[HOWTO] Authenticating Omnivista user via radius

Post by birkov »

Hi,

A little feedback on the Omnivista 2500 user authentication configuration with radius.

Tested with Omnivista 2500 version 3.5.3 GA 64-bit with WebServices and two Microsoft 2008 R2 NPS servers.
Alcatel documentation : https://service.esd.alcatel-lucent.com/ ... umber=7254
There are some docs in the Omnivista Help, but they are not really helpful.

You need a working Omnivista 2500 server and one working NPS server.

1) Connect to your NPS server and create a new radius client, which is your Omnivista 2500 server. (Write down the shared secret :D)

2) Create a new Network policy with a User Groups condition (Active Directory User Group)

3) In the parameters tab, add a Vendor Specific attribute with this configuration:
Vendor Code: 800 and configure attribute
Vendor-assigned attribute number: 20 <Alcatel-Nms-Group>
Attribute format: String
Attribute value: Default <This parameter returns the Omnivista group, Case Sensitive!>
The Default Omnivista group has Read-Only rights; if you need Read-Write, the Attribute value is: Administrators <Case Sensitive too!>

4) Validate all windows, log in to your Omnivista 2500 server and open the Omnivista 2500 software

5) Go to “Security”, “Authentication Servers”, click on the “Radius” tab and create a new radius server, which is your NPS server (take your paper with the shared secret)

6) Go to “Security”, “Users and User Group”, check that the group Default or Administrators exists
7) Click “Authentication Server” and select the radius server object created in step 5
8) Apply.
9) Test the radius user authentication FROM ANOTHER INSTANCE of Omnivista!! <Yes, you can run multiple client instances on the same PC/server>
WARNING: Don’t close your first Omnivista 2500 instance before you have fully tested that the radius authentication is working!! Otherwise you will need to shut down the NPS service on the radius server, because Omnivista 2500 doesn’t try to authenticate users with the local database if a radius server is configured and running.

Now you may be able to log in to Omnivista with your Active Directory account.
It's also working for Omnivista Web Services!!

See below the full Radius attribute list for Alcatel-NMS:
ATTRIBUTE Alcatel-Nms-Group Alcatel-Attr(20, string) R
ATTRIBUTE Alcatel-Nms-First-Name Alcatel-Attr(21, string) r
ATTRIBUTE Alcatel-Nms-Last-Name Alcatel-Attr(22, string) r
ATTRIBUTE Alcatel-Nms-Description Alcatel-Attr(23, string) r
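
Added example, not part of the original post: how the attribute from step 3 (vendor code 800, attribute number 20) is laid out on the wire as RADIUS Vendor-Specific attribute 26, plus a check of the reply's Response Authenticator against the shared secret as defined in RFC 2865. The function names, the sample secret and the packet are constructed for illustration; the two group names are the ones given in the post.

```python
import hashlib, hmac, struct

ALCATEL_VENDOR = 800   # "Vendor Code" from step 3
NMS_GROUP = 20         # Alcatel-Nms-Group
OV_GROUPS = ("Default", "Administrators")  # names from the post, case sensitive

def encode_nms_group(group):
    """RADIUS attribute 26 (Vendor-Specific) carrying Alcatel-Nms-Group."""
    value = group.encode("ascii")
    sub = struct.pack("!BB", NMS_GROUP, 2 + len(value)) + value
    body = struct.pack("!I", ALCATEL_VENDOR) + sub
    return struct.pack("!BB", 26, 2 + len(body)) + body

def build_accept(ident, req_auth, secret, attrs):
    """Constructed Access-Accept (code 2) with its Response Authenticator."""
    head = struct.pack("!BBH", 2, ident, 20 + len(attrs))
    return head + hashlib.md5(head + req_auth + attrs + secret).digest() + attrs

def response_auth_ok(packet, req_auth, secret):
    """True when the reply was computed with the same shared secret."""
    digest = hashlib.md5(packet[:4] + req_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(digest, packet[4:20])

def nms_groups(packet):
    """Every Alcatel-Nms-Group value found in the packet's attributes."""
    length = struct.unpack("!H", packet[2:4])[0]
    pos, found = 20, []
    while pos + 2 <= length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        data = packet[pos + 2:pos + alen]
        if atype == 26 and len(data) >= 6:
            vendor, vtype, vlen = struct.unpack("!IBB", data[:6])
            if vendor == ALCATEL_VENDOR and vtype == NMS_GROUP:
                found.append(data[6:4 + vlen].decode("ascii"))
        pos += alen
    return found

def check_group(group):
    if group in OV_GROUPS:
        return "ok"
    folded = {g.lower() for g in OV_GROUPS}
    return "case mismatch" if group.lower() in folded else "unknown group"

if __name__ == "__main__":
    ra, key = bytes(range(16)), b"constructed1"  # constructed sample values
    pkt = build_accept(1, ra, key, encode_nms_group("administrators"))
    print(response_auth_ok(pkt, ra, key), [(g, check_group(g)) for g in nms_groups(pkt)])
```

The bytes returned by encode_nms_group are what a capture shows inside the Access-Accept, so the value and its case can be compared directly with the group name defined in Omnivista.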

Re: [HOWTO] Authenticating Omnivista user via radius

Post by YORI »

Hi,
I'm having trouble setting up radius authentication for OV user.
I'm running OV 2500 NMS 4.3R1 GA (Build 51, 05/31/2018).
Here is my configuration, could you tell me if I'm missing something :

RADIUS NPS CONFIGURATION

radius client : https://imgur.com/a/tXLoLpK
network policy : https://imgur.com/a/Oc9jAbj

OV CONFIGURATION

Radius Server : https://imgur.com/a/uiDYizZ
User & Groups : https://imgur.com/a/lTE8Dfc

Here is the error I get when I'm trying to use the NPS to authenticate : https://imgur.com/a/19UYJ4r
Username and password are correct.

I'm getting no log on the NPS and here are the logs on the OV : https://imgur.com/a/0eflsze

I'm using this same NPS server to authenticate Wireless clients and it's working fine so I assume the server IP configuration in OV is correct.
I've reached out to ALE support service but the tech did not seem to be able to provide any kind of help.
ALE documentation on OmniVista is almost useless, your post is the only valuable information I could find on this subject.
I really hope you can help me :)

By the way, I'm facing other problems on OV (display bug in WebUI, unable to delete wireless networks even though every profile associated with those networks was deleted, ...). I will open a topic in the right section later.

Re: [HOWTO] Authenticating Omnivista user via radius

Post by birkov2 »

Hi Yori,
It's birkov, I've forgotten my password xD

I had the same problem with OV 4.2.1 and later.
After a moment on Wireshark, I understood that it was a problem with the length of the shared secret.
With one 12 characters long it's OK, with more it's not. And only ASCII characters !!

Another tip: don't try to upgrade your OV installation with Radius authentication enabled, it will fail.
Before running the upgrade, switch to local authentication, then upgrade, test and switch to radius authentication.

Keep smiling, it's Alcatel stuff :p

Re: [HOWTO] Authenticating Omnivista user via radius

Post by birkov2 »

I just got the same problem with new switches running AOS 8.x ...

Re: [HOWTO] Authenticating Omnivista user via radius

Post by dervodebayern »

Hi, any new updates on this?
I'm able to log in with my AD user but the "Administrators" role is somehow not pushed on my user.
I always get the "Default" group permissions although I did everything according to your guide.
Any suggestions here?

Regards


Edit:
Found the problem: the order of my NPS rules didn't work as I wanted them to.
Event Viewer can help a lot in these troubleshooting scenarios.

Regards,