Configuration - Security


Nortel Secure Router 8000 Series

Release: 5.3
Publication: NN
Document Revision: NN A Rev01
Document status: Standard
Document release date: 30 March 2009

Copyright 2009 Nortel Networks. All Rights Reserved.
Printed in Canada, India, and the United States of America.

LEGAL NOTICE

While the information in this document is believed to be accurate and reliable, except as otherwise expressly agreed to in writing NORTEL PROVIDES THIS DOCUMENT "AS IS" WITHOUT WARRANTY OR CONDITION OF ANY KIND, EITHER EXPRESS OR IMPLIED. The information and/or products described in this document are subject to change without notice.

Nortel, the Nortel logo, and the Globemark are trademarks of Nortel Networks. All other trademarks are the property of their respective owners.

ATTENTION

For information about the safety precautions, read "Safety messages" in this guide. For information about the software license, read "Software license" in this guide.

Contents

About this document

1 AAA and user management configuration
  1.1 Introduction: AAA; RADIUS; HWTACACS; Domain-based user management; Local user management
  1.2 Configuring AAA: Establishing the configuration task; Configuring the authentication scheme; Configuring the authorization scheme; Configuring the accounting scheme; Configuring the recording scheme; Allocating IP addresses to users; Configuring IP address negotiation on an interface; Forcing the access user to be offline; Checking the configuration
  1.3 Configuring the RADIUS server template: Establishing the configuration task; Creating the RADIUS server template; Configuring the RADIUS authentication server; Configuring the RADIUS accounting server; Configuring the protocol version of the RADIUS server; Configuring the shared key of the RADIUS server; Configuring the user name format of the RADIUS server; Configuring the traffic unit of the RADIUS server; Configuring the retransmission parameters of the RADIUS server; Configuring the NAS port of the RADIUS server; Checking the configuration
  1.4 Configuring the HWTACACS server template: Establishing the configuration task; Creating the HWTACACS server template; Configuring the HWTACACS authentication server; Configuring the HWTACACS authorization server; Configuring the HWTACACS accounting server; Configuring the source IP address of the HWTACACS server; Configuring the shared key of the HWTACACS server; Configuring the user name format of the HWTACACS server; Configuring the traffic unit of the HWTACACS server; Configuring the timer of the HWTACACS server; Checking the configuration
  1.5 Configuring domains: Establishing the configuration task; Creating a domain; Configuring the authentication, authorization and accounting schemes of the domain; Configuring the RADIUS server template; Configuring the HWTACACS server template; Configuring the address-related attributes of the domain; Configuring the domain status; Setting the maximum number of access users allowed by the domain; Setting the idle cut parameters of the user in the domain; Configuring the idle cut function of the local user; Checking the configuration
  1.6 Maintaining AAA and user management: Clearing the statistics of the HWTACACS server; Debugging the RADIUS or the HWTACACS server
  1.7 Configuration examples: Example for configuring RADIUS authentication and accounting; Example for configuring local authentication and HWTACACS authentication, authorization and real-time accounting

2 Firewall configuration
  Introduction: Firewall function; ACL/packet filtering
  Configuring the firewall of ACL/packet filtering: Establishing the configuration task; Defining an ACL rule; Defining a class and a rule of traffic classification; Defining a firewall action; Applying a traffic policy; Enabling the statistics on ACLs; Checking the configuration
  Configuration examples

3 NAT configuration
  Introduction: NAT; Many-to-many NAT and address pool; Realization of NAT in the Secure Router; NAT user log; Reference
  Configuring the basic NAT functions: Establishing the configuration task; Configuring an address pool; Associating an ACL with an address pool; Checking the configuration
  Configuring an internal server: Establishing the configuration task; Configuring the internal server; Configuring the internal server for load balancing; Configuring the internal server associated with multiple public network addresses; (Optional) Configuring a static route; Configuring a static ARP mapping entry; Checking the configuration
  Configuring NAT attributes: Establishing the configuration task; Setting the aging time of NAT; Enabling NAT ALG; Configuring NAT flow control, bandwidth, and BT flow control; Checking the configuration
  Configuring NAT user log: Establishing the configuration task; Enabling the NAT user log
  Maintaining NAT: Resetting NAT; Debugging NAT
  Configuration examples: Example for configuring NAT and the internal server; Example for configuring load balancing, flow control, and speed control on the NAT server
  Troubleshooting: The internal server runs abnormally

4 Port mirroring configuration
  Introduction
  Configuring port mirroring: Establishing the configuration tasks; Configuring a mirroring port; Enabling port mirroring; Checking the configuration
  Configuration examples
  Troubleshooting: Configuration of the mirroring port fails; Configuration of the mirrored port fails

5 IPSec configuration
  Introduction: Overview of IPSec; Related concepts; IPSec implementation in the Secure Router; IPSec supporting MPLS VPN access
  Defining data flows to be protected: Establishing the configuration task; Defining data flows to protect; Checking the configuration
  Configuring an IPSec proposal: Establishing the configuration task; Creating an IPSec proposal and entering the IPSec proposal view; Configuring the IPSec protocol; Specifying an authentication algorithm; Configuring an encryption algorithm; Configuring an encapsulation mode; Checking the configuration
  Configuring an IPSec policy: Establishing the configuration task; Creating an IPSec policy and entering the IPSec policy view; Configuring the ACL used in the IPSec policy; Applying the IPSec proposal to the IPSec policy; Configuring the SA duration; Configuring the local and remote IP addresses of the tunnel (for manual negotiation only); Configuring the SPI for an SA (for manual negotiation only); Configuring the key for an SA (for manual negotiation only); Accessing MPLS VPN by binding a VPN instance with an SA; Configuring the IKE peer for the IPSec policy (for IKE negotiation only); Configuring the PFS feature used in IKE negotiation; Configuring the global SA duration; Checking the configuration
  Configuring IPSec policies using the IPSec policy template: Establishing the configuration task; Creating an IPSec policy template and entering the IPSec policy template view; Configuring the ACL used by the IPSec policy template; Applying the IPSec proposal to the IPSec policy template; Configuring the SA duration; Configuring the IKE peer for the IPSec policy template; Configuring PFS used in the negotiation; Configuring the global SA duration; Applying the IPSec policy template; Checking the configuration
  Applying IPSec policies or an IPSec policy group on an interface: Establishing the configuration task; Applying an IPSec policy on the interface; Checking the configuration
  Maintaining IPSec: Displaying the IPSec configuration; Clearing IPSec packet statistics; Debugging IPSec; Maintaining the high speed encryption card
  Configuration examples: Example for manually establishing an SA; Example for accessing MPLS VPN by binding a VPN instance and the interface; Example for accessing MPLS VPN by binding a VPN instance and an SA

6 IKE configuration
  Introduction: Overview of IKE; NAT traversal in IPSec; IKE implementation on the Secure Router
  Configuring the local ID used in IKE negotiation: Establishing the configuration task; Configuring the local ID used in the IKE negotiation
  Configuring the IKE security proposal: Establishing the configuration task; Creating the IKE security proposal and entering the IKE security proposal view; Specifying an encryption algorithm; Specifying an authentication method; Specifying an authentication algorithm; Specifying the DH group ID; Configuring the duration of the ISAKMP SA; Checking the configuration
  Configuring attributes of the IKE peer: Establishing the configuration task; Creating the IKE peer and entering the IKE peer view; Configuring an IKE negotiation mode; Configuring an IKE proposal; Configuring the local ID type; Configuring NAT traversal of IPSec; Configuring the identity authenticator; Configuring the peer IP address or address segment; Configuring the peer name; Accessing MPLS VPN by binding the VPN instance and SA; Checking the configuration
  Adjusting the IKE configuration: Establishing the configuration task; Configuring the interval for sending keepalive packets; Configuring the timeout period for waiting for keepalive packets; Configuring the interval for sending NAT update packets
  Maintaining IKE: Displaying the IKE configuration; Clearing the security tunnel; Debugging IKE
  Example for setting up SAs through IKE

A RADIUS / HWTACACS attribute list
  A.1 RADIUS attribute: A.1.1 Standard RADIUS attribute; A.1.2 Huawei RADIUS attribute
  A.2 HWTACACS attribute
B Glossary
C Acronyms and abbreviations
Index

Issue 5.3 (30 March 2009) Nortel Networks Inc.

Figures

Figure 1-1 RADIUS message structure
Figure 1-2 Message flow between the RADIUS client and server
Figure 1-3 HWTACACS authorization based on the commands
Figure 1-4 Process of upgrading the HWTACACS user level
Figure 1-5 Networking diagram of RADIUS authentication and accounting
Figure 1-6 Networking diagram of local authentication and HWTACACS authentication, authorization and accounting
Figure 2-1 Networking diagram of ACL/packet filtering-based firewall configuration
Figure 3-1 NAT diagram
Figure 3-2 Accessing the Internet through the router
Figure 3-3 Diagram of user log information output
Figure 3-4 Networking diagram of NAT configuration
Figure 3-5 Networking diagram of NAT server load balancing, flow control, bandwidth and BT flow control
Figure 4-1 Typical networking diagram of port mirroring configuration
Figure 5-1 Packet format of the transport mode
Figure 5-2 Packet format of the tunnel mode
Figure 5-3 Networking diagram of manually establishing an SA
Figure 5-4 Networking diagram of MPLS VPN access by binding the VPN instance and the interface
Figure 5-5 Networking diagram of configuring MPLS VPN access by binding the VPN instance and the SA
Figure 6-1 Process of setting up an SA
Figure 6-2 Networking diagram of IKE configuration

Tables

Table 1-1 Differences between HWTACACS and RADIUS
Table 3-1 List of interfaces and their corresponding private networks

About this document

Purpose

This document describes the configuration of security, including AAA and user management, firewall, NAT, port mirroring, IPSec, and IKE. It also provides the attribute lists of RADIUS and HWTACACS.

Related version

The following table lists the product version related to this document.

Product name: Nortel Secure Router 8000 Series
Version: Release 5.3

Intended audience

This document is intended for:
- Network engineers
- Network administrators
- Customers who are familiar with network fundamentals

Organization

This document consists of six chapters and three appendixes, organized as follows.

Chapter 1, AAA and user management configuration: introduces the Authentication, Authorization and Accounting (AAA) security services, including RADIUS, HWTACACS, domain-based user management and local user management, with their configuration steps and typical examples.
Chapter 2, Firewall configuration: describes the configuration of the packet filtering firewall, with typical examples.
Chapter 3, NAT configuration: describes the configuration of NAT and NAT user logs, with typical examples.
Chapter 4, Port mirroring configuration: describes the configuration of port mirroring, with typical examples.
Chapter 5, IPSec configuration: describes IP Security (IPSec) concepts, including security associations and authentication algorithms, and the configuration steps, with typical examples.
Chapter 6, IKE configuration: describes the Internet Key Exchange (IKE) protocol concepts and the configuration steps, with typical examples.
Appendix A, Attribute list of RADIUS and HWTACACS: covers the attributes of RADIUS and HWTACACS.
Appendix B, Glossary: collects terms frequently used in this document.
Appendix C, Acronyms and abbreviations: collects acronyms and abbreviations frequently used in this document.

Conventions

Symbol conventions

The following symbols may be found in this document. They are defined as follows.

- Indicates a hazard with a high level of risk which, if not avoided, will result in death or serious injury.
- Indicates a hazard with a medium or low level of risk which, if not avoided, could result in minor or moderate injury.
- Indicates a potentially hazardous situation that, if not avoided, could cause equipment damage, data loss, performance degradation, or unexpected results.
- Indicates a tip that may help you solve a problem or save you time.
- NOTE: provides additional information to emphasize or supplement important points of the main text.

General conventions

- Times New Roman: normal paragraphs are in Times New Roman.
- Boldface: names of files, directories, folders, and users are in boldface. For example, log in as user root.
- Italic: book titles are in italics.
- Courier New: terminal display is in Courier New.

Command conventions

- Boldface: the keywords of a command line are in boldface.
- Italic: command arguments are in italic.
- [ ]: items (keywords or arguments) in square brackets are optional.
- { x | y | ... }: alternative items are grouped in braces and separated by vertical bars. One is selected.
- [ x | y | ... ]: optional alternative items are grouped in square brackets and separated by vertical bars. One or none is selected.
- { x | y | ... } *: alternative items are grouped in braces and separated by vertical bars. A minimum of one or a maximum of all can be selected.
- &<1-n>: the parameter before the & sign can be repeated 1 to n times.
- A line starting with the comment sign is a comment.

GUI conventions

- Boldface: buttons, menus, parameters, tabs, window and dialog titles are in boldface. For example, click OK.
- >: multi-level menus are in boldface and separated by the > sign. For example, choose File > Create > Folder.

Keyboard operation

- Key: press the key. For example, press Enter and press Tab.
- Key 1+Key 2: press the keys concurrently. For example, Ctrl+Alt+A means the three keys are pressed concurrently.
- Key 1, Key 2: press the keys in turn. For example, Alt, A means the two keys are pressed in turn.

Mouse operation

- Click: select and release the primary mouse button without moving the pointer.
- Double-click: press the primary mouse button twice in quick succession without moving the pointer.
- Drag: press and hold the primary mouse button and move the pointer to a certain position.

Update history

Updates between document versions are cumulative. Therefore, the latest document version contains all updates made to previous versions.

Updates in issue 01 ( ): initial field trial release.


1 AAA and user management configuration

About this chapter

The following list shows the contents of this chapter.

1.1 Introduction: describes the principles and concepts of AAA and user management.
1.2 Configuring AAA: describes how to configure the various attributes of AAA.
1.3 Configuring the RADIUS server template: describes how to configure a RADIUS server template.
1.4 Configuring the HWTACACS server template: describes how to configure an HWTACACS server template.
1.5 Configuring domains: describes how to configure a domain.
1.6 Maintaining AAA and user management: describes how to clear statistics and debug RADIUS or HWTACACS.
1.7 Configuration examples: provides several configuration examples of AAA and user management.

1.1 Introduction

This section describes the following topics that you need to know before you configure AAA:
- AAA
- RADIUS
- HWTACACS
- Domain-based user management
- Local user management

AAA

Authentication, Authorization and Accounting (AAA) are three types of security services:
- Authentication: determines which users can access the network.
- Authorization: authorizes the user to use particular services.
- Accounting: records the network resource utilization of the user.

AAA adopts the server/client model. In this model, the client runs on the side of the administered resource and the server stores the user information. This model scales well and is convenient for centralized management of user information.

Authentication

AAA supports the following authentication modes:
- Non-authentication: completely trusts users and does not check their validity. It is rarely used.
- Local authentication: the user information, including the user name, password and attributes, is configured on the Network Access Server (NAS). It features fast processing and low operating cost. Its major limitation is that the hardware restricts how much user information can be stored.
- Remote authentication: authenticates users through the Remote Authentication Dial In User Service (RADIUS) protocol or the Nortel Terminal Access Controller Access Control System (HWTACACS) protocol. The NAS serves as the client and communicates with the RADIUS or HWTACACS server. The RADIUS protocol can be either standard RADIUS or the extended RADIUS protocol of Nortel, and cooperates with iTELLIN or the Comprehensive Access Management Server (CAMS) to complete the authentication.

Authorization

AAA supports the following authorization modes:
- Direct authorization: completely trusts users and authorizes them directly.
- Local authorization: authorizes users based on the attributes of the local user account configured on the NAS.
- HWTACACS authorization: authorizes users through the HWTACACS server.
- If-authenticated authorization: allows the user to pass authorization once the user has passed authentication.
- RADIUS authorization: authorizes users after they pass RADIUS authentication.

Accounting

AAA supports the following accounting modes:
- Non-accounting: provides free services.
- Local accounting: backs up and manages bills locally. It is a complementary protection measure for remote accounting and can replace the remote servers to charge users locally.
- Remote accounting: performs accounting through the RADIUS or HWTACACS server.
- Local and remote accounting: sends accounting packets to the local store and to the RADIUS server, or to the local store and to the HWTACACS server, at the same time. This improves accounting reliability.

RADIUS

RADIUS is one of the protocols used to implement AAA. It was initially used to manage large numbers of scattered users connecting through serial ports and modems. Now it is widely used in Network Access Server (NAS) systems. To obtain the right to access a network or to use network resources, a user sets up a connection with the NAS through a network, such as a telephony network. The NAS is in charge of authenticating the user or the connection, and sends the user's AAA information to the RADIUS server. RADIUS prescribes how user information and accounting information are transmitted between the NAS and the RADIUS servers. The RADIUS server receives the connection request, completes authentication and then sends the required configuration back to the NAS.

The authentication information exchanged between the NAS and the RADIUS server is protected with a shared key. This protects the user's password from theft on insecure networks.

RADIUS message structure

Figure 1-1 shows the RADIUS message structure.

Figure 1-1 RADIUS message structure (fields in order: Code, Identifier, Length, Authenticator, Attributes)

- Code indicates the message type, such as access request, access accept or accounting request.
- Identifier is a sequence number used to match request packets with their response packets.
- Length indicates the total length of all fields.
- Authenticator is used to verify that a reply is valid and to protect the password.
- Attributes carry the contents of the message, including the various attributes related to the user.

RADIUS message flow

RADIUS specifies the message flow and structure for the interaction between the client and the server. Figure 1-2 shows a simple message flow stipulated in the RADIUS protocol.

Figure 1-2 Message flow between the RADIUS client and server (user sends user name and password to the router/access server; the router/access server sends a request to the RADIUS server; the RADIUS server returns a response)

1. When logging in to a network device such as a router or an access server, you first send a user name and password to the RADIUS client on the network device.
2. After the RADIUS client receives the user name and password, it sends an authentication request to the RADIUS server.
3. If the request is valid, the server completes the authentication and sends the required authorization information back to the client.

The authentication information is protected by a key shared between the client and the RADIUS server, which encrypts the information before it is sent and so prevents theft of the information on an insecure network. The accounting process is similar to the authentication and authorization process.

The user logging in can be a Point-to-Point Protocol (PPP) user that uses network resources, or a management user that configures and maintains the network device. You can also save user information such as user names and passwords on the network device itself; authentication against this information is called local authentication.

RADIUS features

- Using the User Datagram Protocol (UDP) as the transport protocol, RADIUS offers good real-time performance.
- Owing to its retransmission mechanism and standby server mechanism, RADIUS is highly reliable.
- RADIUS is easy to implement and suits a multithreaded server structure when there are large numbers of users.

As the RADIUS client, the NAS performs the following functions:
- Standard RADIUS protocol and extended attributes (RFC2865 and RFC ...).
- Extended RADIUS+1.1 protocol of Nortel.
- Active detection of the RADIUS server state: after receiving an AAA authentication or accounting message, the NAS starts the server detection process if the status of the server is Down. The NAS transforms the message into a packet that serves as the server probe and sends it to the current server. If a response packet is received from the RADIUS server, the NAS considers the server ready.
- Local buffering and retransmission of Accounting-Stop packets: if the number of retransmissions exceeds the configured value, the packets are saved to a buffer queue. The system periodically scans the queue, extracts the packets, sends them to the specified server and starts the waiting timer. If the transmission fails or no response is received from the server within the timeout, the packet is placed back in the buffer queue.
- Automatic switching of the RADIUS server: if the waiting timer expires and the current server is in the Down state, or the number of retransmissions exceeds the configured maximum, the current server is replaced by another server in the server group for transmitting packets.

HWTACACS

HWTACACS is an enhancement of TACACS, an access control protocol defined in an IETF RFC. Like RADIUS, HWTACACS implements AAA for multiple users by communicating with the HWTACACS server in the server/client model. HWTACACS can perform AAA for access users over PPP or a Virtual Private Dial Network (VPDN) and for login users. Compared with RADIUS, HWTACACS is more reliable in transmission and encryption and is better suited to security control. Table 1-1 shows the differences between HWTACACS and RADIUS.

Table 1-1 Differences between HWTACACS and RADIUS

- Transport: HWTACACS uses TCP to provide reliable transmission; RADIUS uses UDP.
- Encryption: HWTACACS encrypts the whole packet except the standard HWTACACS header; RADIUS encrypts only the password field in authentication packets.
- Authentication and authorization: HWTACACS separates authentication from authorization; RADIUS performs authentication together with authorization.
- Suitability: HWTACACS is suitable for security control; RADIUS is suitable for accounting.
- Configuration authorization: HWTACACS is responsible for authorizing the router configuration; RADIUS has no equivalent.

HWTACACS authorizes the command lines of users belonging to the specified class in the specified domain, and of SSH users.

Command line authorization

When you log in to the router through Telnet or SSH, each command you enter must pass HWTACACS authorization. If the command line is authorized, the command runs. If the command line is not authorized, the HWTACACS server returns an authorization failure message.

Command line authorization can use local authorization as a backup mode. In this way, local authorization is used if command line authorization fails because of a server fault. If no authorization response is received from the server within the timeout period, the command is not run. When the number of authorization failures (no response from the server, or failed authorization) exceeds the configured threshold, a configured policy decides whether the user stays online or goes offline.

Figure 1-3 shows the process for the HWTACACS server to authorize a command line.

Figure 1-3 HWTACACS authorization based on the commands (the user enters a command; the router sends author-cmd REQ to the HWTACACS server and receives author-cmd ACK)

User level upgrade

When the router itself authenticates the user during a user level upgrade, the passwords of the user at each level can be different. When the HWTACACS server authenticates the user during a user level upgrade, the passwords of the user at each level must be the same.

After logging in to the router through Telnet or SSH, a user runs the super command to raise or lower the user's own level. The router must authenticate the user's password. Figure 1-4 shows the process of upgrading the HWTACACS user level: the router sends the user's password to the HWTACACS server for authentication, and if the password is authenticated the user level can be upgraded. The change affects only the current login.

Figure 1-4 Process of upgrading the HWTACACS user level (the Telnet/SSH user runs super; the router sends Super Authen REQ to the HWTACACS server and receives Super Authen ACK)

If the router does not receive the authentication result within the timeout configured by the user, the authentication fails and the user level cannot be upgraded.
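The RADIUS message structure of Figure 1-1, the exchange of Figure 1-2 and the "encrypts only the password field" row of Table 1-1 are shown concretely in the following Python example. It is an added example, not code from this document or from the Secure Router software; it follows RFC 2865 for the User-Password hiding with the shared key and for the Response Authenticator check on the client side. The shared key, user name and password are constructed sample values.

```python
"""RADIUS (RFC 2865) Access-Request / Access-Accept over a shared key.

Added example illustrating Figure 1-1 (Code, Identifier, Length,
Authenticator, Attributes) and Figure 1-2. SECRET, the user name and the
password are constructed sample values, not credentials from the document.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3   # Code values
USER_NAME, USER_PASSWORD = 1, 2                         # attribute types
HEADER = struct.Struct("!BBH")                          # Code, Identifier, Length
HEADER_LEN = 20                                         # header + 16-byte Authenticator


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 s5.2: pad to 16-byte blocks; XOR each block with
    MD5(secret + previous block), the first block using the Request
    Authenticator. This is the only field RADIUS hides (Table 1-1)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], pad))
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server-side inverse of hide_password (trailing NUL padding removed)."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], pad))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def encode_attributes(attrs) -> bytes:
    """Type (1 byte), Length (1 byte, counts Type and Length), Value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attributes(data: bytes) -> list:
    attrs, i = [], 0
    while i < len(data):
        t, length = struct.unpack("!BB", data[i:i + 2])
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def parse(packet: bytes) -> dict:
    """Split a packet into the fields of Figure 1-1; reject bad Length values."""
    code, identifier, length = HEADER.unpack(packet[:4])
    if length < HEADER_LEN or length > len(packet):
        raise ValueError("bad Length field")
    return {"code": code, "identifier": identifier, "length": length,
            "authenticator": packet[4:HEADER_LEN],
            "attributes": decode_attributes(packet[HEADER_LEN:length])}


def build_access_request(identifier: int, username: bytes, password: bytes,
                         secret: bytes, request_auth: bytes = None) -> bytes:
    """NAS side of step 2 in Figure 1-2. The Request Authenticator must be unpredictable."""
    request_auth = request_auth or os.urandom(16)
    attrs = encode_attributes([(USER_NAME, username),
                               (USER_PASSWORD, hide_password(password, secret, request_auth))])
    return HEADER.pack(ACCESS_REQUEST, identifier, HEADER_LEN + len(attrs)) + request_auth + attrs


def build_response(code: int, request: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """Server side of step 3: ResponseAuth = MD5(header + RequestAuth + attributes + secret)."""
    header = HEADER.pack(code, request[1], HEADER_LEN + len(attrs))
    resp_auth = hashlib.md5(header + request[4:HEADER_LEN] + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """NAS check that a reply belongs to its request and was made with the shared key."""
    if response[1] != request[1]:                       # Identifier must match
        return False
    header, resp_auth, attrs = response[:4], response[4:HEADER_LEN], response[HEADER_LEN:]
    expected = hashlib.md5(header + request[4:HEADER_LEN] + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def server_handle(request: bytes, secret: bytes, userdb: dict) -> bytes:
    """Minimal server: recover the password, answer Access-Accept or Access-Reject."""
    fields = parse(request)
    attrs = dict(fields["attributes"])
    password = reveal_password(attrs[USER_PASSWORD], secret, fields["authenticator"])
    ok = userdb.get(attrs[USER_NAME]) == password
    return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, request, secret)


if __name__ == "__main__":
    SECRET = b"example-shared-key"                        # constructed sample key
    req = build_access_request(7, b"user@hua", b"s3cret", SECRET)
    print(parse(req)["attributes"])                       # User-Name readable, User-Password hidden
    resp = server_handle(req, SECRET, {b"user@hua": b"s3cret"})
    print(parse(resp)["code"], verify_response(resp, req, SECRET))
```

Parsing the request shows the RADIUS row of Table 1-1 directly: User-Name is readable on the wire while User-Password is not. A NAS that skipped verify_response would accept a forged Access-Accept from anyone able to send UDP from the server's address, which is why the Response Authenticator check and a strong shared key matter even on a "trusted" management network.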

Domain-based user management

The NAS can manage users in two ways:
- Managing users based on domains: configurations such as the default authorization, the RADIUS or HWTACACS template, and the authentication and accounting schemes are applied in a domain.
- Managing users by user accounts.

In current AAA implementations, users are categorized into different domains. The domain to which a user belongs is determined by the character string that follows the "@" in the user name. For example, the user "user@hua" belongs to the domain "hua". If there is no "@" in the user name, the user belongs to the domain "default". Besides the default domain, you can create up to 254 domains.

You configure all the AAA users in the domain view by applying an authentication scheme, an authorization scheme, and an accounting scheme. These schemes are preconfigured in the AAA view. By default, AAA adopts local authentication, local authorization, and no accounting. If you create a domain and apply no schemes in it, AAA uses the default schemes for that domain. To use a RADIUS or HWTACACS scheme for a user, you preconfigure the RADIUS or HWTACACS server template in the system view and then apply it in the view of the domain to which the user belongs.

If you configure a domain and a user within the domain with the same attribute, the user-based configuration takes precedence over the domain-based configuration. The authorization attributes configured in a domain have lower precedence than those delivered by the AAA server: the AAA server's authorization attribute is used first, and the domain authorization attribute applies only when the AAA server does not deliver or does not support that attribute. In this way, you can add services flexibly through domains regardless of the attribute limitations of the AAA server.

Local user management

Local user management includes:
- Setting up a local user database on the router to maintain user information and manage users
- Local authentication

1.2 Configuring AAA

1.2.1 Establishing the configuration task

Applicable environment

To provide access services to legitimate users and protect sensitive network devices from unauthorized access, configure AAA.

NOTE: AAA is always enabled on the NAS.

Preconfiguration tasks
None.

PPP users can use the address negotiation function of PPP to obtain the IP address of the local interface from the NAS. AAA allocates addresses to PPP users on the NAS. The address allocation rules are as follows:

For a user who is not authenticated:
If the interface has an IP address, the NAS allocates the address to the peer directly.
If the interface has an IP address pool, the NAS allocates an address from the address pool to the peer.

For a default domain user who passes authentication (the default user name has two types: a plain name such as "aaa", and a name that carries the default domain after "@"):
If the server has delivered an IP address, the NAS allocates this address to the peer directly.
If the server has delivered an IP address pool ID, the NAS allocates an address from the global or domain address pool to the peer.
If the server has not delivered an address pool ID but the interface has an IP address pool, the NAS allocates an address from this global address pool to the peer.

For a common domain user who passes authentication:
If the server has delivered an IP address, the NAS allocates the address to the peer directly.
If the server has delivered an IP address pool ID, the NAS allocates an address from the specified domain address pool to the peer.
If the server has delivered neither an IP address nor an address pool ID, the NAS traverses the address pools in the domain, starting from the first one, to find an available IP address.

In the above three cases, both the global address pool and the domain address pool are traversed once. If all the addresses in the specified global address pool or domain address pool are in use, the NAS stops traversing the address pool and directly returns the invalid IP address 0.

Addresses such as the Class A addresses XXX and XXX.0.0.0, the Class B addresses XXX.XXX and XXX.XXX.0.0, and the Class C addresses XXX.XXX.XXX.25 and XXX.XXX.XXX.0 must not be configured as valid start or end addresses of the address pool. If the address pool contains these addresses, they cannot be allocated.

Data preparation

NOTE
IP address negotiation needs to be configured on the client and on the server respectively.

To configure AAA, you need the following data.

No. Data
1 Name of the authentication scheme and the authentication mode
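As an added example (not Nortel code) covering both the domain rule from the domain-based user management section and the address allocation rules listed above: a Python model that derives a user's domain from the "@" suffix and applies the three allocation cases over global and domain pools, skipping the network/broadcast-style addresses and returning address 0 on exhaustion. Pool, Interface, ServerReply and Nas are assumed names, and the scenario in demo() is constructed.

```python
"""Model of the NAS rules above: the domain is the string after '@' (none means
'default'), and PPP addresses follow the three allocation cases. Added example,
not Nortel code."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import Dict, List, Optional, Set

DEFAULT_DOMAIN = "default"
INVALID_ADDRESS = IPv4Address("0.0.0.0")   # the "invalid IP address 0" returned on exhaustion


def domain_of(user_name: str) -> str:
    """Domain is whatever follows the '@'; a name without '@' is in 'default'."""
    _name, sep, domain = user_name.partition("@")
    return domain if sep and domain else DEFAULT_DOMAIN   # empty suffix -> default (assumption)


@dataclass
class Pool:
    pool_id: int
    first: IPv4Address
    last: IPv4Address
    in_use: Set[IPv4Address] = field(default_factory=set)

    def allocatable(self, addr: IPv4Address) -> bool:
        # Network/broadcast-style addresses (last octet 0 or 255, which covers the
        # x.0.0.0 / x.x.0.0 / x.x.x.0 forms listed above) are never handed out.
        if addr.packed[3] in (0, 255):
            return False
        return addr not in self.in_use

    def allocate(self) -> IPv4Address:
        """Walk the pool once; 0.0.0.0 means every address is used or reserved."""
        addr = self.first
        while addr <= self.last:
            if self.allocatable(addr):
                self.in_use.add(addr)
                return addr
            addr += 1
        return INVALID_ADDRESS


@dataclass
class ServerReply:
    """What the AAA server delivered for an authenticated user (constructed)."""
    ip_address: Optional[IPv4Address] = None
    pool_id: Optional[int] = None


@dataclass
class Interface:
    ip_address: Optional[IPv4Address] = None   # 'remote address ip-address'
    pool: Optional[Pool] = None                # 'remote address pool pool-number'


@dataclass
class Nas:
    global_pools: Dict[int, Pool] = field(default_factory=dict)
    domain_pools: Dict[str, List[Pool]] = field(default_factory=dict)

    def _domain_pool(self, domain: str, pool_id: int) -> Optional[Pool]:
        return next((p for p in self.domain_pools.get(domain, []) if p.pool_id == pool_id), None)

    def allocate(self, user_name: str, authenticated: bool,
                 reply: ServerReply, iface: Interface) -> IPv4Address:
        if not authenticated:                      # case 1: the interface decides
            if iface.ip_address is not None:
                return iface.ip_address
            return iface.pool.allocate() if iface.pool else INVALID_ADDRESS
        if reply.ip_address is not None:           # cases 2 and 3: a delivered address wins
            return reply.ip_address
        domain = domain_of(user_name)
        if domain == DEFAULT_DOMAIN:               # case 2: default-domain user
            if reply.pool_id is not None:          # global or domain pool with that ID
                pool = self.global_pools.get(reply.pool_id) or self._domain_pool(domain, reply.pool_id)
                return pool.allocate() if pool else INVALID_ADDRESS
            return iface.pool.allocate() if iface.pool else INVALID_ADDRESS
        if reply.pool_id is not None:              # case 3: common-domain user, pool ID delivered
            pool = self._domain_pool(domain, reply.pool_id)
            return pool.allocate() if pool else INVALID_ADDRESS
        for pool in self.domain_pools.get(domain, []):   # nothing delivered: walk the domain once
            addr = pool.allocate()
            if addr != INVALID_ADDRESS:
                return addr
        return INVALID_ADDRESS


def demo() -> dict:
    """Constructed scenario: one global pool bound to the interface, domain 'hua' with two pools."""
    nas = Nas()
    global_pool = Pool(1, IPv4Address("10.1.1.1"), IPv4Address("10.1.1.3"))
    nas.global_pools[1] = global_pool
    nas.domain_pools["hua"] = [Pool(1, IPv4Address("10.2.2.254"), IPv4Address("10.2.2.255")),
                               Pool(2, IPv4Address("10.2.3.1"), IPv4Address("10.2.3.2"))]
    iface = Interface(pool=global_pool)
    return {
        "unauthenticated": str(nas.allocate("anyone", False, ServerReply(), iface)),
        "default_with_pool_id": str(nas.allocate("aaa", True, ServerReply(pool_id=1), iface)),
        "server_delivered_ip": str(nas.allocate(
            "bob@hua", True, ServerReply(ip_address=IPv4Address("192.0.2.9")), iface)),
        # four 'hua' users with nothing delivered: .255 is skipped, pool 2 follows, then exhaustion
        "hua_walk": [str(nas.allocate("u@hua", True, ServerReply(), iface)) for _ in range(4)],
    }


if __name__ == "__main__":
    print(demo())
```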

2 (Optional) Name of the authorization scheme and the authorization mode, level of the user to be authorized through command lines, and timeout time of command line authorization
3 Name of the accounting scheme, the accounting mode, the interval of real-time accounting, the accounting-start failure policy, the real-time accounting failure policy, and the number of real-time accounting failures allowed
4 (Optional) Name of the recording scheme, name of the HWTACACS server template related to the recording mode, and events to be recorded
5 Interface type and interface number of the server or client, address pool ID and IP address range of the address pool, and the IP addresses to be allocated to users when no address pool is used

Configuration procedures

No. Procedure
1 Configuring the authentication scheme
2 Configuring the authorization scheme
3 Configuring the accounting scheme
4 (Optional) Configuring the recording scheme
5 Allocating IP addresses to users
6 Configuring IP address negotiation on an interface
7 Forcing the access user to be offline
8 Checking the configuration

Configuring the authentication scheme

Do as follows on the router:

Step 1 Run:
system-view
The system view appears.

Step 2 Run:
aaa
The AAA view appears.

Step 3 Run:
authentication-scheme authentication-scheme-name

The command creates an authentication scheme, and the authentication scheme view appears.

Step 4 Run:
authentication-mode { hwtacacs | radius | local } * [ none ]
Or run:
authentication-mode none
The command configures the authentication mode.

Step 5 Run:
authentication-super { hwtacacs | super } * [ none ]
Or run:
authentication-super none
The command configures the authentication scheme used for upgrading the user level.

NOTE
AAA defaults to local authentication. To allow a user to pass without being authenticated, create an authentication scheme, set the non-authentication mode in the scheme, and apply the scheme to the specified domain.

Configuring the authorization scheme

Do as follows on the router:

Step 1 Run:
system-view
The system view appears.

Step 2 Run:
aaa
The AAA view appears.

Step 3 Run:
authorization-scheme authorization-scheme-name
The command creates the authorization scheme, and the authorization scheme view appears.

Step 4 Run:
authorization-mode { hwtacacs | if-authenticated | local } * [ none ]
Or run:

authorization-mode none
The command configures the authorization mode.

Step 5 Run:
authorization-cmd privilege-level hwtacacs [ local ]
The command enables authorization of command lines for users at a certain level.

Step 6 (Optional) Run:
authorization-cmd no-response-policy { online | offline [ max-times max-times-value ] }
The command sets the policy to apply when the HWTACACS server fails or does not respond because of no configured user.

Step 7 Run:
quit
Return to the AAA view.

Step 8 Run:
quit
Return to the system view.

Step 9 Run:
hwtacacs-server template template-name
The HWTACACS server template view appears.

Step 10 Run:
hwtacacs-server timer response-timeout timeout-value
The command sets the response timeout period of the timer.

NOTE
Only HWTACACS supports authorizing command lines for users at certain levels. For commands containing indications and values, such as interface ethernet2/2/0, you need to output the commands in configuration file format; otherwise, HWTACACS authorization fails. Command line authorization of HWTACACS is independent of the authorization mode.

Configuring the accounting scheme

Do as follows on the router:

Step 1 Run:
system-view
The system view appears.

Step 2 Run:
aaa

The AAA view appears.

Step 3 Run:
accounting-scheme accounting-scheme-name
The command creates the accounting scheme, and the accounting scheme view appears.

Step 4 Run:
accounting-mode { hwtacacs | radius | none }
The command configures the accounting mode.

Step 5 Run:
accounting realtime interval
The command enables real-time accounting and sets the accounting interval.

Step 6 (Optional) Run:
accounting start-fail { online | offline }
The command configures the policy for failing to start accounting at the remote end.

Step 7 (Optional) Run:
accounting interim-fail [ max-times times ] { online | offline }
The command configures the policy for failing real-time accounting.

(Optional) Configuring the recording scheme

NOTE
You can configure the recording function only when you use HWTACACS.

Do as follows on the router:

Step 1 Run:
system-view
The system view appears.

Step 2 Run:
aaa
The AAA view appears.

Step 3 Run:
recording-scheme recording-scheme-name
The command creates the recording scheme, and the recording scheme view appears.

Step 4 Run:
recording-mode hwtacacs template-name
The command configures the recording mode.

Step 5 Run:
quit
Return to the AAA view.

Step 6 (Optional) Run:
cmd recording-scheme recording-scheme-name
The command records the commands run on the router.

Step 7 (Optional) Run:
outbound recording-scheme recording-scheme-name
The command records the connections.

Step 8 Run:
system recording-scheme recording-scheme-name
The command records the system events.

Allocating IP addresses to users

Do as follows on the router:

Step 1 Run:
system-view
The system view appears.

Step 2 Run:
aaa
The AAA view appears.

Step 3 Run:
ip pool pool-number first-address [ last-address ]
The command configures the IP address pool of the local system.

Step 4 Run:
quit
Return to the system view.

Step 5 Run:
interface interface-type interface-number
The interface view appears.

Step 6 Run:
remote address { ip-address | pool [ pool-number ] }

The command allocates IP addresses to the remote users.

NOTE
You do not need to configure an address pool if there is only one user. Directly allocate a specific IP address to the user; in this case, you can skip steps 2, 3, and 4. You must run the command in step 6 on a POS or CPOS interface that supports PPP.

Configuring IP address negotiation on an interface

Do as follows on the client:

Step 1 Run:
system-view
The system view appears.

Step 2 Run:
interface interface-type interface-number
The interface view appears.

Step 3 Run:
ip address ppp-negotiate
The command configures IP address negotiation on the interface.

NOTE
If both the local and remote interfaces are PPP encapsulated, and the local interface has no IP address while the remote interface has one, you can configure the IP address negotiable attribute on the local interface. The local interface then obtains the IP address allocated by the peer through PPP negotiation. When configuring the IP address attribute, note the following:
You can set IP address negotiation only when the interface supports PPP.
When the PPP status is Down, the IP address generated through negotiation is deleted.
You do not need to configure an IP address on the local interface because the negotiation obtains the IP address. If the interface is already configured with an IP address, that IP address is deleted.
The IP address obtained by an earlier negotiation is deleted when you reconfigure negotiation on this interface; the interface gets a new IP address through the negotiation.
When you delete the negotiated address, the interface has no address.
You must run the command in step 3 on interfaces such as POS or CPOS that support PPP.

Forcing the access user to be offline

Do as follows on the router:

Step 1 Run:
system-view

The system view appears.

Step 2 Run:
aaa
The AAA view appears.

Step 3 Run:
cut access-user
The command forces the user offline.

Checking the configuration

Run the following commands to check the previous configuration:

Action: View the brief information on AAA. Command: display aaa configuration
Action: View the configuration of the accounting scheme. Command: display accounting-scheme [ accounting-scheme-name ]
Action: View the configuration of the authentication scheme. Command: display authentication-scheme [ authentication-scheme-name ]
Action: View the configuration of the authorization scheme. Command: display authorization-scheme [ authorization-scheme-name ]
Action: View the configuration of the recording scheme. Command: display recording-scheme [ recording-scheme-name ]
Action: View the usage of the address pool. Command: display ip pool { global | domain domain-name }
Action: View the brief information on all access users. Command: display access-user

1.3 Configuring the RADIUS server template

Establishing the configuration task

Applicable environment
You need to configure the RADIUS server template when RADIUS is adopted.

Preconfiguration tasks
None.

Data preparation

NOTE
Most items in the RADIUS configuration have default values. You can also configure them based on the actual networking. You can modify the RADIUS configuration only when the RADIUS server template is not used by any user.

To configure the RADIUS server, you need the following data.

No. Data
1 Name of the RADIUS server template
2 IP address and source port number of the master (or slave) RADIUS authentication server
3 IP address and port number of the master (or slave) RADIUS accounting server
4 (Optional) Protocol version used by the RADIUS server
5 (Optional) Key of the RADIUS server
6 (Optional) User name format (with or without domain name) of the RADIUS server
7 (Optional) Traffic unit on the RADIUS server
8 (Optional) Response timeout time of the RADIUS server and the number of retransmissions
9 (Optional) NAS port format of the RADIUS server and the corresponding port ID format

Configuration procedures

No. Procedure
1 Creating the RADIUS server template
2 Configuring the RADIUS authentication server
3 Configuring the RADIUS accounting server
4 (Optional) Configuring the protocol version of the RADIUS server
5 (Optional) Configuring the shared key of the RADIUS server
6 (Optional) Configuring the user name format of the RADIUS server
7 (Optional) Configuring the traffic unit of the RADIUS server
8 (Optional) Configuring the retransmission parameters of the RADIUS server


Nortel Secure Router 8002, 8004 and Hardware Description Release: Document Revision:  NN A Release: Document Revision: 5.3 01.03 www.nortel.com NN46240-302 324565-A Release: 5.3 Publication: NN46240-302 Document Revision: 01.03 Document status: Standard Document release date: 6 April 2009 Copyright

More information

HUAWEI NetEngine80E/40E Router V600R003C00. Troubleshooting - System. Issue 02 Date HUAWEI TECHNOLOGIES CO., LTD.

HUAWEI NetEngine80E/40E Router V600R003C00. Troubleshooting - System. Issue 02 Date HUAWEI TECHNOLOGIES CO., LTD. V600R003C00 Issue 02 Date 2011-09-10 HUAWEI TECHNOLOGIES CO., LTD. 2011. All rights reserved. part of this document may be reproduced or transmitted in any form or by any means without prior written consent

More information

HP Unified Wired-WLAN Products

HP Unified Wired-WLAN Products HP Unified Wired-WLAN Products Security Configuration Guide HP 830 Unified Wired-WLAN PoE+ Switch Series HP 850 Unified Wired-WLAN Appliance HP 870 Unified Wired-WLAN Appliance HP 11900/10500/7500 20G

More information

H3C SR8800-F Routers. Comware 7 BRAS Services Configuration Guide. New H3C Technologies Co., Ltd.

H3C SR8800-F Routers. Comware 7 BRAS Services Configuration Guide. New H3C Technologies Co., Ltd. H3C SR8800-F Routers Comware 7 BRAS Services Configuration Guide New H3C Technologies Co., Ltd. http://www.h3c.com.hk Software version: SR8800FS-CMW710-R7655P05 or later Document version: 6W100-20170825

More information

HP MSR Router Series. IPX Configuration Guide(V5) Part number: Software version: CMW520-R2513 Document version: 6PW

HP MSR Router Series. IPX Configuration Guide(V5) Part number: Software version: CMW520-R2513 Document version: 6PW HP MSR Router Series IPX Configuration Guide(V5) Part number: 5998-8183 Software version: CMW520-R2513 Document version: 6PW106-20150808 Legal and notice information Copyright 2015 Hewlett-Packard Development

More information

Configuration Guide SuperStack 3 Firewall L2TP/IPSec VPN Client

Configuration Guide SuperStack 3 Firewall L2TP/IPSec VPN Client Overview This guide is used as a supplement to the SuperStack 3 Firewall manual, and details how to configure the native Windows VPN client to work with the Firewall, via the Microsoft recommended Layer

More information

Fundamentals of Network Security v1.1 Scope and Sequence

Fundamentals of Network Security v1.1 Scope and Sequence Fundamentals of Network Security v1.1 Scope and Sequence Last Updated: September 9, 2003 This document is exclusive property of Cisco Systems, Inc. Permission is granted to print and copy this document

More information

Configuring Security for the ML-Series Card

Configuring Security for the ML-Series Card 19 CHAPTER Configuring Security for the ML-Series Card This chapter describes the security features of the ML-Series card. This chapter includes the following major sections: Understanding Security, page

More information

Troubleshooting - Getting Started

Troubleshooting - Getting Started Troubleshooting - Getting Started Release: Document Revision: 5.3 01.01 www.nortel.com NN46240-704 324757-A Release: 5.3 Publication: NN46240-704 Document status: Standard Document release date: 30 March

More information

IPsec Dead Peer Detection Periodic Message Option

IPsec Dead Peer Detection Periodic Message Option IPsec Dead Peer Detection Periodic Message The IPsec Dead Peer Detection Periodic Message feature is used to configure the router to query the liveliness of its Internet Key Exchange (IKE) peer at regular

More information

PPP/MLP MRRU Negotiation Configuration

PPP/MLP MRRU Negotiation Configuration PPP/MLP MRRU Negotiation Configuration The PPP/MLP MRRU Negotiation Configuration feature allows a router to send and receive frames over Multilink PPP (MLP) bundles that are larger than the default Maximum

More information

Configuration Professional: Site to Site IPsec VPN Between Two IOS Routers Configuration Example

Configuration Professional: Site to Site IPsec VPN Between Two IOS Routers Configuration Example Configuration Professional: Site to Site IPsec VPN Between Two IOS Routers Configuration Example Document ID: 113337 Contents Introduction Prerequisites Requirements Components Used Conventions Configuration

More information

IP Addressing: Fragmentation and Reassembly Configuration Guide

IP Addressing: Fragmentation and Reassembly Configuration Guide First Published: December 05, 2012 Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 527-0883

More information

HP A5120 EI Switch Series IRF. Command Reference. Abstract

HP A5120 EI Switch Series IRF. Command Reference. Abstract HP A5120 EI Switch Series IRF Command Reference Abstract This document describes the commands and command syntax options available for the HP A Series products. This document is intended for network planners,

More information

H3C SecPath Series High-End Firewalls

H3C SecPath Series High-End Firewalls H3C SecPath Series High-End Firewalls NAT and ALG Configuration Guide Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Software version: SECPATH1000FE&SECBLADEII-CMW520-R3166 SECPATH5000FA-CMW520-R3206

More information

H3C S5120-EI Switch Series

H3C S5120-EI Switch Series H3C S5120-EI Switch Series IP Multicast Command Reference Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Software version: Release 2210 Document version: 6W100-20110915 Copyright 2011, Hangzhou

More information

Configuring Dynamic Multipoint VPN Using GRE Over IPsec With OSPF, NAT, and Cisco IOS Firewall

Configuring Dynamic Multipoint VPN Using GRE Over IPsec With OSPF, NAT, and Cisco IOS Firewall Configuring Dynamic Multipoint VPN Using GRE Over IPsec With OSPF, NAT, and Cisco IOS Firewall Document ID: 43068 Contents Introduction Prerequisites Requirements Components Used Conventions Configure

More information

SYSLOG Enhancements for Cisco IOS EasyVPN Server

SYSLOG Enhancements for Cisco IOS EasyVPN Server SYSLOG Enhancements for Cisco IOS EasyVPN Server In some situations the complexity or cost of the authentication, authorization, and accounting (AAA) server prohibits its use, but one of its key function

More information

Configuring the VPN Client

Configuring the VPN Client Configuring the VPN Client This chapter explains how to configure the VPN Client. To configure the VPN Client, you enter values for a set of parameters known as a connection entry. The VPN Client uses

More information

IP Addressing: Fragmentation and Reassembly Configuration Guide, Cisco IOS XE Release 3S (Cisco ASR 1000)

IP Addressing: Fragmentation and Reassembly Configuration Guide, Cisco IOS XE Release 3S (Cisco ASR 1000) IP Addressing: Fragmentation and Reassembly Configuration Guide, Cisco IOS XE Release 3S (Cisco ASR 1000) Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com

More information

Troubleshooting - Equipment

Troubleshooting - Equipment Release: Document Revision: 5.3 01.01 www.nortel.com NN46240-703 324754-A Release: 5.3 Publication: NN46240-703 Document status: Standard Document release date: 30 March 2009 Copyright 2009 Nortel Networks

More information

H3C S9800 Switch Series

H3C S9800 Switch Series H3C S9800 Switch Series OpenFlow Configuration Guide Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Software version: Release 213x Document version: 6W101-20151130 Copyright 2015, Hangzhou H3C

More information

L2TP IPsec Support for NAT and PAT Windows Clients

L2TP IPsec Support for NAT and PAT Windows Clients L2TP IPsec Support for NAT and PAT Windows Clients The L2TP IPsec Support for NAT and PAT Windows Clients feature allows mulitple Windows client to connect to an IPsec-enabled Cisco IOS Layer 2 Tunneling

More information

QoS: Classification, Policing, and Marking on LAC Configuration Guide, Cisco IOS Release 12.4T

QoS: Classification, Policing, and Marking on LAC Configuration Guide, Cisco IOS Release 12.4T QoS: Classification, Policing, and Marking on LAC Configuration Guide, Cisco IOS Release 12.4T Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com

More information

H3C S9500 Series Routing Switches

H3C S9500 Series Routing Switches Command Manual Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Manual Version: T2-08194S-20081225-C-1.24 Product Version: S9500-CMW310-R1648 Copyright 2007-2008, Hangzhou H3C Technologies Co., Ltd.

More information

HP High-End Firewalls

HP High-End Firewalls HP High-End Firewalls NAT and ALG Command Reference Part number: 5998-2639 Software version: F1000-E/Firewall module: R3166 F5000-A5: R3206 Document version: 6PW101-20120706 Legal and notice information

More information

H3C SecPoint User Manual

H3C SecPoint User Manual Hangzhou Huawei-3Com Technology Co., Ltd http://www.huawei-3com.com Manual Version: T2-08014Q-20060804-C-1.01 Copyright 2006, Hangzhou Huawei-3Com Technology Co., Ltd. and its licensors All Rights Reserved

More information

Table of Contents. Cisco Cisco VPN Client FAQ

Table of Contents. Cisco Cisco VPN Client FAQ Table of Contents Cisco VPN Client FAQ...1 Document ID: 45102...1 Questions...1 Introduction...2 Q. Why does the VPN Client disconnect after 30 minutes? Can I extend this time period?...2 Q. I upgraded

More information

Remote Access MPLS-VPNs

Remote Access MPLS-VPNs First Published: August 12, 2002 Last Updated: May 4, 2009 The feature allows the service provider to offer a scalable end-to-end Virtual Private Network (VPN) service to remote users. This feature integrates

More information

Table of Contents. Cisco IPSec Tunnel through a PIX Firewall (Version 7.0) with NAT Configuration Example

Table of Contents. Cisco IPSec Tunnel through a PIX Firewall (Version 7.0) with NAT Configuration Example Table of Contents IPSec Tunnel through a PIX Firewall (Version 7.0) with NAT Configuration Example...1 Document ID: 63881...1 Introduction...1 Prerequisites...2 Requirements...2 Components Used...2 Conventions...2

More information

PPP configuration commands

PPP configuration commands Contents PPP configuration commands 1 ip address ppp-negotiate 1 ip pool 1 link-protocol ppp 2 ppp authentication-mode 2 ppp chap password 4 ppp chap user 5 ppp ipcp remote-address forced 5 ppp pap local-user

More information

VPN Connection through Zone based Firewall Router Configuration Example

VPN Connection through Zone based Firewall Router Configuration Example VPN Connection through Zone based Firewall Router Configuration Example Document ID: 112051 Contents Introduction Prerequisites Requirements Components Used Conventions Background Information Configure

More information

HP 5920 & 5900 Switch Series

HP 5920 & 5900 Switch Series HP 5920 & 5900 Switch Series OpenFlow Command Reference Part number: 5998-4679a Software version: Release 23xx Document version: 6W101-20150320 Legal and notice information Copyright 2015 Hewlett-Packard

More information

IOS Router : Easy VPN (EzVPN) in Network Extension Mode (NEM) with Split tunnelling Configuration Example

IOS Router : Easy VPN (EzVPN) in Network Extension Mode (NEM) with Split tunnelling Configuration Example IOS Router : Easy VPN (EzVPN) in Network Extension Mode (NEM) with Split tunnelling Configuration Example Document ID: 63098 Contents Introduction Prerequisites Requirements Components Used Conventions

More information

H3C WA Series WLAN Access Points. Layer 2 WAN Command Reference. Hangzhou H3C Technologies Co., Ltd.

H3C WA Series WLAN Access Points. Layer 2 WAN Command Reference. Hangzhou H3C Technologies Co., Ltd. H3C WA Series WLAN Access Points Layer 2 WAN Command Reference Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Document Version: 6W100-20100910 Copyright 2010, Hangzhou H3C Technologies Co., Ltd.

More information

QoS: Per-Session Shaping and Queuing on LNS

QoS: Per-Session Shaping and Queuing on LNS QoS: Per-Session Shaping and Queuing on LNS First Published: February 28, 2006 The QoS: Per-Session Shaping and Queuing on LNS feature provides the ability to shape (for example, transmit or drop) or queue

More information

Broadband Router. User s Manual

Broadband Router. User s Manual Broadband Router User s Manual 1 Introduction... 4 Features... 4 Minimum Requirements... 4 Package Content... 4 Note... 4 Get to know the Broadband Router... 5 Back Panel... 5 Front Panel... 6 Setup Diagram...7

More information

H

H H12-721 Number: H12-721 Passing Score: 800 Time Limit: 120 min File Version: 1.0 Exam A QUESTION 1 The main method of caching servers DNS Request Flood defense is the use of DNS source authentication.

More information