9.2.3.2. Alcatel
9.2.3.2.1. OS6250 - OS6450
Firmware: Generic
Administration Portal > ON CMDB > Network Devices Brand/Model: Alcatel/Generic
9.2.3.2.1.1. VLAN Configuration
First, create the VLANs (VLAN 234 is used as an example):
vlan 234
vlan 234 admin-state enable
vlan 234 enable name "VLAN 1"
9.2.3.2.1.2. RADIUS Configuration
9.2.3.2.1.2.1. RADIUS
In this section we define the RADIUS servers that authentications are sent to, and the parameters the switch uses to reach them:
aaa radius-server <RADIUS1-Name> host <RADIUS-IP> key <RADIUS-Key> retransmit 3 timeout 2 auth-port 1812 acct-port 1813 nas-port ifindex
9.2.3.2.1.3. Dot1x Configuration
To configure 802.1X and MAB, point the authentication and accounting methods at the RADIUS servers globally and then configure each access port.
Global Configuration:
aaa authentication 802.1x <RADIUS-Name> <RADIUS-Name2>
aaa accounting 802.1x <RADIUS-Name> <RADIUS-Name2>
Interface Configuration:
vlan port <Port> 802.1x enable
vlan port mobile <Port>
802.1x <Port> direction in port-control auto quiet-period 60 tx-period 30 supp-timeout 30 server-timeout 30 max-req 2 re-authperiod 3600 no reauthentication
802.1x <Port> trust-radius disable
802.1x <Port> supp-polling retry 2
802.1x <Port> supplicant policy authentication pass default-vlan fail block
9.2.3.2.1.4. MAC-Authentication (MAB)
To enable MAC authentication (used to perform MAB), point the MAC authentication and accounting methods at the RADIUS servers globally and then define the non-supplicant policy on each access port.
Global Configuration:
aaa authentication mac <RADIUS-Name> <RADIUS-Name2>
aaa accounting mac <RADIUS-Name> <RADIUS-Name2>
Interface Configuration:
vlan port <Port> 802.1x enable
vlan port mobile <Port>
802.1x <Port> non-supplicant session-timeout disable interval 43200 trust-radius disable
802.1x <Port> non-supplicant policy authentication pass default-vlan fail vlan <VLAN-ID> block
9.2.3.2.1.5. Dot1x Features
9.2.3.2.1.5.1. Default VLAN
The default VLAN is the one the connection is placed in when the openNAC policy is configured to return the default VLAN.
Interface Configuration:
vlan <VLAN-ID> port default <Port>
9.2.3.2.1.5.2. Critical VLAN
The critical VLAN is the one connections are placed in when the RADIUS servers are not available to authorize them.
802.1x auth-server-down policy user-network-profile <Profile-Name>
802.1x auth-server-down enable
After a device is classified into the VLAN for this UNP, the switch attempts to re-authenticate it after a specific period of time (60 seconds by default). To change this value, use the unp authserver-down-timeout command.
9.2.3.2.1.5.3. Voice VLAN
For a scenario where a desktop is connected behind a telephone that needs a tagged voice VLAN, as follows:
PC (Untagged) –> Phone (Tagged) –> Switch
add the following configuration (VLAN 1021 and port 1/3 are example values):
vlan 1021 mobile-tag enable
vlan port mobile 1/3
9.2.3.2.1.5.4. Security Profiles (ACLs)
As explained above, Alcatel applies UNP profiles to users.
To apply ACLs to the connections, assign them on the switch within each UNP profile.
9.2.3.2.1.6. TogglePort
9.2.3.2.1.6.1. SNMP
To perform policy reevaluation through SNMP, enable SNMP and define the read and write community strings. The no-security setting selects SNMPv1/v2c, where community strings travel in cleartext and the write community alone is enough to bounce ports, so treat both strings as credentials:
snmp security no-security
snmp community-map mode enable
snmp community-map <rw-community> user "snmp_rw" enable
snmp community-map <ro-community> user "snmp_ro" enable
9.2.3.2.1.6.2. CoA
To perform policy reevaluation through CoA, enable this functionality and define the clients with their shared key.
9.2.3.2.1.7. Troubleshooting & Monitoring
show aaa-device all-users
show mac-address-table 1/3
show ip helper dhcp-snooping binding
9.2.3.2.2. OS6860
Firmware: Alcatel OS 8.1+. Lower versions do not support this configuration.
Administration Portal > ON CMDB > Network Devices Brand/Model: Alcatel/Generic
9.2.3.2.2.1. RADIUS Global Configuration
Define the RADIUS servers to be used for authentications and their format:
aaa radius-server "openNAC" host <Radius_Server_IP> key <Radius_Shared_Key>
aaa radius-server "openNAC" retransmit 3
aaa radius-server "openNAC" timeout 2
aaa radius-server "openNAC" auth-port 1812
aaa radius-server "openNAC" acct-port 1813
aaa radius-server "openNAC" nas-port ifindex
You now need to configure an edge profile (equivalent of a role) that will determine which VLAN is assigned to the device. In this case, the profile names are unreg, employee and guest.
unp edge-profile unreg
unp edge-profile unreg redirect enable
unp edge-profile unreg authentication-flag enable
unp vlan-mapping edge-profile unreg vlan 2
unp edge-profile guest
unp edge-profile guest redirect enable
unp edge-profile guest authentication-flag enable
unp vlan-mapping edge-profile guest vlan 5
unp edge-profile employee
unp edge-profile employee redirect enable
unp edge-profile employee authentication-flag enable
unp vlan-mapping edge-profile employee vlan 20
Note
Enable redirect on all your roles; access reevaluation will not work without it. Next, configure the switch in OpenNAC Enterprise (in this example the uplink is port 1/1/1): add the switch IP so it is allowed to authenticate against RADIUS, set the pre-shared secret, define the authentication type in the policies, and assign VLANs if required.
802.1X
aaa device-authentication 802.1x "openNAC"
MAC Authentication
aaa device-authentication mac "openNAC"
Interface configuration
To perform authentication on specific ports, you will first need to create an edge template and then apply it to those ports.
8021X
unp edge-template on_dot1x
unp edge-template on_dot1x 802.1X-authentication enable
unp edge-template on_dot1x mac-authentication enable
unp edge-template on_dot1x 802.1X-authentication failure-policy mac-authentication
unp port 1/1/2 port-type edge
unp port 1/1/2 edge-template on_dot1x
MAC Authentication
unp edge-template on_mab
unp edge-template on_mab mac-authentication enable
unp edge-template on_mab classification enable
unp port 1/1/2 port-type edge
unp port 1/1/2 edge-template on_mab
9.2.3.2.2.2. Dot1x Features
VLAN Configuration
vlan 2 admin-state enable
vlan 5 admin-state enable
vlan 20 admin-state enable
vlan 100 admin-state enable
Voice VLAN
The voice VLAN will be used to separate the voice traffic from the data traffic. OpenNAC Enterprise supports VoIP on Alcatel by having multiple devices using multiple untagged VLANs on the same port. First, configure the user profile for voice. In this example, it is only isolating it on another VLAN, but any user profile attributes can be added to the profile.
unp edge-profile voice
unp edge-profile voice redirect enable
unp edge-profile voice authentication-flag enable
unp vlan-mapping edge-profile voice vlan 100
Next, make sure you enable VoIP in the switch configuration in OpenNAC Enterprise and configure the voiceRole.
[192.168.1.10]
VoIPEnabled=Y
voiceRole=voice
9.2.3.2.3. OS6360 - OS6560
Firmware: 8.9.73.R01
Administration Portal > ON CMDB > Network Devices Brand/Model: Alcatel/Generic - Alcatel/6560
9.2.3.2.3.1. About Alcatel UNP Profiles
Segmentation on this Alcatel model works differently from other brands/models: instead of returning VLANs from OpenNAC, we work with UNP profiles.
UNP profiles are defined on the switch and mapped to a VLAN. During RADIUS authentication, OpenNAC must return the name of the UNP profile, and that profile (and therefore its VLAN) is assigned to the connection.
There are two ways to apply the profiles:
(Recommended) Send the UNP profile name as a "Static Security Profile" from OpenNAC. To do this, define a Security Profile for each UNP profile on the switch, with exactly the same name, and assign it to the policy that should use it.
Name the switch UNP profiles after the ID of the VLAN they map to. This way, when the OpenNAC policy selects a VLAN, the value sent is also the name of the UNP profile, because the profile is named after the VLAN it maps to.
A very useful command to validate if the profile is being assigned correctly on the switch is:
show unp user detail
This will give us a result similar to:
If it has worked:
Profile From Auth Server = Profile-UNP1, --> profile named Profile-UNP1 that maps to a VLAN with ID 1007
Profile From Auth Server = 507, --> profile named 507 that maps to a VLAN with ID 507
If it hasn’t worked:
Profile From Auth Server = 1007 [Not Configured], --> there is no profile called 1007
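When a switch has many sessions, reading `show unp user detail` by eye is slow, so the following added example (not part of the original page or of OpenNAC) parses that output and flags every session where the profile OpenNAC returned was not the one the switch applied: the `[Not Configured]` marker quoted above, a silent fallback to another profile, or, for profiles named after their VLAN ID (option 2), a session that landed in a different VLAN. The sample output is constructed to mimic the field lines quoted above; field names other than those quoted on this page are assumptions.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample output (not a real capture), modelled on the
# "Profile From Auth Server" lines quoted above. Port 1/1/22 shows the
# failure case: openNAC returned "1007" but no profile of that name exists.
SAMPLE_SHOW_UNP_USER_DETAIL = """\
Port: 1/1/21
  MAC-Address: 00:11:22:33:44:55
    User Name = 001122334455,
    Vlan = 1007,
    Authentication Type = MAC,
    Authentication Status = Authenticated,
    Profile = Profile-UNP1,
    Profile From Auth Server = Profile-UNP1,

Port: 1/1/22
  MAC-Address: 00:11:22:33:44:66
    User Name = 001122334466,
    Vlan = 4093,
    Authentication Type = 8021X,
    Authentication Status = Authenticated,
    Profile = Default-UNP,
    Profile From Auth Server = 1007 [Not Configured],

Port: 1/1/23
  MAC-Address: 00:11:22:33:44:77
    User Name = 001122334477,
    Vlan = 507,
    Authentication Type = MAC,
    Authentication Status = Authenticated,
    Profile = 507,
    Profile From Auth Server = 507,
"""

NOT_CONFIGURED = "[Not Configured]"


@dataclass
class UnpUser:
    port: str
    mac: str
    fields: dict = field(default_factory=dict)

    @property
    def requested_profile(self) -> str:
        """Profile name returned by the RADIUS server, without the switch's marker."""
        return self.fields.get("Profile From Auth Server", "").replace(NOT_CONFIGURED, "").strip()

    @property
    def applied_profile(self) -> str:
        return self.fields.get("Profile", "")

    @property
    def profile_missing_on_switch(self) -> bool:
        return NOT_CONFIGURED in self.fields.get("Profile From Auth Server", "")


def parse_unp_user_detail(text: str) -> list[UnpUser]:
    """Split 'show unp user detail' output into one record per MAC address."""
    users: list[UnpUser] = []
    port, current = "?", None
    for line in text.splitlines():
        if m := re.match(r"^\s*Port:\s*(\S+)", line):
            port = m.group(1)
        elif m := re.match(r"^\s*MAC-Address:\s*([0-9A-Fa-f:]{17})", line):
            current = UnpUser(port=port, mac=m.group(1).lower())
            users.append(current)
        elif current is not None and (m := re.match(r"^\s*([^=]+?)\s*=\s*(.*?),?\s*$", line)):
            current.fields[m.group(1)] = m.group(2)  # "Key = Value," lines
    return users


def find_profile_problems(users: list[UnpUser]) -> list[dict]:
    """Flag sessions where the profile openNAC returned was not applied as intended."""
    problems = []
    for u in users:
        req, applied = u.requested_profile, u.applied_profile
        if u.profile_missing_on_switch:
            reason = f"switch has no UNP profile named {req!r}; fell back to {applied!r}"
        elif req and req != applied:
            reason = f"server returned {req!r} but switch applied {applied!r}"
        elif req.isdigit() and u.fields.get("Vlan") != req:
            # Option 2 naming: a profile named after its VLAN ID should land in that VLAN.
            reason = f"profile {req!r} is numeric but session is in VLAN {u.fields.get('Vlan')!r}"
        else:
            continue
        problems.append({"port": u.port, "mac": u.mac, "requested": req, "reason": reason})
    return problems


if __name__ == "__main__":
    for p in find_profile_problems(parse_unp_user_detail(SAMPLE_SHOW_UNP_USER_DETAIL)):
        print(f"{p['port']} {p['mac']}: {p['reason']}")
```

Paste the real command output into `SAMPLE_SHOW_UNP_USER_DETAIL` (or read it from a file) and every session reported is either a Security Profile name in OpenNAC that does not exist on the switch, or a profile/VLAN naming mismatch between the two.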
9.2.3.2.3.1.1. UNP Profile Creation
All profiles that are created and used in segmentation must have a VLAN mapped to them.
Create a VLAN
vlan 1007 admin-state enable
Create the profile that maps to the VLAN (the VLAN ID must match the one just created)
unp profile "Profile-UNP1" map vlan 1007
9.2.3.2.3.2. RADIUS Configuration
9.2.3.2.3.2.1. RADIUS
In this section we define the RADIUS servers that authentications are sent to, and the parameters the switch uses to reach them:
aaa radius-server <RADIUS-NAME> host <RADIUS-IP> key <RADIUS-KEY> retransmit 3 timeout 5 auth-port 1812 acct-port 1813 vrf-name default
9.2.3.2.3.3. Dot1x Configuration
To configure 802.1X and MAB, point the authentication and accounting methods at the RADIUS servers globally and then enable UNP authentication on each access port.
Global Configuration:
aaa device-authentication 802.1x "RADIUS1" "RADIUS2"
aaa accounting 802.1x "RADIUS1" "RADIUS2"
Interface Configuration:
unp port {port or port-range} port-type bridge
unp port {port or port-range} 802.1x-authentication
unp port {port or port-range} admin-state enable
9.2.3.2.3.4. MAC-Authentication (MAB)
To enable MAC authentication (used to perform MAB), point the MAC authentication and accounting methods at the RADIUS servers globally and then enable it on each access port.
Global Configuration:
aaa device-authentication mac "RADIUS1" "RADIUS2"
aaa accounting mac "RADIUS1" "RADIUS2"
Interface Configuration:
unp port {port or port-range} port-type bridge
unp port {port or port-range} mac-authentication
9.2.3.2.3.5. Dot1x Features
9.2.3.2.3.5.1. Default VLAN
The default VLAN is the one the connection is placed in when the openNAC policy is configured to return the default VLAN.
Interface Configuration:
unp port {port or port-range} default-profile <Default UNP>
9.2.3.2.3.5.2. Critical VLAN
The critical VLAN is the one connections are placed in when the RADIUS servers are not available to authorize them.
unp auth-server-down profile1 <Critical UNP>
After a device is classified into the VLAN for this UNP, the switch attempts to re-authenticate it after a specific period of time (60 seconds by default). To change this value, use the unp auth-server-down-timeout command:
unp auth-server-down-timeout 120
9.2.3.2.3.5.3. Voice VLAN
Voice vlan configuration:
unp profile voice
unp profile voice redirect
unp profile voice authentication-flag
unp profile "voice" map vlan <Voice-VLAN>
For a scenario where a desktop is connected behind a telephone that needs a tagged voice VLAN, as follows:
PC (Untagged) –> Phone (Tagged) –> Switch
add the following configuration (VLAN 1021 is an example value):
unp profile <VoIP-Profile-Name>
unp profile <VoIP-Profile-Name> map vlan 1021
unp profile <VoIP-Profile-Name> mobile-tag
9.2.3.2.3.5.4. Security Profiles (ACLs)
As explained above, Alcatel applies UNP profiles to users.
To apply ACLs to the connections, assign them on the switch within each UNP profile.
9.2.3.2.3.6. TogglePort
9.2.3.2.3.6.1. SNMP
To perform policy reevaluation through SNMP, enable SNMP and define the read and write community strings. Each community string is mapped to a local user; with SNMPv2c the strings travel in cleartext and the write community alone is enough to bounce ports, so treat them as credentials and prefer SNMPv3 where OpenNAC is configured for it.
SNMP v2
user snmp_rw read-write all password <rw-community> no auth
user snmp_ro read-only all password <ro-community> no auth
snmp security no-security
snmp community-map mode enable
snmp community-map <rw-community> user "snmp_rw" enable
snmp community-map <ro-community> user "snmp_ro" enable
SNMP v3
snmp security authentication all
snmp security privacy all
9.2.3.2.3.6.2. CoA
To perform policy reevaluation through CoA, enable this functionality and define the clients with their shared key:
unp redirect port-bounce enable
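The CoA sections above (for the OS6450 and for the OS6360/6560) say only that the switch must know the CoA clients and their shared key; what that key protects is the RADIUS Dynamic Authorization exchange of RFC 5176. The following added example (not OpenNAC code, nor anything from Alcatel) builds a Disconnect-Request that identifies a session by Calling-Station-Id and NAS-Port (the ifindex the switch sends when configured with `nas-port ifindex`), computes the Request Authenticator and Message-Authenticator from the shared secret, and verifies the Disconnect-ACK/NAK that comes back, rejecting a reply whose Response Authenticator was not produced with the same secret. The UDP port 3799, the IP addresses, the MAC and the secret are placeholders.

```python
import hashlib
import hmac
import struct

# RADIUS Dynamic Authorization (RFC 5176) packet codes and the attributes used here.
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
ATTR_NAS_IP_ADDRESS, ATTR_NAS_PORT, ATTR_CALLING_STATION_ID, ATTR_MESSAGE_AUTHENTICATOR = 4, 5, 31, 80
COA_PORT = 3799  # assumed default UDP port for the switch's DAS listener


def _avp(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as Type, Length, Value."""
    if not 1 <= len(value) <= 253:
        raise ValueError("RADIUS attribute value must be 1..253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_disconnect_request(secret: bytes, identifier: int, nas_ip: str, mac: str, nas_port: int) -> bytes:
    """Disconnect-Request identifying the session by client MAC and NAS-Port (ifindex)."""
    attrs = (_avp(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + _avp(ATTR_NAS_PORT, struct.pack("!I", nas_port))
             + _avp(ATTR_CALLING_STATION_ID, mac.encode()))
    # A zero-filled Message-Authenticator occupies its final position while hashing.
    attrs_zero_ma = attrs + _avp(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", DISCONNECT_REQUEST, identifier, 20 + len(attrs_zero_ma))
    # Step 1: Message-Authenticator = HMAC-MD5(secret, header | zero authenticator | attributes).
    ma = hmac.new(secret, header + bytes(16) + attrs_zero_ma, hashlib.md5).digest()
    attrs_final = attrs + _avp(ATTR_MESSAGE_AUTHENTICATOR, ma)
    # Step 2: Request Authenticator = MD5(header | 16 zero bytes | attributes | secret).
    request_auth = hashlib.md5(header + bytes(16) + attrs_final + secret).digest()
    return header + request_auth + attrs_final


def verify_disconnect_request(secret: bytes, packet: bytes) -> bool:
    """The checks a NAS performs before acting: both authenticators must verify.
    A request without a Message-Authenticator is rejected here on purpose."""
    if len(packet) < 20 or packet[0] != DISCONNECT_REQUEST or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    header, req_auth, attrs = packet[:4], packet[4:20], packet[20:]
    off, ma_off = 0, None
    while off + 2 <= len(attrs):  # walk the TLV list; length 18 = 2 + 16-byte HMAC
        t, l = attrs[off], attrs[off + 1]
        if l < 2 or off + l > len(attrs):
            return False
        if t == ATTR_MESSAGE_AUTHENTICATOR and l == 18:
            ma_off = off + 2
        off += l
    if ma_off is None:
        return False
    zeroed = attrs[:ma_off] + bytes(16) + attrs[ma_off + 16:]
    ok_ma = hmac.compare_digest(hmac.new(secret, header + bytes(16) + zeroed, hashlib.md5).digest(),
                                attrs[ma_off:ma_off + 16])
    ok_ra = hmac.compare_digest(hashlib.md5(header + bytes(16) + attrs + secret).digest(), req_auth)
    return ok_ma and ok_ra


def nas_reply(secret: bytes, request: bytes, code: int, attrs: bytes = b"") -> bytes:
    """The Disconnect-ACK/NAK a conforming NAS returns (used here to exercise the verifier)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    # Response Authenticator = MD5(header | Request Authenticator | attributes | secret).
    return header + hashlib.md5(header + request[4:20] + attrs + secret).digest() + attrs


def verify_disconnect_response(secret: bytes, request: bytes, response: bytes) -> str:
    """Return 'ack' or 'nak' only if the response is a genuine reply to `request`."""
    if len(response) < 20:
        raise ValueError("response too short")
    code, ident, length = struct.unpack("!BBH", response[:4])
    if length != len(response) or ident != request[1]:
        raise ValueError("identifier or length does not match the request")
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    if not hmac.compare_digest(expected, response[4:20]):
        raise ValueError("bad Response Authenticator: wrong shared secret or forged reply")
    if code == DISCONNECT_ACK:
        return "ack"
    if code == DISCONNECT_NAK:
        return "nak"
    raise ValueError(f"unexpected code {code}")


if __name__ == "__main__":
    # Offline round trip with placeholder values. To send for real:
    # socket.socket(socket.AF_INET, socket.SOCK_DGRAM).sendto(req, (switch_ip, COA_PORT))
    secret = b"example-shared-secret"
    req = build_disconnect_request(secret, 1, "192.0.2.1", "00:11:22:33:44:55", 1021)
    assert verify_disconnect_request(secret, req)
    print(verify_disconnect_response(secret, req, nas_reply(secret, req, DISCONNECT_ACK)))
```

Two points matter operationally: the shared key on the switch must be the one OpenNAC uses, otherwise every request is silently dropped or NAKed, and a NAK with the same identifier still verifies, so treat "nak" as "session not found or not permitted", not as a transport error.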
9.2.3.2.4. OS6200
Firmware: 1.7.1.12
Administration Portal > ON CMDB > Network Devices Brand/Model: Alcatel/6200 (model tested: 6224)
9.2.3.2.4.1. General Configuration
Here is the generic configuration of the switch, not directly related to authentication:
vlan database
vlan 251,253-254
exit
interface ethernet 1/e24
switchport mode trunk
switchport trunk allowed vlan add 251
switchport trunk allowed vlan add 253
switchport trunk allowed vlan add 254
exit
interface vlan 1
ip address 1.1.1.3 255.255.255.0
exit
ip default-gateway 1.1.1.2
clock timezone +1
clock summer-time recurring eu zone utc
clock source sntp
sntp unicast client enable
sntp unicast client poll
sntp server 1.1.1.1 poll
9.2.3.2.4.2. RADIUS Configuration
9.2.3.2.4.2.1. RADIUS
In this section we define the RADIUS servers that authentications are sent to, and the parameters the switch uses to reach them:
radius-server host 1.1.1.1 key <RADIUS-Key>
radius-server host 1.1.1.2 key <RADIUS-Key> priority 1
9.2.3.2.4.3. Dot1x Configuration
To configure 802.1X and MAB, define the authentication method list globally, enable 802.1X on the system, and then configure each access port.
Global Configuration:
aaa authentication dot1x default radius none
dot1x system-auth-control
The trailing none method means that, when no RADIUS server answers, the port is authorized without any authentication (fail-open); remove it if ports should stay closed while RADIUS is unreachable.
Interface Configuration:
interface range ethernet 1/e(1-24)
dot1x multiple-hosts authentication
dot1x re-authentication
dot1x radius-attributes vlan
switchport general allowed vlan add 532 untagged
no dot1x legacy-supp-mode
dot1x port-control auto
dot1x single-host-violation forward
dot1x guest-vlan enable
9.2.3.2.4.4. MAC-Authentication (MAB)
To enable MAC authentication (used to perform MAB), enable the combined MAC and 802.1X mode on each access port and allow the RADIUS-assigned VLAN.
Interface Configuration:
interface range ethernet 1/e(1-24)
dot1x mac-authentication mac-and-802.1x
dot1x radius-attributes vlan
9.2.3.2.4.5. Default VLAN
The default VLAN is the one the connection is placed in when the openNAC policy is configured to return the default VLAN.
Interface Configuration:
interface ethernet 1/e1
switchport general pvid 39
9.2.3.2.4.6. TogglePort
9.2.3.2.4.6.1. SNMP
To perform policy reevaluation through SNMP, define the read and write community strings. In this example aaa is the read-write community (the second line additionally binds it to the manager 1.1.1.1 with the DefaultSuper view) and siub is read-only; both are example values that must be replaced, and as SNMPv2c community strings travel in cleartext they should be treated as credentials:
snmp-server community aaa rw view Default
snmp-server community aaa rw 1.1.1.1 view DefaultSuper
snmp-server community siub ro view Default
9.2.3.2.4.6.2. CoA
Not Supported.