3com WX1200 3CRWX120695A Manuel D’Utilisation

C

HAPTER

 21: C

ONFIGURING

 AAA 

FOR

 N

ETWORK

 U

SERS

The following example illustrates how to enable PEAP-MS-CHAP-V2 
offload for the marketing (mktg) group and RADIUS pass-through 
authentication for members of engineering. This example assumes that 
engineering members are using DNS-style naming, such as is used with 
EAP-TLS. A WX server certificate is also required. 

1 Configure the RADIUS server r1 at IP address 10.1.1.1 with the string 

starry for the key. Type the following command:

WX1200# set radius server r1 address 10.1.1.1 key starry

2 Configure the server group sg1 with member r1. Type the following 

command:

WX1200# set server group sg1 members r1

3 To authenticate all 802.1X users of SSID bobblehead in the group mktg 

using PEAP on the WX switch and MS-CHAP-V2 on server sg1, type the 
following command:

WX1200# set authentication dot1x ssid bobblehead mktg\* peap-mschapv2 sg1

4 To authenticate all 802.1X users of SSID aircorp in @eng.example.com via 

pass-through to sg1, type the following command:

WX1200# set authentication dot1x ssid aircorp *@eng.example.com pass-through sg1

5 Save the configuration:

WX1200# save config
success: configuration saved.

The following example shows how to change the VLAN access of wireless 
users in an organization housed in multiple buildings. 

Suppose the wireless users on the faculty of a college English department 
have offices in building A and are authorized to use that building’s 
bldga-prof- VLANs. These users also teach classes in building B. Because 
you do not want to tunnel these users back to building A from building B 
when they use their wireless laptops in class, you configure the location 
policy on the WX switch to redirect them to the bldgb-eng VLAN. 

You also want to allow writing instructors normally authorized to use any 
-techcomm VLAN in the college to access the network through the 
bldgb-eng VLAN when they are in building B.