3com WXR100 3CRWXR10095A User Manual

Configuring AAA for Users of Third-Party APs
For any users of an AP that sends SSID traffic to the WX on an untagged 
VLAN, the WX does not use 802.1X. The WX sends a RADIUS query for 
the special username web-portal-wired or last-resort-wired,
depending on the fallthru authentication type specified for the wired 
authentication port.
After successful RADIUS authentication of the user (or special username, 
for non-802.1X users), MSS assigns authorization attributes to the user 
from the RADIUS server’s access-accept response.
When the user’s session ends, the third-party AP sends a RADIUS 
stop-accounting record to the WX. The WX then removes the session. 
Requirements
Third-Party AP Requirements
- The third-party AP must be connected to the WX switch through a
  wired Layer 2 link. MSS cannot provide data services if the AP and WX
  are in different Layer 3 subnets.
- The AP must be configured as the WX’s RADIUS client.
- The AP must be configured so that all traffic for a given SSID is
  mapped to the same 802.1Q tagged VLAN. If the AP has multiple
  SSIDs, each SSID must use a different tag value.
- The AP must be configured to send the following information in a
  RADIUS access-request, for each user who wants to connect to the
  WLAN through the WX switch:
  - SSID requested by the user. The SSID can be attached to the end of
    the called-station-id (per Congdon), or can be in a VSA (for
    example, cisco-vsa:ssid=r12-cisco-1).
  - Calling-station-id that includes the user’s MAC address. The MAC
    address can be in any of the following formats:
    - Separated by colons (for example, AA:BB:CC:DD:EE:FF)
    - Separated by dashes (for example, AA-BB-CC-DD-EE-FF)
    - Separated by dots (for example, AABB.CCDD.EEFF)
  - Username
- The AP must be configured to send a RADIUS stop-accounting record
  when a user’s session ends.
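The access-request attributes listed above can be checked on a decoded request before a third-party AP goes into service. The following Python is an added example, not code from the manual or from MSS. It assumes the request has already been decoded into a dict, that the SSID is appended to Called-Station-Id as `MAC:SSID` (the RFC 3580 layout), and that VSA text carries `ssid=<name>`; the function names and the `VSA` key are hypothetical.

```python
import re

# The three MAC layouts the manual accepts in Calling-Station-Id.
_MAC_RE = re.compile(
    r"(?:[0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5}"    # AA:BB:CC:DD:EE:FF
    r"|[0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5}"      # AA-BB-CC-DD-EE-FF
    r"|[0-9A-Fa-f]{4}(?:\.[0-9A-Fa-f]{4}){2})"    # AABB.CCDD.EEFF
)

def normalize_mac(value):
    """Return 12 lowercase hex digits, or None if not one of the three layouts."""
    value = value.strip()
    if not _MAC_RE.fullmatch(value):
        return None  # mixed separators or wrong length are rejected
    return re.sub(r"[:.-]", "", value).lower()

def ssid_from_called_station_id(value):
    """SSID appended to the AP MAC as 'MAC:SSID' (assumed RFC 3580 layout)."""
    m = _MAC_RE.match(value)
    # Match the MAC first: a colon-separated MAC must not be split as the SSID.
    if not m or value[m.end():m.end() + 1] != ":":
        return None
    return value[m.end() + 1:] or None

def ssid_from_vsa(value):
    """SSID from VSA text such as 'cisco-vsa:ssid=r12-cisco-1' (assumed form)."""
    m = re.search(r"(?:^|:)ssid=(.+)$", value)
    return m.group(1) if m else None

def check_access_request(attrs):
    """Return (station_mac, ssid, problems) for a dict of decoded attributes."""
    problems = []
    mac = normalize_mac(attrs.get("Calling-Station-Id", ""))
    if mac is None:
        problems.append("Calling-Station-Id is not a supported MAC format")
    ssid = ssid_from_called_station_id(attrs.get("Called-Station-Id", ""))
    if ssid is None:  # fall back to the VSA form
        ssid = next(filter(None, map(ssid_from_vsa, attrs.get("VSA", []))), None)
    if ssid is None:
        problems.append("no SSID in Called-Station-Id or VSA")
    if not attrs.get("User-Name"):
        problems.append("User-Name missing")
    return mac, ssid, problems

# Constructed sample request (not captured from a real AP).
SAMPLE = {"User-Name": "alice", "Calling-Station-Id": "AABB.CCDD.EEFF",
          "Called-Station-Id": "00-10-A4-23-19-C0",
          "VSA": ["cisco-vsa:ssid=r12-cisco-1"]}
```

An empty `problems` list means the request carries all three items the WX needs; each entry otherwise names the attribute to fix in the AP configuration.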