3com 5500-SI User Manual

CHAPTER 21: 802.1X CONFIGURATION
returns the configuration information and accounting data to NAS. Here, NAS 
controls users and corresponding connections, while the RADIUS protocol 
regulates how to transmit configuration and accounting information between 
NAS and RADIUS. 
NAS and RADIUS exchange this information in UDP packets. During the
interaction, both sides encrypt the packets with keys before uploading user
configuration information (for example, a password), so that it cannot be
intercepted or stolen.
RADIUS Operation
A RADIUS server generally uses the proxy function of devices such as an access
server to perform user authentication. The operation process is as follows: First,
the user sends a request message (which includes the client username and
encrypted password) to the RADIUS server. Second, the user receives from
the RADIUS server various kinds of response messages, among which the ACCEPT
message indicates that the user has passed authentication, and the REJECT
message indicates that the user has not passed authentication and needs to
input their username and password again; otherwise they will be denied access.
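The exchange described above, sketched in Python as an added example (not part of the 3Com manual or the switch software). It follows the RADIUS specification, RFC 2865, in which the shared key hides the User-Password attribute of the request and authenticates the ACCEPT or REJECT reply. The function names and the sample key are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3  # RFC 2865 packet codes
USER_NAME, USER_PASSWORD = 1, 2                         # RFC 2865 attribute types
SHARED_KEY = b"example-shared-key"  # constructed sample value, not from the manual

def hide_password(password, secret, request_auth):
    """NAS side: XOR each 16-byte block with MD5(secret + previous block)."""
    size = max(16, -(-len(password) // 16) * 16)        # pad to a multiple of 16
    padded, hidden, prev = password.ljust(size, b"\x00"), b"", request_auth
    for i in range(0, size, 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        hidden += prev
    return hidden

def unhide_password(hidden, secret, request_auth):
    """Server side: reverse hide_password and strip the zero padding."""
    clear, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        clear += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return clear.rstrip(b"\x00")

def attribute(attr_type, value):
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_access_request(ident, user, password, secret, request_auth=None):
    """NAS side: returns (packet, request_authenticator)."""
    request_auth = request_auth or os.urandom(16)
    attrs = attribute(USER_NAME, user) + attribute(
        USER_PASSWORD, hide_password(password, secret, request_auth))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + request_auth + attrs, request_auth

def build_response(code, ident, request_auth, secret, attrs=b""):
    """Server side: Access-Accept or Access-Reject with a Response Authenticator."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs

def response_is_authentic(packet, request_auth, secret):
    """NAS side: recompute the Response Authenticator before trusting a reply."""
    if len(packet) < 20 or int.from_bytes(packet[2:4], "big") != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(packet[4:20], expected)
```

Only the password attribute is hidden by the key; the user name travels in clear, and a reply whose authenticator does not match is discarded rather than acted on.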
Implementing AAA/RADIUS on the Ethernet Switch
In the above-mentioned AAA/RADIUS framework, the Switch 5500 Family, serving
as the user access device or NAS, is the client end of RADIUS. In other words, the
client end of AAA/RADIUS is implemented on the Switch 5500.
Figure 107 illustrates the RADIUS authentication network including 5500
Switches.
Figure 107   Networking when Switch 5500 Units are Applying RADIUS Authentication 
Configuring AAA
AAA configuration includes:
Creating/deleting an ISP domain
Configuring relevant attributes of the ISP domain
Creating a local user
Setting attributes of the local user
Disconnecting a user by force
 
[Figure 107 diagram; labels: PC user1, PC user2, PC user3, PC user4, SW 5500, Internet, ISP1, ISP2, Authentication Server, Accounting Server, Accounting Server1, Accounting Server2]