Radius authentication, Securid support, Radius authentication 110 securid support 110 – Nortel Networks WEB OS 212777 User Manual

Page 110

Advertising
background image

Web OS 10.0 Application Guide

110

n

Chapter 5: Secure Switch Management

212777-A, February 2002

Radius Authentication

SSH/SCP is integrated with RADIUS authentication. After the RADIUS server is enabled on
the switch, all subsequent SSH authentication requests will be redirected to the specified
RADIUS servers for authentication. The redirection is transparent to the SSH clients.

SecurID Support

SSH/SCP can also work with SecurID, a token card-based authentication method. The use of
SecurID requires the interactive mode during login, which is not provided by the SSH connec-
tion.

N

OTE

There is no SNMP or Browser-Based Interface (BBI) support for SecurID because the

SecurID server, ACE, is a one-time password authentication and requires an interactive ses-
sion.

To log in using SSH without difficulties, you need to use a special username, “ace,” to log in
and bypass the SSH authentication. After an SSH connection is established, you will then be
prompted to enter the username and password (the SecurID authentication is being performed
now). You will need to provide your actual username and the token in your SecurID card as a
regular Telnet user would do in order to log in.

To use SCP, you need to use the SCP-only administrator’s password (that is, the

scpadm

option under the

/cfg/sys/sshd

menu) to bypass the checking of SecurID. Alternately,

you can configure a regular administrator with a fixed password in the RADIUS server if it can
be supported. A regular administrator with a fixed password in the RADIUS server can per-
form both SSH and SCP with no additional authentication required.

A SCP-only administrator’s password is typically used when SecurID is used. For example, it
can be used in an automation program (in which the tokens of SecurID are not available) to
back up (download) the switch configurations each day.

N

OTE

The SCP-only administrator’s password must be different from the regular administra-

tor’s password. If the two passwords are the same, the administrator using that password will
not be allowed to log in as a SSH user because the switch will recognize him as the SCP-only
administrator and only allow the administrator access to SCP commands.

Advertising
Popular Brands
Popular manuals