Panasonic 5500 Switch User Manual


 
1. Overview: RADIUS User Authentication using Identity Engines
This document provides the framework for implementing user Authentication, Authorization, and
Accounting for Nortel switches.
1.1 RADIUS Support on Nortel Switches
| Switch | RADIUS authentication | 802.1x (EAP) RADIUS authentication | RADIUS accounting | 802.1x (EAP) RADIUS accounting | RADIUS accounting for CLI commands | RADIUS user access profile | RADIUS SNMP accounting |
|---|---|---|---|---|---|---|---|
| ERS 8600 | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| ERS 8300 | Yes | Yes | Yes | Yes | Yes | Yes | No |
| ERS 1600 | Yes | Yes | Yes | Yes | Yes | Yes | No |
| ES 460/470 | Yes | Yes | No | No | No | No | No |
| ERS 2500 | Yes | Yes | No | Yes | No | No | No |
| ERS 4500 | Yes | Yes | No | Yes | No | No | No |
| ERS 5500 | Yes | Yes | No | Yes | No | No | No |
| ERS 5600 | Yes | Yes | No | Yes | No | No | No |
1.2 User Authentication using ERS1600, ERS8300, or ERS8600
The ERS1600, ERS8300, and ERS8600 each support six different user access levels. The
access level is determined by the RADIUS attribute value sent back to the switch. The switch
uses RADIUS Vendor-Specific Attributes (IETF Attribute 26) to support its own extended
attributes. Vendor identifier 1584 (Bay Networks) attribute type 192 is used where the value is a
number from 0 to 6. The following chart displays the RADIUS attribute values and corresponding
access level.
| Access Level | VSA Attribute 26 – Vendor Identifier 1584, Type 192 value |
|---|---|
| None-Access | 0 |
| Read-Only-Access | 1 |
| Layer 1-Read-Write-Access | 2 |
| Layer 2-Read-Write-Access | 3 |
| Layer 3-Read-Write-Access | 4 |
| Read-Write-Access | 5 |
| Read-Write-All-Access | 6 |
In addition, on the ERS8600 only, if vendor identifier 1584 attribute type 194 is set to a value
of 0, you can enter a list of CLI commands not allowed for a user. The CLI command is entered
using the RADIUS string value configured via RADIUS vendor identifier 1584 attribute type 195.
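The access-level attribute described above (Attribute 26, vendor identifier 1584, type 192) can be checked on the wire with the sketch below, which is an added example and not code from Nortel or from this guide. It follows the RFC 2865 Vendor-Specific layout; the 4-byte integer value encoding, the function names, and the choice to treat anything malformed as None-Access are assumptions of the example.

```python
import struct

VSA_TYPE = 26            # IETF Vendor-Specific attribute
BAY_VENDOR_ID = 1584     # Bay Networks vendor identifier (from the chart above)
ACCESS_LEVEL_TYPE = 192  # vendor attribute type carrying the access level

LEVELS = {
    0: "None-Access", 1: "Read-Only-Access",
    2: "Layer 1-Read-Write-Access", 3: "Layer 2-Read-Write-Access",
    4: "Layer 3-Read-Write-Access", 5: "Read-Write-Access",
    6: "Read-Write-All-Access",
}

def encode_access_level(level: int) -> bytes:
    """Build the Vendor-Specific attribute a RADIUS server would return."""
    if level not in LEVELS:
        raise ValueError(f"access level must be 0-6, got {level}")
    # Assumption: the value is sent as a 4-byte big-endian integer.
    sub = struct.pack("!BBI", ACCESS_LEVEL_TYPE, 6, level)
    return struct.pack("!BBI", VSA_TYPE, 6 + len(sub), BAY_VENDOR_ID) + sub

def decode_access_level(attrs: bytes) -> str:
    """Walk the attribute TLVs of a reply and name the granted access level.

    Example policy (an assumption): a missing, malformed or out-of-range
    attribute is reported as None-Access rather than guessed at.
    """
    pos = 0
    while pos + 2 <= len(attrs):
        a_type, a_len = attrs[pos], attrs[pos + 1]
        if a_len < 2 or pos + a_len > len(attrs):
            break  # length field runs past the buffer: stop parsing
        body = attrs[pos + 2 : pos + a_len]
        pos += a_len
        if a_type != VSA_TYPE or len(body) != 10:
            continue  # not a VSA, or not vendor-id + type + len + 4-byte value
        vendor, v_type, v_len, level = struct.unpack("!IBBI", body)
        if vendor == BAY_VENDOR_ID and v_type == ACCESS_LEVEL_TYPE and v_len == 6:
            return LEVELS.get(level, LEVELS[0])
    return LEVELS[0]

# Constructed sample: a Reply-Message (type 18) followed by the access-level VSA.
SAMPLE = bytes([18, 4]) + b"ok" + encode_access_level(1)

if __name__ == "__main__":
    print(decode_access_level(SAMPLE))
```
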