RADIUS Snooping Configuration
This chapter describes the RADIUS Snooping commands and how to use them.
Understanding RADIUS Snooper
RADIUS Snooper (RS) allows a network manager to manage downstream connections when the full complement of Enterasys SecureNetworks capabilities is not deployed at the network edge. This allows less feature-rich edge devices to perform basic access control at the network edge while complex user- and service-based CoS provisioning, authorization, and usage auditing are still applied to the session.
Many downstream devices authenticate the local session with a RADIUS server that resides upstream of the distribution-tier device, so the RADIUS request and response frames from these devices transit the distribution-tier device. By intercepting this RADIUS traffic, the distribution-tier device can build an authenticated session for the end station as though it were directly connected. Sessions detected by RS function identically to locally authenticated sessions from the perspective of the Enterasys MultiAuth framework.
Because the unencrypted traffic of the downstream devices passes through the device running RS, MultiAuth and SecureNetworks features such as session-timeout, idle-timeout, Filter-ID attributes and VLAN tunnel attributes can be applied to that traffic.
The client sends a RADIUS Access-Request frame to the RADIUS server to initiate the authentication process. This request frame carries the Calling-Station-ID attribute, which contains the client's MAC address and is captured by RS. The session is then defined by the attributes returned by the RADIUS server in the Access-Accept frame. The idle-timeout and session-timeout values dictate the end of the session, just as if the session were directly connected to the distribution-tier device running RS.
The RS flow table contains a flow for each valid session on this system. The client IP address and the authenticating RADIUS server IP address are manually entered into the RADIUS flow table on the RS-enabled switch. When an inspected RADIUS frame transits an RS-enabled port and matches an entry in the flow table, a session is created. The session becomes active when RS sees the RADIUS server's response for the matching session.
A configurable timer determines how long the firmware waits for a response from the RADIUS server before terminating a session for which no response was seen.
RADIUS packet drop settings, with defaults that the network administrator can change, exist for resource issues and validation failure. Packet dropping for validation failures can be configured on a port-by-port basis.
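As an added illustration (not Enterasys code or the switch firmware's logic), the following Python model walks an intercepted Access-Request and Access-Accept through the flow-table match, the pending-session timer and the validation-failure drop described above. The RFC 2865 frame layout is real; the flow-table entries, timer value and sample frames are constructed.

```python
import struct
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
# RFC 2865 attribute type codes for the attributes the text mentions
FILTER_ID, SESSION_TIMEOUT, IDLE_TIMEOUT, CALLING_STATION_ID = 11, 27, 28, 31
RESPONSE_WAIT = 5  # seconds to wait for the server's reply (constructed timer value)

def build(code, ident, attrs):
    """Build a RADIUS frame (authenticator zeroed; constructed test data only)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + bytes(16) + body

def parse(frame):
    """Parse header and attributes; ValueError marks a validation failure."""
    if len(frame) < 20:
        raise ValueError("frame shorter than RADIUS header")
    code, ident, length = struct.unpack("!BBH", frame[:4])
    if length != len(frame):
        raise ValueError("Length field does not match frame size")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length or frame[pos + 1] < 2 or pos + frame[pos + 1] > length:
            raise ValueError("malformed attribute")
        attrs[frame[pos]] = frame[pos + 2:pos + frame[pos + 1]]
        pos += frame[pos + 1]
    return code, ident, attrs

class Snooper:
    """Flow table of (client IP, server IP) pairs plus pending and active sessions."""
    def __init__(self, flows):
        self.flows, self.pending, self.active, self.dropped = set(flows), {}, {}, 0

    def observe(self, src, dst, frame, now):
        # Terminate pending sessions whose server never answered within the timer.
        self.pending = {k: v for k, v in self.pending.items() if now - v[0] <= RESPONSE_WAIT}
        try:
            code, ident, attrs = parse(frame)
        except ValueError:
            self.dropped += 1          # validation failure: frame is dropped
            return "dropped"
        if code == ACCESS_REQUEST and (src, dst) in self.flows and CALLING_STATION_ID in attrs:
            self.pending[(src, dst, ident)] = (now, attrs[CALLING_STATION_ID].decode())
            return "pending"            # session created, waiting for the server
        if code == ACCESS_ACCEPT and (dst, src, ident) in self.pending:
            _, mac = self.pending.pop((dst, src, ident))
            u32 = lambda t: struct.unpack("!I", attrs[t])[0] if t in attrs else None
            self.active[mac] = {"session_timeout": u32(SESSION_TIMEOUT),
                                "idle_timeout": u32(IDLE_TIMEOUT),
                                "filter_id": attrs.get(FILTER_ID, b"").decode() or None}
            return "active"             # session defined by the Access-Accept attributes
        return "ignored"
```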
To configure RS on a switch:
Note: An Enterasys Feature Guide document that contains a complete discussion on RADIUS Snooping configuration exists at the following Enterasys web site: http://www.enterasys.com/support/manuals/
Enterasys Matrix DFE-Gold Series Configuration Guide 26-1