Cisco 4400 validating identity radius
Each has a list of connected country domains (.nl, .dk, .au, etc.) serving the appropriate National Roaming Operators (NROs). They accept requests for federation domains for which they are authoritative, and subsequently forward them to the associated RADIUS server for that federation (and transport the result of the authentication request back). An example of the RADIUS hierarchy is shown in Figure 2.1.
To transfer the user's authentication information securely across the RADIUS infrastructure to their IdP, and to prevent other users from hijacking the connection after successful authentication, the access points or switches deployed by the SP use the IEEE 802.1X standard, which encompasses the use of the Extensible Authentication Protocol (EAP).
They must be kept up-to-date by the responsible IdP.
Requests for federation domains they are not responsible for are forwarded to the proper confederation TLR.
A federation RADIUS server has a list of connected IdP and SP servers and the associated realms.
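
The realm-based forwarding described above, sketched as an added example that is not part of the original page: one routing decision at a federation-level server and one at the confederation TLR. All realms, server names and function names are hypothetical, and rejecting unknown realms under the federation's own country domain is an assumption of this example.

```python
# Added illustration of realm-based routing in a RADIUS hierarchy.
# Every realm and server name here is a constructed sample value.

FEDERATION_NL = {
    "tld": "nl",
    # Realms of connected IdPs -> their RADIUS server (hypothetical names)
    "idp_realms": {"institute-a.nl": "radius.institute-a.example",
                   "institute-b.nl": "radius.institute-b.example"},
    "upstream": "tlr.example",  # confederation top-level server
}
# Country domains the top-level server knows, mapped to federation servers
TLR_FEDERATIONS = {"nl": "flr-nl.example", "dk": "flr-dk.example",
                   "au": "flr-au.example"}


def extract_realm(user_name):
    """Return the normalised realm of an outer identity, or None if malformed."""
    _local, sep, realm = user_name.rpartition("@")
    realm = realm.lower().rstrip(".")
    labels = realm.split(".")
    if not sep or len(labels) < 2:
        return None
    if any(not l.isascii() or not l.replace("-", "").isalnum() for l in labels):
        return None
    return realm


def route_at_federation(fed, user_name):
    """Decide where a federation-level server sends a request."""
    realm = extract_realm(user_name)
    if realm is None:
        return ("reject", "malformed realm")
    if realm in fed["idp_realms"]:
        return ("forward", fed["idp_realms"][realm])
    if realm.rsplit(".", 1)[-1] == fed["tld"]:
        # Assumption of this example: an unknown realm under our own country
        # domain is rejected, since the TLR would only send it straight back.
        return ("reject", "unknown realm in own federation")
    return ("forward", fed["upstream"])


def route_at_tlr(user_name):
    """Decide where the confederation top-level server sends a request."""
    realm = extract_realm(user_name)
    if realm is None:
        return ("reject", "malformed realm")
    server = TLR_FEDERATIONS.get(realm.rsplit(".", 1)[-1])
    if server is None:
        return ("reject", "no federation for this country domain")
    return ("forward", server)
```
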
After successful authentication by the Identity Provider and authorisation by the Service Provider, this SP grants network access to the user, possibly by placing the user in a specific VLAN intended for guests.
In the next chapter, the various elements of this architecture and their functions are described.