
Cradlepoint Advanced Authentication


Firmware Version: 5.4.x - for information on upgrading firmware, click here

Firmware version 6.0 has been released and introduces a vastly improved GUI for all current Series 3 routers. Cradlepoint has created new Knowledge Base articles with updated screenshots and instructions for the new GUI layout. As a result, this article has received its final update. To view the version of this Knowledge Base article for Firmware 6.0 and later, please click here.
 


Summary

SUMMARY:

This document is intended to assist users in configuring a Cradlepoint AER 2100, ARC MBR1400, CBA750B, or COR 600 Series router for TACACS or RADIUS authentication. We will also review our local authentication features and touch on security best practices.

 


SECURITY BEST PRACTICES:

  1. It is recommended that you do not use commonly attacked usernames like admin or root.
    • The admin account is on by default. To remove this account, create a new username and password, then log out of the router. Log back in with the new username and password. You will then have the ability to delete the admin account.
  2. It is recommended that you use complex passwords that combine upper and lower case letters, numbers and special characters. Use no fewer than seven characters in a password.
    • Examples of passwords that you should never use:
      • Password, 12345678, any combination of your name, single dictionary words like monkey, baseball, football etc.
  3. Never use plain dictionary words, as they can be exploited by a brute force attack.
  4. Avoid writing down your complex password by using passphrases.
    • Complex password example: 9Hy#b!3nUvL
      • This password is strong but is typically written down somewhere, which should be avoided at all costs.
    • Passphrase example: HowCould13DucksKnow?
      • Using a combination of words creates an easy-to-remember phrase that is very difficult to crack due to its complexity and length.
  5. Change your password every 3 months.
The above security practices comply with the Payment Card Industry (PCI) standards.

 


Configuration


ADVANCED AUTHENTICATION OPTIONS:

  1. Log in to the Cradlepoint router and browse to System Settings > Administration. In the column on your right, click the tab for Router Security.

  2. You will now have the option to click the Advanced Security Mode box, which will expand the three advanced security options available (listed below). The advantage of server authentication is that you can control access to numerous routers using one server-based control point. This provides accountability by logging user activity and allows users to be added, removed, or disabled with ease.

  • Local Users Authentication

  • TACACS+ or Terminal Access Controller Access-Control System Plus

  • RADIUS or Remote Authentication Dial In User Service


  • Enabling Ban IP Address will keep track of how many times an IP address has unsuccessfully attempted to log in. After 6 unsuccessful attempts the router will block that IP for 30 minutes before allowing it to retry.
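
A model of the Ban IP Address behaviour described above, as an added example rather than Cradlepoint firmware code: it counts how many password guesses a single source address gets evaluated under the 6-failure, 30-minute rule. How the router resets its counter is not stated in this article, so the reset-on-success and reset-after-ban behaviour below are assumptions, and 203.0.113.10 is a documentation address.

```python
# Added illustration: a model of the "Ban IP Address" rule, not router code.
# The threshold and ban length come from the article; counter resets are assumed.
from collections import defaultdict

MAX_FAILURES = 6          # unsuccessful attempts before the ban (article)
BAN_SECONDS = 30 * 60     # ban length (article)


class BanTracker:
    def __init__(self):
        self.failures = defaultdict(int)   # ip -> failed logins since last reset
        self.banned_until = {}             # ip -> second at which the ban ends

    def is_banned(self, ip, now):
        return now < self.banned_until.get(ip, 0)

    def record_attempt(self, ip, success, now):
        """Return 'banned', 'ok' or 'failed' for one login attempt."""
        if self.is_banned(ip, now):
            return "banned"                # refused without checking the password
        if success:
            self.failures.pop(ip, None)    # assumption: success clears the count
            return "ok"
        self.failures[ip] += 1
        if self.failures[ip] >= MAX_FAILURES:
            self.banned_until[ip] = now + BAN_SECONDS
            self.failures.pop(ip, None)    # assumption: count restarts after a ban
        return "failed"


def guesses_evaluated(duration_seconds, attempt_interval=1):
    """Count the guesses one source IP gets evaluated in the given time span."""
    tracker, evaluated = BanTracker(), 0
    for now in range(0, duration_seconds, attempt_interval):
        if tracker.record_attempt("203.0.113.10", False, now) == "failed":
            evaluated += 1
    return evaluated
```

In this model a single address gets 12 guesses evaluated per hour and 288 per day. The count is kept per IP address, so the ban complements the password guidance above rather than replacing it.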


 

Local User Authentication Mode:

Local User Authentication Mode will allow you to add a unique username and require a password that is a minimum of seven characters. Once you click Apply, you will be prompted for both a username and password at the login screen.




TACACS+ or Terminal Access Controller Access-Control System Plus:
 

  1. Using the Authentication Mode: pull-down box, select TACACS+.
  2. Select the timeout in seconds that the Cradlepoint will wait before ending the authentication session to the TACACS+ server.
  3. Select the Authentication Service:
    • ASCII/Login (Plain text)
    • PAP - Password Authentication Protocol
    • CHAP - Challenge Handshake Authentication Protocol – CHAP provides the best security
  • Server 1:
    1. The server address can be either an IP address or a Fully Qualified Domain Name (FQDN).
      • If you are using an FQDN, ensure that you can resolve the DNS name from the Cradlepoint by using the Ping tool under System Settings > System Control > Advanced Control > Ping Test. Additionally, you should run the same test when configuring an IP address.
    2. TCP port 49 is the common default for TACACS+. This can be changed.
    3. Enter the Shared Secret password configured on the TACACS+ server.
    4. Repeat the process for a second server. This is optional but recommended.

NOTE: The Cradlepoint router requires that, when a TACACS+ server is challenged for authentication, it returns privilege level "15" or "root". All other privileges will fail to allow authentication to the Cradlepoint router.




RADIUS or Remote Authentication Dial In User Service:

  1. Using the Authentication Mode: pull-down box, select RADIUS.
  2. Select the timeout in seconds that the Cradlepoint will wait before ending the authentication session to the RADIUS server.
  • Server 1:
    1. The server address can be either an IP address or a Fully Qualified Domain Name (FQDN).
      • If you are using an FQDN, ensure that you can resolve the DNS name from the Cradlepoint by using the Ping tool under System Settings > System Control > Advanced Control > Ping Test. Additionally, you should run the same test when configuring an IP address.
    2. UDP port 1812 is the common default used by RADIUS. This can be changed.
    3. Enter the Shared Secret password configured on the RADIUS server.
    4. Repeat the process for a second server. This is optional but recommended.

NOTE: The Cradlepoint router requires the RADIUS server to provide users managing the Cradlepoint router full administrative rights. All other privileges will fail to allow authentications to the Cradlepoint router.
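
One way to confirm the server address, UDP port 1812 and shared secret from an admin workstation before entering them on the router, as an added example that is not Cradlepoint code: it builds a PAP Access-Request as laid out in RFC 2865 and checks that the reply was computed with the same shared secret. The function names and the NAS-Identifier value "radius-precheck" are constructed for this example; host, user, password and secret are supplied by the caller.

```python
# Added example, not Cradlepoint code; check_server() sends a single Access-Request.
import hashlib
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IDENTIFIER = 1, 2, 32


def hide_password(password, secret, authenticator):
    """RFC 2865 section 5.2: XOR each 16-byte block with an MD5 keystream."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out


def build_access_request(user, password, secret, ident, authenticator):
    fields = ((USER_NAME, user),
              (USER_PASSWORD, hide_password(password, secret, authenticator)),
              (NAS_IDENTIFIER, b"radius-precheck"))  # constructed NAS name
    attrs = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in fields)
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs


def response_is_authentic(reply, request_auth, secret):
    """Reply authenticator = MD5(code+id+length+request auth+attrs+secret)."""
    digest = hashlib.md5(reply[:4] + request_auth + reply[20:] + secret).digest()
    return len(reply) >= 20 and reply[4:20] == digest


def check_server(host, user, password, secret, port=1812, timeout=5):
    auth = os.urandom(16)
    request = build_access_request(user, password, secret, 1, auth)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (host, port))
        try:
            reply, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "timeout"          # unreachable, or request silently dropped
    if not response_is_authentic(reply, auth, secret):
        return "secret-mismatch"      # reply was not computed with our secret
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(reply[0], "other")
```

All arguments except host, port and timeout are bytes. A server configured to require the Message-Authenticator attribute will drop this request without answering, which shows up as "timeout".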


 


Published Date: 12/11/2014
