Device Security 113

MAC ACL Name: mac1
Rule Number: 1
Action......................................... deny
Destination MAC Address........................ 00:11:22:33:44:55
Destination MAC Mask........................... 00:00:00:00:FF:FF
Log............................................ TRUE

RADIUS

Making use of a single database of accessible information, as in an Authentication Server, can greatly simplify the authentication and management of users in a large network. One such type of Authentication Server supports the Remote Authentication Dial In User Service (RADIUS) protocol as defined by RFC 2865.

For authenticating users prior to access, the RADIUS standard has become the protocol of choice by administrators of large accessible networks. To accomplish the authentication in a secure manner, the RADIUS client and RADIUS server must both be configured with the same shared password or "secret". This "secret" is used to generate one-way encrypted authenticators that are present in all RADIUS packets. The "secret" is never transmitted over the network.

RADIUS conforms to a secure communications client/server model using UDP as a transport protocol. It is extremely flexible, supporting a variety of methods to authenticate and statistically track users. RADIUS is also extensible, allowing for new methods of authentication to be added without disrupting existing functionality.

As a user attempts to connect to a functioning RADIUS supported network, a device referred to as the Network Access Server (NAS) or switch/router first detects the contact. The NAS or user-login interface then prompts the user for a name and password. The NAS encrypts the supplied information and a RADIUS client transports the request to a pre-configured RADIUS server. The server can authenticate the user itself, or make use of a back-end device to ascertain authenticity. In either case a response may or may not be forthcoming to the client.

If the server accepts the user, it returns a positive result with attributes containing configuration information. If the server rejects the user, it returns a negative result. If the server rejects the client or the shared "secrets" differ, the server returns no result. If the server requires additional verification from the user, it returns a challenge, and the request process begins again.

RADIUS Configuration Examples

This section contains examples of commands used to configure RADIUS settings on the switch.
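The RADIUS exchange described in the section above (the NAS hides the user's password with the shared secret, the server answers with an Access-Accept, Access-Reject or Access-Challenge, and a mismatched secret leaves the client with no usable result) is illustrated by the following added Python example. It is not part of this manual and is not a switch command; it models both the client and the server in one process rather than sending UDP, and the shared secrets, the user name "alice" and her password are constructed sample values. The password hiding and the Response Authenticator follow RFC 2865 sections 5.2 and 3.

```python
import hashlib
import hmac
import os
import struct

# RFC 2865 packet codes and attribute types used in this example
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_REPLY_MESSAGE = 1, 2, 18

# Constructed sample values (assumptions, not from the manual)
SHARED_SECRET = b"example-shared-secret"
USERS = {b"alice": b"correct horse battery"}   # the server's user database


def encode_attr(attr_type, value):
    """Type-Length-Value encoding; Length covers the two header bytes."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attrs(data):
    attrs, i = {}, 0
    while i < len(data):
        attr_type, length = data[i], data[i + 1]
        attrs[attr_type] = data[i + 2:i + length]
        i += length
    return attrs


def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: pad to a 16-byte multiple, XOR each block with
    MD5(secret + previous ciphertext block), seeded by the Request Authenticator.
    The secret itself never goes on the wire, only its effect on the password."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def reveal_password(hidden, secret, request_auth):
    """Inverse of hide_password; trailing NUL padding is stripped."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out, prev = out + bytes(a ^ b for a, b in zip(block, key)), block
    return out.rstrip(b"\x00")


def build_access_request(identifier, username, password, secret, request_auth=None):
    """Client (NAS) side: 20-byte header with a random Request Authenticator."""
    request_auth = request_auth or os.urandom(16)
    attrs = (encode_attr(ATTR_USER_NAME, username)
             + encode_attr(ATTR_USER_PASSWORD, hide_password(password, secret, request_auth)))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + request_auth + attrs


def build_response(code, request, secret, attrs=b""):
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    response_auth = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + response_auth + attrs


def verify_response(response, request, secret):
    """Client side: a reply that does not verify (wrong secret, tampering, or a
    stray identifier) is silently discarded, i.e. treated as 'no result'."""
    header, response_auth, attrs = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return response[1] == request[1] and hmac.compare_digest(expected, response_auth)


def server_handle(request, server_secret):
    """Server side: recover the password with its own copy of the secret and
    answer Accept (with a configuration attribute) or Reject."""
    attrs = parse_attrs(request[20:])
    password = reveal_password(attrs.get(ATTR_USER_PASSWORD, b""), server_secret, request[4:20])
    if USERS.get(attrs.get(ATTR_USER_NAME)) == password:
        return build_response(ACCESS_ACCEPT, request, server_secret,
                              encode_attr(ATTR_REPLY_MESSAGE, b"welcome"))
    return build_response(ACCESS_REJECT, request, server_secret)


def authenticate(username, password, client_secret, server_secret):
    """Whole exchange; returns the packet code, or None when the client must discard the reply."""
    request = build_access_request(7, username, password, client_secret)
    response = server_handle(request, server_secret)
    return response[0] if verify_response(response, request, client_secret) else None


if __name__ == "__main__":
    print(authenticate(b"alice", b"correct horse battery", SHARED_SECRET, SHARED_SECRET))  # 2 (Accept)
    print(authenticate(b"alice", b"wrong", SHARED_SECRET, SHARED_SECRET))                  # 3 (Reject)
    print(authenticate(b"alice", b"correct horse battery", SHARED_SECRET, b"other"))       # None
```

The third call shows the "secrets differ" case from the text: the server recovers a garbage password and rejects, but its reply is also computed over a different secret, so the client's verification fails and the reply is dropped as if nothing came back. Note that the User-Password hiding is MD5-based obfuscation rather than modern encryption, which is one reason the manual's advice to keep the secret configured identically and never transmitted matters.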