2-26 Avaya P550R, P580, P880, and P882 Multiservice Switch User Guide, Version 5.3.1
Chapter 2
message with user Bob@AvayaRealm. The RADIUS server, upon
receiving the request, would look for Bob in the AvayaRealm.
Groups & RADIUS with Vendor Specific Attributes (VSA)
In order to provide user accounts with the same granularity of
privileges as on the Avaya switch, Vendor Specific Attributes must
be configured on the RADIUS server and a Group name must be set
on the Avaya switch. When set, the Group name is sent along with
the Access Request message to the RADIUS server.
The RADIUS server will send an Access Accept message if the user
name, password, and Group name match those of the user account. If
so, the Access Accept message will include the VSAs that identify the
privileges the user has.
* Note: If a user has a Standard RADIUS account, one that does
not contain the Group name, the RADIUS server will
still respond with an Access Accept message, but the
message will not contain the Group name or the VSAs.
This is a security loophole. See the
Avaya-Service-Type-Required parameter below for more
information.
Avaya Service-Types specify the level of privileges a user has. The
following three types are supported:
■ Administrative (can create user accounts and configure the
Avaya switch)
■ Read-Write (can configure the Avaya switch)
■ Read-Only (can view the Avaya switch configuration)
Avaya Management Types specify what method the user can use to
manage the switch. The following four types are supported:
■ Avaya Management All
■ Avaya Local CLI (Serial port on the supervisor)
■ Avaya Remote CLI (Telnet session)
■ Avaya Web Agent
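The loophole in the note above can be closed on the client side by refusing any Access Accept that lacks the privilege VSA. The following is an added example, not code from the guide or from Avaya: it parses the attribute section of a reply (the Vendor-Specific attribute layout is that of RFC 2865) and fails closed when the service-type VSA is missing. The vendor ID, sub-attribute number, service-type codes, and the `require_service_type` flag (which models what a setting such as Avaya-Service-Type-Required is assumed to enforce) are placeholders.

```python
import struct

VENDOR_SPECIFIC = 26       # RADIUS Vendor-Specific attribute type (RFC 2865)
EXAMPLE_VENDOR_ID = 99999  # placeholder enterprise number, not taken from the guide
VSA_SERVICE_TYPE = 1       # placeholder sub-attribute number
SERVICE_TYPES = {1: "Read-Only", 2: "Read-Write", 3: "Administrative"}  # placeholder codes

def iter_tlvs(data):
    """Yield (type, value) pairs; the length byte counts its own 2-byte header."""
    pos = 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        length = data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("bad attribute length")
        yield data[pos], data[pos + 2:pos + length]
        pos += length

def vendor_attributes(attrs, vendor_id):
    """Collect {sub_type: value} from the VSAs that carry vendor_id."""
    found = {}
    for attr_type, value in iter_tlvs(attrs):
        if attr_type == VENDOR_SPECIFIC and len(value) >= 4:
            if struct.unpack("!I", value[:4])[0] == vendor_id:
                found.update(iter_tlvs(value[4:]))
    return found

def authorize(attrs, require_service_type=True):
    """Return (login_allowed, privilege) for the attributes of an Access Accept."""
    try:
        raw = vendor_attributes(attrs, EXAMPLE_VENDOR_ID).get(VSA_SERVICE_TYPE)
    except ValueError:
        return (False, None)                    # malformed reply: fail closed
    if raw is None:
        # Standard account: the server accepted it but sent no privilege VSA.
        return (not require_service_type, None)
    if len(raw) != 4:
        return (False, None)
    level = SERVICE_TYPES.get(struct.unpack("!I", raw)[0])
    return (level is not None, level)

def make_vsa(vendor_id, sub_type, number):
    """Build one VSA holding a 32-bit integer (used for the constructed samples)."""
    body = struct.pack("!IBBI", vendor_id, sub_type, 6, number)
    return bytes([VENDOR_SPECIFIC, len(body) + 2]) + body

# Constructed sample replies (attribute bytes only, RADIUS header omitted).
STANDARD_ACCEPT = bytes([18, 4]) + b"ok"        # Reply-Message only, no VSA
GROUP_ACCEPT = STANDARD_ACCEPT + make_vsa(EXAMPLE_VENDOR_ID, VSA_SERVICE_TYPE, 2)
```

With the flag off, the standard account is admitted with no VSA-derived privilege, which is the condition the note warns about.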
Custom Access Types (CAT)
Custom Access Types provide a deeper level of granularity with
regard to what parameters a user can configure. For example, you
could restrict a user to configuring Layer 2 parameters only. If you
need to use CATs, those user accounts must be created and stored
locally on the Avaya switch, not on a RADIUS server.