3Com WX2200 3CRWX220095A Switch User Manual


 
Avoiding AAA Problems in Configuration Order
Configuration Producing an Incorrect Processing Order
For example, suppose you initially set up start-stop accounting as follows
for all 802.1X users via RADIUS server group 1:
WX1200# set accounting dot1x ssid mycorp * start-stop group1
success: change accepted.
You then set up PEAP-MS-CHAP-V2 authentication and authorization for all
users at EXAMPLE/ at server group 1. Finally, you set up PEAP-MS-CHAP-V2
authentication and authorization for all users in the local WX database, with
the intention that EXAMPLE users are to be processed first:
WX1200# set authentication dot1x ssid mycorp EXAMPLE/* peap-mschapv2 group1
success: change accepted.
WX1200# set authentication dot1x ssid mycorp * peap-mschapv2 local
success: change accepted.
The following configuration order results. The authentication commands
are reversed: the command for the * glob now precedes the command for
EXAMPLE/*. Because * also matches EXAMPLE/ users, MSS processes the
authentication of all 802.1X users in the local database and ignores the
command for EXAMPLE/ users.
WX1200# display aaa
...
set accounting dot1x ssid mycorp * start-stop group1
set authentication dot1x ssid mycorp * peap-mschapv2 local
set authentication dot1x ssid mycorp EXAMPLE/* peap-mschapv2 group1
Configuration for a Correct Processing Order
To avoid processing errors for authentication and accounting commands
that include order-sensitive user globs, enter the commands for each user
glob in pairs.
For example, to set accounting and authorization for 802.1X users as you
intended in “Configuration Producing an Incorrect Processing Order” on
page 509, enter an accounting and authentication command for each
user glob in the order in which you want them processed:
WX1200# set accounting dot1x ssid mycorp EXAMPLE/* start-stop group1
success: change accepted.
WX1200# set authentication dot1x ssid mycorp EXAMPLE/* peap-mschapv2 group1
success: change accepted.
WX1200# set accounting dot1x ssid mycorp * start-stop group1
success: change accepted.
WX1200# set authentication dot1x ssid mycorp * peap-mschapv2 local
success: change accepted.
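An audit for the ordering problem described above, as an added example that is not part of the 3Com manual: it parses `display aaa`-style lines and reports which rule handles a given user and which rules sit behind an earlier, broader glob. It assumes the first matching user glob wins and that `*` matches any run of characters; the function names are hypothetical.

```python
import re

# Constructed samples: the rule lines from this page, in the two orders shown.
BAD = """\
set accounting dot1x ssid mycorp * start-stop group1
set authentication dot1x ssid mycorp * peap-mschapv2 local
set authentication dot1x ssid mycorp EXAMPLE/* peap-mschapv2 group1
"""
GOOD = """\
set accounting dot1x ssid mycorp EXAMPLE/* start-stop group1
set authentication dot1x ssid mycorp EXAMPLE/* peap-mschapv2 group1
set accounting dot1x ssid mycorp * start-stop group1
set authentication dot1x ssid mycorp * peap-mschapv2 local
"""

RULE = re.compile(r"^set (authentication|accounting) (\S+) ssid (\S+) (\S+) (.+)$")

def parse(text):
    """Return rules in configuration order: (kind, access, ssid, glob, methods)."""
    return [m.groups() for m in map(RULE.match, text.splitlines()) if m]

def glob_re(glob):
    # Assumption: '*' stands for any run of characters; everything else is literal.
    return re.compile(re.escape(glob).replace(r"\*", ".*") + r"\Z")

def first_match(rules, kind, access, ssid, user):
    """Rule that handles `user`, assuming the first matching glob wins."""
    for r in rules:
        if r[:3] == (kind, access, ssid) and glob_re(r[3]).match(user):
            return r
    return None

def shadowed(rules):
    """Heuristic: (rule, earlier_rule) pairs where an earlier glob of the same
    kind/access/SSID already catches a username the later glob targets."""
    out = []
    for i, r in enumerate(rules):
        probe = r[3].replace("*", "x")  # one username this glob is meant to catch
        for e in rules[:i]:
            if e[:3] == r[:3] and glob_re(e[3]).match(probe):
                out.append((r, e))
                break
    return out
```

Run `shadowed(parse(...))` on saved `display aaa` output after each AAA change; an empty list means no rule is hidden behind an earlier glob under these assumptions.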