Radius authorization, Radius accounting – Brocade BigIron RX Series Configuration Guide User Manual


BigIron RX Series Configuration Guide

53-1002484-04

Configuring RADIUS security


A list of commands

Whether the user is allowed or denied usage of the commands in the list

The last two attributes are used with RADIUS authorization, if configured.

9. The user is authenticated, and the information supplied in the Access-Accept packet for the user is stored on the BigIron RX. The user is granted the specified privilege level. If you configure RADIUS authorization, the user is allowed or denied usage of the commands in the list.

RADIUS authorization

When RADIUS authorization takes place, the following events occur.

1. A user previously authenticated by a RADIUS server enters a command on the BigIron RX.

2. The BigIron RX looks at its configuration to see if the command is at a privilege level that requires RADIUS command authorization.

3. If the command belongs to a privilege level that requires authorization, the BigIron RX looks at the list of commands delivered to it in the RADIUS Access-Accept packet when the user was authenticated. (Along with the command list, an attribute was sent that specifies whether the user is permitted or denied usage of the commands in the list.)

NOTE

After RADIUS authentication takes place, the command list resides on the BigIron RX. The
RADIUS server is not consulted again once the user has been authenticated. This means that
any changes made to the user’s command list on the RADIUS server are not reflected until the
next time the user is authenticated by the RADIUS server, and the new command list is sent to
the BigIron RX.

4. If the command list indicates that the user is authorized to use the command, the command is executed.

RADIUS accounting

RADIUS accounting works as follows.

1. One of the following events occurs on the BigIron RX:

A user logs into the management interface using Telnet or SSH

A user enters a command for which accounting has been configured

A system event occurs, such as a reboot or reloading of the configuration file

2. The BigIron RX checks its configuration to see if the event is one for which RADIUS accounting is required.

3. If the event requires RADIUS accounting, the BigIron RX sends a RADIUS Accounting Start packet to the RADIUS accounting server, containing information about the event.

4. The RADIUS accounting server acknowledges the Accounting Start packet.

5. The RADIUS accounting server records information about the event.

6. When the event is concluded, the BigIron RX sends an Accounting Stop packet to the RADIUS accounting server.

7. The RADIUS accounting server acknowledges the Accounting Stop packet.
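
The Start/Stop exchange in the steps above, as an added Python example that is not from the Brocade guide: it builds Accounting-Request packets and verifies the acknowledgments using the authenticator rules of RFC 2866. The user name, session ID, NAS address and shared secret are constructed values, and the attribute set is an assumption, since the guide does not list what the BigIron RX sends.

```python
import hashlib
import hmac
import struct

# RFC 2866 packet codes and attribute types
ACCT_REQUEST, ACCT_RESPONSE = 4, 5
USER_NAME, NAS_IP_ADDRESS, ACCT_STATUS_TYPE, ACCT_SESSION_ID = 1, 4, 40, 44
START, STOP = 1, 2  # Acct-Status-Type values

def attr(type_, value):
    """Encode one attribute as type, length, value."""
    return struct.pack("!BB", type_, len(value) + 2) + value

def build_request(ident, status, user, session, secret):
    """Accounting-Request as the NAS (here, the switch) would send it."""
    attrs = (attr(USER_NAME, user)
             + attr(NAS_IP_ADDRESS, bytes([192, 0, 2, 10]))  # constructed address
             + attr(ACCT_STATUS_TYPE, struct.pack("!I", status))
             + attr(ACCT_SESSION_ID, session))
    header = struct.pack("!BBH", ACCT_REQUEST, ident, 20 + len(attrs))
    # Request Authenticator: MD5 over the packet with 16 zero octets, then the secret.
    auth = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + auth + attrs

def check_request(packet, secret):
    """Server side: recompute the Request Authenticator before recording the event."""
    header, auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return hmac.compare_digest(expected, auth)

def build_response(request, secret):
    """Accounting-Response (the acknowledgment), bound to the request's authenticator."""
    header = struct.pack("!BBH", ACCT_RESPONSE, request[1], 20)
    return header + hashlib.md5(header + request[4:20] + secret).digest()

def check_response(response, request, secret):
    """NAS side: accept the acknowledgment only if it matches the request and secret."""
    if response[0] != ACCT_RESPONSE or response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])

def demo(secret=b"constructed-shared-secret"):
    """Run a Start and a Stop exchange; return (request_ok, ack_ok) for each."""
    results = []
    for ident, status in ((1, START), (2, STOP)):
        req = build_request(ident, status, b"admin", b"sess-0001", secret)
        ack = build_response(req, secret)
        results.append((check_request(req, secret), check_response(ack, req, secret)))
    return results
```

The authenticator only proves knowledge of the shared secret and detects modification; the attributes themselves, including the user name, are carried unencrypted.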
