Specifications
92 Implementing IBM System Networking 10Gb Ethernet Switches
RADIUS authentication and authorization
The IBM System Networking switch supports the RADIUS (Remote Authentication Dial-In User
Service) method to authenticate and authorize the remote administrators who manage the
switch. The method is based on a client/server model: the Remote Access Server (RAS), here
the switch, is a client of the back-end database server. A remote user (the remote
administrator) interacts only with the RAS, never directly with the back-end server and its
database.
RADIUS authentication consists of the following components:
A protocol with a frame format that uses UDP over IP (based on RFC 2138, found at
http://www.ietf.org/rfc/rfc2138.txt and RFC 2866, found at
http://www.ietf.org/rfc/rfc2866.txt)
A centralized server that stores all the user authorization information
A client; in this case, the switch
The IBM System Networking switch, acting as the RADIUS client, communicates with the
RADIUS server to authenticate and authorize a remote administrator by using the protocol
definitions specified in RFC 2138 and RFC 2866. Transactions between the client and the
RADIUS server are authenticated by using a shared key that is not sent over the network. In
addition, the remote administrator passwords are sent encrypted between the RADIUS client
(the switch) and the back-end RADIUS server.
How RADIUS authentication works
RADIUS authentication uses the following steps:
1. A remote administrator connects to the switch and provides a user name and password.
2. Using the Authentication/Authorization protocol, the switch sends a request to the
authentication server.
3. The authentication server checks the request against the user ID database.
4. Using the RADIUS protocol, the authentication server instructs the switch to grant or deny
administrative access.
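The four steps above, together with the two protections described earlier (a shared secret that never crosses the wire, and an administrator password that is hidden before it is sent), can be followed in code. The block below is an added example, not code from the Redbook or from the switch firmware: it builds an Access-Request the way the switch (RADIUS client) would, lets a minimal server check it against a user database, and has the client verify the Response Authenticator before trusting the answer. The wire format and the User-Password hiding scheme are those of RFC 2865 (the successor to RFC 2138 cited in the text); the secret, the user database and the in-process exchange that replaces the UDP hop are constructed for the example.

```python
import hashlib
import hmac
import os
import struct

# RADIUS codes and attribute types (RFC 2865; the same values as in RFC 2138).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def encrypt_password(password, secret, authenticator):
    """Hide User-Password as RFC 2865 section 5.2 specifies: pad to 16-byte
    blocks, then XOR each block with MD5(secret + previous block), where the
    first "previous block" is the 16-byte Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16  # at least one block
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return bytes(out)


def decrypt_password(cipher, secret, authenticator):
    """Inverse of encrypt_password: the server recovers the plaintext with the
    same shared secret, so the secret itself never has to be transmitted."""
    out, prev = bytearray(), authenticator
    for i in range(0, len(cipher), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = cipher[i:i + 16]
        out += bytes(c ^ k for c, k in zip(prev, key))
    return bytes(out).rstrip(b"\x00")


def _attr(atype, value):
    # One TLV attribute: type (1 byte), total length (1 byte), value.
    return struct.pack("!BB", atype, len(value) + 2) + value


def parse_attributes(packet):
    """Return {type: value} for the TLV attributes after the 20-byte header."""
    attrs, pos = {}, 20
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute")
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return attrs


def build_access_request(identifier, username, password, secret, authenticator=None):
    """Steps 1-2, client side: pack the credentials into an Access-Request.
    The Request Authenticator must be fresh and unpredictable per request."""
    authenticator = authenticator or os.urandom(16)
    attrs = _attr(ATTR_USER_NAME, username.encode()) + _attr(
        ATTR_USER_PASSWORD, encrypt_password(password.encode(), secret, authenticator))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def build_response(code, identifier, request_authenticator, secret, attrs=b""):
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(packet, request_authenticator, secret):
    """Step 4, client side: only a server holding the shared secret can produce
    a matching Response Authenticator; compare in constant time."""
    header, resp_auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return hmac.compare_digest(resp_auth, expected)


def handle_access_request(packet, secret, user_db):
    """Step 3, server side: check the request against the user database (a
    constructed dict of name -> password bytes) and answer Accept or Reject."""
    code, identifier, request_auth = packet[0], packet[1], packet[4:20]
    attrs = parse_attributes(packet)
    granted = False
    if code == ACCESS_REQUEST and ATTR_USER_NAME in attrs and ATTR_USER_PASSWORD in attrs:
        user = attrs[ATTR_USER_NAME].decode(errors="replace")
        password = decrypt_password(attrs[ATTR_USER_PASSWORD], secret, request_auth)
        granted = user in user_db and hmac.compare_digest(user_db[user], password)
    return build_response(ACCESS_ACCEPT if granted else ACCESS_REJECT, identifier, request_auth, secret)


def authenticate(username, password, secret, user_db, identifier=1):
    """Run the whole exchange in-process (constructed stand-in for the UDP hop).
    Access is granted only for a verified Access-Accept with a matching ID."""
    request = build_access_request(identifier, username, password, secret)
    response = handle_access_request(request, secret, user_db)
    if response[1] != identifier or not verify_response(response, request[4:20], secret):
        return False  # forged, replayed or mismatched reply: fail closed
    return response[0] == ACCESS_ACCEPT


if __name__ == "__main__":
    SECRET = b"example-shared-secret"      # constructed for the example
    USERS = {"admin": b"correct horse"}    # constructed user database
    print(authenticate("admin", "correct horse", SECRET, USERS))  # True
    print(authenticate("admin", "wrong", SECRET, USERS))          # False
```

Note what the example makes visible: the shared secret only ever enters MD5 inputs on each side, and the client rejects any reply whose Response Authenticator does not verify, so a spoofed or tampered Access-Accept is treated as a denial. The User-Password scheme is obfuscation keyed by the secret and the Request Authenticator rather than modern authenticated encryption, which is why the RADIUS server should be reachable only over a trusted management network.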
RADIUS authentication features in IBM System Networking switches
IBM System Networking switches support the following RADIUS authentication features:
Supports a RADIUS client on the switch, based on the protocol defined in RFC 2138 and
RFC 2866.
Allows a RADIUS secret password that is up to 32 bytes and less than 16 octets.
Supports a secondary authentication server so that when the primary authentication
server is unreachable, the switch can send client authentication requests to the secondary
authentication server.
Supports user-configurable RADIUS server retry and timeout values:
– Timeout value: 1 - 10 seconds
– Retries: 1 - 3
The switch gives up on a RADIUS server if it receives no response after the configured
1 - 3 attempts; it retries automatically before it declares the server down.
Supports a user-configurable RADIUS application port.
The default is UDP port 1812, as described in RFC 2138, found at
http://www.ietf.org/rfc/rfc2138.txt. Port 1645 is also supported.
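The timeout, retry and secondary-server features above determine how the switch behaves when a RADIUS server is silent. The block below is an added example, not the switch's own implementation: it models a client that tries the primary server for the configured number of attempts, declares it down, fails over to the secondary, and fails closed when neither answers, while enforcing the 1 - 10 second and 1 - 3 retry ranges the text gives. The server addresses (TEST-NET) and the scripted transport that stands in for UDP are constructed; the optional UDP transport uses only the standard socket API and expects a prebuilt RADIUS packet.

```python
import socket
from dataclasses import dataclass

# Ranges the text gives for the user-configurable values.
TIMEOUT_RANGE = (1, 10)   # seconds
RETRY_RANGE = (1, 3)


@dataclass
class RadiusServer:
    host: str
    port: int = 1812       # RFC default; 1645 is the legacy alternative mentioned in the text


def validate_config(timeout, retries):
    """Return a list of problems (empty when the values are within range)."""
    problems = []
    if not TIMEOUT_RANGE[0] <= timeout <= TIMEOUT_RANGE[1]:
        problems.append(f"timeout must be {TIMEOUT_RANGE[0]}-{TIMEOUT_RANGE[1]} s")
    if not RETRY_RANGE[0] <= retries <= RETRY_RANGE[1]:
        problems.append(f"retries must be {RETRY_RANGE[0]}-{RETRY_RANGE[1]}")
    return problems


def query_with_failover(servers, send, timeout, retries, log=None):
    """Try servers in order (primary first), `retries` attempts each, and move
    to the next only after every attempt has timed out. `send(server, timeout)`
    returns a response or raises TimeoutError. Returns (server, response), or
    None when every server is down, so the caller denies access (fail closed)."""
    problems = validate_config(timeout, retries)
    if problems:
        raise ValueError("; ".join(problems))
    log = log if log is not None else []
    for server in servers:
        for attempt in range(1, retries + 1):
            try:
                response = send(server, timeout)
                log.append(f"{server.host}: reply on attempt {attempt}")
                return server, response
            except TimeoutError:
                log.append(f"{server.host}: attempt {attempt} timed out after {timeout}s")
        log.append(f"{server.host}: declared down")
    return None


def worst_case_wait(servers, timeout, retries):
    """Seconds an administrator can wait for a denial when every server is
    silent: the reason to keep timeout*retries modest and to keep a local
    fallback login for RADIUS outages."""
    return len(servers) * timeout * retries


def make_scripted_transport(outcomes):
    """Constructed stand-in for UDP: outcomes[host] lists per-attempt results,
    each a response value or the TimeoutError class; missing entries time out."""
    calls = {}

    def send(server, timeout):
        idx = calls.get(server.host, 0)
        calls[server.host] = idx + 1
        script = outcomes.get(server.host, [])
        if idx >= len(script) or script[idx] is TimeoutError:
            raise TimeoutError(f"no reply from {server.host} within {timeout}s")
        return script[idx]
    return send


def make_udp_transport(packet):
    """Real transport: one datagram per attempt, wait `timeout` seconds for a
    reply on the configured RADIUS port (not exercised offline)."""
    def send(server, timeout):
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            sock.settimeout(timeout)
            sock.sendto(packet, (server.host, server.port))
            try:
                data, _ = sock.recvfrom(4096)
            except socket.timeout:
                raise TimeoutError(f"no reply from {server.host}") from None
            return data
    return send


if __name__ == "__main__":
    primary = RadiusServer("192.0.2.1")                 # constructed addresses
    secondary = RadiusServer("192.0.2.2", port=1645)
    send = make_scripted_transport({"192.0.2.1": [TimeoutError] * 3, "192.0.2.2": ["accept"]})
    events = []
    print(query_with_failover([primary, secondary], send, 2, 3, events))
    print("\n".join(events))
    print("worst case wait:", worst_case_wait([primary, secondary], 10, 3), "s")
```

The log the function fills is the sort of evidence worth exporting to syslog: repeated "declared down" entries for the primary are an early sign of a server or path problem, and a burst of total failures means administrators are being locked out rather than silently admitted.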