RADIUS, Introduction to RADIUS – Avaya P460 User Manual


Chapter 9

User Authentication

Avaya P460

Installation and Maintenance Guide


RADIUS

Introduction to RADIUS

Local user accounts (see "Local User Accounts" on page 55) are kept locally on the
switch. Therefore, if a site contains multiple Avaya switches, each switch must be
configured with its own user accounts. Additionally, if, for example, a
'read-write' user has to be changed into a 'read-only' user, all the 'read-write'
passwords configured locally in every switch must be changed to prevent that user
from accessing this level. This can be tedious at best and unmanageable at worst.
A better solution is to keep all of the user login information in a central
location where all the switches can access it. Enter Remote Authentication
Dial-In User Service (RADIUS).

RADIUS provides a mechanism for such consolidation. A RADIUS authentication
server is installed on a central computer at the customer's site. User
authentication (account) information that provides various degrees of access to
the switch is configured on this server. The P460 runs as a RADIUS client. When a
user attempts to log into the switch and there is no local user account for the
entered user name and password, the switch sends an Authentication Request to the
RADIUS server in an attempt to authenticate the user remotely. If the user name
and password are authenticated, the RADIUS server responds to the switch with an
Authentication Acknowledgement that includes information on the user's privileges
('administrator', 'read-write', or 'read-only'), and the user is allowed to gain
access to the switch. If the user is not authenticated, an Authentication Reject
is sent to the switch and the user is not allowed access to the switch's embedded
management.
