DWS-1008 User’s Manual
D-Link Systems, Inc.
Conguring AAA for Network Users
Requirements
Third-Party AP Requirements
The third-party AP must be connected to the switch through a wired Layer 2 link.
MSS cannot provide data services if the AP and switch are in different Layer 3
subnets.
The AP must be congured as the switch’s RADIUS client.
The AP must be congured so that all trafc for a given SSID is mapped to the same
802.1Q tagged VLAN. If the AP has multiple SSIDs, each SSID must use a different
tag value.
The AP must be congured to send the following information in a RADIUS access-
request, for each user who wants to connect to the WLAN through the switch:
SSID requested by the user. The SSID can be attached to the end of the called-
station-id (per Congdon), or can be in a VSA (for example, cisco-vsa:ssid=r12-cisco-1).
Calling-station-id that includes the users MAC address. The MAC address can be in
any of the following formats:
❍ Separated by colons (for example, AA:BB:CC:DD:EE:FF)
❍ Separated by dashes (for example, AA-BB-CC-DD-EE-FF)
❍ Separated by dots (for example, AABB.CCDD.EEFF)
Username
The AP must be congured to send a RADIUS stop-accounting record when a user’s
session ends.
Switch Requirements
The switch port connected to the third-party AP must be configured as a wired
authentication port. If SSID traffic from the AP is tagged, the same VLAN tag value
must be used on the wired authentication port.
A MAC authentication rule must be configured to authenticate the AP itself.
The switch must be congured as a RADIUS proxy for the AP. The switch is a
RADIUS server to the AP but remains a RADIUS client to the real RADIUS servers.
An authentication proxy rule must be configured for the AP's users. The rule matches
on SSID and username and selects the authentication method (a RADIUS server group)
to which the switch proxies the request.
RADIUS Server Requirements
For 802.1X users, the usernames and passwords must be configured on the RADIUS
server.
For non-802.1X users of a tagged SSID, the special username last-resort-ssid must
be configured, where ssid is the SSID name. The fallthru authentication type
(last-resort) specified for the wired authentication port connected to the AP
determines which username you need to configure.
For any users of an untagged SSID, the special username last-resort-wired must
be configured, again depending on the fallthru authentication type specified for the
wired authentication port.
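The attribute formats and username rules above, pulled together in a small Python model of what the switch sees in a proxied Access-Request: the three Calling-Station-Id MAC spellings, the SSID appended to Called-Station-Id (or sent in a VSA), the last-resort-ssid / last-resort-wired username the real RADIUS server must hold, and the SSID-plus-username match of a proxy rule. This is an added example, not code from the D-Link manual or from MSS. The Access-Request is a plain dict, the cisco-vsa:ssid key, the (ssid, username, group) rule tuples and the glob matching are assumptions made for illustration, and the sample requests are constructed.

```python
"""Added example: model the RADIUS fields a third-party AP sends to the switch
acting as RADIUS proxy. Not D-Link/MSS code; see assumptions in the comments."""
import re
from fnmatch import fnmatchcase

# The three Calling-Station-Id MAC formats the manual lists.
_MAC_RE = (r'(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}'      # AA:BB:CC:DD:EE:FF
           r'|(?:[0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2}'     # AA-BB-CC-DD-EE-FF
           r'|(?:[0-9A-Fa-f]{4}\.){2}[0-9A-Fa-f]{4}')   # AABB.CCDD.EEFF
# Called-Station-Id per RFC 3580 section 3.20 (the "Congdon" format): <AP MAC>[:<SSID>]
_CALLED_RE = re.compile(rf'^({_MAC_RE})(?::(.+))?$')


def normalize_mac(value):
    """Reduce any of the three accepted MAC spellings to 12 upper-case hex digits."""
    v = value.strip()
    if not re.fullmatch(_MAC_RE, v):
        raise ValueError(f"unsupported MAC format: {value!r}")
    return re.sub(r'[:.\-]', '', v).upper()


def parse_called_station_id(value):
    """Return (ap_mac, ssid) from 'MAC:SSID'; ssid is None when nothing is appended."""
    m = _CALLED_RE.match(value.strip())
    if not m:
        raise ValueError(f"malformed Called-Station-Id: {value!r}")
    return normalize_mac(m.group(1)), m.group(2)


def ssid_from_request(attrs):
    """Prefer an SSID VSA when the AP sends one (the manual's cisco-vsa:ssid example;
    the dict key is an assumption), otherwise take the SSID appended to Called-Station-Id."""
    if attrs.get("cisco-vsa:ssid"):
        return attrs["cisco-vsa:ssid"]
    _, ssid = parse_called_station_id(attrs["Called-Station-Id"])
    if ssid is None:
        raise ValueError("AP sent no SSID; the switch cannot match a proxy rule")
    return ssid


def radius_username_to_configure(username, is_8021x, ssid_tagged, ssid):
    """Which username must exist on the real RADIUS server, for fallthru type last-resort."""
    if is_8021x:
        return username                  # 802.1X users authenticate as themselves
    if ssid_tagged:
        return f"last-resort-{ssid}"     # non-802.1X user on a tagged SSID
    return "last-resort-wired"           # any user on an untagged SSID


def select_server_group(rules, ssid, username):
    """First proxy rule whose SSID and username patterns both match wins.
    Glob matching is an assumption here; check the switch's own rule syntax."""
    for ssid_glob, user_glob, group in rules:
        if fnmatchcase(ssid, ssid_glob) and fnmatchcase(username, user_glob):
            return group
    return None


def process_access_request(attrs, rules, tagged_ssids):
    """Tie the pieces together for one proxied Access-Request."""
    ssid = ssid_from_request(attrs)
    is_8021x = "EAP-Message" in attrs    # EAP carried in RADIUS means an 802.1X user
    return {
        "client_mac": normalize_mac(attrs["Calling-Station-Id"]),
        "ssid": ssid,
        "radius_username": radius_username_to_configure(
            attrs["User-Name"], is_8021x, ssid in tagged_ssids, ssid),
        "server_group": select_server_group(rules, ssid, attrs["User-Name"]),
    }


# Constructed sample data (not from the manual).
RULES = [("corp", "*", "sg-corp"), ("guest*", "*", "sg-guest")]
TAGGED_SSIDS = {"corp", "guest-2"}
SAMPLE_8021X = {"User-Name": "alice@example.com",
                "Calling-Station-Id": "aa-bb-cc-dd-ee-ff",
                "Called-Station-Id": "00-10-A4-23-19-C0:corp",
                "EAP-Message": b"\x02\x00\x00\x0a\x01alice"}
SAMPLE_OPEN_TAGGED = {"User-Name": "AABB.CCDD.EEFF",
                      "Calling-Station-Id": "AABB.CCDD.EEFF",
                      "Called-Station-Id": "00:10:A4:23:19:C0:guest-2"}
SAMPLE_VSA_UNTAGGED = {"User-Name": "visitor",
                       "Calling-Station-Id": "AA:BB:CC:DD:EE:01",
                       "Called-Station-Id": "00-10-A4-23-19-C0",
                       "cisco-vsa:ssid": "r12-cisco-1"}

if __name__ == "__main__":
    for req in (SAMPLE_8021X, SAMPLE_OPEN_TAGGED, SAMPLE_VSA_UNTAGGED):
        print(process_access_request(req, RULES, TAGGED_SSIDS))
```

The point worth checking in a real deployment is the middle path: a non-802.1X client on a tagged SSID never authenticates as itself, so if last-resort-<ssid> is missing on the RADIUS server the proxy rule can match and the request still fails.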