Alcatel-Lucent 7450 System Management Manual page 25

Ethernet service switch
Security
login the user via local authentication. If this fails, the system reverts to RADIUS and challenge/response mode. The authentication-order is applied first; the RADIUS interactive-authentication mode is only entered when that order reaches RADIUS.
Even if the authentication-order is RADIUS then local, the standard password prompt is always displayed, and the user enters a username and password at this prompt. If RADIUS interactive-authentication is enabled, the password does not have to be the correct one, because authentication is accomplished using the RADIUS challenge/response method; the user can enter any password. The node sends the username and password to the RADIUS server, which responds with a challenge request; the node presents that challenge to the user. Once the user enters the challenge response, the RADIUS server verifies it and, if it is correct, the user is granted access to the node. In this mode the token response, not the password typed at the prompt, is the credential that actually authenticates the session.
For example, if the system is configured with system security authentication-order set to local then RADIUS, the user can enter the username "admin" and the corresponding password at the login prompt. If the password does not match for local authentication, the system falls into RADIUS authentication mode. The system checks the interactive-authentication configuration and, if it is enabled, enters challenge/response mode: it sends the username and password to the RADIUS server, and the server sends a challenge request back to the node, where it appears to the user as a challenge prompt on screen. A challenge received from the RADIUS server typically contains a string that the user enters into a personal hardware token generator to produce the response. For example, the RADIUS server might send the challenge prompt "Enter response for challenge 12345:" to SR OS. The user enters the string "12345" into the local token generator, which generates the challenge response for that string, and then types the response at the SR OS prompt.
Once the user enters the correct challenge response, the RADIUS server authenticates the user and the user gains access to the node.
If session-timeout and idle-timeout values are returned by the RADIUS server, they govern how long SR OS keeps the challenge prompt open: the prompt is cancelled if the user is idle longer than the received idle-timeout (seconds), or if the user does not press ENTER before the received session-timeout (seconds) expires.
Note: For SSH, only the session-timeout value is used, because the SSH stack cannot track character input at the login prompt until the enter key is pressed.
Note: If the idle/session attribute is not available, or if its value is set to a very large number, SR OS uses the smaller of the value set in "configure system login-control idle-timeout" and the idle/session timeout attribute value to terminate the prompt. If the "login-control idle-timeout" is set to 0 (equivalent to infinite), the maximum idle-timeout (24 hours) is used for the calculation.
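The following Python program is an added illustration of the challenge/response login and the prompt-timeout rule described above; it is not code from the Alcatel-Lucent guide or from SR OS. It is a toy, in-process model: the RADIUS server, the token generator and the node are all constructed here, no RADIUS packets are encoded, the token algorithm (HMAC-SHA256 truncated to 8 hex digits) is an assumption and not that of any real token, the attribute names Reply-Message, State, Session-Timeout and Idle-Timeout are the standard RADIUS names and are assumed to be what the node consumes, the failed-attempt limit is a parameter of the example rather than an SR OS default, and the login-control idle-timeout is assumed to be configured in minutes.

```python
"""Toy simulation of the RADIUS challenge/response login described on this page.
Everything here is in-process and constructed for the example: no RADIUS
packets are encoded, and the token algorithm is not that of any real token."""
import hashlib
import hmac
import secrets
from typing import Callable, Dict, Optional, Tuple

MAX_IDLE_SECONDS = 24 * 3600  # the 24-hour ceiling mentioned in the note above


def token_response(seed: bytes, challenge: str) -> str:
    """What the user's personal token computes from the challenge string.
    HMAC-SHA256 truncated to 8 hex digits is an assumption of this example."""
    return hmac.new(seed, challenge.encode(), hashlib.sha256).hexdigest()[:8]


class ToyRadiusServer:
    """Interactive-authentication server: the password in the first
    Access-Request is ignored, only the challenge response authenticates."""

    def __init__(self, token_seeds: Dict[str, bytes],
                 session_timeout: int = 60, idle_timeout: int = 30):
        self.token_seeds = token_seeds  # username -> seed shared with that user's token
        self.session_timeout = session_timeout
        self.idle_timeout = idle_timeout
        self.pending: Dict[bytes, Tuple[str, str]] = {}  # State -> (username, challenge)

    def access_request(self, username: str, password: str,
                       state: Optional[bytes] = None,
                       response: Optional[str] = None) -> Tuple[str, dict]:
        """Returns (code, attributes); code is Access-Challenge/Accept/Reject.
        Attribute names follow the standard RADIUS attributes (an assumption
        about what SR OS consumes; the page does not name them)."""
        if username not in self.token_seeds:
            return "Access-Reject", {}
        if state is None:
            # First leg: accept any password, issue a challenge plus a State to echo back.
            challenge = "%05d" % secrets.randbelow(100000)
            state = secrets.token_bytes(8)
            self.pending[state] = (username, challenge)
            return "Access-Challenge", {
                "Reply-Message": f"Enter response for challenge {challenge}:",
                "State": state,
                "Session-Timeout": self.session_timeout,
                "Idle-Timeout": self.idle_timeout,
            }
        # Second leg: the State must match an outstanding challenge for this user.
        user, challenge = self.pending.pop(state, (None, None))
        if user != username:
            return "Access-Reject", {}
        expected = token_response(self.token_seeds[username], challenge)
        if hmac.compare_digest(expected, response or ""):
            return "Access-Accept", {}
        return "Access-Reject", {}


def effective_prompt_timeout(login_control_idle_minutes: int,
                             radius_timeout: Optional[int]) -> int:
    """Seconds before the node cancels the challenge prompt, per the note above:
    the smaller of the configured login-control idle-timeout and the RADIUS
    attribute, with a configured 0 ("infinite") treated as the 24-hour maximum.
    Reading the CLI value in minutes is an assumption of this example."""
    configured = MAX_IDLE_SECONDS if login_control_idle_minutes == 0 \
        else login_control_idle_minutes * 60
    if radius_timeout is None:
        return configured
    return min(configured, radius_timeout)


def node_login(server: ToyRadiusServer, username: str, password: str,
               answer_challenge: Callable[[str], str],
               max_failed_attempts: int = 3) -> dict:
    """Node side of the exchange. answer_challenge(prompt) plays the user typing
    a response; after each rejection a fresh prompt is shown, until the failed
    attempt limit (a parameter of this example, not an SR OS default) is hit."""
    failed = 0
    code, attrs = server.access_request(username, password)
    while code == "Access-Challenge":
        response = answer_challenge(attrs["Reply-Message"])
        code, _ = server.access_request(username, password,
                                        state=attrs["State"], response=response)
        if code == "Access-Accept":
            break
        failed += 1  # a rejected challenge response counts as a failed login
        if failed >= max_failed_attempts:
            break
        code, attrs = server.access_request(username, password)  # new prompt
    return {"result": code, "failed_attempts": failed}


if __name__ == "__main__":
    seed = b"example-seed"  # constructed: seed shared by the server and the user's token
    server = ToyRadiusServer({"admin": seed})

    def type_response(prompt: str) -> str:
        challenge = prompt.split("challenge ")[1].rstrip(":")
        return token_response(seed, challenge)

    print(node_login(server, "admin", "any password", type_response))
    print(node_login(server, "admin", "any password", lambda p: "wrong", 2))
    print(effective_prompt_timeout(0, None), effective_prompt_timeout(30, 60))
```

Two points the model makes visible: the first Access-Request succeeds with any password, so the State attribute tying the second request to the issued challenge is what prevents an attacker from replaying a response against a different challenge; and with login-control idle-timeout set to 0 a huge Session-Timeout from the server is still capped at 24 hours, so the prompt is never left open indefinitely.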
SR OS displays the login attempts and failures per user in the "show system security user user-name" output. If the RADIUS server rejects a challenge response, it counts as a failed login attempt and a new prompt is displayed. The number of failed attempts is limited by the value set for "configure
7450 ESS System Management Guide
Page 25