Implementing RADIUS-Snooping

RS requires that unencrypted RADIUS request frames from the edge switch transit the distribution-tier switch before proceeding to the upstream RADIUS server for validation.

Note

A router cannot reside between the RADIUS client and the distribution-tier switch enabled for RS. A router would modify the calling-station ID of the RADIUS request frame, which RS depends upon to learn the MAC address of the end-station for this session.

To configure RS on a distribution-tier switch:

  • Set the global MultiAuth mode to multi
  • Set the MultiAuth port mode to auth-opt for all ports that are part of the RS configuration
  • Globally enable RS on the distribution-tier switch
  • Enable RS on all ports over which RADIUS request and response frames will transit
  • Optionally change the period RS will wait for a RADIUS response frame from the server
  • Populate the RADIUS-Snooping flow table with RS client and RADIUS server combinations
  • Optionally enable RADIUS-Snooping accounting
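The note above says RS learns the end-station MAC from the calling-station ID carried in the unencrypted RADIUS request. The following is an added example, not code from the switch or its vendor, showing how that attribute (Calling-Station-Id, type 31 in RFC 2865) is read out of an Access-Request; the function names and sample frames are constructed for illustration.

```python
import struct

ACCESS_REQUEST = 1            # RADIUS packet code (RFC 2865)
ATTR_USER_NAME = 1
ATTR_CALLING_STATION_ID = 31

def build_access_request(identifier, attrs):
    """Build a constructed Access-Request for the demo (zeroed authenticator)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body))
    return header + bytes(16) + body

def parse_attributes(packet):
    """Return (code, id, {type: [values]}), rejecting malformed TLVs."""
    if len(packet) < 20:
        raise ValueError("shorter than RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad length field")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        attrs.setdefault(a_type, []).append(packet[pos + 2:pos + a_len])
        pos += a_len
    return code, ident, attrs

def station_mac(packet):
    """MAC learned from Calling-Station-Id, or None if absent or not a MAC."""
    code, _, attrs = parse_attributes(packet)
    if code != ACCESS_REQUEST or ATTR_CALLING_STATION_ID not in attrs:
        return None
    raw = attrs[ATTR_CALLING_STATION_ID][0].decode("ascii", "replace")
    digits = "".join(c for c in raw if c not in "-:.").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

# Constructed sample frames (not captured traffic)
FROM_EDGE = build_access_request(7, [(ATTR_USER_NAME, b"alice"),
                                     (ATTR_CALLING_STATION_ID, b"00-11-22-AA-BB-CC")])
NOT_A_MAC = build_access_request(8, [(ATTR_USER_NAME, b"alice"),
                                     (ATTR_CALLING_STATION_ID, b"192.0.2.10")])

if __name__ == "__main__":
    print(station_mac(FROM_EDGE), station_mac(NOT_A_MAC))
```

A request whose Calling-Station-Id is missing or does not hold a MAC address yields no session key, which is the failure the note warns about.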