Overview; Radius; Feature Operation - Avaya ERS 1600 Technical Configuration Manual

Authentication, Authorization and Accounting (AAA) for ERS and ES

1. Overview

Access control is the way you control who is allowed access to the network server and what services they
are allowed to use once they have access. Authentication, authorization, and accounting (AAA) network
security services provide the primary framework through which you set up access control on your network
device or access server.

Network professionals have always been challenged by having many individuals manage multiple
network devices with a single account. When problems occur, it is nearly impossible to trace
accountability and identify what changes were made by whom. RADIUS was designed to address the
authentication and accounting (logging tied to a user) problem; however, authorization controls (what an
authenticated user is allowed to do) were still missing. TACACS+ (the latest implementation of
TACACS) can perform authentication, authorization and accounting.

2. RADIUS

Remote Access Dial-In User Services (RADIUS) is a distributed client/server system that assists in
securing networks against unauthorized access, allowing a number of communication servers and clients
to authenticate user identities through a central database. The database within the RADIUS server stores
information about clients, users, passwords, and access privileges, protected with a shared secret.

RADIUS is a fully open and standard protocol defined by RFCs (authentication [RFC 2865] and
accounting [RFC 2866]). The RADIUS protocol is an AAA protocol that runs over IP, using UDP port 1812 for
authentication and UDP port 1813 for accounting.

2.1 Feature Operation

A RADIUS application has two components:

• RADIUS server: A computer equipped with RADIUS server software (for example, a UNIX
  workstation) that is located at a central office or campus. It has authentication and access
  information in a form that is compatible with the client. Typically, the database in the RADIUS
  server stores client information, user information, passwords, and access privileges, including the
  use of a shared secret. A network can have at minimum one server for both authentication and
  accounting, or one server for each service.
• RADIUS client: A switch, router, or remote access device equipped with RADIUS client
  software that sends the authentication request to the RADIUS server when a user attempts to
  log in via the RADIUS client. The client is the network access point between the remote users and
  the server.

The RADIUS process includes:

• RADIUS authentication, which you can use to identify remote users before you give them access
  to a central network site.
• RADIUS accounting, which enables data collection on the server during a remote user's dial-in
  session with the client.
Authentication, Authorization and Accounting (AAA) for ERS and ES
November 2010
Technical Configuration Guide
avaya.com