Specifications
Authentication Overview
April 15, 2011 Page 8 of 36
Figure 3 Selecting Authentication Method When Multiple Methods are Validated
Remote Authentication Dial-In Service (RADIUS)
This section provides details for the configuration of RADIUS and RFC 3580 attributes.
The Remote Authentication Dial-In User Service (RADIUS) is an extensible protocol used to carry authentication and authorization information between the switch and the Authentication Server (AS). RADIUS is used by the switch for communicating supplicant supplied credentials to the authentication server and the authentication response from the authentication server back to the switch. This information exchange occurs over the link-layer protocol.
The switch acts as a client to RADIUS using UDP port 1812 by default (configurable in the set radius command). The authentication server contains a database of valid supplicant user accounts with their corresponding credentials. The authentication server checks that the information received from the switch is correct, using authentication schemes such as PAP, CHAP, or EAP. The authentication server returns an Accept or Reject message to the switch based on the credential validation performed by RADIUS. The implementation provides enhanced network security by using a shared secret and MD5 password encryption.
[Figure 3 diagram labels: SMAC=User 1, SMAC=User 2, SMAC=User 3; Switch, Port X; Auth. Agent with 802.1X, PWA, MAC, CEP; MAU Logic; Policy Roles Credit, Sales, Guest. MultiAuth Sessions:]
<User 1, 802.1x, Authenticated, PID=Credit, Applied>
<User 2, PWA, Authenticated, PID=Sales, Applied>
<User 1, PWA, Authenticated, PID=Credit, Not Applied>
<User 3, MAC, Authenticated, PID=Guest, Applied>
<User 1, MAC, Authenticated, PID=Guest, Not Applied>
<User 2, MAC, Authenticated, PID=Guest, Not Applied>
For information about...      Refer to page...
How RADIUS Data Is Used       9
The RADIUS Filter-ID          9
RFC 3580                      10
Policy Maptable Response      12