
User Authentication and Authorization


The BTI7800 supports local database and RADIUS/TACACS+ user authentication and authorization for CLI and NETCONF users.

Note

RADIUS is supported prior to release 2.1.1. TACACS+ is supported starting with release 4.1.

Local Authentication and Authorization

The BTI7800 maintains a local configuration database of users and their privilege levels. These users are managed with the users CLI command. When a user attempts to log in, the BTI7800 checks the supplied username and password against the local configuration database. Local authentication (and authorization) is the default method used on the BTI7800.

RADIUS/TACACS+ Authentication and Authorization

RADIUS and TACACS+ are two common client-server authentication, authorization, and accounting (AAA) protocols. The BTI7800, acting as a RADIUS/TACACS+ client, communicates securely with the RADIUS/TACACS+ server to authenticate and authorize users. In response to a login request, the RADIUS/TACACS+ server authenticates the user and returns the access privilege level for that user.

Note

The BTI7800 does not support accounting using RADIUS/TACACS+.

User credentials are encrypted using a shared secret that is known to both the BTI7800 and the RADIUS/TACACS+ server. For RADIUS, the shared secret is used to encrypt the user password. For TACACS+, the shared secret is used to encrypt the entire contents of TACACS+ packets.
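The paragraph above distinguishes what the shared secret protects in each protocol. The following is an added example, not BTI7800 or Juniper code, that implements both mechanisms as the standards define them: the RADIUS User-Password hiding of RFC 2865 section 5.2 (only that attribute is covered) and the TACACS+ body obfuscation of draft-grant-tacacs-02 / RFC 8907 section 4.5 (the whole body after the header). The secret, password, authenticator and session values below are constructed; the point is that whoever holds the shared secret can recover the credential, so its strength and distribution are what matter.

```python
# Added example (not BTI7800 code): how the shared secret protects credentials
# on the wire. RADIUS hides only the User-Password attribute (RFC 2865, 5.2);
# TACACS+ obfuscates the entire packet body (RFC 8907, 4.5). Both derive an
# MD5 keystream from the shared secret and XOR it with the data.
import hashlib
import os


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def radius_hide_password(password: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Encode User-Password as a RADIUS client does in an Access-Request."""
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)   # NUL-pad to 16-octet blocks
    out = b""
    prev = request_authenticator                           # b1 = MD5(S + RA)
    for i in range(0, len(padded), 16):
        block_key = hashlib.md5(secret + prev).digest()
        c = _xor(padded[i:i + 16], block_key)
        out += c
        prev = c                                           # b(n) = MD5(S + c(n-1))
    return out


def radius_unhide_password(hidden: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Server-side reverse of radius_hide_password."""
    if len(hidden) % 16 != 0:
        raise ValueError("hidden password must be a multiple of 16 octets")
    out = b""
    prev = request_authenticator
    for i in range(0, len(hidden), 16):
        c = hidden[i:i + 16]
        out += _xor(c, hashlib.md5(secret + prev).digest())
        prev = c
    return out.rstrip(b"\x00")


def tacacs_obfuscate(body: bytes, secret: bytes, session_id: int, version: int, seq_no: int) -> bytes:
    """XOR a TACACS+ body with the MD5 pseudo-pad. XOR is symmetric, so the
    same call on the obfuscated body recovers the clear text."""
    hdr = session_id.to_bytes(4, "big") + secret + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < len(body):
        prev = hashlib.md5(hdr + prev).digest()   # MD5_n = MD5(hdr + MD5_(n-1))
        pad += prev
    return _xor(body, pad[:len(body)])


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    ra = os.urandom(16)                           # Request Authenticator, random per request
    hidden = radius_hide_password(b"example-pw", secret, ra)
    print("RADIUS recovered:", radius_unhide_password(hidden, secret, ra))
    body = b"\x01\x00\x01\x01\x00\x00\x00\x00user"   # constructed authentication START body
    ob = tacacs_obfuscate(body, secret, 0x1234ABCD, 0xC0, 1)
    print("TACACS+ recovered:", tacacs_obfuscate(ob, secret, 0x1234ABCD, 0xC0, 1))
```

Note the asymmetry the page describes: in the RADIUS exchange the User-Name, NAS-Identifier and the server's Reply-Message travel in clear text, while in TACACS+ the whole body, including the username and the returned priv-lvl, is covered by the secret.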

The BTI7800 supports the following packet types and attributes according to RFC 2865 Remote Authentication Dial In User Service (Table 1) and draft-grant-tacacs-02.txt (Table 2).

Table 1: RADIUS Packets

Packet type: ACCESS-REQUEST - Sent from the BTI7800 RADIUS client to the RADIUS server to request authentication and authorization

  Attribute        Description
  User-Name        The system login ID of the user
  User-Password    The user login password
  NAS-Identifier   The BTI7800 management IP address

Packet type: ACCESS-ACCEPT - Sent from the RADIUS server to the BTI7800 RADIUS client

  Attribute        Description
  Reply-Message    Must be present. Determines the group or privilege level of the user. Contains one of superuser, provisioning, surveillance, or btiuser (deprecated).
                   Note: If this user is configured in the local configuration database as well, then you must ensure that the group assignment for this user is identical between the RADIUS and the local configuration database.
  Idle-Timeout     Must be present. Determines the inactivity timeout of the user. Valid ranges are the following:
                     • 0: Disabled
                     • 5 through 60 minutes

Table 2: TACACS+ Packets

Packet type: START - Sent from the BTI7800 TACACS+ client to the TACACS+ server to request authentication

  Attribute        Description
  user             The system login ID of the user

Packet type: REPLY (GETPASS) - Sent from the TACACS+ server to the BTI7800 TACACS+ client asking for the user password

  (no attributes)

Packet type: CONTINUE - Sent from the BTI7800 TACACS+ client to the TACACS+ server specifying the user password

  Attribute        Description
  password         The user login password

Packet type: REPLY (PASS or FAIL) - Sent from the TACACS+ server to the BTI7800 TACACS+ client allowing or rejecting the user

  (no attributes)

Packet type: REQUEST (authorization) - Sent from the BTI7800 TACACS+ client to the TACACS+ server requesting the authorization level

  Attribute        Description
  user             The system login ID of the user

Packet type: REPLY (authorization) - Sent from the TACACS+ server to the BTI7800 TACACS+ client indicating the authorization level

  Attribute              Description
  priv-lvl or priv_lvl   Must be present. The privilege level for the user:
                           • 0: surveillance
                           • 1: btiuser (deprecated)
                           • 2 through 14: provisioning
                           • 15: superuser
                         Note: If this user is configured in the local configuration database as well, then you must ensure that the group assignment for this user is identical between the TACACS+ and the local configuration database.
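Both tables end with the same requirement: the group the server returns must match the group in the local database for the same user. The following added example, not BTI7800 or Juniper code, is a validator a RADIUS/TACACS+ server administrator can run against the attributes their server is configured to return. It checks the presence and range rules from Table 1 (Reply-Message, Idle-Timeout, taken in minutes as the page states them) and Table 2 (priv-lvl / priv_lvl), maps them to a BTI7800 group, and flags a mismatch against a local-database entry. The attribute dictionaries and the local database sample are constructed for the example.

```python
# Added example (not BTI7800 code): validate server-returned attributes against
# the rules in Table 1 and Table 2 and compare the resulting group with the
# local configuration database. Inputs are constructed dictionaries.
from typing import Optional, Tuple

GROUPS = {"superuser", "provisioning", "surveillance", "btiuser"}


def group_from_radius(attrs: dict) -> Tuple[str, int]:
    """Return (group, idle_timeout_minutes) from an Access-Accept, or raise."""
    if "Reply-Message" not in attrs:
        raise ValueError("Reply-Message must be present")
    if "Idle-Timeout" not in attrs:
        raise ValueError("Idle-Timeout must be present")
    group = str(attrs["Reply-Message"]).strip()
    if group not in GROUPS:
        raise ValueError(f"Reply-Message {group!r} is not a BTI7800 group")
    timeout = int(attrs["Idle-Timeout"])
    if timeout != 0 and not 5 <= timeout <= 60:     # 0 = disabled, else 5..60 minutes
        raise ValueError("Idle-Timeout must be 0 or 5 through 60")
    return group, timeout


def group_from_tacacs(av_pairs: dict) -> str:
    """Map the priv-lvl (or priv_lvl) AV pair of an authorization REPLY to a group."""
    raw = av_pairs.get("priv-lvl", av_pairs.get("priv_lvl"))
    if raw is None:
        raise ValueError("priv-lvl must be present")
    level = int(raw)
    if level == 0:
        return "surveillance"
    if level == 1:
        return "btiuser"                 # deprecated
    if 2 <= level <= 14:
        return "provisioning"
    if level == 15:
        return "superuser"
    raise ValueError(f"priv-lvl {level} is outside 0..15")


def radius_accept_ok(attrs: dict) -> bool:
    try:
        group_from_radius(attrs)
        return True
    except ValueError:
        return False


def tacacs_reply_ok(av_pairs: dict) -> bool:
    try:
        group_from_tacacs(av_pairs)
        return True
    except ValueError:
        return False


def local_mismatch(user: str, server_group: str, local_db: dict) -> Optional[str]:
    """Return a warning if the local database assigns this user a different group."""
    local_group = local_db.get(user)
    if local_group is not None and local_group != server_group:
        return f"user {user!r}: server group {server_group}, local group {local_group}"
    return None


if __name__ == "__main__":
    local_db = {"ops1": "provisioning"}      # constructed local configuration database
    g, t = group_from_radius({"Reply-Message": "superuser", "Idle-Timeout": 30})
    print("RADIUS:", g, t, local_mismatch("ops1", g, local_db))
    print("TACACS+:", group_from_tacacs({"priv-lvl": "7"}))
```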

The RADIUS/TACACS+ authentication and authorization exchange occurs only at user login. TACACS+ command authorization is not supported.

Changes to user authentication or authorization settings on the external server (or the availability of the external server itself) do not affect the current login session.

RADIUS/TACACS+ authentication and authorization are not enabled by default.

Note

RADIUS and TACACS+ are mutually exclusive on the BTI7800. If you configure a BTI7800 to use RADIUS servers, you cannot also configure the same BTI7800 to use TACACS+ servers, and vice versa.

Authentication and Authorization Sequence

If the BTI7800 is configured to use one or more RADIUS/TACACS+ servers, RADIUS/TACACS+ authentication and authorization take precedence over local authentication and authorization. The BTI7800 can be configured to use up to four RADIUS/TACACS+ servers.

Releases lower than 4.1

When a user tries to log in, the BTI7800 attempts to authenticate the user with the first configured RADIUS server. If authentication is successful, the user is allowed to log in. If authentication is not successful for any reason (including bad credentials), the BTI7800 times out and tries the same server again until the maximum number of allowed attempts with one server is reached. The BTI7800 then attempts authentication with the next configured server in the list. If all configured RADIUS servers are exhausted, the BTI7800 attempts to authenticate the user against the local configuration database.

Note: Local authentication takes place if RADIUS authentication fails for any reason. It is therefore important that you properly maintain the local database even if you intend to use RADIUS authentication. If you fail to do so, you may run into situations where the RADIUS server rejects a user's credentials while local authentication accepts those same credentials.

Releases 4.1 and higher

When a user tries to log in, the BTI7800 attempts to authenticate and authorize the user using the first configured RADIUS/TACACS+ server. If the first server does not respond within the timeout period:

  • RADIUS: The BTI7800 tries the same server again until the maximum number of allowed attempts with one server is reached, at which time the BTI7800 attempts to connect with the next configured server in the list.

  • TACACS+: The BTI7800 attempts to connect with the next configured server in the list.

For both protocols, if authentication is successful, the user is allowed to log in. If authentication is not successful due to bad credentials, the user is denied access.

If all configured RADIUS/TACACS+ servers are unreachable, the BTI7800 attempts to authenticate and authorize the user against the local configuration database.
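The two release behaviours above differ in one important way: before 4.1 a rejection by the RADIUS server eventually falls through to the local database, whereas from 4.1 a rejection is final and only unreachable servers lead to local authentication. The following is an added model of that sequence, not BTI7800 code, written so the path taken for a given set of server responses can be traced. The server list, the simulated responses ("accept", "reject", "timeout") and the local database are constructed; the four-server limit and the RADIUS per-server attempt count follow the text.

```python
# Added example (not BTI7800 code): model of the login sequence for RADIUS and
# TACACS+ before and from release 4.1. Servers and responses are constructed.
from typing import List, Tuple

LOCAL_DB = {"ops": "local-pw"}   # constructed local configuration database


def local_auth(user: str, password: str) -> bool:
    return LOCAL_DB.get(user) == password


def login(protocol: str, release_4_1_or_higher: bool, servers: List[Tuple[str, str]],
          attempts: int, user: str, password: str) -> Tuple[str, List[str]]:
    """Return (decision, trace).
    servers: list of (name, response) with response in {"accept", "reject", "timeout"}.
    attempts: maximum tries against one RADIUS server before moving to the next."""
    trace: List[str] = []
    for name, response in servers[:4]:                 # up to four servers are used
        tries = attempts if protocol == "radius" else 1   # TACACS+ moves on after one timeout
        for n in range(1, tries + 1):
            trace.append(f"{name}#{n}:{response}")
            if response == "accept":
                return "allow", trace
            if response == "reject":
                if release_4_1_or_higher:
                    return "deny", trace               # bad credentials: no local fallback
                # Before 4.1 a rejection is treated like any other failure:
                # retry this server, then move on, and finally fall back to local.
                continue
            # "timeout": RADIUS retries this server up to `attempts` times;
            # TACACS+ has tries == 1 and goes to the next server.
    # All servers unreachable (4.1+) or exhausted (pre-4.1): local database.
    decision = "allow" if local_auth(user, password) else "deny"
    trace.append(f"local:{decision}")
    return decision, trace


if __name__ == "__main__":
    # Pre-4.1 pitfall from the note: server rejects, local database accepts.
    print(login("radius", False, [("r1", "reject")], 2, "ops", "local-pw"))
    # 4.1 and higher: the same input is denied.
    print(login("radius", True, [("r1", "reject")], 2, "ops", "local-pw"))
```

Running the two calls at the bottom shows the difference the note warns about: with identical inputs the pre-4.1 model returns "allow" via the local database, the 4.1+ model returns "deny" after the first reject.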

Configuring the RADIUS/TACACS+ Server

In order for the RADIUS/TACACS+ server to accept requests from each BTI7800 in the network, the RADIUS/TACACS+ server administrator must perform the following tasks:

Task: Configure the RADIUS/TACACS+ server to accept requests from each BTI7800 implementing RADIUS/TACACS+ as a client.
Required configuration:
  • Specify the IP address (management IP address) of each BTI7800 using RADIUS/TACACS+.
  • Specify the shared secret for each BTI7800. This must match the shared secret configured on the BTI7800 itself.

Task: Configure the RADIUS/TACACS+ server with the user accounts of all users requiring access to the BTI7800 network.
Required configuration:
  • Specify the username, password, and group (privilege level) for all users on every BTI7800 using RADIUS/TACACS+.

The RADIUS/TACACS+ server can reside on the same server as the proNX Service Manager or on any other server. If you are using the RADIUS server that is prepackaged with the proNX Service Manager, you have the added benefit of being able to use the proNX Service Manager to add and remove users to and from the RADIUS database. For details, see the proNX Service Manager Installation and Administration Guide and the proNX Service Manager User Guide.

Refer to the applicable RADIUS/TACACS+ server user guide for any additional operating, configuration, or provisioning requirements.

Provisioning RADIUS Authentication and Authorization

Use this procedure to configure the BTI7800 to use RADIUS authentication and authorization.

Note

In releases lower than release 4.3, you must have superuser privileges to provision RADIUS authentication and authorization. In releases 4.3 and higher, you can provision RADIUS authentication and authorization with the provisioning privilege.

  1. Specify the IP address of the RADIUS server.

    For example:

    bti7800(config)# system radius server 10.1.1.1
    bti7800(config-server-10.1.1.1)#

    Note

    The default port is 1812. This must not be changed.

  2. Specify the shared secret to use.

    For example:

    bti7800(config-server-10.1.1.1)# shared-secret <password>
  3. Repeat steps 1 and 2 for each RADIUS server you want to use.
  4. Optionally, configure the RADIUS system parameters.
    1. Specify the number of attempts that the BTI7800 makes to contact the same RADIUS server before the BTI7800 attempts to contact the next RADIUS server.

      For example, to specify 5 attempts:

      bti7800(config-system)# radius options attempts 5
    2. Specify the timeout value for the access request.

      For example, to specify 10 seconds:

      bti7800(config-system)# radius options timeout 10
  5. Apply the provisioning.

    bti7800(config-system)# commit

The BTI7800 is now configured to use the configured RADIUS servers. Ensure any firewalls in the path are configured to allow RADIUS packets. Use the ping and traceroute commands to test the connectivity to each RADIUS server.

Provisioning TACACS+ Authentication and Authorization

Use this procedure to configure the BTI7800 to use TACACS+ authentication and authorization.

Note

In releases lower than release 4.3, you must have superuser privileges to provision TACACS+ authentication and authorization. In releases 4.3 and higher, you can provision TACACS+ authentication and authorization with the provisioning privilege.

  1. Specify the IP address of the TACACS+ server.

    For example:

    bti7800(config)# system tacacs-plus server 10.1.1.1
  2. Specify the shared secret to use.

    For example:

    bti7800(config-server-10.1.1.1)# shared-secret <password>
  3. Optionally, specify the authentication port to use.

    For example:

    bti7800(config-server-10.1.1.1)# authentication-port 49
  4. Repeat steps 1 through 3 for each TACACS+ server you want to use.
  5. Optionally, configure the TACACS+ system parameters.

    For example, to set the timeout:

    bti7800(config-system)# tacacs-plus options timeout 5
  6. Apply the provisioning.

    bti7800(config-system)# commit

The BTI7800 is now configured to use the configured TACACS+ servers. Ensure any firewalls in the path are configured to allow TACACS+ packets. Use the ping and traceroute commands to test the connectivity to each TACACS+ server.

Release History Table

Release   Description
4.3       In releases 4.3 and higher, you can provision RADIUS authentication and authorization with the provisioning privilege.
4.3       In releases 4.3 and higher, you can provision TACACS+ authentication and authorization with the provisioning privilege.
4.1       TACACS+ is supported starting with release 4.1.
4.1       If authentication is not successful due to bad credentials, the user is denied access.