RADIUS Security Management
RADIUS
Remote Authentication Dial-In User Service (RADIUS) is a distributed client/server system
that centralizes control of device access. If RADIUS is used, all user profiles and access
limits to the ML devices can be managed via the RADIUS server. The ML devices serve as
clients which send authentication requests to a central RADIUS server.
NOTE: The Radius option can be configured on an ML level (as described in this section) or for all
selected MLs through the Group menu, Radius option.
It is recommended to use RADIUS in the following network environments:
- Networks with multiple-vendor access servers
- Networks already using RADIUS
- Networks in which a user must only access a single service
- Networks that require resource accounting
- Networks with a dynamic group of users (changes to the group are made in one location only, not on all NEs)
From R6.0 onward, RADIUS on ML supports:
- PAP (Password Authentication Protocol). CHAP (Challenge Handshake Authentication Protocol) is not supported; CHAP messages are discarded by the system.
- Authentication only (RFC 2865). All accounting messages (defined in RFC 2866) are discarded by the system.
Configuring for RADIUS Operation
For the ML to be secured with the RADIUS server, two types of operations are required:
- Configure the ML NE (as a RADIUS client) with the RADIUS server address and with the relevant communication parameters. See Configuring RADIUS on ML (on page 12-16).
- Configure the RADIUS server to respond with a Message (on page 12-18) that provides Service-Type (on page 12-19) (Parameter ID #6) with the value 1, 7 or 6 for a read, write or admin user, respectively.
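The PAP and Service-Type handling described above, sketched per RFC 2865 as an added example (not code from the ML or its vendor): it hides a PAP password for the User-Password attribute and accepts a Service-Type only after the reply's Response Authenticator verifies. The function names, shared secret and packets are constructed for illustration; the 1/7/6 mapping is the one given on this page.

```python
import hashlib, hmac, struct

# Service-Type (attribute 6) values mapped to ML privileges, as stated on this page.
PRIVILEGE = {1: "read", 7: "write", 6: "admin"}

def hide_pap_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 sec. 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def build_access_accept(ident, req_auth, secret, service_type):
    """Constructed server reply (code 2) carrying only Service-Type; sample input."""
    attrs = struct.pack("!BBI", 6, 6, service_type)
    head = struct.pack("!BBH", 2, ident, 20 + len(attrs))
    return head + hashlib.md5(head + req_auth + attrs + secret).digest() + attrs

def privilege_from_reply(packet, ident, req_auth, secret):
    """Privilege granted by an Access-Accept, or None if the reply must be ignored."""
    if len(packet) < 20:
        return None
    code, pid, length = struct.unpack("!BBH", packet[:4])
    if code != 2 or pid != ident or length != len(packet):
        return None
    attrs = packet[20:]
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    expected = hashlib.md5(packet[:4] + req_auth + attrs + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        return None  # forged or corrupted reply: do not trust Service-Type
    i = 0
    while i + 2 <= len(attrs):
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            return None  # malformed attribute
        if atype == 6 and alen == 6:
            return PRIVILEGE.get(struct.unpack("!I", attrs[i + 2:i + 6])[0])
        i += alen
    return None  # no Service-Type present

if __name__ == "__main__":
    secret, ra = b"constructed-shared-secret", bytes(range(16))  # constructed values
    print(hide_pap_password(b"example-password", secret, ra).hex())
    print(privilege_from_reply(build_access_accept(1, ra, secret, 6), 1, ra, secret))
```

Because PAP protects the password only with MD5 keyed by the shared secret, the strength of that secret determines how well both the password and the returned privilege level are protected in transit.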
Authentication of a user upon TL1 login is processed by checking:
- that a record is available for the specified UserID (name);
- that the typed password matches the registered password (stored encrypted);
- the UserID privileges (read-only, read-write, or full admin access);
- the idle session timeout (to close the session between the ML and the TL1 (MAV) agent automatically if no activity is detected).