
KNOWLEDGE BASE ARTICLE

Article Number 1066

Configuring RADIUS Support To Allow Remote SSH Connections To Controllers
Category: Product
Product: Controller
Subproduct: Software
Feature: VxWorks OS
Software Version: 3.5.0+

Issue

As of Ovation 3.5.0, the capability to telnet into controllers has been removed for security
design considerations. Those capabilities that require remote shell access to the controllers
are still available to Emerson engineers via SSH connection and authentication via Remote
Authentication Dial In User Service (RADIUS), but first require additional configuration of
Network Policy and Access Services on the "primary" Domain Controller.

Initial Date: March, 2013
Last Updated: September, 2015

Local (unauthenticated) console access to the controllers is still available via RJ-45 port
(OCR400) and micro USB port (OCR1100). The pin-out detail of the DG-9/RJ-45 connector
for OCR400s is the subject of Knowledge Base Article #135.

Workaround

N/A

Solution

These RADIUS capabilities can be configured per the instructions available in the Managing
Security for Ovation 3.x (OW3xx_40) user documentation for Ovation 3.5.0 and newer.

The Shared Secret that is required to partially facilitate this authentication for Ovation
controllers is presently hard-coded into the Ovation 3.5.0 software. It is mentioned in the
user documentation, but its value is intentionally omitted there for security considerations.
This Shared Secret is being made available in this article for the specific purpose of
allowing Emerson personnel to configure these remote access capabilities.

Reasonable attempts should be made to withhold the Shared Secret from non-Emerson personnel
and to have the RADIUS configuration implemented directly by Emerson personnel. Efforts should
be taken to avoid sharing this information externally, when and where possible. However, when
directly requested by a customer, the Ovation-CERT team has agreed that it is acceptable to
reveal this information.

The Shared Secret is "Ovation35" (case-sensitive).


Please note that, for the purpose of supporting SSH connections, partner controllers need
to be independently configured as separate hosts in the RADIUS Clients list.

Also, like the Ovation Security Server software component, the RADIUS authentication
capabilities are presently only supported on the "primary" Domain Controller, in domains
with multiple Domain Controllers.

Once fully configured, establishing an SSH connection will require the use of an SSH client.
PuTTY has been established as the standard SSH client of choice for this purpose, but is
unable to be supplied as part of Ovation for licensing reasons. It can be downloaded from
https://sourceforge.net/projects/putty.mirror/

Report generated on May 15, 2016 by Roann Jermaine Regio

Lastly, it is important to note that establishing an SSH connection to a controller will
immediately put the controller into alarm with the following message, to alert users of a
remote login:

Controller Error : Subsystem Error : Controller Shell : 0x1 : 0x0 : 0x0 : 0x0

Corresponding to:

Fault Code: 66
Fault ID: A
Fault Parameter 1: 6
Fault Parameter 2: 1

This information does not appear to have been added to the Fault Information Tool as of
the initial date of this article, though an SDR on this subject has been entered.

Also, please be aware that all commands entered via the SSH connection are captured and
logged via syslog, and will thus appear in the Ovation Error Log and/or SIEM appliance, if
so configured.
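
A detection sketch for the alarm and logging behaviour described above, added here as an example and not part of the original article or of Ovation: it scans log lines for the Controller Shell alarm and marks remote logins that fall outside an approved maintenance window. The timestamp-and-host line prefix, the drop names and the window table are assumptions, and the sample lines are constructed.

```python
import re
from datetime import datetime

# Alarm text as given in the article; the four hex parameters are captured
# rather than fixed, so the same alarm with other values still matches.
ALARM = re.compile(
    r"Controller Error\s*:\s*Subsystem Error\s*:\s*Controller Shell"
    r"((?:\s*:\s*0x[0-9A-Fa-f]+){4})"
)
# Assumed line prefix (not from the article): ISO timestamp, then host name.
PREFIX = re.compile(r"^(\S+)\s+(\S+)\s+")

def find_remote_logins(lines, approved_windows):
    """Return one dict per Controller Shell alarm found in lines.

    approved_windows (hypothetical structure) maps host -> [(start, end)]
    datetimes during which a remote SSH session is expected.
    """
    hits = []
    for line in lines:
        alarm = ALARM.search(line)
        if not alarm:
            continue
        prefix = PREFIX.match(line)
        try:
            when, host = datetime.fromisoformat(prefix.group(1)), prefix.group(2)
        except (AttributeError, ValueError):
            when, host = None, None  # unparseable prefix: report it, never approve it
        params = re.findall(r"0x[0-9A-Fa-f]+", alarm.group(1))
        approved = when is not None and any(
            s <= when <= e for s, e in approved_windows.get(host, ()))
        hits.append({"time": when, "host": host, "params": params, "approved": approved})
    return hits

# Constructed sample log lines; only the Controller Shell text is from the article.
SAMPLE = [
    "2016-05-15T09:58:40 drop1 unrelated message",
    "2016-05-15T10:02:11 drop1 Controller Error : Subsystem Error : Controller Shell : 0x1 : 0x0 : 0x0 : 0x0",
    "2016-05-15T23:41:07 drop51 Controller Error : Subsystem Error : Controller Shell : 0x1 : 0x0 : 0x0 : 0x0",
    "2016-05-15T23:45:00 drop51 Controller Error : Subsystem Error : Other Subsystem : 0x2 : 0x0 : 0x0 : 0x0",
]
WINDOWS = {"drop1": [(datetime(2016, 5, 15, 10, 0), datetime(2016, 5, 15, 12, 0))]}

if __name__ == "__main__":
    for hit in find_remote_logins(SAMPLE, WINDOWS):
        status = "approved" if hit["approved"] else "UNAPPROVED"
        print(hit["time"], hit["host"], status, hit["params"])
```
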

Entered By: Tarek El Mohamad

FEA?/FEA Number: yes / 396
SDR?/SDR Number: yes / 19501
REA?/REA Number: no / 0
IUI?/IUI Number: no / 0
Notif?/Notif Number: no / 0
CAR?/CAR Number: no / 0
Patch Available?: no

Link #1
Link #2
Link #3
Link #4
Link #5
Live Article URL: http://uspit-web12.emrsn.org/kb.a5w?kb_filter=id=1066
