Security
7705 SAR OS System Management Guide Page 35
Security Controls
You can configure the 7705 SAR to use RADIUS, TACACS+, and local authentication to 
validate users requesting access to the network. The order in which password authentication 
is processed among RADIUS, TACACS+ and local passwords can be specifically 
configured. For example, the authentication order can be configured to process authorization 
via TACACS+ first, then RADIUS for authentication and accounting. Local access can be 
specified next in the authentication order in the event that the RADIUS and TACACS+ 
servers are not operational.
When a Server Does Not Respond
A trap is issued if a RADIUS server is unresponsive. An alarm is raised if RADIUS is 
enabled with at least one RADIUS server and no response is received to either accounting or 
user access requests from any server. 
The system periodically checks whether the primary server is responsive again. If a 
server is down, it will not be contacted for 5 minutes. If a login is attempted after 5 minutes, 
then the server is contacted again. If a server has the health check feature enabled and is 
unresponsive, the server’s status is checked every 30 seconds. Health check is enabled by 
default. When a service response is restored from at least one server, the alarm condition is 
cleared. Alarms are raised and cleared on the Alcatel-Lucent Fault Manager or other 
third-party fault management servers.
The servers are accessed in order from lowest to highest specified index (from 1 to 5) for 
authentication requests until a response from a server is received. A higher indexed server is 
only queried if no response is received from a lower indexed server. If a response from the 
server is received, no other server is queried. 
Access Request Flow
In Figure 2, the authentication process is defined in the 
config>system>security>password context. The authentication order is determined by 
specifying the sequence in which password authentication is attempted among RADIUS, 
TACACS+, and local servers. 
This example uses the authentication order of RADIUS, then TACACS+, and finally, local. 
An access request is sent to RADIUS server 1. One of two scenarios can occur. If there is no 
response from the server, the request is passed to the next RADIUS server with the next 
lowest index (RADIUS server 2) and so on, until the last RADIUS server is attempted 
(RADIUS server 5). If server 5 does not respond, the request is passed to the TACACS+ 
server 1. If there is no response from that server, the request is passed to the next TACACS+ 
server with the next lowest index (TACACS+ server 2) and so on.
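The fallthrough and the 5-minute skip described above can be traced with a small model. This is an added example, not 7705 SAR code: the class, the function names, the method labels and the sample servers are assumptions made for illustration, and the 30-second health check is not modelled.

```python
HOLD_DOWN = 300  # seconds a non-responding server is not contacted (5 minutes, per the text)

class Server:
    """One RADIUS or TACACS+ server entry; `responds` is constructed sample behaviour."""
    def __init__(self, method, index, responds):
        self.method, self.index, self.responds = method, index, responds
        self.down_since = None  # time of the last unanswered request, if any

    @property
    def name(self):
        return f"{self.method}-{self.index}"

    def held_down(self, now):
        return self.down_since is not None and now - self.down_since < HOLD_DOWN

    def query(self, now):
        # Record the outcome so later logins skip a silent server for HOLD_DOWN seconds.
        self.down_since = None if self.responds else now
        return self.responds

def resolve(order, servers, now):
    """Return (answered_by, contacted) for one login attempt at time `now` (seconds)."""
    contacted = []
    for method in order:
        if method == "local":
            return "local", contacted  # local passwords need no server
        pool = sorted((s for s in servers if s.method == method), key=lambda s: s.index)
        for server in pool:
            if server.held_down(now):
                continue  # marked down less than 5 minutes ago: not contacted
            contacted.append(server.name)
            if server.query(now):
                return server.name, contacted  # a response ends the search
    return None, contacted

def sample_servers():
    # Constructed sample: every configured server is silent at first.
    return [Server("radius", 1, False), Server("radius", 2, False),
            Server("tacplus", 1, False)]

if __name__ == "__main__":
    order = ["radius", "tacplus", "local"]  # the order used in the text's example
    servers = sample_servers()
    for t in (0, 60, 301):
        print(t, resolve(order, servers, t))
```

While every remote server is inside its 5-minute window, a login is decided by the local password database without any server being contacted, so the strength of local credentials matters during an AAA outage.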