Foundry Networks Switch and Router Installation And Configuration Manual page 98

Foundry Switch and Router Installation and Configuration Guide
RADIUS Authorization
When RADIUS authorization takes place, the following events occur:
1. A user previously authenticated by a RADIUS server enters a command on the Foundry device.
2. The Foundry device looks at its configuration to see if the command is at a privilege level that requires
RADIUS command authorization.
3. If the command belongs to a privilege level that requires authorization, the Foundry device looks at the list of
commands delivered to it in the RADIUS Access-Accept packet when the user was authenticated. (Along
with the command list, an attribute was sent that specifies whether the user is permitted or denied usage of
the commands in the list.)
NOTE: After RADIUS authentication takes place, the command list resides on the Foundry device. The
RADIUS server is not consulted again once the user has been authenticated. This means that any changes
made to the user's command list on the RADIUS server are not reflected until the next time the user is
authenticated by the RADIUS server, and the new command list is sent to the Foundry device.
4. If the command list indicates that the user is authorized to use the command, the command is executed.
RADIUS Accounting
RADIUS accounting works as follows:
1. One of the following events occur on the Foundry device:
• A user logs into the management interface using Telnet or SSH
• A user enters a command for which accounting has been configured
• A system event occurs, such as a reboot or reloading of the configuration file
2. The Foundry device checks its configuration to see if the event is one for which RADIUS accounting is
required.
3. If the event requires RADIUS accounting, the Foundry device sends a RADIUS Accounting Start packet to
the RADIUS accounting server, containing information about the event.
4. The RADIUS accounting server acknowledges the Accounting Start packet.
5. The RADIUS accounting server records information about the event.
6. When the event is concluded, the Foundry device sends an Accounting Stop packet to the RADIUS
accounting server.
7. The RADIUS accounting server acknowledges the Accounting Stop packet.
AAA Operations for RADIUS
The following table lists the sequence of authentication, authorization, and accounting operations that take place
when a user gains access to a Foundry device that has RADIUS security configured.
User Action
User attempts to gain access to the
Privileged EXEC and CONFIG levels of
the CLI
3 - 34
Applicable AAA Operations
Enable authentication:
aaa authentication enable default <method-list>
System accounting start:
aaa accounting system default start-stop <method-list>
December 2000