3Com WX2200 3CRWX220095A Switch User Manual


 
484 CHAPTER 21: CONFIGURING AAA FOR NETWORK USERS
WX Switch Requirements
The WX port connected to the third-party AP must be configured as a
wired authentication port. If SSID traffic from the AP is tagged, the
same VLAN tag value must be used on the wired authentication port.
A MAC authentication rule must be configured to authenticate the
AP.
The WX must be configured as a RADIUS proxy for the AP. The WX is
a RADIUS server to the AP but remains a RADIUS client to the real
RADIUS servers.
The WX system IP address must be the same as the IP address configured
on the VLAN that contains the proxy port.
An authentication proxy rule must be configured for the AP’s users.
The rule matches based on SSID and username, and selects the
authentication method (a RADIUS server group) for proxying.
RADIUS Server Requirements
For 802.1X users, the usernames and passwords must be configured
on the RADIUS server.
For non-802.1X users of a tagged SSID, the special username
web-portal-ssid or last-resort-ssid must be configured, where ssid
is the SSID name. The fallthru authentication type (web-portal or
last-resort) specified for the wired authentication port connected to
the AP determines which username you need to configure.
For any users of an untagged SSID, the special username
web-portal-wired or last-resort-wired must be configured,
depending on the fallthru authentication type specified for the wired
authentication port.
Configuring
Authentication for
802.1X Users of a
Third-Party AP with
Tagged SSIDs
To configure MSS to authenticate 802.1X users of a third-party AP, use
the commands below to do the following:
Configure the port connected to the AP as a wired authentication
port. Use the following command:
set port type wired-auth port-list [tag tag-list]
[max-sessions num]
[auth-fall-thru {last-resort | none | web-portal}]