3Com WX2200 3CRWX220095A Switch User Manual


 
Configuring 802.1X Authentication
The IEEE 802.1X standard is a framework for passing EAP protocols over
a wired or wireless LAN. Within this framework, you can use TLS,
PEAP-TTLS, or EAP-MD5. Most EAP protocols can be passed through the
WX switch to the RADIUS server. Some protocols can be processed locally
on the WX switch.
The following 802.1X authentication command allows differing
authentication treatments for multiple users:
set authentication dot1x {ssid ssid-name | wired} user-glob [bonded] protocol method1 [method2] [method3] [method4]
For example, the following command authenticates wireless user Tamara,
when requesting SSID wetlands, as an 802.1X user using the
PEAP-MS-CHAP-V2 method via the server group shorebirds, which
contains one or more RADIUS servers:
WX1200# set authentication dot1x ssid wetlands Tamara peap-mschapv2 shorebirds
When a user attempts to connect through 802.1X, the following events
occur:
1 For each 802.1X login attempt, MSS examines each command in the
configuration file in strict configuration order.
2 The first command whose SSID and user glob match the SSID and
incoming username is used to process this authentication. The command
determines exactly how this particular login attempt is processed by the
WX switch.
(For more information about user globs, see “User Globs” on page 30.)
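The following added example (not part of the 3Com manual and not MSS code) models the first-match processing described above, to show how rule order decides which server group handles a login and how to flag rules that can never be selected. It assumes the user-glob semantics of the "User Globs" section, which this page does not restate (`**` matches any username; `*` stops at an `@` or `.` delimiter) and exact-case matching; the server group `guestradius` is hypothetical.

```python
import re

# Constructed sample configs. "guestradius" is a hypothetical server group;
# "wetlands", "Tamara" and "shorebirds" come from the manual's example.
MISORDERED = """\
set authentication dot1x ssid wetlands ** peap-mschapv2 guestradius
set authentication dot1x ssid wetlands Tamara peap-mschapv2 shorebirds
"""
ORDERED = "\n".join(reversed(MISORDERED.splitlines()))

def glob_to_regex(glob):
    # Assumed user-glob semantics: "**" matches anything; "*" matches up to,
    # but not including, a delimiter character ("@" or ".").
    conv = {"**": ".*", "*": "[^@.]*"}
    parts = re.split(r"(\*\*|\*)", glob)
    return re.compile("".join(conv.get(p) or re.escape(p) for p in parts))

def parse_rules(text):
    rules = []
    for line in text.splitlines():
        tok = line.split()
        if tok[:3] != ["set", "authentication", "dot1x"]:
            continue  # not an 802.1X authentication rule
        tok = tok[3:]
        if tok[0] == "ssid":
            scope, tok = ("ssid", tok[1]), tok[2:]
        else:
            scope, tok = ("wired", None), tok[1:]
        glob, tok = tok[0], tok[1:]
        bonded = tok[0] == "bonded"
        protocol, *methods = tok[1:] if bonded else tok
        rules.append({"scope": scope, "glob": glob, "bonded": bonded,
                      "protocol": protocol, "methods": methods, "line": line})
    return rules

def first_match(rules, user, ssid=None):
    # Strict configuration order: the first rule whose SSID (or wired scope)
    # and user glob both match decides how the login is processed.
    scope = ("ssid", ssid) if ssid else ("wired", None)
    for rule in rules:
        if rule["scope"] == scope and glob_to_regex(rule["glob"]).fullmatch(user):
            return rule
    return None

def shadowed(rules):
    # Rules placed after a "**" rule for the same scope can never be selected.
    caught, dead = set(), []
    for rule in rules:
        if rule["scope"] in caught:
            dead.append(rule)
        elif rule["glob"] == "**":
            caught.add(rule["scope"])
    return dead
```

With the misordered configuration, Tamara is handled by the catch-all rule and never reaches the shorebirds server group; `shadowed()` reports her rule as unreachable.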
Configuring EAP Offload
You can configure the WX switch to offload all EAP processing from
server groups. In this case, the RADIUS server is not required to
communicate using the EAP protocols.
For PEAP-MS-CHAP-V2 offload, you define a complete user profile in the
local WX database and only a username and password on a RADIUS
server.