3Com WX1200 3CRWX120695A User Manual
Chapter 21: Configuring AAA for Network Users
Combining EAP Offload with Pass-Through Authentication
The following example illustrates how to enable PEAP-MS-CHAP-V2
offload for the marketing (mktg) group and RADIUS pass-through
authentication for members of engineering. This example assumes that
engineering members are using DNS-style naming, such as is used with
EAP-TLS. A WX server certificate is also required.
1 Configure the RADIUS server r1 at IP address 10.1.1.1 with the string
starry for the key. Type the following command:
WX1200# set radius server r1 address 10.1.1.1 key starry
2 Configure the server group sg1 with member r1. Type the following
command:
WX1200# set server group sg1 members r1
3 To authenticate all 802.1X users of SSID bobblehead in the group mktg
using PEAP on the WX switch and MS-CHAP-V2 on server sg1, type the
following command:
WX1200# set authentication dot1x ssid bobblehead mktg\* peap-mschapv2 sg1
4 To authenticate all 802.1X users of SSID aircorp in @eng.example.com via
pass-through to sg1, type the following command:
WX1200# set authentication dot1x ssid aircorp *@eng.example.com pass-through sg1
5 Save the configuration:
WX1200# save config
success: configuration saved.
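The following Python example is added here and is not from the 3Com manual. It parses the two set authentication dot1x rules from steps 3 and 4 and reports which rule, if any, a given SSID and username pair would hit, so you can confirm that no intended user falls through unmatched. It assumes user-glob semantics in which * stops at the delimiters @ and . while ** matches anything, and that the first matching rule wins; the function names and sample usernames are hypothetical.

```python
import re

# Constructed sample: the commands from steps 1-4 as they would be typed.
CONFIG = r"""
set radius server r1 address 10.1.1.1 key starry
set server group sg1 members r1
set authentication dot1x ssid bobblehead mktg\* peap-mschapv2 sg1
set authentication dot1x ssid aircorp *@eng.example.com pass-through sg1
"""

RULE = re.compile(r"^set authentication dot1x ssid (\S+) (\S+) (\S+) (\S+)$")


def glob_to_regex(glob):
    """Translate a user glob into a compiled regex.

    Assumption: '**' matches any string; a single '*' matches a run of
    characters that does not cross the delimiters '@' or '.'.
    """
    parts, i = [], 0
    while i < len(glob):
        if glob.startswith("**", i):
            parts.append(".*")
            i += 2
        elif glob[i] == "*":
            parts.append("[^@.]*")
            i += 1
        else:
            parts.append(re.escape(glob[i]))
            i += 1
    return re.compile("".join(parts))


def parse_rules(config):
    """Return (ssid, glob, method, server_group) tuples in config order."""
    rules = []
    for line in config.splitlines():
        m = RULE.match(line.strip())
        if m:
            rules.append(m.groups())
    return rules


def resolve(rules, ssid, username):
    """Return (method, server_group) of the first matching rule, else None.

    Assumption: rules are evaluated in configuration order.
    """
    for r_ssid, glob, method, group in rules:
        if r_ssid == ssid and glob_to_regex(glob).fullmatch(username):
            return method, group
    return None
```

A None result means the user matches no 802.1X rule on that SSID. Under the stated glob assumption, a username with a period before the @ (for example carol.lee@eng.example.com) does not match *@eng.example.com.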
Overriding AAA-Assigned VLANs
The following example shows how to change the VLAN access of wireless
users in an organization housed in multiple buildings.
Suppose the wireless users on the faculty of a college English department
have offices in building A and are authorized to use that building’s
bldga-prof- VLANs. These users also teach classes in building B. Because
you do not want to tunnel these users back to building A from building B
when they use their wireless laptops in class, you configure the location
policy on the WX switch to redirect them to the bldgb-eng VLAN.
You also want to allow writing instructors normally authorized to use any
-techcomm VLAN in the college to access the network through the
bldgb-eng VLAN when they are in building B.