Nortel BayStack switches RADIUS authentication and authorization

ac1dh3ad (Technical User, RU), Oct 22, 2008

Hi all,
I wonder if it is possible to configure RADIUS authentication and authorization on Nortel switches. I can see from the menu that it can, but I need to know if it may work in the way I want. I want to create two AD groups, one for read-only and the other for read-write access, then set up MS IAS to grant access to the Nortel switches. Once I add an AD user to one of the newly created groups, the user will have the appropriate rights: read-only or read-write. I wonder if it is possible to configure the Nortel switch to authenticate and authorize in this way. I guess I need to send some kind of RADIUS attributes to make the Nortel switch able to identify user rights according to the user's group membership. Any help will be appreciated.
Thank you.
 
Hi

The privilege of user accounts depends on the attributes returned from the RADIUS server. You can set the Service-Type field value to Administrative for read-write access and NAS-Prompt for read-only access on the RADIUS server.
 
Just tried it on a BayStack 450-24T with FW:V1.48 SW:v4.5.5.03 ISVN:3, but unsuccessfully. The switch returns Access Denied from the RADIUS server. I created two access policies, one for each AD group (RW and RO), one profile containing the Service-Type attribute Administrative and the other NAS-Prompt. Do I need to send some other attributes too? Which authentication methods are supported by Nortel switches, CHAP, PAP? Is there any Nortel document, link or tutorial that may help me too?
 
Hi

On the AD server, I only select MS-CHAP v2, PAP and SPAP as authentication types. The return attributes I posted previously work on ERS5500, ES425, and ERS4500 in my lab. Maybe you should check the log on your AD server and you will figure out what causes the issue.

Cheers
 
If you are using RADIUS for switch management then there is no authentication protocol used.

You connect to the switch with telnet and the switch passes on your login name/password to the RADIUS server with the normal encrypted RADIUS MD5 hash of the shared secret.

I've never used MS-IAS; does it show anything in the logs?
 
Something strange happens with RADIUS authentication on the BayStack 450 (FW:V1.48 SW:v4.5.5.03 ISVN:3). I have just created another two accounts (short and without the special character "-") and it works. Are there any known issues regarding RADIUS in BayStack software? I have examined the software release notes, but could find nothing. Or are there any restrictions when creating accounts (maximum account/password length, restricted characters, etc.)?
 
Both username and password should be 15 characters or fewer. Although AD allows you to create longer usernames and passwords, the switch allows only 15 characters to be passed.
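The three mechanisms the replies above describe (Service-Type Administrative versus NAS-Prompt deciding read-write or read-only, the User-Password hidden with MD5 of the shared secret and Request Authenticator, and the 15-character credential limit) are put together below in a small RFC 2865 exchange. This is an added worked example, not code from the thread or from Nortel or Microsoft IAS. The shared secret, the user table, and the way the switch side simply truncates credentials to 15 characters are constructed assumptions; the thread only states the limit, not how the switch enforces it.

```python
"""Minimal RFC 2865 RADIUS login exchange: switch builds an Access-Request with a
hidden User-Password; server answers Access-Accept with Service-Type = Administrative (6)
or NAS-Prompt (7); switch verifies the Response Authenticator and maps the privilege."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_SERVICE_TYPE = 1, 2, 6
SERVICE_TYPE_ADMINISTRATIVE = 6   # read-write on the switch
SERVICE_TYPE_NAS_PROMPT = 7       # read-only on the switch
MAX_CRED_LEN = 15                 # BayStack limit reported in the thread

SECRET = b"constructed-secret"    # constructed shared secret, example only
# Constructed user table: name -> (password, Service-Type the server returns).
USERS = {
    "netadmin": ("Sw1tchRW", SERVICE_TYPE_ADMINISTRATIVE),
    "helpdesk": ("R3adOnly", SERVICE_TYPE_NAS_PROMPT),
    "longpass": ("abcdefghijklmnop", SERVICE_TYPE_ADMINISTRATIVE),  # 16-char password
}


def hide_password(password, secret, req_auth):
    """RFC 2865 5.2: pad to 16-byte blocks; c_i = p_i XOR MD5(secret + c_{i-1}),
    with c_0 = Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev
    return out


def unhide_password(hidden, secret, req_auth):
    """Inverse of hide_password; strips the NUL padding."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attr(attr_type, value):
    """Type-Length-Value attribute; Length includes the 2-byte header."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attrs(data):
    attrs, i = {}, 0
    while i < len(data):
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs[attr_type] = data[i + 2:i + length]
        i += length
    return attrs


def access_request(username, password, secret, ident=1):
    req_auth = os.urandom(16)      # Request Authenticator, fresh per request
    body = attr(ATTR_USER_NAME, username.encode()) + attr(
        ATTR_USER_PASSWORD, hide_password(password.encode(), secret, req_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + req_auth + body


def server_respond(request, secret, users=USERS):
    """Server: recover the password, decide, sign the reply with the Response Authenticator."""
    _, ident, length = struct.unpack("!BBH", request[:4])
    req_auth = request[4:20]
    attrs = parse_attrs(request[20:length])
    entry = users.get(attrs.get(ATTR_USER_NAME, b"").decode(errors="replace"))
    password = unhide_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, req_auth)
    if entry and hmac.compare_digest(entry[0].encode(), password):
        code, body = ACCESS_ACCEPT, attr(ATTR_SERVICE_TYPE, struct.pack("!I", entry[1]))
    else:
        code, body = ACCESS_REJECT, b""
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return header + hashlib.md5(header + req_auth + body + secret).digest() + body


def switch_privilege(response, request, secret):
    """Switch: check the reply was made by the holder of the secret, then map Service-Type."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    body = response[20:length]
    expected = hashlib.md5(response[:4] + request[4:20] + body + secret).digest()
    if ident != request[1] or not hmac.compare_digest(expected, response[4:20]):
        raise ValueError("bad Response Authenticator: wrong shared secret or forged reply")
    if code != ACCESS_ACCEPT:
        return "denied"
    service_type = parse_attrs(body).get(ATTR_SERVICE_TYPE)
    if service_type is None:       # Accept without Service-Type gives the switch nothing to map
        return "denied"
    value = struct.unpack("!I", service_type)[0]
    return {SERVICE_TYPE_ADMINISTRATIVE: "read-write",
            SERVICE_TYPE_NAS_PROMPT: "read-only"}.get(value, "denied")


def login(username, password, secret=SECRET):
    """Whole exchange as seen from the switch. Truncating to 15 characters is an assumed
    model of the BayStack limit: a longer AD password then never matches and you get 'denied'."""
    username, password = username[:MAX_CRED_LEN], password[:MAX_CRED_LEN]
    request = access_request(username, password, secret)
    return switch_privilege(server_respond(request, secret), request, secret)
```

Running `login("netadmin", "Sw1tchRW")` yields read-write and `login("helpdesk", "R3adOnly")` yields read-only, while `login("longpass", "abcdefghijklmnop")` is denied because the switch side only ever sends the first 15 characters, which is the symptom reported earlier in the thread. Note that the User-Password hiding is an MD5 stream mask keyed by the shared secret, not real encryption; anyone on the path who knows or guesses the secret can recover the password, so the shared secret needs the same care as the passwords it protects.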
 