Specifications

ManualsBrandsEnterasys ManualsComputer equipmentN Standalone (NSA) Series

281

282

283

284

285

286

287

288

289

290

RADIUS-Snooping Overview

June 03, 2011 Page 3 of 12

RADIUS-Snooping Configuration

MultiAuth Configuration

MultiAuthmust beenablediftheRADIUS‐Snoopingconfigurationinvolvestheauthenticationof

morethanasingleuseronaport.Therearetwoaspectstomultiauthenticationina

RADIUS‐Snoopingconfiguration:

•TheglobalMultiAuthmodemustbechangedfromthedefaultmodeofstricttomulti,in

ordertoauthenticate

multipledownstreamusers.

•TheMultiAuthportmodemustbesettoauth‐optforbothupstream(totheRADIUSserver)

anddownstream(totheauthenticatingswitch)ports.Setting globalMultiAuthtomultisets

thedefaultportvaluefromauth‐opttoforce‐auth.Resetthemodefortheaffectedports

to

auth‐opt.

SeetheConfiguringUserAuthenticationfeatureguideathttps://extranet.enterasys.com/downloads/

foracompletediscussiononMultiAuthconfiguration.

Enabling RADIUS-Snooping

RSisenabledgloballyonthedistribution‐tierswitch.Itisalsoenabledonthedistribution‐tier

switchportsdirectlyattachedtotheedgeswitchthattheRADIUSrequestframestransit,fromthe

edgeswitchtotheRADIUSserver,aswellastheportstheresponseframestransit,fromthe

RADIUS

serverbacktotheedgeswitch.

Configuring Enabled Port Settings

ThenumberofsecondsthefirmwarewaitsforaRADIUSresponseafteritsuccessfullysnoopsa

RADIUSrequestcanbesetper‐port.Ifyoudonotsetthistimeoutattheportlevel,thesystem

levelsettingisused.

InsomecasesitmaybenecessarytodropRADIUStraffic

betweenthedistributiontierdeviceand

theedgeswitches.Youcanenable ordisablepacketdroponaperportbasis.Packetsarealways

droppedforaresourceissuesituation.RSisnotcapableofforcingareauthentica tioneventshould

itbeunabletoinvestigateaRADIUS requestexchange.Droppinga

RADIUSrequestpacketdueto

resourceexhaustion,inmostcases,willcausetheedgedevicetoretryaRADIUSrequest,

providinganotheropportunitytosnooptheRADIUSexchange.Frameswithaninvalidformatfor

thecallingstationIDareonlydroppedwhendropisenabled.Inthecaseofdropping

frameswith

aninvalidformat,authenticationwillnottakeplaceforthisend‐user.

TheauthallocatedvaluespecifiesthemaximumnumberofRSusersperport.Youcanconfigure

thisnumberofallowedRSusersonaperportbasis.Thedefaultvaluedependsuponthesystem

licenseforthisdevice.

Youshouldsetthisauthallocatedvalueequaltoorlessthantheconfigured

valueforthesetmultiauthportnumuserscommand.Thisvalueisthemaximumnumberofusers

perportforallauthenticationclients.Typically ,authallocatedandmultiauthportnumusersare

settothesamevalue.

Populating the RADIUS-Snooping Flow Table

TheRADIUS‐SnoopingflowtableisafilterthatdetermineswhichRADIUSserverandclient

combinationswillbesnooped.Ifthesecretisconfigured,theresponseframesarecheckedfor

validMD5checksum,inordertovalidatethesender.

TheRSflowtablecontainsRADIUSserverandcliententriesforeach

RADIUSserverandclient

combinationforwhichRSwillbeusedonthissystem.TheRADIUSclientIPaddressand

authenticatingRADIUSserverIPaddressaremanuallyenteredintotheRADIUS‐Snoopingflow