Multiple RADIUS Authentication Domains

Introduction

Document Number

ENG-010466

Purpose

The purpose of this feature is to allow more than one authentication domain for Radius Authentication. Prior to FP29 the system only supported a single Radius Authentication Domain for all devices on that NE. The Multiple Radius Domains profile allows multiple Radius Authentication Domains to be defined and specific devices to be directed to each Radius cluster. For example, you might want your phones and PCs to authenticate to separate Radius clusters.

Applies To

All Tellabs OLT products.

Default Radius Profile

The default profile is defined on the EMS by right-clicking on the OLT and selecting:

Protocol->Port Authentication.

This tab defines a radius cluster of machines which is associated with the default authentication domain.  Each radius server address defines a radius machine within the Radius Cluster.

Radius Profiles

With FP29 and above, additional Radius profiles can be defined, each of which defines a Radius cluster.

The Radius Profile(s) would be associated with a PAE Profile. This would allow multiple radius domains to be associated with a single port. Typically one Radius domain would be associated with the voice network and one Radius domain would be associated with one or more data devices on the same port.

A particular Radius cluster is selected from the list of radius clusters in the Radius Profile based on a MAC OUI filter,


 

Note: The Radius Server list defines a cluster. Each cluster can have up to 4 servers and is treated as a list of servers: one is used as the active server, and up to 3 others can be failed over to in the event that the active server in the list fails.

When the source MAC OUI of an 802.1x request matches the MAC OUI in a Radius Profile, the associated Radius Server list is used.

If the OLT detects an incoming 802.1x supplicant packet that matches a MAC OUI filter, the OLT sends the 802.1x request to the radius server list associated with that Radius Domain.

The OLT sends the 802.1x supplicant packet to the first radius server on the list. If that radius server does not answer, the remaining radius servers of the cluster are attempted in the order specified in the radius server list for the appropriate radius cluster.

PAE Profiles

The PAE profile or Port Authentication Entity Profile will then define the list of Radius profiles that are to be associated with the port.  Each Radius domain will have an entry in the list.  If no MAC OUI matches, the default Radius Authentication Domain will be used.
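The selection logic described above (MAC OUI match, fallback to the default domain, ordered failover within a cluster) can be modelled as follows. This is an added example, not Tellabs code or EMS configuration: the function names, profile names, OUIs and server addresses are all hypothetical. The overlap check is an assumption of the sketch, since the page does not say how the OLT treats an OUI listed in two Radius Profiles.

```python
import re

MAX_SERVERS = 4  # the page's limit: one active server plus up to 3 failover servers

def oui(mac):
    """Return the OUI (first three octets) of a MAC address as 'AA:BB:CC'."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in (0, 2, 4)).upper()

def validate(pae_profile, default_servers):
    """Reject server lists outside 1..4 entries and OUIs claimed by two domains."""
    seen = {}
    for name, prof in pae_profile.items():
        if not 1 <= len(prof["servers"]) <= MAX_SERVERS:
            raise ValueError(f"{name}: cluster must list 1 to {MAX_SERVERS} servers")
        for o in prof["ouis"]:
            key = oui(o + ":00:00:00")  # pad the 3-octet filter to a full MAC
            if key in seen:  # assumption: ambiguous filters are a config error
                raise ValueError(f"OUI {key} is in both {seen[key]} and {name}")
            seen[key] = name
    if not 1 <= len(default_servers) <= MAX_SERVERS:
        raise ValueError(f"default cluster must list 1 to {MAX_SERVERS} servers")
    return seen  # maps OUI -> Radius profile name

def select_domain(src_mac, oui_map):
    """Pick the Radius profile whose OUI filter matches, else the default domain."""
    return oui_map.get(oui(src_mac), "default")

def pick_server(servers, is_answering):
    """Try servers in list order; return the first that answers, or None."""
    return next((s for s in servers if is_answering(s)), None)

# Constructed sample configuration (OUIs and addresses are made up).
PAE_PROFILE = {
    "voice": {"ouis": ["00:11:22"], "servers": ["192.0.2.10", "192.0.2.11"]},
    "data": {"ouis": ["AA:BB:CC", "AA:BB:CD"], "servers": ["198.51.100.5"]},
}
DEFAULT_SERVERS = ["203.0.113.1", "203.0.113.2"]

if __name__ == "__main__":
    oui_map = validate(PAE_PROFILE, DEFAULT_SERVERS)
    for mac in ("00-11-22-33-44-55", "aabb.ccdd.eeff", "DE:AD:BE:EF:00:01"):
        domain = select_domain(mac, oui_map)
        servers = PAE_PROFILE[domain]["servers"] if domain != "default" else DEFAULT_SERVERS
        # Simulate the first voice server not answering to show the failover order.
        print(mac, domain, pick_server(servers, lambda s: s != "192.0.2.10"))
```

Because the domain is chosen from the source MAC alone, the model also shows which RADIUS cluster any given device address would be sent to, which is useful when reviewing OUI filters before deploying them.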

 

Summary

Multiple RADIUS Authentication Domains is a powerful feature that can be utilized to allow authentication to multiple Radius domains.


 
