3Com WX2200 3CRWX220095A Switch User Manual


 
444 CHAPTER 21: CONFIGURING AAA FOR NETWORK USERS
Remote Authentication with Local Backup
You can use a combination of authentication methods; for example,
PEAP offload and local authentication. When PEAP offload is configured,
the WX switch offloads all EAP processing from server groups; the
RADIUS servers are not required to communicate using the EAP
protocols. (For details, see “Configuring EAP Offload” on page 449.) In
the event that RADIUS servers are unavailable, local authentication takes
place, using the database on the WX switch.
Suppose an administrator wants to rely on RADIUS servers and also wants
to ensure that a certain group of users always gets access. As shown in
the following example, the administrator can enable PEAP offload, so
that authentication is performed by a RADIUS server group as the first
method for these users, and configure local authentication last, in case
the RADIUS servers are unavailable. (See Figure 31.)
1 To configure server-1 and server-2 at IP addresses 192.168.253.1 and
192.168.253.2 with the password chey3nn3, the administrator enters
the following commands:
WX1200# set radius server server-1 address 192.168.253.1 key chey3nn3
WX1200# set radius server server-2 address 192.168.253.2 key chey3nn3
2 To configure server-1 and server-2 into server-group-1, the administrator
enters the following command:
WX1200# set server group server-group-1 members server-1 server-2
3 To enable PEAP offload plus local authentication for all users of SSID
mycorp at @example.com, the administrator enters the following
command.
WX1200# set authentication dot1x ssid mycorp *@example.com pass-through
server-group-1 local