Radius - Lantronix SCS Reference Manual

Secure console servers

Security

11.4.3 RADIUS

The SCS supports the Remote Authentication for Dial-In User Services (RADIUS) protocol. RADIUS is a
centrally-located client-server security system.

Note: The SCS supports RADIUS as described in RFC 2138 and is intended to support future versions
when they become available.

RADIUS is geared towards large networks that have many communications servers, or many users for
which explicit security measures must be enforced. Its advantages are:

- Authentication information for multiple users, in multiple forms, can be stored in a single RADIUS
  server.
- The RADIUS server can be part of a local or wide-area network.
- RADIUS can be used with Kerberos and CHAP/PAP security.
- Passwords are not transmitted across the network in readable form.

Disadvantages include:

- Keeping authentication information on one server can be dangerous; the server should be backed up
  regularly.
- Those wishing to use RADIUS must use one of the database types that RADIUS supports (currently
  local RADIUS databases, UNIX password files, NIS files, Kerberos databases, and TACACS).
- RADIUS servers are subject to security attacks from users already on the network. More information
  can be found in RFC 2058 and in your RADIUS server's documentation.

RADIUS consists of two parts: authentication and accounting. Authentication is handled by the RADIUS
authentication server, which stores authentication information configured by the network administrator.
Accounting is handled by the RADIUS accounting server, which stores statistical information about
authenticated connections. RADIUS accounting and authentication can be implemented independently of
one another.

11.4.3.1 RADIUS Authentication

The general process of SCS user authentication using a RADIUS server is explained below.

1. A user connects to the SCS. The SCS prompts the user for a username and password, or CHAP/PAP
   authentication information if CHAP or PAP is configured.

2. The SCS creates an Access-Request packet that includes the username/password pair, an
   identification string for the SCS, the port being used for the modem connection, the port type, and
   other information as needed (see Authentication Attributes in Appendix D for more information). The
   SCS then encrypts the password and sends the packet to the RADIUS authentication server.

   Note: CHAP responses sent from the user's PPP software to the SCS are not encrypted beyond what is
   inherent to the operation of CHAP.
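
The following added example (not Lantronix code, and not taken from this manual) shows what step 2 looks like on the wire under RFC 2138: the password is hidden by XOR with an MD5 keystream derived from the shared secret and the 16-byte Request Authenticator, then placed in an Access-Request alongside the user name, NAS identifier, port, and port type. The function names and all sample values are constructed for illustration.

```python
import hashlib
import os
import struct

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2138 User-Password hiding, as performed by the RADIUS client."""
    if not 0 < len(password) <= 128:
        raise ValueError("password must be 1 to 128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)  # null-pad to 16-byte blocks
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()  # first pad chains from the authenticator
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], pad))
        hidden += prev  # each hidden block seeds the next pad
    return hidden

def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse operation, as performed by the RADIUS authentication server."""
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        clear += bytes(c ^ k for c, k in zip(hidden[i:i + 16], pad))
        prev = hidden[i:i + 16]
    return clear.rstrip(b"\x00")

def attr(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as type, length (including the 2-byte header), value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def access_request(user: bytes, password: bytes, secret: bytes, nas_id: bytes,
                   port: int, port_type: int, ident: int = 1,
                   authenticator: bytes = None) -> bytes:
    """Build an Access-Request (code 1) carrying the fields listed in step 2."""
    authenticator = authenticator or os.urandom(16)  # must be unpredictable per request
    attrs = (attr(1, user)                                              # User-Name
             + attr(2, hide_password(password, secret, authenticator))  # User-Password
             + attr(32, nas_id)                                         # NAS-Identifier
             + attr(5, struct.pack("!I", port))                         # NAS-Port
             + attr(61, struct.pack("!I", port_type)))                  # NAS-Port-Type
    header = struct.pack("!BBH", 1, ident, 20 + len(attrs))  # code, id, total length
    return header + authenticator + attrs

if __name__ == "__main__":
    # Constructed sample values; port type 0 is Async in RFC 2138.
    pkt = access_request(b"alice", b"hunter2", b"constructed-secret", b"scs-01", 3, 0)
    print(len(pkt), pkt.hex())
```

Only the User-Password attribute is hidden; the user name and NAS attributes travel in the clear, and the hiding is only as strong as the shared secret and the unpredictability of the Request Authenticator.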