Radius authentication, Introduction, Radius usage – RuggedCom RuggedRouter RX1100 User Manual
Page 305: Radius on rox
34. Maintaining The Router
Revision 1.14.3
RX1000/RX1100™
MIB Name                  MIB Description
TCP-MIB                   The MIB module for managing TCP implementations
IP-MIB                    The MIB module for managing IP and ICMP implementations
UDP-MIB                   The MIB module for managing UDP implementations
LLDP-MIB                  The MIB module for managing LLDP
SNMP-VIEW-BASED-ACM-MIB   View-based Access Control Model for SNMP
SNMP-FRAMEWORK-MIB        The SNMP Management Architecture MIB
SNMP-MPD-MIB              The MIB for Message Processing and Dispatching
SNMP-USER-BASED-SM-MIB    The management information definitions for the SNMP User-based Security Model
Table 34.1.
34.7. RADIUS Authentication
34.7.1. Introduction
RADIUS (Remote Authentication Dial In User Service), described in RFC 2865, is a protocol
designed to allow the centralization of authentication, authorization, and configuration of various
types of services. The goal of RADIUS authentication is typically to restrict the distribution of account
information and to avoid the replication of security management effort.
34.7.1.1. RADIUS Usage
The typical mode of operation involves a Network Access Server (NAS) - in this case the
RuggedRouter - and a remote RADIUS server, where account information is stored. In the course
of attempting to access connection-oriented services on the NAS, a user presents credentials to the
NAS for authentication. The NAS forwards these to a configured RADIUS server and accepts from it
the determination of whether the user is allowed the requested access. In order to protect the security
of account information and of both the NAS and the RADIUS server, transactions are encrypted and
authenticated through the use of a shared secret, which is never sent in the clear.
Some administrators set the passwords of existing RuggedRouter accounts, e.g. "rrsetup" and "root",
uniquely for each router, and then employ a common password per account for all routers served by
RADIUS. The router-specific passwords are restricted to a very few personnel. A larger set of expert
users is granted the rights to SSH login using the RADIUS root account passwords. Yet another set
of users is granted access via Webmin user accounts.
34.7.1.2. RADIUS on ROX
RuggedRouter supports RADIUS server redundancy. Multiple RADIUS servers, usually operating
from a common database, may be used to authenticate a new session. If the first configured RADIUS
server does not respond, subsequent servers will be tried until a positive/negative acknowledgment
is received or an attempt has been made to contact all configured servers.
Each server is configured with an associated timeout which limits the time that RuggedRouter will
wait for a response. An authentication request could thus require up to the sum of the timeouts of
all configured servers.