Remote Authentication Dial-In User Service (RADIUS)
Remote Authentication Dial-In User Service (RADIUS) is a networking protocol that provides centralized Authentication, Authorization, and Accounting (AAA) management for computers that connect to and use a network service. RADIUS is also used for user authentication on the command line interface (CLI); the RADIUS server sends back a set of TLVs (Tag Length Value attributes) that define the VLAN, network policies, and other pieces of information for the session.
Overview
This section describes how to configure the 802.1x and RADIUS protocols. Refer to the Application Note, Configuring Policy via Radius Authentication, ENG-010428 for further details.
This feature allows more than one authentication domain for RADIUS authentication; the current EMS supports a single RADIUS authentication domain for all devices on an OLT.
If the user is using the 802.1x protocol to authenticate ports via RADIUS, the user will need to configure the default RADIUS Profile. The default RADIUS Profile is configured by right-clicking the OLT and selecting Protocol → Port Authentication. Refer to the Configure PAE RADIUS procedures in Auto-Provisioning for details about setting the 802.1x configuration.
Now the user can authenticate more than one RADIUS domain by creating additional RADIUS profiles that include a Media Access Control (MAC) filter that allows the authentication of specific vendor equipment to a different domain. The PAE profile points to the default and filtered RADIUS domains. Typically this is used to filter phones off to one RADIUS domain and PCs to another domain. If no filters match, then the default RADIUS domain is used for authentication.
Refer to the diagrams, Single RADIUS Authentication Domain and Multiple RADIUS Authentication Domain, illustrated below, to determine when to use each type of RADIUS domain.
Single RADIUS Authentication Domain

Multiple RADIUS Authentication Domain

This feature supports a list of RADIUS clusters in the form of a RADIUS profile. The RADIUS profile is associated with a Port Authentication Entity (PAE) profile (refer to Port Authentication Entity (PAE) Profiles). This allows multiple RADIUS domains to be associated with a single port. In practice, one RADIUS domain would be associated with Voice over Internet Protocol (VoIP) phones, and another with one or more data devices on the same port.
| Note 1: If a hostname is used, the OLT must be configured with the DNS server information and default domain. |
| Note 2: Session Initiated Protocol (SIP) voice lines on ONTs do not use RADIUS authentication because they do not participate in 802.1x. They are considered a hardware part of the system and hence are considered to be trusted interfaces. 802.1x is performed only on untrusted subscriber ports. |
Match MAC OUI to RADIUS Cluster
A particular RADIUS cluster is selected from the list of RADIUS clusters in the RADIUS profile based on MAC Organizationally Unique Identifier (OUI).
A RADIUS server list defines a cluster. Each cluster can hold up to 4 servers and is treated as an ordered list of servers: one is used as the active server, and up to 3 others can be failed over to in the event that the active server fails.
If the Optical Line Terminal detects an incoming 802.1x supplicant packet that matches a MAC filter, the OLT sends an 802.1x request to the associated RADIUS server list.
If the OLT detects an incoming 802.1x supplicant packet that does not match any non-zero MAC filter, the request is directed to the RADIUS cluster listed in the default RADIUS profile.
The RADIUS domain is therefore selected by filtering on MAC address: the supplicant's MAC/OUI is matched to a RADIUS cluster.
| Note: The default RADIUS profile should not specify a MAC/OUI filter. |
Within a cluster, the OLT sends 802.1x supplicant packets to the first RADIUS server on the list. If the RADIUS server does not answer, then the OLT sends 802.1x supplicant packets to each of the other RADIUS servers of the cluster on the RADIUS server list in turn.
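The cluster selection and in-cluster failover described above, as an added Python model (not the EMS or OLT code); the profile names, server addresses and the OUI 00:11:22 are constructed sample values, and `send` stands in for the OLT's actual RADIUS exchange:

```python
from dataclasses import dataclass
from typing import Callable, Optional

MAX_SERVERS_PER_CLUSTER = 4          # one active server plus up to 3 failovers
HEX = "0123456789ABCDEF"

def hex_digits(s: str) -> str:
    """Strip ':' '-' '.' separators and upper-case the hex digits of a MAC or OUI."""
    return "".join(c for c in s.upper() if c in HEX)

def oui_of(mac: str) -> str:
    """First three octets of a 48-bit MAC, as six upper-case hex digits."""
    h = hex_digits(mac)
    if len(h) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return h[:6]

@dataclass
class RadiusProfile:
    name: str
    servers: list                    # the cluster, in failover order
    oui_filter: str = ""             # "" = default profile (no MAC/OUI filter)

    def __post_init__(self):
        if not 1 <= len(self.servers) <= MAX_SERVERS_PER_CLUSTER:
            raise ValueError(f"{self.name}: a cluster holds 1..{MAX_SERVERS_PER_CLUSTER} servers")
        if self.oui_filter and len(hex_digits(self.oui_filter)) != 6:
            raise ValueError(f"{self.name}: OUI filter must be three octets")

def select_cluster(pae_profiles: list, supplicant_mac: str) -> RadiusProfile:
    """Return the profile whose non-zero OUI filter matches the supplicant, else the default."""
    oui = oui_of(supplicant_mac)
    default = None
    for profile in pae_profiles:
        if profile.oui_filter == "":
            default = profile
        elif hex_digits(profile.oui_filter) == oui:
            return profile
    if default is None:
        raise LookupError("PAE profile has no default RADIUS profile")
    return default

def authenticate(profile: RadiusProfile, send: Callable[[str], bool]) -> Optional[str]:
    """Forward the 802.1x request to the active server, then to each failover in turn.
    send(server) returns True when that server answers; the answering server is returned."""
    for server in profile.servers:
        if send(server):
            return server
    return None                      # whole cluster unreachable

# Constructed sample PAE profile: phones (made-up OUI 00:11:22) go to a voice
# RADIUS domain; everything else falls through to the default data domain.
VOICE = RadiusProfile("radius-voice", ["10.0.1.1", "10.0.1.2"], oui_filter="00:11:22")
DATA = RadiusProfile("radius-data", ["10.0.2.1", "10.0.2.2", "10.0.2.3"])
PAE_PROFILE = [DATA, VOICE]
```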
The EMS creates a RADIUS profile with the appropriate contents, ensuring compatibility. Only the default RADIUS profile is copied to each PAE profile.
The default PAE filter, on upgrade of the OLT, is updated to add the attribute for the RADIUS profile and points to the default profile. This allows upgrading existing databases to support the RADIUS profile while preserving backward compatibility.
Change of Authorization Overview
With the existing RADIUS protocol, a device could be terminated only when the 802.1x supplicant next re-authenticated it, leaving a suspicious device with access to the network for an extended period after it had been identified.
Change of Authorization (CoA) provides a mechanism for addressing the PAE protocol, which acts as the gatekeeper that verifies external devices; if a device is deemed a security risk, it can be disconnected from the network. As more devices such as cell phones, laptops and other devices are brought into controlled environments, it is desirable to support such devices and to encourage a policy-based approach that provides a positive security posture. Change of Authorization (CoA) defines the Dynamic Authorization Client (DAC), which generates the CoA requests or Disconnect requests. Disconnect messages are either acknowledged or not acknowledged. The DAC sends a Disconnect message to terminate a user session.
The Dynamic Authorization Server (DAS) or policy server receives the CoA request and in turn transfers it to the Optical Line Terminal (OLT).
Use the RADIUS tab, on the Ethernet Port Profiles screen, to create, edit, clone, or delete RADIUS line profiles and monitor the status of a profile edit or profile deletion.
- To access RADIUS, right-click the Profiles icon on the Main Window Toolbar.
- For RADIUS-related procedures, refer below: