Question

Management Access to Avaya 8300/8600 Switch via NAC RADIUS Server.


There is an Avaya 8300 switch and a NAC.
I need management login to the switch CLI via the NAC RADIUS server. In the documentation for the Avaya 8300 switch I read that there is an Avaya VSA, "Access-Priority", which needs to be sent in the RADIUS Accept message from the RADIUS server to get mgmt access to the Avaya switch. But I can't get access to the switch!
I've done a tcpdump and saw that there is no Access-Priority attribute in the RADIUS Accept packet. Standard attributes (e.g. Service-Type or Tunnel-Group-Id and others) are sent by the RADIUS server. I think this is because the NAC RADIUS server does not know the Avaya VSAs.
So, can I do something to resolve this problem? I don't want to go deep into the NAC's file system to find the FreeRADIUS attributes file and write this attribute myself. Maybe there is some tool to do it from the GUI, or some other way to do it without the risk of breaking the NAC system?

Thanks.

5 replies

Hi Mikhail,

For Avaya branded firmware versions you don't need to worry about Avaya VSAs. For Nortel branded firmware versions it is/was more "complicated" and different to configure.

In your case, just add the following line to the RADIUS Return Attributes for your Avaya switch(es) in NAC Manager -> Switches Tab -> Edit Switch -> RADIUS Return Attributes, select the one you are currently using:

Service-Type=%Custom1% (or %Custom2%...%Custom5%)

In the NAC Profile which is used/applied for CLI access, just use the following values in the Custom1 to Custom5 fields, whichever you used in the above defined RADIUS Return Attribute:

A value of "6" gives you admin/RW privileges in the CLI (telnet/SSH).
A value of "7" gives you read-only privileges.

That's basically it, and it has worked so far for any Avaya switch.

Hope this helps.

Kind regards,

Markus

Thanks, Markus.

We've done all you wrote, and it works with Avaya 4500 switches: Service-Type=6 gives rw access, Service-Type=7 gives ro access. That's OK with the 4500 switches.
But this does not work with Avaya 8300 and 8600 switches! We have no CLI access to the switches. Maybe, as you wrote before, there is Nortel branded firmware on the 8300/8600...

In the documentation (Authentication, Authorization and Accounting (AAA) for ERS and ES Technical Configuration Guide, Document Number NN48500-558, http://downloads.avaya.com/css/P8/documents/100123717) I've read that there is an Avaya VSA "Access-Priority" for mgmt access to 8300 and 8600 switches... But this attribute is invalid for NAC; I can't write it in the RADIUS Attributes to Send, I get an error message. I think NAC doesn't know about Avaya VSAs.

If so, can I add this attribute to the NAC RADIUS server? Or is there no way to do this?

Kind regards, Mikhail.

Thank you very much for your feedback, Mikhail.

I understand and remember this from my past Nortel experience.

In the past I just defined such vendor VSAs in cleartext as RADIUS Return Attributes in NAC Manager and it worked; maybe those VSAs had already been present in the "dictionaries" of the FreeRADIUS version which came with the NAC version at that time. This was more Cisco related.

If this didn't work, then "Dictionaries" is the term/topic you need to look at now.
http://freeradius.org/features/vendors.html

With my next answer I will give you the working path of the dictionaries on our NAC appliances (you might find them on your own 😉) and try to give you an example of how to modify a dictionary, add a new one, or replace the current Avaya/Nortel dictionary or the VSA strings in the Nortel or Avaya dictionary.
After that a restart of the NAC services is needed (nacctl restart).

The FreeRADIUS guys always try to get the newest dictionaries from the vendors. You might also try to google for them or try to get them from Avaya support as well.

Just as a hint... there are actually Bay, Nortel and Avaya dictionaries.

It looks like you need to state "Passport-Access-Priority=", not just "Access-Priority". Give it a try. I think those dictionaries from Bay and Nortel are included and contain these attributes already; they are quite old.

https://www.opensource.apple.com/source/freeradius/freeradius-36/freeradius/share/dictionary.bay

# Passport 8000 Series Specific Attributes
#
ATTRIBUTE Passport-Access-Priority 192 integer
VALUE Passport-Access-Priority None-Access 0
VALUE Passport-Access-Priority Read-Only-Access 1
VALUE Passport-Access-Priority L1-Read-Write-Access 2
VALUE Passport-Access-Priority L2-Read-Write-Access 3
VALUE Passport-Access-Priority L3-Read-Write-Access 4
VALUE Passport-Access-Priority Read-Write-Access 5
VALUE Passport-Access-Priority Read-Write-All-Access 6

https://github.com/FreeRADIUS/freeradius-server/blob/master/share/dictionary.nortel

http://code.metager.de/source/xref/freeradius/server/share/dictionary.nortel

https://downloads.avaya.com/elmodocs2/p330/P330/Configuring%20FreeRadius.pdf

I will try and see what I can find and get for you as well.

Kind regards,

Markus
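As an added example (not code from this thread, from NAC Manager or from FreeRADIUS), the Python below parses a constructed dictionary excerpt written in FreeRADIUS syntax, encodes Passport-Access-Priority as a Vendor-Specific attribute in the RFC 2865 layout, and scans an Access-Accept's attribute bytes for it, which is the check Mikhail's tcpdump amounted to. The Bay-Networks vendor number 1584 is an assumption taken from dictionary.bay rather than from the thread; the Service-Type values 6 and 7 are the RFC 2865 Administrative-User and NAS-Prompt-User codes.

```python
import struct

# Constructed dictionary excerpt (FreeRADIUS syntax); the VENDOR number is an assumption, see lead-in.
DICTIONARY = """\
ATTRIBUTE Service-Type 6 integer
VALUE Service-Type Administrative-User 6
VALUE Service-Type NAS-Prompt-User 7
VENDOR Bay-Networks 1584
BEGIN-VENDOR Bay-Networks
ATTRIBUTE Passport-Access-Priority 192 integer
VALUE Passport-Access-Priority Read-Write-All-Access 6
"""

def parse_dictionary(text):
    """name -> (vendor_id or None, code, type); name -> {VALUE name: int}."""
    vendors, attrs, values, cur = {}, {}, {}, None
    for p in (l.split() for l in text.splitlines() if l.strip() and not l.startswith("#")):
        if p[0] == "VENDOR":
            vendors[p[1]] = int(p[2])
        elif p[0] in ("BEGIN-VENDOR", "END-VENDOR"):
            cur = vendors[p[1]] if p[0] == "BEGIN-VENDOR" else None
        elif p[0] == "ATTRIBUTE":
            attrs[p[1]] = (cur, int(p[2]), p[3])
        elif p[0] == "VALUE":
            values.setdefault(p[1], {})[p[2]] = int(p[3])
    return attrs, values

def encode_attr(attrs, values, name, value):
    """One RADIUS TLV; a VSA takes the RFC 2865 5.26 form 26|len|Vendor-Id|vtype|vlen|data."""
    vendor_id, code, kind = attrs[name]
    data = (struct.pack("!I", int(values.get(name, {}).get(value, value)))
            if kind == "integer" else str(value).encode())
    if vendor_id is not None:  # nest vendor type/length inside attribute 26
        data, code = struct.pack("!IBB", vendor_id, code, 2 + len(data)) + data, 26
    return struct.pack("!BB", code, 2 + len(data)) + data

def find_attr(blob, attrs, name):
    """Walk an Access-Accept's attribute bytes; decoded value, or None if the server never sent it."""
    vendor_id, code, kind = attrs[name]
    i = 0
    while i + 2 <= len(blob):
        t, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError("malformed attribute at offset %d" % i)
        key, data = t, blob[i + 2:i + length]
        if t == 26 and len(data) >= 6:  # VSA: key becomes (Vendor-Id, vendor type)
            key, data = (struct.unpack("!I", data[:4])[0], data[4]), data[6:4 + data[5]]
        if key == ((vendor_id, code) if vendor_id is not None else code):
            return struct.unpack("!I", data)[0] if kind == "integer" else data.decode()
        i += length
    return None
```

An Accept carrying only Service-Type=6 (what the tcpdump showed) yields None for Passport-Access-Priority, while one that also carries the VSA decodes to 6.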

For the 8600 it might be those...

https://github.com/FreeRADIUS/freeradius-server/blob/master/share/dictionary.nortel

VENDOR Nortel 562
BEGIN-VENDOR Nortel

ATTRIBUTE Nortel-User-Role 110 string

ATTRIBUTE Nortel-Privilege-Level 166 integer

ATTRIBUTE Passport-Command-Scope 200 integer
ATTRIBUTE Passport-Command-Impact 201 integer
ATTRIBUTE Passport-Customer-Identifier 202 integer
ATTRIBUTE Passport-Allowed-Access 203 integer
ATTRIBUTE Passport-AllowedOut-Access 204 integer
ATTRIBUTE Passport-Login-Directory 205 string
ATTRIBUTE Passport-Timeout-Protocol 206 integer
ATTRIBUTE Passport-Role 207 string

Kind regards, Markus

Thanks a lot.
But the problem is not solved yet.

In the document https://support.avaya.com/public/index?page=content&id=SOLN182138&group=UG_PUBLIC I read that in the RADIUS dictionary I need to add the following RADIUS VSAs:
ATTRIBUTE Access-Priority-Attribute 192 integer Passport
ATTRIBUTE Cli-Commands 193 string Passport
ATTRIBUTE Command-Access 194 integer Passport
ATTRIBUTE Commands 195 string Passport

With your help, it became clear that the access-priority (192) attribute in NAC's RADIUS is Passport-Access-Priority. However, I could not find the rest of the attributes...

Do I have to write them in the RADIUS dictionary myself? Or maybe they're there, but I can not find them? Help, please.
