Authentication - Alcatel-Lucent 7450 System Management Manual
Ethernet service switch
Hide thumbs
Also See for 7450:
- Quality of service manual (912 pages) ,
- Manual (816 pages) ,
- Configuration manual (778 pages)
Table of Contents
Advertisement
Authentication
Authentication validates a user name and password combination when a user attempts to log in.
When a user attempts to log in through the console, Telnet, SSH, SCP, or FTP, the client sends an
access request to a RADIUS, TACACS+, or local database.
Transactions between the client and a RADIUS server are authenticated through the use of a
shared secret. The secret is never transmitted over the network. User passwords are sent encrypted
between the client and RADIUS server which prevents someone snooping on an insecure network
to learn password information.
If the RADIUS server does not respond within a specified time, the router issues the access
request to the next configured servers. Each RADIUS server must be configured identically to
guarantee consistent results.
If any RADIUS server rejects the authentication request, it sends an access reject message to the
router. In this case, no access request is issued to any other RADIUS servers. However, if other
authentication methods such as TACACS+ and/or local are configured, then these methods are
attempted. If no other authentication methods are configured, or all methods reject the
authentication request, then access is denied.
For the RADIUS server selection, round-robin is used if multiple RADIUS servers are configured.
Although, if the first alive server in the list cannot find a user-name, the router does not re-query
the next server in the RADIUS server list and denies the access request. It may get authenticated
on the next login attempt if the next selected RADIUS server has the appropriate user-name. It is
recommended that the same user databases are maintained for RADIUS servers in order to avoid
inconsistent behavior.
The user login is successful when the RADIUS server accepts the authentication request and
responds to the router with an access accept message.
Implementing authentication without authorization for the routers does not require the
configuration of VSAs (Vendor Specific Attributes) on the RADIUS server. However, users, user
access permissions, and command authorization profiles must be configured on each router.
Any combination of these authentication methods can be configured to control network access
from a router:
•
•
•
7450 ESS System Mangement Guide
Local Authentication on page 22
RADIUS Authentication on page 22
TACACS+ Authentication on page 27
Security
Page 21
Advertisement
Table of Contents
