Nortel Networks 3500, NTRN10AN manual Operation, administration, and maintenance OAM features


Operation, administration, and maintenance (OAM) features 2-125

Centralized user administration and authentication through RADIUS

OPTera Metro 3500 supports Remote Authentication Dial-In User Service (RADIUS) as a centralized authentication solution. The RADIUS protocol is an IETF Draft Standard (RFC 2865) widely used to authenticate remote access protocols (for example, SLIP, PPP, telnet, and rlogin). RADIUS is a UDP-based client-server protocol. The OPTera Metro 3500 implementation supports three messages from this protocol:

Access-Request - message sent from the network processor to the authentication server providing user information (user ID, password, etc.)

Access-Reject - message sent from the authentication server to the network processor refusing access to the user

Access-Accept - message sent from the authentication server to the network processor granting access to the user

Designated network processors in an OPTera Metro 3500 network operate as RADIUS clients, responsible for passing user information to RADIUS servers, and then acting on the response which is returned. This remote authentication feature is user-provisionable, allowing system administrators to enable or disable RADIUS. When RADIUS is enabled, all user authentications are processed through the RADIUS server (that is, local account user authentication is unavailable). When RADIUS servers are unavailable or down, users will be able to log in with either local account user authentication (if provisioned as the alternate) or local challenge-response user authentication (always available).

Note 1: Network elements with CSA interoperate seamlessly with OPTera Metro 3000 network elements that do not support CSA or have not enabled CSA.

Note 2: If a user is connected by RS-232 to a shelf processor, that user will be authenticated through Centralized Authentication. If the RADIUS server is down, the user will be prompted to select between retrying with CSA, Challenge Response, or Local authentication. Local authentication will only be available if it was provisioned as the alternate authentication method.

The login-retry strategy is as follows:

The RADIUS client on the network processor sends up to three requests to the primary server, followed by up to three requests to the secondary.

The provisioned timeout value specifies the maximum amount of time it will take to send and wait for responses for each server. For example, with 30 seconds as the provisioned primary RADIUS server timeout value, and 20 seconds for the secondary timeout value, the requests will be sent as follows:
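The following simulation is an added illustration of the retry and fallback order described above; it is not the manual's own text or Nortel code. It assumes (the page does not say) that an unanswered attempt waits one third of the server's provisioned timeout, so that three unanswered attempts consume the whole budget, and it models the servers with constructed stand-in responders.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# RFC 2865 reply types the page lists; None models "no reply before the deadline".
ACCESS_ACCEPT = "Access-Accept"
ACCESS_REJECT = "Access-Reject"
MAX_ATTEMPTS_PER_SERVER = 3   # page: up to three requests per server

@dataclass
class RadiusServer:
    name: str
    timeout_s: float                          # provisioned per-server timeout
    respond: Callable[[int], Optional[str]]   # constructed stand-in for the wire; arg = attempt no.

def try_server(server: RadiusServer, log: List[str]) -> Tuple[Optional[str], float]:
    """Send up to three Access-Requests; stop when the server's timeout budget is spent.
    Assumption (not stated on the page): an unanswered attempt waits timeout_s / 3."""
    wait = server.timeout_s / MAX_ATTEMPTS_PER_SERVER
    elapsed = 0.0
    for attempt in range(1, MAX_ATTEMPTS_PER_SERVER + 1):
        reply = server.respond(attempt)
        if reply in (ACCESS_ACCEPT, ACCESS_REJECT):
            log.append(f"{server.name} attempt {attempt}: {reply}")
            return reply, elapsed             # a definite answer ends the retry sequence
        elapsed += wait
        log.append(f"{server.name} attempt {attempt}: no reply ({elapsed:.0f}s spent)")
    return None, elapsed                      # server unavailable

def authenticate(servers: List[RadiusServer], local_is_alternate: bool,
                 local_check: Callable[[], bool]) -> Tuple[str, Optional[bool], float, List[str]]:
    """Returns (method used, accept/deny or None for a pending challenge, seconds spent, log)."""
    log: List[str] = []
    total = 0.0
    for server in servers:                    # primary first, then secondary
        reply, spent = try_server(server, log)
        total += spent
        if reply is not None:
            # A reachable server's Access-Reject is final: it must not fall through to local accounts.
            return "radius", reply == ACCESS_ACCEPT, total, log
    # Every server unavailable: local login only if provisioned as the alternate,
    # otherwise the always-available challenge-response path (left to the caller here).
    if local_is_alternate:
        return "local", local_check(), total, log
    return "challenge-response", None, total, log

# Constructed scenarios using the page's timeouts (30 s primary, 20 s secondary).
PRIMARY = RadiusServer("primary", 30, lambda attempt: None)                       # never answers
SECONDARY = RadiusServer("secondary", 20, lambda attempt: ACCESS_REJECT if attempt == 2 else None)
DOWN_PAIR = [RadiusServer("primary", 30, lambda a: None), RadiusServer("secondary", 20, lambda a: None)]
```

With both servers silent the client spends the full 30 + 20 = 50 seconds before offering the local or challenge-response path, which is the delay an operator should expect when the RADIUS servers are unreachable.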

Planning and Ordering Guide—Part 1 of 2 NTRN10AN Rel 12.1 Standard Iss 1 Apr 2004
