
Interfacing with Forescout

Introduction

Document Number

ENG-010587

Purpose

This application note describes how to interface the Tellabs OLT with ForeScout's CounterACT product.  It explains how to configure and administer the Tellabs OLAN system to interface with ForeScout CounterACT.  CounterACT discovers and classifies devices attached to the Tellabs system.  Based on its classification, CounterACT then assesses the device's security posture and applies policies that enforce the specific behavior the device can have while connected to the network.

Applies To

This document applies to all versions of the Tellabs OLAN OLT (1134/OLT6, 1150) running the SR29.2 release or above.   

The support per ForeScout version is outlined below:

Tellabs behaviors in CounterACT v7:

  • SNMP Switch Block Restrict Action
  • CLI Assign to VLAN Restrict Action
  • 802.1x authentications - MAB and PAE (i.e. Phone and PC behind the Phone)
  • Administrative Login
  • Change of Authorization

Additional Tellabs behavior in CounterACT v8:

  • CLI Access Port ACL Restrict Action

v7 ForeScout Compatibility Matrix:

v7 ForeScout See and Control Capabilities Summary:

Enforcing Policy on OLAN using ForeScout CounterACT

At a high level, ForeScout CounterACT can interface with the system in one of two modes.  It can use an 802.1x authorization or MAB based scheme.  This scheme requires authorization prior to any network access and depends on industry standard mechanisms for authorizing access to the network.  It can also enforce policy without using these mechanisms.  CounterACT classifies devices on the network, then applies policies based on the classification.  This can be done with or without an agent resident on the device.  This document will outline the various methods for enforcing the proper network access and security and how to implement them with the Tellabs OLAN system.

Using ForeScout CounterACT with 802.1x/MAB

Figure 1 ForeScout access via 802.1x MAB

ForeScout can use 802.1x or MAB to grant access to the network and enforce policy.  Both are industry standard protocols.  802.1x uses a PAE or Port Authentication Entity to communicate authentication credentials to a RADIUS server and authenticate access to the port.  MAB or MAC Authentication Bypass allows the MAC address to be used as an authentication credential to grant access to the network.  MAB uses RADIUS to perform the authentication action.

The OLAN PAE or Port Authentication Entity interfaces with ForeScout in this mode with two different protocols:

  • RADIUS - Remote Authentication Dial In User Service.  This interface allows a switch to transparently forward credentials from a user to the RADIUS server for authentication.  The RADIUS server will either grant access via an Access-Accept or deny it via an Access-Reject.  RADIUS also supports a mechanism to pass back the name of the policy to apply to the port via the FILTER-ID attribute.
  • CoA - Change of Authorization is an extension to the RADIUS protocol that allows additional updates to a port.  Plain RADIUS is only triggered by authentication requests and cannot send updates to the port in real time.  CoA allows the port to be updated in real time, for example to change policies or shut the port down if deemed necessary.

Using ForeScout CounterACT with Pre/Post Policy Enforcement

ForeScout can also use either a pre-connect or a post-connect mechanism for policy enforcement.  ForeScout classifies devices, either with or without the help of an agent resident on the end device, and then sends policy information to the OLT via CLI to grant, modify, or deny network access using policies.

Two of the major deployment scenarios used with ForeScout are Wired Pre-connect and Wired Post-connect.  

Wired pre-connect deployment of ForeScout CounterACT is a network access control strategy in which devices initially connect to a limited-access wired network, known as the assessment VLAN (virtual local area network), while CounterACT profiles them to determine ownership and assess compliance. Passing devices are then admitted to the production network with the appropriate access level based on user and device properties.

The following diagram outlines the Wired Port Pre-connect model used by ForeScout:

Wired post-connect deployment of ForeScout CounterACT is a network visibility and access control strategy in which endpoints are initially allowed access to the network while CounterACT profiles them to determine ownership and compliance. Access to the wired network is then adjusted based on profiling results and security policy.

The following diagram outlines the Wired Post-connect model used by ForeScout:


Adding Tellabs OLAN to ForeScout

The Tellabs OLAN OLT must be added to ForeScout so it can recognize the OLT as a manageable entity.

Go to Options->Switch->Add Switch



 

Enter the ESU IP address of the OLAN OLT.  Select Tellabs from the Vendor drop down list.  If Tellabs does not exist in the list, then you should upgrade your switch plugin so that Tellabs becomes available.  This adds all the additional control functions needed by ForeScout for enforcing policy.

  • Connecting Appliance is the IP address of the CounterACT instance.
  • Tellabs should be listed in the drop down for Vendors, if not, likely you need to update your ForeScout version.
  • It is recommended that you update the comment to give a meaningful name to the OLAN OLT to help track which OLT it is.


     

After selecting Next, the Edit Switch CLI dialog will be offered.  Since Tellabs supports several extensions via CLI for Assign to VLAN and Access Port ACL restrict actions, the CLI needs to be set up.

  • Connection Type: Select ssh 
Note: Both ssh and telnet are supported, but due to security concerns with telnet, ssh is recommended.
  • User: The User should be a user that is defined for use on the Tellabs OLT CLI.  It is recommended that you create a user specifically for use by Forescout.  The user MUST be an Admin User.
  • Password: Enter and Confirm the configured Password for login and must agree with login credentials on the Tellabs OLT CLI.

In the next screen the SNMP configuration will be entered for the OLAN OLT.



 

The ForeScout application uses SNMP to retrieve some of the data from the OLT.  Both SNMPv2 and SNMPv3 are supported, but SNMPv3 is recommended due to security concerns with SNMPv2.  This example shows an SNMPv3 setup.  This interface is also used for the SNMP port switch block function of ForeScout.

  • SNMP Version: Select SNMP version, SNMPv3 is recommended.
  • Community String: If SNMPv2 is selected, a community string will need to be entered that matches that configured on the EMS for an SNMPv2 user.
  • User: Enter the SNMPv3 username used to log into the Tellabs OLT SNMP Interface.  Username/Password must match a username/password configured in the SNMP tab of the OLT in the EMS GUI.
  • Authentication: You must click authentication to enter SNMPv3 Password.
  • Password/Confirm Password: Enter the SNMPv3 Password used to log into the Tellabs OLT SNMP interface.
  • Use Privacy: Privacy is recommended and encrypts the SNMP exchanges with the OLT.  Select Use Privacy.
  • Privacy Protocol: Select AES-128
  • Privacy Password: Enter the privacy password which is used as key in encrypting the data.  This Privacy password must agree with the privacy password entered on the OLT SNMP configuration.  This is only used for SNMPv3.

In the Permissions screen, it needs to be configured as follows:


 

  • MAC Permissions: Under MAC Permissions Enable Read MACs connected to switch port and switch port properties.
  • MAC Permissions Write: Under MAC Permissions check Write - Enable Actions (Switch Block).  This will enable ForeScout to block a switch port on the ONT if it detects a policy violation.
Note: Leave the advanced settings as default.

 

The next screen will configure the 802.1x settings (Only Needed if 802.1X is being used):


 

  • Radius Secret/ Retype Radius Secret: The Radius Secret is the shared secret used by the Tellabs OLT to access the CounterACT RADIUS server to perform authentication actions.

You should also set the corresponding settings on the OLT, if not already done, so that they agree with ForeScout.

  • To access the SNMP screen in the Panorama GUI and configure SNMP, go to the following menu.
  • Right Click on the corresponding OLT in the common tree->Properties->SNMP Tab.
  • The Admin can be set to any value desired and defaults to the IP address of the OLT.

  • Admin String: The Admin string is by default the OLT IP address.
  • Enable SNMP Agent: If the Enable SNMP Agent button is not greyed out, click it to enable the agent.
  • TrapHostName: Give a meaningful name to the TrapHost to help identify it.
  • Parameter: Add a Trap Parameter to identify the user to be used in Traps for V3.  This will be shown in the next screen.

Go to SNMP User Administration and add a user to allow access to the SNMP agent.  The SNMP User MUST be created prior to the SNMP Parameter needed for Traps, as the user is a part of the trap parameter.

Press Add to Create a new SNMP User.

 

  • Name: Enter the User Name to be used in SNMPv3 authentication.  Typically, this user is used for both SNMP GET/SETs and Traps.
  • Security Model: Security model should be USM for SNMPv3.
  • Community String: This is only used for SNMPv2 and will not be editable if USM is selected.
  • Security Level: AUTH_PRIV is used for SNMPv3
  • Authen Protocol: HMAC-SHA-96 is recommended but needs to match the settings on ForeScout.
  • Authen Password: Enter the same password used in setting up ForeScout.
  • Priv Protocol: AES-128 is recommended.
  • Priv Password: Should match the privacy password on ForeScout.
  • Role: Select a Role from the drop-down list to agree with the level of access you want to grant to the SNMP user.    An Admin user role will be needed to enable write access to the system.

If not already created, press SNMP Parameter to create the Trap User.

 

  • Name: Give a meaningful name to the Trap User.
  • SNMP Model: V2 or V3 is supported, V3 is recommended and shown in this example.
  • SNMP User: A previously created SNMP user should be selected.
  • Storage Type: NONVOLATILE. 

You can now Add ForeScout to the list of destination trap hosts.


 

If it has not already been enabled, Enable the SNMP agent by pushing the corresponding button.

Set "Never Expire" Password Aging

The Forescout agent will need to log into the OLT in order to configure VLANs and block ports.  To do this it must have a valid CLI account.  It is recommended to disable password aging on that account so that Forescout is not blocked from updating ports on the OLT.  The password should still be changed in a controlled manner on a regular basis to ensure good security.    This just ensures that the password does not age out during normal operations.

Set Forescout Password Aging from the EMS

Use the following procedure to set Password Aging on a single user:

  1. Open a Panorama PON (EMS) session and select the OLT from the Common Tree, right-click and select Local User Configuration from the dropdown List.


     
  2. The Local User Configuration dialog screen is displayed. Scroll to the bottom of the Local User Configuration to access the User Information.


     
  3. Select the User Information and click on the Modify button.


     
  4. Set Aging Period to 0 and click on the Submit button. A Warning dialog will be displayed.
  5. Click on the Yes button; a success message is displayed.
  6. Click on the OK button. The Local User Configuration dialog will show the Expires In field as Force Expired.
  7. Click on the Close button to end the session.

Setting Forescout Aging from the CLI

Open a CLI session for the OLT and access the enableusersecurity command:

The enableusersecurity command provides the Security Administrator with the ability to enable or disable password aging and craft account access for a user that resides in the local user database.

Note 1: Log on with Admin or Security Admin user privileges to perform this procedure.
Note 2: When setting Password Aging to Disable=0, the aging will never expire.

Attributes for the enableusersecurity command.

  • Command -enableusersecurity
    • Local Password Aging Enable or Disable (E, D) [E]:
       
  1. From an ESUx command line, Input enableusersecurity, and press Enter. The following prompt is displayed.
    ESUx> enableusersecurity <enter>
    Local Password Aging Enable or Disable (E,D)[E]:E 
    Readonly craft Account Access Enable or Disable (E,D)[E]: E  
    ESUx> _
  2. Input D and press Enter to disable Local Password Aging. The following prompt is displayed.
    ESUx> enableusersecurity
    Local Password Aging Enable or Disable (E,D)[E]: D 
    Readonly craft Account Access Enable or Disable (E,D)[E]: D <enter> 
    ESUx> _
  3. The results of the enableusersecurity command can be viewed by executing the userinfo command.

The next step is to enable the PAE (Port Authentication Entity) on the OLT and configure it to correspond to ForeScout settings.

Setting Up 802.1x/MAB Configuration on Tellabs OLAN

If you are using the 802.1x or MAB mechanism to grant access to the network with ForeScout, the following steps must be performed to configure OLAN to interface with the ForeScout RADIUS agent.


 

The settings for the OLAN OLT are accessed as follows: 

Right Click on the OLT->Protocol->Port Authentication.


 

  • Enable 802.1x: Click Enable 802.1x port-based access control to turn on 802.1x/MAB on the OLT.
  • Radius Server Hostname/IP Address: Add the Hostname or IP address of the ForeScout Appliance (which contains a RADIUS server) and add the corresponding secret/shared key.  If hostname is used, ensure DNS is set up for the system.
  • Shared Key / Confirm Key: Add the shared secret / shared key used.  This must match the shared key on ForeScout.
  • Dynamic Authorization Client Hostname/IP address: Add the Hostname or IP address of the ForeScout Appliance in the Dynamic Authorization Client Hostname/IP and the shared secret/key.  This allows the CoA actions to be performed by ForeScout.
  • DAC UDP Port: The DAC UDP port should be left at the standard CoA port of 3799.  Tellabs supports a configurable port, but the current ForeScout release requires port 3799.

Validating OLT connectivity to ForeScout

You can validate the connection between RADIUS and ForeScout using menus on the ForeScout appliance.  It can validate the SNMP Agent Connection, Switch Port Block, and Assign to VLAN actions.


 

This is done via the Options->Switch menu of the CounterACT GUI: select Test and answer Yes to the prompt to test the configuration.

Ensure that the following tests pass:

  • Read Permission
  • Number of Physical Addresses Found
  • Assign to VLAN
  • Switch Block
  • Connectivity

Creating OLT Segments

As with any CounterACT installation, you will need to create the segments associated with the OLT so that CounterACT can properly monitor the system.  Create Segments in the Segment Manager.

Click On Segments, then click on Plus to create a new Tellabs Segment.

  • Name: Set the name for the segment.
  • Description: Set the description.
  • Location: Set Location as Desired.

Press Add to Add an IP Range.

IP Range: Define the IP Range(s) over which the segment applies.

Creating OLT Span Port

One of the mechanisms CounterACT uses to monitor the network is via a SPAN or mirror port on the switch.  The Tellabs OLT supports port mirroring, and the following example will demonstrate how to set up the mirror port to allow CounterACT monitoring.

ESU2> portmirroring
Usage :
Port/LAG Mirroring
 PORTMIRRORING <EN[ABLE]|DIS[ABLE]> <source port> <target port>
 <IN|OUT|BOTH>
 - EN[ABLE] will enable the port mirroring function.
 - DIS[ABLE] will disable the port mirroring function.
 - <source port> is one of:
 - NET1..12 for UPLINK LAGs.
 - <target port> is one of:
 - MDS1-ESU<X>-1...MDS1-ESU<X>-6 where <X> = A or B.
 - IN - All traffic coming in the source port is mirrored to the target port.
 - OUT - All traffic going out of the source port is mirrored to the target port.
 - BOTH - All traffic in both directions is mirrored from the source port to the
   target port.
 
ESU2> portmirroring EN NET1 MDS1-ESUB-2 BOTH
 Adding port mirroring ...
 ... operation completed successfully.
ESU2>

 

  • The portmirroring command allows mirroring of either ports or LAG interfaces (NET interfaces).  The port mirror target is always a single port.
  • The portmirroring command is also not persistent, so after upgrades or reboots you will need to instantiate the port mirror again to resume monitoring.

Once the user has initiated the port mirror, the user can use the standard CounterACT mechanisms to enter the monitoring channels to enable monitoring of the traffic.  Consult CounterACT documentation for how to set this up.


 

This dialog simply shows the VLANs learned by ForeScout on the Span Port.  Select any VLANs to be monitored.

Using the Profile Match Function to Generalize Policies

Tellabs supports a unique function that allows much more generalized policies to be defined within a policy engine such as CounterACT.  Conceptually, within a given geographic area you will have different services.  Examples of services might be: voice, video, data, printers, etc.  In most instances the policy engine can classify the type of device and assign a logical category to it.

One shortcoming of this is that for a given category of device (printer, for example), the actual printer VLAN for a particular floor or area of a building may be in a different subnet than the printer VLAN in another region.

The Tellabs OLT supports a match on the service profile name (similar to a VLAN name) based on the profile name coming from CounterACT.  In this way the policy actions coming from CounterACT can be very generic (e.g. Assign Printer VLAN).  On the OLT, all the possible services are configured on every port in a geographic area.  The correct one is then selected based on CounterACT classifying the device and applying a Policy Action, which is sent via the Filter-ID portion of the RADIUS response.

AppNote ENG-010428, Configuring Policy via RADIUS Authentication, gives much more detail on this in the section Using Service Profile-Match for Generic Policies.

Administration of Non-802.1x Environments

CounterACT supports two modes of operation: 802.1x environments and non-802.1x environments.  The most typical deployment environment is non-802.1x.

In non-802.1x environments, there are often ports that support both a phone and a PC on the same port.  The PC is attached to a port on the phone, which allows both to use a single switch port.  Since phones do not support the CounterACT Secure Connector, some other mechanism is needed to indicate which of the two connections on the port is the voice connection, as it needs a different policy applied.

VLAN Naming:


 

The VLAN entries in the Tellabs OLTs need to be created and presented for use by CounterACT.  In addition, if the configuration in CounterACT uses VLAN names, then the naming in the Tellabs EMS VLAN Properties tab is important: the Description field should be equal to the VLAN Name and VLAN ID used in CounterACT.

Typically, ports with a phone and PC will have configurations similar to the following:


 

This port configuration contains two profiles: DATA-NV2996-ANYMAC, which applies to the PC behind the phone, and VOICE-NV76-SV76-ANYMAC, which is applied to the phone attached to the port.  CounterACT looks for the string "VOICE" at the beginning of the profile name to indicate which profile applies to the phone.  The first 5 characters in the name of the VOICE profile are critical for proper recognition by CounterACT.

A group should be created for different user types.  This example recognizes Wireless Access Points and does an Assign to VLAN Action.


 

First, create a group for the wireless Access Points.

Then Create a Policy for VLAN Restrict Action:


 

Create a Main Rule:


 

This example ensures that the device is a Member of Group Network Devices.

  • DHCP Device OS - Rules can be constructed such that when DHCP is snooped, the device OS includes Ruckus Wireless in this case.  

DHCP Vendor Class can also be used to help identify the device.  In this case, the Vendor Class also includes Ruckus CPE.  This dialog shows the Add to Group action which will move the device into the specified group for further processing.


 

Next, a Control Policy is created to assign the device to the desired VLAN.


 

In this example, the device is assigned to VLAN 15 and is assigned by VLAN ID rather than VLAN name.

The example below shows an action which assigns the VLAN by VLAN name and assigns it to a Remediation VLAN.


 

The following action shows how to perform a Switch Block action which blocks the port and prevents any traffic from passing.

Creation of MAB Groups

Once CounterACT classifies a device, it places it into a group.  Groups need to be created to manage the different MAB devices within the network.  In this example, we will use a parent group for MAB devices and sub-groups for the device types, such as Printers and VoIP Phones.


 

The Groups menu is accessed by right-clicking on Groups->Group Manager.

The example above shows the creation of a MAB group to contain all MAB devices.  

Using MAB with MAC Addresses

CounterACT supports MAB or MAC Authentication Bypass.  MAB allows the MAC address to be used to "authenticate" a device to RADIUS and get a policy back based on the device's MAC address.  CounterACT can return this policy in the FILTER-ID field of the Access-Accept response.

In its simplest form, a specific MAC address is used.  MAB is typically used for simpler devices (printers, phones, etc.) that don't support 802.1x authentication.  For this setup, the MAC address of each MAB device is added to CounterACT in the Lists option.


 

CounterACT Options->Lists is used to add a List of MAC Addresses.


 

Once the list of MACs is created, it is then used in MAB Classification by creating a Policy.  

Using MAB with MAC OUIs

CounterACT also supports using MAC OUIs to classify devices.  This can be used in conjunction with the Tellabs Match function to greatly generalize the rules and policies in CounterACT.  In every MAC address, the first three bytes (the OUI) identify the manufacturer of the device, so the OUI can often be used to classify the type of device.  As an example, phones or printers from a manufacturer often all have the same MAC OUI, so you might be able to handle printers or phones simply by knowing their MAC OUI.

To create a list of MAC OUIs, you need to create a Custom Condition.  Custom Conditions are created via the main screen Policy Tab->Custom.


 

The example above shows custom conditions that classify Camera MACs, Printer MACs and VoIP phone MACs.  This allows them to be treated generically with a single rule for each.  It also means that there is no need to enter individual device MACs.  The following dialog shows an example of an individual rule.


 

Classifying Devices into a Group

At the highest level, a Policy needs to be created to classify MAB devices.

This is done by creating a policy whose scope is for Hosts without known IP addresses.  

Sub-rules are added for all of the "devices" in that group.  The sub-rules shown in this example contain both explicit MAC addresses and MAC OUIs appropriate to the rule.  Each rule has an associated set of actions.  An Add to Group action is used to classify the device into a particular group.


 

The sub-rules can be used to classify the MACs and place them into a group.  The example below classifies both a list of explicit MACs and any MAC OUIs that identify particular device types.  The MAB sub-rules classify the devices and use an action to add them to a group.


 


Example of the Add to Group Action:


 

Controlling MAB Devices

Once we have classified the device as MAB and determined its type, we need to use the CounterACT controls to set the associated policy.

From the Policy Tab -> Add you can add a new policy to control the MAB device.


In this example, a sub-rule has been created to handle VoIP phones and a separate rule for printer devices.  Later steps will explain the configuration that will be needed within the configuration of the control action.

Sub Rule Configuration

Within the sub-rules of MAB Control, the rule will be based on membership in the group.  It will then update the 802.1x MAR (MAC Address Repository) with that MAC address.


 

Once the MAC is recognized and classified, it will now be placed into the MAR which will result in a successful Authentication and proper assignment of a policy via Filter-ID.

The following example shows a rule which will configure the attributes in the RADIUS Access Accept message and configure the policy.


 

In this example it will assign the Filter-ID using TLAB-PROFILE-MATCH to VOICE.  The OLT upon receiving this will search for a profile that begins with the string VOICE and then assign that service profile to the line.  The service Profile will contain all the policy settings for that Port/MAC.  Additionally, this attribute adds an ACL profile to the line which will permit all traffic.
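As an added illustration (not Tellabs or ForeScout code), the following Python builds and parses a RADIUS Access-Accept carrying the Filter-ID, Session-Timeout and Termination-Action attributes this note describes, then applies the profile match the way the OLT does against the DATA and VOICE profiles from the phone-and-PC port example. The text form of the profile-match Filter-ID ("TLAB-PROFILE-MATCH=VOICE") and the all-zero authenticator are assumptions made for the example.

```python
import struct

# RADIUS constants from RFC 2865: Access-Accept code and attribute types.
ACCESS_ACCEPT = 2
FILTER_ID, SESSION_TIMEOUT, TERMINATION_ACTION = 11, 27, 29
TERMINATION_RADIUS_REQUEST = 1   # the "RADIUS-Request" value the note requires

# Assumed text form of the Tellabs profile-match Filter-Id; the real syntax is
# documented in AppNote ENG-010428, not here.
PROFILE_MATCH_PREFIX = "TLAB-PROFILE-MATCH="


def encode_attribute(attr_type, value):
    """Encode one RADIUS attribute as type, length, value (integers are 4-byte big-endian)."""
    if isinstance(value, int):
        value = struct.pack("!I", value)
    elif isinstance(value, str):
        value = value.encode("utf-8")
    if not 1 <= len(value) <= 253:   # the length octet covers type+length+value, max 255
        raise ValueError("attribute value must be 1..253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_accept(identifier, attributes, authenticator=bytes(16)):
    """Build an Access-Accept. The authenticator here is a zero placeholder; a real
    server computes the Response Authenticator (MD5 over the reply and shared secret)."""
    body = b"".join(encode_attribute(t, v) for t, v in attributes)
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(body))
    return header + authenticator + body


def parse_attributes(packet):
    """Return (code, identifier, [(type, raw_value), ...]); raise ValueError on malformed input."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("attribute length out of bounds")
        attrs.append((attr_type, packet[pos + 2:pos + attr_len]))
        pos += attr_len
    return code, identifier, attrs


def select_profile(port_profiles, prefix):
    """Mimic the OLT profile match: the service profile configured on the port
    whose name begins with the prefix carried in the Filter-Id (e.g. VOICE)."""
    for name in port_profiles:
        if name.startswith(prefix):
            return name
    return None   # no profile with that prefix on this port: nothing to assign


def apply_access_accept(packet, port_profiles):
    """Parse the reply and pick the service profile to assign to the line.
    Returns (profile_or_None, session_timeout, termination_action)."""
    code, _, attrs = parse_attributes(packet)
    if code != ACCESS_ACCEPT:
        return None, None, None
    profile, timeout, term = None, None, None
    for attr_type, raw in attrs:
        if attr_type == FILTER_ID:
            text = raw.decode("utf-8", "replace")
            if text.startswith(PROFILE_MATCH_PREFIX):
                profile = select_profile(port_profiles, text[len(PROFILE_MATCH_PREFIX):])
        elif attr_type == SESSION_TIMEOUT and len(raw) == 4:
            timeout = struct.unpack("!I", raw)[0]
        elif attr_type == TERMINATION_ACTION and len(raw) == 4:
            term = struct.unpack("!I", raw)[0]
    return profile, timeout, term


# Constructed sample: the two profiles from the phone-and-PC port in the note.
PORT_PROFILES = ["DATA-NV2996-ANYMAC", "VOICE-NV76-SV76-ANYMAC"]
VOICE_ACCEPT = build_access_accept(7, [
    (FILTER_ID, PROFILE_MATCH_PREFIX + "VOICE"),
    (SESSION_TIMEOUT, 50400),
    (TERMINATION_ACTION, TERMINATION_RADIUS_REQUEST),
])
```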

This dialog shows the entry of a VoIP MAC into the MAR as a result of the control action.

Creation of PAE Groups

In the use case where 802.1x is being used to authorize users on the system, this section defines how to configure CounterACT to recognize these users and apply the appropriate policy.  Once CounterACT classifies a device, it places it into a group.  This example will classify users using 802.1x and place them into a group.

First create a Group for the 802.1x PAE Users.


 

  • Name: Add a name such as PAE Domain Endpoints or 802.1x Users to help distinguish these users.
  • Description: Add a meaningful description.

Go to Options and select RADIUS to add a Pre-Admission Authorization rule to recognize these users.


 

Add the following Pre-Admission Authorization Rule:


 

  • User-Name: Any 802.1x User
  • NAS-Port-Type: Ethernet should be used as the NAS-Port-Type.
  • LDAP-Group: If LDAP is being used for authentication, add the appropriate LDAP Group.  Please note the slash needed to escape any dashes within the LDAP Group Name.

Add the following Authorization Attributes:

  • FILTER-ID: Add any Filter-ID to be used.  This shows a Profile Match on the assigned DATA profile.  An additional Filter-ID is shown for the ACL list.  A Filter-ID can also be included that defines the IFALIAS to be used; it will appear in the User Label of the port.
  • Session-Timeout: 50400 is a typical default for most systems but can be modified.
  • Termination-Action: RADIUS-Request is the required Termination Action.

Classifying and Controlling 802.1x Users

First, Create a Policy.


 

  • Name: Give a meaningful name to the rule.
  • Description: Add description of the policy.
  • IP Ranges: In the Scope section select the IP ranges associated with this OLT(s).  In this example we selected the Tellabs IP ranges created earlier.

Create a Main Rule as follows:


 

Matching Condition: Select All criteria are True.

Add the following Criteria:

  • 802.1x Authenticated Entity: Select User.
  • 802.1x RADIUS Authentication State: Select RADIUS Accepted.
  • NOT 802.1X Calling Station ID: Starts With 00-C0-9B.  This ensures that it is not the OLT MAC OUI which should be classified to a different group and ensures this will only apply to the users of the system.  CLI users will always be using the MAC of the OLT which begins with 00-C0-9B.

The user can also use Sub Rules to further classify the user into the appropriate Domain:


 

This sub rule shows classifying by domain and adding to the group appropriate to that domain.

  • Matching Condition: All Criteria are True

Add Criteria:

  • NetBIOS Domain: Set to the appropriate Domain for your network.

Actions:

  • RADIUS Authorize: See details below.
  • Add to Group: Add it to the group associated with the domain.

 

The following attributes were added to the RADIUS Access-Accept attributes in the RADIUS Authorization.

  • User-Name: Any 802.1x User
  • NAS-Port-Type: Ethernet should be used as the NAS-Port-Type.
  • LDAP-Group: If LDAP is being used for authentication, add the appropriate LDAP Group.  Please note the slash needed to escape any dashes within the LDAP Group Name.

Add the following Authorization Attributes:

  • FILTER-ID: Add any Filter-ID to be used.  This shows a Profile Match on the assigned DATA profile.  An additional Filter-ID is shown for the ACL list.  A Filter-ID can also be included that defines the IFALIAS to be used; it will appear in the User Label of the port.
  • Session-Timeout: 50400 is a typical default for most systems but can be modified.
  • Termination-Action: RADIUS-Request is the required Termination Action.

Authorization of OLT CLI Users via CounterAct

In this section we will create a group for Admin CLI users to enable access to the system.

Click the appropriate level in the Groups Manager, click Plus to add a new group for CounterAct to use for CLI users.


 

  • Name: Give a meaningful name to the CLI users group.
  • Description: Update the description.

Press OK to accept the group.

In Options -> RADIUS, we will add a rule for administrative CLI Users:


 

Add a Criteria using the Add Button.

  • Calling-Station-ID: Add MAC starts with 00c09b which is the Tellabs OLT MAC prefix.  This will direct RADIUS requests from the OLT CLI RADIUS Auth to this group.
  • User-Name: Any username is allowed, although it could be restricted further if needed.

Add the following Authorization Attributes:

  • Reply-Message: preadm_admin
  • Tellabs-UserRole: The role should be set to the appropriate Role in the Tellabs CLI system.

The following Roles are supported:

  • Administrator - Can Read, Write, and create / delete users.  Cannot admin certificates.
  • Maintenance - Can read and write to database, cannot edit users.
  • ReadOnly - Can only look at database, cannot change it.
  • SecurityAdmin - Can administer certificates.

Example of entering the Tellabs-UserRole:


 

Create a Policy to place the CLI users into the correct group:


 

Press Edit to Edit the Main Rule:


 

Add the Criteria of:

  • 802.1x Authenticated Entity: Set the criteria to User.
  • 802.1x Calling Station ID: Configure for Starts with the Tellabs MAC OUI of 00-c0-9b.  Ensure dashes are used to separate the octets.  This differs from the format used in the Pre-Admission Authorization Rule for Admin Users.
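The note writes the Tellabs OUI as 00-C0-9B in one rule and 00c09b in another, and classifies MAB devices by explicit MAC lists and by OUI custom conditions. As an added example (not ForeScout's own logic), this Python canonicalises a Calling-Station-Id regardless of separator and then applies those three checks; the camera, printer and VoIP OUIs and the explicit MAC list are constructed placeholders, and the evaluation order is an assumption.

```python
import re

# Tellabs OLT MAC prefix from the note (written "00-C0-9B" in the policy rule
# and "00c09b" in the Pre-Admission Authorization rule).
TELLABS_OUI = "00-C0-9B"

# Constructed placeholder table standing in for the Camera / Printer / VoIP
# custom conditions; these OUIs are made up, not real vendor assignments.
DEVICE_OUIS = {
    "00-11-22": "camera",
    "00-33-44": "printer",
    "00-55-66": "voip-phone",
}

# Constructed explicit-MAC list (the Lists option in the note); also placeholders.
EXPLICIT_MACS = {
    "00-77-88-00-00-01": "printer",
}

_TWELVE_HEX = re.compile(r"^[0-9A-Fa-f]{12}$")


def normalize_mac(mac):
    """Canonicalise 00c09b112233, 00:c0:9b:11:22:33, 00-C0-9B-11-22-33 or
    00c0.9b11.2233 to 00-C0-9B-11-22-33 so rules written in different formats
    compare equal. Raises ValueError for anything that is not 12 hex digits."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if not _TWELVE_HEX.match(digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2)).upper()


def oui_of(mac):
    """First three octets, in the same dashed upper-case form as TELLABS_OUI."""
    return normalize_mac(mac)[:8]


def classify(calling_station_id):
    """Assumed evaluation order: explicit MAC list, then the OLT's own OUI
    (requests from OLT CLI logins), then the OUI custom conditions.
    Note that MAB/OUI matching trusts a self-reported address, which is why the
    note still applies restrictive service profiles to MAB groups."""
    mac = normalize_mac(calling_station_id)
    if mac in EXPLICIT_MACS:
        return EXPLICIT_MACS[mac]
    if mac.startswith(TELLABS_OUI):
        return "olt-cli-user"
    return DEVICE_OUIS.get(oui_of(mac), "unclassified")
```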

Add a Subrule for each administrative domain.  This example shows a TELLABS-WEST subdomain.


 

The Action Add to Group will be used to move them into the appropriate group.
