Document No. 10-300077, Issue 2 4-21
Security
Similarly, when the same user logs in to a switch on the South campus, the
message will append @AvayaRealm and a group name of SouthSwitches.
The RADIUS server will send an Access-Accept message indicating that
the user has read-only permission.
Realms
A realm provides a mechanism by which a RADIUS manager can organize
user accounts. Consult the RADIUS vendor documentation for information
on how to create realms on the server. Once created, user accounts are
placed in the realms. The realm name is also configured on the NADs, and
when the NADs send Access-Request messages, the user name is appended
with an at sign (@) and the realm name.
For example: User Bob in AvayaRealm logs in to the switch as Bob. The
Avaya switch sends an Access-Request message for user
Bob@AvayaRealm. The RADIUS server, upon receiving the request,
searches for Bob in the AvayaRealm.
Groups and VSAs
To provide user accounts the same granularity of privileges that local
authentication provides, you can configure vendor-specific attributes
(VSAs) on the RADIUS server and a group name on the switch. After you
set the group name, the switch includes it in Access-Request messages that
it sends to the RADIUS server.
If the user name, password, and group name match that of the user account,
the RADIUS server sends an Access-Accept message to the client. VSAs
that identify the privileges the user has are included in the Access-Accept
message.
* Note: If a user has a RADIUS account that does not contain a group
name, the RADIUS server still responds with an Access-Accept
message; but the message does not contain a group name or
VSAs. This absence of a group name presents a potential
security risk. For more information, see “Configuring a
RADIUS Client” later in this chapter.
Login Order of Operations
When a user attempts to log in to the Avaya switch, the switch first checks
the local user accounts for the user name and password. If found, the user is
logged in using the local settings for that account.
If no local account is found and RADIUS is enabled and configured, the
switch sends an Access-Request message to the primary RADIUS server in
an attempt to authenticate the user remotely. If the user login is found and
correct, then the RADIUS server responds with an Access-Accept message
that includes the user privileges. If the user account has the appropriate
management type (for example, Web if he or she is trying to log in to the
Web Agent), the user is granted access.
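The realm suffix, group matching and login order of operations described above, modelled as an added Python simulation (not Avaya's code and not a RADIUS implementation). The account names, passwords, the SouthSwitches group, the privilege and management-type VSAs, and the decision to deny a login whose Access-Accept carries no group name are all constructed for the example; the chapter says only that such an Accept is a potential security risk.

```python
# Constructed sample data (not from the manual): local accounts, a realm and a
# RADIUS user database keyed by the realm-qualified user name.
LOCAL_ACCOUNTS = {"admin": ("localpw", "rw", {"CLI", "Web"})}
REALM = "AvayaRealm"
RADIUS_DB = {
    # user@realm: (password, group name, VSAs returned in the Access-Accept)
    "Bob@AvayaRealm": ("bobpw", "SouthSwitches", {"privilege": "ro", "mgmt": "CLI,Web"}),
    "Eve@AvayaRealm": ("evepw", None, {}),   # account with no group name
}

def radius_access_request(user, password, group):
    """Simulated server side: the switch appends @realm to the user name and
    includes its configured group name; the server matches all three."""
    rec = RADIUS_DB.get(f"{user}@{REALM}")
    if rec is None or rec[0] != password:
        return ("Access-Reject", {})
    _, acct_group, vsas = rec
    if acct_group is None:
        # Account without a group name: Accept, but no group and no VSAs
        return ("Access-Accept", {})
    if acct_group != group:
        return ("Access-Reject", {})
    return ("Access-Accept", {"group": acct_group, **vsas})

def switch_login(user, password, switch_group, mgmt_type, radius_enabled=True):
    """Simulated switch side, following the login order of operations."""
    # 1. Local user accounts are consulted first.
    if user in LOCAL_ACCOUNTS:
        pw, priv, mgmt_types = LOCAL_ACCOUNTS[user]
        if pw == password and mgmt_type in mgmt_types:
            return ("granted", "local", priv)
        return ("denied", "local", None)
    # 2. Otherwise authenticate remotely, if RADIUS is enabled and configured.
    if not radius_enabled:
        return ("denied", "no-radius", None)
    code, attrs = radius_access_request(user, password, switch_group)
    if code != "Access-Accept":
        return ("denied", "radius", None)
    # 3. Example policy (an assumption, not documented product behaviour):
    #    an Accept without a group name or VSAs grants nothing.
    if "group" not in attrs:
        return ("denied", "radius-no-vsa", None)
    # 4. The management type must match the interface being used.
    if mgmt_type not in attrs["mgmt"].split(","):
        return ("denied", "radius-mgmt", None)
    return ("granted", "radius", attrs["privilege"])
```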