DWS-1008 User’s Manual
D-Link Systems, Inc.
Configuring AAA for Network Users
2. The first command whose SSID and user glob match the SSID and incoming username is used to process this authentication. The command determines exactly how this particular login attempt is processed by the switch.
Configuring EAP Offload
You can configure the switch to offload all EAP processing from server groups. In this case,
the RADIUS server is not required to communicate using the EAP protocols.
For PEAP-MS-CHAP-V2 offload, you define a complete user profile in the local database
and only a username and password on a RADIUS server. For EAP-TLS offload, you define a
complete user profile in the local database only.
For example, the following command authenticates all wireless users who request SSID marshes at example.com by offloading PEAP processing onto the switch, while still performing MS-CHAP-V2 authentication via the server group shorebirds:
DWS-1008# set authentication dot1x ssid marshes *@example.com peap-mschapv2 shorebirds
To offload both PEAP and MS-CHAP-V2 processing onto the switch, use the following command:
DWS-1008# set authentication dot1x ssid marshes *@example.com peap-mschapv2 local
Using Pass-Through
The pass-through method causes EAP authentication requests to be processed entirely by
remote RADIUS servers in server groups.
For example, the following command enables users at EXAMPLE to be processed via server group shorebirds or swampbirds:
DWS-1008# set authentication dot1X ssid marshes EXAMPLE/* pass-through shorebirds swampbirds
The server group swampbirds is contacted only if all the RADIUS servers in shorebirds do not respond.
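The first-match selection described above, modelled as an added Python example (not code from this manual or from D-Link). It assumes that * in a user glob matches any run of characters; the rule list is constructed from the example commands on this page, with the third rule repeating the first rule's SSID and user glob so that, in this model, it is never selected.

```python
from fnmatch import fnmatchcase

# Constructed rule list built from the example commands on this page.
# Rule 3 repeats rule 1's SSID and user glob to show a shadowed rule.
CONFIG = """\
set authentication dot1x ssid marshes *@example.com peap-mschapv2 shorebirds
set authentication dot1X ssid marshes EXAMPLE/* pass-through shorebirds swampbirds
set authentication dot1x ssid marshes *@example.com peap-mschapv2 local
"""

def parse_rules(text):
    """Parse 'set authentication dot1x' lines into dicts, keeping their order."""
    rules = []
    for line in text.splitlines():
        tok = line.split()
        if [t.lower() for t in tok[:3]] != ["set", "authentication", "dot1x"]:
            continue
        tok = tok[3:]
        ssid = tok.pop(1) if tok[0] == "ssid" else None  # None means 'wired'
        tok.pop(0)                                       # drop 'ssid' / 'wired'
        glob = tok.pop(0)
        bonded = tok[0] == "bonded"
        if bonded:
            tok.pop(0)
        rules.append({"ssid": ssid, "glob": glob, "bonded": bonded,
                      "protocol": tok[0], "methods": tok[1:]})
    return rules

def select_rule(rules, ssid, username):
    """First rule matching SSID and username ('*' = any characters: assumption)."""
    for i, r in enumerate(rules):
        if r["ssid"] == ssid and fnmatchcase(username, r["glob"]):
            return i, r
    return None  # no rule matched this login attempt

def shadowed(rules):
    """Indices of rules that repeat an earlier rule's SSID and user glob."""
    seen, dead = set(), []
    for i, r in enumerate(rules):
        key = (r["ssid"], r["glob"])
        if key in seen:
            dead.append(i)
        seen.add(key)
    return dead

def eap_path(rule):
    """Where EAP is processed, and which methods check the credentials."""
    where = "RADIUS" if rule["protocol"] == "pass-through" else "switch"
    return where, rule["methods"]
```

Running shadowed() over an exported rule list before deployment shows which rules sit behind an earlier rule with the same SSID and user glob.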
Authenticating via a Local Database
To configure the switch to authenticate and authorize a user against the local database in
the switch, use the following command:
set authentication dot1x {ssid ssid-name | wired} user-glob [bonded] protocol local