Nortel Secure Network Access Switch Using the Command Line Interface
Release: 2.0
Document Revision: 03.01
www.nortel.com
NN47230-100
Nortel Secure Network Access Switch
Release: 2.0
Publication: NN47230-100
Document status: Standard
Document release date: 28 July 2008
Copyright © 2007, 2008 Nortel Networks. All Rights Reserved.
Sourced in Canada, the United States of America, and India

LEGAL NOTICE
While the information in this document is believed to be accurate and reliable, except as otherwise expressly agreed to in writing NORTEL PROVIDES THIS DOCUMENT "AS IS" WITHOUT WARRANTY OR CONDITION OF ANY KIND, EITHER EXPRESS OR IMPLIED.
Contents
Software license 11
New in this release 15
Features 15
Other changes 16
Introduction 17
Before you begin 18
Text conventions 18
Related information 20
Publications 20
Online 21
How to get help 21
Overview 23
The Nortel SNAS 24
Elements of the Nortel SNAS 25
Supported users 25
Supporting additional users with the software license file 26
Role of the Nortel SNAS 27
Nortel SNAS clusters 35
Interface configuration 35
Nortel SNAS configuration and management tools 36
Nortel SNAS configu
Managing network access devices 58
Roadmap of domain switch commands 58
Adding a network access devices 60
Deleting a network access devices 64
Configuring the network access devices 64
Mapping the VLANs 66
Managing SSH keys 68
Monitoring switch health 73
Controlling communication with the network access devices
Configuring SSCPLite 74
Configuring SNMP Profiles 75
Configuring SNMP Versions 76
Configuring SSCPLite Community 77
Configuring SNMP Templates 77
Configuring the domain
Configuring the domain 79
Configuration of Microsoft NAP Interoperability 139
Roadmap of NAP configuration commands 139
Configuration of NAP Interoperability 140
Probation Settings 141
Remote Network Policy Servers 142
System Health Validators 143
Configuration of Windows System Health Validator 144
Configuring groups and profiles 149
Overview 149
Groups 150
Linksets 151
SRS rule 151
Extended profiles 151
Before you begin 152
Configuring groups and extended profiles 153
Roadmap of group and profile commands 153
Configuring g
Customizing the portal and user logon 227
Overview 227
Captive portal and Exclude List 228
Portal display 230
Managing the end user experience 237
Customizing the portal and logon 238
Roadmap of portal and logon configuration commands
Configuring the captive portal 240
Configuring the Exclude List 240
Changing the portal language 241
Configuring the portal display 244
Changing the portal colors 249
Configuring custom content 250
Configuring linksets 251
Configuring links 253
Configuring system settings
Updating certificates 300
Managing private keys and certificates 301
Roadmap of certificate management commands 301
Managing and viewing certificates and keys 302
Generating and submitting a CSR 305
Adding a certificate to the Nortel SNAS 310
Adding a private key to the Nortel SNAS 312
Importing certificates and keys into the Nortel SNAS 314
Displaying or saving a certificate and key 316
Exporting a certificate and key from the Nortel SNAS 318
Generating a test certificate 320
Configuring SNMP 323
Conf
Reinstalling the software 372
Before you begin 372
Reinstalling the software from an external file server 373
Reinstalling the software from a CD 375
The Command Line Interface 377
Connecting to the Nortel SNAS 378
Establishing a console connection 378
Establishing a Telnet connection 379
Establishing a connection using SSH 380
Accessing the Nortel SNAS cluster 381
CLI Main Menu or Setup 383
Command line history and editing 383
Idle timeout 383
Configuration example
Scenario 385
Steps 387
Configure t
Variables 420
CLI Main Menu 421
CLI command reference 422
Information menu 422
Statistics menu 423
Configuration menu 424
Boot menu 448
Maintenance menu 449
Syslog messages by message type 451
Operating system (OS) messages 452
System Control Process messages 453
Traffic Processing Subsystem messages 457
Start-up messages 461
AAA subsystem messages 461
NSNAS subsystem messages 463
Syslog messages in alphabetical order 465
Supported MIBs 477
Supported traps 481
485
Install All Administrative Tools (Windows
Nortel Secure Network Access Switch Using the Command Line Interface
NN47230-100 03.01 Standard 28 July 2008
Copyright © 2007, 2008 Nortel Networks
Software license
This section contains the Nortel Networks software license.

Nortel Networks software license agreement
This Software License Agreement ("License Agreement") is between you, the end-user ("Customer") and Nortel Networks Corporation and its subsidiaries and affiliates ("Nortel Networks"). PLEASE READ THE FOLLOWING CAREFULLY. YOU MUST ACCEPT THESE LICENSE TERMS IN ORDER TO DOWNLOAD AND/OR USE THE SOFTWARE. USE OF THE SOFTWARE CONSTITUTES YOUR ACCEPTANCE OF THIS LICENSE AGREEMENT.
uses the Software does so only in compliance with the terms of this Agreement. Customer shall not a) use, copy, modify, transfer or distribute the Software except as expressly authorized; b) reverse assemble, reverse compile, reverse engineer or otherwise translate the Software; c) create derivative works or modifications unless expressly authorized; or d) sublicense, rent or lease the Software. Licensors of intellectual property to Nortel Networks are beneficiaries of this provision.
New in this release
The following sections detail what's new in Nortel Secure Network Access Using the Command Line Interface (NN47230-100) for Release 2.0.
• "Features" (page 15)
• "Other changes" (page 16)

Features
This is the second standard release of the document. See the following sections for the information that was added in this release.
Multi-OS Applet Support—The Nortel Health captive portal applet supports Windows and non-Windows operating systems. For non-Windows operating systems the applet supports collecting operating system information and VLAN transition. For more information, see "Multi-OS Applet Support" (page 32).

Other changes
No changes.
Introduction
Nortel* Secure Network Access (Nortel SNAS) is a clientless solution that provides seamless, secure access to the corporate network from inside or outside that network.
and syntax of each CLI command are described in the document. For information on accessing the CLI, see "The Command Line Interface" (page 377). BBI is a graphical user interface (GUI) that runs in an online, interactive mode. BBI allows the management of multiple devices (for example, the Nortel SNAS) from one application. For information about using BBI to configure and manage Nortel SNAS, see Nortel Secure Network Access Switch Configuration — Using the BBI (NN47230-500).
Text conventions
angle brackets (< >)
Enter text based on the description inside the brackets. Do not type the brackets when entering the command. Example: If the command syntax is ping , you enter ping 192.32.10.12
bold text
Objects such as window names, dialog box names, and icons, as well as user interface objects such as buttons, tabs, and menu items.
bold Courier text
Command names, options, and text that you must enter. Example: Use the dinfo command.
italic text
Variables in command syntax descriptions. Also indicates new terms and book titles. Where a variable is two or more words, the words are connected by an underscore. Example: If the command syntax is show at , valid_route is one variable and you substitute one value for it.
plain Courier text
Command syntax and system output, for example, prompts and system messages. Example: Set Trap Monitor Filters
separator ( > )
Menu paths.
• Release Notes for the Nortel Secure Network Access Solution, Software Release 1.6.1 (NN47230-400)
• Release Notes for Enterprise Switch Manager (ESM), Software Release 5.2 (209960-H)
• Using Enterprise Switch Manager Release 5.1 (208963-F)
• Nortel Secure Network Access Switch Configuration — Using the BBI (NN47230-500)

Online
To access Nortel technical documentation online, go to the Nortel web site: http://www.nortel.
Step Action
1 Click CONTACT US on the left side of the HELP web page.
2 Click Technical Support on the CONTACT US web page.
3 Click Express Routing Codes on the TECHNICAL SUPPORT web page.
--End--
Overview
The Nortel Secure Network Access Solution Release 2.0 features are mapped to the relevant section(s) in this guide in the following table. For information on the Nortel SNAS Release 1.6.1 see Release Notes for Nortel Secure Network Access Solution Release 1.6.1, NN47230-400 (formerly 320850).

Table 1 Features on NSNA
Feature: Performance and scalability enhancements: 20,000 concurrent users
Section: Not applicable.
ATTENTION
Switches that support the Switch to Nortel SNAS Communication Protocol (SSCP) are referred to as NSNA network access devices in this document. Generally, NSNA network access devices are the Ethernet Routing Switch 5500 Series and the Ethernet Routing Switch 8300. Specifically, Release 1.6.1 features are supported by the Ethernet Routing Switch 5500 Series, Release 5.0.2 and later.
Elements of the Nortel SNAS
The following devices are essential elements of the Nortel SNAS:
• Nortel Secure Network Access Switch 4050 or 4070 (Nortel SNAS 4050 or 4070), which acts as the Policy Decision Point
• network access devices, which act as the Policy Enforcement Point
— Ethernet Routing Switch 8300
— Ethernet Routing Switch 4500, 5510, 5520, or 5530
ATTENTION
NSNA Release 1.6.1 does not currently support the Ethernet Routing Switch 8300 as a Policy Enforcement Point.
— Nortel IP Phone 2002
— Nortel IP Phone 2004
— Nortel IP Phone 2007
See Release Notes for the Nortel Secure Network Access Solution, Software Release 1.6.1 (NN47230-400), for the minimum firmware versions required for the IP Phones operating with different call servers. Each Nortel SNAS-enabled port on a network access device can support one PC (untagged traffic) and one IP Phone (tagged traffic). Softphone traffic is considered to be the same as PC traffic (untagged).
The following shows a sample display of the CLI interface when copying the license key:
>> Main# cfg/sys/host
Enter Host number: 1
>> iSD host 1# license
Paste the license, press Enter to create a new line, and then type "..." (without the quotation marks) to terminate.
Nortel SNAS functions
The Nortel SNAS performs the following functions:
• Acts as a web server portal, which is accessed by users in clientless mode for authentication and host integrity check and which sends remediation instructions and guidelines to endpoint clients if they fail the host integrity check.
• Communicates with backend authentication servers to identify authorized users and levels of access.
Four types of Layer 2 or Layer 3 VLANs are configured for VLANs and filters enforcement:
• Red—extremely restricted access. If the default filters are used, the user can communicate only with the Nortel SNAS and the Windows domain controller network. There is one Red VLAN for each network access device.
• Yellow—restricted access for remediation purposes if the client PC fails the host integrity check.
Filters only enforcement uses two VLANs: Red and VoIP. A client computer is placed in the Red VLAN, where it is held pending successful authentication. If authentication succeeds, Nortel Health Agent integrity checking can be used to determine whether remediation is required. Filters are applied to direct the client to the appropriate network resources, but the client remains in the same VLAN regardless of its status.
For information about configuring groups and extended profiles on the Nortel SNAS, see "Configuring groups and profiles" (page 149).

Authentication methods
You can configure more than one authentication method within a Nortel SNAS domain. Nortel Secure Network Access Switch Software Release 2.
Nortel Health Agent host integrity check
The Nortel Health Agent application checks client host integrity by verifying that the components you have specified as required for the client's personal firewall (executables, DLLs, configuration files, and so on) are installed and active on the client PC. You specify the required component entities and engineering rules by configuring a Software Requirement Set (SRS) rule and mapping the rule to a user group.
The "Multi-OS Support" feature allows the Nortel Health Agent to identify Linux operating system or Macintosh operating system users and collect the necessary information. The Nortel Health Agent can identify the operating system as Linux or Macintosh, collect the device-specific information, and also perform additional compliance checks for those operating systems.
Table 2 Communication channels in the Nortel SNAS network (cont'd.)
Communication: From EPM to edge switch
Communication protocol: Telnet over SSH
Communication: From authorized endpoint to DHCP server
Communication protocol: UDP
Telnet or SSH can be used for management communications between remote PCs and the Nortel SNAS devices.
Nortel SNAS clusters
For Release 1.6.1
A cluster is a group of Nortel SNAS 4050 devices that share the same configuration parameters. Nortel Secure Network Access Switch Software Release 1.6.1 supports four Nortel SNAS 4050 devices, or nodes, in a cluster. A network can contain multiple clusters.
For Release 2.0
A cluster is a group of Nortel SNAS 4050 or 4070 devices that share the same configuration parameters. Nortel Secure Network Access Switch Software Release 2.
the management side handles Nortel SNAS management traffic (traffic connecting the Nortel SNAS to internal resources and configuring the Nortel SNAS from a management station). The Nortel SNAS supports what is known as a one armed configuration. The following section describes this configuration type.

One armed configuration
In a one armed configuration, the Nortel SNAS has only one interface, which acts as both the client portal interface and the management traffic interface.
The configuration chapters in this User Guide describe the specific CLI commands used to configure the Nortel SNAS. For general information about using the CLI, see "The Command Line Interface" (page 377).
• Security & Routing Element Manager (SREM)
The SREM is a GUI application you can use to configure and manage the Nortel SNAS.
a Create a DHCP scope.
b Specify the IP address range and subnet mask for that scope.
c Configure the following DHCP options:
• Specify the default gateway.
• Specify the DNS server to be used by endpoints in that scope.
• If desired, configure DHCP so that the IP Phones learn their VLAN configuration data automatically from the DHCP server. For more information, see "Configuring DHCP to auto-configure IP Phones" (page 493).
4 Configure the network access devices:
a Configure static routes to all the networks behind the core router.
b Configure the switch management VLAN, if necessary.
c Configure and enable SSH on the switch.
d Configure the Nortel SNAS portal Virtual IP address (pVIP)/subnet.
e Configure port tagging, if applicable. For a Layer 2 switch, the uplink ports must be tagged to allow them to participate in multiple VLANs.
f Create the port-based VLANs.
5 Perform the initial setup on the Nortel SNAS (see "Initial setup" (page 43)). Nortel recommends running the quick setup wizard during initial setup, in order to create and configure basic settings for a fully functional portal.
6 Enable SSH and SRS Admin to allow communication with the SREM (see "Configuring administrative settings" (page 281)).
Initial setup
This chapter includes the following topics:
"Before you begin" (page 41)
"About the IP addresses" (page 42)
"Initial setup" (page 43)
"Setting up a single Nortel SNAS device or the first in a cluster" (page 43)
"Adding a Nortel SNAS device to a cluster" (page 50)
"Next steps" (page 54)
"Applying and saving the configuration" (page 55)

Before you begin
Before you can set up the Nortel SNAS, you must complete the following tasks:
Step Action
1 Plan the network.
— network access devices
— remediation server (if applicable)
For more information about the Nortel SNAS MIP, pVIP, and RIP, see "About the IP addresses" (page 42).
• VLAN IDs
— Nortel SNAS management VLAN
— Red VLANs
— Yellow VLANs
— Green VLANs
— VoIP VLANs (optional)
• Groups and profiles to be configured
2 Configure the network DNS server, DHCP server, core router, and network access devices, as described in "Nortel SNAS configuration roadmap" (page 37), steps 1 through 4.
Real IP address
The Real IP address (RIP) is the Nortel SNAS device host IP address for network connectivity. The RIP is the IP address used for communication between Nortel SNAS devices in a cluster. The RIP must be unique on the network and must be within the same subnet as the MIP.
ATTENTION
Nortel recommends that you always use the MIP for remote configuration, even though it is possible to configure the Nortel SNAS device remotely by connecting to its RIP.
Alteon iSD NSNAS
Hardware platform: 4050
Software version: x.x
-----------------------------------------------------
[Setup Menu]
join - Join an existing cluster
new - Initialize host as a new installation
boot - Boot menu
info - Information menu
exit - Exit [global command, always available]
>> Setup#
2 Select the option for a new installation.
>> Setup# new
Setup will guide you through the initial configuration.
3 Specify the management interface port number.
SNAS management VLAN, for traffic between the Nortel SNAS and the network access device.
7 Specify the default gateway IP address.
Enter default gateway IP address (or blank to skip):
The default gateway is the IP address of the interface on the core router that will be used if no other interface is specified. The default gateway IP address must be within the same network address range as the RIP.
8 Specify the MIP for this device or cluster.
Enter port number for the traffic interface [1-4]:
Enter IP address for this machine (on traffic interface):
Enter network mask [255.255.255.0]:
Enter VLAN tag id (or zero for no VLAN) [0]:
Enter default gateway IP address (on the traffic interface):
10 Specify the time zone.
For communication between the Nortel SNAS and the network access devices, generate the SSH key after you have completed the initial setup (see "Managing SSH keys" (page 68)).
16 Change the admin user password, if desired.
Enter a password for the "admin" user:
Re-enter to confirm:
Make sure you remember the password you define for the admin user.
• restricted. The session remains intact, but access is restricted in accordance with the rights specified in the access rules for the group.
• teardown. The SSL session is torn down.
The default is restricted.
Use restricted (teardown/restricted) action for Nortel Health Agent check failure? [yes]:
24 Create the default user and group. The action to be performed when the Nortel Health Agent check fails depends on your selection in step f.
C:\tunnelguard\tg.txt
Creating linkset 'nha_system_passed'.
Creating linkset 'nha_system_failed'.
Creating group 'nhauser' with secure access.
Associating group 'nhasystem' with srs rule 'srs-rule-syscred-test'.
Creating extended profile, full access when nha_system_passed
Enter system green vlan id [115]:
Creating extended profile, remediation access when nha_system_failed
Enter yellow vlan id [120]:
Creating system account 'nha' in group 'nhasystem'.
5 One test user is configured. You were prompted to set a user name and password during the quick setup wizard (in this example, the user name and password are both set to nha). The test user belongs to a group called nhauser. There are two profiles within the group: nha_passed and nha_failed. Each profile is associated with a client filter and a linkset. The profiles determine the VLAN to which the user is allocated.
Do not proceed with the join operation until the following requirements are met.
• Verify that the IP addresses you will assign to the new Nortel SNAS device conform to Nortel SNAS network requirements. For more information, see "About the IP addresses" (page 42) and "Interface configuration" (page 35).
• The Access List is updated, if necessary. The Access List is a system-wide list of IP addresses for hosts authorized to access the Nortel SNAS devices by Telnet and SSH.
Alteon iSD NSNAS
Hardware platform: 4050
Software version: x.x
-----------------------------------------------------
[Setup Menu]
join - Join an existing cluster
new - Initialize host as a new installation
boot - Boot menu
info - Information menu
exit - Exit [global command, always available]
>> Setup#
2 Select the option to join an existing cluster.
>> Setup# join
Setup will guide you through the initial configuration.
3 Specify the management interface port number.
Enter VLAN tag id (or zero for no VLAN) [0]:
7 Configure the interface for client portal traffic (Interface 2).
a Specify a port number for the client portal interface. This port will be assigned to Interface 2. The port number must not be the same as the port number for the management interface (Interface 1).
b Specify the RIP for Interface 2.
c Specify the network mask for the RIP on Interface 2.
Setup successful.
login:
--End--

Next steps
Step Action
1 To enable the SREM connection to the Nortel SNAS:
a Use the /cfg/sys/adm/ssh on command to enable SSH access to the Nortel SNAS (for more information, see "Configuring administrative settings" (page 281)).
b Use the /cfg/sys/adm/srsadmin ena command to enable SRS administration (for more information, see "Enabling TunnelGuard SRS administration" (page 284)).
e If you did not run the quick setup wizard during the initial setup, configure the following:
• Create the domain (see "Creating a domain" (page 83)).
• Create at least one group.
• Specify the VLANs to be used when the Nortel Health Agent check succeeds and when it fails (see "Configuring extended profiles" (page 164)).
4 Save the configuration (see "Applying and saving the configuration" (page 55)).
Managing the network access devices
This chapter includes the following topics:
"Before you begin" (page 57)
"Managing network access devices" (page 58)
"Roadmap of domain switch commands" (page 58)
"Adding a network access devices" (page 60)
"Deleting a network access devices" (page 64)
"Configuring the network access devices" (page 64)
"Mapping the VLANs" (page 66)
"Managing SSH keys" (page 68)
"Monitoring switch health" (page 73)
"Controlling communication with the network access devices
• Create the domain, if applicable. If you ran the quick setup wizard during initial setup, Domain 1 is created. For more information about creating a domain, see "Configuring the domain" (page 79).
• Configure the edge switches for Nortel SNAS (see "Nortel SNAS configuration roadmap" (page 37), step 4). For detailed information about configuring the edge switches for Nortel SNAS, see Release Notes for the Ethernet Routing Switch 8300, Software Release 2.2.
Command: /cfg/domain #/switch
Parameters: name; type ERS8300|ERS5500; ip; mgmtproto; port; rvid; reset; ena; dis; delete
Command: /cfg/domain #/vlan
Parameters: add; del; list
Command: /cfg/domain #/switch #/vlan
Parameters: add; del; list
Command: /cfg/domain #/sshkey
Parameters: generate; show; export
Command: /cfg/domain #/switch #/sshkey
Parameters: import; add; del; show; export; user
Command: /cfg/domain #/switch #/hlthchk
Parameters: interval; deadcnt
Adding a network access devices
You can add a network access devices to the configuration in two ways. You must repeat the steps for each switch that you want to add to the domain configuration.
ATTENTION
Based on the discovery result, the wizard asks for the switch ports, the switch uplink ports (in the case of an SSCPLite switch) or the NSNA communication port (in the case of an SSCP switch).
5 Specify the VLAN ID of the Red VLAN, as configured on the network access devices. The network access devices in the domain can share a common Red VLAN or can each have a separate Red VLAN.
Red vlan id of Switch:
6 Specify the type of switch.
a At the prompt to add the SSH key, enter Yes.
b When prompted, paste in the key from a text file, then press Enter.
c Enter an ellipsis (...) to signal the end of the key.
d To continue, go to step 7.
Do you want to add ssh key? (yes/no) [no]: yes
Paste the key, press Enter to create a new line, and then type "..." (without the quotation marks) to terminate.
> 47.80.18.
When you first add the network access devices, you are prompted to enter the following information:
• switch name—a string that identifies the switch on the Nortel SNAS. The maximum length of the string is 255 characters. After you have defined a name for the switch, you can use either the switch name or the switch ID to access the Switch menu.
• type of switch—valid options are ERS8300, ERS5500, and ERS4500. The input is case sensitive.
Figure 2 Adding a switch manually

Deleting a network access devices
To remove a network access devices from the domain configuration, first disable the switch, then delete it. Use the following commands:
/cfg/domain #/switch #/dis
/cfg/domain/switch/delete
The disable and delete commands log out all clients connected through the switch. The delete command removes the current switch from the control of the Nortel SNAS cluster.
To configure a network access devices in the Nortel SNAS domain, use the following command:
/cfg/domain #/switch
where switch ID is the ID or name of the switch you want to configure. The Switch menu appears. The Switch menu includes the following options:
/cfg/domain #/switch followed by:
name  Names or renames the switch.
/cfg/domain #/switch followed by:
rvid  Identifies the Red VLAN for the network access devices.
• VLAN ID is the ID of the Red VLAN, as configured on the switch
sshkey  Accesses the SSH Key menu, in order to manage the exchange of public keys between the switch and the Nortel SNAS (see "Managing SSH keys for Nortel SNAS communication" (page 71))
reset  Resets all the Nortel SNAS-enabled ports on the switch.
To manage the VLAN mappings for all the network access devices in the Nortel SNAS domain, first disable all the switches in the domain, then use the following command:
/cfg/domain #/vlan
To manage the VLAN mappings for a specific network access devices, first disable the switch in the domain, then use the following command:
/cfg/domain #/switch #/vlan
The Nortel SNAS maintains separate maps for the domain and the switch.
/cfg/domain #[/switch #]/vlan followed by:
del  Removes the specified VLAN entry from the applicable VLAN map.
• index is an integer indicating the index number automatically assigned to the VLAN mapping when you created it. The index numbers of the remaining entries adjust accordingly. To view the index numbers for all VLAN entries in the map, use the /cfg/domain #[/switch #]/vlan/list command.
"Managing SSH keys for Nortel SNAS communication" (page 71)).
• For an Ethernet Routing Switch 5510, 5520, or 5530: Use the /cfg/domain #/sshkey/export command to upload the key to a TFTP server, for manual retrieval from the switch (see "Generating SSH keys for the domain" (page 70)). For information about downloading the key from the server to the switch, see Release Notes for Nortel Ethernet Routing Switch 5500 Series, Software Release 5.0.1.
Generating SSH keys for the domain
To generate, view, and export the public SSH key for the domain, use the following command:
/cfg/domain #/sshkey
The NSNAS SSH key menu appears. The NSNAS SSH key menu includes the following options:
/cfg/domain #/sshkey followed by:
generate  Generates an SSH public key for the domain. There can be only one key in effect for the Nortel SNAS domain at any one time.
Figure 3 "Generating an SSH key for the domain" (page 71) shows sample output for the /cfg/domain #/sshkey command.
Figure 3 Generating an SSH key for the domain

Managing SSH keys for Nortel SNAS communication
To retrieve the public key for the network access devices and export the public key for the domain, use the following command:
/cfg/domain #/switch #/sshkey
The SSH Key menu appears. The SSH Key menu includes the following options:
/cfg/domain #/switch #/sshkey followed by:
import  Retrieves the SSH public key from the network access devices, if it is reachable.
add  Allows you to paste in the contents of a key file you have downloaded from the Ethernet Routing Switch 8300 network access devices. When prompted, paste in the key, then press Enter. Enter an ellipsis (...
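The paste-a-key prompt described here and in the manual add-switch procedure above accepts lines until a line consisting of "..." is entered. The following added example (not Nortel code) models that reading contract and adds the check an operator would want before trusting a pasted key: that the text is a single public-key line whose encoded blob declares the same key type as its prefix. The OpenSSH "ssh-rsa <base64>" line format and the key types are assumptions; the page does not state which format the switch exports.

```python
"""Reader and sanity check for a pasted SSH public key.

Added example, not Nortel code. It assumes the prompt's contract from the
page (lines are collected until a line consisting of '...') and, as an
assumption not stated on the page, that the key is an OpenSSH public-key
line of the form '<type> <base64> [comment]'.
"""
import base64
import struct

TERMINATOR = "..."
KNOWN_TYPES = {"ssh-rsa", "ssh-dss"}  # assumed set; extend as required


def read_pasted_key(lines):
    """Return the pasted key text, i.e. the lines before the '...' line.

    Raises ValueError when no terminator is seen, because an unterminated
    paste would otherwise leave the prompt waiting for more input.
    """
    body = []
    for line in lines:
        if line.strip() == TERMINATOR:
            return "\n".join(body).strip()
        body.append(line.rstrip("\n"))
    raise ValueError("key paste was not terminated with '...'")


def validate_openssh_key(key_text):
    """Check one '<type> <base64>' line and return the key type.

    The OpenSSH wire blob starts with a length-prefixed copy of the key
    type string, so a mismatch between prefix and blob is a corrupt or
    mislabelled paste.
    """
    parts = key_text.split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64>'")
    ktype, b64 = parts[0], parts[1]
    if ktype not in KNOWN_TYPES:
        raise ValueError(f"unsupported key type {ktype}")
    blob = base64.b64decode(b64, validate=True)
    if len(blob) < 4:
        raise ValueError("blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n].decode("ascii", "replace") != ktype:
        raise ValueError("blob type does not match declared type")
    return ktype


def _constructed_sample_key():
    # Constructed toy key: correct wire layout, meaningless numbers.
    blob = (struct.pack(">I", 7) + b"ssh-rsa"
            + struct.pack(">I", 1) + b"\x03"          # exponent e = 3
            + struct.pack(">I", 2) + b"\x00\xc1")     # modulus n (toy)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " switch@example"


# Constructed sample paste: one key line followed by the terminator.
SAMPLE_PASTE = [_constructed_sample_key(), "..."]

if __name__ == "__main__":
    key = read_pasted_key(SAMPLE_PASTE)
    print("accepted", validate_openssh_key(key), "key")
```

On the real prompt the same two failure modes apply: a paste without the terminator never completes, and a key whose blob does not decode to its declared type should be rejected rather than stored against the switch.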
Step Action
1 Use the /cfg/domain #/switch #/sshkey/del command to delete the original key.
2 Enter Apply to apply the change immediately.
3 Use the /cfg/domain #/switch #/sshkey/import command to import the new key.
4 Enter Apply to apply the change immediately.
--End--

Monitoring switch health
The Nortel SNAS continually monitors the health of the network access devices.
/cfg/domain #/switch #/hlthchk followed by:
deadcnt  Specifies the number of times the Nortel SNAS will repeat the check for switch activity when no heartbeat is detected.
• count is an integer in the range 1–65535 that indicates the number of retries. The default is 3. If no heartbeat is detected after the specified number of retries, the Nortel SNAS enters status-quo mode.
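The retry rule above (repeat the check when no heartbeat is seen; after deadcnt consecutive failures, enter status-quo mode) is easy to get wrong when sizing a monitoring window. The following added example (not Nortel code) models it as a small state machine so the worst-case detection time and the recovery path can be reasoned about. It assumes that deadcnt counts consecutive failed checks and that a single heartbeat clears status-quo; the interval default, the state names and the event log are this example's own and not from the page.

```python
"""Model of the hlthchk retry logic: deadcnt misses -> status-quo mode.

Added example, not Nortel code. Assumptions: a check runs every
`interval` seconds (the 30 s default here is assumed, the page gives
none); `deadcnt` (page default 3, range 1-65535) is the number of
consecutive checks without a heartbeat before status-quo mode; one
heartbeat returns the switch to the normal state.
"""
from dataclasses import dataclass, field


@dataclass
class SwitchHealth:
    interval: int = 30           # seconds between checks (assumed default)
    deadcnt: int = 3             # retries before status-quo (page default)
    missed: int = 0              # consecutive checks with no heartbeat
    status_quo: bool = False     # True once deadcnt retries have failed
    log: list = field(default_factory=list)

    def __post_init__(self):
        if not 1 <= self.deadcnt <= 65535:
            raise ValueError("deadcnt must be in the range 1-65535")

    def observe(self, heartbeat_seen: bool) -> str:
        """Record one health-check result; return 'up', 'retrying' or 'status-quo'."""
        if heartbeat_seen:
            if self.status_quo:
                self.log.append("heartbeat restored; leaving status-quo mode")
            self.missed = 0
            self.status_quo = False
            return "up"
        self.missed += 1
        if self.missed >= self.deadcnt:
            if not self.status_quo:
                self.log.append(
                    f"no heartbeat after {self.deadcnt} retries; entering status-quo mode")
            self.status_quo = True
            return "status-quo"
        return "retrying"

    def seconds_until_status_quo(self) -> int:
        """Worst-case time from a healthy state to status-quo mode."""
        return self.interval * self.deadcnt


def run_samples(results, deadcnt=3):
    """Feed a sequence of check results through one SwitchHealth instance."""
    hc = SwitchHealth(deadcnt=deadcnt)
    states = [hc.observe(r) for r in results]
    return states, hc


# Constructed sample: healthy, three missed heartbeats, then recovery.
SAMPLE = [True, False, False, False, True]

if __name__ == "__main__":
    states, hc = run_samples(SAMPLE)
    print(states)
    for entry in hc.log:
        print(entry)
    print("detection window:", hc.seconds_until_status_quo(), "s")
```

Raising deadcnt lengthens the detection window linearly, so a large value chosen to avoid spurious status-quo transitions also delays noticing a switch that has really gone away; the model makes that trade-off explicit.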
Nortel ES 325, 425, 450, 460, BPS, 470, and ERS 2500, 4500, 5500, 8300, and 8600. In addition, SSCPLite supports Cisco 2900, 3500, and 3700 series Ethernet switches.
• SSCPLite uses the SNMP protocol.
• Nortel SNAS should use MAC Authentication.
• Switches do not support Dynamic Host Control Protocol.
• Switches may not support the DHCP signature-based identification for VoIP phones.
• Multiple PCs connected to the switch port through a hub are not supported.
The SNMPProfile # menu appears. The SNMP profile menu includes the following options:
/cfg/domain #/snmp-profile followed by:
  Set the name of the profile.
  Set the supported SNMP versions.
  SNMP community menu appears.
  Set SNMP port to communicate.
refresh  Set the data refresh rate interval.
  Set the CLI login user name.
  Set the CLI login password.
  Set the CLI login type.
- Configuring SNMP Templates. Configuring SSCPLite Community: To configure the SSCPLite community, use the following command: /cfg/domain #/snmp-profile #/community • An SNMP community is the group of devices and management stations running SNMP. An SNMP device or agent may belong to more than one SNMP community. It will not respond to requests from management stations that do not belong to one of its communities. • SNMP can be protected from the Internet with a firewall.
- Managing the network access devices export Exports new switch templates to the TFTP servers. clear Deletes the template entry from the list; it can also delete the whole list of templates.
- . Configuring the domain This chapter includes the following topics: Topic “Configuring the domain” (page 79) “Roadmap of domain commands” (page 81) “Creating a domain” (page 83) “Deleting a domain” (page 89) “Configuring domain parameters” (page 89) “Configuring the Nortel Health Agent check” (page 92) “Configuring the SSL server” (page 97) “Configuring HTTP redirect” (page 107) “Configuring advanced settings” (page 109) “Configuring RADIUS accounting” (page 110) “Configuring local DHCP services” (pag 
- Configuring the domain /cfg/domain From the Domain menu, you can configure and manage the following: • domain parameters such as name and portal IP address (pVIP) (see “Configuring domain parameters” (page 89)) • Authentication, Authorization, and Accounting (AAA) features — for authentication, see “Configuring authentication” (page 171) — for authorization, see “Configuring groups and profiles” (page 149) and “Configuring the Nortel Health Agent check” (page 92) — for accounting, see “Configuring 
- Configuring the domain 81 Roadmap of domain commands The following roadmap lists the CLI commands to configure the domain in a Nortel SNAS deployment. 
- Configuring the domain. Roadmap of domain commands, command followed by parameters:
  - /cfg/domain #/server/ssl: cert, cachesize, cachettl, cacerts, cachain, protocol ssl2 | ssl3 | ssl23 | tls1, ciphers, ena, dis
  - /cfg/domain #/server/adv/traflog: sysloghost, udpport, protocol ssl2 | ssl3 | ssl23 | tls1, priority debug | info | notice, facility auth | authpriv | daemon | local0-7, ena, dis
  - /cfg/domain #/httpredir: port, redir on | off
  - /cfg/do
- Configuring the domain 83 Creating a domain You can create a domain in two ways: • “Manually creating a domain” (page 83) • “Using the Nortel SNAS domain quick setup wizard in the CLI” (page 84) Manually creating a domain To create and configure a domain manually, use the following command: /cfg/domain <domain ID> where domain ID is an integer in the range 1 to 256 that uniquely identifies the domain in the Nortel SNAS cluster.
- Configuring the domain. Figure 4: Creating a domain. Using the Nortel SNAS domain quick setup wizard in the CLI To create a domain using the Nortel SNAS quick setup wizard, use the following command: /cfg/quick The NSNAS quick setup wizard is similar to the quick setup wizard available during initial setup.
- Configuring the domain 85. Step / Action:
  1. Launch the domain quick setup wizard: >> Main# cfg/quick
  2. Specify the pVIP of the Nortel SNAS domain. You can configure additional pVIPs later (see “Configuring domain parameters” (page 89)). Prompt: IP address of domain portal:
  3. Specify a name for the Nortel SNAS domain, as a mnemonic aid. Prompt: Name of the domain:
  4. Specify the port on which the portal web server listens for SSL communications. The default for HTTPS communications is port 443.
- Configuring the domain. Prompts: Use existing certificate (no/1) [no]: / Create a test certificate? (yes/no): no / Enter server certificate. Paste the certificate and key, press Enter to create a new line, and then type "..." (without the quotation marks) to terminate. >
  7. To create a test certificate: a. At the prompt to create a test certificate, enter Yes. b. When prompted, enter the required certificate information. For more information, see “Generating and submitting a CSR” (page 305).
- Configuring the domain 87 If you do not want to add a network access device at this time, press Enter to accept the default value (no). Go to step 12. 11 To add a network access device, enter the required information when prompted. For more information, see “Using the quick switch setup wizard” (page 60).
- Configuring the domain You can change the VLAN mappings when you add or modify the network access devices (see “Configuring the network access devices” (page 64)). You specify the Red VLAN when you add the network access devices to the domain. The components created by the wizard depend on the selections you made in the preceding steps.
- Configuring the domain 89 Group for system policies Name: nhasystem Creating Extended Profile 1 Giving system access when system health checks passed Creating "green_system" vlan with id 115 Creating Extended Profile 2 Giving remediation access when system health checks failed Creating "yellow" vlan with id 120 Not using SRS rule for system compliancy 2008 03 10 00:46 2008 03 10 00:14 Setting Activation and Earliest Push Date Enable System Credentials Adding user ’nhasystem’ with password ’nhasystem’ Use 
- Configuring the domain Table 4 Configuring domain parameters /cfg/domain followed by: name <name> Names or renames the domain. • name is a string that must be unique in the domain. The maximum length of the string is 255 characters. The name is a mnemonic aid only and is not used by other functions. pvips Sets the pVIP for the domain. The pVIP is the portal address to which clients connect in order to access the Nortel SNAS network.
- Configuring the domain 91 Table 4 Configuring domain parameters (cont’d.) /cfg/domain followed by: portal Accesses the Portal menu, in order to customize the portal page that appears in the client’s web browser (see “Customizing the portal and user logon” (page 227)). linkset Accesses the Linkset menu, in order to configure the linksets to display on the portal Home tab (see “Configuring linksets” (page 251)).
- Configuring the domain Table 4 Configuring domain parameters (cont’d.) /cfg/domain followed by: nap Accesses the NAP menu to configure the NAP (see “Configuration of Microsoft NAP Interoperability” (page 139)). quick Launches the quick switch setup wizard, in order to add network access devices to the Nortel SNAS domain (see “Using the quick switch setup wizard” (page 60)). syslog Accesses the Syslog Servers menu.
- Configuring the domain 93 Table 5 Configuring the Nortel Health Agent /cfg/domain #/aaa/nha followed by: quick Launches the Quick Nortel Health Agent setup wizard, in order to configure default Nortel Health Agent check settings and the check result (see “Using the quick Nortel Health Agent setup wizard in the CLI” (page 96)). recheck Sets the time interval between SRS rule rechecks made by the Nortel Health Agent applet on the client machine.
- Configuring the domain Table 5 Configuring the Nortel Health Agent (cont’d.) /cfg/domain #/aaa/nha followed by: status-quo on|off Specifies whether the Nortel SNAS domain operates in status-quo mode. Status-quo mode determines the behavior of the Nortel SNAS if no client activity is detected after the inactivity interval (heartbeat x hbretrycnt). The options are: • on—the client session continues indefinitely • off—the Nortel SNAS terminates the session immediately The default is off. 
- Configuring the domain 95 Table 5 Configuring the Nortel Health Agent (cont’d.) /cfg/domain #/aaa/nha followed by: list Lists the SRS rules configured for the domain. For information about creating SRS rules, see the information about the Nortel Health Agent SRS Rule Builder in Nortel Secure Network Access Switch 4050 User Guide for the SREM (NN47230-101). The Nortel Health Agent applet can apply different SRS rules for different groups.
- Configuring the domain Table 5 Configuring the Nortel Health Agent (cont’d.) /cfg/domain #/aaa/nha followed by: • info—high-level information about processes • debug—detailed information about all processes The default is info. The information appears in the client’s Java Console window. You can use the information to track errors in the Nortel Health Agent SRS rules.
- Configuring the domain 97 Name: nha_passed Creating Client Filter 2 Name: nha_failed Using existing nha_passed linkset Using existing nha_failed linkset Using existing SRS Rule srs-rule-test Creating Group 1 Group for user policies Name: nhauser Creating Extended Profile 1 Giving full access when health check passed Using existing green vlan Creating Extended Profile 2 Giving remediation access when health check failed Using existing yellow vlan Using SRS rule for user compliancy: srs-rule-test Adding use 
- Configuring the domain To configure the portal server used in the domain, use the following command: /cfg/domain #/server The Server 1001 menu appears. The Server 1001 menu includes the following options: Table 6 Configuring SSL server /cfg/domain #/server followed by: port Specifies the port on which the portal server listens for HTTPS communications. interface Specifies the backend interface used by the server.
- Configuring the domain 99 Table 6 Configuring SSL server (cont’d.) /cfg/domain #/server followed by: ssl Accesses the SSL Settings menu, in order to configure SSL settings for the portal server (see “Configuring SSL settings” (page 102)). adv Accesses the Advanced Settings menu, in order to configure traffic log settings for a syslog server (see “Configuring traffic log settings” (page 105)).
- Configuring the domain /cfg/domain #/server/trace followed by: specify. You are prompted to enter the required information. You can specify the file exchange server using either the host name or the IP address. For TFTP, the number of files sent depends on the amount of captured information. A sequence number is appended to the file name given in the CLI, starting at 1 and incremented automatically for additional files. 
- Configuring the domain 101 /cfg/domain #/server/trace followed by: You can read a saved TCP traffic dump file using the TCPDUMP or Ethereal application on a remote machine. The default output mode is interactive. ping <host> Verifies station-to-station connectivity across the network. • host is the host name or IP address of the target station. If a backend interface is mapped to the current Nortel SNAS domain, the check is made through the backend interface.
- Configuring the domain /cfg/domain #/server/trace followed by: • host is the host name or IP address of the target station. If a backend interface is mapped to the current Nortel SNAS domain, the check is made through the backend interface. To map a backend interface to the domain, use the /cfg/domain #/adv/interface command (see “Configuring advanced settings” (page 109)). To be able to use a host name, the DNS parameters must be configured (see “Configuring DNS servers and settings” (page 276)).
- Configuring the domain 103 Table 8 Configuring SSL Settings (cont’d.) /cfg/domain #/server/ssl followed by: cachesize <sessions> Sets the size of the SSL cache. • sessions is an integer less than or equal to 10000 indicating the number of cached sessions. The default is 4000. If there are many cache misses, increase the cachesize value for better performance. cachettl Specifies the maximum time to live (TTL) value for items in the SSL cache. After the TTL has expired, the items are discarded.
- Configuring the domain Table 8 Configuring SSL Settings (cont’d.) /cfg/domain #/server/ssl followed by: The SSL server can use chain certificates only if the protocol version is set to ssl3 or ssl23 (see /cfg/domain #/server/ssl/protocol). protocol ssl2|ssl3|ssl23|tls1 Specifies the protocol to use when establishing an SSL session with a client. Valid options are: • ssl2—accept SSL 2.0 only • ssl3—accept SSL 3.0 and TLS 1.0 • ssl23—accept SSL 2.0, SSL 3.0, and TLS 1. • tls1—accept TLS 1.0 only
- Configuring the domain 105 Table 8 Configuring SSL Settings (cont’d.) /cfg/domain #/server/ssl followed by: included in the backend servers’ list of preferred ciphers, as the SSL connection will otherwise be refused. ciphers <cipher list> Specifies the cipher preference list. • cipher list is an expression that consists of cipher strings separated by colons. The default cipher list is ALL@STRENGTH. For more information about cipher lists, see “Supported ciphers” (page 483). ena Enables SSL on the portal server.
- Configuring the domain Because of the amount of traffic generated, Nortel recommends that you set up syslog on the backend server if possible. A syslog message generated on a Nortel SNAS device looks like the following: Mar 8 14:14:33 192.168.128.24 : 192.168.128.189 TLSv1/SSLv3 DES-CBC3-SHA "GET / HTTP/1.0". 
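As an added example (not code from the Nortel manual or the SNAS software), the following Python parses traffic-log lines of the layout shown above and flags sessions that were negotiated with legacy protocol versions or weak ciphers; the regular expression, the field names and the weak-cipher token list are assumptions made here, and every sample line except the manual's own is constructed.

```python
"""Parse Nortel SNAS traffic-log syslog lines and flag weak SSL/TLS sessions.

Added example, not code from the Nortel manual. Only the first sample line
below is the one the manual shows; the others are constructed for the test.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Layout read off the manual's sample line (field names are our assumption):
#   <Mon D HH:MM:SS> <SNAS address> : <client address> <protocol> <cipher> "<request line>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+"
    r"(?P<snas>\d{1,3}(?:\.\d{1,3}){3})\s*:\s*"
    r"(?P<client>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<proto>\S+)\s+(?P<cipher>\S+)\s+"
    r'"(?P<request>[^"]*)"\.?\s*$'
)

# OpenSSL-style cipher-name tokens treated as weak (assumption for this audit):
# export grades, NULL encryption, RC4, single/triple DES, MD5 integrity, anonymous DH.
WEAK_TOKENS = frozenset({"NULL", "EXP", "EXP1024", "RC4", "DES", "MD5", "ADH", "AECDH"})


@dataclass
class TrafficEntry:
    timestamp: str
    snas_ip: str
    client_ip: str
    protocol: str
    cipher: str
    request: str

    def findings(self) -> List[str]:
        """Return human-readable reasons this session is worth a look."""
        out: List[str] = []
        if self.protocol == "SSLv2":
            out.append("SSL 2.0 session (set /cfg/domain #/server/ssl/protocol to tls1)")
        elif "SSLv3" in self.protocol:
            # The manual's sample reads "TLSv1/SSLv3": the SSL 3.0 / TLS 1.0 family
            # rather than one exact version, so it is treated as legacy here.
            out.append("SSL 3.0 / TLS 1.0 family session")
        weak = sorted(WEAK_TOKENS.intersection(self.cipher.upper().split("-")))
        if weak:
            out.append("weak cipher %s (%s)" % (self.cipher, ", ".join(weak)))
        return out


def parse_line(line: str) -> Optional[TrafficEntry]:
    """Return the parsed entry, or None for a line that is not a traffic-log record."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return TrafficEntry(m["ts"], m["snas"], m["client"], m["proto"], m["cipher"], m["request"])


def audit(lines: List[str]) -> Dict[str, object]:
    """Parse every line; return counts and the findings grouped by client address."""
    parsed = unparsed = 0
    by_client: Dict[str, List[str]] = {}
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            unparsed += 1
            continue
        parsed += 1
        for finding in entry.findings():
            by_client.setdefault(entry.client_ip, []).append(finding)
    return {"parsed": parsed, "unparsed": unparsed, "flagged_clients": by_client}


# Constructed sample input: line 1 is the manual's example, the rest are made up.
SAMPLE_LINES = [
    'Mar 8 14:14:33 192.168.128.24 : 192.168.128.189 TLSv1/SSLv3 DES-CBC3-SHA "GET / HTTP/1.0".',
    'Mar 8 14:15:02 192.168.128.24 : 192.168.128.190 TLSv1 AES256-SHA "GET /login HTTP/1.1"',
    'Mar 8 14:15:40 192.168.128.24 : 192.168.128.191 SSLv2 RC4-MD5 "GET / HTTP/1.0"',
    'Mar 8 14:16:11 192.168.128.24 : kernel: link up',  # not a traffic-log record
]

if __name__ == "__main__":
    report = audit(SAMPLE_LINES)
    for client, reasons in report["flagged_clients"].items():
        print(client, "->", "; ".join(reasons))
    print("parsed=%d unparsed=%d" % (report["parsed"], report["unparsed"]))
```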
- Configuring the domain 107 /cfg/domain #/httpredir followed by: ena Enables traffic logging with syslog messages to the specified syslog server. Traffic logging with syslog messages is disabled by default. dis Disables traffic logging with syslog messages. Traffic logging with syslog messages is disabled by default. Configuring HTTP redirect You can configure the Nortel SNAS domain to automatically redirect HTTP requests to the HTTPS server. For example, a client request directed to http://nsnas. 
- Configuring the domain Otherwise, the client PC will not be able to reach the portal for user authentication. redir on|off Specifies whether HTTP requests will be redirected to the HTTPS server. • on—HTTP redirect is enabled • off—HTTP redirect is disabled The default is off. Browser-Based Management Configuration The HTTP menu is used for enabling/disabling browser-based configuration of your VPN Gateway.
- Configuring the domain Table 11 Browser-Based Management Configuration with SSL cfg/sys/adm/https followed by port Sets the port number to be used for browser-based SNAS configuration from the BBI using SSL. ena Enables the HTTPS server used for browser-based configuration on the SNAS using SSL. dis Disables the HTTPS server used for browser-based configuration on the SNAS using SSL. 
- Configuring the domain followed by: interface <interface ID> References a previously created interface to serve as a backend interface for the domain. • interface ID is an integer that indicates the interface number. The default is 0. To configure the interface, use the /cfg/sys/host #/interface command (see “Configuring host interfaces” (page 268)). log Specifies the type of requests and operations to log. You are prompted to enter a comma-separated list of log types.
- Configuring the domain 111 When the user session terminates, the Nortel SNAS sends an accounting request stop packet to the accounting server. The stop packet contains the following information: • session ID • session time • cause of termination Configure the RADIUS server in accordance with the recommendations in RFC 2866. Certain Nortel SNAS-specific attributes are sent to the RADIUS server when you enable accounting (see “Configuring Nortel SNAS-specific attributes” (page 114)).
- Configuring the domain Table 13 Configuring RADIUS accounting (cont’d.) /cfg/domain #/aaa/radacct followed by: ena Enables RADIUS accounting. The default is disabled. dis Disables RADIUS accounting. The default is disabled. Managing RADIUS accounting servers To configure the Nortel SNAS to use external RADIUS accounting servers, use the following command: /cfg/domain #/aaa/radacct/servers The Radius Accounting Servers menu appears. 
- Configuring the domain 113 Table 14 Managing RADIUS accounting servers (cont’d.) /cfg/domain #/aaa/radacct/servers followed by: add Adds a RADIUS accounting server to the configuration. You are prompted to enter the following information: • IPaddr—the IP address of the accounting server • port—the TCP port number used for RADIUS accounting. The default is 1813.
- Configuring the domain Configuring Nortel SNAS-specific attributes The RADIUS accounting server uses Vendor-Id and Vendor-Type attributes in combination to identify the source of the accounting information. The attributes are sent to the RADIUS accounting server together with the accounting information for the logged-in user. You can assign vendor-specific codes to the Vendor-Id and Vendor-Type attributes for the Nortel SNAS domain.
- Configuring the domain 115 Table 15 Configuring Nortel SNAS-specific attributes /cfg/domain #/aaa/radacct/domainattr followed by: vendorid Corresponds to the vendor-specific attribute used by the RADIUS accounting server to identify accounting information from the Nortel SNAS domain. The default Vendor-Id is 1872 (Alteon). vendortype Corresponds to the Vendor-Type value used in combination with the Vendor-Id to identify accounting information from the Nortel SNAS domain. 
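As an added example (not code from the Nortel manual or the SNAS software) covering the accounting stop packet and the vendor-specific attributes described above, the following Python builds an RFC 2866 Accounting-Request (Stop) carrying a Vendor-Specific attribute with the default Vendor-Id 1872, and shows the check an accounting server applies before trusting it; the Vendor-Type value, the attribute payload, the session values and the shared secret are constructed placeholders.

```python
"""Build and verify a RADIUS Accounting-Request (Stop) carrying a Nortel SNAS
vendor-specific attribute (RFC 2866; VSA layout from RFC 2865 section 5.26).

Added example, not code from the Nortel manual or the SNAS software. The
Vendor-Id 1872 is the default the manual states; the Vendor-Type value, the
attribute payload and the shared secret are constructed placeholders.
"""
import hashlib
import hmac
import struct
from typing import List, Tuple

ACCOUNTING_REQUEST = 4          # RADIUS packet code (RFC 2866)
ACCT_STATUS_TYPE = 40           # value 1 = Start, 2 = Stop
ACCT_SESSION_ID = 44
ACCT_SESSION_TIME = 46
ACCT_TERMINATE_CAUSE = 49       # RFC 2866 section 5.10; value 1 = User Request
VENDOR_SPECIFIC = 26
NORTEL_SNAS_VENDOR_ID = 1872    # default vendorid from the manual (Alteon)
ACCT_STOP = 2


def attribute(attr_type: int, value: bytes) -> bytes:
    """Encode one Type-Length-Value attribute (Length counts the 2-byte header)."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def vendor_specific(vendor_id: int, vendor_type: int, value: bytes) -> bytes:
    """Encode a Vendor-Specific attribute: Vendor-Id, then Vendor-Type/Length/Value."""
    inner = struct.pack("!BB", vendor_type, len(value) + 2) + value
    return attribute(VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + inner)


def build_acct_stop(secret: bytes, identifier: int, session_id: str,
                    session_time: int, cause: int,
                    vendor_type: int, vendor_value: bytes) -> bytes:
    """Assemble the stop packet and compute its Request Authenticator:
    MD5(Code + Identifier + Length + 16 zero octets + attributes + shared secret)."""
    attrs = (attribute(ACCT_STATUS_TYPE, struct.pack("!I", ACCT_STOP))
             + attribute(ACCT_SESSION_ID, session_id.encode("ascii"))
             + attribute(ACCT_SESSION_TIME, struct.pack("!I", session_time))
             + attribute(ACCT_TERMINATE_CAUSE, struct.pack("!I", cause))
             + vendor_specific(NORTEL_SNAS_VENDOR_ID, vendor_type, vendor_value))
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(attrs))
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def verify_acct_request(packet: bytes, secret: bytes) -> bool:
    """Server-side check: recompute the authenticator with the field zeroed and
    compare in constant time; a wrong secret or any tampering fails."""
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def parse_attributes(packet: bytes) -> List[Tuple[int, bytes]]:
    """Walk the TLV list after the 20-byte header; reject malformed lengths."""
    out, pos = [], 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("bad attribute length")
        out.append((attr_type, packet[pos + 2:pos + length]))
        pos += length
    return out


def vendor_of(vsa_value: bytes) -> int:
    """Vendor-Id carried in the first 4 bytes of a Vendor-Specific attribute value."""
    return struct.unpack("!I", vsa_value[:4])[0]


# Constructed demonstration values (vendor_type=1 and the secret are placeholders).
DEMO_SECRET = b"constructed-shared-secret"
DEMO_PACKET = build_acct_stop(DEMO_SECRET, identifier=7, session_id="SNAS-0001",
                              session_time=3600, cause=1,
                              vendor_type=1, vendor_value=b"domain1")

if __name__ == "__main__":
    print("authenticator valid:", verify_acct_request(DEMO_PACKET, DEMO_SECRET))
    for attr_type, value in parse_attributes(DEMO_PACKET):
        if attr_type == VENDOR_SPECIFIC:
            print(attr_type, "vendor-id", vendor_of(value))
        else:
            print(attr_type, value)
```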
- Configuring the domain Table 16 Configuring local DHCP services /cfg/domain #/dhcp followed by: subnet Initiates a series of prompts that define the DHCP subnet. • number is a unique number between 1 and 256 that you provide and that the system uses to identify the subnet. The prompt is: Enter DHCP subnet number (1-256): • type is a Nortel SNAS term that defines the type of DHCP service.
- Configuring the domain 117 Table 16 Configuring local DHCP services (cont’d.) /cfg/domain #/dhcp followed by: vendopts Initiates a series of prompts that allow you to specify RFC 2132 vendor options. • number is a unique number between 1 and 254 that you provide and that the system uses to identify the vendor options. The prompt is: Enter vendor options number (1-254): • name refers to a name you provide for this set of vendor options.
 
- Configuring the domain • insert # IPaddressLower IPaddressUpper inserts a new range above the range having index number #. For example, if # is 3, the new range is assigned index number 3 and the current range with index number 3 is reassigned to index number 4. The lower and upper limits of the new range are defined by IPaddressLower and IPaddressUpper, respectively. • move #A #B changes the index number of range #A to #B and changes the index number of #B to #A. 
- Configuring the domain 119
  — direct all DNS requests to the Nortel SNAS
  — allow HTTP, HTTPS, ICMP, and DHCP traffic to access the Nortel SNAS subnet only
  • creating access control lists or filters on upstream routers for the yellow and green address ranges, to direct connection requests to appropriate network resources
  • configuring the router that serves the Nortel SNAS to relay DHCP requests to the Nortel SNAS management IP address (MIP); RFC 2131 server-to-server unicast messages are supported
- Configuring the domain Table 18 Hub DHCP subnet type (cont’d.) red Configures the IP address range and options for the red enforcement zone. See “DHCP Settings menu” (page 117). Enter the IP address range for the red enforcement zone. Enter the pVIP of the Nortel SNAS for the DNS address (option 6). It is recommended that you configure a short lease time (option 51). yellow Defines the yellow enforcement zone. See “DHCP Settings menu” (page 117). 
- Configuring the domain 121 Table 19 Filter DHCP subnet type type Displays the current DHCP subnet type and prompts you to change or reenter the type. Enter: filter. name Displays the current name of the subnet and prompts you to change or reenter the name. Enter a name. address Displays the current network address of the subnet and prompts you to change or reenter the address. Enter an address consistent with your network environment.
- Configuring the domain Table 20 Standard DHCP subnet type (cont’d.) address Displays the current network address of the subnet and prompts you to change or reenter the address. netmask Displays the current network mask of the subnet and prompts you to change or reenter the network mask. settings See “DHCP Settings menu” (page 117). ena Enables the subnet. dis Disables the subnet. del Deletes the subnet.
- Configuring the domain 123 Creation of the location To create the location, use the following command: /cfg/domain #/location Enter the location number. Creates the location #. Enter the name of the location. The Location menu appears. The Location menu includes the following options: /cfg/domain #/location followed by: name A string that specifies a unique location name. locations Manages switch IP and unit/port details. Options: • add—adds a switch and unit/port. • del
 
- Configuring the domain /cfg/domain/location/locations followed by: del Removes the location from the configuration. • index number—specify the index number. • unit/port—specify the Unit/Port. list Lists all the configured locations.
- Configuring the domain 125 /cfg/domain/patchlink followed by: del Deletes the patch link server from the patch link list. • index number—the identification number automatically assigned to the patch link server when you added it to the configuration. list Lists all patch link servers that have been added, by user name and password. ena Enables the patch link server. dis Disables the patch link server.
- . Configuration of the RADIUS server This chapter includes the following topics: Topic “Overview of RADIUS server” (page 127) “Roadmap of RADIUS server configuration commands” (page 128) “Configuration of the RADIUS server” (page 129) “Configuration of the client” (page 130) “Configuration of the realms” (page 131) “Configuration of the dictionary ” (page 133) “Configuration of the RADIUS accounting” (page 134) “Configuration of the RADIUS authentication methods” (page 134) “Configuration of the EAP a 
- Configuration of the RADIUS server Roadmap of RADIUS server configuration commands The following roadmap lists the Command Line Interface (CLI) commands to configure Remote Authentication Dial-In User Service (RADIUS). Use this list as a quick reference.
- Configuration of the RADIUS server. Roadmap (cont’d.), command followed by parameters:
  - (cont’d.) insert, move
  - /cfg/domain/radius/eapmethods: list, del, add, insert, move
  - /cfg/domain/radius/cert: current value, select the certificate
  - /cfg/domain/radius/cacert: current value, select the certificate
  Configuration of the RADIUS server To configure the RADIUS
- Configuration of the RADIUS server /cfg/domain/radius followed by: authentication port Specify the authentication port. Default value is 1812. accounting port Specify the accounting port. Default value is 1813. Configuration of the client To configure the client, use the following command: /cfg/domain/radius/clients The RADIUS Clients menu appears. 
- Configuration of the realms 131 /cfg/domain/radius/clients followed by: insert <index number> <client IP address> <shared secret> Inserts a client at a particular position in the list of clients in the configuration. • index number—specify the index number. • client IP address—specify the IP address of the client. • shared secret—the password used to authenticate the Nortel SNAS to the clients. move
- Configuration of the RADIUS server /cfg/domain/radius/realms followed by: del Removes the specified realm from the current configuration. The index numbers of the remaining entries adjust accordingly. • index number—the original index number of the client you want to remove. To view the index numbers of all configured clients, use the list command.
- Configuration of the dictionary 133 Configuration of the dictionary To configure the dictionary, use the following command: /cfg/domain/radius/dictionary The RADIUS Attribute Dictionary menu appears. The RADIUS Attribute Dictionary menu includes the following options: /cfg/domain/radius/dictionary followed by: default Sets the default RADIUS attribute configuration. import Imports the dictionary from a TFTP/FTP/SCP/SFTP server.
- Configuration of the RADIUS server /cfg/domain/radius/dictionary followed by: clear Clears all the vendor dictionaries. list Lists configured vendor dictionaries by index number. Configuration of the RADIUS accounting To configure the RADIUS accounting, use the following command: /cfg/domain/radius/accounting The RADIUS Accounting menu appears.
- Configuration of the RADIUS authentication methods 135 The RADIUS Authentication Methods menu appears. The RADIUS Authentication Methods menu includes the following options: /cfg/domain/radius/methods followed by: list Lists the authentication methods: 1. mac, 2. proxy, 3. acct, 4. pap, 5. chap, 6. mschapv1, 7. mschapv2, 8. eap. del Removes the specified methods from the current configuration. The index numbers of the remaining entries adjust accordingly.
- Configuration of the RADIUS server /cfg/domain/radius/methods followed by: insert Inserts a method at a particular position in the list. • index number—the identification number automatically assigned to the method when you added the method to the configuration; specify the index number. • method name—a string that must be unique. The maximum allowable length of the string is 255 characters, but Nortel recommends a maximum of 32 characters.
- Select the server certificate 137 /cfg/domain/radius/eapmethods followed by: del Removes the specified EAP method from the current configuration. The index numbers of the remaining entries adjust accordingly. add Adds an EAP method to the configuration.
- Configuration of the RADIUS server This includes the following options: /cfg/domain/radius/cert followed by: current value The current server certificate number appears. select the certificate Specify the server certificate number. The value ranges from 1 to 1500. The certificate number refers to certificates stored in the certificate repository. 
- . Configuration of Microsoft NAP Interoperability This chapter includes the following topics: Topic “Roadmap of NAP configuration commands” (page 139) “Configuration of NAP Interoperability” (page 140) “Probation Settings” (page 141) “Remote Network Policy Servers ” (page 142) “System Health Validators ” (page 143) “Configuration of Windows System Health Validator ” (page 144) Roadmap of NAP configuration commands The following roadmap lists the Command Line Interface (CLI) commands to configure Netw 
- Configuration of Microsoft NAP Interoperability. Roadmap (cont’d.), command followed by parameters:
  - (cont’d.) insert, move
  - /cfg/domain/nap/shvs: list, del, add, insert, move
  - /cfg/domain/nap/wshv: firewall on|off, autoupdate on|off, virus enabled true|false uptodate true|false, spyware enabled true|false uptodate true|false, secupdates
- Configuration of NAP Interoperability 141 Windows 802.1x Supplicant—The Nortel Health Agent integrated with the Microsoft NAP Agent provides a robust EAP supplicant for Windows Vista and XP Operating Systems. To configure the Network Access Protection (NAP), use the following command: cfg/domain/nap The NAP menu appears. The NAP menu includes the following options: cfg/domain/nap/ followed by: autorem Sets necessary updates to allow a noncompliant computer to become compliant. Values: false and true. 
- Configuration of Microsoft NAP Interoperability Remote Network Policy Servers To create the remote network policy servers, use the following command: cfg/domain/nap/servers The Remote Network Policy Servers menu includes the following options: cfg/domain/nap/servers followed by: list Lists the IP addresses of currently configured remote network policy servers, by index number. del Removes the specified remote network policy server from the current configuration.
- Configuration of NAP Interoperability 143 cfg/domain/nap/servers followed by: The index number you specify must be in use. The index numbers of existing servers with this index number and higher are incremented by 1. move Moves a server up or down the list of remote network policy servers in the configuration.
- Configuration of Microsoft NAP Interoperability cfg/domain/nap/shvs followed by: insert Inserts a system health validator at a particular position in the configuration. • index number—the index number you want the system health validator to have. • vendor ID—specify the vendor ID you are adding. • component ID—specify the component ID. • module name—specify the module name. The index number you specify must be in use.
- Configuration of NAP Interoperability 145 cfg/domain/nap/wshv followed by:
  - virus: Virus Protection. • antivirus—Enables or disables the antivirus. Values: true and false; default: false. • uptodate—Specifies whether the antivirus is up to date or not. Values: true and false; default: true.
  - spyware: Spyware Protection. • antispy—Enables or disables the antispyware.
  - secupdates
- Configuration of Microsoft NAP Interoperability cfg/domain/nap/wshv followed by: This setting is only applicable when Security Updates Protection is "true." default: important • lastsync—designates the duration of time allowed to pass since the Windows endpoint last updated its own copy of its Windows security update list from its security update source (Windows Update or Windows Server Update Service).
- Configuration of NAP Interoperability 147 cfg/domain/nap/wshv followed by: default: false autoupdate Enables or disables the automatic updates. Values: on and off default: on
- . Configuring groups and profiles This chapter includes the following topics: Topic “Overview” (page 149) “Groups” (page 150) “Linksets” (page 151) “SRS rule” (page 151) “Extended profiles” (page 151) “Before you begin” (page 152) “Configuring groups and extended profiles” (page 153) “Roadmap of group and profile commands” (page 153) “Configuring groups” (page 156) “Configuring client filters” (page 162) “Configuring extended profiles” (page 164) “Mapping linksets to a group or profile” (page 167) “Cr 
- Configuring groups and profiles Groups The Nortel SNAS determines which VLANs users are authorized to access, based on group membership. When a user logs on to the Nortel SNAS domain, the authentication method returns the group name associated with the user’s credentials. The Nortel SNAS then maps the user to groups defined on the Nortel SNAS. You can define up to 1023 groups in the Nortel SNAS domain. 
- Overview 151 Linksets A linkset is a set of links that display on the portal page, so that the user can easily access internal or external web sites, servers, or applications. After the user has been authenticated, the user’s portal page displays all the linksets associated with the group to which the user belongs. The user’s portal page also displays all the linksets associated with the user’s extended profile.
- Configuring groups and profiles Each extended profile references a client filter in a one-to-one relationship. With Nortel Secure Network Access Switch Software Release 1.6.1, you can configure the Nortel Health Agent check result as the criterion for the client filters, in order to establish the user’s security status. The client filter referenced in the extended profile determines whether the extended profile data will be applied to the user. 
- Configuring groups and extended profiles 153 Table 22 Group names in the Nortel SNAS and authentication services Authentication method Group name on the Nortel SNAS must correspond to... RADIUS A group name defined in the vendor-specific attribute used by the RADIUS server. Contact your RADIUS system administrator for information. LDAP A group name defined in the LDAP group attribute used by the LDAP server. Contact your LDAP system administrator for information. 
- Configuring groups and profiles. Table 23 Roadmap of CLI commands, command followed by parameters:
  - /cfg/domain #/aaa/group: name, restrict, srs, agentmode, mactrust, enftype, macreg, reguser, admrights, comment, del
  - /cfg/domain #/aaa/filter: name, srs, comment, del
  - /cfg/domain #/aaa/group
- Configuring groups and extended profiles 155 Table 23 Roadmap of CLI commands (cont’d. 
- Configuring groups: To create and configure a group, use the following command: /cfg/domain #/aaa/group <group ID>, where group ID is an integer in the range 1 to 1023 that uniquely identifies the group in the Nortel SNAS domain. When you first create the group, you must enter the group ID. After you have created the group, you can use either the ID or the name to access the group for configuration.
- Table 24 Configuring groups. /cfg/domain #/aaa/group # followed by: name <name>: names or renames the group. After you have defined a name for the group, you can use either the group name or the group ID to access the Group menu. name is a string that must be unique in the domain; the maximum length of the string is 255 characters. The group name must match a group name used by the authentication services.
- Table 24 Configuring groups (cont'd.). /cfg/domain #/aaa/group # followed by: srs: specifies the preconfigured Nortel Health Agent SRS rule to apply to the group. For information about configuring SRS rules using the SREM, see Nortel Secure Network Access Switch 4050 User Guide for the SREM (NN47230-101). You cannot configure SRS rules in the CLI. mactrust: sets the authentication and integrity checking requirements.
- Table 24 Configuring groups (cont'd.). agentmode: establishes the Nortel Health Agent monitoring mode. Select continuous for cyclic monitoring of the endpoint by Nortel Health Agent; the user must keep the initial browser window open for the duration of the session. Select runonce for one cycle of checking only.
- Table 24 Configuring groups (cont'd.). enftype: establishes the enforcement type for NSNA network access devices, that is, devices that support SSCP. filter-only indicates that the Red, Yellow, and Green enforcement zones are specified by filters within the Red VLAN. vlan-filter indicates that the enforcement zones are specified by filters applied to unique Red, Yellow, and Green VLANs.
- Table 24 Configuring groups (cont'd.). User access to the network is denied when the administrative rights parameter is active and the username/password configuration is invalid. Use reset to remove the admrights username and password, that is, as if they had never been configured. comment: sets a comment for the group. del: removes the group from the Nortel SNAS domain.
- Table 25 Configuring group 1. /cfg/domain #/aaa/group 1/cachepass. Usage: cachepass true|false. Table 26 Configuring group 1. /cfg/domain #/aaa/group 1/syscredent/ followed by: user: sets the system username. passwd: sets the system password. prevuser: sets the system's previous username. prevpasswd: sets the system's previous password. actdate: sets the effective date of the new password.
- ATTENTION: If you ran the quick setup wizard during initial setup, two client filters have been created: nha_passed (filter ID = 1) and nha_failed (filter ID = 2). The Client Filter menu includes the following options: Table 27 Configuring client filters. /cfg/domain #/aaa/filter <filter ID> followed by: name <name>: names or renames the filter.
- Figure 6 "Client Filter menu commands" (page 164) shows sample output for the /cfg/domain #/aaa/filter <filter ID> command and for the commands on the Client Filter menu.
- The Extended Profile menu appears. ATTENTION: If you ran the quick setup wizard during initial setup, two extended profiles have been created: profile ID 1, associated with client filter nha_failed, and profile ID 2, associated with client filter nha_passed.
- Figure 7 Extended Profile menu commands. Adding RADIUS attributes to a group: To add a RADIUS attribute to a group, access the Group RADIUS Attributes menu from the Group menu. Use the following command: /cfg/domain #/aaa/group #/radattr. The Group RADIUS Attributes menu appears.
- Table 29 Configure RADIUS Attributes (cont'd.). /cfg/domain #/aaa/group #/radattr followed by: insert: inserts a RADIUS attribute at a particular position in the list. move: moves a RADIUS attribute entry up or down the list; the index numbers of the remaining entries adjust accordingly.
- To map a linkset to a group, access the Linksets menu from the Group menu. Use the following command: /cfg/domain #/aaa/group #/linkset. To map a linkset to an extended profile, access the Linksets menu from the Extended Profile menu. Use the following command: /cfg/domain #/aaa/group #/extend #/linkset. The Linksets menu appears.
- Figure 9 Linksets menu commands. Creating a default group: To create a default group, first create a group with extended profiles mapped to a restrictive VLAN (see "Configuring groups" (page 156) and "Configuring extended profiles" (page 164)). Then use the following command to make this group the default group: /cfg/domain #/aaa/defgroup.
- Nortel Secure Network Access Switch Using the Command Line Interface NN47230-100 03.01 Standard 28 July 2008 Copyright © 2007, 2008 Nortel Networks.
- Configuring authentication. This chapter includes the following topics: "Overview" (page 171); "Before you begin" (page 172); "Configuring authentication" (page 174); "Roadmap of authentication commands" (page 174); "Configuring authentication methods" (page 177); "Configuring advanced settings" (page 179); "Configuring RADIUS authentication" (page 180); "Configuring LDAP authentication" (page 187); "Configuring local database authentication" (page 200); "Specifying authentication fallback order" (page
- ATTENTION: If you ran the quick setup wizard during initial setup, the Local database authentication method has been created as Authentication 1. You can configure more than one authentication method within a Nortel SNAS domain. You determine the default order in which the methods are applied. Client credentials are checked against the authentication databases, in that order, until the first match is found.
- Before you begin: c. An MS IAS RADIUS server may require vendor parameters to be configured on the Microsoft Management Console (MMC). 4. To configure external authentication, you require the following information about the authentication server configuration: a. RADIUS servers: server IP address; port number used for the service; shared secret; Vendor-Id attribute; Vendor-Type. ATTENTION: You can assign vendor-specific codes to the Vendor-Id and Vendor-Type attributes.
- Configuring authentication: The basic steps for configuring and managing client authentication are: Step 1: Create the authentication methods. Step 2: Configure specific settings for the methods. Step 3: Specify the order in which the authentication methods are applied. Perform this step even if you define only one method on the Nortel SNAS.
- Table 31 Roadmap of CLI commands (cont'd.): export; clear; /cfg/domain #/aaa/authorder [,]. Configuring authentication methods: To create and configure an authentication method, use the following command: /cfg/domain #/aaa/auth <auth ID>, where auth ID is an integer in the range 1 to 63 that uniquely identifies the authentication method in the Nortel SNAS domain.
- Table 32 Configuring Authentication (cont'd.). /cfg/domain #/aaa/auth <auth ID> followed by: name <name>: names or renames the method. After you have defined a name for the method, you can use either the method name or the auth ID to access the Authentication menu. name is a string that must be unique in the domain. The maximum allowable length of the string is 255 characters, but Nortel recommends a maximum of 32 characters.
- Configuring advanced settings: You can configure the Nortel SNAS domain to use one method for authentication and another for authorization. For example, suppose three authentication methods are configured for the domain: Local (auth ID 1), RADIUS (auth ID 2), and LDAP (auth ID 3), and the user groups are stored in an LDAP database. You can configure the domain so that the Local and LDAP methods are used for authorization after users have been authenticated by RADIUS.
- /cfg/domain #/aaa/auth #/adv followed by: servers in cases where the first authentication method is token based or uses client certificate authentication. ATTENTION: Not supported in Nortel Secure Network Access Switch Software Release 1.6.1.
- Adding the RADIUS authentication method: The command to create the authentication ID launches a wizard. When prompted, enter the following information. You can later modify all settings for the specific RADIUS configuration (see "Configuring authentication methods" (page 177) and "Modifying RADIUS configuration settings" (page 182)). authentication type: options are radius|ldap|ntlm|siteminder|cleartrust|cert|rsa|local. Enter radius.
- The Authentication menu appears. Figure 10 "Authentication menu commands—RADIUS" (page 182) shows sample output for the RADIUS method for the /cfg/domain #/aaa/auth <auth ID> command and for the commands on the Authentication menu. Figure 10 Authentication menu commands—RADIUS. Modifying RADIUS configuration settings: To modify settings for the authentication method itself, see "Configuring authentication methods" (page 177).
- Table 34 Configuring authentication methods. /cfg/domain #/aaa/auth #/radius followed by: servers: accesses the RADIUS servers menu, in order to manage the external RADIUS servers configured for the domain (see "Managing RADIUS authentication servers" (page 184)). vendorid: specifies the vendor-specific attribute used by the RADIUS server to send group names to the Nortel SNAS. The default Vendor-Id is 1872 (Alteon).
- Table 34 Configuring authentication methods (cont'd.). /cfg/domain #/aaa/auth #/radius followed by: domaintype: specifies the Vendor-Type value used in combination with the Vendor-Id to identify the domain. The default is 3. authproto pap|chapv2: specifies the protocol used for communication between the Nortel SNAS and the RADIUS server.
- To manage the RADIUS servers used for client authentication in the domain, use the following command: /cfg/domain #/aaa/auth #/radius/servers. The RADIUS servers menu appears and includes the following options: Table 35 RADIUS authentication servers. /cfg/domain #/aaa/auth #/radius/servers followed by: list: lists the IP address, port, and shared secret of the currently configured RADIUS authentication servers, by index number.
- Table 35 RADIUS authentication servers (cont'd.). /cfg/domain #/aaa/auth #/radius/servers followed by: insert: inserts a server at a particular position in the list of RADIUS authentication servers in the configuration. index number: the index number you want the server to have. IPaddr: the IP address of the authentication server you are adding. The index number you specify must be in use.
- Table 36 Configuring session timeout. /cfg/domain #/aaa/auth #/radius/sessiontim followed by: vendorid: specifies the vendor-specific attribute used by the RADIUS server to send a session timeout value to the Nortel SNAS. The default Vendor-Id is 0. With the Vendor-Type also set to 0 (the default value), the RADIUS server sends the standard attribute for session timeout.
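The two RADIUS settings described above, the Vendor-Id that carries group names and the session-timeout attribute, determine which parts of an Access-Accept the SNAS actually trusts. The Python below is an added example, not Nortel code: it decodes a constructed Access-Accept attribute list, honours the group name only when the vendor-specific attribute comes from the configured Vendor-Id (1872, the Alteon default), and reads the standard Session-Timeout attribute when the sessiontim vendorid and vendortype are left at 0. The vendor-type number used for the group name (GROUP_VTYPE = 1) is an assumption, since this page does not state it.

```python
"""Decode the RADIUS attributes the SNAS consumes after authentication:
the vendor-specific attribute (VSA) carrying the group name, and the
session timeout. Constructed example; GROUP_VTYPE is an assumption."""
import struct

ATTR_VSA = 26              # RFC 2865 Vendor-Specific attribute
ATTR_SESSION_TIMEOUT = 27  # RFC 2865 Session-Timeout (32-bit seconds)
ALTEON_VENDOR_ID = 1872    # SNAS default Vendor-Id for group names
GROUP_VTYPE = 1            # assumed Vendor-Type carrying the group name


def parse_attributes(blob):
    """Split a RADIUS attribute list into (type, value) pairs, validating lengths."""
    attrs, off = [], 0
    while off < len(blob):
        if off + 2 > len(blob):
            raise ValueError("truncated attribute header at offset %d" % off)
        atype, alen = blob[off], blob[off + 1]
        if alen < 2 or off + alen > len(blob):
            raise ValueError("bad attribute length %d at offset %d" % (alen, off))
        attrs.append((atype, bytes(blob[off + 2:off + alen])))
        off += alen
    return attrs


def parse_vsa(value):
    """Decode a VSA value: Vendor-Id (4 bytes), then Vendor-Type, Vendor-Length, data."""
    if len(value) < 6:
        raise ValueError("VSA shorter than the 6-byte minimum")
    vendor_id = struct.unpack("!I", value[:4])[0]
    vtype, vlen = value[4], value[5]
    if vlen < 2 or 4 + vlen > len(value):
        raise ValueError("bad Vendor-Length %d" % vlen)
    return vendor_id, vtype, value[6:4 + vlen]


def extract_authorization(blob, vendor_id=ALTEON_VENDOR_ID, group_vtype=GROUP_VTYPE,
                          timeout_vendor_id=0, timeout_vtype=0):
    """Return {'group': str or None, 'session_timeout': int or None}.

    Mirrors the two SNAS settings: /radius vendorid selects whose VSA carries the
    group name; /radius/sessiontim vendorid and vendortype both 0 means the standard
    Session-Timeout attribute is used instead of a vendor-specific one.
    """
    result = {"group": None, "session_timeout": None}
    for atype, value in parse_attributes(blob):
        if atype == ATTR_SESSION_TIMEOUT and timeout_vendor_id == 0 and timeout_vtype == 0:
            if len(value) != 4:
                raise ValueError("Session-Timeout must be 4 bytes")
            result["session_timeout"] = struct.unpack("!I", value)[0]
        elif atype == ATTR_VSA:
            vid, vtype, data = parse_vsa(value)
            # Only the configured vendor's attribute may set the group; a VSA from
            # any other Vendor-Id is ignored rather than trusted.
            if vid == vendor_id and vtype == group_vtype:
                result["group"] = data.decode("utf-8", errors="strict")
            elif timeout_vendor_id and vid == timeout_vendor_id and vtype == timeout_vtype:
                if len(data) != 4:
                    raise ValueError("vendor session timeout must be 4 bytes")
                result["session_timeout"] = struct.unpack("!I", data)[0]
    return result


def build_attr(atype, value):
    """Encode one Type-Length-Value attribute (Length counts the 2 header bytes)."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([atype, len(value) + 2]) + value


def build_vsa(vendor_id, vtype, data):
    """Encode a Vendor-Specific attribute wrapping a vendor sub-TLV."""
    sub = bytes([vtype, len(data) + 2]) + data
    return build_attr(ATTR_VSA, struct.pack("!I", vendor_id) + sub)


# Constructed Access-Accept attributes: Alteon group VSA plus standard Session-Timeout.
SAMPLE_ACCEPT = (build_vsa(ALTEON_VENDOR_ID, GROUP_VTYPE, b"engineering")
                 + build_attr(ATTR_SESSION_TIMEOUT, struct.pack("!I", 3600)))
# Same group name sent under a different Vendor-Id: must not be honoured.
SAMPLE_FOREIGN = build_vsa(9, GROUP_VTYPE, b"engineering")

if __name__ == "__main__":
    print(extract_authorization(SAMPLE_ACCEPT))
    print(extract_authorization(SAMPLE_FOREIGN))
```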
- Adding the LDAP authentication method: The command to create the authentication ID launches a wizard. When prompted, enter the following information. For more information about the parameters, see searchbase. You can later modify all settings for the specific LDAP configuration (see "Configuring authentication methods" (page 177) and "Modifying LDAP configuration settings" (page 189)). authentication type: options are radius|ldap|local. Enter ldap.
- isdBindPassword: used to authenticate the Nortel SNAS to the LDAP server. The isdBindPassword is the password, configured in the Schema Admins account, for the entry referenced in isdBindDN. enable LDAPS: if true, LDAP requests between the Nortel SNAS and the LDAP server occur over a secure SSL connection. The default is false. Retain the default value or reset to false. The Authentication menu appears.
- To modify settings for the specific LDAP configuration, use the following command: /cfg/domain #/aaa/auth #/ldap. The LDAP menu appears and includes the following options: Table 37 Configuring LDAP settings. /cfg/domain #/aaa/auth #/ldap followed by: servers: accesses the LDAP servers menu, in order to manage the external LDAP servers configured for the domain (see "Managing LDAP authentication servers" (page 193)). searchbase: sets the search base entry.
- Table 37 Configuring LDAP settings (cont'd.). /cfg/domain #/aaa/auth #/ldap followed by: login name is bill. If the user attribute is defined as sAMAccountName, the user record for Bill Smith will be found. The isdbinddn and isdbindpas parameters are required so that the Nortel SNAS can authenticate itself to the LDAP server in order to search the DIT.
- Table 37 Configuring LDAP settings (cont'd.). ldapscert: specifies the certificate number. enauserpre true|false: enables or disables storage of user preferences in an external LDAP/Active Directory database. true: storage and retrieval of user preferences is enabled; when the client logs out from a portal session, the Nortel SNAS saves any user preferences accumulated during the session in the isdUserPrefs attribute.
- Table 37 Configuring LDAP settings (cont'd.). enashortgr: enables the short group format, which configures the NVG to extract the first part of a returned Distinguished Name (DN) as the group name to be used. This makes it easier to configure the group name in the VPN than configuring the entire DN string as the group name. groupsearc: accesses the LDAP Group Search menu. adv: accesses the Advanced LDAP menu.
- The LDAP servers menu includes the following options: Table 38 Managing LDAP authentication servers. /cfg/domain #/aaa/auth #/ldap/servers followed by: list: lists the IP address and port of the currently configured LDAP servers, by index number. del <index number>: removes the specified LDAP server from the current configuration; the index numbers of the remaining entries adjust accordingly. To view the index numbers of all configured LDAP servers, use the list command.
- Table 38 Managing LDAP authentication servers (cont'd.). The index number you specify must be in use. The index numbers of existing servers with this index number and higher are incremented by 1. move: moves a server up or down the list of LDAP servers in the configuration.
- Table 39 Managing LDAP macros (cont'd.). /cfg/domain #/aaa/auth #/ldap/ldapmacro followed by: del <index number>: removes the specified LDAP macro from the current configuration; the index numbers of the remaining entries adjust accordingly. To view the index numbers of all configured LDAP macros, use the list command. add [] []: adds an LDAP macro to the configuration.
- Table 39 Managing LDAP macros (cont'd.). The index number you specify must be in use. The index numbers of existing macros with this index number and higher are incremented by 1. move: moves a macro up or down the list of macros in the configuration.
- Table 40 Group Search Configuration (cont'd.). memberattr: defines the LDAP attribute that holds the group member's name. The default value is uniqueMember. ena: enables the group search feature. dis: disables the group search feature. Managing Active Directory passwords: You can set up a mechanism for clients to change their passwords when the passwords expire. Step 1: Define a user group in the Local database for users whose passwords have expired.
- Table 41 Managing Active Directory passwords. /cfg/domain #/aaa/auth #/ldap/activedire followed by: enaexpired true|false: specifies whether the system performs a password-expired check. true: the system performs a password-expired check against Active Directory when the client logs on. false: the system does not perform a password-expired check against Active Directory when the client logs on.
- Table 42 Configuring Advanced LDAP Settings. /cfg/domain #/aaa/auth #/ldap/adv followed by: enaxfilter true|false: enables or disables the extra search filter. true: the search filter is enabled; specify the desired attribute and value using the commands below. false: the search filter is disabled. The default value is false. xfilteratt: sets the desired attribute when searching for user records.
- Step 5: Set the authentication order (see "Specifying authentication fallback order" (page 209)). --End-- Adding the local database authentication method: To create the Local database authentication method, use the following command: /cfg/domain #/aaa/auth <auth ID>, where auth ID is an integer in the range 1 to 63 that uniquely identifies the authentication method in the Nortel SNAS domain. If you do not specify the auth ID in the command, you are prompted for it.
- password (passwd): the password that applies to the user you specified. group name: the name of the group to which the specified user belongs. The group must exist in the Nortel SNAS domain. To view the available group names, press TAB. ATTENTION: The prompt implies that you can enter multiple group names for a user, but the Nortel SNAS does not allow membership in multiple groups.
- You can add users to the database in two ways: manually, using the /cfg/domain #/aaa/auth #/local/add command; or by importing a database, using the /cfg/domain #/aaa/auth #/local/import command. ATTENTION: The imported database overwrites existing entries in the local database. You can use the local database for authorization only, after an external authentication server has authenticated the user.
- Table 43 Managing the local portal database (cont'd.). prompted for the user name and password you define for the database. password: the password that applies to the user you specified. To use the local database for authorization only, after an external authentication server has authenticated the user, enter an asterisk (*). group: the name of the group to which the specified user belongs. The group must exist in the NSNAS domain.
- Table 43 Managing the local portal database (cont'd.). import: imports a database from the specified TFTP/FTP/SCP/SFTP file exchange server. You are prompted to provide the following information: protocol is the import protocol; options are tftp|ftp|scp|sftp. server is the host name or IP address of the server. filename is the name of the database file on the server. key is the password key for user password protection.
- Table 43 Managing the local portal database (cont'd.). export: exports the local database to the specified TFTP/FTP/SCP/SFTP file exchange server. You are prompted to provide the following information: protocol is the export protocol; options are tftp|ftp|scp|sftp. server is the host name or IP address of the server. filename is the name of the destination database file on the server (for example, db.txt).
- You can add MAC addresses to the database in three ways: using the /cfg/domain #/aaa/auth #/macdb/add command; using the /cfg/domain #/aaa/auth #/macdb/import command to import a properly formatted file; or using the MAC Registration portal provided at login when a user belongs to a group with macreg set to True (/cfg/domain #/aaa/group #/macreg). To manage MAC addresses and associated parameters, use the following command: /cfg/domain #/aaa/auth #/macdb.
- Table 44 Managing the local MAC database (cont'd.). Enter apply when the MAC database# prompt appears. Duplicate and wildcard MAC addresses are not supported in NSNA release 1.6.1. del: deletes the specified MAC address from the database. list: lists all entries in the MAC database. show: shows a particular MAC entry from the MAC database. import: imports a database from the specified TFTP/FTP/SCP/SFTP file exchange server.
- Step 1: Log in to the network. Step 2: Click the MAC Register tab. The MAC Registration interface appears. Step 3: Complete the form. Step 4: Click the Register button. A confirmation message is returned indicating that the MAC address has been registered. Step 5: Click the Done button. Repeat to add or modify another MAC address. --End-- Additions or modifications to the MAC database do not affect current sessions.
- To view the currently configured authentication methods and their corresponding authentication IDs, use the /cfg/domain #/aaa/cur command. For example: you have configured Local database authentication under auth ID 1, RADIUS authentication under auth ID 2, and LDAP authentication under auth ID 3. You want the Nortel SNAS to check the local database first, then send requests to the LDAP server, then to the RADIUS server.
- Managing system users and groups. This chapter includes the following topics: "User rights and group membership" (page 211); "Managing system users and groups" (page 212); "Roadmap of system user management commands" (page 212); "Managing user accounts and passwords" (page 213); "Managing user settings" (page 216); "Managing user groups" (page 217); "CLI configuration examples" (page 218). User rights and group membership: There are three groups of system users who routinely access the system for conf
- Table 45 Group membership and user rights. Rights are listed per group as: account; system rights (add user, delete user); group rights (add user, delete user); password rights (change own, change others). admin group (account admin): add user Yes; delete user Yes; add to group Yes, to own group; delete from group Yes; change own password Yes; change others' passwords Yes, if Admin is a member of the other user's first group. certadmin group (account admin): add user No; delete user No; add to group Yes, to own group; delete from group No; change own password Yes; change others' passwords No. oper group (accounts oper, admin): add user No; delete user No; add to group Yes, to own group; delete from group No; change own password Yes; change others' passwords No. Managing system users and groups: To manage system users and groups
- Table 46 Roadmap of system user commands. /cfg/sys/user, with parameters password and expire. Table 47 Managing user accounts and passwords (cont'd.). /cfg/sys/user followed by: expire.
- Table 47 Managing user accounts and passwords (cont'd.). /cfg/sys/user followed by: add <user name>: adds a user account to the system. The maximum length of the user name is 255 characters; no spaces are allowed. After adding a user account, you must also assign the user account to a group (see "Managing user groups" (page 217)). You must have administrator rights in order to add user accounts.
- Table 47 Managing user accounts and passwords (cont'd.). ATTENTION: The caphrase menu command is displayed only when the logged-on user is a member of the certadmin group. Managing user settings: You must have administrator rights in order to change a user's settings. You must also be a member of the other user's first group (the first group listed for the other user when you use the /cfg/sys/user/edit <user name>/groups/list command).
- Managing user groups: All users must belong to at least one group. Only an administrator user can add a new user account to the system, but any user can grant an existing user membership in a group to which the granting user belongs. By default, the administrator user is a member of all three built-in groups (admin, oper, certadmin) and can therefore add a new user to any of these groups.
- CLI configuration examples: This section includes the following detailed examples: "Adding a new user" (page 218); "Changing a user's group assignment" (page 221); "Changing passwords" (page 223), comprising "Changing your own password" (page 223) and "Changing another user's password" (page 224); "Deleting a user" (page 225). Adding a new user: To add a new user to the system, you must be a member of the admin group.
- The maximum length for a user name is 255 characters. No spaces are allowed. Each time the new user logs in to the Nortel SNAS cluster, the user must enter the name you designate as the user name in this step. >> User# add Name of user to add: cert_admin (maximum 255 characters, no spaces) Step 4: Assign the new user to a user group. You can only assign a user to a group in which you yourself are a member.
- >> Groups# /cfg/sys/user >> User# edit cert_admin >> User cert_admin# password Enter admin's current password: (admin user password) Enter new password for cert_admin: (cert_admin user password) Re-enter to confirm: (reconfirm cert_admin user password) Step 7: Apply the changes. >> User cert_admin# apply Changes applied successfully. Step 8: Let the Certificate Administrator user define an export passphrase.
- Step 9: Remove the admin user from the certadmin group. Again, this step is only necessary if you want to fully separate the Certificate Administrator user role from the Administrator user role. Note, however, that once the admin user is removed from the certadmin group, only a user who is already a member of the certadmin group can grant the admin user certadmin group membership anew.
- Step 1: Log on to the Nortel SNAS cluster. In this example the cert_admin user, who is a member of the certadmin group, adds the admin user to the certadmin group. The example assumes that the admin user previously removed himself or herself from the certadmin group, in order to fully separate the Administrator user role from the Certificate Administrator user role. login: cert_admin Password: (cert_admin user password) Step 2: Access the User Menu.
- >> Groups# list Old: 1: admin 2: oper Pending: 1: admin 2: oper 3: certadmin >> Groups# apply --End-- Changing passwords. Changing your own password: All users can change their own password. Login passwords are case sensitive and can contain spaces. Step 1: Log on to the Nortel SNAS cluster by entering your user name and current password. login: cert_admin Password: (cert_admin user password) Step 2: Access the User Menu.
- >> User# passwd Enter cert_admin's current password: (current cert_admin user password) Enter new password: (new cert_admin user password) Re-enter to confirm: (reconfirm new cert_admin user password) Password changed.
- >> User cert_admin# password Enter admin's current password: (admin user password) Enter new password for cert_admin: (new password for user being edited) Re-enter to confirm: (confirm new password for user being edited) Step 5: Apply the changes. >> User cert_admin# apply Changes applied successfully. --End-- Deleting a user: To delete a user from the system, you must be a member of the admin group. By default, only the admin user is a member of the admin group.
- In this example, the cert_admin user is removed from the system. To list all users currently added to the system configuration, use the list command. >> User# del cert_admin Step 4: Verify and apply the changes. The imminent removal of the cert_admin user is indicated as a pending configuration change by the minus sign (-). To cancel a configuration change that has not yet been applied, use the revert command.
- Customizing the portal and user logon. This chapter includes the following topics: "Overview" (page 227); "Captive portal and Exclude List" (page 228); "Portal display" (page 230); "Managing the end user experience" (page 237); "Customizing the portal and logon" (page 238); "Roadmap of portal and logon configuration commands" (page 238); "Configuring the captive portal" (page 240); "Configuring the Exclude List" (page 240); "Changing the portal language" (page 241); "Configuring the portal display" (pag
- "Macros" (page 235); "Automatic redirection to internal sites" (page 236); "Examples of redirection URLs and links" (page 236); "Managing the end user experience" (page 237). Captive portal and Exclude List: When the Nortel SNAS is configured to function as a captive portal, the Nortel SNAS acts as a DNS proxy while clients are in the Red VLAN.
- windowsupdate.com; windowsupdate.microsoft.com; download.windowsupdate.microsoft.com. For information about configuring the Exclude List, see "Configuring the Exclude List" (page 240). Table 50 "Allowed regular expressions and escape sequences" (page 229) lists the regular expressions and escape sequences you can use in an Exclude List entry. The set of allowable regular expressions is a subset of the set found in egrep and in the AWK programming language.
- Figure 14 Default appearance of the portal Home tab. Colors: There are four colors used on the portal page: color1, the large background area below the tabs; color2, the background area behind the tab labels; color3, the fields, information area, and clean icons on the active tab; color4, not used. There are five optional color themes. The themes are predefined sets of web-safe colors that complement each other.
- You can change the individual colors, but Nortel recommends using the color themes to change the look and feel of the portal page. If you change the portal colors, use colors that are considered web safe. Also consider how the applied colors fit with your company logo and brand. The colors are specified using hexadecimal codes. Table 51 "Common colors, with hexadecimal codes" (page 232) lists the hexadecimal values for some commonly used web-safe colors.
- For examples of how you can use macros to configure links and redirection to internal sites, see "Automatic redirection to internal sites" (page 236). Self-service portal: The Nortel SNAS self-service portal provides a web-based 'help desk' where users can collect information about their network connection, compliance, and user status, and where guest access can be provisioned for users. The portal can be customized by using localized language files.
- ATTENTION: Do not translate the entries under msgid (message id). There are useful open-source software tools for translating po files. Search for "po files editor" in your web search engine to find tools that run on Windows and Unix.
- The linkset autorun feature is similar to the portal feature that allows automatic redirection to internal sites (see "Automatic redirection to internal sites" (page 236)). The linkset feature allows more granular control of this functionality. Also, unlike the linkset autorun feature, the automatic redirection feature does not open the link in a new browser window.
- Automatic redirection to internal sites: You can configure the portal to automatically redirect authenticated clients to an internal site. Unlike the linkset autorun feature, automatic redirection does not open a new browser window. Rather, it replaces the default Home page in the internal frame on the portal browser page. As long as the browser remains open, the session remains logged in.
- Table 52 Examples of redirection URLs and link text (cont'd.). Purpose: Redirect clients to different sites, depending on their group membership (deptA or deptB). Redirection URL or link text: Linktext (static text) entry: