Chapter 8 User Authentication
Avaya P332G-ML User’s Guide 49
RADIUSIntroduction to RADIUS
User accounts are typically maintained locally on the switch. Therefore, if a site
contains multiple Avaya Switches, it is necessary to configure each switch with its
own user accounts. Additionally, if for example a 'read-write' user has to be
changed into a 'read-only' user, you must change all the 'read-write' passwords
configured locally in every switch, in order to prevent him from accessing this level.
This is obviously not effective management. A better solution is to have all of the
user login information kept in a central location where all the switches can access it.
P330 features such a solution: the Remote Authentication Dial-In User Service
(RADIUS).
A RADIUS authentication server is installed on a central computer at the customer's
site. On this server user authentication (account) information is configured that
provides various degrees of access to the switch. The P330 will run as a RADIUS
client. When a user attempts to log into the switch, if there is no local user account
for the entered user name and password, then the switch will send an
Authentication Request to the RADIUS server in an attempt to authenticate the user
remotely. If the user name and password are authenticated, then the RADIUS server
responds to the switch with an Authentication Acknowledgement that includes
information on the user's privileges ('administrator', 'read-write', or 'read-only'),
and the user is allowed to gain access to the switch. If the user is not authenticated,
then an Aut henticat ion Rejec t is sent to the swi tch and th e user is not allow ed access
to the switch's embedded management.
The Remote Authentication Dial-In User Service (RADIUS) is an IETF standard
(RFC 2138) client/server security protocol. Security and login information is stored
in a central location known as the RADIUS server. RADIUS clients, such as the P330,
communicate with the RADIUS server to authenticate users.
All transactions between the RADIUS client and server are authenticated through
the use of a “shared secret” which is not sent over the network. The shared secret is
an authentication password configured on both the RADIUS client and its RADIUS
servers. The shared secret is stored as clear text in the client’s file on the RADIUS
server, and in the non-volatile memory of the P330. In addition, user passwords are
sent between the client and server are encrypted for increased security.