Nortel Networks OPTera Metro 3500 User Manual

Page 163


Operation, administration, and maintenance (OAM) features 2-125

Planning and Ordering Guide—Part 1 of 2 NTRN10AN Rel 12.1 Standard Iss 1 Apr 2004

Centralized user administration and authentication through RADIUS

OPTera Metro 3500 supports a Remote Access Dial-In User authentication
Service (RADIUS) as a centralized authentication solution. The RADIUS
protocol is an IETF Draft Standard (RFC 2865) widely used to support remote
access protocols (for example, SLIP, PPP, telnet, and rlogin). The RADIUS
protocol is a UDP-based client-server protocol. The OPTera Metro 3500
implementation supports three messages from this protocol:

Access-Request - message sent from the network processor to the
authentication server providing user information (user ID, password, etc.)

Access-Reject - message sent from the authentication server to the network
processor refusing access to the user

Access-Accept - message sent from the authentication server to the
network processor granting access to the user

Designated network processors in an OPTera Metro 3500 network operate as
RADIUS clients, responsible for passing user information to RADIUS servers
and then acting on the response that is returned. This remote authentication
feature is user-provisionable, allowing system administrators to enable or
disable RADIUS. When RADIUS is enabled, all user authentications are
processed through the RADIUS server (that is, local account user
authentication is unavailable). When the RADIUS servers are unavailable or
down, users can log in with either local account user authentication
(if provisioned as the alternate) or local challenge-response user authentication
(always available).

Note 1: Network elements with CSA interoperate seamlessly with OPTera
Metro 3000 network elements that do not support CSA or have not enabled
CSA.

Note 2: If a user is connected by RS-232 to a shelf processor, that user will
be authenticated through Centralized Authentication. If the RADIUS
server is down, the user will be prompted to select between retrying with
CSA, Challenge Response, or Local authentication. Local authentication
will only be available if it was provisioned as the alternate authentication
method.

The login-retry strategy is as follows:

The RADIUS client on the network processor sends up to three requests to
the primary server, followed by up to three requests to the secondary.

The provisioned timeout value specifies the maximum amount of time it
will take to send and wait for responses for each server. For example, with
30 seconds as the provisioned primary RADIUS server timeout value, and
20 seconds for the secondary timeout value, the requests will be sent as
follows:
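The following is an added worked example, not Nortel's code and not the actual OPTera Metro 3500 implementation. It builds the three RFC 2865 messages named above (Access-Request with the User-Name and User-Password attributes, Access-Accept, Access-Reject), verifies the Response Authenticator so that a reply with the wrong shared secret is ignored, and runs the login-retry strategy: up to three requests to the primary server, then up to three to the secondary, falling back to local or challenge-response login when neither answers. The server class, the shared secrets, the user database, and the 30 s / 20 s timeouts are all constructed for the example; it also assumes that each unanswered request waits the full provisioned timeout before the next one is sent, which is how the worst-case wait is totalled.

```python
import hashlib
import os
import struct

# RFC 2865 packet codes and attribute types used by the three messages the manual lists.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2
MAX_ATTEMPTS_PER_SERVER = 3  # manual: up to three requests per server


def _keystream_xor(data, secret, request_auth, hiding):
    """RFC 2865 section 5.2: XOR 16-byte chunks with MD5(secret + previous chunk).
    When hiding, chaining uses the ciphertext just produced; when revealing, the
    ciphertext just consumed. (This construction is why the shared secret must be
    strong and the management network isolated: it is obfuscation, not encryption.)"""
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        key = hashlib.md5(secret + prev).digest()
        chunk = bytes(a ^ b for a, b in zip(data[i:i + 16], key))
        out += chunk
        prev = chunk if hiding else data[i:i + 16]
    return out


def hide_password(password, secret, request_auth):
    padded = password + b"\x00" * (-len(password) % 16)
    return _keystream_xor(padded, secret, request_auth, hiding=True)


def reveal_password(hidden, secret, request_auth):
    return _keystream_xor(hidden, secret, request_auth, hiding=False).rstrip(b"\x00")


def parse_attrs(blob):
    """Parse type/length/value attributes; reject lengths that run past the packet."""
    attrs, i = {}, 0
    while i + 2 <= len(blob):
        t, l = blob[i], blob[i + 1]
        if l < 2 or i + l > len(blob):
            raise ValueError("malformed attribute")
        attrs[t] = blob[i + 2:i + l]
        i += l
    return attrs


def build_access_request(ident, user, password, secret, request_auth):
    attrs = bytes([ATTR_USER_NAME, 2 + len(user)]) + user
    hidden = hide_password(password, secret, request_auth)
    attrs += bytes([ATTR_USER_PASSWORD, 2 + len(hidden)]) + hidden
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


class FakeRadiusServer:
    """In-memory stand-in constructed for the example; not a real RADIUS server."""

    def __init__(self, secret, users, reachable=True):
        self.secret, self.users, self.reachable = secret, users, reachable

    def handle(self, pkt):
        if not self.reachable:
            return None                       # the client sees a timeout
        _code, ident, _length = struct.unpack("!BBH", pkt[:4])
        req_auth, attrs = pkt[4:20], parse_attrs(pkt[20:])
        user = attrs.get(ATTR_USER_NAME, b"")
        pw = reveal_password(attrs.get(ATTR_USER_PASSWORD, b""), self.secret, req_auth)
        reply = ACCESS_ACCEPT if self.users.get(user) == pw else ACCESS_REJECT
        auth = response_authenticator(reply, ident, b"", req_auth, self.secret)
        return struct.pack("!BBH", reply, ident, 20) + auth


def authenticate(user, password, servers):
    """servers: ordered [(server, timeout_seconds)], primary first.
    Returns (outcome, requests_sent, worst_case_seconds_waited)."""
    sent, waited = 0, 0
    for server, timeout in servers:
        for _attempt in range(MAX_ATTEMPTS_PER_SERVER):
            ident, req_auth = sent & 0xFF, os.urandom(16)
            sent += 1
            resp = server.handle(build_access_request(ident, user, password, server.secret, req_auth))
            if resp is None:
                waited += timeout             # assumption: each retry waits the full timeout
                continue
            code, rid, length = struct.unpack("!BBH", resp[:4])
            if rid != ident or length != len(resp):
                continue                      # not a reply to this request
            if resp[4:20] != response_authenticator(code, rid, resp[20:], req_auth, server.secret):
                continue                      # wrong shared secret or spoofed reply: ignore it
            if code == ACCESS_ACCEPT:
                return "accept", sent, waited
            if code == ACCESS_REJECT:
                return "reject", sent, waited
    return "fallback", sent, waited           # no server answered: local/challenge-response login


def scenario(primary_up, secondary_up, password=b"correct horse battery"):
    """Constructed deployment: primary timeout 30 s, secondary 20 s, one provisioned user."""
    users = {b"admin": b"correct horse battery"}
    primary = FakeRadiusServer(b"primary-secret", users, reachable=primary_up)
    secondary = FakeRadiusServer(b"secondary-secret", users, reachable=secondary_up)
    return authenticate(b"admin", password, [(primary, 30), (secondary, 20)])


if __name__ == "__main__":
    for args in [(True, True), (False, True), (False, False)]:
        print(args, scenario(*args))
```

With both servers down the client sends six requests and, under the per-request assumption above, a user could wait 3 × 30 s + 3 × 20 s = 150 s before the local fallback is offered; that figure is the one to weigh when provisioning the timeout values. The authenticator check is the defender-relevant part of the client: a reply that fails it is dropped rather than treated as a reject.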
