
Realms and Groups

Overview

Realms and Groups provide two separate functions. A Realm provides a way of organizing user accounts on the RADIUS server. Groups provide a way of organizing the NADs a user can log in to, as well as a way of delivering vendor-specific configurable parameters.

For example, you might use a Realm called AvayaRealm to organize all of the user accounts that can log into Avaya switches in a campus environment. In this campus, there are two teams of network administrators, one team for the North campus and one for the South campus. Each team needs Read-Write access to the switches in their half of the campus and Read-Only access to the switches in the other half of the campus.

You would then configure all of the North switches with a Group name of NorthSwitches and the South switches with SouthSwitches.

For each user, you would create two user accounts in the AvayaRealm, one with a Group name of NorthSwitches and one with SouthSwitches. Each account would have the appropriate permissions for the two switch types.

When a user from the North team logs in to a switch in the North campus, the switch will send an Access Request message with @AvayaRealm appended to the user name and a Group name of NorthSwitches. The RADIUS server will send an Access Accept message indicating Read-Write permission.

Similarly, when the same user logs in to a switch on the South campus, the switch will send an Access Request message with @AvayaRealm appended to the user name and a Group name of SouthSwitches. The RADIUS server will send an Access Accept message indicating Read-Only permission.
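The lookup described above can be modeled in a few lines. The following Python sketch is an added illustration, not code from the product: it shows the per-Group decision and an audit that flags accounts that break the North/South pattern. The user names, the function names and the reject-when-no-matching-account behavior are assumptions, and password checking is left out.

```python
from typing import NamedTuple

class Account(NamedTuple):
    user: str
    realm: str
    group: str
    permission: str  # "Read-Write" or "Read-Only"

# Constructed sample data: user names are hypothetical; the Realm and
# Group names are the ones used in the text above.
ACCOUNTS = [
    Account("nadmin1", "AvayaRealm", "NorthSwitches", "Read-Write"),
    Account("nadmin1", "AvayaRealm", "SouthSwitches", "Read-Only"),
    Account("sadmin1", "AvayaRealm", "SouthSwitches", "Read-Write"),
    Account("sadmin1", "AvayaRealm", "NorthSwitches", "Read-Only"),
    Account("sadmin2", "AvayaRealm", "SouthSwitches", "Read-Write"),  # no North account
]

def authorize(user_name, group, accounts=ACCOUNTS):
    """Decide on a request carrying user@realm and the switch's Group name."""
    user, sep, realm = user_name.rpartition("@")
    if not sep or not user or not realm:
        return ("Access-Reject", None)  # assumption: a realm suffix is required
    for a in accounts:
        if (a.user, a.realm, a.group) == (user, realm, group):
            return ("Access-Accept", a.permission)
    return ("Access-Reject", None)  # assumption: no matching account means deny

def audit(accounts, realm, groups):
    """List users who lack an account for a Group or hold Read-Write in several."""
    findings = []
    for u in sorted({a.user for a in accounts if a.realm == realm}):
        perms = {a.group: a.permission for a in accounts
                 if a.user == u and a.realm == realm}
        for g in groups:
            if g not in perms:
                findings.append((u, f"no account for {g}"))
        rw = sorted(g for g, p in perms.items() if p == "Read-Write")
        if len(rw) > 1:
            findings.append((u, "Read-Write in " + ", ".join(rw)))
    return findings

if __name__ == "__main__":
    print(authorize("nadmin1@AvayaRealm", "NorthSwitches"))
    print(authorize("nadmin1@AvayaRealm", "SouthSwitches"))
    print(audit(ACCOUNTS, "AvayaRealm", ["NorthSwitches", "SouthSwitches"]))
```

Running the audit whenever accounts are added or removed catches a team member who was given only one of the two accounts, or Read-Write on both halves of the campus.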

