beautypg.com

Tacacs+ server authentication, Tacacs+ ser ver authentication -8 – Netopia 3300 User Manual

Page 272

background image

10-8 Firmware User Guide

Note:

In the latter two modes that involve both RADIUS and the local database, if the local database includes

no username/password pairs, authentication will succeed only if the RADIUS ser ver authenticates the user.
This differs from the Local Only mode where no authentication is per formed when the local database is empty.

If the primar y RADIUS ser ver responds with an access rejection or an access challenge, the alternate RADIUS
ser ver is not contacted. Only if the primar y RADIUS ser ver fails to respond at all is the alternate RADIUS ser ver
contacted.

Therefore, do not attempt to select any of the RADIUS options unless you have a RADIUS ser ver correctly
configured for this purpose. If you attempt to use RADIUS authentication without a RADIUS ser ver, you will lose
your configuration access to the router.

The Advanced Security Options screen suppor ts both a primar y RADIUS ser ver and an alternate RADIUS
ser ver. When the router is configured to authenticate using RADIUS, it will first attempt to contact the
primar y RADIUS ser ver; if the primar y RADIUS ser ver responds, RADIUS authentication succeeds or fails
based on the response returned by the primar y ser ver. If and only if the primar y ser ver fails to respond, the
router will attempt to contact the alternate RADIUS ser ver to authenticate the user. The router makes two
attempts per ser ver, three seconds apar t.

You can specify the Remote Server Addr/Name and the Alt Remote Server Addr/Name either by using a
hostname to be resolved using the Domain Name System (DNS) information configured in the router or by
using an IP address in dotted-quad notation. The RADIUS Ser ver Addr/Name items are limited to 63
characters.

In addition to specifying the ser ver’s hostname or IP address, you must also specify a Remote Server
Secret and an Alt Remote Server Secret (if configured) known to both the router and the RADIUS ser ver.
The secret is used to encr ypt RADIUS transactions in transit. The RADIUS Ser ver Secret items are limited
to 31 characters.

The router’s RADIUS client implementation suppor ts passwords longer than 16 characters and properly
encr ypts such passwords per RFC 2138. Not all RADIUS ser ver implementations handle passwords longer
than 16 characters.

RADIUS Identifier can be either an IP address or an arbitrar y string to be used as the identifier in the
router’s outgoing Access-Request packets. The RADIUS identifier is limited to 63 characters.

RADIUS Server Authentication Port specifies the UDP destination por t to which the router’s RADIUS
authentication requests will be sent. The default value is 1812, the official IANA-assigned UDP por t
number for the RADIUS authentication ser vice.

TACACS+ server authentication

Netopia Firmware Version 8.7 suppor ts TACACS+ ser ver authentication. Its application to a Netopia Router is to
control access to the Router’s management inter face, and to audit commands submitted by a user.

TACACS (Terminal Access Controller Access Control System) protocol provides access control for Netopia
Routers via a centralized ser ver. TACACS+ provides separate authentication, authorization and accounting
ser vices.

TACACS allows a client to accept a username and password and quer y a TACACS authentication ser ver.