Client Name in Local MAC Authentication List
125
19
RADIUS
Making use of a single database of accessible information – as in an Authentication Server –
can greatly simplify the authentication and management of users in a large network. One such
type of Authentication Server supports the Remote Authentication Dial In User Service
(RADIUS) protocol as defined by RFC 2865.
For authenticating users prior to access, the RADIUS standard has become the protocol of
choice by administrators of large accessible networks. To accomplish the authentication in a
secure manner, the RADIUS client and RADIUS server must both be configured with the
same shared password or “secret”. This “secret” is used to generate one-way encrypted
authenticators that are present in all RADIUS packets. The “secret” is never transmitted over
the network.
RADIUS conforms to a secure communications client/server model using UDP as a transport
protocol. It is extremely flexible, supporting a variety of methods to authenticate and
statistically track users. RADIUS is also extensible, allowing for new methods of
authentication to be added without disrupting existing functionality.
As a user attempts to connect to a functioning RADIUS supported network, a device referred
to as the Network Access Server (NAS) first detects the contact. For wired clients, the NAS is
the DWS-3000 switch; for wireless clients, the AP serves as the NAS. The NAS or user-login
interface then prompts the user for a name and password. The NAS encrypts the supplied
information and a RADIUS client transports the request to a pre-configured RADIUS server.
The server can authenticate the user itself, or make use of a back-end device to ascertain
authenticity. In either case a response may or may not be forthcoming to the client. If the
server accepts the user, it returns a positive result with attributes containing configuration
information. If the server rejects the user, it returns a negative result. If the server rejects the
client or the shared “secrets” differ, the server returns no result. If the server requires
additional verification from the user, it returns a challenge, and the request process begins
again.
Client Name in Local MAC Authentication List
A wireless client MAC address can be configured in the AP MAC authentication list. A user-
friendly name of up to 32 printable ASCII characters can be assigned to a client entry in the
local Client MAC Authentication list. This is a configurable parameter and persists over
switch reboots. The client name cannot be assigned to a client entry on a RADIUS server.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
