3com WX1200 3CRWX120695A User Manual

CHAPTER 21: CONFIGURING AAA FOR NETWORK USERS
Configuring AAA for Users of Third-Party APs
A WX switch can provide network access for users associated with a 
third-party AP that has authenticated the users with RADIUS. You can 
connect a third-party AP to a WX switch and configure the WX to provide 
authorization for clients who authenticate and access the network 
through the AP. Figure 32 shows an example.
Figure 32   WX Switch Serving as RADIUS Proxy
Authentication Process for Users of a Third-Party AP
The authentication process for users of a third-party AP is as follows:

1. MSS uses MAC authentication to authenticate the AP.
2. The user contacts the AP and negotiates the authentication protocol to
   be used.
3. The AP, acting as a RADIUS client, sends a RADIUS access-request to the
   WX. The access-request includes the SSID, the user’s MAC address, and
   the username.

   - For 802.1X users, the AP uses 802.1X to authenticate the user, using the
     WX as its RADIUS server. The WX proxies RADIUS requests from the AP to
     a real RADIUS server, depending on the authentication method specified
     in the proxy authentication rule for the user.
   - For non-802.1X users, the AP does not use 802.1X. The WX sends a
     RADIUS query for the special username web-portal-ssid or
     last-resort-ssid, where ssid is the SSID name. The fallthru authentication
     type (web-portal or last-resort) specified for the wired authentication
     port connected to the AP determines which username is used.
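
The two branches of step 3 can be traced on a constructed access-request. This is an added example, not code from the manual or from MSS. It assumes that an EAP-Message attribute marks an 802.1X user and that the SSID arrives as "AP-MAC:SSID" in Called-Station-Id (the RFC 3580 convention); the function names and the "proxy" and "query" labels are hypothetical.

```python
import struct

# RADIUS attribute type codes (RFC 2865, RFC 3579)
USER_NAME, CALLED_STATION_ID, CALLING_STATION_ID, EAP_MESSAGE = 1, 30, 31, 79
FALLTHRU_TYPES = ("web-portal", "last-resort")  # names from the manual text

def attr(code, value):
    """Encode one attribute as type, length, value."""
    return bytes([code, len(value) + 2]) + value

def build_access_request(ident, attrs):
    """Code 1 (Access-Request), id, length, zeroed authenticator, attributes."""
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + bytes(16) + attrs

def parse_attributes(packet):
    """Walk the attribute TLVs, rejecting malformed lengths."""
    if len(packet) < 20:
        raise ValueError("shorter than a RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != 1 or not 20 <= length <= len(packet):
        raise ValueError("not a well-formed Access-Request")
    found, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        found.setdefault(a_type, []).append(packet[pos + 2:pos + a_len])
        pos += a_len
    return found

def lookup_decision(packet, port_fallthru):
    """Return (action, username) for the 802.1X and non-802.1X branches."""
    attrs = parse_attributes(packet)
    if EAP_MESSAGE in attrs:  # assumption: EAP-Message marks an 802.1X user
        return ("proxy", attrs[USER_NAME][0].decode())
    if port_fallthru not in FALLTHRU_TYPES:
        raise ValueError("port has no fallthru authentication type")
    # assumption: SSID arrives as "AP-MAC:SSID" in Called-Station-Id (RFC 3580)
    ssid = attrs[CALLED_STATION_ID][0].decode().split(":", 1)[1]
    return ("query", f"{port_fallthru}-{ssid}")

# Constructed sample requests: MAC addresses, user name and SSID are made up
STATIONS = (attr(CALLING_STATION_ID, b"00-11-22-33-44-55")
            + attr(CALLED_STATION_ID, b"00-AA-BB-CC-DD-EE:guest"))
DOT1X_REQ = build_access_request(1, attr(USER_NAME, b"alice") + STATIONS
                                 + attr(EAP_MESSAGE, b"\x02\x01\x00\x0a\x01alice"))
OPEN_REQ = build_access_request(2, attr(USER_NAME, b"001122334455") + STATIONS)
```

Because every non-802.1X user on an SSID resolves to the same special username, whatever authorization is attached to that username applies to all of them.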
[Figure 32 labels: WX Switch; Wired Layer 2 connection; RADIUS server; Layer 2 or Layer 3]