
Nortel Secure Network Access Switch  
Using the Command Line  
Interface  
Release: 2.0  
Document Revision: 03.01  
www.nortel.com  
NN47230-100  
320818-D  
Nortel Secure Network Access Switch  
Using the Command Line Interface  
NN47230-100 03.01 Standard  
28 July 2008  
Copyright © 2007, 2008 Nortel Networks  
Software license  
This section contains the Nortel Networks software license.  
Nortel Networks software license agreement  
This Software License Agreement ("License Agreement") is between  
you, the end-user ("Customer") and Nortel Networks Corporation and  
its subsidiaries and affiliates ("Nortel Networks"). PLEASE READ THE  
FOLLOWING CAREFULLY. YOU MUST ACCEPT THESE LICENSE  
TERMS IN ORDER TO DOWNLOAD AND/OR USE THE SOFTWARE.  
USE OF THE SOFTWARE CONSTITUTES YOUR ACCEPTANCE OF  
THIS LICENSE AGREEMENT. If you do not accept these terms and  
conditions, return the Software, unused and in the original shipping  
container, within 30 days of purchase to obtain a credit for the full  
purchase price.  
"Software" is owned or licensed by Nortel Networks, its parent or one of  
its subsidiaries or affiliates, and is copyrighted and licensed, not sold.  
Software consists of machine-readable instructions, its components, data,  
audio-visual content (such as images, text, recordings or pictures) and  
related licensed materials including all whole or partial copies. Nortel  
Networks grants you a license to use the Software only in the country  
where you acquired the Software. You obtain no rights other than those  
granted to you under this License Agreement. You are responsible for the  
selection of the Software and for the installation of, use of, and results  
obtained from the Software.  
1. Licensed Use of Software. Nortel Networks grants Customer a  
nonexclusive license to use a copy of the Software on only one  
machine at any one time or to the extent of the activation or authorized  
usage level, whichever is applicable. To the extent Software is  
furnished for use with designated hardware or Customer furnished  
equipment ("CFE"), Customer is granted a nonexclusive license to  
use Software only on such hardware or CFE, as applicable. Software  
contains trade secrets and Customer agrees to treat Software as  
confidential information using the same care and discretion Customer  
uses with its own similar information that it does not wish to disclose,  
publish or disseminate. Customer will ensure that anyone who  
uses the Software does so only in compliance with the terms of this  
Agreement. Customer shall not a) use, copy, modify, transfer or  
distribute the Software except as expressly authorized; b) reverse  
assemble, reverse compile, reverse engineer or otherwise translate the  
Software; c) create derivative works or modifications unless expressly  
authorized; or d) sublicense, rent or lease the Software. Licensors  
of intellectual property to Nortel Networks are beneficiaries of this  
provision. Upon termination or breach of the license by Customer or in  
the event designated hardware or CFE is no longer in use, Customer  
will promptly return the Software to Nortel Networks or certify its  
destruction. Nortel Networks may audit by remote polling or other  
reasonable means to determine Customer’s Software activation or  
usage levels. If suppliers of third party software included in Software  
require Nortel Networks to include additional or different terms,  
Customer agrees to abide by such terms provided by Nortel Networks  
with respect to such third party software.  
2. Warranty. Except as may be otherwise expressly agreed to in  
writing between Nortel Networks and Customer, Software is provided  
"AS IS" without any warranties (conditions) of any kind. NORTEL  
NETWORKS DISCLAIMS ALL WARRANTIES (CONDITIONS)  
FOR THE SOFTWARE, EITHER EXPRESS OR IMPLIED,  
INCLUDING, BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF  
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE  
AND ANY WARRANTY OF NON-INFRINGEMENT. Nortel Networks is  
not obligated to provide support of any kind for the Software. Some  
jurisdictions do not allow exclusion of implied warranties, and, in such  
event, the above exclusions may not apply.  
3. Limitation of Remedies. IN NO EVENT SHALL NORTEL  
NETWORKS OR ITS AGENTS OR SUPPLIERS BE LIABLE FOR ANY  
OF THE FOLLOWING: a) DAMAGES BASED ON ANY THIRD PARTY  
CLAIM; b) LOSS OF, OR DAMAGE TO, CUSTOMER’S RECORDS,  
FILES OR DATA; OR c) DIRECT, INDIRECT, SPECIAL, INCIDENTAL,  
PUNITIVE, OR CONSEQUENTIAL DAMAGES (INCLUDING LOST  
PROFITS OR SAVINGS), WHETHER IN CONTRACT, TORT OR  
OTHERWISE (INCLUDING NEGLIGENCE) ARISING OUT OF  
YOUR USE OF THE SOFTWARE, EVEN IF NORTEL NETWORKS,  
ITS AGENTS OR SUPPLIERS HAVE BEEN ADVISED OF THEIR  
POSSIBILITY. The foregoing limitations of remedies also apply to any  
developer and/or supplier of the Software. Such developer and/or  
supplier is an intended beneficiary of this Section. Some jurisdictions  
do not allow these limitations or exclusions and, in such event, they  
may not apply.  
4. General  
a. If Customer is the United States Government, the following  
paragraph shall apply: All Nortel Networks Software available  
under this License Agreement is commercial computer software  
and commercial computer software documentation and, in the  
event Software is licensed for or on behalf of the United States  
Government, the respective rights to the software and software  
documentation are governed by Nortel Networks standard  
commercial license in accordance with U.S. Federal Regulations  
at 48 C.F.R. Sections 12.212 (for non-DoD entities) and 48 C.F.R.  
227.7202 (for DoD entities).  
b. Customer may terminate the license at any time. Nortel Networks  
may terminate the license if Customer fails to comply with the terms  
and conditions of this license. In either event, upon termination,  
Customer must either return the Software to Nortel Networks or  
certify its destruction.  
c. Customer is responsible for payment of any taxes, including  
personal property taxes, resulting from Customer’s use of the  
Software. Customer agrees to comply with all applicable laws  
including all applicable export and import laws and regulations.  
d. Neither party may bring an action, regardless of form, more than  
two years after the cause of the action arose.  
e. The terms and conditions of this License Agreement form the  
complete and exclusive agreement between Customer and Nortel  
Networks.  
f. This License Agreement is governed by the laws of the country in  
which Customer acquires the Software. If the Software is acquired  
in the United States, then this License Agreement is governed by  
the laws of the state of New York.  
New in this release  
The following sections detail what is new in Nortel Secure Network Access  
Switch Using the Command Line Interface (NN47230-100) for Release 2.0.  
Features  
This is the second standard release of the document. See the following  
sections for information on the features added in this release.  
On-the-fly SRS Policy Change—When a security policy is modified  
on the SNAS using the administrative tool, the policy is updated on the  
Nortel Health Agent running on the logged-in operating systems. For more  
information, see page 92.  
Multi-OS Applet Support—The Nortel Health captive portal applet  
supports Windows and non-Windows operating systems. For  
non-Windows operating systems the applet supports collecting operating  
system information and VLAN transition. For more information, see the  
Other changes  
No changes.  
Introduction  
Nortel* Secure Network Access (Nortel SNAS) is a clientless solution that  
provides seamless, secure access to the corporate network from inside  
or outside that network. The Nortel SNAS combines multiple hardware  
devices and software components to support the following features:  
partitions the network resources into access zones (authentication,  
remediation, and full access)  
provides continual device integrity checking using Nortel Health Agent  
supports both dynamic and static IP clients  
The Nortel Secure Network Access Switch 4050 or 4070 (Nortel SNAS  
4050 or 4070) controls operation of the Nortel SNAS.  
This user guide covers the process of implementing the Nortel SNAS using  
the Nortel SNAS 4050 or 4070 for Nortel Secure Network Access Switch  
Software Release 2.0. The document includes the following information:  
overview of the role of the Nortel SNAS 4050 or 4070 in the Nortel  
SNAS  
initial setup  
configuring authentication, authorization, and accounting (AAA)  
features  
managing system users  
customizing the portal  
upgrading the software  
logging and monitoring  
troubleshooting installation and operation  
The document provides instructions for initializing and customizing the  
features using the Command Line Interface (CLI). To learn the basic  
structure and operation of the Nortel SNAS CLI, refer to “CLI reference”  
(page 413). This reference guide provides links to where the function  
and syntax of each CLI command are described in the document. For  
information on accessing the CLI, see “The Command Line Interface”  
The Browser-Based Interface (BBI) is a graphical user interface (GUI) that  
runs in an online, interactive mode. BBI allows the management of multiple  
devices (for example, the Nortel SNAS) from one application. For information  
about using BBI to configure and manage Nortel SNAS, see Nortel Secure  
Network Access Switch Configuration — Using the BBI, (NN47230-500).  
Before you begin  
This guide is intended for network administrators who have the following  
background:  
basic knowledge of networks, Ethernet bridging, and IP routing  
familiarity with networking concepts and terminology  
experience with windowing systems or GUIs  
basic knowledge of network topologies  
Before using this guide, you must complete the following procedures. For  
a new switch:  
Step 1 Install the switch.  
For installation instructions, see Nortel Secure Network Access  
Switch 4050 Installation Guide, (NN47230-300).  
Step 2 Connect the switch to the network (page 377).  
--End--  
Ensure that you are running the latest version of Nortel SNAS software.  
For information about upgrading the Nortel SNAS, see “Upgrading or  
Text conventions  
This guide uses the following text conventions:  
angle brackets (< >)  
Enter text based on the description inside the  
brackets. Do not type the brackets when entering  
the command.  
Example: If the command syntax is  
ping <ip_address>, you enter  
ping 192.32.10.12  
bold text  
Objects such as window names, dialog box names,  
and icons, as well as user interface objects such  
as buttons, tabs, and menu items.  
bold Courier text  
Command names, options, and text that you must  
enter.  
Example: Use the dinfo command.  
Example: Enter show ip {alerts|routes}.  
braces ({})  
Required elements in syntax descriptions where  
there is more than one option. You must choose  
only one of the options. Do not type the braces  
when entering the command.  
Example: If the command syntax is  
show ip {alerts|routes}, you must enter  
either show ip alerts or show ip routes, but  
not both.  
brackets ([ ])  
Optional elements in syntax descriptions. Do not  
type the brackets when entering the command.  
Example: If the command syntax is  
show ip interfaces [-alerts], you can enter  
either show ip interfaces or  
show ip interfaces -alerts.  
ellipsis points (. . . )  
Repeat the last element of the command as  
needed.  
Example: If the command syntax is  
ethernet/2/1 [ <parameter> <value> ]...,  
you enter ethernet/2/1 and as many  
parameter-value pairs as needed.  
italic text  
Variables in command syntax descriptions. Also  
indicates new terms and book titles. Where a  
variable is two or more words, the words are  
connected by an underscore.  
Example: If the command syntax is  
show at <valid_route>,  
valid_route is one variable and you substitute  
one value for it.  
plain Courier text  
Command syntax and system output, for example,  
prompts and system messages.  
Example: Set Trap Monitor Filters  
separator ( > )  
Menu paths.  
Example: Protocols > IP identifies the IP  
command on the Protocols menu.  
vertical line ( | )  
Options for command keywords and arguments.  
Enter only one of the options. Do not type the  
vertical line when entering the command.  
Example: If the command syntax is  
show ip {alerts|routes}, you enter either  
show ip alerts or show ip routes, but not  
both.  
Related information  
This section lists information sources that relate to this document.  
Publications  
Refer to the following publications for information on the Nortel SNAS:  
Nortel Secure Network Access Solution Guide (NN47230-200)  
Nortel Secure Network Access Switch 4050 Installation Guide  
(NN47230-300)  
Nortel Secure Network Access Switch 4050 User Guide for the CLI  
(NN47230-100)  
Installing and Using the Security,  
Release Notes for Nortel Ethernet Routing Switch 5500 Series,  
Software Release 5.0.1  
Release Notes for the Ethernet Routing Switch 8300, Software  
Release 2.2.8  
Release Notes for the Nortel Secure Network Access Solution,  
Software Release 1.6.1 (NN47230-400)  
Release Notes for Enterprise Switch Manager (ESM), Software  
Release 5.2 (209960-H)  
Using Enterprise Switch Manager Release 5.1 (208963-F)  
Nortel Secure Network Access Switch Configuration — Using the BBI  
(NN47230-500)  
Online  
To access Nortel technical documentation online, go to the Nortel web site:  
You can download current versions of technical documentation. To locate  
documents, browse by category or search using the product name or  
number.  
You can print the technical manuals and release notes free, directly from  
the Internet. Use Adobe* Reader* to open the manuals and release  
notes, search for the sections you need, and print them on most standard  
printers. Go to the Adobe Systems site at http://www.adobe.com to  
download a free copy of Adobe Reader.  
How to get help  
If you purchased a service contract for your Nortel product from a  
distributor or authorized reseller, contact the technical support staff for that  
distributor or reseller for assistance.  
If you purchased a Nortel service program, use the http://www.nortel.com/help  
web page to locate information to contact Nortel for assistance:  
To obtain Nortel Technical Support contact information, click the  
CONTACT US link on the left side of the page.  
To call a Nortel Technical Solutions Center for assistance, click the  
CALL US link on the left side of the page to find the telephone number  
for your region.  
An Express Routing Code (ERC) is available for many Nortel products and  
services. When you use an ERC, your call is routed to a technical support  
person who specializes in supporting that product or service. To locate the  
ERC for your product or service, go to the http://www.nortel.com/help web  
page and follow these links:  
Step 1 Click CONTACT US on the left side of the HELP web page.  
Step 2 Click Technical Support on the CONTACT US web page.  
Step 3 Click Express Routing Codes on the TECHNICAL SUPPORT  
web page.  
--End--  
Overview  
The Nortel Secure Network Access Solution Release 2.0 features are  
mapped to the relevant section(s) in this guide in the following table. For  
information on the Nortel SNAS Release 1.6.1 see Release Notes for  
Nortel Secure Network Access Solution Release 1.6.1, NN47230-400,  
(formerly 320850).  
Table 1  
Features on NSNA  
Feature | Section  
Performance and scalability enhancements: 20,000 concurrent users | Not applicable.  
Support for hubs |  
Support for Nortel Ethernet Switch models 325 / 425 / 450 / 470 and 2500 series and Ethernet Routing Switch models 4500 series, 5500 series, 8300 and 8600 | “Configuring local DHCP services” (page 115), “Hub  
Support for WLAN Controller |  
Support of RADIUS server |  
Support of Microsoft NAP Interoperability |  
Nortel Health Agent Run-Once, Continuous and Never modes |  
Support for MAC OSX, Linux OS, and non-interactive devices |  
MAC address policy services |  
Flexible deployment: Filter only and VLAN and filters deployment | “Nortel SNAS enforcement types” (page 28),  
ATTENTION  
Switches that support the Switch to Nortel SNAS Communication Protocol  
(SSCP) are referred to as NSNA network access devices in this document.  
Generally, NSNA network access devices are the Ethernet Routing Switch  
5500 Series and the Ethernet Routing Switch 8300. Specifically, Release 1.6.1  
features are supported by the Ethernet Routing Switch 5500 Series, Release  
5.0.2 and later.  
ATTENTION  
The character combination "&lt;" appears instead of the character "<" in several  
command strings in this document. For example, &lt;DN> rather than <DN>.  
Resolution is under investigation.  
The Nortel SNAS  
Nortel Secure Network Access Solution (Nortel SNAS) is a protective  
framework that secures the network against vulnerable endpoints.  
The Nortel SNAS addresses endpoint security and enforces policy  
compliance. Nortel SNAS delivers endpoint security by enabling only  
trusted, role-based access privileges premised on the security level of the  
device, user identity, and session context. Nortel SNAS enforces policy  
compliance, such as for Sarbanes-Oxley and COBIT, ensuring that the  
required anti-virus applications or software patches are installed before  
users are granted network access.  
For Nortel, success is delivering technologies providing secure access  
to your information using security-compliant systems. Your success  
is measured by increased employee productivity and lower network  
operations costs. Nortel’s solutions provide your organization with the  
network intelligence required for success.  
Elements of the Nortel SNAS  
The following devices are essential elements of the Nortel SNAS:  
Nortel Secure Network Access Switch 4050 or 4070 (Nortel SNAS 4050  
or 4070), which acts as the Policy Decision Point  
network access devices, which act as the Policy Enforcement Point:  
Ethernet Routing Switch 8300  
Ethernet Routing Switch 4500, 5510, 5520, or 5530  
ATTENTION  
NSNA Release 1.6.1 does not currently support the Ethernet Routing Switch  
8300 as a Policy Enforcement Point.  
RADIUS, DHCP, and DNS servers  
The following devices are additional, optional elements of the Nortel  
SNAS:  
remediation server  
corporate authentication services such as LDAP or RADIUS services  
Each Nortel SNAS device can support up to five network access devices.  
Supported users  
The Nortel SNAS supports the following types of users:  
PCs using the following operating systems:  
Windows 2000 SP4  
Windows XP SP2  
Linux  
MAC OS  
Vista  
The Nortel SNAS supports the following browsers:  
Internet Explorer version 6.0 or later  
Netscape Navigator version 7.3 or later  
Mozilla Firefox version 1.0.6 or later  
Java Runtime Environment (JRE) for all browsers:  
JRE 1.6.0_04 or later  
VoIP phones  
Nortel IP Phone 2002  
Nortel IP Phone 2004  
Nortel IP Phone 2007  
See Release Notes for the Nortel Secure Network Access Solution,  
Software Release 1.6.1 (NN47230-400), for the minimum firmware  
versions required for the IP Phones operating with different call  
servers.  
Each Nortel SNAS-enabled port on a network access device can support  
one PC (untagged traffic) and one IP Phone (tagged traffic). Softphone  
traffic is considered to be the same as PC traffic (untagged).  
ATTENTION  
Where there is both an IP Phone and a PC, the PC must be connected through  
the 3-port switch on the IP Phone.  
Supporting additional users with the software license file  
The standard Nortel SNAS 4050 implementation can support up to 200  
authenticated user sessions. To support additional users on your Nortel  
SNAS 4050 switch, you must obtain a Nortel SNA software license  
file. The software license file contains a software license key that you  
must enter into the Nortel SNAS 4050 switch to activate support for the  
additional users. The file can support an additional 100, 250, 500, or 1000  
users.  
ATTENTION  
An authenticated IP Phone is considered to be a licensed user.  
Your unique software license key is based on your switch MAC address.  
Before you obtain your software license file, first record the MAC address  
for the Nortel Secure Network Access Switch to be upgraded. To find the  
MAC address in the Command Line Interface, use the /info/local  
command.  
To obtain your software license file, contact Nortel to order the Nortel SNA  
Software License Certificate. Follow the instructions on this certificate to  
obtain your software license file.  
After you obtain the software license file from Nortel, you must copy  
the entire license key to the switch using the CLI or the BBI. When you  
copy the license key, ensure you include the BEGIN LICENSE and END  
LICENSE lines.  
To copy the license key using the CLI, use the following command:  
/cfg/sys/host <host ID> license <key>  
The following shows a sample display of the CLI interface when copying  
the license key:  
>> Main# cfg/sys/host  
Enter Host number:  
1
>> iSD host 1# license  
Paste the license, press Enter to create a new line,  
and then type "..." (without the quotation marks)  
to terminate.  
> -----BEGIN LICENSE-----  
> U4GsdGVkX36AJpnd8KL4iImtRzBvZy+iANDzxog22+vq6Qx4aawSl4FVQo  
> lXYlsNNFJpYW/vl3osvNPXhzcLV2E9hNHlqirkzc5aLDJ+2xYpK/BRDrMZ  
> 86OQvdBMyer53xgq8Kk/5BvoFcQYvEC/yWrFyrmZr4XPtAr3qmuZ8UxLqJ  
> 0x7PUrp6tVI=  
> -----END LICENSE-----  
> ...  
License loaded  
To copy the license key using the BBI, use the Install New License screen  
(System > Hosts > host > Install New License).  
To view the license using BBI, in the cluster select Cluster > Hosts >  
License from the menu. For more information, see Nortel Secure Network  
Access Switch Configuration — Using the BBI, (NN47230-500).  
Role of the Nortel SNAS  
The Nortel SNAS helps protect the network by ensuring endpoint  
compliance for devices that connect to the network.  
Before allowing a device to have full network access, the Nortel SNAS  
checks user credentials and host integrity against predefined corporate  
policy criteria. Through tight integration with network access devices, the  
Nortel SNAS can:  
dynamically move the user into a quarantine VLAN  
dynamically grant the user full or limited network access  
dynamically apply per port firewall rules that apply to a device’s  
connection  
Once a device has been granted network access, the Nortel SNAS  
continually monitors the health status of the device to ensure continued  
compliance. If a device falls out of compliance, the Nortel SNAS can  
dynamically move the device into a quarantine or remediation VLAN.  
Nortel SNAS functions  
The Nortel SNAS performs the following functions:  
Acts as a web server portal, which is accessed by users in clientless  
mode for authentication and host integrity check and which sends  
remediation instructions and guidelines to endpoint clients if they fail  
the host integrity check.  
Communicates with backend authentication servers to identify  
authorized users and levels of access.  
Acts as a policy server, which communicates with the Nortel Health  
Agent applet that verifies host integrity.  
Instructs the network access devices to move clients to the appropriate  
enforcement zones.  
Can be a DNS proxy in the Red VLAN when the Nortel SNAS functions  
as a captive portal.  
Supports the RADIUS server.  
Supports Microsoft NAP Interoperability.  
Performs session management.  
Monitors the health of clients and switches.  
Performs logging and auditing functions.  
Provides High Availability (HA) through IPmig protocol.  
Nortel SNAS enforcement types  
Nortel SNAS provides several enforcement types for restricting access  
to the network.  
VLANs and filters uses a combination of VLANs and filters to provide  
enforcement. It is available with NSNA network access devices; that is,  
devices that support SSCP (Switch-SNAS Communication Protocol),  
SSCP-Lite, and 802.1x switches.  
Filters only uses only filters to provide enforcement. It is available with  
NSNA network access devices, including Nortel Ethernet Switch  
models 325, 425, 450, 470 and 2500 series and Ethernet Routing  
Switch models 4500 series, 5500 series, 8300 and 8600, as well as  
third-party switches.  
VLANs and filters  
Four types of Layer 2 or Layer 3 VLANs are configured for VLANs and  
filters enforcement:  
Red—extremely restricted access. If the default filters are used, the  
user can communicate only with the Nortel SNAS and the Windows  
domain controller network. There is one Red VLAN for each network  
access device.  
Yellow—restricted access for remediation purposes if the client PC fails  
the host integrity check. Depending on the filters and Nortel Health  
Agent rules configured for the network, the client may be directed to  
a remediation server participating in the Yellow VLAN. There can be  
up to five Yellow VLANs for each network access device. Each user  
group is associated with only one Yellow VLAN.  
Green—full access, in accordance with the user’s access privileges.  
There can be up to five Green VLANs for each network access  
device.  
VoIP—automatic access for VoIP traffic. The network access device  
places VoIP calls in a VoIP VLAN without submitting them to the Nortel  
SNAS authentication and authorization process.  
When a client attempts to connect to the network, the network access  
device places the client in its Red VLAN. The Nortel SNAS authenticates  
the client. By default, the Nortel SNAS then downloads a Nortel Health  
Agent applet to check the integrity of the client host. If the integrity check  
fails, the Nortel SNAS instructs the network access device to move the  
client to a Yellow VLAN, with its associated filter. If the integrity check  
succeeds, the Nortel SNAS instructs the network access device to move  
the client to a Green VLAN, with its associated filter. The network access  
device applies the filters when it changes the port membership.  
The VoIP filters allow IP phone traffic into preconfigured VoIP VLANs, for  
VoIP communication only.  
The default filters can be modified to accommodate network requirements,  
such as Quality of Service (QoS) or specific workstation boot processes  
and network communications.  
For information about configuring VLANs and filters on the network access
devices, see Release Notes for Nortel Ethernet Routing Switch 5500
Series, Software Release 5.0.1, or Release Notes for the Ethernet Routing
Switch 8300, Software Release 2.2.8.
To configure the Nortel SNAS for VLANs and filters enforcement, see  
Filters only  
Filters only enforcement uses two VLANs: Red and VoIP. A client  
computer is placed in the Red VLAN where it is held pending successful  
authentication. If successful, Nortel Health Agent integrity checking can be  
used to determine if remediation is required. Filters are applied to direct  
the client to the appropriate network resources but the client remains in  
the same VLAN regardless of its status. This contrasts with VLANs and  
filters where the client is moved to another VLAN in addition to applying  
filters. Filters only handles IP phones in the same manner as VLANs  
and filters.  
With Filters only, there is less network configuration than with VLANs and  
filters because there are only two VLANs (Red and VoIP) to configure.  
However, the double layer of protection afforded with VLANs and filters  
is not provided.  
To configure the Nortel SNAS for Filters only enforcement, see  
“Configuring groups” (page 156), enftype. Though configuring for Filters  
only can result in higher DNS demands on the Nortel SNAS, using the  
filter DHCP subnet type maintains these demands at the same level as  
with VLANs and filters: for more information, see “Configuring local  
DHCP hub subnet  
DHCP hub subnet enforcement allows the Nortel SNAS to operate with
a broader range of Nortel Ethernet switches as well as third-party network
access devices. Unlike VLANs and filters and Filters only enforcement,
DHCP hub subnet enforcement does not require SSCP support on the
network access device.
The DHCP hub subnet configuration is an integral component of the  
DHCP services provided by the Nortel SNAS. For more information, see  
Groups and profiles  
Users are organized in groups. A location can also be specified in the
user group. Group membership determines:
user access rights
Within the group, extended profiles further refine access rights
depending on the outcome of the Nortel Health Agent checks.
number of sessions allowed
the Nortel Health Agent SRS rule to be applied
what appears on the portal page after the user has been authenticated
For information about configuring groups and extended profiles on the  
Authentication methods  
You can configure more than one authentication method within a Nortel  
SNAS domain. Nortel Secure Network Access Switch Software Release  
2.0 supports the following authentication methods:  
external database  
Remote Authentication Dial-In User Service (RADIUS)  
Lightweight Directory Access Protocol (LDAP)  
The Nortel SNAS authenticates the user by sending a query to an
external RADIUS or LDAP server. This makes it possible to use
authentication databases that already exist within the intranet. The
Nortel SNAS device includes the username and password in the query and
expects the name of one or more access groups in return. The name
of the RADIUS and LDAP access group attribute is configurable.
local authentication databases  
Portal authentication: The Nortel SNAS can store up to 1,000 user  
authentication entries in its own portal database. Each entry in the  
database specifies a username, password, and relevant access  
group.  
Use the local authentication method if no external authentication  
databases exist, for testing purposes, for speedy deployment, or  
as a fallback for external database queries. You can also use the  
local database for authorization only, if an external server provides  
authentication services but cannot be configured to return a list of  
authorized groups.  
MAC authentication: The media access control (MAC) address of  
the end point device can be used for authentication. The Nortel  
SNAS 4050 can store over 10,000 MAC addresses and support  
over 2,000 concurrent MAC sessions. Each entry in the database  
specifies a MAC address, IP type, device type, and group name(s).  
You can optionally specify a user name, IP address of the device,  
comments, and the IP address, unit, and port of the switch to which  
the device is attached.  
You can populate the local authentication databases by manually  
adding entries on the Nortel SNAS, or you can import a database from  
a TFTP/FTP/SCP/SFTP server.  
For information about configuring authentication on the Nortel SNAS, see  
For more information about the way Nortel SNAS controls network access,  
see Nortel Secure Network Access Solution Guide, (NN47230-200).  
Nortel Health Agent host integrity check  
The Nortel Health Agent application checks client host integrity by verifying
that the components you have specified as required for the client’s
personal firewall (executables, DLLs, configuration files, and so on) are
installed and active on the client PC. You specify the required component
entities and the rules that combine them by configuring a Software
Requirement Set (SRS) rule and mapping the rule to a user group.
After a client gets authenticated, the Nortel SNAS downloads a Nortel  
Health Agent as an applet to the client PC. The Nortel Health Agent applet  
fetches the SRS rule applicable for the group to which the authenticated  
user belongs, so that Nortel Health Agent can perform the appropriate host  
integrity check. The Nortel Health Agent applet reports the result of the  
host integrity check to the Nortel SNAS.  
If the required components are present on the client machine, Nortel
Health Agent reports that the SRS rule check succeeded. The Nortel
SNAS then instructs the network access device to permit access to
intranet resources in accordance with the user group’s access privileges.
The Nortel SNAS also requests the Nortel Health Agent applet to redo a
DHCP request in order to renew the client’s DHCP lease with the network
access device.
If the required components are not present on the client machine, Nortel
Health Agent reports that the SRS rule check failed. You configure the
behavior following host integrity check failure: the session can be torn
down, or the Nortel SNAS can instruct the network access device to grant
the client restricted access to the network for remediation purposes.
The Nortel Health Agent applet repeats the host integrity check periodically  
throughout the client session. If the check fails at any time, the client  
is either evicted or quarantined, depending on the behavior you have  
configured. The recheck interval is configurable.  
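As an added example (not code from the Nortel manual or product), the following Python model captures the admission flow described under “VLANs and filters” and “Filters only” above together with the Nortel Health Agent result handling just described: where a client is placed on connect, after portal logon, and after each SRS check or recheck, and how the two enforcement types and the two configurable failure behaviors differ. The VLAN numbers, filter names and the Policy fields are assumptions made for the example.

```python
"""Decision model of the Nortel SNAS admission flow.

Added example, not code from the Nortel manual or product. It captures
only the decision logic described in the text: where a client is placed
on connect, after portal logon, and after each Nortel Health Agent SRS
check, under both enforcement types. VLAN numbers, filter names and the
Policy fields are assumptions made for the example.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Tuple


class Enforcement(Enum):
    VLANS_AND_FILTERS = "vlans_and_filters"   # move VLAN and swap filter
    FILTERS_ONLY = "filters_only"             # stay in Red, swap filter only


class OnFailure(Enum):
    QUARANTINE = "quarantine"   # restricted access for remediation
    TEARDOWN = "teardown"       # session torn down, client evicted


@dataclass(frozen=True)
class Policy:
    enforcement: Enforcement
    on_failure: OnFailure
    red_vlan: int = 110      # assumed ids; one Red VLAN per switch
    yellow_vlan: int = 120   # up to five Yellow per switch
    green_vlan: int = 130    # up to five Green per switch
    voip_vlan: int = 140


@dataclass
class Client:
    mac: str
    is_ip_phone: bool = False
    vlan: Optional[int] = None
    filter: str = "red"
    authenticated: bool = False


def connect(client: Client, policy: Policy) -> Tuple[int, str]:
    """Port comes up. IP phones bypass the portal; everyone else lands in Red."""
    if client.is_ip_phone:
        client.vlan, client.filter = policy.voip_vlan, "voip"
    else:
        client.vlan, client.filter = policy.red_vlan, "red"
    return client.vlan, client.filter


def authenticate(client: Client, policy: Policy, credentials_ok: bool) -> Tuple[int, str]:
    """Portal logon. A failed logon leaves the client in Red with the Red filter."""
    client.authenticated = credentials_ok
    if not credentials_ok:
        client.vlan, client.filter = policy.red_vlan, "red"
    return client.vlan, client.filter


def apply_health_result(client: Client, policy: Policy, srs_passed: bool) -> Tuple[int, str]:
    """Nortel Health Agent reports an SRS result (initial check or periodic recheck).

    The same function handles the recheck: a later failure moves a Green
    client to Yellow (quarantine) or evicts it (teardown), per policy.
    """
    if not client.authenticated:
        # No health verdict may upgrade a client that never authenticated.
        return client.vlan, client.filter
    if srs_passed:
        vlan, flt = policy.green_vlan, "green"
    elif policy.on_failure is OnFailure.QUARANTINE:
        vlan, flt = policy.yellow_vlan, "yellow"
    else:
        client.authenticated = False           # evicted: must log on again
        vlan, flt = policy.red_vlan, "red"
    if policy.enforcement is Enforcement.FILTERS_ONLY:
        vlan = policy.red_vlan                 # filter changes, port membership does not
    client.vlan, client.filter = vlan, flt
    return client.vlan, client.filter
```

The point worth noticing is the last branch: under Filters only the client never leaves the Red VLAN, so the filter is the only control separating a remediated client from a compliant one, which is the “double layer of protection” the text says is lost.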
For information about configuring the Nortel Health Agent host integrity
For information about configuring the SRS rules, see the description of the
Nortel Health Agent SRS Builder in Nortel Secure Network Access Switch
4050 User Guide for the SREM (NN47230-101). For information about
mapping an SRS rule to a group, see “Configuring groups” (page 156).
Multi-OS Applet Support
The Nortel Health Agent captive portal applet supports Windows and
non-Windows operating systems. For non-Windows operating systems
the applet supports collecting operating system information and VLAN
transition.
The “Multi-OS Support” feature allows the Nortel Health Agent to identify
Linux and Macintosh operating system users, collect the device-specific
information, and perform additional compliance checks for those
operating systems.
The following types of Linux operating system are supported:  
RedHat Enterprise Linux 4  
RedHat Enterprise Linux 3  
Fedora Core 6  
Fedora Core 5  
SUSE Linux Enterprise 10  
The following types of Macintosh operating system are supported:  
Mac OS X Server v10.5 Leopard  
Mac OS X Server v10.4 Tiger  
Mac OS X v10.3 Panther  
Mac OS X v10.2  
Mac OS 9  
Communication channels  
Communications between the Nortel SNAS and the key elements of the Nortel
SNAS network are secure and encrypted. Table 2 "Communication channels in the
Nortel SNAS network" (page 33) shows the communication channels in the
network. Note that the table names the protocol used on each channel; the
entries that list only a transport (TCP and UDP within a cluster, UDP from
endpoint to DHCP server) do not by themselves indicate encryption, so keep
those segments on a trusted management network.
Table 2
Communication channels in the Nortel SNAS network

Communication                                            Communication protocol
-------------------------------------------------------  ----------------------
Between Nortel SNAS and edge switches                    SSH
Between Nortel SNAS devices in a cluster                 TCP and UDP
Between Nortel SNAS and client PC (Nortel Health Agent   SSL/TLS
applet)
For Nortel SNAS BBI                                      SSL/TLS
From edge switch to EPM                                  SNMPv3 Inform
From EPM to edge switch                                  Telnet over SSH
From authorized endpoint to DHCP server                  UDP
Telnet or SSH can be used for management communications between
remote PCs and the Nortel SNAS devices. Telnet carries credentials and
commands in cleartext, so use SSH for remote management wherever the
management station supports it.
About SSH
The Secure Shell (SSH) protocol provides secure and encrypted
communication between the Nortel SNAS and the network access devices,
and between Nortel SNAS devices and remote management PCs not using
Telnet.
SSH uses either password authentication or public key authentication.  
With public key authentication, pairs of public/private SSH host keys  
protect against "man in the middle" attacks by providing a mechanism for  
the SSH client to authenticate the server. SSH clients keep track of the  
public keys to be used to authenticate different SSH server hosts.  
SSH clients in the Nortel SNAS network do not silently accept new keys  
from previously unknown server hosts. Instead, they refuse the connection  
if the key does not match their known hosts.  
The Nortel SNAS supports the use of three different SSH host key types:
RSA1
RSA
DSA
SSH protocol version 1 always uses RSA1 keys. SSH protocol version
2 uses either RSA or DSA keys. SSH protocol version 1 has known
cryptographic weaknesses and is deprecated in current SSH implementations;
use protocol version 2 (RSA or DSA keys) wherever the peer supports it.
For management communications in the Nortel SNAS, the Nortel SNAS  
can act both as SSH server (when a user connects to the CLI using an  
SSH client) and as SSH client (when the Nortel SNAS initiates file or data  
transfers using the SCP or SFTP protocols).  
For information about managing SSH keys for communication between  
the Nortel SNAS and the network access devices, see “Managing SSH  
For information about managing SSH keys for Nortel SNAS management  
284).  
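The host key behavior described above (refuse a key that does not match the known entry, and refuse a previously unknown host rather than silently accepting it) is the property worth checking in any SSH client that talks to the network access devices. The following Python block is an added example, not Nortel code: it parses OpenSSH-format known_hosts lines, computes an OpenSSH-style SHA256 fingerprint, and returns a match/mismatch/unknown verdict with a constant-time comparison. The known_hosts text and the key blobs are constructed for illustration and are not real keys.

```python
"""Strict SSH host-key checking of the kind the text describes for the
Nortel SNAS SSH clients: an offered key that differs from the pinned one
is refused (possible man in the middle), and a host with no pinned key is
refused rather than silently accepted.

Added example, not Nortel code. The known_hosts text and key blobs below
are constructed for illustration; they are not real keys.
"""
import base64
import hashlib
import hmac
from enum import Enum
from typing import Dict, Tuple


class HostKeyResult(Enum):
    MATCH = "match"         # pinned key matches: proceed
    MISMATCH = "mismatch"   # pinned key differs: refuse and investigate
    UNKNOWN = "unknown"     # no pinned key: refuse, pin it out of band first


def fingerprint(key_blob: bytes) -> str:
    """OpenSSH-style SHA256 fingerprint: unpadded base64 of sha256(key blob)."""
    digest = hashlib.sha256(key_blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_known_hosts(text: str) -> Dict[Tuple[str, str], bytes]:
    """Parse '<host[,host...]> <keytype> <base64 key> [comment]' lines."""
    pinned: Dict[Tuple[str, str], bytes] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 3:
            continue  # malformed: never trust a partial entry
        hosts, keytype, key_b64 = parts[0], parts[1], parts[2]
        blob = base64.b64decode(key_b64)
        for host in hosts.split(","):
            pinned[(host, keytype)] = blob
    return pinned


def verify_host_key(host: str, keytype: str, offered: bytes,
                    pinned: Dict[Tuple[str, str], bytes]) -> HostKeyResult:
    """Compare the key offered by the server with the pinned key for (host, keytype)."""
    entry = pinned.get((host, keytype))
    if entry is None:
        return HostKeyResult.UNKNOWN
    if hmac.compare_digest(entry, offered):
        return HostKeyResult.MATCH
    return HostKeyResult.MISMATCH


def should_connect(result: HostKeyResult) -> bool:
    """Only an exact match is allowed through; unknown hosts are not auto-added."""
    return result is HostKeyResult.MATCH


# Constructed sample data (not real keys).
SWITCH_KEY = b"constructed-edge-switch-rsa-key-blob"
ROGUE_KEY = b"constructed-attacker-rsa-key-blob"
KNOWN_HOSTS = (
    "# edge switches controlled by this Nortel SNAS (constructed)\n"
    "192.0.2.10,edge1 ssh-rsa " + base64.b64encode(SWITCH_KEY).decode() + "\n"
    "192.0.2.11 ssh-dss " + base64.b64encode(b"constructed-dsa-key-blob").decode() + "\n"
)

if __name__ == "__main__":
    pinned = parse_known_hosts(KNOWN_HOSTS)
    for host, key in (("192.0.2.10", SWITCH_KEY), ("192.0.2.10", ROGUE_KEY),
                      ("192.0.2.99", SWITCH_KEY)):
        verdict = verify_host_key(host, "ssh-rsa", key, pinned)
        print(host, fingerprint(key), verdict.value,
              "connect" if should_connect(verdict) else "refuse")
```

A mismatch is the case to alert on: the switch's key changed, or something between the Nortel SNAS and the switch is answering in its place. An unknown host is handled by exporting the key out of band (the roadmap's "export the SSH key" step), never by accepting whatever the first connection offers.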
Nortel SNAS clusters  
For Release 1.6.1  
A cluster is a group of Nortel SNAS 4050 devices that share the same  
configuration parameters. Nortel Secure Network Access Switch Software  
Release 1.6.1 supports four Nortel SNAS 4050 devices, or nodes, in a  
cluster. A network can contain multiple clusters.  
For Release 2.0  
A cluster is a group of Nortel SNAS 4050 or 4070 devices that share the  
same configuration parameters. Nortel Secure Network Access Switch  
Software Release 2.0 supports a combination of four Nortel SNAS 4050  
and 4070 devices, or nodes, in a cluster. A Nortel SNAS network can  
contain multiple clusters.  
Clustering offers the following benefits:  
manageability—The cluster is a single, seamless unit that automatically  
pushes configuration changes to its members.  
scalability—The Nortel SNAS nodes in a cluster share the burden  
of resource-intensive operations. The cluster distributes control of  
the network access devices between the Nortel SNAS nodes and  
distributes handling of session logon. As a result, Nortel SNAS devices  
in a cluster can control more switches and handle more user sessions.  
fault tolerance—If a Nortel SNAS device fails, the failure is detected by
the other nodes in the cluster, which take over the switch control and
session handling functions of the failed device. As long as there is one
running Nortel SNAS, no sessions are lost.
The devices in the cluster can be located anywhere in the network and  
do not have to be physically connected to each other. All the Nortel  
SNAS devices in the cluster must be in the same subnet. The cluster is  
created during initial setup of the second node, when you specify that  
the setup is a join operation and you associate the node with an existing  
Management IP address (MIP).  
For more information about Nortel SNAS IP addresses, see “About the IP  
addresses” (page 42). For information about adding a node to a cluster,  
Interface configuration  
The Nortel SNAS must interface to two kinds of traffic: client and  
management. The interface to the client side handles traffic between the  
Nortel Health Agent applet on the client and the portal. The interface to  
the management side handles Nortel SNAS management traffic (traffic  
connecting the Nortel SNAS to internal resources and configuring the  
Nortel SNAS from a management station).  
The Nortel SNAS supports what is known as a one-armed configuration.
The following section describes this configuration type.
One armed configuration
In a one-armed configuration, the Nortel SNAS has only one interface,
which acts as both the client portal interface and the management traffic
interface. Figure 1 illustrates this configuration.
Figure 1
One armed configuration
Nortel SNAS configuration and management tools  
You can use a number of device and network management tools to  
configure and manage the Nortel SNAS:  
Command Line Interface (CLI)  
You must use the CLI to perform initial setup on the Nortel SNAS and  
to set up the Secure Shell (SSH) connection between the Nortel SNAS  
and the network access devices, and between the Nortel SNAS and  
the GUI management tool. You can then continue to use the CLI to  
configure and manage the Nortel SNAS, or you can use the GUI.  
The configuration chapters in this User Guide describe the specific CLI  
commands used to configure the Nortel SNAS. For general information  
about using the CLI, see “The Command Line Interface” (page 377).  
Security & Routing Element Manager (SREM)  
The SREM is a GUI application you can use to configure and manage  
the Nortel SNAS.  
For information about configuring the Nortel SNAS using the SREM,
see Nortel Secure Network Access Switch 4050 User Guide for the
SREM (NN47230-101). For general information about installing and
using the SREM, see Installing and Using the Security, .
Browser Based Interface (BBI)  
The BBI is a web browser application you can use to configure and  
manage the Nortel SNAS.  
For information about configuring the Nortel SNAS using the BBI, see  
Nortel Secure Network Access Switch Configuration — Using the BBI  
(NN47230-500).  
Enterprise Policy Manager (EPM) release 4.2  
Enterprise Policy Manager (EPM) is a security policy and quality  
of service provisioning application. You can use EPM to provision  
filters on the Nortel SNAS network access devices. EPM 4.2 supports  
preconfiguration of Red, Yellow, and Green VLAN filters prior to  
enabling the Nortel SNAS feature. In future releases of the Nortel  
SNAS and EPM software, users will have the additional ability to add  
and modify security and quality of service filters while Nortel SNAS is  
enabled on the device.  
For general information about installing and using EPM, see Installing
Nortel Enterprise Policy Manager (318389).
Simple Network Management Protocol (SNMP) agent  
For information about configuring SNMP for the Nortel SNAS, see  
Nortel SNAS configuration roadmap  
The following task list is an overview of the steps required to configure the
Nortel SNAS.
Step Action
1 Configure the network DNS server to create a forward lookup
zone for the Nortel SNAS domain.
2 Configure the network DHCP server.
For each VLAN:
a Create a DHCP scope.
b Specify the IP address range and subnet mask for that
scope.
c Configure the following DHCP options:
Specify the default gateway.
Specify the DNS server to be used by endpoints in that
scope.
If desired, configure DHCP so that the IP Phones learn
their VLAN configuration data automatically from the
DHCP server. For more information, see “Configuring
ATTENTION
For the Red VLANs, the DNS server setting is one of the Nortel
SNAS portal Virtual IP addresses (pVIP).
While the endpoint is in the Red VLAN, there are limited DNS server
functions to be performed, and the Nortel SNAS itself acts as the
DNS server. When the endpoint is in one of the other VLANs, DNS
requests are forwarded to the corporate DNS servers.
The DNS server setting is required for the captive portal to work.
3 Configure the network core router:
a Create the Red, Yellow, Green, VoIP, and Nortel SNAS  
management VLANs.  
b If the edge switches are operating in Layer 2 mode, enable  
802.1q tagging on the uplink ports to enable them to  
participate in multiple VLANs, then add the ports to the  
applicable VLANs.  
ATTENTION  
The uplink ports must participate in all the VLANs.  
c Configure IP addresses for the VLANs.  
These IP interfaces are the default gateways the DHCP  
Relay will use.  
d If the edge switches are operating in Layer 2 mode, configure  
DHCP relay agents for the Red, Yellow, Green, and VoIP  
VLANs.  
Use the applicable show commands on the router to verify  
that DHCP relay is activated to reach the correct scope for  
each VLAN.  
For more information about performing these general  
configuration steps, see the regular documentation for the type  
of router used in your network.  
4 Configure the network access devices:
a Configure static routes to all the networks behind the core
router.
b Configure the switch management VLAN, if necessary.
c Configure and enable SSH on the switch.
d Configure the Nortel SNAS portal Virtual IP address
(pVIP)/subnet.
e Configure port tagging, if applicable.
For a Layer 2 switch, the uplink ports must be tagged to allow
them to participate in multiple VLANs.
f Create the port-based VLANs.
These VLANs are configured as VoIP, Red, Yellow, and
Green VLANs in step i and step j.
g Configure DHCP relay and IP routing if the switch is used in
Layer 3 mode.
h (Optional) Configure the Red, Yellow, Green, and VoIP filters.
The filters are configured automatically as predefined defaults
when you configure the Red, Yellow, and Green VLANs (step
j). Configure the filters manually only if your particular system
setup requires you to modify the default filters. You can
modify the filters after Nortel SNAS is enabled.
i Configure the VoIP VLANs.
j Configure the Red, Yellow, and Green VLANs, associating
each with the applicable filters.
k Configure the Nortel SNAS ports.
Identify switch ports as either uplink or dynamic. When you
configure the uplink ports, you associate the Nortel SNAS
VLANs with those ports. Clients are connected on the
dynamic ports. You can configure Nortel SNAS ports (both
dynamic and uplink) after Nortel SNAS is enabled globally.
l Enable Nortel SNAS globally.
For more information about configuring an Ethernet Routing
Switch 5510, 5520, or 5530 in a Nortel SNAS network, see
Release Notes for Nortel Ethernet Routing Switch 5500 Series,
Software Release 5.0.1.
For more information about configuring an Ethernet Routing
Switch 8300 in a Nortel SNAS network, see Release Notes for
the Ethernet Routing Switch 8300, Software Release 2.2.8.
For an example of the commands used to create a Nortel SNAS  
5 Perform the initial setup on the Nortel SNAS (see “Initial setup”
(page 43)). Nortel recommends running the quick setup wizard
during initial setup, in order to create and configure basic
settings for a fully functional portal.
6 Enable SSH and SRS Admin to allow communication with the
7 Generate and activate the SSH key for communication
between the Nortel SNAS and the network access devices (see
8 Specify the Software Requirement Set (SRS) rule for the default
nhauser group (see “Configuring groups” (page 156)).
9 Add the network access devices and export the SSH key (see
10 Specify the VLAN mappings (see “Mapping the VLANs” (page
66)).
11 Test Nortel SNAS connectivity by using the /maint/chkcfg
149)).
12 Configure client filters (see “Configuring client filters” (page
162)).
13 Configure extended profiles (see “Configuring extended profiles”
14 Specify the authentication mechanisms (see “Configuring
15 Configure system users (see “Managing system users and
16 Configure the end user experience (see “Customizing the portal
--End--
Initial setup  
This chapter includes the following topics:  
Topic  
Before you begin  
Before you can set up the Nortel SNAS, you must complete the following
tasks:
Step Action
1 Plan the network. For more information, see Nortel Secure
Network Access Solution Guide, (NN47230-200).
In order to configure the Nortel SNAS, you require the following
information:
IP addresses
— Nortel SNAS Management IP address (MIP), portal Virtual
IP address (pVIP), Real IP address (RIP)
— default gateway
— DNS server
— NTP server (if applicable)
— external authentication servers (if applicable)
— network access devices
— remediation server (if applicable)
For more information about the Nortel SNAS MIP, pVIP, and
VLAN IDs
— Nortel SNAS management VLAN
— Red VLANs
— Yellow VLANs
— Green VLANs
— VoIP VLANs (optional)
Groups and profiles to be configured
2 Configure the network DNS server, DHCP server, core router,
and network access devices, as described in “Nortel SNAS
3 Install the Nortel SNAS device. For more information, see
Nortel Secure Network Access Switch 4050 Installation Guide
(NN47230-300).
4 Establish a console connection to the Nortel SNAS (see
--End--
About the IP addresses  
Management IP address  
The Management IP address (MIP) identifies the Nortel SNAS in the  
network. In a multi-Nortel SNAS solution, the MIP is an IP alias to one  
of the Nortel SNAS devices in the cluster and identifies the cluster. The  
MIP always resides on a master Nortel SNAS device. If the master Nortel  
SNAS that currently holds the MIP fails, the MIP automatically migrates to  
a functional master Nortel SNAS. In order to configure the Nortel SNAS or  
Nortel SNAS cluster remotely, you connect to the MIP using Telnet (for the  
CLI) or SSH (for the CLI, the SREM or the BBI).  
Portal Virtual IP address  
The portal Virtual IP address (pVIP) is the address assigned to the Nortel  
SNAS device’s web portal server. The pVIP is the address to which clients  
connect in order to access the Nortel SNAS network. While the client is in  
the Red VLAN and the Nortel SNAS is acting as DNS server, the pVIP is  
the DNS server IP address. Although it is possible to assign more than  
one pVIP to a Nortel SNAS device, Nortel recommends that each Nortel  
SNAS have only one pVIP. When the Nortel SNAS portal is configured as  
a captive portal, the pVIP is used to load balance logon requests.  
Real IP address  
The Real IP address (RIP) is the Nortel SNAS device host IP address for  
network connectivity. The RIP is the IP address used for communication  
between Nortel SNAS devices in a cluster. The RIP must be unique on the  
network and must be within the same subnet as the MIP.  
ATTENTION  
Nortel recommends that you always use the MIP for remote configuration, even  
though it is possible to configure the Nortel SNAS device remotely by connecting  
to its RIP. Connecting to the MIP allows you to access all the Nortel SNAS  
devices in a cluster. The MIP is always up, even if one of the Nortel SNAS  
devices is down and therefore not reachable at its RIP.  
ATTENTION  
If an IP address — MIP, VIP, RIP, or gateway — is changed, the Nortel SNAS  
must be rebooted for the change to take effect.  
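The addressing rules in this section (RIP, MIP and default gateway in one subnet, each RIP unique, one pVIP recommended) and the roadmap's requirement that every Red VLAN DHCP scope hand out a pVIP as its DNS server are easy to get wrong and only show up as a broken captive portal after the reboot. The following Python block is an added example, not Nortel code: a pre-flight validator for an addressing plan. The SnasPlan structure and the sample addresses are constructed for the example.

```python
"""Pre-flight check of a Nortel SNAS addressing plan against the rules in
this chapter and the configuration roadmap: the default gateway and every
RIP share the MIP's subnet, every RIP is unique, a single pVIP is used, and
each Red VLAN DHCP scope hands out a pVIP as its DNS server.

Added example, not Nortel code. The plan structure and the sample
addresses below are constructed for the example.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class SnasPlan:
    netmask: str                  # mask of the one-armed interface (Interface 1)
    mip: str                      # Management IP, cluster-wide
    gateway: str                  # default gateway on the core router
    rips: List[str]               # one Real IP per node
    pvips: List[str]              # portal Virtual IPs
    red_scope_dns: Dict[int, str] = field(default_factory=dict)  # Red VLAN id -> DHCP DNS option


def validate_plan(plan: SnasPlan) -> List[str]:
    """Return a list of problems; an empty list means the plan is consistent."""
    problems: List[str] = []
    mip = ipaddress.ip_address(plan.mip)
    subnet = ipaddress.ip_network(f"{plan.mip}/{plan.netmask}", strict=False)
    gateway = ipaddress.ip_address(plan.gateway)

    def check_in_subnet(label: str, addr: ipaddress.IPv4Address) -> None:
        if addr not in subnet:
            problems.append(f"{label} {addr} is outside {subnet}; it must share the MIP subnet")
        elif addr in (subnet.network_address, subnet.broadcast_address):
            problems.append(f"{label} {addr} is the network or broadcast address")

    check_in_subnet("default gateway", gateway)
    if gateway == mip:
        problems.append(f"default gateway {gateway} is the same address as the MIP")
    seen = {mip: "MIP", gateway: "default gateway"}
    for rip_text in plan.rips:
        rip = ipaddress.ip_address(rip_text)
        check_in_subnet("RIP", rip)
        if rip in seen:
            problems.append(f"RIP {rip} duplicates the {seen[rip]}; each RIP must be unique")
        seen[rip] = "RIP"

    if len(plan.pvips) != 1:
        problems.append(f"{len(plan.pvips)} pVIPs defined; Nortel recommends exactly one per Nortel SNAS")
    pvips = {ipaddress.ip_address(p) for p in plan.pvips}
    for vlan_id, dns in plan.red_scope_dns.items():
        if ipaddress.ip_address(dns) not in pvips:
            problems.append(f"Red VLAN {vlan_id} scope uses DNS {dns}, which is not a pVIP; "
                            f"the captive portal will not work")
    return problems


# Constructed sample plan: a two-node cluster on 192.0.2.0/24.
GOOD_PLAN = SnasPlan(netmask="255.255.255.0", mip="192.0.2.20", gateway="192.0.2.1",
                     rips=["192.0.2.21", "192.0.2.22"], pvips=["192.0.2.30"],
                     red_scope_dns={110: "192.0.2.30"})

if __name__ == "__main__":
    for problem in validate_plan(GOOD_PLAN) or ["plan is consistent"]:
        print(problem)
```

Run it against the planned values before step 4 of the initial setup; because an address change later requires a reboot, catching a gateway in the wrong subnet or a Red scope pointing at the corporate DNS server here is considerably cheaper than after the device is in service.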
Initial setup  
The initial setup is a guided process that launches automatically the first  
time you power up the Nortel SNAS and log on. You must use a console  
connection in order to perform the initial setup.  
For a standalone Nortel SNAS or the first Nortel SNAS in a cluster, see  
43).  
To add a Nortel SNAS to a cluster, see “Adding a Nortel SNAS device  
Setting up a single Nortel SNAS device or the first in a cluster  
Step  
1
Action  
Log on using the following default username and password:
login: admin
Password: admin
The Setup Menu appears. Change the default admin password as soon as
the initial setup is complete; the factory credentials are published in this
document.
Alteon iSD NSNAS
Hardware platform: 4050
Software version: x.x
-------------------------------------------------------
[Setup Menu]
join - Join an existing cluster
new - Initialize host as a new installation
boot - Boot menu
info - Information menu
exit - Exit [global command, always available]
>> Setup#
2 Select the option for a new installation.
>> Setup# new
Setup will guide you through the initial configuration.
3 Specify the management interface port number. This port will be
assigned to Interface 1.
Enter port number for the management interface [1-4]:
<port>
In a one-armed configuration, you are specifying the port you
want to use for all network connectivity, since Interface 1 is used
for both management traffic (Nortel SNAS management and
connections to intranet resources) and client portal traffic (traffic
between the Nortel Health Agent applet on the client and the
portal).
4
Specify the RIP for this device. This IP address will be assigned  
to Interface 1.  
Enter IP address for this machine (on management  
interface): <IPaddr>  
The RIP must be unique on the network and must be within the  
same subnet as the MIP.  
5 Specify the network mask for the RIP on Interface 1.
Enter network mask [255.255.255.0]: <mask>
6 If the core router attaches VLAN tag IDs to incoming packets,
specify the VLAN tag ID used.
Enter VLAN tag id (or zero for no VLAN) [0]:
If you do not specify a VLAN tag id (in other words, you accept
the default value of zero), the traffic will not be VLAN tagged.
When configuring the network access devices in Layer 2
configurations, ensure that you add the uplink ports to the Nortel
SNAS management VLAN, for traffic between the Nortel SNAS
and the network access device.
7 Specify the default gateway IP address.
Enter default gateway IP address (or blank to skip):
<IPaddr>
The default gateway is the IP address of the interface on the
core router that will be used if no other interface is specified. The
default gateway IP address must be within the same network
address range as the RIP.
8 Specify the MIP for this device or cluster.
Enter the Management IP (MIP) address: <IPaddr>
Making sure the MIP does not exist...ok
Trying to contact gateway...ok
The MIP must be unique on the network and must be within the
same subnet as the RIP and the default gateway for Interface 1.
WARNING  
If you receive an error message that the iSD (the  
Nortel SNAS device) cannot contact the gateway,  
verify your settings on the core router. Do not  
proceed with the initial setup until the connectivity test  
succeeds.  
9 Configure the interface for client portal traffic (Interface 2).
a Specify a port number for the client portal interface. This port will be assigned to Interface 2. The port number must not be the same as the port number for the management interface (Interface 1).
b Specify the RIP for Interface 2.
c Specify the network mask for the RIP on Interface 2.
d If the core router attaches VLAN tag IDs to incoming packets, specify the VLAN tag ID used.
e Specify the default gateway IP address for Interface 2. The default gateway is the IP address of the interface on the core router that will be used if no other interface is specified. The default gateway IP address on Interface 2 must be within the same subnet as the RIP for Interface 2.
Enter port number for the traffic interface [1-4]: <port>
Enter IP address for this machine (on traffic interface): <IPaddr>
Enter network mask [255.255.255.0]: <mask>
Enter VLAN tag id (or zero for no VLAN) [0]:
Enter default gateway IP address (on the traffic interface): <IPaddr>
10 Specify the time zone.
Enter a timezone or ’select’ [select]: <timezone>
If you do not know the time zone you need, press <CR> to access the selection menus:
Select a continent or ocean: <Continent or ocean by number>
Select a country: <Country by number>
Select a region: <Region by number, if applicable>
Selected timezone: <Suggested timezone, based on your selections>
11 Enter the current date settings.
Enter the current date (YYYY-MM-DD) [2008-03-10]:
12 Enter the current time settings.
Enter the current time (HH:MM:SS) [00:04:10]:
13 Specify the NTP server, if applicable.
Enter NTP server address (or blank to skip): <IPaddr>
ATTENTION
If you do not have access to an NTP server at this point, you can configure this item after the initial setup is completed. See
14 Specify the DNS server.
Enter DNS server address (or blank to skip): <IPaddr>
15 Generate the new SSH host keys for secure management and maintenance communication from and to Nortel SNAS devices.
Generate new SSH host keys (yes/no) [yes]:
This may take a few seconds...ok
If you do not generate the SSH host keys at this stage, generate them later when you configure the system (see “Configuring
For communication between the Nortel SNAS and the network access devices, generate the SSH key after you have completed the initial setup (see “Managing SSH keys” (page 68)).
16 Change the admin user password, if desired.
Enter a password for the "admin" user:
Re-enter to confirm:
Make sure you remember the password you define for the admin user. You will need to provide the correct admin user password when logging in to the Nortel SNAS (or the Nortel SNAS cluster) for configuration purposes.
17 Run the Nortel SNAS quick setup wizard. This creates all the settings required to enable a fully functional portal, which you can customize later (see “Configuring the domain” (page 79)). For information about the default settings created by the wizard,
18 Start the quick setup wizard.
Run NSNAS quick setup wizard [yes]: yes
Creating default networks under /cfg/doamin #/aaa/network
19 Specify the portal virtual IP address (pvip) of the Nortel SNAS device.
Enter NSNAS Portal Virtual IP address(pvip): <IPaddr>
20 Specify a name for the Nortel SNAS domain.
Enter NSNAS Domain name: <name>
21 Specify any domain names you wish to add to the DNS search list, as a convenience to clients. If the domain name is in the DNS search list, clients can use a shortened form of the domain name in the address fields on the Nortel SNAS portal.
Enter comma separated DNS search list (eg company.com,intranet.company.com):
For example, if you entered company.com in the DNS search list, users can type nsnas to connect to nsnas.company.com from the portal page.
22 If you want to enable HTTP to HTTPS redirection, create a redirect server.
Create http to https redirect server [yes]:
23 Specify the action to be performed when an SRS rule check fails. The options are:
- restricted. The session remains intact, but access is restricted in accordance with the rights specified in the access rules for the group.
- teardown. The SSL session is torn down.
The default is restricted.
Use restricted (teardown/restricted) action for Nortel Health Agent check failure? [yes]:
24 Create the default user and group.
The action to be performed when the Nortel Health Agent check fails depends on your selection in step f.
Using ’restricted’ action for Nortel Health Agent check failure.
Setting up user account policies...
Create default user account [yes]:
User name: nha
User password: nha
Creating SRS rule ’srs-rule-test’ for compliancy check.
This rule check for the presence of the file C:\tunnelguard\tg.txt
Creating client filter ’nha_passed’.
Creating client filter ’nha_failed’.
Creating linkset ’nha_passed’.
Creating linkset ’nha_failed’.
Creating group ’nhauser’ with secure access.
Associating group ’nhauser’ with srs rule ’srs-rule-test’.
Creating extended profile, full access when nha_passed
Enter green vlan id [110]: <VID>
Creating extended profile, remediation access when nha_failed
Enter yellow vlan id [120]: <VID>
Creating user ’nha’ in group ’nhauser’.
Setting up system account policies...
Create default system account [yes]:
System account name: sys
System account password: sys
Creating client filter ’nha_passed’.
Creating client filter ’nha_system_failed’.
Creating SRS rule ’srs-rule-syscred-test’ for compliancy check.
This rule check for the presence of the file C:\tunnelguard\tg.txt
Creating linkset ’nha_system_passed’.
Creating linkset ’nha_system_failed’.
Creating group ’nhauser’ with secure access.
Associating group ’nhasystem’ with srs rule ’srs-rule-syscred-test’.
Creating extended profile, full access when nha_system_passed
Enter system green vlan id [115]: <VID>
Creating extended profile, remediation access when nha_system_failed
Enter yellow vlan id [120]: <VID>
Creating system account ’nha’ in group ’nhasystem’.
Setting activation date to 2008 03 10 0:03.
Setting earliest push date to 2008 03 09 23:59.
Setting system credentials in group ’nhasystem’.
Would you like to enable the Nortel Desktop Agent? [yes]:
Enabling Nortel Desktop Agent login on the captive portal.
Enable secure web based configuration management [yes]:
Enabling configuration management to https://192.168.0.62:4443
Loading default radius dictionaries. Initializing system......ok
Setup successful. Relogin to configure.
--End--  
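The address and port rules stated in steps 4 to 9 (RIP unique and in the MIP's subnet, gateway in the RIP's subnet, Interface 2 on a different port than Interface 1, Interface 2 gateway in the Interface 2 subnet) can be checked on paper before you type them at the console, which avoids the failed "Trying to contact gateway" test mid-setup. The script below is an added example written for this guide; it is not part of the Nortel SNAS software and does not talk to the device. The SetupPlan values are constructed, the port range 1-4 and VLAN tag range 0-4094 (0 meaning untagged) are taken from the prompts shown above, and the subnet rules are those the step text states.

```python
"""Pre-flight check of the answers planned for the Nortel SNAS 'new' setup.

Added example for this guide; it is not part of the Nortel SNAS software.
It encodes the address and port rules stated in the setup steps: the RIP on
Interface 1 must be unique and share the MIP's subnet, the Interface 1
default gateway must be in the same subnet as the RIP, the Interface 2 port
must differ from the Interface 1 port, and the Interface 2 gateway must be
in the Interface 2 RIP's subnet.  Port range 1-4 and VLAN tag range 0-4094
(0 = untagged) are taken from the setup prompts.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class SetupPlan:
    """Values you intend to type at the setup prompts (constructed input)."""
    mgmt_port: int            # Interface 1 port, 1-4
    mgmt_rip: str             # RIP on Interface 1
    mgmt_mask: str            # network mask, dotted form as at the prompt
    mgmt_gateway: str         # default gateway on Interface 1
    mip: str                  # Management IP of the device or cluster
    mgmt_vlan: int = 0        # VLAN tag id, 0 = not tagged
    traffic_port: Optional[int] = None      # Interface 2; None in one-armed mode
    traffic_rip: Optional[str] = None
    traffic_mask: Optional[str] = None
    traffic_gateway: Optional[str] = None
    traffic_vlan: int = 0


def _subnet(ip: str, mask: str) -> ipaddress.IPv4Network:
    """Subnet of an address under a dotted mask, e.g. 10.1.1.5/255.255.255.0."""
    return ipaddress.IPv4Network(f"{ip}/{mask}", strict=False)


def check_plan(plan: SetupPlan) -> List[str]:
    """Return a list of rule violations; an empty list means the plan passes."""
    problems: List[str] = []

    # Port and VLAN tag ranges, as offered by the setup prompts.
    for label, port in (("Interface 1", plan.mgmt_port), ("Interface 2", plan.traffic_port)):
        if port is not None and not 1 <= port <= 4:
            problems.append(f"{label}: port {port} is outside the range 1-4")
    if plan.traffic_port is not None and plan.traffic_port == plan.mgmt_port:
        problems.append("Interface 2 port must not equal the Interface 1 port")
    for label, tag in (("Interface 1", plan.mgmt_vlan), ("Interface 2", plan.traffic_vlan)):
        if not 0 <= tag <= 4094:
            problems.append(f"{label}: VLAN tag {tag} is outside the range 0-4094")

    # Interface 1: RIP, MIP and default gateway must share one subnet.
    try:
        rip = ipaddress.IPv4Address(plan.mgmt_rip)
        mip = ipaddress.IPv4Address(plan.mip)
        gateway = ipaddress.IPv4Address(plan.mgmt_gateway)
        net1 = _subnet(plan.mgmt_rip, plan.mgmt_mask)
    except ValueError as exc:
        return problems + [f"Interface 1: invalid address or mask ({exc})"]
    if rip == mip:
        problems.append("RIP must be unique: it equals the MIP")
    if mip not in net1:
        problems.append(f"MIP {mip} is not in the Interface 1 subnet {net1}")
    if gateway not in net1:
        problems.append(f"Interface 1 gateway {gateway} is not in subnet {net1}")

    # Interface 2, when configured: its RIP must be unique and its gateway local.
    if plan.traffic_rip is not None:
        try:
            rip2 = ipaddress.IPv4Address(plan.traffic_rip)
            net2 = _subnet(plan.traffic_rip, plan.traffic_mask or "")
            gateway2 = ipaddress.IPv4Address(plan.traffic_gateway or "")
        except ValueError as exc:
            return problems + [f"Interface 2: invalid address or mask ({exc})"]
        if rip2 in (rip, mip):
            problems.append("Interface 2 RIP must be unique: it collides with the RIP or MIP")
        if gateway2 not in net2:
            problems.append(f"Interface 2 gateway {gateway2} is not in subnet {net2}")
    return problems


if __name__ == "__main__":
    # Constructed sample plan; 192.168.0.62 mirrors the address in the transcript above.
    plan = SetupPlan(mgmt_port=1, mgmt_rip="192.168.0.62", mgmt_mask="255.255.255.0",
                     mgmt_gateway="192.168.0.1", mip="192.168.0.60",
                     traffic_port=2, traffic_rip="10.20.30.5", traffic_mask="255.255.255.0",
                     traffic_gateway="10.20.30.1")
    for problem in check_plan(plan) or ["plan passes all checks"]:
        print(problem)
```

Run it once with the addresses you plan to enter; every line it prints corresponds to a prompt in the procedure above that would otherwise fail the gateway test or leave the MIP unreachable from the RIP.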
Settings created by the quick setup wizard
The quick setup wizard creates the following basic Nortel SNAS settings:
Step Action
1 A Nortel SNAS domain (Domain 1). A Nortel SNAS domain encompasses all switches, authentication servers, and remediation servers associated with the Nortel SNAS.
2 A virtual SSL server. A portal IP address, or pVIP, is assigned to the virtual SSL server. Clients connect to the pVIP in order to access the portal.
3 A test certificate is installed and mapped to the Nortel SNAS portal.
4 The authentication method is set to Local database.
5 One test user is configured. You were prompted to set a user name and password during the quick setup wizard (in this example, user name and password are both set to nha). The test user belongs to a group called nhauser. There are two profiles within the group: nha_passed and nha_failed. Each profile is associated with a client filter and a linkset. The profiles determine the VLAN to which the user is allocated. Table 3 "Extended profile details" (page 50) shows the extended profiles that have been created.
Table 3 Extended profile details
Index   Client filter name   VLAN ID   Linkset name
1       nha_failed           yellow    nha_failed
2       nha_passed           green     nha_passed
6 One or several domain names have been added to the DNS search list, depending on what you specified at the prompt in the quick setup wizard. This means that the client can enter a short name in the portal’s various address fields (for example, inside instead of inside.example.com if example.com was added to the search list).
7 If you selected the option to enable http to https redirection, an HTTP server was created to redirect requests made with http to https, since the Nortel SNAS portal requires an SSL connection.
--End--
Adding a Nortel SNAS device to a cluster  
After you have installed the first Nortel SNAS in a cluster (see “Setting  
can add another Nortel SNAS to the cluster by configuring the second  
Nortel SNAS setup to use the same MIP. When you set up the Nortel  
SNAS to join an existing cluster, the second Nortel SNAS gets most of its  
configuration from the existing Nortel SNAS device in the cluster. The  
amount of configuration you need to do at setup is minimal.  
You can later modify settings for the cluster, the device, and the interfaces  
using the /cfg/sys/[host <host ID> /interface] commands.  
Before you begin  
Log on to the existing Nortel SNAS device to check the software version  
and system settings. Use the /boot/software/cur command to  
check the currently installed software version (for more information, see  
/cfg/sys/accesslist/list command to view settings for the Access  
List (for more information, see “Configuring the Access List” (page 273)).  
Do not proceed with the join operation until the following requirements are met.
- Verify that the IP addresses you will assign to the new Nortel SNAS device conform to Nortel SNAS network requirements. For more
- The Access List is updated, if necessary.
The Access List is a system-wide list of IP addresses for hosts authorized to access the Nortel SNAS devices by Telnet and SSH. If the /info/sys command executed on the existing Nortel SNAS shows no items configured for the Access List, no action is required. However, if the Access List is not empty before the new Nortel SNAS joins the cluster, you must add to the Access List the cluster’s MIP, the existing Nortel SNAS RIP on Interface 1, and the new Nortel SNAS RIP on Interface 1. You must do this before you perform the join operation, or the devices will not be able to communicate with each other.
For information about adding entries to the Access List, see
- The existing Nortel SNAS and the new Nortel SNAS must run the same version of software. If the versions are different, decide which version you want to use and then do one of the following:
  - To change the version on the new NSNAS, download the desired software image and reinstall the software (see “Reinstalling the
  - To change the version on the existing Nortel SNAS, download the desired software image and upgrade the software on the existing
ATTENTION
Nortel recommends always using the most recent software version.
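The two requirements that most often break a join, a software version mismatch and an Access List that does not yet contain the cluster MIP and both Interface 1 RIPs, can be checked from the values you read off the existing device before you run join. The script below is an added example for this guide and is not Nortel code; it takes the version strings and Access List entries as plain input rather than parsing command output, since the output layout is not documented here. Treating an Access List entry as either a single host address or a network is this example's assumption, not a documented Access List feature, and the version strings and addresses are constructed.

```python
"""Pre-flight check before a Nortel SNAS device joins an existing cluster.

Added example for this guide, not Nortel code. It applies two of the
'Before you begin' requirements: both devices must run the same software
version, and if the cluster's Access List is non-empty it must already
contain the cluster MIP, the existing device's Interface 1 RIP and the new
device's Interface 1 RIP, otherwise the devices cannot talk to each other
after the join.  Treating an Access List entry as either a host address or
a network is this example's assumption, not a documented feature.
"""
import ipaddress
from typing import Iterable, List


def _entry_covers(entry: str, address: ipaddress.IPv4Address) -> bool:
    """True if an Access List entry (host, CIDR, or addr/netmask) includes address."""
    try:
        return address in ipaddress.IPv4Network(entry, strict=False)
    except ValueError:
        return False   # an unparsable entry cannot authorise anything


def required_access_list_additions(access_list: Iterable[str], mip: str,
                                   existing_rip: str, new_rip: str) -> List[str]:
    """Addresses that must be added to the Access List before the join.

    An empty Access List imposes no restriction, so nothing is required.
    """
    entries = [e.strip() for e in access_list if e.strip()]
    if not entries:
        return []
    missing: List[str] = []
    for label, ip in (("cluster MIP", mip),
                      ("existing device RIP on Interface 1", existing_rip),
                      ("new device RIP on Interface 1", new_rip)):
        address = ipaddress.IPv4Address(ip)
        if not any(_entry_covers(entry, address) for entry in entries):
            missing.append(f"{ip} ({label})")
    return missing


def join_preflight(existing_version: str, new_version: str,
                   access_list: Iterable[str], mip: str,
                   existing_rip: str, new_rip: str) -> List[str]:
    """Return the blockers that must be cleared before running 'join'."""
    blockers: List[str] = []
    if existing_version.strip() != new_version.strip():
        blockers.append(
            f"software version mismatch: cluster runs {existing_version.strip()}, "
            f"new device runs {new_version.strip()}; reinstall or upgrade so both match")
    for item in required_access_list_additions(access_list, mip, existing_rip, new_rip):
        blockers.append(f"add {item} to the Access List before joining")
    return blockers


if __name__ == "__main__":
    # Constructed sample: an Access List that only allows one admin workstation.
    blockers = join_preflight("2.0.1.0", "2.0.1.0", ["10.1.1.25"],
                              mip="192.168.0.60", existing_rip="192.168.0.61",
                              new_rip="192.168.0.62")
    print("\n".join(blockers) or "ready to join")
```

Because the Access List restricts Telnet and SSH access to the listed hosts, the three addresses it reports as missing are exactly the ones the procedure says to add first; an empty list returns no blockers, matching the "no action is required" case above.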
Joining a cluster
Step Action
1 Log on using the following username and password:
login: admin
Password: admin
The Setup Menu appears.
Alteon iSD NSNAS
Hardware platform: 4050
Software version: x.x
-------------------------------------------------------
[Setup Menu]
join - Join an existing cluster
new - Initialize host as a new installation
boot - Boot menu
info - Information menu
exit - Exit [global command, always available]
>> Setup#
2 Select the option to join an existing cluster.
>> Setup# join
Setup will guide you through the initial configuration.
3 Specify the management interface port number. This port will be assigned to Interface 1.
Enter port number for the management interface [1-4]: <port>
In a one-armed configuration, you are specifying the port you want to use for all network connectivity, since Interface 1 is used for both management traffic (Nortel SNAS management and connections to intranet resources) and client portal traffic (traffic between the Nortel Health Agent applet on the client and the portal).
ATTENTION
For consistency, Nortel recommends that you specify the same port number for the management interface port on all Nortel SNAS devices in the cluster.
4 Specify the RIP for this device. This IP address will be assigned to Interface 1.
Enter IP address for this machine (on management interface): <IPaddr>
The RIP must be unique on the network and must be within the same subnet as the MIP.
5 Specify the network mask for the RIP on Interface 1.
Enter network mask [255.255.255.0]: <mask>
6 If the core router attaches VLAN tag IDs to incoming packets, specify the VLAN tag ID used.
Enter VLAN tag id (or zero for no VLAN) [0]:
7 Configure the interface for client portal traffic (Interface 2).
a Specify a port number for the client portal interface. This port will be assigned to Interface 2. The port number must not be the same as the port number for the management interface (Interface 1).
b Specify the RIP for Interface 2.
c Specify the network mask for the RIP on Interface 2.
d If the core router attaches VLAN tag IDs to incoming packets, specify the VLAN tag ID used.
Enter port number for the traffic interface [1-4]: <port>
Enter IP address for this machine (on traffic interface): <IPaddr>
Enter network mask [255.255.255.0]: <mask>
Enter VLAN tag id (or zero for no VLAN) [0]:
8 Specify the MIP of the existing cluster.
The system is initialized by connecting to the management server on an existing iSD, which must be operational and initialized.
Enter the Management IP (MIP) address: <IPaddr>
9 Specify the default gateway IP address for Interface 2. The default gateway is the IP address of the interface on the core router that will be used if no other interface is specified. The default gateway IP address on Interface 2 must be within the same subnet as the RIP for Interface 2.
Enter default gateway IP address (on the traffic interface): <IPaddr>
10 Provide the correct admin user password configured for the existing cluster.
Enter the existing admin user password: <password>
11 Wait while the setup utility finishes processing. When processing is complete, you will see Setup successful.
The new Nortel SNAS automatically picks up all other required configuration data from the existing Nortel SNAS in the cluster. After a short while, you receive the login prompt.
Setup successful.
login:
--End--
Next steps
Step Action
1 To enable the SREM connection to the Nortel SNAS:
a Use the /cfg/sys/adm/ssh on command to enable SSH access to the Nortel SNAS (for more information, see
b Use the /cfg/sys/adm/srsadmin ena command to enable SRS administration (for more information, see
The quick setup wizard enables this automatically when you enable configuration management.
ATTENTION
For greater security, you may want to restrict access to the Nortel SNAS to those machines specified in an Access List. In this case, ensure that you add an IP address for the BBI to the Access List. For more information about using the Access List to control Telnet and
From this point on, you can configure the Nortel SNAS using either the CLI or the BBI.
2 To enable remote management using Telnet, use the /cfg/sys/adm/telnet on command to enable Telnet access to the Nortel SNAS (for more information, see “Configuring
3 To finish connecting the Nortel SNAS to the rest of the network, complete the following tasks:
a Generate and activate the SSH keys for communication between the Nortel SNAS and the network access devices
b Specify the SRS rule for the nhauser group (see “Configuring
c Add the network access devices (see “Adding a network
d Specify the VLAN mappings (see “Mapping the VLANs” (page 66)).
e If you did not run the quick setup wizard during the initial setup, configure the following:
  - Create the domain (see “Creating a domain” (page 83)).
  - Create at least one group.
  - Specify the VLANs to be used when the Nortel Health Agent check succeeds and when it fails (see “Configuring
4 Save the configuration (see “Applying and saving the
--End--
Applying and saving the configuration  
You must enter explicit commands in order to make configuration changes  
permanent and in order to create a backup configuration file.  
If you have not already done so after each sequence of configuration  
steps, confirm your changes using the apply command.  
To view your configuration on the screen, for copy and paste into a text  
file, use the following command:  
/cfg/dump  
To save your configuration to a TFTP, FTP, SCP, or SFTP server, use the  
following command:  
/cfg/ptcfg  
356).  
Managing the network access devices  
This chapter includes the following topics:  
Before you begin  
In Trusted Computing Group (TCG) terminology, the edge switches in a Nortel SNAS function as the Policy Enforcement Point. In this document, the term network access device is used to refer to the edge switch once it is configured for the Nortel SNAS network.
The following edge switches can function as network access devices in the Nortel SNAS:
- Ethernet Routing Switch 8300
- Ethernet Routing Switch 5510, 5520, and 5530
Before you can configure the edge switches as network access devices in the Nortel SNAS domain, you must complete the following:
- Create the domain, if applicable. If you ran the quick setup wizard during initial setup, Domain 1 is created. For more information about creating a domain, see “Configuring the domain” (page 79).
- Configure the edge switches for Nortel SNAS (see “Nortel SNAS configuration roadmap” (page 37), step 4). For detailed information about configuring the edge switches for Nortel SNAS, see Release Notes for the Ethernet Routing Switch 8300, Software Release 2.2.8, or Release Notes for Nortel Ethernet Routing Switch 5500 Series, Software Release 5.0.1.
For secure communication between the Nortel SNAS and the network access devices, each must have knowledge of the other’s public SSH key. After you have added the network access devices to the Nortel SNAS domain, you must exchange the necessary SSH keys (see “Managing
You require the following information for each network access device:
- IP address of the switch
- VLAN names and VLAN IDs for the Red, Yellow, and Green VLANs
- the TCP port to be used for Nortel SNAS communication
- for Ethernet Routing Switch 8300 switches, a valid rwa user name
Managing network access devices
The Nortel SNAS starts communicating with a network access device as soon as you enable the switch on the Nortel SNAS by using the /cfg/domain #/switch #/ena command.
You cannot configure the VLAN mappings for a network access device in the Nortel SNAS domain while the switch is enabled. When you add a network access device to the domain, it is disabled by default. Do not enable the network access device until you have completed the configuration. To reconfigure the VLAN mappings for an existing network access device, first disable it by using the /cfg/domain #/switch #/dis command.
Roadmap of domain switch commands
The following roadmap lists the CLI commands to configure the network access devices in a Nortel SNAS deployment. Use this list as a quick reference or click on any entry for more information:
Command
/cfg/domain #/switch <switch ID>
/cfg/domain #/switch #/delete
/cfg/domain #/switch <switch ID>
  followed by:
  name <name>
  type ERS8300|ERS5500
  ip <IPaddr>
  mgmtproto <sscp|sscplite>
  port <port>
  rvid <VLAN ID>
  reset
  ena
  dis
  delete
/cfg/domain #/vlan
  followed by:
  add <name> <VLAN ID>
  del <index>
  list
/cfg/domain #/switch #/vlan
  followed by:
  add <name> <VLAN ID>
  del <index>
  list
/cfg/domain #/sshkey
  followed by:
  generate
  show
  export
/cfg/domain #/switch #/sshkey
  followed by:
  import
  add
  del
  show
  export
  user <user>
/cfg/domain #/switch #/hlthchk
  followed by:
  interval <interval>
  deadcnt <count>
  sq-int <interval>
/cfg/domain #/switch #/dis
/cfg/domain #/switch #/ena
Adding a network access device
You can add a network access device to the configuration in two ways. You must repeat the steps for each switch that you want to add to the domain configuration.
Using the quick switch setup wizard
To add a network access device to the Nortel SNAS domain using the quick switch setup wizard, use the following command:
/cfg/domain #/quick
You can later modify all settings created by the quick switch setup wizard
Step Action
1 Launch the quick switch setup wizard.
>> Main# /cfg/domain #/quick
2 Specify the IP address of the network access device.
IP address of Switch: <IPaddr>
3 Specify the SNMP profile of the network access device. If the quick setup of your domain is not completed, most likely there is no SNMP profile to select. See “Configuring SNMP Profiles” (page 75) for more information.
SNMP profile:
4 The wizard searches for the SNMP settings of the switch. If auto discovery fails, you receive an error message and are prompted to choose sscp or sscplite.
Starting auto discovery........
Using default SNMP Profile for auto discovery..........
Error: Auto Discovery Failed !! Please check the SNMP settings in the Switch
Do you want to use sscp or sscplite <sscp/sscplite> [sscp]:
ATTENTION
Based on the discovery result, the wizard asks for switch ports, switch uplink ports (in case of an sscplite switch) or the NSNA communication port (in case of an sscp switch).
5 Specify the VLAN ID of the Red VLAN, as configured on the network access device. The network access devices in the domain can share a common Red VLAN or can each have a separate Red VLAN.
Red vlan id of Switch: <VLAN ID>
6 Specify the type of switch. Valid options are: ERS8300 (for an Ethernet Routing Switch 8300), ERS5500 or ERS55 (for an Ethernet Routing Switch 5510, 5520, or 5530), and ERS4500. The default is ERS8300.
ATTENTION
The input is case sensitive.
Enter the type of the switch (ERS8300/ERS5500/ERS4500) [ERS8300]:
7 Specify the TCP port for communication between the Nortel SNAS and the network access device. The default is port 5000.
NSNA communication port[5000]:
8 The SSH fingerprint of the switch is automatically picked up if the switch is reachable. If the fingerprint is successfully retrieved, go to step 7.
If the fingerprint is not successfully retrieved, you will receive an error message and be prompted to add the SSH key.
Trying to retrieve fingerprint...failed.
Error: "Failed to retrieve host key"
Do you want to add ssh key? (yes/no) [no]:
Choose one of the following:
a To paste in a public key you have downloaded from the switch, enter Yes. Go to step 6.
b To continue adding the switch to the configuration without adding its public SSH key at this time, press Enter to accept the default value (no). After you have added the switch, add or import the SSH public key for the switch (see “Managing
Go to step 7.
9 To add the switch public key:
a At the prompt to add the SSH key, enter Yes.
b When prompted, paste in the key from a text file, then press Enter.
c Enter an ellipsis (...) to signal the end of the key.
d To continue, go to step 7.
Do you want to add ssh key? (yes/no) [no]: yes
Paste the key, press Enter to create a new line, and then type "..." (without the quotation marks) to terminate.
> 47.80.18.98 ssh-dss
AAAAB3NzaC1kc3MAAABRAJfEJJvYic9yOrejtZ88prdWdRWBF8Q
km9iJz3I6t6O1nzymt1Z1DVMXxCSb2InPcjq3o7WfPKa3VnUNUg
TpESrFlH7ooK+Zys8iEUbmJ3kpAAAAFQCUE/74fr6ACaxJpMcz0
TlWwahdzwAAAFEAgPWVrk0VOOXQmfLhutwaTrxltIDkJzOEIXPf
AIEpvDsvnlNkFE/i2vVdq/GTKmAghfN3BYjRIQT0PAwUKOS5gky
fLG9I5rKqJ/hFWJThR4YAAABQI9yJG5Q7q+2Pnk+tx1Kd44nCD6
/9j7L4RIkIEnrDbgsVxvMcsNdI+HLnN+vmBR5wd+vrW5Bq/ToMv
PspwI+WbV8TjycWeC7nk/Tg++X53hc=
> ...
10 Wait while the wizard completes processing to add the network access device, then enter Apply to activate the changes. The system automatically assigns the lowest available switch ID to the network access device.
The switch is disabled when it is first added to the configuration. Do not enable the switch until you have completed configuring the system. For more information, see “Configuring the network
Creating Switch 1
Use apply to activate the new Switch.
>> domain #
--End--
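When the wizard reports "Failed to retrieve host key" and you paste the switch's public key by hand (step 9), the Nortel SNAS will trust that key for all later communication with the switch, so the key should be checked against the fingerprint the switch itself reports before it is pasted, and a key that was mangled in transit (line-wrapped, truncated, or mislabelled) should be rejected rather than accepted. The script below is an added example for this guide, not Nortel SNAS code: it parses a line in the '<host> <key type> <base64 blob>' layout shown in the transcript, walks the SSH wire-format fields inside the blob, checks that the embedded key type matches the declared one, and prints the MD5 and SHA256 fingerprints in the forms OpenSSH displays. The key material it builds is constructed from small placeholder integers (not a real DSA key), because the key printed in the transcript is wrapped across lines and does not decode as base64.

```python
"""Parse and fingerprint an OpenSSH-format public key before pasting it in.

Added example for this guide; not Nortel SNAS code. Pasting a switch key
pins it for later Nortel SNAS to switch communication, so compare the
fingerprint with the one the switch console reports first. The line layout
assumed here is '<host> <key type> <base64 blob>' as in the wizard
transcript; the key material is constructed from placeholder integers.
"""
import base64
import binascii
import hashlib
import struct
from typing import List, Tuple


def _ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(value: int) -> bytes:
    """SSH wire-format mpint: minimal big-endian bytes, 0x00-prefixed if the top bit is set."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big") if value else b""
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)


def build_blob(key_type: str, *mpints: int) -> bytes:
    """Assemble a public-key blob: the key type string followed by its integers."""
    blob = _ssh_string(key_type.encode("ascii"))
    for number in mpints:
        blob += _ssh_mpint(number)
    return blob


def _split_fields(blob: bytes) -> List[bytes]:
    """Walk the blob as a sequence of SSH strings, rejecting truncation."""
    fields: List[bytes] = []
    offset = 0
    while offset < len(blob):
        if offset + 4 > len(blob):
            raise ValueError("truncated key blob: length prefix cut off")
        (length,) = struct.unpack(">I", blob[offset:offset + 4])
        end = offset + 4 + length
        if end > len(blob):
            raise ValueError("truncated key blob: field runs past the end")
        fields.append(blob[offset + 4:end])
        offset = end
    return fields


def parse_public_key_line(line: str) -> Tuple[str, str, bytes, List[bytes]]:
    """Return (host, key type, raw blob, wire fields); raise ValueError on a bad line."""
    parts = line.split()
    if len(parts) < 3:
        raise ValueError("expected '<host> <key type> <base64 blob>'")
    host, key_type, encoded = parts[0], parts[1], parts[2]
    try:
        blob = base64.b64decode(encoded, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"key blob is not valid base64: {exc}") from exc
    fields = _split_fields(blob)
    if not fields or fields[0] != key_type.encode("ascii", "replace"):
        raise ValueError("key type inside the blob does not match the declared type")
    return host, key_type, blob, fields


def fingerprints(blob: bytes) -> Tuple[str, str]:
    """(MD5 colon-hex, SHA256 base64) fingerprints in the OpenSSH display forms."""
    md5_hex = hashlib.md5(blob).hexdigest()
    md5_fp = ":".join(md5_hex[i:i + 2] for i in range(0, len(md5_hex), 2))
    sha_fp = base64.b64encode(hashlib.sha256(blob).digest()).decode("ascii").rstrip("=")
    return md5_fp, "SHA256:" + sha_fp


if __name__ == "__main__":
    sample = build_blob("ssh-dss", 0xC3, 0x07, 0x02, 0x05)   # constructed placeholder values
    line = "47.80.18.98 ssh-dss " + base64.b64encode(sample).decode("ascii")
    host, key_type, blob, fields = parse_public_key_line(line)
    print(host, key_type, len(fields), "fields")
    print(*fingerprints(blob), sep="\n")
```

Both fingerprints are computed over the decoded blob, which is what the switch hashes when it shows its own host key fingerprint, so a match confirms you are about to pin the key of the switch you intended and not one altered on the way.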
Manually adding a switch
To add a network access device and configure it manually, use the following command:
/cfg/domain #/switch <switch ID>
where switch ID is an integer in the range 1 to 255 that uniquely identifies the network access device in the Nortel SNAS domain.
When you first add the network access device, you are prompted to enter the following information:
- switch name—a string that identifies the switch on the Nortel SNAS. The maximum length of the string is 255 characters. After you have defined a name for the switch, you can use either the switch name or the switch ID to access the Switch menu.
- type of switch—valid options are ERS8300, ERS5500, and ERS4500. The input is case sensitive.
- IP address of the switch.
- NSNA communication port—the TCP port for communication between the Nortel SNAS and the network access device. The default is port 5000.
- Red VLAN ID—the VLAN ID of the Red VLAN configured on the switch.
- username—the user name for an rwa user on the switch (required for Ethernet Routing Switch 8300 only).
The SSH fingerprint of the switch is automatically picked up if the switch  
is reachable. If the fingerprint is not successfully retrieved, you receive an  
error message (Error: Failed to retrieve host key). After you  
have added the switch, you must add or import the SSH public key for the  
71)).  
The Switch menu appears.  
the /cfg/domain #/switch command and commands on the Switch  
menu. For more information about the Switch menu commands, see  
Figure 2  
Adding a switch manually  
Deleting a network access device
To remove a network access device from the domain configuration, first disable the switch, then delete it. Use the following commands:
/cfg/domain #/switch #/dis
/cfg/domain #/switch #/delete
The disable and delete commands log out all clients connected through the switch.
The delete command removes the current switch from the control of the Nortel SNAS cluster.
Configuring the network access devices
When you first add a network access device to the Nortel SNAS domain, the switch is disabled by default. Do not enable the switch until you have completed configuring it. In particular, do not enable the switch until you have mapped the VLANs (see “Mapping the VLANs” (page 66)) and exchanged the necessary SSH keys (see “Managing SSH keys” (page 68)).
If you want to reconfigure the VLAN mappings or delete a VLAN for an existing network access device, use the /cfg/domain #/switch #/dis command to disable the switch first.
ATTENTION
Remember to enable the network access device after completing the configuration in order to activate the network access device in the Nortel SNAS network.
To configure a network access device in the Nortel SNAS domain, use
the following command:
/cfg/domain #/switch <switch ID>
where
switch ID is the ID or name of the switch you want to
configure.
The Switch menu appears.
The Switch menu includes the following options:
/cfg/domain #/switch <switch ID>
followed by:
name <name>
Names or renames the switch. After you have
defined a name for the switch, you can use
either the switch name or the switch ID to
access the Switch menu.
name is a string that must be unique in the
domain. The maximum length of the string
is 255 characters.
type ERS8300|ERS5500
Specifies the type of network access device.
Valid options are:
ERS8300—an Ethernet Routing Switch
8300
ERS5500—an Ethernet Routing Switch
5510, 5520, or 5530
The default is ERS8300.
mgmtproto <mgmtproto>
Sets the Switch Management Protocol.
ip <IPaddr>
Specifies the IP address of the switch.
port <port>
Specifies the TCP port used for Nortel SNAS
communication. The default is port 5000.
hlthchk
Accesses the Healthcheck menu, in order
to configure settings for the Nortel SNAS
to monitor the health of the switch (see
“Monitoring switch health” (page 73)).
vlan
Accesses the Switch Vlan menu, in order to
map the Green and Yellow VLANs configured
on the switch (see “Mapping the VLANs” (page 66)).
rvid <VLAN ID>
Identifies the Red VLAN for the network access
device.
VLAN ID is the ID of the Red VLAN, as
configured on the switch
sshkey
Accesses the SSH Key menu, in order
to manage the exchange of public keys
between the switch and the Nortel SNAS
reset
Resets all the Nortel SNAS-enabled ports on
the switch. Clients connected to the ports are
moved into the Red VLAN.
ena
Enables the network access device. As soon
as you enable the switch, the Nortel SNAS
begins communicating with the switch and
controlling its Nortel SNAS clients.
dis
Disables the switch for Nortel SNAS operation.
delete
Removes the switch from the Nortel SNAS
domain configuration.
Mapping the VLANs
The VLANs are configured on the network access device. You specify the
Red VLAN for each network access device when you add the switch (see
you must identify the Yellow and Green VLANs to the Nortel SNAS.
You can perform the VLAN mapping in two ways:
for all switches in a domain (by using the /cfg/domain #/vlan/add
command)
switch by switch (by using the /cfg/domain #/switch #/vlan/add
command)
Nortel recommends mapping the VLANs by domain. In this way, if you
later add switches which use the same VLAN IDs, their VLAN mappings
are automatically picked up.
If you map the VLANs by domain, you can modify the mapping for
a particular network access device by using the switch-level vlan
command. Switch-level settings override domain settings.
To manage the VLAN mappings for all the network access devices in the
Nortel SNAS domain, first disable all the switches in the domain, then use
the following command:
/cfg/domain #/vlan
To manage the VLAN mappings for a specific network access device, first
disable the switch in the domain, then use the following command:
/cfg/domain #/switch #/vlan
The Nortel SNAS maintains separate maps for the domain and the switch.
If you add a VLAN from the domain-level vlan command, you must use
the domain-level command for all future management of that mapping.
Similarly, if you add a VLAN from the switch-level vlan command, you
must use the switch-level command for all future management of that
mapping.
The Domain vlan or Switch vlan menu appears.
The Domain vlan or Switch vlan menu includes the following options:
/cfg/domain #[/switch #]/vlan
followed by:
add <name> <VLAN ID>
Adds the specified VLAN to the domain or
switch VLAN map. You are prompted to
enter the required parameters if you do not
include them in the command.
name is the name of the VLAN, as
configured on the switch
VLAN ID is the ID of the VLAN, as
configured on the switch
The system automatically assigns an index
number to the VLAN entry when you add
it. If you are executing the command from
the Domain vlan menu, the index number
indicates the position of the new entry in
the domain map. If you are executing the
command from the Switch vlan menu, the
index number indicates the position of the
new entry in the switch map.
Repeat this command for each Green and
Yellow VLAN configured on the network
access device.
del <index>
Removes the specified VLAN entry from the
applicable VLAN map.
index is an integer indicating the index
number automatically assigned to the
VLAN mapping when you created it
The index numbers of the remaining entries
adjust accordingly.
To view the index numbers for all VLAN
entries in the map, use the /cfg/domain
#[/switch #]/vlan/list command.
list
Displays the index number, name, and VLAN ID for
all VLAN entries in the map.
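The following Python model is an added illustration, not Nortel's code, of the domain and switch VLAN maps described above: index numbers assigned on add and renumbered on del, the rule that a switch (or every switch in the domain) must be disabled before its map changes, and switch-level entries overriding domain-level ones. Class and method names are assumptions; the Red VLAN is carried as the switch's rvid rather than as a map entry.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class VlanEntry:
    name: str
    vlan_id: int


class VlanMap:
    """One VLAN map: either the domain map or one switch's map.

    Indices start at 1 in insertion order and are renumbered after a delete,
    as the manual describes for the vlan add/del/list commands. Only the
    Green and Yellow VLANs are mapped here; the Red VLAN is the switch's rvid.
    """

    def __init__(self) -> None:
        self._entries: List[VlanEntry] = []

    def add(self, name: str, vlan_id: int) -> int:
        if not 1 <= vlan_id <= 4094:
            raise ValueError(f"VLAN ID {vlan_id} is outside the 802.1Q range 1-4094")
        for entry in self._entries:
            if entry.name == name or entry.vlan_id == vlan_id:
                raise ValueError(f"{name}/{vlan_id} collides with existing entry {entry}")
        self._entries.append(VlanEntry(name, vlan_id))
        return len(self._entries)  # the index assigned to the new entry

    def delete(self, index: int) -> None:
        if not 1 <= index <= len(self._entries):
            raise IndexError(f"no VLAN entry with index {index}")
        del self._entries[index - 1]  # the remaining indices shift down

    def list(self) -> List[Tuple[int, str, int]]:
        return [(i, e.name, e.vlan_id) for i, e in enumerate(self._entries, start=1)]


class Switch:
    """A network access device with its own (override) VLAN map."""

    def __init__(self, switch_id: int, red_vlan_id: int) -> None:
        self.switch_id = switch_id
        self.rvid = red_vlan_id
        self.enabled = False  # disabled by default when first added
        self.vlan = VlanMap()

    def vlan_add(self, name: str, vlan_id: int) -> int:
        self._require_disabled()
        return self.vlan.add(name, vlan_id)

    def vlan_del(self, index: int) -> None:
        self._require_disabled()
        self.vlan.delete(index)

    def _require_disabled(self) -> None:
        if self.enabled:
            raise RuntimeError("disable the switch (/dis) before changing its VLAN map")


class Domain:
    """The domain-level VLAN map plus the switches that inherit from it."""

    def __init__(self) -> None:
        self.vlan = VlanMap()
        self.switches: Dict[int, Switch] = {}

    def add_switch(self, switch_id: int, red_vlan_id: int) -> Switch:
        switch = Switch(switch_id, red_vlan_id)
        self.switches[switch_id] = switch
        return switch

    def vlan_add(self, name: str, vlan_id: int) -> int:
        if any(s.enabled for s in self.switches.values()):
            raise RuntimeError("disable all switches before changing the domain VLAN map")
        return self.vlan.add(name, vlan_id)

    def effective_map(self, switch_id: int) -> Dict[str, int]:
        """Resolve VLAN name -> ID for one switch; switch entries override domain ones."""
        switch = self.switches[switch_id]
        resolved = {name: vid for _, name, vid in self.vlan.list()}
        resolved.update({name: vid for _, name, vid in switch.vlan.list()})
        resolved["Red"] = switch.rvid  # "Red" is this model's label for the rvid
        return resolved
```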
Managing SSH keys
The Nortel SNAS and the network access devices controlled by the
Nortel SNAS domain exchange public keys so that they can authenticate
themselves to each other in future SSH communications.
To enable secure communication between the Nortel SNAS and the
network access devices, do the following:
Step 1 Generate an SSH public key for the Nortel SNAS domain (see
“Generating SSH keys for the domain” (page 70)).
Apply the change immediately.
If you created the domain manually, the SSH key was generated
ATTENTION
The SSH key for the Nortel SNAS domain is not the same as the
SSH key generated during initial setup for all Nortel SNAS hosts in
the cluster (see “Initial setup” (page 41), step 15).
Step 2 Export the Nortel SNAS public key to each network access
device.
For an Ethernet Routing Switch 8300:
Use the /cfg/domain #/switch #/sshkey/export
command to export the key directly to the switch (see
“Managing SSH keys for Nortel SNAS communication” (page 71)).
For an Ethernet Routing Switch 5510, 5520, or 5530:
Use the /cfg/domain #/sshkey/export command to
upload the key to a TFTP server, for manual retrieval (see
“Generating SSH keys for the domain” (page 70)). For information
about downloading the key from the server to the switch, see
Release Notes for Nortel Ethernet Routing Switch 5500 Series,
Software Release 5.0.1.
If you regenerate the key at any time, you must re-export the
key to each network access device.
ATTENTION
If you export the key after the network access device is
enabled, you may need to disable and re-enable the switch in
order to activate the change.
Step 3 For each network access device, import its public key into the
Nortel SNAS domain, if necessary (see “Managing SSH keys for
Nortel SNAS communication” (page 71)).
For an Ethernet Routing Switch 8300, you can retrieve the
key in two ways:
— Use the /cfg/domain #/switch #/sshkey/import
command to import the key directly from the network
access device.
— Use the /cfg/domain #/switch #/sshkey/add
command to paste in the key.
For an Ethernet Routing Switch 5510, 5520, or 5530:
— Use the /cfg/domain #/switch #/sshkey/import
command to import the key directly from the network
access device.
If the network access device was reachable when you added
it to the domain configuration, the SSH key was automatically
retrieved.
If the network access device is reset to its defaults, it generates a
new public key. You must reimport the key whenever the switch
generates a new key (see “Reimporting the network access device
SSH key” (page 72)).
ATTENTION
In general, enter Apply to apply the changes immediately after you
execute any of the SSH commands.
--End--
Generating SSH keys for the domain
To generate, view, and export the public SSH key for the domain, use the
following command:
/cfg/domain #/sshkey
The NSNAS SSH key menu appears.
The NSNAS SSH key menu includes the following options:
/cfg/domain #/sshkey
followed by:
generate
Generates an SSH public key for the domain.
There can be only one key in effect for the Nortel
SNAS domain at any one time. If a key already
exists, you are prompted to confirm that you want
to replace it.
Enter Apply to apply the change immediately and
create the key.
show
Displays the SSH public key generated for the domain.
export
Exports the Nortel SNAS domain public key to a
file exchange server. You are prompted to enter
the following information:
protocol—options are tftp|ftp|scp|sftp.
The default is tftp.
ATTENTION
Use TFTP to export to an Ethernet Routing
Switch 5500 Series switch. Ethernet Routing
Switch 5500 Series switches do not support
the other protocols.
host name or IP address of the server
file name of the key (file type .pub) you are
exporting
for FTP, SCP, and SFTP, the user name and
password to access the file exchange server
To export the key directly to an Ethernet Routing
Switch 8300, use the /cfg/domain #/switch
#/sshkey/export command (see “Managing
SSH keys for Nortel SNAS communication” (page 71)).
Figure 3 “Generating an SSH key for the domain” (page 71) shows sample
output for the /cfg/domain #/sshkey command.
Figure 3
Generating an SSH key for the domain
Managing SSH keys for Nortel SNAS communication
To retrieve the public key for the network access device and export the
public key for the domain, use the following command:
/cfg/domain #/switch #/sshkey
The SSH Key menu appears.
The SSH Key menu includes the following options:
/cfg/domain #/switch #/sshkey
followed by:
import
Retrieves the SSH public key from the network
access device, if it is reachable.
add
Allows you to paste in the contents of a key
file you have downloaded from the Ethernet
Routing Switch 8300 network access device.
When prompted, paste in the key, then press
Enter. Enter an ellipsis (...) to signal the end
of the key.
del
Deletes the SSH public key for the network
access device in the domain.
show
Displays the SSH public key type and fingerprint for the
network access device.
export
Exports the SSH public key for the Nortel
SNAS domain to the network access device.
ATTENTION
You cannot use this command to export
the key to an Ethernet Routing Switch
5500 series switch. Instead, use the
/cfg/domain #/sshkey/export
command to upload the key to a file
exchange server.
user <user>
Specifies the user name for the network
access device (required for Ethernet Routing
Switch 8300 only).
user is the user name of an administrative
user (rwa) on the switch.
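As an added example (not from the manual or the product), the following Python code reads a key pasted the way sshkey/add expects, stopping at the ... line, parses the OpenSSH public key format to derive the key type and the MD5 and SHA256 fingerprints a show command would display, and refuses to replace a stored key with a different one unless the old key is deleted first, mirroring the reimport procedure so that an unexpected key change is surfaced rather than accepted. The key material is constructed from toy numbers and the class and function names are assumptions.

```python
import base64
import hashlib
import struct
from typing import Dict, List

END_MARKER = "..."  # the ellipsis that ends a pasted key in the CLI


def read_pasted_key(lines: List[str]) -> str:
    """Collect pasted key text up to, not including, the '...' line.

    Anything after the terminator is ignored, as with sshkey/add. Wrapped
    base64 continuation lines are joined without separators.
    """
    body: List[str] = []
    for line in lines:
        if line.strip() == END_MARKER:
            break
        if line.strip():
            body.append(line.strip())
    if not body:
        raise ValueError("no key text before the '...' terminator")
    return "".join(body)


def _ssh_string(data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(value: int) -> bytes:
    raw = value.to_bytes((value.bit_length() + 8) // 8, "big")  # keeps the sign bit clear
    return _ssh_string(raw)


def make_constructed_rsa_key(e: int, n: int, comment: str) -> str:
    """Build a syntactically valid ssh-rsa public key line from toy numbers.

    Constructed for this example only; the modulus is far too small to be a
    real key, but the wire format is the real one (type, e, n as SSH strings).
    """
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode('ascii')} {comment}"


def parse_public_key(key_text: str) -> Dict[str, str]:
    """Parse an OpenSSH-format public key line; return its type and fingerprints."""
    fields = key_text.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64 blob> [comment]'")
    key_type, encoded = fields[0], fields[1]
    blob = base64.b64decode(encoded, validate=True)
    (type_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + type_len].decode("ascii", "replace") != key_type:
        raise ValueError("key type label does not match the encoded key")
    md5_hex = hashlib.md5(blob).hexdigest()
    sha256_b64 = base64.b64encode(hashlib.sha256(blob).digest()).decode("ascii")
    return {
        "type": key_type,
        "md5": ":".join(md5_hex[i:i + 2] for i in range(0, 32, 2)),
        "sha256": "SHA256:" + sha256_b64.rstrip("="),
    }


class KeyChangedError(Exception):
    """Raised when an import would silently replace a different stored key."""


class SwitchKeyStore:
    """Public keys the domain holds for its switches, keyed by switch ID.

    An import is refused while a different key is on file, so the documented
    del / apply / import / apply sequence must be followed deliberately.
    """

    def __init__(self) -> None:
        self._keys: Dict[str, Dict[str, str]] = {}

    def import_key(self, switch_id: str, key_text: str) -> Dict[str, str]:
        info = parse_public_key(key_text)
        current = self._keys.get(switch_id)
        if current is not None and current["sha256"] != info["sha256"]:
            raise KeyChangedError(
                f"switch {switch_id} key changed: stored {current['sha256']}, "
                f"offered {info['sha256']}; run del and apply first if this is expected")
        self._keys[switch_id] = info
        return info

    def delete(self, switch_id: str) -> None:
        self._keys.pop(switch_id, None)

    def show(self, switch_id: str) -> Dict[str, str]:
        return dict(self._keys.get(switch_id, {}))
```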
Reimporting the network access device SSH key
Whenever the network access device generates a new public SSH key,
you must import the new key into the Nortel SNAS domain.
Step 1 Use the /cfg/domain #/switch #/sshkey/del command to
delete the original key.
Step 2 Enter Apply to apply the change immediately.
Step 3 Use the /cfg/domain #/switch #/sshkey/import
command to import the new key.
Step 4 Enter Apply to apply the change immediately.
--End--
Monitoring switch health  
The Nortel SNAS continually monitors the health of the network access
devices. At specified intervals, a health check daemon sends queries
and responses to the switch as a heartbeat mechanism. If no activity
(heartbeat) is detected, the daemon retries the health check a
specified number of times (the dead count). If there is still no heartbeat,
then after a further interval (the status-quo interval) the network access
device moves all its clients into the Red VLAN. When connectivity is
re-established, the Nortel SNAS synchronizes sessions with the network
access device.
The health check interval, dead count, and status-quo interval are
configurable.
To configure the interval and dead count parameters for the Nortel SNAS  
health checks and status-quo mode, use the following command:  
/cfg/domain #/switch #/hlthchk  
The HealthCheck menu appears.  
The HealthCheck menu includes the following options:  
/cfg/domain #/switch #/hlthchk  
followed by:  
interval <interval>  
Sets the time interval between checks for  
switch activity.  
interval is an integer that indicates the  
time interval in seconds (s), minutes (m), or  
hours (h). The valid range is 60s (1m) to  
64800s (18h). The default is 1m (1 minute).  
deadcnt <count>  
Specifies the number of times the Nortel SNAS  
will repeat the check for switch activity when  
no heartbeat is detected.  
count is an integer in the range 1–65535  
that indicates the number of retries. The  
default is 3.  
If no heartbeat is detected after the specified  
number of retries, the Nortel SNAS enters  
status-quo mode.  
sq-int <interval>
Sets the time interval for status-quo mode,
after which the network access device moves
all clients into the Red VLAN.
interval is an integer that indicates the
time interval in seconds (s), minutes (m), or
hours (h). The valid range is 0 to 64800s
(18h). The default is 1m (1 minute).
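The following Python model is an added example, not Nortel's implementation. It validates the interval, deadcnt and sq-int ranges listed above and replays a sequence of heartbeat results to show when status-quo mode begins and when clients would be moved to the Red VLAN. The retry spacing (one interval between retries) and the state names are assumptions the manual does not state.

```python
import re
from typing import List, Optional, Tuple

_INTERVAL_RE = re.compile(r"^(\d+)([smh])$")
_UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600}
MAX_INTERVAL = 64800  # 18h, the upper bound for both interval and sq-int


def parse_interval(text: str, minimum: int) -> int:
    """Convert '90s', '5m' or '2h' to seconds and enforce the documented range."""
    match = _INTERVAL_RE.match(text.strip())
    if not match:
        raise ValueError(f"{text!r}: expected <integer><s|m|h>")
    seconds = int(match.group(1)) * _UNIT_SECONDS[match.group(2)]
    if not minimum <= seconds <= MAX_INTERVAL:
        raise ValueError(f"{text!r} is outside {minimum}s..{MAX_INTERVAL}s")
    return seconds


class HealthCheck:
    """Timeline model of the hlthchk interval / deadcnt / sq-int settings.

    Assumed model: the daemon probes once per interval; the first missed
    probe starts the retries, retries are also one interval apart, and
    status-quo mode begins when the initial probe plus deadcnt retries have
    all failed. sq-int seconds later the clients are moved to the Red VLAN.
    """

    def __init__(self, interval: str = "1m", deadcnt: int = 3, sq_int: str = "1m") -> None:
        self.interval = parse_interval(interval, minimum=60)
        if not 1 <= deadcnt <= 65535:
            raise ValueError("deadcnt must be in 1..65535")
        self.deadcnt = deadcnt
        self.sq_int = parse_interval(sq_int, minimum=0)

    def worst_case_seconds_to_red(self) -> int:
        """Seconds from the last good heartbeat until clients land in the Red VLAN."""
        return self.interval * (self.deadcnt + 1) + self.sq_int

    def simulate(self, probes: List[bool]) -> List[Tuple[int, str]]:
        """Replay probe results (True = heartbeat seen) and return state changes.

        Probe k happens at k * interval seconds. Events are (seconds, state):
        retrying, status-quo, red, recovered (heartbeat returned before any
        client was moved) and resync (heartbeat returned after the move).
        """
        events: List[Tuple[int, str]] = []
        state = "up"
        misses = 0
        red_at: Optional[int] = None
        for tick, alive in enumerate(probes):
            now = tick * self.interval
            if state == "status-quo" and red_at is not None and red_at <= now:
                events.append((red_at, "red"))  # grace period expired between probes
                state = "red"
            if alive:
                if state == "red":
                    events.append((now, "resync"))
                elif state != "up":
                    events.append((now, "recovered"))
                state, misses, red_at = "up", 0, None
                continue
            misses += 1
            if state == "up":
                state = "retrying"
                events.append((now, "retrying"))
            elif state == "retrying" and misses == self.deadcnt + 1:
                state = "status-quo"
                events.append((now, "status-quo"))
                red_at = now + self.sq_int
                if self.sq_int == 0:  # no grace period: clients move immediately
                    events.append((now, "red"))
                    state = "red"
        return events
```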
Controlling communication with the network access device
To stop communication between the Nortel SNAS and a network access
device, use the following command:
/cfg/domain #/switch #/dis
Enter apply to apply the change immediately.
ATTENTION
If the switch is not going to be used in the Nortel SNAS network, Nortel
recommends deleting the switch from the Nortel SNAS domain, rather than just
disabling it.
To restart communication between the Nortel SNAS and a network access
device, use the following command:
/cfg/domain #/switch #/ena
Enter apply to apply the change immediately.
Configuring SSCPLite
SSCPLite is a SNAS enforcement protocol that uses SNMP to restrict a
user's network access by using dynamically provisioned VLANs selected from
the user's credentials and device health assessment. SSCPLite supports
Nortel ES 325, 425, 450, 460, BPS, 470, and ERS 2500, 4500, 5500,
8300, and 8600. In addition, SSCPLite supports Cisco 2900, 3500, and
3700 series Ethernet switches.
SSCPLite has the following characteristics and limitations:
SSCPLite uses the SNMP protocol.
Switches do not support Dynamic Host Configuration Protocol (DHCP).
Switches may not support DHCP signature-based identification of
VoIP phones.
Nortel SNAS should use MAC authentication.
Multiple PCs connected through a hub to one switch port are not supported.
To configure SSCPLite, access the menu by using the following
command:
cfg/domain #/switch #/mgmtproto
The Switch menu is modified to include the different
communication protocols (sscp, sscplite). SSCP is selected by default.
Usage: mgmtproto <sscp/sscplite>
The sscplite menu includes the following option:
/cfg/domain #/switch #/sscplite
followed by:
profile
Sets the SNMP profile to use.
Configuring SNMP Profiles
To configure the SNMP profiles, use the following command:
cfg/domain #/snmp-profile
You are prompted for the following:
Enter the SNMP profile number. This creates SNMP profile #.
Enter the name of this SNMP profile.
Enter the version supported for the SNMP profile. Values are v1, v2c, and
v3.
Enter the SNMP port to communicate on.
Enter the data refresh interval in seconds.
Enter the CLI user name.
Enter the CLI user password.
Reconfirm the password.
Enter the CLI login type. Values are ssh and telnet.
The SNMPProfile # menu appears.
The SNMP profile menu includes the following options:
/cfg/domain #/snmp-profile #
followed by:
name
Sets the name of the profile.
versions
Sets the supported SNMP versions.
community
Accesses the SNMP community menu.
port
Sets the SNMP port to communicate on.
refresh
Sets the data refresh interval.
cli-user
Sets the CLI login user name.
cli-passwd
Sets the CLI login password.
cli-logint
Sets the CLI login type.
del
Deletes the SNMP profile.
Configuring SNMP Versions
To configure SNMP versions, use the following command:
/cfg/domain #/snmp-profile #/versions
The different versions of SNMP are SNMPv1, SNMPv2c, and
SNMPv3.
SNMPv1 is the standard version of SNMP. The SNMPv1 framework
distinguishes between application entities and protocol entities.
SNMPv2c was created as an update of SNMPv1 with several new
features. The key enhancements of SNMPv2c are focused on the SMI,
manager-to-manager capability, and protocol operations.
SNMPv3 defines the secure version of SNMP. In SNMPv3,
the concept of an authentication service is expanded to include
other services, such as privacy. SNMPv3 also facilitates remote
configuration of the SNMP entities. SNMPv3 was formed mainly to
address the deficiencies related to security and administration.
Configuring SSCPLite Community
To configure the SSCPLite community, use the following command:
/cfg/domain #/snmp-profile #/community
An SNMP community is the group of devices and management stations
running SNMP. An SNMP device or agent may belong to more
than one SNMP community. It does not respond to requests from
management stations that do not belong to one of its communities.
SNMP can be protected from the Internet with a firewall. When
a device receives a request that fails authentication, it sends a trap to a
management station.
The SSCPLite Community menu appears.
The SSCPLite Community menu includes the following options:
/cfg/domain #/snmp-profile #/community
followed by:
read
Sets the read community string.
The default is Public.
write
Sets the write community string.
The default is Private.
trap
Sets the trap community string.
The default is trap.
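Added example, not part of the manual: a small Python audit over SNMP profile settings as described in this chapter, flagging the default community strings, community-only versions (v1 and v2c carry the community string as the sole, cleartext credential), and a telnet CLI login type before a profile is used for SSCPLite enforcement. The profile structure, field names and function names are assumptions; the "versions" field is read as the versions the profile is allowed to use.

```python
from dataclasses import dataclass
from typing import Dict, List, Set

# Defaults shown in the SSCPLite Community menu (compared case-insensitively).
DEFAULT_COMMUNITIES = {"read": "public", "write": "private", "trap": "trap"}
COMMUNITY_ONLY_VERSIONS = {"v1", "v2c"}  # no authentication or encryption


@dataclass
class SnmpProfile:
    name: str
    versions: Set[str]
    community: Dict[str, str]  # keys: read, write, trap
    cli_user: str
    cli_logint: str  # "ssh" or "telnet"
    port: int = 161
    refresh: int = 60


def audit_profile(profile: SnmpProfile) -> List[str]:
    """Return the findings a reviewer would raise before enabling this profile."""
    findings: List[str] = []
    for role, value in profile.community.items():
        default = DEFAULT_COMMUNITIES.get(role)
        if default is not None and value.lower() == default:
            findings.append(f"{role} community is the default '{value}'")
    read, write = profile.community.get("read"), profile.community.get("write")
    if read and write and read == write:
        findings.append("read and write community strings are identical")
    weak = profile.versions & COMMUNITY_ONLY_VERSIONS
    if weak and "v3" not in profile.versions:
        findings.append(f"only {sorted(weak)} enabled: the community string is the "
                        "sole credential and travels in cleartext")
    elif weak:
        findings.append(f"v3 enabled but {sorted(weak)} still allowed, so community-only "
                        "access remains possible")
    if profile.cli_logint.lower() == "telnet":
        findings.append("CLI login type is telnet: the CLI password is sent in cleartext; use ssh")
    if profile.port != 161:
        findings.append(f"non-standard SNMP port {profile.port}; confirm the switch listens there")
    if profile.refresh < 1:
        findings.append("refresh interval must be at least 1 second")
    return findings


def audit_all(profiles: List[SnmpProfile]) -> Dict[str, List[str]]:
    """Findings per profile name, for a domain with several profiles."""
    return {p.name: audit_profile(p) for p in profiles}
```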
Configuring SNMP Templates
To configure the SNMP templates, use the following command:
/cfg/device
The SNMP templates menu includes the following options:
/cfg/device
followed by:
list
Lists the templates being used.
show
Shows the detailed information in the template.
import
Imports new switch templates to the SNAS.
This adds one more switch type to the
Domain menu.
export
Exports new switch templates to the TFTP
server.
clear
Deletes a template entry from the list, or
deletes the whole list of templates.
Configuring the domain
A Nortel SNAS domain encompasses all the switches, authentication
servers, and remediation servers associated with that Nortel SNAS cluster.
If you ran the quick setup wizard during initial setup, Domain 1 is created.
If you did not run the quick setup wizard, you must create at least one
domain. For information about creating a domain, see “Creating a domain”
(page 83). To delete a domain, see “Deleting a domain” (page 89).
ATTENTION
With Nortel Secure Network Access Switch Software Release 1.6.1, you cannot
configure the Nortel SNAS to have more than one domain.
Configuring the domain
To configure the domain, access the Domain menu by using the following
command:
/cfg/domain  
From the Domain menu, you can configure and manage the following:  
domain parameters such as name and portal IP address (pVIP) (see  
Authentication, Authorization, and Accounting (AAA) features  
124))  
NAP Interoperability (see “Configuration of Microsoft NAP  
Location based security (see “Creation of the location” (page 123))  
the SSL server used for the domain portal (see “Configuring the SSL  
SSL trace commands  
SSL settings  
logging traffic with syslog messages  
227))  
captive portal  
portal look and feel  
linksets  
the network access devices (see “Managing the network access  
SSH keys for the domain (see “Managing SSH keys” (page 68))  
HTTP redirect settings (see “Configuring HTTP redirect” (page 107))  
advanced settings such as a backend interface and logging options  
Roadmap of domain commands  
The following roadmap lists the CLI commands to configure the domain in  
a Nortel SNAS deployment. Use this list as a quick reference or click on  
any entry for more information:  
Parameter  
Command  
/cfg/domain <domain ID>  
/cfg/quick  
/cfg/domain #/del  
/cfg/domain <domain ID>  
name <name>  
pvips <IPaddr>  
/cfg/domain #/aaa/nha  
recheck <interval>  
heartbeat <interval>  
hbretrycnt <count>  
hbretrycnt <count>  
status-quo on|off  
onflysrs on|off  
desktopnam Desktop agent shortcut  
name  
action teardown | restricted  
list  
details on|off  
custscript  
on|off  
persistoob  
on|off  
loglevel fatal | error | warning | info  
| debug  
/cfg/domain #/aaa/nha/quick  
cfg/domain #/aaa/nha/desktopagent  
/cfg/domain #/server  
Usage: desktopagent <on|off|auto>  
port <port>  
interface <interface ID>  
dnsname <name>  
/cfg/domain #/server/trace  
ssldump  
tcpdump  
ping <host>  
dnslookup <host>  
traceroute <host>  
/cfg/domain #/server/ssl  
cert <certificate index>  
cachesize <sessions>  
cachettl <ttl>  
cacerts <certificate index>  
cachain <certificate index list>  
protocol ssl2 | ssl3 | ssl23 | tls1  
ciphers <cipher list>  
ena  
dis  
/cfg/domain #/server/adv/traflog  
sysloghost <IPaddr>  
udpport <port>  
protocol ssl2 | ssl3 | ssl23 | tls1  
priority debug | info | notice  
facility auth | authpriv | daemon |  
local0-7  
ena  
dis  
/cfg/domain #/httpredir  
/cfg/domain #/adv  
port <port>  
redir on | off  
interface <interface ID>  
log  
/cfg/domain #/aaa/radacct  
/cfg/domain #/aaa/radacct/servers  
ena  
dis  
list <ip> <port> <secret>  
del <index number>  
add <ip> <port> <secret>  
insert <position> <ip> <port>  
<secret>  
move <index number value> <new index  
number value>  
/cfg/domain #/aaa/radacct/domainattr vendorid  
vendortype  
Creating a domain  
You can create a domain in two ways:  
Manually creating a domain  
To create and configure a domain manually, use the following command:  
/cfg/domain <domain ID>  
where  
domain ID is an integer in the range 1 to 256 that  
uniquely identifies the domain in the Nortel  
SNAS cluster.  
When you first create the domain, you are prompted to enter the following  
parameters:  
domain name—a string that identifies the domain on the Nortel  
SNAS, as a mnemonic aid. The maximum length of the string is 255  
characters.  
portal Virtual IP address (pVIP)—the IP address of the Nortel SNAS  
portal. You can have more than one pVIP for a domain. To specify  
more than one pVIP, use a comma separator. The pVIP is the address  
to which the client connects for authentication and host integrity check.  
For more information, see “About the IP addresses” (page 42).  
The Domain menu appears.  
Figure 4 "Creating a domain" (page 84) shows sample output for the  
/cfg/domain <domain ID> command and commands on the Domain  
menu. For more information about the Domain menu commands, see  
Figure 4  
Creating a domain  
Using the Nortel SNAS domain quick setup wizard in the CLI  
To create a domain using the Nortel SNAS quick setup wizard, use the  
following command:  
/cfg/quick  
The NSNAS quick setup wizard is similar to the quick setup wizard  
available during initial setup.  
Depending on the options you select in connection with certificates and  
creating a test user, the two wizards also create similar default settings  
You can later modify all settings created by the domain quick setup wizard  
Step 1 Launch the domain quick setup wizard.
>> Main# cfg/quick
Step 2 Specify the pVIP of the Nortel SNAS domain.
You can configure additional pVIPs later (see “Configuring
IP address of domain portal: <IPaddr>
Step 3 Specify a name for the Nortel SNAS domain, as a mnemonic aid.
Name of the domain: <name>
Step 4 Specify the port on which the portal web server listens for SSL
communications. The default for HTTPS communications is port
443.
Listen port of domain portal [443]:
Step 5 Specify the certificate to be used by the portal server.
Use existing certificate (no/1) [no]:
If certificates exist on the system, the certificate numbers will be
offered as valid input options. Choose one of the following:
a To create a new certificate by pasting in the contents of a
certificate file from a text editor, press Enter to accept the
default value (no). Go to step 6.
b To create a test certificate, press Enter to accept the default
value (no). Go to step 7.
c To use an existing certificate, enter the applicable certificate
number. Go to step 8.
Use the /info/certs command to view the main attributes of
all configured certificates. The certificate number is shown in the
Certificate Menu line (for example, Certificate Menu 1:).
For more information about certificates and keys, see “Managing
Step 6 To create a new certificate:
a At the prompt to create a test certificate, enter No.
b When prompted, paste in the certificate and key from a text
file, then press Enter.
c Enter an ellipsis (...) to signal the end of the certificate.
d To continue, go to step 8.
Use existing certificate (no/1) [no]:
Create a test certificate? (yes/no): no
Enter server certificate.
Paste the certificate and key, press Enter to create a
new line, and then type "..." (without the quotation
marks) to terminate.
>
Step 7 To create a test certificate:
a At the prompt to create a test certificate, enter Yes.
b When prompted, enter the required certificate information.
c To continue, go to step 8.
Use existing certificate (no/1) [no]:
Create a test certificate? (yes/no): yes
The combined length of the following parameters may not
exceed 225 bytes.
Country Name (2 letter code):
State or Province Name (full name):
Locality Name (eg, city):
Organization Name (eg, company):
Organizational Unit Name (eg, section):
Common Name (eg, your name or your server’s hostname):
Email Address:
Subject alternative name (blank or comma separated
list of URI:<uri>, DNS:<fqdn>, IP:<ip-address>,
email:<email-address>):
Valid for days [365]:
Key size (512/1024/2048/4096) [1024]:
Step 8 Specify whether the SSL server uses chain certificates.
Do you require chain certificates (yes/no) [no]:
Step 9 If you want to enable HTTP to HTTPS redirection, create a
redirect server.
Do you want an http to https redirect server (yes/no)
[no]:
Step 10 Specify whether you want to add a network access device to
the domain.
Do you want to configure a switch? (yes/no) [no]:
If you do want to add a network access device, enter yes to
launch the quick switch wizard. Go to step 11.
If you do not want to add a network access device at this time,  
press Enter to accept the default value (no). Go to step 12.  
11 To add a network access device, enter the required information  
when prompted. For more information, see “Using the quick  
Do you want to configure a switch? (yes/no) [no]: yes  
Enter the type of the switch (ERS8300/ERS5500) [ERS8300]:  
IP address of Switch:  
NSNA communication port[5000]:  
Red vlan id of Switch:  
To continue, go to step 12.  
12 Specify the action to be performed when an SRS rule check fails.  
The options are:  
restricted—the session remains intact, but access is  
restricted in accordance with the rights specified in the  
access rules for the group  
teardown—the SSL session is torn down  
The default is restricted.  
In the event that the Nortel health Agent checks fails  
on a client, the session can be teardown, or left in  
restricted mode with limited access.  
Which action do you want to use for Health Agent check  
failure? (teardown/restricted) [restricted]:  
13 Specify whether you want to create a test local user (nha) in the  
default nhauser group.  
Do you want to create a test local user? (yes/no)  
[yes]:  
If you do want to create a test user, press Enter to accept the  
default value (yes). The wizard will create a test user named  
nha, with password nha, in the default nhauser group.  
If you do not want to create a test user, enter no.  
14 Specify whether you want to create a test user for system  
authentication.  
Do you want to create a test user for system  
authentication? (yes/no) [yes]:  
15 Wait while the wizard completes processing to create the  
domain, then enter Apply to activate the changes.  
The wizard assigns the following default VLAN IDs:  
Green VLAN = VLAN ID 110  
Yellow VLAN = VLAN ID 120  
You can change the VLAN mappings when you add or modify  
the network access devices (see “Configuring the network  
access devices” (page 64)). You specify the Red VLAN when  
you add the network access devices to the domain.  
The components created by the wizard depend on the selections  
you made in the preceding steps. For example, the sample  
output illustrates the following options:  
an existing certificate (Certificate 1) is being used  
no network access device is being added  
the test user is being created  
--End--  
Creating Domain 1  
Creating Certificate 1  
Creating Client Filter 1  
Name: nha_passed  
Creating Client Filter 2  
Name: nha_failed  
Creating Client Filter 3  
Name: nha_system_passed  
Creating Client Filter 4  
Name: nha_system_failed  
Creating Linkset 1  
Name: nha_passed  
This Linkset just prints the Health Agent result  
Creating Linkset 2  
Name: nha_failed  
This Linkset just prints the Health Agent result  
Creating Linkset 3  
Name: nha_system_passed  
This Linkset just prints the Health Agent result  
Creating Linkset 4  
Name: nha_system_failed  
This Linkset just prints the Health Agent result  
Creating Group 1  
Name: nhauser  
Creating Extended Profile 1  
Giving full access when health check passed  
Creating "green" vlan with id 110  
Creating Access rule 1  
Giving remediation access when health check failed  
Creating Extended Profile 2  
Not using SRS rule for user compliancy:  
Creating Authentication 1  
Adding user ’nha’ with password ’nha’  
Creating Group 2  
Group for system policies  
Name: nhasystem  
Creating Extended Profile 1  
Giving system access when system health checks passed  
Creating "green_system" vlan with id 115  
Creating Extended Profile 2  
Giving remediation access when system health checks failed  
Creating "yellow" vlan with id 120  
Not using SRS rule for system compliancy  
2008 03 10 00:46  
2008 03 10 00:14  
Setting Activation and Earliest Push Date  
Enable System Credentials  
Adding user ’nhasystem’ with password ’nhasystem’  
Use apply to activate the new domain.  
>> Configuration# apply  
Changes applied successfully.  
Deleting a domain  
To delete a domain, use the following command:  
/cfg/domain #/del  
This command removes the current domain from the system configuration,  
including all settings in menus and submenus for the portal, groups,  
authentication services, linksets, and network access devices configured  
for that domain.  
Configuring domain parameters  
To configure the domain, use the following command:  
/cfg/domain <domain ID>  
where  
domain ID is an integer in the range 1 to 256 that  
uniquely identifies the domain in the Nortel  
SNAS cluster.  
The Domain menu appears.  
The Domain menu includes the following options:  
Table 4  
Configuring domain parameters  
/cfg/domain <domain ID>  
followed by:  
name <name>  
Names or renames the domain.  
name is a string that must be unique in the  
domain. The maximum length of the string  
is 255 characters.  
The name is a mnemonic aid only and is not  
used by other functions.  
pvips <IPaddr>  
Sets the pVIP for the domain. The pVIP is the  
portal address to which clients connect in order  
to access the Nortel SNAS network. For more  
A domain can have more than one pVIP. To  
configure multiple IP addresses for the portal,  
use a comma to separate the IP address  
entries.  
aaa  
Accesses the AAA menu, in order to configure  
authentication, authorization, and accounting  
features.  
For authentication, see “Configuring  
For authorization, see “Configuring groups  
For accounting, see “Configuring RADIUS  
location  
Accesses the Location menu for the location  
patchlink  
Accesses the PatchLink Servers menu (see  
server  
Accesses the Server menu, in order  
to configure the portal SSL server (see  
portal  
Accesses the Portal menu, in order to  
customize the portal page that in the client’s  
linkset  
Accesses the Linkset menu, in order to  
configure the linksets to display on the portal  
(see page 251).  
switch  
Accesses the Switch menu, in order to  
configure the network access devices  
controlled by the Nortel SNAS domain (see  
page 58).  
snmp-profi  
Accesses the SNMPProfile menu (see page  
75).  
vlan  
Accesses the Domain vlan menu, in order to  
manage VLAN mappings on the Nortel SNAS  
dhcp  
Accesses the DHCP menu.  
sshkey  
Accesses the NSNAS SSH key menu, in order  
to generate and show the public SSH key for  
the Nortel SNAS domain (see “Generating  
dnscapt  
Accesses the DNS capture menu, in order  
to set the Nortel SNAS domain portal as a  
captive portal and to configure the Exclude  
(see page 240).  
httpredir  
Accesses the HTTP Redir menu, in order to  
configure HTTP to HTTPS redirect settings  
radius  
Accesses the RADIUS menu to configure the  
RADIUS server (see “Configuration of the  
nap  
Accesses the NAP menu to configure the  
quick  
Launches the quick switch setup wizard, in  
order to add network access devices to the  
Nortel SNAS domain (see “Using the quick  
syslog  
Accesses the Syslog Servers menu.  
adv  
Accesses the Advanced menu, in order to  
configure a backend interface for the Nortel  
SNAS domain and specify the log settings for  
syslog messages (see “Configuring advanced  
del  
Removes the current domain from the system  
configuration, including all settings in menus  
and submenus.  
Configuring the Nortel Health Agent check  
Before an authenticated client is allowed into the network, the Nortel  
Health Agent application checks client host integrity by verifying that the  
components required for the client’s personal firewall (executables, DLLs,  
configuration files, and so on) are installed and active on the client PC. For  
more information about how the Nortel Health Agent check operates in the  
If you ran the quick setup wizard during the initial setup or to create the  
domain, the Nortel Health Agent check has been configured with default  
settings and the check result you selected (teardown or restricted). You  
can rerun the Nortel Health Agent portion of the quick setup wizard at any  
time by using the /cfg/domain #/aaa/nha/quick command (see  
To configure settings for the Nortel Health Agent host integrity check and  
the check result, use the following command:  
/cfg/domain #/aaa/nha  
The Nortel Health Agent menu appears.  
The Nortel Health Agent menu includes the following options:  
Table 5  
Configuring the Nortel Health Agent  
/cfg/domain #/aaa/nha  
followed by:  
quick  
Launches the Quick Nortel Health Agent  
setup wizard, in order to configure default  
Nortel Health Agent check settings and the  
(see page 96).  
recheck <interval>  
Sets the time interval between SRS rule  
rechecks made by the Nortel Health Agent  
applet on the client machine.  
interval is an integer that indicates the  
time interval in seconds (s), minutes (m),  
hours (h), or days (d). The valid range is  
60s (1m) to 86400s (1d). The default is  
15m (15 minutes).  
If a recheck fails, the Nortel SNAS performs  
the action specified in the action command  
heartbeat <interval>  
Sets the time interval between checks for  
client activity.  
interval is an integer that indicates the  
time interval in seconds (s), minutes (m),  
hours (h), or days (d). The valid range is  
60s (1m) to 86400s (1d). The default is  
1m (1 minute).  
hbretrycnt <count>  
Specifies the number of times the Nortel  
SNAS repeats the check for client activity  
when no heartbeat is detected.  
count is an integer in the range 1–65535  
that indicates the number of retries. The  
default is 3.  
If no heartbeat is detected after the specified  
number of retries (the inactivity interval),  
the Nortel SNAS default behavior is to  
terminate the session (see /cfg/domain  
#/aaa/nha/status-quo).  
status-quo on|off  
Specifies whether the Nortel SNAS domain  
operates in status-quo mode. Status-quo  
mode determines the behavior of the  
Nortel SNAS if no client activity is detected  
after the inactivity interval (heartbeat x  
hbretrycnt). The options are:  
on—the client session continues  
indefinitely  
off—the Nortel SNAS terminates the  
session immediately  
The default is off.  
onflysrs  
Enables or disables the on-the-fly SRS update  
mode.  
When a security policy is modified on the  
SNAS using the administrative tool, the policy  
is updated on the Nortel Health Agent running  
on the logged-in operating systems.  
Values: on and off  
default: off  
desktopage  
Enables or disables the desktop agent name.  
Values: on, off, and auto  
default: off  
desktopnam  
Specifies the desktop agent shortcut name.  
action teardown|restricted  
Specifies the action to be performed if the  
client fails the Nortel Health Agent SRS rule  
check. The options are:  
restricted—the session remains intact,  
but access is restricted in accordance with  
the rights specified in the access rules for  
the group  
teardown—the SSL session is torn down  
list  
Lists the SRS rules configured for the  
domain.  
For information about creating SRS rules,  
see the information about the Nortel Health  
Agent SRS Rule Builder in Nortel Secure  
Network Access Switch 4050 User Guide for  
the SREM (NN47230-101).  
The Nortel Health Agent applet can apply  
different SRS rules for different groups.  
For information about specifying the SRS  
rule to use for the Nortel Health Agent, see  
details on|off  
Specifies whether SRS failure details can be  
displayed on the portal page.  
Valid options are:  
on—details will be displayed  
off—details will not be displayed  
The default is off.  
If set to on, the client can click on the Nortel  
Health Agent icon on the portal page to  
display details about which elements of the  
SRS rule check failed.  
custscript  
Allows the client script customization.  
Values: on and off  
persistoob  
Persists the out-of-band connections.  
Values: on and off  
loglevel fatal|error|warning|info|debug  
Sets the log level for the Nortel Health Agent  
applet. The options are:  
fatal—fatal errors only  
error—all errors  
warning—warning information about  
conditions that are not error conditions  
info—high-level information about  
processes  
debug—detailed information about all  
processes  
The default is info.  
The information appears in the client’s Java Console  
window. You can use the information to track  
errors in the Nortel Health Agent SRS rules.  
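The recheck, heartbeat, hbretrycnt, status-quo and action settings in Table 5 interact: a client that stays silent for heartbeat x hbretrycnt is terminated unless status-quo is on, and a failed recheck receives the configured action. The following Python model is an added example, not Nortel code; NhaSettings and the helper names are assumptions, while the ranges and defaults are the ones the table states.

```python
"""Timing/action model for the Nortel Health Agent settings in Table 5.
Added example, not Nortel code: NhaSettings and the helper names are
hypothetical; the ranges and defaults are the ones stated in the table."""
import re
from dataclasses import dataclass

UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400}
INTERVAL_RE = re.compile(r"^(\d+)([smhd])?$")


def parse_interval(text: str) -> int:
    """Convert '15m', '2h', '1d' or '60s' to seconds.
    Bare digits are treated as seconds (assumption, as for cachettl)."""
    m = INTERVAL_RE.match(text.strip().lower())
    if not m:
        raise ValueError(f"malformed interval: {text!r}")
    return int(m.group(1)) * UNIT_SECONDS[m.group(2) or "s"]


def validate_nha_interval(text: str) -> int:
    """recheck and heartbeat accept 60s (1m) through 86400s (1d)."""
    seconds = parse_interval(text)
    if not 60 <= seconds <= 86400:
        raise ValueError(f"{text!r} is outside the valid range 60s to 86400s")
    return seconds


@dataclass
class NhaSettings:
    recheck: str = "15m"        # SRS rule recheck interval (default 15m)
    heartbeat: str = "1m"       # client activity check interval (default 1m)
    hbretrycnt: int = 3         # retries before the client counts as inactive
    status_quo: bool = False    # on: idle sessions continue indefinitely
    action: str = "restricted"  # result of a failed SRS rule check

    def inactivity_interval(self) -> int:
        """Seconds of silence tolerated: heartbeat x hbretrycnt."""
        if not 1 <= self.hbretrycnt <= 65535:
            raise ValueError("hbretrycnt must be in the range 1-65535")
        return validate_nha_interval(self.heartbeat) * self.hbretrycnt

    def on_silence(self, silent_seconds: int) -> str:
        """Decision for a client that has sent no heartbeat for silent_seconds."""
        if silent_seconds < self.inactivity_interval():
            return "keep"            # still inside the retry window
        return "keep" if self.status_quo else "terminate"

    def on_recheck_failure(self) -> str:
        """Decision when the periodic SRS rule recheck fails."""
        if self.action not in ("teardown", "restricted"):
            raise ValueError("action must be teardown or restricted")
        return self.action

    def schedule(self, session_seconds: int) -> list:
        """Seconds after login at which rechecks fall due during a session."""
        period = validate_nha_interval(self.recheck)
        return list(range(period, session_seconds + 1, period))


if __name__ == "__main__":
    s = NhaSettings()  # the wizard defaults
    print("inactivity interval:", s.inactivity_interval(), "s")
    print("after 4 minutes of silence:", s.on_silence(240))
    print("rechecks in a 1h session:", s.schedule(3600))
```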
Using the quick Nortel Health Agent setup wizard in the CLI  
To configure the settings for the SRS rule check using the Nortel Health  
Agent quick setup wizard, use the following command:  
/cfg/domain #/aaa/nha/quick  
The Nortel Health Agent quick setup wizard is similar to the last few steps  
of the Nortel SNAS domain quick setup wizard. The wizard prompts you  
for the following information:  
the action to be performed if the Nortel Health Agent check fails (see  
whether you want to create a test user (see step 13)  
The Nortel Health Agent quick setup wizard creates a default SRS rule  
(srs-rule-test). This rule checks for the presence of a text file on the  
client’s machine (C:\tunnelguard\tg.txt).  
The following table shows the sample output for the Nortel Health Agent  
quick setup wizard.  
>> Main# /cfg/domain #/aaa/nha/quick  
In the event that the Nortel Health Agent checks fails on a client, the session  
can be teardown, or left in restricted mode with limited access.  
Which action do you want to use for Nortel Health Agent check failure?  
(teardown/restricted) [restricted]:  
Do you want to create a test user for system authentication? (yes/no) [yes]:  
Do you want to create a test local user? (yes/no) [yes]:  
User policy configuration...  
Creating Client Filter 1  
Name: nha_passed  
Creating Client Filter 2  
Name: nha_failed  
Using existing nha_passed linkset  
Using existing nha_failed linkset  
Using existing SRS Rule srs-rule-test  
Creating Group 1  
Group for user policies  
Name: nhauser  
Creating Extended Profile 1  
Giving full access when health check passed  
Using existing green vlan  
Creating Extended Profile 2  
Giving remediation access when health check failed  
Using existing yellow vlan  
Using SRS rule for user compliancy: srs-rule-test  
Adding user ’nha’ with password ’nha’  
System policy configuration...  
Creating Client Filter 3  
Name: nha_system_passed  
Creating Client Filter 4  
Name: nha_system_failed  
Using existing nha_system_passed linkset  
Using existing nha_system_failed linkset  
Using existing SRS Rule srs-rule-syscred-test  
Creating Group 2  
Group for system policies  
Name: nhasystem  
Creating Extended Profile 1  
Giving system access when system health passed  
Using existing green_system vlan  
Creating Extended Profile 2  
Giving remediation access when system health failed  
Using existing yellow vlan  
Using SRS rule for system compliancy: srs-rule-syscred-test  
2008 03 10 00:50  
2008 03 10 00:18  
Setting Activation and Earliest Push Date  
Enable System Credentials  
Adding system account ’sys’ with password ’sys’  
Use ’diff’ to view pending changes, and ’apply’ to commit  
>> Nortel Health Agent# apply  
Changes applied successfully.  
Configuring the SSL server  
The server number assigned to the portal server configured for the domain  
is server 1001.  
To configure the portal server used in the domain, use the following  
command:  
/cfg/domain #/server  
The Server 1001 menu appears.  
The Server 1001 menu includes the following options:  
Table 6  
Configuring SSL server  
/cfg/domain #/server  
followed by:  
port <port>  
Specifies the port to which the portal server listens  
for HTTPS communications.  
port is an integer in the range 1–65534 that  
indicates the TCP port number. The default is  
443.  
interface <interface ID>  
Specifies the backend interface used by the server.  
interface ID is an integer that indicates the  
interface number. The default is 0.  
dnsname <name>  
Assigns a DNS name to the portal IP address.  
name is the fully qualified domain name (FQDN)  
of the pVIP (for example, nsnas.example.com).  
Generally, you need to specify a DNS name only  
if your corporate DNS server is unable to perform  
reverse lookups of the portal IP address.  
When you press Enter after specifying the DNS  
name, the system performs a check against the  
DNS server included in the system configuration  
(see /cfg/sys/dns) to verify that:  
the FQDN is registered in DNS  
the resolved IP address corresponds to the  
pVIP  
trace  
Accesses the Trace menu, in order to capture  
and analyze SSL and TCP traffic between clients  
and the portal server. For more information, see  
ssl  
Accesses the SSL Settings menu, in order to  
configure SSL settings for the portal server (see  
adv  
Accesses the Advance settings menu, in order  
to configure traffic log settings for a syslog server  
Tracing SSL traffic  
To verify connectivity and to capture information about SSL and TCP traffic  
between clients and the portal server, use the following command:  
/cfg/domain #/server/trace  
The Trace menu appears.  
The Trace menu includes the following options:  
Table 7  
Tracing SSL traffic  
/cfg/domain #/server/trace  
followed by:  
ssldump  
Creates a dump of the SSL traffic flowing  
between clients and the portal server. You are  
prompted to enter the following information:  
ssldump flags and ssldump  
filter—for more information about  
the flags and filter expressions available for  
SSLDUMP using UNIX, see http://www.tcpd  
output mode  
Options for the output mode are:  
interactive—captured information  
decrypted on the screen. SSLDUMP  
cannot decrypt any traffic if it is started after  
the browser. SSLDUMP must be running  
during the initial SSL handshake.  
tftp|ftp|sftp—the dump will be saved  
as a file to the file exchange server you  
specify, using a destination file name you  
specify. You are prompted to enter the  
required information. You can specify the  
file exchange server using either the host  
name or the IP address.  
For TFTP, the number of files sent depends  
on the amount of captured information. A  
sequence number is appended to the file  
name given in the CLI, starting at 1 and  
incremented automatically for additional  
files.  
For ftp and sftp, you will also be  
prompted to specify a user name and  
password valid on the file exchange server.  
The default output mode is interactive.  
tcpdump  
Creates a dump of the TCP traffic flowing  
between clients and the virtual SSL server.  
You are prompted to enter the following  
information:  
tcpdump flags and tcpdump  
filter—for more information about  
the flags and filter expressions available for  
TCPDUMP using UNIX, see http://www.tcp  
output mode  
Options for the output mode are:  
interactive—captured information on  
the screen  
tftp|ftp|sftp—the dump will be saved  
as a file to the file exchange server you  
specify, using a destination file name you  
specify. You are prompted to enter the  
required information. You can specify the  
file exchange server using either the host  
name or the IP address.  
For TFTP, the number of files sent depends  
on the amount of captured information. A  
sequence number is appended to the file  
name given in the CLI, starting at 1 and  
incremented automatically for additional  
files.  
For ftp and sftp, you will also be  
prompted to specify a user name and  
password valid on the file exchange server.  
You can read a saved TCP traffic dump file  
using the TCPDUMP or Ethereal application on  
a remote machine.  
The default output mode is interactive.  
ping <host>  
Verifies station-to-station connectivity across  
the network.  
host is the host name or IP address of the  
target station  
If a backend interface is mapped to the current  
Nortel SNAS domain, the check is made  
through the backend interface. To map a  
backend interface to the domain, use the  
/cfg/domain #/adv/interface command (see page  
109).  
To be able to use a host name, the DNS  
parameters must be configured (see page  
276).  
dnslookup <host>  
Finds the IP address for a machine whose  
host name you specify, or the host name of a  
machine whose IP address you specify.  
host is the host name or IP address of the  
machine  
If a backend interface is mapped to the current  
Nortel SNAS domain, the check is made  
through the backend interface. To map a  
backend interface to the domain, use the  
/cfg/domain #/adv/interface command (see page  
109).  
traceroute <host>  
Identifies the route used for station-to-station  
connectivity across the network.  
host is the host name or IP address of the  
target station  
If a backend interface is mapped to the current  
Nortel SNAS domain, the check is made  
through the backend interface. To map a  
backend interface to the domain, use the  
/cfg/domain #/adv/interface command (see page  
109).  
To be able to use a host name, the DNS  
parameters must be configured (see page  
276).  
Configuring SSL settings  
To configure SSL-specific settings for the portal server, use the following  
command:  
/cfg/domain #/server/ssl  
The SSL Settings menu appears.  
The SSL Settings menu includes the following options:  
Table 8  
Configuring SSL Settings  
/cfg/domain #/server/ssl  
followed by:  
cert <certificate index>  
Specifies which server certificate the portal  
server will use. You cannot specify more than  
one server certificate for the server to use at  
any one time.  
certificate index is an integer  
indicating the index number automatically  
assigned to the certificate when you created  
it  
To view basic information about available  
certificates, use the /info/certs command.  
For information about adding a new certificate,  
cachesize <sessions>  
Sets the size of the SSL cache.  
sessions is an integer less than or equal  
to 10000 indicating the number of cached  
sessions. The default is 4000.  
If there are many cache misses, increase the  
cachesize value for better performance.  
cachettl <ttl>  
Specifies the maximum time to live (TTL) value  
for items in the SSL cache. After the TTL has  
expired, the items are discarded.  
ttl is an integer that indicates the TTL  
value in seconds (s), minutes (m), hours  
(h), or days (d). If you do not specify a  
measurement unit, seconds is assumed.  
The default is 5m (5 minutes).  
cacerts <certificate index>  
Specifies which of the available CA certificates  
to use for client authentication.  
Not supported in Nortel Secure Network Access  
Switch Software Release 1.6.1.  
cachain <certificate index list>  
Specifies the CA certificate chain of the server  
certificate.  
certificate index list is a  
comma-separated list of the certificate  
index numbers assigned to the certificates in  
the chain. The chain starts with the issuing  
CA certificate of the server certificate and  
can range up to the root CA certificate.  
The command explicitly constructs the server  
certificate chain. The chain and the server  
certificate are sent to the browser.  
To clear all specified chain certificates, press  
Enter at the prompt to enter the certificate  
numbers. At the prompt to confirm that you  
want to clear the list, enter yes.  
ATTENTION  
The SSL server can use chain certificates  
only if the protocol version is set to  
ssl3 or ssl23 (see /cfg/domain  
#/server/ssl/protocol).  
protocol ssl2|ssl3|ssl23|tls1  
Specifies the protocol to use when establishing  
an SSL session with a client. Valid options are:  
ssl2—accept SSL 2.0 only  
ssl3—accept SSL 3.0 and TLS 1.0  
ssl23—accept SSL 2.0, SSL 3.0, and TLS  
1.0  
tls1—accept TLS 1.0 only  
The default value is ssl3.  
verify none|optional|required  
Specifies the level of client authentication to  
use when establishing an SSL session. Valid  
options are:  
none—no client certificate is required  
optional—a client certificate is requested,  
but the client need not present one  
required—a client certificate is required  
The default value is none.  
Not supported in Nortel Secure Network Access  
Switch Software Release 1.6.1.  
ciphers <cipher list>  
Specifies the list of preferred ciphers. This  
information is sent to the backend servers. The  
default cipher list provides for using lighter  
encryption algorithms between the SNAS and  
the backend servers. Because both the SNAS and  
the backend servers typically are behind a firewall  
on physically secured premises, using lighter  
encryption algorithms on this network segment  
should not compromise the overall security.  
If you change the default list of preferred  
ciphers, make sure the specified ciphers are  
included in the backend servers’ list of preferred  
ciphers as the SSL connection will otherwise be  
refused.  
Specifies the cipher preference list.  
cipher list is an expression that consists  
of cipher strings separated by colons. The  
default cipher list is ALL@STRENGTH.  
For more information about cipher lists, see  
ena [<bool>]  
Enables SSL on the portal server.  
SSL is enabled by default.  
dis [<bool>]  
Disables SSL on the portal server.  
SSL is enabled by default.  
Configuring traffic log settings  
You can configure a syslog server to receive User Datagram Protocol  
(UDP) syslog messages for all HTTP requests handled by the portal  
server.  
Nortel does not recommend routinely enabling this functionality for the  
following reasons:  
Logging traffic with syslog messages generates a substantial amount  
of network traffic.  
Logging traffic places an additional CPU load on each Nortel SNAS  
device in the cluster.  
In general, syslog servers are not intended for traffic-type log  
messages. Therefore, the syslog server might not be able to cope with  
the quantity of syslog messages generated within a cluster of Nortel  
SNAS devices.  
Enable traffic logging with syslog messages in environments where laws or  
regulations require traffic logging to be performed on the SSL terminating  
device itself. You can also enable it temporarily for debugging purposes.  
Because of the amount of traffic generated, Nortel recommends that you  
set up syslog on the backend server if possible.  
A syslog message generated on a Nortel SNAS device looks like the  
following:  
Mar 8 14:14:33 192.168.128.24 <ISD-SSL>:  
192.168.128.189 TLSv1/SSLv3 DES-CBC3-SHA "GET / HTTP/1.0".  
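To make the traffic log useful for detection rather than just volume, the lines need parsing. The block below is an added example, not code from the Nortel manual: it parses the message shape shown above into named fields, counts requests per client and per cipher, and flags negotiations whose suite names a present-day policy would reject. The marker list of weak suite names is this example's assumption, not a product setting, and the sample lines other than the manual's own are constructed.

```python
"""Parse the traffic-log syslog lines a Nortel SNAS portal emits and summarise them.

Added example, not code from the Nortel manual. It is written for the message
shape the manual shows:

    Mar 8 14:14:33 192.168.128.24 <ISD-SSL>: 192.168.128.189 TLSv1/SSLv3 DES-CBC3-SHA "GET / HTTP/1.0"

SAMPLE_LINES are constructed for illustration (the first is the manual's own
example). WEAK_CIPHER_MARKERS is an assumption of this example, not a
product setting.
"""
import re
from collections import Counter
from typing import Dict, List, Optional

TRAFLOG_RE = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+"
    r"(?P<device>\d{1,3}(?:\.\d{1,3}){3})\s+<ISD-SSL>:\s+"
    r"(?P<client>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<protocol>\S+)\s+(?P<cipher>\S+)\s+"
    r'"(?P<method>[A-Z]+)\s+(?P<path>\S+)\s+(?P<version>HTTP/\d\.\d)"'
)

# Substrings of OpenSSL suite names a present-day policy would reject:
# 3DES (DES-CBC3-...), single DES, RC4, export-grade and NULL-cipher suites.
WEAK_CIPHER_MARKERS = ("DES-", "RC4", "EXP-", "NULL")

# Constructed sample input; only the first line is taken from the manual.
SAMPLE_LINES = [
    'Mar 8 14:14:33 192.168.128.24 <ISD-SSL>: 192.168.128.189 TLSv1/SSLv3 DES-CBC3-SHA "GET / HTTP/1.0".',
    'Mar 8 14:14:35 192.168.128.24 <ISD-SSL>: 192.168.128.189 TLSv1/SSLv3 AES256-SHA "GET /login.html HTTP/1.1"',
    'Mar 8 14:14:40 192.168.128.24 <ISD-SSL>: 10.0.0.7 TLSv1/SSLv3 AES128-SHA "POST /cgi-bin/login HTTP/1.1"',
    'Mar 8 14:14:41 192.168.128.24 <ISD-SSL>: truncated line from a lossy UDP capture',
]


def parse_traflog_line(line: str) -> Optional[Dict[str, str]]:
    """Split one traffic-log line into named fields; None if it does not match."""
    # The manual's sample ends in a full stop after the closing quote; tolerate it.
    match = TRAFLOG_RE.match(line.strip().rstrip("."))
    return match.groupdict() if match else None


def is_weak_cipher(cipher: str) -> bool:
    return any(marker in cipher for marker in WEAK_CIPHER_MARKERS)


def summarise(lines: List[str]) -> Dict[str, object]:
    """Aggregate parsed lines: volumes per client and cipher, plus weak-cipher hits."""
    parsed = [p for p in (parse_traflog_line(line) for line in lines) if p is not None]
    return {
        "total": len(parsed),
        "unparsed": len(lines) - len(parsed),
        "by_client": Counter(p["client"] for p in parsed),
        "by_cipher": Counter(p["cipher"] for p in parsed),
        "weak_cipher_hits": [
            (p["timestamp"], p["client"], p["cipher"]) for p in parsed if is_weak_cipher(p["cipher"])
        ],
    }


if __name__ == "__main__":
    report = summarise(SAMPLE_LINES)
    print(f"parsed {report['total']} lines, {report['unparsed']} unparsed")
    for client, count in report["by_client"].most_common():
        print(f"  {client}: {count} requests")
    for timestamp, client, cipher in report["weak_cipher_hits"]:
        print(f"  weak cipher {cipher} negotiated by {client} at {timestamp}")
```

The unparsed counter matters in practice: because the transport is UDP, dropped or truncated datagrams are silent, and a rising unparsed share is the first sign that the syslog server is not coping with the volume the manual warns about.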
To set up a syslog server to receive UDP syslog messages for all HTTP requests handled by the portal server, use the following command:
/cfg/domain #/server/adv/traflog
The Traffic Log Settings menu appears.
The Traffic Log Settings menu includes the following options:
/cfg/domain #/server/adv/traflog followed by:

sysloghost <IPaddr>
    Specifies the IP address of the syslog server.

udpport <port>
    Specifies the UDP port number of the syslog server. port is an integer in the range 1–65534 that indicates the UDP port number. The default is 514.

priority debug|info|notice
    Specifies the priority level of the syslog messages that are sent. Valid options are:
    - debug—information useful for debugging purposes only
    - info—informational messages
    - notice—information about conditions that are not error conditions but nevertheless warrant special attention
    The default value is info.

ena
    Enables traffic logging with syslog messages to the specified syslog server. Traffic logging with syslog messages is disabled by default.

dis
    Disables traffic logging with syslog messages. Traffic logging with syslog messages is disabled by default.
Configuring HTTP redirect
You can configure the Nortel SNAS domain to automatically redirect HTTP requests to the HTTPS server. For example, a client request directed to http://nsnas.com is automatically redirected to https://nsnas.com.
To configure the domain to automatically redirect HTTP requests to the HTTPS server specified for the domain, use the following command:
/cfg/domain #/httpredir
The Http Redir menu appears.
The Http Redir menu includes the following options:
Table 9
Configuring HTTP redirect
/cfg/domain #/httpredir followed by:

port <port>
    Specifies the port on which the portal server listens for HTTP communications. port is an integer that indicates the TCP port number. The default is 80.
    ATTENTION
    If you do not accept the default value and you specify a different port, you must modify the Red and Yellow filters on the network access devices accordingly. Otherwise, the client PC will not be able to reach the portal for user authentication.

redir on|off
    Specifies whether HTTP requests will be redirected to the HTTPS server.
    - on—HTTP redirect is enabled
    - off—HTTP redirect is disabled
    The default is off.
Browser-Based Management Configuration
The HTTP menu is used for enabling or disabling browser-based configuration of your VPN Gateway. To access the Browser-Based Interface (BBI), enter the Management IP address assigned to the SNAS cluster in your web browser.
The HTTP menu includes the following options:
Table 10
Browser-Based Management Configuration
cfg/sys/adm/http/ followed by:

port
    Sets the port number to be used for browser-based SNAS configuration using the BBI.

ena
    Enables the HTTP server used for browser-based configuration on the SNAS.

dis
    Disables the HTTP server used for browser-based configuration on the SNAS.

Browser-Based Management Configuration with SSL
The HTTPS menu is used for enabling or disabling browser-based configuration of your VPN Gateway through a secure SSL tunnel. To access the Browser-Based Management Interface (BBI), enter the Management IP address assigned to your SNAS cluster in your web browser.
The HTTPS menu includes the following options:
Table 11
Browser-Based Management Configuration with SSL
cfg/sys/adm/https followed by:

port
    Sets the port number to be used for browser-based SNAS configuration from the BBI using SSL.

ena
    Enables the HTTPS server used for browser-based configuration on the SNAS using SSL.

dis
    Disables the HTTPS server used for browser-based configuration on the SNAS using SSL.
Configuring advanced settings
You can configure the following advanced settings for the Nortel SNAS domain:
- a backend interface
- logging options
To map a backend interface to the domain and to configure logging options, use the following command:
/cfg/domain #/adv
The Advanced menu appears.
The Advanced menu includes the following options:
Table 12
Configuring advanced settings
/cfg/domain #/adv followed by:

interface <interface ID>
    References a previously created interface to serve as a backend interface for the domain. interface ID is an integer that indicates the interface number. The default is 0. To configure the interface, use the /cfg/sys/host #/interface command.

log
    Specifies the type of requests and operations to log. You are prompted to enter a comma-separated list of log types. Valid options are:
    - all—logs all options
    - login—logs portal logins and logouts
    - http—logs HTTP requests made from the portal
    - portal—logs non-HTTP portal operations, such as FTP and SMB file server access
    - reject—logs rejected requests
    The default is login.
    Each type of log generates its own set of syslog messages. The syslog messages include date, time, type of request, user, source IP address, and requested destination.
Configuring RADIUS accounting
The Nortel SNAS can be configured to provide support for logging administrative operations and user session start and stop messages to a RADIUS accounting server.
With RADIUS accounting enabled, the Nortel SNAS sends an accounting request start packet to the accounting server for each user who successfully authenticates to the Nortel SNAS domain. The start packet contains the following information:
- client user name
- Nortel SNAS device Real IP address (RIP)
- session ID
When the user session terminates, the Nortel SNAS sends an accounting request stop packet to the accounting server. The stop packet contains the following information:
- session ID
- session time
- cause of termination
Configure the RADIUS server in accordance with the recommendations in RFC 2866.
Certain Nortel SNAS-specific attributes are sent to the RADIUS server when you enable accounting (see “Configuring Nortel SNAS-specific attributes” (page 114)). In conjunction with custom plugins on RADIUS, these attributes can be used for more detailed monitoring of Nortel SNAS activity.
When you add an external RADIUS accounting server to the configuration, the server is automatically assigned an index number. Nortel SNAS accounting will be performed by an available server with the lowest index number. You can control accounting server usage by reassigning index
To configure the Nortel SNAS to support RADIUS accounting, use the following command:
/cfg/domain #/aaa/radacct
The Radius Accounting menu appears.
The Radius Accounting menu includes the following options:
Table 13
Configuring RADIUS accounting
/cfg/domain #/aaa/radacct followed by:

servers
    Accesses the Radius Accounting Servers menu, in order to configure external RADIUS accounting servers for the domain (see “Managing RADIUS accounting servers” (page 112)).

domainattr
    Accesses the Domain Attribute menu, in order to configure Nortel SNAS-specific attributes to be sent to the accounting server.

ena
    Enables RADIUS accounting. The default is disabled.

dis
    Disables RADIUS accounting. The default is disabled.
Managing RADIUS accounting servers
To configure the Nortel SNAS to use external RADIUS accounting servers, use the following command:
/cfg/domain #/aaa/radacct/servers
The Radius Accounting Servers menu appears.
The Radius Accounting Servers menu includes the following options:
Table 14
Managing RADIUS accounting servers
/cfg/domain #/aaa/radacct/servers followed by:

list
    Lists the IP addresses of currently configured RADIUS accounting servers, by index number.

del <index number>
    Removes the specified RADIUS accounting server from the current configuration. The index numbers of the remaining entries adjust accordingly. To view the index numbers of all configured RADIUS accounting servers, use the list command.

add <IPaddr> <port> <shared secret>
    Adds a RADIUS accounting server to the configuration. You are prompted to enter the following information:
    - IPaddr—the IP address of the accounting server
    - port—the TCP port number used for RADIUS accounting. The default is 1813.
    - shared secret—the password used to authenticate the Nortel SNAS to the accounting server. The shared secret must be the same on the NSNA and the RADIUS server.
    The system automatically assigns the next available index number to the server.

insert <index number> <IPaddr>
    Inserts a server at a particular position in the list of RADIUS accounting servers in the configuration.
    - index number—the index number you want the server to have
    - IPaddr—the IP address of the accounting server you are adding
    The index number you specify must be in use. The index numbers of existing servers with this index number and higher are incremented by 1.

move <index number> <new index number>
    Moves a server up or down the list of RADIUS accounting servers in the configuration.
    - index number—the original index number of the server you want to move
    - new index number—the index number representing the new position of the server in the list
    The index numbers of the remaining entries adjust accordingly.
Configuring Nortel SNAS-specific attributes
The RADIUS accounting server uses Vendor-Id and Vendor-Type attributes in combination to identify the source of the accounting information. The attributes are sent to the RADIUS accounting server together with the accounting information for the logged in user.
You can assign vendor-specific codes to the Vendor-Id and Vendor-Type attributes for the Nortel SNAS domain. In this way, the RADIUS accounting server can provide separate accounting information for each Nortel SNAS domain.
Each vendor has a specific dictionary. The Vendor-Id specified for an attribute identifies the dictionary the RADIUS server will use to retrieve the attribute value. The Vendor-Type indicates the index number of the required entry in the dictionary file.
The Internet Assigned Numbers Authority (IANA) has designated SMI Network Management Private Enterprise Codes that can be assigned to
RFC 2866 describes usage of the Vendor-Type attribute.
Contact your RADIUS system administrator for information about the vendor-specific attributes used by the external RADIUS accounting server.
To simplify the task of finding accounting entries in the RADIUS server log, do the following:
Step  Action
1     In the RADIUS server dictionary, define a descriptive string (for example, NSNAS-Portal-ID).
2     Map this string to the Vendor-Type value.
--End--
To configure vendor-specific attributes in order to identify the Nortel SNAS domain, use the following command:
/cfg/domain #/aaa/radacct/domainattr
The Domain Attribute menu appears.
The Domain Attribute menu includes the following options:
Table 15
Configuring Nortel SNAS-specific attributes
/cfg/domain #/aaa/radacct/domainattr followed by:

vendorid
    Corresponds to the vendor-specific attribute used by the RADIUS accounting server to identify accounting information from the Nortel SNAS domain. The default Vendor-Id is 1872 (Alteon).

vendortype
    Corresponds to the Vendor-Type value used in combination with the Vendor-Id to identify accounting information from the Nortel SNAS domain. The default Vendor-Type value is 3.
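Seeing the start and stop records with their vendor-specific tag on the wire clarifies what the accounting server receives and how it validates them. The block below is an added example, not Nortel code and not a capture from a Nortel SNAS: it builds RFC 2866 Accounting-Request packets carrying the fields listed under "Configuring RADIUS accounting", adds the domain tag as an RFC 2865 Vendor-Specific attribute (type 26) using the manual's default Vendor-Id 1872 and Vendor-Type 3, and verifies the Request Authenticator the way the accounting server does with its copy of the shared secret. RFC 2866 carries accounting over UDP (port 1813 by default). The attribute numbers are the standard RADIUS assignments; the user name, addresses, shared secret, session ID and the NSNAS-Portal-ID tag value are constructed sample values.

```python
"""Build and verify RFC 2866 Accounting-Request packets of the kind the manual describes.

Added example; not Nortel code and not a capture from a Nortel SNAS. A Start
carries the user name, the device's IP address and the session ID; a Stop
carries the session ID, session time and termination cause. The Nortel
SNAS-specific tag travels as an RFC 2865 Vendor-Specific attribute using the
manual's default Vendor-Id 1872 and Vendor-Type 3. All sample values are
constructed.
"""
import hashlib
import hmac
import socket
import struct
from typing import List, Tuple

ACCOUNTING_REQUEST = 4
USER_NAME, NAS_IP_ADDRESS, VENDOR_SPECIFIC = 1, 4, 26
ACCT_STATUS_TYPE, ACCT_SESSION_ID, ACCT_SESSION_TIME, ACCT_TERMINATE_CAUSE = 40, 44, 46, 49
ACCT_START, ACCT_STOP = 1, 2
TERMINATE_USER_REQUEST = 1  # RFC 2866 section 5.10
NORTEL_VENDOR_ID, NORTEL_VENDOR_TYPE = 1872, 3  # manual defaults for vendorid / vendortype


def attribute(attr_type: int, value: bytes) -> bytes:
    """Encode one Type-Length-Value attribute; Length covers the 2-byte header."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value exceeds 253 octets")
    return bytes((attr_type, len(value) + 2)) + value


def vendor_specific(vendor_id: int, vendor_type: int, value: bytes) -> bytes:
    """Vendor-Specific attribute in the RFC 2865 recommended sub-attribute layout."""
    sub_attribute = bytes((vendor_type, len(value) + 2)) + value
    return attribute(VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + sub_attribute)


def build_accounting_request(identifier: int, secret: bytes, attributes: List[bytes]) -> bytes:
    """Request Authenticator = MD5(Code + Identifier + Length + 16 zero octets + attributes + secret)."""
    body = b"".join(attributes)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(body))
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body


def build_start(identifier: int, secret: bytes, user: str, nas_ip: str,
                session_id: str, domain_tag: bytes = b"NSNAS-Portal-ID") -> bytes:
    return build_accounting_request(identifier, secret, [
        attribute(ACCT_STATUS_TYPE, struct.pack("!I", ACCT_START)),
        attribute(USER_NAME, user.encode()),
        attribute(NAS_IP_ADDRESS, socket.inet_aton(nas_ip)),
        attribute(ACCT_SESSION_ID, session_id.encode()),
        vendor_specific(NORTEL_VENDOR_ID, NORTEL_VENDOR_TYPE, domain_tag),
    ])


def build_stop(identifier: int, secret: bytes, session_id: str,
               session_seconds: int, cause: int = TERMINATE_USER_REQUEST) -> bytes:
    return build_accounting_request(identifier, secret, [
        attribute(ACCT_STATUS_TYPE, struct.pack("!I", ACCT_STOP)),
        attribute(ACCT_SESSION_ID, session_id.encode()),
        attribute(ACCT_SESSION_TIME, struct.pack("!I", session_seconds)),
        attribute(ACCT_TERMINATE_CAUSE, struct.pack("!I", cause)),
    ])


def verify_accounting_request(packet: bytes, secret: bytes) -> bool:
    """What the accounting server does on receipt: recompute the authenticator with its secret."""
    if len(packet) < 20:
        return False
    header, received, body = packet[:4], packet[4:20], packet[20:]
    code, _identifier, length = struct.unpack("!BBH", header)
    if code != ACCOUNTING_REQUEST or length != len(packet):
        return False
    expected = hashlib.md5(header + bytes(16) + body + secret).digest()
    return hmac.compare_digest(received, expected)


def parse_attributes(packet: bytes) -> List[Tuple[int, bytes]]:
    """Walk the attribute list; Vendor-Specific values keep the 4-byte Vendor-Id prefix."""
    attrs, offset = [], 20
    while offset < len(packet):
        attr_type, length = packet[offset], packet[offset + 1]
        if length < 2 or offset + length > len(packet):
            raise ValueError("malformed attribute at offset %d" % offset)
        attrs.append((attr_type, packet[offset + 2:offset + length]))
        offset += length
    return attrs


def vendor_id_of(vsa_value: bytes) -> int:
    return struct.unpack("!I", vsa_value[:4])[0]


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    start = build_start(7, secret, "alice", "192.168.128.24", "0001a2b3")
    stop = build_stop(8, secret, "0001a2b3", 3600)
    print("start verifies:", verify_accounting_request(start, secret))
    print("stop verifies: ", verify_accounting_request(stop, secret))
    print("wrong secret:  ", verify_accounting_request(start, b"other"))
    for attr_type, value in parse_attributes(start):
        print(f"  attribute {attr_type}: {value!r}")
```

The verification step is why the shared secret must match on both sides, as Table 14 says: a server holding a different secret computes a different authenticator and silently discards the record, so accounting gaps are the symptom of a secret mismatch, not an error message.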
Configuring local DHCP services
The Nortel SNAS can be configured for DHCP services, to provide:
- support for non-NSNA network access devices including Nortel Ethernet Switch Models 325 / 425 / 450 / 470 and 2500 series and Ethernet Routing Switch models - 4500 series, 5500 series, 8300 and 8600 as well as third party switches, and support for multiple devices on a port (for example, when a hub is connected to the port). DHCP subnet type: hub.
- DNS server redirect from Nortel SNAS to the corporate DNS server, to optimize Nortel SNAS performance when Filters only enforcement is used. For more information on Filters only enforcement, see “Nortel
  DHCP subnet type: filter
- a standard DHCP server that supports RFC 2131 in the context of the Nortel SNAS network architecture; that is, server to server unicast messages for DHCP relayed messages. For information on the Nortel SNAS network architecture, see Nortel Secure Network Access Solution Guide, NN47230-200, (formerly 320817). DHCP subnet type: standard
To configure DHCP services, use the following command:
/cfg/domain #/dhcp
The DHCP menu appears.
The DHCP menu includes the following options:
Table 16
Configuring local DHCP services
/cfg/domain #/dhcp followed by:

subnet <number> <type> <name> <address> <netmask>
    Initiates a series of prompts that define the DHCP subnet.
    number is a unique number between 1 and 256 that you provide that the system uses to identify the subnet. The prompt is—Enter DHCP subnet number (1-256):
    type is a Nortel SNAS term that defines the type of DHCP service. The prompt is—Select one of hub, filter and standard:
    See above the table for the application of each type.
    - hub: for support of network access devices that do not support SSCP, and multiple devices on a single port.
    - filter: to provide a mechanism for redirecting the client to the corporate DNS server when the network access points are NSNA network access points and Filters only enforcement is configured.
    - standard: for standard DHCP services that conform to RFC 2131 for DHCP relayed messages.
    Each type has a set of configuration options associated with it. For information on these options, see “Standard DHCP subnet type” (page
    name refers to a name you provide for the subnet. The prompt is—Set the subnet name:
    address is the subnet address. The prompt is—Enter subnet network address:
    netmask is the subnet mask. The prompt is—Enter subnet network mask:

stdopts
    Prompts you to identify and configure values for the standard DHCP options. As a minimum, you must configure Option 3 (Default Router), Option 6 (Domain Name Server), Option 15 (Domain Name), and Option 51 (Lease Time). When configuring Option 51 (Lease Time), the lease interval is specified in seconds.
    The values set at this level of the DHCP menus are applied globally to all DHCP subnets and types. You are provided with the option of changing the global values when specific DHCP settings are configured. See “DHCP

vendopts <number> <name> <value> <del>
    Initiates a series of prompts that allow you to specify RFC 2132 vendor options.
    number is a unique number between 1 and 254 that you provide that the system uses to identify the vendor options. The prompt is—Enter vendor options number (1-254):
    name refers to a name you provide for this set of vendor options. The prompt is—Set the vendor option name:
    type can be ip, ip_list, u8, u16, u32, string, or bool.
    value refers to allowed values for the type, as per RFC 2132.
    del deletes the vendor options.
    The values set at this level of the DHCP menus are applied globally to all DHCP subnets and types. You are provided with the option of changing the global values when specific DHCP settings are configured. See “DHCP
quick
    Provides a quick DHCP setup wizard. Options are described under the DHCP Settings menu.

The DHCP settings menu appears whenever you select an option that requires a range of IP addresses. This occurs when configuring:
- the settings for the standard DHCP subnet type
- the known and unknown ranges for the filter DHCP subnet type
- the red, yellow, and green ranges for the hub DHCP subnet type.
The DHCP settings menu includes the following options:
Table 17
DHCP Settings menu

ranges <list> <del> <add> <insert> <move>
    Establishes the lower and upper IP addresses of a range of IP addresses. More than one range can be configured.
    list lists the current ranges. The format of the output is #: IP address : IP address where # is an integer that specifies the index of the range. The index is required to delete, insert, or move a range.
    del # deletes the range with index number #.
    add IPaddressLower IPaddressUpper adds a new range with lower and upper limits defined by IPaddressLower and IPaddressUpper, respectively.
    insert # IPaddressLower IPaddressUpper inserts a new range above the range having index number #. For example, if # is 3, the new range is assigned index number 3 and the current range with index number 3 is reassigned to index number 4. The lower and upper limits of the new range are defined by IPaddressLower and IPaddressUpper, respectively.
    move #A #B changes the index number of range #A to #B and changes the index number of #B to #A. That is, the ranges switch places in the range list.

stdopts
    Prompts you to identify and configure values for the standard DHCP options. If you have configured the DHCP standard options using the stdopts command from the /cfg/domain #/dhcp menu, those values carry through to here. If you change the values here, the new values only apply to the range(s) you are defining here.

vendopts <number> <name> <value> <del>
    Initiates a series of prompts that allow you to specify RFC 2132 vendor options.
    If you have configured the vendor options using the vendopts command from the /cfg/domain #/dhcp menu, those values carry through to here. If you change the values here, the new values only apply to the range(s) you are defining here.
    number is a unique number between 1 and 254 that you provide that the system uses to identify the vendor options. The prompt is—Enter vendor options number (1-254):
    name refers to a name you provide for this set of vendor options. The prompt is—Set the vendor option name:
    type can be ip, ip_list, u8, u16, u32, string, or bool.
    value refers to allowed values for the type, as per RFC 2132.
    del deletes the vendor options.
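The index arithmetic of insert and move is easy to get wrong on a long range list, and a mis-numbered range ends up in the wrong enforcement zone. The block below is an added example, not Nortel code: it models the ranges sub-menu of Table 17 with the documented 1-based semantics (insert shifts the old occupant and everything after it up by one; move swaps two entries) and adds a bounds and overlap check. That check is this example's assumption about what a careful administrator wants; the manual does not say whether the device performs one. The addresses are constructed sample values.

```python
"""Model of the DHCP Settings 'ranges' sub-menu index semantics from Table 17.

Added example, not Nortel code. It reproduces the documented behaviour of
list, add, del, insert and move on a 1-based range list and adds an overlap
check that is this example's assumption, not a documented product behaviour.
The addresses used below are constructed sample values.
"""
import ipaddress
from typing import List, Tuple

IPv4Range = Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]


class DhcpRangeList:
    def __init__(self) -> None:
        self._ranges: List[IPv4Range] = []

    def _validated(self, lower: str, upper: str) -> IPv4Range:
        lo, hi = ipaddress.IPv4Address(lower), ipaddress.IPv4Address(upper)
        if lo > hi:
            raise ValueError(f"lower bound {lo} is above upper bound {hi}")
        for index, (existing_lo, existing_hi) in enumerate(self._ranges, 1):
            if lo <= existing_hi and hi >= existing_lo:  # assumed check: no overlapping ranges
                raise ValueError(f"{lo}-{hi} overlaps range {index} ({existing_lo}-{existing_hi})")
        return lo, hi

    def _check_index(self, index: int) -> None:
        # The manual: an index given to del, insert or move must already be in use.
        if not 1 <= index <= len(self._ranges):
            raise IndexError(f"index {index} is not in use (1-{len(self._ranges)})")

    def list(self) -> List[str]:
        """Output in the manual's '#: IP address : IP address' format, indexes from 1."""
        return [f"{i}: {lo} : {hi}" for i, (lo, hi) in enumerate(self._ranges, 1)]

    def add(self, lower: str, upper: str) -> int:
        """Append a range and return its new index."""
        self._ranges.append(self._validated(lower, upper))
        return len(self._ranges)

    def delete(self, index: int) -> None:
        self._check_index(index)
        del self._ranges[index - 1]  # later entries renumber automatically

    def insert(self, index: int, lower: str, upper: str) -> None:
        """The new range takes index; the old occupant and everything after it shift up by one."""
        self._check_index(index)
        self._ranges.insert(index - 1, self._validated(lower, upper))

    def move(self, index_a: int, index_b: int) -> None:
        """Ranges #A and #B switch places; no other index changes."""
        self._check_index(index_a)
        self._check_index(index_b)
        r = self._ranges
        r[index_a - 1], r[index_b - 1] = r[index_b - 1], r[index_a - 1]

    def size_of(self, index: int) -> int:
        """Number of addresses in a range (handy when sizing a zone's lease pool)."""
        self._check_index(index)
        lo, hi = self._ranges[index - 1]
        return int(hi) - int(lo) + 1


def demo() -> List[str]:
    """Walk through the manual's insert example: the new range takes index 3, the old #3 becomes #4."""
    ranges = DhcpRangeList()
    ranges.add("10.10.1.10", "10.10.1.49")    # index 1
    ranges.add("10.10.1.50", "10.10.1.99")    # index 2
    ranges.add("10.10.1.150", "10.10.1.199")  # index 3
    ranges.insert(3, "10.10.1.100", "10.10.1.149")  # becomes 3; the old 3 is now 4
    ranges.move(1, 4)  # swap the first and last entries
    return ranges.list()


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Note that the manual's move on a RADIUS accounting server list (Table 14) is described differently ("the index numbers of the remaining entries adjust accordingly"), so the swap implemented here applies to the DHCP ranges list only.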
Hub DHCP subnet type
The hub DHCP subnet type is used to support non-NSNA network access devices, and multiple devices on a single port (for example, hubs). This section assumes you are familiar with the information in “Configuring local
The end-to-end configuration process includes:
- creating a VLAN that includes all ports on network access point ports that are participating in the NSNA configuration
- configuring three IP address ranges within the VLAN on the Nortel SNAS; these define the red, yellow, and green enforcement zones
- establishing filters for the red range on the network access points that:
  - direct all DNS requests to the Nortel SNAS
  - allow HTTP, HTTPS, ICMP, and DHCP traffic to access the Nortel SNAS subnet only
- creating access control lists or filters on upstream routers for the yellow and green address ranges, to direct connection requests to appropriate network resources
- configuring the router that serves the Nortel SNAS to relay DHCP requests to the Nortel SNAS management IP address (MIP); RFC 2131 server to server unicast messages are supported
- configuring the VoIP VLAN (see “Nortel SNAS enforcement types”
- configuring Nortel SNAS groups to meet your authentication requirements (see “Configuring groups” (page 156) for more information).
The menu for the hub DHCP subnet type includes:
Table 18
Hub DHCP subnet type

type
    Displays the current DHCP subnet type and prompts you to change or reenter the type. Enter: hub.

name
    Displays the current name of the subnet and prompts you to change or reenter the name. Enter a name.

address
    Displays the current network address of the subnet and prompts you to change or reenter the address.

netmask
    Displays the current network mask of the subnet and prompts you to change or reenter the network mask.

phone
    Specify a phone signature for each type of IP phone connected to the network. Supported phone types and their signatures are:
    - Nortel i2001 — Nortel-i200
    - Nortel i2002 — Nortel-i200
    - Nortel i2004 — Nortel-i200
    - Nortel i2007 — Nortel-i200

relaygreen
    When the Nortel SNAS reassigns clients to a green enforcement zone, they can be directed to the green zone managed by the Nortel SNAS or they can be directed to an external DHCP server, generally your corporate server. To direct the clients to an external DHCP server, enter the IP address of the server here and do not configure the green zone.

vlan
    Enter a name for the VLAN.

red
    Configures the IP address range and options for the red enforcement zone. Enter the IP address range for the red enforcement zone. Enter the pVIP of the Nortel SNAS for the DNS address (option 6). It is recommended that you configure a short lease time (option 51).

yellow
    Defines the yellow enforcement zone. Enter the IP address range for the yellow enforcement zone. Enter the IP address of your corporate remediation server for the DNS address (option 6).

green
    Defines the green enforcement zone. Enter the IP address range for the green enforcement zone. Enter the IP address of your corporate DHCP server for the DNS address (option 6).

ena
    Enables the subnet.

dis
    Disables the subnet.

del
    Deletes the subnet.
Filter DHCP subnet type
The filter DHCP subnet type provides a mechanism for redirecting the client to the corporate DNS server when the network access points are NSNA network access devices and Filter only enforcement is used. This section assumes you are familiar with the information in “Configuring local
Background: When the Nortel SNAS determines that a client can be moved from the Red enforcement zone, it directs Nortel Health Agent to initiate an ipconfig release/renew to change the IP address of the client. There are a number of situations where this Nortel Health Agent action does not occur (for information, see “Configuring groups” (page 156)). In these situations, the IP address of the client remains as initially obtained from the DHCP server and the DNS server for the client continues to be the Nortel SNAS. The result is that all DNS resolution is handled by the Nortel SNAS. The filter DHCP subnet type allows you to optimize network performance by redirecting DNS services from the Nortel SNAS to the corporate DNS server.
The menu for the filter DHCP subnet type includes:
Table 19
Filter DHCP subnet type

type
    Displays the current DHCP subnet type and prompts you to change or reenter the type. Enter: filter.

name
    Displays the current name of the subnet and prompts you to change or reenter the name. Enter a name.

address
    Displays the current network address of the subnet and prompts you to change or reenter the address. Enter an address consistent with your network environment.

netmask
    Displays the current network mask of the subnet and prompts you to change or reenter the network mask. Enter a network mask consistent with your network environment.

known
    The status of the client is changed from "unknown" to "known" after authentication, and successful integrity checking when applicable. Configure stdopts to point to the network domain name server.

unknown
    The client is automatically assigned "unknown" status when the connection is initiated. This is the Red enforcement zone for the filter DHCP subnet type. No configuration is required.

ena
    Enables the subnet.

dis
    Disables the subnet.

del
    Deletes the subnet.
Standard DHCP subnet type
The standard DHCP subnet type provides DHCP services that conform to RFC 2131 for server to server unicast messages. This section assumes you are familiar with the information in “Configuring local DHCP services”
The menu for the standard DHCP subnet type includes:
Table 20
Standard DHCP subnet type

type
    Displays the current DHCP subnet type and prompts you to change or reenter the type.

name
    Displays the current name of the subnet and prompts you to change or reenter the name.

address
    Displays the current network address of the subnet and prompts you to change or reenter the address.

netmask
    Displays the current network mask of the subnet and prompts you to change or reenter the network mask.

settings
    Accesses the DHCP Settings menu (see Table 17), where the IP address ranges for the subnet are configured.

ena
    Enables the subnet.

dis
    Disables the subnet.

del
    Deletes the subnet.
Managing local DHCP leases
The following commands are provided for managing DHCP leases:
Table 21
Managing local DHCP leases

/info/dhcp/ <list> <del> <stats>
    Use list to list current DHCP leases. See below.
    Use del to delete current DHCP leases. See below.
    Use stats to display information on all leases. The tabulated display has these columns: Dom (domain); Snet (Subnet number); Type (Standard, Filter, Hub); Network (subnet address); Total (total number of leases); and the total number of leases in each zone (Red, Green, Yellow, Unknown, Known).

/info/dhcp/list/ <addr> <subnet> <all>
    Use addr together with an IP address or a MAC address to list the DHCP lease for the address.
    Use subnet together with a subnet address and mask to list DHCP leases for the subnet.
    Use all to list all DHCP leases.

/info/dhcp/del/ <addr> <subnet> <all>
    Use addr together with an IP address or a MAC address to delete the DHCP lease for the address.
    Use subnet together with a subnet address and mask to delete DHCP leases for the subnet.
    Use all to delete all DHCP leases.
Creation of the location
To create the location, use the following command:
/cfg/domain #/location
Enter the location number. Creates the location #.
Enter the name of the location.
The Location menu appears.
The Location menu includes the following options:
/cfg/domain #/location followed by:

name
    A string that specifies a unique location name.

locations <add> <del> <list>
    Manages switch IP and unit/port details.
    - add—adds switch, unit/port.
    - del—deletes switch, unit/port.
    - list—lists switch, unit/port.

del
    Removes the location from the configuration.

Creation of the locations
To create the locations, use the following command:
/cfg/domain/location/locations
The Location List menu appears.
The Location List menu includes the following options:
/cfg/domain/location/locations followed by:

add <switch Ip> <unit/port>
    Adds locations.
    - switch Ip—specify the Switch Ip.
    - unit/port—specify the Unit/Port.

del <index number>
    Removes the locations from the configuration.
    - index number—specify the index number.
    - unit/port—specify the Unit/Port.

list
    Lists all the configured locations.
Configuring Lumension PatchLink integration
Nortel SNAS is integrated with the Lumension PatchLink security patch management system, which lets you proactively enforce user and device compliance by ensuring that devices are properly patched and up to date. PatchLink server is a patch and vulnerability management solution. It works in an agent mode, where an installed agent (system service) communicates with a central PatchLink server and updates the system as and when patches are available. The PatchLink solution is integrated with Nortel SNAS to verify the compliance status of the client.
To create the PatchLink server, use the following command:
/cfg/domain/patchlink
The PatchLink Servers menu appears.
The PatchLink Servers menu includes the following options:
/cfg/domain/patchlink followed by:
    add <IP address> <username> <password>
        Adds a PatchLink server.
        IP address—specify the IP address.
        username—string that specifies a unique user login name.
        password—the password that applies to the user you specified.
    del <index number>
        Deletes the PatchLink server from the PatchLink list.
        index number—the identification number automatically assigned to the PatchLink server when you added the PatchLink server to the configuration.
    list
        Lists all PatchLink servers that have been added, with user name and password.
    ena
        Enables the PatchLink server.
    dis
        Disables the PatchLink server.
Configuration of the RADIUS server  
Overview of RADIUS server
The Nortel SNAS is integrated with a full-featured RADIUS server. The RADIUS server is used to authenticate users through the PAP or CHAP authentication methods. It also works in a more complex 802.1x environment, which supports the EAP-MD5, TLS, PEAP, and TTLS authentication methods.
RADIUS server configuration includes the RADIUS realms, clients, authentication methods, EAP authentication methods, dictionary, accounting logs, and accounting ports components.
802.1x functionality
Integration of the RADIUS server with the Nortel Health Agent's 802.1x support provides 802.1x for user authentication and health assessment in the Nortel SNAS.
Roadmap of RADIUS server configuration commands
The following roadmap lists the Command Line Interface (CLI) commands to configure Remote Authentication Dial-In User Service (RADIUS). Use this list as a quick reference.

Command: /cfg/domain/radius
Parameters:
    authentication port
    accounting port

Command: /cfg/domain/radius/clients
Parameters:
    list
    del <index number>
    add <client IP address> <shared secret>
    insert <index number> <client IP address> <shared secret>
    move <index number> <destination index number>

Command: /cfg/domain/radius/realms
Parameters:
    list
    del <index number>
    add <realm name / ip address> <authentication server id>
    insert <index number> <realm name / ip address> <authentication server id>
    move <index number> <destination index number>

Command: /cfg/domain/radius/dictionary
Parameters:
    default
    import <protocol> <host> <filename>
    export <protocol> <host> <filename> <vendor id>
    view
    del <vendor id>
    clear
    list

Command: /cfg/domain/radius/accounting
Parameters:
    view
    export <protocol> <host> <filename>
    clear

Command: /cfg/domain/radius/methods
Parameters:
    list
    del <index number>
    add <method name>
    insert <index number> <method name>
    move <index number> <destination index number>

Command: /cfg/domain/radius/eapmethods
Parameters:
    list
    del <index number>
    add <method type> <module name>
    insert <index number> <method type> <module name>
    move <index number> <destination index number>

Command: /cfg/domain/radius/cert
Parameters:
    current value
    select the certificate

Command: /cfg/domain/radius/cacert
Parameters:
    current value
    select the certificate
Configuration of the RADIUS server
To configure the RADIUS server, use the following command:
/cfg/domain/radius
The RADIUS Server menu appears.
The RADIUS Server menu includes the following options:
/cfg/domain/radius followed by:
    authentication port
        Specify the authentication port. Default value is 1812.
    accounting port
        Specify the accounting port. Default value is 1813.
Configuration of the client
To configure the client, use the following command:
/cfg/domain/radius/clients
The RADIUS Clients menu appears.
The RADIUS Clients menu includes the following options:
/cfg/domain/radius/clients followed by:
    list
        Lists the IP addresses of currently configured clients, by index number.
    del <index number>
        Removes the specified client from the current configuration. The index numbers of the remaining entries adjust accordingly.
        index number—specify the index number. To view the index numbers of all configured clients, use the list command.
    add <client IP address> <shared secret>
        Adds a client to the configuration list.
        client IP address—the IP address of the client.
        shared secret—the password used to authenticate the Nortel SNAS to the RADIUS clients.
    insert <index number> <client IP address> <shared secret>
        Inserts a client at a particular position in the list of clients in the configuration.
        index number—specify the index number.
        client IP address—specify the IP address of the client.
        shared secret—the password used to authenticate the Nortel SNAS to the clients.
    move <index number> <destination index>
        Moves a client up or down the list of clients in the configuration.
        index number—the original index number of the client you want to move.
        destination index—the index number representing the new position of the client in the list.
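As an added example that is not part of the manual, the following Python shows what the shared secret configured for a RADIUS client protects: per RFC 2865 the server stamps every reply with a Response Authenticator derived from the secret, and a client that verifies it rejects replies produced without the secret or altered in transit. The secret, packet identifier and Request Authenticator are constructed sample values.

```python
import hashlib
import hmac
import struct

# RADIUS packet codes (RFC 2865).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3

# Constructed sample values, not from the manual: the secret that would be
# configured with "/cfg/domain/radius/clients add <client IP address> <shared secret>"
# and a Request Authenticator as a client would generate (random 16 bytes in practice).
SHARED_SECRET = b"constructed-example-secret"
REQUEST_AUTHENTICATOR = bytes(range(16))


def encode_attribute(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding of one RADIUS attribute (length covers the 2-byte header)."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def response_authenticator(code: int, identifier: int, request_auth: bytes,
                           attrs: bytes, secret: bytes) -> bytes:
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_response(code: int, identifier: int, request_auth: bytes,
                   attrs: bytes, secret: bytes) -> bytes:
    """Server side: stamp a reply with a Response Authenticator derived from the secret."""
    auth = response_authenticator(code, identifier, request_auth, attrs, secret)
    return struct.pack("!BBH", code, identifier, 20 + len(attrs)) + auth + attrs


def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Client side: accept the reply only if it was produced with the same secret
    and matches the Request Authenticator of the outstanding request."""
    if len(packet) < 20:
        return False
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length > 4096:
        return False
    expected = response_authenticator(code, identifier, request_auth, packet[20:], secret)
    # Constant-time comparison so the check itself leaks nothing about the digest.
    return hmac.compare_digest(packet[4:20], expected)


def demo() -> tuple:
    """Returns (genuine reply accepted, wrong-secret reply rejected, tampered reply rejected)."""
    attrs = encode_attribute(18, b"Welcome")  # Reply-Message attribute
    reply = build_response(ACCESS_ACCEPT, 42, REQUEST_AUTHENTICATOR, attrs, SHARED_SECRET)
    forged = build_response(ACCESS_ACCEPT, 42, REQUEST_AUTHENTICATOR, attrs, b"guessed-secret")
    # A genuine Access-Reject whose code byte was changed to Access-Accept in transit:
    # the Response Authenticator no longer matches, so the client discards it.
    reject = build_response(ACCESS_REJECT, 42, REQUEST_AUTHENTICATOR, attrs, SHARED_SECRET)
    tampered = bytes([ACCESS_ACCEPT]) + reject[1:]
    return (verify_response(reply, REQUEST_AUTHENTICATOR, SHARED_SECRET),
            verify_response(forged, REQUEST_AUTHENTICATOR, SHARED_SECRET),
            verify_response(tampered, REQUEST_AUTHENTICATOR, SHARED_SECRET))
```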
Configuration of the realms
To configure the realms, use the following command:
/cfg/domain/radius/realms
The RADIUS Realms menu appears.
The RADIUS Realms menu includes the following options:
/cfg/domain/radius/realms followed by:
    list
        Lists the IP addresses of currently configured realms, by index number.
    del <index number>
        Removes the specified realm from the current configuration. The index numbers of the remaining entries adjust accordingly.
        index number—the original index number of the realm you want to remove. To view the index numbers of all configured realms, use the list command.
    add <realm name> <authentication server id>
        Adds a realm to the configuration.
        realm name—a string identifying the realm name.
        authentication server id—select the authentication server ID from the list, which is based on the authentication servers configured on the device.
    insert <index number> <realm name> <authentication server id>
        Inserts a realm at a particular position in the list of realms in the configuration.
        index number—the index number you want the realm to have.
        realm name—a string identifying the realm name.
        authentication server id—select the authentication server ID from the list, which is based on the authentication servers configured on the device.
    move <index number> <destination index number>
        Moves a realm up or down the list of realms in the configuration.
        index number—the original index number of the realm you want to move.
        destination index number—the index number representing the new position of the realm in the list.
Configuration of the dictionary
To configure the dictionary, use the following command:
/cfg/domain/radius/dictionary
The RADIUS Attribute Dictionary menu appears.
The RADIUS Attribute Dictionary menu includes the following options:
/cfg/domain/radius/dictionary followed by:
    default
        Sets the default RADIUS attribute configuration.
    import <protocol> <server> <filename>
        Imports the dictionary from a TFTP/FTP/SCP/SFTP server.
        protocol—the import protocol. Options are tftp|ftp|scp|sftp. Default value is tftp.
        server—specify the hostname or IP address of the server.
        filename—specify the name of the database file on the server.
    export <protocol> <server> <filename> <vendor id>
        Exports the dictionary to a TFTP/FTP/SCP/SFTP server.
        protocol—the export protocol. Options are tftp|ftp|scp|sftp. Default value is tftp.
        server—specify the hostname or IP address of the server.
        filename—the name of the database file on the server.
        vendor id—corresponds to the vendor-specific attribute used by the RADIUS server.
    view
        Views the vendor dictionary.
    delete <index number>
        Removes the specified vendor dictionary.
        index number—the identification number automatically assigned to the dictionary when you added the dictionary to the configuration. Specify the index number to remove.
    clear
        Clears all the vendor dictionaries.
    list
        Lists configured vendor dictionaries by index number.
Configuration of the RADIUS accounting
To configure the RADIUS accounting, use the following command:
/cfg/domain/radius/accounting
The RADIUS Accounting menu appears.
The RADIUS Accounting menu includes the following options:
/cfg/domain/radius/accounting followed by:
    view
        Shows the accounting log information for the following fields: Time, User-name, Status-Type, Terminate-cause.
    export <protocol> <hostname or IP address> <filename>
        Exports the accounting log to a TFTP/FTP/SCP/SFTP server.
        protocol—the export protocol. Options are tftp|ftp|scp|sftp.
        hostname or IP address—the hostname or IP address of the server.
        filename—specify the filename on the server.
    clear
        Clears the accounting log information.
Configuration of the RADIUS authentication methods
To configure the RADIUS authentication methods, use the following command:
/cfg/domain/radius/methods
The RADIUS Authentication Methods menu appears.
The RADIUS Authentication Methods menu includes the following options:
/cfg/domain/radius/methods followed by:
    list
        Lists the authentication methods:
        1. mac
        2. proxy
        3. acct
        4. pap
        5. chap
        6. mschapv1
        7. mschapv2
        8. eap
    del <index number>
        Removes the specified method from the current configuration. The index numbers of the remaining entries adjust accordingly.
        index number—the identification number automatically assigned to the method when you added the method to the configuration. Specify the index number to remove from the configuration.
    add <method name>
        Adds a method to the configuration.
        method name—a string that must be unique in the domain. The maximum allowable length of the string is 255 characters, but Nortel recommends a maximum of 32 characters.
    insert <index number> <method name>
        Inserts a method at a particular position in the list.
        index number—the identification number automatically assigned to the method when you added the method to the configuration. Specify the index number.
        method name—a string that must be unique. The maximum allowable length of the string is 255 characters, but Nortel recommends a maximum of 32 characters.
    move <index number> <destination index>
        Moves a method up or down the list.
        index number—the original index number of the method you want to move.
        destination index—the index number representing the new position of the method in the list.
Configuration of the EAP authentication methods
To configure the EAP authentication methods, use the following command:
/cfg/domain/radius/eapmethods
The EAP Authentication Methods menu appears.
The EAP Authentication Methods menu includes the following options:
/cfg/domain/radius/eapmethods followed by:
    list
        Lists the EAP authentication methods:
        1: 4: eap_md5
        2: 6: eap_gtc
        3: 26: eap_mschapv2
        4: 13: eap_tls
        5: 21: eap_tls
        6: 25: eap_tls
    del <index number>
        Removes the specified EAP method from the current configuration. The index numbers of the remaining entries adjust accordingly.
        index number—the identification number automatically assigned to the EAP method when you added the EAP method to the configuration.
    add <method type> <module name>
        Adds an EAP method to the configuration.
        method type—specify the method type.
        module name—a string that must be unique. The maximum allowable length of the string is 255 characters, but Nortel recommends a maximum of 32 characters. Specify the module name.
    insert <index number> <method type> <module name>
        Inserts an EAP method at a particular position in the list.
        index number—the identification number automatically assigned to the EAP method when you added the method to the configuration. Specify the index number.
        method type—specify the method type.
        module name—a string that must be unique in the domain. The maximum allowable length of the string is 255 characters, but Nortel recommends a maximum of 32 characters. Specify the module name.
    move <index number> <destination index>
        Moves an EAP method up or down the list.
        index number—the original index number of the EAP method.
        destination index—the index number representing the new position of the EAP method in the list.
Select the server certificate
To select the server certificate from the list, use the following command:
/cfg/domain/radius/cert
This includes the following options:
/cfg/domain/radius/cert followed by:
    current value
        The current server certificate number appears.
    select the certificate
        Specify the server certificate number. The value ranges from 1 to 1500. The certificate number refers to certificates stored in the certificate repository.
Select the CA certificate
To select the CA certificate from the list, use the following command:
/cfg/domain/radius/cacert
This includes the following options:
/cfg/domain/radius/cacert followed by:
    current value
        The current CA certificate number appears.
    select the CA certificate
        Specify the CA certificate number. The value ranges from 1 to 1500. The CA certificate number refers to certificates stored in the certificate repository.
Configuration of Microsoft NAP Interoperability
Roadmap of NAP configuration commands
The following roadmap lists the Command Line Interface (CLI) commands to configure Network Access Protection (NAP). Use this list as a quick reference.

Command: /cfg/domain/nap
Parameters:
    autorem
    pdp <local|remote>

Command: /cfg/domain/nap/probation
Parameters:
    ena [<true|false>]
    dis [<true|false>]
    date <date>
    time <time>

Command: /cfg/domain/nap/moreinfo
Parameters:
    troubleshooting URL

Command: /cfg/domain/nap/servers
Parameters:
    list <ip> <port> <secret>
    del
    add <server IP address> <server port> <shared secret>
    insert <position> <ip> <port> <secret>
    move <index number> <destination index number>

Command: /cfg/domain/nap/shvs
Parameters:
    list
    del
    add <vendor ID> <component ID> <module name>
    insert <position> <vendor ID> <component ID> <module name>
    move <index number> <destination index number>

Command: /cfg/domain/nap/wshv
Parameters:
    firewall on|off
    autoupdate on|off
    virus
        enabled true|false
        uptodate true|false
    spyware
        enabled true|false
        uptodate true|false
    secupdates <enabled> <severity> <lastsync> <wsus> <winupdate>
Configuration of NAP Interoperability
Microsoft Network Access Protection (NAP), introduced with Windows Vista and Windows Server, is a new set of operating system components that provides a platform for protected access to private networks. The NAP platform provides an integrated way of detecting the health state of a network client that attempts to connect to a network, and it restricts the access of that client until the policy requirements for connecting to the network are met. The NSNA NAP interoperability architecture allows you to deploy both the NSNA solution and Network Access Protection (NAP) in a symbiotic manner. It also allows you to enforce security policies for network access using NSNA and NAP together, leveraging the strengths of both products, and to deploy NAP clients with or without a Microsoft NPS server present on your network. If a Microsoft NPS server is available, it is consulted and its responses are used in a configurable way to enhance the access decision made by the Nortel SNAS. If your network does not contain a Microsoft NPS server, you can still deploy clients with NAP support enabled and add a Microsoft NPS server later if desired.
Windows 802.1x Supplicant—The Nortel Health Agent integrated with the Microsoft NAP Agent provides a robust EAP supplicant for the Windows Vista and XP operating systems.
To configure Network Access Protection (NAP), use the following command:
cfg/domain/nap
The NAP menu appears.
The NAP menu includes the following options:
cfg/domain/nap followed by:
    autorem
        Sets necessary updates to allow a noncompliant computer to become compliant.
        Values: false and true
        default: false
    probation
        Probation Settings.
    moreinfo <Troubleshooting URL>
        Sets the troubleshooting URL.
    pdp
        Selects the policy decision point.
        Values: local and remote
        default: local
    servers
        Remote Network Policy Servers.
    shvs
        System Health Validators.
    wshv
        Windows System Health Validator.
Probation Settings
To configure the probation settings, use the following command:
cfg/domain/nap/probation
The Probation Settings menu includes the following options:
cfg/domain/nap/probation followed by:
    ena
        Enables full access for a limited time.
    dis
        Disables full access for a limited time.
    date
        Sets the date (YYYY-MM-DD).
    time
        Sets the time (24-hour, HH:MM:SS).
Remote Network Policy Servers
To create the remote network policy servers, use the following command:
cfg/domain/nap/servers
The Remote Network Policy Servers menu includes the following options:
cfg/domain/nap/servers followed by:
    list
        Lists the IP addresses of currently configured remote network policy servers, by index number.
    del <index number>
        Removes the specified remote network policy server from the current configuration. The index numbers of the remaining entries adjust accordingly. To view the index numbers of all configured remote network policy servers, use the list command.
    add <IP address> <port> <shared secret>
        Adds a server to the configuration.
        IP address—specify the IP address of the server.
        port—the TCP port number.
        shared secret—specify the password.
    insert <index number> <IPaddr> <port> <shared secret>
        Inserts a server at a particular position in the list of remote network policy servers in the configuration.
        index number—the index number you want the server to have.
        IPaddr—specify the IP address of the remote network policy server you are adding.
        port—specify the TCP port number.
        shared secret—specify the password.
        The index number you specify must be in use. The index numbers of existing servers with this index number and higher are incremented by 1.
    move <index number> <new index number>
        Moves a server up or down the list of remote network policy servers in the configuration.
        index number—the original index number of the server you want to move.
        new index number—the index number representing the new position of the server in the list.
        The index numbers of the remaining entries adjust accordingly.
System Health Validators
To create the system health validators, use the following command:
cfg/domain/nap/shvs
The System Health Validators menu includes the following options:
cfg/domain/nap/shvs followed by:
    list <vendor ID> <component ID> <module name>
        Lists the vendor ID, component ID and module name.
    del <index number>
        Removes the specified system health validator from the current configuration. The index numbers of the remaining entries adjust accordingly. To view the index numbers of all configured system health validators, use the list command.
    add <vendor ID> <component ID> <module name>
        Adds a system health validator to the configuration.
        vendor ID—specify the vendor ID.
        component ID—specify the component ID.
        module name—specify the module name.
    insert <index number> <vendor ID> <component ID> <module name>
        Inserts a system health validator at a particular position in the configuration.
        index number—the index number you want the system health validator to have.
        vendor ID—specify the vendor ID you are adding.
        component ID—specify the component ID.
        module name—specify the module name.
        The index number you specify must be in use. The index numbers of existing system health validators with this index number and higher are incremented by 1.
    move <index number> <new index number>
        Moves a system health validator up or down the list of System Health Validators in the configuration.
        index number—the original index number of the system health validator you want to move.
        new index number—the index number representing the new position of the system health validator in the list.
        The index numbers of the remaining entries adjust accordingly.
Configuration of Windows System Health Validator  
To create the windows system health validator, use the following  
command:  
cfg/domain/nap/wshv  
The Windows System Health Validators menu includes the following  
options:  
cfg/domain/nap/wshv  
followed by:  
firewall  
Enables or disables the firewall application.  
Values: on and off  
default: on  
Nortel Secure Network Access Switch  
Using the Command Line Interface  
NN47230-100 03.01 Standard  
28 July 2008  
Copyright © 2007, 2008 Nortel Networks  
Download from Www.Somanuals.com. All Manuals Search And Download.  
.
 
Configuration of NAP Interoperability 145  
cfg/domain/nap/wshv  
followed by:  
virus <antivirus> Virus Protection.  
<uptodate>  
antivirus—Enables or disables the antivirus.  
Values: true and false  
default: false  
uptodate—Specifies whether the antivirus is up to  
date or not.  
Values: true and false  
default: true.  
spyware <antispy> Spyware Protection.  
<uptodate>  
antispy —Enables or disables the antispyware.  
Values: true and false  
default: false  
uptodate—Specifies whether the antispyware is  
up to date or not.  
Values: true and false  
default: true  
secupdates<enab  
led> <severity>  
<lastsync> <wsus>  
<winupdate>  
Security Updates Protection.  
enabled—enables or disables the Windows  
System Health Verifier (WSHV) to validate the  
Windows endpoint’s current software security patch  
levels. Microsoft Windows security update patches  
are Windows update patches that fix specific  
software security vulnerabilities.  
Values: true and false  
default: false  
severity—security Updates Severity instructs the  
Windows System Health Verifier (WSHV) to validate  
the minimum level of all Windows security update  
patches on the Windows endpoint. For instance,  
if the Security Updates Severity is set to "critical"  
the Windows endpoint must have all Microsoft  
Windows security update patches designated by the  
Microsoft Research Center as "critical" installed for  
the endpoint to be considered policy complaint.  
Values: critical, important, moderate, low, and all  
If the Security Updates Severity is set to "important"  
the Windows endpoint must have security update  
patches designated as "important" or higher  
installed to be considered policy complaint (so  
all updates designated as either "important" or  
"critical").  
Nortel Secure Network Access Switch  
Using the Command Line Interface  
NN47230-100 03.01 Standard  
28 July 2008  
Copyright © 2007, 2008 Nortel Networks  
Download from Www.Somanuals.com. All Manuals Search And Download.  
.
146 Configuration of Microsoft NAP Interoperability  
cfg/domain/nap/wshv  
followed by:  
This setting is only applicable when Security  
Updates Protection is "true." default: important  
lastsync—designates the duration of time  
allowed to pass since the Windows endpoint was  
last updated its own copy of its Windows security  
update list from its security update source (Windows  
Update or Windows Server Update Service). Only if  
the Windows endpoint has synchronized its security  
update information from its update source within this  
time is the endpoint considered policy compliant.  
This setting is only applicable when Security  
Updates Protection is "true."  
default: 86400 seconds (1 day)  
wsus—designates whether Windows Server  
Update Service (WSUS) is an acceptable source  
for endpoints to obtain their Windows security  
update information. When the endpoint reports its  
security update status, it will do so with respect to  
the security updates it knows about (local copy) and  
the source where it obtained its security updates.  
Values: true and false  
If set to "true" the WSHV considers WSUS as an  
acceptable source for the endpoint and accepts the  
endpoint’s security update status.  
This setting is only applicable when Security  
Updates Protection is "true."  
default: false  
winupdate—designates whether Microsoft’s  
Windows Update is an acceptable source for  
endpoints to obtain their Windows security update  
information. When the endpoint reports its security  
update status, it will do so with respect to the  
security updates it knows about (local copy) and the  
source where it obtained its security updates.  
Values: true and false  
If set to "true" the WSHV considers Windows  
Update as an acceptable source for the endpoint  
and accepts the endpoint’s security update status.  
This setting is only applicable when Security  
Updates Protection is "true."  
Configuration of NAP Interoperability 147  
default: false
autoupdate  
Enables or disables the automatic updates. Values: on  
and off  
default: on  
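The lastsync, wsus and winupdate settings above only make sense together: the endpoint's reported update status is accepted only if it came from a source the policy accepts and was synchronized recently enough. The following is an added example, not Nortel code; the names WshvPolicy, EndpointReport and security_updates_compliant are hypothetical, the defaults are the documented ones, and the endpoint report values are constructed.

```python
"""Security Updates Protection check for one endpoint report.

Added example, not Nortel code: WshvPolicy, EndpointReport and
security_updates_compliant are hypothetical names. The rules follow the
wshv settings in the table (the Security Updates Protection switch,
lastsync, wsus and winupdate); report values are constructed.
"""
from dataclasses import dataclass


@dataclass
class WshvPolicy:
    """WSHV settings; the defaults are the documented defaults."""
    secupdates: bool = True   # Security Updates Protection
    lastsync: int = 86400     # max seconds since the endpoint synced its update list (1 day)
    wsus: bool = False        # WSUS accepted as the endpoint's update source
    winupdate: bool = False   # Windows Update accepted as the endpoint's update source


@dataclass
class EndpointReport:
    """Constructed stand-in for what the endpoint reports about its local update list."""
    seconds_since_sync: int   # time since the endpoint last synchronized
    source: str               # "wsus" or "winupdate"


def security_updates_compliant(policy: WshvPolicy, report: EndpointReport):
    """Return (compliant, reason) for the security-updates part of the policy."""
    if not policy.secupdates:
        # lastsync/wsus/winupdate apply only when protection is "true";
        # assumption: with it off, this check imposes no requirement
        return True, "security updates protection disabled"
    accepted = {"wsus": policy.wsus, "winupdate": policy.winupdate}
    if not accepted.get(report.source, False):
        # status obtained from a source the policy does not accept is not trusted
        return False, f"update source {report.source!r} not accepted"
    if report.seconds_since_sync > policy.lastsync:
        return False, (f"last sync {report.seconds_since_sync}s ago exceeds "
                       f"lastsync {policy.lastsync}s")
    return True, "synchronized from an accepted source within lastsync"


if __name__ == "__main__":
    policy = WshvPolicy(wsus=True)   # accept WSUS, keep the other defaults
    for rep in (EndpointReport(3600, "wsus"),
                EndpointReport(3 * 86400, "wsus"),
                EndpointReport(3600, "winupdate")):
        print(rep, security_updates_compliant(policy, rep))
```

Note that with both wsus and winupdate left at their documented default of false, no endpoint can satisfy the check while protection is on; at least one source has to be accepted.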
Configuring groups and profiles  
This chapter includes the following topics:  
Overview  
This section includes the following topics:  
For more information about groups and extended profiles in the  
Nortel SNAS, see Nortel Secure Network Access Solution Guide,  
(NN47230-200).  
150 Configuring groups and profiles  
Groups  
The Nortel SNAS determines which VLANs users are authorized to  
access, based on group membership.  
When a user logs on to the Nortel SNAS domain, the authentication  
method returns the group name associated with the user’s credentials.  
The Nortel SNAS then maps the user to groups defined on the Nortel  
SNAS. You can define up to 1023 groups in the Nortel SNAS domain.  
Each group’s data include the following configurable parameters:  
linksets  
Nortel Health Agent SRS rule  
extended profiles  
After the user has been authenticated, the Nortel SNAS checks the  
groups defined for the domain to match the group name returned from the  
authentication database. For the duration of the user’s login session, the  
Nortel SNAS maintains a record of the group matched to the user.  
When the Nortel SNAS has identified the matching group, it applies group  
data to the user as follows:  
linksets—All linksets configured for the group of which the user is a  
member display on the user’s portal page (see “Linksets” (page 151)).  
Nortel Health Agent SRS rule—The Nortel Health Agent host integrity  
check uses the criteria specified in the SRS rule assigned to the group.  
extended profiles—The Nortel SNAS checks the group to identify if  
there is an applicable extended profile (see “Extended profiles” (page  
151)).  
For information about configuring a group, see “Configuring groups” (page  
156).  
Default group  
You can configure a group to be the default group, with limited access  
rights. If the group name returned from the authentication database does  
not match any group defined on the Nortel SNAS, the Nortel SNAS will  
map the user to the default group.  
To create a default group, see “Creating a default group” (page 169).  
Overview 151  
Linksets  
A linkset is a set of links that display on the portal page, so that the user
can easily access internal or external web sites, servers, or applications.
After the user has been authenticated, the user’s portal page displays all the
linksets associated with the group to which the user belongs. The user’s
portal page also displays all the linksets associated with the user’s extended profile.
When mapping linksets to groups or extended profiles, make sure that the  
access rules specified for the profile do not contradict the links defined for  
the linkset.  
For information about creating and configuring the linksets, see  
For information about mapping the linksets to groups, see “Mapping  
SRS rule  
The SRS rule specified for the group is the set of operating system and  
other software criteria that constitute the host integrity check performed by  
the Nortel Health Agent applet. The SRS rule can be a composite of other  
rules, but there is only one SRS rule for the group. Each group can have  
a different SRS rule.  
You cannot configure SRS rules using the CLI.  
If you ran the quick setup wizard during the initial setup, you specified the  
action to result if the SRS rule check fails. You can rerun the wizard at  
any time by using the /cfg/domain #/aaa/nha/quick command. If
you want to change the SRS rule check result, use the /cfg/domain
#/aaa/nha/action command (see “Configuring the Nortel Health Agent
Extended profiles  
Passing or failing the SRS rule check is the only authorization control  
provided at the group level. This is the base profile. In future releases of  
the Nortel SNAS software, extended profiles will provide a mechanism  
to achieve more granular authorization control, based on specific  
characteristics of the user’s connection. You can define up to 63 extended  
profiles for each group.  
In Nortel Secure Network Access Switch Software Release 1.6.1, the data  
for an extended profile include the following configurable parameters:  
linksets  
the VLAN which the user is authorized to access  
152 Configuring groups and profiles  
Each extended profile references a client filter in a one-to-one relationship.  
With Nortel Secure Network Access Switch Software Release 1.6.1, you  
can configure the Nortel Health Agent check result as the criterion for the  
client filters, in order to establish the user’s security status.  
The client filter referenced in the extended profile determines whether  
the extended profile data will be applied to the user. After the user has  
been authenticated and the Nortel Health Agent host integrity check has  
been conducted, the Nortel SNAS checks the group’s extended profiles  
in sequence, in order of the profile IDs, for a match between the client  
filter conditions and the user’s security status. When it finds a match, the  
Nortel SNAS applies that particular extended profile’s data to the user.  
Data defined for the base profile (for example, linksets) are appended to  
the extended profile’s data. If the Nortel SNAS finds no match in any of the  
extended profiles, it applies the base profile data.  
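The selection logic described in this section and in “Groups” above (match the group name returned by authentication, fall back to the default group, then walk the group’s extended profiles in profile-ID order) can be written out as a small policy evaluator. This is an added example, not Nortel code: ClientFilter, ExtendedProfile, Group, Decision, match_group, apply_profiles, resolve_access and build_sample_domain are hypothetical names, and the sample group, VLAN names and the default group "guest" are constructed.

```python
"""Group mapping and extended-profile selection.

Added example, not Nortel code: all class and function names are
hypothetical and the sample domain is constructed. The order of
evaluation follows the text: match the group name returned by
authentication (else the default group), then check that group's
extended profiles in order of profile ID and apply the first whose
client filter matches the Nortel Health Agent result; base profile
data (linksets) is appended; with no match only the base profile applies.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class ClientFilter:
    name: str
    nha: str = "ignore"   # "true" | "false" | "ignore" (the documented default)

    def triggers(self, nha_passed: bool) -> bool:
        """Literal reading of the nha setting: "ignore" never triggers the filter."""
        if self.nha == "ignore":
            return False
        return self.nha == ("true" if nha_passed else "false")


@dataclass
class ExtendedProfile:
    profile_id: int
    filter: ClientFilter
    vlan: str
    linksets: List[str] = field(default_factory=list)


@dataclass
class Group:
    group_id: int
    name: str
    linksets: List[str] = field(default_factory=list)   # base profile linksets
    profiles: List[ExtendedProfile] = field(default_factory=list)


@dataclass
class Decision:
    group: str
    profile_id: Optional[int]   # None when only the base profile applies
    vlan: Optional[str]
    linksets: List[str]


def match_group(auth_group_name: str, groups: List[Group],
                default_group: Optional[Group]) -> Optional[Group]:
    """Map the name returned by authentication to a configured group, else the default group."""
    for g in groups:
        if g.name == auth_group_name:
            return g
    return default_group


def apply_profiles(group: Group, nha_passed: bool) -> Decision:
    """Apply the first matching extended profile, checked in order of profile ID."""
    for p in sorted(group.profiles, key=lambda p: p.profile_id):
        if p.filter.triggers(nha_passed):
            # extended profile data first, base profile data appended
            return Decision(group.name, p.profile_id, p.vlan, p.linksets + group.linksets)
    return Decision(group.name, None, None, list(group.linksets))


def resolve_access(auth_group_name: str, groups: List[Group],
                   default_group: Optional[Group], nha_passed: bool) -> Optional[Decision]:
    """None: no group matched and no default group exists (assumption: no access)."""
    g = match_group(auth_group_name, groups, default_group)
    return None if g is None else apply_profiles(g, nha_passed)


def build_sample_domain():
    """Constructed domain shaped like the quick setup wizard output."""
    nha_passed = ClientFilter("nha_passed", "true")   # filter ID 1
    nha_failed = ClientFilter("nha_failed", "false")  # filter ID 2
    nhauser = Group(1, "nhauser", linksets=["base_links"], profiles=[
        ExtendedProfile(1, nha_failed, "red_vlan", ["remediation"]),
        ExtendedProfile(2, nha_passed, "green_vlan", ["intranet"]),
    ])
    # constructed default group whose only filter is "ignore", so its base profile applies
    guest = Group(2, "guest", linksets=["guest_links"], profiles=[
        ExtendedProfile(1, ClientFilter("any", "ignore"), "guest_vlan"),
    ])
    return [nhauser, guest], guest


if __name__ == "__main__":
    groups, default = build_sample_domain()
    for name, ok in (("nhauser", True), ("nhauser", False), ("unknown", True)):
        print(name, ok, resolve_access(name, groups, default, ok))
```

Because profiles are checked in ID order and the first match wins, the ID you give a profile is part of the policy: a permissive profile with a low ID and a filter that triggers on the same result as a restrictive one will shadow it.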
For information about configuring client filters, see “Configuring client  
For information about configuring extended profiles, see “Configuring  
Before you begin  
Before you configure groups, client filters, and extended profiles on the  
Nortel SNAS, complete the following tasks:  
Step 1: Create the linksets, if desired (see “Linksets and links” (page 234)).
Step 2: Create the SRS rules (see Nortel Secure Network Access Switch 4050 User Guide for the SREM (NN47230-101)), and for BBI (see Nortel Secure Network Access Switch Configuration — Using the BBI (NN47230-500)).
Step 3: If authentication services have already been configured, ascertain the group names used by the authentication services. Group names defined on the Nortel SNAS must correspond to group names used by the authentication services. Table 22 (page 153) summarizes the requirements for the various authentication methods.
--End--
Configuring groups and extended profiles 153  
Table 22
Group names in the Nortel SNAS and authentication services
Authentication method: RADIUS
Group name on the Nortel SNAS must correspond to: A group name defined in the vendor-specific attribute used by the RADIUS server. Contact your RADIUS system administrator for information.
Authentication method: LDAP
Group name on the Nortel SNAS must correspond to: A group name defined in the LDAP group attribute used by the LDAP server. Contact your LDAP system administrator for information.
Authentication method: Local database
Group name on the Nortel SNAS must correspond to: A group name used in the database. The group name is for internal use to control access to intranet resources according to the associated access rules. When you add a user to the local database, you map the user to one or more of the defined user groups.
Configuring groups and extended profiles  
The basic steps to configure groups and extended profiles on the Nortel  
SNAS using the CLI are:  
Step 1: Configure the group (see “Configuring groups” (page 156)).
Step 2: Configure the client filters that will be referenced in the extended profiles (see “Configuring client filters” (page 162)). The client filters can be referenced by all extended profiles in the domain.
Step 3: Configure the extended profiles for the group (see “Configuring
Step 4: Map the linksets to the group and extended profiles (see
Step 5: Create a default group, if desired (see “Creating a default group”
--End--
Roadmap of group and profile commands  
The following roadmap lists all the CLI commands to configure groups,  
client filters, extended profiles, and linkset mappings. Use this list as a  
quick reference or click on any entry for more information:  
154 Configuring groups and profiles  
Table 23
Roadmap of CLI commands
Command, followed by parameters:
/cfg/domain #/aaa/group <group ID>
    name <name>
    restrict
    srs <SRS rule name>
    agentmode <runonce | continuous | never>
    mactrust <bypass | none>
    enftype <filter_only | vlan_filter>
    macreg <true | false>
    reguser <true | false>
    admrights <user> <passwd> <action> <reset>
    comment <comment>
    del
/cfg/domain #/aaa/filter <filter ID>
    name <name>
    srs <true | false | ignore>
    comment <comment>
    del
/cfg/domain #/aaa/group <group ID | group name>/extend [<profile ID>]
    filter <name>
    vlan <name>
    linkset
    del
/cfg/domain #/aaa/group #/linkset
    list
    del <index number>
    add <linkset name>
    insert <index number> <linkset name>
    move <index number> <new index number>
/cfg/domain #/aaa/group #/extend #/linkset
    list
    del <index number>
    add <linkset name>
Configuring groups and extended profiles 155  
Table 23
Roadmap of CLI commands (cont’d.)
    insert <index number> <linkset name>
    move <index number> <new index number>
cfg/domain #/aaa/group #/sessionttl
    Usage: sessionttl <ttl>
cfg/domain #/aaa/group #/locations
/cfg/domain #/aaa/group #/radattr/
    list    Usage: list <vendor> <id> <value>
    del     Usage: del <index>
    add     Usage: add <vendor> <id> <value>
    insert  Usage: insert <position> <vendor> <id> <value>
    move    Usage: move <value> <value>
cfg/domain #/aaa/group #/cachepass
    Usage: cachepass <true|false>
cfg/domain #/aaa/group #/syscredent
/cfg/domain #/aaa/defgroup <group name>
156 Configuring groups and profiles  
Configuring groups  
To create and configure a group, use the following command:  
/cfg/domain #/aaa/group <group ID>
where  
group ID is an integer in the range 1 to 1023 that  
uniquely identifies the group in the Nortel  
SNAS domain.  
When you first create the group, you must enter the group ID. After you  
have created the group, you can use either the ID or the name to access  
the group for configuration.  
When you first create the group, you are prompted to enter the following  
parameters:  
group name—a string that uniquely identifies the group on the Nortel  
SNAS. The maximum length of the string is 255 characters. After  
you have defined a name for the group, you can use either the group  
name or the group ID to access the Group menu. The group name  
must match a group name used by the authentication services. For  
number of sessions—the maximum number of simultaneous portal or  
Nortel SNAS sessions allowed for each member of the group. The  
default is 0 (unlimited). You can later modify the number of sessions by  
using the restrict command on the Group menu.  
ATTENTION  
MAC OSX and Linux OS are supported through filter only mechanism; no VLAN  
change is possible.  
ATTENTION  
MAC OSX users must log in again after sleep mode is activated.  
The Group menu appears.  
ATTENTION  
If you ran the quick setup wizard during initial setup, a group called nhauser  
is created with group ID = 1.  
The Group menu includes the following options:  
Configuring groups and extended profiles 157  
Table 24  
Configuring groups  
/cfg/domain #/aaa/group #
followed by:  
name <name>  
Names or renames the group. After you have  
defined a name for the group, you can use either  
the group name or the group ID to access the  
Group menu.  
name is a string that must be unique in the  
domain. The maximum length of the string is  
255 characters.  
The group name must match a group name  
used by the authentication services. For more  
153).  
restrict  
Sets the maximum number of simultaneous  
portal or Nortel SNAS sessions allowed for each  
member of the group.  
For example, if the value is set to 2, then a user  
can use two computers at the same time and have  
two simultaneous sessions running. The default  
is 0 (unlimited).  
linkset
Accesses the Linksets menu, in order to map
preconfigured linksets to the group (see “Mapping
For information about creating and configuring the
extend <profile ID>  
Accesses the Extended Profiles menu, in order  
to configure extended profiles for the group (see  
To view existing profiles, press TAB following the  
extend command.  
158 Configuring groups and profiles  
Table 24  
Configuring groups (cont’d.)  
/cfg/domain #/aaa/group #
followed by:  
srs <SRS rule name>  
Specifies the preconfigured Nortel Health Agent  
SRS rule to apply to the group.  
For information about configuring the SRS rules  
using the SREM, see Nortel Secure Network
Access Switch 4050 User Guide for the SREM
(NN47230-101). You cannot configure SRS rules
in the CLI.
mactrust  
<bypass | none>  
Sets the authentication and integrity checking  
requirements.  
Select bypass to apply MAC authentication.  
If the client passes MAC authentication, then  
portal authentication and Nortel Health Agent  
integrity checking are bypassed; the client is given  
access to the network. Since Nortel Health Agent  
does not run, the system automatically applies  
Filter_only enforcement (see enftype below).  
If a user belongs to several groups, bypass occurs  
only when all groups are configured for bypass.  
If bypass authentication fails, the system invokes  
portal authentication and Nortel Health Agent  
integrity checking.  
The bypass option requires that the MAC address  
of the end point is registered in the local (Nortel  
SNAS) MAC database. For information about  
managing a local MAC database, see “Managing  
Select none to provide portal authentication and  
integrity checking only.  
Configuring groups and extended profiles 159  
Table 24  
Configuring groups (cont’d.)  
/cfg/domain #/aaa/group #
followed by:
agentmode <continuous | runonce | never>
Establishes Nortel Health Agent monitoring mode.
Select continuous for cyclic monitoring of the  
end point by Nortel Health Agent. The user must  
keep the initial browser window open for the  
duration of the session.  
Select runonce for one cycle of checking only.  
The user can close the browser after Nortel Health  
Agent has run and the end point has been moved  
to the Green zone.  
runonce is applied automatically when the  
end point operating system is MacOS or Linux.  
The Nortel Health Agent integrity check is not  
performed on non-Windows operating systems.  
Nortel Health Agent does not run when never  
is selected and network access is determined by  
authentication only. The system proceeds as if the  
device passed the Nortel Health Agent integrity  
check.  
Filter_only enforcement is applied automatically  
for non-Windows operating systems and when  
never is selected (see enftype below).  
macreg  
<true | false>  
Provides access to the local MAC database from  
the client PC.  
true allows group members to add or modify  
entries; false denies access.  
For information about managing a local MAC  
160 Configuring groups and profiles  
Table 24  
Configuring groups (cont’d.)  
/cfg/domain #/aaa/group #
followed by:
enftype <filter-only | vlan-filter>
Establishes the enforcement type for NSNA
network access devices; that is, devices that
support SSCP.
filter-only indicates that Red, Yellow, and  
Green enforcement zones are specified by filters  
within the Red VLAN. vlan-filter indicates  
that enforcement zones are specified by filters  
applied to unique Red, Yellow, and Green VLANs.  
For information on enforcement types, see “Nortel  
admrights <user> <passwd> <action> <reset>
Sets a username and password for raising the
privilege of the Nortel Health Agent applet to
administrator; applies to Windows operating
systems only.
When the vlan-filter enforcement type  
applies, Nortel Health Agent requires administrator  
privileges to the PC in order to change the IP  
address of the PC. If the privileges Nortel Health  
Agent inherits from the username/password of the  
user do not provide administrator privileges, you  
can use admrights to raise the Nortel Health  
Agent privileges.  
Enter an administrator username and password  
for user and password, respectively; for  
example, the network administrator username and  
password.  
The user field accepts usernames with the format  
domain\username.  
When the administrator username and password  
setting are not configured the following actions  
can be selected:  
no_access denies access to the network; this  
is the default  
filter_only selects filter_only enforcement  
(see enftype above).  
Configuring groups and extended profiles 161  
Table 24  
Configuring groups (cont’d.)  
/cfg/domain #/aaa/group #
followed by:  
User access to the network is denied when the  
administrative rights parameter is active and the  
username/password configuration is invalid.  
Use reset to remove the admrights username  
and password; that is, as if they had never been  
configured.  
comment <comment>
Sets a comment for the group.
del  
Removes the group from the Nortel SNAS  
domain. When you delete the group, you also  
delete all extended profiles associated with that  
group ID.  
Figure 5 shows a sample output for the /cfg/domain #/aaa/group <group ID>
command and commands on the Group menu.
Figure 5  
Group menu commands  
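The mactrust, agentmode, enftype and admrights options in Table 24 interact, and the table states several rules for how (bypass only when every group the user belongs to is set to bypass and the MAC is registered; runonce and filter-only enforcement applied automatically on non-Windows endpoints; no integrity check when agentmode is never; the admrights fallback when vlan-filter needs administrator rights the user lacks). The following is an added example, not Nortel code, that encodes those rules so their combined effect can be checked before a group is configured. GroupAccessSettings, Endpoint, Outcome and decide_access are hypothetical names and the endpoint values are constructed; it assumes that when a user belongs to several groups, settings other than mactrust are taken from the first (matched) group, which the table does not specify.

```python
"""Combined effect of mactrust, agentmode, enftype and admrights (Table 24).

Added example, not Nortel code: the names are hypothetical and the
endpoint values are constructed. Assumption: with several groups, only
mactrust is evaluated across all of them; the other settings come from
the first (matched) group.
"""
from dataclasses import dataclass
from typing import List


@dataclass
class GroupAccessSettings:
    name: str
    mactrust: str = "none"               # "bypass" | "none"
    agentmode: str = "continuous"        # "continuous" | "runonce" | "never"
    enftype: str = "filter_only"         # "filter_only" | "vlan_filter"
    admrights_configured: bool = False   # admrights user/passwd set
    admrights_valid: bool = True         # the configured credentials work
    admrights_action: str = "no_access"  # when admrights is not configured: "no_access" (default) | "filter_only"


@dataclass
class Endpoint:
    os: str               # "windows" | "macos" | "linux"
    mac_registered: bool  # present in the local (Nortel SNAS) MAC database
    user_is_admin: bool   # privileges Nortel Health Agent inherits from the logged-on user


@dataclass
class Outcome:
    portal_auth: bool     # portal authentication required
    nha_runs: bool        # Nortel Health Agent integrity check performed
    agentmode: str        # effective monitoring mode
    enforcement: str      # "filter_only" | "vlan_filter" | "no_access"


def decide_access(groups: List[GroupAccessSettings], ep: Endpoint) -> Outcome:
    if not groups:
        raise ValueError("user must belong to at least one group")
    # bypass needs every group configured for bypass and a registered MAC;
    # NHA does not run, so filter_only enforcement is applied automatically
    if all(g.mactrust == "bypass" for g in groups) and ep.mac_registered:
        return Outcome(False, False, "bypass", "filter_only")
    g = groups[0]
    if ep.os != "windows":
        # runonce is applied automatically and the integrity check is not performed
        return Outcome(True, False, "runonce", "filter_only")
    if g.agentmode == "never":
        # system proceeds as if the check passed; access decided by authentication only
        return Outcome(True, False, "never", "filter_only")
    enforcement = g.enftype
    if g.admrights_configured and not g.admrights_valid:
        # admrights active with an invalid username/password denies access
        enforcement = "no_access"
    elif enforcement == "vlan_filter" and not ep.user_is_admin and not g.admrights_configured:
        # vlan_filter needs administrator rights to change the PC's IP address;
        # without admrights the configured action decides
        enforcement = g.admrights_action
    return Outcome(True, True, g.agentmode, enforcement)


if __name__ == "__main__":
    win_user = Endpoint("windows", mac_registered=True, user_is_admin=False)
    print(decide_access([GroupAccessSettings("staff", enftype="vlan_filter")], win_user))
    print(decide_access([GroupAccessSettings("printers", mactrust="bypass")], win_user))
```

The vlan_filter case is the one to check most carefully: with the default admrights action, a non-administrator Windows user in a vlan_filter group and no admrights credentials gets no network access at all, not a reduced one.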
162 Configuring groups and profiles  
Table 25
Configuring group 1
cfg/domain #/aaa/group 1/cachepass
followed by:
cachepass <true|false>
Table 26
Configuring group 1
cfg/domain #/aaa/group 1/syscredent/
followed by:
user
Set the system username.
passwd
Set the system password.
prevuser
Set the system’s previous username.
prevpasswd
System’s previous password.
actdate
New password effective date.
earplush
exprprev
updclients
reset
ena
dis
Configuring client filters  
To create and configure a client filter, use the following command:  
/cfg/domain #/aaa/filter <filter ID>
where  
filter ID is an integer in the range 1 to 63 that  
uniquely identifies the filter in the Nortel  
SNAS domain.  
When you first create the filter, you must enter the filter ID. After you have  
created the filter, you can use either the ID or the name to access the filter  
for configuration.  
When you first create the filter, you are prompted to enter the client filter  
name.  
The Client Filter menu appears.  
Configuring groups and extended profiles 163  
ATTENTION  
If you ran the quick setup wizard during initial setup, two client filters have been  
created: nha_passed (filter ID = 1) and nha_failed (filter ID = 2).  
The Client Filter menu includes the following options:  
Table 27  
Configuring client filters  
/cfg/domain #/aaa/filter <filter ID>
followed by:  
name <name>  
Names or renames the filter. After you have  
defined a name for the filter, you can use either  
the filter name or the filter ID to access the Client  
Filter menu.  
name is a string that must be unique in the  
domain. The maximum length of the string is  
255 characters.  
You reference the client filter name when  
configuring the extended profile.  
nha <true | false | ignore>
Specifies whether passing or failing the Nortel
Health Agent host integrity check triggers the filter.
true—the client filter triggers when the Nortel  
Health Agent check succeeds.  
false—the client filter triggers when the Nortel  
Health Agent check fails.  
ignore—passing or failing the Nortel Health  
Agent check will not trigger the client filter.  
The default is ignore.  
For example, in order to grant limited access rights  
to users who fail the Nortel Health Agent check, set  
the nha value to false, create an extended profile  
that references this client filter, and then map the  
extended profile to a restrictive VLAN.  
For information about configuring the Nortel Health  
comment <comment>
Creates a comment about the client filter.
del  
Removes the client filter from the current  
configuration.  
164 Configuring groups and profiles  
Figure 6 shows a sample output for the /cfg/domain #/aaa/filter <filter ID> command and
commands on the Client Filter menu.
Figure 6  
Client Filter menu commands  
Configuring extended profiles  
To create and configure an extended profile, use the following command:  
/cfg/domain #/aaa/group <group ID | group name>/extend [<profile ID>]
where  
profile ID is an integer in the range 1 to 63 that  
uniquely identifies the profile in the group.  
If you do not enter the profile ID as part of the  
command, you are prompted to do so.  
When you first create the extended profile, you must enter the profile ID.  
After you have created the extended profile, you can use either the profile  
ID or the name of the associated client filter to access the extended profile  
for configuration.  
When you first create the profile, you are prompted to enter the following  
parameters:  
client filter name—the name of the predefined client filter that  
determines whether the Nortel SNAS will apply this extended profile to  
the user. To view available filters, press TAB at the prompt. You can  
later change the filter referenced by the profile by using the filter  
command on the Extended Profile menu.  
VLAN—the name of the VLAN to which the Nortel SNAS will assign  
users with this profile. You can later change the VLAN assignment  
for the profile by using the vlan command on the Extended Profile  
menu.  
Configuring groups and extended profiles 165  
The Extended Profile menu appears.  
ATTENTION  
If you ran the quick setup wizard during initial setup, two extended profiles have  
been created: profile ID 1 associated with client filter nha_failed, and profile  
ID 2 associated with client filter nha_passed.  
The Extended Profile menu includes the following options:  
Table 28  
Configuring profiles  
/cfg/domain #/aaa/group #/extend #
followed by:  
filter <name>  
Specifies the predefined client filter that determines  
whether the Nortel SNAS will apply this extended  
profile to the user. If the user’s Nortel Health Agent  
check result matches the filter’s criteria, the Nortel  
SNAS will apply the extended profile. To view  
available filters, press TAB following the filter  
command.  
name is a string that must be unique in the  
domain.  
For information about configuring client filters, see  
vlan <name>
Specifies the VLAN to which the Nortel SNAS will
assign users with this profile.
name is a string that must be unique in the
domain.
linkset
Accesses the Linksets menu, in order to map
preconfigured linksets to the profile (see “Mapping
For information about creating and configuring the
del  
Removes the extended profile from the group.  
Figure 7 shows a sample output for the /cfg/domain #/aaa/group <group ID>/extend
command and commands on the Extended Profile menu.
166 Configuring groups and profiles  
Figure 7  
Extended Profile menu commands  
Creating RADIUS attributes for a group
To create a RADIUS attribute for a group, access the Group RADIUS
Attributes menu from the Group menu. Use the following command:
/cfg/domain #/aaa/group #/radattr
The Group RADIUS Attributes menu appears.  
The Group RADIUS Attributes menu includes the following options:  
Table 29  
Configure RADIUS Attributes  
/cfg/domain #/aaa/group #/radattr
followed by:
list <vendor> <id> <value>
Lists the currently configured RADIUS attributes by
index number.
del <index>
Removes the RADIUS attribute entry represented
by the specified index number. The index numbers
of the remaining entries adjust accordingly.
add <vendor> <id> <value>
Adds a RADIUS attribute to the group. You can
add as many RADIUS attributes as you want.
Configuring groups and extended profiles 167  
Table 29  
Configure RADIUS Attributes (cont’d.)  
/cfg/domain #/aaa/group #/radattr
followed by:
insert <position> <vendor> <id> <value>
Inserts a RADIUS attribute at a particular position
in the list.
move <value> <value>
Moves a RADIUS attribute entry up or down the
list. The index numbers of the remaining entries
adjust accordingly.
Figure 8 shows a sample output for the
/cfg/domain #/aaa/group <group ID>/radattr command and
commands on the Group RADIUS Attributes menu.
Figure 8  
Group RADIUS Attribute menu commands  
Mapping linksets to a group or profile  
You can tailor the portal page for different users by mapping preconfigured  
linksets to groups and extended profiles.  
For more information about linksets, see “Linksets and links” (page 234).  
168 Configuring groups and profiles  
To map a linkset to a group, access the Linksets menu from the Group  
menu. Use the following command:  
/cfg/domain #/aaa/group #/linkset
To map a linkset to an extended profile, access the Linksets menu from  
the Extended Profile menu. Use the following command:  
/cfg/domain #/aaa/group #/extend #/linkset
The Linksets menu appears.  
The Linksets menu includes the following options:  
Table 30  
Mapping linksets  
/cfg/domain #/aaa/group #[/extend #]/linkset
followed by:
list
Lists the currently configured linksets by index
number.
del <index number>
Removes the linkset entry represented by the
specified index number. The index numbers of the
remaining entries adjust accordingly.
add <linkset name>
Adds a linkset to the group or extended profile.
The linkset displays on the portal page after the user
has been authenticated. You can add as many linksets
as you want.
The Nortel SNAS assigns an index number to the
linkset name as you add the linkset to the list for
the group. The linksets display on the portal page
in the order of the index numbers.
insert <index number> <linkset name>
Inserts a linkset at a particular position in the list.
The index numbers of existing linkset entries with
this index number and higher are incremented by
1.
move <index number> <new index number>
Moves a linkset entry up or down the list. The
index numbers of the remaining entries adjust
accordingly.
Figure 9 shows a sample output for the /cfg/domain #/aaa/group <group ID>/linkset command
and commands on the Linksets menu.
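The Linksets menu (Table 30) and the Group RADIUS Attributes menu (Table 29) share the same index semantics: entries are numbered from 1 in order, add appends, insert shifts the entries at that index and above up by one, and del and move renumber the remaining entries. The following added example, not Nortel code, models that list so the resulting order (which is the order the linksets display on the portal page) can be predicted; IndexedList and its methods are hypothetical names, and the linkset names and RADIUS attribute tuples are constructed.

```python
"""Index semantics shared by the Linksets and Group RADIUS Attributes menus.

Added example, not Nortel code: IndexedList, linkset_walkthrough and
radattr_walkthrough are hypothetical names; all entries are constructed.
"""
from typing import Any, List, Tuple


class IndexedList:
    """1-based ordered list with the documented list/add/insert/move/del behaviour."""

    def __init__(self, entries=None):
        self._entries: List[Any] = list(entries or [])

    def _check(self, index: int) -> None:
        if not 1 <= index <= len(self._entries):
            raise IndexError(f"index {index} not in 1..{len(self._entries)}")

    def list(self) -> List[Tuple[int, Any]]:
        """(index, entry) pairs, as the menu's list command shows them."""
        return [(i, e) for i, e in enumerate(self._entries, start=1)]

    def add(self, entry) -> int:
        """Append the entry; returns the index the Nortel SNAS would assign."""
        self._entries.append(entry)
        return len(self._entries)

    def insert(self, index: int, entry) -> None:
        """Place entry at index; existing entries at index and higher move up by 1."""
        if not 1 <= index <= len(self._entries) + 1:
            raise IndexError(f"index {index} not in 1..{len(self._entries) + 1}")
        self._entries.insert(index - 1, entry)

    def delete(self, index: int):
        """Remove the entry at index; the later entries are renumbered."""
        self._check(index)
        return self._entries.pop(index - 1)

    def move(self, index: int, new_index: int) -> None:
        """Move an entry up or down; the others are renumbered around it."""
        self._check(index)
        self._check(new_index)
        self._entries.insert(new_index - 1, self._entries.pop(index - 1))

    def entries(self) -> List[Any]:
        return list(self._entries)


def linkset_walkthrough() -> List[Tuple[int, Any]]:
    """Constructed sequence of Linksets menu operations for one group."""
    ls = IndexedList()
    ls.add("intranet")          # index 1
    ls.add("mail")              # index 2
    ls.insert(1, "helpdesk")    # helpdesk=1, intranet=2, mail=3
    ls.move(3, 1)               # mail=1, helpdesk=2, intranet=3
    ls.delete(2)                # mail=1, intranet=2
    return ls.list()


def radattr_walkthrough() -> List[Tuple[int, Any]]:
    """Constructed Group RADIUS Attributes entries as (vendor, id, value)."""
    ra = IndexedList([("vendor-a", 1, "role=staff"), ("vendor-a", 2, "vlan=10")])
    ra.insert(2, ("vendor-b", 7, "quota=high"))   # pushes ("vendor-a", 2, ...) to index 3
    return ra.list()


if __name__ == "__main__":
    for index, entry in linkset_walkthrough():
        print(index, entry)
    for index, entry in radattr_walkthrough():
        print(index, entry)
```

Because del renumbers everything after the removed entry, a script that deletes several entries by index must delete from the highest index downward, or re-run list between deletions.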
Configuring groups and extended profiles 169  
Figure 9  
Linksets menu commands  
Creating a default group  
To create a default group, first create a group with extended profiles  
mapped to a restrictive VLAN (see “Configuring groups” (page 156) and  
command to make this group the default group:  
/cfg/domain #/aaa/defgroup <group name>
Configuring authentication  
Overview  
The Nortel SNAS controls authentication of clients when they log on to  
the network.  
The Nortel SNAS supports the following authentication methods in Nortel Secure Network Access Switch Software Release 1.6.1:  
external databases  
    Remote Authentication Dial-In User Service (RADIUS)  
    Lightweight Directory Access Protocol (LDAP)  
local databases on the Nortel SNAS  
    local portal database  
    local MAC database  
ATTENTION  
If you ran the quick setup wizard during initial setup, the Local database authentication method has been created as Authentication 1.  
You can configure more than one authentication method within a Nortel SNAS domain. You determine the order in which the methods are applied by default. Client credentials are checked against the authentication databases in that order until the first match is found.  
You can configure the methods so that their names display on the portal login page. You can then direct clients to select a specific authentication server (for example, for direction to a specific Windows domain). If the client selects a Login Service name, the authentication request is directed immediately to the specified service. Otherwise, authentication defaults to being carried out according to the authentication order you have configured (see  
For general information about authentication within the Nortel SNAS, see Nortel Secure Network Access Solution Guide (NN47230-200).  
Before you begin  
Before you configure authentication on the Nortel SNAS, you must complete the following tasks:  
Step  Action  
1  Create the Nortel SNAS domain, if applicable (see “Creating a  
   If you ran the quick setup wizard during initial setup, domain # has been created on the Nortel SNAS.  
   ATTENTION  
   With Nortel Secure Network Access Switch Software Release 1.6.1, you cannot configure the Nortel SNAS to have more than one domain.  
2  Create and configure the groups (see “Configuring groups and  
3  For external authentication servers, create or modify settings on the external server as required.  
   a  A FreeRADIUS server may require specific settings in the clients.conf file and the Users file to match group parameters you may have configured on the Nortel SNAS.  
   b  A Steel-Belted RADIUS server requires specific settings in the vendor.ini file, master dictionary, and vendor dictionary.  
   c  An MS IAS RADIUS server may require vendor parameters to be configured on the Microsoft Management Console (MMC).  
4  To configure external authentication, you require the following information about the authentication server configuration:  
   a  RADIUS servers:  
      server IP address  
      port number used for the service  
      shared secret  
      Vendor-Id attribute  
      Vendor-Type  
      ATTENTION  
      You can assign vendor-specific codes to the Vendor-Id and Vendor-Type attributes. The RADIUS server uses the Vendor-Id and Vendor-Type attributes in combination to identify which values it will assign and send for attributes such as group name and session timeout.  
      Each vendor has a specific dictionary. The Vendor-Id specified for an attribute identifies the dictionary the RADIUS server will use to retrieve the attribute value. The Vendor-Type indicates the index number of the required entry in the dictionary file.  
      The Internet Assigned Numbers Authority (IANA) has designated SMI Network Management Private Enterprise Codes that can be assigned to the Vendor-Id attribute (see  
      RFC 2865 describes usage of the Vendor-Type attribute.  
      If you specify Vendor-Id and Vendor-Type on the RADIUS server and on the Nortel SNAS, the Nortel SNAS will retrieve vendor-specific values for the associated attribute. If you set the Vendor-Id and Vendor-Type attributes to 0, the RADIUS server sends standard attribute values.  
   b  LDAP servers:  
      server IP address  
      port number used for the service  
      configured accounts and users, so that you can specify appropriate search entries and group and user attributes  
--End--  
Configuring authentication  
The basic steps for configuring and managing client authentication are:  
Step  Action  
1  Create the authentication methods.  
2  Configure specific settings for the methods.  
3  Specify the order in which the authentication methods will be applied. Perform this step even if you define only one method on the Nortel SNAS.  
--End--  
To configure authentication, access the AAA menu by using the following command:  
/cfg/domain #/aaa  
From the AAA menu, you can manage the following authentication-related tasks:  
creating and configuring the authentication methods  
setting the order in which authentication methods will be applied (see  
Roadmap of authentication commands  
The following roadmap lists the CLI commands to configure client authentication in the Nortel SNAS domain. Use this list as a quick reference or click on any entry for more information:  
Table 31  
Roadmap of CLI commands  
Command, followed by its parameters:  
/cfg/domain #/aaa/auth <auth ID>  
    type radius | ldap | local  
    name <name>  
    display  
    del  
/cfg/domain #/aaa/auth #/adv  
    groupauth <auth IDs>  
    secondauth <auth ID>  
/cfg/domain #/aaa/auth #/radius  
    vendorid <vendor ID>  
    vendortype <vendor type>  
    domainid <domain ID>  
    domaintype <domain type>  
    authproto pap|chapv2  
    timeout <interval>  
/cfg/domain #/aaa/auth #/radius/servers  
    list  
    del <index number>  
    add <IPaddr> <port> <shared secret>  
    insert <index number> <IPaddr>  
    move <index number> <new index number>  
/cfg/domain #/aaa/auth #/radius/sessiontim  
    vendorid <vendor ID>  
    vendortype <vendor type>  
    ena  
    dis  
/cfg/domain #/aaa/auth #/ldap  
    searchbase <DN>  
    groupattr <names>  
    userattr <names>  
    isdbinddn <DN>  
    isdbindpas <password>  
    enaldaps true | false  
    ldapscert  
    enauserpre true | false  
    enacutdomain true | false  
    enashortgrp true | false  
    timeout <interval>  
/cfg/domain #/aaa/auth #/ldap/servers  
    list  
    del <index number>  
    add <IPaddr> <port>  
    insert <index number> <IPaddr>  
    move <index number> <new index number>  
/cfg/domain #/aaa/auth #/ldap/ldapmacro  
    list  
    del <index number>  
    add <variable name> <LDAP attribute> [<prefix>] [<suffix>]  
    insert <index number> <variable name>  
    move <index number> <new index number>  
/cfg/domain #/aaa/auth #/ldap/activedire  
    enaexpired true | false  
    expiredgro <group>  
    recursivem true | false  
    enaxfilter true | false  
    xfilteratt <filter attribute name>  
    xfilterval <filter attribute value>  
/cfg/domain #/aaa/auth #/ldap/adv  
/cfg/domain #/aaa/auth #/local  
    add <user name> <password> <group>  
    passwd <user name> <password>  
    groups <user name> <desired group>  
    del <user name>  
    list  
    import <protocol> <server> <filename> <key>  
    export <protocol> <server> <filename> <key>  
/cfg/domain #/aaa/auth #/local/radattr  
    add <user name> <vendor id> <attribute id> <attribute value>  
    del <user name>  
    list  
/cfg/domain #/aaa/macdb  
    add  
    del <MAC address>  
    list  
    show <MAC address>  
    import <protocol> <server> <filename>  
    export <protocol> <server> <filename>  
    clear  
/cfg/domain #/aaa/authorder <auth ID>[,<auth ID>]  
Configuring authentication methods  
To create and configure an authentication method, use the following command:  
/cfg/domain #/aaa/auth <auth ID>  
where auth ID is an integer in the range 1 to 63 that uniquely identifies the authentication method in the Nortel SNAS domain.  
When you first create the method, you are prompted to specify the type. For Nortel Secure Network Access Switch Software Release 1.6.1, valid options are:  
RADIUS  
LDAP  
local  
The selected method type determines the remainder of the parameters you are prompted to provide when you create the method, as well as the submenu options that are provided on the Authentication menu.  
The Authentication menu includes the following options:  
Table 32  
Configuring Authentication  
/cfg/domain #/aaa/auth <auth ID>  
followed by:  
type radius|ldap|ntlm|siteminder|cleartrust|cert|rsa|local  
    Sets the authentication mechanism.  
    ATTENTION  
    The selected authentication type determines which submenu option will display.  
name <name>  
    Names or renames the method. After you have defined a name for the method, you can use either the method name or the auth ID to access the Authentication menu.  
    name is a string that must be unique in the domain. The maximum allowable length of the string is 255 characters, but Nortel recommends a maximum of 32 characters.  
    In future releases of the Nortel SNAS software, you will be able to reference this string in a client filter, so that authentication to the server in question becomes a condition for access rights for a group.  
display  
    Specifies a name for the method, to display in the Login Service list box on the portal login page, together with the names of other authentication services available.  
radius|ldap|local  
    Accesses a method-specific menu, in order to configure settings for the method. The option displayed depends on the method type.  
    radius—accesses the RADIUS menu  
    ldap—accesses the LDAP menu (see page 187)  
    local—accesses the Local database  
adv  
    Accesses the Advanced menu, in order to configure the current method to retrieve group information from other authentication schemes (see page 179).  
del  
    Removes the method from the Nortel SNAS domain.  
Configuring advanced settings  
You can configure the Nortel SNAS domain to use one method for authentication and another for authorization.  
For example, suppose three authentication methods are configured for the domain: Local (auth ID 1), RADIUS (auth ID 2), and LDAP (auth ID 3), and the user groups are stored in an LDAP database. You can configure the domain to have the Local and LDAP methods used for authorization after users have been authenticated by RADIUS. In this example, the command is: /cfg/domain #/aaa/auth #/adv/groupauth 1,3. When a user logs on through RADIUS, the system first checks the RADIUS database. If no match is found, the system checks the other authentication schemes (in the order in which you listed them in the groupauth command) to see if the user name can be matched against user groups defined in the authentication databases. The first group matched is returned to the Nortel SNAS as the user’s group, and determines the user’s access privileges for the session.  
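The ordering rules stated in this chapter (credentials tried down the configured authentication order until the first match, a selected Login Service bypassing that order, and groupauth methods consulted in their listed order for the user's group) as an added Python model. This is editor-supplied example code, not Nortel software; the method names, users, passwords and group names in it are constructed, and the dicts stand in for the Local, RADIUS and LDAP databases.

```python
import hmac
from dataclasses import dataclass, field


@dataclass
class AuthMethod:
    """One authentication method; the dicts stand in for the backend database."""
    auth_id: int
    name: str                                      # the portal Login Service name
    users: dict                                    # login -> password (constructed)
    groups: dict = field(default_factory=dict)     # login -> group the backend returns
    groupauth: list = field(default_factory=list)  # auth IDs consulted for authorization

    def authenticate(self, login, password):
        stored = self.users.get(login)
        return stored is not None and hmac.compare_digest(
            stored.encode(), password.encode())


@dataclass
class Domain:
    methods: dict    # auth_id -> AuthMethod
    authorder: list  # auth IDs in the order configured with authorder

    def login(self, login, password, login_service=None):
        """Return (auth_id, group) for a successful logon, or None.

        With a Login Service selected only that method is consulted; otherwise
        the methods are tried in authorder and the first credential match wins."""
        if login_service is None:
            candidates = [self.methods[i] for i in self.authorder]
        else:
            candidates = [m for m in self.methods.values() if m.name == login_service]
        for method in candidates:
            if method.authenticate(login, password):
                return method.auth_id, self.authorize(method, login)
        return None

    def authorize(self, method, login):
        """The authenticating method's own database is checked first, then each
        groupauth method in the listed order; the first group found is returned."""
        for m in [method] + [self.methods[i] for i in method.groupauth]:
            group = m.groups.get(login)
            if group is not None:
                return group
        return None


# Constructed domain matching the page's example: Local (1), RADIUS (2), LDAP (3),
# with the RADIUS method configured as groupauth 1,3.
LOCAL = AuthMethod(1, "Local", users={"alice": "alice-pw", "dana": "dana-local"},
                   groups={"alice": "staff", "dana": "staff"})
RADIUS = AuthMethod(2, "Corp-RADIUS",
                    users={"bob": "bob-pw", "dana": "dana-pw", "erin": "erin-pw"},
                    groups={"bob": "engineering"}, groupauth=[1, 3])
LDAP = AuthMethod(3, "Corp-LDAP", users={"erin": "erin-pw"},
                  groups={"dana": "finance", "erin": "contractors"})
DOMAIN = Domain(methods={1: LOCAL, 2: RADIUS, 3: LDAP}, authorder=[2, 3, 1])
```

Because groupauth lists Local before LDAP, a RADIUS-authenticated user who has a group in both databases receives the Local group; a user whose password is rejected by RADIUS is still tried against LDAP and then Local, as the first-match rule describes.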
To configure the current authentication scheme to retrieve user group information from a different authentication scheme, use the following command:  
/cfg/domain #/aaa/auth #/adv  
The Advanced menu appears.  
The Advanced menu includes the following options:  
Table 33  
Configuring Advanced Settings  
/cfg/domain #/aaa/auth #/adv  
followed by:  
groupauth <auth IDs>  
    Specifies one or more preconfigured LDAP or Local database authentication schemes (not including the current one) that will be used to retrieve the user’s group information after the user has been authenticated.  
    To specify more than one authentication method to use for authorization, enter the auth IDs separated by a comma (,).  
secondauth <auth ID>  
    Specifies a second authentication service to be used after the first one succeeds. The feature supports single sign-on to backend servers in cases where the first authentication method is token based or uses client certificate authentication.  
    ATTENTION  
    Not supported in Nortel Secure Network Access Switch Software Release 1.6.1.  
Configuring RADIUS authentication  
To configure the Nortel SNAS domain to use an external RADIUS server for authentication, use the following command:  
/cfg/domain #/aaa/auth <auth ID>  
where auth ID is an integer in the range 1 to 63 that uniquely identifies the authentication method in the Nortel SNAS domain. If you do not specify the auth ID in the command, you are prompted for it.  
When you first create the method for the domain, you must enter the authentication ID. After you have created the method and defined a name for it, you can use either the ID or the name to access the method for configuration.  
You can perform the following configuration tasks:  
Adding the RADIUS authentication method  
The command to create the authentication ID launches a wizard. When prompted, enter the following information. You can later modify all settings for the specific RADIUS configuration (see page 182).  
authentication type—options are radius|ldap|ntlm|siteminder|cleartrust|cert|rsa|local. Enter radius.  
authentication method name (auth name)—a string that specifies a name for the method. After you have defined a name for the method, you can use either the method name or the auth ID to access the Authentication menu. In future releases of the Nortel SNAS software, you will be able to reference this string in a client filter, so that authentication to the server in question becomes a condition for access rights for a group.  
IP address of the RADIUS server.  
port on which the RADIUS server is listening—the port number configured on the RADIUS server to specify the port used by the service. The default is 1812.  
shared secret—a unique shared secret configured on the RADIUS server that authenticates the Nortel SNAS to the RADIUS server.  
vendor ID for group—corresponds to the vendor-specific attribute used by the RADIUS server to send group names to the Nortel SNAS. The default Vendor-Id is 1872 (Alteon).  
    To use a standard RADIUS attribute rather than the vendor-specific one, set the vendor ID to 0 (see also vendor type).  
vendor type for group—corresponds to the Vendor-Type value used in combination with the Vendor-Id to identify the groups to which the user belongs. The group names to which the vendor-specific attribute points must match names you define on the Nortel SNAS using the /cfg/domain #/aaa/group <group ID> command (see  
    If you set the vendor ID to 0 in order to use a standard RADIUS attribute (see vendor ID), set the vendor type to a standard attribute type as defined in RFC 2865. For example, to use the standard attribute Class, set the vendor ID to 0 and the vendor type to 25.  
vendor ID for domain—corresponds to the vendor-specific attribute used by the RADIUS server to send domain names to the Nortel SNAS. The default Vendor-Id is 1872 (Alteon).  
vendor type for domain—corresponds to the Vendor-Type value used in combination with the Vendor-Id to identify the domain. The default is 3.  
Figure 10 (page 182) shows sample output for the RADIUS method for the /cfg/domain #/aaa/auth <auth ID> command and commands on the Authentication menu.  
Figure 10  
Authentication menu commands—RADIUS  
Modifying RADIUS configuration settings  
To modify settings for the authentication method itself, see “Configuring  
To modify settings for the specific RADIUS configuration, use the following command:  
/cfg/domain #/aaa/auth #/radius  
The RADIUS menu appears.  
The RADIUS menu includes the following options:  
Table 34  
Configuring authentication methods  
/cfg/domain #/aaa/auth #/radius  
followed by:  
servers  
    Accesses the RADIUS servers menu, in order to manage the external RADIUS servers configured for the domain (see “Managing  
vendorid <vendor ID>  
    Specifies the vendor-specific attribute used by the RADIUS server to send group names to the Nortel SNAS. The default Vendor-Id is 1872 (Alteon).  
    To use a standard RADIUS attribute rather than the vendor-specific one, set the vendor ID to 0 (see also vendor type).  
    ATTENTION  
    If authproto is chapv2, the Vendor-Id must be set to 311 (Microsoft).  
vendortype <vendor type>  
    Specifies the Vendor-Type value used in combination with the Vendor-Id to identify the groups to which the user belongs. The group names to which the vendor-specific attribute points must match names you define on the Nortel SNAS. The default is 1.  
    If you set the vendor ID to 0 in order to use a standard RADIUS attribute (see vendor ID), set the vendor type to a standard attribute type as defined in RFC 2865. For example, to use the standard attribute Class, set the vendor ID to 0 and the vendor type to 25.  
domainid <domain ID>  
    Specifies the vendor-specific attribute used by the RADIUS server to send domain names to the Nortel SNAS. The default Vendor-Id is 1872 (Alteon).  
    ATTENTION  
    If authproto is chapv2, consider setting the Vendor-Id for the domain to 10 (MS-CHAP-Domain).  
domaintype <domain type>  
    Specifies the Vendor-Type value used in combination with the Vendor-Id to identify the domain. The default is 3.  
authproto pap|chapv2  
    Specifies the protocol used for communication between the Nortel SNAS and the RADIUS server. The options are:  
    pap—Password Authentication Protocol (PAP)  
    chapv2—Challenge Handshake Authentication Protocol (CHAP), version 2  
    The default is PAP.  
timeout <interval>  
    Sets the timeout interval for a connection request to a RADIUS server. At the end of the timeout period, if no connection has been established, authentication will fail.  
    interval is an integer that indicates the time interval in seconds (s), minutes (m), or hours (h). If you do not specify a measurement unit, seconds is assumed. The range is 1–10000 seconds. The default is 10 seconds.  
sessiontim  
    Accesses the Session Timeout menu, in order to configure settings to control the length of client sessions (see “Configuring session  
Managing RADIUS authentication servers  
You can configure additional RADIUS servers for the domain, for  
redundancy. You can have a maximum of three RADIUS authentication  
servers in the configuration. You can control the order in which the  
RADIUS servers respond to authentication requests.  
To enable RADIUS authentication, ensure that the authentication ID that  
represents the RADIUS configuration is included in the authentication  
order you have specified for the Nortel SNAS domain (see “Specifying  
To manage the RADIUS servers used for client authentication in the domain, use the following command:  
/cfg/domain #/aaa/auth #/radius/servers  
The Radius servers menu appears.  
The Radius servers menu includes the following options:  
Table 35  
RADIUS authentication servers  
/cfg/domain #/aaa/auth #/radius/servers  
followed by:  
list  
    Lists the IP address, port, and shared secret of currently configured RADIUS authentication servers, by index number.  
del <index number>  
    Removes the specified RADIUS authentication server from the current configuration. The index numbers of the remaining entries adjust accordingly.  
    To view the index numbers of all configured RADIUS authentication servers, use the list command.  
add <IPaddr> <port> <shared secret>  
    Adds a RADIUS authentication server to the configuration. You are prompted to enter the following information:  
    IPaddr—the IP address of the authentication server  
    port—the TCP port number used for RADIUS authentication. The default is 1813.  
    shared secret—the password used to authenticate the Nortel SNAS to the authentication server  
    The system automatically assigns the next available index number to the server.  
insert <index number> <IPaddr>  
    Inserts a server at a particular position in the list of RADIUS authentication servers in the configuration.  
    index number—the index number you want the server to have  
    IPaddr—the IP address of the authentication server you are adding  
    The index number you specify must be in use. The index numbers of existing servers with this index number and higher are incremented by 1.  
move <index number> <new index number>  
    Moves a server up or down the list of RADIUS authentication servers in the configuration.  
    index number—the original index number of the server you want to move  
    new index number—the index number representing the new position of the server in the list  
    The index numbers of the remaining entries adjust accordingly.  
Configuring session timeout  
You can configure the Nortel SNAS to enable session timeout and to retrieve a session timeout value from the RADIUS server. With session timeout enabled, the session timeout value controls the length of the client’s Nortel SNAS network session. When the time is up, the client is automatically logged out. Idle time has no effect on the session timeout.  
To configure the Nortel SNAS for session timeout, use the following command:  
/cfg/domain #/aaa/auth #/radius/sessiontim  
The Session Timeout menu appears.  
The Session Timeout menu includes the following options:  
Table 36  
Configuring session timeout  
/cfg/domain #/aaa/auth #/radius/sessiontim  
followed by:  
vendorid <vendor ID>  
    Specifies the vendor-specific attribute used by the RADIUS server to send a session timeout value to the Nortel SNAS. The default Vendor-Id is 0.  
    With the Vendor-Type also set to 0 (the default value), the RADIUS server sends the standard attribute for session timeout.  
vendortype <vendor type>  
    Specifies the Vendor-Type value used in combination with the Vendor-Id to identify the session timeout value to send to the Nortel SNAS. The default is 0.  
ena  
    Enables retrieval of the RADIUS server session timeout value. The default is disabled.  
dis  
    Disables retrieval of the RADIUS server session timeout value. The default is disabled.  
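How the Vendor-Id and Vendor-Type pairs in the RADIUS wizard, Table 34 and Table 36 select a value from a RADIUS reply, as an added Python example (editor-supplied, not Nortel code). It parses the RFC 2865 attribute list of a constructed Access-Accept and applies the rule stated on this page: Vendor-Id 0 means the standard attribute numbered by the Vendor-Type, and any other Vendor-Id selects that sub-attribute of a Vendor-Specific (26) attribute with a matching Vendor-Id. The sample reply, its values and the helper names are constructed; the attribute numbers (Class 25, Vendor-Specific 26, Session-Timeout 27) are from RFC 2865, and 1872 (Alteon) is the default Vendor-Id given on this page.

```python
import struct

# RFC 2865 attribute numbers used on this page
CLASS = 25
VENDOR_SPECIFIC = 26
SESSION_TIMEOUT = 27
ALTEON = 1872  # default Vendor-Id for the SNAS group and domain attributes


def parse_attributes(payload):
    """Split a RADIUS attribute list into tuples.

    Standard attributes become (type, value); each sub-attribute carried in a
    Vendor-Specific (26) attribute becomes (26, vendor_id, vendor_type, value).
    Every length byte is checked before it is used, so a malformed reply raises
    ValueError instead of being read out of bounds."""
    out, i = [], 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated attribute header")
        atype, alen = payload[i], payload[i + 1]
        if alen < 2 or i + alen > len(payload):
            raise ValueError(f"bad length {alen} for attribute {atype}")
        value = payload[i + 2:i + alen]
        if atype == VENDOR_SPECIFIC:
            if len(value) < 6:
                raise ValueError("Vendor-Specific attribute too short")
            vendor_id = struct.unpack("!I", value[:4])[0]
            j = 4
            while j < len(value):
                if j + 2 > len(value):
                    raise ValueError("truncated vendor sub-attribute")
                vtype, vlen = value[j], value[j + 1]
                if vlen < 2 or j + vlen > len(value):
                    raise ValueError("bad vendor sub-attribute length")
                out.append((VENDOR_SPECIFIC, vendor_id, vtype, value[j + 2:j + vlen]))
                j += vlen
        else:
            out.append((atype, value))
        i += alen
    return out


def select(attrs, vendor_id, vendor_type):
    """Value the SNAS would take for a (vendorid, vendortype) setting, or None."""
    for a in attrs:
        if vendor_id == 0 and len(a) == 2 and a[0] == vendor_type:
            return a[1]                       # standard attribute numbered vendor_type
        if vendor_id != 0 and len(a) == 4 and a[1] == vendor_id and a[2] == vendor_type:
            return a[3]                       # sub-attribute of a matching VSA
    return None


def group_name(attrs, vendor_id=ALTEON, vendor_type=1):
    v = select(attrs, vendor_id, vendor_type)
    return None if v is None else v.decode("utf-8", "replace")


def domain_name(attrs, vendor_id=ALTEON, vendor_type=3):
    v = select(attrs, vendor_id, vendor_type)
    return None if v is None else v.decode("utf-8", "replace")


def session_timeout(attrs, vendor_id=0, vendor_type=0):
    """Table 36 defaults (0, 0) mean the standard Session-Timeout attribute."""
    if vendor_id == 0 and vendor_type == 0:
        vendor_type = SESSION_TIMEOUT
    v = select(attrs, vendor_id, vendor_type)
    if v is None:
        return None
    if len(v) != 4:
        raise ValueError("integer attribute must be 4 bytes")
    return struct.unpack("!I", v)[0]


def is_malformed(payload):
    try:
        parse_attributes(payload)
        return False
    except ValueError:
        return True


# Builders used only to construct the sample reply below
def std_attr(atype, value):
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([atype, 2 + len(value)]) + value


def vsa(vendor_id, vendor_type, value):
    sub = bytes([vendor_type, 2 + len(value)]) + value
    return std_attr(VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + sub)


# Constructed Access-Accept attribute list: Class, two Alteon VSAs, Session-Timeout
SAMPLE_ACCEPT = (
    std_attr(CLASS, b"contractors")
    + vsa(ALTEON, 1, b"engineering")
    + vsa(ALTEON, 3, b"corp.example")
    + std_attr(SESSION_TIMEOUT, struct.pack("!I", 3600))
)
```

With the defaults (Vendor-Id 1872, Vendor-Type 1) the group is "engineering"; switching to Vendor-Id 0 and Vendor-Type 25 takes the standard Class attribute instead, and a Vendor-Id the server did not send (for example 311 with this sample) yields no group at all, which is the point at which the groupauth lookup of Table 33 would be consulted.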
Configuring LDAP authentication  
To configure the Nortel SNAS domain to use an external LDAP server for authentication, use the following command:  
/cfg/domain #/aaa/auth <auth ID>  
where auth ID is an integer in the range 1 to 63 that uniquely identifies the authentication method in the Nortel SNAS domain. If you do not specify the auth ID in the command, you are prompted for it.  
When you first create the method for the domain, you must enter the authentication ID. After you have created the method and defined a name for it, you can use either the ID or the name to access the method for configuration.  
You can perform the following configuration tasks:  
Adding the LDAP authentication method  
The command to create the authentication ID launches a wizard. When prompted, enter the following information. For more information about the parameters, see searchbase <DN>. You can later modify all settings for the specific LDAP configuration (see “Configuring authentication methods”  
authentication type—options are radius|ldap|local. Enter ldap.  
authentication method name (auth name)—a string that specifies a name for the method. After you have defined a name for the method, you can use either the method name or the auth ID to access the Authentication menu. In future releases of the Nortel SNAS software, you will be able to reference this string in a client filter, so that authentication to the server in question becomes a condition for access rights for a group.  
IP address of the LDAP server.  
port on which the LDAP server is listening—the port number configured on the LDAP server to specify the port used by the service. The default is 389.  
search base entry—the Distinguished Name (DN) that points to one of the following:  
    the entry that is one level up from the user entries (does not require isdBindDN and isdBindPassword)  
    if user entries are located in several places in the LDAP Directory Information Tree (DIT), the position in the DIT from where all user records can be found with a subtree search (requires isdBindDN and isdBindPassword)  
group attribute name—the LDAP attribute that contains the names of the groups. You can specify more than one group attribute name.  
user attribute name—refers to one of the following:  
    the LDAP attribute that contains the user name (does not require isdBindDN and isdBindPassword)  
    the LDAP attribute that is used in combination with the user’s login name to search the DIT (requires isdBindDN and isdBindPassword)  
isdBindDN—used to authenticate the Nortel SNAS to the LDAP server, so that the LDAP DIT can be searched. The isdBindDN corresponds to an entry created in the Schema Admins account (for example, cn=ldap ldap, cn=Users, dc=example, dc=com). An account must be created on the LDAP server to enable the Nortel SNAS to do the bind search in the directory structure.  
isdBindPassword—used to authenticate the Nortel SNAS to the LDAP server. The isdBindPassword is the password, configured in the Schema Admins account, for the entry referenced in isdBindDN.  
enable LDAPS—if true, makes LDAP requests between the Nortel SNAS and the LDAP server occur over a secure SSL connection. The default is false. Retain the default value or reset to false.  
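The two user lookup modes the wizard describes, and the userattr method 1 and method 2 rows of the LDAP menu, as an added Python model against a constructed in-memory directory (editor-supplied example code, not Nortel software). In method 1 the user DN is built directly from the login name under the search base; in method 2 the SNAS first binds as isdBindDN, finds the user's entry with a subtree search on the user attribute, then binds as that entry. The group is then taken from the group attributes in their listed order, keeping the first name that is defined on the SNAS. The DIT entries, passwords, group names and the helper names are constructed.

```python
import hmac

# Constructed in-memory directory standing in for the LDAP server: DN -> attributes
DIT = {
    "dc=example,dc=com": {},
    "cn=Users,dc=example,dc=com": {},
    "ou=Users,dc=example,dc=com": {},
    "ou=Contractors,ou=Users,dc=example,dc=com": {},
    # the bind account shape the page gives (cn=ldap ldap, cn=Users, ...)
    "cn=ldap ldap,cn=Users,dc=example,dc=com": {"userPassword": ["bind-secret"]},
    # method 1 style record: the login name is the RDN value
    "uid=alice,ou=Users,dc=example,dc=com": {
        "uid": ["alice"], "userPassword": ["alice-pw"], "memberOf": ["engineering"]},
    # method 2 style record (Active Directory): login name only in sAMAccountName
    "cn=Bill Smith,ou=Users,dc=example,dc=com": {
        "sAMAccountName": ["bill"], "userPassword": ["bill-pw"],
        "memberOf": ["contractors", "vpn-users"]},
    # one level deeper, so only a subtree search from ou=Users finds it
    "cn=Carol Diaz,ou=Contractors,ou=Users,dc=example,dc=com": {
        "sAMAccountName": ["carol"], "userPassword": ["carol-pw"], "memberOf": ["finance"]},
}

# characters that would let a login name alter a DN or search filter (RFC 4514/4515)
UNSAFE = set(',+"\\<>;=()*\x00')


def parent_dn(dn):
    # the constructed DNs contain no escaped commas, so a plain split is enough
    return dn.split(",", 1)[1] if "," in dn else ""


def simple_bind(dn, password):
    entry = DIT.get(dn)
    if entry is None:
        return False
    stored = entry.get("userPassword", [""])[0]
    return hmac.compare_digest(stored.encode(), password.encode())


def search(base, attr, value, subtree):
    """DNs under base whose attr contains value, with one-level or subtree scope."""
    hits = []
    for dn, entry in DIT.items():
        in_scope = dn.endswith("," + base) if subtree else parent_dn(dn) == base
        if in_scope and value in entry.get(attr, []):
            hits.append(dn)
    return hits


def authenticate(login, password, cfg):
    """cfg mirrors the page's LDAP settings: searchbase, userattr, groupattr (list),
    optional isdbinddn/isdbindpas, and snas_groups (group names defined on the SNAS).
    Returns (authenticated, group)."""
    if UNSAFE & set(login):
        return False, None          # never splice metacharacters into a DN or filter
    if cfg.get("isdbinddn") is None:
        # method 1: the user attribute is the RDN, so the DN can be built directly
        user_dn = f"{cfg['userattr']}={login},{cfg['searchbase']}"
    else:
        # method 2: bind with the service account, then locate the user by attribute
        if not simple_bind(cfg["isdbinddn"], cfg["isdbindpas"]):
            return False, None
        hits = search(cfg["searchbase"], cfg["userattr"], login, subtree=True)
        if len(hits) != 1:          # missing or ambiguous: do not guess which entry to bind as
            return False, None
        user_dn = hits[0]
    if not simple_bind(user_dn, password):
        return False, None
    # group attributes are consulted in the listed order; the first name the SNAS knows wins
    entry = DIT[user_dn]
    for attr in cfg["groupattr"]:
        for name in entry.get(attr, []):
            if name in cfg["snas_groups"]:
                return True, name
    return True, None


METHOD1 = {"searchbase": "ou=Users,dc=example,dc=com", "userattr": "uid",
           "groupattr": ["memberOf"], "snas_groups": ["engineering", "contractors"]}
METHOD2 = dict(METHOD1, userattr="sAMAccountName",
               isdbinddn="cn=ldap ldap,cn=Users,dc=example,dc=com",
               isdbindpas="bind-secret", snas_groups=["vpn-users", "finance"])
```

Under METHOD1 the login "bill" fails because no entry uid=bill exists under the search base, even though Bill's record is there; under METHOD2 the subtree search finds it through sAMAccountName, and also reaches Carol's entry one level deeper, which a one-level search from ou=Users would miss.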
Figure 11 shows sample output for the LDAP method for the /cfg/domain #/aaa/auth <auth ID> command and commands on the Authentication menu.  
Figure 11  
Authentication menu commands—LDAP  
Modifying LDAP configuration settings  
To modify settings for the authentication method itself, see “Configuring  
To modify settings for the specific LDAP configuration, use the following command:
/cfg/domain #/aaa/auth #/ldap
The LDAP menu appears.
The LDAP menu includes the following options:
Table 37
Configuring LDAP settings
/cfg/domain #/aaa/auth #/ldap followed by:

servers
    Accesses the LDAP servers menu, in order to manage the external LDAP servers configured for the domain (see “Managing

searchbase
    Sets the search base entry.

groupattr <names>
    Specifies the LDAP attribute that contains the names of the groups. The group names contained in the LDAP attribute must be defined in the Nortel SNAS domain (see
    To specify more than one group attribute name, enter the names separated by a comma (,).

userattr <names>
    Refers to one of the following:
    1. the LDAP attribute that contains the user name used for authenticating a client in the domain. The default user attribute name is uid. Do not use the isdbinddn and isdbindpas commands.
    2. if the client’s portal logon name is different from the RDN (for example, when using LDAP for authentication towards Active Directory), the LDAP attribute that is used in combination with the client’s logon name to search the DIT.
       For example, a user record in Active Directory is defined as the following DN: cn=Bill Smith, ou=Users, dc=example, dc=com. The user record also contains the attribute sAMAccountName=bill. The user’s login name is bill. If the user attribute is defined as sAMAccountName, the user record for Bill Smith will be found.
       The isdbinddn and isdbindpas parameters are required so that the Nortel SNAS can authenticate itself to the LDAP server, in order to search the DIT.

isdbinddn <DN>
    Specifies an entry in the LDAP server used to authenticate the Nortel SNAS to the LDAP server, so that the LDAP DIT can be searched. The isdBindDN corresponds to an entry created in the Schema Admins account (for example, cn=ldap ldap, cn=Users, dc=example, dc=com).
    Required for searchbase and userattr method 2.

isdbindpas <password>
    Specifies the password used to authenticate the Nortel SNAS to the LDAP server. The isdbindpas is the password, configured in the Schema Admins account, for the entry referenced in isdBindDN.
    Required for searchbase and userattr method 2.

ldapmacro
    Accesses the LDAP Macro menu, in order to manage macros (see “Managing LDAP

enaldaps true|false
    If true, makes LDAP requests between the Nortel SNAS and the LDAP server occur over a secure SSL connection (LDAPS). The default is false. Retain the default value or reset to false.
    ATTENTION
    The default TCP port number used by the LDAP protocol is 389. If LDAPS is enabled, change the port number to 636.

ldapscert
    Specifies the certificate number.

enauserpre true|false
    Enables or disables storage of user preferences in an external LDAP/Active Directory database.
    true—storage and retrieval of user preferences is enabled. When the client logs out from a portal session, the Nortel SNAS saves any user preferences accumulated during the session in the isdUserPrefs attribute. The next time the client successfully logs on through the portal, the Nortel SNAS retrieves the LDAP attribute from the LDAP database.
    false—storage and retrieval of user preferences is disabled.
    To support storage and retrieval of user preferences, you must extend the LDAP server schema with one new ObjectClass and one new Attribute. For more information, see
    The default is false.

enacutdomain true|false
    Enables or disables cutting the domain from the user name.

timeout <interval>
    Sets the timeout interval for a connection request to an LDAP server. At the end of the timeout period, if no connection has been established, authentication will fail.
    interval is an integer that indicates the time interval in seconds (s), minutes (m), or hours (h). If you do not specify a measurement unit, seconds is assumed. The range is 1–10000 seconds. The default is 5 seconds.

activedire
    Accesses the Active Directory menu, in order to manage client passwords (see “Managing

enashortgr
    Enables the short group format. Configures the NVG to extract the first part of a returned Distinguished Name (DN) as the group name to be used. This makes it easier to configure the group name in the VPN than configuring the entire DN string as the group name.

groupsearc
    Accesses the LDAP Group Search menu.

adv
    Accesses the Advanced LDAP menu.
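The following helpers illustrate three settings from Table 37 in code: the timeout <interval> syntax (seconds, minutes or hours, 1–10000 seconds), the comma-separated groupattr list, and what enashortgr true does to a returned group DN. This is an added example, not Nortel code; the DN handling follows RFC 4514 escaping, which the manual does not describe, so treat that part as an assumption about how a directory returns escaped values.

```python
"""Added example (not Nortel code): helpers mirroring the timeout,
groupattr and enashortgr settings of the LDAP menu (Table 37)."""
import re

TIMEOUT_MIN_S, TIMEOUT_MAX_S = 1, 10000
_UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600}


def parse_timeout(interval: str) -> int:
    """Return the LDAP connection timeout in seconds.

    Accepts "5", "30s", "2m" or "1h"; a bare number means seconds.
    Values outside 1-10000 seconds are rejected, as the menu does.
    """
    m = re.fullmatch(r"\s*(\d+)\s*([smh]?)\s*", interval)
    if not m:
        raise ValueError(f"bad interval syntax: {interval!r}")
    seconds = int(m.group(1)) * _UNIT_SECONDS[m.group(2) or "s"]
    if not TIMEOUT_MIN_S <= seconds <= TIMEOUT_MAX_S:
        raise ValueError(f"timeout {seconds}s outside {TIMEOUT_MIN_S}-{TIMEOUT_MAX_S}s")
    return seconds


def parse_group_attrs(names: str) -> list:
    """Split the groupattr value ("memberOf,department") into attribute names."""
    attrs = [n.strip() for n in names.split(",")]
    if any(not a for a in attrs):
        raise ValueError("empty attribute name in groupattr list")
    return attrs


def first_rdn_value(dn: str) -> str:
    """Extract the value of the first RDN of a DN, e.g. 'staff' from
    'cn=staff,ou=Groups,dc=example,dc=com' (what enashortgr true yields).

    Honours RFC 4514 backslash escapes (assumption: the server returns DNs
    in that form), so 'cn=Smith\\, J,ou=Users,...' is not cut at the
    escaped comma.
    """
    eq = dn.find("=")
    if eq < 0:
        raise ValueError(f"not a DN: {dn!r}")
    value, i, n = [], eq + 1, len(dn)
    while i < n and dn[i] != ",":
        if dn[i] == "\\" and i + 1 < n:
            value.append(dn[i + 1])   # keep the escaped character literally
            i += 2
        else:
            value.append(dn[i])
            i += 1
    return "".join(value).strip()


def group_names_from_dns(dns: list, short_format: bool) -> list:
    """Map returned group DNs to the names compared against the domain's
    groups: the first RDN value when enashortgr is true, else the whole DN."""
    return [first_rdn_value(d) if short_format else d for d in dns]
```

With the short format enabled, two groups in different OUs that share a leading RDN value (cn=admins under two branches) collapse to the same name, so define group names in the domain with that in mind.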
Managing LDAP authentication servers
You can configure additional LDAP servers for the domain, for redundancy. You can have a maximum of three LDAP authentication servers in the configuration. You can control the order in which the LDAP servers respond to authentication requests.
If there is more than one LDAP server configured for the Nortel SNAS domain, the first accessible LDAP server in the list returns a reply to the query. This stops the query, regardless of whether or not the client’s credentials were matched. If you add more than one LDAP server to the domain, for redundancy, ensure that each listed LDAP server contains the same SSL domain client database.
If the Nortel SNAS clients are dispersed in different LDAP server databases, you can configure the LDAP servers as separate authentication methods, with different authentication IDs. If you include all LDAP authentication IDs in the authentication order, each LDAP server will be used to authenticate client groups.
To enable LDAP authentication, ensure that the authentication ID that represents the LDAP configuration is included in the authentication order you have specified for the Nortel SNAS domain (see “Specifying
To manage the LDAP servers used for client authentication in the domain, use the following command:
/cfg/domain #/aaa/auth #/ldap/servers
The LDAP servers menu appears.
The LDAP servers menu includes the following options:
Table 38
Managing LDAP authentication servers
/cfg/domain #/aaa/auth #/ldap/servers followed by:

list
    Lists the IP address and port of currently configured LDAP servers, by index number.

del <index number>
    Removes the specified LDAP server from the current configuration. The index numbers of the remaining entries adjust accordingly.
    To view the index numbers of all configured LDAP servers, use the list command.

add <IPaddr> <port>
    Adds an LDAP server to the configuration. You are prompted to enter the following information:
    IPaddr—the IP address of the authentication server
    port—the TCP port number used for LDAP authentication. The default is 389.
    The system automatically assigns the next available index number to the server.
    ATTENTION
    The default TCP port number used by the LDAP protocol is 389. If LDAPS is enabled, change the port number to 636.

insert <index number> <IPaddr>
    Inserts a server at a particular position in the list of LDAP servers in the configuration.
    index number—the index number you want the server to have
    IPaddr—the IP address of the server you are adding
    The index number you specify must be in use. The index numbers of existing servers with this index number and higher are incremented by 1.

move <index number> <new index number>
    Moves a server up or down the list of LDAP servers in the configuration.
    index number—the original index number of the server you want to move
    new index number—the index number representing the new position of the server in the list
    The index numbers of the remaining entries adjust accordingly.
Managing LDAP macros
You can create your own macros (or variables), to allow you to retrieve data from the LDAP database. You can then map the variable to an LDAP user attribute in order to create user-specific links on the portal Home tab. When the client successfully logs on, the variable expands to the value retrieved from the LDAP or Active Directory user record. For more information about using macros in portal links, see “Macros” (page 235).
To configure LDAP macros, use the following command:
/cfg/domain #/aaa/auth #/ldap/ldapmacro
The LDAP macro menu appears.
The LDAP macro menu includes the following options:
Table 39
Managing LDAP macros
/cfg/domain #/aaa/auth #/ldap/ldapmacro followed by:

list
    Lists all macros in the LDAP configuration in the Nortel SNAS domain, by index number.
del <index number>
    Removes the specified LDAP macro from the current configuration. The index numbers of the remaining entries adjust accordingly.
    To view the index numbers of all configured LDAP macros, use the list command.

add <variable name> <LDAP attribute> [<prefix>] [<suffix>]
    Adds an LDAP macro to the configuration. You are prompted to enter the following information:
    variable name—the name of the variable.
    LDAP attribute—the LDAP user attribute whose value will be retrieved from the client’s LDAP/Active Directory user record.
    prefix—if the value string of the LDAP attribute is long and you wish to extract only part of it, the values at the start of the string that you want to ignore. Combine with a suffix if the value you want is in the middle of the string.
    suffix—if the value string of the LDAP attribute is long and you wish to extract only part of it, the values at the end of the string that you want to ignore. Combine with a prefix if the value you want is in the middle of the string.
    The system automatically assigns the next available index number to the macro.

insert <index number> <variable name>
    Inserts a macro at a particular position in the list of LDAP macros in the configuration.
    index number—the index number you want the macro to have
    variable name—the LDAP macro you are adding
    The index number you specify must be in use. The index numbers of existing macros with this index number and higher are incremented by 1.

move <index number> <new index number>
    Moves a macro up or down the list of macros in the configuration.
    index number—the original index number of the macro you want to move
    new index number—the index number representing the new position of the macro in the list
    The index numbers of the remaining entries adjust accordingly.
Group Search Configuration
The LDAP Group Search menu lets you configure the NVG to find group information.
The Group Search menu includes the following options:
Table 40
Group Search Configuration
/cfg/domain #/aaa/auth #/ldap/groupsearch followed by:

groupbase <group searchbase entry>
    Sets the group base search entry. Assigns the DN (Distinguished Name) that points to the entry where to start searching for group entries in the Directory Information Tree (DIT) on the iPlanet Directory Server.
    The group should be defined in the VPN with one or more access rules.

memberattr
    Defines the LDAP attribute that has the group member’s name. The default value is uniqueMember.

ena
    Enables the group search feature.

dis
    Disables the group search feature.
Managing Active Directory passwords
You can set up a mechanism for clients to change their passwords when the passwords expire.
Step  Action
1     Define a user group in the Local database for users whose passwords have expired.
2     Create a linkset and link to a site where the user can change the
3     Map the linkset to the group (see “Mapping linksets to a group
4     Set the Active Directory settings using the /cfg/domain #/aaa/auth #/ldap/activedire command.
--End--
To manage clients whose passwords have expired or who need to change their passwords, use the following command:
/cfg/domain #/aaa/auth #/ldap/activedire
The Active Directory Settings menu appears.
The Active Directory Settings menu includes the following options:
Table 41
Managing Active Directory passwords
/cfg/domain #/aaa/auth #/ldap/activedire followed by:

enaexpired true|false
    Specifies whether the system will perform a password-expired check.
    true—the system performs a password-expired check against Active Directory when the client logs on.
    false—the system does not perform a password-expired check against Active Directory when the client logs on.

expiredgro <group>
    Specifies the group in which clients with expired passwords will be placed.

expasgrou
    Sets the group in which users with expired passwords should be placed.
    Before using this command, define the user group in the Local database. Configure a link to a site where the user can change his/her password. Configure an access rule restricting access to the specified site.

recursivem true|false
    Specifies the setting for recursive group membership.
    true—if the client belongs to an Active Directory group which, in turn, belongs to another group, all groups are returned.
    false—if the client belongs to an Active Directory group which, in turn, belongs to another group, only the first group is returned.
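The recursivem setting decides whether an access rule bound to a parent group ever applies to a client who is only a member of a nested child group. The example below is added here and is not Nortel code: it models the two settings over a constructed nesting table (GROUP_PARENTS stands in for the memberOf lookups a real directory would answer) and reads "only the first group is returned" as the directly assigned groups, which is an assumption. Real directories can contain membership cycles, so the recursive walk guards against them.

```python
"""Added example (not Nortel code) of the two recursivem settings in the
Active Directory Settings menu (Table 41). The GROUP_PARENTS table is a
constructed stand-in for Active Directory's memberOf lookups."""
from collections import deque

# Constructed group DNs and nesting (group -> its parent groups).
HELPDESK = "cn=helpdesk,ou=Groups,dc=example,dc=com"
ITSTAFF = "cn=itstaff,ou=Groups,dc=example,dc=com"
ALLSTAFF = "cn=allstaff,ou=Groups,dc=example,dc=com"
VPNUSERS = "cn=vpnusers,ou=Groups,dc=example,dc=com"
GROUP_PARENTS = {
    HELPDESK: [ITSTAFF],
    ITSTAFF: [ALLSTAFF],
    ALLSTAFF: [HELPDESK],   # deliberate cycle: real directories can contain these
    VPNUSERS: [],
}


def resolve_groups(direct_groups, recursive, parents=GROUP_PARENTS):
    """Return the groups reported for a client after authentication.

    recursive=False mirrors recursivem false: only the groups the client
    belongs to directly (the first level of nesting) are returned
    (assumption about the manual's "first group").
    recursive=True mirrors recursivem true: the direct groups plus every
    group reachable through nested membership, breadth-first, each group
    reported once even when the nesting contains a cycle.
    """
    if not recursive:
        return list(direct_groups)
    seen, order, queue = set(), [], deque(direct_groups)
    while queue:
        group = queue.popleft()
        if group in seen:
            continue
        seen.add(group)
        order.append(group)
        queue.extend(parents.get(group, []))
    return order


def has_group(direct_groups, recursive, wanted, parents=GROUP_PARENTS):
    """True if an access rule bound to `wanted` applies to this client
    under the given recursivem setting."""
    return wanted in resolve_groups(direct_groups, recursive, parents)
```

A client in cn=helpdesk therefore inherits rules bound to cn=allstaff only when recursivem is true; when it is false, rules must be bound to the groups users are placed in directly.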
Configuring Advanced LDAP Settings
The Advanced LDAP settings configure the desired attribute/value when searching for a user record in an LDAP/Active Directory database. The feature is disabled by default, which means that no extra requirement is added when searching for a user record.
To configure the advanced settings, use the following commands:
Table 42
Configuring Advanced LDAP Settings
/cfg/domain #/aaa/auth #/ldap/adv followed by:

enaxfilter true|false
    Enables the extra search filter.
    true—the search filter is enabled. Specify the desired attribute/value using the commands below.
    false—the search filter is disabled. The default value is false.

xfilteratt
    Sets the desired attribute when searching for user records. User records that contain this attribute and the value specified with the xfilterval command will be found. The default attribute is objectclass.

xfilterval
    Sets the desired value when searching for user records. User records that contain the attribute specified with the xfilteratt command and this value will be found. The default value is person.
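Taken together, userattr (Table 37) and the extra filter (Table 42) define the LDAP search that locates a client's record: bind as isdbinddn, search below searchbase for the entry whose userattr equals the portal login name, AND-ed with xfilteratt=xfilterval when enaxfilter is true. The block below is an added example, not Nortel code, showing what a correctly built filter looks like; the portal login name is client-supplied, so it is escaped per RFC 4515 before it enters the filter. The subtree search scope and the request dictionary are assumptions for illustration.

```python
"""Added example (not Nortel code): composing the user lookup described by
the userattr, searchbase, isdbinddn and enaxfilter/xfilteratt/xfilterval
settings, with RFC 4515 escaping of the client-supplied login name."""


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value embedded in an LDAP search filter."""
    out = []
    for ch in value:
        if ch in "*()\\" or ch == "\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def _check_attr(name: str) -> str:
    """Attribute names come from the administrator, but still reject
    anything that is not an attribute description (letters, digits, '-')."""
    if not name or not name.replace("-", "").isalnum():
        raise ValueError(f"invalid attribute name: {name!r}")
    return name


def build_user_filter(login_name: str, userattr: str = "uid",
                      enaxfilter: bool = False,
                      xfilteratt: str = "objectclass",
                      xfilterval: str = "person") -> str:
    """Compose the filter used to locate the client's user record.

    userattr method 1 (default uid) and method 2 (e.g. sAMAccountName for
    Active Directory) differ only in the attribute name. With enaxfilter
    true the extra attribute/value requirement is AND-ed in; with it
    false no extra requirement is added, matching Table 42's defaults.
    """
    user_term = f"({_check_attr(userattr)}={escape_filter_value(login_name)})"
    if not enaxfilter:
        return user_term
    extra_term = f"({_check_attr(xfilteratt)}={escape_filter_value(xfilterval)})"
    return f"(&{user_term}{extra_term})"


def user_search_request(login_name: str, searchbase: str, isdbinddn: str,
                        **filter_opts) -> dict:
    """The pieces of the lookup: bind as isdbinddn (isdbindpas omitted),
    search the subtree under searchbase (scope is an assumption) for the
    single entry matching the filter, then use that entry's DN."""
    return {
        "bind_dn": isdbinddn,
        "base": searchbase,
        "scope": "subtree",
        "filter": build_user_filter(login_name, **filter_opts),
    }
```

Without the escaping step a login name containing filter metacharacters would change the meaning of the search; with it, such characters are matched literally and the lookup simply finds no record.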
Configuring local database authentication
You can configure the Nortel SNAS domain to use local databases for portal (username/password) or MAC authentication. To configure the local database method, perform the following steps:
Step  Action
1     Create the Local database method (see “Adding the local
      ATTENTION
      If you ran the quick setup wizard during initial setup, Local database authentication has been created with authentication ID = 1. The local portal database contains one test user (nha), who belongs to a group called nhauser.
2
3     Save a backup copy of the database (see “Managing the
4     Modify settings for the authentication method itself, if desired
5     Set the authentication order (see “Specifying authentication
--End--
Adding the local database authentication method
To create the Local database authentication method, use the following command:
/cfg/domain #/aaa/auth <auth ID>
where auth ID is an integer in the range 1 to 63 that uniquely identifies the authentication method in the Nortel SNAS domain. If you do not specify the auth ID in the command, you are prompted for it.
When you first create the method for the domain, you must enter the authentication ID. After you have created the method and defined a name for it, you can use either the ID or the name to access the method for configuration.
The command to create the authentication ID launches a wizard. When prompted, enter the following information. You can later modify all settings for the specific local database configuration (see “Configuring
authentication type—options are radius|ldap|local. Enter local.
authentication method name (auth name)—a string that specifies a name for the method. After you have defined a name for the method, you can use either the method name or the auth ID to access the Authentication menu. In future releases of the Nortel SNAS software, you will be able to reference this string in a client filter, so that authentication to the database in question becomes a condition for access rights for a group.
user name—a string that specifies a unique user login name. This item creates the first entry in the local database. To fully populate the database, add more users later (see “Managing the local portal
There are no restrictions on the Nortel SNAS regarding acceptable user names. However, if you want the user name in the local database to mirror the Windows login name, observe Windows username conventions (for example, keep the length to no more than 32 characters).
password (passwd)—the password that applies to the user you specified.
group name—the name of the group to which the specified user belongs. The group must exist in the Nortel SNAS domain. To view available group names, press TAB.
ATTENTION
The prompt implies that you can enter multiple group names for a user, but the Nortel SNAS does not allow membership in multiple groups. If you enter multiple group names, the first group name entered is the one that will be returned to the Nortel SNAS after authentication.
Figure 12 shows the Authentication menu and sample output for the Local method for the /cfg/domain #/aaa/auth <auth ID> command and commands on the Authentication menu.
Figure 12
Authentication menu commands—local database
Managing the local portal database
The local portal database provides a repository for usernames and passwords.
You can add users to the database in two ways:
    manually, using the /cfg/domain #/aaa/auth #/local/add command
    by importing a database, using the /cfg/domain #/aaa/auth #/local/import command
ATTENTION
The imported database overwrites existing entries in the local database.
You can use the local database for authorization only, after an external authentication server has authenticated the user. To do so, use an asterisk (*) for the user password in the local database. For information about configuring the Nortel SNAS to perform external database authentication in conjunction with local database authorization, see “Configuring advanced
To manage users and their passwords in the local database, use the following command:
/cfg/domain #/aaa/auth #/local
The Local database menu appears.
The Local database menu includes the following options:
Table 43
Managing the local portal database
/cfg/domain #/aaa/auth #/local followed by:

add <user name> <password> <group>
    Adds a user to the local authentication database. You are prompted for the following information:
    user name—a string that specifies a unique user logon name. There are no restrictions on the NSNAS regarding acceptable user names. However, if you want the user name in the local database to mirror the Windows login name, observe Windows username conventions (for example, keep the length to no more than 32 characters).
    When the client attempts to log on to the Nortel SNAS domain and local database authentication is applied, the client is prompted for the user name and password you define for the database.
    password—the password that applies to the user you specified. To use the local database for authorization only, after an external authentication server has authenticated the user, enter an asterisk (*).
    group—the name of the group to which the specified user belongs. The group must exist in the NSNAS domain. The group name is used for authorization. To view available group names, press TAB or use the /cfg/domain #/aaa/cur group command.

passwd <user name> <password>
    Changes the specified user’s password in the local database.

groups <user name> <desired group>
    Changes the specified user’s group membership in the local database.

radattr <add> <list> <del>
    Configures the RADIUS attribute in the local database.

del <user name>
    Deletes the specified user from the local database.

list
    Lists all users added to the local database by user name, password (encrypted), and group membership.
    The command displays a maximum of 100 database entries at a time. If there are more than 100 entries in the database, you can limit the display by using a string of characters directly followed by an asterisk (*). For example, the command list jo* lists all entries with user names starting with jo.

import <protocol> <server> <filename> <key>
    Imports a database from the specified TFTP/FTP/SCP/SFTP file exchange server. You are prompted to provide the following information:
    protocol is the import protocol. Options are tftp|ftp|scp|sftp.
    server is the host name or IP address of the server.
    filename is the name of the database file on the server.
    key is the password key for user password protection. For a database file whose passwords were protected with a key when the file was exported, the key you must provide is the same as the password key provided at the time of export. If the file is not protected with a key, enter any characters (a minimum of four) when prompted.
    FTP user name and password, if applicable.
    The file you import must be in ASCII format. Each row entry consists of values for user name, password, and group, separated by a colon (for example, username:password:group).
    Passwords in the imported database can be clear-text or encrypted. Clear-text passwords will be encrypted after import.
    The imported database overwrites existing entries in the local database.

export <protocol> <server> <filename> <key>
    Exports the local database to the specified TFTP/FTP/SCP/SFTP file exchange server. You are prompted to provide the following information:
    protocol is the export protocol. Options are tftp|ftp|scp|sftp.
    server is the host name or IP address of the server.
    filename is the name of the destination database file on the server (for example, db.txt).
    key is the password key for user password protection. If you are not protecting the file with a key, enter any characters (a minimum of four) when prompted.
    FTP user name and password, if applicable.
    The file is exported in ASCII format. Each row entry consists of values for user name, password (encrypted), and group, separated by a colon. The following is an example of an exported user record with the password encrypted:
    john:$2$7á?yLs...ßìöonž±†:trusted
    where $2$ indicates an encrypted password.
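Before a database file is pushed to the TFTP/FTP/SCP/SFTP server for import, it is worth checking it offline: every row must be username:password:group, a password of * marks an authorization-only entry, and a $2$ prefix marks a password the export already encrypted, so any other password is clear text that will sit on the file server until the import encrypts it. The checker below is an added example, not Nortel code; it only classifies passwords (it does not decrypt them, and the export key is not modelled), and the sample file is constructed, modelled on the manual's export example.

```python
"""Added example (not Nortel code): offline checker for the ASCII file the
import/export commands of the Local database menu (Table 43) exchange."""
from dataclasses import dataclass

MAX_WINDOWS_USERNAME = 32  # the manual's recommendation, not a hard limit


@dataclass
class LocalUser:
    username: str
    password: str
    group: str

    @property
    def kind(self) -> str:
        """Classify the password field the way the manual describes it."""
        if self.password == "*":
            return "authorization-only"
        if self.password.startswith("$2$"):
            return "encrypted"
        return "clear-text"


def parse_local_db(text: str):
    """Parse the file into (users, problems).

    The first ':' ends the user name and the last ':' starts the group, so
    an encrypted or clear-text password containing ':' still parses.
    Rows that cannot be split are reported and skipped; duplicate user
    names are reported because the later row would overwrite the earlier.
    """
    users, problems, seen = [], [], set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.count(":") < 2:
            problems.append(f"line {lineno}: expected username:password:group")
            continue
        username, rest = line.split(":", 1)
        password, group = rest.rsplit(":", 1)
        if not username or not group:
            problems.append(f"line {lineno}: empty user name or group")
            continue
        if username in seen:
            problems.append(f"line {lineno}: duplicate user {username!r}")
        seen.add(username)
        if len(username) > MAX_WINDOWS_USERNAME:
            problems.append(f"line {lineno}: {username!r} longer than "
                            f"{MAX_WINDOWS_USERNAME} characters")
        users.append(LocalUser(username, password, group))
    return users, problems


def summarize(users) -> dict:
    """Count entries per password kind; the clear-text count is the one to
    drive to zero before the file travels over TFTP or FTP."""
    counts = {"authorization-only": 0, "encrypted": 0, "clear-text": 0}
    for user in users:
        counts[user.kind] += 1
    return counts


# Constructed sample file, modelled on the manual's export example.
SAMPLE = """john:$2$7abc...:trusted
alice:*:finance
bob:Secret123:staff
broken line without separators
"""
```

Running parse_local_db over SAMPLE yields three users and one problem for the malformed fourth row; summarize then shows one entry of each password kind.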
Managing the local MAC database
The local MAC database provides a repository for MAC addresses. There is no design limit on the number of addresses the database can hold, and up to 10,000 addresses have been verified.
You can add MAC addresses to the database in three ways:
    using the /cfg/domain #/aaa/auth #/macdb/add command
    using the /cfg/domain #/aaa/auth #/macdb/import command to import a file that has been properly formatted
    using the MAC Registration portal provided at login when a user belongs to a group with macreg set to True (/cfg/domain #/aaa/group #/macreg)
To manage MAC addresses and associated parameters, use the following command:
/cfg/domain #/aaa/auth #/macdb
The MAC database menu appears.
The MAC database menu includes the following options:
Table 44
Managing the local MAC database
/cfg/domain #/aaa/auth #/macdb followed by:

add
    Adds a MAC address to the local database. You are prompted for the following information:
    MAC address—MAC address of the host
    user name—username of the host operator; optional
    device type <PC> <phone> <passive>
        PC: when the host is a computer
        phone: when the host is a supported IP telephone
        passive: when the device does not have an operator (for example, a printer or a video camera); it is recommended that passive devices belong to their own, unique group
    IP type <dhcp> <static>
        dhcp: when the IP address of the host is provided by a DHCP server
        static: when the IP address of the host is static
    switch IP address—IP address of the network access device that serves the host; optional; recommended when device type is passive
    group name(s)—the name(s) or ID number(s) of the NSNA group(s) of which the host is a member; a list of available groups is provided; if there is more than one group, separate with a colon
    comments—any ASCII string, up to 80 characters; optional
    Enter apply when the MAC database# prompt appears.
    Duplicate and wildcard MAC addresses are not supported in NSNA release 1.6.1.

del <MAC address>
    Deletes the specified MAC address from the database.

list
    Lists all entries in the MAC database.

show
    Shows a particular MAC entry from the MAC database.

import <protocol> <server> <filename>
    Imports a database from the specified TFTP/FTP/SCP/SFTP file exchange server. You are prompted to provide the following information:
    protocol is the import protocol. Options are tftp|ftp|scp|sftp.
    server is the host name or IP address of the server.
    filename is the name of the database file on the server.
    The file you import must be in ASCII format. Each line must have the form:
    MAC address;user name;IP type;device type;IP address;switch IP;switch unit;switch port;group(s);comments
    Use a colon to separate group names.
    For example: 00:14:22:BB:12:8B;printer2;static;passive;192.168.2.23;;;;printers;Room 314 printer
    The imported database overwrites the existing database.

export <protocol> <server> <filename>
    Exports the local database to the specified TFTP/FTP/SCP/SFTP file exchange server. You are prompted to provide the following information:
    protocol is the export protocol. Options are tftp|ftp|scp|sftp.
    server is the host name or IP address of the server.
    filename is the name of the destination database file on the server (for example, db.txt).
    The file is exported in ASCII format. Each line entry has the form: MAC address;user name;IP type;device type;IP address;switch IP;switch unit;switch port;group(s);comments. Multiple group names are separated by a colon.

clear
    Clears the MAC database.
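Because an import replaces the whole MAC database, a malformed file can silently drop devices from the network. The validator below is an added example, not Nortel code; it applies the rules Table 44 states for the ten-field semicolon-separated format (colon-separated groups, no duplicate or wildcard MAC addresses, dhcp|static and PC|phone|passive only, comments up to 80 characters) and raises the manual's recommendation for passive devices as a warning. The rejection of duplicates and wildcards before import, and the treatment of comments as the last field so that a ';' inside them is tolerated, are design choices of this example; the sample file is constructed around the manual's printer row.

```python
"""Added example (not Nortel code): validator for the ASCII file the MAC
database import/export commands (Table 44) exchange."""
import re
from dataclasses import dataclass, field
from typing import List

MAC_RE = re.compile(r"^[0-9A-F]{2}(:[0-9A-F]{2}){5}$")
IP_TYPES = {"dhcp", "static"}
DEVICE_TYPES = {"PC", "phone", "passive"}
MAX_COMMENT = 80
FIELDS = 10  # MAC;user;IP type;device type;IP;switch IP;unit;port;groups;comments


@dataclass
class MacEntry:
    mac: str
    user: str
    ip_type: str
    device_type: str
    ip: str
    switch_ip: str
    switch_unit: str
    switch_port: str
    groups: List[str] = field(default_factory=list)
    comments: str = ""


def parse_mac_db(text: str):
    """Return (entries, errors, warnings).

    Errors are rows this checker refuses (wrong field count, invalid or
    wildcard MAC, duplicate MAC, unknown IP or device type, over-long
    comment); warnings carry the manual's recommendation that passive
    devices record the switch IP that serves them.
    """
    entries, errors, warnings, seen = [], [], [], set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue
        parts = raw.split(";", FIELDS - 1)   # comments keep any further ';'
        if len(parts) != FIELDS:
            errors.append(f"line {lineno}: expected {FIELDS} fields, got {len(parts)}")
            continue
        mac = parts[0].strip().upper()       # normalise case for duplicate checks
        if not MAC_RE.match(mac):            # also rejects '*' / '?' wildcards
            errors.append(f"line {lineno}: invalid or wildcard MAC {parts[0]!r}")
            continue
        if mac in seen:
            errors.append(f"line {lineno}: duplicate MAC {mac}")
            continue
        seen.add(mac)
        ip_type, dev = parts[2].strip(), parts[3].strip()
        if ip_type not in IP_TYPES:
            errors.append(f"line {lineno}: IP type must be dhcp or static")
            continue
        if dev not in DEVICE_TYPES:
            errors.append(f"line {lineno}: device type must be PC, phone or passive")
            continue
        comments = parts[9]
        if len(comments) > MAX_COMMENT:
            errors.append(f"line {lineno}: comments longer than {MAX_COMMENT} characters")
            continue
        groups = [g for g in parts[8].split(":") if g]
        entry = MacEntry(mac, parts[1], ip_type, dev, parts[4], parts[5],
                         parts[6], parts[7], groups, comments)
        if dev == "passive" and not entry.switch_ip:
            warnings.append(f"line {lineno}: passive device {mac} has no switch IP")
        entries.append(entry)
    return entries, errors, warnings


# Constructed sample: the manual's printer row, a PC in two groups, a
# case-variant duplicate of the printer, and a wildcard address.
SAMPLE = """00:14:22:BB:12:8B;printer2;static;passive;192.168.2.23;;;;printers;Room 314 printer
00:1b:4f:aa:00:01;jsmith;dhcp;PC;;10.0.0.2;1;12;staff:vpnusers;
00:14:22:bb:12:8b;printer2;static;passive;192.168.2.23;;;;printers;duplicate
00:14:22:BB:*;;dhcp;phone;;;;;phones;wildcard
"""
```

On SAMPLE the validator accepts the first two rows, rejects the duplicate and the wildcard, and warns that the printer row carries no switch IP.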
Adding MAC addresses using the MAC Registration interface
The MAC Registration interface allows you to add or modify MAC addresses from your PC. You must be a member of a group for which macreg is set to True (/cfg/domain #/aaa/group #/macreg).
To add or modify a MAC address, perform the following steps:
Step  Action
1     Log in to the network.
2     Click the MAC Register tab.
      The MAC Registration interface appears.
3     Complete the form.
4     Click the Register button.
      A confirmation message is returned indicating that the MAC address has been registered.
5     Click the Done button.
      Repeat to add or modify another MAC address.
--End--
Additions or modifications to the MAC database do not affect current sessions.
Specifying authentication fallback order  
Authentication in the Nortel SNAS is performed by checking client  
credentials against available authentication databases until the first match  
is found. You specify the order in which the Nortel SNAS applies the  
methods configured for the Nortel SNAS domain.  
Perform this step even if there is only one method defined on the Nortel  
SNAS.  
ATTENTION  
For best performance, set the authentication order so that the method that  
supports the biggest proportion of users is applied first. However, if you use  
the Nortel SNAS local database as one of the authentication methods, Nortel  
recommends that you set the Local method to be first in the authentication  
order. The Local method is performed extremely fast, regardless of the number  
of users in the database. Response times for the other methods depend on  
such factors as current network load, server performance, and number of users  
in the database.  
To specify the authentication fallback order, use the following command:
/cfg/domain #/aaa/authorder <auth ID>[,<auth ID>]
When prompted, enter the authentication method IDs in the order in which you want the methods applied. Use a comma to separate the entries.
To view the currently configured authentication methods and their corresponding authentication IDs, use the /cfg/domain #/aaa/cur command.
For example: You have configured Local database authentication under auth ID 1, RADIUS authentication under auth ID 2, and LDAP authentication under auth ID 3. You want the Nortel SNAS to check the local database first, then send requests to the LDAP server, then to the RADIUS server. Figure 13 "Authentication order command" (page 210) shows the required command.
Figure 13 Authentication order command
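The first-match fallback described above, as an added example that is not part of the Nortel manual: a Python model (not Nortel code) of three configured methods, auth ID 1 Local, 2 RADIUS and 3 LDAP as in the example, with constructed user tables, and the authorder value 1,3,2 parsed as it would be typed at the prompt. The consequence worth checking before you put Local first: because every method is consulted until one matches, a user name that exists in the local database and in a directory has every one of its passwords accepted, so a stale Local entry keeps working after the directory password has been rotated. shadowed_users lists such names. How the real Nortel SNAS treats an unreachable backend is not described in this chapter and is not modelled.

```python
class Backend:
    """Constructed stand-in for one configured authentication method."""

    def __init__(self, auth_id, name, users):
        self.auth_id = auth_id
        self.name = name
        self.users = users        # username -> password; plaintext only for this model

    def check(self, username, password):
        return self.users.get(username) == password


def parse_authorder(value):
    """Parse the comma-separated auth ID list typed at the authorder prompt, e.g. '1,3,2'."""
    ids = [int(x) for x in value.split(",") if x.strip()]
    if not ids or len(ids) != len(set(ids)):
        raise ValueError(f"bad authorder {value!r}")
    return ids


def authenticate(username, password, order, backends):
    """Consult the methods in `order` until the first credential match.
    Returns (auth ID of the matching method or None, list of auth IDs consulted)."""
    by_id = {b.auth_id: b for b in backends}
    consulted = []
    for auth_id in order:
        consulted.append(auth_id)
        if by_id[auth_id].check(username, password):
            return auth_id, consulted
    return None, consulted


def shadowed_users(backends):
    """Names present in more than one method. With first-match fallback every one of
    their passwords stays valid, so a stale Local entry outlives a directory password
    rotation. Returns {username: [method names in auth ID order]}."""
    where = {}
    for backend in sorted(backends, key=lambda b: b.auth_id):
        for username in backend.users:
            where.setdefault(username, []).append(backend.name)
    return {u: names for u, names in where.items() if len(names) > 1}


# Constructed users. 'bob' had his LDAP password rotated, but the old one is still
# in the Local database.
BACKENDS = [
    Backend(1, "local", {"svc-scanner": "Pr1nter!", "bob": "OldPass1"}),
    Backend(2, "radius", {"carol": "RadPass9"}),
    Backend(3, "ldap", {"alice": "Ldap!2008", "bob": "NewPass2"}),
]
ORDER = parse_authorder("1,3,2")   # Local first, then LDAP, then RADIUS

if __name__ == "__main__":
    for user, pw in (("alice", "Ldap!2008"), ("bob", "OldPass1"), ("bob", "NewPass2")):
        print(user, pw, "->", authenticate(user, pw, ORDER, BACKENDS))
    print("shadowed:", shadowed_users(BACKENDS))
```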
Managing system users and groups  
User rights and group membership  
There are three groups of system users who routinely access the system  
for configuration and management:  
admin (administrator)  
certadmin (certificate administrator)  
oper (operator)  
ATTENTION  
There are two additional types of users with specialized functions: boot and root.  
Group membership dictates user rights, as shown in Table 45 "Group  
membership and user rights" (page 212). When a user is a member of  
more than one group, user rights accumulate. The admin user, who by  
default is a member of all three groups, therefore has the same user rights  
as granted to members in the certadmin and oper group, in addition to the  
specific user rights granted by the admin group membership. The most  
permissive user rights become the effective user rights when a user is a  
member of more than one group. For more information about default user  
groups and related access levels, see “Accessing the Nortel SNAS cluster”  
Table 45
Group membership and user rights

admin group (default member: admin)
  Add user account: Yes
  Delete user account: Yes
  Add user to group: Yes, to own group
  Delete user from group: Yes
  Change own password: Yes
  Change another user's password: Yes, if admin is a member of the other user's first group

certadmin group (default member: admin)
  Add user account: No
  Delete user account: No
  Add user to group: Yes, to own group
  Delete user from group: No
  Change own password: Yes
  Change another user's password: No

oper group (default members: oper, admin)
  Add user account: No
  Delete user account: No
  Add user to group: Yes, to own group
  Delete user from group: No
  Change own password: Yes
  Change another user's password: No
Managing system users and groups  
To manage system users and groups, access the User menu by using the  
following command:  
/cfg/sys/user  
From the User menu, you can configure and manage the following:  
add new users (for a detailed example, see "Adding a new user" (page 218))
reassign users (for a detailed example, see "Changing a user's group assignment" (page 221))
change passwords (for a detailed example, see "Changing passwords" (page 223))
delete users (for a detailed example, see "Deleting a user" (page 225))
For detailed information about the CLI commands, see "CLI configuration examples" (page 218).
Roadmap of system user management commands  
The following roadmap lists all the CLI commands to configure and manage system users for the Nortel SNAS cluster. Use this list as a quick reference:
Table 46
Roadmap of system user commands

Command: /cfg/sys/user
  Parameters:
    password <old password> <new password> <confirm new password>
    expire <time>
    list
    del <username>
    add <username>
    caphrase

Command: /cfg/sys/user/edit <username>
  Parameters:
    password <own password> <user password> <confirm user password>
    cur

Command: /cfg/sys/user/edit <username>/groups
  Parameters:
    list
    del <group index>
    add admin|oper|certadmin
Managing user accounts and passwords  
To change the password for the currently logged on user and to add  
or delete user accounts, access the User menu by using the following  
command:  
/cfg/sys/user  
The User menu appears.  
The User menu includes the following options:  
Table 47
Managing user accounts and passwords
/cfg/sys/user followed by:

password <old password> <new password> <confirm new password>
Allows you to change your own password. Passwords can contain spaces and are case sensitive. The change takes effect as soon as you execute the command.
expire <time>
Sets an expiration time for system user passwords. The time applies to all system users. The counter starts from when the password was last set. The first time the system user logs on after the specified time has expired, the user is prompted for a new password.
time is the length of time in days (d), hours (h), minutes (m), or seconds (s or unspecified). The default unit is seconds. The default expiration time is 0 seconds (no expiry).
If the time you specify combines time units, the format is DDdHHhMMmSS. For example, to make all passwords expire in 30 days, 2 hours, and 45 minutes, enter 30d2h45m.
list  
Lists all user accounts. The three built-in users (admin,  
oper, and root) are always listed.  
del <username>  
Removes the specified user account from the system.  
Of the three built-in users (admin, oper, and root), only  
the oper user can be deleted.  
You must have administrator rights in order to delete  
user accounts.  
ATTENTION  
When you delete a user, the user’s group assignment  
is also deleted. If you are deleting a user who is  
the sole member of a group, none of the remaining  
users on the system can then be added to that group.  
Existing users can only be added to a group by a  
user who is already a member of that group. Before  
deleting a user, verify that the user is not the sole  
member of a group.  
add <username>
Adds a user account to the system. The maximum length of the user name is 255 characters. No spaces are allowed.
After adding a user account, you must also assign the user account to a group (see "Managing user groups" (page 217)).
You must have administrator rights in order to add user accounts.

edit <username>
Accesses the User <username> menu, in order to change user settings (see "Managing user settings" (page 216)).
You must have administrator rights in order to change a user's settings. You must also be a member of the first group listed for the other user.
caphrase  
Sets the certificate administrator’s passphrase for  
encrypted private keys in a configuration backup, if the  
certificate administrator role has been separated from  
the administrator role.  
If the admin user is a member of the certadmin group  
(the default setting), the admin user is prompted for  
an export passphrase to protect the private keys in  
the configuration dump each time the /cfg/ptcfg  
command is used.  
Set a certificate administrator export passphrase  
only if the admin user has removed himself or herself  
from the certadmin group and added a certificate  
administrator user with certadmin group rights.  
When a configuration backup is performed using  
the /cfg/ptcfg command, the certadmin export  
passphrase is automatically used (without prompting  
the user) to protect the encrypted private keys. When  
the /cfg/gtcfg command is used to restore a  
configuration backup from a file exchange server, the  
user is prompted for the correct certadmin passphrase,  
as defined using the caphrase command.  
ATTENTION  
The caphrase menu command is displayed  
only when the logged on user is a member of the  
certadmin group.  
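The expire <time> format from Table 47, as an added example that is not part of the Nortel manual: a Python parser (not Nortel code) for the DDdHHhMMmSS grammar, plus a policy check with an assumed 90-day maximum. The check flags the two misconfigurations that follow directly from the documented defaults: 0, the default, means passwords never expire, and a bare number is seconds, so `expire 30` forces every system user to change password within half a minute of setting it rather than in 30 days.

```python
import re

# Grammar from the manual: DDdHHhMMmSS with every part optional, a trailing 's'
# optional, and a bare number meaning seconds. 0 disables expiry.
EXPIRE_RE = re.compile(r"^(?:(\d+)d)?(?:(\d+)h)?(?:(\d+)m)?(?:(\d+)s?)?$")
UNIT_SECONDS = (86400, 3600, 60, 1)


def expire_to_seconds(value):
    """Convert an `expire <time>` argument such as '30d2h45m' to seconds.
    Units out of order ('2h30d') or unknown suffixes are rejected."""
    value = value.strip()
    match = EXPIRE_RE.match(value)
    if not value or match is None:
        raise ValueError(f"malformed expire time {value!r}")
    return sum(int(n) * unit for n, unit in zip(match.groups(), UNIT_SECONDS) if n)


def check_expire(value, max_days=90):
    """Return (seconds, warning or None). Assumed policy: passwords must expire,
    and within max_days. A value under one day is almost always a missing 'd'."""
    seconds = expire_to_seconds(value)
    if seconds == 0:
        return seconds, "0 means passwords never expire (the default)"
    if seconds < 86400:
        return seconds, f"{seconds}s is shorter than one day; missing 'd' suffix?"
    if seconds > max_days * 86400:
        return seconds, f"exceeds the {max_days}-day policy"
    return seconds, None


if __name__ == "__main__":
    for arg in ("30d2h45m", "30", "0", "120d"):
        print(f"expire {arg:<10} -> {check_expire(arg)}")
```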
Managing user settings  
You must have administrator rights in order to change a user’s settings.  
You must also be a member of the other user’s first group (the first group  
listed for the other user when you use the /cfg/sys/user/edit  
<username> /groups/list command).  
To set or change the login password for a specified user and to view and  
manage group assignments, access the User <username> menu by  
using the following command:  
/cfg/sys/user/edit <username>  
The User <username> menu appears.  
The User <username> menu includes the following options:  
Table 48
Managing user settings
/cfg/sys/user/edit <username> followed by:

password <own password> <user password> <confirm user password>
Sets the login password for the specified user. Passwords can contain spaces and are case sensitive.

groups
Accesses the Groups menu, in order to manage user group assignments (see "Managing user groups" (page 217)).

cur
Displays the current group settings for the specified user.
Managing user groups  
All users must belong to at least one group. Only an administrator user  
can add a new user account to the system, but any user can grant an  
existing user membership in a group to which the granting user belongs.  
By default, the administrator user is a member of all three built-in groups  
(admin, oper, certadmin) and can therefore add a new user to any of  
these groups. However, a certificate administrator, who is a member of  
the certadmin group only, can add an existing user to the certadmin group  
only.  
If a user belongs to only one group and you want to change the user’s  
group membership, add the user to the new group first, and then remove  
the user from the old one.  
If a user belongs to several groups, the first group, according to CLI  
numbering, determines the enforcement filters and VLANs that are applied.  
To set or change a user’s group assignment, access the Groups menu by  
using the following command:  
/cfg/sys/user/edit <username> /groups  
The Groups menu appears.  
The Groups menu includes the following options:  
Table 49
Managing user groups
/cfg/sys/user/edit <username> /groups followed by:

list
Lists all groups to which the user is currently assigned, by group index number.

del <group index>
Removes the user from the specified group. group index is an integer indicating the group index number.
You must have administrator rights in order to remove other users from groups.

add admin|oper|certadmin
Assigns the user to one of the built-in groups (admin, oper, certadmin).
CLI configuration examples  
Adding a new user  
To add a new user to the system, you must be a member of the admin  
group. By default, only the admin user is a member of the admin group.  
In this configuration example, a certificate administrator user is added to  
the system, and then assigned to the certadmin group. The certificate  
administrator specializes in managing certificates and private keys, without  
the possibility to change system parameters or configure virtual SSL  
servers. A user who is a member of the certadmin group can therefore  
access the Certificate menu (/cfg/cert), but not the SSL Server  
1001 menu (/cfg/domain #/server/ssl). On the System menu  
(/cfg/sys), the certadmin user has access only to the User submenu  
(/cfg/sys/user).  
1. Log on to the Nortel SNAS cluster as the admin user.
login: admin  
Password: ( admin user password)  
2. Access the User Menu.
>> Main# /cfg/sys/user
------------------------------------------------------------
[User Menu]
passwd - Change own password
list - List all users
del - Delete a user
add - Add a new user
edit - Edit a user
caphrase - Certadmin export passphrase
>> User#
3. Add the new user and designate a user name.
The maximum length for a user name is 255 characters. No  
spaces are allowed. Each time the new user logs in to the Nortel  
SNAS cluster, the user must enter the name you designate as  
the user name in this step.  
>> User# add  
Name of user to add: cert_admin (maximum 255 characters,  
no spaces)  
4. Assign the new user to a user group.
You can only assign a user to a group in which you yourself are  
a member. When this criterion is met, users can be assigned to  
one or more of the following three groups:  
oper  
admin  
certadmin  
By default, the admin user is a member of all groups above,  
and can therefore assign a new or existing user to any of these  
groups. The group assignment of a user dictates the user rights  
and access levels to the system.  
>> User# edit cert_admin  
>> User cert_admin# groups/add  
Enter group name: certadmin  
5. Verify and apply the group assignment.
When you enter the list command, the current and pending  
group assignment of the user being edited is listed by index  
number and group name. Because the cert_admin user is a new  
user, the current group assignment listed by Old: is empty.  
>> Groups# list  
Old:  
Pending:  
1: certadmin  
>> Groups# apply  
Changes applied successfully.  
6. Define a login password for the user.
When the user logs in to the Nortel SNAS cluster the first time,  
the user will be prompted for the password you define in this  
step. When successfully logged on, the user can change his or  
her own password. The login password is case sensitive and can  
contain spaces.  
>> Groups# /cfg/sys/user  
>> User# edit cert_admin  
>> User cert_admin# password  
Enter admin’s current password: ( admin user password)  
Enter new password for cert_admin: ( cert_admin user  
password)  
Re-enter to confirm: (reconfirm cert_admin user password)  
7. Apply the changes.
>> User cert_admin# apply
Changes applied successfully.
8. Let the Certificate Administrator user define an export passphrase.
This step is only necessary if you want to fully separate the  
Certificate Administrator user role from the Administrator user  
role. If the admin user is removed from the certadmin group  
(as in Step 9), a Certificate Administrator export passphrase  
(caphrase) must be defined.  
As long as the admin user is a member of the certadmin  
group (the default configuration), the admin user is prompted  
for an export passphrase each time a configuration backup  
that contains private keys is sent to a TFTP/FTP/SCP/SFTP  
server (command: /cfg/ptcfg). When the admin user is  
not a member of the certadmin group, the export passphrase  
defined by the Certificate Administrator is used instead to  
encrypt private keys in the configuration backup. The encryption  
of private keys using the export passphrase defined by the  
Certificate Administrator is performed transparently to the user,  
without prompting. When the configuration backup is restored,  
the Certificate Administrator must enter the correct export  
passphrase.  
ATTENTION  
If the export passphrase defined by the Certificate Administrator is  
lost, configuration backups made by the admin user while he or she  
was not a member of the certadmin group cannot be restored.  
The export passphrase defined by the Certificate  
Administrator remains the same until changed by using  
the /cfg/sys/user/caphrase command. For users who are  
not members of the certadmin group, the caphrase command  
in the User menu is hidden. Only users who are members of the  
certadmin group should know the export passphrase. The export  
passphrase can contain spaces and is case sensitive.  
>> User cert_admin# ../caphrase  
Enter new passphrase:  
Re-enter to confirm:  
Passphrase changed.  
9. Remove the admin user from the certadmin group.
Again, this step is only necessary if you want to fully separate  
the Certificate Administrator user role from the Administrator user  
role. Note however, that once the admin user is removed from  
the certadmin group, only a user who is already a member of  
the certadmin group can grant the admin user certadmin group  
membership anew.  
When the admin user is removed from the certadmin group,  
only the Certificate Administrator user can access the Certificate  
menu (/cfg/cert).  
>> User# edit admin  
>> User admin# groups/list  
1: admin  
2: oper  
3: certadmin  
>> Groups# del 3  
ATTENTION  
It is critical that a Certificate Administrator user is created and  
assigned certadmin group membership before the admin user is  
removed from the certadmin group. Otherwise there is no way to  
assign certadmin group membership to a new user, or to restore  
certadmin group membership to the admin user, should it become  
necessary.  
10. Verify and apply the changes.
>> Groups# list  
Old:  
1: admin  
2: oper  
3: certadmin  
Pending:  
1: admin  
2: oper  
>> Groups# apply  
--End--  
Changing a user's group assignment
Only users who are members of the admin group can remove other users  
from a group. All users can add an existing user to a group, but only to  
a group in which the "granting" user is already a member. The admin  
user, who by default is a member of all three groups (admin, oper, and  
certadmin) can therefore add users to any of these groups.  
1. Log on to the Nortel SNAS cluster.
In this example the cert_admin user, who is a member of the  
certadmin group, will add the admin user to the certadmin  
group. The example assumes that the admin user previously  
removed himself or herself from the certadmin group, in order  
to fully separate the Administrator user role from the Certificate  
Administrator user role.  
login: cert_admin  
Password: ( cert_admin user password)  
2. Access the User Menu.
>> Main# /cfg/sys/user
------------------------------------------------------------
[User Menu]
passwd - Change own password
list - List all users
del - Delete a user
add - Add a new user
edit - Edit a user
caphrase - Certadmin export passphrase
>> User#
3. Assign the admin user certadmin user rights by adding the admin user to the certadmin group.
>> User# edit admin  
>> User admin# groups/add  
Enter group name: certadmin  
ATTENTION  
A user must be assigned to at least one group at any given time.  
If you want to replace a user’s single group assignment, you must  
therefore always first add the user to the desired new group, then  
remove the user from the old group.  
4. Verify and apply the changes.
>> Groups# list  
Old:  
1: admin  
2: oper  
Pending:  
1: admin  
2: oper  
3: certadmin  
>> Groups# apply  
--End--  
Changing passwords  
Changing your own password
All users can change their own password. Login passwords are case sensitive and can contain spaces.
1. Log on to the Nortel SNAS cluster by entering your user name and current password.
login: cert_admin  
Password: ( cert_admin user password)  
2. Access the User Menu.
>> Main# /cfg/sys/user
------------------------------------------------------------
[User Menu]
passwd - Change own password
list - List all users
del - Delete a user
add - Add a new user
edit - Edit a user
caphrase - Certadmin export passphrase
>> User#
3. Type the passwd command to change your current password. When your own password is changed, the change takes effect immediately without having to use the apply command.
>> User# passwd  
Enter cert_admin’s current password: (current cert_admin  
user password)  
Enter new password: (new cert_admin user password)  
Re-enter to confirm: (reconfirm new cert_admin user  
password)  
Password changed.  
--End--  
Changing another user's password
Only the admin user can change another user's password, and then only if the admin user is a member of the other user's first group (the group that is listed first for the user with the /cfg/sys/user/edit <username>/groups/list command). Login passwords are case sensitive and can contain spaces.
1. Log on to the Nortel SNAS cluster as the admin user.
login: admin  
Password: ( admin user password)  
2. Access the User Menu.
>> Main# /cfg/sys/user
------------------------------------------------------------
[User Menu]
passwd - Change own password
list - List all users
del - Delete a user
add - Add a new user
edit - Edit a user
caphrase - Certadmin export passphrase
>> User#
3. Specify the user name of the user whose password you want to change.
>> User# edit
Name of user to edit: cert_admin
4. Type the password command to initialize the password change.
>> User cert_admin# password  
Enter admin’s current password: ( admin user password)  
Enter new password for cert_admin: (new password for user  
being edited)  
Re-enter to confirm: (confirm new password for user being  
edited)  
5. Apply the changes.
>> User cert_admin# apply  
Changes applied successfully.  
--End--  
Deleting a user  
To delete a user from the system, you must be a member of the admin  
group. By default, only the admin user is a member of the admin group.  
ATTENTION  
Remember that when a user is deleted, that user’s group assignment is also  
deleted. If you are deleting a user who is the sole member of a group, none of  
the remaining users on the system can then be added to that group. Existing  
users can only be added to a group by a user who is already a member of that  
group. Before deleting a user, you may therefore want to verify that the user is  
not the sole member of a group.  
1. Log on to the Nortel SNAS cluster as the admin user.
login: admin  
Password: ( admin user password)  
2. Access the User Menu.
>> Main# /cfg/sys/user
------------------------------------------------------------
[User Menu]
passwd - Change own password
list - List all users
del - Delete a user
add - Add a new user
edit - Edit a user
>> User#
3. Specify the user name of the user you want to remove from the system configuration.
In this example, the cert_admin user is removed from the  
system. To list all users currently added to the system  
configuration, use the list command.  
>> User# del cert_admin  
4. Verify and apply the changes.
The imminent removal of the cert_admin user is indicated as a pending configuration change by the minus sign (-). To cancel a configuration change that has not yet been applied, use the revert command.
>> User# list
root
admin
oper
-cert_admin
>> User# apply
--End--  
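The group-membership, password and deletion rules from this chapter ("Managing user groups", "Changing passwords" and "Deleting a user"), as an added example that is not part of the Nortel manual: a Python model (not Nortel code) that enforces them and runs the separation procedure from "Adding a new user". It makes two consequences checkable that are easy to miss at the CLI: once admin has left the certadmin group, admin can no longer change the certificate administrator's password, because cert_admin's first group is certadmin; and deleting cert_admin while it is the sole certadmin member would leave the group unassignable, which is the check the ATTENTION notes ask you to make before `del`. The root user is listed by the CLI but its rights are not described in this chapter, so it is left out of the model.

```python
GROUPS = ("admin", "oper", "certadmin")


class Denied(Exception):
    """The acting user lacks the right for the requested operation."""


class UserStore:
    """Constructed model of the system-user rules: who may add or delete accounts,
    grant or revoke group membership, and change passwords. Group lists are
    ordered; index 0 is the user's 'first group'."""

    def __init__(self):
        # Default membership: admin in all three groups, oper in oper only.
        self.users = {"admin": ["admin", "oper", "certadmin"], "oper": ["oper"]}

    def is_admin(self, actor):
        return "admin" in self.users[actor]

    def add_user(self, actor, name):
        if not self.is_admin(actor):
            raise Denied("only admin group members can add users")
        if not name or " " in name or len(name) > 255:
            raise ValueError("user name: 1 to 255 characters, no spaces")
        if name in self.users:
            raise ValueError(f"{name} already exists")
        self.users[name] = []            # unusable until assigned to a group

    def add_to_group(self, actor, name, group):
        # Any user may grant membership, but only in a group the grantor belongs to.
        if group not in GROUPS:
            raise ValueError(f"unknown group {group}")
        if group not in self.users[actor]:
            raise Denied(f"{actor} is not a member of {group}")
        if group not in self.users[name]:
            self.users[name].append(group)

    def remove_from_group(self, actor, name, group):
        if not self.is_admin(actor):
            raise Denied("only admin group members can remove users from groups")
        groups = self.users[name]
        if group not in groups:
            raise ValueError(f"{name} is not in {group}")
        if len(groups) == 1:
            raise ValueError("a user needs at least one group: add the new group first")
        groups.remove(group)

    def can_change_password(self, actor, name):
        # Own password: always. Another user's: admin rights plus membership in
        # that user's first group.
        if actor == name:
            return True
        target = self.users[name]
        return self.is_admin(actor) and bool(target) and target[0] in self.users[actor]

    def sole_memberships(self, name):
        """Groups in which `name` is the only member. Deleting such a user leaves
        nobody able to grant that group, because only members can grant it."""
        others = [gs for u, gs in self.users.items() if u != name]
        return [g for g in self.users[name] if not any(g in gs for gs in others)]

    def delete_user(self, actor, name):
        if not self.is_admin(actor):
            raise Denied("only admin group members can delete users")
        if name == "admin":
            raise ValueError("the admin user cannot be deleted")
        orphaned = self.sole_memberships(name)
        if orphaned:
            raise ValueError(f"{name} is the sole member of {orphaned}; "
                             "grant the group to another user first")
        del self.users[name]


def separate_certadmin_role(store):
    """The manual's 'Adding a new user' procedure: create cert_admin, grant it
    certadmin membership, then remove admin from certadmin."""
    store.add_user("admin", "cert_admin")
    store.add_to_group("admin", "cert_admin", "certadmin")
    store.remove_from_group("admin", "admin", "certadmin")
    return store


if __name__ == "__main__":
    s = separate_certadmin_role(UserStore())
    print("memberships:", s.users)
    print("admin may reset cert_admin's password:", s.can_change_password("admin", "cert_admin"))
    print("deleting cert_admin would orphan:", s.sole_memberships("cert_admin"))
```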
Customizing the portal and user logon
Captive portal and Exclude List  
When the Nortel SNAS is configured to function as a captive portal, the  
Nortel SNAS acts as a DNS proxy while clients are in the Red VLAN. The  
captive web portal:  
accepts redirected HTTP/HTTPS requests from the clients  
resolves unknown names to a fixed IP address  
receives and manages communication requests from the clients to  
unauthorized network resources  
redirects client requests to an authentication page served by the portal  
The DHCP server must be configured to assign the portal Virtual IP  
address (pVIP) as the DNS server when the client is in the Red VLAN.  
The DHCP server is configured to specify the regular DNS servers for  
the scopes for the Green and Yellow VLANs. Once the client has been  
authenticated and is in a Green or Yellow VLAN, DNS requests are  
forwarded in the regular way to the corporate DNS servers.  
For information about configuring the captive portal, see “Configuring the  
Exclude List  
The Exclude List is a configurable list of domain names that will not  
be captured by the Nortel SNAS. The DNS server in the captive portal  
forwards requests for domain names in the Exclude List directly to the  
corporate DNS servers.  
In order to speed up client logon, add to the Exclude List any domain  
names for URLs that are routinely accessed during client logon or startup  
sequences. The Exclude List entry can be the full domain name or an  
expression.  
By default, the captive portal Exclude List includes the following:  
windowsupdate  
This will match all automatic Windows update domain names used by  
browsers, for example:  
windowsupdate.com  
windowsupdate.microsoft.com  
download.windowsupdate.microsoft.com  
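The Exclude List matching described above, as an added example that is not part of the Nortel manual: a Python model (not Nortel code) of the captive-portal DNS decision, run over constructed probe names. It assumes an unanchored search, which is what lets the default entry windowsupdate match download.windowsupdate.microsoft.com, and it uses Python's re as a stand-in for the Erlang engine on the switch, restricted to the constructs listed in Table 50. The point for a practitioner: every name an entry matches is reachable from the Red VLAN before logon, so the unanchored entry windowsupdate also admits windowsupdate.attacker.example, and the unescaped dot in the "full domain name" windowsupdate.com matches windowsupdatexcom. The tightened entry uses only ^, $, grouping, alternation and escaped dots. Note also that Table 50 gives \s and \d their Erlang string meanings (space and delete), not the whitespace and digit classes a PCRE user would expect, so do not write entries from PCRE habit.

```python
import re

# Python's re stands in for the Erlang regex engine on the SNAS, restricted to the
# constructs in Table 50. Matching is assumed to be an unanchored search: that is
# the only way the default entry 'windowsupdate' can match
# 'download.windowsupdate.microsoft.com'. Names are lower-cased before matching
# (DNS is case-insensitive; whether the SNAS does this is an assumption).


def excluded(entry, name):
    """True if one Exclude List entry matches the queried domain name."""
    return re.search(entry, name.lower().rstrip(".")) is not None


def red_vlan_dns_decision(exclude_list, name):
    """Captive-portal DNS proxy decision for a client still in the Red VLAN:
    'forward' sends the query to the corporate DNS servers (so the name is
    reachable before logon); 'portal' answers with the fixed portal address."""
    return "forward" if any(excluded(e, name) for e in exclude_list) else "portal"


def over_broad_entries(exclude_list, intended, probes):
    """Audit helper: for each entry, the probe names it matches that are not in
    the intended set. Each hit is a pre-authentication hole in the portal."""
    findings = {}
    for entry in exclude_list:
        leaks = [p for p in probes if p not in intended and excluded(entry, p)]
        if leaks:
            findings[entry] = leaks
    return findings


# The manual's examples for the default entry, plus constructed hostile look-alikes.
INTENDED = {"windowsupdate.com", "windowsupdate.microsoft.com",
            "download.windowsupdate.microsoft.com"}
PROBES = sorted(INTENDED) + ["windowsupdate.attacker.example",
                             "notwindowsupdate.example", "windowsupdatexcom"]

# Default entry as shipped, and a 'full domain name' entry with an unescaped dot.
LOOSE = ["windowsupdate", "windowsupdate.com"]
# Anchored replacement built only from Table 50 constructs: optional labels,
# then windowsupdate., then exactly com or microsoft.com, then end of string.
TIGHT = [r"^([a-z0-9-]+\.)*windowsupdate\.(com|microsoft\.com)$"]

if __name__ == "__main__":
    for label, entries in (("loose", LOOSE), ("tight", TIGHT)):
        print(label, over_broad_entries(entries, INTENDED, PROBES))
```

Before adding an entry to speed up logon, run the probe set against it: anything outside the intended names that comes back as "forward" is a destination an unauthenticated client can reach through the portal's DNS proxy.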
For information about configuring the Exclude List, see "Configuring the
Table 50 "Allowed regular expressions and escape sequences" (page 229) lists the regular expressions and escape sequences you can use in an Exclude List entry. The set of allowable regular expressions is a subset of the set found in egrep and in the AWK programming language. The escape sequences are allowed in Erlang strings.
Table 50
Allowed regular expressions and escape sequences

Expressions
  c          Matches the non-metacharacter c.
  \c         Matches the literal character c (see escape sequences).
  .          Matches any character.
  ^          Matches the beginning of a string.
  $          Matches the end of a string.
  [abc...]   Character class, which matches any of the characters abc.... Character ranges are specified by a pair of characters separated by a hyphen (-).
  [^abc...]  Negated character class, which matches any character except abc....
  r1|r2      Alternation: matches either r1 or r2.
  r1r2       Concatenation: matches r1 and then r2.
  r+         Matches one or more r's.
  r*         Matches zero or more r's.
  r?         Matches zero or one r.
  (r)        Grouping: matches r.

Escape sequences
  \b     backspace
  \f     form feed
  \n     newline (line feed)
  \r     carriage return
  \t     tab
  \e     escape
  \v     vertical tab
  \s     space
  \d     delete
  \ddd   the octal value ddd
  \c     literal character c. For example: \\ for backslash, \" for double quotation mark (")
Portal display  
You can modify the following features of the portal display and behavior:  
portal look and feel (see “Portal look and feel” (page 230))  
post-authentication behavior (see “Automatic redirection to internal  
Portal look and feel  
You can customize the colors, logos, icons, and text used on the portal  
page. You can also add custom content, such as Java applets, to the  
portal. You can then add links to the portal page to make the content  
available to clients.  
This section includes information about the following topics:  
For information about the commands to configure the portal look and feel,  
tab" (page 231) shows the default portal Home tab.  
Figure 14  
Default appearance of the portal Home tab  
Colors There are four colors used on the portal page:  
color1—the large background area below the tabs  
color2—the background area behind the tab labels  
color3—the fields, information area, and clean icons on the active tab  
color4—not used  
There are five optional color themes. The themes are predefined sets of  
web-safe colors that complement each other.  
aqua  
apple  
jeans  
cinnamon  
candy  
You can change the individual colors, but Nortel recommends using the  
color themes to change the look and feel of the portal page. If you change  
the portal colors, use colors that are considered web safe. Also consider  
how the applied colors fit with your company logo and brand.  
The colors are specified using hexadecimal codes. Table 51 "Common  
colors, with hexadecimal codes" (page 232) lists the hexadecimal values  
for some commonly used web-safe colors. For additional color values, use  
an Internet search engine to find web sites offering comprehensive listings.  
Table 51  
Common colors, with hexadecimal codes  

Color            Hexadecimal code  
White            FFFFFF  
Black            000000  
Dark gray        A9A9A9  
Light gray       D3D3D3  
Red              FF0000  
Green            008000  
Blue             0000FF  
Yellow           FFFF00  
Orange           FFA500  
Violet           EE82EE  
Dark violet      9400D3  
Pink             FFC0CB  
Brown            A52A2A  
Beige            F5F5DC  
Lime green       32CD32  
Light green      90EE90  
Dark blue        00008B  
Navy             000080  
Light skyblue    87CEFA  
Medium blue      0000CD  
Dark red         8B0000  
For the commands to configure the colors used on the portal, see  
For examples of how you can use macros to configure links and  
redirection to internal sites, see “Automatic redirection to internal sites”  
Self service portal  
The Nortel SNAS self-service portal provides a web-based ‘help desk’ where  
users can collect information about their network connection, compliance  
and user status, and where guest access can be provisioned for users. The  
portal can be customized by using localized language files. The Nortel  
Health Agent runs on non-English versions of the operating systems.  
Language localization The default English-language dictionary file  
contains entries for the text for tab names, general text, messages,  
buttons, and field labels on the portal page. The entries in the dictionary  
file can be translated into another language. You can then set the portal to  
display the translated text.  
The languages supported by the Nortel SNAS are configured for the  
system, but the language selected for the portal is a domain parameter.  
The Nortel SNAS uses ISO 639 language codes to track languages that  
have been added to the configuration. English (en) is the predefined  
language and is always present.  
To change the language displayed for tab names, general text, messages,  
buttons, and field labels on the portal page, do the following:  

Step  Action  
1     Export the language definition template (see “Configuring  
2     Translate the language definition template file.  
      a  Open the file with a text editor such as Notepad.  
      b  Verify that the charset parameter specified in the  
         Content-Type entry is set according to the character encoding  
         scheme you are using. For example:  
         "Content-Type: text/plain; charset=iso-8859-1\n"  
      c  Translate the entries displayed under msgstr (message  
         string).  
      ATTENTION  
      Do not translate the entries under msgid (message id).  
      There are useful Open Source software tools for translating  
      po files. Search for po files editor in your web search engine  
      to find tools that run on Windows and Unix. A translation tool  
      is particularly useful when a new version of the Nortel SNAS  
      software is released: you can export the new template file  
      supplied with the software and merge it with a previously  
      translated language file, so that only new and changed text  
      strings need to be translated.  
3     Import the translated language definition file (see “Configuring  
4     Set the portal to display the new language (see “Setting the  
--End--  
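The following Python example is added here to illustrate steps 2b and 2c and the merge described in the ATTENTION note; it is not Nortel code and not a tool the manual ships. It assumes the exported template is a gettext-style .po file with a header entry (msgid "") carrying the Content-Type line, reads the declared charset, carries msgstr values from a previously translated file into a new template without touching any msgid, and reports the entries that still need translating. Both sample files are constructed for the example.

```python
import re
from collections import OrderedDict

# Escapes that may appear inside a quoted .po string.
_PO_ESCAPES = {"n": "\n", "t": "\t", '"': '"', "\\": "\\"}

def _unquote(s):
    """Strip the surrounding quotes of a .po string and decode its escapes."""
    body = s.strip()[1:-1]
    return re.sub(r"\\(.)", lambda m: _PO_ESCAPES.get(m.group(1), m.group(1)), body)

def parse_po(text):
    """Return an OrderedDict msgid -> msgstr; the header is the entry with msgid ""."""
    entries = OrderedDict()
    msgid = msgstr = None
    field = None                      # which string the continuation lines extend
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("msgid "):
            if msgid is not None:     # close the previous entry
                entries[msgid] = msgstr or ""
            msgid, msgstr, field = _unquote(line[6:]), None, "id"
        elif line.startswith("msgstr "):
            msgstr, field = _unquote(line[7:]), "str"
        elif line.startswith('"') and field == "id":
            msgid += _unquote(line)
        elif line.startswith('"') and field == "str":
            msgstr += _unquote(line)
    if msgid is not None:
        entries[msgid] = msgstr or ""
    return entries

def header_charset(entries):
    """The charset declared in the Content-Type header entry (step 2b), lower-cased."""
    m = re.search(r"charset=([\w-]+)", entries.get("", ""), re.IGNORECASE)
    return m.group(1).lower() if m else None

def merge(template, previous):
    """Carry msgstr values from a previously translated file into a new template.

    Returns (merged entries, msgids still needing translation). msgid keys are
    never altered (the ATTENTION note); only msgstr values are filled in."""
    merged, todo = OrderedDict(), []
    for msgid, msgstr in template.items():
        if msgid == "":
            merged[msgid] = msgstr     # keep the new template's header as exported
            continue
        merged[msgid] = previous.get(msgid, "")
        if not merged[msgid]:
            todo.append(msgid)
    return merged, todo

def render_po(entries):
    """Serialize entries back to .po text, re-encoding the escapes."""
    def q(s):
        return '"' + s.replace("\\", "\\\\").replace('"', '\\"').replace("\n", "\\n") + '"'
    return "\n".join(f"msgid {q(k)}\nmsgstr {q(v)}\n" for k, v in entries.items())

# Constructed sample files (not exported from a real Nortel SNAS).
TEMPLATE = '''# constructed language definition template
msgid ""
msgstr ""
"Content-Type: text/plain; charset=iso-8859-1\\n"

msgid "Home"
msgstr ""

msgid "Log out"
msgstr ""

msgid "Your session has expired"
msgstr ""
'''

PREVIOUS = '''# constructed previously translated file (French)
msgid ""
msgstr "Content-Type: text/plain; charset=iso-8859-1\\n"

msgid "Home"
msgstr "Accueil"

msgid "Log out"
msgstr "Se déconnecter"
'''

if __name__ == "__main__":
    template = parse_po(TEMPLATE)
    print("charset:", header_charset(template))
    merged, todo = merge(template, parse_po(PREVIOUS))
    print("still to translate:", todo)
    print(render_po(merged))
```

Check the charset reported by header_charset against the encoding your editor saves the file in before importing it with /cfg/lang/import; a mismatch is the most common reason translated labels render as garbage on the portal.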
Linksets and links  
You can add the following types of links to the portal Home tab:  
External—links directly to a web page. Suitable for external web sites.  
FTP—links to a directory on an FTP server.  
A linkset is a set of one or more links. Each linkset configured for the  
domain can be mapped to one or more groups and extended profiles in the  
domain. After the client has been authenticated, the client’s portal page  
displays all the links included in the linksets associated with the client’s  
group. The client’s portal page also displays all the linksets associated  
with the client’s extended profile. For information about mapping linksets  
to groups and  
Autorun linksets You can enable an autorun feature for a linkset so that  
all links defined for that linkset execute automatically after the client has  
been authenticated. For example, you can configure an autorun linkset  
to automatically link to the URL of the remediation server, and then map  
this linkset to all extended profiles which filter for clients who fail the Nortel  
Health Agent host integrity check.  
No links for the autorun linkset display on the portal page. Each link in the  
linkset opens in a new browser window. If the autorun linkset includes  
multiple links, multiple browser windows will open. For information about  
configuring autorun, see “Configuring linksets” (page 251).  
The linkset autorun feature is similar to the portal feature allowing  
automatic redirection to internal sites (see “Automatic redirection to internal  
sites” (page 236)). The linkset feature allows more granular control of  
this functionality. Also, unlike the linkset autorun feature, the automatic  
redirection feature does not open the link in a new browser window.  
Planning the linksets Plan your configuration so that linksets containing  
common links are separate from linksets containing group-specific links.  
Also ensure that the links you are providing to resources do not contradict  
the client’s access rights.  
You can control the order in which links display on the portal Home tab.  
Consider the following in your planning:  
Linksets for the group display after the linksets for the client’s extended  
profile.  
The index number you assign to the linkset controls the order in which  
the linksets display. You assign the index number when you map the  
linkset to the group or extended profile (see “Mapping linksets to a  
The index number you assign to the link controls the order in which the  
links display within the linkset. You assign the index number when you  
include the link in the linkset (see “Configuring links” (page 253)).  
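To make the ordering and autorun rules above concrete, here is an added Python model (not Nortel code) of what an authenticated client receives from its linkset mappings. It assumes the mapping index assigned when a linkset is mapped to a group or extended profile, the link index inside a linkset, and the autorun flag are the only inputs; the linksets and links are constructed for the example, including a filled-in nha_failed linkset that the quick setup wizard would create empty.

```python
from dataclasses import dataclass, field

@dataclass
class Link:
    text: str
    url: str
    kind: str = "external"            # link types on the page: external | ftp

@dataclass
class Linkset:
    linkset_id: int
    name: str
    autorun: bool = False             # autorun true | false on the linkset
    links: dict = field(default_factory=dict)   # link index -> Link

def portal_home_links(profile_linksets, group_linksets):
    """Compute what a client sees after authentication.

    profile_linksets and group_linksets map the index number assigned at
    mapping time to a Linkset. Returns (links shown on the Home tab in
    display order, URLs that open automatically and are not listed)."""
    shown, autorun = [], []
    # Extended-profile linksets display before the group's linksets; within
    # each mapping the mapping index orders linksets, the link index orders links.
    for mapping in (profile_linksets, group_linksets):
        for _, linkset in sorted(mapping.items()):
            ordered = [linkset.links[i] for i in sorted(linkset.links)]
            if linkset.autorun:
                autorun.extend(link.url for link in ordered)   # one new window each
            else:
                shown.extend(ordered)
    return shown, autorun

if __name__ == "__main__":
    # Constructed configuration: a common linkset, a group-specific one and an
    # autorun remediation linkset mapped to the profile of clients that failed
    # the Nortel Health Agent check.
    common = Linkset(3, "common", links={
        2: Link("Mail", "https://mail.example.com"),
        1: Link("Intranet", "https://intranet.example.com")})
    dept = Linkset(4, "deptA", links={1: Link("DeptA wiki", "https://wiki.example.com/deptA")})
    remediation = Linkset(2, "nha_failed", autorun=True,
                          links={1: Link("Remediation", "https://remediation.example.com")})
    shown, auto = portal_home_links({1: remediation}, {2: common, 1: dept})
    print([link.text for link in shown], auto)
```

Running the model against a planned configuration is a quick way to confirm that group-specific links are not accidentally shown to every profile, and that an autorun linkset with several links will open several windows.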
Macros  
Macros are inline functions you can use to insert variable arguments in  
text, in order to customize the portal for individual users.  
The following macros are available for use as arguments in parameters for  
links, display text, and redirection commands:  
<var:portal>—expands to the domain name of the portal  
<var:user>—expands to the user name of the currently logged in  
client  
<var:password>—expands to the password of the currently logged  
in client  
<var:group>—expands to the name of the group of which the  
currently logged in client is a member  
Automatic redirection to internal sites  
You can configure the portal to automatically redirect authenticated clients  
to an internal site. Unlike the linkset autorun feature, automatic redirection  
does not open a new browser window. Rather, it replaces the default  
Home page in the internal frame on the portal browser page. As long as  
the browser remains open, the session remains logged in.  
The commands to configure automatic redirection require you to specify  
the URL to which the clients will be redirected, prefixed by the portal  
Examples of redirection URLs and links  
example specifications for redirection URLs and associated links. In these  
examples:  
the portal address is nsnas.example.com  
the address to which you want to redirect clients is inside.example.com  
Table 52  
Examples of redirection URLs and link text  

Purpose: Redirect the client to an internal site.  
Redirection URL:  
  https://nsnas.example.com/http/inside.example.com  
  or  
  https://<var:portal>/http/inside.example.com  

Purpose: Redirect the client to a password-protected site.  
Redirection URL:  
  https://<var:portal>/http/<var:user>:<var:password>@inside.example.com/protected  
ATTENTION  
The user name and password on the intranet site and the portal must be  
identical.  

Purpose: Redirect clients to different sites, depending on their group  
membership (deptA or deptB).  
Linktext (static text) entry:  
  <script>if ("<var:group>" == "deptA") { location.replace("https://nsnas.example.com/http/inside.example.com/deptA.html");} else if ("<var:group>" == "deptB") { location.replace("https://nsnas.example.com/http/inside.example.com/deptB.html");} </script>  

Purpose: Insert a link on the internal site for the client to log off from  
the portal.  
Link:  
  <a href=https://nsnas.example.com/logout.yaws> Logout from portal </a>  
Managing the end user experience  
Nortel recommends that you consider the following ways in which you can  
manage the end user’s experience:  
Automatic JRE upload  
The Nortel SNAS portal requires the client device to be running a minimum  
version of the Java Runtime Environment (JRE) in order for the Nortel  
Health Agent applet to load properly. Nortel recommends adding the  
required JRE version and plugins.html as custom content to the portal.  
In this way, if the client does not meet the Java requirement and Nortel  
Health Agent does not load, the client will be presented with a logon  
screen to automatically download and install the required JRE.  
To configure the portal to automate the process of updating the client’s  
JRE version, perform the following steps:  

Step  Action  
1     Create the plugins.html file, with a link to the JRE installer that  
      you want.  
2     Download the JRE installer from the Sun Microsystems Java  
      web site (http://www.java.com).  
3     Bundle plugins.html and the JRE installer in a zip file.  
4     Add the zip file as custom content to the portal.  
--End--  
For general information about adding custom content to the portal, see  
“Configuring custom content” (page 250). For information about the  
minimum JRE requirements, see Release Notes for the Nortel Secure  
Network Access Solution, Software Release 1.6.1 (NN47230-400).  
Windows domain logon script  
Configure a Windows domain logon script to automatically launch the end  
user’s browser and present the Nortel SNAS portal page on start-up. The  
exact requirements for the script depend on your particular network setup  
and usual modes of end-user access.  
For an example of a very simple script and instructions on assigning the  
script to all users in the domain, see “Using a Windows domain logon  
Customizing the portal and logon  
The following section describes the CLI commands to customize the portal  
and user logon.  
Roadmap of portal and logon configuration commands  
The following roadmap lists all the CLI commands to customize the portal  
and user logon. Use this list as a quick reference or click on any entry for  
more information.  
Parameter                                    Command  
/cfg/domain #/dnscapt                        ena  
                                             dis  
/cfg/domain #/dnscapt/exclude                list  
                                             del <index name>  
                                             add <domain name>  
                                             insert <index number> <domain name>  
                                             move <index number> <new index number>  
/cfg/lang                                    import <protocol> <server> <filename> <code>  
                                             export <protocol> <server> <filename>  
                                             list  
                                             vlist [<letter>]  
                                             del <code>  
/cfg/domain #/portal/lang                    setlang <code>  
                                             charset  
                                             list  
/cfg/domain #/portal                         import <protocol> <server> <filename>  
                                             restore  
                                             banner  
                                             redirect <URL>  
                                             logintext <text>  
                                             iconmode clean | fancy  
                                             linktext <text>  
                                             linkurl on | off  
                                             linkcols <columns>  
                                             linkwidth <width>  
                                             companynam  
                                             ieclear on | off  
/cfg/domain #/portal/colors                  color1 <code>  
                                             color2 <code>  
                                             color3 <code>  
                                             color4 <code>  
                                             theme default | aqua | apple | jeans | cinnamon | candy  
/cfg/domain #/portal/content                 import <protocol> <server> <filename>  
                                             export <protocol> <server> <filename>  
                                             delete  
                                             available  
                                             ena  
                                             dis  
/cfg/domain #/linkset <linkset ID>           name <name>  
                                             text <text>  
                                             autorun true | false  
                                             del  
/cfg/domain #/linkset <linkset ID>/link <index>  
                                             move <new index>  
                                             text <text>  
                                             type external | ftp  
                                             del  
/cfg/domain #/linkset <linkset ID>/link <index>/external/quick  
/cfg/domain #/linkset <linkset ID>/link <index>/ftp/quick  
Configuring the captive portal  
By default, the Nortel SNAS is set up to function as a captive portal. (For  
more information about the captive portal in the Nortel SNAS domain, see  
To configure the Nortel SNAS portal as a captive portal, use the following  
command:  
/cfg/domain #/dnscapt  
The DNS Capture menu appears.  
The DNS Capture menu includes the following options:  

/cfg/domain #/dnscapt followed by:  
  exclude    Accesses the DNS Exclude menu, in order to configure the  
             Exclude List (see  
  ena        Enables captive portal functionality.  
  dis        Disables captive portal functionality.  
Configuring the Exclude List  
The Exclude List is a list of domain names that will not be captured by the  
Nortel SNAS. (For more information about the Exclude List, see “Exclude  
To create and manage the Exclude List, use the following command:  
/cfg/domain #/dnscapt/exclude  
The DNS Exclude menu appears.  
The DNS Exclude menu includes the following options:  

/cfg/domain #/dnscapt/exclude followed by:  
  list  
      Lists the currently configured Exclude List entries by index number.  
  del <index name>  
      Removes the Exclude List entry represented by the specified index  
      number. The index numbers of the remaining entries adjust  
      accordingly.  
  add <domain name>  
      Adds an entry to the Exclude List.  
      domain name is a string identifying the domain names to be  
      forwarded directly to the corporate DNS servers  
      For information about allowable expressions and escape sequences,  
      see “Exclude List”  
      The Nortel SNAS assigns the next available index number to the  
      entry.  
  insert <index number> <domain name>  
      Inserts an entry at a particular position in the list. The index  
      number you specify must be in use. The index numbers of existing  
      entries with this index number and higher are incremented by 1.  
  move <index number> <new index number>  
      Moves an entry up or down the list. The index numbers of the  
      remaining entries adjust accordingly.  
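The Python example below is added for this page (it is not Nortel code) to show how Exclude List entries behave, for both the expression syntax of Table 50 and the index-number semantics of add, insert, del and move described above. It translates an expression written in the Table 50 subset into a Python re pattern, mapping the escape sequences whose meaning differs in Python (\s is a space, \d is delete, \b is backspace), and keeps an ordered list with one-based index numbers. It assumes, as egrep does, that an entry matches anywhere in the queried name unless anchored with ^ or $; the entries are constructed. It is meant as an audit aid: an over-broad entry forwards more names past the captive portal than intended.

```python
import re

# Table 50 escape sequences that stand for one character (\ddd and \c are handled in code).
_ESCAPES = {"b": "\b", "f": "\f", "n": "\n", "r": "\r", "t": "\t",
            "e": "\x1b", "v": "\v", "s": " ", "d": "\x7f"}
_META = set(".^$|+*?()")      # Table 50 metacharacters that Python re shares

def _escape_at(expr, i):
    """Decode the escape beginning at expr[i] == '\\'; return (literal char, next index)."""
    if i + 1 >= len(expr):
        raise ValueError("dangling backslash")
    m = re.match(r"[0-7]{1,3}", expr[i + 1:])
    if m:                                      # \ddd: the character with octal value ddd
        return chr(int(m.group(0), 8)), i + 1 + len(m.group(0))
    c = expr[i + 1]
    return _ESCAPES.get(c, c), i + 2           # \c for any other c is the literal c

def to_python_regex(expr):
    """Translate an Exclude List expression (Table 50 subset) into a Python re pattern."""
    out, i, n = [], 0, len(expr)
    while i < n:
        c = expr[i]
        if c == "\\":
            lit, i = _escape_at(expr, i)
            out.append(re.escape(lit))
        elif c == "[":                         # character class: decode escapes inside it
            j, cls = i + 1, ["["]
            if j < n and expr[j] == "^":
                cls.append("^")
                j += 1
            while j < n and expr[j] != "]":
                if expr[j] == "\\":
                    lit, j = _escape_at(expr, j)
                    escaped = True
                else:
                    lit, j, escaped = expr[j], j + 1, False
                # a bare '-' keeps working as a range; escape what Python treats specially
                special = lit in "\\]^[" or (escaped and lit == "-")
                cls.append("\\" + lit if special else lit)
            if j >= n:
                raise ValueError("unterminated character class")
            cls.append("]")
            out.append("".join(cls))
            i = j + 1
        elif c in _META:
            out.append(c)
            i += 1
        else:                                  # anything else, e.g. '{', is an ordinary character
            out.append(re.escape(c))
            i += 1
    return "".join(out)

class ExcludeList:
    """Ordered Exclude List with the index semantics of /cfg/domain #/dnscapt/exclude."""
    def __init__(self):
        self._entries = []                     # position 0 holds index number 1

    @staticmethod
    def _entry(expr):
        return (expr, re.compile(to_python_regex(expr)))

    def _check(self, index):
        if not 1 <= index <= len(self._entries):
            raise IndexError(f"index number {index} is not in use")

    def list(self):
        return [(i + 1, expr) for i, (expr, _) in enumerate(self._entries)]

    def add(self, expr):                       # gets the next available index number
        self._entries.append(self._entry(expr))
        return len(self._entries)

    def insert(self, index, expr):             # entries at index and above shift up by 1
        self._check(index)
        self._entries.insert(index - 1, self._entry(expr))

    def delete(self, index):                   # later entries renumber downwards
        self._check(index)
        del self._entries[index - 1]

    def move(self, index, new_index):
        self._check(index)
        self._check(new_index)
        self._entries.insert(new_index - 1, self._entries.pop(index - 1))

    def excluded_by(self, name):
        """Index number of the first entry matching name, or None if it would be captured."""
        for i, (_, rx) in enumerate(self._entries):
            if rx.search(name):
                return i + 1
        return None

if __name__ == "__main__":
    ex = ExcludeList()
    ex.add(r"(^|\.)corp\.example\.com$")       # corp.example.com and its subdomains only
    ex.add("example.com")                      # an unescaped '.' matches any character
    for name in ("www.corp.example.com", "exampleXcom", "example.org"):
        print(name, "->", ex.excluded_by(name))
```

The second entry in the sample shows the check worth running on a real list: because `.` is a metacharacter and the entry is not anchored, `example.com` also excludes names such as `exampleXcom`, while the anchored, escaped first entry excludes exactly the intended domain and its subdomains.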
Changing the portal language  
To change the language displayed for tab names, general text, messages,  
buttons, and field labels on the portal page, do the following:  

Step  Action  
1     Export the language definition template (see “Configuring  
2     Translate the language definition template file (see “Language  
3     Import the translated language definition file (see “Configuring  
4     Set the portal to display the new language (see “Setting the  
--End--  
Configuring language support  
To manage the language definition files in the system, use the following  
command:  
/cfg/lang  
The Language Support menu appears.  
The Language Support menu includes the following options:  
/cfg/lang followed by:  
  import <protocol> <server> <filename> <code>  
      Imports a ready-to-use language definition file from the specified  
      TFTP/FTP/SCP/SFTP file exchange server.  
      protocol is the import protocol. Options are tftp|ftp|scp|sftp.  
      server is the host name or IP address of the server  
      filename is the name of the language definition file on the server  
      code is the ISO 639 language code to identify the language  
      When you import the file, you are prompted to specify the ISO 639  
      language code. The language code is saved to the configuration  
      together with the imported language definition file. To view valid  
      language codes, use the /cfg/lang/vlist command.  
      For more information about language support on the portal, see  
      “Language  
  export <protocol> <server> <filename>  
      Exports the language definition template to the specified  
      TFTP/FTP/SCP/SFTP file exchange server.  
      protocol is the export protocol. Options are tftp|ftp|scp|sftp.  
      server is the host name or IP address of the server  
      filename is the name of the language definition file  
      code is the ISO 639 language code to identify the language  
      Once the template file has been exported and downloaded, you can  
      translate screen text, such as button and field labels, directly in  
      the file. Then upload the translated file to a TFTP/FTP/SCP/SFTP  
      file exchange server and import it using the /cfg/lang/import  
      command.  
  list  
      Lists the languages that have been added to the configuration, by  
      language code and description. English (en) is the predefined  
      language and is always present.  
  vlist [<letter>]  
      Lists all valid language codes and their corresponding description.  
      To list all valid language codes beginning with a specific letter,  
      specify the letter in the command.  
  del <code>  
      Deletes the language definition file for the specified language  
      code. You cannot delete a language file that is currently in use.  
      English (en) is the predefined language and cannot be deleted.  
Setting the portal display language  
To set the preferred language for the portal display, use the following  
command:  
/cfg/domain #/portal/lang  
The Portal Language menu appears.  
The Portal Language menu includes the following options:  

/cfg/domain #/portal/lang followed by:  
  setlang <code>  
      Specifies the language to be used for the portal display.  
      code is the ISO 639 language code to identify the language  
      Before you can set the preferred language, you must import the  
      corresponding language definition file (see “Configuring  
      supported language codes, use the /cfg/domain #/portal/lang/list  
      command.  
  charset  
      Prints the character set that is currently in use on the portal.  
  list  
      Lists the currently supported languages, by language code and  
      description.  
Configuring the portal display  
To modify the look and feel of the portal page that appears in the client’s  
web browser, use the following command:  
/cfg/domain #/portal  
The Portal menu appears.  
The Portal menu includes the following options:  

/cfg/domain #/portal followed by:  
  import <protocol> <server> <filename>  
      Imports a graphics file for the banner (in GIF format) from the  
      specified TFTP/FTP/SCP/SFTP file exchange server.  
      protocol is the import protocol. Options are tftp|ftp|scp|sftp.  
      server is the host name or IP address of the server  
      filename is the name of the graphics file (.gif)  
      When the download is complete and you apply the changes, the new  
      image replaces the existing banner image on the portal web page.  
      Clients who are currently logged on will not notice the change  
      unless they reload the portal web page.  
      The maximum size of the banner image file is 16 MB. If there are  
      several Nortel SNAS domains, the total size of all imported banner  
      image files must not exceed 16 MB.  
      For more information about the customizable elements on the portal  
      230).  
  restore  
      Restores the default Nortel banner.  
  banner  
      the file name of the banner image file currently in use.  
  redirect <URL>  
      Sets the URL to which clients are automatically redirected after  
      authentication by the portal.  
      URL is the URL to which to direct the client, prefixed by the  
      portal address  
      For example, if the portal address is nsnas.example.com and you  
      want to redirect clients automatically to inside.example.com, the  
      URL parameter is:  
      https://nsnas.example.com/http/inside.example.com  
      Alternatively, you can use the <var:portal> macro to represent  
      the portal address.  
      With redirection configured, the client will not be able to access  
      tabs on the portal page.  
      To remove redirection, replace the previously specified URL with  
      an empty string by pressing Enter at the URL prompt.  
      For more information about using macros in URLs, see “Macros”  
      (page 235). For more information about redirecting clients to  
      internal sites, see “Automatic redirection  
  logintext <text>  
      Specifies custom text to be displayed on the portal logon page.  
      text is an ordinary text string or HTML code  
      You can type in the text or paste it in at the prompt. To signal  
      the end of the string, press Enter to create a new line, type an  
      ellipsis (...), and then press Enter again.  
  iconmode clean|fancy  
      Specifies the mode for the icons representing portal links (for  
      example, file server links).  
      clean  simple icons using a single color (color3)  
      fancy  multicolored, shaded, and animated icons  
      The default value is fancy.  
      For more information about linksets and  
      For information about configuring links,  
      For information about customizing the colors used on the portal  
      page, see  
  linktext <text>  
      Specifies static text to be displayed above the group links on the  
      portal Home tab. The static text is the same for all clients, but  
      the links themselves may change, depending on the client’s group  
      membership.  
      text is an ordinary text string or HTML code  
      You can type in the text or paste it in at the prompt. To signal  
      the end of the string, press Enter to create a new line, type an  
      ellipsis (...), and then press Enter again.  
      You can use the <var:user> and <var:group> macros in the link  
      text. For an example of using the <var:group> macro in a  
      JavaScript linktext entry in order to configure group-controlled  
      redirection to internal sites, see Table 52  
      For more information about using macros in links, see “Macros”  
      (page 235). For more information about configuring links,  
  linkurl on|off  
      Sets the display mode for the Enter URL field on the portal Home  
      tab. Display mode options are:  
      on—the Enter URL field is displayed  
      off—the Enter URL field is not displayed  
      The default is on.  
  linkcols <columns>  
      Sets the number of columns for the link table on the portal Home  
      tab.  
      columns is a positive integer  
      The default value is 2.  
  linkwidth <width>  
      Sets the width of the link table on the portal Home tab. The link  
      table is adjusted to the left on the white area of the Home tab.  
      The options for the table width are:  
      auto—the columns are distributed evenly across the Home tab  
      <percent>—specifies the percentage of the white area that will be  
      used for the link table. The range is 1–100%.  
      The default value is 100% (the entire white area will be used).  
  companynam  
      Specifies the company name to display on the portal page. The  
      default is Nortel.  
  colors  
      Accesses the Portal Colors menu, in order to customize the color  
      theme and individual colors used on the portal page  
      249)).  
  content  
      Accesses the Portal Custom Content menu, in order to provide  
      custom content for the portal page (see “Configuring  
  lang  
      Accesses the Portal Language menu, in order to set the preferred  
      language for the portal display (see “Setting the portal  
  ieclear on|off  
      Controls use of the ClearAuthenticationCache feature available in  
      Internet Explorer 6, SP 1 and later (IE). The feature is used to  
      clear sensitive information (such as passwords and cookies) from  
      the cache when a user logs out from a secure session.  
      on—the cache is cleared for all instances of the current process  
      when the user logs off from the portal. The user will also be  
      logged off from any other sites at the same time.  
      off—when the user logs off from the portal, the cache is not  
      cleared until the user closes the browser  
      The default value is on.  
Changing the portal colors  
To customize the colors used for the portal display, use the following  
command:  
/cfg/domain #/portal/colors  
The Portal Colors menu appears.  
The Portal Colors menu includes the following options:  

/cfg/domain #/portal/colors followed by:  
  color1 <code>  
      Specifies the color for the large background area below the tabs.  
      code is the hexadecimal value for the color, including the #  
      symbol (not case sensitive)  
      The default value is #ACCDD5.  
  color2 <code>  
      Specifies the color for the background area behind the labels.  
      code is the hexadecimal value for the color, including the #  
      symbol (not case sensitive)  
      The default value is #D0E4E9.  
  color3 <code>  
      Specifies the color for the fields, information area, and clean  
      icons on the active tab.  
      code is the hexadecimal value for the color, including the #  
      symbol (not case sensitive)  
      The default value is #2088A2.  
  color4 <code>  
      Specifies the color for non-active tabs.  
      code is the hexadecimal value for the color, including the #  
      symbol (not case sensitive)  
      The default value is #58B2C9.  
  theme default|aqua|apple|jeans|cinnamon|candy  
      Specifies the color theme for the portal. The default is default.  

For more information about the portal colors and themes, see “Colors”  
Configuring custom content  
To add custom content, such as Java applets, to the portal, use the  
following command:  
/cfg/doamin #/portal/content  
The Portal Custom Content menu appears.  
The Portal Custom Content menu includes the following options:  
/cfg/doamin #/portal/content  
followed by:  
import <protocol> <server>  
<filename>  
Imports a content file (in ZIP format) from  
the specified TFTP/FTP/SCP/SFTP file  
exchange server.  
protocol is the import protocol.  
Options are tftp|ftp|scp|sftp.The  
default is tftp.  
server is the host name or IP address  
of the server  
filename is the name of the content  
file (.zip) on the server  
The file is saved in the portal’s root  
directory and is automatically unpacked.  
/cfg/domain #/portal/content
followed by:
export <protocol> <server> <filename>
    Exports a content file (in ZIP format) from the portal to the specified TFTP/FTP/SCP/SFTP file exchange server.
    protocol is the export protocol. Options are tftp|ftp|scp|sftp.
    server is the host name or IP address of the server.
    filename is the name of the content file (.zip).
delete
    Deletes all uploaded content from the portal.
available
    Shows remaining memory space available for custom content, in kilobytes (KB).
ena
    Enables client access to custom content. The default is disabled.
dis
    Disables client access to custom content.
Configuring linksets
A linkset is a set of links that display on the portal Home tab. For more information about linksets and links, see “Linksets and links” (page 234).
To create and configure a linkset, use the following command:
/cfg/domain #/linkset <linkset ID>
where
    linkset ID is an integer in the range 1 to 1024 that uniquely identifies the linkset in the Nortel SNAS domain.
ATTENTION
If you ran the quick setup wizard during initial setup, two linksets have been created: nha_passed (linkset ID = 1) and nha_failed (linkset ID = 2). The linksets are empty.
When you first create the linkset, if you do not specify the ID in the command, you will be prompted to enter the linkset ID or name. You must enter the ID for the new linkset. You will then be prompted to enter the linkset name. After you have created the linkset, you can use either the ID or the name to access the linkset for configuration.
The Linkset menu appears.
The Linkset menu includes the following options:
/cfg/domain #/linkset <linkset ID>
followed by:
name <name>
    Names or renames the linkset. After you have defined a name for the linkset, you can use either the linkset name or the linkset ID to access the Linkset menu.
    name is a string that must be unique in the domain. The maximum length of the string is 255 characters.
    You reference the linkset name when mapping the linkset to groups or extended profiles using the /cfg/domain #/aaa/group #[/extend #]/linkset command. When you map the linkset to a group, members of the group get access to all the links contained in the linkset. The links display on the portal Home tab.
text <text>
    Specifies text to display as a heading above the linkset links on the portal Home tab.
    text is an ordinary text string or HTML code.
    The heading text is optional.
/cfg/domain #/linkset <linkset ID>
followed by:
autorun true|false
    Specifies whether autorun support is enabled or disabled. The options are:
    true—autorun is enabled
    false—autorun is disabled
    If enabled, all links defined for the linkset execute automatically after the client has been authenticated. No links for this linkset display on the portal Home tab.
    The default is disabled.
    For more information about the type of links you can configure, see “Linksets and links” (page 234).
link <index>
    Accesses the Link menu, in order to create or configure links for the linkset (see “Configuring links”).
    To view existing linksets, press TAB following the link command.
del
    Removes the linkset from the current configuration.
Configuring links
To create and configure the links included in the linkset, use the following command:
/cfg/domain #/linkset <linkset ID> /link <index>
where
    index is an integer in the range 1 to 256 that indicates the position of the link in the linkset.
When you first create the link, if you do not specify the index in the command, you will be prompted to enter the index or name. You must enter the index for the new link. You will then be prompted to enter the following parameters:
link text—a string that displays on the portal Home tab as the clickable link text. You can later modify the text by using the text command on the Link menu.
type—the link type (external or ftp). The default is external.
After you enter the link type, you automatically enter a wizard to configure type-specific settings for the link. You can later relaunch the wizard to modify the settings. For more information about the settings,
The Link menu appears.
The Link menu includes the following options:
/cfg/domain #/linkset <linkset ID> /link <index>
followed by:
move <new index>
    Moves the link to a new position in the linkset. The index numbers of existing link entries with this index number and higher are incremented by 1.
    new index is an integer in the range 1 to 256 that indicates the position of the link in the linkset.
    For example: You have two portal links, Link 1 and Link 2. To move Link 2 so that it appears before Link 1 on the portal page, enter the following command:
    >> Link 3# move 1
    Link 2 becomes Link 1, and Link 1 becomes Link 2.
text <text>
    Specifies text to display as the clickable link text on the portal Home tab.
    text is an ordinary text string or HTML code.
    Provide descriptive text that clearly identifies the targeted resource. The client sees only the link text, not the URL contained in the link.
/cfg/domain #/linkset <linkset ID> /link <index>
followed by:
type external|ftp
    Specifies the type of link. The options are:
    external—directs the client to a web page. The external link is not secured by the Nortel SNAS.
    ftp—directs the client to a directory on an FTP file exchange server.
    The default is external.
    The Link menu changes to include a command corresponding to the specified link type.
    ATTENTION
    Nortel Secure Network Access Switch Software Release 1.6.1 supports external links only.
external
    Accesses the External Settings menu, in order to configure settings for the link (see “Configuring external link settings” (page 255)).
    This command is available only if the link type is external.
ftp
    Accesses the FTP Settings menu, in order to configure settings for the link.
    This command is available only if the link type is ftp.
del
    Removes the link from the current configuration.
Configuring external link settings
To launch the wizard to configure settings for a link to an external web page, use the following command:
/cfg/domain #/linkset <linkset ID> /link <index> /external/quick
The wizard prompts you to enter the following settings:
method—HTTP or HTTPS
host—the host name or IP address of the web server
path—the path on the web server. You must specify a path. A single slash (/) indicates the web server document root.
Configuring system settings
This chapter includes the following topics:
System settings apply to a cluster as a whole.
You can log on to either the Management IP address (MIP) or a Nortel SNAS host Real IP address (RIP) in order to configure the system.
Configuring the cluster
To configure the cluster, access the System menu by using the following command:
/cfg/sys
From the System menu, you can configure and manage the following:
    Management IP address (MIP) (see “Configuring system settings”)
    the Nortel SNAS host, including interfaces and ports (see “Configuring the Nortel SNAS host”)
    supported in Nortel Secure Network Access Switch Software Release 1.6.1)
    administrative applications, including:
        managing access for Telnet, SSH, and SONMP (see “Configuring
        configuring system management using SNMP (see “Configuring
        enabling SRS administration (see “Enabling TunnelGuard SRS
        managing Nortel SNAS host SSH keys (see “Configuring Nortel
        managing RADIUS auditing (see “Configuring RADIUS auditing”)
        managing RADIUS authentication of system users (see
        disabling SSL traffic trace commands (see “Configuring system settings”)
Roadmap of system commands
The following roadmap lists the CLI commands to configure cluster-wide parameters and the Nortel SNAS host within the cluster. Use this list as a quick reference:
Command
    Parameter
/cfg/sys
    mip <IPaddr>
    distrace
/cfg/sys/host <host ID>
    ip <IPaddr>
    sysName <name>
    sysLocatio <location>
    license <key>
    gateway <IPaddr>
    ports
    hwplatform
    halt
    reboot
    delete
/cfg/sys/host <host ID>/interface <interface ID>
    ip <IPaddr>
    netmask <mask>
    gateway <IPaddr>
    vlanid <tag>
    mode failover | trunking
    primary <port>
    delete
/cfg/sys/routes
    list
    del <index number>
    add <IPaddr> <mask> <gateway>
/cfg/sys/host <host ID>/routes
    list
    del <index number>
    add <IPaddr> <mask> <gateway>
/cfg/sys/host #/interface <interface ID>/routes
    list
    del <index number>
    add <IPaddr> <mask> <gateway>
/cfg/sys/host #/port <port>
    autoneg on|off
    speed <speed>
    mode full | half
/cfg/sys/host #/interface <interface ID>/ports
    list
    del <port>
    add <port>
/cfg/sys/accesslist
    list
    del <index number>
    add <IPaddr> <mask>
/cfg/sys/time
    date <date>
    time <time>
    tzone
/cfg/sys/time/ntp
    list
    del <index number>
    add <IPaddr>
/cfg/sys/dns
    cachesize <entries>
    retransmit <interval>
    count <count>
    ttl <ttl>
    health <interval>
    hdown <count>
    hup <count>
/cfg/sys/dns/servers
    list
    del <index number>
    add <IPaddr>
    insert <index number> <IPaddr>
    move <index number> <new index number>
/cfg/sys/rsa
    rsaname <name>
    import <protocol> <server> <filename> [<FTP user name> <FTP password>]
    rmnodesecr
    del
/cfg/sys/syslog
    list
    del <index number>
    add <IPaddr> <facility>
    insert <index number> <IPaddr> <facility>
    move <index number> <new index number>
/cfg/sys/adm
    sonmp on | off
    clitimeout <interval>
    telnet on | off
    ssh on | off
    redist yes | no
/cfg/sys/adm/srsadmin
    port <port>
    ena
    dis
/cfg/sys/adm/sshkeys
    generate
    show
/cfg/sys/adm/sshkeys/knownhosts
    list
    del <index number>
    add
    import <IPaddr>
/cfg/sys/adm/audit
    vendorid
    vendortype
    ena
    dis
/cfg/sys/adm/audit/servers
    list
    del <index number>
    add <IPaddr> <port> <shared secret>
    insert <index number> <IPaddr>
    move <index number> <new index number>
/cfg/sys/adm/auth
    timeout <interval>
    fallback on | off
    ena
    dis
/cfg/sys/adm/auth/servers
    list
    del <index number>
    add <IPaddr> <port> <shared secret>
    insert <index number> <IPaddr>
    move <index number> <new index number>
/cfg/sys/adm/abl
    user_atmpt
    host_atmpt
    user_purge
    host_purge
    show
    clear
    ena
    dis
/cfg/sys/adm/abl/users
    list
    del <index number>
    add <user name>
/cfg/sys/adm/abl/hosts
    list
    del <index number>
    add <Host IP address>
/cfg/sys/adm/abl/hardenpass
    length <Minimum length>
    lowercase <Lower case>
    uppercase <Upper case>
    digits <Digits>
    others <other characters>
    retry <maximum retries>
    ena
    dis
Configuring system settings  
To view and configure cluster-wide system settings, use the following  
command:  
/cfg/sys  
The System menu appears.  
The System menu includes the following options:  
/cfg/sys
followed by:
mip <IPaddr>
    Sets the MIP for the cluster. The MIP identifies the cluster and must be unique on the network.
    ATTENTION
    Nortel does not recommend reconfiguring this parameter if you are logged on to the MIP, because you may lose connectivity. To reset the MIP, log on to the RIP instead.
host <host ID>
    Accesses the Cluster Host menu, in order to configure a specific Nortel SNAS host (see “Configuring the Nortel SNAS host”).
routes
    Accesses the Routes menu, in order to manage static routes for the cluster when there is more than one interface (see “Configuring static routes”).
time
    Accesses the Date and Time menu, in order to configure date and time settings and to access Network Time Protocol (NTP) servers (see “Configuring date and time settings”).
dns
    Accesses the DNS Settings menu, in order to manage DNS servers and tune DNS settings.
rsa <server ID>
    Accesses the RSA Servers menu, in order to configure RSA servers (page 279).
    ATTENTION
    Not supported in Nortel Secure Network Access Switch Software Release 1.6.1.
syslog
    Accesses the Syslog Servers menu, in order to configure the Syslog servers for receiving log messages (page 279).
accesslist
    Accesses the Access List menu, in order to control Telnet and SSH access to Nortel SNAS devices (see “Configuring the Access List”).
/cfg/sys
followed by:
adm
    Accesses the Administrative Applications menu, in order to set the CLI timeout value; manage Telnet, SSH, SNMP, and SONMP access to Nortel SNAS devices; enable SRS administration; generate SSH host keys; and configure the system for RADIUS auditing and authentication of system users.
user
    Accesses the User menu, in order to manage users.
distrace
    Permanently disables the /cfg/domain #/server/trace/ssldump and /cfg/domain #/server/trace/tcpdump commands (see “Tracing”).
    The distrace command is used to improve security. The only way to reverse this command is to do a boot install.
Configuring the Nortel SNAS host  
To configure basic TCP/IP properties for a particular Nortel SNAS device  
in the cluster, use the following command:  
/cfg/sys/host <host ID>  
where  
host ID is an integer automatically assigned to  
the host when you perform initial setup on the  
Nortel SNAS device.  
The /cfg/sys/host <host ID> command also allows you to halt,  
reboot, or delete the specified Nortel SNAS device.  
The Cluster Host menu appears.  
The Cluster Host menu includes the following options:  
/cfg/sys/host <host ID>
followed by:
ip <IPaddr>
    Sets the Real IP address (RIP) for Interface 1 on the device. The RIP is the Nortel SNAS device host IP address for network connectivity and must be unique on the network.
    Changing the RIP using this command does not affect the MIP for the cluster.
sysName <name>
    Assigns a name to the managed Nortel SNAS host. The name is a useful mnemonic when managing the Nortel SNAS using SNMP.
sysLocatio <location>
    Identifies the physical location of the managed Nortel SNAS host. The location description is a useful mnemonic when managing the Nortel SNAS using SNMP.
license <key>
    Installs the license key for the type of license you have purchased. The Nortel SNAS SSL (portal and Nortel SNAS domain client access) license is available for 100, 250, 500, and 1000 users.
    key is text you paste in. The license key text is supplied to you by Nortel Technical Support. When pasting, ensure you include the BEGIN LICENSE and END LICENSE lines.
    To obtain a license key, first use the /info/local command to find out the MAC address of the Nortel SNAS device. Then provide the MAC address to Nortel Technical Support and request the key for the desired license type.
gateway <IPaddr>
    Sets the default gateway address for the device. The default gateway is the IP address of the interface on the core router that will be used if no other interface is specified.
    To specify a default gateway for Interface 1 traffic, use the /cfg/sys/host #/interface #/gateway command.
/cfg/sys/host <host ID>
followed by:
routes
    Accesses the Host Routes menu, in order to manage static routes for the Nortel SNAS when there is more than one interface (see “Configuring static routes”).
interface <interface number>
    Accesses the Host Interface menu, in order to configure an IP interface (see “Configuring host interfaces”).
port
    Accesses the Host Port menu, in order to configure port properties (see “Configuring host ports”).
ports
    Lists the physical ports on the device, by port number. Ports that can exist on the same network (for failover or trunking) are listed together, separated by a comma (,). A port that cannot exist on the same network as other listed ports appears after a colon (:). For example:
    Ports = 1,2:3
hwplatform
    Shows the hardware platform of the Nortel SNAS device.
halt
    Stops Nortel SNAS processing. Always use this command before turning off the device.
    If the Nortel SNAS you want to halt has become isolated from the cluster, you will receive an error message when executing the halt command. In this case, log on to the Nortel SNAS using a console connection or remotely by connecting to the Nortel SNAS RIP (host address). Then use the /boot/halt command (see "halt" (page 362)).
/cfg/sys/host <host ID>
followed by:
reboot
    Reboots the Nortel SNAS.
    If the Nortel SNAS you want to reboot has become isolated from the cluster, you will receive an error message when executing the reboot command. In this case, log on to the Nortel SNAS using a console connection or remotely by connecting to the Nortel SNAS RIP (host address). Then use the /boot/reboot command (see "reboot" (page 362)).
delete
    Removes the Nortel SNAS host from the cluster and resets the device to its factory default configuration. Other Nortel SNAS devices in the cluster are not affected.
    To ensure that you remove the intended Nortel SNAS, first use the /cfg/sys/host #/cur command to view current settings and verify that it is the correct host. (To view information for all Nortel SNAS devices in the cluster, use the /cfg/sys/cur command.)
    After you have removed the Nortel SNAS from the cluster, you must use a console connection to access the device. Log on as the admin user with the admin password to enter the Setup utility.
    ATTENTION
    If there are other Nortel SNAS devices in the cluster configuration, you cannot delete a device if it is the only Nortel SNAS in the cluster whose status is up. In this case, you will receive an error message when executing the delete command. To delete a device from the cluster while all the other cluster members are down, log on to the Nortel SNAS using a console connection or remotely by connecting to the Nortel SNAS RIP (host address). Then use the /boot/delete command. When the remaining cluster members come back up, connect to the MIP and repeat the command to delete the Nortel SNAS from the cluster configuration (/cfg/sys/host #/delete).
Viewing host information  
To view the host number and IP address for each Nortel SNAS device in  
the cluster, use the /cfg/sys/host <host ID> /cur command.  
Configuring host interfaces  
The default IP interface on the Nortel SNAS host is Interface 1. You can  
create additional interfaces and specify the ports to be assigned to each  
interface. If you assign more than one port to an interface, you can choose  
whether the ports will operate in failover or trunking mode.  
You can create a maximum of four interfaces on each Nortel SNAS host.  
To configure an IP interface and the assignment of physical ports on a  
particular Nortel SNAS host, use the following command:  
/cfg/sys/host <host ID> /interface <interface ID>  
where interface ID is an integer in the range 1 to 252 that uniquely  
identifies the interface on the Nortel SNAS host. To configure a  
new interface, enter an unused interface ID number. To change the  
configuration of an existing interface, enter the applicable interface ID  
number.  
The Host Interface menu appears.  
The Host Interface menu includes the following options:  
/cfg/sys/host #/interface <interface ID>
followed by:
ip <IPaddr>
    Sets the network address for the interface. (For Interface 1, the network address is the RIP.)
netmask <mask>
    Sets the subnet mask for the interface.
/cfg/sys/host #/interface <interface ID>
followed by:
gateway <IPaddr>
    Sets the default gateway address for the interface. The default gateway is the IP address of the interface on the core router that will be used for management traffic (such as requests to private authentication servers and DNS servers).
    The default gateway will be used only for Nortel SNAS domains that point to this interface (/cfg/domain #/adv/interface). If no domain points to this interface, the specified gateway will be ignored.
routes
    Accesses the Host Routes menu, in order to manage static routes for the Nortel SNAS when there is more than one interface (see “Configuring static routes”).
vlanid <tag>
    Specifies the VLAN tag if packets received by the interface are tagged with a specific VLAN tag ID.
mode failover|trunking
    Specifies the mode of operation for the port numbers assigned to this interface. The options are:
    failover—only one link is active at any given time. If the port with an active link fails, the active link is immediately switched over to one of the other ports configured for the interface. When you select failover mode, you also have the option of specifying a primary port (see /cfg/sys/host #/interface #/primary).
    trunking—active links are sustained on all configured ports simultaneously, in order to increase network throughput.
    The default is failover.
ports
    Accesses the Interface Ports menu, in order to manage ports for the interface (see “Managing interface ports”).
/cfg/sys/host #/interface <interface ID>
followed by:
primary <port>
    Specifies the primary port in the interface, on which the active link is set up. If the primary port fails, the active link is immediately transferred to a remaining (secondary) port. As soon as the primary port regains functionality, the active link is transferred back to the primary port.
    port is an integer indicating the port number of the physical port assigned to the interface. The default is 0 (zero).
    The default value of zero means that the currently active link remains in use until it fails. If the port fails, the link is transferred to another port. The link remains active on the port to which it was transferred, even after the failed port regains functionality.
    The primary port setting applies only when you have configured more than one port in the interface, and the mode is failover.
delete
    Removes the interface from the system configuration.
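The following simulation, added here as an illustration and not Nortel's implementation, models the failover and primary-port behaviour described for mode failover and primary <port>: with primary 0 the link stays where it was transferred, with a configured primary it moves back when that port recovers. It assumes that when the active port fails the link moves to the lowest-numbered remaining port that is up (the manual says only "one of the other ports").

```python
"""Simulation of failover-mode link selection on a Nortel SNAS host
interface. Added example, not Nortel code.

Assumptions not stated in the manual: when the active port fails, the link
moves to the lowest-numbered remaining port that is up; ports are the
integers assigned with /cfg/sys/host #/interface #/ports.
"""


class FailoverInterface:
    """One interface in 'mode failover' with an optional 'primary <port>'."""

    def __init__(self, ports, primary=0):
        if len(ports) < 2:
            raise ValueError("failover needs more than one port in the interface")
        if primary and primary not in ports:
            raise ValueError(f"primary port {primary} is not assigned to the interface")
        self.ports = list(ports)
        self.primary = primary            # 0 (default) = no fail-back to a fixed port
        self.link_up = {p: True for p in self.ports}
        # The active link is set up on the primary port when one is configured.
        self.active = primary or self.ports[0]

    def _standby(self):
        """Lowest-numbered port whose link is up (assumed selection rule)."""
        for p in self.ports:
            if self.link_up[p]:
                return p
        return None                       # every port is down

    def port_down(self, port):
        """A port loses link; switch over immediately if it carried the active link."""
        self.link_up[port] = False
        if port == self.active:
            self.active = self._standby()
        return self.active

    def port_up(self, port):
        """A port regains link; fail back only when it is the configured primary."""
        self.link_up[port] = True
        if self.active is None:
            self.active = port            # first port to recover takes the link
        elif port == self.primary:
            self.active = port            # primary regains functionality: link moves back
        return self.active


def run_fault_sequence(primary):
    """Active port after each step of: start, port 1 fails, port 1 recovers.

    With primary 0 the link stays on port 2 after port 1 recovers; with
    primary 1 it is transferred back to port 1.
    """
    iface = FailoverInterface(ports=[1, 2], primary=primary)
    return [iface.active, iface.port_down(1), iface.port_up(1)]


if __name__ == "__main__":
    for primary in (0, 1, 2):
        print(f"primary {primary}: active port after each event = {run_fault_sequence(primary)}")
```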
Configuring static routes  
To manage static routes on a cluster-wide level when more than one  
interface is configured, use the following command:  
/cfg/sys/routes  
To manage static routes for a particular Nortel SNAS host when more than  
one interface is configured, use the following command:  
/cfg/sys/host <host ID> /routes  
where  
host ID is an integer automatically assigned to  
the host when you perform initial setup on the  
Nortel SNAS device.  
To manage static routes for a particular interface, use the following  
command:  
/cfg/sys/host #/interface <interface ID> /routes
where
    interface ID is an integer in the range 1 to 252 that uniquely identifies the interface on the Nortel SNAS host.
The system, host, or interface Routes menu appears.
When you add a static route to the system, host, or interface configuration, the route is automatically assigned an index number. There are separate sequences of index numbers for routes configured for the cluster, for each host, and for each interface.
The system, host, or interface Routes menu includes the following options:
/cfg/sys/[host #[/interface #]/]routes
followed by:
list
    Lists IP address information for all configured static routes, by index number.
del <index number>
    Removes the specified route from the system, host, or interface configuration.
    index number is the identification number automatically assigned to the route when you added the route to the configuration.
    To view the index numbers of all configured static routes, use the list command.
add <IPaddr> <mask> <gateway>
    Adds a static route to the system, host, or interface configuration.
    IPaddr is the destination IP address.
    mask is the network mask.
    gateway is the IP address on the core router.
    An index number is automatically assigned to the route.
Configuring host ports  
To configure the connection properties for a port, use the following  
command:  
/cfg/sys/host #/port <port>  
where port is an integer in the range 1 to 4 indicating the port number of the physical port on the Nortel SNAS. The port number is the number identifying the port on the back of the Nortel SNAS.
The Host Port menu appears.
The Host Port menu includes the following options:
/cfg/sys/host #/port <port>
followed by:
autoneg on|off
    Specifies the Ethernet auto-negotiation setting for the host and NIC port. The options are:
    on—the port is set to auto-negotiate speed and mode. This is the recommended setting.
    off—speed and mode are fixed at a specified setting.
    The default is on.
    When auto-negotiation is on, ensure that the device to which the port is connected is also set to auto-negotiate.
speed <speed>
    Sets the speed for the host and NIC port when auto-negotiation is set to off.
    speed—the port speed in megabits per second. The options are 10|100|1000.
mode full|half
    Sets the duplex mode for the host and NIC port when auto-negotiation is set to off. The options are full and half.
    The default duplex mode is full.
Managing interface ports  
To view and manage the ports assigned to an interface, use the following  
command:  
/cfg/sys/host #/interface <interface ID> /ports  
where  
interface ID is an integer in the range 1 to 252 that  
uniquely identifies the interface on the Nortel  
SNAS host.  
The Interface Ports menu appears.
The Interface Ports menu includes the following options:
/cfg/sys/host #/interface <interface ID> /ports
followed by:
list
    Lists all ports assigned to the interface.
del <port>
    Removes the specified port from the interface.
    port is the port number of the physical port on the device.
add <port>
    Adds a port to be used in the interface.
    port is the port number of the physical port on the device.
    To view available port numbers on the Nortel SNAS device, use the /cfg/sys/host #/ports command.
Configuring the Access List
The Access List is a cluster-wide list of IP addresses for hosts authorized to access the Nortel SNAS devices by Telnet, SSH, and SREM. You can configure the list to allow access by individual machines or a range of machines on a specific network.
If the Access List is empty, then access is open to any machine.
ATTENTION
Before you join a Nortel SNAS to the cluster, if there are existing entries in the Access List, you must add to the Access List the RIP (host IP address) for Interface 1 of all Nortel SNAS devices in the cluster. You must do this before you perform the join. Otherwise, the devices will not be able to communicate.
For information about enabling Telnet and SSH access, see “Configuring
To manage the Access List in order to control Telnet and SSH access to the Nortel SNAS cluster, use the following command:
/cfg/sys/accesslist
The Access List menu appears.
The Access List menu includes the following options:
/cfg/sys/accesslist  
followed by:  
list  
Lists the network address and network mask for all  
entries in the Access List, by index number.  
del <index number>  
Removes the specified entry from the list.  
index number is the identification number  
automatically assigned to the entry when  
you added the entry to the list.  
To view the index numbers of all configured  
Access List entries, use the list command.  
add <IPaddr> <mask>  
Adds an entry to the Access List. Only those  
machines listed will be allowed to access the  
Nortel SNAS through Telnet or SSH.  
IPaddr is the IP address of the host to be  
allowed access.  
mask is the subnet mask. You can set  
the mask to specify a single machine or a  
range of machines on a specific network.  
An index number is automatically assigned to  
the entry.  
Configuring date and time settings  
To configure date and time settings for the cluster, use the following  
command:  
/cfg/sys/time  
The Date and Time menu appears.  
The Date and Time menu includes the following options:  
/cfg/sys/time  
followed by:  
date <date>  
Sets the system date.  
date is the date in YYYY-MM-DD format.  
time <time>  
Sets the system time.  
time is the time in HH:MM:SS format,  
using a 24-hour clock.  
/cfg/sys/time  
followed by:  
tzone  
Specifies the time zone. You are prompted  
to enter a continent or ocean area, a country,  
and a region (if applicable). To view available  
input options, press Enter to accept the default  
(select) in order to display selection menus  
for each item.  
ntp  
Accesses the NTP Servers menu, in order to  
manage NTP servers used by the cluster (see  
Managing NTP servers  
You can add NTP servers to the system configuration to enable the NTP  
client on the Nortel SNAS to synchronize its clock. To compensate for  
discrepancies, it is recommended that NTP have access to at least three  
NTP servers.  
To manage NTP servers used by the system, use the following command:  
/cfg/sys/time/ntp  
The NTP Servers menu appears.  
The NTP Servers menu includes the following options:  
/cfg/sys/time/ntp  
followed by:  
list  
Lists IP address information for all NTP servers  
configured for the system, by index number.  
del <index number>  
Removes the specified NTP server from the  
system configuration.  
index number is the identification number  
automatically assigned to the server when  
you added the server to the configuration.  
To view the index numbers of all configured  
NTP servers, use the list command.  
add <IPaddr>  
Adds an NTP server to the system  
configuration.  
IPaddr is the IP address of the NTP  
server.  
An index number is automatically assigned to  
the server.  
Configuring DNS servers and settings  
To configure DNS settings for the cluster, use the following command:  
/cfg/sys/dns  
The DNS Settings menu appears.  
The DNS Settings menu includes the following options:  
/cfg/sys/dns  
followed by:  
servers  
Accesses the DNS Servers menu, in order to  
manage servers configured for the cluster (see  
cachesize <entries>  
Specifies the size of the local DNS cache.  
entries is an integer in the range  
0–10000 indicating the maximum number  
of DNS entries in the local DNS cache. The  
default is 1000.  
retransmit <interval>  
Sets the interval for retransmitting a DNS  
query.  
interval is a positive integer that  
indicates the time interval in seconds  
(s), minutes (m), hours (h), or days (d). If  
you do not specify a measurement unit,  
seconds is assumed. The default is 2 (2  
seconds).  
count <count>  
Specifies the number of retries.  
count is a non-negative integer that  
indicates the maximum number of times a  
DNS query is retransmitted. The default is  
3.  
ttl <ttl>  
Specifies the maximum time to live (TTL) value  
for entries in the DNS cache. After the TTL  
has expired, the entries are discarded.  
ttl is a non-negative integer that indicates  
the TTL value in seconds (s), minutes  
(m), hours (h), or days (d). You can enter  
compound values (for example, 2h30m).  
If you do not specify a measurement unit,  
seconds is assumed. The default is 3h (3  
hours).  
/cfg/sys/dns  
followed by:  
health <interval>  
Sets the interval for the Nortel SNAS to check  
the health of the DNS servers. At the specified  
interval, the Nortel SNAS performs a DNS  
query to each DNS server in the system  
configuration to determine its health status.  
interval is an integer that indicates the  
time interval in seconds (s), minutes (m),  
hours (h), or days (d). If you do not specify  
a measurement unit, seconds is assumed.  
The default is 10 (10 seconds).  
hdown <count>  
Sets the health check down counter.  
count is a positive integer that indicates  
the number of times a DNS server health  
check can time out before the Nortel SNAS  
determines the DNS server is down. The  
default is 2.  
hup <count>  
Sets the health check up counter.  
count is a positive integer that indicates  
the number of times a DNS server health  
check returns a positive response before  
the Nortel SNAS determines the DNS  
server is up. The default is 2.  
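The interval arguments in this menu (retransmit, ttl, health) share one syntax: a bare integer is seconds, the suffixes s, m, h and d select a unit, and units can be compounded as in 2h30m. The same syntax is used by clitimeout and timeout under /cfg/sys/adm. The parser below is an added example in Python, not part of the manual or the Nortel SNAS software; the clitimeout range it enforces (300–604800 s) is the one the administrative settings section states.

```python
import re

# Unit suffixes accepted by the SNAS interval arguments; a value with no
# suffix is taken as seconds, as the manual states for every such option.
_UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400}
_TOKEN = re.compile(r"(\d+)([smhd]?)")


def parse_interval(text: str) -> int:
    """Return the number of seconds for '2', '30s', '3h' or a compound '2h30m'."""
    text = text.strip()
    if not text:
        raise ValueError("empty interval")
    pos, total, seen = 0, 0, set()
    while pos < len(text):
        m = _TOKEN.match(text, pos)
        if m is None:
            raise ValueError(f"bad interval {text!r} at offset {pos}")
        value, unit = int(m.group(1)), m.group(2)
        if not unit:
            # A bare number is only valid as the whole value, not inside "2h30".
            if pos != 0 or m.end() != len(text):
                raise ValueError(f"missing unit in compound interval {text!r}")
            unit = "s"
        if unit in seen:
            raise ValueError(f"unit {unit!r} repeated in {text!r}")
        seen.add(unit)
        total += value * _UNIT_SECONDS[unit]
        pos = m.end()
    return total


def dns_ttl_seconds(text: str):
    """Seconds for a DNS cache ttl value (non-negative, compound values allowed),
    or None when the value is malformed."""
    try:
        return parse_interval(text)
    except ValueError:
        return None


def clitimeout_seconds(text: str):
    """Seconds for a clitimeout value, or None when it is malformed or outside
    the manual's range of 300–604800 s (5 m to 7 d)."""
    try:
        seconds = parse_interval(text)
    except ValueError:
        return None
    return seconds if 300 <= seconds <= 604800 else None


if __name__ == "__main__":
    for arg in ("2", "3h", "2h30m", "10m", "7d", "8d", "2h30"):
        print(f"{arg:>6} -> ttl={dns_ttl_seconds(arg)} clitimeout={clitimeout_seconds(arg)}")
```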
Managing DNS servers  
You can add up to three DNS servers to the system configuration. The  
DNS server is used by the captive portal when it forwards queries on  
the Exclude List. (For more information about the captive portal and the  
To configure the cluster to use external DNS servers, use the following  
command:  
/cfg/sys/dns/servers  
The DNS Servers menu appears.  
The DNS Servers menu includes the following options:  
/cfg/sys/dns/servers  
followed by:  
list  
Lists the IP addresses of currently configured  
DNS servers, by index number.  
del <index number>  
Removes the specified DNS server from the  
system configuration. The index numbers of  
the remaining entries adjust accordingly.  
To view the index numbers of all configured  
DNS servers, use the list command.  
add <IPaddr>  
Adds a DNS server to the system  
configuration.  
IPaddr—the IP address of the DNS server  
The system automatically assigns the next  
available index number to the server.  
You can add up to three DNS servers to the  
configuration.  
insert <index number>  
<IPaddr>  
Inserts a server at a particular position in the  
list of DNS servers in the configuration.  
index number—the index number you  
want the server to have  
IPaddr—the IP address of the DNS server  
you are adding  
The index number you specify must be in use.  
The index numbers of existing servers with this  
index number and higher are incremented by  
1.  
move <index number> <new index number>  
Moves a server up or down the list of DNS  
servers in the configuration.  
index number—the original index number  
of the server you want to move  
new index number—the index number  
representing the new position of the server  
in the list  
The index numbers of the remaining entries  
adjust accordingly.  
To view the index numbers of all configured  
DNS servers, use the list command.  
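To make the health, hdown and hup options concrete, here is an added Python model of the up/down decision for the servers in this list, replayed over constructed health-check log lines. It is not SNAS code; the manual does not describe a health-check log, so the dns-health line format and the server addresses are assumptions for the example.

```python
import re
from dataclasses import dataclass, field


@dataclass
class DnsServerHealth:
    """Up/down state of one DNS server driven by the hdown and hup counters of
    /cfg/sys/dns (both default 2): down only after hdown consecutive timed-out
    checks, up again only after hup consecutive positive responses, so a single
    lost query does not flap the state."""
    address: str
    hdown: int = 2
    hup: int = 2
    up: bool = True            # assumed initial state for the example
    failures: int = 0          # consecutive timeouts so far
    successes: int = 0         # consecutive positive responses so far
    transitions: list = field(default_factory=list)   # (check number, "down"|"up")

    def __post_init__(self):
        if self.hdown < 1 or self.hup < 1:
            raise ValueError("hdown and hup are positive integers")

    def record(self, check_no: int, answered: bool) -> bool:
        """Apply one health-check result and return the resulting state."""
        if answered:
            self.failures = 0
            self.successes += 1
            if not self.up and self.successes >= self.hup:
                self.up = True
                self.transitions.append((check_no, "up"))
        else:
            self.successes = 0
            self.failures += 1
            if self.up and self.failures >= self.hdown:
                self.up = False
                self.transitions.append((check_no, "down"))
        return self.up


# Assumed log line shape for the example: "<timestamp> dns-health <server> reply|timeout".
_PROBE = re.compile(r"dns-health (\S+) (reply|timeout)\b")


def evaluate_log(lines, hdown: int = 2, hup: int = 2):
    """Replay health-check lines per server; returns {address: DnsServerHealth}."""
    servers, counts = {}, {}
    for line in lines:
        m = _PROBE.search(line)
        if m is None:
            continue                       # unrelated log line
        address, outcome = m.groups()
        server = servers.setdefault(address, DnsServerHealth(address, hdown, hup))
        counts[address] = counts.get(address, 0) + 1
        server.record(counts[address], outcome == "reply")
    return servers


# Constructed sample: one probe per server every 10 s (the default health interval).
SAMPLE_LOG = """\
2008-07-28T10:00:00 dns-health 192.0.2.53 reply
2008-07-28T10:00:00 dns-health 198.51.100.53 timeout
2008-07-28T10:00:10 dns-health 192.0.2.53 timeout
2008-07-28T10:00:10 dns-health 198.51.100.53 reply
2008-07-28T10:00:20 dns-health 192.0.2.53 timeout
2008-07-28T10:00:30 dns-health 192.0.2.53 reply
2008-07-28T10:00:40 dns-health 192.0.2.53 reply
2008-07-28T10:00:50 dns-health 192.0.2.53 timeout
2008-07-28T10:01:00 dns-health 192.0.2.53 reply
"""


if __name__ == "__main__":
    for address, state in evaluate_log(SAMPLE_LOG.splitlines()).items():
        print(address, "up" if state.up else "down", state.transitions)
```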
Configuring RSA servers  
To configure the symbolic name for the RSA server and import the  
sdconf.rec configuration file, use the following command:  
/cfg/sys/rsa  
The RSA Servers menu appears.  
ATTENTION  
This feature is not supported in Nortel Secure Network Access Switch Software  
Release 1.6.1.  
The RSA Servers menu includes the following options:  
/cfg/sys/rsa  
followed by:  
rsaname <name>  
Sets the symbolic name of the RSA server.  
import <protocol> <server> <filename> [<FTP user name> <FTP password>]  
Imports a copy of the sdconf.rec file from  
the specified TFTP/FTP/SCP/SFTP server.  
protocol is the import protocol. Options  
are tftp|ftp|scp|sftp.  
server is the host name or IP address of  
the server.  
filename is the name of the sdconf.rec  
file on the server.  
The sdconf.rec file is a configuration file that  
contains critical RSA ACE/Server information.  
Contact your RSA ACE/Server administrator  
to obtain the file and make it available on the  
specified TFTP/FTP/SCP/SFTP server.  
rmnodesecr  
Removes the RSA node secret, if necessary.  
Authentication will then fail until the Node  
secret created check box is unchecked in the  
Edit Agent Host window on the RSA server.  
del  
Deletes the current RSA server information.  
Configuring syslog servers  
The Nortel SNAS software can send log messages to specified syslog  
hosts.  
For descriptions of the log messages that the Nortel SNAS can send to a  
To configure syslog servers for the cluster, use the following command:  
/cfg/sys/syslog  
The Syslog Servers menu appears.  
The Syslog Servers menu includes the following options:  
/cfg/sys/syslog  
followed by:  
list  
Lists the IP addresses and facility numbers of  
all configured syslog servers, by index number.  
del <index number>  
Removes the specified syslog server from the  
system configuration. The index numbers of  
the remaining entries adjust accordingly.  
To view the index numbers of all configured  
syslog servers, use the list command.  
add <IPaddr> <facility>  
Adds a syslog server to the system  
configuration. You are prompted to enter  
the following information:  
IPaddr—the IP address of the syslog  
server  
facility—the local facility number, to  
uniquely identify syslog entries. For more  
information about the local facility number,  
see the manual page for syslog.conf  
under UNIX.  
The system automatically assigns the next  
available index number to the server.  
insert <index number>  
<IPaddr> <facility>  
Assigns a specific index number to the syslog  
server you add.  
index number—the index number you  
want the server to have  
IPaddr—the IP address of the syslog  
server you are adding  
facility—the local facility number, to  
uniquely identify syslog entries. For more  
information about the local facility number,  
see the manual page for syslog.conf  
under UNIX.  
/cfg/sys/syslog  
followed by:  
The index number you specify must be in use.  
The index numbers of existing servers with this  
index number and higher are incremented by  
1.  
move <index number> <new index number>  
Moves a server up or down the list of syslog  
servers in the configuration.  
index number—the original index number  
of the server you want to move  
new index number—the index number  
representing the new position of the server  
in the list  
The index numbers of the remaining entries  
adjust accordingly.  
To view the index numbers of all configured  
syslog servers, use the list command.  
Configuring administrative settings  
Administrative settings control the functioning of the CLI. Important  
administrative settings include:  
enabling Telnet access to the CLI  
enabling SSH access to the CLI (required in order to use the SREM)  
enabling SRS administration to configure the Nortel Health Agent SRS  
setting CLI idle timeout  
To configure administrative settings for the system, use the following  
command:  
/cfg/sys/adm  
The Administrative Applications menu appears.  
The Administrative Applications menu includes the following options:  
/cfg/sys/adm  
followed by:  
snmp  
Accesses the SNMP menu, in order to  
configure network management of the cluster  
(see ).  
sonmp on|off  
Enables or disables support for SynOptics  
Network Management Protocol (SONMP)  
network topology information. The default is  
disabled (off).  
clitimeout <interval>  
Sets the timeout interval for user inactivity  
in the CLI. At the end of the timeout  
period, if there is still no activity, the user is  
automatically logged out.  
interval is an integer that indicates the  
time interval in seconds (s), minutes (m),  
hours (h), or days (d). If you do not specify  
a measurement unit, seconds is assumed.  
The range is 300–604800 seconds (5 m–7  
d). The default is 600 (10 m).  
Changes to the timeout value do not take  
effect until the next logon.  
When the user is automatically logged out,  
any unapplied changes are lost. Save your  
configuration changes regularly by using the  
global apply command.  
audit  
Accesses the Audit menu, in order to  
configure RADIUS auditing (see “Configuring  
auth  
Accesses the Authentication menu, in order  
to configure RADIUS authentication of system  
abl  
Accesses the Auto Blacklisting menu.  
hardenpass  
Accesses the Harden Password menu.  
/cfg/sys/adm  
followed by:  
telnet on|off  
Enables or disables Telnet access for remote  
management of the system. The options are:  
on—Telnet access is enabled. If there are  
no entries in the Access List, all Telnet  
connections are allowed. If there are any  
entries in the Access List, only the specified  
machines are allowed Telnet access.  
off—All Telnet connections are rejected,  
including connections from machines in the  
Access List.  
The default is off.  
For more information about the Access List,  
ssh on|off  
Enables or disables SSH access for remote  
management of the system. The options are:  
on—SSH access is enabled. If there are  
no entries in the Access List, all SSH  
connections are allowed. If there are any  
entries in the Access List, only the specified  
machines are allowed SSH access.  
off—all SSH connections are rejected,  
including connections from machines in the  
Access List.  
The default is off.  
For more information about the Access List,  
srsadmin  
Accesses the SRS Admin menu, in order  
to configure the SRS rules (see “Enabling  
sshkeys  
Accesses the SSH Host Keys menu, in order  
to manage SSH keys used by all Nortel SNAS  
hosts in the cluster in accordance with the  
Single System Image (SSI) concept (see  
redist  
It affects the switch in all domains.  
Values: yes and no. Default: no.  
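An added Python model (not SNAS code) of how the Access List from /cfg/sys/accesslist combines with the telnet and ssh switches above: an empty list leaves access open, a non-empty list admits only listed machines, and off rejects every connection regardless of the list. It also includes the check behind the ATTENTION in the Access List section, that the Interface 1 RIP of every cluster member must be listed before a join. The addresses are constructed from RFC 5737 documentation ranges.

```python
import ipaddress


class AccessList:
    """Model of /cfg/sys/accesslist: an ordered, index-numbered allow list of
    (IPaddr, mask) entries shared by the whole cluster."""

    def __init__(self):
        self._networks = []            # index number = list position + 1

    def add(self, ipaddr: str, mask: str) -> int:
        """Add an entry and return the index number assigned to it. A host mask
        (255.255.255.255) admits one machine; a shorter mask admits a range."""
        network = ipaddress.ip_network(f"{ipaddr}/{mask}", strict=False)
        self._networks.append(network)
        return len(self._networks)

    def delete(self, index: int) -> None:
        if not 1 <= index <= len(self._networks):
            raise ValueError(f"no Access List entry with index {index}")
        del self._networks[index - 1]  # later entries move up one index

    def entries(self):
        """What `list` shows: index number, network address, network mask."""
        return [(i + 1, str(n.network_address), str(n.netmask))
                for i, n in enumerate(self._networks)]

    def permits(self, source_ip: str) -> bool:
        """Empty list: open to any machine. Otherwise only listed hosts or ranges."""
        if not self._networks:
            return True
        address = ipaddress.ip_address(source_ip)
        return any(address in network for network in self._networks)


def management_access_allowed(service_on: bool, acl: AccessList, source_ip: str) -> bool:
    """Decision for one Telnet or SSH connection per the telnet/ssh on|off options:
    off rejects every connection, even from listed machines; on defers to the list."""
    return service_on and acl.permits(source_ip)


def missing_cluster_members(acl: AccessList, member_rips):
    """Members whose Interface 1 RIP a non-empty Access List would reject.
    These must be added before a join, or the devices cannot communicate."""
    return [rip for rip in member_rips if not acl.permits(rip)]


if __name__ == "__main__":
    acl = AccessList()
    print("empty list, any source:", management_access_allowed(True, acl, "203.0.113.9"))
    acl.add("192.0.2.10", "255.255.255.255")     # one administrator workstation
    acl.add("198.51.100.0", "255.255.255.0")     # a management subnet
    for entry in acl.entries():
        print(entry)
    print("ssh on, listed:", management_access_allowed(True, acl, "198.51.100.20"))
    print("ssh on, unlisted:", management_access_allowed(True, acl, "203.0.113.9"))
    print("ssh off, listed:", management_access_allowed(False, acl, "192.0.2.10"))
    print("RIPs to add before join:",
          missing_cluster_members(acl, ["198.51.100.2", "192.0.2.99"]))
```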
Enabling TunnelGuard SRS administration  
To create and modify the TunnelGuard Software Requirement Set (SRS)  
rules, you must use the SREM (see Nortel Secure Network Access Switch  
4050 User Guide for the SREM (NN47230-101)). Before you can access  
the Rule Builder utility in the SREM, you must enable support for SRS  
administration.  
This feature is supported up to Nortel Secure Network Access Switch Software  
Release 1.6.1.  
To configure support for managing the SRS rules, use the following  
command:  
/cfg/sys/adm/srsadmin  
The SRS Admin menu appears.  
The SRS Admin menu includes the following options:  
/cfg/sys/adm/srsadmin  
followed by:  
port <port>  
Specifies the TCP port used for communication  
with the SRS administration server. The  
default is port 4443.  
ena  
Enables SRS administration, for creating and  
managing SRS rules.  
dis  
Disables SRS administration. The default is  
disabled.  
Configuring Nortel SNAS host SSH keys  
The Nortel SNAS functions as both SSH client (for importing and  
exporting logs using SFTP) and SSH server for secure management  
communications between the Nortel SNAS devices in a cluster.  
ATTENTION  
SCP is not supported.  
The SSH host keys are a set of keys to be used by all hosts in the cluster  
in accordance with the Single System Image (SSI) concept. As a result,  
connections to the MIP always appear to an SSH client to be to the same  
host.  
During initial setup, there is an option to generate the SSH host keys  
automatically.  
To generate and view the SSH keys used by all hosts in the cluster for  
secure management communications, use the following command:  
/cfg/sys/adm/sshkeys  
The SSH Host Keys menu appears.  
The SSH Host Keys menu includes the following options:  
/cfg/sys/adm/sshkeys  
followed by:  
generate  
Generates new SSH host keys (RSA1, RSA,  
and DSA) to be used by all hosts in the cluster.  
Enter Apply to apply the change immediately  
and create the key.  
show  
Shows the current SSH host keys and corresponding  
fingerprints for the cluster. The following  
formats are used:  
RSA1 keys—there is no standard format.  
The format in the CLI output is the  
OpenSSH implementation, except that the  
line is wrapped. To fully conform to the  
OpenSSH implementation, you may need  
to edit the output back into a single line for  
use in the key storage of an SSH client.  
RSA and DSA keys—the SECSH Public Key File Format,  
as described in Internet Draft  
draft-ietf-secsh-publickeyfile.  
knownhosts  
Accesses the SSH Known Host Keys menu,  
in order to manage the public SSH keys of  
remote hosts (see “Managing known hosts  
Managing known hosts SSH keys  
You can paste or import public SSH keys from remote hosts as a  
convenience, so that you do not get prompted to accept a new key during  
later use of SCP or SFTP for file or data transfer.  
To achieve strict "man in the middle" protection, verify the fingerprint  
before applying the changes.  
To manage the public SSH keys of known remote hosts, use the following  
command:  
/cfg/sys/adm/sshkeys/knownhosts  
The SSH Known Host Keys menu appears.  
The SSH Known Host Keys menu includes the following options:  
/cfg/sys/adm/sshkeys/knownhosts  
followed by:  
list  
Lists the type and fingerprint of the known SSH  
keys for remote hosts, by index number.  
del <index number>  
Removes the specified known host SSH key.  
To view the index numbers of all known host  
SSH keys, use the list command.  
add  
Allows you to paste in the contents of a key file  
you have downloaded from the remote host.  
When prompted, paste in the key, then press  
Enter. Enter an ellipsis (...) to signal the end  
of the key.  
Valid formats are as described for the  
/cfg/sys/adm/sshkeys/show command  
or the native format used by the OpenSSH  
implementation.  
If the key has a valid format, you will  
be prompted for the corresponding host  
name or IP address. You can provide a  
comma-separated list of names and IP  
addresses for the host.  
The system automatically assigns the next  
available index number to the known host SSH  
key.  
import <IPaddr>  
Allows you to import an SSH key from a  
remote host.  
IPaddr—the IP address of the remote host  
The system automatically assigns the next  
available index number to the known host SSH  
key.  
Configuring RADIUS auditing  
You can configure the Nortel SNAS cluster to include a RADIUS server to  
receive log messages about commands executed in the CLI or the SREM,  
for audit purposes.  
About RADIUS auditing  
An event is generated whenever a system user logs on, logs off, or issues  
a command from a CLI session. The event contains information about user  
name and session ID, as well as the name of executed commands. You  
can configure the system to send the event to a RADIUS server for audit  
trail logging, in accordance with RFC 2866 (RADIUS Accounting).  
If auditing is enabled but no RADIUS server is configured, events will still  
be generated to the event log and any configured syslog servers.  
When you add an external RADIUS audit server to the configuration, the  
server is automatically assigned an index number. You can add several  
RADIUS audit servers, for backup purposes. Nortel SNAS auditing will be  
performed by an available server with the lowest index number. You can  
control audit server usage by reassigning index numbers (see “Managing  
For information about configuring a RADIUS accounting server to log  
About the vendor-specific attributes  
The RADIUS audit server uses Vendor-Id and Vendor-Type attributes  
in combination to identify the source of the audit information. The  
attributes are sent to the RADIUS audit server together with the event log  
information.  
Each vendor has a specific dictionary. The Vendor-Id specified for an  
attribute identifies the dictionary the RADIUS server will use to retrieve  
the attribute value. The Vendor-Type indicates the index number of the  
required entry in the dictionary file.  
The Internet Assigned Numbers Authority (IANA) has designated SMI  
Network Management Private Enterprise Codes that can be assigned to  
RFC 2866 describes usage of the Vendor-Type attribute.  
Contact your RADIUS system administrator for information about the  
vendor-specific attributes used by the external RADIUS audit server.  
To simplify the task of finding audit entries in the RADIUS server log, do  
the following:  
Step  Action  
1     In the RADIUS server dictionary, define a descriptive string (for example, NSNAS-SSL-Audit-Trail).  
2     Map this string to the Vendor-Type value.  
--End--  
Configuring RADIUS auditing  
To configure the Nortel SNAS to support RADIUS auditing, use the  
following command:  
/cfg/sys/adm/audit  
The Audit menu appears.  
The Audit menu includes the following options:  
/cfg/sys/adm/audit  
followed by:  
servers  
Accesses the RADIUS Audit Servers menu,  
in order to configure external RADIUS audit  
servers for the cluster (see “Managing RADIUS  
vendorid  
Corresponds to the vendor-specific attribute  
used by the RADIUS audit server to identify  
event log information from the Nortel SNAS  
cluster.  
The default Vendor-Id is 1872 (Alteon).  
vendortype  
Corresponds to the Vendor-Type value used  
in combination with the Vendor-Id to identify  
event log information from the Nortel SNAS  
cluster.  
The default Vendor-Type value is 2  
(Alteon-ASA-Audit-Trail).  
ena  
Enables RADIUS auditing.  
The default is disabled.  
dis  
Disables RADIUS auditing.  
The default is disabled.  
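The following is an added Python example, not Nortel code, that builds and checks an RFC 2866 Accounting-Request carrying an event string in a Vendor-Specific attribute with the default Vendor-Id 1872 and Vendor-Type 2, so the dictionary mapping described in the steps above can be exercised against a packet. The attribute set, event text and shared secret are constructed; RFC 2866 carries accounting over UDP, port 1813.

```python
import hashlib
import hmac
import struct

# Defaults from /cfg/sys/adm/audit; attribute and code numbers from RFC 2865/2866.
ALTEON_VENDOR_ID = 1872            # default vendorid
AUDIT_TRAIL_VENDOR_TYPE = 2        # default vendortype (Alteon-ASA-Audit-Trail)
ACCOUNTING_REQUEST = 4             # RADIUS Code for Accounting-Request
USER_NAME, ACCT_STATUS_TYPE, ACCT_SESSION_ID, VENDOR_SPECIFIC = 1, 40, 44, 26


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """RFC 2865 attribute: Type, Length (counts the 2 header octets), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def encode_vsa(vendor_id: int, vendor_type: int, value: bytes) -> bytes:
    """Vendor-Specific (26): Vendor-Id (4 octets), then Vendor-Type, Vendor-Length, value."""
    if len(value) > 247:  # 255 - 2 (outer header) - 4 (Vendor-Id) - 2 (inner header)
        raise ValueError("vendor value too long for one VSA")
    inner = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    return encode_attr(VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + inner)


def build_accounting_request(identifier: int, attrs: bytes, secret: bytes) -> bytes:
    """Accounting-Request; RFC 2866 Request Authenticator is
    MD5(Code + Identifier + Length + 16 zero octets + attributes + secret)."""
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(attrs))
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def verify_accounting_request(packet: bytes, secret: bytes) -> bool:
    """True only for a well-formed Accounting-Request from a peer holding `secret`."""
    if len(packet) < 20:
        return False
    header, authenticator, attrs = packet[:4], packet[4:20], packet[20:]
    code, _ident, length = struct.unpack("!BBH", header)
    if code != ACCOUNTING_REQUEST or length != len(packet):
        return False
    expected = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return hmac.compare_digest(authenticator, expected)


def parse_attrs(attrs: bytes):
    """Yield (type, value) pairs; refuse a bad length instead of mis-parsing."""
    pos = 0
    while pos + 2 <= len(attrs):
        attr_type, length = attrs[pos], attrs[pos + 1]
        if length < 2 or pos + length > len(attrs):
            raise ValueError("malformed attribute length")
        yield attr_type, attrs[pos + 2:pos + length]
        pos += length


def decode_vsa(value: bytes):
    """Return (vendor_id, [(vendor_type, vendor_value), ...]) for one VSA value."""
    if len(value) < 6:
        raise ValueError("VSA too short")
    return struct.unpack("!I", value[:4])[0], list(parse_attrs(value[4:]))


def extract_audit_trail(packet: bytes, secret: bytes,
                        vendor_id: int = ALTEON_VENDOR_ID,
                        vendor_type: int = AUDIT_TRAIL_VENDOR_TYPE):
    """Audit text from the (vendor_id, vendor_type) VSA, or None. None covers both an
    unauthenticated packet and a packet without that VSA, which is what a server whose
    dictionary maps a different Vendor-Id/Vendor-Type would see."""
    if not verify_accounting_request(packet, secret):
        return None
    for attr_type, value in parse_attrs(packet[20:]):
        if attr_type != VENDOR_SPECIFIC:
            continue
        vid, subattrs = decode_vsa(value)
        if vid != vendor_id:
            continue
        for vtype, vvalue in subattrs:
            if vtype == vendor_type:
                return vvalue.decode("utf-8", errors="replace")
    return None


# Constructed sample event for one CLI command, as the manual describes (not a capture).
SAMPLE_SECRET = b"example-shared-secret"
SAMPLE_AUDIT_TEXT = "user=admin session=17 cmd=/cfg/sys/adm/telnet off"


def sample_packet() -> bytes:
    attrs = (encode_attr(USER_NAME, b"admin")
             + encode_attr(ACCT_STATUS_TYPE, struct.pack("!I", 3))  # 3 = Interim-Update
             + encode_attr(ACCT_SESSION_ID, b"17")
             + encode_vsa(ALTEON_VENDOR_ID, AUDIT_TRAIL_VENDOR_TYPE, SAMPLE_AUDIT_TEXT.encode()))
    return build_accounting_request(1, attrs, SAMPLE_SECRET)


if __name__ == "__main__":
    print(extract_audit_trail(sample_packet(), SAMPLE_SECRET))
```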
Managing RADIUS audit servers  
To configure the Nortel SNAS to use external RADIUS audit servers, use  
the following command:  
/cfg/sys/adm/audit/servers  
The RADIUS Audit Servers menu appears.  
The RADIUS Audit Servers menu includes the following options:  
/cfg/sys/adm/audit/servers  
followed by:  
list  
Lists the IP addresses of currently configured  
RADIUS audit servers, by index number.  
del <index number>  
Removes the specified RADIUS audit server  
from the current configuration. The index  
numbers of the remaining entries adjust  
accordingly.  
To view the index numbers of all configured  
RADIUS audit servers, use the list  
command.  
add <IPaddr> <port>  
<shared secret>  
Adds a RADIUS audit server to the  
configuration. You are prompted to enter  
the following information:  
IPaddr—the IP address of the audit server  
port—the TCP port number used for  
RADIUS auditing. The default is 1813.  
shared secret—the password used to  
authenticate the Nortel SNAS to the audit  
server  
The system automatically assigns the next  
available index number to the server.  
insert <index number>  
<IPaddr>  
Inserts a server at a particular position  
in the list of RADIUS audit servers in the  
configuration.  
index number—the index number you  
want the server to have  
IPaddr—the IP address of the audit server  
you are adding  
/cfg/sys/adm/audit/servers  
followed by:  
The index number you specify must be in use.  
The index numbers of existing servers with this  
index number and higher are incremented by  
1.  
move <index number> <new index number>  
Moves a server up or down the list of RADIUS  
audit servers in the configuration.  
index number—the original index number  
of the server you want to move  
new index number—the index number  
representing the new position of the server  
in the list  
The index numbers of the remaining entries  
adjust accordingly.  
Configuring authentication of system users  
You can configure the Nortel SNAS cluster to use an external RADIUS  
server to authenticate system users. Authentication applies to both CLI  
and SREM users.  
The user name and password defined on the RADIUS server must be  
the same as the user name and password defined on the Nortel SNAS.  
When the user logs on, the RADIUS server authenticates the password.  
The user group (admin, oper, or certadmin) is picked up from the local  
definition of the user.  
For more information about specifying user names, passwords, and group  
assignments for Nortel SNAS system users, see “Managing system users  
When you add an external RADIUS authentication server to the  
configuration, the server is automatically assigned an index number. You  
can add several RADIUS authentication servers, for backup purposes.  
Nortel SNAS authentication will be performed by an available server with  
the lowest index number. You can control authentication server usage  
by reassigning index numbers (see “Managing RADIUS authentication  
To configure the Nortel SNAS to support RADIUS authentication of system  
users, use the following command:  
/cfg/sys/adm/auth  
The Authentication menu appears.  
The Authentication menu includes the following options:  
/cfg/sys/adm/auth  
followed by:  
servers  
Accesses the RADIUS Authentication  
Servers menu, in order to configure external  
RADIUS authentication servers for the cluster  
timeout <interval>  
Sets the timeout interval for a connection  
request to a RADIUS server. At the end of  
the timeout period, if no connection has been  
established, authentication will fail.  
interval is an integer that indicates  
the time interval in seconds (s), minutes  
(m), or hours (h). If you do not specify a  
measurement unit, seconds is assumed.  
The range is 1–10000 seconds. The default  
is 10 seconds.  
fallback on|off  
Specifies the desired fallback mode. Valid  
options are:  
on—if the RADIUS servers are  
unreachable, the local passwords defined  
on the Nortel SNAS are used as fallback  
off—if the RADIUS servers are  
unreachable, the only way to access  
the system is to reinstall the software (boot  
install)  
The default is on.  
ATTENTION  
With the fallback mode set to on, unwanted  
access to the Nortel SNAS is possible  
using a serial cable if the network cable  
is disconnected and the local password is  
known.  
/cfg/sys/adm/auth  
followed by:  
ena  
Enables RADIUS authentication of system  
users.  
The default is disabled.  
dis  
Disables RADIUS authentication of system  
users.  
The default is disabled.  
Managing RADIUS authentication servers  
To configure the Nortel SNAS to use external RADIUS servers to  
authenticate system users, use the following command:  
/cfg/sys/adm/auth/servers  
The RADIUS Authentication Servers menu appears.  
The RADIUS Authentication Servers menu includes the following  
options:  
/cfg/sys/adm/auth/servers  
followed by:  
list  
Lists the IP addresses of currently configured  
RADIUS authentication servers, by index  
number.  
del <index number>  
Removes the specified RADIUS authentication  
server from the current configuration. The  
index numbers of the remaining entries adjust  
accordingly.  
To view the index numbers of all configured  
RADIUS authentication servers, use the list  
command.  
/cfg/sys/adm/auth/servers  
followed by:  
add <IPaddr> <port>  
<shared secret>  
Adds a RADIUS authentication server to the  
configuration. You are prompted to enter the  
following information:  
IPaddr—the IP address of the  
authentication server  
port—the TCP port number used for  
RADIUS authentication. The default is  
1813.  
shared secret—the password used  
to authenticate the Nortel SNAS to the  
authentication server  
The system automatically assigns the next  
available index number to the server.  
insert <index number>  
<IPaddr>  
Inserts a server at a particular position in the  
list of RADIUS authentication servers in the  
configuration.  
index number—the index number you  
want the server to have  
IPaddr—the IP address of the  
authentication server you are adding  
The index number you specify must be in use.  
The index numbers of existing servers with this  
index number and higher are incremented by  
1.  
move <index number> <new index number>
Moves a server up or down the list of RADIUS authentication servers in the configuration.
index number—the original index number  
of the server you want to move  
new index number—the index number  
representing the new position of the server  
in the list  
The index numbers of the remaining entries  
adjust accordingly.  
Configuration of auto blacklisting
To configure auto blacklisting, use the following command:
cfg/sys/adm/abl
The Auto Blacklisting menu appears.  
The Auto Blacklisting menu includes the following options:  
cfg/sys/adm/abl  
followed by:  
users <list> <add> <del>
Specifies the user names to be monitored.
list—lists monitored users.
add—adds a user to the list; specify the unique user name.
del—deletes a user from the list; specify the index number.
hosts <list> <add> <del>
Specifies the hosts (IP addresses) to be monitored.
list—lists monitored hosts.
add—adds a host to the list; specify the IP address.
del—deletes a host from the list; specify the index number.
user_atmpt
Specifies the allowed number of failed login attempts to a user account, as attempts/time period. The default value is 10/1h.
host_atmpt
Specifies the allowed number of failed login attempts from a host, as attempts/time period. The default value is 10/1h.
user_purge
Specifies the time period after which failed user attempt records are purged. The default value is 2d.
host_purge
Specifies the time period after which failed host attempt records are purged. The default value is 2d.
show
Shows the details of failed login attempts of users and hosts.
cfg/sys/adm/abl  
followed by:  
clear
Clears all blacklisted users/hosts.
ena
Enables auto blacklisting.
dis
Disables auto blacklisting.
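To make the thresholds concrete, here is an added Python model of the auto blacklisting counters described in this menu. It is not Nortel code: it parses the attempts/time period notation (such as the default 10/1h) and the purge period (2d), keeps a sliding window of failures per monitored user and host, and applies the purge. The sample failures and IP addresses are constructed, and the rule that an entity is blacklisted once failures within the window exceed the allowed count is my reading of "allowed number of failed attempts".

```python
import re
from collections import defaultdict, deque

_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_period(text):
    """Parse a time period such as '1h' or '2d' into seconds (bare number = seconds)."""
    match = re.fullmatch(r"(\d+)([smhd]?)", text.strip())
    if not match:
        raise ValueError("bad time period: %r" % text)
    return int(match.group(1)) * _UNITS[match.group(2) or "s"]


def parse_threshold(text):
    """Parse 'attempts/time period', e.g. the manual's default '10/1h', into (10, 3600)."""
    attempts, period = text.split("/", 1)
    return int(attempts), parse_period(period)


class AutoBlacklist:
    """Sliding-window failed-login tracker for monitored users and hosts.

    Assumption (not stated by the manual): an entity is blacklisted once the
    failures inside the attempt window exceed the allowed count.
    """

    def __init__(self, users, hosts, user_atmpt="10/1h", host_atmpt="10/1h",
                 user_purge="2d", host_purge="2d"):
        self.users, self.hosts = set(users), set(hosts)
        self.user_limit, self.user_window = parse_threshold(user_atmpt)
        self.host_limit, self.host_window = parse_threshold(host_atmpt)
        self.user_purge = parse_period(user_purge)
        self.host_purge = parse_period(host_purge)
        self.user_fail = defaultdict(deque)   # user name -> failure timestamps
        self.host_fail = defaultdict(deque)   # host IP   -> failure timestamps
        self.blacklisted_users, self.blacklisted_hosts = set(), set()

    @staticmethod
    def _purge(table, keep_for, now):
        """Drop failure records older than the purge period."""
        for timestamps in table.values():
            while timestamps and now - timestamps[0] > keep_for:
                timestamps.popleft()

    @staticmethod
    def _in_window(timestamps, window, now):
        return sum(1 for t in timestamps if now - t <= window)

    def record_failure(self, now, user, host):
        """Record one failed login at time `now` (seconds) and update the blacklists."""
        self._purge(self.user_fail, self.user_purge, now)
        self._purge(self.host_fail, self.host_purge, now)
        if user in self.users:
            self.user_fail[user].append(now)
            if self._in_window(self.user_fail[user], self.user_window, now) > self.user_limit:
                self.blacklisted_users.add(user)
        if host in self.hosts:
            self.host_fail[host].append(now)
            if self._in_window(self.host_fail[host], self.host_window, now) > self.host_limit:
                self.blacklisted_hosts.add(host)

    def clear(self):
        """Counterpart of the menu's clear option: forget all blacklisted users and hosts."""
        self.blacklisted_users.clear()
        self.blacklisted_hosts.clear()


# Constructed sample: (seconds, user, host). Eleven failures for "admin" from
# 198.51.100.7 within ten minutes, then one unrelated failure much later.
SAMPLE_FAILURES = ([(t, "admin", "198.51.100.7") for t in range(0, 660, 60)]
                   + [(20000, "admin", "198.51.100.9")])


def run_sample():
    """Feed the constructed failures through the default thresholds (10/1h, purge 2d)."""
    abl = AutoBlacklist(users=["admin"], hosts=["198.51.100.7"])
    for when, user, host in SAMPLE_FAILURES:
        abl.record_failure(when, user, host)
    return sorted(abl.blacklisted_users), sorted(abl.blacklisted_hosts)
```

Only monitored names and addresses are counted, mirroring the users and hosts lists; the purge period is deliberately longer than the attempt window, so the show option can still report failures that no longer count toward the threshold.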
Configuration of harden password  
To configure harden password, use the following command:  
cfg/sys/adm/hardenpass  
The Harden Password menu appears.  
The Harden Password menu includes the following options:  
cfg/sys/adm/hardenpass  
followed by:  
length
Specifies the minimum length of the password. The value ranges from 1 to 511.
lowercase
Specifies the minimum number of lower case characters in the password. The value ranges from 1 to 511.
uppercase
Specifies the minimum number of upper case characters in the password. The value ranges from 1 to 511.
digits
Specifies the minimum number of digits in the password. The value ranges from 1 to 511.
cfg/sys/adm/hardenpass  
followed by:  
others
Specifies the minimum number of other characters in the password. The value ranges from 1 to 511.
retry
Specifies the number of retries to enter the password. The value ranges from 1 to 15.
ena
Enables harden password.
dis
Disables harden password.
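An added Python example (not the product's code) that applies the harden password minimums as a checker: each keyword mirrors a menu option, the 1–511 and 1–15 ranges are enforced, and the retry option is modelled as the number of entries accepted before the prompt gives up. Counting "other" characters as anything that is neither a letter nor a digit is an assumption, and the policy values in the usage are mine; the manual does not list the product's defaults.

```python
def check_password(password, length=1, lowercase=1, uppercase=1, digits=1, others=1):
    """Return the names of harden-password minimums that `password` fails.

    Keyword names mirror the menu options; each minimum must lie in the
    manual's range of 1-511. The defaults here are the bottom of that range,
    not the product's defaults (the manual does not list them). "others" is
    read as characters that are neither letters nor digits (assumption).
    An empty list means the password satisfies the policy.
    """
    minimums = {"length": length, "lowercase": lowercase, "uppercase": uppercase,
                "digits": digits, "others": others}
    for name, minimum in minimums.items():
        if not 1 <= minimum <= 511:
            raise ValueError("%s must be in 1..511, got %d" % (name, minimum))
    counts = {
        "length": len(password),
        "lowercase": sum(1 for c in password if c.islower()),
        "uppercase": sum(1 for c in password if c.isupper()),
        "digits": sum(1 for c in password if c.isdigit()),
        "others": sum(1 for c in password if not c.isalnum()),
    }
    return [name for name, minimum in minimums.items() if counts[name] < minimum]


def accept_within_retries(candidates, retry=3, **policy):
    """Model the retry option (1-15): return the first candidate that passes
    the policy within `retry` entries, or None when the retries are used up."""
    if not 1 <= retry <= 15:
        raise ValueError("retry must be in 1..15, got %d" % retry)
    for password in list(candidates)[:retry]:
        if not check_password(password, **policy):
            return password
    return None


# Example policy (constructed, not the product's defaults):
# length 8, at least one lower, one upper, one digit, one other character.
EXAMPLE_POLICY = dict(length=8, lowercase=1, uppercase=1, digits=1, others=1)
```

Returning the list of failed requirements rather than a bare boolean lets the caller tell the user which minimum was missed, which is what a CLI prompt with a retry budget needs.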
Managing certificates  
Overview  
To use the encryption capabilities of the Nortel SNAS, you must add a key
and certificate that conform to the X.509 standard.
The key and certificate apply to the cluster. It does not matter whether
you connect to the Management IP address (MIP) or Real IP address
(RIP) of a Nortel SNAS device in order to manage Secure Sockets Layer
(SSL) certificates. When you add a key and certificate to one Nortel SNAS
device in the cluster, the information is automatically propagated to all  
other devices in the cluster.  
The Nortel SNAS can support a maximum of 1500 certificates. However,  
only one server certificate can be mapped to a portal server at any one  
time. For information about mapping a certificate to the portal server, see  
If you ran the quick setup wizard during initial setup, a test certificate has  
been installed and mapped to the Nortel SNAS portal.  
You can install new certificates or import or renew existing certificates.  
ATTENTION  
The Nortel SNAS supports keys and certificates created by using Apache-SSL,  
OpenSSL, or Stronghold SSL. However, for greater security, Nortel recommends  
creating keys and generating certificate signing requests from within the Nortel  
SNAS system using the CLI or SREM. This way, the encrypted private key never  
leaves the Nortel SNAS and is invisible to the user.  
Key and certificate formats  
The Nortel SNAS supports importing, saving, and exporting private keys  
and certificates in a number of standard formats. Table 53 "Supported key  
and certificate formats" (page 298) summarizes the supported formats.  
Table 53
Supported key and certificate formats
Format: PEM*
Import/Add: Yes. Export/Save: Yes.
Comment: Encrypts the private key. Combines the private key and certificate in the same file.
ATTENTION
*You must use the PEM format when:
you save keys and certificates by copying
you add a key or certificate by pasting
Format: DER
Import/Add: Yes. Export/Save: Yes.
Comment: Does not encrypt the private key. Allows you to store the private key and certificate in separate files.
Format: NET
Import/Add: Yes. Export/Save: Yes.
Comment: Encrypts the private key. Allows you to store the private key and certificate in separate files.
Format: PKCS12 (also known as PFX)
Import/Add: Yes. Export/Save: Yes.
Comment: Encrypts the private key. Combines the private key and certificate in the same file. Most browsers allow importing a combined key and certificate file in the PKCS12 format.
Format: PKCS7
Import/Add: Yes. Export/Save: No.
Comment: Certificate only.
Format: PKCS8
Import/Add: Yes. Export/Save: No.
Comment: Key only (used in WebLogic).
Format: MS IIS 4
Import/Add: Yes. Export/Save: No.
Comment: Key only (proprietary format).
Format: Netscape Enterprise Server
Import/Add: Yes. Export/Save: No.
Comment: Key only (proprietary format). Requires conversion. For information about the conversion tool, contact Nortel Technical Support (see “How to get help” (page 21)).
Format: iPlanet Server
Import/Add: Yes. Export/Save: No.
Comment: Key only (proprietary format). Requires conversion. For information about the conversion tool, contact Nortel Technical Support (see “How to get help” (page 21)).
Creating certificates  
The basic steps to create a new certificate are:
Step Action
1 Generate a Certificate Signing Request (CSR) (see “Generating
2 Send the CSR to a Certificate Authority (CA), such as Entrust or VeriSign, for certification (see “Generating and submitting a
3 Install the signed certificate on the Nortel SNAS cluster (see
4 Map the installed certificate to the Nortel SNAS portal server
--End--
Installing certificates and keys  
There are two ways to install a certificate and key in the Nortel SNAS  
cluster:  
by importing from a TFTP/FTP/SCP/SFTP server (see “Importing  
When you generate the CSR, the private key is created and stored in  
encrypted form on the Nortel SNAS using the specified certificate number.  
After you receive the certificate, which contains the corresponding public  
key, use the same certificate number when you add the certificate to  
the Nortel SNAS. Otherwise, the private key and the public key in the  
certificate will not match.  
If you do not generate a CSR but obtain the certificate by other means,  
you must take additional steps to add a private key that corresponds to  
the public key of the certificate (see “Adding a private key to the Nortel  
If you use the certificate index number of an installed certificate when  
adding a new certificate, the installed certificate is overwritten.  
After you have installed the certificate, map it to the Nortel SNAS portal  
Saving or exporting certificates and keys  
You can extract copies of certificates and keys to save as backup or to  
install on another device.  
There are two ways to retrieve a certificate and key from the Nortel SNAS  
cluster:  
by exporting to a TFTP/FTP/SCP/SFTP server (see “Exporting a  
The copy-and-paste method saves the certificate and key in PEM format.  
The export method allows you to choose from a variety of file formats.  
Nortel recommends using the PKCS12 format (also known as PFX). Most  
web browsers accept importing a combined key and certificate file in the  
PKCS12 format. For more information about the formats supported on the  
Updating certificates  
To update or renew an existing certificate, do not replace the existing  
certificate by using its certificate number when you generate the CSR or  
add the new certificate. Rather, keep the existing certificate until you have  
verified that the new certificate works as designed.  
The recommended steps to update an existing certificate are:  
Step Action
1 Check the certificate numbers currently in use to identify an unused certificate number.
In the CLI, use the /cfg/cur cert command. In the SREM, use the Certificates > Certificates screen to add a new certificate.
2 Create a new certificate, using an unused certificate number (see
a Generate a CSR.
b Submit the CSR to a CA.
3 When you receive the new, signed certificate, add it to the Nortel
4 Map the new certificate to the portal server (see “Configuring
5 After testing to verify that the new certificate works as intended, delete the old certificate.
In the CLI, use the /cfg/cert <old cert ID> /del command. In the SREM, use the Certificates > Certificates screen to remove the old certificate.
--End--
Managing private keys and certificates  
You can perform the following certificate management tasks in the CLI:  
view, validate, and manage certificates and private keys (see  
generate requests for signed certificates (see “Generating and  
add certificates by copy-and-paste (see “Adding a certificate to the  
add private keys by copy-and-paste (see “Adding a private key to the  
import certificates and private keys (see “Importing certificates and  
save certificates and private keys (see “Displaying or saving a  
export certificates and private keys (see “Exporting a certificate and  
create a self-signed certificate for testing purposes (see “Generating a  
Roadmap of certificate management commands  
The following roadmap lists the CLI commands to configure and manage  
server certificates for the Nortel SNAS cluster. Use this list as a quick  
reference or click on any entry for more information:  
Command  
Parameter  
/cfg/cert <cert id>  
name <name>  
cert  
key  
gensigned server | client  
request  
sign  
test  
import  
export  
display [<pass phrase>]  
show  
info  
subject  
validate  
keysize  
keyinfo  
del  
Managing and viewing certificates and keys  
To view basic information about all certificates configured for the Nortel  
SNAS cluster, use the /info/certs command.  
To manage private keys and certificates, access the Certificate menu by  
using the following command:  
/cfg/cert <cert id>  
where  
cert id is an integer in the range 1–1500  
representing an index number that uniquely  
identifies the certificate in the system.  
If you specify an unused certificate number, the certificate is created.  
The Certificate menu appears.  
The Certificate menu includes the following options:  
/cfg/cert <cert ID>  
followed by:  
name <name>
Names or renames the certificate, as a mnemonic aid.
cert
Lets you paste the contents of a certificate file from a text editor. For more information,
key
Lets you paste the contents of a key file from a text editor. For more information, see “Adding
revoke
Accesses the Revocation menu.
Not supported in Nortel Secure Network Access Switch Software Release 1.6.1.
gensigned server|client
Generates a certificate that is signed using the private key associated with the currently selected certificate.
You are prompted to provide the following parameters: <country> <state or province> <locality> <organization> <organizational unit> <common name> <e-mail address> <validity period> <key size> <CA cert true|false> <serial number> <pass phrase>
server—generates a signed server certificate provided with key use options that are appropriate for server usage. Set the CA cert value to true if you plan to issue your own chained server certificates, generating them from the currently generated server certificate. The CA cert value you specify when generating a certificate translates into the X509v3 Basic Constraints property in the generated certificate. To view the properties of a certificate available on the Nortel SNAS, use the /cfg/cert #/show command.
client—not supported in Nortel Secure Network Access Switch Software Release 1.6.1.
request
Generates a certificate signing request. For more information, see “Generating and
/cfg/cert <cert ID>  
followed by:  
sign
Signs a CSR by using the private key associated with the currently selected certificate. You are prompted to paste in the contents of a CSR.
Client certificates are not supported in Nortel Secure Network Access Switch Software Release 1.6.1.
test
Generates a self-signed certificate and private key for testing purposes. For more information,
import
Installs a private key and certificate by downloading it from a TFTP/FTP/SCP/SFTP server. For more information, see “Importing
export
Exports the current key and certificate to a TFTP/FTP/SCP/SFTP server in a format you specify. For more information, see “Exporting
display [<pass phrase>]
Displays the current key and certificate, in order to save copies as backup or for export to another device. For more information, see “Displaying
The display command allows you to save private keys and certificates in the PEM format. To save a certificate and key in another format, use the /cfg/cert #/export command.
show
Displays detailed information about the certificate, excluding the certificate name.
info
Displays the serial number, the expiration date, and the values specified for the subject part of the current certificate.
/cfg/cert <cert ID>  
followed by:  
subject
Displays detailed information about the subject part of the current certificate.
For example:
C/countryName (2.5.4.6) = US
where:
countryName is the mnemonic name
2.5.4.6 is the object identifier (OID)
US is the value
validate
Validates that the private key matches the public key in the current certificate.
keysize
Displays the key size of the private key in the current certificate.
keyinfo
Displays information about how the private key associated with the currently selected certificate is protected. For the Nortel SNAS, private keys are protected by the cluster.
del
Removes the current certificate and private key.
Generating and submitting a CSR  
To prepare a CSR for submission to a CA, perform the following steps:  
Step Action
1 Access the Certificate menu by using the /cfg/cert <cert id> command, where:
to generate a CSR for a new certificate, <cert id> is an unused certificate number
to generate a CSR to renew an existing certificate, <cert id> is the existing certificate number
2 Prepare the CSR. Enter the following command:
/cfg/cert #/request
You are prompted to enter the certificate request information.
parameters. The combined length of the parameters cannot  
exceed 225 bytes.  
Table 54
CSR information
Prompt: Country Name (2 letter code):
Description: The two-letter ISO code for the country where the web server is located. For current information about ISO country codes, see http://www.iana.org.
Prompt: State or Province Name (full name):
Description: The name of the state or province where the head office of the organization is located. Enter the full name of the state or province.
Prompt: Locality Name (e.g., city):
Description: The name of the city where the head office of the organization is located.
Prompt: Organization Name (e.g., company):
Description: The registered name of the organization. The organization must own the domain name that appears in the common name of the web server. Do not abbreviate the organization name and do not use any of the following characters:
< > ~ ! @ # $ % ^ * / \ ( ) ?
Prompt: Organizational Unit Name (e.g., section):
Description: The name of the department or group that uses the secure web server.
Prompt: Common Name (e.g., your name or your server’s hostname):
Description: The name of the web server as it appears in the URL. The name must be the same as the domain name of the web server that is requesting a certificate. If the web server name does not match the common name in the certificate, some browsers will refuse a secure connection with your site. Do not enter the protocol specifier (http://) or any port numbers or pathnames in the common name. Wildcards (such as * or ?) and IP addresses are not allowed.
Prompt: E-mail Address:
Description: The user’s e-mail address.
Prompt: Subject alternative name (blank or comma separated list of URI:<uri>, DNS:<fqdn>, IP:<ip-address>, email:<email-address>):
Description: Specifies alternative information for the subject if you did not provide a Common Name or e-mail address. The required information is a comma-separated list as follows:
URI:<uri>, a Uniform Resource Identifier
DNS:<fqdn>, the fully qualified domain name
IP:<ip-address>
email:<email-address>
Prompt: Generate new key pair (y/n) [y]:
Description: Specifies whether you want to generate a new pair of private and public keys. The default is y (yes).
If you are creating a CSR for a new certificate, accept the option to generate a new key pair.
If a configured certificate is approaching its expiration date and you want to renew it without replacing the existing key, specify n (no). The CSR will be based on the existing key for the specified certificate number.
Prompt: Key size [1024]:
Description: The length of the generated key, in bits. The default value is 1024.
Prompt: Request a CA certificate (y/n) [n]:
Description: Specifies whether to request a CA certificate to use for client authentication. Request a CA certificate if you plan to issue your own server certificates or client certificates, generating them from the requested CA certificate. The default is n (no).
Prompt: Specify challenge password (y/n) [n]:
Description: Specifies a password to be used during manual revocation of the certificate.
3 Generate the CSR.
After you have provided the required information, press Enter. The CSR is generated and displayed on the screen.
4 Apply the changes.
The private key is created and stored in encrypted form on the Nortel SNAS using the specified certificate number.
for the /cfg/cert #/request command. For more information about the Certificate menu commands, see “Managing and
Figure 15
Generating a CSR
5 Save the CSR to a file.
a Copy the entire CSR, including the -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST----- lines, and paste it into a text editor.
b Save the file with a .csr extension. Nortel recommends using a file name that indicates the server on which the certificate is to be used.
6 Save the private key to a file.
If you intend to use the same certificate number when you add the returned certificate to the Nortel SNAS, perform this step only if you want to create a backup copy of the private key.
If you do not intend to use the same certificate number when you add the returned certificate to the Nortel SNAS, you must perform this step in order to create the key file. When you add the returned certificate to the Nortel SNAS using a different certificate number, you will have to associate the private key with the new certificate by pasting or importing the contents of the key
a Display the certificate and key (see “Displaying or saving a
b Copy the private key, including the -----BEGIN RSA PRIVATE KEY----- and -----END RSA PRIVATE KEY----- lines, and paste it into a text editor.
c Save the text editor file with a .pem extension. Nortel recommends using the same file name that you defined for the .csr file (see step 5), so the connection between the two files is obvious.
7 Submit the CSR to a CA such as Entrust or VeriSign.
a In a text editor, open the .csr file you created in step 5.
b Copy the entire CSR, including the -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST----- lines.
c Use your web browser to access the CA web site and follow the online instructions. The process for submitting the CSR varies with each CA. When prompted, paste the CSR as required in the CA online request process. If the CA requires you to identify a server software vendor whose software you used to generate the CSR, specify Apache.
8 The CA processes the CSR and returns a signed certificate.
Create a backup copy of the certificate (see “Displaying or
The certificate is ready to be added into the Nortel SNAS cluster
--End--
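Validating the answers before you type them into /cfg/cert #/request saves a round trip to the CA. The Python below is an added example, not part of the Nortel documentation or product: it checks the Table 54 rules (two-letter country code, the forbidden Organization Name characters, no protocol specifier, port number, pathname, wildcard or IP address in the Common Name, the URI:/DNS:/IP:/email: forms of the subject alternative name, and the 225-byte combined length). Which prompts count toward the 225 bytes, and that the SAN is required only when both Common Name and e-mail are blank, are my assumptions; the sample values are constructed.

```python
import ipaddress
import re

# Characters Table 54 forbids in the Organization Name prompt.
ORG_FORBIDDEN = set("<>~!@#$%^*/\\()?")
# Entry types Table 54 lists for the Subject alternative name prompt.
SAN_PREFIXES = ("URI:", "DNS:", "IP:", "email:")
MAX_COMBINED_BYTES = 225

_SCHEME_RE = re.compile(r"^[a-z][a-z0-9+.-]*://", re.I)
_HOSTNAME_RE = re.compile(
    r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$")


def _is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def check_common_name(cn):
    """Problems with a Common Name answer, following the Table 54 rules."""
    problems = []
    rest = cn
    if _SCHEME_RE.match(cn):
        problems.append("common name must not include a protocol specifier")
        rest = _SCHEME_RE.sub("", cn)
    if re.search(r":\d+", rest):
        problems.append("common name must not include a port number")
    if "/" in rest:
        problems.append("common name must not include a pathname")
    if "*" in rest or "?" in rest:
        problems.append("common name must not contain wildcards")
    if _is_ip(rest):
        problems.append("common name must not be an IP address")
    return problems


def check_san(san):
    """Problems with a Subject alternative name answer (blank is allowed)."""
    problems = []
    for raw in filter(None, (part.strip() for part in san.split(","))):
        kind, _, value = raw.partition(":")
        if kind + ":" not in SAN_PREFIXES or not value:
            problems.append("SAN entry %r must be URI:, DNS:, IP: or email:" % raw)
        elif kind == "IP" and not _is_ip(value):
            problems.append("SAN IP entry %r is not an IP address" % value)
        elif kind == "DNS" and not _HOSTNAME_RE.match(value):
            problems.append("SAN DNS entry %r is not a valid FQDN" % value)
        elif kind == "email" and "@" not in value:
            problems.append("SAN email entry %r is not an e-mail address" % value)
    return problems


def validate_csr_fields(country, state, locality, org, org_unit,
                        common_name, email, san=""):
    """Validate answers to the CSR prompts; returns a list of problems (empty = OK)."""
    problems = []
    if not re.fullmatch(r"[A-Z]{2}", country):
        problems.append("country must be a two-letter ISO code")
    forbidden = sorted(ORG_FORBIDDEN.intersection(org))
    if forbidden:
        problems.append("organization contains forbidden characters: "
                        + " ".join(forbidden))
    if common_name:
        problems += check_common_name(common_name)
    elif not email and not san.strip():
        # Reading of Table 54: the SAN stands in when CN and e-mail are both blank.
        problems.append("subject alternative name required when common name "
                        "and e-mail address are blank")
    problems += check_san(san)
    # Assumption: the 225-byte ceiling is taken over the subject prompts; the
    # manual does not say which answers count toward it.
    combined = sum(len(v.encode("utf-8")) for v in
                   (country, state, locality, org, org_unit, common_name, email))
    if combined > MAX_COMBINED_BYTES:
        problems.append("combined parameter length %d exceeds %d bytes"
                        % (combined, MAX_COMBINED_BYTES))
    return problems
```

The checker only covers syntax; whether the country code is a real ISO code or the organization owns the domain is for the CA to verify. Separately from the table, note that the Key size default of 1024 bits shown above is below the 2048-bit floor that public CAs and current guidance require for RSA, so choose a larger value at that prompt.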
Adding a certificate to the Nortel SNAS  
The following steps describe how to install a certificate (and key, if  
applicable) using the copy-and-paste method.  
The certificate (and key, if applicable) must be in PEM format.  
ATTENTION  
Nortel recommends performing copy-and-paste operations using a Telnet or  
SSH client to connect to the MIP. If you use a console connection to connect to  
one of the Nortel SNAS devices in the cluster, you may find that HyperTerminal  
under Microsoft Windows is slow to complete copy-and-paste operations.  
Step Action
1 Access the Certificate menu by using the /cfg/cert <cert id> command, where <cert id> is the certificate number.
If you obtained the certificate by using the /cfg/cert #/request command to generate the CSR, specify the same certificate number as the certificate number you used to generate the CSR. In this way, the private key remains connected to the certificate number, and you do not need to perform an additional step to add the private key.
If you obtained the certificate by means other than using the /cfg/cert #/request command to generate the CSR, specify a certificate number not used by any other configured certificate. If the private key and the certificate are not contained in the same file, you will have to perform an additional step to add the
310)).
To view basic information about configured certificates, use the /info/certs command.
To verify that the current certificate number is not in use by an installed certificate, use the /cfg/cert #/show command.
2 Copy the certificate.
a In a text editor, open the certificate file you received from the CA.
b Copy the entire contents, including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines.
If the certificate file contains the private key as well, also include the entire contents of the key, including the -----BEGIN RSA PRIVATE KEY----- and -----END RSA PRIVATE KEY----- lines.
3 Add the certificate.
a Enter the following command:
/cfg/cert #/cert
b Paste the certificate at the command prompt.
c Press Enter to create a new line, and then enter an ellipsis (...) to terminate.
d If you are pasting in the private key at the same time, and if the key has been password protected, you are prompted to enter the password phrase. The password phrase required is the one specified when the key was created or exported.
4 Apply the changes.
If you obtained the certificate by using the /cfg/cert #/request command to generate the CSR and are using the same certificate number, the certificate is now fully installed.
If you obtained the certificate by means other than using the /cfg/cert #/request command to generate the CSR and are using a new certificate number, you must now add the corresponding private key (see “Adding a private key to the
sample output for the /cfg/cert #/cert command. For more information about the Certificate menu commands, see
ATTENTION
Depending on the type of certificate the CA generates (registered or chain), your certificate may be substantially different from the sample output. Be sure to copy and paste the entire contents of the certificate file.
Figure 16  
Adding a certificate by pasting  
--End--  
Adding a private key to the Nortel SNAS  
Step Action
1 Access the Certificate menu by using the /cfg/cert <cert id> command, where <cert id> is the certificate number.
Use the same certificate number you used when pasting the certificate.
2 Copy the contents of the private key file.
a Locate the file containing the private key. Make sure the key file corresponds with the certificate file you received from the CA. The public key contained in the certificate works in concert with the related private key to handle SSL transactions.
b In a text editor, open the key file.
c Copy the entire contents, including the -----BEGIN RSA PRIVATE KEY----- and -----END RSA PRIVATE KEY----- lines.
3 Add the private key.
a Enter the following command:
/cfg/cert #/key
b Paste the contents of the key file at the command prompt.
c Press Enter to create a new line, and then enter an ellipsis (...) to terminate.
d If the key is password protected, you are prompted to enter the password phrase. The password phrase required is the one you specified when saving or exporting the private key.
4 Apply the changes.
The certificate and private key are now fully installed.
sample output for the /cfg/cert #/key command. For more information about the Certificate menu commands, see
Figure 17  Adding a private key by pasting (sample CLI output; image not reproduced)
--End--  
Importing certificates and keys into the Nortel SNAS
You can import certificates and private keys into the Nortel SNAS using
TFTP, FTP, SCP, or SFTP. For information about the formats supported
To import a certificate and private key into the Nortel SNAS, perform the
following steps.
Step  Action
1  Upload the certificate file and key file to the file exchange server.
   ATTENTION
   You can arrange to include your private key in the certificate file.
   When the Nortel SNAS retrieves the specified certificate file from the
   file exchange server, the Nortel SNAS software analyzes the contents
   and automatically adds the private key, if present.
2  Access the Certificate menu by using the /cfg/cert <cert id> command,
   where <cert id> is the certificate number.
   To install a new certificate, specify an unused certificate number.
   To replace an installed certificate, specify the installed certificate
   index number.
   To view basic information about all configured certificates, use the
   /info/certs command. To verify that the current certificate number is
   not in use by an installed certificate, use the /cfg/cert #/show
   command.
3  Import the certificate. Enter the following command:
   /cfg/cert #/import
   You are prompted to enter the certificate and private key import
   information. If the private key has been password protected, you are
   prompted for the correct password phrase as well. Table 55 "Certificate
   and key import information" explains the required parameters.

Table 55  Certificate and key import information
Parameter                       Description
Protocol                        The file import protocol. The options are
                                TFTP, FTP, SCP, SFTP. The default is TFTP.
Server host name or IP address  The host name or IP address of the file
                                exchange server.
File name                       The name of the file on the file exchange
                                server.
[FTP user name and password]    For FTP, SCP, and SFTP, the user name and
                                password to access the file exchange server.
                                The default is anonymous.
                                For anonymous mode, the Nortel SNAS uses the
                                following string as the password (for logging
                                purposes): admin@<hostname>.isd.
[Pass phrase]                   If the key is password protected, the
                                password phrase specified when the key was
                                created or exported. The password phrase
                                must be at least four characters in length.

4  If the private key was not included in the certificate file, repeat
   step 3 to import the key file, then go to step 5.
5  Apply the changes.
   The certificate and private key are now fully installed.
Figure 18 "Adding a certificate and private key by importing" (page 316)
shows sample output for the /cfg/cert #/import
command. For more information about the Certificate menu
Figure 18  Adding a certificate and private key by importing (sample CLI output; image not reproduced)
--End--  
Displaying or saving a certificate and key  
You can display the current certificate and private key and then save  
copies as backup or for export to another device.  
When you display the certificate and private key, you are prompted to  
protect it with a password phrase. Nortel recommends adding a password  
phrase, because this adds an extra layer of security.  
Save the certificate by copying the certificate section and pasting it into a  
text editor, then saving the text file with a .PEM extension. Similarly, save  
the private key by copying the key section and pasting it into a text editor,  
then saving the text file with a .PEM extension. You can also save both the  
certificate and the private key in one file, with a .PEM extension.  
To save a certificate and key in another format, use the /cfg/cert  
To display the current certificate and key or save a copy, perform the  
following steps.  
Step  Action
1  Access the Certificate menu by using the /cfg/cert <cert id> command,
   where <cert id> is the certificate number of the certificate you wish
   to copy.
   To view basic information about all configured certificates, use the
   /info/certs command.
2  Display the private key and certificate. Enter the following command:
   /cfg/cert #/display
3  When prompted, specify whether or not the key will be encrypted. The
   default is yes.
4  When prompted, specify a password phrase if you wish to password
   protect the private key. The password phrase must contain at least
   four characters.
   If you specify a password phrase, the password phrase must be provided
   on all occasions in future when the private key file is accessed (for
   example, when adding, importing, or exporting private keys and
   certificates).
5  Copy the private key, certificate, or both, as required.
   For the private key, ensure that you include the -----BEGIN RSA PRIVATE
   KEY----- and -----END RSA PRIVATE KEY----- lines.
   For the certificate, ensure that you include the -----BEGIN
   CERTIFICATE----- and -----END CERTIFICATE----- lines.
6  Paste the private key, certificate, or both into a text editor.
7  Save the file with a .PEM extension.
Figure 19 "Displaying a private key and certificate" (page 318) shows sample
output for the /cfg/cert #/display command. For more information about the
Certificate menu
Figure 19  Displaying a private key and certificate (sample CLI output; image not reproduced)
--End--  
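Before pasting a file with /cfg/cert #/key or fetching it with /cfg/cert #/import, an operator wants to know that the BEGIN and END lines described above are intact, whether the file combines a certificate with its private key (which the import step picks up automatically), and whether that key is protected by a pass phrase. The following Python inspector is an added example, not Nortel code; the PEM bodies in its sample are constructed minimal DER, not a real certificate or key.

```python
"""Inspect a PEM file before pasting or importing it into the Nortel SNAS.

Added example (not Nortel code). It splits a file into its PEM blocks,
checks that each block is complete and well formed, and reports whether a
private key is present and whether it is pass phrase protected, which is
what decides whether /cfg/cert #/key or #/import will prompt for a phrase.
"""
import base64
import binascii
import re
from dataclasses import dataclass, field

_BEGIN = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----$")
_END = re.compile(r"^-----END ([A-Z0-9 ]+)-----$")
KEY_LABELS = {"RSA PRIVATE KEY", "PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}


@dataclass
class PemBlock:
    label: str          # text between the BEGIN/END dashes, e.g. CERTIFICATE
    der: bytes          # decoded body (empty when the body is unusable)
    encrypted: bool     # legacy "Proc-Type: 4,ENCRYPTED" header or PKCS#8 label
    errors: list = field(default_factory=list)


def _finish(label, headers, body, end_label):
    """Validate one block once its END line (end_label) has been seen."""
    errors = []
    if end_label != label:
        errors.append("END label %r does not match BEGIN label %r" % (end_label, label))
    try:
        der = base64.b64decode("".join(body), validate=True)
    except (binascii.Error, ValueError):
        der, errors = b"", errors + ["body is not valid base64"]
    if der and der[0] != 0x30:
        errors.append("body does not start with a DER SEQUENCE")
    encrypted = label == "ENCRYPTED PRIVATE KEY" or any(
        h.startswith("Proc-Type:") and "ENCRYPTED" in h for h in headers)
    return PemBlock(label, der, encrypted, errors)


def parse_pem(text):
    """Return the PEM blocks found in text, in order.

    A block with a missing or mismatched END line, a bad base64 body or a
    body that is not a DER SEQUENCE is returned with its errors filled in
    rather than dropped, so the caller can refuse to paste it.
    """
    blocks, label, headers, body = [], None, [], []
    for raw in text.splitlines():
        line = raw.strip()
        m = _BEGIN.match(line)
        if m and label is None:
            label, headers, body = m.group(1), [], []
            continue
        m = _END.match(line)
        if m and label is not None:
            blocks.append(_finish(label, headers, body, m.group(1)))
            label = None
            continue
        if label is None or not line:
            continue
        if ":" in line and not body:
            headers.append(line)   # RFC 1421 header such as Proc-Type / DEK-Info
        else:
            body.append(line)
    if label is not None:
        blocks.append(PemBlock(label, b"", False, ["missing END line"]))
    return blocks


def summarize(text):
    """Answer the questions an operator needs before adding or importing."""
    blocks = parse_pem(text)
    certs = [b for b in blocks if b.label == "CERTIFICATE"]
    keys = [b for b in blocks if b.label in KEY_LABELS]
    return {
        "certificates": len(certs),
        "private_keys": len(keys),
        "key_encrypted": any(k.encrypted for k in keys),
        "combined_file": bool(certs and keys),   # key is picked up by #/import
        "errors": [e for b in blocks for e in b.errors],
    }


# Constructed sample: each body is a minimal DER SEQUENCE (30 03 02 01 05),
# not a real certificate or key; only the PEM framing is exercised.
SAMPLE_COMBINED = """\
-----BEGIN CERTIFICATE-----
MAMCAQU=
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0123456789ABCDEF

MAMCAQU=
-----END RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_COMBINED).items():
        print("%-14s %s" % (key, value))
```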
Exporting a certificate and key from the Nortel SNAS
You can export certificate files and key files from the Nortel SNAS using
TFTP, FTP, SCP, or SFTP. For information about the formats supported
To export a certificate and key from the Nortel SNAS, perform the following
steps.
Step  Action
1  Access the Certificate menu by using the /cfg/cert <cert id> command,
   where <cert id> is the certificate number of the certificate you wish
   to export.
   To view basic information about all configured certificates, use the
   /info/certs command.
2  Export the certificate. Enter the following command:
   /cfg/cert #/export
   You are prompted to enter the certificate and key export information.
   The file is exported as soon as you have provided all the required
   information. Table 56 "Certificate and key export information"
   (page 319) explains the required parameters.

Table 56  Certificate and key export information
Parameter                       Description
Protocol                        The file export protocol. The options are
                                TFTP, FTP, SCP, SFTP. The default is TFTP.
Server host name or IP address  The host name or IP address of the file
                                exchange server.
Export format                   The key and certificate format in which you
                                want to export the key and certificate.
                                Valid options are:
                                - PEM
                                - DER
                                - NET
                                - PKCS12 (also known as PFX)
                                The PEM and PKCS12 formats always combine
                                the private key and certificate in the same
                                file.
                                Nortel recommends using the PKCS12 format.
                                Most web browsers accept importing a
                                combined key and certificate file in the
                                PKCS12 format.
                                The formats have different capabilities
                                regarding private key encryption and the
                                ability to save the key and certificate in
                                separate files. For more information about
                                the formats, see
Export pass phrase              The password phrase to encrypt the private
                                key. The password phrase must be at least
                                four characters in length.
Reconfirm export pass phrase    Re-enter the password phrase for
                                confirmation.
Table 56  Certificate and key export information (cont’d.)
Parameter                       Description
Key and certificate file name   The name of the file on the file exchange
                                server. If you are using a format that saves
                                the private key and certificate in the same
                                file, you are prompted for the combined file
                                name. If you are using a format that saves
                                the private key and certificate in separate
                                files, you are prompted separately for the
                                key file name and the certificate file name.
[FTP user name and password]    For FTP, SCP, and SFTP, the user name and
                                password to access the file exchange server.
                                The default is anonymous.

Figure 20 "Exporting a certificate and private key" (page 320) shows sample
output for the /cfg/cert #/export command. For more information about the
Certificate menu
Figure 20  Exporting a certificate and private key (sample CLI output; image not reproduced)
--End--
Generating a test certificate  
You can generate a self-signed certificate and private key for testing  
purposes.  
The certificate is generated immediately after you have provided all  
the required information. However, the test certificate and key are not  
activated until you apply the changes.  
To generate a test certificate, perform the following steps:
Step  Action
1  Access the Certificate menu by using the /cfg/cert <cert id> command,
   where <cert id> is an unused certificate number.
2  Generate the test certificate. Enter the following command:
   /cfg/cert #/test
   You are prompted to enter the following parameters. The combined
   length of the parameters cannot exceed 225 bytes.
   - country name (2-letter code)
   - state or province name
   - locality name
   - organization name
   - organizational unit name
   - common name
   - e-mail address
   - subject alternative name
   - validity period—the default is 365 days
   - key size—the default is 1024 bits
   For more information about the parameters, see Table 54 "CSR
3  Apply the changes.
--End--
Configuring SNMP  
Simple Network Management Protocol (SNMP) is a set of protocols  
for managing complex networks. SNMP works by sending messages,  
called protocol data units (PDU), to different parts of a network. The  
SNMP-compliant agents on the Nortel SNAS devices store data about  
themselves in Management Information Bases (MIB) and return this data  
to the SNMP requesters.  
There is one SNMP agent on each Nortel SNAS device, and the agent  
listens to the Real IP address (RIP) of that particular device. On the Nortel  
SNAS that currently holds the cluster Management IP address (MIP), the  
SNMP agent also listens to the MIP.  
The SNMP agent supports SNMP version 1, version 2c, and version 3.  
Notification targets (the SNMP managers receiving trap messages sent by  
the agent) can be configured to use SNMP v1, v2c, and v3. The default  
is SNMP v2c. You can specify any number of notification targets on the  
Nortel SNAS.  
For information about the MIBs supported on the Nortel SNAS, see  
Configuring SNMP  
To configure SNMP for the Nortel SNAS network, access the SNMP menu  
by using the following command:  
/cfg/sys/adm/snmp  
From the SNMP menu, you can configure and manage the following:
- general settings for SNMP management of the cluster (see “Configuring
  SNMP settings” (page 325))
- parameters in the standard SNMPv2 MIB (see “Configuring the SNMP v2
  MIB” (page 326))
- monitor, control, and trap community names (see “Configuring the SNMP
  community” (page 327))
- SNMPv3 users (see “Configuring SNMPv3 users” (page 328))
- SNMP notification targets (see “Configuring SNMP notification targets”
  (page 331))
- SNMP monitors and events (see “Configuring SNMP events” (page 332))
Roadmap of SNMP commands
The following roadmap lists the CLI commands to configure SNMP. Use
this list as a quick reference or click on any entry for more information:
Command                                 Parameter
/cfg/sys/adm/snmp                       ena
                                        dis
                                        versions <v1 | v2c | v3>
/cfg/sys/adm/snmp/snmpv2-mib            sysContact <contact>
                                        snmpEnable disabled | enabled
/cfg/sys/adm/snmp/community             read <name>
                                        write <name>
                                        trap <name>
/cfg/sys/adm/snmp/users <user ID>       name <name>
                                        seclevel none | auth | priv
                                        permission get | set | trap
                                        authproto md5 | sha
                                        authpasswd <password>
                                        privproto des | aes
                                        privpasswd <password>
                                        del
/cfg/sys/adm/snmp/target <target ID>    ip <IPaddr>
                                        port <port>
                                        version v1 | v2c | v3
                                        del
/cfg/sys/adm/snmp/event                 addmonitor [<options>] -b <name>
                                        <OID> <op> <value>
                                        addmonitor [<options>] -t <name>
                                        <OID> <value and event>
                                        addmonitor [<options>] -x <name>
                                        <OID> [present|absent|changed]
                                        delmonitor <name>
                                        addevent [-c <comment>] <name>
                                        <notification> [<OID...>]
                                        delevent <name>
                                        list
Configuring SNMP settings  
To configure SNMP management of the Nortel SNAS cluster, use the  
following command:  
/cfg/sys/adm/snmp  
The SNMP menu appears.  
The SNMP menu includes the following options:
/cfg/sys/adm/snmp
followed by:
ena
    Enables network management using SNMP. The default is enabled.
dis
    Disables network management using SNMP.
/cfg/sys/adm/snmp
followed by:
versions <v1|v2c|v3>
    Specifies the SNMP versions allowed. Enter one or more of the
    following options:
    - v1—SNMP version 1
    - v2c—SNMP version 2c
    - v3—SNMP version 3
    To configure support for multiple versions, use a comma to separate
    the entries. The default is all versions (v1, v2c, v3).
snmpv2-mib
    Accesses the SNMPv2-MIB menu, in order to configure parameters in the
    standard SNMP v2 MIB for the system (see “Configuring the SNMP v2 MIB”
    (page 326)).
community
    Accesses the SNMP Community menu, in order to configure the community
    aspects of SNMP monitoring (see “Configuring the SNMP community”
    (page 327)).
users
    Accesses the SNMP User menu, in order to manage SNMPv3 users (see
    “Configuring SNMPv3 users” (page 328)).
target
    Accesses the Notification Target menu, in order to configure the
    notification target aspects of SNMP monitoring (see “Configuring SNMP
    notification targets” (page 331)).
event
    Accesses the Event menu, in order to create custom monitoring
    definitions for the objects in the DISMAN-EVENT-MIB (see “Configuring
    SNMP events” (page 332)).
Configuring the SNMP v2 MIB  
To configure parameters in the standard SNMPv2 MIB, use the following  
command:  
/cfg/sys/adm/snmp/snmpv2-mib  
The SNMPv2-MIB menu appears.  
The SNMPv2-MIB menu includes the following options:  
/cfg/sys/adm/snmp/snmpv2-mib
followed by:
sysContact <contact>
    Designates a contact person for the managed Nortel SNAS cluster.
    contact is a string specifying the designated contact person’s name,
    together with information about how to contact this person.
snmpEnable disabled|enabled
    Enables or disables generating authentication failure traps. The
    default is disabled.
Configuring the SNMP community  
To configure the community aspects of SNMP monitoring, use the  
following command:  
/cfg/sys/adm/snmp/community  
The SNMP Community menu appears.  
The SNMP Community menu includes the following options:  
/cfg/sys/adm/snmp/community
followed by:
read <name>
    Specifies the monitor community name that grants read access to the
    MIB. If you do not specify a monitor community name, read access is
    not granted.
    The default monitor community name is public.
write <name>
    Specifies the control community name that grants read and write
    access to the MIB. If you do not specify a control community name,
    neither read nor write access is granted.
trap <name>
    Specifies the trap community name that accompanies trap messages sent
    to the SNMP manager. If you do not specify a trap community name, the
    sending of trap messages is disabled.
    The default trap community name is trap.
Configuring SNMPv3 users  
The Nortel SNAS manages SNMPv3 users based on the User-based  
Security Model (USM) for SNMP version 3. For more information about  
USM, see RFC3414.  
To manage SNMPv3 users in the Nortel SNAS configuration, use the  
following command:  
/cfg/sys/adm/snmp/users <user ID>  
where user ID is an integer in the range 1 to 1024 that uniquely identifies  
the SNMPv3 user in the Nortel SNAS cluster.  
When you first create the user, you must enter the user ID. After you have  
created the user, you can use either the ID or the name to access the user  
for configuration.  
When you first create the user, you are prompted to enter the following
parameters:
- user name—a string that uniquely identifies the USM user in the Nortel
  SNAS cluster. The maximum length of the string is 255 characters.
  After you have defined a name for the user, you can use either the
  user name or the user ID to access the SNMP User menu.
- security level—the degree of SNMP USM security. Valid options are:
  - none—SNMP access is granted without authentication.
  - auth—SNMP user must provide a verified password before SNMP access
    is granted. You are later prompted to specify the required password
    (auth password). SNMP information is transmitted in plain text.
  - priv—SNMP user must provide a verified password before SNMP access
    is granted, and all SNMP information is encrypted with the user’s
    individual key. You are later prompted to specify the required
    password (auth password) and encryption key (priv password).
  The default is priv.
- permission—the USM user’s privileges. Valid options are:
  - get—USM user is authorized to perform SNMP get requests (read access
    to the MIB).
  - set—USM user is authorized to perform SNMP set requests (write access
    to the MIB). Write access automatically implies read access as well.
  - trap—USM user is authorized to receive trap event messages and alarm
    messages.
- authentication protocol—the protocol to be used to authenticate the
  USM user. Valid options are:
  - md5
  - sha
  The default is md5.
- auth password—a string of at least eight characters specifying the
  password for USM user authentication. The password is required if the
  security level is set to auth or priv.
- privacy protocol—the protocol used for encryption. Valid options are:
  - des
  - aes
  The default is des.
- priv password—a string of at least eight characters specifying the USM
  user’s individual encryption key. The password is required if the
  security level is set to priv.
The SNMP User menu appears.  
The SNMP User menu includes the following options:  
/cfg/sys/adm/snmp/users <user ID>
followed by:
name <name>
    Names or renames the USM user. After you have defined a name for the
    user, you can use either the user name or the user ID to access the
    SNMP User menu.
    name is a string that must be unique in the cluster. The maximum
    length of the string is 255 characters.
/cfg/sys/adm/snmp/users <user ID>
followed by:
seclevel none|auth|priv
    Specifies the degree of SNMP USM security. Valid options are:
    - none—SNMP access is granted without authentication.
    - auth—the SNMP user must provide a verified password before SNMP
      access is granted. You are later prompted to specify the required
      password (auth password). SNMP information is transmitted in plain
      text.
    - priv—the SNMP user must provide a verified password before SNMP
      access is granted, and all SNMP information is encrypted with the
      user’s individual key. You are later prompted to specify the
      required password (auth password) and encryption key (priv
      password).
    The default is priv.
permission get|set|trap
    Specifies the USM user’s privileges. Valid options are:
    - get—USM user is authorized to perform SNMP get requests (read
      access to the MIB).
    - set—USM user is authorized to perform SNMP set requests (write
      access to the MIB). Write access automatically implies read access
      as well.
    - trap—USM user is authorized to receive trap event messages and
      alarm messages.
    Enter the desired permissions, separated by a comma (,).
/cfg/sys/adm/snmp/users <user ID>
followed by:
authproto md5|sha
    Specifies the protocol to be used to authenticate the USM user. Valid
    options are:
    - md5
    - sha
    The default is md5.
authpasswd <password>
    Specifies the password for USM user authentication. The password is
    required if the security level is set to auth or priv.
    password is a string that must be at least eight characters long.
privproto des|aes
    Specifies the protocol used for encryption. Valid options are:
    - des
    - aes
    The default is des.
privpasswd <password>
    Specifies the USM user’s individual encryption key. The password is
    required if the security level is set to priv.
    password is a string that must be at least eight characters long.
del
    Removes the USM user from the configuration.
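The community and user menus above fix the constraints an SNMP configuration must meet (a user ID in the range 1 to 1024, a unique name of at most 255 characters, auth and priv passwords of at least eight characters, which password each security level requires) and the default community names. The following Python audit is an added example, not Nortel code: its "error" findings are those stated rules, while the high/medium/low ranking of the remaining choices (v1/v2c community strings, seclevel none or auth, md5 and des) is the example's own defender-side judgement. Both configurations it checks are constructed.

```python
"""Audit SNMP settings of the kind built under /cfg/sys/adm/snmp.

Added example (not Nortel code). The "error" rules are the constraints the
menu descriptions state; the high/medium/low findings are this example's
own ranking of the weaker choices among the options the menu offers.
"""
from dataclasses import dataclass, field

MIN_PASSWORD = 8          # authpasswd and privpasswd: at least eight characters
MAX_NAME = 255            # USM user name length limit
DEFAULT_READ = "public"   # default monitor community name
DEFAULT_TRAP = "trap"     # default trap community name


@dataclass
class UsmUser:
    """One /cfg/sys/adm/snmp/users <user ID> entry."""
    user_id: int
    name: str
    seclevel: str = "priv"
    permission: frozenset = frozenset({"get"})
    authproto: str = "md5"
    authpasswd: str = ""
    privproto: str = "des"
    privpasswd: str = ""


@dataclass
class SnmpConfig:
    """The versions setting, the /community names and the configured USM users."""
    versions: frozenset = frozenset({"v1", "v2c", "v3"})
    read: str = DEFAULT_READ
    write: str = ""
    trap: str = DEFAULT_TRAP
    users: list = field(default_factory=list)


def audit(cfg):
    """Return (severity, message) pairs; an empty list means nothing to fix."""
    findings = []
    # Community names only matter while v1 or v2c is allowed: both carry the
    # community string in clear text and have no per-user authentication.
    if cfg.versions & {"v1", "v2c"}:
        findings.append(("medium", "v1/v2c allowed: community strings sent in clear text"))
        if cfg.read == DEFAULT_READ:
            findings.append(("high", "read community is still the default 'public'"))
        if cfg.trap == DEFAULT_TRAP:
            findings.append(("low", "trap community is still the default 'trap'"))
        if cfg.write:
            findings.append(("high", "write community grants MIB set access over v1/v2c"))
    seen = set()
    for u in cfg.users:
        who = "user %d (%s)" % (u.user_id, u.name)
        if not 1 <= u.user_id <= 1024:
            findings.append(("error", who + ": user ID must be in the range 1 to 1024"))
        if not u.name or len(u.name) > MAX_NAME:
            findings.append(("error", who + ": name must be 1 to %d characters" % MAX_NAME))
        if u.name in seen:
            findings.append(("error", who + ": name is not unique in the cluster"))
        seen.add(u.name)
        if u.seclevel not in ("none", "auth", "priv"):
            findings.append(("error", who + ": seclevel must be none, auth or priv"))
            continue
        if u.seclevel != "none" and len(u.authpasswd) < MIN_PASSWORD:
            findings.append(("error", who + ": authpasswd must be at least 8 characters"))
        if u.seclevel == "priv" and len(u.privpasswd) < MIN_PASSWORD:
            findings.append(("error", who + ": privpasswd must be at least 8 characters"))
        if u.seclevel == "none":
            findings.append(("high", who + ": SNMP access granted without authentication"))
        elif u.seclevel == "auth":
            findings.append(("medium", who + ": authenticated but transmitted in plain text"))
        if u.seclevel != "none" and u.authproto == "md5":
            findings.append(("low", who + ": authproto md5; sha is the stronger option"))
        if u.seclevel == "priv" and u.privproto == "des":
            findings.append(("low", who + ": privproto des; aes is the stronger option"))
        if "set" in u.permission and u.seclevel != "priv":
            findings.append(("medium", who + ": set permission without priv security level"))
        if u.seclevel == "priv" and u.authpasswd == u.privpasswd:
            findings.append(("low", who + ": same secret used for authpasswd and privpasswd"))
    return findings


def weak_config():
    """Constructed example: defaults left in place and two weak users."""
    return SnmpConfig(write="private", users=[
        UsmUser(1, "monitor", seclevel="none"),
        UsmUser(2, "ops", seclevel="auth", permission=frozenset({"get", "set"}),
                authpasswd="short"),
    ])


def hardened_config():
    """Constructed example: v3 only, no communities, one priv user with sha/aes."""
    return SnmpConfig(versions=frozenset({"v3"}), read="", trap="", users=[
        UsmUser(1, "nms-reader", seclevel="priv", authproto="sha",
                authpasswd="Auth-Phrase-Example-1", privproto="aes",
                privpasswd="Priv-Phrase-Example-2"),
    ])


if __name__ == "__main__":
    for sev, msg in audit(weak_config()):
        print("%-6s %s" % (sev, msg))
```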
Configuring SNMP notification targets  
SNMP managers function as the notification targets for SNMP monitoring.  
To configure notification targets, use the following command:  
/cfg/sys/adm/snmp/target <target ID>
where target ID is a positive integer that uniquely identifies the
notification target in the cluster.
The Notification Target menu appears.  
The Notification Target menu includes the following options:  
/cfg/sys/adm/snmp/target <target ID>
followed by:
ip <IPaddr>
    Specifies the IP address to which trap messages are sent.
    IPaddr is the IP address of the SNMP manager.
port <port>
    Specifies the TCP port used by the SNMP manager. The default is port
    162.
version v1|v2c|v3
    Specifies the SNMP version used by the SNMP manager. Valid options
    are:
    - v1—SNMP version 1
    - v2c—SNMP version 2c
    - v3—SNMP version 3
    The default is v2c.
del
    Removes the current SNMP manager from the Nortel SNAS configuration.
Configuring SNMP events  
The Nortel SNAS supports three kinds of SNMP monitors, as defined in the
DISMAN-EVENT-MIB:
- boolean—checks the value of a monitored object identifier (OID) against
  a specific value, and triggers an event if the result matches a
  specified operation.
- threshold—compares a monitored OID against a range of values, and
  triggers events if the comparison determines that the OID value is
  rising too quickly, falling too quickly, or falls outside certain
  boundaries.
- existence—checks the condition of a monitored OID to determine if it is
  present, absent, or changed, and triggers an event if the result
  matches the specified condition.
To configure monitors and events defined in the DISMAN-EVENT-MIB,  
use the following command:  
/cfg/sys/adm/snmp/event  
The event menu appears.  
The event menu includes the following options:  
/cfg/sys/adm/snmp/event
followed by:
addmonitor [ <options> ] -b <name> <OID> <op> <value>
    Adds a boolean monitor and trigger as defined in the
    DISMAN-EVENT-MIB.
    Valid <options> are:
    - -c <comment>—adds a comment
    - -f <frequency>—the sampling interval, in seconds. The default is
      600 (10 minutes).
    - -o <OID>—additional objects to send in the event
    - -e <EventName>—the name of a notification event
    - -d <OID>—the delta discontinuity OID
    - -D timeTicks|timeStamp|dateAndTime—the delta discontinuity type
    Other parameters are:
    - name—a unique name you assign to the monitor, for identification
    - OID—the object identifier (or symbolic name) to monitor
    - op—the operator. Valid options are: != (not equals), == (equals),
      <= (less than or equal to), >= (greater than or equal to),
      < (less than), > (greater than)
    - value—an integer indicating the value against which the operation
      will be performed
/cfg/sys/adm/snmp/event
followed by:
addmonitor [ <options> ] -t <name> <OID> <value and event>
    Adds a threshold monitor and trigger as defined in the
    DISMAN-EVENT-MIB.
    Valid <options> are:
    - -c <comment>—adds a comment
    - -f <frequency>—the sampling interval, in seconds. The default is
      600 (10 minutes).
    - -o <OID>—additional objects to send in the event
    - -d <OID>—the delta discontinuity OID
    - -D timeTicks|timeStamp|dateAndTime—the delta discontinuity type
    Other parameters are:
    - name—a unique name you assign to the monitor, for identification
    - OID—the object identifier (or symbolic name) to monitor
    - value and event—a combination of an integer and an event
      condition, where the integer represents the event condition
      threshold that will trigger notification. Valid combinations are:
      - <LowVal> FallingEvent
      - <HighVal> RisingEvent
      - <DeltaLowVal> DeltaFallingEvent
      - <DeltaHighVal> DeltaRisingEvent
/cfg/sys/adm/snmp/event
followed by:
addmonitor [ <options> ] -x <name> <OID> [present|absent|changed]
    Adds an existence monitor and trigger as defined in the
    DISMAN-EVENT-MIB.
    Valid <options> are:
    - -c <comment>—adds a comment
    - -f <frequency>—the sampling interval, in seconds. The default is
      600 (10 minutes).
    - -o <OID>—additional objects to send in the event
    - -e <EventName>—the name of a notification event
    - -d <OID>—the delta discontinuity OID
    - -D timeTicks|timeStamp|dateAndTime—the delta discontinuity type
    Other parameters are:
    - name—a unique name you assign to the monitor, for identification
    - OID—the object identifier (or symbolic name) to monitor
    - present|absent|changed—indicates whether the object being monitored
      is present, absent, or has changed
delmonitor <name>
    Removes the specified monitor from the configuration.
addevent [-c <comment> ] <name> <notification> [ <OID...> ]
    Adds a notification event as defined in the DISMAN-EVENT-MIB.
    - -c <comment>—adds a comment (optional)
    - name—a unique name you assign to the event, for identification
    - notification—the OID (or symbolic name) of the notification
    - OID...—additional notification OIDs (optional)
/cfg/sys/adm/snmp/event
followed by:
delevent <name>
    Removes the specified event from the configuration.
list
    Lists the configured monitors and events. For monitors, the monitor
    name, OID, and type. For events, the event name, notification OID,
    and comment.
Viewing system information and performance statistics
You can view current status information and events for the cluster and for  
individual Nortel SNAS hosts. You can view AAA performance statistics for  
the Nortel SNAS cluster as a whole or for individual hosts in the cluster  
since the system was started.  
Viewing system information and performance statistics  
To view current information about system status and the system  
configuration, access the Information menu by using the following  
command:  
/info  
To view performance statistics for the cluster and for individual Nortel  
SNAS hosts, access the Statistics menu by using the following command:  
/stats  
Roadmap of information and statistics commands  
The following roadmap lists the CLI commands to view information and  
statistics for the cluster. Use this list as a quick reference or click on any  
entry for more information:  
Command         Parameters
/info           certs
                sys
                sonmp
                licenses [<domain ID>]
                kick <user> <addr> <group>
                blacklist <IPv4 Mac address> <blacklist duration>
                domain [<domain ID>]
                switches [<switch IP protocol/version>] [<status>] [<name type>] [<controlled by>] [<active clients>]
                dist [<hostid>]
                ip <domain ID> <IPaddr>
                mac <MACaddr>
                sessions [<domain ID> [<switch ID> [<username-prefix>]]]
                groupsessi [<domain> <switch login> <port type> <user vlan> <source IP/portal IP> <source Mac/session type>]
                snmp-profi
                switch [<domainid>] [<switchid>]
                contlist [<Exclude buffers+cache from mem util: [yes/no]>]
                local
                ethernet
                ports
/info/dhcp      list, del, and stats
/info/events    alarms
                download <protocol> <server> <filename>
/info/logs      list
                download <protocol> <server> <filename>
/stats/aaa      total
                isdhost <host ID> <domain ID>
                dump
/stats/dump
Viewing system information
To view current information about system status and the system configuration, use the following command:
/info
The Information menu appears.
The Information menu includes the following options:
/info
followed by:
certs
    Displays information about all installed certificates, including the certificate name, serial number, expiration date, key size, and subject information for each certificate.
sys
    Displays information about the current system configuration, including:
        for each Nortel SNAS host in the cluster, the Real IP address (RIP), network mask, default gateway address, static routes, and port configuration
        system settings such as date and time, DNS settings, Access List, and administrative applications
        NTP, DNS, syslog, audit, and other servers
    For information about configuring the system, see
sonmp
    Displays SynOptics Network Management Protocol (SONMP) network topology information, including the IP address, MAC address, chassis type, and state of all Nortel SNAS and SONMP-enabled network devices in the system.
licenses [<domain ID>]
    Displays information about the global license pool and current usage, by license type and domain. For the Nortel SNAS, SSL is the only type of license. To restrict the display to a specific domain, enter the domain ID as part of the command.
    ATTENTION
    With Nortel Secure Network Access Switch Software Release 1.6.1, there is only one domain in the system.
kick <user> <addr> <group>
    Allows the operator to log the specified user out of a Nortel SNAS session. You are prompted to enter the following information:
    user—kick a user by name. name is a string that uniquely identifies the user; the maximum length of the string is 255 characters. To log out multiple users, enter an asterisk (*) when prompted for the user name. The system lists the currently logged-on users by automatically assigned index number. Enter the index numbers corresponding to the users you wish to log out. For example, to log out the users corresponding to index numbers 1, 2, 3, and 5, enter 1-3,5.
    addr—kick a client by address. Specify the IPv4 or MAC address of the client session to log out.
    group—kick a group by name. name is a string that uniquely identifies the group; the maximum length of the string is 255 characters.
blacklist <IPv4 Mac address> <blacklist duration>
    Blacklists a device by IPv4 or MAC address and sets the duration for which the device remains blacklisted.
    IPv4 Mac address—specify the IPv4 or MAC address to be blacklisted.
    blacklist duration—specify the duration to blacklist the device. Range: 1 minute to 31 days (for example: 20m).
domain [<domain ID>]
    Displays information about the domain configuration, such as the portal Virtual IP address (pVIP), Nortel Health Agent settings, authentication schemes, groups, client filters, SSL settings, portal display, network access devices, and SSH key. To restrict the display to a specific domain, enter the domain ID as part of the command.
    ATTENTION
    With Nortel Secure Network Access Switch Software Release 1.6.1, there is only one domain in the system.
switches [<switch IP protocol/version>] [<status>] [<name type>] [<controlled by>] [<active clients>]
    Displays the switch status information.
dist [<hostid>]
    Displays information about the network access devices and pVIP distribution, by domain.
ip <domain ID> <IPaddr>
    Searches the session table for the specified IP address and displays information about the client session. You are prompted to provide the domain ID and the IP address. The information includes: the domain ID; the switch ID and port (in slot/port format); the client's user name (MAC address for an IP Phone); the client's current IP address; the source MAC address; the date the client logged on (time is reported if logon was today); the client device type; the client's current VLAN membership; and the Nortel SNAS host IP address (RIP). The options for device type are phone or dynamic PC (dn_pc).
    The information is the same as that displayed by the /info/mac command.
mac <MACaddr>
    Displays session information for a client based on the specified MAC address. You are prompted to provide the MAC address. The information includes: the domain ID; the switch ID and port (in slot/port format); the client's user name (MAC address for an IP Phone); the client's current IP address; the source MAC address; the date the client logged on (time is reported if logon was today); the client device type; the client's current VLAN membership; and the Nortel SNAS host IP address (RIP). The options for device type are phone or dynamic PC (dn_pc).
    The information is the same as that displayed by the /info/ip command.
sessions [<domain ID> [<switch ID> [<username-prefix>]]]
    Displays information about currently active sessions. The information for each session includes: the domain ID; the switch ID and port (in slot/port format); the client's user name (MAC address for an IP Phone); the client's current IP address; the source MAC address; the date the client logged on (time is reported if logon was today); the client device type; the client's current VLAN membership; and the portal IP address through which the client logged on. The options for device type are phone or dynamic PC (dn_pc).
    To restrict the display to a specific domain, enter the domain ID as part of the command. To restrict the display to sessions originating from a specific network access device, enter the domain ID and switch ID as part of the command. To restrict the display to specific clients, enter the domain ID, switch ID, and user name as part of the command. Use an asterisk (*) after the user name input to specify it as a prefix.
groupsessi <groupname>
    Displays information about currently active group sessions.
dhcp [<list> [<addr> <subnet> <all>]] [<del> [<addr> <subnet> <all>]] <stats>
    Displays information about local DHCP leases. For
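The /info/ip, /info/mac and /info/sessions lookups described above share one session table and differ only in how they narrow it. The following added example (not Nortel code; the session records are constructed for illustration and the field set is the one the sessions entry lists) reimplements those three lookups over such a table, so that an operator who has exported the session list can run the same searches offline, with MAC notation normalised and the trailing-asterisk prefix rule applied to the user name:

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample session table (not output from a real Nortel SNAS). The fields
# are the ones the /info/sessions entry lists: domain ID, switch ID, slot/port, user
# name (the MAC address for an IP Phone), client IP, source MAC, logon date or time,
# device type (phone or dn_pc), VLAN, and the portal IP the client logged on through.
@dataclass(frozen=True)
class Session:
    domain: int
    switch: int
    port: str
    user: str
    ip: str
    mac: str
    logon: str
    dev_type: str
    vlan: int
    portal_ip: str

SESSIONS = [
    Session(1, 1, "1/5", "alice", "10.20.1.15", "00:11:22:33:44:55", "09:12", "dn_pc", 110, "10.20.0.1"),
    Session(1, 1, "1/6", "00:1b:ba:aa:bb:cc", "10.20.1.16", "00:1b:ba:aa:bb:cc", "08:40", "phone", 120, "10.20.0.1"),
    Session(1, 2, "2/1", "alison", "10.20.2.7", "00:11:22:33:44:66", "2008-07-27", "dn_pc", 110, "10.20.0.1"),
    Session(1, 2, "2/2", "bob", "10.20.2.8", "00:11:22:33:44:77", "10:01", "dn_pc", 110, "10.20.0.1"),
]

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")

def norm_mac(mac):
    """Canonical lower-case colon form; rejects anything that is not a 48-bit MAC."""
    m = mac.strip().lower().replace("-", ":").replace(".", "")
    if len(m) == 12:  # bare hex such as 001122334455
        m = ":".join(m[i:i + 2] for i in range(0, 12, 2))
    if not MAC_RE.match(m):
        raise ValueError(f"not a MAC address: {mac!r}")
    return m

def find_by_ip(domain, ip, table=SESSIONS):
    """Equivalent of /info/ip: exact match on domain and client IP."""
    addr = ipaddress.ip_address(ip)  # rejects malformed input before any lookup
    return [s for s in table if s.domain == domain and ipaddress.ip_address(s.ip) == addr]

def find_by_mac(mac, table=SESSIONS):
    """Equivalent of /info/mac: match on the source MAC, whatever notation was typed."""
    m = norm_mac(mac)
    return [s for s in table if norm_mac(s.mac) == m]

def sessions(domain=None, switch=None, user=None, table=SESSIONS):
    """Equivalent of /info/sessions with its optional narrowing arguments.
    A trailing '*' on user makes it a prefix; otherwise the name must match exactly."""
    out = list(table)
    if domain is not None:
        out = [s for s in out if s.domain == domain]
    if switch is not None:
        out = [s for s in out if s.switch == switch]
    if user is not None:
        if user.endswith("*"):
            prefix = user[:-1]
            out = [s for s in out if s.user.startswith(prefix)]
        else:
            out = [s for s in out if s.user == user]
    return out

def stale_sessions(table=SESSIONS):
    """Sessions whose logon field is a date rather than a time, i.e. not from today;
    worth a look before deciding on a kick or a blacklist entry."""
    return [s for s in table if "-" in s.logon]
```

The MAC normalisation matters in practice: switches, DHCP logs and the SNAS display the same address in different notations, and an exact string compare silently misses the session.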
snmp-profi [<domainid>] [<profileid>]
    Displays information about the configured SNMP profile. For
switch [<domainid>] [<switchid>]
    Displays information about the network access devices in a domain, by device. Information includes the switch type, IP address, NSNA communication port, Red VLAN ID, health check settings, SSH key, and switch status. The information is a subset of the information displayed by the /info/domain command.
contlist [<Exclude buffers+cache from mem util: [yes/no]>]
    Displays information about the Nortel SNAS controllers in the cluster. Information includes the RIP, CPU usage, memory usage, and operational status of each device. An asterisk (*) in the MIP column indicates which Nortel SNAS device in the cluster is currently in control of the MIP. An asterisk (*) in the Local column indicates the particular Nortel SNAS device to which you have connected. To exclude buffers and cache from the memory usage reported, enter the command as /info/contlist yes. To include buffers and cache in the memory usage reported, enter the command as /info/contlist no. The default is to include buffers and cache (no).
local
    Displays the current software version, hardware platform, up time (since last boot), IP address, and Ethernet MAC address for the particular Nortel SNAS device to which you have connected. If you have connected to the MIP, the information relates to the Nortel SNAS device in the cluster that is currently in control of the MIP.
ethernet
    Displays statistics for the Ethernet network interface card (NIC) on the particular Nortel SNAS device to which you have connected. If you have connected to the MIP, the information relates to the Nortel SNAS device in the cluster that is currently in control of the MIP.
    RX packets: the total number of received packets
    TX packets: the total number of transmitted packets
    errors: packets lost due to error
    dropped: packets dropped due to lack of resources
    overruns: overrun errors due to lack of resources
    frame: errors due to malformed packets
    carrier: errors due to lack of carrier
    collisions: number of packet collisions
    RX bytes: received traffic in bytes
    TX bytes: transmitted traffic in bytes
    ATTENTION
    A non-zero collision value may indicate incorrect configuration of Ethernet auto-negotiation. For more information, see the autoneg command on
ports
    Displays the status of the physical ports on the Ethernet network interface card (NIC) on the particular Nortel SNAS device to which you have connected. If you have connected to the MIP, the information displayed relates to the Nortel SNAS device in the cluster that is currently in control of the MIP.
    For each port, information includes link status (up/down) and the Ethernet auto-negotiation setting (on/off). If the link is up, the information also includes current values for speed (10/100/1000) and duplex mode (half/full). If the link is down and auto-negotiation is set to off, the information includes the configured values for speed and duplex mode.
events
    Accesses the Events menu, in order to view and download active alarms and logged events (see "Viewing alarm events" (page 344)).
logs
    Accesses the Logs menu, in order to view and download log files (see "Viewing log files" (page 345)).
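The ATTENTION note on collisions is the kind of check worth automating when /info/ethernet output is collected from every controller in a cluster. The following added example (not Nortel code) parses the counter names the ethernet entry lists and raises a finding for collisions or for an error ratio above a threshold; the line layout of the sample and the thresholds are assumptions for the example, not the exact format of the appliance output:

```python
import re

# Constructed sample of the counters /info/ethernet reports. The line layout is an
# assumption for this example; the field names are the ones the ethernet entry lists.
SAMPLE = """\
RX packets:1840233 errors:3 dropped:0 overruns:0 frame:3
TX packets:1733902 errors:0 dropped:0 overruns:0 carrier:0
collisions:5127
RX bytes:1324554891  TX bytes:988120733
"""

PAIR = re.compile(r"([A-Za-z]+(?: [A-Za-z]+)?):\s*(\d+)")

def parse_counters(text):
    """Return {'RX packets': n, 'RX errors': n, ..., 'collisions': n, 'TX bytes': n}.
    Per-direction fields (errors, dropped, overruns, frame, carrier) are keyed by the
    RX or TX line they appear on, so the two 'errors' counters stay distinct."""
    counters = {}
    for line in text.splitlines():
        line = line.strip()
        direction = line[:2] if line[:2] in ("RX", "TX") else None
        for name, value in PAIR.findall(line):
            if direction and name[:2] not in ("RX", "TX"):
                name = f"{direction} {name}"
            counters[name] = int(value)
    return counters

def assess(counters, max_collision_ratio=0.0, max_error_ratio=0.001):
    """Findings an operator would act on. Any collisions on a link that should run
    full duplex point to an auto-negotiation or duplex mismatch, as the ATTENTION
    note says; an error ratio above max_error_ratio points to cabling or NIC trouble."""
    findings = []
    tx = counters.get("TX packets", 0)
    rx = counters.get("RX packets", 0)
    collisions = counters.get("collisions", 0)
    if collisions > 0 and collisions / max(tx, 1) > max_collision_ratio:
        findings.append(f"collisions={collisions} ({collisions / max(tx, 1):.2%} of TX packets): "
                        "check Ethernet auto-negotiation and duplex on both ends of the link")
    for direction, total, fields in (("RX", rx, ("errors", "dropped", "overruns", "frame")),
                                     ("TX", tx, ("errors", "dropped", "overruns", "carrier"))):
        bad = sum(counters.get(f"{direction} {f}", 0) for f in fields)
        if total and bad / total > max_error_ratio:
            findings.append(f"{direction} error ratio {bad / total:.4%} exceeds {max_error_ratio:.2%}")
    return findings

def diff_counters(before, after):
    """Delta between two snapshots, so an old burst still visible in the lifetime
    counters is not mistaken for a problem that is happening now."""
    return {k: after.get(k, 0) - before.get(k, 0) for k in after}
```

Because the counters are cumulative since boot, run assess() on the delta from diff_counters() when the question is whether the link is misbehaving today rather than whether it ever did.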
Viewing alarm events  
To view active alarms, use the following command:  
/info/events  
The Events menu appears.  
The Events menu includes the following options:  
/info/events  
followed by:  
alarms
    Displays all alarms in the active alarm list, by their main attributes: severity level, alarm ID number, date and time when triggered, alarm name, sender, and cause.
    To alert the operator at system logon, a notice is displayed if there are active alarms. Alarms are also sent as syslog messages.
download <protocol> <server> <filename>
    Transmits the event log file from the Nortel SNAS cluster to a file on the specified TFTP/FTP/SCP/SFTP file exchange server. You are prompted to provide the following information:
    protocol is the export protocol. Options are tftp|ftp|scp|sftp. The default is tftp. Note that tftp and ftp carry the file (and any FTP password) in cleartext; use scp or sftp when the log leaves a trusted management network.
    server is the host name or IP address of the server.
    filename is the name of the destination log file on the file exchange server.
Viewing log files  
To view and download log files, use the following command:  
/info/logs  
The Logs menu appears.  
The Logs menu includes the following options:  
/info/logs  
followed by:  
list
    Displays a list of all log files.
download <protocol> <server> <filename>
    Transmits the log file from the Nortel SNAS cluster to a file on the specified TFTP/FTP/SCP/SFTP file exchange server. You are prompted to provide the following information:
    protocol is the export protocol. Options are tftp|ftp|scp|sftp. The default is tftp.
    server is the host name or IP address of the server.
    filename is the name of the destination log file (*.log.x) on the file exchange server.
Viewing AAA statistics  
You can view authentication statistics for the Nortel SNAS cluster as a  
whole or for one specific Nortel SNAS host in the cluster.  
For each configured authentication method and authentication server, the following information is displayed:
    the number of authentication requests accepted and rejected
    for external LDAP and RADIUS servers, the number of authentication requests that timed out
The external LDAP and RADIUS servers are listed by IP address and port number (TCP for LDAP, UDP for RADIUS).
The CLI reports statistics for all authentication methods configured in the cluster, whether or not they have been included in the authentication order scheme. If the statistics for a particular authentication method are always a row of zeroes, this might be because the method is not included in the authentication order scheme.
To view authentication statistics for the Nortel SNAS cluster or for  
individual Nortel SNAS hosts, use the following command:  
/stats/aaa  
The AAA Statistics menu appears.  
The AAA Statistics menu includes the following options:  
/stats/aaa  
followed by:  
total
    Displays authentication statistics by domain for all Nortel SNAS hosts in the cluster since the system was started.
isdhost <host ID> <domain ID>
    Displays authentication statistics for the specified Nortel SNAS host in the cluster since the system was started. You are prompted to specify:
    <host ID>—the index number automatically assigned to the Nortel SNAS host when you performed the initial setup.
    <domain ID>—the index number automatically assigned to the Nortel SNAS domain when you created it. To view statistics for all domains, enter 0.
    ATTENTION
    With Nortel Secure Network Access Switch Software Release 1.6.1, there is only one domain in the system.
dump
    Dumps all authentication statistics in the CLI, presenting them first by domain and then by Nortel SNAS host. The display includes the number of accepted and rejected requests for all configured authentication methods, as well as the number of accepted and rejected connections by license type (SSL). In the case of the licenses statistics, the value reported as Rejected refers to connections exceeding the allowed number of concurrent users.
Figure 21 "AAA statistics dump" (page 348) shows sample output for the  
/stats/aaa/dump command.  
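Two things the text above tells an operator to look for in the dump are a method whose row is all zeroes (probably not in the authentication order) and, for the license row, rejections that mean the concurrent-user limit was hit. The following added example (not Nortel code) parses a dump and reports both, plus external servers whose timeout share is high enough to explain user-visible logon failures. The row layout of the sample is constructed for this example; the real Figure 21 layout is not reproduced on this page, so the parser would need its regular expression adjusted to the actual output:

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample in a layout chosen for this example. The counters are the ones
# the text describes: accepted and rejected requests per method or server, timeouts
# for external LDAP and RADIUS servers, and accepted/rejected connections per license.
SAMPLE = """\
Domain 1
local                    accepted 1203  rejected 17
ldap 10.0.0.5:389        accepted 4410  rejected 122  timeout 36
radius 10.0.0.9:1812     accepted 0     rejected 0    timeout 0
license SSL              accepted 5613  rejected 22
"""

ROW = re.compile(r"^(?P<name>.+?)\s+accepted\s+(?P<acc>\d+)\s+rejected\s+(?P<rej>\d+)"
                 r"(?:\s+timeout\s+(?P<to>\d+))?\s*$")

@dataclass
class Row:
    domain: int
    name: str
    accepted: int
    rejected: int
    timeout: Optional[int]  # None for methods without a remote server (no timeouts)

def parse_aaa_dump(text):
    """Rows grouped under the 'Domain N' header they follow."""
    rows, domain = [], None
    for line in text.splitlines():
        if line.startswith("Domain "):
            domain = int(line.split()[1])
            continue
        m = ROW.match(line)
        if m and domain is not None:
            rows.append(Row(domain, m["name"], int(m["acc"]), int(m["rej"]),
                            int(m["to"]) if m["to"] is not None else None))
    return rows

def idle_methods(rows):
    """Methods whose counters are all zero: as the text notes, most likely not in
    the authentication order scheme (or never reached)."""
    return [r.name for r in rows if not r.name.startswith("license")
            and r.accepted == r.rejected == (r.timeout or 0) == 0]

def timing_out(rows, max_ratio=0.01):
    """External servers whose timeouts exceed max_ratio of all requests sent to them."""
    out = []
    for r in rows:
        if r.timeout is None:
            continue
        total = r.accepted + r.rejected + r.timeout
        if total and r.timeout / total > max_ratio:
            out.append((r.name, r.timeout / total))
    return out

def license_rejections(rows):
    """Connections refused because the allowed number of concurrent users was exceeded."""
    return sum(r.rejected for r in rows if r.name.startswith("license"))
```

A non-zero value from license_rejections() is a capacity signal, not an authentication failure, and is the first thing to check when users report being unable to reach the portal at peak times.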
Figure 21  
AAA statistics dump  
Viewing all statistics  
To view all available statistics for the Nortel SNAS cluster, use the  
following command:  
/stats/dump  
Because the Nortel SNAS collects only AAA statistics, the /stats/dump  
command is equivalent to the /stats/aaa/dump command.  
Kicking by username or address
To kick by user name or address, use the following command:
/info/kick
The Kick menu appears.
The Kick menu includes the following options:
/info/kick
followed by:
user <name>
    Kick a user by name. name is a string that uniquely identifies the user. The maximum length of the string is 255 characters.
addr <IPv4 or Mac Address>
    Kick a client by address. Specify the IPv4 or MAC address of the client session to log out.
group <name>
    Kick a group by name. name is a string that uniquely identifies the group. The maximum length of the string is 255 characters.
Nortel SNAS TPS Interface
The TPS interface supports the blacklisting feature, which allows you to configure a time-out value during which the specified user or device is not permitted to connect to the network.
You can blacklist a device using its IPv4 or MAC address and set the duration of the blacklisting.
To blacklist a device, use the following command:
/info/blacklist
The blacklist menu includes the following options:
/info/blacklist
followed by:
IPv4 Mac address
    Specify the IPv4 or MAC address to be blacklisted.
blacklist duration
    Specify the duration to blacklist the device. Range: 1 minute to 31 days (for example: 20m).
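Both the kick and the blacklist prompts take free-form operator input (an index selection such as 1-3,5, an IPv4 or MAC address, a duration such as 20m) and a typo in any of them either kicks the wrong people or blacklists a device for the wrong time. The following added example (not Nortel code) is the validation a wrapper script around these prompts should do before sending anything to the CLI. The page documents only the minute suffix and the 1 minute to 31 days range; the h and d suffixes, the rejects() helper and the sample user listing are assumptions for the example:

```python
import ipaddress
import re

def parse_index_selection(text, max_index):
    """Expand an operator selection such as '1-3,5' (the form the kick prompt accepts)
    into sorted unique index numbers, rejecting anything outside 1..max_index."""
    chosen = set()
    for item in text.replace(" ", "").split(","):
        m = re.fullmatch(r"(\d+)(?:-(\d+))?", item)
        if not m:
            raise ValueError(f"bad selection item {item!r}")
        lo, hi = int(m.group(1)), int(m.group(2) or m.group(1))
        if lo < 1 or hi > max_index or lo > hi:
            raise ValueError(f"selection {item!r} outside 1..{max_index}")
        chosen.update(range(lo, hi + 1))
    return sorted(chosen)

def users_to_kick(listing, selection):
    """listing maps the index number the CLI shows to the user name it belongs to."""
    return [listing[i] for i in parse_index_selection(selection, len(listing))]

def classify_address(text):
    """'ipv4' or 'mac' for the kick addr and blacklist prompts; ValueError otherwise,
    so a half-typed address never reaches the appliance."""
    s = text.strip().lower()
    try:
        if ipaddress.ip_address(s).version == 4:
            return "ipv4"
    except ValueError:
        pass
    if re.fullmatch(r"([0-9a-f]{2}[:-]){5}[0-9a-f]{2}", s):
        return "mac"
    raise ValueError(f"neither an IPv4 nor a MAC address: {text!r}")

# The page documents '20m' and the 1 minute..31 days range. The 'h' and 'd' suffixes
# are an assumption for illustration, not a documented CLI syntax.
UNIT_SECONDS = {"m": 60, "h": 3600, "d": 86400}
MIN_SECONDS, MAX_SECONDS = 60, 31 * 86400

def parse_blacklist_duration(text):
    """Seconds for a duration string, enforcing the documented 1 minute..31 days range."""
    m = re.fullmatch(r"(\d+)\s*([mhd])", text.strip().lower())
    if not m:
        raise ValueError(f"duration must be <number><m|h|d>, got {text!r}")
    seconds = int(m.group(1)) * UNIT_SECONDS[m.group(2)]
    if not MIN_SECONDS <= seconds <= MAX_SECONDS:
        raise ValueError("blacklist duration must be between 1 minute and 31 days")
    return seconds

def rejects(fn, value):
    """True if fn(value) raises ValueError; used to exercise the validation edges."""
    try:
        fn(value)
    except ValueError:
        return True
    return False
```

Validating the index selection against the length of the listing the CLI actually printed is the important part: a selection that silently exceeds the list is exactly how an operator ends up kicking nobody, or the wrong session, during an incident.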
Maintaining and managing the system  
This chapter includes the following topics:  
You can perform the following activities to manage and maintain the system and individual Nortel SNAS devices:
maintenance, in order to collect information for troubleshooting and technical support purposes (see "Performing maintenance" (page 353)):
    Dump log file or system internal status information and send it to a file exchange server.
    Check connectivity between the Nortel SNAS and all configured gateways, routers, and servers.
    Start and stop tracing to log information about a client session. You can limit the trace to specific features, such as the SSL handshake; authentication method, user name, group, and profile; DNS lookups; and the Nortel Health Agent check.
    You can use the trace feature as a debugging tool (for example, to find out why authentication fails). For sample CLI outputs, see
configuration backup and restore (see "Backing up or restoring the
software and device management (see "Managing Nortel SNAS
Manage software versions and activate software upgrades.  
Shut down or reboot a particular Nortel SNAS device that has  
become isolated from the cluster.  
Reset the configuration of a particular Nortel SNAS device back  
to factory defaults.  
Managing and maintaining the system  
To perform maintenance activities, access the Maintenance menu by  
using the following command:  
/maint  
To manage software versions and Nortel SNAS devices, connect to the  
particular Nortel SNAS device using Telnet, SSH, or a console connection.  
Do not connect to the Management IP address (MIP). Access the Boot  
menu by using the following command:  
/boot  
Roadmap of maintenance and boot commands  
The following roadmap lists the CLI commands to perform maintenance  
and software and device management activities. Use this list as a quick  
reference or click on any entry for more information:  
Command         Parameters
/maint          log <start-log> <stop-log> <displaylog> <clearlog>
                dumplogs <protocol> <host name or IP address of server> <filename on server> <collect info from all cluster host?>
                dumpstats <protocol> <host name or IP address of server> <filename on server> <collect info from all cluster host?>
                chkcfg
                starttrace <tags> <domain ID> <output mode>
                stoptrace
/cfg/ptcfg <protocol> <host name or IP address of server> <filename on server>
/cfg/gtcfg <protocol> <host name or IP address of server> <filename on server>
/cfg/dump
/boot           software
                halt
                reboot
                delete
/boot/software  cur
                activate <version>
                download <protocol> <server> <filename>
                del
Performing maintenance  
To check the applied configuration and to download log file and system  
status information for technical support purposes, use the following  
command:  
/maint  
The Maintenance menu appears.  
The Maintenance menu includes the following options:  
/maint  
followed by:  
log <start-log> <stop-log> <displaylog> <clearlog>
    Displays the in-memory logging system menu.
    start-log—starts logging messages into an internal buffer.
    stop-log—stops logging messages into the internal buffer.
    displaylog—displays the last n messages, where n is of the order of 10.
    clearlog—clears the log messages.
dumplogs <protocol> <host name or IP address of server> <filename on server> <collect info from all cluster host?>
    Collects system log file information and sends it to a file on the specified file exchange server. The information can then be used for technical support purposes. You are prompted to provide the following parameters if you do not specify them in the command:
    protocol is the export protocol. Options are tftp|ftp|sftp. The default is tftp.
    server is the host name or IP address of the file exchange server.
    filename is the name of the destination log file on the file exchange server. The file is in gzip compressed tar format.
    all-isds? specifies whether the information is to be collected from all Nortel SNAS devices in the cluster or only from the device to which you are connected. Valid options are y (= yes, all) or n (= no, single).
    If you specify n (= no) and you are connected to the MIP, information will be collected for the Nortel SNAS device currently in control of the MIP.
    for FTP and SFTP, user name and password.
    The file sent to the file exchange server does not contain any sensitive information related to the system configuration, such as private keys.
dumpstats <protocol> <host name or IP address of server> <filename on server> <collect info from all cluster host?>
    Collects current system internal status information and sends it to a file on the specified file exchange server. The information can then be used for technical support purposes. You are prompted to provide the following parameters if you do not specify them in the command:
    protocol is the export protocol. Options are tftp|ftp|sftp. The default is tftp.
    server is the host name or IP address of the file exchange server.
    filename is the name of the destination file on the file exchange server. The file is in gzip compressed tar format.
    all-isds? specifies whether the information is to be collected from all Nortel SNAS devices in the cluster or only from the device to which you are connected. Valid options are y (= yes, all) or n (= no, single).
    If you specify n (= no) and you are connected to the MIP, information will be collected for the Nortel SNAS device currently in control of the MIP.
    for FTP and SFTP, user name and password.
chkcfg
    Checks if the Nortel SNAS is able to contact the gateways, routers, DNS servers, and authentication servers in the system configuration. The command also checks if the Nortel SNAS can connect to the web servers specified in group links. The CLI displays the result of the connectivity check as well as the method used for the check (for example, ping).
    The following is sample output for the chkcfg command:
    Checking configuration from 192.168.128.210
    Testing /cfg/sys/host 1/gateway:
    192.168.128.3... ping ok
    Testing /cfg/sys/dns/servers:
    192.168.128.1... dns ok
    All tests completed successfully
starttrace <tags> <domain ID> <output mode>
    Logs information pertaining to a client session. You are prompted to provide the following information:
    tags—specifies the features or subsystems to which you want to limit tracing. The options are:
        all—logs all information. The default is all.
        aaa—logs authentication method, user name, group, and extended profile
        dns—logs failed DNS lookups made during the session
        ssl—logs information related to the SSL handshake procedure (for example, the cipher used)
        nha—logs information related to the Nortel Health Agent check (for example, Nortel Health Agent session status and the SRS rule check result)
        snas—logs operations and events of Nortel SNAS-controlled switches
        patchlink
        radius
        nap
    Enter the desired tag or a comma-separated list of tags (for example, enter aaa or aaa,dns). To trace all features, press Enter to accept the default.
    domain ID—specifies the Nortel SNAS domain to which you want to limit tracing. The default is all. To trace all domains, enter 0 or press Enter.
    ATTENTION
    With Nortel Secure Network Access Switch Software Release 1.6.1, there is only one domain in the system.
    output mode—options are:
        interactive—the information is logged directly in the CLI when a client authenticates to the portal
        tftp|ftp|sftp—the information is logged to a file exchange server. You are prompted to provide the server information.
    For sample output from the starttrace command,
stoptrace
    Stops tracing. If you selected interactive mode for the starttrace command and information is logged to the CLI, press Enter to redisplay the CLI prompt.
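When chkcfg is run on a schedule (for example from a script that logs in over SSH and captures the output), the interesting case is the probe that did not say ok. The following added example (not Nortel code) turns the output into structured results and a pass/fail verdict. The first probe lines of the sample are the page's own chkcfg output; the two failing entries at the end, and the wording of a failure line, are constructed for the example because the page shows only the success case:

```python
import re

# Sample input: the first two "Testing" blocks are the page's own chkcfg output; the
# two failing blocks and their result words ("failed", "timeout") are constructed for
# this example, since the page does not show what a failed probe looks like.
SAMPLE = """\
Checking configuration from 192.168.128.210
Testing /cfg/sys/host 1/gateway:
192.168.128.3... ping ok
Testing /cfg/sys/dns/servers:
192.168.128.1... dns ok
Testing /cfg/sys/aaa/ldap/servers:
10.0.0.5:389... tcp failed
Testing /cfg/domain 1/aaa/radius/servers:
10.0.0.9:1812... radius timeout
"""

PROBE = re.compile(r"^(?P<target>\S+)\.\.\.\s+(?P<method>\S+)\s+(?P<result>\S+)\s*$")

def parse_chkcfg(text):
    """Pair each 'Testing <config path>:' header with the probe lines under it.
    Returns a list of (path, target, method, result) tuples."""
    results, path = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Testing ") and line.endswith(":"):
            path = line[len("Testing "):-1]
            continue
        m = PROBE.match(line)
        if m and path is not None:
            results.append((path, m["target"], m["method"], m["result"].lower()))
    return results

def failures(results):
    """Every probe whose result was anything other than ok."""
    return [r for r in results if r[3] != "ok"]

def summary(text):
    """Exit-code style verdict for a scripted check: 0 only when at least one probe
    ran and every configured gateway, DNS and authentication server answered."""
    results = parse_chkcfg(text)
    bad = failures(results)
    return (0 if results and not bad else 1), bad
```

Treating empty output as a failure (summary() returns 1 when no probe was parsed) is deliberate: a login that timed out or a changed output format must not look like a clean bill of health.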
Backing up or restoring the configuration  
To save the system configuration to a file on a file exchange server, use  
the following command:  
/cfg/ptcfg <protocol> <host name or IP address of server>  
<filename on server>  
ATTENTION
The actual file name on the server has the format "NSNAS-<NSNA Version No>-<filename specified in the ptcfg command>".
To restore the system configuration, use the following command:  
/cfg/gtcfg <protocol> <host name or IP address of server>  
<filename on server>  
You can also dump the system configuration to the screen and then use  
copy-and-paste to save it to a text file. To perform a configuration dump,  
use the following command:  
/cfg/dump [ <private/secret keys> ]  
Table 57 "Configuration menu backup and restore commands" (page 357) provides more information about the backup and restore commands on the Configuration menu.
Table 57  
Configuration menu backup and restore commands  
/cfg  
followed by:  
ptcfg <protocol> <host name or IP address of server> <filename on server>
    Saves the current configuration, including private keys and certificates, to a file on the specified file exchange server. You can later use this file to restore the configuration by using the gtcfg command. You are prompted to provide the following information:
    protocol is the export protocol. Options are tftp|ftp|scp|sftp. The default is tftp. Because the file carries private keys, prefer scp or sftp: tftp and ftp transmit the file (and any FTP password) in cleartext.
    server is the host name or IP address of the file exchange server.
    filename is the name of the destination file on the file exchange server.
    ATTENTION
    If you have fully separated the Administrator user role from the Certificate Administrator user role, the export passphrase defined by the Certificate Administrator is used to protect the private keys in the configuration, and this is transparent to the user. If you later restore the configuration using the gtcfg command, the Certificate Administrator must enter the correct passphrase. For more information on separating the Administrator user role from the Certificate Administrator user role, see "Adding a new
gtcfg <protocol> <host name or IP address of server> <filename on server>
    Restores a configuration, including private keys and certificates, from a file on the specified file exchange server. You are prompted to provide the following information:
    protocol is the import protocol. Options are tftp|ftp|scp|sftp. The default is tftp.
    server is the host name or IP address of the file exchange server.
    filename is the name of the file on the file exchange server.
    ATTENTION
    If you have fully separated the Administrator user role from the Certificate Administrator user role, the Certificate Administrator must enter the correct passphrase. The Certificate Administrator defined the passphrase using the /cfg/sys/user/caphrase command.
dump [<private/secret keys>]
    Dumps the current configuration on screen in a format that allows you to restore the configuration without downloading the configuration to a file server.
    You are prompted to specify if you wish to include private keys in the configuration dump. If you do, then you are prompted to provide a password phrase in order to protect the private keys. The password phrase you specify applies to all private keys. If you later restore the configuration, you will be prompted for this password phrase.
    Save the configuration to a text file by performing a copy-and-paste operation to a text editor. You can later restore the configuration by using the global paste command, at any command prompt in the CLI, to paste the contents of the saved text file. On pasting, the content is batch processed by the Nortel SNAS. To view the pending configuration changes resulting from the batch processing, use the diff command. To apply the configuration changes, use the apply command.
Configuring the Nortel SNAS scheduler
The Nortel SNAS scheduler allows you to run automated system maintenance
tasks at scheduled intervals. To configure the scheduler tasks, use the
following command:
/cfg/scheduler
The Scheduler menu appears.
The Scheduler menu includes the following options:
/cfg/scheduler followed by:

add
    Adds a task to the scheduler.
del <task number>
    Deletes a task from the scheduler. task number is the number of the
    task, as shown in the Id column of the list command.
list
    Lists the scheduled tasks with the following details: Id, Task,
    Scheduled Time, Comments.
ena
    Enables the scheduler task.
dis
    Disables the scheduler task.

Adding a scheduled task
To add a scheduled task, use the following command:
/cfg/scheduler/add
You are prompted for the following fields:
/cfg/scheduler/add followed by:

task
    Specifies the scheduled task. Values: ptcfg | reboot | starttrace |
    stoptrace | selftest | upgrade | export
day of week
    Select the day of the week. You can select multiple days in a week.
    The value ranges from 0 to 6 (Sunday = 0); the default, *, selects
    every day. For example, 1-5 selects Monday to Friday.
month(s)
    Select the month. You can select multiple months. The value ranges
    from 1 to 12; * selects every month.
day(s)
    Select the day of the month. You can select multiple days of a month.
    The value ranges from 1 to 31; * selects every day.
hour(s)
    Specify the hour. The value ranges from 0 to 23.
minute(s)
    Specify the minute. The value ranges from 0 to 59.
comments
    Specify a comment for this scheduler task.
For the ptcfg task, you are also prompted for:
protocol
    Select the protocol. Values: tftp and ftp.
hostname or IP address
    Specify the host name or IP address of the server.
filename
    Specify the filename.
password
    Password for the private keys in the configuration.
Unlike the interactive ptcfg command, the scheduler offers only tftp and
ftp, so a scheduled backup, private keys included, crosses the network
without encryption and any FTP credentials travel in clear text. Keep the
file server on a management network that untrusted hosts cannot reach.
/cfg/scheduler/add followed by (starttrace task):

starttrace
    You are prompted for the same day of week, month(s), day(s), hour(s),
    minute(s), and comments fields described above (* selects every month
    or every day), followed by:
output mode
    Specify the output mode. Values: tftp and ftp.
tags
    Specify the tag: 1 all, 2 aaa, 3 dhcp, 4 dns, 5 ssl, 6 nha, 7 snas.
    The default is all.
domain
    Specify the domain.
TFTP server
    Specify the TFTP server.
filename
    Specify the filename.
/cfg/scheduler/add followed by (upgrade task):

upgrade
    You are prompted for the same day of week, month(s), day(s), hour(s),
    minute(s), and comments fields described above, followed by:
protocol
    Select the protocol (tftp/ftp).
hostname or IP address
    Specify the host name or IP address of the server.
filename
    Specify the filename.
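The five time fields above behave like cron fields, and a wrong value (for example 7 for the day of week, which the CLI numbers 0 to 6) is easier to catch before it is typed into the switch than after. The following Python is an added example, not code from this manual or from Nortel: it expands each field specification into the set of values it selects, converts Python's Monday-first weekday numbering to the scheduler's Sunday = 0, and reports when a task would next fire. The comma-separated list syntax and the minute-stepping search are assumptions of the example, not documented CLI behaviour.

```python
"""Added example: expand and match the cron-like fields that /cfg/scheduler/add
prompts for (day of week 0-6 with Sunday = 0, month(s) 1-12, day(s) 1-31,
hour(s) 0-23, minute(s) 0-59). The CLI documents '*', a single value and a
range such as 1-5; comma-separated lists and the minute-stepping next_run()
are assumptions of this example, not documented CLI behaviour."""
from datetime import datetime, timedelta

FIELD_RANGES = {          # field name -> (lowest, highest) value the CLI accepts
    "minute": (0, 59),
    "hour": (0, 23),
    "day": (1, 31),
    "month": (1, 12),
    "dow": (0, 6),        # 0 = Sunday, as the Nortel SNAS scheduler documents
}


def parse_field(spec, field):
    """Expand one scheduler field into the frozenset of integers it selects.
    '*' selects every value, '1-5' a range, '1,3,5' a list (assumed syntax).
    Values outside the field's range raise ValueError instead of being
    accepted silently, which is what you want before storing a task."""
    lo, hi = FIELD_RANGES[field]
    spec = spec.strip()
    if spec == "*":
        return frozenset(range(lo, hi + 1))
    selected = set()
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            start_text, end_text = part.split("-", 1)
            start, end = int(start_text), int(end_text)
        else:
            start = end = int(part)
        if start > end:
            raise ValueError(f"{field}: range {part!r} runs backwards")
        if start < lo or end > hi:
            raise ValueError(f"{field}: {part!r} outside {lo}-{hi}")
        selected.update(range(start, end + 1))
    if not selected:
        raise ValueError(f"{field}: empty specification {spec!r}")
    return frozenset(selected)


def _as_datetime(value):
    """Accept a datetime or an ISO 8601 string such as '2008-07-28T02:30'."""
    return value if isinstance(value, datetime) else datetime.fromisoformat(value)


class ScheduledTask:
    """One scheduler entry, built from the field values an operator would type."""

    def __init__(self, task, dow="*", months="*", days="*", hours="*",
                 minutes="*", comment=""):
        self.task = task
        self.comment = comment
        self.dow = parse_field(dow, "dow")
        self.months = parse_field(months, "month")
        self.days = parse_field(days, "day")
        self.hours = parse_field(hours, "hour")
        self.minutes = parse_field(minutes, "minute")

    def matches(self, when):
        """True if the task fires in the given minute. Python numbers Monday as
        0 and Sunday as 6, so convert to the scheduler's Sunday = 0 convention."""
        when = _as_datetime(when)
        snas_dow = (when.weekday() + 1) % 7
        return (when.minute in self.minutes and when.hour in self.hours
                and when.day in self.days and when.month in self.months
                and snas_dow in self.dow)

    def next_run(self, after, horizon_days=62):
        """First firing strictly after 'after', or None if none within the horizon.
        Steps minute by minute, which is plenty for a maintenance schedule."""
        probe = _as_datetime(after).replace(second=0, microsecond=0) + timedelta(minutes=1)
        limit = probe + timedelta(days=horizon_days)
        while probe < limit:
            if self.matches(probe):
                return probe
            probe += timedelta(minutes=1)
        return None


if __name__ == "__main__":
    # Constructed entry: a weekday 02:30 configuration backup (ptcfg task).
    backup = ScheduledTask("ptcfg", dow="1-5", hours="2", minutes="30",
                           comment="nightly config backup")
    print(backup.next_run("2008-07-26T03:00"))   # a Saturday -> Monday 02:30
```

Run it against the day-of-week, month, day, hour and minute values you intend to enter; a ValueError from parse_field means the CLI would not accept that value either.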
Managing Nortel SNAS devices  
To manage Nortel SNAS software and devices, use the following  
command:  
/boot  
The Boot menu appears.  
The Boot menu includes the following options:
/boot followed by:

software
    Accesses the Software Management menu, in order to view, download, and
    activate software versions (see "Managing software for a Nortel SNAS
    device" (page 363)).
halt
    Stops the Nortel SNAS device to which you are connected (using Telnet,
    SSH, or a console connection). If you have a Telnet or SSH connection
    to the Management IP address (MIP), use the /cfg/sys/host #/halt
    command instead (see
    ATTENTION
    Always use the halt command before turning off the device.
reboot
    Reboots the Nortel SNAS device to which you are connected (using
    Telnet, SSH, or a console connection). If you have a Telnet or SSH
    connection to the Management IP address (MIP), use the /cfg/sys/host
    #/reboot command instead (see
delete
    Resets the Nortel SNAS device to which you are connected (using Telnet,
    SSH, or a console connection) to its factory default configuration. All
    IP configuration is lost. The software itself remains intact. After
    executing the delete command, you can only access the device using a
    console connection. Log on as the Admin user (user name: admin,
    password: admin) to enter the Setup Menu.
    ATTENTION
    If you receive a warning that the device you are trying to delete has
    no contact with any other master Nortel SNAS device in the cluster,
    also connect to the MIP (using Telnet or SSH) and delete the Nortel
    SNAS device from the cluster by using the /cfg/sys/host #/delete
    command (see "delete"
    The /boot/delete command is primarily intended for when you want to
    delete a Nortel SNAS device in one of the following situations:
    - The device has become isolated from the cluster.
    - The device has been physically removed from the cluster without
      first performing the /cfg/sys/host #/delete command.
    In these situations, you must use the /boot/delete command to present
    the Setup menu, from which you can perform the new and join commands.
Managing software for a Nortel SNAS device  
To view, download, and activate software versions for the Nortel SNAS  
device to which you are connected, use the following command:  
/boot/software  
The Software Management menu appears.  
The Software Management menu includes the following options:  
/boot/software followed by:

cur
    Displays the status of the software versions on the particular device
    to which you are connected. The status options are:
    permanent: the software version that is currently operational
    old: the software version that preceded the currently operational
    software version
    unpacked: the software upgrade package has been downloaded but not yet
    activated
    If you activate a software version indicated as either unpacked or
    old, the status of that version changes to permanent. The software
    status change occurs after the Nortel SNAS device performs a reboot.
activate <version>
    Activates a downloaded software upgrade package that the cur command
    indicates as unpacked. If serious problems occur when the new software
    version runs, you can switch back to the previous version by activating
    the software version that the cur command indicates as old.
    The Nortel SNAS reboots when you confirm the activate command.
    ATTENTION
    When you activate a software upgrade on a Nortel SNAS device, all the
    Nortel SNAS devices in the cluster reboot. All active sessions are lost.
download <protocol> <server> <filename>
    Downloads a new software package from the specified file exchange
    server, in order to perform a minor or major upgrade. You are prompted
    to provide the following parameters if you do not specify them in the
    command:
    protocol is the import protocol. Options are tftp|ftp|scp|sftp. The
    default is tftp.
    server is the host name or IP address of the file exchange server.
    filename is the name of the software upgrade package. Software upgrade
    packages typically have the .pkg file name extension.
    For FTP, SCP, and SFTP, a user name and password.
    Because tftp and ftp provide neither encryption nor server
    authentication, use scp or sftp where the file server supports them,
    and check the release notes for the package before activating it.
    If you include a directory path and file name (separated by a forward
    slash (/)) on the same line as the FTP server host name or IP address
    when you run the command, make sure you put the combined directory path
    and file name string within double quotation marks. For example:
    >> Software Management# download ftp 10.0.0.1 "pub/NSNA-5.1.1-upgrade_complete.pkg"
    If you are using anonymous mode when downloading the software package
    from an FTP server, the Nortel SNAS uses the following string as the
    password (for logging purposes):
    admin@<hostname>.isd
del
    Removes a software package that has been downloaded but not yet
    activated (status is unpacked). You cannot delete software versions
    with any other status (see the cur command).
Upgrading or reinstalling the software  
The Nortel SNAS software image is the executable code running on the  
Nortel SNAS. A version of the image ships with the Nortel SNAS and is  
preinstalled on the device. As new versions of the image are released, you  
can upgrade the software running on your Nortel SNAS. In some cases,  
you may need to reinstall the software on the Nortel SNAS in order to  
return the device to its factory defaults.  
Upgrading the Nortel SNAS  
There are two types of upgrades:
- Minor release upgrade: This is typically a bug fix release. All
  configuration data is retained. To perform a minor upgrade, connect to
  the Management IP address (MIP) of the cluster you want to upgrade.
- Major release upgrade: This kind of release may contain bug fixes as
  well as feature enhancements. All configuration data is retained. To
  perform a major upgrade, connect to the MIP of the cluster you want to
  upgrade.
ATTENTION  
When you activate a software upgrade on a Nortel SNAS device, all the Nortel  
SNAS devices in the cluster reboot. All active sessions are lost.  
Upgrading the software on your Nortel SNAS requires the following:  
Step    Action
1       Loading the new software upgrade package or install image onto a
        TFTP/FTP/SCP/SFTP server on your network.
2       Downloading the new software from the TFTP/FTP/SCP/SFTP server to
        your Nortel SNAS.
3       Activating the software on the Nortel SNAS.
--End--
ATTENTION
Before upgrading, check the accompanying release notes for any specific
actions to take for the particular software upgrade package or install
image.
Performing minor and major release upgrades  
The following description applies to a minor or a major release upgrade.  
To upgrade the Nortel SNAS you will need the following:
- Access to one of your Nortel SNAS devices through a remote connection
  (Telnet or SSH), or a console connection.
- The software upgrade package, loaded on a TFTP/FTP/SCP/SFTP server on
  your network.
- The host name or IP address of the TFTP/FTP/SCP/SFTP server. If you
  choose to specify the host name, note that the DNS parameters must have
  been configured. For more information, see "Configuring
- The name of the software upgrade package (upgrade packages are
  identified by the .pkg file name extension).
The set of installed Nortel SNAS devices you are running in a cluster  
cooperate to give you a single system view. Thus, to perform an upgrade,  
you only need to connect to the MIP of the cluster. The upgrade will  
automatically be executed on all the Nortel SNAS devices in operation at  
the time of the upgrade. All configuration data is retained.  
You can access the MIP by a Telnet or an SSH connection.  
ATTENTION  
Telnet and SSH connections to the Nortel SNAS are disabled by default, after  
the initial setup has been performed. For more information about enabling Telnet  
When you have gained access to the Nortel SNAS, download the software  
Downloading the software image
To download the software upgrade package, perform the following steps:
Step    Action
1       Enter the following command at the Main menu prompt. Then select
        whether to download the software upgrade package from a
        TFTP/FTP/SCP/SFTP server.
        For some TFTP servers, files larger than 16 MB may cause the
        upgrade to fail.
        >> Main# boot/software/download
        Select protocol (tftp/ftp/scp/sftp) [tftp]: ftp
2       Enter the host name or IP address of the server.
        Enter hostname or IP address of server: <server host name or IP>
3       Enter the file name of the software upgrade package to download.
        If needed, the file name can be prefixed with a search path to the
        directory on the TFTP/FTP/SCP/SFTP server.
        If you are using anonymous mode when downloading the software
        package from an FTP server, the following string is used as the
        password (for logging purposes): admin@hostname/IP.isd.
        Enter filename on server: <filename.pkg>
        FTP User (anonymous): <username or press ENTER for anonymous mode>
        Password: <password or press ENTER for default password in
        anonymous mode>
        Received 28200364 bytes in 4.0 seconds
        Unpacking...
        ok
        >> Software Management#
--End--
Activating the software upgrade package  
The Nortel SNAS can hold up to two software versions simultaneously.  
To view the current software status, use the /boot/software/cur  
command. When a new version of the software is downloaded to the  
Nortel SNAS, the software package is decompressed automatically and  
marked as unpacked. After you activate the unpacked software version  
(which causes the Nortel SNAS to reboot), the software version is marked  
as permanent. The software version previously marked as permanent will  
then be marked as old.  
For minor and major releases, the software upgrade occurs in  
synchronized fashion among the set of Nortel SNAS devices in a cluster. If  
a Nortel SNAS device in a cluster is not operational when the software is  
upgraded, it will automatically pick up the new version when it is started.  
ATTENTION  
If more than one software upgrade has been performed on a cluster while a  
Nortel SNAS device has been out of operation, the software version currently in  
use in that cluster must be reinstalled on that Nortel SNAS device. For more  
information about how to perform a reinstall, see “Reinstalling the software”  
When you have downloaded the software upgrade package, you can  
inspect its status with the /boot/software/cur command.  
Step    Action
1       At the Software Management# prompt, enter the following command:
        >> Software Management# cur
        Version  Name   Status
        -------  ----   ------
        x.x      NSNAS  old
        z.z      NSNAS  permanent
        The downloaded software upgrade package is indicated with the
        status unpacked. The software versions can be marked with one out
        of four possible status values. The meanings of these status values
        are:
        unpacked means that the software upgrade package has been
        downloaded and automatically decompressed.
        permanent means that the software is operational and will survive
        a reboot of the system.
        old means the software version has been permanent but is not
        currently operational. If a software version marked old is
        available, it is possible to switch back to this version by
        activating it again.
        current means that a software version marked as old or unpacked
        has been activated. As soon as the system has
performed the necessary health checks, the current status  
changes to permanent.  
To activate the unpacked software upgrade package, use the  
/boot/software/activate command.  
ATTENTION  
When you activate a software upgrade on a Nortel SNAS device, all  
the Nortel SNAS devices in the cluster reboot. All active sessions are  
lost.  
2       At the Software Management# prompt, enter:
        >> Software Management# activate
        Enter software version to activate: <version>
        Confirm action 'activate'? [y/n]: y
        Activate ok, relogin
        <you are logged out here>
        Restarting system.
        login:
ATTENTION  
Activating the unpacked software upgrade package may cause  
the command line interface (CLI) software to be upgraded as well.  
Therefore, you will be logged out of the system, and will have to log in  
again. Wait until the login prompt appears. This may take up to two  
minutes, depending on your type of hardware platform and whether  
the system reboots.  
3       Log in again and verify the new software version:
        >> Main# boot/software/cur
        Version  Name   Status
        -------  ----   ------
        x.x      NSNAS  permanent
        z.z      NSNAS  old
        In this example, version x.x is now operational and will survive a
        reboot of the system, while the software version previously
        indicated as permanent is marked as old.
ATTENTION  
If you encounter serious problems while running the new software  
version, you can revert to the previous software version (now  
indicated as old). To do this, activate the software version indicated  
as old. When you log in again after having activated the old software  
version, its status is indicated as current for a short while. After about  
one minute, when the system has performed the necessary health  
checks, the current status is changed to permanent.  
--End--  
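Both the /boot/software table earlier in this chapter and the activate procedure above describe the same status rules: a downloaded package is unpacked, activating an unpacked or old version makes it current and then permanent, the previously permanent version becomes old, and del removes only an unpacked version. The following Python is an added example, not code from this manual or from Nortel; it parses the table that cur prints, picks the version to activate, and checks the cur output captured after re-login against those rules. The two transcripts are constructed, using the page's x.x and z.z placeholders, and the assumption that a version already marked old drops out when a third one is activated over it is the example's own.

```python
"""Added example: parse the table printed by /boot/software/cur and check an
activate cycle against the status rules on this page (unpacked/old -> current
-> permanent; the previously permanent version -> old; del only for unpacked).
The sample transcripts are constructed; x.x and z.z are the page's placeholders."""
from collections import namedtuple

Entry = namedtuple("Entry", "version name status")
VALID_STATUS = {"unpacked", "current", "permanent", "old"}

# Constructed transcripts of the cur command before and after activating x.x.
CUR_BEFORE = """\
>> Software Management# cur
Version  Name   Status
-------  ----   ------
x.x      NSNAS  unpacked
z.z      NSNAS  permanent
"""

CUR_AFTER = """\
>> Main# boot/software/cur
Version  Name   Status
-------  ----   ------
x.x      NSNAS  permanent
z.z      NSNAS  old
"""


def parse_cur(text):
    """Turn cur output into Entry tuples, skipping the prompt line, the column
    header and the dashed separator. Unknown statuses are rejected."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if (not line or line.startswith(">>") or line.lower().startswith("version")
                or set(line) <= set("- ")):
            continue
        parts = line.split()
        if len(parts) != 3:
            raise ValueError(f"unexpected cur line: {line!r}")
        version, name, status = parts
        if status not in VALID_STATUS:
            raise ValueError(f"unknown status {status!r} for version {version}")
        entries.append(Entry(version, name, status))
    return entries


def versions_with(entries, status):
    return [e.version for e in entries if e.status == status]


def activation_target(entries):
    """Version to pass to /boot/software/activate: the single unpacked package."""
    unpacked = versions_with(entries, "unpacked")
    if len(unpacked) != 1:
        raise ValueError(f"expected exactly one unpacked version, found {unpacked}")
    return unpacked[0]


def rollback_target(entries):
    """Version to activate to revert a bad upgrade, or None if no old version is kept."""
    old = versions_with(entries, "old")
    return old[0] if old else None


def can_delete(entries, version):
    """/boot/software/del removes only a version whose status is unpacked."""
    return version in versions_with(entries, "unpacked")


def expected_after_activate(entries, target):
    """Statuses cur should report once the reboot and health checks are done.
    Assumption not stated on the page: because a device holds at most two
    versions, a version that was already old drops out when an unpacked
    package is activated over it."""
    before = {e.version: e.status for e in entries}
    if before.get(target) not in ("unpacked", "old"):
        raise ValueError(f"{target} is {before.get(target)}; only unpacked or old can be activated")
    expected = {}
    for version, status in before.items():
        if version == target:
            expected[version] = "permanent"
        elif status == "permanent":
            expected[version] = "old"
    return expected


def verify_activation(before_text, after_text, target):
    """Compare cur output captured after re-login with the expected statuses.
    'current' is accepted in place of 'permanent' for the target, because the
    page says it changes to permanent only after the health checks finish."""
    expected = expected_after_activate(parse_cur(before_text), target)
    actual = {e.version: e.status for e in parse_cur(after_text)}
    problems = []
    for version, want in expected.items():
        got = actual.get(version)
        if got == want or (want == "permanent" and got == "current"):
            continue
        problems.append(f"{version}: expected {want}, cur reports {got}")
    for version in actual:
        if version not in expected:
            problems.append(f"{version}: unexpected version with status {actual[version]}")
    return problems


if __name__ == "__main__":
    before = parse_cur(CUR_BEFORE)
    target = activation_target(before)
    print("activate", target, "; fallback afterwards:", rollback_target(parse_cur(CUR_AFTER)))
    print("problems:", verify_activation(CUR_BEFORE, CUR_AFTER, target) or "none")
```

Paste the real cur output captured before the activate and after re-login in place of the constructed transcripts; an empty problem list means the cluster ended up where the procedure says it should, and rollback_target tells you which version activate would need to revert.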
Reinstalling the software  
If you are adding a Nortel SNAS device to an existing cluster, you may  
need to reinstall the software on the new Nortel SNAS if the software  
versions on the new Nortel SNAS and the existing Nortel SNAS cluster  
differ. Otherwise, it is only in the case of serious malfunction that you  
might need to reinstall the software, and this seldom occurs.  
You must perform the reinstall using a console connection.  
Reinstalling the software resets the Nortel SNAS to its factory default  
configuration. The reinstall erases all other configuration data and current  
software, including old software image versions or upgrade packages that  
may be stored in the flash memory card or on the hard disk.  
Before you begin  
To reinstall the software on the Nortel SNAS from an external file server,  
you require the following:  
access to the Nortel SNAS using a console connection  
an install image, loaded on a TFTP/FTP/SCP/SFTP server on your  
network  
the IP address of the TFTP/FTP/SCP/SFTP server  
the name of the install image  
authorization to log on as the boot user  
ATTENTION
A reinstall wipes out all configuration data, including network settings.
Before reinstalling the software on a Nortel SNAS device with a working
configuration, save all configuration data to a file on a
TFTP/FTP/SCP/SFTP server. If you use the ptcfg command in the CLI, the
saved configuration data will include installed keys and certificates. You
can later restore the configuration, including the installed keys and
certificates, by using the gtcfg command. (For more information about
these CLI commands, see "Backing up or restoring the configuration" (page
356).) If you want to make separate backup copies of your keys and
certificates, use the display or export commands. (For more information
about these commands, see "Saving or exporting certificates and
If a software CD was shipped with the Nortel SNAS, you can also reinstall
the software from the CD (see "Reinstalling the software from a CD" (page
375)).
Reinstalling the software from an external file server  
To reinstall the software image downloaded to an external file server,  
perform the following steps:  
Step    Action
1       Log on as the boot user. The password for the boot user is
        ForgetMe.
        login: boot
        Password: ForgetMe
        *** Reinstall Upgrade Procedure ***
        If you proceed beyond this point, the active network
        configuration will be reset, requiring a reboot to
        restore any current settings. However, no permanent
        changes will be done until the boot image has been
        downloaded.
        Continue (y/n)? [y]:
        Press Enter to accept the default (yes) and continue.
        Because the boot user's password is documented here and is not
        something you set, anyone with access to the console port can
        wipe and reinstall the device; keep the console port physically
        secured.
2       Specify the network port and IP network settings.
        If the Nortel SNAS was previously configured for network access,
        the previous settings are the suggested default values presented
        within square brackets. To accept the suggested values, press
        Enter. If the Nortel SNAS was not previously configured for
        network access, or you deleted the Nortel SNAS from the cluster
        using the /boot/delete command, no suggested values related to a
        previous configuration are presented within square brackets; you
        must provide information about the network settings.
        a Specify the port for network connectivity.
        b If the core router attaches VLAN tag IDs to incoming packets,
          specify the VLAN tag ID used.
        c Specify the host IP address for the device.
        d Specify the network mask.
        e Specify the default gateway IP address.
        Select a network port (1-4, or i for info) [1]:
        Enter VLAN tag id (or zero for no VLAN tag) [0]:
        Enter IP address for this iSD [192.168.128.185]:
        Enter network mask [255.255.255.0]:
        Enter gateway IP address [192.168.128.1]:
3       Specify the download details:
        a protocol for the download method
        b server IP address
        c file name of the boot image
        d user name and password, if the server does not support
          anonymous logon. The default is anonymous.
        Select protocol (tftp/ftp/scp/sftp) [tftp]: <protocol>
        Enter <protocol> server address: <IPaddr>
        Enter file name of boot image: NSNAS-x.x.x-boot.img
        Enter FTP Username [anonymous]:
        Password:
        Downloading boot image...
        Installing new boot image...
        Done
        ATTENTION
        For some TFTP servers, files larger than 16 MB may cause the
        update to fail.
4       Wait for the Nortel SNAS to reboot on the newly installed boot
        image.
        Restarting...
        Restarting system.
        Alteon WebSystems, Inc. 0004004C
        Booting...
        Login:
5       Log on as the admin user to enter the Setup menu and perform the
        initial setup of the Nortel SNAS device (see "Initial setup"
--End--
Reinstalling the software from a CD  
To reinstall the software image from a CD, perform the following steps:
Step    Action
1       Boot the Nortel SNAS from the CD.
2       Log on as the root user (no password).
3       Run install-nsnas isd4050.
4       When the installation is complete, remove the CD and reboot.
--End--
The CD boots to a root login with no password, so this path, like the
boot user reinstall, is open to anyone with physical access to the device.
The Command Line Interface  
This chapter explains how to access the Nortel SNAS through the  
Command Line Interface (CLI).  
The Nortel SNAS software provides means for accessing, configuring, and  
viewing information and statistics about the Nortel SNAS configuration. By  
using the built-in, text-based command line interface and menu system,  
you can access and configure the Nortel SNAS or cluster either through a  
local console connection (using a computer running terminal emulation  
software) or through a remote session using a Telnet client or a Secure  
Shell (SSH) client.  
When using a Telnet or SSH client to connect to a cluster of Nortel  
SNAS devices, always connect to the Management IP address (MIP).  
Configuration changes are automatically propagated to all members of  
the cluster. However, to use the /boot/halt, /boot/reboot, or  
/boot/delete commands, connect to the Real IP address (RIP) of  
the particular Nortel SNAS device on which you want to perform these  
commands, or connect to that Nortel SNAS with a console connection.  
Connecting to the Nortel SNAS  
You can access the CLI in two ways:
- using a console connection through the console port (see "Establishing
  a console connection")
- using a Telnet connection or SSH connection over the network (see
  "Establishing a Telnet connection")
Establishing a console connection  
Use a console connection to perform the initial setup and when reinstalling  
the Nortel SNAS software as the boot user. You must also use a console  
connection when logging in as root user for advanced troubleshooting  
purposes.  
Requirements
To establish a console connection with the Nortel SNAS, you need the
following:
- An ASCII terminal or a computer running terminal emulation software set
  to the parameters shown in Table 58 "Console configuration parameters".
Table 58
Console configuration parameters
Parameter       Value
Baud rate       9600
Data bits       8
Parity          None
Stop bits       1
Flow control    None
- A serial cable with a female DB-9 connector. For more specific
  information, see the chapter about connecting to the Nortel SNAS in
  Nortel Secure Network Access Switch 4050 Installation Guide
  (NN47230-300).
Procedure steps  
Step  
1
Action  
Connect the terminal to the Console port using the correct serial  
cable.  
        When connecting to a Nortel SNAS, use a serial cable with a
        female DB-9 connector (shipped with the Nortel SNAS).
2       Power on the terminal.
3       To establish the connection, press ENTER on your terminal.
--End--
You will next be required to log on by entering a user name and a
password. For more information on user accounts and default passwords,
Establishing a Telnet connection  
A Telnet connection offers the convenience of accessing the Nortel SNAS  
cluster from any workstation connected to the network. Telnet access  
provides the same options for user access and administrator access as  
those available through the console port.  
When you use a Telnet connection to access the Nortel SNAS from a  
workstation connected to the network, the communication channel is not  
secure. All data flowing back and forth between the Telnet client and the  
Nortel SNAS is sent unencrypted (including the password), and there is no  
server host authentication.  
To configure the Nortel SNAS cluster for Telnet access, you need to have  
a device with Telnet client software located on the same network as the  
Nortel SNAS device or cluster. The Nortel SNAS must have a RIP and a  
MIP. If you have already performed the initial setup by selecting new or  
join in the Setup menu, the assignment of IP addresses is complete.  
When you are making configuration changes to a cluster of Nortel SNAS  
devices using Telnet, Nortel recommends that you connect to the MIP.  
However, if you want to halt or reboot a particular Nortel SNAS in a  
cluster, or reset all configuration to the factory default settings, you must  
connect to the RIP (the IP address of the particular Nortel SNAS device).  
To view the IP addresses of all Nortel SNAS devices in a cluster, use the  
/info/contlist command.  
ATTENTION
Telnet and SSH, once enabled, are accepted on both the RIP and the MIP.
Enabling and restricting Telnet access  
Telnet access to the Nortel SNAS cluster is disabled by default, for  
security reasons. However, depending on the severity of your security  
policy, you may want to enable Telnet access. You may also restrict Telnet  
access to one or more specific machines.  
For more information on how to enable Telnet access, see the
/cfg/sys/adm/telnet command (see "telnet on|off" (page 283)). For
more information on how to restrict Telnet access to one or more specific  
Running Telnet  
Once the IP parameters on the Nortel SNAS are configured and Telnet  
access is enabled, you can access the CLI using a Telnet connection.  
To establish a Telnet connection with the Nortel SNAS, run the Telnet  
program on your workstation and issue the Telnet command, followed by  
the IP address of the Nortel SNAS.  
telnet <IP address>  
You will then be prompted to enter a valid user name and password. For  
more information about different user accounts and default passwords, see  
Establishing a connection using SSH  
Using an SSH client to establish a connection over the network provides  
the following security benefits:  
server host authentication  
encryption of passwords for user authentication  
encryption of all traffic that is transmitted over the network when  
configuring or collecting information from the Nortel SNAS  
Enabling and restricting SSH access  
SSH access to the Nortel SNAS is disabled by default. However,  
depending on the severity of your security policy, you may want to enable  
SSH access. You may also restrict SSH access to one or more specific  
machines.  
For more information on how to enable SSH access, see the
/cfg/sys/adm/ssh command (see "ssh on|off" (page 283)). For
more information on how to restrict SSH access to one or more specific  
Running an SSH client  
Connecting to the Nortel SNAS using an SSH client is similar to  
connecting using Telnet: the IP parameters on the Nortel SNAS must  
be configured in advance, and SSH access must be enabled. After you  
provide a valid user name and password, the CLI in the Nortel SNAS  
is accessible the same way as when using a Telnet client. However,  
since a secured and encrypted communication channel is set up even  
before the user name and password is transmitted, all traffic sent over the  
network while configuring or collecting information from the Nortel SNAS  
is encrypted. For information about different user accounts and default  
During the initial setup of the Nortel SNAS device or cluster, you  
are provided with the choice to generate new SSH host keys. Nortel  
recommends that you do so, in order to maintain a high level of security  
when connecting to the Nortel SNAS using an SSH client. If you fear that  
your SSH host keys have been compromised, you can create new host  
keys at any time by using the /cfg/sys/adm/sshkeys/generate  
command. When reconnecting to the Nortel SNAS after generating new  
host keys, your SSH client will display a warning that the host identification  
(or host keys) has changed.  
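The warning described above is the client side of host key pinning: the key the device presents after /cfg/sys/adm/sshkeys/generate no longer matches the one recorded for that address. The following Python is an added example, not code from the manual or the Nortel product; it implements a minimal known_hosts-style pin store and the OpenSSH SHA256 fingerprint format so the check can be reproduced offline. All key bytes are constructed test data, and the 10.40.40.3 entry reuses the MIP from the manual's configuration example.

```python
"""Detect a changed SSH host key the way an SSH client does (added example).

When the Nortel SNAS host keys are regenerated, the key presented on the
next connection no longer matches the one pinned for that address, so the
client must warn instead of silently accepting. All key bytes here are
constructed test data, not real device keys.
"""
import base64
import hashlib
import struct


def ssh_string(data: bytes) -> bytes:
    """Length-prefixed string as used in the SSH wire format (RFC 4251)."""
    return struct.pack(">I", len(data)) + data


def ed25519_blob(raw_key: bytes) -> bytes:
    """Public key blob for an ssh-ed25519 key: type string + 32 key bytes."""
    if len(raw_key) != 32:
        raise ValueError("ed25519 public keys are exactly 32 bytes")
    return ssh_string(b"ssh-ed25519") + ssh_string(raw_key)


def fingerprint(blob: bytes) -> str:
    """OpenSSH-style fingerprint: SHA256 of the blob, base64 without padding."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_known_hosts(text: str) -> dict:
    """Map host -> (key type, base64 blob) from known_hosts formatted lines.

    Simplification: one pinned key per host, so any difference in type or
    key bytes is reported as a change.
    """
    pins = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"malformed known_hosts line: {line!r}")
        host, key_type, b64 = fields[:3]
        pins[host] = (key_type, b64)
    return pins


def verify_host_key(pins: dict, host: str, key_type: str, blob: bytes) -> str:
    """Classify the presented key: 'match', 'new' (first contact) or 'changed'."""
    presented = (key_type, base64.b64encode(blob).decode())
    pinned = pins.get(host)
    if pinned is None:
        return "new"
    return "match" if pinned == presented else "changed"


def host_key_report(pins: dict, host: str, key_type: str, blob: bytes) -> str:
    """Human-readable outcome, mirroring the warning an SSH client prints."""
    verdict = verify_host_key(pins, host, key_type, blob)
    fp = fingerprint(blob)
    if verdict == "changed":
        old_type, old_b64 = pins[host]
        old_fp = fingerprint(base64.b64decode(old_b64))
        return (f"WARNING: host key for {host} has changed "
                f"(pinned {old_type} {old_fp}, presented {key_type} {fp}); "
                "confirm the regeneration out of band before connecting")
    if verdict == "new":
        return f"{host} not in known_hosts; verify {key_type} {fp} before trusting"
    return f"{host} host key {fp} matches the pinned key"


# Constructed keys: the key pinned before /cfg/sys/adm/sshkeys/generate
# and the key the device presents afterwards.
OLD_KEY = ed25519_blob(bytes(range(32)))
NEW_KEY = ed25519_blob(bytes(range(100, 132)))
MIP = "10.40.40.3"  # the MIP used in the manual's configuration example
KNOWN_HOSTS = f"{MIP} ssh-ed25519 {base64.b64encode(OLD_KEY).decode()}\n"
PINS = parse_known_hosts(KNOWN_HOSTS)

if __name__ == "__main__":
    print(host_key_report(PINS, MIP, "ssh-ed25519", OLD_KEY))
    print(host_key_report(PINS, MIP, "ssh-ed25519", NEW_KEY))
    print(host_key_report(PINS, "10.40.40.2", "ssh-ed25519", NEW_KEY))
```

The "changed" verdict is the situation the paragraph describes; the safe response is to confirm the regeneration with whoever administers the device and then replace the pinned entry, not to delete the warning.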
Accessing the Nortel SNAS cluster  
To enable better Nortel SNAS management and user accountability, there  
are five categories of users who can access the Nortel SNAS cluster:  
The Operator is granted read access only to the menus and  
information appropriate to this user access level. The Operator cannot  
make any changes to the configuration.  
The Administrator can make any changes to the Nortel SNAS  
configuration. Thus, the Administrator has read and write access to all  
menus, information, and configuration commands in the Nortel SNAS  
software.  
A Certificate Administrator is a member of the certadmin group.  
A Certificate Administrator has sufficient user rights to manage  
certificates and private keys. By default, only the Administrator user  
is a member of the certadmin group. To separate the Certificate  
Administrator user role from the Administrator user role, the  
Administrator user can add a new user account to the system, assign  
the new user to the certadmin group, and then remove himself or  
herself from the certadmin group. For more information, see “Adding a  
The Boot user can perform a reinstallation only. For security reasons,  
it is only possible to log on as the Boot user through the console port  
using terminal emulation software. The default Boot user password  
is ForgetMe. The Boot user password cannot be changed from the  
default.  
The Root user is granted full access to the underlying Linux operating  
system. For security reasons, it is only possible to log on as the Root  
user through the console port using terminal emulation software.  
Reserve Root user access for advanced troubleshooting purposes,  
under guidance from Nortel customer support.  
For more information, see “How to get help” (page 21).  
Access to the Nortel SNAS CLI and settings is controlled through the use  
of four predefined user accounts and passwords. Once you are connected  
to the Nortel SNAS by a console connection or remote connection  
(Telnet or SSH), you are prompted to enter a user account name and the  
corresponding password. Table 59 "User access levels" (page 382) lists  
the default user accounts and passwords for each access level.  
ATTENTION  
The default Administrator user password can be changed during the initial  
configuration (see “Initial setup” (page 41)). However, the default passwords  
for the Operator user, the Boot user, and the Root user are used even after  
the initial configuration. Nortel therefore recommends that you change the  
default Nortel SNAS passwords for the Operator and Root user soon after the  
initial configuration, and as regularly as required under your network security  
policies. For more information about how to change a user account password,
Table 59
User access levels
User Account | Default Password | User Group | Access Level Description
oper | oper | oper | The Operator is allowed read access to some of the menus and information available in the CLI.
admin | admin | admin, oper, certadmin | The Administrator is allowed both read and write access to all menus, information and configuration commands. The Administrator can add users to all groups in which the Administrator himself or herself is a member. The Administrator can delete a user from any of the other three built-in groups.
- | - | certadmin | By default, only the Administrator is a member of the certadmin group. Certadmin group rights are sufficient for administrating certificates and keys on the Nortel SNAS. A certificate administrator user has no access to the SSL Server menu, and only limited access to the System menu.
boot | ForgetMe | - | The boot user can only perform a reinstallation of the software, and only via a console connection.
root | ForgetMe | - | The root user has full access to the underlying Linux operating system, but only via a console connection.
CLI Main Menu or Setup  
Once the Administrator user password is verified, you are given complete  
access to the Nortel SNAS. If the Nortel SNAS is still set to its factory  
default configuration, the system will run Setup (see “Initial setup” (page  
41)), a utility designed to help you through the first-time configuration  
process. If the Nortel SNAS has already been configured, the Main menu  
of the CLI is displayed instead.  
with administrator privileges.  
Figure 22  
Administrator Main Menu  
Command line history and editing  
For a description of global commands, shortcuts, and command line  
editing functions, see “CLI reference” (page 413).  
Idle timeout  
The Nortel SNAS will disconnect your local console connection or  
remote connection (Telnet or SSH) after 10 minutes of inactivity.  
This value can be changed to a maximum value of 1 hour using the  
/cfg/sys/adm/clitimeout command.  
If you are automatically disconnected after the specified idle timeout  
interval, any unapplied configuration changes are lost. Therefore, make  
sure to save your configuration changes regularly by using the global  
apply command.  
If you have unapplied configuration changes when you use the global  
exit command to log out from the CLI, you will be prompted to use the  
global diff command to view the pending configuration changes. After  
verifying the pending configuration changes, you can either apply the  
changes or use the revert command to remove them.  
Configuration example  
This chapter provides an example of a basic Nortel SNAS configuration.  
This chapter includes the following topics:  
Scenario  
The basic Nortel SNAS network in this example includes: one Nortel SNAS device; two edge switches (one Ethernet Routing Switch 8300 and one Ethernet Routing Switch 5510) functioning as network access devices; and an Ethernet Routing Switch 8600 that functions only as the core router. A BCM call server, a DNS server, a DHCP server, and a remediation server are connected to the core router. The edge switches function in Layer 2 mode.
configuration.  
Figure 23  
Basic configuration  
Table 60 "Network devices" (page 386) summarizes the devices connected  
in this environment and their respective VLAN IDs and IP addresses.  
Table 60
Network devices
VLAN ID | VLAN IP address | Device/Service | Device IP address | Ethernet Routing Switch 8600 port
20 | 10.20.20.1 | DNS | 10.20.20.2 | 1/1
30 | 10.30.30.1 | DHCP | 10.30.30.2 | 1/11
40 | 10.40.40.1 | Nortel SNAS | 10.40.40.2 (RIP), 10.40.40.3 (MIP), 10.40.40.100 (pVIP) | 1/7
120 | 10.120.120.1 | Remediation server | 10.120.120.2 | 1/31
50 | 10.11.11.1 | Call server | 10.11.11.254 | 1/23
ATTENTION
In the port column, 1/1 refers to port 1 of the chassis component mounted in rack 1 (1/1 = unit 1 / port 1).
Table 61 "VLANs for the Ethernet Routing Switch 8300" (page 387) summarizes the VLANs for the Ethernet Routing Switch 8300.
Table 61
VLANs for the Ethernet Routing Switch 8300
VLAN | VLAN ID | Yellow subnet
Red | 110 | N/A
Yellow | 120 | 10.120.120.0/24
Green | 130 | N/A
VoIP | 140 | N/A
Table 62 "VLANs for the Ethernet Routing Switch 5510" (page 387) summarizes the VLANs for the Ethernet Routing Switch 5510.
Table 62
VLANs for the Ethernet Routing Switch 5510
VLAN | VLAN ID | Yellow subnet
Red | 210 | N/A
Yellow | 220 | 10.120.120.0/24
Green | 230 | N/A
VoIP | 240 | N/A
ATTENTION  
The management VLAN ID is the default (VLAN ID 1).  
Steps  
Configure the network DNS server  
Create a forward lookup zone for the Nortel SNAS domain (see Figure 24 "DNS Forward Lookup configuration"). In this example, a forward lookup zone called sac.com has been created.
Figure 24  
DNS Forward Lookup configuration  
Configure the network DHCP server  
To configure a DHCP scope using the New Scope Wizard (Windows 2000 server):
Step  Action
1     Log in to the server using the administrator username and password.
2     Run the DHCP admin utility (Start > Programs > Administrative Tools > DHCP).
3     Create a new DHCP scope (see Figure 25 "Creating a new DHCP scope").
      Figure 25
      Creating a new DHCP scope
4     Enter a descriptive name to identify the new scope (see Figure 26 "Naming the new DHCP scope").
      In this example, you are creating a DHCP scope for the Red VLAN on the Ethernet Routing Switch 8300. The scope start address for the VLAN is 10.110.110.5 and the end address is 10.110.110.25. The scope you create must have a range of IP addresses that is large enough to accommodate all endpoint devices in your network.
      Figure 26
      Naming the new DHCP scope
5     Specify the IP address range for the DHCP scope (see Figure 27 "Specifying the IP address range").
      Figure 27
      Specifying the IP address range
6     Select the Yes, I want to configure these options now option button on the Configure DHCP Options window (see Figure 28 "Choosing to configure additional options").
      Figure 28
      Choosing to configure additional options
7     Enter the IP address of the default gateway (see Figure 29 "Specifying the default gateway").
      Figure 29
      Specifying the default gateway
8     Enter the IP address of the DNS server (see Figure 30 "Specifying the DNS server").
      Figure 30
      Specifying the DNS server
      ATTENTION
      In this configuration example, the Nortel SNAS will function as a captive portal. For the Red VLAN scope, the DNS server must be the Nortel SNAS portal Virtual IP address (pVIP). For the Yellow and Green VLAN scopes, enter the IP addresses for the regular DNS servers in your network.
9     Repeat step 3 through step 8 for each Red, Yellow, and Green VLAN in the network.
Figure 31 "After all DHCP scopes have been created" (page 392) shows the DHCP scopes created for use in this example.
Figure 31
After all DHCP scopes have been created
--End--
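The scope rules in the procedure above (lease range inside the VLAN subnet, gateway outside the range, Red VLAN DNS set to the pVIP, Yellow and Green VLANs using the regular DNS servers) can be checked before the scopes are pushed to the DHCP server. The Python below is an added example and not part of the manual: the Red VLAN 110 scope bounds, the pVIP 10.40.40.100 and the DNS server 10.20.20.2 come from this example, while the Red and Green subnets, gateways and the Yellow/Green lease ranges are assumed by the same addressing pattern and labelled as such in the code.

```python
"""Consistency checks for the DHCP scopes of the configuration example
(added example, not from the Nortel manual). Values marked "from the
example" are taken from the text and tables; the rest are assumptions."""
import ipaddress
from dataclasses import dataclass

IPv4 = ipaddress.IPv4Address
PVIP = IPv4("10.40.40.100")       # Nortel SNAS portal VIP (from the example)
NETWORK_DNS = IPv4("10.20.20.2")  # regular DNS server (from the example)


@dataclass(frozen=True)
class Scope:
    name: str
    color: str                       # "red", "yellow", "green" or "voip"
    subnet: ipaddress.IPv4Network
    start: IPv4
    end: IPv4
    gateway: IPv4
    dns: IPv4


def check_scope(scope: Scope) -> list:
    """Return a list of problems; an empty list means the scope is consistent."""
    problems = []
    if scope.start not in scope.subnet or scope.end not in scope.subnet:
        problems.append("lease range is outside the VLAN subnet")
    if scope.start > scope.end:
        problems.append("range start is after range end")
    if scope.gateway not in scope.subnet:
        problems.append("default gateway is outside the VLAN subnet")
    elif scope.start <= scope.gateway <= scope.end:
        problems.append("default gateway lies inside the lease range")
    # Captive-portal rule from the example: Red VLAN clients must resolve
    # names through the pVIP; Yellow and Green use the regular DNS servers.
    if scope.color == "red" and scope.dns != PVIP:
        problems.append("Red scope DNS must be the pVIP")
    if scope.color in ("yellow", "green") and scope.dns == PVIP:
        problems.append(f"{scope.color} scope DNS should be a regular DNS server, not the pVIP")
    return problems


def check_overlaps(scopes: list) -> list:
    """Flag pairs of scopes whose VLAN subnets overlap."""
    found = []
    for i, a in enumerate(scopes):
        for b in scopes[i + 1:]:
            if a.subnet.overlaps(b.subnet):
                found.append(f"{a.name} and {b.name} share address space")
    return found


def net(s: str) -> ipaddress.IPv4Network:
    return ipaddress.IPv4Network(s)


# Scopes for the Ethernet Routing Switch 8300 VLANs in the example.
RED_110 = Scope("Red VLAN 110", "red", net("10.110.110.0/24"),        # subnet assumed
                IPv4("10.110.110.5"), IPv4("10.110.110.25"),          # from the example
                IPv4("10.110.110.1"), PVIP)                           # gateway assumed
YELLOW_120 = Scope("Yellow VLAN 120", "yellow", net("10.120.120.0/24"),  # from Table 61
                   IPv4("10.120.120.5"), IPv4("10.120.120.25"),          # range assumed
                   IPv4("10.120.120.1"), NETWORK_DNS)                    # gateway from Table 60
GREEN_130 = Scope("Green VLAN 130", "green", net("10.130.130.0/24"),  # all assumed
                  IPv4("10.130.130.5"), IPv4("10.130.130.25"),
                  IPv4("10.130.130.1"), NETWORK_DNS)
# A deliberately wrong Red scope: gateway inside the lease range and the
# regular DNS server instead of the pVIP, which breaks the captive-portal
# redirection the example relies on for the Red VLAN.
RED_BAD = Scope("Red VLAN 110 (bad)", "red", net("10.110.110.0/24"),
                IPv4("10.110.110.5"), IPv4("10.110.110.25"),
                IPv4("10.110.110.10"), NETWORK_DNS)

if __name__ == "__main__":
    for s in (RED_110, YELLOW_120, GREEN_130, RED_BAD):
        print(s.name, "->", check_scope(s) or "ok")
    print(check_overlaps([RED_110, YELLOW_120, GREEN_130]) or "no overlaps")
```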
Configure the network core router  
There are no special requirements for the core router in a Nortel SNAS  
network. Refer to the regular documentation for the type of router used  
in your network.  
Step  Action
1     Create the Red, Yellow, Green, VoIP, and Nortel SNAS management VLANs.
2     Assign the VLAN port members.
      Since the edge switches in this example are operating in Layer 2 mode, enable 802.1q tagging on the uplink ports to enable them to participate in multiple VLANs, then add the ports to the applicable VLANs.
3     Create IP interfaces for the VLANs.
4     Since the edge switches are operating in Layer 2 mode, configure DHCP relay agents for the Red, Yellow, Green, and VoIP VLANs.
      Use the applicable show commands on the router to verify that DHCP relay has been activated to reach the correct scope for each VLAN.
--End--
Configure the Ethernet Routing Switch 8300
The configuration procedure is based on the following assumptions:
You are starting with an installed switch that is not currently configured as part of the network.
You have installed Software Release 2.2.8.
You have configured basic switch connectivity.
You have initialized the switch and it is ready to accept configuration.
You have configured devices as described to this point.
Steps
To configure the Ethernet Routing Switch 8300 for the Nortel SNAS network, perform the following steps:
Enabling SSH
Passport-8310:5# config bootconfig flags ssh true
Passport-8310:5# config sys set ssh enable true
Passport-8310:5# config load-module 3DES /flash/P83C2280.IMG
ATTENTION
You have the option of using the AES encryption module, instead of the 3DES module.
Configuring the Nortel SNAS pVIP subnet
Passport-8310:5# config nsna nsnas 10.40.40.0/24 add
Creating port-based VLANs
Passport-8310:5# config vlan 110 create byport 1
Passport-8310:5# config vlan 120 create byport 1
Passport-8310:5# config vlan 130 create byport 1
Passport-8310:5# config vlan 140 create byport 1
Configuring the VoIP VLANs
Passport-8310:5# config vlan 140 nsna color voip
Configuring the Red, Yellow, and Green VLANs
Passport-8310:5# config vlan 110 nsna color red filter-id 310
Passport-8310:5# config vlan 120 nsna color yellow filter-id 320 yellow-subnet-ip 10.120.120.0/24
Passport-8310:5# config vlan 130 nsna color green filter-id 330
Configuring the NSNA uplink filter
Passport-8310:6# config filter acl 100 create ip acl-name "dhcp"
Passport-8310:6/config# filter acl 100 ace 1 create
Passport-8310:6# config filter acl 100 ace 1 action fwd2cpu precedence 1
Passport-8310:6# config filter acl 100 ace 1 ip ipfragment non-fragments
Passport-8310:6# config filter acl 100 ace 1 protocol udp eq any
Passport-8310:6# config filter acl 100 ace 1 port dst-port bootpd-dhcp
Passport-8310:6# config filter acl 100 ace default action permit
Passport-8310:6# config filter acg 100 create 100 acg-name "uplink"
Passport-8310:6# config ethernet <slot/port> filter create 100
Configuring the NSNA ports
Add the uplink port:
Passport-8310:6# config ethernet 1/48 nsna uplink uplink-vlans 110,120,130,140
Add the client ports:
Passport-8310:5# config ethernet 1/16-1/17 nsna dynamic
Enabling NSNA globally
Passport-8310:5# config nsna state enable
Configure the Ethernet Routing Switch 5510
The following configuration example is based on the following assumptions:
You are starting with an installed switch that is not currently configured as part of the network.
You have installed Software Release 4.3.
You have configured basic switch connectivity.
You have initialized the switch and it is ready to accept configuration.
You have configured devices as described to this point.
Steps
To configure the Ethernet Routing Switch 5510 for the Nortel SNAS network, perform the following steps:
Setting the switch IP address
5510-48T(config)# ip address 10.200.200.20 netmask 255.255.255.0
5510-48T(config)# ip default-gateway 10.200.200.10
Configuring SSH
In this example, the assumption is that the Nortel SNAS public key has already been uploaded to the TFTP server (10.20.20.20).
5510-48T(config)# ssh download-auth-key address 10.20.20.20 key-name sac_key.1.pub
5510-48T(config)# ssh
Configuring the Nortel SNAS pVIP subnet
5510-48T(config)# nsna nsnas 10.40.40.0/24
Creating port-based VLANs
5510-48T(config)# vlan create 210 type port
5510-48T(config)# vlan create 220 type port
5510-48T(config)# vlan create 230 type port
5510-48T(config)# vlan create 240 type port
Configuring the VoIP VLANs
5510-48T(config)# nsna vlan 240 color voip
Configuring the Red, Yellow, and Green VLANs
5510-48T(config)# nsna vlan 210 color red filter red
5510-48T(config)# nsna vlan 220 color yellow filter yellow yellow-subnet 10.120.120.0/24
5510-48T(config)# nsna vlan 230 color green filter green
Configuring the login domain controller filters
ATTENTION
This step is optional.
The PC client must be able to access the login domain controller you configure (that is, clients using the login domain controller must be able to ping that controller).
5510-48T(config)# qos nsna classifier name RED dst-ip 10.200.2.12/32 ethertype 0x0800 drop-action disable block wins-prim-sec eval-order 70
5510-48T(config)# qos nsna classifier name RED dst-ip 10.200.224.184/32 ethertype 0x0800 drop-action disable block wins-prim-sec eval-order 71
Configuring the NSNA ports
Add the uplink port:
5510-48T(config)# interface fastEthernet 20
5510-48T(config-if)# nsna uplink vlans 210,220,230,240
5510-48T(config-if)# exit
Add the client ports:
5510-48T(config)# interface fastEthernet 3-5
5510-48T(config-if)# nsna dynamic voip-vlans 240
5510-48T(config-if)# exit
Enabling NSNA globally
5510-48T(config)# nsna enable
Configure the Nortel SNAS  
To configure the Nortel SNAS, perform the following steps:  
Performing initial setup
Establish a serial console connection to the Nortel SNAS device. The Setup utility launches automatically on startup.
Alteon iSD NSNAS
Hardware platform: 4050
Software version: x.x
-------------------------------------------------------
[Setup Menu]
join - Join an existing cluster
new  - Initialize host as a new installation
boot - Boot menu
info - Information menu
exit - Exit [global command, always available]
>> Setup# new
Setup will guide you through the initial configuration.
Enter port number for the management interface [1-4]: 1
Enter IP address for this machine (on management interface): 10.40.40.2
Enter network mask [255.255.255.0]: <mask>
Enter VLAN tag id (or zero for no VLAN) [0]:
Enter default gateway IP address (or blank to skip): 10.40.40.1
Enter the Management IP (MIP) address: 10.40.40.3
Making sure the MIP does not exist...ok
Trying to contact gateway...ok
Enter a timezone or 'select' [select]: America/Los_Angeles
Enter the current date (YYYY-MM-DD) [2005-05-02]:
Enter the current time (HH:MM:SS) [19:14:52]:
Enter NTP server address (or blank to skip):
Enter DNS server address (or blank to skip): 10.20.20.2
Generate new SSH host keys (yes/no) [yes]:
This may take a few seconds...ok
Enter a password for the "admin" user:
Re-enter to confirm:
Run NSNAS quick setup wizard [yes]:
Creating default networks under /cfg/domain #/aaa/network
Enter NSNAS Portal Virtual IP address(pvip): 10.40.40.100
Enter NSNAS Domain name: Domain1
Enter comma separated DNS search list (eg company.com,intranet.company.com):
Create http to https redirect server [no]:
Use restricted (teardown/restricted) action for Nortel Health Agent failure? [yes]:
Create default tunnel guard user [no]: yes
Using 'restricted' action for Nortel Health Agent failure.
User name: nha
User password: nha
Creating client filter 'nha_passed'.
Creating client filter 'nha_failed'.
Creating linkset 'nha_passed'.
Creating linkset 'nha_failed'.
Creating group 'nhauser' with secure access.
Creating extended profile, full access when nha_passed
Enter green vlan id [110]: 130
Creating extended profile, remediation access when nha_failed
Enter yellow vlan id [120]:
Creating user 'nha' in group 'nhauser'.
Initializing system......ok
Setup successful. Relogin to configure.
Completing initial setup
Enable SSH for secure management communications (required for SREM):
>> Main# cfg/sys/adm/ssh on
Enable SRS administration:
>> Main# cfg/sys/adm/srsadmin/ena
Generate and activate the SSH key for communication with the network access devices:
>> Main# cfg/domain #/sshkey/generate
Generating new SSH key, this operation takes a few seconds... done.
Apply to activate.
>> NSNAS SSH key# apply
Create a test SRS rule and specify it for the nhauser group:
>> Group 1# /cfg/domain #/aaa/nha/quick
In the event that the Nortel Health Agent checks fails on a client,
the session can be teardown, or left in restricted mode with limited access.
Which action do you want to use for Nortel Health Agent failure? (teardown/restricted) [restricted]:
Do you want to create a Nortel Health Agent test user? (yes/no) [yes]: no
Using existing nha_passed filter
Using existing nha_failed filter
Using existing nha_passed linkset
Using existing nha_failed linkset
Adding test SRS rule srs-rule-test
This rule check for the presence of the file C:\tunnelguard\tg.txt
Using existing nha_passed filter
Use 'diff' to view pending changes, and 'apply' to commit
>> NHA# ../group #/srs srs-rule-test
>> Group 1# apply
Adding the network access devices
This example adds the Ethernet Routing Switch 8300 manually, and uses the quick switch wizard to add the Ethernet Routing Switch 5510. In both cases, the example assumes that the switch is not reachable when it is added, and the switch public SSH key is therefore not automatically retrieved by the Nortel SNAS.
Adding the Ethernet Routing Switch 8300
Add the switch manually:
>> Main# cfg/domain #/switch 1
Creating Switch 1
Enter name of the switch: Switch1_ERS8300
Enter the type of the switch (ERS8300/ERS5500): ERS8300
Enter IP address of the switch: 10.200.200.5
NSNA communication port[5000]:
Enter VLAN Id of the Red VLAN: 110
Entering: SSH Key menu
Enter username: rwa
Leaving: SSH Key menu
------------------------------------------------------------
[Switch 1 Menu]
name    - Set Switch name
type    - Set Type of the switch
ip      - Set IP address
port    - Set NSNA communication port
hlthchk - Health check intervals for switch
vlan    - Vlan menu
rvid    - Set Red VLAN Id
sshkey  - SSH Key menu
reset   - Reset all the ports on a switch
ena     - Enable switch
dis     - Disable switch
delete  - Remove Switch
Error: Failed to retrieve host key
>> Switch 1# apply
Changes applied successfully.
Export the Nortel SNAS public SSH key to the Ethernet Routing Switch 8300:
>> Switch 1# sshkey/export
Import the public SSH key from the switch:
>> SSH Key# import
Adding the Ethernet Routing Switch 5510
Use the quick switch wizard:
>> Main# cfg/domain #/quick
Enter the type of the switch (ERS8300/ERS5500) [ERS8300]: ERS55
IP address of Switch: 10.200.200.20
NSNA communication port[5000]:
Trying to retrieve fingerprint...failed.
Error: "Failed to retrieve host key"
Do you want to add ssh key? (yes/no) [no]:
Red vlan id of Switch: 210
Creating Switch 2
Use apply to activate the new Switch.
>> domain ##
Export the Nortel SNAS public SSH key to a TFTP server, for manual retrieval by the Ethernet Routing Switch 5500:
>> Main# cfg/domain #/sshkey/export tftp 10.20.20.20 sac_key.1.pub
Import the public SSH key from the switch:
>> Main# cfg/domain #/switch 2/sshkey/import
Mapping the VLANs
This example assumes that the VLANs defined on the Ethernet Routing Switch 8300 (Switch 1) will always be used exclusively by Switch 1, whereas the VLAN IDs for the VLANs defined on the Ethernet Routing Switch 5510 (Switch 2) may be used by other edge switches added to the domain in future. Therefore, the VLAN mappings for Switch 1 are made at the switch-level command, while the VLAN mappings for Switch 2 are made at the domain level.
>> Main# cfg/domain #/switch 1/vlan/add yellow 120
>> Switch Vlan# add green 130
>> Switch Vlan# ../../vlan/add yellow 220
>> Domain Vlan# add green 230
>> Domain Vlan# apply
Changes applied successfully.
Enabling the network access devices
>> Main# cfg/domain #/switch 1/ena
>> Switch 1# ../switch 2/ena
>> Switch 2# apply
Changes applied successfully.
Troubleshooting  
Troubleshooting tips  
This chapter provides troubleshooting tips for the following problems:  
Cannot connect to the Nortel SNAS using Telnet or SSH  
Verify the current configuration  
Connect with a console connection and check that Telnet or SSH access  
to the Nortel SNAS is enabled. By default, remote connections to the  
Nortel SNAS are disabled for security reasons. Enter the command  
/cfg/sys/adm/cur to see whether remote access is enabled for Telnet  
or SSH.  
Enable Telnet or SSH access  
If your security policy permits remote connections to the Nortel  
SNAS, enter the command /cfg/sys/adm/telnet to enable Telnet  
access, or the command /cfg/sys/adm/ssh to enable SSH access. Prefer  
SSH, since Telnet carries the administrator credentials in clear text.  
Apply your configuration changes.  
>> Main# /cfg/sys/adm/ssh  
Current value: off  
Allow SSH CLI access (on/off): on  
>> Administrative Applications# apply  
Changes applied successfully.  
Check the Access List  
If you find that Telnet or SSH access is enabled but you still cannot  
connect to the Nortel SNAS using a Telnet or SSH client, check whether  
any hosts have been added to the Access List. Enter the command  
/cfg/sys/accesslist/list to view the current Access List.  
>> Main# /cfg/sys/accesslist/list  
1: 192.168.128.78, 255.255.255.0  
When Telnet or SSH access is enabled, only those hosts listed in the  
Access List are allowed to access the Nortel SNAS over the network. If  
no hosts have been added to the Access List, this means that any host is  
allowed to access the Nortel SNAS over the network (assuming that Telnet  
or SSH access is enabled).  
If there are entries in the Access List but your host is not listed, use the  
/cfg/sys/accesslist/add command to add the required host to the  
Access List.  
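The following Python script is an added example, not part of the Nortel documentation or software. It parses the output of /cfg/sys/accesslist/list and applies the rule stated above: remote access must be enabled, an empty Access List admits any host, and otherwise the connecting host must fall inside the network of some entry. It also flags a detail worth checking in the sample entry shown: 192.168.128.78 with mask 255.255.255.0 admits the whole 192.168.128.0/24, not one management station; a single host needs the mask 255.255.255.255. The sample Access List text is constructed from the listing on this page.

```python
import ipaddress
import re
from typing import List, Tuple

# Constructed sample: the one entry that /cfg/sys/accesslist/list prints
# in the manual (a host address combined with a /24 mask).
SAMPLE_ACCESS_LIST_OUTPUT = "1: 192.168.128.78, 255.255.255.0\n"

# "<index>: <network address>, <netmask>"
ENTRY_RE = re.compile(r"^\s*\d+:\s*(\S+),\s*(\S+)\s*$")


def parse_accesslist_output(text: str) -> List[Tuple[str, str]]:
    """Turn the CLI listing into (network address, netmask) pairs."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def effective_network(addr: str, mask: str) -> ipaddress.IPv4Network:
    """Return the network an entry really matches.

    strict=False masks off any host bits, so an entry typed as
    192.168.128.78 / 255.255.255.0 resolves to 192.168.128.0/24.
    """
    return ipaddress.IPv4Network((addr, mask), strict=False)


def host_allowed(host: str, entries: List[Tuple[str, str]],
                 remote_access_enabled: bool = True) -> bool:
    """Mirror the manual's rule for Telnet/SSH reachability."""
    if not remote_access_enabled:
        return False
    if not entries:
        # An empty Access List places no restriction on source hosts.
        return True
    ip = ipaddress.IPv4Address(host)
    return any(ip in effective_network(a, m) for a, m in entries)


def entries_wider_than_host(entries: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Entries whose mask admits more than the single address written.

    Usually an oversight when the intent was to allow one management host.
    """
    return [(a, m) for a, m in entries
            if effective_network(a, m).num_addresses > 1]


if __name__ == "__main__":
    acl = parse_accesslist_output(SAMPLE_ACCESS_LIST_OUTPUT)
    for a, m in acl:
        print(f"{a}/{m} actually covers {effective_network(a, m)}")
    print("192.168.128.10 allowed:", host_allowed("192.168.128.10", acl))
    print("10.0.0.5 allowed:", host_allowed("10.0.0.5", acl))
    print("entries wider than one host:", entries_wider_than_host(acl))
```

Run the script against a pasted listing before adding your own station with /cfg/sys/accesslist/add; if entries_wider_than_host returns anything, decide whether that network really should be able to reach the management interface.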
Check the IP address configuration  
If your host is allowed to access the Nortel SNAS over the network  
according to the Access List, check that you have configured the correct  
IP addresses on the Nortel SNAS.  
Ensure that you ping the host IP address (RIP) of the Nortel SNAS, and  
not the Management IP address (MIP) of the cluster in which the Nortel  
SNAS is a member. Enter the command /cfg/cur sys to view IP  
address information for all Nortel SNAS devices in the cluster.  
If the IP address assigned to the Nortel SNAS is correct, you may have a  
routing problem. Try to run traceroute (a global command available  
at any menu prompt) or the tcpdump command (or some other network  
analysis tool) to locate the problem. For more information about the  
tcpdump command, see “Tracing SSL traffic” (page 99).  
If this does not help you to solve the problem, contact Nortel for technical  
Cannot add the Nortel SNAS to a cluster  
When you try to add a Nortel SNAS device to a cluster by selecting join  
in the Setup menu, you may receive an error message stating that the  
system is running an incompatible software version.  
The incompatible software version referred to in the error message is  
the software that is running on the Nortel SNAS device you are trying to  
add to the cluster. This error message is displayed whenever the Nortel  
SNAS you are trying to add has a different software version from the  
Nortel SNAS device already in the cluster. In this situation, do one of the  
following:  
Adjust the software version on the Nortel SNAS device you are trying  
to add to the cluster, to synchronize it with the software version running  
on the Nortel SNAS device already in the cluster. You can verify  
software versions by typing the command /boot/software/cur.  
The active software version is indicated as permanent.  
To adjust the software version on the Nortel SNAS device you want to  
add to the cluster, you must either upgrade to a newer software version  
or revert to an older software version. In either case, perform the steps  
described in “Reinstalling the software” (page 372). After you adjust  
the software version, log on as the Administrator user and select join  
from the Setup menu.  
Upgrade the software version running on the Nortel SNAS device in  
the cluster to the same version as running on the Nortel SNAS you  
want to add to the cluster. Perform the steps described in “Performing  
SNAS device by selecting join from the Setup menu.  
Cannot contact the MIP  
When you try to add a Nortel SNAS to a cluster by selecting join in the  
Setup menu, you may receive an error message stating that the system is  
unable to contact the Management IP address (MIP).  
The problem may be that there are existing entries in the Access List.  
When Telnet or SSH access is enabled, only those hosts listed in the  
Access List are allowed to access the Nortel SNAS over the network. If  
no hosts have been added to the Access List, this means that any host is  
allowed to access the Nortel SNAS over the network (assuming that Telnet  
or SSH access is enabled).  
If the Access List contains entries, add the Interface 1 IP addresses of  
both Nortel SNAS devices as well as the MIP to the Access List before  
you attempt the join.  
Check the Access List  
On the existing Nortel SNAS device in the cluster, check whether  
any hosts have been added to the Access List. Enter the command  
/cfg/sys/accesslist/list to view the current Access List.  
>> Main# /cfg/sys/accesslist/list  
1: 192.168.128.78, 255.255.255.0  
Add Interface 1 IP addresses and the MIP to the Access List  
Use the /cfg/cur sys command to view the Host Interface 1 IP address  
for the existing Nortel SNAS. Then use the /cfg/sys/accesslist/add  
command to add this IP address, the Interface 1 IP address you intend to  
use for the new Nortel SNAS, and the MIP to the Access List.  
>> Main# /cfg/sys/accesslist/add  
Enter network address: <IP address>  
Enter netmask: <network mask>  
Try again to add the Nortel SNAS to the cluster using the join command  
in the Setup menu.  
The Nortel SNAS stops responding  
Telnet or SSH connection to the MIP  
When you are connected to a cluster of Nortel SNAS devices through a  
Telnet or SSH connection to the MIP, your connection to the cluster can  
be maintained as long as at least one Nortel SNAS device in the cluster is  
up and running. However, if the particular Nortel SNAS that currently is in  
control of the MIP stops responding while you are connected, you must  
close down your Telnet or SSH connection and reconnect to the MIP.  
After you reconnect, use the /info/contlist command to view  
the operational status of all Nortel SNAS devices in the cluster. If the  
operational status of one of the Nortel SNAS devices is indicated as down,  
reboot that machine: On the Nortel SNAS device, press the Power button  
on the back panel to turn the machine off, wait until the fan comes to a  
standstill, and then press the Power button again to turn the machine on.  
Log on as the Administrator user when the logon prompt appears and  
check the operational status again.  
Console connection  
If you are connected to a particular Nortel SNAS device through a console  
connection and the device stops responding, press the key combination  
Ctrl+^, then press Enter. This takes you back to the login prompt. Log on  
as the Administrator user and check the operational status of the Nortel  
SNAS. Enter the command /info/contlist to view the operational  
status of the device.  
If the operational status of the Nortel SNAS is indicated as down, try  
rebooting the device by typing the command /boot/reboot. You will be  
asked to confirm your action before the actual reboot is performed. Log on  
as the Administrator user and again use the /info/contlist command  
to check if the operational status of the Nortel SNAS is now up.  
If the operational status of the Nortel SNAS is still down, reboot the  
machine. On the device, press the Power button on the back panel to turn  
the machine off, wait until the fan comes to a standstill, and then press the  
Power button again to turn the machine on. Log on as the Administrator  
user when the login prompt appears.  
A user password is lost  
There are four types of system user passwords:  
Administrator user password  
If you have lost the Administrator user password the only way to regain  
access to the Nortel SNAS as the Administrator user is to reinstall the  
software, using a console connection as the Boot user.  
For more information, see “Reinstalling the software” (page 372).  
Operator user password  
If you have lost the Operator user password, log on as the Administrator  
user and define a new Operator user password. Only the Administrator  
user can change the Operator user password.  
Root user password  
If you have lost the Root user password, log on as the Administrator user  
and define a new Root user password. Only the Administrator user can  
change the Root user password. For more information, see Changing  
Boot user password  
The default Boot user password cannot be changed, and can therefore  
never really be lost. If you have forgotten the Boot user password, see  
The reason the Boot user password cannot be changed is that, if you lost  
both the Administrator password and the Boot user password, the Nortel  
SNAS would be rendered completely inaccessible to all users except the  
Operator, who does not have rights to make configuration changes.  
Nortel does not treat the fixed Boot user password as a security  
concern because the Boot user can only access the Nortel SNAS through  
a console connection over a serial cable. This assumes that the Nortel  
SNAS device is installed in a server room with restricted physical access.  
A user fails to connect to the Nortel SNAS domain  
The following are common reasons why a user may have difficulty  
authenticating to the Nortel SNAS domain or why a client connection  
cannot be established.  
The user name or password is wrong.  
The configured authentication server cannot be reached.  
The group name retrieved from the authentication server does not exist  
on the Nortel SNAS.  
Trace tools  
Use the /maint/starttrace command to trace the different steps  
involved in a specific process, such as authorization.  
>> Main# maint/starttrace  
Enter tags (list of all,aaa,dhcp,dns,ssl,tg,snas,patchlink,radius,nap) [all]: aaa,ssl  
Enter Domain (or 0 for all Domains) [0]:  
Output mode (interactive/tftp/ftp/sftp) [interactive]:  
For more information about the starttrace command, the tags you can  
specify for the trace, and the available output modes, see “Performing  
sample output for the various tags.  
Table 63  
Sample output for the trace command  

Tag: aaa  
Description: Logs authentication method, user name, group, and profile.  
Sample output:  
>> Maintenance#  
12:54:08.875111: Trace started  
12:54:28.834571 10.1.82.145 (1) aaa: "local user db Accept 1:john with groups ["trusted"]"  
12:54:28.835144 10.1.82.145 (1) aaa: "final groups for user: john groups: trusted:<base> "  
12:54:29.917926 10.1.82.145 (1) aaa: "new groups for user: john groups: trusted:<base> "  
>> Maintenance#  

Tag: dns  
Description: Logs failed DNS lookups made during a session.  
Sample output:  
13:00:09.868682 10.1.82.145 (1) dns: "Failed to lookup www.example.com in DNS (DNS domain name does not exist)"  
>> Maintenance#  

Tag: ssl  
Description: Logs information related to the SSL handshake procedure (for example, the cipher used).  
Sample output:  
13:15:55.985432: Trace started  
13:16:26.808831 10.1.82.145 (1) ssl: "SSL accept done, cipher is RC4-MD5"  
13:16:28.802199 10.1.82.145 (1) ssl: "SSL accept done, cipher is RC4-MD5"  
13:16:29.012856 10.1.82.145 (1) ssl: "SSL accept done, cipher is RC4-MD5"  
>> Maintenance#  

Tag: nha  
Description: Logs information related to a Nortel Health Agent check (for example, SRS rule check result).  
Sample output:  
13:27:50.715545: Trace started  
13:27:54.976137 10.1.82.145 (1) nha: "ssl user john[192.168.128.19] - starting Nortel Health Agent ssl session"  
13:28:17.204049 10.1.82.145 (1) nha: "ssl user john[192.168.128.19] - agent authentication ok"  
13:28:18.807447 10.1.82.145 (1) nha: "user john[192.168.128.19] - SRS checks ok, open session"  
To disable tracing, press Enter to display the Maintenance menu prompt,  
then enter stoptrace.  
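The trace lines in Table 63 share one shape: a timestamp, the client address, the domain number in parentheses, the tag, and a quoted message. The Python script below is an added example, not Nortel code, that parses saved starttrace output into records and runs a few checks a security reviewer would want: which users the aaa tag accepted and into which groups, which DNS lookups failed, and which SSL handshakes negotiated a cipher that should no longer be accepted (the sample in Table 63 shows RC4-MD5). The sample trace text is constructed from the lines on this page; the list of weak cipher markers is the author's, not a Nortel setting.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample: trace lines in the shape shown in Table 63.
SAMPLE_TRACE = """\
12:54:08.875111: Trace started
12:54:28.834571 10.1.82.145 (1) aaa: "local user db Accept 1:john with groups ["trusted"]"
12:54:28.835144 10.1.82.145 (1) aaa: "final groups for user: john groups: trusted:<base> "
13:00:09.868682 10.1.82.145 (1) dns: "Failed to lookup www.example.com in DNS (DNS domain name does not exist)"
13:16:26.808831 10.1.82.145 (1) ssl: "SSL accept done, cipher is RC4-MD5"
13:27:54.976137 10.1.82.145 (1) nha: "ssl user john[192.168.128.19] - starting Nortel Health Agent ssl session"
13:28:18.807447 10.1.82.145 (1) nha: "user john[192.168.128.19] - SRS checks ok, open session"
"""

# <time> <client address> (<domain>) <tag>: "<message>"
LINE_RE = re.compile(
    r'^(?P<time>\d{2}:\d{2}:\d{2}\.\d+)\s+(?P<host>\d+\.\d+\.\d+\.\d+)\s+'
    r'\((?P<domain>\d+)\)\s+(?P<tag>[a-z]+):\s+"(?P<msg>.*)"\s*$')

# Cipher name fragments that indicate an obsolete suite (author's list).
WEAK_CIPHER_MARKERS = ("RC4", "MD5", "DES", "EXP", "NULL")
CIPHER_RE = re.compile(r"cipher is (?P<cipher>[A-Za-z0-9_-]+)")


@dataclass
class TraceEvent:
    time: str
    host: str
    domain: int
    tag: str
    msg: str


def parse_trace(text: str) -> List[TraceEvent]:
    """Parse starttrace output; control lines such as 'Trace started'
    carry no tag and are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(TraceEvent(m["time"], m["host"], int(m["domain"]),
                                     m["tag"], m["msg"]))
    return events


def weak_ciphers(events: List[TraceEvent]) -> List[Tuple[str, str]]:
    """(time, cipher) for every ssl handshake that used a weak suite."""
    hits = []
    for ev in events:
        if ev.tag != "ssl":
            continue
        m = CIPHER_RE.search(ev.msg)
        if m and any(mark in m["cipher"].upper() for mark in WEAK_CIPHER_MARKERS):
            hits.append((ev.time, m["cipher"]))
    return hits


def failed_dns_lookups(events: List[TraceEvent]) -> List[str]:
    return [ev.msg for ev in events
            if ev.tag == "dns" and "Failed to lookup" in ev.msg]


def accepted_users(events: List[TraceEvent]) -> Dict[str, List[str]]:
    """Map user name to final groups from the aaa 'final groups' lines."""
    result = {}
    for ev in events:
        if ev.tag == "aaa" and ev.msg.startswith("final groups for user:"):
            rest = ev.msg.split("final groups for user:", 1)[1]
            user, groups = rest.split("groups:", 1)
            result[user.strip()] = groups.split()
    return result


if __name__ == "__main__":
    evs = parse_trace(SAMPLE_TRACE)
    print("accepted users:", accepted_users(evs))
    print("failed DNS lookups:", failed_dns_lookups(evs))
    print("weak ciphers negotiated:", weak_ciphers(evs))
```

When the trace is written to a TFTP/FTP/SFTP server instead of the interactive console, point parse_trace at the saved file; the interactive ">> Maintenance#" prompts do not match LINE_RE and are ignored.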
System diagnostics  
The following are useful diagnostic display commands. For more  
information about the commands, use the alphabetical listings in “CLI  
reference” (page 413) to cross-reference to where the commands are  
described in more detail in this guide.  
Installed certificates  
To view the currently installed certificates, enter the following command:  
>> Main# /info/certs  
To view detailed information about a specific certificate, access the  
Certificate menu and specify the desired certificate by its index number:  
>> Main# /cfg/cert  
Enter certificate number: (1-) <certificate number by index>  
>> Certificate 1# show  
Network diagnostics  
To check if the Nortel SNAS is able to contact configured network access  
devices, routers, DNS servers, authentication servers, and IP addresses or  
domain names specified in group links, use the following command:  
>> Main# /maint/chkcfg  
The screen output provides information about each configured network  
element and shows whether the network test was successful or not. The  
method used to check the connection (for example, ping) is also displayed.  
To check network settings for a specific Nortel SNAS, access the Cluster  
Host menu by typing the following commands:  
>> Main# /cfg/sys/host <host by index number>  
>> Cluster Host 1# cur  
To check general network settings related to the cluster to which you have  
connected, enter the following command:  
>> Main# /cfg/sys/cur  
The screen output provides information about the MIP, DNS servers,  
Nortel SNAS hosts in the cluster, syslog servers, and NTP servers.  
To check if the Nortel SNAS is getting network traffic, enter the following  
command:  
>> Main# /stats/dump  
The screen output provides information about currently active request  
sessions, total completed request sessions, and SSL statistics for  
configured virtual SSL servers.  
To check statistics for the local Ethernet network interface card, enter the  
following command:  
>> Main# /info/ethernet  
The screen output provides information about the total number of received  
and transmitted packets, the number of errors when receiving and  
transmitting packets, and the type of error (such as dropped packets,  
overrun packets, malformed packets, packet collisions, and lack of carrier).  
To check if a virtual server (on the Nortel SNAS) is working, enter the  
following command at any menu prompt:  
>> Main# ping <IP address of virtual server>  
To capture and analyze TCP traffic between clients and the virtual SSL  
server, enter the following command:  
>> Main# /cfg/domain #/server/trace/tcpdump  
To capture and analyze decrypted SSL traffic sent between clients and the  
portal server, enter the following command:  
>> Main# /cfg/domain #/server/trace/ssldump  
Active alarms and the events log file  
To view an alarm that has been triggered and is active, enter the following  
command:  
>> Main# /info/events/alarms  
To save the events log file to an FTP/TFTP/SFTP server, enter the  
following command:  
>> Main# /info/events/download  
You must provide the IP address or host name of the FTP/TFTP/SFTP  
server, as well as a file name. After the events log file has been saved,  
connect to the FTP/TFTP/SFTP server and examine the contents of the  
file.  
Error log files  
If you have configured the Nortel SNAS to use a syslog server, the Nortel  
SNAS sends log messages to the specified syslog server. For information  
about configuring a UNIX Syslog daemon, see the Syslog manpages  
under UNIX. For information about configuring the Nortel SNAS to use a  
You can also use the /maint/dumplogs command. The command  
collects system log file information from the Nortel SNAS to which you  
are connected (or, optionally, all Nortel SNAS devices in the cluster) and  
sends the information to a file in the gzip compressed tar format on the  
TFTP/FTP/SFTP server you specify. The information can then be used  
for technical support purposes. The file sent to the TFTP/FTP/SFTP  
server does not contain any sensitive information related to the system  
configuration, such as certificates or private keys.  
Appendix  
CLI reference  
The command line interface (CLI) allows you to view system information  
and statistics. The Administrator can use the CLI for configuring the Nortel  
SNAS system, software, and individual devices in the system.  
Using the CLI  
CLI commands are grouped into a series of menus and submenus (see  
“CLI Main Menu” (page 421)). Each menu contains a list of available  
commands and a summary of each command function.  
You can enter menu commands at the prompt that follows each menu.  
Global commands  
Basic commands are recognized throughout the menu hierarchy. Use the  
global commands in Table 64 "Global commands" (page 414) to obtain  
online help, navigate through menus, and apply and save configuration  
changes.  
Table 64  
Global commands  

help  
    Display a summary of the global commands.  
help <command>  
    Display help on a specific command in the command line interface.  
.  
    Display the current menu.  
print  
    Display the current menu.  
..  
    Go up one level in the menu structure.  
up  
    Go up one level in the menu structure.  
/  
    Placed at the beginning of a command, returns to the Main menu.  
    Placed within a command string, the character separates multiple  
    commands on the same line.  
cd "<menu/path>"  
    Display the menu indicated within quotation marks. TIP: Type  
    cd "/cfg/sys" at any prompt in the CLI to go to the System menu.  
    You can also type /cfg/sys (no quotation marks) at any menu prompt  
    to go to the System menu.  
pwd  
    Display the command path used to reach the current menu.  
apply  
    Apply pending configuration changes.  
diff  
    Show any pending configuration changes.  
revert  
    Discard pending configuration changes, that is, changes made since the  
    most recent apply command, and restore the applied values.  
paste  
    Restore a saved configuration that includes private keys. TIP: Before  
    you paste the configuration, you must provide the password phrase you  
    specified when you chose to include the private keys in the  
    configuration dump. For more information, see the dump command.  
exit  
    Terminate the current session and log out. TIP: You are notified if  
    there are unapplied (pending) configuration changes when you execute  
    the exit command. Pending configuration changes are lost if you log  
    out without executing the apply command.  
quit  
    Terminate the current session and log out. TIP: You are notified if  
    there are unapplied (pending) configuration changes when you execute  
    the quit command. Pending configuration changes are lost if you log  
    out without executing the apply command.  
Ctrl+^  
    Exit from the command line interface if the Nortel Secure Network  
    Access Switch has stopped responding. TIP: Use this command only when  
    you are connected to a specific Nortel Secure Network Access Switch  
    through a console connection. Do not use this command when connected  
    to the Management IP of the cluster through a Telnet or SSH connection.  
netstat  
    Show the current network status of the Nortel Secure Network Access  
    Switch. The netstat command provides information about active TCP  
    connections, the state of all TCP/IP servers, and the sockets the  
    servers use.  
nslookup  
    Find the IP address or host name of a machine. TIP: To use the  
    nslookup command, the Nortel Secure Network Access Switch must be  
    configured to use a DNS server.  
ping <IPaddr or host name>  
    Verify station-to-station connectivity across the network. TIP: You  
    can specify an IP address or host name in the command. To specify  
    host names, you must configure the DNS parameters.  
traceroute <IPaddr or host name>  
    Identify the route used for station-to-station connectivity across  
    the network. TIP: You can specify an IP address or host name of the  
    target station in the command. To specify host names, you must  
    configure the DNS parameters.  
cur  
    View all the current settings for the active menu. The global command  
    cur can be executed with arguments: cur [<path>] [<depth>].  
curb  
    Obtain a summary of the current settings for the active menu. The  
    global command curb can be executed with arguments:  
    curb [<path>] [<depth>].  
dump  
    Dump the current configuration for the active menu. TIP: You can cut  
    and paste the dumped information into the CLI of another operator at  
    the same menu level. In all Statistics menus, the dump command  
    provides statistics information for the active menu.  
lines <n>  
    Set the number of lines (n) that display on the screen at one time.  
    TIP: The default value is 24 lines. When used without a value, the  
    command displays the current setting.  
verbose <n>  
    Set the level of information displayed on the screen:  
    0 = Quiet: Nothing appears except errors, not even prompts.  
    1 = Normal: Prompts and requested output are shown without menus.  
    2 = Verbose: Everything is shown.  
    TIP: The default level is 2. When used without a value, the command  
    displays the current setting.  
Command line history and editing  
You can use the CLI to retrieve and modify commands entered previously.  
Table 65 "Command line history and editing options" (page 416) describes  
the options that are available globally at the command line.  
Table 65  
Command line history and editing options  

history  
    Display a numbered list of the 10 most recent commands.  
!!  
    Repeat the most recent command.  
! <n>  
    Repeat the nth command shown on the history list.  
popd  
    Return to a position in the menu structure that was bookmarked using  
    the pushd command.  
Ctrl+p  
    Recall the previous command from the history list. TIP: You can also  
    use the up arrow key. You can use this command to step back through  
    the last 10 commands. The recalled command can be executed as is, or  
    edited using the options in this table.  
Ctrl+n  
    Recall the next command from the history list. TIP: You can also use  
    the down arrow key. Use this command to step forward through the next  
    10 commands. The recalled command can be executed as is, or edited  
    using the options in this table.  
Ctrl+a  
    Move the cursor to the beginning of the command line.  
Ctrl+e  
    Move the cursor to the end of the command line.  
Ctrl+b  
    Move the cursor back one position to the left. You can also use the  
    left arrow key.  
Ctrl+f  
    Move the cursor forward one position to the right. You can also use  
    the right arrow key.  
Backspace  
    Erase one character to the left of the cursor position. You can also  
    use the Delete key.  
Ctrl+d  
    Delete one character at the cursor position.  
Ctrl+k  
    Kill (erase) all characters from the cursor position to the end of the  
    command line.  
Ctrl+l  
    Rewrite the most recent command.  
Ctrl+c  
    Abort an ongoing transaction. TIP: Press Ctrl+c when there is no  
    ongoing transaction to display the current menu.  
    ATTENTION: Pressing Ctrl+c does not abort screen output generated by  
    the cur command. Press q to abort the extensive screen output that  
    may result from the cur command.  
Ctrl+u  
    Clear the entire line.  
Other keys  
    Insert new characters at the cursor position.  
CLI shortcuts  
You can use the following CLI command shortcuts:  
Command stacking  
To access a submenu and one of the related menu options, you can type  
multiple commands, separated by forward slashes (/), on a single line.  
For example, to access the list command in the NTP Servers menu from  
the Main menu prompt, use the following keyboard shortcut:  
>> Main# cfg/sys/time/ntp/list  
You can also use command stacking to proceed one or more levels in the  
menu system, and go directly to another submenu and one of the related  
menu options in that submenu.  
For example, to proceed two levels (from the NTP Servers menu to the  
System menu) and then go to the DNS settings menu to access the DNS  
servers menu, use the following command:  
>> NTP Servers# ../../dns/servers  
Command abbreviation  
You can abbreviate most commands.  
To abbreviate a command, type the first characters which distinguish the  
command from the others in the same menu or submenu.  
For example, you can abbreviate the following command:  
>> Main# cfg/sys/time/ntp/list  
to  
>> Main# c/sy/t/n/l  
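The command stacking and abbreviation rules above amount to a small resolver: split the typed string on "/", treat a leading "/" as a restart at the Main menu and ".." as one level up, and expand each remaining token to the unique menu entry that begins with it. The Python below is an added example, not Nortel code, that implements that resolution over a constructed, partial menu tree (MENU_TREE is the author's stand-in for the real hierarchy and contains only the branches the example needs). It shows why an abbreviation such as "a" under /cfg/sys is rejected: both adm and accesslist begin with it.

```python
from typing import Dict, List, Optional, Sequence

# Constructed, partial menu tree standing in for the Nortel SNAS CLI
# hierarchy. None marks a command (leaf); a dict marks a submenu.
Menu = Dict[str, Optional[dict]]
MENU_TREE: Menu = {
    "cfg": {
        "sys": {
            "time": {"ntp": {"list": None, "add": None, "del": None}, "date": None},
            "dns": {"servers": {"list": None, "add": None}},
            "adm": {"telnet": None, "ssh": None, "cur": None},
            "accesslist": {"list": None, "add": None},
        },
        "cert": None,
        "domain": {"quick": None, "switch": None, "vlan": None},
    },
    "info": {"contlist": None, "certs": None, "events": {"alarms": None}},
    "maint": {"starttrace": None, "stoptrace": None, "chkcfg": None},
    "stats": {"dump": None},
    "boot": {"reboot": None, "software": {"cur": None}},
}


class AmbiguousCommand(ValueError):
    """The typed prefix matches more than one entry in the same menu."""


def expand_component(menu: Menu, abbrev: str) -> str:
    """Resolve one token: an exact name wins, otherwise the unique entry
    that starts with the typed prefix."""
    if abbrev in menu:
        return abbrev
    matches = sorted(name for name in menu if name.startswith(abbrev))
    if not matches:
        raise KeyError(f"no command or menu matches {abbrev!r}")
    if len(matches) > 1:
        raise AmbiguousCommand(f"{abbrev!r} matches {matches}")
    return matches[0]


def resolve_path(command: str, cwd: Sequence[str] = ()) -> List[str]:
    """Expand a stacked, abbreviated command (for example 'c/sy/t/n/l')
    into full menu names, starting from the current menu `cwd`.
    A leading '/' restarts at Main; '..' goes up one level."""
    path = [] if command.startswith("/") else list(cwd)
    for token in command.strip("/").split("/"):
        if token == "..":
            if path:
                path.pop()
            continue
        menu: Optional[dict] = MENU_TREE
        for name in path:
            menu = menu[name]
        if menu is None:
            raise KeyError(f"{'/'.join(path)} is a command, not a menu")
        path.append(expand_component(menu, token))
    return path


def is_ambiguous(command: str, cwd: Sequence[str] = ()) -> bool:
    """True when the abbreviation cannot be resolved to a single entry."""
    try:
        resolve_path(command, cwd)
        return False
    except AmbiguousCommand:
        return True


if __name__ == "__main__":
    print("/".join(resolve_path("c/sy/t/n/l")))
    print("/".join(resolve_path("../../dns/servers", cwd=["cfg", "sys", "time", "ntp"])))
    print("cfg/sys/a ambiguous:", is_ambiguous("cfg/sys/a"))
```

The second call in the usage section is the manual's own example of proceeding two levels up from the NTP Servers menu and descending into the DNS servers menu.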
Tab completion  
The Tab key can be used in the following ways:  
To search for CLI commands or options:  
At the menu prompt, type the first character of a command. TIP:  
You can use additional characters to refine the search.  
Press Tab.  
A list of commands that begin with the characters you typed is displayed.  
If only one command matches, that command is completed on the command  
line when you press Tab. Press ENTER to execute the command.  
To display the active menu:  
Ensure that the command line is blank.  
At the menu prompt, press the Tab key.  
Using a submenu name as a command argument  
To display the properties related to a specific submenu, you can include  
the submenu name as an argument to the cur command (at a menu  
prompt one level up from the desired submenu information).  
For example, to display system information at the Configuration menu  
prompt, without descending into the System menu (/cfg/sys), use the  
following command:  
>> Configuration# cur sys  
System:  
Management IP (MIP) address = 192.168.128.211  
iSD Host 1:  
Type of the iSD = master  
IP address = 192.168.128.213  
License =  
IPSEC user sessions: 250  
Secure Service Partitioning  
PortalGuard  
TPS: unlimited  
SSL user sessions: 250  
Default gateway address = 192.168.128.3  
Ports = 1 :  
2
Hardware platform = 3070  
Host Routes:  
No items configured  
Host Interface 1:  
IP address = 192.168.128.213  
Network mask = 255.255.255.0  
VLAN tag id = 0  
Mode = failover  
Primary port = 0  
Interface Ports:  
1
Host Port 1:  
Autonegotiation = on  
If you use the cur command without the sys submenu argument,  
information related to the Configuration menu and all submenus is displayed.  
Using slashes and spaces in commands  
To include a forward slash (/) or a space in a command string, place the  
string containing the slash or space within double quotation marks before  
you execute the command.  
For example, to specify a directory path and file name on the same line as  
the ftp command in the CLI, double quotation marks are required:  
>> Software Management# download ftp 10.0.0.1  
"pub/SSL-5.1.1-upgrade_complete.pkg"  
IP address and network mask formats  
IP addresses and network masks can be expressed in different ways in  
the CLI.  
IP addresses  
IP addresses can be specified in the following ways:  
Dotted decimal notation—specify the IP address as is: 10.0.0.1  
According to the formats below:  
A.B.C.D = A.B.C.D, the equivalent of dotted decimal notation  
A.B.D = A.B.0.D — that is, 10.1.10 translates to 10.1.0.10  
A.D = A.0.0.D — that is, 10.1 translates to 10.0.0.1  
D = 0.0.0.D — that is, 10 translates to 0.0.0.10  
Network masks  
A network mask can be specified in dotted decimal notation or as number  
of bits. Where the network mask is:  
255.0.0.0 it can also be expressed as 8  
255.255.0.0 it can also be expressed as 16  
255.255.255.0 it can also be expressed as 24  
255.255.255.255 it can also be expressed as 32  
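The abbreviated address forms and the two mask notations above are easy to get wrong by hand (10.1 expands to 10.0.0.1, not 10.1.0.0), so here is a small normalizer written for this page as an added example. It is not Nortel code and does not talk to the switch; the function names (expand_ip, normalize_mask, to_interface, is_valid_mask) are my own and the sample inputs are constructed. It goes beyond the listed forms only in that it also rejects dotted-decimal masks whose set bits are not contiguous, which the bit-count notation cannot express.

```python
"""Normalize abbreviated IP addresses and network masks (added example, not Nortel code)."""
import ipaddress

ALL_ONES = 0xFFFFFFFF


def expand_ip(text: str) -> str:
    """Expand the four address forms to dotted decimal:
    A.B.C.D -> A.B.C.D, A.B.D -> A.B.0.D, A.D -> A.0.0.D, D -> 0.0.0.D.
    The rule the four forms share: the first field is the first octet,
    the last field is the last octet, and missing middle octets are zero.
    """
    fields = text.strip().split(".")
    if not 1 <= len(fields) <= 4:
        raise ValueError(f"{text!r}: expected 1 to 4 dotted fields")
    octets = []
    for f in fields:
        if not f.isdigit() or int(f) > 255:
            raise ValueError(f"{text!r}: bad octet {f!r}")
        octets.append(int(f))
    if len(octets) == 1:
        full = [0, 0, 0, octets[0]]
    else:
        middle = octets[1:-1]
        full = [octets[0]] + middle + [0] * (2 - len(middle)) + [octets[-1]]
    return ".".join(map(str, full))


def mask_to_prefix(mask: str) -> int:
    """Dotted-decimal mask -> prefix length; rejects masks that are not a run of
    ones followed by zeros, since the bit-count form cannot express them."""
    value = int(ipaddress.IPv4Address(mask))
    bits = 0
    while bits < 32 and value & (1 << (31 - bits)):
        bits += 1
    if value != (ALL_ONES << (32 - bits)) & ALL_ONES:
        raise ValueError(f"{mask!r}: non-contiguous network mask")
    return bits


def prefix_to_mask(bits: int) -> str:
    """Prefix length -> dotted-decimal mask (8 -> 255.0.0.0, 24 -> 255.255.255.0)."""
    if not 0 <= bits <= 32:
        raise ValueError(f"prefix length {bits} out of range")
    return str(ipaddress.IPv4Address((ALL_ONES << (32 - bits)) & ALL_ONES))


def normalize_mask(text: str) -> str:
    """Accept either CLI form ("24" or "255.255.255.0") and return dotted decimal."""
    text = text.strip()
    bits = int(text) if text.isdigit() else mask_to_prefix(text)
    return prefix_to_mask(bits)


def is_valid_mask(text: str) -> bool:
    """True if text is a mask the CLI notation can express, in either form."""
    try:
        normalize_mask(text)
        return True
    except ValueError:  # ipaddress.AddressValueError is a ValueError too
        return False


def to_interface(addr: str, mask: str) -> ipaddress.IPv4Interface:
    """Combine an address and mask, each in any accepted form, into an IPv4Interface
    so that network membership and host checks can be done on the result."""
    prefix = mask_to_prefix(normalize_mask(mask))
    return ipaddress.IPv4Interface(f"{expand_ip(addr)}/{prefix}")


if __name__ == "__main__":
    for sample in ("10.0.0.1", "10.1.10", "10.1", "10"):  # constructed inputs
        print(f"{sample:>10} -> {expand_ip(sample)}")
    print(to_interface("10.1.10", "24"), to_interface("10.1", "255.255.0.0").network)
```

Run it before typing an abbreviated address into an access list or a static route: the expansion is unambiguous but not intuitive, and a mask typed as a bit count is only equivalent to the dotted form when the dotted form is contiguous.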
Variables  
You can use variables in some commands and features in the Nortel  
SNAS software.  
TIP: Variables included in links are URL encoded. Variables included in  
static texts are not URL encoded.  
Table 66 "Variables" (page 420) describes variables and their use.  
Table 66
Variables
Variable / Use
<var:user>
    Expands to the user name specified when the user logged on to the domain.
<var:password>
    Expands to the password specified when the user logged on to the domain.
<var:group>
    Expands to the group to which the logged on user is a member.
<var:portal>
    Expands to the Portal IP address. TIP: The variable can be included in redirect URLs.
<var:domain>
    Expands to the domain name specified for the authentication method of the logged on user.
<var:method>
    Expands to the access protocol used (http or https).
<var:sslsid>
    Expands to the SSL session ID in binary format.
<md5:...>
    Expands the variable or variables (for example, <md5:<user>:<password>>) and computes an MD5 checksum which is Base 64 encoded. TIP: Can be used when creating dynamic HTTP headers.
<base64:...>
    Expands the variable or variables (for example, <base64:<user>:<password>>) and encodes them using Base 64. TIP: Can be used when creating dynamic HTTP headers.
<var:nhaFailureReason>
    Expands to the Nortel Health Agent rule expression and the Nortel Health Agent rule comment specified for the current SRS rule when a Nortel Health Agent check has failed.
<var:nhaFailureDetail>
    Expands to the software definition comment specified for the current SRS rule, including additional failure details, when a Nortel Health Agent check has failed.
Operator-defined variables
    Custom variables can be created to retrieve the desired values from RADIUS and LDAP databases.
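As an added example (not Nortel's implementation), the following Python module expands a template containing the variables from Table 66 the way the table describes them: <var:...> substitution, the short <user> form inside <md5:...> and <base64:...> exactly as in the page's own example, URL encoding when the template is a link, and none when it is static text. Two assumptions are labelled in the code: the logon session values are constructed placeholders, and the MD5 checksum is taken as the raw 16-byte digest and then Base 64 encoded, since the page does not say whether the digest or its hex form is encoded.

```python
"""Expand portal variables of the <var:...>, <md5:...>, <base64:...> kind (added example, not Nortel code)."""
import base64
import hashlib
from urllib.parse import quote

# Constructed sample logon session; every value is a placeholder, not real data.
SAMPLE_SESSION = {
    "user": "alice",
    "password": "s3cret!",
    "group": "sales & support",
    "domain": "example-domain",  # assumption: placeholder domain name
    "method": "https",
    "portal": "192.0.2.10",      # RFC 5737 documentation address, constructed
}


def _closing_bracket(text: str, start: int) -> int:
    """Index of the '>' that closes the '<' at text[start]; nesting such as
    <md5:<user>:<password>> is honoured by counting depth."""
    depth = 0
    for i in range(start, len(text)):
        if text[i] == "<":
            depth += 1
        elif text[i] == ">":
            depth -= 1
            if depth == 0:
                return i
    raise ValueError("unbalanced '<' in template")


def expand(template: str, session: dict, url_encode: bool = False) -> str:
    """Replace every <...> variable in template.

    url_encode=True models a variable placed in a link (URL encoded, per the TIP);
    False models static text, where the value is inserted as is.
    """
    out, i = [], 0
    while i < len(template):
        if template[i] != "<":
            out.append(template[i])
            i += 1
            continue
        end = _closing_bracket(template, i)
        out.append(_resolve(template[i + 1:end], session, url_encode))
        i = end + 1
    return "".join(out)


def _resolve(body: str, session: dict, url_encode: bool) -> str:
    kind, sep, rest = body.partition(":")
    if sep and kind == "var":
        if rest not in session:
            raise KeyError(f"unknown variable <var:{rest}>")
        value = session[rest]
    elif sep and kind in ("md5", "base64"):
        # Nested variables are expanded first; hash/encoder input is never URL encoded.
        inner = expand(rest, session, url_encode=False).encode("utf-8")
        if kind == "md5":
            inner = hashlib.md5(inner).digest()  # assumption: raw digest is what gets Base 64 encoded
        value = base64.b64encode(inner).decode("ascii")
    elif not sep and body in session:
        value = session[body]  # short <user> form, as used inside <md5:...> on the page
    else:
        raise ValueError(f"unsupported variable <{body}>")
    return quote(value, safe="") if url_encode else value


def dynamic_header(session: dict) -> tuple:
    """A dynamic HTTP header built from the session, the use the TIP in Table 66 describes."""
    return ("Authorization", expand("Basic <base64:<var:user>:<var:password>>", session))


if __name__ == "__main__":
    print(expand("Welcome <var:user> (<var:group>) via <var:method>", SAMPLE_SESSION))
    print(expand("https://<var:portal>/?d=<var:domain>&g=<var:group>", SAMPLE_SESSION, url_encode=True))
    print(dynamic_header(SAMPLE_SESSION))
```

The same template gives different output in a link and in static text only because of the URL-encoding step, which is worth checking whenever a group or user name can contain characters such as spaces or ampersands.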
CLI Main Menu  
The Main menu appears after a successful connection and login. Figure  
32 "CLI main menu" (page 421) represents the Main menu as it appears  
when logged on as Administrator. Note that some of the commands are  
not available when logged on as Operator.  
Figure 32  
CLI main menu  
CLI command reference  
The following CLI menus are accessible from the Main menu:  
Information—provides submenus for displaying information about the  
current status of the Nortel Secure Network Access Switch. For the  
Information menu commands, see “Information menu” (page 422).  
Statistics—provides submenus for displaying Nortel SNAS  
performance statistics. For the Statistics menu commands, see  
Configuration—provides submenus for configuring the Nortel SNAS  
cluster. Some of the commands in the Configuration menu are  
available only when logged on as Administrator. For the Configuration  
Boot—used for upgrading Nortel SNAS software and for rebooting  
Nortel SNAS devices. The Boot menu is accessible only when logged  
on as Administrator. For the Boot menu commands, see “Boot menu”  
Maintenance—used for sending technical support information to  
an external file server. For the Maintenance menu commands, see  
Information menu
The Information menu contains commands used to display current
information about the Nortel SNAS system status and configuration.
Table 67 "Information menu commands" (page 422) lists the Information
menu commands in alphabetical order.
Table 67
Information menu commands
/info
  Parameters/Submenus:
    certs
    sys
    sonmp
    licenses
    kick <user> <addr> <group>
    blacklist
    domain [<domain ID>]
    switches
    dist [<hostid>]
    ip <ipaddr>|<option>
    mac <macaddr>|<option>
    sessions [<domainid> <switchid> [<username-prefix>]]
    groupsessi <groupname>
    dhcp [<list> [<addr> <subnet> <all>]] [<del> [<addr> <subnet> <all>]] <stats>
    snmp-profi
    switch [<domainid>] [<switchid>]
    contlist [<Exclude buffers+cache from mem util: [yes/no]>]
    local
    ethernet
    ports
  Purpose: View current information about system status and the system configuration.
/info/events
  Parameters/Submenus:
    alarms
    download <protocol> <server> <filename>
  Purpose: View active alarms.
/info/logs
  Parameters/Submenus:
    list
    download <protocol> <server> <filename>
  Purpose: View and download log files.
Statistics menu  
The Statistics menu contains commands used to view statistics for the  
Nortel SNAS cluster and individual hosts. Table 68 "Statistics menu  
commands" (page 424) lists the Statistics commands in alphabetical order.  
Table 68
Statistics menu commands
/stats
  Purpose: View performance statistics for the cluster and for individual Nortel SNAS hosts.
/stats/aaa
  Parameters/Submenus:
    total
    isdhost <host ID> <domain ID> dump
  Purpose: View authentication statistics for the Nortel SNAS cluster or for individual Nortel SNAS hosts.
/stats/dump
  Purpose: View all available statistics for the Nortel SNAS cluster.
Configuration menu
The Configuration menu contains commands used to configure the Nortel
SNAS cluster. Table 69 "Configuration menu commands" (page 424) lists the
configuration commands in alphabetical order.
Table 69
Configuration menu commands
/cfg/cert <cert ID>
  Parameters/Submenus:
    name <string>
    cert
    key
    revoke
    gensigned
    request
    sign
    test
    import <protocol> <server> <certfile>
    export
    display [<encrypt private key yes|no> <export pass phrase> <reconfirm export pass phrase>]
    show
    info
    subject
    validate
    keysize
    keyinfo
    del
  Purpose: Manage private keys and certificates and access the Certificate menu.
/cfg/cert <cert ID>/revoke
  Parameters/Submenus:
    add <integer>
    addx <integer>
    del <integer>
    list
    rev
    import <protocol> <server> <file>
    automatic
    url <url>
  Purpose: Access the Revocation menu.
/cfg/cert <cert ID>/revoke/automatic
  Parameters/Submenus:
    authDN <LDAP-Distinguished-Name>
    passwd <password>
    interval <time>
    cacerts
    ena [<enabled|disabled>]
    dis [<enabled|disabled>]
  Purpose: Access the Automatic CRL menu.
/cfg/domain <domain ID>
  Parameters/Submenus:
    name <name>
    pvips <IPaddr>
    aaa
    location
    patchlink
    server
    portal
    linkset
    switch
    snmp-profi
    vlan
    dhcp
    sshkey
    dnscapt
    httpredir
    radius
    nap
    quick
    syslog
    adv
    del
  Purpose: Configure the domain.
/cfg/domain #/aaa/auth <auth ID>
  Parameters/Submenus:
    type radius|ldap|ntlm|siteminder|cleartrust|cert|rsa|local
    name <name>
    display
    radius|ldap|ntlm|siteminder|cleartrust|cert|rsa|local
    adv
    del
  Purpose: Create and configure an authentication method.
/cfg/domain #/aaa/auth <auth ID>/adv
  Parameters/Submenus:
    groupauth <auth IDs>
  Purpose: Configure the current authentication scheme to retrieve user group information from a different authentication scheme.
/cfg/domain #/aaa/auth <auth ID> (for LDAP)
  Purpose: Configure the Nortel SNAS domain to use an external LDAP server for authentication.
/cfg/domain #/aaa/auth <auth ID>/ldap
  Parameters/Submenus:
    servers
    searchbase <DN>
    groupattr <names>
    userattr <names>
    isdbinddn <DN>
    isdbindpas <password>
    ldapmacro
    enaldaps true|false
    ldapscert
    enauserpre true|false
    enacutdoma
    enashortgrp <enable short group format> <auth ID>
    groupsearc
    timeout <interval>
    activedire
    adv
  Purpose: Modify settings for the specific LDAP configuration.
/cfg/domain #/aaa/auth <auth ID>/ldap/activedire
  Parameters/Submenus:
    enaexpired true|false
    expiredgro <group>
    exppasgrou <group name>
    recursivem true|false
  Purpose: Manage clients whose passwords have expired or who need to change their passwords.
/cfg/domain #/aaa/auth <auth ID>/ldap/ldapmacro
  Parameters/Submenus:
    list <name> <attrname> <prefix> <suffix>
    del <index number>
    add <name> <attrname> <prefix> <suffix>
    insert <position> <name> <attrname> <prefix> <suffix>
    move <index number> <new index number>
  Purpose: Configure LDAP macros.
/cfg/domain #/aaa/auth <auth ID>/ldap/servers
  Parameters/Submenus:
    list <ip> <port>
    del <index number>
    add <ip> <port>
    insert <position> <ip> <port>
    move <index number> <new index number>
  Purpose: Manage the LDAP servers used for client authentication in the domain.
/cfg/domain #/aaa/auth <auth ID>/ldap/groupsearc
  Parameters/Submenus:
    groupbase <distinguished-name>
    memberattr <string>
    ena [<enabled|disabled>]
    dis [<enabled|disabled>]
/cfg/domain #/aaa/auth <auth ID>/ldap/adv
  Parameters/Submenus:
    enaxfilter <true|false>
    xfilteratt <string>
    xfilterval <string>
/cfg/domain #/aaa/auth <auth ID> (for local portal database)
  Purpose: Create the Local authentication method.
/cfg/domain #/aaa/auth <auth ID>/local
  Parameters/Submenus:
    add <user name> <password> <group>
    passwd <user name> <password>
    groups <user name> <desired group>
    radattr <add> <list> <del>
    del <user name>
    list <prefix>
    import <protocol> <host> <filename>
    export <protocol> <host> <filename>
  Purpose: Manage client users and their passwords in the local portal database.
/cfg/domain #/aaa/auth <auth ID> (for local MAC database)
  Parameters/Submenus:
    add <MAC address> <user name> <IP type> <dhcp> <static> [<device type> [<PC> <phone> <passive>]] <IP address> <switch IP address> <switch unit> <switch port> <group names> <comments>
    del <MAC address>
    list
    show <mac>
    import <protocol> <host> <filename>
    export <protocol> <host> <filename>
    clear
  Purpose: Manage the local MAC database.
/cfg/domain #/aaa/auth <auth ID> (for RADIUS)
  Purpose: Configure the domain to use an external RADIUS server for authentication.
/cfg/domain #/aaa/auth <auth ID>/radius
  Parameters/Submenus:
    servers
    vendorid <vendor ID>
    vendortype <vendor type>
    domainid <domain ID>
    domaintype <domain type>
    authproto pap|chapv2
    timeout <interval>
    sessiontim
  Purpose: Modify settings for the specific RADIUS configuration.
/cfg/domain #/aaa/auth <auth ID>/radius/servers
  Parameters/Submenus:
    list <ip> <auth_port> <acct_port> <secret>
    del <index number>
    add <ip> <auth_port> <acct_port> <secret>
    insert <position> <ip> <auth_port> <acct_port> <secret>
    move <index number> <new index number>
  Purpose: Manage the RADIUS servers used for client authentication in the domain.
/cfg/domain #/aaa/auth <auth ID>/radius/sessiontim
  Parameters/Submenus:
    vendorid <vendor ID>
    vendortype <vendor type>
    ena [<bool>]
    dis [<bool>]
  Purpose: Configure the Nortel SNAS for session timeout.
/cfg/domain #/aaa/authorder
  Parameters/Submenus:
    <auth ID>[,<auth ID>]
  Purpose: Specify the authentication fallback order.
/cfg/domain #/aaa/defgroup
  Parameters/Submenus:
    <group name>
  Purpose: Create a default group to which users are assigned if they are not associated with a specific group in the authentication database.
/cfg/domain #/aaa/filter <filter ID>
  Parameters/Submenus:
    name <name>
    nha true|false|ignore
    nap true|false|ignore
    patchlink true|false|ignore
    comment <comment>
    del
  Purpose: Configure the client filters, which determine whether extended profile data will be applied to a user.
/cfg/domain #/aaa/group <group ID>
  Parameters/Submenus:
    name <name>
    locations
    radattr
    restrict
    sessionttl
    linkset
    extend <profile ID>
    srs <SRS rule name>
    mactrust <blacklist | bypass | none>
    agentmode <runonce | continuous | never>
    macreg <true | false>
    reguser
    enftype <filter_only | vlan_filter>
    cachepass
    admrights <user> <passwd> <action> <reset>
    syscredent
    comment <comment>
    del
  Purpose: Configure groups on the domain.
/cfg/domain #/aaa/group #/extend [<profile ID>]
  Parameters/Submenus:
    filter <name>
    vlan <ID|name>
    acl <string>
    radattr
    linkset
    del
  Purpose: Configure the extended profiles for a group.
/cfg/domain #/aaa/group #/extend #/linkset
  Parameters/Submenus:
    list <name>
    del <index number>
    add <linkset name>
    insert <position> <linkset name>
    move <index number> <new index number>
  Purpose: Map predefined linksets to an extended profile.
/cfg/domain #/aaa/group #/linkset
  Parameters/Submenus:
    list <name>
    del <index number>
    add <name>
    insert <position> <name>
    move <index number> <new index number>
  Purpose: Map predefined linksets to a group.
/cfg/domain #/aaa/group #/radattr
  Parameters/Submenus:
    list <vendor> <id> <value>
    del <index number>
    add <vendor> <id> <value>
    insert <position> <vendor> <id> <value>
    move <index number> <new index number>
  Purpose: Map predefined RADIUS attributes to a group.
/cfg/domain #/aaa/group #/syscredent
  Parameters/Submenus:
    user <sys_user>
    passwd
    prevuser <sys_user>
    prevpasswd
    actdate <YYYY MM DD HH:MM|NN [s|m|h|d]>
    earlpush <YYYY MM DD HH:MM|NN [s|m|h|d]>
    exprprev
    updclients <bool>
    reset <confirm>
    ena [<true|false>]
    dis [<true|false>]
/cfg/domain #/aaa/group #/cachepass
  Usage: cachepass <true|false>
/cfg/domain #/aaa/radacct
  Parameters/Submenus:
    servers
    domainattr
    ena
    dis
  Purpose: Configure the Nortel SNAS to support RADIUS accounting.
/cfg/domain #/aaa/radacct/servers
  Parameters/Submenus:
    list <ip> <port> <secret>
    del <index number>
    add <ip> <port> <secret>
    insert <position> <ip> <port> <secret>
    move <index number value> <new index number value>
  Purpose: Configure the Nortel SNAS to use external RADIUS accounting servers.
/cfg/domain #/aaa/radacct/domainattr
  Parameters/Submenus:
    vendorid
    vendortype
  Purpose: Configure vendor-specific attributes in order to identify the Nortel SNAS domain.
/cfg/domain #/aaa/nha
  Parameters/Submenus:
    quick
    recheck <interval>
    heartbeat <interval>
    hbretrycnt <count>
    status-quo on|off
    onflysrs on|off
    desktopage desktopagent <on|off|auto>
    desktopnam Desktop agent shortcut name
    action teardown|restricted
    list
    details on|off
    custscript on|off
    persistoob on|off
    loglevel fatal|error|warning|info|debug
  Purpose: Configure settings for the Nortel Health Agent host integrity check and the check result.
/cfg/domain #/aaa/nha/quick
  Purpose: Configure settings for the SRS rule check using the Nortel Health Agent quick setup wizard.
/cfg/domain #/adv
  Parameters/Submenus:
    interface <integer>
    log <all | login | http | portal | reject>
  Purpose: Map a backend interface to the domain and configure logging options.
/cfg/domain #/del
  Purpose: Remove the current domain from the system configuration.
/cfg/domain #/dhcp
  Parameters/Submenus:
    subnet <number> [<type> [<hub> [<type> <name> <address> <netmask> <phone> <relaygreen> <vlan> <red ranges|stdopts|vendopts> <yellow ranges|stdopts|vendopts> <green ranges|stdopts|vendopts> <ena> <dis> <del>]] [<filter> [<type> <name> <address> <netmask> <known> <unknown> <ena> <dis> <del>]] [<standard> [<type> <name> <address> <netmask> <settings> <ena> <dis> <del>]]]> <name> <address> <netmask>
    stdopts Enter the standard options menu
    vendopts Enter the standard options menu (<number> <name> <value> <del>)
    quick
  Purpose: Configure local DHCP services.
/cfg/domain #/dhcp/subnet
  Parameters/Submenus:
    type
    name
    address
    netmask
    phone <phone signature>
    relaygreen <set external DHCP server>
    vlan <vlan name>
    <red ranges|stdopts|vendopts>
    <yellow ranges|stdopts|vendopts>
    <green ranges|stdopts|vendopts>
    ena [<enabled|disabled>]
    dis [<enabled|disabled>]
    del
  Purpose: Configure local DHCP subnet services.
/cfg/domain #/dnscapt
  Parameters/Submenus:
    exclude
    ena
    dis
  Purpose: Configure the Nortel SNAS portal as a captive portal.
/cfg/domain #/dnscapt/exclude
  Parameters/Submenus:
    list
    del <index name>
    add <domain name>
    insert <index number> <domain name>
    move <index number> <new index number>
  Purpose: Create and manage the Exclude List.
/cfg/domain #/httpredir
  Parameters/Submenus:
    port <integer>
    redir on|off
  Purpose: Configure the domain to automatically redirect HTTP requests to the HTTPS server specified for the domain.
/cfg/domain #/linkset <linkset ID>
  Parameters/Submenus:
    name <name>
    text <text>
    autorun true|false
    link <index>
    del
  Purpose: Create and configure a linkset.
/cfg/domain #/linkset #/link <index>
  Parameters/Submenus:
    move <new index>
    text <text>
    type external
    external
    del
  Purpose: Create and configure the links included in the linkset.
/cfg/domain #/linkset #/link #/external/quick
  Purpose: Launch the wizard to configure settings for a link to an external web page.
/cfg/domain #/portal
  Parameters/Submenus:
    import <protocol> <server> <filename>
    restore
    banner
    redirect <URL>
    logintext <text>
    iconmode clean|fancy
    linktext <text>
    linkurl on|off
    linkcols <columns>
    linkwidth <width>
    companynam <string>
    colors
    content
    lang
    ieclear on|off
  Purpose: Modify the look and feel of the portal page displayed in the client's web browser.
/cfg/domain #/portal/colors
  Parameters/Submenus:
    color1 <code>
    color2 <code>
    color3 <code>
    color4 <code>
    theme default|aqua|apple|jeans|cinnamon|candy
  Purpose: Customize the colors used for the portal display.
/cfg/domain #/portal/content
  Parameters/Submenus:
    import <protocol> <host> <file>
    export <protocol> <host> <filename>
    delete <yes|no>
    available
    show
    ena [<bool>]
    dis [<bool>]
  Purpose: Add custom content, such as Java applets, to the portal.
/cfg/domain #/portal/lang
  Parameters/Submenus:
    setlang <lang>
    charset
    list [<prefix>]
    beconv
  Purpose: Set the preferred language for the portal display.
/cfg/domain #/portal/lang/beconv
  Parameters/Submenus:
    add <protocol smb|ftp> <host>
    del <number>
    list
  Purpose: Configure the backend conversion.
/cfg/domain #/quick
  Purpose: Launch the quick switch setup wizard to add network access devices to the domain.
/cfg/domain #/server
  Parameters/Submenus:
    port <port>
    interface <interface ID>
    dnsname <name>
    trace
    ssl
    adv
  Purpose: Configure the portal server used in the domain.
/cfg/domain #/server/adv/traflog
  Parameters/Submenus:
    sysloghost <IPaddr>
    udpport <port>
    protocol ssl2|ssl3|ssl23|tls1
    priority debug|info|notice
    ena
    dis
  Purpose: Set up a syslog server to receive UDP syslog messages for all HTTP requests handled by the portal server.
/cfg/domain #/server/ssl
  Parameters/Submenus:
    cert <certificate index>
    cachesize <sessions>
    cachettl <ttl>
    cacerts <certificate index>
    cachain <certificate index list>
    protocol ssl2|ssl3|ssl23|tls1
    verify none|optional|required
    ciphers <cipher list>
    ena
    dis
  Purpose: Configure SSL-specific settings for the portal server.
/cfg/domain #/server/trace
  Parameters/Submenus:
    ssldump
    tcpdump
    ping <host>
    dnslookup <host>
    traceroute <host>
  Purpose: Verify connectivity and capture information about SSL and TCP traffic between clients and the portal server.
/cfg/domain #/sshkey
  Parameters/Submenus:
    generate
    show
    export <protocol> <host> <filename>
  Purpose: Generate, view, and export the public SSH key for the domain.
/cfg/domain #/switch <switch ID>
  Parameters/Submenus:
    name <name>
    ip <IPaddr>
    mgmtproto <sscp|sscplite>
    type ERS8300|ERS5500|ERS4500
    port <port>
    hlthchk
    vlan
    rvid <VLAN ID>
    sshkey
    ena
    dis
    delete
  Purpose: Configure the network access devices on the domain.
/cfg/domain #/switch #/dis
  Purpose: Stop communication between the Nortel SNAS and a network access device.
/cfg/domain #/switch #/ena
  Purpose: Restart communication between the Nortel SNAS and a network access device.
/cfg/domain #/switch #/hlthchk
  Parameters/Submenus:
    interval <seconds>
    deadcnt <count>
    sq-int <seconds>
  Purpose: Configure the interval and dead count parameters for the Nortel SNAS health checks and status-quo mode.
/cfg/domain #/switch #/sshkey
  Parameters/Submenus:
    import
    add
    del
    show
    export
    user <user>
  Purpose: Retrieve the public key for the network access devices and export the public key for the domain.
/cfg/domain #/switch #/vlan
  Parameters/Submenus:
    add <name> <VLAN ID>
    del <index>
    list
  Purpose: Manage the VLAN mappings for a specific network access device.
/cfg/domain #/vlan
  Parameters/Submenus:
    add <name> <VLAN ID>
    del <index>
    list
  Purpose: Manage the VLAN mappings for all the network access devices in the domain.
/cfg/dump
  Purpose: Perform a configuration dump.
/cfg/gtcfg
  Parameters/Submenus:
    <protocol> <host> <filename>
  Purpose: Restore the system configuration.
/cfg/lang
  Parameters/Submenus:
    import <protocol> <server> <filename> <code>
    export <protocol> <server> <filename>
    list
    vlist [<letter>]
    del <code>
  Purpose: Manage the language definition files in the system.
/cfg/ptcfg
  Parameters/Submenus:
    <protocol> <host> <filename>
  Purpose: Save the system configuration to a file on a file exchange server.
/cfg/quick
  Purpose: Create a domain using the Nortel SNAS quick setup wizard.
/cfg/sys
  Parameters/Submenus:
    mip <IPaddr>
    host <host ID>
    routes
    time
    dns
    rsa <server ID>
    syslog
    accesslist
    adm
    user
    distrace
  Purpose: View and configure cluster-wide system settings.
/cfg/sys/accesslist
  Parameters/Submenus:
    list
    del <index number>
    add <IPaddr> <mask>
  Purpose: Manage the Access List in order to control Telnet and SSH access to the Nortel SNAS cluster.
/cfg/sys/adm
  Parameters/Submenus:
    snmp
    sonmp on|off
    clitimeout <interval>
    audit
    auth
    abl
    hardenpass
    telnet on|off
    ssh on|off
    srsadmin
    http
    https
    sshkeys
    redist <yes|no>
  Purpose: Configure administrative settings for the system.
/cfg/sys/adm/audit
  Parameters/Submenus:
    servers
    vendorid <vendorid>
    vendortype <vendortype>
    ena
    dis
  Purpose: Configure the Nortel SNAS to support RADIUS auditing.
/cfg/sys/adm/audit/servers
  Parameters/Submenus:
    list <ip> <port> <secret>
    del <index>
    add <ip> <port> <secret>
    insert <position> <ip> <port> <secret>
    move <index number value> <new index number value>
  Purpose: Configure the Nortel SNAS to use external RADIUS audit servers.
/cfg/sys/adm/auth
  Parameters/Submenus:
    servers
    timeout <interval>
    fallback on|off
    ena [<true|false>]
    dis [<true|false>]
  Purpose: Configure the Nortel SNAS to support RADIUS authentication of system users.
/cfg/sys/adm/auth/servers
  Parameters/Submenus:
    list <ip> <port> <secret>
    del <index>
    add <ip> <port> <secret>
    insert <position> <ip> <port> <secret>
    move <index number value> <new index number value>
  Purpose: Configure the Nortel SNAS to use external RADIUS servers to authenticate system users.
/cfg/sys/adm/abl
  Parameters/Submenus:
    users <list> <add> <delete>
    host <list> <add> <delete>
    user_atmpt <attempts/timeperiod>
    host_atmpt <attempts/timeperiod>
    user_perge time period <<integer>[hd]>
    host_perge time period <<integer>[hd]>
    show
    clear
    ena [<true|false>]
    dis [<true|false>]
  Purpose: Configure the Nortel SNAS to support auto blacklisting.
/cfg/sys/adm/hardenpass
  Parameters/Submenus:
    length <integer>
    lowercase <integer>
    uppercase <integer>
    digits <integer>
    others <integer>
    retry <integer>
    ena [<true|false>]
    dis [<true|false>]
  Purpose: Configure the Nortel SNAS to support hardened passwords.
/cfg/sys/adm/http
  Parameters/Submenus:
    port <integer>
    ena [<true|false>]
    dis [<true|false>]
  Purpose: Configure the Nortel SNAS to support http settings.
/cfg/sys/adm/https
  Parameters/Submenus:
    port <integer>
    ena [<true|false>]
    dis [<true|false>]
  Purpose: Configure the Nortel SNAS to support https settings.
/cfg/sys/adm/snmp
  Parameters/Submenus:
    ena [<true|false>]
    dis [<true|false>]
    versions <v1|v2c|v3>
    snmpv2-mib
    community
    users <id>
    target <nr>
    event
  Purpose: Configure SNMP for the Nortel SNAS network and SNMP management of the Nortel SNAS cluster.
/cfg/sys/adm/snmp/community
  Parameters/Submenus:
    read <name>
    write <name>
    trap <name>
  Purpose: Configure the community aspects of SNMP monitoring.
Nortel Secure Network Access Switch  
Using the Command Line Interface  
NN47230-100 03.01 Standard  
28 July 2008  
Copyright © 2007, 2008 Nortel Networks  
Download from Www.Somanuals.com. All Manuals Search And Download.  
.
CLI command reference 445  
Command  
Parameters/Submenus  
Purpose  
/cfg/sys/adm/snmp/event  
addmonitor [-c Comment]  
[-f Freq] [-o OID]* [-b  
|-t | -x ...] Name Oid  
...  
Configure monitors  
and events defined  
in the DISMAN-EVE  
NT-MIB.  
delmonitor <name>  
addevent [-c Comment>]  
Name Notification  
[OID...]  
delevent <name>  
list  
/cfg/sys/adm/snmp/snmpv2-mib  
sysContact <contact>  
Configure  
parameters in the  
standard SNMPv2  
MIB.  
snmpEnable disabled|ena  
bled  
/cfg/sys/adm/snmp/target <target ip <IPaddr>  
Configure  
ID>  
notification targets.  
port <port>  
version v1|v2c|v3  
del  
/cfg/sys/adm/snmp/users <user  
ID>  
name <name>  
Manage SNMPv3  
users in the Nortel  
SNAS configuration.  
seclevel none|auth|priv  
permission get|set|trap  
authproto md5|sha  
authpasswd <password>  
privproto des|aes  
privpasswd <password>  
del  
/cfg/sys/adm/srsadmin  
/cfg/sys/adm/sshkeys  
port <port>  
Configure support  
for managing the  
SRS rules.  
ena  
dis  
generate  
Generate and view  
the SSH keys used  
by all hosts in the  
cluster for secure  
management  
show  
knownhosts  
communications.  
/cfg/sys/adm/sshkeys/knownhosts
  Parameters/Submenus: list; del <index number>; add; import <IPaddr>
  Purpose: Manage the public SSH keys of known remote hosts.
/cfg/sys/dns
  Parameters/Submenus: servers; cachesize <entries>; retransmit <interval>; count <count>; ttl <ttl>; health <interval>; hdown <count>; hup <count>
  Purpose: Configure DNS settings for the cluster.
/cfg/sys/dns/servers
  Parameters/Submenus: list; del <index number>; add <IPaddr>; insert <index number> <IPaddr>; move <index number> <new index number>
  Purpose: Configure the cluster to use external DNS servers.
/cfg/sys/host #/interface #/ports
  Parameters/Submenus: list; del <port>; add <port>
  Purpose: View and manage the ports assigned to an interface.
/cfg/sys/host #/interface #/routes
  Parameters/Submenus: list; del <index number>; add <IPaddr> <mask> <gateway>
  Purpose: Manage static routes for a particular interface.
/cfg/sys/host #/interface <interface ID>
  Parameters/Submenus: ip <IPaddr>; netmask <mask>; gateway <IPaddr>; routes; vlanid <tag>; mode failover|trunking; ports; primary <port>; delete
  Purpose: Configure an IP interface and assign physical ports on a particular Nortel SNAS host.
/cfg/sys/host #/port <port>
  Parameters/Submenus: autoneg on|off; speed <speed>; mode full|half
  Purpose: Configure the connection properties for a port.
/cfg/sys/host #/routes
  Purpose: Manage static routes for a particular Nortel SNAS host when more than one interface is configured.
/cfg/sys/host <host ID>
  Parameters/Submenus: ip <IPaddr>; sysName <name>; sysLocation <location>; license; gateway <IPaddr>; routes; interface <interface number>; port <nr>; ports; hwplatform; halt <confirm>; reboot <confirm>; delete
  Purpose: Configure basic TCP/IP properties for a particular Nortel SNAS device in the cluster.
/cfg/sys/routes
  Purpose: Manage static routes on a cluster-wide level when more than one interface is configured.
/cfg/sys/rsa
  Parameters/Submenus: rsaname <name>; import <protocol> <host> <filename>; rmnodesecr; del
  Purpose: Configure the symbolic name for the RSA server and import the sdconf.rec configuration file.
/cfg/sys/syslog
  Parameters/Submenus: list <ip> <n>; del <index>; add <ip> <n>; insert <position> <ip> <n>; move <index number value> <new index number value>
  Purpose: Configure syslog servers for the cluster.
/cfg/sys/time
  Parameters/Submenus: date <date>; time <time>; tzone <timezone>; ntp
  Purpose: Configure date and time settings for the cluster.
/cfg/sys/time/ntp
  Parameters/Submenus: list <ip>; del <index>; add <ip>
  Purpose: Manage NTP servers used by the system.
/cfg/sys/user
  Parameters/Submenus: passwd; expire <DDdHHhMMmSS>; list; del <username>; add <username>; edit <username>; caphrase
  Purpose: Change the password for the currently logged on user and add or delete user accounts.
/cfg/sys/user/edit <username>
  Parameters/Submenus: groups; cur
  Purpose: Set or change the login password for a specified user and view and manage group assignments.
/cfg/sys/user/edit <username>/groups
  Parameters/Submenus: list; del <group index>; add admin|oper|certadmin
  Purpose: Set or change a user’s group assignment.
Boot menu  
The Boot menu contains commands for management of Nortel SNAS  
software and devices. Table 70 "Boot menu commands" (page 449) lists  
the boot commands in alphabetical order.  
Table 70
Boot menu commands
/boot
  Parameters/Submenus: software; halt <confirm>; reboot <confirm>; delete
  Purpose: Manage Nortel SNAS software and devices.
/boot/software
  Parameters/Submenus: cur <version> <name> <status>; activate <software version>; download <protocol> <host> <fname>; del <confirm>
  Purpose: View, download, and activate software versions for the Nortel SNAS device to which you are connected.
Maintenance menu  
The Maintenance menu contains commands used to perform maintenance and management activities for the system and individual Nortel SNAS devices. Table 71 "Maintenance menu commands" (page 449) lists the Maintenance commands.
Table 71
Maintenance menu commands
/maint
  Parameters/Submenus: log; dumplogs <protocol> <host> <filename> <all-isds?>; dumpstats <protocol> <host> <filename> <all-isds?>; chkcfg list | chkcfg [all-isds |one-isds] [item...][syslog]; starttrace <tags (all|aaa|dhcp|dns|ssl|tg|snas|patchlink|radius|nap)> [<domain ID>]; stoptrace
  Purpose: Check the applied configuration and download log file and system status information for technical support purposes.
/maint/log
  Parameters/Submenus: in-memory <start-log> <stop-log> <displaylog> <clearlog>
Appendix  
Syslog messages  
This appendix contains a list of the syslog messages that are sent from the  
Nortel SNAS to a syslog server, when a syslog server has been added  
to the system configuration. For more information about adding a syslog  
server to the system configuration, see “Configuring syslog servers” (page  
279).  
The syslog messages are presented in two ways: by message type and in alphabetical order.
Syslog messages by message type
The following types of messages occur:
"Operating system (OS) messages" (page 452)
"System Control Process messages" (page 453)
"Traffic Processing Subsystem messages" (page 457)
"AAA subsystem messages" (page 461)
"NSNAS subsystem messages" (page 463)
Operating system (OS) messages  
There are three categories of operating system (OS) messages: EMERG, CRITICAL, and ERROR.
Table 72 "Operating system messages—EMERG" (page 452) lists the EMERG operating system messages.
Table 72
Operating system messages—EMERG

Message: Root filesystem corrupt
Category: EMERG
Explanation/Action: The system cannot boot, but stops with a single-user prompt. fsck failed. Reinstall in order to recover.

Message: Config filesystem corrupt beyond repair
Category: EMERG
Explanation/Action: The system cannot boot, but stops with a single-user prompt. Reinstall in order to recover.

Message: Failed to write to config filesystem
Category: EMERG
Explanation/Action: Probable hardware error. Reinstall.
Table 73 "Operating system messages—CRITICAL" (page 452) lists the operating system CRITICAL messages.
Table 73
Operating system messages—CRITICAL

Message: Config filesystem re-initialized - reinstall required
Category: CRITICAL
Explanation/Action: Reinstall.

Message: Application filesystem corrupt - reinstall required
Category: CRITICAL
Explanation/Action: Reinstall.
Table 74 "Operating system messages—ERROR" (page 453) lists the operating system ERROR messages.
Table 74
Operating system messages—ERROR

Message: Config filesystem corrupt
Category: ERROR
Explanation/Action: Possible loss of configuration. Followed by the message "Config filesystem re-initialized - reinstall required" or "Config filesystem restored from backup".

Message: Missing files in config filesystem
Category: ERROR
Explanation/Action: Possible loss of configuration. Followed by the message "Config filesystem re-initialized - reinstall required" or "Config filesystem restored from backup".

Message: Logs filesystem re-initialized
Category: ERROR
Explanation/Action: Loss of logs.

Message: Root filesystem repaired - rebooting
Category: ERROR
Explanation/Action: fsck found and fixed errors. Probably OK.

Message: Config filesystem restored from backup
Category: ERROR
Explanation/Action: Loss of recent configuration changes.

Message: Rebooting to revert to permanent OS version
Category: ERROR
Explanation/Action: Happens after "Config filesystem re-initialized - reinstall required" or "Config filesystem restored from backup" if a software upgrade is in progress (in other words, on failure at first boot on the new OS version).
System Control Process messages  
There are three categories of System Control Process messages: INFO, ALARM, and EVENT.
Events and alarms are stored in the event log file. You can access the  
event log file by using the /info/events/download command. You  
can view active alarms by using the /info/events/alarms command.  
Table 75 "System control process messages—INFO" (page 454) lists the System Control Process INFO messages.
Table 75
System control process messages—INFO

Message: System started [isdssl-<version>]
Category: INFO
Explanation/Action: Sent whenever the system control process has been (re)started.
About alarm messages  
Alarms are sent at a syslog level corresponding to the alarm severity, as shown in Table 76 "Alarm severity and syslog level correspondence" (page 454).
Table 76
Alarm severity and syslog level correspondence

Alarm severity: CRITICAL; Syslog level: ALERT
Alarm severity: MAJOR; Syslog level: CRITICAL
Alarm severity: MINOR; Syslog level: ERROR
Alarm severity: WARNING; Syslog level: WARNING
Alarm severity: *; Syslog level: ERROR
Alarms are formatted according to the following pattern:  
Id: <alarm sequence number>  
Severity: <severity>  
Name: <name of alarm>  
Time: <date and time of the alarm>
Sender: <sender, e.g. system or the Nortel SNAS device’s IP address>  
Cause: <cause of the alarm>  
Extra: <additional information about the alarm>  
When an alarm is cleared, one of the following messages is sent:  
Alarm Cleared Name="<Name>" Id= "<ID>" Sender="<Sender>"  
Alarm Cleared Id="<ID>"  
Table 77 "System Control Process messages—ALARM" (page 455) lists the System Control Process ALARM messages. To simplify finding the alarm messages, the name parameter is listed first.
Table 77
System Control Process messages—ALARM

Message:
  Name: isd_down
  Sender: <IP>
  Cause: down
  Extra:
  Severity: critical
Category: ALARM
Explanation/Action: A member of the Nortel SNAS cluster is down. This alarm is only sent if the cluster contains more than one Nortel SNAS.

Message:
  Name: single_master
  Sender: system
  Cause: down
  Extra:
  Severity: warning
Category: ALARM
Explanation/Action: Only one master Nortel SNAS in the cluster is up and running.

Message:
  Name: log_open_failed
  Sender: <IP>, event
  Cause and Extra are explanations of the fault.
  Severity: major
Category: ALARM
Explanation/Action: The event log (where all events and alarms are stored) could not be opened.

Message:
  Name: make_software_release_permanent_failed
  Sender: <IP>
  Cause: file_error | not_installed
  Extra: "Detailed info"
  Severity: critical
Category: ALARM
Explanation/Action: Failed to make a new software release permanent after being activated. The system automatically reverts to the previous version.

Message:
  Name: copy_software_release_failed
  Sender: <IP>
  Cause: copy_failed | bad_release_package | no_release_package | unpack_failed
  Extra: "Detailed info"
  Severity: critical
Category: ALARM
Explanation/Action: A Nortel SNAS failed to install a software release while trying to install the same version as all other Nortel SNAS devices in the cluster. The failing Nortel SNAS tries to catch up with the other cluster members, because it was not up and running when the new software version was installed.

Message:
  Name: license
  Sender: license_server
  Cause: license_not_loaded
  Extra: "All iSDs do not have the same license loaded"
  Severity: warning
Category: ALARM
Explanation/Action: All Nortel SNAS devices in the cluster do not have a license containing the same set of licensed features. Check loaded licenses using the /cfg/sys/cur command.

Message:
  Name: license
  Sender: <IP>
  Cause: license_expire_soon
  Extra: "Expires: <TIME>"
  Severity: warning
Category: ALARM
Explanation/Action: The (demo) license loaded to the local Nortel SNAS expires within 7 days. Check loaded licenses using the /cfg/sys/cur command.
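As an added example (not code from the manual), the following Python keeps an active-alarm view from the alarm blocks and "Alarm Cleared" lines described above, mapping alarm severity to syslog level with Table 76. It assumes each alarm reaches the collector as one text block with one field per line; the sample messages are constructed.

```python
"""Parse Nortel SNAS alarm syslog messages and keep an active-alarm view.

Added example; it is not code from the manual. It follows the alarm pattern
(one "Field: value" line each for Id, Severity, Name, Time, Sender, Cause and
Extra) and the two "Alarm Cleared ..." forms, and maps alarm severity to
syslog level with Table 76. Each alarm is assumed to arrive as one text block;
the sample messages below are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Table 76: alarm severity -> syslog level. Severities not in the table
# (the "*" row) map to ERROR.
SEVERITY_TO_SYSLOG = {
    "CRITICAL": "ALERT",
    "MAJOR": "CRITICAL",
    "MINOR": "ERROR",
    "WARNING": "WARNING",
}
DEFAULT_SYSLOG_LEVEL = "ERROR"

# Field order of a raised alarm, as given in the pattern above.
ALARM_FIELDS = ("Id", "Severity", "Name", "Time", "Sender", "Cause", "Extra")

# Both clearing forms: Alarm Cleared Name="..." Id= "..." Sender="..."
# and the short Alarm Cleared Id="..." (the space the manual shows after
# "Id=" is made optional here).
CLEARED_RE = re.compile(
    r'^Alarm Cleared(?: Name="(?P<name>[^"]*)")? Id= ?"(?P<id>[^"]*)"'
    r'(?: Sender="(?P<sender>[^"]*)")?$'
)


@dataclass
class Alarm:
    id: str
    severity: str
    name: str
    time: str
    sender: str
    cause: str
    extra: str

    @property
    def syslog_level(self) -> str:
        """Syslog level this alarm is sent at (Table 76)."""
        return SEVERITY_TO_SYSLOG.get(self.severity.upper(), DEFAULT_SYSLOG_LEVEL)


def parse_alarm(block: str) -> Alarm:
    """Parse one raised-alarm block. Split on the first colon only, because
    the Time value itself contains colons and Extra may be empty."""
    values = {}
    for line in block.strip().splitlines():
        key, sep, value = line.partition(":")
        key = key.strip()
        if not sep or key not in ALARM_FIELDS:
            raise ValueError(f"unexpected alarm line: {line!r}")
        values[key] = value.strip()
    missing = [f for f in ALARM_FIELDS if f not in values]
    if missing:
        raise ValueError(f"alarm block is missing fields: {missing}")
    return Alarm(**{f.lower(): values[f] for f in ALARM_FIELDS})


class AlarmTracker:
    """Active alarms keyed by alarm Id: raised alarms are added and cleared
    alarms removed, approximating what /info/events/alarms would show."""

    def __init__(self) -> None:
        self.active: dict[str, Alarm] = {}

    def feed(self, message: str) -> None:
        cleared = CLEARED_RE.match(message.strip())
        if cleared:
            # Clearing an Id never seen raised (e.g. after a log gap) is not an error.
            self.active.pop(cleared.group("id"), None)
            return
        alarm = parse_alarm(message)
        self.active[alarm.id] = alarm

    def by_level(self, level: str) -> list[Alarm]:
        """Active alarms that were sent at the given syslog level."""
        return [a for a in self.active.values() if a.syslog_level == level]


def replay(messages: list[str]) -> AlarmTracker:
    """Feed a sequence of alarm/clear messages and return the tracker."""
    tracker = AlarmTracker()
    for message in messages:
        tracker.feed(message)
    return tracker


# Constructed sample: three alarms raised, two of them cleared afterwards.
SAMPLE_MESSAGES = [
    "Id: 17\nSeverity: critical\nName: isd_down\nTime: 2008-07-28 10:15:00\n"
    "Sender: 192.0.2.11\nCause: down\nExtra:",
    "Id: 18\nSeverity: warning\nName: single_master\nTime: 2008-07-28 10:15:01\n"
    "Sender: system\nCause: down\nExtra:",
    "Id: 19\nSeverity: major\nName: log_open_failed\nTime: 2008-07-28 10:16:00\n"
    "Sender: 192.0.2.11, event\nCause: open failed\nExtra: permission denied",
    'Alarm Cleared Name="isd_down" Id= "17" Sender="192.0.2.11"',
    'Alarm Cleared Id="19"',
]

if __name__ == "__main__":
    tracker = replay(SAMPLE_MESSAGES)
    for alarm in tracker.active.values():
        print(f"{alarm.id} {alarm.name} severity={alarm.severity} "
              f"syslog={alarm.syslog_level} sender={alarm.sender}")
```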
About event messages  
Events are sent at the NOTICE syslog level. Event messages are  
formatted according to the following pattern:  
Name: <Name>  
Sender: <Sender>  
Extra: <Extra>  
Table 78 "System Control Process messages—EVENT" (page 456) lists the System Control Process EVENT messages.
Table 78
System Control Process messages—EVENT

Message:
  Name: partitioned_network
  Sender and Extra are lower level information.
Category: EVENT
Explanation/Action: Indicates that a Nortel SNAS is recovering from a partitioned network situation.

Message:
  Name: ssi_mipishere
  Sender: ssi
  Extra: <IP>
Category: EVENT
Explanation/Action: Indicates that the Management IP address (MIP) is now located at the Nortel SNAS with the <IP> host IP address.

Message:
  Name: software_configuration_changed
  Sender: system
  Extra: software release version <VSN> <Status>
Category: EVENT
Explanation/Action: Indicates that release <VSN> (version) software status is <Status> (unpacked/installed/permanent).

Message:
  Name: software_release_copying
  Sender: <IP>
  Extra: copy software release <VSN> from other cluster member
Category: EVENT
Explanation/Action: Indicates that <IP> is copying the release <VSN> from another cluster member.

Message:
  Name: software_release_rebooting
  Sender: <IP>
  Extra: reboot with release version <VSN>
Category: EVENT
Explanation/Action: Indicates that a Nortel SNAS (<IP>) is rebooting on a new release (in other words, a Nortel SNAS that was not up and running during the normal installation is now catching up).

Message:
  Name: audit
  Sender: CLI
  Extra: Start <session> <details> | Update <session> <details> | Stop <session> <details>
Category: EVENT
Explanation/Action: Sent when a CLI system administrator enters, exits, or updates the CLI if audit logging is enabled using the /cfg/sys/adm/audit/ena command.

Message:
  Name: license_expired
  Sender: <IP>
Category: EVENT
Explanation/Action: Indicates that the demo license loaded to host <IP> has expired. Check the loaded licenses with /cfg/sys/cur.
Traffic Processing Subsystem messages  
There are four categories of Traffic Processing Subsystem messages: CRITICAL, ERROR, WARNING, and INFO.
Table 79 "Traffic Processing messages—CRITICAL" (page 457) lists the Traffic Processing CRITICAL messages.
Table 79
Traffic Processing messages—CRITICAL

Message: DNS alarm: all dns servers are DOWN
Category: CRITICAL
Explanation/Action: All DNS servers are down. The Nortel SNAS cannot perform any DNS lookups.
Table 80 "Traffic Processing messages—ERROR" (page 457) lists the Traffic Processing ERROR messages.
Table 80
Traffic Processing messages—ERROR

Message: internal error: <no>
Category: ERROR
Explanation/Action: An internal error occurred. Contact support with as much information as possible to reproduce this message.

Message: javascript error: <reason> for: <host><path>
Category: ERROR
Explanation/Action: JavaScript parsing error encountered when parsing content from <host><path>. The problem could be in the Nortel SNAS JavaScript parser, but most likely it is a syntax error in the JavaScript on the page.

Message: vbscript error: <reason> for: <host><path>
Category: ERROR
Explanation/Action: VBScript parsing error encountered when parsing content from <host><path>. The problem could be in the Nortel SNAS VBScript parser, but most likely it is a syntax error in the VBScript on the page.
Message: jscript.encode error: <reason>
Category: ERROR
Explanation/Action: Problem encountered when parsing an encoded JavaScript. The problem could be in the Nortel SNAS JavaScript parser, or it could be a problem on the processed page.

Message: css error: <reason>
Category: ERROR
Explanation/Action: Problem encountered when parsing a style sheet. The problem could be in the Nortel SNAS css parser, or it could be a problem on the processed page.

Message: Failed to syslog traffic :<reason> -- disabling traf log
Category: ERROR
Explanation/Action: Problem occurred when the Nortel SNAS tried to send traffic logging syslog messages. Traffic syslogging was disabled as a result.

Message: www_authenticate: bad credentials
Category: ERROR
Explanation/Action: The browser sent a malformed WWW-Authenticate: credentials header. Most likely a broken client.

Message: http error: <reason>, Request="<method> <host><path>"
Category: ERROR
Explanation/Action: A problem was encountered when parsing the HTTP traffic. The problem indicates either a non-standard client/server or that the Nortel SNAS HTTP parser is out of sync because of an earlier non-standard transaction from the client or server on this TCP stream.

Message: http header warning cli: <reason> (<header>)
Category: ERROR
Explanation/Action: The client sent a bad HTTP header.

Message: http header warning srv: <reason> (<header>)
Category: ERROR
Explanation/Action: The server sent a bad HTTP header.

Message: failed to parse Set-Cookie <header>
Category: ERROR
Explanation/Action: The Nortel SNAS got a malformed Set-Cookie header from the backend web server.

Message: Bad IP:PORT data <line> in hc script
Category: ERROR
Explanation/Action: Bad ip:port found in health check script. Reconfigure the health script. (Normally, the CLI captures this type of problem earlier.)

Message: Bad regexp (<expr>) in health check
Category: ERROR
Explanation/Action: Bad regular expression found in health check script. Reconfigure the health script. (Normally, the CLI captures this type of problem earlier.)
Message: Bad script op found <script op>
Category: ERROR
Explanation/Action: Bad script operation found in health check script. Reconfigure the health script. (Normally, the CLI captures this type of problem earlier.)

Message: Connect failed: <reason>
Category: ERROR
Explanation/Action: Connect to backend server failed with <reason>.

Message: html error: <reason>
Category: ERROR
Explanation/Action: Error encountered when parsing HTML. Probably non-standard HTML.

Message: socks error: <reason>
Category: ERROR
Explanation/Action: Error encountered when parsing the socks traffic from the client. Probably a non-standard socks client.

Message: socks request: socks version <version> rejected
Category: ERROR
Explanation/Action: Socks request of version <version> received and rejected. Most likely a non-standard socks client.

Message: Failed to log to CLI :<reason> -- disabling CLI log
Category: ERROR
Explanation/Action: Failed to send troubleshooting log to CLI. Disabling CLI troubleshooting log.

Message: Can’t bind to local address: <ip>:<port>: <reason>
Category: ERROR
Explanation/Action: Problem encountered when trying to set up virtual server on <ip>:<port>.

Message: Ignoring DNS packet was not from any of the defined names server <ip>:<port>
Category: ERROR
Explanation/Action: Nortel SNAS received reply for non-configured DNS server.
Table 81 "Traffic Processing messages—WARNING" (page 459) lists the Traffic Processing WARNING messages.
Table 81
Traffic Processing messages—WARNING

Message: DNS alarm: all dns servers are DOWN
Category: WARNING
Explanation/Action: All DNS servers are down. The Nortel SNAS cannot perform any DNS lookups.

Message: TPS license limit (<limit>) exceeded
Category: WARNING
Explanation/Action: The transactions per second (TPS) limit has been exceeded.

Message: No PortalGuard license loaded: domain <id> *will* use portal authentication
Category: WARNING
Explanation/Action: The PortalGuard license has not been loaded on the Nortel SNAS.

Message: No Secure Service Partitioning loaded: server <id> *will not* use interface <n>
Category: WARNING
Explanation/Action: The Secure Service Partitioning license has not been loaded on the Nortel SNAS but the server is configured to use a specific interface.
Message: License expired
Category: WARNING
Explanation/Action: The loaded (demo) license on the Nortel SNAS has expired. The Nortel SNAS now uses the default license.

Message: Server <id> uses default interface (interface <n> not configured)
Category: WARNING
Explanation/Action: A specific interface is configured to be used by the server but this interface is not configured on the Nortel SNAS.

Message: IPSEC server <id> uses default interface (interface <n> not configured)
Category: WARNING
Explanation/Action: A specific interface is configured to be used by the IPsec server but this interface is not configured on the Nortel SNAS.
Table 82 "Traffic Processing messages—INFO" (page 460) lists the Traffic Processing INFO messages.
Table 82
Traffic Processing messages—INFO

Message: gzip error: <reason>
Category: INFO
Explanation/Action: Problem encountered when processing compressed content.

Message: gzip warning: <reason>
Category: INFO
Explanation/Action: Problem encountered when processing compressed content.

Message: accept() turned off (<nr>) too many fds
Category: INFO
Explanation/Action: The Nortel SNAS has temporarily stopped accepting new connections. This happens when the Nortel SNAS is overloaded. The Nortel SNAS will start accepting connections once it has finished processing its current sessions.

Message: No cert supplied by backend server
Category: INFO
Explanation/Action: No certificate supplied by backend server when doing SSL connect. Session terminated to backend server.

Message: No CN supplied in server cert <subject>
Category: INFO
Explanation/Action: No CN found in the subject of the certificate supplied by the backend server.

Message: Bad CN supplied in server cert <subject>
Category: INFO
Explanation/Action: Malformed CN found in subject of the certificate supplied by the backend server.

Message: DNS alarm: dns server(s) are UP
Category: INFO
Explanation/Action: At least one DNS server is now up.
Message: HC: backend <ip>:<port> is down
Category: INFO
Explanation/Action: Backend health check detected backend <ip>:<port> to be down.

Message: HC: backend <ip>:<port> is up again
Category: INFO
Explanation/Action: Backend health check detected backend <ip>:<port> to be up.
Start-up messages  
The Traffic Processing Subsystem Start-up messages include the INFO category only. Table 83 "Start-up messages—INFO" (page 461) lists the Start-up messages.
Table 83
Start-up messages—INFO

Message: Loaded <ip>:<port>
Category: INFO
Explanation/Action: Initializing virtual server <ip>:<port>.

Message: Since we use clicerts, force adjust totalcache size to : <size> per server that use clicerts
Category: INFO
Explanation/Action: Generated if the size of the SSL session cache has been modified.

Message: No TPS license limit
Category: INFO
Explanation/Action: Unlimited TPS license used.

Message: Found <size> meg of phys mem
Category: INFO
Explanation/Action: Amount of physical memory found on system.
AAA subsystem messages  
There are two categories of Authentication, Authorization, and Accounting (AAA) subsystem messages: ERROR and INFO. Table 84 "AAA messages—ERROR" (page 461) lists the AAA ERROR messages.
Table 84
AAA messages—ERROR

Message: LDAP backend(s) unreachable Domain=\"<id>\" AuthId=\"<authid>\"
Category: ERROR
Explanation/Action: Indicates LDAP server(s) cannot be reached when a user tries to log in to the portal.
Table 85 "AAA messages—INFO" (page 462) lists the AAA INFO messages. INFO messages are generated only if the CLI command /cfg/domain #/adv/log is enabled.
Table 85
AAA messages—INFO

Log value contains: login
Message: NSNAS LoginSucceeded Domain="<id>" Method=<"ssl"> SrcIp="<ip>" User="<user>" Groups="<groups>"
Category: INFO
Explanation/Action: Logon to the Nortel SNAS domain succeeded. The client’s access method, IP address, user name, and group membership are shown.

Log value contains: login
Message: NSNAS LoginSucceeded Domain="<id>" Method=<"ssl"> SrcIp="<ip>" User="<user>" Groups="<groups>" TunIP="<inner tunnel ip>"
Category: INFO
Explanation/Action: Logon to the Nortel SNAS domain succeeded. The client’s access method, IP address, user name, and group membership are shown, as well as the IP address allocated to the connection between the Nortel SNAS and the destination address (inner tunnel).

Log value contains: login
Message: NSNAS AddressAssigned Domain="<id>" Method=<"ssl"> SrcIp="<ip>" User="<user>" TunIP="<inner tunnel ip>"
Category: INFO
Explanation/Action: Source IP address for the connection between the Nortel SNAS and the destination address (inner tunnel) has been allocated.

Log value contains: login
Message: NSNAS LoginFailed Domain="<id>" Method=<"ssl"> SrcIp="<ip>" [User="<user>"] Error=<error>
Category: INFO
Explanation/Action: Logon to the Nortel SNAS domain failed. The client’s access method, IP address, and user name are shown.

Log value contains: login
Message: NSNAS Logout Domain="<id>" SrcIp="<ip>" User="<user>"
Category: INFO
Explanation/Action: The client, identified by access method and IP address, has logged out from the Nortel SNAS domain.

Log value contains: portal
Message: PORTAL Domain="<id>" User="<user>" Proto="<proto>" Host="<host>" Share="<share>" Path="<path>"
Category: INFO
Explanation/Action: The client has successfully accessed the specified folder/directory on the specified file server requested from the portal’s Files tab.
Log value contains: http
Message: HTTP Domain="<id>" Host="<host>" User="<user>" SrcIP="<ip>" Request="<method> <host> <path>"
Category: INFO
Explanation/Action: The user has successfully accessed the specified web server requested from the portal.

Log value contains: http
Message: HTTP NotLoggedIn Domain="<id>" Host="<host>" SrcIP="<ip>" Request="<method> <host> <path>"
Category: INFO
Explanation/Action: The user was not logged on to the specified web server requested from the portal.

Log value contains: reject
Message: HTTP Rejected Domain="<id>" Host="<host>" User="<user>" SrcIP="<ip>" Request="<method> <host> <path>"
Category: INFO
Explanation/Action: The client failed to access the specified web server requested from the portal.

Log value contains: reject
Message: PORTAL Rejected Domain="<id>" User="<user>" Proto="<proto>" Host="<host>" Share="<share>" Path="<path>"
Category: INFO
Explanation/Action: The client failed to access the specified folder/directory on the specified file server requested from the portal’s Files tab.

Log value contains: reject
Message: SOCKS Rejected Domain="<id>" User="<user>" SrcIP="<ip>" Request="<request>"
Category: INFO
Explanation/Action: The client failed to perform an operation by using one of the features available under the portal’s Advanced tab.
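As an added example (not code from the manual), the following Python parses the key="value" AAA INFO records of Table 85 and counts NSNAS LoginFailed events per source IP, which is the check a defender would run over these records to catch password guessing against the portal. It assumes the syslog priority and timestamp header has already been stripped and that the Method=<"ssl"> placeholder appears as Method="ssl" in a real message; the sample lines are constructed.

```python
"""Parse the key="value" AAA INFO messages and spot repeated login failures.

Added example; it is not code from the manual. It reads the NSNAS
LoginSucceeded / LoginFailed / Logout lines and the HTTP / PORTAL / SOCKS
access and Rejected lines from Table 85, then counts LoginFailed events per
source IP. Assumptions: the syslog priority and timestamp header has already
been stripped, and the Method=<"ssl"> placeholder appears as Method="ssl" in
a real message. The sample lines are constructed.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# One key=value token. Values are normally double-quoted (and may contain
# spaces, e.g. Request="GET host /path"); Error=<error> is taken as bare.
FIELD_RE = re.compile(r'(?P<key>\w+)=(?:"(?P<quoted>[^"]*)"|(?P<bare>\S+))')


@dataclass
class AaaEvent:
    subsystem: str  # NSNAS, HTTP, PORTAL or SOCKS
    kind: str       # LoginSucceeded, LoginFailed, Logout, Rejected, ...;
                    # empty for the plain HTTP/PORTAL success records
    fields: dict    # keys lower-cased, so SrcIp and SrcIP both become "srcip"


def parse_aaa_message(line: str) -> AaaEvent:
    """Split 'NSNAS LoginFailed Domain="1" ... Error=bad_password' into the
    subsystem/event prefix and its key=value fields."""
    first = FIELD_RE.search(line)
    if first is None:
        raise ValueError(f"no key=value fields in message: {line!r}")
    prefix = line[: first.start()].split()
    if not prefix:
        raise ValueError(f"missing subsystem prefix in message: {line!r}")
    fields = {}
    for m in FIELD_RE.finditer(line, first.start()):
        value = m.group("quoted") if m.group("quoted") is not None else m.group("bare")
        fields[m.group("key").lower()] = value
    return AaaEvent(subsystem=prefix[0], kind=" ".join(prefix[1:]), fields=fields)


def failed_logins_by_source(events: list[AaaEvent]) -> Counter:
    """Number of NSNAS LoginFailed events seen per source IP."""
    return Counter(
        e.fields.get("srcip", "<no SrcIp>")
        for e in events
        if e.subsystem == "NSNAS" and e.kind == "LoginFailed"
    )


def repeated_failure_sources(events: list[AaaEvent], threshold: int = 3) -> list[str]:
    """Source IPs with at least `threshold` failed logins, most frequent first.
    A burst of failures from one address is the usual sign of password
    guessing against the portal and is worth an alert."""
    return [ip for ip, n in failed_logins_by_source(events).most_common() if n >= threshold]


def rejected_accesses(events: list[AaaEvent]) -> list[tuple[str, str, str]]:
    """(subsystem, user, source IP) for every HTTP/PORTAL/SOCKS Rejected record."""
    return [
        (e.subsystem, e.fields.get("user", ""), e.fields.get("srcip", ""))
        for e in events
        if e.kind == "Rejected"
    ]


# Constructed sample: one normal session, three failures from one address,
# one rejected web request and one plain success record.
SAMPLE_LINES = [
    'NSNAS LoginSucceeded Domain="1" Method="ssl" SrcIp="198.51.100.7" '
    'User="alice" Groups="staff/default/"',
    'NSNAS LoginFailed Domain="1" Method="ssl" SrcIp="203.0.113.9" User="admin" '
    'Error=bad_password',
    'NSNAS LoginFailed Domain="1" Method="ssl" SrcIp="203.0.113.9" Error=unknown_user',
    'NSNAS LoginFailed Domain="1" Method="ssl" SrcIp="203.0.113.9" User="root" '
    'Error=bad_password',
    'NSNAS Logout Domain="1" SrcIp="198.51.100.7" User="alice"',
    'HTTP Rejected Domain="1" Host="intranet.example" User="alice" '
    'SrcIP="198.51.100.7" Request="GET intranet.example /admin"',
    'HTTP Domain="1" Host="intranet.example" User="alice" SrcIP="198.51.100.7" '
    'Request="GET intranet.example /"',
]

if __name__ == "__main__":
    events = [parse_aaa_message(line) for line in SAMPLE_LINES]
    print("failed logins per source:", dict(failed_logins_by_source(events)))
    print("repeated failure sources:", repeated_failure_sources(events))
    print("rejected accesses:", rejected_accesses(events))
```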
NSNAS subsystem messages  
There are two categories of NSNAS subsystem messages: ERROR and INFO.
Table 86 "NSNAS—ERROR" (page 463) lists the NSNAS ERROR  
messages.  
Table 86
NSNAS—ERROR

Message: Domain:1, Switch: <switchID> ERROR cmd timeout for cmd :<commandID>
Category: ERROR
Explanation/Action: An internal command between the specified switch and the Nortel SNAS timed out. Check connectivity between the switch and the Nortel SNAS.
Table 87 "NSNAS—INFO" (page 464) lists the NSNAS INFO messages.  
Table 87
NSNAS—INFO

Message: [A:B:C:D] NSNA portup
Category: INFO
Explanation/Action: Domain A, switch B, unit C, port D Ethernet link is up.

Message: [A:B:C:D] NSNA portdown
Category: INFO
Explanation/Action: Domain A, switch B, unit C, port D Ethernet link is down.

Message: LoginSucceeded Domain="1" SrcIp="<IPaddr>" Method="ssl" User="<user>" Groups="<group>/<profile>/"
Category: INFO
Explanation/Action: On Domain 1, user "<user>" with IP "<IP>" and belonging to group "<group>/<profile>/" has logged in.

Message: transferring user <user> on Switch="1:<switchID>(<IPaddr>)", Port="<unit/port>" to Vlan="<vlan>(<vlanID>)"
Category: INFO
Explanation/Action: Client device on Domain 1, Switch <switchID> (switch IP address <IPaddr>), Unit <unit>, Port <port> is being moved to the VLAN named <vlan> with VLAN ID <vlanID>.

Message: switch controller:switch [1:<switchID>] – Modified
Category: INFO
Explanation/Action: The CLI configuration of Domain 1, Switch <switchID> has been modified.

Message: switch controller:switch [1:<switchID>] – Disconnected
Category: INFO
Explanation/Action: Switch <switchID> of Domain 1 has disconnected from the NSNAS.

Message: switch controller:switch [1:<switchID>] – Added
Category: INFO
Explanation/Action: Switch <switchID> has been added to Domain 1.

Message: switch controller:switch [1:<switchID>] - Deleted
Category: INFO
Explanation/Action: Switch <switchID> has been deleted from Domain 1.

Message: nhauser: user <username>[<pVIP>] – SRS check failed, restrictingSRS – <SRS rule> <comment> – <item> – <reason>
Category: INFO
Explanation/Action: Nortel Health Agent applet report: The user with user name <username>, logged on to the Nortel SNAS portal with portal Virtual IP address <pVIP>, has failed the SRS rule check, and access is restricted in accordance with the behavior configured for SRS rule failure. To identify the rule, the message includes the <SRS rule> name and additional <comment> information defined for the rule. The message also includes the element of the SRS rule (<item>) that failed and the <reason> (for example, file not found).

Message: nhauser: user <username>[<pVIP>] – SRS checks ok, open session
Category: INFO
Explanation/Action: Nortel Health Agent applet report: The user with user name <username>, logged on to the Nortel SNAS portal with portal Virtual IP address <pVIP>, has passed the SRS rule check and is authorized to start a session in a Green VLAN.
Syslog messages in alphabetical order  
Table 88 "Syslog messages in alphabetical order" (page 465) lists the syslog messages in alphabetical order.
Table 88
Syslog messages in alphabetical order

Message: [A:B:C:D] NSNA portdown
Severity: INFO
Type: NSNAS
Explanation: Domain A, switch B, unit C, port D Ethernet link is down.

Message: [A:B:C:D] NSNA portup
Severity: INFO
Type: NSNAS
Explanation: Domain A, switch B, unit C, port D Ethernet link is up.

Message: accept() turned off (<nr>) too many fds
Severity: INFO
Type: Traffic Processing
Explanation: The Nortel SNAS has temporarily stopped accepting new connections. This will happen when the Nortel SNAS is overloaded. It will start accepting connections once it has finished processing its current sessions.

Message: Application filesystem corrupt - reinstall required
Severity: CRITICAL
Type: OS
Explanation: Reinstall.

Message: audit
Severity: EVENT
Type: System Control
Explanation: Sent when a CLI system administrator enters, exits or updates the CLI if audit logging is enabled using the /cfg/sys/adm/audit/ena command.

Message: Bad CN supplied in server cert <subject>
Severity: INFO
Type: Traffic Processing
Explanation: Malformed CN found in subject of the certificate supplied by the backend server.

Message: Bad IP:PORT data <line> in hc script
Severity: ERROR
Type: Traffic Processing
Explanation: Bad ip:port found in health check script. Please reconfigure the health script. This should normally be captured earlier by the CLI.

Message: Bad regexp (<expr>) in health check
Severity: ERROR
Type: Traffic Processing
Explanation: Bad regular expression found in health check script. Please reconfigure. This should normally be captured earlier by the CLI.

Message: Bad script op found <script op>
Severity: ERROR
Type: Traffic Processing
Explanation: Bad script operation found in health check script. Please reconfigure. This should normally be captured earlier by the CLI.
Bad string found <string>  (ERROR, Traffic Processing)
    Bad load balancing string encountered. This is normally verified by the CLI.

Can’t bind to local address: <ip>:<port>: <reason>  (ERROR, Traffic Processing)
    Problem encountered when trying to set up the virtual server on <ip>:<port>.

Config filesystem corrupt  (ERROR, OS)
    Possible loss of configuration. Followed by the message "Config filesystem re-initialized - reinstall required" or "Config filesystem restored from backup".

Config filesystem corrupt beyond repair  (EMERG, OS)
    The system cannot boot, but stops with a single-user prompt. Reinstall in order to recover.

Config filesystem re-initialized - reinstall required  (CRITICAL, OS)
    Reinstall.

Config filesystem restored from backup  (ERROR, OS)
    Loss of recent configuration changes.

Connect failed: <reason>  (ERROR, Traffic Processing)
    Connect to backend server failed with <reason>.

copy_software_release_failed  (ALARM (CRITICAL), System Control)
    A Nortel SNAS failed to install a software release while trying to install the same version as all other Nortel SNAS devices in the cluster. The failing Nortel SNAS tries to catch up with the other cluster members because it was not up and running when the new software version was installed.

css error: <reason>  (ERROR, Traffic Processing)
    Problem encountered when parsing a style sheet. It may be a problem with the CSS parser in the Nortel SNAS or a problem on the processed page.

DNS alarm: all dns servers are DOWN  (CRITICAL, Traffic Processing)
    All DNS servers are down. The Nortel SNAS cannot perform any DNS lookups.

DNS alarm: dns server(s) are UP  (INFO, Traffic Processing)
    At least one DNS server is now up.
Domain:1, Switch: <switchID> ERROR cmd timeout for cmd :<commandID>  (ERROR, NSNAS)
    An internal command between the specified switch and the Nortel SNAS timed out. Check connectivity between the switch and the Nortel SNAS.

failed to locate corresponding portal for portal authenticated http server  (ERROR, Traffic Processing)
    Portal authentication has been configured for an HTTP server, but no portal using the same xnet domain can be found. Make sure that there is a portal running with the same xnet id.

Failed to log to CLI :<reason> -- disabling CLI log  (ERROR, Traffic Processing)
    Failed to send the troubleshooting log to the CLI. Disabling the CLI troubleshooting log.

failed to parse Set-Cookie <header>  (ERROR, Traffic Processing)
    The Nortel SNAS got a malformed Set-Cookie header from the backend web server.

Failed to syslog traffic :<reason> -- disabling traf log  (ERROR, Traffic Processing)
    A problem occurred when the Nortel SNAS tried to send traffic logging syslog messages. Traffic syslogging was disabled as a result.

Failed to write to config filesystem  (EMERG, OS)
    Probable hardware error. Reinstall.

Found <size> meg of phys mem  (INFO, Start-up)
    Amount of physical memory found on the system.

gzip error: <reason>  (INFO, Traffic Processing)
    Problem encountered when processing compressed content.

gzip warning: <reason>  (INFO, Traffic Processing)
    Problem encountered when processing compressed content.

HC: backend <ip>:<port> is down  (INFO, Traffic Processing)
    Backend health check detected backend <ip>:<port> to be down.

HC: backend <ip>:<port> is up again  (INFO, Traffic Processing)
    Backend health check detected backend <ip>:<port> to be up.

html error: <reason>  (ERROR, Traffic Processing)
    Error encountered when parsing HTML. Probably non-standard HTML.
http error: <reason>, Request="<method> <host><path>"  (ERROR, Traffic Processing)
    A problem was encountered when parsing the HTTP traffic. This is either an indication of a non-standard client/server or an indication that the Nortel SNAS HTTP parser has gotten out of sync due to an earlier non-standard transaction from the client or server on this TCP stream.

http header warning cli: <reason> (<header>)  (ERROR, Traffic Processing)
    The client sent a bad HTTP header.

http header warning srv: <reason> (<header>)  (ERROR, Traffic Processing)
    The server sent a bad HTTP header.

HTTP NotLoggedIn Domain="<id>" Host="<host>" SrcIP="<ip>" Request="<method> <host> <path>"  (INFO, AAA)
    The user was not logged on to the specified web server requested from the Portal.

HTTP Rejected Domain="<id>" Host="<host>" User="<user>" SrcIP="<ip>" Request="<method> <host> <path>"  (INFO, AAA)
    The user failed to access the specified web server requested from the Portal.

HTTP Domain="<id>" Host="<host>" User="<user>" SrcIP="<ip>" Request="<method> <host> <path>"  (INFO, AAA)
    The user has successfully accessed the specified web server requested from the Portal.

Ignoring DNS packet was not from any of the defined namesserver <ip>:<port>  (ERROR, Traffic Processing)
    The Nortel SNAS received a DNS reply from a server that is not one of the configured DNS servers.

internal error: <no>  (ERROR, Traffic Processing)
    An internal error occurred. Contact support with as much information as possible to reproduce this message.

IPSEC server <id> uses default interface (interface <n> not configured)  (WARNING, Traffic Processing)
    A specific interface is configured to be used by the IPsec server, but this interface is not configured on the Nortel SNAS.

isd_down  (ALARM (CRITICAL), System Control)
    A member of the Nortel SNAS cluster is down. This alarm is only sent if the cluster contains more than one Nortel SNAS.
javascript error: <reason> for: <host><path>  (ERROR, Traffic Processing)
    JavaScript parsing error encountered when parsing content from <host><path>. This could be a problem in the Nortel SNAS JavaScript parser, but is most likely a syntax error in the JavaScript on that page.

jscript.encode error: <reason>  (ERROR, Traffic Processing)
    Problem encountered when parsing encoded JavaScript. It may be a problem with the JavaScript parser in the Nortel SNAS or a problem on the processed page.

LDAP backend(s) unreachable Domain=\"<id>\" AuthId=\"<authid>\"  (ERROR, AAA)
    Shown if the LDAP server(s) cannot be reached when a user tries to log in to the Portal.

license  (ALARM (WARNING), System Control)
    One or several Nortel SNAS devices in the cluster do not have the same SSL Nortel SNAS license (with reference to the number of concurrent users).

license  (ALARM (WARNING), System Control)
    The (demo) license loaded on the local Nortel SNAS expires within 7 days. Check the loaded licenses using the /cfg/sys/cur command.

license_expired  (EVENT, System Control)
    Indicates that the demo license at host <IP> has expired. Check the loaded licenses with /cfg/sys/cur.

License expired  (WARNING, Traffic Processing)
    The loaded (demo) license on the Nortel SNAS has expired. The Nortel SNAS now uses the default license.

Loaded <ip>:<port>  (INFO, Start-up)
    Initializing virtual server <ip>:<port>.

log_open_failed  (ALARM (MAJOR), System Control)
    The event log (where all events and alarms are stored) could not be opened.
LoginSucceeded Domain="1" SrcIp="<IPaddr>" Method="ssl" User="<user>" Groups="<group>/<profile>/"  (INFO, NSNAS)
    On Domain 1, user "<user>" with IP "<IP>", belonging to group "<group>/<profile>/", has logged in.

Logs filesystem re-initialized  (ERROR, OS)
    Loss of logs.

make_software_release_permanent_failed  (ALARM (CRITICAL), System Control)
    Failed to make a new software release permanent after it was activated. The system automatically reverts to the previous version.

Missing files in config filesystem  (ERROR, OS)
    Possible loss of configuration. Followed by the message "Config filesystem re-initialized - reinstall required" or "Config filesystem restored from backup".

No cert supplied by backend server  (INFO, Traffic Processing)
    No certificate was supplied by the backend server when doing SSL connect. The session to the backend server was terminated.

No CN supplied in server cert <subject>  (INFO, Traffic Processing)
    No CN found in the subject of the certificate supplied by the backend server.

No more than <nr> backend supported  (INFO, Start-up)
    Generated when more than the maximum allowed number of backend servers have been configured.

No PortalGuard license loaded: Domain <id> *will* use portal authentication  (WARNING, Traffic Processing)
    The PortalGuard license has not been loaded on the Nortel SNAS.

No Secure Service Partitioning loaded: server <id> *will not* use interface <n>  (WARNING, Traffic Processing)
    The Secure Service Partitioning license has not been loaded on the Nortel SNAS, but the server is configured to use a specific interface.

No TPS license limit  (INFO, Start-up)
    Unlimited TPS license used.

NSNAS AddressAssigned Domain="<id>" Method=<"ssl"> SrcIp="<ip>" User="<user>" TunIP="<inner tunnel ip>"  (INFO, AAA)
    The source IP address for the connection between the Nortel SNAS and the destination address (inner tunnel) has been allocated.
NSNAS LoginFailed Domain="<id>" Method=<"ssl"> SrcIp="<ip>" [User="<user>"] Error=<error>  (INFO, AAA)
    Logon to the Nortel SNAS domain failed. The client’s access method, IP address and user name are shown.

NSNAS LoginSucceeded Domain="<id>" Method=<"ssl"> SrcIp="<ip>" User="<user>" Groups="<groups>"  (INFO, AAA)
    Login to the Nortel SNAS domain succeeded. The client’s access method, IP address, user name and group membership are shown.

NSNAS LoginSucceeded Domain="<id>" Method=<"ssl"> SrcIp="<ip>" User="<user>" Groups="<groups>" TunIP="<inner tunnel ip>"  (INFO, AAA)
    Login to the Nortel SNAS domain succeeded. The client’s access method, client IP address, user name and group membership are shown, as well as the IP address allocated to the connection between the Nortel SNAS and the destination address (inner tunnel).

NSNAS Logout Domain="<id>" SrcIp="<ip>" User="<user>"  (INFO, AAA)
    The client has logged out from the Nortel SNAS domain.

partitioned_network  (EVENT, System Control)
    Sent to indicate that a Nortel SNAS is recovering from a partitioned network situation.

PORTAL Rejected Domain="<id>" User="<user>" Proto="<proto>" Host="<host>" Share="<share>" Path="<path>"  (INFO, AAA)
    The remote user failed to access the specified folder/directory on the specified file server requested from the Portal’s Files tab.

PORTAL Domain="<id>" User="<user>" Proto="<proto>" Host="<host>" Share="<share>" Path="<path>"  (INFO, AAA)
    The remote user has successfully accessed the specified folder/directory on the specified file server requested from the Portal’s Files tab.

Rebooting to revert to permanent OS version  (ERROR, OS)
    Happens after "Config filesystem re-initialized - reinstall required" or "Config filesystem restored from backup" if a software upgrade is in progress (that is, on failure at first boot on the new OS version).

reload cert config done  (INFO, Config Reload)
    Certificate reloading done.
reload cert config start  (INFO, Config Reload)
    Starting reloading of certificates.

reload configuration done  (INFO, Config Reload)
    Virtual server configuration reloading done.

reload configuration network down  (INFO, Config Reload)
    Accepting new sessions is temporarily put on hold.

reload configuration network up  (INFO, Config Reload)
    Resuming accepting new sessions after loading the new configuration.

reload configuration start  (INFO, Config Reload)
    Virtual server configuration reloading started.

Root filesystem corrupt  (EMERG, OS)
    The system cannot boot, but stops with a single-user prompt. fsck failed. Reinstall in order to recover.

Root filesystem repaired - rebooting  (ERROR, OS)
    fsck found and fixed errors. Probably OK.

Server <id> uses default interface (interface <n> not configured)  (WARNING, Traffic Processing)
    A specific interface is configured to be used by the server, but this interface is not configured on the Nortel SNAS.

Set CSWIFT as default  (INFO, Start-up)
    Using CSWIFT SSL hardware acceleration.

Since we use clicerts, force adjust totalcache size to : <size> per server that use clicerts  (INFO, Start-up)
    Generated if the size of the SSL session cache has been modified.

single_master  (ALARM (WARNING), System Control)
    Only one master Nortel SNAS in the cluster is up and running.

socks error: <reason>  (ERROR, Traffic Processing)
    Error encountered when parsing the SOCKS traffic from the client. Probably a non-standard SOCKS client.

SOCKS Rejected Domain="<id>" User="<user>" SrcIP="<ip>" Request="<request>"  (INFO, AAA)
    The client failed to perform an operation using one of the features available under the Portal’s Advanced tab.

socks request: socks version <version> rejected  (ERROR, Traffic Processing)
    SOCKS request of version <version> received and rejected. Most likely a non-standard SOCKS client.
SOCKS Domain="<id>" User="<user>" SrcIP="<ip>" Request="<request>"  (INFO, AAA)
    The client has successfully performed an operation using one of the features available under the Portal’s Advanced tab.

software_configuration_changed  (EVENT, System Control)
    Indicates that release <VSN> (version) has been <Status> (unpacked/installed/permanent).

software_release_copying  (EVENT, System Control)
    Indicates that <IP> is copying the release <VSN> from another cluster member.

software_release_rebooting  (EVENT, System Control)
    Indicates that a Nortel SNAS (<IP>) is rebooting on a new release (in other words, a Nortel SNAS that was not up and running during the normal installation is now catching up).

ssi_mipishere  (EVENT, System Control)
    Tells that the MIP (management IP address) is now located at the Nortel SNAS with the <IP> host IP address.

switch controller:switch [1:<switchID>] – Added  (INFO, NSNAS)
    Switch <switchID> has been added to Domain 1.

switch controller:switch [1:<switchID>] - Deleted  (INFO, NSNAS)
    Switch <switchID> has been deleted from Domain 1.

switch controller:switch [1:<switchID>] – Disconnected  (INFO, NSNAS)
    Switch <switchID> of Domain 1 has disconnected from the NSNAS.

switch controller:switch [1:<switchID>] – Modified  (INFO, NSNAS)
    The CLI configuration of Domain 1, Switch <switchID> has been modified.

System started [isdssl-<version>]  (INFO, System Control)
    Sent whenever the system control process has been (re)started.

The private key and certificate don’t match for <server nr>  (ERROR, Traffic Processing)
    Key and certificate do not match for server <server nr>. The certificate has to be changed.

TPS license limit (<limit>) exceeded  (WARNING, Traffic Processing)
    The transactions per second (TPS) limit has been exceeded.

TPS license limit: <limit>  (INFO, Start-up)
    TPS limit set to <limit>.
transferring user <user> on Switch="1:<switchID>(<IPaddr>)", Port="<unit/port>" to Vlan="<vlan>(<vlanID>)  (INFO, NSNAS)
    The client device on Domain 1, Switch <switchID> (switch IP address <IPaddr>), Unit <unit>, Port <port> is being moved to the VLAN named <vlan> with VLAN ID <vlanID>.

nhauser: user <username>[<pVIP>] – SRS check failed, restrictingSRS – <SRS rule> <comment> – <item> – <reason>  (INFO, NSNAS)
    Nortel Health Agent applet report: The user with user name <username>, logged on to the Nortel SNAS portal with portal Virtual IP address <pVIP>, has failed the SRS rule check, and access is restricted in accordance with the behavior configured for SRS rule failure. To identify the rule, the message includes the <SRS rule> name and additional <comment> information defined for the rule. The message also includes the element of the SRS rule (<item>) that failed and the <reason> (for example, file not found).

nhauser: user <username>[<pVIP>] – SRS checks ok, open session  (INFO, NSNAS)
    Nortel Health Agent applet report: The user with user name <username>, logged on to the Nortel SNAS portal with portal Virtual IP address <pVIP>, has passed the SRS rule check and is authorized to start a session in a Green VLAN.

Unable to find client private key for <server #>  (ERROR, Traffic Processing)
    The key for doing sslconnect is not valid. Reconfigure.

Unable to use client certificate for <server #>  (ERROR, Traffic Processing)
    The certificate for doing sslconnect is not valid. Reconfigure.

Unable to use client private key for <server #>  (ERROR, Traffic Processing)
    The key for doing sslconnect is not valid. Reconfigure.

Unable to use the certificate for <server nr>  (ERROR, Traffic Processing)
    Unsuitable certificate configured for server <server nr>.

unknown WWW-Authenticate method, closing  (ERROR, Traffic Processing)
    The backend server sent an unknown HTTP authentication method.
vbscript error: <reason> for: <host><path>  (ERROR, Traffic Processing)
    VBScript parsing error encountered when parsing content from <host><path>. This could be a problem in the Nortel SNAS VBScript parser, but is most likely a syntax error in the VBScript on that page.

www_authenticate: bad credentials  (ERROR, Traffic Processing)
    The browser sent a malformed WWW-Authenticate credentials header. Most likely a broken client.
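The AAA and NSNAS messages in Table 88 (NSNAS LoginFailed, LoginSucceeded and Logout, the nhauser SRS results, and the "transferring user" VLAN moves) are the ones a collector would key on. The following Python is an added example, not code from the manual or from Nortel: it parses those message formats and flags source addresses that repeatedly fail portal logon, which is what password guessing or user enumeration against the portal looks like in this log. The sample lines are constructed to follow the formats in the table; the leading "Jul 28 ... snas1" syslog header and the plain "-" separator in the nhauser lines (printed as an en dash in the manual) are assumptions about how a collector stores the lines, and the parser accepts either dash.

```python
import re
from collections import Counter, defaultdict

# Added example (not Nortel code). Constructed sample log; the syslog header
# in front of each message is an assumption about the collector's format.
SAMPLE_LOG = """\
Jul 28 09:00:01 snas1 NSNAS LoginFailed Domain="1" Method="ssl" SrcIp="203.0.113.7" User="alice" Error="bad password"
Jul 28 09:00:04 snas1 NSNAS LoginFailed Domain="1" Method="ssl" SrcIp="203.0.113.7" User="bob" Error="bad password"
Jul 28 09:00:09 snas1 NSNAS LoginFailed Domain="1" Method="ssl" SrcIp="203.0.113.7" User="admin" Error="no such user"
Jul 28 09:01:00 snas1 NSNAS LoginSucceeded Domain="1" Method="ssl" SrcIp="10.20.0.15" User="carol" Groups="staff/default/"
Jul 28 09:01:02 snas1 nhauser: user carol[10.20.0.1] - SRS checks ok, open session
Jul 28 09:01:03 snas1 transferring user carol on Switch="1:1(10.20.0.2)", Port="1/7" to Vlan="Green(100)
Jul 28 09:05:00 snas1 NSNAS LoginSucceeded Domain="1" Method="ssl" SrcIp="10.20.0.16" User="dave" Groups="staff/default/"
Jul 28 09:05:02 snas1 nhauser: user dave[10.20.0.1] - SRS check failed, restrictingSRS - AV_Running corporate antivirus - C:\\Program Files\\AV\\av.exe - file not found
Jul 28 09:05:03 snas1 transferring user dave on Switch="1:1(10.20.0.2)", Port="1/8" to Vlan="Yellow(200)
Jul 28 09:30:00 snas1 NSNAS Logout Domain="1" SrcIp="10.20.0.15" User="carol"
"""

# Key="value" or Key=value pairs as they appear in the AAA messages.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# A syslog header may precede the message, so search rather than anchor.
AAA_RE = re.compile(r'\bNSNAS (LoginFailed|LoginSucceeded|Logout|AddressAssigned)\b(.*)$')
# The manual prints the separator as an en dash; accept "-" and "\u2013".
SRS_FAIL_RE = re.compile(
    r'nhauser: user (?P<user>[^\[]+)\[(?P<pvip>[^\]]+)\] [-\u2013] SRS check failed, restrictingSRS'
    r' [-\u2013] (?P<rule>.*?) [-\u2013] (?P<item>.*?) [-\u2013] (?P<reason>.*)$')
SRS_OK_RE = re.compile(
    r'nhauser: user (?P<user>[^\[]+)\[(?P<pvip>[^\]]+)\] [-\u2013] SRS checks ok, open session')
# Vlan="<vlan>(<vlanID>) has no closing quote in the manual; none is required.
VLAN_RE = re.compile(
    r'transferring user (?P<user>\S+) on Switch="1:(?P<switch>[^(]+)\((?P<switch_ip>[^)]+)\)",'
    r' Port="(?P<port>[^"]+)" to Vlan="(?P<vlan>[^(]+)\((?P<vlan_id>\d+)\)')


def parse_line(line):
    """Return a dict describing one recognised message, or None."""
    m = AAA_RE.search(line)
    if m:
        event = {"event": m.group(1)}
        for key, quoted, bare in KV_RE.findall(m.group(2)):
            event[key] = quoted if quoted else bare
        return event
    for name, pattern in (("SRSCheckFailed", SRS_FAIL_RE),
                          ("SRSCheckOk", SRS_OK_RE),
                          ("VlanTransfer", VLAN_RE)):
        m = pattern.search(line)
        if m:
            return {"event": name, **m.groupdict()}
    return None


def analyze(lines, threshold=3):
    """Count LoginFailed per source IP; collect SRS results and VLAN moves."""
    failures = Counter()
    users_by_ip = defaultdict(set)
    srs_ok, srs_failures, vlan_moves = [], [], []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["event"] == "LoginFailed":
            ip = ev.get("SrcIp", "?")
            failures[ip] += 1
            users_by_ip[ip].add(ev.get("User", "<none>"))
        elif ev["event"] == "SRSCheckOk":
            srs_ok.append(ev["user"])
        elif ev["event"] == "SRSCheckFailed":
            srs_failures.append((ev["user"], ev["rule"], ev["item"], ev["reason"]))
        elif ev["event"] == "VlanTransfer":
            vlan_moves.append((ev["user"], ev["vlan"], int(ev["vlan_id"])))
    return {
        "login_failures": dict(failures),
        # Sources with `threshold` or more failures, whatever user names they tried.
        "suspicious_ips": {ip: n for ip, n in failures.items() if n >= threshold},
        "users_tried": {ip: sorted(u) for ip, u in users_by_ip.items()},
        "srs_ok": srs_ok,
        "srs_failures": srs_failures,
        "vlan_moves": vlan_moves,
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG.splitlines()).items():
        print(key, value)
```

The SRS rule name and its comment are separated only by a space in the message, so `rule` carries both; the item and reason fields are what identify the failing check (here a missing antivirus binary) and are the fields worth indexing alongside the VLAN the user ended up in.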
Appendix
Supported MIBs
This appendix describes the Management Information Bases (MIB) and traps supported by the Nortel SNAS.
For detailed information about the MIB definitions currently implemented for the SNMP agent, do the following:
Step  Action
1     Navigate to the Nortel SNAS Software page.
2     Download the tar.gz file for the Nortel SNAS MIBs.
3     Unzip the .tar file in order to access the file ALTEON-SAC-CAP.mib.
4     ALTEON-SAC-CAP.mib contains an AGENT-CAPABILITIES statement, which formally specifies which MIBs are implemented.
--End--
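The AGENT-CAPABILITIES statement is the authoritative list; the tables in this appendix are a summary of it. The following Python is an added example, not Nortel's code or file: it extracts the SUPPORTS modules, their INCLUDES groups and any VARIATION/ACCESS overrides from a statement in the macro form defined in RFC 2580, and checks a documented group list against what the statement actually claims. SAMPLE_CAP_MIB is a constructed excerpt that only mirrors the macro's shape; its module name, groups, variations and OID are invented and are not the contents of ALTEON-SAC-CAP.mib.

```python
import re

# Added example (not Nortel code). Constructed AGENT-CAPABILITIES excerpt in
# the RFC 2580 macro form; names and OID are invented, not the shipped file.
SAMPLE_CAP_MIB = """\
exampleAgentCapabilities AGENT-CAPABILITIES
    PRODUCT-RELEASE "Example agent 2.0"
    STATUS          current
    DESCRIPTION     "Constructed example, not the shipped file"
    SUPPORTS        SNMPv2-MIB
        INCLUDES    { snmpGroup, snmpSetGroup, systemGroup }
    SUPPORTS        IF-MIB
        INCLUDES    { ifPacketGroup, ifStackGroup }
        VARIATION   ifType
            ACCESS  not-implemented
            DESCRIPTION "Not implemented by this agent."
        VARIATION   ifSpeed
            ACCESS  not-implemented
            DESCRIPTION "Not implemented by this agent."
    SUPPORTS        SNMP-TARGET-MIB
        INCLUDES    { snmpTargetBasicGroup }
        VARIATION   snmpTargetParamsRowStatus
            ACCESS  read-only      -- write access withheld through VACM
            DESCRIPTION "Read-only in this agent."
    ::= { exampleCapabilities 1 }
"""

# One SUPPORTS clause: module, INCLUDES list, then everything up to the next
# SUPPORTS or the trailing ::= assignment (VARIATION clauses live there).
SUPPORTS_RE = re.compile(
    r'SUPPORTS\s+([\w-]+)\s+INCLUDES\s*\{([^}]*)\}(.*?)(?=SUPPORTS\s|::=)', re.S)


def strip_comments(text):
    """Remove ASN.1 "--" comments so words inside them are not parsed."""
    return re.sub(r'--[^\n]*', '', text)


def parse_agent_capabilities(text):
    """Map each SUPPORTS module to its INCLUDES groups and VARIATION accesses."""
    caps = {}
    for module, includes, body in SUPPORTS_RE.findall(strip_comments(text)):
        groups = [g.strip() for g in includes.split(',') if g.strip()]
        variations = {}
        for chunk in re.split(r'\bVARIATION\s+', body)[1:]:
            obj = chunk.split()[0]
            access = re.search(r'\bACCESS\s+([\w-]+)', chunk)
            # A VARIATION without an ACCESS clause keeps the MIB's own access.
            variations[obj] = access.group(1) if access else None
        caps[module] = {"groups": groups, "variations": variations}
    return caps


def not_implemented(caps):
    """(module, object) pairs the agent declares as not-implemented."""
    return sorted((mod, obj) for mod, info in caps.items()
                  for obj, acc in info["variations"].items()
                  if acc == "not-implemented")


def missing_groups(caps, documented):
    """Groups a document claims that the capabilities statement does not list."""
    missing = []
    for mod, groups in documented.items():
        present = set(caps.get(mod, {}).get("groups", []))
        missing.extend((mod, g) for g in groups if g not in present)
    return missing


if __name__ == "__main__":
    caps = parse_agent_capabilities(SAMPLE_CAP_MIB)
    for mod, info in caps.items():
        print(mod, info["groups"], info["variations"])
    print("not implemented:", not_implemented(caps))
```

Run `parse_agent_capabilities` over the real file and feed `missing_groups` the group lists from Table 89; a non-empty result means the document and the agent disagree, and the agent wins.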
For information about configuring the SNMP agent in a cluster, see  
Supported MIBs  
The following MIBs are supported by the Nortel SNAS:  
ALTEON-ISD-PLATFORM-MIB  
ALTEON-ISD-SSL-MIB  
ALTEON-ROOT-MIB  
ALTEON-SAC-CAP  
ALTEON-SSL-VPN-MIB  
IANAifType-MIB  
DISMAN-EVENT-MIB  
ENTITY-MIB  
IF-MIB  
IP-FORWARD-MIB  
IP-MIB  
NORTEL-SECURE-ACCESS-SWITCH-MIB  
S5-ROOT-MIB  
S5-TCS-MIB  
SNMP-FRAMEWORK-MIB  
SNMP-MPD-MIB  
SNMP-NOTIFICATION-MIB  
SNMP-TARGET-MIB  
SNMP-USER-BASED-SM-MIB  
SNMPv2-MIB  
SNMP-VIEW-BASED-ACM-MIB  
SYNOPTICS-ROOT-MIB  
S5-ETH-MULTISEG-TOPOLOGY-MIB  
Table 89 "Supported MIBs" (page 478) provides more information about some of the MIBs supported by the Nortel SNAS.
Table 89
Supported MIBs

ALTEON-ISD-PLATFORM-MIB
    Contains the following groups and objects: isdClusterGroup, isdResourceGroup, isdAlarmGroup, isdBasicNotificatioObjectsGroup, isdEventNotificationGroup, isdAlarmNotificationGroup.

ALTEON-ISD-SSL-MIB
    Contains objects for monitoring the SSL gateways. The following groups are implemented: sslBasicGroup, sslEventGroup.

ALTEON-SSL-VPN-MIB
    The following group is implemented: vpnBasicGroup.

DISMAN-EVENT-MIB
    The MIB module for defining event triggers and actions. The following groups are implemented: dismanEventResourceGroup, dismanEventTriggerGroup, dismanEventObjectsGroup, dismanEventEventGroup, dismanEventNotificationObjectGroup.

ENTITY-MIB
    The following groups are implemented: entityPhysicalGroup, entityPhysical2Group, entityGeneralGroup, entityNotificationsGroup.
    Write access to snmpTargetParamsTable is turned off in VACM.

IF-MIB
    The following groups are implemented: ifPacketGroup, ifStackGroup.
    Limitations: the agent does not implement the following objects: ifType, ifSpeed, ifLastChange, ifInUnknownProtos, ifOutNUnicast.

IP-FORWARD-MIB
    The following group is implemented: ipCidrRouteGroup.

IP-MIB
    The following groups are implemented: ipGroup, icmpGroup.

NORTEL-SECURE-ACCESS-SWITCH-MIB
    Contains objects for monitoring the Nortel SNAS devices. The following groups are implemented: snasBasicGroup, snasEventGroup.

SNMP-FRAMEWORK-MIB
    The following group is implemented: snmpEngineGroup.

SNMP-MPD-MIB
    The following group is implemented: snmpMPDGroup.

SNMP-NOTIFICATION-MIB
    The following group is implemented: snmpNotifyGroup.
    Write access to all objects in this MIB is turned off in VACM.

SNMP-TARGET-MIB
    The SNMP-TARGET-MIB contains information about where to send traps. You can configure and view trap information from the CLI, using the /cfg/sys/adm/snmp/target command (see
    The following groups are implemented: snmpTargetCommandResponderGroup, snmpTargetBasicGroup, snmpTargetResponseGroup.
    Write access to snmpTargetParamsTable is turned off in VACM.

SNMP-USER-BASED-SM-MIB
    The following group is implemented: usmMIBBasicGroup.
    Write access to all objects in this MIB is turned off in VACM.

SNMPv2-MIB
    A standard MIB implemented by all agents. The following groups are implemented: snmpGroup, snmpSetGroup, systemGroup, snmpBasicNotificationsGroup, snmpCommunityGroup.

SNMP-VIEW-BASED-ACM-MIB
    The following group is implemented: vacmBasicGroup.
    Write access to all objects in this MIB is turned off in VACM.
Supported traps
Table 90 "Supported traps" (page 481) describes the traps supported by the Nortel SNAS.
Table 90
Supported traps

authenticationFailure
    Sent when the SNMP agent receives an SNMP message which is not properly authenticated. This trap is disabled by default. To enable the trap through SNMP, set snmpEnableAuthenTraps to enabled, or use the CLI command /cfg/sys/adm/snmp/snmpv2-mib/snmpenable. Defined in SNMPv2-MIB.

coldStart
    Sent when the Nortel SNAS reboots. Defined in SNMPv2-MIB.

isdAlarmCleared
    Sent when an alarm is cleared.

isdDown
    Signifies that a Nortel SN device in the cluster is down and out of service.

isdLicense
    Sent when the Nortel SNAS devices in the cluster have different licenses, and when a demo license has seven days left before expiration.

isdLicenseExpired
    Sent when a license has expired.

isdMipMigration
    Signals that the master IP has migrated to another Nortel SNAS.

isdSingleMaster
    Signifies that only one master Nortel SNAS in the cluster is up and operational. Having only one master in a cluster means that the fault tolerance level is severely degraded: if the last master fails, the system cannot be reconfigured.

    The isd* traps above are defined in ALTEON-ISD-PLATFORM-MIB.

linkDown
    Sent when the agent detects that one of the links (interfaces) has gone down. Defined in IF-MIB.

linkUp
    Sent when the agent detects that one of the links (interfaces) has gone up. Defined in IF-MIB.
Appendix
Supported ciphers
The Nortel SNAS supports SSL version 2.0, SSL version 3.0, and TLS version 1.0. The Nortel SNAS supports all ciphers covered in these versions of SSL, except the IDEA and FORTEZZA ciphers and ciphers using DH or DSS authentication.
Note that SSL version 2.0, the export-grade suites marked EXPORT in Table 91 (40- and 56-bit keys) and the anonymous ADH suites (no server authentication) give no meaningful protection against a network attacker; they are listed because the software accepts them, not because they should be enabled. Restrict the cipher list to the RSA-authenticated AES and 3DES suites and disable SSL version 2.0 unless a legacy client requires it.
Table 91
Supported ciphers

Cipher name               SSL protocol  Key exchange, authentication  Encryption   MAC digest  Export
DHE-RSA-AES256-SHA        SSLv3         DH, RSA                       AES (256)    SHA1
AES256-SHA                SSLv3         RSA, RSA                      AES (256)    SHA1
EDH-RSA-DES-CBC3-SHA      SSLv3         DH, RSA                       3DES (168)   SHA1
DES-CBC3-SHA              SSLv3         RSA, RSA                      3DES (168)   SHA1
DES-CBC3-MD5              SSLv2         RSA, RSA                      3DES (168)   MD5
DHE-RSA-AES128-SHA        SSLv3         DH, RSA                       AES (128)    SHA1
AES128-SHA                SSLv3         RSA, RSA                      AES (128)    SHA1
RC4-SHA                   SSLv3         RSA, RSA                      RC4 (128)    SHA1
RC4-MD5                   SSLv3         RSA, RSA                      RC4 (128)    MD5
RC2-CBC-MD5               SSLv2         RSA, RSA                      RC2 (128)    MD5
RC4-MD5                   SSLv2         RSA, RSA                      RC4 (128)    MD5
RC4-64-MD5                SSLv2         RSA, RSA                      RC4 (64)     MD5
EXP1024-RC4-SHA           SSLv3         RSA (1024), RSA               RC4 (56)     SHA1        EXPORT
EXP1024-DES-CBC-SHA       SSLv3         RSA (1024), RSA               DES (56)     SHA1        EXPORT
EXP1024-RC2-CBC-MD5       SSLv3         RSA (1024), RSA               RC2 (56)     MD5         EXPORT
EXP1024-RC4-MD5           SSLv3         RSA (1024), RSA               RC4 (56)     MD5         EXPORT
EDH-RSA-DES-CBC-SHA       SSLv3         DH, RSA                       DES (56)     SHA1
DES-CBC-SHA               SSLv3         RSA, RSA                      DES (56)     SHA1
DES-CBC-MD5               SSLv2         RSA, RSA                      DES (56)     MD5
EXP-EDH-RSA-DES-CBC-SHA   SSLv3         DH (512), RSA                 DES (40)     SHA1        EXPORT
EXP-DES-CBC-SHA           SSLv3         RSA (512), RSA                DES (40)     SHA1        EXPORT
EXP-RC2-CBC-MD5           SSLv3         RSA (512), RSA                RC2 (40)     MD5         EXPORT
EXP-RC4-MD5               SSLv3         RSA (512), RSA                RC4 (40)     MD5         EXPORT
EXP-RC2-CBC-MD5           SSLv2         RSA (512), RSA                RC2 (40)     MD5         EXPORT
EXP-RC4-MD5               SSLv2         RSA (512), RSA                RC4 (40)     MD5         EXPORT
ADH-AES256-SHA            SSLv3         DH, None                      AES (256)    SHA1
ADH-DES-CBC3-SHA          SSLv3         DH, None                      3DES (168)   SHA1
ADH-AES128-SHA            SSLv3         DH, None                      AES (128)    SHA1
ADH-RC4-MD5               SSLv3         DH, None                      RC4 (128)    MD5
ADH-DES-CBC-SHA           SSLv3         DH, None                      DES (56)     SHA1
EXP-ADH-DES-CBC-SHA       SSLv3         DH (512), None                DES (40)     SHA1        EXPORT
EXP-ADH-RC4-MD5           SSLv3         DH (512), None                RC4 (40)     MD5         EXPORT
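Table 91 lists suites that a current deployment must not leave enabled (SSLv2-only suites, export-grade key exchange, anonymous DH with no peer authentication, RC4/RC2/single-DES, MD5 record MACs) next to the few that remain defensible. The following script is an added example written for this edition, not Nortel code: it transcribes the table inline and applies a cipher policy over it so that the rows a hardened SNAS configuration keeps can be read off. The policy rules and the 3DES toggle are the editor's choices, and the SNAS command that actually sets the cipher list is not assumed here.

```python
"""Cipher-policy audit over the Nortel SNAS supported-cipher list (Table 91).

Added example: this is not Nortel code. The rows are transcribed from the
table; the rejection rules are the editor's, not a documented SNAS setting.
"""
from dataclasses import dataclass

# Columns: name, protocol, key exchange, authentication, cipher, key bits, MAC, export.
# Transcribed from Table 91 and embedded inline so the example runs offline.
TABLE_91 = """\
DHE-RSA-AES256-SHA       SSLv3 DH        RSA  AES  256 SHA1 -
AES256-SHA               SSLv3 RSA       RSA  AES  256 SHA1 -
EDH-RSA-DES-CBC3-SHA     SSLv3 DH        RSA  3DES 168 SHA1 -
DES-CBC3-SHA             SSLv3 RSA       RSA  3DES 168 SHA1 -
DES-CBC3-MD5             SSLv2 RSA       RSA  3DES 168 MD5  -
DHE-RSA-AES128-SHA       SSLv3 DH        RSA  AES  128 SHA1 -
AES128-SHA               SSLv3 RSA       RSA  AES  128 SHA1 -
RC4-SHA                  SSLv3 RSA       RSA  RC4  128 SHA1 -
RC4-MD5                  SSLv3 RSA       RSA  RC4  128 MD5  -
RC2-CBC-MD5              SSLv2 RSA       RSA  RC2  128 MD5  -
RC4-MD5                  SSLv2 RSA       RSA  RC4  128 MD5  -
RC4-64-MD5               SSLv2 RSA       RSA  RC4  64  MD5  -
EXP1024-RC4-SHA          SSLv3 RSA(1024) RSA  RC4  56  SHA1 EXPORT
EXP1024-DES-CBC-SHA      SSLv3 RSA(1024) RSA  DES  56  SHA1 EXPORT
EXP1024-RC2-CBC-MD5      SSLv3 RSA(1024) RSA  RC2  56  MD5  EXPORT
EXP1024-RC4-MD5          SSLv3 RSA(1024) RSA  RC4  56  MD5  EXPORT
EDH-RSA-DES-CBC-SHA      SSLv3 DH        RSA  DES  56  SHA1 -
DES-CBC-SHA              SSLv3 RSA       RSA  DES  56  SHA1 -
DES-CBC-MD5              SSLv2 RSA       RSA  DES  56  MD5  -
EXP-EDH-RSA-DES-CBC-SHA  SSLv3 DH(512)   RSA  DES  40  SHA1 EXPORT
EXP-DES-CBC-SHA          SSLv3 RSA(512)  RSA  DES  40  SHA1 EXPORT
EXP-RC2-CBC-MD5          SSLv3 RSA(512)  RSA  RC2  40  MD5  EXPORT
EXP-RC4-MD5              SSLv3 RSA(512)  RSA  RC4  40  MD5  EXPORT
EXP-RC2-CBC-MD5          SSLv2 RSA(512)  RSA  RC2  40  MD5  EXPORT
EXP-RC4-MD5              SSLv2 RSA(512)  RSA  RC4  40  MD5  EXPORT
ADH-AES256-SHA           SSLv3 DH        None AES  256 SHA1 -
ADH-DES-CBC3-SHA         SSLv3 DH        None 3DES 168 SHA1 -
ADH-AES128-SHA           SSLv3 DH        None AES  128 SHA1 -
ADH-RC4-MD5              SSLv3 DH        None RC4  128 MD5  -
ADH-DES-CBC-SHA          SSLv3 DH        None DES  56  SHA1 -
EXP-ADH-DES-CBC-SHA      SSLv3 DH(512)   None DES  40  SHA1 EXPORT
EXP-ADH-RC4-MD5          SSLv3 DH(512)   None RC4  40  MD5  EXPORT
"""


@dataclass(frozen=True)
class Suite:
    name: str
    protocol: str   # SSLv2 or SSLv3 (OpenSSL lists the original TLS 1.0 suites as SSLv3)
    kx: str         # key exchange; "(512)"/"(1024)" is the export-grade RSA/DH modulus size
    auth: str       # peer authentication; "None" means anonymous (no certificate at all)
    enc: str
    bits: int       # symmetric key length
    mac: str
    export: bool


def parse_table(text: str) -> list:
    """Parse the whitespace-separated transcription of Table 91 into Suite rows."""
    suites = []
    for line in text.splitlines():
        if not line.strip():
            continue
        name, proto, kx, auth, enc, bits, mac, exp = line.split()
        suites.append(Suite(name, proto, kx, auth, enc, int(bits), mac, exp == "EXPORT"))
    return suites


def reasons_to_reject(s: Suite, allow_3des: bool = True) -> list:
    """Return the reasons a suite should be disabled; an empty list means keep it."""
    why = []
    if s.protocol == "SSLv2":
        why.append("SSLv2 handshake is not integrity-protected (cipher-suite rollback)")
    if s.export:
        why.append(f"export-grade key exchange ({s.kx})")
    if s.auth == "None":
        why.append("anonymous key exchange: no peer authentication, trivially intercepted")
    if s.bits < 128:
        why.append(f"{s.bits}-bit symmetric key")
    if s.enc in ("RC4", "RC2", "DES"):
        why.append(f"{s.enc} is broken or obsolete")
    if s.enc == "3DES" and not allow_3des:
        why.append("3DES has a 64-bit block (Sweet32)")
    if s.mac == "MD5":
        why.append("HMAC-MD5 record MAC")
    return why


def audit(suites, allow_3des: bool = True):
    """Split the list into suite names to keep and rejects keyed by (name, protocol)."""
    kept, rejected = [], {}
    for s in suites:
        why = reasons_to_reject(s, allow_3des)
        if why:
            rejected[(s.name, s.protocol)] = why
        else:
            kept.append(s.name)
    return kept, rejected


if __name__ == "__main__":
    kept, rejected = audit(parse_table(TABLE_91), allow_3des=False)
    print("keep:", ", ".join(kept))
    for (name, proto), why in rejected.items():
        print(f"drop {name} ({proto}): {'; '.join(why)}")
```

With the default policy only the six RSA-authenticated AES and 3DES suites survive; with allow_3des=False only the four AES suites do. Every ADH row is rejected regardless of its cipher strength, because a suite with no peer authentication protects nothing against an on-path attacker.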
Appendix  
Adding User Preferences attribute to  
Active Directory  
For the remote user to be able to store user preferences on the Nortel  
SNAS, you need to add the isdUserPrefs attribute to Active Directory.  
This attribute will contain an opaque data structure, containing various  
information that the user may have saved during a Portal session.  
This description is based on Windows 2000 Server and Windows Server 2003. Make sure that your account is a member of the Schema Admins group, since only its members can extend the schema.
Install All Administrative Tools
(Windows 2000 Server)
Step  Action
1     Open the Control Panel and double-click Add/Remove Programs.
2     Select Windows 2000 Administrative Tools and click Change.
3     Click Next and select Install All Administrative Tools.
4     Follow the instructions on how to proceed with the installation.
--End--
Register the Schema Management dll
(Windows Server 2003)
Step  Action
1     Click Start and select Run.
2     In the Open field, enter regsvr32 schmmgmt.dll.
      Note that there is a space between regsvr32 and schmmgmt.dll.
3     Click OK.
      This command registers schmmgmt.dll on your computer.
--End--
Add the Active Directory Schema Snap-in
(Windows 2000 Server and Windows Server 2003)
Step  Action
1     Click Start and select Run.
2     On Windows 2000 Server, enter mmc in the Open field.
      On Windows Server 2003, enter mmc /a instead.
      Note that there is a space between mmc and /a.
3     Click OK.
      The Console window appears.
4     On the File (Console) menu, select Add/Remove Snap-in.
      The Add/Remove Snap-in window appears.
5     Click Add.
      The Add Standalone Snap-in window appears.
6     Under Snap-in, select Active Directory Schema and click Add.
      Active Directory Schema is added to the Add/Remove Snap-in window.
7     Click Close to close the Add Standalone Snap-in window.
8     Click OK.
      The Console window appears.
9     To save the console (including the Schema snap-in), go to the File (Console) menu and select Save.
      The Save As window appears.
10    Save the console in the Windows\System32 folder.
      Give the file the name schmmgmt.msc.
11    Click Save.
--End--
Create a shortcut to the console window
Step  Action
1     Right-click Start, and select Open All Users.
2     Double-click the Programs and Administrative Tools folders.
3     On the File menu, point to New, and then select Shortcut.
      The Create Shortcut Wizard appears.
4     In the Type the location of the item field, type schmmgmt.msc.
5     Click Next.
      The Select a Title for the Program page appears.
6     In the Type a name for this shortcut field, type Active Directory Schema.
7     Click Finish.
--End--
Permit write operations to the schema
(Windows 2000 Server)
To allow a domain controller to write to the schema, you must set a registry entry that permits schema updates. On Windows 2000 Server the Active Directory Schema snap-in sets this entry for you when you select the check box in step 3; this step applies to Windows 2000 Server only.
Step  Action
1     In the Console window, on the left pane, right-click Active Directory Schema.
2     Select Operations Master.
3     Select the check box The schema may be modified on this Domain Controller.
4     Click OK.
--End--
Create a new attribute
(Windows 2000 Server and Windows Server 2003)
To create the isdUserPrefs attribute, proceed as follows:
Step  Action
1     In the Console window, on the left pane, expand Active Directory Schema by clicking the plus (+) sign.
      The Attributes and Classes folders display.
2     Right-click Attributes, point to New and select Attribute.
      You receive a warning that creating schema objects is a permanent operation and cannot be undone.
3     Click Continue.
      The Create New Attribute window appears.
4     Create the isdUserPrefs attribute as shown below:
      (figure: Create New Attribute settings for isdUserPrefs)
5     Click OK.
--End--
Create the new class
To create the nortelSSLOffload class, proceed as follows:
Step  Action
1     In the Console window, right-click Classes, point to New and select Class.
      You receive a warning that creating schema classes is a permanent operation and cannot be undone.
2     Click Continue.
      The Create New Schema Class window appears.
3     Create the nortelSSLOffload class as shown below:
      (figure: Create New Schema Class settings for nortelSSLOffload)
4     Click OK.
--End--
Add isdUserPrefs attribute to nortelSSLOffload class
Step  Action
1     In the Console window, on the left pane, expand Classes.
2     Select the nortelSSLOffload class.
3     Right-click and select Properties.
      The Properties window appears.
4     Select the Attributes tab and click Add.
5     Add the isdUserPrefs attribute as optional.
6     On the Default Security (Security) tab, set read/write permissions for the group that should have permission to write user preferences to the attribute. Grant write access only to that group; the attribute holds per-user portal data and should not be writable by every authenticated user.
7     Click OK.
--End--
Add the nortelSSLOffload Class to the User Class
Step  Action
1     In the Console window, on the left pane, expand Classes and select user.
2     Right-click and select Properties.
      The Properties window is displayed.
3     Select the Relationship tab.
4     Next to Auxiliary Classes, click Add Class (Add).
5     Add the nortelSSLOffload class as an auxiliary class as shown below:
      (figure: user class Relationship tab with nortelSSLOffload added under Auxiliary Classes)
6     Click OK.
Once you have enabled the User Preferences feature on the Nortel SNAS (using the CLI command /cfg/domain #/aaa/auth #/ldap/enauserpre or the BBI setting User Preferences under VPN Gateways>Authentication>Auth Servers (LDAP)>Modify), the remote user is able to store user preferences in Active Directory.
--End--
Appendix  
Configuring DHCP to auto-configure IP  
Phones  
The DHCP server and the IP Phone 2002, IP Phone 2004, and IP Phone  
2007 can be configured so that the IP Phone automatically obtains  
its configuration data from the DHCP server. This feature reduces the  
administrative overhead associated with bringing a large number of IP  
Phones online.  
In addition, the DHCP server and the IP Phone can be configured so that  
the IP Phone can use the Auto VLAN Discovery feature, which allows the  
IP Phone to discover the Phone VLAN ID.  
This appendix explains how to:
- configure the IP Phone to obtain its configuration data from a Windows 2000 Server DHCP server
- retrieve VLAN information required to take advantage of the Auto VLAN Discovery feature
This appendix is not intended to be a primer on how to set up a DHCP  
server. The reader is assumed to have a working knowledge of Windows  
2000 Server DHCP servers. The appendix also does not describe the  
process used by the IP Phone to interact with the DHCP server or to boot  
itself into the Phone VLAN.  
ATTENTION  
It is assumed that the necessary DHCP scopes defining the range of addresses  
and lease duration have been created.  
To take advantage of the Auto VLAN Discovery feature, two VLANs are  
required: one for the phone to boot into initially, in order to communicate  
with the DHCP server and learn the appropriate phone VLAN ID, and the  
second for the Phone VLAN itself.  
For information on the minimum firmware versions required to support IP Phones in the Nortel SNAS, see Release Notes for the Nortel Secure Network Access Solution, Software Release 1.6.1 (NN47230-400).
Configuring IP Phone auto-configuration
To configure Windows 2000 Server DHCP to auto-configure the IP Phones, perform the following steps:
Step  Action
1     Create the DHCP options (see "Creating the DHCP options" (page 494)):
      - Call Server Information
      - VLAN Information for auto-discovery of the IP Phone VLAN ID
2     Configure the DHCP options (see "Configuring the Call Server Information and VLAN Information options" (page 497)).
      Repeat this step for the data (or boot) VLAN and the Phone VLAN.
3     Set up the IP Phone (see "Setting up the IP Phone" (page 500)).
--End--
Creating the DHCP options
Step  Action
1     On the Windows 2000 Server Start menu, select Programs > Administrative Tools > DHCP.
      The DHCP Management Console opens (see Figure 33 "The DHCP Management Console" (page 495)).
      Figure 33
      The DHCP Management Console
2     Select the DHCP server you want to configure.
      ATTENTION
      When you expand the DHCP server navigation tree component, the scopes for that particular server are listed below the server name and IP address.
3     From the DHCP Management Console toolbar, select Action > Set Predefined Options.
      The Predefined Options and Values dialog box opens (see Figure 34 "The Predefined Options and Values dialog box" (page 496)).
      Figure 34
      The Predefined Options and Values dialog box
4     Click Add.
      The Option Type dialog box opens (see Figure 35 "The Option Type dialog box" (page 496)).
      Figure 35
      The Option Type dialog box
5     Create the DHCP option for the call server information.
      a  In the Option Type dialog box, enter the required information (see Table 92).
         Table 92
         Option Type dialog box field values for Call Server Information
         Field        Value
         Name         Call Server Information
         Data type    String
         Code         128 (Call Server configuration)
         Description  Comments (Optional)
      b  Click OK.
6     Create the DHCP option for the auto-discovery of VLAN ID information:
      a  In the Predefined Options and Values dialog box, click Add.
         The Option Type dialog box opens (see Figure 35 "The Option Type dialog box" (page 496)).
      b  In the Option Type dialog box, enter the required information (see Table 93).
         Table 93
         Option Type dialog box field values for VLAN Information
         Field        Value
         Name         VLAN Information
         Data type    String
         Code         191
         Description  Comments (Optional)
      c  Click OK.
7     In the Predefined Options and Values dialog box, click OK to return to the DHCP Management Console.
--End--
Configuring the Call Server Information and VLAN Information options
For the Auto VLAN Discovery feature, you must configure the options for both the data (or boot) VLAN and the Phone VLAN. Configure the option for the data (or boot) VLAN first, then repeat the steps to configure the option for the Phone VLAN.
To configure the options, perform the following steps.
Step  Action
1     In the DHCP Management Console, expand the required VLAN:
      - first, the data (or boot) VLAN used with the IP Phone
      - when you repeat the steps, the Phone VLAN
2     Right-click Scope Options, and select Configure Options.
      The Scope Options dialog box opens (see Figure 36 "The Scope Options dialog box" (page 498)).
      Figure 36
      The Scope Options dialog box
3     Using the scroll bar, scroll down the list to find the two DHCP options just created.
4     Configure Call Server Information:
      a  Select the check box beside 128 Call Server Information.
      b  In the String value field, enter the following string:
         Nortel-i2004-A,iii.iii.iii.iii:ppppp,aaa,rrr;iii.iii.iii.iii:ppppp,aaa,rrr.
         ATTENTION
         The Nortel IP Phone 2002, IP Phone 2004, and IP Phone 2007 use the same signature. Therefore, the string value for Call Server Information is the same for all these IP Phones.
         Table 94 (page 498) describes the parameters.
         Table 94
         Call Server Information string parameter values
         Parameter        Description
         A                The hardware revision of the IP Phone
         iii.iii.iii.iii  The IP address of the Call Server (S1 or S2)
         ppppp            The port number for the Call Server
         aaa              The Action for the server
         rrr              The Retry Count for the server
         DHCP option 128 carries the Call Server information that the IP Phone needs in order to connect to the call server.
         The following rules apply:
         - The IP address must be separated from the port by a colon (:).
         - The parameters for the Primary (S1) and Secondary (S2) are separated by a semicolon (;).
         - The string must end in a period (.).
         ATTENTION
         After you have entered the string, it will subsequently appear automatically each time the option is added to a scope.
      c  Click Apply.
5     Configure VLAN Information:
      a  In the Scope Options dialog box (see Figure 36 "The Scope Options dialog box" (page 498)), select the check box beside 191 VLAN Information.
      b  In the String value field, enter the following string:
         VLAN-A:vvvv.
         Table 95 (page 499) describes the parameters.
         Table 95
         VLAN ID Information string parameter values
         Parameter  Description
         A          The hardware revision of the IP Phone
         vvvv       The VLAN ID in decimal
         The site-specific option 191 carries the VLAN ID information that the IP Phone requires in order to boot into the Phone VLAN.
         The following rules apply:
         - A colon (:) separates the hardware revision from the VLAN ID.
         - The string must end in a period (.).
      c  Click Apply.
6     Click OK.
7     Repeat step 1 through step 6 to configure the options for the Phone VLAN.
--End--
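The option 128 and option 191 strings above are typed by hand into the DHCP console, and nothing in DHCP authenticates them: a phone trusts whatever values the server that answers its request hands out. The following module is an added example written for this edition, not Nortel code. It builds and validates both strings from the rules in Table 94 and Table 95 and cross-checks an observed offer against the expected call servers and Phone VLAN, which is what a practitioner does when verifying a scope or hunting for a rogue DHCP server. The addresses, port, action and retry values used are constructed; the page does not define the allowed values of the action and retry fields, so they are carried as opaque strings.

```python
"""Build and validate the Nortel IP Phone DHCP option strings (options 128 and 191).

Added example (editor's code, not Nortel's). The formats follow Table 94 and
Table 95: "Nortel-i2004-A,ip:port,action,retry;ip:port,action,retry." and
"VLAN-A:vvvv." All concrete values below are constructed for the example.
"""
import ipaddress
import re
from dataclasses import dataclass

SIGNATURE = "Nortel-i2004-"   # shared by IP Phone 2002, 2004 and 2007; revision follows


@dataclass(frozen=True)
class CallServer:
    ip: str
    port: int
    action: str    # "aaa" in Table 94; kept opaque, the page does not define its values
    retry: str     # "rrr" in Table 94


def build_call_server_option(revision: str, servers) -> str:
    """Option 128 value: signature+revision, S1[;S2] entries, terminating period."""
    if len(servers) not in (1, 2):
        raise ValueError("expected a primary (S1) and optional secondary (S2) call server")
    entries = [f"{s.ip}:{s.port},{s.action},{s.retry}" for s in servers]
    return f"{SIGNATURE}{revision}," + ";".join(entries) + "."


# One server entry: ip:port,action,retry (colon between IP and port per Table 94 rules)
_ENTRY = re.compile(r"^(?P<ip>[0-9.]+):(?P<port>\d{1,5}),(?P<action>[^,;]+),(?P<retry>[^,;]+)$")


def parse_call_server_option(value: str):
    """Validate an option 128 string; return (revision, [CallServer, ...]) or raise ValueError."""
    if not value.endswith("."):
        raise ValueError("option 128 string must end in a period")
    body = value[:-1]
    if not body.startswith(SIGNATURE):
        raise ValueError("missing Nortel-i2004- signature")
    revision, sep, rest = body[len(SIGNATURE):].partition(",")
    if not sep or not revision:
        raise ValueError("missing hardware revision or server list")
    servers = []
    for entry in rest.split(";"):          # semicolon separates S1 from S2
        m = _ENTRY.match(entry)
        if not m:
            raise ValueError(f"malformed server entry: {entry!r}")
        ipaddress.IPv4Address(m["ip"])     # raises (a ValueError subclass) on a bad address
        port = int(m["port"])
        if not 1 <= port <= 65535:
            raise ValueError(f"port out of range: {port}")
        servers.append(CallServer(m["ip"], port, m["action"], m["retry"]))
    if len(servers) > 2:
        raise ValueError("more than S1 and S2 given")
    return revision, servers


def build_vlan_option(revision: str, vlan_id: int) -> str:
    """Option 191 value: "VLAN-A:vvvv." with the VLAN ID in decimal."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be 1..4094")
    return f"VLAN-{revision}:{vlan_id}."


def parse_vlan_option(value: str):
    """Validate an option 191 string; return (revision, vlan_id) or raise ValueError."""
    m = re.fullmatch(r"VLAN-(?P<rev>[^:]+):(?P<vid>\d{1,4})\.", value)
    if not m:
        raise ValueError(f"malformed VLAN option: {value!r}")
    vid = int(m["vid"])
    if not 1 <= vid <= 4094:
        raise ValueError(f"VLAN ID out of range: {vid}")
    return m["rev"], vid


def offer_is_expected(opt128: str, opt191: str, trusted_servers: set, phone_vlan: int) -> bool:
    """Cross-check the phone options in a DHCP offer against the expected values.

    DHCP offers are unauthenticated, so a rogue server can steer phones to another
    call server or VLAN; a malformed or unexpected value is treated as a failure."""
    try:
        _, servers = parse_call_server_option(opt128)
        _, vid = parse_vlan_option(opt191)
    except ValueError:
        return False
    return all(s.ip in trusted_servers for s in servers) and vid == phone_vlan


if __name__ == "__main__":
    # Constructed values; 192.0.2.0/24 is documentation address space.
    s1 = CallServer("192.0.2.10", 4100, "1", "10")
    s2 = CallServer("192.0.2.11", 4100, "1", "10")
    print(build_call_server_option("A", [s1, s2]))
    print(build_vlan_option("A", 120))
```

The parser enforces exactly the three rules the page states for option 128 (colon between address and port, semicolon between S1 and S2, terminating period) plus address and port range checks; offer_is_expected is the piece to drop into a scan of observed offers, since it returns False for a rogue server's values as readily as for a typo in the scope.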
Setting up the IP Phone
In order for the IP Phone to take advantage of the DHCP auto-configuration features, set the IP Phone up as follows:
Step  Action
1     Set the DHCP Option on the IP Phone to 1 to use DHCP.
2     Select 0 to set the phone to use FULL DHCP.
3     Select 2 (for Automatic) to set the phone to learn its VLAN ID from the DHCP server.
--End--
Appendix  
Using a Windows domain logon script  
to launch the Nortel SNAS portal  
This appendix explains how to configure a Windows domain logon script  
to automatically launch an end user’s browser on startup and present the  
Nortel SNAS portal page.  
This appendix includes the following topics:
- "Configuring the logon script" (page 501)
- "Creating a logon script" (page 502)
- "Assigning the logon script" (page 503)
ATTENTION
This appendix provides an example of a very basic logon script to launch the Nortel SNAS portal page. The simple script launches the end user's browser every time the user logs on, regardless of connection method. It is beyond the scope of this document to show additional examples of scripts that accommodate different modes of connecting to a Nortel SNAS portal.
Configuring the logon script
To configure the logon script to automatically launch an end user's browser, perform the following steps:
Step  Action
1     Create the logon script (see "Creating a logon script" (page 502)).
2     On a Windows 2000 domain controller, save the script to the following directory:
      %systemroot%\SYSVOL\sysvol\[Domain Name]\Policies\[GUID]\User\Scripts\Logon
      where:
      - %systemroot% is an environment variable representing the operating system root folder. By default, in a Windows 2000 operating system, the root folder is called WINNT.
      - [Domain Name] represents the domain on which you will use the logon script. The same script can be used in multiple domains to accomplish the same task.
      - [GUID] is the globally unique identifier of the associated Group Policy Object.
3     Configure the default domain policy to assign the script to all users in the domain (see "Assigning the logon script" (page 503)).
--End--
Creating a logon script
To create a logon script for use on a Windows domain controller to automatically launch an end user's browser, choose one of the following:
Creating the script as a batch file
Step  Action
1     Using Windows, open a plain text editor, such as Notepad.
2     Compose the script using the following sample format:
      explorer.exe https://10.10.10.1
      where 10.10.10.1 is the portal Virtual IP address (pVIP) of the Nortel SNAS.
      ATTENTION
      As an alternative to using Explorer to launch the browser, you can replace explorer.exe with the path and file name of your default browser executable, enclosed in quotes. For example:
      "%programfiles%\Netscape\Netscape Browser\netscape.exe"
3     Save the file as a batch file (*.bat).
--End--
Creating the script as a VBScript file
Step  Action
1     Using Windows, open a plain text editor, such as Notepad.
2     Compose the script using the following sample format:
      ' Start Internet Explorer through its COM automation object
      Dim IE
      Set IE = CreateObject("InternetExplorer.Application")
      ' The window is created hidden; show it, then open the SNAS portal
      IE.visible = true
      IE.Navigate "https://10.10.10.1"
      where 10.10.10.1 is the portal Virtual IP address (pVIP) of the Nortel SNAS.
3     Save the file as a VBScript file (*.vbs).
--End--
Assigning the logon script
To assign the logon script for use, perform the following steps. Figure 37 "Assigning a logon script" (page 504) shows the result.
Step  Action
1     Click Start > Administrative Tools > Active Directory Users and Computers.
2     Right-click the domain to which you want to add the script, and select Properties.
3     On the Group Policy tab, click Open.
4     Double-click Default Domain Policy.
5     Right-click the Default Domain Policy and select Edit.
6     Expand User Configuration > Windows Settings and select Scripts (Logon/Logoff).
7     In the right pane, double-click Logon.
8     Click Add.
9     Enter the file name of the script you want to assign, and click OK.
10    Click OK. The logon script is now assigned and will take effect the next time users log on to the domain.
Figure 37
Assigning a logon script
--End--
Appendix  
Software licensing information  
OpenSSL License issues  
The OpenSSL toolkit stays under a dual license: both the conditions of the  
OpenSSL License and the original SSLeay license apply to the toolkit. See  
below for the actual license texts. Both licenses are actually BSD-style  
Open Source licenses. In case of any license issues related to OpenSSL  
contact [email protected].  
OpenSSL License Copyright © 1998-1999 The OpenSSL Project. All  
rights reserved. Redistribution and use in source and binary forms, with or  
without modification, are permitted provided that the following conditions  
are met:  
1. Redistributions of source code must retain the above copyright notice,  
this list of conditions, and the following disclaimer.  
2. Redistributions in binary form must reproduce the above copyright  
notice, this list of conditions, and the following disclaimer in the  
documentation and/or other materials provided with the distribution.  
3. All advertising materials mentioning features or use of this software  
must display the following acknowledgment: "This product includes  
software developed by the OpenSSL Project for use in the OpenSSL  
Toolkit. (http://www.openssl.org)"  
4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not  
be used to endorse or promote products derived from this software  
without prior written permission. For written permission, please contact  
5. Products derived from this software may not be called "OpenSSL" nor  
may "OpenSSL" appear in their names without prior written permission of  
the OpenSSL Project.  
6. Redistributions of any form whatsoever must retain the following  
acknowledgment: "This product includes software developed by the  
OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org)"  
THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT "AS IS"  
AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT  
NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY  
AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN  
NO EVENT SHALL THE OpenSSL PROJECT OR ITS CONTRIBUTORS  
BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,  
EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT  
NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR  
SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS  
INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF  
LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT  
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY  
OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE  
POSSIBILITY OF SUCH DAMAGE.  
This product includes cryptographic software written by Eric Young  
([email protected]). This product includes software written by Tim  
Hudson ([email protected]).  
Original SSLeay License  
Copyright © 1995-1998 Eric Young ([email protected]) All rights  
reserved. This package is an SSL implementation written by Eric Young  
([email protected]). The implementation was written so as to conform  
with Netscape SSL. This library is free for commercial and non-commercial  
use as long as the following conditions are adhered to. The following  
conditions apply to all code found in this distribution, be it the RC4, RSA,  
lhash, DES, etc., code; not just the SSL code. The SSL documentation  
included with this distribution is covered by the same copyright terms  
except that the holder is Tim Hudson ([email protected]). Copyright  
remains Eric Young’s, and as such, any Copyright notices in the code  
are not to be removed. If this package is used in a product, Eric Young  
should be given attribution as the author of the parts of the library used.  
This can be in the form of a textual message at program start-up or in  
documentation (online or textual) provided with the package. Redistribution  
and use in source and binary forms, with or without modification, are  
permitted, provided that the following conditions are met:  
1. Redistributions of source code must retain the copyright notice, this list  
of conditions, and the following disclaimer.  
2. Redistributions in binary form must reproduce the above copyright  
notice, this list of conditions, and the following disclaimer in the  
documentation and/or other materials provided with the distribution.  
3. All advertising materials mentioning features or use of this software  
must display the following acknowledgement: "This product includes  
cryptographic software written by Eric Young ([email protected])". The  
word "cryptographic" can be left out if the routines from the library being  
used are not cryptographic related.  
4. If you include any Windows specific code (or a derivative thereof)  
from the apps directory (application code), you must include an  
acknowledgement: "This product includes software written by Tim Hudson  
THIS SOFTWARE IS PROVIDED BY ERIC YOUNG "AS IS" AND  
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT  
LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND  
FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO  
EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR  
ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR  
CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,  
PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF  
USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER  
CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN  
CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE  
OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS  
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH  
DAMAGE.  
The licence and distribution terms for any publicly available version or  
derivative of this code cannot be changed. That is, this code cannot simply  
be copied and put under another distribution licence [including the GNU  
Public Licence.]  
GNU General Public License  
Version 2, June 1991  
Copyright © 1989, 1991 Free Software Foundation, Inc. 59 Temple Place,  
Suite 330, Boston, MA 02111-1307 USA  
Everyone is permitted to copy and distribute verbatim copies of this license  
document, but changing it is not allowed.  
GNU GENERAL PUBLIC LICENSE  
TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND  
MODIFICATION  
0. This License applies to any program or other work that contains a  
notice placed by the copyright holder saying it may be distributed under  
the terms of this General Public License. The "Program," below, refers  
to any such program or work. A "work based on the Program" means  
either the Program or any derivative work under copyright law: that is,  
a work containing the Program or a portion of it, either verbatim or with  
modifications and/or translated into another language. (Hereinafter,  
translation is included without limitation in the term "modification.") Each  
licensee is addressed as "you."  
Activities other than copying, distribution and modification are not covered  
by this License; they are outside its scope. The act of running the Program  
is not restricted, and the output from the Program is covered only if its  
contents constitute a work based on the Program (independent of having  
been made by running the Program). Whether that is true depends on  
what the Program does.  
1. You may copy and distribute verbatim copies of the Program’s source  
code as you receive it, in any medium, provided that you conspicuously  
and appropriately publish on each copy an appropriate copyright notice  
and disclaimer of warranty; keep intact all the notices that refer to this  
License and to the absence of any warranty; and give any other recipients  
of the Program a copy of this License along with the Program.  
You may charge a fee for the physical act of transferring a copy, and you  
may at your option offer warranty protection in exchange for a fee.  
2. You may modify your copy or copies of the Program or any portion of it,  
thus forming a work based on the Program, and copy and distribute such  
modifications or work under the terms of Section 1, above, provided that  
you also meet all of these conditions:  
a) You must cause the modified files to carry prominent notices stating that  
you changed the files and the date of any change.  
b) You must cause any work that you distribute or publish in whole or in  
part that contains or is derived from the Program or any part thereof, to  
be licensed as a whole at no charge to all third parties under the terms  
of this License.  
c) If the modified program normally reads commands interactively when  
run, you must cause it (when started running for such interactive use in  
the most ordinary way) to print or display an announcement, including an  
appropriate copyright notice and a notice that there is no warranty (or else,  
saying that you provide a warranty), and that users may redistribute the  
program under these conditions, and telling the user how to view a copy  
of this License. (Exception: If the Program itself is interactive but does not  
normally print such an announcement, your work based on the Program is  
not required to print an announcement.)  
These requirements apply to the modified work as a whole. If identifiable  
sections of that work are not derived from the Program and can be  
reasonably considered independent and separate works in themselves,  
then this License, and its terms, do not apply to those sections when you  
distribute them as separate works. But when you distribute the same  
sections as part of a whole which is a work based on the Program, the  
distribution of the whole must be on the terms of this License, whose  
permissions for other licensees extend to the entire whole, and thus to  
each and every part regardless of who wrote it.  
Thus, it is not the intent of this section to claim rights or contest your rights  
to the work written entirely by you; rather, the intent is to exercise the right  
to control the distribution of derivative or collective works based on the  
Program.  
In addition, mere aggregation of another work not based on the Program  
with the Program (or with a work based on the Program) on a volume of a  
storage or distribution medium does not bring the other work under the  
scope of this License.  
3. You may copy and distribute the Program (or a work based on it, under  
Section 2) in object code or executable form under the terms of Sections 1  
and 2, above, provided that you also do one of the following:  
a) Accompany it with the complete corresponding machine-readable  
source code, which must be distributed under the terms of Sections 1 and  
2 above on a medium customarily used for software interchange; or,  
b) Accompany it with a written offer, valid for at least three years, to  
give any third party (for a charge no more than your cost of physically  
performing source distribution) a complete machine-readable copy of the  
corresponding source code, to be distributed under the terms of Sections 1  
and 2, above, on a medium customarily used for software interchange; or,  
c) Accompany it with the information you received as to the offer to  
distribute corresponding source code. (This alternative is allowed only for  
noncommercial distribution and only if you received the program in object  
code or executable form with such an offer, in accordance with Subsection  
b, above.)  
The source code for a work means the preferred form of the work for  
making modifications to it. For an executable work, complete source code  
means all the source code for all modules it contains, plus any associated  
interface definition files, plus the scripts used to control compilation and  
installation of the executable. However, as a special exception, the source  
code distributed need not include anything that is normally distributed  
(in either source or binary form) with the major components (compiler,  
kernel, and so on) of the operating system on which the executable runs,  
unless that component itself accompanies the executable. If distribution  
of executable or object code is made by offering access to copy from a  
designated place, then offering equivalent access to copy the source  
code from the same place counts as distribution of the source code, even  
though third parties are not compelled to copy the source along with the  
object code.  
4. You may not copy, modify, sublicense, or distribute the Program except  
as expressly provided under this License. Any attempt otherwise to copy,  
modify, sublicense or distribute the Program is void and will automatically  
terminate your rights under this License. However, parties who have  
received copies, or rights, from you under this License will not have their  
licenses terminated so long as such parties remain in full compliance.  
5. You are not required to accept this License, since you have not signed  
it. However, nothing else grants you permission to modify or distribute  
the Program or its derivative works. These actions are prohibited by law  
if you do not accept this License. Therefore, by modifying or distributing  
the Program (or any work based on the Program), you indicate your  
acceptance of this License to do so, and all its terms and conditions for  
copying, distributing or modifying the Program or works based on it.  
6. Each time you redistribute the Program (or any work based on the  
Program), the recipient automatically receives a license from the original  
licensor to copy, distribute, or modify the Program subject to these terms  
and conditions. You may not impose any further restrictions on the  
recipients’ exercise of the rights granted herein. You are not responsible  
for enforcing compliance by third parties to this License.  
7. If, as a consequence of a court judgment, or allegation of patent  
infringement, or for any other reason (not limited to patent issues),  
conditions are imposed on you (whether by court order, agreement or  
otherwise) that contradict the conditions of this License, they do not  
excuse you from the conditions of this License. If you cannot distribute  
so as to satisfy simultaneously your obligations under this License and  
any other pertinent obligations, then as a consequence you may not  
distribute the Program at all. For example, if a patent license would  
not permit royalty-free redistribution of the Program by all those who  
receive copies directly or indirectly through you, then the only way you  
could satisfy both it and this License would be to refrain entirely from  
distribution of the Program. If any portion of this section is held invalid  
or unenforceable under any particular circumstance, the balance of the  
section is intended to apply and the section as a whole is intended to apply  
in other circumstances.  
It is not the purpose of this section to induce you to infringe any patents  
or other property right claims or to contest validity of any such claims;  
this section has the sole purpose of protecting the integrity of the free  
software distribution system, which is implemented by public license  
practices. Many people have made generous contributions to the wide  
range of software distributed through that system in reliance on consistent  
application of that system. It is up to the author/donor to decide if he  
or she is willing to distribute software through any other system and a  
licensee cannot impose that choice. This section is intended to make  
thoroughly clear what is believed to be a consequence of the rest of this  
License.  
8. If the distribution and/or use of the Program is restricted in certain  
countries either by patents or by copyrighted interfaces, the original  
copyright holder who places the Program under this License may add an  
explicit geographical distribution limitation excluding those countries, so  
that distribution is permitted only in or among countries not thus excluded.  
In such case, this License incorporates the limitation as if written in the  
body of this License.  
9. The Free Software Foundation may publish revised and/or new versions  
of the General Public License from time to time. Such new versions will be  
similar in spirit to the present version, but may differ in detail to address  
new problems or concerns. Each version is given a distinguishing version  
number. If the Program specifies a version number of this License which  
applies to it and "any later version," you have the option of following  
the terms and conditions either of that version or of any later version  
published by the Free Software Foundation. If the Program does not  
specify a version number of this License, you may choose any version  
ever published by the Free Software Foundation.  
10. If you wish to incorporate parts of the Program into other free  
programs in which distribution conditions are different, write to the author  
for permission. For software which is copyrighted by the Free Software  
Foundation, write to the Free Software Foundation; we sometimes make  
exceptions for this. Our decision will be guided by the two goals of  
preserving the free status of all derivatives of our free software and of  
promoting the sharing and reuse of software generally.  
NO WARRANTY  
11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE,  
THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT  
PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE  
STATED IN WRITING, THE COPYRIGHT HOLDERS AND/OR OTHER  
PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF  
ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT  
LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND  
FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO  
THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU.  
SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE  
COST OF ALL NECESSARY SERVICING, REPAIR, OR CORRECTION.  
12. IN NO EVENT, UNLESS REQUIRED BY APPLICABLE LAW OR  
AGREED TO IN WRITING, WILL ANY COPYRIGHT HOLDER, OR  
ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE  
THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR  
DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL  
OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR  
INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED  
TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR  
LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF  
THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN  
IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE  
POSSIBILITY OF SUCH DAMAGES.  
END OF TERMS AND CONDITIONS.  
Apache Software License, Version 1.1  
Copyright (c) 2000 The Apache Software Foundation. All rights reserved.  
Redistribution and use in source and binary forms, with or without  
modification, are permitted provided that the following conditions are met:  
1. Redistributions of source code must retain the above copyright notice,  
this list of conditions and the following disclaimer.  
2. Redistributions in binary form must reproduce the above copyright  
notice, this list of conditions and the following disclaimer in the  
documentation and/or other materials provided with the distribution.  
3. The end-user documentation included with the redistribution,  
if any, must include the following acknowledgment: "This product  
includes software developed by the Apache Software Foundation  
(http://www.apache.org)". Alternately, this acknowledgment may appear  
in the software itself, if and wherever such third-party acknowledgments  
normally appear.  
4. The names "Apache" and "Apache Software Foundation" must not  
be used to endorse or promote products derived from this software  
without prior written permission. For written permission, please contact  
5. Products derived from this software may not be called "Apache", nor  
may "Apache" appear in their name, without prior written permission of  
the Apache Software Foundation.  
THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESSED  
OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE  
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR  
A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL  
THE APACHE SOFTWARE FOUNDATION OR ITS CONTRIBUTORS  
BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,  
EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT  
NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR  
SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS  
INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF  
LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT  
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY  
OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE  
POSSIBILITY OF SUCH DAMAGE.  
This software consists of voluntary contributions made by many individuals  
on behalf of the Apache Software Foundation. For more information on the  
Apache Software Foundation, please see http://www.apache.org.  
Portions of this software are based upon public domain software originally  
written at the National Center for Supercomputing Applications, University  
of Illinois, Urbana-Champaign.  
Bouncy Castle license  
Copyright (c) 2000 - 2004 The Legion Of The Bouncy Castle  
Permission is hereby granted, free of charge, to any person obtaining a  
copy of this software and associated documentation files (the "Software"),  
to deal in the Software without restriction, including without limitation the  
rights to use, copy, modify, merge, publish, distribute, sublicense, and/or  
sell copies of the Software, and to permit persons to whom the Software is  
furnished to do so, subject to the following conditions:  
The above copyright notice and this permission notice shall be included in  
all copies or substantial portions of the Software.  
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF  
ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED  
TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A  
PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT  
SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR  
ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN  
ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,  
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR  
OTHER DEALINGS IN THE SOFTWARE.  
Index  
A
network access device 60, 62  
B
backup  
certificates and keys 300, 316  
C
IP addresses 42–43  
domain 79, 89  
D
disable  
network access device 64, 74  
domain  
configure 79, 89  
E
export  
certificates and keys 300, 318  
configure 153, 156  
in Nortel SNA 30, 150  
configure 153, 164  
H
F
first-time configuration 43, 383  
I
G
install  
certificates and keys 299, 310  
J
K
M
L
SSH keys 68, 71  
N
network access device  
disable 64, 74  
O
P
connected to certificate 309–310  
Q
S
save  
certificates and keys 300, 316  
R
manage 68, 71  
supported  
authentication methods 31, 171  
T
Telnet  
enable access 54, 379  
V
W
U
Y
Nortel Secure Network Access Switch  
Using the Command Line Interface  
Copyright © 2007, 2008 Nortel Networks  
All Rights Reserved.  
Release: 2.0  
Publication: NN47230-100  
Document status: Standard  
Document revision: 03.01  
Document release date: 28 July 2008  
To provide feedback or to report a problem in this document, go to www.nortel.com/documentfeedback.  
www.nortel.com  
Sourced in Canada, the United States of America, and India  
LEGAL NOTICE  
While the information in this document is believed to be accurate and reliable, except as otherwise expressly agreed to in writing  
NORTEL PROVIDES THIS DOCUMENT "AS IS" WITHOUT WARRANTY OR CONDITION OF ANY KIND, EITHER EXPRESS  
OR IMPLIED. The information and/or products described in this document are subject to change without notice.  
Nortel, the Nortel logo, and the Globemark are trademarks of Nortel Networks.  
All other trademarks are the property of their respective owners.  