2.1. Authentication, Authorization, and Accounting

This chapter describes authentication, authorization, and accounting (AAA) used to monitor and control network access on routers. Network security is based on a multi-step process. The first step, authentication, validates a user's name and password. The second step is authorization, which allows the user to access and execute commands at various command levels based on profiles assigned to the user.

Another step, accounting, keeps track of the activity of a user who has accessed the network. The type of accounting information recorded can include a history of the commands executed, the amount of time spent in the session, the services accessed, and the data transfer size during the session. The accounting data can then be used to analyze trends, and also for billing and auditing purposes.

You can configure routers to use local, Remote Authentication Dial In User Service (RADIUS), or Terminal Access Controller Access Control System Plus (TACACS+) security to validate users who attempt to access the router by console, Telnet, or FTP. You can select the authentication order, which determines the authentication method to try first, second, and third. The router supports the following security features:

Authentication validates a user name and password combination when a user attempts to log in. When a user attempts to log in through the console, Telnet, SSH, SCP, or FTP, the client sends an access request to a RADIUS, TACACS+, or local database.

Transactions between the client and a RADIUS server are authenticated through the use of a shared secret. The secret is never transmitted over the network. User passwords are sent encrypted between the client and RADIUS server, which prevents someone snooping on an insecure network from learning password information.

If the RADIUS server does not respond within a specified time, the router issues the access request to the next configured server. Each RADIUS server must be configured identically to guarantee consistent results. If any RADIUS server rejects the authentication request, it sends an access reject message to the router. In this case, no access request is issued to any other RADIUS server. However, if other authentication methods such as TACACS+ and/or local are configured, then these methods are attempted. If no other authentication methods are configured, or all methods reject the authentication request, then access is denied.

For RADIUS server selection, round-robin is used if multiple RADIUS servers are configured. However, if the first alive server in the list cannot find the user name, the router does not re-query the next server in the RADIUS server list and denies the access request. The user may get authenticated on the next login attempt if the next selected RADIUS server has the appropriate user name. It is recommended that the same user databases are maintained on all RADIUS servers in order to avoid inconsistent behavior.

The user login is successful when the RADIUS server accepts the authentication request and responds to the router with an access accept message. Implementing authentication without authorization for the routers does not require the configuration of VSAs (Vendor Specific Attributes) on the RADIUS server. However, users, user access permissions, and command authorization profiles must be configured on each router.

Any combination of these authentication methods can be configured to control network access from a router:

2.1.1.2.1.4.3. RADIUS Challenge/Response Interactive Authentication

Challenge-response interactive authentication is used for key authentication, where the RADIUS server asks for the valid response to a displayed challenge. The challenge packet includes a challenge to be displayed to the user, such as a unique generated numeric value unlikely ever to be repeated. Typically this is obtained from an external server that knows what type of authenticator is in the possession of the authorized user and can therefore choose a random or non-repeating pseudorandom number of appropriate length. The user then enters the challenge into their device (or software), which calculates a response; the user enters the response into the client, which forwards it to the RADIUS server within an access request. If the response matches the expected response, the RADIUS server allows the user access; otherwise it rejects the response.

RADIUS interactive authentication is disabled by default. RADIUS challenge/response mode is enabled using the CLI interactive-authentication command in the config>system>security>radius context.
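The shared-secret mechanics described above (passwords hidden on the wire, the secret itself never sent, and the server proving it holds the secret when it answers with an access accept or reject) follow RFC 2865. This added example, which is not code from the router documentation, implements the User-Password hiding of RFC 2865 section 5.2 and the Response Authenticator check of section 3; the secret, password and Request Authenticator values are constructed for illustration.

```python
"""RFC 2865 User-Password hiding and Response Authenticator verification.

Added example, not part of the router documentation. The client XORs the
password with an MD5 stream keyed by the shared secret S and the 16-byte
per-request Request Authenticator RA; the server proves it knows S by
signing its Access-Accept/Reject with MD5(Code+ID+Length+RA+Attrs+S).
"""
import hashlib
import hmac
import struct


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Obfuscate a User-Password attribute value (RFC 2865 section 5.2)."""
    if len(request_auth) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if not 1 <= len(password) <= 128:
        raise ValueError("RADIUS passwords are 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)  # NUL-pad to 16n
    out, prev = b"", request_auth      # b1 = MD5(S+RA), bi = MD5(S+c(i-1))
    for i in range(0, len(padded), 16):
        b = hashlib.md5(secret + prev).digest()
        c = bytes(x ^ y for x, y in zip(padded[i:i + 16], b))
        out, prev = out + c, c
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server-side inverse of hide_password; trailing NUL padding is removed."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden value must be a non-zero multiple of 16 octets")
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        b = hashlib.md5(secret + prev).digest()
        c = hidden[i:i + 16]
        out, prev = out + bytes(x ^ y for x, y in zip(c, b)), c
    return out.rstrip(b"\x00")


def response_authenticator(code: int, ident: int, attrs: bytes,
                           request_auth: bytes, secret: bytes) -> bytes:
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def verify_reply(code: int, ident: int, attrs: bytes, request_auth: bytes,
                 secret: bytes, resp_auth: bytes) -> bool:
    """Client-side check that an Access-Accept (2) or Access-Reject (3) was
    produced by a holder of the shared secret for this exact request."""
    expected = response_authenticator(code, ident, attrs, request_auth, secret)
    return hmac.compare_digest(expected, resp_auth)  # constant-time compare
```

Because each block of the MD5 stream depends on the Request Authenticator, the same password produces a different User-Password value on every request; a reply whose Response Authenticator does not verify must be discarded rather than treated as an accept.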