3Com WX2200 3CRWX220095A Switch User Manual

446 CHAPTER 21: CONFIGURING AAA FOR NETWORK USERS
If one of the RADIUS servers in the group does respond, but it indicates that the user does not exist on the RADIUS server, or that the user is not permitted on the network, then authentication for the user fails, regardless of any additional methods. Only if none of the RADIUS servers in the server group respond does the WX attempt to authenticate using the next method in the list.

Also note that if the primary authentication method is local and the secondary method is RADIUS, but the user does not exist in the local database, then the WX does attempt to authenticate using RADIUS. See "Local Override Exception" on page 443.

Using pass-through authentication as the primary authentication method and the local database as the secondary authentication method is not supported.
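The fallback rules described above, as an added Python model that is not code from the manual or from MSS: a RADIUS server group is queried server by server and the first server that answers (accept or reject) decides, so only a completely silent group falls through to the next method, while a user missing from the local database falls through to RADIUS. The backends are constructed stand-ins for real servers, and treating a local miss followed by a non-RADIUS method as a failure is an assumption the manual does not state.

```python
from enum import Enum

class Result(Enum):
    ACCEPT = "accept"              # user authenticated
    REJECT = "reject"              # server answered: unknown user or not permitted
    NO_RESPONSE = "no-response"    # RADIUS server did not answer
    NOT_FOUND = "not-found"        # user absent from the local database

def query_radius_group(user, servers):
    """First server that answers decides; a silent group yields NO_RESPONSE."""
    for server in servers:
        result = server(user)
        if result is not Result.NO_RESPONSE:
            return result          # ACCEPT or REJECT: no further fallback
    return Result.NO_RESPONSE

def authenticate(user, methods):
    """Evaluate a method list of (kind, backend) pairs in order.
    kind 'local' takes a lookup callable; kind 'radius' takes a server group (list)."""
    for i, (kind, backend) in enumerate(methods):
        if kind == "radius":
            result = query_radius_group(user, backend)
            if result is Result.NO_RESPONSE:
                continue           # only a silent group falls through to the next method
            return result          # a reject ends evaluation even if more methods follow
        if kind == "local":
            result = backend(user)
            next_kind = methods[i + 1][0] if i + 1 < len(methods) else None
            if result is Result.NOT_FOUND and next_kind == "radius":
                continue           # local override exception: missing local user, try RADIUS
            # Assumption: a local miss with no RADIUS method next is a failure
            return Result.REJECT if result is Result.NOT_FOUND else result
        raise ValueError(f"unsupported method kind: {kind}")
    return Result.REJECT           # every method exhausted without a decision

# Constructed sample backends (not real servers or databases)
def local_db(user):
    return {"alice": Result.ACCEPT}.get(user, Result.NOT_FOUND)

def radius_silent(user):
    return Result.NO_RESPONSE

def radius_rejects(user):
    return Result.REJECT

def radius_accepts(user):
    return Result.ACCEPT
```

A reject from any responding RADIUS server is final, which is why a second server group in the list never acts as a "retry" against a policy denial.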
IEEE 802.1X Extensible Authentication Protocol Types
Extensible Authentication Protocol (EAP) is a generic point-to-point protocol that supports multiple authentication mechanisms. EAP has been adopted as a standard by the Institute of Electrical and Electronics Engineers (IEEE). IEEE 802.1X is an encapsulated form for carrying authentication messages in a standard message exchange between a user (client) and an authenticator.

Table 38 summarizes the EAP protocols (also called types or methods) supported by MSS.
Table 38 EAP Authentication Protocols for Local Processing

EAP Type: EAP-MD5 (EAP with Message Digest Algorithm 5)
  Description: Authentication algorithm that uses a challenge-response mechanism to compare hashes.
  Use: Wired authentication only*
  Considerations: This protocol provides no encryption or key establishment.

EAP Type: EAP-TLS (EAP with Transport Layer Security)
  Description: Protocol that provides mutual authentication, integrity-protected encryption algorithm negotiation, and key exchange. EAP-TLS provides encryption and data integrity checking for the connection.
  Use: Wireless and wired authentication. All authentication is processed on the WX switch.
  Considerations: This protocol requires X.509 public key certificates on both sides of the connection. Requires use of the local database. Not supported for RADIUS.