Radius authentication – RuggedCom RuggedRouter RX1000 User Manual


Chapter 26 – Maintaining The Router

Radius Authentication

The Radius protocol described in RFC 2865 provides a means for carrying
authentication, authorization, and configuration information between a client (the
router) which desires to authenticate its links and a shared Authentication Server.
Transactions between the router and RADIUS server are authenticated through the
use of a shared secret, which is never sent over the network. In addition, any user
passwords are sent encrypted between the router and RADIUS server, to eliminate the
possibility that someone snooping on an insecure network could determine a user's
password.
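
As an added illustration (not code from the RuggedCom manual or product), the following Python shows the two points above as RFC 2865 specifies them: the shared secret only ever enters MD5 computations, and the User-Password attribute is XOR-masked with an MD5 keystream derived from that secret and the per-request Request Authenticator, while the Response Authenticator lets the client check that a reply came from a holder of the secret. All function names and sample values are constructed for this example.

```python
import hashlib
import hmac
import struct

def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 s5.2: XOR the NUL-padded password with an MD5 keystream
    derived from the shared secret and the 16-byte Request Authenticator."""
    padded = password.ljust(max(16, (len(password) + 15) // 16 * 16), b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        out += prev                      # each cipher block feeds the next MD5
    return out

def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password, as the server does it; NUL padding is stripped."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ b for c, b in zip(hidden[i:i + 16], block))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def build_access_request(ident: int, user: bytes, password: bytes,
                         secret: bytes, request_auth: bytes) -> bytes:
    """Code 1 = Access-Request with User-Name (type 1) and hidden User-Password (type 2)."""
    hidden = hide_password(password, secret, request_auth)
    attrs = bytes([1, 2 + len(user)]) + user + bytes([2, 2 + len(hidden)]) + hidden
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + request_auth + attrs

def build_access_accept(ident: int, request_auth: bytes, secret: bytes) -> bytes:
    """Server side: Code 2 = Access-Accept, no attributes, authenticated per RFC 2865 s3."""
    header = struct.pack("!BBH", 2, ident, 20)
    return header + hashlib.md5(header + request_auth + secret).digest()

def verify_response(reply: bytes, request_auth: bytes, secret: bytes) -> bool:
    """RFC 2865 s3: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret).
    A reply that fails this check was not produced by a holder of the shared secret."""
    length = struct.unpack("!H", reply[2:4])[0]
    expected = hashlib.md5(reply[:4] + request_auth + reply[20:length] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])

# Constructed sample values (not from the manual): a fixed Request Authenticator
# stands in for the random one a real client generates for every request.
SECRET = b"example-shared-secret"
REQUEST_AUTH = bytes(range(16))
```

The password hiding is an MD5-derived keystream, so its strength rests entirely on the entropy of the shared secret and on the Request Authenticator being unpredictable per request.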
Radius deals with categories of authentication, known as services. The router
supports user logins via the LOGIN service, PPP connections via the PPP service
and non-root Web management via the WEBMIN service. The WEBMIN service
allows operator actions to be logged under their login name (as opposed to “root”).
The router uses Radius to authenticate:

• Serial port, embedded modem and SSH console logins to the root account,
• SCP and SFTP (SSH file copies and file transfers) to the root account,
• Logins to the rrsetup configuration (rrsetup account),
• PPP incoming connections on the embedded modem (specific user accounts),
• Web Management logins (root and radius user accounts).

Radius server redundancy is supported. Multiple Radius servers, usually operating
from a common database, may be used to authenticate a new session. If the first
configured Radius server does not respond, subsequent servers will be tried until a
positive/negative acknowledgment is received or all servers have been tried.
Each server is configured with an associated timeout which limits the duration of the
request to it. An authentication request could thus require up to the sum of the
timeouts of all configured servers.
If no Radius servers are configured (or none is able to authenticate the request), logins
are authenticated against the system account stored on the router. The goal of Radius
authentication is usually to severely restrict the distribution of this local password,
limiting regular access to server-based authentication.

Note: Users employing the WEBMIN service are the exception to this rule. Being
entirely managed via Radius, they cannot access web management if Radius is down.

The user has the option of designating specific servers to authenticate either Login,
PPP or Webmin sessions, or of having one server authenticate any combination of
services or all services.

The radius server providing the WEBMIN service must also be configured to supply a
“privilege-level” field which will be used in upcoming releases to provide operator
levels of privilege. See the appendix on Radius Server Configuration for more
information.

RuggedCom 253