Specifications

RADIUS-Snooping Overview

June 03, 2011 Page 4 of 12

table.Bydefault,theRADIUS‐Snoopingflowtableisempty.Entriesareaddedtotheflowtable

baseduponanindexentry.Thefirstmatchingentryinthetableisusedforthecontinuationofthe

authenticationprocess.

WhenaninvestigatedRADIUSframetransitstheRS‐enabledportwithamatch

intheflowtable,

RSwilltrackthatRADIUSrequestandresponseexchangeandwillbuildaMultiAuthsessionfor

theend‐user,baseduponwhatitfindsintheRADIUSresponseframes.

Setting the RADIUS-Snooping Timeout

AtimeoutisconfiguredtosetthenumberofsecondsthatthefirmwarewaitsforaRADIUS

responseframetobereturnedfromtheRADIUSserver,aftersuccessfullysnoopingaRADIUS

requestframefromtheclient.Ifnoresponseisseenbeforethetimeoutexpires,thesessionis

terminated.

RADIUS-Snooping Management

RADIUS‐Snoopingmanagementoptionsareavailableto:

•TerminateallRSsessionsoronaperportorMACaddressbasis

•ResetallRSconfigurationtoitsdefaultsettings

•ClearallRADIUS‐Snoopingflowtableentriesorperindexentry

•DisplayRSstatistics

RADIUS Session Attributes

TheRADIUSattributesdefiningthe sessionarereturnedintheRADIUSresponseframe.RADIUS

attributesareusedtoconfiguretheuseronthesystem.AttributesexplicitlysupportedbyRSthat

maybeincludedintheRADIUSresponseframeare:

•Idle‐Timeout–IfnoframesareseenfromthisMACaddress,

forthenumberofseconds

configured,thesessionwillbeterminated.

•Session‐Timeout–Thesessionisterminatedafterthenumberofsecondsconfigured.

•Filter‐ID –Definesthepolicyprofile(role)andCLImanagementprivilegelevel,justasit

wouldforanyotherlocalauthenticationagent.

•Tunnel‐Group‐Id–Specifies

theVLANIDforthissession.

Note: Numerous attributes may be supported by the RADIUS client for general RADIUS protocol

support. Such attributes are beyond the scope of this document. This RS implementation does not

interfere with normal RADIUS client attribute support. The list above indicates attributes actually

used by this RADIUS-Snooping application once authentication is successfully completed.