Open as PDF
482 CHAPTER 21: CONFIGURING AAA FOR NETWORK USERS
for Users of
A WX switch can provide network access for users associated with a
third-party AP that has authenticated the users with RADIUS. You can
connect a third-party AP to a WX switch and configure the WX to provide
authorization for clients who authenticate and access the network
through the AP. Figure 32 shows an example.
Figure 32 WX Switch Serving as RADIUS Proxy
Process for Users of a
The authentication process for users of a third-party AP is as follows:
1 MSS uses MAC authentication to authenticate the AP.
2 The user contacts the AP and negotiates the authentication protocol to
3 The AP, acting as a RADIUS client, sends a RADIUS access-request to the
WX. The access-request includes the SSID, the user’s MAC address, and
4 For 802.1X users, the AP uses 802.1X to authenticate the user, using the
WX as its RADIUS server. The WX proxies RADIUS requests from the AP to
a real RADIUS server, depending on the authentication method specified
in the proxy authentication rule for the user.
For non-802.1X users, the AP does not use 802.1X. The WX sends a
RADIUS query for the special username web-portal-ssid or
last-resort-ssid, where ssid is the SSID name. The fallthru authentication
type (web-portal or last-resort) specified for the wired authentication
port connected to the AP determines which username is used.
Wired Layer 2
or Layer 3