446 CHAPTER 21: CONFIGURING AAA FOR NETWORK USERS
If one of the RADIUS servers in the group does respond, but it indicates
that the user does not exist on the RADIUS server, or that the user is not
permitted on the network, then authentication for the user fails,
regardless of any additional methods. Only if all the RADIUS servers in the
server group do not respond does the WX attempt to authenticate using
the next method in the list.
Also note that if the primary authentication method is local and the
secondary method is RADIUS, but the user does not exist in the local
database, then the WX does attempt to authenticate using RADIUS. See
“Local Override Exception” on page 443.
Using pass-through authentication as the primary authentication method and
the local database as the secondary authentication method is not supported.
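The fall-through rules described above, modeled as an added Python example (not MSS code and not part of the original manual). The group name `grp1`, the sample user database and the `authenticate` function are hypothetical, and treating a wrong local password as a final rejection is an assumption the page does not state.

```python
import hmac
from enum import Enum

class Reply(Enum):
    ACCEPT = "accept"
    REJECT = "reject"    # server answered: unknown user, or user not permitted
    TIMEOUT = "timeout"  # server did not respond

def group_outcome(replies):
    """First server in the group that responds decides; None if every server is silent."""
    for reply in replies:
        if reply is not Reply.TIMEOUT:
            return reply
    return None

def authenticate(user, password, methods, local_db, groups):
    """Walk the ordered method list; return (result, method that decided)."""
    for method in methods:
        if method == "local":
            if user not in local_db:
                continue  # user absent from local database: try the next method
            ok = hmac.compare_digest(local_db[user].encode(), password.encode())
            # Assumption: a wrong local password is final (the page does not say).
            return ("accept" if ok else "reject", "local")
        outcome = group_outcome(groups[method])
        if outcome is None:
            continue      # no server in the group responded: try the next method
        return (outcome.value, method)  # any response, accept or reject, is final
    return ("reject", None)             # method list exhausted

# Constructed sample data (hypothetical names and credentials).
LOCAL_DB = {"alice": "s3cret"}

if __name__ == "__main__":
    cases = [
        ("reject is final", "alice", ["grp1", "local"], [Reply.TIMEOUT, Reply.REJECT]),
        ("group silent", "alice", ["grp1", "local"], [Reply.TIMEOUT, Reply.TIMEOUT]),
        ("not in local db", "bob", ["local", "grp1"], [Reply.ACCEPT]),
    ]
    for label, user, methods, replies in cases:
        print(label, authenticate(user, "s3cret", methods, LOCAL_DB, {"grp1": replies}))
```

The first case is the one to watch when reviewing a method list: a single RADIUS rejection ends the attempt even though the same user would pass the local check that follows.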
Extensible Authentication Protocol (EAP) is a generic point-to-point
protocol that supports multiple authentication mechanisms. EAP has
been adopted as a standard by the Institute of Electrical and Electronics
Engineers (IEEE). IEEE 802.1X is an encapsulated form for carrying
authentication messages in a standard message exchange between a user
(client) and an authenticator.
Table 38 summarizes the EAP protocols (also called types or methods)
supported by MSS.
Table 38 EAP Authentication Protocols for Local Processing
EAP Type Description Use Considerations
that uses a
mechanism to compare
encryption or key
Protocol that provides
negotiation, and key
provides encryption and
data integrity checking for
Wireless and wired
All authentication is
processed on the
both sides of
Requires use of