To provide user accounts the same granularity of privileges that local authentication provides, you can configure vendor-specific attributes (VSAs) on the RADIUS server and a group name on the switch. After you set the group name, the switch includes it in Access-Request messages that it sends to the RADIUS server.
If the user name, password, and group name match those of the user account, the RADIUS server sends an Access-Accept message to the client. The Access-Accept message includes the VSAs that identify the user's privileges.
Note: If a user has a RADIUS account that does not contain a group name, the RADIUS server still responds with an Access-Accept message, but the message does not contain a group name or VSAs. This absence of a group name presents a potential security risk. For more information, see "Configuring a RADIUS Client" later in this chapter.
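The case in the note above can be audited from captured RADIUS replies. The following is an added example, not code from this guide or from the switch vendor: it parses a RADIUS packet per RFC 2865 and flags any Access-Accept that carries no Vendor-Specific attribute (type 26) for the expected vendor. The vendor ID 99999, the vendor-type 1, and the sample packets are constructed placeholders, and the Response Authenticator is not verified here.

```python
import struct

ACCESS_ACCEPT = 2          # RADIUS packet code (RFC 2865)
VENDOR_SPECIFIC = 26       # attribute type that carries VSAs (RFC 2865)
EXAMPLE_VENDOR_ID = 99999  # constructed placeholder, not a real enterprise number


def parse_attributes(packet):
    """Return (code, [(type, value)]) and reject malformed lengths."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("bad packet length")
    attrs, pos = [], 20
    while pos < length:
        # Each attribute is Type(1) Length(1) Value; Length covers all three.
        if length - pos < 2 or not 2 <= packet[pos + 1] <= length - pos:
            raise ValueError("bad attribute length")
        a_type, a_len = packet[pos], packet[pos + 1]
        attrs.append((a_type, packet[pos + 2:pos + a_len]))
        pos += a_len
    return code, attrs


def vendor_attrs(attrs, vendor_id):
    """Return [(vendor_type, data)] found in type-26 attributes for one vendor."""
    out = []
    for a_type, value in attrs:
        if (a_type != VENDOR_SPECIFIC or len(value) < 4
                or int.from_bytes(value[:4], "big") != vendor_id):
            continue
        sub = value[4:]  # sub-attributes: vendor-type(1) vendor-length(1) data
        while len(sub) >= 2 and 2 <= sub[1] <= len(sub):
            out.append((sub[0], sub[2:sub[1]]))
            sub = sub[sub[1]:]
    return out


def audit_accept(packet, vendor_id=EXAMPLE_VENDOR_ID):
    """Classify a reply; 'accept-without-vsa' is the risky case from the note."""
    code, attrs = parse_attributes(packet)
    if code != ACCESS_ACCEPT:
        return "not-accept"
    return "ok" if vendor_attrs(attrs, vendor_id) else "accept-without-vsa"


# Constructed samples (zeroed authenticator); vendor-type 1 is hypothetical.
_VSA = bytes([26, 14]) + struct.pack("!I", EXAMPLE_VENDOR_ID) + bytes([1, 8]) + b"admins"
SAMPLE_WITH_VSA = struct.pack("!BBH", 2, 1, 34) + bytes(16) + _VSA
SAMPLE_NO_VSA = struct.pack("!BBH", 2, 1, 20) + bytes(16)
```

A client or log pipeline that sees `accept-without-vsa` for an account should treat the login as carrying no granted privileges until the account's group name is corrected on the RADIUS server.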