Implementing RADIUS-Snooping

RS requires that unencrypted RADIUS request frames, from the edge switch, transit the distribution-tier switch, before proceeding to the up-stream RADIUS server for validation.

Note

A router cannot reside between the RADIUS client and the distribution-tier switch enabled for RS. The presence of a router would modify the calling-station ID of the RADIUS request frame that RS depends upon to learn the MAC address of the end-station for this session.

To configure RS on a distribution-tier switch:

• Set the global MultiAuth mode to multi
• Set the MultiAuth port mode to auth-opt for all ports that are part of the RS configuration
• Globally enable RS on the distribution-tier switch
• Enable RS on all ports over which RADIUS request and response frames will transit
• Optionally change the period RS will wait for a RADIUS response frame from the server
• Populate the RADIUS-Snooping flow table with RS client and RADIUS server combinations
• Optionally enable RADIUS-Snooping accounting