Avaya 580 User's Manual
Document No. 10-300077, Issue 2
4-19
Security
RADIUS Client Support
Overview
Purpose of RADIUS
In a network with many Avaya switches, configuring user accounts on each
of the switches can be time-consuming. You can centralize the user accounts
by using a Remote Authentication Dial-In User Service (RADIUS) server.
RADIUS is a service that authenticates users when they attempt to log in to
a Network Access Device (NAD) such as an Avaya switch. RADIUS
typically runs on a Windows or Linux server; however, it can run on other
platforms as well depending on the vendor.
* Note: RADIUS supports a maximum of 27 characters for user names.
If you use a RADIUS server to authenticate users, their switch
user names must not exceed 27 characters, regardless of the 31-
character maximum of the P580 and P882.
Authentication Process
RADIUS uses a client/server architecture in which each device that uses the
RADIUS server is a RADIUS client. The client sends Access-Request
messages to the RADIUS server. These messages include the user name, the
encrypted password, and optional parameters, depending on configuration.
*Important: The RADIUS Client and Server must be configured
with the exact same parameters.
Once the RADIUS server receives the Access-Request message, it searches
its database for the user account. If the server finds the account, the
password is correct, and the optional parameters match, the server sends an
Access-Accept message to the RADIUS client. The Access-Accept
message indicates that the user account exists, the password is correct, and
the user has a certain access type (for example, administrative or read-only).
If the RADIUS server does not find the account or the password is
incorrect, then the server sends an Access-Reject message to the RADIUS
client.
* Note: Due to an interoperability issue, the P580 and P882 RADIUS
client does not accept Access-Accept messages from Windows
2000 RADIUS servers, which generate the Generate-Class-Attribute.
To resolve this issue, obtain Windows 2000 service
pack 3 or later. After installing the latest service pack, set the
Generate-Class-Attribute field to FALSE.