Enterasys Matrix DFE-Gold Series

944 pages

To Next Page

To Next Page

To Previous Page

To Previous Page

Loading...

Enterasys Matrix DFE-Gold Series Configuration Guide 26-1

26

RADIUS Snooping Configuration

ThischapterdescribestheRADIUSSnoopingcommandsandhowtousethem.

Understanding RADIUS Snooper

RADIUSSnooper(RS)allowsanetworkmanagertomanagedownstreamconnections,whenthe

fullcomplementofEnterasys’SecureNetworkscapabilitiesisnotdeployedatthenetworkedge.

Thisallowsforthedeploymentoflessfeaturerichedgedevicestoperformbasicaccesscontrolat

thenetworkedge,whilestillprovidingcomplexuser

andservicebasedCoSprovisioning,

authorization,andusageauditingtothesession.

ManydownstreamdevicesauthenticatethelocalsessionwithaRADIUSserverthatresides

upstreamofthedistribution‐tierdevice.RADIUSrequestandresponseframesfromthesedevices

transitthedistribution‐tierdevice.TheinterceptionofthisRADIUStrafficallows

thedistribution‐

tierdevicetobuildanauthenticatedsessionfortheend‐station,asthoughitwasdirectly

connected.SessionsdetectedbyRSfunctionidenticallytolocalauthenticatedsessions fromthe

perspectiveoftheEnterasysMultiAuthframework.

TheunencryptedtrafficofthedownstreamdevicespassesthroughthedevicerunningRS,

allowing

suchMultiAuthandSecureNetworkfeaturesassession‐timeout,idle‐timeout,filter‐ID

attributesandVLAN‐tunnelattributestobeappliedtothetraffic.

TheclientsendsaRADIUSAccess‐RequestframetotheRADIUSservertoinitiatethe

authenticationprocess.ThisrequestframecontainstheCalling‐Station‐IDattribute.TheCalling

‐

Station‐ID,containingtheMACaddress,iscapturedbytheRS.Thesessionisdefinedbythe

attributesreturnedbytheRADIUSserverintheAccess‐Acceptframe.Theidle‐timeoutand

session‐timeoutdictatetheendofthesession,justasifthesessionwasdirectlyconnectedtothe

distributed‐tierdevicerunningRS.

TheRSflowtablecontainsflowsforeachvalidsessionforthissystem.TheclientIPaddressand

authenticatingRADIUSserverIP addressaremanuallyenteredintotheRADIUSflowtableonthe

RSenabledswitch.WhenaninvestigatedRADIUSframetransitstheRSenabledport

witha

matchintheflowtable,asessioniscreated.Thesessionbecomesactivewhenitseesaresponsefor

thesessionmatchfromtheRADIUSserver.

Aconfigurabletimerdeterminestheamountoftimethefirmwarewillwaitbeforeterminatinga

sessionbecausenoresponsewasseenfromthe

RADIUSserver.

DefaultandnetworkadministratorconfigurableRADIUSpacketdropsettingsexistbasedupon

resourceissuesandvalidationfailure.Packetdropforvalidationfailurescanbeconfiguredona

port‐by‐portbasis.

ToconfigureRSonaswitch:

Note: An Enterasys Feature Guide document that contains a complete discussion on RADIUS

Snooping configuration exists at the following Enterasys web site: http://www.enterasys.com/

support/manuals/

Table of Contents

Related product manuals

Preview: Enterasys Matrix 2G4072-52

Enterasys Matrix 2G4072-52

Preview: Enterasys Matrix E1 1H582-51

Enterasys Matrix E1 1H582-51

Enterasys Matrix E1 1G694-13

Preview: Enterasys Matrix-V V2H124-24

Enterasys Matrix-V V2H124-24

Preview: Enterasys C3G124-24

Enterasys C3G124-24

Preview: Enterasys B5G124-24

Enterasys B5G124-24

Enterasys A4H124-48P

Preview: Enterasys B5G124-24P2

Enterasys B5G124-24P2

Preview: Enterasys SecureStack C2

Enterasys SecureStack C2

Enterasys SSA-G1018-0652

Preview: SecureStack B3 B3G124-24P

SecureStack B3 B3G124-24P

Preview: SecureStack B2 B2G124-48P

SecureStack B2 B2G124-48P