Realms and groups provide two separate functions. A realm provides a way of organizing user accounts on the RADIUS server. Groups provide a way of organizing the network access devices (NADs) that a user can log in to, as well as delivering vendor-specific parameters that you configure.
For example, you might use a realm called AvayaRealm to organize all user accounts that can log in to Avaya switches in a campus environment. In this campus, you organize network administrators into two teams, one team for the north campus and one for the south campus. Each team needs read-write access to switches in its half of the campus and read-only access to switches in the other half of the campus.
You would then assign all of the north switches to a group named NorthSwitches and the south switches to a group named SouthSwitches.
For each user, you would create two user accounts in the AvayaRealm: one with a group name of NorthSwitches and one with SouthSwitches. Each account would have the appropriate permissions for the two switch types.
When a user from the north team logs in to a switch in the north campus, the switch sends an Access-Request message with @AvayaRealm appended to the user name and a group name of NorthSwitches. The RADIUS server will send an Access-Accept message indicating that the user has read-write permission.
Similarly, when the same user logs in to a switch in the south campus, the switch sends an Access-Request message with @AvayaRealm appended to the user name and a group name of SouthSwitches. The RADIUS server will send an Access-Accept message indicating that the user has read-only permission.
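The following Python sketch models the decision described above. It is an added example, not code from the product: the user names, the in-memory account table, and the function names are constructed for illustration. It assumes that a request with no matching account for the realm and group is rejected, and it adds an audit helper that reports users who lack an account for one of the groups.

```python
# Added illustration; the data model and names are assumptions, not a product API.
# Credential checking is omitted: only the realm/group decision is modelled.
READ_WRITE, READ_ONLY = "read-write", "read-only"

# Constructed sample data: (realm, user, group) -> permission.
# Each administrator has one account per switch group in AvayaRealm.
ACCOUNTS = {
    ("AvayaRealm", "alice", "NorthSwitches"): READ_WRITE,  # north team
    ("AvayaRealm", "alice", "SouthSwitches"): READ_ONLY,
    ("AvayaRealm", "bob", "SouthSwitches"): READ_WRITE,    # south team
    ("AvayaRealm", "bob", "NorthSwitches"): READ_ONLY,
    ("AvayaRealm", "carol", "NorthSwitches"): READ_WRITE,  # second account missing
}


def split_user_name(user_name):
    """Split 'user@Realm' on the last '@'; return (user, realm) or None."""
    user, sep, realm = user_name.rpartition("@")
    if not sep or not user or not realm:
        return None
    return user, realm


def handle_access_request(user_name, group):
    """Return ('Access-Accept', permission) or ('Access-Reject', reason)."""
    parsed = split_user_name(user_name)
    if parsed is None:
        return "Access-Reject", "no realm in user name"
    user, realm = parsed
    permission = ACCOUNTS.get((realm, user, group))
    if permission is None:
        # Assumed default: no account for this realm and group means no access.
        return "Access-Reject", "no account for this realm and group"
    return "Access-Accept", permission


def missing_accounts(realm, groups):
    """List (user, group) pairs in the realm that have no account."""
    users = {u for (r, u, _) in ACCOUNTS if r == realm}
    return sorted((u, g) for u in users for g in groups
                  if (realm, u, g) not in ACCOUNTS)


if __name__ == "__main__":
    print(handle_access_request("alice@AvayaRealm", "NorthSwitches"))
    print(handle_access_request("alice@AvayaRealm", "SouthSwitches"))
    print(missing_accounts("AvayaRealm", ["NorthSwitches", "SouthSwitches"]))
```

Running the audit helper after adding a new administrator or a new switch group shows which per-group accounts still need to be created.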