5-8
Cisco ONS 15600 SDH Reference Manual, Release 9.0
78-18400-01
Chapter 5 Security
5.4 RADIUS Security
Users with Superuser security privileges can configure nodes to use Remote Authentication Dial In User
Service (RADIUS) authentication. Cisco Systems uses a strategy known as authentication,
authorization, and accounting (AAA) for verifying the identity of, granting access to, and tracking the
actions of remote users.
The RADIUS server supports IPv6 addresses and can process authentication requests from a GNE or an ENE
that uses IPv6 addresses.
5.4.1 RADIUS Authentication
RADIUS is a system of distributed security that secures remote access to networks and network services
against unauthorized access. RADIUS comprises three components:
• A protocol with a frame format that utilizes User Datagram Protocol (UDP)/IP
• A server
• A client
The server runs on a central computer typically at the customer's site, while the clients reside in the
dial-up access servers and can be distributed throughout the network.
An ONS 15600 SDH node operates as a client of RADIUS. The client is responsible for passing user
information to designated RADIUS servers, and then acting on the response that is returned. RADIUS
servers are responsible for receiving user connection requests, authenticating the user, and returning all
configuration information necessary for the client to deliver service to the user. The RADIUS servers
can act as proxy clients to other kinds of authentication servers. Transactions between the client and
RADIUS server are authenticated through the use of a shared secret, which is never sent over the
network. In addition, any user passwords are sent encrypted between the client and RADIUS server. This
eliminates the possibility that someone snooping on an unsecured network could determine a user's
password. Refer to the Cisco ONS 15600 SDH Procedure Guide for detailed instructions on
implementing RADIUS authentication.
5.4.2 Shared Secrets
A shared secret is a text string that serves as a password between:
• A RADIUS client and RADIUS server
• A RADIUS client and a RADIUS proxy
• A RADIUS proxy and a RADIUS server
For a configuration that uses a RADIUS client, a RADIUS proxy, and a RADIUS server, the shared
secret that is used between the RADIUS client and the RADIUS proxy can be different from the shared
secret used between the RADIUS proxy and the RADIUS server.
Shared secrets are used to verify that RADIUS messages, with the exception of the Access-Request
message, are sent by a RADIUS-enabled device that is configured with the same shared secret. Shared
secrets also verify that the RADIUS message has not been modified in transit (message integrity). The
shared secret is also used to encrypt some RADIUS attributes, such as User-Password and
Tunnel-Password.
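The two uses of the shared secret described above (authenticating RADIUS responses, and hiding the User-Password attribute) are specified in RFC 2865. The following is an added Python example, not code from the manual or from the ONS 15600 SDH software, that walks one Access-Request/Access-Accept exchange between a client (the role the node plays) and a server: the secret only ever enters MD5 computations on each side and is never placed in a packet, the client accepts a response only if its Response Authenticator was computed with the same secret, and the "encrypted" User-Password is the MD5-chained hiding that RFC 2865 section 5.2 defines. All function names, the secret, the user name and the password are this example's own constructed values.

```python
import hashlib
import hmac
import secrets
import struct

# RADIUS packet codes and attribute types from RFC 2865.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2
HEADER = struct.Struct("!BBH")  # Code, Identifier, Length; a 16-octet Authenticator follows


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Hide a User-Password (RFC 2865 s.5.2): pad to a multiple of 16 octets, then XOR
    each chunk with MD5(secret + previous chunk), seeded by the Request Authenticator."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        chunk = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        hidden, prev = hidden + chunk, chunk
    return hidden


def unhide_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server-side inverse: the chain key for chunk n is the *hidden* chunk n-1."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-zero multiple of 16 octets")
    plain, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        plain += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return plain.rstrip(b"\x00")


def encode_attr(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def decode_attrs(data: bytes) -> dict:
    attrs, pos = {}, 0
    while pos < len(data):
        attr_type, length = struct.unpack("!BB", data[pos:pos + 2])
        if length < 2 or pos + length > len(data):
            raise ValueError("malformed attribute")
        attrs[attr_type] = data[pos + 2:pos + length]
        pos += length
    return attrs


def build_packet(code: int, identifier: int, authenticator: bytes, attrs: bytes) -> bytes:
    return HEADER.pack(code, identifier, 20 + len(attrs)) + authenticator + attrs


def response_authenticator(code, identifier, request_auth, attrs, secret) -> bytes:
    """ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = HEADER.pack(code, identifier, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def client_access_request(username: bytes, password: bytes, secret: bytes, identifier: int = 0x2A):
    """Client side (the node): build an Access-Request with a fresh random Request Authenticator."""
    request_auth = secrets.token_bytes(16)  # must be unpredictable and unique per request
    attrs = encode_attr(ATTR_USER_NAME, username) + \
        encode_attr(ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))
    return build_packet(ACCESS_REQUEST, identifier, request_auth, attrs), request_auth


def server_handle(packet: bytes, secret: bytes, user_db: dict) -> bytes:
    """Server side: recover the password, check it, answer with an authenticated Accept/Reject."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the RADIUS header")
    code, identifier, length = HEADER.unpack(packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    request_auth = packet[4:20]
    attrs = decode_attrs(packet[20:length])
    stored, hidden = user_db.get(attrs.get(ATTR_USER_NAME)), attrs.get(ATTR_USER_PASSWORD)
    ok = stored is not None and hidden is not None and \
        hmac.compare_digest(stored, unhide_password(hidden, secret, request_auth))
    code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    auth = response_authenticator(code, identifier, request_auth, b"", secret)
    return build_packet(code, identifier, auth, b"")


def client_verify_response(response: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Accept a response only if its authenticator matches one computed with our secret
    over the Request Authenticator we sent; a wrong secret or altered bytes fail here."""
    if len(response) < 20:
        return False
    code, identifier, length = HEADER.unpack(response[:4])
    if length != len(response):
        return False
    expected = response_authenticator(code, identifier, request_auth, response[20:length], secret)
    return hmac.compare_digest(expected, response[4:20])


# Constructed demonstration values; nothing here comes from the manual.
SECRET = b"example-shared-secret"
USER_DB = {b"operator": b"correct horse battery staple"}


def demo(password=b"correct horse battery staple", client_secret=SECRET, server_secret=SECRET):
    """Return (response code, client's verdict on the Response Authenticator)."""
    request, request_auth = client_access_request(b"operator", password, client_secret)
    response = server_handle(request, server_secret, USER_DB)
    return response[0], client_verify_response(response, request_auth, client_secret)


if __name__ == "__main__":
    print(demo())                                           # (2, True): Access-Accept, authentic
    print(demo(password=b"wrong"))                          # (3, True): Access-Reject, authentic
    print(demo(client_secret=b"a", server_secret=b"b"))     # (3, False): mismatched secrets
```

The mismatched-secret case shows both properties at once: the server recovers a garbage password and rejects, and the client refuses the reply because the Response Authenticator does not verify. The Access-Request itself carries no authenticator-based integrity check (the exception noted above), which is what the later Message-Authenticator attribute of RFC 2869 and transport protection such as IPsec were introduced to cover.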
When creating and using a shared secret: