RuggedCom RS400 manual Radius overview, User Login Authentication and Authorization

Models: RS400


Administration

1.12 RADIUS

RADIUS (Remote Authentication Dial In User Service) is used to provide centralized authentication and authorization for network access. ROS assigns a privilege level of Admin, Operator or Guest to a user who presents a valid username and password. The number of users who can access the ROS server is ordinarily dependent on the number of user records which can be configured on the server itself. ROS can also, however, be configured to pass along the credentials provided by the user to be remotely authenticated by a RADIUS server. In this way, a single RADIUS server can centrally store user data and provide authentication and authorization service to multiple ROS servers needing to authenticate connection attempts.

1.12.1 RADIUS overview

RADIUS (described in RFC 2865) is a UDP-based protocol used for carrying authentication, authorization, and configuration information between a Network Access Server that wants to authenticate its links and a shared Authentication Server. RADIUS is also widely used in conjunction with 802.1x for port security using EAP (see Appendix A).

A RADIUS server can act as a proxy client to other RADIUS servers or other kinds of authentication servers.

Unlike TACACS+, RADIUS carries authorization and authentication in the same packet frame. TACACS+ separates authentication from authorization into separate packets.

On receiving an authentication-authorization request from a client in an “Access-Request” packet, the RADIUS server checks the conditions configured for the received username-password combination in the user database. If all the conditions are met, the list of configuration values for the user is placed into an “Access-Accept” packet. These values include the type of service (e.g. SLIP, PPP, Login User) and all the values necessary to deliver the desired service.

1.12.2 User Login Authentication and Authorization

A RADIUS Server can be used to authenticate and authorize access to the device’s services, such as HMI via Serial Console, Telnet, SSH, RSH, Web Server (see Password Configuration). ROS implements a RADIUS Client which uses the Password Authentication Protocol (PAP) to verify access. Attributes sent to a RADIUS Server are:

- user name
- user password
- service type: Login
- vendor specific, currently defined as follows:
  - vendor ID: Ruggedcom Inc. enterprise number (15004) assigned by the Internet Assigned Numbers Authority (IANA)
  - string, sub-attribute containing specific values:
    - subtype: 1 (vendor’s name subtype)
    - length: 11 (total length of sub-attribute of subtype 1)
    - ASCII string “RuggedCom”

Two RADIUS servers (Primary and Secondary) are configurable per device. If the Primary Server is not reachable, the device will automatically fall back to the Secondary server to complete the authorization process.
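As an added example (not ROS code and not from the manual), the following Python builds the Access-Request the ROS RADIUS client is described as sending: User-Name, the PAP User-Password hidden as RFC 2865 §5.2 specifies (each 16-byte block XORed with MD5 of the shared secret and the previous block, seeded by the Request Authenticator, so the shared secret is all that protects the password in transit), Service-Type Login, and the RuggedCom Vendor-Specific attribute (Vendor-Id 15004, subtype 1, length 11, “RuggedCom”). The attribute numbers and the Login value are the RFC 2865 ones; the username, password and shared secret used in the test are constructed, and the server-side unhide routine is included so the encoding can be checked end to end.

```python
import hashlib
import os
import struct

RUGGEDCOM_VENDOR_ID = 15004   # IANA enterprise number stated in the manual
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_SERVICE_TYPE, ATTR_VSA = 1, 2, 6, 26
SERVICE_TYPE_LOGIN = 1        # RFC 2865 Service-Type value for "Login"


def attr(atype: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as Type, Length (including the 2-byte header), Value."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def ruggedcom_vsa() -> bytes:
    """Vendor-Specific attribute: Vendor-Id 15004, sub-attribute type 1, length 11, "RuggedCom"."""
    sub = struct.pack("!BB", 1, 2 + len(b"RuggedCom")) + b"RuggedCom"
    return attr(ATTR_VSA, struct.pack("!I", RUGGEDCOM_VENDOR_ID) + sub)


def hide_pap_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2 User-Password hiding: pad to a 16-byte multiple, then XOR
    each block with MD5(secret + previous block), the first block using the authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out


def unhide_pap_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server-side reverse of hide_pap_password; the chaining value is the hidden block."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")  # strip the padding added by the client


def build_access_request(identifier: int, username: bytes, password: bytes,
                         secret: bytes, authenticator: bytes = b"") -> bytes:
    """Access-Request (Code 1) carrying the four attributes the manual lists."""
    authenticator = authenticator or os.urandom(16)  # 16-byte Request Authenticator
    attrs = (attr(ATTR_USER_NAME, username)
             + attr(ATTR_USER_PASSWORD, hide_pap_password(password, secret, authenticator))
             + attr(ATTR_SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_LOGIN))
             + ruggedcom_vsa())
    return struct.pack("!BBH", 1, identifier, 20 + len(attrs)) + authenticator + attrs
```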

ROS™ v3.5

42

RS400
