
Security (RADIUS)

Provisioning RADIUS Security

Information

Note 1: This section discusses both the provisioning of RADIUS servers and the Trusted Hosts feature. The two are independent: provisioning RADIUS does not require enabling Trusted Hosts, and enabling Trusted Hosts does not require provisioning RADIUS.

Note 2: In addition to configuring RADIUS in the Panorama PON EMS, the RADIUS server must be properly provisioned to take advantage of the services provided by RADIUS (refer to the Tellabs 1100 Series Optical LAN Craft Interface User Interface Guide for additional details on RADIUS).


Remote Authentication Dial In User Service (RADIUS) security provisioning is available on a per Optical Line Terminal (OLT) basis.

To provision RADIUS security:

  1. Log on to the EMS and, in the Network common tree, right-click the target OLT and select Properties from the drop-down list.

  2. Select the Security tab.

  3. On the Security tab, click the Authentication Protocol Type drop-down and choose the security protocol type to be implemented (refer to the following table for the RADIUS Server attributes).

     Attribute: Description

     RADIUS Server for Craft Authentication

     Authentication Protocol Type: Select from None (default), PAP, CHAP, and MSCHAPV2.

     RADIUS Server Hostname/IP Address: Internet Protocol (IP) address of the RADIUS Server(s). IP addresses for up to four RADIUS Servers are supported.

     Shared Key: Enter the shared security keyword.

     Confirm Key: Re-enter the shared security keyword.

     Trusted Host

     Enable Trusted Host: Check the box to enable trusted hosts.

     Host Table

     ID: Non-user-editable field. Lists the identifier for each selected trusted host IP address.

     IP Address: Address(es) of the trusted host servers to be recognized by this OLT. Up to 30 trusted host IP addresses can be listed.

     ICMP

     Enable ICMP Destination Unreachable: Select ICMP Destination Unreachable to send a message in response to a packet that cannot be delivered to its destination for reasons other than network congestion. Configured as packets per second. Default is Enabled.

     Enable ICMP Group Echo Reply (ping): Select ICMP Group Echo Reply to respond to an ICMP Ping. Enable ICMP Echo Reply controls whether the OLT responds to ping messages. Default is Enabled.

     ICMP Rate Limit

     No Rate Limit: Check the box to apply no rate limit.

     Rate Limit (pkts/secs): Check the box to enable the rate limit. Enter the number of packets per second.

     Access

     Enable Telnet: Defines whether Telnet access to the OLT is allowed. If Enable Telnet is set to Yes (checked), the Telnet port on the OLT is open and can accept connections. If the Enable Telnet flag is set to No (not checked), no Telnet is allowed and the only supported remote access is SSH.

  4. In the Authentication Protocol Type, click the drop-down and select the desired Protocol Type. The protocol types are listed from least to most secure: None (default), PAP, CHAP, and MSCHAPV2.

     • PAP – Password Authentication Protocol (PAP) is used by the Point-to-Point Protocol (PPP) to validate users before allowing them access to server resources.

       PAP transmits unencrypted ASCII passwords over the network and is therefore considered insecure. It is used as a last resort when the remote server does not support a stronger authentication protocol, such as CHAP or MSCHAPV2.

     • CHAP – Challenge-Handshake Authentication Protocol (CHAP) authenticates a user or network host to an authenticating entity. That entity may be, for example, an Internet service provider.

       CHAP provides protection against replay (playback) attacks by the peer through the use of an incrementally changing identifier and a variable challenge value. CHAP requires that both the client and server know the plain text of the secret, although it is never sent over the network. The MS-CHAP variant does not require either peer to know the plain text, but has been broken.

     • MSCHAPV2 – Microsoft Challenge-Handshake Authentication Protocol (MS-CHAPV2) is the Microsoft version of the Challenge-Handshake Authentication Protocol, CHAP.

       MS-CHAPV2 is used as one authentication option in Microsoft's implementation of the PPTP protocol for virtual private networks. It is also used as an authentication option with RADIUS servers that provide WiFi security under the WPA-Enterprise protocol. It is further used as the main authentication option of the Protected Extensible Authentication Protocol (PEAP).
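The following is an added illustration, not Tellabs code and not part of the original guide, of the ordering the procedure gives for PAP and CHAP. It models a PAP Authenticate-Request (the password itself crosses the wire, so the same message verifies again in a later session) beside a CHAP round (RFC 1994: the client returns MD5 over Identifier, secret and Challenge, so a response from an earlier round fails against the fresh challenge the server issues next). The secret, user name and password are constructed sample values; MS-CHAPv2 is not modelled.

```python
# Added illustration (not Tellabs code) of why CHAP resists replay where PAP does not.
import hashlib
import hmac
import os

# Constructed sample secret: in CHAP both client and server hold it in plain text,
# but it never crosses the wire.
SHARED_SECRET = b"constructed-chap-secret"


def pap_request(username: str, password: str) -> dict:
    """PAP Authenticate-Request: the password travels as plain ASCII."""
    return {"user": username, "password": password}


def pap_verify(request: dict, user_db: dict) -> bool:
    """Server side: compare the received password with the stored one."""
    expected = user_db.get(request["user"])
    return expected is not None and hmac.compare_digest(expected, request["password"])


def chap_challenge(identifier: int) -> tuple:
    """Server side: a new Identifier and a random 16-byte Challenge for every round."""
    return identifier & 0xFF, os.urandom(16)


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Client side (RFC 1994 section 4.1): MD5 over Identifier, secret and Challenge."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


def chap_verify(identifier: int, challenge: bytes, response: bytes, secret: bytes) -> bool:
    """Server side: recompute the expected digest and compare in constant time."""
    expected = chap_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)


def replay_comparison() -> dict:
    """Run one legitimate round of each protocol, then re-present the old message."""
    user_db = {"operator": "constructed-password"}   # constructed sample account

    # PAP: the same request verifies again, because nothing in it changes per session.
    captured_pap = pap_request("operator", "constructed-password")
    pap_first = pap_verify(captured_pap, user_db)
    pap_replayed = pap_verify(captured_pap, user_db)

    # CHAP round 1: the legitimate client answers the first challenge.
    id1, chal1 = chap_challenge(1)
    resp1 = chap_response(id1, SHARED_SECRET, chal1)
    chap_first = chap_verify(id1, chal1, resp1, SHARED_SECRET)

    # CHAP round 2: the server issues a new Identifier and Challenge, so the old
    # response no longer matches and is rejected.
    id2, chal2 = chap_challenge(2)
    chap_replayed = chap_verify(id2, chal2, resp1, SHARED_SECRET)

    return {
        "pap_first": pap_first,
        "pap_replayed": pap_replayed,
        "chap_first": chap_first,
        "chap_replayed": chap_replayed,
    }


if __name__ == "__main__":
    print(replay_comparison())
```

The constant-time comparison in both verifiers is a detail the page does not mention but that any real authenticator should use; the MD5 construction is what RFC 1994 specifies, not a recommendation for new designs.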

  5. In the RADIUS Server IP Address fields, enter the Internet Protocol (IP) address(es) of the RADIUS server(s). Up to four RADIUS Servers are supported.

     Information

     Note: The RADIUS servers configured for RADIUS craft authentication may or may not be the same RADIUS servers that are configured for 802.1x authentication.

  6. In the Shared Key field, enter the key information. Asterisks are displayed for the contents of the key fields.

  7. In the Confirm Key field, re-enter the information entered in the Shared Key field. Asterisks are displayed for the contents of the key fields.

  8. If Trusted Host is to be enabled, check the Enable Trusted Host check box. When Trusted Host is enabled, the OLT allows TCP connection requests and SNMP requests to the management processes of this OLT only from the IP addresses listed in the Host Table, plus any RADIUS or 802.1x servers that may be configured on this OLT. Enabling the Trusted Host list does not affect user traffic.

  9. In the Host Table, enter the IP address(es) of the servers that the selected OLT must be able to communicate with. Up to 30 IP addresses can be added; they can include, but are not limited to:

     Information

     Note: If RADIUS servers are configured on this screen or on the 802.1x screen, their IP addresses are implicitly added.

     • Panorama PON EMS server (required)
     • File Transfer Protocol (FTP) server(s)
     • Network Time Protocol (NTP) servers
     • Secure Shell (SSH) clients
     • Telnet clients

  10. If ICMP is to be enabled, check the Enable ICMP Destination Unreachable check box. When ICMP Destination Unreachable is enabled, the OLT generates a message in response to a packet that cannot be delivered to its destination. Check the Enable ICMP Group Echo Reply check box. When ICMP Group Echo Reply is enabled, the OLT responds to ping messages.

  11. Set the ICMP Rate Limit to No Rate Limit or to Rate Limit as packets per second.

  12. After setting the attributes in the Security tab, click the Apply button. Click the Close button to close the dialog.
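The following is an added model, not Tellabs code and not part of the original guide, of the Security tab attributes and the Trusted Host rule described in this procedure. The class, field and method names are assumptions; the limits (four RADIUS servers, 30 trusted hosts), the requirement that the EMS server be in the Host Table, the implicit addition of RADIUS and 802.1x servers, the Telnet/SSH behaviour and the statement that user traffic is unaffected all come from the text above. The addresses are constructed RFC 5737 documentation values. It lets a practitioner check an intended configuration for the mistakes the procedure warns about before clicking Apply, and shows which management-plane requests the Trusted Host list would admit.

```python
# Added model (not Tellabs code) of the OLT Security tab and the Trusted Host decision.
from dataclasses import dataclass, field
from ipaddress import ip_address

MAX_RADIUS_SERVERS = 4
MAX_TRUSTED_HOSTS = 30
# Listed least to most secure, as the procedure orders them.
PROTOCOL_TYPES = ("None", "PAP", "CHAP", "MSCHAPV2")
MANAGEMENT_SERVICES = ("ssh", "telnet", "snmp")


@dataclass
class OltSecurity:                       # hypothetical name for the Security tab contents
    ems_server: str                      # Panorama PON EMS address (required in the Host Table)
    auth_protocol: str = "None"
    radius_servers: list = field(default_factory=list)
    dot1x_servers: list = field(default_factory=list)   # configured on the separate 802.1x screen
    shared_key: str = ""
    confirm_key: str = ""
    trusted_host_enabled: bool = False
    host_table: list = field(default_factory=list)
    telnet_enabled: bool = False

    def validate(self) -> list:
        """Checks worth making before clicking Apply; returns a list of problems (empty = OK)."""
        problems = []
        if self.auth_protocol not in PROTOCOL_TYPES:
            problems.append(f"unknown Authentication Protocol Type {self.auth_protocol!r}")
        if len(self.radius_servers) > MAX_RADIUS_SERVERS:
            problems.append(f"more than {MAX_RADIUS_SERVERS} RADIUS servers")
        if self.auth_protocol != "None":
            if not self.radius_servers:
                problems.append("RADIUS authentication selected but no RADIUS server address")
            if not self.shared_key:
                problems.append("Shared Key is empty")
            if self.shared_key != self.confirm_key:
                problems.append("Confirm Key does not match Shared Key")
        if len(self.host_table) > MAX_TRUSTED_HOSTS:
            problems.append(f"more than {MAX_TRUSTED_HOSTS} trusted host addresses")
        if self.trusted_host_enabled and self.ems_server not in self.host_table:
            problems.append("Trusted Host enabled but the EMS server is not in the Host Table")
        for addr in [*self.radius_servers, *self.dot1x_servers, *self.host_table, self.ems_server]:
            try:
                ip_address(addr)
            except ValueError:
                problems.append(f"not an IP address: {addr!r}")
        return problems

    def effective_trusted_hosts(self) -> set:
        """Host Table plus RADIUS and 802.1x servers, which the procedure says are implicitly added."""
        return set(self.host_table) | set(self.radius_servers) | set(self.dot1x_servers)

    def management_access_allowed(self, src_ip: str, service: str) -> bool:
        """Decision for a management-plane request (TCP service or SNMP) from src_ip.
        User (subscriber) traffic is not subject to this check."""
        if service not in MANAGEMENT_SERVICES:
            raise ValueError(f"unknown management service {service!r}")
        if service == "telnet" and not self.telnet_enabled:
            return False            # Telnet port closed; SSH is the only remote access
        if self.trusted_host_enabled and src_ip not in self.effective_trusted_hosts():
            return False            # neither in the Host Table nor an authentication server
        return True


def example_policy() -> OltSecurity:
    """Constructed sample configuration using RFC 5737 documentation addresses."""
    return OltSecurity(
        ems_server="192.0.2.10",
        auth_protocol="MSCHAPV2",
        radius_servers=["192.0.2.20"],
        shared_key="constructed-shared-key",
        confirm_key="constructed-shared-key",
        trusted_host_enabled=True,
        host_table=["192.0.2.10", "192.0.2.30"],   # EMS server and an NTP server
        telnet_enabled=False,
    )


if __name__ == "__main__":
    policy = example_policy()
    print("problems:", policy.validate())
    for src, svc in [("192.0.2.30", "ssh"), ("192.0.2.20", "snmp"),
                     ("198.51.100.7", "ssh"), ("192.0.2.30", "telnet")]:
        print(src, svc, policy.management_access_allowed(src, svc))
```

Note that the RADIUS server at 192.0.2.20 is admitted for SNMP although it is not in the Host Table, because the procedure states that configured RADIUS and 802.1x servers are implicitly trusted; if that is not intended, the only way to exclude such a host is to not configure it as an authentication server.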
