
Alcatel os6250 switches and radius authentication (for admins)

I like the centralized authentication approach. For corporate workstations it is normally achieved with Active Directory, which gets better with every release of Windows Server.

For network devices, however, you are still left with RADIUS or TACACS+. I have much more experience with Microsoft NPS (it was called IAS in Windows Server 2003 times), so that is the RADIUS server used here.

Configuring a Cisco switch to use RADIUS as its authentication source is very easy; even a novice to the subject can google it and find a working solution within the first three links.

This time we'll look at how to configure Alcatel-Lucent OS6250 series switches to use RADIUS for administrative access.



Teaching any switch or router to talk to RADIUS requires configuration in two places: a) the RADIUS server and b) the device itself.
Part b), the device, is easy. Part a) is tricky, because every vendor has its own caveats in the RADIUS exchange (here: vendor-specific attributes).
That is why we start our journey with part b). Steps to take:
1. enable AAA
2. create a RADIUS server profile with the pre-shared key
3. tell AAA to use RADIUS before falling back to internal (local) authentication.

For the OS6250 the configuration can be the following:

-> show configuration snapshot aaa
! AAA :
aaa radius-server "radserv" host <ipaddress> key <key> retransmit 3 timeout 2 auth-port 1812 acct-port 1813
aaa authentication default "local"
aaa authentication console "local"
aaa authentication ssh "radserv" "local"

Note that console access stays local, so you can still get in if the RADIUS server is down or the policy is wrong; the ssh line tries radserv first and only then local, in the order listed. Treat <key> like a password (a long, random shared secret) and keep the RADIUS traffic on a management network, since RADIUS itself only obfuscates the password field with MD5 and authenticates the rest of the packet weakly.


Now the NPS part, which I promised is the tricky one.

In the network policy's vendor-specific settings you have to add five entries under vendor code 800, the Alcatel-Lucent vendor ID. Each entry is a vendor attribute number plus a value; the values are discussed below.
The first four are in Hex format and use vendor attribute numbers 39 through 42.

The last one is string attribute 9.

Now let's get back to those magic values and attributes.
The attribute numbers can be found in the documentation (the Network Configuration Guide PDF).

The values, however, should be constructed with the switch's web or CLI interface. In the web interface go to
Security -> ASA -> Local Users -> Family Bitmap Calculator; for this post full R/W access was selected, which yields the four bitmaps for an administrator.
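To make the NPS entries concrete, here is an added example (not code from the original post) of what those five entries look like on the wire: a Python encoder and decoder for the RFC 2865 Vendor-Specific attribute (type 26) under vendor ID 800, carrying the four Hex-format bitmap attributes 39 to 42 and string attribute 9. The bitmap values used are placeholders standing in for whatever the Family Bitmap Calculator produces on your switch, the string value "all" for attribute 9 is an assumption to be checked against the switch documentation, and the function names are mine.

```python
"""Added example (not from the original post): build and parse the RFC 2865
Vendor-Specific attributes (type 26) that NPS returns in its Access-Accept so
an OS6250 grants administrative access.  Vendor ID 800 and sub-attribute
numbers 39-42 (hex bitmaps) and 9 (string) come from the post; the bitmap
values and the string "all" are placeholders / assumptions to be taken from the
switch's Family Bitmap Calculator and the AOS documentation."""
import struct

VSA_TYPE = 26                          # RFC 2865 section 5.26, Vendor-Specific
ALCATEL_VENDOR_ID = 800                # vendor code used in the NPS entries
PRIV_BITMAP_ATTRS = (39, 40, 41, 42)   # R1, R2, W1, W2 family bitmaps, 32-bit each
ASA_ACCESS_ATTR = 9                    # the string attribute


def encode_vsa(vendor_id: int, vendor_type: int, data: bytes) -> bytes:
    """One Vendor-Specific attribute holding a single vendor sub-attribute:
    Type(1) Length(1) Vendor-Id(4) Vendor-Type(1) Vendor-Length(1) data."""
    if not 0 <= vendor_id < 2 ** 32 or not 0 < vendor_type < 256:
        raise ValueError("vendor id / type out of range")
    sub = struct.pack("!BB", vendor_type, 2 + len(data)) + data
    total = 6 + len(sub)
    if total > 255:
        raise ValueError("value does not fit in one attribute")
    return struct.pack("!BBI", VSA_TYPE, total, vendor_id) + sub


def encode_admin_profile(bitmaps, asa_access: str = "all") -> bytes:
    """Serialise the five NPS entries. bitmaps = (r1, r2, w1, w2) as 32-bit ints.
    An NPS 'Hex' entry becomes the raw bytes, a 'String' entry the ASCII text."""
    if len(bitmaps) != len(PRIV_BITMAP_ATTRS):
        raise ValueError("need exactly four family bitmaps")
    out = b"".join(
        encode_vsa(ALCATEL_VENDOR_ID, attr, struct.pack("!I", bm))
        for attr, bm in zip(PRIV_BITMAP_ATTRS, bitmaps)
    )
    return out + encode_vsa(ALCATEL_VENDOR_ID, ASA_ACCESS_ATTR, asa_access.encode("ascii"))


def decode_vendor_attrs(buf: bytes, vendor_id: int = ALCATEL_VENDOR_ID) -> dict:
    """Walk a RADIUS attribute list and return {vendor_type: data} for the given
    vendor, ignoring every other attribute.  Length fields are validated so a
    malformed list raises instead of being silently mis-parsed."""
    found = {}
    i = 0
    while i < len(buf):
        if len(buf) - i < 2:
            raise ValueError("truncated attribute header")
        atype, alen = buf[i], buf[i + 1]
        if alen < 2 or i + alen > len(buf):
            raise ValueError("bad attribute length")
        value = buf[i + 2:i + alen]
        i += alen
        if atype != VSA_TYPE:
            continue
        if len(value) < 6:
            raise ValueError("Vendor-Specific attribute too short")
        vid = struct.unpack("!I", value[:4])[0]
        j = 4
        while j < len(value):          # several sub-attributes may share one VSA
            if len(value) - j < 2:
                raise ValueError("truncated vendor sub-attribute")
            vtype, vlen = value[j], value[j + 1]
            if vlen < 2 or j + vlen > len(value):
                raise ValueError("bad vendor sub-attribute length")
            if vid == vendor_id:
                found[vtype] = value[j + 2:j + vlen]
            j += vlen
    return found


def admin_profile(buf: bytes):
    """Interpret an attribute list the way the post says the switch expects it:
    all four 32-bit bitmaps plus attribute 9 must be present.
    Returns (bitmaps, asa_access) or None if anything is missing."""
    attrs = decode_vendor_attrs(buf)
    if any(a not in attrs or len(attrs[a]) != 4 for a in PRIV_BITMAP_ATTRS):
        return None
    if ASA_ACCESS_ATTR not in attrs:
        return None
    bitmaps = tuple(struct.unpack("!I", attrs[a])[0] for a in PRIV_BITMAP_ATTRS)
    return bitmaps, attrs[ASA_ACCESS_ATTR].decode("ascii", "replace")


if __name__ == "__main__":
    # Placeholder bitmaps standing in for what the Family Bitmap Calculator gives.
    packet_attrs = encode_admin_profile((0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF))
    print(packet_attrs.hex())
    print(admin_profile(packet_attrs))
```

Running it prints the hex of the five attributes: each bitmap entry starts with `1a 0c 00 00 03 20` (type 26, length 12, vendor 800) followed by the sub-attribute number, its length 6 and the four bitmap bytes, which is exactly what you should see in a packet capture of the Access-Accept if the NPS entries are right. The decoder is the useful half when debugging: feed it the attribute portion of a captured reply and `admin_profile` tells you which of the five entries is missing.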


Again, I only have OS6250 switches to test this solution on. Most likely this configuration works with other Alcatel-Lucent switches, but with different bitmaps.

Described behavior has been tested on version AOS 6.6.4.221
