RuggedCom RS400 Welder User Manual

Administration
ROS™ v3.5 42 RS400
1.12 RADIUS
RADIUS (Remote Authentication Dial In User Service) is used to provide centralized
authentication and authorization for network access. ROS assigns a privilege level of Admin,
Operator or Guest to a user who presents a valid username and password. The number of
users who can access the ROS server is ordinarily dependent on the number of user records
which can be configured on the server itself. ROS can also, however, be configured to pass
along the credentials provided by the user to be remotely authenticated by a RADIUS server. In
this way, a single RADIUS server can centrally store user data and provide authentication and
authorization service to multiple ROS servers needing to authenticate connection attempts.
1.12.1 RADIUS overview
RADIUS (described in RFC 2865) is a UDP-based protocol used for carrying authentication,
authorization, and configuration information between a Network Access Server which desires to
authenticate its links and a shared Authentication Server. RADIUS is also widely used in
conjunction with 802.1X for port security using EAP (see Appendix A).
A RADIUS server can act as a proxy client to other RADIUS servers or other kinds of
authentication servers.
Unlike TACACS+, RADIUS carries authentication and authorization functionality in the same
packet frame. TACACS+ separates authentication from authorization into separate packets.
On receiving an authentication and authorization request from a client in an “Access-Request”
packet, the RADIUS server checks the conditions configured for the received username and
password combination in its user database. If all the conditions are met, the list of
configuration values for the user is placed into an “Access-Accept” packet. These values include
the type of service (e.g. SLIP, PPP, Login User) and all the values necessary to deliver the
desired service.
1.12.2 User Login Authentication and Authorization
A RADIUS Server can be used to authenticate and authorize access to the device’s services,
such as HMI via Serial Console, Telnet, SSH, RSH and Web Server (see Password Configuration).
ROS implements a RADIUS Client which uses the Password Authentication Protocol (PAP) to
verify access. Attributes sent to a RADIUS Server are:
  - user name
  - user password
  - service type: Login
  - vendor specific, currently defined as follows:
      - vendor ID: RuggedCom Inc. enterprise number (15004) assigned by the Internet Assigned
        Numbers Authority (IANA)
      - string, a sub-attribute containing the following values:
          - subtype: 1 (vendor’s name subtype)
          - length: 11 (total length of the sub-attribute of subtype 1)
          - ASCII string “RuggedCom”
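As an added illustration of the Access-Request described above (example code written for this page, not code from the manual or from ROS), the following Python encodes the attribute list ROS sends: User-Name, the PAP-hidden User-Password per RFC 2865 section 5.2, Service-Type Login, and the RuggedCom Vendor-Specific attribute with vendor ID 15004 and the 11-byte subtype 1 sub-attribute. The shared secret, username, password and Request Authenticator used in the test are constructed sample values, and the server-side reveal function is included so the hiding can be checked round-trip.

```python
import hashlib
import struct

# Attribute types are from RFC 2865; vendor ID and sub-attribute layout from the manual.
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_SERVICE_TYPE, ATTR_VENDOR_SPECIFIC = 1, 2, 6, 26
SERVICE_TYPE_LOGIN = 1          # RFC 2865 Service-Type value "Login"
RUGGEDCOM_VENDOR_ID = 15004     # IANA enterprise number stated in the manual
VSA_SUBTYPE_VENDOR_NAME = 1     # sub-attribute carrying the string "RuggedCom"

def avp(attr_type, value):
    """One attribute as Type | Length | Value; Length includes the 2-byte header."""
    if len(value) > 253:
        raise ValueError("attribute value too long for one AVP")
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def pap_hide_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to a 16-byte multiple, XOR each chunk with MD5(secret + previous
    ciphertext chunk), seeded by the Request Authenticator. Keyed obfuscation only: its
    strength rests on the shared secret and on the path between client and server."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += prev
    return out

def pap_reveal_password(hidden, secret, authenticator):
    """Server-side inverse of pap_hide_password; trailing NUL padding is stripped."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def ruggedcom_vsa():
    """Vendor-Specific (26): vendor ID 15004, then subtype 1, length 11, ASCII 'RuggedCom'."""
    sub = struct.pack("!BB", VSA_SUBTYPE_VENDOR_NAME, 2 + len(b"RuggedCom")) + b"RuggedCom"
    return avp(ATTR_VENDOR_SPECIFIC, struct.pack("!I", RUGGEDCOM_VENDOR_ID) + sub)

def build_access_request(identifier, username, password, secret, authenticator):
    """Access-Request (code 1): 4-byte header, 16-byte Request Authenticator, attributes."""
    attrs = (avp(ATTR_USER_NAME, username)
             + avp(ATTR_USER_PASSWORD, pap_hide_password(password, secret, authenticator))
             + avp(ATTR_SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_LOGIN))
             + ruggedcom_vsa())
    return struct.pack("!BBH", 1, identifier, 20 + len(attrs)) + authenticator + attrs
```

The Request Authenticator must be 16 random bytes per request; the fixed value in the test exists only to make the assertions reproducible.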
Two RADIUS servers (Primary and Secondary) are configurable per device. If the Primary
Server is not reachable, the device will automatically fall back to the Secondary server to
complete the authorization process.