RADIUS Client Configuration
Overview
Remote Authentication Dial-In User Service (RADIUS) is a remote authentication protocol used to communicate with an authentication server. A RADIUS server is responsible for receiving user connection requests, authenticating the user, and then returning all configuration information necessary for the client to deliver service to the user.
The OcNOS device, acting as a RADIUS client, sends the user’s credentials to the RADIUS server and requests authentication. The RADIUS server validates the received credentials and authenticates the user. After authentication, it authorizes the user’s privilege level and returns it to OcNOS; the user role is then decided based on the received privilege level.
The key points for RADIUS authentication are:
- Transactions between client and server are authenticated through the use of a shared key and this key is never sent over the network.
- The password is encrypted before it is sent over the network.
- A maximum of eight RADIUS servers can be configured.
Limitation
- If the privilege level is not specified in the RADIUS server’s user configuration file, the default role is considered “network-user.”
- By default, the Privileged Exec mode is given to all users.
In OcNOS version 6.4.1, fallback to local authentication is supported for the cases where the user is not present on the RADIUS server or authentication fails at the RADIUS server.
To implement the above requirements, the existing Authentication, Authorization and Accounting (AAA) CLI is used to enable fallback to the local authentication server. This fallback is disabled by default.
By default, fallback to local authentication is applied only when the RADIUS server is unreachable. For the other scenarios, enable the fallback using the CLI.
When the shared secret key is invalid, there is no fallback to local authentication. Console authentication is not supported for RADIUS.
In OcNOS version 6.4.2, RADIUS Authorization is supported.