
365-360-005 Enterprise Network Solution User Guide, Issue 1.0


Contents

1. Table 11-5 User Name Parsing Delimiters

   Field | Description | Type | Value
   Realm delimiter characters | Enter the realm delimiter characters. Specifies a list of characters, in search order, used to parse the user name into a user and a realm. By default the realm is the left-hand value and the user is the right-hand value, unless the delimiter is found in the "Delimiters for realm on right side" value. | Text | Default value
   Delimiters for realms on the right-hand side | Enter the delimiters for realms on the right-hand side. Specifies that the realm is the right-hand value and the user is the left-hand value of the parsed user name. This list is not a subset of the Realm Delimiter characters. | Text | Default value

   Result: The configured values are displayed on the User Name Parsing Delimiters panel.

   Configure timeout properties of policy server
   Purpose: Use this procedure to configure the timeout properties of the policy server.
   Procedure
   1 From the SMT navigation pane, select Configuration Tools > Server Properties.
     Result: The Server Properties window opens.
   2 Select Timeouts.
     Result: The Timeout Properties panel opens.

   (Page footer: Alcatel-Lucent 8950 AAA Release 6.6.1, 365-360-005, Issue 1.0, June 2010)
2. [Figure: supplicant, authenticator (Network Access Server, NAS) and backend authentication server (RADIUS server); TLS handshake phase with certificate exchange]

   Role of Certificate Manager
   A Certificate Manager functions as a root or subordinate certificate authority. This subsystem issues, renews and revokes certificates and generates Certificate Revocation Lists (CRLs). The Certificate Manager publishes certificates to an LDAP directory and to files, and CRLs to an LDAP directory or a file. The Certificate Manager is configured to accept requests from end entities, Registration Managers, or both. The Certificate Manager can process requests either manually (that is, with the aid of a human being) or automatically, based entirely on customizable policies and procedures. When set up to work with a separate Registration Manager, the Certificate Manager processes requests and returns the signed certificates to the Registration Manager for distribution to the end entities.

   8950 AAA and certificates
   8950 AAA does not issue any certificates. An external Certificate Authority (CA) issues the certificates. The 8950 AAA checks the certificates as part of the authentication process. Microsoft CA is used in the Enterprise environment, although 8950 AAA can use other third-party CAs.

   Certificate management: Generate certificates for AAA using a third-party CA
   The 8950 AAA server is
3. (Table of contents, continued)
   ... 119
   11 8950 AAA policy server 123
      8950 AAA policy server 123
      Start 124
         From the SMT 124
         From the command line window 125
         As Windows service 125
      Configure 8950 AAA protocol properties for policy server 127
      Configure delimiters for policy server 134
      Configure timeout properties of policy server 136
   12 8950 AAA Configuration server 139
      8950 AAA configuration server 139
      Configuration server properties 140
   13 Derby database 143
      Database configuration 143
      Configure DB replication 146
   Part V 8950 AAA management 151
   14 Remote configuration 153
      8950 AAA remote configuration 153
      ... 155
      Add file ... 158
      Edit file ... 163
      Delete file entry 163
   15 Certificate management 165
      Certificates 165
      Need for certificates
4. Machine authentication
   5 Click Object Types.
     Result: The Object Types window opens.
     Figure 15-14 Object Types (screenshot listing Built-in security principals, Groups and Users)
   6 Check Groups and click OK.
     Figure 15-15 Select Users or Groups (screenshot)
   7 Enter Domain Computers in the text box and click OK.
     Result: The policy window displays the updated content.
     Figure 15-16 Local Security Setting (screenshot of the "Access this computer from the network" setting with the Add User or Group and Remove buttons; the dialog warns that modifying this setting may affect compatibility with clients, services and applications)
   8 Click Apply and OK to save the changes. Accept all warnings.
   9 Double-click Act as part of operating system in Figure 15-11.
   10 Click Add User or Group.
      Result: A dialog box to add or select users and groups opens.
   11 Enter the domain and the username.
      Note: This user has the rights to call Windows APIs.
      Figure 15-17 Select Users or Groups (screenshot)
5. Vendor specific attributes: Add vendor specific attributes to the dictionary (Table 10-1, continued)

   Field | Description | Type | Value
   Hidden | If set to true, the value of this attribute is not displayed in the server and accounting logs. | Boolean | Default value: No
   Internal | If set to true, this attribute is marked as an internal attribute and is used only in 8950 AAA. | Boolean | Default value: No
   Reject Ok | Unless set to true, this attribute is not included in a RADIUS access reject. | Boolean | Default value: No
   Challenge Ok | Unless set to true, this attribute is not included in a RADIUS access challenge. | Boolean | Default value: No
   May Encrypt | If enabled, indicates that the value for this attribute is encrypted. | Boolean | Default value: No
   Mandatory | Records the M-bit rule for Diameter. | List of values | Default value: Must
   Reference | Reference document for this attribute, for example an RFC number. | Text | Default value: No
   Enum Class | Declares a managed enumeration. | Text | Default value: No

   Related information
   Values tab: The Values tab allows you to add the enumeration values for the attribute. The codes entered here are unique to the values for this attribute. Enter the Aliases as provided by the vendors. Ensure that the Aliases are separated with a comma.
   Overrides tab: The Overrides tab allows you to enter codec overrides for this attribute.
   Aliases tab: The A
6. (Policy configuration summary, EAP TTLS mypolicy)
     User Profile Source / Accounting: User Profile Source: RADIUS User File; Accounting Method: Detail File; User File Name: EAP TTLS mypolicy users; Proxy Accounting: No
     Authentication / Attribute Sets: Authentication: EAP MS-Chap V2; Allowed Types: EAP MS-Chap V2; Tunnel Enabled: Yes; Allowed Tunnel Types: (illegible); Attribute Set to Use: OmniSwitch; If Attribute Set Not Found: Reject the Request; Read Set from User Profile: No
     User and Session Limits: User Session Limit: No Limit; Total Policy Limit: No Limit
   Note: If the Policy server is running, click Reload to update the PolicyAssistant configuration.
   13 Click Finish to complete the PolicyAssistant configuration.
   14 Click Save to save the policy created.

   Configure authentication with Microsoft Active Directory as user source
   Purpose: Use this procedure to configure authentication with Microsoft Active Directory as the user source, using PolicyAssistant.
   Procedure
   1 From the SMT navigation pane, select Configuration Tools > PolicyAssistant.
     Result: The PolicyAssistant window opens. See Figure 7-6.
   2 Enter a new name for your policy. For example, enter the policy name as AuthWindowsAD mypolicy. Click Next.
     Result: The Source for User Profiles window opens. See Figure 7-7.
   3 Select Microso
7. Configure PolicyAssistant rules for OmniSwitch (RSA ACE Server SecurID)
     Result: The Source for User Profiles window opens. See Figure 7-7.
   4 Select None and click Next.
     Result: The Authenticating Access Requests window opens. See Figure 7-8.
   5 Expand External Authentications, select RSA ACE Server SecurID and click Next.
     Result: The Accounting Configuration window opens. See Figure 7-9.
   6 Perform the following steps:
     a Click Advanced Authentication Option.
       Figure 7-21 Advanced Authentication Options (screenshot with User Profile Options and Tunneled EAP Transports sections). The Tunneled EAP Transports text reads: The PolicyAssistant can automatically process EAP authentication requests tunneled through the following EAP types: PEAP, TTLS and GTC. To enable automatic EAP negotiation, enable Allow EAP Tunneling below and add the desired tunneled EAP types. Specify the allowed tunneled authentication types by moving a type from the Available Tunnels list to the Allowed Tunnels list. Use the Up/Down buttons to specify the order in which the types are negotiated. The Available EAP Tunnel Types and Allowed EAP Tunnel Types lists show PEAP, TTLS, GTC, GTC in PEAP and GTC in TTLS.
     b Select EAP Tunneling.
     c Select GTC in PEAP in Allowed EAP Tunnel types.
     d Click >.
     e Click Close.
     f Click Next.
     Result: The Accou
8. Installation of 8950 AAA server and PolicyAssistant: Installation on Microsoft Windows
     Result: The 8950 AAA Policy Set Installation window opens.
     Figure 5-5 8950 AAA Policy Set Installation (screenshot of the Alcatel-Lucent 8950 AAA Version 6.5 Setup Program). The window reads: Select the option to install a PolicyFlow. 8950 AAA uses PolicyFlow to make decisions about how to authenticate users and store accounting information.
       Install PolicyAssistant: When using PolicyAssistant, 8950 AAA uses a predefined PolicyFlow that retrieves user information from an LDAP Directory, RADIUS User File, Database or Remote RADIUS Server. User authentication can be done by Windows NT, UNIX, Plain Text Passwords, RSA ACE Server SecurID and Wireless EAP.
       Install WiMAX Policy Set: When using the WiMAX option, 8950 AAA uses a predefined PolicyFlow to integrate with the Alcatel-Lucent WiMAX solution.
       Install Femto Policy Set: When using the Femto option, 8950 AAA uses a predefined PolicyFlow to integrate with the Alcatel-Lucent Femto solution.
       Install a Policy Set: Installs a predefined PolicyFlow configuration. Select a set from the list to install it.
       Build Your Own PolicyFlow: Installs an empty PolicyFlow. Use this option if you want to configure your own PolicyFlow.
   8 Select Install PolicyAssistant and click Next.
     Result: The Certificate Configuration window open
9. 9 Enter the certificate file name and the private key password for RSA or DSA. Click Next.
     Result: The EAP MS-CHAP V2 Authentication Configuration window opens.
   10 Perform the following steps and click Next:
      a Enter the Windows domain name or computer name on which the Microsoft Windows SAM server is running. Enter the domain or computer name only if EAP MS-Chap V2 NT Password is chosen.
      b Select "EAP client uses user instead of user@realm to generate challenges".
      Result: The CRL (Certificate Revocation List) Configuration window opens.
   11 Click Next.
      Result: The Attribute Set for Policy window opens. See Figure 7-12.
   12 Perform the following steps and click Next:
      a From the Attribute Set to use for this Policy section, select Use Attribute Set.
      b From the list of templates, select OmniSwitch. For more information on configuring templates, see Configure templates.
      c From the Attribute Set Lookup Failure section, select Reject the Request.
      Result: A window with a summary of the policy configuration opens.
      Figure 7-31 Policy configuration summary (screenshot). Policy Configuration: EAP TTLS mypolicy. You have completed the information to edit a Policy. Below is a summary of the Policy configuration. Click Finish to save your work or use the Back button to change the Policy
10. Configure policy selection rules for CyberGateKeeper
      c Click the Conditions tab.
        Result: The Conditions panel opens. See Figure 7-2.
    4 Click the Simple tab and perform the following steps:
      a Select Match ALL Conditions.
      b Click the add icon.
        Result: The Conditions window opens. See Figure 7-3.
    5 Click the icon.
      a Select the attribute Iex Report Audit Status and select the operator as exists.
      b Select the attribute Iex Report Audit Status, select the operator as equals and select the value as pass audit.
      c Click OK.
      Result: The specified condition displays in the Simple panel.
    6 Click OK to complete.
    7 Click Save to save the policy selection rule created.

    Configure policy selection rule for CyberGateKeeper for Fail Audit
    Purpose: Use this procedure to configure the CyberGateKeeper Fail Audit policy selection rule.
    Procedure
    1 From the SMT navigation pane, select Configuration Tools > PolicyAssistant.
      Result: The PolicyAssistant window opens. See Figure 7-1.
    2 From the Policy Selection Rules tab of the PolicyAssistant window, click the add icon to add a new rule.
      Result: The Rule Configuration window opens.
      Figure 7-45 Rule Configuration (screenshot: Name CG Audit Fail; Policy CG fail MD5; Reject Requests; Conditions, Max Connections and Request Map tabs; Simple and Advanced views; Match ALL Conditions
11. 13 Derby database
    Overview
    Purpose: This chapter provides procedures to configure and access Derby using SMT. For enterprise networks with a small subscriber database, 8950 AAA provides an embedded Derby database.
    Contents: This chapter covers the following topics:
      Database configuration 143
      Configure DB replication 145
    Database configuration
    Purpose: Use this procedure to configure the built-in Derby database.
    When to use: Specify the configuration value for the built-in Derby database. Use this procedure if the default value needs to be changed.
    Procedure
    1 From the SMT navigation pane, select Configuration Tools > Server Properties.
      Result: The Server Properties window opens.
    2 Select Policy Server > Database.
      Result: The Database Configuration panel opens.
      Figure 13-1 Server Properties (screenshot of the Server Properties window with the Policy Server, USS, USSv2 and Configuration Server tree and the Database Configuration panel). The panel reads: Specifies the configuration values for the built-in Derby database. If the port is a non-zero value, the database is automatically started when you run the Policy server. When assigning ports to the database, make sure you do not have any conflicting services using this port.
12. (Microsoft Active Directory settings, continued) Secondary Server Address; Search Base: cn=users,DC=CGDEMO2,DC=COM
      e Click Next.
      Result: The Attribute Set for Policy window opens. See Figure 7-12.
    8 Perform the following:
      a From the Attribute Set to use for this Policy section, select Use Attribute Set.
      b From the list of templates, select OmniSwitch. For more information on configuring templates, see Configure templates.
      c From the Attribute Set Lookup Failure section, select Reject the Request.
      Click Next.
      Result: A window with a summary of the policy configuration opens.
      Figure 7-33 Policy configuration summary (screenshot). Policy Configuration: AuthWindowsAD mypolicy. You have completed the information to edit a Policy. Below is a summary of the Policy configuration. Click Finish to save your work or use the Back button to change the Policy.
        User Profile Source / Accounting: User Profile Source: Microsoft Active Directory; Accounting Method: Detail File; Proxy Accounting: No
        Authentication: Microsoft Active Directory
        Attribute Sets: Attribute Set to Use: OmniSwitch; If Attribute Set Not Found: Reject the Request; Use User Name for Lookup: No; Read Set from User Profile: No
        User and Session Limits: User Session Limit: No Limit; Total Policy Limit: No Limit
13. 3 Enter the following in the fields of the window displayed:
      - Vendor Name: Enter the name of the vendor as specified.
      - Vendor ID: Enter the unique vendor number. The Internet Assigned Numbers Authority (IANA) assigns these numbers to each registered vendor.
      - VSA Format: From the drop-down box, select a VSA format.
    4 Click OK.
      Result: The vendor information is added to the dictionary and the table is updated.

    Add vendor specific attributes to the dictionary
    The Attributes tab allows you to configure and manage the attributes related to a vendor in the 8950 AAA.
    Purpose: Use this procedure to configure the vendor specific attributes.
    Procedure
    1 From the SMT navigation pane, select File Tools > Dictionary Editor.
      Result: The Vendors window opens. See Figure 10-1.
    2 Select the Attributes tab.
      Result: The Attributes window opens.
      Figure 10-3 Vendors: Attributes (screenshot of the Attributes tab with Vendor Search set to Ericsson; the table columns are Attribute Name, Type, Code, Vendor Name and Codec, with rows such as Ericsson Acc Ccp Option, Enumerated, 2, Ericsson; Ericsson Acc Input Errors, Unsigned32, 3, Ericsson; Ericsson Acc Customer Id, String, 6, Ericsson)
14. (Figure 7-45, continued: Match ANY Conditions; condition table with columns Attribute, Operator, Value: Iex Report Audit Status exists; Iex Report Audit Status equals Fail audit)
    3 Perform the following steps:
      a Enter the rule name.
      b From the Policy drop-down list, select the policy name. For example, select the Audit Fail policy created for CyberGateKeeper.
      c Click the Conditions tab.
        Result: The Conditions panel opens. See Figure 7-2.
    4 Click the Simple tab and perform the following steps:
      a Select Match ALL Conditions.
      b Click the add icon.
        Result: The Conditions window opens. See Figure 7-3.
    5 Click the icon.
      a Select the attribute Iex Report Audit Status and select the operator as exists.
      b Select the attribute Iex Report Audit Status, select the operator as equals and select the value as fail audit.
      c Click OK.
      Result: The specified condition displays on the Simple panel.
    6 Click OK to complete.
    7 Click Save to save the policy selection rule created.

    Configure policy selection rule for CyberGateKeeper for Fail NoAudit
    Purpose: Use this procedure to configure the CyberGateKeeper Fail NoAudit policy selection rule.
    Procedure
    1 From the SMT navigation pane, select Configuration Tools > PolicyAssistant.
      Result: The PolicyAssistant window opens. See Figure 7-1.
    2 From the Policy Selection Ru
15. Note: If the Policy server is running, click Reload to update the PolicyAssistant configuration.
    9 Click Finish to complete the PolicyAssistant configuration.
    10 Click Save to save the policy created.

    Configure SAM authentication
    Purpose: Use this procedure to configure Windows SAM authentication with the RADIUS User File as the user source, using PolicyAssistant.
    Procedure
    1 From the SMT navigation pane, select Configuration Tools > PolicyAssistant.
      Result: The PolicyAssistant window opens. See Figure 7-6.
    2 Enter a new name for your policy. For example, enter the policy name as AuthWindowsSAM mypolicy. Click Next.
      Result: The Source for User Profiles window opens. See Figure 7-7.
    3 Select Windows Security Access Manager and click Next.
      Result: The Authenticating Access Requests window opens. See Figure 7-8.
    4 Expand External Authentications, select Windows Security Access Manager and click Next.
      Result: The Accounting Configuration window opens. See Figure 7-9.
    5 Select Save Accounting to a File and perform the following steps:
      a The file name appears by default. If needed, modify the file name.
      b Select the rollover mode.
      c Click Next.
      Result: The User and Session Limits window opens. See Figure 7-10.
    6 Perform the following:
      a In the User Session Limits section
16. ct examples
    12 Click OK to save the changes. Accept all warnings.
       Result: The policies on the local machine are now configured to allow machine authentication.
       Figure 15-18 Act as part of the operating system properties (screenshot)

    Glossary
    API: Application Programming Interface
    AAA: Authorizing, Authenticating and Accounting server
    AD: Active Directory
    CA: Certificate Authority
    CLI: Command Line Interface
    CIDR: Classless Inter-Domain Routing
    CRL: Certificate Revocation List
    EAP: Extensible Authentication Protocol
    EAP-TLS: EAP Transport Layer Security
    EAP-TTLS: EAP Tunneled Transport Layer Security
    EAP-PEAP: EAP Protected Extensible Authentication Protocol
    EAP-MD5: EAP Message Digest algorithm 5
    EAP-GTC: EAP Generic Token Card
    EBG: Enterprise Business Group
    IANA: Internet Assigned Numbers Authority
    LDAP: Lightweight Directory Access Protocol
    MAC: Media Access Control
    NAS: Network Access Server
    RADIUS: Remote Authentication Dial In User Service
    RMI: Remote Method Invocation
    SAM: Security Access Manager
    SMT: Server Management
17. (Timeout Properties table, continued)
    Field | Description | Type | Value
    Session Timeout | Enter the session timeout. The policy server rejects any request that has a session time value less than the value specified. If Session Time is not set in the reply attributes, then no action is needed. | Use the icon to specify the duration | Default value: 0 s
    Session Time from Time of Day | If enabled, the session time is the time remaining from the Time of Day check item. | Boolean | Yes / No
    Default Challenge Timeout | Enter the time for which the policy server needs to wait for the challenge response from the clients. | Use the icon to specify the duration | Default value: 3 m
    Default Challenge Linger Timeout | Enter the timeout before marking the challenge response as Linger. | Use the icon to specify the duration | Default value: 15 s
    Default Continue Timeout | Enter the time for which the policy server needs to wait for the continue response from the clients. | Use the icon to specify the duration | Default value: 10 m
    Default Continue Linger Timeout | Enter the timeout before marking the continue response as Linger. | Use the icon to specify the duration | Default value: 15 s

    Result: The configured values are displayed on the Timeout Properties panel.

    12 8950 AAA Con
18. Configure PolicyAssistant rules for CyberGateKeeper
    This section contains procedures to configure PolicyAssistant for different samples of CyberGateKeeper.
    Note: Samples are provided for the following three audit categories of the CyberGateKeeper: Pass Audit, Fail Audit and Fail NoAudit.

    Configure CG pass MD5 authentication with RADIUS User File as user source for Pass Audit
    Purpose: Use this procedure to configure CG pass MD5 authentication with the RADIUS User File as the user source, using the PolicyAssistant. This sample policy is for the Pass Audit status.
    Procedure
    1 From the SMT navigation pane, select Configuration Tools > PolicyAssistant.
      Result: The PolicyAssistant window opens.
    2 Click the add icon to add a new policy.
      Result: The Policy Configuration window opens. See Figure 7-6.
    3 Enter a new name for your policy. For example, enter the policy name as CG pass MD5 mypolicy. Click Next.
      Result: The Source for User Profiles window opens. See Figure 7-7.
    4 Select Radius User File and click Next.
      Result: The Authentication Access Requests window opens. See Figure 7-8.
    5 Expand EAP Authentication in the list of Authentication Types, select EAP MD5 and click Next.
      Result: The Accounting Configuration window opens. See Figure 7-9.
20. Configure PolicyAssistant rules for OmniSwitch
      Figure 7-14 User File Name Configuration (screenshot). Policy Configuration: MD5 radiusfile mypolicy. User File Name Configuration: Enter the name of the file that contains your user profiles. Note: If you specify a file that does not exist, the PolicyAssistant automatically creates an empty file for you. User File Name: MD5 radiusfile mypolicy users.
    8 The user file name appears by default. If needed, modify the user file name and click Next.
      Result: The Attribute Set for Policy window opens. See Figure 7-12.
    9 Perform the following steps:
      a From the Attribute Set to use for this Policy section, select Use Attribute Set.
      b From the list of templates, select OmniSwitch. For more information on configuring templates, see Configure templates.
      c From the Attribute Set Lookup Failure section, select Reject the Request.
      d Click Next.
      Result: A window with a summary of the policy configuration opens.
      Figure 7-15 Policy configuration summary (screenshot). Policy Configuration: MD5 radiusfile mypolicy. You have completed the information to edit a Policy. Below is a summary of the Policy configuration. Click Finish to save your work or use the Back button to ch
21. Configure 8950 AAA protocol properties for policy server
    Table 11-3 Attributes Properties
    Field | Description | Type | Value
    Reveal Hidden Attributes | If enabled, attributes that are marked as hidden in the dictionary are displayed in the packet trace. If disabled, a hidden attribute value is displayed as hidden. | Boolean | Yes / No
    Strict Attribute Encoding | If enabled, attributes that cannot be encoded cause an exception. If not enabled, attributes that cannot be encoded are skipped or are not sent. | Boolean | Yes / No
    7 Select Requests.
      Result: The Radius Request Properties panel opens.
      Figure 11-5 Radius Request Properties (screenshot of the Server Properties window; the tree lists Policy Server, USS, USSv2, Configuration Server, Web Interface, Admin Interface, SSH Interface, RMI Registry, Certificates, Lawful Intercept, SNMP, SCTP, Database, User Provisioning, Radius Properties, Diameter Properties, TACACS Properties, Attributes, Requests, Delimiters, Timeouts and Advanced). The panel reads: Specifies the configuration values that control how the Policy server handles RADIUS request packets. Place the mouse over each opt
22. Acc Tunnel Secret
    3 To add attributes to the dictionary, click the add icon.
      Result: The Attributes Properties window opens.
      Figure 10-4 Vendors: Attributes Properties (screenshot of the Attribute Properties dialog with Attribute, Overrides and Aliases tabs). The dialog reads: Enter the information about the attribute below. If the type of the attribute is an enumeration, enter the values on the Values tab. The example shown has Name Digest Response, Type String, Code 206, Vendor Name Lucent AAA, Codec draft sterman aaa sip 01, Yes/No options for Hidden, Internal, Reject Ok, Challenge Ok and May Encrypt, Mandatory Must, Protected May, and Reference and Enum Class fields.
    4 Use Table 10-1 to enter the information and click OK.
    Table 10-1 Vendor attributes
    Field | Description | Type | Value
    Name | Name of the vendor specific attribute to be added. | Text | Default value: No
    Type | Type of the attribute, such as String, IP Address, Integer and so on. | Dictionary type list | Default value: No
    Code | The attribute code. | Signed integer | Default value: No
    Vendor Name | Name of the vendor. | List of values | Default value: Base
    Codec | The code encoder and decoder. | List of values | Default value: No
23. CyberGateKeeper provides the following functionalities:
      - Achieves comprehensive policy compliance
      - Assists in antivirus and software updates
      - Continuously audits network systems
      - Fully scalable
      - Supports centralized management and custom tests
      - Allows efficient remediation
    Brick firewall
    The Brick provides high-speed firewall, VPN, QoS, VLAN and virtual firewall capabilities in a single configuration. The functionalities of the Brick also include advanced distributed denial of service attack protection, strong authentication, real-time monitoring, logging and reporting.
    OmniAccess WLAN
    OmniAccess WLAN is a wireless access point through which mobile users connect to the enterprise network. The 8950 AAA server authenticates and authorizes the users (supplicants) as they scan and connect to wireless access points.
    User profile stores
    This topic provides a list of the internal and external user profile stores (subscriber databases) used in the enterprise. Figure 1-1 provides an overview of the enterprise network. Customers with a smaller user base can use the built-in Derby database. For a large user base, customers can choose external databases to store user details such as user logins, passwords, authorization profiles and so on.
    Database
    8950 AAA supports external databases such as Oracle, MySQL and MS SQL Server, which support JDBC. The following information is stored in databases:
      - Home subscribers' authentication information
24. (Policy configuration summary, continued)
      Authentication: EAP MS-Chap V2 NT password; Allowed Types: EAP MS-Chap V2 NT password; Tunnel Enabled: Yes; Allowed Tunnel Types: PEAP
      Attribute Sets: Attribute Set to Use: OmniSwitch; If Attribute Set Not Found: Reject the Request; Use User Name for Lookup: No; Read Set from User Profile: No
      User and Session Limits: User Session Limit: No Limit; Total Policy Limit: No Limit
    Note: If the Policy server is running, click Reload to update the PolicyAssistant configuration.
    12 Click Finish to complete the PolicyAssistant configuration.
    13 Click Save to save the policy created.

    Configure EAP TLS authentication with RADIUS User File as user source
    Use this procedure to configure EAP TLS authentication using PolicyAssistant. Users are authenticated using X.509 certificates. This authentication method does not involve any user credential authentication.
    Procedure
    1 From the SMT navigation pane, select Configuration Tools > PolicyAssistant.
      Result: The PolicyAssistant window opens.
    2 Click the add icon to add a new policy.
      Result: The Policy Configuration window opens. See Figure 7-6.
    3 Enter a new name for your policy. For example, enter the policy name as EAP TLS mypolicy. Click Next.
      Result: The Source for User Profiles window opens. See Figure 7-7.
    4 Sele
Figure 9.1 (RADIUS clients list) columns: Host, Shared Secret, Client Classes & Attributes. Sample entry: 127.0.0.1, secret. Buttons: Save, Reload, Close.
2. Click the add icon to add a new RADIUS client.
Result: The Radius Client Properties window opens.

RADIUS client configuration (continued)
Figure 9.2 Any RADIUS client configuration (Radius Client Properties)
Fields shown: Dictionary; Client IP Address or Host; Shared Secret; Character Set for Encoding; Truncate String Attributes at First NUL; Check Duplicates; Check Authenticators (Yes/No/Auto options); Port Normalization; Authentication Timeout; Accounting Timeout (Server Default); File Encoding; Client Classes & Attributes; Comment. Sample values: 127.0.0.1, secret, default, TAOS.
Use Table 9.1 to enter the information and click OK.
Table 9.1 RADIUS client Properties (Field: Description. Type. Default value.)
Client IP Address or Host: Enter the domain name, IP address, range of IP addresses or a CIDR block of addresses. Type: Text. Default value: No.
Shared Secret: Shared secret between AAA and client. Type: Text. Default value: No.
Dictionary: Enter the name of the dictionary to use for the client class definition (codec). Type: Dictionary. Default value: No. For an enterprise network, select
8950 AAA policy server: Configure 8950 AAA protocol properties for policy server (continued)
Use Table 11.2 to enter the information.
Table 11.2 TACACS Properties (Field: Description. Type. Default value.)
TACACS Address: Enter the listener address that the policy server uses for the TACACS service. Type: Network address, format xxx.xxx.xxx.xxx:<port>. Default value: 49.
Result: The configured values are displayed on the Terminal Access Controller Access Control System Plus Properties panel.
Select Attributes.
Result: The Attributes Properties panel opens.
Figure 11.4 Attributes Properties
Server Properties tree: Web Interface, Admin Interface, SSH Interface, RMI Registry, Certificates, Lawful Intercept, Map, Database, User Provisioning, Radius Properties, Diameter Properties, TACACS Properties, Requests, Delimiters, Timeouts, Advanced, Attribute Properties, Policy Server, USS, USSv2, Configuration Server.
Attribute Properties panel text: Specifies the configuration values that control how the Policy server handles RADIUS attributes. Place the mouse over each option to display how it is used by the server. Reveal Hidden Attributes: Yes/No. Strict Attribute Encoding: Yes/No.
6. Use Table 11.3 to enter the information.
Result: The Source for User Profiles window opens. See Figure 7.7.
4. Select RADIUS User File and click Next.
Result: The Authentication Access Requests window opens. See Figure 7.8.
5. Perform the following steps:
a. Expand EAP Authentication in the list of Authentication Types and select EAP-MS-CHAP-V2.
b. Click the Advanced Authentication Options tab.
Figure 7.16 Advanced Authentication Options
Tabs: Automatic Password Detection, User Profile Options, Tunneled EAP Transports. Dialog text: The PolicyAssistant can automatically process EAP authentication requests tunneled through the following EAP types: PEAP, TTLS and GTC. To enable automatic EAP negotiation, enable Allow EAP Tunneling below and add the desired tunneled EAP types. Specify the allowed tunneled authentication types below by moving a type from the Available Tunnels list to the Allowed Tunnels list. Use the Up/Down buttons to specify the order in which the types are negotiated. Available EAP Tunnel Types: PEAP, TTLS, GTC, GTC in PEAP, GTC in TTLS. Allowed EAP Tunnel Types: PEAP.
c. In the Advanced Authentication Options window, select the Tunneled EAP tab.
d. Select Allow EAP Tunneling.
e. From the Available EAP Tunnel Types section, select PEAP and click >.
f. Click Close.
g. Click Next.
EAP-PEAP Configuration window fields: RSA Certificate File Name: server.pem; RSA Private Key Password: server; DSA Certificate File Name; DSA Private Key Password; Challenge Prompt: Enter your identity; PEAP Version 1: IETF Draft 5; Certificate Manager button.
9. Perform the following steps and click Next:
a. Enter the certificate file name and private key password for RSA or DSA.
b. Enter the challenge prompt.
c. Specify the compatibility mode for PEAP Version 1.
Result: The EAP-MS-CHAP-V2 Authentication Configuration window opens.
Figure 7.18 EAP-MS-CHAP-V2 Authentication Configuration
Policy Configuration: EAP-PEAP-MSCHAPv2-mypolicy. Dialog text: You have selected an authentication type, either EAP-MS-CHAP-V2 or EAP-MS-CHAP-V2 with NT. If you selected EAP-MS-CHAP-V2, you can optionally specify the Windows domain or computer name for the server running the Microsoft Windows SAM server. If you selected EAP-MS-CHAP-V2 with NT, this value is required. Windows Domain: APO1. Check box: EAP client uses user instead of user@realm to generate challenges.
10. Perform the following steps:
a. Enter the Windows domain or computer name on which the Microsoft Windows SAM server is running. Enter the domain or computer name only if EAP-MS-CHAP-V2 NT Password is chosen.
b. Select EAP client uses user instead of user@realm to generate challenges.
c. Click Next.
Result: The CRL (Certificate Revocation List) Configuration window opens.
Figure 7.19 CRL (Certificate Revocation List) Configuration
Policy Configuration: EAP-PEAP-MSCHAPv2-mypolicy. Dialog text: Enter the following information about your CRL configuration. A check is made to see if an X.509 certificate has been revoked by looking up the serial number of the certificate in a Certificate Revocation List (CRL). Field: CRL Issuer Certificate File. Button: CRL Issuer Certificate.
12. Perform the following steps and click Next:
a. From the Attribute Set to use for this Policy section, select Use Attribute Set.
b. From the list of templates, select OmniSwitch. For more information on configuring templates, see Configure templates.
c. From the Attribute Set Lookup Failure section, select Reject the Request.
Result: A window with a summary of the policy configuration opens.
Figure 7.20 Policy configuration summary
Policy Configuration: EAP-PEAP-MSCHAPv2-mypolicy. User File Name: EAP-PEAP
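The serial-number lookup that the CRL configuration step describes, shown as an added example that is not part of this guide or of the 8950 AAA product: a Go program against the standard library builds a constructed CA, issues two EAP-TLS client certificates, publishes a CRL listing one serial number, and checks a certificate only after the CRL's signature, freshness and issuer have been verified against the configured CRL issuer certificate. All names, serial numbers and validity periods are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// checkRevocation applies the check described in the CRL configuration step:
// verify the CRL against the configured CRL issuer certificate, confirm the CRL
// is current and the certificate came from that issuer, then look the serial
// number up in the revoked list. It returns true when the serial is listed;
// anything that prevents a trustworthy lookup is an error, never "not revoked".
func checkRevocation(cert *x509.Certificate, crl *x509.RevocationList,
	issuer *x509.Certificate, now time.Time) (bool, error) {
	// A CRL that is unsigned or signed by another CA must not be consulted:
	// an attacker-supplied empty CRL would otherwise un-revoke everything.
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return false, fmt.Errorf("CRL not signed by configured issuer: %w", err)
	}
	// A CRL past its NextUpdate may be missing recent revocations.
	if !crl.NextUpdate.IsZero() && now.After(crl.NextUpdate) {
		return false, fmt.Errorf("CRL expired at %s", crl.NextUpdate.UTC())
	}
	// Serial numbers are unique only per issuer, so the lookup is meaningless
	// for a certificate issued by a different CA.
	if err := cert.CheckSignatureFrom(issuer); err != nil {
		return false, fmt.Errorf("certificate not issued by CRL issuer: %w", err)
	}
	for _, entry := range crl.RevokedCertificates {
		if entry.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return true, nil
		}
	}
	return false, nil
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// mintCert generates a P-256 key and signs tmpl with signer (self-signed when nil).
func mintCert(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*ecdsa.PrivateKey, *x509.Certificate) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	if signer == nil {
		signer, parent = key, tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return key, cert
}

// scenario is the constructed test PKI (not a real enterprise CA) for checkRevocation.
type scenario struct {
	ca             *x509.Certificate // the configured CRL issuer certificate
	revoked, valid *x509.Certificate // supplicant certificates: on the CRL / not on it
	crl            *x509.RevocationList
	now            time.Time
}

// buildScenario issues two EAP-TLS client certificates and a CRL revoking only the first.
func buildScenario() *scenario {
	now := time.Now()
	caKey, ca := mintCert(&x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "Example Enterprise CA"},
		NotBefore:    now.Add(-time.Hour), NotAfter: now.Add(365 * 24 * time.Hour),
		IsCA:         true, BasicConstraintsValid: true,
		KeyUsage:     x509.KeyUsageCertSign | x509.KeyUsageCRLSign, // CRLSign vouches for the CRL
	}, nil, nil)
	client := func(cn string, serial int64) *x509.Certificate { // hypothetical names/serials
		_, c := mintCert(&x509.Certificate{
			SerialNumber: big.NewInt(serial),
			Subject:      pkix.Name{CommonName: cn},
			NotBefore:    now.Add(-time.Hour), NotAfter: now.Add(30 * 24 * time.Hour),
			ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		}, ca, caKey)
		return c
	}
	revoked, valid := client("lost-laptop", 4242), client("alice", 4243)
	der, err := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: revoked.SerialNumber, RevocationTime: now}},
	}, ca, caKey)
	must(err)
	crl, err := x509.ParseRevocationList(der)
	must(err)
	return &scenario{ca: ca, revoked: revoked, valid: valid, crl: crl, now: now}
}
```

Passing a stale CRL, or a CRL issuer other than the one that signed the list, yields an error rather than a "not revoked" result, which is the failure mode a policy that silently skips the check would hide.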
Setup Program dialog text: Setup will install 8950 AAA in the following folder. To install to this folder, click Next. To install to a different folder, enter the new folder name or click Browse and select another folder. Destination Folder: E:\AAA.
4. To use the default installation location, click Next. To choose a different location, click Browse and select the desired location.
Result: The Choose Installation Type window opens.

Installation of 8950 AAA server and PolicyAssistant: Installation on Microsoft Windows (continued)
Figure 5.2 Choose Installation Type
Alcatel-Lucent 8950 AAA Version 6.5 Setup Program. Choose one or more of the following options to install. Install 8950 AAA: installs the 8950 AAA Servers (Policy Server, Universal Session Server, Configuration Server) and the Server Management Tool on one machine. Install Server Management Tool Only: installs the Server Management Tool for remote configuration of the 8950 AAA servers.
5. Select the required installation type from the following and click Next:
a. Select the Install 8950 AAA option to install both the 8950 AAA server and the SMT GUI client application.
b. Select the Install Server Management Tool Only option to install only the SMT GUI application, to manage and monitor a remote 8950 AAA server.
Result: The License File Location window opens.
(Policy configuration summary) User Profile Source: RADIUS User File. Accounting: Accounting Method: Detail File; User File Name: CG-pass-MD5-mypolicy.users; Proxy Accounting: No. Authentication: EAP-MD5. Attribute Sets: Attribute Set to Use: CG-Pass-Template; Allowed Types: EAP-MD5; If Attribute Set Not Found: Continue without Attribute Set; Read Set from User Profile: No. User and Session Limits: User Session Limit: One Session; Total Policy Limit: No Limit.
Note: If the Policy server is running, click Reload to update the PolicyAssistant configuration.
10. Click Finish to complete the PolicyAssistant configuration for CG-pass-MD5.
11. Click Save to save the policy created.

Configure CG-fail-MD5 authentication with RADIUS User File as user source for Fail Audit
Purpose
Use this procedure to configure CG-fail-MD5 authentication with the RADIUS User File as user source, using the PolicyAssistant. This sample policy is for the Fail Audit status.
Procedure
1. From the SMT navigation pane, select Configuration Tools > PolicyAssistant.
Result: The PolicyAssistant window opens.
2. Click the add icon to add a new policy.
Result: The Policy Configuration window opens. See Figure 7.6.
3. Enter a new name for your policy. For example, enter the policy name as CG-fail-MD5-mypolicy. Click Next.
The key feature in an enterprise network is the PolicyAssistant. You can configure the PolicyAssistant according to the requirements of the enterprise network. This chapter describes the procedures to install the 8950 AAA PolicyAssistant and sample enterprise policy rules. Modify the sample rules according to the enterprise requirements.
Contents
This chapter covers the following topics:
Installation on Microsoft Windows
Install sample policies and rules for enterprise network 34
Start SMT on Windows platform 34

Installation on Microsoft Windows
Purpose
Use this procedure to install the 8950 AAA PolicyAssistant on Microsoft Windows.
Before you begin
Ensure that you have a valid license file for the 8950 AAA software version you need to install.
Procedure
1. Double-click the 8950 AAA 6.x zip file and extract the files to a temporary directory.
2. Navigate to the location of the unzipped 8950 AAA files and double-click setup.exe.
Result: The 8950 AAA Setup program appears. Click Next. The Software License Agreement window opens.
3. Accept the license agreement terms and click Next.
Result: The Choose Destination Location window opens.
Figure 5.1 Choose Destination Location
Alcatel-Lucent 8950 AAA Version 6.5
Tool
SNMP: Simple Network Management Protocol
TACACS: Terminal Access Controller Access Control System
TLS: Transport Level Security

Glossary (continued)
USS: Universal State Server
UPS: User Provisioning Tool
VLAN: Virtual Local Area Network
VSA: Vendor Specific Attributes
WLAN: Wireless Local Area Network
• User information
• Profiles for verification
• Profile to return to the access controllers (authorization data)

LDAP
The Lightweight Directory Access Protocol (LDAP) is an application protocol for querying and modifying data using directory services running over TCP/IP. The 8950 AAA server supports the following LDAP databases:
• Sun One DS
• OpenLDAP
• 8661 DS

Microsoft AD
The 8950 AAA authenticates Windows users and machines whose user profiles are stored in Microsoft AD.

Files
8950 AAA can authenticate user profiles from a flat-file database.

End devices in enterprise network
The 8950 AAA server can authenticate the following end-user devices in an enterprise network:
• Dual-mode WiFi smartphones
• Corporate computer
• Home computer
• Public computer
For more information on the device or supplicant types, see Table 1.1 Supplicant types.

Supplicant types
Table 1.1 depicts the supplicant types supported by the 8950 AAA.
Table 1.1 Supplicant types (Supplicant: Web site; Product type; Comments)
Windows XP Supplicant: http://www.microsoft.com/en-us/default.aspx; Commercial (included in Windows XP); Included in Windows XP.
Juniper Odyssey: http://www.juniper.net/customers/support/products/oac.jsp; Commercial; Available for XP and Windows 7.
The 8950 AAA can poss
Windows, the sdconf.rec file must reside in your system path (field is not enabled). New RSA Library Version: Enter the directory where the RSA ACE Server file rsa_api.properties is stored. If not specified, it defaults to the 8950 AAA run directory. Path to RSA ACE File: C:\AAA\run\ace.
c. Click Next.
Result: The EAP-PEAP-GTC configuration window opens. See Figure 7.17.
10. Perform the following steps and click Next:
a. Enter the certificate file name and private key password for RSA or DSA.
b. Enter the challenge prompt.
c. Specify the compatibility mode for PEAP Version 1.
Result: The EAP-GTC Configuration window opens.
11. Enter the message prompt for the GTC configuration.
Figure 7.23 EAP-GTC configuration
Policy Configuration: EAP-PEAP-GTC-mypolicy. EAP GTC Configuration. Dialog text: Enter the following information about your GTC configuration. Message Prompt: Enter your password.
Click Next.
Result: The Attribute Set for Policy window opens. See Figure 7.12.
12. Perform the following steps:
a. From the Attribute Set to use for this Policy section, select Use Attribute Set.
b. From the list of templates, select OmniSwitch. For more information on configuring templates, see Configure templates.
c. From the Attribute Set Lookup Failure section, select Reje
a. The file name appears by default. If needed, modify the file name.
b. Select the rollover mode.
c. Click Next.
Result: The User and Session Limits window opens. See Figure 7.10.
7. Perform the following steps:
a. In the User Session Limits section, select No Limit.
b. In the Policy Limits section, select No Limit.
c. Click Next.
Result: The User File Name Configuration window opens. See Figure 7.14.
8. The user file name appears by default. If needed, modify the user file name and click Next.
Result: The EAP-TTLS Configuration window opens.
Figure 7.30 EAP-TTLS Configuration
Policy Configuration: EAP-TTLS-mypolicy. TTLS Configuration. Dialog text: Enter the following information about your TTLS configuration. You must specify either the RSA or the DSA Certificate File and Private Key Password. Both the RSA and DSA info may be specified. Refer to the SMT Guide for more information about configuring TTLS. If you don't have your own certificate authority, you can use the Certificate Manager panel under the File Tools section, or click the Certificate Manager button below to generate root, server and client certificates. Fields: RSA Certificate File Name: server.pem; RSA Private Key Password: server; DSA Certificate File Name; DSA Private Key Password; Certificate Manager button.
all local interfaces.
SSH Address/Port: Enter the address and port on which the server listens for SSH connections. Type: Network address in xxx.xxx.xxx.xxx:xx format. Default value: 9020. Port number 0 implies do not start SSH at all.
Registry Port: Enter the port to be used when creating an RMI registry. Type: Integer. Default value: 9097. Normally an RMI registry runs at the address specified. However, if there is no registry, the configuration server tries to create one on the local host. By default it uses the RMI port 9097, but this property enables another port if necessary.
Secure Registry Port: Enter the secure registry port for connecting through RMI secured mode. Type: Integer. Default value: 9098.
Log File Name: Specify the name of the file in which the configuration server needs to write the messages and errors. Type: Text. Default value: config.log.
Level of Messages to Log: Select the required log level or debug level. The level determines the type of messages that the configuration server writes to the log file. Type: One of the list values: Error, Warning, Notice, Info, Salient, Debug, Verbose, Blither. Default value: Info.

8950 AAA Configuration server: Configuration server properties (continued)
Result: The configuration server properties configured are displayed on the Server Properties window.
(File Selection Wizard, continued) Field: Other File Name.
4. Perform the following:
a. Select the required file from the Remote Files list. If the required file is not present in the list, enter the file name in the Other File Name field.
b. Click > to move the selected file to the Selected File list.
c. Click Next.
Result: The File Selection Wizard window with the selected file details opens.

Remote configuration: Add file list (continued)
Figure 14.6 File Selection Wizard, selected file details
Dialog text: Below is the list of files that will be added. Click Finish to validate and add the files. Server: test1 (135.250.26.37). Remote File: dictionary.html; Local File: dictionary.html; Format: Text; Server: test1. Click Finish to continue, or Back to recon
figure the server or selected files.
5. Click Finish.
Result: The selected list of files appears on the Remote Configuration window.

Procedure 2
1. From the SMT navigation pane, select Configuration Tools > Remote Configuration.
Result: The Remote Configuration window opens. See Figure 14.2.
2. From the bottom panel, click the file entry icon.
Result: The File Entry window opens.
Figure 14.7 File Entry
Dialog text: Use the following properties to specify a s
displays on the Simple panel.

Configure PolicyAssistant: Configure policy selection rules for CyberGateKeeper (continued)
6. Click OK to complete.
7. Click Save to save the policy selection rule created.

Configure templates
Overview
Purpose
This chapter describes the procedures to configure the templates. A template is an attribute group. A template contains all the attributes that are sent by the AAA server to the AAA clients (for example, a NAS) after successful authentication. The clients use these attribute values to set up a session.
The template defines the service profiles that the 8950 AAA server sends back to the NAS clients; for example, the NAS clients are OmniSwitch, OmniAccess and so on. In addition, the template defines the set of attribute-value pairs which are verified by the 8950 AAA server before authorizing the client to access the services. You can create and modify the templates according to the requirements of the enterprise network.
Example 1: User-Password can be configured as a verify attribute. The 8950 AAA server then verifies the incoming password against the password attribute configured in the verify list.
Example 2: All users connecting through OmniSwitch are assigned a particular VLAN ID. Then a template can be defined with the attribute Filter-Id = vlan-id and apply
embedded database which stores the user profiles for 8950 AAA. Customers with a smaller subscriber database can use the built-in Derby database.

LDAP
8950 AAA has an LDAP listener for handling LDAP requests. Policy flow processes these requests. The supported LDAP operations are Bind, Search, Compare, Add, Modify and Delete.

Server Management Tool (SMT)
The Server Management Tool (SMT) is the graphical user interface to 8950 AAA. SMT provides access to the different components of 8950 AAA. SMT is used to administer the product.

8950 AAA overview: Components of 8950 AAA (continued)
Admin server
The admin server allows you to interact with 8950 AAA independent of the SMT. You can connect to the Admin server using a Telnet or SSH console. The 8950 AAA supports a CLI for remote login and debugging purposes. Administrators can use this CLI for executing commands for administrative purposes.

Configuration server
The configuration server allows administrators to access a remote 8950 AAA server by using the SMT.

Web server
The 8950 AAA server has a built-in web server for performing the following functions:
• Display server information such as the version of 8950 AAA, host name, Java version and so on
• Track authentication and accounting statistics
• Maintain the 8950 AAA documentation index to provide all information related to the 8950 AAA product
• Maintain User Provisioning To
Figure 15.11 Local Security Settings 177
Figure 15.12 Access this computer from the network Properties 178
Figure 15.13 Select Users or Groups 178
Figure 15.14 Object Types 179

List of figures (continued)
Figure 15.15 Select Users or Groups 179
Figure 15.16 Local Security Setting 180
Figure 15.17 Select Users or Groups 181
Figure 15.18 Act as part of the operating system Properties 182

List of tables
Table 1.1 Supplicant types 9
Table 2.1 8950 AAA component interface 18
Table 9.1 RADIUS client Properties 113
Table 10.1 Vendor attributes 121
Table 11.1 RADIUS Properties 128
Table 11.2 TACACS Properties 131
Table 11.3 Attributes Properties 132
Table 11.4 RADIUS Requests Properties 133
Table 11.5 User Name Parsing Delimiters 135
Table 11.6 Time
select No Limit.
b. In the Policy Limits section, select No Limit.
c. Click Next.
Result: The User File Name Configuration window opens. See Figure 7.14.
Enter the user file name and click Next.
Result: The Windows Security Access Manager Configuration window opens. See Figure 7.34.

Configure PolicyAssistant: Configure PolicyAssistant rules for OmniSwitch (continued)
Figure 7.34 Windows Security Access Manager
Policy Configuration: AuthWindowsSAM-mypolicy. Windows Security Access Manager Configuration. Dialog text: Enter the domain or computer name for the server running the Microsoft Windows SAM server. NT Domain: CGDEMO2.
8. Enter the domain or computer name on which the Windows Security Access Manager is running. Click Next.
Result: The Attribute Set for Policy window opens. See Figure 7.12.
9. Perform the following:
a. From the Attribute Set to use for this Policy section, select Use Attribute Set.
b. From the list of templates, select OmniSwitch. For more information on configuring templates, see Configure templates.
c. From the Attribute Set Lookup Failure section, select Reject the Request.
Click Next.
Result: A window with a summary of the policy configuration opens.
Figure 7.35 Policy configura
standard and Vendor Specific Attributes (VSA). This design gives the 8950 AAA the ability to adapt to the various vendors of edge devices in an enterprise network.
• 8950 AAA offers a built-in programming language for writing custom AAA policy applications. This powerful PolicyFlow language allows configuring the 8950 AAA according to any complex policy rules of an enterprise. The PolicyFlow architecture, built on the Java programming language, is flexible and extensible.
• PolicyAssistant is a graphical wizard to define policies for enterprise policy rules. If the application requires complex policies, use policy flows instead of the PolicyAssistant.
• The logging mechanism is flexible and is configured according to the requirements.
• The Server Management Tool (SMT) provides a graphical remote configuration and management interface to all of the 8950 AAA features.
• In addition to the SMT, the 8950 AAA provides a Command Line Interface (CLI) which allows you to access and operate the 8950 AAA in the enterprise network environment. It supports Telnet and SSH based CLI through the admin console. An administrator can use this CLI for executing commands for administrative purposes.

Access restrictions
With the help of 8950 AAA, the user can define authorization rules and decide on the type of access provided to the user after successfu
the Allowed Tunnels list. Use the Up/Down buttons to specify the order in which the types are negotiated. Available EAP Tunnel Types: PEAP, TTLS, GTC, GTC in PEAP, GTC in TTLS. Allowed EAP Tunnel Types: PEAP. Close button.
e. Select the User Profile Options tab.
f. Select Ignore Auth-Type attributes in the user profile.
g. Select the EAP Tunneling tab.
h. Select PEAP in Allowed EAP Tunnel types and click >.
i. Click Close.
j. Click Next.
Result: The Accounting Configuration window opens. See Figure 7.9.

Configure PolicyAssistant: Configure PolicyAssistant rules for OmniSwitch (continued)
6. Select Save Accounting to a File and perform the following steps:
a. The file name appears by default. If needed, modify the file name.
b. Select the rollover mode.
c. Click Next.
Result: The User and Session Limits window opens. See Figure 7.10.
7. Perform the following steps and click Next:
a. In the User and Session Limits section, select No Limit.
b. In the Policy Limits section, select No Limit.
Result: The EAP-PEAP Configuration window opens. See Figure 7.17.
8. Perform the following steps and click Next:
a. Enter the certificate file name and private key password for RSA or DSA.
b. Enter the challenge prompt.
c. Specify the compatibility mode for PEAP Version 1.
Result: The EAP-MS-CHAP-V2 Authentication Configuration window opens. See Figure 7.18.
9.
the following topics:
PolicyAssistant
Policy 38
Policy Wizard 39

PolicyAssistant
The PolicyAssistant helps service providers to set up secure access to the network resources. The PolicyAssistant creates, manages and applies policies to control how and when users access the network. The PolicyAssistant allows you to configure the 8950 AAA software through its built-in Policy Wizard. The Policy Wizard collects data on processing your request and saves it to the PolicyAssistant files.
The PolicyAssistant panel in the Server Management Tool (SMT) contains a table of the available policies defined for your network. You can configure the PolicyAssistant to support multiple policies. The number of policies required depends on the following factors:
• Type of services provided by the network
• Equipment requirements
• Customer requirements
• Geographic location of the customer

Policy
Start PolicyAssistant
In the SMT navigation pane, select Configuration Tools > PolicyAssistant. The PolicyAssistant window opens.
Figure 6.1 PolicyAssistant
Table columns: Policy, User Profile Source, Authentication, User Limit. Sample row: MD5-DB, Database, EAP-MD5, No Limit. Panel text: The PolicyAssistant manages policies to control users' access to your network. A policy defined in the
this template to the policy rule configured in 8950 AAA. At present, CyberGateKeeper and OmniSwitch templates are available for the user in the enterprise network.
Contents
This chapter covers the following topics:
Create a template 102
Edit a template 107
Delete a template 108

Configure templates
Create a template
Purpose
Use this procedure to create a template.
Procedure
1. From the SMT navigation pane, select File Tools > User Files.
Result: The User Files window opens.
Figure 8.1 User Files
Columns: User Name; Items to Verify (Check Items); Items Sent Back To Client (Reply Items); Attribute.
2. Click Open.
Result: The User File List window opens.
Figure 8.2 User File List
User Files: user, eap_users.txt, security_users, security_users.new, test.users, users, users.templates.
3. Select users.templates and click Open.
Result: The User Files: users.templates window opens.
Figure 8.3 User Files: users.templates
User Entries; Default User Entries: PPP template, blank, SLIP, CSLIP, TELNET. Columns: User Name; Items to Verify (Check Attri
used. At least one server and the secret are required. Servers: 192.168.10.11 (authentication) and 192.168.10.12 (accounting). Shared Secret: secret.
8. Enter the proxy port address for both the authentication server and the accounting server and click Next.
Result: A window with a summary of the policy configuration opens.

Configure PolicyAssistant: Configure PolicyAssistant rules for OmniSwitch (continued)
Figure 7.39 Policy configuration summary
Dialog text: You have completed the information to edit a Policy. Below is a summary of the Policy configuration. Click Finish to save your work or use the Back button to change the Policy. User Profile Source: Radius Server Proxy; Servers: 192.168.10.11; Shared Secret: secret. Accounting: Accounting Method: None; Proxy Accounting: Yes; Shared Secret: secret. User and Session Limits: User Session Limit: No Limit; Total Policy Limit: No Limit.
Note: If the Policy server is running, click Reload to update the PolicyAssistant configuration.
9. Click Finish to complete the PolicyAssistant configuration for the proxy RADIUS server.
10. Click Save to save the policy created.
window displays the selected attributes.
7. Click OK.
Result: The values display on the User File window.
8. Click Save to save the template.

Configure templates
Delete a template
Purpose
Use this procedure to delete a template.
Procedure
1. From the SMT navigation pane, select File Tools > User Files.
Result: The User Files window opens. See Figure 8.1.
2. Click Open.
Result: The User File List window opens. See Figure 8.2.
3. Select users.templates and click Open.
Result: The User Files: users.templates window opens. See Figure 8.3.
4. Select the required template and click the delete icon to delete the template.
5. Click Save to save the template.

Part IV: 8950 AAA configuration
Overview
Purpose
The SMT application provides various tools to configure the 8950 AAA server. This part provides a description of a few configuration tools and procedures used in the 8950 AAA server in the enterprise network. For more details, see http://www.8950aaa.com/doc/6.3/SMT.pdf.
Contents
This part covers the following chapters:
RADIUS client configuration 111
Vendor specific attributes 117
8950 AAA policy server 123
8950 AAA Configuration server 139
Derby database 143
Configure PolicyAssistant: Configure PolicyAssistant rules for CyberGateKeeper (continued)
6. Select Save Accounting to a File and perform the following steps:
a. The file name appears by default. If needed, modify the file name.
b. Select the rollover mode.
c. Click Next.
Result: The User and Session Limits window opens. See Figure 7.10.
7. Perform the following steps:
a. In the User and Session Limits section, select One Session.
b. In the Policy Limits section, select No Limit.
c. Click Next.
Result: The User File Name Configuration window opens. See Figure 7.14.
8. The user file name appears by default. If needed, modify the user file name and click Next.
Result: The Attribute Set for Policy window opens.
Figure 7.40 Attribute Set for Policy
Policy Configuration: CG-pass-MD5-mypolicy. Attribute Set for Policy. Dialog text: RADIUS attributes are used to define authorization checks and set session configuration options. Attributes may be defined in a user's profile; however, the PolicyAssistant also supports the use of defined sets of attributes which can be added to any attributes defined in the user's profile. You may define an attribute set that will apply to all users of this policy. Use of an attribute set can make user profile maintenance simple by specifying attributes for all users. U
... 8950 AAA allows you to view server-related statistics and the status of requests sent and received by the 8950 AAA server.

8950 AAA component interfaces
Figure 2-2 illustrates the component interface diagram.
Figure 2-2 Component interface diagram (components shown: LDAP client and LDAP server, PolicyFlow plug-ins, SNMP manager, web browser over HTTP/HTTPS, Telnet/SSH client, embedded Derby database, Diameter, IP packet input, 8950 AAA Core Engine, Policy server, Configuration server, SS7/Sigtran gateway, credit control system)
Table 2-1 describes the different components of 8950 AAA and their clients.

Table 2-1 8950 AAA component interfaces
8950 AAA component | Client | Description
8950 AAA | 8950 AAA clients | 8950 AAA interacts with clients such as NAS, BRAS, HA, LDAP client, WAC and proxy AAA through its RADIUS, Diameter, TACACS+ and LDAP components.
SNMP agent | SNMP manager | 8950 AAA interacts with the SNMP manager through the SNMP agent.
Web server | Web browser | 8950 AAA has a built-in web server for handling HTTP requests. This server also hosts SOAP web services.
8950 AAA policy server
... values. The policy server supports a Telnet and SSH based command line interface (CLI) through the Admin console. The CLI is used for remote login and debugging; administrators can use it to execute administrative commands. Telnet carries the operator credentials and every command in clear text, so use the SSH interface for remote administration and leave Telnet disabled where it is not needed.
The policy server has a built-in web server used for the following purposes:
• Display server information
• Display authentication and accounting statistics
• View documentation
• Access the User Provisioning Tool (UPT)
• View deployed SOAP services
The policy server is the platform that supports the various functions and components of 8950 AAA. The important functions are:
• RADIUS listener for handling protocol-specific AAA requests
• Built-in session database for managing user sessions
• SNMP MIB and trap support
• Extensive logging capabilities with multiple log channels
• Hosting of the embedded Derby database
• Server monitoring and statistics tools

Start policy server
Purpose: You can start the policy server in one of the following ways:
• From the SMT
• From the command line window
• As a Windows service application
Before you begin: Start the SMT before you start the policy server.
From the SMT
Related information: The tool bar of the SMT displays icons to start the Policy Server and the Configuration Server. The figure shows the position of the Policy Server tool icon.
Vendor specific attributes
Add a vendor to the dictionary
Purpose: Use this procedure to add a vendor to the dictionary. The Vendor Id is the IANA Private Enterprise Number carried in the Vendor-Specific (type 26) attribute; the VSA Format "rfc" means the vendor type/length layout recommended in RFC 2865, while "usr" and "nortel" are vendor-proprietary layouts.
Procedure
1 From the SMT navigation pane, select File Tools > Dictionary Editor. Result: The Vendors window opens.
Figure 10-1 Vendors (tabs: Vendors, Attributes, Diameter Applications)
Vendor Name | Vendor Id | VSA Format
Ericsson | 5 | rfc
Cisco | 9 | rfc
3Com | 43 | rfc
Merit | 61 | rfc
Nokia | 94 | rfc
Shiva | 166 | rfc
Ericsson ViG | 193 | rfc
Cisco VPN5000 | 255 | rfc
Livingston | 307 | rfc
Microsoft | 311 | rfc
USR | 429 | usr
Ascend | 529 | rfc
Alcatel 1430 | 637 | rfc
Alcatel | 800 | rfc
Lucent AAA | 831 | rfc
Xedia | 838 | rfc
Alltel | 1049 | rfc
Funk | 1411 | rfc
CyberGuard | 1457 | rfc
Bay | 1584 | rfc
Orinoco | 1751 | rfc
Foundry | 1991 | rfc
Packeteer | 2334 | rfc
Redback | 2352 | rfc
Juniper | 2636 | rfc
Nortel Cvx | 2637 | nortel
Cisco VPN3000 | 3076 | rfc
2 Click the add icon. Result: The Vendor Name window opens.

Add vendor specific attributes to the dictionary
Figure 10-2 Vendor Name
Enter the vendor information below to add or edit a vendor in the dictionary.
Vendor Name: Lucent AAA
Vendor Id: 831
VSA Format: RFC
Start policy server
Procedure
(Figure: the 8950 AAA Server Management Tool, Server Panel; the Policy Server tool icon is on the tool bar.)
1 From the SMT navigation pane, click the Policy Server tool icon.
2 Select Start Server from the drop-down list. Result: The policy server starts and the status changes to green.
From the command line window
Procedure
1 In the command line window, navigate to the Win folder under the 8950 AAA installation directory.
2 Enter the command: aaa start policy. Result: The policy server starts and the status changes to green.
As Windows service application
Before you begin: Ensure that the required local Windows security settings are in place before you begin this procedure. The user must have administrative privileges and must be authenticated. Follow this procedure to configure the security policy on the local system:
1 From the Start menu, navigate to Control Panel and select Administrative Tools.
2 In the Administrative Tools window, select Local Security Settings.
3 Double-click Act as part of the operating system.
4 Click Add User or Group and enter the domain name and the user name.
5 Click OK to save the changes. Accept all warnings.
The local security policy is now configured.
Note: Act as part of the operating system (SeTcbPrivilege) lets its holder obtain a token for any user without authenticating and is effectively equivalent to SYSTEM. Grant it only to the dedicated account under which the 8950 AAA service runs, never to a shared or interactive administrator account, and review the assignment periodically.
Procedure
1 Cl
Installation of 8950 AAA server and PolicyAssistant: Installation on Microsoft Windows
Figure 5-3 License File Location (Alcatel-Lucent 8950 AAA Version 6.5 Setup Program)
Alcatel-Lucent requires that you have a valid license file to run the 8950 AAA servers. You should have received a license file when you registered your serial number or requested an evaluation copy. If you do not have a valid license file, visit www.8950aaa.com. If you have a license file, enter the name of the folder, or click Browse and select the folder that contains your 8950 AAA license file.
License File Folder: (the figure shows a path of the form AAA\run\license.txt)
6 Enter the name of the folder or click Browse to specify the location of the license file, and click Next. Result: The 8950 AAA Administrator Configuration window opens.
Figure 5-4 8950 AAA Administrator Configuration (Alcatel-Lucent 8950 AAA Version 6.5 Setup Program)
Enter the administrator's user name and password for the 8950 AAA servers.
User Name: admin
Password: admin
7 Enter the administrator user name and password and click Next.
Note: The setup program pre-fills admin/admin. Replace the default password with a strong one at this step; this account administers the policy server and its configuration, and a default credential here is the first thing an attacker on the management network will try.
Set up 8950 AAA for enterprise network
Overview
Purpose: This chapter provides a sequential approach to commissioning the 8950 AAA server in the enterprise network. The procedure links to the chapters that contain detailed procedures for each task.
Contents: This chapter covers the following topic: Set up 8950 AAA (page 25)

Set up 8950 AAA
Follow these steps to install, configure and manage 8950 AAA in an enterprise network:
1 Install the 8950 AAA server. For details on installation of the 8950 AAA server, see Chapter 5, Installation of 8950 AAA server and PolicyAssistant.
2 Copy the 8950 AAA sample policies and rules for the enterprise network. For details, see the procedure Install sample policies and rules for enterprise network.
3 Configure the policy rules or policies according to the requirements of the enterprise network. For sample configurations of policies and rules, see Chapter 7, Configure PolicyAssistant.
4 Perform the general configuration procedures on the 8950 AAA server. For detailed procedures, see Part IV, 8950 AAA configuration.
5 For details on 8950 AAA server management, see Part V, 8950 AAA management.

5 Installation of 8950 AAA server and PolicyAssistant
Overview
Purpose
(EAP-TLS Configuration, continued)
RSA Certificate File Name: server.pem
RSA Private Key Password: (the password set when the server key was generated)
DSA Certificate File Name:
DSA Private Key Password:
Trusted File: trusted.pem
Certificate Manager (button)

Configure PolicyAssistant rules for OmniSwitch (continued)
9 Click Next. Result: The CRL (Certificate Revocation List) Configuration window opens (see Figure 7-19).
10 Check CRL Checking Enabled and enter the certificate file name in CRL Issuer Certificate File. Click Next. Result: The Attribute Set for Policy window opens (see Figure 7-12).
Note: With EAP-TLS the client certificate is the credential, so CRL checking is the only way to lock out a user whose certificate has been revoked before it expires. Keep it enabled, make sure the CRL Issuer Certificate File is the certificate of the CA that signs the CRL, and refresh the CRL the server uses before its next-update time.
11 Perform the following steps and click Next:
   a From the Attribute Set to use for this Policy section, select Use Attribute Set.
   b From the list of templates, select OmniSwitch. For information on configuring templates, see Configure templates.
   c From the Attribute Set Lookup Failure section, select Reject the Request.
Result: A window with a summary of the policy configuration opens.
Figure 7-28 Policy configuration summary (Policy Configuration: EAP TLS mypolicy)
You have completed the information to edit a Policy. Below is a summary of the Policy configuration. Click Finish to save your work or use the Back button to change the Policy.
User Profile Source: None
Accounting: Accounting Method: Detail File; Proxy Accounting: No
Authentication: EAP TLS
Attribut
Part I: 8950 AAA in enterprise solution
Overview
Purpose: This part provides an overview of the enterprise network. The network offers integrated solutions, together with the 8950 AAA server, to provide user-centric security.
Contents: This part covers the following chapters:
Enterprise network with 8950 AAA
8950 AAA overview (page 11)

1 Enterprise network with 8950 AAA
Overview
Purpose: This chapter provides an overview of the enterprise network. It describes the various components and interfaces in the enterprise network and their roles. It also explains the role of the 8950 AAA server in providing user-centric security in the enterprise network.
Contents: This chapter covers the following topics:
Description (page 4)
EBG architecture diagram (page 4)
EBG components and roles (page 5)
Access control process (page 6)
Network interfaces (page 7)
User profile stores (page 8)
End devices in enterprise network (page 9)

Description
The enterprise business solution is an integrated security solution implemented in an enterprise network. The integrated solution uses the 8950 AAA server to provide user-centric security to the enterprise network. The user-centric secu
[Base64-encoded certificate body, not reproduced here]
-----END CERTIFICATE-----

Modify the Private Key Password attribute in the security properties file in the run directory. Ensure that this attribute holds the password that was used to encrypt the server certificate's private key in the 8950 AAA Certificate Manager.
Note: The properties file then holds the key password in clear text. Restrict its file permissions to the account that runs the policy server, and keep it out of backups and configuration exports that are shared more widely.

Appendix A: Machine authentication
Overview
The policies on the local machine must be configured to allow machine authentication when the EAP-PEAP AD authentication protocol is used. Use this procedure to configure the policies on the local machine.
Procedure
1 On Windows, navigate to Start > Control Panel > Administrative
Table 2-1 8950 AAA component interfaces (continued)
Admin server | Telnet/SSH | The Admin server component lets you interact with 8950 AAA using admin interface commands. The Admin server can be connected to using Telnet and SSH consoles.
USS | LDAP client | USS offers an LDAP interface that lets external elements view or search information about current sessions.
USS | PolicyFlow plug-ins | USS is accessed using PolicyFlow plug-ins such as StateServer and StateClient. The PolicyFlow plug-in lets you edit and delete session information.
PolicyFlow plug-ins | External systems | The JDBC, LDAP and Diameter plug-ins are used to access an external SQL database, an LDAP server and a credit control system respectively.

Part II: 8950 AAA installation
Overview
Purpose: This part provides hardware and software information about the 8950 AAA server and the procedures to install 8950 AAA in the enterprise network scenario.
Contents: This part covers the following chapters:
8950 AAA hardware and operating platform (page 21)
Set up 8950 AAA for enterprise network (page 25)
Installation of 8950 AAA server and PolicyAssistant (page 27)

3 8950 AAA hardware and operating platform
Overview
Purpose: This chapter provides the hardware and operating platform requirements for the 8950 AAA se
Alcatel-Lucent 8950 AAA Release 6.6.1
Enterprise Business Solution User Guide
365-360-005
Issue 1.0, June 2010

Legal notice
Alcatel, Lucent, Alcatel-Lucent and the Alcatel-Lucent logo are trademarks of Alcatel-Lucent. All other trademarks are the property of their respective owners. The information presented is subject to change without notice. Alcatel-Lucent assumes no responsibility for inaccuracies contained herein. Copyright 2010 Alcatel-Lucent. All rights reserved.

Contents
About this document (xiii)
  Purpose (xiii)
  Intended audience (xiii)
  How to use this document (xiii)
  Document support (xiv)
  Technical support (xiv)
Part I: 8950 AAA in enterprise solution
1 Enterprise network with 8950 AAA
  Description (4)
  EBG architecture diagram (4)
  EBG components and roles (5)
  Access control process (6)
  Network interfaces (7)
  User p
9 RADIUS client configuration
Overview
Purpose: This chapter describes the procedures to configure RADIUS clients. RADIUS clients are network access servers such as wireless access points, 802.1X-capable switches, virtual private network (VPN) servers and dial-up servers; they use the RADIUS protocol to communicate with RADIUS servers. In the enterprise network, for example, the OmniSwitch, OmniAccess, CyberGateKeeper and Brick firewall are the RADIUS clients.
When you configure a RADIUS client in the enterprise network, you designate the following properties: client name, IP address, client vendor, shared secret, Message-Authenticator attribute and so on. The shared secret is what authenticates the client to the 8950 AAA server and the server's replies to the client, so use a long random secret that is unique per client. The Message-Authenticator attribute adds an HMAC-MD5 over the whole request keyed with the shared secret; enabling it for a client lets the server detect forged or tampered Access-Requests, which the random Request Authenticator alone cannot.
Contents: This chapter covers the following topics:
Any RADIUS client configuration (page 112)
Identifying a client type (page 115)

Any RADIUS client configuration
Purpose: Use this procedure to configure RADIUS clients.
Procedure
1 From the SMT navigation pane, select Configuration Tools > Client Peers. Result: The Client Properties window opens.
Figure 9-1 Client Properties (tabs: Radius Clients, Diameter Peers, TACACS Clients, Client Classes; the client list shows Client IP Address or
From the top panel, click the add icon. Result: The Server Entry window opens (see Figure 14-3).

Remote configuration
Figure 14-3 Server Entry
Use the following properties to specify a server entry.
Name: Specifies the name of the server entry. This name is used to refer to this server from the file entries.
Host List: Specifies the list of hosts to try when retrieving files for this entry. Typically you specify only one host; you can specify multiple hosts, separated by commas, to be used as fail-over hosts.
User: Specifies the user name used to authenticate the connection to the hosts. The user name must exist in the 8950 AAA Operators on both the local server and the remote server. In addition, the passwords must match and be stored in plain text.
Secure (Yes/No): Specifies whether to connect over SSL or over a plain connection.
Terminate (Yes/No): Specifies whether to terminate the Policy Server if a connection fails or a specified file cannot be retrieved.
3 Use Table 14-1 to enter the information and click OK.
Table 14-1 Server Entry
Field | Description | Type | Value
Name | Enter the name of the server entry. Use this name to refer to the server from file entries. | Text |
Host List | Enter the host IP address. Specifies the host to try to retrieve files fo
Note: Because the operator password for remote configuration must be held in plain text on both servers, create a dedicated operator for this purpose with no other rights, and set Secure to Yes so that the credential and the retrieved configuration files do not cross the network in the clear.
(Figure 15-8 Submit a Certificate Request or Renewal Request, continued: PKCS #7 ...; Certificate Template: Web Server; Additional Attributes)
5 Copy the certificate information from the Certificate Info section and paste it into the Base-64-encoded certificate request field of Figure 15-8. Select Web Server from the Certificate Template drop-down list and click Submit. Result: The Certificate Issued page opens.
Note: The Web Server template issues a certificate with the Server Authentication extended key usage. Windows supplicants validating the RADIUS server certificate under PEAP or EAP-TLS require that EKU, so do not substitute a template that omits it.

Certificate management: Generate certificates for AAA using third party CA
Figure 15-9 Certificate Issued (Microsoft Certificate Services, certfnsh.asp). The certificate you requested was issued to you. Options: DER encoded or Base 64 encoded; Download certificate; Download certificate chain.
6 Select Base 64 encoded and click the Download certificate link.
7 Save the certificate as server in the AAA run directory. On the Certificate Issued page, click Home. Result: The Welcome page appears.
8 Perform the following:
   a Select Download a CA Certificate or CRL and click Next.
   b Select Base 64 Encoded and click Download CA Certificate.
   c Give the file name as ca and save it to the AAA run directory.
Result: The certificate downloa
Policy configuration summary (Policy Configuration: EAP PEAP MSCHAPv2 mypolicy)
You have completed the information to edit a Policy. Below is a summary of the Policy configuration. Click Finish to save your work or use the Back button to change the Policy.
User Profile Source: RADIUS User File; User File Name: MSCHAP 2 mypolicy.users
Accounting: Accounting Method: Detail File; Proxy Accounting: No
Authentication: EAP MS-CHAP v2; Allowed Types: EAP MS-CHAP v2; Tunnel Enabled: Yes; Allowed Tunnel Types: PEAP
Attribute Sets: Attribute Set to Use: OmniSwitch; If Attribute Set Not Found: Reject the Request; Read Set from User Profile: No
User and Session Limits: User Session Limit: No Limit; Total Policy Limit: No Limit
Note: If the Policy server is running, click Reload to update the PolicyAssistant configuration.
13 Click Finish to complete the PolicyAssistant configuration.
14 Click Save to save the policy created.

Configure EAP-PEAP-GTC authentication
Purpose: Use this procedure to configure EAP-PEAP-GTC using PolicyAssistant. Users are authenticated against a SecurID server.
Procedure
1 From the SMT navigation pane, select Configuration Tools > PolicyAssistant. Result: The PolicyAssistant window opens (see Figure 7-5).
2 Click the add icon to add a new policy. Result: The Policy Configuration window opens (see Figure 7-6).
3 Enter a new name for your policy, for example EAP PEAP GTC mypolicy, and click Next.
9 Perform the following steps:
   a Enter the Windows domain or computer name on which the Microsoft Windows SAM server is running. Enter the domain or computer name only if EAP MS-CHAP v2 (NT Password) is chosen.
   b Select EAP client uses user instead of user@realm to generate challenges.
   c Click Next. Result: The CRL (Certificate Revocation List) Configuration window opens (see Figure 7-19).
10 Click Next. Result: The Attribute Set for Policy window opens (see Figure 7-12).
11 Perform the following steps:
   a From the Attribute Set to use for this Policy section, select Use Attribute Set.
   b From the list of templates, select OmniSwitch. For information on configuring templates, see Configure templates.
   c From the Attribute Set Lookup Failure section, select Reject the Request.
   d Click Next. Result: A window with a summary of the policy configuration opens.

Configure PolicyAssistant rules for OmniSwitch (continued)
Figure 7-26 Policy configuration summary (Policy Configuration: EAP PEAP AD mypolicy)
You have completed the information to edit a Policy. Below is a summary of the Policy configuration. Click Finish to save your work or use the Back button to change the Policy.
User Profile Source: None
Accounting: Accounting Method: Detail File; Proxy Accounting: No
Authentication:
Read Set from User Profile: No
Note: If the Policy server is running, click Reload to update the PolicyAssistant configuration.
10 Click Finish to complete the PolicyAssistant configuration for CG NoAudit MD5.
11 Click Save to save the policy created.

Configure policy selection rules for CyberGateKeeper
Configure policy selection rule for CyberGateKeeper for Pass Audit
Purpose: Use this procedure to configure the CyberGateKeeper Pass Audit policy selection rule.
Procedure
1 From the SMT navigation pane, select Configuration Tools > PolicyAssistant. Result: The PolicyAssistant window opens (see Figure 7-1).
2 From the Policy Selection Rules tab of the PolicyAssistant window, click the add icon to add a new rule. Result: The Rule Configuration window opens.
Figure 7-44 Rule Configuration
Name: CG Audit Pass
Policy: CG pass MD5
Reject Requests (checkbox)
Tabs: Conditions, Max Connections, Request Map
Conditions (Simple / Advanced): Match ALL Conditions / Match ANY Conditions
Attribute | Operator | Value
Iex Report Audit Status | exists |
Iex Report Audit Status | ... |
3 Perform the following steps:
   a Enter the rule name.
   b From the Policy drop-down list, select the policy name. For example, select the Audit Pass policy created for CyberGateKeeper.
Figure 7-1 PolicyAssistant (continued), Policy Selection Rules tab:
Rule | Conditions | Policy | Limit
proxy | ... | proxy | No Limit
CG Audit Pass | Iex Report Audit Status exists AND Iex Report Audit Status equals pass audit | CG pass MD5 | No Limit
CG Audit Fail | Iex Report Audit Status exists AND Iex Report Audit Status equals fail audit | CG fail MD5 | No Limit
CG No Audit | Iex Report Audit Status exists AND Iex Report Audit Status equals fail noaudit | CG NoAudit MD5 | No Limit
CG Default | Iex Report Audit Status not exists | CG NoAudit MD5 | No Limit
Buttons: Save, Reload, Edit Attribute Sets, Install New PolicyFlow, Close
The PolicyAssistant window comprises two sections. The top section allows you to create and configure new policies and manage existing policies to control user access to the network. The bottom section contains four tabs that allow you to manage a selected policy.
A policy is a set of rules. The Policy server uses a policy for the following functions:
• To authenticate users
• To authorize users and configure their access
• To store accounting data
Each policy defines the following:
• User source: the location where the user profiles are stored

PolicyAssistant overview: Policy Wizard
• Type of authentication that the server performs
• Policy limits
• Account information processing
Policy Wizard
Use the Policy Wizard to create policies a
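The way the Policy Selection Rules table above resolves a request to a policy, as an added example in Python (this is not code from the 8950 AAA product or the guide). It assumes the server walks the rule list top to bottom and the first rule whose conditions match wins; the attribute name `Iex-Report-Audit-Status` and the values `pass audit`, `fail audit` and `fail noaudit` are spellings taken from the table and are assumptions about the CyberGateKeeper dictionary. The request dictionaries are constructed inline.

```python
"""Policy selection: first matching rule wins (assumed evaluation order), modelled on the
PolicyAssistant rule table. Example code, not part of 8950 AAA."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

AUDIT_ATTR = "Iex-Report-Audit-Status"   # assumed spelling of the CyberGateKeeper VSA


@dataclass(frozen=True)
class Condition:
    attribute: str
    operator: str                 # "exists", "not exists" or "equals"
    value: Optional[str] = None

    def matches(self, request: Dict[str, str]) -> bool:
        present = self.attribute in request
        if self.operator == "exists":
            return present
        if self.operator == "not exists":
            return not present
        if self.operator == "equals":
            return present and request[self.attribute] == self.value
        raise ValueError(f"unsupported operator: {self.operator}")


@dataclass(frozen=True)
class Rule:
    name: str
    policy: Optional[str]         # None models the Reject Requests checkbox
    conditions: Tuple[Condition, ...]
    match_all: bool = True        # Match ALL Conditions vs Match ANY Conditions

    def matches(self, request: Dict[str, str]) -> bool:
        results = [c.matches(request) for c in self.conditions]
        # No conditions: matches everything under ALL (all([]) is True), nothing under ANY.
        return all(results) if self.match_all else any(results)


def select_policy(rules: List[Rule], request: Dict[str, str]) -> Tuple[Optional[str], Optional[str]]:
    """Return (rule name, policy) of the first matching rule. (name, None) is an explicit
    reject; (None, None) means no rule matched, which a server can only treat as a reject."""
    for rule in rules:
        if rule.matches(request):
            return rule.name, rule.policy
    return None, None


def status_rule(name: str, policy: str, status: str) -> Rule:
    """The 'exists AND equals <status>' pattern used by the three audit rules in the table."""
    return Rule(name, policy, (Condition(AUDIT_ATTR, "exists"),
                               Condition(AUDIT_ATTR, "equals", status)))


# The four CyberGateKeeper rules from the PolicyAssistant table, in table order.
CG_RULES = [
    status_rule("CG Audit Pass", "CG pass MD5", "pass audit"),
    status_rule("CG Audit Fail", "CG fail MD5", "fail audit"),
    status_rule("CG No Audit", "CG NoAudit MD5", "fail noaudit"),
    Rule("CG Default", "CG NoAudit MD5", (Condition(AUDIT_ATTR, "not exists"),)),
]

# Constructed sample requests: what the NAS would send after each audit outcome.
SAMPLE_REQUESTS = {
    "passed": {"User-Name": "alice", AUDIT_ATTR: "pass audit"},
    "failed": {"User-Name": "bob", AUDIT_ATTR: "fail audit"},
    "no audit result": {"User-Name": "carol"},
    "unexpected status": {"User-Name": "dave", AUDIT_ATTR: "warn audit"},
}


def resolve_all(rules: List[Rule] = CG_RULES) -> Dict[str, Tuple[Optional[str], Optional[str]]]:
    return {label: select_policy(rules, req) for label, req in SAMPLE_REQUESTS.items()}
```

Running `resolve_all()` shows the gap in this rule set: a request whose audit status is present but carries a value none of the rules name (`warn audit`) matches neither the three status rules nor CG Default, because CG Default only fires when the attribute is absent. If such a request should get the no-audit policy rather than an implicit reject, append a final rule with no conditions (which matches everything under Match ALL) or change CG Default's condition; rule order matters, since the first match is taken.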
Figure 13-1 Server Properties 144
Figure 13-2 Derby Databases 146
Figure 13-3 Derby Database Entry 147
Figure 14-1 8950 AAA remote configuration 155
Figure 14-2 Remote Configuration 156
Figure 14-3 Server Entry 157
Figure 14-4 File Selection Wizard 159
Figure 14-5 File Selection Wizard 160
Figure 14-6 File Selection Wizard: Selected file details 161
Figure 14-7 File Entry 162
Figure 15-1 Encryption and decryption with recipient keys 166
Figure 15-2 Encryption and decryption with sender keys 167
Figure 15-3 Digital signature 167
Figure 15-4 Deployment on 8950 AAA server 168
Figure 15-5 Microsoft Certificate Services 170
Figure 15-6 Request a Certificate 171
Figure 15-7 Advanced Certificate Request 172
Figure 15-8 Submit a Certificate Request or Renewal Request 173
Figure 15-9 Certificate Issued 174
Figure 15-10 Combining certificates
Tools > Local Security Policy. Result: The Local Security Settings window opens.
2 On the left navigation panel, expand Local Policies and select User Rights Assignment.
Figure 15-11 Local Security Settings (Security Settings > Local Policies > User Rights Assignment; the policies listed include Act as part of the operating system, Add workstations to domain, Adjust memory quotas for a process, Back up files and directories, Bypass traverse checking, Change the system time, Create a pagefile, Create a token object, Create global objects, Create permanent shared objects)

Machine authentication (continued)
3 On the right panel, double-click Access this computer from the network.
Figure 15-12 Access this computer from the network Properties (current setting: Administrators)
4 Click Add User or Group. Result: A dialog box to add or select users and groups opens.
Note: Add only the specific computer accounts or group that must perform machine authentication. Granting this right to Everyone or to broad built-in groups widens network logon to the host well beyond what EAP-PEAP AD machine authentication needs.
Figure 15-13 Select Users or Groups
8950 AAA policy server: Configure timeout properties of policy server (continued)
Figure 11-7 Timeout Properties (Server Properties tree: Policy Server, USS, Configuration Server, Web Interface, SSH Interface, RMI Registry, Certificates, Lawful Intercept, SNMP, LDAP Requests, Database, User Provisioning, Radius Properties with Attributes, Requests, Delimiters, Timeouts and Advanced, Diameter Properties, TACACS Properties)
Specifies the configuration values for the Policy server timeouts. A timeout is an amount of time to wait before an action is taken. Place the mouse over each option to display how it is used by the server.
Client Timeout: 10s
Minimum Session Timeout: 0s
Session Time From Time of Day: Yes / No
Default Challenge Timeout: 3m
Default Challenge Timeout Linger: 15s
Default Continue Timeout: 10m
Default Continue Timeout Linger: 15s
3 Use Table 11-6 to enter the information and click Save.
Table 11-6 Timeout Properties
Field | Description | Type | Value
Client Timeout | Enter the time for which the policy server waits before it discards requests. Note: Match the Client Timeout with the timeout set on the NAS client. If the NAS retransmits before this timeout expires, the server sees the retransmission as a duplicate (see the Check Duplicates property under RADIUS properties). | Use the spinner to specify the duration | Default value 10 s
Minimum Session Timeout | Enter the minimum
  Installation on Windows platform (34)
Part III: 8950 AAA PolicyAssistant (35)
6 PolicyAssistant overview (37)
  Start PolicyAssistant (38)
7 Configure PolicyAssistant (41)
  Authentication methods (42)
  Configure policy selection rules (42)
  Configure PolicyAssistant rules for OmniSwitch (46)
  Configure EAP MD5 authentication with Database as user source (46)
  Configure EAP MD5 authentication with RADIUS User File as user source (54)
  Configure EAP PEAP MS-CHAPv2 authentication with RADIUS User File as user source (57)
  Configure EAP PEAP GTC authentication (62)
  Configure EAP PEAP AD authentication (66)
  Configure EAP TLS authentication with RADIUS User File as user source (69)
  Configure EAP TTLS MS-CHAPv2 authentication with RADIUS User File as user source (72)
  Configure authentication with Microsoft Active Directory as user source (75)
  Configure SAM authentication (78)
  Configure RSA ACE server as a user source for SecurID tokens (81)
  Configure proxy authen
... Databases. Result: The Derby Databases window opens. This window displays the predefined databases.
Figure 13-2 Derby Databases
The following properties configure how the Derby database works.
Database Name | Database Mode | Registry Address | Secure Connection
(predefined databases) | Standalone (No Replication) | <none> | <none>
2 Click the add icon. Result: The Derby Database Entry window opens.

Derby database: Configure DB replication
Figure 13-3 Derby Database Entry
Database Name: aaa1
Database Mode: Master
Properties: Use the following to specify the configuration for the database listed above.
Registry Address:
Secure: Yes / No
Derby Address:
Derby Replication Address:
3 Use Table 13-2 and Table 13-3 to enter the values for the fields and click OK.
Table 13-2 Derby Database Entry
Field | Description | Type | Value
Database Name | Enter the database name. | Text |
Database Mode | Select the required mode of database configuration. The database is configured in one of the following modes. | One of the list values | • Standalone (No Replication): the database runs in non-replication mode. • Master: the database is the master in replication mode. • Slave: the database is the slave in replication mode; in this mode the database is in
Note: When the master and slave run on different hosts, set Secure to Yes; otherwise the replication stream, which carries the session and user data held in the database, crosses the network unencrypted.
... address is used; if the port is omitted, the default of 3799 is used (3799 is the port RFC 5176 assigns to Change-of-Authorization and Disconnect messages). Network address format: xxx.xxx.xxx.xxx:<port>. Default value: 3799.
Truncate Attributes at First NUL | If enabled, attribute values are truncated at the first NUL found in the value; if disabled, attribute values are not truncated. Enables support for NAS devices that send NUL characters in their attributes. | Boolean
Add NUL to string attributes | If enabled, a NUL is appended to the end of plain string attributes in responses sent to the NAS. This property enables support for NAS devices that expect NUL-terminated string attributes. | Boolean
Check Duplicates | If enabled, the server checks whether a received request is a duplicate of a previously received request. Duplicates are detected by the combination of source IP, source port and packet authenticator. The default setting is true. This property can also be set per client in the Client properties. Disabling it means a NAS retransmission is processed as a new request, which for accounting produces duplicate records. | Boolean
Check Authenticators | If enabled, the policy server verifies the request authenticator and drops the request if it does not verify. Leave this enabled: an Accounting-Request whose authenticator does not verify was not produced with the client's shared secret and should not be written to the accounting log. | One of the list values
Discard request when error | If enabled, the policy server discards packets when a method returns an error. | Boolean

8950 AAA policy server: Configure 8950 AAA pro
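What the Check Authenticators, Check Duplicates and Truncate Attributes at First NUL properties above, and the per-client Message-Authenticator setting from the RADIUS client configuration chapter, mean on the wire, as an added example in Python (this is not code from the 8950 AAA product or the guide; it uses only the standard library and follows RFC 2865, 2866 and 2869). The packets, shared secret and NAS addresses are constructed in memory; `STRING_ATTRS` stands in for the dictionary lookup a real server would use to decide which attributes are strings.

```python
"""RADIUS request checks a listener performs before a request reaches policy evaluation.
Example code, not part of 8950 AAA. Standard library only."""
import hashlib
import hmac
import os
import struct
import time

CODE_ACCESS_REQUEST = 1
CODE_ACCOUNTING_REQUEST = 4
ATTR_USER_NAME = 1                 # a "string" attribute in the dictionary
ATTR_ACCT_STATUS_TYPE = 40
ATTR_MESSAGE_AUTHENTICATOR = 80    # RFC 2869 section 5.14
HEADER_LEN = 20
STRING_ATTRS = {ATTR_USER_NAME}    # assumption: a real server consults its dictionary


def encode_attrs(attrs):
    """Serialize (type, value) pairs as RADIUS TLVs; length covers type, length and value."""
    out = b""
    for attr_type, value in attrs:
        if not 1 <= len(value) <= 253:
            raise ValueError("attribute value length out of range")
        out += struct.pack("!BB", attr_type, len(value) + 2) + value
    return out


def decode_attrs(data, truncate_at_nul=False):
    """Parse TLVs into (type, value, offset_of_value). truncate_at_nul models the
    'Truncate Attributes at First NUL' property for NAS devices that pad strings with NUL.
    A malformed length raises so the packet is dropped rather than half-parsed."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = struct.unpack("!BB", data[i:i + 2])
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute length")
        value = data[i + 2:i + length]
        if truncate_at_nul and attr_type in STRING_ATTRS:
            value = value.split(b"\x00", 1)[0]
        attrs.append((attr_type, value, i + 2))
        i += length
    return attrs


def packet_is_well_formed(pkt):
    """First check on any datagram: the Length field must equal the datagram size."""
    if len(pkt) < HEADER_LEN:
        return False
    length = struct.unpack("!H", pkt[2:4])[0]
    return HEADER_LEN <= length == len(pkt) <= 4096


def build_access_request(ident, attrs, secret):
    """Access-Request: random Request Authenticator plus Message-Authenticator, an HMAC-MD5
    over the whole packet computed with the attribute value zeroed (RFC 2869)."""
    authenticator = os.urandom(16)
    body = encode_attrs(list(attrs) + [(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)])
    length = HEADER_LEN + len(body)
    pkt = struct.pack("!BBH", CODE_ACCESS_REQUEST, ident, length) + authenticator + body
    mac = hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt[:length - 16] + mac          # Message-Authenticator was appended last


def build_accounting_request(ident, attrs, secret):
    """Accounting-Request authenticator = MD5(Code+ID+Length+16 zero octets+Attrs+Secret) (RFC 2866)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", CODE_ACCOUNTING_REQUEST, ident, HEADER_LEN + len(body))
    authenticator = hashlib.md5(header + b"\x00" * 16 + body + secret).digest()
    return header + authenticator + body


def check_request_authenticator(pkt, secret):
    """'Check Authenticators': an Accounting-Request whose authenticator does not verify was not
    built with our shared secret. An Access-Request authenticator is a random nonce, so there
    is nothing to verify there."""
    if pkt[0] != CODE_ACCOUNTING_REQUEST:
        return True
    expected = hashlib.md5(pkt[:4] + b"\x00" * 16 + pkt[HEADER_LEN:] + secret).digest()
    return hmac.compare_digest(expected, pkt[4:HEADER_LEN])


def check_message_authenticator(pkt, secret):
    """Verify Message-Authenticator. Returns False when it is absent, which is what requiring
    the attribute for a client means: an Access-Request without it is rejected."""
    for attr_type, value, off in decode_attrs(pkt[HEADER_LEN:]):
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR and len(value) == 16:
            start = HEADER_LEN + off
            zeroed = pkt[:start] + b"\x00" * 16 + pkt[start + 16:]
            return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), value)
    return False


class DuplicateCache:
    """'Check Duplicates': keyed on (source IP, source port, Request Authenticator) as the guide
    states. Entries expire after the Client Timeout, so an authenticator legitimately reused
    later is not rejected forever."""

    def __init__(self, ttl_seconds=10.0, now=time.monotonic):
        self._now, self._ttl, self._seen = now, ttl_seconds, {}

    def is_duplicate(self, src_ip, src_port, pkt):
        now = self._now()
        for key in [k for k, t in self._seen.items() if now - t > self._ttl]:
            del self._seen[key]
        key = (src_ip, src_port, pkt[4:HEADER_LEN])
        if key in self._seen:
            return True
        self._seen[key] = now
        return False
```

A listener would run these in order: `packet_is_well_formed`, then `check_request_authenticator` and, for clients configured to require it, `check_message_authenticator`, then `DuplicateCache.is_duplicate` with a TTL equal to the Client Timeout property, and only then `decode_attrs` with the NUL-truncation setting for that client. Note that the Message-Authenticator check is the only one of these that detects a spoofed Access-Request from a host that knows a client's IP address but not its shared secret.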
... change the Policy.
User Profile Source: RADIUS User File; User File Name: MD5 radiusfile mypolicy.users
Accounting: Accounting Method: Detail File; Proxy Accounting: No
Authentication: EAP MD5; Allowed Types: EAP MD5
Attribute Sets: Attribute Set to Use: OmniSwitch; If Attribute Set Not Found: Reject the Request; Read Set from User Profile: No
User and Session Limits: User Session Limit: No Limit; Total Policy Limit: No Limit
Note: If the Policy server is running, click Reload to update the PolicyAssistant configuration.
10 Click Finish to complete the PolicyAssistant configuration.
11 Click Save to save the policy created.
Note: EAP-MD5 authenticates only the user, not the server, and derives no keying material, so it cannot protect a wireless link. Use it for wired 802.1X ports where the switch-to-client path is trusted; for wireless clients use one of the tunneled methods (PEAP, TTLS) or EAP-TLS described below.

Configure EAP-PEAP-MS-CHAPv2 authentication with RADIUS User File as user source
Purpose: Use this procedure to configure EAP-PEAP with MS-CHAPv2 as the inner authentication method, with no CRL checking, and with a RADIUS user file as the user source, using PolicyAssistant.
Procedure
1 From the SMT navigation pane, select Configuration Tools > PolicyAssistant. Result: The PolicyAssistant window opens (see Figure 7-5).
2 Click the add icon to add a new policy. Result: The Policy Configuration window opens (see Figure 7-6).
3 Enter a new name for your policy, for example EAP PEAP MSCHAPv2 mypolicy, and click Next.
75. Result: The Accounting Configuration window opens. See Figure 7.9.
6. Select Save Accounting to a File and perform the following steps: a. The file name appears by default. If needed, modify the file name. b. Select the rollover mode. c. Click Next. Result: The User and Session Limits window opens. See Figure 7.10.
7. Perform the following steps and click Next: a. In the User Session Limits section, select No Limit. b. In the Policy Limits section, select No Limit. Result: The User File Name Configuration window opens. See Figure 7.14.
8. The user file name appears by default. If needed, modify the user file name and click Next. Result: The EAP PEAP Configuration window opens.
Figure 7.17 EAP PEAP Configuration (Policy Configuration: EAP PEAP MSCHAP v2 mypolicy). EAP PEAP Configuration: Enter the following information about your PEAP configuration. You must specify either the RSA or the DSA Certificate File and Private Key Password. Both the RSA and DSA info may be specified. Refer to the SMT Guide for more information about configuring PEAP. If you don't have your own certificate authority, you can use the Certificate Manager panel under the File Tools section or click the Certificate Manager button below to generate root, server and client certificates. Note: Version 0 of PEAP is automatically supported. The PEAP Version 1 mode setting does not affect Version 0 support.
76. ation of your user profiles. 3. Define how users are authenticated. 4. Determine how accounting records are processed. 5. Define any session limits that apply to this policy. Enter the name of this policy: Policy Name.
3. Enter a new name for your policy. For example, enter the policy name as MD5 DB mypolicy. Click Next. Result: The Source for User Profiles window opens.
Figure 7.7 Source for User Profiles (Policy Configuration: MD5 DB mypolicy). Where are the user profiles for this policy stored? Note: To see a description of an option, select the source name. User Profile Source options: RADIUS User File, Database, LDAP Directory, Microsoft Active Directory, Windows Security Access Manager, UNIX System (UNIX Password File), RSA ACE Server (SecurID), Secure Computing SafeWord Server, Radius Server (Proxy), None. Description shown for Database: Retrieves user profiles from an SQL database. By default, the database is configured to run on the same server (localhost) as the Policy server. If you want to run the database on a different server, specify the location of your database in the Database Configuration (a later step).
4. Select Database and click Next. Result: The Authenticating Access Requests window opens.
77. btain certificates for production purposes. If you are using Active Directory, use Microsoft Certificate Services to generate an SSL certificate.
Additional information: To issue a certificate for a web server, ensure that the following items are present: a domain administrator account; the Internet Explorer browser; a Windows server installed with Microsoft Certificate Services.
Procedure
Note: Keep the Certificate Manager window open until you execute all the steps.
Launch Internet Explorer and type http://<hostname>/certsrv to connect to the Certificate Services server. Result: The Microsoft Certificate Services window opens.
Figure 15.5 Microsoft Certificate Services (browser window showing the Certificate Services welcome page). Welcome: Use this Web site to request a certificate for your Web browser, e-mail client or other program. By using a certificate, you can verify your identity to people you communicate with over the Web, sign and encrypt messages and, depending upon the type of certificate you request, perform other security tasks. You can also use this Web site to download a certificate au
78. butes), Items Sent Back To Client (Reply Attributes); buttons: New, Save, Reload, Close.
4. Click to add a new template. Result: The User Profile window opens.
Figure 8.4 User Profile. Fields: User Name omniSwitch; Password; Authentication Type <unspecified>; Items to Verify (Check Attributes); Items Sent Back To Client (Reply Attributes); Comment.
5. Click the Items Sent Back to Client (Reply Attributes) tab to add the reply attributes and click the add button. Result: The Attribute Properties window opens.
Figure 8.5 Attribute Properties. Use the following to specify an attribute and its value. Select the attribute, then specify a value. Use the description to help with specifying the value. Attributes listed: AAA Access Rule, Acct Interval Time, Callback Id, Callback Number, Class, Configuration Token, Framed Compression, Framed IP Address. Value: temp2. Description: The Filter-Id attribute is of the String type. The value can contain ASCII characters (a-z, A-Z, 0-9, etc.). This attribute indicates the name of the filter list for this user. Zero or more Filter-Id at
79. ce and using the PolicyAssistant. This sample policy is for CG NoAudit status.
Procedure
1. From the SMT navigation pane, select Configuration Tools > PolicyAssistant. Result: The PolicyAssistant window opens.
2. Click to add a new policy. Result: The Policy Configuration window opens. See Figure 7.6.
3. Enter the policy name and click Next. For example, enter the policy name as CG NoAudit MD5 mypolicy. Result: The Source for User Profiles window opens. See Figure 7.7.
4. Select RADIUS User File and click Next. Result: The Authenticating Access Requests window opens. See Figure 7.8.
5. Expand EAP Authentication in the list of Authentication Types, select EAP-MD5 and click Next. Result: The Accounting Configuration window opens. See Figure 7.9.
6. Select Save Accounting to a File and perform the following steps: a. The file name appears by default. If needed, modify the file name. b. Select the rollover mode. c. Click Next. Result: The User and Session Limits window opens. See Figure 7.10.
7. Perform the following steps: a. In the User and Session Limits section, select One Session. b. In the Policy Limits section, select No Limit. c. Click Next. Result: The User File Name Configuration window opens. See Figure 7.14.
8. The user file name appears by default. If needed, m
80. ct None and click Next. Result: The Authentication Access Requests window opens. See Figure 7.8.
5. Expand EAP Authentication in the list of Authentication Types, select EAP-TLS and click Next. Result: The Accounting Configuration window opens. See Figure 7.9.
6. Select Save Accounting to a File and perform the following steps: a. The file name appears by default. If needed, modify the file name. b. Select the rollover mode. c. Click Next. Result: The User and Session Limits window opens. See Figure 7.10.
7. Perform the following steps and click Next: a. In the User Session Limits section, select No Limit. b. In the Policy Limits section, select No Limit. Result: The TLS (Transport Level Security) Configuration window opens.
8. Enter the certificate file name and private key password for RSA or DSA.
Figure 7.27 TLS (Transport Level Security) Configuration (Policy Configuration: EAP TLS mypolicy). Enter the following information about your TLS configuration. You must specify either the RSA or the DSA Certificate File and Private Key Password. Both the RSA and DSA info may be specified. Refer to the SMT Guide for more information about configuring TLS. If you don't have your own certificate authority, you can use the Certificate Manager panel under the File Tools section or click the Certificate Manager button below to generate root, server and client certificates. RS
81. ct the Request. d. Click Next. Result: A window with a summary of policy configuration opens.
Figure 7.24 Policy configuration summary (Policy Configuration: EAP PEAP GTC mypolicy). You have completed the information to edit a Policy. Below is a summary of the Policy configuration. Click Finish to save your work or use the Back button to change the Policy.
User Profile Source: None.
Authentication: RSA ACE Server (SecurID); RSA ACE Server Directory C:\AAA\run\ace; Tunnel Enabled Yes; Allowed Tunnel Types GTC in PEAP.
Accounting: Accounting Method Detail File; Proxy Accounting No.
Attribute Sets: Attribute Set to Use OmniSwitch; If Attribute Set Not Found, Reject the Request; Use User Name For Lookup No; Read Set from User Profile No.
User and Session Limits: User Session Limit No Limit; Total Policy Limit No Limit.
Note: If the Policy server is running, click Reload to update the PolicyAssistant configuration.
13. Click Finish to complete the PolicyAssistant configuration.
14. Click Save to save the policy created.
Configure EAP-PEAP AD authentication
Purpose: Use this procedure to configure EAP-PEAP AD using PolicyAssistant. Modify the configuration s
82. default codec.
TAOS Port: Select the version of TAOS to get the real NAS port number out of the NAS port info. Use this field if your NASs are running TAOS. Type: Dictionary Normalization Attribute List. Value: Default value No.
Authentication Timeout: Enter the time in milliseconds. The Policy server waits for this time before it discards authentication requests. This field overrides the Client Timeout value for authentications only. Type: Duration, with default time unit of milliseconds. Value: Default value No.
Accounting Timeout: Enter the time in milliseconds. The Policy server waits for this time before it discards accounting requests. This field overrides the Client Timeout value for accounting requests only. Type: Duration, with default time unit of milliseconds. Value: Default value No.
Character Set for Encoding: Select from the drop-down list the character set that is used to encode string attributes in requests. For an enterprise network, select the default character set. Type: Character set. Value: Default value No.
Truncate Attributes at First NUL / Add NUL to String Attributes: This field specifies whether the NAS devices send NUL characters in their attributes. If enabled, attributes are truncated at the first NUL found in the val
83. devices can verify the server credentials and, as an option, the server can verify the credentials of the supplicants or end-user devices.
Certificates: X.509 certificates are issued by the Certificate Authority (CA) and are used in encrypting the data that is sent over the wire.
Encryption/Decryption using digital certificates: Asymmetric cryptography, also known as public key cryptography, involves a pair of private and public keys to encrypt the data. Public keys are incorporated into a certificate. They are distributed with software or by electronic means such as web sites, information servers and so on, and need not be protected from disclosure. The owners must safeguard all private keys against compromise and keep the private key secret. A digital certificate is a public key associated with an element. The element can be a person, device, web server and so on, and the certificate carries the fingerprint of the CA. In other words, a digital certificate is digitally signed with the CA private key and carries validity dates and a serial number. As extra elements, the certificate carries additional information such as key usage and constraints on the possible use of the certificate. Data encrypted with the private key can only be decrypted with its public key, and the inverse is true. If the data sent by the sender is encrypted with the publ
84. ds.
Note: Ensure that the server certificate file contains the following: a. A certificate chain starting with the server certificate, which identifies the server, and ending with the self-signed CA root certificate. b. An encrypted version of the private key associated with the public key contained in the server certificate.
9. Using a text editor such as Notepad, combine the private keys from the Certificate Manager, server.cer and ca.cer, in the AAA run directory. Save the file as server.pem in the run directory. Note: Ensure that the file name is server.pem and not server.pem.txt. Result: Figure 15.10 displays the combined certificates.
Figure 15.10 Combining certificates (server.pem opened in Notepad, beginning with a BEGIN ENCRYPTED PRIVATE KEY block).
85. e Sets: Allowed Types EAP-TLS; Attribute Set to Use OmniSwitch; If Attribute Set Not Found, Reject the Request; Use User Name For Lookup No; Read Set from User Profile No.
User and Session Limits: User Session Limit No Limit; Total Policy Limit No Limit.
Note: If the Policy server is running, click Reload to update the PolicyAssistant configuration.
12. Click Finish to complete the PolicyAssistant configuration.
13. Click Save to save the policy created.
Configure EAP-TTLS MS-CHAPv2 authentication with RADIUS User File as user source
Purpose: Use this procedure to configure EAP-TTLS with EAP-MS-CHAPv2 as inner authentication and no CRL checking, with RADIUS user file as user source, using PolicyAssistant. Users are authenticated inside a secure tunnel.
Procedure
1. From the SMT navigation pane, select Configuration Tools > PolicyAssistant. Result: The PolicyAssistant window opens.
2. Click to add a new policy. Result: The Policy Configuration window opens. See Figure 7.6.
3. Enter a new name for your policy. For example, enter the policy name as EAP TTLS mypolicy. Click Next. Result: The Source for User Profiles window opens. See Figure 7.7.
4. Select RADIUS User File and click Next. Result: The Authentication Access Requ
86. e rules based on the existing sample rules. Ensure that you save them under a different name.
Configure EAP-MD5 authentication with Database as user source
Purpose: Use this procedure to configure EAP-MD5 authentication with database as user source using PolicyAssistant.
Procedure
1. From the SMT navigation pane, select Configuration Tools > PolicyAssistant. Result: The PolicyAssistant window opens.
Figure 7.5 PolicyAssistant. The PolicyAssistant manages policies to control users' access to your network. A policy defined in the top section is a set of rules the Policy server uses to determine how users are authenticated, how access is authorized and configured, and how accounting data is stored. Policy list (Policy / User Profile Source / Authentication / User Limit / Policy Limit / Accounting): MD5 DB / Database / EAP-MD5 / No Limit / No Limit / None; MD5 file / RADIUS User File / EAP-MD5 / No Limit / No Limit / None; MD5 file test / RADIUS User File / EAP-MD5 / No Limit / No Limit / None.
2. Click to add a new policy. Result: The Policy Configuration window opens.
Figure 7.6 Policy Configuration. The Policy Wizard helps you create or modify a 8950 AAA policy. Using this wizard you will: 1. Name your policy. 2. Set the loc
87. ed on the Remote Configuration window.
Delete file entry
Purpose: Use this procedure to delete a file entry.
Procedure
1. From the SMT navigation pane, select Configuration Tools > Remote Configuration. Result: The Remote Configuration window opens. See Figure 14.1.
2. Select the required file entry and click the delete button. Note: To delete all the files, click the delete-all button. Result: The selected file entry is deleted.
15 Certificate management
Overview
Purpose: This chapter provides an overview of certificate management. It describes what a digital certificate is and the various types of digital certificates used in the 8950 AAA configuration. This chapter also provides procedures to manage certificates, for example the procedure to request a certificate, the procedure to view a certificate, the procedure to create a certificate, and so on. Authentication methods such as EAP-PEAP, EAP-TTLS and EAP-TLS are commonly used in an enterprise network. These methods use X.509 certificates for authentication.
Contents: This chapter covers the following topics: Certificates (165); 8950 AAA and certificates (168); Generate certificates for AAA using third-party CA (169).
Certificates
Need for certificates: Network authentication using EAP-TLS, EAP-TTLS and EAP-PEAP involves X.509 digital certificates. Using these authentication methods, supplicants or end-user
88. (List of figures, continued)
Figure 8.4 User Profile, p. 104
Figure 8.5 Attribute Properties, p. 105
Figure 8.6 User Profile for OmniSwitch, p. 106
Figure 8.7 User Profile for CyberGateKeeper, p. 106
Figure 9.1 Client Properties, p. 112
Figure 9.2 Radius Client Properties, p. 113
Figure 9.3 Client Classes and Attributes, p. 116
Figure 10.1 (title illegible in source), p. 118
Figure 10.2 Vendor Name, p. 119
Figure 10.3 Vendors Attributes, p. 119
Figure 10.4 Vendors Attributes Properties, p. 121
Figure 11.1 Windows Services, p. 126
Figure 11.2 (title illegible in source), p. 126
Figure 11.3 Radius Properties, p. 128
Figure 11.4 Attributes, p. 131
Figure 11.5 Radius Request Properties, p. 133
Figure 11.6 User Name Parsing Delimiters, p. 135
Figure 11.7 Timeout Properties, p. 137
Figure (number illegible in source) Server Properties, p. 140
Figure 13.1
89. (Contents, continued)
Certificates, p. 165
Encryption/Decryption using Digital certificates, p. 166
Process to procure the digital certificate, p. 167
Certificate deployment on 8950 AAA, p. 168
Role of Certificate Manager, p. 168
8950 AAA and certificates, p. 168
Generate certificates for AAA using third party CA, p. 169
A Machine authentication, p. 177
Glossary, p. 183
List of figures
Figure 1.1 Architecture diagram of the EBG solution, p. 5
Figure 1.2 Access Control Process, p. 6
Figure 2.1 Components of 8950 AAA, p. 15
Figure 2.2 Component interface diagram, p. 17
Figure 5.1 Choose Destination Location, p. 28
Figure 5.2 Choose Installation Type, p. 20
Figure 5.3 License File Location, p. 30
Figure 5.4 8950 AAA Administrator Configuration, p. 31
Figure 5.5 8950 AAA Policy Set Installation, p. 32
Figure 5.6 Certificate Conf
90. ent Tool to start the SMT to configure and manage your servers. You can also view the Release Notes from the Setup Complete dialog.
12. Install sample policy rules for the enterprise network. For more details, see Install sample policies and rules for enterprise network.
Install sample policies and rules for enterprise network
Overview: The 8950 AAA server installation package for the enterprise network comprises predefined sample policy rules. Use these policy rules to configure the PolicyAssistant to match the requirements of the enterprise network. You can use these rules or create new rules based on these predefined rules. For more information on configuring the PolicyAssistant based on the sample rules, see Chapter 7, Configure PolicyAssistant.
Purpose: Use this procedure to install the predefined sample policy rules for the enterprise network.
Procedure
1. On Windows, navigate to the <Install Directory>\run\samples\ebg folder.
2. Copy all the predefined sample policies to the <Install Directory>\run folder.
3. Start SMT. If SMT is already running, restart SMT. For more information on how to start SMT, see the procedure Start SMT on Windows platform.
4. From the SMT navigation pane, select Configuration Tools > PolicyAssistant to view the sam
91. enter the policy name as RSA mypolicy. Click Next. Result: The Source for User Profiles window opens. See Figure 7.7.
4. Select RSA ACE Server (SecurID) and click Next. Result: The Accounting Configuration window opens. See Figure 7.9.
5. Select Save Accounting to a File and perform the following steps: a. The file name appears by default. If needed, modify the file name. b. Select the rollover mode. c. Click Next. Result: The User and Session Limits window opens. See Figure 7.10.
6. Perform the following steps: a. In the User Session Limits section, select No Limit. b. In the Policy Limits section, select No Limit. c. Click Next. Result: The RSA ACE Server Configuration window opens.
Figure 7.36 RSA ACE Server Configuration (Policy Configuration: RSA mypolicy). 8950 AAA supports two RSA configurations: Operating System Specific RSA and New RSA Library versions. The Operating System Specific RSA is older and has a possibly more stable library that runs on specific operating systems. The New RSA Library version is a new Java implementation that has better performance than the OS Specific Library. Operating System Specific RSA: Enter the directory where the RSA ACE Server files (sdconf.rec) are stored. If not specified, the directory de
92. er; Password; Authentication Type <unspecified>; Items to Verify (Check Attributes); Items Sent Back To Client (Reply Attributes); Comment. Reply attributes (Attribute / Value): Service Type / Framed User; Iex Role / Production (209); Iex Role / Restricted (210); Tunnel Type.
7. Click OK. Result: The User File window displays the values.
8. Click Save to save the template.
Edit a template
Purpose: Use this procedure to edit a template.
Procedure
1. From the SMT navigation pane, select File Tools > User Files. Result: The User Files window opens. See Figure 8.1.
2. Click Open. Result: The User File List window opens. See Figure 8.2.
3. Select users templates and click Open. Result: The User Files (users templates) window opens. See Figure 8.3.
4. Select the required template and click the edit button. Result: The User Profile window opens. See Figure 8.4.
5. Click the Items Sent Back to Client tab. a. To delete a reply attribute, highlight the attribute and click the delete button. b. To add more reply attributes, click the add button. c. To modify a reply attribute, highlight the attribute and click the edit button. Result: The Attribute Properties window opens. See Figure 8.6.
6. Perform the following steps: a. Select the required attribute and enter the corresponding value. b. Click Insert. Result: The User Profile
93. erver. This method overcomes the defects in the PAP method.
Configure policy selection rule
Purpose: Use this procedure to configure a policy selection rule. Note: The procedure details a sample rule definition. Define an appropriate rule to choose a required policy. For more detailed configuration procedures, see the PolicyAssistant User Guide in the Documentation section at http://www.8950aaa.com.
Procedure
1. From the SMT navigation pane, select Configuration Tools > PolicyAssistant. Result: The PolicyAssistant window opens.
Figure 7.1 PolicyAssistant. The PolicyAssistant manages policies to control users' access to your network. A policy defined in the top section is a set of rules the Policy server uses to determine how users are authenticated, how access is authorized and configured, and how accounting data is stored. Policy list (Policy / User Profile Source / Authentication / User Limit / Policy Limit / Accounting): MD5 DB / Database / EAP-MD5 / No Limit / No Limit; MD5 file / RADIUS User File / EAP-MD5; Cisco PEAP (remaining columns not legible). Tabs: Policy Selection Rules, Limits, Settings. The Policy Rules manage how a Policy is selected from information in a request. Rule list (Name / Condition / Policy or Reject / Max Connections): MD5 DBRule / NAS IP Address equals 135.250.35.77 / MD5 DB / No Lim
94. erver entry. Fields: Remote File; Local File; Format Text; Server unspecified.
3. Enter the information using the File Entry table and click OK.
Table 14.2 File Entry
Remote File: Enter the name of the file to retrieve from the remote server. Type: Text.
Local File: Enter the file name under which the file retrieved from the remote machine is saved locally. If not specified, the remote file is saved with the same name. Type: Text.
Format: Select the required file format. Select Text for plain text files and Binary for zip files. Type: One of the list values (Text, Binary).
Server: Specify the required host name. Type: Text.
Result: The configured values are displayed on the Remote Configuration window.
Edit file list
Purpose: Use this procedure to edit a file entry.
Procedure
1. From the SMT navigation pane, select Configuration Tools > Remote Configuration. Result: The Remote Configuration window opens. See Figure 14.2.
2. Select the required file entry and click the edit button. Note: Click the copy button to create a copy of the selected file. Note: Use the corresponding buttons to change the file format of the selected file and to change the host server. Result: The File Entry window opens. See Figure 14.7.
3. Use Table 1.1 to edit the required field and click OK. Result: The changes are display
95. ests window opens. See Figure 7.8.
5. Perform the following steps: a. Expand EAP Authentication in the list of Authentication Types and select EAP MS-CHAPv2. b. Click the Advanced Authentication Options tab. c. In the Advanced Authentication Options window, select the Tunneled EAP tab. d. Select Allow EAP Tunneling. e. From the Available EAP Tunnel Types section, select TTLS and click >. See Figure 7.29.
Figure 7.29 Advanced Authentication Options. Tabs: Automatic Password Detection, User Profile Options, Tunneled EAP Transports. The PolicyAssistant can automatically process EAP authentication requests tunneled through the following EAP types: PEAP, TTLS and GTC. To enable automatic EAP negotiation, enable Allow EAP Tunneling below and add the desired tunneled EAP types. Allow EAP Tunneling: Specify the allowed tunneled authentication types below by moving a type from the Available Tunnels list to the Allowed Tunnels list. Use the Up/Down buttons to specify the order in which the types are negotiated. Available EAP Tunnel Types: PEAP, TTLS, GTC, GTC in PEAP, GTC in TTLS. Allowed EAP Tunnel Types.
f. Click Close. g. Click Next. Result: The Accounting Configuration window opens. See Figure 7.9.
6. Select Save Accounting to a File and perform the following steps:
96. ettings for local policies on a system running on Windows to allow EAP-PEAP AD. For more details, see the appendix Machine authentication.
Procedure
1. From the SMT navigation pane, select Configuration Tools > PolicyAssistant. Result: The PolicyAssistant window opens. See Figure 7.5.
2. Click to add a new policy. Result: The Policy Configuration window opens. See Figure 7.6.
3. Enter a new name for your policy. For example, enter the policy name as EAP PEAP AD mypolicy. Click Next. Result: The Source for User Profiles window opens. See Figure 7.7.
4. Select None and click Next. Result: The Authenticating Access Requests window opens. See Figure 7.8.
5. Perform the following steps: a. Expand EAP Authentication. b. Select EAP MS-CHAPv2 (NT password). c. Click Advanced Authentication Option.
Figure 7.25 Advanced Authentication Options. Tabs: User Profile Options, Tunneled EAP Transports. The PolicyAssistant can automatically process EAP authentication requests tunneled through the following EAP types: PEAP, TTLS and GTC. To enable automatic EAP negotiation, enable Allow EAP Tunneling below and add the desired tunneled EAP types. Specify the allowed tunneled authentication types below by moving a type from the Available Tunnels list to
97. evices in the Alcatel-Lucent enterprise network. CyberGateKeeper provides the auditing of host configuration and is placed behind the OmniSwitch. This element is optional in an enterprise network. In scenarios that do not have CyberGateKeeper, the RADIUS clients or the edge devices such as the OmniSwitch directly interface with the 8950 AAA. User profile stores such as LDAP server, database server and Windows AD server are behind the 8950 AAA server. The 8950 AAA server uses the user profile stores to authenticate and authorize the users or devices that connect to the enterprise network.
Figure 1.1 Architecture diagram of the EBG solution (labels legible in the diagram: Microsoft AD, LDAP, Database, EAP over Radius, VPN Firewall Brick, NAS, CyberGateKeeper, WLAN, Supplicant).
EBG components and roles: This topic provides a list of components in the enterprise network solution and briefly describes their roles and functions.
8950 AAA Server (RADIUS): The 8950 AAA provides authentication, authorization and accounting services for wired, wireless and converged networks. The 8950 AAA supports the RADIUS protocol for authentication se
98. f. This part covers the following chapters: Remote configuration (153); Certificate management (165).
14 Remote configuration
Overview
Purpose: This chapter describes the 8950 AAA remote configuration.
Contents: This chapter covers the following topics: 8950 AAA remote configuration (153); Configure server entry (155); Add file list (158); Edit file list (163); Delete file entry (163).
8950 AAA remote configuration: Remote configuration allows retrieval of files from a remote server using the configuration server. Remote configuration provides a centralized location for configuration files. An 8950 AAA machine which provides the centralized location for configuration files acts as the master machine. Another 8950 AAA machine which tries to retrieve the configuration files from the master system becomes the slave. The master configures the IP address of all the slaves and the slave configures the information of the master, for example the IP address. The slave retrieves the files which require centralized storage from the master machine. Retrieval of files requires the policy server to be active on the slave machine. When a file is updated or modified on the master machine
99. faults to Ivarjace. On Windows, the sdconf.rec file must reside in your system path (field is not enabled). New RSA Library Version: Enter the directory where the RSA ACE Server file rsa_api.properties is stored. If not specified, defaults to the 8950 AAA run directory. Path to RSA ACE file: C:\AAA\run\ace. Specifies whether to get a user template name from the shell field returned by the RSA Server.
    7. Perform the following steps: a. Select New RSA Library Version. b. Enter the path to the directory where the RSA ACE Server file library is stored. c. Click Next. Result: The Attribute Set for Policy window opens. See Figure 7-12.
    8. Perform the following steps: a. From the Attribute Set to use for this Policy section, select Use Attribute Set. b. From the list of templates, select OmniSwitch. For more information on configuring templates, see Configure templates. c. From the Attribute Set Lookup Failure section, select Reject the Request. d. Click Next. Result: A window with a summary of the policy configuration opens.
    Figure 7-37 Policy configuration summary [screenshot residue: Policy Configuration, RSA mypolicy. You have completed the information to edit a Policy. Below is a summary of the Policy configuration. Click Finish to save your work or use the Back button to change the Po
100. figuration server
    Overview. Purpose: This chapter describes the 8950 AAA configuration server. The configuration server allows remote administration of 8950 AAA. The configuration server allows you to connect to the 8950 AAA server remotely using the SMT. Contents: This chapter covers the following topics: 8950 AAA configuration server (139); Configuration server properties (140).
    8950 AAA configuration server. The 8950 AAA SMT is used not only to connect to the 8950 AAA server on the local system but also for connecting remotely. Remote connection is achieved by using the configuration server. You can connect to the 8950 AAA server in a secure mode or in an unsecured mode. If you connect to the 8950 AAA server securely, ensure that there is a valid trusted certificate. When you establish a secure connection to the 8950 AAA server through the configuration server, the SMT validates the 8950 AAA server using its own trusted certificate. Once the certificate is validated, the connection is established. There are separate admin interface commands for the configuration server.
    Configuration server properties. Purpose: Use this procedure to configure the configuration server. Procedure: 1. From the SMT navigation pane, select Configuration Tools > Server Properties. Result: The Server Propert
101. ft Active Directory and click Next. Result: The Authenticating Access Requests window opens. See Figure 7-8.
    4. Expand External Authentications, select Microsoft Active Directory and click Next. Result: The Accounting Configuration window opens. See Figure 7-9.
    5. Select Save Accounting to a File and perform the following steps: a. The file name appears by default. If needed, modify the file name. b. Select the rollover mode. c. Click Next. Result: The User and Session Limits window opens. See Figure 7-10.
    6. Perform the following: a. In the User Session Limits section, select No Limit. b. In the Policy Limits section, select No Limit. c. Click Next. Result: The Microsoft Active Directory Configuration window opens.
    7. Perform the following: a. Enter the Bind Distinguished Name. b. Enter the Bind Password. c. Enter the Server Address. d. Enter the Search Base.
    Figure 7-32 Microsoft Active Directory Configuration [screenshot residue: Policy Configuration, AuthWindowsAD mypolicy. Microsoft Active Directory Configuration. Enter the following information for connecting to your Active Directory server. Note: All of the fields below are required except the Secondary Address. Bind Distinguished Name: cn=Administrator,cn=users,DC=CGDEMO2,DC=COM. Bind Password: alcatel1. Server Address: 192.168.1.226:389
102. [figure residue; recoverable labels: Supplicant, OmniSwitch, CyberGateKeeper, LDAP, Quarantine, Other RADIUS Access Policy, Parameters are pushed to the OmniSwitch, VLAN ID, Traffic Anomaly Detection, Bandwidth enforcement and Anomaly Detection]
    The following steps describe the user access control process in the enterprise network:
    1. The 8950 AAA authenticates users based on user and device credentials, or only user credentials, as part of the 802.1x authentication. In other scenarios, like the IP Touch phone, only device credentials are verified through MAC address authentication. If the end user device is a recognized supplicant, then the end user is authenticated through the 802.1x authentication protocol. If the end user device is an unrecognized supplicant, then the end user is authenticated through the MAC address authentication protocol.
    2. The 8950 AAA server authenticates the user credentials by checking against the built-in Derby database, LDAP servers, or other external databases like Windows AD. The 8950 AAA server authorizes the user to access the services and starts the accounting process. If the 8950 AAA server fails to recognize and authenticate a user, the next action depends upon the pre
103. gure 14-1 8950 AAA remote configuration [figure residue; recoverable labels: Master AAA: IP address of clients, Username configured in the Operators panel, Notify; in case of Notify or retrieving of files, the list of modified files; Slave AAA: IP address of Master, list of configuration files retrieved]
    Configure server entry. Purpose: Use this procedure to configure the server entries. The master configures the slave information and the slave configures the master information. Procedure: 1. From the SMT navigation pane, select Configuration Tools > Remote Configuration. Result: The Remote Configuration window opens. See Figure 14-2.
    Figure 14-2 Remote Configuration [screenshot residue: The Remote Configuration feature allows you to retrieve files from a remote server using the Configuration Server. This is typically used to have one centralized location for configuration files. You must specify which files are retrieved for every PolicyServer. Use the top section to configure the connections to remote Configuration Servers. Use the bottom section to list the files to retrieve. You can retrieve files from more than one remote server. Buttons: Save, Notify Servers, Close]
    2
104. i ipv4 address
    No. | Vendor | Attribute | Type
    7 | Ericsson | Ericsson Acc Ip Gateway Sec | ipv4 address
    8 | Ericsson | Ericsson Acc Route Policy | Enumerated
    9 | Ericsson | Ericsson Acc ML MLX Admin State | Enumerated
    10 | Ericsson | Ericsson Acc ML Call Threshold | Unsigned32
    11 | Ericsson | Ericsson Acc ML Clear Threshold | Unsigned32
    12 | Ericsson | (name illegible in source) | Unsigned32
    13 | Ericsson | (name illegible in source) | string
    14 | Ericsson | Ericsson Acc Clearing Cause | Enumerated
    15 | Ericsson | Ericsson Acc Clearing Location | Enumerated
    16 | Ericsson | Ericsson Acc Service Profile | string
    17 | Ericsson | Ericsson Acc Request Type | Enumerated
    18 | Ericsson | Ericsson Acc Framed Bridge | Enumerated
    19 | Ericsson | Ericsson Acc Vpsm Oversubscribed | Enumerated
    20 | Ericsson | Ericsson Acc Acct On Off Reason | Enumerated
    21 | Ericsson | Ericsson Acc Tunnel Port | (type illegible in source)
    22 | Ericsson | Ericsson Acc Dns Server Pri | ipv4 address
    | Ericsson | Ericsson Acc Dns Server Sec | ipv4 address
    | Ericsson | Ericsson Acc Nbns Server Pri | ipv4 address
    | Ericsson | Ericsson Acc Nbns Server Sec | ipv4 address
    | Ericsson | Ericsson Acc Dial Port Index | (type illegible in source)
    Note: To display the attributes based on the name of the vendor, select the name of the vendor in the drop-down box in the Vendor Search field.
    Ericsson Acc Output Errors; Ericsson Acc Access Partition; Ericsson Acc ML Damping Factor; Ericsson
105. ibly support other combinations that are not tested.
    2 8950 AAA overview
    Overview. Purpose: This chapter describes the features, functions and supported protocols of the 8950 AAA server that are available in the enterprise network. Contents: This chapter covers the following topics: Description (12); Product features of 8950 AAA (12); Access restrictions (13); AAA redundancy (13); Authentication methods (13); Accounting status type (14); Components of 8950 AAA (15); 8950 AAA component interfaces (17).
    Description. The 8950 AAA server is a network entity that provides authentication, authorization and accounting functionalities in carrier and enterprise networks. In an enterprise network, the 8950 AAA server interfaces with 802.1x switches, wireless access points and audit solutions like CyberGateKeeper. The 8950 AAA server supports the RADIUS protocol to interface with the edge devices.
    Product features of 8950 AAA. The following list describes a few features of 8950 AAA relevant to an enterprise network:
    - 8950 AAA supports 802.1x authentication using the following EAP protocols: EAP-TLS, EAP-TTLS, EAP-PEAP, EAP-MD5, EAP-GTC.
    - 8950 AAA implements an XML-based dictionary which is a superset of RFC
106. ibutes properties specify how the policy server handles RADIUS attributes. RADIUS Request Properties specify how the policy server handles RADIUS requests. Purpose: Use this procedure to configure the properties of the policy server for processing RADIUS requests. Procedure: 1. From the SMT navigation pane, select Configuration Tools > Server Properties. Result: The Server Properties window opens. 2. Select Policy Server > Radius Properties. Result: The Radius Properties panel opens.
    Figure 11-3 Radius Properties [screenshot residue; recoverable content: Server Properties tree: Web Interface, SSH Interface, RMI Registry, Certificates, SNMP, SCP, LDAP Requests, Database, User Provisioning, Radius Properties, Diameter Properties, TACACS Properties, Attributes, Requests, Delimiters, Timeouts, Advanced, Admin Interface, Lawful Intercept; tabs: Policy Server, USS, USSv2, Configuration Server. Radius Properties: Authentication Addresses 1812; Accounting Addresses 1813; Dynamic Authorization Addresses 3799. Specifies the configuration values for the Policy Server when processing Radius requests. Type of Service / Traffic Class; Truncate Attributes at First NUL: Yes / No; Add NUL to String Att
107. ic key of the recipient, the data is said to be truly encrypted. The recipient has the private key and can decrypt the message.
    Figure 15-1 Encryption and decryption with recipient keys [figure residue; recoverable labels: Recipient's public key, Recipient's private key, Clear text, Cipher text, Encryption, Decryption, Sender, Recipient]
    There are two possible ways for the sender to obtain the public key of the recipient: 1. The recipient sends it to the sender in the clear. As it is a public key, there is no risk in sending it in the open. 2. The sender retrieves it from a publicly known storage place, typically provided by a PKI.
    In another scenario, the text is encrypted using the private key of the sender, and then any person with the sender's public key can decrypt the message.
    Figure 15-2 Encryption and decryption with sender keys [figure residue; recoverable labels: Sender's private key, Clear text, Cipher text, Encryption, Sender's public key, Decryption and Authentication, Recipient]
    Certificates. If a recipient is able to decrypt the message, it means the sender owns the private key of the pair. Since the sender owns the private key, the recipient is aware of the identity of the sender.
    Process to procure the digital certificate. This procedure describes the steps taken by the end user to procure a digital certificate fr
108. ick Start button to display the Start menu. 2. Navigate to Control Panel. 3. Click Administrative Tools > Services. Result: The Services window opens.
    Figure 11-1 Windows Services [screenshot residue; recoverable content: Services (Local) list with columns Name, Description, Status, Startup Type, Log On As; entries include .NET Runtime Optimization Service, 8950 AAA Configuration Service (Manual, Local System), 8950 AAA Policy Service, Ac Profile Manager Service, Access Connections Main Service, Alerter, Altiris Agent, Application Layer Gateway Service, Application Management, ASP.NET State Service, Automatic Updates, Background Intelligent Transfer Service, Bluetooth Service, ClipBook]
    4. Select 8950 AAA Policy Service from the list of applications. 5. In the left-hand panel, click Start the service, or right-click and select Start. Result: The policy server starts as a Windows service application. The status changes
109. ies window opens. 2. Click Configuration Server. Result: The Configuration Server panel opens.
    Figure 12-1 Server Properties [screenshot residue; recoverable content: tabs Policy Server, USS, USSv2, Configuration Server. Specifies the properties used by the Configuration Server. The Configuration Server is used by the Server Management Tool to configure a server from a remote location. These properties are loaded each time the Configuration Server starts. Any changes to these properties will take effect the next time you start the Configuration Server and log into the SMT. Administration Address 127.0.0.1:9020; SSH Address (blank); Command Address 127.0.0.1:9019; Registry Port 9097; Secure Registry Port 9098; Log File Name config.log; Level of Messages to Log: Info; Save; Close]
    3. Use Table 12-1 to enter the information and click Save.
    Table 12-1 Configuration Server properties
    Field | Description | Type | Value
    Administration Address | Enter the TCP/IP address on which the configuration server admin interface listens for connections. The hostname must be a name that corresponds to a local interface on the machine or the value which represents | Network Address in xxx.xxx.xxx.xxx:port format | Default value 9020
110. iguration 33
    Figure 6-1 PolicyAssistant 38
    Figure 7-1 PolicyAssistant 43
    Figure 7-2 Rule Configuration 44
    Figure 7-3 Conditions 45
    Figure 7-4 Simple panel 45
    Figure 7-5 PolicyAssistant 46
    Figure 7-6 Policy Configuration 47
    Figure 7-7 Source for User Profiles 48
    Figure 7-8 Authenticating Access Requests 49
    Figure 7-9 Accounting Configuration 50
    Figure 7-10 User and Session Limits 51
    Figure 7-11 Database Configuration 52
    Figure 7-12 Attribute Set for Policy 53
    Figure 7-13 Policy configuration summary 54
    Figure 7-14 User File Name Configuration 56
    Figure 7-15 Policy configuration summary 57
    Figure 7-16 Advanced Authentication Options 58
    Figure 7-17 EAP PEAP Config
111. ion to display how it is used by the server. [screenshot residue: Automatically Check Items: Yes / No; Automatically Check Password: Yes / No; Automatically Check Leftovers: Yes / No; Automatically Remove Check Items: Yes / No; Automatically Check Minimum Session Timeout: Yes / No]
    8. Use Table 11-4 to enter the information and click Save.
    Table 11-4 RADIUS Requests Properties
    Field | Description | Type | Value
    Automatically Check Items | If enabled, the policy server runs a check item plug-in equivalent at the end of the method chain. | Boolean | Yes / No
    Automatically Check Passwords | If enabled, the policy server checks the password at the end of the method chain. This property is similar to the AuthLocal plug-in. | Boolean | Yes / No
    Automatically Check Leftovers | If enabled, the policy server rejects a request if there are Check Items left to be checked. | Boolean | Yes / No
    Automatically Remove Check Items | If enabled, the policy server removes check items as they are checked by plug-ins. | Boolean | Yes / No
    Automatically Check Minimum Session Timeout | If enabled, the policy server compares the minimum session timeout with the Time of Day value to decide whether to accept the request. | Boolean | Yes / No
    Configu
112. istant rules for CyberGateKeeper. Result: The Source for User Profiles window opens. See Figure 7-7. 4. Select Radius User File and click Next. Result: The Authentication Access Requests window opens. See Figure 7-8. 5. Expand EAP Authentication in the list of Authentication Types, select EAP-MD5 and click Next. Result: The Authenticating Access Requests window opens. See Figure 7-8. 6. Select EAP-MD5 and click Next. Result: The Accounting Configuration window opens. See Figure 7-9. 7. Select Save Accounting to a File and perform the following steps: a. The file name appears by default. If needed, modify the file name. b. Select the rollover mode. c. Click Next. Result: The User and Session Limits window opens. See Figure 7-10. 8. Perform the following steps: a. In the User and Session Limits section, select One Session. b. In the Policy Limits section, select No Limit. c. Click Next. Result: The User File Name Configuration window opens. See Figure 7-14. 9. The user file name appears by default. If needed, modify the user file name and click Next. Result: The Attribute Set for Policy window opens. See Figure 7-40. 10. Perform the following steps: a. From the Attribute Set to use for this Policy section, select Use Attribute Set. b. From the list of templates, select CG Fail Template. For more information on configuring templates, see Configure templates. c. From the Attribute Set Lookup Failure section, select Continue without Att
113. it BootRecords | Acct-Status-Type <equals> Accounting-On OR Acct-Status-Type <equals> Accounting-Off | DeviceBootRecords | No User Access
    2. From the Policy Selection Rules tab of the PolicyAssistant window, click the add icon. Result: The Rule Configuration window opens.
    Figure 7-2 Rule Configuration [screenshot residue; recoverable content: Name auth_users; Policy MD5 DB; Reject Requests; tabs Conditions, Max Connections, Request Map; Simple / Advanced; Match ALL Conditions / Match ANY Conditions]
    3. Perform the following steps: a. Enter a name for the rule. b. From the Policy drop-down list, select the required policy. c. Click the Conditions tab. Result: The Conditions panel opens. See Figure 7-2. 4. Click the Simple tab and perform the following steps: a. Select Match ALL Conditions or Match ANY Conditions as per your requirements. b. Click the add icon. Result: The Conditions window opens.
    Figure 7-3 Conditions [screenshot residue; recoverable content: Attribute User-Realm; operator equals; value airfrance.com]
    5. Select the attribute, set the condition and enter the corresponding value. Click OK. Result: The specified co
114. k part, also called the routing prefix. For example, an IPv4 address and its subnet mask are 192.0.2.1 and 255.255.255.0 respectively. The CIDR notation for the same IP address and subnet is 192.0.2.1/24, because the first 24 bits of the IP address indicate the network and subnet. CIDR provides the possibility of fine-grained routing prefix aggregation, also known as supernetting or route summarization.
    Identifying a client type. This feature allows you to distinguish each RADIUS client. You can assign a common attribute to a group of RADIUS clients belonging to one single category. For example, you can categorize all OmniSwitch client devices by assigning a common attribute User-Name as OmniSwitch. Assigning attributes helps in configuring all clients belonging to one category as a single entity. The Insert Row Wizard action button in this tab allows you to select the required type of client and to select the configuration options for that type of client. The Insert a record action button allows you to set the client classes and attributes from the following list of options:
    - Select from a Predefined Client Class
    - Add a Custom Client Class
    - Select or add the attribute and the value from the list
    Figure 9-3 Client Classes and Attributes [screenshot residue; recoverable content: Predefined Client Class list, entries including taos; QCha
115. k space for installation. Note: The storage requirement of 100 MB is for installation. For daily operations, allow extra storage space for accounting data and log files. The actual amount of disk space needed for logs and accounting records depends on many factors, such as logging level, accounting detail and the length of time for which the data is retained.
    Hardware requirements. The performance of the 8950 AAA software depends on a variety of factors that are listed as follows:
    - Peak usage and average session times expected
    - Storage of subscriber information, such as an SQL database (Oracle or Sybase) or an LDAP directory (Sun One Directory)
    - Hardware currently used, such as Sun servers or Intel-based servers, and the number of CPUs
    - Memory
    - Number of subscribers or the number of ports used in the system
    - Type of connection services that are available, such as dial-in, DSL, VPN, 802.11 Wireless LAN, 802.1x or 3G 1X Data
    - Operating system that the customer prefers, such as Windows (Intel) and Linux
    - Layout of the physical network, such as the location of RADIUS clients
    Contact the Alcatel-Lucent support channel to determine the hardware necessary to run the 8950 AAA server in your production environment.
    4 Set up 8
116. Figure 14-4 File Selection Wizard [screenshot residue; recoverable content: Below is a list of the servers you have previously configured. Select a server from the list and click Next to be able to select files from that server. Make sure that you have a running Configuration Server on that server. Entries: aaa 127.1.1.0; testi 135.250.37.21]
    3. Select the required host from the list and click Next. Result: The File Selection Wizard window with the list of files to be selected opens.
    Figure 14-5 File Selection Wizard [screenshot residue; recoverable content: Below on the left is a list of the files from the selected server. The list on the right is the list of files that will be added. Select a file from the Remote File list and click the arrow buttons to add it to the Selected Files list. You can also double-click to add. If the Configuration Server is not running on the server, the list will be empty, but you can manually add files by entering the name in the Other File Name field and clicking the add arrow button. Once all the files have been specified, click Next to continue. Remote Files: aaa exec cfg, aaa map, aaa pf, alerts, alu utilities pf, alu utilities sav, assistant dtd, brokers xml, cache osi, client properties, collector det
117. l authentication. For example, the access restrictions imposed can depend on the role of the user, and they are defined by the user profiles in the Microsoft AD. 8950 AAA retrieves the Local Groups or the Global Groups fields during authentication through the Microsoft AD. These groups are verified against the rules of the enterprise and the appropriate access is provided. For example, an employee in the accounts domain is allowed to access the corporate network internally (OmniSwitch using 802.1x), while a sales employee is allowed to access the network using the VPN, corporate LAN or corporate WiFi network.
    AAA redundancy. You can configure the 8950 AAA server on two machines to support redundancy. You can configure the two servers in the following two modes: 1. Active-Active: In this mode both servers share the load. In case one server fails, the active server takes over. The load sharing mode resumes once the failed server is restored. 2. Active-Standby: In this mode one server is always in standby mode to take over when the active server fails.
    Authentication methods. The authentication mechanisms supported for an enterprise network are as follows: Device-only authentication (MAC address authentication): Authenticates the MAC address of the device against the device details in a flat file or database. Example: the IP Touch phone is one of the devices that gets authenticated with this method. Authentication using certificate
118. les of the PolicyAssistant window, click the add icon to add a new rule. Result: The Rule Configuration window opens.
    Figure 7-46 Rule Configuration [screenshot residue; recoverable content: Name CG No Audit; Policy CG NoAudit MD5; Reject Requests; tabs Conditions, Max Connections, Request Map; Simple / Advanced; Match ALL Conditions / Match ANY Conditions; conditions: Iex Report Audit Status exists; Iex Report Audit Status equals Fail noaudit]
    3. Perform the following steps: a. Enter the rule name. b. From the Policy drop-down list, select the policy name. For example, select the Fail NoAudit policy created for CyberGateKeeper. c. Click the Conditions tab. Result: The Conditions panel opens. See Figure 7-2. 4. Click the Simple tab and perform the following steps: a. Select Match ALL Conditions. b. Click the add icon. Result: The Conditions window opens. See Figure 7-3. 5. Click the icon shown and perform the following steps: a. Select the attribute Iex Report Audit Status and select the operator as exists. b. Select the attribute Iex Report Audit Status, select the operator as equals and select the value as fail noaudit. c. Click OK. Note: For the CyberGateKeeper Default policy, select the attribute Iex Report Audit Status and the operator exists. Result: The specified condition
119. liases tab allows you to enter the different attribute names for the same functionality.
    11 8950 AAA policy server
    Overview. Purpose: This chapter provides a description of the policy server and the various configuration procedures for the policy server used in the 8950 AAA server. The enterprise user can use the Policy server, which uses the PolicyFlow language, to configure complex policy rules which cannot be done using the PolicyAssistant. Contents: This chapter covers the following topics: 8950 AAA policy server (123); Start policy server (124); Configure delimiters for policy server (134); Configure timeout properties of policy server (136).
    8950 AAA policy server. The policy server handles the authentication, authorization and accounting requests in the 8950 AAA server. It is a multi-threaded system designed to handle multiple tasks concurrently. The 8950 AAA offers a built-in programming language for writing custom AAA policy applications. The PolicyFlow language allows the system to conform to any possible policy scenario. The PolicyFlow architecture, built on the Java programming language, is flexible and extensible. The policy server is an execution engine for PolicyFlow. During operation, the policy server collects various system variables and generates alerts based on pre-configured thresholds.
120. licy [screenshot residue; recoverable content: User Profile Source; Accounting; User Profile Source: RSA ACE Server (SecurID); Accounting Method: Detail File; Get Template Name From Shell Field: No; Proxy Accounting: No; RSA ACE Server Directory: C:\AAA\run\ace; Attribute Sets; Authentication Attribute Set to Use: OmniSwitch; Authentication: None; If Attribute Set Not Found: Reject the Request; Override Auth Type: No; Allowed Auth Types: (blank); Use User Name For Lookup: No; Read Set from User Profile: No; User and Session Limits: User Session Limit: No Limit; Total Policy Limit: No Limit]
    Note: If the Policy server is running, click Reload to update the PolicyAssistant configuration.
    9. Click Finish to complete the PolicyAssistant configuration. 10. Click Save to save the policy created.
    Configure proxy authentication for RADIUS server. Purpose: Use this procedure to proxy authentication and accounting requests from a RADIUS server. Procedure: 1. From the SMT navigation pane, select Configuration Tools > PolicyAssistant. Result: The PolicyAssistant window opens. See Figure 7-5. 2. Click the add icon to add a new policy. Result: The Policy Configuration window opens. See Figure 7-6. 3. Enter a new name for your policy. For example, enter the policy name as proxy mypolicy. Click Next. Resu
121. lt: The Source for User Profiles window opens. See Figure 7-7. 4. Select Radius Server Proxy and click Next. Result: The Authentication Access Requests window opens. See Figure 7-8. 5. Expand EAP Authentication in the list of Authentication Types, select EAP-MD5 and click Next. Result: The Accounting Configuration window opens. See Figure 7-9. 6. Perform the following steps and click Next: a. Select Discard Accounting Information. b. Select the Proxy Accounting Information checkbox. Result: The User and Session Limits window opens. See Figure 7-10. 7. Perform the following steps: a. In the User Session Limits section, select No Limit. b. In the Policy Limits section, select No Limit. c. Click Next. Result: The Radius Server Proxy Configuration window opens.
    Figure 7-38 Radius Server Proxy Configuration [screenshot residue; recoverable content: Policy Configuration, proxy; Radius Server Proxy Configuration. You need to enter the following information about the remote RADIUS server. The servers are specified in the format host:port. The shared secret is used for all the servers. This secret must match the shared secret on the remote servers. Authentication Server Configuration; Accounting Server Configuration. If the port is not specified, 1812 is used. At least one server ... If the port is not specified, 1813 is
122. master copies the updated file to the respective client machines, if the file is present in the file list of the client, through notification. For the slave to receive the copy of modified files during notification (notify action), the policy server needs to be active on the slave machine. The configuration server needs to be running on the master machine at all times. Note: There is no limit on the size of the file transferred. A common password is configured on the Operators panel of the master and slave machines with appropriate file access permissions. The password has to be in plain text, not encrypted.
    Following are the types of configuration files transferred between the master and the slave machine:
    Critical files: The critical files are files that the policy server reads before processing the remote configuration. If critical files are retrieved remotely, then the server needs to restart automatically to receive the changes from the remote server. The following are the critical files: Server properties, remote config html, security properties, dictionary xml.
    Non-critical files: Files which do not affect the policy server; hence the policy server need not be restarted upon modification of these files.
    Figure 14-1, 8950 AAA remote configuration, illustrates the 8950 AAA remote configuration scenario.
    Fi
123. nd output packets. Accounting-On: This marks the start of accounting, for example upon booting, by specifying the attribute as Accounting-On. Accounting-Off: This marks the end of accounting, for example just before a scheduled reboot, by specifying the attribute as Accounting-Off. Interim update: Interim accounting is a periodic update from the RADIUS client (NAS) to the 8950 AAA accounting server, sent after the accounting Start and before the accounting Stop. These records indicate that the session is active and provide network usage details, such as the time elapsed since the session started, packets sent over the wire until now and so on, to the accounting server. 8950 AAA overview: Components of 8950 AAA. This topic provides a list of components of the 8950 AAA server and a brief explanation of all these components. Figure 2.1 illustrates the different components of 8950 AAA. Figure 2.1 Components of 8950 AAA (diagram; labelled components: Web server, Diameter, Admin server, embedded Derby database, Configuration Server, Policy execution engine, Logging and Statistics, SNMP Agent, 8950 AAA work engine, Policy Server, RADIUS, TacacsPlus). RADIUS: The RADIUS listener of 8950 AAA handles the RADIUS requests sent by 8950 AAA clients. TacacsPlus: The TacacsPlus listener of 8950 AAA handles the TacacsPlus requests sent by 8950 AAA clients. Embedded Derby database: Derby is an
124. nd populate the table containing the policy information. When you run the PolicyAssistant for the first time, the table panel does not appear; instead a Policy Wizard displays. The Policy Wizard allows you to create the first policy. The Policy Wizard helps you to define the following information for each policy you create: the policy name; the location where user profiles are stored (the user profile list includes User Files, LDAP, Database and so on); the authentication type for the user authentication (the authentication type includes plain text passwords, EAP authentication, external authentication, secure token cards and so on); a set of rules to process accounting records; the session or policy limits applicable to the policy. Overview. Purpose: This chapter describes procedures to configure selected sample policies and rules using the PolicyAssistant wizard. Note: The policy selection rules are defined based on the incoming RADIUS attributes to select the appropriate policy to be executed. The pre-defined rules to configure the PolicyAssistant are located in the MAAVunNamplesvebg folder. Copy the sample predefined policies from the samples folder before configuring the policy selection rules. For more information on copying the sample rules, see the procedure Install sample policies and rules for enterprise network. Contents: This chapter covers the followi
125. ndition displays in the Simple panel. Figure 7.4 Simple panel (screenshot; fields shown: Name auth users; Policy MD5 DB; Reject Requests; Conditions; Max Connections; Request Map; Simple and Advanced tabs; Match ALL Conditions; Match ANY Conditions; Attribute). 6. Click OK to complete. Note: Rules are defined based on the requirement to choose the appropriate policy. Configure PolicyAssistant rules for OmniSwitch: This section contains procedures to configure the PolicyAssistant for different OmniSwitch policies. The PolicyAssistant allows the following tasks on the sample rules: 1. Create a rule: From Figure 6.1, click the icon to create policy rules to configure the PolicyAssistant. 2. Copy an existing sample rule: From Figure 6.1, select the required rule and click the icon to copy the rule. You can modify and save the rule under a different name. 3. Edit an existing sample rule: From Figure 6.1, select the required rule and click the icon to edit the rule. The following procedures are sample configuration procedures to help you configure the PolicyAssistant for different RADIUS clients in the enterprise network. These procedures illustrate how you can choose a user profile source and an authentication method. You can follow these procedures to creat
126. ng Delimiters panel opens. Figure 11.6 User Name Parsing Delimiters (screenshot of the Server Properties window; the navigation tree lists Policy Server, USS, USSv2, Configuration Server, Web Interface, Admin Interface, SSH Interface, RMI Registry, Certificates, Lawful Intercept, SNMP, SCTP, LDAP Requests, Database, User Provisioning, Radius Properties with Attributes, Requests, Delimiters, Timeouts and Advanced, Diameter Properties and TACACS Properties; the panel text reads: The Policy server allows parsing of the User-Name attribute into the Base Name and Realm attributes. The first property below lists all valid delimiters to split the User-Name attribute. All delimiters are evaluated in the order they are entered. User-Name is searched character by character from left to right for the match. The split is done on the first occurrence of the delimiter. Once a match is found, the second property is used to determine which part of the User-Name attribute is the Base Name and which part is the Realm. If you specified a delimiter in the second property that was used to parse the User-Name, it is parsed as <Base Name>Delimiter<Realm>. If not, it is parsed as <Realm>Delimiter<Base Name>. Fields: Realm delimiter characters; Delimiters for realm on right hand side; Save; Close). Use Table 11.5 to enter the information and click Save.
127. ng topics: Authentication methods 42; Configure policy selection rule 42; Configure PolicyAssistant rules for OmniSwitch 46; Configure PolicyAssistant rules for CyberGateKeeper 87; Configure policy selection rules for CyberGateKeeper 94. Authentication methods: This topic describes the different authentication methods used in the enterprise network. EAP-MD5: This method is used to authenticate the 802.1x user credentials using the MD5 hash mechanism. EAP-TLS: This method is used to authenticate user devices using certificates. In this mechanism both the server and client certificates are verified mutually. EAP-TTLS and EAP-PEAP: Both these methods use X.509 certificates to create a secure tunnel inside which user credentials are authenticated. Two of the internal authentication modes are as follows: EAP-MSChapV2, which authenticates the user credentials against the Windows SAM; and EAP-GTC, where the user credentials are authenticated against the RSA ACE server. Authenticate against RSA ACE server: Two of the authentication methods are as follows: PAP: Using this method the 8950 AAA contacts the RSA ACE server to authenticate the user credentials. EAP-PEAP-GTC: The 8950 AAA creates an outer tunnel, and inside this tunnel GTC is used to authenticate the user credentials against the RSA ACE s
128. nly active state and modified entries are replicated to the secondary server. To be slave in replication mode: In this mode the database is configured in slave mode and is a read-only database. Note: You can read slave data only if the master database is down. Derby database. Table 13.3 Database Properties (Configure DB replication); columns: Field, Description, Type, Value. Registry Address: Enter the RMI registry address. If the master database is configured in replication mode, enter the IP address of the slave. If the slave database is configured in replication mode, enter the IP address of the master. The master updates the slave database; hence the master registers the slave address. When the master goes down, the slave can be accessed in read-only mode. The slave must know which master it responds to; hence it registers the master address. Note: When the master goes down, the slave cannot update the database; it can only read from the database. Type: Network address in xxx.xxx.xxx.xxx:port format. Value: The default port for a secure connection is 9100 or 9099. Secure: Specify whether the communication is to be secure or not. Type: Boolean (Yes or No). Default value: No. Derby Address: Enter the address of the Apache Derby database where the slave is configured. If the master database is configured in replication mode, then this address point
129. nting Configuration window opens. See Figure 7.9. 7. Select Save Accounting to a File and perform the following steps: a. The file name appears by default; if needed, modify the file name. b. Select the rollover mode. c. Click Next. Result: The User and Session Limits window opens. See Figure 7.10. 8. Perform the following steps and click Next: a. In the User and Session Limits section, select No Limit. b. In the Policy Limits section, select No Limit. Result: The RSA ACE Server Configuration window opens. 9. Perform the following steps: a. Select New RSA Library Version. b. Enter the path to the directory where the RSA ACE Server file library is stored. Figure 7.22 RSA ACE Server Configuration (screenshot of the Policy Configuration dialog for EAP-PEAP-GTC mypolicy; its text reads: 8950 AAA supports two RSA configurations, Operating System Specific RSA and New RSA Library versions. The Operating System Specific RSA is older and has a possibly more stable library that runs on specific operating systems. The New RSA Library version is a newer Java implementation that has better performance than the OS Specific Library. Operating System Specific RSA: Enter the directory where the RSA ACE Server files (sdconf.rec) are stored. If not specified, the directory defaults to /var/ace. On
130. odify the user file name and click Next. Result: The Attribute Set for Policy window opens. See Figure 7.40. 9. Perform the following steps: a. From the Attribute Set to use for this Policy section, select Use Attribute Set. b. From the list of templates, select CG Template. For more information on configuring templates, see Configure templates. c. From the Attribute Set Lookup Failure section, select Continue without Attribute Set. d. Click Next. Result: A window with a summary of the policy configuration opens. See Figure 7.13. Configure policy selection rules for CyberGateKeeper. Figure 7.43 Policy configuration summary (screenshot of the Policy Configuration dialog for CG NoAudit MD5 mypolicy, User File Name CG NoAudit MD5 mypolicy users; its text reads: You have completed the information to edit a Policy. Below is a summary of the Policy configuration. Click Finish to save your work or use the Back button to change the Policy. User Profile Source: RADIUS User File. Accounting Method: Detail File; Proxy Accounting: No. Authentication: EAP-MD5; Allowed Types: EAP-MD5. User and Session Limits: User Session Limit: One Session; Total Policy Limit: No Limit. Attribute Sets: Attribute Set to Use: CG Template; If Attribute Set Not Found: Continue without Attribute Set; Read Set from User
131. ol (UPS) to provision user profiles in the Derby database. Universal State Server (USS): The Universal State Server (USS) of 8950 AAA is an in-memory database held in RAM. The USS has a centralized view of the active AAA sessions. Policy execution engine: The policy execution engine of 8950 AAA processes the RADIUS requests. The policy engine works with the PolicyFlow language and uses PolicyFlow plug-ins at run time to process the requests. This plug-in architecture, with sophisticated logic programming capabilities, provides unlimited flexibility. It allows you to define and implement AAA access policies without custom software development. The 8950 AAA policy engine is built around a robust core request queue processor. The processor receives incoming requests and routes them through selected processing plug-in functions. The request queue performs duplicate request detection and automatic deletion of timed-out requests. This optimization avoids the time spent on processing stale or duplicate requests and increases actual throughput over other AAA servers with similar transaction ratings. SNMP agent: 8950 AAA offers statistical information through SNMP. The SNMP agent of 8950 AAA interacts with the SNMP manager to view the statistical data for every client as well as aggregate statistics. The 8950 SNMP agent supports only read-only operation. Logging and statistics: The logging component of 8950 AAA creates and writes log messages for all the server actions. 895
132. olicyAssistant: Configure PolicyAssistant rules for OmniSwitch. Figure 7.11 Database Configuration (screenshot of the Policy Configuration dialog for MD5 DB mypolicy; its text reads: If you are connecting to a database on a different computer, or a different database other than the built-in database, enter the information below. Connect To: Derby. Derby Connection Information: Host IP Address localhost; Port 1527; DB Name aaa; User Name aaadb; Password; Realm Name. Database Schema: The PolicyAssistant allows two different schemas for accounting records. Version 1 stores active and closed sessions in the same table; Version 2 stores these sessions in separate tables. The built-in database uses Version 2. See the PolicyAssistant documentation for more information about configuring the database schema. Realm Name: The PolicyAssistant database schema requires a realm name to be used for the database query. Enter the realm; if you do not specify a realm, DEFAULT is used. Realm Name alcatel-lucent.com; Use version 2 Database Schema). 8. Depending upon the type of database selected in the Connect To drop-down list, the connection information changes. For example, if you choose to connect to the Derby database, enter the following database host details and click Next: a. Enter the hostname or IP address of the host. Enter the database port. Enter the database name. Enter the username to access the databa
133. om a trusted CA. Figure 15.3 Digital Certificate (diagram; labels: User, Certification Authority, Digital certificate, Public/Private key, Build, Public key, Verify certificate, Request, User identification). 1. The user generates a certificate request and sends it to a CA. This is also known as the Root CA. 2. The CA verifies the identity of the user and generates the certificate for the user. This certificate can be a Sub CA certificate or an end user certificate. The end users can act as a Sub CA and generate further certificates for other entities or for their own usage. Certificate management: 8950 AAA and certificates. 3. The end user certificate file contains the chain of certificates from the Root CA, Sub CAs and the end user certificate. Certificate deployment on 8950 AAA: In the enterprise network, along with the operator certificates, the 8950 AAA also has the root or trusted certificates of the client. Similarly, the client installs the root or trusted certificate of the server. These root or trusted certificates are used for mutual verification. Figure 15.4 Deployment on 8950 AAA server (diagram; labels: Certification Authority, Client certificate, Client
134. onfiguration; columns: Field, Description, Type, Value. Derby System Home: Sets the location of the Derby database files. Specifies the name of a subdirectory under the 8950 AAA base installation directory. Sets the derby.system.home Derby property. Type: Text. Default value: derby. Derby Log Level: Sets the 8950 AAA log level at which messages from the Derby database server are logged. Type: One of the list values Warning, Notice, Info, Salient, Debug, Verbose, Blither, Never. Default value: Debug. Derby Severity: Sets the level of the Derby messages that Derby sends to the logging system. These messages are logged at the Derby log level in the AAA logging system. Type: One of the list values None, Warning, Statement, Transaction, Session, Database, System. Enable Driver Trace: If enabled, the Derby driver level messages are logged in the policy server log. Type: Boolean (Yes or No). Default value: No. Derby database: Configure DB replication. Purpose: Use this procedure to configure the Derby replication. Note: To create a database, use the Admin interface command derby create. When to use: When you want to create a database configuration or modify an existing database configuration to enable the Derby replication. Procedure: 1. From the SMT navigation pane, select Configuration Tools > Derby Dat
135. out Properties 137; Table 12.1 Configuration Server properties 141; Table 13.1 Database Configuration 144; Table 13.2 Derby Database Entry 147; Table 13.3 Database Properties 148; Table 14.1 Server Entry 157; (entry unreadable) 162. About this document. Purpose: This document describes the 8950 AAA server and its role in providing security to the enterprise business network. It provides procedures to configure the 8950 AAA server so that it interfaces with other network elements in the enterprise network and provides security for the end user to access the network. It provides related procedures to configure the various components in the EBG network. Intended audience: This document is intended for installation, operation, engineering and validation personnel and other users in the capacity of network administrators familiar with 8950 AAA solutions. Supported systems: This document applies to the System Release 8950 AAA Enterprise Business Group Solution 6.6.1. How to use thi
136. p Derby Address 1527 (screenshot of the Database configuration panel of the Server Properties window; fields shown: Derby Address 1527; Derby System Home derby; Derby Log Level Debug; Derby Severity Warning; Enable Driver Trace Yes or No; the Hypersonic section text reads: Specifies the configuration values for the built-in Hypersonic database. The Hypersonic database is no longer enabled by default; it is only available for backward compatibility. If the port is a non-zero value, the database is automatically started when you run the Policy server. When assigning ports to the database, make sure you do not have any conflicting services using this port. Hypersonic Address 0; Hypersonic Shutdown NORMAL; Log File Size 200; Save; Close). 3. Use Table 13.1 to enter the Derby DB information and click Save. Table 13.1 Database Configuration; columns: Field, Description, Type, Value. Derby Address: Set the listen addresses for the Apache Derby database server. Note: If the port is a non-zero value, the database automatically starts when you run the policy server. Important: When assigning ports to the database, ensure that no other conflicting services are using the port. Type: Network address in xxx.xxx.xxx.xxx:port format. Default value: 1527. Derby database: Database c
137. plate OmniSwitch; Advanced. d. Click Next. Result: A window with a summary of the policy configuration opens. Figure 7.13 Policy configuration summary (screenshot of the Policy Configuration dialog for MD5 DB mypolicy; its text reads: You have completed the information to edit a Policy. Below is a summary of the Policy configuration. Click Finish to save your work or use the Back button to change the Policy. User Profile Source: Database; Database JDBC Url: jdbc:derby://localhost:1527/aaa; Database JDBC Driver: org.apache.derby.jdbc.ClientDriver; Database Username: aaadb. Accounting Method: Detail File; Proxy Accounting: No. Authentication: EAP-MD5; Allowed Types: EAP-MD5. Attribute Sets: Attribute Set to Use: OmniSwitch; If Attribute Set Not Found: Reject the Request; Read Set from User Profile: No. User and Session Limits: User Session Limit: No Limit; Total Policy Limit: No Limit). Note: If the Policy server is running, click Reload to update the PolicyAssistant configuration. 10. Click Finish to complete the PolicyAssistant configuration. 11. Click Save to save the policy created. Configure EAP-MD5 authentication with RADIUS User File as user source. Purpose: Use thi
138. ple rules in the PolicyAssistant panel. 5. Modify the sample rules according to the requirement. Start SMT on Windows platform: Choose one of the following methods to start SMT on the Windows platform: click the Start button to display the Start menu, select Programs, navigate to the folder in which the 8950 AAA is installed and click Server Management Tool; or double-click the Server Management Tool icon on the desktop; or, in the command prompt window, change directory to the Install Directory\bin folder, enter the following command and press Enter: aaa smt. Part III: 8950 AAA PolicyAssistant. Overview. Purpose: This part describes the PolicyAssistant for the enterprise network. It provides procedures to configure, create and edit a template, and procedures to configure the PolicyAssistant for various enterprise network scenarios. Contents: This part covers the following chapters: PolicyAssistant overview 37; Configure PolicyAssistant 41; Configure templates 101. 6 PolicyAssistant overview. Overview. Purpose: This chapter provides an overview of the policy, the policy wizard and the PolicyAssistant used in the 8950 AAA server. The PolicyAssistant is a tool to create policies that define the user access rules in the enterprise network. Contents: This chapter covers
139. provisioned with its certificate chain and the private key associated with its server certificate. The 8950 AAA has a complete list of the device root certificates that it encounters. Following are the steps to establish a secure network connection: The device or client requests a network connection to the server. 1. The 8950 AAA server responds to the request by sending the server certificate. 2. The device or client verifies the server certificate to confirm that the device is talking to the right server. 3. The device or client validation by the 8950 AAA server depends on the configuration mode; 8950 AAA is configured to one of the following modes: Optional: The client validation is performed only when the client sends a client certificate. Required: The client must send a valid client certificate to get authenticated. Disabled: The client validation does not happen. 4. The network connection is established. Generate certificates for AAA using third party CA: This procedure describes the configuration of 8950 AAA with certificates issued from a third party CA, using the Microsoft CA as an example. Purpose: Use this procedure to request a certificate from the Microsoft Certificate Services using the web server. Note: The 8950 AAA server is not a certification authority and hence does not provide certificates. Use these self-signed certificates for testing and demonstration purposes only. Contact the authorized third party CAs to o
140. r this entry. Note: You can specify multiple hosts to be used as fail-over hosts, separated by commas. If the first specified host fails to connect, the second one is tried, and so on. Type: Network IP address in xxx.xxx.xxx.xxx:port format. User: Enter the user name to authenticate the connection to the hosts. Important: The user name must exist in the 8950 AAA Operators on both the local server and the remote server. The passwords must match and be plain text. Secure: Specify whether to connect with an SSL connection or a plain connection. Type: Boolean. Terminal: Specify whether to terminate the policy server under the following conditions: connection failure; failure to retrieve the specified file. Type: Boolean. Result: The configured values are displayed in the Server Entry window. Add file list. Purpose: Use this procedure to add the list of files to retrieve from the master machine. Note: This procedure is not required on a master system. Procedure: 1. From the SMT navigation pane, select Configuration Tools > Remote Configuration. Result: The Remote Configuration window opens. See Figure 14.2. 2. From the bottom panel, click the add icon. Result: The File Selection Wizard window opens. Alcate
141. re delimiters for policy server. Overview: The policy server allows parsing of the User-Name attribute into the Base Name and Realm attributes. Realm delimiter characters lists all valid delimiters to split the User-Name attribute. All delimiters are evaluated in the order they are entered. User-Name is searched character by character from left to right for the match. The split is done on the first occurrence of the delimiter. Once a match is found, Delimiters for realms on the right hand side determines which part of the User-Name attribute is the Base User Name and which is the Realm (<domain name><delimiter><username>; for this case the delimiter should be Wi). If you specify a delimiter in the second property that was used to parse the User-Name, it is parsed as <Base Name>Delimiter<Realm>. By default the router parses usernames as follows: username/domainName. The string to the left of the forward slash is the realm name and the string to the right of the symbol is the domain name. Purpose: Use this procedure to configure the delimiters for the policy server. Procedure: 1. From the SMT navigation pane, select Configuration Tools > Server Properties. Result: The Server Properties window opens. 8950 AAA policy server: Configure delimiters for policy server. 2. Select Policy Server > Delimiters. Result: The User Name Parsi
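A worked parser for the two delimiter properties described in item 141 (and in the panel text of item 126), added here as an example; it is not 8950 AAA code. It assumes that delimiters are tried in list order with the first one found in the name winning at its first occurrence, and that a name containing no delimiter keeps the whole string as Base Name with an empty Realm.

```python
"""Added example: split a RADIUS User-Name into Base Name and Realm using
the 'Realm delimiter characters' list and the 'Delimiters for realm on the
right hand side' list described above. Not the 8950 AAA implementation.

Assumptions (not stated on the page): delimiters are tried in list order,
each searched left to right, and the first delimiter in list order that
occurs anywhere in the name wins at its first occurrence; a name with no
delimiter yields the whole string as Base Name and an empty Realm.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class ParsedUserName:
    base_name: str
    realm: str
    delimiter: Optional[str]  # None when no configured delimiter matched


def parse_user_name(user_name: str, realm_delimiters: str,
                    realm_on_right: str) -> ParsedUserName:
    """realm_delimiters: the 'Realm delimiter characters' property, in the
    order entered. realm_on_right: the 'Delimiters for realm on the right
    hand side' property. Returns the split the page's rules produce."""
    for delim in realm_delimiters:
        pos = user_name.find(delim)  # first occurrence, scanning left to right
        if pos == -1:
            continue  # assumption: fall through to the next delimiter in order
        left, right = user_name[:pos], user_name[pos + 1:]
        if delim in realm_on_right:
            # Delimiter listed in the second property: <Base Name>Delimiter<Realm>
            return ParsedUserName(base_name=left, realm=right, delimiter=delim)
        # Otherwise: <Realm>Delimiter<Base Name>
        return ParsedUserName(base_name=right, realm=left, delimiter=delim)
    # Assumption: no delimiter present, so nothing is split off as a realm.
    return ParsedUserName(base_name=user_name, realm="", delimiter=None)


def present_delimiters(user_name: str, realm_delimiters: str) -> List[str]:
    """Configured delimiters (in list order) that occur in the name. More than
    one means the realm chosen, and so the policy or proxy target selected by
    it, depends on list order; worth flagging when reviewing a configuration."""
    return [d for d in realm_delimiters if d in user_name]


if __name__ == "__main__":
    # Constructed sample names; "@" is listed as a right-hand-side delimiter,
    # "/" is not, matching the username/domainName convention quoted above.
    for name in ("alice@example.com", "corp/bob", "alice@corp/x", "plainuser"):
        parsed = parse_user_name(name, realm_delimiters="@/", realm_on_right="@")
        flags = present_delimiters(name, "@/")
        print(f"{name:20} base={parsed.base_name!r:12} realm={parsed.realm!r:14}"
              f" delimiters_present={flags}")
```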
142. ribute Set. d. Click Next. Result: A window with a summary of the policy configuration opens. Configure PolicyAssistant rules for CyberGateKeeper. Figure 7.42 Policy configuration summary (screenshot of the Policy Configuration dialog for CG fail MD5 mypolicy; its text reads: You have completed the information to edit a Policy. Below is a summary of the Policy configuration. Click Finish to save your work or use the Back button to change the Policy. User Profile Source: RADIUS User File; User File Name: CG fail MD5 mypolicy users. Accounting Method: Detail File; Proxy Accounting: No. Authentication: EAP-MD5; Allowed Types: EAP-MD5. Attribute Sets: Attribute Set to Use: CG Fail Template; If Attribute Set Not Found: Continue without Attribute Set; Read Set from User Profile: No. User and Session Limits: User Session Limit: One Session; Total Policy Limit: No Limit). Note: If the Policy server is running, click Reload to update the PolicyAssistant configuration. 11. Click Finish to complete the PolicyAssistant configuration for CG fail MD5. 12. Click Save to save the policy created. Configure CG NoAudit MD5 authentication with RADIUS User File as user source for CG NoAudit. Purpose: Use this procedure to configure CG NoAudit MD5 authentication with the RADIUS User File as user sour
143. ributes: Yes or No. Check Duplicates: Yes or No. Check Authenticators: Auto. Discard Request when Error: Yes or No. Max RADIUS Packet Size: 4096. Receive Buffer Size for RADIUS: 262144. Send Buffer Size for RADIUS: 262144. 3. Use Table 11.1 to enter the required information. Table 11.1 RADIUS Properties; columns: Field, Description, Type, Value. Authentication Addresses: Enter the listening addresses for authentication requests. This field is a comma-separated list of <address>:<port> values. Note: If this property is set to zero (0), the policy server does not process the RADIUS authentication requests. Type: Network address in xxx.xxx.xxx.xxx:port format. Default value: 1645 or 1812. Accounting Addresses: Enter the listening addresses for accounting requests. This field is a comma-separated list of <address>:<port> values. Note: If this property is set to zero (0), the policy server does not process the RADIUS accounting requests. Type: Network address in xxx.xxx.xxx.xxx:port format. Default value: 1646. 8950 AAA policy server: Configure 8950 AAA protocol properties for policy server. Dynamic Authentication Addresses: Enter the listening addresses for dynamic authentication requests. This field is a comma-separated list of <address>:<port> values. If the address is omitted, the default
144. rity blueprint prescribes a global, corporate-wide security infrastructure. Simultaneously, it separates the responsibility of providing security from the endpoints and applications. It also assists in developing an independent chain of control for security and protects the endpoints. Additionally, it provides always-on and highly available security that is transparent to the end user. The security architecture encompasses all the security modules in the network, such as the IP firewall, the VPN and the components that perform threat management. The security architecture utilizes the authenticated identity of the end device (user credentials, device credentials or both) and protects the content of all messages in the network. This also allows the network administrator to control user access to the network resources and applications. The 8950 AAA server provides a full-featured, RADIUS protocol-based solution to support the requirements of core identity management, that is, the access and authorization process in enterprise solutions. EBG architecture diagram: Figure 1.1 depicts the overall architecture of the enterprise network. The 8950 AAA server provides authentication, authorization and accounting services to users or devices connected to the edge network elements. The figure illustrates how the end users are connected to the edge devices in the enterprise network. OmniSwitch, Brick Firewall and OmniAccess WLAN are the edge d
145. rofile 8; End devices in enterprise network 9; 2 8950 AAA overview 11; (entry unreadable) 12; Product features of 8950 AAA 12; (entry unreadable) 13; AAA redundancy 13; Authentication methods 13; (entry unreadable) 14; Components of 8950 AAA 15; 8950 AAA component interfaces 17; Part II 8950 AAA installation 19; 3 8950 AAA hardware and operating platform 21; Operating platform and environment 21; Server memory 22; Server storage 22; Hardware requirements 22; 4 Set up 8950 AAA for enterprise network 25; Setup 8950 AAA 25; 5 Installation of 8950 AAA server and PolicyAssistant 27; Installation on Microsoft Windows 27; Install sample policies and rules for enterprise network 34; Start SMT on
146. rtrqud (screenshot of the Microsoft Certificate Services Advanced Certificate Request page in Internet Explorer; its text reads: The policy of the CA determines the types of certificates you can request. Click one of the following options to ... Note: You must have an enrollment agent certificate to submit a request on behalf of another user). 4. Click the link Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file. Result: The Submit a Certificate Request or Renewal Request page opens. Certificate management: Generate certificates for AAA using third party CA. Figure 15.8 Submit a Certificate Request or Renewal Request (screenshot of the Microsoft Certificate Services page in Internet Explorer; its text reads: To submit a saved request to the CA, paste a base-64-encoded CMC or PKCS #10 certificate request or PKCS #7 renewal request generated by an external source, such as a Web server, in the Saved Request box. Saved Request: certificate request, CMC or PKCS #10 or P
147. rver

This chapter covers the following topics:
Operating platform and environment 21
Server memory 22
Server storage 22
Hardware requirements 22

Operating platform and environment

8950 AAA supports the Microsoft Windows 2003, Windows XP and Windows Server 2008 platforms. 8950 AAA requires Java 2 Standard Edition (J2SE) version 6.x or later to run on all platforms. Both the J2SE JDK and JRE are supported; however, the JDK is recommended as it provides additional tools for supporting Java applications. Contact the operating system vendor or http://java.sun.com for information on Java support for your computer. Ensure that the Java environment maintains the current patch levels.

Server memory

By default, the memory allocated for the 8950 AAA process is 512 MB for a 32-bit JVM. The memory usage depends on a number of factors, a few of which are listed as follows:
• Server configuration
• User file size (when used)
• Total number of active subscribers during peak hour
• Platform: check whether the USS and the SMT run on the same platform as the 8950 AAA server

Note: For memory configuration, contact the 8950 AAA support team to get a confirmation on:
a Use of JVM (32-bit or 64-bit)
b Memory allocated for each type of JVM

Server storage

The server must have at least 100 MB of free dis
148. rvices

In an enterprise network, the 8950 AAA supports multiple 802.1x port authentication using the EAP framework. In addition, the 8950 AAA interfaces with external LDAP servers, Windows Active Directory, JDBC databases and others to authenticate and authorize enterprise endpoints. These external servers store authentication details about users, user groups, NAS devices and so on.

The 8950 AAA server provides the following functionality:
a Extensive AAA protocol support
b Remote configuration management
c Comprehensive monitoring and reporting

Network Access Server (NAS)

The Network Access Server (NAS) is the client gateway to access the network resources. The NAS supports the RADIUS, 802.1x and EAP protocols for communicating with the 8950 AAA server to provide access to the users. In an enterprise network, the client network elements that communicate with the 8950 AAA server are OmniSwitch, VPN Brick firewall, OmniAccess and OmniAccess WLAN.

Supplicants

Supplicants are the end-user devices that connect to the NAS, for example a computer, a laptop, a PDA, a smartphone and so on. The supplicant can also be the resident software on client devices. This software allows the end-user devices to connect to the NAS over the 802.1x protocol.

Access control process

Figure 1-2 Access Control Process
Mana
149. s

Installation of 8950 AAA server and PolicyAssistant: Installation on Microsoft Windows

Figure 5-6 Certificate Configuration
(Screenshot of the Alcatel-Lucent 8950 AAA Version 6.5 Setup Program, Certificate Configuration dialog.) 8950 AAA allows secure connections from the SMT to the servers when connecting to the built-in web service and for communication between Diameter peers. To enable secure connections you need certificates. Fill out the information below to generate a root and server certificate. Once installed, use Certificate Manager in the SMT to generate additional certificates. If you have an existing certificate or CA, you may use it instead.
Root Password: root
Server Password: server
Root File Name: root.pem
Trusted File Name: trusted.pem
Server File Name: server.pem
Company: Alcatel-Lucent Internal; Website: http://www.alcatel-lucent.com
City, State, Country: India

9 Enter the Root Password and the Server Password to allow secure connection from the SMT to the servers. The default file names and location information are displayed. If required, edit the information.
10 The 8950 AAA is installed at the selected location.
Result: On completion of the installation, the Installation Complete dialog box appears.
11 Click Finish to close the installation program, or click Run Server Managem
150. s

The end device and the server could mutually authenticate each other using X.509 certificates. EAP-TLS is the protocol that is used to support this authentication mechanism.

User-only authentication: In this scenario, only the user name and password are authenticated. EAP-MD5 and EAP-GTC (with RSA ACE) are the protocols that are used to support this authentication mechanism.

Authentication using certificates along with user authentication: In this scenario, the user credentials as well as the certificates installed on the server and the device are authenticated. EAP-TTLS and EAP-PEAP are the protocols that are used to support this authentication mechanism.

Accounting status type

The 8950 AAA supports the RADIUS accounting protocol as defined by RFC 2866. This protocol carries accounting information between the NAS and a shared accounting server. Following are the various accounting records sent by the RADIUS client to the 8950 AAA server:

Start: At the start of the service delivery, the client configured to use RADIUS Accounting services generates an Accounting Start packet describing the user and the type of service delivered.
Stop: At the end of the service delivery, the client generates an Accounting Stop packet describing the type of service delivered and optional statistics such as elapsed time, input and output octets, or input a
151. s document

The following table describes how to use this document.

Document organization | When to use
8950 AAA in enterprise solution | This part provides an overview of the enterprise business solution that offers integrated solutions in the AAA scenario that requires user-centric security.
8950 AAA installation | This part provides hardware and software information about the 8950 AAA server and procedures to install the 8950 AAA in the enterprise network scenario on both Windows and UNIX platforms.
8950 AAA PolicyAssistant | This part describes the PolicyAssistant and the usage of the PolicyAssistant to configure the rules to provide network access to an enterprise user.
8950 AAA configuration | This part describes the procedures to configure the 8950 AAA so that it interacts with various network elements in the enterprise network.
8950 AAA management | This part provides a description of the tools and interfaces used in the management of the 8950 AAA server.

Conventions used

This guide uses the following typographical conventions.

Appearance | Description
emphasis | Text that is emphasized
document titles | Titles of books or other documents
file or directory names | The names of files or directories
graphical user interface te
152. s procedure to configure EAP-MD5 authentication with a RADIUS user file as the user source using PolicyAssistant.

Configure PolicyAssistant: Configure PolicyAssistant rules for OmniSwitch

Procedure
From the SMT navigation pane, select Configuration Tools > PolicyAssistant.
Result: The PolicyAssistant window opens. See Figure 7-5.
Click the add icon to add a new policy.
Result: The Policy Configuration window opens. See Figure 7-6.
Enter a new name for your policy. For example, enter the policy name as MD5 radiusfile mypolicy. Click Next.
Result: The Source for User Profiles window opens. See Figure 7-7.
Select Radius User File and click Next.
Result: The Authentication Access Requests window opens. See Figure 7-8.
Expand EAP Authentication in the list of Authentication Types, select EAP MD5 and click Next.
Result: The Accounting Configuration window opens. See Figure 7-9.
Select Save Accounting to a File and perform the following steps:
a The file name appears by default. If needed, modify the file name.
b Select the rollover mode.
c Click Next.
Result: The User and Session Limits window opens. See Figure 7-10.
Perform the following steps:
a In the User Session Limits section, select No Limit.
b In the Policy Limits section, select No Limit.
c Click Next.
Result: The User File Name Configuration window opens.
153. Field | Description | Type | Value
(continued) | s to the IP address of the slave. This property is disabled for slave configuration because, if the master goes down, the slave can only read the data and cannot update. | Network address in XXX.XXX.XXX.XXX:port format | Default port 1527
Derby Replication Address | Enter the Derby Replication address. Specifies the address of the system where the Master replicates to the Slave. If the Master database is being configured in replication, then this address points to the IP address of the slave. This property is disabled for slave configuration as it has the replicated copy. | Network address in XXX.XXX.XXX.XXX:port format | Default port 4851

4 Result: The new database is displayed on the Derby Database window.

Part V 8950 AAA management

Overview

Purpose
The SMT provides various tools to manage the 8950 AAA server locally and remotely. This part provides a description of a few management tools and procedures used in the 8950 AAA server in the enterprise network. For more details, see http www 8950aaa com doc 6 3 SMT pd
154. se
Enter the password.
Enter the realm name. User records in the database should correspond with the realm name entered here.
Result: The Attribute Set for Policy window opens.
9 Perform the following steps in the window:
a Check Use Attribute Set.
b From the list of templates, select OmniSwitch. For more information on configuring templates, see Configure templates.
c From the Attribute Set Lookup Failure section, select Reject the Request.

Figure 7-12 Attribute Set for Policy
(Screenshot: Policy Configuration dialog for MD5 DB mypolicy, Attribute Set for Policy page.) The database contains user profiles that contain attributes. You can specify attributes in the database, or use a Reply_Template database field to specify an Attribute Set from the list below. You can also specify an Attribute Set for all users in this Policy. To specify an Attribute Set for the entire Policy, select an existing Attribute Set below or create a new Attribute Set.
Attribute Set to use for this Policy: Use Attribute Sets; Name (templates: blank, PPP, SLIP, CSLIP, TELNET, CG Template, CG Pass Template, CG Fail Tem
Attribute Set Lookup Failure: Select the action to take if the Attribute Set Name cannot be found: Reject the Request, Discard the Request, Continue without Attribute Set.
155. se the Attribute Set options below to specify the attributes to use for users in this Policy. To specify an Attribute Set for the entire Policy, select an existing Attribute Set below or create a new Attribute Set.
Attribute Set to use for this Policy: Use Attribute Sets (templates listed: SLIP, CSLIP, TELNET, CG Template, CG Pass Template, CG Fail Template, Advanced, OmniSwitch)
Attribute Set Lookup Failure: Select the action to take if the Attribute Set Name cannot be found: Reject the Request, Discard the Request.

9 Perform the following steps:
a From the Attribute Set to use for this Policy section, select Use Attribute Set.
b From the list of templates, select CG Pass Template. For more information on configuring templates, see Configure templates.
c From the Attribute Set Lookup Failure section, select Continue without Attribute Set.
d Click Next.
Result: A window with a summary of the policy configuration opens.

Configure PolicyAssistant: Configure PolicyAssistant rules for CyberGateKeeper

Figure 7-41 Policy configuration summary
(Screenshot: Policy Configuration dialog for CG pass MD5 mypolicy.) You have completed the information to edit a Policy. Below is a summary of the Policy configuration. Click Finish to save your work, or use the Back button to change the Policy.
User Profile
156. sence of the CyberGateKeeper in the enterprise network. If CyberGateKeeper is present, the CyberGateKeeper performs a host integrity check and the user is quarantined for further administrative investigations. If CyberGateKeeper is not present, the RADIUS client rejects the user and denies access to services to the user.

Network interfaces

This topic provides a list of the network elements that the 8950 AAA interfaces with in an enterprise network and provides a brief description of each of them.

OmniSwitch
The OmniSwitch is an advanced fixed-configuration family of Ethernet switches. These switches provide wire-rate Layer 2 forwarding and Layer 3 routing with advanced services. They are fixed-configuration, triple-speed (10/100/1000) switches that provide the following features:
• Increased network performance
• Improved application response times
• Secured LAN
• Enhanced user productivity by maximizing mobility, network capacity and services over existing category

CyberGateKeeper
The CyberGateKeeper is positioned between the NAS and the 8950 AAA RADIUS server. It audits all networked systems continuously for policy compliance. Unqualified systems attempting to access the network are quarantined by this network element and redirected for remediation.

User profile stores
The
157. (Tail of a dictionary attribute list screenshot: Custom Client Class, E Attribute and Value, Attribute, USDS Triplet, USDS WirelessAccountStatus, Used Service Unit, User Equipment Info, User Equipment Info Type, User Equipment Info Value, User Password.)

10 Vendor specific attributes

Overview

Purpose
This chapter describes the procedures to add the vendor and vendor-specific attributes to the dictionary. This feature allows the 8950 AAA to support any type of 802.1x access point in an enterprise network. The 8950 AAA provides the ability to specify RADIUS attributes that are returned with a RADIUS response message. These RADIUS attributes can be specified for each remote access policy and are configurable. Some NAS vendors use vendor-specific attributes (VSAs) to provide functionality that is not supported in standard attributes. 8950 AAA enables you to create or edit VSAs to take advantage of proprietary functionality supported by some NAS vendors.

Example: To integrate CyberGateKeeper with the 8950 AAA server in the enterprise network, the attribute Tex Report Audit Status, a vendor-specific attribute, is added to the dictionary.

Contents
This chapter covers the following topics:
Add vendor to the dictionary 118
Add vendor specific attributes to the dictionary 119
158. t

Figure 7-8 Authenticating Access Requests
(Screenshot: Policy Configuration dialog for MD5 DB mypolicy, Authenticating Access Requests page.) How are users authenticated? The PolicyAssistant can automatically process EAP authentication requests tunneled through the following EAP types: PEAP, TTLS and GTC. Click Advanced Authentication Options to configure EAP Tunneled Authentication.
Authentication Types: EAP Authentication (uses the Extensible Authentication Protocol); EAP MD5 (MD5 Authentication, a simple CHAP-like means of verifying the user password); EAP TLS; EAP LEAP (NT password, plain text password, MD4 password); EAP MS-Chap V2 (NT password, plain text password).
Advanced Authentication Options: The PolicyAssistant can allow the user profile to contain authentication information that overrides the default policy authentication. Click Advanced Authentication Options to configure User Profile options.

5 Expand EAP Authentication in the list of Authentication Types, select EAP MD5 and click Next.
Result: The Accounting Configuration window opens.
159. teps:
a The file name appears by default. If needed, modify the file name.
b Select the rollover mode.
c Click Next.
Result: The User and Session Limits window opens.

Figure 7-10 User and Session Limits
(Screenshot: Policy Configuration dialog for MD5 DB mypolicy, User and Session Limits page.) You can limit the total number of simultaneous sessions for this policy. You can also limit the number of sessions for each user authorized with this policy. Setting a limit to No Limit allows an unlimited number of sessions. Note: When a limit is set to No User Access or the session limit is exceeded, access requests are rejected.
User Session Limits: Enter the maximum number of simultaneous network sessions a user may have (No Limit / No User Access / Specific Limit: enter limit below).
Policy Limits: Enter the maximum number of simultaneous network sessions available to all users in this Policy (No Limit / No User Access / Specific Limit: enter limit below).

7 Enter the following details and click Next:
a In the User Session Limits panel, select No Limit.
b In the Policy Limits panel, select No Limit.
Result: The Database Configuration window opens.
160. thority (CA) certificate, certificate chain, or certificate revocation list (CRL), or to view the status of a pending request. For more information about Certificate Services, see Certificate Services Documentation.
Select a task: View the status of a pending certificate request; Download a CA certificate, certificate chain, or CRL.

2 Click the Request a Certificate link.
Result: The Request a Certificate page opens.

Figure 15-6 Request a Certificate
(Screenshot: Microsoft Certificate Services, AAAServ5, page http://server/certsrv/certrqus.asp in Windows Internet Explorer.) Request a Certificate. Select the certificate type: User Certificate. Or, submit an advanced certificate request.

3 Click the Advanced Certificate Request link.
Result: The Advanced Certificate Request page opens.

Figure 15-7 Advanced Certificate Request
(Screenshot: Microsoft Certificate Services page in Windows Internet Explorer; the page URL is cut off in the source.)
161. tication for RADIUS server 84
Configure PolicyAssistant rules for CyberGateKeeper 87
Configure CG pass MD5 authentication with RADIUS User File as user source for Pass Audit 87
Configure CG fail MD5 authentication with RADIUS User File as user source for Fail Audit 90
Configure CG NoAudit MD5 authentication with RADIUS User File as user source for CG NoAudit 92
Configure policy selection rules for CyberGateKeeper 94
Configure policy selection rule for CyberGateKeeper for Pass Audit 94
Configure policy selection rule for CyberGateKeeper for Fail Audit 96
Configure policy selection rule for CyberGateKeeper for Fail NoAudit 97
8 Configure templates 101
Create a template 102
Edit a template 107
Delete a template 108
Part IV 8950 AAA configuration 109
9 RADIUS client configuration 111
Any RADIUS client configurations 112
Identifying a client type 115
10 Vendor specific attributes 117
Add vendor to the dictionary 118
Add vendor specific attributes to the dictionary
162. tion summary
(Screenshot: Policy Configuration dialog for AuthWindowsSAM mypolicy.) You have completed the information to edit a Policy. Below is a summary of the Policy configuration. Click Finish to save your work, or use the Back button to change the Policy.
User Profile Source: Windows Security Access Manager
Accounting: Accounting Method: Detail File; Proxy Accounting: No
Authentication: Windows Security Access Manager; NT Domain: CGDEMO2
Attribute Sets: Attribute Set to Use: OmniSwitch; If Attribute Set Not Found: Reject the Request; Use User Name for Lookup: No; Read Set from User Profile: No
User and Session Limits: User Session Limit: No Limit; Total Policy Limit: No Limit
Note: If the Policy server is running, click Reload to update the PolicyAssistant configuration.

10 Click Finish to complete the PolicyAssistant configuration.
11 Click Save to save the policy created.

Configure RSA ACE server as a user source for SecureID tokens

Purpose
Use this procedure to authenticate users against the RSA ACE server as a user source for SecureID tokens using PolicyAssistant.

Procedure
From the SMT navigation pane, select Configuration Tools > PolicyAssistant.
Result: The PolicyAssistant window opens.
Click the add icon to add a new policy.
Result: The Policy Configuration window opens. See Figure 7-6.
Enter a new name for your policy. For example
163. to Started.

Figure 11-2 Windows Services
(Screenshot of the Windows Services console, Services (Local). The list includes the 8950 AAA Configuration Service (Startup: Manual, Log On As: Local System) and the 8950 AAA Policy Service (Status: Started, Startup: Manual, Log On As: Local System); with the 8950 AAA Policy Service selected, the left-hand panel offers Stop the service, Pause the service and Restart the service.)

To close the service application, click Stop the service in the left-hand panel, or right-click and select Stop.

Configure 8950 AAA protocol properties for policy server

Overview
RADIUS properties specify the configuration values for the policy server when processing RADIUS requests. Attr
164. tocol properties for policy server

When responding to RADIUS requests, the policy server remembers (caches) the responses. If the response is sent but lost and the NAS resends the same request, the policy server responds with the cached response; the policy server does not process the request again. This property sets the time for which the policy server keeps cached entries before discarding them.

Field | Description | Type | Value
(continued) | If not enabled, the policy server rejects the packet. | |
Max RADIUS packet size | Enter the maximum RADIUS packet size that is allowed. | | Default value 4096 bytes
Receive buffer size for RADIUS | Enter the size of the system UDP receive buffer assigned to the local socket. | Whole number | Default value 262144
Send buffer size for RADIUS | Enter the size of the system UDP send buffer assigned to the local socket. | Whole number | Default value 262144
Type of Service / Traffic Class | Enter the traffic class or type of service octet in the RADIUS IP header. | Whole number | Range 0-255
Response Cache Timeout Enabled | If enabled, the policy server caches responses for the time specified in the corresponding timeout property. If not enabled, responses are not cached. | Boolean | Yes / No
Response Cache Timeout | Specify the response cache timeout duration. Use the clock control to specify the value. | | Default 60 s

Result: The configured values are displayed on the Radius Properties panel.
165. top section is a set of rules the Policy server uses to determine how users are authenticated, how access is authorized and configured, and how accounting data is stored.

(Screenshot of the PolicyAssistant window. The policies table lists, for each policy, the User Profile Source, Authentication, Policy Limit, User Limit and Accounting; for example MD5 file: RADIUS User File, EAP MD5, No Limit, No Limit, Detail File; EAP PEAP: RADIUS User File, EAP MS-Chap V2; Cisco PEAP: No Limit, No Limit, Detail File. Tabs: Policy Selection Rules, Limits, USS Settings.)

The Policy Rules manage how a Policy is selected from information in a request.
Name | Condition | Policy or Reject | Max Connections
auth EAPMD5 Database | User-Realm equals xyz1.com | MD5 DB | No Limit
auth EAPMD5 File | User-Realm equals xyz2.com | MD5 file | No Limit
auth PEAP MSChapv2 File | User-Realm equals xyz3.com | EAP PEAP | No Limit
auth PEAP GTC SecureID | User-Realm equals xyz4.com | EAP PEAP GTC | No Limit
auth PEAP MSChapv2 WindowsAD | User-Realm equals xyz5.com | EAP PEAP AD | No Limit
auth EAPTLS File | User-Realm equals xyz6.com | EAP TLS | No Limit
auth EAPTTLS MSChapv2 File | User-Realm equals xyz7.com | EAP TTLS | No Limit
authWindowsAD | User-Realm equals xyz8.com | AuthWindowsAD | No Limit
authWindowsSAM | User-Realm equals xyz9.com | AuthWindowsSAM | No Limit
auth RSA | User-Realm equals xyz10.com | R
166. tributes MAY be sent in an Access-Accept packet. (Attribute list shown in the dialog: Framed-IP-Netmask, Framed-IPX-Network, Framed-MTU, Framed-Pool, Framed-Protocol, Framed-Route, Framed-Routing, Idle-Timeout; Show All Attributes check box.) Identifying a Filter list by name allows the Filter to be used on different NASes without regard to Filter list implementation details.

6 Perform the following steps:
a Select the required attribute, enter the corresponding value and click Insert. You can insert as many attributes as required. The Description panel displays information on the type of value that can be assigned to an attribute, for example String type, Enumerated type, IPv4 Address type and so on.
b Click Close after inserting the attributes.
Result: The User Profile window displays the selected attributes.
Note: Figure 8-6 displays a sample OmniSwitch template and Figure 8-7 displays a sample CyberGateKeeper template.

Configure templates: Create a template

Figure 8-6 User Profile for OmniSwitch
(Screenshot of the User Profile dialog: User Name: OmniSwitch; Password; Authentication Type: unspecified; Items to Verify (Check Attributes); Items Sent Back To Client (Reply Attributes): Filter-Id = temp2; Comment.)

Figure 8-7 User Profile for CyberGateKeeper
(Screenshot of the User Profile dialog: User Name: CyberGatekeep
167. Field | Description | Type | Value
(continued) | ue. If disabled, the attribute values are not truncated. | Boolean | Default value Yes
(NUL characters) | This field specifies if the NAS devices send NUL characters in their attributes. If enabled, a NUL is appended to the end of plain string attributes in responses to the NAS. | Boolean | Default value No
Check Duplicates | Duplicates are detected by a combination of the Source IP, Source Port and Packet Authenticator. If enabled, the server checks to see if the request received is a duplicate of a previously received request. This property can be set on a per-client basis in the Client Properties. | Boolean | Default value Yes
Check Authenticators | The drop-down list box displays the Auto, On or Off options. If enabled, the Policy server checks the request authenticator and, if it is not verified, the request is dropped. | List of values | Default value Auto

RADIUS client configuration: Identifying a client type

Note: You can also configure the RADIUS client in the following two ways:
• By specifying a range of IP addresses in the Client IP Address or Host field. This type of configuration sets aside a block of unique IP addresses to be used for the client or host applications.
• By specifying a CIDR block of IP addresses. Here the IP address is followed by a slash and the number (in decimal) of bits used for the networ
168. uration 59
Figure 7-18 EAP MS-CHAP V2 Authentication Configuration 60
Figure 7-19 CRL (Certificate Revocation List) Configuration 61
Figure 7-20 Policy configuration summary 62
Figure 7-21 Advanced Authentication Options 63
Figure 7-22 RSA ACE Server Configuration 64
Figure 7-23 EAP GTC configuration 65
Figure 7-24 Policy configuration summary 66
Figure 7-25 Advanced Authentication Options 67
Figure 7-26 Policy configuration summary 69
Figure 7-27 TLS (Transport Level Security) Configuration 70
Figure 7-28 Policy configuration summary 71
Figure 7-29 Advanced Authentication Options 73
Figure 7-30 EAP TTLS Configuration 74
Figure 7-31 Policy configuration summary 75
Figure 7-32 Microsoft Active Directory Config
169. uration 77
Figure 7-33 Policy configuration summary 78
Figure 7-34 Windows Security Access Manager 80
Figure 7-35 Policy configuration summary 81
Figure 7-36 RSA ACE Server Configuration 82
Figure 7-37 Policy configuration summary 83
Figure 7-38 Radius Server Proxy Configuration 85
Figure 7-39 Policy configuration summary 86
Figure 7-40 Attribute Set for Policy 89
Figure 7-41 Policy configuration summary 90
Figure 7-42 Policy configuration summary 92
Figure 7-43 Policy configuration summary 94
Figure 7-44 Rule Configuration 95
Figure 7-45 Rule Configuration 96
Figure 7-46 Rule Configuration 98
Figure 8-1 User File 102
Figure 8-2 User File List 103
Figure 8-3 User Files (users, templates) 103
Figure 8-4 User Profile
170. xt | Text that is displayed in a graphical user interface
keyboard keys | The name of a key on the keyboard
system input | Text that the user types as input to a system
system output | Text that a system displays or prints
variable | A value or command line parameter that the user provides
| Text or a value that is optional
value1 | value2, variable1 | variable2 | A choice of values or variables from which one value or variable is used

Document support
For support in using this document or any other Alcatel-Lucent document, contact Alcatel-Lucent at one of the following telephone numbers:
• 1-888-582-3688 for the United States
• 1-317-377-8618 for all other countries

Technical support
For technical support, contact your local Alcatel-Lucent customer support team. See the Alcatel-Lucent Support web site (http://alcatel-lucent.com/support) for contact information.

How to order
To order Alcatel-Lucent documents, contact your local sales representative or use the Online Customer Support Site (OLCS) web site (http://support.alcatel-lucent.com).

How to comment
To comment on this document, go to the Online Comment Form (http://infodoc.alcatel-lucent.com/comments) or e-mail your comments to the Comments Hotline (mailto:comments@alcatel-lucent.com).

Alcatel-Lucent 8950
171. yAssistant

Figure 7-9 Accounting Configuration
(Screenshot: Policy Configuration dialog for MD5 DB mypolicy, Accounting Configuration page.) RADIUS clients (NAS, RAS and other access points) send session accounting information to the Policy server in RADIUS accounting requests. The PolicyAssistant supports several options for processing these requests. How do you want to process RADIUS accounting information?
Processing Accounting Requests: Discard Accounting Information; Save Accounting to a File (File Name: MD5 DB mypolicy.detail; Rollover Mode: Monthly); Save Accounting to a Database.
Proxying Accounting Records: Proxy Accounting Information.
Description: Saves RADIUS accounting information to the specified file. The format of the information is the traditional Lucent Detail File format. Also select how often the file is rolled over to a new file. The default rollover is every month. The following describes each rollover mode:
Hourly: The file is rolled over each hour (08:00, 09:00, 10:00, etc.). The year, month, day and hour are appended to the file name. For example, a file named acct is named acct.2003060511 for 11:00 AM on June 5, 2003.
Daily: The file is rolled over daily at 12:00 AM. The year, month and day are appended to the file

6 Select Save Accounting to a File and perform the following s
