Specifications

MDS 05-6628A01, Rev. A MDS Orbit MCR-4G Technical Manual 67
RADIUS
Understanding
User accounts can be centrally managed with a RADIUS server. RADIUS accounts can be mapped to
one of the three user roles.
If the RADIUS server is not accessible, users may “fall back” to local authentication with the local
username/password, if the unit is configured to do so. Many RADIUS servers do not respond to a failed
login attempt. To the unit, this looks the same as the server not being there. As a consequence, after
three failed login attempts, authentication takes place against the local user/password database if
local fallback is enabled. Refer to the section on “Local User Management” for configuring the
authentication order.
If more than one RADIUS server is configured, the unit tries each server in the order in which they
appear in the configuration until a successful response is received. A RADIUS server must be
configured to provide the user’s authentication group in its authentication reply via a GE MDS
vendor attribute. In FreeRADIUS (an open source RADIUS server), this can be configured with the
following dictionary file:
VENDOR GEMDS 4130
BEGIN-VENDOR GEMDS
ATTRIBUTE GEMDS-UserAuth-Group 1 integer
VALUE GEMDS-UserAuth-Group Operator 0
VALUE GEMDS-UserAuth-Group Technician 1
VALUE GEMDS-UserAuth-Group Administrator 2
END-VENDOR GEMDS
Users are then configured as follows:
admin Cleartext-Password := "admin"
    GEMDS-UserAuth-Group := Administrator
tech Cleartext-Password := "tech"
    GEMDS-UserAuth-Group := Technician
oper Cleartext-Password := "oper"
    GEMDS-UserAuth-Group := Operator
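The following is an added example, not part of the manual: it shows how the GEMDS-UserAuth-Group reply attribute defined by the dictionary above is laid out on the wire as an RFC 2865 Vendor-Specific attribute, which helps when checking the attributes of an Access-Accept in a packet capture. The function names are hypothetical, and rejecting values outside the dictionary is this example's choice, not documented behavior of the unit.

```python
import struct

# Numbers below come from the dictionary on this page; function names are
# hypothetical and belong to this added example only.
GEMDS_VENDOR_ID = 4130
GEMDS_USERAUTH_GROUP = 1
ROLES = {0: "Operator", 1: "Technician", 2: "Administrator"}
VENDOR_SPECIFIC = 26  # RFC 2865 Vendor-Specific attribute type


def encode_group(role_value):
    """Build the Vendor-Specific attribute carrying GEMDS-UserAuth-Group."""
    sub = struct.pack("!BBI", GEMDS_USERAUTH_GROUP, 6, role_value)
    body = struct.pack("!I", GEMDS_VENDOR_ID) + sub
    return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(body)) + body


def parse_group(attrs):
    """Return the role name found in a RADIUS attribute list, or None.

    Raises ValueError on malformed lengths or a value outside the dictionary
    (rejecting such values is this example's choice).
    """
    i = 0
    while i < len(attrs):
        if i + 2 > len(attrs):
            raise ValueError("truncated attribute header")
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            raise ValueError("bad attribute length")
        value, i = attrs[i + 2:i + alen], i + alen
        if atype != VENDOR_SPECIFIC or len(value) < 4:
            continue
        if struct.unpack("!I", value[:4])[0] != GEMDS_VENDOR_ID:
            continue
        j = 4  # skip Vendor-Id, then walk the vendor sub-attributes
        while j < len(value):
            if j + 2 > len(value) or value[j + 1] < 2 or j + value[j + 1] > len(value):
                raise ValueError("bad vendor sub-attribute length")
            vtype, vlen = value[j], value[j + 1]
            if vtype == GEMDS_USERAUTH_GROUP:
                if vlen != 6:
                    raise ValueError("GEMDS-UserAuth-Group must be a 4-byte integer")
                number = struct.unpack("!I", value[j + 2:j + 6])[0]
                if number not in ROLES:
                    raise ValueError("group value not in dictionary: %d" % number)
                return ROLES[number]
            j += vlen
    return None
```

For the Administrator group, encode_group(2) yields the 12 bytes 1a 0c 00 00 10 22 01 06 00 00 00 02: type 26, length 12, Vendor-Id 4130, then vendor type 1, length 6, value 2.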
Configuring
The following shows how to configure a RADIUS server:
admin@(none) 02:23:42% set system mds-radius servers server1 address 192.168.1.2 shared-secret abcd1234 user-authentication-type radius-CHAP
admin@(none) 00:06:15% show system mds-radius
servers server1 {
    address 192.168.1.2;
    shared-secret abcd1234;
    user-authentication-type radius-CHAP;
}
[ok][2012-06-19 00:06:22]
[edit]
admin@(none) 00:06:22% commit