Enterasys Networks DFE-Gold Series RADIUS Snooping Configuration

Enterasys Matrix DFE-Gold Series Configuration Guide 26-1

RADIUS Snooping Configuration

ThischapterdescribestheRADIUSSnoopingcommandsandhowtousethem.

RADIUSSnooper(RS)allowsanetworkmanagertomanagedownstreamconnections,whenthe

fullcomplementofEnterasys’SecureNetworkscapabilitiesisnotdeployedatthenetworkedge.

Thisallowsforthedeploymentoflessfeaturerichedgedevicestoperformbasicaccesscontrolat

thenetworkedge,whilestillprovidingcomplexuserandservicebasedCoSprovisioning,

authorization,andusageauditingtothesession.

ManydownstreamdevicesauthenticatethelocalsessionwithaRADIUSserverthatresides

upstreamofthedistribution‐tierdevice.RADIUSrequestandresponseframesfromthesedevices

transitthedistribution‐tierdevice.TheinterceptionofthisRADIUStrafficallowsthedistribution‐

tierdevicetobuildanauthenticatedsessionfortheend‐station,asthoughitwasdirectly

connected.SessionsdetectedbyRSfunctionidenticallytolocalauthenticatedsessionsfromthe

perspectiveoftheEnterasysMultiAuthframework.

TheunencryptedtrafficofthedownstreamdevicespassesthroughthedevicerunningRS,

allowingsuchMultiAuthandSecureNetworkfeaturesassession‐timeout,idle‐timeout,filter‐ID

attributesandVLAN‐tunnelattributestobeappliedtothetraffic.

TheclientsendsaRADIUSAccess‐RequestframetotheRADIUSservertoinitiatethe

authenticationprocess.ThisrequestframecontainstheCalling‐Station‐IDattribute.TheCalling‐

Station‐ID,containingtheMACaddress,iscapturedbytheRS.Thesessionisdefinedbythe

attributesreturnedbytheRADIUSserverintheAccess‐Acceptframe.Theidle‐timeoutand

session‐timeoutdictatetheendofthesession,justasifthesessionwasdirectlyconnectedtothe

distributed‐tierdevicerunningRS.

TheRSflowtablecontainsflowsforeachvalidsessionforthissystem.TheclientIPaddressand

authenticatingRADIUSserverIPaddressaremanuallyenteredintotheRADIUSflowtableonthe

RSenabledswitch.WhenaninvestigatedRADIUSframetransitstheRSenabledportwitha

matchintheflowtable,asessioniscreated.Thesessionbecomesactivewhenitseesaresponsefor

thesessionmatchfromtheRADIUSserver.

Aconfigurabletimerdeterminestheamountoftimethefirmwarewillwaitbeforeterminatinga

sessionbecausenoresponsewasseenfromtheRADIUSserver.

DefaultandnetworkadministratorconfigurableRADIUSpacketdropsettingsexistbasedupon

resourceissuesandvalidationfailure.Packetdropforvalidationfailurescanbeconfiguredona

port‐by‐portbasis.

ToconfigureRSonaswitch:

Note: An Enterasys Feature Guide document that contains a complete discussion on RADIUS

Snooping configuration exists at the following Enterasys web site: http://www.enterasys.com/

support/manuals/