Cisco AS5800 Operations, Administration, Maintenance, and Provisioning Guide
DOC-7810814=
Chapter 4 Administration
Access Service Security
Use RADIUS in the following network environments that require access security:
- Networks with multiple-vendor access servers, each supporting RADIUS. For example, access servers from several vendors use a single RADIUS server-based security database. In an IP-based network with multiple-vendor access servers, dial-in users are authenticated through a RADIUS server that has been customized to work with the Kerberos security system.
- Turnkey network security environments in which applications support the RADIUS protocol, such as an access environment that uses a smart card access control system. In one case, RADIUS has been used with Enigma security cards to validate users and grant access to network resources.
- Networks already using RADIUS. You can add a Cisco router with RADIUS to the network. This might be the first step when you make a transition to a Terminal Access Controller Access Control System (TACACS+) server.
- Networks in which a user must only access a single service. Using RADIUS, you can control user access to a single host, to a single utility such as Telnet, or to a single protocol such as Point-to-Point Protocol (PPP). For example, when a user logs in, RADIUS identifies this user as having authorization to run PPP using IP address 10.2.3.4, and the defined access list is started.
- Networks that require resource accounting. You can use RADIUS accounting independent of RADIUS authentication or authorization. The RADIUS accounting functions allow data to be sent at the start and end of services, indicating the amount of resources (such as time, packets, and bytes) used during the session. An Internet service provider (ISP) might use a freeware-based version of RADIUS access control and accounting software to meet special security and billing needs.
RADIUS is not suitable in the following network security situations:
- Multiprotocol access environments. RADIUS does not support the following protocols:
  - AppleTalk Remote Access Protocol (ARAP)
  - NetBIOS Frame Protocol Control Protocol (NBFCP)
  - NetWare Asynchronous Services Interface (NASI)
  - X.25 PAD connections
- Router-to-router situations. RADIUS does not provide two-way authentication. RADIUS can be used to authenticate from one Cisco router to a third-party router if the other company's router requires RADIUS authentication.
- Networks using a variety of services. RADIUS generally binds a user to one service model.
RADIUS Operation
When attempting to log in and authenticate to the Cisco AS5800 using RADIUS, the following steps occur:
1. The user enters a username and password at the corresponding prompts.
2. The username and encrypted password are sent over the network to the RADIUS server.
3. The user receives one of the following responses from the RADIUS server:
   - ACCEPT - The user is authenticated.
   - REJECT - The user is not authenticated and is prompted to reenter the username and password, or access is denied.
   - CHALLENGE - A challenge is issued by the RADIUS server. The challenge collects additional data from the user.
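The exchange in steps 2 and 3, as an added example that is not part of the Cisco guide: it encodes the Access-Request with the RFC 2865 User-Password hiding (the "encrypted password" of step 2) and maps the reply code to ACCEPT, REJECT or CHALLENGE only after verifying the Response Authenticator, which is what keeps an access server from honouring a spoofed ACCEPT. The username, password, shared secret and Request Authenticator used in testing are the sample values from RFC 2865 section 7.1, not values from this page.

```python
import hashlib
import os
import struct

# RADIUS packet codes and attribute types from RFC 2865; the three reply
# codes correspond to the ACCEPT / REJECT / CHALLENGE outcomes in step 3.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2
OUTCOMES = {ACCESS_ACCEPT: "ACCEPT", ACCESS_REJECT: "REJECT", ACCESS_CHALLENGE: "CHALLENGE"}


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2 User-Password hiding: pad to 16-byte blocks and XOR each block
    with MD5(secret + previous ciphertext block), seeded with the Request Authenticator.
    This is reversible by anyone holding the shared secret, so the secret and the
    NAS-to-server path both need protecting; it is obfuscation, not strong encryption."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += prev
    return out


def build_access_request(username: str, password: str, secret: bytes,
                         identifier: int = 0, authenticator: bytes = b"") -> bytes:
    """Step 2: encode the Access-Request carrying User-Name and the hidden User-Password."""
    authenticator = authenticator or os.urandom(16)  # must be fresh and unpredictable per request
    attrs = b""
    for attr_type, value in ((ATTR_USER_NAME, username.encode()),
                             (ATTR_USER_PASSWORD, hide_password(password.encode(), secret, authenticator))):
        attrs += struct.pack("!BB", attr_type, len(value) + 2) + value
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs


def response_authenticator(code: int, identifier: int, attrs: bytes,
                           request_auth: bytes, secret: bytes) -> bytes:
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def check_response(packet: bytes, request_auth: bytes, secret: bytes) -> str:
    """Step 3 on the access server side: verify the Response Authenticator before acting
    on the reply code, so a forged or wrong-secret reply is discarded rather than honoured."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    expected = response_authenticator(code, identifier, packet[20:], request_auth, secret)
    if length != len(packet) or packet[4:20] != expected:
        return "INVALID"
    return OUTCOMES.get(code, "UNKNOWN")
```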