Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: grammar, editing

...

borderColorgreen
bgColortransparent
borderWidth2

...

Overview

The

Spacevars
0series4
is configurable using CLI and EMA interfaces, and the access to these interfaces are authenticated using the user credentials. User credentials can be verified using local or external authentication. For local authentication, the user credentials are validated against a locally stored user database

...

. For external authentication, the user credentials are sent to

...

Spacevars
0series4

...

Spacevars
0product

...

a remote Remote Authentication Dial In User Service (RADIUS)

...

server and authenticated. The username and encrypted password are sent to the remote RADIUS server in an ACCESS_REQUEST packet. The user is allowed/denied access to the 

Spacevars
0product
based on the response from the RADIUS server. 

Spacevars
0product
users are currently segregated into the following groups which define the privileges of each user. Access to data/commands is allowed/prevented based on the group of the user who is trying to acquire the access.

  • Administrator
  • Operator
  • FieldService
  • Guest
  • SecurityAuditor
  • Calea

Since the RADIUS protocol does not provide a means to assign users to a group, the implementation currently hard codes every RADIUS authenticated user to the Administrator group.

The

Spacevars
0series4
supports the following RADIUS authentication improvements:

...

Spacevars
0product

...

To configure RADIUS authentication for

Spacevars
0series4
, you must first enable external authentication and then configure the remote RADIUS server.

Anchor
privileges
privileges
Obtain Correct Privileges via RADIUS Transaction

When a user is authenticated via RADIUS, the user is assigned to a group provided by the RADIUS server as part of the ACCESS_ACCEPT packet.

Note
iconfalse
titleNote

If EMS is used for RADIUS authentication, the group information is passed in a VSA message as plain text after the vendor ID. The string start with "Sonus-Groups". No Vendor-specific formatting is used by EMS.

For

...

Spacevars
0product
 RADIUS authentication, RADIUS server is configured to return the group name using a VSA in ACCESS_ACCEPT packet. The VSA should be in the following format.

Code Block
languagenone
0               1               2               3       
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|     Type      |  Length       |            Vendor-Id
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     Vendor-Id (cont)           | Vendor type   | Vendor length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|    Attribute-Specific...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-

The Vendor-Id is

...

an SMI Network Management Private Enterprise Code of the vendor

...

Ribbon as specified in RFC 2865.

  • Vendor ID for

...

  • Ribbon is "2879".
  • Vendor type can be "1" considering this is the first instance of using VSAs. Type "1" can be the identifier for a group name from server.
  • Vendor length is the length of the group name itself. This is followed by a string consisting of a case-sensitive group name.

If the RADIUS server does not provide a group or provides a group name which is not present in the

...

Spacevars
0product
 in the ACCESS_ACCEPT response, the user is denied access, and a log is written to the SECURITY event log stipulating that

...

the

Spacevars
0product
 received an invalid group name from the RADIUS server.

Anchor
multiple servers
multiple servers
Configure Multiple RADIUS Servers

The

...

Spacevars
0product
 supports configuring up to three RADIUS servers per

...

Spacevars
0product
 with the addition of radiusServer and retryCriteria parameters to radiusAuthentication configuration object.

When more than one RADIUS server is configured and RADIUS authentication is attempted, the server configured with the least priority value is tried first. If fallback is configured, the inverse priority order is followed to pick the next server for authentication. SBC allows a configurable number of retries and time-outs before retry.

Once the

...

Spacevars
0product
 sends an ACCESS_REQUEST, it waits until a configured amount of time (retryTimer) before resending the ACCESS_REQUEST. After a configurable number of failed attempts (retryCount), the RADIUS server is marked as unavailable, or out of service (OOS) for a configured amount of time (oosDuration), and the

...

Spacevars
0product
 moves to the next configured RADIUS server based on the configured priority. Once all RADIUS servers are attempted and deemed unreachable (or no responses are received), the

...

Spacevars
0product
 falls back to Local Authentication (if Local Authentication is enabled).

Note
iconfalse
titleNote

An administrator can manually return an OOS RADIUS server back into service by setting the radiusServer state flag first to disabled, and then back to enabled setting.

SBC includes statistics to check the status of a RADIUS server, as well as the time when an unavailable server automatically becomes available again. See "radiusAuthentication" statistic details at

...

Show Table OAM or Show Status OAM pages.

Note
iconfalse
titleNote
  • IPv6 configuration for RADIUS server is not supported at this time.
  • Access-Challenge support is not included

...

  • .
  • SBC only supports Password Authentication Protocol (PAP) authentication via RADIUS at this time.
  • RADIUS authentication not supported for REST interface.

...

Enable Remote Authentication

To enable remote authentication:

...

  1. Log into the SBC CLI.

  2. Change to

...

  1. Configuration mode:

    Code Block
    languagenone
    > configure private

    Span

     

  2. Execute the following command:

    Code Block
    languagenone
    % set system admin <system name> localAuthenticationEnabled false externalAuthenticationEnabled true
Info
titleInfo
For CLI configuration details,

...

refer to Admin - CLI. To enable the external authentication using EMA,

...

...

Configure a RADIUS Server

To configure

...

a remote RADIUS Server:

  1. Log

...

  1. into the 

    Spacevars
    0product
     CLI.
     

  2. Change to

...

  1. Configuration mode:

    Code Block
    languagenone
    > configure private

    Span
     

  2. Execute the following command:

    Code Block
    languagenone
    % set oam radiusAuthentication 
    	radiusServer <server name>
    		mgmtInterfaceGroup <string>
    		priority <#>
    		radiusNasIp <x.x.x.x>
    		radiusServerIp <x.x.x.x>
    		radiusServerPort <#>
    		radiusSharedSecret <8-128>
    		state <disabled | enabled>
    	retryCriteria
    		oosDuration <# minutes>
    		retryCount <#>
    		retryTimer <# milliseconds>
Info
titleInfo
For CLI configuration details,

...

refer to Radius Authentication - CLI. To configure a RADIUS server using EMA,

...

refer to Users and Application Management - Radius Authentication and OAM - Radius Authentication.

Include Page
Radius_auth_users
Radius_auth_users

Rules to Configure a RADIUS Shared Secret Key

The supports all alphabetical, numeric, and special characters for setting the radiusSharedSecret key.

The following characters in the key must be escaped while setting a radiusSharedSecret for configuring a RADIUS server:

  • # (hash) anywhere in the key
  • \ (backslash) anywhere in the key
  • “ (double quotes) at the beginning or end of the key

For example,

  • Un-escaped key: ThisIsARadiusKeyWithDoubleQuote”andBackSlash\Hash#andAdoubleQuoteAtTheEnd”
  • Escaped string: ThisIsARadiusKeyWithDoubleQuote”andBackSlash\\Hash\#andAdoubleQuoteAtTheEnd\”

Pagebreak