Filter
Top Products
478 Configuring AAA for network users
NN47250-500 (320657-F Version 02.01)
Remote authentication with local backup
You can use a combination of authentication methods; for example, PEAP offload and local authentication. When PEAP
offload is configured, the WSS offloads all EAP processing from server groups; the RADIUS servers are not required to
communicate using the EAP protocols. (For details, see “Configuring 802.1X Acceleration” (page 484).) In the event
that RADIUS servers are unavailable, local authentication takes place, using the database on the WSS.
Suppose an administrator wants to rely on RADIUS servers and also wants to ensure that a certain group of users always
gets access. As shown in the following example, the administrator can enable PEAP offload, so that authentication is
performed by a RADIUS server group as the first method for these users, and configure local authentication last, in case
the RADIUS servers are unavailable. (See Figure 2.)
1 To configure server-1 and server-2 at IP addresses 192.168.253.1 and 192.168.253.2 with the password
chey3nn3, the administrator enters the following commands:
WSS# set radius server server-1 address 192.168.253.1 key chey3nn3
WSS# set radius server server-2 address 192.168.253.2 key chey3nn3
2 To configure server-1 and server-2 into server-group-1, the administrator enters the following command:
WSS# set server group server-group-1 members server-1 server-2
3 To enable PEAP offload plus local authentication for all users of SSID mycorp at @example.com, the
administrator enters the following command.
WSS# set authentication dot1x ssid mycorp *@example.com peap-mschapv2
server-group-1 local
Figure 2 shows the results of this combination of methods.
Figure 2. Remote authentication with PEAP offload using local
authentication as backup
840-9502-0025
RADIUS
Server-1
Server-group-1
RADIUS
Server-2
WSS
local database
pass fail
set authentication dot1x ssid mycorp *@example.com peap-mschapv2 server-group-1 local
1
1 2 3
4
5