Figure 92 Group Setup window — Cisco ACS server configuration ...... 327
Figure 93 Network Configuration window — server setup ...... 328
Figure 94 Network Configuration window — client setup ...... 329
Figure 95 Group Setup window — viewing the group setup ...... 330
Figure 96 User Setup window — Cisco ACS server configuration ...... 331
Figure 97 General Extension Configurator ...... 332


Figure 98 Creating a client entry ...... 333
Figure 99 Default realm — Authentication tab ...... 334
Figure 100 Default realm — Authorization tab ...... 335
Figure 101 Adding parameters for the query ...... 336
Figure 102 Authorization Query window ...... 336
Figure 103 Query parameters added to Authorization Attribute-Value Pairs window ...... 337
Figure 104 Authorization attribute-value pairs added to Authorization tab ...... 338
Figure 105 Users table — Microsoft® Access ...... 339
Figure 106 ClearBox Server Manager ...... 339
Figure 107 Connect to... dialog box ...... 340
Figure 108 TACACS+ server connected ...... 341
Figure 109 Server configured successfully ...... 342
Figure 110 Unsuccessful connection to TACACS+ server ...... 342
Figure 111 Successful login ...... 342
Figure 112 Unsuccessful login ...... 343
Figure 113 Sample config file — Linux TACACS+ server ...... 344


Tables

Table 1 NNCLI command modes ...... 24
Table 2 Accounting events and logged information ...... 46
Table 3 Summary of accounting events and information logged ...... 74
Table 4 802.1x session termination mapping ...... 75
Table 5 Ethernet Routing Switch 8300 access levels ...... 80
Table 6 show radius-server authentication-stat command statistics ...... 198
Table 7 show radius-server accounting-stat command statistics ...... 199
Table 8 show radius server stat authentication command statistics ...... 214
Table 9 show radius server stat accounting command statistics ...... 216
Table 10 Eap Authenticator Statistics table parameters ...... 234
Table 11 Eap Authenticator Diagnostics table parameters ...... 236
Table 12 Eap Authenticator Session Statistics table parameters ...... 239
Table 13 Eap Config table parameters ...... 242
Table 14 Eap Oper Stats table parameters ...... 244
Table 15 show ports info eapol oper-stats parameters ...... 245
Table 16 show eapol multihost non-eap-mac status parameters ...... 246
Table 17 show eapol multihost non-eap-mac interface parameters ...... 248
Table 18 show ports info eapol auth-stats parameters ...... 267
Table 19 show ports info eapol auth-diags parameters ...... 270
Table 20 show ports info eapol session-stats parameters ...... 273
Table 21 show ports info eapol config parameters ...... 275
Table 22 show ports info eapol oper-stats parameters ...... 277
Table 23 show ports info eapol oper-stats parameters ...... 279
Table 24 show ports info eapol non-eap-mac parameters ...... 282


Preface

The Nortel* Ethernet Routing Switch 8300 is a flexible and multifunctional Layer 2/Layer 3 switch that supports diverse network architectures and protocols. The Ethernet Routing Switch 8300 provides security and control features such as Extensible Authentication Protocol over LAN (EAPoL), Simple Network Management Protocol, Version 3 (SNMPv3), and Secure Shell (SSH). The Ethernet Routing Switch 8300 provides quality of service (QoS) for a high number of attached devices and supports future network requirements for QoS for critical applications, such as Voice over IP (VoIP).

This guide describes the security features available for the Ethernet Routing Switch 8300 Software Release 2.2. The guide provides instructions for initializing and customizing the features using the Nortel* Command Line Interface (NNCLI) and the Ethernet Routing Switch 8300 Command Line Interface (CLI).

To learn the basic structure and operation of the NNCLI, refer to NNCLI Command Line Reference for the Ethernet Routing Switch 8300 (316810-C). This reference guide describes the function and syntax of each NNCLI command.

To learn the basic structure and operation of the Ethernet Routing Switch 8300 CLI, refer to CLI Command Line Reference for the Ethernet Routing Switch 8300 (317360-C). This reference guide describes the function and syntax of each CLI command.

Before you begin

This guide is intended for network administrators who have the following background:

• basic knowledge of networks, Ethernet bridging, and IP routing
• familiarity with networking concepts and terminology
• experience with windowing systems or GUIs
• basic knowledge of network topologies

Before using this guide, you must complete the following procedures. For a new switch:

1 Install the switch. For installation instructions, see Installing and Maintaining the Ethernet Routing Switch 8306 and 8310 Chassis (316795-C) and Installing Ethernet Routing Switch 8300 Series Modules (316796-C).
2 Connect the switch to the network. For more information, see Getting Started (316799-C).

Ensure that you are running the latest version of Nortel Ethernet Routing Switch 8300 software. For information about upgrading the Ethernet Routing Switch 8300, see Upgrading to Ethernet Routing Switch 8300 Software Release 2.2 (318769-C).

About the NNCLI

This section describes the Nortel Command Line Interface (NNCLI) command modes you use to configure the Ethernet Routing Switch 8300 and the commands you use to access the NNCLI. You can access the NNCLI using the following methods:

• Telnet session
• rlogin
• local console port

NNCLI command modes

The NNCLI has four major command modes, listed in order of increasing privileges:

• User EXEC
• Privileged EXEC
• Global configuration
• Interface configuration

Each mode provides a specific set of commands. The command set of a higher-privilege mode is a superset of a lower-privilege mode. That is, all lower-privilege mode commands are accessible when using a higher-privilege mode.

The command modes are as follows:

• User EXEC mode: This is the initial mode of access. By default, the User Access Verification password for this mode is empty, and password checking is disabled. The system administrator can change the password (and enable password checking) in Global configuration mode. Once the password is changed, it is activated immediately.
• Privileged EXEC mode: This mode is accessed from the User EXEC mode. When accessing this mode, you are prompted to provide a login name and password. The login name and password combination determines your access level in the Privileged EXEC mode and other higher modes.
• Global configuration mode: This mode allows you to make changes to the running configuration. If the configuration is saved, these settings survive reboots of the switch.
• Interface configuration mode: This mode allows you to modify either a logical interface, such as a VLAN, or a physical interface, such as a port/slot.

From either the Global configuration mode or the Interface configuration mode, all the configuration parameters (both global and interface) can be saved to a file. The default name for the configuration parameters file is config.cfg. Alternative filenames can also be used.


Table 1 lists the NNCLI command modes, the prompts for each mode, the abbreviated name for each mode, and how to enter and exit each mode.

Table 1 NNCLI command modes

Mode                      Prompt                        Command mode name   Command to enter or exit mode
User EXEC                 Passport-8300:5>              exec                Default mode when NNCLI is started; logout to exit
Privileged EXEC           Passport-8300:5#              privExec            enable to enter from User EXEC mode; disable to exit to User EXEC mode
Global configuration      Passport-8300:5(config)#      config              configure to enter from Privileged EXEC mode; exit to exit to Privileged EXEC mode
Interface configuration   Passport-8300:5(config-if)#   config-if           interface to enter from Global configuration mode; exit to exit to Global configuration mode

Note: Prompts are expressed in this table using the format Passport-8300:5; however, prompts returned from your switch typically reflect the specific chassis you use. For example, if you use the 8310 chassis, the prompts use the format Passport-8310:5. Prompts can also be customized using the NNCLI command snmp-server name. Refer to Getting Started (316799-C) for more information.

Accessing the NNCLI

When you first power up the Ethernet Routing Switch 8300, the default interface is the Ethernet Routing Switch 8300 CLI. To switch from the CLI to the NNCLI, you must change the NNCLI boot flag to true and save the boot configuration file using the following commands:

Passport-8310:5# config boot flags nncli true
Passport-8310:5# save boot


You must reboot the switch for this change to take effect. After you reboot the switch, access the NNCLI using Telnet, rlogin, or the local console port. You can log in to the switch using your password and the default privilege password nortel.

Use the following commands to:

• log in to the software using the default user name and password
• access Global configuration mode

Login: xxxxx
Password: xxxxx
Passport-8310:5> enable
Password: nortel
Passport-8310:5# configure terminal
Passport-8310:5(config)#

Returning to the CLI

Note: The config.cfg file for the CLI and the config.cfg file for the NNCLI are not compatible. If you decide to change the CLI mode to NNCLI, or the reverse, you must use the config.cfg file for the selected mode.

To switch from the NNCLI to the CLI, enter the following commands:

Passport-8310:5(config)# no boot flags nncli
Passport-8310:5(config)# exit
Passport-8310:5# save boot

You must reboot the switch for this change to take effect.


Text conventions

This guide uses the following text conventions:

angle brackets (< >)
Indicate that you choose the text to enter based on the description inside the brackets. Do not type the brackets when entering the command.
Example: If the command syntax is ping <ip_address>, you enter ping 192.32.10.12

bold body text
Indicates objects such as window names, dialog box names, and icons, as well as user interface objects such as buttons, tabs, and menu items.

bold Courier text
Indicates command names, options, and text that you must enter.
Example: Use the dinfo command.
Example: Enter show ip {alerts|routes}.

braces ({ })
Indicate required elements in syntax descriptions where there is more than one option. You must choose only one of the options. Do not type the braces when entering the command.
Example: If the command syntax is show ip {alerts|routes}, you must enter either show ip alerts or show ip routes, but not both.

brackets ([ ])
Indicate optional elements in syntax descriptions. Do not type the brackets when entering the command.
Example: If the command syntax is show ip interfaces [-alerts], you can enter either show ip interfaces or show ip interfaces -alerts.

ellipsis points (. . .)
Indicate that you repeat the last element of the command as needed.
Example: If the command syntax is ethernet/2/1 [<parameter> <value>]..., you enter ethernet/2/1 and as many parameter-value pairs as needed.


italic text
Indicates variables in command syntax descriptions. Also indicates new terms and book titles. Where a variable is two or more words, the words are connected by an underscore.
Example: If the command syntax is show at <valid_route>, valid_route is one variable and you substitute one value for it.

plain Courier text
Indicates command syntax and system output, for example, prompts and system messages.
Example: Set Trap Monitor Filters

separator ( > )
Shows menu paths.
Example: Protocols > IP identifies the IP command on the Protocols menu.

vertical line ( | )
Separates choices for command keywords and arguments. Enter only one of the choices. Do not type the vertical line when entering the command.
Example: If the command syntax is show ip {alerts|routes}, you enter either show ip alerts or show ip routes, but not both.

Hard-copy technical manuals

You can download current versions of technical documentation for your Ethernet Routing Switch 8300 from the Nortel customer support web site at www.nortel.com/support.

If, for any reason, you cannot find a specific document, use the Search function:

1 Click Search at the top right-hand side of the web page. The Search page opens.
2 Ensure the Support tab is selected.
3 Enter the title or part number of the document in the Search field.
4 Click Search.


You can print the technical manuals and release notes free, directly from the Internet. Use Adobe* Acrobat Reader* to open the manuals and release notes, search for the sections you need, and print them on most standard printers. Go to Adobe Systems at the www.adobe.com URL to download a free copy of the Adobe Acrobat Reader.

How to get help

If you purchased a service contract for your Nortel product from a distributor or authorized reseller, contact the technical support staff for that distributor or reseller for assistance.

If you purchased a Nortel service program, contact Nortel Technical Support. To obtain contact information online, go to the www.nortel.com/contactus web page and click Technical Support.

Information about the Nortel Technical Solutions Centers is available from the www.nortel.com/callus web page.

An Express Routing Code (ERC) is available for many Nortel products and services. When you use an ERC, your call is routed to a technical support person who specializes in supporting that product or service. To locate the ERC for your product or service, go to the www.nortel.com/erc web page.

Chapter 1 Overview of security features

This chapter describes security features that allow you to restrict access to the Ethernet Routing Switch 8300. You protect the control path using:

• Login and passwords
• Access policies, which allow you to specify the network/address that is allowed to use a service/daemon
• Secure protocols (for example, Secure Shell [SSH], Secure Copy [SCP], Simple Network Management Protocol [SNMP])

You protect the data path using:

• Layer 2 MAC address filtering
• Layer 3 filtering (for example, IP, UDP/TCP filtering)
• Mechanisms to prevent DoS (Denial of Service) attacks

You can use the supported command line interfaces (NNCLI or the Ethernet Routing Switch 8300 CLI) to set up passwords and community strings for access to all the management functions of the switch.

This chapter includes the following topics:

Topic                              Page
CLI passwords                      30
Port lock feature                  30
Access policies for services       31
SNMP version 3 (SNMPv3)            31
Secure Shell and Secure Copy       36
RADIUS                             42
EAPoL                              47
TACACS+                            77

CLI passwords

The Ethernet Routing Switch 8300 is shipped with default passwords set for access to the CLI through a console or Telnet session. Community strings are stored in encrypted format and are not stored in the configuration file. When the switch is booted for the first time, the passwords are set to their default values. A log entry is generated for any password change you make. If you are using the Java Device Manager (Device Manager), you can also specify the number of allowed Telnet sessions and rlogin sessions.

Caution: Please be aware that the default passwords/community strings are documented and well known. Nortel strongly recommends that you change the default passwords/community strings immediately after the first login.

Note: For security purposes, if you fail to login correctly on the master CPU in three consecutive instances, the CPU locks for 60 seconds.

Port lock feature

The Port Lock feature allows you to administratively lock a port or ports to prevent other users from changing port parameters or modifying port action. Locked ports cannot be modified in any way until the port is unlocked. For instructions on locking ports using the NNCLI and CLI, see Chapter 2, “Setting passwords and locking ports using the NNCLI,” on page 81 and Chapter 3, “Setting passwords and locking ports using the CLI,” on page 85, respectively.


Access policies for services

You can control access to the switch by creating an access policy. An access policy specifies the hosts or networks that can access the switch through various access services, such as Telnet, SNMP, HTTP, FTP, TFTP, or rlogin.

Note: To access the backup CPU using the peer rlogin command, you must also set an access policy that enables rlogin access to the backup CPU. For information about the peer rlogin command, see Getting Started.

For information about enabling access services for a specific policy using the NNCLI or the CLI, see Chapters 6 and 7, respectively.

You can define network stations that are explicitly allowed to access the switch or network stations explicitly forbidden to access the switch. For each service you can also specify the level of access, such as read-only or read/write/all.

When you set up access policies, you can either:

• Globally enable the access policy feature, and then create and enable individual policies. Each policy takes effect immediately when you enable it.
• Create and enable individual access policies, and then globally enable the access policy feature to activate all the policies at the same time.
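The evaluation order the two switches above imply, as an added example that is not code from this guide or from the switch's own implementation. It models a global enable, a per-policy enable, policies that name the hosts or networks explicitly allowed or explicitly forbidden for each service, and the access level granted. The precedence rules (most specific network wins, a deny outranks an allow of equal length, no match means deny) and the policy set are assumptions constructed for the example, not a description of how the switch orders its policies.

```python
"""Management access-policy evaluation (added example, not code from the Nortel
guide).  Models a global enable for the access-policy feature, a per-policy
enable, and policies that name the hosts or networks explicitly allowed or
explicitly forbidden for each service together with the access level granted.
Precedence (most specific network wins; a deny beats an allow of equal length;
no match means deny) is an assumption made for this example, not a statement
about the switch's implementation."""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class AccessPolicy:
    name: str
    enabled: bool
    network: str                 # CIDR; a single host is a /32
    services: FrozenSet[str]     # subset of {"telnet", "ssh", "snmp", "http", "ftp", "tftp", "rlogin"}
    allow: bool
    level: Optional[str] = None  # e.g. "ro" or "rwa"; only meaningful when allow is True


Decision = Tuple[bool, Optional[str], Optional[str]]   # (permitted, level, matched policy name)


def evaluate(policies: List[AccessPolicy], feature_enabled: bool,
             src_ip: str, service: str) -> Decision:
    """Decide whether src_ip may use service, and at what level.
    With the feature globally disabled no policy is consulted and the request
    falls through to the ordinary login and password checks."""
    if not feature_enabled:
        return True, None, None
    src = ipaddress.ip_address(src_ip)
    matches = [p for p in policies
               if p.enabled and service in p.services
               and src in ipaddress.ip_network(p.network, strict=False)]
    if not matches:
        return False, None, None          # assumed default: deny when nothing matches
    # Longest prefix first; on a tie an explicit deny outranks an allow.
    best = max(matches, key=lambda p: (ipaddress.ip_network(p.network, strict=False).prefixlen,
                                       0 if p.allow else 1))
    if not best.allow:
        return False, None, best.name
    return True, best.level, best.name


def example_policies() -> List[AccessPolicy]:
    """Constructed policy set for illustration (addresses and names are made up)."""
    return [
        AccessPolicy("mgmt-net", True, "10.20.0.0/16",
                     frozenset({"telnet", "ssh", "snmp", "http"}), allow=True, level="rwa"),
        AccessPolicy("contractor-host", True, "10.20.5.7/32",
                     frozenset({"telnet", "ssh"}), allow=True, level="ro"),
        AccessPolicy("lab-no-http", True, "10.20.9.0/24",
                     frozenset({"http"}), allow=False),
        AccessPolicy("legacy-open", False, "0.0.0.0/0",      # disabled: must be ignored
                     frozenset({"telnet", "ssh", "snmp", "http", "ftp", "tftp", "rlogin"}),
                     allow=True, level="rwa"),
    ]
```

The disabled "legacy-open" policy is the case worth testing when you audit a switch: a wide-open policy that is present but disabled grants nothing, while the same policy enabled would silently override the intended restrictions on every host not covered by a longer prefix.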

SNMP version 3 (SNMPv3)

The Simple Network Management Protocol (SNMP) allows you to remotely collect management data and configure devices. An SNMP agent is a software process that listens on UDP port 161 for SNMP messages. Each SNMP message sent to the agent contains a list of management objects to either retrieve or modify.

SNMP version 3 (SNMPv3) is an SNMP framework that supplements SNMPv2 by supporting the following:

• New SNMP message formats
• Security for messages
• Access control
• Remote configuration of SNMP parameters

An SNMP entity is an implementation of this architecture. Each SNMP entity consists of an SNMP engine and one or more associated applications.

SNMP engine

An SNMP engine provides services for sending and receiving messages, authenticating and encrypting messages, and controlling access to managed objects. There is a one-to-one association between an SNMP engine and the SNMP entity, which contains it.

snmpEngineID

Within an administrative domain, an snmpEngineID is the unique identifier of an SNMP engine. Since there is a one-to-one association between SNMP engines and SNMP entities, the ID also uniquely and unambiguously identifies the SNMP entity within that administrative domain. The snmpEngineID is generated during the boot processing. The SNMP engine contains a:

• Dispatcher
• Message Processing Subsystem
• Security Subsystem
• Access Control Subsystem


Dispatcher

There is one dispatcher in an SNMP engine. It allows for concurrent support of multiple versions of SNMP messages in the SNMP engine. It does so by:

• Sending and receiving SNMP messages to/from the network
• Determining the SNMP message version and interacting with the corresponding message processing model
• Providing an abstract interface to SNMP applications for delivery of a PDU to an application
• Providing an abstract interface for SNMP applications that allows them to send a PDU to a remote SNMP entity

Message processing

The Message Processing subsystem prepares messages for sending and extracts data from received messages. The subsystem can contain multiple message processing models.

Security

Authentication

Authentication within the User-based Security Model (USM) allows the recipient of a message to verify the message sender and whether the message has been altered. If authentication is used, the integrity of the message is verified. Authentication uses a secret key to produce a fingerprint of the message. This fingerprint is included in the message. The receiving entity uses the same secret key to validate the fingerprint. The authentication protocols supported by USM are HMAC-MD5-96 and HMAC-SHA-96: a keyed hash over the whole message, truncated to 96 bits (12 bytes).
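The key handling behind that fingerprint, as an added example that is not code from this guide or from the switch: the RFC 3414 password-to-key algorithm, localization of the key to one snmpEngineID (so a key captured from one agent cannot be replayed against another), and the truncated HMAC the sender places in the message and the receiver recomputes. The passphrase and engine ID are the RFC 3414 Appendix A test vector; the message bytes in demo() are a constructed stand-in for a BER-encoded SNMPv3 packet, not a real one.

```python
"""SNMPv3 USM authentication key handling (added example, not code from the
Nortel guide).  Implements the RFC 3414 password-to-key algorithm, key
localization to an snmpEngineID, and the 96-bit HMAC fingerprint that
HMAC-MD5-96 and HMAC-SHA-96 place in msgAuthenticationParameters.
Standard library only."""
import hashlib
import hmac

AUTH_PARAMS_LEN = 12        # both USM authentication protocols truncate the MAC to 96 bits
EXPANSION_LEN = 1 << 20     # RFC 3414 A.2: hash 1,048,576 bytes of the repeated passphrase


def password_to_key(password: bytes, algo: str) -> bytes:
    """Ku = H(passphrase repeated until 1 MiB has been consumed).  The expansion
    is a deliberate work factor against offline guessing, not a key stretch."""
    if not password:
        raise ValueError("empty passphrase")
    expanded = (password * (EXPANSION_LEN // len(password) + 1))[:EXPANSION_LEN]
    return hashlib.new(algo, expanded).digest()


def localize_key(ku: bytes, engine_id: bytes, algo: str) -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku): binds the key to one engine."""
    return hashlib.new(algo, ku + engine_id + ku).digest()


def fingerprint(kul: bytes, whole_msg: bytes, algo: str) -> bytes:
    """HMAC over the whole message (authentication parameters zeroed), first 12 bytes."""
    return hmac.new(kul, whole_msg, algo).digest()[:AUTH_PARAMS_LEN]


def _zeroed(whole_msg: bytes, params_offset: int) -> bytes:
    return (whole_msg[:params_offset] + bytes(AUTH_PARAMS_LEN)
            + whole_msg[params_offset + AUTH_PARAMS_LEN:])


def sign(kul: bytes, whole_msg: bytes, params_offset: int, algo: str) -> bytes:
    """Sender side: fill the 12-byte msgAuthenticationParameters field."""
    zeroed = _zeroed(whole_msg, params_offset)
    mac = fingerprint(kul, zeroed, algo)
    return zeroed[:params_offset] + mac + zeroed[params_offset + AUTH_PARAMS_LEN:]


def verify(kul: bytes, whole_msg: bytes, params_offset: int, algo: str) -> bool:
    """Receiver side: recompute over the zeroed message and compare in constant time."""
    received = whole_msg[params_offset:params_offset + AUTH_PARAMS_LEN]
    expected = fingerprint(kul, _zeroed(whole_msg, params_offset), algo)
    return hmac.compare_digest(received, expected)


def demo(algo: str = "md5"):
    """Constructed walk-through using the RFC 3414 A.3 vector ("maplesyrup" on
    engine 00..02).  The message is an arbitrary byte string standing in for a
    BER-encoded SNMPv3 packet; the 12-byte field after the constructed header
    is where msgAuthenticationParameters would sit."""
    engine_id = bytes.fromhex("000000000000000000000002")
    kul = localize_key(password_to_key(b"maplesyrup", algo), engine_id, algo)
    header = b"\x30\x2e\x02\x01\x03HDR\x04\x0c"          # constructed, not valid BER
    params_offset = len(header)
    unsigned = header + bytes(AUTH_PARAMS_LEN) + b"\x02\x01\x00PDU"
    signed = sign(kul, unsigned, params_offset, algo)
    tampered = signed[:-1] + bytes([signed[-1] ^ 0x01])  # flip one bit of the PDU
    return (kul.hex(),
            verify(kul, signed, params_offset, algo),
            verify(kul, tampered, params_offset, algo))
```

Two practical consequences follow from the code: the same passphrase yields a different localized key on every engine, so configuring one "SNMP password" on many switches does not give an attacker one key for all of them; and because only 96 bits of the HMAC are transmitted, verification must be over the full recomputed value with the field zeroed, never a comparison of the stored fingerprint with itself.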

Privacy

USM provides privacy through an encryption protocol. Only the data portion of a message is encrypted; the header and the security parameters are not. The privacy protocol supported by USM is the CBC-DES Symmetric Encryption Protocol.


Security

SNMPv3 security protects against the following:

• Modification of information: altering information in transit
• Masquerade: an unauthorized entity assuming the identity of an authorized entity
• Message stream modification: delaying or replaying messages
• Disclosure: eavesdropping

To make authenticated communication possible, USM also defines two procedures:

• Discovery procedure: finds the snmpEngineID of an SNMP entity for a given transport address or transport endpoint address
• Time synchronization procedure: facilitates authenticated communication between entities by establishing the engine time values used to detect delayed or replayed messages

SNMPv3 does not protect against:

• Denial of service: prevention of exchanges between manager and agent
• Traffic analysis: the general pattern of traffic between managers and agents

Access control

USM system

In a USM system, the system uses a defined set of user identities for any authorized user on a particular SNMP engine. The user with authority on one SNMP engine must also have authorization on any SNMP engine with which the original SNMP engine communicates.

The USM system provides the following levels of communications:

• NoAuthNoPriv: communications without authentication and privacy
• AuthNoPriv: communications with authentication and without privacy
• AuthPriv: communications with authentication and privacy

Figure 1 shows the relationship between USM and View-based Access Control (VACM).

Figure 1 USM association with VACM

View-based Access Control (VACM)

VACM provides groups access, group security levels, and context based on a predefined subset of MIB objects. These MIB objects define a set of managed objects and instances.


VACM is the standard access control mechanism for SNMPv3, and it provides:

• Authorization service to control access to MIB objects at the PDU level
• Alternative access control subsystems

The access is based on principal, security level, MIB context, object instance, and type of access requested (read/write). VACM MIB defines the policy and allows remote management.
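The VACM decision described in this section, as an added example that is not code from this guide or from the switch's implementation: the three RFC 3415 tables (securityToGroup, access, viewTreeFamily), the subtree/mask match that selects a view family, and the longest-subtree tie-break that lets an excluded entry carve a hole out of an included parent. The user names, groups, views and policy are constructed for illustration; 1.3.6.1.6.3.15 is the USM MIB and 1.3.6.1.2.1.2.2.1 the ifEntry row of MIB-II.

```python
"""View-based Access Control Model decision (added example, not code from the
Nortel guide).  Models the VACM tables from RFC 3415 and the isAccessAllowed()
decision: principal (securityModel, securityName) -> group, group + context +
securityLevel -> read/write views, and view -> OID subtree families with masks.
Table contents are constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

LEVELS = {"noAuthNoPriv": 1, "authNoPriv": 2, "authPriv": 3}
Oid = Tuple[int, ...]


@dataclass(frozen=True)
class ViewEntry:
    view: str
    subtree: Oid
    mask: bytes          # one bit per subtree element, MSB first; b"" means all ones
    included: bool


@dataclass(frozen=True)
class AccessEntry:
    group: str
    context: str
    min_level: str       # lowest securityLevel that may use this row
    read_view: str
    write_view: str      # "" means no write access at all


@dataclass
class VacmTables:
    security_to_group: Dict[Tuple[str, str], str]   # (securityModel, securityName) -> group
    access: List[AccessEntry]
    views: List[ViewEntry]


def mask_bit(mask: bytes, i: int) -> bool:
    """Bits beyond the end of the mask are treated as 1 (RFC 3415 4.1.3)."""
    if i >= 8 * len(mask):
        return True
    return (mask[i // 8] >> (7 - i % 8)) & 1 == 1


def effective_mask(entry: ViewEntry) -> Tuple[bool, ...]:
    return tuple(mask_bit(entry.mask, i) for i in range(len(entry.subtree)))


def subtree_matches(entry: ViewEntry, oid: Oid) -> bool:
    """oid belongs to the family if it is at least as long as the subtree and every
    sub-identifier whose mask bit is set is equal; zero bits are wildcards."""
    if len(oid) < len(entry.subtree):
        return False
    bits = effective_mask(entry)
    return all(not bits[i] or oid[i] == entry.subtree[i] for i in range(len(entry.subtree)))


def oid_in_view(views: List[ViewEntry], view_name: str, oid: Oid) -> bool:
    matches = [e for e in views if e.view == view_name and subtree_matches(e, oid)]
    if not matches:
        return False
    # Longest subtree wins; among equal lengths the lexicographically greatest mask.
    best = max(matches, key=lambda e: (len(e.subtree), effective_mask(e)))
    return best.included


def is_access_allowed(tables: VacmTables, model: str, name: str, level: str,
                      want_write: bool, context: str, oid: Oid) -> Tuple[bool, str]:
    """Returns (allowed, reason) using the VACM status names."""
    group = tables.security_to_group.get((model, name))
    if group is None:
        return False, "noGroupName"
    rows = [a for a in tables.access
            if a.group == group and a.context == context
            and LEVELS[a.min_level] <= LEVELS[level]]
    if not rows:
        return False, "noAccessEntry"
    row = max(rows, key=lambda a: LEVELS[a.min_level])   # most demanding row that still applies
    view = row.write_view if want_write else row.read_view
    if not view:
        return False, "noSuchView"
    if not oid_in_view(tables.views, view, oid):
        return False, "notInView"
    return True, "accessAllowed"


def example_tables() -> VacmTables:
    """Constructed policy: 'ops' may read the system group and the counters of
    interface index 2 at authNoPriv or better; 'admin' gets read/write on the
    whole internet subtree only at authPriv, minus the USM user MIB."""
    wild_column = bytes([0xFF, 0xA0])   # 11 bits, all set except bit 9 (the ifEntry column)
    return VacmTables(
        security_to_group={("usm", "ops"): "operators", ("usm", "admin"): "admins"},
        access=[
            AccessEntry("operators", "", "authNoPriv", "ops-view", ""),
            AccessEntry("admins", "", "authPriv", "internet", "internet"),
        ],
        views=[
            ViewEntry("internet", (1, 3, 6, 1), b"", True),
            ViewEntry("internet", (1, 3, 6, 1, 6, 3, 15), b"", False),          # snmpUsmMIB carved out
            ViewEntry("ops-view", (1, 3, 6, 1, 2, 1, 1), b"", True),             # system group
            ViewEntry("ops-view", (1, 3, 6, 1, 2, 1, 2, 2, 1, 0, 2), wild_column, True),  # ifEntry.*.2
        ],
    )
```

The masked entry is the part worth studying: with bit 9 cleared, the family 1.3.6.1.2.1.2.2.1.*.2 covers every column of ifEntry for interface index 2 and nothing for any other index, which is how VACM expresses "this user may see this port's counters" without listing each column.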

Secure Shell and Secure Copy

Secure Shell (SSH) is a client/server protocol that allows you to conduct secure communications over a network. SSH supports a variety of the public/private key encryption schemes available. Using the public key of the host server, the client and server negotiate to generate a session key known only to the client and the server. This one-time key is then used to encrypt all traffic between the client and the server.

Secure Copy (SCP) is a secure file transfer protocol. SCP replaces cleartext file transfer utilities such as FTP with an encrypted alternative.

Figure 2 on page 37 shows an overview of the SSH protocol.

Figure 2 Overview of the SSH protocol

[Figure not reproduced. It shows the client and server sides of an SSH session: the server's host key (public H/private H) and server key (public S/private S), the session key derived using H and S, and on each side the user terminal or shell/server, the SSH agent and agent socket, a locally forwarded TCP connection and TCP port, and the multiplexing (MUX), integrity and encryption layers.]

Using a combination of host, server, and session keys, the SSH protocol provides strong authentication and secure communication over a non-secure network. The SSH protocol offers protection from the following security risks:

• IP spoofing
• IP source routing
• DNS spoofing
• man-in-the-middle/TCP hijacking attacks (interception of cleartext passwords and other data by intermediate hosts, or manipulation of data by people in control of intermediate hosts)
• eavesdropping/password sniffing

Even if network security is compromised, traffic cannot be played back or decrypted, and the connection cannot be hijacked.

The secure channel of communication provided by SSH does not provide protection against break-in attempts or denial-of-service (DoS) attacks.


The SSH protocol supports the following security features:

• Authentication: identifies the SSH client. During the login process the SSH client is queried for a digital proof of identity. Supported authentications are RSA (SSH v1), DSA (SSH v2), and passwords (both SSH v1 and SSH v2).
• Encryption: the SSH server uses encryption algorithms to scramble data and render it unintelligible, except to the receiver. Supported encryption is 3DES only.
• Integrity: guarantees that the data is transmitted from the sender to the receiver without any alteration. If any third party captures and modifies the traffic, the SSH server detects the alteration.

Note: Currently, 3DES is the only encryption algorithm supported for the 8000 series Ethernet Routing Switch. Due to export restrictions, the encryption capability has been separated from the main image. Refer to the release notes accompanying your software release for the latest information on how to download the 3DES encryption image. The SSH server does not function properly without the use of this image.

The implementation of the SSH server in the 8000 series Ethernet Routing Switch enables the SSH client to make a secure connection to an 8000 series Ethernet Routing Switch, and will work with commercially available SSH clients.

Note: You must use CLI to initially configure SSH. You can use Device Manager to change the SSH configuration parameters, however, Nortel recommends that you use CLI. Nortel also recommends that you use the console port to configure the SSH parameters.


SSH version 2 (SSH v2)

SSH protocol, version 2 (SSH v2) is a complete rewrite of the SSH v1 protocol. SSH v1 contains multiple functions in a single protocol. SSH v2 divides the functions among three layers:

• SSH Transport Layer (SSH-TRANS): The SSH transport layer manages the server authentication and provides the initial connection between the client and the server. Once established, the transport layer provides a secure, full-duplex connection between the client and server.
• SSH Authentication Protocol (SSH-AUTH): The SSH authentication protocol runs on top of the SSH transport layer and authenticates the client-side user to the server. SSH-AUTH defines three authentication methods: public key, host-based, and password. SSH-AUTH provides a single authenticated tunnel for the SSH connection protocol.
• SSH Connection Protocol (SSH-CONN): The SSH connection protocol runs on top of the SSH transport layer and user authentication protocols. SSH-CONN provides interactive login sessions, remote execution of commands, forwarded TCP/IP connections, and forwarded X11 connections. These richer services are multiplexed into the single encrypted tunnel provided by the SSH transport layer.

Figure 3 on page 40 shows SSH v2 protocols. Figure 4 on page 40 shows SSH user authentication protocol. Figure 5 on page 41 shows SSH connection protocol.

Figure 3 SSH v2 protocols

[Figure not reproduced. It shows the SSH transport protocol between client and server: compression, integrity and encryption applied on each side, server authentication using the public host key (public H/private H) and the server key (public S/private S), and the session key derived from H and S.]

Figure 4 SSH user authentication protocol

[Figure not reproduced. It shows the three SSH-AUTH methods: public key authentication with the user key (public/private), password authentication, and host-based authentication in which the SSH signer on the client host signs with the client host keys (public/private).]

Figure 5 SSH connection protocol

[Figure not reproduced. It shows SSH-CONN channels multiplexed over one tunnel: the user terminal to the shell, the SSH agent to the agent socket, and a locally forwarded TCP connection.]

The modular approach of SSH v2 offers improvements to the security, performance, and portability of the SSH v1 protocol.

Note: The SSH v1 and SSH v2 protocols are not compatible. While the SSH implementation in the 8000 series Ethernet Routing Switch supports both versions of SSH, Nortel recommends use of the SSH v2 protocol because it is more secure than SSH v1.
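Whether a given server will still negotiate SSH v1 is visible before any key exchange, in the identification string it sends first (RFC 4253 section 4.2: "SSH-protoversion-softwareversion SP comments CR LF"; a server that supports both protocols advertises protoversion 1.99). The following is an added example, not code from this guide or from the switch, for checking that string from an audit host; the banners in the test are constructed samples, and fetch_identification() only reads the cleartext banner without completing a handshake.

```python
"""SSH protocol version identification (added example, not code from the Nortel
guide).  Parses the identification string an SSH server sends first (RFC 4253
4.2) and reports which protocol versions it will negotiate, so an audit can
flag servers that still accept the incompatible, weaker SSH v1."""
import re
import socket
from dataclasses import dataclass

ID_LINE = re.compile(rb"^SSH-(?P<proto>[0-9.]+)-(?P<soft>[^ \r\n]+)(?: (?P<comment>[^\r\n]*))?\r?\n")
MAX_ID_LINE = 255   # RFC 4253: at most 255 characters including CR LF


@dataclass
class SshIdentity:
    proto: str
    software: str
    comment: str
    supports_v1: bool
    supports_v2: bool


def parse_identification(data: bytes) -> SshIdentity:
    """Servers may send arbitrary lines (not starting with 'SSH-') before the
    identification string; skip them, then parse the first SSH- line."""
    for raw in data.split(b"\n"):
        if not raw.startswith(b"SSH-"):
            continue
        line = raw + b"\n"
        if len(line) > MAX_ID_LINE:
            raise ValueError("identification string too long")
        m = ID_LINE.match(line)
        if not m:
            raise ValueError("malformed identification string")
        proto = m["proto"].decode()
        return SshIdentity(
            proto=proto,
            software=m["soft"].decode(errors="replace"),
            comment=(m["comment"] or b"").decode(errors="replace"),
            supports_v1=proto.startswith("1."),        # 1.x and 1.99 both admit v1 clients
            supports_v2=proto in ("2.0", "1.99"),
        )
    raise ValueError("no SSH identification string found")


def risk_note(ident: SshIdentity) -> str:
    """Summarise the finding the way an audit report would state it."""
    if ident.supports_v2 and not ident.supports_v1:
        return "v2-only"
    if ident.supports_v2:
        return "v2-available-but-v1-still-enabled"
    return "v1-only"


def fetch_identification(host: str, port: int = 22, timeout: float = 5.0) -> SshIdentity:
    """Live check: read up to 1 KiB from the server and parse it.  No key
    exchange is attempted; only the cleartext banner is consumed."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        return parse_identification(s.recv(1024))
```

A switch that reports 1.99 has not yet been restricted to v2: it accepts v2 clients, but a client that deliberately requests v1 still gets the older protocol, which is the configuration the note above recommends against.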

SSH guidelines

The following sections provide guidelines for implementing SSH:

• "Key generation and removal"
• "Block SNMP" on page 42
• "SCP command" on page 42

Key generation and removal

Generating keys requires that you have free space on the flash. A typical configuration requires less than 2 KBytes of free space. Before you generate a key, verify that you have sufficient space on the flash, using the dir command. If the flash is full when you attempt to generate a key, an error message appears and the key is not generated. If you receive the error message, you must delete unused files and re-generate the key.

If you remove only the public keys, enabling SSH does not create new ones.


Block SNMP

The boot flag setting for block-snmp (config bootconfig flags block-snmp <true|false>) and the runtime SSH secure setting (config sys set ssh enable <true|false>) both modify the block-snmp boot flag. If you enable SSH secure, the block-snmp boot flag is set to true and the change takes effect after reboot. To set the block-snmp boot flag back to false, first disable SSH secure mode; otherwise SSH secure re-asserts the flag.

SCP command

Nortel recommends that you use short filenames with the SCP command. The entire SCP command, including all options, usernames, and filenames should never exceed 80 characters.

RADIUS

Remote Authentication Dial-In User Service (RADIUS) is a distributed client/server system that assists in securing networks against unauthorized access, allowing a number of communication servers and clients to authenticate users' identities through a central database. The database within the RADIUS server stores information about clients, users, passwords, and access privileges, including the shared secret used with each client.

RADIUS is a fully open and standard protocol defined by RFCs (authentication [RFC 2865] and accounting [RFC 2866]). The Ethernet Routing Switch 8300 uses RADIUS authentication and accounting to:

• secure access to the switch using Telnet, rlogin, or the console port
• track the management sessions (CLI only)

This section includes the following topics:

• "How RADIUS works", next
• "Configuring the RADIUS server" on page 43
• "Configuring the RADIUS client" on page 44
• "RADIUS authentication" on page 45
• "RADIUS accounting" on page 45

How RADIUS works

A RADIUS application has two components:

• RADIUS server: A computer equipped with server software (for example, a UNIX* workstation) that is located at a central office or campus. It has authentication and access information in a form that is compatible with the client. Typically, the database in the RADIUS server stores client information, user information, passwords, and access privileges, including the shared secret. A network can have one server for both authentication and accounting, or one server for each service.
• RADIUS client: A switch, router, or remote access server equipped with client software, which typically resides on the same local area network (LAN) segment as the server. The client is the network access point between the remote users and the server.

The RADIUS process includes:

• RADIUS authentication, which allows you to identify remote users before you give them access to a central network site.
• RADIUS accounting, which enables data collection on the server during a remote user's dial-in session with the client.

Configuring the RADIUS server

The Ethernet Routing Switch 8300 software supports BaySecure Access Control (BSAC* — now known as the Steel-Belted Radius server (SBR)), Merit Network, and freeRadius servers. For instructions on installing the BSAC, Merit Network, or freeRadius server software on the server that you use, see the installation manual that came with your software. After the software is installed, you must make changes to one or more configuration files for these servers. For detailed information about the changes that must be made for the BSAC, Merit Network, or freeRadius server, see Chapter 10, “Setting up RADIUS servers,” on page 171.


After you have installed the software, configure the RADIUS server to respond to each of its clients. Make sure that the RADIUS server reaches the client by pinging the IP address of the client. If the server’s IP interface can successfully ping the client, the server can provide authentication to that client. You must add user names ro, L1, L2, L3, rw, and rwa to the RADIUS server if authentication is enabled. Users not added to the server will be denied access. In addition to these usernames (ro, L1, L2, L3, rw, and rwa), you can create additional user names to access the switch. You assign an access priority to an individual user. These access priorities, which range from Non-Access to Read-Write-All-Access, determine a user’s access level. The RADIUS server authenticates the user name and access priority that is assigned to that name.

For detailed instructions on configuring a RADIUS server, including adding clients, users, and access priorities, refer to the documentation that came with the server software. Configure at least two RADIUS servers in the network to provide redundancy. A maximum of ten RADIUS servers is allowed in a single network. Each server is assigned a priority and is contacted in that order.

Configuring the RADIUS client

You use the Ethernet Routing Switch 8300 CLI, the NNCLI, or Device Manager to configure the RADIUS client so that it can contact its RADIUS server. To configure the client, you must:

• Enable RADIUS.
• Configure the IP address of the RADIUS server to be used.
• Configure the shared secret. This secret must match the one defined in the RADIUS server.
• Configure the access priority attribute value. This value must match the type value set in the dictionary file on the RADIUS server. The default value (192) is the recommended value.
• Configure the order or priority in which the RADIUS server is used (if you have more than one RADIUS server in the network).
• Set the UDP port that will be used by the client and the server during the authentication process. The UDP port between the client and the server must have the same value. For example, if the server is configured with UDP 1812, then the client must use the same UDP port value.
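What the shared secret and the access-priority attribute type actually do on the wire, as an added example covering both "How RADIUS works" and the client settings listed above; it is not code from this guide or from the switch. It builds an RFC 2865 Access-Request, hides the User-Password under the shared secret, simulates the server's Access-Accept carrying the access-priority attribute as type 192 (the default the guide gives), and checks the Response Authenticator so that a forged or mis-keyed reply is dropped. The user, secret, addresses and the numeric priority value are constructed; the mapping of that value to an access level comes from the server's dictionary and is not defined here. Nothing is sent on the network.

```python
"""RADIUS Access-Request / Access-Accept exchange (added example, not code from
the Nortel guide).  Packet layout, Request Authenticator, User-Password hiding
and Response Authenticator check per RFC 2865.  The access-priority attribute
is carried as type 192, the guide's default; its value here is constructed."""
import hashlib
import hmac
import os
import struct
from typing import Dict, List, Optional, Tuple

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, REPLY_MESSAGE = 1, 2, 4, 18
ACCESS_PRIORITY = 192          # dictionary type of the switch's access-priority attribute
HEADER = struct.Struct("!BBH16s")   # Code, Identifier, Length, Authenticator


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to a 16-byte multiple, XOR each block with
    MD5(secret || previous block), seeded with the Request Authenticator."""
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + bytes(-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = bytes(x ^ y for x, y in zip(padded[i:i + 16], pad))
        out += block
        prev = block
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side of the same transform.  Trailing NULs are padding (this
    assumes the password itself contains no NUL bytes)."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], pad))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def encode_attributes(attrs: List[Tuple[int, bytes]]) -> bytes:
    out = b""
    for t, v in attrs:
        if len(v) > 253:
            raise ValueError("attribute value too long")
        out += bytes([t, len(v) + 2]) + v
    return out


def parse_attributes(data: bytes) -> Dict[int, List[bytes]]:
    attrs: Dict[int, List[bytes]] = {}
    i = 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute")
        t, ln = data[i], data[i + 1]
        if ln < 2 or i + ln > len(data):
            raise ValueError("malformed attribute")
        attrs.setdefault(t, []).append(data[i + 2:i + ln])
        i += ln
    return attrs


def build_access_request(ident: int, username: bytes, password: bytes, secret: bytes,
                         nas_ip: str, request_auth: Optional[bytes] = None) -> bytes:
    """Client -> server.  The Request Authenticator must be unpredictable: it
    keys the password hiding and is what the reply check is bound to."""
    request_auth = request_auth or os.urandom(16)
    body = encode_attributes([
        (USER_NAME, username),
        (USER_PASSWORD, hide_password(password, secret, request_auth)),
        (NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))),
    ])
    return HEADER.pack(ACCESS_REQUEST, ident, HEADER.size + len(body), request_auth) + body


def build_response(code: int, ident: int, request_auth: bytes, secret: bytes,
                   attrs: List[Tuple[int, bytes]]) -> bytes:
    """Server -> client.  ResponseAuth = MD5(Code || ID || Length || RequestAuth
    || Attributes || Secret), so only a holder of the secret can mint a reply."""
    body = encode_attributes(attrs)
    length = HEADER.size + len(body)
    resp_auth = hashlib.md5(struct.pack("!BBH", code, ident, length) + request_auth + body + secret).digest()
    return HEADER.pack(code, ident, length, resp_auth) + body


def check_response(response: bytes, request: bytes, secret: bytes):
    """Client side: accept a reply only if its identifier matches the outstanding
    request and its Response Authenticator verifies.  Returns (code, attributes)
    or None."""
    if len(response) < HEADER.size or len(request) < HEADER.size:
        return None
    code, ident, length, resp_auth = HEADER.unpack_from(response)
    _, req_ident, _, request_auth = HEADER.unpack_from(request)
    if ident != req_ident or length != len(response):
        return None
    body = response[HEADER.size:]
    expected = hashlib.md5(struct.pack("!BBH", code, ident, length) + request_auth + body + secret).digest()
    if not hmac.compare_digest(expected, resp_auth):
        return None
    return code, parse_attributes(body)
```

Two of the client settings in the list above map directly onto this code: a shared secret that differs from the server's makes every reply fail check_response() (the switch sees a server that never answers, not a clear error), and the attribute type you configure is the key under which the client looks up the access priority in the accepted reply, so a mismatch with the server's dictionary leaves an authenticated user with no usable level.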

316804-C

Chapter 1 Overview of security features 45

RADIUS authentication

RADIUS authentication allows a remote server to authenticate users attempting to log in. The RADIUS server also provides access authority. RADIUS assists network security and authorization by managing a database of users. Use of the database allows the switch to verify user names and passwords, as well as information about the type of access priority available to the user.

When the RADIUS client sends an authentication request, if the RADIUS server requires additional information, such as a SecurID number, it sends a challenge-response. Along with the challenge-response, a reply-message attribute is sent. The reply-message is a text string, such as “Please enter the next number on your SecurID card:”. The maximum length of each reply-message attribute is 253 characters (as defined by the RFC). If you have multiple instances of reply-message attributes that together form a large message that can be displayed to the user, the maximum length is 2000 characters.

RADIUS accounting

RADIUS accounting logs all of the activity of each remote user in a session on the centralized RADIUS accounting server.

Session IDs for each RADIUS account are generated as 12-character strings. The first four characters in the string form a random number in hexadecimal format. The last eight characters in the string indicate, in hexadecimal format, the number of user sessions started since reboot.

The Network Access Server (NAS) IP address for a session is the address of the switch interface to which the remote session is connected over the network. For a console session, modem session, and sessions running on debug ports, this value is set to 0.0.0.0 (as is done with RADIUS authentication).


Table 2 summarizes events and associated accounting information logged at the RADIUS accounting server.

Table 2 Accounting events and logged information

Event | Accounting information logged at server
Accounting is turned on at router | Accounting on request: Network Access Server (NAS) IP address
Accounting is turned off at router | Accounting off request: NAS IP address
User logs in | Accounting start request: NAS IP address, Session Id, Username
More than 40 CLI commands are executed | Accounting Interim request: NAS IP address, Session Id, CLI commands, Username
User logs off | Accounting Stop request: NAS IP address, Session Id, Session duration, Username, number of octets input for session, number of octets output for session, number of packets input for session, number of packets output for session, CLI commands

When the switch communicates with the RADIUS accounting server, the following actions result:

• If the server sends an invalid response, the response is silently discarded and no attempt is made to resend the request.
• If the server does not respond within the user-configured timeout interval, a user-specified number of attempts is made. If a server does not respond to any of the retries, requests are sent to the next priority server (if configured). You can configure up to ten RADIUS servers for redundancy.


EAPoL

Extensible Authentication Protocol over LAN (EAPoL) is a port-based network access control protocol. This protocol is part of the IEEE 802.1x standard, which defines port-based network access control. EAPoL provides security by preventing users from accessing network resources before they have been authenticated. Without authentication, any user can access a network to assume a valid identity and access confidential material, or launch Denial of Service (DoS) attacks.

EAPoL allows you to set up network access control on internal LANs and to exchange authentication information between any endstation or server connected to the Ethernet Routing Switch 8300 and an authentication server (such as a RADIUS server). This security feature extends the benefits of remote authentication to internal LAN clients. For example, if a new client PC fails the authentication process, EAPoL prevents it from accessing the network.

This section includes the following topics:

• “EAPoL terminology”, next
• “Standard 802.1x configuration (single supplicant per port)” on page 48
• “EAPoL static-based security mode” on page 52
• “Non-standard 802.1x guest VLAN” on page 54
• “Enabling multiple EAPoL sessions per port” on page 59
• “EAPoL dynamic VLAN assignment” on page 67
• “RADIUS MAC centralization” on page 68
• “Working with RADIUS” on page 71
• “RADIUS configuration prerequisites for EAPoL” on page 72
• “System requirements” on page 77

EAPoL terminology

Some components and terms used with EAPoL-based security are:

• Supplicant, which is a device, such as a PC, that applies for access to the network.
• Authenticator, which is software on the Ethernet Routing Switch 8300 that authorizes or rejects a supplicant attached to the other end of a LAN segment.
• Authentication Server, which is a RADIUS server that provides authorization services to the authenticator.
• Port Access Entity (PAE), which is software that controls each port on the switch. The PAE, which resides on the Ethernet Routing Switch 8300, supports the authenticator and supplicant functionalities.
• Controlled port, which is any port on the switch with EAPoL enabled.

Standard 802.1x configuration (single supplicant per port)

The Authenticator facilitates the authentication exchanges that occur between the Supplicant and the Authentication Server. The Authenticator PAE encapsulates the EAPoL message into a RADIUS packet and then sends the packet to the Authentication Server.

The Authenticator also determines each controlled port’s operational state. At system initialization, or when a Supplicant initially connects to one of the switch’s controlled ports, the controlled port’s state is set to Blocking (unless Guest VLAN or allow-non-eap-mac is set to enabled). After the Authentication Server notifies the Authenticator PAE about the success or failure of the authentication, the Authenticator changes the controlled port’s operational state accordingly.

The Ethernet Routing Switch 8300 switch transmits and receives EAPoL frames, regardless of whether the port is authorized or unauthorized. Non-EAPoL frames are transmitted according to the rules below:

• If authentication succeeds, the controlled port’s operational state is set to Forwarding. This means that all the incoming and outgoing traffic is allowed through the port.
• If authentication fails, the controlled port forwards traffic according to how you configure the port’s traffic control. The traffic control command can have one of the following two values:
— Incoming and Outgoing—All non-EAPoL frames received on the controlled port are discarded, and the controlled port’s state is set to Blocking.
— Incoming—All non-EAPoL frames received on the port are discarded, but transmit frames are forwarded through the port.


Configuration example

Figure 6 illustrates the EAPoL standard packet path between a supplicant, the authenticator (Ethernet Routing Switch 8300), and the RADIUS server.

Figure 6 EAPoL standard 802.1x packet path example

[Figure 6: sequence diagram between the new client PC (Supplicant), the Ethernet Routing Switch 8300 (Authenticator), and the RADIUS server (Authentication Server), showing the numbered exchanges 1 Request ID, 2 Send ID, 3 Forward ID, 4 Request password, 5 Forward request for password, 6 Send password, 7 Forward password, 8 Authenticate new client, 9 Grant access to network, 10 Access network.]

In the above example, the Ethernet Routing Switch 8300 uses the following steps to authenticate a new client:

1 The Ethernet Routing Switch 8300 detects a new connection on one of its EAPoL-enabled ports and requests a user ID from the new client PC.
2 The new client sends its user ID to the switch.
3 The switch uses RADIUS to forward the user ID to the RADIUS server.
4 The RADIUS server responds with a request for the user’s password.
5 The switch forwards the RADIUS server’s request to the new client.
6 The new client sends an encrypted password to the switch, within the EAPoL packet.
7 The switch forwards the EAPoL packet to the RADIUS server.
8 The RADIUS server authenticates the password.
9 The switch grants the new client access to the network.
10 The new client accesses the network.

Note: If the RADIUS server cannot authenticate the new client, the client is denied access to the network unless Guest VLAN and allow-non-eap-mac is enabled.

To operate your Ethernet Routing Switch 8300 in the standard legacy 802.1x security mode, prepare the switch as follows:

1 Globally enable EAPoL on your switch.
2 Configure a RADIUS server to include existing user accounts, and set the EAPoL configurations with usedby set for each account.
3 Set the EAPoL port properties to Admin-state Auto.

Note: You cannot enable Guest VLAN or multi-host support while in the standard legacy 802.1x security mode.

Figure 7 on page 51 shows how the Ethernet Routing Switch 8300 responds to a port request when in this operational mode.


Figure 7 Standard 802.1x operational mode example

[Figure 7: flowchart. Port linkup (restart). Hosts respond to EAPoL Id request? No: block all traffic, except EAPoL. Yes: start EAPoL supplicant process. EAPoL supplicant process successful? No: install discard filter for this MAC address. Yes: create 802.1x host Id and start PAE state; forward all ingress and egress traffic. Key: off-page reference, on-page reference.]


EAPoL static-based security mode

This section describes the configuration prerequisites for operating your Ethernet Routing Switch 8300 in the EAPoL static-based security mode.

When you operate the Ethernet Routing Switch 8300 in the EAPoL static-based security mode, the switch allows you to statically add up to eight hosts to the port MAC address table, while maintaining EAPoL security safeguards.

When in this mode, the non-eap-mac feature allows you to override the PAE-state machine.

Note: The EAPoL static-based security mode allows all configured hosts to have complete access to the same broadcast/unicast data on the port.

Port behavior using this type of operational mode resembles that of a shared media concept, where you can insert a hub between the switch port and the hosts. In this mode, you can configure up to eight non-eap-mac hosts. Once enabled, MAC addresses of only eight hosts are learned or allowed. If the Ethernet Routing Switch 8300 senses more than eight hosts, the discard record is set for the new host.

To operate your Ethernet Routing Switch 8300 in the EAPoL static-based security mode, prepare the switch as follows:

1 Globally enable EAPoL on your switch.
2 Configure a RADIUS server to include existing user accounts, and set the EAPoL configurations with usedby set for each account.
3 Set the EAPoL port properties to Admin-state Auto.
4 Disable non-eap-mac and add each MAC address in the format of XX:XX:XX:XX:XX:XX.
5 Enable non-eap-mac. The switch is now ready to accept frames from only the specified MACs.


Figure 8 shows how the Ethernet Routing Switch 8300 responds to a port request when in this operational mode.

Figure 8 EAPoL static-based security example

[Figure 8: flowchart. Port linkup (restart). Hosts respond to EAPoL Id request? Yes: start EAPoL supplicant process; if the EAPoL supplicant process is successful, create 802.1x host Id and start PAE state and forward all ingress and egress traffic, otherwise install discard filter for this MAC address. No: for a configured non-eap-mac host, learn MAC address in FDB and forward its traffic; otherwise block all traffic for this specific MAC address. Key: off-page reference, on-page reference.]


Non-standard 802.1x guest VLAN

This section describes how the Ethernet Routing Switch 8300 allows you to set up a guest VLAN for users connected on EAPoL-enabled ports.

This section includes the following topics:

• “Guest VLAN”, next
• “Guest VLAN security mode” on page 56
• “Configuration guidelines for setting up a guest VLAN” on page 58

Guest VLAN

You can configure the switch to allow users connected on EAPoL-enabled ports access to a guest network (with restricted access until the port is authenticated).

This feature allows network access to users through the guest VLAN. A typical application for this scenario is for network partners, who are not currently registered, but can use the guest VLAN to register.

Note: In the following scenario, there is only one user, or one personal computer (PC). IP telephones and PCs that do not have EAPoL stacks can also access the guest VLAN. If any device that has been given guest access is authenticated, the port moves to the assigned VLAN.

Your Ethernet Routing Switch 8300 uses the following steps to enable the guest VLAN (refer to Figure 9 on page 55):

1 If Guest VLAN is enabled, the Ethernet Routing Switch 8300 moves EAPoL-enabled ports to the guest VLAN (Item 1 in Figure 9 on page 55).
2 When the Ethernet Routing Switch 8300 detects a new connection on one of its EAPoL-enabled ports, the switch requests a user Id from the new client (Items 2 and 3 in Figure 9 on page 55).
3 When the new client replies with a user Id and password, the authenticator sends the information to the RADIUS server for authentication (Items 4 and 5 in Figure 9).
4 If the RADIUS server authenticates the new client, the port is placed in the assigned VLAN; otherwise, it remains in the Guest VLAN (Items 6 and 7 in Figure 9).

Figure 9 Accessing the guest VLAN

[Figure 9: sequence diagram between the new client PC (Supplicant), the Ethernet Routing Switch 8300 (Authenticator) with Guest VLAN enabled on its EAPoL-enabled ports, and the RADIUS server (Authentication Server): 1 EAPoL-enabled ports to Guest VLAN, 2 Port linkup, 3 Request User Id, 4 Send User Id and password, 5 Forward User Id and password, 6 Authenticate new client, 7 Place port in assigned VLAN; a failed attempt restarts the EAPoL session.]


Guest VLAN security mode

This section describes the configuration prerequisites for operating your Ethernet Routing Switch 8300 in the EAPoL Guest VLAN security mode. In this mode, only a single untrusted host is supported on EAPoL-enabled ports.

For this operating mode, although the host is untrusted, the Ethernet Routing Switch 8300 allows the host access to the network, as follows:

1 If the host responds to an EAPoL Identity Request, the host is treated similarly to an 802.1x supplicant and enters the EAP authentication phase.
2 If EAPoL authentication is successful, the host is moved to the assigned VLAN.
3 If EAPoL authentication fails, or if there is no response to the EAPoL Identity Request, the port is moved to the Guest VLAN.

To operate your Ethernet Routing Switch 8300 in the EAPoL Guest VLAN security mode, prepare the switch as follows:

1 Globally enable EAPoL on your switch.
2 Set the EAPoL port properties to Admin-state Auto.
3 Globally configure Guest VLAN ID on your switch.
4 Enable Guest VLAN support on the switch ports.

Note: You cannot use Guest VLANs with multihost set to enabled.

Note: The Guest VLAN feature only allows one MAC address to be learned. If a second MAC address is learned, a discard filter is installed for any additional MAC addresses learned by the switch.


Figure 10 shows how the Ethernet Routing Switch 8300 responds to a port request when in this operational mode.

Figure 10 EAPoL Guest VLAN security example

[Figure 10: flowchart. Port linkup. Hosts respond to EAPoL Id request? No: learn host MAC address; the port stays in the Guest VLAN until a host responds. Yes: start EAPoL supplicant process. EAPoL supplicant process successful? No: port remains in Guest VLAN. Yes: port is moved to assigned VLAN; create 802.1x host Id and start PAE state; forward all ingress and egress traffic. Key: off-page reference, on-page reference.]


Configuration guidelines for setting up a guest VLAN

• You must configure a global default guest VLAN (refer to “Configuring guest networks:” on page 59).
• Guest VLAN Support is a per-port option. You can enable Guest VLANs with a valid Guest VLAN Id, per port. If the local Guest VLAN Id is not valid, you can still enable Guest VLAN features, as long as the configured global Guest VLAN Id is valid.
• The Guest VLAN must be a port-based VLAN.
• The Guest VLAN configuration settings are saved across resets.
• If the port authorization fails, the port is placed back into the Guest VLAN, and an authentication failure error log message is displayed.
• This feature affects ports in the EAP-Auto administrative state. It does not affect ports with force-authorized or force-unauthorized administrative state.
• When the port is EAPoL-enabled:
— If Guest VLAN is enabled, the port is placed in the Guest VLAN (for example, the port PVID = Guest VLAN Id).
— If Guest VLAN is not enabled, the port only services EAPoL packets until it is Authenticated. Although the port may be preconfigured with an association with a specific VLAN, only EAPoL packets are processed until Authentication is complete and successful.
— You cannot modify the Guest VLAN Id on an EAPoL-enabled port with Guest VLAN set to enabled.
• When the port is EAPoL-disabled, the port is placed back into the preconfigured VLAN.
• EAP Authentication:
— Upon successful Authentication, the port is placed in a preconfigured VLAN or a RADIUS-assigned VLAN.
— Upon Authentication Failure, if Guest VLAN is enabled, the port will be placed in a Guest VLAN. If Guest VLAN is not enabled, the port only services EAPoL packets.
• Explicit Log Off by the supplicant:
— If Guest VLAN is enabled, the port is placed in the Guest VLAN (for example, the port PVID = Guest VLAN Id).
— If Guest VLAN is not enabled, the port only services EAPoL packets.
• ReAuthentication can be enabled for the authenticated MAC address. If ReAuthentication fails, the port is placed back into the Guest VLAN.

Configuring guest networks:

You can configure a guest VLAN using the NNCLI, CLI, or Device Manager.

• To configure a guest VLAN using the NNCLI, refer to Chapter 13, “Configuring EAPoL using the NNCLI,” on page 217.
• To configure a guest VLAN using the CLI, refer to Chapter 14, “Configuring EAPOL using the CLI,” on page 249.
• To configure a guest VLAN using Device Manager, refer to Configuring and Managing Security using Device Manager (part number 317346-C).

Enabling multiple EAPoL sessions per port

The multiple EAPoL feature allows for two modes of operation:

• “Basic EAPOL multihost-based security” on page 60. When in this operational mode, the Ethernet Routing Switch 8300 supports up to eight EAPoL supplicants on a single switch port. If more than eight EAPoL supplicants are sensed by the Ethernet Routing Switch 8300, the port is shut down and a console message and trap are sent to Device Manager.
• “Enhanced EAPOL multihost-based security” on page 62. When in this operational mode, the Ethernet Routing Switch 8300 supports up to eight authenticated 802.1x EAPoL supplicants and, in addition, up to eight non-EAPoL MAC-based hosts can be supported on a single switch port.


Basic EAPOL multihost-based security

This section describes the configuration prerequisites for operating your Ethernet Routing Switch 8300 in the Basic EAPoL multihost-based security mode.

When you operate your Ethernet Routing Switch 8300 in the Basic EAPoL multihost-based security mode, your switch supports up to eight EAPoL supplicants on a single switch port. If the Ethernet Routing Switch 8300 senses more than eight EAPoL supplicants on the port, the port is blocked, a warning message is displayed on the console, and a trap is sent to the Device Manager application.

To operate your Ethernet Routing Switch 8300 in the Basic EAPoL multihost-based security mode, prepare the switch as follows:

1 Globally enable EAPoL on your switch.
2 Configure a RADIUS server to include existing user accounts, and set the EAPoL configurations with “usedby” set for each account.
3 Set the EAPoL port properties to Admin-state Auto.
4 Set the multi-host parameter to enable, and set the max-allowed-hosts value to the desired number of hosts.

Figure 11 on page 61 shows how the Ethernet Routing Switch 8300 responds to a port request when in this operational mode.


Figure 11 Basic EAPoL multihost-based security example

[Figure 11: flowchart. Port linkup (restart). Hosts respond to EAPoL Id request? No: block all traffic for this specific MAC address. Yes: start EAPoL supplicant process. EAPoL supplicant process successful? No: install discard filter for this MAC address. Yes: create 802.1x host Id and start PAE state; forward all ingress and egress traffic. Key: off-page reference, on-page reference.]


Enhanced EAPOL multihost-based security

You can configure your Ethernet Routing Switch 8300 to allow multiple EAPoL clients and non-EAPoL clients to be connected on the same EAPoL-enabled port. Each client has to be authenticated before it can access the network.

Traffic from unauthorized hosts is allowed on the controlled port as long as there is one authorized host on that port. To restrict network access for non-EAPoL clients, you add only the MAC addresses of trusted clients to the allowed MAC address list. Traffic from all other clients, whose MAC address is not present in the allowed MAC address list, is discarded.

This section includes the following topics:

• “Multiple EAPoL client example”, next
• “Prerequisites for using the Enhanced multihost-based security mode” on page 63
• “Configuration guidelines for setting up multiple EAPoL sessions per port” on page 66

Multiple EAPoL client example

A typical application for this feature is a 2-port switch included in an IP telephone, which provides connectivity for the IP phone and the connected station (refer to Figure 12 on page 63).


Figure 12 Multiple EAPoL client example

[Figure 12: topology. A Nortel IP telephone with an internal 2-port switch is the supplicant on EAPoL port 8/1 of the Ethernet Routing Switch 8300; a new client PC is connected behind the IP telephone (acting as a hub); the switch reaches the RADIUS authentication server S1.]

Prerequisites for using the Enhanced multihost-based security mode

This section describes the configuration prerequisites for operating your Ethernet Routing Switch 8300 in the Enhanced EAPoL Multihost-based security mode.

When you operate your Ethernet Routing Switch 8300 in the EAPoL Multihost-based security (with EAPoL MAC-based security) mode, you can add up to eight authenticated 802.1x supplicants on a single switch port and, in addition to the eight authenticated 802.1x supplicants, you can add up to eight more non-EAPoL MAC-based hosts.

This port behavior is similar to the shared media concept, where you can connect a hub or an IP telephone to the switch port. This mode is designed with IP telephones in mind, where you can have a non-EAPoL IP Telephone together with a host that does not support EAPoL. If the IP Telephone does not support EAP authentication, you must enter the IP Telephone’s MAC address in the “allow non-eap-mac” table. If the IP Telephone does support EAPoL, then the remaining eight non-EAPoL MAC-based hosts can be any host-type desired.


When in this mode, a new non-eap-mac feature allows you to override the PAE state machine.

Note: This mode allows all configured hosts to have complete access to the same broadcast/unicast data on this port.

To operate your Ethernet Routing Switch 8300 in the EAPoL Multihost-based security (with EAPoL MAC-based security) mode, prepare the switch as follows:

1 Globally enable EAPoL on your switch.
2 Configure a RADIUS server to include existing user accounts, and set the EAPoL configurations with “usedby” set for each account.
3 Set the EAPoL port properties to Admin-state Auto.
4 Set Multi-host to enable and define the maximum number of hosts desired for this port.
5 Disable allow-non-eap-mac and add up to eight non-eap-mac MAC addresses in the format of XX:XX:XX:XX:XX:XX.
6 Enable allow-non-eap-mac.

Figure 13 on page 65 shows how the Ethernet Routing Switch 8300 responds to a port request when in this operational mode.


Figure 13 Enhanced EAPoL multihost-based security example

[Figure 13: flowchart. Port linkup (restart). Hosts respond to EAPoL Id request? Yes: start EAPoL supplicant process; if the EAPoL supplicant process is successful, create 802.1x host Id and start PAE state and forward all ingress and egress traffic, otherwise install discard filter for this MAC address. No: for a configured non-eap-mac host, learn MAC address in FDB and forward its traffic; otherwise block all traffic for this specific MAC address. Key: off-page reference, on-page reference.]


Configuration guidelines for setting up multiple EAPoL sessions per port

The following list provides configuration guidelines for setting up multiple EAPoL sessions per port:

When multiple hosts is enabled per port:

• Upon the first successful authentication:
— Only EAPoL packets and data from the allowed MAC address are allowed on that port.
— As subsequent authentications complete, those MAC addresses are allowed as well. Only a predefined maximum number of authenticated users (MAC addresses) are allowed on a port.
• If allow-non-eap-clients is disabled on the port, any traffic coming from non-EAPoL MAC addresses is discarded.
• If allow-non-eap-clients is enabled on the port, the MAC address is checked against the list of allowed MAC addresses in the non-eap-mac list. If the MAC address is not in the list, the traffic to and from the MAC address is discarded.
• The default value for multiple authenticated host support, and for non-EAPoL clients, is 1.
— The maximum number of multiple authenticated clients that you can configure on a port is eight.
— The maximum number of non-authenticated clients that you can configure on a port is eight.
• When the port is configured for multiple authentications, the control directions state machine is disabled.
• When the port is configured for multiple authentications, dynamic VLAN assignment from RADIUS is disabled.

When multiple hosts is disabled per port:
• All MAC addresses created by EAPoL with discard bits set are deleted.

When EAPoL is disabled on the port:
• All MAC addresses created by EAPoL with discard bits set are deleted.
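The admission rules in the guidelines above, together with the max-non-eap-clients and shut-down-on-intrusion behaviour described under “RADIUS MAC centralization” later in this chapter, as an added decision model (example code, not Nortel’s implementation). Field names are the example’s own; the RADIUS lookup for an unknown non-EAP MAC is not modelled, so such a MAC simply receives a discard record.

```python
"""Admission rules for a port running multiple EAPoL sessions.

Added example, not switch code. It encodes the per-port guidelines
(max-allowed-hosts, allow-non-eap-clients, the non-eap-mac list) and the
max-non-eap-clients / shut-down-on-intrusion behaviour as plain decision
functions so the outcome for a given configuration can be checked offline.
Field names are the example's own, not switch CLI parameters.
"""
from dataclasses import dataclass, field

MAX_EAP_HOSTS = 8      # at most eight authenticated 802.1x supplicants per port
MAX_NON_EAP_HOSTS = 8  # at most eight non-EAPoL MAC-based hosts per port


@dataclass
class Port:
    """Static configuration plus the runtime state the rules consult."""
    multi_host: bool = False
    max_allowed_hosts: int = 1               # authenticated supplicants allowed
    allow_non_eap_clients: bool = False
    non_eap_macs: set = field(default_factory=set)    # allow non-eap-mac list
    max_non_eap_clients: int = 1
    shut_down_on_intrusion: bool = False
    authenticated: set = field(default_factory=set)   # MACs that passed EAP
    discard_records: set = field(default_factory=set) # MACs with a discard filter
    unknown_non_eap: set = field(default_factory=set) # non-EAP MACs not in the list
    admin_state: str = "auto"                # auto | force-unauthorized


def validate(port: Port) -> None:
    """Reject a configuration outside the documented limits."""
    if not port.multi_host and port.max_allowed_hosts != 1:
        raise ValueError("only one supplicant per port unless multi-host is enabled")
    if not 1 <= port.max_allowed_hosts <= MAX_EAP_HOSTS:
        raise ValueError("max-allowed-hosts must be between 1 and 8")
    if not 1 <= port.max_non_eap_clients <= MAX_NON_EAP_HOSTS:
        raise ValueError("max-non-eap-clients must be between 1 and 8")
    if len(port.non_eap_macs) > MAX_NON_EAP_HOSTS:
        raise ValueError("at most eight non-eap-mac entries per port")


def eap_result(port: Port, mac: str, success: bool) -> str:
    """Apply one supplicant's EAP outcome; returns 'forward' or 'discard'."""
    if port.admin_state != "auto":
        return "discard"                     # port was forced unauthorized
    if not success:
        port.discard_records.add(mac)        # discard filter for this MAC
        return "discard"
    if mac not in port.authenticated and len(port.authenticated) >= port.max_allowed_hosts:
        port.discard_records.add(mac)        # over the predefined maximum
        return "discard"
    port.authenticated.add(mac)
    port.discard_records.discard(mac)
    return "forward"


def non_eap_frame(port: Port, mac: str) -> str:
    """Decide a data frame from a host that has not authenticated with EAP."""
    if port.admin_state != "auto":
        return "discard"
    if mac in port.authenticated:
        return "forward"
    if not port.allow_non_eap_clients:
        return "discard"                     # all non-EAPoL MACs discarded
    if mac in port.non_eap_macs:
        return "forward"                     # statically allowed MAC
    if mac in port.discard_records:
        return "discard"
    # Unknown non-EAP MAC: it counts toward max-non-eap-clients.
    port.unknown_non_eap.add(mac)
    port.discard_records.add(mac)
    non_eap_count = len(port.non_eap_macs) + len(port.unknown_non_eap)
    eap_sessions_full = len(port.authenticated) >= port.max_allowed_hosts
    if (non_eap_count > port.max_non_eap_clients and eap_sessions_full
            and port.shut_down_on_intrusion):
        port.admin_state = "force-unauthorized"   # trap and log would follow
    return "discard"


def disable_multi_host(port: Port) -> None:
    """Multi-host (or EAPoL) disabled on the port: drop the discard-bit entries."""
    port.multi_host = False
    port.discard_records.clear()
    port.unknown_non_eap.clear()
```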


Configuring multiple EAPoL sessions per port:

You can configure multiple EAPoL sessions per port using the NNCLI, CLI, and Device Manager.

• To configure multiple EAPoL sessions using the NNCLI, refer to Chapter 13, “Configuring EAPoL using the NNCLI,” on page 217.
• To configure multiple EAPoL sessions using the CLI, refer to Chapter 14, “Configuring EAPOL using the CLI,” on page 249.
• To configure multiple EAPoL sessions using Device Manager, refer to Configuring and Managing Security using Device Manager (part number 317346-C).

EAPoL dynamic VLAN assignment

If EAPoL is enabled on a port, and then the port is authorized, the EAPoL feature dynamically changes the port’s VLAN configuration according to preconfigured values, and assigns a new VLAN. The new VLAN configuration values are applied according to previously stored parameters (based on the user_id) in the RADIUS server.

The following VLAN configuration values are affected:

• PVID
• Port priority

When EAPoL is disabled on a port that was previously authorized, the port’s VLAN configuration values are restored directly from the switch’s non-volatile random access memory (NVRAM).

The following exceptions apply to dynamic VLAN assignments:

• Dynamic VLAN assignment is not supported in multihost mode.
• The dynamic VLAN configuration values assigned by EAPoL are not stored in the switch’s NVRAM.
• You can override the dynamic VLAN configuration values assigned by EAPoL; however, be aware that the values you configure are not stored in NVRAM.
• When EAPoL is enabled on a port, and you configure values other than VLAN configuration values, those values are applied and stored in NVRAM.
• You cannot enable EAPoL on tagged ports or MLT ports.
• You cannot change the VLAN/STG membership of EAPoL authorized ports.

You set up your Authentication Server (RADIUS server) for EAPoL dynamic VLAN assignments. The Authentication Server allows you to configure user-specific settings for VLAN memberships and port priority.

When you log on to a system that has been configured for EAPoL authentication, the Authentication Server recognizes your user ID and notifies the switch to assign preconfigured (user-specific) VLAN membership and port priorities to the switch. The configuration settings are based on configuration parameters that were customized for your user ID and previously stored on the Authentication Server.

RADIUS MAC centralization

This feature allows the centralization of MAC addresses for non-EAP clients (typically IP phones). An enable/disable flag is provided at the system level to globally enable/disable the RADIUS MAC centralization feature. Enabling RADIUS MAC centralization at port level takes effect only if the global flag is enabled.

Multiple clients can be connected to an EAP-enabled port (with multi-host feature enabled). Each of these clients must be authenticated to gain access to the network.

With allow-non-eap-clients enabled, traffic from the unauthorized host is allowed on the port. To restrict access to the non-EAP clients, the MAC address of that client must be added to the non-EAP MAC list. Traffic from clients that do not have a MAC address in the non-EAP MAC list undergoes RADIUS-based MAC authentication.

Note: To restrict access to the non-EAP clients, the MAC address (username) of the client that is to be allowed access to the network, and its corresponding password must be configured on the RADIUS server.


For a non-EAP client to be authenticated with RADIUS-based MAC authentication, an Access-Request packet is sent to the RADIUS server with the username and password attributes. The username is the MAC address of the non-EAP host. The password is a string composed of the following, and in this order:

• source-IP (configured using the config radius server create secret usedby eapol source-IP command)
• MAC address of the non-EAP host
• slot number and port through which the non-EAP host is connected to the switch

Note: If the source IP is not configured, the IP address 0.0.0.0 is used in the password string (password string contains 000000000000 as the IP string).

The generated password is encrypted using MD5 hashing before the Access-Request packet is sent to the RADIUS server. If an entry is present for the non-EAP user, then the RADIUS server authenticates the user by sending an Access-Accept packet to the switch.

Traffic from a non-EAP client that does not have a MAC address present in the non-EAP MAC list, and that cannot be authenticated by the RADIUS server, is discarded and a log message is generated.

The user can configure the number of non-EAP clients allowed for each port by configuring max-non-eap-clients. The max-non-eap-clients is the sum of the number of non-EAP clients statically configured in the allowed list and the number of non-EAP clients authenticated/rejected/pending by the RADIUS server.

The config ethernet eapol non-eap-mac shut-down-on-intrusion enable/disable CLI command allows the user to choose whether to shut down the port when the max-non-eap-clients limit is reached and the current number of EAP sessions has reached the configured maximum number of EAP sessions. By default, this option is disabled.

Configuring and Managing Security using the NNCLI and CLI


If the user opts for shutdown, when non-eap-client [max + 1] is attained, with the maximum number of EAP sessions already reached, the port is shut down by changing the port state from auto to force-unauthorized. Trap and log messages are also added. If the user opts not to allow shutdown, a discard record is added for the non-EAP client, and trap and log messages are sent.

When RADIUS MAC centralization is enabled, and the allow-non-eap-mac feature is enabled, the MAC address of a non-EAP client connecting to the switch is checked against the non-EAP MAC list. There are two possible outcomes:

• If the user's MAC address is found in the non-EAP MAC list, the user is allowed access to the network.
• If the user's MAC address is not in the non-EAP MAC list, an Access-Request packet is sent to the RADIUS server with the username and password attributes. A discard record is added for this MAC address until the RADIUS server authenticates it. The port is in a forwarding state. When a response is received from the RADIUS server, the discard record is either cleared or retained, depending on the result of the authentication.

Upon successful authentication, the user is allowed access to the network. The MAC address is learned on the port. The MAC priority, returned by the RADIUS server, is assigned as the QoS for the non-EAP MAC address.

Dynamic assignment of VLANs is not done for non-EAP clients.

If the RADIUS server cannot authenticate the user, the src-discard/dst-discard bits per MAC can be set to drop the intruder MAC. Traffic from non-EAP clients that do not have a MAC address assigned in the non-EAP MAC list, nor in the user configuration file of the RADIUS server, is discarded and a log message is generated.

To view the non-EAP clients and their state (authenticated/rejected/pending), use the show port info eapol radius-non-eap-mac command.

If allow-non-eap-mac is disabled on the EAP-enabled port, any traffic from non-EAP MAC addresses is discarded using the src-discard/dst-discard bits for the non-EAP MAC.


The non-EAP host is re-authenticated every time the MAC address is learned. If the switch encounters an identical MAC address from another port, the non-EAP host must be re-authenticated on the port on which it was originally authenticated.

When RADIUS MAC centralization is disabled, but the allow-non-eap-mac feature is enabled, the MAC address of a non-EAP client connecting to the switch is checked against the non-EAP MAC list. There are two possible outcomes in this case:

• If the user's MAC address is found in the non-EAP MAC list, the user is allowed access to the network.
• If the user's MAC address is not in the non-EAP MAC list, the src-discard/dst-discard bits per MAC can be set to drop the intruder MAC. Traffic from the non-EAP client whose MAC address is not present in the non-EAP MAC list is discarded.

Working with RADIUS

RADIUS (Remote Access Dial-In User Services) is a distributed client/server system that authenticates users' identities against a central database. RADIUS is a fully open and standard protocol, defined by RFCs (authentication: RFC 2865; accounting: RFC 2866).

In the Ethernet Routing Switch 8300, RADIUS performs the following functions:

• RADIUS authentication lets you identify remote users before you give them access to a central network site.

A RADIUS application has two components, the RADIUS server and the RADIUS client.


The RADIUS server is a computer equipped with server software (for example, a UNIX* workstation) that is located at a central office or campus. It has authentication and access information in a form that is compatible with the client. Typically, the database in the RADIUS server stores client information, user information, password, and access privileges, including the use of “shared secret.” A network can have one server for both authentication and accounting, or one server for each service.

Note: RADIUS accounting is not supported for this release.

The RADIUS client can be a switch, router or a remote access server that is equipped with client software and that typically resides on the same local area network (LAN) segment as the server. The client is the network access point between the remote users and the server. In the configuration described in this manual (see Figure 6 on page 49), the RADIUS client software resides on the Ethernet Routing Switch 8300.

RADIUS configuration prerequisites for EAPoL

The RADIUS server should be connected to a force-authorized port. This ensures that the port is always available and not tied to whether the switch is EAPoL-enabled. To set up the Authentication Server, set the following “Return List” attributes for all user configurations (refer to your Authentication Server documentation):

• VLAN membership attributes
— Tunnel-Type: value 13, Tunnel-Type-VLAN
— Tunnel-Medium-Type: value 6, Tunnel-Medium-Type-802
— Tunnel-Private-Group-Id: ASCII value 1 to 4094 (this value is used to identify the specified VLAN). The value should be encoded as a string. For example, for VLAN 2, Tunnel-Private-Group-Id=''2''; for VLAN 10, Tunnel-Private-Group-Id=''10''.
• Port priority (vendor-specific) attributes
— Vendor Id: value 562, Nortel Vendor Id and value 1584, Bay Networks Vendor Id
— Attribute Number: value 1, Port Priority
— Attribute Value: value 0 (zero) to 7 (this value is used to indicate the port priority value assigned to the specified user)

RADIUS accounting for EAPoL

Ethernet Routing Switch 8300 supports accounting of EAPoL sessions using RADIUS accounting protocol. A user session is defined as the interval between the instance at which a user is successfully authenticated (port moves to authorized state) and the instance at which the port moves out of the authorized state.

Table 3 on page 74 summarizes the accounting events and the information logged.


Table 3 Summary of accounting events and information logged

Event: User is authenticated by EAPoL and port enters authorized state
RADIUS attributes:
  Acct-Status-Type: start
  Nas-IP-Address: IP address to represent Ethernet Routing Switch 8300
  Nas-Port: Port number on which the user is EAPoL authorized
  Acct-Session-Id: Unique string representing the session
  User-Name: EAPoL user name

Event: User logs off and port enters un-authorized state
RADIUS attributes:
  Acct-Status-Type: stop
  Nas-IP-Address: IP address to represent Ethernet Routing Switch 8300
  Nas-Port: Port number on which the user is EAPoL un-authorized
  Acct-Session-Id: Unique string representing the session
  User-Name: EAPoL user name
  Acct-Input-Octets: Number of octets input to the port during the session
  Acct-Output-Octets: Number of octets output to the port during the session
  Acct-Terminate-Cause: Reason for terminating user session. See Table 4 for the mapping of 802.1x session termination cause to RADIUS accounting attribute.
  Acct-Session-Time: Session interval

Table 4 on page 75 describes the mapping of 802.1x session termination cause to RADIUS accounting attribute.


Table 4 802.1x session termination mapping

IEEE 802.1X dot1xAuthSessionTerminateCause value -> RADIUS Acct-Terminate-Cause value
supplicantLogoff(1) -> User Request (1)
portFailure(2) -> Lost Carrier (2)
supplicantRestart(3) -> Supplicant Restart (19)
reauthFailed(4) -> Reauthentication Failure (20)
authControlForceUnauth(5) -> Admin Reset (6)
portReInit(6) -> Port Reinitialized (21)
portAdminDisabled(7) -> Port Administratively Disabled (22)
notTerminatedYet(999) -> N/A
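Table 3 and Table 4 together, as an added worked example that is not part of the manual or of the switch's own implementation: the Python below encodes the Start and Stop records of Table 3 as RADIUS accounting attributes, applies the Table 4 cause mapping when a Stop record is built, frames the Accounting-Request with the RFC 2866 Request Authenticator, and includes the server-side check that discards a packet built with a different shared secret or altered on the wire. The NAS IP address, port number, session id, user name and shared secret are constructed values; representing Nas-Port as one integer is an assumption.

```python
import hashlib
import hmac
import struct

# RADIUS code and attribute types (RFC 2865 / RFC 2866).
ACCOUNTING_REQUEST = 4
USER_NAME, NAS_IP_ADDRESS, NAS_PORT = 1, 4, 5
ACCT_STATUS_TYPE, ACCT_INPUT_OCTETS, ACCT_OUTPUT_OCTETS = 40, 42, 43
ACCT_SESSION_ID, ACCT_SESSION_TIME, ACCT_TERMINATE_CAUSE = 44, 46, 49
ACCT_START, ACCT_STOP = 1, 2

# Table 4: dot1xAuthSessionTerminateCause -> Acct-Terminate-Cause value.
TERMINATE_CAUSE = {
    1: 1,   # supplicantLogoff        -> User Request
    2: 2,   # portFailure             -> Lost Carrier
    3: 19,  # supplicantRestart       -> Supplicant Restart
    4: 20,  # reauthFailed            -> Reauthentication Failure
    5: 6,   # authControlForceUnauth  -> Admin Reset
    6: 21,  # portReInit              -> Port Reinitialized
    7: 22,  # portAdminDisabled       -> Port Administratively Disabled
}
NOT_TERMINATED_YET = 999  # live session: no Stop record exists yet


def attr(code, value):
    """One attribute in Type-Length-Value form; Length counts the 2-octet header."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", code, len(value) + 2) + value


def attr_int(code, n):
    return attr(code, struct.pack("!I", n))


def attr_ip(code, dotted):
    return attr(code, bytes(int(o) for o in dotted.split(".")))


def attr_str(code, s):
    return attr(code, s.encode())


def session_attrs(status, nas_ip, nas_port, session_id, user_name):
    """Attributes shared by the Start and Stop records of Table 3."""
    return (attr_int(ACCT_STATUS_TYPE, status) + attr_ip(NAS_IP_ADDRESS, nas_ip)
            + attr_int(NAS_PORT, nas_port) + attr_str(ACCT_SESSION_ID, session_id)
            + attr_str(USER_NAME, user_name))


def acct_stop_attrs(nas_ip, nas_port, session_id, user_name,
                    in_octets, out_octets, dot1x_cause, session_seconds):
    """Stop record: the shared attributes plus counters, the mapped
    termination cause and the session interval."""
    if dot1x_cause not in TERMINATE_CAUSE:
        raise ValueError("no Stop record for termination cause %r" % dot1x_cause)
    return (session_attrs(ACCT_STOP, nas_ip, nas_port, session_id, user_name)
            + attr_int(ACCT_INPUT_OCTETS, in_octets)
            + attr_int(ACCT_OUTPUT_OCTETS, out_octets)
            + attr_int(ACCT_TERMINATE_CAUSE, TERMINATE_CAUSE[dot1x_cause])
            + attr_int(ACCT_SESSION_TIME, session_seconds))


def accounting_request(identifier, secret, attributes):
    """Frame an Accounting-Request. RFC 2866: Request Authenticator =
    MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret)."""
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(attributes))
    authenticator = hashlib.md5(header + b"\x00" * 16 + attributes + secret).digest()
    return header + authenticator + attributes


def verify_accounting_request(packet, secret):
    """Server side: recompute the authenticator. A packet built with another
    secret, or modified after framing, fails and is silently discarded."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + b"\x00" * 16 + packet[20:] + secret).digest()
    return hmac.compare_digest(packet[4:20], expected)


def parse_attributes(packet):
    """Decode the attribute section into {type: [raw value, ...]}."""
    out, pos = {}, 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header at offset %d" % pos)
        code, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute at offset %d" % pos)
        out.setdefault(code, []).append(packet[pos + 2:pos + length])
        pos += length
    return out
```

A session whose cause is still notTerminatedYet(999) has no Acct-Terminate-Cause value, so the block refuses to build a Stop record for it rather than emitting a record with an invented cause.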

Configuring the Ethernet Routing Switch 8300 for EAP and RADIUS

The Ethernet Routing Switch 8300, through which UBP users connect, must be configured to communicate with the RADIUS server to exchange EAP authentication information, as well as user role information. You must specify the IP address of the RADIUS server, as well as the shared secret (a password that authenticates the device with the RADIUS server as an EAP access point). EAP must be enabled globally on each device, and EAP authentication settings must be set on each device port through which EAP/UBP users will connect.

Use the following procedure to set up the Ethernet Routing Switch 8300 for EAP and RADIUS:

1 Using the CLI, open a Telnet session.

2 Log in to the Ethernet Routing Switch 8300.


3 Enter the following command to create a RADIUS server to be used by EAPoL:

config radius server create secret usedby eapol

where:

— IPaddr is the IP address of your RADIUS server. This address tells the switch where to find the RADIUS server from which it will obtain EAP authentication and user role information.
— secretkey is the shared secret for RADIUS authentication. The shared secret is held in common by the RADIUS server and all EAP-enabled devices in your network. It authenticates each device with the RADIUS server as an EAP access point. When you configure your RADIUS server, you must use the same shared secret value that you use here.

4 Enter the following commands to enable the switch to communicate through EAP, and to globally enable session management:

config sys set eapol enable
config sys set eapol sess-manage true

Note: When OPS learns interfaces on the switch, it sets the config ethernet slot/port sess-manage-mode command to true on individual interfaces.

5 Enter the following commands to enable switch ports for EAP authentication:

config ethernet eapol admin-status auto
config ethernet eapol reauthentication true

6 Enter the following command to save your changes:

save

For more information about configuring RADIUS and EAP for the Ethernet Routing Switch 8300, see the appropriate chapters in this manual.

For more information about OPS and UBP, see the user documentation for your Optivity Policy Services 4.0 application.


System requirements

The following are minimum system requirements for EAPoL:

• Ethernet Routing Switch 8300 running software release 2.1 and higher
• RADIUS server
— Steel Belted RADIUS* (version 4.7 and 5.0)
— Microsoft IAS (Windows 2000 SP4)
— Zone Labs* (Identity Server 5.1)
— Free RADIUS
• EAPoL clients (XP/Linux*)
— 2000 SP4
— Microsoft Windows XP SP2
— Aegis* (version 2.2.1.27) available on Microsoft Windows 95 and beyond
— Odyssey Client Manager (version 3.0.3.01194) available on Microsoft Windows 95 and beyond
— Red Hat* 802.1x supplicant (version 9.0 with the appropriate package)

You must specify the Microsoft Windows 2000 IAS server (or any generic RADIUS server that supports EAP) as the primary RADIUS server for these devices. You must also configure your switch for VLANs (both protocol-based and port-based) and EAPoL security.

TACACS+

Ethernet Routing Switch 8300 supports the Terminal Access Controller Access Control System plus (TACACS+) client. TACACS+ is a security application implemented as a client/server-based protocol that provides centralized validation of users attempting to gain access to a router or network access server.

TACACS+ differs from RADIUS in two important ways:

• TACACS+ is a TCP-based protocol


• TACACS+ uses full packet encryption, rather than just encrypting the password (RADIUS authentication request)

Note: TACACS+ encrypts the entire body of the packet, but uses a standard TACACS+ header.

TACACS+ provides management of users who access a device through any of the management channels: Telnet, rlogin, FTP, SSH v1, and SSH v2.

During the login process, the TACACS+ client initiates TACACS+ authentication and authorization sessions with the server.

Note: Prompts for login and password occur prior to the authentication process. If both RADIUS and TACACS+ authentication are enabled, TACACS+ authentication always occurs before RADIUS authentication. If TACACS+ fails because there are no valid servers, then the username and password are used for RADIUS authentication. If RADIUS also fails, then the username and password are used for the local database. (That is, authentication is always attempted in the following order: TACACS+, RADIUS, the local database.) If TACACS+ returns an access denied packet, then the user is offered a new authentication attempt (login/password prompts are re-issued — the authentication process is not passed to RADIUS).
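The order of attempts in the note above, as an added example that is not part of the manual or of the switch software: the Python below models one login prompt cycle with three backends (TACACS+, RADIUS, local database) and keeps the distinction the note draws between a method that has no valid server, which is passed over, and a method that answers with an access-denied packet, which ends the attempt and re-issues the prompts. The manual states that rule explicitly only for TACACS+; applying it to a RADIUS rejection as well is an assumption. The server lists, the decision callbacks and the local user entries are constructed.

```python
from enum import Enum


class Verdict(Enum):
    ACCEPT = "accept"            # server (or local database) accepted the credentials
    DENIED = "denied"            # server answered and rejected the credentials
    UNAVAILABLE = "unavailable"  # no valid server could be reached for this method


def server_pool(servers):
    """Constructed stand-in for a configured server list. servers is a list of
    (reachable, decide) pairs with decide(user, password) -> Verdict. The first
    reachable server answers; if none is reachable the method is UNAVAILABLE."""
    def backend(user, password):
        for reachable, decide in servers:
            if reachable:
                return decide(user, password)
        return Verdict.UNAVAILABLE
    return backend


def local_database(users):
    """Local user database, always available. users maps name -> password
    (constructed plaintext entries for the example only)."""
    def backend(user, password):
        return Verdict.ACCEPT if users.get(user) == password else Verdict.DENIED
    return backend


def authenticate(user, password, tacacs, radius, local,
                 tacacs_enabled=True, radius_enabled=True):
    """One prompt cycle in the order TACACS+, RADIUS, local database.
    Returns ("accepted", method) or ("reprompt", method). A method is passed
    over only when it is disabled or UNAVAILABLE; an explicit DENIED ends the
    attempt (login/password prompts are re-issued) instead of falling through.
    The manual states this for TACACS+; doing the same for RADIUS is an assumption."""
    chain = []
    if tacacs_enabled:
        chain.append(("tacacs+", tacacs))
    if radius_enabled:
        chain.append(("radius", radius))
    chain.append(("local", local))
    for method, backend in chain:
        verdict = backend(user, password)
        if verdict is Verdict.ACCEPT:
            return ("accepted", method)
        if verdict is Verdict.DENIED:
            return ("reprompt", method)
    return ("reprompt", "local")  # not reached: the local backend never reports UNAVAILABLE
```

The practical consequence for monitoring is that a burst of "reprompt" outcomes attributed to the local database means every configured TACACS+ and RADIUS server was unreachable, not that the servers rejected the user.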

TACACS+ architecture

You can configure TACACS+ on the Ethernet Routing Switch 8300 using the following methods:

• Connect the TACACS+ server through a local interface (see Figure 14 on page 79). Management PCs can reside on the out-of-band management port, serial port, or on the corporate network. The TACACS+ server is placed on the corporate network so that it can be routed to the Ethernet Routing Switch 8300.
• Connect the TACACS+ server through the management interface using an out-of-band management network (see Figure 15 on page 79).


Figure 14 Connecting the TACACS+ server through a local interface
(figure not reproduced; elements shown: corporate network, management PC, TACACS+ server, Ethernet Routing Switch 8300)

Figure 15 Connecting the TACACS+ server through the management interface
(figure not reproduced; elements shown: out-of-band management network, management PC, Ethernet Routing Switch 8300, TACACS+ server 1, TACACS+ server 2)

Multiple TACACS+ servers can be configured for backup authentication in both the local interface and out-of-band management network scenarios. The primary authentication server will be determined by server priority.

TACACS+ authentication

TACACS+ authentication offers complete control of authentication through login/password dialog and response. The authentication session provides username/password functionality.


TACACS+ authorization

The transition from the TACACS+ authentication to authorization phase is transparent to the user. Upon successful completion of the authentication session, an authorization session starts with the authenticated username. The authorization session provides access level functionality.

TACACS+ access levels

TACACS+ supports six Ethernet Routing Switch 8300 access levels. Table 5 shows the scheme used to map the access levels to TACACS+ privilege levels.

Table 5 Ethernet Routing Switch 8300 access levels

Ethernet Routing Switch 8300 access level -> Privilege level
None (0) -> 0
READ ONLY (1) -> 1
L1 READ WRITE (2) -> 2
L2 READ WRITE (3) -> 3
L3 READ WRITE (4) -> 4
READ WRITE (5) -> 5
READ WRITE ALL (6) -> 6

Note: This version of TACACS+ does not support any other TACACS+ arguments in authorization requests, such as cmd, cmd-arg, acl, zonelist, addr, routing, and so on. If you attempt to configure any argument in authorization requests (other than access level and privilege level), the TACACS+ request is dropped by the switch and an error is recorded to system log.

Chapter 2 Setting passwords and locking ports using the NNCLI

This chapter describes how to set passwords and lock ports using the NNCLI. It includes the following topics:

Topic (page)
Changing passwords (82)
Resetting passwords (83)
Setting the port lock (83)

Roadmap of NNCLI password and lock port commands

The following roadmap lists the NNCLI password and lock port commands and their parameters. Use this list as a quick reference or click on any entry for more information:

Command / Parameter
username level {l1|l2|l3|ro|rw|rwa}
portlock on
portlock off


Changing passwords

The Ethernet Routing Switch 8300 is shipped with default passwords set for access to the NNCLI. To set new passwords for each access level or to change the login or password for the different access levels of the switch, use the following command from Global configuration mode:

username level {l1|l2|l3|ro|rw|rwa}

where:
string is the login name. The name can be up to 20 alphanumeric characters.
l1 changes the layer 1 read/write login and/or password.
l2 changes the layer 2 read/write login and/or password.
l3 changes the layer 3 read/write login and/or password.
ro changes the read-only login and/or password.
rw changes the read/write login and/or password.
rwa changes the read/write/all login and/or password.

Configuration example: passwords

The following configuration example uses the commands described above to:

• Change the “ro” username to “test”.
• Change the old password of “ro” to “12345”.
• View the modified access level information.

Figure 16 on page 83 shows sample output using these commands.


Figure 16 config cli password command sample output

Passport-8310:6(config)# username test level ro
Enter the old password : **
Enter the New password : ******
Re-enter the New password : ******
Password changed successfully
Passport-8310:6(config)# show username
ACCESS  LOGIN
rwa     rwa
rw      rw
l3      l3
l2      l2
l1      l1
ro      test
Passport-8310:6(config)#

Resetting passwords

For recovery (passwords lost), you have to reset the switch and then apply the following command in Boot Monitor mode:

monitor# reset-passwd

For other issues related to passwords, please contact Nortel customer support.

Setting the port lock

The port lock feature allows you to administratively lock a port or ports to prevent other users from changing port parameters or modifying port action. Locked ports cannot be modified in any way until the port is first unlocked.


Enabling port lock

To enable the port lock feature globally, use the following command from Global configuration mode:

portlock on

To enable the port lock feature for a specific port or ports, use the following command from Interface configuration mode:

interface FastEthernet slot/port[-][,...] lock port ][,...]

Disabling port lock

To disable the port lock feature globally, use the following command from Global configuration mode:

portlock off

To disable the port lock feature for a specific port or ports, use the following command from Interface configuration mode:

interface FastEthernet slot/port[-][,...] no lock port ][,...]

Chapter 3 Setting passwords and locking ports using the CLI

This chapter describes how to set passwords and lock ports using the Ethernet Routing Switch 8300 CLI. It includes the following topics:

Topic (page)
Changing passwords (86)
Resetting passwords (88)
Setting the port lock (88)

Roadmap of CLI password and port lock commands

The following roadmap lists the CLI password and lock port commands and their parameters. Use this list as a quick reference or click on any entry for more information:

Command / Parameter
config cli password
  info
  ro
  l1
  l2
  l3
  rw
  rwa
config sys set portlock


Changing passwords

The Ethernet Routing Switch 8300 is shipped with default passwords set for access to the CLI. To set new passwords for each access level or to change the login or password for the different access levels of the switch, use the following command:

config cli password

This command includes the following options:

config cli password followed by:
info Shows current level parameter settings.
ro Changes the read-only login and/or password. username is the login name.
l1 Changes the layer 1 read/write login and/or password. username is the login name.
l2 Changes the layer 2 read/write login and/or password. username is the login name.
l3 Changes the layer 3 read/write login and/or password. username is the login name.
rw Changes the read/write login and/or password. username is the login name.
rwa Changes the read/write/all login and/or password. username is the login name.


Configuration example: passwords

The following configuration example uses the commands described above to:

• Change the “ro” username to “test.”
• Change the old password of “ro” to “12345.”
• View the modified access level information.

Figure 17 shows sample output using these commands.

Figure 17 config cli password command sample output

Passport-8310:5# config cli password ro test
Enter the old password : **
Enter the New password : ******
Re-enter the New password : ******
Password changed successfully
Passport-8310:5# config cli password info
Sub-Context: clear config monitor show test trace
Current Context:
ACCESS  LOGIN
rwa     rwa
rw      rw
l3      l3
l2      l2
l1      l1
ro      test
Passport-8310:5#


Resetting passwords

For recovery (passwords lost), you have to reset the switch and then apply the following command in Boot Monitor mode:

monitor# reset-passwd

For any other issue related to passwords, please contact Nortel customer support.

Setting the port lock

The Port Lock feature allows you to administratively lock a port or ports to prevent other users from changing port parameters or modifying port action. Locked ports cannot be modified in any way until the port is first unlocked.

To enable or disable the port lock feature globally, use the following command:

config sys set portlock

where:
on locks all ports.
off unlocks all ports.

To enable or disable the port lock feature for a specific port or ports, use the following command:

config ethernet ][,...] lock

where:
true locks the specified port or ports.
false unlocks the specified port or ports.

Chapter 4 Configuring access policies using the NNCLI

You can control access to the switch by creating an access policy. An access policy specifies the hosts or networks that can access the switch through various services, such as Telnet, SSH, HTTP, FTP, TFTP, or rlogin. You can enable or disable access services by setting flags from the Boot Monitor CLI or the NNCLI.

Note: To access the backup CPU using the peer rlogin command, you must set an access policy that enables rlogin access to the backup CPU. See Getting Started (316799-C) for more information about the peer rlogin command.

For information about enabling access services for a specific policy using the NNCLI, see “Enabling or disabling an access policy” on page 99.

You can define network stations explicitly allowed to access the switch or network stations explicitly forbidden to access the switch. For each service you can also specify the level of access, such as read-only or read/write/all.

When you set up access policies, you can either:

• Globally enable the access policy feature, and then create and enable individual policies. Each policy takes effect immediately when you enable it.
• Create and enable individual access policies, and then globally enable the access policy feature to activate all the policies at the same time.


This chapter includes the following topics:

Topic (page)
Roadmap of NNCLI access policy commands (90)
Enabling and disabling the access policy feature globally (92)
Configuring access policies (92)

Roadmap of NNCLI access policy commands

The following roadmap lists the NNCLI access policy commands and their parameters. Use this list as a quick reference or click on any entry for more information:

Command / Parameter
access-policy
no access-policy
access-policy policy
  accesslevel
  create
  disable
  enable
  host
  ftp
  http
  rlogin
  mode
  name
  network
  precedence
  ssh
  telnet
  tftp
  username
show access-policy []
access-policy policy create
access-policy policy network
access-policy policy mode
access-policy policy accesslevel
access-policy policy host
access-policy policy username
access-policy policy precedence
access-policy policy name
access-policy policy enable
access-policy policy disable


Enabling and disabling the access policy feature globally

To enable the access policy feature globally, use the following command from Global configuration mode:

access-policy

To disable the access policy feature globally, use the following command from Global configuration mode:

no access-policy

Configuring access policies

To configure an access policy, use the following command from Global configuration mode:

access-policy policy

where:
policy ID is the number that identifies the policy. The valid values are 1 to 65535.

This command includes the following parameters:

access-policy policy followed by:
accesslevel Allows you to specify the level of access for a policy that will allow access. string is the access level. The valid options are ro, rw, or rwa.
create Creates the specified access policy on the switch.
disable Disables the access policy on the switch.
enable Enables the access policy on the switch.
host For rlogin access, specifies the trusted host address.
ftp Enables FTP for the specified policy. The default is disable.
http Enables HTTP for the specified policy. The default is disable.
rlogin Enables rlogin for the specified policy. The default is disable.
mode Specifies whether this network address is allowed or denied access through the specified access service. The default is allow.
name Specifies the name of the access policy. The default name is policy . name can be from 0 to 15 characters.
network Specifies the IP address and the subnet mask that are being permitted or denied access through the specified access service.
precedence Specifies a precedence for the policy. value is a number from 1 to 128. This value determines which policy to use if multiple policies apply. Lower numbers have higher precedence. The default is 10.
ssh Enables SSH for the specified policy. The default is enable.
telnet Enables Telnet for the specified policy. The default is disable.
tftp Enables TFTP for the specified policy. The default is disable.
username For rlogin access, specifies the trusted host user name. name can be from 0 to 30 characters.

To view the global access policy setting (on=enabled or off=disabled) and configuration information for all access policies, or for a specific access policy, use the following command from Privileged EXEC, Global configuration, or Interface configuration mode:

show access-policy []


where:
polname specifies the name of the access policy for which you want to view information.

To display the global access policy setting (on=enabled or off=disabled), use the following command from Privileged EXEC, Global configuration, or Interface configuration mode:

show access policy

To delete an access policy, use the following command from Global configuration mode:

no access-policy policy

where:
policy ID is the number that identifies the policy. The valid values are 1 to 65535.

Creating an access policy

To create an access policy, use the following command from Global configuration mode:

access-policy policy create

where:
policy ID is the number that identifies the policy that you are creating.

Allowing a network or device access to the switch

You can configure network access to be scoped to a network or constrained to a single device on a network through the use of the network mask. The mask controls how much of the IP address is to be considered. For example, with a subnet mask of 255.255.255.0, only the first 3 octets of the IP address are examined. The fourth octet becomes 0, as in 192.10.10.0. If a single device is to be examined, the subnet mask must be 255.255.255.255, which forces the entire IP address to be examined.


To specify the network to which you want to allow access, use the following command from Global configuration mode:

access-policy policy network

where:
policy ID 1-65535 is the number that identifies the policy that you are creating.
ipaddr is the IP address that is being permitted or denied access through the specified access service.
mask is the subnet mask that is being permitted or denied access through the specified access service.

Example 1
• Create an access policy (policy 10).
• Indicate that the access policy is for a network with an IP address of 192.10.10.0 and a mask of 255.255.255.0.
• Display information about the configured access policies.

Figure 18 on page 96 shows how to configure an access policy for a network using the access-policy policy network command.


Figure 18 access-policy policy network command sample output (network)

Passport-8310:5(config)# access-policy policy 10 create
Passport-8310:5(config)# access-policy policy 10 network 192.10.10.0 255.255.255.0
Passport-8310:5(config)# show access-policy

AccessPolicyEnable: on

Id: 1
Name: default
PolicyEnable: true
Mode: allow
Service: http|telnet|ssh|
Precedence: 128
NetAddr: 0.0.0.0
NetMask: 0.0.0.0
TrustedHostAddr: 0.0.0.0
TrustedHostUserName: none
AccessLevel: readOnly
Usage: 0

Id: 10
Name: policy10
PolicyEnable: true
Mode: allow
Service:
Precedence: 10
NetAddr: 192.10.10.0
NetMask: 255.255.255.0
TrustedHostAddr: 0.0.0.0
TrustedHostUserName: none
AccessLevel: readOnly
Usage: 0

Passport-8310:5(config)#

Example 2
• Create an access policy (policy 20).
• Indicate that the access policy is for a single device with an IP address of 192.10.10.2 and a mask of 255.255.255.255.
• Display information about the configured access policies.

Figure 19 shows how to configure an access policy for a single device using the access-policy policy network command.

Figure 19 access-policy policy network command sample output (device)

Passport-8310:5(config)# access-policy policy 20 create
Passport-8310:5(config)# access-policy policy 20 network 192.10.10.2 255.255.255.255
Passport-8310:5(config)# show access-policy

AccessPolicyEnable: on

Id: 1
Name: default
PolicyEnable: true
Mode: allow
Service: http|telnet|ssh|
Precedence: 128
NetAddr: 0.0.0.0
NetMask: 0.0.0.0
TrustedHostAddr: 0.0.0.0
TrustedHostUserName: none
AccessLevel: readOnly
Usage: 0

Id: 20
Name: policy20
PolicyEnable: true
Mode: allow
Service:
Precedence: 10
NetAddr: 192.10.10.2
NetMask: 255.255.255.255
TrustedHostAddr: 0.0.0.0
TrustedHostUserName: none
AccessLevel: readOnly
Usage: 0

Passport-8310:5(config)#

To specify whether this network address is allowed or denied access through an access service, use the following command from Global configuration mode:

access-policy <policy ID> mode <allow|deny>

where:

• policy ID (1-65535) is the number that identifies the policy that you are creating.
• allow|deny allows or denies access through the specified access service.

If the policy is to allow access, to specify a level of access, use the following command from Global configuration mode:

access-policy <policy ID> accesslevel <string>

where:

• policy ID (1-65535) is the number that identifies the policy that you are creating.
• string is the access level (ro, rw, rwa) or the equivalent community string designation (read-only, read/write, or read/write/all).

Specifying the host and username for rlogin

For rlogin access, you must specify a trusted host address and a trusted host user name. To specify the host address and user name, use the following commands from Global configuration mode:

access-policy <policy ID> host <ipaddr>

access-policy <policy ID> username <name>

where:

• policy ID (1-65535) is the number that identifies the policy that you are creating.
• ipaddr is the trusted host address.
• name is the associated user name for this address.

To access the switch, you must log in using the user name and host address that you specified in this section.

Assigning a precedence for the policy

To assign a precedence for the policy, use the following command from Global configuration mode:

access-policy <policy ID> precedence <value>

where:

• policy ID (1-65535) is the number that identifies the policy that you are creating.
• value is a number from 1 to 128. This value determines which policy to use if multiple policies apply. Lower numbers have higher precedence.

Naming an access policy

To assign a name to the policy, use the following command from Global configuration mode:

access-policy <policy ID> name <name>

where:

• policy ID (1-65535) is the number that identifies the policy that you are creating.
• name is a string from 0 to 15 characters.

Enabling or disabling an access policy

To enable an access policy, use the following command from Global configuration mode:

access-policy <policy ID> enable

where:

• policy ID is the number that identifies the policy that you are enabling. The valid values are 1 to 65535.

To disable an access policy, use the following command from Global configuration mode:

access-policy <policy ID> disable

where:

• policy ID is the number that identifies the policy that you are disabling. The valid values are 1 to 65535.

Configuration example - access policies

The following configuration example uses the previously described commands to:

• Create access policy 2345.
• Set the network information for access policy 2345 to 12.12.12.12 255.255.255.255.
• Set the username for access policy 2345 to test.
• Set the host for access policy 2345 to 5.5.5.5.
• Set the name for access policy 2345 to testpolicy.
• Set the precedence for access policy 2345 to 100.
• Enable FTP for access policy 2345.
• Enable telnet for access policy 2345.
• View information about the access policy.

Figure 20 on page 101 shows sample output using these commands.

Figure 20 access-policy policy command sample output

Passport-8306:5(config)#access-policy policy 2345 create
Passport-8306:5(config)#access-policy policy 2345 network 12.12.12.12 255.255.255.255
Passport-8306:5(config)#access-policy policy 2345 username test
Passport-8306:5(config)#access-policy policy 2345 host 5.5.5.5
Passport-8306:5(config)#access-policy policy 2345 name testpolicy
Passport-8306:5(config)#access-policy policy 2345 precedence 100
Passport-8306:5(config)#access-policy policy 2345 ftp
Passport-8306:5(config)#access-policy policy 2345 telnet
Passport-8306:5(config)#show access-policy

AccessPolicyEnable: on

Id: 1
Name: default
PolicyEnable: true
Mode: allow
Service: http|telnet|ssh|
Precedence: 128
NetAddr: 0.0.0.0
NetMask: 0.0.0.0
TrustedHostAddr: 0.0.0.0
TrustedHostUserName: none
AccessLevel: readOnly
Usage: 0

Id: 2345
Name: testpolicy
PolicyEnable: true
Mode: allow
Service: ftp|telnet
Precedence: 100
NetAddr: 12.12.12.12
NetMask: 255.255.255.255
TrustedHostAddr: 5.5.5.5
TrustedHostUserName: test
AccessLevel: readOnly
Usage: 0

Passport-8306:5(config)#

Chapter 5 Configuring access policies using the CLI

You can control access to the switch by creating an access policy. An access policy specifies the hosts or networks that can access the switch through various services, such as Telnet, SSH, HTTP, FTP, TFTP, or rlogin. You can enable or disable access services by setting flags from the Boot Monitor CLI or the CLI.

Note: To access the backup CPU using the peer rlogin command, you must set an access policy that enables rlogin access to the backup CPU. See Getting Started (316799-C) for more information about the peer rlogin command.

For information about enabling access services for a specific policy using the CLI, see “Enabling or disabling an access policy” on page 114.

You can define network stations explicitly allowed to access the switch or network stations explicitly forbidden to access the switch. For each service you can also specify the level of access, such as read-only or read/write/all.

When you set up access policies, you can either:

• Globally enable the access policy feature, and then create and enable individual policies. Each policy takes effect immediately when you enable it.
• Create and enable individual access policies, and then globally enable the access policy feature to activate all the policies at the same time.

This chapter includes the following topics:

• Roadmap of CLI access policy commands, page 104
• Enabling the access policy feature globally, page 105
• Configuring access policies, page 106

Roadmap of CLI access policy commands

The following roadmap lists the CLI access policy commands and their parameters. Use this list as a quick reference or click on any entry for more information:

Command: config sys access-policy enable <true|false>

Command: config sys access-policy policy <pid>
Parameters: info, accesslevel, create, delete, disable, enable, host, mode, name, network, precedence, username

Command: config sys access-policy policy <pid> service
Parameters: info, ftp, http, rlogin, ssh, telnet, tftp

Command: config sys access-policy policy <pid> network <addr/mask>

Command: config sys access-policy policy <pid> mode <allow|deny>

Command: config sys access-policy policy <pid> accesslevel <level>

Command: config sys access-policy policy <pid> host <ipaddr>

Command: config sys access-policy policy <pid> username <string>

Command: config sys access-policy policy <pid> precedence <precedence>

Command: config sys access-policy policy <pid> name <name>

Command: config sys access-policy policy <pid> <enable|disable>

Enabling the access policy feature globally

To enable the access policy feature globally, use the following command:

config sys access-policy enable <true|false>

where:

• true enables the access-policy feature globally.
• false disables the access-policy feature globally.

Configuring access policies

To configure an access policy, use the following command:

config sys access-policy policy <pid>

where:

• pid is the number that identifies the access policy. The valid values are 1 to 65535.

This command includes the following parameters:

config sys access-policy policy <pid> followed by:

• info: Shows information about the specified access policy.
• accesslevel <level>: Allows you to specify the level of access if the policy is to allow access. level is the access level (ro, rw, or rwa).
• create: Creates the specified access policy on the switch.
• delete: Removes the specified access policy from the switch.
• disable: Disables the access policy on the switch.
• enable: Enables the access policy on the switch.
• host <ipaddr>: For rlogin access, specifies the trusted host address.
• mode <allow|deny>: Specifies whether this network address is allowed or denied access through the specified access service. The default is allow.
• name <name>: Specifies the name of the policy. The default name is policy followed by the policy ID (for example, policy10). name can be from 0 to 15 characters.
• network <addr/mask>: Specifies the IP address and subnet mask that are being permitted or denied access through the specified access service.
• precedence <precedence>: Specifies a precedence for the policy. precedence is a number from 1 to 128. This value determines which policy to use if multiple policies apply. Lower numbers have higher precedence. The default is 10.
• username <string>: For rlogin access, specifies the trusted host user name. string can be from 0 to 30 characters.

Creating an access policy

To create an access policy, use the following command:

config sys access-policy policy <pid> create

where:

• pid is the number that identifies the policy that you are creating. The valid values are 1 to 65535.

Enabling an access service

To enable or disable an access service for the specified policy, use the following command:

config sys access-policy policy <pid> service <ftp|http|rlogin|ssh|telnet|tftp> <enable|disable>

where:

• pid is the number that identifies the policy. The valid values are 1 to 65535.

This command includes the following parameters:

config sys access-policy policy <pid> service followed by:

• info: Shows the status (enable or disable) of the available access services for the specified policy.
• ftp <enable|disable>: Enables or disables FTP for the specified policy. The default is disable.
• http <enable|disable>: Enables or disables HTTP for the specified policy. The default is disable.
• rlogin <enable|disable>: Enables or disables rlogin for the specified policy. The default is disable.
• ssh <enable|disable>: Enables or disables SSH for the specified policy. The default is disable.
• telnet <enable|disable>: Enables or disables Telnet for the specified policy. The default is disable.
• tftp <enable|disable>: Enables or disables TFTP for the specified policy. The default is disable.

Configuration example: access policy and service

The following configuration example uses the commands described above to:

• Enable FTP for access policy 2345.
• Enable telnet for access policy 2345.
• View the information for the access policy.

Figure 21 on page 109 shows sample output using these commands.

Figure 21 config sys access-policy policy service commands output

Passport-8310:5# config sys access-policy policy 2345 service ftp enable
Passport-8310:5# config sys access-policy policy 2345 service telnet enable
Passport-8310:5# config sys access-policy policy 2345 service info

Sub-Context: clear config dump monitor show test trace wsm asfm sam
Current Context:

http : disable
rlogin : disable
telnet : enable
ssh : disable
tftp : disable
ftp : enable

Passport-8310:5#

Allowing a network or device access to the switch

You can configure network access to be scoped to a network or constrained to a single device on a network through the use of the network mask. The mask controls how much of the IP address is to be considered. For example, with a subnet mask of 255.255.255.0, only the first 3 octets of the IP address are examined. The fourth octet becomes 0, as in 192.10.10.0. If a single device is to be examined, the subnet mask must be 255.255.255.255, which forces the entire IP address to be examined.

To specify the network or device to which you want to allow access, use the following command:

config sys access-policy policy <pid> network <addr/mask>

where:

• pid is the number that identifies the policy that you are creating. The valid values are 1 to 65535.
• addr/mask is the IP address and subnet mask that are being permitted or denied access through the specified access service.

Example 1

• Create an access policy (policy 10).
• Indicate that the access policy is for a network with an IP address of 192.10.10.0 and a mask of 255.255.255.0.
• Display information about the configured access policies.

Figure 22 on page 111 shows how to configure an access policy for a network using the config sys access-policy policy command.

Figure 22 config sys access-policy policy command sample output (network)

Passport-8310:5# config sys access-policy policy 10 create
Passport-8310:5# config sys access-policy policy 10 network 192.10.10.0/255.255.255.0
Passport-8310:5# show sys access-policy info

AccessPolicyEnable: on

Id: 1
Name: default
PolicyEnable: true
Mode: allow
Service: http|telnet|ssh|
Precedence: 128
NetAddr: 0.0.0.0
NetMask: 0.0.0.0
TrustedHostAddr: 0.0.0.0
TrustedHostUserName: none
AccessLevel: readOnly
Usage: 245

Id: 10
Name: policy10
PolicyEnable: true
Mode: allow
Service:
Precedence: 10
NetAddr: 192.10.10.0
NetMask: 255.255.255.0
TrustedHostAddr: 0.0.0.0
TrustedHostUserName: none
AccessLevel: readOnly
Usage: 0

Passport-8310:5#

Example 2

• Create an access policy (policy 20).
• Indicate that the access policy is for a single device with an IP address of 192.10.10.2 and a mask of 255.255.255.255.
• Display information about the configured access policies.

Figure 23 shows how to configure an access policy for a single device using the config sys access-policy policy command.

Figure 23 config sys access-policy policy command sample output (device)

Passport-8310:5# config sys access-policy policy 20 create
Passport-8310:5# config sys access-policy policy 20 network 192.10.10.2/255.255.255.255
Passport-8310:5# show sys access-policy info

AccessPolicyEnable: on

Id: 1
Name: default
PolicyEnable: true
Mode: allow
Service: http|telnet|ssh|
Precedence: 128
NetAddr: 0.0.0.0
NetMask: 0.0.0.0
TrustedHostAddr: 0.0.0.0
TrustedHostUserName: none
AccessLevel: readOnly
Usage: 245

Id: 20
Name: policy20
PolicyEnable: true
Mode: allow
Service:
Precedence: 10
NetAddr: 192.10.10.2
NetMask: 255.255.255.255
TrustedHostAddr: 0.0.0.0
TrustedHostUserName: none
AccessLevel: readOnly
Usage: 0

Passport-8310:5#

To specify whether this network address is allowed or denied access through an access service, use the following command:

config sys access-policy policy <pid> mode <allow|deny>

where:

• pid is the number that identifies the policy that you are creating. The valid values are 1 to 65535.
• allow|deny allows or denies access through the specified access service.

If the policy is to allow access, to specify a level of access, use the following command:

config sys access-policy policy <pid> accesslevel <level>

where:

• pid is the number that identifies the policy that you are creating. The valid values are 1 to 65535.
• level is the access level; the valid values are ro (read-only), rw (read-write), and rwa (read/write/all).

Specifying the host and username for rlogin

For rlogin access, you must specify a trusted host address and a trusted host user name. To specify the host address and user name, use the following commands:

config sys access-policy policy <pid> host <ipaddr>

config sys access-policy policy <pid> username <string>

where:

• pid is the number that identifies the policy that you are creating. The valid values are 1 to 65535.
• ipaddr is the trusted host address.
• string is the associated user name for this address.

To access the switch, you must log in using the user name and host address that you configure using these commands.

Assigning a precedence for the policy

To assign a precedence for the policy, use the following command:

config sys access-policy policy <pid> precedence <precedence>

where:

• pid is the number that identifies the policy that you are creating. The valid values are 1 to 65535.
• precedence is a number from 1 to 128. This value determines which policy to use if multiple policies apply. Lower numbers have higher precedence.
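The lookup rules spread across this chapter (the mask semantics of the network command, the allow/deny mode, the per-service enable flags, and precedence where a lower number wins) fit into a short Python model. This is an added illustration, not the switch's code: the sample policies are constructed to resemble the show output in Figures 22 to 24, and the behaviour for a globally disabled feature, for a request no enabled policy covers, and for two policies with the same precedence are assumptions, since the chapter does not state them.

```python
"""Model of ERS 8300 access-policy evaluation: network/mask match, allow/deny
mode, per-service enable flags and precedence (lower number wins).
Added illustration, not the switch's code; see the lead-in for assumptions."""
from dataclasses import dataclass
import ipaddress

SERVICES = ("ftp", "http", "rlogin", "ssh", "telnet", "tftp")


@dataclass
class AccessPolicy:
    pid: int                        # 1..65535
    net_addr: str = "0.0.0.0"
    net_mask: str = "0.0.0.0"       # 0.0.0.0 matches every source address
    mode: str = "allow"             # allow | deny
    precedence: int = 10            # 1..128; lower number has higher precedence
    services: frozenset = frozenset()
    access_level: str = "ro"        # ro | rw | rwa
    enabled: bool = True

    def matches(self, src_ip: str) -> bool:
        """A source matches when (src AND mask) == (net_addr AND mask), so a
        255.255.255.0 mask compares three octets and 255.255.255.255 all four."""
        mask = int(ipaddress.IPv4Address(self.net_mask))
        src = int(ipaddress.IPv4Address(src_ip)) & mask
        net = int(ipaddress.IPv4Address(self.net_addr)) & mask
        return src == net


def evaluate(policies, src_ip, service, feature_enabled=True):
    """Return (decision, access_level, pid) for a management session from
    src_ip to the given service.  Assumptions not stated on the page: with the
    feature globally disabled everything is allowed, and a request that no
    enabled policy covers is denied."""
    if service not in SERVICES:
        raise ValueError(f"unknown service {service!r}")
    if not feature_enabled:
        return ("allow", None, None)
    candidates = [p for p in policies
                  if p.enabled and service in p.services and p.matches(src_ip)]
    if not candidates:
        return ("deny", None, None)
    # Lowest precedence value wins; the policy id breaks ties (assumption).
    best = min(candidates, key=lambda p: (p.precedence, p.pid))
    if best.mode == "deny":
        return ("deny", None, best.pid)
    return ("allow", best.access_level, best.pid)


def sample_policies():
    """Constructed policies modelled on the chapter's show output."""
    return [
        AccessPolicy(1, precedence=128,
                     services=frozenset({"http", "telnet", "ssh"})),
        AccessPolicy(10, "192.10.10.0", "255.255.255.0", precedence=10,
                     services=frozenset({"telnet"}), access_level="rwa"),
        AccessPolicy(20, "192.10.10.2", "255.255.255.255", mode="deny",
                     precedence=5, services=frozenset({"telnet", "ssh"})),
    ]


if __name__ == "__main__":
    pol = sample_policies()
    for ip, svc in [("192.10.10.7", "telnet"), ("192.10.10.2", "telnet"),
                    ("10.0.0.1", "ssh"), ("10.0.0.1", "ftp")]:
        print(ip, svc, evaluate(pol, ip, svc))
```

The constructed set shows why precedence matters: policy 20 (precedence 5) denies the single host 192.10.10.2 even though policy 10 (precedence 10) allows the whole 192.10.10.0/24 network, and the default policy (precedence 128) only ever wins when nothing more specific applies. When you audit a switch, read the show output the same way: find every enabled policy whose NetAddr/NetMask covers the source and whose Service list names the protocol, then take the lowest Precedence.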

Naming an access policy

To assign a name to the policy, use the following command:

config sys access-policy policy <pid> name <name>

where:

• pid is the number that identifies the policy that you are creating.
• name is a string from 1 to 15 characters.

Enabling or disabling an access policy

To enable or disable an access policy, use the following command:

config sys access-policy policy <pid> <enable|disable>

where:

• pid is the number that identifies the policy that you are enabling or disabling. The valid values are 1 to 65535.
• enable|disable enables or disables the specified policy.

Configuration example: access policies

The following configuration example uses the commands described above to:

• Create access policy 2345.
• View the information for the access policy.
• Set the network information for access policy 2345 to 12.12.12.12/255.255.255.255.
• Set the username for access policy 2345 to test.
• Set the host for access policy 2345 to 5.5.5.5.
• Set the name for access policy 2345 to testpolicy.
• Set the precedence for access policy 2345 to 100.
• View the information for the access policy.

Figure 24 on page 116 shows sample output using these commands.

Figure 24 config sys access-policy policy command sample output

Passport-8310:5# config sys access-policy policy 2345 create
Passport-8310:5# config sys access-policy policy 2345 info

Sub-Context: clear config monitor show test trace
Current Context:

create :
delete : N/A
name : policy2345
policy enable : true
mode : allow
precedence : 10
network : 0.0.0.0/0.0.0.0
host : 0.0.0.0
username : none
accesslevel : readOnly

Passport-8310:5# config sys access-policy policy 2345 network 12.12.12.12/255.255.255.255
Passport-8310:5# config sys access-policy policy 2345 username test
Passport-8310:5# config sys access-policy policy 2345 host 5.5.5.5
Passport-8310:5# config sys access-policy policy 2345 name testpolicy
Passport-8310:5# config sys access-policy policy 2345 precedence 100
Passport-8310:5# config sys access-policy policy 2345 info

Sub-Context: clear config monitor show test trace
Current Context:

create :
delete : N/A
name : testpolicy
policy enable : true
mode : allow
precedence : 100
network : 12.12.12.12/255.255.255.255
host : 5.5.5.5
username : test
accesslevel : readOnly

Passport-8310:5#

Chapter 6 Configuring SNMPv3 using the NNCLI

An SNMPv3 engine provides services for sending and receiving messages, authenticating and encrypting messages, and controlling access to managed objects. There is a one-to-one association between an SNMP engine and the SNMP entity, which contains it.

This chapter describes how to set up your SNMP configuration using the NNCLI:

• Loading the encryption module, page 119
• Creating a new user in the USM table, page 120
• Creating a new user group member, page 122
• Creating v3 group access, page 124
• Creating a new entry for the MIB in the View table, page 127
• Creating a community, page 129
• SNMPv3 configuration example, page 131
• SNMPv1/SNMPv2 configuration example, page 132
• Displaying SNMP system information, page 133
• Blocking SNMP, page 135

Roadmap of NNCLI SNMPv3 commands

The following roadmap lists the NNCLI SNMPv3 commands and their parameters. Use this list as a quick reference or click on any entry for more information:

Command: snmp-server user <UserName> [<auth protocol>] [auth <password>] [priv <password>]

Command: no snmp-server user

Command: show snmp-server user

Command: snmp-server member <user name> <model> [<group name>]

Command: no snmp-server member <user name> <model>

Command: snmp-server group <group name> <prefix> <model> <level>

Command: no snmp-server group <group name> <prefix> <model> <level>

Command: show snmp-server group

Command: snmp-server view <View Name> <subtree oid> [mask <mask>] [type <include|exclude>]

Command: snmp-server community <Comm Idx> <commstr> <security>

Command: no snmp-server community

Command: snmp-server group view newgroupgrp "" snmpv1 noAuthNoPriv read root write root

Command: show running-config

Loading the encryption module

Before you access the switch using SNMPv3 with DES encryption, you must load the encryption module, p83c2200.des, which allows you to use the Privacy protocol.

1 Open www.nortel.com/support in your browser.
2 Log in.
3 Ensure the Browse product support tab is selected.
4 Select Passport from the list in box 1.
5 Select Ethernet Routing Switch 8300 from the list in box 2.
6 Select Software from the list in box 3.
7 Click Go.
8 Click on the Ethernet Routing Switch 8300 SNMPv3 & 3DES link.
9 Answer the questions on the questionnaire.
10 Click Submit.
11 Right-click on the file download link and enter a file location in which to copy the DES encryption module.
12 Click OK.
13 The file is downloaded.

Note: Note the location of this file. You must load the file on the switch before you can use the protocol.

14 Use FTP or TFTP to load this file to the switch.

Note: If FTP or TFTP fails, either the service is not enabled or a filter is blocking FTP or TFTP access.

15 Open the DOS window. Figure 25 on page 120 shows sample output from an FTP session.

Figure 25 FTP sample output from DOS window

c:\ftp <10.10.10.10>
Connected to <10.10.10.10>
220 Passport FTP server ready
User (<10.10.10.10>:(none)): rwa
331 Password required
Password: ***
230 User logged in
ftp> bin
200 Type set to I, binary mode
ftp> put

16 Return to the Ethernet Routing Switch 8300 and load the module from Global configuration mode, by entering the following command: load-module DES /flash/p83c2200.des

Creating a new user in the USM table

To create a new user in the USM table on the Ethernet Routing Switch 8300, enter the following command from Global configuration mode:

snmp-server user <UserName> [<auth protocol>] [auth <password>] [priv <password>]

where:

• UserName specifies the security name. The name is used as an index to the table. The range is 1 to 32 characters.
• auth protocol specifies an authentication protocol. If no value is entered, the entry has no authentication capability. The protocol choices are MD5 and SHA.
• auth <password> specifies an authentication password. If no value is entered, the entry has no authentication capability. The range is 1 to 32 characters.
• priv <password> assigns a privacy password. If no value is entered, the entry has no privacy capability. The range is 1 to 32 characters. You must set authentication before you can set the privacy option.

Other USM commands

The following are additional snmp-server user commands:

snmp-server user followed by:

• auth <old-password> <new-password>: Changes the authentication password for an existing user.
• priv <old-password> <new-password>: Changes the privacy password for an existing user.

To delete a user from the v3 VACM table, use the following command from Global configuration mode:

no snmp-server user

To view information about a user, use the following command from Global configuration mode:

show snmp-server user

Configuration example: USM

The following configuration example uses the commands described above to:

• Create a new USM user, testing.
• Set the authentication protocol to MD5.
• Set the authentication password to test.
• Display information on the user.

Figure 26 on page 122 shows sample output using these commands.

Figure 26 USM command sample output

Passport-8306:5(config)#snmp-server user testing md5 auth test
Passport-8306:5(config)#show snmp-server user

Engine ID = 80:00:08:E0:03:00:80:2D:B7:AC:00

====== USM Configuration ======
User Name      Protocol
------
testing        HMAC_MD5, NO PRIVACY
initialview    NO AUTH, NO PRIVACY

2 out of 2 Total entries displayed
------

Passport-8306:5(config)#
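The password given with snmp-server user is not what the USM table stores. RFC 3414 (appendix A.2) first hashes the password, repeated to exactly 1,048,576 bytes, into an intermediate key Ku, then localizes it with the engine ID that show snmp-server user prints, so that the same password produces a different key on every SNMP engine. The following Python is an added example that implements that derivation; it is not the switch's code. The engine ID is the one from Figure 26, the second engine ID and the password are constructed, and the test vectors in the usage note come from RFC 3414 appendix A.3.

```python
"""USM password-to-key conversion with engine-ID localization (RFC 3414, A.2).
Added example, not the switch's code.  The auth password entered with
'snmp-server user' is hashed into Ku and then localized with the engine ID,
so the same password yields a different key on every SNMP engine.  The same
procedure is applied to the privacy password."""
import hashlib

ALGOS = {"md5": "md5", "sha": "sha1"}   # the two protocols this release offers
ONE_MEGABYTE = 1_048_576


def parse_engine_id(text: str) -> bytes:
    """Turn the colon-separated engine ID shown by 'show snmp-server user'
    (for example 80:00:08:E0:03:00:80:2D:B7:AC:00) into bytes."""
    return bytes(int(octet, 16) for octet in text.split(":"))


def password_to_ku(password: str, algo: str) -> bytes:
    """Ku = H(password repeated/truncated to exactly 1,048,576 bytes)."""
    pw = password.encode()
    if not pw:
        raise ValueError("USM passwords must not be empty")
    stream = (pw * (ONE_MEGABYTE // len(pw) + 1))[:ONE_MEGABYTE]
    return hashlib.new(ALGOS[algo], stream).digest()


def localized_key(password: str, engine_id: bytes, algo: str = "md5") -> bytes:
    """Kul = H(Ku || engineID || Ku): the key the agent keeps and uses for
    HMAC authentication of each message."""
    if algo not in ALGOS:
        raise ValueError("authentication protocol must be md5 or sha")
    ku = password_to_ku(password, algo)
    return hashlib.new(ALGOS[algo], ku + engine_id + ku).digest()


def keys_per_engine(password: str, engine_ids, algo: str = "md5") -> dict:
    """Map each engine ID (colon-hex string) to the hex key it would hold."""
    return {eid: localized_key(password, parse_engine_id(eid), algo).hex()
            for eid in engine_ids}


if __name__ == "__main__":
    # First engine ID is the one in Figure 26; the second is constructed.
    engines = ["80:00:08:E0:03:00:80:2D:B7:AC:00",
               "80:00:08:E0:03:00:80:2D:B7:AC:01"]
    for eid, key in keys_per_engine("test", engines, "md5").items():
        print(eid, key)
```

For the RFC 3414 appendix A.3 vectors, password maplesyrup with engine ID 00 00 00 00 00 00 00 00 00 00 00 02, localized_key returns 526f5eed9fcce26f8964c2930787d82b for MD5 and 6695febc9288e36282235fc7151f128497b38f3f for SHA. The operational consequence for this chapter: the four-character example password test is the only secret in the derivation, and the engine ID is printed in clear by the switch, so the strength of USM authentication rests entirely on the password you choose with snmp-server user.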

Creating a new user group member

To create a new group member on the Ethernet Routing Switch 8300, enter the following command from Global configuration mode:

snmp-server member <user name> <model> [<group name>]

The snmp-server member command includes the following options:

snmp-server member followed by:

• user name: Creates the new entry with this user name. The range is 1 to 32 characters.
• model: Specifies the message processing model to use when generating an SNMP message. The valid options are usm, snmpv1, and snmpv2c.
• group name: Assigns the user to the group for data access. The range is 1 to 32 characters.

Other member commands

The following are additional snmp-server member commands:

snmp-server member followed by:

• name: Changes the group name for the v3 VACM table.

To delete a user group from the v3 VACM table, use the following command from Global configuration mode:

no snmp-server member <user name> <model>

To view information about a user group, use the following command from Global configuration mode:

show snmp-server member

Configuration example: SNMPv3 group

The following configuration example uses the commands described above to:

• Create a new group user, john, using security model USM for group.
• Create a new group user, nick, using security model SNMPv2 for group.
• View the group member information.
• Delete group user nick.
• View the group member information.

Figure 27 on page 124 shows sample output using these commands.

Figure 27 SNMPv3 group configuration sample output

Passport-8306:5(config)# snmp-server member john usm group
Passport-8306:5(config)# snmp-server member nick snmpv2c group
Passport-8306:5(config)# show snmp-server member

====== VACM Group Membership Configuration ======
Sec Model   User Name     Group Name
------
snmpv1      initialview   v1v2grp
snmpv2c     nick          group
snmpv2c     initialview   v1v2grp
usm         john          group

4 out of 4 Total entries displayed
------

Passport-8306:5(config)# no snmp-server member nick snmpv2c
Passport-8306:5(config)# show snmp-server member

====== VACM Group Membership Configuration ======
Sec Model   User Name     Group Name
------
snmpv1      initialview   v1v2grp
snmpv2c     initialview   v1v2grp
usm         john          group

3 out of 3 Total entries displayed
------

Passport-8306:5(config)#

Creating v3 group access

To create new access for a group in the VACM table on the Ethernet Routing Switch 8300, use the following command from Global configuration mode:

snmp-server group <group name> <prefix> <model> <level>

The snmp-server group command includes the following options:

snmp-server group followed by:

• group name: Creates the new entry with this group name. The range is 1 to 32 characters.
• prefix: Assigns a context prefix. The range is 0 to 32 characters. Note: The prefix option is not supported in the current release of the Ethernet Routing Switch 8300; however, because it is part of the index for the table, it must be configured. When you configure prefix, enter "" to indicate an empty string.
• model: Assigns the authentication checking to communicate to the switch. The valid options are usm, snmpv1, and snmpv2c.
• level: Assigns the minimum level of security required to gain the access rights allowed by this conceptual row. The valid options are authPriv, authNoPriv, or noAuthNoPriv.

Other group-access commands

The following is an additional snmp-server group command:

snmp-server group followed by:

• view <group name> <prefix> <model> <level> [read <value>] [write <value>]: Assigns a MIB view for the specified group. read value indicates that you want the group to have read access to the specified value (that is, MIB view). write value indicates that you want the group to have write access to the specified value (that is, MIB view).

To delete group access from the v3 VACM table, use the following command:

no snmp-server group <group name> <prefix> <model> <level>

To see information about the group, use the following command from Global configuration mode:

show snmp-server group

Configuration example: SNMPv3 group access

The following configuration example uses the commands described above to:

• Create a new group access, secondary, using "" as the prefix, the security model as USM, and level as NoAuthNoPriv.
• Create a new group access, tertiary, using "" as the prefix, security model as USM, and level as NoAuthNoPriv.
• Delete group access for secondary.
• Change the group access for tertiary to read as tertiary and write as tertiary.
• Display the configured VACM groups.

Figure 28 on page 127 shows sample output using these commands.

Figure 28 SNMPv3 group access configuration output

Passport-8306:5(config)# snmp-server group secondary "" usm noAuthNoPriv
Passport-8306:5(config)# snmp-server group tertiary "" usm noAuthNoPriv
Passport-8306:5(config)# no snmp-server group secondary "" usm noAuthNoPriv
Passport-8306:5(config)# snmp-server group view tertiary "" usm noAuthNoPriv read tertiary write tertiary
Passport-8310:6(config)#show snmp-server group

====== VACM Group Access Configuration ======
Group      Prefix   Model     Level         ReadV      WriteV
------
initial             usm       authPriv      org        org
readgrp             snmpv1    noAuthNoPriv  v1v2only
readgrp             snmpv2c   noAuthNoPriv  v1v2only
v1v2grp             snmpv1    noAuthNoPriv  v1v2only   v1v2only
v1v2grp             snmpv2c   noAuthNoPriv  v1v2only   v1v2only
tertiary            usm       noAuthNoPriv  tertiary   tertiary

6 out of 6 Total entries displayed
------

Passport-8310:6(config)#

Creating a new entry for the MIB in the View table

To create a new entry for the MIB View table on the Ethernet Routing Switch 8300, enter the following command from Global configuration mode:

snmp-server view <View Name> <subtree oid> [mask <mask>] [type <include|exclude>]

The snmp-server view command includes the following options:

snmp-server view followed by:

• View Name: Creates a new entry with this group name. The range is 1 to 32 characters.
• subtree oid: The prefix that defines the set of MIB objects accessible by this SNMP entity. The range is 1 to 32 characters.
• mask (optional): Specifies that a bit mask be used with vacmViewTreeFamilySubtree to determine whether an OID falls under a view subtree.
• type (optional): Determines whether access to a MIB object is granted or denied.

Other MIB-view commands

The following are additional snmp-server view commands:

snmp-server view followed by:

• mask: Changes the mask for an entry in the MIB-view table.
• type: Changes the type for an entry in the MIB-view table.

To delete an entry for the MIB view table, use the following command:

no snmp-server view

Configuration example: MIB view

The following configuration example uses the commands described above to:

• Create a new MIB view, dev, using the subtree oid 1.3.8.7.1.4 and type include.
• Change the type to exclude.

Figure 29 shows sample output using these commands.

Figure 29 MIB View configuration sample output

Passport-8306:5(config)# snmp-server view dev 1.3.8.7.1.4 type include
Passport-8306:5(config)# snmp-server view type dev 1.3.8.7.1.4 exclude
Passport-8306:5(config)#

Creating a community

Note: When you configure SNMPv3 with a community table, the group member must be configured with both the snmpv1 and the snmpv2c entries (see “Creating a new user group member” on page 122 for instructions). The current implementation of Device Manager uses SNMPv1 for discovering the Ethernet Routing Switch 8300 and SNMPv2c for accessing the MIB.

To create a community on the Ethernet Routing Switch 8300, enter the following command from Global configuration mode:

snmp-server community <comm idx> <commstr> <security>

The snmp-server community command includes the following options:

snmp-server community followed by:

• Comm Idx: The unique index value of a row in this table. The range is 1 to 32 characters.
• commstr: The community string for which a row in this table represents a configuration.
• security: Maps the community string to the security name in the VACM Group Member Table.


Changing the default community strings

If you’re using the default public/private access through SNMPv1, SNMPv2, or SNMPv3 and want to change them, use the following commands:

snmp-server community name first new_public
snmp-server community name second new_private

Other community commands

The following are additional snmp-server community commands:

snmp-server community followed by:

• name: Changes the name for an entry in the community table.
• security: Changes the security name for an entry in the community table.

To delete an entry from the community table, use the following command:

no snmp-server community

Note: You cannot delete the default communities (first and second).

Configuration example: community

The following configuration example uses the commands described above to:

• Create a community using third as the index, public as the name, and v1v2only as the security name.
• Change the name to private.
• Change the security name to v1v3only.

Figure 30 on page 131 shows sample output using these commands.


Figure 30 Community configuration sample output

Passport-8306:5(config)# snmp-server community third public v1v2only
Passport-8306:5(config)# snmp-server community name third private
Passport-8306:5(config)# snmp-server community security third v1v3only
Passport-8306:5(config)#

SNMPv3 configuration example

The following procedure shows how to create a user for SNMPv3, create a group for that user, assign view access for that group, and create and assign a MIB view for that group. You use the following commands from Global configuration mode.

1 Create a user (for example, rdalton).
snmp-server user rdalton md5 auth password

2 Create a group and assign it to the user.
snmp-server member rdalton usm newgroup

3 Assign view access for the newly created group.
snmp-server group newgroup "" usm authNoPriv

4 Create a MIB view.
snmp-server view newmibview 1.3

5 Assign a MIB view for the group.
snmp-server group view newgroup "" usm authNoPriv read-view newmibview write-view newmibview


SNMPv1/SNMPv2 configuration example

The following procedure shows how to create a user for SNMPv1 or SNMPv2, create a group for that user, and assign view access and a MIB view for that group. You use these commands from Global configuration mode.

1 Create a user. For this example, index1 is the index of the entry, newgroup is the community string that will be used for login, and initialview is the security name that is associated with the group-member table (VACM table).
snmp-server community index1 newgroup initialview

2 Create a group and assign it to a user for SNMPv1 or SNMPv2. For this example, newgroupgrp is the group that belongs to the community newgroup.
snmp-server member initialview snmpv1 newgroupgrp
or
snmp-server member initialview snmpv2c newgroupgrp

3 Assign view access for the newly created group.
snmp-server group newgroupgrp "" snmpv1 noAuthNoPriv
or
snmp-server group newgroupgrp "" snmpv2c noAuthNoPriv

4 Assign a MIB view for the group. For this example, use the root MIB view; if this does not exist, use org.
snmp-server group view newgroupgrp "" snmpv1 noAuthNoPriv read root write root
or
snmp-server group view newgroupgrp "" snmpv2c noAuthNoPriv read root write root

Note: You can also create your own MIB view by using the command snmp-server view <view name> <subtree oid> [mask <mask>] [type <type>] (see “Creating a new entry for the MIB in the View table” for instructions). After you create a MIB view, you can then assign it to a group.


Displaying SNMP system information

To display the running configuration, including SNMP system information, on the Ethernet Routing Switch 8300, enter the following command from Privileged EXEC, Global configuration, or Interface configuration mode:

show running-config

Configuration example: show SNMP system information

Figure 31 on page 134 shows sample output for the show running-config command.


Figure 31 SNMP system information sample output

Passport-8310:6(config)#show running-config
Preparing to Display Configuration...
#
# WED MAR 17 06:36:09 2004 UTC
# box type : Passport-8310
# software version : REL2.2.0.0_B106
# monitor version : 2.2.0.0/106
#
#
# Asic Info :
# SlotNum|Name |CardType |Parts Description
#
# Slot 1 8348TXPOE 0x50211130
# Slot 2 8324GTX 0x50220118
# Slot 3 -- 0x00000001
# Slot 4 -- 0x00000001
# Slot 5 -- 0x00000001
# Slot 6 8393SF 0x50022108 CPU: PP=1 FA=2 XBAR=0 CPLD=5
. . .
#
# SNMP V3 GLOBAL CONFIGURATION
#
snmp-server host 47.140.53.74 v1 public
#
# SNMP V3 GROUP MEMBERSHIP CONFIGURATION
#
snmp-server member john usm group
#
# SNMP V3 GROUP ACCESS CONFIGURATION
#
snmp-server group "test1" "20" snmpv1 noAuthNoPriv
snmp-server group "test1" "20" snmpv1 authPriv
snmp-server group "tertiary" "" usm noAuthNoPriv
snmp-server group "secondary" "" usm noAuthNoPriv
#
# SNMP V3 MIB VIEW CONFIGURATION
#
. . .


Note: To maintain security, the USM table is not displayed. This prevents viewing of the USM auth and priv passwords. When you choose save config, the USM table is saved in an encrypted file called snmp_usm.txt without the default entries.

Blocking SNMP

You disable SNMP access to the Ethernet Routing Switch 8300 by entering the following commands:

Passport-8310:5(config)#bootconfig flags block-snmp
Passport-8310:5(config)#exit
Passport-8310:5#save boot
Passport-8310:5#boot -y

By default, SNMP access is enabled. To reenable SNMP access, enter the following command:

Passport-8310:5(config)#no bootconfig flags block-snmp


Chapter 7 Configuring SNMPv3 using the CLI

An SNMPv3 engine provides services for sending and receiving messages, authenticating and encrypting messages, and controlling access to managed objects. There is a one-to-one association between an SNMP engine and the SNMP entity, which contains it.

This chapter describes how to set up your SNMP configuration using the CLI, and contains the following topics:

Topic Page
Loading the encryption module 138
Creating a new user in the USM table 140
Creating a new user group member 142
Creating v3 group access 144
Creating a new entry for the MIB in the View table 147
Creating a community 151
SNMPv3 configuration example 155
SNMPv1/SNMPv2 configuration example 155
Displaying SNMP system information 159
Blocking SNMP 159


Roadmap of CLI SNMPv3 commands

The following roadmap lists the CLI SNMPv3 commands and their parameters. Use this list as a quick reference or click on any entry for more information:

Command and parameters
config snmp-v3 usm create <user name> [<auth protocol>] [auth <auth value>] [priv <priv value>]
config snmp-v3 group-member create <user name> <model> [<group name>]
config snmp-v3 group-access create <group name> <prefix> <model> <level>
config snmp-v3 mib-view create <view name> <subtree oid> [mask <mask>] [type <type>]
config snmp-v3 community create <comm idx> <name> <security>
show config module sys

Loading the encryption module

Before you access the switch using SNMPv3 with DES encryption, you must load the encryption module, p83c2200.des, which allows you to use the Privacy protocol.

1 Open www.nortel.com/support in your browser.
2 Log in.
3 Ensure the Browse product support tab is selected.
4 Select Passport from the list in box 1.
5 Select Ethernet Routing Switch 8300 from the list in box 2.
6 Select Software from the list in box 3.
7 Click Go.
8 Click on the Ethernet Routing Switch 8300 SNMPv3 & 3DES link.
9 Answer the questions on the questionnaire.
10 Click Submit.
11 Right-click on the file download link and enter a file location in which to copy the DES encryption module.
12 Click OK.
13 The file is downloaded.

Note: Note the location of this file. You must load the file on the switch before you can use the protocol.

14 Use FTP or TFTP to load this file to the switch.

Note: If FTP or TFTP fails, either the service is not enabled or a filter is blocking FTP or TFTP access.

15 Open the DOS window. Figure 32 shows sample output from an FTP session.

Figure 32 FTP sample output from DOS window

c:\ftp <10.10.10.10>
Connected to <10.10.10.10>
220 Passport FTP server ready
User (<10.10.10.10>:(none)): rwa
331 Password required
Password: ***
230 User logged in
ftp> bin
200 Type set to I, binary mode
ftp> put

16 Return to the Ethernet Routing Switch 8300 and load the module.
config load-module DES /flash/p83c2200.des


Creating a new user in the USM table

To create a new user in the USM table on the Ethernet Routing Switch 8300, enter the following command:

config snmp-v3 usm create <user name> [<auth protocol>] [auth <auth value>] [priv <priv value>]

where:

• User Name specifies the security name. The name is used as an index to the table. The range is 1 to 32 characters.
• auth protocol specifies an authentication protocol. If no value is entered, the entry has no authentication capability. The protocol choices are MD5 and SHA.
• auth value specifies an authentication password. If no value is entered, the entry has no authentication capability. The range is 1 to 32 characters.
• priv value assigns a privacy password. If no value is entered, the entry has no privacy capability. The range is 1 to 32 characters. You must set authentication before you can set the privacy option.
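As an added example, not Nortel's code, the following Python shows what the switch derives from the auth and priv passwords given to config snmp-v3 usm create: the RFC 3414 password-to-key derivation, localized with the engine ID that config snmp-v3 usm info prints (the engine ID constant below is the one shown in Figure 33; the function names are this example's own).

```python
"""RFC 3414 key derivation for an SNMPv3 USM user (added example, not
Nortel's code).

Shows what the switch derives from the auth and priv passwords given to
"config snmp-v3 usm create", and why the engine ID printed by
"config snmp-v3 usm info" matters: the same password yields a different
key on every engine, so a key taken from one switch does not work on another.
"""
import hashlib
from typing import Tuple

_HASH = {"md5": "md5", "sha": "sha1"}   # the two auth protocols the ERS 8300 offers
ONE_MIB = 1048576                       # RFC 3414 A.2: hash 1,048,576 octets

# Engine ID exactly as the switch prints it in Figure 33.
SWITCH_ENGINE_ID_TEXT = "80:00:08:E0:03:00:0E:40:BF:50:00"


def parse_engine_id(text: str) -> bytes:
    """Colon-separated hex (the usm info display format) to raw bytes."""
    return bytes(int(part, 16) for part in text.split(":"))


def password_to_ku(password: str, proto: str) -> bytes:
    """Step 1: hash the password repeated cyclically to exactly 1 MiB."""
    pw = password.encode()
    stream = (pw * (ONE_MIB // len(pw) + 1))[:ONE_MIB]
    return hashlib.new(_HASH[proto.lower()], stream).digest()


def localize(ku: bytes, engine_id: bytes, proto: str) -> bytes:
    """Step 2: bind the key to one engine: Kul = H(Ku || engineID || Ku)."""
    return hashlib.new(_HASH[proto.lower()], ku + engine_id + ku).digest()


def usm_localized_key(password: str, engine_id: bytes, proto: str = "md5") -> bytes:
    """Localized key the USM uses for HMAC authentication (or as the priv key).

    The length limits mirror the manual: passwords are 1 to 32 characters,
    protocols are MD5 or SHA.
    """
    if proto.lower() not in _HASH:
        raise ValueError("auth protocol must be MD5 or SHA")
    if not 1 <= len(password) <= 32:
        raise ValueError("the ERS 8300 accepts passwords of 1 to 32 characters")
    return localize(password_to_ku(password, proto), engine_id, proto)


def des_key_and_preiv(priv_kul: bytes) -> Tuple[bytes, bytes]:
    """RFC 3414 8.1.1.1: the first 8 octets of the localized priv key are the
    DES key and the next 8 are the pre-IV. The priv key is derived with the
    auth protocol's hash, which is one reason auth must be set before priv."""
    return priv_kul[:8], priv_kul[8:16]
```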

Other USM commands

The following are additional config snmp-v3 usm commands:

config snmp-v3 usm followed by:

• info: Displays the configured USM users.
• delete: Deletes a user from the USM table.
• auth <old-pass> <new-pass>: Changes the authentication password.
• priv <old-pass> <new-pass>: Changes the privacy password.


Configuration example: USM

The following configuration example uses the commands described above to:

• Create a new USM user, testing.
• Set the authentication protocol to MD5.
• Set the authentication password to test.
• Display information on the user.

Figure 33 shows sample output using these commands.

Figure 33 USM command sample output

Passport-8310:5# config snmp-v3 usm create testing md5 auth test

WARNING : For security purpose, we are strongly recommanded that NOT to use repeated pattern for your password.

Passport-8310:5# config snmp-v3 usm info

Engine ID = 80:00:08:E0:03:00:0E:40:BF:50:00

====== USM Configuration ======
User Name   Protocol
------
user1       HMAC_MD5, DES PRIVACY
user2       HMAC_MD5, NO PRIVACY
testing     HMAC_MD5, NO PRIVACY

3 out of 3 Total entries displayed
------

Passport-8310:5#


Creating a new user group member

To create a new user group for the v3 VACM table on the Ethernet Routing Switch 8300, enter the following command:

config snmp-v3 group-member create <user name> <model> [<group name>]

The config snmp-v3 group-member create command includes the following options:

config snmp-v3 group-member create followed by:

• user name: Creates the new entry with this user name. The range is 1 to 32 characters.
• model: Specifies the message processing model to use when generating an SNMP message. The valid options are snmpv1, snmpv2c, and usm.
• group name: Assigns the user to the group for data access. The range is 1 to 32 characters. This is an optional parameter.

Other group-member commands

The following are additional config snmp-v3 group-member commands:

config snmp-v3 group-member followed by:

• info: Displays the VACM group membership configuration.
• delete: Deletes a user group from the v3 VACM table.
• name: Changes the group name in the v3 VACM table.

Configuration example: SNMPv3 group

The following configuration example uses the commands described above to:


• Create a new group user, john, using security model USM for group.
• Create a new group user, nick, using security model SNMPv2c for group.
• View the group member information.
• Delete group user nick.
• View the group member information.

Figure 34 shows sample output using these commands.

Figure 34 SNMPv3 group configuration sample output

Passport-8310:5# config snmp-v3 group-member create john usm group
Passport-8310:5# config snmp-v3 group-member create nick snmpv2c group
Passport-8310:5# config snmp-v3 group-member info

====== VACM Group Membership Configuration ======
Sec Model   User Name     Group Name
------
snmpv1      initialview   v1v2grp
snmpv2c     nick          group
snmpv2c     initialview   v1v2grp
usm         john          group

4 out of 4 Total entries displayed
------

Passport-8310:5# config snmp-v3 group-member delete nick snmpv2c
Passport-8310:5# config snmp-v3 group-member info

====== VACM Group Membership Configuration ======
Sec Model   User Name     Group Name
------
snmpv1      initialview   v1v2grp
snmpv2c     initialview   v1v2grp
usm         john          group

3 out of 3 Total entries displayed
------

Passport-8310:5#


Creating v3 group access

To create new access for a group in the VACM table on the Ethernet Routing Switch 8300, use the following command:

config snmp-v3 group-access create <group name> <prefix> <model> <level>

The config snmp-v3 group-access create command includes the following options:

config snmp-v3 group-access create followed by:

• group name: Creates the new entry with this group name. The range is 1 to 32 characters.
• prefix: Assigns a context prefix. The range is 0 to 32 characters. Note: The prefix option is not supported in the current release of the Ethernet Routing Switch 8300; however, because it is part of the index for the table, it must be configured. When you configure prefix, enter "" to indicate an empty string.
• model: Assigns the authentication checking to communicate to the switch. The valid options are usm, snmpv1, and snmpv2c.
• level: Assigns the minimum level of security required to gain the access rights allowed by this conceptual row. The valid options are authPriv, authNoPriv, or noAuthNoPriv.


Other group-access commands

The following are additional config snmp-v3 group-access commands:

config snmp-v3 group-access followed by:

• info: Displays VACM group access information, including group names and access levels.
• delete: Removes group access from the v3 VACM table.
• view <group name> <prefix> <model> <level> [read <read value>] [write <write value>]: Assigns a MIB view for the specified group. read value indicates that you want the group to have read access to the specified MIB view; write value indicates that you want the group to have write access to the specified MIB view.

Configuration example: SNMPv3 group access

The following configuration example uses the commands described above to:

• Create a new group access, secondary, using "" as the prefix, USM as the security model, and noAuthNoPriv as the level.
• Create a new group access, tertiary, using "" as the prefix, USM as the security model, and noAuthNoPriv as the level.
• View the group access information.
• Delete group access for secondary.
• Assign the MIB view, org, to the group, tertiary.
• View the group access information.

Figure 35 on page 146 shows sample output using these commands.


Figure 35 SNMPv3 group access configuration sample output

Passport-8310:5# config snmp-v3 group-access create secondary "" usm noAuthNoPriv
Passport-8310:5# config snmp-v3 group-access create tertiary "" usm noAuthNoPriv
Passport-8310:5# config snmp-v3 group-access info

====== VACM Group Access Configuration ======
Group       Prefix   Model     Level          ReadV      WriteV
------
group_1              usm       authNoPriv     org        private
group_1              usm       authPriv       org        org
initial              usm       authPriv       org        org
readgrp              snmpv1    noAuthNoPriv   v1v2only
readgrp              snmpv2c   noAuthNoPriv   v1v2only
v1v2grp              snmpv1    noAuthNoPriv   v1v2only   v1v2only
v1v2grp              snmpv2c   noAuthNoPriv   v1v2only   v1v2only
tertiary             usm       noAuthNoPriv
secondary            usm       noAuthNoPriv

9 out of 9 Total entries displayed
------

Passport-8310:5# config snmp-v3 group-access delete secondary "" usm noAuthNoPriv
Passport-8310:5# config snmp-v3 group-access view tertiary "" usm noAuthNoPriv read org write org
Passport-8310:5# config snmp-v3 group-access info

====== VACM Group Access Configuration ======
Group       Prefix   Model     Level          ReadV      WriteV
------
group_1              usm       authNoPriv     org        private
group_1              usm       authPriv       org        org
initial              usm       authPriv       org        org
readgrp              snmpv1    noAuthNoPriv   v1v2only
readgrp              snmpv2c   noAuthNoPriv   v1v2only
v1v2grp              snmpv1    noAuthNoPriv   v1v2only   v1v2only
v1v2grp              snmpv2c   noAuthNoPriv   v1v2only   v1v2only
tertiary             usm       noAuthNoPriv   org        org

8 out of 8 Total entries displayed
------


Creating a new entry for the MIB in the View table

To create a new entry for the MIB View table on the Ethernet Routing Switch 8300, enter the following command:

config snmp-v3 mib-view create <view name> <subtree oid> [mask <mask>] [type <type>]

The config snmp-v3 mib-view create command includes the following options:

config snmp-v3 mib-view create followed by:

• View Name: Creates a new entry with this view name. The range is 1 to 32 characters.
• subtree oid: The prefix that defines the set of MIB objects accessible by this SNMP entity. The range is 1 to 32 characters.
• mask (optional): Specifies that a bit mask be used with vacmViewTreeFamilySubtree to determine whether an OID falls under a view subtree.
• type (optional): Determines whether access to a MIB object is granted (include) or denied (exclude).

Other MIB-view commands

The following are additional config snmp-v3 mib-view commands:

config snmp-v3 mib-view followed by:

• info: Displays MIB view information, including view names and subtree object IDs.
• delete: Deletes an entry from the MIB-view table.
• mask: Changes the mask for an entry in the MIB-view table.
• type: Changes the type for an entry in the MIB-view table.

Configuration example: MIB view

The following configuration example uses the commands described above to:

• Create a new MIB view, dev, using a subtree oid of 1.3.8.7.1.4, a mask of ffff, and a type of include.
• View the MIB view information.
• Change the type to exclude.
• View the MIB view information.

Figure 36 on page 149 and Figure 37 on page 150 show sample output using these commands.


Figure 36 MIB view commands sample output

Passport-8310:5# config snmp-v3 mib-view create dev 1.3.8.7.1.4 mask ffff type include
Passport-8310:5# config snmp-v3 mib-view info

====== MIB View ======
View Name   Subtree                  Mask     Type
------
dev         1.3.8.7.1.4              0xffff   include
org         1                                 include
root        1                                 include
snmp        1.3.6.1.6.3                       include
snmp        1.3.6.1.2.1.1                     include
layer1      1.3                               exclude
layer1      1.3.6.1.2.1.1                     include
layer1      1.3.6.1.2.1.2.2.1.7               include

8 out of 8 Total entries displayed
------

Passport-8310:5# config snmp-v3 mib-view type dev 1.3.8.7.1.4 exclude
Passport-8310:5# config snmp-v3 mib-view info

====== MIB View ======
View Name   Subtree                  Mask     Type
------
dev         1.3.8.7.1.4              0xffff   exclude
org         1                                 include
root        1                                 include
snmp        1.3.6.1.6.3                       include
snmp        1.3.6.1.2.1.1                     include
layer1      1.3                               exclude
layer1      1.3.6.1.2.1.1                     include
layer1      1.3.6.1.2.1.2.2.1.7               include

8 out of 8 Total entries displayed
------

Passport-8310:5#


Figure 37 MIB view commands sample output

Passport-8310:5# config snmp-v3 mib-view create dev 1.3.8.7.1.4 type include
Passport-8310:5# config snmp-v3 mib-view info

====== MIB View ======
View Name   Subtree                  Mask   Type
------
dev         1.3.8.7.1.4                     include
org         1.3                             include
root        1                               include
snmp        1.3.6.1.6.3                     include
snmp        1.3.6.1.2.1.1                   include
v1v2only    1                               include
v1v2only    1.3.6.1.6.3.16                  exclude
v1v2only    1.3.6.1.6.3.18                  exclude

8 out of 8 Total entries displayed
------

Passport-8310:5# config snmp-v3 mib-view type dev 1.3.8.7.1.4 exclude
Passport-8310:5# config snmp-v3 mib-view info

====== MIB View ======
View Name   Subtree                  Mask   Type
------
dev         1.3.8.7.1.4                     exclude
org         1.3                             include
root        1                               include
snmp        1.3.6.1.6.3                     include
snmp        1.3.6.1.2.1.1                   include
v1v2only    1                               include
v1v2only    1.3                             include
v1v2only    1.3.6.1.6.3.18                  exclude

8 out of 8 Total entries displayed
------

Passport-8310:5#


Creating a community

Note: When you configure SNMPv3 with a community table, the group member must be configured with both the snmpv1 and the snmpv2c entries (see “Creating a new user group member” on page 142 for instructions). The current implementation of Device Manager uses SNMPv1 for discovering the Ethernet Routing Switch 8300 and SNMPv2c for accessing the MIB.

To create a community on the Ethernet Routing Switch 8300, enter the following command:

config snmp-v3 community create <comm idx> <name> <security>

The config snmp-v3 community create command includes the following options:

config snmp-v3 community create followed by:

• Comm Idx: The unique index value of a row in this table. The range is 1 to 32 characters.
• name: The community string for which a row in this table represents a configuration. name can be up to 32 characters.
• security: Maps the community string to the security name in the VACM Group Member Table. security can be up to 32 characters.

Changing the default community strings

If you’re using the default public/private access through SNMPv1, SNMPv2, or SNMPv3 and want to change them, use the following commands:

config snmp-v3 community name first new_public
config snmp-v3 community name second new_private


To view the Community Table, use the following command:

config snmp-v3 community info

Figure 38 shows the output from this command.

Figure 38 config snmp-v3 community info output

Passport-8310:5# config snmp-v3 community info

====== Community Table ======
INDEX    NAME       SECURITYNAME
------
first    ********   readview
second   ********   initialview

2 out of 2 Total entries displayed
------

Passport-8310:5#

Other community commands

The following are additional config snmp-v3 community commands:

config snmp-v3 community followed by:

• info: Displays the community table, including the index, name, and security name.
• delete: Deletes an entry from the community table. Note: You cannot delete the default communities (first and second).
• name <new-name>: Changes the name for an entry in the community table.
• security <new-security>: Changes the security name for an entry in the community table.


Configuration example: community

The following configuration example uses the commands described above to:

• Create a community using third as the index, public as the name, and v1v2only as the security name.
• View the community information.
• Change the name to private.
• View the community information.
• Change the security name to v1v3only.
• View the community information.

Figure 39 on page 154 shows sample output using these commands.


Figure 39 Community commands sample output

Passport-8310:5# config snmp-v3 community create third public v1v2only
Passport-8310:5# config snmp-v3 community info

====== Community Table ======
INDEX    NAME       SECURITYNAME
------
first    ********   readview
second   ********   initialview
third    ********   v1v2only

3 out of 3 Total entries displayed
------

Passport-8310:5# config snmp-v3 community name third new-name private
Passport-8310:5# config snmp-v3 community info

====== Community Table ======
INDEX    NAME       SECURITYNAME
------
first    ********   readview
second   ********   initialview
third    ********   v1v2only

3 out of 3 Total entries displayed
------

Passport-8310:5# config snmp-v3 community security third new-security v1v3only
Passport-8310:5# config snmp-v3 community info

====== Community Table ======
INDEX    NAME       SECURITYNAME
------
first    ********   readview
second   ********   initialview
third    ********   v1v3only

3 out of 3 Total entries displayed
------


SNMPv3 configuration example

The following procedure shows how to create a user for SNMPv3, create a group for that user, assign view access for that group, and create and assign a MIB view for that group.

1 Create a user (for example, rdalton).
config snmp-v3 usm create rdalton md5 auth password

2 Create a group and assign it to the user.
config snmp-v3 group-member create rdalton usm newgroup

3 Assign view access for the newly created group.
config snmp-v3 group-access create newgroup "" usm authNoPriv

4 Create a MIB view.
config snmp-v3 mib-view create newmibview 1.3

5 Assign a MIB view for the group.
config snmp-v3 group-access view newgroup "" usm authNoPriv read newmibview write newmibview

SNMPv1/SNMPv2 configuration example

The following procedure shows how to create a user for SNMPv1 or SNMPv2, create a group for that user, and assign view access and a MIB view for that group.

1 Create a user. For this example, index1 is the index of the entry, newgroup is the community string that will be used for login, and initialview is the security name that is associated with the group-member table (VACM table).
config snmp-v3 community create index1 newgroup initialview

2 Create a group and assign it to a user for SNMPv1 or SNMPv2. For this example, newgroupgrp is the group that belongs to the community newgroup.
config snmp-v3 group-member create initialview snmpv1 newgroupgrp
or
config snmp-v3 group-member create initialview snmpv2c newgroupgrp

3 Assign view access for the newly created group.
config snmp-v3 group-access create newgroupgrp "" snmpv1 noAuthNoPriv
or
config snmp-v3 group-access create newgroupgrp "" snmpv2c noAuthNoPriv

4 Assign a MIB view for the group. For this example, use the root MIB view; if this does not exist, use org.
config snmp-v3 group-access view newgroupgrp "" snmpv1 noAuthNoPriv read root write root
or
config snmp-v3 group-access view newgroupgrp "" snmpv2c noAuthNoPriv read root write root

Note: You can also create your own MIB view by using the command config snmp-v3 mib-view create <view name> <subtree oid> [mask <mask>] [type <type>] (see “Creating a new entry for the MIB in the View table” on page 147 for instructions). After you create a MIB view, you can then assign it to a group.


Displaying SNMP system information

To display configuration information, including SNMP system information, on the Ethernet Routing Switch 8300, enter the following command:

show config module sys

Configuration example: show SNMP system information

Figure 40 on page 158 shows sample output for the show config module sys command.


Figure 40 show config module sys sample output

Passport-8310:5# show config module sys
Preparing to Display Configuration...
#
# WED MAR 17 08:33:54 2004 UTC
# box type : Passport-8310
# software version : REL2.2.0.0_B108
# monitor version : 2.2.0.0/108
#
#
# Asic Info :
# SlotNum|Name |CardType |Parts Description
#
# Slot 1 -- 0x00000001
# Slot 2 -- 0x00000001
# Slot 3 -- 0x00000001
# Slot 4 -- 0x00000001
# Slot 5 8393SF 0x50022108 CPU: PP=1 FA=2 XBAR=0 CPLD=5
. . .
#
# SNMP V3 GROUP MEMBERSHIP CONFIGURATION
#
snmp-v3 group-member create user1 usm group_1
snmp-v3 group-member create user2 usm group_1
#
# SNMP V3 GROUP ACCESS CONFIGURATION
#
snmp-v3 group-access create group_1 "" usm authNoPriv
snmp-v3 group-access view group_1 "" usm authNoPriv read "org" write "private"
snmp-v3 group-access create group_1 "" usm authPriv
snmp-v3 group-access view group_1 "" usm authPriv read "org" write "org"
snmp-v3 group-access create tertiary "" usm noAuthNoPriv
snmp-v3 group-access view tertiary "" usm noAuthNoPriv read "tertiary" write "tertiary"
#
# SNMP V3 MIB VIEW CONFIGURATION
#
snmp-v3 mib-view create private 1.3.6.1.4 type exclude
. . .


Note: To maintain security, the USM table is not displayed. This prevents viewing of the USM auth and priv passwords. When you choose save config, the USM table is saved in an encrypted file called snmp_usm.txt without the default entries.

Blocking SNMP

You disable SNMP access to the Ethernet Routing Switch 8300 by entering the following commands:

Passport-8310:5#config bootconfig flags block-snmp true
Passport-8310:5#save boot
Passport-8310:5#boot -y

By default, SNMP access is enabled. To reenable SNMP access, enter the following command:

Passport-8310:5#config bootconfig flags block-snmp false
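As an added example that is not part of this manual, the following Python reads a configuration dump of the kind that show running-config (NNCLI, Figure 31) and show config module sys (CLI, Figure 40) print, and flags the settings the SNMP chapters tell you to change: the default public/private community strings, SNMPv1/SNMPv2c trap hosts (whose community travels in clear text), and noAuthNoPriv group access that carries a write view. The sample dump, the finding codes and the function names are constructed for this example.

```python
"""Audit an ERS 8300 SNMP configuration dump for weak settings
(added example, not Nortel's code).

Works on the lines that `show running-config` (NNCLI, snmp-server ...) or
`show config module sys` (CLI, snmp-v3 ...) print, as seen in Figures 31
and 40, and reports what the manual's own guidance says to fix.
"""
import shlex
from dataclasses import dataclass
from typing import List

DEFAULT_COMMUNITIES = {"public", "private"}   # the switch's factory strings


@dataclass(frozen=True)
class Finding:
    line: int
    code: str
    detail: str


def _write_view(tokens: List[str]) -> str:
    """Write view named on a `group-access view` (CLI: write) or
    `group view` (NNCLI: write-view) line; '' when none is assigned."""
    for i in range(7, len(tokens) - 1):
        if tokens[i] in ("write", "write-view"):
            return tokens[i + 1]
    return ""


def audit_snmp_config(config_text: str) -> List[Finding]:
    findings: List[Finding] = []
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            tok = shlex.split(line)      # keeps "" as an empty prefix token
        except ValueError:
            continue
        if len(tok) < 4 or tok[0] not in ("snmp-server", "snmp-v3"):
            continue
        kind = tok[1]
        if kind == "host" and len(tok) >= 5 and tok[3] in ("v1", "v2c"):
            # snmp-server host <ip> v1|v2c <community>
            findings.append(Finding(lineno, "v1v2c-host",
                            f"trap host {tok[2]} uses {tok[3]}; community sent in clear text"))
            if tok[4].lower() in DEFAULT_COMMUNITIES:
                findings.append(Finding(lineno, "default-community",
                                f"trap host {tok[2]} uses default community {tok[4]!r}"))
        elif kind == "community":
            # CLI: community create <idx> <name> <security>; NNCLI: community <idx> <name> <security>
            if tok[2] in ("security", "delete"):
                continue
            if tok[2] in ("create", "name") and len(tok) >= 5:
                name = tok[4]
            else:
                name = tok[3]
            if name.lower() in DEFAULT_COMMUNITIES:
                findings.append(Finding(lineno, "default-community",
                                f"community string {name!r} is a factory default"))
        elif kind in ("group-access", "group") and tok[2] == "view" and len(tok) >= 7:
            # ... view <group> <prefix> <model> <level> read X write Y
            group, level = tok[3], tok[6]
            wv = _write_view(tok)
            if level.lower() == "noauthnopriv" and wv:
                findings.append(Finding(lineno, "unauthenticated-write",
                                f"group {group!r} has write view {wv!r} with no authentication"))
    return findings


# Constructed dump: lines lifted from Figures 31 and 40 of this manual.
SAMPLE_CONFIG = """\
# SNMP V3 GLOBAL CONFIGURATION
snmp-server host 47.140.53.74 v1 public
# SNMP V3 GROUP ACCESS CONFIGURATION
snmp-v3 group-access create group_1 "" usm authPriv
snmp-v3 group-access view group_1 "" usm authPriv read "org" write "org"
snmp-v3 group-access create tertiary "" usm noAuthNoPriv
snmp-v3 group-access view tertiary "" usm noAuthNoPriv read "tertiary" write "tertiary"
snmp-v3 community create third public v1v2only
"""

if __name__ == "__main__":
    for f in audit_snmp_config(SAMPLE_CONFIG):
        print(f"line {f.line}: [{f.code}] {f.detail}")
```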


Chapter 8 Configuring SSH using the NNCLI

This chapter describes how to configure SSH using the NNCLI.

The Ethernet Routing Switch 8300 acts as a server (the client mode is not currently supported), and secures the communication between a client (PC, Unix) and the switch.

The implementation of the SSH server in the Ethernet Routing Switch 8300 enables the SSH client to make a secure connection to an Ethernet Routing Switch 8300 and works with commercially-available SSH clients.

Note: Due to export restrictions, the encryption capability is separated from the main image. This requires the p83c2200.img file to be loaded separately.

NNCLI commands for SSH

This section lists the NNCLI commands used to enable SSH and configure SSH parameters.

Specifically, this chapter includes the following topics:

Topic Page
Enabling the SSH server 162
Configuring SSH 162
Defining the action 162
Enabling/disabling DSA authentication 163
Enabling/disabling the SSH daemon 163
Setting the maximum number of SSH sessions 163
Enabling password authentication 163
Setting the SSH connection port 163
Enabling RSA authentication 164
Setting the SSH authentication timeout 164
Setting the SSH version 164
Creating the user-defined access policy to enable service connections 164
Loading the encryption module in the switch 165
Viewing configured SSH parameters 165

Enabling the SSH server

To enable the SSH server, use the following command from Global configuration mode and higher:

bootconfig flags sshd
no bootconfig flags sshd

Configuring SSH

Use the following commands to configure SSH parameters. The NNCLI commands must be executed from Global configuration mode or higher.

Defining the action

The command is broken into individual commands in NNCLI mode. The no ssh dsa-host-key command is equivalent to the dsa-keydel CLI option. Similarly, the no ssh rsa-host-key corresponds to rsakeydel.

ssh dsa-host-key [integer]
no ssh dsa-host-key
ssh rsa-host-key [integer]
no ssh rsa-host-key


where integer is the SSH host key size. The value is in the range 512–1024. The default value is 1024.

Enabling/disabling DSA authentication

ssh dsa-auth
no ssh dsa-auth

The default value is true/enabled.

Enabling/disabling the SSH daemon

ssh
ssh secure
no ssh

ssh enables the daemon and no ssh disables it. ssh secure enables the daemon and also disables the non-secure services, so that the switch can be managed only over SSH. By default, the daemon is disabled.

Setting the maximum number of SSH sessions

ssh max-session [integer]

where [integer] is a value in the range 0–8. The default value is 4.

Enabling password authentication

ssh pass-auth
no ssh pass-auth

By default, password authentication is enabled.

Setting the SSH connection port

ssh port <port>

where <port> is the port number. The port number value is in the range 1–65535. The default value is 22.

Note: An SSH session is not established on a reserved port. If you configure a reserved port (for example, port 23, Telnet) as the SSH connection port, the SSH session is not established, and you cannot later change the port number or any other SSH parameter, even if you disable SSH. Verify the number before you apply it. The default SSH connection port is 22; if you need a different port, use a number greater than 1024 (up to 65535).

Enabling RSA authentication

ssh rsa-auth
no ssh rsa-auth

By default, RSA authentication is enabled.

Setting the SSH authentication timeout

ssh timeout <seconds>

where <seconds> is a value in seconds in the range 1–120. The default value is 60 seconds.

Setting the SSH version

ssh version {v2only|both}

The default value is v2only.

Creating the user-defined access policy to enable service connections

The user-defined policy must be created before you enable or disable any service for it.

access-policy policy <policy-id> ssh
no access-policy policy <policy-id> ssh

where <policy-id> identifies the access policy to which the SSH service is attached.

Loading the encryption module in the switch

load-module 3DES WORD<1-1536>

where WORD<1-1536> is the path of the encryption module image file (p83c2200.img; see the note at the start of this chapter), given as a string of 1 to 1536 characters.

Viewing configured SSH parameters

The SSH parameters can be verified using the following commands. The commands can be executed from the Privileged EXEC, User EXEC, Global configuration, and Interface modes.

show ssh global
show ssh session

Chapter 9 Configuring SSH using the CLI

This chapter describes how to configure SSH using the CLI.

The Ethernet Routing Switch 8300 switch acts as a server (the client mode is not currently supported), and secures the communication between a client (PC, Unix) and the switch.

The implementation of the SSH server in the Ethernet Routing Switch 8300 enables the SSH client to make a secure connection to an Ethernet Routing Switch 8300 and works with commercially-available SSH clients.

Note: Due to export restrictions, the encryption capability is separated from the main image. This requires the p83c2200.img file to be loaded separately.

CLI commands for SSH

This section lists the CLI commands used to enable SSH and configure SSH parameters.

Specifically, this chapter includes the following topics:

Enabling the SSH server (page 168)
Configuring SSH (page 168)
Defining the action (page 168)
Enabling/disabling DSA authentication (page 168)
Enabling/disabling the SSH daemon (page 169)
Setting the maximum number of SSH sessions (page 169)
Enabling password authentication (page 169)
Setting the SSH connection port (page 169)
Enabling RSA authentication (page 170)
Setting the SSH authentication timeout (page 170)
Setting the SSH version (page 170)
Creating the user-defined access policy to enable service connections (page 170)
Loading the encryption module in the switch (page 170)
Viewing configured SSH parameters (page 170)

Enabling the SSH server

Use the following command to enable the SSH server:

config bootconfig flags sshd

Configuring SSH

Use the following commands to configure SSH parameters.

Defining the action

config sys set ssh action <action> [<size>]

where:

• <action> is one of rsa-keygen, rsa-keydel, dsa-keygen, dsa-keydel.
• <size> is the SSH host key size in bits. The value is in the range 512–1024. The default value is 1024.

Enabling/disabling DSA authentication

config sys set ssh dsa-auth <true|false>

Enabling/disabling the SSH daemon

config sys set ssh enable <true|false|secure>

where:

• true enables SSH
• false disables SSH
• secure enables SSH and disables the non-secure services, so that the switch can be managed only over SSH

Setting the maximum number of SSH sessions

config sys set ssh max-sessions <value>

where <value> is in the range 0–8. The default value is 4.

Enabling password authentication

config sys set ssh pass-auth <true|false>

By default, password authentication is enabled.

Setting the SSH connection port

config sys set ssh port <port>

where <port> is the port number. The port number value is in the range 1–65535. The default value is 22.

Note: An SSH session is not established on a reserved port. If you configure a reserved port (for example, port 23, Telnet) as the SSH connection port, the SSH session is not established, and you cannot later change the port number or any other SSH parameter, even if you disable SSH. Verify the number before you apply it. The default SSH connection port is 22; if you need a different port, use a number greater than 1024 (up to 65535).


Enabling RSA authentication

config sys set ssh rsa-auth <true|false>

By default, RSA authentication is enabled.

Setting the SSH authentication timeout

config sys set ssh timeout <seconds>

where <seconds> is a value in seconds in the range 1–120. The default value is 60 seconds.

Setting the SSH version

config sys set ssh version <v2only|both>

The default value is v2only. Keep it: both also accepts SSH protocol version 1 connections, which have known weaknesses.

Creating the user-defined access policy to enable service connections

The user-defined policy must be created before you enable or disable any service for it.

config sys access-policy policy <policy-id> service ssh enable

where <policy-id> identifies the access policy to which the SSH service is attached.

Loading the encryption module in the switch

config load-module <3DES|DES> <file>

where <file> is the path of the encryption module image file (p83c2200.img; see the note at the start of this chapter).

Viewing configured SSH parameters

The SSH parameters can be verified using the following commands.

show ssh global
show ssh session

Chapter 10 Setting up RADIUS servers

Nortel recommends that you configure at least two RADIUS servers in the network to provide redundancy. You can configure a maximum of 10 RADIUS servers in a single network.

The Ethernet Routing Switch 8300 software supports BaySecure Access Control (BSAC*), Merit Network, and freeRadius servers. For instructions on installing the BSAC, Merit Network, or freeRadius server software on the server that you will use, see the installation manual that came with your software.

Note: The BSAC server is now known as the Steel-Belted Radius server (SBR). The SBR Version 4.0 and higher includes a module that supports EAP. The procedures in this chapter for preparing a BSAC server to support RADIUS authentication are valid for the SBR.

After the software is installed, you must make changes to one or more files for these servers. For information about the changes that must be made for the BSAC server, see “Updating files for the BSAC RADIUS server.” For information about the changes that must be made for the Merit Network server, see “Updating the dictionary file for a Merit Network server.” For information about changes that must be made for the freeRadius server, see “Updating files for the freeRadius server.”

For detailed instructions on configuring a RADIUS server, including adding clients and adding users and access priorities, refer to the documentation that came with the server software.

This chapter describes how to update four files for the BSAC RADIUS server, one file for the Merit Network server, and three files for the freeRadius server. It also describes the vendor-specific attribute format for CLI commands if you are using a third-party RADIUS server and need to modify the dictionary files. Specifically, this chapter includes the following topics:

Updating files for the BSAC RADIUS server (page 172)
Using a third-party RADIUS server (page 174)
Updating the dictionary file for a Merit Network server (page 175)
Updating files for the freeRadius server (page 175)
Changing user access (page 178)
Enabling EAP authentication (page 183)

Updating files for the BSAC RADIUS server

After you have installed the BSAC server software on either a UNIX or Windows NT server, you must update four files for BSAC to successfully authenticate a user:

• The main dictionary (radius.dct). This file must be edited to contain an entry of parameters from the newly created Ethernet Routing Switch dictionary.
• A private dictionary (pprt8300.dct). This file, which is specific to the Ethernet Routing Switch 8300, must be generated. It is sourced and used by dictiona.dcm and vendor.ini.
• The vendor.ini file. This file must contain an entry for the Ethernet Routing Switch 8300 so that the model/type is recognized during client configuration.
• The account.ini file. This file must contain the Cli-Command= entry.

Specifically, you must make the following configuration changes for the BSAC server:

1 Add the following lines in files radius.dct and pprt8300.dct:

ATTRIBUTE Access-Priority 26 [vid=1584 type1=192 len1=+2 data=integer] R
VALUE Access-Priority None-Access 0
VALUE Access-Priority Read-Only-Access 1
VALUE Access-Priority L1-Read-Write-Access 2
VALUE Access-Priority L2-Read-Write-Access 3
VALUE Access-Priority L3-Read-Write-Access 4
VALUE Access-Priority Read-Write-Access 5
VALUE Access-Priority Read-Write-All-Access 6

ATTRIBUTE Cli-Command 26 [vid=1584 type1=193 len1=+2 data=string]

Note: The value in the type1 field must match the vendor-specific attribute value configured on the switch for that attribute (show radius on the switch displays the configured values; see Chapter 11). No two attributes may use the same type1 value.

2 Add the following lines in vendor.ini:

vendor-product = Nortel Passport 8300
dictionary = pprt8300
ignore-ports = no
port-number-usage = per-port-type
help-id = 0

3 Add the following entry to the account.ini file:

Cli-Command=

4 In the account.ini file, make sure that the following lines are present:

User-Name=
Acct-Input-Octets=
Acct-Output-Octets=
Acct-Session-Id=
Acct-Session-Time=
Acct-Input-Packets=
Acct-Output-Packets=

5 Restart the server to activate the changes.

Using a third-party RADIUS server

If you are using a third-party RADIUS server and need to modify the dictionary files, use the following vendor-specific attribute (VSA) format for CLI commands. The outer attribute is the standard RADIUS Vendor-Specific attribute (type 26, RFC 2865); its value carries the 4-octet Vendor-Id followed by one vendor sub-attribute, which has its own type and length octets (the len1=+2 in the BSAC dictionary entries above accounts for those two octets):

 octets:   1     1         4               2+x
         +-----+-----+-------------+-----------------------+
         |type |len  |  Vendor-Id  |    value (string)     |
         +-----+-----+-------------+-----------------------+
                                           |
 octets:                       1     1            x
                             +-----+-----+---------------------+
                             |type |len  | value (cli-command) |
                             +-----+-----+---------------------+

type is 26 (Vendor-Specific), Vendor-Id is 1584 (Nortel), and the inner type is the cli-commands attribute value configured on the switch (195 by default).
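The following is an added example, not Nortel code and not part of the original manual. It builds and parses the Nortel vendor-specific attributes in the layout just described (RFC 2865 type 26, 4-octet Vendor-Id 1584, one vendor sub-attribute with its own type and length) using the vendor type numbers quoted on this page (192 Access-Priority, 194 Command-Access, 195 Cli-Commands). The function names, the choice to carry integers as standard 4-byte RADIUS integers, and the sample reply are mine; the length checks in the decoder are the kind a server or proxy needs so that a malformed attribute raises rather than being read past its end.

```python
import struct

# Added example, not Nortel code. Layout follows RFC 2865 section 5.26
# (Vendor-Specific attribute); the vendor id and type numbers are those used
# in the dictionary entries on this page.
VSA_TYPE = 26
NORTEL_VENDOR_ID = 1584

# Vendor sub-attribute type numbers; they must equal the values configured
# on the switch (these are the switch defaults quoted on this page).
ACCESS_PRIORITY = 192
COMMAND_ACCESS = 194
CLI_COMMANDS = 195

ACCESS_PRIORITY_VALUES = {
    "None-Access": 0,
    "Read-Only-Access": 1,
    "L1-Read-Write-Access": 2,
    "L2-Read-Write-Access": 3,
    "L3-Read-Write-Access": 4,
    "Read-Write-Access": 5,
    "Read-Write-All-Access": 6,
}


def encode_vsa(vendor_type, value):
    """Build one Vendor-Specific attribute carrying a single Nortel
    sub-attribute. Integers go out as 4-byte big-endian (RADIUS integer);
    strings go out as raw bytes."""
    data = struct.pack("!I", value) if isinstance(value, int) else value.encode()
    sub = struct.pack("!BB", vendor_type, 2 + len(data)) + data
    body = struct.pack("!I", NORTEL_VENDOR_ID) + sub
    if 2 + len(body) > 255:
        raise ValueError("value too long for a single attribute")
    return struct.pack("!BB", VSA_TYPE, 2 + len(body)) + body


def decode_vsa(buf):
    """Parse one VSA and return (vendor_id, vendor_type, raw_value).
    Every length octet is checked before it is trusted, so a truncated or
    inconsistent attribute raises instead of being read out of bounds."""
    if len(buf) < 8:
        raise ValueError("attribute shorter than the minimum VSA")
    attr_type, length = struct.unpack("!BB", buf[:2])
    if attr_type != VSA_TYPE or length != len(buf):
        raise ValueError("not a well-formed Vendor-Specific attribute")
    vendor_id = struct.unpack("!I", buf[2:6])[0]
    vendor_type, vendor_len = struct.unpack("!BB", buf[6:8])
    if vendor_len < 2 or 6 + vendor_len != length:
        raise ValueError("vendor-length disagrees with attribute length")
    return vendor_id, vendor_type, buf[8:8 + vendor_len - 2]


def is_malformed(buf):
    """Yes/no wrapper around decode_vsa for callers that only need a verdict."""
    try:
        decode_vsa(buf)
    except ValueError:
        return True
    return False


def _int(raw):
    if len(raw) != 4:
        raise ValueError("RADIUS integer must be exactly 4 octets")
    return struct.unpack("!I", raw)[0]


def build_reply(access_priority_name, command_access, commands):
    """Attributes a server returns for one user, concatenated as on the wire:
    one Access-Priority, one Command-Access and one Cli-Commands per command."""
    out = encode_vsa(ACCESS_PRIORITY, ACCESS_PRIORITY_VALUES[access_priority_name])
    out += encode_vsa(COMMAND_ACCESS, 1 if command_access else 0)
    for cmd in commands:
        out += encode_vsa(CLI_COMMANDS, cmd)
    return out


def parse_reply(buf):
    """Walk a run of attributes and collect the Nortel ones by sub-type.
    Attributes of other types or vendors (for example Reply-Message) are skipped."""
    names = {v: k for k, v in ACCESS_PRIORITY_VALUES.items()}
    result = {"commands": []}
    pos = 0
    while pos < len(buf):
        if pos + 2 > len(buf) or buf[pos + 1] < 2:
            raise ValueError("malformed attribute list")
        attr_type, length = buf[pos], buf[pos + 1]
        if attr_type == VSA_TYPE:
            vendor_id, vendor_type, raw = decode_vsa(buf[pos:pos + length])
            if vendor_id == NORTEL_VENDOR_ID:
                if vendor_type == ACCESS_PRIORITY:
                    result["access_priority"] = names.get(_int(raw), "unknown")
                elif vendor_type == COMMAND_ACCESS:
                    result["command_access"] = _int(raw) == 1
                elif vendor_type == CLI_COMMANDS:
                    result["commands"].append(raw.decode())
        pos += length
    return result
```

build_reply("Read-Write-All-Access", False, ["config ip"]) produces the three attributes the freeRadius users entry later on this page returns for the administrator account, and parse_reply reads them back; feeding decode_vsa a truncated slice raises instead of returning a partial value.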


Updating the dictionary file for a Merit Network server

You must add the following lines in the dictionary file for the Merit Network server:

VENDOR Nortel 1584

ATTRIBUTE Access-Priority 192 integer Nortel

VALUE Access-Priority None-Access 0
VALUE Access-Priority Read-Only-Access 1
VALUE Access-Priority L1-Read-Write-Access 2
VALUE Access-Priority L2-Read-Write-Access 3
VALUE Access-Priority L3-Read-Write-Access 4
VALUE Access-Priority Read-Write-Access 5
VALUE Access-Priority Read-Write-All-Access 6

ATTRIBUTE Cli-Command 192 string Nortel

The attribute numbers must match the values configured on the switch, and no two attributes can share a number (see Chapter 11); check the Cli-Command number against the switch's cli-commands-attribute value before restarting. You must restart the server to activate the changes.

Updating files for the freeRadius server

After you have installed the freeRadius server software on either a UNIX or Windows NT server, you must update three files for freeRadius to successfully authenticate a user:

• A private dictionary (dictionary.nortel)
• clients.conf
• users


Specifically, you must make the following configuration changes for the freeRadius server:

1 Add the following lines in the dictionary file (freeRadius requires the vendor block to be closed with END-VENDOR):

VENDOR Nortel 1584

BEGIN-VENDOR Nortel

ATTRIBUTE Access-Priority 192 integer

VALUE Access-Priority None-Access 0
VALUE Access-Priority Read-Only-Access 1
VALUE Access-Priority L1-Read-Write-Access 2
VALUE Access-Priority L2-Read-Write-Access 3
VALUE Access-Priority L3-Read-Write-Access 4
VALUE Access-Priority Read-Write-Access 5
VALUE Access-Priority Read-Write-All-Access 6

#CLI profile
ATTRIBUTE Command-Access 194 integer

#CLI Commands
ATTRIBUTE Cli-Commands 193 string

#CLI Commands
ATTRIBUTE Commands 195 string

VALUE Command-Access FALSE 0
VALUE Command-Access True 1

#802 priority (value: 0-7)
ATTRIBUTE Dot1x-Port-Priority 1 integer

END-VENDOR Nortel

2 Add the following lines in clients.conf. You must enter these lines for the freeRadius server to work. The secret is stored in clear text, so restrict the permissions on the directory and file, and replace the example secret below with a long, unique secret for this switch.

client 130.128.254.5/32 {
    secret = test
    shortname = R5
    nastype = other
}

3 Add the following lines in users.

# EAPoL users, using Microsoft Windows Domain convention
DOMAIN2\\user_n    Auth-Type := EAP, User-Password == "password"
                   Reply-Message = "You're authenticated, %u !!",

DOMAIN2\\eap_user  Auth-Type := EAP, User-Password == "eap_password"
                   Reply-Message = "You're authenticated, %u !!",

# Console/Telnet access via regular RADIUS
# the following will prohibit user "administrator" from issuing commands
# in the "config ip" tree
administrator      Auth-Type := Local, User-Password == "dimension"
                   Access-Priority = "Read-Write-All-Access",
                   Command-Access = "FALSE",
                   Commands = "config ip"

You must restart the server to activate the changes.


Changing user access

As a network administrator, you can override a user’s access to specific CLI commands by configuring the RADIUS server for user authentication. You must still give access based on the existing six access levels in the Ethernet Routing Switch 8300, but you can customize user access by permitting and preventing access to specific CLI commands.

Subscriber and administrative interaction

You must configure the following three returnable attributes for each user:

• Access priority (single instance): the access levels currently available on the Ethernet Routing Switch 8300: ro, l1, l2, l3, rw, rwa.
• Command access (single instance): indicates whether the NNCLI or CLI commands configured on the RADIUS server are allowed or disallowed for the user.
• NNCLI or CLI commands (multiple instances): the list of commands that the user can or cannot use. The list cannot mix allow and deny entries; the commands must be either all allow or all deny.

Configuring the BSAC or Merit Network server

To change the configuration of a BSAC or Merit Network server:

1 Create a new file (for example, pprtl2l3.dct) and update the information as shown in Figure 41 on page 179.


Figure 41 Updating information for the BSAC or Merit Network server

##############################################################################
# passaprt.dct - RADLINX PASSaPORT dictionary
#
# (See README.DCT for more details on the format of this file)
##############################################################################
#
# Use the Radius specification attributes in lieu of the RADLINX PASSaPORT ones
#
@radius.dct
#
# Define additional RADLINX PASSaPORT parameters
# (add RADLINX PASSaPORT specific attributes below)

ATTRIBUTE Radlinx-Vendor-Specific 26 [vid=648 data=string] R

##############################################################################
# pprtl2l3.dct - RADLINX PASSaPORT dictionary
##############################################################################
#Define Nortel Passport 1000 & 8000 Layer 2 & Layer 3 dictionary
#@radius.dct
@pprtL2L3.dct
ATTRIBUTE Access-Priority 26 [vid=1584 type1=192 len1=+2 data=integer] r
VALUE Access-Priority None-Access 0
VALUE Access-Priority Read-Only-Access 1
VALUE Access-Priority L1-Read-Write-Access 2
VALUE Access-Priority L2-Read-Write-Access 3
VALUE Access-Priority L3-Read-Write-Access 4
VALUE Access-Priority Read-Write-Access 5
VALUE Access-Priority Read-Write-All-Access 6
VALUE Access-Priority CommReadOnly 1
VALUE Access-Priority CommReadWriteLayer1 2
VALUE Access-Priority CommReadWriteLayer2 4
VALUE Access-Priority CommReadWriteLayer3 8
VALUE Access-Priority CommReadWrite 16
VALUE Access-Priority CommReadWriteAll 32

ATTRIBUTE Acct-Status-Type 26 [vid=1584 type1=193 len1=+2 data=integer] r
VALUE Acct-Status-Type Start 1
VALUE Acct-Status-Type Stop 2
VALUE Acct-Status-Type Interim-Update 3
VALUE Acct-Status-Type Accounting-On 7
VALUE Acct-Status-Type Accounting-Off 8

ATTRIBUTE Command-Access 26 [vid=1584 type1=194 len1=+2 data=integer] r
VALUE Command-Access TRUE 1
VALUE Command-Access FALSE 0

ATTRIBUTE Cli-Commands 26 [vid=1584 type1=195 len1=+2 data=string] R
################################################################################


The default values are 192,194,195. If you change these values on the Ethernet Routing Switch 8300, you must change them in the file.

Assign one of the following access levels to a user:

VENDOR Nortel 1584

ATTRIBUTE Access-Priority 192 integer Nortel

VALUE Access-Priority None-Access 0
VALUE Access-Priority Read-Only-Access 1
VALUE Access-Priority L1-Read-Write-Access 2
VALUE Access-Priority L2-Read-Write-Access 3
VALUE Access-Priority L3-Read-Write-Access 4
VALUE Access-Priority Read-Write-Access 5
VALUE Access-Priority Read-Write-All-Access 6

ATTRIBUTE Cli-Command 192 string Nortel

The following are the values that are valid for the Command-Access attribute:

VALUE Command-Access TRUE 1
VALUE Command-Access FALSE 0

2 In the file dictiona.dcm, reference the new file pprtl2l3.dct:

@pprtl2l3.dct

3 Update the file vendor.ini as follows:

vendor-product = Nortel Passport 8300 Switches
dictionary = pprtl2l3
ignore-ports = no
help-id = 0


Configuring the freeRadius server

To change the configuration of a freeRADIUS server:

1 Create a new file dictionary.passport and include it in the dictionary file.

2 Add the following to the dictionary.passport file:

VENDOR Passport 1584
ATTRIBUTE Access-Priority-Attribute 192 integer Passport
ATTRIBUTE Cli-Commands-Attribute 195 string Passport
ATTRIBUTE Command-Access 194 integer Passport

192, 195 and 194 are the default values. If you change these values on the Ethernet Routing Switch 8300, you must change them in the file.

Assign one of the following access levels to a user:

VENDOR Nortel 1584

ATTRIBUTE Access-Priority 192 integer Nortel

VALUE Access-Priority None-Access 0
VALUE Access-Priority Read-Only-Access 1
VALUE Access-Priority L1-Read-Write-Access 2
VALUE Access-Priority L2-Read-Write-Access 3
VALUE Access-Priority L3-Read-Write-Access 4
VALUE Access-Priority Read-Write-Access 5
VALUE Access-Priority Read-Write-All-Access 6

ATTRIBUTE Cli-Command 192 string Nortel

The following values are valid for the Command-Access attribute:

VALUE Command-Access FALSE 0
VALUE Command-Access TRUE 1

3 Modify the file clients.conf to provide access to the Ethernet Routing Switch 8300 and to provide the secret value:

x.x.x.x mysecret


where x.x.x.x is the Ethernet Routing Switch 8300 IP address. mysecret is the secret configured while creating a RADIUS server.

Note: The secret value configured on the RADIUS server must be the same as the one configured in the Ethernet Routing Switch 8300.

4 The file users must have the following access:

rwa    Auth-Type := Local, Password == rwa
       Access-Priority = RWA-Access,

The user and password must be rwa, and Access-Priority must be in the dictionary.passport file.

Example 1

User: john
Access-Priority: L2-Access
Command-Access: True
Cli-Commands: config ip forwarding

Though John has only L2 access, he can use the command config ip forwarding, which normally requires L3 access.

Example 2

User: Mike
Access-Priority: RWA-Access
Command-Access: False
Cli-Commands: reset

Although Mike has rwa access, he is prevented from using the reset command to reboot the switch.


5 If a user enters the help command, the system displays help for only those commands to which the user has access.

Note: If you prevent access to any command, only the lowest option in the command tree cannot be accessed. For example, if you prevent access to the CLI command config sys set for a user, the user is able to display or execute config or config sys; however, the user cannot display or execute set.
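The following is an added example, not Nortel code and not part of the original manual. It applies the three returned attributes (Access-Priority, Command-Access, Commands) to a typed command the way this section describes: the access level sets the baseline, an allow list adds the listed command subtrees on top of it (Example 1), a deny list removes them (Example 2), and a denied prefix blocks only the subtree below it, so config and config sys remain usable when config sys set is denied. The table that says which access level each command normally needs is an assumption made for illustration (the real mapping lives in the switch), and the parser reads the freeRadius users entry shown earlier in this chapter.

```python
# Added example, not Nortel code. The access-level table is an assumption
# for illustration; the switch holds the real command-to-level mapping.
ACCESS_LEVELS = {
    "None-Access": 0, "Read-Only-Access": 1, "L1-Read-Write-Access": 2,
    "L2-Read-Write-Access": 3, "L3-Read-Write-Access": 4,
    "Read-Write-Access": 5, "Read-Write-All-Access": 6,
}

# Assumed minimum level per command prefix, most specific prefix first.
REQUIRED_LEVEL = [
    ("reset", 6),
    ("config sys set", 5),
    ("config ip", 4),
    ("config", 2),
    ("show", 1),
]


def in_subtree(prefix, command):
    """True when command is prefix itself or lies below it in the command
    tree. Whole words are compared, so 'config ip' does not match 'config ipx'."""
    p, c = prefix.split(), command.split()
    return len(c) >= len(p) and c[:len(p)] == p


def required_level(command):
    for prefix, level in REQUIRED_LEVEL:
        if in_subtree(prefix, command):
            return level
    return 1


def parse_users_entry(entry):
    """Read the reply items of one freeRADIUS users entry; the check items on
    the first line are ignored. Commands may be listed more than once."""
    attrs = {"Commands": []}
    for line in entry.strip().splitlines()[1:]:
        name, _, value = line.strip().rstrip(",").partition("=")
        name, value = name.strip(), value.strip().strip('"')
        if name == "Commands":
            attrs["Commands"].append(value)
        elif name == "Command-Access":
            attrs[name] = value.upper() == "TRUE"
        else:
            attrs[name] = value
    return attrs


def authorize(user, command):
    """Decide whether user may run command.
    Command-Access True: the Commands list grants those subtrees on top of
    the access level. Command-Access False: the list denies those subtrees,
    and only the subtree is denied, so a parent such as 'config sys' still works."""
    level = ACCESS_LEVELS[user["Access-Priority"]]
    by_level = required_level(command) <= level
    listed = any(in_subtree(c, command) for c in user["Commands"])
    if user["Command-Access"]:
        return by_level or listed
    return by_level and not listed


# Constructed entries mirroring this chapter's users file and Examples 1 and 2.
ADMINISTRATOR = parse_users_entry('''
administrator Auth-Type := Local, User-Password == "dimension"
    Access-Priority = "Read-Write-All-Access",
    Command-Access = "FALSE",
    Commands = "config ip"
''')
JOHN = {"Access-Priority": "L2-Read-Write-Access", "Command-Access": True,
        "Commands": ["config ip forwarding"]}
MIKE = {"Access-Priority": "Read-Write-All-Access", "Command-Access": False,
        "Commands": ["reset"]}
NO_SYS_SET = {"Access-Priority": "Read-Write-All-Access", "Command-Access": False,
              "Commands": ["config sys set"]}
```

With these entries, authorize(JOHN, "config ip forwarding") is True even though the command sits above John's level, authorize(MIKE, "reset") is False, and for NO_SYS_SET the parent "config sys" is still allowed while anything under "config sys set" is refused.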

Enabling EAP authentication

To enable EAP authentication:

1 Ensure the RADIUS authentication and accounting ports match between the SBR server and the 8300 switch.

2 Edit the eap.ini file in the SBR Radius\Service directory to accommodate the authentication paradigm.

3 Update five files for the SBR server:

a The main dictionary (radius.dct). This file must be edited to contain an entry of parameters from the newly created Passport dictionary.
b A private dictionary (pprt8300.dct). This file, which is specific to the Ethernet Routing Switch 8300, must be generated. It is sourced and used by dictiona.dcm and vendor.ini.
c The vendor.ini file. This file must contain an entry for the Ethernet Routing Switch 8300 so that the model/type is recognized during client configuration.
d The account.ini file. This file must contain the Cli-Command= entry.
e The eap.ini file (SBR Version 4.0 and above) for EAP authentication.

Specifically, you must make the following configuration changes for the SBR server:


a Add the following lines in files radius.dct and pprt8300.dct:

ATTRIBUTE Access-Priority 26 [vid=1584 type1=192 len1=+2 data=integer]
VALUE Access-Priority None-Access 0
VALUE Access-Priority Read-Only-Access 1
VALUE Access-Priority L1-Read-Write-Access 2
VALUE Access-Priority L2-Read-Write-Access 3
VALUE Access-Priority L3-Read-Write-Access 4
VALUE Access-Priority Read-Write-Access 5
VALUE Access-Priority Read-Write-All-Access 6
ATTRIBUTE Cli-Command 26 [vid=1584 type1=193 len1=+2 data=string]

Note: The value in the type1 field must match the vendor-specific attribute value configured on the switch for that attribute.

b Add the following lines in vendor.ini:

vendor-product = Nortel Passport 8300
dictionary = pprt8300
ignore-ports = no
port-number-usage = per-port-type
help-id = 0

c Add the following entry to the account.ini file:

Cli-Command=

d In the account.ini file, ensure that the accounting lines listed in step 4 of "Updating files for the BSAC RADIUS server" are present:

User-Name=
Acct-Input-Octets=
Acct-Output-Octets=
Acct-Session-Id=
Acct-Session-Time=
Acct-Input-Packets=
Acct-Output-Packets=

e To enable EAP authentication on SBR Server Version 4.0 and above, uncomment the EAP line in the eap.ini file.

f Save the changes and restart the server to activate them.

Chapter 11 Configuring RADIUS authentication and accounting using the NNCLI

This chapter describes how to configure RADIUS authentication and accounting using the NNCLI.

Specifically, it includes the following topics:

Roadmap of NNCLI RADIUS commands (page 185)
Configuring RADIUS on the switch (page 187)
Enabling RADIUS accounting (page 190)
Showing RADIUS information (page 192)
Configuring a RADIUS server (page 193)
Showing RADIUS server configurations and server statistics (page 196)

Roadmap of NNCLI RADIUS commands

The following roadmap lists the NNCLI RADIUS commands and their parameters. Use this list as a quick reference or click on any entry for more information:

radius
    access-priority-attribute <value>
    acct
    acct-attribute-value <value>
    acct-include-cli-commands
    authentication
    clear-stat
    cli-commands-attribute <value>
    cli-profile
    command-access-attribute <value>
    maxserver <value>
    source-ip

radius authentication
no radius authentication
radius access-priority-attribute <value>
radius acct
no radius acct
radius acct-attribute-value <value>
show radius

radius-server host <ipaddr> key <key> [port <port>] [priority <priority>] [retry <retry>] [timeout <timeout>] [enable] [disable] [acct-port <acct-port>] [acct-enable] [acct-disable] [source-ip <source-ip>]
radius-server set <ipaddr> usedby <cli|eap> [secret <secret>] [port <port>] [priority <priority>] [retry <retry>] [timeout <timeout>] [enable] [disable] [acct-port <acct-port>] [acct-enable] [acct-disable] [source-ip <source-ip>]
no radius-server <ipaddr> usedby <cli|eap>
show radius-server
show radius-server authentication [<ipaddr>]
show radius-server accounting [<ipaddr>]


Configuring RADIUS on the switch

To configure RADIUS on the switch, use the following command from Global configuration mode:

radius

The radius command uses the following options:

radius followed by:

access-priority-attribute <value>
Sets the vendor-specific attribute value of the Access-Priority attribute to match the type value set in the dictionary file on the RADIUS server. Nortel recommends the default setting of 192 for the Ethernet Routing Switch 8300. The value range is 192 to 240.

acct
Enables RADIUS accounting. To disable RADIUS accounting, use the command no radius acct.

acct-attribute-value <value>
Specific to RADIUS accounting. This is a vendor-specific attribute. Values are in the range 192–240. This value must be different from the access-priority attribute value configured for authentication. The default value is 193.

acct-include-cli-commands
Specifies whether CLI commands are included in the RADIUS accounting requests. By default, CLI commands are not included. If acct-include-cli-commands has been enabled, disable it with no radius acct-include-cli-commands.

authentication
Enables RADIUS authentication. To disable RADIUS authentication, use the command no radius authentication.

clear-stat
Clears RADIUS statistics from the switch.

cli-commands-attribute <value>
Sets the vendor-specific attribute value of the CLI-commands attribute to match the type value set in the dictionary file on the RADIUS server. The value range is 192 to 240. The default is 195.

cli-profile
Enables RADIUS profiling. To disable RADIUS profiling, use the command no radius cli-profile.

command-access-attribute <value>
Sets the Command-Access attribute value to match the value set in the dictionary file on the RADIUS server. Attribute values configured at the switch must match those configured at the server. The value range is 192 to 240. The default value for NNCLI is 196. Check with your network administrator to verify attribute values.
Note: The values of the attribute for CLI and NNCLI must be different for the server to distinguish between the two types of commands.

maxserver <value>
Specific to RADIUS authentication. Sets the maximum number of servers allowed for the switch. The value is in the range 1–10.

source-ip
Includes the configured Circuitless IP (CLIP) address as the source IP in the RADIUS packet. To disable the feature, use no radius source-ip.

Note: When configuring RADIUS services, no two attributes can have the same value. For example, if acct-attribute-value is set to 194, no other attribute can have that same value.

Enabling and disabling RADIUS authentication

To enable RADIUS authentication globally on the switch, use the following command from the Global configuration mode:

radius authentication

To disable RADIUS authentication globally on the switch, use the following command from the Global configuration mode:

no radius authentication


Configuring RADIUS access priority attribute values

To configure the RADIUS access priority attribute value, use the following command from Global configuration mode:

radius access-priority-attribute <value>

where <value> is in the range 192–240. The default value is 192.

Note: All attribute values must be unique. That is, if the access priority attribute value is configured to be 192, no other attribute can have the value of 192.

Configuration example: RADIUS authentication

The following configuration example uses the radius commands to configure RADIUS authentication. Figure 42 on page 190 shows sample output.

Note: Figure 42 on page 190 is an example only. The access priority attribute value can be configured, however Nortel recommends that you use the default setting of 192 for the Ethernet Routing Switch 8300.


Figure 42 radius authentication command sample output

Passport-8310:5(config)# radius authentication
Passport-8310:5(config)# radius access-priority-attribute 196
Passport-8310:5(config)# show radius
acct-attribute-value : 193
acct-enable : false
acct-include-cli-commands : false
access-priority-attribute : 196
command-access-attribute : 194
cli-commands-attribute : 195
cli-profile-enable : false
authentication-enable : true
maxserver : 10
sourceip-flag: false
Passport-8310:5(config)#
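The following is an added example, not Nortel code and not part of the original manual. It performs the check that the notes in this chapter ask for: it reads the show radius output (the constructed sample below reproduces Figure 42, where the access priority attribute was changed to 196) and a freeRadius vendor dictionary (constructed from the fragment in Chapter 10), then reports any attribute number outside 192–240, any number used by two attributes, and any disagreement between switch and server. The pairing of the switch's acct-attribute-value with the dictionary's Cli-Commands (193) and of cli-commands-attribute with Commands (195) is my reading of the dictionary comments, not something the manual states outright; the function names are mine.

```python
import re

# Added example, not Nortel code. Both inputs are constructed from this
# manual's Figure 42 and the Chapter 10 freeRadius dictionary fragment.
SHOW_RADIUS = """\
acct-attribute-value : 193
acct-enable : false
acct-include-cli-commands : false
access-priority-attribute : 196
command-access-attribute : 194
cli-commands-attribute : 195
cli-profile-enable : false
authentication-enable : true
maxserver : 10
sourceip-flag: false
"""

DICTIONARY_NORTEL = """\
VENDOR Nortel 1584
BEGIN-VENDOR Nortel
ATTRIBUTE Access-Priority 192 integer
ATTRIBUTE Command-Access 194 integer
ATTRIBUTE Cli-Commands 193 string
ATTRIBUTE Commands 195 string
END-VENDOR Nortel
"""

# Which switch setting must carry the same number as which dictionary
# attribute. The two Cli-Commands/Commands pairings are an assumption
# based on the dictionary comments, not a statement from the manual.
PAIRS = {
    "access-priority-attribute": "Access-Priority",
    "command-access-attribute": "Command-Access",
    "cli-commands-attribute": "Commands",
    "acct-attribute-value": "Cli-Commands",
}


def parse_show_radius(text):
    """'name : value' lines to a dict; values are kept as strings."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r"\s*([\w-]+)\s*:\s*(\S+)", line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings


def parse_dictionary(text):
    """ATTRIBUTE lines to {name: number}; VENDOR/BEGIN/END lines are skipped."""
    attrs = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0] == "ATTRIBUTE":
            attrs[parts[1]] = int(parts[2])
    return attrs


def check(settings, dictionary):
    """Return the list of problems found; an empty list means the switch and
    the server dictionary agree and the switch-side rules are satisfied."""
    problems = []
    numbers = {k: int(v) for k, v in settings.items() if k in PAIRS}
    first_owner = {}
    for name, value in numbers.items():
        if not 192 <= value <= 240:
            problems.append(f"{name}={value} is outside 192-240")
        if value in first_owner:
            problems.append(f"{name} and {first_owner[value]} both use {value}")
        else:
            first_owner[value] = name
    for setting, attr in PAIRS.items():
        if setting not in numbers:
            problems.append(f"switch output lacks {setting}")
        elif attr not in dictionary:
            problems.append(f"dictionary lacks {attr}")
        elif dictionary[attr] != numbers[setting]:
            problems.append(
                f"{setting}={numbers[setting]} but dictionary {attr}={dictionary[attr]}")
    return problems
```

Run against the Figure 42 output, check() reports the single mismatch (access-priority-attribute 196 on the switch, 192 in the dictionary); with the switch back at the recommended default 192 it reports nothing, and setting cli-commands-attribute to 193 makes it flag the collision with acct-attribute-value.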

Enabling RADIUS accounting

To enable RADIUS accounting globally on the switch, use the following command from the Global configuration mode:

radius acct

To disable RADIUS accounting globally on the switch, use the following command from the Global configuration mode:

no radius acct

Note: When RADIUS accounting is enabled, expect a delay in the CLI login process. When accounting is enabled, the switch must attempt to connect to all RADIUS servers individually (there are three retries for each server), and if a server responds, the switch must send the accounting-start message. This creates the delay. If you are not using RADIUS accounting, ensure it is disabled to prevent the login delays.


Configuring RADIUS accounting attribute values

To configure the RADIUS accounting attribute value, use the following command from Global configuration mode:

radius acct-attribute-value <value>

where <value> is in the range 192–240. The default value is 193.

Note: All attribute values must be unique. That is, if the access priority attribute value is configured to be 192, no other attribute can have the value of 192.

Configuration example: RADIUS accounting

The following configuration example uses the radius commands to configure RADIUS accounting. Figure 43 on page 192 shows sample output.

Note: To use the default value for attributes, omit the command that configures the attribute value. In Figure 43 on page 192, the user did not enter the radius acct-attribute-value command. The switch uses the default value for the attribute.


Figure 43 radius acct command sample output

Passport-8310:5(config)# radius acct
Passport-8310:5(config)# show radius
acct-attribute-value : 193
acct-enable : true
acct-include-cli-commands : false
access-priority-attribute : 196
command-access-attribute : 194
cli-commands-attribute : 195
cli-profile-enable : false
authentication-enable : true
maxserver : 10
sourceip-flag: false
Passport-8310:5(config)#

Showing RADIUS information

To display the global status of RADIUS information, enter the following command from either Global configuration or Privileged EXEC mode:

show radius

Figure 44 on page 193 shows sample output for the show radius command.


Figure 44 show radius command sample output

Passport-8306:5(config)# show radius
acct-attribute-value : 193
acct-enable : true
acct-include-cli-commands : false
access-priority-attribute : 192
command-access-attribute : 194
cli-commands-attribute : 195
cli-profile-enable : false
authentication-enable : false
maxserver : 10
sourceip-flag: false
Passport-8306:5(config)#

Configuring a RADIUS server

To create a RADIUS server, use the following command from the Global configuration mode:

radius-server host <ipaddr> key <key>

To delete a RADIUS server, use the following command from the Global configuration mode:

no radius-server <ipaddr> usedby <cli|eap>


This command includes the following options:

radius-server followed by:

host <ipaddr> key <key>
    Creates a server. To delete a server, use the no radius-server <ipaddr> usedby <cli|eap> command, where usedby indicates the service that uses the RADIUS server (cli or eap).

    Required parameters:
    • ipaddr is the IP address of the server that you want to add.
    • key is the secret key of the authentication client. Can be up to 20 characters.

    Optional parameters:
    [port <port>] [priority <priority>] [retry <retry>] [timeout <timeout>] [enable] [disable] [acct-port <acct-port>] [acct-enable] [acct-disable] [source-ip <source-ip>]
    • port is the UDP port you want to use (1–65536). The default is 1812.
    • priority is the priority value for this server (1–10). The default is 10.
    • retry is the number of authentication retries the server will accept (1–6). The default is 3.
    • timeout is the number of seconds before the authentication request times out (1–10). The default is 3.
    • enable enables this server.
    • disable disables this server.
    • acct-port is the UDP port the client uses to send accounting requests to the server (in the range 1–65536). The default value is 1813. The UDP port value set for the client must match the UDP value set for the RADIUS server.
    • acct-enable enables RADIUS accounting.
    • acct-disable disables RADIUS accounting.
    • source-ip includes the IP address of the gateway or router in the RADIUS packet.


set <ipaddr> usedby <cli|eap>
    Changes specified server values without having to delete the server and re-create it again.
    • ipaddr is the IP address of the server that you want to add.
    • usedby is the service that uses the device (CLI or EAP).

    Optional parameters:
    [secret <secret>] [port <port>] [priority <priority>] [retry <retry>] [timeout <timeout>] [enable] [disable] [acct-port <acct-port>] [acct-enable] [acct-disable] [source-ip <source-ip>]
    • secret is the secret key of the authentication client.
    • port is the UDP port you want to use (1–65536). The default is 1812.
    • priority is the priority value for this server (1–10). The default is 10.
    • retry is the number of authentication retries the server will accept (1–6). The default is 3.
    • timeout is the number of seconds before the authentication request times out (1–10). The default is 3.
    • enable enables this server.
    • disable disables this server.
    • acct-port is the UDP port the client uses to send accounting requests to the server (in the range 1–65536). The default value is 1813. The UDP port value set for the client must match the UDP value set for the RADIUS server.
    • acct-enable enables RADIUS accounting.
    • acct-disable disables RADIUS accounting.
    • source-ip includes the IP address of the gateway or router in the RADIUS packet.

Configuration example: adding a RADIUS server

The following configuration example uses the commands described above to add a RADIUS server with IP address 12.12.12.12 and a key of 9.

Figure 45 shows sample output using these commands.

Figure 45 radius-server command sample output

Passport-8306:5(config)#radius-server host 12.12.12.12 key 9
Passport-8306:5(config)#


Showing RADIUS server configurations and server statistics

To display current RADIUS server configurations and server statistics, use the following command from either Global configuration or Privileged EXEC mode:

show radius-server

Note: To clear server statistics, use the radius clear-stat command from Global configuration mode.

Figure 46 shows sample output for the show radius-server command.

Figure 46 show radius-server command sample output

Passport-8306:5(config)#show radius-server
create :

Name         Usedby  Secret  Port  Pri  Retry  Timeout  Auth   Acct  Acct   source
                                                        enbld  port  enbld  ip
------------------------------------------------------------------------------------
12.12.12.12  cli     9       1812  10   1      3        true   1813  true   3.138.138.138
10.10.10.10  cli     show    1812  10   1      3        true   1813  true   3.138.138.138

delete : N/A
set : N/A

Note: You cannot collect the following network statistics from a console port: the number of input and output packets, and the number of input and output bytes. All other statistics from console ports are available to assist with debugging.


Showing RADIUS authentication statistics

To show RADIUS authentication statistics, use the following command from Global configuration or Privileged EXEC mode:

show radius-server authentication-stat

To display statistics for a specific RADIUS server, use the following command syntax:

show radius-server authentication [<ipaddr>]

Figure 47 shows sample output for the show radius-server authentication-stat command.

Figure 47 show radius-server authentication-stat command sample output

Passport-8306:5(config)#show radius-server authentication-stat

Responses with invalid server address: 0

Radius Server(UsedBy) : 12.12.12.12(cli)
------------------------------------------
Access Requests       : 0
Access Accepts        : 0
Access Rejects        : 0
Bad Responses         : 0
Client Retries        : 0
Pending Requests      : 0
Access Challenges     : 0
Round-trip Time       : unknown
Nas Ip Address        : 0.0.0.0

Radius Server(UsedBy) : 10.10.10.10(cli)
------------------------------------------
Access Requests       : 0
Access Accepts        : 0
Access Rejects        : 0
Bad Responses         : 0
Client Retries        : 0
Pending Requests      : 0
Access Challenges     : 0
Round-trip Time       : unknown
Nas Ip Address        : 0.0.0.0

Passport-8306:5(config)#


Table 6 describes the statistics from this command.

Table 6 show radius-server authentication-stat command statistics

Item                    Description

RADIUS Server (Usedby)
    The IP address of the RADIUS server. The (Usedby) value indicates the service that uses the RADIUS server (CLI or EAP).
Access Requests
    Number of RADIUS access-request packets sent to this server. This does not include retransmissions.
Access Accepts
    Number of RADIUS access-accept packets, valid or invalid, received from this server.
Access Rejects
    Number of RADIUS access-reject packets, valid or invalid, received from this server.
Bad Responses
    Number of RADIUS invalid access-response packets received from this server.
Client Retries
    Number of authentication retransmissions to the server.
Pending Requests
    Access-request packets sent to the server that have not yet received a response, or have timed out.
Access Challenges
    Authentication parameter that indicates the number of access-challenges sent by the RADIUS server.
Round-trip Time
    Time difference between the instant when a RADIUS Request is sent to the server and the instant when the RADIUS Response is received from the server.
Nas IP Address
    IP address that represents the NAS used in RADIUS requests sent to this server.

Showing RADIUS accounting statistics

To show RADIUS accounting statistics, use the following command from Global configuration or Privileged EXEC mode:

show radius-server accounting-stat

To display statistics for a specific RADIUS server, use the following command syntax:

show radius-server accounting [<ipaddr>]

Figure 48 on page 199 shows sample output for the show radius-server accounting command.


Figure 48 show radius-server accounting command sample output

Passport-8306:5(config)#show radius-server accounting 12.12.12.12

Radius Server(UsedBy) : 12.12.12.12(cli)
------------------------------------------
Acct On Requests      : 2
Acct Off Requests     : 1
Acct Start Requests   : 2
Acct Stop Requests    : 2
Acct Interim Requests : 0
Acct Bad Responses    : 0
Acct Pending Requests : 0
Acct Client Retries   : 7
Passport-8306:5(config)#

Table 7 describes the statistics from this command.

Table 7 show radius-server accounting-stat command statistics

Item                    Description

RADIUS Server (Usedby)
    The IP address of the RADIUS server. The (Usedby) value indicates the service that uses the RADIUS server (CLI or EAP).
Acct On Requests
    Number of accounting-on requests sent to the server.
Acct Off Requests
    Number of accounting-off requests sent to the server.
Acct Start Requests
    Number of accounting-start requests sent to the server.
Acct Stop Requests
    Number of accounting-stop requests sent to the server.
Acct Interim Requests
    Number of accounting interim-requests sent to the server.
Acct Bad Responses
    Number of invalid accounting responses from the server that are discarded.
Acct Pending Requests
    Number of accounting requests waiting to be sent to the server.
Acct Client Retries
    Number of accounting retries made to this server.
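The radius-server tables above require the shared secret and the accounting UDP port (default 1813) to match on both sides, and Tables 6 and 7 count "Bad Responses" and "Acct Bad Responses" as the replies a switch discards. What ties these together is the RADIUS authenticator: an Accounting-Request carries an MD5 digest computed over the packet and the shared secret, and the Accounting-Response carries a digest over the response plus the request's authenticator and the same secret. The following Python is an added example written for this page, not code from the Nortel manual or the switch: it builds an Accounting-On request, verifies it on the server side, builds the response, verifies it on the client side, and tallies the Table 7 counters for matched and mismatched secrets. Packet layout and the two digest formulas follow RFC 2866; the NAS address, session id, secret values and the exchange() helper are constructed for the example.

```python
import hashlib
import hmac
import struct

ACCOUNTING_REQUEST, ACCOUNTING_RESPONSE = 4, 5           # RADIUS packet codes (RFC 2866)
NAS_IP_ADDRESS, ACCT_STATUS_TYPE, ACCT_SESSION_ID = 4, 40, 44   # RADIUS attribute types
ACCT_STATUS = {"Start": 1, "Stop": 2, "Interim-Update": 3, "Accounting-On": 7, "Accounting-Off": 8}


def _attr(atype: int, value: bytes) -> bytes:
    """Encode one attribute as Type(1) Length(1, including this header) Value."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_accounting_request(identifier: int, status: str, nas_ip: str,
                             session_id: str, secret: bytes) -> bytes:
    """Client side. The Request Authenticator is
    MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret)."""
    attrs = (_attr(ACCT_STATUS_TYPE, struct.pack("!I", ACCT_STATUS[status]))
             + _attr(NAS_IP_ADDRESS, bytes(int(octet) for octet in nas_ip.split(".")))
             + _attr(ACCT_SESSION_ID, session_id.encode()))
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(attrs))
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def request_is_authentic(request: bytes, secret: bytes) -> bool:
    """Server side: recompute the Request Authenticator. A mismatch means a different
    secret or a modified packet, and the server silently discards the request."""
    header, authenticator, attrs = request[:4], request[4:20], request[20:]
    expected = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return hmac.compare_digest(expected, authenticator)


def build_accounting_response(request: bytes, secret: bytes) -> bytes:
    """Server side. The Response Authenticator is
    MD5(Code + Identifier + Length + RequestAuthenticator + Attributes + Secret);
    this minimal response carries no attributes, so Length is 20."""
    header = struct.pack("!BBH", ACCOUNTING_RESPONSE, request[1], 20)
    return header + hashlib.md5(header + request[4:20] + secret).digest()


def response_is_valid(request: bytes, response: bytes, secret: bytes) -> bool:
    """Client side: the check behind the 'Acct Bad Responses' counter. The reply must be an
    Accounting-Response with the request's Identifier and a correct Response Authenticator."""
    if len(response) < 20 or response[0] != ACCOUNTING_RESPONSE or response[1] != request[1]:
        return False
    header, authenticator, attrs = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return hmac.compare_digest(expected, authenticator)


def exchange(client_secret: bytes, server_secret: bytes, strict_server: bool = True) -> dict:
    """Run one Accounting-On exchange and tally the Table 7 counters it would produce.
    A strict server discards an unauthentic request (the request stays pending until the
    switch times out); a lax server answers anyway, and the client then rejects the reply."""
    counters = {"Acct On Requests": 0, "Acct Bad Responses": 0, "Acct Pending Requests": 0}
    request = build_accounting_request(1, "Accounting-On", "10.1.1.1", "sess-0001", client_secret)
    counters["Acct On Requests"] += 1
    counters["Acct Pending Requests"] += 1
    if strict_server and not request_is_authentic(request, server_secret):
        return counters
    response = build_accounting_response(request, server_secret)
    if response_is_valid(request, response, client_secret):
        counters["Acct Pending Requests"] -= 1
    else:
        counters["Acct Bad Responses"] += 1      # reply discarded; request remains outstanding
    return counters


if __name__ == "__main__":
    print(exchange(b"9", b"9"))                         # secrets match: request answered
    print(exchange(b"9", b"other"))                     # secret mismatch: silently discarded
    print(exchange(b"9", b"other", strict_server=False))  # mismatch: reply counted as bad
```

A rising Acct Bad Responses or Bad Responses count with the server reachable is therefore the switch-side symptom of a secret or port mismatch rather than of network loss, which shows up instead as Client Retries and Pending Requests.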


Chapter 12 Configuring RADIUS authentication and accounting using the CLI

This chapter describes how to configure RADIUS authentication and accounting using the CLI. Specifically, it includes the following topics:

Topic                                                          Page
Roadmap of CLI RADIUS commands                                 201
Configuring RADIUS on the switch                               203
Enabling RADIUS authentication                                 204
Enabling RADIUS accounting                                     206
Showing RADIUS information                                     208
Configuring a RADIUS server                                    209
Showing RADIUS server configurations and server statistics     212

Roadmap of CLI RADIUS commands

The following roadmap lists the CLI RADIUS commands and their parameters. Use this list as a quick reference or click on any entry for more information:

Command                                         Parameter
config radius                                   info
                                                access-priority-attribute <value>
                                                acct-attribute-value <value>
                                                acct-enable <true|false>
                                                acct-include-cli-commands <true|false>
                                                authentication-enable <true|false>
                                                clear-stat
                                                cli-commands-attribute <value>
                                                cli-profile-enable <true|false>
                                                command-access-attribute <value>
                                                maxserver <value>
                                                sourceip-flag <true|false>
config radius authentication-enable <true|false>
config radius access-priority-attribute <value>
config radius acct-enable <true|false>
config radius acct-attribute-value <value>
config radius info
show radius info
config radius server                            info
                                                create <ipaddr> secret <secret> [usedby <cli|eap>] [port <port>] [priority <priority>] [retry <retry>] [timeout <timeout>] [enable <true|false>] [acct-port <acct-port>] [acct-enable <true|false>] [source-ip <source-ip>]
                                                delete <ipaddr> usedby <cli|eap>
                                                set <ipaddr> usedby <cli|eap> [secret <secret>] [port <port>] [priority <priority>] [retry <retry>] [timeout <timeout>] [enable <true|false>] [acct-port <acct-port>] [acct-enable <true|false>] [source-ip <source-ip>]
show radius server config
show radius server stat authentication [<ipaddr>]
show radius server stat accounting [<ipaddr>]

Configuring RADIUS on the switch

To configure RADIUS on the switch, use the following command:

config radius

This is a complete listing of all of the config radius commands. The sections that follow provide specific details about each command.

config radius followed by:

info
    Displays global RADIUS settings.

access-priority-attribute <value>
    Sets the vendor-specific access-priority attribute value to match the type value set in the dictionary file on the RADIUS server. Nortel recommends the default setting of 192 for the Ethernet Routing Switch 8300. The value is in the range 192–240.

acct-attribute-value <value>
    Specific to RADIUS accounting. This is a vendor-specific attribute. Values are in the range 192–240. This value must be different from the access-priority attribute value configured for authentication.

acct-enable <true|false>
    Enables (true) or disables (false) the RADIUS accounting feature.

acct-include-cli-commands <true|false>
    Specifies whether the user wants CLI commands to be included in the RADIUS accounting requests. By default, CLI commands are not included.

authentication-enable <true|false>
    Enables (true) or disables (false) the RADIUS authentication feature.

clear-stat
    Clears RADIUS statistics from the switch.

cli-commands-attribute <value>
    Sets the vendor-specific attribute value of the CLI-commands attribute to match the type value set in the dictionary file on the RADIUS server. The value range is 192 to 240. The default is 195.

cli-profile-enable <true|false>
    Enables (true) or disables (false) RADIUS profiling.

command-access-attribute <value>
    Sets the CLI/NNCLI commands attribute value to match the value set in the dictionary file on the RADIUS server. Attribute values configured at the switch must match those configured at the server. The value range is 192 to 240. The default value for CLI is 194. Check with your network administrator to verify attribute values.
    Note: The values of the attribute for CLI and NNCLI must be different for the server to distinguish between the two types of commands.

maxserver <value>
    Specific to RADIUS authentication. Sets the maximum number of servers allowed for the switch. The value is in the range 1–10.

sourceip-flag <true|false>
    Enable (true) to include the IP address of the gateway or router in the RADIUS packet.

Note: When configuring RADIUS services, no two attributes can have the same value. For example, if acct-attribute-value is set to 194, no other attribute can have that same value.

Enabling RADIUS authentication

To enable or disable RADIUS authentication globally on the switch, use the following command:

config radius authentication-enable <true|false>

where: true enables RADIUS authentication globally. false disables RADIUS authentication globally.


Configuring RADIUS access priority attribute values

To configure the RADIUS authentication access priority attribute value, use the following command:

config radius access-priority-attribute <value>

where: value is in the range 192–240. The default value is 192.

Note: All attribute values must be unique. That is, if the access priority attribute value is configured to be 192, no other attribute can have the value of 192.

Configuration example: RADIUS authentication

The following configuration example uses the config radius commands to configure RADIUS authentication. Figure 49 on page 206 shows sample output.

Note: Figure 49 on page 206 is an example only. The access priority attribute value can be configured; however, Nortel recommends that you use the default setting of 192 for the Ethernet Routing Switch 8300.


Figure 49 config radius authentication-enable command sample output

Passport-8310:5# config radius authentication-enable true
Passport-8310:5# config radius access-priority-attribute 196
Passport-8310:5# config radius maxserver 10
Passport-8310:5# config radius info

Sub-Context: clear config monitor show test trace
Current Context:

acct-attribute-value : 193
acct-enable : false
acct-include-cli-commands : false
access-priority-attribute : 196
command-access-attribute : 194
cli-commands-attribute : 195
cli-profile-enable : false
authentication-enable : true
maxserver : 10
sourceip-flag: false
Passport-8310:5#

Enabling RADIUS accounting

To enable or disable RADIUS accounting globally on the switch, use the following command:

config radius acct-enable <true|false>

where: true enables RADIUS accounting globally. false disables RADIUS accounting globally.

Note: When RADIUS accounting is enabled, expect a delay in the CLI login process. When accounting is enabled, the switch must attempt to connect to all RADIUS servers individually (there are three retries for each server), and if a server responds, the switch must send the accounting-start message. This creates the delay. If you are not using RADIUS accounting, ensure it is disabled to prevent the login delays.


Configuring RADIUS accounting attribute values

To configure the RADIUS accounting attribute value, use the following command:

config radius acct-attribute-value <value>

where: value is in the range 192–240. The default value is 193.

Note: All attribute values must be unique. That is, if the access priority attribute value is configured to be 192, no other attribute can have the value of 192.

Configuration example: RADIUS accounting

The following configuration example uses the config radius commands to configure RADIUS accounting. Figure 50 on page 208 shows sample output.

Note: To use the default value for attributes, omit the command that configures the attribute value. In Figure 50 on page 208, the user did not enter the config radius acct-attribute-value command. The switch uses the default value for the attribute.


Figure 50 config radius acct-enable command sample output

Passport-8310:5# config radius acct-enable true
Passport-8310:5# config radius info

Sub-Context: clear config monitor show test trace
Current Context:

acct-attribute-value : 193
acct-enable : true
acct-include-cli-commands : false
access-priority-attribute : 196
command-access-attribute : 194
cli-commands-attribute : 195
cli-profile-enable : false
authentication-enable : true
maxserver : 10
sourceip-flag: false
Passport-8310:5#

Showing RADIUS information

To display the global status of RADIUS information, use one of the following commands:

config radius info

or

show radius info

Figure 51 on page 209 shows sample output for the config radius info command. The output for the show radius info command is the same as that for the config radius info command.


Figure 51 config radius info sample output

Passport-8310:5# config radius info

Sub-Context: clear config monitor show test trace
Current Context:

acct-attribute-value : 193
acct-enable : true
acct-include-cli-commands : false
access-priority-attribute : 192
command-access-attribute : 194
cli-commands-attribute : 195
cli-profile-enable : false
authentication-enable : true
maxserver : 10
sourceip-flag: false
Passport-8310:5#

Configuring a RADIUS server

To create, delete, or get information about a RADIUS server, use the following command:

config radius server


This command includes the following options:

config radius server followed by:

info
    Displays a list of all configured RADIUS servers.

create <ipaddr> secret <secret>
    Creates a server.
    • ipaddr is the IP address of the server you want to add.
    • secret is the secret key of the authentication client.

    Optional parameters:
    [usedby <cli|eap>] [port <port>] [priority <priority>] [retry <retry>] [timeout <timeout>] [enable <true|false>] [acct-port <acct-port>] [acct-enable <true|false>] [source-ip <source-ip>]
    • usedby specifies the service that uses the device. Options are CLI or EAP.
    • port is the UDP port you want to use (1–65535). The default is 1812.
    • priority is the priority value for this server (1–10). The default is 10.
    • retry is the number of authentication retries the server will accept (1–6). The default is 3.
    • timeout is the number of seconds before the authentication request times out (1–10). The default is 3.
    • enable enables (true) or disables (false) this server. The default value is true.
    • acct-port is the UDP port the client uses to send accounting requests to the server (in the range 1–65536). The default value is 1813. The UDP port value set for the client must match the UDP value set for the RADIUS server.
    • acct-enable enables (true) or disables (false) RADIUS accounting.
    • source-ip includes the IP address of the gateway or router in the RADIUS packet.

delete <ipaddr> usedby <cli|eap>
    Deletes a server.
    • ipaddr is the IP address of the server you want to delete.
    • usedby specifies the service that uses the device. Options are CLI or EAP.

set <ipaddr> usedby <cli|eap>
    Changes specified server values without having to delete the server and re-create it again.
    • ipaddr is the IP address of the server you want to add.
    • usedby specifies the service that uses the device. Options are CLI or EAP.

    Optional parameters:
    [secret <secret>] [port <port>] [priority <priority>] [retry <retry>] [timeout <timeout>] [enable <true|false>] [acct-port <acct-port>] [acct-enable <true|false>] [source-ip <source-ip>]
    • secret is the secret key of the authentication client.
    • port is the UDP port you want to use (1–65536). The default is 1812.
    • priority is the priority value for this server (1–10). The default is 10.
    • retry is the number of authentication retries the server will accept (1–6). The default is 3.
    • timeout is the number of seconds before the authentication request times out (1–10). The default is 3.
    • enable enables (true) or disables (false) this server. The default value is true.
    • acct-port is the UDP port the client uses to send accounting requests to the server (in the range 1–65536). The default value is 1813. The UDP port value set for the client must match the UDP value set for the RADIUS server.
    • acct-enable enables (true) or disables (false) RADIUS accounting.
    • source-ip includes the IP address of the gateway or router in the RADIUS packet.


Configuration example: adding a RADIUS server

The following configuration example uses the config radius server commands to:

• add a RADIUS server with IP address 12.12.12.12, a key of 9, and used by CLI
• view RADIUS server information

Figure 52 shows sample output.

Figure 52 config radius server command sample output

Passport-8310:5# config radius server create 12.12.12.12 secret 9 usedby cli
Passport-8310:5# config radius server info

Sub-Context: clear config monitor show test trace
Current Context:

create :

Name         Usedby  Secret  Port  Prio  Retry  Timeout  Enabled  Acct-port  Acct-enabled
12.12.12.12  cli     9       1812  10    1      3        true     1813       true

delete : N/A
set : N/A

Passport-8310:5#

Showing RADIUS server configurations and server statistics

The show radius server config command displays current RADIUS server configurations. The command uses the syntax:

show radius server config

Note: To clear server statistics, use the config radius clear-stat command.


Figure 53 shows sample output for the show radius server config command.

Figure 53 show radius server config sample command output

Passport-8310:5# show radius server config

Sub-Context: clear config monitor show test trace
Current Context:

create :

Name         Usedby  Secret  Port  Prio  Retry  Timeout  Auth   Acct  Acct   source
                                                         enbld  port  enbld  ip
------------------------------------------------------------------------------------
12.12.12.12  cli     9       1812  10    1      3        true   1813  true   0.0.0.0
10.10.10.10  cli     show    1812  10    1      3        true   1813  true   0.0.0.0

delete : N/A
set : N/A

Passport-8310:5#

Note: You cannot collect the following network statistics from a console port: the number of input and output packets, and the number of input and output bytes. All other statistics from console ports are available to assist with debugging.

Showing RADIUS authentication statistics

The show radius server stat authentication command displays statistics for the current RADIUS servers. The command uses the syntax:

show radius server stat authentication [<ipaddr>]

Figure 54 on page 214 shows sample output for the show radius server stat authentication command.


Figure 54 show radius server stat authentication command sample output

Passport-8310:5# show radius server stat authentication

Responses with invalid server address: 0

Radius Server(UsedBy) : 12.12.12.12(cli)
------------------------------------------
Access Requests       : 0
Access Accepts        : 0
Access Rejects        : 0
Bad Responses         : 0
Client Retries        : 0
Pending Requests      : 0
Access Challanges     : 0
Round-trip Time       : unknown
Nas Ip Address        : 0.0.0.0

Radius Server(UsedBy) : 10.10.10.10(cli)
------------------------------------------
Access Requests       : 0
Access Accepts        : 0
Access Rejects        : 0
Bad Responses         : 0
Client Retries        : 0
Pending Requests      : 0
Access Challanges     : 0
Round-trip Time       : unknown
Nas Ip Address        : 0.0.0.0

Passport-8310:5#

Table 8 describes the statistics from this command.

Table 8 show radius server stat authentication command statistics

Item                    Description

Radius Server (UsedBy)
    The IP address of the RADIUS server. (UsedBy) is the service that uses the RADIUS server (CLI or EAP).
Access Requests
    Number of access-request packets sent to the server; does not include retransmissions.
Access Accepts
    Number of access-accept packets, valid or invalid, received from the server.
Access Rejects
    Number of access-reject packets, valid or invalid, received from the server.
Bad Responses
    Number of invalid access-response packets received from the server.
Client Retries
    Number of authentication retransmissions to the server.
Pending Requests
    Access-request packets sent to the server that have not yet received a response, or have timed out.
Access Challenges
    Number of Access-Challenge packets received from the RADIUS server.
Round-trip Time
    Time difference between the instant when a RADIUS Request is sent to the server and the instant when the RADIUS Response is received from the server.
Nas IP Address
    IP address that represents the NAS used in RADIUS requests sent to this server.

Showing RADIUS accounting statistics

The show radius server stat accounting command displays statistics for the current RADIUS servers. The command uses the syntax:

show radius server stat accounting [<ipaddr>]

Figure 55 on page 216 shows sample output for the show radius server stat accounting command.


Figure 55 show radius server stat accounting command sample output

Passport-8310:5# show radius server stat accounting 12.12.12.12

Radius Server(UsedBy) : 12.12.12.12(cli)
------------------------------------------
Acct On Requests      : 0
Acct Off Requests     : 0
Acct Start Requests   : 0
Acct Stop Requests    : 0
Acct Interim Requests : 0
Acct Bad Responses    : 0
Acct Pending Requests : 0
Acct Client Retries   : 0
Passport-8310:5#

Table 9 describes the statistics from this command.

Table 9 show radius server stat accounting command statistics

Item                    Description

Radius Server (UsedBy)
    The IP address of the RADIUS server. (UsedBy) is the service that uses the RADIUS server (CLI or EAP).
Acct On Requests
    Number of accounting-on requests sent to the server.
Acct Off Requests
    Number of accounting-off requests sent to the server.
Acct Start Requests
    Number of accounting-start requests sent to the server.
Acct Stop Requests
    Number of accounting-stop requests sent to the server.
Acct Interim Requests
    Number of accounting interim-requests sent to the server.
Acct Bad Responses
    Number of invalid accounting responses from the server that are discarded.
Acct Pending Requests
    Number of accounting requests waiting to be sent to the server.
Acct Client Retries
    Number of accounting retries made to this server.


Chapter 13 Configuring EAPoL using the NNCLI

Extensible Authentication Protocol over LAN (EAPoL) is a port-based network access control protocol. EAPoL provides security to your network by preventing users from accessing network resources before they are authenticated.

EAPoL allows you to set up network access control on internal LANs and to exchange authentication information between any end station or server connected to the Ethernet Routing Switch 8300 and an authentication server (such as a RADIUS server). This security feature extends the benefits of remote authentication to internal LAN clients. For example, if a new client PC fails the authentication process, EAPoL prevents it from accessing the network.

This chapter includes the following topics:

Topic                                                        Page
Roadmap of NNCLI EAPoL commands                              218
Configuration prerequisites                                  221
Configuring EAPoL globally                                   221
Adding an EAPoL-enabled RADIUS server                        222
Deleting an EAPoL-enabled RADIUS server                      225
Modifying EAPoL-enabled RADIUS server parameters             225
Configuring EAPoL on a port                                  227
Configuring non-EAPoL clients on a port                      230
Changing the authentication status of a port                 231
Showing EAPoL statistics                                     232
Viewing the status of non-EAPoL clients that use RADIUS      246


Roadmap of NNCLI EAPoL commands

The following roadmap lists the NNCLI EAPoL commands and their parameters. Use this list as a quick reference or click on any entry for more information:

Command                                       Parameter

Global configuration mode
radius-server host <ipaddr> key <key>         usedby eapol
                                              Optional parameters:
                                              [acct-disable] [acct-enable] [acct-port <acct-port>] [disable] [enable] [port <port>] [priority <priority>] [retry <retry>] [source-ip <source-ip>] [timeout <timeout>]

Global configuration mode
no radius-server <ipaddr> usedby eapol

Global configuration mode
radius-server set <ipaddr> usedby eapol       Optional parameters:
                                              [acct-disable] [acct-enable] [acct-port <acct-port>] [disable] [enable] [key <key>] [port <port>] [priority <priority>] [retry <retry>] [source-ip <source-ip>] [timeout <timeout>]

Global configuration mode
eapol (Also, no eapol)                        acct-enable
                                              clear-stat
                                              guest-vlan
                                              multihost radius-non-eap-enable
                                              radius-discard-filter-ageout <value>

Interface mode
eapol                                         guest-vlan enable
                                              guest-vlan vid <vid>
                                              init
                                              max-request
                                              multihost enable
                                              port {slot/port[-slot/port][, ...]}
                                              quiet-interval
                                              re-authenticate
                                              re-authentication
                                              re-authentication-period
                                              server-timeout <1...65535>
                                              status
                                              supplicant-timeout <1...65535>
                                              traffic-control
                                              transmit-interval <1...65535>

Interface mode
eapol multihost                               allow-non-eap-enable
                                              eap-mac-max
                                              enable
                                              non-eap-mac
                                              non-eap-mac-max
                                              port {slot/port[-slot/port][, ...]}
                                              radius-non-eap-enable
                                              shut-down-on-intrusion-enable

Show commands
show eapol
show interface eapol auth-stats []
show interface eapol auth-diags []
show interface eapol session-stats []
show interface eapol config []
show interface eapol oper-stats []
show interface eapol multihost-session-stats []
show eapol multihost non-eap-mac status []
show eapol multihost non-eap-mac interface []


Configuration prerequisites

Use the following configuration rules when using EAPoL:

• Before configuring your switch for EAPoL and RADIUS MAC centralization, you must configure at least one EAPoL RADIUS Server and Shared Secret fields.
• You cannot configure EAPoL on ports that are currently configured for:
    — shared segments
    — multilink trunking (MLT)
    — tagging

Note: Although you can enable both port mirroring and EAPoL on a port, Nortel does not recommend it.

• You can enable EAPoL in any order; that is, you do not have to enable EAPoL locally before you enable it globally.
• You can connect up to eight clients on each EAPoL-enabled port if you enable the Multiple Host feature.

EAPoL uses the RADIUS protocol to authenticate EAPoL logins. Refer to Chapter 11, “Configuring RADIUS authentication and accounting using the NNCLI,” on page 185 for more information on using the RADIUS protocol.

Configuring EAPoL globally

You can use the eapol command to globally enable or disable EAPoL on your switch (EAPoL is disabled on your switch by default). Use this command to make all the controlled switch ports EAPoL-enabled.

To enable EAPoL globally on your switch, enter the following command from the Global configuration mode:

eapol


To disable EAPoL globally on your switch, use the no form of the command. For example:

no eapol

This command includes the following parameters:

eapol followed by:

acct-enable                      Enables RADIUS accounting for EAPoL sessions.
clear-stat                       Clears all EAPoL authentication and diagnostic statistics.
guest-vlan                       Globally assigns and enables the Guest VLAN identification number on the switch.
                                 • Use the eapol guest-vlan vid command to set an integer value in the range 1–4000, which represents the Guest VLAN ID.
                                 • Use the eapol guest-vlan enable command to globally enable the default guest VLAN on the switch.
multihost radius-non-eap-enable  Enables RADIUS MAC centralization globally on the switch.
radius-discard-filter-age        Globally sets the ageout period for pending non-EAP MACs (pending because of a server timeout or because the server is unreachable). The ageout is in the range 5–3600 seconds.

Adding an EAPoL-enabled RADIUS server

The Ethernet Routing Switch 8300 can use RADIUS servers for authentication services. To add an EAPoL-enabled RADIUS server, use the following command from the Global configuration mode:

radius-server host <ipaddr> key <value> usedby eapol

where:

• ipaddr indicates the IP address of the selected server


• value specifies the secret key, which is a string of up to 20 characters. The RADIUS server uses this password to validate users.

Note: The usedby parameter determines how the server functions:
  cli - configures the server for CLI authentication.
  eapol - configures the server for EAPoL authentication.

Other optional parameters that you can use with the radius-server host <ipaddr> key <value> usedby eapol command are:

radius-server host <ipaddr> key <value> usedby eapol [acct-disable] [acct-enable] [acct-port <value>] [disable] [enable] [port <value>] [priority <value>] [retry <value>] [source-ip <value>] [timeout <value>]

• acct-disable disables RADIUS accounting.
• acct-enable enables RADIUS accounting.
• acct-port is the UDP port the client uses to send accounting requests to the server (in the range 1–65536). The default value is 1813. The UDP port value set for the client must match the UDP value set for the RADIUS server.
• disable disables RADIUS authentication on the server. The default is true.
• enable enables RADIUS authentication on the server. The default is true.
• port specifies the UDP port that the client uses to send requests to the server (in the range 1–65536). The default value is 1812. The UDP port value set for the client must match the UDP value set for the RADIUS server.
• priority specifies the priority of each server (that is, the order in which authentication is sent to servers when more than one is configured). The range is 1–10. The default is 10.
• retry specifies the maximum number of retransmissions allowed (in the range 1–6). The default value is 3.
• source-ip is the IP address of the gateway or router.
• timeout specifies the time interval, in seconds, before the client retransmits the packet (in the range 1–10). The default value is 3 seconds.


Configuration example: adding an EAPoL-enabled RADIUS server

To configure a RADIUS server to be used by EAPoL on the Ethernet Routing Switch 8300:

1 Enable RADIUS authentication globally:
  Passport-8310:5(config)#radius authentication
2 Add the RADIUS server:

  Passport-8310:5(config)#radius-server host <ipaddr> key <value> usedby eapol

By default, the Ethernet Routing Switch 8300 uses RADIUS UDP ports 1812 and 1813. You can change the port number or other RADIUS server options when you add the RADIUS server.

Figure 56 shows the command input and results.

Figure 56 radius-server host command sample output

Passport-8310:5(config)# radius authentication
Passport-8310:5(config)# radius-server host 12.12.12.12 key eap-key usedby eapol
Passport-8310:5(config)# show radius-server

create :

Name         Used  Secret  Port  Pri  Re   Time  Auth   Acct  Acct   source
             by                       try  out   enbld  port  enbld  ip
---------------------------------------------------------------------------
12.12.12.12  eap   eap-ke  1812  10   1    3     true   1813  true   0.0.0.0
                   y
delete : N/A
set : N/A
Passport-8310:5(config)#


Note: When a port is configured for EAPoL (that is, it has an EAPoL status of auto) only one Supplicant is allowed on this port. Multiple EAPoL Supplicants are allowed when multihost is enabled on the port.

Deleting an EAPoL-enabled RADIUS server

To delete an EAPoL-enabled RADIUS server, use the following command from the Global configuration mode:

no radius-server <ipaddr> usedby eapol

where: ipaddr indicates the IP address of the selected server.

Note: The usedby parameter determines how the server functions:
  cli - configures the server for CLI authentication.
  eapol - configures the server for EAPoL authentication.

Modifying EAPoL-enabled RADIUS server parameters

To set EAPoL-enabled RADIUS server parameters without having to delete the server and recreate it, use the following command from Global configuration mode:

radius-server set <ipaddr> usedby eapol

where: ipaddr indicates the IP address of the selected server.

Note: The usedby parameter determines how the server functions:
  cli - configures the server for CLI authentication.
  eapol - configures the server for EAPoL authentication.


Other optional parameters that you can use with the radius-server set <ipaddr> usedby eapol command are:

radius-server set <ipaddr> usedby eapol [acct-disable] [acct-enable] [acct-port <value>] [disable] [enable] [key <value>] [port <value>] [priority <value>] [retry <value>] [source-ip <value>] [timeout <value>]

• acct-disable disables RADIUS accounting.
• acct-enable enables RADIUS accounting.
• acct-port is the UDP port the client uses to send accounting requests to the server (in the range 1–65536). The default value is 1813. The UDP port value set for the client must match the UDP value set for the RADIUS server.
• disable disables RADIUS authentication on the server. The default is true.
• enable enables RADIUS authentication on the server. The default is true.
• key specifies the secret key, which is a string of up to 20 characters.
• port specifies the UDP port that the client uses to send requests to the server (in the range 1–65536). The default value is 1812. The UDP port value set for the client must match the UDP value set for the RADIUS server.
• priority specifies the priority of each server (that is, the order in which authentication is sent to servers when more than one is configured). The range is 1–10. The default is 10.
• retry specifies the maximum number of retransmissions allowed (in the range 1–6). The default value is 3.
• source-ip is the IP address of the gateway or router.
• timeout specifies the time interval, in seconds, before the client retransmits the packet (in the range 1–10). The default value is 3 seconds.

For more information about this command and the options that can be used with it, refer to Chapter 11, “Configuring RADIUS authentication and accounting using the NNCLI,” on page 185.


Configuring EAPoL on a port

To configure EAPoL on a specific port, use the following command from the Interface configuration mode:

eapol

Note: Ensure you are in the Interface configuration mode for a port, or a range of ports. For example, from the Global configuration mode, enter the command: interface fastethernet {slot/port[-slot/port][, ...]}

This command includes the following parameters:

eapol followed by:

guest-vlan enable                    Enables the Guest VLAN on this port. Use the no eapol guest-vlan enable command to disable the Guest VLAN on the port.
guest-vlan vid                       Assigns the guest VLAN identification number (vid), an integer value in the range 1–4000.
init                                 Initializes EAPoL authentication on the specified port.
max-request                          Sets the maximum number of times to retry sending packets to the Supplicant. The range is 1–10. The default value is 2.
multihost enable                     Enables or disables multiple EAPoL clients on the specified ports.
                                     • Use the no keyword to disable multiple EAPoL clients on the specified ports.
port {slot/port[-slot/port][, ...]}  Specifies the port or ports you want to configure for EAPoL. Note: If you omit this parameter, the system uses the port number specified when you entered the interface command.
quiet-interval                       Sets the time interval (in seconds) between authentication failure and the start of a new authentication. The range is 1–65535. The default value is 60.


eapol (continued) followed by:

re-authenticate                 Re-authenticates the Supplicant connected to this port immediately. Note: Before you can re-authenticate the Supplicant connected to this port, you must first enable re-authentication (see re-authentication).
re-authentication               Enables or disables re-authentication. When enabled, re-authenticates an existing Supplicant at the time interval specified in re-authentication-period. The default is disable.
re-authentication-period        Sets the time interval (in seconds) between successive re-authentications (see re-authentication). The value is in the range 1–2147483647 seconds. The default value is 3600 seconds (1 hour).
server-timeout <1...65535>      Sets the time (in seconds) to wait for a response from the RADIUS server. The default is 30.
status                          Sets the authentication status for this port:
                                • auto - port authorization depends on the results of the EAPoL authentication by the RADIUS server.
                                • unauthorized - port is always unauthorized.
                                • authorized - port is always authorized.
supplicant-timeout <1...65535>  Sets the time (in seconds) to wait for a response from a Supplicant for all EAP packets except EAP Request/Identity packets. The default is 30.
traffic-control                 Sets the desired level of traffic control for a port:
                                • in - Blocks incoming traffic when EAP authentication fails.
                                • in-out - Blocks incoming and outgoing traffic when EAP authentication fails.
transmit-interval <1...65535>   Sets the time (in seconds) to wait for a response from a Supplicant for EAP Request/Identity packets. The default is 30.


Configuration example: configuring EAPoL on a port

The following configuration example uses the commands described above to perform the following tasks on port 5/5:

• Set the status so the port is automatically authenticated.
• Retry sending packets to the Supplicant up to four times maximum.
• Wait 120 seconds between an authentication failure and another attempt.
• Wait 90 seconds for the Supplicant’s response to EAP Request/Identity packets.
• Wait 90 seconds for a response from the RADIUS server.
• Wait 90 seconds for the Supplicant’s response to all EAP packets, except EAP Request/Identity packets.
• Wait 7200 seconds (2 hours) between successive re-authentications.
• Set re-authentication to enable so that the Supplicant will be re-authenticated every 90 seconds, as specified by the re-authentication period.

Note: The NNCLI enables you to string several or all of the available parameters together. For example, you can combine the first two commands in the example below into one command:
  Passport-8310:5(config-if)#eapol status authorized max-req 4

Figure 57 shows sample output for using the commands for this configuration example.

Figure 57 eapol configuration command sample output

Passport-8310:5(config-if)#eapol status auto
Passport-8310:5(config-if)#eapol max-req 4
Passport-8310:5(config-if)#eapol quiet-interval 120
Passport-8310:5(config-if)#eapol transmit-interval 90
Passport-8310:5(config-if)#eapol server-timeout 90
Passport-8310:5(config-if)#eapol supplicant-timeout 90
Passport-8310:5(config-if)#eapol re-authentication-period 7200
Passport-8310:5(config-if)#eapol re-authentication enable
Passport-8310:5(config-if)#
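The example above sets each parameter by hand on one port. The following Python helper is an added example, not code from the Nortel manual: it encodes the ranges and defaults from the eapol parameter tables above and emits the NNCLI lines for a port, rejecting values outside those ranges and an immediate re-authenticate when re-authentication is not enabled. Its function name, setting keys and the no form used to disable re-authentication are assumptions of this example.

```python
"""Generate validated 'eapol' interface commands for the ERS 8300 NNCLI.

Added example, not code from the Nortel manual: the bounds and defaults in
INT_PARAMS are the ones stated in the manual's eapol parameter tables; the
function name, the setting keys and the 'no' form for disabling
re-authentication are this example's own assumptions.
"""
import re

# setting key -> (NNCLI parameter, lower bound, upper bound, default)
INT_PARAMS = {
    "max_request": ("max-request", 1, 10, 2),
    "quiet_interval": ("quiet-interval", 1, 65535, 60),
    "transmit_interval": ("transmit-interval", 1, 65535, 30),
    "server_timeout": ("server-timeout", 1, 65535, 30),
    "supplicant_timeout": ("supplicant-timeout", 1, 65535, 30),
    "re_authentication_period": ("re-authentication-period", 1, 2147483647, 3600),
}
STATUSES = ("auto", "authorized", "unauthorized")
TRAFFIC_CONTROL = ("in", "in-out")
FLAG_KEYS = {"status", "traffic_control", "re_authentication", "re_authenticate"}
# slot/port or slot/port-slot/port, the forms the interface command accepts
PORT_RE = re.compile(r"^\d+/\d+(?:-\d+/\d+)?$")


def eapol_port_commands(ports, settings):
    """Return the NNCLI lines that apply `settings` to `ports`.

    Keys: status, traffic_control, re_authentication (bool), re_authenticate
    (bool: re-authenticate the Supplicant now) and any key of INT_PARAMS.
    Raises ValueError for anything the manual's parameter tables rule out.
    """
    if not PORT_RE.match(ports):
        raise ValueError(f"bad port spec {ports!r}; use slot/port[-slot/port]")
    unknown = set(settings) - set(INT_PARAMS) - FLAG_KEYS
    if unknown:
        raise ValueError(f"unknown settings: {sorted(unknown)}")

    lines = [f"interface fastethernet {ports}"]

    status = settings.get("status")
    if status is not None:
        if status not in STATUSES:
            raise ValueError(f"status must be one of {STATUSES}, got {status!r}")
        lines.append(f"eapol status {status}")

    for key, (param, low, high, _default) in INT_PARAMS.items():
        if key not in settings:
            continue
        value = settings[key]
        # bool is rejected explicitly because it is a subclass of int
        if isinstance(value, bool) or not isinstance(value, int) or not low <= value <= high:
            raise ValueError(f"{param} must be an integer in {low}-{high}, got {value!r}")
        lines.append(f"eapol {param} {value}")

    control = settings.get("traffic_control")
    if control is not None:
        if control not in TRAFFIC_CONTROL:
            raise ValueError(f"traffic-control must be one of {TRAFFIC_CONTROL}, got {control!r}")
        lines.append(f"eapol traffic-control {control}")

    reauth = settings.get("re_authentication")
    if reauth is not None:
        # The enable form is the one the manual's figure shows; the 'no' form
        # follows the manual's general rule for disabling a command (assumption).
        lines.append("eapol re-authentication enable" if reauth
                     else "no eapol re-authentication enable")

    if settings.get("re_authenticate"):
        # The manual requires re-authentication to be enabled before re-authenticate.
        if not reauth:
            raise ValueError("re_authenticate requires re_authentication=True")
        lines.append("eapol re-authenticate")
    return lines


# The manual's configuration example for port 5/5, expressed as settings.
MANUAL_EXAMPLE = {
    "status": "auto",
    "max_request": 4,
    "quiet_interval": 120,
    "transmit_interval": 90,
    "server_timeout": 90,
    "supplicant_timeout": 90,
    "re_authentication_period": 7200,
    "re_authentication": True,
}

if __name__ == "__main__":
    print("\n".join(eapol_port_commands("5/5", MANUAL_EXAMPLE)))
```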


Configuring non-EAPoL clients on a port

To configure non-EAPoL clients on a specific port, use the following command from the Interface configuration mode:

eapol multihost

Note: Ensure you are in the Interface configuration mode for a port. For example, from the Global configuration mode, enter the interface fastethernet {slot/port[-slot/port][, ...]} command.

This command includes the following parameters:

eapol multihost followed by:

allow-non-eap-enable  Sets the port to allow (enable) or not allow (disable) a mix of EAPoL and non-EAPoL clients.
                      • Use the no keyword to disable a mix of EAPoL and non-EAPoL clients.
eap-mac-max           Sets the maximum number of EAPoL clients allowed for the port. Enter an integer value in the range 1–8, which specifies the maximum number of non-EAPoL clients that can reside on this port. Note: The maximum number of authenticated clients that you can configure on a port is eight.
enable                Allows multiple clients to be connected on the port.
non-eap-mac           Allows you to add (insert) a non-EAPoL MAC address into the non-eap-mac list.
non-eap-mac-max       Sets the maximum number of non-EAPoL clients allowed for the port. Enter an integer value in the range 1–8, which specifies the maximum number of non-EAPoL clients that can reside on this port. Note: The maximum number of non-authenticated clients that you can configure on a port is eight.


eapol multihost (continued) followed by:

port {slot/port[-slot/port][, ...]}  Specifies the port or ports you want to configure for EAPoL. Note: If you omit this parameter, the system uses the port number specified when you entered the interface command.
radius-non-eap-enable                Enables RADIUS MAC centralization per interface.
shut-down-on-intrusion-enable        When enabled, allows the port to shut down when the maximum non-EAP clients limit is reached.

Changing the authentication status of a port

By default, ports are force-authorized. This means that the ports are always authorized and are not authenticated by the RADIUS server.

You can change this setting so that the ports are always unauthorized (force-unauthorized). You can also make the ports controlled so that they are automatically authenticated when you globally enable EAPoL (auto). The auto setting automatically authenticates the port according to the results of the RADIUS server.

Use the following procedure to navigate from Global configuration mode to Interface configuration mode and set the authentication state for the specified port or ports:

1 Enter the Interface mode from the Global configuration mode and select the port you want to edit:
  Passport-8310:5(config)#interface FastEthernet {slot/port[-slot/port][, ...]}
2 Set the EAPoL authentication state for this port:
  Passport-8310:5(config-if)#eapol status <auto|authorized|unauthorized>


where:

• auto specifies that port authorization status depends on the results of the EAPoL authentication by the RADIUS server.
• authorized indicates that the port is always authorized.
• unauthorized indicates that the port is always unauthorized.

For example, to enable EAPoL on Ethernet port 1/1, enter the following commands:

Passport-8310:5(config)#interface FastEthernet 1/1
Passport-8310:5(config-if)#eapol status auto

Showing EAPoL statistics

The Ethernet Routing Switch 8300 provides the following show commands to help you to monitor and troubleshoot your switch:

• “Showing the EAPoL status of the switch” on page 232
• “Showing EAPoL authenticator statistics” on page 233
• “Showing EAPoL authenticator diagnostics” on page 235
• “Showing EAPoL authenticator session statistics” on page 238
• “Showing EAPoL configuration statistics” on page 240
• “Showing EAPoL operation statistics” on page 243

Showing the EAPoL status of the switch

To view the current configuration of the switch, use the following command from Privileged EXEC, Global configuration, or Interface configuration mode:

show eapol

Figure 58 on page 233 shows sample output for this command.


Figure 58 show eapol command sample output

Passport-8306:5(config)#show eapol
eap : disabled
acct-enable : false
default-guest-vlan : false
guest-vlan : 4095
radius-mac-centralization : disabled
Passport-8306:5(config)#

Showing EAPoL authenticator statistics

To display the authenticator statistics, use the following command from Privileged EXEC, Global configuration, or Interface configuration mode:

show interface eapol auth-stats [<portlist>]

where: portlist uses the convention {slot/port[-slot/port][, ...]}.

Figure 59 on page 234 shows sample output for this command.


Figure 59 show interface FastEthernet eapol auth-stats sample output

Passport-8310:6(config)#show interface FastEthernet eapol auth-stats

==============================================================================================
                                  Eap Authenticator Statistics
==============================================================================================
PORT  TOTAL  TOTAL  START  LOGOFF  RESP_ID  RESP  REQ-ID  REQ  INVALID  LENGTH  FRAME  LAST-SRC
      RX     TX     RCVD   RCVD    RCVD     RCVD  TX      TX   FRAMES   ERROR   VER    MAC
----------------------------------------------------------------------------------------------
1/1   0      0      0      0       0        0     0       0    0        0       0      00:00:00:00:00:00
1/2   0      0      0      0       0        0     0       0    0        0       0      00:00:00:00:00:00
1/3   0      0      0      0       0        0     0       0    0        0       0      00:00:00:00:00:00
1/4   0      0      0      0       0        0     0       0    0        0       0      00:00:00:00:00:00
1/5   0      0      0      0       0        0     0       0    0        0       0      00:00:00:00:00:00
1/6   0      0      0      0       0        0     0       0    0        0       0      00:00:00:00:00:00
1/7   0      0      0      0       0        0     0       0    0        0       0      00:00:00:00:00:00
1/8   0      0      0      0       0        0     0       0    0        0       0      00:00:00:00:00:00
1/9   0      0      0      0       0        0     0       0    0        0       0      00:00:00:00:00:00
1/10  0      0      0      0       0        0     0       0    0        0       0      00:00:00:00:00:00
1/11  0      0      0      0       0        0     0       0    0        0       0      00:00:00:00:00:00
1/12  0      0      0      0       0        0     0       0    0        0       0      00:00:00:00:00:00
1/13  0      0      0      0       0        0     0       0    0        0       0      00:00:00:00:00:00
1/14  0      0      0      0       0        0     0       0    0        0       0      00:00:00:00:00:00
1/15  0      0      0      0       0        0     0       0    0        0       0      00:00:00:00:00:00
1/16  0      0      0      0       0        0     0       0    0        0       0      00:00:00:00:00:00

Passport-8310:6(config)#

Table 10 describes the parameters in the Eap Authenticator Statistics table.

Table 10 Eap Authenticator Statistics table parameters

Field           Description
TOTAL RX        Displays the number of valid EAPoL frames of any type that have been received by this Authenticator.
TOTAL TX        Displays the number of EAPoL frames of any type that have been transmitted by this Authenticator.
START RCVD      Displays the number of EAPoL start frames that have been received by this Authenticator.
LOGOFF RCVD     Displays the number of EAPoL logoff frames that have been received by this Authenticator.
RESP_ID RCVD    Displays the number of EAPoL Resp/Id frames that have been received by this Authenticator.
RESP RCVD       Displays the number of valid EAP Response frames (other than Resp/Id frames) that have been received by this Authenticator.
REQ_ID TX       Displays the number of EAPoL Req/Id frames that have been transmitted by this Authenticator.


Table 10 Eap Authenticator Statistics table parameters (continued)

Field           Description
REQ TX          Displays the number of EAP Request frames (other than Req/Id frames) that have been transmitted by this Authenticator.
INVALID FRAMES  Displays the number of EAPoL frames that have been received by this Authenticator in which the frame type is not recognized.
LENGTH ERROR    Displays the number of EAPoL frames that have been received by this Authenticator in which the packet body length field is not valid.
FRAME VER       Displays the protocol version number that was in the most recently received EAPoL frame.
LAST_SRC MAC    Displays the source MAC address that was in the most recently received EAPoL frame.

Showing EAPoL authenticator diagnostics

To display the authenticator diagnostics, use the following command from Privileged EXEC, Global configuration, or Interface configuration mode:

show interface eapol auth-diags [<portlist>]

where: portlist uses the convention {slot/port[-slot/port][, ...]}.

Figure 60 on page 236 shows sample output for this command.


Figure 60 show interface FastEthernet eapol auth-diags sample output

Passport-8310:6(config)#show interface FastEthernet eapol auth-diags

================================================================
               Eap Authenticator Diagnostics Table
================================================================
Port                    1/1  1/2  1/3  1/4  1/5  1/6  1/7  1/8
----------------------------------------------------------------
Enter Conn              0    0    0    0    0    0    0    0
Logoff While Conn       0    0    0    0    0    0    0    0
Enter Authing           0    0    0    0    0    0    0    0
Success While Authing   0    0    0    0    0    0    0    0
Timeout while Authing   0    0    0    0    0    0    0    0
Fail While Authing      0    0    0    0    0    0    0    0
Reauths While Authing   0    0    0    0    0    0    0    0
Starts While Authing    0    0    0    0    0    0    0    0
Logoffs While Authing   0    0    0    0    0    0    0    0
Reauths While Authed    0    0    0    0    0    0    0    0
Starts While Authed     0    0    0    0    0    0    0    0
Logoffs While Authed    0    0    0    0    0    0    0    0
Bkend Resps             0    0    0    0    0    0    0    0
Bkend Access Chall      0    0    0    0    0    0    0    0
Bkend Reqs ToSupp       0    0    0    0    0    0    0    0
Bkend NonNak From Supp  0    0    0    0    0    0    0    0
Bkend Auth Succ         0    0    0    0    0    0    0    0
Bkend Auth Fails        0    0    0    0    0    0    0    0

Table 11 describes the parameters in the Eap Authenticator Diagnostics table.

Table 11 Eap Authenticator Diagnostics table parameters

Field                   Description
Enter Conn              Counts the number of times that the Authenticator PAE state machine transitions to the Connecting state from any other state.
Logoff While Conn       Counts the number of times that the Authenticator PAE state machine transitions from Connected to Disconnected as a result of receiving an EAPoL-Logoff message.
Enter Authing           Counts the number of times that the Authenticator PAE state machine transitions from Connecting to Authenticating as a result of an EAP-Response/Identity message being received from the Supplicant.


Table 11 Eap Authenticator Diagnostics table parameters (continued)

Field                   Description
Success While Authing   Counts the number of times that the Authenticator PAE state machine transitions from Authenticating to Authenticated as a result of the Backend authentication state machine indicating successful authentication of the Supplicant.
Timeout While Authing   Counts the number of times that the Authenticator PAE state machine transitions from Authenticating to Aborting as a result of the Backend authentication state machine indicating authentication timeout.
Fail While Authing      Counts the number of times that the Authenticator PAE state machine transitions from Authenticating to Held as a result of the Backend authentication state machine indicating authentication failure.
Reauths While Authing   Counts the number of times that the Authenticator PAE state machine transitions from Authenticating to Aborting as a result of a reauthentication request.
Starts While Authing    Counts the number of times that the Authenticator PAE state machine transitions from Authenticating to Aborting as a result of an EAPoL-Start message being received from the Supplicant.
Logoffs While Authing   Counts the number of times that the Authenticator PAE state machine transitions from Authenticating to Aborting as a result of an EAPoL-Logoff message being received from the Supplicant.
Reauths While Authed    Counts the number of times that the Authenticator PAE state machine transitions from Authenticated to Connecting as a result of a reauthentication request.
Starts While Authed     Counts the number of times that the Authenticator PAE state machine transitions from Authenticated to Connecting as a result of an EAPoL-Start message being received from the Supplicant.
Logoffs While Authed    Counts the number of times that the Authenticator PAE state machine transitions from Authenticated to Disconnected as a result of an EAPoL-Logoff message being received from the Supplicant.
Bkend Resps             Counts the number of times that the Backend Authentication state machine sends an Initial-Access request packet to the Authentication server.
Bkend Access Chall      Counts the number of times that the Backend Authentication state machine receives an Initial-Access challenge packet from the Authentication server.


Table 11 Eap Authenticator Diagnostics table parameters (continued)

Field                   Description
Bkend Reqs ToSupp       Counts the number of times that the Backend Authentication state machine sends an EAP request packet (other than an Identity, Notification, failure, or success message) to the Supplicant.
Bkend NonNak From Supp  Counts the number of times that the Backend Authentication state machine receives a response from the Supplicant to an initial EAP request and the response is something other than EAP-NAK.
Bkend Auth Succ         Counts the number of times that the Backend Authentication state machine receives an EAP-success message from the Authentication server.
Bkend Auth Fails        Counts the number of times that the Backend Authentication state machine receives an EAP-failure message from the Authentication server.

Showing EAPoL authenticator session statistics

To display the authenticator statistics per session, use the following command from Privileged EXEC, Global configuration, or Interface configuration mode:

show interface eapol session-stats [<portlist>]

where: portlist uses the convention {slot/port[-slot/port][, ...]}.

Figure 61 on page 239 shows sample output for this command.


Figure 61 show interface FastEthernet eapol session-stats sample output

Passport-8310:5(config-if)# show interface FastEthernet eapol session-stats

==================================================================================================
                               Eap Authenticator Session Statistics
==================================================================================================
      TOTAL   TOTAL   TOTAL   TOTAL
      OCTETS  OCTETS  FRAMES  FRAMES  SESSION  AUTHENTIC  SESSION            TERMINATE  USER
PORT  RCVD    TXMT    RCVD    TXMT    ID       METHOD     TIME               CAUSE      NAME
--------------------------------------------------------------------------------------------------
5/1   0       0       0       0                none       0 day(s),00:00:00  none
5/2   0       0       0       0                none       0 day(s),00:00:00  none
5/3   0       0       0       0                none       0 day(s),00:00:00  none
5/4   0       0       0       0                none       0 day(s),00:00:00  none
5/5   0       0       0       0                none       0 day(s),00:00:00  none
5/6   0       0       0       0                none       0 day(s),00:00:00  none
5/7   0       0       0       0                none       0 day(s),00:00:00  none
5/8   0       0       0       0                none       0 day(s),00:00:00  none
.
.
Passport-8310:5(config-if)#

Table 12 describes the parameters in the Eap Authenticator Session Statistics table.

Table 12 Eap Authenticator Session Statistics table parameters

Field               Description
TOTAL OCTETS RCVD   Displays the number of octets received in user data frames on this port during the session.
TOTAL OCTETS TXMT   Displays the number of octets transmitted in user data frames on this port during the session.
TOTAL FRAMES RCVD   Displays the number of user data frames received on this port during the session.
TOTAL FRAMES TXMT   Displays the number of user data frames transmitted on this port during the session.
SESSION ID          Displays a unique identifier for the session that is at least three characters.
AUTHENTIC METHOD    Displays the authentication method (remote or local RADIUS server) used to establish the session.
SESSION TIME        Displays the duration of the session (in seconds).


Table 12 Eap Authenticator Session Statistics table parameters (continued)

Field               Description
TERMINATE CAUSE     Displays the reason for the session being terminated. The possible reasons are:
                    Supplicant logoff
                    Port failure
                    Supplicant restart
                    Re-authentication failed
                    Control force unauthorized
                    Port re-initialized
                    Port admin disabled
                    Not terminated
USER NAME           Displays the user name of the Supplicant PAE.

Showing EAPoL configuration statistics

To display configuration information for the supplicant PAE associated with each selected port, use the following command from Privileged EXEC, Global configuration, or Interface configuration mode:

show interface eapol config [<portlist>]

where: portlist uses the convention {slot/port[-slot/port][, ...]}

Figure 62 on page 241 shows sample output for this command.


Figure 62 show interface FastEthernet eapol config sample output

Passport-8310:6(config)#show interface FastEthernet eapol config

==============================================================================
                        Eap Authenticator Config Table
==============================================================================
PORT                2/1         2/2         2/3         2/4         2/5
------------------------------------------------------------------------------
Admin Status        force-auth  force-auth  force-auth  force-auth  force-auth
Control Direction   both        both        both        both        both
Max Request         2           2           2           2           2
Quiet Period        60          60          60          60          60
Transmit Period     30          30          30          30          30
Server Timeout      30          30          30          30          30
Supplicant Timeout  30          30          30          30          30
Reauthentication    false       false       false       false       false
Reauth Period       3600        3600        3600        3600        3600
Guest-Vlan State    disabled    disabled    disabled    disabled    disabled
Guest-Vlan ID       4095        4095        4095        4095        4095
Multi Host          disabled    disabled    disabled    disabled    disabled
Max Multi Host      1           1           1           1           1
Allow Non-Eap Host  disabled    disabled    disabled    disabled    disabled
Max Non-Eap Host    1           1           1           1           1

Passport-8310:6(config)#


Table 13 describes the parameters in the Eap Authenticator Config table.

Table 13 Eap Config table parameters

Item                Description
ADMIN STATUS        Displays the authentication status for this port.
                    force-unauthorized - port is always unauthorized.
                    auto - port authorization depends on the results of the EAPoL authentication by the RADIUS server.
                    force-authorized - port is always authorized.
CTRL DIR            Indicates the control direction. Control direction can be either incoming-only or incoming-and-outgoing. If the port is unauthorized, traffic is blocked based on this setting. If traffic-control-directions is set to incoming-only, ingress traffic is blocked and egress traffic is forwarded normally. If traffic-control-directions is set to incoming-and-outgoing, traffic is blocked in both directions.
MAX REQ             Displays the maximum number of times to retry sending packets to the Supplicant.
QUIET PERIOD        Displays the time interval (in seconds) between authentication failure and the start of a new authentication.
TRANSMIT PERIOD     Displays the time (in seconds) that the Authenticator waits for a response from a Supplicant for EAP Request/Identity packets.
SERVER TIMEOUT      Displays the time (in seconds) that the Authenticator waits for a response from the RADIUS server.
SUPPLICANT TIMEOUT  Displays the time (in seconds) that the Authenticator waits for a response from a Supplicant for all EAP packets except EAP Request/Identity packets.
REAUTHENTICATION    When set to true, the Authenticator re-authenticates a Supplicant at the time interval specified in REAUTH PERIOD.
REAUTH PERIOD       Displays the time interval (in seconds) between successive re-authentications.


Showing EAPoL operation statistics

To display statistical information about the authenticator, use the following command from Privileged EXEC, Global configuration, or Interface configuration mode:

show interface eapol oper-stats [<portlist>]

where: portlist uses the convention {slot/port[-slot/port][, ...]}.

Figure 63 shows sample output for this command.

Figure 63 show interface FastEthernet eapol oper-stats sample output

Passport-8310:6(config)#show interface FastEthernet eapol oper-stats

===================================================
                   Eap Oper Stats
===================================================
PORT  CTRL  PORT        PAE               BKEND
      DIR   STATUS      STATUS            STATUS
---------------------------------------------------
1/1   both  authorized  force-authorized  idle
1/2   both  authorized  force-authorized  idle
1/3   both  authorized  force-authorized  idle
1/4   both  authorized  force-authorized  idle
1/5   both  authorized  force-authorized  idle
1/6   both  authorized  force-authorized  idle
1/7   both  authorized  force-authorized  idle
1/8   both  authorized  force-authorized  idle
1/9   both  authorized  force-authorized  idle
1/10  both  authorized  force-authorized  idle
1/11  both  authorized  force-authorized  idle
1/12  both  authorized  force-authorized  idle
1/13  both  authorized  force-authorized  idle
1/14  both  authorized  force-authorized  idle
1/15  both  authorized  force-authorized  idle
1/16  both  authorized  force-authorized  idle

Passport-8310:6(config)#


Table 14 describes the parameters in the Eap Oper Stats table.

Table 14 Eap Oper Stats table parameters

CTRL DIR
    Indicates the control direction. Control direction can be either incoming-only or incoming-and-outgoing. If the port is unauthorized, traffic is blocked based on this setting. If traffic-control-directions is set to incoming-only, ingressing traffic is blocked; egress traffic is forwarded normally. If traffic-control-directions is set to incoming-and-outgoing, traffic is blocked in both directions.
PORT STATUS
    Displays the authentication status for this port.
    unauthorized - port is always unauthorized.
    auto - port authorization depends on the results of the EAPoL authentication by the RADIUS server.
    authorized - port is always authorized.
PAE STATUS
    Displays the current Authenticator PAE state. The possible states are:
    initialized
    disconnected
    connecting
    authenticating
    authenticated
    aborting
    held
    force-authorized
    force-unauthorized
BKEND STATUS
    Displays the current state of Backend Authentication. The possible states are:
    request
    response
    success
    fail
    timeout
    idle
    initialize
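
As an added example that is not part of the Nortel manual, the following Python script parses an Eap Oper Stats table in the Figure 63 layout and, using the Table 14 meanings, flags ports whose PAE state is force-authorized (EAPoL is not actually enforced there), ports held after a failed authentication, ports administratively forced unauthorized, and unauthorized ports whose control direction still forwards egress traffic. The sample output is constructed: rows other than 1/1 and the "in" abbreviation for incoming-only are assumptions, since the figure only shows "both".

```python
"""Audit an ERS 8300 'show interface eapol oper-stats' listing for ports that
are not enforcing EAPoL. Added example; the sample output below is constructed
from the Figure 63 layout and is not real switch output."""
import re

# Constructed sample. Row 1/1 matches the manual's figure; the other rows and
# the "in" abbreviation for incoming-only are assumptions added to exercise
# every finding category.
SAMPLE_OPER_STATS = """\
Passport-8310:6(config)#show interface FastEthernet eapol oper-stats

================================================================================
                                 Eap Oper Stats
================================================================================
PORT   CTRL   PORT          PAE                 BKEND
       DIR    STATUS        STATUS              STATUS
--------------------------------------------------------------------------------
1/1    both   authorized    force-authorized    idle
1/2    both   authorized    authenticated       idle
1/3    both   unauthorized  held                fail
1/4    in     unauthorized  connecting          idle
1/5    both   unauthorized  force-unauthorized  idle

Passport-8310:6(config)#
"""

# One data row: slot/port followed by the four status columns.
ROW_RE = re.compile(
    r"^(?P<port>\d+/\d+)\s+(?P<ctrl>\S+)\s+(?P<status>\S+)\s+"
    r"(?P<pae>\S+)\s+(?P<bkend>\S+)$"
)


def parse_oper_stats(text):
    """Return one dict per port row; banner, header and prompt lines are skipped."""
    rows = []
    for line in text.splitlines():
        match = ROW_RE.match(line.strip())
        if match:
            rows.append(match.groupdict())
    return rows


def audit_oper_stats(text):
    """Map each finding category to the list of ports it applies to.

    not_enforced - PAE state force-authorized: authorized regardless of RADIUS.
    blocked      - PAE state force-unauthorized: the port is always unauthorized.
    auth_failed  - PAE state held: a Supplicant failed and the quiet period runs.
    egress_open  - unauthorized port with incoming-only control: ingress is
                   blocked but egress traffic is still forwarded (Table 14).
    """
    findings = {"not_enforced": [], "blocked": [], "auth_failed": [], "egress_open": []}
    for row in parse_oper_stats(text):
        if row["pae"] == "force-authorized":
            findings["not_enforced"].append(row["port"])
        elif row["pae"] == "force-unauthorized":
            findings["blocked"].append(row["port"])
        elif row["pae"] == "held":
            findings["auth_failed"].append(row["port"])
        if row["status"] == "unauthorized" and row["ctrl"] != "both":
            findings["egress_open"].append(row["port"])
    return findings


if __name__ == "__main__":
    for category, ports in audit_oper_stats(SAMPLE_OPER_STATS).items():
        print(f"{category:13s}: {', '.join(ports) or '-'}")
```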

Showing multiple clients session information

To display information about multiple client sessions configured on one or more ports, use the following command from Privileged EXEC, User EXEC, Global configuration, or Interface configuration mode:

show interface eapol multihost-session-stats [<ports>]

where: ports uses the convention {slot/port[-slot/port][, ...]}

Figure 64 on page 245 shows sample output for this command. In this example, ports 1/1 to 1/4 have been selected for display.


Figure 64 show interface fastethernet eapol multi-host-session-stats command sample output

Passport-8310:5# show interface fastethernet eapol multi-host-session-stats 1/1-1/8

Unit/Port  Client-Mac_Addr     Session-Id  Auth-Method   Session-Time
--------------------------------------------------------------------------------
1/1        00:00:00:00:00:00   10          local-server  00:04:16:09
1/2        00:00:00:00:00:00   20          local-server  00:00:05:32
1/3        00:00:00:00:00:00   30          local-server  00:02:24:45
1/4        00:00:00:00:00:00   40          local-server  00:01:09:03

Term-Cause        User-Name
--------------------------------------------------------------------------------
re-auth failure
not-terminated    user2
not-terminated    user3
not-terminated    user4

Table 15 describes the information provided for multiple client sessions.

Table 15 show ports info eapol oper-stats parameters

Unit/Port
    Lists the port number for the displayed statistics.
Client MAC Address
    Displays the MAC address of the client.
Session ID
    Displays the unique identifier for the session.
Authentication Method
    Displays the authentication method (remote-server or local-server) used to establish the session.
Session Time
    Displays the duration of the session (in days, hours, minutes, and seconds).
Terminate Cause
    Displays the reason for the session being terminated. The possible reasons are:
    Supplicant logoff
    Port failure
    Supplicant restart
    Re-authentication failed
    Control force unauthorized
    Port re-initialized
    Port admin disabled
    Not terminated
User Name
    Displays the username of the Supplicant PAE.


Viewing the status of non-EAPoL clients that use RADIUS

To view information about non-EAPoL clients using RADIUS on one or more ports, use the following command from Privileged EXEC, User EXEC, Global configuration, or Interface configuration mode:

show eapol multihost non-eap-mac status [<ports>]

where: ports uses the convention {slot/port[-slot/port][, ...]}.

Figure 65 shows sample output for this command.

Figure 65 show eapol multihost non-eap-mac status command sample output

Passport-8310:5(config)# show eapol multihost non-eap-mac status

Unit/Port  Client Mac Addr     Authentication Status
--------------------------------------------------------------------------------
1/1        00:00:00:00:00:00   pending
1/2        00:00:00:00:00:00   pending
1/3        00:00:00:00:00:00   request-dropped
1/4        00:00:00:00:00:00   authenticated

Passport-8310:5(config)#

Table 16 describes the information provided by the show eapol multihost non-eap-mac status command.

Table 16 show eapol multihost non-eap-mac status parameters

Unit/Port
    Indicates the slot/port number.
Client Mac Address
    Displays the non-EAP MAC address for the device connected to the port.
Authentication Status
    Displays the RADIUS authentication status of the learned MAC addresses. There are five possible status options:
    Pending
    Rejected
    Authenticated
    Request dropped
    Server not reachable

Note: Non-EAP clients are not authenticated if the RADIUS queue is full, or if the RADIUS server cannot process the requests. For example, when the RADIUS server is down during STP convergence, a discard filter is added for non-EAP clients. The RADIUS request for the non-EAP clients times out and is dropped. That is, the non-EAP clients are discarded and never get a chance to be authenticated. In addition, if the RADIUS queue is full and more RADIUS requests come in, all those additional RADIUS requests are dropped.

To solve this issue, in Ethernet Routing Switch 8300 software release 2.2 the authentication status of a non-EAP client changes from pending to radius-server-not-reachable when the RADIUS request of the non-EAP client times out. Also, when the RADIUS request of a non-EAP client is dropped because there is insufficient space in the RADIUS queue, the authentication status of the non-EAP client changes to radius-request-dropped.

The discarded RADIUS non-EAP clients (with an authentication status of radius-request-dropped or radius-server-not-reachable) receive another chance to be authenticated when one of the following occurs:

• The discard-filter-ageout timer (configured by the user) expires. By default, the discard-filter-ageout value is 10 seconds. The user can configure it to a value in the range of 5–3600 seconds.
• Traffic from the RADIUS server is received.

In addition, a consistency check prevents enabling EAP and unknown-mac-discard together.
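The status transitions in this note, modelled in Python as an added example (this is not switch code): a small table tracks each learned non-EAP MAC through pending, radius-request-dropped and radius-server-not-reachable, and gives discarded clients another chance when the discard-filter-ageout timer expires or traffic from the RADIUS server arrives. The queue size, the RADIUS timeout and the MAC addresses are constructed, and time is passed in as explicit timestamps so the model runs offline.

```python
"""Model of the release 2.2 RADIUS status handling for non-EAP MAC clients
(Table 16 and the note after it). Added example, not ERS 8300 code; the
queue size and timeout values are constructed, and 'now' is a plain seconds
counter supplied by the caller."""

# Status names as the switch reports them (Table 16 and the note).
PENDING = "pending"
AUTHENTICATED = "authenticated"
REJECTED = "rejected"
REQUEST_DROPPED = "radius-request-dropped"
SERVER_NOT_REACHABLE = "radius-server-not-reachable"


class NonEapClientTable:
    def __init__(self, queue_size, ageout_seconds=10, radius_timeout=3):
        # config sys set eapol radius-discard-filter-ageout: 5..3600 s, default 10.
        if not 5 <= ageout_seconds <= 3600:
            raise ValueError("discard-filter-ageout must be in 5..3600 seconds")
        self.queue_size = queue_size          # constructed RADIUS queue depth
        self.ageout = ageout_seconds
        self.radius_timeout = radius_timeout  # constructed request timeout
        self.queue = []          # (mac, time sent) with an outstanding request
        self.status = {}         # mac -> current authentication status
        self.discarded_at = {}   # mac -> time its discard filter was added

    def learn(self, mac, now):
        """A MAC is seen on the port: queue a RADIUS request, or drop it when
        the queue is full (status radius-request-dropped)."""
        if len(self.queue) >= self.queue_size:
            self._discard(mac, REQUEST_DROPPED, now)
        else:
            self.queue.append((mac, now))
            self.status[mac] = PENDING

    def _discard(self, mac, reason, now):
        self.status[mac] = reason
        self.discarded_at[mac] = now

    def radius_reply(self, mac, accepted, now):
        """Traffic from the RADIUS server: settle this MAC and, as the note
        says, give every discarded client another chance."""
        self.queue = [(m, t) for m, t in self.queue if m != mac]
        self.status[mac] = AUTHENTICATED if accepted else REJECTED
        self._retry_discarded(now)

    def tick(self, now):
        """Advance time: a request that times out becomes
        radius-server-not-reachable; an expired discard filter is retried."""
        still_waiting = []
        for mac, sent in self.queue:
            if now - sent >= self.radius_timeout:
                self._discard(mac, SERVER_NOT_REACHABLE, now)
            else:
                still_waiting.append((mac, sent))
        self.queue = still_waiting
        for mac, added in list(self.discarded_at.items()):
            if now - added >= self.ageout:
                self.discarded_at.pop(mac)
                self.learn(mac, now)

    def _retry_discarded(self, now):
        for mac in list(self.discarded_at):
            self.discarded_at.pop(mac)
            self.learn(mac, now)


def demo():
    """Walk three constructed MACs through a full RADIUS outage and recovery."""
    table = NonEapClientTable(queue_size=2, ageout_seconds=10, radius_timeout=3)
    for mac in ("00:11:22:33:44:aa", "00:11:22:33:44:bb", "00:11:22:33:44:cc"):
        table.learn(mac, now=0)         # third MAC finds the queue full
    table.tick(now=3)                   # server silent: first two time out
    table.tick(now=10)                  # ageout expires for the dropped MAC
    table.radius_reply("00:11:22:33:44:cc", accepted=True, now=11)
    return dict(table.status)


if __name__ == "__main__":
    for mac, status in demo().items():
        print(f"{mac}  {status}")
```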


Viewing allowed non-EAPoL MAC addresses

To view the allowed non-EAPoL MAC addresses and the associated slot/port for each, use the following command from Privileged EXEC, User EXEC, Global configuration, or Interface configuration mode:

show eapol multihost non-eap-mac interface [<ports>]

where: ports uses the convention {slot/port[-slot/port][, ...]}.

Figure 66 shows sample output for this command.

Figure 66 show eapol multihost non-eap-mac interface command sample output

Passport-8310:5(config)# show eapol multihost non-eap-mac interface

Unit/Port  Allowed Mac Addr
--------------------------------------------------------------------------------
1/1        00:00:00:00:00:00
1/2        00:00:00:00:00:00
1/3        00:00:00:00:00:00
1/4        00:00:00:00:00:00

Passport-8310:5(config)#

Table 17 describes the information provided by the show eapol multihost non-eap-mac interface command.

Table 17 show eapol multihost non-eap-mac interface parameters

Unit/Port
    Indicates the slot/port number.
Allowed Mac Address
    Displays the list of allowed non-EAP MAC addresses that have been added.


Chapter 14 Configuring EAPOL using the CLI

Extensible Authentication Protocol over LAN (EAPoL) is a port-based network access control protocol. EAPoL provides security to your network by preventing users from accessing network resources before they are authenticated.

EAPoL allows you to set up network access control on internal LANs and to exchange authentication information between any end station or server connected to the Ethernet Routing Switch 8300 and an authentication server (such as a RADIUS server). This security feature extends the benefits of remote authentication to internal LAN clients. For example, if a new client PC fails the authentication process, EAPoL prevents it from accessing the network.

This chapter includes the following topics:

Topic                                                    Page
Roadmap of CLI EAPoL commands                            250
Configuration prerequisites                              253
Adding an EAPoL-enabled RADIUS server                    255
Deleting an EAPoL-enabled RADIUS server                  258
Modifying EAPoL-enabled RADIUS server parameters         258
Configuring EAPoL globally                               254
Configuring EAPoL on a port                              260
Configuring non-EAPoL clients on a port                  264
Showing EAPoL statistics                                 266
Viewing the status of non-EAPoL clients that use RADIUS  280


Roadmap of CLI EAPoL commands

The following roadmap lists the CLI EAPoL commands and their parameters. Use this list as a quick reference or click on any entry for more information:

config radius server create <ipaddr> secret <value> usedby eapol
config radius server delete <ipaddr> usedby eapol
config radius server set <ipaddr> usedby eapol
config sys set eapol
    info
    acct-enable
    clear-stat
    default-guest-vlan
    enable
    disable
    guest-vlan
    radius-mac-centralization
    radius-discard-filter-ageout
config ethernet <ports> eapol
    info
    admin-status
    admin-traffic-control
    default-guest-vlan
    guest-vlan
    multi-host
    max-multi-hosts <1..8>
    initialize
    max-req <1...10>
    quiet-period <1...65535 seconds>
    reauthentication
    reauthenticate-now
    reauthentication-period <1...2147483647 seconds>
    server-timeout <1...65535 seconds>
    supplicant-timeout <1...65535 seconds>
    transmit-period <1...65535 seconds>
config ethernet <ports> eapol non-eap-mac
    info
    add
    allow-non-eap-clients
    clear
    radius-mac-centralization
    shut-down-on-intrusion
    max-non-eap-clients <1..8>
    remove
show sys eapol
show ports info eapol auth-stats [<ports>]
show ports info eapol auth-diags [<ports>]
show ports info eapol session-stats [<ports>]
show ports info eapol config [<ports>]
show ports info eapol oper-stats [<ports>]
show ports info eapol multi-host-session-stats [<ports>]
show ports info eapol radius-non-eap-mac [<ports>]
show ports info eapol non-eap-mac [<ports>]


Configuration prerequisites

Use the following configuration rules when using EAPoL:

• Before configuring your switch for EAPoL and RADIUS MAC centralization, you must configure at least one EAPoL RADIUS Server and Shared Secret field.
• You cannot configure EAPoL on ports that are currently configured for:
  — shared segments
  — multilink trunking (MLT)
  — tagging

Note: Although you can enable both port mirroring and EAPoL on a port, Nortel does not recommend it.

• You can enable EAPoL in any order; that is, you do not have to enable EAPoL locally before you can enable it globally.
• You can connect up to eight clients on each EAPoL-enabled port if you enable the Multiple Host feature.

EAPoL uses the RADIUS protocol to authenticate EAPoL logins. See Chapter 12, “Configuring RADIUS authentication and accounting using the CLI,” on page 201 for more information on using the RADIUS protocol.


Configuring EAPoL globally

To globally configure EAPoL, use the following command:

config sys set eapol

This command includes the following parameters:

config sys set eapol followed by:

info
    Displays information about the current global EAPoL configuration.
acct-enable
    Globally enables or disables RADIUS accounting.
    • true enables RADIUS accounting
    • false disables RADIUS accounting
clear-stat
    Clears all EAPoL authentication and diagnostic statistics.
default-guest-vlan
    Globally enables or disables Guest VLANs on the switch.
    • enable globally enables Guest VLANs.
    • disable globally disables Guest VLANs.
enable
    Globally enables EAPoL on the switch.
disable
    Globally disables EAPoL on the switch.
guest-vlan <vid>
    Globally assigns the Guest VLAN identification number on the switch.
    • vid is an integer value in the range 1 to 4000, which represents the Guest VLAN Id.
radius-mac-centralization
    Globally enables or disables RADIUS MAC centralization.
radius-discard-filter-ageout
    Globally sets the ageout period for pending (due to server timeout or the server being unreachable) non-eap-macs. The ageout is in the range 5–3600 seconds.


Adding an EAPoL-enabled RADIUS server

The Ethernet Routing Switch 8300 can use RADIUS servers for authentication services. To add an EAPoL-enabled RADIUS server, use the following command:

config radius server create <ipaddr> secret <value> usedby eapol

where:

• ipaddr indicates the IP address of the selected server.
• value specifies the secret key, which is a string of up to 20 characters. The RADIUS server uses this password to validate users.

Note: The usedby attribute determines how the server functions:
cli - configures the server for CLI authentication.
eapol - configures the server for EAPoL authentication.


Other optional parameters that you can use with the config radius server create <ipaddr> secret <value> usedby eapol command are:

config radius server create <ipaddr> secret <value> usedby eapol optional parameters:

[port <port>] [priority <priority>] [retry <retry>] [timeout <timeout>] [enable <true|false>] [acct-port <acct-port>] [acct-enable <true|false>] [source-ip <source-ip>]

• port specifies the UDP port that the client uses to send requests to the server (in the range 1–65536). The default value is 1812. The UDP port value set for the client must match the UDP value set for the RADIUS server.
• priority specifies the priority of each server (that is, the order in which authentication is sent to servers when more than one is configured). The range is 1–10. The default is 10.
• retry specifies the maximum number of retransmissions allowed (in the range 1–6). The default value is 3.
• timeout specifies the time interval, in seconds, before the client retransmits the packet (in the range 1–10). The default value is 3 seconds.
• enable enables (true) or disables (false) authentication on the server. The default is true.
• acct-port is the UDP port the client uses to send accounting requests to the server (in the range 1–65536). The default value is 1813. The UDP port value set for the client must match the UDP value set for the RADIUS server.
• acct-enable enables (true) or disables (false) RADIUS accounting.
• source-ip is the IP address of the gateway or router.

Configuration example: adding an EAPoL-enabled RADIUS server

To configure a RADIUS server to be used by EAPoL on the Ethernet Routing Switch 8300:

1 Enable RADIUS authentication globally:

  Passport-8310:5# config radius authentication-enable true

2 Add the RADIUS server:

  Passport-8310:5# config radius server create <ipaddr> secret <value> usedby eapol

By default, the Ethernet Routing Switch 8300 uses RADIUS UDP ports 1812 and 1813. You can change the port number or other RADIUS server options when you add the RADIUS server. Figure 67 shows the command input and results.

Figure 67 config radius server command sample output

Passport-8310:5# config radius authentication-enable true
Passport-8310:5# config radius server create 12.12.12.12 secret 9 usedby eapol
Passport-8310:5# config radius server info

Sub-Context: clear config monitor show test trace
Current Context:

create :

Name         Used  Secret  Port  Pri  Re   Time  Auth   Acct  Acct   source
             by                        try  out   enbld  port  enbld  ip
--------------------------------------------------------------------------------
12.12.12.12  eap   9       1812  10   1    3     true   1813  true   0.0.0.0

delete : N/A
set : N/A
Passport-8310:5#

Note: When a port is configured for EAPoL (that is, it has an EAPoL status of auto), up to eight supplicants and eight non-EAPoL clients (MACs) are allowed on this port.


Deleting an EAPoL-enabled RADIUS server

To delete an EAPoL-enabled RADIUS server, use the following command:

config radius server delete <ipaddr> usedby eapol

where: ipaddr indicates the IP address of the selected server.

Note: The usedby parameter determines how the server functions:
cli - configures the server for CLI authentication.
eapol - configures the server for EAPoL authentication.

Modifying EAPoL-enabled RADIUS server parameters

To set EAPoL-enabled RADIUS server parameters without having to delete the server and recreate it, use the following command:

config radius server set <ipaddr> usedby eapol

where: ipaddr indicates the IP address of the selected server.

Note: The usedby parameter determines how the server functions:
cli - configures the server for CLI authentication.
eapol - configures the server for EAPoL authentication.


Other optional parameters that you can use with the config radius server set <ipaddr> usedby eapol command are:

config radius server set <ipaddr> usedby eapol optional parameters:

[secret <value>] [port <port>] [priority <priority>] [retry <retry>] [timeout <timeout>] [enable <true|false>] [acct-port <acct-port>] [acct-enable <true|false>] [source-ip <source-ip>]

• secret specifies the secret key, which is a string of up to 20 characters. The RADIUS server uses this password to validate users.
• port specifies the UDP port that the client uses to send requests to the server (in the range 1–65536). The default value is 1812. The UDP port value set for the client must match the UDP value set for the RADIUS server.
• priority specifies the priority of each server (that is, the order in which authentication is sent to servers when more than one is configured). The range is 1–10. The default is 10.
• retry specifies the maximum number of retransmissions allowed (in the range 1–6). The default value is 3.
• timeout specifies the time interval, in seconds, before the client retransmits the packet (in the range 1–10). The default value is 3 seconds.
• enable enables (true) or disables (false) authentication on the server. The default is true.
• acct-port is the UDP port the client uses to send accounting requests to the server (in the range 1–65536). The default value is 1813. The UDP port value set for the client must match the UDP value set for the RADIUS server.
• acct-enable enables (true) or disables (false) RADIUS accounting.
• source-ip is the IP address of the gateway or router.

For more information about this command and the options that can be used with it, refer to Chapter 12, “Configuring RADIUS authentication and accounting using the CLI,” on page 201.


Configuring EAPoL on a port

To configure EAPoL on a specific port, use the following command:

config ethernet <ports> eapol

where: ports uses the convention {slot/port[-slot/port][, ...]}

This command includes the following parameters:

config ethernet <ports> eapol followed by:

info
    Displays information about the current EAPoL configuration on this port.
admin-status <auto|force-unauthorized|force-authorized>
    Sets the authorization status for this port.
    • auto - port authorization depends on the results of the EAPoL authentication by the RADIUS server.
    • force-unauthorized - port is always unauthorized.
    • force-authorized - port is always authorized.
admin-traffic-control <incoming-and-outgoing|incoming-only>
    Sets the traffic control direction for this port.
    • incoming-and-outgoing - traffic control is applied to both incoming and outgoing packets.
    • incoming-only - traffic control is only applied to incoming packets.
default-guest-vlan
    Enables or disables the Guest VLAN on this port.
guest-vlan <vid>
    Assigns the guest VLAN identification number (vid).
    • vid is the VLAN id, an integer value in the range 1–4000.
multi-host
    Allows you to enable or disable multiple EAPoL clients on the specified ports.
max-multi-hosts <1..8>
    Sets the maximum number of EAPoL hosts for the port.
    • 1..8 indicates that you enter an integer value in the range 1 to 8, which specifies the maximum number of hosts that can reside on this port.
initialize
    Initializes EAPoL authentication on the specified port.
max-req <1...10>
    Sets the maximum number of times to retry sending packets to the Supplicant. The default is 2.
quiet-period <1...65535 seconds>
    Sets the time interval (in seconds) between authentication failure and the start of a new authentication. The default is 60.
reauthentication
    When enabled (true), re-authenticates an existing Supplicant at the time interval specified in reauthentication-period <1...2147483647 seconds>. The default is false.
reauthenticate-now
    Reauthenticates the Supplicant connected to this port immediately.
    Note: Before you can reauthenticate the Supplicant connected to this port, you must first enable reauthentication (see "reauthentication").
reauthentication-period <1...2147483647 seconds>
    Sets the time interval (in seconds) between successive re-authentications (see "reauthentication"). The default is 3600 (1 hour).
server-timeout <1...65535 seconds>
    Sets the time (in seconds) to wait for a response from the RADIUS server. The default is 30.
supplicant-timeout <1...65535 seconds>
    Sets the time (in seconds) to wait for a response from a Supplicant for all EAP packets, except EAP Request/Identity packets. The default is 30.
transmit-period <1...65535 seconds>
    Sets the time (in seconds) to wait for a response from a Supplicant for EAP Request/Identity packets. The default is 30.

Configuration example: configuring EAPoL on a port

The following configuration example uses the commands described above to perform the following tasks on port 1/1:

• Set the status so the port is automatically authenticated.
• Retry sending packets to the Supplicant up to four times maximum.
• Wait 120 seconds between an authentication failure and another attempt.
• Wait 90 seconds for the Supplicant’s response to EAP Request/Identity packets.
• Wait 90 seconds for a response from the RADIUS server.
• Wait 90 seconds for the Supplicant’s response to all EAP packets, except EAP Request/Identity packets.
• Wait 7200 seconds (2 hours) between successive re-authentications.
• Set re-authentication to enable so that the Supplicant will be re-authenticated every 90 seconds, as specified by the re-authentication period.

Figure 68 on page 263 shows sample output for using the commands for this configuration example.

The config ethernet eapol info command shows a summary of the results.


Figure 68 eapol configuration command sample output

Passport-8310:6# config ethernet 1/1 eapol
Passport-8310:6/config/ethernet/1/1/eapol# admin-status auto
Passport-8310:6/config/ethernet/1/1/eapol# max-req 4
Passport-8310:6/config/ethernet/1/1/eapol# quiet-period 120
Passport-8310:6/config/ethernet/1/1/eapol# transmit-period 90
Passport-8310:6/config/ethernet/1/1/eapol# server-timeout 90
Passport-8310:6/config/ethernet/1/1/eapol# supplicant-timeout 90
Passport-8310:6/config/ethernet/1/1/eapol# reauthentication-period 7200
Passport-8310:6/config/ethernet/1/1/eapol# reauthentication true

Passport-8610:5# config ethernet 1/1 eapol info
        admin-status : auto
        admin-traffic-control : incoming-and-outgoing
        default-guest-vlan : disabled
        guest-vlan : 4095
        multi-host : enabled
        max-multi-hosts : 1
        max-req : 4
        quiet-period : 120
        transmit-period : 90
        server-timeout : 90
        supplicant-timeout : 90
        reauthentication-period : 7200
        reauthentication : true
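As an added example that is not from the manual, the following Python turns the intent of this configuration example into the CLI lines of Figure 68, validates each value against the ranges listed in the roadmap, and then compares a captured "config ethernet 1/1 eapol info" listing against that intent to catch a command that was never applied. The captured listing is constructed from the Figure 68 layout with server-timeout left at its default of 30 so the drift check has something to report.

```python
"""Build the per-port EAPoL command set for an ERS 8300 port from an intended
parameter set and check a captured 'config ethernet <port> eapol info' listing
for drift. Added example, not Nortel code; CAPTURED_INFO is constructed."""

# Integer ranges from the roadmap of CLI EAPoL commands.
RANGES = {
    "max-multi-hosts": (1, 8),
    "max-req": (1, 10),
    "quiet-period": (1, 65535),
    "reauthentication-period": (1, 2147483647),
    "server-timeout": (1, 65535),
    "supplicant-timeout": (1, 65535),
    "transmit-period": (1, 65535),
    "guest-vlan": (1, 4000),
}
# Keyword parameters and the values the port table accepts for them.
CHOICES = {
    "admin-status": {"auto", "force-authorized", "force-unauthorized"},
    "admin-traffic-control": {"incoming-and-outgoing", "incoming-only"},
    "reauthentication": {"true", "false"},
}


def validate(settings):
    """Raise ValueError for any parameter or value the CLI would not accept."""
    for key, value in settings.items():
        if key in RANGES:
            low, high = RANGES[key]
            if not (isinstance(value, int) and low <= value <= high):
                raise ValueError(f"{key} must be an integer in {low}..{high}, got {value!r}")
        elif key in CHOICES:
            if value not in CHOICES[key]:
                raise ValueError(f"{key} must be one of {sorted(CHOICES[key])}, got {value!r}")
        else:
            raise ValueError(f"unknown eapol parameter {key!r}")


def build_commands(port, settings):
    """Return the CLI lines in the order a user types them in Figure 68."""
    validate(settings)
    return [f"config ethernet {port} eapol"] + [f"{k} {v}" for k, v in settings.items()]


def parse_info(text):
    """Parse the 'key : value' lines of an eapol info listing into a dict."""
    info = {}
    for line in text.splitlines():
        if " : " not in line:
            continue  # prompt and command echo lines carry no ' : '
        key, value = (part.strip() for part in line.split(" : ", 1))
        info[key] = int(value) if value.isdigit() else value
    return info


def drift(settings, info_text):
    """Return {key: (intended, actual)} for every intended value not in effect."""
    actual = parse_info(info_text)
    return {k: (v, actual.get(k)) for k, v in settings.items() if actual.get(k) != v}


# The intent of the configuration example for port 1/1.
PORT_1_1 = {
    "admin-status": "auto",
    "max-req": 4,
    "quiet-period": 120,
    "transmit-period": 90,
    "server-timeout": 90,
    "supplicant-timeout": 90,
    "reauthentication-period": 7200,
    "reauthentication": "true",
}

# Constructed capture in the Figure 68 layout; server-timeout is still 30.
CAPTURED_INFO = """\
Passport-8310:6# config ethernet 1/1 eapol info
        admin-status : auto
        admin-traffic-control : incoming-and-outgoing
        default-guest-vlan : disabled
        guest-vlan : 4095
        multi-host : enabled
        max-multi-hosts : 1
        max-req : 4
        quiet-period : 120
        transmit-period : 90
        server-timeout : 30
        supplicant-timeout : 90
        reauthentication-period : 7200
        reauthentication : true
"""

if __name__ == "__main__":
    print("\n".join(build_commands("1/1", PORT_1_1)))
    for key, (wanted, got) in drift(PORT_1_1, CAPTURED_INFO).items():
        print(f"drift: {key} intended {wanted}, switch reports {got}")
```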


Configuring non-EAPoL clients on a port

To configure non-EAPoL clients on a specific port, use the following command:

config ethernet <ports> eapol non-eap-mac

where: ports uses the convention {slot/port[-slot/port][, ...]}

This command includes the following parameters:

config ethernet <ports> eapol non-eap-mac followed by:

info
    Displays information about the current non-EAPoL client configuration on this port.
add <mac>
    Adds (inserts) a non-EAPoL MAC address into the non-eap-mac list.
    • mac is the non-EAPoL MAC address, in the format {0x00:0x00:0x00:0x00:0x00:0x00}
allow-non-eap-clients
    Sets the port to allow (enable) or not allow (disable) a mix of EAPoL and non-EAPoL clients.
clear
    Clears all MAC addresses from the non-eap-mac list.
radius-mac-centralization
    Enables or disables the RADIUS MAC centralization feature on the port.
shut-down-on-intrusion
    When enabled, allows the port to shut down when the maximum non-EAP clients limit is reached.
max-non-eap-clients <1..8>
    Sets the maximum number of non-EAPoL clients allowed for the port.
    • 1..8 indicates that you enter an integer value in the range 1 to 8, which specifies the maximum number of non-EAPoL clients that can reside on this port.
remove <mac>
    Deletes the specified MAC address from the non-eap-mac list.


Changing the authentication status of a port

By default, ports are force-authorized. This means that the ports are always authorized and are not authenticated by the RADIUS server.

You can change this setting so that the ports are always unauthorized (force-unauthorized). You can also make the ports controlled so that they are automatically authenticated when you globally enable EAPoL (auto). The auto setting automatically authenticates the port according to the results of the RADIUS server.

Use the following procedure to navigate from Global configuration mode to Interface configuration mode and set the authentication state for the specified port or ports:

1 Select the port you want to edit:

  Passport-8310:5# config ethernet <ports>

2 Set the EAPoL authentication state for this port:

  Passport-8310:5(config-if)# eapol admin-status <auto|force-authorized|force-unauthorized>

where:

• auto specifies that port authorization status depends on the results of the EAPoL authentication by the RADIUS server. • force-authorized indicates that the port is always authorized. • force-unauthorized indicates that the port is always unauthorized.

For example, to enable EAPoL on Ethernet port 1/1, enter the following commands:

Passport-8310:5# config ethernet 1/1
Passport-8310:5/config/ethernet/1/1# eapol admin-status auto


Showing EAPoL statistics

The Ethernet Routing Switch 8300 provides the following show commands to help you to monitor and troubleshoot your switch:

• “Showing the EAPoL status of the switch” on page 266
• “Showing EAPoL authenticator statistics” on page 267
• “Showing EAPoL authenticator diagnostics” on page 269
• “Showing EAPoL authenticator session statistics” on page 272
• “Showing EAPoL configuration statistics” on page 274
• “Showing EAPoL operation statistics” on page 276

Showing the EAPoL status of the switch

To view the current global EAPoL configuration of the switch, use the following command:

show sys eapol

Figure 69 shows sample output for this command.

Figure 69 show sys eapol command sample output

Passport-8610:5# show sys eapol
        eap : enabled
        acct-enable : false
        default-guest-vlan : false
        guest-vlan : 4095
        radius-mac-centralization : enabled
Passport-8610:5#


Showing EAPoL authenticator statistics

To view the authenticator statistics, use the following command:

show ports info eapol auth-stats [<ports>]

where: ports uses the convention {slot/port[-slot/port][, ...]}

Figure 70 shows sample output for this command.

Figure 70 show ports info eapol auth-stats command sample output

Passport-8310:5# show ports info eapol auth-stats 1/1

================================================================================
                          Eap Authenticator Statistics
================================================================================
PORT  TOTAL  TOTAL  START  LOGOFF  RESP_ID  RESP  REQ-ID  REQ  INVALID  LENGTH  FRAME  LAST-SRC
      RX     TX     RCVD   RCVD    RCVD     RCVD  TX      TX   FRAMES   ERROR   VER    MAC
--------------------------------------------------------------------------------
1/1   0      0      0      0       0        0     0       0    0        0       0      00:00:00:00:00:00
--------------------------------------------------------------------------------

Table 18 describes the parameters in the Eap Authenticator Statistics table.

Table 18 show ports info eapol auth-stats parameters

TOTAL RX
    Displays the number of valid EAPoL frames that have been received by this Authenticator.
TOTAL TX
    Displays the number of EAPoL frames that have been transmitted by this Authenticator.
START RCVD
    Displays the number of EAPoL start frames that have been received by this Authenticator.
LOGOFF RCVD
    Displays the number of EAPoL logoff frames that have been received by this Authenticator.
RESP_ID RCVD
    Displays the number of EAPoL Resp/Id frames that have been received by this Authenticator.
RESP RCVD
    Displays the number of valid EAP Response frames (other than Resp/Id frames) that have been received by this Authenticator.
REQ_ID TX
    Displays the number of EAPoL Req/Id frames that have been transmitted by this Authenticator.
REQ TX
    Displays the number of EAP Request frames (other than Req/Id frames) that have been transmitted by this Authenticator.
INVALID FRAMES
    Displays the number of EAPoL frames that have been received by this Authenticator in which the frame type is not recognized.
LENGTH ERROR
    Displays the number of EAPoL frames that have been received by this Authenticator in which the packet body length field is not valid.
FRAME VER
    Displays the protocol version number that was in the most recently received EAPoL frame.
LAST_SRC MAC
    Displays the source MAC address that was in the most recently received EAPoL frame.


Showing EAPoL authenticator diagnostics

To view the authenticator diagnostics, use the following command:

show ports info eapol auth-diags [<ports>]

where: ports uses the convention {slot/port[-slot/port][, ...]}

Figure 71 shows sample output for this command.

Figure 71 show ports info eapol auth-diags command sample output

Passport-8310:5# show ports info eapol auth-diags

================================================================================
                       Eap Authenticator Diagnostics Table
================================================================================
Port                     1/1  1/2  1/3  1/4  1/5  1/6  1/7  1/8
--------------------------------------------------------------------------------
Enter Conn               0    0    0    0    0    0    0    0
Logoff While Conn        0    0    0    0    0    0    0    0
Enter Authing            0    0    0    0    0    0    0    0
Success While Authing    0    0    0    0    0    0    0    0
Timeout while Authing    0    0    0    0    0    0    0    0
Fail While Authing       0    0    0    0    0    0    0    0
Reauths While Authing    0    0    0    0    0    0    0    0
Starts While Authing     0    0    0    0    0    0    0    0
Logoffs While Authing    0    0    0    0    0    0    0    0
Reauths While Authed     0    0    0    0    0    0    0    0
Starts While Authed      0    0    0    0    0    0    0    0
Logoffs While Authed     0    0    0    0    0    0    0    0
Bkend Resps              0    0    0    0    0    0    0    0
Bkend Access Chall       0    0    0    0    0    0    0    0
Bkend Reqs ToSupp        0    0    0    0    0    0    0    0
Bkend NonNak From Supp   0    0    0    0    0    0    0    0
Bkend Auth Succ          0    0    0    0    0    0    0    0
Bkend Auth Fails         0    0    0    0    0    0    0    0


Table 19 describes the parameters in the Eap Authenticator Diagnostics Table.

Table 19 show ports info eapol auth-diags parameters

Enter Conn
    Counts the number of times that the Authenticator PAE state machine transitions to the Connecting state from any other state.
Logoff While Conn
    Counts the number of times that the Authenticator PAE state machine transitions from Connected to Disconnected as a result of receiving an EAPoL-Logoff message.
Enter Authing
    Counts the number of times that the Authenticator PAE state machine transitions from Connecting to Authenticating as a result of an EAP-Response/Identity message being received from the Supplicant.
Success While Authing
    Counts the number of times that the Authenticator PAE state machine transitions from Authenticating to Authenticated as a result of the Backend authentication state machine indicating successful authentication of the Supplicant.
Timeout While Authing
    Counts the number of times that the Authenticator PAE state machine transitions from Authenticating to Aborting as a result of the Backend authentication state machine indicating authentication timeout.
Fail While Authing
    Counts the number of times that the Authenticator PAE state machine transitions from Authenticating to Held as a result of the Backend authentication state machine indicating authentication failure.
Reauths While Authing
    Counts the number of times that the Authenticator PAE state machine transitions from Authenticating to Aborting as a result of a reauthentication request.
Starts While Authing
    Counts the number of times that the Authenticator PAE state machine transitions from Authenticating to Aborting as a result of an EAPoL-Start message being received from the Supplicant.
Logoffs While Authing
    Counts the number of times that the Authenticator PAE state machine transitions from Authenticating to Aborting as a result of an EAPoL-Logoff message being received from the Supplicant.
Reauths While Authed
    Counts the number of times that the Authenticator PAE state machine transitions from Authenticated to Connecting as a result of a reauthentication request.
Starts While Authed
    Counts the number of times that the Authenticator PAE state machine transitions from Authenticated to Connecting as a result of an EAPoL-Start message being received from the Supplicant.
Logoffs While Authed
    Counts the number of times that the Authenticator PAE state machine transitions from Authenticated to Disconnected as a result of an EAPoL-Logoff message being received from the Supplicant.
Bkend Resps
    Counts the number of times that the Backend Authentication state machine sends an Initial-Access request packet to the Authentication server.
Bkend Access Chall
    Counts the number of times that the Backend Authentication state machine receives an Initial-Access challenge packet from the Authentication server.
Bkend OtherReqs ToSupp
    Counts the number of times that the Backend Authentication state machine sends an EAP request packet (other than an Identity, Notification, failure, or success message) to the Supplicant.
Bkend NonNak FromSupp
    Counts the number of times that the Backend Authentication state machine receives a response from the Supplicant to an initial EAP request and the response is something other than EAP-NAK.
Bkend Auth Succ
    Counts the number of times that the Backend Authentication state machine receives an EAP-success message from the Authentication server.
Bkend Auth Fails
    Counts the number of times that the Backend Authentication state machine receives an EAP-failure message from the Authentication server.


Showing EAPoL authenticator session statistics

To view the authenticator statistics per session, use the following command:

show ports info eapol session-stats [<ports>]

where: ports uses the convention {slot/port[-slot/port][, ...]}

Figure 72 shows sample output for this command.

Figure 72 show ports info eapol session-stats command sample output

Passport-8310:5/show/ports/info/eapol# session-stats

====== Eap Authenticator Session Statistics ======
     TOTAL  TOTAL  TOTAL  TOTAL
     OCTETS OCTETS FRAMES FRAMES SESSION AUTHENTIC SESSION            TERMINATE USER
PORT RCVD   TXMT   RCVD   TXMT   ID      METHOD    TIME               CAUSE     NAME
------
5/1  0  0  0  0  none  0 day(s), 00:00:00  none
5/2  0  0  0  0  none  0 day(s), 00:00:00  none
5/3  0  0  0  0  none  0 day(s), 00:00:00  none
5/4  0  0  0  0  none  0 day(s), 00:00:00  none
5/5  0  0  0  0  none  0 day(s), 00:00:00  none
5/6  0  0  0  0  none  0 day(s), 00:00:00  none
5/7  0  0  0  0  none  0 day(s), 00:00:00  none
5/8  0  0  0  0  none  0 day(s), 00:00:00  none
7/1  0  0  0  0  none  0 day(s), 00:00:00  none
7/2  0  0  0  0  none  0 day(s), 00:00:00  none
7/3  0  0  0  0  none  0 day(s), 00:00:00  none
7/4  0  0  0  0  none  0 day(s), 00:00:00  none
7/5  0  0  0  0  none  0 day(s), 00:00:00  none
7/6  0  0  0  0  none  0 day(s), 00:00:00  none
7/7  0  0  0  0  none  0 day(s), 00:00:00  none


Table 20 describes the parameters in the Eap Authenticator Session Statistics table.

Table 20 show ports info eapol session-stats parameters

Field               Description
TOTAL OCTETS RCVD   Displays the number of octets received in user data frames on this port during the session.
TOTAL OCTETS TXMT   Displays the number of octets transmitted in user data frames on this port during the session.
TOTAL FRAMES RCVD   Displays the number of user data frames received on this port during the session.
TOTAL FRAMES TXMT   Displays the number of user data frames transmitted on this port during the session.
SESSION ID          Displays a unique identifier for the session that is at least three characters.
AUTHENTIC METHOD    Displays the authentication method (remote or local RADIUS server) used to establish the session.
SESSION TIME        Displays the duration of the session (in days, hours, minutes, and seconds).
TERMINATE CAUSE     Displays the reason the session was terminated. The possible reasons are:
                    • Supplicant logoff
                    • Port failure
                    • Supplicant restart
                    • Re-authentication failed
                    • Control force unauthorized
                    • Port re-initialized
                    • Port admin disabled
                    • Not terminated
USER NAME           Displays the user name of the Supplicant PAE.


Showing EAPoL configuration statistics

To display configuration information for the supplicant PAE associated with each selected port, use the following command:

show ports info eapol config [<ports>]

where: ports uses the convention {slot/port[-slot/port][, ...]}

Figure 73 shows sample output for this command.

Figure 73 show ports info eapol config command sample output

Passport-8310:5# show ports info eapol config 1/1

====== Eap Authenticator Config Table ======
Port 1/1
------
Admin Status        force-auth
Control Direction   both
Max Request         2
Quiet Period        60
Transmit Period     30
Server Timeout      30
Supplicant Timeout  30
Reauthentication    false
Reauth Period       3600
Guest-Vlan State    disabled
Guest-Vlan ID       4095
Multi Host          enabled
Max Multi Host      1
Allow Non-Eap Host  disabled
Max Non-Eap Host    1


Table 21 describes the parameters in the Eap Authenticator Config table.

Table 21 show ports info eapol config parameters

Item                 Description
Admin Status         Displays the authentication status for this port:
                     force-unauthorized - port is always unauthorized.
                     auto - port authorization depends on the results of the EAPoL authentication by the RADIUS server.
                     force-authorized - port is always authorized.
Control Direction    Indicates the control direction. Control direction can be either incoming-only or incoming-and-outgoing. If the port is unauthorized, traffic is blocked based on this setting.
                     • If the admin-traffic-control field value is set to incoming-only, ingressing traffic is blocked; egress traffic is forwarded normally.
                     • If the admin-traffic-control field value is set to incoming-and-outgoing, traffic is blocked in both directions.
Max Request          Displays the maximum number of times to retry sending packets to the Supplicant.
Quiet Period         Displays the time interval (in seconds) between an authentication failure and the start of a new authentication.
Transmit Period      Displays the time (in seconds) that the Authenticator waits for a response from a Supplicant to EAP Request/Identity packets.
Server Timeout       Displays the time (in seconds) that the Authenticator waits for a response from the RADIUS server.
Supplicant Timeout   Displays the time (in seconds) that the Authenticator waits for a response from a Supplicant to all EAP packets except EAP Request/Identity packets.
Reauthentication     When set to true, the Authenticator re-authenticates a Supplicant at the time interval specified in Reauth Period.
Reauth Period        Displays the time interval (in seconds) between successive re-authentications.
Guest-Vlan State     Displays the state (enabled or disabled) of the Guest VLAN on this port.
Guest-Vlan ID        Displays the guest VLAN identification number (vid). vid is the VLAN ID, an integer value in the range 1 to 4000.
Multi Host           Displays the multiple EAPoL client setting (enabled or disabled) on the specified port.
Max Multi Host       Displays the number of EAPoL hosts configured on the port. Up to 8 EAPoL hosts can reside on the port.
Allow Non-Eap Host   Displays the Allow Non-EAPoL hosts setting (enabled or disabled) for this port.
Max Non-Eap Host     Displays the number of Non-EAPoL hosts configured on the port. Up to 8 Non-EAPoL hosts can reside on the port.

Showing EAPoL operation statistics

To display statistical information about the authenticator, use the following command:

show ports info eapol oper-stats [<ports>]

where: ports uses the convention {slot/port[-slot/port][, ...]}

Figure 74 on page 277 shows sample output for this command. In this example, ports 1/1 to 1/8 have been selected for display.


Figure 74 show ports info eapol oper-stats command sample output

Passport-8310:5# show ports info eapol oper-stats 1/1-1/8

====== Eap Oper Stats ======
PORT  CTRL DIR  PORT STATUS  PAE STATUS        BKEND STATUS
------
1/1   both      authorized   force-authorized  idle
1/2   both      authorized   force-authorized  idle
1/3   both      authorized   force-authorized  idle
1/4   both      authorized   force-authorized  idle
1/5   both      authorized   force-authorized  idle
1/6   both      authorized   force-authorized  idle
1/7   both      authorized   force-authorized  idle
1/8   both      authorized   force-authorized  idle

Table 22 describes the parameters in the Eap Oper Stats table.

Table 22 show ports info eapol oper-stats parameters

Item          Description
CTRL DIR      Indicates the control direction. Control direction can be either incoming-only or incoming-and-outgoing. If the port is unauthorized, traffic is blocked based on this setting.
              • If the admin-traffic-control field value is set to incoming-only, ingressing traffic is blocked; egress traffic is forwarded normally.
              • If the admin-traffic-control field value is set to incoming-and-outgoing, traffic is blocked in both directions.
PORT STATUS   Displays the authentication status for this port:
              unauthorized - port is always unauthorized.
              auto - port authorization depends on the results of the EAPoL authentication by the RADIUS server.
              authorized - port is always authorized.
PAE STATUS    Displays the current Authenticator PAE state. The possible states are:
              initialized, disconnected, connecting, authenticating, authenticated, aborting, held, force-authorized, force-unauthorized
BKEND STATUS  Displays the current state of Backend Authentication. The possible states are:
              request, response, success, fail, timeout, idle, initialize
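The PAE STATUS column is the quickest way to see which ports actually run the authenticator state machine and which have authentication bypassed (force-authorized). The following is an added example, not Nortel code: a small Python parser for output in the shape of Figure 74 that sorts ports into enforcing, bypassed and blocked groups and flags ports whose backend state shows a failed or timed-out authentication. The sample output embedded in it is constructed for the example (port states chosen to exercise each branch), not captured from a switch.

```python
"""Audit 'show ports info eapol oper-stats' output (added example, not Nortel code)."""
import re

# Constructed sample in the shape of Figure 74; the values are made up so that
# every branch of the audit is exercised.
SAMPLE_OPER_STATS = """\
Passport-8310:5# show ports info eapol oper-stats 1/1-1/4

====== Eap Oper Stats ======
PORT  CTRL DIR  PORT STATUS   PAE STATUS          BKEND STATUS
------
1/1   both      authorized    force-authorized    idle
1/2   both      authorized    authenticated       idle
1/3   both      unauthorized  force-unauthorized  idle
1/4   both      unauthorized  held                fail
"""

# One data row: port, control direction, port status, PAE state, backend state.
ROW_RE = re.compile(
    r"^(?P<port>\d+/\d+)\s+(?P<dir>\S+)\s+(?P<status>\S+)\s+(?P<pae>\S+)\s+(?P<bkend>\S+)\s*$"
)

# PAE states from Table 22 in which the authenticator state machine is running,
# i.e. the port is under 'auto' control rather than forced either way.
ENFORCING_STATES = {
    "initialized", "disconnected", "connecting", "authenticating",
    "authenticated", "aborting", "held",
}


def parse_oper_stats(text):
    """Return one dict per data row; banner, header and separator lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def audit(rows):
    """Group ports by how 802.1X is applied to them.

    bypassed:  PAE is force-authorized (traffic allowed without authentication)
    blocked:   PAE is force-unauthorized
    enforcing: authenticator state machine is active
    failed:    enforcing ports whose backend state is fail or timeout
    """
    report = {"bypassed": [], "blocked": [], "enforcing": [], "failed": []}
    for r in rows:
        if r["pae"] == "force-authorized":
            report["bypassed"].append(r["port"])
        elif r["pae"] == "force-unauthorized":
            report["blocked"].append(r["port"])
        elif r["pae"] in ENFORCING_STATES:
            report["enforcing"].append(r["port"])
            if r["bkend"] in ("fail", "timeout"):
                report["failed"].append(r["port"])
    return report


if __name__ == "__main__":
    for group, ports in audit(parse_oper_stats(SAMPLE_OPER_STATS)).items():
        print(f"{group:10s} {', '.join(ports) or '-'}")
```

Run against real output, the "bypassed" list is the set of access ports to review: in the sample on this page every port is force-authorized, which is the state before EAPoL has been enabled on a port.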

Showing multiple clients session information

To display information about multiple client sessions configured on one or more ports, use the following command:

show ports info eapol multi-host-session-stats [<ports>]

where: ports uses the convention {slot/port[-slot/port][, ...]}

Figure 75 on page 279 shows sample output for this command. In this example, ports 1/1 to 1/4 have been selected for display.


Figure 75 show ports info eapol multi-host-session-stats command sample output

Passport-8310:5# show ports info eapol multi-host-session-stats 1/1-1/4

Unit/Port  Client-Mac_Addr    Session-Id  Auth-Method   Session-Time  Term-Cause       User-Name
------
1/1        00:00:00:00:00:00  10          local-server  00:04:16:09   re-auth failure
1/2        00:00:00:00:00:00  20          local-server  00:00:05:32   not-terminated   user2
1/3        00:00:00:00:00:00  30          local-server  00:02:24:45   not-terminated   user3
1/4        00:00:00:00:00:00  40          local-server  00:01:09:03   not-terminated   user4

Table 23 describes the information provided for multiple client sessions.

Table 23 show ports info eapol multi-host-session-stats parameters

Item                   Description
Unit/Port              Lists the port number for the displayed statistics.
Client MAC Address     Displays the MAC address of the client.
Session ID             Displays the unique identifier for the session.
Authentication Method  Displays the authentication method (remote-server or local-server) used to establish the session.
Session Time           Displays the duration of the session (in days, hours, minutes, and seconds).
Terminate Cause        Displays the reason the session was terminated. The possible reasons are:
                       • Supplicant logoff
                       • Port failure
                       • Supplicant restart
                       • Re-authentication failed
                       • Control force unauthorized
                       • Port re-initialized
                       • Port admin disabled
                       • Not terminated
User Name              Displays the username of the Supplicant PAE.


Viewing the status of non-EAPoL clients that use RADIUS

To view information about non-EAPoL clients using RADIUS on one or more ports, use the following command:

show ports info eapol radius-non-eap-mac [<ports>]

where: ports uses the convention {slot/port[-slot/port][, ...]}

Figure 76 shows sample output for this command. In this example, ports 1/1 to 1/4 have been selected for display.

Figure 76 show ports info eapol radius-non-eap-mac command sample output

Passport-8310:5# show ports info eapol radius-non-eap-mac 1/1-1/4

Unit/Port  Client Mac Addr    Authentication Status
------
1/1        00:00:00:00:00:00  pending
1/2        00:00:00:00:00:00  pending
1/3        00:00:00:00:00:00  request-dropped
1/4        00:00:00:00:00:00  pending

Passport-8310:5#

Figure 77 describes the information available for non-EAP clients.

Figure 77 show ports info eapol radius-non-eap-mac parameters

Item                   Description
Unit/Port              Indicates the slot and port numbers.
Client Mac Address     Displays the non-EAP MAC address of the device connected to the port.
Authentication Status  Displays the RADIUS authentication status of the learned MAC addresses. There are five possible status options:
                       • Pending
                       • Rejected
                       • Authenticated
                       • Request dropped
                       • Server not reachable

Note: Non-EAP clients are not authenticated if the RADIUS queue is full, or if the RADIUS server cannot process the requests. For example, when the RADIUS server is down during STP convergence, a discard filter is added for non-EAP clients. The RADIUS request for the non-EAP clients times out and is dropped. That is, the non-EAP clients are discarded and never get a chance to be authenticated. In addition, if the RADIUS queue is full and more RADIUS requests come in, all those additional RADIUS requests are dropped.

To solve this issue, in Ethernet Routing Switch 8300 software release 2.2 the authentication status of the non-EAP client changes from pending to radius-server-not-reachable when the RADIUS request of a non-EAP client times out. Also, when the RADIUS request of a non-EAP client is dropped due to insufficient space in the RADIUS queue, the authentication status of the non-EAP client is changed to radius-request-dropped.

The discarded RADIUS non-EAP clients (with an authentication status of radius-request-dropped or radius-server-not-reachable) receive another chance to be authenticated when one of the following occurs:

• The discard-filter-ageout timer (configured by the user) expires. By default, the discard-filter-ageout value is 10 seconds. The user can configure it to a value in the range of 5–3600 seconds.
• Traffic from the RADIUS server is received.

In addition, a consistency check prevents enabling EAP and unknown-mac-discard together.
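The note above distinguishes clients that were rejected by RADIUS from clients that were never actually evaluated (request dropped, server not reachable) and will be retried once the discard-filter-ageout timer expires. As an added example, not Nortel code, the Python below parses output in the shape of Figure 76, counts clients per status, lists the entries that are waiting on the ageout timer rather than on a RADIUS decision, and checks a proposed discard-filter-ageout value against the documented range (5–3600 seconds, default 10). The sample output, MAC addresses and status mix are constructed for the example; the status spellings accepted include both the short form shown in Figure 76 and the radius- prefixed form used in the note.

```python
"""Summarise 'show ports info eapol radius-non-eap-mac' output (added example, not Nortel code)."""
import re
from collections import Counter

# Constructed sample in the shape of Figure 76; MAC addresses and statuses are made up.
SAMPLE_NON_EAP = """\
Passport-8310:5# show ports info eapol radius-non-eap-mac 1/1-1/4
Unit/Port  Client Mac Addr     Authentication Status
------
1/1        00:11:22:33:44:55   pending
1/2        00:11:22:33:44:66   authenticated
1/3        00:11:22:33:44:77   request-dropped
1/4        00:11:22:33:44:88   server-not-reachable
1/4        00:11:22:33:44:99   rejected
"""

ROW_RE = re.compile(
    r"^(?P<port>\d+/\d+)\s+(?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})\s+(?P<status>\S+)"
)

# Statuses the note says are discarded but get another chance when the
# discard-filter-ageout timer expires or traffic from the RADIUS server arrives.
# Both the short form (Figure 76) and the radius- prefixed form (note) are accepted.
RETRY_STATUSES = {
    "request-dropped", "radius-request-dropped",
    "server-not-reachable", "radius-server-not-reachable",
}

# Documented timer limits for discard-filter-ageout (seconds).
DISCARD_FILTER_AGEOUT_DEFAULT = 10
DISCARD_FILTER_AGEOUT_RANGE = (5, 3600)


def parse_non_eap(text):
    """Return one dict (port, mac, status) per data row of the command output."""
    entries = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def status_counts(entries):
    """Number of learned MACs in each RADIUS authentication status."""
    return Counter(e["status"] for e in entries)


def retry_candidates(entries):
    """(port, mac) pairs that were never evaluated by RADIUS and await the ageout retry."""
    return [(e["port"], e["mac"]) for e in entries if e["status"] in RETRY_STATUSES]


def ageout_is_valid(seconds):
    """True when seconds is an integer inside the documented 5-3600 range."""
    lo, hi = DISCARD_FILTER_AGEOUT_RANGE
    return isinstance(seconds, int) and lo <= seconds <= hi


if __name__ == "__main__":
    entries = parse_non_eap(SAMPLE_NON_EAP)
    print(dict(status_counts(entries)))
    print("retry after ageout:", retry_candidates(entries))
    print("default ageout valid:", ageout_is_valid(DISCARD_FILTER_AGEOUT_DEFAULT))
```

A growing retry list across successive runs of the command is a sign that the RADIUS server or the switch's RADIUS queue is the bottleneck, not that the clients are being denied.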


Viewing allowed non-EAPoL MAC addresses

To view the allowed non-EAPoL MAC addresses and the associated slot/port for each, use the following command from any mode:

show ports info eapol non-eap-mac [<ports>]

where: ports uses the convention {slot/port[-slot/port][, ...]}.

Figure 78 shows sample output for this command.

Figure 78 show ports info eapol non-eap-mac command sample output

Passport-8310:5# show ports info eapol non-eap-mac 1/1-1/4

Unit/Port  Allowed Mac Addr
------
1/1        00:00:00:00:00:00
1/2        00:00:00:00:00:00
1/3        00:00:00:00:00:00
1/4        00:00:00:00:00:00

Passport-8310:5#

Table 24 describes the information provided by the show ports info eapol non-eap-mac command.

Table 24 show ports info eapol non-eap-mac parameters

Item                 Description
Unit/Port            Indicates the slot/port number.
Allowed Mac Address  Displays the list of allowed non-EAP MAC addresses that have been added.


283 Chapter 15 Configuring TACACS+ using the NNCLI

This chapter describes how to configure TACACS+ using the NNCLI.

Specifically, it includes the following topics:

Topic                                                                Page
Roadmap of CLI TACACS+ commands                                      283
Enabling TACACS+ authentication                                      284
Configuring a TACACS+ server                                         285
Configuration example: enabling TACACS+ and adding a TACACS+ server  287

Roadmap of CLI TACACS+ commands

The following roadmap lists the CLI TACACS+ commands and their parameters. Use this list as a quick reference, or click on any entry for more information:

Command                               Optional parameters
tacacs enable
no tacacs enable
show tacacs
tacacs server <ipaddr> key <key>      [port <port>] [priority <priority>] [single-connection enable] [source <ipaddr>] [timeout <timeout>]
no tacacs server <ipaddr>


Enabling TACACS+ authentication

To enable TACACS+ authentication globally on the switch, use the following command from the Global configuration mode:

tacacs enable

To disable TACACS+ authentication globally on the switch, use the following command from the Global configuration mode:

no tacacs enable

Showing TACACS+ information

To display the status of TACACS+ configuration, enter the following command from any mode:

show tacacs

Figure 79 shows sample output for the show tacacs command.

Figure 79 Sample of show tacacs command output

Passport-8310:5# show tacacs

TACACS+ authentication is enabled.

IP address  Status   Key    Port  Prio  Timeout  Single  Source IP
------
1.1.1.1     NotConn  myKey  49    1     10       No      0.0.0.0

Passport-8310:5(config)#


Configuring a TACACS+ server

To add a TACACS+ server, use the following command from the Global configuration mode:

tacacs server <ipaddr> key <key>

where:

• ipaddr is the IP address of the server you want to add
• key is the secret authentication and encryption key used for all TACACS+ communications between the device and the TACACS+ server

Note: The key parameter is a required parameter only when creating a new server entry. The parameter is optional when modifying an existing entry.


After you have added the TACACS+ server, use the following tacacs server commands to further configure the TACACS+ server settings:

tacacs server <ipaddr> [key <key>] [port <port>] [priority <priority>] [single-connection enable] [source <ipaddr>] [timeout <timeout>]

Optional parameters:

• key <key>: Specifies the authentication and encryption key for all TACACS+ communications between the device and the TACACS+ server. This key must match the encryption key used on the TACACS+ daemon. The string length is 1–128 characters.
• port <port>: Specifies the TCP port you want to use. If unspecified, the default port number is 49. The range of values is 0–65535.
• priority <priority>: Determines the order in which the servers are used, where 1 specifies the highest priority. The default value is 1. When you add a second or subsequent server, you must specify a unique value. The range of values is 1–65535.
• single-connection enable: Rather than have the device open and close a TCP connection to the daemon each time it must communicate, the single-connection option maintains a single open connection between the device and the daemon. By default, single-connection is disabled. To disable single-connection, use the command no tacacs server <ipaddr> single-connection enable.
• source <ipaddr>: Specifies the source IP address to use for communication. Enter 0.0.0.0 to use the IP address of the outgoing IP interface. The default value is 0.0.0.0.
• timeout <timeout>: Specifies the timeout value (in seconds) for communications with the TACACS+ server. The default value is 10 seconds. The range of values is 10–30.

To delete a TACACS+ server, use the following command from the Global configuration mode:

no tacacs server <ipaddr>


Configuration example: enabling TACACS+ and adding a TACACS+ server

The following configuration example uses the commands described above to enable TACACS+ globally and add a TACACS+ server with the following parameters:

• IP address 12.12.12.12
• key of myKey

Figure 80 shows sample input using these commands.

Figure 80 Sample of tacacs server command input

Passport-8310:5(config)# tacacs enable
Passport-8310:5(config)# tacacs server 12.12.12.12 key 9
Passport-8310:5(config)# show tacacs

TACACS+ authentication is enabled.

IP address   Status  Key    Port  Prio  Timeout  Single  Source IP
------
12.12.12.12  Conn    myKey  49    1     10       No      0.0.0.0

Passport-8310:5(config)#


289 Chapter 16 Configuring TACACS+ using the CLI

This chapter describes how to configure TACACS+ using the CLI.

Specifically, it includes the following topics:

Topic                                             Page
Roadmap of CLI TACACS+ commands                   289
Configuring TACACS+ on the switch                 290
Configuring a TACACS+ server                      292
Configuration example: adding a TACACS+ server    294

Roadmap of CLI TACACS+ commands

The following roadmap lists the CLI TACACS+ commands and their parameters. Use this list as a quick reference, or click on any entry for more information:

Command               Parameter
config tacacs         info
                      enable <true|false>
config tacacs server  info
                      create <ipaddr> secret <secret> [port <port>] [priority <priority>] [timeout <timeout>] [single-connection <true|false>] [source <ipaddr>]
                      set <ipaddr> [secret <secret>] [port <port>] [priority <priority>] [timeout <timeout>] [single-connection <true|false>] [source <ipaddr>]
                      delete <ipaddr>

Configuring TACACS+ on the switch

To configure TACACS+ on the switch, use the following command:

config tacacs

This is a complete list of the config tacacs commands. The sections that follow provide specific details about each command.

config tacacs followed by:

info
    Displays global TACACS+ settings.
    Note: The show tacacs info command can also be used to display TACACS+ server settings.
enable <true|false>
    Enables (true) or disables (false) the TACACS+ authentication feature. By default, TACACS+ authentication is disabled.


Enabling TACACS+

To enable or disable TACACS+ authentication on the switch, use the following command:

config tacacs enable <true|false>

where:
• true enables TACACS+ authentication
• false disables TACACS+ authentication

Showing TACACS+ information

To display the status of TACACS+ authentication, enter one of the following commands:

config tacacs info

or

show tacacs info

Figure 81 shows sample output for the config tacacs info command.

Figure 81 Sample of config tacacs info command output

Passport-8310:5# config tacacs info

Sub-context: clear config monitor show test trace
Current Context:

enable : true

Passport-8310:5#


Configuring a TACACS+ server

To create, delete, or get information about a TACACS+ server, use the following command:

config tacacs server

The following shows a complete list of the config tacacs server commands.

config tacacs server followed by:

info
    Displays the TACACS+ server settings.
    Note: The show tacacs server config command can also be used to display TACACS+ server settings.

create <ipaddr> secret <secret> [port <port>] [priority <priority>] [timeout <timeout>] [single-connection <true|false>] [source <ipaddr>]
    Creates a TACACS+ server, where <ipaddr> is the IP address of the server you want to add. The secret specifies the authentication and encryption key for all TACACS+ communications between the device and the TACACS+ server. This key must match the encryption key used on the TACACS+ daemon. The string length is 1–128 characters.
    Optional parameters:
    • port <port>: Specifies the TCP port you want to use. If unspecified, the default port number is 49. The range of values is 0–65535.
    • priority <priority>: Determines the order in which the servers are used, where 1 specifies the highest priority. The default value is 1. When you add a second or subsequent server, you must specify a unique value. The range of values is 1–65535.
    • timeout <timeout>: Specifies the timeout value in seconds. The default value is 10 seconds. The range of values is 10–30.
    • single-connection <true|false>: Enter true to specify single-connection. Rather than have the device open and close a TCP connection to the daemon each time it must communicate, the single-connection option maintains a single open connection between the device and the daemon. If no value is specified, the value defaults to false.
    • source <ipaddr>: Specifies the source IP address to use for communication. An address value of 0.0.0.0 is interpreted as a request to use the IP address of the outgoing IP interface. If no source value is specified, the value defaults to 0.0.0.0.

set <ipaddr> [secret <secret>] [port <port>] [priority <priority>] [timeout <timeout>] [single-connection <true|false>] [source <ipaddr>]
    Changes the specified server values without having to delete the server and recreate it.
    Optional parameters:
    • secret <secret>: Specifies the authentication and encryption key for all TACACS+ communications between the device and the TACACS+ server. This key must match the encryption key used on the TACACS+ daemon. The string length is 1–128 characters.
    • port <port>: Specifies the TCP port you want to use. The range of values is 0–65535.
    • priority <priority>: Determines the order in which the servers are used, where 1 specifies the highest priority. The range of values is 1–65535.
    • timeout <timeout>: Specifies the timeout value in seconds. The range of values is 10–30.
    • single-connection <true|false>: Enter true to specify single-connection. Rather than have the device open and close a TCP connection to the daemon each time it must communicate, the single-connection option maintains a single open connection between the device and the daemon.
    • source <ipaddr>: Specifies the source IP address to use for communication. An address value of 0.0.0.0 is interpreted as a request to use the IP address of the outgoing IP interface.

delete <ipaddr>
    Deletes a TACACS+ server, where <ipaddr> is the IP address of the server you want to delete.
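The NNCLI tacacs server command in Chapter 15 and the config tacacs server create/set commands above accept the same parameter set with the same limits: a 1–128 character shared key, TCP port 0–65535 (default 49), a priority of 1–65535 that must be unique per server and where 1 is tried first, a 10–30 second timeout (default 10), single-connection off by default, and a 0.0.0.0 source meaning the outgoing interface. The Python below is an added example, not Nortel code, that models a set of server entries, checks every value against those documented limits (including the priority-uniqueness rule), reports the order in which the switch will try the servers, and renders both the NNCLI and the CLI command lines for each entry. The server addresses and keys in the test are constructed; the validator knows nothing about the switch beyond the rules stated on this page.

```python
"""Validate TACACS+ server entries against the documented parameter rules and
render the NNCLI / CLI commands (added example, not Nortel code)."""
import ipaddress
from dataclasses import dataclass


@dataclass
class TacacsServer:
    """One tacacs server entry with the page's documented defaults."""
    ipaddr: str
    key: str                     # shared secret, 1-128 characters
    port: int = 49               # TCP port, 0-65535
    priority: int = 1            # 1 = highest; must be unique per server
    timeout: int = 10            # seconds, 10-30
    single_connection: bool = False
    source: str = "0.0.0.0"      # 0.0.0.0 = use the outgoing interface address


def _is_ipv4(text):
    try:
        ipaddress.IPv4Address(text)
        return True
    except ValueError:
        return False


def validate_server(s):
    """Return a list of rule violations for a single entry (empty when valid)."""
    errors = []
    if not _is_ipv4(s.ipaddr):
        errors.append(f"{s.ipaddr}: not a valid IPv4 address")
    if not 1 <= len(s.key) <= 128:
        errors.append(f"{s.ipaddr}: key length must be 1-128 characters")
    if not 0 <= s.port <= 65535:
        errors.append(f"{s.ipaddr}: port must be 0-65535")
    if not 1 <= s.priority <= 65535:
        errors.append(f"{s.ipaddr}: priority must be 1-65535")
    if not 10 <= s.timeout <= 30:
        errors.append(f"{s.ipaddr}: timeout must be 10-30 seconds")
    if not _is_ipv4(s.source):
        errors.append(f"{s.ipaddr}: source must be an IPv4 address (0.0.0.0 = outgoing interface)")
    return errors


def validate_servers(servers):
    """Per-entry checks plus the cross-entry rule that priorities are unique."""
    errors = []
    seen = {}
    for s in servers:
        errors.extend(validate_server(s))
        if s.priority in seen:
            errors.append(f"{s.ipaddr}: priority {s.priority} already used by {seen[s.priority]}")
        else:
            seen[s.priority] = s.ipaddr
    return errors


def server_order(servers):
    """Server addresses in the order the switch tries them (priority 1 first)."""
    return [s.ipaddr for s in sorted(servers, key=lambda s: s.priority)]


def nncli_command(s):
    """Chapter 15 form: tacacs server <ipaddr> key <key> [port] [priority] [single-connection enable] [source] [timeout]."""
    parts = [f"tacacs server {s.ipaddr} key {s.key}", f"port {s.port}", f"priority {s.priority}"]
    if s.single_connection:
        parts.append("single-connection enable")
    parts += [f"source {s.source}", f"timeout {s.timeout}"]
    return " ".join(parts)


def cli_command(s):
    """Chapter 16 form: config tacacs server create <ipaddr> secret <secret> [port] [priority] [timeout] [single-connection] [source]."""
    return (f"config tacacs server create {s.ipaddr} secret {s.key} port {s.port} "
            f"priority {s.priority} timeout {s.timeout} "
            f"single-connection {'true' if s.single_connection else 'false'} source {s.source}")


if __name__ == "__main__":
    # Constructed entries: the page's 12.12.12.12 example plus a made-up second server.
    servers = [TacacsServer("12.12.12.12", "myKey", priority=2, timeout=25, single_connection=True),
               TacacsServer("10.0.0.5", "otherKey")]
    print(validate_servers(servers) or "ok")
    print(server_order(servers))
    for s in servers:
        print(nncli_command(s))
        print(cli_command(s))
```

Note that both show tacacs (Chapter 15) and config tacacs server info display the key in clear text in the Key/Secret column, so output from those commands should be handled with the same care as the key itself.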

Showing TACACS+ server configurations

To display current TACACS+ server configurations, enter one of the following commands:

config tacacs server info

or

show tacacs server config

Figure 82 on page 294 shows sample output for the config tacacs server info command.


Configuration example: adding a TACACS+ server

The following configuration example uses the commands described above to add a TACACS+ server with the following parameters:

• IP address 12.12.12.12
• key of myKey
• priority value of 2
• timeout value of 25
• single-connection enabled

Figure 82 shows sample output using these commands.

Figure 82 Sample of config tacacs+ server command output

Passport-8310:5# config tacacs server create 12.12.12.12 secret myKey priority 2 timeout 25 single-connection true
Passport-8310:5# config tacacs server info

Sub-context: clear config monitor show test trace
Current Context:

create :

Name         Status  Secret  Port  Prio  Timeout  Single  Source
12.12.12.12  Conn    myKey   49    2     25       true    0.0.0.0

delete : N/A
set : N/A

Passport-8310:5#


295 Chapter 17 NNCLI configuration examples

This chapter provides examples of common EAPoL and SNMPv3 configuration tasks, including the NNCLI commands you use to create the example configurations.

Note: For a complete description of NNCLI commands you can use to configure specific EAPoL and SNMPv3 tasks, including those shown in this chapter, see the appropriate NNCLI chapter in this guide.

This chapter includes the following topics:

Topic                           Page
Configuring EAPoL via Layer 2   296
Configuring EAPoL via Layer 3   300
Configuring SNMPv3              304


Configuring EAPoL via Layer 2

In this configuration example, you use VLAN 2 for the EAPoL Supplicants, ports 1/20-1/25. You use port 1/13 for the trunk port to the Ethernet Routing Switch 8600 core. Only ports 1/20 and 1/21 are ready for EAPoL users. The other EAPoL Supplicant ports (1/22-1/25) are reserved for future EAPoL use; configure these ports so that they cannot be accessed. All ports are FastEthernet 10/100. Specifically, this configuration example shows how to perform the following tasks:

• Create VLAN 2 for EAPoL with port 1/13 and ports 1/20-1/25
• Use IP address 10.1.30.2/24 on VLAN 2
• Configure ports 1/20 and 1/21 for EAPoL auto
• Configure ports 1/22-1/25 for EAPoL force-unauthorized
• Configure a RADIUS server on the Ethernet Routing Switch 8300 switch that points to the Authentication Server

Figure 83 illustrates this configuration example.

Figure 83 EAPoL via L2

Figure 83 (diagram): EAP Supplicants on ports 1/20 and 1/21 of the Ethernet Routing Switch 8300 (EAP Authenticator); ports 1/22-1/25 reserved for future EAP users; port 1/13 connects to the core (Ethernet Routing Switch 8600 A and B); RADIUS Authentication Server 10.1.30.10/24 on VLAN 2, 10.1.30.x/24.

To configure the switch for this example, follow these steps:

1 Create VLAN 2 as a port-based VLAN using STG 1:

Passport-8310:5(config)#vlan create 2 type port 1

2 If required, enable VLAN tagging on port 1/13:

Passport-8310:5(config)#interface fastEthernet 1/13
Passport-8310:5(config-if)#encapsulation dot1q
Passport-8310:5(config-if)#exit

3 Add VLAN members:

Passport-8310:5(config)#vlan members add 2 1/13,1/20-1/25

4 Remove port members from the default VLAN:

Passport-8310:5(config)#vlan members remove 1 1/13,1/20-1/25

5 Add an IP address to VLAN 2:

Passport-8310:5(config)#interface vlan 2
Passport-8310:5(config-if)#ip address 10.1.30.2 255.255.255.0
Passport-8310:5(config-if)#exit

6 Enable EAPoL globally:

Passport-8310:5(config)#eapol

7 Enable EAPoL on ports 1/20 and 1/21:

a Go to ports 1/20-1/21:

Passport-8310:5(config)#interface fastEthernet 1/20-1/21

b Set EAPoL status to auto:

Passport-8310:5(config-if)#eapol status auto
Passport-8310:5(config-if)#exit

8 Set ports 1/22-1/25 to EAPoL unauthorized:

a Go to ports 1/22-1/25:

Passport-8310:5(config)#interface fastEthernet 1/22-1/25

b Set EAPoL status to unauthorized:

Passport-8310:5(config-if)#eapol status unauthorized
Passport-8310:5(config-if)#exit

9 Add the RADIUS server configuration:

a Enable RADIUS globally:

Passport-8310:5(config)#radius

b Add the RADIUS server; use the RADIUS key eap8300:

Passport-8310:5(config)#radius-server host 10.1.30.10 key eap8300 useby eap


Configuration files

This section shows the configuration commands and parameters used to create the topology shown in Figure 83 on page 296. You can copy and paste the command outputs shown here to update your configuration files.

# PORT CONFIGURATION - PHASE I #
interface FastEthernet 1/20
eapol status auto
interface FastEthernet 1/21
eapol status auto
interface FastEthernet 1/22
eapol status unauthorized
interface FastEthernet 1/23
eapol status unauthorized
interface FastEthernet 1/24
eapol status unauthorized
interface FastEthernet 1/25
eapol status unauthorized
config terminal
#
# VLAN CONFIGURATION
#
no vlan members 1 1/13,1/20-1/25 portmember
vlan create 2 type port 1
no vlan members 2 1/1-1/12,1/14-1/19,1/26-1/48,2/1-2/24,5/1-5/8 portmember
vlan members 2 1/13,1/20-1/25 portmember
interface VLAN 2
ip address 10.1.30.2 255.255.255.0
config terminal
#
# RADIUS CONFIGURATION
#
radius-server host 10.1.30.10 key eap8300 useby eapol acct-port 1813
radius
#
# GLOBAL EAP CONFIGURATION
#
eapol
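The point of the PORT CONFIGURATION block above is that every supplicant-facing port in VLAN 2 gets an explicit eapol status: auto for the ports that are ready for EAPoL users and unauthorized for the reserved ports, so that none of them is left in the default force-authorized state while the uplink 1/13 is left alone. The Python below is an added example, not Nortel code: it expands the {slot/port[-slot/port][, ...]} port-list convention used throughout this guide and generates that block from three port lists (VLAN members, ports enabled for auto, uplink ports to skip). As a simplification it rejects ranges that cross a slot boundary; the function and parameter names are the example's own.

```python
"""Expand the guide's port-list convention and generate per-port EAPoL status
commands in the shape of the PORT CONFIGURATION block (added example, not Nortel code)."""
import re

# slot/port or slot/port-slot/port
RANGE_RE = re.compile(r"^(\d+)/(\d+)(?:-(\d+)/(\d+))?$")


def expand_ports(spec):
    """'1/13,1/20-1/25' -> ['1/13', '1/20', '1/21', '1/22', '1/23', '1/24', '1/25'].

    Simplification for this example: a range must stay within one slot.
    """
    ports = []
    for item in spec.replace(" ", "").split(","):
        if not item:
            continue
        m = RANGE_RE.match(item)
        if not m:
            raise ValueError(f"bad port item: {item!r}")
        slot1, port1, slot2, port2 = m.groups()
        if slot2 is None:
            ports.append(f"{slot1}/{port1}")
            continue
        if slot1 != slot2:
            raise ValueError(f"range must stay within one slot: {item!r}")
        lo, hi = int(port1), int(port2)
        if lo > hi:
            raise ValueError(f"range is reversed: {item!r}")
        ports.extend(f"{slot1}/{p}" for p in range(lo, hi + 1))
    return ports


def eapol_port_config(vlan_ports, auto_ports, uplink_ports=""):
    """Return NNCLI lines giving every non-uplink VLAN member an explicit eapol status.

    vlan_ports:   all port members of the supplicant VLAN
    auto_ports:   ports that should authenticate users (eapol status auto)
    uplink_ports: trunk ports that must not run EAPoL and are skipped
    Every other VLAN member is treated as reserved and set to unauthorized.
    """
    auto = set(expand_ports(auto_ports))
    uplinks = set(expand_ports(uplink_ports))
    missing = auto - set(expand_ports(vlan_ports))
    if missing:
        raise ValueError(f"auto ports not in VLAN: {sorted(missing)}")
    lines = ["# PORT CONFIGURATION - PHASE I #"]
    for port in expand_ports(vlan_ports):
        if port in uplinks:
            continue
        status = "auto" if port in auto else "unauthorized"
        lines.append(f"interface FastEthernet {port}")
        lines.append(f"eapol status {status}")
    return lines


if __name__ == "__main__":
    # The Layer 2 example on this page: VLAN 2 = 1/13 plus 1/20-1/25,
    # 1/20-1/21 ready for users, 1/13 is the uplink to the core.
    print("\n".join(eapol_port_config("1/13,1/20-1/25", "1/20-1/21", "1/13")))
```

Feeding the example's own port lists reproduces the twelve interface/eapol lines of the block above; any port later added to the VLAN without being listed as auto comes out as unauthorized rather than silently open.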


Configuring EAPoL via Layer 3

In this configuration example, the Ethernet Routing Switch 8300 is connected to a routed core. Specifically, this configuration example shows how to perform the following tasks:

• Create VLAN 2 with port 1/13 and IP address 10.1.25.2/24, used to connect to the core network.
• Create VLAN 3 with ports 1/24 and 1/25 and IP address 10.1.26.1/24, used for the EAPoL supplicants.
• Add a static default route pointing to 10.1.25.1 on Ethernet Routing Switch 8600 switch B.
• Configure a RADIUS server entry pointing to the authentication server.

Figure 84 illustrates this configuration example.

Figure 84 EAPoL via L3 (topology: Ethernet Routing Switch 8600 A and 8600 B form the OSPF core; the Ethernet Routing Switch 8300 connects to 8600 B through port 1/13 on VLAN 2, 10.1.25.x/24; the EAP supplicants attach to ports 1/24 and 1/25 on VLAN 3, 10.1.26.x/24; the RADIUS authentication server, 10.1.30.10/24, sits on the 10.1.30.x/24 network behind the core)

Configure Ethernet Routing Switch 8600 B with a static route for the 10.1.26.0/24 network and enable OSPF static route redistribution.

To configure the switch for this example, follow these steps:

1 Remove ports from the default VLAN:
Passport-8310:5(config)#vlan members remove 1 1/13,1/24-1/25

2 Create VLAN 2 as a port-based VLAN using STG 1:
Passport-8310:5(config)#vlan create 2 type port 1


3 If required, enable VLAN tagging on port 1/13:
Passport-8310:5(config)#interface fastEthernet 1/13
Passport-8310:5(config-if)#encapsulation dot1q
Passport-8310:5(config-if)#exit

4 Add VLAN members:
Passport-8310:5(config)#vlan members add 2 1/13

5 Add an IP address to VLAN 2:
Passport-8310:5(config)#interface vlan 2
Passport-8310:5(config-if)#ip address 10.1.25.2 255.255.255.0
Passport-8310:5(config-if)#exit

6 Create VLAN 3 as a port-based VLAN using STG 1:
Passport-8310:5(config)#vlan create 3 type port 1

7 Add VLAN members:
Passport-8310:5(config)#vlan members add 3 1/24-1/25

8 Add an IP address to VLAN 3:
Passport-8310:5(config)#interface vlan 3
Passport-8310:5(config-if)#ip address 10.1.26.1 255.255.255.0
Passport-8310:5(config-if)#exit

9 Add the static default route:
Passport-8310:5(config)#ip route 0.0.0.0 0.0.0.0 10.1.25.1 1

10 Enable EAPoL globally:
Passport-8310:5(config)#eapol

11 Enable EAPoL on ports 1/24 and 1/25:
a Go to ports 1/24-1/25:
Passport-8310:5(config)#interface fastEthernet 1/24-1/25
b Set EAPoL status to auto:
Passport-8310:5(config-if)#eapol status auto
Passport-8310:5(config-if)#exit


12 Add the RADIUS server configuration:
a Enable RADIUS globally:
Passport-8310:5(config)#radius
b Add the RADIUS server; use the RADIUS key eap8300:
Passport-8310:5(config)#radius-server host 10.1.30.10 key eap8300 useby eap


Configuration files

This section shows the configuration commands and parameters used to create the topology shown in Figure 84 on page 300. You can copy and paste the command outputs shown here to update your configuration files.

#
# PORT CONFIGURATION - PHASE I
#
interface FastEthernet 1/24
eapol status auto
interface FastEthernet 1/25
eapol status auto
config terminal
#
# VLAN CONFIGURATION
#
no vlan members 1 1/13,1/24-1/25 portmember
vlan create 2 type port 1
no vlan members 2 1/1-1/12,1/14-1/48,2/1-2/24,5/1-5/8 portmember
vlan members 2 1/13 portmember
interface VLAN 2
ip address 10.1.25.2 255.255.255.0
config terminal
vlan create 3 type port 1 color 2
no vlan members 3 1/1-1/23,1/26-1/48,2/1-2/24,5/1-5/8 portmember
vlan members 3 1/24-1/25 portmember
interface VLAN 3
ip address 10.1.26.1 255.255.255.0
config terminal
#
#
ip route 0.0.0.0 0.0.0.0 10.1.25.1 1 preference 5
#
# RADIUS CONFIGURATION
#
radius-server host 10.1.30.10 key eap8300 useby eapol acct-port 1813
radius
#
# GLOBAL EAP CONFIGURATION
#
eapol


Configuring SNMPv3

In this configuration example, you add two users with different MIB permissions and privacy protocols to the USM table. Specifically, this configuration example shows how to perform the following tasks:

• Add User 1 to the USM table with an authentication protocol of MD5 and a privacy protocol of DES (authPriv).
• Allow User 1 full MIB views with full permission (both read and write), starting from the existing org level.
• Add User 2 to the USM table with an authentication protocol of MD5 and no privacy protocol (authNoPriv).
• Allow User 2 full MIB read permission, starting from the existing org level, but exclude write permission to all private enterprise MIBs.

Note: The org level gives users access to both the standard MIB and private tree branches; the private level gives users access to only MIB objects below the private branch of the MIB tree.

Figure 85 illustrates this configuration example.

Figure 85 SNMPv3 for users with different permissions/privacy protocols (both users are held in the USM table of the Ethernet Routing Switch 8300: User 1 with MD5 authentication, DES privacy and full read/write permission; User 2 with MD5 authentication, no privacy protocol and read-only permission)


To configure the switch for this example, follow these steps:

1 Load the DES module. After you have installed the DES module on the Ethernet Routing Switch 8300, enter the following command:
Passport-8310:5(config)# load-module des /flash/p83c2200.des

2 Add User 1 to the USM table. For this example, specify a user name of user1, an MD5 password of user1234, and a DES privacy password of userpriv.
Passport-8310:5(config)# snmp-server user user1 md5 auth user1234 priv userpriv

3 Add User 1 to the USM group. For this example, add user1 to a USM group named group_1.
Passport-8310:5(config)# snmp-server member user1 usm group_1

4 Assign an access level to the USM group. For this example, assign an access level of authPriv to the USM group group_1.
Passport-8310:5(config)# snmp-server group group_1 "" usm authpriv

5 Assign read and write views to the USM group. For this example, assign both the read view and the write view, starting at org, to the USM group group_1 at the authPriv level.
Passport-8310:5(config)# snmp-server group view group_1 "" usm authpriv read-view org write-view org

6 Add User 2 to the USM table. For this example, specify a user name of user2 and an MD5 password of user2abcd.
Passport-8310:5(config)# snmp-server user user2 md5 auth user2abcd

7 Add User 2 to the USM group. For this example, add user2 to the group named group_1 that you created in step 3.
Passport-8310:5(config)# snmp-server member user2 usm group_1

8 Assign a second access level to the USM group. For this example, assign an access level of authNoPriv to the USM group group_1.
Passport-8310:5(config)# snmp-server group group_1 "" usm authnoPriv

9 Create a new MIB view that excludes the private MIB for User 2. For this example, add a MIB view named private that excludes the SNMP private subtree (1.3.6.1.4).
Passport-8310:5(config)# snmp-server view private 1.3.6.1.4 type exclude

10 Assign read and write views to the USM group at the authNoPriv level. For this example, assign the read view org (the whole tree) and the write view private (which excludes the private subtree) to the USM group group_1.
Passport-8310:5(config)# snmp-server group view group_1 "" usm authnoPriv read-view org write-view private

Note: The access rows are selected by the security level of each request, not by the user name. user2 has no privacy key, so it can only ever reach the authNoPriv row, and that row is what restricts its write access. user1 receives the full org write view only when it sends authPriv requests; an authNoPriv request from user1 is answered with the restricted authNoPriv row.


Configuration files

This section shows the configuration commands and parameters used to set up User 1 and User 2 for SNMPv3, as shown in Figure 85 on page 304. You can copy and paste the command outputs shown here to update your configuration files.

#
# SNMP V3 GROUP MEMBERSHIP CONFIGURATION
#
snmp-server member user1 usm group_1
snmp-server member user2 usm group_1
#
# SNMP V3 GROUP ACCESS CONFIGURATION
#
snmp-server group "group_1" "" usm authNoPriv
snmp-server group view "group_1" "" usm authNoPriv read-view "org" write-view "private"
snmp-server group "group_1" "" usm authPriv
snmp-server group view "group_1" "" usm authPriv read-view "org" write-view "org"
#
# SNMP V3 MIB VIEW CONFIGURATION
#
snmp-server view create private 1.3.6.1.4 type exclude

#

Configuring TACACS+

In this configuration example, you configure the Ethernet Routing Switch 8300 to use TACACS+ to authenticate and authorize different levels of users. In this scenario, both the management PC and the TACACS+ server reside in the same subnet as a local Ethernet port of the switch (see Figure 86 on page 308). A routed configuration, where the PC and the server sit on a separate subnet, is also supported.


Figure 86 TACACS+ server and management PC on the same subnet (the Ethernet Routing Switch 8300, management IP 10.10.10.10, connects to the corporate network through slot 1, port 8 (1/8); the TACACS+ server is 10.10.10.20 and the management PC is 10.10.10.30)

Supported TACACS+ servers

The following TACACS+ servers are supported by Nortel:

• Cisco ACS (version 3.2)
• ClearBox (version 2.4.5)
• Linux Freeware TACPLUS (version 4.0.3.2)

TACACS+ configuration example

To configure the switch for this example:

1 Configure the management VLAN. For example, from Global configuration mode, create the port-based management VLAN 10 in STG 1, add the local Ethernet port (1/8), and assign the management IP address and netmask:
Passport-8310:5(config)# vlan create 10 type port 1
Passport-8310:5(config)# vlan members add 10 1/8
Passport-8310:5(config)# interface vlan 10
Passport-8310:5(config-if)# ip address 10.10.10.10 255.255.255.0
Passport-8310:5(config-if)# exit

2 Configure the Ethernet Routing Switch to point to the TACACS+ server for authentication. In this example, the secret key string is "secret". In a production deployment use a long, random string: the TACACS+ packet body is only obfuscated with a keystream derived from this key, so a guessable key exposes every password that crosses the link.
Passport-8310:5(config)# tacacs server 10.10.10.20 key secret

3 Enable TACACS+.
Passport-8310:5(config)# tacacs enable

Configuring the TACACS+ server

On the TACACS+ server, you must define the following items:

• user profiles and corresponding authorization levels (see “TACACS+ access levels” on page 80 for information on Ethernet Routing Switch 8300 access levels and privileges) • a client (in this case, the Ethernet Routing Switch 8300)

Note: The secret key string configured on the Ethernet Routing Switch 8300 must match that configured on the TACACS+ server.

Refer to Appendix A, “TACACS+ server configuration examples,” on page 325 for TACACS+ server configuration examples.


Chapter 18 CLI configuration examples

This chapter provides examples of common EAPoL and SNMPv3 configuration tasks, including the CLI commands you use to create the example configurations.

Note: For a complete description of CLI commands you can use to configure specific EAPoL and SNMPv3 tasks, including those shown in this chapter, see the appropriate CLI chapter in this guide.

This chapter includes the following topics:

Topic                          Page
Configuring EAPoL through L2   311
Configuring EAPoL through L3   315
Configuring SNMPv3             318
Configuring TACACS+            321

Configuring EAPoL through L2

In this configuration example, you use VLAN 2 for the EAPoL Supplicants, ports 1/20-1/25. You use port 1/13 for the trunk port to the Ethernet Routing Switch 8600 core. Only ports 1/20 and 1/21 are ready for EAPoL users. The other EAPoL Supplicant ports (1/22-1/25) are reserved for future EAPoL use; configure these ports so that they cannot be accessed. Specifically, this configuration example shows how to perform the following tasks:

• Create VLAN 2 for EAPoL with port 1/13 and ports 1/20-1/25
• Use IP address 10.1.30.2/24 on VLAN 2
• Configure ports 1/20 and 1/21 for EAPoL auto
• Configure ports 1/22-1/25 for EAPoL force-unauthorized
• Configure a RADIUS server on the Ethernet Routing Switch 8300 that points to the authentication server

Figure 87 illustrates this configuration example.

Figure 87 EAPoL via L2 (topology: Ethernet Routing Switch 8600 A and 8600 B form the core; the Ethernet Routing Switch 8300 is the EAP authenticator, with trunk port 1/13 to the core and VLAN 2 on 10.1.30.x/24; EAP supplicants attach to ports 1/20 and 1/21; ports 1/22-1/25 are reserved for future EAP users; the RADIUS authentication server is 10.1.30.10/24)

To configure the switch for this example, follow these steps:

1 Create VLAN 2 as a port-based VLAN using STG 1:
Passport-8310:5# config vlan 2 create byport 1

2 If required, enable VLAN tagging on port 1/13:
Passport-8310:5# config ethernet 1/13 perform-tagging enable

3 Add VLAN members:
Passport-8310:5# config vlan 2 ports add 1/13,1/20-1/25

4 Remove port members from the default VLAN:
Passport-8310:5# config vlan 1 ports remove 1/13,1/20-1/25

5 Add an IP address to VLAN 2:
Passport-8310:5# config vlan 2 ip create 10.1.30.2/24


6 Enable EAPoL globally:
Passport-8310:5# config sys set eapol enable

7 Enable EAPoL on ports 1/20 and 1/21:
Passport-8310:5# config ethernet 1/20-1/21 eapol admin-status auto

8 Set ports 1/22-1/25 to EAPoL unauthorized:
Passport-8310:5# config ethernet 1/22-1/25 eapol admin-status force-unauthorized

9 Add the RADIUS server configuration:
a Enable RADIUS globally:
Passport-8310:5# config radius enable true
b Add the RADIUS server, assuming the RADIUS key is eap8300:
Passport-8310:5# config radius server create 10.1.30.10 secret eap8300 usedby eap


Configuration files

This section shows the configuration commands and parameters used to create the topology shown in Figure 87 on page 312. You can copy and paste the command outputs shown here to update your configuration files.

#
# PORT CONFIGURATION - PHASE I
#
ethernet 1/20 eapol admin-status auto
ethernet 1/21 eapol admin-status auto
ethernet 1/22 eapol admin-status force-unauthorized
ethernet 1/23 eapol admin-status force-unauthorized
ethernet 1/24 eapol admin-status force-unauthorized
ethernet 1/25 eapol admin-status force-unauthorized
#
# VLAN CONFIGURATION
#
vlan 1 ports remove 1/13,1/20-1/25 member portmember
vlan 2 create byport 1
vlan 2 ports remove 1/1-1/12,1/14-1/19,1/26-1/48,2/1-2/24,5/1-5/8 member portmember
vlan 2 ports add 1/13,1/20-1/25 member portmember
vlan 2 ip create 10.1.30.2/255.255.255.0
#
# RADIUS CONFIGURATION
#
radius server create 10.1.30.10 secret eap8300 usedby eapol acct-port 1813
radius enable true
#
# GLOBAL EAP CONFIGURATION
#
sys set eapol enable
back


Configuring EAPoL through L3

In this configuration example, the Ethernet Routing Switch 8300 is connected to a routed core. Specifically, this configuration example shows how to perform the following tasks:

• Create VLAN 2 with port 1/13 and IP address 10.1.25.2/24, used to connect to the core network.
• Create VLAN 3 with ports 1/24 and 1/25 and IP address 10.1.26.1/24, used for the EAPoL supplicants.
• Add a static default route pointing to 10.1.25.1 on Ethernet Routing Switch 8600 switch B.
• Configure a RADIUS server entry pointing to the authentication server.

Figure 88 illustrates this configuration example.

Figure 88 EAPoL via L3 (topology: Ethernet Routing Switch 8600 A and 8600 B form the OSPF core; the Ethernet Routing Switch 8300 connects to 8600 B through port 1/13 on VLAN 2, 10.1.25.x/24; the EAP supplicants attach to ports 1/24 and 1/25 on VLAN 3, 10.1.26.x/24; the RADIUS authentication server, 10.1.30.10/24, sits on the 10.1.30.x/24 network behind the core)

Configure Ethernet Routing Switch 8600 B with a static route for the 10.1.26.0/24 network and enable OSPF static route redistribution.

To configure the switch for this example, follow these steps:

1 Remove ports from the default VLAN:
Passport-8310:5# config vlan 1 ports remove 1/13,1/24-1/25

2 Create VLAN 2 as a port-based VLAN using STG 1:
Passport-8310:5# config vlan 2 create byport 1


3 If required, enable VLAN tagging on port 1/13:
Passport-8310:5# config ethernet 1/13 perform-tagging enable

4 Add VLAN members:
Passport-8310:5# config vlan 2 ports add 1/13

5 Add an IP address to VLAN 2:
Passport-8310:5# config vlan 2 ip create 10.1.25.2/24

6 Create VLAN 3 as a port-based VLAN using STG 1:
Passport-8310:5# config vlan 3 create byport 1

7 Add VLAN members:
Passport-8310:5# config vlan 3 ports add 1/24-1/25

8 Add an IP address to VLAN 3:
Passport-8310:5# config vlan 3 ip create 10.1.26.1/24

9 Add the static default route:
Passport-8310:5# config ip static-route create 0.0.0.0/0 next-hop 10.1.25.1 cost 1

10 Enable EAPoL globally:
Passport-8310:5# config sys set eapol enable

11 Enable EAPoL on ports 1/24 and 1/25:
Passport-8310:5# config ethernet 1/24-1/25 eapol admin-status auto

12 Add the RADIUS server configuration:
a Enable RADIUS globally:
Passport-8310:5# config radius enable true
b Add the RADIUS server, assuming the RADIUS key is eap8300:
Passport-8310:5# config radius server create 10.1.30.10 secret eap8300 usedby eap


Configuration files

This section shows the configuration commands and parameters used to create the topology shown in Figure 88 on page 315. You can copy and paste the command outputs shown here to update your configuration files.

#
# PORT CONFIGURATION - PHASE I
#
ethernet 1/1 eapol reauthentication true
ethernet 1/24 eapol admin-status auto
ethernet 1/25 eapol admin-status auto
#
# VLAN CONFIGURATION
#
vlan 1 ports remove 1/13,1/24-1/25 member portmember
vlan 2 create byport 1
vlan 2 ports remove 1/1-1/12,1/14-1/48,2/1-2/24,5/1-5/8 member portmember
vlan 2 ports add 1/13 member portmember
vlan 2 ip create 10.1.25.2/255.255.255.0
vlan 3 create byport 1
vlan 3 ports remove 1/1-1/23,1/26-1/48,2/1-2/24,5/1-5/8 member portmember
vlan 3 ports add 1/24-1/25 member portmember
vlan 3 ip create 10.1.26.1/255.255.255.0
#
ip static-route create 0.0.0.0/0.0.0.0 next-hop 10.1.25.1 cost 1
#
# RADIUS CONFIGURATION
#
radius server create 10.1.30.10 secret eap8300 usedby eapol acct-port 1813
radius enable true
#
# GLOBAL EAP CONFIGURATION
#
sys set eapol enable
back


Configuring SNMPv3

In this configuration example, you add two users with different MIB permissions and privacy protocols to the USM table. Specifically, this configuration example shows how to perform the following tasks:

• Add User 1 to the USM table with an authentication protocol of MD5 and a privacy protocol of DES (authPriv).
• Allow User 1 full MIB views with full permission (both read and write), starting from the existing org level.
• Add User 2 to the USM table with an authentication protocol of MD5 and no privacy protocol (authNoPriv).
• Allow User 2 full MIB read permission, starting from the existing org level, but exclude write permission to all private enterprise MIBs.

Note: The org level gives users access to both the standard MIB and private tree branches; the private level gives users access to only MIB objects below the private branch of the MIB tree.

Figure 89 illustrates this configuration example.

Figure 89 SNMPv3 for users with different permissions/privacy protocols (both users are held in the USM table of the Ethernet Routing Switch 8300: User 1 with MD5 authentication, DES privacy and full read/write permission; User 2 with MD5 authentication, no privacy protocol and read-only permission)


To configure the switch for this example, follow these steps:

1 Load the DES module. After you have installed the DES module on the Ethernet Routing Switch 8300, enter the following command:
Passport-8310:5# config load-module DES /flash/p83c2200.des

2 Add User 1 to the USM table. For this example, specify a user name of user1, an MD5 password of user1234, and a DES privacy password of userpriv.
Passport-8310:5# config snmp-v3 usm create user1 md5 auth user1234 priv userpriv

3 Add User 1 to the USM group. For this example, add user1 to a USM group named group_1.
Passport-8310:5# config snmp-v3 group-member create user1 usm group_1

4 Assign an access level to the USM group. For this example, assign an access level of authPriv to the USM group group_1.
Passport-8310:5# config snmp-v3 group-access create group_1 "" usm authPriv

5 Assign read and write views to the USM group. For this example, assign both the read view and the write view, starting at org, to the USM group group_1 at the authPriv level.
Passport-8310:5# config snmp-v3 group-access view group_1 "" usm authPriv read org write org

6 Add User 2 to the USM table. For this example, specify a user name of user2 and an MD5 password of user2abcd.
Passport-8310:5# config snmp-v3 usm create user2 md5 auth user2abcd

7 Add User 2 to the USM group. For this example, add user2 to the group named group_1 that you created in step 3.
Passport-8310:5# config snmp-v3 group-member create user2 usm group_1

8 Assign a second access level to the USM group. For this example, assign an access level of authNoPriv to the USM group group_1.
Passport-8310:5# config snmp-v3 group-access create group_1 "" usm authNoPriv

9 Create a new MIB view that excludes the private MIB for User 2. For this example, add a MIB view named private that excludes the SNMP private subtree (1.3.6.1.4).
Passport-8310:5# config snmp-v3 mib-view create private 1.3.6.1.4 type exclude

10 Assign read and write views to the USM group at the authNoPriv level. For this example, assign the read view org (the whole tree) and the write view private (which excludes the private subtree) to the USM group group_1.
Passport-8310:5# config snmp-v3 group-access view group_1 "" usm authNoPriv read org write private


Configuration files

This section shows the configuration commands and parameters used to set up User 1 and User 2 for SNMPv3, as shown in Figure 89 on page 318. You can copy and paste the command outputs shown here to update your configuration files.

#
# SNMP V3 GROUP MEMBERSHIP CONFIGURATION
#
snmp-v3 group-member create user1 usm group_1
snmp-v3 group-member create user2 usm group_1
#
# SNMP V3 GROUP ACCESS CONFIGURATION
#
snmp-v3 group-access create group_1 "" usm authNoPriv
snmp-v3 group-access view group_1 "" usm authNoPriv read "org" write "private"
snmp-v3 group-access create group_1 "" usm authPriv
snmp-v3 group-access view group_1 "" usm authPriv read "org" write "org"
#
# SNMP V3 MIB VIEW CONFIGURATION
#
snmp-v3 mib-view create private 1.3.6.1.4 type exclude

#

Configuring TACACS+

In this configuration example, you configure the Ethernet Routing Switch 8300 to use TACACS+ to authenticate and authorize different levels of users. In this scenario, both the management PC and the TACACS+ server reside in the same subnet as a local Ethernet port of the switch (see Figure 90 on page 322). A routed configuration, where the PC and the server sit on a separate subnet, is also supported.


Figure 90 TACACS+ server and management PC on the same subnet (the Ethernet Routing Switch 8300, management IP 10.10.10.10, connects to the corporate network through slot 1, port 8 (1/8); the TACACS+ server is 10.10.10.20 and the management PC is 10.10.10.30)

Supported TACACS+ servers

The following TACACS+ servers are supported by Nortel:

• Cisco ACS (version 3.2)
• ClearBox (version 2.4.5)
• Linux Freeware TACPLUS (version 4.0.3.2)

TACACS+ configuration example

To configure the switch for this example:

1 Configure the management VLAN. For example, create the port-based management VLAN 10 in STG 1, add the local Ethernet port (1/8), and assign the management IP address and netmask:
Passport-8310:5# config vlan 10 create byport 1
Passport-8310:5# config vlan 10 ports add 1/8
Passport-8310:5# config vlan 10 ip create 10.10.10.10/24

2 Configure the Ethernet Routing Switch to point to the TACACS+ server for authentication. In this example, the secret key string is "secret"; use a long, random string in production.
Passport-8310:5# config tacacs server create 10.10.10.20 secret secret

3 Enable TACACS+.
Passport-8310:5# config tacacs enable true

Configuring the TACACS+ server

On the TACACS+ server, you must define the following items:

• user profiles and corresponding authorization levels (see “TACACS+ access levels” on page 80 for information on Ethernet Routing Switch 8300 access levels and privileges) • a client (in this case, the Ethernet Routing Switch 8300)

Note: The secret key string configured on the Ethernet Routing Switch 8300 must match that configured on the TACACS+ server.

Refer to Appendix A, “TACACS+ server configuration examples,” on page 325 for TACACS+ server configuration examples.


Appendix A TACACS+ server configuration examples

Refer to the following sections for basic configuration examples of the TACACS+ server:

• “Configuration example: Cisco ACS server” on page 325
• “Configuration example: ClearBox server” on page 331
• “Configuration example: Linux freeware server” on page 343

Configuration example: Cisco ACS server

In this example, the Cisco ACS (version 3.2) TACACS+ server is configured. Figure 91 on page 326 shows the main administration window. Refer to vendor documentation for your server for specific configuration procedures.


Figure 91 Cisco ACS (version 3.2) main administration window

1 Define the users and the corresponding authorization levels. If you map users to default group settings, it is easier to remember which user belongs to each group. For example, the rwa user belongs to group 6 to match Privilege level 6. All rwa user settings are picked up from group 6 by default. Figure 92 on page 327 shows a sample Group Setup window.


Figure 92 Group Setup window — Cisco ACS server configuration

2 Configure the server settings. Figure 93 on page 328 shows a sample Network Configuration window to configure the authorization, authentication, and accounting (AAA) server for TACACS+.


Figure 93 Network Configuration window — server setup

3 Define the client. Figure 94 on page 329 shows a sample Network Configuration window to configure the client. Authenticate using TACACS+. Single-connection can be used, but this must match the configuration on the Ethernet Routing Switch 8300.


Figure 94 Network Configuration window — client setup

4 Verify the groups you have configured. In this example, the user is associated with a user group (see Figure 95 on page 330). An rwa account belongs to group 6, therefore its privilege level corresponds to the settings for group 6. The ro accounts belong to group 0, L1 accounts belong to group 2, and so on.


Figure 95 Group Setup window — viewing the group setup

5 View users, their status, and the group to which each belongs. Figure 96 on page 331 shows a sample User Setup window. You can use this window to find, add, edit, and view users' settings.


Figure 96 User Setup window — Cisco ACS server configuration

Configuration example: ClearBox server

1 Run the General Extension Configurator and configure the user data source (see Figure 97 on page 332). In this example, Microsoft® Access was used to create a database of user names and authorization levels; the general.mdb file needs to include these users.


Figure 97 General Extension Configurator

2 Create a Client entry for 10.10.10.10 (see Figure 86 on page 308) by right-clicking the TACACS+ Clients item. The TACACS+ Client, in this case, is the Ethernet Routing Switch 8300. Enter the appropriate information. The shared secret needs to match the value configured on the Ethernet Routing Switch 8300.


Figure 98 Creating a client entry

The default realm Authentication tab will look like that in Figure 99 on page 334.


Figure 99 Default realm — Authentication tab

3 Select Realms > def > Authorization tab. A new service is required that allows the server to assign certain levels of access. 4 Click the + button to add an attribute-value pair for privilege levels. See Figure 100 on page 335.


Figure 100 Default realm — Authorization tab

5 Enter information in the window as shown in Figure 101 on page 336. 6 Click + to add the parameters for the query.


Figure 101 Adding parameters for the query

7 Use the string shown in Figure 102 for the authorization query.

Figure 102 Authorization Query window


The final window should look like that in Figure 103.

Figure 103 Query parameters added to Authorization Attribute-Value Pairs window

8 Click OK. The information appears on the Authorization tab (see Figure 104 on page 338).


Figure 104 Authorization attribute-value pairs added to Authorization tab

9 Navigate to the general.mdb file as specified earlier. Note that Microsoft® Access or third party software is required to read this file. This user table should look like that in Figure 105 on page 339. If the Privilege column does not exist, create one and populate it according to the desired access level.

Note: When using the 30-day demo for ClearBox, the user names cannot be more than four characters in length.


Figure 105 Users table — Microsoft® Access

10 Run the Server Manager (you must now start the server). See Figure 106. 11 Click the Connect button.

Figure 106 ClearBox Server Manager


The Connect to... dialog box opens (see Figure 107). 12 Click OK (do not fill in any fields).

Figure 107 Connect to... dialog box

13 Click OK at the warning message. 14 Click Start. The Server Manager should now look like that in Figure 108 on page 341. Any changes to the General Server Extension Configurator require that the server be restarted.


Figure 108 TACACS+ server connected

15 Verify that the server is configured correctly. Refer to Figure 109 on page 342.


Figure 109 Server configured successfully

Passport-8310:5# config tacacs server info

Subcontext:
Current Context:

create:
Name         Status  Secret  Port  Prio  Timeout  Single  Source
10.10.10.20  Conn    secret  49    1     5        false   0.0.0.0

delete : N/A
set : N/A

Note that this command prints the shared secret in clear text in the Secret column, so treat captured output and terminal logs of it as sensitive.

When the connection to the TACACS+ server is unsuccessful, you see the error message shown in Figure 110. The server connection has failed because of a misconfiguration: check that you have entered the correct IP addresses and that the shared secret on the switch matches the one configured on the server.

Figure 110 Unsuccessful connection to TACACS+ server

CPU5 [04/06/05 09:58:42] SW ERROR Failed to use TACACS+ for authentication

A successful login looks like that in Figure 111.

Figure 111 Successful login

CPU5 [04/06/05 06:35:42] SW INFO TACACS+ authentication succeeded

A failed login looks like that in Figure 112 on page 343.


Figure 112 Unsuccessful login

CPU5 [04/05/05 12:00:09] SW INFO TACACS+ authentication failed
CPU5 [04/05/05 12:00:09] SW WARNING Code=0x1ff0009 Blocked unauthorized cli access
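The three log messages in Figures 110 to 112 are the switch's only visible signal of how TACACS+ authentication is going, and they distinguish two different problems: the server being unusable (Figure 110, typically the wrong IP address, port or secret) and a user failing authentication (Figure 112). The following added example, which is not code from the Nortel documentation, parses lines in exactly the format shown above, labels each one, and raises an alert for a server failure or for a burst of failed logins. The sample log is constructed: it reuses the lines from the figures and adds invented follow-on lines; the window and threshold values are assumptions chosen for illustration.

```python
import re
from collections import Counter
from datetime import datetime

# Line format as printed by the ERS 8300 in Figures 110-112:
#   CPU5 [04/06/05 09:58:42] SW ERROR Failed to use TACACS+ for authentication
LOG_RE = re.compile(
    r"^(?P<cpu>\S+) \[(?P<date>\d{2}/\d{2}/\d{2}) (?P<time>\d{2}:\d{2}:\d{2})\] "
    r"(?P<subsystem>\S+) (?P<severity>ERROR|WARNING|INFO) (?P<message>.*)$"
)

# Message texts taken from Figures 110-112; anything else is labelled "other".
EVENT_PATTERNS = [
    ("server_failure", re.compile(r"Failed to use TACACS\+ for authentication")),
    ("auth_success", re.compile(r"TACACS\+ authentication succeeded")),
    ("auth_failure", re.compile(r"TACACS\+ authentication failed")),
    ("access_blocked", re.compile(r"Blocked unauthorized cli access")),
]

# Constructed sample log: the lines from the figures plus invented follow-on
# lines (not from the page) so that the burst check has something to find.
SAMPLE_LOG = """\
CPU5 [04/06/05 09:58:42] SW ERROR Failed to use TACACS+ for authentication
CPU5 [04/06/05 06:35:42] SW INFO TACACS+ authentication succeeded
CPU5 [04/05/05 12:00:09] SW INFO TACACS+ authentication failed
CPU5 [04/05/05 12:00:09] SW WARNING Code=0x1ff0009 Blocked unauthorized cli access
CPU5 [04/05/05 12:00:41] SW INFO TACACS+ authentication failed
CPU5 [04/05/05 12:00:41] SW WARNING Code=0x1ff0009 Blocked unauthorized cli access
CPU5 [04/05/05 12:01:05] SW INFO TACACS+ authentication failed
CPU5 [04/05/05 12:01:05] SW WARNING Code=0x1ff0009 Blocked unauthorized cli access
CPU5 [04/05/05 12:02:00] SW INFO Link up on port 1/1
"""


def parse_line(line):
    """Return the parsed fields plus an 'event' label, or None if the line
    is not in the switch log format."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["timestamp"] = datetime.strptime(f"{rec['date']} {rec['time']}", "%m/%d/%y %H:%M:%S")
    rec["event"] = "other"
    for name, pattern in EVENT_PATTERNS:
        if pattern.search(rec["message"]):
            rec["event"] = name
            break
    return rec


def parse_log(text):
    return [rec for rec in (parse_line(l) for l in text.splitlines()) if rec is not None]


def count_events(records):
    return Counter(rec["event"] for rec in records)


def failure_bursts(records, window_seconds=60, threshold=3):
    """Sliding window over failed-authentication timestamps; returns a
    (first, last) pair for every window holding at least `threshold` failures."""
    times = sorted(r["timestamp"] for r in records if r["event"] == "auth_failure")
    bursts = []
    start = 0
    for end in range(len(times)):
        while (times[end] - times[start]).total_seconds() > window_seconds:
            start += 1
        if end - start + 1 >= threshold:
            bursts.append((times[start], times[end]))
    return bursts


def alerts(records):
    out = []
    for rec in records:
        if rec["event"] == "server_failure":
            out.append(f"{rec['date']} {rec['time']}: switch could not use the TACACS+ server; "
                       "check the server IP address, port and secret with 'config tacacs server info'")
    for first, last in failure_bursts(records):
        out.append(f"{first:%m/%d/%y %H:%M:%S}-{last:%H:%M:%S}: repeated TACACS+ authentication failures")
    return out


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(dict(count_events(recs)))
    for a in alerts(recs):
        print("ALERT", a)
```

A server failure is worth alerting on by itself, because it is a configuration error that is invisible from the TACACS+ server side (the switch never reached it), whereas the failed-login burst is the pattern an operator would want to see even when every individual failure is benign.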

Configuration example: Linux freeware server

1 After TACACS+ is installed on the Linux server, change the directory to:
$cd /etc/tacacs
2 Open the config file tac_plus.cfg:
$vi tac_plus.cfg
3 Comment out all the existing lines in the config file. Add new lines similar to the following:
# Enter your NAS key and user name
key =
user = {
    default service = permit
    service = exec {
        priv-lvl =
    }
    login =
}
# Set the location to store the accounting records


where:
- key – the key that is to be configured on the switch when creating the TACACS+ server entry.
- user – the user name used to log in to the switch.
- priv-lvl – the privilege level that maps to the switch access level: rwa – 6; rw – 5; l3 – 4; l2 – 3; l1 – 2; ro – 1.
- login (first value) – the password type, which could be clear text, the Linux password file, and so on.
- login (second value) – if the password type is clear text, type the password here.

Figure 113 shows an example config file.

Figure 113 Sample config file — Linux TACACS+ server

$vi tac_plus.cfg

# Created by Joe SMITH([email protected])
# Read user_guide and tacacs+ FAQ for more information
#
# Enter your NAS key
key = secretkey

user = smithJ {
    default service = permit
    service = exec {
        priv-lvl = 6
    }
    login = cleartext M5xyH8
}

4 Save the changes to the tac_plus.cfg file.
5 Run the TACACS+ daemon using the following command:
$/usr/local/sbin/tac_plus -C /etc/tacacs/tac_plus.cfg &
where:
• tac_plus is stored under /usr/local/sbin
• the config file that we just edited is stored at /etc/tacacs/
The TACACS+ server on Linux is ready to authenticate users.
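Two things in the tac_plus.cfg layout above decide what a user can do on the switch once the daemon is running: the priv-lvl value, which the switch maps to its access levels (rwa 6 down to ro 1), and the login type, which in the sample keeps the password in clear text inside the config file. The following added example, not code from the Nortel documentation or from the tac_plus project, parses the subset of tac_plus.cfg used in this appendix (a global key plus user blocks), reports the ERS 8300 access level each user would receive, and flags a priv-lvl outside the mapped range and cleartext passwords. The configuration text, user names, passwords and key in it are constructed for the example.

```python
import re

# Privilege-level to ERS 8300 access-level mapping from the "where" list above.
PRIV_LEVEL_TO_ACCESS = {6: "rwa", 5: "rw", 4: "l3", 3: "l2", 2: "l1", 1: "ro"}

# Constructed sample in the tac_plus.cfg layout used above; the user names,
# passwords and key are invented for this example, not taken from the page.
SAMPLE_CFG = """\
# Enter your NAS key
key = exampleNasKey

user = alice {
    default service = permit
    service = exec {
        priv-lvl = 6
    }
    login = cleartext Example123
}

user = bob {
    default service = permit
    service = exec {
        priv-lvl = 1
    }
    login = file /etc/passwd
}

user = carol {
    default service = permit
    service = exec {
        priv-lvl = 9
    }
    login = cleartext Another456
}
"""

KEY_RE = re.compile(r"^key\s*=\s*(\S+)$")
USER_RE = re.compile(r"^user\s*=\s*(\S+)\s*\{$")
PRIV_RE = re.compile(r"^priv-lvl\s*=\s*(\d+)$")
LOGIN_RE = re.compile(r"^login\s*=\s*(\S+)(?:\s+(\S+))?$")


def parse_tac_plus(text):
    """Line-oriented parse of the subset of tac_plus.cfg used in this appendix:
    a global key and user blocks carrying priv-lvl and login settings."""
    cfg = {"key": None, "users": {}}
    current = None
    depth = 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        if current is None:
            m = KEY_RE.match(line)
            if m:
                cfg["key"] = m.group(1)
                continue
            m = USER_RE.match(line)
            if m:
                current = {"name": m.group(1), "priv_lvl": None,
                           "login_type": None, "login_value": None}
                depth = 1
            continue
        # inside a user block: track nested braces such as "service = exec {"
        if line.endswith("{"):
            depth += 1
            continue
        if line == "}":
            depth -= 1
            if depth == 0:
                cfg["users"][current["name"]] = current
                current = None
            continue
        m = PRIV_RE.match(line)
        if m:
            current["priv_lvl"] = int(m.group(1))
            continue
        m = LOGIN_RE.match(line)
        if m:
            current["login_type"], current["login_value"] = m.group(1), m.group(2)
    return cfg


def access_level(cfg, username):
    """ERS 8300 access level the user would receive, or None if not mappable."""
    user = cfg["users"].get(username)
    if user is None:
        return None
    return PRIV_LEVEL_TO_ACCESS.get(user["priv_lvl"])


def audit(cfg):
    findings = []
    if not cfg["key"]:
        findings.append("no key configured; the switch's TACACS+ server entry needs the same secret")
    for name, user in cfg["users"].items():
        if user["priv_lvl"] not in PRIV_LEVEL_TO_ACCESS:
            findings.append(f"{name}: priv-lvl {user['priv_lvl']} does not map to an ERS 8300 access level (expected 1-6)")
        if user["login_type"] == "cleartext":
            findings.append(f"{name}: password stored in clear text in tac_plus.cfg; restrict the file's permissions or use another login type")
    return findings


if __name__ == "__main__":
    cfg = parse_tac_plus(SAMPLE_CFG)
    for name in cfg["users"]:
        print(name, access_level(cfg, name))
    for finding in audit(cfg):
        print("WARN", finding)
```

Running the check before restarting the daemon catches the two mistakes the page's table makes easy to commit: a priv-lvl that the switch does not recognise, and a reviewer forgetting that every cleartext login line is a password on disk that the file permissions on /etc/tacacs have to protect.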


Index

Numerics access-policy policy command 92 access-policy policy disable command 99, 100 3DES encryption 38 access-policy policy enable command 99, 100 A access-policy policy host command 98 access-policy policy name command 99 access policies assigning a precedence for, using the NNCLI 99 access-policy policy precedence command 99 assigning a precedence for, using the Passport access-policy policy username command 98 8300 CLI 113 authentication configuring, using the CLI 92, 106 DSA 38 creating, using the CLI 94, 107 RSA 38 enabling globally, using the NNCLI 92 authentication server 48 enabling globally, using the Passport 8300 CLI 105 authenticator 47 enabling, using the CLI 99, 100, 114 naming, using the CLI 114 B naming, using the NNCLI 99 overview of 31, 89, 103 BSAC RADIUS servers specifying the host and username for rlogin, configuring 172, 176 using the CLI 113 specifying the host and username for rlogin, C using the NNCLI 98 CLI access services changing password for, using the CLI 82 allowing network access for, using the CLI 109 changing password for, using the Passport 8300 allowing network access for, using the NNCLI CLI 86 95 controlling access to 82, 86 enabling for a specified policy, using the CLI 107 returning to, from NNCLI 25 list of 108 CLI commands accessing config ethernet eapol 260, 264 NNCLI 24 config radius 203 access-policy command 92 config radius access-priority-attribute 205 access-policy policy config radius acct-attribute-value 207 accesslevel command 98 config radius enable 204 create command 94 config radius info 208 mode command 98 config radius server 209


config radius server create 255 precedence 99 config radius server delete 258 username 98 config radius server set 258 config ethernet eapol 260, 264 config snmp-v3 group-access 144 config radius 203 config snmp-v3 group-member 142 config radius access-priority-attribute 205 config snmp-v3 usm 140 config radius acct-attribute-value 207 config sys access-policy 105 config radius enable 204 config sys access-policy policy 106 config radius info 208 config sys access-policy policy accesslevel 113 config radius server 209 config sys access-policy policy host 113 config radius server create 255 config sys access-policy policy mode 112 config radius server delete 258 config sys access-policy policy name 114 config radius server set 258 config sys access-policy policy network 109 config snmp-v3 group-access 144 config sys access-policy policy precedence 113 config snmp-v3 group-member 142 config sys access-policy policy service 107 config snmp-v3 usm 140 config sys access-policy policy username 113 config sys access-policy 105 config tacacs server 293 config sys access-policy policy 106 password 86 config sys access-policy policy accesslevel 113 portlock 88 config sys access-policy policy host 113 reset-passwd 83, 88 config sys access-policy policy mode 112 show ports info eapol auth-diags 269 config sys access-policy policy name 114 show ports info eapol auth-stats 267 config sys access-policy policy network 109 show ports info eapol config 274 config sys access-policy policy precedence 113 show ports info eapol multi-host-session-stats config sys access-policy policy service 107 278 config sys access-policy policy username 113 show ports info eapol non-eap-mac 282 config tacacs server info 293 show ports info eapol oper-stats 276 EAPol 227 show ports info eapol radius-non-eap-mac 280 EAPoL enable 221 show ports info eapol session-stats 272 password 82, 86 show radius info 208 portlock 84, 88 show radius server config 212 radius access-priority-attribute 189, 191 show 
sys eapol 266 radius disable 187, 188, 190, 290 show tacacs info 291 radius enable 187, 188, 190, 290 commands radius-server 193 access-policy 92 show access-policy 93 access-policy policy 92 show eapol 232 accesslevel 98 show eapol multihost non-eap-mac interface 248 create 94 show interface eapol multihost-session-stats 244 disable 99, 100 show ports eapol auth-diags 235 enable 99, 100 show ports eapol auth-stats 233 host 98 show ports eapol config 240 mode 98 show ports eapol oper-stats 243 name 99 show ports eapol session-stats 238 network command 95 show ports info eapol auth-diags 269


show ports info eapol auth-stats 267 config snmp-v3 usm 140 show ports info eapol config 274 config sys access-policy command 105 show ports info eapol multi-host-session-stats config sys access-policy policy accesslevel 278 command 113 show ports info eapol non-eap-mac 282 show ports info eapol oper-stats 276 config sys access-policy policy host command 113 show ports info eapol radius-non-eap-mac 246, config sys access-policy policy mode command 280 112 show ports info eapol session-stats 272 config sys access-policy policy name command show radius 192 114 show radius info 208 config sys access-policy policy network command show radius server config 212 109 show radius-server 196 show running-config module sys 133 config sys access-policy policy precedence show sys eapol 266 command 113 show tacac 284 config sys access-policy policy service command show tacacs info 291 107 snmp-server community 129 config sys access-policy policy username snmp-server group 124 command 113 snmp-server member 122 config sys access-policy policy command 106 snmp-server user 120 snmp-server view 127 controlled port 48 tacacs+ disable 284 conventions, text 26 tacacs+ enable 284 customer support 28 commands, NNCLI modes 22 D config ethernet eapol command 260, 264 DSA authentication 38 config ntp command 122, 125, 128, 129, 147, 151 config radius access-priority-attribute command E 205 config radius acct-attribute-value command 207 EAPoL authentication server 48 config radius command 203 authenticator 47 config radius enable command 204 configuration example 49 config radius info command 208 configuration prerequisites 221, 253 config radius server command 209 configuration process 48 configuring authentication status 231, 265 config radius server create command 255 configuring globally 221 config radius server delete command 258 configuring ports 227, 230, 260, 264 config radius server set command 258 configuring RADIUS 72 config snmp-v3 group-access 144 controlled port 48 description 
47 config snmp-v3 group-member 142 enable command 221


port access entity (PAE) 48 accesslevel 98 show allowed non-EAPoL MAC addresses (CLI) create 94 282 disable 99, 100 show allowed non-EAPoL MAC addresses enable 99, 100 (NNCLI) 248 host 98 show Authenticator statistics 233, 267 mode 98 show configuration statistics 240, 274 name 99 show diagnostic statistics 235, 269 network 95 show multiple clients session information (CLI) precedence 99 278 username 98 show multiple clients session information EAPol 227 (NNCLI) 244 EAPoL enable 221 show non-EAPoL clients that use RADIUS modes 22 (CLI) 280 password 82 show non-EAPoL clients that use RADIUS portlock 84 (NNCLI) 246 radius access-priority-attribute 189, 191 show operation statistics 243, 276 radius disable 187, 188, 190, 290 show session statistics 238, 272 radius enable 187, 188, 190, 290 showing current switch status 232, 266 radius-server 193 supplicant 47 show access-policy 93 system requirements 77 show eapol 232 VLANs, dynamic assignment 67 show eapol multihost non-eap-mac interface 248 encryption show interface eapol multihost-session-stats 244 3DES 38 show ports eapol auth-diags 235 show ports eapol auth-stats 233 Extensible Authentication Protocol over LAN. See show ports eapol config 240 EAPoL show ports eapol oper-stats 243 show ports eapol session-stats 238 F show ports info eapol radius-non-eap-mac 246 freeRadius servers, configuring 175 show radius 192 show radius-server 196 show running-config module sys 133 M show tacacs 284 Merit Network servers, configuring 175 snmp-server community 129 snmp-server group 124 snmp-server member 122 N snmp-server user 120 NNCLI snmp-server view 127 accessing 24 tacacs+ disable 284 returning to CLI 25 tacacs+ enable 284 switching from CLI 24 NNCLI commands P access-policy 92 access-policy policy 92 Passport 8300 CLI


changing password for, using the Passport 8300 client 72 CLI 86 configuring, using the CLI 203 controlling access to 86 deleting a server with NNCLI 225 Passport 8300 CLI commands deleting a server with Passport 8300 CLI 258 config radius server create 255 displaying global status of, using the NNCLI 192 config radius server delete 258 displaying global status of, using the Passport config radius server set 258 8300 CLI 208 config snmp-v3 group-access 144 overview of 42 config snmp-v3 group-member 142 Servers config snmp-v3 usm 140 BSAC show ports info eapol auth-stats 267 configuring 172, 176 using third party 172, 174 password command 82 servers password commands 86 adding, using the CLI 209 password recovery command 83, 88 adding, using the NNCLI 193 passwords deleting, using the CLI 209 changing CLI, using the CLI 82 deleting, using the NNCLI 193 changing CLI, using the Passport 8300 CLI 86 displaying configuration for, using the CLI 212 port access entity (PAE) 48 displaying configuration for, using the NNCLI port lock feature 196 overview of 30, 83, 88 setting up, using the CLI 209 portlock command 84, 88 setting up, using the NNCLI 193 product support 28 setting server parameters with NNCLI 225 setting server parameters with Passport 8300 CLI publications 258 hard copy 27 vendor-specific attributes 72 R radius access-priority-attribute command 189, 191 radius disable command 187, 188, 190, 290 RADIUS radius enable command 187, 188, 190, 290 accounting configuring attribute values for, using the CLI RADIUS MAC centralization 207 enabling globally using NNCLI 222 overview of 45 enabling on the port using CLI 264 adding a server with NNCLI 222 enabling on the port using NNCLI 231 adding a server with Passport 8300 CLI 255 globally enabling using CLI 254 authentication port shutdown using CLI 264 configuring attribute values for, using the CLI port shutdown using NNCLI 231 205 setting ageout period using CLI 254 configuring attribute values for, using the 
setting ageout period using NNCLI 222 NNCLI 189, 191 RADIUS, configuring for EAPoL 72 enabling, using the CLI 204 radius-server command 193 enabling, using the NNCLI 187, 188, 190, 290 Remote Access Dial-In User Services, see RADIUS overview of 45


reset password command 83, 88 show sys eapol command 266 RSA authentication 38 show tacacs command 284 show tacacs info command 291 S show tacacs server config 293 Secure Shell version 2 (SSH-2) snmp-server community 129 overview 39 snmp-server group 124 servers snmp-server member 122 configuring BSAC RADIUS 172, 176 snmp-server user 120 freeRadius, configuring 175 Merit Network, configuring 175 snmp-server view 127 using third-party RADIUS 172, 174 SSH version 2 (SSH-2) show access-policy command 93 overview 39 show eapol command 232 supplicant 47 show eapol multihost non-eap-mac interface support, Nortel 28 command 248 switching show interface eapol multihost-session-stats to CLI 25 command 244 to NNCLI 24 show ports eapol auth-diags command 235 show ports eapol auth-stats command 233 T show ports eapol config command 240 TACACS+ authentication show ports eapol oper-stats command 243 disabling, using the NNCLI 284 show ports eapol session-stats command 238 enabling, using the NNCLI 284 show ports info eapol auth-diags command 269 displaying global status of, using the CLI 291 show ports info eapol auth-stats command 267 displaying global status of, using the NNCLI 284 servers show ports info eapol config command 274 displaying configuration for, using the CLI show ports info eapol multi-host-session-stats 293 command 278 tacacs+ disable command 284 show ports info eapol non-eap-mac command 282 tacacs+ enable command 284 show ports info eapol oper-stats command 276 technical publications 27 show ports info eapol radius-non-eap-mac technical support 28 command 246, 280 text conventions 26 show ports info eapol session-stats command 272 show radius command 192 V show radius info command 208 show radius server config command 212 vendor-specific attributes 72 show radius-server command 196 VLANs, EAPoL dynamic assignment 67 show running-config module sys 133
