Realms, Groups and VSAs, Login Order of Operations – Avaya 580 User Manual

Document No. 10-300077, Issue 2

4-21

Security

Similarly, when the same user logs in to a switch on the South campus, the
message will append @AvayaRealm and a group name of SouthSwitches.
The RADIUS server will send an Access-Accept message indicating that
the user has read-only permission.

Realms

A realm provides a mechanism by which a RADIUS manager can organize
user accounts. Consult the RADIUS vendor documentation for information
on how to create realms on the server. Once created, user accounts are
placed in the realms. The realm name is also configured on the NADs, and
when the NADs send Access-Request messages, the user name is appended
with an at sign (@) and the realm name.

For example: User Bob in AvayaRealm logs in to the switch as Bob. The
Avaya switch sends an Access-Request message for user
Bob@AvayaRealm. The RADIUS server, upon receiving the request,
searches for Bob in the AvayaRealm.

Groups and VSAs

To provide user accounts the same granularity of privileges that local
authentication provides, you can configure vendor-specific attributes
(VSAs) on the RADIUS server and a group name on the switch. After you
set the group name, the switch includes it in Access-Request messages that
it sends to the RADIUS server.

If the user name, password, and group name match those of the user account,
the RADIUS server sends an Access-Accept message to the client. VSAs
that identify the privileges the user has are included in the Access-Accept
message.

* Note: If a user has a RADIUS account that does not contain a group
name, the RADIUS server still responds with an Access-Accept
message; but the message does not contain a group name or
VSAs. This absence of a group name presents a potential
security risk. For more information, see “Configuring a
RADIUS Client” later in this chapter.

Login Order of Operations

When a user attempts to log in to the Avaya switch, the switch first checks
the local user accounts for the user name and password. If found, the user is
logged in using the local settings for that account.

If no local account is found and RADIUS is enabled and configured, the
switch sends an Access-Request message to the primary RADIUS server in
an attempt to authenticate the user remotely. If the user name and password
are found and correct, the RADIUS server responds with an Access-Accept message
that includes the user privileges. If the user account has the appropriate
management type (for example, Web if he or she is trying to log in to the
Web Agent), the user is granted access.
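The three mechanisms on this page (realm suffixing of the user name, group matching with VSAs, and the local-then-RADIUS login order) combined in one added Python model. This is constructed example code, not the switch's or any RADIUS server's implementation; the account data, the VSA names, the handling of a non-matching group, and the choice to deny on an Access-Accept that carries no group are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample data (not from the manual): local accounts on the switch,
# and a RADIUS user database organised by realm. Account "Carol" was created
# without a group name, the case the note above warns about.
LOCAL_ACCOUNTS = {"admin": {"password": "local-pw", "level": "read-write"}}
RADIUS_DB = {
    "AvayaRealm": {
        "Bob": {"password": "bob-pw", "group": "SouthSwitches",
                "vsas": {"access-level": "read-only", "mgmt-types": {"CLI", "Web"}}},
        "Carol": {"password": "carol-pw", "group": None, "vsas": {}},
    }
}

@dataclass
class AccessAccept:
    group: Optional[str]   # None models an Access-Accept without a group name
    vsas: dict             # empty when no VSAs were attached

def request_username(user: str, realm: str) -> str:
    """The NAD appends '@' and the configured realm name to the user name."""
    return f"{user}@{realm}"

def radius_server(username: str, password: str, group: str) -> Optional[AccessAccept]:
    """Constructed server logic. Returns None for Access-Reject. VSAs are attached
    only when the group name in the request matches the account's group
    (treating a non-matching group like a missing one is an assumption)."""
    user, _, realm = username.rpartition("@")     # split at the realm separator
    acct = RADIUS_DB.get(realm, {}).get(user)      # search for the user in that realm
    if acct is None or acct["password"] != password:
        return None
    if acct["group"] is not None and acct["group"] == group:
        return AccessAccept(acct["group"], acct["vsas"])
    return AccessAccept(None, {})                  # accept, but no group and no VSAs

def login(user: str, password: str, mgmt_type: str,
          realm: str = "AvayaRealm", switch_group: str = "SouthSwitches"):
    """Login order of operations: local accounts first, then the RADIUS server."""
    local = LOCAL_ACCOUNTS.get(user)
    if local is not None and local["password"] == password:
        return ("local", local["level"])
    accept = radius_server(request_username(user, realm), password, switch_group)
    if accept is None:
        return ("denied", "reject")
    if accept.group is None:
        # Defensive choice (assumption, not stated switch behaviour): an accept
        # carrying no group or VSAs grants no privilege, so deny the login.
        return ("denied", "no-group")
    if mgmt_type not in accept.vsas["mgmt-types"]:
        return ("denied", "mgmt-type")
    return ("radius", accept.vsas["access-level"])
```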
