This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Extreme Networks
- Community List
- Training, Documentation, & General Discussions
- FAQs
- Clarification regarding Setting Up Radius Snooping...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Clarification regarding Setting Up Radius Snooping on an N-Series
Clarification regarding Setting Up Radius Snooping on an N-Series
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
11-21-2013 11:51 PM
Article ID: 11759
Products
Matrix N-Series DFE, firmware 6.11.01.0040 and higher
Goals
Configure Radius Snooping on an Enterasys N-Series switch/router.
Solution
Per 6.11.01.0040 release notes, in the 'Feature Enhancements' section:
NEW FEATURE SUMMARY
RADIUS Snooping - RADIUS Snooping allows network managers to manage downstream "user" connections even when Enterasys Secure Networks capabilities are not deployed on the network edge or the edge is made up of third party switches. This feature allows deployments in which simpler, less feature rich devices perform basic access control at the network edge, and the N-Series provides for the ability to apply complex, user and service based CoS provisioning, authorization and usage auditing. After the downstream devices authenticate their local sessions with a RADIUS server that lives upstream of the distribution tier, the distribution tier N-Series will be able to see and 'snoop' on all the RADIUS request and response frames as they are sent between the clients and the server. The contents of these frames will be used to add local sessions to the N-Series which can be provisioned like directly connected sessions.
Radius Snooping is discussed in some detail, in the Radius-Snooping Feature Guide.
However, not mentioned in the Nov 7 2008 version (but included in the Apr 16 2009 version) of the Feature Guide are two factors which must be considered before Radius Snooping may be successfully enabled and configured.
Memory size
A minimum of 256 MB of memory (described as SDRAM in the output of a 'show system hardware' command) is required on all modules in order to enable Radius Snooping.
Here is an example of an attempt to violate this requirement: Matrix N3 Platinum(su)->set radius-snooping enable
Setting the RADIUS Snooping system parameters failed - please check log for details.
Matrix N3 Platinum(su)->
Here is the generated Fault Log error message: <164>Mar 18 12:36:28 10.20.1.15 RadSnoop[3.tEmanate10]RADIUS Snooping is not functio
nal on this slot as 256 MB is required
The resolution to this issue is to purchase and install a DFE-256MB-UGK memory kit.
Multiauthentication settings
In addition to the radius-snooping commands, to "manage" the snooped sessions and stations the user can also utilize the full suite of multiauth commands.
Multiauthentication settings must therefore also be considered in order for Radius Snooping to function:
The upstream port is fe.3.1 and is where the Radius Server is connected. The Radius Server has IP address 10.20.1.6, the non-policy based authenticating switch on the edge has IP address 10.20.1.17, and is connected to fe.3.44 on the N-Series switch.
Globally enable multiauthentication, then restore the proper multiauth port setting on the Radius Snooping ports: Matrix N3 Platinum(su)->set multiauth mode multi
Matrix N3 Platinum(su)->show multiauth
Multiple authentication system configuration
-------------------------------------------------
Supported types : dot1x, pwa, mac, cep, radius-snooping
Maximum number of users : 1024
Current number of users : 0
System mode : multi
Default precedence : dot1x, pwa, mac, cep, radius-snooping
Admin precedence :
Operational precedence : dot1x, pwa, mac, cep, radius-snooping
Matrix N3 Platinum(su)->set multiauth port mode auth-opt fe.3.1,44
Matrix N3 Platinum(su)->show multiauth port fe.3.1,44
Port Mode Max Allowed Current
users users users
------------ ------------- ---------- ---------- ----------
fe.3.1 auth-opt 2048 256 0
fe.3.44 auth-opt 2048 256 0
Matrix N3 Platinum(su)->
Then, configure Radius Snooping as suggested in the Feature Guide's sample configuration: set radius-snooping enable
set radius-snooping timeout 15
set radius-snooping flow 1 10.20.1.17 10.20.1.6 1812 mysecret
set radius-snooping port enable timeout 0 drop enable authallocated 256 fe.3.1
set radius-snooping port enable timeout 0 drop enable authallocated 256 fe.3.44
See also: 10283 and 11537.
Products
Matrix N-Series DFE, firmware 6.11.01.0040 and higher
Goals
Configure Radius Snooping on an Enterasys N-Series switch/router.
Solution
Per 6.11.01.0040 release notes, in the 'Feature Enhancements' section:
NEW FEATURE SUMMARY
RADIUS Snooping - RADIUS Snooping allows network managers to manage downstream "user" connections even when Enterasys Secure Networks capabilities are not deployed on the network edge or the edge is made up of third party switches. This feature allows deployments in which simpler, less feature rich devices perform basic access control at the network edge, and the N-Series provides for the ability to apply complex, user and service based CoS provisioning, authorization and usage auditing. After the downstream devices authenticate their local sessions with a RADIUS server that lives upstream of the distribution tier, the distribution tier N-Series will be able to see and 'snoop' on all the RADIUS request and response frames as they are sent between the clients and the server. The contents of these frames will be used to add local sessions to the N-Series which can be provisioned like directly connected sessions.
Radius Snooping is discussed in some detail, in the Radius-Snooping Feature Guide.
However, not mentioned in the Nov 7 2008 version (but included in the Apr 16 2009 version) of the Feature Guide are two factors which must be considered before Radius Snooping may be successfully enabled and configured.
Memory size
A minimum of 256 MB of memory (described as SDRAM in the output of a 'show system hardware' command) is required on all modules in order to enable Radius Snooping.
Here is an example of an attempt to violate this requirement: Matrix N3 Platinum(su)->set radius-snooping enable
Setting the RADIUS Snooping system parameters failed - please check log for details.
Matrix N3 Platinum(su)->
Here is the generated Fault Log error message: <164>Mar 18 12:36:28 10.20.1.15 RadSnoop[3.tEmanate10]RADIUS Snooping is not functio
nal on this slot as 256 MB is required
The resolution to this issue is to purchase and install a DFE-256MB-UGK memory kit.
Multiauthentication settings
In addition to the radius-snooping commands, to "manage" the snooped sessions and stations the user can also utilize the full suite of multiauth commands.
Multiauthentication settings must therefore also be considered in order for Radius Snooping to function:
- The global multiauth mode must be changed from the default value of "strict" to "multi" mode, in order to authenticate multiple downstream users (possibly using license-expanded limits: 5468😞
- set multiauth mode multi
- Upon the change to "multi" mode, all ports change from a default value of "auth-opt" (authentication is optional) to "force-auth" (authentication is assumed to have occurred). In order to have any Radius authentication traffic to snoop as desired, both the upstream (where the Radius Server is located) and the downstream (where the edge switches conducting the actual authentication are located) Radius Snooping ports must be configured as "auth-opt":
- set multiauth port mode auth-opt <port#>
The upstream port is fe.3.1 and is where the Radius Server is connected. The Radius Server has IP address 10.20.1.6, the non-policy based authenticating switch on the edge has IP address 10.20.1.17, and is connected to fe.3.44 on the N-Series switch.
Globally enable multiauthentication, then restore the proper multiauth port setting on the Radius Snooping ports: Matrix N3 Platinum(su)->set multiauth mode multi
Matrix N3 Platinum(su)->show multiauth
Multiple authentication system configuration
-------------------------------------------------
Supported types : dot1x, pwa, mac, cep, radius-snooping
Maximum number of users : 1024
Current number of users : 0
System mode : multi
Default precedence : dot1x, pwa, mac, cep, radius-snooping
Admin precedence :
Operational precedence : dot1x, pwa, mac, cep, radius-snooping
Matrix N3 Platinum(su)->set multiauth port mode auth-opt fe.3.1,44
Matrix N3 Platinum(su)->show multiauth port fe.3.1,44
Port Mode Max Allowed Current
users users users
------------ ------------- ---------- ---------- ----------
fe.3.1 auth-opt 2048 256 0
fe.3.44 auth-opt 2048 256 0
Matrix N3 Platinum(su)->
Then, configure Radius Snooping as suggested in the Feature Guide's sample configuration: set radius-snooping enable
set radius-snooping timeout 15
set radius-snooping flow 1 10.20.1.17 10.20.1.6 1812 mysecret
set radius-snooping port enable timeout 0 drop enable authallocated 256 fe.3.1
set radius-snooping port enable timeout 0 drop enable authallocated 256 fe.3.44
See also: 10283 and 11537.
0 REPLIES 0
