
Clarification regarding Setting Up Radius Snooping on an N-Series


Article ID: 11759

Products
Matrix N-Series DFE, firmware 6.11.01.0040 and higher

Goals
Configure Radius Snooping on an Enterasys N-Series switch/router.

Solution
Per 6.11.01.0040 release notes, in the 'Feature Enhancements' section:
NEW FEATURE SUMMARY
RADIUS Snooping - RADIUS Snooping allows network managers to manage downstream "user" connections even when Enterasys Secure Networks capabilities are not deployed on the network edge or the edge is made up of third party switches. This feature allows deployments in which simpler, less feature rich devices perform basic access control at the network edge, and the N-Series provides for the ability to apply complex, user and service based CoS provisioning, authorization and usage auditing. After the downstream devices authenticate their local sessions with a RADIUS server that lives upstream of the distribution tier, the distribution tier N-Series will be able to see and 'snoop' on all the RADIUS request and response frames as they are sent between the clients and the server. The contents of these frames will be used to add local sessions to the N-Series which can be provisioned like directly connected sessions.

Radius Snooping is discussed in some detail in the Radius-Snooping Feature Guide.

However, two factors that must be considered before Radius Snooping can be successfully enabled and configured are not mentioned in the Nov 7 2008 version of the Feature Guide (they are included in the Apr 16 2009 version).

Memory size

A minimum of 256 MB of memory (described as SDRAM in the output of a 'show system hardware' command) is required on all modules in order to enable Radius Snooping.

Here is an example of an attempt to violate this requirement:

    Matrix N3 Platinum(su)->set radius-snooping enable
    Setting the RADIUS Snooping system parameters failed - please check log for details.
    Matrix N3 Platinum(su)->

Here is the generated Fault Log error message:

    <164>Mar 18 12:36:28 10.20.1.15 RadSnoop[3.tEmanate10]RADIUS Snooping is not functional on this slot as 256 MB is required
The resolution to this issue is to purchase and install a DFE-256MB-UGK memory kit.

Multiauthentication settings

In addition to the radius-snooping commands, the full suite of multiauth commands can also be used to "manage" the snooped sessions and stations.

Multiauthentication settings must therefore also be considered in order for Radius Snooping to function:
  • The global multiauth mode must be changed from the default value of "strict" to "multi" mode, in order to authenticate multiple downstream users (possibly using license-expanded limits: 5468):
    set multiauth mode multi
  • Upon the change to "multi" mode, all ports change from a default value of "auth-opt" (authentication is optional) to "force-auth" (authentication is assumed to have occurred). In order to have any Radius authentication traffic to snoop as desired, both the upstream (where the Radius Server is located) and the downstream (where the edge switches conducting the actual authentication are located) Radius Snooping ports must be configured as "auth-opt":
    set multiauth port mode auth-opt <port#>
In the following example, consider these test values:

The upstream port is fe.3.1 and is where the Radius Server is connected. The Radius Server has IP address 10.20.1.6, the non-policy based authenticating switch on the edge has IP address 10.20.1.17, and is connected to fe.3.44 on the N-Series switch.

Globally enable multiauthentication, then restore the proper multiauth port setting on the Radius Snooping ports:

    Matrix N3 Platinum(su)->set multiauth mode multi
    Matrix N3 Platinum(su)->show multiauth

    Multiple authentication system configuration
    -------------------------------------------------
    Supported types : dot1x, pwa, mac, cep, radius-snooping
    Maximum number of users : 1024
    Current number of users : 0
    System mode : multi
    Default precedence : dot1x, pwa, mac, cep, radius-snooping
    Admin precedence :
    Operational precedence : dot1x, pwa, mac, cep, radius-snooping

    Matrix N3 Platinum(su)->set multiauth port mode auth-opt fe.3.1,44
    Matrix N3 Platinum(su)->show multiauth port fe.3.1,44

    Port         Mode          Max        Allowed    Current
                               users      users      users
    ------------ ------------- ---------- ---------- ----------
    fe.3.1       auth-opt      2048       256        0
    fe.3.44      auth-opt      2048       256        0

    Matrix N3 Platinum(su)->
Then, configure Radius Snooping as suggested in the Feature Guide's sample configuration:

    set radius-snooping enable
    set radius-snooping timeout 15
    set radius-snooping flow 1 10.20.1.17 10.20.1.6 1812 mysecret
    set radius-snooping port enable timeout 0 drop enable authallocated 256 fe.3.1
    set radius-snooping port enable timeout 0 drop enable authallocated 256 fe.3.44
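As an added example (not part of this article or of any Extreme Networks tool), here is a Python pre-check that parses the two show outputs above and reports which multiauth settings still block Radius Snooping on the upstream and downstream ports, together with the command from this article that corrects each one. The sample inputs are constructed from the article's output, with fe.3.1 left in the force-auth state that "multi" mode applies to ports by default.

```python
import re

# Constructed sample input: the 'show multiauth' output quoted in this article.
SHOW_MULTIAUTH = """\
Multiple authentication system configuration
-------------------------------------------------
Supported types : dot1x, pwa, mac, cep, radius-snooping
Maximum number of users : 1024
Current number of users : 0
System mode : multi
Default precedence : dot1x, pwa, mac, cep, radius-snooping
Admin precedence :
Operational precedence : dot1x, pwa, mac, cep, radius-snooping
"""

# Constructed sample: 'show multiauth port' right after 'set multiauth mode multi'
# has flipped the upstream port fe.3.1 to force-auth (fe.3.44 already fixed).
SHOW_MULTIAUTH_PORT = """\
Port         Mode          Max        Allowed    Current
                           users      users      users
------------ ------------- ---------- ---------- ----------
fe.3.1       force-auth    2048       256        0
fe.3.44      auth-opt      2048       256        0
"""

def parse_system_mode(text):
    """Extract the 'System mode' value (strict or multi) from 'show multiauth'."""
    m = re.search(r"^System mode\s*:\s*(\S+)", text, re.M)
    return m.group(1) if m else None

def parse_port_modes(text):
    """Map port name -> multiauth port mode from the rows of 'show multiauth port'."""
    modes = {}
    for line in text.splitlines():
        m = re.match(r"^([a-z]+\.\d+\.\d+)\s+(\S+)\s+\d+\s+\d+\s+\d+\s*$", line)
        if m:
            modes[m.group(1)] = m.group(2)
    return modes

def snooping_precheck(multiauth_out, port_out, snoop_ports):
    """Return the multiauth settings that stop snooping on snoop_ports, with the fix."""
    issues = []
    mode = parse_system_mode(multiauth_out)
    if mode != "multi":
        issues.append(f"system mode is {mode!r}; run: set multiauth mode multi")
    modes = parse_port_modes(port_out)
    for port in snoop_ports:
        if modes.get(port) != "auth-opt":
            issues.append(f"{port} mode is {modes.get(port)!r}; run: set multiauth port mode auth-opt {port}")
    return issues
```

A port missing from the show output (typo in the port list, or a module that is not present) is reported the same way as a wrong mode, so the check fails closed rather than silently passing.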
See also: 10283 and 11537.
