10. Authentication
ROX™ v2.2 User Guide 118 RuggedBackbone™ RX1500
both the NAS and the RADIUS server, transactions are encrypted and authenticated through the use
of a shared secret, which is never sent in the clear.
Some administrators set the passwords of existing ROX™ accounts uniquely for each router, and
then employ a common password per account for all routers served by RADIUS. The router-specific
passwords are restricted to a very few personnel. A larger set of expert users is granted the rights to
SSH login using the RADIUS root account passwords.
10.1.3. RADIUS on ROX™
ROX™ supports RADIUS server redundancy. Multiple RADIUS servers, usually operating from a
common database, may be used to authenticate a new session. If the first configured RADIUS server
does not respond, subsequent servers will be tried until a positive/negative acknowledgment is received
or an attempt has been made to contact all configured servers.
Each server is configured with an associated timeout which limits the time that ROX™ will wait for a
response. An authentication request could thus require up to the sum of the timeouts of all configured
servers.
RADIUS authentication activity is logged to the authorization log file, “auth.log”. Details of each
authentication including the time of occurrence, source and result are included.
10.1.4. RADIUS, ROX™, and Services
RADIUS provides the means to restrict access on a per-service basis. Accounts may be configured on
a RADIUS server to be allowed access only to the PPP service, for example. ROX™ supports RADIUS
authentication for the following services:
• LOGIN
• PPP
ROX™ provides the option of designating different servers to authenticate LOGIN or PPP services
separately or in combination.
The LOGIN Service
The LOGIN service consists of the following types of access:
• Local console logins via the serial port and modem
• Remote shell logins via SSH and Telnet
• Secure file transfers using SCP and SFTP (based on SSH)
Authentication requests for LOGIN services will attempt to use RADIUS first. If no response is received
from any configured RADIUS server, ROX™ will authenticate against the local user database.
The PPP Service
The PPP service represents incoming PPP connections via modem. Authentication requests to the
PPP service use RADIUS only. In the event that no response is received from any configured RADIUS
server, ROX™ will not complete the authentication request.
10.1.5. RADIUS Authentication Configuration
There are two RADIUS server forms that can be configured in ROX™.
To Next Page
Loading...
Need help?
General
