BigIron RX Series Configuration Guide 9753-1001810-01Configuring RADIUS security 45. The RADIUS server validates the device using a shared secret (the RADIUS key).6. The RADIUS server looks up the username in its database.7. If the username is found in the database, the RADIUS server validates the password.8. If the password is valid, the RADIUS server sends an Access-Accept packet to the device,authenticating the user. Within the Access-Accept packet are three Brocade vendor-specificattributes that indicate:• The privilege level of the user• A list of commands• Whether the user is allowed or denied usage of the commands in the listThe last two attributes are used with RADIUS authorization, if configured.9. The user is authenticated, and the information supplied in the Access-Accept packet for theuser is stored on the device. The user is granted the specified privilege level. If you configureRADIUS authorization, the user is allowed or denied usage of the commands in the list.RADIUS authorizationWhen RADIUS authorization takes place, the following events occur.1. A user previously authenticated by a RADIUS server enters a command on the device.2. The device looks at its configuration to see if the command is at a privilege level that requiresRADIUS command authorization.3. If the command belongs to a privilege level that requires authorization, the device looks at thelist of commands delivered to it in the RADIUS Access-Accept packet when the user wasauthenticated. (Along with the command list, an attribute was sent that specifies whether theuser is permitted or denied usage of the commands in the list.)NOTEAfter RADIUS authentication takes place, the command list resides on the BigIron RX. TheRADIUS server is not consulted again once the user has been authenticated. This means thatany changes made to the user’s command list on the RADIUS server are not reflected until thenext time the user is authenticated by the RADIUS server, and the new command list is sent tothe BigIron RX.4. If the command list indicates that the user is authorized to use the command, the command isexecuted.RADIUS accountingRADIUS accounting works as follows.1. One of the following events occur on the device:• A user logs into the management interface using Telnet or SSH• A user enters a command for which accounting has been configured• A system event occurs, such as a reboot or reloading of the configuration file2. The device checks its configuration to see if the event is one for which RADIUS accounting isrequired.