9-8
Cisco ONS 15454 Reference Manual, R7.0
78-17191-01
Chapter 9 Security
9.4 9.3.2 Audit Trail Capacities
Status—Status of the user action (Read, Initial, Successful, Timeout, Failed)
Time—Time of change
Message Type—Whether the event is Success/Failure type
Message Details—Description of the change

9.3.2 Audit Trail Capacities

The ONS 15454 is able to store 640 log entries. When this limit is reached, the oldest entries are
overwritten with new events. When the log server is 80 percent full, an AUD-LOG-LOW condition is
raised and logged (by way of CORBA/CTC).
When the log server reaches the maximum capacity of 640 entries and begins overwriting records that
were not archived, an AUD-LOG-LOSS condition is raised and logged. This event indicates that audit
trail records have been lost. Until you off-load the file, this event will not occur a second time regardless
of the amount of entries that are overwritten by incoming data. To export the audit trail log, refer to the
Cisco ONS 15454 Procedure Guide.
9.4 RADIUS Security
Users with Superuser security privileges can configure nodes to use Remote Authentication Dial In User
Service (RADIUS) authentication. Cisco Systems uses a strategy known as authentication,
authorization, and accounting (AAA) for verifying the identity of, granting access to, and tracking the
actions of remote users.

9.4.1 RADIUS Authentication

RADIUS is a system of distributed security that secures remote access to networks and network services
against unauthorized access. RADIUS comprises three components:
A protocol with a frame format that utilizes User Datagram Protocol (UDP)/IP
A server
A client
The server runs on a central computer, typically at a customer site, while the clients reside in the dial-up
access servers and can be distributed throughout the network.
An ONS 15454 node operates as a client of RADIUS. The client is responsible for passing user
information to designated RADIUS servers, and then acting on the response that is returned. RADIUS
servers are responsible for receiving user connection requests, authenticating the user, and returning all
configuration information necessary for the client to deliver service to the user. The RADIUS servers
can act as proxy clients to other kinds of authentication servers. Transactions between the RADIUS
client and server are authenticated through the use of a shared secret, which is never sent over the
network. In addition, any user passwords are sent encrypted between the client and RADIUS server. This
eliminates the possibility that someone monitoring an unsecured network could determine a user's
password. Refer to the Cisco ONS 15454 Procedure Guide for detailed instructions for implementing
RADIUS authentication.