Manuals / ZyXEL Communications / Computer Equipment / Network Router

ZyXEL Communications 28641 user manual System Security, Using RADIUS Authentication

Models: 28641

1 159

Download 159 pages 50.55 Kb

Page 125

12 System Security

The Prestige incorporates a number of security measures to prevent unauthorized access to your network. For example, the Prestige supports both PAP (Password Authentication Protocol) and CHAP (Challenge Handshake Authentication Protocol) in authenticating a Remote Node. More information on CHAP and PAP can be found in Chapter 6.

By default, the Prestige can store information about up to eight different users. If more dial-up users are necessary, an external RADIUS (Remote Authentication Dial In User Service) server can be used to provide centralized user security.

In addition, the Prestige also implements a user password to get into the SMT screen. You will have three attempts to enter the correct system password. If you do not do so, the SMT will kick you out. In addition, the Prestige will only support one user in the SMT at one time.

Using RADIUS Authentication

In addition to the Prestige router’s built-in dial-up user list, which can hold up to eight users, it also supports an external authentication server which may provide password storage and usage accounting for thousands of users.

Installing a RADIUS Server

To use RADIUS authentication, you will need to have a UNIX- based machine on your network to act as a radiusd server, as well as a copy of the radiusd server program itself. You can

System Security 111

Image 125

ZyXEL Communications 28641 user manual System Security, Using RADIUS Authentication, Installing a RADIUS Server

Contents

ZyXEL ACCESSING THE INTERNET & INTRANETPrestige User’s Manual VersionZyXEL Limited Warranty FCC Part 15 Information Copyright 1997 by ZyXELAcknowledgments Information for Canadian Users Page ∙ E-mail Contacting ZyXEL∙ FTP Information , such as ZyXEL software and ROM updates for 1 Introduction Contents2 Before You Begin 3 Installation5 Remote Node Configuration 4 Configuring for Internet Access6 Dial-In Configuration 7 TCP/IP Configuration10 Filter Configuration 9 Bridging Configuration11 SNMP 12 System Security15 Troubleshooting 13 Telnet Configuration and Capabilities14 System Maintenance 17 Index 16 ISDN Switch TypesProblems with the LAN Interface Provisioning For U.S. SwitchesPage 1 Introduction FeaturesEase of Installation Built-in V.34 Modem ISDN Basic Rate Interface BRIMultiple Networking Protocol Support Standard Phone JackDHCP Support Dynamic Host Configuration Protocol RADIUS Remote Authentication Dial In User ServiceBandwidth On Demand Full Network ManagementApplications For Your Prestige Internet AccessCall Control Data CompressionMultiprotocol LAN-to-LAN Connection What This Manual CoversTelecommuting Server Mobile Users with V.34 ModemsOther Resources What This Manual Doesn’t CoverPacking List Additional Installation Requirements8 Introduction ∙ VT100 terminal emulation ∙ 9600 Baud rate∙ No parity, 8 Data bits, 1 Stop bit Road Map and Flow 2 Before You BeginOrdering Your ISDN Line Completing the WorksheetCollecting General Setup Information Switch Type Collecting ISDN Phone Line InformationGeography No of Phone #s∙ B Channel Usage - Determine which connection is appropriate for your B channel and check the corresponding option on the worksheet 14 Before You Begin Collecting Ethernet Setup InformationNumber of Host IDs IP Subnet MaskNumber of Bits Before You BeginISDN Setup Information General Setup InformationPrestige Setup and Installation Worksheet 16 Before You BeginDSS1 ISDN North America ISDN∙ 1st Telephone Number ∙ Analog Call check one∙ A/B Adapter Number & Subaddress 1TR6 ISDN∙ Outside Line Prefix Number ∙ PBX Number S/T Bus NumberEAZ Don’t Care Ethernet Setup InformationModem A/B Ignore AUI UTP20 Before You Begin Installation 3 InstallationFigure 3-1 Rear Panel Diagram Connecting the RS-232 Cable to your Prestige Connecting Your Computer and Your PrestigeConnecting an ISDN Line to your Prestige A Warning On Connection Cables∙ UTP Connecting a Telephone/Fax to your PrestigeConnecting an Ethernet Cable to your Prestige Prestige Front Panel Connecting a Power Adapter to your PrestigeAA - This LED auto answer indicates when auto answer is turned on Figure 3-4 Login Screen Powering On Your PrestigeFigure 3-3 Power on Messages Navigating Through the System Management Terminal Interface System Management Terminal Interface Summary Installation General SetupMenu Title Description30 Installation Figure 3-6 Menu 1 - General SetupNorth American ISDN ISDN Setup32 Installation DSS1 & 1TR6 ISDN 34 Installation Page General Ethernet Setup Ethernet SetupFigure 3-11 Menu 3.1 - General Ethernet Setup TCP/IP Ethernet Setup and DHCP38 Installation Figure 3-12 Menu 3.2 - TCP/IP Ethernet SetupPage Bridge Ethernet Setup Novell IPX Ethernet SetupRefer to the chapter on Novell IPX configuration Refer to the chapter on Bridging configuration4 Configuring for Internet Access Figure 4-1 Internet Access IP Addresses and the InternetInternet Access Configuration 5. My Login Name - Enter the login name given to you by your ISP ∙ Modem - The Prestige will place Modem data calls 46 Configuring for Internet Access Single User AccountIn summary Configuring Backup ISP Accounts Configuration for Single User Account2. Enter Menu 11, then select the number of an unused remote node 50 Configuring for Internet Access 5 Remote Node Configuration Figure 5-2 Menu 11.1 - Remote Node Profile Figure 5-1 Menu 11 - Remote Node Setup52 Remote Node Configuration Page ∙ PAP sends the user name and password in plain text if available. Once connected, the Prestige will use the BACP Bandwidth Allocation Control Protocol to establish the second B- channel if Multilink PPP is enabled, and the Remote Node supports MP and BACP 56 Remote Node Configuration Bandwidth on Demand 58 Remote Node Configuration Editing PPP Options ∙ 128 - A maximum of two channels can be used 60 Remote Node Configuration∙ 64 - At most one channel can be used Dial-In Configuration 6 Dial-In ConfigurationFigure 6-1 Example of Remote User Telecommuter TelecommutingDial-In Server Application Figure 6-2 Example of a Dial-In Server Application Default Dial-In Setup∙ None - No CLID is required 3. PPP Options Mutual Authen. - Some vendors, e.g. Cisco, implement a type of mutual authentication. That is, the node that initiates the call will request a user name and password from the far end that they are dialing to. If the Remote Node that is dialing in implements this type of authentication, set this field to Yes 11. IP Pool IP Start Addr - This field is active only if you selected Dial-In Users Setup Figure 6-5 Menu 14.1 - Edit Dial-in User Figure 6-4 Menu 14 - Dial-in User Setup68 Dial-In Configuration 3. Password - Enter the password for the Remote Dial-in User More on CLID IP Subnet Mask 7 TCP/IP Configuration72 TCP/IP Configuration LAN-to-LAN ApplicationRemote Node Setup 5. Rem IP Subnet Mask - Enter the subnet mask for the remote network Static Route Setup Figure 7-4 Static Routing Example 76 TCP/IP ConfigurationFigure 7-6 IP Static Route Setup Figure 7-5 Menu 12 - Static Route Setup - Main Menu78 TCP/IP Configuration IPX Network Environment 8 Novell IPX ConfigurationFrame Type Network NumbersFigure 8-1 Prestige Operating in IPX Environment Prestige on LAN with ServerPrestige on LAN without Server IPX Spoofing IPX Ethernet Setup∙ ∙ ∙ Ethernet ∙ SNAP Figure 8-3 LAN-to-LAN application Remote Node SetupLAN-to-LAN Application 1. Route - Make sure IPX is among the protocols in the Route field Static Route Setup Figure 8-5 NetWare Servers on Both Sides of the Link 86 Novell IPX ConfigurationFigure 8-6 Menu 12.2 - Edit IPX Static Route 88 Novell IPX Configuration Bridge Ethernet Setup 9 Bridging ConfigurationBridging Configuration IPX Spoofing∙ If it is set to None, nothing is done to IPX traffic IPX. Set it to Client if there are only client workstations on the Remote Node SetupLAN-to-LAN Application Figure 9-2 Remote Node Bridging Configuration Default Dial-In Setup for BridgeFigure 9-3 Menu 12.4 - Bridge Static Route Bridge Static Route Setup94 Bridging Configuration About Filtering 10 Filter Configuration96 Filter Configuration Configuring a Filter SetPrestige’s Filter Structure ∙ # - Refers to the filter rule number ∙ Pr - Protocol ∙ SA - Source Address ∙ SP - Source Port number TCP/IP Filter Rule Configuring a Filter Rule∙ Yes ∙ No ∙ None ∙ Less ∙ Greater ∙ Equal ∙ Not Equal 102 Filter Configuration Figure 10-5 Menu 21.1.1 - Generic Filter Rule Generic Filter Rule104 Filter Configuration Novell IPX Filter Rule∙ None ∙ RIP Request ∙ RIP Response ∙ SAP Request ∙ SAP Response About SNMP Configuring Your Prestige For SNMP Support11 SNMP 108 SNMP Figure 11-1 Menu 22 - SNMP Configurationleave the field blank default, then the Prestige will respond to all SNMP messages it receives, regardless of origin 110 SNMP 12 System Security Using RADIUS AuthenticationInstalling a RADIUS Server Configuring the Prestige for RADIUS Authentication # Client Name Adding Users to the RADIUS Database Using RADIUS Authentication for CLIDConfiguring the SMT Password 116 System Security About Telnet Configuration 13 Telnet Configuration and CapabilitiesTelnet Capabilities Single AdministratorSystem Timeout System Status 14 System Maintenance2. From this menu, select option 1. System Status 10. Error - the number of error packets on this channel Figure 14-3 LAN Packet Which Triggered Last Call Terminal Baud RateLog and Trace View Error LogSyslog And Accounting Diagnostic 126 System Maintenance Figure 14-6 Menu 24.4 - System Maintenance - Diagnosticworking properly, the test will succeed. Otherwise, note the error message that you receive and consult your network administrator 128 System Maintenance Backup ConfigurationSoftware Update Restore ConfigurationFigure 14-9 Example of uploading RAS using PCPLUS Command Interpreter ModeCall Control Parameters Call ControlFigure 14-11 Blacklist BlacklistFigure 14-12 Budget Management Budget ManagementModem/ISDN TA Emulation 134 System Maintenance Problems Starting Up the Prestige 15 TroubleshootingNone of the LEDs are on when you power up the Prestige Connecting the RS-232 cable, cannot access the SMTThe ISDN loopback test failed Problems With the ISDN LineThe ISDN initialization failed Can’t PING any station on the LAN Problems with the LAN InterfaceProblems Connecting to a Remote Node or ISP 138 Troubleshooting Problems Connecting to a Remote UserProvisioning For U.S. Switches 16 ISDN Switch TypesProvisioning Feature Provisioning For the AT&T 5ESS SwitchesSetting Provisioning FeatureProvisioning Feature Provisioning For the Northern Telecom SwitchSetting Provisioning Feature142 ISDN Switch Types Provisioning FeatureSetting 17 Index See IPX IP Address, 14 IP Subnet Mask, 15, 39, 71, 74Simple Network Management Protocol. See SNMP