Avaya Configuring RADIUS Uživatelský manuál

BayRS Version 15.1Part No. 308640-15.1 Rev 00October 2001600 Technology Park DriveBillerica, MA 01821-4130Configuring RADIUS

Configuring RADIUSD-2308640-15.1 Rev 00Nortel Networks Vendor-Specific AttributesThe Nortel Networks vendor ID is 1584, as allocated by the Internet A

Vendor-Specific Attributes308640-15.1 Rev 00D-3RADIUS Dictionary FileThis section shows the contents of the RADIUS dictionary file (bayrs.dct) for ref

Configuring RADIUSD-4308640-15.1 Rev 00Attributes used with l2tpAttributes used with multi user accessATTRIBUTE Bay-Primary-DNS-Server Bay-VSA (54, ip

308640-15.1 Rev 00E-1Appendix EConfiguring RADIUS with SecurIDUse the information in this appendix if you are using SecurID for RADIUS authentication.

Configuring RADIUSE-2308640-15.1 Rev 00Configuring RADIUS Client and ACE/Server Attributes on the RouterYou can use the BCC or Site Manager to configu

Configuring RADIUS with SecurID308640-15.1 Rev 00E-35.Accept the remaining default parameter values for the RADIUS client or modify them to customize

Configuring RADIUSE-4308640-15.1 Rev 00To specify a new secret password for the primary server, enter:primary-server-secret <string> For example

Configuring RADIUS with SecurID308640-15.1 Rev 00E-5Configure a RADIUS ClientTo enable RADIUS on a router slot and configure the RADIUS client:Site Ma

Configuring RADIUSE-6308640-15.1 Rev 00Configure a RADIUS ServerTo configure the IP address for a RADIUS server:Site Manager ProcedureYou do this Syst

Configuring RADIUS with SecurID308640-15.1 Rev 00E-7Select a Protocol for RADIUS Authentication Use the following steps to select a protocol, after wh

308640-15.1 Rev 00xi PrefaceThis guide describes Remote Authentication Dial-In User Service (RADIUS) and what you do to start and customize RADIUS ser

Configuring RADIUSE-8308640-15.1 Rev 00Configuring the ACE/Server After you configure the RADIUS client and server attributes on the router, you must

Configuring RADIUS with SecurID308640-15.1 Rev 00E-9The authentication procedure and interface dialog that you encounter when attempting to log in to

Configuring RADIUSE-10308640-15.1 Rev 00Logging In with a Valid PINAfter you obtain a valid PIN, you must enter it along with the token code on the Se

308640-15.1 Rev 00Index-1Aaccess accept, 1-6access challenge, 1-6access reject, 1-6access to Technician Interface, 3-6accounting. See RADIUS accountin

Index-2308640-15.1 Rev 00NNortel Networksvendor ID, D-2vendor-specific attributes, D-2numbered IP addresses, 1-6OOSPF Enable parameter, A-8Pparameters

308640-15.1 Rev 00Index-3operation with other vendors’ servers, 1-13server configurationchanging the primary and alternate servers, 4-12changing the s

Configuring RADIUSxii308640-15.1 Rev 00Text ConventionsThis guide uses the following text conventions:angle brackets (< >) Indicate that you cho

Preface308640-15.1 Rev 00xiii italic text Indicates new terms, book titles, and variables in command syntax descriptions. Where a variable is two or m

Configuring RADIUSxiv308640-15.1 Rev 00AcronymsThis guide uses the following acronyms:CHAP Challenge Handshake Authentication ProtocolDVS Dial VPN Ser

Preface308640-15.1 Rev 00xv Hard-Copy Technical ManualsYou can print selected technical manuals and release notes free, directly from the Internet. Go

308640-15.1 Rev 001-1Chapter 1RADIUS OverviewRADIUS (Remote Authentication Dial-In User Service) enables Internet service providers (ISPs) to offer mo

Configuring RADIUS1-2308640-15.1 Rev 00How RADIUS WorksAs networks grow to accommodate more users, network security and billing become more difficult

RADIUS Overview308640-15.1 Rev 001-3Figure 1-1 shows a sample network using RADIUS over a POTS (Plain Old Telephone Service) line and an ISDN (Integra

ii308640-15.1 Rev 00 Copyright © 2001 Nortel NetworksAll rights reserved. October 2001.The information in this document is subject to change without n

Configuring RADIUS1-4308640-15.1 Rev 00Configuring RADIUSTo configure the RADIUS server and client, follow these steps:1.Install the RADIUS server fil

RADIUS Overview308640-15.1 Rev 001-5Nortel Networks RADIUS ImplementationThe following Nortel Networks platforms can operate as RADIUS clients:• Acces

Configuring RADIUS1-6308640-15.1 Rev 00The client can also support a primary server, which is the original destination server, and an alternate server

RADIUS Overview308640-15.1 Rev 001-7SecurID, a token-passing security feature developed by Security Dynamics, Inc., prohibits unauthorized users from

Configuring RADIUS1-8308640-15.1 Rev 00Using IP and IPX Unnumbered Protocols for PPP ConnectionsThe RADIUS client supports IP and Internetwork Packet

RADIUS Overview308640-15.1 Rev 001-9Configuring Vendor-Specific Attributes (VSAs) for AuthenticationTo authenticate a remote caller, the RADIUS client

Configuring RADIUS1-10308640-15.1 Rev 00Configuring the Remote User to Work with the RADIUS ClientIn most RADIUS networks, the remote user is a router

RADIUS Overview308640-15.1 Rev 001-11• For non-Nortel servers, use the bayrs.dct file shown in Appendix D to modify your existing RADIUS dictionary. B

Configuring RADIUS1-12308640-15.1 Rev 00Using IP and IPX Unnumbered Protocols for PPP ConnectionsThe RADIUS client supports IP and IPX unnumbered inte

RADIUS Overview308640-15.1 Rev 001-13This new behavior resembles the operation of a RAS (remote access server) in local (non-DVS) mode and allows cust

308640-15.1 Rev 00iiiNortel Networks Inc. Software License AgreementThis Software License Agreement (“License Agreement”) is between you, the end-user

Configuring RADIUS1-14308640-15.1 Rev 00To ensure that a server is always available, you can configure one primary server and multiple alternate serve

RADIUS Overview308640-15.1 Rev 001-15For More InformationRefer to the following sources for more information about RADIUS:Aboba, B., and G. Zorn. “RAD

308640-15.1 Rev 002-1 Chapter 2Starting RADIUSThe Remote Authentication Dial-In User Service (RADIUS) centralizes authentication and accounting infor

Configuring RADIUS2-2308640-15.1 Rev 00Before You BeginBefore you enable RADIUS, do the following:1.Create and save a configuration file that has at l

Starting RADIUS308640-15.1 Rev 002-3 Enabling RADIUSYou can use the BCC or Site Manager to enable RADIUS on the router. To help you visualize the conf

Configuring RADIUS2-4308640-15.1 Rev 00Using the BCCTo enable RADIUS and configure the IP addresses for a RADIUS client and server:1.Start configurati

Starting RADIUS308640-15.1 Rev 002-5 Using Site ManagerUse the steps in the following sections to enable RADIUS on a router slot and configure the RAD

Configuring RADIUS2-6308640-15.1 Rev 00Configure a RADIUS ServerTo configure the IP address for a RADIUS server:6. Click on OK to accept the default s

Starting RADIUS308640-15.1 Rev 002-7 Select a Protocol for RADIUS Authentication Use the following steps to select a protocol, after which the RADIUS

iv308640-15.1 Rev 004. Generala. If Customer is the United States Government, the following paragraph shall apply: All Nortel Networks Software avail

Configuring RADIUS2-8308640-15.1 Rev 00Configuring Multiple RADIUS ClientsYou can use the script described in this section to configure a RADIUS clien

308640-15.1 Rev 003-1 Chapter 3Customizing the RADIUS Client ConfigurationThis chapter shows you how to change the parameter values to customize the R

Configuring RADIUS3-2308640-15.1 Rev 00Using the BCCTo modify the RADIUS client’s IP address, navigate to the radius-client# prompt for the appropriat

Customizing the RADIUS Client Configuration308640-15.1 Rev 003-3 Modifying the Authentication and Accounting ServicesThe default for both accounting

Configuring RADIUS3-4308640-15.1 Rev 00To configure the RADIUS client to generate accounting requests for incoming calls only, navigate to the radius

Customizing the RADIUS Client Configuration308640-15.1 Rev 003-5 Modifying the Protocol for RADIUS AuthenticationUse the following steps to modify the

Configuring RADIUS3-6308640-15.1 Rev 00Modifying Router AccessYou can modify access to the router by enabling or disabling the user/manager lock. The

Customizing the RADIUS Client Configuration308640-15.1 Rev 003-7 To change the authentication protocol to PAP:Site Manager ProcedureYou do this System

Configuring RADIUS3-8308640-15.1 Rev 00Removing RADIUS Authentication and AccountingYou can use either the BCC or Site Manager to remove RADIUS authen

Customizing the RADIUS Client Configuration308640-15.1 Rev 003-9 Setting the Debug Message LevelThe debug message level determines how verbose the sys

308640-15.1 Rev 00vContents PrefaceBefore You Begin ...

308640-15.1 Rev 004-1 Chapter 4Customizing the RADIUS Server ConfigurationThis chapter explains how to modify the RADIUS server configuration. The ser

Configuring RADIUS4-2308640-15.1 Rev 00Modifying the Primary Server’s PasswordThe first server you configure is the primary server. You can have only

Customizing the RADIUS Server Configuration308640-15.1 Rev 004-3 Modifying the Server ModeThe server mode tells the client how the server is configure

Configuring RADIUS4-4308640-15.1 Rev 00Designating Authentication and Accounting UDP PortsThe User Datagram Protocol (UDP) port is the logical port th

Customizing the RADIUS Server Configuration308640-15.1 Rev 004-5 Using Site ManagerTo designate the UDP port numbers of the RADIUS server on which it

Configuring RADIUS4-6308640-15.1 Rev 00Modifying the Server Response TimeWhen the client sends an accounting or authentication request to the server,

Customizing the RADIUS Server Configuration308640-15.1 Rev 004-7 Modifying the Number of Client Requests to the ServerYou can modify the number of tim

Configuring RADIUS4-8308640-15.1 Rev 00Using Site ManagerTo modify the number of client requests to the server:Site Manager ProcedureYou do this Syste

Customizing the RADIUS Server Configuration308640-15.1 Rev 004-9 Configuring Alternate ServersIn addition to the primary server, you can configure one

vi308640-15.1 Rev 00Accepting a Remote User’s IP Address ...1-14Configuring a RA

Configuring RADIUS4-10308640-15.1 Rev 00Using Site ManagerTo configure an alternate server:Site Manager ProcedureYou do this System responds1. In the

Customizing the RADIUS Server Configuration308640-15.1 Rev 004-11 Reconnecting to the Primary ServerWhen the primary server fails to respond to connec

Configuring RADIUS4-12308640-15.1 Rev 00Using Site ManagerTo try to reconnect to the primary server after a specified time period:Changing the Primary

Customizing the RADIUS Server Configuration308640-15.1 Rev 004-13 Using Site ManagerTo specify which server is the primary and which is the alternate:

Configuring RADIUS4-14308640-15.1 Rev 00Removing a Server EntryYou can remove a server entry from the RADIUS configuration.Using the BCCTo remove a se

308640-15.1 Rev 00A-1Appendix ASite Manager ParametersThis appendix describes the Site Manager RADIUS parameters. You can display the same information

Configuring RADIUSA-2308640-15.1 Rev 00You can also use the Technician Interface to modify parameters by issuing set and commit commands with the MIB

Site Manager Parameters308640-15.1 Rev 00A-3Server Configuration ParametersThe RADIUS Server Configuration window (Figure A-2) shows the current param

Configuring RADIUSA-4308640-15.1 Rev 00Parameter: Server IP AddressPath: Protocols > Global Protocols > RADIUS > Edit ServerDefault: NoneOpti

Site Manager Parameters308640-15.1 Rev 00A-5 Parameter: Auth. UDP PortPath: Protocols > Global Protocols > RADIUS > Edit ServerDefault: 1645O

308640-15.1 Rev 00viiAppendix B Monitoring RADIUS Using the BCC show CommandsOnline Help for show Commands ...

Configuring RADIUSA-6308640-15.1 Rev 00Parameter: Response Timeout (seconds)Path: Protocols > Global Protocols > RADIUS > Edit ServerDefault:

Site Manager Parameters308640-15.1 Rev 00A-7Protocol Parameters for RADIUS AuthenticationThe RADIUS Dial_In Protocol window (Figure A-3) shows the cur

Configuring RADIUSA-8308640-15.1 Rev 00Parameter: IP EnablePath: Protocols > Global Protocols > RADIUS > Edit RADIUS > Dial-In Protocol &g

Site Manager Parameters308640-15.1 Rev 00A-9Parameter: IPX EnablePath: Protocols > Global Protocols > RADIUS > Edit RADIUS > Dial-In Proto

308640-15.1 Rev 00B-1Appendix BMonitoring RADIUS Using theBCC show CommandsUse the BCC show commands to display configuration and statistical informat

Configuring RADIUSB-2308640-15.1 Rev 00Online Help for show CommandsTo display a list of command options, enter one of these commands at any BCC promp

Monitoring RADIUS Using the BCC show Commands308640-15.1 Rev 00B-3show radius alertsThe show radius alerts command displays problems with the RADIUS c

Configuring RADIUSB-4308640-15.1 Rev 00show radius clientsThe show radius clients command displays information about the router’s RADIUS configuration

Monitoring RADIUS Using the BCC show Commands308640-15.1 Rev 00B-5show radius servers generalThe show radius servers general command displays informat

Configuring RADIUSB-6308640-15.1 Rev 00show radius servers timersThe show radius servers timers command displays the time-setting information for the

Monitoring RADIUS Using the BCC show Commands308640-15.1 Rev 00B-7show radius stats accountingThe show radius stats accounting command displays all th

Configuring RADIUSB-8308640-15.1 Rev 00show radius stats authenticationThe show radius stats authentication command displays all the RADIUS statistica

308640-15.1 Rev 00C-1Appendix CConfiguration ExamplesThis appendix provides the following configuration examples for a router acting as a RADIUS clien

Configuring RADIUSC-2308640-15.1 Rev 00Configuring RADIUS AuthenticationThis example shows how to configure the router as a RADIUS authentication clie

Configuration Examples308640-15.1 Rev 00C-3Using the BCCTo enable RADIUS and configure the IP addresses for a RADIUS client and server:1.Start configu

Configuring RADIUSC-4308640-15.1 Rev 00To configure the sample network:Site Manager ProcedureYou do this System responds1. In the Configuration Manage

Configuration Examples308640-15.1 Rev 00C-5To select IP:Site Manager ProcedureYou do this System responds1. At the bottom of the RADIUS Client Configu

Configuring RADIUSC-6308640-15.1 Rev 00Configuring RADIUS AccountingThis example explains how to configure the router as a RADIUS accounting client, a

Configuration Examples308640-15.1 Rev 00C-7The next sections explain how to configure the sample network using the BCC and Site Manager.Using the BCCT

308640-15.1 Rev 00ixFiguresFigure 1-1. Sample Network Using RADIUS ...1-3Figure 2-1. BCC Hi

Configuring RADIUSC-8308640-15.1 Rev 0010.To enable RADIUS accounting for the RADIUS client on slot 2, enter:radius-client/2# accounting enabled11.Nav

Configuration Examples308640-15.1 Rev 00C-96. Click on an ISDN connector to assign a line to the pool, following these guidelines:• Site Manager does

Configuring RADIUSC-10308640-15.1 Rev 00To create a backup circuit: Refer to Configuring Dial Services for more information about dial backup circuits

Configuration Examples308640-15.1 Rev 00C-11To enable RADIUS accounting: Site Manager ProcedureYou do this System responds1. In the Configuration Mana

Configuring RADIUSC-12308640-15.1 Rev 00Configuring RADIUS Accounting and AuthenticationThis example explains how to configure the router as a RADIUS

Configuration Examples308640-15.1 Rev 00C-13The next sections explain how to configure the sample network using the BCC and Site Manager.Using the BCC

Configuring RADIUSC-14308640-15.1 Rev 00To configure the RADIUS client and server, and enable RADIUS authentication and accounting on a router slot:Si

Configuration Examples308640-15.1 Rev 00C-15To select IP:Site Manager ProcedureYou do this System responds1. At the bottom of the RADIUS Client Config

308640-15.1 Rev 00D-1Appendix DVendor-Specific AttributesThis appendix shows the Nortel Networks vendor-specific attributes (VSAs) and the dictionary