Netopia 3346N-ENT User Guide (en)

10-8  Firmware User Guide
In the latter two modes that involve both RADIUS and the local database, if the local database includes 
no username/password pairs, authentication will succeed only if the RADIUS ser ver authenticates the user. 
This differs from the Local Only mode where no authentication is per formed when the local database is empty.
If the primar y RADIUS ser ver responds with an access rejection or an access challenge, the alternate RADIUS 
ser ver is not contacted. Only if the primar y RADIUS ser ver fails to respond at all is the alternate RADIUS ser ver 
Therefore, do not attempt to select any of the RADIUS options unless you have a RADIUS ser ver correctly 
configured for this purpose. If you attempt to use RADIUS authentication without a RADIUS ser ver, you will lose 
your configuration access to the router.
The Advanced Security Options screen suppor ts both a primar y RADIUS ser ver and an alternate RADIUS 
ser ver. When the router is configured to authenticate using RADIUS, it will first attempt to contact the 
primar y RADIUS ser ver; if the primar y RADIUS ser ver responds, RADIUS authentication succeeds or fails 
based on the response returned by the primar y ser ver. If and only if the primar y ser ver fails to respond, the 
router will attempt to contact the alternate RADIUS ser ver to authenticate the user. The router makes two 
attempts per ser ver, three seconds apar t. 
You can specify the Remote Server Addr/Name and the Alt Remote Server Addr/Name either by using a 
hostname to be resolved using the Domain Name System (DNS) information configured in the router or by 
using an IP address in dotted-quad notation. The RADIUS Ser ver Addr/Name items are limited to 63 
In addition to specifying the ser ver’s hostname or IP address, you must also specify a Remote Server 
Secret and an Alt Remote Server Secret (if configured) known to both the router and the RADIUS ser ver. 
The secret is used to encr ypt RADIUS transactions in transit. The RADIUS Ser ver Secret items are limited 
to 31 characters.
The router’s RADIUS client implementation suppor ts passwords longer than 16 characters and properly 
encr ypts such passwords per RFC 2138. Not all RADIUS ser ver implementations handle passwords longer 
than 16 characters.
RADIUS Identifier can be either an IP address or an arbitrar y string to be used as the identifier in the 
router’s outgoing Access-Request packets. The RADIUS identifier is limited to 63 characters.
RADIUS Server Authentication Port specifies the UDP destination por t to which the router’s RADIUS 
authentication requests will be sent. The default value is 1812, the official IANA-assigned UDP por t 
number for the RADIUS authentication ser vice.
TACACS+ server authentication
Netopia Firmware Version 8.6.1 suppor ts TACACS+ ser ver authentication. Its application to a Netopia Router is 
to control access to the Router’s management inter face, and to audit commands submitted by a user.
TACACS (Terminal Access Controller Access Control System) protocol provides access control for Netopia 
Routers via a centralized ser ver. TACACS+ provides separate authentication, authorization and accounting 
ser vices.
TACACS allows a client to accept a username and password and quer y a TACACS authentication ser ver.