Specifications
OmniAccess Reference: AOS-W System Reference
246 Part 031652-00 May 2005
802.1x Configuration
The following statements enable 802.1x authentication. They also establish
which RADIUS server to use for 802.1x authentication, and determine the
default role that an 802.1x client will get in the absence of a “Class” attribute
from the RADIUS server.
aaa dot1x mode enable
aaa dot1x default-role student
aaa dot1x auth-server IAS1
aaa dot1x auth-server IAS2
Machine Authentication Enforcement
Because students do not always choose strong passwords, the school district
wished to ensure that only authorized computers were allowed on the wireless
network. This would prevent someone from bringing their own computer to
the building and logging in through guessed or stolen credentials. The
following statements enforce machine authentication before user
authentication. If a user attempts to log in without machine authentication first
taking place, the user will be placed in the “guest” role and will have the same
access rights as any other guest.
aaa dot1x enforce-machine-authentication
mode enable
machine-authentication default-role computer
user-authentication default-role guest
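The role outcomes of the 802.1x and machine authentication statements above can be checked offline. The following Python is an added example, not part of the AOS-W reference: it parses those statements (copied inline as constructed sample input), models which role a client receives, and flags settings under which credentials alone would reach the full user role. The function names, the treatment of the lines after enforce-machine-authentication as its sub-settings, and every role branch other than the user-without-machine case are assumptions of this sketch.

```python
# Constructed sample: the dot1x statements from this page, in page order.
SAMPLE_CONFIG = """\
aaa dot1x mode enable
aaa dot1x default-role student
aaa dot1x auth-server IAS1
aaa dot1x auth-server IAS2
aaa dot1x enforce-machine-authentication
mode enable
machine-authentication default-role computer
user-authentication default-role guest
"""

def parse_dot1x(text):
    """Assumption: lines after 'enforce-machine-authentication' belong to it."""
    s = {"enabled": False, "default_role": None, "enforce": False, "only": {}}
    in_enforce = False
    for words in (line.split() for line in text.splitlines()):
        if words[:2] == ["aaa", "dot1x"]:
            in_enforce = words[2:] == ["enforce-machine-authentication"]
            if words[2:] == ["mode", "enable"]:
                s["enabled"] = True
            elif len(words) == 4 and words[2] == "default-role":
                s["default_role"] = words[3]
        elif in_enforce and words == ["mode", "enable"]:
            s["enforce"] = True
        elif in_enforce and len(words) == 3 and words[1] == "default-role":
            s["only"][words[0]] = words[2]   # machine-/user-authentication
        else:
            in_enforce = False
    return s

def resolve_role(s, machine_ok, user_ok, radius_class=None):
    """Page states only the user-without-machine case; the rest is assumed."""
    if not s["enabled"] or not (machine_ok or user_ok):
        return None                                     # no 802.1x role
    if s["enforce"] and not machine_ok:
        return s["only"].get("user-authentication")     # unknown computer
    if s["enforce"] and not user_ok:
        return s["only"].get("machine-authentication")  # no user logged in
    return radius_class or s["default_role"]

def audit(s):  # flag settings that let credentials alone reach the user role
    if not s["enabled"]:
        return ["802.1x authentication is not enabled"]
    if not s["enforce"]:
        return ["machine authentication is not enforced"]
    if s["only"].get("user-authentication") in (None, s["default_role"]):
        return ["user-only logins are not downgraded"]
    return []
```

With the page's statements, a valid user login from a computer that has not machine-authenticated resolves to guest, and audit() returns no findings.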
VLAN and IP Address Configuration
The following statements set up VLANs, assign IP addresses to each VLAN,
and establish a “helper-address” to which DHCP requests will be forwarded.
Wireless clients will be assigned to either VLAN 60 or 61, and printers will be
assigned to VLAN 62. The client’s default gateway will be the Alcatel switch,
which will route the traffic out to the 10.1.1.0 subnet. The VLANs are used to
split up users into smaller IP subnets, improving performance by decreasing
broadcast traffic. The VLANs are internal to the Alcatel switch only, and do not
extend into other parts of the wired network. VLAN 63 is used for guest
access.
vlan 60
vlan 61
vlan 62
vlan 63
!
interface vlan 1
ip address 10.1.1.251 255.255.255.0