This chapter discusses configuration and use of the Remote Authentication Dial-In User Service (RADIUS) networking protocol on a BANDIT device.

Transcription

1 encor! enetworks TM Version A.1, January Encore Networks, Inc. All rights reserved. The RADIUS Protocol This chapter discusses configuration and use of the Remote Authentication Dial-In User Service (RADIUS) networking protocol on a BANDIT device. Note: The BANDIT devices use RADIUS only for Telnet logins. For all other logins, standard BANDIT authentication is used. If the login is via Telnet, the BANDIT s network access server identifier (NAS ID) determines whether the login uses RADIUS or standard authentication and selects the appropriate login routine. See the following sections: The RADIUS Networking Protocol Configuring the BANDIT as a RADIUS Client Note: See the Protocols Module for a full list of BANDIT protocols The RADIUS Networking Protocol RADIUS is a centralized authentication, authorization, and accounting (AAA) management system: Authentication verifies that the proper user credentials have been submitted for access to devices in the network. Authorization indicates which devices and services the user can have access to. Accounting tracks the use of the devices and services. The BANDIT s use of the RADIUS protocol conforms to RFC 2865, which describes the RADIUS protocol s authentication and authorization, and RFC 2866, which describes the RADIUS protocol s accounting. The BANDIT device is a RADIUS client. When a user logs in over a Telnet connection, the BANDIT sends the user credentials to the RADIUS server for verification. The RADIUS server usually resides at a network operation center (NOC), such as a headquarters (HQ) site or a central hub site. Note: Configuration of RADIUS user names, passwords, and access levels is performed on the RADIUS server. See the server manufacturer s literature to configure RADIUS on the server. For information on trademarks, safety, limitations of liability, and similar topics, see Notices. Home Module: Protocols Document 10

2 Page 2 Protocols Module, Document Configuring the BANDIT as a RADIUS Client 1 Log in to the BANDIT at administrator level. (For details, see Starting the ELIOS Software.) After a successful log-in, the Main Menu is displayed. Main Menu ) QuickStart Config Builder 2) Typical Configurations 3) Advanced Configurations 4) Tools V) View Current Unit Status F) Cellular Fast Connect L) Load Factory Defaults P) Load Plug and Play Defaults W) Write Configuration R) Reset Unit X) exit Session S) Statistics Y) system Administration 2 On the Main Menu, select System Administration. The System Administration Menu is displayed. System Administration ) User Management 2) SNMP Configuration 3) Database Management 4) Telnet Terminal 5) Port Data Capture 6) SNMP Triggered TRAPs 7) RADIUS Authentication B) Config Banner C) Copy Configuration F) Flash RDU N) Network Download R) Remote Logging U) Upgrade Code V) VPN Commands O) Ospf/Bgp Log W) Wireless Options 3 On the System Administration Menu, select RADIUS Authentication. The RADIUS Configuration Parameters Menu is displayed.

3 The RADIUS Protocol Page 3 2) Primary RADIUS Server IP : ) Secondary RADIUS Server IP : ) RADIUS NAS IP : On the RADIUS Configuration Parameters Menu, select each parameter (as described in step 5 through step 12) to configure the BANDIT as a RADIUS client. 5 On the RADIUS Configuration Parameters Menu, select RADIUS Admin Status. RADIUS Admin Status(1.Disable, 2.Enable): (1 to 2)[1] : a Do one of the following: i To refrain from using RADIUS, select Disable. This BANDIT device will not use RADIUS. The RADIUS Configuration Parameters Menu is redisplayed. Go to step 13. ii To use RADIUS, select Enable. This BANDIT device will be a RADIUS client. The RADIUS Configuration Parameters Menu is redisplayed. Continue to configure RADIUS parameters. 2) Primary RADIUS Server IP : ) Secondary RADIUS Server IP : ) RADIUS NAS IP : On the RADIUS Configuration Parameters Menu, select Primary RADIUS Server IP.

4 Page 4 Protocols Module, Document 10 Enter Primary RADIUS Server IP (N.N.N.N) : a Type the IP address of the primary server for the RADIUS application, and press Enter. The IP address is accepted and is displayed in the RADIUS Configuration Parameters Menu. 3) Secondary RADIUS Server IP : ) RADIUS NAS IP : If your network includes a secondary RADIUS server, then, on the RADIUS Configuration Parameters Menu, select Secondary RADIUS Server IP. Enter Seconday RADIUS Server IP (N.N.N.N) : a Type the IP address of the secondary server for the RADIUS application, and press Enter. The IP address is accepted and is displayed in the RADIUS Configuration Parameters Menu. 4) RADIUS NAS IP :

5 The RADIUS Protocol Page 5 8 On the RADIUS Configuration Parameters Menu, select RADIUS NAS IP. Enter NAS IP (Local IP) (N.N.N.N) : Note: The BANDIT functions as a network access server (NAS) for RADIUS, and uses one of its IP addresses (usually its WAN IP address) to identify itself to the RADIUS server. a Type the BANDIT s IP address for its RADIUS application NAS function, and press Enter. If the IP address entered is not one of the BANDIT s current IP addresses, the following message is displayed. WARNIING: IP Address is not part of the active interfaces! Caution: If you see this message, the NAS IP is not one of the BANDIT s current IP addresses. Make sure the BANDIT s NAS IP address corresponds to an IP address for one of the BANDIT s ports. You may need to repeat step 8. The RADIUS Configuration Parameters Menu is redisplayed, with the specified IP address. 4) RADIUS NAS IP : On the RADIUS Configuration Parameters Menu, select RADIUS Shared Secret. Enter RADIUS Shared Secret:

6 Page 6 Protocols Module, Document 10! Note: The RADIUS shared secret is used to negotiate the connection between the NAS and the RADIUS server. The RADIUS shared secret must be determined in advance and must be distributed to each party in the connection. Caution: Do not distribute the RADIUS shared secret to any entities other than those that must use that shared secret. Note: The RADIUS definition of shared secret corresponds to secret key (also known as pre-shared key or shared key ). It is not a generated shared secret such as that used in a key-agreement protocol (for example, a Diffie Hellman exchange). a Type the RADIUS shared secret exactly as it is presented, including special characters and uppercase or lowercase letters. (The RADIUS shared secret cannot contain spaces.) Then press the Enter key. ReEnter RADIUS Shared Secret: b Retype the RADIUS shared secret exactly as it is presented, including special characters and uppercase or lowercase letters. Then press the Enter key. If the entries are not the same, the following error message is displayed. Then the RADIUS Configuration Parameters Menu is redisplayed. Perform step 9 again. ERROR: Entered Strings differ!! Caution: If you see this message, the RADIUS shared secret might have been typed incorrectly; it must be re-entered. You must perform step 9 again, making sure that, in both substep a and substep b, you type the RADIUS shared secret exactly as it is presented. If the entries are the same, the RADIUS shared secret is accepted. Then the RADIUS Configuration Parameters Menu is redisplayed. 4) RADIUS NAS IP :

7 The RADIUS Protocol Page 7 10 On the RADIUS Configuration Parameters Menu, select RADIUS Server UDP Port. RADIUS Server UDP Port(1.Old_1645, 2.New_1812): (1 to 2)[2] : Note: To determine whether to use the old or new RADIUS UDP port number, see the vendor s instructions for the RADIUS server. a Select the UDP port for RADIUS transmissions. The RADIUS Configuration Parameters Menu is redisplayed with the selected RADIUS UDP port number. 4) RADIUS NAS IP : ) RADIUS Server UDP Port : On the RADIUS Configuration Parameters Menu, select RADIUS Retry Timeout. RADIUS Retry Timeout: (1 to 30)[3] : a Type the number of seconds for the BANDIT to wait for a response from the RADIUS server, and press Enter. The RADIUS Configuration Parameters Menu is redisplayed with the selected time for the RADIUS retry timeout.

8 Page 8 Protocols Module, Document 10 4) RADIUS NAS IP : ) RADIUS Server UDP Port : ) RADIUS Retry Timeout : 4 12 On the RADIUS Configuration Parameters Menu, select RADIUS Maximum Retries. RADIUS Max Retries: (0 to 20)[3] : a Type the maximum number of retries for the BANDIT to contact the RADIUS server, and press Enter. The RADIUS Configuration Parameters Menu is redisplayed with the indicated maximum number of retries. 4) RADIUS NAS IP : ) RADIUS Server UDP Port : ) RADIUS Retry Timeout : 4 8) RADIUS Maximum Retries : 4 13 After you have finished configuring the RADIUS configuration parameters, press the Escape key until you reach the Main Menu.

9 The RADIUS Protocol Page 9 Main Menu ) QuickStart Config Builder 2) Typical Configurations 3) Advanced Configurations 4) Tools V) View Current Unit Status F) Cellular Fast Connect L) Load Factory Defaults P) Load Plug and Play Defaults W) Write Configuration R) Reset Unit X) exit Session S) Statistics Y) system Administration 14 On the Main Menu, select Write Configuration, to save the new configuration. (For details, see Saving (Writing) a Configuration.) 15 Then, also on the Main Menu, select Reset Unit, to use the newly saved configuration. (For details, see Resetting the Device.)

10 Page 10 Protocols Module, Document 10