Avaya RADIUS User Manual

BayRS Version 15.1

Part No. 308640-15.1 Rev 00
October 2001

600 Technology Park Drive
Billerica, MA 01821-4130

Configuring RADIUS

Copyright © 2001 Nortel Networks

All rights reserved. October 2001.
The information in this document is subject to change without notice. The statements, configurations, technical data,

and recommendations in this document are believed to be accurate and reliable, but are presented without express or
implied warranty. Users must take full responsibility for their applications of any products specified in this document.
The information in this document is proprietary to Nortel Networks Inc.

The software described in this document is furnished under a license agreement and may only be used in accordance
with the terms of that license. The software license agreement is included in this document.

Trademarks

Nortel Networks, the Nortel Networks logo, the Globemark, Advanced Remote Node, AN, ANH, ARN, ASN,
BayRS, BaySecure, BCC, BLN, Passport, and System 5000 are trademarks of Nortel Networks.

Adobe and Acrobat Reader are trademarks of Adobe Systems Incorporated.
Microsoft, MS, MS-DOS, Win32, Windows, and Windows NT are trademarks of Microsoft Corporation.
NetWare is a trademark of Novell, Inc.
SecurID is a trademark of RSA Security Inc.
UNIX is a trademark of X/Open Company Limited.
The asterisk after a name denotes a trademarked item.

Restricted Rights Legend

Use, duplication, or disclosure by the United States Government is subject to restrictions as set forth in subparagraph
(c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013.

Notwithstanding any other license agreement that may pertain to, or accompany the delivery of, this computer
software, the rights of the United States Government regarding its use, reproduction, and disclosure are as set forth in
the Commercial Computer Software-Restricted Rights clause at FAR 52.227-19.

Statement of Conditions

In the interest of improving internal design, operational function, and/or reliability, Nortel Networks Inc. reserves the
right to make changes to the products described in this document without notice.

Nortel Networks Inc. does not assume any liability that may occur due to the use or application of the product(s) or
circuit layout(s) described herein.

Portions of the code in this software product may be Copyright © 1988, Regents of the University of California. All
rights reserved. Redistribution and use in source and binary forms of such portions are permitted, provided that the
above copyright notice and this paragraph are duplicated in all such forms and that any documentation, advertising
materials, and other materials related to such distribution and use acknowledge that such portions of the software were
developed by the University of California, Berkeley. The name of the University may not be used to endorse or
promote products derived from such portions of the software without specific prior written permission.

SUCH PORTIONS OF THE SOFTWARE ARE PROVIDED “AS IS” AND WITHOUT ANY EXPRESS OR
IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.

In addition, the program and information contained herein are licensed only pursuant to a license agreement that
contains restrictions on use and disclosure (that may incorporate by reference certain limitations and notices imposed
by third parties).

ii

308640-15.1 Rev 00

Nortel Networks Inc. Software License Agreement

This Software License Agreement (“License Agreement”) is between you, the end-user (“Customer”) and Nortel
Networks Corporation and its subsidiaries and affiliates (“Nortel Networks”). PLEASE READ THE FOLLOWING
CAREFULLY. YOU MUST ACCEPT THESE LICENSE TERMS IN ORDER TO DOWNLOAD AND/OR USE
THE SOFTWARE. USE OF THE SOFTWARE CONSTITUTES YOUR ACCEPTANCE OF THIS LICENSE
AGREEMENT. If you do not accept these terms and conditions, return the Software, unused and in the original
shipping container, within 30 days of purchase to obtain a credit for the full purchase price.

“Software” is owned or licensed by Nortel Networks, its parent or one of its subsidiaries or affiliates, and is
copyrighted and licensed, not sold. Software consists of machine-readable instructions, its components, data,
audio-visual content (such as images, text, recordings or pictures) and related licensed materials including all whole or
partial copies. Nortel Networks grants you a license to use the Software only in the country where you acquired the
Software. You obtain no rights other than those granted to you under this License Agreement. You are responsible for
the selection of the Software and for the installation of, use of, and results obtained from the Software.

1. Licensed Use of Software. Nortel Networks grants Customer a nonexclusive license to use a copy of the
Software on only one machine at any one time or to the extent of the activation or authorized usage level, whichever is
applicable. To the extent Software is furnished for use with designated hardware or Customer furnished equipment
(“CFE”), Customer is granted a nonexclusive license to use Software only on such hardware or CFE, as applicable.
Software contains trade secrets and Customer agrees to treat Software as confidential information using the same care
and discretion Customer uses with its own similar information that it does not wish to disclose, publish or disseminate.
Customer will ensure that anyone who uses the Software does so only in compliance with the terms of this Agreement.
Customer shall not a) use, copy, modify, transfer or distribute the Software except as expressly authorized; b) reverse
assemble, reverse compile, reverse engineer or otherwise translate the Software; c) create derivative works or
modifications unless expressly authorized; or d) sublicense, rent or lease the Software. Licensors of intellectual
property to Nortel Networks are beneficiaries of this provision. Upon termination or breach of the license by
Customer or in the event designated hardware or CFE is no longer in use, Customer will promptly return the Software
to Nortel Networks or certify its destruction. Nortel Networks may audit by remote polling or other reasonable means
to determine Customer’s Software activation or usage levels. If suppliers of third party software included in Software
require Nortel Networks to include additional or different terms, Customer agrees to abide by such terms provided by
Nortel Networks with respect to such third party software.

2. Warranty. Except as may be otherwise expressly agreed to in writing between Nortel Networks and Customer,
Software is provided “AS IS” without any warranties (conditions) of any kind. NORTEL NETWORKS DISCLAIMS
ALL WARRANTIES (CONDITIONS) FOR THE SOFTWARE, EITHER EXPRESS OR IMPLIED, INCLUDING,
BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
PARTICULAR PURPOSE AND ANY WARRANTY OF NON-INFRINGEMENT. Nortel Networks is not obligated
to provide support of any kind for the Software. Some jurisdictions do not allow exclusion of implied warranties, and,
in such event, the above exclusions may not apply.

3. Limitation of Remedies. IN NO EVENT SHALL NORTEL NETWORKS OR ITS AGENTS OR SUPPLIERS
BE LIABLE FOR ANY OF THE FOLLOWING: a) DAMAGES BASED ON ANY THIRD PARTY CLAIM; b)
LOSS OF, OR DAMAGE TO, CUSTOMER’S RECORDS, FILES OR DATA; OR c) DIRECT, INDIRECT,
SPECIAL, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES (INCLUDING LOST PROFITS OR
SAVINGS), WHETHER IN CONTRACT, TORT OR OTHERWISE (INCLUDING NEGLIGENCE) ARISING OUT
OF YOUR USE OF THE SOFTWARE, EVEN IF NORTEL NETWORKS, ITS AGENTS OR SUPPLIERS HAVE
BEEN ADVISED OF THEIR POSSIBILITY. The forgoing limitations of remedies also apply to any developer and/or
supplier of the Software. Such developer and/or supplier is an intended beneficiary of this Section. Some jurisdictions
do not allow these limitations or exclusions and, in such event, they may not apply.

308640-15.1 Rev 00

iii

4. General

a. If Customer is the United States Government, the following paragraph shall apply: All Nortel Networks

Software available under this License Agreement is commercial computer software and commercial
computer software documentation and, in the event Software is licensed for or on behalf of the United States
Government, the respective rights to the software and software documentation are governed by Nortel
Networks standard commercial license in accordance with U.S. Federal Regulations at 48 C.F.R. Sections

12.212 (for non-DoD entities) and 48 C.F.R. 227.7202 (for DoD entities).

b. Customer may terminate the license at any time. Nortel Networks may terminate the license if Customer

fails to comply with the terms and conditions of this license. In either event, upon termination, Customer
must either return the Software to Nortel Networks or certify its destruction.

c. Customer is responsible for payment of any taxes, including personal property taxes, resulting from

Customer’s use of the Software. Customer agrees to comply with all applicable laws including all applicable
export and import laws and regulations.

d. Neither party may bring an action, regardless of form, more than two years after the cause of the action

arose.

e. The terms and conditions of this License Agreement form the complete and exclusive agreement between

Customer and Nortel Networks.

f. This License Agreement is governed by the laws of the country in which Customer acquires the Software. If

the Software is acquired in the United States, then this License Agreement is governed by the laws of the
state of New York.

iv

308640-15.1 Rev 00

Contents

Preface

Before You Begin .............................................................................................................. xi

Text Conventions ..............................................................................................................xii

Acronyms .........................................................................................................................xiv

Hard-Copy Technical Manuals ......................................................................................... xv

How to Get Help .............................................................................................................. xv

Chapter 1
RADIUS Overview

How RADIUS Works ....................................................................................................... 1-2

Configuring RADIUS ....................................................................................................... 1-4

Nortel Networks RADIUS Implementation ...................................................................... 1-5

RADIUS Authentication .................................................................................................. 1-6

Using SecurID for Radius Authentication ................................................................. 1-6

Using RADIUS with Multilevel Access to the Router ................................................1-7

Using IP and IPX Unnumbered Protocols for PPP Connections .............................. 1-8

Using RADIUS with a Dial Service ...........................................................................1-8

Configuring Vendor-Specific Attributes (VSAs) for Authentication ...........................1-9

Using RADIUS with Demand Circuit Groups (Site Manager only) ...........................1-9

Configuring the Remote User to Work with the RADIUS Client .............................1-10

Using RADIUS with IP Utilities ...............................................................................1-10

RADIUS Accounting .....................................................................................................1-11

Using IP and IPX Unnumbered Protocols for PPP Connections ............................1-12

Using Dial VPN Services with Multilink PPP Accounting .......................................1-12

Using RADIUS with a Dial Service .........................................................................1-13

Using RADIUS with Demand Circuit Groups (Site Manager only) .........................1-13

Using RADIUS-Compatible Servers with the RADIUS Client .......................................1-13

308640-15.1 Rev 00

v

Accepting a Remote User’s IP Address ........................................................................1-14

Configuring a RADIUS Client .......................................................................................1-14

For More Information ....................................................................................................1-15

Chapter 2
Starting RADIUS

Before You Begin ............................................................................................................ 2-2

Starting Configuration Tools ........................................................................................... 2-2

Enabling RADIUS ...........................................................................................................2-3

Configuring Multiple RADIUS Clients .............................................................................2-8

Chapter 3
Customizing the RADIUS Client Configuration

Modifying the Client’s IP Address ...................................................................................3-1

Modifying the Authentication and Accounting Services .................................................3-3

Modifying the Protocol for RADIUS Authentication .........................................................3-5

Modifying Router Access ................................................................................................3-6

Modifying the PPP Authentication Protocol ....................................................................3-7

Removing RADIUS Authentication and Accounting .......................................................3-8

Setting the Debug Message Level .................................................................................. 3-9

Chapter 4
Customizing the RADIUS Server Configuration

Modifying the Primary Server’s Password ...................................................................... 4-2

Modifying the Server Mode ............................................................................................. 4-3

Designating Authentication and Accounting UDP Ports .................................................4-4

Modifying the Server Response Time ............................................................................4-6

Modifying the Number of Client Requests to the Server ................................................4-7

Configuring Alternate Servers ........................................................................................4-9

Reconnecting to the Primary Server ............................................................................4-11

Changing the Primary and Alternate Servers ...............................................................4-12

Removing a Server Entry .............................................................................................4-14

Appendix A
Site Manager Parameters

Client IP Address Parameter ......................................................................................... A-2

Server Configuration Parameters .................................................................................. A-3

Protocol Parameters for RADIUS Authentication ........................................................... A-7

vi

308640-15.1 Rev 00

Appendix B
Monitoring RADIUS Using the
BCC show Commands

Online Help for show Commands .................................................................................. B-2

show radius alerts .......................................................................................................... B-3

show radius clients ........................................................................................................ B-4

show radius servers general .......................................................................................... B-5

show radius servers timers ............................................................................................ B-6

show radius stats accounting ......................................................................................... B-7

show radius stats authentication .................................................................................... B-8

Appendix C
Configuration Examples

Configuring RADIUS Authentication .............................................................................. C-2

Configuring RADIUS Accounting ................................................................................... C-6

Configuring RADIUS Accounting and Authentication .................................................. C-12

Appendix D
Vendor-Specific Attributes

Nortel Networks Vendor-Specific Attributes ................................................................... D-2

RADIUS Dictionary File ................................................................................................. D-3

Appendix E
Configuring RADIUS with SecurID

Configuring RADIUS Client and ACE/Server Attributes

on the Router ................................................................................................................. E-2

Configure a RADIUS Client .............................................................................. E-5

Configure a RADIUS Server ............................................................................. E-6

Select a Protocol for RADIUS Authentication .................................................. E-7

Configuring the ACE/Server .......................................................................................... E-8

Establishing User Authentication ................................................................................... E-8

Logging In the First Time Using “New PIN” Mode ................................................... E-9

Logging In with a Valid PIN ................................................................................... E-10

“Next Tokencode” Prompt ...................................................................................... E-10

Index

308640-15.1 Rev 00

vii

Figures

Figure 1-1. Sample Network Using RADIUS .............................................................. 1-3

Figure 2-1. BCC Hierarchy of Objects ........................................................................ 2-3

Figure 2-2. Configuration Manager Window ...............................................................2-3

Figure A-1. RADIUS Client Configuration Window .................................................... A-2

Figure A-2. RADIUS Server Configuration Window ................................................... A-3

Figure A-3. RADIUS Dial_In Protocol Window .......................................................... A-7

Figure C-1. Sample Network Using RADIUS Authentication ..................................... C-2

Figure C-2. Sample Network Using RADIUS Accounting .......................................... C-6

Figure C-3. Sample Network Configured for Dialing an Alternate Site .................... C-12

308640-15.1 Rev 00

ix

This guide describes Remote Authentication Dial-In User Service (RADIUS) and
what you do to start and customize RADIUS services on a Nortel Networks*
router.

You can use the Bay Command Console (BCC*) or Site Manager to configure
RADIUS on a router. In this guide, you will find instructions for using both the
BCC and Site Manager.

Before You Begin

Preface

Before using this guide, you must complete the following procedures. For a new
router:

• Install the router (see the installation guide that came with your router).

• Connect the router to the network and create a pilot configuration file (see

Make sure that you are running the latest version of Nortel Networks BayRS* and
Site Manager software. For information about upgrading BayRS and Site
Manager, see the upgrading guide for your version of BayRS.

308640-15.1 Rev 00

Quick-Starting Routers, Configuring Remote Access for AN and Passport
ARN Routers, or Connecting ASN Routers to a Network).

xi

Configuring RADIUS

Text Conventions

This guide uses the following text conventions:

angle brackets (< >) Indicate that you choose the text to enter based on the

description inside the brackets. Do not type the
brackets when entering the command.

Example: If the command syntax is:

ping

<ip_address>

ping 192.32.10.12

, you enter:

bold text

Indicates command names and options and text that
you need to enter.

Example: Enter

Example: Use the

show ip {alerts | routes

dinfo

command.

}.

braces ({}) Indicate required elements in syntax descriptions

where there is more than one option. You must choose
only one of the options. Do not type the braces when
entering the command.

Example: If the command syntax is:

show ip {alerts | routes
show ip alerts or show ip routes

}

, you must enter either:

, but not both.

brackets ([ ]) Indicate optional elements in syntax descriptions. Do

not type the brackets when entering the command.

Example: If the command syntax is:

show ip interfaces [-alerts
show ip interfaces

or

]

, you can enter either:

show ip interfaces -alerts

.

ellipsis points (. . . ) Indicate that you repeat the last element of the

command as needed.

xii

Example: If the command syntax is:

ethernet/2/1
ethernet/2/1

[<parameter> <value>]

and as many parameter-value pairs as

needed.

. . .

, you enter

308640-15.1 Rev 00

Preface

italic text Indicates new terms, book titles, and variables in

command syntax descriptions. Where a variable is two
or more words, the words are connected by an
underscore.

Example: If the command syntax is:

show at <valid_route>
valid_route

is one variable and you substitute one value

for it.

screen text Indicates system output, for example, prompts and

system messages.

Example:

Set Trap Monitor Filters

separator ( > ) Shows menu paths.

Example: Protocols > IP identifies the IP option on the
Protocols menu.

vertical line (

) Separates choices for command keywords and

|

arguments. Enter only one of the choices. Do not type
the vertical line when entering the command.

Example: If the command syntax is:

show ip {alerts | routes}
show ip alerts

or

, you enter either:

show ip routes

, but not both.

308640-15.1 Rev 00

xiii

Configuring RADIUS

Acronyms

This guide uses the following acronyms:

CHAP Challenge Handshake Authentication Protocol

DVS Dial VPN Services

FTP File Transfer Protocol

HTTP Hypertext Transfer Protocol

IP Internet Protocol

IPX Internetwork Protocol Exchange

IPXWAN Internet Packet Exchange Wide Area Network

ISDN Integrated Services Digital Network

ISP Internet service provider

LAN local area network

LCD liquid crystal display

xiv

NTP Network Time Protocol

OSPF Open Shortest Path First

PAP Password Authentication Protocol

POTS Plain Old Telephone Service

PPP Point-to-Point Protocol

RADIUS Remote Authentication Dial-In User Service

RAS remote access server

RIP Routing Information Protocol

SAP Service Advertising Protocol

TCP/IP Transmission Control Protocol/Internet Protocol

UDP User Datagram Protocol

VPN virtual private network

VSA vendor-specific attribute

WAN wide area network

308640-15.1 Rev 00

Hard-Copy Technical Manuals

You can print selected technical manuals and release notes free, directly from the
Internet. Go to the www.nortelnetworks.com/documentation URL. Find the
product for which you need documentation. Then locate the specific category and
model or version for your hardware or software product. Use Adobe* Acrobat
Reader* to open the manuals and release notes, search for the sections you need,
and print them on most standard printers. Go to Adobe Systems at the

www.adobe.com URL to download a free copy of the Adobe Acrobat Reader.

You can purchase selected documentation sets, CDs, and technical publications
through the Internet at the www1.fatbrain.com/documentation/nortel/ URL.

How to Get Help

If you purchased a service contract for your Nortel Networks product from a
distributor or authorized reseller, contact the technical support staff for that
distributor or reseller for assistance.

Preface

If you purchased a Nortel Networks service program, contact one of the following
Nortel Networks Technical Solutions Centers:

Additional information about the Nortel Networks Technical Solutions Centers is
available from the www.nortelnetworks.com/help/contact/global URL.

An Express Routing Code (ERC) is available for many Nortel Networks products
and services. When you use an ERC, your call is routed to a technical support
person who specializes in supporting that product or service.
your product or service, go to the

eserv/common/essContactUs.jsp

308640-15.1 Rev 00

Technical Solutions Center Telephone

Europe, Middle East, and Africa (33) (4) 92-966-968

North America (800) 4NORTEL or (800) 466-7835

Asia Pacific (61) (2) 9927-8800

China (800) 810-5000

To locate an ERC for

http://www130.nortelnetworks.com/cgi-bin/

URL.

xv

Chapter 1

RADIUS Overview

RADIUS (Remote Authentication Dial-In User Service) enables Internet service
providers (ISPs) to offer more remote access services to their customers. Remote
access is one of the fastest growing segments of the networking industry. Users in
branch offices, sales people in the field, and telecommuters are just a few of the
people who rely on remote access to do their jobs.

This chapter provides a conceptual overview of RADIUS, and explains how
Nortel Networks implements it. This chapter covers the following topics:

Topic Page

How RADIUS Works 1-2

Configuring RADIUS 1-4

Nortel Networks RADIUS Implementation 1-5

RADIUS Authentication 1-6

RADIUS Accounting 1-11

Using RADIUS-Compatible Servers with the RADIUS Client 1-13

Accepting a Remote User’s IP Address 1-14

Configuring a RADIUS Client 1-14

For More Information 1-15

308640-15.1 Rev 00

1-1

Configuring RADIUS

How RADIUS Works

As networks grow to accommodate more users, network security and billing
become more difficult to manage. RADIUS centralizes security and controls
billing services. RADIUS thus not only improves security but also adapts to the
ever-increasing volume and needs of remote users and service providers.

A RADIUS application has two components, the RADIUS server and the
RADIUS client.

The RADIUS server is a computer equipped with server software (for example, a
UNIX* workstation) that is located at a central office or campus. It has
authentication and access information in a form that is compatible with the client.
A network can have one server for both authentication and accounting, or one
server for each service.

The RADIUS client can be a router or a remote access server that is equipped with
client software and that typically resides on the same local area network (LAN)
segment as the server. The client is the network access point between the remote
users and the server.

1-2

RADIUS authentication lets you identify remote users before you give them
access to a central network site. RADIUS accounting enables the server to collect
data during a remote user’s dial-in session with the client. The server can then
determine billing charges.

308640-15.1 Rev 00

RADIUS Overview

Figure 1-1 shows a sample network using RADIUS over a POTS (Plain Old

Telephone Service) line and an ISDN (Integrated Services Digital Network).

MODEM

Remote dial-in

user

Remote dial-in

user

POTS

ISDN

RADIUS client

Figure 1-1. Sample Network Using RADIUS

BLN

RADIUS

server

CR0001A

308640-15.1 Rev 00

1-3

Configuring RADIUS

Configuring RADIUS

To configure the RADIUS server and client, follow these steps:

1.

Install the RADIUS server files. These files load at server startup and enable
the server to recognize the vendor-specific RADIUS clients.

• For Nortel Networks servers, copy the bayrs.dct, vendor.ini, and
dictiona.dcm files from the distribution CD to the directory you define at

installation time (usually C:\RADIUS\Services). For more information,
see Appendix D, “
Control Administration Guide for your platform (UNIX, NetWare*, or
Microsoft* Windows NT*).

• For non-Nortel Network servers, use the bayrs.dct file shown in

Appendix D

bayrs.dct file is in the format of some popular RADIUS servers, you may
be able to use it as a direct replacement for the existing RADIUS
dictionary. For more information, refer to the vendor-specific server
documentation.

2.

Configure the user-specific information in the RADIUS server database. For
more information, refer to the vendor-specific documentation.

Vendor-Specific Attributes” and the BaySecure Access

to modify your existing RADIUS dictionary. Because the

1-4

3.

Configure the BayRS RADIUS client using either Site Manager or the BCC.
For more information, see Chapters 2 through 4.

a.

Define the RADIUS slots and services to be provided (authentication,
accounting, or both).

b.

Configure the primary and secondary RADIUS servers.

4.

Configure RADIUS-enabled applications (dial services, HTTP, FTP, NTP,
Telnet ).

308640-15.1 Rev 00

Nortel Networks RADIUS Implementation

The following Nortel Networks platforms can operate as RADIUS clients:

• Access Node (AN*)

• Access Node Hub (ANH*)

• Access Stack Node (ASN*)

• Advanced Remote Node* (ARN*)

• Backbone Concentrator Node (BCN*)

• Backbone Link Node (BLN*)

• System 5000*

From one central location, RADIUS enables you to administer remote user
accounts through its full range of authentication and accounting services.
The remote users include:

• Routers with customized user profiles and routers from other vendors.
(RADIUS supports these routers by using vendor-specific attributes.)

• System administrators who log onto the RADIUS client from a local console
or Telnet.

RADIUS Overview

• Routers that act as dial-up servers (concentrators).

• Other services that the server can authenticate such as FTP and HTTP.

Note:

groups, Nortel Networks recommends using the BCC.

RADIUS supports unnumbered IP addresses (demand circuit groups) and
numbered IP addresses (dial-up services). RADIUS clients that use dial-up
services typically use demand circuits, but they can also use backup or bandwidth
circuits.

To enable RADIUS, you must specify the client’s Internet Protocol (IP) address.
As the RADIUS client, the router passes this address to the server when a remote
user makes an authentication or accounting request. The server will not accept the
request without the client’s IP address.

308640-15.1 Rev 00

To configure RADIUS with any service other than demand circuit

1-5

Configuring RADIUS

The client can also support a primary server, which is the original destination
server, and an alternate server, which is a server that the client contacts if it
cannot reach the primary server.

RADIUS Authentication

You configure RADIUS authentication on a slot-by-slot basis. Therefore, a call
designated for a RADIUS-configured slot can perform authentication. You can
also configure a slot for authentication even if the router is already using that slot
for a dial-up service. This includes dial-up services for both:

• Unnumbered IP addresses (demand circuit groups). For more information, see

“

Using IP and IPX Unnumbered Protocols for PPP Connections” on page 1-8.

• Numbered IP addresses (dial-on-demand, dial backup, and

bandwidth-on-demand). For more information, see “

Dial Service” on page 1-8.

When a remote user calls the RADIUS client, the client passes the call request,
referred to as the access challenge, to the RADIUS server. The access challenge
contains the user’s name and password. The server verifies the user’s identity and,
for authorized callers, responds with an access accept message, which includes
the required access information. This information is sent to the client, which
passes it to the remote user. If the remote user is not authorized, the server
responds with an access reject message.

Using RADIUS with a

The client can pass multiple requests to the server simultaneously. If the client
cannot reach the server, and you configured an alternate server, the client passes
the request to the alternate server.

The authentication process occurs only once for each call. Once RADIUS
authentication is complete, the remote user can communicate with the destination
network.

Using SecurID for Radius Authentication

For the highest level of protection from unauthorized users, you can use SecurID*
for RADIUS authentication. Nortel Networks implements SecurID on ARN
routers, which operate as RADIUS clients.

1-6

308640-15.1 Rev 00

RADIUS Overview

SecurID, a token-passing security feature developed by Security Dynamics, Inc.,
prohibits unauthorized users from accessing a RADIUS client through a router
management application (Telnet, HTTP, FTP, or the Technician Interface). A
RADIUS client configured with SecurID communicates with a centrally located
ACE/Server to identify and authenticate authorized users.

SecurID offers a more advanced level of authentication because it requires two
security checks instead of one. To access the protected router, you must enter a
valid SecurID PASSCODE, which consists of:

• A secret, memorized personal identification number (PIN)

• The current token code, generated by your assigned SecurID card. The token

code appears in the liquid crystal display (LCD) of the SecurID card. The
code changes at a specified interval, typically 60 seconds.

The combination of the PIN and the token code ensures exceptionally secure user
authentication and access control.

Each user authorized to access a RADIUS client configured with SecurID must
have an electronic SecurID card issued by Security Dynamics, Inc. Security
Dynamics programs each card with a PIN to uniquely identify its prospective
owner, and then assigns the card for exclusive use to that person only.

Using RADIUS with Multilevel Access to the Router

System administrators and network operators can use RADIUS authentication
services from a console connected to the router. This feature, which is part of
Nortel Networks multilevel access, grants authenticated users access to the router
for configuration and monitoring purposes. Nortel Networks recommends that
you use the BCC to configure multilevel access.

Multilevel access also assigns a privilege level that determines which system
commands the user can execute. For more information, see Appendix A in Using
the Bay Command Console (BCC).

308640-15.1 Rev 00

1-7

Configuring RADIUS

Using IP and IPX Unnumbered Protocols for PPP Connections

The RADIUS client supports IP and Internetwork Packet Exchange (IPX)
unnumbered interfaces, meaning that the circuit’s interface address is 0.0.0.0. All
remote users that dial in to the same slot on the client receive the same
unnumbered protocol configuration.

Note:

Unlike the circuit’s address, the RADIUS client’s address is a numbered

address.

The unnumbered circuit interface eliminates the need for a unique circuit
configuration for each remote user in a network. Therefore, an unnumbered circuit
interface reduces the configuration effort and the number of IP addresses that you
use for a large network. The client can activate any available circuit for an
incoming call because there is no specific address assigned to the circuit.

When you configure authentication for a router slot, Site Manager automatically
configures the dial-up circuits required for the client to accept calls from the
remote user. You are responsible for configuring only the unnumbered circuit
interfaces. If you use an FTP Telnet session, this configuration is unnecessary.

In addition to configuring unnumbered circuit interfaces, we recommend that you
enable IP or IPX triggered updates for the RADIUS client. The client uses
triggered updates to provide its local area network (LAN) with routing
information from the remote router. See Configuring IP, ARP, RARP, RIP, and
OSPF Services or Configuring IPX Services for more information about triggered
updates.

Using RADIUS with a Dial Service

To use RADIUS authentication with a dial service, you must configure at least one
of the three Nortel Networks dial services: dial-on-demand, dial backup, or
bandwidth-on-demand. The dial service enables the router to activate a dial-up
connection when it receives an incoming call. For information about configuring a
dial service, see Configuring Dial Services.

1-8

308640-15.1 Rev 00

RADIUS Overview

Configuring Vendor-Specific Attributes (VSAs) for Authentication

To authenticate a remote caller, the RADIUS client must identify the router
placing the call. Identify the remote caller by configuring the caller’s Challenge
Handshake Authentication Protocol (CHAP) or Password Authentication Protocol
(PAP) name and secret, so that it maps the local circuits to the name of the remote
caller.

• In slots not configured with RADIUS, identify the remote caller by
configuring the router’s caller resolution table. (For information about caller
resolution tables, see Configuring Dial Services.)

• In slots configured with RADIUS and dial circuits, configure the
vendor-specific attributes (VSAs) on the RADIUS server. The required VSA
is Bay-Local-IP-Address, which specifies the IP address of the local port.
This VSA must match the IP address of the interface receiving the call.

Note:

Do not configure a caller resolution table if you plan to use

vendor-specific attributes.

When a call comes in that needs authentication, the RADIUS client first checks
the router’s caller resolution table for an entry that identifies the caller.

• If the caller is authorized, the local router maps the caller to a local circuit,
and then activates that circuit.

• If that fails, and RADIUS is configured, the client sends the RADIUS server a
request for authentication.

Using RADIUS with Demand Circuit Groups (Site Manager only)

When configuring a RADIUS client using Site Manager, Site Manager
automatically configures a demand circuit group. You will need, however, to
configure a protocol for the demand circuit group. See “

RADIUS Authentication” on page 2-7.

To identify the remote user to the RADIUS server, the remote user uses the PPP
CHAP or PAP. The client includes the remote user’s CHAP name and secret or
PAP ID and password in the access challenge to the server. You cannot use VSAs
with demand circuit groups.

308640-15.1 Rev 00

Select a Protocol for

1-9

Configuring RADIUS

Configuring the Remote User to Work with the RADIUS Client

In most RADIUS networks, the remote user is a router. To enable the remote
router to work with the RADIUS authentication client, follow these guidelines:

• Enable dial-optimized routing.

The remote router sends routing updates to advertise its LAN to the client. By
enabling dial-optimized routing, you reduce the frequency of routing updates,
preventing the line from remaining active unnecessarily.

• Configure one-way PPP authentication.

The remote router must support one-way PPP authentication, meaning that
only the client sends CHAP challenges or PAP authentication requests to the
remote user. The remote user only recognizes and responds to the CHAP
challenges or PAP authentication requests from the client.

• Configure a default route in the routing table of the remote router.

The client does not advertise its LAN to the remote router. To specify the path
from the remote router to the client, you configure a default route, which is a
static route that enables the remote router to contact the client.

See Appendix C

for configuration examples.

Using RADIUS with IP Utilities

To use RADIUS authentication with an IP utility, you must configure the
RADIUS server so that it can recognize vendor-specific RADIUS clients.

Note:

To use RADIUS with IP utilities such as FTP, NTP, HTTP, and Telnet,

your RADIUS server must support VSAs.

• For Nortel Networks servers, copy the bayrs.dct, vendor.ini, and dictiona.dcm
files from the distribution CD to the directory you define at installation time
(usually C:\RADIUS\Services). For more information, see Appendix D,

“Vendor-Specific Attributes” and the BaySecure Access Control

Administration Guide for your platform (UNIX, NetWare, or NT).

1-10

308640-15.1 Rev 00

• For non-Nortel servers, use the bayrs.dct file shown in Appendix D to modify
your existing RADIUS dictionary. Because the bayrs.dct file is in the format
of some popular RADIUS servers, you may be able to use it as a direct
replacement for the existing RADIUS dictionary. For more information, refer
to the vendor-specific server documentation.

The Nortel Networks vendor ID is 1584, as allocated by the Internet Assigned
Numbers Authority. Use this ID in the VSA header.

For information on IP utilities, see Configuring IP Utilities.

RADIUS Accounting

You configure RADIUS accounting on a slot-by-slot basis. Therefore, a call
designated for a RADIUS-configured slot performs RADIUS accounting.

The RADIUS accounting server calculates billing charges for a communication
session between the remote user and the client. The RADIUS client sends
information to the server, such as the status of each call and the number of packets
transmitted during the session. Using this data, the server determines billing
charges, which the network administrator can use to manage network costs.

RADIUS Overview

An accounting session is the time during which the remote user communicates
with the client. The session begins when the client passes an accounting request
from the remote user to the server, with an accounting status byte set to start. The
session ends when the client sends a second request with the accounting status
byte set to stop. Multiple accounting sessions can occur simultaneously if there
are multiple dial-up connections.

The client sends accounting requests only to the server configured for accounting,
enabling you to use different servers for accounting and authentication.

If the client cannot reach the primary server after several attempts, and you
configured an alternate server, the client sends the accounting request to the
alternate server. If an accounting session starts with the primary server, and this
server goes down, the session is continued with the alternate server. Unless the
primary server recovers, the request to end the session is then sent to the alternate
server. To accurately determine billing charges, the network administrator collects
information from all accounting servers.

308640-15.1 Rev 00

1-11

Configuring RADIUS

Using IP and IPX Unnumbered Protocols for PPP Connections

The RADIUS client supports IP and IPX unnumbered interfaces, meaning that the
circuit’s interface address is 0.0.0.0. All remote users that dial in to the same slot
on the client receive the same unnumbered protocol configuration.

Note:

Unlike the circuit’s address, the RADIUS client’s address is a numbered

address.

The unnumbered circuit interface eliminates the need for a unique circuit
configuration for each remote user in a network. Therefore, an unnumbered circuit
interface reduces the configuration effort and the number of IP addresses that you
use for a large network. The client can activate any available circuit for an
incoming call because there is no specific address assigned to the circuit.

When you configure accounting for a router slot, Site Manager automatically
configures the dial-up circuits required for the client to accept calls from the
remote user. You are responsible for configuring only the unnumbered circuit
interfaces. If you use an FTP Telnet session, this configuration is unnecessary.

In addition to configuring unnumbered circuit interfaces, we recommend that you
enable IP or IPX triggered updates for the RADIUS client. The client uses
triggered updates to provide its local area network (LAN) with routing
information from the remote router. See Configuring IP, ARP, RARP, RIP, and
OSPF Services or Configuring IPX Services for more information about triggered
updates.

Using Dial VPN Services with Multilink PPP Accounting

The Dial VPN Services (DVS) feature reports multilink PPP (Point-to-Point
Protocol) usage to the RADIUS accounting server. Nortel Networks enables this
feature by default.

Prior to BayRS Version 14.00, DVS only reported one session per multilink
bundle to the RADIUS accounting server. Now, DVS reports one session per link,
so that as links are added or removed from a multilink bundle, the RADIUS
accounting server at the customer site receives accounting messages.

1-12

308640-15.1 Rev 00

RADIUS Overview

This new behavior resembles the operation of a RAS (remote access server) in
local (non-DVS) mode and allows customers to perform usage-based billing of
multilink PPP sessions.

In addition, the new multilink PPP accounting feature:

• Does not report the Termination-Cause attribute in the accounting STOP
message.

• Ensures uniqueness by having the gateway locally generate the NAS-Port,
Session-Id, and Multi-Session-Id attributes.

Using RADIUS with a Dial Service

To use RADIUS accounting on the router, you must configure at least one of the
three Nortel Networks dial services: dial-on-demand, dial backup, or
bandwidth-on-demand. The dial service enables the router to activate a dial-up
connection when it receives an incoming call. For information about dial services,
see Configuring Dial Services.

Using RADIUS with Demand Circuit Groups (Site Manager only)

When configuring a RADIUS client using Site Manager, Site Manager
automatically configures a demand circuit group. However, you will need to
configure a protocol for the demand circuit group. See “

RADIUS Authentication” on page 2-7.

To identify the remote user to the RADIUS server, the remote user uses the PPP
CHAP or PAP. The client includes the remote user’s CHAP name and secret or
PAP ID and password in the access challenge to the server. You cannot use VSAs
with demand circuit groups.

Select a Protocol for

Using RADIUS-Compatible Servers with the RADIUS Client

The Nortel Networks RADIUS client can communicate with any
RADIUS-compatible server. You must configure the server’s IP address so that
the client can communicate with the server.

308640-15.1 Rev 00

1-13

Configuring RADIUS

To ensure that a server is always available, you can configure one primary server
and multiple alternate servers. The client tries to connect to the primary server
first. If the primary server does not respond after a certain number of attempts, the
client sends the authentication or accounting request to the alternate server. Once
the primary server recovers, the client resumes communication with the primary
server.

Accepting a Remote User’s IP Address

The client accepts the IP address of a remote user only if the remote user is a PC,
not another router. The client does not support any other RADIUS extensions.

Configuring a RADIUS Client

Nortel Networks provides a script for configuring a RADIUS client on one or
more slots in a router. With this script, you can configure all selected slots in one
operation.

1-14

Note:

The RADIUS script configures each slot with the same configuration.

For information on running this script, see “

Clients” on page 2-8.

Configuring Multiple RADIUS

308640-15.1 Rev 00