Windows 2012 Radius Server setup for Avaya ERS 8600

[joseAlberto]

I have been trying to setup authentication for Various ERS 8600 running secure image 7.1.0.104 with a Windows server 2012 R2 Radius. My current configuration works on the Cisco devices and Brocade switches I have on the network but it does not work on the Avaya. I have follow the only guide I have found from Avaya but the instructions on the server side are for an Identity Engines Ignition Radius Server.
Can someone point me to a write-up or guide online using windows server? I tried different combination of vendor specific setting and values but even when the server says it granted access the switch says access denied.
Thank you in advance

Jose 

[TankII]

We used IDE due to problems with Windows Radius.

Funk Steel Belted Radius Dictionary file:
################################################################################
# bayrs.dct - Nortel Networks BayRS dictionary
#
# This dictionary contains BayRS Router Specific Attributes
#
# (See README.DCT for more details on the format of this file)
################################################################################
# Use the Radius specification attributes
#
@radius.dct

#
# Define Nortel Networks BayRS Family Attributes
#
MACRO Bay-VSA(t,s) 26 [vid=1584 type1=%t% len1=+2 data=%s%]

#
# Attributes used with dial services
#
ATTRIBUTE Bay-Local-IP-Address            Bay-VSA(35, ipaddr) r

#
# Attributes used with l2tp
#
ATTRIBUTE Bay-Primary-DNS-Server         Bay-VSA(54, ipaddr) r
ATTRIBUTE Bay-Secondary-DNS-Server         Bay-VSA(55, ipaddr) r
ATTRIBUTE Bay-Primary-NBNS-Server         Bay-VSA(56, ipaddr) r
ATTRIBUTE Bay-Secondary-NBNS-Server         Bay-VSA(57, ipaddr) r

#
# Attributes used with multi user access
#
ATTRIBUTE Bay-User-Level                   Bay-VSA(100, integer) R
VALUE Bay-User-Level   Manager             2
VALUE Bay-User-Level   User                4
VALUE Bay-User-Level   Operator            8

ATTRIBUTE Bay-Audit-Level                  Bay-VSA(101, integer) R
VALUE Bay-Audit-Level  Manager             2
VALUE Bay-Audit-Level  User                4
VALUE Bay-Audit-Level  Operator            8

ATTRIBUTE  Nortel-Service-Type              6     integer           Cr

VALUE      Nortel-Service-Type              Login         1
VALUE      Nortel-Service-Type              Framed          2
VALUE      Nortel-Service-Type              Callback-Login       3
VALUE      Nortel-Service-Type              Callback-Framed       4
VALUE      Nortel-Service-Type              Outbound          5
VALUE      Nortel-Service-Type              Administrative       6
VALUE      Nortel-Service-Type              NAS-Prompt          7
VALUE      Nortel-Service-Type              Authenticate-Only       8
VALUE      Nortel-Service-Type              Callback-NAS-Prompt    9
VALUE      Nortel-Service-Type              Call-Check          10
VALUE      Nortel-Service-Type              Callback-Administrative    11

################################################################################
# bayrs.dct - Nortel Networks BayRS dictionary
################################################################################

[avayajag]

Anyone else has somethig for this, I have not been able to get the server to authenticate the switch yet.

Jose

[Jeroen]

Hi JoseAlberto,

I've been using Microsoft RADIUS to access my ERS8600's for over 10 years now (2003, 2008, 2012 2012R2) without any issues.
Here is what you require to configure on ERS8600:

- Enable RADIUS globally on ERS8600
- Configure RADIUS server(s) on ERS8600, enabled and with the correct shared key

Then on MS NPS:

- Add the specific device as a RADIUS client with the corresponding shared secret
- You can create a connection request policy. It is is not required but it eases distinction of policies
- Create a network policy and have a condition of friendly name or nas IP-address of the ERS8600 added
- Also have the specific user group added of which you, as an ERS8600 admin, are member of.
- In the constraint tab, add Microsoft: Protected EAP as a EAP method.
- Enable MSCHAPv2 (EAP-MSCHAPv2). If this does not work add the less secure PAP/SPAP methods
- Then in settings, add a VSA with vendor radius standard and a value of 6 (RWA).
- Edit the VSA and enter vendor code 1584. Select yes it conform (RADIUS RFC)
- click configure attribute and use value 192 for Vendor-assigned attribute, atrribute format decimal and attribute value 6 (RWA).

Apply the config to NPS and you should have a working setup.

Be aware! Unfortunately EDM does not recognize the atribute value returned by RADIUS, resulting in an Always RWA ccess regardless the value being set (even RO)!  I've addressed a feature request at Avaya last year, but I assume it will take a long time to get this added within EDM.

[avayajag]

I just read this reply from home tonight, I will try it tomorrow and let you know.

Thanks a ton for the info.

Jose

[avayajag]

I tried your setting but I still am unable to log in. I tested my login on another Cisco switch and it worked, when I tried it on the 8600 I get the following message:

[avayajag]

This is what I have set up on the Radius server, I am posting a capture: