user manual
Security 10-7
Note: In the latter two modes that involve both RADIUS and the local database, if the local database includes
no username/password pairs, authentication will succeed only if the RADIUS server authenticates the user.
This differs from the Local Only mode where no authentication is per formed when the local database is empty.
If the primary RADIUS server responds with an access rejection or an access challenge, the alternate RADIUS
server is not contacted. Only if the primary RADIUS server fails to respond at all is the alternate RADIUS server
contacted.
Therefore, do not attempt to select any of the RADIUS options unless you have a RADIUS server correctly
configured for this purpose. If you attempt to use RADIUS authentication without a RADIUS server, you will lose
your configuration access to the router.
The Advanced Security Options screen supports both a primar y RADIUS server and an alternate RADIUS
server. When the router is configured to authenticate using RADIUS, it will first attempt to contact the
primary RADIUS server; if the primary RADIUS server responds, RADIUS authentication succeeds or fails
based on the response returned by the primary ser ver. If and only if the primary server fails to respond, the
router will attempt to contact the alternate RADIUS server to authenticate the user. The router makes two
attempts per server, three seconds apart.
• You can specify the Remote Server Addr/Name and the Alt Remote Server Addr/Name either by using a
hostname to be resolved using the Domain Name System (DNS) information configured in the router or by
using an IP address in dotted-quad notation. The RADIUS Server Addr/Name items are limited to 63
characters.
• In addition to specifying the server’s hostname or IP address, you must also specify a Remote Server
Secret and an Alt Remote Server Secret (if configured) known to both the router and the RADIUS server.
The secret is used to encrypt RADIUS transactions in transit. The RADIUS Ser ver Secret items are limited
to 31 characters.
The router’s RADIUS client implementation supports passwords longer than 16 characters and properly
encrypts such passwords per RFC 2138. Not all RADIUS server implementations handle passwords longer
than 16 characters.
• RADIUS Identifier can be either an IP address or an arbitrary string to be used as the identifier in the
router’s outgoing Access-Request packets. The RADIUS identifier is limited to 63 characters.
• RADIUS Server Authentication Port specifies the UDP destination port to which the router’s RADIUS
authentication requests will be sent. The default value is 1812, the official IANA-assigned UDP port
number for the RADIUS authentication service.
TACACS+ server authentication
Motorola Netopia® Embedded Software Version 8.7.4 supports TACACS+ server authentication. Its application
to a Motorola Netopia
®
Router is to control access to the Router’s management interface, and to audit
commands submitted by a user.
TACACS (Terminal Access Controller Access Control System) protocol provides access control for Motorola
Netopia
®
Routers via a centralized server. TACACS+ provides separate authentication, authorization and
accounting services.
TACACS allows a client to accept a username and password and quer y a TACACS authentication server.