802.1 / RADIUS
User Authentication

- The NE first attempts to authenticate the craft user in the local NE database.
- If the user cannot be authenticated and a RADIUS server is configured, the NE attempts to authenticate the user in the RADIUS server database.
- If the user cannot be authenticated, a rejection message is issued and the user is denied access.
Tellabs 1100 Series Optical LAN NEs communicate directly with the RADIUS server for craft user authentication. Local user accounts on the NE are administered either by the Panorama PON through the NE User Administration function or by a Security Admin level user accessing the NE through the craft user interface. For details on user administration, see "NE User Administration" in the Tellabs 1100 Series Optical LAN Managing the PON User’s Guide.
Remote Authentication Dial-In User Service (RADIUS)
Remote Authentication Dial-In User Service (RADIUS) is a client/server protocol and software that enables remote access servers to communicate with a central server to authenticate remote users and authorize their access to the requested system or service. RADIUS allows a company to maintain user profiles in a central database that all remote servers can share. This improves security, because the company can set up a policy that is applied at a single administered network point. A central service also makes it easier to track usage for billing and to keep network statistics. RADIUS is configured through the Panorama PON EMS (see "Provisioning RADIUS Security" in Managing the Tellabs 1100 Series Optical LAN Users Guide).
Communication between a network access server (NAS) and a RADIUS server is based on the User Datagram Protocol (UDP). Generally, the RADIUS protocol is considered a connectionless service. Issues related to server availability, retransmission, and timeouts are handled by the RADIUS-enabled devices rather than the transmission protocol.
The RADIUS client is typically a NAS and the RADIUS server is usually a process running on UNIX, Linux, or Windows platforms. The client passes user information to designated RADIUS servers and acts on the response that is returned. RADIUS servers receive user connection requests, authenticate the user, and then return the configuration information necessary for the client to deliver service to the user. A RADIUS server can act as a proxy client to other RADIUS servers or other kinds of authentication servers.
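The client/server exchange described above, as an added example that is not from the original page and is not Tellabs code: a NAS-side Access-Request with the User-Password attribute hidden as RFC 2865 specifies, and the check a client applies to a UDP reply before acting on it. The shared secret, user name, password and function names are constructed for illustration.

```python
import hashlib, hmac, os, struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3   # RFC 2865 packet codes
USER_NAME, USER_PASSWORD = 1, 2                          # RFC 2865 attribute types

def attr(type_, value):
    """Encode one attribute as type, length (including the 2-byte header), value."""
    return struct.pack("!BB", type_, len(value) + 2) + value

def hide_password(password, secret, req_auth):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    size = max(1, -(-len(password) // 16)) * 16
    padded, out, prev = password.ljust(size, b"\x00"), b"", req_auth
    for i in range(0, size, 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out

def build_access_request(ident, user, password, secret):
    """Client (NAS) side: returns the datagram and the Request Authenticator to remember."""
    req_auth = os.urandom(16)  # must be unpredictable and unique per request
    attrs = attr(USER_NAME, user) + attr(USER_PASSWORD, hide_password(password, secret, req_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs, req_auth

def build_response(code, ident, req_auth, secret, attrs=b""):
    """Server side: Response Authenticator = MD5(code, id, length, RequestAuth, attrs, secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + req_auth + attrs + secret).digest() + attrs

def check_response(packet, ident, req_auth, secret):
    """Client side: return the packet code, or None if the reply must be silently discarded."""
    if len(packet) < 20:
        return None
    code, rid, length = struct.unpack("!BBH", packet[:4])
    if rid != ident or not 20 <= length <= len(packet):
        return None                      # stray, truncated, or mismatched datagram
    packet = packet[:length]             # octets past Length are padding and ignored
    expected = hashlib.md5(packet[:4] + req_auth + packet[20:] + secret).digest()
    return code if hmac.compare_digest(expected, packet[4:20]) else None

if __name__ == "__main__":
    secret = b"constructed-shared-secret"        # constructed sample values
    request, ra = build_access_request(7, b"craftuser", b"example-pass", secret)
    accept = build_response(ACCESS_ACCEPT, 7, ra, secret)
    other = build_response(ACCESS_ACCEPT, 7, ra, b"wrong-secret")
    print(check_response(accept, 7, ra, secret), check_response(other, 7, ra, secret))
```

Because UDP gives no connection to tie a reply to, the Identifier and the Response Authenticator are what pair a reply with its request; a retransmission of the same request reuses both the Identifier and the Request Authenticator.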