Nortel Networks 325 series, 425 series, 450 series, 4500 Series, 5500 series - page 199

Configuring authentication 199

Table 41

Managing Active Directory passwords

/cfg/doamin #/aaa/auth #/ldap/activedire

followed by:

enaexpired true|false Specifies whether the system will perform a

password-expired check.

•true—the system performs a

password-expired check against Active

Directory when the client logs on.

•false—the system does not perform a

password-expired check against Active

Directory when the client logs on.

expiredgro <group> Specifiesthe group in which clients with

expired passwords will be placed.

expasgrou Sets the group in which users with expired

passwords should be placed.

Before using this command, define the use

group in the Local database. Configure a link

to a site where the user can change his/her

password. Configure an access rule restricting

access to the specified site.

recursivem true|false Specifies the setting for recursive group

membership.

•true—if the client belongs to an Active

Directory group which, in turn, belongs to

another group, all groups are returned.

•false—if the client belongs to an Active

Directory group which, in turn, belongs

to another group, only the first group is

returned.

Configuring Advanced LDAP Settings

The Advanced LDAP settings configure the desired attribute/value when

searching for a user record in an LDAP/Active Directory database. The

feature is disabled by default, which means that no extra requirement is

added when searching for a user record.

To configure the advanced settings, use the following commands

Nortel Secure Network Access Switch

Using the Command Line Interface

NN47230-100 03.01 Standard

28 July 2008

Copyright © 2007,2008 NortelNetworks

.

Contents

Main Page Contents Configuring the domain 79 Configuration of the RADIUS server 127 Configuration of Microsoft NAP Interoperability 139 Configuring groups and profiles 149 Configuring authentication 171 Managing system users and groups 211 Customizing the portal and user logon 227 Configuring system settings 257 Managing certificates 297 Configuring SNMP 323 Viewing system information and performance statistics 337 Maintaining and managing the system 351 Upgrading or reinstalling the software 367 The Command Line Interface 377 Configuration example 385 Troubleshooting 403 Page Page Software license Nortel Networks software license agreement 1. 2. 3. 4. a. b. c. d. e. Page New in this release Other changes Introduction Text conventions Page Related information Publications Page Overview The Nortel SNAS Supporting additional users with the software license le Role of the Nortel SNAS Page Page Groups and profiles Authentication methods Nortel Health Agent host integrity check Multi-OS Applet Support Page Nortel SNAS clusters Interface conguration One armed configuration Nortel SNAS conguration and management tools Nortel SNAS conguration roadmap Page Page Initial setup About the IP addresses Management IP address Portal Virtual IP address Real IP address Initial setup Setting up a single Nortel SNAS device or the rst in a cluster Page WARNING Page Page restricted in accordance with the rights specified in the access rules for the group. The default is restricted. Settings created by the quick setup wizard Adding a Nortel SNAS device to a cluster Before you begin Joining a cluster Page Page Next steps Applying and saving the conguration Page Managing the network access devices Managing network access devices Roadmap of domain switch commands Page Adding a network access devices Using the quick switch setup wizard Page Manually adding a switch Deleting a network access devices Conguring the network access devices To configure a network access devices in the Nortel SNAS domain, use /cfg/domain #/switch <switch ID> switch ID is the ID or name of the switch you want to configure. The Switch menu appears. The Switch menu includes the following options: Mapping the VLANs Page Managing SSH keys Page Generating SSH keys for the domain To generate, view, and export the public SSH key for the domain, use the Page The SSH Key menu appears. The SSH Key menu includes the following options: Reimporting the network access devices SSH key Monitoring switch health Controlling communication with the network access devices Conguring SSCPLite Conguring SNMP Proles Conguring SNMP Versions Conguring SSCPLite Community Conguring SNMP Templates Page Conguring the domain Conguring the domain Page Roadmap of domain commands Page Using the Nortel SNAS domain quick setup wizard in the CLI Page Page Deleting a domain Conguring domain parameters Page Page Conguring the Nortel Health Agent check Page Page Using the quick Nortel Health Agent setup wizard in the CLI Conguring the SSL server The server number assigned to the portal server configured for the domain is server 1001. To configure the portal server used in the domain, use the following The Server 1001 menu appears. The Server 1001 menu includes the following options: Tracing SSL traffic The Trace menu appears. The Trace menu includes the following options: Page Page Configuring SSL settings To configure SSL-specific settings for the portal server, use the following The SSL Settings menu appears. The SSL Settings menu includes the following options: Page Configuring traffic log settings Conguring HTTP redirect Browser-Based Management Conguration Browser-Based Management Conguration with SSL Conguring advanced settings Conguring RADIUS accounting Managing RADIUS accounting servers To configure the Nortel SNAS to use external RADIUS accounting servers, use the following command: Page Configuring Nortel SNAS -specific attributes Conguring local DHCP services Page DHCP Settings menu The DHCP settings menu includes the following options: Filter DHCP subnet type Standard DHCP subnet type Managing local DHCP leases The following commands are provided for managing DHCP leases: Creation of the location Creation of the locations Conguring Lumension PatchLink integration Page Page Conguration of the RADIUS server Overview of RADIUS server 802.1x functionality Roadmap of RADIUS server conguration commands Conguration of the RADIUS server To configure the RADIUS server, use the following command The RADIUS Server menu appears. The RADIUS Server menu includes the following options: Conguration of the client To configure the client, use the following command: The RADIUS Clients menu appears. The RADIUS Clients menu includes the following options: Conguration of the realms To configure the realms, use the following command: Page Conguration of the dictionary To configure the dictionary, use the following command: Page Page Page Select the server certicate Select the server certificate from the list, use the following command: This includes the following options: Select the CA certicate Select the server certificate from the list, use the following command: This includes the following options: Conguration of Microsoft NAP Interoperability This chapter includes the following topics: Roadmap of NAP conguration commands Conguration of NAP Interoperability Probation Settings Remote Network Policy Servers To create the remote network policy servers, use the following command: The Remote Network Policy Servers menu includes the following Page Page Page Page Conguring groups and proles Overview Groups Default group Linksets SRS rule Extended proles Page Conguring groups and extended proles Roadmap of group and prole commands Page Page Page Page Page Page Page Page Conguring client lters The Client Filter menu includes the following options: Page The Extended Profile menu appears. The Extended Profile menu includes the following options: Creating RADIUS attributes to a group Mapping linksets to a group or prole Page Creating a default group Page Conguring authentication Overview Page Conguring authentication Roadmap of authentication commands Page Page Conguring authentication methods Page Conguring advanced settings Conguring RADIUS authentication Adding the RADIUS authentication method Modifying RADIUS configuration settings Page Managing RADIUS authentication servers The Radius servers menu appears. The Radius servers menu includes the following options: Configuring session timeout The Session Timeout menu appears. The Session Timeout menu includes the following options: Conguring LDAP authentication Adding the LDAP authentication method Modifying LDAP configuration settings To modify settings for the specific LDAP configuration, use the following The LDAP menu appears. The LDAP menu includes the following options: Page Page Managing LDAP authentication servers The LDAP servers menu includes the following options: Managing LDAP macros Page Group Search Configuration Managing Active Directory passwords Configuring Advanced LDAP Settings Conguring local database authentication Adding the local database authentication method Managing the local portal database Page Page Page Managing the local MAC database Page Specifying authentication fallback order Page Managing system users and groups User rights and group membership Managing system users and groups Roadmap of system user management commands Managing user accounts and passwords The User menu appears. The User menu includes the following options: Page Page Managing user settings Managing user groups CLI conguration examples Adding a new user Page Changing a users group assignment Page Changing passwords Page Deleting a user Page Customizing the portal and user logon Overview Captive portal and Exclude List Portal display Portal look and feel Page Page Self service portal Linksets and links Macros Automatic redirection to internal sites Examples of redirection URLs and links Managing the end user experience Automatic JRE upload Windows domain logon script Customizing the portal and logon Roadmap of portal and logon conguration commands Page Conguring the captive portal Conguring the Exclude List Changing the portal language 4Set the portal to display the new language (see Setting the portal display language (page 243)). Configuring language support To manage the language definition files in the system, use the following The Language Support menu appears. The Language Support menu includes the following options: Setting the portal display language To set the preferred language for the portal display, use the following Conguring the portal display The Portal menu appears. The Portal menu includes the following options: Page Page Page Changing the portal colors To customize the colors used for the portal display, use the following The Portal Colors menu appears. The Portal Colors menu includes the following options: For more information about the portal colors and themes, see Colors (page 231) . Conguring custom content To add custom content, such as Java applets, to the portal, use the Conguring linksets Page Conguring links To create and configure the links included in the linkset, use the following /cfg/doamin #/linkset <linkset ID> /link <index> index is an integer in the range 1 to 256 that indicates the position of the link in the linkset. Page Configuring external link settings Page Conguring system settings This chapter includes the following topics: Conguring the cluster To configure the cluster, access the System menu by using the following Page Page Page Page Conguring system settings To view and configure cluster-wide system settings, use the following The System menu appears. The System menu includes the following options: Page Conguring the Nortel SNAS host Page Page Page Viewing host information Conguring host interfaces Page Conguring static routes To manage static routes for a particular interface, use the following Conguring host ports Managing interface ports Conguring the Access List Conguring date and time settings Conguring DNS servers and settings To configure DNS settings for the cluster, use the following command: The DNS Settings menu appears. The DNS Settings menu includes the following options: Managing DNS servers Page Conguring RSA servers The RSA Servers menu appears. The RSA Servers menu includes the following options: Conguring syslog servers Page Page Enabling TunnelGuardSRS administration Conguring Nortel SNAS host SSH keys Managing known hosts SSH keys The SSH Known Host Keys menu includes the following options: Conguring RADIUS auditing About RADIUS auditing About the vendor-specific attributes Configuring RADIUS auditing Managing RADIUS audit servers To configure the Nortel SNAS to use external RADIUS audit servers, use The RADIUS Audit Servers menu appears. The RADIUS Audit Servers menu includes the following options: Conguring authentication of system users The Authentication menu appears. The Authentication menu includes the following options: Managing RADIUS authentication servers Conguration of auto blacklisting To create the auto blacklisting, use the following command: The Auto Blacklisting menu appears. The Auto Blacklisting menu includes the following options: Conguration of harden password To configure harden password, use the following command: The Harden Password menu appears. The Harden Password menu includes the following options: Page Managing certicates Overview Key and certicate formats Creating certicates Installing certicates and keys Saving or exporting certicates and keys Updating certicates Managing private keys and certicates Roadmap of certicate management commands Managing and viewing certicates and keys Page Page Generating and submitting a CSR parameters. The combined length of the parameters cannot exceed 225 bytes. Identifier domain name Page Page Adding a certicate to the Nortel SNAS Page Adding a private key to the Nortel SNAS Page Importing certicates and keys into the Nortel SNAS Page Displaying or saving a certicate and key Page Exporting a certicate and key from the Nortel SNAS Generating a test certicate Page Page Conguring SNMP Conguring SNMP Roadmap of SNMP commands Conguring SNMP settings To configure SNMP management of the Nortel SNAS cluster, use the The SNMP menu appears. The SNMP menu includes the following options: Conguring the SNMP v2 MIB To configure parameters in the standard SNMPv2 MIB, use the following The SNMPv2-MIB menu appears. The SNMPv2-MIB menu includes the following options: Conguring the SNMP community Page Conguring SNMP notication targets target ID is a positive integer that uniquely identifies the notification target in the cluster. Conguring SNMP events Page Page Page Viewing system information and performance statistics Viewing system information and performance statistics Roadmap of information and statistics commands Page Viewing system information The Information menu appears. The Information menu includes the following options: Page Page Page Page Viewing alarm events To view active alarms, use the following command: The Events menu appears. The Events menu includes the following options: Viewing log les Page Kicking by username or address Nortel SNAS TPS Interface Page Maintaining and managing the system Managing and maintaining the system Roadmap of maintenance and boot commands Performing maintenance The Maintenance menu appears. The Maintenance menu includes the following options: Page Page Backing up or restoring the conguration To save the system configuration to a file on a file exchange server, use /cfg/ptcfg <protocol> <host name or IP address of server> <filename on server> Page Page Conguring the Nortel SNAS scheduler The Scheduler menu appears. The Scheduler menu includes the following options: Addition of a scheduled task To add a scheduled task, use the following command: This includes the following fields: Page Managing Nortel SNAS devices To manage Nortel SNAS software and devices, use the following The Boot menu appears. The Boot menu includes the following options: Managing software for a Nortel SNAS device The Software Management menu appears. The Software Management menu includes the following options: Page Page Page Upgrading or reinstalling the software Upgrading the Nortel SNAS Performing minor and major release upgrades Downloading the software image Activating the software upgrade package Page Page Reinstalling the software Before you begin Reinstalling the software from an external le server Page Reinstalling the software from a CD Page The Command Line Interface Connecting to the Nortel SNAS Establishing a console connection Requirements Procedure steps Establishing a Telnet connection Enabling and restricting Telnet access Running Telnet Establishing a connection using SSH Enabling and restricting SSH access Running an SSH client Accessing the Nortel SNAS cluster Page CLI Main Menu or Setup Command line history and editing Idle timeout Page Conguration example Scenario Page Steps 1. 2. 3. 4. Page Page Page Page Congure the network core router Configuring the Nortel SNAS pVIP subnet Creating port-based VLANs Configuring the VoIP VLANs Configuring the Red, Yellow, and Green VLANs Configuring the NSNA uplink filter Page Page Completing initial setup Adding the network access devices Page Mapping the VLANs Enabling the network access devices Page Troubleshooting Enable Telnet or SSH access Check the Access List Check the IP address configuration Cannot add the Nortel SNAS to a cluster Cannot contact the MIP Check the Access List Add Interface 1 IP addresses and the MIP to the Access List The Nortel SNAS stops responding Telnet or SSH connection to the MIP Console connection A user password is lost Administrator user password Operator user password Root user password Boot user password Trace tools System diagnostics Installed certicates Network diagnostics Page Active alarms and the events log le Error log les CLI reference Using the CLI Global commands Page Command line history and editing CLI shortcuts Command stacking Command abbreviation Tab completion Using a submenu name as a command argument Using slashes and spaces in commands CLI Main Menu CLI command reference Information menu Statistics menu Conguration menu Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Boot menu Maintenance menu Page Syslog messages Operating system (OS) messages System Control Process messages About alarm messages Page About event messages Trafc ProcessingSubsystem messages Page Page Table 82 "Traffic Processing messagesINFO" (page 460) lists the Traffic Processing INFO messages. Start-up messages AAA subsystem messages Page NSNAS subsystem messages There are two categories of NSNAS subsystem messages: Table 86 "NSNASERROR" (page 463) lists the NSNAS ERROR messages. Table 87 "NSNASINFO" (page 464) lists the NSNAS INFO messages. Page Syslog messages in alphabetical order Page Page Page Page Page Page Page Page Page Page Page Supported MIBs Supported MIBs Page Page Page Supported traps Table 90 "Supported traps" (page 481) describes the traps supported by the Nortel SNAS. Page Supported ciphers Page Adding User Preferences attribute to Active Directory Add the Active Directory Schema Snap-in (Windows 2000 Server and Windows Server 2003) Page Create a shortcut to the console window Permit write operations to the schema (Windows 2000 Server) Create a new attribute (Windows 2000 Server and Windows Server 2003) Create the new class Add isdUserPrefs attribute to nortelSSLOffload class Add the nortelSSLOffload Class to the User Class Page Conguring DHCP to auto-congure IP Phones Conguring IP Phone auto-conguration Creating the DHCP options Page Page Conguring the Call Server Information and VLAN Information options Page Page Setting up the IP Phone Using a Windows domain logon script to launch the Nortel SNAS portal Conguring the logon script Creating a logon script Assigning the logon script Page Software licensing information OpenSSL License issues Original SSLeay License GNU General Public License Page Page Page Page Apache Software License, Version 1.1 Bouncy Castle license Page Index A B C D E F G H I J K L M N O P Q R S T U V W Y Page Page Nortel Secure Network Access Switch Using the Command Line Interface