Ethernet Card Software Feature and Configuration Guide, R7.2
January 2009
Chapter 19 Configuring Security for the ML-Series Card
For more information about these commands, see the “Secure Shell Commands” section in the “Other
Security Features” chapter of the Cisco IOS Security Command Reference, Cisco IOS Release 12.2, at
this URL:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_r/fothercr.htm.
RADIUS on the ML-Series Card
RADIUS is a distributed client/server system that secures networks against unauthorized access. Clients
send authentication requests to a central RADIUS server, which holds all user authentication and
network service access information. The RADIUS host is normally a multiuser system running RADIUS
server software from Cisco or another vendor.
Many Cisco products offer RADIUS support, including the ONS 15454, ONS 15454 SDH, ONS 15327,
ONS 15310-CL, and ONS 15600. The ML-Series card also supports RADIUS.
The ML-Series card can operate either in RADIUS relay mode or in RADIUS standalone mode (the
default). In either mode, the RADIUS messages from the ML-Series card are passed to a RADIUS
server on the data communications network (DCN) used to manage the ONS node.
RADIUS Relay Mode
In RADIUS relay mode, RADIUS on the ML-Series card is configured by CTC or TL1 and uses the
AAA/RADIUS features of the ONS 15454 or ONS 15454 SDH node that contains the ML-Series
card. There is no interaction between RADIUS relay mode and RADIUS standalone mode. For
information on ONS node security, refer to the “Security” chapter of the ONS node’s reference manual.
An ML-Series card operating in RADIUS relay mode does not need its own client entry in the
RADIUS server configuration: its packets reach the server through the ONS node, so the RADIUS
server uses the client entry (and shared secret) for the ONS node as a proxy for the ML-Series card.
Enabling relay mode disables the Cisco IOS CLI commands used to configure AAA/RADIUS. The user
can still use the Cisco IOS CLI commands not related to AAA/RADIUS.
In relay mode, the ML-Series card running configuration shows a RADIUS server host whose IP address
is really the internal IP address of the active timing, communications, and control card (TCC2/TCC2P).
When the ML-Series card sends RADIUS packets to this internal address, the TCC2/TCC2P rewrites the
packet destination to the real IP address of the RADIUS server. In standalone mode, the ML-Series
card shows the true IP addresses of the RADIUS servers.
In relay mode with multiple RADIUS server hosts, the ML-Series card IOS CLI show run output still
shows only the internal IP address of the active TCC2/TCC2P card. Because that single IP address now
represents multiple hosts, a different port number is paired with the IP address to distinguish each
host: ports 1860 through 1869, one for each authentication server host configured, and ports 1870
through 1879, one for each accounting server host configured.
This single IP address will not match the host IP addresses shown in CTC, which displays the true
addresses of the RADIUS server hosts. The same true IP addresses appear in the ML-Series card IOS CLI
show run output only when the ML-Series card is in standalone mode.
Note A user can configure up to 10 servers for either authentication or accounting application, and one server
host can perform both authentication and accounting applications.
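The following Python script is an added illustration, not code from the guide or from Cisco. It reconciles the relay-mode show run output described above (one internal TCC2/TCC2P address with per-host ports 1860-1869 and 1870-1879) with the true server addresses CTC shows, and tells relay mode from standalone mode. The sample show run lines, the internal address 10.0.0.1 and the 192.0.2.x server addresses are constructed; the script assumes the standard IOS 12.2 `radius-server host <ip> auth-port <n> acct-port <n>` line format and that relay ports are assigned in the order the server hosts were configured in CTC.

```python
"""Reconcile ML-Series `show running-config` RADIUS hosts with the server
addresses CTC shows. Added example, not Cisco code.

Assumptions: IOS 12.2 `radius-server host <ip> [auth-port N] [acct-port N]`
line format; in relay mode ports 1860-1869 / 1870-1879 are assigned in the
order the authentication / accounting hosts were configured in CTC.
"""
import re
from dataclasses import dataclass
from typing import Optional

# From the guide: one internal TCC2/TCC2P address stands in for every host in
# relay mode, and the port number distinguishes the individual hosts.
RELAY_AUTH_PORTS = range(1860, 1870)   # one per authentication host, up to 10
RELAY_ACCT_PORTS = range(1870, 1880)   # one per accounting host, up to 10

HOST_RE = re.compile(
    r"^\s*radius-server host (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
    r"(?: auth-port (?P<auth>\d+))?(?: acct-port (?P<acct>\d+))?"
)


@dataclass(frozen=True)
class RadiusHost:
    ip: str
    auth_port: Optional[int]   # None when the line omits the keyword
    acct_port: Optional[int]


def _opt_int(s: Optional[str]) -> Optional[int]:
    return int(s) if s is not None else None


def parse_radius_hosts(show_run: str) -> list:
    """Extract radius-server host lines; every other config line is ignored."""
    hosts = []
    for line in show_run.splitlines():
        m = HOST_RE.match(line)
        if m:
            hosts.append(RadiusHost(m.group("ip"),
                                    _opt_int(m.group("auth")),
                                    _opt_int(m.group("acct"))))
    return hosts


def detect_mode(hosts) -> str:
    """'relay' when every host shares one IP and every explicit port lies in
    the relay ranges; 'standalone' otherwise (true server IPs, any ports)."""
    if not hosts:
        return "none"
    single_ip = len({h.ip for h in hosts}) == 1
    ports_ok = all(
        (h.auth_port is None or h.auth_port in RELAY_AUTH_PORTS)
        and (h.acct_port is None or h.acct_port in RELAY_ACCT_PORTS)
        for h in hosts
    )
    return "relay" if single_ip and ports_ok else "standalone"


def map_relay_hosts(hosts, ctc_auth_servers, ctc_acct_servers) -> list:
    """Translate each relay-mode (internal IP, port) pair back to the true
    server address CTC shows. Raises ValueError if the config is not relay
    mode, or if a port has no matching CTC entry (the two views disagree)."""
    if detect_mode(hosts) != "relay":
        raise ValueError("not a relay-mode configuration; IOS already shows true addresses")
    rows = []
    for h in hosts:
        for role, port, base, ctc in (
            ("auth", h.auth_port, RELAY_AUTH_PORTS.start, ctc_auth_servers),
            ("acct", h.acct_port, RELAY_ACCT_PORTS.start, ctc_acct_servers),
        ):
            if port is None:
                continue
            slot = port - base          # 0-based position in the CTC server list
            if slot >= len(ctc):
                raise ValueError(f"{role} port {port} (slot {slot}) has no CTC server entry")
            rows.append({"role": role, "slot": slot, "tcc_ip": h.ip,
                         "port": port, "true_ip": ctc[slot]})
    return rows


# Constructed sample output; 10.0.0.1 plays the internal TCC2/TCC2P address.
RELAY_SHOW_RUN = """\
aaa new-model
radius-server host 10.0.0.1 auth-port 1860 acct-port 1870
radius-server host 10.0.0.1 auth-port 1861 acct-port 1871
"""
STANDALONE_SHOW_RUN = """\
aaa new-model
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813
radius-server host 192.0.2.11
"""
CTC_AUTH_SERVERS = ["192.0.2.10", "192.0.2.11"]   # true addresses as CTC lists them
CTC_ACCT_SERVERS = ["192.0.2.10", "192.0.2.11"]

if __name__ == "__main__":
    relay = parse_radius_hosts(RELAY_SHOW_RUN)
    print(detect_mode(relay))
    for row in map_relay_hosts(relay, CTC_AUTH_SERVERS, CTC_ACCT_SERVERS):
        print(row)
    print(detect_mode(parse_radius_hosts(STANDALONE_SHOW_RUN)))
```

A mismatch between the number of relay ports in show run and the number of servers CTC lists is the symptom to look for when an operator reports that "the RADIUS server address on the ML card is wrong": in relay mode the address is expected to differ, and only the port-to-slot mapping needs to line up.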