Specifications

Why Would I Use RADIUS-Snooping in My Network?

June 03, 2011 Page 2 of 12

Why Would I Use RADIUS-Snooping in My Network?

RADIUS‐SnoopingallowstheEnterasysdistribution‐tierswitchtoidentifyRADIUSexchanges

betweendevicesconnectedtoedgeswitchesandapplypolicytothosedevicesevenwhenthe

edgeswitchisfromanothervendoranddoesnotsupportpolicy.RADIUS‐Snoopingprovides,but

isnotlimitedto,thefollowingfunctionalities:

•RFC3580

DynamicVLANassignment

• Authenticationmodessupport

•Idleandsessiontimeoutssupport

•Multi‐userauthenticationonaport

•Multi‐authenticationmethodsupport

WithRS‐enabledonthedistribution‐tierswitch,theseSecureNetworkscapabilitiescanbe

configuredbythenetworkadministratoronanend‐userbasis.

How Can I Implement RADIUS-Snooping?

RSrequiresthatunencryptedRADIUSrequestframes,fromtheedgeswitch,transitthe

distribution‐tierswitch,beforeproceedingtotheup‐streamRADIUSserverforvalidation.

ToconfigureRSonadistribution‐tierswitch:

•SettheglobalMultiAuthmodetomulti

•SettheMultiAuthportmodetoauth‐optforallports

thatarepartoftheRSconfiguration

• GloballyenableRSonthedistribution‐tierswitch

•EnableRSonallportsoverwhichRADIUSrequestandresponseframeswilltransit

• OptionallychangetheperiodRSwillwaitforaRADIUSresponseframefromtheserver

• PopulatetheRADIUS ‐SnoopingflowtablewithRS

clientandRADIUSservercombinations

RADIUS-Snooping Overview

ThissectionprovidesanoverviewofRADIUS‐Snoopingconfigurationandmanagement.

Note: A router cannot reside between the RADIUS client and the distribution-tier switch enabled for

RS. The presence of a router would modify the calling-station ID of the RADIUS request frame that

RS depends upon to learn the MAC address of the end-station for this session.

Note: RADIUS-Snooping is currently only supported on Enterasys modular switch products.

A minimum of 256 MB of memory is required on all DFE modules in the switch, in order to enable

RADIUS-Snooping. See the SDRAM field of the show system hardware command to display the

amount of memory installed on a module. Module memory can be upgraded to 256 MB using the

DFE-256MB-UGK memory kit.