Chapter 8 User Authentication

SCP server must be installed on the management station. After defining users on the SCP server, the device acts as an SCP client.

The procedure described in the “Introduction to SSH“ on page 45 is used with the roles of the P330 and the client computer reversed.

To accomplish secured transfers, a P330 launches a local SSH client via the CLI in order to establish a secured channel to the secured file server. The P330 authenticates itself to the server by providing a user name and password. With a Windows-based SSH server (WinSSHD), the user name provided must be a defined user on the Windows machine with read/write privileges. The files transferred via SCP are saved in the “C:\Documents and Settings\username” directory.

The network element performs file transfer in unattended mode.

The P330 doesn't block SCP traffic from users not on the allowed managers list, because it is the SSH client. In addition, the P330 doesn't prompt the user to accept the Server’s fingerprint nor warns the user if the fingerprint from an IP address has changed.

For information on SCP file transfer commands, refer to “Uploading and Downloading Device Configurations and Images“on page 63.

RADIUS

Introduction to RADIUS

User accounts are typically maintained locally on the switch. Therefore, if a site contains multiple Avaya Switches, it is necessary to configure each switch with its own user accounts. Additionally, if for example a 'read-write' user has to be changed into a 'read-only' user, you must change all the 'read-write' passwords configured locally in every switch, in order to prevent him from accessing this level. This is obviously not effective management. A better solution is to have all of the user login information kept in a central location where all the switches can access it. P330 features such a solution: the Remote Authentication Dial-In User Service (RADIUS).

A RADIUS authentication server is installed on a central computer at the customer's site. On this server user authentication (account) information is configured that provides various degrees of access to the switch. The P330 will run as a RADIUS client. When a user attempts to log into the switch, if there is no local user account for the entered user name and password, then the switch will send an Authentication Request to the RADIUS server in an attempt to authenticate the user remotely. If the user name and password are authenticated, then the RADIUS server responds to the switch with an Authentication Acknowledgement that includes information on the user's privileges ('administrator', 'read-write', or 'read-only'), and the user is allowed to gain access to the switch. If the user is not authenticated, then an Authentication Reject is sent to the switch and the user is not allowed access

48

Avaya P334T-ML User’s Guide

Page 64
Image 64
Avaya P334T-ML manual Introduction to Radius