Cisco Systems 15454-FTF2 9.4 RADIUS Security

9-9

Cisco ONS 15454 Reference Manual, R8.5.x

78-18106-01

Chapter 9 Security

9.3.2 Audit Trail Capacities

• Connection Mode—Telnet, Console, SNMP

• Category—Type of change (Hardware, Software, Configuration)

• Status—Status of the user action (Read, Initial, Successful, Timeout, Failed)

• Time—Time of change

• Message Type—Whether the event is Success/Failure type

• Message Details—Description o f the change

The ONS 15454 is able to store 640 log entries. When this limit is reached, the oldest entries are

overwritten with new events. When the log server is 80 percent full, an AUD-LOG-LOW condition is

raised and logged (by way of CORBA/CTC).

When the log server reaches the maximum capacity of 640 entries and begins overwriting records that

were not archived, an AUD-LOG-LOSS condition is raised and logged. This event indicates that audit

trail records have been lost. Until you off-load the file, this event will not occur a second time regardless

of the amount of entries that are overwritten by incoming data. To export the audit trail log, refer to the

Cisco ONS 15454 Procedure Guide.

9.4 RADIUS Security

Users with Superuser security privileges can configure nodes to use Remote Authentication Dial In User

Service (RADIUS) authentication. Cisco Systems uses a strategy known as authentication,

authorization, and accounting (AAA) for verifying the iden tity of, granting access to, and tracking the

actions of remote users.

RADIUS is a system of distributed security that secures remote access to networks and network servic es

against unauthorized access. RADIUS comprises three components:

• A protocol with a frame format that utilizes User Datagram Protocol (UDP )/IP

• A server

• A client

The server runs on a central computer, typically at a customer site, while the clie nts reside in the dial-up

access servers and can be distributed throughout the network.

An ONS 15454 node operates as a client of RADIUS. The client is responsible for passing user

information to designated RADIUS servers, and then a cting on the response that is returned. RADIUS

servers are responsible for receiving user connection requests, authenticating the user, and returning all

configuration information necessary for the client to deliver service to the user. The RADIUS servers

can act as proxy clients to other kinds of authenticatio n servers. Transactions between the RADIUS

client and server are authenticated through the use of a shared secret, which is never sent over the

network. In addition, any user passwords are sent encrypted between the client and RADIUS server. This

eliminates the possibility that someone monitoring an unsecured network could determine a user's

password. Refer to the Cisco ONS 15454 Procedure Guide for detailed instructions for implementing

RADIUS authentication.