196 Configuring Authentication, Authorization, and Accounting

The RADIUS server should be configured such that it will send the Cisco AVPair attribute with the “roles” value. For example:

shell:roles=router-admin

The above example attribute gives the user access to the commands permitted by the router-admin profile.

Using RADIUS Servers to Control Management Access

The RADIUS client on the switch supports multiple RADIUS servers. When multiple authentication servers are configured, they can help provide redundancy. One server can be designated as the primary and the other(s) will function as backup server(s). The switch attempts to use the primary server first. If the primary server does not respond, the switch attempts to use the backup servers. A priority value can be configured to determine the order in which the backup servers are contacted.

How Does RADIUS Control Management Access?

Many networks use a RADIUS server to maintain a centralized user database that contains per-user authentication information. RADIUS servers provide a centralized authentication method for:

• Telnet Access
• Web Access
• Console to Switch Access
• Access Control Port (802.1X)

Like TACACS+, RADIUS access control utilizes a database of user information on a remote server. Making use of a single database of accessible information—as in an Authentication Server—can greatly simplify the authentication and management of users in a large network. One such type of Authentication Server supports the Remote Authentication Dial In User Service (RADIUS) protocol as defined by RFC 2865.

For authenticating users prior to access, the RADIUS standard has become the protocol of choice by administrators of large accessible networks. To accomplish the authentication in a secure manner, the RADIUS client and RADIUS server must both be configured with the same shared password or