Default Radius Configuration; Identifying The Radius Server Host - Cisco ONS 15454 SDH Configuration Manual

Chapter 19 Configuring Security for the ML-Series Card

Default RADIUS Configuration

RADIUS and AAA are disabled by default. To prevent a lapse in security, you cannot configure RADIUS
through a network management application. When enabled, RADIUS can authenticate users accessing
the ML-Series card through the Cisco IOS CLI.

Identifying the RADIUS Server Host

ML-Series-card-to-RADIUS-server communication involves several components:
•
•
•
•
•
•
You identify RADIUS security servers by their hostname or IP address, their hostname and specific UDP
port numbers, or their IP address and specific UDP port numbers. The combination of the IP address and
the UDP port number creates a unique identifier, allowing different ports to be individually defined as
RADIUS hosts providing a specific AAA service. This unique identifier enables RADIUS requests to be
sent to multiple UDP ports on a server at the same IP address.
If two different host entries on the same RADIUS server are configured for the same service—for
example, accounting—the second host entry configured acts as a fail-over backup to the first one. Using
this example, if the first host entry fails to provide accounting services, the ML-Series card tries the
second host entry configured on the same device for accounting services.
To configure RADIUS to use the AAA security commands, you must specify the host running the
RADIUS server daemon and a secret text (key) string that it shares with the ML-Series card. A RADIUS
server, the ONS node, and the ML-Series card use a shared secret text string to encrypt passwords and
exchange responses. The system ensures that the ML-Series cards' shared secret matches the shared
secret in the NE.
If you configure both global and per-server functions (timeout, retransmission, and key commands) on
Note
the switch, the per-server timer, retransmission, and key value commands override global timer,
retransmission, and key value commands. For information on configuring these settings on all RADIUS
servers, see the
Retransmission and timeout period values are configureable on the ML-Series card in stand alone mode.
Note
These values are not configureable on the ML-Series card in relay mode.
You can configure the ML-Series card to use AAA server groups to group existing server hosts for
authentication. For more information, see the
Beginning in privileged EXEC mode, follow these steps to configure per-server RADIUS server
communication. This procedure is required.
Hostname or IP address
Authentication destination port
Accounting destination port
Key string
Timeout period
Retransmission value
"Configuring Settings for All RADIUS Servers" section on page
Cisco ONS 15454 and Cisco ONS 15454 SDH Ethernet Card Software Feature and Configuration Guide, R8.0
"Defining AAA Server Groups" section on page
Configuring RADIUS
19-17.
19-13.
19-9