Alcatel-Lucent OmniAccess 3500 User Manual
Chapter 5. Initial Configuration
3. Router Configuration — Add a static route to the enterprise router adjacent to the
gateway for every pool of VPN addresses that you allocate for the laptops and
cards (see the description of the Card/Laptop Address Range/Mask parameters in
the Configuration of Basic Parameters section below).
4. Basic Gateway Configuration — Use the pre-configured IP address of the gateway
to set its networking parameters (including the permanent IP addresses of the two
network interfaces) and other basic parameters.
Keytab File Generation on the Active Directory Server
To support the Single Sign-On (SSO) feature of the OmniAccess 3500 NLG platform, it is
necessary that the gateway communicate with the authentication infrastructure of the
enterprise. The OmniAccess 3500 NLG R1.2 only supports Microsoft Active Directory
and RADIUS for end-user authentication. The integration of the OmniAccess 3500 NLG
platform with the Active Directory infrastructure of the enterprise requires the
establishment of a trust relationship between the gateway and the Active Directory
Server (ADS). The following configuration steps enable the establishment of the trust
relationship:
1. Log into the Active Directory Server (ADS) and create a user account (e.g.,
evauth1) and password (e.g., evros123# — do not use this password in practice) in
the Active Directory database. The user account name (evauth1 in the example)
becomes the service part of the Service Principal Name (SPN) of the OmniAccess
3500 NLG authentication service. For the new user account, set the options that
the user (i.e., the OmniAccess 3500 NLG authentication service) is not required to
change the password on the next login and that the password never expires. This
set of credentials is used by the gateway to authenticate itself with the ADS
every time a laptop user seeks Windows NT authentication: if the gateway
credentials were instead set to expire, the authentication of laptop users would
start failing with no apparent reason. Note that the keytab file generated in the
next step holds a key derived from this password, so if the password is ever
changed (for example as part of a scheduled rotation of service account
credentials), the keytab file must be regenerated and uploaded to the gateway
again; otherwise laptop authentication fails in the same way.
2. Create in the ADS the keytab file for the gateway by executing the command
ktpass on the command prompt of the Windows Active Directory Server. Copy the
keytab file to the computer that you will use for the initial configuration of the
gateway. You will eventually upload the keytab file to the gateway, so that the
gateway can use it for authentication with the ADS. Keep in mind that ktpass
with the -pass option resets the password of the mapped account to the value you
supply (ktpass also accepts -pass * to prompt for the password instead of leaving
it in the command history), and that the -crypto DES-CBC-MD5 and +desonly
options in the sample command restrict the account to single-DES keys. DES is a
weak cipher, and domain controllers running Windows Server 2008 R2 or later
disable it by default, so on such a server DES must be explicitly allowed for the
account and the domain before the gateway can authenticate. Treat the keytab file
as a credential: it contains the key of the gateway's authentication service, and
anyone who obtains it can authenticate to the ADS as that service.
Use the following sample command to generate the keytab file in the ADS:
C:\> ktpass -princ EVAUTH1/guard1.evros.sample-net.com@EVROS.SAMPLE-NET.COM -mapuser EVROS\evauth1 -crypto DES-CBC-MD5 -ptype KRB5_NT_PRINCIPAL -mapop set +desonly -pass evros123# -out C:\evauthkeytab1
In this command, replace the sample parameter values with your own as follows:
o evauth1 — The account name created in the Active Directory (AD) database for
the gateway; it forms the service part of the Service Principal Name (SPN). In
the -princ declaration of the ktpass command, the name must be written entirely
in uppercase letters (EVAUTH1 in the example). The choice of the name (evauth1
in the example) is arbitrary.
o guard1.evros.sample-net.com — The fully qualified domain name (FQDN) of
the gateway (shortly named guard1). In the -princ declaration of the ktpass
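Before the keytab file is uploaded to the gateway it is worth inspecting it, because a service name in the wrong case, a wrong realm or a DES-only key are easier to spot in the file than in an SSO login that fails later. The following Python script is an added example and is not part of the OmniAccess 3500 documentation or software. It parses the MIT keytab layout (file format version 0x0502) that ktpass writes, reports the principal, realm, key version and encryption type of each entry, and checks them against the requirements of the steps above. The keytab bytes it inspects are constructed in the script itself so that it runs without a domain controller, and the function names (build_keytab, parse_keytab, check_gateway_keytab) are the example's own.

```python
"""Inspect a ktpass-generated keytab before uploading it to the gateway.
Added example, not part of the OmniAccess 3500 documentation or software: it
parses the MIT keytab layout that ktpass writes (file version 0x0502) and
checks the entry against the procedure above. Sample bytes are constructed."""
import struct

# Kerberos encryption type numbers (RFC 3961 / RFC 4757)
ETYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
               18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
WEAK_ETYPES = {1, 2, 3, 23}  # single DES and RC4 count as weak today


def _counted(data: bytes) -> bytes:
    """Keytab counted octet string: big-endian uint16 length, then the bytes."""
    return struct.pack(">H", len(data)) + data


def _take(blob: bytes, pos: int, fmt: str):
    """Unpack one value of struct format fmt at pos; return (value, new_pos)."""
    return struct.unpack_from(fmt, blob, pos)[0], pos + struct.calcsize(fmt)


def _octets(blob: bytes, pos: int):
    """Read a counted octet string at pos; return (bytes, new_pos)."""
    length, pos = _take(blob, pos, ">H")
    return blob[pos:pos + length], pos + length


def build_keytab(principal: str, realm: str, etype: int, key: bytes,
                 kvno: int, timestamp: int) -> bytes:
    """Write a one-entry 0x0502 keytab (used here only to construct test input)."""
    components = principal.split("/")
    body = struct.pack(">H", len(components)) + _counted(realm.encode())
    for component in components:
        body += _counted(component.encode())
    body += struct.pack(">I", 1)            # name type 1 = KRB5_NT_PRINCIPAL
    body += struct.pack(">I", timestamp)    # time the entry was written
    body += struct.pack(">B", kvno & 0xFF)  # 8-bit key version number
    body += struct.pack(">H", etype) + _counted(key)
    body += struct.pack(">I", kvno)         # 32-bit kvno trailer (optional in format)
    return b"\x05\x02" + struct.pack(">i", len(body)) + body


def parse_keytab(blob: bytes) -> list:
    """Return the entries of a 0x0502 keytab as dicts; deleted slots are skipped."""
    if blob[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(blob):
        size, pos = _take(blob, pos, ">i")
        end = pos + abs(size)
        if size < 0:                        # negative size marks a deleted slot
            pos = end
            continue
        ncomp, pos = _take(blob, pos, ">H")
        realm, pos = _octets(blob, pos)
        components = []
        for _ in range(ncomp):
            component, pos = _octets(blob, pos)
            components.append(component.decode())
        pos += 8                            # skip name type and timestamp
        kvno, pos = _take(blob, pos, ">B")
        etype, pos = _take(blob, pos, ">H")
        key, pos = _octets(blob, pos)
        if end - pos >= 4:                  # 32-bit kvno trailer overrides the 8-bit one
            kvno = _take(blob, pos, ">I")[0] or kvno
        pos = end
        entries.append({"principal": "/".join(components), "realm": realm.decode(),
                        "etype": etype, "kvno": kvno, "key": key})
    return entries


def check_gateway_keytab(blob: bytes, service: str, gateway_fqdn: str,
                         realm: str) -> list:
    """Return findings (empty list = OK); service is the ktpass -mapuser account."""
    entries = parse_keytab(blob)
    if not entries:
        return ["keytab contains no entries"]
    expected = f"{service.upper()}/{gateway_fqdn}"   # service part must be uppercase
    findings = []
    for entry in entries:
        if entry["principal"] != expected:
            findings.append(f"principal {entry['principal']!r}, expected {expected!r}")
        if entry["realm"] != realm.upper():
            findings.append(f"realm {entry['realm']!r}, expected {realm.upper()!r}")
        if entry["etype"] in WEAK_ETYPES:
            name = ETYPE_NAMES.get(entry["etype"], f"etype {entry['etype']}")
            findings.append(f"weak encryption type {name}: DES and RC4 are disabled "
                            "by default on current domain controllers")
    return findings


if __name__ == "__main__":
    # Constructed sample mirroring the ktpass command above (DES-CBC-MD5 = etype 3).
    sample = build_keytab("EVAUTH1/guard1.evros.sample-net.com", "EVROS.SAMPLE-NET.COM",
                          3, bytes(range(8)), 1, 1_600_000_000)
    for finding in check_gateway_keytab(sample, "evauth1", "guard1.evros.sample-net.com",
                                        "evros.sample-net.com"):
        print("WARNING:", finding)
```

To inspect a real file, pass open(path, "rb").read() to parse_keytab or check_gateway_keytab. An empty findings list means the principal is the uppercase service name followed by the gateway FQDN, the realm is in uppercase and the key is not a DES or RC4 key; a keytab generated exactly as in the sample command above produces a single "weak encryption type des-cbc-md5" finding, which is expected and is the reason the DES caveat in step 2 matters.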