Security
7705 SAR OS System Management Guide Page 29
Figure 1 depicts end-user access requests sent to a RADIUS server. After validating the user 
names and passwords, the RADIUS server returns an access accept message to the users on 
ALU-1 and ALU-2. The user name and password from ALU-3 could not be authenticated, 
so access was denied.
Authentication
Authentication validates a user name and password combination when a user attempts to 
log in. 
When a user attempts to log in through the console, Telnet, SSH, SCP, or FTP, the 
7705 SAR client sends an access request to a RADIUS, TACACS+, or local database. 
Transactions between the client and a RADIUS server are authenticated through the use of a 
shared secret. The secret is never transmitted over the network. User passwords are sent 
encrypted between the client and RADIUS server, which prevents someone snooping on an 
insecure network from learning password information. 
If the RADIUS server does not respond within a specified time, the router issues the access 
request to the next configured servers. Each RADIUS server must be configured identically 
to guarantee consistent results. 
If any RADIUS server rejects the authentication request, it sends an access reject message to 
the router. In this case, no access request is issued to any other RADIUS servers. However, 
if other authentication methods such as TACACS+ and/or local are configured, then these 
methods are attempted. If no other authentication methods are configured, or all methods 
reject the authentication request, then access is denied. 
Figure 1: RADIUS Requests and Responses
[Figure: ALU-1, ALU-2 and ALU-3 each send an Access Request across the network to the RADIUS server for authentication. Access Accepted is returned for two of the requests; the third is marked X.]