Nortel 2350 User Guide

Configuring AAA for network users 481
Nortel WLAN—Security Switch 2300 Series Configuration Guide
Ways a WSS can use EAP
Network users with 802.1X support cannot access the network unless they are authenticated. You can configure a WSS to authenticate users with EAP on a group of RADIUS servers and/or in a local user database on the WSS, or to offload some authentication tasks from the server group. Table 2 details these three basic WSS authentication approaches.
(For information about digital certificates, see 
Table 2: Three basic WSS approaches to EAP authentication

| Approach | Description |
|---|---|
| Pass-through | An EAP session is established directly between the client and RADIUS server, passing through the WSS. User information resides on the server. All authentication information and certificate exchanges pass through the switch or use client certificates issued by a certificate authority (CA). In this case, the switch does not need a digital certificate, although the client might. |
| Local | The WSS performs all authentication using information in a local user database configured on the switch, or using a client-supplied certificate. No RADIUS servers are required. In this case, the switch needs a digital certificate. If you plan to use the EAP with Transport Layer Security (EAP-TLS) authentication protocol, the clients also need certificates. |
| Offload | The WSS offloads all EAP processing from a RADIUS server by establishing a TLS session between the switch and the client. In this case, the switch needs a digital certificate. When you use offload, RADIUS can still be used for non-EAP authentication and authorization. EAP-TLS cannot be used with offload. |