Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Nortel BayStack switches RADIUS authentication and authorization

Status
Not open for further replies.
ac1dh3ad

ac1dh3ad

Technical User
Oct 22, 2008
25
RU
Hi all,
I wonder if it is possible to configure RADIUS authentication and authorization on nortel switches. I can see from menu that it can, but i need to know if it may work in the way i want. I want to create two AD groups one for read-only and the other for read-write access, then set up MS IAS to grant access to nortel switches. Once i add AD user to one of the newly created groups, user will have appropriate rights: read-only or read-write. I wonder if it is possible to configure nortel switch to authenticate and authorize in this way. I guess i need to send some kind of radius attributes to make nortel switch able to identify user rights according to user's group membership. Any help will be appreciated.
Thank you.
 
Sort by date Sort by votes
Hi

The privilege of user accounts depend on the attributes returning from a RADIUS server. You can set the Service-Type field value to Administrative for read-write access and NAS-Prompt for read-only access on a RADIUS server.
 
Upvote 0 Downvote
Just tried it on BayStack 450-24T with FW:V1.48 SW:v4.5.5.03 ISVN:3, but unsuccessfully. Switch returns Access Denied from RADIUS server. Created two access policies each for AD group: RW and RO, one profile containing Service-Type attribute Administrative and other NAS-Prompt. Do i need to send some other attributes too? What authentication methods supported by Nortel switches, CHAP, PAP? Is there any Nortel document, link or tutorial that may help me too?
 
Upvote 0 Downvote
Hi

On the AD server, I only select MS-CHAP v2, PAP and SPAP as authenticaiton types. The return attributes I post previously work on ERS5500, ES425, and ERS4500 in my lab. Maybe you should check the log on your AD server and will figure out what cause the issue.

Cheers
 
Upvote 0 Downvote
If you are using RADIUS for switch management then there is no authentication protocol used.

You connect to the switch with telnet and the switch passes on your login name/password to the Radius server with the normal encrypted Radius MD5 hash of the shared secret.

I've never used MS-IAS does it show anything in the logs?
 
Upvote 0 Downvote
Something strange happens with RADIUS authentication on BayStack 450 (FW:V1.48 SW:v4.5.5.03 ISVN:3). I have just created another two accounts (short and without special character "-") and it works. Is there any known issues regarding RADIUS in BayStack software? I have examined software release notes, but could find nothing. Or is there any restrictions when creating accounts (maximum account/password lenght, restricted characters, etc.)?
 
Upvote 0 Downvote
Both username and password should be less than or equal to 15 characters. Although AD allows to create longer usernames and passwords, switch allows only 15 characters to be passed.
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

AShammah
  • Locked
  • Question
Nortel/Spectralink 2211/2210 lasted firmware
Replies
0
Views
202
AShammah
AShammah
UnderTheBusAsUsual
  • Question
Avaya IPO with OneCom and Gamma SIP trunks
Replies
1
Views
276
Firebird Scrambler
Firebird Scrambler
BSmith01
  • Locked
  • Question
Nortel Opt61C Meridian Mail Issue..
Replies
2
Views
107
ipohead
ipohead
VRRyan
  • Locked
  • Question
Nortel 5520-48T-PWR Console Issues
Replies
0
Views
139
VRRyan
VRRyan
PPrash
  • Locked
  • Question
Nortel/ Avaya Boss & Diag files for ERS switches
Replies
0
Views
70
PPrash
PPrash

Part and Inventory Search

Sponsor

Back
Top