Alcatel-Lucent OS9-GNI-U24 User's Manual
Alcatel-Lucent
Page 88
OmniSwitch 9000
RFC 2251–Lightweight Directory Access Protocol (v3)
RFC 2252–Lightweight Directory Access Protocol (v3): Attribute Syntax Definitions
RFC 2253–Lightweight Directory Access Protocol (v3): UTF-8 String Representation of Distinguished Names
RFC 2254–The String Representation of LDAP Search Filters
RFC 2256–A Summary of the X.500 (96) User Schema for Use with LDAPv3
Other RFCs:
RFC 2574–User-based Security Model (USM) for version 3 of the Simple Network Management Protocol (SNMPv3)
RFC 2924–Accounting Attributes and Record Formats
RFC 2975–Introduction to Accounting Management
RFC 2989–Criteria for Evaluating AAA Protocols for Network Access
Authentication Servers
Maximum number of authentication servers in single authority mode:
4 (not including any backup servers)
Maximum number of authentication servers in multiple authority mode:
4 per VLAN (not including any backup servers)
Maximum number of servers per Authenticated Switch Access type:
4 (not including any backup servers)
CLI Command Prefix Recognition:
The aaa radius-server and aaa ldap-server commands support prefix recognition.
ACE/Server
An external ACE/Server may be used for authenticated switch access. It cannot be used for Layer 2
authentication or for policy management. Attributes are not supported on ACE/Servers. These values
must be configured on the switch through the user commands.
Since an ACE/Server does not store or send user privilege information to the switch, the switch
determines user privileges for SecurID logins. When a user attempts to log into the switch, the user ID
and password are sent to the ACE/Server. The server determines whether the login is valid. If the login
is valid, the user privileges must be determined. The switch checks its user database for the user’s
privileges. If the user is not in the database, the switch uses the default privilege, which is determined
by the default user account. There are no server-specific parameters that must be configured for the
switch to communicate with an attached ACE/Server; however, you must FTP the sdconf.rec file from
the server to the switch’s /network directory. This file is required so that the switch will know the IP
address of the ACE/Server. The ACE client in the switch is version 4.1; it does not support the
replicating and locking feature of ACE 5.0, but it may be used with an ACE 5.0 server if a legacy
configuration file is loaded on the server. The legacy configuration must specify authentication to two
specific servers (master and slave). The ACE/Server generates “secrets” that it sends to clients for
authentication. While you cannot configure the secret on the switch, you can clear it. The secret may
need to be cleared because the server and the switch get out of sync.
RADIUS Servers
RADIUS is a standard authentication and accounting protocol defined in RFC 2865 and RFC 2866. A
built-in RADIUS client is available in the switch. A RADIUS server that supports Vendor Specific
Attributes (VSAs) is required. The Alcatel-Lucent attributes may include VLAN information, time-of-day,
or slot/port restrictions.
RADIUS Server Attributes:
RADIUS servers and RADIUS accounting servers are configured with particular attributes defined in
RFC 2138 and RFC 2139, respectively. These attributes carry specific authentication, authorization,
and configuration details about RADIUS requests to and replies from the server. For a complete list
of attributes (standard and vendor-specific) and how to configure them on the server, please refer to
the User's Manual.
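The attribute format the RADIUS section refers to is the Type-Length-Value layout of RFC 2865, and a Vendor-Specific attribute (type 26) wraps a 4-octet Vendor-Id plus vendor sub-attributes in the same layout. The following encoder/decoder is an added example, not code from the manual or from Alcatel-Lucent; the vendor ID 99999, the vendor sub-attribute type 1 and the sample values are constructed placeholders, not the switch's real VSA dictionary. The parser rejects malformed lengths rather than reading past the buffer, which is the check a defender wants in anything that consumes attributes from the network.

```python
"""Minimal RFC 2865 attribute encoder/decoder with Vendor-Specific (type 26) support.
Added example; vendor ID and sub-attribute numbers below are constructed placeholders."""
import struct

USER_NAME = 1          # standard attribute type (RFC 2865 section 5.1)
VENDOR_SPECIFIC = 26   # standard attribute type (RFC 2865 section 5.26)
DEMO_VENDOR_ID = 99999   # constructed placeholder, not a registered enterprise number
DEMO_VENDOR_GROUP = 1    # constructed placeholder vendor sub-attribute type


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute: Type (1 octet), Length (1 octet, counts the header), Value."""
    if not 0 <= attr_type <= 255:
        raise ValueError("attribute type out of range")
    if len(value) > 253:  # 255 max length minus the 2-octet header
        raise ValueError("attribute value longer than 253 octets")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def encode_vsa(vendor_id: int, vendor_type: int, data: bytes) -> bytes:
    """Encode a Vendor-Specific attribute carrying one vendor sub-attribute."""
    if vendor_id >> 24:
        raise ValueError("high octet of Vendor-Id must be zero")
    if len(data) > 247:  # 253 minus 4-octet Vendor-Id minus 2-octet sub-header
        raise ValueError("vendor data too long")
    sub = struct.pack("!BB", vendor_type, len(data) + 2) + data
    return encode_attr(VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + sub)


def parse_attrs(buf: bytes) -> list:
    """Parse a run of attributes into (type, value) tuples, refusing bad lengths."""
    out = []
    pos = 0
    while pos < len(buf):
        if len(buf) - pos < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = buf[pos], buf[pos + 1]
        # Length < 2 would loop forever; length past the buffer would over-read.
        if length < 2 or pos + length > len(buf):
            raise ValueError(f"bad attribute length {length} at offset {pos}")
        out.append((attr_type, buf[pos + 2:pos + length]))
        pos += length
    return out


def parse_vsa(value: bytes) -> tuple:
    """Split a Vendor-Specific value into (vendor_id, [(vendor_type, data), ...])."""
    if len(value) < 4:
        raise ValueError("VSA shorter than Vendor-Id")
    vendor_id = struct.unpack("!I", value[:4])[0]
    if vendor_id >> 24:
        raise ValueError("high octet of Vendor-Id must be zero")
    return vendor_id, parse_attrs(value[4:])


def is_well_formed(buf: bytes) -> bool:
    """True if every attribute (and every VSA inside) parses cleanly."""
    try:
        for attr_type, value in parse_attrs(buf):
            if attr_type == VENDOR_SPECIFIC:
                parse_vsa(value)
        return True
    except ValueError:
        return False


def build_demo_attrs() -> bytes:
    """Constructed sample: a User-Name plus one vendor sub-attribute naming a group."""
    return (encode_attr(USER_NAME, b"alice")
            + encode_vsa(DEMO_VENDOR_ID, DEMO_VENDOR_GROUP, b"admin-group"))


if __name__ == "__main__":
    blob = build_demo_attrs()
    for attr_type, value in parse_attrs(blob):
        if attr_type == VENDOR_SPECIFIC:
            print("VSA", parse_vsa(value))
        else:
            print("attr", attr_type, value)
    print("truncated header well-formed?", is_well_formed(b"\x01\x01"))
```

The check in `parse_attrs` matters because a Length octet of 0 or 1 would otherwise never advance the cursor, and a Length larger than the remaining buffer would read beyond the packet; both are cheap to reject before any attribute value is interpreted.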
Lightweight Directory Access Protocol (LDAP)
Lightweight Directory Access Protocol (LDAP) is a standard directory server protocol. The LDAP
client in the switch is based on several RFCs: 1798, 2247, 2251, 2252, 2253, 2254, 2255, and 2256.
The protocol was developed as a way to use directory services over TCP/IP and to simplify the
directory access protocol (DAP) defined as part of the Open Systems Interconnection (OSI) effort.
Originally it was a front-end for X.500 DAP. The protocol synchronizes and governs the
communications between the LDAP client and the LDAP server. The protocol also dictates how its
databases of information, which are normally stored in hierarchical form, are searched, from the root
directory down to distinct entries. In addition, LDAP has its own format that permits LDAP-enabled
Web browsers to perform directory searches over TCP/IP.
For a complete list of attributes (vendor-specific) and how to configure them on the server, please refer
to the User's Manual.
Policy Servers
(Policy Server Management)
Quality of Service (QoS) policies that are configured through Alcatel-Lucent’s PolicyView network
management application are stored on a Lightweight Directory Access Protocol (LDAP) server.
PolicyView is an OmniVista application that runs on an attached workstation.
Policy Server Specifications:
LDAP Policy Servers RFCs Supported:
RFC 2251–Lightweight Directory Access Protocol (v3)
RFC 3060–Policy Core Information Model—Version 1 Specification
Maximum number of policy servers (supported on the switch): 4
Maximum number of policy servers (supported by PolicyView): 1
Policy servers use the Lightweight Directory Access Protocol (LDAP) to store policies that are
configured through Alcatel-Lucent’s PolicyView network management application. PolicyView is an
OmniVista application that runs on an attached workstation.