Open as PDF
516 CHAPTER 21: CONFIGURING AAA FOR NETWORK USERS
The following example illustrates how to enable PEAP-MS-CHAP-V2
offload for the marketing (mktg) group and RADIUS pass-through
authentication for members of engineering. This example assumes that
engineering members are using DNS-style naming, such as is used with
EAP-TLS. A WX server certificate is also required.
1 Configure the RADIUS server r1 at IP address 10.1.1.1 with the string
starry for the key. Type the following command:
WX1200# set radius server r1 address 10.1.1.1 key starry
2 Configure the server group sg1 with member r1. Type the following
WX1200# set server group sg1 members r1
3 To authenticate all 802.1X users of SSID bobblehead in the group mktg
using PEAP on the WX switch and MS-CHAP-V2 on server sg1, type the
WX1200# set authentication dot1x ssid bobblehead mktg\* peap-mschapv2 sg1
4 To authenticate all 802.1X users of SSID aircorp in @eng.example.com via
pass-through to sg1, type the following command:
WX1200# set authentication dot1x ssid aircorp *@eng.example.com pass-through sg1
5 Save the configuration:
WX1200# save config
success: configuration saved.
The following example shows how to change the VLAN access of wireless
users in an organization housed in multiple buildings.
Suppose the wireless users on the faculty of a college English department
have offices in building A and are authorized to use that building’s
bldga-prof- VLANs. These users also teach classes in building B. Because
you do not want to tunnel these users back to building A from building B
when they use their wireless laptops in class, you configure the location
policy on the WX switch to redirect them to the bldgb-eng VLAN.
You also want to allow writing instructors normally authorized to use any
-techcomm VLAN in the college to access the network through the
bldgb-eng VLAN when they are in building B.