Management Access to Avaya 8300/8600 Switch via NAC RADIUS Server.

Question, updated 4 years ago
There is an Avaya 8300 switch and NAC.
I need to log in to the switch CLI for management via NAC RADIUS. In the documentation for the Avaya 8300 switch I read that there is an Avaya VSA, "Access-Priority", which needs to be sent in the RADIUS Accept message from the RADIUS server to get management access to the Avaya switch. But I can't access the switch!
I've done a TCP dump and saw that there is no Access-Priority attribute in the RADIUS Accept packet. Standard attributes (e.g. Service-Type or Tunnel-Group-Id and others) are sent by the RADIUS server. I think this is because the NAC RADIUS server does not know the Avaya VSAs.
So, can I do something to resolve this problem? I don't want to go deep into the NAC's file system to find the FreeRADIUS attributes file and write this attribute myself. Maybe there is some tool to do it from the GUI, or some other way to do it without the risk of breaking the NAC system?

Thanks.

Mikhail


Posted 4 years ago


Markus, Employee

Hi Mikhail,

For Avaya-branded firmware versions you don't need to worry about Avaya VSAs. For Nortel-branded firmware versions it is/was more "complicated" and is configured differently.

In your case, just add the following line to the RADIUS Return Attributes for your Avaya
switch(es) in NAC Manager -> Switches Tab -> Edit Switch -> RADIUS Return Attributes, select
the one you are currently using: 


Service-Type=%Custom1%        (or %Custom2%...%Custom5%)


In the NAC Profile which is used/applied for CLI access, just use the following values in
the Custom1 to Custom5 fields, whichever you used in the above defined RADIUS Return Attribute:

A value of "6" gives you admin/RW privileges in the CLI (telnet/SSH).
A value of "7" gives you read-only privileges. 

That's basically it, and it has worked so far for all Avaya switches.

Hope this helps.

Kind regards,

Markus





Mikhail

Thanks, Markus.

We've done everything you wrote, and it works with Avaya 4500 switches: Service-Type=6 gives rw access, Service-Type=7 gives ro access. That's OK with the 4500 switches.
But this does not work with Avaya 8300 and 8600 switches! We have no CLI access to the switches. Maybe, as you wrote before, there is Nortel-branded firmware on the 8300/8600...

In the documentation (Authentication, Authorization and Accounting (AAA) for ERS and ES Technical Configuration Guide (Document Number: NN48500-558) http://downloads.avaya.com/css/P8/documents/100123717) I've read that there is an Avaya VSA "Access-Priority" for management access to 8300 and 8600 switches... But this attribute is invalid for NAC: I can't enter it in RADIUS Attributes to Send, I get an error message. I think NAC doesn't know about Avaya VSAs.

If so, can I add this attribute to the NAC RADIUS server? Or is there no way to do this?

Kind regards, Mikhail.

Markus, Employee

Thank you very much for your feedback, Mikhail.

I understand and remember this from my past Nortel experience.

In the past I just defined such vendor VSAs in cleartext as a RADIUS Return Attribute
in NAC Manager and it worked; maybe those VSAs were already present in
the "dictionaries" of the FreeRADIUS version which came with the NAC version at that
time. This was more Cisco related.

If this didn't work, then "Dictionaries" is the term/topic you need to look at now.
http://freeradius.org/features/vendors.html

With my next answer I will give you the working path to the dictionaries on our
NAC appliances (you might find them on your own ;-)), and try to give you an example of
how to modify a dictionary, add a new one, or replace the current Avaya/Nortel dictionary or the VSA strings in the Nortel or Avaya dictionary.
After that a restart of the NAC services is needed (nacctl restart).

The FreeRADIUS guys always try to get the newest dictionaries from the vendors.
You might also try to google for them, or try to get them from Avaya support as
well.

Just as hint... there are actually Bay, Nortel and Avaya dictionaries.

It looks like you need to state "Passport-Access-Priority=<value>", not just
"Access-Priority". Give it a try. I think those dictionaries from Bay
and Nortel are included and already contain these attributes; they are quite old.


https://www.opensource.apple.com/source/freeradius/freeradius-36/freeradius/share/dictionary.bay

# Passport 8000 Series Specific Attributes
#
ATTRIBUTE	Passport-Access-Priority		192	integer

VALUE	Passport-Access-Priority	None-Access		0
VALUE	Passport-Access-Priority	Read-Only-Access	1
VALUE	Passport-Access-Priority	L1-Read-Write-Access	2
VALUE	Passport-Access-Priority	L2-Read-Write-Access	3
VALUE	Passport-Access-Priority	L3-Read-Write-Access	4
VALUE	Passport-Access-Priority	Read-Write-Access	5
VALUE	Passport-Access-Priority	Read-Write-All-Access	6

https://github.com/FreeRADIUS/freeradius-server/blob/master/share/dictionary.nortel

http://code.metager.de/source/xref/freeradius/server/share/dictionary.nortel

https://downloads.avaya.com/elmodocs2/p330/P330/Configuring%20FreeRadius.pdf


I will try and see, what I can find and get for you as well.

Kind regards,

Markus





Markus, Employee

For the 8600 it might be those...

https://github.com/FreeRADIUS/freeradius-server/blob/master/share/dictionary.nortel

VENDOR Nortel 562
BEGIN-VENDOR	Nortel


ATTRIBUTE Nortel-User-Role 110 string


ATTRIBUTE Nortel-Privilege-Level 166 integer


ATTRIBUTE Passport-Command-Scope 200 integer
ATTRIBUTE Passport-Command-Impact 201 integer
ATTRIBUTE Passport-Customer-Identifier 202 integer
ATTRIBUTE Passport-Allowed-Access 203 integer
ATTRIBUTE Passport-AllowedOut-Access 204 integer
ATTRIBUTE Passport-Login-Directory 205 string
ATTRIBUTE Passport-Timeout-Protocol 206 integer
ATTRIBUTE Passport-Role 207 string

Kind regards, Markus

Mikhail

Thanks a lot.
But the problem is not solved yet.
 
In the document https://support.avaya.com/public/index?page=content&id=SOLN182138&group=UG_PUBLIC I read that in the RADIUS dictionary I need to add the following RADIUS VSAs:
ATTRIBUTE Access-Priority-Attribute 192 integer Passport 
ATTRIBUTE Cli-Commands 193 string Passport 
ATTRIBUTE Command-Access 194 integer Passport 
ATTRIBUTE Commands 195 string Passport

With your help, it became clear that the access-priority (192) attribute in NAC's RADIUS is Passport-Access-Priority. However, I could not find the rest of the attributes...

Do I have to write them in the RADIUS dictionary myself? Or maybe they're there, but I can't find them? Help, please.
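The dictionary fragments quoted in this thread (Markus's dictionary.bay and dictionary.nortel excerpts, and the four-column "ATTRIBUTE name number type Passport" lines from the Avaya solution note) are all FreeRADIUS dictionary syntax, and the errors Mikhail hit come down to whether the attribute name typed into a return-attribute field exists in some loaded dictionary. The following is an added example, not code from the thread, from Extreme Networks or from Avaya: a small parser for that syntax that resolves an "Attribute=Value" pair to (vendor enterprise number, attribute number, encoded value) and reports pairs that no dictionary can encode, so a dictionary edit can be checked offline before nacctl restart. It handles both the BEGIN-VENDOR block style and the older trailing-vendor-column style. The sample dictionary is constructed inline: the Passport and Nortel lines are the ones quoted above, the Service-Type values are the RFC 2865 base-dictionary entries, and the Bay-Networks enterprise number 1584 is assumed here because the thread does not show that VENDOR line.

```python
"""Added example, not code from the thread or from Extreme/Avaya: a minimal parser for
FreeRADIUS dictionary files, used to check that a RADIUS return attribute such as
Passport-Access-Priority=Read-Write-All-Access actually resolves before NAC is restarted."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple, Union

# Constructed sample: the Passport/Nortel lines are the fragments quoted in the thread,
# the Service-Type lines are the RFC 2865 base-dictionary entries, and the Bay-Networks
# enterprise number 1584 is assumed here (the thread shows no VENDOR line for it).
SAMPLE_DICTIONARY = """
ATTRIBUTE   Service-Type              6     integer
VALUE       Service-Type              Administrative-User     6
VALUE       Service-Type              NAS-Prompt-User         7
VENDOR      Bay-Networks              1584
BEGIN-VENDOR Bay-Networks
# Passport 8000 Series Specific Attributes
ATTRIBUTE   Passport-Access-Priority  192   integer
VALUE       Passport-Access-Priority  Read-Only-Access        1
VALUE       Passport-Access-Priority  Read-Write-All-Access   6
END-VENDOR  Bay-Networks
VENDOR      Nortel                    562
BEGIN-VENDOR Nortel
ATTRIBUTE   Nortel-User-Role          110   string
ATTRIBUTE   Nortel-Privilege-Level    166   integer
END-VENDOR  Nortel
"""

MODERN_FLAGS = ("has_tag", "concat", "virtual")   # 5th-column flags in newer dictionaries


@dataclass
class Attribute:
    name: str
    number: int
    type: str
    vendor: Optional[str]                  # None for standard (RFC) attributes
    values: Dict[str, int] = field(default_factory=dict)   # named VALUE entries


@dataclass
class Dictionary:
    vendors: Dict[str, int] = field(default_factory=dict)          # name -> enterprise number
    attributes: Dict[str, Attribute] = field(default_factory=dict)


def parse_dictionary(text: str) -> Dictionary:
    """Parse VENDOR, BEGIN-VENDOR, END-VENDOR, ATTRIBUTE and VALUE lines. Accepts both
    the BEGIN-VENDOR block style and the old 'ATTRIBUTE name num type Vendor' style."""
    d = Dictionary()
    current_vendor: Optional[str] = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        parts = raw.split("#", 1)[0].split()      # strip comments; skip blank lines
        if not parts:
            continue
        keyword = parts[0].upper()
        try:
            if keyword == "VENDOR":
                d.vendors[parts[1]] = int(parts[2], 0)
            elif keyword == "BEGIN-VENDOR":
                if parts[1] not in d.vendors:
                    raise ValueError(f"line {lineno}: BEGIN-VENDOR for unknown vendor {parts[1]}")
                current_vendor = parts[1]
            elif keyword == "END-VENDOR":
                current_vendor = None
            elif keyword == "ATTRIBUTE":
                vendor = current_vendor
                if len(parts) > 4:                 # trailing column: vendor name or flags
                    if parts[4] in d.vendors:
                        vendor = parts[4]
                    elif "=" not in parts[4] and parts[4] not in MODERN_FLAGS:
                        raise ValueError(f"line {lineno}: unknown vendor {parts[4]!r}")
                d.attributes[parts[1]] = Attribute(parts[1], int(parts[2], 0), parts[3].lower(), vendor)
            elif keyword == "VALUE":               # KeyError here means VALUE before its ATTRIBUTE
                d.attributes[parts[1]].values[parts[2]] = int(parts[3], 0)
            # $INCLUDE and other keywords are ignored by this minimal parser
        except (IndexError, KeyError) as exc:
            raise ValueError(f"line {lineno}: malformed {keyword} entry: {raw.strip()}") from exc
    return d


def resolve(d: Dictionary, pair: str) -> Tuple[Optional[int], int, Union[int, str]]:
    """Resolve 'Attribute=Value' (as typed into a return-attribute field) to
    (vendor enterprise number or None, attribute number, encoded value)."""
    name, sep, value = (s.strip() for s in pair.partition("="))
    if not sep:
        raise ValueError(f"{pair!r} is not of the form Attribute=Value")
    attr = d.attributes.get(name)
    if attr is None:
        raise KeyError(f"attribute {name!r} is not defined in any loaded dictionary")
    if attr.type != "integer":
        encoded: Union[int, str] = value
    elif re.fullmatch(r"-?\d+", value):         # a bare number is always accepted
        encoded = int(value)
    elif value in attr.values:                  # named VALUE, e.g. Read-Write-All-Access
        encoded = attr.values[value]
    else:
        raise ValueError(f"{value!r} is neither a number nor a named VALUE of {name}")
    vendor_id = d.vendors[attr.vendor] if attr.vendor else None
    return vendor_id, attr.number, encoded


def check_return_attributes(d: Dictionary, pairs: List[str]) -> List[Tuple[str, str]]:
    """Return (pair, reason) for every return attribute the dictionaries cannot encode."""
    problems = []
    for pair in pairs:
        try:
            resolve(d, pair)
        except (KeyError, ValueError) as exc:
            problems.append((pair, str(exc)))
    return problems
```

Running `check_return_attributes(parse_dictionary(SAMPLE_DICTIONARY), ["Service-Type=6", "Access-Priority=6", "Passport-Access-Priority=Read-Write-All-Access"])` flags only "Access-Priority=6", which mirrors the error NAC Manager gave: the bare name from the Avaya guide is not in any dictionary, while the Bay dictionary's Passport-Access-Priority resolves to vendor 1584, attribute 192, value 6. Feeding the parser the four-column lines from the solution note without a matching VENDOR line raises an unknown-vendor error, which is the condition to fix before restarting the services.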