not logged in | [Login]
This page is currently: "Work in Progress"
If you have questions or suggestions, you can reach me via Twitter: BennyE_HH
Alcatel-Lucent Enterprise runs various product lines. In the beginning this page will focus on the configuration of/for OmniSwitch products.
The Alcatel-Lucent OmniSwitch Vendor-Specific-Attributes (VSA) run as "Vendor ID" 800, hence you'll have to use the "XYLAN" dictionary.
The products run the "Alcatel-Lucent Operating System" (AOS) in two major release trees.
Note: Not all features are shared/available across the product lines, I'll do my best to pin-point what works in which release!
AOS Release 6
AOS Release 7
If you want to access the OmniSwitch via Telnet/SSH/WebView and authenticate the user via Radius, follow the steps below.
By default all access to the switch is limited to "console access" (User: admin, Password: switch) Except for SSH if the switch obtained an IP address via DHCP, then SSH will be available for initial remote configuration (that is the case below).
-> show aaa authentication
Service type = Default
Authentication = denied
Service type = Console
1st authentication server = local
Service type = Telnet
Authentication = Use Default,
Authentication = denied
Service type = Ftp
Authentication = Use Default,
Authentication = denied
Service type = Http
Authentication = Use Default,
Authentication = denied
Service type = Snmp
Authentication = Use Default,
Authentication = denied
Service type = Ssh
1st authentication server = local
On the switch, configure the following ...
-> aaa radius-server freeradius host 192.168.2.103 key verysecret
-> aaa authentication ssh freeradius local
-> show aaa server freeradius
Server name = freeradius
Server type = RADIUS,
IP Address 1 = 192.168.2.103,
Retry number = 3,
Time out (sec) = 2,
Authentication port = 1812,
Accounting port = 1813
Note: Please don't use "verysecret" as your key, it is just meant as a placeholder!
On the Radius ...
/etc/freeradius/clients.conf
client 192.168.2.106/24 {
secret = verysecret
shortname = OmniSwitch
}
/etc/freeradius/users
To create an admin account that has full read-write privileges is straight forward:
admin Cleartext-Password := "password"
Xylan-Asa-Access = "all",
Xylan-Acce-Priv-F-W1 = 0xFFFFFFFF,
Xylan-Acce-Priv-F-W2 = 0xFFFFFFFF
Now let us assume you want to create an "read-only" user that can see all aspects of the configuration.
(This is the bad example! Showcasing the most common mistake ...)
readadmin Cleartext-Password := "password"
Xylan-Asa-Access = "all",
Xylan-Acce-Priv-R1 = 0xFFFFFFFF,
Xylan-Acce-Priv-R2 = 0xFFFFFFFF
If you just use the configuration above, you'll see the following error message:
Benny$ ssh readadmin@192.168.2.106
readadmin's password for keyboard-interactive method:
PTY allocation request failed on channel 0
Instead the entry needs to look like this:
readadmin Cleartext-Password := "password"
Xylan-Asa-Access = "all",
Xylan-Acce-Priv-F-R1 = 0xFFFFFFFF,
Xylan-Acce-Priv-F-R2 = 0xFFFFFFFF,
Xylan-Acce-Priv-F-W1 = 0x00000002,
Xylan-Acce-Priv-F-W2 = 0x00000000
The result should look like this:
Benny$ ssh readadmin@192.168.2.106
readadmin's password for keyboard-interactive method:
Welcome to the Alcatel-Lucent OmniSwitch 6450
Software Version 6.6.3.451.R01 Service Release, December 20, 2012.
Copyright(c), 1994-2012 Alcatel-Lucent. All Rights reserved.
OmniSwitch(TM) is a trademark of Alcatel-Lucent registered
in the United States Patent and Trademark Office.
->
-> vlan 20 enable
ERROR: Authorization failed. No functional privileges for this command
-> show vlan
stree mble src
vlan type admin oper 1x1 flat auth ip tag lrn name
-----+-----+------+------+------+------+----+-----+-----+------+----------
1 std on on on on off on off on VLAN 1
10 std on off on on off off off on VLAN 10
Although we just want to give "read-only" access to the OmniSwitch, we'll need to allow "read-write" for the access method, in this case SSH. The domains/command family values are simply added to the read-only or read-write entries.
You can get the values for the various commands/domains either via the CLI or by using the "Bitmap Calculator" that is accessible through the WebView of the AOS.
TODO ----- @freeRADIUS Administrator: Can we maybe host the pictures here? -----
-> show aaa priv hexa ?
^
WEBMGT VRRP VLAN UDLD TFTP-CLIENT TELNET SYSTEM STP SSH
SNMP SESSION SCP-SFTP RMON RIP RDP QOS PORT-MAPPING
POLICY PMM NTP NONE MODULE LOOPBACK-DETECTION LLDP
LINKAGG IPV6 IPMS IPMR IP-ROUTING IP-HELPER IP INTERFACE
HEALTH FILE DSHELL DOMAIN-SYSTEM DOMAIN-SERVICE
DOMAIN-SECURITY DOMAIN-POLICY DOMAIN-PHYSICAL
DOMAIN-NETWORK DOMAIN-LAYER2 DOMAIN-ADMIN DNS DHCP-SERVER
DEBUG CONFIG CHASSIS BRIDGE AVLAN ALL AIP AAA 802.1Q <cr>
(AAA & Configuration Mgr Command Set)
-> show aaa priv hexa ssh
0x00000002 0x00000000
-> show aaa priv hexa telnet
0x00000008 0x00000000
-> show aaa priv hexa ssh telnet
0x0000000a 0x00000000
The first value goes in R1/W1 and the second value in R2/W2, pretty easy (if you once figured it out). The advantage is that at login the "allowed set of commands" is known by the switch without any further interaction with the Radius during the session.
As you can see above, you can do the calculation on the switch as well if you provide the commands/domains.
That said, a read-only user for all domains with SSH + Telnet access would look like this:
readadmin Cleartext-Password := "password"
Xylan-Asa-Access = "all",
Xylan-Acce-Priv-F-R1 = 0xFFFFFFFF,
Xylan-Acce-Priv-F-R2 = 0xFFFFFFFF,
Xylan-Acce-Priv-F-W1 = 0x0000000A,
Xylan-Acce-Priv-F-W2 = 0x00000000
Please don't forget that you'll have to add the following command on your OmniSwitch if you want Telnet to query the Radius.
-> aaa authentication telnet freeradius local
Read this if you want to authenticate MAC-ADDRESSES through the Radius server.
On OmniSwitch:
-> aaa radius-server "freeradius" host 192.168.2.103 key verysecret
-> vlan port mobile 1/2
-> vlan port 1/2 802.1x enable
-> aaa authentication 802.1x freeradius
-> aaa authentication mac freeradius
The OmniSwitch created the following template automatically for you:
-> show configuration snapshot aaa
...
! 802.1x :
802.1x 1/2 direction both port-control auto quiet-period 60 tx-period 30 supp-timeout 30 server-timeout 30 max-req 2 re-authperiod 3600 no reauthentication
802.1x 1/2 captive-portal session-limit 12 retry-count 3
802.1x 1/2 supp-polling retry 2
802.1x 1/2 captive-portal inactivity-logout disable
802.1x 1/2 supplicant policy authentication pass group-mobility default-vlan fail block
802.1x 1/2 non-supplicant policy block
802.1x 1/2 captive-portal policy authentication pass default-vlan fail block
This is a secure (802.1x enabled) starting point, but we want to look at MAC-ADDRESS (non-supplicant) authentication first.
-> 802.1x 1/2 non-supplicant policy authentication pass default-vlan fail block
It is important to note the "policy authentication" keyword, as otherwise the MAC-ADDRESS will not be sent for verification to the Radius. In case of success we'll place the user in default-vlan, if not block.
If you now connect your workstation to the port, you'll see a request like the following at the Radius
rad_recv: Access-Request packet from host 192.168.2.106 port 1028, id=6, length=76
User-Name = "001EECAAAAAA"
User-Password = "001EECAAAAAA"
NAS-IP-Address = 192.168.2.106
NAS-Port = 1002
NAS-Port-Type = Ethernet
Service-Type = Call-Check
Note that the OmniSwitch sends the MAC-ADDRESS in UPPERCASE for username/password. TODO: Document how to change that... (it is possible)
In case that the authentication failed, you can verify the same on AOS CLI:
-> show 802.1x non-supplicant
Slot MAC MAC Authent Classification Vlan
Port Address Status Policy Learned
-----+-----------------+----------------+-------------------+--------
01/02 00:1e:ec:aa:aa:aa Failed Basic-Blk 1
Now we add an entry to the /etc/freeradius/users for that MAC-ADDRESS:
001EECAAAAAA Cleartext-Password := "001EECAAAAAA"
The authentication should now be successful, verify like this:
-> show 802.1x non-supplicant
Slot MAC MAC Authent Classification Vlan
Port Address Status Policy Learned
-----+-----------------+----------------+-------------------+--------
01/02 00:1e:ec:aa:aa:aa Authenticated Basic-Dft VLAN 1
Now let us assume that you want to place the user in a different VLAN (Dynamic VLAN Assignment) via Radius. There are two ways to do that ... (VLAN 20 is our plan)
1.) Use the Vendor-Specific-Attribute (Xylan-Auth-Group)
The entry in /etc/freeradius/users for that MAC-ADDRESS should look like this:
001EECAAAAAA Cleartext-Password := "001EECAAAAAA"
Xylan-Auth-Group = 20
The following looks good ...
Sending Access-Accept of id 22 to 192.168.2.106 port 1029
Xylan-Auth-Group = 20
Here is the confirmation:
-> show 802.1x non-supplicant
Slot MAC MAC Authent Classification Vlan
Port Address Status Policy Learned
-----+-----------------+----------------+-------------------+--------
01/02 00:1e:ec:aa:aa:aa Authenticated Basic-Auth Svr 20
2.) Use the standardised way (IEEE)
The entry in /etc/freeradius/users for that MAC-ADDRESS should look like this:
001EECAAAAAA Cleartext-Password := "001EECAAAAAA"
Tunnel-Medium-Type = IEEE-802,
Tunnel-Type = VLAN,
Tunnel-Private-Group-ID = 20
The following looks good ...
Sending Access-Accept of id 23 to 192.168.2.106 port 1029
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Type:0 = VLAN
Tunnel-Private-Group-Id:0 = "20"
Here is the confirmation:
-> show 802.1x non-supplicant
Slot MAC MAC Authent Classification Vlan
Port Address Status Policy Learned
-----+-----------------+----------------+-------------------+--------
01/02 00:1e:ec:aa:aa:aa Authenticated Basic-Auth Svr 20
TODO
Work in Progress
Brainstorm/TODO by Benny:
Sponsored by Network RADIUS 