Configuring AAA for Users of Third-Party APs
For any users of an AP that sends SSID traffic to the WX on an untagged VLAN, the WX does not use 802.1X. The WX sends a RADIUS query for the special username web-portal-wired or last-resort-wired, depending on the fallthru authentication type specified for the wired

5 After successful RADIUS authentication of the user (or special username, for non-802.1X users), MSS assigns authorization attributes to the user from the RADIUS server’s access-accept response.

6 When the user’s session ends, the third-party AP sends a RADIUS stop-accounting record to the WX. The WX then removes the session.
Requirements

Third-Party AP Requirements

The third-party AP must be connected to the WX switch through a wired Layer 2 link. MSS cannot provide data services if the AP and WX are in different Layer 3 subnets.

The AP must be configured as the WX’s RADIUS client.

The AP must be configured so that all traffic for a given SSID is mapped to the same 802.1Q tagged VLAN. If the AP has multiple SSIDs, each SSID must use a different tag value.

The AP must be configured to send the following information in a RADIUS access-request, for each user who wants to connect to the WLAN through the WX switch:

  SSID requested by the user. The SSID can be attached to the end of the called-station-id (per Congdon), or can be in a VSA (for

  Calling-station-id that includes the user’s MAC address. The MAC address can be in any of the following formats:

    — Separated by colons (for example, AA:BB:CC:DD:EE:FF)
    — Separated by dashes (for example, AA-BB-CC-DD-EE-FF)
    — Separated by dots (for example, AABB.CCDD.EEFF)

The AP must be configured to send a RADIUS stop-accounting record when a user’s session ends.
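
The Calling-station-id and called-station-id rules above, as an added Python example (not MSS code and not part of the original manual): it reduces the three accepted MAC layouts to one canonical form and splits an SSID appended to the called-station-id, so one client is matched consistently in access rules and accounting logs whichever AP reported it. The function names, the sample requests and the "AP MAC, colon, SSID" layout (taken from RFC 3580) are assumptions; the VSA alternative is not handled.

```python
import re

# The three Calling-Station-Id MAC layouts listed above.
MAC_LAYOUTS = (
    re.compile(r"[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}"),   # AA:BB:CC:DD:EE:FF
    re.compile(r"[0-9A-Fa-f]{2}(-[0-9A-Fa-f]{2}){5}"),   # AA-BB-CC-DD-EE-FF
    re.compile(r"[0-9A-Fa-f]{4}(\.[0-9A-Fa-f]{4}){2}"),  # AABB.CCDD.EEFF
)

def normalize_mac(value):
    """Return 12 lowercase hex digits; reject mixed or unknown layouts."""
    if not any(p.fullmatch(value) for p in MAC_LAYOUTS):
        raise ValueError(f"unsupported MAC layout: {value!r}")
    return re.sub(r"[:.-]", "", value).lower()

def split_called_station_id(value):
    """Split '<AP MAC>:<SSID>' (assumed RFC 3580 layout) into (ap_mac, ssid)."""
    for width in (17, 14):  # 17 = colon or dash layout, 14 = dotted layout
        head, tail = value[:width], value[width:]
        try:
            ap_mac = normalize_mac(head)
        except ValueError:
            continue
        # An SSID is 1 to 32 octets and may itself contain ':'.
        if tail.startswith(":") and 1 <= len(tail[1:].encode("utf-8")) <= 32:
            return ap_mac, tail[1:]
        raise ValueError(f"no usable SSID after AP MAC: {value!r}")
    raise ValueError(f"no AP MAC prefix: {value!r}")

def session_identity(attrs):
    """Map one access-request's attributes to (client_mac, ssid)."""
    client_mac = normalize_mac(attrs["Calling-Station-Id"])
    _, ssid = split_called_station_id(attrs["Called-Station-Id"])
    return client_mac, ssid

# Constructed sample requests: one client behind three APs that each
# format MAC addresses differently.
SAMPLES = [
    {"Calling-Station-Id": "AA:BB:CC:DD:EE:FF",
     "Called-Station-Id": "00-10-A4-23-19-C0:corp"},
    {"Calling-Station-Id": "aa-bb-cc-dd-ee-ff",
     "Called-Station-Id": "00:10:A4:23:19:C1:corp"},
    {"Calling-Station-Id": "AABB.CCDD.EEFF",
     "Called-Station-Id": "0010.A423.19C2:corp"},
]

if __name__ == "__main__":
    for request in SAMPLES:
        print(session_identity(request))  # one identity across all three APs
```

Values that mix separators or omit the SSID raise ValueError instead of being guessed at, which keeps malformed attributes out of any lookup keyed on the MAC address.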