RuggedCom RX1100, RX1000 manual Radius Authentication

Models: RX1000 RX1100


Chapter 26 – Maintaining The Router

Radius Authentication

The Radius protocol, described in RFC 2865, carries authentication, authorization and configuration information between a client (here, the router) that needs to authenticate its links and a shared authentication server.

Transactions between the router and the Radius server are authenticated with a shared secret that is never sent over the network. User passwords are not sent in the clear either: RFC 2865 hides the User-Password attribute by XORing it with an MD5 keystream derived from the shared secret and the per-request authenticator, so someone snooping on an insecure network cannot simply read a user's password. Note that this is obfuscation keyed by the shared secret rather than strong encryption; a short or guessable secret undoes it, so use a long random secret and keep Radius traffic on a trusted management network.
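The exchange described above, worked through in code as an added example (this is not code from the RuggedCom manual or the router's software): the client hides the User-Password with the RFC 2865 MD5 keystream, the shared secret never appears in the packet, and the client only trusts a reply whose Response Authenticator was computed with that secret. The shared secret, authenticator and credentials are constructed test values.

```python
"""RFC 2865 Access-Request construction and reply verification.

Added example for this page; not code from the RuggedCom manual or from
the router's own software. The shared secret, authenticator and user
credentials used below are constructed test values.
"""
import hashlib
import hmac
import os
import struct
from typing import Optional, Tuple

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad the password with NULs to a multiple of 16
    bytes, then XOR each 16-byte block with MD5(secret + previous block),
    where the 'previous block' for the first block is the 16-byte Request
    Authenticator. The secret itself never appears on the wire."""
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        hidden += block
        prev = block
    return bytes(hidden)


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server-side inverse of hide_password; the keystream is recomputed
    from the received blocks. Trailing NUL padding is stripped, so a
    password may not end in a NUL byte."""
    clear, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        clear += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return bytes(clear).rstrip(b"\x00")


def attribute(atype: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; Length counts the 2-byte header."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def build_access_request(ident: int, username: bytes, password: bytes,
                         secret: bytes, authenticator: Optional[bytes] = None) -> bytes:
    """Client side: a minimal Access-Request (Code 1) with User-Name and a
    hidden User-Password. The Request Authenticator must be unpredictable;
    reusing one with the same secret reuses the password keystream."""
    authenticator = authenticator or os.urandom(16)
    attrs = (attribute(ATTR_USER_NAME, username)
             + attribute(ATTR_USER_PASSWORD, hide_password(password, secret, authenticator)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def response_authenticator(code: int, ident: int, attrs: bytes,
                           request_authenticator: bytes, secret: bytes) -> bytes:
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_authenticator + attrs + secret).digest()


def build_reply(code: int, request: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """Server side: an Access-Accept/Reject bound to the request by the
    Response Authenticator. Included only so the example runs offline."""
    ident, request_authenticator = request[1], request[4:20]
    return (struct.pack("!BBH", code, ident, 20 + len(attrs))
            + response_authenticator(code, ident, attrs, request_authenticator, secret)
            + attrs)


def verify_reply(reply: bytes, request: bytes, secret: bytes) -> Tuple[Optional[int], bool]:
    """Client-side check before trusting a reply: same Identifier as the
    outstanding request, consistent Length, and a Response Authenticator
    only a holder of the shared secret could have produced. Returns
    (code, ok); treat ok == False as 'no reply', not as a reject."""
    if len(reply) < 20 or len(request) < 20:
        return None, False
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply) or ident != request[1]:
        return code, False
    expected = response_authenticator(code, ident, reply[20:], request[4:20], secret)
    return code, hmac.compare_digest(expected, reply[4:20])
```

A reply that fails verify_reply should be treated like a timeout (try the next server), not like an Access-Reject: a forged or mis-keyed reply must not be able to deny access any more than grant it.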

Radius deals with categories of authentication, known as services. The router supports user logins via the LOGIN service, PPP connections via the PPP service and non-root Web management via the WEBMIN service. The WEBMIN service allows operator actions to be logged under their login name (as opposed to “root”).

The router uses Radius to authenticate:

Serial port, embedded modem and SSH console logins to the root account,

SCP and SFTP (SSH file copies and file transfers) to the root account,

Logins to the rrsetup configuration (rrsetup account),

PPP Incoming connections on the embedded modem (specific user accounts),

Web Management logins (root and radius user accounts).

Radius server redundancy is supported. Multiple Radius servers, usually operating from a common database, may be used to authenticate a new session. If the first configured Radius server does not respond, the subsequent servers are tried in order until an Access-Accept or Access-Reject is received or all servers have been tried.

Each server is configured with an associated timeout that limits how long the router waits for that server's reply. A single authentication request could therefore take up to the sum of the timeouts of all configured servers before the router gives up on Radius, so keep that total in mind when choosing the values.

If no Radius servers are configured, or none is able to authenticate the request, logins are authenticated against the system account stored on the router. Radius authentication is usually deployed precisely so that this local password can be given to very few people and used only as a fallback, with regular access authenticated by the server.

Note: Users employing the WEBMIN service are the exception to this rule. Being managed entirely via Radius, they cannot access web management if Radius is down.

The user has the option of designating specific servers to authenticate Login, PPP or Webmin sessions, or of having one server authenticate a combination of services or all services.
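The failover, timeout and fallback behaviour described in the preceding paragraphs, written out as an added example (not the router's own code): servers are tried in order, each bounded by its own timeout, a server is skipped if it is not designated for the requested service, and the local account is consulted only when Radius gives no answer, never for WEBMIN. The server list, the scripted transport and the local account are constructed for the example. One point is an assumption rather than something the manual states: an Access-Reject is treated as final, so the local account is not tried after a reject.

```python
"""Radius server failover and local-account fallback for the router's
LOGIN, PPP and WEBMIN services.

Added example; not the router's own code. Servers, transport scripts and
the local account are constructed. Assumption: an Access-Reject is final
and the local account is consulted only when every designated server
timed out or no server is configured.
"""
import hmac
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, FrozenSet, List, Optional, Tuple

ALL_SERVICES = frozenset({"LOGIN", "PPP", "WEBMIN"})


class Result(Enum):
    ACCEPT = "Access-Accept"
    REJECT = "Access-Reject"
    TIMEOUT = "no reply within the server's timeout"


@dataclass(frozen=True)
class RadiusServer:
    host: str
    timeout_s: float
    services: FrozenSet[str] = ALL_SERVICES  # services this server is designated for


# A transport sends one request to one server and returns a Result. A real
# one would send the Access-Request over UDP and wait up to
# server.timeout_s; here it is injected so the logic runs offline.
Transport = Callable[[RadiusServer, str, str, str], Result]


def worst_case_wait(servers: List[RadiusServer], service: str) -> float:
    """Bound on how long one login can hang before Radius is given up on:
    the sum of the timeouts of every server designated for the service."""
    return sum(s.timeout_s for s in servers if service in s.services)


def authenticate(service: str, username: str, password: str,
                 servers: List[RadiusServer], transport: Transport,
                 local_accounts: Dict[str, str]) -> Tuple[bool, Optional[str]]:
    """Returns (granted, source): source is the host that answered,
    'local' for the on-router account, or None when access was denied
    without any authority answering."""
    for server in (s for s in servers if service in s.services):
        result = transport(server, service, username, password)
        if result is Result.ACCEPT:
            return True, server.host
        if result is Result.REJECT:
            # Definite answer ends the search. Assumption: no local
            # fallback after a reject, only after silence.
            return False, server.host
        # TIMEOUT: move on to the next designated server
    # No server answered (or none is configured). WEBMIN users exist only
    # on the Radius server, so they are refused; other services fall back
    # to the account stored on the router.
    if service == "WEBMIN":
        return False, None
    stored = local_accounts.get(username)
    if stored is not None and hmac.compare_digest(stored.encode(), password.encode()):
        return True, "local"
    return False, None


def scripted_transport(script: Dict[str, Result]) -> Transport:
    """Constructed transport: answers per host from a script; hosts not in
    the script time out."""
    def send(server: RadiusServer, service: str, username: str, password: str) -> Result:
        return script.get(server.host, Result.TIMEOUT)
    return send


# Constructed configuration: two servers sharing one database, 3 s and 5 s timeouts.
SERVERS = [RadiusServer("192.0.2.10", 3.0), RadiusServer("192.0.2.11", 5.0)]
# Constructed local fallback account. The router stores a password hash;
# a plain string is used here only to keep the example self-contained.
LOCAL_ACCOUNTS = {"root": "fallback-only-secret"}
```

With SERVERS above, worst_case_wait(SERVERS, "LOGIN") is 8 seconds: that is how long a console login can stall when both servers are unreachable before the local root password is even consulted, which is the figure to weigh when choosing per-server timeouts.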

The radius server providing the WEBMIN service must also be configured to supply a “privilege-level” field which will be used in upcoming releases to provide operator levels of privilege. See the appendix on Radius Server Configuration for more information.
