Specifications

RADIUS-Snooping Overview

June 03, 2011 Page 5 of 12

Figure 1 RADIUS-Snooping Overview

Figure 1onpage 5illustratestheRADIUSrequestframeandRADIUSresponseframepaths.As

theRADIUSrequestframefromtheRADIUSclientedgedevicetransitsthedistribution‐tier

switch,itissnooped.AnRSsessioniscreatedonthedistribution ‐tierswitch,if:

•RADIUSsnoopingisenabledontheswitch

•RADIUS

Snoopingisenabledontheport

•TheRADIUSclientedgedeviceandRADIUSservercombinationaredefinedintheRADIUS

snoopingflowtable

WhentheRADIUSserverreceivestherequest,theauthenticatingdeviceisfirstvalidated.After

validatingthe authenticatingdevice,theserverauthenticatestheusersessionitselfbasedon

passedusername

andpasswordattributes.Ifthatsucceedsanaccessacceptmessagecontaining

RADIUSattributesissentbacktotheclient,otherwiseanaccessrejectmessageissentback.Asthe

RADIUSresponseframetransitsthedistribution‐tierswitch,theRADIUSattributescontainedin

theresponseframeareappliedtothissession,

ifanRSsessionwascreatedforthisclientserver

combinationandthesessionhasnottimedout.

RADIUS Server

Distribution-Tier

Switch

Edge Switch

The RADIUS Response Frame

RADIUS Request Frame is snooped

by the distribution-tier switch

RADIUS Request Frame

RADIUS Response Frame

RADIUS Response Frame is

snooped by the distribution-tier

switch