
    User Authentication and Authorization

    The BTI7800 supports local database and RADIUS/TACACS+ user authentication and authorization for CLI and NETCONF users.

    Note: RADIUS is supported prior to release 2.1.1. TACACS+ is supported starting with release 4.1.

    Local Authentication and Authorization

    The BTI7800 maintains a local configuration database of users and their privilege levels. These users are managed with the users CLI command. When a user attempts to log in, the BTI7800 checks the supplied username and password against the local configuration database. Local authentication (and authorization) is the default method used on the BTI7800.

    RADIUS/TACACS+ Authentication and Authorization

    RADIUS and TACACS+ are two common client-server authentication, authorization, and accounting (AAA) protocols. The BTI7800, acting as a RADIUS/TACACS+ client, communicates securely with the RADIUS/TACACS+ server to authenticate and authorize users. In response to a login request, the RADIUS/TACACS+ server authenticates the user and returns the access privilege level for that user.

    Note: The BTI7800 does not support accounting using RADIUS/TACACS+.

    User credentials are encrypted using a shared secret that is known to both the BTI7800 and the RADIUS/TACACS+ server. For RADIUS, the shared secret is used to encrypt the user password. For TACACS+, the shared secret is used to encrypt the entire contents of TACACS+ packets.

    The BTI7800 supports the following packet types and attributes according to RFC 2865 Remote Authentication Dial In User Service (Table 1) and draft-grant-tacacs-02.txt (Table 2).

    Table 1: RADIUS Packets (packet type, attribute, description)

    ACCESS-REQUEST - Sent from the BTI7800 RADIUS client to the RADIUS server to request authentication and authorization

      User-Name: The system login ID of the user
      User-Password: The user login password
      NAS-Identifier: The BTI7800 management IP address

    ACCESS-ACCEPT - Sent from the RADIUS server to the BTI7800 RADIUS client

      Reply-Message (must be present): Determines the group or privilege level of the user. Contains one of superuser, provisioning, surveillance, or btiuser (deprecated).

      Note: If this user is configured in the local configuration database as well, then you must ensure that the group assignment for this user is identical between the RADIUS and the local configuration database.

      Idle-Timeout (must be present): Determines the inactivity timeout of the user. Valid ranges are the following:

      • 0: Disabled
      • 5 through 60 minutes
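    The following is an added example, not code from the BTI7800 or its documentation. It shows the two sides of the RFC 2865 exchange in Table 1 and the shared-secret password protection described earlier: the client builds an ACCESS-REQUEST with User-Name, User-Password (XORed with MD5 keystream derived from the shared secret and the Request Authenticator) and NAS-Identifier; a minimal server decrypts the password and answers with an ACCESS-ACCEPT carrying Reply-Message and Idle-Timeout; the client then verifies the Response Authenticator before trusting the reply and applies the Table 1 rules (both attributes present, a known group, Idle-Timeout 0 or 5 through 60). The shared secret, user names and addresses are constructed values; the attribute type numbers are the RFC 2865 ones.

```python
import hashlib
import hmac
import os
import struct

# RFC 2865 packet codes and the attribute types listed in Table 1.
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, IDLE_TIMEOUT, NAS_IDENTIFIER = 1, 2, 18, 28, 32
# Groups the BTI7800 accepts in Reply-Message (btiuser is deprecated but still listed).
VALID_GROUPS = {"superuser", "provisioning", "surveillance", "btiuser"}


def _attr(atype, value):
    """Encode one type-length-value attribute (length covers the 2-byte header)."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def parse_attrs(data):
    """Decode a run of TLV attributes into {type: value}; rejects truncated ones."""
    attrs, pos = {}, 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("malformed attribute")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError("malformed attribute")
        attrs[atype] = data[pos + 2:pos + alen]
        pos += alen
    return attrs


def encrypt_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous ciphertext block), seeded by the Request Authenticator."""
    padded = password.ljust(max(16, (len(password) + 15) // 16 * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        prev = bytes(x ^ y for x, y in zip(padded[i:i + 16], keystream))
        out += prev
    return out


def decrypt_password(cipher, secret, authenticator):
    """Server-side inverse of encrypt_password; only works with the same shared secret."""
    out, prev = b"", authenticator
    for i in range(0, len(cipher), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(cipher[i:i + 16], keystream))
        prev = cipher[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(ident, username, password, nas_id, secret, authenticator=None):
    """Client side: the ACCESS-REQUEST row of Table 1."""
    authenticator = authenticator or os.urandom(16)  # fresh random Request Authenticator
    attrs = (_attr(USER_NAME, username)
             + _attr(USER_PASSWORD, encrypt_password(password, secret, authenticator))
             + _attr(NAS_IDENTIFIER, nas_id))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def build_access_accept(request, secret, group, idle_timeout):
    """Server side: ACCESS-ACCEPT with Reply-Message and Idle-Timeout.
    Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    attrs = _attr(REPLY_MESSAGE, group.encode()) + _attr(IDLE_TIMEOUT, struct.pack("!I", idle_timeout))
    header = struct.pack("!BBH", ACCESS_ACCEPT, request[1], 20 + len(attrs))
    return header + hashlib.md5(header + request[4:20] + attrs + secret).digest() + attrs


def check_access_accept(response, request, secret):
    """Client side: authenticate the reply, then apply the Table 1 rules.
    Returns (group, idle_timeout_minutes) or raises ValueError."""
    if len(response) < 20:
        raise ValueError("truncated RADIUS packet")
    code, ident, length = struct.unpack("!BBH", response[:4])
    if length != len(response) or code != ACCESS_ACCEPT or ident != request[1]:
        raise ValueError("not an Access-Accept matching the outstanding request")
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    if not hmac.compare_digest(expected, response[4:20]):
        raise ValueError("bad Response Authenticator (shared secret mismatch or forged reply)")
    attrs = parse_attrs(response[20:])
    if REPLY_MESSAGE not in attrs or IDLE_TIMEOUT not in attrs:
        raise ValueError("Reply-Message and Idle-Timeout must both be present")
    group = attrs[REPLY_MESSAGE].decode("ascii", "replace")
    if group not in VALID_GROUPS:
        raise ValueError(f"Reply-Message {group!r} is not a BTI7800 group")
    if len(attrs[IDLE_TIMEOUT]) != 4:
        raise ValueError("Idle-Timeout must be a 4-byte integer")
    (idle,) = struct.unpack("!I", attrs[IDLE_TIMEOUT])
    if idle != 0 and not 5 <= idle <= 60:
        raise ValueError("Idle-Timeout must be 0 (disabled) or 5 through 60 minutes")
    return group, idle


def login_decision(response, request, secret):
    """Human-readable outcome of check_access_accept."""
    try:
        group, idle = check_access_accept(response, request, secret)
        return f"accepted: group={group} idle-timeout={idle}"
    except ValueError as err:
        return f"rejected: {err}"


if __name__ == "__main__":
    SECRET = b"example-shared-secret"  # constructed value for the demo, not a real secret
    req = build_access_request(1, b"alice", b"hunter2", b"10.1.1.2", SECRET)
    print(decrypt_password(parse_attrs(req[20:])[USER_PASSWORD], SECRET, req[4:20]))
    print(login_decision(build_access_accept(req, SECRET, "provisioning", 30), req, SECRET))
    print(login_decision(build_access_accept(req, b"wrong-secret", "superuser", 30), req, SECRET))
    print(login_decision(build_access_accept(req, SECRET, "superuser", 3), req, SECRET))
```

    The Response Authenticator check is the part that matters operationally: a reply produced with a different shared secret (server misconfigured, or a spoofed reply on the path) fails that check before any attribute is honoured, which is why the secret on the server entry and the secret on the BTI7800 must match exactly.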

    Table 2: TACACS+ Packets (packet type, attribute, description)

    START - Sent from the BTI7800 TACACS+ client to the TACACS+ server to request authentication

      user: The system login ID of the user

    REPLY (GETPASS) - Sent from the TACACS+ server to the BTI7800 TACACS+ client asking for the user password

      (no attributes)

    CONTINUE - Sent from the BTI7800 TACACS+ client to the TACACS+ server specifying the user password

      password: The user login password

    REPLY (PASS or FAIL) - Sent from the TACACS+ server to the BTI7800 TACACS+ client allowing or rejecting the user

      (no attributes)

    REQUEST (authorization) - Sent from the BTI7800 TACACS+ client to the TACACS+ server requesting the authorization level

      user: The system login ID of the user

    REPLY (authorization) - Sent from the TACACS+ server to the BTI7800 TACACS+ client indicating the authorization level

      priv-lvl or priv_lvl (must be present): The privilege level for the user

      • 0: surveillance
      • 1: btiuser (deprecated)
      • 2 through 14: provisioning
      • 15: superuser

      Note: If this user is configured in the local configuration database as well, then you must ensure that the group assignment for this user is identical between the TACACS+ and the local configuration database.
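    The following is an added example, not code from the BTI7800 or its documentation. It covers the TACACS+ side of the shared-secret discussion and the REPLY (authorization) row of Table 2: the packet body is XORed with the chained-MD5 pseudo-pad from draft-grant-tacacs (session id, key, version, sequence number), so a client holding a different shared secret recovers garbage rather than a readable reply; the authorization REPLY body is then parsed and its priv-lvl (either spelling) mapped to the BTI7800 group using the ranges in the table. Session ids and the shared secret are constructed values; the header layout, status codes and body format are those of the draft.

```python
import hashlib
import re
import struct

# draft-grant-tacacs-02 header fields used here.
TAC_PLUS_VERSION = (0xC << 4) | 0x0      # major version 12, minor version 0
TAC_PLUS_AUTHEN, TAC_PLUS_AUTHOR = 0x01, 0x02
AUTHOR_STATUS_PASS_ADD, AUTHOR_STATUS_PASS_REPL, AUTHOR_STATUS_FAIL = 0x01, 0x02, 0x10


def pseudo_pad(session_id, key, version, seq_no, length):
    """Keystream from the draft: MD5_1 = MD5(session_id, key, version, seq_no),
    MD5_n = MD5(session_id, key, version, seq_no, MD5_n-1); concatenate and truncate."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, seq_no, version=TAC_PLUS_VERSION):
    """XOR the body with the pseudo-pad. Symmetric: the same call deobfuscates."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_packet(ptype, seq_no, session_id, body, key):
    """12-byte header in the clear, body protected under the shared secret."""
    header = struct.pack("!BBBBII", TAC_PLUS_VERSION, ptype, seq_no, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, seq_no)


def open_packet(packet, key):
    """Parse the header and recover the body. Returns (type, seq_no, session_id, body)."""
    if len(packet) < 12:
        raise ValueError("truncated TACACS+ header")
    version, ptype, seq_no, _flags, session_id, length = struct.unpack("!BBBBII", packet[:12])
    if length != len(packet) - 12:
        raise ValueError("body length does not match header")
    return ptype, seq_no, session_id, obfuscate(packet[12:], session_id, key, seq_no, version)


def build_author_reply_body(status, args, server_msg=b""):
    """Authorization REPLY body: status, arg_cnt, server_msg_len, data_len,
    one length byte per arg, then server_msg, data and the args themselves."""
    encoded = [a.encode() for a in args]
    head = struct.pack("!BBHH", status, len(encoded), len(server_msg), 0)
    return head + bytes(len(a) for a in encoded) + server_msg + b"".join(encoded)


def priv_lvl_to_group(level):
    """The priv-lvl mapping from Table 2."""
    if level == 0:
        return "surveillance"
    if level == 1:
        return "btiuser"          # deprecated group
    if 2 <= level <= 14:
        return "provisioning"
    if level == 15:
        return "superuser"
    raise ValueError(f"priv-lvl {level} outside 0..15")


def parse_author_reply(body):
    """Client side: read the REPLY (authorization) and derive the BTI7800 group.
    Accepts both spellings the table allows: priv-lvl and priv_lvl."""
    if len(body) < 6:
        raise ValueError("truncated authorization REPLY")
    status, arg_cnt, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    arg_lens = body[6:6 + arg_cnt]
    pos = 6 + arg_cnt + msg_len + data_len
    args = {}
    for n in arg_lens:
        # '=' marks a mandatory argument and '*' an optional one in the draft's AV pairs
        parts = re.split(r"[=*]", body[pos:pos + n].decode("ascii", "replace"), maxsplit=1)
        if len(parts) != 2:
            raise ValueError("malformed attribute-value pair")
        args[parts[0]] = parts[1]
        pos += n
    if status not in (AUTHOR_STATUS_PASS_ADD, AUTHOR_STATUS_PASS_REPL):
        raise ValueError(f"authorization status 0x{status:02x} is not PASS")
    level = args.get("priv-lvl", args.get("priv_lvl"))
    if level is None:
        raise ValueError("priv-lvl must be present in the authorization REPLY")
    return priv_lvl_to_group(int(level))


def author_decision(body):
    """Human-readable outcome of parse_author_reply."""
    try:
        return f"authorized: group={parse_author_reply(body)}"
    except ValueError as err:
        return f"rejected: {err}"


if __name__ == "__main__":
    KEY = b"example-shared-secret"   # constructed value for the demo, not a real secret
    body = build_author_reply_body(AUTHOR_STATUS_PASS_ADD, ["priv-lvl=15"])
    pkt = build_packet(TAC_PLUS_AUTHOR, 2, 0x1234ABCD, body, KEY)
    print(author_decision(open_packet(pkt, KEY)[3]))
    print(open_packet(pkt, b"wrong-secret")[3] == body)   # False: wrong key, unreadable body
    print(author_decision(build_author_reply_body(AUTHOR_STATUS_FAIL, [])))
```

    Unlike RADIUS, TACACS+ carries no authenticator field: a secret mismatch does not produce a verifiable error but an unparseable body, which on a real deployment shows up as authentication timing out or failing on a server that is otherwise reachable.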

    The RADIUS/TACACS+ authentication and authorization exchange occurs only at user login. TACACS+ command authorization is not supported.

    Changes to user authentication or authorization settings on the external server (or the availability of the external server itself) do not affect the current login session.

    RADIUS/TACACS+ authentication and authorization are not enabled by default.

    Note: RADIUS and TACACS+ are mutually exclusive on the BTI7800. If you configure a BTI7800 to use RADIUS servers, you cannot also configure the same BTI7800 to use TACACS+ servers, and vice versa.

    Authentication and Authorization Sequence

    If the BTI7800 is configured to use one or more RADIUS/TACACS+ servers, RADIUS/TACACS+ authentication and authorization take precedence over local authentication and authorization. The BTI7800 can be configured to use up to four RADIUS/TACACS+ servers.

    Releases lower than 4.1

    When a user tries to log in, the BTI7800 attempts to authenticate the user with the first configured RADIUS server. If authentication is successful, the user is allowed to log in. If authentication is not successful for any reason (including bad credentials), the BTI7800 times out and tries the same server again until the maximum number of allowed attempts with one server is reached. The BTI7800 then attempts authentication with the next configured server in the list. If all configured RADIUS servers are exhausted, the BTI7800 attempts to authenticate the user against the local configuration database.

    Note: Local authentication takes place if RADIUS authentication fails for any reason. It is therefore important that you properly maintain the local database even if you intend to use RADIUS authentication. If you fail to do so, you may run into situations where the RADIUS server rejects a user's credentials while local authentication accepts those same credentials.

    Releases 4.1 and higher

    When a user tries to log in, the BTI7800 attempts to authenticate and authorize the user using the first configured RADIUS/TACACS+ server. If the first server does not respond within the timeout period:

    • RADIUS: The BTI7800 tries the same server again until the maximum number of allowed attempts with one server is reached, at which time the BTI7800 attempts to connect with the next configured server in the list.
    • TACACS+: The BTI7800 attempts to connect with the next configured server in the list.

    For both protocols, if authentication is successful, the user is allowed to log in. If authentication is not successful due to bad credentials, the user is denied access.

    If all configured RADIUS/TACACS+ servers are unreachable, the BTI7800 attempts to authenticate and authorize the user against the local configuration database.
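    The following is an added simulation, not BTI7800 code, of the two login sequences described above so the difference between them can be seen on the same inputs. Each external server is modelled as a function returning accept, reject or timeout; the local database is a plain dictionary standing in for the local configuration database. Before 4.1 every failure (including a rejection) is retried and eventually falls through to local authentication, which is the situation the note warns about; from 4.1 a rejection denies access outright, RADIUS retries a silent server up to the configured number of attempts while TACACS+ moves straight to the next server, and only an unreachable server list reaches the local database. Server behaviours, user names and passwords are constructed.

```python
ACCEPT, REJECT, TIMEOUT = "accept", "reject", "timeout"


def authenticate(username, password, servers, local_db, release_4_1_or_higher,
                 protocol="radius", attempts=3):
    """Walk the configured server list the way the text describes and return
    (decision, source, trace) where trace lists (server index, try number, result).

    servers: list of callables (username, password) -> ACCEPT | REJECT | TIMEOUT
    local_db: {username: password}, a stand-in for the local configuration database
    """
    trace = []
    for idx, server in enumerate(servers):
        # RADIUS (any release) retries the same server; TACACS+ (4.1+) tries each once.
        tries = attempts if protocol == "radius" or not release_4_1_or_higher else 1
        for n in range(1, tries + 1):
            result = server(username, password)
            trace.append((idx, n, result))
            if result == ACCEPT:
                return "allow", f"server {idx}", trace
            if release_4_1_or_higher and result == REJECT:
                # 4.1+: bad credentials end the sequence; no fallback to local.
                return "deny", f"server {idx}", trace
            # Pre-4.1: any failure is retried and then the next server is tried.
            # 4.1+: only a timeout reaches this point.
    # Servers exhausted (pre-4.1) or all unreachable (4.1+): local database decides.
    local_ok = username in local_db and local_db[username] == password
    return ("allow" if local_ok else "deny"), "local", trace


if __name__ == "__main__":
    rejecting = lambda u, p: REJECT                        # server that knows the user and refuses
    silent = lambda u, p: TIMEOUT                          # server that never answers
    local = {"alice": "hunter2"}                           # constructed local database entry
    # Same credentials, same server, different release: the note's warning in action.
    print(authenticate("alice", "hunter2", [rejecting], local, release_4_1_or_higher=False))
    print(authenticate("alice", "hunter2", [rejecting], local, release_4_1_or_higher=True))
    # Unreachable servers fall through to local on both release families.
    print(authenticate("alice", "hunter2", [silent, silent], local, True, "tacacs+"))
```

    The trace is useful when tuning the RADIUS attempts and timeout values: with several silent servers the login delay is roughly servers x attempts x timeout before the local database is consulted.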

    Configuring the RADIUS/TACACS+ Server

    In order for the RADIUS/TACACS+ server to accept requests from each BTI7800 in the network, the RADIUS/TACACS+ server administrator must perform the following tasks:

    Task: Configure the RADIUS/TACACS+ server to accept requests from each BTI7800 implementing RADIUS/TACACS+ as a client.

      • Specify the IP address (management IP address) of each BTI7800 using RADIUS/TACACS+.
      • Specify the shared secret for each BTI7800. This must match the shared secret configured on the BTI7800 itself.

    Task: Configure the RADIUS/TACACS+ server with the user accounts of all users requiring access to the BTI7800 network.

      • Specify the username, password, and group (privilege level) for all users on every BTI7800 using RADIUS/TACACS+.

    The RADIUS/TACACS+ server can reside on the same server as the proNX Service Manager or on any other server. If you are using the RADIUS server that is prepackaged with the proNX Service Manager, you have the added benefit of being able to use the proNX Service Manager to add and remove users to and from the RADIUS database. For details, see the proNX Service Manager Installation and Administration Guide and the proNX Service Manager User Guide.

    Refer to the applicable RADIUS/TACACS+ server user guide for any additional operating, configuration, or provisioning requirements.

    Provisioning RADIUS Authentication and Authorization

    Use this procedure to configure the BTI7800 to use RADIUS authentication and authorization.

    Note: In releases lower than release 4.3, you must have superuser privileges to provision RADIUS authentication and authorization. In releases 4.3 and higher, you can provision RADIUS authentication and authorization with the provisioning privilege.

    1. Specify the IP address of the RADIUS server.

      For example:

      bti7800(config)# system radius server 10.1.1.1
      bti7800(config-server-10.1.1.1)#

      Note: The default port is 1812. This must not be changed.

    2. Specify the shared secret to use.

      For example:

      bti7800(config-server-10.1.1.1)# shared-secret <password>
      bti7800(config-server-10.1.1.1)# exit
      bti7800(config-system)#
    3. Repeat steps 1 and 2 for each RADIUS server you want to use.
    4. Optionally, configure the RADIUS system parameters.
      1. Specify the number of attempts that the BTI7800 makes to contact the same RADIUS server before the BTI7800 attempts to contact the next RADIUS server.

        For example, to specify 5 attempts:

        bti7800(config-system)# radius options attempts 5
      2. Specify the timeout value for the access request.

        For example, to specify 10 seconds:

        bti7800(config-system)# radius options timeout 10
    5. Apply the provisioning.
      bti7800(config-system)# commit
      Commit complete. 

    The BTI7800 is now configured to use the configured RADIUS servers. Ensure any firewalls in the path are configured to allow RADIUS packets. Use the ping and traceroute commands to test the connectivity to each RADIUS server.

    Provisioning TACACS+ Authentication and Authorization

    Use this procedure to configure the BTI7800 to use TACACS+ authentication and authorization.

    Note: In releases lower than release 4.3, you must have superuser privileges to provision TACACS+ authentication and authorization. In releases 4.3 and higher, you can provision TACACS+ authentication and authorization with the provisioning privilege.

    1. Specify the IP address of the TACACS+ server.

      For example:

      bti7800(config)# system tacacs-plus server 10.1.1.1
      bti7800(config-server-10.1.1.1)# 
    2. Specify the shared secret to use.

      For example:

      bti7800(config-server-10.1.1.1)# shared-secret <password>
    3. Optionally, specify the authentication port to use.

      For example:

      bti7800(config-server-10.1.1.1)# authentication-port 49
      bti7800(config-server-10.1.1.1)# exit 
      bti7800(config-system)# 
    4. Repeat steps 1 through 3 for each TACACS+ server you want to use.
    5. Optionally, configure the TACACS+ system parameters.

      For example, to set the timeout:

      bti7800(config-system)# tacacs-plus options timeout 5
    6. Apply the provisioning.
      bti7800(config-system)# commit
      Commit complete. 

    The BTI7800 is now configured to use the configured TACACS+ servers. Ensure any firewalls in the path are configured to allow TACACS+ packets. Use the ping and traceroute commands to test the connectivity to each TACACS+ server.

    Release History Table

    • In releases 4.3 and higher, you can provision RADIUS authentication and authorization with the provisioning privilege.
    • In releases 4.3 and higher, you can provision TACACS+ authentication and authorization with the provisioning privilege.
    • TACACS+ is supported starting with release 4.1.
    • If authentication is not successful due to bad credentials, the user is denied access.

    Modified: 2017-10-30