Establishing Switch Access
82 Installation and Configuration Guide Avaya C360 Multilayer Stackable Switches, version 4.5
RADIUS
Introduction to RADIUS
User accounts are typically maintained locally on the switch. Therefore, if a site contains
multiple Avaya switches, each switch must be configured with its own user accounts.
Additionally, if, for example, a "read-write" user has to be changed into a "read-only" user, you
must change all the "read-write" passwords configured locally in every switch in order to
prevent that user from accessing this level. This is not an effective way to manage access. A
better solution is to keep all of the user login information in a central location that all the
switches can access. The C360 features such a solution: the Remote Authentication Dial-In User
Service (RADIUS).
A RADIUS authentication server is installed on a central computer at the customer's site. User
authentication (account) information that provides various degrees of access to the switch is
configured on this server. The C360 runs as a RADIUS client. When a user attempts to log into
the switch, if there is no local user account for the entered user name and password, the
switch sends an Authentication Request to the RADIUS server in an attempt to authenticate
the user remotely. If the user name and password are authenticated, the RADIUS server
responds to the switch with an Authentication Acknowledgement that includes information on
the user's privileges ("administrator", "read-write", or "read-only"), and the user is allowed to
gain access to the switch. If the user is not authenticated, an Authentication Reject is sent
to the switch and the user is not allowed access to the switch's embedded management.
The Remote Authentication Dial-In User Service (RADIUS) is an IETF standard (RFC 2138)
client/server security protocol. Security and login information is stored in a central location
known as the RADIUS server. RADIUS clients, such as the C360, communicate with the
RADIUS server to authenticate users.
All transactions between the RADIUS client and server are authenticated through the use of a
"shared secret", which is not sent over the network. The shared secret is an authentication
password configured on both the RADIUS client and its RADIUS servers. The shared secret is
stored as clear text in the client's file on the RADIUS server, and in the non-volatile memory of
the C360. In addition, user passwords sent between the client and server are encrypted for
increased security.
In the C360, RADIUS is used to authenticate management stations and (independently) for
802.1x port-based access control.
illustrates the RADIUS authentication procedure:
Issue 2 July 2005